Branding fixes: triple-logo overlap + Quick Connect disable + index.html override

- Logo override: removed phantom .imgLogoIcon selector + split content/
  background-image per element type (.adminDrawerLogo img uses content:,
  .pageTitleWithLogo uses background-image:). Triple-stack gone.
- Quick Connect: server-disabled via POST /System/Configuration with
  QuickConnectAvailable=false; belt-and-braces .btnQuick CSS hide.
- index.html bind-mount: title=ARRFLIX, application-name=ARRFLIX,
  apple-touch-icon + favicon set to logo data URL, .splashLogo background
  replaces Jellyfin banner with ARRFLIX wordmark. Mounted via compose
  /opt/docker/jellyfin/web-overrides/index.html → /jellyfin/jellyfin-web/.
- Doc 04 updated: §3a logo fix, §4g Quick Connect disabled.
- Compose synced from nullstone (PublishedServerUrl + Host + bind mount).

docker-compose.yml

@@ -24,6 +24,7 @@ services:
       - /home/docker/jellyfin/config:/config
       - /home/docker/jellyfin/cache:/cache
       - /home/user/media:/media:ro
+      - /opt/docker/jellyfin/web-overrides/index.html:/jellyfin/jellyfin-web/index.html:ro
     networks:
       - proxy
     labels:

docs/04-theming-and-users.md

@@ -178,14 +178,59 @@ Jellyfin web caches aggressively in browsers. After applying:
 
 | Field | Value |
 |---|---|
-| `LoginDisclaimer` | "Welcome to tv.s8n.ru — LAN-only. Be kind, rewind." (will swap to arrflix.s8n.ru when the new cert lands) |
-| `CustomCss` | `@import` of **Cineplex v1.0.6** from jsDelivr — pinned tag `@v1.0.6` (immutable). Plus appended cast/crew hide rule. |
+| `LoginDisclaimer` | "Welcome to ARRFLIX - Private invite only service" |
+| `CustomCss` | `@import` of **Cineplex v1.0.6** from jsDelivr — pinned tag `@v1.0.6` (immutable). Plus cast/crew hide rule and the ARRFLIX logo override (split-rule form, see §3a). |
 | `SplashscreenEnabled` | `true` |
 
 `SplashscreenEnabled: true` makes Jellyfin auto-pick a backdrop from the
 library and serve it at `/Branding/Splashscreen`. The web client doesn't
 itself surface this; mobile/TV clients do. Harmless to leave on.
 
+### 3a. ARRFLIX logo override — fix for triple-stacked wordmark (2026-05-08)
+
+Initial override copied Cineplex's three-selector group verbatim and
+combined `content: url(...)` with `background-image: url(...)` on every
+selector. This rendered the ARRFLIX wordmark up to three times on top of
+itself in the header (most visible on the login page). Two root causes,
+verified against the live `/jellyfin/jellyfin-web/` bundle:
+
+1. **`.imgLogoIcon` is a phantom selector.** A grep of every `*.js`,
+   `*.html` and `*.css` asset shipped with Jellyfin 10.10.3 returns zero
+   matches. Cineplex's upstream rule (`imgLogoIcon { content: url(...) }`
+   — note the missing leading dot) is itself a no-op typo. Adding the dot
+   in our override does nothing useful because the class never appears in
+   the DOM; keeping it just bloats the rule.
+2. **`content: url(...)` on a `<div>` renders the image inside the
+   element.** `.pageTitleWithLogo` is a `<div>` (set by `setDefaultTitle`
+   in `73233.*.chunk.js` — see `c.classList.add("pageTitleWithLogo")`).
+   Cineplex deliberately uses `background-image:` on this div and keeps
+   `content:` for `.adminDrawerLogo img` (an `<img>`, where `content:`
+   replaces the source). Our override applied both properties to both
+   selectors, so on the header div the logo painted *as a replaced
+   element* on top of its own *background image* — instant duplication.
+
+Fix: split the rule by element type, drop the phantom selector entirely.
+
+```css
+/* ARRFLIX logo override (replace Cineplex branding) — 2026-05-08
+   (fix: split rules, drop phantom .imgLogoIcon) */
+.adminDrawerLogo img {
+  /* <img> in admin sidebar drawer — content: replaces src */
+  content: url("data:image/png;base64,<...ARRFLIX wordmark...>") !important;
+}
+.pageTitleWithLogo {
+  /* <div> masthead on dashboard + login — bg image only, no content: */
+  background-image: url("data:image/png;base64,<...ARRFLIX wordmark...>") !important;
+}
+```
+
+Verified live (HTTP 204 on POST, then `GET /Branding/Configuration`):
+single ARRFLIX wordmark on login, dashboard header, and admin sidebar.
+Cast/crew hide rule, Cineplex `@import`, `LoginDisclaimer` and
+`SplashscreenEnabled` all preserved unchanged. The bind-mounted
+`/web/index.html` (favicon, `<title>ARRFLIX</title>`, `splashLogo`) was
+not touched — that asset is owned by the index-patcher.
+
 ---
 
 ## 4. Multi-user UX prep
@@ -318,18 +363,54 @@ curl -sS -X POST \
 To clear the password entirely (forces friend to set one on next login):
 same call with `"ResetPassword": true` and no `NewPw`.
 
-### 4g. Easy Pin / quick login
+### 4g. Quick Connect — disabled (2026-05-08)
 
-Jellyfin's built-in equivalent is **Quick Connect**:
+Quick Connect is Jellyfin's 6-digit-code device pairing flow. ARRFLIX is
+private invite-only with a small, known userbase, so we don't need it —
+and the owner doesn't want the "Use Quick Connect" button cluttering the
+login page. Disabled at both the server-config and CSS layers:
 
-- Dashboard → General → "Allow Quick Connect" (server-wide toggle).
-- Friend opens a Jellyfin client (TV app, mobile), taps "Quick Connect" →
-  6-digit code.
-- They enter the code in any already-logged-in browser session under
-  Settings → Quick Connect → Authorize.
+**1. Server-side disable (the canonical fix).** In 10.10.3 there is no
+dedicated `POST /QuickConnect/Disable` endpoint — the flag lives in
+`system.xml` as `QuickConnectAvailable` and is toggled via the system
+config API:
 
-Casual-friendly and avoids them typing passwords on a TV remote. **We
-have not enabled it yet** — flip on when friend account is created.
+```bash
+# Pull current config, flip the flag, push back.
+curl -s -H "Authorization: MediaBrowser Token=\"$TOKEN\"" \
+  https://arrflix.s8n.ru/System/Configuration > /tmp/cfg.json
+jq '.QuickConnectAvailable = false' /tmp/cfg.json > /tmp/cfg.new.json
+curl -s -X POST -H "Authorization: MediaBrowser Token=\"$TOKEN\"" \
+     -H "Content-Type: application/json" \
+     --data-binary @/tmp/cfg.new.json \
+     https://arrflix.s8n.ru/System/Configuration
+# expect: HTTP 204
+
+# Verify
+curl -s -H "Authorization: MediaBrowser Token=\"$TOKEN\"" \
+     https://arrflix.s8n.ru/QuickConnect/Enabled
+# expect: false
+```
+
+**2. CSS hide as belt-and-braces.** The login button in the web bundle
+has class `.btnQuick` (verified in
+`session-login-index-html.c73c6453a153f384f752.chunk.js`). Even with the
+server flag off, older builds have been observed to still render the
+button. Appended to CustomCss:
+
+```css
+/* Hide Quick Connect button on login page (server-side disabled too) */
+.btnQuick { display: none !important; }
+```
+
+Pushed via `POST /System/Configuration/branding` (the `/Branding/...`
+namespace is read-only — write goes through `/System/Configuration/<key>`).
+Cineplex import, cast/crew hide, and ARRFLIX logo override blocks
+preserved untouched.
+
+**Re-enable later (if friend account ever wants it):** set
+`QuickConnectAvailable=true` via the same endpoint, and remove the
+`.btnQuick` rule from CustomCss.
 
 ### 4h. Per-user defaults (profile UI)