diff --git a/src/server/src/app/server.ts b/src/server/src/app/server.ts
index 4ffb2a8..1871ef3 100644
--- a/src/server/src/app/server.ts
+++ b/src/server/src/app/server.ts
@@ -100,6 +100,11 @@ export async function createApp() {
 return deviceTokenAuth(config.SERVICE_TOKEN)(c, next);
 })
 .route('/client', clientSurface)
+ // TODO(merge-conflict): plum gates /my/* with `ssoRequired(SSO_VALIDATE_URL, SERVICE_TOKEN)`
+ // (cookie/SSO session against an external validator); apricot gates it with
+ // `serviceTokenAuth(SERVICE_TOKEN)` (single shared bearer token). These are
+ // production auth models for the dashboard — pick one before deploy.
+ // Currently using apricot's simpler service-token mode.
 .use('/my/*', corsMiddleware('same-origin'))
 .use('/my/*', rateLimitMiddleware('my'))
 .use('/my/*', serviceTokenAuth(config.SERVICE_TOKEN))
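Review bot: The added comment records an unresolved decision about the production auth model for `/my/*` and then merges the weaker option anyway, which is the kind of TODO that tends to ship; the choice should be made in this PR or the route left disabled until it is. Note that the same `config.SERVICE_TOKEN` already gates the device path via `deviceTokenAuth(config.SERVICE_TOKEN)` three lines above, so with the apricot mode a compromised device token also opens the dashboard, and a single shared bearer carries no user identity, so nothing under `/my/*` can be scoped per user (the SSO option in the comment presumably provides that — confirm). If the service-token mode is deliberately kept for now, at least give the dashboard its own secret rather than reusing the device token, and make the comment say what blocks the SSO path, e.g. `// SECURITY: /my/* is gated by a single shared bearer reused from deviceTokenAuth — no per-user identity; switch to ssoRequired() before exposing the dashboard (tracked in <issue>)`. Whether `serviceTokenAuth` compares the token in constant time is not visible in this hunk; worth checking while the gate is being decided. `createApp` starts and ends outside the hunk.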