diff --git a/src/ZB.MOM.WW.ScadaBridge.Security/Auth/AuthDisableLoginOptions.cs b/src/ZB.MOM.WW.ScadaBridge.Security/Auth/AuthDisableLoginOptions.cs
index ff8b1606..ba7d9fa8 100644
--- a/src/ZB.MOM.WW.ScadaBridge.Security/Auth/AuthDisableLoginOptions.cs
+++ b/src/ZB.MOM.WW.ScadaBridge.Security/Auth/AuthDisableLoginOptions.cs
@@ -8,7 +8,15 @@ namespace ZB.MOM.WW.ScadaBridge.Security.Auth;
 ///
 public sealed class AuthDisableLoginOptions
 {
- /// Configuration section name (ScadaBridge:Security:Auth).
+ ///
+ /// Configuration section name (ScadaBridge:Security:Auth).
+ /// This is a CHILD sub-section of ScadaBridge:Security (where
+ /// binds the parent fields) — not a sibling.
+ /// In appsettings.json nest it under the existing Security object:
+ ///
+ /// "ScadaBridge": { "Security": { "Auth": { "DisableLogin": true } } }
+ ///
+ ///
 public const string SectionName = "ScadaBridge:Security:Auth";
 
 /// When true, disable login and auto-authenticate every request. Default false.
diff --git a/src/ZB.MOM.WW.ScadaBridge.Security/ServiceCollectionExtensions.cs b/src/ZB.MOM.WW.ScadaBridge.Security/ServiceCollectionExtensions.cs
index f9c3022b..94edacac 100644
--- a/src/ZB.MOM.WW.ScadaBridge.Security/ServiceCollectionExtensions.cs
+++ b/src/ZB.MOM.WW.ScadaBridge.Security/ServiceCollectionExtensions.cs
@@ -127,7 +127,7 @@ public static class ServiceCollectionExtensions
 "AUTH DISABLED (ScadaBridge:Security:Auth:DisableLogin=true) — every request is " +
 "authenticated as '{User}' with FULL permissions ({Roles}) across ALL sites. This " +
 "is a SCADA control surface; dev/test ONLY — never enable in production.",
- opts.User, string.Join(",", Roles.All)));
+ opts.User, string.Join(", ", Roles.All)));
 }
 else
 {
diff --git a/tests/ZB.MOM.WW.ScadaBridge.Security.Tests/DisableLoginRegistrationTests.cs b/tests/ZB.MOM.WW.ScadaBridge.Security.Tests/DisableLoginRegistrationTests.cs
index c84fb094..c4075ba3 100644
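Review bot: The appsettings example added to the SectionName summary shows `"DisableLogin": true` — the value the startup message in ServiceCollectionExtensions calls "dev/test ONLY — never enable in production" — without carrying that qualifier, so the snippet a reader is most likely to copy into a config file is the unsafe one. The nesting guidance itself is useful and should stay. I would add one line beside the example, e.g. `/// Default is false; the example enables the dev/test-only login bypass and must not be used in production.`, or show `false` in the example and say in prose that `true` disables login.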
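Review bot: The separator change only alters how the role list renders; the log message remains the only visible safeguard in this branch, and the `if` that selects it — like the enclosing registration method — starts and ends outside the hunk, so I cannot tell whether AddSecurity also refuses the flag outside a development environment. If it does not, the bypass should be gated on the hosting environment (IHostEnvironment or an equivalent signal) and fail startup with InvalidOperationException rather than rely on an operator noticing a log line on a SCADA control surface. If such a guard already exists above the hunk, a one-line comment here pointing to it would save the next reviewer the same question.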
--- a/tests/ZB.MOM.WW.ScadaBridge.Security.Tests/DisableLoginRegistrationTests.cs
+++ b/tests/ZB.MOM.WW.ScadaBridge.Security.Tests/DisableLoginRegistrationTests.cs
@@ -32,4 +32,30 @@ public class DisableLoginRegistrationTests
 var scheme = await ResolveCookieSchemeAsync(disableLogin: false);
 Assert.Equal(typeof(CookieAuthenticationHandler), scheme!.HandlerType);
 }
+
+ ///
+ /// When disableLogin: false (the production path) the M2.19 idle-timeout /
+ /// role-refresh hook MUST be wired on the cookie scheme's
+ /// .
+ /// This pin-test ensures a future refactor cannot silently drop the hook without
+ /// a red test.
+ ///
+ [Fact]
+ public async Task FlagFalse_CookieScheme_OnValidatePrincipalIsWired()
+ {
+ var services = new ServiceCollection();
+ services.AddLogging();
+ // Provide default SecurityOptions so the PostConfigure that reads
+ // IOptions (cookie-hardening + name) can resolve successfully.
+ services.Configure(_ => { });
+ services.AddSecurity(disableLogin: false);
+
+ await using var sp = services.BuildServiceProvider();
+
+ var options = sp
+ .GetRequiredService>()
+ .Get(CookieAuthenticationDefaults.AuthenticationScheme);
+
+ Assert.NotNull(options.Events?.OnValidatePrincipal);
+ }
 }
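Review bot: `Assert.NotNull(options.Events?.OnValidatePrincipal)` only pins that some delegate is attached, so a refactor that replaces the M2.19 hook with an empty lambda, or attaches an unrelated handler, still passes — the summary promises more than the assertion checks. To make the pin meaningful, either compare the delegate against the method the registration assigns (if it is a named method rather than a lambda) or invoke it with a `CookieValidatePrincipalContext` built around an idle/expired ticket and assert the rejection outcome the hook is meant to produce; I am inferring that outcome from the summary's "idle-timeout / role-refresh" wording, not from visible code. The summary should also say which of the two behaviours (idle timeout, role refresh) the test is expected to cover so a later split of the hook does not leave it silently pinning the wrong one.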