Security
- Documented the Umbrel first-run exposure: with the Umbrel reverse-proxy auth disabled (
PROXY_AUTH_ADD: "false"), Oikos's unauthenticated bootstrap endpoint that creates the first admin is reachable by any LAN/Tor client until setup is completed. Added a caveat todeploy/umbrel/docker-compose.ymland the Umbrel README advising owners to finish setup immediately after install.