From 3875604a50542b2925e3a696af29f6fb9ebce1e2 Mon Sep 17 00:00:00 2001
From: mqmalagris <63169613+mqmalagris@users.noreply.github.com>
Date: Thu, 30 Apr 2026 20:56:38 -0300
Subject: [PATCH 1/5] feat: admin search and analytics dashboard

- Search box on the admin inbox view filters the message list client-side
  by from/subject/preview substrings.
- New stats package exposes user, premium, active inbox, and message
  (24h/7d) counts via DynamoDB scans with paginated SelectCount.
- GET /admin/stats returns the snapshot; AdminView renders a five-tile
  strip at the top so the operator sees platform health at a glance.

Scan-based aggregation is fine at current volumes; if the table grows we
will move to per-counter sentinel items or CloudWatch metrics.
---
 apps/web/src/components/AdminView.svelte |  74 ++++++++++++-
 services/cmd/api-local/main.go           |   2 +-
 services/cmd/api/main.go                 |   4 +-
 services/internal/handler/api.go         |  26 ++++-
 services/internal/handler/api_test.go    |   2 +-
 services/internal/stats/service.go       | 129 +++++++++++++++++++++++
 terraform/api_gateway.tf                 |   6 ++
 7 files changed, 236 insertions(+), 7 deletions(-)
 create mode 100644 services/internal/stats/service.go

diff --git a/apps/web/src/components/AdminView.svelte b/apps/web/src/components/AdminView.svelte
index c8d17fc..dcf5555 100644
--- a/apps/web/src/components/AdminView.svelte
+++ b/apps/web/src/components/AdminView.svelte
@@ -23,6 +23,40 @@
   let selectedMessage = $state<MessageDetailType | null>(null);
   let loading = $state(true);
   let pollInterval: ReturnType<typeof setInterval> | undefined;
+  let searchQuery = $state("");
+
+  type StatsSnapshot = {
+    users: number;
+    premium_users: number;
+    active_inboxes: number;
+    messages_24h: number;
+    messages_7d: number;
+    generated_at: number;
+  };
+  let stats = $state<StatsSnapshot | null>(null);
+  let statsLoading = $state(false);
+
+  async function loadStats() {
+    if (!user.apiKey) return;
+    statsLoading = true;
+    try {
+      const res = await fetch(`${import.meta.env.PUBLIC_API_URL || ""}/admin/stats`, {
+        headers: { Authorization: `Bearer ${user.apiKey}` },
+      });
+      if (res.ok) stats = await res.json();
+    } catch { /* silent */ }
+    finally { statsLoading = false; }
+  }
+
+  let filteredMessages = $derived.by(() => {
+    const q = searchQuery.trim().toLowerCase();
+    if (!q) return messages;
+    return messages.filter((m) =>
+      (m.from || "").toLowerCase().includes(q) ||
+      (m.subject || "").toLowerCase().includes(q) ||
+      (m.preview || "").toLowerCase().includes(q)
+    );
+  });
 
   // Compose state
   let showCompose = $state(false);
@@ -145,6 +179,7 @@
 
     await initAdminInboxes();
     await loadMessages();
+    loadStats();
     loading = false;
 
     pollInterval = setInterval(loadMessages, 10000);
@@ -170,6 +205,30 @@
       <div class="w-8 h-8 border-2 border-ghost border-t-neon rounded-full animate-spin"></div>
     </div>
   {:else}
+    <!-- Stats strip -->
+    <div class="px-6 py-3 border-b border-ghost/15 grid grid-cols-2 md:grid-cols-5 gap-4 text-[11px] font-mono">
+      <div>
+        <div class="text-muted tracking-widest">USERS</div>
+        <div class="text-white text-lg font-display">{stats?.users ?? "—"}</div>
+      </div>
+      <div>
+        <div class="text-muted tracking-widest">PREMIUM</div>
+        <div class="text-neon text-lg font-display">{stats?.premium_users ?? "—"}</div>
+      </div>
+      <div>
+        <div class="text-muted tracking-widest">ACTIVE INBOXES</div>
+        <div class="text-white text-lg font-display">{stats?.active_inboxes ?? "—"}</div>
+      </div>
+      <div>
+        <div class="text-muted tracking-widest">MSG / 24h</div>
+        <div class="text-white text-lg font-display">{stats?.messages_24h ?? "—"}</div>
+      </div>
+      <div>
+        <div class="text-muted tracking-widest">MSG / 7d</div>
+        <div class="text-white text-lg font-display">{stats?.messages_7d ?? "—"}</div>
+      </div>
+    </div>
+
     <div class="flex-1 flex">
       <!-- Sidebar -->
       <aside class="w-64 border-r border-ghost/15 p-4">
@@ -287,12 +346,23 @@
         {:else}
           <!-- Message List -->
           <div>
-            <h2 class="text-white text-sm font-display tracking-wider mb-4">{selectedInbox}</h2>
+            <div class="flex items-center justify-between gap-3 mb-4">
+              <h2 class="text-white text-sm font-display tracking-wider">{selectedInbox}</h2>
+              <input
+                type="search"
+                bind:value={searchQuery}
+                placeholder="search from / subject / preview"
+                class="w-72 bg-slab/50 border border-ghost/20 text-white text-[11px] font-mono px-3 py-1.5 rounded-sm
+                  focus:border-neon/40 focus:outline-none placeholder:text-ghost/40"
+              />
+            </div>
             {#if messages.length === 0}
               <p class="text-ghost text-xs font-mono">No messages</p>
+            {:else if filteredMessages.length === 0}
+              <p class="text-ghost text-xs font-mono">No matches for "{searchQuery}"</p>
             {:else}
               <div class="space-y-2">
-                {#each messages as msg}
+                {#each filteredMessages as msg}
                   <button
                     onclick={() => loadMessage(msg.message_id)}
                     class="w-full text-left p-3 bg-slab/40 border border-ghost/10 rounded-sm hover:border-neon/30 hover:bg-slab/60 transition-all"
diff --git a/services/cmd/api-local/main.go b/services/cmd/api-local/main.go
index 3c221f5..3a3eb78 100644
--- a/services/cmd/api-local/main.go
+++ b/services/cmd/api-local/main.go
@@ -65,7 +65,7 @@ func main() {
 	userRepo := user.NewRepository(ddbClient, tableName)
 	userSvc := user.NewService(userRepo, nil, "http://localhost:4321")
 
-	api := handler.NewAPI(inboxSvc, userSvc, nil, nil, nil, nil, "", domain, ttl, "")
+	api := handler.NewAPI(inboxSvc, userSvc, nil, nil, nil, nil, nil, "", domain, ttl, "")
 
 	mux := http.NewServeMux()
 	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
diff --git a/services/cmd/api/main.go b/services/cmd/api/main.go
index 0d90036..3c05d3c 100644
--- a/services/cmd/api/main.go
+++ b/services/cmd/api/main.go
@@ -22,6 +22,7 @@ import (
 	"github.com/ephemask/services/internal/inbox"
 	"github.com/ephemask/services/internal/mailer"
 	"github.com/ephemask/services/internal/ratelimit"
+	"github.com/ephemask/services/internal/stats"
 	"github.com/ephemask/services/internal/user"
 )
 
@@ -66,10 +67,11 @@ func init() {
 	domainSvc := domain.NewService(domainRepo, sesClient, region)
 
 	rateLimiter := ratelimit.NewLimiter(ddbClient, tableName)
+	statsSvc := stats.NewService(ddbClient, tableName)
 
 	webhookSecret := os.Getenv("REVENUECAT_WEBHOOK_SECRET")
 
-	api = handler.NewAPI(inboxSvc, userSvc, domainSvc, mailerSvc, rateLimiter, s3Client, emailBucket, domainName, ttl, webhookSecret)
+	api = handler.NewAPI(inboxSvc, userSvc, domainSvc, mailerSvc, rateLimiter, statsSvc, s3Client, emailBucket, domainName, ttl, webhookSecret)
 }
 
 func handleRequest(ctx context.Context, event events.APIGatewayV2HTTPRequest) (events.APIGatewayV2HTTPResponse, error) {
diff --git a/services/internal/handler/api.go b/services/internal/handler/api.go
index d566753..a017917 100644
--- a/services/internal/handler/api.go
+++ b/services/internal/handler/api.go
@@ -18,6 +18,7 @@ import (
 	"github.com/ephemask/services/internal/inbox"
 	"github.com/ephemask/services/internal/mailer"
 	"github.com/ephemask/services/internal/ratelimit"
+	"github.com/ephemask/services/internal/stats"
 	"github.com/ephemask/services/internal/user"
 )
 
@@ -33,6 +34,7 @@ type API struct {
 	domainSvc      *domain.Service
 	mailerSvc      *mailer.Service
 	rateLimiter    *ratelimit.Limiter
+	statsSvc       *stats.Service
 	s3Client       *s3.Client
 	emailBucket    string
 	mainDomain     string
@@ -41,8 +43,8 @@ type API struct {
 }
 
 // NewAPI creates a new API handler.
-func NewAPI(inboxSvc *inbox.Service, userSvc *user.Service, domainSvc *domain.Service, mailerSvc *mailer.Service, rateLimiter *ratelimit.Limiter, s3Client *s3.Client, emailBucket, mainDomain string, defaultTTL int64, webhookSecret string) *API {
-	return &API{inboxSvc: inboxSvc, userSvc: userSvc, domainSvc: domainSvc, mailerSvc: mailerSvc, rateLimiter: rateLimiter, s3Client: s3Client, emailBucket: emailBucket, mainDomain: mainDomain, defaultTTL: defaultTTL, webhookSecret: webhookSecret}
+func NewAPI(inboxSvc *inbox.Service, userSvc *user.Service, domainSvc *domain.Service, mailerSvc *mailer.Service, rateLimiter *ratelimit.Limiter, statsSvc *stats.Service, s3Client *s3.Client, emailBucket, mainDomain string, defaultTTL int64, webhookSecret string) *API {
+	return &API{inboxSvc: inboxSvc, userSvc: userSvc, domainSvc: domainSvc, mailerSvc: mailerSvc, rateLimiter: rateLimiter, statsSvc: statsSvc, s3Client: s3Client, emailBucket: emailBucket, mainDomain: mainDomain, defaultTTL: defaultTTL, webhookSecret: webhookSecret}
 }
 
 // Route dispatches the request to the appropriate handler.
@@ -110,6 +112,8 @@ func (a *API) routeInternal(method string, parts []string) http.HandlerFunc {
 		return a.DeleteDomain
 
 	// Admin routes
+	case method == "GET" && len(parts) == 2 && parts[0] == "admin" && parts[1] == "stats":
+		return a.GetAdminStats
 	case method == "POST" && len(parts) == 2 && parts[0] == "admin" && parts[1] == "inbox":
 		return a.CreateAdminInbox
 	case method == "GET" && len(parts) == 3 && parts[0] == "admin" && parts[1] == "inbox":
@@ -161,6 +165,24 @@ func (a *API) authenticateAdmin(r *http.Request) (*user.UserRecord, error) {
 	return u, nil
 }
 
+func (a *API) GetAdminStats(w http.ResponseWriter, r *http.Request) {
+	if _, err := a.authenticateAdmin(r); err != nil {
+		writeJSON(w, http.StatusUnauthorized, map[string]string{"error": "unauthorized"})
+		return
+	}
+	if a.statsSvc == nil {
+		writeJSON(w, http.StatusServiceUnavailable, map[string]string{"error": "stats unavailable"})
+		return
+	}
+	snap, err := a.statsSvc.Compute(r.Context())
+	if err != nil {
+		log.Printf("stats compute error: %v", err)
+		writeJSON(w, http.StatusInternalServerError, map[string]string{"error": "failed to compute stats"})
+		return
+	}
+	writeJSON(w, http.StatusOK, snap)
+}
+
 func (a *API) CreateAdminInbox(w http.ResponseWriter, r *http.Request) {
 	if _, err := a.authenticateAdmin(r); err != nil {
 		writeJSON(w, http.StatusUnauthorized, map[string]string{"error": "unauthorized"})
diff --git a/services/internal/handler/api_test.go b/services/internal/handler/api_test.go
index f392ca4..de9b8d0 100644
--- a/services/internal/handler/api_test.go
+++ b/services/internal/handler/api_test.go
@@ -10,7 +10,7 @@ import (
 
 func newTestAPI() *API {
 	svc := inbox.NewService(nil, "ephemask.dev", 600)
-	return NewAPI(svc, nil, nil, nil, nil, nil, "", "ephemask.dev", 600, "")
+	return NewAPI(svc, nil, nil, nil, nil, nil, nil, "", "ephemask.dev", 600, "")
 }
 
 func TestRouteNotFound(t *testing.T) {
diff --git a/services/internal/stats/service.go b/services/internal/stats/service.go
new file mode 100644
index 0000000..5a155a1
--- /dev/null
+++ b/services/internal/stats/service.go
@@ -0,0 +1,129 @@
+// Package stats produces aggregate counts for the admin analytics dashboard.
+// Implementation is intentionally simple — DynamoDB Scan with filters — since
+// table volume is small at this stage. If the table grows past the cheap-scan
+// regime we'll move to per-counter sentinel items or CloudWatch metrics.
+package stats
+
+import (
+	"context"
+	"strconv"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/dynamodb"
+	"github.com/aws/aws-sdk-go-v2/service/dynamodb/types"
+
+	"github.com/ephemask/services/internal/inbox"
+	"github.com/ephemask/services/internal/user"
+)
+
+// Snapshot is the single response shape for GET /admin/stats.
+type Snapshot struct {
+	Users          int64 `json:"users"`
+	PremiumUsers   int64 `json:"premium_users"`
+	ActiveInboxes  int64 `json:"active_inboxes"`
+	Messages24h    int64 `json:"messages_24h"`
+	Messages7d     int64 `json:"messages_7d"`
+	GeneratedAt    int64 `json:"generated_at"`
+}
+
+// Service computes Snapshot values via Scan operations.
+type Service struct {
+	client    *dynamodb.Client
+	tableName string
+}
+
+// NewService returns a stats Service backed by the given DynamoDB client.
+func NewService(client *dynamodb.Client, tableName string) *Service {
+	return &Service{client: client, tableName: tableName}
+}
+
+// Compute returns a fresh snapshot. Each metric is one Scan; we run them
+// sequentially because DynamoDB charges per RCU regardless of parallelism
+// and Lambda concurrency for /admin/stats is tiny.
+func (s *Service) Compute(ctx context.Context) (*Snapshot, error) {
+	now := time.Now().Unix()
+	day := now - 86400
+	week := now - 7*86400
+
+	users, err := s.count(ctx, "message_id = :sentinel", map[string]types.AttributeValue{
+		":sentinel": &types.AttributeValueMemberS{Value: user.UserSentinel},
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	premium, err := s.count(ctx, "message_id = :sentinel AND tier = :tier", map[string]types.AttributeValue{
+		":sentinel": &types.AttributeValueMemberS{Value: user.UserSentinel},
+		":tier":     &types.AttributeValueMemberS{Value: user.TierPremium},
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	activeInboxes, err := s.count(ctx, "message_id = :sentinel AND expires_at > :now", map[string]types.AttributeValue{
+		":sentinel": &types.AttributeValueMemberS{Value: inbox.InboxSentinel},
+		":now":      &types.AttributeValueMemberN{Value: strconv.FormatInt(now, 10)},
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	// Messages: filter out the sentinel items that share the messages table.
+	msg24h, err := s.count(ctx,
+		"received_at > :since AND message_id <> :inboxSentinel AND message_id <> :userSentinel AND message_id <> :magicSentinel",
+		map[string]types.AttributeValue{
+			":since":          &types.AttributeValueMemberN{Value: strconv.FormatInt(day, 10)},
+			":inboxSentinel":  &types.AttributeValueMemberS{Value: inbox.InboxSentinel},
+			":userSentinel":   &types.AttributeValueMemberS{Value: user.UserSentinel},
+			":magicSentinel":  &types.AttributeValueMemberS{Value: user.MagicTokenSentinel},
+		},
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	msg7d, err := s.count(ctx,
+		"received_at > :since AND message_id <> :inboxSentinel AND message_id <> :userSentinel AND message_id <> :magicSentinel",
+		map[string]types.AttributeValue{
+			":since":          &types.AttributeValueMemberN{Value: strconv.FormatInt(week, 10)},
+			":inboxSentinel":  &types.AttributeValueMemberS{Value: inbox.InboxSentinel},
+			":userSentinel":   &types.AttributeValueMemberS{Value: user.UserSentinel},
+			":magicSentinel":  &types.AttributeValueMemberS{Value: user.MagicTokenSentinel},
+		},
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Snapshot{
+		Users:         users,
+		PremiumUsers:  premium,
+		ActiveInboxes: activeInboxes,
+		Messages24h:   msg24h,
+		Messages7d:    msg7d,
+		GeneratedAt:   now,
+	}, nil
+}
+
+func (s *Service) count(ctx context.Context, filter string, values map[string]types.AttributeValue) (int64, error) {
+	var total int64
+	var lastKey map[string]types.AttributeValue
+	for {
+		out, err := s.client.Scan(ctx, &dynamodb.ScanInput{
+			TableName:                 &s.tableName,
+			FilterExpression:          aws.String(filter),
+			ExpressionAttributeValues: values,
+			Select:                    types.SelectCount,
+			ExclusiveStartKey:         lastKey,
+		})
+		if err != nil {
+			return 0, err
+		}
+		total += int64(out.Count)
+		if out.LastEvaluatedKey == nil {
+			return total, nil
+		}
+		lastKey = out.LastEvaluatedKey
+	}
+}
diff --git a/terraform/api_gateway.tf b/terraform/api_gateway.tf
index e44390c..26693e1 100644
--- a/terraform/api_gateway.tf
+++ b/terraform/api_gateway.tf
@@ -187,6 +187,12 @@ resource "aws_apigatewayv2_route" "post_user_email" {
   target    = "integrations/${aws_apigatewayv2_integration.api.id}"
 }
 
+resource "aws_apigatewayv2_route" "get_admin_stats" {
+  api_id    = aws_apigatewayv2_api.main.id
+  route_key = "GET /admin/stats"
+  target    = "integrations/${aws_apigatewayv2_integration.api.id}"
+}
+
 resource "aws_apigatewayv2_route" "post_admin_inbox" {
   api_id    = aws_apigatewayv2_api.main.id
   route_key = "POST /admin/inbox"

From 9df06dd5cfa9f6a2b2f51b818fec31df0097fd01 Mon Sep 17 00:00:00 2001
From: mqmalagris <63169613+mqmalagris@users.noreply.github.com>
Date: Thu, 30 Apr 2026 21:02:17 -0300
Subject: [PATCH 2/5] feat: admin user management dashboard (read-only)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds GET /admin/users returning every user with id, email, tier, role,
webhook flag, and created_at. AdminView grew an INBOXES / USERS tab
switcher under the stats strip; the USERS tab shows a sortable table
with client-side search by id/email/tier/role.

Sensitive fields (api key, webhook secret) are deliberately omitted
from the admin view. Mutations (promote/demote, manual tier change)
left out for v1 — they need confirmation UX and audit logging before
shipping.
---
 apps/web/src/components/AdminView.svelte | 119 +++++++++++++++++++++++
 services/internal/handler/api.go         |  16 +++
 services/internal/user/model.go          |  12 +++
 services/internal/user/repository.go     |  32 ++++++
 services/internal/user/service.go        |  25 +++++
 terraform/api_gateway.tf                 |   6 ++
 6 files changed, 210 insertions(+)

diff --git a/apps/web/src/components/AdminView.svelte b/apps/web/src/components/AdminView.svelte
index dcf5555..4394c60 100644
--- a/apps/web/src/components/AdminView.svelte
+++ b/apps/web/src/components/AdminView.svelte
@@ -36,6 +36,30 @@
   let stats = $state<StatsSnapshot | null>(null);
   let statsLoading = $state(false);
 
+  type AdminUser = {
+    user_id: string;
+    email?: string;
+    tier: string;
+    role?: string;
+    no_ads: boolean;
+    has_webhook: boolean;
+    created_at: number;
+  };
+  let activeView = $state<"inboxes" | "users">("inboxes");
+  let users = $state<AdminUser[]>([]);
+  let usersLoading = $state(false);
+  let userSearch = $state("");
+  let filteredUsers = $derived.by(() => {
+    const q = userSearch.trim().toLowerCase();
+    if (!q) return users;
+    return users.filter((u) =>
+      (u.user_id || "").toLowerCase().includes(q) ||
+      (u.email || "").toLowerCase().includes(q) ||
+      (u.tier || "").toLowerCase().includes(q) ||
+      (u.role || "").toLowerCase().includes(q)
+    );
+  });
+
   async function loadStats() {
     if (!user.apiKey) return;
     statsLoading = true;
@@ -48,6 +72,26 @@
     finally { statsLoading = false; }
   }
 
+  async function loadUsers() {
+    if (!user.apiKey) return;
+    usersLoading = true;
+    try {
+      const res = await fetch(`${import.meta.env.PUBLIC_API_URL || ""}/admin/users`, {
+        headers: { Authorization: `Bearer ${user.apiKey}` },
+      });
+      if (res.ok) {
+        const data = await res.json();
+        users = data.users || [];
+      }
+    } catch { /* silent */ }
+    finally { usersLoading = false; }
+  }
+
+  function showUsersTab() {
+    activeView = "users";
+    if (users.length === 0) loadUsers();
+  }
+
   let filteredMessages = $derived.by(() => {
     const q = searchQuery.trim().toLowerCase();
     if (!q) return messages;
@@ -229,6 +273,80 @@
       </div>
     </div>
 
+    <!-- Tab switcher -->
+    <div class="px-6 border-b border-ghost/15 flex gap-1 text-[11px] font-mono tracking-widest">
+      <button
+        onclick={() => (activeView = "inboxes")}
+        class="px-3 py-2 transition-colors
+          {activeView === 'inboxes' ? 'text-neon border-b border-neon' : 'text-muted hover:text-white'}"
+      >
+        INBOXES
+      </button>
+      <button
+        onclick={showUsersTab}
+        class="px-3 py-2 transition-colors
+          {activeView === 'users' ? 'text-neon border-b border-neon' : 'text-muted hover:text-white'}"
+      >
+        USERS
+      </button>
+    </div>
+
+    {#if activeView === "users"}
+      <main class="flex-1 p-4 overflow-y-auto">
+        <div class="flex items-center justify-between gap-3 mb-4">
+          <h2 class="text-white text-sm font-display tracking-wider">All users</h2>
+          <input
+            type="search"
+            bind:value={userSearch}
+            placeholder="search id / email / tier"
+            class="w-72 bg-slab/50 border border-ghost/20 text-white text-[11px] font-mono px-3 py-1.5 rounded-sm
+              focus:border-neon/40 focus:outline-none placeholder:text-ghost/40"
+          />
+        </div>
+
+        {#if usersLoading}
+          <div class="text-ghost text-xs font-mono">Loading...</div>
+        {:else if filteredUsers.length === 0}
+          <div class="text-ghost text-xs font-mono">No users.</div>
+        {:else}
+          <div class="overflow-x-auto">
+            <table class="w-full text-[11px] font-mono">
+              <thead>
+                <tr class="text-left text-muted tracking-widest border-b border-ghost/15">
+                  <th class="py-2 pr-4">USER</th>
+                  <th class="py-2 pr-4">EMAIL</th>
+                  <th class="py-2 pr-4">TIER</th>
+                  <th class="py-2 pr-4">ROLE</th>
+                  <th class="py-2 pr-4">WEBHOOK</th>
+                  <th class="py-2 pr-4">CREATED</th>
+                </tr>
+              </thead>
+              <tbody>
+                {#each filteredUsers as u}
+                  <tr class="border-b border-ghost/10 hover:bg-slab/40">
+                    <td class="py-2 pr-4 text-white truncate max-w-[180px]">{u.user_id}</td>
+                    <td class="py-2 pr-4 text-white/80 truncate max-w-[200px]">{u.email || "—"}</td>
+                    <td class="py-2 pr-4">
+                      <span class={u.tier === "premium" ? "text-neon" : "text-muted"}>{u.tier}</span>
+                    </td>
+                    <td class="py-2 pr-4">
+                      <span class={u.role === "admin" ? "text-ember" : "text-muted"}>{u.role || "user"}</span>
+                    </td>
+                    <td class="py-2 pr-4">
+                      <span class={u.has_webhook ? "text-pulse" : "text-ghost"}>{u.has_webhook ? "yes" : "—"}</span>
+                    </td>
+                    <td class="py-2 pr-4 text-muted">
+                      {new Date(u.created_at * 1000).toLocaleDateString(getLocale())}
+                    </td>
+                  </tr>
+                {/each}
+              </tbody>
+            </table>
+          </div>
+        {/if}
+      </main>
+    {:else}
+
     <div class="flex-1 flex">
       <!-- Sidebar -->
       <aside class="w-64 border-r border-ghost/15 p-4">
@@ -383,5 +501,6 @@
         {/if}
       </main>
     </div>
+    {/if}
   {/if}
 </div>
diff --git a/services/internal/handler/api.go b/services/internal/handler/api.go
index a017917..00db4d8 100644
--- a/services/internal/handler/api.go
+++ b/services/internal/handler/api.go
@@ -114,6 +114,8 @@ func (a *API) routeInternal(method string, parts []string) http.HandlerFunc {
 	// Admin routes
 	case method == "GET" && len(parts) == 2 && parts[0] == "admin" && parts[1] == "stats":
 		return a.GetAdminStats
+	case method == "GET" && len(parts) == 2 && parts[0] == "admin" && parts[1] == "users":
+		return a.GetAdminUsers
 	case method == "POST" && len(parts) == 2 && parts[0] == "admin" && parts[1] == "inbox":
 		return a.CreateAdminInbox
 	case method == "GET" && len(parts) == 3 && parts[0] == "admin" && parts[1] == "inbox":
@@ -183,6 +185,20 @@ func (a *API) GetAdminStats(w http.ResponseWriter, r *http.Request) {
 	writeJSON(w, http.StatusOK, snap)
 }
 
+func (a *API) GetAdminUsers(w http.ResponseWriter, r *http.Request) {
+	if _, err := a.authenticateAdmin(r); err != nil {
+		writeJSON(w, http.StatusUnauthorized, map[string]string{"error": "unauthorized"})
+		return
+	}
+	users, err := a.userSvc.ListAllUsers(r.Context())
+	if err != nil {
+		log.Printf("list users error: %v", err)
+		writeJSON(w, http.StatusInternalServerError, map[string]string{"error": "failed to list users"})
+		return
+	}
+	writeJSON(w, http.StatusOK, map[string]any{"users": users})
+}
+
 func (a *API) CreateAdminInbox(w http.ResponseWriter, r *http.Request) {
 	if _, err := a.authenticateAdmin(r); err != nil {
 		writeJSON(w, http.StatusUnauthorized, map[string]string{"error": "unauthorized"})
diff --git a/services/internal/user/model.go b/services/internal/user/model.go
index b28512d..534b998 100644
--- a/services/internal/user/model.go
+++ b/services/internal/user/model.go
@@ -74,6 +74,18 @@ type UserInfo struct {
 	CreatedAt  int64  `json:"created_at"`
 }
 
+// AdminUserSummary is one row in the admin user list. We deliberately omit
+// the api key and the webhook secret; admins shouldn't see those.
+type AdminUserSummary struct {
+	UserID     string `json:"user_id"`
+	Email      string `json:"email,omitempty"`
+	Tier       string `json:"tier"`
+	Role       string `json:"role,omitempty"`
+	NoAds      bool   `json:"no_ads"`
+	HasWebhook bool   `json:"has_webhook"`
+	CreatedAt  int64  `json:"created_at"`
+}
+
 // MagicLinkResponse is returned after sending a magic link.
 type MagicLinkResponse struct {
 	Message string `json:"message"`
diff --git a/services/internal/user/repository.go b/services/internal/user/repository.go
index 5d50dfe..57fc55b 100644
--- a/services/internal/user/repository.go
+++ b/services/internal/user/repository.go
@@ -170,6 +170,38 @@ func (r *Repository) ClearWebhook(ctx context.Context, userID string) error {
 	return err
 }
 
+// ListUsers returns every user record. Uses Scan with a sentinel filter; fine
+// while volume is low. If we outgrow this, switch to a "tier-index" GSI.
+func (r *Repository) ListUsers(ctx context.Context) ([]*UserRecord, error) {
+	var out []*UserRecord
+	var lastKey map[string]types.AttributeValue
+	for {
+		resp, err := r.client.Scan(ctx, &dynamodb.ScanInput{
+			TableName:        &r.tableName,
+			FilterExpression: aws.String("message_id = :sentinel"),
+			ExpressionAttributeValues: map[string]types.AttributeValue{
+				":sentinel": &types.AttributeValueMemberS{Value: UserSentinel},
+			},
+			ExclusiveStartKey: lastKey,
+		})
+		if err != nil {
+			return nil, err
+		}
+		for _, item := range resp.Items {
+			var rec UserRecord
+			if err := attributevalue.UnmarshalMap(item, &rec); err != nil {
+				continue
+			}
+			rec.UserID = strings.TrimPrefix(rec.InboxAddress, UserPKPrefix)
+			out = append(out, &rec)
+		}
+		if resp.LastEvaluatedKey == nil {
+			return out, nil
+		}
+		lastKey = resp.LastEvaluatedKey
+	}
+}
+
 // CountUserInboxes returns the number of active inboxes for a user.
 func (r *Repository) CountUserInboxes(ctx context.Context, userID string) (int, error) {
 	out, err := r.client.Query(ctx, &dynamodb.QueryInput{
diff --git a/services/internal/user/service.go b/services/internal/user/service.go
index ba7ce00..daf8e98 100644
--- a/services/internal/user/service.go
+++ b/services/internal/user/service.go
@@ -5,6 +5,7 @@ import (
 	"crypto/rand"
 	"encoding/hex"
 	"errors"
+	"sort"
 	"time"
 
 	"github.com/ephemask/services/internal/mailer"
@@ -354,6 +355,30 @@ func (s *Service) ClearWebhook(ctx context.Context, userID string) error {
 	return s.repo.ClearWebhook(ctx, userID)
 }
 
+// ListAllUsers returns a summary of every registered user, sorted by created
+// time (newest first). Intended for the admin dashboard only.
+func (s *Service) ListAllUsers(ctx context.Context) ([]AdminUserSummary, error) {
+	records, err := s.repo.ListUsers(ctx)
+	if err != nil {
+		return nil, err
+	}
+	out := make([]AdminUserSummary, 0, len(records))
+	for _, r := range records {
+		out = append(out, AdminUserSummary{
+			UserID:     r.UserID,
+			Email:      r.Email,
+			Tier:       r.Tier,
+			Role:       r.Role,
+			NoAds:      r.NoAds,
+			HasWebhook: r.WebhookURL != "",
+			CreatedAt:  r.CreatedAt,
+		})
+	}
+	// Newest first.
+	sort.Slice(out, func(i, j int) bool { return out[i].CreatedAt > out[j].CreatedAt })
+	return out, nil
+}
+
 // GetTTLForTier returns the TTL in seconds for the given tier.
 func GetTTLForTier(tier string) int64 {
 	if tier == TierPremium {
diff --git a/terraform/api_gateway.tf b/terraform/api_gateway.tf
index 26693e1..3826c7c 100644
--- a/terraform/api_gateway.tf
+++ b/terraform/api_gateway.tf
@@ -193,6 +193,12 @@ resource "aws_apigatewayv2_route" "get_admin_stats" {
   target    = "integrations/${aws_apigatewayv2_integration.api.id}"
 }
 
+resource "aws_apigatewayv2_route" "get_admin_users" {
+  api_id    = aws_apigatewayv2_api.main.id
+  route_key = "GET /admin/users"
+  target    = "integrations/${aws_apigatewayv2_integration.api.id}"
+}
+
 resource "aws_apigatewayv2_route" "post_admin_inbox" {
   api_id    = aws_apigatewayv2_api.main.id
   route_key = "POST /admin/inbox"

From 68b1b12cbec92287146e8ee3d1bbae4ddbb3c71b Mon Sep 17 00:00:00 2001
From: mqmalagris <63169613+mqmalagris@users.noreply.github.com>
Date: Thu, 30 Apr 2026 21:06:15 -0300
Subject: [PATCH 3/5] feat: admin email templates for compose

New template package persists per-admin compose presets in DynamoDB
under PK __template__:<userID>. Admin endpoints GET/POST/DELETE
/admin/templates list, create (max 25 per user), and remove templates.

Compose form gets a 'Insert template' dropdown that fills subject and
body, and a 'Save template' input next to SEND that captures the
current draft under a name. Saved templates are listed below the form
with inline delete buttons.
---
 apps/web/src/components/AdminView.svelte | 131 +++++++++++++++++++--
 services/cmd/api-local/main.go           |   2 +-
 services/cmd/api/main.go                 |   4 +-
 services/internal/handler/api.go         |  83 ++++++++++++-
 services/internal/handler/api_test.go    |   2 +-
 services/internal/template/service.go    | 142 +++++++++++++++++++++++
 terraform/api_gateway.tf                 |  18 +++
 7 files changed, 370 insertions(+), 12 deletions(-)
 create mode 100644 services/internal/template/service.go

diff --git a/apps/web/src/components/AdminView.svelte b/apps/web/src/components/AdminView.svelte
index 4394c60..3bd1bcd 100644
--- a/apps/web/src/components/AdminView.svelte
+++ b/apps/web/src/components/AdminView.svelte
@@ -92,6 +92,74 @@
     if (users.length === 0) loadUsers();
   }
 
+  type AdminTemplate = {
+    id: string;
+    name: string;
+    subject: string;
+    body: string;
+    created_at: number;
+  };
+  let templates = $state<AdminTemplate[]>([]);
+  let templateSelected = $state("");
+  let savingTemplate = $state(false);
+  let savingTemplateName = $state("");
+
+  async function loadTemplates() {
+    if (!user.apiKey) return;
+    try {
+      const res = await fetch(`${import.meta.env.PUBLIC_API_URL || ""}/admin/templates`, {
+        headers: { Authorization: `Bearer ${user.apiKey}` },
+      });
+      if (res.ok) {
+        const data = await res.json();
+        templates = data.templates || [];
+      }
+    } catch { /* silent */ }
+  }
+
+  function applyTemplate(id: string) {
+    if (!id) return;
+    const t = templates.find((x) => x.id === id);
+    if (!t) return;
+    composeSubject = t.subject;
+    composeBody = t.body;
+    templateSelected = "";
+  }
+
+  async function saveAsTemplate() {
+    if (!user.apiKey || !savingTemplateName.trim() || !composeBody.trim()) return;
+    savingTemplate = true;
+    try {
+      const res = await fetch(`${import.meta.env.PUBLIC_API_URL || ""}/admin/templates`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json", Authorization: `Bearer ${user.apiKey}` },
+        body: JSON.stringify({
+          name: savingTemplateName.trim(),
+          subject: composeSubject,
+          body: composeBody,
+        }),
+      });
+      if (res.ok) {
+        savingTemplateName = "";
+        await loadTemplates();
+      }
+    } finally {
+      savingTemplate = false;
+    }
+  }
+
+  async function deleteTemplate(id: string) {
+    if (!user.apiKey) return;
+    if (!confirm("Delete this template?")) return;
+    try {
+      await fetch(`${import.meta.env.PUBLIC_API_URL || ""}/admin/templates/${id}`, {
+        method: "DELETE",
+        headers: { Authorization: `Bearer ${user.apiKey}` },
+      });
+      templates = templates.filter((t) => t.id !== id);
+    } catch { /* silent */ }
+  }
+
   let filteredMessages = $derived.by(() => {
     const q = searchQuery.trim().toLowerCase();
     if (!q) return messages;
@@ -224,6 +292,7 @@
     await initAdminInboxes();
     await loadMessages();
     loadStats();
+    loadTemplates();
     loading = false;
 
     pollInterval = setInterval(loadMessages, 10000);
@@ -408,6 +477,21 @@
                   <span class="text-ghost text-[10px] font-mono w-16">SUBJECT</span>
                   <input bind:value={composeSubject} placeholder="Subject" class="flex-1 bg-slab/50 border border-ghost/20 text-white text-xs font-mono px-3 py-2 rounded-sm focus:border-neon/40 focus:outline-none placeholder:text-ghost/40" />
                 </div>
+                {#if templates.length > 0}
+                  <div class="flex items-center gap-2">
+                    <span class="text-ghost text-[10px] font-mono w-16">TEMPLATE</span>
+                    <select
+                      bind:value={templateSelected}
+                      onchange={() => applyTemplate(templateSelected)}
+                      class="flex-1 bg-slab/50 border border-ghost/20 text-white text-xs font-mono px-3 py-2 rounded-sm focus:border-neon/40 focus:outline-none"
+                    >
+                      <option value="">Insert template...</option>
+                      {#each templates as t}
+                        <option value={t.id}>{t.name}</option>
+                      {/each}
+                    </select>
+                  </div>
+                {/if}
                 <textarea
                   bind:value={composeBody}
                   placeholder="Message body..."
@@ -417,13 +501,46 @@
                 {#if composeError}
                   <div class="text-ember text-xs font-mono">{composeError}</div>
                 {/if}
-                <button
-                  onclick={sendEmail}
-                  disabled={composeSending || !composeTo || !composeSubject}
-                  class="px-4 py-2 text-xs font-mono tracking-wider border border-neon/40 text-neon hover:bg-neon/10 transition-all disabled:opacity-40"
-                >
-                  {composeSending ? "SENDING..." : "SEND"}
-                </button>
+                <div class="flex flex-wrap items-center gap-2">
+                  <button
+                    onclick={sendEmail}
+                    disabled={composeSending || !composeTo || !composeSubject}
+                    class="px-4 py-2 text-xs font-mono tracking-wider border border-neon/40 text-neon hover:bg-neon/10 transition-all disabled:opacity-40"
+                  >
+                    {composeSending ? "SENDING..." : "SEND"}
+                  </button>
+                  <input
+                    type="text"
+                    bind:value={savingTemplateName}
+                    placeholder="Template name"
+                    class="bg-slab/50 border border-ghost/20 text-white text-xs font-mono px-3 py-2 rounded-sm focus:border-neon/40 focus:outline-none placeholder:text-ghost/40"
+                  />
+                  <button
+                    onclick={saveAsTemplate}
+                    disabled={savingTemplate || !savingTemplateName.trim() || !composeBody.trim()}
+                    class="px-3 py-2 text-[10px] font-mono tracking-wider border border-ghost/30 text-muted hover:border-neon/40 hover:text-neon transition-all disabled:opacity-40"
+                  >
+                    SAVE TEMPLATE
+                  </button>
+                </div>
+                {#if templates.length > 0}
+                  <div class="border-t border-ghost/15 pt-3 mt-3">
+                    <div class="text-[10px] font-mono tracking-widest text-muted mb-2">SAVED TEMPLATES</div>
+                    <div class="space-y-1">
+                      {#each templates as t}
+                        <div class="flex items-center justify-between gap-2 text-[11px] font-mono">
+                          <span class="text-white/80 truncate">{t.name}</span>
+                          <button
+                            onclick={() => deleteTemplate(t.id)}
+                            class="text-ember/70 hover:text-ember text-[10px]"
+                          >
+                            DELETE
+                          </button>
+                        </div>
+                      {/each}
+                    </div>
+                  </div>
+                {/if}
               </div>
             {/if}
           </div>
diff --git a/services/cmd/api-local/main.go b/services/cmd/api-local/main.go
index 3a3eb78..1e53866 100644
--- a/services/cmd/api-local/main.go
+++ b/services/cmd/api-local/main.go
@@ -65,7 +65,7 @@ func main() {
 	userRepo := user.NewRepository(ddbClient, tableName)
 	userSvc := user.NewService(userRepo, nil, "http://localhost:4321")
 
-	api := handler.NewAPI(inboxSvc, userSvc, nil, nil, nil, nil, nil, "", domain, ttl, "")
+	api := handler.NewAPI(inboxSvc, userSvc, nil, nil, nil, nil, nil, nil, "", domain, ttl, "")
 
 	mux := http.NewServeMux()
 	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
diff --git a/services/cmd/api/main.go b/services/cmd/api/main.go
index 3c05d3c..c1a4318 100644
--- a/services/cmd/api/main.go
+++ b/services/cmd/api/main.go
@@ -23,6 +23,7 @@ import (
 	"github.com/ephemask/services/internal/mailer"
 	"github.com/ephemask/services/internal/ratelimit"
 	"github.com/ephemask/services/internal/stats"
+	"github.com/ephemask/services/internal/template"
 	"github.com/ephemask/services/internal/user"
 )
 
@@ -68,10 +69,11 @@ func init() {
 
 	rateLimiter := ratelimit.NewLimiter(ddbClient, tableName)
 	statsSvc := stats.NewService(ddbClient, tableName)
+	templateSvc := template.NewService(ddbClient, tableName)
 
 	webhookSecret := os.Getenv("REVENUECAT_WEBHOOK_SECRET")
 
-	api = handler.NewAPI(inboxSvc, userSvc, domainSvc, mailerSvc, rateLimiter, statsSvc, s3Client, emailBucket, domainName, ttl, webhookSecret)
+	api = handler.NewAPI(inboxSvc, userSvc, domainSvc, mailerSvc, rateLimiter, statsSvc, templateSvc, s3Client, emailBucket, domainName, ttl, webhookSecret)
 }
 
 func handleRequest(ctx context.Context, event events.APIGatewayV2HTTPRequest) (events.APIGatewayV2HTTPResponse, error) {
diff --git a/services/internal/handler/api.go b/services/internal/handler/api.go
index 00db4d8..6fbdf93 100644
--- a/services/internal/handler/api.go
+++ b/services/internal/handler/api.go
@@ -19,6 +19,7 @@ import (
 	"github.com/ephemask/services/internal/mailer"
 	"github.com/ephemask/services/internal/ratelimit"
 	"github.com/ephemask/services/internal/stats"
+	"github.com/ephemask/services/internal/template"
 	"github.com/ephemask/services/internal/user"
 )
 
@@ -35,6 +36,7 @@ type API struct {
 	mailerSvc      *mailer.Service
 	rateLimiter    *ratelimit.Limiter
 	statsSvc       *stats.Service
+	templateSvc    *template.Service
 	s3Client       *s3.Client
 	emailBucket    string
 	mainDomain     string
@@ -43,8 +45,8 @@ type API struct {
 }
 
 // NewAPI creates a new API handler.
-func NewAPI(inboxSvc *inbox.Service, userSvc *user.Service, domainSvc *domain.Service, mailerSvc *mailer.Service, rateLimiter *ratelimit.Limiter, statsSvc *stats.Service, s3Client *s3.Client, emailBucket, mainDomain string, defaultTTL int64, webhookSecret string) *API {
-	return &API{inboxSvc: inboxSvc, userSvc: userSvc, domainSvc: domainSvc, mailerSvc: mailerSvc, rateLimiter: rateLimiter, statsSvc: statsSvc, s3Client: s3Client, emailBucket: emailBucket, mainDomain: mainDomain, defaultTTL: defaultTTL, webhookSecret: webhookSecret}
+func NewAPI(inboxSvc *inbox.Service, userSvc *user.Service, domainSvc *domain.Service, mailerSvc *mailer.Service, rateLimiter *ratelimit.Limiter, statsSvc *stats.Service, templateSvc *template.Service, s3Client *s3.Client, emailBucket, mainDomain string, defaultTTL int64, webhookSecret string) *API {
+	return &API{inboxSvc: inboxSvc, userSvc: userSvc, domainSvc: domainSvc, mailerSvc: mailerSvc, rateLimiter: rateLimiter, statsSvc: statsSvc, templateSvc: templateSvc, s3Client: s3Client, emailBucket: emailBucket, mainDomain: mainDomain, defaultTTL: defaultTTL, webhookSecret: webhookSecret}
 }
 
 // Route dispatches the request to the appropriate handler.
@@ -116,6 +118,12 @@ func (a *API) routeInternal(method string, parts []string) http.HandlerFunc {
 		return a.GetAdminStats
 	case method == "GET" && len(parts) == 2 && parts[0] == "admin" && parts[1] == "users":
 		return a.GetAdminUsers
+	case method == "GET" && len(parts) == 2 && parts[0] == "admin" && parts[1] == "templates":
+		return a.ListAdminTemplates
+	case method == "POST" && len(parts) == 2 && parts[0] == "admin" && parts[1] == "templates":
+		return a.CreateAdminTemplate
+	case method == "DELETE" && len(parts) == 3 && parts[0] == "admin" && parts[1] == "templates":
+		return a.DeleteAdminTemplate
 	case method == "POST" && len(parts) == 2 && parts[0] == "admin" && parts[1] == "inbox":
 		return a.CreateAdminInbox
 	case method == "GET" && len(parts) == 3 && parts[0] == "admin" && parts[1] == "inbox":
@@ -199,6 +207,77 @@ func (a *API) GetAdminUsers(w http.ResponseWriter, r *http.Request) {
 	writeJSON(w, http.StatusOK, map[string]any{"users": users})
 }
 
+func (a *API) ListAdminTemplates(w http.ResponseWriter, r *http.Request) {
+	u, err := a.authenticateAdmin(r)
+	if err != nil {
+		writeJSON(w, http.StatusUnauthorized, map[string]string{"error": "unauthorized"})
+		return
+	}
+	if a.templateSvc == nil {
+		writeJSON(w, http.StatusOK, map[string]any{"templates": []any{}})
+		return
+	}
+	list, err := a.templateSvc.List(r.Context(), u.UserID)
+	if err != nil {
+		writeJSON(w, http.StatusInternalServerError, map[string]string{"error": "failed to list templates"})
+		return
+	}
+	writeJSON(w, http.StatusOK, map[string]any{"templates": list})
+}
+
+func (a *API) CreateAdminTemplate(w http.ResponseWriter, r *http.Request) {
+	u, err := a.authenticateAdmin(r)
+	if err != nil {
+		writeJSON(w, http.StatusUnauthorized, map[string]string{"error": "unauthorized"})
+		return
+	}
+	if a.templateSvc == nil {
+		writeJSON(w, http.StatusServiceUnavailable, map[string]string{"error": "templates unavailable"})
+		return
+	}
+	var body struct {
+		Name    string `json:"name"`
+		Subject string `json:"subject"`
+		Body    string `json:"body"`
+	}
+	if err := readJSON(r, &body); err != nil {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "invalid body"})
+		return
+	}
+	t, err := a.templateSvc.Create(r.Context(), u.UserID, body.Name, body.Subject, body.Body)
+	if err != nil {
+		switch {
+		case errors.Is(err, template.ErrEmpty):
+			writeJSON(w, http.StatusBadRequest, map[string]string{"error": "name and body are required"})
+		case errors.Is(err, template.ErrLimit):
+			writeJSON(w, http.StatusConflict, map[string]string{"error": "template limit reached"})
+		default:
+			writeJSON(w, http.StatusInternalServerError, map[string]string{"error": "failed to create template"})
+		}
+		return
+	}
+	writeJSON(w, http.StatusOK, t)
+}
+
+func (a *API) DeleteAdminTemplate(w http.ResponseWriter, r *http.Request) {
+	u, err := a.authenticateAdmin(r)
+	if err != nil {
+		writeJSON(w, http.StatusUnauthorized, map[string]string{"error": "unauthorized"})
+		return
+	}
+	if a.templateSvc == nil {
+		w.WriteHeader(http.StatusNoContent)
+		return
+	}
+	parts := strings.Split(strings.Trim(r.URL.Path, "/"), "/")
+	id := parts[2]
+	if err := a.templateSvc.Delete(r.Context(), u.UserID, id); err != nil {
+		writeJSON(w, http.StatusInternalServerError, map[string]string{"error": "failed to delete template"})
+		return
+	}
+	w.WriteHeader(http.StatusNoContent)
+}
+
 func (a *API) CreateAdminInbox(w http.ResponseWriter, r *http.Request) {
 	if _, err := a.authenticateAdmin(r); err != nil {
 		writeJSON(w, http.StatusUnauthorized, map[string]string{"error": "unauthorized"})
diff --git a/services/internal/handler/api_test.go b/services/internal/handler/api_test.go
index de9b8d0..dda5322 100644
--- a/services/internal/handler/api_test.go
+++ b/services/internal/handler/api_test.go
@@ -10,7 +10,7 @@ import (
 
 func newTestAPI() *API {
 	svc := inbox.NewService(nil, "ephemask.dev", 600)
-	return NewAPI(svc, nil, nil, nil, nil, nil, nil, "", "ephemask.dev", 600, "")
+	return NewAPI(svc, nil, nil, nil, nil, nil, nil, nil, "", "ephemask.dev", 600, "")
 }
 
 func TestRouteNotFound(t *testing.T) {
diff --git a/services/internal/template/service.go b/services/internal/template/service.go
new file mode 100644
index 0000000..03ecef0
--- /dev/null
+++ b/services/internal/template/service.go
@@ -0,0 +1,142 @@
+// Package template stores reusable subject/body presets for the admin
+// compose form. Stored as separate DynamoDB items keyed by a per-user
+// sentinel so they don't show up anywhere else in the codebase.
+package template
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/hex"
+	"errors"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue"
+	"github.com/aws/aws-sdk-go-v2/service/dynamodb"
+	"github.com/aws/aws-sdk-go-v2/service/dynamodb/types"
+)
+
+const pkPrefix = "__template__:"
+
+const MaxTemplatesPerUser = 25
+
+var (
+	ErrLimit = errors.New("template limit reached")
+	ErrEmpty = errors.New("name and body are required")
+)
+
+// Template is one stored compose preset.
+type Template struct {
+	UserKey   string `dynamodbav:"inbox_address" json:"-"`
+	ID        string `dynamodbav:"message_id" json:"id"`
+	Name      string `dynamodbav:"name" json:"name"`
+	Subject   string `dynamodbav:"subject" json:"subject"`
+	Body      string `dynamodbav:"body" json:"body"`
+	CreatedAt int64  `dynamodbav:"received_at" json:"created_at"`
+}
+
+// Service exposes CRUD for an admin's templates.
+type Service struct {
+	client    *dynamodb.Client
+	tableName string
+}
+
+// NewService returns a template Service.
+func NewService(client *dynamodb.Client, tableName string) *Service {
+	return &Service{client: client, tableName: tableName}
+}
+
+func userKey(userID string) string { return pkPrefix + userID }
+
+func newID() (string, error) {
+	b := make([]byte, 12)
+	if _, err := rand.Read(b); err != nil {
+		return "", err
+	}
+	return "tpl_" + hex.EncodeToString(b), nil
+}
+
+// Create stores a new template for the given user.
+func (s *Service) Create(ctx context.Context, userID, name, subject, body string) (*Template, error) {
+	name = strings.TrimSpace(name)
+	body = strings.TrimSpace(body)
+	if name == "" || body == "" {
+		return nil, ErrEmpty
+	}
+
+	existing, err := s.List(ctx, userID)
+	if err != nil {
+		return nil, err
+	}
+	if len(existing) >= MaxTemplatesPerUser {
+		return nil, ErrLimit
+	}
+
+	id, err := newID()
+	if err != nil {
+		return nil, err
+	}
+
+	t := &Template{
+		UserKey:   userKey(userID),
+		ID:        id,
+		Name:      name,
+		Subject:   strings.TrimSpace(subject),
+		Body:      body,
+		CreatedAt: time.Now().Unix(),
+	}
+
+	item, err := attributevalue.MarshalMap(t)
+	if err != nil {
+		return nil, err
+	}
+	_, err = s.client.PutItem(ctx, &dynamodb.PutItemInput{
+		TableName: &s.tableName,
+		Item:      item,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return t, nil
+}
+
+// List returns all templates for the user, newest first.
+func (s *Service) List(ctx context.Context, userID string) ([]*Template, error) {
+	out, err := s.client.Query(ctx, &dynamodb.QueryInput{
+		TableName:              &s.tableName,
+		KeyConditionExpression: aws.String("inbox_address = :pk"),
+		ExpressionAttributeValues: map[string]types.AttributeValue{
+			":pk": &types.AttributeValueMemberS{Value: userKey(userID)},
+		},
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	templates := make([]*Template, 0, len(out.Items))
+	for _, item := range out.Items {
+		var t Template
+		if err := attributevalue.UnmarshalMap(item, &t); err != nil {
+			continue
+		}
+		templates = append(templates, &t)
+	}
+	sort.Slice(templates, func(i, j int) bool {
+		return templates[i].CreatedAt > templates[j].CreatedAt
+	})
+	return templates, nil
+}
+
+// Delete removes a single template.
+func (s *Service) Delete(ctx context.Context, userID, id string) error {
+	_, err := s.client.DeleteItem(ctx, &dynamodb.DeleteItemInput{
+		TableName: &s.tableName,
+		Key: map[string]types.AttributeValue{
+			"inbox_address": &types.AttributeValueMemberS{Value: userKey(userID)},
+			"message_id":    &types.AttributeValueMemberS{Value: id},
+		},
+	})
+	return err
+}
diff --git a/terraform/api_gateway.tf b/terraform/api_gateway.tf
index 3826c7c..e8b51a7 100644
--- a/terraform/api_gateway.tf
+++ b/terraform/api_gateway.tf
@@ -199,6 +199,24 @@ resource "aws_apigatewayv2_route" "get_admin_users" {
   target    = "integrations/${aws_apigatewayv2_integration.api.id}"
 }
 
+resource "aws_apigatewayv2_route" "get_admin_templates" {
+  api_id    = aws_apigatewayv2_api.main.id
+  route_key = "GET /admin/templates"
+  target    = "integrations/${aws_apigatewayv2_integration.api.id}"
+}
+
+resource "aws_apigatewayv2_route" "post_admin_templates" {
+  api_id    = aws_apigatewayv2_api.main.id
+  route_key = "POST /admin/templates"
+  target    = "integrations/${aws_apigatewayv2_integration.api.id}"
+}
+
+resource "aws_apigatewayv2_route" "delete_admin_template" {
+  api_id    = aws_apigatewayv2_api.main.id
+  route_key = "DELETE /admin/templates/{id}"
+  target    = "integrations/${aws_apigatewayv2_integration.api.id}"
+}
+
 resource "aws_apigatewayv2_route" "post_admin_inbox" {
   api_id    = aws_apigatewayv2_api.main.id
   route_key = "POST /admin/inbox"

From 100acd099f2815164e26a1a5ea6148d4f1aba9c5 Mon Sep 17 00:00:00 2001
From: mqmalagris <63169613+mqmalagris@users.noreply.github.com>
Date: Fri, 1 May 2026 11:31:46 -0300
Subject: [PATCH 4/5] feat: read receipts on messages

Stamp read_at on the first GetMessage call via a conditional UpdateItem
(skips write if already set). MessageSummary now carries read_at so the
list renders unread rows in bold with a brighter dot and a subtle
border highlight; opening a message optimistically flips the row in
the client before the next poll lands.
---
 apps/web/src/components/InboxView.svelte   |  5 ++++
 apps/web/src/components/MessageList.svelte | 11 +++++----
 packages/shared/src/types.ts               |  2 ++
 services/internal/inbox/model.go           |  2 ++
 services/internal/inbox/repository.go      | 27 ++++++++++++++++++++++
 services/internal/inbox/service.go         | 15 ++++++++++--
 6 files changed, 56 insertions(+), 6 deletions(-)

diff --git a/apps/web/src/components/InboxView.svelte b/apps/web/src/components/InboxView.svelte
index 0c20e6e..2037265 100644
--- a/apps/web/src/components/InboxView.svelte
+++ b/apps/web/src/components/InboxView.svelte
@@ -169,6 +169,11 @@
 
   async function selectMessage(messageId: string) {
     selectedId = messageId;
+    // Optimistic: bold-out the row immediately, server stamps read_at on GET.
+    const now = Math.floor(Date.now() / 1000);
+    messages = messages.map((m) =>
+      m.message_id === messageId && !m.read_at ? { ...m, read_at: now } : m
+    );
     try {
       selectedMessage = await api.getMessage(inboxAddress, messageId, inboxToken);
     } catch {
diff --git a/apps/web/src/components/MessageList.svelte b/apps/web/src/components/MessageList.svelte
index 660a36d..fe915e1 100644
--- a/apps/web/src/components/MessageList.svelte
+++ b/apps/web/src/components/MessageList.svelte
@@ -31,21 +31,24 @@
     </div>
   {:else}
     {#each messages as msg, i}
+      {@const unread = !msg.read_at || msg.read_at === 0}
       <button
         onclick={() => onSelect(msg.message_id)}
         class="w-full text-left p-4 font-mono transition-all duration-200 rounded-sm border
           {selectedId === msg.message_id
             ? 'bg-neon/5 border-neon/30 glow-box'
-            : 'bg-slab/40 border-ghost/10 hover:bg-slab/70 hover:border-ghost/25'}"
+            : unread
+              ? 'bg-slab/60 border-neon/20 hover:bg-slab/80'
+              : 'bg-slab/40 border-ghost/10 hover:bg-slab/70 hover:border-ghost/25'}"
         style="animation: fadeUp 0.4s ease-out both; animation-delay: {i * 0.05}s;"
       >
         <div class="flex items-start justify-between gap-3">
           <div class="flex-1 min-w-0">
             <div class="flex items-center gap-2 mb-1">
-              <span class="w-1.5 h-1.5 rounded-full bg-neon flex-shrink-0"></span>
-              <span class="text-xs text-white truncate">{msg.from}</span>
+              <span class="w-1.5 h-1.5 rounded-full flex-shrink-0 {unread ? 'bg-neon' : 'bg-ghost/40'}"></span>
+              <span class="text-xs truncate {unread ? 'text-white font-bold' : 'text-white/70'}">{msg.from}</span>
             </div>
-            <div class="text-sm text-white/90 truncate mb-1">{msg.subject}</div>
+            <div class="text-sm truncate mb-1 {unread ? 'text-white font-bold' : 'text-white/70'}">{msg.subject}</div>
             <div class="text-[11px] text-muted truncate">{msg.preview}</div>
           </div>
           <div class="text-[10px] text-ghost flex-shrink-0 mt-0.5">
diff --git a/packages/shared/src/types.ts b/packages/shared/src/types.ts
index 0a8381e..f4eb51d 100644
--- a/packages/shared/src/types.ts
+++ b/packages/shared/src/types.ts
@@ -11,6 +11,7 @@ export interface MessageSummary {
   subject: string;
   received_at: number;
   preview: string;
+  read_at?: number;
 }
 
 export interface AttachmentMeta {
@@ -26,6 +27,7 @@ export interface MessageDetail extends MessageSummary {
   body_text: string;
   body_html: string;
   attachments?: AttachmentMeta[];
+  read_at?: number;
 }
 
 export interface CreateInboxResponse {
diff --git a/services/internal/inbox/model.go b/services/internal/inbox/model.go
index 049f665..b806f66 100644
--- a/services/internal/inbox/model.go
+++ b/services/internal/inbox/model.go
@@ -38,6 +38,7 @@ type Message struct {
 	TTL          int64            `dynamodbav:"ttl" json:"-"`
 	S3Key        string           `dynamodbav:"s3_key" json:"s3_key,omitempty"`
 	Attachments  []AttachmentMeta `dynamodbav:"attachments,omitempty" json:"attachments,omitempty"`
+	ReadAt       int64            `dynamodbav:"read_at,omitempty" json:"read_at,omitempty"`
 }
 
 // MessageSummary is a lightweight view for listing messages.
@@ -47,6 +48,7 @@ type MessageSummary struct {
 	Subject    string `json:"subject"`
 	ReceivedAt int64  `json:"received_at"`
 	Preview    string `json:"preview"`
+	ReadAt     int64  `json:"read_at,omitempty"`
 }
 
 // Inbox represents an inbox with its messages.
diff --git a/services/internal/inbox/repository.go b/services/internal/inbox/repository.go
index b0bde85..130c22e 100644
--- a/services/internal/inbox/repository.go
+++ b/services/internal/inbox/repository.go
@@ -2,6 +2,8 @@ package inbox
 
 import (
 	"context"
+	"errors"
+	"strconv"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue"
@@ -135,6 +137,31 @@ func (r *Repository) GetMessage(ctx context.Context, address, messageID string)
 	return &msg, err
 }
 
+// MarkMessageRead sets read_at on a message if it isn't already set.
+func (r *Repository) MarkMessageRead(ctx context.Context, address, messageID string, readAt int64) error {
+	_, err := r.client.UpdateItem(ctx, &dynamodb.UpdateItemInput{
+		TableName: &r.tableName,
+		Key: map[string]types.AttributeValue{
+			"inbox_address": &types.AttributeValueMemberS{Value: address},
+			"message_id":    &types.AttributeValueMemberS{Value: messageID},
+		},
+		UpdateExpression:    aws.String("SET read_at = :ra"),
+		ConditionExpression: aws.String("attribute_not_exists(read_at) OR read_at = :zero"),
+		ExpressionAttributeValues: map[string]types.AttributeValue{
+			":ra":   &types.AttributeValueMemberN{Value: strconv.FormatInt(readAt, 10)},
+			":zero": &types.AttributeValueMemberN{Value: "0"},
+		},
+	})
+	if err != nil {
+		// Conditional check failure means already-read; not an error to surface.
+		var ccfe *types.ConditionalCheckFailedException
+		if errors.As(err, &ccfe) {
+			return nil
+		}
+	}
+	return err
+}
+
 // DeleteMessage deletes a single message.
 func (r *Repository) DeleteMessage(ctx context.Context, address, messageID string) error {
 	_, err := r.client.DeleteItem(ctx, &dynamodb.DeleteItemInput{
diff --git a/services/internal/inbox/service.go b/services/internal/inbox/service.go
index a7cb30c..5096bfa 100644
--- a/services/internal/inbox/service.go
+++ b/services/internal/inbox/service.go
@@ -269,6 +269,7 @@ func (s *Service) GetInbox(ctx context.Context, address string) (*Inbox, error)
 			Subject:    m.Subject,
 			ReceivedAt: m.ReceivedAt,
 			Preview:    truncate(m.BodyText, 100),
+			ReadAt:     m.ReadAt,
 		})
 	}
 
@@ -279,9 +280,19 @@ func (s *Service) GetInbox(ctx context.Context, address string) (*Inbox, error)
 	}, nil
 }
 
-// GetMessage returns full message detail.
+// GetMessage returns full message detail and stamps read_at on first access.
 func (s *Service) GetMessage(ctx context.Context, address, messageID string) (*Message, error) {
-	return s.repo.GetMessage(ctx, address, messageID)
+	msg, err := s.repo.GetMessage(ctx, address, messageID)
+	if err != nil || msg == nil {
+		return msg, err
+	}
+	if msg.ReadAt == 0 {
+		now := time.Now().Unix()
+		if err := s.repo.MarkMessageRead(ctx, address, messageID, now); err == nil {
+			msg.ReadAt = now
+		}
+	}
+	return msg, nil
 }
 
 // DeleteMessage removes a single message.

From 37b03d100ecf6e59694a1a2129b5d45a4482d46e Mon Sep 17 00:00:00 2001
From: mqmalagris <63169613+mqmalagris@users.noreply.github.com>
Date: Fri, 1 May 2026 11:37:01 -0300
Subject: [PATCH 5/5] feat: inbox sharing for premium users
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Owners (premium) can grant another account read access to one of their
inboxes by entering the recipient's account email. The recipient
authenticates with their own api key when fetching the inbox; backend
authenticateInbox now allows owner OR shared_with match.

New endpoints (premium-gated for add):
  GET    /inbox/{addr}/shares
  POST   /inbox/{addr}/shares          { email }
  DELETE /inbox/{addr}/shares/{userId}

Shares are persisted as a string list on the inbox sentinel item; the
recipient surfaces them via direct URL for now (a "Shared with you"
listing for the recipient is left for v2 — no reverse index yet).

Account page grew an inline Share section per active inbox with email
input, error states for unknown email or self-share, and an inline
list with per-row remove.
---
 apps/web/src/components/AccountView.svelte | 120 +++++++++++++++++++--
 packages/shared/src/api-client.ts          |  21 ++++
 packages/shared/src/i18n/locales/en.ts     |  10 ++
 packages/shared/src/i18n/locales/es.ts     |  10 ++
 packages/shared/src/i18n/locales/fr.ts     |  10 ++
 packages/shared/src/i18n/locales/pt-BR.ts  |  10 ++
 services/internal/handler/api.go           | 111 ++++++++++++++++++-
 services/internal/inbox/model.go           |  23 ++--
 services/internal/inbox/repository.go      |  31 ++++++
 services/internal/inbox/service.go         |  51 +++++++++
 services/internal/user/service.go          |  10 ++
 terraform/api_gateway.tf                   |  18 ++++
 12 files changed, 407 insertions(+), 18 deletions(-)

diff --git a/apps/web/src/components/AccountView.svelte b/apps/web/src/components/AccountView.svelte
index e6eb69d..42df7f2 100644
--- a/apps/web/src/components/AccountView.svelte
+++ b/apps/web/src/components/AccountView.svelte
@@ -90,6 +90,59 @@
     }
   }
 
+  type ShareEntry = { user_id: string; email?: string };
+  let shareExpanded = $state("");
+  let shares = $state<ShareEntry[]>([]);
+  let shareEmail = $state("");
+  let shareError = $state("");
+  let sharing = $state(false);
+
+  async function openShares(addr: string) {
+    if (shareExpanded === addr) {
+      shareExpanded = "";
+      shares = [];
+      return;
+    }
+    shareExpanded = addr;
+    shareEmail = "";
+    shareError = "";
+    if (!user.apiKey) return;
+    try {
+      const res = await api.listInboxShares(addr, user.apiKey);
+      shares = res.shares || [];
+    } catch {
+      shares = [];
+    }
+  }
+
+  async function addShare() {
+    if (!user.apiKey || !shareExpanded || !shareEmail.trim()) return;
+    shareError = "";
+    sharing = true;
+    try {
+      const entry = await api.addInboxShare(shareExpanded, shareEmail.trim(), user.apiKey);
+      if (!shares.find((s) => s.user_id === entry.user_id)) {
+        shares = [...shares, entry];
+      }
+      shareEmail = "";
+    } catch (e: any) {
+      const msg = e?.message || "";
+      if (msg.includes("404")) shareError = t("shareUserNotFound");
+      else if (msg.includes("400")) shareError = t("shareSelf");
+      else shareError = t("genericError");
+    } finally {
+      sharing = false;
+    }
+  }
+
+  async function removeShare(uid: string) {
+    if (!user.apiKey || !shareExpanded) return;
+    try {
+      await api.removeInboxShare(shareExpanded, uid, user.apiKey);
+      shares = shares.filter((s) => s.user_id !== uid);
+    } catch { /* silent */ }
+  }
+
   async function loadPlanData() {
     if (!user.info?.user_id) return;
     try {
@@ -506,14 +559,65 @@
               </h3>
               <div class="space-y-2">
                 {#each activeInboxes as addr}
-                  <a
-                    href="/inbox/{addr}"
-                    class="flex items-center gap-2 p-2 bg-slab/40 border border-ghost/10 rounded-sm
-                      hover:border-neon/30 hover:bg-slab/60 transition-all duration-200"
-                  >
-                    <div class="w-1.5 h-1.5 rounded-full bg-neon"></div>
-                    <span class="text-xs font-mono text-white truncate">{addr}</span>
-                  </a>
+                  <div class="bg-slab/40 border border-ghost/10 rounded-sm hover:border-neon/30 transition-colors">
+                    <div class="flex items-center gap-2 p-2">
+                      <a
+                        href="/inbox/{addr}"
+                        class="flex items-center gap-2 flex-1 min-w-0"
+                      >
+                        <div class="w-1.5 h-1.5 rounded-full bg-neon flex-shrink-0"></div>
+                        <span class="text-xs font-mono text-white truncate">{addr}</span>
+                      </a>
+                      <button
+                        onclick={() => openShares(addr)}
+                        class="text-[10px] font-mono text-muted hover:text-neon transition-colors px-2 py-1"
+                      >
+                        {t("shareInbox")}
+                      </button>
+                    </div>
+
+                    {#if shareExpanded === addr}
+                      <div class="border-t border-ghost/15 p-3 space-y-2">
+                        <p class="text-[10px] font-mono text-muted">{t("shareInboxDescription")}</p>
+                        <div class="flex gap-2">
+                          <input
+                            type="email"
+                            bind:value={shareEmail}
+                            placeholder={t("shareEmailPlaceholder")}
+                            class="flex-1 bg-slab/50 border border-ghost/20 text-white text-[11px] font-mono px-2 py-1.5 rounded-sm
+                              focus:border-neon/40 focus:outline-none placeholder:text-ghost/40"
+                          />
+                          <button
+                            onclick={addShare}
+                            disabled={sharing || !shareEmail.trim()}
+                            class="px-2 py-1.5 text-[10px] font-mono border border-neon/40 text-neon
+                              hover:bg-neon/10 transition-all disabled:opacity-40"
+                          >
+                            {t("shareAdd")}
+                          </button>
+                        </div>
+                        {#if shareError}
+                          <div class="text-ember text-[11px] font-mono">{shareError}</div>
+                        {/if}
+                        {#if shares.length > 0}
+                          <div class="space-y-1">
+                            <div class="text-[10px] font-mono tracking-widest text-muted">{t("sharedWith")}</div>
+                            {#each shares as s}
+                              <div class="flex items-center justify-between gap-2 text-[11px] font-mono">
+                                <span class="text-white/80 truncate">{s.email || s.user_id}</span>
+                                <button
+                                  onclick={() => removeShare(s.user_id)}
+                                  class="text-ember/70 hover:text-ember text-[10px]"
+                                >
+                                  {t("shareRemove")}
+                                </button>
+                              </div>
+                            {/each}
+                          </div>
+                        {/if}
+                      </div>
+                    {/if}
+                  </div>
                 {/each}
               </div>
             </div>
diff --git a/packages/shared/src/api-client.ts b/packages/shared/src/api-client.ts
index 3701c6a..45c120d 100644
--- a/packages/shared/src/api-client.ts
+++ b/packages/shared/src/api-client.ts
@@ -157,5 +157,26 @@ export function createApiClient(baseUrl: string) {
         headers: { Authorization: `Bearer ${userApiKey}` },
       });
     },
+
+    listInboxShares: (address: string, userApiKey: string) =>
+      request<{ shares: { user_id: string; email?: string }[] }>(
+        `/inbox/${address}/shares`,
+        undefined,
+        userApiKey
+      ),
+
+    addInboxShare: (address: string, email: string, userApiKey: string) =>
+      request<{ user_id: string; email?: string }>(
+        `/inbox/${address}/shares`,
+        { method: "POST", body: JSON.stringify({ email }) },
+        userApiKey
+      ),
+
+    removeInboxShare: async (address: string, userId: string, userApiKey: string): Promise<void> => {
+      await fetch(`${baseUrl}/inbox/${address}/shares/${userId}`, {
+        method: "DELETE",
+        headers: { Authorization: `Bearer ${userApiKey}` },
+      });
+    },
   };
 }
diff --git a/packages/shared/src/i18n/locales/en.ts b/packages/shared/src/i18n/locales/en.ts
index 68d7e78..e83bb44 100644
--- a/packages/shared/src/i18n/locales/en.ts
+++ b/packages/shared/src/i18n/locales/en.ts
@@ -177,4 +177,14 @@ export const en: Record<TranslationKey, string> = {
   webhookRemove: "Remove",
   webhookActive: "Active",
   webhookInvalidUrl: "URL must start with https://",
+
+  // Inbox sharing
+  shareInbox: "Share inbox",
+  shareInboxDescription: "Grant read access to another user by their account email.",
+  shareEmailPlaceholder: "email@account.com",
+  shareAdd: "Add",
+  shareRemove: "Remove",
+  sharedWith: "Shared with",
+  shareUserNotFound: "No user with that email",
+  shareSelf: "You can't share with yourself",
 };
diff --git a/packages/shared/src/i18n/locales/es.ts b/packages/shared/src/i18n/locales/es.ts
index 8c77b6e..818de91 100644
--- a/packages/shared/src/i18n/locales/es.ts
+++ b/packages/shared/src/i18n/locales/es.ts
@@ -177,4 +177,14 @@ export const es: Record<TranslationKey, string> = {
   webhookRemove: "Eliminar",
   webhookActive: "Activo",
   webhookInvalidUrl: "La URL debe empezar con https://",
+
+  // Inbox sharing
+  shareInbox: "Compartir inbox",
+  shareInboxDescription: "Concede acceso de lectura a otro usuario por el email de su cuenta.",
+  shareEmailPlaceholder: "email@cuenta.com",
+  shareAdd: "Agregar",
+  shareRemove: "Quitar",
+  sharedWith: "Compartido con",
+  shareUserNotFound: "No hay usuario con ese email",
+  shareSelf: "No puedes compartir contigo mismo",
 };
diff --git a/packages/shared/src/i18n/locales/fr.ts b/packages/shared/src/i18n/locales/fr.ts
index b10cbc4..5741f63 100644
--- a/packages/shared/src/i18n/locales/fr.ts
+++ b/packages/shared/src/i18n/locales/fr.ts
@@ -177,4 +177,14 @@ export const fr: Record<TranslationKey, string> = {
   webhookRemove: "Supprimer",
   webhookActive: "Actif",
   webhookInvalidUrl: "L'URL doit commencer par https://",
+
+  // Inbox sharing
+  shareInbox: "Partager l'inbox",
+  shareInboxDescription: "Accordez un accès en lecture à un autre utilisateur par l'email de son compte.",
+  shareEmailPlaceholder: "email@compte.com",
+  shareAdd: "Ajouter",
+  shareRemove: "Retirer",
+  sharedWith: "Partagé avec",
+  shareUserNotFound: "Aucun utilisateur avec cet email",
+  shareSelf: "Vous ne pouvez pas partager avec vous-même",
 };
diff --git a/packages/shared/src/i18n/locales/pt-BR.ts b/packages/shared/src/i18n/locales/pt-BR.ts
index 1880978..893425b 100644
--- a/packages/shared/src/i18n/locales/pt-BR.ts
+++ b/packages/shared/src/i18n/locales/pt-BR.ts
@@ -175,6 +175,16 @@ export const ptBR = {
   webhookRemove: "Remover",
   webhookActive: "Ativo",
   webhookInvalidUrl: "A URL deve começar com https://",
+
+  // Inbox sharing
+  shareInbox: "Compartilhar inbox",
+  shareInboxDescription: "Conceda acesso de leitura a outro usuário pelo email da conta dele.",
+  shareEmailPlaceholder: "email@conta.com",
+  shareAdd: "Adicionar",
+  shareRemove: "Remover",
+  sharedWith: "Compartilhado com",
+  shareUserNotFound: "Nenhum usuário com esse email",
+  shareSelf: "Você não pode compartilhar consigo mesmo",
 } as const;
 
 export type TranslationKey = keyof typeof ptBR;
diff --git a/services/internal/handler/api.go b/services/internal/handler/api.go
index 6fbdf93..868b8f1 100644
--- a/services/internal/handler/api.go
+++ b/services/internal/handler/api.go
@@ -92,6 +92,12 @@ func (a *API) routeInternal(method string, parts []string) http.HandlerFunc {
 		return a.DeleteInbox
 	case method == "POST" && len(parts) == 3 && parts[0] == "inbox" && parts[2] == "forward":
 		return a.SetForward
+	case method == "GET" && len(parts) == 3 && parts[0] == "inbox" && parts[2] == "shares":
+		return a.ListInboxShares
+	case method == "POST" && len(parts) == 3 && parts[0] == "inbox" && parts[2] == "shares":
+		return a.AddInboxShare
+	case method == "DELETE" && len(parts) == 4 && parts[0] == "inbox" && parts[2] == "shares":
+		return a.RemoveInboxShare
 
 	// User routes
 	case method == "POST" && len(parts) == 2 && parts[0] == "user" && parts[1] == "register":
@@ -497,10 +503,16 @@ func (a *API) authenticateInbox(r *http.Request, address string) error {
 		return inbox.ErrUnauthorized
 	}
 	rec, err := a.inboxSvc.GetInboxRecord(r.Context(), address)
-	if err != nil || rec == nil || rec.UserID != u.UserID {
+	if err != nil || rec == nil {
 		return inbox.ErrUnauthorized
 	}
-	return nil
+	if rec.UserID == u.UserID {
+		return nil
+	}
+	if a.inboxSvc.IsSharedWith(rec, u.UserID) {
+		return nil
+	}
+	return inbox.ErrUnauthorized
 }
 
 func (a *API) authenticateUser(r *http.Request) (*user.UserRecord, error) {
@@ -679,6 +691,101 @@ func (a *API) GetMessage(w http.ResponseWriter, r *http.Request) {
 	writeJSON(w, http.StatusOK, msg)
 }
 
+func (a *API) requireOwner(r *http.Request, address string) (*inbox.InboxRecord, *user.UserRecord, error) {
+	u, err := a.authenticateUser(r)
+	if err != nil {
+		return nil, nil, err
+	}
+	rec, err := a.inboxSvc.GetInboxRecord(r.Context(), address)
+	if err != nil {
+		return nil, nil, err
+	}
+	if rec == nil || rec.UserID != u.UserID {
+		return nil, nil, user.ErrUnauthorized
+	}
+	return rec, u, nil
+}
+
+func (a *API) ListInboxShares(w http.ResponseWriter, r *http.Request) {
+	parts := strings.Split(strings.Trim(r.URL.Path, "/"), "/")
+	address := parts[1]
+
+	rec, _, err := a.requireOwner(r, address)
+	if err != nil {
+		writeJSON(w, http.StatusUnauthorized, map[string]string{"error": "unauthorized"})
+		return
+	}
+
+	shares := make([]inbox.InboxShare, 0, len(rec.SharedWith))
+	for _, uid := range rec.SharedWith {
+		share := inbox.InboxShare{UserID: uid}
+		if u, err := a.userSvc.LookupByID(r.Context(), uid); err == nil && u != nil {
+			share.Email = u.Email
+		}
+		shares = append(shares, share)
+	}
+	writeJSON(w, http.StatusOK, map[string]any{"shares": shares})
+}
+
+func (a *API) AddInboxShare(w http.ResponseWriter, r *http.Request) {
+	parts := strings.Split(strings.Trim(r.URL.Path, "/"), "/")
+	address := parts[1]
+
+	_, owner, err := a.requireOwner(r, address)
+	if err != nil {
+		writeJSON(w, http.StatusUnauthorized, map[string]string{"error": "unauthorized"})
+		return
+	}
+	if owner.Tier != user.TierPremium {
+		writeJSON(w, http.StatusForbidden, map[string]string{"error": "premium feature"})
+		return
+	}
+
+	var body struct {
+		Email string `json:"email"`
+	}
+	if err := readJSON(r, &body); err != nil || body.Email == "" {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "email is required"})
+		return
+	}
+
+	target, err := a.userSvc.LookupByEmail(r.Context(), strings.ToLower(strings.TrimSpace(body.Email)))
+	if err != nil {
+		writeJSON(w, http.StatusInternalServerError, map[string]string{"error": "failed to look up user"})
+		return
+	}
+	if target == nil {
+		writeJSON(w, http.StatusNotFound, map[string]string{"error": "no user with that email"})
+		return
+	}
+	if target.UserID == owner.UserID {
+		writeJSON(w, http.StatusBadRequest, map[string]string{"error": "cannot share with yourself"})
+		return
+	}
+
+	if err := a.inboxSvc.AddShare(r.Context(), address, target.UserID); err != nil {
+		writeJSON(w, http.StatusInternalServerError, map[string]string{"error": "failed to add share"})
+		return
+	}
+	writeJSON(w, http.StatusOK, inbox.InboxShare{UserID: target.UserID, Email: target.Email})
+}
+
+func (a *API) RemoveInboxShare(w http.ResponseWriter, r *http.Request) {
+	parts := strings.Split(strings.Trim(r.URL.Path, "/"), "/")
+	address := parts[1]
+	shareUserID := parts[3]
+
+	if _, _, err := a.requireOwner(r, address); err != nil {
+		writeJSON(w, http.StatusUnauthorized, map[string]string{"error": "unauthorized"})
+		return
+	}
+	if err := a.inboxSvc.RemoveShare(r.Context(), address, shareUserID); err != nil {
+		writeJSON(w, http.StatusInternalServerError, map[string]string{"error": "failed to remove share"})
+		return
+	}
+	w.WriteHeader(http.StatusNoContent)
+}
+
 func (a *API) GetAttachment(w http.ResponseWriter, r *http.Request) {
 	parts := strings.Split(strings.Trim(r.URL.Path, "/"), "/")
 	address := parts[1]
diff --git a/services/internal/inbox/model.go b/services/internal/inbox/model.go
index b806f66..4960b9c 100644
--- a/services/internal/inbox/model.go
+++ b/services/internal/inbox/model.go
@@ -2,14 +2,21 @@ package inbox
 
 // InboxRecord represents a registered inbox in DynamoDB.
 type InboxRecord struct {
-	InboxAddress string `dynamodbav:"inbox_address" json:"address"`
-	MessageID    string `dynamodbav:"message_id" json:"-"`
-	Token        string `dynamodbav:"token" json:"-"`
-	UserID       string `dynamodbav:"user_id,omitempty" json:"-"`
-	ForwardTo    string `dynamodbav:"forward_to,omitempty" json:"forward_to,omitempty"`
-	CreatedAt    int64  `dynamodbav:"received_at" json:"created_at"`
-	TTL          int64  `dynamodbav:"ttl" json:"-"`
-	ExpiresAt    int64  `dynamodbav:"expires_at" json:"expires_at"`
+	InboxAddress string   `dynamodbav:"inbox_address" json:"address"`
+	MessageID    string   `dynamodbav:"message_id" json:"-"`
+	Token        string   `dynamodbav:"token" json:"-"`
+	UserID       string   `dynamodbav:"user_id,omitempty" json:"-"`
+	SharedWith   []string `dynamodbav:"shared_with,omitempty" json:"-"`
+	ForwardTo    string   `dynamodbav:"forward_to,omitempty" json:"forward_to,omitempty"`
+	CreatedAt    int64    `dynamodbav:"received_at" json:"created_at"`
+	TTL          int64    `dynamodbav:"ttl" json:"-"`
+	ExpiresAt    int64    `dynamodbav:"expires_at" json:"expires_at"`
+}
+
+// InboxShare is the public-facing shape used in /inbox/{addr}/shares responses.
+type InboxShare struct {
+	UserID string `json:"user_id"`
+	Email  string `json:"email,omitempty"`
 }
 
 const InboxSentinel = "__inbox__"
diff --git a/services/internal/inbox/repository.go b/services/internal/inbox/repository.go
index 130c22e..947d4f4 100644
--- a/services/internal/inbox/repository.go
+++ b/services/internal/inbox/repository.go
@@ -57,6 +57,37 @@ func (r *Repository) GetInboxRecord(ctx context.Context, address string) (*Inbox
 	return &record, err
 }
 
+// SetSharedWith replaces the shared_with list for an inbox.
+func (r *Repository) SetSharedWith(ctx context.Context, address string, userIDs []string) error {
+	if len(userIDs) == 0 {
+		_, err := r.client.UpdateItem(ctx, &dynamodb.UpdateItemInput{
+			TableName: &r.tableName,
+			Key: map[string]types.AttributeValue{
+				"inbox_address": &types.AttributeValueMemberS{Value: address},
+				"message_id":    &types.AttributeValueMemberS{Value: InboxSentinel},
+			},
+			UpdateExpression: aws.String("REMOVE shared_with"),
+		})
+		return err
+	}
+	values := make([]types.AttributeValue, 0, len(userIDs))
+	for _, id := range userIDs {
+		values = append(values, &types.AttributeValueMemberS{Value: id})
+	}
+	_, err := r.client.UpdateItem(ctx, &dynamodb.UpdateItemInput{
+		TableName: &r.tableName,
+		Key: map[string]types.AttributeValue{
+			"inbox_address": &types.AttributeValueMemberS{Value: address},
+			"message_id":    &types.AttributeValueMemberS{Value: InboxSentinel},
+		},
+		UpdateExpression: aws.String("SET shared_with = :sw"),
+		ExpressionAttributeValues: map[string]types.AttributeValue{
+			":sw": &types.AttributeValueMemberL{Value: values},
+		},
+	})
+	return err
+}
+
 // SetForwardTo updates the forwarding address for an inbox.
 func (r *Repository) SetForwardTo(ctx context.Context, address, forwardTo string) error {
 	_, err := r.client.UpdateItem(ctx, &dynamodb.UpdateItemInput{
diff --git a/services/internal/inbox/service.go b/services/internal/inbox/service.go
index 5096bfa..95505d0 100644
--- a/services/internal/inbox/service.go
+++ b/services/internal/inbox/service.go
@@ -305,6 +305,57 @@ func (s *Service) DeleteInbox(ctx context.Context, address string) error {
 	return s.repo.DeleteInbox(ctx, address)
 }
 
+// AddShare adds a user_id to the inbox's shared_with list. Caller is
+// responsible for verifying ownership and that the user_id corresponds to a
+// real account.
+func (s *Service) AddShare(ctx context.Context, address, userID string) error {
+	rec, err := s.repo.GetInboxRecord(ctx, address)
+	if err != nil {
+		return err
+	}
+	if rec == nil {
+		return ErrUnauthorized
+	}
+	for _, existing := range rec.SharedWith {
+		if existing == userID {
+			return nil
+		}
+	}
+	updated := append(append([]string{}, rec.SharedWith...), userID)
+	return s.repo.SetSharedWith(ctx, address, updated)
+}
+
+// RemoveShare drops a user_id from the inbox's shared_with list.
+func (s *Service) RemoveShare(ctx context.Context, address, userID string) error {
+	rec, err := s.repo.GetInboxRecord(ctx, address)
+	if err != nil {
+		return err
+	}
+	if rec == nil {
+		return ErrUnauthorized
+	}
+	out := make([]string, 0, len(rec.SharedWith))
+	for _, existing := range rec.SharedWith {
+		if existing != userID {
+			out = append(out, existing)
+		}
+	}
+	return s.repo.SetSharedWith(ctx, address, out)
+}
+
+// IsSharedWith returns true if the inbox grants read access to userID.
+func (s *Service) IsSharedWith(rec *InboxRecord, userID string) bool {
+	if rec == nil || userID == "" {
+		return false
+	}
+	for _, id := range rec.SharedWith {
+		if id == userID {
+			return true
+		}
+	}
+	return false
+}
+
 // SetForward sets the forwarding address for an inbox (premium only).
 func (s *Service) SetForward(ctx context.Context, address, forwardTo string) error {
 	return s.repo.SetForwardTo(ctx, address, forwardTo)
diff --git a/services/internal/user/service.go b/services/internal/user/service.go
index daf8e98..2345b4a 100644
--- a/services/internal/user/service.go
+++ b/services/internal/user/service.go
@@ -301,6 +301,16 @@ func (s *Service) DeleteAccount(ctx context.Context, userID string) error {
 	return s.repo.DeleteUser(ctx, userID)
 }
 
+// LookupByEmail returns the user with the given email or nil if not found.
+func (s *Service) LookupByEmail(ctx context.Context, email string) (*UserRecord, error) {
+	return s.repo.GetUserByEmail(ctx, email)
+}
+
+// LookupByID returns the user with the given user_id or nil if not found.
+func (s *Service) LookupByID(ctx context.Context, userID string) (*UserRecord, error) {
+	return s.repo.GetUserByID(ctx, userID)
+}
+
 // SetTier updates a user's tier (for admin/webhook use).
 func (s *Service) SetTier(ctx context.Context, userID, tier string) error {
 	noAds := tier == TierPremium
diff --git a/terraform/api_gateway.tf b/terraform/api_gateway.tf
index e8b51a7..e11e24a 100644
--- a/terraform/api_gateway.tf
+++ b/terraform/api_gateway.tf
@@ -91,6 +91,24 @@ resource "aws_apigatewayv2_route" "get_attachment" {
   target    = "integrations/${aws_apigatewayv2_integration.api.id}"
 }
 
+resource "aws_apigatewayv2_route" "get_inbox_shares" {
+  api_id    = aws_apigatewayv2_api.main.id
+  route_key = "GET /inbox/{address}/shares"
+  target    = "integrations/${aws_apigatewayv2_integration.api.id}"
+}
+
+resource "aws_apigatewayv2_route" "post_inbox_share" {
+  api_id    = aws_apigatewayv2_api.main.id
+  route_key = "POST /inbox/{address}/shares"
+  target    = "integrations/${aws_apigatewayv2_integration.api.id}"
+}
+
+resource "aws_apigatewayv2_route" "delete_inbox_share" {
+  api_id    = aws_apigatewayv2_api.main.id
+  route_key = "DELETE /inbox/{address}/shares/{userId}"
+  target    = "integrations/${aws_apigatewayv2_integration.api.id}"
+}
+
 resource "aws_apigatewayv2_route" "delete_inbox" {
   api_id    = aws_apigatewayv2_api.main.id
   route_key = "DELETE /inbox/{address}"