Following on from quickstart

Honestly, I really appreciate the great, constructive feedback!

The jwt you posted looks fine for sure. Is that what you get when you cat /tmp/http.client.jwt? You usually only see the "lacks a dot" error when your jwt is munged, and the one you posted looks fine. Makes me think maybe the file has a different name or lacks permissions (like you copied it via root and didn't use sudo to read the file?). What that error is saying is that the jwt didn't have a "." (a period) inside it. But clearly what you posted had the correct number. There should be two periods in a valid jwt file; each period separates a section: header, payload, signature. I'm thinking it was the root permissions thing?

do you need to show the firewall client side ... Also, maybe put 80/443 as port numbers going through the firewall

No, not really, but I did it for emphasis. It's taken for granted that it's closed; I wanted to illustrate that it's closed. The ports are "often" 80/443 but not always. It's a delicate balance to keep the diagram useful but not too busy. :slight_smile: I'll see what happens with ports on there. I also forgot to call out the 'hole' specifically.

do we need two edge routers

Nope. Just did that to illustrate that OpenZiti allows you to form a mesh of routers. If I add one, someone will say "can't I have two or more?" :smiley: Might be worth a footnote though. I didn't tailor this specifically for the quickstarts - I was hoping to get away with "one diagram to rule them all" but maybe it makes sense to have options. I'll mull that over.

There are links for intercept.v1 and hosts.v1, which I would expect to chain off to a page telling me about what those options do

Totally agree. It's on the todo list, just need to get it done. I wanted to get you 'something' to get you started. All the configs should be documented for sure.

ZITI_EDGE_CONTROLLER and ZITI_PORT are not defined for me. It might be better to just say, connect to the controller

This one is always tough, to be honest. Perhaps I'll just use a dummy value like "your-controller-here:port". It just gets wordy when you try to explain the various permutations of accessing your controller, but I appreciate the comment.

Maybe put a brief reason why we are creating user identities vs device identities?

Or backlinks to the relevant doc; that would make sense. I like that idea.

maybe detail that the ID that you want for docker-compose

Oh yeah. Since we're going after the web-test-blue, it makes sense to use the private edge router in that network. I'll make that change for sure.

Other notes - Tunneller page

YIKES this stuff is crazy out of date! That's going on the top of my "todo" list. I'll probably end up just stripping much/most of this doc and making this be a simple jumping point for the download of each.

aside - jwt expired - there is no way to regenerate it without deleting the user and starting again

Not yet, but that's coming very, very soon. I believe that functionality was just enabled in the API; it just needs to get into the UI/CLI. I'll check that.

aside - Windows client - when will the transport mode be available

This doc is so out of date it made me physically sad today. It has done all this for probably a year... :frowning: You can do it all with Windows right now. In fact the videos I referenced will show you that I personally use the Windows client daily. If you watch that "Totally Private Postgres" video, you'll see and hear me refer to the Windows client and WSL to provide my local machine access to the Postgres server running in AWS.

Any thoughts about making access to the ZAC have 2FA capabilities

Funny you mention this: another discourse user had a similar thought just the other day here: Turning ZAC dark. The difference was he was thinking about using Ziti itself to protect it. Technically what we'll want to add 2FA to is probably the API, but that would need to be surfaced via the UI too. If you did take the ZAC offline and used ziti to protect ZAC, you CAN add 2FA on Windows (MacOS/iOS coming very soon). I use that every day too. In fact, here's what that looks like on my client when I need to enter the MFA digits:

Thanks again for the excellent feedback. I hope the jwt thing is what I was thinking and it's just a permissions issue?
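A small check for the jwt question discussed at the top of this reply, added here as an example and not code from the poster or from the OpenZiti project. It looks only at what the "lacks a dot" error is about: whether the file exists and is readable by the current user (the "copied as root, read without sudo" case), and whether its contents split into the three dot-separated sections header, payload and signature, with the first two decoding as JSON. It does not verify the signature. The path /tmp/http.client.jwt is the one from the thread; the sample tokens are constructed for the demonstration and carry a placeholder signature.

```python
"""Sanity-check a JWT file before handing it to a tunneler (added example)."""
import base64
import json
import os
import stat


def _b64url_decode(segment: str) -> bytes:
    """JWT sections are unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_jwt_text(text: str) -> dict:
    """Describe the structure of a JWT string without raising on malformed input.

    A well-formed token is header.payload.signature: exactly two dots, three
    sections, with header and payload decoding to JSON objects.
    """
    token = text.strip()  # a trailing newline from an editor is harmless
    parts = token.split(".")
    report = {"dots": token.count("."), "sections": len(parts), "ok": False, "problems": []}
    if len(parts) != 3:
        report["problems"].append(
            f"expected 2 dots (header.payload.signature), found {report['dots']}")
        return report
    for name, segment in zip(("header", "payload"), parts[:2]):
        try:
            report[name] = json.loads(_b64url_decode(segment))
        except ValueError as exc:  # covers base64, UTF-8 and JSON errors
            report["problems"].append(f"{name} is not base64url-encoded JSON: {exc}")
    if not parts[2]:
        report["problems"].append("signature section is empty")
    report["ok"] = not report["problems"]
    return report


def inspect_jwt_file(path: str) -> dict:
    """Check the file name and permissions first (the usual culprits), then the structure."""
    if not os.path.isfile(path):
        return {"ok": False, "problems": [f"{path} does not exist or is not a regular file"]}
    if not os.access(path, os.R_OK):
        mode = stat.filemode(os.stat(path).st_mode)
        return {"ok": False, "problems": [
            f"{path} exists but is not readable by this user (mode {mode}); "
            "written as root and read without sudo?"]}
    with open(path, encoding="utf-8") as fh:
        return inspect_jwt_text(fh.read())


def make_sample_jwt(payload: dict) -> str:
    """Constructed sample token for the demo; the signature is only a placeholder."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"


if __name__ == "__main__":
    good = make_sample_jwt({"iss": "https://controller.example:1280", "sub": "device-01"})
    print(inspect_jwt_text(good))                       # ok, 3 sections
    print(inspect_jwt_text(good.replace(".", "")))      # the "lacks a dot" case
    print(inspect_jwt_file("/tmp/http.client.jwt"))     # path from the thread
```

Run it as the same user that will start the tunneler; a token that prints fine under sudo but fails here is the permissions case from the reply above, not a munged jwt.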