From d332630267bae303cf3c9a90fd018b0dc26cd6e0 Mon Sep 17 00:00:00 2001
From: pptx704 <rafeed@omukk.dev>
Date: Wed, 15 Apr 2026 03:36:37 +0600
Subject: [PATCH 1/2] Add admin teams management page

Admin panel now includes a Teams page with paginated listing of all teams
(including soft-deleted), BYOC enable with confirmation dialog, and team
deletion with active capsule warnings. Shows member count, owner info,
active capsules, and channel count per team.
---
 db/queries/teams.sql                          |  25 +
 frontend/src/lib/api/team.ts                  |  36 ++
 .../src/lib/components/AdminSidebar.svelte    |   6 +-
 frontend/src/routes/admin/teams/+page.svelte  | 509 ++++++++++++++++++
 internal/api/handlers_team.go                 |  85 +++
 internal/api/server.go                        |   2 +
 internal/db/teams.sql.go                      |  85 +++
 internal/service/team.go                      | 106 ++++
 8 files changed, 852 insertions(+), 2 deletions(-)
 create mode 100644 frontend/src/routes/admin/teams/+page.svelte

diff --git a/db/queries/teams.sql b/db/queries/teams.sql
index 2117e95..d94341d 100644
--- a/db/queries/teams.sql
+++ b/db/queries/teams.sql
@@ -53,3 +53,28 @@ UPDATE users_teams SET role = $3 WHERE team_id = $1 AND user_id = $2;
 
 -- name: DeleteTeamMember :exec
 DELETE FROM users_teams WHERE team_id = $1 AND user_id = $2;
+
+-- name: ListTeamsAdmin :many
+SELECT
+    t.id,
+    t.name,
+    t.slug,
+    t.is_byoc,
+    t.created_at,
+    t.deleted_at,
+    (SELECT COUNT(*) FROM users_teams ut WHERE ut.team_id = t.id)::int AS member_count,
+    COALESCE(owner_u.name, '') AS owner_name,
+    COALESCE(owner_u.email, '') AS owner_email,
+    (SELECT COUNT(*) FROM sandboxes s WHERE s.team_id = t.id AND s.status IN ('running', 'paused', 'starting'))::int AS active_sandbox_count,
+    (SELECT COUNT(*) FROM channels c WHERE c.team_id = t.id)::int AS channel_count
+FROM teams t
+LEFT JOIN users_teams owner_ut ON owner_ut.team_id = t.id AND owner_ut.role = 'owner'
+LEFT JOIN users owner_u ON owner_u.id = owner_ut.user_id
+WHERE t.id != '00000000-0000-0000-0000-000000000000'
+ORDER BY t.deleted_at ASC NULLS FIRST, t.created_at DESC
+LIMIT $1 OFFSET $2;
+
+-- name: CountTeamsAdmin :one
+SELECT COUNT(*)::int AS total
+FROM teams
+WHERE id != '00000000-0000-0000-0000-000000000000';
diff --git a/frontend/src/lib/api/team.ts b/frontend/src/lib/api/team.ts
index 0ffc4ed..2cebb8e 100644
--- a/frontend/src/lib/api/team.ts
+++ b/frontend/src/lib/api/team.ts
@@ -83,3 +83,39 @@ export async function leaveTeam(id: string): Promise<ApiResult<void>> {
 export async function searchUsers(email: string): Promise<ApiResult<UserSearchResult[]>> {
 	return apiFetch('GET', `/api/v1/users/search?email=${encodeURIComponent(email)}`);
 }
+
+// Admin team types and API functions
+
+export type AdminTeam = {
+	id: string;
+	name: string;
+	slug: string;
+	is_byoc: boolean;
+	created_at: string;
+	deleted_at: string | null;
+	member_count: number;
+	owner_name: string;
+	owner_email: string;
+	active_sandbox_count: number;
+	channel_count: number;
+};
+
+export type AdminTeamsResponse = {
+	teams: AdminTeam[];
+	total: number;
+	page: number;
+	per_page: number;
+	total_pages: number;
+};
+
+export async function listAdminTeams(page: number = 1): Promise<ApiResult<AdminTeamsResponse>> {
+	return apiFetch('GET', `/api/v1/admin/teams?page=${page}`);
+}
+
+export async function adminSetBYOC(id: string, enabled: boolean): Promise<ApiResult<void>> {
+	return apiFetch('PUT', `/api/v1/admin/teams/${id}/byoc`, { enabled });
+}
+
+export async function adminDeleteTeam(id: string): Promise<ApiResult<void>> {
+	return apiFetch('DELETE', `/api/v1/admin/teams/${id}`);
+}
diff --git a/frontend/src/lib/components/AdminSidebar.svelte b/frontend/src/lib/components/AdminSidebar.svelte
index 2b55db6..3ea8a7b 100644
--- a/frontend/src/lib/components/AdminSidebar.svelte
+++ b/frontend/src/lib/components/AdminSidebar.svelte
@@ -11,7 +11,8 @@
 		IconBell,
 		IconDocs,
 		IconChevron,
-		IconShield
+		IconShield,
+		IconMembers
 	} from './icons';
 
 	let { collapsed = $bindable(false) }: { collapsed: boolean } = $props();
@@ -25,7 +26,8 @@
 	const managementItems: NavItem[] = [
 		{ label: 'Templates', icon: IconBox, href: '/admin/templates' },
 		{ label: 'Capsules', icon: IconMonitor, href: '/admin/capsules' },
-		{ label: 'Hosts', icon: IconServer, href: '/admin/hosts' }
+		{ label: 'Hosts', icon: IconServer, href: '/admin/hosts' },
+		{ label: 'Teams', icon: IconMembers, href: '/admin/teams' }
 	];
 
 	function isActive(href: string): boolean {
diff --git a/frontend/src/routes/admin/teams/+page.svelte b/frontend/src/routes/admin/teams/+page.svelte
new file mode 100644
index 0000000..7c1394b
--- /dev/null
+++ b/frontend/src/routes/admin/teams/+page.svelte
@@ -0,0 +1,509 @@
+<script lang="ts">
+	import AdminSidebar from '$lib/components/AdminSidebar.svelte';
+	import { onMount } from 'svelte';
+	import { toast } from '$lib/toast.svelte';
+	import { formatDate } from '$lib/utils/format';
+	import {
+		listAdminTeams,
+		adminSetBYOC,
+		adminDeleteTeam,
+		type AdminTeam,
+		type AdminTeamsResponse
+	} from '$lib/api/team';
+
+	let collapsed = $state(
+		typeof window !== 'undefined'
+			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
+			: false
+	);
+
+	// Data state
+	let teams = $state<AdminTeam[]>([]);
+	let loading = $state(true);
+	let error = $state<string | null>(null);
+	let currentPage = $state(1);
+	let totalPages = $state(1);
+	let totalTeams = $state(0);
+
+	// Delete state
+	let deleteTarget = $state<AdminTeam | null>(null);
+	let deleting = $state(false);
+	let deleteError = $state<string | null>(null);
+
+	// BYOC toggle state
+	let byocTarget = $state<AdminTeam | null>(null);
+	let enablingByoc = $state(false);
+	let byocError = $state<string | null>(null);
+
+	// Animation
+	let initialAnimationDone = $state(false);
+
+	// Stats
+	let byocCount = $derived(teams.filter((t) => t.is_byoc).length);
+	let totalActiveSandboxes = $derived(teams.reduce((sum, t) => sum + t.active_sandbox_count, 0));
+
+	async function fetchTeams(page: number = 1) {
+		const wasEmpty = teams.length === 0;
+		if (wasEmpty) loading = true;
+		error = null;
+
+		const result = await listAdminTeams(page);
+		if (result.ok) {
+			teams = result.data.teams;
+			currentPage = result.data.page;
+			totalPages = result.data.total_pages;
+			totalTeams = result.data.total;
+		} else {
+			error = result.error;
+		}
+		loading = false;
+
+		if (!initialAnimationDone) {
+			setTimeout(() => { initialAnimationDone = true; }, 400 + (teams.length * 30));
+		}
+	}
+
+	async function handleEnableBYOC() {
+		if (!byocTarget) return;
+		enablingByoc = true;
+		byocError = null;
+
+		const result = await adminSetBYOC(byocTarget.id, true);
+		if (result.ok) {
+			byocTarget.is_byoc = true;
+			toast.success(`BYOC enabled for ${byocTarget.name}`);
+			byocTarget = null;
+		} else {
+			byocError = result.error;
+		}
+		enablingByoc = false;
+	}
+
+	async function handleDelete() {
+		if (!deleteTarget) return;
+		deleting = true;
+		deleteError = null;
+		const name = deleteTarget.name;
+		const result = await adminDeleteTeam(deleteTarget.id);
+		if (result.ok) {
+			teams = teams.filter((t) => t.id !== deleteTarget!.id);
+			totalTeams--;
+			deleteTarget = null;
+			toast.success(`Team "${name}" deleted`);
+		} else {
+			deleteError = result.error;
+		}
+		deleting = false;
+	}
+
+	function goToPage(page: number) {
+		if (page < 1 || page > totalPages) return;
+		fetchTeams(page);
+	}
+
+	onMount(() => {
+		fetchTeams();
+	});
+</script>
+
+<svelte:head>
+	<title>Wrenn Admin — Teams</title>
+</svelte:head>
+
+<style>
+	.team-grid {
+		display: grid;
+		grid-template-columns: 1.4fr 0.5fr 1.4fr 0.6fr 0.6fr 0.5fr 1fr 0.5fr;
+	}
+
+	.stat-pill {
+		display: flex;
+		align-items: baseline;
+		gap: 6px;
+		border-radius: var(--radius-button);
+		border-width: 1px;
+		padding: 6px 12px;
+		transition: transform 0.15s ease, box-shadow 0.15s ease;
+	}
+	.stat-pill:hover {
+		transform: translateY(-1px);
+		box-shadow: 0 2px 8px rgba(0, 0, 0, 0.25);
+	}
+
+	.row-stripe {
+		transform: scaleY(0);
+		transform-origin: center;
+		transition: transform 0.18s cubic-bezier(0.25, 1, 0.5, 1);
+	}
+	.team-row:hover .row-stripe {
+		transform: scaleY(1);
+	}
+
+	@keyframes fadeUp {
+		from { opacity: 0; transform: translateY(10px); }
+		to { opacity: 1; transform: translateY(0); }
+	}
+</style>
+
+<div class="flex h-screen overflow-hidden bg-[var(--color-bg-0)]">
+	<AdminSidebar bind:collapsed />
+
+	<main class="flex min-w-0 flex-1 flex-col overflow-hidden">
+		<!-- Header -->
+		<header class="relative shrink-0 border-b border-[var(--color-border)] bg-[var(--color-bg-1)]">
+			<div class="absolute inset-0 bg-gradient-to-b from-[var(--color-accent)]/[0.02] to-transparent pointer-events-none"></div>
+
+			<div class="relative flex items-start justify-between px-8 pt-7 pb-5">
+				<div>
+					<h1 class="font-serif text-page leading-none tracking-[-0.03em] text-[var(--color-text-bright)]">
+						Teams
+					</h1>
+					<p class="mt-2 text-ui text-[var(--color-text-tertiary)]">
+						All registered teams, BYOC status, and active capsules.
+					</p>
+				</div>
+			</div>
+
+			<!-- Stat strip -->
+			{#if !loading && !error}
+				<div class="relative flex items-center gap-3 px-8 pb-5">
+					<div class="stat-pill border-[var(--color-border)] bg-[var(--color-bg-2)]">
+						<span class="font-mono text-body font-bold tabular-nums text-[var(--color-text-bright)]">{totalTeams}</span>
+						<span class="text-label text-[var(--color-text-muted)]">team{totalTeams !== 1 ? 's' : ''}</span>
+					</div>
+					{#if byocCount > 0}
+						<div class="stat-pill border-[var(--color-accent)]/25 bg-[var(--color-accent)]/8">
+							<span class="font-mono text-body font-bold tabular-nums text-[var(--color-accent-bright)]">{byocCount}</span>
+							<span class="text-label text-[var(--color-accent-bright)]/70">BYOC</span>
+						</div>
+					{/if}
+					{#if totalActiveSandboxes > 0}
+						<div class="stat-pill border-[var(--color-accent)]/25 bg-[var(--color-accent)]/8 gap-2">
+							<span class="relative flex h-2 w-2 shrink-0">
+								<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)] opacity-60"></span>
+								<span class="relative inline-flex h-2 w-2 rounded-full bg-[var(--color-accent)]"></span>
+							</span>
+							<span class="font-mono text-body font-bold tabular-nums text-[var(--color-accent-bright)]">{totalActiveSandboxes}</span>
+							<span class="text-label text-[var(--color-accent-bright)]/70">active</span>
+						</div>
+					{/if}
+				</div>
+			{/if}
+		</header>
+
+		<!-- Content -->
+		<div class="flex-1 overflow-y-auto px-8 py-6" style="animation: fadeUp 0.35s ease both">
+			{#if error}
+				<div class="mb-4 flex items-start gap-3 rounded-[var(--radius-card)] border border-[var(--color-red)]/30 bg-[var(--color-red)]/5 px-4 py-3">
+					<svg class="mt-0.5 shrink-0 text-[var(--color-red)]" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+						<circle cx="12" cy="12" r="10" /><line x1="12" y1="8" x2="12" y2="12" /><line x1="12" y1="16" x2="12.01" y2="16" />
+					</svg>
+					<span class="text-ui text-[var(--color-red)]">{error}. Try refreshing the page.</span>
+				</div>
+			{/if}
+
+			<!-- Table -->
+			<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] overflow-hidden">
+				<!-- Header row -->
+				<div class="team-grid rounded-t-[var(--radius-card)] border-b border-[var(--color-border)] bg-[var(--color-bg-3)]">
+					<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Name</div>
+					<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Members</div>
+					<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Owner</div>
+					<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">BYOC</div>
+					<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Capsules</div>
+					<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Channels</div>
+					<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Created</div>
+					<div class="px-5 py-3 text-right text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Actions</div>
+				</div>
+
+				{#if loading && teams.length === 0}
+					<div class="flex items-center justify-center py-16">
+						<div class="flex items-center gap-3 text-ui text-[var(--color-text-secondary)]">
+							<svg class="animate-spin" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
+								<path d="M21 12a9 9 0 1 1-6.219-8.56" />
+							</svg>
+							Loading teams...
+						</div>
+					</div>
+				{:else if teams.length === 0}
+					<div class="flex flex-col items-center justify-center py-[72px]">
+						<div class="relative mb-5">
+							<div class="absolute inset-0 -m-4 rounded-full" style="background: radial-gradient(circle, rgba(94,140,88,0.08) 0%, transparent 70%)"></div>
+							<div class="relative flex h-14 w-14 items-center justify-center rounded-[var(--radius-card)] border border-[var(--color-accent)]/20 bg-[var(--color-bg-3)]">
+								<svg width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="var(--color-accent-mid)" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round">
+									<path d="M17 21v-2a4 4 0 0 0-4-4H5a4 4 0 0 0-4 4v2" /><circle cx="9" cy="7" r="4" /><path d="M23 21v-2a4 4 0 0 0-3-3.87" /><path d="M16 3.13a4 4 0 0 1 0 7.75" />
+								</svg>
+							</div>
+						</div>
+						<p class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">
+							No teams yet
+						</p>
+						<p class="mt-1.5 text-ui text-[var(--color-text-tertiary)]">
+							Teams are created when users sign up.
+						</p>
+					</div>
+				{:else}
+					{#each teams as team, i (team.id)}
+						{@const isDeleted = !!team.deleted_at}
+						<div
+							class="team-row team-grid relative items-center overflow-hidden border-b border-[var(--color-border)] transition-colors duration-150 last:border-b-0 {isDeleted ? 'opacity-50' : 'hover:bg-[var(--color-bg-3)]'}"
+							style={initialAnimationDone ? '' : `animation: fadeUp 0.35s ease both; animation-delay: ${i * 30}ms`}
+						>
+							<!-- Left accent stripe -->
+							{#if !isDeleted}
+								<div class="row-stripe pointer-events-none absolute left-0 top-0 h-full w-0.5 bg-[var(--color-accent)]"></div>
+							{/if}
+
+							<!-- Name -->
+							<div class="min-w-0 px-5 py-4">
+								<div class="flex items-center gap-2">
+									<span class="block truncate text-ui font-medium text-[var(--color-text-bright)]">{team.name}</span>
+									{#if isDeleted}
+										<span class="inline-flex shrink-0 items-center rounded-full border border-[var(--color-red)]/30 bg-[var(--color-red)]/10 px-2 py-0.5 text-[10px] font-semibold uppercase tracking-[0.05em] text-[var(--color-red)]">
+											Deleted
+										</span>
+									{/if}
+								</div>
+								<span class="block truncate font-mono text-label text-[var(--color-text-muted)]">{team.slug}</span>
+							</div>
+
+							<!-- Members -->
+							<div class="px-5 py-4">
+								<span class="font-mono text-ui text-[var(--color-text-secondary)]">{team.member_count}</span>
+							</div>
+
+							<!-- Owner -->
+							<div class="min-w-0 px-5 py-4">
+								{#if team.owner_name || team.owner_email}
+									<span class="block truncate text-ui text-[var(--color-text-secondary)]">{team.owner_name || '\u2014'}</span>
+									<span class="block truncate font-mono text-label text-[var(--color-text-muted)]">{team.owner_email}</span>
+								{:else}
+									<span class="text-ui text-[var(--color-text-muted)]">&mdash;</span>
+								{/if}
+							</div>
+
+							<!-- BYOC -->
+							<div class="px-5 py-4">
+								{#if team.is_byoc}
+									<span class="inline-flex items-center gap-1.5 rounded-full border border-[var(--color-accent)]/30 bg-[var(--color-accent)]/10 px-2.5 py-1 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-accent-bright)]">
+										Enabled
+									</span>
+								{:else if !isDeleted}
+									<button
+										onclick={() => { byocTarget = team; byocError = null; }}
+										class="inline-flex items-center gap-1.5 rounded-full border border-[var(--color-border)] bg-transparent px-2.5 py-1 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)] transition-all duration-150 hover:border-[var(--color-accent)]/40 hover:text-[var(--color-accent-mid)]"
+									>
+										Enable
+									</button>
+								{:else}
+									<span class="text-ui text-[var(--color-text-muted)]">&mdash;</span>
+								{/if}
+							</div>
+
+							<!-- Capsules -->
+							<div class="px-5 py-4">
+								{#if team.active_sandbox_count > 0}
+									<span class="flex items-center gap-1.5">
+										<span class="relative flex h-[6px] w-[6px] shrink-0">
+											<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+											<span class="relative inline-flex h-[6px] w-[6px] rounded-full bg-[var(--color-accent)]"></span>
+										</span>
+										<span class="font-mono text-ui text-[var(--color-accent-bright)]">{team.active_sandbox_count}</span>
+									</span>
+								{:else}
+									<span class="font-mono text-ui text-[var(--color-text-muted)]">0</span>
+								{/if}
+							</div>
+
+							<!-- Channels -->
+							<div class="px-5 py-4">
+								<span class="font-mono text-ui text-[var(--color-text-secondary)]">{team.channel_count}</span>
+							</div>
+
+							<!-- Created -->
+							<div class="px-5 py-4">
+								<span class="text-ui text-[var(--color-text-secondary)]">{formatDate(team.created_at)}</span>
+							</div>
+
+							<!-- Actions -->
+							<div class="flex items-center justify-end px-5 py-4">
+								{#if !isDeleted}
+									<button
+										onclick={() => { deleteTarget = team; deleteError = null; }}
+										class="rounded-[var(--radius-button)] border border-[var(--color-red)]/30 bg-[var(--color-red)]/8 px-3 py-1.5 text-meta font-medium text-[var(--color-red)] transition-all duration-150 hover:bg-[var(--color-red)]/15 hover:border-[var(--color-red)]/50"
+									>
+										Delete
+									</button>
+								{/if}
+							</div>
+						</div>
+					{/each}
+				{/if}
+			</div>
+
+			<!-- Pagination -->
+			{#if totalPages > 1}
+				<div class="mt-4 flex items-center justify-between">
+					<span class="text-ui text-[var(--color-text-tertiary)]">
+						Page <span class="font-mono text-[var(--color-text-secondary)]">{currentPage}</span> of <span class="font-mono text-[var(--color-text-secondary)]">{totalPages}</span>
+					</span>
+					<div class="flex items-center gap-2">
+						<button
+							onclick={() => goToPage(currentPage - 1)}
+							disabled={currentPage <= 1}
+							class="flex items-center gap-1.5 rounded-[var(--radius-button)] border border-[var(--color-border)] px-3 py-1.5 text-ui text-[var(--color-text-secondary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)] disabled:opacity-40 disabled:hover:border-[var(--color-border)] disabled:hover:text-[var(--color-text-secondary)]"
+						>
+							<svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><polyline points="15 18 9 12 15 6"/></svg>
+							Previous
+						</button>
+						<button
+							onclick={() => goToPage(currentPage + 1)}
+							disabled={currentPage >= totalPages}
+							class="flex items-center gap-1.5 rounded-[var(--radius-button)] border border-[var(--color-border)] px-3 py-1.5 text-ui text-[var(--color-text-secondary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)] disabled:opacity-40 disabled:hover:border-[var(--color-border)] disabled:hover:text-[var(--color-text-secondary)]"
+						>
+							Next
+							<svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><polyline points="9 18 15 12 9 6"/></svg>
+						</button>
+					</div>
+				</div>
+			{/if}
+		</div>
+
+		<!-- Status bar -->
+		<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-8">
+			<div class="flex items-center gap-1.5">
+				<span class="relative flex h-[5px] w-[5px]">
+					<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+					<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+				</span>
+				<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+			</div>
+		</footer>
+	</main>
+</div>
+
+<!-- BYOC confirmation dialog -->
+{#if byocTarget}
+	<div class="fixed inset-0 z-50 flex items-center justify-center">
+		<!-- svelte-ignore a11y_no_static_element_interactions -->
+		<div
+			class="absolute inset-0 bg-black/60"
+			onclick={() => { if (!enablingByoc) byocTarget = null; }}
+			onkeydown={(e) => { if (e.key === 'Escape' && !enablingByoc) byocTarget = null; }}
+		></div>
+		<div
+			class="relative w-full max-w-[420px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)]"
+			style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)"
+		>
+			<div class="p-6">
+				<h2 class="font-serif text-heading leading-tight tracking-[-0.02em] text-[var(--color-text-bright)]">
+					Enable BYOC
+				</h2>
+				<p class="mt-1.5 text-ui text-[var(--color-text-tertiary)]">
+					Allow <code class="rounded bg-[var(--color-bg-4)] px-1.5 py-0.5 font-mono text-[0.8rem] text-[var(--color-text-primary)]">{byocTarget.name}</code> to register and run capsules on their own hosts.
+				</p>
+
+				<div class="mt-3 flex items-start gap-2.5 rounded-[var(--radius-input)] border border-[var(--color-amber)]/30 bg-[var(--color-amber)]/5 px-3 py-2.5">
+					<svg class="mt-0.5 shrink-0 text-[var(--color-amber)]" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+						<path d="M10.29 3.86L1.82 18a2 2 0 0 0 1.71 3h16.94a2 2 0 0 0 1.71-3L13.71 3.86a2 2 0 0 0-3.42 0z" /><line x1="12" y1="9" x2="12" y2="13" /><line x1="12" y1="17" x2="12.01" y2="17" />
+					</svg>
+					<span class="text-meta text-[var(--color-amber)]">
+						BYOC cannot be disabled once enabled.
+					</span>
+				</div>
+
+				{#if byocError}
+					<div class="mt-3 rounded-[var(--radius-input)] border border-[var(--color-red)]/30 bg-[var(--color-red)]/5 px-3 py-2 text-meta text-[var(--color-red)]">
+						{byocError}
+					</div>
+				{/if}
+
+				<div class="mt-6 flex justify-end gap-3">
+					<button
+						onclick={() => (byocTarget = null)}
+						disabled={enablingByoc}
+						class="rounded-[var(--radius-button)] border border-[var(--color-border)] px-4 py-2 text-ui text-[var(--color-text-secondary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)] disabled:opacity-50"
+					>
+						Cancel
+					</button>
+					<button
+						onclick={handleEnableBYOC}
+						disabled={enablingByoc}
+						class="flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-accent)] px-5 py-2 text-ui font-semibold text-white transition-all duration-150 hover:brightness-110 hover:-translate-y-px active:translate-y-0 disabled:opacity-50 disabled:hover:translate-y-0"
+					>
+						{#if enablingByoc}
+							<svg class="animate-spin" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M21 12a9 9 0 1 1-6.219-8.56"/></svg>
+							Enabling...
+						{:else}
+							Enable BYOC
+						{/if}
+					</button>
+				</div>
+			</div>
+		</div>
+	</div>
+{/if}
+
+<!-- Delete confirmation dialog -->
+{#if deleteTarget}
+	<div class="fixed inset-0 z-50 flex items-center justify-center">
+		<!-- svelte-ignore a11y_no_static_element_interactions -->
+		<div
+			class="absolute inset-0 bg-black/60"
+			onclick={() => { if (!deleting) deleteTarget = null; }}
+			onkeydown={(e) => { if (e.key === 'Escape' && !deleting) deleteTarget = null; }}
+		></div>
+		<div
+			class="relative w-full max-w-[420px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)]"
+			style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)"
+		>
+			<div class="p-6">
+				<h2 class="font-serif text-heading leading-tight tracking-[-0.02em] text-[var(--color-text-bright)]">
+					Delete Team
+				</h2>
+				<p class="mt-1.5 text-ui text-[var(--color-text-tertiary)]">
+					Remove <code class="rounded bg-[var(--color-bg-4)] px-1.5 py-0.5 font-mono text-[0.8rem] text-[var(--color-text-primary)]">{deleteTarget.name}</code> and stop all its running capsules. Members will lose access immediately.
+				</p>
+
+				{#if deleteTarget.active_sandbox_count > 0}
+					<div class="mt-3 flex items-start gap-2.5 rounded-[var(--radius-input)] border border-[var(--color-amber)]/30 bg-[var(--color-amber)]/5 px-3 py-2.5">
+						<svg class="mt-0.5 shrink-0 text-[var(--color-amber)]" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+							<path d="M10.29 3.86L1.82 18a2 2 0 0 0 1.71 3h16.94a2 2 0 0 0 1.71-3L13.71 3.86a2 2 0 0 0-3.42 0z" /><line x1="12" y1="9" x2="12" y2="13" /><line x1="12" y1="17" x2="12.01" y2="17" />
+						</svg>
+						<span class="text-meta text-[var(--color-amber)]">
+							<strong class="font-semibold">{deleteTarget.active_sandbox_count}</strong> active capsule{deleteTarget.active_sandbox_count !== 1 ? 's' : ''} will be destroyed immediately.
+						</span>
+					</div>
+				{/if}
+
+				{#if deleteError}
+					<div class="mt-3 rounded-[var(--radius-input)] border border-[var(--color-red)]/30 bg-[var(--color-red)]/5 px-3 py-2 text-meta text-[var(--color-red)]">
+						{deleteError}
+					</div>
+				{/if}
+
+				<div class="mt-6 flex justify-end gap-3">
+					<button
+						onclick={() => (deleteTarget = null)}
+						disabled={deleting}
+						class="rounded-[var(--radius-button)] border border-[var(--color-border)] px-4 py-2 text-ui text-[var(--color-text-secondary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)] disabled:opacity-50"
+					>
+						Cancel
+					</button>
+					<button
+						onclick={handleDelete}
+						disabled={deleting}
+						class="flex items-center gap-2 rounded-[var(--radius-button)] bg-[var(--color-red)] px-5 py-2 text-ui font-semibold text-white transition-all duration-150 hover:brightness-110 hover:-translate-y-px active:translate-y-0 disabled:opacity-50 disabled:hover:translate-y-0"
+					>
+						{#if deleting}
+							<svg class="animate-spin" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M21 12a9 9 0 1 1-6.219-8.56"/></svg>
+							Deleting...
+						{:else}
+							Delete team
+						{/if}
+					</button>
+				</div>
+			</div>
+		</div>
+	</div>
+{/if}
diff --git a/internal/api/handlers_team.go b/internal/api/handlers_team.go
index ed23134..1c26681 100644
--- a/internal/api/handlers_team.go
+++ b/internal/api/handlers_team.go
@@ -1,6 +1,7 @@
 package api
 
 import (
+	"fmt"
 	"log/slog"
 	"net/http"
 	"strings"
@@ -388,3 +389,87 @@ func (h *teamHandler) SetBYOC(w http.ResponseWriter, r *http.Request) {
 
 	w.WriteHeader(http.StatusNoContent)
 }
+
+// AdminListTeams handles GET /v1/admin/teams?page=1
+// Returns a paginated list of all teams with member counts, owner info, and active sandbox counts.
+func (h *teamHandler) AdminListTeams(w http.ResponseWriter, r *http.Request) {
+	page := 1
+	if p := r.URL.Query().Get("page"); p != "" {
+		if _, err := fmt.Sscanf(p, "%d", &page); err != nil || page < 1 {
+			page = 1
+		}
+	}
+	const perPage = 100
+	offset := int32((page - 1) * perPage)
+
+	teams, total, err := h.svc.AdminListTeams(r.Context(), perPage, offset)
+	if err != nil {
+		status, code, msg := serviceErrToHTTP(err)
+		writeError(w, status, code, msg)
+		return
+	}
+
+	type adminTeamResponse struct {
+		ID                 string  `json:"id"`
+		Name               string  `json:"name"`
+		Slug               string  `json:"slug"`
+		IsByoc             bool    `json:"is_byoc"`
+		CreatedAt          string  `json:"created_at"`
+		DeletedAt          *string `json:"deleted_at"`
+		MemberCount        int32   `json:"member_count"`
+		OwnerName          string  `json:"owner_name"`
+		OwnerEmail         string  `json:"owner_email"`
+		ActiveSandboxCount int32   `json:"active_sandbox_count"`
+		ChannelCount       int32   `json:"channel_count"`
+	}
+
+	resp := make([]adminTeamResponse, len(teams))
+	for i, t := range teams {
+		r := adminTeamResponse{
+			ID:                 id.FormatTeamID(t.ID),
+			Name:               t.Name,
+			Slug:               t.Slug,
+			IsByoc:             t.IsByoc,
+			CreatedAt:          t.CreatedAt.Format(time.RFC3339),
+			MemberCount:        t.MemberCount,
+			OwnerName:          t.OwnerName,
+			OwnerEmail:         t.OwnerEmail,
+			ActiveSandboxCount: t.ActiveSandboxCount,
+			ChannelCount:       t.ChannelCount,
+		}
+		if t.DeletedAt != nil {
+			s := t.DeletedAt.Format(time.RFC3339)
+			r.DeletedAt = &s
+		}
+		resp[i] = r
+	}
+
+	totalPages := (total + perPage - 1) / perPage
+	writeJSON(w, http.StatusOK, map[string]any{
+		"teams":       resp,
+		"total":       total,
+		"page":        page,
+		"per_page":    perPage,
+		"total_pages": totalPages,
+	})
+}
+
+// AdminDeleteTeam handles DELETE /v1/admin/teams/{id}
+// Soft-deletes a team and destroys all its active sandboxes.
+func (h *teamHandler) AdminDeleteTeam(w http.ResponseWriter, r *http.Request) {
+	teamIDStr := chi.URLParam(r, "id")
+
+	teamID, err := id.ParseTeamID(teamIDStr)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid team ID")
+		return
+	}
+
+	if err := h.svc.AdminDeleteTeam(r.Context(), teamID); err != nil {
+		status, code, msg := serviceErrToHTTP(err)
+		writeError(w, status, code, msg)
+		return
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+}
diff --git a/internal/api/server.go b/internal/api/server.go
index 1069d22..779e7be 100644
--- a/internal/api/server.go
+++ b/internal/api/server.go
@@ -205,7 +205,9 @@ func New(
 	r.Route("/v1/admin", func(r chi.Router) {
 		r.Use(requireJWT(jwtSecret))
 		r.Use(requireAdmin(queries))
+		r.Get("/teams", teamH.AdminListTeams)
 		r.Put("/teams/{id}/byoc", teamH.SetBYOC)
+		r.Delete("/teams/{id}", teamH.AdminDeleteTeam)
 		r.Get("/templates", buildH.ListTemplates)
 		r.Delete("/templates/{name}", buildH.DeleteTemplate)
 		r.Post("/builds", buildH.Create)
diff --git a/internal/db/teams.sql.go b/internal/db/teams.sql.go
index 334141f..0700db4 100644
--- a/internal/db/teams.sql.go
+++ b/internal/db/teams.sql.go
@@ -11,6 +11,19 @@ import (
 	"github.com/jackc/pgx/v5/pgtype"
 )
 
+const countTeamsAdmin = `-- name: CountTeamsAdmin :one
+SELECT COUNT(*)::int AS total
+FROM teams
+WHERE id != '00000000-0000-0000-0000-000000000000'
+`
+
+func (q *Queries) CountTeamsAdmin(ctx context.Context) (int32, error) {
+	row := q.db.QueryRow(ctx, countTeamsAdmin)
+	var total int32
+	err := row.Scan(&total)
+	return total, err
+}
+
 const deleteTeamMember = `-- name: DeleteTeamMember :exec
 DELETE FROM users_teams WHERE team_id = $1 AND user_id = $2
 `
@@ -271,6 +284,78 @@ func (q *Queries) InsertTeamMember(ctx context.Context, arg InsertTeamMemberPara
 	return err
 }
 
+const listTeamsAdmin = `-- name: ListTeamsAdmin :many
+SELECT
+    t.id,
+    t.name,
+    t.slug,
+    t.is_byoc,
+    t.created_at,
+    t.deleted_at,
+    (SELECT COUNT(*) FROM users_teams ut WHERE ut.team_id = t.id)::int AS member_count,
+    COALESCE(owner_u.name, '') AS owner_name,
+    COALESCE(owner_u.email, '') AS owner_email,
+    (SELECT COUNT(*) FROM sandboxes s WHERE s.team_id = t.id AND s.status IN ('running', 'paused', 'starting'))::int AS active_sandbox_count,
+    (SELECT COUNT(*) FROM channels c WHERE c.team_id = t.id)::int AS channel_count
+FROM teams t
+LEFT JOIN users_teams owner_ut ON owner_ut.team_id = t.id AND owner_ut.role = 'owner'
+LEFT JOIN users owner_u ON owner_u.id = owner_ut.user_id
+WHERE t.id != '00000000-0000-0000-0000-000000000000'
+ORDER BY t.deleted_at ASC NULLS FIRST, t.created_at DESC
+LIMIT $1 OFFSET $2
+`
+
+type ListTeamsAdminParams struct {
+	Limit  int32 `json:"limit"`
+	Offset int32 `json:"offset"`
+}
+
+type ListTeamsAdminRow struct {
+	ID                 pgtype.UUID        `json:"id"`
+	Name               string             `json:"name"`
+	Slug               string             `json:"slug"`
+	IsByoc             bool               `json:"is_byoc"`
+	CreatedAt          pgtype.Timestamptz `json:"created_at"`
+	DeletedAt          pgtype.Timestamptz `json:"deleted_at"`
+	MemberCount        int32              `json:"member_count"`
+	OwnerName          string             `json:"owner_name"`
+	OwnerEmail         string             `json:"owner_email"`
+	ActiveSandboxCount int32              `json:"active_sandbox_count"`
+	ChannelCount       int32              `json:"channel_count"`
+}
+
+func (q *Queries) ListTeamsAdmin(ctx context.Context, arg ListTeamsAdminParams) ([]ListTeamsAdminRow, error) {
+	rows, err := q.db.Query(ctx, listTeamsAdmin, arg.Limit, arg.Offset)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []ListTeamsAdminRow
+	for rows.Next() {
+		var i ListTeamsAdminRow
+		if err := rows.Scan(
+			&i.ID,
+			&i.Name,
+			&i.Slug,
+			&i.IsByoc,
+			&i.CreatedAt,
+			&i.DeletedAt,
+			&i.MemberCount,
+			&i.OwnerName,
+			&i.OwnerEmail,
+			&i.ActiveSandboxCount,
+			&i.ChannelCount,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
 const setTeamBYOC = `-- name: SetTeamBYOC :exec
 UPDATE teams SET is_byoc = $2 WHERE id = $1
 `
diff --git a/internal/service/team.go b/internal/service/team.go
index f386338..ece4078 100644
--- a/internal/service/team.go
+++ b/internal/service/team.go
@@ -441,3 +441,109 @@ func (s *TeamService) SetBYOC(ctx context.Context, teamID pgtype.UUID, enabled b
 	}
 	return nil
 }
+
+// AdminTeamRow is the shape returned by AdminListTeams.
+type AdminTeamRow struct {
+	ID                 pgtype.UUID
+	Name               string
+	Slug               string
+	IsByoc             bool
+	CreatedAt          time.Time
+	DeletedAt          *time.Time
+	MemberCount        int32
+	OwnerName          string
+	OwnerEmail         string
+	ActiveSandboxCount int32
+	ChannelCount       int32
+}
+
+// AdminListTeams returns a paginated list of all teams (excluding the platform
+// team) with member counts, owner info, and active sandbox counts.
+// Admin-only — caller must verify admin status.
+func (s *TeamService) AdminListTeams(ctx context.Context, limit, offset int32) ([]AdminTeamRow, int32, error) {
+	teams, err := s.DB.ListTeamsAdmin(ctx, db.ListTeamsAdminParams{
+		Limit:  limit,
+		Offset: offset,
+	})
+	if err != nil {
+		return nil, 0, fmt.Errorf("list teams: %w", err)
+	}
+
+	total, err := s.DB.CountTeamsAdmin(ctx)
+	if err != nil {
+		return nil, 0, fmt.Errorf("count teams: %w", err)
+	}
+
+	rows := make([]AdminTeamRow, len(teams))
+	for i, t := range teams {
+		row := AdminTeamRow{
+			ID:                 t.ID,
+			Name:               t.Name,
+			Slug:               t.Slug,
+			IsByoc:             t.IsByoc,
+			CreatedAt:          t.CreatedAt.Time,
+			MemberCount:        t.MemberCount,
+			OwnerName:          t.OwnerName,
+			OwnerEmail:         t.OwnerEmail,
+			ActiveSandboxCount: t.ActiveSandboxCount,
+			ChannelCount:       t.ChannelCount,
+		}
+		if t.DeletedAt.Valid {
+			deletedAt := t.DeletedAt.Time
+			row.DeletedAt = &deletedAt
+		}
+		rows[i] = row
+	}
+	return rows, total, nil
+}
+
+// AdminDeleteTeam soft-deletes a team and destroys all its active sandboxes.
+// Unlike DeleteTeam, this does not require the caller to be the team owner —
+// it is admin-only (caller must verify admin status).
+func (s *TeamService) AdminDeleteTeam(ctx context.Context, teamID pgtype.UUID) error {
+	team, err := s.DB.GetTeam(ctx, teamID)
+	if err != nil {
+		return fmt.Errorf("team not found: %w", err)
+	}
+	if team.DeletedAt.Valid {
+		return fmt.Errorf("team not found")
+	}
+
+	// Destroy active sandboxes (same logic as DeleteTeam).
+	sandboxes, err := s.DB.ListActiveSandboxesByTeam(ctx, teamID)
+	if err != nil {
+		return fmt.Errorf("list active sandboxes: %w", err)
+	}
+
+	var stopIDs []pgtype.UUID
+	for _, sb := range sandboxes {
+		host, hostErr := s.DB.GetHost(ctx, sb.HostID)
+		if hostErr == nil {
+			agent, agentErr := s.HostPool.GetForHost(host)
+			if agentErr == nil {
+				if _, err := agent.DestroySandbox(ctx, connect.NewRequest(&pb.DestroySandboxRequest{
+					SandboxId: id.FormatSandboxID(sb.ID),
+				})); err != nil && connect.CodeOf(err) != connect.CodeNotFound {
+					slog.Warn("admin team delete: failed to destroy sandbox", "sandbox_id", id.FormatSandboxID(sb.ID), "error", err)
+				}
+			}
+		}
+		stopIDs = append(stopIDs, sb.ID)
+	}
+
+	if len(stopIDs) > 0 {
+		if err := s.DB.BulkUpdateStatusByIDs(ctx, db.BulkUpdateStatusByIDsParams{
+			Column1: stopIDs,
+			Status:  "stopped",
+		}); err != nil {
+			return fmt.Errorf("update sandbox statuses: %w", err)
+		}
+	}
+
+	go s.cleanupTeamTemplates(context.Background(), teamID)
+
+	if err := s.DB.SoftDeleteTeam(ctx, teamID); err != nil {
+		return fmt.Errorf("soft delete team: %w", err)
+	}
+	return nil
+}

From a265c15c4dc56474ea33e382d8fb5512b249b1d8 Mon Sep 17 00:00:00 2001
From: pptx704 <rafeed@omukk.dev>
Date: Wed, 15 Apr 2026 03:58:44 +0600
Subject: [PATCH 2/2] Add admin user management with is_active enforcement

Admin users page at /admin/users with paginated user list showing name,
email, team counts, role, join date, and active status toggle. Inactive
users are blocked from all authenticated endpoints immediately via DB
check in JWT middleware. OAuth login errors now show human-readable
messages on the login page.
---
 ...20260414213729_add_user_active_deleted.sql |   7 +
 db/queries/users.sql                          |  23 ++
 frontend/src/lib/api/admin-users.ts           |  28 ++
 .../src/lib/components/AdminSidebar.svelte    |  90 +++---
 frontend/src/routes/admin/users/+page.svelte  | 305 ++++++++++++++++++
 frontend/src/routes/login/+page.svelte        |  12 +-
 internal/api/handlers_auth.go                 |   6 +
 internal/api/handlers_oauth.go                |  10 +
 internal/api/handlers_users.go                |  99 +++++-
 internal/api/middleware_auth.go               |  12 +
 internal/api/middleware_jwt.go                |  17 +-
 internal/api/server.go                        |  21 +-
 internal/db/models.go                         |   2 +
 internal/db/users.sql.go                      | 108 ++++++-
 internal/service/user.go                      |  70 ++++
 15 files changed, 751 insertions(+), 59 deletions(-)
 create mode 100644 db/migrations/20260414213729_add_user_active_deleted.sql
 create mode 100644 frontend/src/lib/api/admin-users.ts
 create mode 100644 frontend/src/routes/admin/users/+page.svelte
 create mode 100644 internal/service/user.go

diff --git a/db/migrations/20260414213729_add_user_active_deleted.sql b/db/migrations/20260414213729_add_user_active_deleted.sql
new file mode 100644
index 0000000..b54b588
--- /dev/null
+++ b/db/migrations/20260414213729_add_user_active_deleted.sql
@@ -0,0 +1,7 @@
+-- +goose Up
+ALTER TABLE users ADD COLUMN is_active BOOLEAN NOT NULL DEFAULT TRUE;
+ALTER TABLE users ADD COLUMN deleted_at TIMESTAMPTZ;
+
+-- +goose Down
+ALTER TABLE users DROP COLUMN deleted_at;
+ALTER TABLE users DROP COLUMN is_active;
diff --git a/db/queries/users.sql b/db/queries/users.sql
index fe0e1fd..bd7d85a 100644
--- a/db/queries/users.sql
+++ b/db/queries/users.sql
@@ -43,3 +43,26 @@ SELECT id, email FROM users WHERE email LIKE $1 || '%' ORDER BY email LIMIT 10;
 
 -- name: UpdateUserName :exec
 UPDATE users SET name = $2, updated_at = NOW() WHERE id = $1;
+
+-- name: ListUsersAdmin :many
+SELECT
+    u.id,
+    u.email,
+    u.name,
+    u.is_admin,
+    u.is_active,
+    u.created_at,
+    (SELECT COUNT(*) FROM users_teams ut WHERE ut.user_id = u.id)::int AS teams_joined,
+    (SELECT COUNT(*) FROM users_teams ut WHERE ut.user_id = u.id AND ut.role = 'owner')::int AS teams_owned
+FROM users u
+WHERE u.deleted_at IS NULL
+ORDER BY u.created_at DESC
+LIMIT $1 OFFSET $2;
+
+-- name: CountUsersAdmin :one
+SELECT COUNT(*)::int AS total
+FROM users
+WHERE deleted_at IS NULL;
+
+-- name: SetUserActive :exec
+UPDATE users SET is_active = $2, updated_at = NOW() WHERE id = $1;
diff --git a/frontend/src/lib/api/admin-users.ts b/frontend/src/lib/api/admin-users.ts
new file mode 100644
index 0000000..a8cfa19
--- /dev/null
+++ b/frontend/src/lib/api/admin-users.ts
@@ -0,0 +1,28 @@
+import { apiFetch, type ApiResult } from '$lib/api/client';
+
+export type AdminUser = {
+	id: string;
+	email: string;
+	name: string;
+	is_admin: boolean;
+	is_active: boolean;
+	created_at: string;
+	teams_joined: number;
+	teams_owned: number;
+};
+
+export type AdminUsersResponse = {
+	users: AdminUser[];
+	total: number;
+	page: number;
+	per_page: number;
+	total_pages: number;
+};
+
+export async function listAdminUsers(page: number = 1): Promise<ApiResult<AdminUsersResponse>> {
+	return apiFetch('GET', `/api/v1/admin/users?page=${page}`);
+}
+
+export async function setUserActive(id: string, active: boolean): Promise<ApiResult<void>> {
+	return apiFetch('PUT', `/api/v1/admin/users/${id}/active`, { active });
+}
diff --git a/frontend/src/lib/components/AdminSidebar.svelte b/frontend/src/lib/components/AdminSidebar.svelte
index 3ea8a7b..e7421b0 100644
--- a/frontend/src/lib/components/AdminSidebar.svelte
+++ b/frontend/src/lib/components/AdminSidebar.svelte
@@ -12,7 +12,8 @@
 		IconDocs,
 		IconChevron,
 		IconShield,
-		IconMembers
+		IconMembers,
+		IconUser
 	} from './icons';
 
 	let { collapsed = $bindable(false) }: { collapsed: boolean } = $props();
@@ -24,10 +25,14 @@
 	};
 
 	const managementItems: NavItem[] = [
+		{ label: 'Users', icon: IconUser, href: '/admin/users' },
+		{ label: 'Teams', icon: IconMembers, href: '/admin/teams' }
+	];
+
+	const platformItems: NavItem[] = [
 		{ label: 'Templates', icon: IconBox, href: '/admin/templates' },
 		{ label: 'Capsules', icon: IconMonitor, href: '/admin/capsules' },
-		{ label: 'Hosts', icon: IconServer, href: '/admin/hosts' },
-		{ label: 'Teams', icon: IconMembers, href: '/admin/teams' }
+		{ label: 'Hosts', icon: IconServer, href: '/admin/hosts' }
 	];
 
 	function isActive(href: string): boolean {
@@ -100,43 +105,8 @@
 
 	<!-- Navigation -->
 	<nav class="flex-1 overflow-y-auto px-3 {collapsed ? 'px-1.5' : ''}">
-		<div class="mb-3">
-			{#if !collapsed}
-				<div class="mb-1 px-2.5 py-1.5 text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">
-					Management
-				</div>
-			{:else}
-				<div class="mx-1 my-2 h-px bg-[var(--color-border)]"></div>
-			{/if}
-			{#each managementItems as item}
-				{#if isActive(item.href)}
-					<a
-						href={item.href}
-						class="group relative flex items-center rounded-[var(--radius-input)] bg-[var(--color-accent-glow-mid)] px-2.5 py-2.5 transition-colors duration-150 {collapsed ? 'justify-center px-2' : 'gap-3'}"
-						title={collapsed ? item.label : undefined}
-					>
-						{#if !collapsed}
-							<div class="absolute left-0 top-1/2 h-5 w-[3px] -translate-y-1/2 rounded-r-full bg-[var(--color-accent)]"></div>
-						{/if}
-						<item.icon size={16} class="shrink-0 text-[var(--color-accent-bright)]" />
-						{#if !collapsed}
-							<span class="text-ui font-medium text-[var(--color-accent-bright)]">{item.label}</span>
-						{/if}
-					</a>
-				{:else}
-					<a
-						href={item.href}
-						class="group flex items-center rounded-[var(--radius-input)] px-2.5 py-2.5 transition-colors duration-150 hover:bg-[var(--color-bg-3)] {collapsed ? 'justify-center px-2' : 'gap-3'}"
-						title={collapsed ? item.label : undefined}
-					>
-						<item.icon size={16} class="shrink-0 opacity-50 transition-opacity duration-150 group-hover:opacity-100" />
-						{#if !collapsed}
-							<span class="text-ui text-[var(--color-text-primary)] transition-colors duration-150 group-hover:text-[var(--color-text-bright)]">{item.label}</span>
-						{/if}
-					</a>
-				{/if}
-			{/each}
-		</div>
+		{@render navSection('Platform', platformItems)}
+		{@render navSection('Management', managementItems)}
 	</nav>
 
 	<!-- Bottom links -->
@@ -188,3 +158,43 @@
 		</button>
 	</div>
 </aside>
+
+{#snippet navSection(title: string, items: NavItem[])}
+	<div class="mb-3">
+		{#if !collapsed}
+			<div class="mb-1 px-2.5 py-1.5 text-label font-semibold uppercase tracking-[0.06em] text-[var(--color-text-tertiary)]">
+				{title}
+			</div>
+		{:else}
+			<div class="mx-1 my-2 h-px bg-[var(--color-border)]"></div>
+		{/if}
+		{#each items as item}
+			{#if isActive(item.href)}
+				<a
+					href={item.href}
+					class="group relative flex items-center rounded-[var(--radius-input)] bg-[var(--color-accent-glow-mid)] px-2.5 py-2.5 transition-colors duration-150 {collapsed ? 'justify-center px-2' : 'gap-3'}"
+					title={collapsed ? item.label : undefined}
+				>
+					{#if !collapsed}
+						<div class="absolute left-0 top-1/2 h-5 w-[3px] -translate-y-1/2 rounded-r-full bg-[var(--color-accent)]"></div>
+					{/if}
+					<item.icon size={16} class="shrink-0 text-[var(--color-accent-bright)]" />
+					{#if !collapsed}
+						<span class="text-ui font-medium text-[var(--color-accent-bright)]">{item.label}</span>
+					{/if}
+				</a>
+			{:else}
+				<a
+					href={item.href}
+					class="group flex items-center rounded-[var(--radius-input)] px-2.5 py-2.5 transition-colors duration-150 hover:bg-[var(--color-bg-3)] {collapsed ? 'justify-center px-2' : 'gap-3'}"
+					title={collapsed ? item.label : undefined}
+				>
+					<item.icon size={16} class="shrink-0 opacity-50 transition-opacity duration-150 group-hover:opacity-100" />
+					{#if !collapsed}
+						<span class="text-ui text-[var(--color-text-primary)] transition-colors duration-150 group-hover:text-[var(--color-text-bright)]">{item.label}</span>
+					{/if}
+				</a>
+			{/if}
+		{/each}
+	</div>
+{/snippet}
diff --git a/frontend/src/routes/admin/users/+page.svelte b/frontend/src/routes/admin/users/+page.svelte
new file mode 100644
index 0000000..07432ec
--- /dev/null
+++ b/frontend/src/routes/admin/users/+page.svelte
@@ -0,0 +1,305 @@
+<script lang="ts">
+	import AdminSidebar from '$lib/components/AdminSidebar.svelte';
+	import { onMount } from 'svelte';
+	import { toast } from '$lib/toast.svelte';
+	import { formatDate } from '$lib/utils/format';
+	import {
+		listAdminUsers,
+		setUserActive,
+		type AdminUser,
+	} from '$lib/api/admin-users';
+
+	let collapsed = $state(
+		typeof window !== 'undefined'
+			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
+			: false
+	);
+
+	// Data state
+	let users = $state<AdminUser[]>([]);
+	let loading = $state(true);
+	let error = $state<string | null>(null);
+	let currentPage = $state(1);
+	let totalPages = $state(1);
+	let totalUsers = $state(0);
+
+	// Animation
+	let initialAnimationDone = $state(false);
+
+	// Toggle state
+	let togglingId = $state<string | null>(null);
+
+	async function fetchUsers(page: number = 1) {
+		const wasEmpty = users.length === 0;
+		if (wasEmpty) loading = true;
+		error = null;
+
+		const result = await listAdminUsers(page);
+		if (result.ok) {
+			users = result.data.users;
+			currentPage = result.data.page;
+			totalPages = result.data.total_pages;
+			totalUsers = result.data.total;
+		} else {
+			error = result.error;
+		}
+		loading = false;
+
+		if (!initialAnimationDone) {
+			setTimeout(() => { initialAnimationDone = true; }, 400 + (users.length * 30));
+		}
+	}
+
+	async function handleToggleActive(user: AdminUser) {
+		togglingId = user.id;
+		const newActive = !user.is_active;
+		const result = await setUserActive(user.id, newActive);
+		if (result.ok) {
+			user.is_active = newActive;
+			toast.success(`${user.email} ${newActive ? 'activated' : 'deactivated'}`);
+		} else {
+			toast.error(result.error);
+		}
+		togglingId = null;
+	}
+
+	function goToPage(page: number) {
+		if (page < 1 || page > totalPages) return;
+		fetchUsers(page);
+	}
+
+	onMount(() => {
+		fetchUsers();
+	});
+</script>
+
+<svelte:head>
+	<title>Wrenn Admin — Users</title>
+</svelte:head>
+
+<style>
+	.user-grid {
+		display: grid;
+		grid-template-columns: 1.6fr 1.4fr 0.7fr 0.7fr 0.5fr 1fr 0.6fr;
+	}
+
+	.stat-pill {
+		display: flex;
+		align-items: baseline;
+		gap: 6px;
+		border-radius: var(--radius-button);
+		border-width: 1px;
+		padding: 6px 12px;
+		transition: transform 0.15s ease, box-shadow 0.15s ease;
+	}
+	.stat-pill:hover {
+		transform: translateY(-1px);
+		box-shadow: 0 2px 8px rgba(0, 0, 0, 0.25);
+	}
+
+	.row-stripe {
+		transform: scaleY(0);
+		transform-origin: center;
+		transition: transform 0.18s cubic-bezier(0.25, 1, 0.5, 1);
+	}
+	.user-row:hover .row-stripe {
+		transform: scaleY(1);
+	}
+
+	@keyframes fadeUp {
+		from { opacity: 0; transform: translateY(10px); }
+		to { opacity: 1; transform: translateY(0); }
+	}
+</style>
+
+<div class="flex h-screen overflow-hidden bg-[var(--color-bg-0)]">
+	<AdminSidebar bind:collapsed />
+
+	<main class="flex min-w-0 flex-1 flex-col overflow-hidden">
+		<!-- Header -->
+		<header class="relative shrink-0 border-b border-[var(--color-border)] bg-[var(--color-bg-1)]">
+			<div class="absolute inset-0 bg-gradient-to-b from-[var(--color-accent)]/[0.02] to-transparent pointer-events-none"></div>
+
+			<div class="relative flex items-start justify-between px-8 pt-7 pb-5">
+				<div>
+					<h1 class="font-serif text-page leading-none tracking-[-0.03em] text-[var(--color-text-bright)]">
+						Users
+					</h1>
+					<p class="mt-2 text-ui text-[var(--color-text-tertiary)]">
+						All registered users, team memberships, and account status.
+					</p>
+				</div>
+			</div>
+
+			<!-- Stat strip -->
+			{#if !loading && !error}
+				<div class="relative flex items-center gap-3 px-8 pb-5">
+					<div class="stat-pill border-[var(--color-border)] bg-[var(--color-bg-2)]">
+						<span class="font-mono text-body font-bold tabular-nums text-[var(--color-text-bright)]">{totalUsers}</span>
+						<span class="text-label text-[var(--color-text-muted)]">user{totalUsers !== 1 ? 's' : ''}</span>
+					</div>
+				</div>
+			{/if}
+		</header>
+
+		<!-- Content -->
+		<div class="flex-1 overflow-y-auto px-8 py-6" style="animation: fadeUp 0.35s ease both">
+			{#if error}
+				<div class="mb-4 flex items-start gap-3 rounded-[var(--radius-card)] border border-[var(--color-red)]/30 bg-[var(--color-red)]/5 px-4 py-3">
+					<svg class="mt-0.5 shrink-0 text-[var(--color-red)]" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+						<circle cx="12" cy="12" r="10" /><line x1="12" y1="8" x2="12" y2="12" /><line x1="12" y1="16" x2="12.01" y2="16" />
+					</svg>
+					<span class="text-ui text-[var(--color-red)]">{error}. Try refreshing the page.</span>
+				</div>
+			{/if}
+
+			<!-- Table -->
+			<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] overflow-hidden">
+				<!-- Header row -->
+				<div class="user-grid rounded-t-[var(--radius-card)] border-b border-[var(--color-border)] bg-[var(--color-bg-3)]">
+					<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Name</div>
+					<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Email</div>
+					<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Teams</div>
+					<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Owned</div>
+					<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Role</div>
+					<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Joined</div>
+					<div class="px-5 py-3 text-right text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">Status</div>
+				</div>
+
+				{#if loading && users.length === 0}
+					<div class="flex items-center justify-center py-16">
+						<div class="flex items-center gap-3 text-ui text-[var(--color-text-secondary)]">
+							<svg class="animate-spin" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
+								<path d="M21 12a9 9 0 1 1-6.219-8.56" />
+							</svg>
+							Loading users...
+						</div>
+					</div>
+				{:else if users.length === 0}
+					<div class="flex flex-col items-center justify-center py-[72px]">
+						<div class="relative mb-5">
+							<div class="absolute inset-0 -m-4 rounded-full" style="background: radial-gradient(circle, rgba(94,140,88,0.08) 0%, transparent 70%)"></div>
+							<div class="relative flex h-14 w-14 items-center justify-center rounded-[var(--radius-card)] border border-[var(--color-accent)]/20 bg-[var(--color-bg-3)]">
+								<svg width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="var(--color-accent-mid)" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round">
+									<path d="M20 21v-2a4 4 0 0 0-4-4H8a4 4 0 0 0-4 4v2" /><circle cx="12" cy="7" r="4" />
+								</svg>
+							</div>
+						</div>
+						<p class="font-serif text-heading tracking-[-0.02em] text-[var(--color-text-bright)]">
+							No users yet
+						</p>
+						<p class="mt-1.5 text-ui text-[var(--color-text-tertiary)]">
+							Users appear here when they sign up.
+						</p>
+					</div>
+				{:else}
+					{#each users as user, i (user.id)}
+						<div
+							class="user-row user-grid relative items-center overflow-hidden border-b border-[var(--color-border)] transition-colors duration-150 last:border-b-0 {!user.is_active ? 'opacity-50' : 'hover:bg-[var(--color-bg-3)]'}"
+							style={initialAnimationDone ? '' : `animation: fadeUp 0.35s ease both; animation-delay: ${i * 30}ms`}
+						>
+							<!-- Left accent stripe -->
+							{#if user.is_active}
+								<div class="row-stripe pointer-events-none absolute left-0 top-0 h-full w-0.5 bg-[var(--color-accent)]"></div>
+							{/if}
+
+							<!-- Name -->
+							<div class="min-w-0 px-5 py-4">
+								<div class="flex items-center gap-2">
+									<span class="block truncate text-ui font-medium text-[var(--color-text-bright)]">{user.name || '\u2014'}</span>
+									{#if user.is_admin}
+										<span class="inline-flex shrink-0 items-center rounded-full border border-[var(--color-amber)]/30 bg-[var(--color-amber)]/10 px-2 py-0.5 text-[10px] font-semibold uppercase tracking-[0.05em] text-[var(--color-amber)]">
+											Admin
+										</span>
+									{/if}
+								</div>
+								<span class="block truncate font-mono text-label text-[var(--color-text-muted)]">{user.id}</span>
+							</div>
+
+							<!-- Email -->
+							<div class="min-w-0 px-5 py-4">
+								<span class="block truncate font-mono text-ui text-[var(--color-text-secondary)]">{user.email}</span>
+							</div>
+
+							<!-- Teams Joined -->
+							<div class="px-5 py-4">
+								<span class="font-mono text-ui text-[var(--color-text-secondary)]">{user.teams_joined}</span>
+							</div>
+
+							<!-- Teams Owned -->
+							<div class="px-5 py-4">
+								<span class="font-mono text-ui text-[var(--color-text-secondary)]">{user.teams_owned}</span>
+							</div>
+
+							<!-- Role -->
+							<div class="px-5 py-4">
+								<span class="text-ui text-[var(--color-text-secondary)]">{user.is_admin ? 'Admin' : 'User'}</span>
+							</div>
+
+							<!-- Joined -->
+							<div class="px-5 py-4">
+								<span class="text-ui text-[var(--color-text-secondary)]">{formatDate(user.created_at)}</span>
+							</div>
+
+							<!-- Status / Toggle -->
+							<div class="flex items-center justify-end px-5 py-4">
+								<button
+									onclick={() => handleToggleActive(user)}
+									disabled={togglingId === user.id}
+									class="rounded-[var(--radius-button)] border px-3 py-1.5 text-meta font-medium transition-all duration-150 disabled:opacity-50
+										{user.is_active
+											? 'border-[var(--color-accent)]/30 bg-[var(--color-accent)]/8 text-[var(--color-accent-bright)] hover:bg-[var(--color-accent)]/15 hover:border-[var(--color-accent)]/50'
+											: 'border-[var(--color-red)]/30 bg-[var(--color-red)]/8 text-[var(--color-red)] hover:bg-[var(--color-red)]/15 hover:border-[var(--color-red)]/50'}"
+								>
+									{#if togglingId === user.id}
+										<svg class="inline animate-spin" width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M21 12a9 9 0 1 1-6.219-8.56"/></svg>
+									{:else}
+										{user.is_active ? 'Active' : 'Inactive'}
+									{/if}
+								</button>
+							</div>
+						</div>
+					{/each}
+				{/if}
+			</div>
+
+			<!-- Pagination -->
+			{#if totalPages > 1}
+				<div class="mt-4 flex items-center justify-between">
+					<span class="text-ui text-[var(--color-text-tertiary)]">
+						Page <span class="font-mono text-[var(--color-text-secondary)]">{currentPage}</span> of <span class="font-mono text-[var(--color-text-secondary)]">{totalPages}</span>
+					</span>
+					<div class="flex items-center gap-2">
+						<button
+							onclick={() => goToPage(currentPage - 1)}
+							disabled={currentPage <= 1}
+							class="flex items-center gap-1.5 rounded-[var(--radius-button)] border border-[var(--color-border)] px-3 py-1.5 text-ui text-[var(--color-text-secondary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)] disabled:opacity-40 disabled:hover:border-[var(--color-border)] disabled:hover:text-[var(--color-text-secondary)]"
+						>
+							<svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><polyline points="15 18 9 12 15 6"/></svg>
+							Previous
+						</button>
+						<button
+							onclick={() => goToPage(currentPage + 1)}
+							disabled={currentPage >= totalPages}
+							class="flex items-center gap-1.5 rounded-[var(--radius-button)] border border-[var(--color-border)] px-3 py-1.5 text-ui text-[var(--color-text-secondary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:text-[var(--color-text-primary)] disabled:opacity-40 disabled:hover:border-[var(--color-border)] disabled:hover:text-[var(--color-text-secondary)]"
+						>
+							Next
+							<svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><polyline points="9 18 15 12 9 6"/></svg>
+						</button>
+					</div>
+				</div>
+			{/if}
+		</div>
+
+		<!-- Status bar -->
+		<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-8">
+			<div class="flex items-center gap-1.5">
+				<span class="relative flex h-[5px] w-[5px]">
+					<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+					<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+				</span>
+				<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+			</div>
+		</footer>
+	</main>
+</div>
diff --git a/frontend/src/routes/login/+page.svelte b/frontend/src/routes/login/+page.svelte
index 116b3a0..2deb4dd 100644
--- a/frontend/src/routes/login/+page.svelte
+++ b/frontend/src/routes/login/+page.svelte
@@ -22,10 +22,20 @@
 	let error = $state('');
 	let loading = $state(false);
 
+	const oauthErrorMessages: Record<string, string> = {
+		account_deactivated: 'Your account has been deactivated — contact your administrator to regain access',
+		access_denied: 'Access was denied by the provider',
+		email_taken: 'An account with this email already exists',
+		exchange_failed: 'Authentication failed — please try again',
+	};
+
 	// Read OAuth error forwarded from /auth/github/callback
 	onMount(() => {
 		const urlErr = $page.url.searchParams.get('error');
-		if (urlErr) error = decodeURIComponent(urlErr);
+		if (urlErr) {
+			const decoded = decodeURIComponent(urlErr);
+			error = oauthErrorMessages[decoded] ?? decoded;
+		}
 	});
 
 	// Mouse-reactive glow — moves opposite to cursor with viscous drag
diff --git a/internal/api/handlers_auth.go b/internal/api/handlers_auth.go
index 9a22fca..8502554 100644
--- a/internal/api/handlers_auth.go
+++ b/internal/api/handlers_auth.go
@@ -237,6 +237,12 @@ func (h *authHandler) Login(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if !user.IsActive {
+		slog.Warn("login failed: account deactivated", "email", req.Email, "ip", r.RemoteAddr)
+		writeError(w, http.StatusForbidden, "account_deactivated", "your account has been deactivated — contact your administrator to regain access")
+		return
+	}
+
 	team, role, err := loginTeam(ctx, h.db, user.ID)
 	if err != nil {
 		if errors.Is(err, pgx.ErrNoRows) {
diff --git a/internal/api/handlers_oauth.go b/internal/api/handlers_oauth.go
index 9209e86..4bf8ca7 100644
--- a/internal/api/handlers_oauth.go
+++ b/internal/api/handlers_oauth.go
@@ -150,6 +150,11 @@ func (h *oauthHandler) Callback(w http.ResponseWriter, r *http.Request) {
 			redirectWithError(w, r, redirectBase, "db_error")
 			return
 		}
+		if !user.IsActive {
+			slog.Warn("oauth login: account deactivated", "email", user.Email)
+			redirectWithError(w, r, redirectBase, "account_deactivated")
+			return
+		}
 		team, role, err := loginTeam(ctx, h.db, user.ID)
 		if err != nil {
 			slog.Error("oauth login: failed to get team", "error", err)
@@ -301,6 +306,11 @@ func (h *oauthHandler) retryAsLogin(w http.ResponseWriter, r *http.Request, prov
 		redirectWithError(w, r, redirectBase, "db_error")
 		return
 	}
+	if !user.IsActive {
+		slog.Warn("oauth: retry login: account deactivated", "email", user.Email)
+		redirectWithError(w, r, redirectBase, "account_deactivated")
+		return
+	}
 	team, role, err := loginTeam(ctx, h.db, user.ID)
 	if err != nil {
 		slog.Error("oauth: retry login: failed to get team", "error", err)
diff --git a/internal/api/handlers_users.go b/internal/api/handlers_users.go
index 5f9ef6a..ab3098c 100644
--- a/internal/api/handlers_users.go
+++ b/internal/api/handlers_users.go
@@ -1,22 +1,27 @@
 package api
 
 import (
+	"fmt"
 	"net/http"
 	"strings"
+	"time"
 
+	"github.com/go-chi/chi/v5"
 	"github.com/jackc/pgx/v5/pgtype"
 
 	"git.omukk.dev/wrenn/wrenn/internal/auth"
 	"git.omukk.dev/wrenn/wrenn/internal/db"
 	"git.omukk.dev/wrenn/wrenn/internal/id"
+	"git.omukk.dev/wrenn/wrenn/internal/service"
 )
 
 type usersHandler struct {
-	db *db.Queries
+	db  *db.Queries
+	svc *service.UserService
 }
 
-func newUsersHandler(db *db.Queries) *usersHandler {
-	return &usersHandler{db: db}
+func newUsersHandler(db *db.Queries, svc *service.UserService) *usersHandler {
+	return &usersHandler{db: db, svc: svc}
 }
 
 // Search handles GET /v1/users/search?email=<prefix>
@@ -50,3 +55,91 @@ func (h *usersHandler) Search(w http.ResponseWriter, r *http.Request) {
 	}
 	writeJSON(w, http.StatusOK, resp)
 }
+
+// AdminListUsers handles GET /v1/admin/users?page=1
+// Returns a paginated list of all users with team counts.
+func (h *usersHandler) AdminListUsers(w http.ResponseWriter, r *http.Request) {
+	page := 1
+	if p := r.URL.Query().Get("page"); p != "" {
+		if _, err := fmt.Sscanf(p, "%d", &page); err != nil || page < 1 {
+			page = 1
+		}
+	}
+	const perPage = 100
+	offset := int32((page - 1) * perPage)
+
+	users, total, err := h.svc.AdminListUsers(r.Context(), perPage, offset)
+	if err != nil {
+		status, code, msg := serviceErrToHTTP(err)
+		writeError(w, status, code, msg)
+		return
+	}
+
+	type adminUserResponse struct {
+		ID          string `json:"id"`
+		Email       string `json:"email"`
+		Name        string `json:"name"`
+		IsAdmin     bool   `json:"is_admin"`
+		IsActive    bool   `json:"is_active"`
+		CreatedAt   string `json:"created_at"`
+		TeamsJoined int32  `json:"teams_joined"`
+		TeamsOwned  int32  `json:"teams_owned"`
+	}
+
+	resp := make([]adminUserResponse, len(users))
+	for i, u := range users {
+		resp[i] = adminUserResponse{
+			ID:          id.FormatUserID(u.ID),
+			Email:       u.Email,
+			Name:        u.Name,
+			IsAdmin:     u.IsAdmin,
+			IsActive:    u.IsActive,
+			CreatedAt:   u.CreatedAt.Format(time.RFC3339),
+			TeamsJoined: u.TeamsJoined,
+			TeamsOwned:  u.TeamsOwned,
+		}
+	}
+
+	totalPages := (total + perPage - 1) / perPage
+	writeJSON(w, http.StatusOK, map[string]any{
+		"users":       resp,
+		"total":       total,
+		"page":        page,
+		"per_page":    perPage,
+		"total_pages": totalPages,
+	})
+}
+
+// SetUserActive handles PUT /v1/admin/users/{id}/active
+// Enables or disables a user account. Admins cannot deactivate themselves.
+func (h *usersHandler) SetUserActive(w http.ResponseWriter, r *http.Request) {
+	ac := auth.MustFromContext(r.Context())
+	userIDStr := chi.URLParam(r, "id")
+
+	userID, err := id.ParseUserID(userIDStr)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid user ID")
+		return
+	}
+
+	var req struct {
+		Active bool `json:"active"`
+	}
+	if err := decodeJSON(r, &req); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_request", "invalid JSON body")
+		return
+	}
+
+	if ac.UserID == userID && !req.Active {
+		writeError(w, http.StatusBadRequest, "invalid_request", "cannot deactivate your own account")
+		return
+	}
+
+	if err := h.svc.SetUserActive(r.Context(), userID, req.Active); err != nil {
+		status, code, msg := serviceErrToHTTP(err)
+		writeError(w, status, code, msg)
+		return
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+}
diff --git a/internal/api/middleware_auth.go b/internal/api/middleware_auth.go
index 5c00c25..2c5e192 100644
--- a/internal/api/middleware_auth.go
+++ b/internal/api/middleware_auth.go
@@ -64,6 +64,18 @@ func requireAPIKeyOrJWT(queries *db.Queries, jwtSecret []byte) func(http.Handler
 					return
 				}
 
+				// Verify user is still active in the database.
+				user, err := queries.GetUserByID(r.Context(), userID)
+				if err != nil {
+					slog.Warn("jwt auth: failed to look up user", "user_id", claims.Subject, "error", err)
+					writeError(w, http.StatusUnauthorized, "unauthorized", "user not found")
+					return
+				}
+				if !user.IsActive {
+					writeError(w, http.StatusForbidden, "account_deactivated", "your account has been deactivated — contact your administrator to regain access")
+					return
+				}
+
 				ctx := auth.WithAuthContext(r.Context(), auth.AuthContext{
 					TeamID: teamID,
 					UserID: userID,
diff --git a/internal/api/middleware_jwt.go b/internal/api/middleware_jwt.go
index 421f5fa..a4f311a 100644
--- a/internal/api/middleware_jwt.go
+++ b/internal/api/middleware_jwt.go
@@ -1,16 +1,19 @@
 package api
 
 import (
+	"log/slog"
 	"net/http"
 	"strings"
 
 	"git.omukk.dev/wrenn/wrenn/internal/auth"
+	"git.omukk.dev/wrenn/wrenn/internal/db"
 	"git.omukk.dev/wrenn/wrenn/internal/id"
 )
 
 // requireJWT validates a JWT from the Authorization: Bearer header or the
 // ?token= query parameter (for WebSocket connections that cannot send headers).
-func requireJWT(secret []byte) func(http.Handler) http.Handler {
+// It also verifies the user is still active in the database.
+func requireJWT(secret []byte, queries *db.Queries) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			var tokenStr string
@@ -40,6 +43,18 @@ func requireJWT(secret []byte) func(http.Handler) http.Handler {
 				return
 			}
 
+			// Verify user is still active in the database.
+			user, err := queries.GetUserByID(r.Context(), userID)
+			if err != nil {
+				slog.Warn("jwt auth: failed to look up user", "user_id", claims.Subject, "error", err)
+				writeError(w, http.StatusUnauthorized, "unauthorized", "user not found")
+				return
+			}
+			if !user.IsActive {
+				writeError(w, http.StatusForbidden, "account_deactivated", "your account has been deactivated — contact your administrator to regain access")
+				return
+			}
+
 			ctx := auth.WithAuthContext(r.Context(), auth.AuthContext{
 				TeamID:  teamID,
 				UserID:  userID,
diff --git a/internal/api/server.go b/internal/api/server.go
index 779e7be..b33b145 100644
--- a/internal/api/server.go
+++ b/internal/api/server.go
@@ -51,6 +51,7 @@ func New(
 	templateSvc := &service.TemplateService{DB: queries}
 	hostSvc := &service.HostService{DB: queries, Redis: rdb, JWT: jwtSecret, Pool: pool, CA: ca}
 	teamSvc := &service.TeamService{DB: queries, Pool: pgPool, HostPool: pool}
+	userSvc := &service.UserService{DB: queries}
 	auditSvc := &service.AuditService{DB: queries}
 	statsSvc := &service.StatsService{DB: queries, Pool: pgPool}
 	buildSvc := &service.BuildService{DB: queries, Redis: rdb, Pool: pool, Scheduler: sched}
@@ -67,7 +68,7 @@ func New(
 	apiKeys := newAPIKeyHandler(apiKeySvc, al)
 	hostH := newHostHandler(hostSvc, queries, al)
 	teamH := newTeamHandler(teamSvc, al)
-	usersH := newUsersHandler(queries)
+	usersH := newUsersHandler(queries, userSvc)
 	auditH := newAuditHandler(auditSvc)
 	statsH := newStatsHandler(statsSvc)
 	metricsH := newSandboxMetricsHandler(queries, pool)
@@ -88,11 +89,11 @@ func New(
 	r.Get("/auth/oauth/{provider}/callback", oauthH.Callback)
 
 	// JWT-authenticated: switch active team.
-	r.With(requireJWT(jwtSecret)).Post("/v1/auth/switch-team", authH.SwitchTeam)
+	r.With(requireJWT(jwtSecret, queries)).Post("/v1/auth/switch-team", authH.SwitchTeam)
 
 	// JWT-authenticated: API key management.
 	r.Route("/v1/api-keys", func(r chi.Router) {
-		r.Use(requireJWT(jwtSecret))
+		r.Use(requireJWT(jwtSecret, queries))
 		r.Post("/", apiKeys.Create)
 		r.Get("/", apiKeys.List)
 		r.Delete("/{id}", apiKeys.Delete)
@@ -100,7 +101,7 @@ func New(
 
 	// JWT-authenticated: team management.
 	r.Route("/v1/teams", func(r chi.Router) {
-		r.Use(requireJWT(jwtSecret))
+		r.Use(requireJWT(jwtSecret, queries))
 		r.Get("/", teamH.List)
 		r.Post("/", teamH.Create)
 		r.Route("/{id}", func(r chi.Router) {
@@ -116,7 +117,7 @@ func New(
 	})
 
 	// JWT-authenticated: user search (for add-member UI).
-	r.With(requireJWT(jwtSecret)).Get("/v1/users/search", usersH.Search)
+	r.With(requireJWT(jwtSecret, queries)).Get("/v1/users/search", usersH.Search)
 
 	// Capsule lifecycle: accepts API key or JWT bearer token.
 	r.Route("/v1/capsules", func(r chi.Router) {
@@ -169,7 +170,7 @@ func New(
 
 		// JWT-authenticated: host CRUD and tags.
 		r.Group(func(r chi.Router) {
-			r.Use(requireJWT(jwtSecret))
+			r.Use(requireJWT(jwtSecret, queries))
 			r.Post("/", hostH.Create)
 			r.Get("/", hostH.List)
 			r.Route("/{id}", func(r chi.Router) {
@@ -186,7 +187,7 @@ func New(
 
 	// JWT-authenticated: notification channels.
 	r.Route("/v1/channels", func(r chi.Router) {
-		r.Use(requireJWT(jwtSecret))
+		r.Use(requireJWT(jwtSecret, queries))
 		r.Post("/", channelH.Create)
 		r.Get("/", channelH.List)
 		r.Post("/test", channelH.Test)
@@ -199,15 +200,17 @@ func New(
 	})
 
 	// JWT-authenticated: audit log.
-	r.With(requireJWT(jwtSecret)).Get("/v1/audit-logs", auditH.List)
+	r.With(requireJWT(jwtSecret, queries)).Get("/v1/audit-logs", auditH.List)
 
 	// Platform admin routes — require JWT + DB-validated admin status.
 	r.Route("/v1/admin", func(r chi.Router) {
-		r.Use(requireJWT(jwtSecret))
+		r.Use(requireJWT(jwtSecret, queries))
 		r.Use(requireAdmin(queries))
 		r.Get("/teams", teamH.AdminListTeams)
 		r.Put("/teams/{id}/byoc", teamH.SetBYOC)
 		r.Delete("/teams/{id}", teamH.AdminDeleteTeam)
+		r.Get("/users", usersH.AdminListUsers)
+		r.Put("/users/{id}/active", usersH.SetUserActive)
 		r.Get("/templates", buildH.ListTemplates)
 		r.Delete("/templates/{name}", buildH.DeleteTemplate)
 		r.Post("/builds", buildH.Create)
diff --git a/internal/db/models.go b/internal/db/models.go
index 45c00da..82829b7 100644
--- a/internal/db/models.go
+++ b/internal/db/models.go
@@ -197,6 +197,8 @@ type User struct {
 	IsAdmin      bool               `json:"is_admin"`
 	CreatedAt    pgtype.Timestamptz `json:"created_at"`
 	UpdatedAt    pgtype.Timestamptz `json:"updated_at"`
+	IsActive     bool               `json:"is_active"`
+	DeletedAt    pgtype.Timestamptz `json:"deleted_at"`
 }
 
 type UsersTeam struct {
diff --git a/internal/db/users.sql.go b/internal/db/users.sql.go
index 9be8fdd..73ebe52 100644
--- a/internal/db/users.sql.go
+++ b/internal/db/users.sql.go
@@ -22,6 +22,19 @@ func (q *Queries) CountUsers(ctx context.Context) (int64, error) {
 	return count, err
 }
 
+const countUsersAdmin = `-- name: CountUsersAdmin :one
+SELECT COUNT(*)::int AS total
+FROM users
+WHERE deleted_at IS NULL
+`
+
+func (q *Queries) CountUsersAdmin(ctx context.Context) (int32, error) {
+	row := q.db.QueryRow(ctx, countUsersAdmin)
+	var total int32
+	err := row.Scan(&total)
+	return total, err
+}
+
 const deleteAdminPermission = `-- name: DeleteAdminPermission :exec
 DELETE FROM admin_permissions WHERE user_id = $1 AND permission = $2
 `
@@ -66,7 +79,7 @@ func (q *Queries) GetAdminPermissions(ctx context.Context, userID pgtype.UUID) (
 }
 
 const getAdminUsers = `-- name: GetAdminUsers :many
-SELECT id, email, password_hash, name, is_admin, created_at, updated_at FROM users WHERE is_admin = TRUE ORDER BY created_at
+SELECT id, email, password_hash, name, is_admin, created_at, updated_at, is_active, deleted_at FROM users WHERE is_admin = TRUE ORDER BY created_at
 `
 
 func (q *Queries) GetAdminUsers(ctx context.Context) ([]User, error) {
@@ -86,6 +99,8 @@ func (q *Queries) GetAdminUsers(ctx context.Context) ([]User, error) {
 			&i.IsAdmin,
 			&i.CreatedAt,
 			&i.UpdatedAt,
+			&i.IsActive,
+			&i.DeletedAt,
 		); err != nil {
 			return nil, err
 		}
@@ -98,7 +113,7 @@ func (q *Queries) GetAdminUsers(ctx context.Context) ([]User, error) {
 }
 
 const getUserByEmail = `-- name: GetUserByEmail :one
-SELECT id, email, password_hash, name, is_admin, created_at, updated_at FROM users WHERE email = $1
+SELECT id, email, password_hash, name, is_admin, created_at, updated_at, is_active, deleted_at FROM users WHERE email = $1
 `
 
 func (q *Queries) GetUserByEmail(ctx context.Context, email string) (User, error) {
@@ -112,12 +127,14 @@ func (q *Queries) GetUserByEmail(ctx context.Context, email string) (User, error
 		&i.IsAdmin,
 		&i.CreatedAt,
 		&i.UpdatedAt,
+		&i.IsActive,
+		&i.DeletedAt,
 	)
 	return i, err
 }
 
 const getUserByID = `-- name: GetUserByID :one
-SELECT id, email, password_hash, name, is_admin, created_at, updated_at FROM users WHERE id = $1
+SELECT id, email, password_hash, name, is_admin, created_at, updated_at, is_active, deleted_at FROM users WHERE id = $1
 `
 
 func (q *Queries) GetUserByID(ctx context.Context, id pgtype.UUID) (User, error) {
@@ -131,6 +148,8 @@ func (q *Queries) GetUserByID(ctx context.Context, id pgtype.UUID) (User, error)
 		&i.IsAdmin,
 		&i.CreatedAt,
 		&i.UpdatedAt,
+		&i.IsActive,
+		&i.DeletedAt,
 	)
 	return i, err
 }
@@ -172,7 +191,7 @@ func (q *Queries) InsertAdminPermission(ctx context.Context, arg InsertAdminPerm
 const insertUser = `-- name: InsertUser :one
 INSERT INTO users (id, email, password_hash, name)
 VALUES ($1, $2, $3, $4)
-RETURNING id, email, password_hash, name, is_admin, created_at, updated_at
+RETURNING id, email, password_hash, name, is_admin, created_at, updated_at, is_active, deleted_at
 `
 
 type InsertUserParams struct {
@@ -198,6 +217,8 @@ func (q *Queries) InsertUser(ctx context.Context, arg InsertUserParams) (User, e
 		&i.IsAdmin,
 		&i.CreatedAt,
 		&i.UpdatedAt,
+		&i.IsActive,
+		&i.DeletedAt,
 	)
 	return i, err
 }
@@ -205,7 +226,7 @@ func (q *Queries) InsertUser(ctx context.Context, arg InsertUserParams) (User, e
 const insertUserOAuth = `-- name: InsertUserOAuth :one
 INSERT INTO users (id, email, name)
 VALUES ($1, $2, $3)
-RETURNING id, email, password_hash, name, is_admin, created_at, updated_at
+RETURNING id, email, password_hash, name, is_admin, created_at, updated_at, is_active, deleted_at
 `
 
 type InsertUserOAuthParams struct {
@@ -225,10 +246,73 @@ func (q *Queries) InsertUserOAuth(ctx context.Context, arg InsertUserOAuthParams
 		&i.IsAdmin,
 		&i.CreatedAt,
 		&i.UpdatedAt,
+		&i.IsActive,
+		&i.DeletedAt,
 	)
 	return i, err
 }
 
+const listUsersAdmin = `-- name: ListUsersAdmin :many
+SELECT
+    u.id,
+    u.email,
+    u.name,
+    u.is_admin,
+    u.is_active,
+    u.created_at,
+    (SELECT COUNT(*) FROM users_teams ut WHERE ut.user_id = u.id)::int AS teams_joined,
+    (SELECT COUNT(*) FROM users_teams ut WHERE ut.user_id = u.id AND ut.role = 'owner')::int AS teams_owned
+FROM users u
+WHERE u.deleted_at IS NULL
+ORDER BY u.created_at DESC
+LIMIT $1 OFFSET $2
+`
+
+type ListUsersAdminParams struct {
+	Limit  int32 `json:"limit"`
+	Offset int32 `json:"offset"`
+}
+
+type ListUsersAdminRow struct {
+	ID          pgtype.UUID        `json:"id"`
+	Email       string             `json:"email"`
+	Name        string             `json:"name"`
+	IsAdmin     bool               `json:"is_admin"`
+	IsActive    bool               `json:"is_active"`
+	CreatedAt   pgtype.Timestamptz `json:"created_at"`
+	TeamsJoined int32              `json:"teams_joined"`
+	TeamsOwned  int32              `json:"teams_owned"`
+}
+
+func (q *Queries) ListUsersAdmin(ctx context.Context, arg ListUsersAdminParams) ([]ListUsersAdminRow, error) {
+	rows, err := q.db.Query(ctx, listUsersAdmin, arg.Limit, arg.Offset)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []ListUsersAdminRow
+	for rows.Next() {
+		var i ListUsersAdminRow
+		if err := rows.Scan(
+			&i.ID,
+			&i.Email,
+			&i.Name,
+			&i.IsAdmin,
+			&i.IsActive,
+			&i.CreatedAt,
+			&i.TeamsJoined,
+			&i.TeamsOwned,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
 const searchUsersByEmailPrefix = `-- name: SearchUsersByEmailPrefix :many
 SELECT id, email FROM users WHERE email LIKE $1 || '%' ORDER BY email LIMIT 10
 `
@@ -258,6 +342,20 @@ func (q *Queries) SearchUsersByEmailPrefix(ctx context.Context, dollar_1 pgtype.
 	return items, nil
 }
 
+const setUserActive = `-- name: SetUserActive :exec
+UPDATE users SET is_active = $2, updated_at = NOW() WHERE id = $1
+`
+
+type SetUserActiveParams struct {
+	ID       pgtype.UUID `json:"id"`
+	IsActive bool        `json:"is_active"`
+}
+
+func (q *Queries) SetUserActive(ctx context.Context, arg SetUserActiveParams) error {
+	_, err := q.db.Exec(ctx, setUserActive, arg.ID, arg.IsActive)
+	return err
+}
+
 const setUserAdmin = `-- name: SetUserAdmin :exec
 UPDATE users SET is_admin = $2, updated_at = NOW() WHERE id = $1
 `
diff --git a/internal/service/user.go b/internal/service/user.go
new file mode 100644
index 0000000..2b90c61
--- /dev/null
+++ b/internal/service/user.go
@@ -0,0 +1,70 @@
+package service
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/jackc/pgx/v5/pgtype"
+
+	"git.omukk.dev/wrenn/wrenn/internal/db"
+)
+
+// UserService provides user management operations.
+type UserService struct {
+	DB *db.Queries
+}
+
+// AdminUserRow is the shape returned by AdminListUsers.
+type AdminUserRow struct {
+	ID          pgtype.UUID
+	Email       string
+	Name        string
+	IsAdmin     bool
+	IsActive    bool
+	CreatedAt   time.Time
+	TeamsJoined int32
+	TeamsOwned  int32
+}
+
+// AdminListUsers returns a paginated list of all non-deleted users with team counts.
+func (s *UserService) AdminListUsers(ctx context.Context, limit, offset int32) ([]AdminUserRow, int32, error) {
+	users, err := s.DB.ListUsersAdmin(ctx, db.ListUsersAdminParams{
+		Limit:  limit,
+		Offset: offset,
+	})
+	if err != nil {
+		return nil, 0, fmt.Errorf("list users: %w", err)
+	}
+
+	total, err := s.DB.CountUsersAdmin(ctx)
+	if err != nil {
+		return nil, 0, fmt.Errorf("count users: %w", err)
+	}
+
+	rows := make([]AdminUserRow, len(users))
+	for i, u := range users {
+		rows[i] = AdminUserRow{
+			ID:          u.ID,
+			Email:       u.Email,
+			Name:        u.Name,
+			IsAdmin:     u.IsAdmin,
+			IsActive:    u.IsActive,
+			CreatedAt:   u.CreatedAt.Time,
+			TeamsJoined: u.TeamsJoined,
+			TeamsOwned:  u.TeamsOwned,
+		}
+	}
+	return rows, total, nil
+}
+
+// SetUserActive enables or disables a user account.
+func (s *UserService) SetUserActive(ctx context.Context, userID pgtype.UUID, active bool) error {
+	if err := s.DB.SetUserActive(ctx, db.SetUserActiveParams{
+		ID:       userID,
+		IsActive: active,
+	}); err != nil {
+		return fmt.Errorf("set user active: %w", err)
+	}
+	return nil
+}