Update documentation for remote auth tokens and validation commands

CONTRIBUTING.md

@@ -67,13 +67,16 @@ If you only need the production bundle without the lint/format gate, use:
 npm run build:app
 ```
 
-If local port `3015` is already occupied, run Playwright on another isolated port:
+If local port `3015` is already occupied, run the stable Playwright smoke on another isolated port:
 
 ```bash
-PLAYWRIGHT_TEST_PORT=3016 npm run test:e2e
+PLAYWRIGHT_TEST_PORT=3016 npm run test:e2e:ci
 ```
 
-The Playwright suite starts an isolated local app per worker under `.tmp-playwright/workers/` and should not reuse your normal local dashboard data. `npm run verify:package` builds the real tarball and verifies that the packaged CLI can start outside the repo checkout.
+The Playwright suite starts an isolated local app per worker under `.tmp-playwright/workers/` and
+should not reuse your normal local dashboard data. Use `npm run test:e2e` only when you intentionally
+want the fresh app build plus the default local worker count. `npm run verify:package` builds the
+real tarball and verifies that the packaged CLI can start outside the repo checkout.
 
 Then manually verify the main user flows touched by your change:
 

README.md

@@ -98,8 +98,8 @@ Then either:
 The auto-import path prefers:
 
 1. local `toktrack`
-2. `bunx toktrack@<pinned version>`
-3. `npx --yes toktrack@<pinned version>`
+2. `bunx` with the exact `toktrack` package spec pinned by this TTDash release
+3. `npx --yes` with the exact `toktrack` package spec pinned by this TTDash release
 
 ## Common Commands
 
@@ -177,21 +177,29 @@ Commands:
 
 Environment variables:
 
-| Variable                | Description                                               |
-| ----------------------- | --------------------------------------------------------- |
-| `PORT`                  | Override the start port                                   |
-| `NO_OPEN_BROWSER=1`     | Disable browser auto-open                                 |
-| `HOST`                  | Override the bind host, for example `HOST=0.0.0.0 ttdash` |
-| `TTDASH_ALLOW_REMOTE=1` | Explicitly allow binding to a non-loopback host           |
+| Variable                                  | Description                                            |
+| ----------------------------------------- | ------------------------------------------------------ |
+| `PORT`                                    | Override the start port                                |
+| `NO_OPEN_BROWSER=1`                       | Disable browser auto-open                              |
+| `HOST`                                    | Override the bind host                                 |
+| `TTDASH_ALLOW_REMOTE=1`                   | Explicitly allow binding to a non-loopback host        |
+| `TTDASH_REMOTE_TOKEN=<long-random-token>` | Required for non-loopback binds; use at least 24 chars |
 
-Binding to a non-loopback host such as `0.0.0.0` exposes the local dashboard API to your network, including destructive routes for local data and settings resets. TTDash now refuses that bind unless you also set `TTDASH_ALLOW_REMOTE=1`. Only use this on trusted networks.
+Binding to a non-loopback host such as `0.0.0.0` exposes the local dashboard API to your network, including destructive routes for local data and settings resets. TTDash refuses that bind unless you set both `TTDASH_ALLOW_REMOTE=1` and a `TTDASH_REMOTE_TOKEN` with at least 24 characters. Only use remote token access over a trusted LAN, VPN, or SSH tunnel; for any public hostname, put TTDash behind an HTTPS reverse proxy with valid TLS termination before sending the bearer token.
 
 Example:
 
 ```bash
-TTDASH_ALLOW_REMOTE=1 HOST=0.0.0.0 ttdash
+TTDASH_ALLOW_REMOTE=1 TTDASH_REMOTE_TOKEN=<long-random-token> HOST=0.0.0.0 ttdash
+curl -H "Authorization: Bearer $TTDASH_REMOTE_TOKEN" http://127.0.0.1:3000/api/usage
 ```
 
+When calling the server from another device, replace `127.0.0.1` with the server's LAN, VPN, or
+SSH-tunneled host. For public hostnames, call an HTTPS reverse proxy URL instead; do not send the
+bearer token over public HTTP.
+
+Remote API requests can authenticate with the `Authorization: Bearer $TTDASH_REMOTE_TOKEN` header or the equivalent `X-TTDash-Remote-Token: $TTDASH_REMOTE_TOKEN` header.
+
 ## Features
 
 - Provider and model filtering across OpenAI, Anthropic, Google, and other imported providers
@@ -371,12 +379,16 @@ To inspect the slowest suites and test cases after a Vitest run:
 npm run test:timings
 ```
 
-The Playwright suite starts an isolated local app per worker under `.tmp-playwright/workers/`. If the base port `3015` is already occupied locally, run it from another base port:
+The Playwright suite starts an isolated local app per worker under `.tmp-playwright/workers/`. For
+stable Playwright-only validation from another base port, use the CI-style worker cap:
 
 ```bash
-PLAYWRIGHT_TEST_PORT=3016 npm run test:e2e
+PLAYWRIGHT_TEST_PORT=3016 npm run test:e2e:ci
 ```
 
+Use `npm run test:e2e` when you intentionally want the fresh app build plus the default local worker
+count.
+
 Refresh the README screenshots:
 
 ```bash

SECURITY.md

@@ -31,10 +31,19 @@ This project is maintained on a best-effort basis by a single maintainer. Report
 
 `TTDash` is intended to run as a local-first app on loopback by default. Binding it to a non-loopback host exposes local API routes for uploads, imports, resets, and report generation to your network.
 
-Non-loopback binding therefore requires an explicit opt-in:
+Non-loopback binding therefore requires an explicit opt-in and a remote token with at least 24
+characters. Only use remote token access over a trusted LAN, VPN, or SSH tunnel; for any public
+hostname, put TTDash behind an HTTPS reverse proxy with valid TLS termination before sending the
+bearer token.
 
 ```bash
-TTDASH_ALLOW_REMOTE=1 HOST=0.0.0.0 ttdash
+TTDASH_ALLOW_REMOTE=1 TTDASH_REMOTE_TOKEN=<long-random-token> HOST=0.0.0.0 ttdash
+curl -H "Authorization: Bearer $TTDASH_REMOTE_TOKEN" http://127.0.0.1:3000/api/usage
 ```
 
-Only use that mode on trusted networks.
+When calling the server from another device, replace `127.0.0.1` with the server's LAN, VPN, or
+SSH-tunneled host. For public hostnames, call an HTTPS reverse proxy URL instead; do not send the
+bearer token over public HTTP.
+
+Remote API requests can authenticate with `Authorization: Bearer $TTDASH_REMOTE_TOKEN` or the
+equivalent `X-TTDash-Remote-Token` header. Keep the token secret.