feat(app): add MFA and tsdocker release

stories/end-user/EU-004-two-factor-auth.md

@@ -2,26 +2,26 @@
 
 **ID:** EU-004
 **Priority:** High
-**Status:** Planned
+**Status:** Implemented
 
 ## User Story
 As an end user, I want to enable two-factor authentication on my account so that my account is protected even if my password is compromised.
 
 ## Acceptance Criteria
-- [ ] User can enable 2FA from account settings
-- [ ] Support for TOTP apps (Google Authenticator, Authy, etc.)
-- [ ] Backup codes are generated and shown once during setup
-- [ ] User must verify 2FA code during setup to confirm it works
-- [ ] Login flow prompts for 2FA code when enabled
-- [ ] User can disable 2FA (requires current 2FA code)
-- [ ] Account recovery option if 2FA device is lost
+- [x] User can enable 2FA from account settings
+- [x] Support for TOTP apps (Google Authenticator, Authy, etc.)
+- [x] Backup codes are generated and shown once during setup
+- [x] User must verify 2FA code during setup to confirm it works
+- [x] Login flow prompts for 2FA code when enabled
+- [x] User can disable 2FA (requires current 2FA code)
+- [x] Account recovery option if 2FA device is lost via one-time backup codes
 
 ## Technical Notes
-- Mobile verification infrastructure exists (SMS OTP in registration)
-- Can leverage existing `smarttwilio` integration for SMS-based 2FA
-- TOTP implementation needs `otplib` or similar library
-- Store encrypted TOTP secret in User model
-- Consider supporting multiple 2FA methods (TOTP, SMS, security keys)
+- TOTP is implemented with `otplib`.
+- TOTP secrets are stored encrypted in dedicated credential records, not on the User model.
+- Backup codes are stored as hashes and consumed once.
+- WebAuthn passkeys are supported for passwordless login and MFA step-up.
+- SMS OTP remains registration-only and is not a default login factor.
 
 ## Related TODOs
-- New feature - no existing TODO
+- Consider adding explicit recovery admin workflows beyond backup codes.