diff --git a/src/ZB.MOM.WW.ScadaBridge.Security/Auth/AutoLoginAuthenticationHandler.cs b/src/ZB.MOM.WW.ScadaBridge.Security/Auth/AutoLoginAuthenticationHandler.cs
index c170f863..0ff6137e 100644
--- a/src/ZB.MOM.WW.ScadaBridge.Security/Auth/AutoLoginAuthenticationHandler.cs
+++ b/src/ZB.MOM.WW.ScadaBridge.Security/Auth/AutoLoginAuthenticationHandler.cs
@@ -17,6 +17,9 @@ namespace ZB.MOM.WW.ScadaBridge.Security.Auth;
 public sealed class AutoLoginAuthenticationHandler : AuthenticationHandler, IAuthenticationSignInHandler
 {
+ // Only _opts.User is consumed here. The DisableLogin flag is gated at registration time
+ // (AddSecurity); if DisableLogin is false this handler is never registered, so it is
+ // never reached and the flag itself is irrelevant inside the handler.
 private readonly AuthDisableLoginOptions _opts;
 private readonly TimeProvider _clock;
diff --git a/tests/ZB.MOM.WW.ScadaBridge.Security.Tests/AutoLoginAuthenticationHandlerTests.cs b/tests/ZB.MOM.WW.ScadaBridge.Security.Tests/AutoLoginAuthenticationHandlerTests.cs
index 124665b1..33662e13 100644
--- a/tests/ZB.MOM.WW.ScadaBridge.Security.Tests/AutoLoginAuthenticationHandlerTests.cs
+++ b/tests/ZB.MOM.WW.ScadaBridge.Security.Tests/AutoLoginAuthenticationHandlerTests.cs
@@ -49,6 +49,7 @@ public class AutoLoginAuthenticationHandlerTests
 Assert.True(result.Succeeded);
 var p = result.Principal!;
+ Assert.True(p.Identity!.IsAuthenticated); // first gate checked by [Authorize] + Blazor AuthenticationStateProvider
 Assert.Equal("multi-role", p.Identity!.Name);
 foreach (var role in Roles.All)
 Assert.True(p.IsInRole(role), $"expected role {role}");
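Review bot: The new comment on `_opts` documents a security invariant that is enforced only in another file (AddSecurity, not visible in this diff), so nothing in the handler stops it from authenticating every request if it is ever registered while DisableLogin is false. If the flag is reachable from the options the handler receives, a fail-closed guard at the top of the authenticate path, such as returning `AuthenticateResult.NoResult()` when the flag is off, would make the handler safe on its own rather than by convention. At minimum the invariant deserves a registration test that builds the services with DisableLogin false and asserts the auto-login scheme is absent; the test hunk in this commit covers only the positive path. The class body continues outside the hunk, so an existing guard further down cannot be ruled out.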
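Review bot: The added `Assert.True(p.Identity!.IsAuthenticated);` pins less than its trailing comment suggests, assuming the handler builds a plain `ClaimsIdentity`: there the property is true whenever any non-empty authentication type was passed to the constructor. Asserting `p.Identity.AuthenticationType` against the scheme name this test registers would also catch the identity being issued under the wrong scheme. A preceding `Assert.NotNull(p.Identity);` would report a missing identity as a test failure rather than a null-reference exception behind the `!` operator. The test method starts and ends outside the hunk.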