e11

Manch · The public canvas

A whiteboard the public can walk up to. On infrastructure we own.

Manch is the first Eleven11 surface that takes signup from the open internet. A tldraw canvas, a share-link your prospect opens without an account, and a promotion path that converts that anonymous viewer into an editor in your workspace the moment they sign in.

Boards on our Postgres. Assets on our disk. Auth, mail, and rotation under the same hands that run every other Eleven11 service.

Surface signal

Status: LIVE

Access: Walk-up

Workspace: manch.eleven11.pro

Why this exists

The whiteboard your team shares with the public — without renting one.

Most collaborative whiteboards are someone else's tenant. Your sketches, your customer maps, your sprint diagrams sit on a vendor's database, behind a vendor's auth, priced by a vendor's seat math. Manch is what we built when we wanted Miro's walk-up shape — open a link, draw together, share with anyone — but on infrastructure we own and operate.

It is the canvas a teammate opens in a browser, the link a prospect opens without an account, and the editor that promotes that prospect into your workspace the moment they sign in. One product, three audiences, no vendor in the middle.

Self-sustained by design

Owned, not rented.

Manch is the only Eleven11 product the public can sign up for — and that is exactly why the substrate underneath it has to be ours. A walk-up surface on someone else's infrastructure is a pricing notice waiting to land in your inbox.

01

The only public-facing sibling, on our own box

Architect, operator, dhara, cal, outreach, alerts, kosh — all internal-only or CF-Access-gated. Manch is the one Eleven11 surface that takes walk-up signup from the open internet, and it runs on the same Hetzner box, the same e11-edge network, the same operator hands as the rest of the fleet.

02

Boards in our Postgres, not someone else's cloud

Every board, every snapshot, every share-link hash sits in a Postgres 16 sidecar at /data/docker/apps/e11-manch. No external storage vendor reading your strokes. No third-party CDN holding your customer journey map for ransom.

03

Your assets on disk, not on a vendor bucket

Image paste and drop write to a workspace+board scoped path under MANCH_ASSET_ROOT, served back through an authenticated GET. 10MB cap, five image mimes, audited at the path level. No S3, no Cloudinary, no opaque CDN intermediating your screenshots.

04

Auth that the operator controls end to end

Google OAuth and magic-link via Auth.js v5, HMAC-signed manch_session cookie, 12h TTL, revocable by row. Magic-links go out through the e11 mailserver socket on the same box. No third-party auth vendor in the path between your prospect and their first stroke.
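As an added illustration (not Manch's own code), this sketch shows one way an HMAC-signed session cookie with a 12h TTL and row-level revocation can be verified. The cookie layout, the field names and the `isLive` lookup are assumptions; the page names only the `manch_session` cookie, the HMAC signature, the TTL and revocation by row.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

const SESSION_TTL_MS = 12 * 60 * 60 * 1000; // 12h TTL from the page

// Assumed layout: base64url(JSON payload) + "." + base64url(HMAC-SHA256 tag).
interface SessionPayload { sid: string; userId: string; exp: number }

const mac = (key: Buffer, data: string): Buffer =>
  createHmac("sha256", key).update(data).digest();

function signSession(key: Buffer, sid: string, userId: string, now: number): string {
  const payload: SessionPayload = { sid, userId, exp: now + SESSION_TTL_MS };
  const body = Buffer.from(JSON.stringify(payload)).toString("base64url");
  return body + "." + mac(key, body).toString("base64url");
}

// isLive is a hypothetical stand-in for the session-row lookup that makes
// a cookie revocable before its TTL runs out.
function verifySession(
  key: Buffer,
  cookie: string,
  now: number,
  isLive: (sid: string) => boolean,
): SessionPayload | null {
  const dot = cookie.indexOf(".");
  if (dot <= 0) return null;
  const body = cookie.slice(0, dot);
  const given = Buffer.from(cookie.slice(dot + 1), "base64url");
  const expected = mac(key, body);
  // Check the tag first, so unauthenticated bytes never reach JSON.parse.
  // timingSafeEqual throws on unequal lengths, hence the length guard.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const payload = JSON.parse(Buffer.from(body, "base64url").toString("utf8")) as SessionPayload;
  if (payload.exp <= now) return null;   // past the 12h TTL
  if (!isLive(payload.sid)) return null; // row deleted: session revoked
  return payload;
}
```
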

05

Promotion, not pricing, is the funnel

Anonymous viewer to editor to workspace member is a transaction in the database, not a paywall to clear. Free for everyone in v1; plan-shape data exists, enforcement does not. We earn the upgrade later, by being the surface teams keep returning to.

The primitive

Three things you can name. Typed.

Manch is built on a small, opinionated trio — a board to draw on, a share-link to hand out, and a workspace to own them. Promotion between roles is a database transaction, not a workflow rule.

01 · Canvas

Board

/app/<ws>/b/<slug>

A tldraw canvas with auto-saved snapshots and image paste. Slug is permanent after creation; the workspace owns it. Snapshot is one row per board, upserted by the sync server — no history table, no version graveyard in v1.

02 · Bearer

Share-link

/v/<token>

A 22-char base32 bearer the owner issues. We store sha256(token) — never the cleartext. Default 30-day TTL, owner-rotatable. The token is the entire access-control surface for anonymous viewers.

03 · Tenancy

Workspace

/app/<ws>

Architect's table shape — manch_workspaces plus manch_tenants composite-PK. Auto-provisioned on first signup with a slug derived from the email local-part. Multi-member, Miro-style, with a free-tier ceiling of 22 boards and 11 members.

How it fits the fleet

The walk-up door to a stack of internal tools.

Manch is the first thing a stranger can touch in the Eleven11 fleet. Behind it sits architect, kosh, alerts, outreach, dhara, operator — all internal, all reading from the same workspace shape Manch writes into when an anonymous viewer signs up.

architect

manch.recent-boards publishes through the WIDGET-CONTRACT envelope; Architect mounts it on /today and matter pages. Your most-recently-edited canvas lives next to the prose that references it.

alerts

Snapshot-save failures and abuse-suspect viewer-anon connections route through alerts-api. The audit trail is the same one operations watches across the fleet.

kosh

Boards are resources, the same way Kosh tables are resources. Both publish GET /v1/resources for CHANNEL-HUB. Both belong to the same workspace shape.

outreach

A share-link is the cheapest first touch — drop the URL into a campaign, the prospect opens a real artifact rather than a deck PDF. Authority signal for a self-built stack.

operator

Same docker compose pattern, same e11-edge network, same SECRETS.md rotator entries. Manch is not a special case — it is one more stack the operator already knows how to run.

dhara

An audit finding can land on a manch board as a drawn diagram before it lands in the matter. Visual-thinking surface for the freeform sketches that precede formal write-ups.

Surfaces & contracts

Six routes. One walk-up door.

Manch's URL space is small on purpose. Two are public, three sit behind requireManchSession(), one is for Caddy. No tab graveyard.

/

Public landing

Editorial value-prop with sign-in CTAs. The walk-up surface; no auth required.

/v/<token>

Anonymous viewer

Read-only tldraw mount with signup-to-edit CTA. The PLG hook — open without an account, promote on signup.

/app/<ws>/b

Board list

Workspace-scoped board list plus shared-with-me library. Gated by requireManchSession() and workspace membership.

/app/<ws>/b/<slug>

Editor

Full tldraw mount with brand chrome, image paste, snapshot persistence. Present-mode toggle is one query param away.

/app/inbox

Cross-workspace shared

Boards in other workspaces where you are a board-member but not a workspace-member. Where promoted-from-share-link boards live.

/api/health

Health

Public liveness check for Caddy and Cloudflare. The only public API endpoint.

Senior engineering, visible

The proofs are in the substrate.

Five decisions visible in the migrations, the auth gate, and the bearer-token storage — not adjectives, design choices a public-facing surface earns the right to make.

Hand-authored idempotent migrations

Every ALTER wrapped in DO $$ BEGIN ... EXCEPTION WHEN duplicate_* THEN NULL END; tables and indexes use IF NOT EXISTS. Orphan SQL files are silently skipped at boot — journal entry and migration land in the same commit. No drizzle-kit generate.

Cross-workspace access returns 404, not 403

A leak that says 'forbidden' is a leak that confirms the resource exists. Manch returns not-found on cross-workspace mutation attempts to remove the enumeration vector. Same posture across the fleet.
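The difference is easiest to see side by side. The sketch below is an added example, not Manch's code; the data shapes, the handler names and the `leaksExistence` regression check are all hypothetical. It assumes editors are either workspace members or per-board members, as the route descriptions above suggest.

```typescript
interface Board { ws: string; slug: string; boardMembers: Set<string> }
interface Db { boards: Board[]; wsMembers: Map<string, Set<string>> }
interface Reply { status: number; body: string }

// Editors are workspace members or per-board members (promoted share-link viewers).
function canEdit(db: Db, userId: string, board: Board): boolean {
  const members = db.wsMembers.get(board.ws);
  return (members !== undefined && members.has(userId)) || board.boardMembers.has(userId);
}

function findBoard(db: Db, ws: string, slug: string): Board | undefined {
  return db.boards.find((b) => b.ws === ws && b.slug === slug);
}

// Leaky variant, for contrast: the 403 tells an outsider that the slug is taken.
function renameBoardLeaky(db: Db, userId: string, ws: string, slug: string, title: string): Reply {
  const board = findBoard(db, ws, slug);
  if (!board) return { status: 404, body: "not found" };
  if (!canEdit(db, userId, board)) return { status: 403, body: "forbidden" };
  return { status: 200, body: "renamed to " + title };
}

// Hardened variant: "missing" and "not yours" take the same branch and return
// the same status and body, so the reply carries no existence signal.
function renameBoard(db: Db, userId: string, ws: string, slug: string, title: string): Reply {
  const board = findBoard(db, ws, slug);
  if (!board || !canEdit(db, userId, board)) return { status: 404, body: "not found" };
  return { status: 200, body: "renamed to " + title };
}

// Regression check: true when an outsider can tell a real board from a missing one.
function leaksExistence(
  handler: typeof renameBoard, db: Db, outsider: string,
  ws: string, realSlug: string, fakeSlug: string,
): boolean {
  const a = handler(db, outsider, ws, realSlug, "x");
  const b = handler(db, outsider, ws, fakeSlug, "x");
  return a.status !== b.status || a.body !== b.body;
}
```

A check like `leaksExistence` is worth keeping in the test suite, because a later guard that returns early with a different status or body reopens the oracle.
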

Bearer tokens hashed at rest

Share-link tokens and magic-link tokens are hashed with sha256 before the database sees them. Constant-time compare on validation. The cleartext token never touches a row, a log, or a backup.
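The share-link lifecycle described here and under "Share-link" above (22-char base32 bearer, sha256 at rest, 30-day default TTL, owner rotation, constant-time compare) can be sketched as follows. This is an added example, not Manch's code: the RFC 4648 alphabet, the in-memory `rows` array standing in for the Postgres table, and every function name are assumptions.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

const ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"; // assumed RFC 4648 base32 alphabet
const TOKEN_LEN = 22; // 22 chars x 5 bits = 110 bits of entropy
const DEFAULT_TTL_MS = 30 * 24 * 60 * 60 * 1000; // 30-day default from the page

interface ShareLinkRow { boardId: string; tokenHash: Buffer; expiresAt: number }

const sha256 = (s: string): Buffer => createHash("sha256").update(s, "utf8").digest();

// 256 is a multiple of 32, so masking each random byte to 5 bits is unbiased.
function newToken(): string {
  return Array.from(randomBytes(TOKEN_LEN), (b) => ALPHABET[b & 31]).join("");
}

// Returns the cleartext once, for the owner's URL; only the hash is persisted.
function issueShareLink(rows: ShareLinkRow[], boardId: string, now: number): string {
  const token = newToken();
  rows.push({ boardId, tokenHash: sha256(token), expiresAt: now + DEFAULT_TTL_MS });
  return token;
}

// Rotation replaces the stored hash, so every copy of the old URL stops resolving.
function rotateShareLink(rows: ShareLinkRow[], boardId: string, now: number): string {
  const kept = rows.filter((r) => r.boardId !== boardId);
  rows.length = 0;
  rows.push(...kept);
  return issueShareLink(rows, boardId, now);
}

// Resolves /v/<token> to a board id, or null for malformed, unknown or expired tokens.
function resolveShareLink(rows: ShareLinkRow[], presented: string, now: number): string | null {
  if (!/^[A-Z2-7]{22}$/.test(presented)) return null; // reject bad shapes before hashing
  const candidate = sha256(presented);
  for (const row of rows) {
    // Both buffers are 32-byte digests, which timingSafeEqual requires.
    if (timingSafeEqual(row.tokenHash, candidate)) {
      return row.expiresAt > now ? row.boardId : null;
    }
  }
  return null;
}
```

Because only the digest is stored, a lost URL cannot be recovered from the database; the owner rotates and hands out the new one.
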

One auth gate at the top of every authed surface

requireManchSession() in lib/auth.ts is the single chokepoint. No edge middleware reaching Postgres, no scattered guards, no can-this-user-see-this checks duplicated across server actions.

tldraw watermark stays through paid tiers

Credit where due. The 'Made with tldraw' mark stays on free and on paid until MRR can absorb the commercial license. We pay for the substrate when the substrate is paying us, not before.

Who this is for

Teams who think with a pen, in public.

Manch earns its keep when the cost of running a shared canvas on someone else's cloud starts to exceed the cost of operating one yourself.

Teams whose first artifact with a prospect is a sketch, not a slide.
Studios and agencies who want a shareable canvas without onboarding a client onto someone else's SaaS.
Engineering organizations who keep a system-architecture whiteboard and would rather not host it on a vendor that trains on inputs.
Outreach-led businesses who want a walk-up artifact behind every cold link, not a gated demo.
Operators who already run their own infrastructure and refuse to buy yet another seat-priced collaboration tool.

FAQ

Final friction, reduced.

How is this different from Miro, FigJam, or tldraw.com?

Those are shared multi-tenant SaaS — your boards on someone else's infrastructure, priced by their seat math. Manch is the tldraw engine on infrastructure we own and operate, with auth, sharing, and PLG promotion wired into a workspace shape that mirrors the rest of the Eleven11 fleet.

Why is Manch the one product anyone can sign up for?

Architect, operator, dhara, cal — they all hold context that belongs to a specific tenant, and the cost of a wrong identity claim is high. Manch's blast radius is bounded by the share-link, the workspace cap, and the rate-limit on /v/*. It is the right product to put on the public internet first.

What about live multi-cursor editing?

v1.0 ships snapshot-only viewers — anonymous viewers see the auto-saved board and reload to refresh. Live cursors and follow-mode land in v1.1 via a separate @tldraw/sync server container that validates the same HMAC session cookie. The substrate is in place; the realtime layer is the next slice.

Is there a paid plan?

Not yet. v1 ships free for everyone. plan and plan_limits columns exist, an informational 80%-of-cap banner exists, but enforcement and Stripe wiring are deferred to v1.5. We earn the upgrade by being the canvas teams keep returning to, not by gating the door.

Open Manch

The canvas is live. Walk in.

Manch takes walk-up signup today — open a board, share a link, promote your first anonymous viewer into an editor. Talk to us if you want a workspace deployed alongside the rest of the Eleven11 stack.

Direct line

Consultation requests stay owned. We reply from e11 after reviewing fit and timing.