docs: update documentation for Phase 3.6 features

Update README.md and SESSION_CONTEXT.md to reflect recent changes:

Phase 3.6 features:
- Cloudflare Turnstile CAPTCHA (registration & contact form)
- Cloudflare TURN/STUN servers for WebRTC
- Public profiles accessible without authentication
- Static content pages (About Us, How It Works)
- Contact form with admin panel
- 404 page with activity logging
- Responsive mobile design improvements
- Trust proxy configuration

Testing updates:
- 351 tests (up from 342), 100% passing
- 73% coverage (up from 72.5%)
- New webrtc-api.test.js with 9 comprehensive tests
- 100% coverage for routes/webrtc.js

Structure updates:
- New routes: /api/webrtc/ice-servers, /api/public/contact
- New admin pages: ContactMessagesPage
- Static content in frontend/public/content/
- Enhanced navbar with admin dropdown

README.md

@@ -24,7 +24,9 @@ Web application (PWA) enabling dance event participants to:
 - Password reset workflow
 - WSDC integration (auto-fill profile data from worldsdc.com)
 - Event slugs (alphanumeric IDs preventing enumeration attacks)
+- Cloudflare Turnstile CAPTCHA (bot protection on registration & contact form)
 - Security: CORS, CSRF, Helmet.js, rate limiting, account lockout
+- Trust proxy for correct client IP detection behind nginx
 
 ### Events & Chat
 - Event list from worldsdc.com
@@ -55,7 +57,8 @@ Web application (PWA) enabling dance event participants to:
 ### WebRTC P2P File Transfer
 - Browser-to-browser video file exchange (RTCDataChannel)
 - 16KB chunking with progress monitoring
-- STUN servers for NAT traversal
+- Cloudflare TURN/STUN servers for reliable NAT traversal
+- Dynamic ICE server configuration with fallback to public STUN
 - E2E encryption (DTLS/SRTP)
 - WebRTC capability detection
 - User-friendly fallback when WebRTC blocked
@@ -69,11 +72,15 @@ Web application (PWA) enabling dance event participants to:
 - Source filtering (auto vs manual matches)
 - Auto-completion when both partners rated
 
-### User Profiles
+### User Profiles & Public Pages
-- Public profiles (/@{username}) visible to logged-in users
+- Public profiles (/u/{username}) accessible without authentication
+- Clickable usernames in navbar linking to profile
 - Social media links (YouTube, Instagram, Facebook, TikTok)
 - Location (country + city with 195 countries)
-- Profile statistics (matches, average rating, reviews)
+- Profile statistics (average rating, reviews)
+- Responsive mobile layout
+- 404 page with activity logging for invalid routes
+- About Us and How It Works pages (markdown-based static content)
 
 ### Admin & Monitoring
 - Activity Log System with real-time streaming dashboard
@@ -82,6 +89,8 @@ Web application (PWA) enabling dance event participants to:
 - Real-time Socket.IO streaming (like `tail -f`)
 - Admin-only access with requireAdmin middleware
 - Statistics dashboard (total logs, failures, 24h activity)
+- Contact form submissions with admin panel
+- Admin dropdown menu in navbar (Activity Logs, Contact Messages)
 
 ### PWA & Infrastructure
 - Progressive Web App (offline support, iOS compatible)
@@ -97,7 +106,8 @@ Web application (PWA) enabling dance event participants to:
 **Backend:** Node.js 20 + Express 4.18 + Socket.IO 4.8 + JWT + bcrypt
 **Database:** PostgreSQL 15 + Prisma ORM 5.22
 **Infrastructure:** Docker Compose + Nginx + Alpine Linux
-**Testing:** Jest + Supertest (342 tests, 72.5% coverage, 100% passing ✅)
+**Testing:** Jest + Supertest (351 tests, 73% coverage, 100% passing ✅)
+**External Services:** AWS SES (email), Cloudflare Turnstile (CAPTCHA), Cloudflare TURN (WebRTC)
 
 ---
 
@@ -162,7 +172,7 @@ docker compose exec backend npm run cli -- users:list --limit 20
 
 ## 📊 Test Coverage
 
-**Backend: 342/342 tests passing - 100% ✅** (72.5% overall coverage)
+**Backend: 351/351 tests passing - 100% ✅** (73% overall coverage)
 
 ### Test Suites
 - **Matching Algorithm**: 19/19 integration tests
@@ -174,13 +184,15 @@ docker compose exec backend npm run cli -- users:list --limit 20
 - **Incremental Matching**: 5/5 tests
 - **Recording Stats Integration**: 6/6 tests
 - **WebRTC Signaling**: 12/12 tests
+- **WebRTC API**: 9/9 tests (Cloudflare TURN integration, fallbacks, authentication)
 - **Socket.IO**: 12/12 tests
-- **API Routes**: Full CRUD coverage (auth, events, matches, dashboard)
+- **API Routes**: Full CRUD coverage (auth, events, matches, dashboard, webrtc)
 
 ### Code Coverage Highlights
 - matching.js: 94.71% statements, 91.5% branches
 - routes/matches.js: 76.11% statements
 - routes/events.js: 78.2% statements
+- routes/webrtc.js: 100% coverage (9 comprehensive tests)
 
 **Comprehensive test documentation:** See `docs/TESTING_MATCHING_RATINGS.md` for detailed breakdown of all 45 matching/ratings tests.
 
@@ -193,24 +205,25 @@ spotlightcam/
 ├── docker-compose.yml          # Container orchestration (dev + prod profiles)
 ├── nginx/                      # Nginx reverse proxy config
 ├── frontend/                   # React PWA
+│   ├── public/content/        # Static markdown content (About Us, How It Works)
 │   ├── src/
 │   │   ├── components/        # React components
-│   │   ├── pages/             # Application pages
+│   │   ├── pages/             # Application pages (Home, Profile, Contact, 404)
-│   │   │   └── admin/         # Admin pages (ActivityLogsPage)
+│   │   │   └── admin/         # Admin pages (ActivityLogsPage, ContactMessages)
-│   │   ├── hooks/             # Custom hooks (useWebRTC)
+│   │   ├── hooks/             # Custom hooks (useWebRTC with Cloudflare TURN)
 │   │   ├── contexts/          # AuthContext
-│   │   ├── services/          # API client, Socket.IO client
+│   │   ├── services/          # API client, Socket.IO client, WebRTC API
 │   │   └── constants/         # Status constants
 │   ├── Dockerfile             # Development container
 │   └── Dockerfile.prod        # Production build
 ├── backend/                    # Node.js + Express API
 │   ├── src/
 │   │   ├── controllers/       # Auth, users, events, WSDC
-│   │   ├── routes/            # API routes (events, matches, admin)
+│   │   ├── routes/            # API routes (events, matches, admin, webrtc, public)
 │   │   ├── services/          # Matching algorithm, activity logging
 │   │   ├── middleware/        # Auth, admin access, message validation (spam protection)
 │   │   ├── socket/            # Socket.IO handlers (chat, WebRTC signaling, admin logs)
-│   │   └── __tests__/         # Jest tests (342 tests)
+│   │   └── __tests__/         # Jest tests (351 tests, 100% passing)
 │   ├── prisma/
 │   │   ├── schema.prisma      # Database schema (12 tables)
 │   │   └── migrations/        # Database migrations
@@ -345,6 +358,7 @@ docker compose exec backend npm run cli -- matches:list --limit 20 --status acce
 **Phase 2.5:** WebRTC P2P file transfer with fallback UX
 **Phase 3:** MVP finalization (landing page, dashboard, security hardening, PWA, auto-matching)
 **Phase 3.5:** Activity Log System (admin monitoring, real-time streaming dashboard, 18 action types)
+**Phase 3.6:** Public enhancements (Cloudflare CAPTCHA, public profiles, static pages, responsive design, Cloudflare TURN)
 
 ### ⏳ Future Extensions (Phase 4)
 - User badges & trust system
@@ -379,5 +393,5 @@ TBD
 
 ---
 
-**Status:** MVP Complete ✅ | 342/342 tests passing (100%) | Production Ready
+**Status:** MVP Complete ✅ | 351/351 tests passing (100%) | Production Ready
-**Last Updated:** 2025-12-03
+**Last Updated:** 2025-12-05

docs/SESSION_CONTEXT.md

@@ -15,17 +15,20 @@
 
 ## Current Status
 
-**Phase:** MVP Complete - Production Ready
+**Phase:** MVP Complete - Production Ready (Phase 3.6 complete)
-**Tests:** 342/342 backend tests passing - 100% ✅ (72.5% coverage)
+**Tests:** 351/351 backend tests passing - 100% ✅ (73% coverage)
-**Recent Work:** Activity Log System with real-time admin dashboard (Phase 3.5 complete)
+**Recent Work:** Cloudflare integrations (CAPTCHA, TURN/STUN), public pages, responsive design improvements
 
 ### Core Features (All Implemented)
 - JWT authentication with email verification (AWS SES)
+- Cloudflare Turnstile CAPTCHA (bot protection on registration & contact form)
 - Real-time chat (Socket.IO) - event rooms + private 1:1
   - Real-time active users with instant updates
   - Message validation (2000 char limit with visual counter)
   - Spam protection (rate limiting, duplicate detection, profanity filter)
 - WebRTC P2P file transfer (RTCDataChannel, up to 700MB tested)
+  - Cloudflare TURN/STUN servers with dynamic configuration
+  - Fallback to public STUN servers
 - Competition heats system for matchmaking
 - Recording matching system with 3-tier account system (BASIC/SUPPORTER/COMFORT)
 - Fairness algorithm (karma tracking: recordingsDone vs recordingsReceived)
@@ -34,11 +37,16 @@
 - Incremental matching (preserves accepted/completed suggestions)
 - Scheduler integration (automated matching with cron)
 - Atomic stats updates with race condition prevention
-- Clickable usernames with @ prefix, country flags
+- Clickable usernames in navbar, country flags
+- Public profiles (/u/{username}) - accessible without authentication
+- Static content pages (About Us, How It Works) - markdown-based
+- Contact form with admin panel
+- 404 page with activity logging
 - Matches & ratings API
 - QR code event check-in
 - PWA (offline support, iOS compatible)
-- Security: CSRF, rate limiting, account lockout
+- Responsive mobile design
+- Security: CSRF, rate limiting, account lockout, trust proxy
 - Test bot for automated testing
 - Activity Log System - admin monitoring dashboard with real-time streaming (18 action types)
 
@@ -49,27 +57,30 @@
 ```
 /spotlightcam
 ├── docker-compose.yml       # nginx:8080 + frontend + backend + db
-├── frontend/src/
+├── frontend/
-│   ├── pages/               # React pages
+│   ├── public/content/      # Static markdown content (about-us.md, how-it-works.md)
-│   │   └── admin/           # Admin pages (ActivityLogsPage.jsx)
+│   └── src/
+│       ├── pages/           # React pages (Home, Profile, Contact, 404, AboutUs, HowItWorks)
+│       │   └── admin/       # Admin pages (ActivityLogsPage.jsx, ContactMessagesPage.jsx)
 │       ├── components/      # Reusable components
 │       ├── contexts/        # AuthContext
-│   ├── services/            # api.js, socket.js
+│       ├── services/        # api.js, socket.js, webrtcAPI
-│   ├── hooks/               # useWebRTC.js
+│       ├── hooks/           # useWebRTC.js (Cloudflare TURN)
 │       └── constants/       # MATCH_STATUS, SUGGESTION_STATUS, etc.
 ├── backend/src/
-│   ├── routes/              # API endpoints (events.js, matches.js, admin.js)
+│   ├── routes/              # API endpoints (events.js, matches.js, admin.js, webrtc.js, public.js)
 │   ├── controllers/         # Business logic
 │   ├── services/            # matching.js (auto-matching), activityLog.js (audit trail)
 │   ├── middleware/          # auth.js, admin.js (requireAdmin)
 │   ├── socket/              # Socket.IO handlers (chat, WebRTC, admin logs)
 │   ├── utils/               # request.js (IP extraction)
 │   ├── constants/           # Status constants
-│   └── __tests__/           # Jest tests (342 tests - 100% passing)
+│   └── __tests__/           # Jest tests (351 tests - 100% passing)
 │       ├── matching-algorithm.test.js      # 19 tests
 │       ├── ratings-stats-flow.test.js      # 9 tests
 │       ├── matching-runs-audit.test.js     # 6 tests
 │       ├── matching-incremental.test.js    # 5 tests
+│       ├── webrtc-api.test.js              # 9 tests (Cloudflare TURN)
 │       └── socket.test.js                  # 12 tests
 └── docs/
     ├── SESSION_CONTEXT.md   # This file - quick context