Manage role
Share Your Thoughts With Me has three roles:
- Public visitor — no login required. Submits feedback, sees public comments, reads docs.
- Manager — email + password login. Owns one or more feedback posts; can edit them, view their feedback, moderate their public comments, see their telemetry.
- Admin — the project operator (you). Sees everything. Creates managers and assigns them to posts.
How managers are created
Two paths:
Self-service signup. Anyone visits /manage/signup and fills in:
- Email (unique across all managers; lowercase-normalized)
- Password (12+ characters)
…and clicks Create account. The account is active immediately; the
visitor is signed in and redirected to /manage/posts. The signup
form is rate-limited (30 attempts per minute per IP) and includes a
hidden honeypot to defeat naive bots. There is no email verification
and no admin approval step.
Admin provisioning. The admin opens /admin/managers, fills in:
- Email (unique across all managers)
- Display name (optional)
- Initial password (12+ characters)
…and clicks Create manager. The admin then opens the manager's post at /admin/posts/{id} and assigns the manager to it via the Assigned managers section.
A manager can also create their own posts from /manage/posts. Posts the manager creates are auto-assigned to that manager.
What a manager sees
- /manage/login — sign-in form.
- /manage/posts — only the posts assigned to this manager.
- /manage/posts/{id} — the same post editor the admin sees, scoped to this post.
- /manage/posts/{id}/feedback — feedback entries submitted to this post only.
- /manage/posts/{id}/feedback/{entry_id} — entry detail with answers.
- /manage/posts/{id}/feedback/{entry_id}/hide — moderate (hide or show) a public comment.
- /manage/posts/{id}/telemetry — funnel + event counts for this post only.
- /manage/account — manager's own profile; password change.
A manager attempting /manage/posts/{id} for a post they don't own gets 403 — You don't have access to that post. Attempting /admin/* redirects to the admin login.
What a manager cannot do
- See or moderate feedback on other managers' posts.
- See aggregate telemetry across the whole project (the admin's /admin/telemetry view).
- Create or manage API keys.
- Create, disable, or delete other managers.
- Promote themselves to admin.
Admin = manager whose email is on the allowlist
Issue #14 unified admin sign-in with manager sign-in. There is no separate /admin/login form, no separate admin password, no separate admin cookie. The admin signs in at /manage/login with their manager-account email and password. Admin privilege is granted at request time when manager.email appears in SYTWM_ADMIN_EMAILS (falling back to [SYTWM_ADMIN_EMAIL]). Admins see everything any manager sees plus the /admin/* routes.
SYTWM_ADMIN_TOKEN is the initial password for the admin's manager account, applied by a one-time bootstrap step on first deploy. After the admin signs in they can rotate the password via /manage/account/password like any other manager. The env var is not consulted on subsequent deploys.
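The request-time allowlist check described above, as an added Python example that is not the project's own code. It assumes SYTWM_ADMIN_EMAILS is a comma-separated list and that a blank value counts as unset; the function names are hypothetical.

```python
# Added example, not project code. Assumptions: comma-separated allowlist,
# blank SYTWM_ADMIN_EMAILS treated as unset, hypothetical function names.

def admin_allowlist(env):
    """Parse the allowlist, falling back to the single-address variable."""
    raw = (env.get("SYTWM_ADMIN_EMAILS") or "").strip()
    if not raw:
        raw = (env.get("SYTWM_ADMIN_EMAIL") or "").strip()
    # Normalize like signup does (lowercase) and drop empty entries so a
    # stray comma never produces an "" entry that could match a blank email.
    return frozenset(p.strip().lower() for p in raw.split(",") if p.strip())


def is_admin(manager_email, env):
    """Evaluate admin privilege for one request. Fails closed."""
    email = (manager_email or "").strip().lower()
    # Whole-address set membership: a substring test on the raw variable
    # would let "ops@example.or" match "ops@example.org".
    return bool(email) and email in admin_allowlist(env)


def login_events(manager_email, env):
    """Telemetry events emitted for a successful sign-in."""
    events = ["manager_login"]
    if is_admin(manager_email, env):
        events.append("admin_session_granted")
    return events


if __name__ == "__main__":
    # Constructed sample configuration (addresses are placeholders).
    env = {"SYTWM_ADMIN_EMAILS": " Ops@Example.org, ,second@example.org"}
    print(login_events("ops@example.org", env))
    print(login_events("writer@example.org", env))

    # The session is unchanged, but because the check runs per request,
    # removing the address from the allowlist drops admin on the next request.
    env["SYTWM_ADMIN_EMAILS"] = "second@example.org"
    print(is_admin("ops@example.org", env))
```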
Password reset
A manager who has forgotten their password should ask the admin. The admin opens /admin/managers/{id} and uses Reset password to set a new one, then communicates it out-of-band.
Email-based password reset and magic-link login are tracked as future-state improvements (jobs/004-manage-experience/008-improvements.md).
Disabling a manager
The admin clicks Disable this manager from /admin/managers/{id}. The manager's next login attempt fails with "Your manager account is disabled." Existing sessions remain valid until the cookie expires (7 days). To revoke immediately, the admin can also delete the manager (cascading their post assignments).
Audit
Every manager-related action records a telemetry event:
- manager_login, manager_login_failed (with code field: unknown_email, bad_password, or inactive)
- manager_logout (with actor field distinguishing admin vs manager sign-outs)
- admin_session_granted (fires alongside manager_login when the signed-in email is on the admin allowlist)
- manager_signup, manager_signup_failed (with code field: honeypot, bad_email, short_password, duplicate_email)
- manager_created, manager_disabled, manager_reactivated, manager_deleted
- manager_password_changed (with by field: self or admin)
- post_manager_assigned, post_manager_revoked
These surface in /admin/telemetry as event counts.