Multi-User Authentication — Roles, sessions, audit trail #5

@GareBear99

Overview

Replace client-side SHA-256 auth with a proper multi-user authentication system.

Current State

  • Single shared password, hashed client-side with SHA-256
  • No user roles, no session management, no audit trail
  • Auth gate prevents casual access but not determined bypass via dev tools

Scope

  • User accounts with role-based access (admin, agent, viewer)
  • Secure session management
  • Login audit trail (who accessed what, when)
  • Per-user lead assignment and queue management
  • Agent-specific dashboard views
  • Password reset flow

Options

  1. Serverless auth — Firebase Auth, Supabase Auth, Auth0
  2. Self-hosted — Express.js + JWT, or Django sessions
  3. OAuth — Google/GitHub SSO for team members

Acceptance Criteria

  • At least 2 user roles (admin, agent)
  • Secure session tokens (not client-side hash)
  • Login audit visible to admin
  • Lead assignment per agent
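
The acceptance criteria above, as an added Node.js example (not code from this repository): the server keeps a salted scrypt hash per user, issues an opaque random session token, checks the role on every request and records each attempt in an audit log. The in-memory maps, the permission names and the 30-minute session lifetime are assumptions made for the example.

```javascript
// Added example: server-side sessions, roles and audit trail (Node.js built-ins only).
const crypto = require('node:crypto');

// Role names come from the issue; the permission names are hypothetical.
const ROLES = {
  admin: ['leads:read', 'leads:assign', 'audit:read'],
  agent: ['leads:read', 'leads:update'],
  viewer: ['leads:read'],
};
const SESSION_TTL_MS = 30 * 60 * 1000; // assumed lifetime
const users = new Map();    // username -> { role, salt, hash }
const sessions = new Map(); // sha256(token) -> { username, role, expires }
const auditLog = [];        // append-only: { at, username, event, ok }

const sha256 = (s) => crypto.createHash('sha256').update(String(s)).digest('hex');
function audit(username, event, ok) {
  auditLog.push({ at: new Date().toISOString(), username, event, ok });
}
function createUser(username, password, role) {
  if (!Object.hasOwn(ROLES, role)) throw new Error('unknown role');
  const salt = crypto.randomBytes(16);
  users.set(username, { role, salt, hash: crypto.scryptSync(password, salt, 32) });
}
function login(username, password, now = Date.now()) {
  const u = users.get(username);
  // Hash even for unknown users so response time does not reveal valid names.
  const candidate = crypto.scryptSync(password, u ? u.salt : Buffer.alloc(16), 32);
  const ok = Boolean(u) && crypto.timingSafeEqual(candidate, u.hash);
  audit(username, 'login', ok);
  if (!ok) return null;
  const token = crypto.randomBytes(32).toString('hex'); // opaque 256-bit value
  sessions.set(sha256(token), { username, role: u.role, expires: now + SESSION_TTL_MS });
  return token; // deliver in an HttpOnly, Secure, SameSite cookie
}
function authorize(token, permission, now = Date.now()) {
  const s = sessions.get(sha256(token)); // only the token's hash is stored
  const live = Boolean(s) && s.expires > now;
  if (s && !live) sessions.delete(sha256(token)); // drop expired sessions
  const ok = live && ROLES[s.role].includes(permission);
  audit(s ? s.username : 'unknown', permission, ok);
  return ok;
}
function readAudit(token) {
  return authorize(token, 'audit:read') ? auditLog.slice() : null;
}
```

Because the role lives in the server-side session record rather than in anything the browser holds, editing client state in dev tools does not change what `authorize` returns.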
