docs: document dev login feature and authWithoutPassword event fix

- README.md: add Dev Login section under Authentication, add bullet
  to Developer-Friendly features list
- CONFIG.md: add Dev Login Settings section with property reference,
  endpoint table, and usage notes
- CLAUDE.md: add dev/ package to structure, add user.dev.* to
  configuration property groups

Relates to #260

Author: devondragon

CLAUDE.md

@@ -42,6 +42,7 @@ com.digitalsanctuary.spring.user
 ├── api/              # REST endpoints (UserAPI)
 ├── audit/            # Audit logging system
 ├── controller/       # MVC controllers for HTML pages
+├── dev/              # Dev login auto-configuration (local profile only)
 ├── dto/              # Data transfer objects
 ├── event/            # Spring application events
 ├── exceptions/       # Custom exceptions
@@ -110,6 +111,7 @@ All configuration uses `user.*` prefix in application.yml. Key property groups:
 - `user.roles-and-privileges` - Role-to-privilege mapping (applied on startup)
 - `user.role-hierarchy` - Role inheritance (e.g., ROLE_ADMIN > ROLE_MANAGER)
 - `user.gdpr.*` - GDPR features (enabled, exportBeforeDeletion, consentTracking)
+- `user.dev.*` - Dev login (autoLoginEnabled, loginRedirectUrl) — requires `local` profile
 - `user.purgetokens.cron.*` - Token cleanup schedule
 - `user.session.invalidation.warn-threshold` - Performance warning threshold
 - `user.actuallyDeleteAccount` - Hard delete vs disable

CONFIG.md

@@ -105,6 +105,35 @@ WebAuthn requires two additional tables: `user_entities` and `user_credentials`.
 - Passkey labels are limited to 64 characters.
 - When a user account is deleted, all associated WebAuthn credentials and user entities are automatically cleaned up via the `UserPreDeleteEvent` listener. The database schema also uses `ON DELETE CASCADE` as a safety net.
 
+## Dev Login Settings
+
+Provides a reusable "login as" controller for local development, so consuming applications don't need to write boilerplate dev-login controllers. **This feature is disabled by default and requires both a property flag and the `local` Spring profile to activate.**
+
+- **Auto-Login Enabled (`user.dev.auto-login-enabled`)**: Master toggle for the dev login feature. Defaults to `false`. Must be set to `true` **and** the `local` Spring profile must be active for the endpoints to be registered.
+- **Login Redirect URL (`user.dev.login-redirect-url`)**: The URL to redirect to after a successful dev login. Defaults to `/`.
+
+**Example configuration:**
+```yaml
+# application-local.yml (only active with spring.profiles.active=local)
+user:
+  dev:
+    auto-login-enabled: true
+    login-redirect-url: /dashboard
+```
+
+**Endpoints** (only available when enabled with the `local` profile):
+
+| Endpoint | Method | Description |
+|----------|--------|-------------|
+| `/dev/login-as/{email}` | GET | Authenticate as the specified user and redirect |
+| `/dev/users` | GET | List all enabled user emails |
+
+**Important Notes:**
+- The `local` Spring profile **must** be active. Without it, the controller and warning beans are never registered regardless of the property value.
+- When enabled, `/dev/**` is automatically added to the unprotected URI list and CSRF-ignored URIs in `WebSecurityConfig`.
+- A prominent WARN-level banner is logged on startup when dev login is active.
+- **NEVER enable this in production.** It bypasses all password authentication.
+
 ## Mail Configuration
 
 - **From Address (`spring.mail.fromAddress`)**: The email address used as the sender in outgoing emails.

README.md

@@ -103,6 +103,7 @@ Check out the [Spring User Framework Demo Application](https://github.com/devond
   - Configuration-driven features
   - Comprehensive documentation
   - Demo application for reference
+  - Built-in dev login controller for quick user switching during local development
 
 - **GDPR Compliance** (opt-in)
   - Data export (Right of Access - Article 15)
@@ -709,6 +710,38 @@ To enable SSO:
                 jwk-set-uri: ${DS_SPRING_USER_KEYCLOAK_PROVIDER_JWK_SET_URI}
    ```
 
+### Dev Login (Local Development)
+
+The framework includes a built-in dev login controller that lets developers quickly switch between user accounts without entering passwords. This eliminates the need for consuming applications to write boilerplate dev-login controllers.
+
+**Setup:**
+
+1. Activate the `local` Spring profile (e.g., `spring.profiles.active=local`)
+2. Enable dev login in your configuration:
+
+```yaml
+# application-local.yml
+user:
+  dev:
+    auto-login-enabled: true
+    login-redirect-url: /dashboard  # optional, defaults to /
+```
+
+**Endpoints** (only available when enabled with the `local` profile):
+
+| Endpoint | Method | Description |
+|----------|--------|-------------|
+| `/dev/login-as/{email}` | GET | Authenticate as the specified user and redirect |
+| `/dev/users` | GET | List all enabled user emails (JSON) |
+
+**Example usage during development:**
+- Visit `http://localhost:8080/dev/users` to see available accounts
+- Visit `http://localhost:8080/dev/login-as/admin@example.com` to instantly log in as that user
+
+**Security:** This feature requires **both** `user.dev.auto-login-enabled=true` **and** the `local` Spring profile to be active. A prominent warning banner is logged on startup when dev login is active. **Never enable this in production.**
+
+See the [Configuration Guide](CONFIG.md) for all dev login settings.
+
 ## Extensibility
 
 The framework is designed to be extended without modifying the core code.