docs: update for Helm chart and telemetry changes

Add Kubernetes/Helm deployment section to DEPLOYMENT.md, telemetry
environment variables to CONFIGURATION.md, telemetry privacy details
to SECURITY.md, telemetry bullet to README quick start, and fix Go
version from 1.24 to 1.25 in docs/README.md.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

README.md

@@ -76,6 +76,7 @@ The setup wizard handles everything interactively:
 - Admin account creation
 - SMTP configuration (optional)
 - Domain and reverse proxy setup (Caddy, nginx, Apache, HAProxy, Traefik)
+- Optional anonymous telemetry (opt-in, disabled by default)
 - OpenBao (KMS) bootstrap
 - Docker image builds
 - Stack startup and health checks

docs/CONFIGURATION.md

@@ -102,6 +102,13 @@ OpenBao is the key management service used to encrypt device credentials on a pe
 | `SSH_MAX_PER_USER` | `10` | Maximum SSH sessions per user |
 | `SSH_MAX_PER_DEVICE` | `20` | Maximum SSH sessions per device |
 
+### Telemetry
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `TELEMETRY_ENABLED` | `false` | Enable anonymous diagnostics. Set during `setup.py` or manually in `.env.prod`. |
+| `TELEMETRY_COLLECTOR_URL` | `https://telemetry.theotherdude.net` | Telemetry collector endpoint. Only used when `TELEMETRY_ENABLED=true`. |
+
 ### Bootstrap
 
 | Variable | Default | Description |

docs/DEPLOYMENT.md

@@ -173,6 +173,86 @@ The backend serves interactive API documentation at:
 
 All endpoints include descriptions, request/response schemas, and authentication requirements.
 
+## Kubernetes (Helm)
+
+TOD includes a Helm chart for Kubernetes deployment at `infrastructure/helm/`.
+
+### Prerequisites
+
+- Kubernetes 1.28+
+- Helm 3
+- A StorageClass that supports ReadWriteOnce PersistentVolumeClaims
+
+### Install
+
+1. Create a values override file with your configuration:
+   ```bash
+   cp infrastructure/helm/values.yaml my-values.yaml
+   # Edit my-values.yaml — at minimum set:
+   #   secrets.jwtSecretKey, secrets.credentialEncryptionKey,
+   #   secrets.dbPassword, secrets.dbAppPassword, secrets.dbPollerPassword,
+   #   secrets.firstAdminPassword, ingress.host
+   ```
+
+2. Install the chart:
+   ```bash
+   helm install tod infrastructure/helm -f my-values.yaml -n tod --create-namespace
+   ```
+
+3. Initialize OpenBao (first time only):
+   ```bash
+   # Wait for the pod to start
+   kubectl get pods -n tod -l app.kubernetes.io/component=openbao
+
+   # Initialize
+   kubectl exec -it -n tod tod-openbao-0 -- bao operator init -key-shares=1 -key-threshold=1
+
+   # Save the unseal key and root token, then unseal
+   kubectl exec -it -n tod tod-openbao-0 -- bao operator unseal <UNSEAL_KEY>
+
+   # Update release with the token
+   helm upgrade tod infrastructure/helm -f my-values.yaml \
+     --set secrets.openbaoToken=<ROOT_TOKEN> \
+     --set secrets.baoUnsealKey=<UNSEAL_KEY> \
+     -n tod
+   ```
+
+4. Verify:
+   ```bash
+   kubectl get pods -n tod
+   kubectl port-forward -n tod svc/tod-api 8000:8000
+   curl http://localhost:8000/health
+   ```
+
+### Services
+
+The Helm chart deploys:
+
+| Service | Type | Purpose |
+|---------|------|---------|
+| PostgreSQL (TimescaleDB) | StatefulSet | Primary database |
+| Redis | Deployment | Cache |
+| NATS JetStream | StatefulSet | Message queue |
+| OpenBao | StatefulSet | Secrets management |
+| API | Deployment | FastAPI backend |
+| Frontend | Deployment | React SPA (nginx) |
+| Poller | Deployment | Go device poller |
+| WireGuard | Deployment | VPN gateway |
+
+### Configuration
+
+All configuration is in `values.yaml`. See `infrastructure/helm/values.yaml` for the full reference with comments. Key sections:
+
+- `secrets.*` -- All secrets (must be overridden in production)
+- `api.env.*` -- API environment settings
+- `poller.env.*` -- Poller settings
+- `ingress.*` -- Ingress routing and TLS
+- `wireguard.*` -- VPN configuration (can be disabled with `wireguard.enabled: false`)
+
+### Note on OpenBao
+
+OpenBao must be manually unsealed after every pod restart. Auto-unseal is a planned future enhancement.
+
 ## Monitoring (Optional)
 
 Enable Prometheus and Grafana monitoring with the observability compose overlay:

docs/README.md

@@ -127,7 +127,7 @@ The Other Dude is a self-hosted, multi-tenant platform (one installation serves
 |-------|-----------|
 | Frontend | React 19, TanStack Router + Query, Tailwind CSS 3.4, Vite, Framer Motion |
 | Backend | Python 3.12, FastAPI 0.115, SQLAlchemy 2.0 async, asyncpg, Pydantic v2 |
-| Poller | Go 1.24, go-routeros/v3, pgx/v5, nats.go |
+| Poller | Go 1.25, go-routeros/v3, pgx/v5, nats.go |
 | Database | PostgreSQL 17 + TimescaleDB 2.17, Row-Level Security |
 | Cache | Redis 7 |
 | Message Bus | NATS with JetStream |

docs/SECURITY.md

@@ -114,6 +114,11 @@ TOD includes on-demand WinBox tunnels and browser-based SSH terminals for device
   - RouterOS firmware update checks (no device data sent)
   - SMTP for email notifications (if configured)
   - Webhooks for alerts (if configured)
+  - Anonymous telemetry (if opted in -- see below)
+
+### Telemetry
+
+Telemetry is strictly opt-in. During `setup.py`, you are asked whether to enable anonymous diagnostics; it can also be toggled at any time by setting `TELEMETRY_ENABLED=false` in `.env.prod`. When enabled, TOD reports only operational metadata: setup step pass/fail status, step duration, OS, architecture, Python version, Docker version, and RAM (rounded). No IP addresses, hostnames, passwords, configuration contents, device data, or personally identifiable information (PII) is ever collected. The collector endpoint is configurable via `TELEMETRY_COLLECTOR_URL`.
 
 ## Security Headers