diff --git a/README.md b/README.md index 2fc59fd..4362e0a 100644 --- a/README.md +++ b/README.md @@ -33,6 +33,10 @@ npm run dev ## Plugin Overview +Core and plugin docs: +- Core: `docs/core-overview.md` +- Plugin index: `docs/plugins/README.md` + Auth - `rms.auth.smtp_relay`: email link challenge delivery through SMTP relay - `rms.auth.otp_email`: OTP challenge delivery through email diff --git a/docs/core-overview.md b/docs/core-overview.md new file mode 100644 index 0000000..eb6da6f --- /dev/null +++ b/docs/core-overview.md @@ -0,0 +1,29 @@ +# Core Overview + +Diese Datei beschreibt den Core von `ARCG-Remote-Station-Software` auf hoher Ebene. + +## Zweck + +- Generische Remote-Station-Software (station-unabhaengig) +- API (`server/`), Web-UI (`public/`), Plugin-Runtime (`plugins/`) +- Keine station-spezifischen Deploy-Details im Core + +## Schichten + +1. Core-Defaults im Software-Repo +2. Overlay/Deploy-Repo (stationsspezifisch) +3. Runtime-ENV auf dem Zielsystem (hoechste Prioritaet) + +## Wichtige Core-Funktionen + +- Passwortlose Auth (SMTP-Link, OTP, optional OAuth) +- Rollen/Policies, Owner-Locks, Reservierungen +- OpenWebRX-Integration (Session/Guard/Bandmap) +- Hardwaresteuerung ueber Plugins (TX/PTT/Router/Rotor/VSWR) +- Audit/Event-Stream fuer Live-UI + +## Security Boundary + +- Repo ist oeffentlich. +- Keine Live-Konfigurationen, Secrets, Tokens, private Hostnamen oder Betriebsinterna committen. +- Sensible Werte ausschliesslich in Runtime-ENV/Deploy-Ebene halten. diff --git a/docs/plugins/README.md b/docs/plugins/README.md new file mode 100644 index 0000000..6b52e29 --- /dev/null +++ b/docs/plugins/README.md 
@@ -0,0 +1,20 @@ +# Plugin Doku Index + +- `rms-auth-otp-email.md` +- `rms-auth-oauth.md` +- `rms-auth-smtp-relay.md` +- `rms-microham.md` +- `rms-tx-audio-core.md` +- `rms-debug-remote.md` +- `rms-openwebrx-guard.md` +- `rms-openwebrx-bandmap.md` +- `rms-station-access-policy.md` +- `rms-help-basic.md` +- `rms-tx-control-native.md` +- `rms-tx-state-file.md` +- `rms-rfroute-shell.md` +- `rms-rotor-hamlib.md` +- `rms-vswr-native.md` +- `rms-vswr-report-reader.md` +- `rms-vswr-nanovna.md` +- `rms-station-shell.md` diff --git a/docs/plugins/rms-auth-oauth.md b/docs/plugins/rms-auth-oauth.md new file mode 100644 index 0000000..db7bde2 --- /dev/null +++ b/docs/plugins/rms-auth-oauth.md @@ -0,0 +1,6 @@ +# rms.auth.oauth + +- Zweck: OAuth/OIDC Authorization-Code Login. +- Auth-Methode: `oauth`. +- Wichtige Settings: `authorizeUrl`, `tokenUrl`, `userInfoUrl`, `clientId`, `clientSecret`, `scope`, `redirectUri`, `emailField`, `authStyle`. +- Verhalten: erstellt Authorize-URL (`start_oauth`) und validiert Callback (`finish_oauth`) inkl. E-Mail-Aufloesung. diff --git a/docs/plugins/rms-auth-otp-email.md b/docs/plugins/rms-auth-otp-email.md new file mode 100644 index 0000000..d3a5e7d --- /dev/null +++ b/docs/plugins/rms-auth-otp-email.md @@ -0,0 +1,6 @@ +# rms.auth.otp_email + +- Zweck: OTP-Challenge per E-Mail versenden. +- Auth-Methode: `otp-email`. +- Wichtige Settings/ENV: `SMTP_HOST`, `SMTP_PORT`, `SMTP_SECURE`, `SMTP_USER`, `SMTP_PASS`, `SMTP_FROM`, `SMTP_REPLY_TO`, `allowInvalidCert`. +- Verhalten: versucht SMTP-Versand, faellt bei Bedarf auf Outbox-Queue zurueck. diff --git a/docs/plugins/rms-auth-smtp-relay.md b/docs/plugins/rms-auth-smtp-relay.md new file mode 100644 index 0000000..d9344b4 --- /dev/null +++ b/docs/plugins/rms-auth-smtp-relay.md 
@@ -0,0 +1,6 @@ +# rms.auth.smtp_relay + +- Zweck: Passwortlosen Login-Link per SMTP-Relay versenden. +- Auth-Methode: `smtp-link`. +- Wichtige Settings/ENV: `SMTP_HOST`, `SMTP_PORT`, `SMTP_SECURE`, `SMTP_USER`, `SMTP_PASS`, `SMTP_FROM`, `SMTP_REPLY_TO`. +- Verhalten: Versand ueber SMTP, bei Fehlern Outbox-Fallback fuer resiliente Challenge-Zustellung. diff --git a/docs/plugins/rms-debug-remote.md b/docs/plugins/rms-debug-remote.md new file mode 100644 index 0000000..75f7525 --- /dev/null +++ b/docs/plugins/rms-debug-remote.md @@ -0,0 +1,6 @@ +# rms.debug.remote + +- Zweck: Remote-Debug Sammlung (OWRX/USB) fuer Admin-Triage. +- Capability: `admin.debug.remote`. +- Wichtige Settings: `enabled`, `remoteToken`, `collectLines`, `unitName`, `redactSensitive`. +- Verhalten: sammelt/liest/loescht Debug-Logs und Snapshots in `DATA_DIR/debug/*`, redaktiert sensible Werte. diff --git a/docs/plugins/rms-help-basic.md b/docs/plugins/rms-help-basic.md new file mode 100644 index 0000000..0a875ab --- /dev/null +++ b/docs/plugins/rms-help-basic.md @@ -0,0 +1,7 @@ +# rms.help.basic + +- Zweck: Liefert statische Hilfeinhalte fuer die UI. +- Capability: `help.content.read`. +- Settings/ENV: keine. +- Aktion: `getContent`. +- Verhalten: gibt strukturierte Hilfeabschnitte (Nutzung, Troubleshooting, Sicherheit) aus. diff --git a/docs/plugins/rms-microham.md b/docs/plugins/rms-microham.md new file mode 100644 index 0000000..efd22d5 --- /dev/null +++ b/docs/plugins/rms-microham.md @@ -0,0 +1,7 @@ +# rms.microham + +- Zweck: PTT- und TX-Audio-Backend fuer microHAM. +- Capabilities: `microham.ptt`, `microham.audio`, `tx.audio.backend`. +- Wichtige ENV: `MICROHAM_DEVICE`, `MICROHAM_PTT_*`, `MICROHAM_AUDIO_*`. +- Aktionen: `pttDown`, `pttUp`, `pttStatus`, `audioConnect`, `audioDisconnect`, `audioWriteChunk`. +- Detailguide: `docs/hardware-microham-guide.md`. diff --git a/docs/plugins/rms-openwebrx-bandmap.md b/docs/plugins/rms-openwebrx-bandmap.md new file mode 100644 index 0000000..26e13ab 
--- /dev/null +++ b/docs/plugins/rms-openwebrx-bandmap.md @@ -0,0 +1,7 @@ +# rms.openwebrx.bandmap + +- Zweck: Band-/Profilverwaltung fuer OpenWebRX. +- Capabilities: `openwebrx.band.read`, `openwebrx.band.set`. +- Wichtige ENV: `OPENWEBRX_BANDMAP_CSV_PATH`, `OPENWEBRX_CONFIG_PATH`, `OPENWEBRX_BAND_SET_CMD_TEMPLATE`, `OPENWEBRX_BAND_STATE_PATH`, `OPENWEBRX_BAND_TIMEOUT_MS`. +- Aktionen: `getBands`, `setBand`, `getState`. +- Verhalten: liest CSV, setzt Band ueber Template oder Config-Patch und speichert Zustand. diff --git a/docs/plugins/rms-openwebrx-guard.md b/docs/plugins/rms-openwebrx-guard.md new file mode 100644 index 0000000..8d4797d --- /dev/null +++ b/docs/plugins/rms-openwebrx-guard.md @@ -0,0 +1,6 @@ +# rms.openwebrx.guard + +- Zweck: OpenWebRX Zugriffsschutz und Dienststeuerung. +- Capabilities: `openwebrx.access.issue`, `openwebrx.access.verify`, `openwebrx.service.control`. +- Wichtige ENV: `OPENWEBRX_PATH`, `OPENWEBRX_TICKET_TTL_SEC`, `OPENWEBRX_START_CMD`, `OPENWEBRX_STOP_CMD`, `OPENWEBRX_ENSURE_SDR_CMD`. +- Verhalten: owner-gebundene Tickets ausstellen/verifizieren/revoken; optional OpenWebRX Start/Stop orchestrieren. diff --git a/docs/plugins/rms-rfroute-shell.md b/docs/plugins/rms-rfroute-shell.md new file mode 100644 index 0000000..4da2143 --- /dev/null +++ b/docs/plugins/rms-rfroute-shell.md @@ -0,0 +1,7 @@ +# rms.rfroute.shell + +- Zweck: RF-Route/Umschaltung ueber Shell-Kommandos. +- Capabilities: `rfroute.set`, `rfroute.read`. +- Wichtige ENV: `RFROUTE_CMD_TX`, `RFROUTE_CMD_RX`, `RFROUTE_CMD_ON`, `RFROUTE_CMD_OFF`, `RFROUTE_CMD_DRAHT`, `RFROUTE_CMD_BEAM`, `RFROUTE_CMD_WRTC`, `RFROUTE_TIMEOUT_MS`. +- Aktion: `setRoute`. +- Detailguide: `docs/hardware-rfroute-guide.md`. diff --git a/docs/plugins/rms-rotor-hamlib.md b/docs/plugins/rms-rotor-hamlib.md new file mode 100644 index 0000000..86c22ca --- /dev/null +++ b/docs/plugins/rms-rotor-hamlib.md 
@@ -0,0 +1,7 @@ +# rms.rotor.hamlib + +- Zweck: Rotorsteuerung ueber Hamlib/rotctl. +- Capabilities: `rotor.read`, `rotor.set`. +- Wichtige Settings/ENV: `defaultAzimuth`, `setTemplate`, `getCommand`, sowie `ROTOR_*` im nativen Server-Pfad. +- Aktionen: `getAzimuth`, `setAzimuth`. +- Detailguide: `docs/rotor-rot1prog-guide.md`. diff --git a/docs/plugins/rms-station-access-policy.md b/docs/plugins/rms-station-access-policy.md new file mode 100644 index 0000000..a75d72f --- /dev/null +++ b/docs/plugins/rms-station-access-policy.md @@ -0,0 +1,6 @@ +# rms.station.access.policy + +- Zweck: Persistente und effektive Benutzerliste fuer OpenWebRX Access-Policy. +- Capabilities: `station.access.policy.read`, `admin.station.access.policy.write`. +- Wichtige ENV: `OPENWEBRX_ACCESS_POLICY_FILE`, `OPENWEBRX_PERSISTENT_USERS_FILE`. +- Aktionen: `addPersistentUser`, `removePersistentUser`, `syncOwner`, `clearOwner`, `readPolicy`. diff --git a/docs/plugins/rms-station-shell.md b/docs/plugins/rms-station-shell.md new file mode 100644 index 0000000..b50bcce --- /dev/null +++ b/docs/plugins/rms-station-shell.md @@ -0,0 +1,7 @@ +# rms.station.shell + +- Zweck: Aktivierungs-/Deaktivierungs-Skripte fuer Stationshardware ausfuehren. +- Capabilities: `station.activate`, `station.deactivate`. +- Wichtige ENV: `SCRIPT_ACTIVATE`, `SCRIPT_DEACTIVATE`, `SCRIPT_ROOT`, `STATION_SCRIPT_TIMEOUT_MS`. +- Aktionen: `activate`, `deactivate`. +- Detailguide: `docs/hardware-station-shell-guide.md`. diff --git a/docs/plugins/rms-tx-audio-core.md b/docs/plugins/rms-tx-audio-core.md new file mode 100644 index 0000000..34190e9 --- /dev/null +++ b/docs/plugins/rms-tx-audio-core.md @@ -0,0 +1,6 @@ +# rms.tx.audio.core + +- Zweck: Abstraktionsschicht fuer TX-Audio. +- Capability: `tx.audio`. +- Wichtige Settings: `backendCapability` (Default `tx.audio.backend`). +- Verhalten: mappt Core-Audio-Aktionen auf Backend-Aktionen (`backendStart`, `backendWrite`, `backendStop`, `backendStatus`). 
diff --git a/docs/plugins/rms-tx-control-native.md b/docs/plugins/rms-tx-control-native.md new file mode 100644 index 0000000..9efda71 --- /dev/null +++ b/docs/plugins/rms-tx-control-native.md @@ -0,0 +1,7 @@ +# rms.tx.control.native + +- Zweck: Native TX-Power Schaltung. +- Capabilities: `tx.control`, `tx.state.read`. +- Wichtige ENV: `TX_ENABLE_CMD`, `TX_DISABLE_CMD`, `TX_STATUS_CMD`, `TX_CONTROL_TIMEOUT_MS`, `TX_STATE_PATH`. +- Aktionen: `enableTx`, `disableTx`, `getTxState`. +- Detailguide: `docs/hardware-tx-control-guide.md`. diff --git a/docs/plugins/rms-tx-state-file.md b/docs/plugins/rms-tx-state-file.md new file mode 100644 index 0000000..9c0e482 --- /dev/null +++ b/docs/plugins/rms-tx-state-file.md @@ -0,0 +1,7 @@ +# rms.tx.state.file + +- Zweck: TX-Status aus JSON-Datei lesen. +- Capability: `tx.state.read`. +- Wichtige ENV: `TX_STATE_PATH`. +- Aktion: `getTxState`. +- Verhalten: liest `txActive/updatedAt/source`; liefert sicheren Fallback, wenn Datei fehlt/ungueltig ist. diff --git a/docs/plugins/rms-vswr-nanovna.md b/docs/plugins/rms-vswr-nanovna.md new file mode 100644 index 0000000..fb4609e --- /dev/null +++ b/docs/plugins/rms-vswr-nanovna.md @@ -0,0 +1,7 @@ +# rms.vswr.nanovna + +- Zweck: Einfacher NanoVNA-VSWR Lauf ueber ein Kommando. +- Capabilities: `vswr.run`, `vswr.read`. +- Wichtige ENV: `VSWR_CHECK_CMD`, `VSWR_CHECK_TIMEOUT_MS`, `VSWR_METADATA_PATH`. +- Aktionen: `runCheck`, `readStatus`. +- Detailguide: `docs/hardware-vswr-nanovna-guide.md`. diff --git a/docs/plugins/rms-vswr-native.md b/docs/plugins/rms-vswr-native.md new file mode 100644 index 0000000..ab6d3c8 --- /dev/null +++ b/docs/plugins/rms-vswr-native.md 
@@ -0,0 +1,7 @@ +# rms.vswr.native + +- Zweck: Native VSWR-Laufsteuerung und Report-Erzeugung. +- Capabilities: `vswr.run`, `vswr.report.read`. +- Wichtige ENV: `NANOVNA_COMMAND_TEMPLATE`, `VSWR_BANDS_JSON`, `VSWR_TIMEOUT_MS_PER_BAND`, `VSWR_REPORT_JSON_PATH`, `VSWR_OUTPUT_BASE_DIR`, `VSWR_IMAGES_BASE_URL`. +- Aktionen: `runCheck`, `getReport`. +- Detailguide: `docs/hardware-vswr-nanovna-guide.md`. diff --git a/docs/plugins/rms-vswr-report-reader.md b/docs/plugins/rms-vswr-report-reader.md new file mode 100644 index 0000000..9592516 --- /dev/null +++ b/docs/plugins/rms-vswr-report-reader.md @@ -0,0 +1,7 @@ +# rms.vswr.report_reader + +- Zweck: Liest vorhandene VSWR-Artefakte und normalisiert sie fuer die API/UI. +- Capability: `vswr.report.read`. +- Wichtige ENV: `VSWR_OVERVIEW_HTML_PATH`, `VSWR_METADATA_PATH`, `VSWR_IMAGES_DIR_PATH`, `VSWR_IMAGES_BASE_URL`, `SWR_OVERVIEW_URL`. +- Aktion: `getReport`. +- Verhalten: kombiniert Metadata/HTML/Image-Infos zu bandweisem Statusreport.
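Review bot: in docs/core-overview.md, the "Schichten" list and the "Security Boundary" section do not say where plugin settings sit. The boundary requires sensitive values to live only in the Runtime-ENV/deploy layer, yet docs added in this same patch list `clientSecret` (rms-auth-oauth.md) and `remoteToken` (rms-debug-remote.md) under "Wichtige Settings" rather than ENV. Please add one line stating which layer plugin settings are loaded from and that secret-bearing settings must be supplied from the deploy overlay or ENV, never from the core defaults in the public repo.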
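Review bot: in docs/plugins/README.md, the index entries are bare backticked filenames in no visible order (neither alphabetical nor grouped like the "Auth" grouping in the top-level README). Suggest making each entry a relative link and grouping them by the same categories as the README's Plugin Overview, so a reader can find the auth and shell-executing plugins quickly.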
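Review bot: in docs/plugins/rms-auth-oauth.md, the "Verhalten" line says `finish_oauth` validates the callback but does not name what is validated. For an authorization-code flow the doc should state whether the `state` value issued by `start_oauth` is checked on return and whether `redirectUri` must match exactly. `authStyle` and `emailField` are also listed without their accepted values; a short description of each would prevent misconfiguration.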
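Review bot: in docs/plugins/rms-auth-otp-email.md, `allowInvalidCert` is listed among the important settings with no default and no explanation, and it is absent from rms-auth-smtp-relay.md even though both plugins share the same `SMTP_*` variables. Since this setting governs certificate checking on the connection that carries login challenges, please document its default, state that it is intended for test setups only, and clarify whether the relay plugin honours it as well. The outbox fallback line could also say whether queued challenges expire.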
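Review bot: in docs/plugins/rms-debug-remote.md, the "Verhalten" line states that sensitive values are redacted, while `redactSensitive` appears in the settings list as something that can be configured. The doc should give the default for `redactSensitive` and say what ends up in `DATA_DIR/debug/*` when it is off. It would also help to state what `remoteToken` authenticates and that it belongs in the deploy layer, and to give the default for `enabled`.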
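Review bot: in docs/plugins/rms-openwebrx-bandmap.md, `OPENWEBRX_BAND_SET_CMD_TEMPLATE` is described only as "setzt Band ueber Template", with no list of placeholders and no statement of how the value passed to `setBand` is constrained before it is substituted into a command. Please document the allowed placeholders and that the band must match an entry from the CSV before the template is expanded. The same gap applies to `setTemplate` in rms-rotor-hamlib.md and `NANOVNA_COMMAND_TEMPLATE` in rms-vswr-native.md.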
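Review bot: in docs/plugins/rms-rotor-hamlib.md, the Detailguide path `docs/rotor-rot1prog-guide.md` breaks the `docs/hardware-*-guide.md` naming used by every other Detailguide reference in this patch, and none of the referenced guides are added here. Please confirm the path is correct and that the target files exist in the tree. The phrase "`ROTOR_*` im nativen Server-Pfad" would also benefit from naming the variables, as the other plugin docs do.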
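Review bot: in docs/plugins/rms-tx-state-file.md, the capability `tx.state.read` is also declared by rms-tx-control-native.md, and both read `TX_STATE_PATH`, but neither doc says which provider answers `getTxState` when both plugins are loaded. The same overlap exists for `vswr.run` between rms-vswr-nanovna.md and rms-vswr-native.md. Please document the resolution rule. It would also help to spell out what the "sicherer Fallback" returns, for example whether a missing or invalid file is reported as TX inactive or as unknown.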
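Review bot: in docs/plugins/rms-vswr-report-reader.md, the last variable in the ENV list is `SWR_OVERVIEW_URL`, while every other variable in this file and in the two sibling VSWR docs is prefixed `VSWR_`. If this is the real name, a short note that the prefix differs would keep operators from "correcting" it in their deploy config; if it is a typo, it should read `VSWR_OVERVIEW_URL`.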