diff --git a/Readme.md b/Readme.md
index 0fd0404..8718d7e 100644
--- a/Readme.md
+++ b/Readme.md
@@ -29,7 +29,7 @@ The goal is simple: everything the repair shop needs to track is located in one
 - Database migration system
 - User interface — sidebar navigation, theme system (dark/light), dashboard with statistics
 - User login — server-side sessions, account locking
-- Two-factor authentication (TOTP) — activation with a QR code, backup codes
+- Two-factor authentication (TOTP) — activation with a QR code; secret encrypted at rest (AES-256-GCM, key kept outside the database)
 - Brute-force protection — IP locking after 5 failed attempts within 15 minutes
 - CSRF protection — double-submit cookie pattern, automatic token injection into all forms
 - Security HTTP headers (CSP, X-Frame-Options, Referrer-Policy, nosniff...)
@@ -45,16 +45,19 @@ The goal is simple: everything the repair shop needs to track is located in one
 - Settings — company name, address, Tax ID (PIB), logo; theme toggle
 - Background images — login page and app, with blur, transparency and glass effect
 - Personal theme and background — each user can set their own theme and background image
-- Permission matrix (RBAC) — admin panel for setting permissions by role
+- Permission matrix (RBAC) — admin panel for permissions by role; enforced at the route level (both mutations and views) and in handlers
 - Flash messages — one-time feedback after an action
-- Automatic SQLite backup — with configurable number of retained copies
+- Automatic SQLite backup — with configurable number of retained copies; restore from a copy (safe, with no downtime)
 - Charts — monthly revenue on reports (Chart.js)
+- Structured logging — `log/slog` (JSON in production, text in development); separate auth log in fail2ban format
+- Automated tests — unit and integration over a SQLite database (crypto, RBAC, login flows, form validators, reports)
 
 ### Planned
 
 - Fiscalization and VAT calculation (specification in Project.md)
 - PostgreSQL support (for multi-user environments)
 - WebAuthn / Passkey login (database schema is already prepared)
+- Backup (one-time) codes for 2FA
 - Notifications (email / WhatsApp) — deferred to a later phase
 - Barcode scanning via camera — deferred to a later phase
 
diff --git a/Readme_sr.md b/Readme_sr.md
index 4b841e2..7fbc13f 100644
--- a/Readme_sr.md
+++ b/Readme_sr.md
@@ -29,7 +29,7 @@ Cilj je jednostavan: sve što servis treba da prati nalazi se na jednom mestu, b
 - Sistem migracija baze podataka
 - Korisnički interfejs — sidebar navigacija, sistem tema (tamna/svetla), dashboard sa statistikama
 - Prijava korisnika — sesije na serveru, zaključavanje naloga
-- Dvofaktorska autentifikacija (TOTP) — aktivacija sa QR kodom, rezervni kodovi
+- Dvofaktorska autentifikacija (TOTP) — aktivacija sa QR kodom; tajna šifrovana u bazi (AES-256-GCM, ključ van baze)
 - Bruteforce zaštita — IP zaključavanje nakon 5 neuspelih pokušaja u 15 minuta
 - CSRF zaštita — double-submit cookie pattern, automatska injekcija tokena u sve forme
 - Bezbednosni HTTP headeri (CSP, X-Frame-Options, Referrer-Policy, nosniff...)
@@ -45,16 +45,19 @@ Cilj je jednostavan: sve što servis treba da prati nalazi se na jednom mestu, b
 - Podešavanja — naziv, adresa, PIB, logo firme; promena teme
 - Pozadinske slike — login stranica i aplikacija, sa zamućenjem, providnošću i glass efektom
 - Lična tema i pozadina — svaki korisnik može svoju temu i pozadinsku sliku
-- Matrica dozvola (RBAC) — admin panel za podešavanje dozvola po ulogama
+- Matrica dozvola (RBAC) — admin panel za dozvole po ulogama; provera se sprovodi na nivou ruta (i mutirajućih i pregleda) i u handlerima
 - Flash poruke — jednokratne povratne informacije nakon akcije
-- Automatski backup SQLite baze — sa podešavanjem broja čuvanih kopija
+- Automatski backup SQLite baze — sa podešavanjem broja čuvanih kopija; vraćanje baze iz kopije (bezbedno, bez prekida rada)
 - Grafikoni — mesečni prihod na izveštajima (Chart.js)
+- Strukturisano logovanje — `log/slog` (JSON u produkciji, tekst u razvoju); zaseban auth log u fail2ban formatu
+- Automatski testovi — jedinični i integracioni nad SQLite bazom (kripto, RBAC, tokovi prijave, validatori forme, izveštaji)
 
 ### Planirano
 
 - Fiskalizacija i PDV obračun (specifikacija u Project.md)
 - Podrška za PostgreSQL (za višekorisničko okruženje)
 - WebAuthn / Passkey prijava (šema baze je pripremljena)
+- Rezervni (jednokratni) kodovi za 2FA
 - Obaveštenja (e-pošta / WhatsApp) — odloženo za kasniju fazu
 - Skeniranje barkodova putem kamere — odloženo za kasniju fazu