test+docs(dashboard): assert hub policy under disable-login; correct warning/doc wording

docs/GatewayConfiguration.md

@@ -172,7 +172,7 @@ events (a "gap") and must re-snapshot; whatever is still retained is replayed.
 | `MxGateway:Dashboard:ShowTagValues` | `false` | Reserved display control for tag values. The dashboard does not show full tag values by default. |
 | `MxGateway:Dashboard:GroupToRole` | _(empty)_ | LDAP group → dashboard role mapping. Keys are LDAP group names (short CN or full DN — leading-RDN match). Values must be `Admin` (read/write, API-key CRUD) or `Viewer` (read-only). A user whose LDAP groups don't intersect this map cannot sign in; with no mapping at all, only the loopback bypass admits anyone. |
 | `MxGateway:Dashboard:DisableLogin` | `false` | Dev/test only. When `true`, replaces the cookie authentication handler with `DashboardAutoLoginAuthenticationHandler`, which auto-authenticates every dashboard request — including requests from remote browsers, not just loopback — as `AutoLoginUser` holding both `Administrator` and `Viewer` roles. No login form, LDAP bind, or cookie is involved. A loud one-time startup warning is logged. Differs from `AllowAnonymousLocalhost`: `DisableLogin` mints a real authenticated principal (so role-gated write affordances appear), whereas `AllowAnonymousLocalhost` satisfies the authorization requirement on loopback only without minting a principal (write affordances stay hidden). Never enable in production. |
-| `MxGateway:Dashboard:AutoLoginUser` | `multi-role` | Username stamped on the synthetic principal when `DisableLogin` is `true`. Has no effect when `DisableLogin` is `false`. |
+| `MxGateway:Dashboard:AutoLoginUser` | `(null)` | Username stamped on the synthetic principal when `DisableLogin` is `true`. Default `(null)` — a null or blank value falls back to `multi-role`. Has no effect when `DisableLogin` is `false`. |
 
 `SnapshotIntervalMilliseconds` must be greater than zero. `RecentFaultLimit`
 and `RecentSessionLimit` must be greater than or equal to zero.

src/ZB.MOM.WW.MxGateway.Server/Dashboard/DashboardServiceCollectionExtensions.cs

@@ -73,7 +73,8 @@ public static class DashboardServiceCollectionExtensions
                 DashboardAuthenticationDefaults.AuthenticationScheme,
                 _ => { });
 
-            // Loud, once-at-startup warning (emitted when GatewayOptions is first resolved).
+            // Loud warning, emitted on first resolution of GatewayOptions (i.e. on the first
+            // request/options access, not guaranteed at process start). Dev-only safety notice.
             services.AddOptions<GatewayOptions>().PostConfigure<ILoggerFactory>((gatewayOptions, loggerFactory) =>
                 loggerFactory
                     .CreateLogger("ZB.MOM.WW.MxGateway.Server.Dashboard.DisableLogin")

src/ZB.MOM.WW.MxGateway.Tests/Gateway/Dashboard/DashboardDisableLoginTests.cs

@@ -53,5 +53,7 @@ public sealed class DashboardDisableLoginTests
             user, resource: null, DashboardAuthenticationDefaults.AdminPolicy)).Succeeded);
         Assert.True((await authorization.AuthorizeAsync(
             user, resource: null, DashboardAuthenticationDefaults.ViewerPolicy)).Succeeded);
+        Assert.True((await authorization.AuthorizeAsync(
+            user, resource: null, DashboardAuthenticationDefaults.HubClientsPolicy)).Succeeded);
     }
 }