Add user authentication system with API key management (#50)

- Add User, Session, AuthSettings models with bcrypt password hashing
- Add auth endpoints: login, logout, change-password, me
- Add API key CRUD: create (orch_xxx format), list, revoke
- Add admin user management: list, create, update, reset-password
- Create default admin user on startup (admin/admin)
- Add frontend: Login page, API Keys page, Admin Users page
- Add AuthContext for session state management
- Add user menu to Layout header with login/logout/settings
- Add 15 integration tests for auth system
- Add migration 006_auth_tables.sql

frontend/src/App.tsx

@@ -1,20 +1,36 @@
 import { Routes, Route } from 'react-router-dom';
+import { AuthProvider } from './contexts/AuthContext';
 import Layout from './components/Layout';
 import Home from './pages/Home';
 import ProjectPage from './pages/ProjectPage';
 import PackagePage from './pages/PackagePage';
 import Dashboard from './pages/Dashboard';
+import LoginPage from './pages/LoginPage';
+import APIKeysPage from './pages/APIKeysPage';
+import AdminUsersPage from './pages/AdminUsersPage';
 
 function App() {
   return (
-    <Layout>
+    <AuthProvider>
       <Routes>
-        <Route path="/" element={<Home />} />
-        <Route path="/dashboard" element={<Dashboard />} />
-        <Route path="/project/:projectName" element={<ProjectPage />} />
-        <Route path="/project/:projectName/:packageName" element={<PackagePage />} />
+        <Route path="/login" element={<LoginPage />} />
+        <Route
+          path="*"
+          element={
+            <Layout>
+              <Routes>
+                <Route path="/" element={<Home />} />
+                <Route path="/dashboard" element={<Dashboard />} />
+                <Route path="/settings/api-keys" element={<APIKeysPage />} />
+                <Route path="/admin/users" element={<AdminUsersPage />} />
+                <Route path="/project/:projectName" element={<ProjectPage />} />
+                <Route path="/project/:projectName/:packageName" element={<PackagePage />} />
+              </Routes>
+            </Layout>
+          }
+        />
       </Routes>
-    </Layout>
+    </AuthProvider>
   );
 }
 

frontend/src/api.ts

@@ -17,6 +17,14 @@ import {
   DeduplicationStats,
   TimelineStats,
   CrossProjectStats,
+  User,
+  LoginCredentials,
+  APIKey,
+  APIKeyCreate,
+  APIKeyCreateResponse,
+  AdminUser,
+  UserCreate,
+  UserUpdate,
 } from './types';
 
 const API_BASE = '/api/v1';
@@ -40,6 +48,42 @@ function buildQueryString(params: Record<string, unknown>): string {
   return query ? `?${query}` : '';
 }
 
+// Auth API
+export async function login(credentials: LoginCredentials): Promise<User> {
+  const response = await fetch(`${API_BASE}/auth/login`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(credentials),
+    credentials: 'include',
+  });
+  return handleResponse<User>(response);
+}
+
+export async function logout(): Promise<void> {
+  const response = await fetch(`${API_BASE}/auth/logout`, {
+    method: 'POST',
+    credentials: 'include',
+  });
+  if (!response.ok) {
+    const error = await response.json().catch(() => ({ detail: 'Unknown error' }));
+    throw new Error(error.detail || `HTTP ${response.status}`);
+  }
+}
+
+export async function getCurrentUser(): Promise<User | null> {
+  try {
+    const response = await fetch(`${API_BASE}/auth/me`, {
+      credentials: 'include',
+    });
+    if (response.status === 401) {
+      return null;
+    }
+    return handleResponse<User>(response);
+  } catch {
+    return null;
+  }
+}
+
 // Global Search API
 export async function globalSearch(query: string, limit: number = 5): Promise<GlobalSearchResponse> {
   const params = buildQueryString({ q: query, limit });
@@ -186,3 +230,72 @@ export async function getCrossProjectStats(): Promise<CrossProjectStats> {
   const response = await fetch(`${API_BASE}/stats/cross-project`);
   return handleResponse<CrossProjectStats>(response);
 }
+
+export async function listAPIKeys(): Promise<APIKey[]> {
+  const response = await fetch(`${API_BASE}/auth/keys`, {
+    credentials: 'include',
+  });
+  return handleResponse<APIKey[]>(response);
+}
+
+export async function createAPIKey(data: APIKeyCreate): Promise<APIKeyCreateResponse> {
+  const response = await fetch(`${API_BASE}/auth/keys`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(data),
+    credentials: 'include',
+  });
+  return handleResponse<APIKeyCreateResponse>(response);
+}
+
+export async function deleteAPIKey(id: string): Promise<void> {
+  const response = await fetch(`${API_BASE}/auth/keys/${id}`, {
+    method: 'DELETE',
+    credentials: 'include',
+  });
+  if (!response.ok) {
+    const error = await response.json().catch(() => ({ detail: 'Unknown error' }));
+    throw new Error(error.detail || `HTTP ${response.status}`);
+  }
+}
+
+// Admin User Management API
+export async function listUsers(): Promise<AdminUser[]> {
+  const response = await fetch(`${API_BASE}/admin/users`, {
+    credentials: 'include',
+  });
+  return handleResponse<AdminUser[]>(response);
+}
+
+export async function createUser(data: UserCreate): Promise<AdminUser> {
+  const response = await fetch(`${API_BASE}/admin/users`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(data),
+    credentials: 'include',
+  });
+  return handleResponse<AdminUser>(response);
+}
+
+export async function updateUser(username: string, data: UserUpdate): Promise<AdminUser> {
+  const response = await fetch(`${API_BASE}/admin/users/${username}`, {
+    method: 'PUT',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(data),
+    credentials: 'include',
+  });
+  return handleResponse<AdminUser>(response);
+}
+
+export async function resetUserPassword(username: string, newPassword: string): Promise<void> {
+  const response = await fetch(`${API_BASE}/admin/users/${username}/reset-password`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ new_password: newPassword }),
+    credentials: 'include',
+  });
+  if (!response.ok) {
+    const error = await response.json().catch(() => ({ detail: 'Unknown error' }));
+    throw new Error(error.detail || `HTTP ${response.status}`);
+  }
+}

frontend/src/components/Layout.css

@@ -98,6 +98,170 @@
   opacity: 0.7;
 }
 
+/* Login link */
+.nav-login {
+  display: flex;
+  align-items: center;
+  gap: 8px;
+  padding: 8px 16px;
+  color: var(--text-primary);
+  font-size: 0.875rem;
+  font-weight: 500;
+  border-radius: var(--radius-md);
+  transition: all var(--transition-fast);
+  margin-left: 8px;
+  border: 1px solid var(--border-primary);
+}
+
+.nav-login:hover {
+  color: var(--text-primary);
+  background: var(--bg-hover);
+  border-color: var(--border-secondary);
+}
+
+/* User Menu */
+.user-menu {
+  position: relative;
+  margin-left: 8px;
+}
+
+.user-menu-trigger {
+  display: flex;
+  align-items: center;
+  gap: 8px;
+  padding: 6px 12px;
+  background: transparent;
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-md);
+  color: var(--text-primary);
+  font-size: 0.875rem;
+  font-weight: 500;
+  cursor: pointer;
+  transition: all var(--transition-fast);
+}
+
+.user-menu-trigger:hover {
+  background: var(--bg-hover);
+  border-color: var(--border-secondary);
+}
+
+.user-avatar {
+  width: 28px;
+  height: 28px;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  background: var(--accent-gradient);
+  border-radius: var(--radius-sm);
+  color: white;
+  font-weight: 600;
+  font-size: 0.8125rem;
+}
+
+.user-name {
+  max-width: 120px;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+}
+
+.user-menu-dropdown {
+  position: absolute;
+  top: 100%;
+  right: 0;
+  margin-top: 8px;
+  min-width: 200px;
+  background: var(--bg-secondary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-md);
+  box-shadow: var(--shadow-lg);
+  z-index: 200;
+  overflow: hidden;
+}
+
+.user-menu-header {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  padding: 12px 16px;
+}
+
+.user-menu-username {
+  font-size: 0.875rem;
+  font-weight: 500;
+  color: var(--text-primary);
+}
+
+.user-menu-badge {
+  padding: 2px 8px;
+  background: var(--accent-gradient);
+  border-radius: 100px;
+  font-size: 0.6875rem;
+  font-weight: 600;
+  color: white;
+  text-transform: uppercase;
+  letter-spacing: 0.02em;
+}
+
+.user-menu-divider {
+  height: 1px;
+  background: var(--border-primary);
+}
+
+.user-menu-item {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  width: 100%;
+  padding: 12px 16px;
+  background: transparent;
+  border: none;
+  color: var(--text-secondary);
+  font-size: 0.875rem;
+  cursor: pointer;
+  transition: all var(--transition-fast);
+  text-align: left;
+  text-decoration: none;
+}
+
+.user-menu-item:hover {
+  background: var(--bg-hover);
+  color: var(--text-primary);
+}
+
+.user-menu-item svg {
+  opacity: 0.7;
+}
+
+.user-menu-item:hover svg {
+  opacity: 1;
+}
+
+/* User menu loading state */
+.user-menu-loading {
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  width: 40px;
+  height: 40px;
+  margin-left: 8px;
+}
+
+.user-menu-spinner {
+  width: 16px;
+  height: 16px;
+  border: 2px solid var(--border-secondary);
+  border-top-color: var(--accent-primary);
+  border-radius: 50%;
+  animation: user-menu-spin 0.6s linear infinite;
+}
+
+@keyframes user-menu-spin {
+  to {
+    transform: rotate(360deg);
+  }
+}
+
 /* Main content */
 .main {
   flex: 1;

frontend/src/components/Layout.tsx

@@ -1,5 +1,6 @@
-import { ReactNode } from 'react';
-import { Link, useLocation } from 'react-router-dom';
+import { ReactNode, useState, useRef, useEffect } from 'react';
+import { Link, NavLink, useLocation, useNavigate } from 'react-router-dom';
+import { useAuth } from '../contexts/AuthContext';
 import { GlobalSearch } from './GlobalSearch';
 import './Layout.css';
 
@@ -9,6 +10,31 @@ interface LayoutProps {
 
 function Layout({ children }: LayoutProps) {
   const location = useLocation();
+  const navigate = useNavigate();
+  const { user, loading, logout } = useAuth();
+  const [showUserMenu, setShowUserMenu] = useState(false);
+  const menuRef = useRef<HTMLDivElement>(null);
+
+  // Close menu when clicking outside
+  useEffect(() => {
+    function handleClickOutside(event: MouseEvent) {
+      if (menuRef.current && !menuRef.current.contains(event.target as Node)) {
+        setShowUserMenu(false);
+      }
+    }
+    document.addEventListener('mousedown', handleClickOutside);
+    return () => document.removeEventListener('mousedown', handleClickOutside);
+  }, []);
+
+  async function handleLogout() {
+    try {
+      await logout();
+      setShowUserMenu(false);
+      navigate('/');
+    } catch {
+      // Error handled in context
+    }
+  }
 
   return (
     <div className="layout">
@@ -60,6 +86,85 @@ function Layout({ children }: LayoutProps) {
               </svg>
               Docs
             </a>
+            
+            {/* User Menu */}
+            {loading ? (
+              <div className="user-menu-loading">
+                <div className="user-menu-spinner"></div>
+              </div>
+            ) : user ? (
+              <div className="user-menu" ref={menuRef}>
+                <button 
+                  className="user-menu-trigger"
+                  onClick={() => setShowUserMenu(!showUserMenu)}
+                  aria-expanded={showUserMenu}
+                  aria-haspopup="true"
+                >
+                  <div className="user-avatar">
+                    {user.username.charAt(0).toUpperCase()}
+                  </div>
+                  <span className="user-name">{user.display_name || user.username}</span>
+                  <svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+                    <polyline points="6 9 12 15 18 9"/>
+                  </svg>
+                </button>
+                
+                {showUserMenu && (
+                  <div className="user-menu-dropdown">
+                    <div className="user-menu-header">
+                      <span className="user-menu-username">{user.username}</span>
+                      {user.is_admin && (
+                        <span className="user-menu-badge">Admin</span>
+                      )}
+                    </div>
+                    <div className="user-menu-divider"></div>
+                    <NavLink
+                      to="/settings/api-keys"
+                      className="user-menu-item"
+                      onClick={() => setShowUserMenu(false)}
+                    >
+                      <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+                        <path d="M21 2l-2 2m-7.61 7.61a5.5 5.5 0 1 1-7.778 7.778 5.5 5.5 0 0 1 7.777-7.777zm0 0L15.5 7.5m0 0l3 3L22 7l-3-3m-3.5 3.5L19 4"/>
+                      </svg>
+                      API Keys
+                    </NavLink>
+                    {user.is_admin && (
+                      <NavLink
+                        to="/admin/users"
+                        className="user-menu-item"
+                        onClick={() => setShowUserMenu(false)}
+                      >
+                        <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+                          <path d="M17 21v-2a4 4 0 0 0-4-4H5a4 4 0 0 0-4 4v2"/>
+                          <circle cx="9" cy="7" r="4"/>
+                          <path d="M23 21v-2a4 4 0 0 0-3-3.87"/>
+                          <path d="M16 3.13a4 4 0 0 1 0 7.75"/>
+                        </svg>
+                        User Management
+                      </NavLink>
+                    )}
+                    <div className="user-menu-divider"></div>
+                    <button className="user-menu-item" onClick={handleLogout}>
+                      <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+                        <path d="M9 21H5a2 2 0 0 1-2-2V5a2 2 0 0 1 2-2h4"/>
+                        <polyline points="16 17 21 12 16 7"/>
+                        <line x1="21" y1="12" x2="9" y2="12"/>
+                      </svg>
+                      Sign out
+                    </button>
+                  </div>
+                )}
+              </div>
+            ) : (
+              <Link to="/login" className="nav-login">
+                <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+                  <path d="M15 3h4a2 2 0 0 1 2 2v14a2 2 0 0 1-2 2h-4"/>
+                  <polyline points="10 17 15 12 10 7"/>
+                  <line x1="15" y1="12" x2="3" y2="12"/>
+                </svg>
+                Login
+              </Link>
+            )}
           </nav>
         </div>
       </header>

frontend/src/contexts/AuthContext.tsx

@@ -0,0 +1,87 @@
+import { createContext, useContext, useState, useEffect, useCallback, ReactNode } from 'react';
+import { User } from '../types';
+import { getCurrentUser, login as apiLogin, logout as apiLogout } from '../api';
+
+interface AuthContextType {
+  user: User | null;
+  loading: boolean;
+  error: string | null;
+  login: (username: string, password: string) => Promise<void>;
+  logout: () => Promise<void>;
+  clearError: () => void;
+}
+
+const AuthContext = createContext<AuthContextType | undefined>(undefined);
+
+interface AuthProviderProps {
+  children: ReactNode;
+}
+
+export function AuthProvider({ children }: AuthProviderProps) {
+  const [user, setUser] = useState<User | null>(null);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+
+  // Check session on initial load
+  useEffect(() => {
+    async function checkAuth() {
+      try {
+        const currentUser = await getCurrentUser();
+        setUser(currentUser);
+      } catch {
+        setUser(null);
+      } finally {
+        setLoading(false);
+      }
+    }
+    checkAuth();
+  }, []);
+
+  const login = useCallback(async (username: string, password: string) => {
+    setLoading(true);
+    setError(null);
+    try {
+      const loggedInUser = await apiLogin({ username, password });
+      setUser(loggedInUser);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : 'Login failed';
+      setError(message);
+      throw err;
+    } finally {
+      setLoading(false);
+    }
+  }, []);
+
+  const logout = useCallback(async () => {
+    setLoading(true);
+    setError(null);
+    try {
+      await apiLogout();
+      setUser(null);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : 'Logout failed';
+      setError(message);
+      throw err;
+    } finally {
+      setLoading(false);
+    }
+  }, []);
+
+  const clearError = useCallback(() => {
+    setError(null);
+  }, []);
+
+  return (
+    <AuthContext.Provider value={{ user, loading, error, login, logout, clearError }}>
+      {children}
+    </AuthContext.Provider>
+  );
+}
+
+export function useAuth() {
+  const context = useContext(AuthContext);
+  if (context === undefined) {
+    throw new Error('useAuth must be used within an AuthProvider');
+  }
+  return context;
+}

frontend/src/pages/APIKeysPage.css

@@ -0,0 +1,580 @@
+.api-keys-page {
+  max-width: 900px;
+  margin: 0 auto;
+}
+
+.api-keys-header {
+  display: flex;
+  justify-content: space-between;
+  align-items: flex-start;
+  margin-bottom: 32px;
+  gap: 24px;
+}
+
+.api-keys-header-content h1 {
+  font-size: 1.75rem;
+  font-weight: 600;
+  color: var(--text-primary);
+  margin-bottom: 8px;
+  letter-spacing: -0.02em;
+}
+
+.api-keys-subtitle {
+  color: var(--text-tertiary);
+  font-size: 0.9375rem;
+}
+
+.api-keys-create-button {
+  display: flex;
+  align-items: center;
+  gap: 8px;
+  padding: 12px 20px;
+  background: var(--accent-gradient);
+  border: none;
+  border-radius: var(--radius-md);
+  font-size: 0.875rem;
+  font-weight: 500;
+  color: white;
+  cursor: pointer;
+  transition: all var(--transition-fast);
+  box-shadow: var(--shadow-sm), 0 0 20px rgba(16, 185, 129, 0.2);
+  flex-shrink: 0;
+}
+
+.api-keys-create-button:hover:not(:disabled) {
+  transform: translateY(-1px);
+  box-shadow: var(--shadow-md), 0 0 30px rgba(16, 185, 129, 0.3);
+}
+
+.api-keys-create-button:disabled {
+  opacity: 0.5;
+  cursor: not-allowed;
+  transform: none;
+}
+
+.api-keys-error {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  background: var(--error-bg);
+  border: 1px solid rgba(239, 68, 68, 0.2);
+  color: var(--error);
+  padding: 12px 16px;
+  border-radius: var(--radius-md);
+  margin-bottom: 24px;
+  font-size: 0.875rem;
+}
+
+.api-keys-error svg {
+  flex-shrink: 0;
+}
+
+.api-keys-error span {
+  flex: 1;
+}
+
+.api-keys-error-dismiss {
+  background: transparent;
+  border: none;
+  padding: 4px;
+  color: var(--error);
+  cursor: pointer;
+  opacity: 0.7;
+  transition: opacity var(--transition-fast);
+}
+
+.api-keys-error-dismiss:hover {
+  opacity: 1;
+}
+
+.api-keys-new-key-banner {
+  background: linear-gradient(135deg, rgba(16, 185, 129, 0.12) 0%, rgba(5, 150, 105, 0.08) 100%);
+  border: 1px solid rgba(16, 185, 129, 0.3);
+  border-radius: var(--radius-lg);
+  padding: 24px;
+  margin-bottom: 24px;
+}
+
+.api-keys-new-key-header {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  margin-bottom: 12px;
+  color: var(--accent-primary);
+}
+
+.api-keys-new-key-title {
+  font-size: 1rem;
+  font-weight: 600;
+}
+
+.api-keys-new-key-warning {
+  background: var(--warning-bg);
+  border: 1px solid rgba(245, 158, 11, 0.3);
+  color: var(--warning);
+  padding: 10px 14px;
+  border-radius: var(--radius-md);
+  font-size: 0.8125rem;
+  font-weight: 500;
+  margin-bottom: 16px;
+}
+
+.api-keys-new-key-value-container {
+  display: flex;
+  align-items: center;
+  gap: 12px;
+  margin-bottom: 16px;
+}
+
+.api-keys-new-key-value {
+  flex: 1;
+  background: var(--bg-primary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-md);
+  padding: 14px 16px;
+  font-family: 'JetBrains Mono', 'Fira Code', 'SF Mono', Monaco, monospace;
+  font-size: 0.8125rem;
+  color: var(--text-primary);
+  word-break: break-all;
+  line-height: 1.5;
+}
+
+.api-keys-copy-button {
+  display: flex;
+  align-items: center;
+  gap: 6px;
+  padding: 10px 16px;
+  background: var(--bg-tertiary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-md);
+  color: var(--text-secondary);
+  font-size: 0.8125rem;
+  font-weight: 500;
+  cursor: pointer;
+  transition: all var(--transition-fast);
+  flex-shrink: 0;
+}
+
+.api-keys-copy-button:hover {
+  background: var(--bg-hover);
+  border-color: var(--border-secondary);
+  color: var(--text-primary);
+}
+
+.api-keys-done-button {
+  padding: 10px 20px;
+  background: var(--accent-gradient);
+  border: none;
+  border-radius: var(--radius-md);
+  font-size: 0.875rem;
+  font-weight: 500;
+  color: white;
+  cursor: pointer;
+  transition: all var(--transition-fast);
+}
+
+.api-keys-done-button:hover {
+  transform: translateY(-1px);
+  box-shadow: var(--shadow-sm);
+}
+
+.api-keys-create-form-card {
+  background: var(--bg-secondary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-lg);
+  padding: 24px;
+  margin-bottom: 24px;
+}
+
+.api-keys-create-form-header {
+  display: flex;
+  justify-content: space-between;
+  align-items: center;
+  margin-bottom: 20px;
+}
+
+.api-keys-create-form-header h2 {
+  font-size: 1.125rem;
+  font-weight: 600;
+  color: var(--text-primary);
+}
+
+.api-keys-create-form-close {
+  background: transparent;
+  border: none;
+  padding: 4px;
+  color: var(--text-tertiary);
+  cursor: pointer;
+  border-radius: var(--radius-sm);
+  transition: all var(--transition-fast);
+}
+
+.api-keys-create-form-close:hover {
+  background: var(--bg-hover);
+  color: var(--text-primary);
+}
+
+.api-keys-create-error {
+  background: var(--error-bg);
+  border: 1px solid rgba(239, 68, 68, 0.2);
+  color: var(--error);
+  padding: 10px 14px;
+  border-radius: var(--radius-md);
+  font-size: 0.8125rem;
+  margin-bottom: 16px;
+}
+
+.api-keys-create-form {
+  display: flex;
+  flex-direction: column;
+  gap: 16px;
+}
+
+.api-keys-form-group {
+  display: flex;
+  flex-direction: column;
+  gap: 6px;
+}
+
+.api-keys-form-group label {
+  font-size: 0.8125rem;
+  font-weight: 500;
+  color: var(--text-secondary);
+}
+
+.api-keys-form-group input {
+  padding: 12px 14px;
+  background: var(--bg-tertiary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-md);
+  font-size: 0.875rem;
+  color: var(--text-primary);
+  transition: all var(--transition-fast);
+}
+
+.api-keys-form-group input::placeholder {
+  color: var(--text-muted);
+}
+
+.api-keys-form-group input:hover:not(:disabled) {
+  border-color: var(--border-secondary);
+  background: var(--bg-elevated);
+}
+
+.api-keys-form-group input:focus {
+  outline: none;
+  border-color: var(--accent-primary);
+  box-shadow: 0 0 0 3px rgba(16, 185, 129, 0.15);
+  background: var(--bg-elevated);
+}
+
+.api-keys-form-group input:disabled {
+  opacity: 0.6;
+  cursor: not-allowed;
+}
+
+.api-keys-form-actions {
+  display: flex;
+  justify-content: flex-end;
+  gap: 12px;
+  margin-top: 8px;
+}
+
+.api-keys-cancel-button {
+  padding: 10px 18px;
+  background: transparent;
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-md);
+  font-size: 0.875rem;
+  font-weight: 500;
+  color: var(--text-secondary);
+  cursor: pointer;
+  transition: all var(--transition-fast);
+}
+
+.api-keys-cancel-button:hover:not(:disabled) {
+  background: var(--bg-hover);
+  border-color: var(--border-secondary);
+  color: var(--text-primary);
+}
+
+.api-keys-cancel-button:disabled {
+  opacity: 0.5;
+  cursor: not-allowed;
+}
+
+.api-keys-submit-button {
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  gap: 8px;
+  padding: 10px 18px;
+  background: var(--accent-gradient);
+  border: none;
+  border-radius: var(--radius-md);
+  font-size: 0.875rem;
+  font-weight: 500;
+  color: white;
+  cursor: pointer;
+  transition: all var(--transition-fast);
+  min-width: 110px;
+}
+
+.api-keys-submit-button:hover:not(:disabled) {
+  transform: translateY(-1px);
+  box-shadow: var(--shadow-sm), 0 0 20px rgba(16, 185, 129, 0.2);
+}
+
+.api-keys-submit-button:disabled {
+  opacity: 0.5;
+  cursor: not-allowed;
+  transform: none;
+}
+
+.api-keys-button-spinner {
+  width: 14px;
+  height: 14px;
+  border: 2px solid rgba(255, 255, 255, 0.3);
+  border-top-color: white;
+  border-radius: 50%;
+  animation: api-keys-spin 0.6s linear infinite;
+}
+
+@keyframes api-keys-spin {
+  to {
+    transform: rotate(360deg);
+  }
+}
+
+.api-keys-list-container {
+  background: var(--bg-secondary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-lg);
+  overflow: hidden;
+}
+
+.api-keys-list-loading,
+.api-keys-loading {
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  gap: 12px;
+  padding: 64px 24px;
+  color: var(--text-tertiary);
+  font-size: 0.9375rem;
+}
+
+.api-keys-spinner {
+  width: 20px;
+  height: 20px;
+  border: 2px solid var(--border-secondary);
+  border-top-color: var(--accent-primary);
+  border-radius: 50%;
+  animation: api-keys-spin 0.6s linear infinite;
+}
+
+.api-keys-empty {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  justify-content: center;
+  padding: 64px 24px;
+  text-align: center;
+}
+
+.api-keys-empty-icon {
+  color: var(--text-muted);
+  margin-bottom: 16px;
+  opacity: 0.5;
+}
+
+.api-keys-empty h3 {
+  font-size: 1.125rem;
+  font-weight: 600;
+  color: var(--text-primary);
+  margin-bottom: 8px;
+}
+
+.api-keys-empty p {
+  color: var(--text-tertiary);
+  font-size: 0.875rem;
+}
+
+.api-keys-list {
+  display: flex;
+  flex-direction: column;
+}
+
+.api-keys-list-header {
+  display: grid;
+  grid-template-columns: 1fr 160px 160px 140px;
+  gap: 16px;
+  padding: 14px 20px;
+  background: var(--bg-tertiary);
+  border-bottom: 1px solid var(--border-primary);
+  font-size: 0.75rem;
+  font-weight: 600;
+  color: var(--text-tertiary);
+  text-transform: uppercase;
+  letter-spacing: 0.04em;
+}
+
+.api-keys-list-item {
+  display: grid;
+  grid-template-columns: 1fr 160px 160px 140px;
+  gap: 16px;
+  padding: 16px 20px;
+  align-items: center;
+  border-bottom: 1px solid var(--border-primary);
+  transition: background var(--transition-fast);
+}
+
+.api-keys-list-item:last-child {
+  border-bottom: none;
+}
+
+.api-keys-list-item:hover {
+  background: var(--bg-tertiary);
+}
+
+.api-keys-item-name {
+  font-weight: 500;
+  color: var(--text-primary);
+  font-size: 0.9375rem;
+}
+
+.api-keys-item-description {
+  color: var(--text-tertiary);
+  font-size: 0.8125rem;
+  margin-top: 4px;
+}
+
+.api-keys-col-created,
+.api-keys-col-used {
+  color: var(--text-secondary);
+  font-size: 0.8125rem;
+}
+
+.api-keys-col-actions {
+  display: flex;
+  justify-content: flex-end;
+}
+
+.api-keys-revoke-button {
+  padding: 6px 14px;
+  background: transparent;
+  border: 1px solid rgba(239, 68, 68, 0.3);
+  border-radius: var(--radius-md);
+  font-size: 0.8125rem;
+  font-weight: 500;
+  color: var(--error);
+  cursor: pointer;
+  transition: all var(--transition-fast);
+}
+
+.api-keys-revoke-button:hover {
+  background: var(--error-bg);
+  border-color: rgba(239, 68, 68, 0.5);
+}
+
+.api-keys-delete-confirm {
+  display: flex;
+  align-items: center;
+  gap: 8px;
+  font-size: 0.8125rem;
+  color: var(--text-secondary);
+}
+
+.api-keys-confirm-yes {
+  padding: 4px 12px;
+  background: var(--error);
+  border: none;
+  border-radius: var(--radius-sm);
+  font-size: 0.75rem;
+  font-weight: 500;
+  color: white;
+  cursor: pointer;
+  transition: all var(--transition-fast);
+}
+
+.api-keys-confirm-yes:hover:not(:disabled) {
+  opacity: 0.9;
+}
+
+.api-keys-confirm-yes:disabled {
+  opacity: 0.5;
+  cursor: not-allowed;
+}
+
+.api-keys-confirm-no {
+  padding: 4px 12px;
+  background: var(--bg-tertiary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-sm);
+  font-size: 0.75rem;
+  font-weight: 500;
+  color: var(--text-secondary);
+  cursor: pointer;
+  transition: all var(--transition-fast);
+}
+
+.api-keys-confirm-no:hover:not(:disabled) {
+  background: var(--bg-hover);
+}
+
+.api-keys-confirm-no:disabled {
+  opacity: 0.5;
+  cursor: not-allowed;
+}
+
+@media (max-width: 768px) {
+  .api-keys-header {
+    flex-direction: column;
+    align-items: stretch;
+  }
+
+  .api-keys-create-button {
+    align-self: flex-start;
+  }
+
+  .api-keys-list-header {
+    display: none;
+  }
+
+  .api-keys-list-item {
+    grid-template-columns: 1fr;
+    gap: 8px;
+  }
+
+  .api-keys-col-name {
+    order: 1;
+  }
+
+  .api-keys-col-created,
+  .api-keys-col-used {
+    font-size: 0.75rem;
+  }
+
+  .api-keys-col-created::before {
+    content: 'Created: ';
+    color: var(--text-muted);
+  }
+
+  .api-keys-col-used::before {
+    content: 'Last used: ';
+    color: var(--text-muted);
+  }
+
+  .api-keys-col-actions {
+    justify-content: flex-start;
+    margin-top: 8px;
+  }
+
+  .api-keys-new-key-value-container {
+    flex-direction: column;
+  }
+
+  .api-keys-copy-button {
+    align-self: flex-start;
+  }
+}

frontend/src/pages/APIKeysPage.tsx

@@ -0,0 +1,371 @@
+import { useState, useEffect } from 'react';
+import { useNavigate } from 'react-router-dom';
+import { useAuth } from '../contexts/AuthContext';
+import { listAPIKeys, createAPIKey, deleteAPIKey } from '../api';
+import { APIKey, APIKeyCreateResponse } from '../types';
+import './APIKeysPage.css';
+
+function APIKeysPage() {
+  const { user, loading: authLoading } = useAuth();
+  const navigate = useNavigate();
+
+  const [keys, setKeys] = useState<APIKey[]>([]);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+
+  const [showCreateForm, setShowCreateForm] = useState(false);
+  const [createName, setCreateName] = useState('');
+  const [createDescription, setCreateDescription] = useState('');
+  const [isCreating, setIsCreating] = useState(false);
+  const [createError, setCreateError] = useState<string | null>(null);
+
+  const [newlyCreatedKey, setNewlyCreatedKey] = useState<APIKeyCreateResponse | null>(null);
+  const [copied, setCopied] = useState(false);
+
+  const [deleteConfirmId, setDeleteConfirmId] = useState<string | null>(null);
+  const [isDeleting, setIsDeleting] = useState(false);
+
+  useEffect(() => {
+    if (!authLoading && !user) {
+      navigate('/login', { state: { from: '/settings/api-keys' } });
+    }
+  }, [user, authLoading, navigate]);
+
+  useEffect(() => {
+    if (user) {
+      loadKeys();
+    }
+  }, [user]);
+
+  async function loadKeys() {
+    setLoading(true);
+    setError(null);
+    try {
+      const data = await listAPIKeys();
+      setKeys(data);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Failed to load API keys');
+    } finally {
+      setLoading(false);
+    }
+  }
+
+  async function handleCreate(e: React.FormEvent) {
+    e.preventDefault();
+    if (!createName.trim()) {
+      setCreateError('Name is required');
+      return;
+    }
+
+    setIsCreating(true);
+    setCreateError(null);
+    try {
+      const response = await createAPIKey({
+        name: createName.trim(),
+        description: createDescription.trim() || undefined,
+      });
+      setNewlyCreatedKey(response);
+      setShowCreateForm(false);
+      setCreateName('');
+      setCreateDescription('');
+      await loadKeys();
+    } catch (err) {
+      setCreateError(err instanceof Error ? err.message : 'Failed to create API key');
+    } finally {
+      setIsCreating(false);
+    }
+  }
+
+  async function handleDelete(id: string) {
+    setIsDeleting(true);
+    try {
+      await deleteAPIKey(id);
+      setDeleteConfirmId(null);
+      await loadKeys();
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Failed to revoke API key');
+    } finally {
+      setIsDeleting(false);
+    }
+  }
+
+  async function handleCopyKey() {
+    if (newlyCreatedKey) {
+      try {
+        await navigator.clipboard.writeText(newlyCreatedKey.key);
+        setCopied(true);
+        setTimeout(() => setCopied(false), 2000);
+      } catch {
+        setError('Failed to copy to clipboard');
+      }
+    }
+  }
+
+  function handleDismissNewKey() {
+    setNewlyCreatedKey(null);
+    setCopied(false);
+  }
+
+  function formatDate(dateString: string | null): string {
+    if (!dateString) return 'Never';
+    return new Date(dateString).toLocaleDateString('en-US', {
+      year: 'numeric',
+      month: 'short',
+      day: 'numeric',
+      hour: '2-digit',
+      minute: '2-digit',
+    });
+  }
+
+  if (authLoading) {
+    return (
+      <div className="api-keys-page">
+        <div className="api-keys-loading">
+          <div className="api-keys-spinner"></div>
+          <span>Loading...</span>
+        </div>
+      </div>
+    );
+  }
+
+  if (!user) {
+    return null;
+  }
+
+  return (
+    <div className="api-keys-page">
+      <div className="api-keys-header">
+        <div className="api-keys-header-content">
+          <h1>API Keys</h1>
+          <p className="api-keys-subtitle">
+            Manage API keys for programmatic access to Orchard
+          </p>
+        </div>
+        <button
+          className="api-keys-create-button"
+          onClick={() => setShowCreateForm(true)}
+          disabled={showCreateForm}
+        >
+          <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+            <line x1="12" y1="5" x2="12" y2="19"/>
+            <line x1="5" y1="12" x2="19" y2="12"/>
+          </svg>
+          Create New Key
+        </button>
+      </div>
+
+      {error && (
+        <div className="api-keys-error">
+          <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+            <circle cx="12" cy="12" r="10"/>
+            <line x1="12" y1="8" x2="12" y2="12"/>
+            <line x1="12" y1="16" x2="12.01" y2="16"/>
+          </svg>
+          <span>{error}</span>
+          <button onClick={() => setError(null)} className="api-keys-error-dismiss">
+            <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+              <line x1="18" y1="6" x2="6" y2="18"/>
+              <line x1="6" y1="6" x2="18" y2="18"/>
+            </svg>
+          </button>
+        </div>
+      )}
+
+      {newlyCreatedKey && (
+        <div className="api-keys-new-key-banner">
+          <div className="api-keys-new-key-header">
+            <svg width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+              <path d="M12 22s8-4 8-10V5l-8-3-8 3v7c0 6 8 10 8 10z"/>
+            </svg>
+            <span className="api-keys-new-key-title">New API Key Created</span>
+          </div>
+          <div className="api-keys-new-key-warning">
+            Copy this key now! It won't be shown again.
+          </div>
+          <div className="api-keys-new-key-value-container">
+            <code className="api-keys-new-key-value">{newlyCreatedKey.key}</code>
+            <button
+              className="api-keys-copy-button"
+              onClick={handleCopyKey}
+              title="Copy to clipboard"
+            >
+              {copied ? (
+                <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+                  <polyline points="20 6 9 17 4 12"/>
+                </svg>
+              ) : (
+                <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+                  <rect x="9" y="9" width="13" height="13" rx="2" ry="2"/>
+                  <path d="M5 15H4a2 2 0 0 1-2-2V4a2 2 0 0 1 2-2h9a2 2 0 0 1 2 2v1"/>
+                </svg>
+              )}
+              {copied ? 'Copied!' : 'Copy'}
+            </button>
+          </div>
+          <button className="api-keys-done-button" onClick={handleDismissNewKey}>
+            Done
+          </button>
+        </div>
+      )}
+
+      {showCreateForm && (
+        <div className="api-keys-create-form-card">
+          <div className="api-keys-create-form-header">
+            <h2>Create New API Key</h2>
+            <button
+              className="api-keys-create-form-close"
+              onClick={() => {
+                setShowCreateForm(false);
+                setCreateName('');
+                setCreateDescription('');
+                setCreateError(null);
+              }}
+            >
+              <svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+                <line x1="18" y1="6" x2="6" y2="18"/>
+                <line x1="6" y1="6" x2="18" y2="18"/>
+              </svg>
+            </button>
+          </div>
+
+          {createError && (
+            <div className="api-keys-create-error">
+              {createError}
+            </div>
+          )}
+
+          <form onSubmit={handleCreate} className="api-keys-create-form">
+            <div className="api-keys-form-group">
+              <label htmlFor="key-name">Name</label>
+              <input
+                id="key-name"
+                type="text"
+                value={createName}
+                onChange={(e) => setCreateName(e.target.value)}
+                placeholder="e.g., CI/CD Pipeline, Local Development"
+                autoFocus
+                disabled={isCreating}
+              />
+            </div>
+
+            <div className="api-keys-form-group">
+              <label htmlFor="key-description">Description (optional)</label>
+              <input
+                id="key-description"
+                type="text"
+                value={createDescription}
+                onChange={(e) => setCreateDescription(e.target.value)}
+                placeholder="What will this key be used for?"
+                disabled={isCreating}
+              />
+            </div>
+
+            <div className="api-keys-form-actions">
+              <button
+                type="button"
+                className="api-keys-cancel-button"
+                onClick={() => {
+                  setShowCreateForm(false);
+                  setCreateName('');
+                  setCreateDescription('');
+                  setCreateError(null);
+                }}
+                disabled={isCreating}
+              >
+                Cancel
+              </button>
+              <button
+                type="submit"
+                className="api-keys-submit-button"
+                disabled={isCreating || !createName.trim()}
+              >
+                {isCreating ? (
+                  <>
+                    <span className="api-keys-button-spinner"></span>
+                    Creating...
+                  </>
+                ) : (
+                  'Create Key'
+                )}
+              </button>
+            </div>
+          </form>
+        </div>
+      )}
+
+      <div className="api-keys-list-container">
+        {loading ? (
+          <div className="api-keys-list-loading">
+            <div className="api-keys-spinner"></div>
+            <span>Loading API keys...</span>
+          </div>
+        ) : keys.length === 0 ? (
+          <div className="api-keys-empty">
+            <div className="api-keys-empty-icon">
+              <svg width="48" height="48" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="1.5">
+                <path d="M21 2l-2 2m-7.61 7.61a5.5 5.5 0 1 1-7.778 7.778 5.5 5.5 0 0 1 7.777-7.777zm0 0L15.5 7.5m0 0l3 3L22 7l-3-3m-3.5 3.5L19 4"/>
+              </svg>
+            </div>
+            <h3>No API Keys</h3>
+            <p>Create an API key to access Orchard programmatically</p>
+          </div>
+        ) : (
+          <div className="api-keys-list">
+            <div className="api-keys-list-header">
+              <span className="api-keys-col-name">Name</span>
+              <span className="api-keys-col-created">Created</span>
+              <span className="api-keys-col-used">Last Used</span>
+              <span className="api-keys-col-actions">Actions</span>
+            </div>
+            {keys.map((key) => (
+              <div key={key.id} className="api-keys-list-item">
+                <div className="api-keys-col-name">
+                  <div className="api-keys-item-name">{key.name}</div>
+                  {key.description && (
+                    <div className="api-keys-item-description">{key.description}</div>
+                  )}
+                </div>
+                <div className="api-keys-col-created">
+                  {formatDate(key.created_at)}
+                </div>
+                <div className="api-keys-col-used">
+                  {formatDate(key.last_used)}
+                </div>
+                <div className="api-keys-col-actions">
+                  {deleteConfirmId === key.id ? (
+                    <div className="api-keys-delete-confirm">
+                      <span>Revoke?</span>
+                      <button
+                        className="api-keys-confirm-yes"
+                        onClick={() => handleDelete(key.id)}
+                        disabled={isDeleting}
+                      >
+                        {isDeleting ? 'Revoking...' : 'Yes'}
+                      </button>
+                      <button
+                        className="api-keys-confirm-no"
+                        onClick={() => setDeleteConfirmId(null)}
+                        disabled={isDeleting}
+                      >
+                        No
+                      </button>
+                    </div>
+                  ) : (
+                    <button
+                      className="api-keys-revoke-button"
+                      onClick={() => setDeleteConfirmId(key.id)}
+                    >
+                      Revoke
+                    </button>
+                  )}
+                </div>
+              </div>
+            ))}
+          </div>
+        )}
+      </div>
+    </div>
+  );
+}
+
+export default APIKeysPage;

frontend/src/pages/AdminUsersPage.css

@@ -0,0 +1,667 @@
+.admin-users-page {
+  max-width: 1100px;
+  margin: 0 auto;
+}
+
+.admin-users-header {
+  display: flex;
+  justify-content: space-between;
+  align-items: flex-start;
+  margin-bottom: 32px;
+  gap: 24px;
+}
+
+.admin-users-header-content h1 {
+  font-size: 1.75rem;
+  font-weight: 600;
+  color: var(--text-primary);
+  margin-bottom: 8px;
+  letter-spacing: -0.02em;
+}
+
+.admin-users-subtitle {
+  color: var(--text-tertiary);
+  font-size: 0.9375rem;
+}
+
+.admin-users-create-button {
+  display: flex;
+  align-items: center;
+  gap: 8px;
+  padding: 12px 20px;
+  background: var(--accent-gradient);
+  border: none;
+  border-radius: var(--radius-md);
+  font-size: 0.875rem;
+  font-weight: 500;
+  color: white;
+  cursor: pointer;
+  transition: all var(--transition-fast);
+  box-shadow: var(--shadow-sm), 0 0 20px rgba(16, 185, 129, 0.2);
+  flex-shrink: 0;
+}
+
+.admin-users-create-button:hover:not(:disabled) {
+  transform: translateY(-1px);
+  box-shadow: var(--shadow-md), 0 0 30px rgba(16, 185, 129, 0.3);
+}
+
+.admin-users-create-button:disabled {
+  opacity: 0.5;
+  cursor: not-allowed;
+  transform: none;
+}
+
+.admin-users-success {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  background: var(--success-bg);
+  border: 1px solid rgba(34, 197, 94, 0.2);
+  color: var(--success);
+  padding: 12px 16px;
+  border-radius: var(--radius-md);
+  margin-bottom: 24px;
+  font-size: 0.875rem;
+  animation: admin-users-fade-in 0.2s ease;
+}
+
+@keyframes admin-users-fade-in {
+  from {
+    opacity: 0;
+    transform: translateY(-8px);
+  }
+  to {
+    opacity: 1;
+    transform: translateY(0);
+  }
+}
+
+.admin-users-error {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  background: var(--error-bg);
+  border: 1px solid rgba(239, 68, 68, 0.2);
+  color: var(--error);
+  padding: 12px 16px;
+  border-radius: var(--radius-md);
+  margin-bottom: 24px;
+  font-size: 0.875rem;
+}
+
+.admin-users-error svg {
+  flex-shrink: 0;
+}
+
+.admin-users-error span {
+  flex: 1;
+}
+
+.admin-users-error-dismiss {
+  background: transparent;
+  border: none;
+  padding: 4px;
+  color: var(--error);
+  cursor: pointer;
+  opacity: 0.7;
+  transition: opacity var(--transition-fast);
+}
+
+.admin-users-error-dismiss:hover {
+  opacity: 1;
+}
+
+.admin-users-access-denied {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  justify-content: center;
+  padding: 80px 24px;
+  text-align: center;
+}
+
+.admin-users-access-denied-icon {
+  color: var(--error);
+  margin-bottom: 24px;
+  opacity: 0.8;
+}
+
+.admin-users-access-denied h2 {
+  font-size: 1.5rem;
+  font-weight: 600;
+  color: var(--text-primary);
+  margin-bottom: 12px;
+}
+
+.admin-users-access-denied p {
+  color: var(--text-tertiary);
+  font-size: 0.9375rem;
+  max-width: 400px;
+}
+
+.admin-users-create-form-card,
+.admin-users-reset-password-card {
+  background: var(--bg-secondary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-lg);
+  padding: 24px;
+  margin-bottom: 24px;
+}
+
+.admin-users-create-form-header,
+.admin-users-reset-password-header {
+  display: flex;
+  justify-content: space-between;
+  align-items: center;
+  margin-bottom: 20px;
+}
+
+.admin-users-create-form-header h2,
+.admin-users-reset-password-header h2 {
+  font-size: 1.125rem;
+  font-weight: 600;
+  color: var(--text-primary);
+}
+
+.admin-users-create-form-close {
+  background: transparent;
+  border: none;
+  padding: 4px;
+  color: var(--text-tertiary);
+  cursor: pointer;
+  border-radius: var(--radius-sm);
+  transition: all var(--transition-fast);
+}
+
+.admin-users-create-form-close:hover {
+  background: var(--bg-hover);
+  color: var(--text-primary);
+}
+
+.admin-users-reset-password-info {
+  color: var(--text-secondary);
+  font-size: 0.875rem;
+  margin-bottom: 16px;
+}
+
+.admin-users-reset-password-info strong {
+  color: var(--text-primary);
+}
+
+.admin-users-create-error {
+  background: var(--error-bg);
+  border: 1px solid rgba(239, 68, 68, 0.2);
+  color: var(--error);
+  padding: 10px 14px;
+  border-radius: var(--radius-md);
+  font-size: 0.8125rem;
+  margin-bottom: 16px;
+}
+
+.admin-users-create-form,
+.admin-users-reset-password-form {
+  display: flex;
+  flex-direction: column;
+  gap: 16px;
+}
+
+.admin-users-form-group {
+  display: flex;
+  flex-direction: column;
+  gap: 6px;
+}
+
+.admin-users-form-group label {
+  font-size: 0.8125rem;
+  font-weight: 500;
+  color: var(--text-secondary);
+}
+
+.admin-users-form-group input[type="text"],
+.admin-users-form-group input[type="password"],
+.admin-users-form-group input[type="email"] {
+  padding: 12px 14px;
+  background: var(--bg-tertiary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-md);
+  font-size: 0.875rem;
+  color: var(--text-primary);
+  transition: all var(--transition-fast);
+}
+
+.admin-users-form-group input::placeholder {
+  color: var(--text-muted);
+}
+
+.admin-users-form-group input:hover:not(:disabled) {
+  border-color: var(--border-secondary);
+  background: var(--bg-elevated);
+}
+
+.admin-users-form-group input:focus {
+  outline: none;
+  border-color: var(--accent-primary);
+  box-shadow: 0 0 0 3px rgba(16, 185, 129, 0.15);
+  background: var(--bg-elevated);
+}
+
+.admin-users-form-group input:disabled {
+  opacity: 0.6;
+  cursor: not-allowed;
+}
+
+.admin-users-checkbox-group {
+  flex-direction: row;
+  align-items: center;
+}
+
+.admin-users-checkbox-label {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  cursor: pointer;
+  font-size: 0.875rem;
+  font-weight: 400;
+  color: var(--text-secondary);
+  user-select: none;
+}
+
+.admin-users-checkbox-label input[type="checkbox"] {
+  position: absolute;
+  opacity: 0;
+  width: 0;
+  height: 0;
+}
+
+.admin-users-checkbox-custom {
+  width: 18px;
+  height: 18px;
+  background: var(--bg-tertiary);
+  border: 1px solid var(--border-secondary);
+  border-radius: var(--radius-sm);
+  transition: all var(--transition-fast);
+  position: relative;
+}
+
+.admin-users-checkbox-label input[type="checkbox"]:checked + .admin-users-checkbox-custom {
+  background: var(--accent-primary);
+  border-color: var(--accent-primary);
+}
+
+.admin-users-checkbox-label input[type="checkbox"]:checked + .admin-users-checkbox-custom::after {
+  content: '';
+  position: absolute;
+  left: 5px;
+  top: 2px;
+  width: 5px;
+  height: 9px;
+  border: solid white;
+  border-width: 0 2px 2px 0;
+  transform: rotate(45deg);
+}
+
+.admin-users-checkbox-label input[type="checkbox"]:focus + .admin-users-checkbox-custom {
+  box-shadow: 0 0 0 3px rgba(16, 185, 129, 0.15);
+}
+
+.admin-users-checkbox-label:hover .admin-users-checkbox-custom {
+  border-color: var(--accent-primary);
+}
+
+.admin-users-form-actions {
+  display: flex;
+  justify-content: flex-end;
+  gap: 12px;
+  margin-top: 8px;
+}
+
+.admin-users-cancel-button {
+  padding: 10px 18px;
+  background: transparent;
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-md);
+  font-size: 0.875rem;
+  font-weight: 500;
+  color: var(--text-secondary);
+  cursor: pointer;
+  transition: all var(--transition-fast);
+}
+
+.admin-users-cancel-button:hover:not(:disabled) {
+  background: var(--bg-hover);
+  border-color: var(--border-secondary);
+  color: var(--text-primary);
+}
+
+.admin-users-cancel-button:disabled {
+  opacity: 0.5;
+  cursor: not-allowed;
+}
+
+.admin-users-submit-button {
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  gap: 8px;
+  padding: 10px 18px;
+  background: var(--accent-gradient);
+  border: none;
+  border-radius: var(--radius-md);
+  font-size: 0.875rem;
+  font-weight: 500;
+  color: white;
+  cursor: pointer;
+  transition: all var(--transition-fast);
+  min-width: 120px;
+}
+
+.admin-users-submit-button:hover:not(:disabled) {
+  transform: translateY(-1px);
+  box-shadow: var(--shadow-sm), 0 0 20px rgba(16, 185, 129, 0.2);
+}
+
+.admin-users-submit-button:disabled {
+  opacity: 0.5;
+  cursor: not-allowed;
+  transform: none;
+}
+
+.admin-users-button-spinner {
+  width: 14px;
+  height: 14px;
+  border: 2px solid rgba(255, 255, 255, 0.3);
+  border-top-color: white;
+  border-radius: 50%;
+  animation: admin-users-spin 0.6s linear infinite;
+}
+
+@keyframes admin-users-spin {
+  to {
+    transform: rotate(360deg);
+  }
+}
+
+.admin-users-list-container {
+  background: var(--bg-secondary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-lg);
+  overflow: hidden;
+}
+
+.admin-users-list-loading,
+.admin-users-loading {
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  gap: 12px;
+  padding: 64px 24px;
+  color: var(--text-tertiary);
+  font-size: 0.9375rem;
+}
+
+.admin-users-spinner {
+  width: 20px;
+  height: 20px;
+  border: 2px solid var(--border-secondary);
+  border-top-color: var(--accent-primary);
+  border-radius: 50%;
+  animation: admin-users-spin 0.6s linear infinite;
+}
+
+.admin-users-empty {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  justify-content: center;
+  padding: 64px 24px;
+  text-align: center;
+}
+
+.admin-users-empty-icon {
+  color: var(--text-muted);
+  margin-bottom: 16px;
+  opacity: 0.5;
+}
+
+.admin-users-empty h3 {
+  font-size: 1.125rem;
+  font-weight: 600;
+  color: var(--text-primary);
+  margin-bottom: 8px;
+}
+
+.admin-users-empty p {
+  color: var(--text-tertiary);
+  font-size: 0.875rem;
+}
+
+.admin-users-list {
+  display: flex;
+  flex-direction: column;
+}
+
+.admin-users-list-header {
+  display: grid;
+  grid-template-columns: 2fr 100px 140px 140px 1fr;
+  gap: 16px;
+  padding: 14px 20px;
+  background: var(--bg-tertiary);
+  border-bottom: 1px solid var(--border-primary);
+  font-size: 0.75rem;
+  font-weight: 600;
+  color: var(--text-tertiary);
+  text-transform: uppercase;
+  letter-spacing: 0.04em;
+}
+
+.admin-users-list-item {
+  display: grid;
+  grid-template-columns: 2fr 100px 140px 140px 1fr;
+  gap: 16px;
+  padding: 16px 20px;
+  align-items: center;
+  border-bottom: 1px solid var(--border-primary);
+  transition: background var(--transition-fast);
+}
+
+.admin-users-list-item:last-child {
+  border-bottom: none;
+}
+
+.admin-users-list-item:hover {
+  background: var(--bg-tertiary);
+}
+
+.admin-users-list-item.admin-users-inactive {
+  opacity: 0.6;
+}
+
+.admin-users-col-user {
+  display: flex;
+  align-items: center;
+  gap: 12px;
+}
+
+.admin-users-item-avatar {
+  width: 36px;
+  height: 36px;
+  border-radius: 50%;
+  background: var(--accent-gradient);
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  color: white;
+  font-weight: 600;
+  font-size: 0.875rem;
+  flex-shrink: 0;
+}
+
+.admin-users-item-info {
+  display: flex;
+  flex-direction: column;
+  min-width: 0;
+}
+
+.admin-users-item-username {
+  font-weight: 500;
+  color: var(--text-primary);
+  font-size: 0.9375rem;
+  display: flex;
+  align-items: center;
+  gap: 8px;
+}
+
+.admin-users-admin-badge {
+  display: inline-flex;
+  padding: 2px 8px;
+  background: linear-gradient(135deg, rgba(16, 185, 129, 0.15) 0%, rgba(5, 150, 105, 0.1) 100%);
+  border: 1px solid rgba(16, 185, 129, 0.3);
+  border-radius: 20px;
+  font-size: 0.6875rem;
+  font-weight: 600;
+  color: var(--accent-primary);
+  text-transform: uppercase;
+  letter-spacing: 0.03em;
+}
+
+.admin-users-item-email {
+  color: var(--text-tertiary);
+  font-size: 0.8125rem;
+  white-space: nowrap;
+  overflow: hidden;
+  text-overflow: ellipsis;
+}
+
+.admin-users-col-status {
+  display: flex;
+  align-items: center;
+}
+
+.admin-users-status-badge {
+  display: inline-flex;
+  padding: 4px 10px;
+  border-radius: 20px;
+  font-size: 0.75rem;
+  font-weight: 500;
+}
+
+.admin-users-status-badge.active {
+  background: var(--success-bg);
+  color: var(--success);
+}
+
+.admin-users-status-badge.inactive {
+  background: var(--error-bg);
+  color: var(--error);
+}
+
+.admin-users-col-created,
+.admin-users-col-login {
+  color: var(--text-secondary);
+  font-size: 0.8125rem;
+}
+
+.admin-users-col-actions {
+  display: flex;
+  justify-content: flex-end;
+}
+
+.admin-users-actions-menu {
+  display: flex;
+  gap: 6px;
+}
+
+.admin-users-action-button {
+  display: flex;
+  align-items: center;
+  gap: 4px;
+  padding: 6px 10px;
+  background: var(--bg-tertiary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-sm);
+  font-size: 0.75rem;
+  font-weight: 500;
+  color: var(--text-secondary);
+  cursor: pointer;
+  transition: all var(--transition-fast);
+  white-space: nowrap;
+}
+
+.admin-users-action-button:hover:not(:disabled) {
+  background: var(--bg-hover);
+  border-color: var(--border-secondary);
+  color: var(--text-primary);
+}
+
+.admin-users-action-button:disabled {
+  opacity: 0.4;
+  cursor: not-allowed;
+}
+
+.admin-users-action-spinner {
+  width: 12px;
+  height: 12px;
+  border: 2px solid var(--border-secondary);
+  border-top-color: var(--accent-primary);
+  border-radius: 50%;
+  animation: admin-users-spin 0.6s linear infinite;
+}
+
+@media (max-width: 1024px) {
+  .admin-users-list-header {
+    grid-template-columns: 2fr 100px 1fr;
+  }
+
+  .admin-users-list-item {
+    grid-template-columns: 2fr 100px 1fr;
+  }
+
+  .admin-users-col-created,
+  .admin-users-col-login {
+    display: none;
+  }
+
+  .admin-users-list-header .admin-users-col-created,
+  .admin-users-list-header .admin-users-col-login {
+    display: none;
+  }
+}
+
+@media (max-width: 768px) {
+  .admin-users-header {
+    flex-direction: column;
+    align-items: stretch;
+  }
+
+  .admin-users-create-button {
+    align-self: flex-start;
+  }
+
+  .admin-users-list-header {
+    display: none;
+  }
+
+  .admin-users-list-item {
+    grid-template-columns: 1fr;
+    gap: 12px;
+    padding: 16px;
+  }
+
+  .admin-users-col-user {
+    order: 1;
+  }
+
+  .admin-users-col-status {
+    order: 2;
+  }
+
+  .admin-users-col-actions {
+    order: 3;
+    justify-content: flex-start;
+  }
+
+  .admin-users-actions-menu {
+    flex-wrap: wrap;
+  }
+}

frontend/src/pages/AdminUsersPage.tsx

@@ -0,0 +1,529 @@
+import { useState, useEffect } from 'react';
+import { useNavigate } from 'react-router-dom';
+import { useAuth } from '../contexts/AuthContext';
+import { listUsers, createUser, updateUser, resetUserPassword } from '../api';
+import { AdminUser } from '../types';
+import './AdminUsersPage.css';
+
+function AdminUsersPage() {
+  const { user, loading: authLoading } = useAuth();
+  const navigate = useNavigate();
+
+  const [users, setUsers] = useState<AdminUser[]>([]);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+
+  const [showCreateForm, setShowCreateForm] = useState(false);
+  const [createUsername, setCreateUsername] = useState('');
+  const [createPassword, setCreatePassword] = useState('');
+  const [createEmail, setCreateEmail] = useState('');
+  const [createIsAdmin, setCreateIsAdmin] = useState(false);
+  const [isCreating, setIsCreating] = useState(false);
+  const [createError, setCreateError] = useState<string | null>(null);
+
+  const [resetPasswordUsername, setResetPasswordUsername] = useState<string | null>(null);
+  const [newPassword, setNewPassword] = useState('');
+  const [isResetting, setIsResetting] = useState(false);
+
+  const [togglingUser, setTogglingUser] = useState<string | null>(null);
+
+  const [successMessage, setSuccessMessage] = useState<string | null>(null);
+
+  useEffect(() => {
+    if (!authLoading && !user) {
+      navigate('/login', { state: { from: '/admin/users' } });
+    }
+  }, [user, authLoading, navigate]);
+
+  useEffect(() => {
+    if (user && user.is_admin) {
+      loadUsers();
+    }
+  }, [user]);
+
+  useEffect(() => {
+    if (successMessage) {
+      const timer = setTimeout(() => setSuccessMessage(null), 3000);
+      return () => clearTimeout(timer);
+    }
+  }, [successMessage]);
+
+  async function loadUsers() {
+    setLoading(true);
+    setError(null);
+    try {
+      const data = await listUsers();
+      setUsers(data);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Failed to load users');
+    } finally {
+      setLoading(false);
+    }
+  }
+
+  async function handleCreate(e: React.FormEvent) {
+    e.preventDefault();
+    if (!createUsername.trim()) {
+      setCreateError('Username is required');
+      return;
+    }
+    if (!createPassword.trim()) {
+      setCreateError('Password is required');
+      return;
+    }
+
+    setIsCreating(true);
+    setCreateError(null);
+    try {
+      await createUser({
+        username: createUsername.trim(),
+        password: createPassword,
+        email: createEmail.trim() || undefined,
+        is_admin: createIsAdmin,
+      });
+      setShowCreateForm(false);
+      setCreateUsername('');
+      setCreatePassword('');
+      setCreateEmail('');
+      setCreateIsAdmin(false);
+      setSuccessMessage('User created successfully');
+      await loadUsers();
+    } catch (err) {
+      setCreateError(err instanceof Error ? err.message : 'Failed to create user');
+    } finally {
+      setIsCreating(false);
+    }
+  }
+
+  async function handleToggleAdmin(targetUser: AdminUser) {
+    setTogglingUser(targetUser.username);
+    try {
+      await updateUser(targetUser.username, { is_admin: !targetUser.is_admin });
+      setSuccessMessage(`${targetUser.username} is ${!targetUser.is_admin ? 'now' : 'no longer'} an admin`);
+      await loadUsers();
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Failed to update user');
+    } finally {
+      setTogglingUser(null);
+    }
+  }
+
+  async function handleToggleActive(targetUser: AdminUser) {
+    setTogglingUser(targetUser.username);
+    try {
+      await updateUser(targetUser.username, { is_active: !targetUser.is_active });
+      setSuccessMessage(`${targetUser.username} has been ${!targetUser.is_active ? 'enabled' : 'disabled'}`);
+      await loadUsers();
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Failed to update user');
+    } finally {
+      setTogglingUser(null);
+    }
+  }
+
+  async function handleResetPassword(e: React.FormEvent) {
+    e.preventDefault();
+    if (!resetPasswordUsername || !newPassword.trim()) {
+      return;
+    }
+
+    setIsResetting(true);
+    try {
+      await resetUserPassword(resetPasswordUsername, newPassword);
+      setResetPasswordUsername(null);
+      setNewPassword('');
+      setSuccessMessage(`Password reset for ${resetPasswordUsername}`);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Failed to reset password');
+    } finally {
+      setIsResetting(false);
+    }
+  }
+
+  function formatDate(dateString: string | null): string {
+    if (!dateString) return 'Never';
+    return new Date(dateString).toLocaleDateString('en-US', {
+      year: 'numeric',
+      month: 'short',
+      day: 'numeric',
+      hour: '2-digit',
+      minute: '2-digit',
+    });
+  }
+
+  if (authLoading) {
+    return (
+      <div className="admin-users-page">
+        <div className="admin-users-loading">
+          <div className="admin-users-spinner"></div>
+          <span>Loading...</span>
+        </div>
+      </div>
+    );
+  }
+
+  if (!user) {
+    return null;
+  }
+
+  if (!user.is_admin) {
+    return (
+      <div className="admin-users-page">
+        <div className="admin-users-access-denied">
+          <div className="admin-users-access-denied-icon">
+            <svg width="48" height="48" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="1.5">
+              <circle cx="12" cy="12" r="10"/>
+              <line x1="4.93" y1="4.93" x2="19.07" y2="19.07"/>
+            </svg>
+          </div>
+          <h2>Access Denied</h2>
+          <p>You do not have permission to access this page. Admin privileges are required.</p>
+        </div>
+      </div>
+    );
+  }
+
+  return (
+    <div className="admin-users-page">
+      <div className="admin-users-header">
+        <div className="admin-users-header-content">
+          <h1>User Management</h1>
+          <p className="admin-users-subtitle">
+            Manage user accounts and permissions
+          </p>
+        </div>
+        <button
+          className="admin-users-create-button"
+          onClick={() => setShowCreateForm(true)}
+          disabled={showCreateForm}
+        >
+          <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+            <line x1="12" y1="5" x2="12" y2="19"/>
+            <line x1="5" y1="12" x2="19" y2="12"/>
+          </svg>
+          Create User
+        </button>
+      </div>
+
+      {successMessage && (
+        <div className="admin-users-success">
+          <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+            <path d="M22 11.08V12a10 10 0 1 1-5.93-9.14"/>
+            <polyline points="22 4 12 14.01 9 11.01"/>
+          </svg>
+          <span>{successMessage}</span>
+        </div>
+      )}
+
+      {error && (
+        <div className="admin-users-error">
+          <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+            <circle cx="12" cy="12" r="10"/>
+            <line x1="12" y1="8" x2="12" y2="12"/>
+            <line x1="12" y1="16" x2="12.01" y2="16"/>
+          </svg>
+          <span>{error}</span>
+          <button onClick={() => setError(null)} className="admin-users-error-dismiss">
+            <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+              <line x1="18" y1="6" x2="6" y2="18"/>
+              <line x1="6" y1="6" x2="18" y2="18"/>
+            </svg>
+          </button>
+        </div>
+      )}
+
+      {showCreateForm && (
+        <div className="admin-users-create-form-card">
+          <div className="admin-users-create-form-header">
+            <h2>Create New User</h2>
+            <button
+              className="admin-users-create-form-close"
+              onClick={() => {
+                setShowCreateForm(false);
+                setCreateUsername('');
+                setCreatePassword('');
+                setCreateEmail('');
+                setCreateIsAdmin(false);
+                setCreateError(null);
+              }}
+            >
+              <svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+                <line x1="18" y1="6" x2="6" y2="18"/>
+                <line x1="6" y1="6" x2="18" y2="18"/>
+              </svg>
+            </button>
+          </div>
+
+          {createError && (
+            <div className="admin-users-create-error">
+              {createError}
+            </div>
+          )}
+
+          <form onSubmit={handleCreate} className="admin-users-create-form">
+            <div className="admin-users-form-group">
+              <label htmlFor="username">Username</label>
+              <input
+                id="username"
+                type="text"
+                value={createUsername}
+                onChange={(e) => setCreateUsername(e.target.value)}
+                placeholder="Enter username"
+                autoFocus
+                disabled={isCreating}
+              />
+            </div>
+
+            <div className="admin-users-form-group">
+              <label htmlFor="password">Password</label>
+              <input
+                id="password"
+                type="password"
+                value={createPassword}
+                onChange={(e) => setCreatePassword(e.target.value)}
+                placeholder="Enter password"
+                disabled={isCreating}
+              />
+            </div>
+
+            <div className="admin-users-form-group">
+              <label htmlFor="email">Email (optional)</label>
+              <input
+                id="email"
+                type="email"
+                value={createEmail}
+                onChange={(e) => setCreateEmail(e.target.value)}
+                placeholder="user@example.com"
+                disabled={isCreating}
+              />
+            </div>
+
+            <div className="admin-users-form-group admin-users-checkbox-group">
+              <label className="admin-users-checkbox-label">
+                <input
+                  type="checkbox"
+                  checked={createIsAdmin}
+                  onChange={(e) => setCreateIsAdmin(e.target.checked)}
+                  disabled={isCreating}
+                />
+                <span className="admin-users-checkbox-custom"></span>
+                Grant admin privileges
+              </label>
+            </div>
+
+            <div className="admin-users-form-actions">
+              <button
+                type="button"
+                className="admin-users-cancel-button"
+                onClick={() => {
+                  setShowCreateForm(false);
+                  setCreateUsername('');
+                  setCreatePassword('');
+                  setCreateEmail('');
+                  setCreateIsAdmin(false);
+                  setCreateError(null);
+                }}
+                disabled={isCreating}
+              >
+                Cancel
+              </button>
+              <button
+                type="submit"
+                className="admin-users-submit-button"
+                disabled={isCreating || !createUsername.trim() || !createPassword.trim()}
+              >
+                {isCreating ? (
+                  <>
+                    <span className="admin-users-button-spinner"></span>
+                    Creating...
+                  </>
+                ) : (
+                  'Create User'
+                )}
+              </button>
+            </div>
+          </form>
+        </div>
+      )}
+
+      {resetPasswordUsername && (
+        <div className="admin-users-reset-password-card">
+          <div className="admin-users-reset-password-header">
+            <h2>Reset Password</h2>
+            <button
+              className="admin-users-create-form-close"
+              onClick={() => {
+                setResetPasswordUsername(null);
+                setNewPassword('');
+              }}
+            >
+              <svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+                <line x1="18" y1="6" x2="6" y2="18"/>
+                <line x1="6" y1="6" x2="18" y2="18"/>
+              </svg>
+            </button>
+          </div>
+          <p className="admin-users-reset-password-info">
+            Set a new password for <strong>{resetPasswordUsername}</strong>
+          </p>
+          <form onSubmit={handleResetPassword} className="admin-users-reset-password-form">
+            <div className="admin-users-form-group">
+              <label htmlFor="new-password">New Password</label>
+              <input
+                id="new-password"
+                type="password"
+                value={newPassword}
+                onChange={(e) => setNewPassword(e.target.value)}
+                placeholder="Enter new password"
+                autoFocus
+                disabled={isResetting}
+              />
+            </div>
+            <div className="admin-users-form-actions">
+              <button
+                type="button"
+                className="admin-users-cancel-button"
+                onClick={() => {
+                  setResetPasswordUsername(null);
+                  setNewPassword('');
+                }}
+                disabled={isResetting}
+              >
+                Cancel
+              </button>
+              <button
+                type="submit"
+                className="admin-users-submit-button"
+                disabled={isResetting || !newPassword.trim()}
+              >
+                {isResetting ? (
+                  <>
+                    <span className="admin-users-button-spinner"></span>
+                    Resetting...
+                  </>
+                ) : (
+                  'Reset Password'
+                )}
+              </button>
+            </div>
+          </form>
+        </div>
+      )}
+
+      <div className="admin-users-list-container">
+        {loading ? (
+          <div className="admin-users-list-loading">
+            <div className="admin-users-spinner"></div>
+            <span>Loading users...</span>
+          </div>
+        ) : users.length === 0 ? (
+          <div className="admin-users-empty">
+            <div className="admin-users-empty-icon">
+              <svg width="48" height="48" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="1.5">
+                <path d="M17 21v-2a4 4 0 0 0-4-4H5a4 4 0 0 0-4 4v2"/>
+                <circle cx="9" cy="7" r="4"/>
+                <path d="M23 21v-2a4 4 0 0 0-3-3.87"/>
+                <path d="M16 3.13a4 4 0 0 1 0 7.75"/>
+              </svg>
+            </div>
+            <h3>No Users</h3>
+            <p>Create a user to get started</p>
+          </div>
+        ) : (
+          <div className="admin-users-list">
+            <div className="admin-users-list-header">
+              <span className="admin-users-col-user">User</span>
+              <span className="admin-users-col-status">Status</span>
+              <span className="admin-users-col-created">Created</span>
+              <span className="admin-users-col-login">Last Login</span>
+              <span className="admin-users-col-actions">Actions</span>
+            </div>
+            {users.map((u) => (
+              <div key={u.id} className={`admin-users-list-item ${!u.is_active ? 'admin-users-inactive' : ''}`}>
+                <div className="admin-users-col-user">
+                  <div className="admin-users-item-avatar">
+                    {u.username.charAt(0).toUpperCase()}
+                  </div>
+                  <div className="admin-users-item-info">
+                    <div className="admin-users-item-username">
+                      {u.username}
+                      {u.is_admin && <span className="admin-users-admin-badge">Admin</span>}
+                    </div>
+                    {u.email && (
+                      <div className="admin-users-item-email">{u.email}</div>
+                    )}
+                  </div>
+                </div>
+                <div className="admin-users-col-status">
+                  <span className={`admin-users-status-badge ${u.is_active ? 'active' : 'inactive'}`}>
+                    {u.is_active ? 'Active' : 'Disabled'}
+                  </span>
+                </div>
+                <div className="admin-users-col-created">
+                  {formatDate(u.created_at)}
+                </div>
+                <div className="admin-users-col-login">
+                  {formatDate(u.last_login)}
+                </div>
+                <div className="admin-users-col-actions">
+                  <div className="admin-users-actions-menu">
+                    <button
+                      className="admin-users-action-button"
+                      onClick={() => handleToggleAdmin(u)}
+                      disabled={togglingUser === u.username || u.username === user.username}
+                      title={u.is_admin ? 'Remove admin' : 'Make admin'}
+                    >
+                      {togglingUser === u.username ? (
+                        <span className="admin-users-action-spinner"></span>
+                      ) : (
+                        <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+                          <path d="M12 22s8-4 8-10V5l-8-3-8 3v7c0 6 8 10 8 10z"/>
+                        </svg>
+                      )}
+                      {u.is_admin ? 'Revoke' : 'Admin'}
+                    </button>
+                    <button
+                      className="admin-users-action-button"
+                      onClick={() => handleToggleActive(u)}
+                      disabled={togglingUser === u.username || u.username === user.username}
+                      title={u.is_active ? 'Disable user' : 'Enable user'}
+                    >
+                      {togglingUser === u.username ? (
+                        <span className="admin-users-action-spinner"></span>
+                      ) : u.is_active ? (
+                        <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+                          <circle cx="12" cy="12" r="10"/>
+                          <line x1="4.93" y1="4.93" x2="19.07" y2="19.07"/>
+                        </svg>
+                      ) : (
+                        <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+                          <path d="M22 11.08V12a10 10 0 1 1-5.93-9.14"/>
+                          <polyline points="22 4 12 14.01 9 11.01"/>
+                        </svg>
+                      )}
+                      {u.is_active ? 'Disable' : 'Enable'}
+                    </button>
+                    <button
+                      className="admin-users-action-button"
+                      onClick={() => setResetPasswordUsername(u.username)}
+                      disabled={togglingUser === u.username}
+                      title="Reset password"
+                    >
+                      <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+                        <rect x="3" y="11" width="18" height="11" rx="2" ry="2"/>
+                        <path d="M7 11V7a5 5 0 0 1 10 0v4"/>
+                      </svg>
+                      Reset
+                    </button>
+                  </div>
+                </div>
+              </div>
+            ))}
+          </div>
+        )}
+      </div>
+    </div>
+  );
+}
+
+export default AdminUsersPage;

frontend/src/pages/LoginPage.css

@@ -0,0 +1,231 @@
+/* Login Page - Full viewport centered layout */
+.login-page {
+  min-height: 100vh;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  background: var(--bg-primary);
+  padding: 24px;
+  position: relative;
+  overflow: hidden;
+}
+
+/* Subtle background pattern */
+.login-page::before {
+  content: '';
+  position: absolute;
+  inset: 0;
+  background: 
+    radial-gradient(circle at 20% 50%, rgba(16, 185, 129, 0.08) 0%, transparent 50%),
+    radial-gradient(circle at 80% 50%, rgba(16, 185, 129, 0.05) 0%, transparent 50%);
+  pointer-events: none;
+}
+
+.login-container {
+  width: 100%;
+  max-width: 400px;
+  position: relative;
+  z-index: 1;
+}
+
+/* Card styling */
+.login-card {
+  background: var(--bg-secondary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-xl);
+  padding: 40px;
+  box-shadow: var(--shadow-lg);
+}
+
+/* Header section */
+.login-header {
+  text-align: center;
+  margin-bottom: 32px;
+}
+
+.login-logo {
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  width: 80px;
+  height: 80px;
+  background: var(--accent-gradient);
+  border-radius: var(--radius-lg);
+  color: white;
+  margin-bottom: 24px;
+  box-shadow: var(--shadow-glow);
+}
+
+.login-header h1 {
+  font-size: 1.5rem;
+  font-weight: 600;
+  color: var(--text-primary);
+  margin-bottom: 8px;
+  letter-spacing: -0.02em;
+}
+
+.login-subtitle {
+  color: var(--text-tertiary);
+  font-size: 0.875rem;
+}
+
+/* Error message */
+.login-error {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  background: var(--error-bg);
+  border: 1px solid rgba(239, 68, 68, 0.2);
+  color: var(--error);
+  padding: 12px 16px;
+  border-radius: var(--radius-md);
+  margin-bottom: 24px;
+  font-size: 0.875rem;
+}
+
+.login-error svg {
+  flex-shrink: 0;
+}
+
+/* Form styling */
+.login-form {
+  display: flex;
+  flex-direction: column;
+  gap: 20px;
+}
+
+.login-form-group {
+  display: flex;
+  flex-direction: column;
+  gap: 8px;
+}
+
+.login-form-group label {
+  font-size: 0.875rem;
+  font-weight: 500;
+  color: var(--text-secondary);
+}
+
+.login-form-group input {
+  width: 100%;
+  padding: 14px 16px;
+  background: var(--bg-tertiary);
+  border: 1px solid var(--border-primary);
+  border-radius: var(--radius-md);
+  font-size: 0.9375rem;
+  color: var(--text-primary);
+  transition: all var(--transition-fast);
+}
+
+.login-form-group input::placeholder {
+  color: var(--text-muted);
+}
+
+.login-form-group input:hover:not(:disabled) {
+  border-color: var(--border-secondary);
+  background: var(--bg-elevated);
+}
+
+.login-form-group input:focus {
+  outline: none;
+  border-color: var(--accent-primary);
+  box-shadow: 0 0 0 3px rgba(16, 185, 129, 0.15);
+  background: var(--bg-elevated);
+}
+
+.login-form-group input:disabled {
+  opacity: 0.6;
+  cursor: not-allowed;
+}
+
+/* Submit button */
+.login-submit {
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  gap: 10px;
+  width: 100%;
+  padding: 14px 20px;
+  background: var(--accent-gradient);
+  border: none;
+  border-radius: var(--radius-md);
+  font-size: 0.9375rem;
+  font-weight: 500;
+  color: white;
+  cursor: pointer;
+  transition: all var(--transition-fast);
+  margin-top: 8px;
+  box-shadow: var(--shadow-sm), 0 0 20px rgba(16, 185, 129, 0.2);
+}
+
+.login-submit:hover:not(:disabled) {
+  transform: translateY(-1px);
+  box-shadow: var(--shadow-md), 0 0 30px rgba(16, 185, 129, 0.3);
+}
+
+.login-submit:active:not(:disabled) {
+  transform: translateY(0);
+}
+
+.login-submit:disabled {
+  opacity: 0.7;
+  cursor: not-allowed;
+  transform: none;
+}
+
+/* Loading spinner */
+.login-spinner {
+  width: 16px;
+  height: 16px;
+  border: 2px solid rgba(255, 255, 255, 0.3);
+  border-top-color: white;
+  border-radius: 50%;
+  animation: spin 0.6s linear infinite;
+}
+
+@keyframes spin {
+  to {
+    transform: rotate(360deg);
+  }
+}
+
+/* Loading state */
+.login-loading {
+  text-align: center;
+  padding: 64px 32px;
+  color: var(--text-tertiary);
+  font-size: 0.9375rem;
+}
+
+/* Footer */
+.login-footer {
+  text-align: center;
+  margin-top: 24px;
+  padding-top: 24px;
+}
+
+.login-footer p {
+  color: var(--text-muted);
+  font-size: 0.8125rem;
+}
+
+/* Responsive adjustments */
+@media (max-width: 480px) {
+  .login-card {
+    padding: 32px 24px;
+  }
+
+  .login-logo {
+    width: 64px;
+    height: 64px;
+  }
+
+  .login-logo svg {
+    width: 36px;
+    height: 36px;
+  }
+
+  .login-header h1 {
+    font-size: 1.25rem;
+  }
+}

frontend/src/pages/LoginPage.tsx

@@ -0,0 +1,142 @@
+import { useState, useEffect } from 'react';
+import { useNavigate, useLocation } from 'react-router-dom';
+import { useAuth } from '../contexts/AuthContext';
+import './LoginPage.css';
+
+function LoginPage() {
+  const [username, setUsername] = useState('');
+  const [password, setPassword] = useState('');
+  const [isSubmitting, setIsSubmitting] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+
+  const { user, login, loading: authLoading } = useAuth();
+  const navigate = useNavigate();
+  const location = useLocation();
+
+  // Get the return URL from location state, default to home
+  const from = (location.state as { from?: string })?.from || '/';
+
+  // Redirect if already logged in
+  useEffect(() => {
+    if (user && !authLoading) {
+      navigate(from, { replace: true });
+    }
+  }, [user, authLoading, navigate, from]);
+
+  async function handleSubmit(e: React.FormEvent) {
+    e.preventDefault();
+    
+    if (!username.trim() || !password) {
+      setError('Please enter both username and password');
+      return;
+    }
+
+    setIsSubmitting(true);
+    setError(null);
+
+    try {
+      await login(username, password);
+      navigate(from, { replace: true });
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Login failed. Please try again.');
+    } finally {
+      setIsSubmitting(false);
+    }
+  }
+
+  // Show loading while checking auth state
+  if (authLoading) {
+    return (
+      <div className="login-page">
+        <div className="login-container">
+          <div className="login-loading">Checking session...</div>
+        </div>
+      </div>
+    );
+  }
+
+  return (
+    <div className="login-page">
+      <div className="login-container">
+        <div className="login-card">
+          <div className="login-header">
+            <div className="login-logo">
+              <svg width="48" height="48" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+                <path d="M6 14 Q6 8 3 8 Q6 4 6 4 Q6 4 9 8 Q6 8 6 14" fill="currentColor" opacity="0.6"/>
+                <rect x="5.25" y="13" width="1.5" height="4" fill="currentColor" opacity="0.6"/>
+                <path d="M12 12 Q12 5 8 5 Q12 1 12 1 Q12 1 16 5 Q12 5 12 12" fill="currentColor"/>
+                <rect x="11.25" y="11" width="1.5" height="5" fill="currentColor"/>
+                <path d="M18 14 Q18 8 15 8 Q18 4 18 4 Q18 4 21 8 Q18 8 18 14" fill="currentColor" opacity="0.6"/>
+                <rect x="17.25" y="13" width="1.5" height="4" fill="currentColor" opacity="0.6"/>
+                <ellipse cx="12" cy="19" rx="9" ry="1.5" fill="currentColor" opacity="0.3"/>
+              </svg>
+            </div>
+            <h1>Sign in to Orchard</h1>
+            <p className="login-subtitle">Content-Addressable Storage</p>
+          </div>
+
+          {error && (
+            <div className="login-error">
+              <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+                <circle cx="12" cy="12" r="10"/>
+                <line x1="12" y1="8" x2="12" y2="12"/>
+                <line x1="12" y1="16" x2="12.01" y2="16"/>
+              </svg>
+              <span>{error}</span>
+            </div>
+          )}
+
+          <form onSubmit={handleSubmit} className="login-form">
+            <div className="login-form-group">
+              <label htmlFor="username">Username</label>
+              <input
+                id="username"
+                type="text"
+                value={username}
+                onChange={(e) => setUsername(e.target.value)}
+                placeholder="Enter your username"
+                autoComplete="username"
+                autoFocus
+                disabled={isSubmitting}
+              />
+            </div>
+
+            <div className="login-form-group">
+              <label htmlFor="password">Password</label>
+              <input
+                id="password"
+                type="password"
+                value={password}
+                onChange={(e) => setPassword(e.target.value)}
+                placeholder="Enter your password"
+                autoComplete="current-password"
+                disabled={isSubmitting}
+              />
+            </div>
+
+            <button
+              type="submit"
+              className="login-submit"
+              disabled={isSubmitting}
+            >
+              {isSubmitting ? (
+                <>
+                  <span className="login-spinner"></span>
+                  Signing in...
+                </>
+              ) : (
+                'Sign in'
+              )}
+            </button>
+          </form>
+        </div>
+
+        <div className="login-footer">
+          <p>Artifact storage and management system</p>
+        </div>
+      </div>
+    </div>
+  );
+}
+
+export default LoginPage;

frontend/src/types.ts

@@ -225,3 +225,67 @@ export interface CrossProjectStats {
   bytes_saved_cross_project: number;
   duplicates: CrossProjectDuplicate[];
 }
+
+// Auth types
+export interface User {
+  id: string;
+  username: string;
+  display_name: string | null;
+  is_admin: boolean;
+}
+
+export interface LoginCredentials {
+  username: string;
+  password: string;
+}
+
+// API Key types
+export interface APIKey {
+  id: string;
+  name: string;
+  description: string | null;
+  scopes: string[];
+  created_at: string;
+  expires_at: string | null;
+  last_used: string | null;
+}
+
+export interface APIKeyCreate {
+  name: string;
+  description?: string;
+}
+
+export interface APIKeyCreateResponse {
+  id: string;
+  name: string;
+  description: string | null;
+  scopes: string[];
+  key: string;
+  created_at: string;
+  expires_at: string | null;
+}
+
+// Admin User Management types
+export interface AdminUser {
+  id: string;
+  username: string;
+  email: string | null;
+  display_name: string | null;
+  is_admin: boolean;
+  is_active: boolean;
+  created_at: string;
+  last_login: string | null;
+}
+
+export interface UserCreate {
+  username: string;
+  password: string;
+  email?: string;
+  is_admin?: boolean;
+}
+
+export interface UserUpdate {
+  email?: string;
+  is_admin?: boolean;
+  is_active?: boolean;
+}