Bug Report + UX: Subscriber role has excessive admin access + login page needs overhaul

[marcusbellamyshaw-cell]

Subscriber Role Exposes Too Much

Tested with a subscriber-level account and found some significant permission issues in the admin UI.

What a subscriber can currently see/access:

• Full admin sidebar — Pages, Posts, Media, Forms, Submissions, Webhook Settings, Audit History, AT Protocol
• Media library — can browse all uploaded media
• Delete button on media items — visible and clickable (fortunately the API rejects it, but the UI shouldn't show it at all)
• Settings page — including General, Social Links, SEO, Security, Self-Signup Domains, API Tokens, and Email sections
• API Tokens section — a subscriber can navigate to the API token creation page

The API correctly rejects destructive actions, so there's no actual data loss risk — but showing a subscriber the full admin UI, delete buttons, and API token settings is confusing at best and a security concern at worst. The principle of least privilege should apply to the UI, not just the API layer.

Expected behavior:

A subscriber should see a minimal dashboard — perhaps just their profile, saved content, or a "you don't have permission to access this" screen. The full sidebar and settings should be gated by role.

---

Login/Logout UX Needs Significant Work

There's no built-in UI component for surfacing login/logout to visitors. For any site with user accounts this is table-stakes. The workarounds required are non-obvious:

• The logout route is POST-only (/_emdash/api/auth/logout) — reasonable for CSRF, but means <a> tags don't work
• Plain form POST returns CSRF_REJECTED unless x-emdash-request: 1 header is included
• The login URL (/_emdash/admin/login) isn't documented prominently
• There's no <AuthNav /> or equivalent component in emdash/ui

The login page itself is also confusing for non-technical users. Passkeys are great but the UI doesn't explain what they are or provide clear fallback guidance. A first-time subscriber landing on the login page has no idea what to do.

What would help:

1. Role-gated admin UI — subscribers should see a minimal view, not the full sidebar
2. Built-in <LoginButton /> / <LogoutButton /> components in emdash/ui
3. Role-aware "Admin" label — sites using isLoggedIn to show an admin link have no easy way to check role without additional API calls; a Astro.locals.user.role field (if not already there) would help
4. Login page UX overhaul — clearer explanation of passkeys, obvious fallback options, friendlier copy for non-developer end users

We're running [Every Bit Texas](https://everybittexas.com) on EmDash and these came up immediately when we tried to onboard a non-admin user. Happy to provide more details or screenshots.