data/ with hashed passwords (bcrypt).ADMIN_USER): full access; cannot be deleted or demoted; only superadmin may delete superadmin’s messages./, /login only; all /secure/* requires login.GET / — This guide.GET /login — Login form.POST /login — Sign in with username/password.POST /logout — Sign out.GET /secure/messages — Form + latest messages.POST /secure/messages — Add a message (body: text).POST /secure/messages/:id/delete — Delete (author; admin; superadmin — only superadmin can delete superadmin messages).GET /secure/account — Change password form.POST /secure/account/password — Update password (body: currentPassword, newPassword, confirmPassword).GET /secure/users — List users, add user, set roles.POST /secure/users — Add user (body: username, password); role defaults to user.POST /secure/users/:username/role — Set role to user or admin (cannot change original superadmin).POST /secure/users/:username/delete — Delete user (cannot delete original superadmin).data/users.json — [{ username, passwordHash, role }]data/messages.json — [{ id, text, at, user }]users.json exists): ADMIN_USER (default admin), ADMIN_PASS (default admin).SESSION_SECRET in production (long random string)./secure/account to create a hashed record.npm install then npm start.http://127.0.0.1:3000/login → sign in (admin/admin unless overridden)./secure/messages • Account: /secure/account • Users: /secure/users (admin only).data/ and persists across deploys.main).Token-based API usage will be documented here later.