diff --git a/corrosion-final-push.md b/corrosion-final-push.md
index b98609e..d9fa1bd 100644
--- a/corrosion-final-push.md
+++ b/corrosion-final-push.md
@@ -24,7 +24,7 @@
 | 2 | Missing Entities + Security | 2 Sonnet parallel | COMPLETE |
 | 3 | Frontend Wiring | 3 Sonnet parallel | COMPLETE |
 | 4 | Backend Completion | 2 Sonnet parallel | COMPLETE |
-| 5 | Docker + Polish | 1 Sonnet | PENDING |
+| 5 | Docker + Polish | 2 Sonnet parallel | COMPLETE |
 
 ---
 
@@ -40,3 +40,115 @@
 4. Removed ConsoleModule from app.module.ts — eliminates `/ws` namespace conflict with NatsBridgeGateway
 5. Fixed Store module — `throw new Error()` → `NotFoundException` / `ForbiddenException`
 6. Fixed payment-order entity FK — `webstore_subscription_id` now references `WebstoreSubscription` not `License`
+
+---
+
+## Wave 2: Missing Entities + Security (15 files)
+
+**Status**: COMPLETE
+
+### Entity Creation (Agent A)
+- Created `webstore-config.entity.ts` — maps `webstore_config` (all columns verified against live DB)
+- Created `webstore-category.entity.ts` — maps `webstore_categories`
+- Created `webstore-item.entity.ts` — maps `webstore_items`
+- Created `webstore-transaction.entity.ts` — maps `webstore_transactions`
+- Created `module-store.entity.ts` — maps `module_store` (platform-level, no license_id)
+- Fixed `wipe-profile.entity.ts` — removed incorrect `default: {}` for pre/post wipe configs
+
+### Security Hardening (Agent B)
+- Added `@RequirePermission` to 7 controllers (36 endpoints):
+  - team (view/manage), webstore (manage), notifications (view/manage), alerts (view/manage), analytics (view), settings (view/manage), schedules (view/manage)
+- Encrypted panel API key with AES-256-GCM in setup.service.ts (was plaintext)
+
+---
+
+## Wave 3: Frontend Wiring (3 agents, 13 files)
+
+**Status**: COMPLETE
+
+### Agent C — Dashboard + Console + Login
+- DashboardView: Wired Start/Stop/Trigger Wipe buttons, wired Next Wipe from schedule data
+- ConsoleView: Added WebSocket subscription for real-time console_output streaming
+- LoginView: Implemented full TOTP 2FA challenge flow (show code input, re-POST with totp_code)
+
+### Agent D — Plugins + Wipes + Maps
+- PluginsView: Wired Load/Unload toggle + Uninstall with confirmation + toasts
+- WipesView: Added profile selector dropdown, disabled trigger when no profiles, warning banner
+- WipeProfilesView: Built full create/edit modal with all pre/post wipe config fields
+- MapsView: Wired file upload (hidden input, multipart FormData, auth header, loading state)
+
+### Agent E — Settings + Stores + Misc
+- SettingsView: Replaced 3 empty catch blocks with toast.error messages + success toasts
+- AnalyticsView + PlayerRetentionView: Fixed stale localStorage token → authStore.accessToken
+- stores/auth.ts: Replaced hardcoded permissions → JWT-decoded role permissions (custom roles now work)
+- stores/wipe.ts: Fixed onMounted lifecycle bug → explicit subscribeToWipeEvents() action
+- EarlyAccessView: Converted from expired countdown to "Early Access Now Live" state
+
+---
+
+## Wave 4: Backend Completion (2 agents, ~20 files)
+
+**Status**: COMPLETE
+
+### Agent F — NATS + Schedules
+- Wired wipe trigger to NATS (`corrosion.{id}.cmd.wipe` subject)
+- Wired plugin reload/uninstall to NATS (`corrosion.{id}.cmd.plugin` subject)
+- Expanded NatsBridgeService: added `files.response`, `wipe.status`, `server.status` subscriptions
+- Added `PATCH schedules/:id/toggle` endpoint with permission guard
+
+### Agent G — Service Completion + Graceful Stubs
+- ChangelogService: Now queries `platform_changelog` table (was returning empty array)
+- Map upload endpoint: Added `POST /maps/upload` with FileInterceptor + SHA-256 checksum
+- Auth password reset: Logger.warn + "not configured" response (was console.log)
+- Plugins uMod search: Returns `{ results: [], message: 'not configured' }` (was bare `[]`)
+- SteamService: Logger.warn on both methods (was debug/console)
+- Settings Cloudflare: Logger.warn for DNS stub (was silent)
+- MigrationService: Export returns with note, import throws NotImplementedException
+
+---
+
+## Wave 5: Docker + Polish (2 files)
+
+**Status**: COMPLETE
+
+- Pinned NATS image `nats:latest` → `nats:2.10-alpine`
+- Added nginx healthcheck (`wget -q --spider`)
+- Added proxy buffer config (128k buffer, 256k buffers) — prevents JWT truncation 502s
+- Added security headers (X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy)
+- Fixed marketing copy: "Rust / Axum backend" → "NestJS / TypeScript backend"
+
+---
+
+## Final Commit Log
+
+| Commit | Description | Files |
+|--------|-------------|-------|
+| `2086220` | Wave 1 — critical bug fixes | 10 |
+| `e1a3ea3` | Wave 2 — entities, security, encryption | 15 |
+| `a181ed7` | Backend stubs → real implementations | 11 |
+| `8bb6cc0` | Waves 3+4 — frontend wiring + NATS | 19 |
+| `1579a47` | Docker + Nginx hardening | 2 |
+| (pending) | Marketing copy + final log | 2 |
+
+**Total**: ~59 files touched, ~1100+ insertions
+
+---
+
+## Remaining Items (Not In Scope — External Dependencies)
+
+These require external API keys or infrastructure that can't be wired without credentials:
+
+| Feature | Dependency | Current State |
+|---------|-----------|---------------|
+| Steam force-wipe detection | `STEAM_API_KEY` | Graceful stub with Logger.warn |
+| PayPal payments | `PAYPAL_CLIENT_ID` + SDK | Sandbox URL stub |
+| Cloudflare DNS provisioning | `CLOUDFLARE_API_TOKEN` | DB-only update with Logger.warn |
+| SMTP email (password reset) | SMTP config | "Not configured" response |
+| uMod plugin search | uMod API integration | `{ results: [], message }` |
+| Map file persistence | S3/R2 or filesystem | Metadata saved, bytes not persisted |
+| Scheduled task execution | Cron engine / NATS bridge | DB CRUD only, no execution |
+| Alert triggering | Heartbeat processor | Config saved, no firing mechanism |
+
+---
+
+## Operation Status: COMPLETE
diff --git a/frontend/src/views/marketing/LandingView.vue b/frontend/src/views/marketing/LandingView.vue
index 6d1d2d0..7943b31 100644
--- a/frontend/src/views/marketing/LandingView.vue
+++ b/frontend/src/views/marketing/LandingView.vue
@@ -208,8 +208,8 @@ const panelUrl = import.meta.env.VITE_PANEL_URL || ''
         </p>
         <div class="grid grid-cols-2 md:grid-cols-4 gap-4 mb-10">
           <div class="p-5 bg-neutral-900 border border-neutral-800 rounded-lg">
-            <p class="text-oxide-400 font-semibold mb-1">Rust</p>
-            <p class="text-xs text-neutral-500">Axum backend</p>
+            <p class="text-oxide-400 font-semibold mb-1">NestJS</p>
+            <p class="text-xs text-neutral-500">TypeScript backend</p>
           </div>
           <div class="p-5 bg-neutral-900 border border-neutral-800 rounded-lg">
             <p class="text-oxide-400 font-semibold mb-1">NATS</p>