feat: Add admin vehicle management and profile vehicles display (refs #11)

- Add GET /api/admin/stats endpoint for Total Vehicles widget
- Add GET /api/admin/users/:auth0Sub/vehicles endpoint for user vehicle list
- Update AdminUsersPage with Total Vehicles stat and expandable vehicle rows
- Add My Vehicles section to SettingsPage (desktop) and MobileSettingsScreen
- Update AdminUsersMobileScreen with stats header and vehicle expansion
- Add defense-in-depth admin checks and error handling
- Update admin README documentation

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/src/features/admin/api/admin.routes.ts

@@ -102,6 +102,16 @@ export const adminRoutes: FastifyPluginAsync = async (fastify) => {
     handler: adminController.bulkReinstateAdmins.bind(adminController)
   });
 
+  // ============================================
+  // Admin Stats endpoint (dashboard widgets)
+  // ============================================
+
+  // GET /api/admin/stats - Get admin dashboard stats (total users, total vehicles)
+  fastify.get('/admin/stats', {
+    preHandler: [fastify.requireAdmin],
+    handler: usersController.getAdminStats.bind(usersController)
+  });
+
   // ============================================
   // User Management endpoints (subscription tiers, deactivation)
   // ============================================
@@ -118,6 +128,12 @@ export const adminRoutes: FastifyPluginAsync = async (fastify) => {
     handler: usersController.getUser.bind(usersController)
   });
 
+  // GET /api/admin/users/:auth0Sub/vehicles - Get user's vehicles (admin view)
+  fastify.get<{ Params: UserAuth0SubInput }>('/admin/users/:auth0Sub/vehicles', {
+    preHandler: [fastify.requireAdmin],
+    handler: usersController.getUserVehicles.bind(usersController)
+  });
+
   // PATCH /api/admin/users/:auth0Sub/tier - Update subscription tier
   fastify.patch<{ Params: UserAuth0SubInput; Body: UpdateTierInput }>('/admin/users/:auth0Sub/tier', {
     preHandler: [fastify.requireAdmin],

backend/src/features/admin/api/users.controller.ts

@@ -28,16 +28,112 @@ import { AdminService } from '../domain/admin.service';
 export class UsersController {
   private userProfileService: UserProfileService;
   private adminService: AdminService;
+  private userProfileRepository: UserProfileRepository;
 
   constructor() {
-    const userProfileRepository = new UserProfileRepository(pool);
+    this.userProfileRepository = new UserProfileRepository(pool);
     const adminRepository = new AdminRepository(pool);
 
-    this.userProfileService = new UserProfileService(userProfileRepository);
+    this.userProfileService = new UserProfileService(this.userProfileRepository);
     this.userProfileService.setAdminRepository(adminRepository);
     this.adminService = new AdminService(adminRepository);
   }
 
+  /**
+   * GET /api/admin/stats - Get admin dashboard stats
+   */
+  async getAdminStats(
+    request: FastifyRequest,
+    reply: FastifyReply
+  ) {
+    try {
+      const actorId = request.userContext?.userId;
+      if (!actorId) {
+        return reply.code(401).send({
+          error: 'Unauthorized',
+          message: 'User context missing',
+        });
+      }
+
+      // Defense-in-depth: verify admin status even with requireAdmin guard
+      if (!request.userContext?.isAdmin) {
+        return reply.code(403).send({
+          error: 'Forbidden',
+          message: 'Admin access required',
+        });
+      }
+
+      const [totalVehicles, totalUsers] = await Promise.all([
+        this.userProfileRepository.getTotalVehicleCount(),
+        this.userProfileRepository.getTotalUserCount(),
+      ]);
+
+      return reply.code(200).send({
+        totalVehicles,
+        totalUsers,
+      });
+    } catch (error) {
+      logger.error('Error getting admin stats', {
+        error: error instanceof Error ? error.message : 'Unknown error',
+      });
+
+      return reply.code(500).send({
+        error: 'Internal server error',
+        message: 'Failed to get admin stats',
+      });
+    }
+  }
+
+  /**
+   * GET /api/admin/users/:auth0Sub/vehicles - Get user's vehicles (admin view)
+   */
+  async getUserVehicles(
+    request: FastifyRequest<{ Params: UserAuth0SubInput }>,
+    reply: FastifyReply
+  ) {
+    try {
+      const actorId = request.userContext?.userId;
+      if (!actorId) {
+        return reply.code(401).send({
+          error: 'Unauthorized',
+          message: 'User context missing',
+        });
+      }
+
+      // Defense-in-depth: verify admin status even with requireAdmin guard
+      if (!request.userContext?.isAdmin) {
+        return reply.code(403).send({
+          error: 'Forbidden',
+          message: 'Admin access required',
+        });
+      }
+
+      // Validate path param
+      const parseResult = userAuth0SubSchema.safeParse(request.params);
+      if (!parseResult.success) {
+        return reply.code(400).send({
+          error: 'Validation error',
+          message: parseResult.error.errors.map(e => e.message).join(', '),
+        });
+      }
+
+      const { auth0Sub } = parseResult.data;
+      const vehicles = await this.userProfileRepository.getUserVehiclesForAdmin(auth0Sub);
+
+      return reply.code(200).send({ vehicles });
+    } catch (error) {
+      logger.error('Error getting user vehicles', {
+        error: error instanceof Error ? error.message : 'Unknown error',
+        auth0Sub: request.params?.auth0Sub,
+      });
+
+      return reply.code(500).send({
+        error: 'Internal server error',
+        message: 'Failed to get user vehicles',
+      });
+    }
+  }
+
   /**
    * GET /api/admin/users - List all users with pagination and filters
    */