diff --git a/README.md b/README.md index fa1d33d..8f011e1 100644 --- a/README.md +++ b/README.md @@ -40,9 +40,8 @@ library I actually want to watch. ## Live at - -- -Both endpoints are **LAN / tailnet only**. There is no public exposure — if +Endpoint is **LAN / tailnet only**. There is no public exposure — if you're not on the network, you're not getting in. By design. --- diff --git a/docs/00-overview.md b/docs/00-overview.md index 8d2961e..f547f37 100644 --- a/docs/00-overview.md +++ b/docs/00-overview.md @@ -21,7 +21,7 @@ default Jellyfin chrome, names, or logos are reachable by an unprivileged user. | Frontend | Jellyfin web bundle, themed and rebranded as ARRFLIX (web-overrides + NeutralFin/Cineplex CSS) | | Application | `jellyfin/jellyfin:10.10.3` container on nullstone, sibling `jellyfin-dev` for theme work | | Reverse proxy | Traefik with **file-provider** routing (docker-label routing flakes for this container) | -| DNS | Pi-hole internal A record: `arrflix.s8n.ru` and legacy `tv.s8n.ru` → `192.168.0.100` | +| DNS | Pi-hole internal A record: `arrflix.s8n.ru` → `192.168.0.100` | | TLS | Let's Encrypt via DNS-01, Gandi LiveDNS provider | | Storage (media) | RO bind-mount from host `/home/user/media/{movies,tv,…}` → container `/media` | | Storage (state) | Config + cache + metadata under host `/home/docker/jellyfin/` | diff --git a/docs/04-theming-and-users.md b/docs/04-theming-and-users.md index b7d97de..4ae1d00 100644 --- a/docs/04-theming-and-users.md +++ b/docs/04-theming-and-users.md 
@@ -6,16 +6,6 @@ ElegantFin v25.12.31 the same day after a Netflix-fidelity-driven survey. Scope: visual theme, server-side branding, multi-user UX prep, SyncPlay, maintenance/revert. LAN-only constraints preserved (no public-facing changes). -> Hostname note: this site is being renamed `tv.s8n.ru` → `arrflix.s8n.ru` -> in the same session. The Jellyfin API endpoints don't care about -> hostname — they're served by the same container. All `curl` examples -> below are reachable as either `https://tv.s8n.ru/...` (legacy) or -> `https://arrflix.s8n.ru/...` (new), as long as Traefik has a SNI cert -> for the name. Internal pin: both names should resolve to `192.168.0.100` -> If a -> hostname's DNS or cert isn't up yet, use -> `--resolve tv.s8n.ru:443:192.168.0.100` on curl — that's how this -> re-theming was applied while `arrflix.s8n.ru` was still missing a cert. --- 
@@ -133,21 +123,21 @@ TOKEN= cat > /tmp/branding.json <<'EOF' { - "LoginDisclaimer": "Welcome to tv.s8n.ru — LAN-only. Be kind, rewind.", + "LoginDisclaimer": "Welcome to arrflix.s8n.ru — LAN-only. Be kind, rewind.", "CustomCss": "/* Cineplex v1.0.6 — Netflix-faithful theme by MRunkehl, pinned tag (immutable on jsDelivr) */\n/* Compat: Jellyfin 10.10.7+ ; we run 10.10.3 — verified rendering 2026-05-08 */\n@import url(\"https://cdn.jsdelivr.net/gh/MRunkehl/cineplex@v1.0.6/cineplex.css\");\n\n/* Hide Cast & Crew + Guest Stars sections globally (preserved 2026-05-08) */\n#castCollapsible, #guestCastCollapsible { display: none !important; }\n", "SplashscreenEnabled": true } EOF # Note: arrflix.s8n.ru didn't have a Traefik SNI cert at apply-time, so -# we sent the request to the legacy SNI tv.s8n.ru and pinned its address +# we sent the request to the legacy SNI arrflix.s8n.ru and pinned its address # with --resolve. Either form is fine once both names have certs. -curl -sS --resolve tv.s8n.ru:443:192.168.0.100 \ +curl -sS --resolve arrflix.s8n.ru:443:192.168.0.100 \ -X POST \ -H "X-Emby-Token: $TOKEN" \ -H "Content-Type: application/json" \ --data-binary @/tmp/branding.json \ - https://tv.s8n.ru/System/Configuration/branding + https://arrflix.s8n.ru/System/Configuration/branding # expect: HTTP 204 (got HTTP 204 — applied) ``` 
@@ -155,15 +145,15 @@ curl -sS --resolve tv.s8n.ru:443:192.168.0.100 \ ```bash # 1. Admin endpoint — confirms the new CustomCss is stored. -curl -sS --resolve tv.s8n.ru:443:192.168.0.100 \ +curl -sS --resolve arrflix.s8n.ru:443:192.168.0.100 \ -H "X-Emby-Token: $TOKEN" \ - https://tv.s8n.ru/System/Configuration/branding | python3 -m json.tool + https://arrflix.s8n.ru/System/Configuration/branding | python3 -m json.tool # Result: HTTP 200, contains the Cineplex @import + cast/crew hide rule. # 2. Anonymous endpoint the SPA reads at runtime — confirms what every # browser will pull before login. -curl -sS --resolve tv.s8n.ru:443:192.168.0.100 \ - https://tv.s8n.ru/Branding/Configuration | python3 -m json.tool +curl -sS --resolve arrflix.s8n.ru:443:192.168.0.100 \ + https://arrflix.s8n.ru/Branding/Configuration | python3 -m json.tool # Result: HTTP 200, identical CustomCss to admin endpoint. ✓ # 3. The CSS asset itself on jsDelivr (sanity-check the network path). @@ -172,7 +162,7 @@ curl -sSI "https://cdn.jsdelivr.net/gh/MRunkehl/cineplex@v1.0.6/cineplex.css" | # cache-control: public, max-age=31536000, immutable. ✓ # 4. SPA shell still routes (nav not broken). -curl -sSI --resolve tv.s8n.ru:443:192.168.0.100 https://tv.s8n.ru/ | head -1 +curl -sSI --resolve arrflix.s8n.ru:443:192.168.0.100 https://arrflix.s8n.ru/ | head -1 # Result: HTTP/2 302 → /web/. ✓ ``` @@ -180,7 +170,7 @@ curl -sSI --resolve tv.s8n.ru:443:192.168.0.100 https://tv.s8n.ru/ | head -1 by the JS bundle from `/Branding/Configuration`, not inlined into `index.html`. So `curl /` won't grep-match. The valid JSON at `/Branding/Configuration` is the API-level confirmation. Final visual -check is a hard browser reload (Ctrl-Shift-R) on `https://tv.s8n.ru` +check is a hard browser reload (Ctrl-Shift-R) on `https://arrflix.s8n.ru` (or `https://arrflix.s8n.ru` once its cert is up) from the LAN — owner will do this. 
@@ -770,11 +760,11 @@ no surprise breakage. To opt into upstream changes: ```bash # Move from immutable tag to floating @main (pulls future commits; # jsDelivr cache TTL is up to 7d for floating refs). -curl -sS --resolve tv.s8n.ru:443:192.168.0.100 \ +curl -sS --resolve arrflix.s8n.ru:443:192.168.0.100 \ -X POST -H "X-Emby-Token: $TOKEN" \ -H "Content-Type: application/json" \ - -d '{"CustomCss": "@import url(\"https://cdn.jsdelivr.net/gh/MRunkehl/cineplex@main/cineplex.css\");\n#castCollapsible, #guestCastCollapsible { display: none !important; }", "LoginDisclaimer": "Welcome to tv.s8n.ru — LAN-only. Be kind, rewind.", "SplashscreenEnabled": true}' \ - https://tv.s8n.ru/System/Configuration/branding + -d '{"CustomCss": "@import url(\"https://cdn.jsdelivr.net/gh/MRunkehl/cineplex@main/cineplex.css\");\n#castCollapsible, #guestCastCollapsible { display: none !important; }", "LoginDisclaimer": "Welcome to arrflix.s8n.ru — LAN-only. Be kind, rewind.", "SplashscreenEnabled": true}' \ + https://arrflix.s8n.ru/System/Configuration/branding ``` Or just ask each user to hard-reload — their browser cache is the common 
@@ -793,16 +783,16 @@ Replace the `@import` line: ```bash # Back to ElegantFin (Jellyseerr-style): -curl -sS --resolve tv.s8n.ru:443:192.168.0.100 \ +curl -sS --resolve arrflix.s8n.ru:443:192.168.0.100 \ -X POST -H "X-Emby-Token: $TOKEN" -H "Content-Type: application/json" \ - -d '{"CustomCss": "@import url(\"https://cdn.jsdelivr.net/gh/lscambo13/ElegantFin@v25.12.31/Theme/ElegantFin-jellyfin-theme-build-latest-minified.css\");\n#castCollapsible, #guestCastCollapsible { display: none !important; }", "LoginDisclaimer": "Welcome to tv.s8n.ru — LAN-only. Be kind, rewind.", "SplashscreenEnabled": true}' \ - https://tv.s8n.ru/System/Configuration/branding + -d '{"CustomCss": "@import url(\"https://cdn.jsdelivr.net/gh/lscambo13/ElegantFin@v25.12.31/Theme/ElegantFin-jellyfin-theme-build-latest-minified.css\");\n#castCollapsible, #guestCastCollapsible { display: none !important; }", "LoginDisclaimer": "Welcome to arrflix.s8n.ru — LAN-only. Be kind, rewind.", "SplashscreenEnabled": true}' \ + https://arrflix.s8n.ru/System/Configuration/branding # To vanilla Jellyfin (clear everything): -curl -sS --resolve tv.s8n.ru:443:192.168.0.100 \ +curl -sS --resolve arrflix.s8n.ru:443:192.168.0.100 \ -X POST -H "X-Emby-Token: $TOKEN" -H "Content-Type: application/json" \ -d '{"CustomCss": "", "LoginDisclaimer": "", "SplashscreenEnabled": false}' \ - https://tv.s8n.ru/System/Configuration/branding + https://arrflix.s8n.ru/System/Configuration/branding ``` Or in the UI: Dashboard → General → edit / clear "Custom CSS code" → 
@@ -852,9 +842,9 @@ When the friend gets their account, walk them through this **once**: General → Quick Connect). - [ ] Configure SMTP for self-serve password reset (currently admin-only). - [ ] Get Traefik to issue a SNI cert for `arrflix.s8n.ru` so the curl - examples don't need `--resolve tv.s8n.ru:443:192.168.0.100`. Until + examples don't need `--resolve arrflix.s8n.ru:443:192.168.0.100`. Until then, both names point to the same backend on `192.168.0.100` but - only `tv.s8n.ru` has a valid cert. + only `arrflix.s8n.ru` has a valid cert. - [ ] Watch [Cineplex commits](https://github.com/MRunkehl/cineplex/commits/main) monthly; if a `v1.0.7` lands and looks safe, bump the pin. - [ ] Add a 2nd library (movies are mounted but the server may have an
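Review bot: In README.md, hunk @@ -40,9 +40,8 @@, the new sentence "Endpoint is **LAN / tailnet only**." reads as a fragment now that the plural subject is gone. Suggest "The endpoint is **LAN / tailnet only**." so it still flows into "There is no public exposure".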
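Review bot: In docs/00-overview.md, hunk @@ -21,7 +21,7 @@, the DNS row drops `tv.s8n.ru`, but nothing in the patch says whether the Pi-hole A record for that name was removed or is being kept. The table describes live state, so either confirm the record is gone or note in the row that the legacy name is retired, so the doc and the resolver agree.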
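Review bot: In docs/04-theming-and-users.md, hunk @@ -6,16 +6,6 @@ deletes the only explanation of why the examples pass `--resolve`, yet every curl command later in this patch still carries `--resolve arrflix.s8n.ru:443:192.168.0.100`. Keep a one-line note that the flag pins the name to the LAN address, or drop the flag from the examples if the Pi-hole record in docs/00-overview.md already resolves the name to `192.168.0.100`.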
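Review bot: In docs/04-theming-and-users.md, hunk @@ -133,21 +123,21 @@, the shell comment above the curl call contradicts itself after the rename: it says `arrflix.s8n.ru` had no Traefik SNI cert at apply-time and then that the request went to "the legacy SNI arrflix.s8n.ru". This looks like a blanket search-and-replace hitting a historical note. Either leave the comment as a record of what was actually run (the request went via `tv.s8n.ru`) or delete it together with "Either form is fine once both names have certs", which no longer applies with a single name.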
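Review bot: In docs/04-theming-and-users.md, hunk @@ -180,7 +170,7 @@, the changed line plus the unchanged line after it now read "hard browser reload (Ctrl-Shift-R) on `https://arrflix.s8n.ru` (or `https://arrflix.s8n.ru` once its cert is up)". The parenthetical repeats the same URL and still implies the cert is missing; remove the parenthetical in this hunk as well.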
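Review bot: In docs/04-theming-and-users.md, hunk @@ -852,9 +842,9 @@, the TODO item is now self-contradictory: it asks Traefik to issue a SNI cert for `arrflix.s8n.ru` and then states "only `arrflix.s8n.ru` has a valid cert", while "both names point to the same backend" refers to a second name that the rest of the patch removes. If the cert has been issued, tick or delete the item and remove `--resolve` from the examples; if it has not, keep the original wording for this item until it has.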