diff --git a/services/mam-api/src/index.js b/services/mam-api/src/index.js
index d275d4a..20dc7a8 100644
--- a/services/mam-api/src/index.js
+++ b/services/mam-api/src/index.js
@@ -78,9 +78,6 @@ app.use(
       pool,
       tableName:            'sessions',
       pruneSessionInterval: 3600,
-      // Belt-and-braces: connect-pg-simple will CREATE TABLE on its first
-      // write if migration 021 somehow didn't run. Cheap, idempotent.
-      createTableIfMissing: true,
     }),
     secret:            SESSION_SECRET,
     resave:            false,
diff --git a/services/web-ui/public/login.html b/services/web-ui/public/login.html
index 7971670..f0fcb36 100644
--- a/services/web-ui/public/login.html
+++ b/services/web-ui/public/login.html
@@ -264,23 +264,22 @@
   $('show-setup').onclick = e => { e.preventDefault(); clearFlash(); showSetup(); };
   $('show-login').onclick = e => { e.preventDefault(); clearFlash(); showLogin(); };
 
-  // First-run detection: if no users exist, skip the sign-in panel entirely
-  // and present the create-admin form. This is the only state in which the
-  // app is unusable without intervention, so we want the operator routed
-  // there automatically rather than relying on them to click the small link.
+  // Auth is parked for now. If the server reports auth is disabled, bounce
+  // straight to the app — no one should ever land on this screen while
+  // AUTH_ENABLED=false. If the server is unreachable, leave the panel
+  // visible so the operator at least sees something.
   (async () => {
     try {
       const r = await fetch(API + '/setup-status', { credentials: 'same-origin' });
       if (r.ok) {
         const d = await r.json();
+        if (!d.auth_enabled) {
+          location.replace('/');
+          return;
+        }
         if (d.needs_setup) {
           showSetup();
           showFlash('No accounts yet — create the first admin to continue.', 'info');
-        } else if (!d.auth_enabled) {
-          // Auth is off server-side; logging in does nothing. Tell the
-          // operator clearly instead of letting them fill out the form
-          // and watch the redirect loop back to /login.html.
-          showFlash('Authentication is disabled on the server (AUTH_ENABLED=false). Set AUTH_ENABLED=true in mam-api and restart.', 'error');
         }
       }
     } catch (_) { /* offline → leave the login panel visible */ }
diff --git a/services/web-ui/public/shell.jsx b/services/web-ui/public/shell.jsx
index 87a57f8..d2cec94 100644
--- a/services/web-ui/public/shell.jsx
+++ b/services/web-ui/public/shell.jsx
@@ -177,18 +177,15 @@ function Sidebar({ active, onNavigate, me, collapsed, onToggle }) {
             {me?.role || '—'}{me?.synthetic ? ' · auth off' : ''}
           </div>
         </div>
-        <button className="icon-btn" aria-label="Sign out" data-tip="Sign out" title="Sign out"
-          onClick={async () => {
-            // Best-effort logout — works whether auth is on or off. With
-            // AUTH_ENABLED=true the server clears the session; with auth
-            // off there's no session, so we still bounce to /login.html
-            // so the operator can see "auth disabled" messaging and choose
-            // to enable it instead of staring at a no-op power button.
-            try { await window.ZAMPP_API.fetch('/auth/logout', { method: 'POST' }); } catch (_) {}
-            window.location.replace('/login.html');
-          }}>
-          <Icon name="power" />
-        </button>
+        {me?.synthetic ? null : (
+          <button className="icon-btn" aria-label="Sign out" data-tip="Sign out" title="Sign out"
+            onClick={async () => {
+              try { await window.ZAMPP_API.fetch('/auth/logout', { method: 'POST' }); } catch (_) {}
+              window.location.replace('/login.html');
+            }}>
+            <Icon name="power" />
+          </button>
+        )}
       </div>
     </aside>
   );