Bind native backend services and Node-RED to loopback so Angie remains the public auth boundary. Keep Docker on an internal compose network and stop kiosk fallback to a layout when display default is none.
Deployment (deploy/): - systemd units for server (system) and kiosk (user session) - Angie/nginx proxy config — routes admin, api, ws, node-red - Dockerfile + docker-compose for containerized deployment - deploy/README.md with install instructions Auth: - /api/admin/_check endpoint for proxy auth_request subrequest - Returns 200 if admin session valid, 401/403 otherwise - Sets X-BetterFrame-User header for upstream CEC (Pi5 HDMI control): - kiosk/src/cec.rs wraps cec-ctl subprocess - Standby/wake/active-source commands - WS message types "standby" / "wake" dispatched to CEC - Admin UI: Wake/Standby buttons on kiosk edit page - Server sendToKiosk via coordinator
