test(security): DL-3 review nits — assert OnValidatePrincipal on prod path + warning/doc polish

tests/ZB.MOM.WW.ScadaBridge.Security.Tests/DisableLoginRegistrationTests.cs

@@ -32,4 +32,30 @@ public class DisableLoginRegistrationTests
         var scheme = await ResolveCookieSchemeAsync(disableLogin: false);
         Assert.Equal(typeof(CookieAuthenticationHandler), scheme!.HandlerType);
     }
+
+    /// <summary>
+    /// When <c>disableLogin: false</c> (the production path) the M2.19 idle-timeout /
+    /// role-refresh hook MUST be wired on the cookie scheme's
+    /// <see cref="Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationEvents.OnValidatePrincipal"/>.
+    /// This pin-test ensures a future refactor cannot silently drop the hook without
+    /// a red test.
+    /// </summary>
+    [Fact]
+    public async Task FlagFalse_CookieScheme_OnValidatePrincipalIsWired()
+    {
+        var services = new ServiceCollection();
+        services.AddLogging();
+        // Provide default SecurityOptions so the PostConfigure that reads
+        // IOptions<SecurityOptions> (cookie-hardening + name) can resolve successfully.
+        services.Configure<SecurityOptions>(_ => { });
+        services.AddSecurity(disableLogin: false);
+
+        await using var sp = services.BuildServiceProvider();
+
+        var options = sp
+            .GetRequiredService<Microsoft.Extensions.Options.IOptionsMonitor<CookieAuthenticationOptions>>()
+            .Get(CookieAuthenticationDefaults.AuthenticationScheme);
+
+        Assert.NotNull(options.Events?.OnValidatePrincipal);
+    }
 }