docs: close out ADR-0001 — installer + FINDINGS + close #43/#51 (Child C — refs #54)

[thinmintdev]

Wave 2, Child C of ADR-0001 — the documentation pass for the auth collapse. No code touched; the entire diff is markdown.

Refs the three-PR sequence:

• Child A — PR feat(auth): password + session cookies, dual cookie/Bearer middleware (ADR-0001 Child A — refs #54) #58 (a405cf7) — FastAPI password auth, /api/auth/login / /logout / /password, session cookie, dual cookie/Bearer middleware.
• Child B — PR feat(install): collapse Caddy to TLS-only, drop PUBLIC_PATHS, add --no-tls (ADR-0001 Child B — refs #54) #59 (635cf5a) — Caddyfile collapsed to ~42 lines (TLS terminator + reverse proxy only), PUBLIC_PATHS frozenset deleted, --auth=basic removed, --no-tls flag added, HAL0_HOSTNAME → HAL0_PUBLIC_HOST and HAL0_HARNESS_AUTH → HAL0_HARNESS_TLS renames, wizard's password-setup step wired.
• Child C — this PR — docs + housekeeping.

What changed, per file

installer/README.md

• Rewrote the ## Authentication section: single FastAPI layer, no edge-auth, password set via dashboard wizard (POST /api/auth/password, public on first run), Bearer tokens for programmatic clients.
• Documented --no-tls — skips Caddy, FastAPI binds 0.0.0.0:8080, reachable at http://<host>:8080/. Note that --dev implies --no-tls.
• Dropped every mention of --auth=basic, HAL0_ADMIN_USER, HAL0_ADMIN_PASSWORD, HAL0_HOSTNAME, HAL0_AUTH_ENABLED, Caddy basic_auth, htpasswd.
• Renamed HAL0_HOSTNAME → HAL0_PUBLIC_HOST in the env-var table.
• Added an Upgrade notes (pre-v1) subsection: existing --auth=basic installs lose edge auth on upgrade; mitigation is set a password in the wizard OR --no-tls and front with your own reverse proxy.
• Acceptance grep clean: git grep -i basic_auth installer/README.md → no hits.

PLAN.md

• §1 "Auth + reverse proxy" rewritten for the single FastAPI layer with an explicit Trust posture paragraph: open on the LAN by default, password auth opt-in via wizard, Bearer tokens unchanged from Enforce write scope across admin routers (require_writer split) #29.
• §10 (harness flags) renamed HAL0_HARNESS_AUTH → HAL0_HARNESS_TLS to match what scripts/harness.sh and installer-test.sh actually read.
• No remaining PUBLIC_PATHS mentions; remaining edge auth mentions are descriptive (referencing the ADR / describing what Caddy no longer does).

docs/api-errors.md

• Added a brief note in the 401 section linking to ADR-0001 / PR feat(auth): password + session cookies, dual cookie/Bearer middleware (ADR-0001 Child A — refs #54) #58 and naming the new endpoints (/api/auth/login, /api/auth/logout, /api/auth/password). Envelope shapes themselves are unchanged — this is just a pointer.

tests/harness/FINDINGS.md

• §10 (Caddy basic_auth swallows PUBLIC_PATHS — the Caddy basic_auth swallows PUBLIC_PATHS allowlist — first-run wizard unbootstrappable #28 critical bug): leads with FIXED BY ARCHITECTURE REMOVAL (ADR-0001). Original report preserved verbatim below the note.
• §16 (basic_auth password unrecoverable post-install — source of [HITL] Pick a basic_auth credential capture story #43): same treatment. Notes that credential capture moved into the wizard.
• §21 (/api/metrics/prometheus orphan in PUBLIC_PATHS): same treatment. PUBLIC_PATHS itself is gone, so the allowlist-vs-route drift cannot recur.
• "What the harness didn't try" + "How to re-run" sections updated for HAL0_HARNESS_TLS.

README.md (repo root)

• "Auth posture" subsection brought in line with the new model. Not in the spec's target list, but it was stale after Child B and would have contradicted installer/README.md. Small consistency fix.

tests/harness/README.md

• Opt-in flags table + status vocabulary updated for HAL0_HARNESS_TLS. Same rationale as README.md: the old HAL0_HARNESS_AUTH knob doesn't exist in the scripts anymore, so the doc was wrong.

Acceptance checks

$ git grep -i basic_auth installer/README.md          # → no output (exit 1)
$ git grep -n PUBLIC_PATHS docs/ installer/ PLAN.md   # → only the ADR + a code comment in install.sh
$ grep '^## 10\.' tests/harness/FINDINGS.md
## 10. Caddy basic_auth swallows the PUBLIC_PATHS allowlist — **critical / bug** · ✅ FIXED BY ARCHITECTURE REMOVAL (ADR-0001)

The ADR (docs/adr/0001-...md) mentions PUBLIC_PATHS / --auth=basic / basicauth by design — it's the historical decision record. The spec explicitly says "Do NOT alter the ADR itself." Similarly, installer/install.sh:333 is a code comment outside this PR's scope.

Issue housekeeping

After this PR merges, the following issues get closed with explanatory comments naming which PR did what:

• [HITL] Pick a basic_auth credential capture story #43 (HITL — basic_auth credential capture story): closed by ADR-0001 + PRs feat(auth): password + session cookies, dual cookie/Bearer middleware (ADR-0001 Child A — refs #54) #58/feat(install): collapse Caddy to TLS-only, drop PUBLIC_PATHS, add --no-tls (ADR-0001 Child B — refs #54) #59 — credential capture is a wizard form, not an installer prompt.
• PUBLIC_PATHS duplicated in Python + Caddyfile — needs single source of truth #51 (PUBLIC_PATHS duplicated in Python + Caddyfile): closed by ADR-0001 + PR feat(install): collapse Caddy to TLS-only, drop PUBLIC_PATHS, add --no-tls (ADR-0001 Child B — refs #54) #59 — duplication eliminated because PUBLIC_PATHS is deleted.
• [ADR-0001] Collapse edge auth into FastAPI — parent #54 (parent): closed with a summary linking all three child PRs.

This PR body includes the GH-semantics closes #43 / closes #51 markers as a fallback; the manual close-with-comment is the preferred path (it adds the explanatory text).

CI / billing note

Hal0ai org Actions are billing-blocked — CI on this PR fails in ~2s with no logs. Since this is a docs-only PR, the broken CI is not a risk. User will admin-merge.