7e2c7a7e4c
Caught up the docs to match what the dashboard actually does. Four spots
were stale enough to be misleading.

- TOTP / 2FA section rewritten. The doc still claimed admins enrolled
  TOTP from the Users action menu, but that button was removed when
  TOTP enrollment moved to the self-service profile page (two-step
  with QR + 6-digit confirmation; nothing written to user_totp_secrets
  until the user proves they have a working authenticator). Admins can
  disable a user's TOTP but can no longer enroll on someone's behalf.
  Also called out that OIDC-linked users skip local TOTP — their MFA
  lives at the IdP.
- Admin dashboard URLs table was missing nine routes that exist
  today: /admin/assets/{tailwindcss,htmx.min}.js (vendored CDN
  assets), /admin/pages/profile + four sub-routes (self-service
  profile flow), /admin/connect/:peer_id, and the two web-client SPA
  asset routes. Updated the Users-page row to mention the inline
  edit-profile + TOTP-disable controls.
- CLI flags / HTTP API & dashboard table now lists --http-listen and
  --ws-listen (they previously only appeared inside the nginx
  subsection — discoverability matters when an operator scans the
  flag tables looking for what's available). Added a one-liner about
  hbbr's matching --ws-listen flag.
- Security checklist gained a bind-flags hardening tip
  (--http-listen=127.0.0.1, --ws-listen=127.0.0.1 on both daemons
  when fronted by nginx) and a note about forwarding
  X-Forwarded-Proto: https so the dashboard generates wss:// URLs.

Sections cross-checked and confirmed accurate as-is: OIDC walk-through
+ role sync + troubleshooting, strategies, address books, recordings,
audit retention, SMTP, web client (routes / browser reqs / codec /
HUD diagnostics / build), database / backup notes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
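
The two-step TOTP enrollment described in the commit message above, as an added example (not the project's code): the secret stays pending until a valid 6-digit code is presented, and only then is a row written to user_totp_secrets. The table's columns, the `Enrollment` class, the "Dashboard" issuer label and the one-step drift window are assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets, sqlite3, struct, time
from urllib.parse import quote

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    # Table name comes from the commit message; the columns are assumed.
    db.execute("CREATE TABLE user_totp_secrets "
               "(user_id INTEGER PRIMARY KEY, secret BLOB NOT NULL)")
    return db

class Enrollment:
    def __init__(self, db: sqlite3.Connection):
        self.db = db
        self.pending = {}   # user_id -> secret; stands in for session state

    def begin(self, user_id: int, account: str) -> str:
        """Step 1: mint a secret, hold it pending, return the URI shown as a QR."""
        secret = secrets.token_bytes(20)
        self.pending[user_id] = secret           # nothing is persisted yet
        b32 = base64.b32encode(secret).decode()
        return f"otpauth://totp/Dashboard:{quote(account)}?secret={b32}&issuer=Dashboard"

    def confirm(self, user_id: int, code: str, now: float = None) -> bool:
        """Step 2: persist the secret only if the submitted code verifies."""
        secret = self.pending.get(user_id)
        if secret is None:
            return False
        now = time.time() if now is None else now
        # Accept the previous, current and next step to tolerate clock drift.
        ok = any(hmac.compare_digest(totp(secret, now + d * 30).encode(),
                                     code.encode())
                 for d in (-1, 0, 1))
        if ok:
            with self.db:                        # commit on success
                self.db.execute("INSERT INTO user_totp_secrets VALUES (?, ?)",
                                (user_id, secret))
            del self.pending[user_id]
        return ok
```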