diff --git a/ZB.MOM.WW.Theme/build/pack.sh b/ZB.MOM.WW.Theme/build/pack.sh
index 471e865..c166ead 100755
--- a/ZB.MOM.WW.Theme/build/pack.sh
+++ b/ZB.MOM.WW.Theme/build/pack.sh
@@ -1,5 +1,5 @@
#!/usr/bin/env bash
-# pack.sh — produce the ZB.MOM.WW.Auth NuGet packages into ./artifacts.
+# pack.sh — produce the ZB.MOM.WW.Theme NuGet packages into ./artifacts.
#
# Usage:
# ./build/pack.sh
diff --git a/ZB.MOM.WW.Theme/build/push.sh b/ZB.MOM.WW.Theme/build/push.sh
index c4a2a55..cd1ce5d 100755
--- a/ZB.MOM.WW.Theme/build/push.sh
+++ b/ZB.MOM.WW.Theme/build/push.sh
@@ -1,5 +1,5 @@
#!/usr/bin/env bash
-# push.sh — pack and push all ZB.MOM.WW.Auth NuGet packages to the Gitea feed.
+# push.sh — pack and push all ZB.MOM.WW.Theme NuGet packages to the Gitea feed.
#
# Required environment variables:
# GITEA_NUGET_SOURCE — full URL of the Gitea NuGet feed
diff --git a/ZB.MOM.WW.Theme/src/ZB.MOM.WW.Theme/Components/LoginCard.razor b/ZB.MOM.WW.Theme/src/ZB.MOM.WW.Theme/Components/LoginCard.razor
index 4cfc8fd..0f6fb3e 100644
--- a/ZB.MOM.WW.Theme/src/ZB.MOM.WW.Theme/Components/LoginCard.razor
+++ b/ZB.MOM.WW.Theme/src/ZB.MOM.WW.Theme/Components/LoginCard.razor
@@ -1,5 +1,10 @@
@namespace ZB.MOM.WW.Theme
-@* Components/LoginCard.razor — static form-POST sign-in card. *@
+@* Components/LoginCard.razor — static form-POST sign-in card.
+ SECURITY NOTES:
+ - ReturnUrl is echoed into a hidden field verbatim; the consuming app's POST handler
+ MUST validate it is a local/relative URL before redirecting to prevent open-redirect.
+ - This form is NOT auto-protected by Blazor antiforgery; the caller MUST pass an
+ antiforgery token via ChildContent (e.g. ). *@
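Review bot: The antiforgery example at the end of the new comment is empty as shown, `(e.g. )`, so the note never names what the caller is expected to render; if the tag survived in the actual file this is only a rendering artefact, otherwise it should read `(e.g. <AntiforgeryToken />)` as the @code doc further down does. The ReturnUrl note would also be more useful if it stated the criterion rather than "local/relative": a bare "starts with /" test still accepts protocol-relative `//host` and `/\host`, so the comment should point the consuming handler at `Url.IsLocalUrl(returnUrl)` (or an equivalent check that rejects those two prefixes) before redirecting. Suggested wording: `MUST validate it with IUrlHelper.IsLocalUrl (rejects absolute, //host and /\host forms) before redirecting.`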
@@ -33,7 +38,21 @@
@code {
[Parameter, EditorRequired] public string Product { get; set; } = string.Empty;
[Parameter] public string Action { get; set; } = "/auth/login";
+
+ ///
+ /// Optional URL to redirect to after a successful login. Echoed into a hidden
+ /// returnUrl field. The consuming app's POST handler MUST validate this is
+ /// a local/relative URL before redirecting — do not redirect to arbitrary values
+ /// to prevent open-redirect vulnerabilities.
+ ///
[Parameter] public string? ReturnUrl { get; set; }
+
[Parameter] public string? Error { get; set; }
+
+ ///
+ /// Content rendered inside the form, before the username/password fields.
+ /// The caller MUST supply an antiforgery token here (e.g. <AntiforgeryToken />)
+ /// because this static POST form is not auto-protected by Blazor's antiforgery middleware.
+ ///
[Parameter] public RenderFragment? ChildContent { get; set; }
}
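Review bot: The ReturnUrl doc comment places the entire open-redirect defence on the consuming app's POST handler, but the component itself still echoes whatever it is given into the hidden field, so a single forgetful consumer is fully exposed; a defence-in-depth guard in this @code block costs little. Add a private view that only yields local paths, `private string? LocalReturnUrl => ReturnUrl is ['/', not ('/' or '\\'), ..] ? ReturnUrl : null;`, and have the hidden-field markup (outside this hunk, in the component body) bind to it instead of ReturnUrl, so absolute and protocol-relative values are dropped at the source while the handler-side check stays as documented. The `///` lines at the top and bottom of each new doc block appear bare here, presumably `<summary>` tags lost in rendering; if they are genuinely absent in the file the compiler will not treat the text as a summary.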
diff --git a/ZB.MOM.WW.Theme/src/ZB.MOM.WW.Theme/Components/TechButton.razor b/ZB.MOM.WW.Theme/src/ZB.MOM.WW.Theme/Components/TechButton.razor
index c97acb7..871db30 100644
--- a/ZB.MOM.WW.Theme/src/ZB.MOM.WW.Theme/Components/TechButton.razor
+++ b/ZB.MOM.WW.Theme/src/ZB.MOM.WW.Theme/Components/TechButton.razor
@@ -1,6 +1,6 @@
@namespace ZB.MOM.WW.Theme
@* Components/TechButton.razor *@
-