Lock display names at registration

API.md

@@ -6,13 +6,13 @@ All endpoints are JSON. Most routes require the HttpOnly `player` cookie issued
 POST /api/auth/register — accepts optional `adminKey` to set `IsAdmin=true`  
 POST /api/auth/login  
 POST /api/auth/logout
+Display names are set during registration and are immutable afterward.
 
 ## State (requires auth)
 GET /api/state — returns currentPhase (for caller), votesFinal, resultsOpen, updatedAt, counts (players/suggestions/votes)  
 GET /api/me — id, displayName, username, isAdmin, currentPhase, votesFinal
 
 ## Player (requires auth)
-POST /api/me/name — set display name (max 16 chars)  
 POST /api/me/phase/next — advance caller to next phase (Suggest→Vote→Results; Results gated by resultsOpen)  
 POST /api/me/phase/prev — admin-only move caller backward (Results→Vote→Suggest)