admin Posts (NOTE_UNLOCK): readonly input + 'No response needed' placeholder + secUser focus glow + buddy btn suppressed + view POST 403 + Line.admin_solicited listener nukes errant writes; share Lines: drop ts suffix, author = sharer (adman fallback for anon legacy), silent no-op on re-share — TDD
All checks were successful
ci/woodpecker/push/pyswiss Pipeline was successful
ci/woodpecker/push/main Pipeline was successful

- billboard/0005 adds Line.admin_solicited (BooleanField default False); RunPython backfills existing note_unlock Lines to True. Note.grant_if_new sets admin_solicited=True on its system prose.
  - billboard.models post_save signal: any Line saved on a Post.kind=NOTE_UNLOCK without admin_solicited=True is deleted (defense-in-depth alongside the view guard).
  - billboard.views.view_post hard-rejects POST on NOTE_UNLOCK kind (HTTP 403) — clean view-level contract; the post_save listener is the safety net for ORM/API paths that bypass it.
  - templates/apps/billboard/post.html: NOTE_UNLOCK branch renders the input as readonly w. 'No response needed at this time' placeholder + no method/action; user_post branch keeps the regular composer. Buddy panel include guarded behind `{% if post.kind != 'note_unlock' %}` — friend invites don't apply to admin threads.
  - SCSS: .post-line-form input.form-control[readonly]:focus uses --secUser glow (cooler than the regular --terUser composer focus).
  - share_post: drop the iso-timestamp suffix on Line.text (just 'Shared with {email}'); author = request.user (anon legacy fallback to adman so AnonymousUser doesn't break the FK); re-share of an already-in-shared_with recipient is a silent no-op (no second Line, brief: null in JSON response). Buddy panel JS now reads data-sharer-name from server-rendered display_name so the optimistic _appendLine matches the post-refresh state.
  - new ITs: test_admin_posts (PostRejectsAdminWritesTest, UnsolicitedLineListenerTest, NoteGrantSetsAdminSolicitedTest) — 7 tests; share_post tests rewritten for the new contract (drop ts, author=sharer, silent re-share dedup) — 12 tests; new FT test_admin_post_readonly w. AdminPostInputReadonlyTest + AdminPostHasNoBuddyBtnTest + UserPostInputUnaffectedTest — 4 tests. 827 ITs + 18 buddy/sharing FTs green.

Code architected by Disco DeDisco <discodedisco@outlook.com>
Git commit message Co-Authored-By:
Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Disco DeDisco
2026-05-08 21:52:34 -04:00
parent 6f76f6c176
commit b3eb14140c
10 changed files with 427 additions and 51 deletions
@@ -8,7 +8,6 @@ from django.http import HttpResponseForbidden, JsonResponse
from django.shortcuts import redirect, render
from apps.applets.utils import applet_context, apply_applet_toggle
from django.utils import timezone
from apps.billboard.forms import ExistingPostLineForm, LineForm
from apps.billboard.models import Brief, Line, Post
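Review bot: the header (`-8,7 +8,6`) shows one line dropped from this import block, but the `+`/`-` markers did not survive extraction, so the removed import is not visible; if it is `from django.utils import timezone` (consistent with `share_post` no longer calling `timezone.now()` below), confirm nothing else in views.py still references `timezone`, since a leftover use would only surface as a NameError at request time. A quick linter pass over the file (pyflakes or ruff) would settle it.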
@@ -264,6 +263,13 @@ def view_post(request, post_id):
if request.user != our_post.owner and request.user not in our_post.shared_with.all():
return HttpResponseForbidden()
# Admin-Post (note-unlock thread) hard write-rejection — the per-Line
# signal in billboard.models nukes any Line that bypasses this guard,
# but at the view level we want a clean 403 so the FT/IT contract is
# explicit and the client never sees a silent line vanish.
if our_post.kind == Post.KIND_NOTE_UNLOCK and request.method == "POST":
return HttpResponseForbidden()
form = ExistingPostLineForm(for_post=our_post)
if request.method == "POST":
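Review bot: the new guard returns a bare `HttpResponseForbidden()` for every POST on a NOTE_UNLOCK post, including AJAX callers, whereas `share_post` in this same file branches on `is_ajax` and answers with JSON; consider `JsonResponse({"error": ...}, status=403)` on that path so the client can show a message instead of failing silently. The ordering is right: the owner/shared_with check runs first, so an unrelated user gets 403 without learning the post kind. One drift risk: the view compares against `Post.KIND_NOTE_UNLOCK` while the template (per the commit message) tests the string literal `'note_unlock'`; using the constant in both places keeps them from diverging.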
@@ -315,30 +321,39 @@ def share_post(request, post_id):
return JsonResponse({"brief": None, "line_text": ""})
return redirect(our_post)
if recipient is not None:
# Re-share dedup: if the recipient is already in shared_with (registered
# email previously shared), skip the Line + Brief — silent no-op.
# `add()` itself is idempotent on M2M, but we want the JSON response to
# signal "nothing happened" so the JS can suppress the banner.
is_reshare = recipient is not None and recipient in our_post.shared_with.all()
if recipient is not None and not is_reshare:
our_post.shared_with.add(recipient)
# Always append a Line + spawn a Brief for the sharer — privacy: the
# response shape mustn't leak whether the email is on the system. Line
# text carries an isoformat timestamp w/ microseconds so two rapid
# shares of the same email don't collide on the
# Line.unique_together(post, text) constraint. System-authored as adman
# so the per-line "username" column renders the share announcement.
line_text = (
f"Shared with {recipient_email} at {timezone.now().isoformat()}"
)
adman = get_or_create_adman()
line = Line.objects.create(post=our_post, text=line_text, author=adman)
line = None
brief = None
if request.user.is_authenticated:
brief = Brief.objects.create(
owner=request.user,
post=our_post,
line=line,
kind=Brief.KIND_SHARE_INVITE,
title="Invite sent",
line_text = ""
if not is_reshare:
# Plain "Shared with X" — timestamp display lives on the per-Line
# `<time>` element, not in the prose. Author = sharer (post owner)
# so the per-line "username" column attributes correctly. Anonymous
# shares (legacy Percival ch. 19 ownerless-post path) fall back to
# adman since AnonymousUser can't be FK'd. Privacy: we still create
# the Line + Brief even when the address is unregistered, so the
# response doesn't leak membership.
line_text = f"Shared with {recipient_email}"
author = request.user if request.user.is_authenticated else get_or_create_adman()
line = Line.objects.create(
post=our_post, text=line_text, author=author,
)
if request.user.is_authenticated:
brief = Brief.objects.create(
owner=request.user,
post=our_post,
line=line,
kind=Brief.KIND_SHARE_INVITE,
title="Invite sent",
)
if is_ajax:
# recipient_display is populated only when the address resolves to a
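Review bot: dropping the timestamp reintroduces the collision the deleted comment warned about on `Line.unique_together(post, text)`, because `is_reshare` can only be True when `recipient` resolves to a registered user: a second share of the same unregistered address has `recipient is None`, skips the dedup, and tries to create another Line with the identical text `Shared with {email}`, which should raise IntegrityError. That also undercuts the privacy comment right above it, since a registered address re-shares as a silent no-op while an unregistered one errors out, a difference a caller can observe. Suggest deduping on the Line itself, e.g. computing `line_text` first and setting `is_reshare = Line.objects.filter(post=our_post, text=line_text).exists()` (or using `get_or_create`), so both branches behave identically. Minor: `recipient in our_post.shared_with.all()` loads the whole M2M into Python; `our_post.shared_with.filter(pk=recipient.pk).exists()` is the usual form.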