Update PoliticTalk Jitsi room policy

README.md

@@ -17,8 +17,11 @@ jitsi/
   assets/
     public/politictalk/
       branding.json
+      favicon.ico
       pgLogo.svg
       pg_bg.png
+  interface_config/
+    politictalk-overrides.js
   local/
     README.md
     custom-config.js
@@ -26,6 +29,8 @@ jitsi/
     docker-compose.override.yml
   nginx/
     politictalk.parallelglobe.io.conf
+  prosody-plugins/
+    mod_politictalk_roles.lua
   scripts/
     deploy-vps.sh
     local-jitsi-setup.sh
@@ -33,20 +38,28 @@ jitsi/
     local-jitsi-stop.sh
     local-jitsi-sync.sh
   templates/
+  web/
+    plugin.head.html
+    title.html
 ```
 
 ## Current Meeting Policy
 
 - Meetings start in audio-only mode.
 - Participants join with microphone muted.
+- Participants cannot unmute themselves until a host allows them through Jitsi AV moderation.
 - Participants join with camera off.
-- Camera/prejoin camera controls are hidden.
+- Jitsi prejoin is disabled because PgPlatform owns the PoliticTalk prejoin/auth step.
+- Camera/premeeting camera controls are hidden.
 - Toolbar is limited to microphone, chat, raise hand, fullscreen, noise suppression, participants pane, and hangup.
 - Chat and polls are enabled.
 - Invite/share controls are disabled.
 - Room names are not stored in recent rooms.
 - E2EE support is enabled in the Jitsi config.
 - The logo and dynamic branding point to PoliticTalk public assets.
+- Browser title, favicon, Open Graph metadata, and in-meeting watermark/logo use PoliticTalk branding.
+- When JWT auth is enabled, Jitsi auto-owner is disabled so the first entrant cannot become moderator automatically.
+- A custom Prosody module maps PoliticTalk JWT roles to Jitsi moderator/member roles, enables host-controlled AV moderation, and closes the room when the host leaves.
 
 ## Local Docker Testing
 
@@ -91,6 +104,19 @@ jitsi/config/politictalk.parallelglobe.io-config.js
 
 jitsi/assets/public/politictalk/*
   -> /etc/jitsi/meet/public/politictalk/
+  -> /usr/share/jitsi-meet/images/politictalk/
+
+jitsi/web/title.html
+  -> /usr/share/jitsi-meet/title.html
+
+jitsi/web/plugin.head.html
+  -> /usr/share/jitsi-meet/plugin.head.html
+
+jitsi/interface_config/politictalk-overrides.js
+  -> appended to /usr/share/jitsi-meet/interface_config.js
+
+jitsi/prosody-plugins/mod_politictalk_roles.lua
+  -> /usr/share/jitsi-meet/prosody-plugins/mod_politictalk_roles.lua
 
 jitsi/nginx/politictalk.parallelglobe.io.conf
   -> /etc/nginx/sites-available/politictalk.parallelglobe.io.conf
@@ -114,15 +140,33 @@ cd /path/to/pg/jitsi
 sudo DEPLOY_NGINX=1 ./scripts/deploy-vps.sh
 ```
 
-For current `config.js`, branding, and asset changes, an nginx reload is enough. Future JWT/auth changes may require restarting Prosody and Jicofo.
+For current `config.js`, branding, and asset changes, an nginx reload is enough. JWT/auth and Prosody plugin changes require restarting Prosody and Jicofo, and usually Jitsi Videobridge.
 
-## Future Auth Work
+The `politictalk_roles` Prosody module should be configured with the PgApi
+inactive-room callback from `templates/prosody-token-auth.cfg.lua.example`.
+That callback clears the event `meetingCode` when the last host leaves, so
+participants remain on the platform waiting screen instead of reaching a
+blocked Jitsi room.
 
-The future authenticated flow should be:
+## Token Auth Rollout
+
+The authenticated flow is:
 
 ```text
 PgPlatform -> PgApi verifies event/user -> PgApi creates short-lived Jitsi JWT
 -> PgPlatform prejoin/iframe -> Jitsi validates JWT on VPS
 ```
 
+PgApi now supports JWT-backed `join-link` responses when these environment values are set:
+
+```text
+jitsi/templates/pgapi-politictalk-jwt.env.example
+```
+
+The VPS-side Prosody token-auth shape is documented here:
+
+```text
+jitsi/templates/prosody-token-auth.cfg.lua.example
+```
+
 Do not commit real secrets here. JWT secrets, Prosody passwords, and private keys should stay in VPS-only environment/config files.