diff --git a/docs/rdp-debug-handoff.md b/docs/rdp-debug-handoff.md index 4d23ca9..9c91e4b 100644 --- a/docs/rdp-debug-handoff.md +++ b/docs/rdp-debug-handoff.md 
@@ -1,5 +1,97 @@ # RDP Connection Debugging — Handoff Doc +## ✅ WORKING NOW (2026-06-22) — XFCE over xrdp, full input + 1080p + +RDP through ArchNest works end-to-end on the test Fedora VM (`192.168.122.55`, user +`sam`) with the **XFCE** desktop. Confirmed by the user: logged in, desktop renders, +mouse + keyboard work, 1080p. The full chain of fixes that got it there (each was a +separate blocker, each its own deployed PR): + +1. **Auth/security (PR #41):** gnome-remote-desktop mandates NLA, which guacd's FreeRDP 2 + can't do → replaced it with **xrdp** on the VM (xrdp interoperates with guacd FreeRDP 2). +2. **Desktop session (PR #42):** GNOME 50 is Wayland-only and won't run on xrdp's Xorg + backend → installed **XFCE** + created `/etc/xrdp/startwm.sh` to launch it. +3. **Rendering (PR #43):** blank despite XFCE running → disabled xfwm4 **compositing** + (`use_compositing=false`) + `LIBGL_ALWAYS_SOFTWARE=1` (no GL on the Virtio GPU). +4. **Display scaling (PR #44):** client scaled the Guacamole display to the panel. +5. **Connection stability (PR #46):** ArchNest backend now **echoes the guacamole-common-js + tunnel `ping`** (`0.,4.ping,...`) that `guacamole-lite` 1.2.0 wrongly forwarded to guacd, + which fixed the flicker→drop→reconnect loop ("User is not responding"). See `guacamole.ts`. +6. **Input (PR #47):** wired `Guacamole.Mouse` (scaled coords) + `Guacamole.Keyboard` in + `RemoteDesktop.tsx` — the display rendered but no input was captured before this. +7. **Default resolution (PR #48):** guacd `connectionDefaultSettings` now 1920x1080. + +ArchNest connection setting that works: **Security = `any`** (blank also fine). `nla`/`rdp` +do not work against xrdp's default config. + +## ⚠️ Desktop environment support matrix (the open task) + +**Goal (from the user): get GNOME and KDE working too, on latest versions — not just XFCE.** + +| Desktop | Over xrdp (X11 backend) | Over native Wayland RDP | Works with guacd (FreeRDP 2)? 
| +|---|---|---|---| +| **XFCE** | ✅ works (current setup) | n/a (X11 DE) | ✅ yes, via xrdp | +| **KDE Plasma 6** | ✅ should work via `startplasma-x11` (X11 session still shipped through ~early 2027) | KRdp (Wayland) — newer, finicky | ✅ via xrdp X11 session; ⚠️ via KRdp | +| **GNOME 50** | ❌ no Xorg session exists (Wayland-only) — xrdp can't launch it | gnome-remote-desktop **mandates NLA** | ❌ blocked both ways with FreeRDP 2 | + +### Why GNOME is the hard one (verified on the VM, not theory) + +- GNOME 50 ships **only Wayland sessions** (`/usr/share/xsessions/` has no `gnome*.desktop`; + only `gnome.desktop`/`gnome-classic.desktop` under `wayland-sessions/`). So the xrdp route + that works for XFCE/KDE-X11 **cannot launch GNOME** at all. +- GNOME's own Wayland RDP (`gnome-remote-desktop`) **requires NLA** and `grdctl` exposes no + way to disable it (`set-auth-methods` only accepts `credentials`/`kerberos`, both NLA). + guacd's FreeRDP 2 can't complete that NLA handshake → "wrong security type". Confirmed again + this session: `grdctl --help` shows no TLS-only/disable-NLA option in v50.1. + +### Researched paths to make GNOME work (pick when picking this up) + +1. **Best long-term: get FreeRDP 3 into guacd.** FreeRDP 3 *can* do gnome-remote-desktop NLA. + Apache's official `guacamole/guacd` images (1.5.5 **and** 1.6.0) still ship FreeRDP **2.11.x**, + so this needs a **custom guacd image built against FreeRDP 3** (guacamole-server has FreeRDP-3 + build support; ~30-min from-source build to maintain in `docker-compose.yml`). This would + unblock GNOME's native Wayland RDP *and* is the cleanest fix for any modern GNOME/Ubuntu 24.04+ + target other ArchNest users hit. **Recommended primary direction.** Validate by rebuilding the + guacd service and re-running the `security=nla` connect test against gnome-remote-desktop. +2. 
**GNOME headless "system" RDP (GNOME 46+/48+), the *intended* modern path.** `gnome-remote-desktop` + has a **system daemon + GDM handover** mode (a separate path from the per-user + `gnome-remote-desktop.service`; note the VM already has a `gnome-remote-desktop-configuration.service` + unit present but disabled). It starts a headless GNOME Wayland session on connect, no monitor + needed. BUT it still negotiates NLA, so it only helps **once guacd has FreeRDP 3** (path 1). + Refs: SUSE "Headless remote sessions in GNOME" parts 2–3; jamesnorth.net GRD setup; RHEL 10 + "Administering RHEL by using the GNOME desktop" → remote desktop on headless server. +3. **Fallback that works with FreeRDP 2 today: don't use GNOME's RDP at all — run a GNOME + *Xorg* session under xrdp.** Requires installing the GNOME-on-Xorg session + (`gnome-session-xsession` / the classic Xorg session package) so a `gnome.desktop` appears in + `/usr/share/xsessions/`, then point `startwm.sh`/`~/.xsession` at `gnome-session`. On Virtio GPU + also force software GL (`LIBGL_ALWAYS_SOFTWARE=1`) and expect GNOME Shell to be heavy without + GPU accel — GNOME Classic or "GNOME on Xorg" is lighter. Fedora has been **dropping** the GNOME + Xorg session, so this may not be installable on 44+; verify availability first. Lower priority. + +### KDE Plasma 6 (should be straightforward, same pattern as XFCE) + +- KDE is **not installed** on the VM yet. Two routes: + - **xrdp + Plasma X11 session (recommended now):** install Plasma, ensure `startplasma-x11` + exists, point `startwm.sh`/`~/.xsession` at it (`exec startplasma-x11`). Same model as XFCE; + works with guacd FreeRDP 2. Plasma keeps the X11 session through ~early 2027 (Plasma 6.8 goes + Wayland-only). May also need compositing tweaks on the Virtio GPU (KWin: `export + KWIN_COMPOSE=Q` for software/XRender, or disable compositing) to avoid a black screen. + - **KRdp (native Wayland, future-proof):** Plasma 6's own Wayland RDP server. 
Newer, has its own + black-screen/portal pitfalls, and (like gnome-remote-desktop) check its NLA behavior against + guacd FreeRDP 2 before relying on it. Prefer once guacd has FreeRDP 3. + +### Suggested order of work for the next agent + +1. Build & wire a **FreeRDP-3 guacd image** (path 1) — unblocks GNOME natively and benefits all + users. Test against the VM's gnome-remote-desktop with `security=nla`. +2. Install **KDE Plasma** on the VM and prove the **xrdp + `startplasma-x11`** route (quick win, + no guacd change needed). Document the compositing/GL tweak if a black screen appears. +3. Only if FreeRDP 3 lands: enable **GNOME headless system RDP** and validate end-to-end. +4. Make the desktop/session choice per-host configurable rather than a global `startwm.sh` + (e.g. xrdp session-select, or per-user `~/.xsession`) so one VM can offer XFCE/KDE/GNOME. + +--- + ## ✅ RESOLVED (2026-06-22) — root cause found, proven end-to-end **Root cause: guacd 1.5.5 ships FreeRDP 2.11.5, whose NLA/CredSSP client cannot
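Review bot: The "ArchNest connection setting that works" paragraph in the WORKING NOW section records `Security = any` without saying what is actually negotiated now that step 1 replaced the NLA-only gnome-remote-desktop with xrdp. Please state which security layer guacd and xrdp end up using and whether the server certificate is validated, since `any` accepts whatever the server offers and, without NLA, authentication no longer happens before the session is set up. The paragraph says `nla` and `rdp` fail but is silent on `tls`; test `tls` and, if it connects, document that as the value to use instead of `any`. Separately, the support matrix marks the KDE Plasma 6 row ✅ for both xrdp and guacd, while the KDE section says KDE is "not installed" on the VM; mark those cells as untested so the matrix separates results verified on the VM (XFCE, GNOME) from expectations, and treat the `KWIN_COMPOSE=Q` hint the same way until it has been tried. The test VM address and username in the opening paragraph would also be better as placeholders if this doc is read outside the team.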