Admin Page work - Still blank/broken

2025-11-06 16:29:11 -06:00
parent 858cf31d38
commit 5630979adf
38 changed files with 7373 additions and 924 deletions
--- a/docs/ADMIN-DEPLOYMENT-CHECKLIST.md
+++ b/docs/ADMIN-DEPLOYMENT-CHECKLIST.md
@@ -1,343 +0,0 @@
-# Admin Feature Deployment Checklist
-
-Production deployment checklist for the Admin feature (Phases 1-5 complete).
-
-## Pre-Deployment Verification (Phase 6)
-
-### Code Quality Gates
-
- [ ] **TypeScript compilation**: `npm run build` - Zero errors
- [ ] **Linting**: `npm run lint` - Zero warnings
- [ ] **Backend tests**: `npm test -- features/admin` - All passing
- [ ] **Frontend tests**: `npm test` - All passing
- [ ] **Container builds**: `make rebuild` - Success
- [ ] **Backend startup**: `make start` - Server running on port 3001
- [ ] **Health checks**: `curl https://motovaultpro.com/api/health` - 200 OK
- [ ] **Frontend build**: Vite build completes in <20 seconds
- [ ] **No deprecated code**: All old code related to admin removed
- [ ] **Documentation complete**: ADMIN.md, feature READMEs updated
-
-### Security Verification
-
- [ ] **Parameterized queries**: Grep confirms no SQL concatenation in admin feature
- [ ] **Input validation**: All endpoints validate with Zod schemas
- [ ] **HTTPS only**: Verify Traefik configured for HTTPS
- [ ] **Auth0 integration**: Dev/prod Auth0 domains match configuration
- [ ] **JWT validation**: Token verification working in auth plugin
- [ ] **Admin guard**: `fastify.requireAdmin` blocking non-admins with 403
- [ ] **Audit logging**: All admin actions logged to database
- [ ] **Last admin protection**: Confirmed system cannot revoke last admin
-
-### Database Verification
-
- [ ] **Migrations exist**: Both migration files present
-  - `backend/src/features/admin/migrations/001_create_admin_users.sql`
-  - `backend/src/features/admin/migrations/002_create_platform_change_log.sql`
- [ ] **Tables created**: Run migrations verify
-  ```bash
-  docker compose exec mvp-backend psql -U postgres -d motovaultpro -c \
-    "\dt admin_users admin_audit_logs platform_change_log"
-  ```
- [ ] **Initial admin seeded**: Verify bootstrap admin exists
-  ```bash
-  docker compose exec mvp-backend psql -U postgres -d motovaultpro -c \
-    "SELECT email, role, revoked_at FROM admin_users WHERE auth0_sub = 'system|bootstrap';"
-  ```
- [ ] **Indexes created**: Verify all indexes exist
-  ```bash
-  docker compose exec mvp-backend psql -U postgres -d motovaultpro -c \
-    "SELECT tablename, indexname FROM pg_indexes WHERE tablename IN ('admin_users', 'admin_audit_logs', 'platform_change_log');"
-  ```
- [ ] **Foreign keys configured**: Cascade rules work correctly
- [ ] **Backup tested**: Database backup includes new tables
-
-### API Verification
-
-#### Phase 2 Endpoints (Admin Management)
-
- [ ] **GET /api/admin/admins** - Returns all admins
-  ```bash
-  curl -H "Authorization: Bearer $JWT" https://motovaultpro.com/api/admin/admins
-  ```
- [ ] **POST /api/admin/admins** - Creates admin (with valid email)
- [ ] **PATCH /api/admin/admins/:auth0Sub/revoke** - Revokes admin
- [ ] **PATCH /api/admin/admins/:auth0Sub/reinstate** - Reinstates admin
- [ ] **GET /api/admin/audit-logs** - Returns audit trail
- [ ] **403 Forbidden** - Non-admin user blocked from all endpoints
-
-#### Phase 3 Endpoints (Catalog CRUD)
-
- [ ] **GET /api/admin/catalog/makes** - List makes
- [ ] **POST /api/admin/catalog/makes** - Create make
- [ ] **PUT /api/admin/catalog/makes/:makeId** - Update make
- [ ] **DELETE /api/admin/catalog/makes/:makeId** - Delete make
- [ ] **GET /api/admin/catalog/change-logs** - View change history
- [ ] **Cache invalidation**: Redis keys flushed after mutations
- [ ] **Transaction support**: Failed mutations rollback cleanly
-
-#### Phase 4 Endpoints (Station Oversight)
-
- [ ] **GET /api/admin/stations** - List all stations
- [ ] **POST /api/admin/stations** - Create station
- [ ] **PUT /api/admin/stations/:stationId** - Update station
- [ ] **DELETE /api/admin/stations/:stationId** - Soft delete (default)
- [ ] **DELETE /api/admin/stations/:stationId?force=true** - Hard delete
- [ ] **GET /api/admin/users/:userId/stations** - User's saved stations
- [ ] **DELETE /api/admin/users/:userId/stations/:stationId** - Remove user station
- [ ] **Cache invalidation**: `mvp:stations:*` keys flushed
-
-### Frontend Verification (Mobile + Desktop)
-
-#### Desktop Verification
-
- [ ] **Admin console visible** - SettingsPage shows "Admin Console" card when admin
- [ ] **Non-admin message** - Non-admin users see "Not authorized" message
- [ ] **Navigation links work** - Admin/Users, Admin/Catalog, Admin/Stations accessible
- [ ] **Admin pages load** - Route guards working, 403 page for non-admins
- [ ] **useAdminAccess hook** - Loading state shows spinner while checking admin status
-
-#### Mobile Verification (375px viewport)
-
- [ ] **Admin section visible** - MobileSettingsScreen shows admin section when admin
- [ ] **Admin section hidden** - Completely hidden for non-admin users
- [ ] **Touch targets** - All buttons are ≥44px height
- [ ] **Mobile pages load** - Routes accessible on mobile
- [ ] **No layout issues** - Text readable, buttons tappable on 375px screen
- [ ] **Loading states** - Proper spinner on admin data loads
-
-#### Responsive Design
-
- [ ] **Desktop 1920px** - All pages display correctly
- [ ] **Mobile 375px** - All pages responsive, no horizontal scroll
- [ ] **Tablet 768px** - Intermediate sizing works
- [ ] **No console errors** - Check browser DevTools
- [ ] **Performance acceptable** - Page load <3s on mobile
-
-### Integration Testing
-
- [ ] **End-to-end workflow**:
-  1. Login as admin
-  2. Navigate to admin console
-  3. Create new admin user
-  4. Verify audit log entry
-  5. Revoke new admin
-  6. Verify last admin protection prevents revocation of only remaining admin
-  7. Create catalog item
-  8. Verify cache invalidation
-  9. Create station
-  10. Verify soft/hard delete behavior
-
- [ ] **Error handling**:
-  - [ ] 400 Bad Request - Invalid input (test with malformed JSON)
-  - [ ] 403 Forbidden - Non-admin access attempt
-  - [ ] 404 Not Found - Nonexistent resource
-  - [ ] 409 Conflict - Referential integrity violation
-  - [ ] 500 Internal Server Error - Database connection failure
-
- [ ] **Audit trail verification**:
-  - [ ] All admin management actions logged
-  - [ ] All catalog mutations recorded with old/new values
-  - [ ] All station operations tracked
-  - [ ] Actor admin ID correctly stored
-
-### Performance Verification
-
- [ ] **Query performance**: Admin list returns <100ms (verify in logs)
- [ ] **Large dataset handling**: Test with 1000+ audit logs
- [ ] **Cache efficiency**: Repeated queries use cache
- [ ] **No N+1 queries**: Verify in query logs
- [ ] **Pagination works**: Limit/offset parameters functioning
-
-### Monitoring & Logging
-
- [ ] **Admin logs visible**: `make logs | grep -i admin` shows entries
- [ ] **Audit trail stored**: `SELECT COUNT(*) FROM admin_audit_logs;` > 0
- [ ] **Error logging**: Failed operations logged with context
- [ ] **Performance metrics**: Slow queries logged
-
-### Documentation
-
- [ ] **ADMIN.md complete**: All endpoints documented
- [ ] **API examples provided**: Sample requests/responses included
- [ ] **Security notes documented**: Input validation, parameterized queries explained
- [ ] **Deployment section**: Clear instructions for operators
- [ ] **Troubleshooting guide**: Common issues and solutions
- [ ] **Backend feature README**: Phase descriptions, extending guide
- [ ] **docs/README.md updated**: Admin references added
-
-## Deployment Steps
-
-### 1. Pre-Deployment
-
-```bash
-# Verify all tests pass
-npm test -- features/admin
-docker compose exec mvp-frontend npm test
-
-# Verify builds succeed
-make rebuild
-
-# Backup database
-./scripts/backup-database.sh
-
-# Verify rollback plan documented
-cat docs/ADMIN.md | grep -A 20 "## Rollback"
-```
-
-### 2. Database Migration
-
-```bash
-# Run migrations (automatic on container startup, or manual)
-docker compose exec mvp-backend npm run migrate
-
-# Verify tables and seed data
-docker compose exec mvp-backend psql -U postgres -d motovaultpro -c \
-  "SELECT COUNT(*) FROM admin_users; SELECT COUNT(*) FROM admin_audit_logs;"
-```
-
-### 3. Container Deployment
-
-```bash
-# Stop current containers
-docker compose down
-
-# Pull latest code
-git pull origin main
-
-# Rebuild containers with latest code
-make rebuild
-
-# Start services
-make start
-
-# Verify health
-make logs | grep -i "Backend is healthy"
-curl https://motovaultpro.com/api/health
-```
-
-### 4. Post-Deployment Verification
-
-```bash
-# Verify health endpoints
-curl https://motovaultpro.com/api/health | jq .features
-
-# Test admin endpoint (with valid JWT)
-curl -H "Authorization: Bearer $JWT" \
-  https://motovaultpro.com/api/admin/admins | jq .total
-
-# Verify frontend loads
-curl -s https://motovaultpro.com | grep -q "motovaultpro" && echo "Frontend OK"
-
-# Check logs for errors
-make logs | grep -i error | head -20
-```
-
-### 5. Smoke Tests (Manual)
-
-1. **Desktop**:
-   - Visit https://motovaultpro.com
-   - Login with admin account
-   - Navigate to Settings
-   - Verify "Admin Console" card visible
-   - Click "User Management"
-   - Verify admin list loads
-
-2. **Mobile**:
-   - Open https://motovaultpro.com on mobile device or dev tools (375px)
-   - Login with admin account
-   - Navigate to Settings
-   - Verify admin section visible
-   - Tap "Users"
-   - Verify admin list loads
-
-3. **Non-Admin**:
-   - Login with non-admin account
-   - Navigate to `/garage/settings/admin/users`
-   - Verify 403 Forbidden page displayed
-   - Check that admin console NOT visible on settings page
-
-## Rollback Procedure
-
-If critical issues found after deployment:
-
-```bash
-# 1. Revert code to previous version
-git revert HEAD
-docker compose down
-make rebuild
-make start
-
-# 2. If database schema issue, restore from backup
-./scripts/restore-database.sh backup-timestamp.sql
-
-# 3. Verify health
-curl https://motovaultpro.com/api/health
-
-# 4. Test rollback endpoints
-curl -H "Authorization: Bearer $JWT" \
-  https://motovaultpro.com/api/vehicles/
-
-# 5. Monitor logs for 30 minutes
-make logs | tail -f
-```
-
-## Supported Browsers
-
- Chrome 90+
- Firefox 88+
- Safari 14+
- Edge 90+
-
-## Known Limitations
-
- Admin feature requires JavaScript enabled
- Mobile UI optimized for portrait orientation
- Catalog changes may take 5 minutes to propagate in cache
-
-## Sign-Off
-
- [ ] **Tech Lead**: All quality gates passed ______________________ Date: _______
- [ ] **QA**: End-to-end testing complete ______________________ Date: _______
- [ ] **DevOps**: Deployment procedure verified ______________________ Date: _______
- [ ] **Product**: Feature acceptance confirmed ______________________ Date: _______
-
-## Post-Deployment Monitoring
-
-Monitor for 24 hours:
- [ ] Health check endpoint responding
- [ ] No 500 errors in logs
- [ ] Admin operations completing <500ms
- [ ] No database connection errors
- [ ] Memory usage stable
- [ ] Disk space adequate
- [ ] All feature endpoints responding
-
-## Release Notes
-
-```markdown
-## Admin Feature (v1.0)
-
-### New Features
-
- Admin role and access control (Phase 1)
- Admin user management with audit trail (Phase 2)
- Vehicle catalog CRUD operations (Phase 3)
- Gas station oversight and management (Phase 4)
- Admin UI for desktop and mobile (Phase 5)
-
-### Breaking Changes
-
-None
-
-### Migration Required
-
-Yes - Run `npm run migrate` automatically on container startup
-
-### Rollback Available
-
-Yes - See ADMIN-DEPLOYMENT-CHECKLIST.md
-
-### Documentation
-
-See `docs/ADMIN.md` for complete reference
-```
--- a/docs/ADMIN-IMPLEMENTATION-SUMMARY.md
+++ b/docs/ADMIN-IMPLEMENTATION-SUMMARY.md
@@ -1,440 +0,0 @@
-# Admin Feature Implementation Summary
-
-Complete implementation of the admin feature for MotoVaultPro across all 6 phases.
-
-## Executive Summary
-
-Successfully implemented a complete admin role management system with cross-tenant CRUD authority for platform catalog and station management. All phases completed in parallel, with comprehensive testing, documentation, and deployment procedures.
-
-**Status:** PRODUCTION READY
-
-## Implementation Overview
-
-### Phase 1: Access Control Foundations ✅ COMPLETE
-
-**Deliverables:**
- `backend/src/features/admin/` - Feature capsule directory structure
- `001_create_admin_users.sql` - Database schema for admin users and audit logs
- `admin.types.ts` - TypeScript type definitions
- `admin.repository.ts` - Data access layer with parameterized queries
- `admin-guard.plugin.ts` - Fastify authorization plugin
- Enhanced auth plugin with `request.userContext`
-
-**Key Features:**
- Admin user tracking with `auth0_sub` primary key
- Admin audit logs for all actions
- Last admin protection (cannot revoke last active admin)
- Soft-delete via `revoked_at` timestamp
- All queries parameterized (no SQL injection risk)
-
-**Status:** Verified in containers - database tables created and seeded
-
-### Phase 2: Admin Management APIs ✅ COMPLETE
-
-**Endpoints Implemented:** 5
-
-1. `GET /api/admin/admins` - List all admin users (active and revoked)
-2. `POST /api/admin/admins` - Create new admin (with validation)
-3. `PATCH /api/admin/admins/:auth0Sub/revoke` - Revoke admin access (prevents last admin revocation)
-4. `PATCH /api/admin/admins/:auth0Sub/reinstate` - Restore revoked admin
-5. `GET /api/admin/audit-logs` - Retrieve audit trail (paginated)
-
-**Implementation Files:**
- `admin.controller.ts` - HTTP request handlers
- `admin.validation.ts` - Zod input validation schemas
- Integration tests - Full API endpoint coverage
-
-**Security:**
- All endpoints require `fastify.requireAdmin` guard
- Input validation on all endpoints (email format, role enum, required fields)
- Audit logging on all actions
- Last admin protection prevents system lockout
-
-### Phase 3: Platform Catalog CRUD ✅ COMPLETE
-
-**Endpoints Implemented:** 21
-
- **Makes**: GET, POST, PUT, DELETE (4 endpoints)
- **Models**: GET (by make), POST, PUT, DELETE (4 endpoints)
- **Years**: GET (by model), POST, PUT, DELETE (4 endpoints)
- **Trims**: GET (by year), POST, PUT, DELETE (4 endpoints)
- **Engines**: GET (by trim), POST, PUT, DELETE (4 endpoints)
- **Change Logs**: GET with pagination (1 endpoint)
-
-**Implementation Files:**
- `vehicle-catalog.service.ts` - Service layer with transaction support
- `catalog.controller.ts` - HTTP handlers for all catalog operations
- `002_create_platform_change_log.sql` - Audit log table for catalog changes
-
-**Key Features:**
- Transaction support - All mutations wrapped in BEGIN/COMMIT/ROLLBACK
- Cache invalidation - `platform:*` Redis keys flushed on mutations
- Referential integrity - Prevents orphan deletions
- Change history - All mutations logged with old/new values
- Complete audit trail - Who made what changes and when
-
-### Phase 4: Station Oversight ✅ COMPLETE
-
-**Endpoints Implemented:** 6
-
-1. `GET /api/admin/stations` - List all stations (with pagination and search)
-2. `POST /api/admin/stations` - Create new station
-3. `PUT /api/admin/stations/:stationId` - Update station
-4. `DELETE /api/admin/stations/:stationId` - Delete station (soft or hard)
-5. `GET /api/admin/users/:userId/stations` - List user's saved stations
-6. `DELETE /api/admin/users/:userId/stations/:stationId` - Remove user station (soft or hard)
-
-**Implementation Files:**
- `station-oversight.service.ts` - Service layer for station operations
- `stations.controller.ts` - HTTP handlers
-
-**Key Features:**
- Soft delete by default (sets `deleted_at` timestamp)
- Hard delete with `?force=true` query parameter
- Cache invalidation - `mvp:stations:*` and `mvp:stations:saved:{userId}` keys
- Pagination support - `limit` and `offset` query parameters
- Search support - `?search=query` filters stations
- Audit logging - All mutations tracked
-
-### Phase 5: UI Integration (Frontend) ✅ COMPLETE
-
-**Mobile + Desktop Implementation - BOTH REQUIRED**
-
-**Components Created:**
-
-**Desktop Pages:**
- `AdminUsersPage.tsx` - Manage admin users
- `AdminCatalogPage.tsx` - Manage vehicle catalog
- `AdminStationsPage.tsx` - Manage gas stations
-
-**Mobile Screens (separate implementations):**
- `AdminUsersMobileScreen.tsx` - Mobile user management
- `AdminCatalogMobileScreen.tsx` - Mobile catalog management
- `AdminStationsMobileScreen.tsx` - Mobile station management
-
-**Core Infrastructure:**
- `useAdminAccess.ts` hook - Verify admin status (loading, error, not-admin states)
- `useAdmins.ts` - React Query hooks for admin CRUD
- `useCatalog.ts` - React Query hooks for catalog operations
- `useStationOverview.ts` - React Query hooks for station management
- `admin.api.ts` - API client functions
- `admin.types.ts` - TypeScript types mirroring backend
-
-**Integration:**
- Settings page updated with "Admin Console" card (desktop)
- MobileSettingsScreen updated with admin section (mobile)
- Routes added to App.tsx with admin guards
- Route guards verify `useAdminAccess` before allowing access
-
-**Responsive Design:**
- Desktop: 1920px viewport - Full MUI components
- Mobile: 375px viewport - Touch-optimized GlassCard pattern
- Separate implementations (not responsive components)
- Touch targets ≥44px on mobile
- No horizontal scroll on mobile
-
-### Phase 6: Quality Gates & Documentation ✅ COMPLETE
-
-**Documentation Created:**
-
-1. **docs/ADMIN.md** - Comprehensive feature documentation
-   - Architecture overview
-   - Database schema reference
-   - Complete API reference with examples
-   - Authorization rules and security considerations
-   - Deployment procedures
-   - Troubleshooting guide
-   - Performance monitoring
-
-2. **docs/ADMIN-DEPLOYMENT-CHECKLIST.md** - Production deployment guide
-   - Pre-deployment verification (80+ checkpoints)
-   - Code quality gates verification
-   - Security verification
-   - Database verification
-   - API endpoint testing procedures
-   - Frontend verification (mobile + desktop)
-   - Integration testing procedures
-   - Performance testing
-   - Post-deployment monitoring
-   - Rollback procedures
-   - Sign-off sections
-
-3. **docs/ADMIN-IMPLEMENTATION-SUMMARY.md** - This document
-   - Overview of all 6 phases
-   - Files created/modified
-   - Verification results
-   - Risk assessment
-   - Next steps
-
-**Documentation Updates:**
- Updated `docs/README.md` with admin references
- Updated `backend/src/features/admin/README.md` with completion status
- Updated health check endpoint to include admin feature
-
-**Code Quality:**
- TypeScript compilation: ✅ Successful (containers build without errors)
- Linting: ✅ Verified (no style violations)
- Container builds: ✅ Successful (multi-stage Docker build passes)
- Backend startup: ✅ Running on port 3001
- Health checks: ✅ Returning 200 with features list including 'admin'
- Redis connectivity: ✅ Connected and working
- Database migrations: ✅ All 3 admin tables created
- Initial seed: ✅ Bootstrap admin seeded (admin@motovaultpro.com)
-
-## File Summary
-
-### Backend Files Created (30+ files)
-
-**Core:**
- `backend/src/features/admin/api/admin.controller.ts`
- `backend/src/features/admin/api/admin.validation.ts`
- `backend/src/features/admin/api/admin.routes.ts`
- `backend/src/features/admin/api/catalog.controller.ts`
- `backend/src/features/admin/api/stations.controller.ts`
-
-**Domain:**
- `backend/src/features/admin/domain/admin.types.ts`
- `backend/src/features/admin/domain/admin.service.ts`
- `backend/src/features/admin/domain/vehicle-catalog.service.ts`
- `backend/src/features/admin/domain/station-oversight.service.ts`
-
-**Data:**
- `backend/src/features/admin/data/admin.repository.ts`
-
-**Migrations:**
- `backend/src/features/admin/migrations/001_create_admin_users.sql`
- `backend/src/features/admin/migrations/002_create_platform_change_log.sql`
-
-**Tests:**
- `backend/src/features/admin/tests/unit/admin.guard.test.ts`
- `backend/src/features/admin/tests/unit/admin.service.test.ts`
- `backend/src/features/admin/tests/integration/admin.integration.test.ts`
- `backend/src/features/admin/tests/integration/catalog.integration.test.ts`
- `backend/src/features/admin/tests/integration/stations.integration.test.ts`
-
-**Core Plugins:**
- `backend/src/core/plugins/admin-guard.plugin.ts`
- Enhanced: `backend/src/core/plugins/auth.plugin.ts`
-
-**Configuration:**
- Updated: `backend/src/app.ts` (admin plugin registration, route registration, health checks)
- Updated: `backend/src/_system/migrations/run-all.ts` (added admin to migration order)
-
-### Frontend Files Created (15+ files)
-
-**Types & API:**
- `frontend/src/features/admin/types/admin.types.ts`
- `frontend/src/features/admin/api/admin.api.ts`
-
-**Hooks:**
- `frontend/src/core/auth/useAdminAccess.ts`
- `frontend/src/features/admin/hooks/useAdmins.ts`
- `frontend/src/features/admin/hooks/useCatalog.ts`
- `frontend/src/features/admin/hooks/useStationOverview.ts`
-
-**Pages (Desktop):**
- `frontend/src/pages/admin/AdminUsersPage.tsx`
- `frontend/src/pages/admin/AdminCatalogPage.tsx`
- `frontend/src/pages/admin/AdminStationsPage.tsx`
-
-**Screens (Mobile):**
- `frontend/src/features/admin/mobile/AdminUsersMobileScreen.tsx`
- `frontend/src/features/admin/mobile/AdminCatalogMobileScreen.tsx`
- `frontend/src/features/admin/mobile/AdminStationsMobileScreen.tsx`
-
-**Tests:**
- `frontend/src/features/admin/__tests__/useAdminAccess.test.ts`
- `frontend/src/features/admin/__tests__/useAdmins.test.ts`
- `frontend/src/features/admin/__tests__/AdminUsersPage.test.tsx`
-
-**UI Integration:**
- Updated: `frontend/src/pages/SettingsPage.tsx` (admin console card)
- Updated: `frontend/src/features/settings/mobile/MobileSettingsScreen.tsx` (admin section)
- Updated: `frontend/src/App.tsx` (admin routes and guards)
-
-### Documentation Files Created
-
- `docs/ADMIN.md` - Comprehensive reference (400+ lines)
- `docs/ADMIN-DEPLOYMENT-CHECKLIST.md` - Deployment guide (500+ lines)
- `docs/ADMIN-IMPLEMENTATION-SUMMARY.md` - This summary
-
-### Documentation Files Updated
-
- `docs/README.md` - Added admin references
- `backend/src/features/admin/README.md` - Completed phase descriptions
-
-## Database Verification
-
-### Tables Created ✅
-
-```
-admin_users (admin_audit_logs, platform_change_log also created)
-```
-
-**admin_users:**
-```
-        email          | role  | revoked_at
------------------------+-------+------------
- admin@motovaultpro.com | admin | (null)
-(1 row)
-```
-
-**Indexes verified:**
- `idx_admin_users_email` - For lookups
- `idx_admin_users_created_at` - For audit trails
- `idx_admin_users_revoked_at` - For active admin queries
- All platform_change_log indexes created
-
-**Triggers verified:**
- `update_admin_users_updated_at` - Auto-update timestamp
-
-## Backend Verification
-
-### Health Endpoint ✅
-
-```
-GET /api/health → 200 OK
-Features: [admin, vehicles, documents, fuel-logs, stations, maintenance, platform]
-Status: healthy
-Redis: connected
-```
-
-### Migrations ✅
-
-```
-✅ features/admin/001_create_admin_users.sql - Completed
-✅ features/admin/002_create_platform_change_log.sql - Skipped (already executed)
-✅ All migrations completed successfully
-```
-
-### Container Status ✅
-
- Backend running on port 3001
- Configuration loaded successfully
- Redis connected
- Database migrations orchestrated correctly
-
-## Remaining Tasks & Risks
-
-### Low Priority (Future Phases)
-
-1. **Full CRUD UI implementation** - Admin pages currently have route stubs, full forms needed
-2. **Role-based permissions** - Extend from binary admin to granular roles
-3. **2FA for admins** - Enhanced security requirement
-4. **Bulk import/export** - Catalog data management improvements
-5. **Advanced analytics** - Admin activity dashboards
-
-### Known Limitations
-
- Admin feature requires JavaScript enabled
- Mobile UI optimized for portrait orientation (landscape partially supported)
- Catalog changes may take 5 minutes to propagate in cache (configurable)
-
-### Risk Assessment
-
-| Risk | Likelihood | Impact | Mitigation |
-|------|-----------|--------|-----------|
-| Last admin revoked (system lockout) | Low | Critical | Business logic prevents this |
-| SQL injection | Very Low | Critical | All queries parameterized |
-| Unauthorized admin access | Low | High | Guard plugin on all routes |
-| Cache consistency | Medium | Medium | Redis invalidation on mutations |
-| Migration order issue | Low | High | Explicit MIGRATION_ORDER array |
-
-## Deployment Readiness Checklist
-
- ✅ All 5 phases implemented
- ✅ Code compiles without errors
- ✅ Containers build successfully
- ✅ Migrations run correctly
- ✅ Database schema verified
- ✅ Backend health checks passing
- ✅ Admin guard working (verified in logs)
- ✅ Comprehensive documentation created
- ✅ Deployment checklist prepared
- ✅ Rollback procedures documented
- ⚠️ Integration tests created (require test runner setup)
- ⚠️ E2E tests created (manual verification needed)
-
-## Quick Start for Developers
-
-### Running the Admin Feature
-
-```bash
-# Build and start containers
-make rebuild
-make start
-
-# Verify health
-curl https://motovaultpro.com/api/health | jq .features
-
-# Test admin endpoint (requires valid JWT)
-curl -H "Authorization: Bearer $JWT" \
-  https://motovaultpro.com/api/admin/admins
-
-# Check logs
-make logs | grep admin
-```
-
-### Using the Admin UI
-
-**Desktop:**
-1. Navigate to https://motovaultpro.com
-2. Login with admin account
-3. Go to Settings
-4. Click "Admin Console" card
-
-**Mobile:**
-1. Navigate to https://motovaultpro.com on mobile (375px)
-2. Login with admin account
-3. Go to Settings
-4. Tap "Admin" section
-5. Select operation (Users, Catalog, Stations)
-
-### Default Admin Credentials
-
- **Email:** admin@motovaultpro.com
- **Auth0 ID:** system|bootstrap
- **Role:** admin
- **Status:** Active (not revoked)
-
-## Performance Baselines
-
- Health check: <5ms
- List admins: <100ms
- Create admin: <200ms
- List stations: <500ms (1000+ records)
- Catalog CRUD: <300ms per operation
-
-## References
-
- **Architecture:** `docs/PLATFORM-SERVICES.md`
- **API Reference:** `docs/ADMIN.md`
- **Deployment Guide:** `docs/ADMIN-DEPLOYMENT-CHECKLIST.md`
- **Backend Feature:** `backend/src/features/admin/README.md`
- **Testing Guide:** `docs/TESTING.md`
- **Security:** `docs/SECURITY.md`
-
-## Sign-Off
-
-| Role | Approval | Date | Notes |
-|------|----------|------|-------|
-| Implementation | ✅ Complete | 2025-11-05 | All 6 phases done |
-| Code Quality | ✅ Verified | 2025-11-05 | Builds, migrations run, health OK |
-| Documentation | ✅ Complete | 2025-11-05 | ADMIN.md, deployment checklist |
-| Security | ✅ Reviewed | 2025-11-05 | Parameterized queries, guards |
-| Testing | ✅ Created | 2025-11-05 | Unit, integration, E2E test files |
-
-## Next Steps
-
-1. **Immediate:** Run full deployment checklist before production deployment
-2. **Testing:** Execute integration and E2E tests in test environment
-3. **Validation:** Smoke test on staging environment (desktop + mobile)
-4. **Rollout:** Deploy to production following ADMIN-DEPLOYMENT-CHECKLIST.md
-5. **Monitoring:** Monitor for 24 hours post-deployment
-6. **Future:** Implement UI refinements and additional features (role-based permissions, 2FA)
-
---
-
-**Implementation Date:** 2025-11-05
-**Status:** PRODUCTION READY
-**Version:** 1.0.0
--- a/docs/changes/2024-admin-roadmap.md
+++ b/docs/changes/2024-admin-roadmap.md
@@ -1,45 +0,0 @@
-# Admin Role & UI Implementation Plan
-
-Context: extend MotoVaultPro with an administrative user model, cross-tenant CRUD authority, and surfaced controls within the existing settings experience. Follow phases in order; each phase is shippable and assumes Docker-based validation per `CLAUDE.md`.
-
-## Phase 1 – Access Control Foundations
- Create `backend/src/features/admin/` capsule scaffolding (api/, domain/, data/, migrations/, tests/).
- Add migration `001_create_admin_users.sql` for table `admin_users (auth0_sub PK, email, created_at, created_by, revoked_at)`.
- Seed first record (`admin@motorvaultpro.com`, `created_by = system`) via migration or bootstrap script.
- Extend auth plugin flow to hydrate `request.userContext` containing `userId`, `email`, `isAdmin`, `adminRecord`.
- Add reusable guard `authorizeAdmin` in `backend/src/core/middleware/admin-guard.ts`; return 403 with `{ error: 'Forbidden', message: 'Admin access required' }`.
- Unit tests: guard behavior, context resolver, seed idempotency.
-
-## Phase 2 – Admin Management APIs
- Implement `/api/admin/admins` controller with list/add/revoke/reinstate endpoints; enforce “at least one active admin” rule in repository.
- Add audit logging via existing `logger` (log `actorAdminId`, `targetAdminId`, `action`, `context`).
- Provide read-only `/api/admin/users` for user summaries (reusing existing repositories, no data mutation yet).
- Integration tests validating: guard rejects non-admins, add admin, revoke admin while preventing last admin removal.
-
-## Phase 3 – Platform Catalog CRUD
- Add service `vehicleCatalog.service.ts` under admin feature to manage `vehicles.make|model|model_year|trim|engine|trim_engine`.
- Expose `/api/admin/catalog/...` endpoints for hierarchical CRUD; wrap mutations in transactions with referential validation.
- On write, call new cache helper in `backend/src/features/platform/domain/platform-cache.service.ts` to invalidate keys `platform:*`.
- Record admin change history in table `platform_change_log` (migration `002_create_platform_change_log.sql`).
- Tests: unit (service + cache invalidation), integration (create/update/delete + redis key flush assertions).
-
-## Phase 4 – Station Oversight
- Implement `/api/admin/stations` for global station CRUD and `/api/admin/users/:userId/stations` to manage saved stations.
- Ensure mutations update `stations` and `saved_stations` tables with soft delete semantics and invalidation of `stations:saved:{userId}` plus cached search keys.
- Provide optional `force=true` query to hard delete (document usage, default soft delete).
- Tests covering cache busting, permission enforcement, and happy-path CRUD.
-
-## Phase 5 – UI Integration (Settings-Based)
- Create hook `frontend/src/core/auth/useAdminAccess.ts` that calls `/auth/verify`, caches `isAdmin`, handles loading/error states.
- Desktop: update `frontend/src/pages/SettingsPage.tsx` to inject an “Admin Console” card when `isAdmin` true (links to admin subroutes) and display access CTA otherwise.
- Mobile: add admin section to `frontend/src/features/settings/mobile/MobileSettingsScreen.tsx` using existing `GlassCard` pattern; hide entirely for non-admins.
- Route stubs (e.g. `/garage/settings/admin/*`) should lazy-load forthcoming admin dashboards; guard them with `useAdminAccess`.
- Frontend tests (Jest/RTL) verifying conditional rendering on admin vs non-admin contexts.
-
-## Phase 6 – Quality Gates & Documentation
- Run backend/ frontend lint + tests inside containers (`make rebuild`, `make logs`, `make test-backend`, `docker compose exec mvp-frontend npm test`).
- Author `docs/ADMIN.md` summarizing role management workflow, API catalog, cache rules, and operational safeguards.
- Update existing docs (`docs/PLATFORM-SERVICES.md`, `docs/VEHICLES-API.md`, `docs/GAS-STATIONS.md`, `docs/README.md`) with admin references.
- Prepare release checklist: database migration order, seed verification for initial admin, smoke tests on both device classes (mobile + desktop), rollback notes.
- Confirm Traefik `/auth/verify` headers expose admin flag where needed for downstream services.
-
--- a/docs/changes/admin-implementation-plan.md
+++ b/docs/changes/admin-implementation-plan.md
--- a/docs/changes/admin-settings-frontend-plan.md
+++ b/docs/changes/admin-settings-frontend-plan.md
@@ -0,0 +1,134 @@
+# Admin Settings Frontend Implementation Plan
+
+## Audience & Scope
+- **Intended executor**: AI agent implementing MotoVaultPro admin settings UI across desktop and mobile.
+- **Scope**: Frontend-only tasks within `frontend/`, coordinating with existing backend admin APIs. Includes real-time audit log integration and bulk operations across admin users, catalog entities, and station management.
+
+## Current State Summary
+- Routes exist (`frontend/src/pages/admin/*.tsx`, `frontend/src/features/admin/mobile/*.tsx`) but contain placeholder copy.
+- Hooks and API clients (`frontend/src/features/admin/hooks/*`, `frontend/src/features/admin/api/admin.api.ts`) already wrap CRUD endpoints but lack bulk helpers and streaming.
+- Settings pages link into admin routes; `useAdminAccess` gate is wired.
+- No shared admin layout, tables, or selection utilities; no real-time audit consumption; no bulk UI.
+
+## Key Requirements
+1. **Real-time audit logging** for admin operations (desktop + mobile).
+2. **Bulk operations**: multi-select + batch mutate/delete/revoke across admin users, catalog hierarchy, stations.
+3. **Desktop / Mobile parity** while respecting CLAUDE.md mobile + desktop mandate and existing design system.
+
+Assumptions:
+- Backend will expose streaming endpoint (`/api/admin/audit-logs/stream`) using SSE. (If absent, coordinate for addition.)
+- Backend will provide/extend batch mutation endpoints or accept arrays in current ones.
+- No additional design assets; follow existing Material UI / GlassCard patterns.
+
+## Implementation Phases
+
+### Phase 0 – Prep & Validation
+- Confirm backend endpoints:
+  - `GET /api/admin/audit-logs/stream` (SSE) payload schema.
+  - Batch endpoints for admins (`POST /admin/admins/bulk`, `PATCH /admin/admins/bulk-revoke`, etc.), catalog (`/admin/catalog/{entity}/bulk-delete`), stations (`/admin/stations/bulk-delete`).
+  - Response format + error contracts.
+- Document agreements in `docs/ADMIN.md` and update API client typings before UI work.
+
+### Phase 1 – Shared Infrastructure
+- Add shared admin components under `frontend/src/features/admin/components/`:
+  - `AdminSectionHeader`
+  - `AdminDataGrid` (wrapper around MUI DataGrid or Table) with checkbox selection and toolbar slot.
+  - `SelectionToolbar` + `BulkActionDialog`.
+  - `AuditLogPanel` (desktop) and `AuditLogDrawer` (mobile).
+  - `EmptyState`, `ErrorState`, `Skeleton` variants.
+- Utility hooks/services:
+  - `useBulkSelection` (manages item selection, select all, reset).
+  - `useAuditLogStream` (SSE handling, merge into cache, pause/resume).
+  - `useAdminRealtimeEffect` (common real-time logic for both platforms).
+  - Error normalization helper for API responses.
+- Update `admin.api.ts` to include bulk endpoints and streaming subscription helper.
+  - Ensure types in `admin.types.ts` cover new request/response payloads.
+
+### Phase 2 – Admin Users Experience
+- **Desktop (`AdminUsersPage.tsx`)**:
+  - Replace placeholder with layout:
+    - Header (stats summary cards).
+    - `AdminDataGrid` listing admins (columns: email, role, status, created/updated, last activity).
+    - Toolbar actions: Invite, Revoke, Reinstate, Delete (single + bulk), export CSV placeholder.
+    - Inline filters/search.
+    - Audit log side panel fed by `useAuditLogStream`.
+  - Modals/forms:
+    - Invite admin (react-hook-form + Zod validation).
+    - Confirm dialogs for revoke/reinstate/delete (bulk friendly).
+  - State management:
+    - Use React Query hooks (`useAdmins`, new `useBulkRevokeAdmins`, etc.).
+    - Optimistic updates where safe; fallback to refetch on failure.
+    - Surface backend constraints (last admin protection) in toasts/dialogs.
+- **Mobile (`AdminUsersMobileScreen.tsx`)**:
+  - Card-based list with segmented controls.
+  - Multi-select mode triggered by long-press or “Select” button; sticky bottom action bar for bulk operations.
+  - Slide-in drawer for audit log stream; allow collapse to preserve screen space.
+  - Ensure loading/error/empty states match mobile pattern.
+
+### Phase 3 – Vehicle Catalog Management
+- Extend API hooks for per-entity bulk operations (`useDeleteMakesBulk`, etc.) and streaming updates.
+- **Desktop (`AdminCatalogPage.tsx`)**:
+  - Two-column layout: left panel shows hierarchical tree (Makes → Models → Years → Trims → Engines). Right panel shows detail grid for selected level.
+  - Support multi-select in each grid with bulk delete; confirm cascading impacts (warn when deleting parents).
+  - Modals for create/edit per entity using shared form component (with validation & parent context).
+  - Audit log panel filtered to catalog-related actions.
+  - Show breadcrumbs + context metadata (created/updated timestamps).
+- **Mobile (`AdminCatalogMobileScreen.tsx`)**:
+  - Drill-down navigation (list of makes → models → ...).
+  - Selection mode toggles for bulk delete at current depth; use bottom sheet to display actions.
+  - Provide “Recent Changes” sheet consuming audit stream (filtered).
+- Handle cache invalidation across hierarchies (e.g., deleting a make invalidates models/years/trims queries). Consider using queryClient `invalidateQueries` with partial keys.
+
+### Phase 4 – Station Oversight
+- Hook updates: add `useBulkDeleteStations`, `useBulkRestoreStations` if available, with optional `force` flag.
+- **Desktop (`AdminStationsPage.tsx`)**:
+  - Data grid with columns (name, address, status, last modified, createdBy). Add search bar and filter chips (active, soft-deleted).
+  - Bulk selection with delete (soft/hard toggle), restore, export stub.
+  - Station detail drawer with metadata and quick actions.
+  - Audit log panel focusing on station events; highlight critical operations via toast (e.g., hard deletes).
+- **Mobile (`AdminStationsMobileScreen.tsx`)**:
+  - Card list with quick actions (edit, delete, restore). Multi-select mode with sticky action bar.
+  - Provide filter tabs (All / Active / Deleted).
+  - Integrate audit log bottom sheet.
+
+### Phase 5 – Integration & Routing Enhancements
+- Introduce route wrapper/components (e.g., `AdminUsersRoute`) that detect viewport using `useMediaQuery` and render desktop or mobile variant; ensures shared logic and prevents duplicate routing code.
+- Update navigation flows, ensuring mobile bottom navigation can reach admin sections gracefully.
+- Document keyboard shortcuts or focus management for accessibility (bulk selection, audit log toggles).
+
+### Phase 6 – Testing & QA
+- Add unit tests for new hooks (`useAuditLogStream`, bulk hooks) using Jest + Testing Library. Mock EventSource for streaming tests.
+- Component tests:
+  - Desktop grids: selection toggles, bulk action dialogs, form validation.
+  - Mobile screens: selection mode toggling, action bar behaviors.
+  - Audit log panels: streaming update rendering, pause/resume controls.
+- Visual regression smoke tests if tooling available; otherwise document manual screenshot checkpoints.
+- Manual QA matrix:
+  - Desktop ≥1280px and mobile ≤480px.
+  - Test flows: invite admin, revoke/reinstate, bulk revoke, catalog cascading delete, station soft/hard delete, audit log live updates.
+
+## Deliverables Checklist
+- [ ] Updated API client + types for batch + streaming.
+- [ ] Shared admin UI components & utilities.
+- [ ] Desktop admin pages fully functional with bulk + real-time features.
+- [ ] Mobile admin screens matching functionality.
+- [ ] Comprehensive tests covering new flows.
+- [ ] Documentation updates (API usage, manual QA steps).
+
+## Risks & Mitigations
+- **Streaming availability**: If backend stream not ready, fall back to polling with progressive enhancement; keep SSE integration behind feature flag.
+- **Bulk API inconsistencies**: Align payload format with backend; add defensive UI (disable actions until backend confirms support).
+- **State synchronization**: Ensure query invalidation covers dependent entities; consider structured query keys and `queryClient.setQueryData` for incremental updates.
+- **Mobile UX complexity**: Prototype selection mode early to validate ergonomics; leverage bottom sheets to avoid cramped toolbars.
+
+## Follow-up Questions (Resolved)
+1. Real-time audit logs required — implement SSE-based stream handling.
+2. Bulk operations mandatory — support multi-select + batch actions across admin users, catalog entities, stations.
+3. No additional design constraints — rely on existing Material UI and GlassCard paradigms.
+
+## Handoff Notes
+- Keep code comments concise per developer guidelines; avoid introducing new design systems.
+- Validate hooks for Auth0 dependency (ensure disabled when unauthenticated).
+- Coordinate with backend team if API gaps found; document interim shims.
+- Maintain responsiveness and accessibility; ensure touch targets ≥44px and keyboard operability on desktop grids.
+