settings site changes

settings-site/CLAUDE.md

@@ -24,7 +24,7 @@ The settings site is a thin HTTPS-oriented proxy in front of the bot's internal
 browser ──► settings server.js (:SETTINGS_PORT, default 12752)
             │  session auth (SETTINGS_ADMIN_PASSWORD)
             ▼
-            bot internalApp (127.0.0.1:INTERNAL_API_PORT, default 12753)
+            bot internalApp (broccoli-net only, INTERNAL_API_PORT, default 12753)
             │  header auth (x-internal-secret = INTERNAL_API_SECRET)
             ▼
             routes/internalApi.js in /opt/broccolini-bot
@@ -48,6 +48,9 @@ browser ──► settings server.js (:SETTINGS_PORT, default 12752)
 
 Every response-shape change in the bot's `/internal/*` handlers (`routes/internalApi.js`) is a breaking change here. The bot also gates `POST /internal/config` on an `ALLOWED_CONFIG_KEYS` allowlist — **adding a new field to the UI requires adding the key to that Set in the bot first**, otherwise the save returns 400 for that key.
 
+### Second admin password
+`server.js` accepts an optional `SETTINGS_ADMIN_PASSWORD_2`. If set, the `/login` handler grants the same session for either password; no audit distinction between them. The primary `SETTINGS_ADMIN_PASSWORD` is still required at startup — only the second is optional. Both are redacted by the bot's `GET /internal/config` response.
+
 ### Session cookie requires HTTPS
 `server.js:20-26` sets `cookie.secure: true`. Browsers will refuse to persist the session cookie over plain HTTP, so login silently fails when not behind an HTTPS reverse proxy (`SETTINGS_DOMAIN` is the deployed domain). If you're reproducing a login bug, check this first before debugging auth logic. The `session secret` falls back to `'fallback-secret-change-me'` when `INTERNAL_API_SECRET` is unset — don't rely on the fallback in any environment that matters.