diff --git a/internal/control/control.go b/internal/control/control.go
index 0af6741..e4cf0f5 100644
--- a/internal/control/control.go
+++ b/internal/control/control.go
@@ -155,12 +155,15 @@ func hasRequestBody(r *http.Request) bool {
 }
 
 func (s *Server) rejectBody(w http.ResponseWriter, r *http.Request) bool {
+	// Returns true when the request has an unexpected body and the error response
+	// has already been written — callers should return immediately in that case.
+	// Returns false when there is no body (happy path — request should proceed).
 	if !hasRequestBody(r) {
-		return true
+		return false
 	}
 	s.recordAudit(auditUnexpectedBody)
 	http.Error(w, noBodyErrMsg, http.StatusBadRequest)
-	return false
+	return true
 }
 
 func (s *Server) recordAudit(evt auditEvent) {