diff --git a/README.md b/README.md
index 2b375c0..0aba8ee 100644
--- a/README.md
+++ b/README.md
@@ -231,6 +231,15 @@ it is almost certainly a bug. All cryptographic operations must go through
 Exceptions require explicit authorization in a code comment referencing this
 policy.
 
+### DEBUG Mode Policy
+
+The `DEBUG` constant in the popup JS enables a red "DEBUG / INSECURE" banner and
+a hardcoded test mnemonic. **DEBUG mode must behave as close to normal mode as
+possible.** No `if (DEBUG)` branches that skip functionality, bypass security
+flows, or alter program behavior beyond the banner and the hardcoded mnemonic.
+Adding new DEBUG-conditional branches requires explicit approval from the
+project owner.
+
 ### Key Decisions
 
 - **No framework**: The popup UI is vanilla JS and HTML. The extension is small
diff --git a/src/popup/index.js b/src/popup/index.js
index 9a3b165..d1ac45f 100644
--- a/src/popup/index.js
+++ b/src/popup/index.js
@@ -287,11 +287,6 @@ async function init() {
 
     await loadState();
 
-    // In DEBUG mode, skip the lock screen (no encryption yet)
-    if (DEBUG && state.hasWallet) {
-        state.locked = false;
-    }
-
     if (!state.hasWallet) {
         showView("welcome");
     } else if (state.locked) {