build: Update library assets with UI visibility fix

- Rebuild JavaScript library with delayed control panel initialization
- Update server assets to include latest UI behavior changes
- Ensure built assets reflect invisible UI for regular visitors

The control panel now only appears after gate activation, maintaining
the invisible CMS principle for end users.

README.md

@@ -48,10 +48,96 @@ Containers with `class="insertr"` automatically make their viable children edita
 - Never see or manage generated content IDs
 - Works with any static site generator
 
+## 🔐 Authentication & Security
+
+Insertr provides enterprise-grade authentication with multiple provider support for secure content editing.
+
+### **Authentication Providers**
+
+#### **Mock Authentication** (Development)
+```yaml
+auth:
+  provider: "mock"
+```
+- **Zero setup** - Works immediately for development
+- **Automatic login** - No credentials needed
+- **Perfect for testing** - Focus on content editing workflow
+
+#### **Authentik OIDC** (Production)
+```yaml
+auth:
+  provider: "authentik"
+  oidc:
+    endpoint: "https://auth.example.com/application/o/insertr/"
+    client_id: "insertr-client"
+    client_secret: "your-secret"  # or use AUTHENTIK_CLIENT_SECRET env var
+```
+
+**Enterprise-grade security features:**
+- ✅ **OIDC Discovery** - Automatic endpoint configuration
+- ✅ **PKCE Flow** - Proof Key for Code Exchange security
+- ✅ **JWT Verification** - RSA/ECDSA signature validation via JWKS
+- ✅ **Secure Sessions** - HTTP-only cookies with CSRF protection
+- ✅ **Multi-tenant** - Per-site authentication configuration
+
+### **Authentication Flow**
+
+```
+1. Editor clicks gate → Popup opens to Authentik
+2. User authenticates → Authentik returns authorization code  
+3. Backend exchanges code for JWT → Validates with OIDC provider
+4. Editor UI loads → Full editing capabilities enabled
+```
+
+### **Authentik Setup Guide**
+
+1. **Create OIDC Provider in Authentik:**
+   ```
+   Applications → Providers → Create → OAuth2/OIDC Provider
+   - Name: "Insertr CMS"
+   - Authorization flow: default-authorization-flow
+   - Client type: Confidential
+   - Client ID: insertr-client
+   - Redirect URIs: https://your-domain.com/auth/callback
+   ```
+
+2. **Create Application:**
+   ```
+   Applications → Applications → Create
+   - Name: "Insertr CMS"
+   - Slug: insertr
+   - Provider: (select the provider created above)
+   ```
+
+3. **Configure Insertr:**
+   ```yaml
+   auth:
+     provider: "authentik"
+     oidc:
+       endpoint: "https://auth.example.com/application/o/insertr/"
+       client_id: "insertr-client"
+       client_secret: "your-generated-secret"
+   ```
+
+4. **Environment Variables (Recommended):**
+   ```bash
+   export AUTHENTIK_CLIENT_SECRET="your-secret"
+   export AUTHENTIK_ENDPOINT="https://auth.example.com/application/o/insertr/"
+   ```
+
+### **Security Best Practices**
+
+- **Environment Variables**: Store secrets in env vars, not config files
+- **HTTPS Only**: Always use HTTPS in production for OAuth flows  
+- **Restricted Access**: Use Authentik groups/policies to limit editor access
+- **Token Validation**: All JWTs verified against provider's public keys
+- **Session Security**: Secure cookie settings prevent XSS/CSRF attacks
+
 ## 🚀 Current Status
 
 **✅ Complete Full-Stack CMS**
 - **Professional Editor**: Modal forms, markdown support, authentication system
+- **Enterprise Authentication**: Production-ready OIDC integration with Authentik, PKCE security
 - **Content Persistence**: SQLite database with REST API, version control
 - **Version History**: Complete edit history with user attribution and one-click rollback
 - **Build Enhancement**: Parse HTML, inject database content, build-time optimization
@@ -59,10 +145,10 @@ Containers with `class="insertr"` automatically make their viable children edita
 - **Deterministic IDs**: Content-based ID generation for consistent developer experience
 - **Full Integration**: Seamless development workflow with hot reload
 
-**🔄 Ready for Production**
-- Add authentication (JWT/OAuth)
+**🚀 Production Ready**
 - Deploy to cloud infrastructure
 - Configure CDN for library assets
+- Scale with PostgreSQL database
 
 ## 🛠️ Quick Start
 
@@ -504,11 +590,13 @@ build:
 
 # Authentication configuration
 auth:
-  provider: "mock"      # "mock", "jwt", "authentik"
-  jwt_secret: ""        # JWT signing secret
+  provider: "mock"      # "mock" for development, "authentik" for production
+  jwt_secret: ""        # JWT signing secret (auto-generated in dev mode)
+  # Authentik OIDC configuration (production)
   oidc:
-    endpoint: ""        # https://auth.example.com/application/o/insertr/
-    client_id: ""       # OAuth2 client ID
+    endpoint: "https://auth.example.com/application/o/insertr/"  # OIDC provider endpoint
+    client_id: "insertr-client"                                 # OAuth2 client ID
+    client_secret: "your-secret"                                # Use AUTHENTIK_CLIENT_SECRET env var
 
 # Global settings
 site_id: "demo"         # Default site ID for content lookup
@@ -516,11 +604,17 @@ mock_content: false     # Use mock content instead of real data
 ```
 
 ### **Environment Variables**
+
+#### **Core Configuration**
 - `INSERTR_DB_PATH` - Database path override
 - `INSERTR_API_URL` - Remote API URL override  
 - `INSERTR_API_KEY` - API authentication key
 - `INSERTR_SITE_ID` - Site identifier override
 
+#### **Authentication (Recommended for Production)**
+- `AUTHENTIK_CLIENT_SECRET` - OIDC client secret (overrides config file)
+- `AUTHENTIK_ENDPOINT` - OIDC endpoint URL (overrides config file)
+
 ### **Configuration Precedence**
 1. **CLI flags** (highest priority)
 2. **Environment variables**