docs: consolidate all manuals into the Gitea wiki — repo keeps README only
Unit Tests / test (push) Successful in 10m29s

QUICKSTART, the monolithic project-wiki file, the API documentation, the
service developer guide, and the webui README had drifted badly out of
date (localhost-only auth, DHCP, v1 connectivity fwmarks, unsupported
DDNS providers, "HTTP dispatch not implemented") while the four-persona
Gitea wiki is current and maintained. Their still-accurate content now
lives in the wiki (incl. the new Dev-Service-Manifest-Reference page),
so the repo keeps a single README pointing there. README refreshed:
Connectivity v2 named instances, signed store images, audit log, backup
encryption, real provider list, current UI pages, dead LICENSE link
removed.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-11 14:26:48 -04:00
parent 2ab3d2d5ac
commit 4b3d695805
6 changed files with 14 additions and 2949 deletions
+14 -6
@@ -25,7 +25,7 @@ The Flask API (`api/app.py`) contains REST endpoints and a background health-mon
The React frontend (`webui/`) is built with Vite + Tailwind CSS. All API calls go through `src/services/api.js` (Axios).
**Web UI pages:** Dashboard, Peers, Network Services, WireGuard, Email, Calendar, Files, Routing, Vault, Containers, Cell Network, Connectivity, Service Store, Logs, Settings.
**Web UI pages:** Dashboard, Peers, Network Services, WireGuard, Connectivity (tunnels, proxies, SSH, Tor, cells, assignments), Services (store catalog + per-service pages), Routing, Vault, Containers, Activity, Logs, Settings — plus peer-facing My Services and Account pages.
---
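Review bot: The new page list drops Email, Calendar and Files as top-level UI pages, but the unchanged Cell-to-cell networking bullet further down still describes service-level access control in terms of "calendar, files, mail, WebDAV"; if those are now store services reached through the Services pages, that bullet should say so (or name the store services) so the two sections agree. Minor: the line mixes admin and peer-facing pages; putting "plus peer-facing My Services and Account pages" on its own line makes it obvious which pages need the admin role described under Session-based auth.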
@@ -35,9 +35,9 @@ The React frontend (`webui/`) is built with Vite + Tailwind CSS. All API calls g
- **Session-based auth** — admin and peer roles. All `/api/*` endpoints require an authenticated session after setup. CSRF protection on all state-changing requests.
- **WireGuard VPN** — peer lifecycle management, automatic key generation, QR code config export, per-peer routing policy.
- **Caddy HTTPS** — automatic TLS via Let's Encrypt (DNS-01 or HTTP-01) or an internal CA, depending on domain mode.
- **DDNS (pic.ngo)** — registers a `<cell-name>.pic.ngo` subdomain. Supported providers: `pic_ngo`, `cloudflare`, `duckdns`, `noip`, `freedns`. A background thread re-publishes the public IP every 5 minutes.
- **Service store** — install/remove optional third-party services from the `pic-services` index at `git.pic.ngo`. Manifests declare container images, Caddy routes, and iptables rules.
- **Extended connectivity** — per-peer egress routing through alternate exits: WireGuard external, OpenVPN, Tor, sshuttle (SSH tunnel), or proxy (HTTP/SOCKS5 via redsocks). Exit nodes are optional store services. Per-service egress policy is also supported. Routing uses fwmark and `ip rule` in the WireGuard container.
- **DDNS (pic.ngo)** — registers a `<cell-name>.pic.ngo` subdomain. Supported providers: `pic_ngo`, `cloudflare`, `duckdns`. A background thread re-publishes the public IP every 5 minutes.
- **Service store** — install/remove optional third-party services from the `pic-services` index at `git.pic.ngo`. Manifests declare container images, Caddy routes, and iptables rules. Store images are digest-pinned and cosign-signed by the build pipeline; the cell verifies signatures before starting a container (enforced by default).
- **Extended connectivity** — named connection instances per exit type: WireGuard external, OpenVPN, Tor, sshuttle (SSH tunnel), or proxy (HTTP/SOCKS5 via redsocks), plus cell-relay through another cell. Peers are assigned per-peer to a connection with configurable fail-open/fail-closed; per-connection health is tracked. Per-service egress policy is also supported. Routing uses per-instance fwmarks and `ip rule` in the WireGuard container.
- **Cell-to-cell networking** — WireGuard-based site-to-site links between PIC cells with service-level access control (calendar, files, mail, WebDAV) and a peer-sync protocol.
- **Certificate authority** — `vault_manager` issues and revokes TLS certificates for internal services.
- **Network services** — CoreDNS (`.cell` TLD and split-horizon DNS for the cell domain), chrony NTP.
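Review bot: The Extended connectivity line says peers are assigned "with configurable fail-open/fail-closed" but never states the default; for Tor, VPN and proxy exits that is the difference between a peer's traffic stopping and it silently egressing through the cell's normal route when the tunnel is down, so name the default here and link the wiki page where it is set. Same request for the service-store line: "enforced by default" implies verification can be switched off, so say where that switch lives and which signing identity or key the cell trusts when it checks the cosign signature; otherwise "verifies signatures" is not something an admin can confirm from the README. The provider list shrinks to `pic_ngo`, `cloudflare`, `duckdns`; a one-line note on what happens to an existing config that still names `noip` or `freedns` (rejected at setup vs. silently ignored) would save a support question.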
@@ -48,6 +48,8 @@ The React frontend (`webui/`) is built with Vite + Tailwind CSS. All API calls g
- **Container manager** — start/stop/inspect containers, pull images, manage volumes via the Docker SDK.
- **Firewall manager** — iptables rule management (`firewall_manager.py`).
- **Structured logging** — JSON logs with rotation (5 MB / 5 backups per service), log search, and per-service verbosity control.
- **Audit log** — append-only, hash-chained change log of all admin actions, with CSV export and an Activity page in the UI.
- **Backup / restore** — full backup of config, secrets, key material, and live service data volumes, with optional passphrase encryption; ordered restore with automatic runtime reapply.
---
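Review bot: The Backup / restore bullet lists secrets and key material among the backup contents while encryption is "optional"; an unencrypted backup then holds WireGuard private keys and the `vault_manager` CA material in cleartext, so either state the default (encrypted unless opted out) or mark the passphrase as recommended in the same sentence. For the Audit log bullet, "append-only, hash-chained" reads better with one clause on what anchors the chain (for example whether the current head hash is included in the CSV export or stored outside the log), since a chain kept only in the file it protects detects edits in the middle but not removal of the tail.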
@@ -61,9 +63,15 @@ The React frontend (`webui/`) is built with Vite + Tailwind CSS. All API calls g
---
## Documentation
Full documentation lives in the [project wiki](https://git.pic.ngo/roof/pic/wiki) — installation walkthrough, admin guide (setup, domains/TLS, services, connectivity, peers, backup, logging/audit, troubleshooting), user guide, and developer documentation (architecture, API reference, building store services, testing).
---
## Quick Start
See [QUICKSTART.md](QUICKSTART.md) for step-by-step instructions.
See the wiki's [Setup and First Run](https://git.pic.ngo/roof/pic/wiki/Admin-Setup) for step-by-step instructions.
The short version — one-line installer (recommended):
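Review bot: The Quick Start link text reads "Setup and First Run" while the target slug is `Admin-Setup`; confirm the wiki page exists under that name, because a dead link here replaces the in-repo QUICKSTART.md the previous line removed (the Documentation paragraph above links only the wiki root, so there is no fallback). With QUICKSTART.md gone there is also no offline copy of the install steps; keeping "The short version" that follows self-contained (the full command, not a pointer) means the README can still be followed when git.pic.ngo is unreachable.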
@@ -212,4 +220,4 @@ make reset-admin-password # generate and set a new random admin password
## License
MIT — see [LICENSE](LICENSE).
MIT.
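Review bot: Replacing "see [LICENSE](LICENSE)" with a bare "MIT." removes the dead link but not the underlying problem: the MIT license requires the copyright and permission notice to ship with the code, and a one-word README line does not satisfy that. The fix is to add a LICENSE file and restore the link; if the file already exists under another name, point to that instead.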