From 84f83507003493e2f3ba5ca44de2fc555fc6205c Mon Sep 17 00:00:00 2001
From: James <james@jongsma.me>
Date: Thu, 12 Mar 2026 03:45:39 -0400
Subject: [PATCH] =?UTF-8?q?feat:=20server-side=20test=20role=20=E2=80=94?=
 =?UTF-8?q?=20PUT=20/api/admin/test-role=20writes=20to=20session,=20middle?=
 =?UTF-8?q?ware=20injects=20into=20context?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 api/handlers.go                   |  32 ++++++++++++++++++++++++++++++
 api/middleware.go                 |  18 ++++++++++++++++-
 api/routes.go                     |   1 +
 data/dealspace.db-shm             | Bin 32768 -> 32768 bytes
 data/dealspace.db-wal             | Bin 57712 -> 65952 bytes
 lib/dbcore.go                     |   6 ++++++
 lib/types.go                      |   1 +
 portal/templates/layouts/app.html |  23 +++++++++++++--------
 8 files changed, 72 insertions(+), 9 deletions(-)

diff --git a/api/handlers.go b/api/handlers.go
index 665f4e0..3754749 100644
--- a/api/handlers.go
+++ b/api/handlers.go
@@ -2852,3 +2852,35 @@ func containsAny(s string, subs ...string) bool {
 }
 
 // UpdateOrg handles PUT /api/orgs/{orgId} — update org name, domains, role, website
+
+// SetTestRole handles PUT /api/admin/test-role — super admin sets their test role for the current session.
+func (h *Handlers) SetTestRole(w http.ResponseWriter, r *http.Request) {
+	actorID := UserIDFromContext(r.Context())
+	isSuperAdmin, _ := lib.IsSuperAdmin(h.DB, actorID)
+	if !isSuperAdmin {
+		ErrorResponse(w, http.StatusForbidden, "access_denied", "Super admin only")
+		return
+	}
+	sessionID := SessionIDFromContext(r.Context())
+	if sessionID == "" {
+		ErrorResponse(w, http.StatusBadRequest, "no_session", "No session found")
+		return
+	}
+	var req struct {
+		Role string `json:"role"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		ErrorResponse(w, http.StatusBadRequest, "invalid_json", "Invalid request body")
+		return
+	}
+	validRoles := map[string]bool{"": true, "ib": true, "buyer": true, "seller": true, "advisor": true}
+	if !validRoles[req.Role] {
+		ErrorResponse(w, http.StatusBadRequest, "invalid_role", "Role must be one of: ib, buyer, seller, advisor (or empty to reset)")
+		return
+	}
+	if err := lib.SetSessionTestRole(h.DB, sessionID, req.Role); err != nil {
+		ErrorResponse(w, http.StatusInternalServerError, "internal", "Failed to set test role")
+		return
+	}
+	JSONResponse(w, http.StatusOK, map[string]any{"ok": true, "test_role": req.Role})
+}
diff --git a/api/middleware.go b/api/middleware.go
index 84a024c..75a704d 100644
--- a/api/middleware.go
+++ b/api/middleware.go
@@ -18,7 +18,9 @@ import (
 type contextKey string
 
 const (
-	ctxUserID contextKey = "user_id"
+	ctxUserID   contextKey = "user_id"
+	ctxTestRole contextKey = "test_role"
+	ctxSessID   contextKey = "session_id"
 )
 
 // UserIDFromContext extracts the authenticated user ID from the request context.
@@ -27,6 +29,18 @@ func UserIDFromContext(ctx context.Context) string {
 	return v
 }
 
+// TestRoleFromContext returns the active test role (empty = none).
+func TestRoleFromContext(ctx context.Context) string {
+	v, _ := ctx.Value(ctxTestRole).(string)
+	return v
+}
+
+// SessionIDFromContext returns the session ID from context.
+func SessionIDFromContext(ctx context.Context) string {
+	v, _ := ctx.Value(ctxSessID).(string)
+	return v
+}
+
 // AuthMiddleware validates JWT tokens and sets user context.
 func AuthMiddleware(db *lib.DB, jwtSecret []byte) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
@@ -55,6 +69,8 @@ func AuthMiddleware(db *lib.DB, jwtSecret []byte) func(http.Handler) http.Handle
 			}
 
 			ctx := context.WithValue(r.Context(), ctxUserID, claims.UserID)
+			ctx = context.WithValue(ctx, ctxTestRole, session.TestRole)
+			ctx = context.WithValue(ctx, ctxSessID, claims.SessionID)
 			next.ServeHTTP(w, r.WithContext(ctx))
 		})
 	}
diff --git a/api/routes.go b/api/routes.go
index 56a2fcf..1e05c51 100644
--- a/api/routes.go
+++ b/api/routes.go
@@ -99,6 +99,7 @@ func NewRouter(db *lib.DB, cfg *lib.Config, store lib.ObjectStore, websiteFS fs.
 		r.Get("/orgs", h.ListOrgs)
 		r.Post("/orgs", h.CreateOrg)
 		r.Put("/orgs/{orgID}", h.UpdateOrg)
+		r.Put("/admin/test-role", h.SetTestRole)
 		r.Get("/orgs/{orgID}", h.GetOrg)
 		r.Patch("/orgs/{orgID}", h.UpdateOrg)
 
diff --git a/data/dealspace.db-shm b/data/dealspace.db-shm
index 4a0d3890d2c74dac660c1695b10d0a3e31205516..e393e42fcff10b335328fee09b4b506763c57489 100644
GIT binary patch
delta 142
zcmZo@U}|V!N|1P@%K!q55G)`7q^AS1UQp5O`x}m_ynPj3_-os#nkG-_;5QQ<JtkHC
r#DoM^klE534?eZuyviYjiIIQe!Ihg=I4kio3T!-hmTU8j=nNGA8qF}S

delta 135
zcmZo@U}|V!N|1P@%K!t63=9H%K+bd^KFhww*35<b*xOg(g}=6)s$uZBY!P%rf|peF
n6B80PUb$vJ@qx(ZRSqFc6CbSFyuw+DcjJR|T$^V^XQ%)G#S$!o

diff --git a/data/dealspace.db-wal b/data/dealspace.db-wal
index 78e88c6e0c6354a22f27c7968be075d161e3bb7e..fcbd94bc22d641e2ffca1707dbdcc2291aaf2368 100644
GIT binary patch
literal 65952
zcmeHw3zQtkRrb!Vc4v2IXGXRpkEFG%HnyYPNG<iN`Vq%YWO-u=Yh_svY(wn*tGlbU
z6YcJ-XGVU+K1tRwc6>r0<mDtNn1^ygFc5M=6k_0@;~0a<AKt_v;hY!;{``SB=Z8P|
zK!Ctk)jhNGl-m}G1k^~|yHkDpR@GOxZdcvzd$04>kp~9U=Qj=vtR3K=7ykB^JHK=K
z_wRqhwci?e^WWe97>c&HmjC9ze)##t$I0_~6mHIbb)fjkqF-EBc&c!s@T&Z?`FG^)
ziLXz5aAIHXJGsYmx8<_qzdl|bFOB`)*j-~+j{eE$+eUZdBKeUBNCYGT5&?;TMBqY1
zV0Lr%sJdx*c$Auk6$OT?k|?lM%MBydWr3mUp+gMaqMGMhZ>r4GrPsfyvUIGrNOvwW
zSJzzK%$$7g(_dSI<8O~Yb#PPmsL9y{gi#~XiRxMgQ!RtIsvi<l4PD!1hNdyY4;Rb9
zJY@^7Up!Ge&Xy}XgUX_1d7f^Am;J|ohvV!1`SF7r6ONAV87zuyHKGPpEr+_Q2R15U
z%%_3wc!AD(aMaOAon%fv^CUZi<LBS?wu7aFqv=sXZO>3$Pe&VVYO2(<d^ObkNHZcM
zK*xJ<)J#Js4tPB@ki+pOwtfEKB?(9BTBhMJTlM@1ZKRQpUb9Hmm}lxb^L(3GJvbV!
zZd(?3{os~saXftecMonzI0lyOMZRaNRAXqP7kVnSY)jQ`jEBt}fEo1Q=oz|a1IIJ}
z_`iM($M3#l|Lpo?pbgul8oI9fnr@(t7!=nt4b^mwFtkIR0OQVqCXVUY0P!=I{p1&M
z-1gZI99)+)(2at?L;F?JCKlLfrs^@KtIT(`$Z<mIg?5hy+Lr5SUgqTKPkpn5<8Q5d
zcJ|_=fjV`}$Ov6Ea#*NZKDAWO(KR(9u1l$-Tanh)KvOex(*UEw>wX%?(y=>cFG|?i
z#3P#Shbr++UA2f$RO))JYBL&8FCc!TyPf^jEaI7H-KW2J_3Lr`YA|qcZPH&YB+PRt
zQLVt{@Ogpi8V=z@tW(`#OtWc^{(6>1Y&UcAlb>@2aQxqQoH<x*2#sY?rc+2V=Adfn
zmZSO+rl0PGjuDz#XtG{Y#l@((=<+Aux}@Ovj`u$|TS&UBF;fd{OgY=P(PaP%F|?>^
zIslLvHfB2O?6T*Wwt*pj{PK5x498c0>ey^PVdoi<=Qxq4dL#t9fa<F6>5*!iy6Huc
zZ&|w5&CW6msD_Wvya^Ne;|JdJ`0PZ&&NOXJw?k9)O(RmR5VGTIOj85fb2zdX^{xRS
znr*rmkdMFS?h`ofd5p~F5_W;9G2P`tVmK!Bg5jxdg!vqJdJs7w0~n;Mb;R;)&QAN(
zJ{-NTjLnWG?3m*OmKm9<Ml=`LnSlxsHq=n}iN+k?(MizBPWK4$w9LtmK4GDCAN|}L
z$-%M4^dLZrqO+#vaXlD1&{`o?nHFfo@chuUq8{R6YedZ7kLn*<3y!Zj^GCCzjRsnl
z=DLvvJpkFW2n|*6k5tbz9b##|0WdlnNNmS&AbqEHe(s$(I)8WLY&Ky>xdzcqQ?*?_
zxH<&Jb$nBebm%`6S!UQZ+gvC>0~+v@`XLDODf`Ts*^z`Dfr=)kX{iRYFt{GH3nhA>
zVi1_-Q5xxC*Ju#kvJEJ!Q`^7#AdVz^{p@hUF0ftOv~)<ai7r~MrKx`4S*l4q!?Y~h
zHQg>rwj7sm-FIsHul+iX)?eN;yCz}hLurNvq|WxKkIoWw)^KzvR}I=w^Fk}=Vn<9(
z=YxByXdS_E;~Uq{4mDb*5vq~EQ4JH5&58(7J)7E)WK(Bu=xI3HITX4J5yd<^RrtsO
z9814bm>o>m*+Ad)eWvP>4R(P6(K9sY`jELSGF&b6x>~2}rta{e82m6q?^NzdGMh=*
z={|(Rvjf$mKG-oEik=0Y$}E#O#J3DjH#%EKOkFcEZGZk7zw`fb{D&7lg+<E_zHn*S
z3qJNUPfZ_q<nYuu$~Nbo9mwCA|6G1+@k<k5C~TNGRLm7Wk>5KpU3mAzi}`Qnp3Q%F
z;=aQ3#oLPy6|S8)H8D`M3ZE?;<NV}DA|Mfv2uK7Z0ulj<fJ8tdAQ3q42uuwf&7?5}
zZsvq(jC`9oVH(@rMoyT<Bv%q`OkrueM6@x50c`^(Ok)>Y&k565yw-8TG={8;Ibj+T
z)kT~zjqzzMC!{HCN=3mjg{i2(3DX#X@|-Y@d1rzXrZL>)IAI!-%s3}>Qy5#u1jiIM
zlu=HY#yXPaglX&^Bb+deMPrx~rm<D55gb!kA%-|%8vDZFwxOeAX)FiOR4RTRZP*3w
zc;vp@Pc8lRX<--0KQ&PNX7SnLlf_>yez5rV;!^Rp;*MgeI9Pb0@TJ0g3vVghoPVmg
zyKtuP3x%lQ6)rD~<^Mka7w293$p%OSBmxoviGV~vA|Mfv2uK7Z0uq7$VF;`rQZt=T
zhBudn%uJ6r6*l!L-`J<T)TjKCKII#FHD-Mu;&r`<FYZ-%Q6CO#`;-@ZF)8#a%=aps
z=vA2ORXE<K0b{+0M|%}!dlioKDje=rxTaU(P_M$lbwlb{r<`D_Somq$1s?meGyk;z
zgV${3egvbVCkKkf!j*Y*VsGyD@#@&aD3BkCfJ8tdAQ6xVNCYGT=K+D0`OC&u@<&&W
zb3X{*jeNrn3I6MN!P?jGn!Tk(#MVOYA>l=M_1?fMt$}Vwrh|89J?5L5O^m=WsfCxQ
zHM~~|=LFrrTl*HpTd-c>`zoWp!H8x>p6Se1-dtW-pu5OUO_{o-ycAaMt|<qOD7v;&
zyIMhkZC$P0V_Vb8?&akLb_?@wEZ27t)7fd-%G8Z}kIe4hp)8b-Gvx*r9Is3(d*-W^
zMYc<~z>)t`4%3KM%gH6&o#JbcW<IiJ&#^~W=C?GuIu<x~pg9z;(3)1D(a6<;h!H~Z
zhCN(2G$(RQs#E6cTHrdN<LaT|^0#~8bP(VX5xXF}`plCj)Xd2j{@|b0mHA7XUG*58
z3PNHKbT|s}9x{A5@M<^3TgsjVzko<L9o?`D)7Kfg8KIjYyf-WpgXRW-ePMR>q1?OB
z)%X0wyH@5Wn_Y!Ri*FcIj~v(4F-&&gg%RE$4)M;k?c!}^*Mz46@UX4G3{1oH!Z5O_
zZu`3L+cvo{yZVFEuSHjX=$Bu+GQYXm)qv<U#Jk%@V7dXs)h40l!B@m^4F=Z<xYZaM
z2_1CPb1{k`cVjRk=5rUF$PTp&va4tQap8%~$-l|`zb96fHi@p@Jv=<d0*GvAhOTCX
z%!VI97`T>eGiV>Y&+ftP23pB?eJi4o=0=ne$8rMSHW|Qh2={jgsBcGV2!AekNjQ<}
z`#x3S7-LYVGuO4OHnlWMgYr_nQk%b8*|$_@3knL9n+_|tLQBo*WX}0dQ%;|`>_fL_
zPJU(kmfKh6H#Wx>FQP+4ZR+^YoOa-Z@MzM*z+~{vF#O2Vy(l1&q5E()f_ISVd+2CL
z4UBvQiVIUYo&L4K&6$&5KJ(D#m8DX1Yy*sp=V`w0_|P=AMIFkOZ9p)Q{Q&N5p5vl-
zrsl8!&Sx5c(R{}Xp_I)if;ZTOJGQ3_Gsn^4&CeXiZGD>G+8gf+6h2n|$o>1?b0vRY
zU~Bf_f#Qk6&*#3L``O%v{2%AvIsS)ZcTW8K#AgfNm{7<5E&K5Jp4^WVN~5<GZXbOt
z`-S|>=--U48~aRg*Z3o2+b3$p-{73(M<O5*kO)WwBmxqFmx;j4nw5M8dss$w&46Ph
z!?FsiMq+zrgyj{1=dX(ewd-O<Z5jdGi!GP3(2G0|{*i_rx+Ju>3NGimgT72~IoHkU
z7Qy9Q_kEYfJvzrN)nweGbKI?L7F^DCBd|$uIoH+o#<)l4xNt2AF2ryNEGCF0p}{kn
z8N|@A>~#W4BKW;B8_w0(x4Swd%#RHC<=fb^Xb!e>#MMk!yCmk~BW{K3YA*J$h%^D7
zCVXiP9n$Cqniselg%`92uVhF!gf~Qd2h+v&0`?3)vb_z03kysSn_}(?ACLgP!U$KP
zS(@(nz8P|7=m;<RB8-D)IefnX)-HD?W*Xmi5I<NixES08+6is!IRlp%798ZGh*5;L
z@L)*7#?;neT?$}RGK0{<#vIWwSb!K2W(42!z*{G{=r9#|G_cSY^vMo=O3?AZq+y6C
z8G#+a*E>W&1QMA68ml=PE=K4I><X}>GmVP{7l&VO`KVTp;0lk;go%dOz}utDfh`OD
zgSR=Ouwa>vV~4^BVx!YqWMhYTQQQ`f+VDB|Fe`l>78L9x9b($pefS7$;236z?mB_T
z0<_ciFjj!q2_oGgp$muOwJ{fm8ljC*=I+}RRwbQ^+OXjXS*RH{;t~XWfU$>XFwnqR
zTMyCxfCd2BCq==<3Q?~a7#cj*VXCp5$TvykX^51-T#5}LI!~BmyRhb11~uWwA0l!H
z^p|bI<vu6~E{ul}fhRVcyRn_JVd`TLA43ZfSHVHV5Z(8H6Qh=o=pZ3Bpq}f4)Yc(`
z3>W9)wqRsJCqifvgLocsu?r8WrBR>+k$^n{aX-*F*C9HCJGKT{HbXd@+Zd(*PWcmp
z3pTab>A48K0nx%nmPHy3xXcrXVt|kw*vFe11uBqz#|2J-Yghq+=;;IkofBNZz=8;c
z1OR)sMiJ%%gTh07V9+6bkR&vax{$@drIF3u?wKF>2I6VJ?xl|lF5GegfrA|du_92F
zZ~6pd0;n-%AkjMFUf78Dp>fDzGQuqaLlZa#>IjGvjm2ER)Co2Cu!pdhGFuOQ`0m?I
z=sPeyQO|OHgwfE=2;z%bh9QQn%?t>^Mi|}GMg<qdA%F>hzyb+gF6c1n4a$H;2x3UK
zi)n_&Q6Ccw+hq@PBqXp=+7Tqxcd~*DHSywmWHJnbV|%vcAUpvglOW~>1Pw7LLgG72
z3vmIAxdFriJ8RekF@7w-Y|%#q7mZ6bCI@Vy_yan|qHaJ#Jwk{LA0Y}nSZ5%ax*0OV
zA|}OrL#P8C!x}Ib-5M5L5Y2>P5?BP90fu1LigX>}IAE`{LkO4yd3U4Gaxr;;H!O7~
z0<;h<!bHMsilQ}wOX%yw4G?REf``R4!~n1nwugF5M^FSzELcW}M?){5wh=;{fs6;!
zfu}hTgvcI>d!#d1xDliUW-=d&*QF)|A9~J%XhJ#|4IzgbnuM4umSZ7aOGGTghDwIX
ziJ61fW6dxI6N~}%Vrzy5n<L_M7&fl95Tya#gCsF91@Mv0Ag&HU6aqJhAP5>Pk_2*r
zb;_&xTBTtZ$o&v`|HE%t^Y6kgkQ*N;K2-ct@e_z3U=?$P=Mg>N-GyU?YxCbk)PWBp
z_Q2l!)`=G<?wdF?F_0Ta1cEOh%D{B)+1#(>el+*SocS_WL6Te|AQ6xVNCYGT5&?;T
zL_i{N-VxxgyJ;TrZ52MgDPBLhEG^-dw1k(YC7eu4DB=sG>9vS2kmf<Yh%b<aqlhn%
zhET*8NK>_lFOY^%#1}|YwTLf}hET*8NJA*%3#1_w@deTliueL)2t|B>G=w6)KpGrH
ze1S9^MSOuYgd)B`8bT3YAPu32FOY^%#1}|IDB=sGAr$ci(h!RH0+wTIF!bWB5yC_H
z;<<o|pp2RdYbeY=n&!Y>E8+{J;V9w@q#=abZSx~II`rV5{obqpWe@iw7|TB1<wt-b
z`H=`n1SA3y0f~S_;QS-7vb44Fj^pULzFLrG$#9<DUw!WM_%dFufAYtdr5}OxBanUs
z(vRSR@cEH`1l*r%>|Eb;N@H$lyYYNK{JH*T`w_I|DKsChyzt#0_KtG9z-0E_uP9F;
zE|VXLfJ8tdAQ6xVNCf^95SX1z(hx;>tuctSKt%>I59!=UsNy|G4avw1?mbVCcq!@(
zB4opP)ke;x=RW(3XK;M-Pu?c;6v{k>GEZUWJdt?{Wu8Krr%>i8<jHttp2D^~g|vL=
zV~>6P8?WMi1e3X6c|~~&ahd!`1SA3y0f~S_Kq4R!kO)WwBm&<v1h{)Z8iS$mBanFt
z4Fnh^NbByIhKg9FVQ3>*0NmeYo<dLc5VA(K0;;RNr$?%dKnz}lke-&V$vlOYipZyt
zYI%?zieR=XL&yvbaZw`#E%<Mpr|{eQ=%0?i`~Qge0+abqq{vg4|Afp`_&rnjlCeZU
zA|Mfv2uK7Z0ulj<fJ8tdAQ9+9pjZC6$zFvrPhofNMwzGZrSlYie)hR9zj)EYdu4oq
z&Z#HAO9UhW5&?;TMBsu#pe4S*n2awV^AyTFg)&d!c}}$XjLcIg^AyTFh5wE66pp?5
z|6cj%7r*XuKLRDY`xWLX%<h(%3NNU&qil>sKq4R!kO+Lg5D+<sn1cjT$lioh$H<0<
z<V}u&L{mP}U71LV#!Op}D6wc{X+AY|lsd@s#51ya$Q*{0LW<yWuA6<Cr?7YGcbTWK
z_rg`?DU^8%kxWpRc?xBoLYb#f<|+Kn>EFNqwR^ww?Vozr*B%yjf$_h3S$PV_|4L>m
z{C+JvWjzuBiGV~vA|Mfv2uK7Z0xuH*?vkG-`-YO1Q06IgRo(Dx`0n>g6d>~yMrs&3
zNH^y=k?Q+CRdqi!s6lkswJe#Z@T~C2JcZ{uPvJGcl>Nffx$AB2M=(C}M2|d$D3l+G
zfJ8tdAQ6xVTyO}iEGf;jedqeTKF!9VEql@|4a!UPN^SmXW#3YrEhs2ZZaS>os_5FB
zPUf6xW%u&(0=tFzH<s(Wi0SM!ZDs1ly+>yE?@$)X$C+{i3yxQ&l|A#-$|BpPTV$uk
z|0#!QM62cG5}sS&lQ$r3-_zs<=|^DLA;EtgF~of7M<D$Oq#uFwBY?)7`hMiHlX(hd
zo<i!ldKeJTH~fGx-*a5ga81qW{W{hKyr?)`m^q#~`Q^>e9LKUQ!<Tk1{Ov7w^7jRP
z?x){)>bfWX@RGwf?=RPx5>={;w62%~YX=4g2VSozARWceqxfljuEHN{8ei~R@N4<r
z>(9}Fop(Jlj5CA97y0=|i~mx5F@Me2E&0Oew@2SMdUf`>?0wnN$Y(}w9{$$Q&kTP$
z^Od1m=Aq2?fq%fi@5#s6I8wUts?0!nDP;H5?p#3k=je%gMSP!QOZDo#bL=ksuFdJK
z-!|QL$w*1xl(}0Fmcx7IXb`YkZEm?*c@qoj@wd{RLo>UN%qaT~Tt9QG(oLn@bU=wI
zr;_XD%Hj0k4I`!Pn=*HHvOZB`)tLH{etbEJg3l^nUc#BaeZ#tJY15|6L&J6IFR++T
zd|aP!JF@$_{WD2>l&NvfryTNQ<8x%@)+5TnL;GfTAG%Gsaptxif@ZbloKDajxao*;
z;OPGSF~QxH>hW5=%IG2*A_(I0q-hEF9v4<C3#?IhPtKL)+UogURR?rw?pT#B)dktU
z14m|Vm^q|0nx|Yp^M>6=_a9NTxIu!Fg>(MBoV-Va8U&ae_;j+1nN-<bmE&O2M$>+3
zmH+tk_VpvB*KO)2fbjs$;bmhkTpJ#|_@Zp-s;e>&ABzWZsdhI;ccHv=yhdC8zPNor
zTh1iInh+<W+tyL#(99cV4$U0cGjmws0$*mesaWtKM2&9Td4kpId@ws<N^v!BZ4={O
zASVPdetkd=Doathy2xVj>>P;Bai!(CT2QGbvV<v_2xhHL>nEBL)DA;KG`20XrLeqo
zY}*b+QB@`RrrfWrHsOAy%J`gTp_mU4fHJ$g(M8U+0b5codX}`gaf)9*hbdC4EVay#
zmbs=(H3w}6>T8U^^!T)M@!3>Zt6V^iT4Z4zU7IbLlbMxFQ_&;?J{PhDhVCR^FY3}Z
z9duj_pmCDYspM+Rfa$Q9EqOhws4-d%=I4&Hdy~u7_N`@=w6&Ji(&;-2(8ZIPw|4cT
zQY{}VFC`Te`&JN>@m{o65SMb@>F2YY|H^Pz1yxo*QEgOE=vzTd)>%PZI#;joI)aI8
ziJ*?5t~zL~Rz9}GSkjGr-&z`k?cHdU@=9*Yjg)pxw%oK5o^zN9#~Kw(^sPWpiC(ng
zBub}m86PRBlbI7;&9C3P+~Az+%b63!j9WSL(&;<K`V8(et)lr!561hlj>$T)k4rfw
zbhO_rNN#LN4P*Ulh;RA4ik4ZhdRv@+*c!=}CMPpL{yL$y6NbsJY{ECb`zD2np61`~
zMI%M)g??($2(ju|tp-GGDl9oKP)c~Too{N%ZQEkfmO<#rDrC#`dC?RcUP|Y#PEQbD
zxBsT=pg+4m(5OE2eW(brQKt6J?%tyw-n-i%_Owu@t89#OVsm0~kygcR{p@U(X@I-a
zYm_(F>Y=h-**$YuMO)Mx_RNargtShZy*OL1UV=}{OzMDobySwCY>wAgtyC715o(#s
zeJ@K$Ta`<@T&&iRkTw+^@7dW!<StgNm2ry_pS~iX$MUp#9{_pV{jPCFEQENC@ddaU
z%r$FxDeeL8mbgd7>#R=VnBR$I;CFVC2A5__nv28nX*D}i+CABCX_m~?cw2x~(&)b7
zk<zwO1}0)`CHPvOuWxH}mFh9^$4Hm{XrAY4LwuP6G1p1^*I)-w%CHVrY>}211mSQW
zW`bgso%lNa_I;UbsZ`25bf-{1f`K>;wy7RblqeqlcdO3mQaf=)LJZm^=IDWaHy@pe
z@n52g4Xxfr6rWv&G-GSPm0SB+!8JZ`{SZ{|U9Kzhv^FoMU<^@@nwu-OrdS`FOIpyz
zzf1lXBRW@Okc4`BLs|*>+V99sM-D16;SMZzM7xqT9}Vi|yW+lfiei&XGAkMqhgD!F
zX_wS?5{yqz4~>+rDfN>{F@$r5__bzw@TEz0PKu57B;U?&zKH*YpGO;ZfuE`#+Ii*E
zzxvgDc41)s;3EUY-!1GKd?f$n{98vWqjvVsv-RQ6XVsB!4G#=|VCWau{Q1z~p@G5E
z6I1zI;b=jbcuVfyiR;D(a=XW#9(y{s8=TMI$DAH1-Eet7;DUL&u)vm%F>Lc!|K4%y
zHmsMnWNOWMSi>$1`mYwx?c~d=yC!2B8J~`gf~jO;O`ks?{!7>VvUbaRuN)~|)vA!`
ziLhLstJlQuZC#_*I324VjG8Ezs@JA(zC!5Z*eWE<ID!*qeWfahUe$-0pa8!nGf}`*
z{LvqPXq8$-E3Q3R&WSHq^<kROtTJ6)15Q6Mr3hXB;I7z0z}qR9U6C+Lj6A%&+r}gG
zWS6dAW#6tJV|CT&5qjCCW}9al>jl1CYTjM>YLIWI#d1sNbu4s_vDm1<`NWrptd3ir
z*rIo>w%RW*FUP}{G$X#e-rU@G=~}4L%g?4C<KfW7uPay9U6w6fetBjkzJszwpM~5g
zP+R@$@-}=|%R5){oe-z6nA`>1K!uz2+7KL{Hn*NlrL8srOO$4Vf8YUSGF#fdJ@fXv
zg@8cWEiJKyx%xboQ(>*+>t$`7>NuHJd|Ea!Z32>_=ShuxWZN!HMpv|1EK_=%J-gJ#
z%ap04f*nfSe?BqCr?1&EQo4EjS#A}rh|L+Duv~NL%ekE2Zd&<m9s5;bYaf`~j1Bcw
znfsdep2Q3-=39(uT(YH0O|(*SEzwFn)tIl-bDMfsAgEg}xwKyef~c#4_);MGif!u;
zTw4-m&Iecb%MB}hYr8hKNoVVsPSNa~bg}$28rm*fDa5h?Vf%$K)27Jw5J_AYE5o*l
zoER2YHDPm;d3Lg<a_e3t;t9(=-47>RiyI0D`#kHY;IYR%j8VrKmN$Cqw}B5laIKy#
zU2(<WgS&;&h))KUkkwlL9C&Zrc(j~JhJ#-aL)LYR2^Pv24L+57z?Q6;dY!7Wuw3P)
z(-YNluk*ahISfg>xa&m$!!S%wZM8O6><z;RyJs1-)c97j6YF@;(ZaCnRFjQ1j^*B(
z-`;n{*`XJBHjo!z2Hv;whF#gxwrztC>}v&HfYpFL{xa~By}*ypHQ;Z@xZfCvEmIpF
zaUWZuuC)V}NPd+)aOA3NY0H+(gZGK%Hdeij-&1XEY?O9R)~2@aYGFeVI7NF4S|=^1
zsx=qdaoZx?tXXxrir2R~uk745w(QTER*ThTi&(0($U{Gp<SCG7>DeR$cOL#IMLg+h
f1HCCd+qO;1XN~e%W5=V*#+-av&l+FxlcN6sbh%Cv

delta 9
QcmZ3`%<|z7^M-<l02d?#-T(jq

diff --git a/lib/dbcore.go b/lib/dbcore.go
index b1358ba..49fc1e0 100644
--- a/lib/dbcore.go
+++ b/lib/dbcore.go
@@ -1100,3 +1100,9 @@ func OAuthTokenRevoke(db *DB, tokenStr string) error {
 	_, err := db.Conn.Exec(`UPDATE oauth_tokens SET revoked = 1 WHERE token = ?`, tokenStr)
 	return err
 }
+
+// SetSessionTestRole updates the test_role on a session (super-admin only).
+func SetSessionTestRole(db *DB, sessionID, role string) error {
+	_, err := db.Conn.Exec(`UPDATE sessions SET test_role = ? WHERE id = ?`, role, sessionID)
+	return err
+}
diff --git a/lib/types.go b/lib/types.go
index a9e2ce5..2db3480 100644
--- a/lib/types.go
+++ b/lib/types.go
@@ -202,6 +202,7 @@ type Session struct {
 	CreatedAt   int64  `json:"created_at"`
 	ExpiresAt   int64  `json:"expires_at"`
 	Revoked     bool   `json:"revoked"`
+	TestRole    string `json:"test_role,omitempty"` // super-admin test impersonation
 }
 
 // Theme is a CSS custom properties bundle.
diff --git a/portal/templates/layouts/app.html b/portal/templates/layouts/app.html
index d1a0d1b..96798e1 100644
--- a/portal/templates/layouts/app.html
+++ b/portal/templates/layouts/app.html
@@ -83,20 +83,27 @@
     function escHtml(s) { if (!s) return ''; const d = document.createElement('div'); d.textContent = s; return d.innerHTML; }
 
     // Theme switcher
-    function setTestRole(role) {
-      localStorage.setItem('ds_test_role', role);
-      document.getElementById('testRoleSelect').value = role;
-      // Show banner when impersonating
-      const banner = document.getElementById('testRoleBanner');
-      if (banner) { banner.textContent = role ? '⚠ Viewing as: ' + role : ''; banner.style.display = role ? 'block' : 'none'; }
+    async function setTestRole(role) {
+      const sel = document.getElementById('testRoleSelect');
+      sel.disabled = true;
+      try {
+        const res = await fetchAPI('/api/admin/test-role', { method: 'PUT', body: JSON.stringify({ role }) });
+        if (!res.ok) { const e = await res.json(); alert(e.error || 'Failed'); sel.value = localStorage.getItem('ds_test_role')||''; return; }
+        localStorage.setItem('ds_test_role', role);
+        const banner = document.getElementById('testRoleBanner');
+        if (banner) { banner.textContent = role ? '⚠ Test mode: viewing as ' + role.toUpperCase() : ''; banner.style.display = role ? 'block' : 'none'; }
+        // Reload to reflect new role
+        window.location.reload();
+      } catch(e) { alert('Error: ' + e.message); }
+      finally { sel.disabled = false; }
     }
-    // Restore test role select on load
+    // Restore test role banner on load (role is server-side now)
     (function(){
       const r = localStorage.getItem('ds_test_role') || '';
       const sel = document.getElementById('testRoleSelect');
       if (sel) sel.value = r;
       const banner = document.getElementById('testRoleBanner');
-      if (banner && r) { banner.textContent = '⚠ Viewing as: ' + r; banner.style.display = 'block'; }
+      if (banner && r) { banner.textContent = '⚠ Test mode: viewing as ' + r.toUpperCase(); banner.style.display = 'block'; }
     })();
 
     function setTheme(t){document.documentElement.setAttribute('data-theme',t);localStorage.setItem('ds_theme',t);document.querySelectorAll('#ds-theme-bar button').forEach(b=>b.classList.toggle('active',b.getAttribute('data-t')===t))}