diff --git a/.env.example b/.env.example
index 55017296cf9..2d7f1a9c197 100644
--- a/.env.example
+++ b/.env.example
@@ -1,38 +1,73 @@
-
-
 # =============================================================================
-# ROOT SUPERSET ENV
-# Shared by all worktrees via direnv
+# SUPERSET LOCAL DEVELOPMENT ENV
+# Copied to .env by `bun setup:local`.
+#
+# Keep .env machine-local and untracked. Blank optional integration keys are
+# intentional in the local profile; the app should boot without third-party
+# credentials and degrade only when those specific features are exercised.
 # =============================================================================
 
 # -----------------------------------------------------------------------------
-# Neon Organization Credentials
+# Local Contributor Profile
 # -----------------------------------------------------------------------------
-NEON_ORG_ID=
-NEON_PROJECT_ID=
-NEON_API_KEY=
+# Required for fresh-clone local development without third-party credentials.
+SUPERSET_PROFILE=local
+
+# Keep desktop dev state separate from production / canary installs.
+# `bun setup:local` rewrites this to local-dev-<worktree>.
+SUPERSET_WORKSPACE_NAME=local-dev
+
+# -----------------------------------------------------------------------------
+# Local Database
+# -----------------------------------------------------------------------------
+# `bun setup:local` rewrites these to a database name derived from the
+# worktree path, so multiple local worktrees can share one Postgres container
+# without sharing schema/auth state.
+SUPERSET_LOCAL_DATABASE_NAME=superset
+DATABASE_URL=postgres://superset:superset@localhost:5433/superset
+DATABASE_URL_UNPOOLED=postgres://superset:superset@localhost:5433/superset
 
 # -----------------------------------------------------------------------------
-# Neon Database Credentials (Production)
+# Local Ports
 # -----------------------------------------------------------------------------
-DATABASE_URL=
-DATABASE_URL_UNPOOLED=
+WEB_PORT=4640
+API_PORT=4641
+DESKTOP_VITE_PORT=4645
+DESKTOP_NOTIFICATIONS_PORT=4646
+ELECTRIC_PORT=4649
+CADDY_ELECTRIC_PORT=4650
+WRANGLER_PORT=4652
 
 # -----------------------------------------------------------------------------
-# Cross-App URLs (Local Dev)
+# Local App URLs
 # -----------------------------------------------------------------------------
-NEXT_PUBLIC_API_URL=http://localhost:3001
-NEXT_PUBLIC_WEB_URL=http://localhost:3000
+NEXT_PUBLIC_API_URL=http://localhost:4641
+NEXT_PUBLIC_WEB_URL=http://localhost:4640
 NEXT_PUBLIC_ADMIN_URL=http://localhost:3003
 NEXT_PUBLIC_MARKETING_URL=http://localhost:3002
 NEXT_PUBLIC_DOCS_URL=http://localhost:3004
+NEXT_PUBLIC_ELECTRIC_URL=https://localhost:4650
 
 # -----------------------------------------------------------------------------
-# Better Auth
+# Local Auth Defaults
 # -----------------------------------------------------------------------------
-BETTER_AUTH_SECRET=
+BETTER_AUTH_SECRET=local_dev_secret_not_for_production
 NEXT_PUBLIC_COOKIE_DOMAIN=localhost
 
+# =============================================================================
+# OPTIONAL INTEGRATION CREDENTIALS
+# Leave these blank for the default local contributor flow.
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# Neon Organization Credentials
+# -----------------------------------------------------------------------------
+# Only needed for Neon-backed/internal workflows. The local setup script uses the
+# Docker Postgres URLs above.
+NEON_ORG_ID=
+NEON_PROJECT_ID=
+NEON_API_KEY=
+
 # -----------------------------------------------------------------------------
 # OAuth Credentials (for Desktop App direct auth)
 # -----------------------------------------------------------------------------
@@ -99,6 +134,7 @@ KV_REST_API_TOKEN=
 
 # QStash API token (used for background job scheduling in packages/trpc and apps/api)
 QSTASH_TOKEN=
+QSTASH_URL=
 
 # QStash webhook signature verification keys (used to verify webhook requests)
 QSTASH_CURRENT_SIGNING_KEY=
diff --git a/Caddyfile.example b/Caddyfile.example
index b1043c33d78..719e224ae8d 100644
--- a/Caddyfile.example
+++ b/Caddyfile.example
@@ -2,14 +2,14 @@
 # Avoids browser's 6-connection limit when using 10+ Electric streams.
 #
 # Copy to Caddyfile:  cp Caddyfile.example Caddyfile
-# Install caddy:      brew install caddy  (macOS) / see https://caddyserver.com/docs/install
+# Install caddy:      brew install caddy
 
 {
 	auto_https disable_redirects
 }
 
-https://localhost:3010 {
-	reverse_proxy localhost:3001 {
+https://localhost:{$CADDY_ELECTRIC_PORT} {
+	reverse_proxy localhost:{$WRANGLER_PORT} {
 		flush_interval -1
 	}
 }
diff --git a/README.md b/README.md
index e1d935232ec..478d5dea679 100644
--- a/README.md
+++ b/README.md
@@ -71,7 +71,7 @@ If it runs in a terminal, it runs on Superset
 
 | Requirement | Details |
 |:------------|:--------|
-| **OS** | macOS (Windows/Linux untested) |
+| **OS** | macOS |
 | **Runtime** | [Bun](https://bun.sh/) v1.0+ |
 | **Version Control** | Git 2.20+ |
 | **GitHub CLI** | [gh](https://cli.github.com/) |
@@ -85,57 +85,27 @@ If it runs in a terminal, it runs on Superset
 
 ### Build from Source
 
-<details>
-<summary>Click to expand build instructions</summary>
+For a complete contributor workflow that boots a fresh clone with no third-party credentials (Neon / OAuth / Stripe / Resend keys are all optional), follow **[Local Development](docs/LOCAL_DEVELOPMENT.md)**.
 
-**1. Clone the repository**
+Short version:
 
 ```bash
 git clone https://github.com/superset-sh/superset.git
 cd superset
-```
-
-**2. Set up environment variables** (choose one):
-
-Option A: Full setup
-```bash
-cp .env.example .env
-# Edit .env and fill in the values
-```
-
-Option B: Skip env validation (for quick local testing)
-```bash
-cp .env.example .env
-echo 'SKIP_ENV_VALIDATION=1' >> .env
-```
-
-**3. Set up Caddy** (reverse proxy for Electric SQL streams):
-
-```bash
-# Install caddy: brew install caddy (macOS) or see https://caddyserver.com/docs/install
-cp Caddyfile.example Caddyfile
-
-# Without this, Chromium rejects https://localhost:* with ERR_CERT_AUTHORITY_INVALID.
-# Prompts for sudo once.
-caddy trust
-```
-
-**4. Install dependencies and run**
-
-```bash
 bun install
-bun run dev
+bun setup:local
+bun dev
 ```
 
-**5. Build the desktop app**
+`bun setup:local` copies local examples, assigns this worktree its own local database and desktop state, starts Docker Postgres/Electric, trusts Caddy's local CA, and runs migrations. It does not overwrite internal `.env` files. The desktop window opens auto-signed-in as `admin@local.test`, with state isolated under `~/.superset-local-dev-*` so source builds do not reuse production or canary desktop state. See [Local Development](docs/LOCAL_DEVELOPMENT.md) for details and troubleshooting.
+
+To build a distributable desktop app:
 
 ```bash
 bun run build
 open apps/desktop/release
 ```
 
-</details>
-
 ## Keyboard Shortcuts
 
 All shortcuts are customizable via **Settings > Keyboard Shortcuts** (`⌘/`). See [full documentation](https://docs.superset.sh/keyboard-shortcuts).
diff --git a/apps/admin/src/env.ts b/apps/admin/src/env.ts
index 0601dc61f69..2d9ea4aba6d 100644
--- a/apps/admin/src/env.ts
+++ b/apps/admin/src/env.ts
@@ -1,7 +1,10 @@
+import { shouldSkipEnvValidation } from "@superset/shared/deployment-profile";
 import { createEnv } from "@t3-oss/env-nextjs";
 import { vercel } from "@t3-oss/env-nextjs/presets-zod";
 import { z } from "zod";
 
+const skipValidation = shouldSkipEnvValidation();
+
 export const env = createEnv({
 	extends: [vercel()],
 	shared: {
@@ -49,6 +52,6 @@ export const env = createEnv({
 		NEXT_PUBLIC_SENTRY_ENVIRONMENT: process.env.NEXT_PUBLIC_SENTRY_ENVIRONMENT,
 	},
 
-	skipValidation: !!process.env.SKIP_ENV_VALIDATION,
+	skipValidation,
 	emptyStringAsUndefined: true,
 });
diff --git a/apps/api/package.json b/apps/api/package.json
index 2fb057d5453..77c73628b5c 100644
--- a/apps/api/package.json
+++ b/apps/api/package.json
@@ -8,6 +8,7 @@
 		"clean": "git clean -xdf .cache .next .turbo node_modules",
 		"dev": "dotenv -e ../../.env -- sh -c 'exec next dev --port ${API_PORT:-3001}'",
 		"start": "next start --port 3001",
+		"test": "bun test",
 		"typecheck": "tsc --noEmit"
 	},
 	"dependencies": {
diff --git a/apps/api/src/app/api/automations/evaluate/route.ts b/apps/api/src/app/api/automations/evaluate/route.ts
index f1c6d7f5a85..7b14e4c2f1d 100644
--- a/apps/api/src/app/api/automations/evaluate/route.ts
+++ b/apps/api/src/app/api/automations/evaluate/route.ts
@@ -2,17 +2,14 @@ import { dbWs } from "@superset/db/client";
 import { automations, subscriptions } from "@superset/db/schema";
 import { ACTIVE_SUBSCRIPTION_STATUSES } from "@superset/shared/billing";
 import { nextOccurrenceAfter } from "@superset/shared/rrule";
-import { Client, Receiver } from "@upstash/qstash";
+import { Receiver } from "@upstash/qstash";
 import { and, eq, exists, inArray, lte, ne, sql } from "drizzle-orm";
 
 import { env } from "@/env";
+import { qstash } from "@/lib/qstash";
 
 export const dynamic = "force-dynamic";
 
-const qstash = new Client({
-	token: env.QSTASH_TOKEN,
-	baseUrl: env.QSTASH_URL,
-});
 const receiver = new Receiver({
 	currentSigningKey: env.QSTASH_CURRENT_SIGNING_KEY,
 	nextSigningKey: env.QSTASH_NEXT_SIGNING_KEY,
@@ -73,6 +70,13 @@ export async function POST(request: Request): Promise<Response> {
 		return Response.json({ enqueued: 0 });
 	}
 
+	if (!qstash) {
+		return Response.json(
+			{ error: "QSTASH_TOKEN is required to enqueue automation jobs" },
+			{ status: 503 },
+		);
+	}
+
 	await qstash.batchJSON(
 		due.map((automation) => {
 			const scheduledFor = bucketToMinute(automation.nextRunAt);
diff --git a/apps/api/src/app/api/github/callback/route.ts b/apps/api/src/app/api/github/callback/route.ts
index 94021159083..6e220e14217 100644
--- a/apps/api/src/app/api/github/callback/route.ts
+++ b/apps/api/src/app/api/github/callback/route.ts
@@ -1,14 +1,12 @@
 import { db } from "@superset/db/client";
 import { githubInstallations, members } from "@superset/db/schema";
-import { Client } from "@upstash/qstash";
 import { and, eq } from "drizzle-orm";
 
 import { env } from "@/env";
 import { verifySignedState } from "@/lib/oauth-state";
+import { qstash, requireQstash } from "@/lib/qstash";
 import { githubApp } from "../octokit";
 
-const qstash = new Client({ token: env.QSTASH_TOKEN });
-
 /**
  * Callback handler for GitHub App installation.
  * GitHub redirects here after the user installs/configures the app.
@@ -122,14 +120,28 @@ export async function GET(request: Request) {
 
 		// Queue initial sync job
 		try {
-			await qstash.publishJSON({
-				url: `${env.NEXT_PUBLIC_API_URL}/api/github/jobs/initial-sync`,
-				body: {
-					installationDbId: savedInstallation.id,
-					organizationId,
-				},
-				retries: 3,
-			});
+			const syncUrl = `${env.NEXT_PUBLIC_API_URL}/api/github/jobs/initial-sync`;
+			const syncBody = {
+				installationDbId: savedInstallation.id,
+				organizationId,
+			};
+
+			if (env.NODE_ENV === "development" && !qstash) {
+				const response = await fetch(syncUrl, {
+					method: "POST",
+					headers: { "Content-Type": "application/json" },
+					body: JSON.stringify(syncBody),
+				});
+				if (!response.ok) {
+					throw new Error(`Local sync request failed: ${response.status}`);
+				}
+			} else {
+				await requireQstash("github/callback").publishJSON({
+					url: syncUrl,
+					body: syncBody,
+					retries: 3,
+				});
+			}
 		} catch (error) {
 			console.error(
 				"[github/callback] Failed to queue initial sync job:",
diff --git a/apps/api/src/app/api/health/route.ts b/apps/api/src/app/api/health/route.ts
new file mode 100644
index 00000000000..9b3588d69ae
--- /dev/null
+++ b/apps/api/src/app/api/health/route.ts
@@ -0,0 +1,19 @@
+import {
+	getDeploymentProfile,
+	isStrictProfile,
+} from "@superset/shared/deployment-profile";
+import { NextResponse } from "next/server";
+import { getIntegrationStatuses } from "../../../lib/integration-status";
+
+export function GET() {
+	const profile = getDeploymentProfile();
+	if (isStrictProfile(profile)) {
+		return NextResponse.json({ ok: true });
+	}
+
+	return NextResponse.json({
+		ok: true,
+		profile,
+		integrations: getIntegrationStatuses(),
+	});
+}
diff --git a/apps/api/src/app/api/integrations/linear/callback/route.ts b/apps/api/src/app/api/integrations/linear/callback/route.ts
index 5b090f03a54..3a770bd097d 100644
--- a/apps/api/src/app/api/integrations/linear/callback/route.ts
+++ b/apps/api/src/app/api/integrations/linear/callback/route.ts
@@ -2,18 +2,16 @@ import { LinearClient } from "@linear/sdk";
 import { db } from "@superset/db/client";
 import { integrationConnections, members, users } from "@superset/db/schema";
 import { linearTokenResponseSchema } from "@superset/trpc/integrations/linear";
-import { Client } from "@upstash/qstash";
 import { and, eq, isNull, ne } from "drizzle-orm";
 
 import { env } from "@/env";
 import { verifySignedState } from "@/lib/oauth-state";
+import { qstash, requireQstash } from "@/lib/qstash";
 
 const UNIQUE_VIOLATION = "23505";
 const ACTIVE_LINKAGE_INDEX =
 	"integration_connections_provider_external_org_active_unique";
 
-const qstash = new Client({ token: env.QSTASH_TOKEN });
-
 export async function GET(request: Request) {
 	const url = new URL(request.url);
 	const code = url.searchParams.get("code");
@@ -149,11 +147,25 @@ export async function GET(request: Request) {
 	}
 
 	try {
-		await qstash.publishJSON({
-			url: `${env.NEXT_PUBLIC_API_URL}/api/integrations/linear/jobs/initial-sync`,
-			body: { organizationId, creatorUserId: userId },
-			retries: 3,
-		});
+		const syncUrl = `${env.NEXT_PUBLIC_API_URL}/api/integrations/linear/jobs/initial-sync`;
+		const syncBody = { organizationId, creatorUserId: userId };
+
+		if (env.NODE_ENV === "development" && !qstash) {
+			const response = await fetch(syncUrl, {
+				method: "POST",
+				headers: { "Content-Type": "application/json" },
+				body: JSON.stringify(syncBody),
+			});
+			if (!response.ok) {
+				throw new Error(`Local sync request failed: ${response.status}`);
+			}
+		} else {
+			await requireQstash("linear/callback").publishJSON({
+				url: syncUrl,
+				body: syncBody,
+				retries: 3,
+			});
+		}
 	} catch (error) {
 		console.error("Failed to queue initial sync job:", error);
 		return Response.redirect(
diff --git a/apps/api/src/app/api/integrations/slack/events/route.ts b/apps/api/src/app/api/integrations/slack/events/route.ts
index 8706cb59ae9..ea098d5ca78 100644
--- a/apps/api/src/app/api/integrations/slack/events/route.ts
+++ b/apps/api/src/app/api/integrations/slack/events/route.ts
@@ -1,14 +1,12 @@
 import type { LinkSharedEvent, SlackEvent } from "@slack/types";
-import { Client } from "@upstash/qstash";
 
 import { env } from "@/env";
+import { qstash } from "@/lib/qstash";
 import { verifySlackSignature } from "../verify-signature";
 import { processAppHomeOpened } from "./process-app-home-opened";
 import { processEntityDetails } from "./process-entity-details";
 import { processLinkShared } from "./process-link-shared";
 
-const qstash = new Client({ token: env.QSTASH_TOKEN });
-
 type SlackEventEnvelope = {
 	type?: string;
 	challenge?: string;
@@ -79,15 +77,21 @@ export async function POST(request: Request) {
 
 		if (event.type === "app_mention") {
 			try {
-				await qstash.publishJSON({
-					url: `${env.NEXT_PUBLIC_API_URL}/api/integrations/slack/jobs/process-mention`,
-					body: {
-						event,
-						teamId: team_id,
-						eventId: event_id,
-					},
-					retries: 3,
-				});
+				if (qstash) {
+					await qstash.publishJSON({
+						url: `${env.NEXT_PUBLIC_API_URL}/api/integrations/slack/jobs/process-mention`,
+						body: {
+							event,
+							teamId: team_id,
+							eventId: event_id,
+						},
+						retries: 3,
+					});
+				} else {
+					console.warn(
+						"[slack/events] Skipping mention job; QStash is not configured",
+					);
+				}
 			} catch (error) {
 				console.error("[slack/events] Failed to queue mention job:", error);
 			}
@@ -109,15 +113,21 @@ export async function POST(request: Request) {
 			}
 
 			try {
-				await qstash.publishJSON({
-					url: `${env.NEXT_PUBLIC_API_URL}/api/integrations/slack/jobs/process-assistant-message`,
-					body: {
-						event: messageEvent,
-						teamId: team_id,
-						eventId: event_id,
-					},
-					retries: 3,
-				});
+				if (qstash) {
+					await qstash.publishJSON({
+						url: `${env.NEXT_PUBLIC_API_URL}/api/integrations/slack/jobs/process-assistant-message`,
+						body: {
+							event: messageEvent,
+							teamId: team_id,
+							eventId: event_id,
+						},
+						retries: 3,
+					});
+				} else {
+					console.warn(
+						"[slack/events] Skipping assistant message job; QStash is not configured",
+					);
+				}
 			} catch (error) {
 				console.error(
 					"[slack/events] Failed to queue assistant message job:",
diff --git a/apps/api/src/env.ts b/apps/api/src/env.ts
index 117ed25046a..cc3c98b3923 100644
--- a/apps/api/src/env.ts
+++ b/apps/api/src/env.ts
@@ -1,6 +1,9 @@
+import { shouldSkipEnvValidation } from "@superset/shared/deployment-profile";
 import { createEnv } from "@t3-oss/env-nextjs";
 import { z } from "zod";
 
+const skipValidation = shouldSkipEnvValidation();
+
 export const env = createEnv({
 	shared: {
 		NODE_ENV: z
@@ -70,5 +73,5 @@ export const env = createEnv({
 		NEXT_PUBLIC_SENTRY_ENVIRONMENT: process.env.NEXT_PUBLIC_SENTRY_ENVIRONMENT,
 	},
 	emptyStringAsUndefined: true,
-	skipValidation: !!process.env.SKIP_ENV_VALIDATION,
+	skipValidation,
 });
diff --git a/apps/api/src/instrumentation.ts b/apps/api/src/instrumentation.ts
index 5a4e9039446..125499e5b0a 100644
--- a/apps/api/src/instrumentation.ts
+++ b/apps/api/src/instrumentation.ts
@@ -1,8 +1,10 @@
 import * as Sentry from "@sentry/nextjs";
+import { logBootSummary } from "./lib/boot-summary";
 
 export async function register() {
 	if (process.env.NEXT_RUNTIME === "nodejs") {
 		await import("../sentry.server.config");
+		logBootSummary();
 	}
 
 	if (process.env.NEXT_RUNTIME === "edge") {
diff --git a/apps/api/src/lib/analytics.ts b/apps/api/src/lib/analytics.ts
index aa8d66fce76..ae446bf440d 100644
--- a/apps/api/src/lib/analytics.ts
+++ b/apps/api/src/lib/analytics.ts
@@ -1,8 +1,43 @@
+import type { EventMessage } from "posthog-node";
 import { PostHog } from "posthog-node";
 import { env } from "@/env";
 
-export const posthog = new PostHog(env.NEXT_PUBLIC_POSTHOG_KEY, {
-	host: env.NEXT_PUBLIC_POSTHOG_HOST,
-	flushAt: 1,
-	flushInterval: 0,
-});
+type FeatureFlagValue = Parameters<PostHog["getFeatureFlagPayload"]>[2];
+type FeatureFlagOptions = Parameters<PostHog["getFeatureFlag"]>[2];
+type FeatureFlagPayloadOptions = Parameters<
+	PostHog["getFeatureFlagPayload"]
+>[3];
+type FeatureFlagResult = Awaited<ReturnType<PostHog["getFeatureFlag"]>>;
+type FeatureFlagPayload = Awaited<ReturnType<PostHog["getFeatureFlagPayload"]>>;
+
+interface AnalyticsClient {
+	capture: (props: EventMessage) => void;
+	getFeatureFlag: (
+		key: string,
+		distinctId: string,
+		options?: FeatureFlagOptions,
+	) => Promise<FeatureFlagResult>;
+	getFeatureFlagPayload: (
+		key: string,
+		distinctId: string,
+		matchValue?: FeatureFlagValue,
+		options?: FeatureFlagPayloadOptions,
+	) => Promise<FeatureFlagPayload>;
+}
+
+const disabled: AnalyticsClient = {
+	capture: () => {},
+	getFeatureFlag: async () => undefined,
+	getFeatureFlagPayload: async () => undefined,
+};
+
+function createAnalyticsClient(): AnalyticsClient {
+	if (!env.NEXT_PUBLIC_POSTHOG_KEY) return disabled;
+	return new PostHog(env.NEXT_PUBLIC_POSTHOG_KEY, {
+		host: env.NEXT_PUBLIC_POSTHOG_HOST,
+		flushAt: 1,
+		flushInterval: 0,
+	});
+}
+
+export const posthog = createAnalyticsClient();
diff --git a/apps/api/src/lib/boot-summary.ts b/apps/api/src/lib/boot-summary.ts
new file mode 100644
index 00000000000..e8ecfc44ad7
--- /dev/null
+++ b/apps/api/src/lib/boot-summary.ts
@@ -0,0 +1,32 @@
+import {
+	getDeploymentProfile,
+	isStrictProfile,
+} from "@superset/shared/deployment-profile";
+import { getMissingIntegrations } from "./integration-status";
+
+let logged = false;
+
+export function logBootSummary(): void {
+	if (logged) return;
+	logged = true;
+
+	const profile = getDeploymentProfile();
+	const missing = getMissingIntegrations();
+
+	if (isStrictProfile(profile)) {
+		console.log(`[superset] profile=${profile} (strict)`);
+		return;
+	}
+
+	console.log(`[superset] profile=${profile} (lenient)`);
+	if (missing.length === 0) {
+		console.log("[superset] all integrations configured");
+		return;
+	}
+	console.log(
+		`[superset] disabled features (set the listed env var(s) to enable):`,
+	);
+	for (const { label, envVars } of missing) {
+		console.log(`           - ${label.padEnd(28)} ${envVars.join(", ")}`);
+	}
+}
diff --git a/apps/api/src/lib/integration-status.test.ts b/apps/api/src/lib/integration-status.test.ts
new file mode 100644
index 00000000000..3c29ba092f2
--- /dev/null
+++ b/apps/api/src/lib/integration-status.test.ts
@@ -0,0 +1,50 @@
+import { describe, expect, it } from "bun:test";
+
+import {
+	getIntegrationStatuses,
+	getMissingIntegrations,
+} from "./integration-status";
+
+describe("integration status", () => {
+	it("reports configured and missing integrations from the supplied env", () => {
+		const statuses = getIntegrationStatuses({
+			STRIPE_SECRET_KEY: "sk_test",
+			RESEND_API_KEY: "",
+			NEXT_PUBLIC_POSTHOG_KEY: undefined,
+		});
+
+		expect(statuses.stripe).toBe("configured");
+		expect(statuses.resend).toBe("missing");
+		expect(statuses.posthog).toBe("missing");
+		expect(statuses["upstash-kv"]).toBe("missing");
+		expect(statuses.blob).toBe("missing");
+	});
+
+	it("requires all env vars for multi-key integrations", () => {
+		expect(
+			getIntegrationStatuses({
+				KV_REST_API_URL: "https://example.upstash.io",
+			})["upstash-kv"],
+		).toBe("missing");
+
+		expect(
+			getIntegrationStatuses({
+				KV_REST_API_URL: "https://example.upstash.io",
+				KV_REST_API_TOKEN: "token",
+			})["upstash-kv"],
+		).toBe("configured");
+	});
+
+	it("returns missing integrations with display labels for boot output", () => {
+		const missing = getMissingIntegrations({
+			STRIPE_SECRET_KEY: "sk_test",
+		});
+
+		expect(missing.some(({ key }) => key === "stripe")).toBe(false);
+		expect(missing).toContainEqual({
+			key: "blob",
+			label: "vercel-blob (uploads)",
+			envVars: ["BLOB_READ_WRITE_TOKEN"],
+		});
+	});
+});
diff --git a/apps/api/src/lib/integration-status.ts b/apps/api/src/lib/integration-status.ts
new file mode 100644
index 00000000000..ceb07171a3f
--- /dev/null
+++ b/apps/api/src/lib/integration-status.ts
@@ -0,0 +1,51 @@
+export const INTEGRATIONS = [
+	{ key: "stripe", label: "stripe", envVars: ["STRIPE_SECRET_KEY"] },
+	{ key: "resend", label: "resend (email)", envVars: ["RESEND_API_KEY"] },
+	{
+		key: "posthog",
+		label: "posthog (telemetry)",
+		envVars: ["NEXT_PUBLIC_POSTHOG_KEY"],
+	},
+	{ key: "sentry", label: "sentry", envVars: ["NEXT_PUBLIC_SENTRY_DSN_API"] },
+	{ key: "github-app", label: "github-app", envVars: ["GH_APP_ID"] },
+	{ key: "github-oauth", label: "github-oauth", envVars: ["GH_CLIENT_ID"] },
+	{ key: "google-oauth", label: "google-oauth", envVars: ["GOOGLE_CLIENT_ID"] },
+	{ key: "linear", label: "linear", envVars: ["LINEAR_CLIENT_ID"] },
+	{ key: "slack", label: "slack", envVars: ["SLACK_CLIENT_ID"] },
+	{ key: "qstash", label: "qstash (jobs)", envVars: ["QSTASH_TOKEN"] },
+	{
+		key: "upstash-kv",
+		label: "upstash-kv (rate limit)",
+		envVars: ["KV_REST_API_URL", "KV_REST_API_TOKEN"],
+	},
+	{
+		key: "blob",
+		label: "vercel-blob (uploads)",
+		envVars: ["BLOB_READ_WRITE_TOKEN"],
+	},
+	{ key: "anthropic", label: "anthropic", envVars: ["ANTHROPIC_API_KEY"] },
+	{ key: "tavily", label: "tavily (search)", envVars: ["TAVILY_API_KEY"] },
+] as const;
+
+export type IntegrationKey = (typeof INTEGRATIONS)[number]["key"];
+export type Integration = (typeof INTEGRATIONS)[number];
+export type IntegrationStatus = "configured" | "missing";
+
+export function getIntegrationStatuses(
+	envSource: Record<string, string | undefined> = process.env,
+): Record<IntegrationKey, IntegrationStatus> {
+	return Object.fromEntries(
+		INTEGRATIONS.map(({ key, envVars }) => [
+			key,
+			envVars.every((envVar) => envSource[envVar]) ? "configured" : "missing",
+		]),
+	) as Record<IntegrationKey, IntegrationStatus>;
+}
+
+export function getMissingIntegrations(
+	envSource: Record<string, string | undefined> = process.env,
+): Integration[] {
+	return INTEGRATIONS.filter(({ envVars }) =>
+		envVars.some((envVar) => !envSource[envVar]),
+	);
+}
diff --git a/apps/api/src/lib/qstash.ts b/apps/api/src/lib/qstash.ts
new file mode 100644
index 00000000000..b826b638086
--- /dev/null
+++ b/apps/api/src/lib/qstash.ts
@@ -0,0 +1,20 @@
+import { Client } from "@upstash/qstash";
+
+import { env } from "@/env";
+
+export const qstash = env.QSTASH_TOKEN
+	? new Client({
+			token: env.QSTASH_TOKEN,
+			...(env.QSTASH_URL ? { baseUrl: env.QSTASH_URL } : {}),
+		})
+	: null;
+
+export function requireQstash(context: string) {
+	if (!qstash) {
+		throw new Error(
+			`[${context}] QSTASH_TOKEN is required to enqueue background jobs`,
+		);
+	}
+
+	return qstash;
+}
diff --git a/apps/desktop/electron.vite.config.ts b/apps/desktop/electron.vite.config.ts
index f11759ceaa2..add0f28f908 100644
--- a/apps/desktop/electron.vite.config.ts
+++ b/apps/desktop/electron.vite.config.ts
@@ -13,6 +13,7 @@ import { mainExternalizedDependencies } from "./runtime-dependencies";
 import {
 	copyResourcesPlugin,
 	defineEnv,
+	devOrProdUrl,
 	devPath,
 	htmlEnvTransformPlugin,
 } from "./vite/helpers";
@@ -53,17 +54,26 @@ export default defineConfig({
 				process.env.SKIP_ENV_VALIDATION,
 				"",
 			),
-			"process.env.NEXT_PUBLIC_API_URL": defineEnv(
-				process.env.NEXT_PUBLIC_API_URL,
-				"https://api.superset.sh",
+			"process.env.NEXT_PUBLIC_API_URL": JSON.stringify(
+				devOrProdUrl(
+					"NEXT_PUBLIC_API_URL",
+					"http://localhost:4641",
+					"https://api.superset.sh",
+				),
 			),
-			"process.env.NEXT_PUBLIC_STREAMS_URL": defineEnv(
-				process.env.NEXT_PUBLIC_STREAMS_URL,
-				"https://streams.superset.sh",
+			"process.env.NEXT_PUBLIC_STREAMS_URL": JSON.stringify(
+				devOrProdUrl(
+					"NEXT_PUBLIC_STREAMS_URL",
+					"http://localhost:4647",
+					"https://streams.superset.sh",
+				),
 			),
-			"process.env.NEXT_PUBLIC_WEB_URL": defineEnv(
-				process.env.NEXT_PUBLIC_WEB_URL,
-				"https://app.superset.sh",
+			"process.env.NEXT_PUBLIC_WEB_URL": JSON.stringify(
+				devOrProdUrl(
+					"NEXT_PUBLIC_WEB_URL",
+					"http://localhost:4640",
+					"https://app.superset.sh",
+				),
 			),
 			"process.env.NEXT_PUBLIC_MARKETING_URL": defineEnv(
 				process.env.NEXT_PUBLIC_MARKETING_URL,
@@ -76,7 +86,16 @@ export default defineConfig({
 			"process.env.SENTRY_DSN_DESKTOP": defineEnv(
 				process.env.SENTRY_DSN_DESKTOP,
 			),
-			"process.env.RELAY_URL": defineEnv(process.env.RELAY_URL),
+			"process.env.RELAY_URL": JSON.stringify(
+				devOrProdUrl(
+					"RELAY_URL",
+					"http://localhost:4653",
+					"https://relay.superset.sh",
+				),
+			),
+			"process.env.SUPERSET_EXPLICIT_RELAY_URL": defineEnv(
+				process.env.RELAY_URL ? "1" : "",
+			),
 			// Must match renderer for analytics in main process
 			"process.env.NEXT_PUBLIC_POSTHOG_KEY": defineEnv(
 				process.env.NEXT_PUBLIC_POSTHOG_KEY,
@@ -169,22 +188,35 @@ export default defineConfig({
 				process.env.SKIP_ENV_VALIDATION,
 				"",
 			),
+			"process.env.SUPERSET_PROFILE": defineEnv(
+				process.env.SUPERSET_PROFILE,
+				"",
+			),
 			"process.platform": defineEnv(process.platform),
-			"process.env.NEXT_PUBLIC_API_URL": defineEnv(
-				process.env.NEXT_PUBLIC_API_URL,
-				"https://api.superset.sh",
+			"process.env.NEXT_PUBLIC_API_URL": JSON.stringify(
+				devOrProdUrl(
+					"NEXT_PUBLIC_API_URL",
+					"http://localhost:4641",
+					"https://api.superset.sh",
+				),
 			),
-			"process.env.NEXT_PUBLIC_WEB_URL": defineEnv(
-				process.env.NEXT_PUBLIC_WEB_URL,
-				"https://app.superset.sh",
+			"process.env.NEXT_PUBLIC_WEB_URL": JSON.stringify(
+				devOrProdUrl(
+					"NEXT_PUBLIC_WEB_URL",
+					"http://localhost:4640",
+					"https://app.superset.sh",
+				),
 			),
 			"process.env.NEXT_PUBLIC_MARKETING_URL": defineEnv(
 				process.env.NEXT_PUBLIC_MARKETING_URL,
 				"https://superset.sh",
 			),
-			"process.env.NEXT_PUBLIC_ELECTRIC_URL": defineEnv(
-				process.env.NEXT_PUBLIC_ELECTRIC_URL,
-				"https://electric-proxy.avi-6ac.workers.dev",
+			"process.env.NEXT_PUBLIC_ELECTRIC_URL": JSON.stringify(
+				devOrProdUrl(
+					"NEXT_PUBLIC_ELECTRIC_URL",
+					"https://localhost:4650",
+					"https://electric-proxy.avi-6ac.workers.dev",
+				),
 			),
 			"process.env.NEXT_PUBLIC_DOCS_URL": defineEnv(
 				process.env.NEXT_PUBLIC_DOCS_URL,
@@ -200,7 +232,16 @@ export default defineConfig({
 			"import.meta.env.SENTRY_DSN_DESKTOP": defineEnv(
 				process.env.SENTRY_DSN_DESKTOP,
 			),
-			"process.env.RELAY_URL": defineEnv(process.env.RELAY_URL),
+			"process.env.RELAY_URL": JSON.stringify(
+				devOrProdUrl(
+					"RELAY_URL",
+					"http://localhost:4653",
+					"https://relay.superset.sh",
+				),
+			),
+			"process.env.SUPERSET_EXPLICIT_RELAY_URL": defineEnv(
+				process.env.RELAY_URL ? "1" : "",
+			),
 			"process.env.STREAMS_URL": defineEnv(
 				process.env.STREAMS_URL,
 				"https://superset-stream.fly.dev",
diff --git a/apps/desktop/scripts/clean-launch-services.ts b/apps/desktop/scripts/clean-launch-services.ts
index 8f8dda03557..d60686b3f2f 100644
--- a/apps/desktop/scripts/clean-launch-services.ts
+++ b/apps/desktop/scripts/clean-launch-services.ts
@@ -12,6 +12,14 @@ import { execFileSync } from "node:child_process";
 import { existsSync } from "node:fs";
 import { homedir } from "node:os";
 import { resolve } from "node:path";
+import { config } from "dotenv";
+
+// Let contributor-local .env opt out before touching global Launch Services.
+config({
+	path: resolve(import.meta.dirname, "../../../.env"),
+	override: true,
+	quiet: true,
+});
 
 if (process.platform !== "darwin") {
 	process.exit(0);
@@ -22,6 +30,11 @@ if (process.env.NODE_ENV !== "development") {
 	process.exit(0);
 }
 
+if (process.env.SUPERSET_PROFILE === "local") {
+	console.log("[clean-launch-services] Skipping - local profile");
+	process.exit(0);
+}
+
 const LSREGISTER =
 	"/System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister";
 const WORKTREE_BASE = resolve(homedir(), ".superset/worktrees");
diff --git a/apps/desktop/scripts/patch-dev-protocol.ts b/apps/desktop/scripts/patch-dev-protocol.ts
index dc89ff36fe0..871905fdfbc 100644
--- a/apps/desktop/scripts/patch-dev-protocol.ts
+++ b/apps/desktop/scripts/patch-dev-protocol.ts
@@ -175,6 +175,11 @@ export function main() {
 		process.exit(0);
 	}
 
+	if (process.env.SUPERSET_PROFILE === "local") {
+		console.log("[patch-dev-protocol] Skipping - local profile");
+		process.exit(0);
+	}
+
 	// Prefer path-derived name so stale .env values never override the active worktree.
 	const { bundleDisplayWorkspaceName, workspaceName, worktreePath } =
 		resolveWorkspaceIdentity({
diff --git a/apps/desktop/src/main/env.main.ts b/apps/desktop/src/main/env.main.ts
index 13fe2e1af5a..6fa5939b502 100644
--- a/apps/desktop/src/main/env.main.ts
+++ b/apps/desktop/src/main/env.main.ts
@@ -9,23 +9,106 @@
 import { createEnv } from "@t3-oss/env-core";
 import { z } from "zod/v4";
 
+// NOTE: deployment-profile checks are inlined here rather than imported from
+// @superset/shared/deployment-profile because electron.vite.config.ts does
+// `await import("./src/main/env.main")` at config-load time, which Node's ESM
+// loader handles directly (no Vite transform) — and Node can't load `.ts`
+// files from sibling workspace packages. Keep this in sync with shared/.
+function isTruthyFlag(value: string | undefined): boolean {
+	return value === "1" || value === "true";
+}
+
+type MainDeploymentProfile = "cloud" | "local" | "ci" | "internal";
+const VALID_PROFILES: MainDeploymentProfile[] = [
+	"cloud",
+	"local",
+	"ci",
+	"internal",
+];
+
+function getExplicitProfile(): MainDeploymentProfile | undefined {
+	const explicitProfile = process.env.SUPERSET_PROFILE;
+	if (!explicitProfile) return undefined;
+	if (VALID_PROFILES.includes(explicitProfile as MainDeploymentProfile)) {
+		return explicitProfile as MainDeploymentProfile;
+	}
+	throw new Error(
+		`Invalid SUPERSET_PROFILE="${explicitProfile}". Expected one of: ${VALID_PROFILES.join(
+			", ",
+		)}.`,
+	);
+}
+
+function getDeploymentProfile(): MainDeploymentProfile {
+	if (isTruthyFlag(process.env.VERCEL) || process.env.VERCEL_ENV) {
+		return "cloud";
+	}
+	const explicitProfile = getExplicitProfile();
+	if (explicitProfile) return explicitProfile;
+	if (isTruthyFlag(process.env.CI)) return "ci";
+	return "internal";
+}
+
+export const deploymentProfile = getDeploymentProfile();
+const isStrict =
+	deploymentProfile === "cloud" || deploymentProfile === "internal";
+const skipValidation =
+	!isStrict || isTruthyFlag(process.env.SKIP_ENV_VALIDATION);
+
 export const env = createEnv({
 	server: {
 		NODE_ENV: z
 			.enum(["development", "production", "test"])
 			.default("development"),
-		NEXT_PUBLIC_API_URL: z.url().default("https://api.superset.sh"),
-		NEXT_PUBLIC_STREAMS_URL: z.url().default("https://streams.superset.sh"),
+		// In dev builds (NODE_ENV=development) the URL defaults switch to
+		// localhost so fresh-clone local contributors never silently sync
+		// against hosted production endpoints.
+		NEXT_PUBLIC_API_URL: z
+			.url()
+			.default(
+				process.env.NODE_ENV === "development"
+					? "http://localhost:4641"
+					: "https://api.superset.sh",
+			),
+		NEXT_PUBLIC_STREAMS_URL: z
+			.url()
+			.default(
+				process.env.NODE_ENV === "development"
+					? "http://localhost:4647"
+					: "https://streams.superset.sh",
+			),
 		NEXT_PUBLIC_ELECTRIC_URL: z
 			.url()
-			.default("https://electric-proxy.avi-6ac.workers.dev"),
-		NEXT_PUBLIC_WEB_URL: z.url().default("https://app.superset.sh"),
+			.default(
+				process.env.NODE_ENV === "development"
+					? "https://localhost:4650"
+					: "https://electric-proxy.avi-6ac.workers.dev",
+			),
+		NEXT_PUBLIC_WEB_URL: z
+			.url()
+			.default(
+				process.env.NODE_ENV === "development"
+					? "http://localhost:4640"
+					: "https://app.superset.sh",
+			),
 		NEXT_PUBLIC_MARKETING_URL: z.url().default("https://superset.sh"),
 		NEXT_PUBLIC_POSTHOG_KEY: z.string().optional(),
 		NEXT_PUBLIC_POSTHOG_HOST: z.string().default("https://us.i.posthog.com"),
 		SENTRY_DSN_DESKTOP: z.string().optional(),
-		STREAMS_URL: z.url().default("https://superset-stream.fly.dev"),
-		RELAY_URL: z.url().default("https://relay.superset.sh"),
+		STREAMS_URL: z
+			.url()
+			.default(
+				process.env.NODE_ENV === "development"
+					? "http://localhost:4647"
+					: "https://superset-stream.fly.dev",
+			),
+		RELAY_URL: z
+			.url()
+			.default(
+				process.env.NODE_ENV === "development"
+					? "http://localhost:4653"
+					: "https://relay.superset.sh",
+			),
 	},
 
 	runtimeEnv: {
@@ -45,9 +128,7 @@ export const env = createEnv({
 		RELAY_URL: process.env.RELAY_URL,
 	},
 	emptyStringAsUndefined: true,
-	// Only allow skipping validation in development (never in production)
-	skipValidation:
-		process.env.NODE_ENV === "development" && !!process.env.SKIP_ENV_VALIDATION,
+	skipValidation,
 
 	// Main process runs in trusted Node.js environment
 	isServer: true,
diff --git a/apps/desktop/src/main/index.ts b/apps/desktop/src/main/index.ts
index 181fde3e22e..ad5053c31d5 100644
--- a/apps/desktop/src/main/index.ts
+++ b/apps/desktop/src/main/index.ts
@@ -1,6 +1,7 @@
 import path from "node:path";
 import { pathToFileURL } from "node:url";
 import { settings } from "@superset/local-db";
+import { isLocalProfile } from "@superset/shared/deployment-profile";
 import {
 	app,
 	BrowserWindow,
@@ -28,6 +29,7 @@ import { initAppState } from "./lib/app-state";
 import { requestAppleEventsAccess } from "./lib/apple-events-permission";
 import { isUpdateReadyToInstall, setupAutoUpdater } from "./lib/auto-updater";
 import { installBundledCliShim } from "./lib/bundled-cli";
+import { ensureDevAuthToken } from "./lib/dev-auto-sign-in";
 import { resolveDevWorkspaceName } from "./lib/dev-workspace-name";
 import { setWorkspaceDockIcon } from "./lib/dock-icon";
 import { loadWebviewBrowserExtension } from "./lib/extensions";
@@ -55,6 +57,13 @@ import { MainWindow } from "./windows/main";
 console.log("[main] Local database ready:", !!localDb);
 const IS_DEV = process.env.NODE_ENV === "development";
 
+// Local profile only: expose Chrome DevTools Protocol for headless testing
+// (e.g. import/host-service checks). Skip in internal / cloud profiles.
+if (IS_DEV && isLocalProfile()) {
+	app.commandLine.appendSwitch("remote-debugging-port", "9333");
+	app.commandLine.appendSwitch("remote-allow-origins", "*");
+}
+
 void applyShellEnvToProcess().catch((error) => {
 	console.error("[main] Failed to apply shell environment:", error);
 });
@@ -418,6 +427,14 @@ if (!gotTheLock) {
 			console.error("[main] Failed to install bundled CLI shim:", error);
 		}
 
+		// Local profile only: auto-sign-in as the seed admin if no token is on disk.
+		// Fire-and-forget — the function polls the API for readiness internally
+		// (Turbo starts services concurrently, the API may still be compiling).
+		// AuthProvider in the renderer subscribes to auth.onTokenChanged and
+		// will re-hydrate when the token lands, so window creation doesn't
+		// block on this.
+		void ensureDevAuthToken();
+
 		// Discover and adopt host-services that survived a previous quit
 		// before the tray initializes, so it shows accurate status immediately.
 		await getHostServiceCoordinator().discoverAll();
diff --git a/apps/desktop/src/main/lib/dev-auto-sign-in.ts b/apps/desktop/src/main/lib/dev-auto-sign-in.ts
new file mode 100644
index 00000000000..10c33969d04
--- /dev/null
+++ b/apps/desktop/src/main/lib/dev-auto-sign-in.ts
@@ -0,0 +1,165 @@
+import { isLocalProfile } from "@superset/shared/deployment-profile";
+import { env as mainEnv } from "main/env.main";
+import {
+	loadToken,
+	saveToken,
+} from "../../lib/trpc/routers/auth/utils/auth-functions";
+
+const DEV_EMAIL = "admin@local.test";
+const DEV_PASSWORD = "supersetdev";
+const DEV_NAME = "Local Admin";
+const TOKEN_TTL_MS = 1000 * 60 * 60 * 24 * 30;
+const DEV_AUTH_TIMEOUT_MS = 8000;
+
+// API may take a few seconds to compile on first dev launch (Turbo starts
+// services concurrently). Poll /api/auth/ok before giving up.
+const HEALTH_POLL_INTERVAL_MS = 1000;
+const HEALTH_POLL_TIMEOUT_MS = 60_000;
+
+interface SignInResponse {
+	token?: string;
+	user?: { id: string };
+}
+
+interface AuthErrorBody {
+	code?: string;
+	message?: string;
+}
+
+interface SessionResponse {
+	user?: unknown;
+}
+
+async function postAuth<T>(
+	path: string,
+	body: Record<string, unknown>,
+): Promise<{ ok: boolean; status: number; data: T | AuthErrorBody }> {
+	const res = await fetch(`${mainEnv.NEXT_PUBLIC_API_URL}${path}`, {
+		method: "POST",
+		headers: {
+			"Content-Type": "application/json",
+			Origin: mainEnv.NEXT_PUBLIC_API_URL,
+		},
+		body: JSON.stringify(body),
+		signal: AbortSignal.timeout(DEV_AUTH_TIMEOUT_MS),
+	});
+	const data = (await res.json().catch(() => ({}))) as T | AuthErrorBody;
+	return { ok: res.ok, status: res.status, data };
+}
+
+async function waitForApiReady(): Promise<boolean> {
+	const start = Date.now();
+	const url = `${mainEnv.NEXT_PUBLIC_API_URL}/api/auth/ok`;
+	while (Date.now() - start < HEALTH_POLL_TIMEOUT_MS) {
+		try {
+			const res = await fetch(url, {
+				signal: AbortSignal.timeout(2000),
+			});
+			if (res.ok) return true;
+		} catch {
+			// connection refused / timeout — keep polling
+		}
+		await new Promise((r) => setTimeout(r, HEALTH_POLL_INTERVAL_MS));
+	}
+	return false;
+}
+
+async function isStoredTokenValid(token: string): Promise<boolean> {
+	try {
+		const res = await fetch(
+			`${mainEnv.NEXT_PUBLIC_API_URL}/api/auth/get-session`,
+			{
+				headers: { Authorization: `Bearer ${token}` },
+				signal: AbortSignal.timeout(DEV_AUTH_TIMEOUT_MS),
+			},
+		);
+		if (!res.ok) return false;
+
+		const data = (await res.json().catch(() => null)) as SessionResponse | null;
+		return !!data?.user;
+	} catch {
+		return false;
+	}
+}
+
+/**
+ * Dev-only: in the local profile, sign in (or sign up) as the seed
+ * admin user and persist the token so the renderer's AuthProvider can
+ * hydrate normally — no special renderer code.
+ *
+ * Polls the API for readiness before attempting sign-in (Turbo starts
+ * services concurrently and the API may still be compiling on first
+ * launch). Best-effort: failure is logged but doesn't crash boot.
+ */
+export async function ensureDevAuthToken(): Promise<void> {
+	// Local profile only — internal devs, self-hosters, and prod all use real auth.
+	if (!isLocalProfile()) return;
+
+	const stored = await loadToken();
+	if (stored.token && stored.expiresAt) {
+		const expiresAt = new Date(stored.expiresAt);
+		const isExpired =
+			Number.isNaN(expiresAt.getTime()) || expiresAt < new Date();
+		if (!isExpired) {
+			const ready = await waitForApiReady();
+			if (!ready) {
+				console.warn(
+					`[dev-auto-sign-in] API at ${mainEnv.NEXT_PUBLIC_API_URL} did not respond within ${HEALTH_POLL_TIMEOUT_MS}ms — skipping. Use the sign-in form once the API is up.`,
+				);
+				return;
+			}
+
+			if (await isStoredTokenValid(stored.token)) return;
+
+			console.log("[dev-auto-sign-in] stored token is stale; refreshing");
+		}
+	}
+
+	const ready = await waitForApiReady();
+	if (!ready) {
+		console.warn(
+			`[dev-auto-sign-in] API at ${mainEnv.NEXT_PUBLIC_API_URL} did not respond within ${HEALTH_POLL_TIMEOUT_MS}ms — skipping. Use the sign-in form once the API is up.`,
+		);
+		return;
+	}
+
+	try {
+		let signIn = await postAuth<SignInResponse>("/api/auth/sign-in/email", {
+			email: DEV_EMAIL,
+			password: DEV_PASSWORD,
+		});
+
+		const errBody = signIn.data as AuthErrorBody;
+		if (!signIn.ok && errBody.code === "INVALID_EMAIL_OR_PASSWORD") {
+			const signUp = await postAuth<SignInResponse>("/api/auth/sign-up/email", {
+				email: DEV_EMAIL,
+				password: DEV_PASSWORD,
+				name: DEV_NAME,
+			});
+			if (!signUp.ok) {
+				const e = signUp.data as AuthErrorBody;
+				throw new Error(`dev sign-up failed (${signUp.status}): ${e.message}`);
+			}
+			signIn = await postAuth<SignInResponse>("/api/auth/sign-in/email", {
+				email: DEV_EMAIL,
+				password: DEV_PASSWORD,
+			});
+		}
+
+		if (!signIn.ok) {
+			const e = signIn.data as AuthErrorBody;
+			throw new Error(`dev sign-in failed (${signIn.status}): ${e.message}`);
+		}
+		const token = (signIn.data as SignInResponse).token;
+		if (!token) throw new Error("dev sign-in: no token in response");
+
+		const expiresAt = new Date(Date.now() + TOKEN_TTL_MS).toISOString();
+		await saveToken({ token, expiresAt });
+		console.log(`[dev-auto-sign-in] signed in as ${DEV_EMAIL}`);
+	} catch (err) {
+		console.warn(
+			`[dev-auto-sign-in] failed (is the API up at ${mainEnv.NEXT_PUBLIC_API_URL}?):`,
+			err,
+		);
+	}
+}
diff --git a/apps/desktop/src/main/lib/dev-workspace-name.ts b/apps/desktop/src/main/lib/dev-workspace-name.ts
index ee730f59e34..472a74404e6 100644
--- a/apps/desktop/src/main/lib/dev-workspace-name.ts
+++ b/apps/desktop/src/main/lib/dev-workspace-name.ts
@@ -2,6 +2,7 @@ import { existsSync } from "node:fs";
 import { homedir } from "node:os";
 import path from "node:path";
 import { workspaces, worktrees } from "@superset/local-db";
+import { isLocalProfile } from "@superset/shared/deployment-profile";
 import BetterSqlite3 from "better-sqlite3";
 import { and, desc, eq, isNull } from "drizzle-orm";
 import { getWorkspaceName as getEnvWorkspaceName } from "shared/env.shared";
@@ -102,16 +103,22 @@ export function resolveDevWorkspaceName(
 ): string | undefined {
 	if (!IS_DEV) return undefined;
 
+	const workspaceNameFromEnv = getEnvWorkspaceName();
 	const segments = getWorktreeSegmentsFromCwd(cwd);
-	if (!segments) return getEnvWorkspaceName();
+	if (!segments) return workspaceNameFromEnv;
 
 	const workspaceNameFromPath =
 		deriveWorkspaceNameFromWorktreeSegments(segments);
+
+	if (isLocalProfile()) {
+		return workspaceNameFromEnv ?? workspaceNameFromPath;
+	}
+
 	const worktreePath = getWorktreePathFromSegments(segments);
 	const workspaceNameFromDb = worktreePath
 		? (getWorkspaceNameForPathFromCurrentDb(worktreePath) ??
 			getWorkspaceNameForPathFromProdDb(worktreePath))
 		: undefined;
 
-	return workspaceNameFromDb ?? workspaceNameFromPath ?? getEnvWorkspaceName();
+	return workspaceNameFromDb ?? workspaceNameFromPath ?? workspaceNameFromEnv;
 }
diff --git a/apps/desktop/src/main/lib/relay-url/relay-url.ts b/apps/desktop/src/main/lib/relay-url/relay-url.ts
index eafc30e7f62..8574c6470cc 100644
--- a/apps/desktop/src/main/lib/relay-url/relay-url.ts
+++ b/apps/desktop/src/main/lib/relay-url/relay-url.ts
@@ -1,5 +1,5 @@
 import { FEATURE_FLAGS } from "@superset/shared/constants";
-import { env } from "main/env.main";
+import { deploymentProfile, env } from "main/env.main";
 import { getPosthogClient, getUserId } from "main/lib/analytics";
 
 interface RelayUrlPayload {
@@ -16,7 +16,13 @@ interface RelayUrlPayload {
  * opens land on the same URL.
  */
 export async function getRelayUrl(): Promise<string | undefined> {
-	const fallback = env.RELAY_URL;
+	const usesLenientLocalEnv =
+		deploymentProfile === "local" || deploymentProfile === "ci";
+	// Vite always injects RELAY_URL, so track whether the value came from a
+	// real env var before enabling local tunnels in contributor profiles.
+	const hasExplicitRelayUrl = process.env.SUPERSET_EXPLICIT_RELAY_URL === "1";
+	const fallback =
+		usesLenientLocalEnv && !hasExplicitRelayUrl ? undefined : env.RELAY_URL;
 	const client = getPosthogClient();
 	const userId = getUserId();
 	if (!client || !userId) return fallback;
diff --git a/apps/desktop/src/renderer/env.renderer.ts b/apps/desktop/src/renderer/env.renderer.ts
index 445b0be9d46..495be6feee9 100644
--- a/apps/desktop/src/renderer/env.renderer.ts
+++ b/apps/desktop/src/renderer/env.renderer.ts
@@ -15,16 +15,43 @@ const envSchema = z.object({
 	NODE_ENV: z
 		.enum(["development", "production", "test"])
 		.default("development"),
-	NEXT_PUBLIC_API_URL: z.url().default("https://api.superset.sh"),
-	NEXT_PUBLIC_WEB_URL: z.url().default("https://app.superset.sh"),
+	// Hosted defaults for prod builds. In dev builds Vite replaces
+	// NODE_ENV with "development", so the dev-time defaults below kick in
+	// and a fresh-clone contributor never silently syncs against
+	// production Electric / API.
+	NEXT_PUBLIC_API_URL: z
+		.url()
+		.default(
+			process.env.NODE_ENV === "development"
+				? "http://localhost:4641"
+				: "https://api.superset.sh",
+		),
+	NEXT_PUBLIC_WEB_URL: z
+		.url()
+		.default(
+			process.env.NODE_ENV === "development"
+				? "http://localhost:4640"
+				: "https://app.superset.sh",
+		),
 	NEXT_PUBLIC_MARKETING_URL: z.url().default("https://superset.sh"),
 	NEXT_PUBLIC_ELECTRIC_URL: z
 		.url()
-		.default("https://electric-proxy.avi-6ac.workers.dev"),
+		.default(
+			process.env.NODE_ENV === "development"
+				? "https://localhost:4650"
+				: "https://electric-proxy.avi-6ac.workers.dev",
+		),
 	NEXT_PUBLIC_POSTHOG_KEY: z.string().optional(),
 	NEXT_PUBLIC_POSTHOG_HOST: z.string().default("https://us.i.posthog.com"),
 	SENTRY_DSN_DESKTOP: z.string().optional(),
-	RELAY_URL: z.url().default("https://relay.superset.sh"),
+	SUPERSET_PROFILE: z.enum(["cloud", "local", "ci", "internal"]).optional(),
+	RELAY_URL: z
+		.url()
+		.default(
+			process.env.NODE_ENV === "development"
+				? "http://localhost:4653"
+				: "https://relay.superset.sh",
+		),
 });
 
 /**
@@ -47,6 +74,7 @@ const rawEnv = {
 		| string
 		| undefined,
 	SENTRY_DSN_DESKTOP: import.meta.env.SENTRY_DSN_DESKTOP as string | undefined,
+	SUPERSET_PROFILE: process.env.SUPERSET_PROFILE,
 	RELAY_URL: process.env.RELAY_URL,
 };
 
diff --git a/apps/desktop/src/renderer/routes/_authenticated/_dashboard/tasks/$taskId/components/PropertiesSidebar/components/OpenInWorkspaceV2/OpenInWorkspaceV2.tsx b/apps/desktop/src/renderer/routes/_authenticated/_dashboard/tasks/$taskId/components/PropertiesSidebar/components/OpenInWorkspaceV2/OpenInWorkspaceV2.tsx
index fc0c44460f4..6fc59ad5d73 100644
--- a/apps/desktop/src/renderer/routes/_authenticated/_dashboard/tasks/$taskId/components/PropertiesSidebar/components/OpenInWorkspaceV2/OpenInWorkspaceV2.tsx
+++ b/apps/desktop/src/renderer/routes/_authenticated/_dashboard/tasks/$taskId/components/PropertiesSidebar/components/OpenInWorkspaceV2/OpenInWorkspaceV2.tsx
@@ -56,9 +56,9 @@ export function OpenInWorkspaceV2({ task }: OpenInWorkspaceV2Props) {
 	const { machineId, activeHostUrl } = hostService;
 	const { otherHosts } = useWorkspaceHostOptions();
 	const { data: session } = authClient.useSession();
-	const activeOrganizationId = env.SKIP_ENV_VALIDATION
-		? MOCK_ORG_ID
-		: (session?.session?.activeOrganizationId ?? null);
+	const activeOrganizationId =
+		session?.session?.activeOrganizationId ??
+		(env.SKIP_ENV_VALIDATION ? MOCK_ORG_ID : null);
 
 	const { submit } = useWorkspaceCreates();
 	const lastProjectId = useV2WorkspaceCreateDefaultsStore(
diff --git a/apps/desktop/src/renderer/routes/_authenticated/_dashboard/tasks/components/TasksView/components/TasksTopBar/components/RunInWorkspacePopoverV2/RunInWorkspacePopoverV2.tsx b/apps/desktop/src/renderer/routes/_authenticated/_dashboard/tasks/components/TasksView/components/TasksTopBar/components/RunInWorkspacePopoverV2/RunInWorkspacePopoverV2.tsx
index d758e23487e..639578896d4 100644
--- a/apps/desktop/src/renderer/routes/_authenticated/_dashboard/tasks/components/TasksView/components/TasksTopBar/components/RunInWorkspacePopoverV2/RunInWorkspacePopoverV2.tsx
+++ b/apps/desktop/src/renderer/routes/_authenticated/_dashboard/tasks/components/TasksView/components/TasksTopBar/components/RunInWorkspacePopoverV2/RunInWorkspacePopoverV2.tsx
@@ -61,9 +61,9 @@ export function RunInWorkspacePopoverV2({
 	const hostService = useLocalHostService();
 	const { machineId, activeHostUrl } = hostService;
 	const { data: session } = authClient.useSession();
-	const activeOrganizationId = env.SKIP_ENV_VALIDATION
-		? MOCK_ORG_ID
-		: (session?.session?.activeOrganizationId ?? null);
+	const activeOrganizationId =
+		session?.session?.activeOrganizationId ??
+		(env.SKIP_ENV_VALIDATION ? MOCK_ORG_ID : null);
 	const { otherHosts } = useWorkspaceHostOptions();
 	const { submit } = useWorkspaceCreates();
 
diff --git a/apps/desktop/src/renderer/routes/_authenticated/_dashboard/tasks/components/TasksView/components/TasksTopBar/components/RunIssuesInWorkspacePopover/RunIssuesInWorkspacePopover.tsx b/apps/desktop/src/renderer/routes/_authenticated/_dashboard/tasks/components/TasksView/components/TasksTopBar/components/RunIssuesInWorkspacePopover/RunIssuesInWorkspacePopover.tsx
index b2023e809f6..52c39d07df4 100644
--- a/apps/desktop/src/renderer/routes/_authenticated/_dashboard/tasks/components/TasksView/components/TasksTopBar/components/RunIssuesInWorkspacePopover/RunIssuesInWorkspacePopover.tsx
+++ b/apps/desktop/src/renderer/routes/_authenticated/_dashboard/tasks/components/TasksView/components/TasksTopBar/components/RunIssuesInWorkspacePopover/RunIssuesInWorkspacePopover.tsx
@@ -65,9 +65,9 @@ export function RunIssuesInWorkspacePopover({
 	const hostService = useLocalHostService();
 	const { machineId, activeHostUrl } = hostService;
 	const { data: session } = authClient.useSession();
-	const activeOrganizationId = env.SKIP_ENV_VALIDATION
-		? MOCK_ORG_ID
-		: (session?.session?.activeOrganizationId ?? null);
+	const activeOrganizationId =
+		session?.session?.activeOrganizationId ??
+		(env.SKIP_ENV_VALIDATION ? MOCK_ORG_ID : null);
 	const { otherHosts } = useWorkspaceHostOptions();
 	const { submit } = useWorkspaceCreates();
 
diff --git a/apps/desktop/src/renderer/routes/_authenticated/_dashboard/v2-workspaces/hooks/useAccessibleV2Workspaces/useAccessibleV2Workspaces.ts b/apps/desktop/src/renderer/routes/_authenticated/_dashboard/v2-workspaces/hooks/useAccessibleV2Workspaces/useAccessibleV2Workspaces.ts
index eb904571c63..6a95ea646b5 100644
--- a/apps/desktop/src/renderer/routes/_authenticated/_dashboard/v2-workspaces/hooks/useAccessibleV2Workspaces/useAccessibleV2Workspaces.ts
+++ b/apps/desktop/src/renderer/routes/_authenticated/_dashboard/v2-workspaces/hooks/useAccessibleV2Workspaces/useAccessibleV2Workspaces.ts
@@ -221,9 +221,9 @@ export function useAccessibleV2Workspaces(
 	const collections = useCollections();
 	const { machineId } = useLocalHostService();
 
-	const activeOrganizationId = env.SKIP_ENV_VALIDATION
-		? MOCK_ORG_ID
-		: (session?.session?.activeOrganizationId ?? null);
+	const activeOrganizationId =
+		session?.session?.activeOrganizationId ??
+		(env.SKIP_ENV_VALIDATION ? MOCK_ORG_ID : null);
 	const currentUserId = session?.user?.id ?? null;
 
 	const { data: rows = [] } = useLiveQuery(
diff --git a/apps/desktop/src/renderer/routes/_authenticated/components/DashboardNewWorkspaceModal/components/DashboardNewWorkspaceForm/components/DevicePicker/hooks/useWorkspaceHostOptions/useWorkspaceHostOptions.ts b/apps/desktop/src/renderer/routes/_authenticated/components/DashboardNewWorkspaceModal/components/DashboardNewWorkspaceForm/components/DevicePicker/hooks/useWorkspaceHostOptions/useWorkspaceHostOptions.ts
index b96c7534db5..6014b9ee911 100644
--- a/apps/desktop/src/renderer/routes/_authenticated/components/DashboardNewWorkspaceModal/components/DashboardNewWorkspaceForm/components/DevicePicker/hooks/useWorkspaceHostOptions/useWorkspaceHostOptions.ts
+++ b/apps/desktop/src/renderer/routes/_authenticated/components/DashboardNewWorkspaceModal/components/DashboardNewWorkspaceForm/components/DevicePicker/hooks/useWorkspaceHostOptions/useWorkspaceHostOptions.ts
@@ -26,9 +26,9 @@ export function useWorkspaceHostOptions(): UseWorkspaceHostOptionsResult {
 	const collections = useCollections();
 	const { machineId, activeHostUrl } = useLocalHostService();
 
-	const activeOrganizationId = env.SKIP_ENV_VALIDATION
-		? MOCK_ORG_ID
-		: (session?.session?.activeOrganizationId ?? null);
+	const activeOrganizationId =
+		session?.session?.activeOrganizationId ??
+		(env.SKIP_ENV_VALIDATION ? MOCK_ORG_ID : null);
 	const currentUserId = session?.user?.id ?? null;
 
 	const { data: accessibleHosts = [] } = useLiveQuery(
diff --git a/apps/desktop/src/renderer/routes/_authenticated/components/DashboardNewWorkspaceModal/components/DashboardNewWorkspaceModalContent/DashboardNewWorkspaceModalContent.tsx b/apps/desktop/src/renderer/routes/_authenticated/components/DashboardNewWorkspaceModal/components/DashboardNewWorkspaceModalContent/DashboardNewWorkspaceModalContent.tsx
index da8399adba2..da6b96ba19d 100644
--- a/apps/desktop/src/renderer/routes/_authenticated/components/DashboardNewWorkspaceModal/components/DashboardNewWorkspaceModalContent/DashboardNewWorkspaceModalContent.tsx
+++ b/apps/desktop/src/renderer/routes/_authenticated/components/DashboardNewWorkspaceModal/components/DashboardNewWorkspaceModalContent/DashboardNewWorkspaceModalContent.tsx
@@ -32,9 +32,9 @@ export function DashboardNewWorkspaceModalContent({
 	);
 	const collections = useCollections();
 	const { data: session } = authClient.useSession();
-	const activeOrganizationId = env.SKIP_ENV_VALIDATION
-		? MOCK_ORG_ID
-		: (session?.session?.activeOrganizationId ?? null);
+	const activeOrganizationId =
+		session?.session?.activeOrganizationId ??
+		(env.SKIP_ENV_VALIDATION ? MOCK_ORG_ID : null);
 
 	const { data: v2Projects } = useLiveQuery(
 		(q) =>
diff --git a/apps/desktop/src/renderer/routes/_authenticated/components/V1ImportModal/V1ImportModal.tsx b/apps/desktop/src/renderer/routes/_authenticated/components/V1ImportModal/V1ImportModal.tsx
index bd292fd0e90..8b127423c10 100644
--- a/apps/desktop/src/renderer/routes/_authenticated/components/V1ImportModal/V1ImportModal.tsx
+++ b/apps/desktop/src/renderer/routes/_authenticated/components/V1ImportModal/V1ImportModal.tsx
@@ -27,9 +27,9 @@ export function V1ImportModal() {
 	const close = useCloseV1ImportModal();
 	const { data: session } = authClient.useSession();
 	const { activeHostUrl } = useLocalHostService();
-	const organizationId = env.SKIP_ENV_VALIDATION
-		? MOCK_ORG_ID
-		: (session?.session?.activeOrganizationId ?? null);
+	const organizationId =
+		session?.session?.activeOrganizationId ??
+		(env.SKIP_ENV_VALIDATION ? MOCK_ORG_ID : null);
 
 	if (!organizationId) return null;
 
diff --git a/apps/desktop/src/renderer/routes/_authenticated/layout.tsx b/apps/desktop/src/renderer/routes/_authenticated/layout.tsx
index dbc28401f70..4717948ec01 100644
--- a/apps/desktop/src/renderer/routes/_authenticated/layout.tsx
+++ b/apps/desktop/src/renderer/routes/_authenticated/layout.tsx
@@ -62,9 +62,9 @@ function AuthenticatedLayout() {
 	const isV2CloudEnabled = useIsV2CloudEnabled();
 
 	const isSignedIn = env.SKIP_ENV_VALIDATION || !!session?.user;
-	const activeOrganizationId = env.SKIP_ENV_VALIDATION
-		? MOCK_ORG_ID
-		: session?.session?.activeOrganizationId;
+	const activeOrganizationId =
+		session?.session?.activeOrganizationId ??
+		(env.SKIP_ENV_VALIDATION ? MOCK_ORG_ID : null);
 
 	useAgentHookListener();
 	useUpdateListener();
diff --git a/apps/desktop/src/renderer/routes/_authenticated/providers/CollectionsProvider/CollectionsProvider.tsx b/apps/desktop/src/renderer/routes/_authenticated/providers/CollectionsProvider/CollectionsProvider.tsx
index f5562295086..518fb6b4495 100644
--- a/apps/desktop/src/renderer/routes/_authenticated/providers/CollectionsProvider/CollectionsProvider.tsx
+++ b/apps/desktop/src/renderer/routes/_authenticated/providers/CollectionsProvider/CollectionsProvider.tsx
@@ -33,9 +33,9 @@ export function preloadActiveOrganizationCollections(
 export function CollectionsProvider({ children }: { children: ReactNode }) {
 	const { data: session, refetch: refetchSession } = authClient.useSession();
 	const [isSwitching, setIsSwitching] = useState(false);
-	const activeOrganizationId = env.SKIP_ENV_VALIDATION
-		? MOCK_ORG_ID
-		: session?.session?.activeOrganizationId;
+	const activeOrganizationId =
+		session?.session?.activeOrganizationId ??
+		(env.SKIP_ENV_VALIDATION ? MOCK_ORG_ID : null);
 
 	const switchOrganization = useCallback(
 		async (organizationId: string) => {
diff --git a/apps/desktop/src/renderer/routes/_authenticated/providers/LocalHostServiceProvider/LocalHostServiceProvider.tsx b/apps/desktop/src/renderer/routes/_authenticated/providers/LocalHostServiceProvider/LocalHostServiceProvider.tsx
index 9f2b09c8f43..ea26b80efa9 100644
--- a/apps/desktop/src/renderer/routes/_authenticated/providers/LocalHostServiceProvider/LocalHostServiceProvider.tsx
+++ b/apps/desktop/src/renderer/routes/_authenticated/providers/LocalHostServiceProvider/LocalHostServiceProvider.tsx
@@ -35,9 +35,9 @@ export function LocalHostServiceProvider({
 	const { mutate: startHostService } =
 		electronTrpc.hostServiceCoordinator.start.useMutation();
 
-	const activeOrganizationId = env.SKIP_ENV_VALIDATION
-		? MOCK_ORG_ID
-		: (session?.session?.activeOrganizationId ?? null);
+	const activeOrganizationId =
+		session?.session?.activeOrganizationId ??
+		(env.SKIP_ENV_VALIDATION ? MOCK_ORG_ID : null);
 
 	const { data: organizations } = useLiveQuery(
 		(q) => q.from({ organizations: collections.organizations }),
diff --git a/apps/desktop/src/renderer/routes/_authenticated/settings/hosts/components/HostsSettingsSidebar/HostsSettingsSidebar.tsx b/apps/desktop/src/renderer/routes/_authenticated/settings/hosts/components/HostsSettingsSidebar/HostsSettingsSidebar.tsx
index 0b4567a52e4..5a0c0454b7d 100644
--- a/apps/desktop/src/renderer/routes/_authenticated/settings/hosts/components/HostsSettingsSidebar/HostsSettingsSidebar.tsx
+++ b/apps/desktop/src/renderer/routes/_authenticated/settings/hosts/components/HostsSettingsSidebar/HostsSettingsSidebar.tsx
@@ -30,9 +30,9 @@ export function HostsSettingsSidebar({
 	const collections = useCollections();
 	const { data: session } = authClient.useSession();
 
-	const activeOrganizationId = env.SKIP_ENV_VALIDATION
-		? MOCK_ORG_ID
-		: (session?.session?.activeOrganizationId ?? null);
+	const activeOrganizationId =
+		session?.session?.activeOrganizationId ??
+		(env.SKIP_ENV_VALIDATION ? MOCK_ORG_ID : null);
 
 	const { data: hosts = [] } = useLiveQuery(
 		(q) =>
diff --git a/apps/desktop/src/renderer/routes/_authenticated/settings/hosts/page.tsx b/apps/desktop/src/renderer/routes/_authenticated/settings/hosts/page.tsx
index 643c8e8adbd..3c50905ddd5 100644
--- a/apps/desktop/src/renderer/routes/_authenticated/settings/hosts/page.tsx
+++ b/apps/desktop/src/renderer/routes/_authenticated/settings/hosts/page.tsx
@@ -16,9 +16,9 @@ function HostsIndexPage() {
 	const { data: session } = authClient.useSession();
 	const navigate = useNavigate();
 
-	const activeOrganizationId = env.SKIP_ENV_VALIDATION
-		? MOCK_ORG_ID
-		: (session?.session?.activeOrganizationId ?? null);
+	const activeOrganizationId =
+		session?.session?.activeOrganizationId ??
+		(env.SKIP_ENV_VALIDATION ? MOCK_ORG_ID : null);
 
 	const { data: hosts = [] } = useLiveQuery(
 		(q) =>
diff --git a/apps/desktop/src/renderer/routes/_authenticated/settings/projects/$projectId/page.tsx b/apps/desktop/src/renderer/routes/_authenticated/settings/projects/$projectId/page.tsx
index e19226947d5..94f2d8da568 100644
--- a/apps/desktop/src/renderer/routes/_authenticated/settings/projects/$projectId/page.tsx
+++ b/apps/desktop/src/renderer/routes/_authenticated/settings/projects/$projectId/page.tsx
@@ -29,9 +29,9 @@ function ProjectDetailPage() {
 	const { data: session } = authClient.useSession();
 	const searchQuery = useSettingsSearchQuery();
 
-	const activeOrganizationId = env.SKIP_ENV_VALIDATION
-		? MOCK_ORG_ID
-		: (session?.session?.activeOrganizationId ?? null);
+	const activeOrganizationId =
+		session?.session?.activeOrganizationId ??
+		(env.SKIP_ENV_VALIDATION ? MOCK_ORG_ID : null);
 
 	const { data: v2Match = [] } = useLiveQuery(
 		(q) =>
diff --git a/apps/desktop/src/renderer/routes/_authenticated/settings/projects/components/ProjectsSettingsSidebar/ProjectsSettingsSidebar.tsx b/apps/desktop/src/renderer/routes/_authenticated/settings/projects/components/ProjectsSettingsSidebar/ProjectsSettingsSidebar.tsx
index ce7d751ecc4..bedd6a8612b 100644
--- a/apps/desktop/src/renderer/routes/_authenticated/settings/projects/components/ProjectsSettingsSidebar/ProjectsSettingsSidebar.tsx
+++ b/apps/desktop/src/renderer/routes/_authenticated/settings/projects/components/ProjectsSettingsSidebar/ProjectsSettingsSidebar.tsx
@@ -31,9 +31,9 @@ export function ProjectsSettingsSidebar({
 	const collections = useCollections();
 	const { data: session } = authClient.useSession();
 
-	const activeOrganizationId = env.SKIP_ENV_VALIDATION
-		? MOCK_ORG_ID
-		: (session?.session?.activeOrganizationId ?? null);
+	const activeOrganizationId =
+		session?.session?.activeOrganizationId ??
+		(env.SKIP_ENV_VALIDATION ? MOCK_ORG_ID : null);
 
 	const { data: groups = [] } =
 		electronTrpc.workspaces.getAllGrouped.useQuery();
diff --git a/apps/desktop/src/renderer/routes/_authenticated/settings/projects/page.tsx b/apps/desktop/src/renderer/routes/_authenticated/settings/projects/page.tsx
index 5db0608732d..60605248b49 100644
--- a/apps/desktop/src/renderer/routes/_authenticated/settings/projects/page.tsx
+++ b/apps/desktop/src/renderer/routes/_authenticated/settings/projects/page.tsx
@@ -17,9 +17,9 @@ function ProjectsIndexPage() {
 	const { data: session } = authClient.useSession();
 	const navigate = useNavigate();
 
-	const activeOrganizationId = env.SKIP_ENV_VALIDATION
-		? MOCK_ORG_ID
-		: (session?.session?.activeOrganizationId ?? null);
+	const activeOrganizationId =
+		session?.session?.activeOrganizationId ??
+		(env.SKIP_ENV_VALIDATION ? MOCK_ORG_ID : null);
 
 	const { data: groups = [] } =
 		electronTrpc.workspaces.getAllGrouped.useQuery();
diff --git a/apps/desktop/src/renderer/routes/_authenticated/setup/project/page.tsx b/apps/desktop/src/renderer/routes/_authenticated/setup/project/page.tsx
index fe5b99a03f3..10626d1ce1f 100644
--- a/apps/desktop/src/renderer/routes/_authenticated/setup/project/page.tsx
+++ b/apps/desktop/src/renderer/routes/_authenticated/setup/project/page.tsx
@@ -26,9 +26,9 @@ function OnboardingProjectPage() {
 	const markSkipped = useOnboardingStore((s) => s.markSkipped);
 
 	const { data: session } = authClient.useSession();
-	const activeOrganizationId = env.SKIP_ENV_VALIDATION
-		? MOCK_ORG_ID
-		: (session?.session?.activeOrganizationId ?? null);
+	const activeOrganizationId =
+		session?.session?.activeOrganizationId ??
+		(env.SKIP_ENV_VALIDATION ? MOCK_ORG_ID : null);
 
 	const { data: projects = [], isLoading } = useQuery({
 		queryKey: ["onboarding", "v2Projects", activeOrganizationId],
diff --git a/apps/desktop/src/renderer/routes/sign-in/components/LocalDevAuthForm/LocalDevAuthForm.tsx b/apps/desktop/src/renderer/routes/sign-in/components/LocalDevAuthForm/LocalDevAuthForm.tsx
new file mode 100644
index 00000000000..e0f1f6bc881
--- /dev/null
+++ b/apps/desktop/src/renderer/routes/sign-in/components/LocalDevAuthForm/LocalDevAuthForm.tsx
@@ -0,0 +1,148 @@
+import { Button } from "@superset/ui/button";
+import { Input } from "@superset/ui/input";
+import { Label } from "@superset/ui/label";
+import { useNavigate } from "@tanstack/react-router";
+import { type FormEvent, useState } from "react";
+import { env } from "renderer/env.renderer";
+import { setAuthToken } from "renderer/lib/auth-client";
+import { electronTrpc } from "renderer/lib/electron-trpc";
+
+const DEV_EMAIL = "admin@local.test";
+const DEV_PASSWORD = "supersetdev";
+const DEV_NAME = "Local Admin";
+const TOKEN_TTL_MS = 1000 * 60 * 60 * 24 * 30;
+
+interface AuthResponse {
+	token?: string;
+}
+
+interface AuthErrorBody {
+	code?: string;
+	message?: string;
+}
+
+async function postAuth(
+	path: string,
+	body: Record<string, unknown>,
+): Promise<{
+	ok: boolean;
+	status: number;
+	data: AuthResponse | AuthErrorBody;
+}> {
+	const res = await fetch(`${env.NEXT_PUBLIC_API_URL}${path}`, {
+		method: "POST",
+		headers: { "Content-Type": "application/json" },
+		credentials: "omit",
+		body: JSON.stringify(body),
+	});
+	const data = (await res.json().catch(() => ({}))) as
+		| AuthResponse
+		| AuthErrorBody;
+	return { ok: res.ok, status: res.status, data };
+}
+
+export function LocalDevAuthForm() {
+	const navigate = useNavigate();
+	const persistToken = electronTrpc.auth.persistToken.useMutation();
+	const [email, setEmail] = useState(DEV_EMAIL);
+	const [password, setPassword] = useState(DEV_PASSWORD);
+	const [error, setError] = useState<string | null>(null);
+	const [submitting, setSubmitting] = useState(false);
+
+	const onSubmit = async (event: FormEvent) => {
+		event.preventDefault();
+		setError(null);
+		setSubmitting(true);
+
+		try {
+			let signIn = await postAuth("/api/auth/sign-in/email", {
+				email,
+				password,
+			});
+
+			const errBody = signIn.data as AuthErrorBody;
+			if (
+				!signIn.ok &&
+				errBody.code === "INVALID_EMAIL_OR_PASSWORD" &&
+				email === DEV_EMAIL &&
+				password === DEV_PASSWORD
+			) {
+				const signUp = await postAuth("/api/auth/sign-up/email", {
+					email,
+					password,
+					name: DEV_NAME,
+				});
+				if (!signUp.ok) {
+					const signUpError = signUp.data as AuthErrorBody;
+					throw new Error(
+						signUpError.message ?? `Sign-up failed (${signUp.status})`,
+					);
+				}
+
+				signIn = await postAuth("/api/auth/sign-in/email", {
+					email,
+					password,
+				});
+			}
+
+			if (!signIn.ok) {
+				const signInError = signIn.data as AuthErrorBody;
+				throw new Error(
+					signInError.message ?? `Sign-in failed (${signIn.status})`,
+				);
+			}
+
+			const token = (signIn.data as AuthResponse).token;
+			if (!token) throw new Error("Sign-in did not return a token");
+
+			const expiresAt = new Date(Date.now() + TOKEN_TTL_MS).toISOString();
+			await persistToken.mutateAsync({ token, expiresAt });
+			setAuthToken(token);
+			await navigate({ to: "/workspace", replace: true });
+		} catch (err) {
+			setError(err instanceof Error ? err.message : "Sign-in failed");
+			setSubmitting(false);
+		}
+	};
+
+	return (
+		<form className="grid gap-3" onSubmit={onSubmit}>
+			<div className="grid gap-1.5">
+				<Label htmlFor="local-dev-email" className="text-xs">
+					Email
+				</Label>
+				<Input
+					id="local-dev-email"
+					type="email"
+					autoComplete="email"
+					value={email}
+					onChange={(event) => setEmail(event.target.value)}
+					required
+				/>
+			</div>
+			<div className="grid gap-1.5">
+				<Label htmlFor="local-dev-password" className="text-xs">
+					Password
+				</Label>
+				<Input
+					id="local-dev-password"
+					type="password"
+					autoComplete="current-password"
+					value={password}
+					onChange={(event) => setPassword(event.target.value)}
+					required
+					minLength={8}
+				/>
+			</div>
+			{error && <p className="text-destructive text-xs">{error}</p>}
+			<Button
+				type="submit"
+				size="lg"
+				className="w-full"
+				disabled={submitting || persistToken.isPending}
+			>
+				{submitting || persistToken.isPending ? "Signing in..." : "Sign in"}
+			</Button>
+		</form>
+	);
+}
diff --git a/apps/desktop/src/renderer/routes/sign-in/components/LocalDevAuthForm/index.ts b/apps/desktop/src/renderer/routes/sign-in/components/LocalDevAuthForm/index.ts
new file mode 100644
index 00000000000..9514c0436a0
--- /dev/null
+++ b/apps/desktop/src/renderer/routes/sign-in/components/LocalDevAuthForm/index.ts
@@ -0,0 +1 @@
+export { LocalDevAuthForm } from "./LocalDevAuthForm";
diff --git a/apps/desktop/src/renderer/routes/sign-in/page.tsx b/apps/desktop/src/renderer/routes/sign-in/page.tsx
index ddfc693a961..d7d7f5eb4e2 100644
--- a/apps/desktop/src/renderer/routes/sign-in/page.tsx
+++ b/apps/desktop/src/renderer/routes/sign-in/page.tsx
@@ -7,6 +7,7 @@ import { FcGoogle } from "react-icons/fc";
 import { env } from "renderer/env.renderer";
 import { track } from "renderer/lib/analytics";
 import { electronTrpc } from "renderer/lib/electron-trpc";
+import { LocalDevAuthForm } from "./components/LocalDevAuthForm";
 import { SupersetLogo } from "./components/SupersetLogo";
 import { useSessionRecovery } from "./hooks/useSessionRecovery";
 
@@ -17,9 +18,10 @@ export const Route = createFileRoute("/sign-in/")({
 function SignInPage() {
 	const signInMutation = electronTrpc.auth.signIn.useMutation();
 	const { hasLocalToken, isPending, session } = useSessionRecovery();
+	const isLocalProfile = env.SUPERSET_PROFILE === "local";
 
-	// Dev bypass: skip sign-in entirely
-	if (env.SKIP_ENV_VALIDATION) {
+	// Dev bypass: AuthProvider handles auto-sign-in; if session lands, redirect
+	if (env.SKIP_ENV_VALIDATION && session?.user) {
 		return <Navigate to="/workspace" replace />;
 	}
 
@@ -63,7 +65,11 @@ function SignInPage() {
 						</p>
 					</div>
 
-					<div className="flex flex-col gap-3 w-full max-w-xs">
+					<div className="flex w-full max-w-xs flex-col gap-3">
+						{isLocalProfile && <LocalDevAuthForm />}
+
+						{isLocalProfile && <div className="h-px bg-border" />}
+
 						<Button
 							variant="outline"
 							size="lg"
diff --git a/apps/desktop/vite/helpers.ts b/apps/desktop/vite/helpers.ts
index b2552e2dba6..fd4c4c949c0 100644
--- a/apps/desktop/vite/helpers.ts
+++ b/apps/desktop/vite/helpers.ts
@@ -23,6 +23,25 @@ export function defineEnv(
 	return JSON.stringify(value ?? fallback);
 }
 
+/**
+ * Returns a URL appropriate for the current build:
+ *   - the configured `process.env[key]` if set
+ *   - the dev fallback in development builds (fresh-clone OSS contributors)
+ *   - the prod fallback otherwise (hosted production)
+ *
+ * Avoids fresh-clone OSS dev sessions silently syncing against hosted
+ * production Electric / API / relay endpoints.
+ */
+export function devOrProdUrl(
+	envKey: string,
+	devFallback: string,
+	prodFallback: string,
+): string {
+	const value = process.env[envKey];
+	if (value) return value;
+	return process.env.NODE_ENV === "development" ? devFallback : prodFallback;
+}
+
 const RESOURCES_TO_COPY = [
 	{
 		src: resolve(__dirname, "..", resources, "sounds"),
@@ -76,22 +95,37 @@ export function htmlEnvTransformPlugin(): Plugin {
 			return html
 				.replace(
 					/%NEXT_PUBLIC_API_URL%/g,
-					process.env.NEXT_PUBLIC_API_URL || "https://api.superset.sh",
+					devOrProdUrl(
+						"NEXT_PUBLIC_API_URL",
+						"http://localhost:4641",
+						"https://api.superset.sh",
+					),
 				)
 				.replace(
 					/%NEXT_PUBLIC_ELECTRIC_URL%/g,
 					new URL(
-						process.env.NEXT_PUBLIC_ELECTRIC_URL ||
+						devOrProdUrl(
+							"NEXT_PUBLIC_ELECTRIC_URL",
+							"https://localhost:4650",
 							"https://electric-proxy.avi-6ac.workers.dev",
+						),
 					).origin,
 				)
 				.replace(
 					/%NEXT_PUBLIC_STREAMS_URL%/g,
-					process.env.NEXT_PUBLIC_STREAMS_URL || "https://streams.superset.sh",
+					devOrProdUrl(
+						"NEXT_PUBLIC_STREAMS_URL",
+						"http://localhost:4647",
+						"https://streams.superset.sh",
+					),
 				)
 				.replace(
 					/%RELAY_URL%/g,
-					process.env.RELAY_URL || "https://relay.superset.sh",
+					devOrProdUrl(
+						"RELAY_URL",
+						"http://localhost:4653",
+						"https://relay.superset.sh",
+					),
 				);
 		},
 	};
diff --git a/apps/docs/src/env.ts b/apps/docs/src/env.ts
index 0343e017bba..af9e47cba2a 100644
--- a/apps/docs/src/env.ts
+++ b/apps/docs/src/env.ts
@@ -1,7 +1,10 @@
+import { shouldSkipEnvValidation } from "@superset/shared/deployment-profile";
 import { createEnv } from "@t3-oss/env-nextjs";
 import { vercel } from "@t3-oss/env-nextjs/presets-zod";
 import { z } from "zod";
 
+const skipValidation = shouldSkipEnvValidation();
+
 export const env = createEnv({
 	extends: [vercel()],
 	shared: {
@@ -33,6 +36,6 @@ export const env = createEnv({
 		NEXT_PUBLIC_SENTRY_ENVIRONMENT: process.env.NEXT_PUBLIC_SENTRY_ENVIRONMENT,
 	},
 
-	skipValidation: !!process.env.SKIP_ENV_VALIDATION,
+	skipValidation,
 	emptyStringAsUndefined: true,
 });
diff --git a/apps/electric-proxy/.dev.vars.example b/apps/electric-proxy/.dev.vars.example
index afd284e77b0..b7a68d9fe39 100644
--- a/apps/electric-proxy/.dev.vars.example
+++ b/apps/electric-proxy/.dev.vars.example
@@ -1,5 +1,10 @@
-AUTH_URL=http://localhost:3141
-ELECTRIC_SHAPE_URL=http://localhost:3069/v1/shape
+# Defaults match docker-compose.dev.yml (Electric on host port 4649)
+# and the local contributor `bun dev` ports (API on 4641).
+#
+# Internal devs: setup.sh regenerates this with per-workspace ports.
+# External contributors: cp .dev.vars.example .dev.vars and run `bun dev`.
+AUTH_URL=http://localhost:4641
+ELECTRIC_SHAPE_URL=http://localhost:4649/v1/shape
 ELECTRIC_SECRET=local_electric_dev_secret
 ELECTRIC_SOURCE_ID=
 ELECTRIC_SOURCE_SECRET=
diff --git a/apps/marketing/src/env.ts b/apps/marketing/src/env.ts
index c962325f8cc..0ae1560eb44 100644
--- a/apps/marketing/src/env.ts
+++ b/apps/marketing/src/env.ts
@@ -1,7 +1,10 @@
+import { shouldSkipEnvValidation } from "@superset/shared/deployment-profile";
 import { createEnv } from "@t3-oss/env-nextjs";
 import { vercel } from "@t3-oss/env-nextjs/presets-zod";
 import { z } from "zod";
 
+const skipValidation = shouldSkipEnvValidation();
+
 export const env = createEnv({
 	extends: [vercel()],
 	shared: {
@@ -42,5 +45,5 @@ export const env = createEnv({
 			process.env.NEXT_PUBLIC_SENTRY_DSN_MARKETING,
 		NEXT_PUBLIC_SENTRY_ENVIRONMENT: process.env.NEXT_PUBLIC_SENTRY_ENVIRONMENT,
 	},
-	skipValidation: !!process.env.SKIP_ENV_VALIDATION,
+	skipValidation,
 });
diff --git a/apps/relay/src/env.ts b/apps/relay/src/env.ts
index d1aae3c0d08..25966a56c2e 100644
--- a/apps/relay/src/env.ts
+++ b/apps/relay/src/env.ts
@@ -1,6 +1,9 @@
+import { shouldSkipEnvValidation } from "@superset/shared/deployment-profile";
 import { createEnv } from "@t3-oss/env-core";
 import { z } from "zod";
 
+const skipValidation = shouldSkipEnvValidation();
+
 export const env = createEnv({
 	server: {
 		RELAY_PORT: z.coerce.number().int().positive().default(8080),
@@ -15,5 +18,5 @@ export const env = createEnv({
 	},
 	runtimeEnv: process.env,
 	emptyStringAsUndefined: true,
-	skipValidation: !!process.env.SKIP_ENV_VALIDATION,
+	skipValidation,
 });
diff --git a/apps/web/src/app/(auth)/components/DevAuthForm/DevAuthForm.tsx b/apps/web/src/app/(auth)/components/DevAuthForm/DevAuthForm.tsx
new file mode 100644
index 00000000000..d07f9a35f6a
--- /dev/null
+++ b/apps/web/src/app/(auth)/components/DevAuthForm/DevAuthForm.tsx
@@ -0,0 +1,103 @@
+"use client";
+
+import { authClient } from "@superset/auth/client";
+import { Button } from "@superset/ui/button";
+import { Input } from "@superset/ui/input";
+import { Label } from "@superset/ui/label";
+import { useRouter } from "next/navigation";
+import { useState } from "react";
+
+interface DevAuthFormProps {
+	mode: "sign-in" | "sign-up";
+	callbackURL: string;
+}
+
+export function DevAuthForm({ mode, callbackURL }: DevAuthFormProps) {
+	const router = useRouter();
+	const [email, setEmail] = useState(
+		mode === "sign-up" ? "" : "admin@local.test",
+	);
+	const [password, setPassword] = useState(
+		mode === "sign-up" ? "" : "supersetdev",
+	);
+	const [name, setName] = useState("");
+	const [submitting, setSubmitting] = useState(false);
+	const [error, setError] = useState<string | null>(null);
+
+	const onSubmit = async (e: React.FormEvent) => {
+		e.preventDefault();
+		setSubmitting(true);
+		setError(null);
+
+		try {
+			if (mode === "sign-up") {
+				const res = await authClient.signUp.email({
+					email,
+					password,
+					name: name || email.split("@")[0] || "Dev User",
+				});
+				if (res.error) throw new Error(res.error.message);
+			} else {
+				const res = await authClient.signIn.email({ email, password });
+				if (res.error) throw new Error(res.error.message);
+			}
+			router.push(callbackURL);
+		} catch (err) {
+			const message =
+				err instanceof Error ? err.message : "Authentication failed";
+			setError(message);
+			setSubmitting(false);
+		}
+	};
+
+	return (
+		<form onSubmit={onSubmit} className="grid gap-3 rounded-md border p-4">
+			<p className="text-muted-foreground text-xs">
+				Dev only — email + password auth
+			</p>
+			{mode === "sign-up" && (
+				<div className="grid gap-1.5">
+					<Label htmlFor="name" className="text-xs">
+						Name
+					</Label>
+					<Input
+						id="name"
+						type="text"
+						value={name}
+						onChange={(e) => setName(e.target.value)}
+						placeholder="Optional"
+					/>
+				</div>
+			)}
+			<div className="grid gap-1.5">
+				<Label htmlFor="email" className="text-xs">
+					Email
+				</Label>
+				<Input
+					id="email"
+					type="email"
+					value={email}
+					onChange={(e) => setEmail(e.target.value)}
+					required
+				/>
+			</div>
+			<div className="grid gap-1.5">
+				<Label htmlFor="password" className="text-xs">
+					Password
+				</Label>
+				<Input
+					id="password"
+					type="password"
+					value={password}
+					onChange={(e) => setPassword(e.target.value)}
+					required
+					minLength={8}
+				/>
+			</div>
+			{error && <p className="text-destructive text-xs">{error}</p>}
+			<Button type="submit" disabled={submitting} className="w-full">
+				{submitting ? "..." : mode === "sign-up" ? "Create account" : "Sign in"}
+			</Button>
+		</form>
+	);
+}
diff --git a/apps/web/src/app/(auth)/components/DevAuthForm/index.ts b/apps/web/src/app/(auth)/components/DevAuthForm/index.ts
new file mode 100644
index 00000000000..eddbcfa938b
--- /dev/null
+++ b/apps/web/src/app/(auth)/components/DevAuthForm/index.ts
@@ -0,0 +1 @@
+export { DevAuthForm } from "./DevAuthForm";
diff --git a/apps/web/src/app/(auth)/sign-in/[[...sign-in]]/page.tsx b/apps/web/src/app/(auth)/sign-in/[[...sign-in]]/page.tsx
index b27142e33f0..63049a01b27 100644
--- a/apps/web/src/app/(auth)/sign-in/[[...sign-in]]/page.tsx
+++ b/apps/web/src/app/(auth)/sign-in/[[...sign-in]]/page.tsx
@@ -8,6 +8,9 @@ import { useState } from "react";
 import { FaGithub } from "react-icons/fa";
 import { FcGoogle } from "react-icons/fc";
 import { env } from "@/env";
+import { DevAuthForm } from "../../components/DevAuthForm";
+
+const isDev = process.env.NODE_ENV !== "production";
 
 export default function SignInPage() {
 	const searchParams = useSearchParams();
@@ -66,6 +69,7 @@ export default function SignInPage() {
 				{error && (
 					<p className="text-destructive text-center text-sm">{error}</p>
 				)}
+				{isDev && <DevAuthForm mode="sign-in" callbackURL={callbackURL} />}
 				<Button
 					variant="outline"
 					disabled={isLoading}
diff --git a/apps/web/src/app/(auth)/sign-up/[[...sign-up]]/page.tsx b/apps/web/src/app/(auth)/sign-up/[[...sign-up]]/page.tsx
index dd9b579cd65..66a2e56b728 100644
--- a/apps/web/src/app/(auth)/sign-up/[[...sign-up]]/page.tsx
+++ b/apps/web/src/app/(auth)/sign-up/[[...sign-up]]/page.tsx
@@ -7,6 +7,9 @@ import { useState } from "react";
 import { FaGithub } from "react-icons/fa";
 import { FcGoogle } from "react-icons/fc";
 import { env } from "@/env";
+import { DevAuthForm } from "../../components/DevAuthForm";
+
+const isDev = process.env.NODE_ENV !== "production";
 
 export default function SignUpPage() {
 	const [isLoadingGoogle, setIsLoadingGoogle] = useState(false);
@@ -61,6 +64,9 @@ export default function SignUpPage() {
 				{error && (
 					<p className="text-destructive text-center text-sm">{error}</p>
 				)}
+				{isDev && (
+					<DevAuthForm mode="sign-up" callbackURL={env.NEXT_PUBLIC_WEB_URL} />
+				)}
 				<Button
 					variant="outline"
 					disabled={isLoading}
diff --git a/apps/web/src/env.ts b/apps/web/src/env.ts
index cd3c34a2cb6..251eb3efa61 100644
--- a/apps/web/src/env.ts
+++ b/apps/web/src/env.ts
@@ -1,7 +1,10 @@
+import { shouldSkipEnvValidation } from "@superset/shared/deployment-profile";
 import { createEnv } from "@t3-oss/env-nextjs";
 import { vercel } from "@t3-oss/env-nextjs/presets-zod";
 import { z } from "zod";
 
+const skipValidation = shouldSkipEnvValidation();
+
 export const env = createEnv({
 	extends: [vercel()],
 	shared: {
@@ -53,6 +56,6 @@ export const env = createEnv({
 		NEXT_PUBLIC_SENTRY_ENVIRONMENT: process.env.NEXT_PUBLIC_SENTRY_ENVIRONMENT,
 	},
 
-	skipValidation: !!process.env.SKIP_ENV_VALIDATION,
+	skipValidation,
 	emptyStringAsUndefined: true,
 });
diff --git a/bun.lock b/bun.lock
index e80518d5049..f32632d301d 100644
--- a/bun.lock
+++ b/bun.lock
@@ -729,11 +729,13 @@
         "@t3-oss/env-core": "0.13.11",
         "dotenv": "17.3.1",
         "drizzle-orm": "0.45.2",
+        "pg": "8.20.0",
         "zod": "4.3.6",
       },
       "devDependencies": {
         "@superset/typescript": "workspace:*",
         "@types/node": "24.12.0",
+        "@types/pg": "8.20.0",
         "bun-types": "1.3.11",
         "drizzle-kit": "0.31.8",
         "typescript": "5.9.3",
diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
new file mode 100644
index 00000000000..27da81a29bb
--- /dev/null
+++ b/docker-compose.dev.yml
@@ -0,0 +1,47 @@
+# Local dev services for external contributors.
+#
+# Brings up Postgres + Electric SQL on stable host ports so a fresh clone
+# can talk to both immediately. Internal devs use `.superset/setup.sh`
+# instead (Neon branches + per-workspace Electric containers).
+#
+#   bun setup:local
+#
+# See docs/LOCAL_DEVELOPMENT.md for full setup.
+
+services:
+  postgres:
+    image: postgres:16
+    container_name: superset-pg
+    command: ["postgres", "-c", "wal_level=logical"]
+    environment:
+      POSTGRES_USER: superset
+      POSTGRES_PASSWORD: superset
+      POSTGRES_DB: superset
+    ports:
+      # 5433 to avoid clobbering a host Postgres on the default 5432
+      - "5433:5432"
+    volumes:
+      - superset-pg-data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U superset -d superset"]
+      interval: 2s
+      timeout: 2s
+      retries: 30
+
+  electric:
+    image: electricsql/electric:1.4.13
+    container_name: superset-electric
+    depends_on:
+      postgres:
+        condition: service_healthy
+    environment:
+      # Docker Desktop exposes host.docker.internal so Electric can reach
+      # the worktree-specific database through the host's stable 5433 port.
+      DATABASE_URL: postgres://superset:superset@host.docker.internal:5433/${SUPERSET_LOCAL_DATABASE_NAME:-superset}
+      ELECTRIC_SECRET: local_electric_dev_secret
+    ports:
+      - "4649:3000"
+    restart: on-failure:5
+
+volumes:
+  superset-pg-data:
diff --git a/docs/LOCAL_DEVELOPMENT.md b/docs/LOCAL_DEVELOPMENT.md
new file mode 100644
index 00000000000..c3c15cd9f66
--- /dev/null
+++ b/docs/LOCAL_DEVELOPMENT.md
@@ -0,0 +1,155 @@
+# Local Development
+
+How to run Superset locally from a fresh clone with no Neon, OAuth, Stripe, Resend, or QStash keys. Local contributor state is isolated under `~/.superset-local-dev-*`, so this flow does not reuse production or canary desktop state from `~/.superset`.
+
+## Prerequisites
+
+- [Bun](https://bun.sh) 1.3+
+- Docker Desktop for macOS (for Postgres and Electric SQL)
+- [Caddy](https://caddyserver.com/docs/install) (for HTTPS proxy)
+- macOS
+
+## Quick Start
+
+```bash
+git clone https://github.com/superset-sh/superset.git
+cd superset
+bun install
+bun setup:local
+bun dev
+```
+
+`bun setup:local` is non-destructive for existing internal config. It copies `.env.example`, `apps/electric-proxy/.dev.vars.example`, and `Caddyfile.example` only when the target file is missing; writes worktree-specific local database settings into `.env`; starts Docker Postgres/Electric; runs `caddy trust`; and applies DB migrations.
+
+If you already have an internal `.env`, the script leaves it untouched and stops before running migrations. Do not overwrite an internal `.env` unless you intentionally want the local contributor profile.
+
+Useful setup flags:
+
+```bash
+bun setup:local --skip-docker
+bun setup:local --skip-migrate
+bun setup:local --skip-caddy-trust
+```
+
+The generated `.env` sets `SUPERSET_PROFILE=local`. `bun setup:local` derives `SUPERSET_WORKSPACE_NAME`, `SUPERSET_LOCAL_DATABASE_NAME`, `DATABASE_URL`, and `DATABASE_URL_UNPOOLED` from the worktree path. All local worktrees share one Postgres container, but each worktree gets its own database and desktop state directory. Missing integration keys are allowed at boot; features that need them fail cleanly when exercised.
+
+That brings up:
+
+| Service | Port | What it does |
+|---|---|---|
+| Web | 4640 | Marketing-style sign-in page |
+| API | 4641 | Backend (Next.js) |
+| Desktop (Vite) | 4645 | Renderer dev server |
+| Notifications | 4646 | Desktop notification bridge |
+| Electric SQL | 4649 | Sync layer (Docker) |
+| Caddy | 4650 | HTTPS proxy in front of electric-proxy |
+| electric-proxy | 4652 | Cloudflare worker (Wrangler) |
+
+The Electron window opens automatically.
+
+### How sign-in works
+
+On first launch in the `local` profile (when `SUPERSET_PROFILE=local` is set), the desktop main process auto-signs you in as a seed admin user:
+
+- **Email:** `admin@local.test`
+- **Password:** `supersetdev`
+
+If the user doesn't exist, it's created and a personal organization is provisioned automatically (`Local Admin's Team`). The encrypted auth token lands in that worktree's local desktop state directory, for example `~/.superset-local-dev-flax-soda-a1b2c3/auth-token.enc`. The renderer hydrates this token like a real OAuth user.
+
+If auto-sign-in does not complete, the desktop sign-in screen shows the same email/password fields in the `local` profile.
+
+### Deployment profiles
+
+Profile is resolved at boot:
+
+| Profile     | Trigger                              | Behavior |
+|-------------|--------------------------------------|----------|
+| `cloud`     | `VERCEL=1` or `VERCEL_ENV` (set by Vercel) | Strict — every integration key required |
+| `local`     | `SUPERSET_PROFILE=local`             | Lenient — integration keys optional, features degrade |
+| `ci`        | `CI=true` (set automatically by GitHub Actions, most runners) | Lenient — build/lint/test jobs run without prod secrets |
+| `internal`  | default                              | Strict — covers internal team dev and self-hosted prod |
+
+**Strict-by-default is the safe direction.** Internal devs and self-hosters keep their fail-fast workflow with no setup changes. Local contributors set `SUPERSET_PROFILE=local` once (in `.env`, or as a shell var) to opt into the lenient path. CI auto-degrades so `bun run lint/typecheck/test` works without injecting every production secret — actual deploy steps run `vercel build`, which pulls env from the Vercel project, and runtime strictness still kicks in once Vercel env markers are set.
+
+The escape hatch `SKIP_ENV_VALIDATION=1` still works for one-off bypass cases (e.g. Docker preview builds outside of GitHub Actions).
+
+### Boot summary + `/api/health`
+
+When the API boots in the `local` profile, it prints a one-time summary of what's disabled:
+
+```text
+[superset] profile=local (lenient)
+[superset] disabled features (set the listed env var(s) to enable):
+           - stripe                       STRIPE_SECRET_KEY
+           - resend (email)               RESEND_API_KEY
+           - posthog (telemetry)          NEXT_PUBLIC_POSTHOG_KEY
+           ...
+```
+
+For programmatic monitoring (or to confirm a key took effect), hit `GET /api/health`:
+
+```json
+{ "ok": true, "profile": "local", "integrations": { "stripe": "missing", ... } }
+```
+
+For the web app (`http://localhost:4640`), the sign-in and sign-up pages render a dev-only email/password form when `NODE_ENV !== "production"`. Use the same credentials.
+
+## What works locally
+
+✓ Sign-in (email/password)
+✓ Database (Postgres + Drizzle)
+✓ Electric SQL sync
+✓ Host service (local git/worktree operations)
+✓ Create workspaces, run terminals, edit files
+✓ tRPC / API routing
+
+## What's stubbed (won't fully work without keys)
+
+- **Billing** — Stripe lazy-throws if exercised. Subscriptions/checkout disabled.
+- **Email send** — Resend lazy-throws. Magic-link / password reset emails are stubbed.
+- **Telemetry** — PostHog initializes only when key present; calls are no-ops otherwise.
+- **Error tracking** — Sentry initializes only when DSN present.
+- **OAuth (Google, GitHub)** — providers register only when their `*_CLIENT_ID` is set.
+- **GitHub App / Linear / Slack** — webhooks and integrations no-op without their keys.
+- **QStash background jobs** — no key → no scheduled jobs fire.
+- **Upstash KV rate limiting** — falls back gracefully.
+- **Cloud relay tunnel** — disabled in `local` / `ci` unless `RELAY_URL` is explicitly set.
+
+Each is "guard, don't crash" — if you click into a feature that needs a key, you'll see a `503` or a clean exception, not a boot failure.
+
+## Troubleshooting
+
+**`EADDRINUSE: address already in use :::4641`** — a previous `bun dev` is still alive. `pkill -f "turbo run dev"` and retry.
+
+**`Host service not available` toast in desktop** — the auto-sign-in didn't run or didn't persist the token. Check the state directory printed by `bun setup:local` contains `auth-token.enc`. Delete that file and rerun if needed. Also confirm the profile via `curl http://localhost:4641/api/health` returns `"profile": "local"` — if it says `internal`, you forgot to set `SUPERSET_PROFILE=local` and auto-sign-in is intentionally skipped.
+
+**`Missing API key` for some integration** — that integration's key isn't in `.env`. Either supply it or avoid the feature.
+
+**Electric SQL container fails to start replication** — verify `wal_level=logical` on your Postgres: `docker exec superset-pg psql -U superset -d superset -c "SHOW wal_level"` should return `logical`.
+
+**`schema "auth" already exists` during `db:migrate`** — drop and re-migrate: `docker exec superset-pg psql -U superset -d superset -c "DROP SCHEMA auth CASCADE"` then `bun run db:migrate`.
+
+## Resetting state
+
+```bash
+# Stop dev
+pkill -f "turbo run dev"
+
+# Wipe this worktree's local desktop state
+STATE_NAME=$(grep '^SUPERSET_WORKSPACE_NAME=' .env | cut -d= -f2)
+rm -rf "$HOME/.superset-$STATE_NAME"
+
+# Wipe only this worktree's Postgres database, then recreate it
+DB_NAME=$(grep '^SUPERSET_LOCAL_DATABASE_NAME=' .env | cut -d= -f2)
+docker exec superset-pg dropdb -U superset --if-exists "$DB_NAME"
+bun setup:local
+```
+
+## Architecture notes for contributors
+
+- **Deployment profiles** — `packages/shared/src/deployment-profile.ts` resolves `cloud | local | ci | internal` from env flags. Strict profiles fail boot on missing keys; lenient profiles (`local`, `ci`) let the app boot. Use `shouldSkipEnvValidation()` from this module when wiring env schemas, and `isLocalProfile()` when gating local-only behavior.
+- **Per-worktree local state** — `bun setup:local` rewrites `.env` to use a worktree-specific `SUPERSET_WORKSPACE_NAME`, `SUPERSET_LOCAL_DATABASE_NAME`, and local Postgres URLs. Local worktrees share one Docker Postgres container on port 5433, but not a database, auth sessions, JWKS rows, or desktop state. Local profile desktop predev also skips macOS Launch Services cleanup and protocol patching.
+- **DB driver swap** — `packages/db/src/client.ts` detects whether `DATABASE_URL` is a Neon host (`*.neon.tech`, `*.neon.build`) and uses Drizzle's `neon-http` adapter for cloud, or `node-postgres` for any other Postgres (including the local Docker one).
+- **Dev auto-sign-in** — `apps/desktop/src/main/lib/dev-auto-sign-in.ts` runs once during `app.whenReady()` only in the `local` profile. POSTs to `/api/auth/sign-in/email` (auto-signs-up if user doesn't exist), persists the token via the same `saveToken()` that OAuth uses. The renderer doesn't know dev mode exists.
+- **Renderer organization selection** — pages prefer `session.activeOrganizationId` from Better Auth, falling back to `MOCK_ORG_ID` only if there's no session at all. Make sure new code that needs `activeOrganizationId` follows this same priority (real session first).
+- **CDP for headless tests** — in the `local` profile, the desktop main process exposes Chrome DevTools Protocol on `localhost:9333`. Useful for scripted UI checks (`curl http://localhost:9333/json/list`).
diff --git a/package.json b/package.json
index 7bb54007705..6ed3717db54 100644
--- a/package.json
+++ b/package.json
@@ -22,6 +22,7 @@
 		"dev:caddy": "dotenv -- caddy run --config Caddyfile",
 		"dev:docs": "turbo dev --filter=@superset/docs",
 		"dev:marketing": "turbo dev --filter=@superset/marketing --filter=@superset/docs",
+		"setup:local": "bun run scripts/setup-local.ts",
 		"build": "turbo build --filter=@superset/desktop",
 		"test": "turbo test --concurrency=2",
 		"lint": "./scripts/lint.sh",
@@ -38,6 +39,7 @@
 		"release:canary": "./scripts/release-canary.sh",
 		"db:push": "bun run --cwd packages/db push",
 		"db:migrate": "bun run --cwd packages/db migrate",
+		"db:seed:dev": "bun run --cwd packages/db seed:dev",
 		"db:generate:desktop": "bun run --cwd packages/local-db generate"
 	},
 	"type": "module",
diff --git a/packages/auth/src/lib/rate-limit.ts b/packages/auth/src/lib/rate-limit.ts
index a513dbe6f27..aaf029262eb 100644
--- a/packages/auth/src/lib/rate-limit.ts
+++ b/packages/auth/src/lib/rate-limit.ts
@@ -1,15 +1,33 @@
+import { isStrictProfile } from "@superset/shared/deployment-profile";
 import { Ratelimit } from "@upstash/ratelimit";
 import { Redis } from "@upstash/redis";
 import { env } from "../env";
 
-const redis = new Redis({
-	url: env.KV_REST_API_URL,
-	token: env.KV_REST_API_TOKEN,
-});
-
 // 10 invitations per hour per user
-export const invitationRateLimit = new Ratelimit({
-	redis,
-	limiter: Ratelimit.slidingWindow(10, "1 h"),
-	prefix: "ratelimit:invitation",
-});
+export const invitationRateLimit =
+	env.KV_REST_API_URL && env.KV_REST_API_TOKEN
+		? new Ratelimit({
+				redis: new Redis({
+					url: env.KV_REST_API_URL,
+					token: env.KV_REST_API_TOKEN,
+				}),
+				limiter: Ratelimit.slidingWindow(10, "1 h"),
+				prefix: "ratelimit:invitation",
+			})
+		: null;
+
+export async function checkInvitationRateLimit(
+	inviterId: string,
+): Promise<void> {
+	if (!invitationRateLimit) {
+		if (isStrictProfile()) {
+			throw new Error("Invitation rate limiting is not configured.");
+		}
+		return;
+	}
+
+	const limit = await invitationRateLimit.limit(inviterId);
+	if (!limit.success) {
+		throw new Error("Rate limit exceeded. Max 10 invitations per hour.");
+	}
+}
diff --git a/packages/auth/src/lib/resend.ts b/packages/auth/src/lib/resend.ts
index e17addc2635..d05f21f75cc 100644
--- a/packages/auth/src/lib/resend.ts
+++ b/packages/auth/src/lib/resend.ts
@@ -1,5 +1,62 @@
-import { Resend } from "resend";
+import { isStrictProfile } from "@superset/shared/deployment-profile";
+import {
+	type CreateBatchOptions,
+	type CreateBatchRequestOptions,
+	type CreateBatchResponse,
+	type CreateEmailOptions,
+	type CreateEmailRequestOptions,
+	type CreateEmailResponse,
+	Resend,
+} from "resend";
 
 import { env } from "../env";
 
-export const resend = new Resend(env.RESEND_API_KEY);
+let client: Resend | null = null;
+
+function getResend(): Resend {
+	if (client) return client;
+	if (!env.RESEND_API_KEY) {
+		throw new Error(
+			"Resend not configured — set RESEND_API_KEY (or use Mailpit/console for local dev)",
+		);
+	}
+	client = new Resend(env.RESEND_API_KEY);
+	return client;
+}
+
+function formatRecipients(to: CreateEmailOptions["to"]): string {
+	return Array.isArray(to) ? to.join(",") : to;
+}
+
+function logConsoleEmail(email: CreateEmailOptions) {
+	console.log(
+		`[email:console] to=${formatRecipients(email.to)} subject=${email.subject}`,
+	);
+}
+
+export async function sendEmail(
+	email: CreateEmailOptions,
+	options?: CreateEmailRequestOptions,
+): Promise<CreateEmailResponse> {
+	if (!env.RESEND_API_KEY && !isStrictProfile()) {
+		logConsoleEmail(email);
+		return { data: { id: "console-dev" }, error: null };
+	}
+	return getResend().emails.send(email, options);
+}
+
+export async function sendBatchEmails(
+	emails: CreateBatchOptions,
+	options?: CreateBatchRequestOptions,
+): Promise<CreateBatchResponse> {
+	if (!env.RESEND_API_KEY && !isStrictProfile()) {
+		for (const email of emails) logConsoleEmail(email);
+		return {
+			data: {
+				data: emails.map((_, index) => ({ id: `console-dev-${index}` })),
+			},
+			error: null,
+		};
+	}
+	return getResend().batch.send(emails, options);
+}
diff --git a/packages/auth/src/server.ts b/packages/auth/src/server.ts
index f275d285bb6..50691f6c890 100644
--- a/packages/auth/src/server.ts
+++ b/packages/auth/src/server.ts
@@ -27,16 +27,18 @@ import type Stripe from "stripe";
 import { env } from "./env";
 import { acceptInvitationEndpoint } from "./lib/accept-invitation-endpoint";
 import { generateMagicTokenForInvite } from "./lib/generate-magic-token";
-import { invitationRateLimit } from "./lib/rate-limit";
-import { resend } from "./lib/resend";
+import { checkInvitationRateLimit } from "./lib/rate-limit";
+import { sendBatchEmails, sendEmail } from "./lib/resend";
 import {
 	resolveSessionOrganizationState,
 	type SessionOrganizationContext,
 } from "./lib/resolve-session-organization-state";
-import { stripeClient } from "./stripe";
+import { getStripeClient } from "./stripe";
 import { formatPrice, getOrganizationOwners } from "./utils";
 
-const qstash = new Client({ token: env.QSTASH_TOKEN });
+const qstash = env.QSTASH_TOKEN
+	? new Client({ token: env.QSTASH_TOKEN })
+	: null;
 
 const NOTIFY_SLACK_URL = `${env.NEXT_PUBLIC_API_URL}/api/integrations/stripe/jobs/notify-slack`;
 const desktopDevPort = process.env.DESKTOP_VITE_PORT || "5173";
@@ -47,6 +49,24 @@ const desktopDevOrigins =
 				`http://127.0.0.1:${desktopDevPort}`,
 			]
 		: [];
+const socialProviders = {
+	...(env.GH_CLIENT_ID && env.GH_CLIENT_SECRET
+		? {
+				github: {
+					clientId: env.GH_CLIENT_ID,
+					clientSecret: env.GH_CLIENT_SECRET,
+				},
+			}
+		: {}),
+	...(env.GOOGLE_CLIENT_ID && env.GOOGLE_CLIENT_SECRET
+		? {
+				google: {
+					clientId: env.GOOGLE_CLIENT_ID,
+					clientSecret: env.GOOGLE_CLIENT_SECRET,
+				},
+			}
+		: {}),
+};
 
 function serializeCancellationDetails(
 	cancellationDetails?: Stripe.Subscription.CancellationDetails | null,
@@ -109,16 +129,15 @@ export const auth = betterAuth({
 			generateId: false,
 		},
 	},
-	socialProviders: {
-		github: {
-			clientId: env.GH_CLIENT_ID,
-			clientSecret: env.GH_CLIENT_SECRET,
-		},
-		google: {
-			clientId: env.GOOGLE_CLIENT_ID,
-			clientSecret: env.GOOGLE_CLIENT_SECRET,
-		},
+	// Dev-only: email+password is enabled for OSS contributors and
+	// internal devs (NODE_ENV=development). In production builds the
+	// /sign-up/email and /sign-in/email endpoints are disabled — auth
+	// is OAuth-only there. Matches the UI form gating in apps/web.
+	emailAndPassword: {
+		enabled: process.env.NODE_ENV !== "production",
+		autoSignIn: true,
 	},
+	socialProviders,
 	databaseHooks: {
 		user: {
 			create: {
@@ -313,7 +332,7 @@ export const auth = betterAuth({
 					where: eq(authSchema.users.email, data.email),
 				});
 
-				await resend.emails.send({
+				await sendEmail({
 					from: "Superset <noreply@superset.sh>",
 					to: data.email,
 					subject: `${data.inviter.user.name} invited you to join ${data.organization.name}`,
@@ -332,12 +351,7 @@ export const auth = betterAuth({
 				beforeCreateInvitation: async (data) => {
 					const { inviterId, organizationId, role, teamId } = data.invitation;
 
-					const { success } = await invitationRateLimit.limit(inviterId);
-					if (!success) {
-						throw new Error(
-							"Rate limit exceeded. Max 10 invitations per hour.",
-						);
-					}
+					await checkInvitationRateLimit(inviterId);
 
 					const inviterMember = await db.query.members.findFirst({
 						where: and(
@@ -374,19 +388,21 @@ export const auth = betterAuth({
 				},
 
 				afterCreateOrganization: async ({ organization, user }) => {
-					const customer = await stripeClient.customers.create({
-						name: organization.name,
-						email: user.email,
-						metadata: {
-							organizationId: organization.id,
-							organizationSlug: organization.slug,
-						},
-					});
+					if (env.STRIPE_SECRET_KEY) {
+						const customer = await getStripeClient().customers.create({
+							name: organization.name,
+							email: user.email,
+							metadata: {
+								organizationId: organization.id,
+								organizationSlug: organization.slug,
+							},
+						});
 
-					await db
-						.update(authSchema.organizations)
-						.set({ stripeCustomerId: customer.id })
-						.where(eq(authSchema.organizations.id, organization.id));
+						await db
+							.update(authSchema.organizations)
+							.set({ stripeCustomerId: customer.id })
+							.where(eq(authSchema.organizations.id, organization.id));
+					}
 
 					await seedDefaultStatuses(organization.id);
 				},
@@ -484,21 +500,24 @@ export const auth = betterAuth({
 				beforeDeleteOrganization: async ({ organization }) => {
 					if (!organization.stripeCustomerId) return;
 
-					const subs = await stripeClient.subscriptions.list({
+					const subs = await getStripeClient().subscriptions.list({
 						customer: organization.stripeCustomerId,
 						status: "active",
 					});
 					for (const sub of subs.data) {
-						await stripeClient.subscriptions.cancel(sub.id);
+						await getStripeClient().subscriptions.cancel(sub.id);
 					}
 				},
 
 				afterUpdateOrganization: async ({ organization }) => {
 					if (!organization?.stripeCustomerId) return;
 
-					await stripeClient.customers.update(organization.stripeCustomerId, {
-						name: organization.name,
-					});
+					await getStripeClient().customers.update(
+						organization.stripeCustomerId,
+						{
+							name: organization.name,
+						},
+					);
 				},
 
 				beforeAddMember: async ({ organization, user }) => {
@@ -583,7 +602,7 @@ export const auth = betterAuth({
 					});
 
 					if (acceptedInvitation) {
-						await resend.emails.send({
+						await sendEmail({
 							from: "Superset <noreply@superset.sh>",
 							to: user.email,
 							subject: `You've been added to ${organization.name}`,
@@ -607,13 +626,13 @@ export const auth = betterAuth({
 
 					const quantity = memberCount[0]?.count ?? 1;
 
-					const stripeSub = await stripeClient.subscriptions.retrieve(
+					const stripeSub = await getStripeClient().subscriptions.retrieve(
 						subscription.stripeSubscriptionId,
 					);
 					const itemId = stripeSub.items.data[0]?.id;
 
 					if (itemId) {
-						await stripeClient.subscriptions.update(
+						await getStripeClient().subscriptions.update(
 							subscription.stripeSubscriptionId,
 							{
 								items: [{ id: itemId, quantity }],
@@ -630,7 +649,7 @@ export const auth = betterAuth({
 						currency,
 					);
 
-					await resend.batch.send(
+					await sendBatchEmails(
 						owners.map((owner) => ({
 							from: "Superset <noreply@superset.sh>",
 							to: owner.email,
@@ -648,7 +667,7 @@ export const auth = betterAuth({
 					);
 
 					try {
-						await qstash.publishJSON({
+						await qstash?.publishJSON({
 							url: NOTIFY_SLACK_URL,
 							body: {
 								eventType: "seat_added",
@@ -668,7 +687,7 @@ export const auth = betterAuth({
 				},
 
 				afterRemoveMember: async ({ user, organization }) => {
-					await resend.emails.send({
+					await sendEmail({
 						from: "Superset <noreply@superset.sh>",
 						to: user.email,
 						subject: `You've been removed from ${organization.name}`,
@@ -696,13 +715,13 @@ export const auth = betterAuth({
 
 					const quantity = Math.max(1, memberCount[0]?.count ?? 1);
 
-					const stripeSub = await stripeClient.subscriptions.retrieve(
+					const stripeSub = await getStripeClient().subscriptions.retrieve(
 						subscription.stripeSubscriptionId,
 					);
 					const itemId = stripeSub.items.data[0]?.id;
 
 					if (itemId) {
-						await stripeClient.subscriptions.update(
+						await getStripeClient().subscriptions.update(
 							subscription.stripeSubscriptionId,
 							{
 								items: [{ id: itemId, quantity }],
@@ -719,7 +738,7 @@ export const auth = betterAuth({
 						currency,
 					);
 
-					await resend.batch.send(
+					await sendBatchEmails(
 						owners.map((owner) => ({
 							from: "Superset <noreply@superset.sh>",
 							to: owner.email,
@@ -737,7 +756,7 @@ export const auth = betterAuth({
 					);
 
 					try {
-						await qstash.publishJSON({
+						await qstash?.publishJSON({
 							url: NOTIFY_SLACK_URL,
 							body: {
 								eventType: "seat_removed",
@@ -792,349 +811,373 @@ export const auth = betterAuth({
 				},
 			};
 		}),
-		stripe({
-			stripeClient,
-			stripeWebhookSecret: env.STRIPE_WEBHOOK_SECRET,
-			createCustomerOnSignUp: false,
-
-			subscription: {
-				enabled: true,
-				plans: [
-					{
-						name: "pro",
-						priceId: env.STRIPE_PRO_MONTHLY_PRICE_ID,
-						annualDiscountPriceId: env.STRIPE_PRO_YEARLY_PRICE_ID,
-					},
-					{
-						name: "enterprise",
-						priceId: env.STRIPE_ENTERPRISE_YEARLY_PRICE_ID,
-					},
-				],
-
-				authorizeReference: async ({ user, referenceId, action }) => {
-					const member = await db.query.members.findFirst({
-						where: and(
-							eq(members.userId, user.id),
-							eq(members.organizationId, referenceId),
-						),
-					});
-
-					if (!member) return false;
-
-					if (
-						action === "upgrade-subscription" ||
-						action === "cancel-subscription" ||
-						action === "restore-subscription"
-					) {
-						const subscription = await db.query.subscriptions.findFirst({
-							where: and(
-								eq(subscriptions.referenceId, referenceId),
-								eq(subscriptions.status, "active"),
-							),
-						});
-						if (subscription?.plan === "enterprise") return false;
-					}
-
-					switch (action) {
-						case "upgrade-subscription":
-						case "cancel-subscription":
-						case "restore-subscription":
-							return member.role === "owner";
-						case "list-subscription":
-							return member.role === "owner" || member.role === "admin";
-						default:
-							return false;
-					}
-				},
-
-				getCheckoutSessionParams: async (
-					{ user, plan, subscription },
-					_request,
-					ctx,
-				) => {
-					if (plan.name === "enterprise") {
-						throw new Error(
-							"Enterprise subscriptions are managed by admins. Contact founders@superset.sh.",
-						);
-					}
+		...(env.STRIPE_SECRET_KEY
+			? [
+					stripe({
+						stripeClient: getStripeClient(),
+						stripeWebhookSecret: env.STRIPE_WEBHOOK_SECRET,
+						createCustomerOnSignUp: false,
+
+						subscription: {
+							enabled: true,
+							plans: [
+								{
+									name: "pro",
+									priceId: env.STRIPE_PRO_MONTHLY_PRICE_ID,
+									annualDiscountPriceId: env.STRIPE_PRO_YEARLY_PRICE_ID,
+								},
+								{
+									name: "enterprise",
+									priceId: env.STRIPE_ENTERPRISE_YEARLY_PRICE_ID,
+								},
+							],
 
-					const org = await db.query.organizations.findFirst({
-						where: eq(
-							authSchema.organizations.id,
-							subscription?.referenceId ?? "",
-						),
-					});
+							authorizeReference: async ({ user, referenceId, action }) => {
+								const member = await db.query.members.findFirst({
+									where: and(
+										eq(members.userId, user.id),
+										eq(members.organizationId, referenceId),
+									),
+								});
 
-					const annual = Boolean(
-						(ctx?.body as { annual?: boolean } | undefined)?.annual,
-					);
+								if (!member) return false;
+
+								if (
+									action === "upgrade-subscription" ||
+									action === "cancel-subscription" ||
+									action === "restore-subscription"
+								) {
+									const subscription = await db.query.subscriptions.findFirst({
+										where: and(
+											eq(subscriptions.referenceId, referenceId),
+											eq(subscriptions.status, "active"),
+										),
+									});
+									if (subscription?.plan === "enterprise") return false;
+								}
 
-					return {
-						params: {
-							customer: org?.stripeCustomerId ?? undefined,
-							allow_promotion_codes: !annual,
-							billing_address_collection: "required",
-							metadata: {
-								organizationId: org?.id ?? "",
-								initiatedByUserId: user.id,
+								switch (action) {
+									case "upgrade-subscription":
+									case "cancel-subscription":
+									case "restore-subscription":
+										return member.role === "owner";
+									case "list-subscription":
+										return member.role === "owner" || member.role === "admin";
+									default:
+										return false;
+								}
 							},
-						},
-					};
-				},
-
-				onSubscriptionComplete: async ({
-					subscription,
-					stripeSubscription,
-					plan,
-				}) => {
-					const org = await db.query.organizations.findFirst({
-						where: eq(authSchema.organizations.id, subscription.referenceId),
-					});
-
-					if (!org) return;
 
-					if (plan.name === "enterprise") return;
-
-					const owners = await getOrganizationOwners(subscription.referenceId);
-
-					const interval = stripeSubscription.items.data[0]?.price?.recurring
-						?.interval as "month" | "year" | undefined;
-					const billingInterval = interval === "year" ? "yearly" : "monthly";
+							getCheckoutSessionParams: async (
+								{ user, plan, subscription },
+								_request,
+								ctx,
+							) => {
+								if (plan.name === "enterprise") {
+									throw new Error(
+										"Enterprise subscriptions are managed by admins. Contact founders@superset.sh.",
+									);
+								}
 
-					const pricePerSeat =
-						stripeSubscription.items.data[0]?.price?.unit_amount ?? 0;
-					const currency =
-						stripeSubscription.items.data[0]?.price?.currency ?? "usd";
-					const amount = formatPrice(pricePerSeat, currency);
+								const org = await db.query.organizations.findFirst({
+									where: eq(
+										authSchema.organizations.id,
+										subscription?.referenceId ?? "",
+									),
+								});
 
-					await resend.batch.send(
-						owners.map((owner) => ({
-							from: "Superset <noreply@superset.sh>",
-							to: owner.email,
-							subject: `Welcome to Superset ${plan.name}!`,
-							react: SubscriptionStartedEmail({
-								ownerName: owner.name,
-								organizationName: org.name,
-								planName: plan.name,
-								billingInterval,
-								amount,
-								seatCount: subscription.seats ?? 1,
-							}),
-						})),
-					);
+								const annual = Boolean(
+									(ctx?.body as { annual?: boolean } | undefined)?.annual,
+								);
 
-					try {
-						await qstash.publishJSON({
-							url: NOTIFY_SLACK_URL,
-							body: {
-								eventType: "subscription_started",
-								stripeSubscriptionId: stripeSubscription.id,
+								return {
+									params: {
+										customer: org?.stripeCustomerId ?? undefined,
+										allow_promotion_codes: !annual,
+										billing_address_collection: "required",
+										metadata: {
+											organizationId: org?.id ?? "",
+											initiatedByUserId: user.id,
+										},
+									},
+								};
 							},
-							retries: 3,
-						});
-					} catch (error) {
-						console.error(
-							"[stripe/subscription-complete] Failed to queue Slack notification:",
-							error,
-						);
-					}
-				},
 
-				onSubscriptionCancel: async ({
-					subscription,
-					stripeSubscription,
-					cancellationDetails,
-				}) => {
-					const org = await db.query.organizations.findFirst({
-						where: eq(authSchema.organizations.id, subscription.referenceId),
-					});
+							onSubscriptionComplete: async ({
+								subscription,
+								stripeSubscription,
+								plan,
+							}) => {
+								const org = await db.query.organizations.findFirst({
+									where: eq(
+										authSchema.organizations.id,
+										subscription.referenceId,
+									),
+								});
 
-					if (!org?.stripeCustomerId) return;
+								if (!org) return;
 
-					const owners = await getOrganizationOwners(subscription.referenceId);
-					const accessEndsAt = subscription.periodEnd ?? new Date();
+								if (plan.name === "enterprise") return;
 
-					const portalSession =
-						await stripeClient.billingPortal.sessions.create({
-							customer: org.stripeCustomerId,
-							return_url: env.NEXT_PUBLIC_WEB_URL,
-						});
+								const owners = await getOrganizationOwners(
+									subscription.referenceId,
+								);
 
-					await resend.batch.send(
-						owners.map((owner) => ({
-							from: "Superset <noreply@superset.sh>",
-							to: owner.email,
-							subject: `Your ${subscription.plan} subscription has been cancelled`,
-							react: SubscriptionCancelledEmail({
-								ownerName: owner.name,
-								organizationName: org.name,
-								planName: subscription.plan,
-								accessEndsAt,
-								billingPortalUrl: portalSession.url,
-							}),
-						})),
-					);
+								const interval = stripeSubscription.items.data[0]?.price
+									?.recurring?.interval as "month" | "year" | undefined;
+								const billingInterval =
+									interval === "year" ? "yearly" : "monthly";
+
+								const pricePerSeat =
+									stripeSubscription.items.data[0]?.price?.unit_amount ?? 0;
+								const currency =
+									stripeSubscription.items.data[0]?.price?.currency ?? "usd";
+								const amount = formatPrice(pricePerSeat, currency);
+
+								await sendBatchEmails(
+									owners.map((owner) => ({
+										from: "Superset <noreply@superset.sh>",
+										to: owner.email,
+										subject: `Welcome to Superset ${plan.name}!`,
+										react: SubscriptionStartedEmail({
+											ownerName: owner.name,
+											organizationName: org.name,
+											planName: plan.name,
+											billingInterval,
+											amount,
+											seatCount: subscription.seats ?? 1,
+										}),
+									})),
+								);
 
-					try {
-						await qstash.publishJSON({
-							url: NOTIFY_SLACK_URL,
-							body: {
-								eventType: "subscription_cancelled",
-								stripeSubscriptionId: stripeSubscription.id,
-								cancellationDetails: serializeCancellationDetails(
-									cancellationDetails ??
-										stripeSubscription.cancellation_details,
-								),
+								try {
+									await qstash?.publishJSON({
+										url: NOTIFY_SLACK_URL,
+										body: {
+											eventType: "subscription_started",
+											stripeSubscriptionId: stripeSubscription.id,
+										},
+										retries: 3,
+									});
+								} catch (error) {
+									console.error(
+										"[stripe/subscription-complete] Failed to queue Slack notification:",
+										error,
+									);
+								}
 							},
-							retries: 3,
-						});
-					} catch (error) {
-						console.error(
-							"[stripe/subscription-cancel] Failed to queue Slack notification:",
-							error,
-						);
-					}
-				},
-
-				onEvent: async (event: Stripe.Event) => {
-					if (event.type === "invoice.payment_failed") {
-						const invoice = event.data.object as Stripe.Invoice;
-
-						const customerId =
-							typeof invoice.customer === "string"
-								? invoice.customer
-								: invoice.customer?.id;
 
-						if (!customerId) return;
-
-						const org = await db.query.organizations.findFirst({
-							where: eq(authSchema.organizations.stripeCustomerId, customerId),
-						});
+							onSubscriptionCancel: async ({
+								subscription,
+								stripeSubscription,
+								cancellationDetails,
+							}) => {
+								const org = await db.query.organizations.findFirst({
+									where: eq(
+										authSchema.organizations.id,
+										subscription.referenceId,
+									),
+								});
 
-						if (!org?.stripeCustomerId) return;
+								if (!org?.stripeCustomerId) return;
 
-						const subscription = await db.query.subscriptions.findFirst({
-							where: eq(subscriptions.referenceId, org.id),
-						});
+								const owners = await getOrganizationOwners(
+									subscription.referenceId,
+								);
+								const accessEndsAt = subscription.periodEnd ?? new Date();
+
+								const portalSession =
+									await getStripeClient().billingPortal.sessions.create({
+										customer: org.stripeCustomerId,
+										return_url: env.NEXT_PUBLIC_WEB_URL,
+									});
+
+								await sendBatchEmails(
+									owners.map((owner) => ({
+										from: "Superset <noreply@superset.sh>",
+										to: owner.email,
+										subject: `Your ${subscription.plan} subscription has been cancelled`,
+										react: SubscriptionCancelledEmail({
+											ownerName: owner.name,
+											organizationName: org.name,
+											planName: subscription.plan,
+											accessEndsAt,
+											billingPortalUrl: portalSession.url,
+										}),
+									})),
+								);
 
-						const owners = await getOrganizationOwners(org.id);
-						const amount = formatPrice(invoice.amount_due, invoice.currency);
-
-						const portalSession =
-							await stripeClient.billingPortal.sessions.create({
-								customer: org.stripeCustomerId,
-								return_url: env.NEXT_PUBLIC_WEB_URL,
-							});
-
-						await resend.batch.send(
-							owners.map((owner) => ({
-								from: "Superset <noreply@superset.sh>",
-								to: owner.email,
-								subject: `Payment failed for ${org.name}`,
-								react: PaymentFailedEmail({
-									ownerName: owner.name,
-									organizationName: org.name,
-									planName: subscription?.plan ?? "Pro",
-									amount,
-									billingPortalUrl: portalSession.url,
-								}),
-							})),
-						);
+								try {
+									await qstash?.publishJSON({
+										url: NOTIFY_SLACK_URL,
+										body: {
+											eventType: "subscription_cancelled",
+											stripeSubscriptionId: stripeSubscription.id,
+											cancellationDetails: serializeCancellationDetails(
+												cancellationDetails ??
+													stripeSubscription.cancellation_details,
+											),
+										},
+										retries: 3,
+									});
+								} catch (error) {
+									console.error(
+										"[stripe/subscription-cancel] Failed to queue Slack notification:",
+										error,
+									);
+								}
+							},
 
-						const stripeSubId =
-							subscription?.stripeSubscriptionId ??
-							(invoice.parent?.subscription_details?.subscription as
-								| string
-								| undefined);
+							onEvent: async (event: Stripe.Event) => {
+								if (event.type === "invoice.payment_failed") {
+									const invoice = event.data.object as Stripe.Invoice;
 
-						if (stripeSubId) {
-							try {
-								await qstash.publishJSON({
-									url: NOTIFY_SLACK_URL,
-									body: {
-										eventType: "payment_failed",
-										stripeSubscriptionId: stripeSubId,
-										amountCents: invoice.amount_due,
-										currency: invoice.currency,
-									},
-									retries: 3,
-								});
-							} catch (error) {
-								console.error(
-									"[stripe/payment-failed] Failed to queue Slack notification:",
-									error,
-								);
-							}
-						}
-					}
+									const customerId =
+										typeof invoice.customer === "string"
+											? invoice.customer
+											: invoice.customer?.id;
 
-					if (event.type === "invoice.paid") {
-						const invoice = event.data.object as Stripe.Invoice;
+									if (!customerId) return;
 
-						const stripeSubId = invoice.parent?.subscription_details
-							?.subscription as string | undefined;
+									const org = await db.query.organizations.findFirst({
+										where: eq(
+											authSchema.organizations.stripeCustomerId,
+											customerId,
+										),
+									});
+
+									if (!org?.stripeCustomerId) return;
+
+									const subscription = await db.query.subscriptions.findFirst({
+										where: eq(subscriptions.referenceId, org.id),
+									});
+
+									const owners = await getOrganizationOwners(org.id);
+									const amount = formatPrice(
+										invoice.amount_due,
+										invoice.currency,
+									);
+
+									const portalSession =
+										await getStripeClient().billingPortal.sessions.create({
+											customer: org.stripeCustomerId,
+											return_url: env.NEXT_PUBLIC_WEB_URL,
+										});
+
+									await sendBatchEmails(
+										owners.map((owner) => ({
+											from: "Superset <noreply@superset.sh>",
+											to: owner.email,
+											subject: `Payment failed for ${org.name}`,
+											react: PaymentFailedEmail({
+												ownerName: owner.name,
+												organizationName: org.name,
+												planName: subscription?.plan ?? "Pro",
+												amount,
+												billingPortalUrl: portalSession.url,
+											}),
+										})),
+									);
+
+									const stripeSubId =
+										subscription?.stripeSubscriptionId ??
+										(invoice.parent?.subscription_details?.subscription as
+											| string
+											| undefined);
+
+									if (stripeSubId) {
+										try {
+											await qstash?.publishJSON({
+												url: NOTIFY_SLACK_URL,
+												body: {
+													eventType: "payment_failed",
+													stripeSubscriptionId: stripeSubId,
+													amountCents: invoice.amount_due,
+													currency: invoice.currency,
+												},
+												retries: 3,
+											});
+										} catch (error) {
+											console.error(
+												"[stripe/payment-failed] Failed to queue Slack notification:",
+												error,
+											);
+										}
+									}
+								}
 
-						if (stripeSubId) {
-							try {
-								await qstash.publishJSON({
-									url: NOTIFY_SLACK_URL,
-									body: {
-										eventType: "payment_succeeded",
-										stripeSubscriptionId: stripeSubId,
-										amountCents: invoice.amount_paid,
-										currency: invoice.currency,
-										periodStart: invoice.period_start ?? 0,
-										periodEnd: invoice.period_end ?? 0,
-									},
-									retries: 3,
-								});
-							} catch (error) {
-								console.error(
-									"[stripe/payment-succeeded] Failed to queue Slack notification:",
-									error,
-								);
-							}
-						}
-					}
+								if (event.type === "invoice.paid") {
+									const invoice = event.data.object as Stripe.Invoice;
+
+									const stripeSubId = invoice.parent?.subscription_details
+										?.subscription as string | undefined;
+
+									if (stripeSubId) {
+										try {
+											await qstash?.publishJSON({
+												url: NOTIFY_SLACK_URL,
+												body: {
+													eventType: "payment_succeeded",
+													stripeSubscriptionId: stripeSubId,
+													amountCents: invoice.amount_paid,
+													currency: invoice.currency,
+													periodStart: invoice.period_start ?? 0,
+													periodEnd: invoice.period_end ?? 0,
+												},
+												retries: 3,
+											});
+										} catch (error) {
+											console.error(
+												"[stripe/payment-succeeded] Failed to queue Slack notification:",
+												error,
+											);
+										}
+									}
+								}
 
-					if (event.type === "customer.subscription.updated") {
-						const stripeSubscription = event.data.object as Stripe.Subscription;
-						const previousAttributes = event.data.previous_attributes as
-							| Partial<Stripe.Subscription>
-							| undefined;
-
-						const previousPriceId =
-							previousAttributes?.items?.data?.[0]?.price?.id;
-						const currentPriceId = stripeSubscription.items.data[0]?.price?.id;
-
-						if (!previousPriceId || previousPriceId === currentPriceId) return;
-
-						const previousInterval =
-							previousAttributes?.items?.data?.[0]?.price?.recurring
-								?.interval === "year"
-								? "yearly"
-								: "monthly";
-
-						try {
-							await qstash.publishJSON({
-								url: NOTIFY_SLACK_URL,
-								body: {
-									eventType: "plan_changed",
-									stripeSubscriptionId: stripeSubscription.id,
-									previousInterval,
-								},
-								retries: 3,
-							});
-						} catch (error) {
-							console.error(
-								"[stripe/plan-changed] Failed to queue Slack notification:",
-								error,
-							);
-						}
-					}
-				},
-			},
-		}),
+								if (event.type === "customer.subscription.updated") {
+									const stripeSubscription = event.data
+										.object as Stripe.Subscription;
+									const previousAttributes = event.data.previous_attributes as
+										| Partial<Stripe.Subscription>
+										| undefined;
+
+									const previousPriceId =
+										previousAttributes?.items?.data?.[0]?.price?.id;
+									const currentPriceId =
+										stripeSubscription.items.data[0]?.price?.id;
+
+									if (!previousPriceId || previousPriceId === currentPriceId)
+										return;
+
+									const previousInterval =
+										previousAttributes?.items?.data?.[0]?.price?.recurring
+											?.interval === "year"
+											? "yearly"
+											: "monthly";
+
+									try {
+										await qstash?.publishJSON({
+											url: NOTIFY_SLACK_URL,
+											body: {
+												eventType: "plan_changed",
+												stripeSubscriptionId: stripeSubscription.id,
+												previousInterval,
+											},
+											retries: 3,
+										});
+									} catch (error) {
+										console.error(
+											"[stripe/plan-changed] Failed to queue Slack notification:",
+											error,
+										);
+									}
+								}
+							},
+						},
+					}),
+				]
+			: []),
 		acceptInvitationEndpoint,
 	],
 });
diff --git a/packages/auth/src/stripe.ts b/packages/auth/src/stripe.ts
index d238bd34fd5..59abfe5b75b 100644
--- a/packages/auth/src/stripe.ts
+++ b/packages/auth/src/stripe.ts
@@ -1,4 +1,15 @@
 import Stripe from "stripe";
 import { env } from "./env";
 
-export const stripeClient = new Stripe(env.STRIPE_SECRET_KEY);
+let client: Stripe | null = null;
+
+export function getStripeClient(): Stripe {
+	if (client) return client;
+	if (!env.STRIPE_SECRET_KEY) {
+		throw new Error(
+			"Stripe not configured — set STRIPE_SECRET_KEY (billing disabled in local dev)",
+		);
+	}
+	client = new Stripe(env.STRIPE_SECRET_KEY);
+	return client;
+}
diff --git a/packages/db/package.json b/packages/db/package.json
index e18f843e39e..5b59660c4fe 100644
--- a/packages/db/package.json
+++ b/packages/db/package.json
@@ -37,6 +37,7 @@
 		"clean": "git clean -xdf .cache .turbo dist node_modules",
 		"push": "drizzle-kit push",
 		"migrate": "drizzle-kit migrate",
+		"seed:dev": "bun run src/seed-dev.ts",
 		"studio": "drizzle-kit studio",
 		"typecheck": "tsc --noEmit --emitDeclarationOnly false"
 	},
@@ -46,11 +47,13 @@
 		"@t3-oss/env-core": "0.13.11",
 		"dotenv": "17.3.1",
 		"drizzle-orm": "0.45.2",
+		"pg": "8.20.0",
 		"zod": "4.3.6"
 	},
 	"devDependencies": {
 		"@superset/typescript": "workspace:*",
 		"@types/node": "24.12.0",
+		"@types/pg": "8.20.0",
 		"bun-types": "1.3.11",
 		"drizzle-kit": "0.31.8",
 		"typescript": "5.9.3"
diff --git a/packages/db/src/client.ts b/packages/db/src/client.ts
index 8fd403619d6..76b9f0d3726 100644
--- a/packages/db/src/client.ts
+++ b/packages/db/src/client.ts
@@ -1,23 +1,52 @@
-import { neon, Pool } from "@neondatabase/serverless";
+import { Pool as NeonPool, neon } from "@neondatabase/serverless";
 import { config } from "dotenv";
-import { drizzle } from "drizzle-orm/neon-http";
-import { drizzle as drizzleWs } from "drizzle-orm/neon-serverless";
+import { drizzle as drizzleNeonHttp } from "drizzle-orm/neon-http";
+import { drizzle as drizzleNeonWs } from "drizzle-orm/neon-serverless";
+import { drizzle as drizzleNodePg } from "drizzle-orm/node-postgres";
+import pg from "pg";
 
 import { env } from "./env";
 import * as schema from "./schema";
 
 config({ path: ".env", quiet: true });
 
-const sql = neon(env.DATABASE_URL);
+function isNeonDatabaseUrl(value: string): boolean {
+	try {
+		const hostname = new URL(value).hostname;
+		return hostname.endsWith(".neon.tech") || hostname.endsWith(".neon.build");
+	} catch {
+		return false;
+	}
+}
 
-export const db = drizzle({
-	client: sql,
-	schema,
-	casing: "snake_case",
-});
+const isNeon = isNeonDatabaseUrl(env.DATABASE_URL);
 
-export const dbWs = drizzleWs({
-	client: new Pool({ connectionString: env.DATABASE_URL }),
-	schema,
-	casing: "snake_case",
-});
+// Single canonical type — both adapters expose the same Drizzle PG surface at
+// runtime, so we narrow callers to the Neon-HTTP shape (the production path)
+// and cast the local-Postgres branch through it.
+type Db = ReturnType<typeof drizzleNeonHttp<typeof schema>>;
+type DbWs = ReturnType<typeof drizzleNeonWs<typeof schema>>;
+
+const nodePgDb = isNeon
+	? null
+	: drizzleNodePg({
+			client: new pg.Pool({ connectionString: env.DATABASE_URL }),
+			schema,
+			casing: "snake_case",
+		});
+
+export const db: Db = isNeon
+	? drizzleNeonHttp({
+			client: neon(env.DATABASE_URL),
+			schema,
+			casing: "snake_case",
+		})
+	: (nodePgDb as unknown as Db);
+
+export const dbWs: DbWs = isNeon
+	? drizzleNeonWs({
+			client: new NeonPool({ connectionString: env.DATABASE_URL }),
+			schema,
+			casing: "snake_case",
+		})
+	: (nodePgDb as unknown as DbWs);
diff --git a/packages/db/src/seed-dev.ts b/packages/db/src/seed-dev.ts
new file mode 100644
index 00000000000..b06b9a4410a
--- /dev/null
+++ b/packages/db/src/seed-dev.ts
@@ -0,0 +1,79 @@
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import { config } from "dotenv";
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+config({ path: path.resolve(__dirname, "../../../.env"), quiet: true });
+
+const DEV_ADMIN_EMAIL = "admin@local.test";
+const DEV_ADMIN_PASSWORD = "supersetdev";
+const DEV_ADMIN_NAME = "Local Admin";
+const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "::1", "[::1]"]);
+
+function requireLocalUrl(value: string, label: string): URL {
+	const url = new URL(value);
+	if (!LOCAL_HOSTS.has(url.hostname)) {
+		console.error(
+			`FATAL: db:seed refuses to run against non-localhost ${label}: ${url.hostname}`,
+		);
+		process.exit(1);
+	}
+	return url;
+}
+
+async function main() {
+	if (process.env.NODE_ENV === "production") {
+		console.error("FATAL: db:seed refuses to run in production");
+		process.exit(1);
+	}
+
+	const dbUrl = process.env.DATABASE_URL;
+	if (!dbUrl) {
+		console.error("FATAL: DATABASE_URL not set");
+		process.exit(1);
+	}
+
+	requireLocalUrl(dbUrl, "database host");
+
+	const apiUrl = process.env.NEXT_PUBLIC_API_URL ?? "http://localhost:4641";
+	requireLocalUrl(apiUrl, "API host");
+	const endpoint = `${apiUrl}/api/auth/sign-up/email`;
+
+	console.log(`Seeding dev admin via ${endpoint}`);
+
+	const res = await fetch(endpoint, {
+		method: "POST",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify({
+			email: DEV_ADMIN_EMAIL,
+			password: DEV_ADMIN_PASSWORD,
+			name: DEV_ADMIN_NAME,
+		}),
+	}).catch((err) => {
+		console.error(`FATAL: could not reach ${apiUrl} — is the API running?`);
+		console.error(err.message);
+		process.exit(1);
+	});
+
+	if (res.status === 200) {
+		console.log(`✓ Created ${DEV_ADMIN_EMAIL} / ${DEV_ADMIN_PASSWORD}`);
+		return;
+	}
+
+	const body = (await res.json().catch(() => ({}))) as {
+		code?: string;
+		message?: string;
+	};
+
+	if (body.code === "USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL") {
+		console.log(
+			`✓ ${DEV_ADMIN_EMAIL} already exists (password: ${DEV_ADMIN_PASSWORD})`,
+		);
+		return;
+	}
+
+	console.error(`FATAL: sign-up returned ${res.status}: ${body.message ?? ""}`);
+	process.exit(1);
+}
+
+main();
diff --git a/packages/shared/package.json b/packages/shared/package.json
index bafa022fca3..5f0400af78e 100644
--- a/packages/shared/package.json
+++ b/packages/shared/package.json
@@ -8,6 +8,10 @@
 			"types": "./src/constants.ts",
 			"default": "./src/constants.ts"
 		},
+		"./deployment-profile": {
+			"types": "./src/deployment-profile.ts",
+			"default": "./src/deployment-profile.ts"
+		},
 		"./v2-only-user": {
 			"types": "./src/v2-only-user.ts",
 			"default": "./src/v2-only-user.ts"
diff --git a/packages/shared/src/deployment-profile.test.ts b/packages/shared/src/deployment-profile.test.ts
new file mode 100644
index 00000000000..62dff7e2f5b
--- /dev/null
+++ b/packages/shared/src/deployment-profile.test.ts
@@ -0,0 +1,66 @@
+import { describe, expect, it } from "bun:test";
+
+import {
+	getDeploymentProfile,
+	isLocalProfile,
+	isStrictProfile,
+	shouldSkipEnvValidation,
+} from "./deployment-profile";
+
+describe("deployment profile resolution", () => {
+	it("defaults to internal strict mode", () => {
+		const env: Record<string, string | undefined> = {};
+
+		expect(getDeploymentProfile(env)).toBe("internal");
+		expect(isStrictProfile(getDeploymentProfile(env))).toBe(true);
+		expect(shouldSkipEnvValidation(env)).toBe(false);
+	});
+
+	it("uses explicit local profile for lenient contributor development", () => {
+		const env = { SUPERSET_PROFILE: "local" };
+
+		expect(getDeploymentProfile(env)).toBe("local");
+		expect(isLocalProfile(getDeploymentProfile(env))).toBe(true);
+		expect(isStrictProfile(getDeploymentProfile(env))).toBe(false);
+		expect(shouldSkipEnvValidation(env)).toBe(true);
+	});
+
+	it("uses ci only when no explicit or cloud profile is present", () => {
+		expect(getDeploymentProfile({ CI: "true" })).toBe("ci");
+		expect(getDeploymentProfile({ CI: "1" })).toBe("ci");
+		expect(
+			getDeploymentProfile({ CI: "true", SUPERSET_PROFILE: "internal" }),
+		).toBe("internal");
+	});
+
+	it("keeps cloud strict above local and ci flags", () => {
+		const env = {
+			VERCEL: "1",
+			CI: "true",
+			SUPERSET_PROFILE: "local",
+		};
+
+		expect(getDeploymentProfile(env)).toBe("cloud");
+		expect(isStrictProfile(getDeploymentProfile(env))).toBe(true);
+		expect(shouldSkipEnvValidation(env)).toBe(false);
+	});
+
+	it("treats VERCEL_ENV as cloud", () => {
+		expect(getDeploymentProfile({ VERCEL_ENV: "preview", CI: "true" })).toBe(
+			"cloud",
+		);
+	});
+
+	it("allows SKIP_ENV_VALIDATION as an explicit strict-profile escape hatch", () => {
+		const env = { SKIP_ENV_VALIDATION: "1" };
+
+		expect(getDeploymentProfile(env)).toBe("internal");
+		expect(shouldSkipEnvValidation(env)).toBe(true);
+	});
+
+	it("throws on invalid explicit profiles", () => {
+		expect(() =>
+			getDeploymentProfile({ SUPERSET_PROFILE: "external" }),
+		).toThrow(/Invalid SUPERSET_PROFILE/);
+	});
+});
diff --git a/packages/shared/src/deployment-profile.ts b/packages/shared/src/deployment-profile.ts
new file mode 100644
index 00000000000..dc6b7b39f43
--- /dev/null
+++ b/packages/shared/src/deployment-profile.ts
@@ -0,0 +1,69 @@
+/**
+ * Deployment profile resolution.
+ *
+ * Strict profiles (`cloud`, `internal`) validate all required integration
+ * env vars at boot. Lenient profiles (`local`, `ci`) let the app boot with
+ * missing integration keys; call sites lazy-throw or no-op when the missing
+ * feature is exercised.
+ *
+ * `SUPERSET_PROFILE=local` is the explicit contributor opt-in for a fresh
+ * clone backed by local Postgres/Electric and no third-party credentials.
+ */
+export type DeploymentProfile = "cloud" | "local" | "ci" | "internal";
+
+const VALID_PROFILES: DeploymentProfile[] = [
+	"cloud",
+	"local",
+	"ci",
+	"internal",
+];
+
+function isTruthyFlag(value: string | undefined): boolean {
+	return value === "1" || value === "true";
+}
+
+function getExplicitProfile(
+	envSource: Record<string, string | undefined>,
+): DeploymentProfile | undefined {
+	const explicitProfile = envSource.SUPERSET_PROFILE;
+	if (!explicitProfile) return undefined;
+	if (VALID_PROFILES.includes(explicitProfile as DeploymentProfile)) {
+		return explicitProfile as DeploymentProfile;
+	}
+	throw new Error(
+		`Invalid SUPERSET_PROFILE="${explicitProfile}". Expected one of: ${VALID_PROFILES.join(
+			", ",
+		)}.`,
+	);
+}
+
+export function getDeploymentProfile(
+	envSource: Record<string, string | undefined> = process.env,
+): DeploymentProfile {
+	if (isTruthyFlag(envSource.VERCEL) || envSource.VERCEL_ENV) return "cloud";
+	const explicitProfile = getExplicitProfile(envSource);
+	if (explicitProfile) return explicitProfile;
+	if (isTruthyFlag(envSource.CI)) return "ci";
+	return "internal";
+}
+
+export function isStrictProfile(
+	profile: DeploymentProfile = getDeploymentProfile(),
+): boolean {
+	return profile === "cloud" || profile === "internal";
+}
+
+export function isLocalProfile(
+	profile: DeploymentProfile = getDeploymentProfile(),
+): boolean {
+	return profile === "local";
+}
+
+export function shouldSkipEnvValidation(
+	envSource: Record<string, string | undefined> = process.env,
+): boolean {
+	return (
+		!isStrictProfile(getDeploymentProfile(envSource)) ||
+		isTruthyFlag(envSource.SKIP_ENV_VALIDATION)
+	);
+}
diff --git a/packages/trpc/src/env.ts b/packages/trpc/src/env.ts
index d3b05f407f1..a10cd45a39e 100644
--- a/packages/trpc/src/env.ts
+++ b/packages/trpc/src/env.ts
@@ -1,6 +1,9 @@
+import { shouldSkipEnvValidation } from "@superset/shared/deployment-profile";
 import { createEnv } from "@t3-oss/env-core";
 import { z } from "zod";
 
+const skipValidation = shouldSkipEnvValidation();
+
 export const env = createEnv({
 	server: {
 		NODE_ENV: z
@@ -37,5 +40,5 @@ export const env = createEnv({
 	client: {},
 	runtimeEnv: process.env,
 	emptyStringAsUndefined: true,
-	skipValidation: !!process.env.SKIP_ENV_VALIDATION,
+	skipValidation,
 });
diff --git a/packages/trpc/src/lib/analytics.ts b/packages/trpc/src/lib/analytics.ts
index a06694f753d..ee455838457 100644
--- a/packages/trpc/src/lib/analytics.ts
+++ b/packages/trpc/src/lib/analytics.ts
@@ -1,11 +1,46 @@
+import type { EventMessage } from "posthog-node";
 import { PostHog } from "posthog-node";
 import { env } from "../env";
 
+type FeatureFlagValue = Parameters<PostHog["getFeatureFlagPayload"]>[2];
+type FeatureFlagOptions = Parameters<PostHog["getFeatureFlag"]>[2];
+type FeatureFlagPayloadOptions = Parameters<
+	PostHog["getFeatureFlagPayload"]
+>[3];
+type FeatureFlagResult = Awaited<ReturnType<PostHog["getFeatureFlag"]>>;
+type FeatureFlagPayload = Awaited<ReturnType<PostHog["getFeatureFlagPayload"]>>;
+
+interface AnalyticsClient {
+	capture: (props: EventMessage) => void;
+	getFeatureFlag: (
+		key: string,
+		distinctId: string,
+		options?: FeatureFlagOptions,
+	) => Promise<FeatureFlagResult>;
+	getFeatureFlagPayload: (
+		key: string,
+		distinctId: string,
+		matchValue?: FeatureFlagValue,
+		options?: FeatureFlagPayloadOptions,
+	) => Promise<FeatureFlagPayload>;
+}
+
+const disabled: AnalyticsClient = {
+	capture: () => {},
+	getFeatureFlag: async () => undefined,
+	getFeatureFlagPayload: async () => undefined,
+};
+
+function createAnalyticsClient(): AnalyticsClient {
+	if (!env.NEXT_PUBLIC_POSTHOG_KEY) return disabled;
+	return new PostHog(env.NEXT_PUBLIC_POSTHOG_KEY, {
+		host: env.NEXT_PUBLIC_POSTHOG_HOST,
+		flushAt: 1,
+		flushInterval: 0,
+	});
+}
+
 // Singleton — all server-side product event captures go through this client.
 // flushAt: 1, flushInterval: 0 mirrors apps/api/src/lib/analytics.ts so we
 // don't lose events on short-lived processes (Vercel functions, edge handlers).
-export const posthog = new PostHog(env.NEXT_PUBLIC_POSTHOG_KEY, {
-	host: env.NEXT_PUBLIC_POSTHOG_HOST,
-	flushAt: 1,
-	flushInterval: 0,
-});
+export const posthog = createAnalyticsClient();
diff --git a/packages/trpc/src/lib/integrations/sync/tasks.ts b/packages/trpc/src/lib/integrations/sync/tasks.ts
index d749dbfb6e3..65712a9ed27 100644
--- a/packages/trpc/src/lib/integrations/sync/tasks.ts
+++ b/packages/trpc/src/lib/integrations/sync/tasks.ts
@@ -1,10 +1,8 @@
 import { db } from "@superset/db/client";
 import { integrationConnections, tasks } from "@superset/db/schema";
-import { Client } from "@upstash/qstash";
 import { eq } from "drizzle-orm";
 import { env } from "../../../env";
-
-const qstash = new Client({ token: env.QSTASH_TOKEN });
+import { qstash } from "../../qstash";
 
 const PROVIDER_ENDPOINTS: Record<string, string> = {
 	linear: "/api/integrations/linear/jobs/sync-task",
@@ -26,6 +24,24 @@ export async function syncTask(taskId: string) {
 	});
 
 	const qstashBaseUrl = env.NEXT_PUBLIC_API_URL;
+	const providersToSync = connections.filter(
+		(conn) => PROVIDER_ENDPOINTS[conn.provider],
+	);
+
+	if (!qstash) {
+		if (providersToSync.length > 0) {
+			console.warn(
+				`[syncTask] QSTASH_TOKEN is not configured; skipped task sync for providers: ${providersToSync
+					.map((conn) => conn.provider)
+					.join(", ")}`,
+			);
+		}
+		return connections.map((conn) => ({
+			status: "fulfilled" as const,
+			value: { provider: conn.provider, skipped: true },
+		}));
+	}
+	const qstashClient = qstash;
 
 	const results = await Promise.allSettled(
 		connections.map(async (conn) => {
@@ -36,7 +52,7 @@ export async function syncTask(taskId: string) {
 
 			const syncUrl = `${qstashBaseUrl}${endpoint}`;
 
-			await qstash.publishJSON({
+			await qstashClient.publishJSON({
 				url: syncUrl,
 				body: { taskId },
 				retries: 3,
@@ -46,5 +62,10 @@ export async function syncTask(taskId: string) {
 		}),
 	);
 
+	const failures = results.filter((result) => result.status === "rejected");
+	if (failures.length > 0) {
+		console.error("[syncTask] failed to enqueue integration sync", failures);
+	}
+
 	return results;
 }
diff --git a/packages/trpc/src/lib/qstash.ts b/packages/trpc/src/lib/qstash.ts
new file mode 100644
index 00000000000..8562a6991a8
--- /dev/null
+++ b/packages/trpc/src/lib/qstash.ts
@@ -0,0 +1,17 @@
+import { Client } from "@upstash/qstash";
+
+import { env } from "../env";
+
+export const qstash = env.QSTASH_TOKEN
+	? new Client({ token: env.QSTASH_TOKEN })
+	: null;
+
+export function requireQstash(context: string) {
+	if (!qstash) {
+		throw new Error(
+			`[${context}] QSTASH_TOKEN is required to enqueue background jobs`,
+		);
+	}
+
+	return qstash;
+}
diff --git a/packages/trpc/src/router/billing/billing.ts b/packages/trpc/src/router/billing/billing.ts
index 664f17daf29..ad023f913cd 100644
--- a/packages/trpc/src/router/billing/billing.ts
+++ b/packages/trpc/src/router/billing/billing.ts
@@ -1,4 +1,4 @@
-import { stripeClient } from "@superset/auth/stripe";
+import { getStripeClient } from "@superset/auth/stripe";
 import { db } from "@superset/db/client";
 import { members, subscriptions } from "@superset/db/schema";
 import { ACTIVE_SUBSCRIPTION_STATUSES } from "@superset/shared/billing";
@@ -104,7 +104,7 @@ export const billingRouter = {
 
 		const twelveMonthsAgo = subtractMonthsClamped(new Date(), 12);
 
-		const stripeInvoices = await stripeClient.invoices.list({
+		const stripeInvoices = await getStripeClient().invoices.list({
 			customer: subscription.stripeCustomerId,
 			limit: 100,
 			status: "paid",
@@ -125,9 +125,9 @@ export const billingRouter = {
 		if (!stripeCustomerId) return null;
 
 		const [customer, taxIds, paymentMethods] = await Promise.all([
-			stripeClient.customers.retrieve(stripeCustomerId),
-			stripeClient.customers.listTaxIds(stripeCustomerId, { limit: 1 }),
-			stripeClient.paymentMethods.list({
+			getStripeClient().customers.retrieve(stripeCustomerId),
+			getStripeClient().customers.listTaxIds(stripeCustomerId, { limit: 1 }),
+			getStripeClient().paymentMethods.list({
 				customer: stripeCustomerId,
 				limit: 1,
 			}),
@@ -197,13 +197,14 @@ export const billingRouter = {
 				});
 			}
 
-			const portalSession = await stripeClient.billingPortal.sessions.create({
-				customer: stripeCustomerId,
-				return_url: `${env.NEXT_PUBLIC_WEB_URL}/settings/billing`,
-				...(input.flowType === "payment_method_update" && {
-					flow_data: { type: "payment_method_update" as const },
-				}),
-			});
+			const portalSession =
+				await getStripeClient().billingPortal.sessions.create({
+					customer: stripeCustomerId,
+					return_url: `${env.NEXT_PUBLIC_WEB_URL}/settings/billing`,
+					...(input.flowType === "payment_method_update" && {
+						flow_data: { type: "payment_method_update" as const },
+					}),
+				});
 
 			return { url: portalSession.url };
 		}),
diff --git a/packages/trpc/src/router/integration/github/github.ts b/packages/trpc/src/router/integration/github/github.ts
index 6d4456a432c..bb54ed14a52 100644
--- a/packages/trpc/src/router/integration/github/github.ts
+++ b/packages/trpc/src/router/integration/github/github.ts
@@ -6,15 +6,13 @@ import {
 } from "@superset/db/schema";
 import type { TRPCRouterRecord } from "@trpc/server";
 import { TRPCError } from "@trpc/server";
-import { Client } from "@upstash/qstash";
 import { and, desc, eq, inArray } from "drizzle-orm";
 import { z } from "zod";
 import { env } from "../../../env";
+import { qstash } from "../../../lib/qstash";
 import { protectedProcedure } from "../../../trpc";
 import { verifyOrgAdmin, verifyOrgMembership } from "../utils";
 
-const qstash = new Client({ token: env.QSTASH_TOKEN });
-
 export const githubRouter = {
 	getInstallation: protectedProcedure
 		.input(z.object({ organizationId: z.string().uuid() }))
@@ -86,6 +84,13 @@ export const githubRouter = {
 					console.error("[github/triggerSync] Dev sync failed:", error);
 				});
 			} else {
+				if (!qstash) {
+					throw new TRPCError({
+						code: "PRECONDITION_FAILED",
+						message: "QStash is not configured",
+					});
+				}
+
 				await qstash.publishJSON({
 					url: syncUrl,
 					body: syncBody,
diff --git a/packages/trpc/src/router/organization/organization.ts b/packages/trpc/src/router/organization/organization.ts
index ceefc4ef57a..92f27126eb9 100644
--- a/packages/trpc/src/router/organization/organization.ts
+++ b/packages/trpc/src/router/organization/organization.ts
@@ -1,4 +1,4 @@
-import { stripeClient } from "@superset/auth/stripe";
+import { getStripeClient } from "@superset/auth/stripe";
 import { db } from "@superset/db/client";
 import { members, organizations } from "@superset/db/schema";
 import {
@@ -300,8 +300,8 @@ export const organizationRouter = {
 				.returning();
 
 			if (organization?.stripeCustomerId && data.name) {
-				stripeClient.customers
-					.update(organization.stripeCustomerId, {
+				getStripeClient()
+					.customers.update(organization.stripeCustomerId, {
 						name: data.name,
 					})
 					.catch((error) => {
diff --git a/packages/trpc/src/router/support/support.ts b/packages/trpc/src/router/support/support.ts
index ed2e4062ea7..e269430b704 100644
--- a/packages/trpc/src/router/support/support.ts
+++ b/packages/trpc/src/router/support/support.ts
@@ -9,7 +9,19 @@ import { z } from "zod";
 import { env } from "../../env";
 import { createTRPCRouter, protectedProcedure } from "../../trpc";
 
-const resend = new Resend(env.RESEND_API_KEY);
+let resendClient: Resend | null = null;
+function getResend(): Resend {
+	if (!resendClient) {
+		if (!env.RESEND_API_KEY) {
+			throw new TRPCError({
+				code: "SERVICE_UNAVAILABLE",
+				message: "Email not configured — set RESEND_API_KEY",
+			});
+		}
+		resendClient = new Resend(env.RESEND_API_KEY);
+	}
+	return resendClient;
+}
 const SUPPORT_EMAIL = COMPANY.MAIL_TO.replace(/^mailto:/, "");
 const supportReportRateLimit =
 	env.KV_REST_API_URL && env.KV_REST_API_TOKEN
@@ -120,7 +132,7 @@ export const supportRouter = createTRPCRouter({
 			});
 
 			try {
-				await resend.emails.send({
+				await getResend().emails.send({
 					from: "Superset <noreply@superset.sh>",
 					to: SUPPORT_EMAIL,
 					replyTo: user.email,
diff --git a/packages/trpc/src/router/task/task.test.ts b/packages/trpc/src/router/task/task.test.ts
index fc712cd395e..0c5169b7a5b 100644
--- a/packages/trpc/src/router/task/task.test.ts
+++ b/packages/trpc/src/router/task/task.test.ts
@@ -3,7 +3,7 @@ import { TRPCError, type TRPCRouterRecord } from "@trpc/server";
 
 const getCurrentTxidMock = mock(async () => "txid-123");
 const seedDefaultStatusesMock = mock(async () => "status-seeded");
-const syncTaskMock = mock(() => undefined);
+const syncTaskMock = mock(async () => undefined);
 const verifyOrgAdminMock = mock(async () => ({
 	membership: { role: "owner" },
 }));
@@ -245,7 +245,7 @@ describe("task router authorization", () => {
 		seedDefaultStatusesMock.mockImplementation(async () => "status-seeded");
 
 		syncTaskMock.mockReset();
-		syncTaskMock.mockImplementation(() => undefined);
+		syncTaskMock.mockImplementation(async () => undefined);
 
 		transactionMock.mockReset();
 		transactionMock.mockImplementation(async (callback) =>
diff --git a/packages/trpc/src/router/task/task.ts b/packages/trpc/src/router/task/task.ts
index 09b750a9e90..f5308e859dd 100644
--- a/packages/trpc/src/router/task/task.ts
+++ b/packages/trpc/src/router/task/task.ts
@@ -28,6 +28,15 @@ import { taskStatusesRouter } from "./statuses";
 const TASK_SLUG_CONSTRAINT = "tasks_org_slug_unique";
 const TASK_SLUG_RETRY_LIMIT = 5;
 
+function enqueueTaskSync(taskId: string): void {
+	void syncTask(taskId).catch((error) => {
+		console.error(
+			`[task] failed to enqueue integration sync for ${taskId}`,
+			error,
+		);
+	});
+}
+
 function escapeLikePattern(value: string): string {
 	return value.replace(/[\\%_]/g, (match) => `\\${match}`);
 }
@@ -243,7 +252,7 @@ async function createTask(
 			});
 
 			if (result.task) {
-				syncTask(result.task.id);
+				enqueueTaskSync(result.task.id);
 			}
 
 			return result;
@@ -447,7 +456,7 @@ export const taskRouter = {
 			});
 
 			if (result.task) {
-				syncTask(result.task.id);
+				enqueueTaskSync(result.task.id);
 			}
 
 			return result;
@@ -474,7 +483,7 @@ export const taskRouter = {
 			});
 
 			if (result.deleted?.externalProvider && result.deleted?.externalId) {
-				syncTask(input);
+				enqueueTaskSync(input);
 			}
 
 			return { txid: result.txid };
diff --git a/plans/20260515-oss-local-setup.md b/plans/20260515-oss-local-setup.md
new file mode 100644
index 00000000000..09f17af7365
--- /dev/null
+++ b/plans/20260515-oss-local-setup.md
@@ -0,0 +1,342 @@
+# OSS Local Setup — Complete Record
+
+Authoritative design record for PR [#4616](https://github.com/superset-sh/superset/pull/4616). Contributor-facing setup instructions live in [docs/LOCAL_DEVELOPMENT.md](../docs/LOCAL_DEVELOPMENT.md).
+
+## Goal
+
+A contributor cloning Superset from GitHub can boot the full web + API + Electric + electric-proxy + Caddy + desktop stack against a local Postgres in Docker, **without Neon, OAuth, Stripe, Resend, GitHub App, Linear, Slack, QStash, Upstash, PostHog, Sentry, Freestyle, or any other cloud-service credentials**. The internal team's fail-fast workflow stays unchanged, and production stays strictly validated.
+
+## Requirements
+
+Three audiences with different expectations:
+
+1. **OSS contributor (fresh GitHub clone)**
+   - Has Docker + Bun, nothing else
+   - Wants `git clone && SUPERSET_PROFILE=local bun dev` to land them in a working app, signed in
+   - Features that need cloud keys should degrade visibly, never crash boot
+   - Must not silently sync against hosted production endpoints
+
+2. **Internal team dev (existing workflow)**
+   - Uses `.superset/setup.sh` to provision per-worktree Neon branches + real cloud keys
+   - Same fail-fast behavior they have today on missing keys
+   - No new flags to type, no shell-config changes, no documentation to memorize
+
+3. **Production (Vercel + self-host)**
+   - Strict env validation: missing required key → deploy fails before serving traffic
+   - All visibility/observability surfaces report what's actually configured
+
+## Final design — four deployment profiles
+
+`packages/shared/src/deployment-profile.ts`:
+
+| Profile     | Trigger                                  | Validation | Notes |
+|-------------|------------------------------------------|------------|-------|
+| `cloud`     | `VERCEL=1` or `VERCEL_ENV` (set by Vercel) | Strict     | Vercel deploy/build context |
+| `local`     | `SUPERSET_PROFILE=local`                 | Lenient    | Explicit local contributor opt-in |
+| `ci`        | `CI=true` (auto by GH Actions et al.)    | Lenient    | Build/lint/test don't need prod secrets |
+| `internal`  | default                                  | Strict     | Covers internal team dev + self-hosted prod |
+
+Resolution order in `getDeploymentProfile()` (most-trusted wins):
+
+```ts
+if (env.VERCEL === "1" || env.VERCEL_ENV) return "cloud";
+if (env.SUPERSET_PROFILE === "local") return "local";
+if (env.CI === "true")         return "ci";
+return "internal";
+```
+
+Each env schema (`apps/api`, `apps/web`, `apps/admin`, `apps/marketing`, `apps/docs`, `apps/relay`, `apps/desktop/src/main/env.main`, `packages/trpc`) computes:
+
+```ts
+const skipValidation = shouldSkipEnvValidation();
+```
+
+`SKIP_ENV_VALIDATION=1` remains a build-time escape hatch (Docker preview builds, etc.) — not the primary discriminator.
+
+## What's wired
+
+### Database layer
+
+- **`packages/db/src/client.ts`** — driver swap. Detects non-Neon `DATABASE_URL` (regex on `*.neon.tech` / `*.neon.build`) and uses `drizzle-orm/node-postgres` with `pg.Pool` instead of `@neondatabase/serverless`. The Neon driver only speaks Neon's HTTP/WS protocol, not vanilla Postgres TCP.
+- **`packages/db/src/seed-dev.ts`** — `bun db:seed:dev` script. POSTs to `/api/auth/sign-up/email` to create `admin@local.test / supersetdev`. Refuses to run in production or against non-localhost `DATABASE_URL`. Idempotent.
+- **`docker-compose.dev.yml`** — Postgres 16 with `wal_level=logical` on host port 5433, Electric SQL 1.4.13 on host port 4649 reading from the Postgres above via `host.docker.internal`. Health-checked.
+
+### Auth
+
+- **`packages/auth/src/server.ts`** — `emailAndPassword: { enabled: NODE_ENV !== "production", autoSignIn: true }`. Direct credential endpoints removed in prod builds. `afterCreateOrganization` hook gates Stripe customer creation on `env.STRIPE_SECRET_KEY` presence; `seedDefaultStatuses` always runs so OSS users complete org provisioning cleanly. OAuth providers register conditionally on their `*_CLIENT_ID`.
+- **`packages/auth/src/lib/resend.ts`** — `Proxy` lazy-init with batch + emails console fallback when `RESEND_API_KEY` empty. Better Auth's `sendEmail` hook writes to terminal instead of crashing.
+- **`packages/auth/src/stripe.ts`** — `Proxy` lazy-init. Throws "Stripe not configured" only when a billing operation is exercised.
+- **`packages/trpc/src/router/support/support.ts`** — same lazy-init Proxy pattern for the support email path.
+
+### Desktop main process
+
+- **`apps/desktop/src/main/lib/dev-auto-sign-in.ts`** — fired once during `app.whenReady()` when `isLocalProfile()` is true. Polls `/api/auth/ok` with 1s interval × 60s timeout (auto-sign-in survives the race against API startup), then POSTs to `/api/auth/sign-in/email` (auto-signs-up the seed user if missing). Persists the token via the same `saveToken()` that OAuth uses. Renderer stays prod-pure.
+- **`apps/desktop/src/main/index.ts`** — calls `void ensureDevAuthToken()` (fire-and-forget) so the window opens immediately. `AuthProvider`'s `onTokenChanged` subscription re-hydrates when the token lands. Also exposes Chrome DevTools Protocol on `localhost:9333` in the local profile for headless verification.
+- **`apps/desktop/src/main/env.main.ts`** — env defaults switch to localhost in dev builds (`NODE_ENV=development`) so a fresh-clone session never silently points main-process clients at hosted production. Profile check inlined here (rather than imported from `@superset/shared`) because `electron.vite.config.ts` does `await import("./src/main/env.main")` at config-load time using Node's ESM loader, which can't transform `.ts` files from sibling workspace packages.
+
+### Desktop renderer
+
+- **`apps/desktop/src/renderer/env.renderer.ts`** — env defaults switch to localhost in dev builds for `NEXT_PUBLIC_API_URL`, `NEXT_PUBLIC_WEB_URL`, `NEXT_PUBLIC_ELECTRIC_URL`, `RELAY_URL`. Fresh-clone renderer never syncs against hosted Electric.
+- **`apps/desktop/src/renderer/routes/_authenticated/.../*`** (16 files) — flipped `env.SKIP_ENV_VALIDATION ? MOCK_ORG_ID : session.activeOrganizationId` to `session.activeOrganizationId ?? (env.SKIP_ENV_VALIDATION ? MOCK_ORG_ID : null)`. Prefer real session, fall back to mock only when there is no session. Fixed the "Host service not available" toast caused by the renderer querying host-service by the fake org ID while host-service spawned for the real auto-signed-in admin org.
+
+### Build pipeline
+
+- **`apps/desktop/electron.vite.config.ts`** + **`apps/desktop/vite/helpers.ts`** — added `devOrProdUrl()` helper that returns `process.env[key]` if set, else a dev-vs-prod fallback based on `NODE_ENV`. Used in `define` blocks for main + renderer `process.env` replacements and in `htmlEnvTransformPlugin` for `%NEXT_PUBLIC_*%` placeholders in `index.html`. Builds default to localhost-friendly URLs in dev mode.
+
+### Web app
+
+- **`apps/web/src/app/(auth)/components/DevAuthForm/`** — email/password form, gated `NODE_ENV !== "production"`. Prefilled with seed credentials so contributors click "Sign in" once.
+- **`apps/web/src/app/(auth)/sign-in/.../page.tsx`** + **`sign-up/.../page.tsx`** — wire the form.
+
+### Telemetry / observability
+
+- **`apps/api/src/lib/analytics.ts`** + **`packages/trpc/src/lib/analytics.ts`** — PostHog `Proxy` lazy-init returning a no-op surface (`capture`, `getFeatureFlag`, etc.) when `NEXT_PUBLIC_POSTHOG_KEY` is missing.
+- **`apps/api/src/lib/boot-summary.ts`** — one-time API startup log printing every disabled integration and the env var to enable it. Visible to contributors so degradation is never silent.
+- **`apps/api/src/app/api/health/route.ts`** — `GET /api/health` returns `{ ok, profile, integrations: { stripe: "configured" | "missing", … } }` for prod monitoring + contributor sanity checks.
+
+### Plumbing
+
+- **`turbo.jsonc`** — `SUPERSET_PROFILE`, `CI`, `VERCEL`, `VERCEL_ENV`, and `SKIP_ENV_VALIDATION` live in `globalEnv`. Profile-affecting flags now hash into the cache key so strict/lenient cached builds can't cross-contaminate.
+- **`package.json`** — `bun db:seed:dev` root script.
+
+### Docs
+
+- **`docs/LOCAL_DEVELOPMENT.md`** — contributor-facing setup guide.
+- **`README.md`** — `Build from Source` section shrunk to a 6-line quickstart, pointed at `docs/LOCAL_DEVELOPMENT.md`.
+
+## Decisions made (with rejected alternatives)
+
+### Why profile-aware `skipValidation` instead of marking ~70 integration vars `.optional()` everywhere?
+
+**Rejected:** Mark each integration key `.optional()`, fix every consumer that types it as `string`. The "Formbricks pattern."
+
+**Chosen:** Keep schemas as-is, flip `skipValidation` based on profile. Lazy guards at call sites catch the crashes.
+
+**Why:** The Formbricks refactor would touch ~70 schema entries and ~100+ consumer sites that assume non-null. The skipValidation approach is one line per env file, no consumer changes, and the runtime behavior is identical: in OSS, the env object has whatever's in `process.env` (possibly empty strings); call sites that crash get wrapped in lazy guards as discovered.
+
+### Why strict-by-default with `SUPERSET_PROFILE=local` opt-in, not lenient-by-default with `SUPERSET_INTERNAL_DEV=1` opt-in?
+
+**Rejected:** Default to lenient + write `SUPERSET_INTERNAL_DEV=1` from `.superset/setup.sh` so internal devs land in strict.
+
+**Chosen:** Default to strict + local contributors set `SUPERSET_PROFILE=local`.
+
+**Why:** Strict-by-default is the conservative direction. An internal dev or self-hoster who forgets to source their `.env` gets a clear failure, not a silently-degraded app. OSS contributors trade a one-time flag for that safety guarantee. Also: no setup-script edit means internal devs' workflow is byte-identical to today.
+
+### Why not gate on `NODE_ENV === "production"` instead of Vercel env markers?
+
+**Rejected:** Use `NODE_ENV === "production"` as the cloud discriminator.
+
+**Chosen:** `VERCEL=1` or `VERCEL_ENV` for cloud, `NODE_ENV` only as a fallback indicator inside the `internal` default.
+
+**Why:** `NODE_ENV=production` is true in self-hosted dev too — it conflates "deployed to Vercel" with "operator running the production build locally." Self-hosters are legitimate prod operators and we want them strict, but they have different keys than Vercel (no `VERCEL_*` vars, no Vercel-specific URLs). Discriminating on Vercel env markers keeps cloud and self-hosted as two distinct strict-validated buckets.
+
+### Why a `ci` profile when `SKIP_ENV_VALIDATION=1` already exists?
+
+**Rejected:** Have CI workflows explicitly set `SKIP_ENV_VALIDATION=1` for lint/typecheck/test jobs.
+
+**Chosen:** Auto-detect `CI=true` (set by GitHub Actions and most CI runners) and treat as lenient.
+
+**Why:** Zero-config — existing workflows don't need to add env vars. And the profile is reported correctly in the boot summary + `/api/health`, so it's clear in logs that the build is lenient. `SKIP_ENV_VALIDATION=1` remains the explicit one-off escape hatch.
+
+### Why move profile-affecting flags from `globalPassThroughEnv` to `globalEnv`?
+
+**Rejected:** Pass-through (cheap, no cache invalidation).
+
+**Chosen:** Hash into the cache key.
+
+**Why:** A `bun run build` cached with `SUPERSET_PROFILE=local` (validation skipped) could be served back when the next caller doesn't have the flag (validation expected). Same for `CI=true` vs not. Caches that disagree about validation produce bugs that are very hard to attribute. Cache invalidation cost is acceptable — these flags don't flip often.
+
+### Why dev auto-sign-in in the main process, not the renderer?
+
+**Initial attempt:** Put it in `AuthProvider` (renderer).
+
+**Rejected because:** Mixes dev seed concerns with prod auth hydration. `AuthProvider` becomes "auth + dev seeding." Race conditions with React render lifecycle. Easy to accidentally ship to prod bundles.
+
+**Chosen:** Main process during `app.whenReady()`. Uses the same `saveToken()` OAuth uses. Renderer is 100% upstream-pure — has no idea dev mode exists.
+
+### Why fire-and-forget instead of blocking window creation on auto-sign-in?
+
+**Initial attempt:** `await ensureDevAuthToken()` before `MainWindow()`.
+
+**Rejected because:** If the API takes 30s to compile on first launch, the desktop window is blank for 30s with no feedback. Bad UX.
+
+**Chosen:** `void ensureDevAuthToken()` — window opens immediately. The function polls `/api/auth/ok` internally with backoff. `AuthProvider.onTokenChanged` subscription picks up the token whenever it eventually lands and re-hydrates the renderer's session.
+
+### Why inline the profile check in `env.main.ts` instead of importing from `@superset/shared`?
+
+**Rejected:** Single canonical import.
+
+**Chosen:** Inline the four-line check in `env.main.ts` only; other consumers import from `@superset/shared/deployment-profile`.
+
+**Why:** `electron.vite.config.ts` does `await import("./src/main/env.main")` at config-load time to validate env at build. Node's native ESM loader handles that import — it has no Vite/SWC/TS transform — so any transitive `.ts` import from a sibling workspace package fails with `ERR_UNKNOWN_FILE_EXTENSION`. Discovered the hard way when CI build failed. The four lines of duplication are a fair trade for not breaking the build.
+
+## Lessons learned
+
+### `neondatabase/neon_local` is not a Neon protocol emulator
+
+It requires `NEON_PROJECT_ID` + `NEON_API_KEY` and acts as a *proxy* to a real Neon project. Useless for OSS. We discovered this only by running it. Plain `postgres:16 -c wal_level=logical` is the right substrate; pair it with a driver swap.
+
+### `@neondatabase/serverless` cannot speak vanilla Postgres TCP
+
+The serverless driver only knows Neon's HTTP/WS protocol. Verified by running it against a local Postgres — fails with "Unable to connect." Driver swap is unavoidable (~20 LOC), not a config flag.
+
+### Most integrations degrade gracefully on their own
+
+Better Auth social providers, Upstash KV, QStash all log warnings on missing keys and keep working. Only **Stripe, Resend, PostHog, and the trpc support router** crashed at module load. The plan's "guard a dozen integrations" overestimated; actual scope was 4 files.
+
+### The renderer had a hidden dev-mode landmine
+
+16 places overrode `activeOrganizationId` to `MOCK_ORG_ID` whenever `SKIP_ENV_VALIDATION` was set — a hack from when dev mode had no real session. With the new main-process auto-sign-in producing a real session with a real org, the renderer was looking up host-service connections by the fake mock org while host-service had spawned for the real org → "Host service not available" toast. Flipping the priority (`session.org ?? (devMode ? mock : null)`) fixed all 16 sites with the same one-line pattern.
+
+### Vite/Turbopack caches can mask real bugs during iteration
+
+A mid-process `.next/` deletion left the dev server in a corrupted state — every route returned 404 even though the files existed. Full clean-restart fixed it. Don't trust caches during refactoring; reset between iterations.
+
+### `electron-vite build` uses Node's native ESM loader for its config
+
+`electron.vite.config.ts` does `await import("./src/main/env.main")` at config-load time, which Node handles directly. Any transitive `.ts` import from a sibling workspace package crashes the build. Workspace packages exporting `.ts` files (the common monorepo pattern here) only work for consumers that go through a transform layer.
+
+### CDP is invaluable for verifying renderer state without manual clicks
+
+Enabling Chrome DevTools Protocol in the Electron main process (one line of `app.commandLine.appendSwitch`) let me probe the React context for `activeHostUrl` directly. Confirmed the fix without needing to click "Import" in the UI. Faster + more honest than asking the user to retry.
+
+### Most upstream OSS projects don't multi-profile cleanly
+
+The previous research agent found nobody in the OSS reference class (Cal.com, Documenso, Plane, Twenty, Supabase, Formbricks) does true three-or-four-profile env validation. The closest is Formbricks (`createFinalSchema` + per-group `.refine()`). The pattern we shipped — `getDeploymentProfile()` + profile-keyed `skipValidation` + boot summary + `/api/health` — is novel relative to that ref class.
+
+### CI build failures are a fast feedback loop you should actually use
+
+I shipped the deployment-profile changes without checking `gh pr checks 4616`. The build broke. Next time: `gh pr checks` is part of the post-push ritual.
+
+## What was built — commit-by-commit
+
+| Commit | Theme |
+|---|---|
+| [`04130c0`](https://github.com/superset-sh/superset/pull/4616/commits/04130c0) | Core OSS path: DB driver swap, lazy-init guards (Stripe/Resend/PostHog), Better Auth email/password, desktop dev auto-sign-in, 17-file MOCK_ORG_ID priority fix, web app DevAuthForm, `db:seed:dev`, CDP for verification, docs |
+| [`2b609b5`](https://github.com/superset-sh/superset/pull/4616/commits/2b609b5) | Deployment profiles + boot summary + `/api/health` endpoint |
+| [`f3c76b9`](https://github.com/superset-sh/superset/pull/4616/commits/f3c76b9) | Flipped discriminator (strict by default, local profile opts into lenient) |
+| [`101cd30`](https://github.com/superset-sh/superset/pull/4616/commits/101cd30) | Added `ci` profile (GitHub Actions auto-detect) |
+| [`513d198`](https://github.com/superset-sh/superset/pull/4616/commits/513d198) | Five review-finding fixes: Stripe gate in `afterCreateOrganization`, email/password disabled in prod, docker-compose.dev.yml + Electric URL defaults, auto-sign-in API readiness poll, profile flags hash into Turbo cache |
+| [`f3254ef`](https://github.com/superset-sh/superset/pull/4616/commits/f3254ef) | Fixed CI build (inlined profile check in `env.main.ts`); remaining hardcoded prod URL defaults switched to `devOrProdUrl()` helper across `electron.vite.config.ts`, `vite/helpers.ts`, `env.main.ts` |
+
+## Verification
+
+End-to-end smoke test after final commit:
+
+```text
+[superset] profile=local (lenient)
+[superset] disabled features (set the listed env var(s) to enable):
+           - stripe                       STRIPE_SECRET_KEY
+           - resend (email)               RESEND_API_KEY
+           - posthog (telemetry)          NEXT_PUBLIC_POSTHOG_KEY
+           …
+[dev-auto-sign-in] signed in as admin@local.test
+[host-service:b499daed-…] listening on port 51257
+```
+
+DB sanity check confirmed the Stripe-gate fix:
+```sql
+SELECT email, name, slug, stripe_customer_id FROM auth.users JOIN auth.organizations ...
+admin@local.test | Local Admin's Team | 14019d9c-team | <NULL>
+```
+
+Profile resolution unit test (all 6 cases pass):
+```
+✓ fresh clone (no env)                  → internal  (strict)
+✓ Local contributor                     → local     (lenient)
+✓ GitHub Actions                        → ci        (lenient)
+✓ Vercel runtime                        → cloud     (strict)
+✓ Vercel runtime overrides CI           → cloud     (strict)
+✓ Local profile overrides CI            → local     (lenient)
+```
+
+CDP-probed React context:
+```json
+{ "activeHostUrl": "http://127.0.0.1:51257", "machineId": "…" }
+```
+
+Local CI reproduction:
+- `bun run lint` — clean
+- `bun run --cwd apps/desktop typecheck` — clean
+- `bun turbo run build --filter=@superset/desktop` — succeeds
+
+## What's still deferred (honest TODO list)
+
+These are real follow-ups, none of them blocking the OSS path from working today:
+
+- **`.env.example` with working defaults** — README says "edit DATABASE_URL + BETTER_AUTH_SECRET" without telling contributors the values. Pre-fill `postgres://superset:superset@localhost:5433/superset` + a sentinel `BETTER_AUTH_SECRET=dev_secret_not_for_production_*` and move optional integration keys to a `# OPTIONAL` block.
+- **`bun setup` orchestrator** — current contributor flow is 6 commands. A `bun setup` wrapping `docker compose up`, `cp .env.example .env` if missing, `bun install`, `bun run db:migrate`, copy `.dev.vars`, with idempotency + friendly errors would collapse it to two: `bun setup && bun dev`.
+- **Full integration crash audit** — Stripe, Resend, PostHog, trpc-support-Resend are wrapped. GitHub App (`@octokit/app`), Freestyle, Linear, Slack, QStash signing keys, Anthropic (`@anthropic-ai/sdk`), Blob (`@vercel/blob`) may still crash at import in the local profile. Mechanical `grep -rn "new \w\+(.*env\." packages apps` survey.
+- **Mailpit instead of console-log emails** — Better Auth's `sendEmail` falls back to stdout. Mailpit container would give contributors a clickable UI at `localhost:8025`.
+- **CI fresh-clone smoke test** — without one, the OSS path silently rots the next time someone adds a crash-on-import integration. A GitHub Actions job that does `git clone` in a fresh runner, follows the README, hits `/api/auth/ok`, fails if anything red.
+- **Per-integration group `.refine()` validation** — Formbricks pattern. E.g. if `STRIPE_SECRET_KEY` is set then `STRIPE_WEBHOOK_SECRET` must also be set. Catches half-configured prod deploys.
+
+## Architecture diagrams
+
+### Profile resolution
+
+```
+┌─────────────────────────────────────────────────────────────────────┐
+│                       getDeploymentProfile()                         │
+│                                                                      │
+│   VERCEL === "1" or VERCEL_ENV ─────────►  cloud      (strict)     │
+│       │                                                              │
+│       no                                                             │
+│       ▼                                                              │
+│   SUPERSET_PROFILE=local ────────────────►  local      (lenient)    │
+│       │                                                              │
+│       no                                                             │
+│       ▼                                                              │
+│   CI === "true"         ─────────────────►  ci         (lenient)    │
+│       │                                                              │
+│       no                                                             │
+│       ▼                                                              │
+│                          ─────────────────►  internal  (strict)     │
+└─────────────────────────────────────────────────────────────────────┘
+```
+
+### Local session lifecycle
+
+```
+┌──────────────────┐                  ┌──────────────────┐
+│  Postgres :5433  │  wal_level=      │  Electric :4649  │
+│  superset-pg     │  logical         │  superset-       │
+│                  │ ◄────────────────┤  electric        │
+└──────────────────┘  (docker-compose)└──────────────────┘
+        ▲                                       ▲
+        │ migrations                            │ shape stream
+        │                                       │
+        ▼                                       ▼
+┌──────────────────────────────────────────────────────────────┐
+│  bun dev (with SUPERSET_PROFILE=local)                         │
+│                                                                │
+│  apps/web      :4640  ─ Next.js, DevAuthForm visible          │
+│  apps/api      :4641  ─ Better Auth + tRPC, /api/health       │
+│                                                                │
+│  apps/desktop:                                                 │
+│     Electron main         ─ ensureDevAuthToken() polls API,    │
+│                              POSTs sign-up/sign-in, saveToken()│
+│     Vite renderer :4645  ─ AuthProvider.onTokenChanged hydrates│
+│     Notifications :4646                                        │
+│                                                                │
+│  electric-proxy :4652  (Wrangler)  ─ ELECTRIC_SHAPE_URL=:4649 │
+│  Caddy           :4650  (HTTPS)   ─ reverse proxy → :4652     │
+└──────────────────────────────────────────────────────────────┘
+        │
+        │ host-service spawned per-org (dynamic port)
+        ▼
+┌──────────────────────────────────────────────────┐
+│  Host service (per organization)                  │
+│  superset-dev-data/host/<orgId>/host.db           │
+│  Listening on dynamic port (e.g. :51257)          │
+└──────────────────────────────────────────────────┘
+```
+
+### Strictness × visibility matrix
+
+| Profile      | `skipValidation` | Boot summary    | `/api/health` shows         | Sign-in path                                  |
+|--------------|------------------|------------------|------------------------------|------------------------------------------------|
+| `cloud`      | false (strict)   | `profile=cloud (strict)`    | `profile: "cloud"`        | OAuth (email/password disabled in prod build)  |
+| `internal`   | false (strict)   | `profile=internal (strict)` | `profile: "internal"`     | OAuth + dev email/password form (NODE_ENV=dev) |
+| `ci`         | true (lenient)   | `profile=ci (lenient)`      | `profile: "ci"`           | n/a (build/test job, no runtime auth)          |
+| `local`      | true (lenient)   | lists disabled features     | `profile: "local"`        | dev auto-sign-in + dev email/password form     |
diff --git a/scripts/setup-local.ts b/scripts/setup-local.ts
new file mode 100644
index 00000000000..e4678242440
--- /dev/null
+++ b/scripts/setup-local.ts
@@ -0,0 +1,389 @@
+#!/usr/bin/env bun
+import { spawnSync } from "node:child_process";
+import { createHash } from "node:crypto";
+import { copyFileSync, existsSync, readFileSync, writeFileSync } from "node:fs";
+import { basename, resolve } from "node:path";
+
+const args = new Set(process.argv.slice(2));
+const root = resolve(import.meta.dirname, "..");
+const localWorktreeSlug = toSlug(basename(root), "-");
+const localWorktreeHash = createHash("sha1")
+	.update(root)
+	.digest("hex")
+	.slice(0, 6);
+const localWorkspaceName = [
+	"local-dev",
+	localWorktreeSlug.slice(0, 15),
+	localWorktreeHash,
+].join("-");
+const localDatabaseName = [
+	"superset_local",
+	toSlug(basename(root), "_").slice(0, 32),
+	localWorktreeHash,
+].join("_");
+const LOCAL_DATABASE_HOSTS = new Set([
+	"localhost",
+	"127.0.0.1",
+	"::1",
+	"[::1]",
+]);
+const LOCAL_DATABASE_USER = "superset";
+const LOCAL_DATABASE_PASSWORD = "superset";
+const LOCAL_DATABASE_PORT = "5433";
+const LOCAL_POSTGRES_CONTAINER = "superset-pg";
+const LOCAL_ELECTRIC_CONTAINER = "superset-electric";
+const DOCKER_COMPOSE_ARGS = [
+	"compose",
+	"-p",
+	"superset-local",
+	"-f",
+	"docker-compose.dev.yml",
+];
+
+const help = `Usage: bun setup:local [options]
+
+Prepares a fresh-clone local contributor setup without cloud credentials.
+
+Options:
+  --skip-docker       Do not start Docker Postgres/Electric
+  --skip-migrate      Do not run database migrations
+  --skip-caddy-trust  Do not run caddy trust
+  -h, --help          Show this help
+`;
+
+function log(message: string): void {
+	console.log(`[setup:local] ${message}`);
+}
+
+function fail(message: string): never {
+	console.error(`[setup:local] ${message}`);
+	process.exit(1);
+}
+
+function run(
+	command: string,
+	commandArgs: string[],
+	env: Record<string, string | undefined> = {},
+): void {
+	log(`$ ${[command, ...commandArgs].join(" ")}`);
+	const result = spawnSync(command, commandArgs, {
+		cwd: root,
+		stdio: "inherit",
+		env: { ...process.env, ...env },
+	});
+	if (result.status !== 0) {
+		fail(`${command} ${commandArgs.join(" ")} failed`);
+	}
+}
+
+function runOutput(command: string, commandArgs: string[]): string {
+	const result = spawnSync(command, commandArgs, {
+		cwd: root,
+		encoding: "utf8",
+		env: process.env,
+	});
+	if (result.status !== 0) {
+		fail(
+			`${command} ${commandArgs.join(" ")} failed\n${result.stderr ?? ""}`.trim(),
+		);
+	}
+	return result.stdout;
+}
+
+function commandExists(command: string): boolean {
+	const result = spawnSync("sh", ["-lc", `command -v ${command}`], {
+		cwd: root,
+		stdio: "ignore",
+	});
+	return result.status === 0;
+}
+
+function requireCommand(command: string, installHint: string): void {
+	if (!commandExists(command)) {
+		fail(`${command} is required. ${installHint}`);
+	}
+}
+
+function copyIfMissing(source: string, destination: string): void {
+	const sourcePath = resolve(root, source);
+	const destinationPath = resolve(root, destination);
+	if (existsSync(destinationPath)) {
+		log(`keeping existing ${destination}`);
+		return;
+	}
+	copyFileSync(sourcePath, destinationPath);
+	log(`created ${destination} from ${basename(source)}`);
+}
+
+function toSlug(value: string, separator: "-" | "_"): string {
+	return (
+		value
+			.toLowerCase()
+			.replace(/[^a-z0-9]+/g, separator)
+			.replace(new RegExp(`^\\${separator}+|\\${separator}+$`, "g"), "") ||
+		"dev"
+	);
+}
+
+function localDatabaseUrl(databaseName: string): string {
+	return `postgres://${LOCAL_DATABASE_USER}:${LOCAL_DATABASE_PASSWORD}@localhost:${LOCAL_DATABASE_PORT}/${databaseName}`;
+}
+
+function readEnvValue(name: string): string | undefined {
+	const envPath = resolve(root, ".env");
+	if (!existsSync(envPath)) return undefined;
+	const lines = readFileSync(envPath, "utf8").split(/\r?\n/);
+	for (const line of lines) {
+		const trimmed = line.trim();
+		if (!trimmed || trimmed.startsWith("#")) continue;
+		const [key, ...valueParts] = trimmed.split("=");
+		if (key === name) {
+			return valueParts.join("=").replace(/^["']|["']$/g, "");
+		}
+	}
+	return undefined;
+}
+
+function writeEnvValues(values: Record<string, string>): void {
+	const envPath = resolve(root, ".env");
+	const original = readFileSync(envPath, "utf8");
+	const seen = new Set<string>();
+	const lines = original.split(/\r?\n/).map((line) => {
+		const match = line.match(/^([A-Z0-9_]+)=/);
+		if (!match) return line;
+
+		const key = match[1];
+		const value = values[key];
+		if (value === undefined) return line;
+
+		seen.add(key);
+		return `${key}=${value}`;
+	});
+
+	for (const [key, value] of Object.entries(values)) {
+		if (!seen.has(key)) {
+			lines.push(`${key}=${value}`);
+		}
+	}
+
+	const next = lines.join("\n");
+	if (next !== original) {
+		writeFileSync(envPath, next);
+		log("updated .env with this worktree's local database settings");
+	}
+}
+
+function isLocalDatabaseUrl(value: string | undefined): boolean {
+	if (!value) return false;
+	try {
+		const url = new URL(value);
+		return LOCAL_DATABASE_HOSTS.has(url.hostname);
+	} catch {
+		return false;
+	}
+}
+
+function isLocalWorkspaceName(value: string | undefined): boolean {
+	return value === "local-dev" || Boolean(value?.startsWith("local-dev-"));
+}
+
+function normalizeLocalEnv(): void {
+	const profile = readEnvValue("SUPERSET_PROFILE");
+	const workspaceName = readEnvValue("SUPERSET_WORKSPACE_NAME");
+	if (profile !== "local" || !isLocalWorkspaceName(workspaceName)) {
+		fail(
+			[
+				"existing .env is not the default contributor profile, so setup stopped before running migrations",
+				"expected: SUPERSET_PROFILE=local",
+				"expected: SUPERSET_WORKSPACE_NAME=local-dev or local-dev-*",
+				"move your existing .env aside or update it intentionally, then rerun bun setup:local",
+			].join("\n"),
+		);
+	}
+
+	if (!isLocalDatabaseUrl(readEnvValue("DATABASE_URL"))) {
+		fail("DATABASE_URL must point at localhost for bun setup:local.");
+	}
+
+	if (!isLocalDatabaseUrl(readEnvValue("DATABASE_URL_UNPOOLED"))) {
+		fail("DATABASE_URL_UNPOOLED must point at localhost for bun setup:local.");
+	}
+
+	writeEnvValues({
+		SUPERSET_WORKSPACE_NAME: localWorkspaceName,
+		SUPERSET_LOCAL_DATABASE_NAME: localDatabaseName,
+		DATABASE_URL: localDatabaseUrl(localDatabaseName),
+		DATABASE_URL_UNPOOLED: localDatabaseUrl(localDatabaseName),
+	});
+}
+
+function dockerContainerExists(name: string): boolean {
+	const result = spawnSync("docker", ["inspect", name], {
+		cwd: root,
+		stdio: "ignore",
+	});
+	return result.status === 0;
+}
+
+function dockerContainerEnvValue(
+	containerName: string,
+	envName: string,
+): string | undefined {
+	if (!dockerContainerExists(containerName)) return undefined;
+	const output = runOutput("docker", [
+		"inspect",
+		"--format",
+		"{{range .Config.Env}}{{println .}}{{end}}",
+		containerName,
+	]);
+	const line = output
+		.split(/\r?\n/)
+		.find((item) => item.startsWith(`${envName}=`));
+	return line?.slice(envName.length + 1);
+}
+
+function sleep(seconds: number): void {
+	spawnSync("sleep", [String(seconds)], { stdio: "ignore" });
+}
+
+function waitForPostgres(): void {
+	for (let attempt = 0; attempt < 30; attempt++) {
+		const result = spawnSync(
+			"docker",
+			[
+				"exec",
+				LOCAL_POSTGRES_CONTAINER,
+				"pg_isready",
+				"-U",
+				LOCAL_DATABASE_USER,
+				"-d",
+				"postgres",
+			],
+			{ cwd: root, stdio: "ignore" },
+		);
+		if (result.status === 0) return;
+		sleep(1);
+	}
+
+	fail("Postgres did not become ready.");
+}
+
+function ensureLocalPostgres(): void {
+	if (dockerContainerExists(LOCAL_POSTGRES_CONTAINER)) {
+		run("docker", ["start", LOCAL_POSTGRES_CONTAINER]);
+	} else {
+		run("docker", [...DOCKER_COMPOSE_ARGS, "up", "-d", "postgres"]);
+	}
+
+	waitForPostgres();
+}
+
+function ensureLocalDatabase(databaseName: string): void {
+	const exists = runOutput("docker", [
+		"exec",
+		LOCAL_POSTGRES_CONTAINER,
+		"psql",
+		"-U",
+		LOCAL_DATABASE_USER,
+		"-d",
+		"postgres",
+		"-tAc",
+		`SELECT 1 FROM pg_database WHERE datname='${databaseName}'`,
+	]).trim();
+
+	if (exists === "1") {
+		log(`database ${databaseName} already exists`);
+		return;
+	}
+
+	run("docker", [
+		"exec",
+		LOCAL_POSTGRES_CONTAINER,
+		"psql",
+		"-U",
+		LOCAL_DATABASE_USER,
+		"-d",
+		"postgres",
+		"-c",
+		`CREATE DATABASE ${databaseName}`,
+	]);
+}
+
+function ensureLocalElectric(databaseName: string): void {
+	const expectedDatabaseUrl = `postgres://${LOCAL_DATABASE_USER}:${LOCAL_DATABASE_PASSWORD}@host.docker.internal:${LOCAL_DATABASE_PORT}/${databaseName}`;
+	const currentDatabaseUrl = dockerContainerEnvValue(
+		LOCAL_ELECTRIC_CONTAINER,
+		"DATABASE_URL",
+	);
+
+	if (currentDatabaseUrl && currentDatabaseUrl !== expectedDatabaseUrl) {
+		log("recreating Electric for this worktree's local database");
+		run("docker", ["rm", "-f", LOCAL_ELECTRIC_CONTAINER]);
+	}
+
+	if (dockerContainerExists(LOCAL_ELECTRIC_CONTAINER)) {
+		run("docker", ["start", LOCAL_ELECTRIC_CONTAINER]);
+		return;
+	}
+
+	run("docker", [...DOCKER_COMPOSE_ARGS, "up", "-d", "--no-deps", "electric"], {
+		SUPERSET_LOCAL_DATABASE_NAME: databaseName,
+	});
+}
+
+if (args.has("-h") || args.has("--help")) {
+	console.log(help);
+	process.exit(0);
+}
+
+if (process.platform !== "darwin") {
+	fail("local desktop development is currently documented for macOS only.");
+}
+
+requireCommand("bun", "Install Bun from https://bun.sh.");
+if (!args.has("--skip-docker")) {
+	requireCommand("docker", "Install Docker Desktop for macOS.");
+}
+if (!args.has("--skip-caddy-trust")) {
+	requireCommand("caddy", "Install Caddy with: brew install caddy");
+}
+
+copyIfMissing(".env.example", ".env");
+normalizeLocalEnv();
+
+copyIfMissing(
+	"apps/electric-proxy/.dev.vars.example",
+	"apps/electric-proxy/.dev.vars",
+);
+copyIfMissing("Caddyfile.example", "Caddyfile");
+
+if (!args.has("--skip-docker")) {
+	ensureLocalPostgres();
+	ensureLocalDatabase(localDatabaseName);
+	ensureLocalElectric(localDatabaseName);
+}
+
+if (!args.has("--skip-caddy-trust")) {
+	run("caddy", ["trust"]);
+}
+
+if (!args.has("--skip-migrate")) {
+	run("bun", ["run", "db:migrate"]);
+}
+
+console.log(`
+Local setup is ready.
+
+Next:
+  bun dev
+
+Useful checks after boot:
+  curl -fsS http://localhost:4641/api/health
+  curl -fsS http://localhost:4641/api/auth/ok
+
+Desktop state for this setup lives in:
+  ~/.superset-${localWorkspaceName}
+
+Local database for this worktree:
+  ${localDatabaseName}
+`);
diff --git a/turbo.jsonc b/turbo.jsonc
index 125a76a58bd..b54a931444d 100644
--- a/turbo.jsonc
+++ b/turbo.jsonc
@@ -17,17 +17,20 @@
 		"POSTHOG_API_KEY",
 		"POSTHOG_PROJECT_ID",
 		"KV_REST_API_URL",
-		"KV_REST_API_TOKEN"
-	],
-	"globalPassThroughEnv": [
-		"NODE_ENV",
+		"KV_REST_API_TOKEN",
+		// Profile-affecting flags must hash into the cache key so
+		// strict and lenient builds never share cached outputs.
+		"SUPERSET_PROFILE",
+		"SUPERSET_WORKSPACE_NAME",
 		"CI",
 		"VERCEL",
 		"VERCEL_ENV",
+		"SKIP_ENV_VALIDATION",
 		"VERCEL_URL",
 		"npm_lifecycle_event",
 		"RENDERER_REMOTE_DEBUG_PORT"
 	],
+	"globalPassThroughEnv": ["NODE_ENV", "VERCEL_URL", "npm_lifecycle_event"],
 	"tasks": {
 		"build": {
 			"inputs": ["$TURBO_DEFAULT$", ".env*"],