[ci skip] more suggested improvements

README.md

@@ -86,6 +86,40 @@ Hourly and daily snapshot table retention can be configured in the settings file
 - `settings.hourly_snapshot_max_age_days` (default: 60)
 - `settings.daily_snapshot_max_age_months` (default: 12)
 
+## Runtime Environment Flags
+These flags are read from the process environment (for example via `/etc/default/vctp` on systemd installs):
+
+- `VCTP_ENCRYPTION_KEY`: optional explicit key source for credential encryption/decryption.
+  Recommended for stable behavior across host migrations/rebuilds.
+- `VCTP_ENABLE_EXPERIMENTAL_POSTGRES`: set to `1` to enable experimental PostgreSQL driver startup.
+- `VCTP_ENABLE_LEGACY_API`: set to `1` to re-enable deprecated legacy API endpoints temporarily.
+
+## Credential Encryption Lifecycle
+At startup, vCTP resolves `settings.vcenter_password` using this order:
+
+1. If value starts with `enc:v1:`, decrypt using the active key.
+2. If no prefix, attempt legacy ciphertext decryption (active key, then legacy fallback keys).
+3. If decrypt fails and value length is greater than 2, treat value as plaintext.
+
+When steps 2 or 3 succeed, vCTP rewrites the setting in-place to `enc:v1:<ciphertext>`.
+
+Behavior notes:
+- Plaintext values with length `<= 2` are rejected.
+- Malformed ciphertext is rejected safely (short payloads do not panic).
+- Legacy encrypted values can still be migrated forward automatically.
+
+## Deprecated API Endpoints
+These endpoints are considered legacy and are disabled by default unless `VCTP_ENABLE_LEGACY_API=1`:
+
+- `/api/event/vm/create`
+- `/api/event/vm/modify`
+- `/api/event/vm/move`
+- `/api/event/vm/delete`
+- `/api/cleanup/updates`
+- `/api/cleanup/vcenter`
+
+When disabled, they return HTTP `410 Gone` with JSON error payload.
+
 ## Settings Reference
 All configuration lives under the top-level `settings:` key in `vctp.yml`.
 
@@ -94,7 +128,7 @@ General:
 - `settings.log_output`: log format, `text` or `json`
 
 Database:
-- `settings.database_driver`: `sqlite` or `postgres`
+- `settings.database_driver`: `sqlite` or `postgres` (experimental; requires `VCTP_ENABLE_EXPERIMENTAL_POSTGRES=1`)
 - `settings.database_url`: SQLite file path/DSN or PostgreSQL DSN
 
 HTTP/TLS:
@@ -138,9 +172,9 @@ Filters/chargeback:
 ## Pre-requisite tools
 
 ```shell
-go install github.com/a-h/templ/cmd/templ@latest
-go install github.com/sqlc-dev/sqlc/cmd/sqlc@latest
-go install github.com/swaggo/swag/cmd/swag@latest
+go install github.com/a-h/templ/cmd/templ@v0.3.977
+go install github.com/sqlc-dev/sqlc/cmd/sqlc@v1.29.0
+go install github.com/swaggo/swag/cmd/swag@v1.16.6
 ```
 
 ## Database
@@ -163,6 +197,19 @@ Run `templ generate -path ./components` to generate code based on template files
 ## Documentation
 Run `swag init --exclude "pkg.mod,pkg.build,pkg.tools" -o server/router/docs`
 
+## Tests
+Run the test suite:
+
+```shell
+go test ./...
+```
+
+Recommended static analysis:
+
+```shell
+go vet ./...
+```
+
 ## CI/CD (Drone)
 - `.drone.yml` defines a Docker pipeline:
   - Restore/build caches for Go modules/tools.