Update PoliticTalk Jitsi room policy

templates/auth-roadmap.md

@@ -5,7 +5,7 @@ These notes are intentionally not deployed yet. They describe the local files an
 ## Target Flow
 
 ```text
-PgPlatform calendar event
+PgPlatform PoliticTalk event
   -> PgPlatform PoliticTalk prejoin page
   -> PgApi verifies logged-in user, event ownership/invite/access, and event time window
   -> PgApi returns a short-lived Jitsi JWT
@@ -13,21 +13,22 @@ PgPlatform calendar event
   -> Jitsi VPS validates JWT through Prosody token auth
 ```
 
-## Local Files To Add Later
+## Local Files
 
 ```text
 jitsi/templates/prosody-token-auth.cfg.lua.example
-jitsi/templates/jicofo-token-auth.conf.example
-jitsi/templates/jitsi-token-auth.env.example
+jitsi/templates/pgapi-politictalk-jwt.env.example
 ```
 
 Only templates should be committed. Real JWT secrets must stay in VPS-only files.
 
 ## Platform Changes To Add Later
 
-- PgApi endpoint to issue Jitsi JWTs for valid PoliticTalk event access.
+- PgApi `join-link` issues Jitsi JWTs when token-auth env values are present.
 - JWT claims for room, user display name, email/id, moderator flag, expiry, and feature permissions.
-- PgPlatform prejoin route that shows event title and immutable platform user name.
+- PgPlatform prejoin route shows event title and immutable platform user name.
 - PgPlatform embedded Jitsi room using the IFrame API.
+- Participants must wait on the PgPlatform prejoin page until the host starts the room.
+- Jitsi auto-owner must be disabled once JWT auth is enabled so moderator status comes only from PgApi JWT claims.
 - Moderator-only controls for audio moderation and poll permissions.
 - Event end-time enforcement through JWT expiry and/or iframe hangup.

templates/pgapi-politictalk-jwt.env.example

@@ -0,0 +1,10 @@
+# Add these to pgapi/.env only when the Jitsi VPS has token auth enabled.
+# The app id and secret must match the Prosody token-auth config on the VPS.
+
+POLITICTALK_MEETING_BASE_URL=https://politictalk.parallelglobe.io
+POLITICTALK_JITSI_JWT_APP_ID=politictalk
+POLITICTALK_JITSI_JWT_APP_SECRET=replace-with-a-long-random-secret
+POLITICTALK_JITSI_JWT_AUDIENCE=jitsi
+POLITICTALK_JITSI_JWT_SUBJECT=politictalk.parallelglobe.io
+POLITICTALK_JITSI_JWT_TTL_SECONDS=21600
+POLITICTALK_JITSI_LIFECYCLE_SECRET=replace-with-a-second-long-random-secret

templates/prosody-token-auth.cfg.lua.example

@@ -0,0 +1,35 @@
+-- Reference snippet for the PoliticTalk VPS.
+-- Apply this manually inside:
+-- /etc/prosody/conf.avail/politictalk.parallelglobe.io.cfg.lua
+--
+-- Do not commit real app secrets. The app_id/app_secret values must match
+-- POLITICTALK_JITSI_JWT_APP_ID and POLITICTALK_JITSI_JWT_APP_SECRET in PgApi.
+
+VirtualHost "politictalk.parallelglobe.io"
+    authentication = "token"
+    app_id = "POLITICTALK_JITSI_JWT_APP_ID"
+    app_secret = "POLITICTALK_JITSI_JWT_APP_SECRET"
+    allow_empty_token = false
+    enable_domain_verification = false
+
+Component "conference.politictalk.parallelglobe.io" "muc"
+    politictalk_room_inactive_callback_url = "https://api.parallelglobe.is/events/politictalk/jitsi/room-inactive"
+    politictalk_room_inactive_callback_secret = "POLITICTALK_JITSI_LIFECYCLE_SECRET"
+
+    modules_enabled = {
+        -- keep the existing modules already present in the VPS file
+        "token_verification";
+        "politictalk_roles";
+    }
+
+-- Also set the equivalent Jicofo options so only PgApi JWT moderator
+-- claims can create room moderators:
+--
+-- /etc/jitsi/jicofo/jicofo.conf
+--
+-- jicofo {
+--   conference {
+--     enable-auto-owner = false
+--     enable-moderator-checks = true
+--   }
+-- }