From b97937f080e07f2415d08269103877592b877306 Mon Sep 17 00:00:00 2001
From: James Bhattarai <jamesbhattarai14@gmail.com>
Date: Mon, 2 Mar 2026 23:55:47 +0545
Subject: [PATCH] Feat(Fix): Multi Org, Suspension, User Detail

Multi Org switch, members suspend/unsuspend status, delete account, next serial, show email in user member search
---
 src/App.tsx                              |   15 +-
 src/components/navigation/AppSidebar.tsx |    1 -
 src/components/navigation/TopBar.tsx     |   20 +-
 src/contexts/OrgContext.tsx              |   76 ++
 src/hooks/useCurrentOrganization.ts      |   17 +-
 src/lib/api.ts                           |   28 +
 src/pages/admin/AdminUsersPage.tsx       |  113 +-
 src/pages/auth/OIDCLoginPage.tsx         |  455 ++++++++
 src/pages/org/CAsPage.tsx                |    6 +-
 src/pages/org/CompliancePage.tsx         |   15 +-
 src/pages/org/DepartmentsPage.tsx        |   17 +-
 src/pages/org/MembersPage.tsx            | 1202 ++++++++++++++++++----
 src/pages/org/OIDCClientsPage.tsx        |   16 +-
 src/pages/org/OrgOverviewPage.tsx        |  182 +++-
 src/pages/org/PoliciesPage.tsx           |   17 +-
 src/pages/user/ProfilePage.tsx           |  129 ++-
 16 files changed, 2011 insertions(+), 298 deletions(-)
 create mode 100644 src/contexts/OrgContext.tsx
 create mode 100644 src/pages/auth/OIDCLoginPage.tsx

diff --git a/src/App.tsx b/src/App.tsx
index d2e33ff..0596091 100644
--- a/src/App.tsx
+++ b/src/App.tsx
@@ -18,6 +18,7 @@ import ResetPasswordPage from "@/pages/auth/ResetPasswordPage";
 import InviteAcceptPage from "@/pages/auth/InviteAcceptPage";
 import OIDCConsentPage from "@/pages/auth/OIDCConsentPage";
 import OIDCErrorPage from "@/pages/auth/OIDCErrorPage";
+import OIDCLoginPage from "@/pages/auth/OIDCLoginPage";
 import OAuthCallbackPage from "@/pages/auth/OAuthCallbackPage";
 import ActivatePage from "@/pages/auth/ActivatePage";
 
@@ -40,7 +41,6 @@ import DepartmentsPage from "@/pages/org/DepartmentsPage";
 import PrincipalsPage from "@/pages/org/PrincipalsPage";
 import MyMembershipsPage from "@/pages/org/MyMembershipsPage";
 import SystemAuditPage from "@/pages/admin/SystemAuditPage";
-import AdminUsersPage from "@/pages/admin/AdminUsersPage";
 import OAuthProvidersPage from "@/pages/admin/OAuthProvidersPage";
 import OrgSetupPage from "@/pages/auth/OrgSetupPage";
 
@@ -76,17 +76,19 @@ const App = () => (
 
 // Separate component so AuthProvider can use useNavigate
 import { AuthProvider, useAuth } from "@/contexts/AuthContext";
+import { OrgProvider } from "@/contexts/OrgContext";
 import { Navigate } from "react-router-dom";
 
 /** Redirects already-authenticated users away from guest-only pages (e.g. /login). */
 function GuestRoute({ children }: { children: React.ReactNode }) {
   const { isAuthenticated, isOrgMember, isLoading } = useAuth();
-  // Allow authenticated users through to /login when it's a CLI auth request —
-  // LoginPage will immediately forward the existing token to the CLI callback.
+  // Allow authenticated users through to /login when it's a CLI auth request or
+  // an OIDC session — LoginPage will immediately forward the existing token.
   const params = new URLSearchParams(window.location.search);
   const isCli = params.has('cli_token') || params.has('cli_redirect');
+  const isOidcBridge = params.has('oidc_session_id');
   if (isLoading) return null; // wait for auth state to resolve
-  if (isAuthenticated && !isCli) {
+  if (isAuthenticated && !isCli && !isOidcBridge) {
     // If the user hasn't set up an org yet, send them there first
     return <Navigate to={isOrgMember ? "/profile" : "/org-setup"} replace />;
   }
@@ -123,6 +125,7 @@ function RequireAuth({ children }: { children: React.ReactNode }) {
 function AppRoutes() {
   return (
     <AuthProvider>
+      <OrgProvider>
       <Routes>
         {/* Index redirect */}
         <Route path="/" element={<Index />} />
@@ -136,6 +139,7 @@ function AppRoutes() {
           <Route path="/reset-password" element={<ResetPasswordPage />} />
           <Route path="/invite" element={<InviteAcceptPage />} />
           <Route path="/consent" element={<OIDCConsentPage />} />
+          <Route path="/oidc-login" element={<OIDCLoginPage />} />
           <Route path="/error" element={<OIDCErrorPage />} />
           <Route path="/oauth/callback" element={<OAuthCallbackPage />} />
           <Route path="/activate" element={<ActivatePage />} />
@@ -169,7 +173,7 @@ function AppRoutes() {
 
           {/* Admin routes — org admin/owner only */}
           <Route path="/admin/audit" element={<RequireAdmin><SystemAuditPage /></RequireAdmin>} />
-          <Route path="/admin/users" element={<RequireAdmin><AdminUsersPage /></RequireAdmin>} />
+          <Route path="/admin/users" element={<Navigate to="/org/members" replace />} />
           <Route path="/admin/oauth" element={<RequireAdmin><OAuthProvidersPage /></RequireAdmin>} />
         </Route>
 
@@ -179,6 +183,7 @@ function AppRoutes() {
 
       {/* Dev tools - only shown in development */}
       <ApiDevTools />
+      </OrgProvider>
     </AuthProvider>
   );
 }
diff --git a/src/components/navigation/AppSidebar.tsx b/src/components/navigation/AppSidebar.tsx
index d96fa98..0ba10a0 100644
--- a/src/components/navigation/AppSidebar.tsx
+++ b/src/components/navigation/AppSidebar.tsx
@@ -56,7 +56,6 @@ const orgAdminNavItems = [
 ];
 
 const adminNavItems = [
-  { title: "Users", url: "/admin/users", icon: Users },
   { title: "Certificate Auth.", url: "/org/cas", icon: ShieldCheck },
   { title: "Org Audit Log", url: "/org/audit", icon: FileText },
   { title: "System Logs",  url: "/admin/audit", icon: ScrollText },
diff --git a/src/components/navigation/TopBar.tsx b/src/components/navigation/TopBar.tsx
index c48941a..a92393c 100644
--- a/src/components/navigation/TopBar.tsx
+++ b/src/components/navigation/TopBar.tsx
@@ -1,4 +1,3 @@
-import { useState, useEffect } from "react";
 import { useNavigate } from "react-router-dom";
 import { Menu, ChevronDown, LogOut, User, Shield, Building2, Loader2 } from "lucide-react";
 import { Button } from "@/components/ui/button";
@@ -13,28 +12,21 @@ import {
 } from "@/components/ui/dropdown-menu";
 import { Avatar, AvatarFallback, AvatarImage } from "@/components/ui/avatar";
 import { useAuth } from "@/contexts/AuthContext";
-import { Organization } from "@/lib/api";
+import { useOrg } from "@/contexts/OrgContext";
 import { useOrganizations } from "@/hooks/useOrganizations";
 import { ComplianceBanner } from "@/components/auth/ComplianceBanner";
 
 export function TopBar() {
   const navigate = useNavigate();
-  const { user, isAuthenticated, mfaCompliance, logout } = useAuth();
-  const [currentOrg, setCurrentOrg] = useState<Organization | null>(null);
-  
+  const { user, mfaCompliance, logout } = useAuth();
+  const { selectedOrg, selectOrg } = useOrg();
+
   // Use React Query hook for organizations with automatic caching and deduplication
   const { data: organizations = [], isLoading: orgsLoading } = useOrganizations();
 
   // Ensure organizations is always an array (defensive check)
   const organizationsArray = Array.isArray(organizations) ? organizations : [];
 
-  // Set initial currentOrg when organizations are loaded
-  useEffect(() => {
-    if (organizationsArray.length > 0 && !currentOrg) {
-      setCurrentOrg(organizationsArray[0]);
-    }
-  }, [organizationsArray, currentOrg]);
-
   const handleLogout = async () => {
     await logout();
   };
@@ -64,7 +56,7 @@ export function TopBar() {
                   <Building2 className="w-3.5 h-3.5 text-primary" />
                 </div>
                 <span className="text-sm font-medium hidden sm:inline">
-                  {orgsLoading ? "Loading..." : (currentOrg?.name || "No Organization")}
+                  {orgsLoading ? "Loading..." : (selectedOrg?.name || "No Organization")}
                 </span>
                 <ChevronDown className="w-4 h-4 text-muted-foreground" />
               </Button>
@@ -86,7 +78,7 @@ export function TopBar() {
                 organizationsArray.map((org) => (
                   <DropdownMenuItem
                     key={org.id}
-                    onClick={() => setCurrentOrg(org)}
+                    onClick={() => selectOrg(org)}
                     className="flex items-center justify-between"
                   >
                     <div className="flex items-center gap-2">
diff --git a/src/contexts/OrgContext.tsx b/src/contexts/OrgContext.tsx
new file mode 100644
index 0000000..3dd3479
--- /dev/null
+++ b/src/contexts/OrgContext.tsx
@@ -0,0 +1,76 @@
+import {
+  createContext,
+  useContext,
+  useState,
+  useEffect,
+  useCallback,
+  ReactNode,
+} from "react";
+import { useQueryClient } from "@tanstack/react-query";
+import { Organization } from "@/lib/api";
+import { useOrganizations } from "@/hooks/useOrganizations";
+import { useAuth } from "@/contexts/AuthContext";
+
+interface OrgContextType {
+  /** The currently selected organisation (null while loading or no memberships). */
+  selectedOrg: Organization | null;
+  /** Programmatically switch the active organisation and invalidate all org-scoped queries. */
+  selectOrg: (org: Organization) => void;
+  /** Convenience accessor for the selected org's ID. */
+  selectedOrgId: string | null;
+}
+
+const OrgContext = createContext<OrgContextType | null>(null);
+
+export function OrgProvider({ children }: { children: ReactNode }) {
+  const { isAuthenticated } = useAuth();
+  const { data: organizations = [] } = useOrganizations();
+  const queryClient = useQueryClient();
+  const [selectedOrg, setSelectedOrg] = useState<Organization | null>(null);
+
+  // Auto-select the first org once the list arrives (or when the list changes
+  // and the previously selected org is no longer present, e.g. after deletion).
+  useEffect(() => {
+    if (!isAuthenticated) {
+      setSelectedOrg(null);
+      return;
+    }
+    if (organizations.length === 0) return;
+
+    setSelectedOrg((prev) => {
+      // Keep the current selection if it still exists in the updated list.
+      if (prev && organizations.some((o) => o.id === prev.id)) {
+        // Refresh the object in case name/role changed.
+        return organizations.find((o) => o.id === prev.id) ?? prev;
+      }
+      return organizations[0];
+    });
+  }, [organizations, isAuthenticated]);
+
+  const selectOrg = useCallback(
+    (org: Organization) => {
+      setSelectedOrg(org);
+      // Invalidate all organisation-scoped React Query caches so every page
+      // immediately re-fetches data for the newly selected org.
+      queryClient.invalidateQueries({ queryKey: ["organizations"] });
+      // Invalidate any queries keyed by the previous org id.  The broadest
+      // approach is to remove all non-organisations queries so pages reload.
+      queryClient.invalidateQueries();
+    },
+    [queryClient],
+  );
+
+  return (
+    <OrgContext.Provider
+      value={{ selectedOrg, selectOrg, selectedOrgId: selectedOrg?.id ?? null }}
+    >
+      {children}
+    </OrgContext.Provider>
+  );
+}
+
+export function useOrg(): OrgContextType {
+  const ctx = useContext(OrgContext);
+  if (!ctx) throw new Error("useOrg must be used inside <OrgProvider>");
+  return ctx;
+}
diff --git a/src/hooks/useCurrentOrganization.ts b/src/hooks/useCurrentOrganization.ts
index 3cec019..1851a14 100644
--- a/src/hooks/useCurrentOrganization.ts
+++ b/src/hooks/useCurrentOrganization.ts
@@ -1,28 +1,31 @@
 import { useParams } from "react-router-dom";
 import { useOrganizations } from "@/hooks/useOrganizations";
+import { useOrg } from "@/contexts/OrgContext";
 
 /**
- * Custom hook to get the current organization from URL params or first available org.
- * This helps with backward compatibility if routes don't include orgId.
+ * Custom hook to get the current organization from URL params, or the
+ * globally-selected org from OrgContext (set via the TopBar org switcher).
  */
 export function useCurrentOrganization() {
   const params = useParams<{ orgId?: string }>();
   const { data: organizations = [], isLoading } = useOrganizations();
+  const { selectedOrg } = useOrg();
 
-  // If orgId is in params, use that
+  // If orgId is in the URL params, use that specific org.
   if (params.orgId) {
     return {
-      org: organizations.find((org) => org.id === params.orgId) || organizations[0] || null,
+      org: organizations.find((org) => org.id === params.orgId) ?? organizations[0] ?? null,
       isLoading,
     };
   }
 
-  // Otherwise, return the first organization (default)
-  return { org: organizations[0] || null, isLoading };
+  // Otherwise use the org selected via the TopBar switcher (falls back to
+  // organizations[0] when OrgContext hasn't initialised yet).
+  return { org: selectedOrg ?? organizations[0] ?? null, isLoading };
 }
 
 /**
- * Get the organization ID from URL params or first available org.
+ * Get the organization ID from URL params or the globally-selected org.
  * Also returns isLoading so callers can distinguish "no org" from "still loading".
  */
 export function useCurrentOrganizationId(): { orgId: string | null; isLoading: boolean } {
diff --git a/src/lib/api.ts b/src/lib/api.ts
index ee725e0..08a2c8d 100644
--- a/src/lib/api.ts
+++ b/src/lib/api.ts
@@ -455,6 +455,10 @@ export const api = {
         body: JSON.stringify(data),
       }),
 
+    // Delete the current user's own account (soft delete)
+    deleteMe: (requestConfig?: RequestConfig) =>
+      request<{ message: string }>('/users/me', { method: 'DELETE' }, true, requestConfig),
+
     organizations: (requestConfig?: RequestConfig) =>
       request<OrganizationsResponse>('/users/me/organizations', {}, true, requestConfig),
 
@@ -548,6 +552,15 @@ export const api = {
     unsuspendUser: (userId: string, requestConfig?: RequestConfig) =>
       request<{ user: User }>(`/admin/users/${userId}/unsuspend`, { method: 'POST' }, true, requestConfig),
 
+    // Permanently delete a user — revokes certs, cascades DB delete, unrecoverable
+    hardDeleteUser: (userId: string, requestConfig?: RequestConfig) =>
+      request<{ deleted_user_id: string; deleted_user_email: string; ssh_keys_deleted: number; certs_revoked: number }>(
+        `/admin/users/${userId}/delete`,
+        { method: 'POST', body: JSON.stringify({ confirm: true }) },
+        true,
+        requestConfig,
+      ),
+
     // Get the cert policy for a department
     getDeptCertPolicy: (orgId: string, deptId: string, requestConfig?: RequestConfig) =>
       request<{ cert_policy: DeptCertPolicy }>(`/organizations/${orgId}/departments/${deptId}/cert-policy`, {}, true, requestConfig),
@@ -801,6 +814,10 @@ export const api = {
     getById: (orgId: string, requestConfig?: RequestConfig) =>
       request<{ organization: Organization; member_count: number }>(`/organizations/${orgId}`, {}, true, requestConfig),
 
+    // Delete an organization (owner only; must have no other members)
+    deleteOrganization: (orgId: string, requestConfig?: RequestConfig) =>
+      request<{ message: string }>(`/organizations/${orgId}`, { method: 'DELETE' }, true, requestConfig),
+
     // Get organization members
     getMembers: (orgId: string, requestConfig?: RequestConfig) =>
       request<{ members: OrganizationMember[]; count: number }>(`/organizations/${orgId}/members`, {}, true, requestConfig),
@@ -976,6 +993,15 @@ export const api = {
         method: 'POST',
       }, true, requestConfig),
 
+    // Transfer organization ownership to another member
+    transferOwnership: (orgId: string, newOwnerUserId: string, requestConfig?: RequestConfig) =>
+      request<{ previous_owner: OrganizationMember; new_owner: OrganizationMember }>(
+        `/organizations/${orgId}/transfer-ownership`,
+        { method: 'POST', body: JSON.stringify({ new_owner_user_id: newOwnerUserId }) },
+        true,
+        requestConfig,
+      ),
+
     // List Certificate Authorities for an org
     getCAs: (orgId: string, requestConfig?: RequestConfig) =>
       request<{ cas: OrgCA[]; count: number }>(`/organizations/${orgId}/cas`, {}, true, requestConfig),
@@ -1364,6 +1390,8 @@ export interface OrgCA {
   total_certs: number;
   active_certs: number;
   revoked_certs: number;
+  /** Next serial number that will be assigned when a certificate is issued. */
+  next_serial_number: number | null;
   created_at: string | null;
   updated_at: string | null;
   /** Set when the key was last rotated. */
diff --git a/src/pages/admin/AdminUsersPage.tsx b/src/pages/admin/AdminUsersPage.tsx
index 3589da5..8a80188 100644
--- a/src/pages/admin/AdminUsersPage.tsx
+++ b/src/pages/admin/AdminUsersPage.tsx
@@ -13,6 +13,7 @@ import {
   Ban,
   UserCheck,
   AlertTriangle,
+  Trash2,
 } from "lucide-react";
 import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
@@ -123,6 +124,11 @@ export default function AdminUsersPage() {
   const [isSuspending, setIsSuspending] = useState(false);
   const [showSuspendConfirm, setShowSuspendConfirm] = useState(false);
 
+  // Hard delete
+  const [showHardDelete, setShowHardDelete] = useState(false);
+  const [hardDeleteConfirmEmail, setHardDeleteConfirmEmail] = useState("");
+  const [isHardDeleting, setIsHardDeleting] = useState(false);
+
   // ── Fetch users ─────────────────────────────────────────────────────────────
   const fetchUsers = useCallback(async (q: string, pg: number) => {
     setIsLoading(true);
@@ -233,7 +239,16 @@ export default function AdminUsersPage() {
       setShowSuspendConfirm(false);
       toast({ title: "User suspended", description: `${selectedUser.full_name || selectedUser.email} has been suspended.` });
     } catch (err) {
-      toast({ variant: "destructive", title: "Failed to suspend user", description: err instanceof ApiError ? err.message : "Something went wrong" });
+      setShowSuspendConfirm(false);
+      if (err instanceof ApiError && err.type === "OWNER_PROTECTION") {
+        toast({
+          variant: "destructive",
+          title: "Cannot suspend organization owner",
+          description: "Transfer ownership to another member before suspending this account.",
+        });
+      } else {
+        toast({ variant: "destructive", title: "Failed to suspend user", description: err instanceof ApiError ? err.message : "Something went wrong" });
+      }
     } finally {
       setIsSuspending(false);
     }
@@ -255,6 +270,31 @@ export default function AdminUsersPage() {
     }
   };
 
+  // ── Hard delete user ─────────────────────────────────────────────────────────
+  const handleHardDelete = async () => {
+    if (!selectedUser) return;
+    setIsHardDeleting(true);
+    try {
+      const result = await api.admin.hardDeleteUser(selectedUser.id);
+      setUsers((prev) => prev.filter((u) => u.id !== selectedUser.id));
+      setTotal((t) => t - 1);
+      setShowHardDelete(false);
+      setSelectedUser(null);
+      toast({
+        title: "User permanently deleted",
+        description: `${result.deleted_user_email} — ${result.certs_revoked} cert(s) revoked, ${result.ssh_keys_deleted} key(s) deleted.`,
+      });
+    } catch (err) {
+      toast({
+        variant: "destructive",
+        title: "Failed to delete user",
+        description: err instanceof ApiError ? err.message : "Something went wrong",
+      });
+    } finally {
+      setIsHardDeleting(false);
+    }
+  };
+
   // Filter by role client-side
   const filteredUsers = users.filter((u) => {
     if (roleFilter === "all") return true;
@@ -540,6 +580,28 @@ export default function AdminUsersPage() {
                   </div>
                 )}
               </div>
+
+              {/* Danger zone — Hard delete */}
+              {selectedUser.id !== currentUser?.id && (
+                <div className="mt-6 p-4 border border-destructive/30 rounded-lg space-y-3">
+                  <h3 className="text-sm font-semibold flex items-center gap-2 text-destructive">
+                    <Trash2 className="w-4 h-4" />
+                    Danger Zone
+                  </h3>
+                  <p className="text-sm text-muted-foreground">
+                    Permanently delete this account. This cannot be undone — all SSH keys and certificates will be revoked immediately.
+                  </p>
+                  <Button
+                    size="sm"
+                    variant="outline"
+                    onClick={() => { setHardDeleteConfirmEmail(""); setShowHardDelete(true); }}
+                    className="text-destructive border-destructive/40 hover:bg-destructive/10"
+                  >
+                    <Trash2 className="w-4 h-4 mr-2" />
+                    Permanently delete account
+                  </Button>
+                </div>
+              )}
             </>
           )}
         </SheetContent>
@@ -617,6 +679,55 @@ export default function AdminUsersPage() {
           </DialogFooter>
         </DialogContent>
       </Dialog>
+
+      {/* ── Hard delete confirmation ──────────────────────────────────────────── */}
+      <Dialog
+        open={showHardDelete}
+        onOpenChange={(open) => { setShowHardDelete(open); if (!open) setHardDeleteConfirmEmail(""); }}
+      >
+        <DialogContent className="sm:max-w-md">
+          <DialogHeader>
+            <DialogTitle className="flex items-center gap-2 text-destructive">
+              <Trash2 className="w-5 h-5" />
+              Permanently delete account?
+            </DialogTitle>
+            <DialogDescription>
+              This will <strong>permanently</strong> delete{" "}
+              <strong>{selectedUser?.full_name || selectedUser?.email}</strong>,
+              revoke all their SSH certificates, and remove all their SSH keys. This action cannot be undone.
+            </DialogDescription>
+          </DialogHeader>
+          <div className="py-2 space-y-2">
+            <Label className="text-sm">
+              Type <span className="font-mono font-semibold">{selectedUser?.email}</span> to confirm
+            </Label>
+            <Input
+              value={hardDeleteConfirmEmail}
+              onChange={(e) => setHardDeleteConfirmEmail(e.target.value)}
+              placeholder={selectedUser?.email ?? ""}
+              disabled={isHardDeleting}
+              className="font-mono"
+            />
+          </div>
+          <DialogFooter>
+            <Button
+              variant="outline"
+              onClick={() => setShowHardDelete(false)}
+              disabled={isHardDeleting}
+            >
+              Cancel
+            </Button>
+            <Button
+              variant="destructive"
+              onClick={handleHardDelete}
+              disabled={isHardDeleting || hardDeleteConfirmEmail !== selectedUser?.email}
+            >
+              {isHardDeleting && <Loader2 className="w-4 h-4 mr-2 animate-spin" />}
+              Delete permanently
+            </Button>
+          </DialogFooter>
+        </DialogContent>
+      </Dialog>
     </div>
   );
 }
diff --git a/src/pages/auth/OIDCLoginPage.tsx b/src/pages/auth/OIDCLoginPage.tsx
new file mode 100644
index 0000000..4f8434c
--- /dev/null
+++ b/src/pages/auth/OIDCLoginPage.tsx
@@ -0,0 +1,455 @@
+/**
+ * OIDCLoginPage — Standalone OIDC proxy login UI
+ *
+ * Unified entry point for OIDC authorization flows via the Gatehouse OIDC bridge.
+ * Handles:
+ *   1. Unauthenticated users → shows an email/password login form
+ *   2. Already-authenticated users → shows a consent/approval screen directly
+ *
+ * Route: /oidc-login?oidc_session_id=<id>
+ *
+ * Configure your oauth2-proxy / OIDC client's login_url to:
+ *   https://<gatehouse-ui>/oidc-login
+ */
+import { useState, useEffect, useCallback } from "react";
+import { useSearchParams, useNavigate } from "react-router-dom";
+import {
+  Shield,
+  Mail,
+  Lock,
+  ArrowRight,
+  Loader2,
+  XCircle,
+  CheckCircle,
+  AlertTriangle,
+  User,
+  Building2,
+  Key,
+  LogOut,
+} from "lucide-react";
+import { Button } from "@/components/ui/button";
+import { Input } from "@/components/ui/input";
+import { Label } from "@/components/ui/label";
+import { Card } from "@/components/ui/card";
+import { Separator } from "@/components/ui/separator";
+import { Badge } from "@/components/ui/badge";
+import { useAuth } from "@/contexts/AuthContext";
+import { ApiError, tokenManager } from "@/lib/api";
+
+// ── Configuration ─────────────────────────────────────────────────────────────
+const GATEHOUSE_OIDC = (import.meta.env.VITE_API_BASE_URL ?? "http://localhost:5000/api/v1")
+  .replace(/\/api\/v1\/?$/, "");
+
+// ── Scope display metadata ────────────────────────────────────────────────────
+const SCOPE_META: Record<string, { icon: typeof Shield; label: string; description: string }> = {
+  openid:         { icon: Shield,    label: "Identity",       description: "Verify your identity" },
+  profile:        { icon: User,      label: "Profile",        description: "Your name and username" },
+  email:          { icon: Mail,      label: "Email",          description: "Your email address" },
+  groups:         { icon: Building2, label: "Groups",         description: "Your organization memberships" },
+  roles:          { icon: Shield,    label: "Roles",          description: "Your roles in the organization" },
+  offline_access: { icon: Key,       label: "Offline Access", description: "Access data while you're away" },
+};
+
+// ── Types ─────────────────────────────────────────────────────────────────────
+interface OIDCContext {
+  oidc_session_id: string;
+  client_name: string;
+  scopes: string[];
+  redirect_uri: string;
+}
+
+type PageStep = "loading" | "login" | "consent" | "error";
+
+// ── API helpers ───────────────────────────────────────────────────────────────
+async function fetchOIDCContext(oidcSessionId: string): Promise<OIDCContext> {
+  const res = await fetch(`${GATEHOUSE_OIDC}/oidc/begin`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ oidc_session_id: oidcSessionId }),
+  });
+  const body = await res.json();
+  if (!res.ok || !body.success) {
+    throw new Error(body.message || "Failed to load authorization context.");
+  }
+  return body.data as OIDCContext;
+}
+
+async function completeOIDCFlow(oidcSessionId: string, token: string): Promise<string> {
+  const res = await fetch(`${GATEHOUSE_OIDC}/oidc/complete`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ oidc_session_id: oidcSessionId, token }),
+  });
+  const body = await res.json();
+  if (!res.ok || !body.success) {
+    throw new Error(body.message || "Authorization failed.");
+  }
+  return body.data.redirect_url as string;
+}
+
+// ── Main component ────────────────────────────────────────────────────────────
+export default function OIDCLoginPage() {
+  const [searchParams] = useSearchParams();
+  const navigate = useNavigate();
+  const { user, isLoading: authLoading, login, logout } = useAuth();
+
+  const oidcSessionId = searchParams.get("oidc_session_id");
+
+  const [step, setStep] = useState<PageStep>("loading");
+  const [context, setContext] = useState<OIDCContext | null>(null);
+  const [errorMsg, setErrorMsg] = useState<string | null>(null);
+  const [isCompleting, setIsCompleting] = useState(false);
+
+  // Login form state
+  const [email, setEmail] = useState("");
+  const [password, setPassword] = useState("");
+  const [isSubmitting, setIsSubmitting] = useState(false);
+  const [loginError, setLoginError] = useState<string | null>(null);
+
+  // ── Load OIDC context on mount ─────────────────────────────────────────────
+  useEffect(() => {
+    if (!oidcSessionId) {
+      setErrorMsg("Missing oidc_session_id. This page must be accessed from an OIDC authorization flow.");
+      setStep("error");
+      return;
+    }
+
+    fetchOIDCContext(oidcSessionId)
+      .then((ctx) => {
+        setContext(ctx);
+        // Determine initial step once we have context and auth state is known
+      })
+      .catch((err: Error) => {
+        setErrorMsg(err.message);
+        setStep("error");
+      });
+  // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [oidcSessionId]);
+
+  // ── Determine step once both context and auth state are ready ───────────────
+  useEffect(() => {
+    if (authLoading || !context || step !== "loading") return;
+    const token = tokenManager.getToken();
+    setStep(token ? "consent" : "login");
+  }, [authLoading, context, step]);
+
+  // ── Complete OIDC flow ──────────────────────────────────────────────────────
+  const handleComplete = useCallback(async () => {
+    if (!context) return;
+    const token = tokenManager.getToken();
+    if (!token) {
+      setStep("login");
+      return;
+    }
+    setIsCompleting(true);
+    try {
+      const redirectUrl = await completeOIDCFlow(context.oidc_session_id, token);
+      window.location.href = redirectUrl;
+    } catch (err) {
+      setErrorMsg(err instanceof Error ? err.message : "Could not complete authorization.");
+      setStep("error");
+    } finally {
+      setIsCompleting(false);
+    }
+  }, [context]);
+
+  // ── Login form submit ───────────────────────────────────────────────────────
+  const handleLoginSubmit = async (e: React.FormEvent) => {
+    e.preventDefault();
+    if (!context) return;
+    setLoginError(null);
+    setIsSubmitting(true);
+
+    try {
+      // skipNavigate=true so we control post-login navigation
+      const result = await login(email, password, false, true);
+      if (result.requiresTotp || result.requiresWebAuthn) {
+        // MFA required — hand off to main login page which already handles this
+        navigate(`/login?oidc_session_id=${context.oidc_session_id}`);
+        return;
+      }
+      // Login succeeded — move to consent step
+      setStep("consent");
+    } catch (err) {
+      const message =
+        err instanceof ApiError ? err.message
+        : err instanceof Error ? err.message
+        : "Invalid email or password.";
+      setLoginError(message);
+    } finally {
+      setIsSubmitting(false);
+    }
+  };
+
+  // ── Deny / cancel ───────────────────────────────────────────────────────────
+  const handleDeny = () => {
+    if (context?.redirect_uri) {
+      window.location.href = `${context.redirect_uri}?error=access_denied&error_description=User+denied+access`;
+    } else {
+      navigate("/");
+    }
+  };
+
+  // ── Switch account ──────────────────────────────────────────────────────────
+  const handleSwitchAccount = async () => {
+    await logout();
+    setStep("login");
+    setEmail("");
+    setPassword("");
+    setLoginError(null);
+  };
+
+  // ── Render: loading ──────────────────────────────────────────────────────────
+  if (step === "loading") {
+    return (
+      <div className="auth-card text-center">
+        <Loader2 className="w-8 h-8 text-accent animate-spin mx-auto mb-4" />
+        <p className="text-sm text-muted-foreground">Loading authorization request…</p>
+      </div>
+    );
+  }
+
+  // ── Render: error ─────────────────────────────────────────────────────────────
+  if (step === "error") {
+    return (
+      <div className="auth-card text-center space-y-4">
+        <div className="w-14 h-14 rounded-full bg-destructive/10 flex items-center justify-center mx-auto">
+          <XCircle className="w-7 h-7 text-destructive" />
+        </div>
+        <h1 className="text-lg font-semibold text-foreground">Authorization Error</h1>
+        <p className="text-sm text-muted-foreground">{errorMsg}</p>
+        {context?.redirect_uri && (
+          <Button
+            variant="outline"
+            className="w-full"
+            onClick={() => {
+              window.location.href = `${context.redirect_uri}?error=server_error&error_description=${encodeURIComponent(errorMsg ?? "Unknown error")}`;
+            }}
+          >
+            Return to application
+          </Button>
+        )}
+        <Button variant="ghost" className="w-full" onClick={() => navigate("/")}>
+          Go to dashboard
+        </Button>
+      </div>
+    );
+  }
+
+  // ── Render: login form ────────────────────────────────────────────────────────
+  if (step === "login") {
+    return (
+      <div className="auth-card space-y-6">
+        {/* Header */}
+        <div className="text-center space-y-3">
+          <div className="w-14 h-14 rounded-xl bg-primary/10 flex items-center justify-center mx-auto">
+            <Shield className="w-7 h-7 text-primary" />
+          </div>
+          <div>
+            <h1 className="text-xl font-semibold text-foreground tracking-tight">
+              Sign in to continue
+            </h1>
+            {context && (
+              <p className="text-sm text-muted-foreground mt-1">
+                <span className="font-medium text-foreground">{context.client_name}</span>
+                {" "}is requesting access to your account
+              </p>
+            )}
+          </div>
+        </div>
+
+        {/* Requested scopes preview */}
+        {context && context.scopes.length > 0 && (
+          <Card className="p-3 bg-secondary/30 border-0">
+            <p className="text-xs text-muted-foreground mb-2">This application will access:</p>
+            <div className="flex flex-wrap gap-1.5">
+              {context.scopes.map((scope) => {
+                const meta = SCOPE_META[scope];
+                return (
+                  <Badge key={scope} variant="secondary" className="text-xs gap-1">
+                    {meta?.label ?? scope}
+                  </Badge>
+                );
+              })}
+            </div>
+          </Card>
+        )}
+
+        {/* Login form */}
+        <form onSubmit={handleLoginSubmit} className="space-y-4">
+          {loginError && (
+            <div className="flex items-start gap-2 p-3 rounded-lg bg-destructive/10 border border-destructive/20">
+              <AlertTriangle className="w-4 h-4 text-destructive flex-shrink-0 mt-0.5" />
+              <p className="text-sm text-destructive">{loginError}</p>
+            </div>
+          )}
+
+          <div className="space-y-2">
+            <Label htmlFor="oidc-email">Email</Label>
+            <div className="relative">
+              <Mail className="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-muted-foreground" />
+              <Input
+                id="oidc-email"
+                type="email"
+                placeholder="you@example.com"
+                className="pl-9"
+                value={email}
+                onChange={(e) => setEmail(e.target.value)}
+                autoComplete="email"
+                autoFocus
+                required
+              />
+            </div>
+          </div>
+
+          <div className="space-y-2">
+            <Label htmlFor="oidc-password">Password</Label>
+            <div className="relative">
+              <Lock className="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-muted-foreground" />
+              <Input
+                id="oidc-password"
+                type="password"
+                placeholder="••••••••"
+                className="pl-9"
+                value={password}
+                onChange={(e) => setPassword(e.target.value)}
+                autoComplete="current-password"
+                required
+              />
+            </div>
+          </div>
+
+          <Button type="submit" className="w-full" disabled={isSubmitting}>
+            {isSubmitting ? (
+              <><Loader2 className="w-4 h-4 animate-spin mr-2" />Signing in…</>
+            ) : (
+              <><ArrowRight className="w-4 h-4 mr-2" />Sign in</>
+            )}
+          </Button>
+        </form>
+
+        <Separator />
+
+        <div className="text-center space-y-2">
+          <p className="text-xs text-muted-foreground">
+            Need an account?{" "}
+            <a href="/register" className="text-primary hover:underline">Register here</a>
+          </p>
+          <p className="text-xs text-muted-foreground">
+            Forgot your password?{" "}
+            <a href="/forgot-password" className="text-primary hover:underline">Reset it</a>
+          </p>
+        </div>
+
+        <div className="text-center">
+          <button
+            type="button"
+            onClick={handleDeny}
+            className="text-xs text-muted-foreground hover:text-foreground transition-colors"
+          >
+            Cancel and return to application
+          </button>
+        </div>
+      </div>
+    );
+  }
+
+  // ── Render: consent screen (user is authenticated) ────────────────────────────
+  if (step === "consent" && context) {
+    return (
+      <div className="auth-card space-y-6">
+        {/* Header */}
+        <div className="text-center space-y-3">
+          <div className="w-14 h-14 rounded-xl bg-primary/10 flex items-center justify-center mx-auto">
+            <Shield className="w-7 h-7 text-primary" />
+          </div>
+          <div>
+            <h1 className="text-xl font-semibold text-foreground tracking-tight">
+              Authorize {context.client_name}
+            </h1>
+            <p className="text-sm text-muted-foreground mt-1">
+              This application is requesting access to your account
+            </p>
+          </div>
+        </div>
+
+        {/* Signed-in-as banner */}
+        {user && (
+          <Card className="p-3 bg-secondary/30 border-0 flex items-center justify-between gap-3">
+            <div className="flex items-center gap-2 min-w-0">
+              <div className="w-7 h-7 rounded-full bg-primary/20 flex items-center justify-center flex-shrink-0">
+                <User className="w-4 h-4 text-primary" />
+              </div>
+              <div className="min-w-0">
+                <p className="text-sm font-medium text-foreground truncate">{user.email}</p>
+                <p className="text-xs text-muted-foreground">Signed in</p>
+              </div>
+            </div>
+            <button
+              type="button"
+              onClick={handleSwitchAccount}
+              className="text-xs text-muted-foreground hover:text-foreground flex items-center gap-1 flex-shrink-0 transition-colors"
+            >
+              <LogOut className="w-3 h-3" />
+              Switch
+            </button>
+          </Card>
+        )}
+
+        {/* Requested permissions */}
+        <Card className="p-4 bg-secondary/30 border-0">
+          <p className="text-sm font-medium text-foreground mb-3">
+            {context.client_name} is requesting:
+          </p>
+          <ul className="space-y-3">
+            {context.scopes.map((scope) => {
+              const meta = SCOPE_META[scope];
+              const Icon = meta?.icon ?? Key;
+              return (
+                <li key={scope} className="flex items-start gap-3">
+                  <div className="w-8 h-8 rounded-lg bg-card flex items-center justify-center flex-shrink-0">
+                    <Icon className="w-4 h-4 text-accent" />
+                  </div>
+                  <div>
+                    <p className="text-sm font-medium text-foreground">
+                      {meta?.label ?? scope}
+                    </p>
+                    <p className="text-xs text-muted-foreground">
+                      {meta?.description ?? scope}
+                    </p>
+                  </div>
+                </li>
+              );
+            })}
+          </ul>
+        </Card>
+
+        {/* Action buttons */}
+        <div className="space-y-2">
+          <Button
+            className="w-full"
+            onClick={handleComplete}
+            disabled={isCompleting}
+          >
+            {isCompleting ? (
+              <><Loader2 className="w-4 h-4 animate-spin mr-2" />Completing…</>
+            ) : (
+              <><CheckCircle className="w-4 h-4 mr-2" />Allow access</>
+            )}
+          </Button>
+          <Button variant="outline" className="w-full" onClick={handleDeny} disabled={isCompleting}>
+            <XCircle className="w-4 h-4 mr-2" />
+            Deny
+          </Button>
+        </div>
+
+        <p className="text-xs text-center text-muted-foreground">
+          By allowing, you agree to share the above information with{" "}
+          <span className="font-medium text-foreground">{context.client_name}</span>.
+        </p>
+      </div>
+    );
+  }
+
+  return null;
+}
diff --git a/src/pages/org/CAsPage.tsx b/src/pages/org/CAsPage.tsx
index a62f641..ddfe44f 100644
--- a/src/pages/org/CAsPage.tsx
+++ b/src/pages/org/CAsPage.tsx
@@ -128,7 +128,7 @@ function CADetailCard({ ca, onEdit, onRotate, onDelete }: CADetailCardProps) {
         <CardContent className="space-y-4">
           {/* Stats — hidden for system CAs (we have no cert records for them) */}
           {!isSystem && (
-            <div className="grid grid-cols-3 gap-3 text-center">
+            <div className="grid grid-cols-4 gap-3 text-center">
               <div className="p-2 bg-muted rounded-lg">
                 <p className="text-lg font-semibold">{ca.active_certs}</p>
                 <p className="text-xs text-muted-foreground">Active certs</p>
@@ -141,6 +141,10 @@ function CADetailCard({ ca, onEdit, onRotate, onDelete }: CADetailCardProps) {
                 <p className="text-lg font-semibold">{ca.default_cert_validity_hours}h</p>
                 <p className="text-xs text-muted-foreground">Default validity</p>
               </div>
+              <div className="p-2 bg-muted rounded-lg">
+                <p className="text-lg font-semibold">{ca.next_serial_number ?? '—'}</p>
+                <p className="text-xs text-muted-foreground">Next serial</p>
+              </div>
             </div>
           )}
 
diff --git a/src/pages/org/CompliancePage.tsx b/src/pages/org/CompliancePage.tsx
index 9138c14..e9b069b 100644
--- a/src/pages/org/CompliancePage.tsx
+++ b/src/pages/org/CompliancePage.tsx
@@ -9,7 +9,7 @@ import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from "@
 import { api, OrgComplianceMember, create403Handler } from "@/lib/api";
 import { useQuery, useMutation } from "@tanstack/react-query";
 import { useToast } from "@/hooks/use-toast";
-import { useOrganizations } from "@/hooks/useOrganizations";
+import { useOrg } from "@/contexts/OrgContext";
 
 const STATUS_CONFIG: Record<string, { label: string; color: string; icon: typeof Clock }> = {
   compliant: {
@@ -47,19 +47,10 @@ const STATUS_CONFIG: Record<string, { label: string; color: string; icon: typeof
 export default function CompliancePage() {
   const navigate = useNavigate();
   const { toast } = useToast();
-  const [currentOrgId, setCurrentOrgId] = useState<string | null>(null);
+  const { selectedOrgId: currentOrgId } = useOrg();
   const [searchQuery, setSearchQuery] = useState("");
   const [statusFilter, setStatusFilter] = useState<string>("all");
 
-  // Fetch organizations to get current org
-  const { data: organizations, isLoading: orgsLoading } = useOrganizations();
-
-  useEffect(() => {
-    if (organizations && organizations.length > 0) {
-      setCurrentOrgId(organizations[0].id);
-    }
-  }, [organizations]);
-
   // Fetch compliance data
   const { data: complianceData, isLoading: complianceLoading } = useQuery({
     queryKey: ['org-compliance', currentOrgId],
@@ -101,7 +92,7 @@ export default function CompliancePage() {
     suspended: complianceData?.members?.filter(m => m.status === 'suspended').length || 0,
   };
 
-  if (orgsLoading || complianceLoading) {
+  if (complianceLoading) {
     return (
       <div className="page-container">
         <div className="flex items-center justify-center py-12">
diff --git a/src/pages/org/DepartmentsPage.tsx b/src/pages/org/DepartmentsPage.tsx
index bddd25b..72b5eef 100644
--- a/src/pages/org/DepartmentsPage.tsx
+++ b/src/pages/org/DepartmentsPage.tsx
@@ -344,11 +344,18 @@ function DepartmentMembersPanel({ orgId, deptId }: { orgId: string; deptId: stri
             className="flex-1 h-8 rounded-md border border-input bg-background px-2 text-sm focus:outline-none focus:ring-2 focus:ring-ring"
           >
             <option value="">Select org member to add…</option>
-            {available.map((m) => (
-              <option key={m.user_id} value={m.user_id}>
-                {m.user?.full_name || m.user?.email || m.user_id}
-              </option>
-            ))}
+            {available.map((m) => {
+              const email = m.user?.email || "";
+              const name = m.user?.full_name;
+              const label = name && email
+                ? `${name} (${email})`
+                : email || m.user_id;
+              return (
+                <option key={m.user_id} value={m.user_id}>
+                  {label}
+                </option>
+              );
+            })}
           </select>
           <Button size="sm" onClick={handleAdd} disabled={!selectedUserId || isAdding}>
             {isAdding ? <Loader2 className="w-3 h-3 animate-spin mr-1" /> : <UserPlus className="w-3 h-3 mr-1" />}
diff --git a/src/pages/org/MembersPage.tsx b/src/pages/org/MembersPage.tsx
index eb716df..957d2f6 100644
--- a/src/pages/org/MembersPage.tsx
+++ b/src/pages/org/MembersPage.tsx
@@ -1,12 +1,34 @@
-import { useState, useEffect } from "react";
-import { Search, Shield, ShieldCheck, Mail, Loader2, Copy, Check, ExternalLink } from "lucide-react";
+import { useState, useEffect, useCallback } from "react";
+import {
+  Search,
+  Shield,
+  ShieldCheck,
+  Mail,
+  Loader2,
+  Copy,
+  Check,
+  ExternalLink,
+  User,
+  Key,
+  Plus,
+  Ban,
+  UserCheck,
+  AlertTriangle,
+  MoreHorizontal,
+  ChevronRight,
+  CheckCircle,
+  XCircle,
+  Crown,
+  Trash2,
+} from "lucide-react";
 import { useParams } from "react-router-dom";
 import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Label } from "@/components/ui/label";
-import { Card, CardContent } from "@/components/ui/card";
+import { Card, CardContent, CardHeader, CardTitle, CardDescription } from "@/components/ui/card";
 import { Badge } from "@/components/ui/badge";
 import { Avatar, AvatarFallback, AvatarImage } from "@/components/ui/avatar";
+import { Textarea } from "@/components/ui/textarea";
 import {
   DropdownMenu,
   DropdownMenuContent,
@@ -29,12 +51,20 @@ import {
   SelectTrigger,
   SelectValue,
 } from "@/components/ui/select";
+import {
+  Sheet,
+  SheetContent,
+  SheetDescription,
+  SheetHeader,
+  SheetTitle,
+} from "@/components/ui/sheet";
 import { Tabs, TabsContent, TabsList, TabsTrigger } from "@/components/ui/tabs";
 import { useToast } from "@/hooks/use-toast";
-import { api, OrganizationMember, ApiError, OrgInvite } from "@/lib/api";
+import { api, OrganizationMember, ApiError, OrgInvite, SSHKey, User as ApiUser } from "@/lib/api";
 import { useCurrentOrganizationId } from "@/hooks/useCurrentOrganization";
 import { useAuth } from "@/contexts/AuthContext";
-import { MoreHorizontal } from "lucide-react";
+
+// ── Helpers ──────────────────────────────────────────────────────────────────
 
 const getInitials = (name: string | null | undefined): string => {
   if (!name) return "?";
@@ -46,6 +76,19 @@ const getInitials = (name: string | null | undefined): string => {
     .slice(0, 2);
 };
 
+function formatDate(d: string | null | undefined) {
+  if (!d) return "—";
+  return new Date(d).toLocaleDateString(undefined, {
+    year: "numeric",
+    month: "short",
+    day: "numeric",
+  });
+}
+
+function isSuspended(status: string | undefined) {
+  return status === "suspended" || status === "compliance_suspended";
+}
+
 function RoleBadge({ role }: { role: string }) {
   const r = (role || "").toLowerCase();
   if (r === "owner") {
@@ -69,6 +112,8 @@ function RoleBadge({ role }: { role: string }) {
   );
 }
 
+// ── Main Component ────────────────────────────────────────────────────────────
+
 export default function MembersPage() {
   const params = useParams<{ orgId?: string }>();
   const { orgId: fallbackOrgId } = useCurrentOrganizationId();
@@ -76,123 +121,269 @@ export default function MembersPage() {
   const { toast } = useToast();
   const { user: currentUser } = useAuth();
 
-  const [search, setSearch] = useState("");
+  // ── Member list ──────────────────────────────────────────────────────────────
   const [members, setMembers] = useState<OrganizationMember[]>([]);
   const [isLoading, setIsLoading] = useState(true);
   const [error, setError] = useState<string | null>(null);
+  const [search, setSearch] = useState("");
 
-  // Invite dialog
-  const [showInvite, setShowInvite] = useState(false);
+  // ── User detail drawer ───────────────────────────────────────────────────────
+  const [selectedMember, setSelectedMember] = useState<OrganizationMember | null>(null);
+  const [detailUser, setDetailUser] = useState<ApiUser | null>(null);
+  const [userSshKeys, setUserSshKeys] = useState<SSHKey[]>([]);
+  const [isDrawerLoading, setIsDrawerLoading] = useState(false);
+
+  // ── Suspend / Unsuspend ──────────────────────────────────────────────────────
+  const [isSuspending, setIsSuspending] = useState(false);
+  const [showSuspendConfirm, setShowSuspendConfirm] = useState(false);
+
+  // ── Role update (via drawer) ─────────────────────────────────────────────────
+  const [isUpdatingRole, setIsUpdatingRole] = useState(false);
+
+  // ── Admin add SSH key dialog ─────────────────────────────────────────────────
+  const [showAddKey, setShowAddKey] = useState(false);
+  const [addKeyPublicKey, setAddKeyPublicKey] = useState("");
+  const [addKeyDescription, setAddKeyDescription] = useState("");
+  const [isAddingKey, setIsAddingKey] = useState(false);
+  const [addKeyError, setAddKeyError] = useState<string | null>(null);
+
+  // ── Change role dialog (from row dropdown) ───────────────────────────────────
+  const [changeRoleMember, setChangeRoleMember] = useState<OrganizationMember | null>(null);
+  const [newRole, setNewRole] = useState("member");
+  const [isChangingRole, setIsChangingRole] = useState(false);
+
+  // ── Remove member ────────────────────────────────────────────────────────────
+  const [removeMember, setRemoveMember] = useState<OrganizationMember | null>(null);
+  const [isRemoving, setIsRemoving] = useState(false);
+
+  // ── Invite ───────────────────────────────────────────────────────────────────
   const [inviteEmail, setInviteEmail] = useState("");
   const [inviteRole, setInviteRole] = useState("member");
   const [isInviting, setIsInviting] = useState(false);
   const [inviteError, setInviteError] = useState<string | null>(null);
 
-  // Invite link dialog (shown when email is not configured)
+  // Invite link dialog (when SMTP not configured)
   const [inviteLink, setInviteLink] = useState<string | null>(null);
   const [inviteLinkEmail, setInviteLinkEmail] = useState("");
   const [linkCopied, setLinkCopied] = useState(false);
 
-  // Change role dialog
-  const [changeRoleMember, setChangeRoleMember] = useState<OrganizationMember | null>(null);
-  const [newRole, setNewRole] = useState("member");
-  const [isChangingRole, setIsChangingRole] = useState(false);
-
-  // Pending invites
+  // ── Pending invites ──────────────────────────────────────────────────────────
   const [invites, setInvites] = useState<OrgInvite[]>([]);
   const [isInvitesLoading, setIsInvitesLoading] = useState(false);
   const [cancellingInviteId, setCancellingInviteId] = useState<string | null>(null);
 
-  useEffect(() => {
-    setError(null);
-    setMembers([]);
+  // ── Transfer ownership ───────────────────────────────────────────────────────
+  const [showTransferOwnership, setShowTransferOwnership] = useState(false);
+  const [isTransferringOwnership, setIsTransferringOwnership] = useState(false);
+
+  // ── Hard delete ──────────────────────────────────────────────────────────────
+  const [showHardDelete, setShowHardDelete] = useState(false);
+  const [hardDeleteConfirmEmail, setHardDeleteConfirmEmail] = useState("");
+  const [isHardDeleting, setIsHardDeleting] = useState(false);
+
+  // ── Fetch members ────────────────────────────────────────────────────────────
+  const fetchMembers = useCallback(async () => {
     if (!orgId) {
       setIsLoading(false);
       return;
     }
-
-    const fetchMembers = async () => {
-      try {
-        setIsLoading(true);
-        setError(null);
-        const response = await api.organizations.getMembers(orgId);
-        setMembers(response.members || []);
-      } catch (err) {
-        console.error("Failed to fetch members:", err);
-        setError("Failed to load members. Please try again.");
-      } finally {
-        setIsLoading(false);
-      }
-    };
-
-    const fetchInvites = async () => {
-      try {
-        setIsInvitesLoading(true);
-        const res = await api.organizations.getInvites(orgId);
-        setInvites(res.invites || []);
-      } catch (err) {
-        console.error("Failed to fetch invites:", err);
-      } finally {
-        setIsInvitesLoading(false);
-      }
-    };
-
-    fetchMembers();
-    fetchInvites();
-    // eslint-disable-next-line react-hooks/exhaustive-deps
+    setIsLoading(true);
+    setError(null);
+    try {
+      const response = await api.organizations.getMembers(orgId);
+      setMembers(response.members || []);
+    } catch (err) {
+      console.error("Failed to fetch members:", err);
+      setError("Failed to load members. Please try again.");
+    } finally {
+      setIsLoading(false);
+    }
   }, [orgId]);
 
-  const filteredMembers = members.filter((member) => {
-    const searchLower = search.toLowerCase();
-    return (
-      (member.user?.full_name?.toLowerCase().includes(searchLower) ?? false) ||
-      (member.user?.email.toLowerCase().includes(searchLower) ?? false)
-    );
-  });
-
-  const handleInvite = async () => {
+  const fetchInvites = useCallback(async () => {
     if (!orgId) return;
-    setInviteError(null);
-    if (!inviteEmail.trim()) {
-      setInviteError("Email is required.");
-      return;
-    }
-    setIsInviting(true);
+    setIsInvitesLoading(true);
     try {
-      const res = await api.organizations.createInvite(orgId, inviteEmail.trim(), inviteRole);
-      const link = res.invite?.invite_link;
-      setShowInvite(false);
-      // Refresh invites list
-      const updated = await api.organizations.getInvites(orgId);
-      setInvites(updated.invites || []);
-      if (link) {
-        // Email delivery not configured — show copyable link as fallback
-        setInviteLink(link);
-        setInviteLinkEmail(inviteEmail.trim());
-      } else {
-        // Email was sent successfully
-        toast({ title: "Invitation sent", description: `Invite email sent to ${inviteEmail.trim()}.` });
-      }
-      setInviteEmail("");
-      setInviteRole("member");
+      const res = await api.organizations.getInvites(orgId);
+      setInvites(res.invites || []);
     } catch (err) {
-      setInviteError(err instanceof ApiError ? err.message : "Failed to send invitation.");
+      console.error("Failed to fetch invites:", err);
     } finally {
-      setIsInviting(false);
+      setIsInvitesLoading(false);
+    }
+  }, [orgId]);
+
+  useEffect(() => {
+    setMembers([]);
+    setError(null);
+    fetchMembers();
+    fetchInvites();
+  }, [fetchMembers, fetchInvites]);
+
+  // ── Open user drawer ─────────────────────────────────────────────────────────
+  const openMemberDrawer = async (member: OrganizationMember) => {
+    setSelectedMember(member);
+    setDetailUser(null);
+    setUserSshKeys([]);
+    setIsDrawerLoading(true);
+    try {
+      const data = await api.admin.getUser(member.user_id);
+      setDetailUser(data.user);
+      setUserSshKeys(data.ssh_keys);
+    } catch {
+      // Non-fatal — drawer still shows member info
+    } finally {
+      setIsDrawerLoading(false);
     }
   };
 
+  const closeDrawer = () => {
+    setSelectedMember(null);
+    setDetailUser(null);
+    setUserSshKeys([]);
+  };
+
+  // ── Role change (drawer inline select) ──────────────────────────────────────
+  const handleDrawerRoleChange = async (newRoleValue: string) => {
+    if (!orgId || !selectedMember) return;
+    setIsUpdatingRole(true);
+    try {
+      const updated = await api.organizations.updateMemberRole(orgId, selectedMember.user_id, newRoleValue.toLowerCase());
+      const updatedRole = updated.member.role;
+      setSelectedMember((prev) => prev ? { ...prev, role: updatedRole } : prev);
+      setMembers((prev) =>
+        prev.map((m) => m.id === selectedMember.id ? { ...m, role: updatedRole } : m)
+      );
+      toast({
+        title: "Role updated",
+        description: `${selectedMember.user?.full_name || selectedMember.user?.email} is now a ${updatedRole}.`,
+      });
+    } catch (err) {
+      toast({
+        variant: "destructive",
+        title: "Failed to update role",
+        description: err instanceof ApiError ? err.message : "Something went wrong.",
+      });
+    } finally {
+      setIsUpdatingRole(false);
+    }
+  };
+
+  // ── Suspend ──────────────────────────────────────────────────────────────────
+  const handleSuspend = async () => {
+    if (!selectedMember) return;
+    setIsSuspending(true);
+    try {
+      const data = await api.admin.suspendUser(selectedMember.user_id);
+      const newStatus = data.user.status;
+      setDetailUser((prev) => prev ? { ...prev, status: newStatus } : prev);
+      setMembers((prev) =>
+        prev.map((m) =>
+          m.id === selectedMember.id
+            ? { ...m, user: m.user ? { ...m.user, status: newStatus } : m.user }
+            : m
+        )
+      );
+      setSelectedMember((prev) =>
+        prev ? { ...prev, user: prev.user ? { ...prev.user, status: newStatus } : prev.user } : prev
+      );
+      setShowSuspendConfirm(false);
+      toast({
+        title: "User suspended",
+        description: `${selectedMember.user?.full_name || selectedMember.user?.email} has been suspended.`,
+      });
+    } catch (err) {
+      setShowSuspendConfirm(false);
+      if (err instanceof ApiError && err.type === "OWNER_PROTECTION") {
+        toast({
+          variant: "destructive",
+          title: "Cannot suspend organization owner",
+          description: "Transfer ownership to another member before suspending this account.",
+        });
+      } else {
+        toast({
+          variant: "destructive",
+          title: "Failed to suspend user",
+          description: err instanceof ApiError ? err.message : "Something went wrong.",
+        });
+      }
+    } finally {
+      setIsSuspending(false);
+    }
+  };
+
+  const handleUnsuspend = async () => {
+    if (!selectedMember) return;
+    setIsSuspending(true);
+    try {
+      const data = await api.admin.unsuspendUser(selectedMember.user_id);
+      const newStatus = data.user.status;
+      setDetailUser((prev) => prev ? { ...prev, status: newStatus } : prev);
+      setMembers((prev) =>
+        prev.map((m) =>
+          m.id === selectedMember.id
+            ? { ...m, user: m.user ? { ...m.user, status: newStatus } : m.user }
+            : m
+        )
+      );
+      setSelectedMember((prev) =>
+        prev ? { ...prev, user: prev.user ? { ...prev.user, status: newStatus } : prev.user } : prev
+      );
+      toast({
+        title: "User unsuspended",
+        description: `${selectedMember.user?.full_name || selectedMember.user?.email} is now active.`,
+      });
+    } catch (err) {
+      toast({
+        variant: "destructive",
+        title: "Failed to unsuspend user",
+        description: err instanceof ApiError ? err.message : "Something went wrong.",
+      });
+    } finally {
+      setIsSuspending(false);
+    }
+  };
+
+  // ── Admin add SSH key ────────────────────────────────────────────────────────
+  const handleAddKey = async () => {
+    if (!selectedMember) return;
+    setAddKeyError(null);
+    if (!addKeyPublicKey.trim()) {
+      setAddKeyError("Public key is required.");
+      return;
+    }
+    setIsAddingKey(true);
+    try {
+      const key = await api.ssh.adminAddKey(
+        selectedMember.user_id,
+        addKeyPublicKey.trim(),
+        addKeyDescription.trim() || undefined
+      );
+      setUserSshKeys((prev) => [...prev, key]);
+      toast({ title: "SSH key added", description: `Key added for ${selectedMember.user?.email}` });
+      setShowAddKey(false);
+      setAddKeyPublicKey("");
+      setAddKeyDescription("");
+    } catch (err) {
+      setAddKeyError(err instanceof ApiError ? err.message : "Failed to add key.");
+    } finally {
+      setIsAddingKey(false);
+    }
+  };
+
+  // ── Change role (row dropdown) ───────────────────────────────────────────────
   const handleChangeRole = async () => {
     if (!orgId || !changeRoleMember) return;
     setIsChangingRole(true);
     try {
       const updated = await api.organizations.updateMemberRole(orgId, changeRoleMember.user_id, newRole.toLowerCase());
+      const updatedRole = updated.member.role;
       setMembers((prev) =>
-        prev.map((m) => (m.id === changeRoleMember.id ? { ...m, role: updated.member.role } : m))
+        prev.map((m) => m.id === changeRoleMember.id ? { ...m, role: updatedRole } : m)
       );
       toast({
         title: "Role updated",
-        description: `${changeRoleMember.user?.full_name || changeRoleMember.user?.email} is now a ${newRole}.`,
+        description: `${changeRoleMember.user?.full_name || changeRoleMember.user?.email} is now a ${updatedRole}.`,
       });
       setChangeRoleMember(null);
     } catch (err) {
@@ -206,31 +397,126 @@ export default function MembersPage() {
     }
   };
 
-  const handleRemoveMember = async (member: OrganizationMember) => {
-    if (!orgId) return;
+  // ── Remove member ────────────────────────────────────────────────────────────
+  const handleRemoveMember = async () => {
+    if (!orgId || !removeMember) return;
+    setIsRemoving(true);
     try {
-      await api.organizations.removeMember(orgId, member.user_id);
-      setMembers((prev) => prev.filter((m) => m.id !== member.id));
+      await api.organizations.removeMember(orgId, removeMember.user_id);
+      setMembers((prev) => prev.filter((m) => m.id !== removeMember.id));
       toast({
         title: "Member removed",
-        description: `${member.user?.full_name || member.user?.email} has been removed.`,
+        description: `${removeMember.user?.full_name || removeMember.user?.email} has been removed.`,
       });
+      setRemoveMember(null);
     } catch (err) {
       toast({
         variant: "destructive",
         title: "Failed to remove member",
         description: err instanceof ApiError ? err.message : "Something went wrong.",
       });
+    } finally {
+      setIsRemoving(false);
     }
   };
 
+  // ── Transfer ownership ───────────────────────────────────────────────────────
+  const handleTransferOwnership = async () => {
+    if (!orgId || !selectedMember) return;
+    setIsTransferringOwnership(true);
+    try {
+      await api.organizations.transferOwnership(orgId, selectedMember.user_id);
+      await fetchMembers();
+      setShowTransferOwnership(false);
+      closeDrawer();
+      toast({
+        title: "Ownership transferred",
+        description: `${selectedMember.user?.full_name || selectedMember.user?.email} is now the organization owner.`,
+      });
+    } catch (err) {
+      toast({
+        variant: "destructive",
+        title: "Failed to transfer ownership",
+        description: err instanceof ApiError ? err.message : "Something went wrong.",
+      });
+    } finally {
+      setIsTransferringOwnership(false);
+    }
+  };
+
+  // ── Hard delete ──────────────────────────────────────────────────────────────
+  const handleHardDelete = async () => {
+    if (!selectedMember) return;
+    setIsHardDeleting(true);
+    try {
+      const result = await api.admin.hardDeleteUser(selectedMember.user_id);
+      setMembers((prev) => prev.filter((m) => m.id !== selectedMember.id));
+      setShowHardDelete(false);
+      closeDrawer();
+      toast({
+        title: "User permanently deleted",
+        description: `${result.deleted_user_email} — ${result.certs_revoked} cert(s) revoked, ${result.ssh_keys_deleted} key(s) deleted.`,
+      });
+    } catch (err) {
+      toast({
+        variant: "destructive",
+        title: "Failed to delete user",
+        description: err instanceof ApiError ? err.message : "Something went wrong.",
+      });
+    } finally {
+      setIsHardDeleting(false);
+    }
+  };
+
+  // ── Invite ───────────────────────────────────────────────────────────────────
+  const handleInvite = async () => {
+    if (!orgId) return;
+    setInviteError(null);
+    if (!inviteEmail.trim()) {
+      setInviteError("Email is required.");
+      return;
+    }
+    setIsInviting(true);
+    try {
+      const res = await api.organizations.createInvite(orgId, inviteEmail.trim(), inviteRole);
+      const link = res.invite?.invite_link;
+      await fetchInvites();
+      if (link) {
+        setInviteLink(link);
+        setInviteLinkEmail(inviteEmail.trim());
+      } else {
+        toast({ title: "Invitation sent", description: `Invite email sent to ${inviteEmail.trim()}.` });
+      }
+      setInviteEmail("");
+      setInviteRole("member");
+    } catch (err) {
+      setInviteError(err instanceof ApiError ? err.message : "Failed to send invitation.");
+    } finally {
+      setIsInviting(false);
+    }
+  };
+
+  // ── Filtered members ─────────────────────────────────────────────────────────
+  const filteredMembers = members.filter((m) => {
+    const q = search.toLowerCase();
+    return (
+      (m.user?.full_name?.toLowerCase().includes(q) ?? false) ||
+      (m.user?.email.toLowerCase().includes(q) ?? false)
+    );
+  });
+
+  // ── Derived status for drawer ────────────────────────────────────────────────
+  const drawerStatus = detailUser?.status ?? selectedMember?.user?.status;
+  const drawerActivated = detailUser?.activated ?? undefined;
+  const drawerLastLogin = detailUser?.last_login_at ?? selectedMember?.user?.last_login_at ?? null;
+  const drawerCreatedAt = detailUser?.created_at ?? selectedMember?.user?.created_at ?? selectedMember?.created_at ?? null;
+
+  // ── Render ────────────────────────────────────────────────────────────────────
   return (
     <div className="page-container">
       <div className="page-header">
         <h1 className="page-title">Members</h1>
-        <p className="page-description">
-          Manage organization members and invitations
-        </p>
+        <p className="page-description">Manage organization members and invitations</p>
       </div>
 
       <Tabs defaultValue="members" className="w-full">
@@ -239,16 +525,21 @@ export default function MembersPage() {
             Members ({members.length})
           </TabsTrigger>
           <TabsTrigger value="invites">
-            Invitations {invites.length > 0 && <span className="ml-1.5 inline-flex items-center justify-center w-4 h-4 rounded-full bg-primary text-primary-foreground text-[10px] font-bold">{invites.length}</span>}
+            Invitations{invites.length > 0 && (
+              <span className="ml-1.5 inline-flex items-center justify-center w-4 h-4 rounded-full bg-primary text-primary-foreground text-[10px] font-bold">
+                {invites.length}
+              </span>
+            )}
           </TabsTrigger>
         </TabsList>
 
+        {/* ── Members tab ────────────────────────────────────────────────────── */}
         <TabsContent value="members">
           <div className="mb-4">
             <div className="relative">
               <Search className="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-muted-foreground" />
               <Input
-                placeholder="Search members..."
+                placeholder="Search members…"
                 value={search}
                 onChange={(e) => setSearch(e.target.value)}
                 className="pl-10 max-w-sm"
@@ -257,87 +548,122 @@ export default function MembersPage() {
           </div>
 
           <Card>
+            <CardHeader className="pb-3">
+              <CardTitle className="text-base flex items-center gap-2">
+                <User className="w-4 h-4" />
+                Members
+                {!isLoading && (
+                  <Badge variant="secondary" className="ml-1">{members.length}</Badge>
+                )}
+              </CardTitle>
+              <CardDescription>
+                Click a member to view details, manage their role, or administer SSH keys
+              </CardDescription>
+            </CardHeader>
             <CardContent className="p-0">
               {isLoading ? (
                 <div className="flex items-center justify-center p-8">
                   <Loader2 className="w-6 h-6 animate-spin text-muted-foreground" />
-                  <span className="ml-2 text-muted-foreground">Loading members...</span>
+                  <span className="ml-2 text-muted-foreground">Loading members…</span>
                 </div>
               ) : error ? (
-                <div className="p-8 text-center text-destructive">
-                  {error}
-                </div>
+                <div className="p-8 text-center text-destructive">{error}</div>
               ) : filteredMembers.length === 0 ? (
-                <div className="p-8 text-center text-muted-foreground">
-                  No members found
-                </div>
+                <div className="p-8 text-center text-muted-foreground">No members found</div>
               ) : (
                 <div className="divide-y">
-                  {filteredMembers.map((member) => (
-                    <div key={member.id} className="p-4 flex items-center gap-4">
-                      <Avatar className="w-10 h-10">
-                        <AvatarImage src={member.user?.avatar_url || undefined} />
-                        <AvatarFallback className="bg-primary text-primary-foreground">
-                          {getInitials(member.user?.full_name)}
-                        </AvatarFallback>
-                      </Avatar>
-                      <div className="flex-1 min-w-0">
-                        <div className="flex items-center gap-2">
-                          <p className="font-medium text-foreground truncate">
-                            {member.user?.full_name || member.user?.email}
+                  {filteredMembers.map((member) => {
+                    const memberStatus = member.user?.status;
+                    const suspended = isSuspended(memberStatus);
+                    const isOwner = (member.role || "").toLowerCase() === "owner";
+                    const isSelf = member.user?.id === currentUser?.id;
+                    return (
+                      <button
+                        key={member.id}
+                        className="w-full flex items-center gap-4 p-4 text-left hover:bg-accent/50 transition-colors"
+                        onClick={() => openMemberDrawer(member)}
+                      >
+                        <Avatar className="w-10 h-10 flex-shrink-0">
+                          <AvatarImage src={member.user?.avatar_url || undefined} />
+                          <AvatarFallback className="bg-primary text-primary-foreground">
+                            {getInitials(member.user?.full_name)}
+                          </AvatarFallback>
+                        </Avatar>
+                        <div className="flex-1 min-w-0">
+                          <div className="flex items-center gap-2 flex-wrap">
+                            <p className="font-medium text-foreground truncate">
+                              {member.user?.full_name || member.user?.email}
+                            </p>
+                            <RoleBadge role={member.role} />
+                            {suspended && (
+                              <Badge variant="outline" className="text-xs text-red-600 border-red-300 bg-red-50">
+                                <Ban className="w-3 h-3 mr-1" />Suspended
+                              </Badge>
+                            )}
+                          </div>
+                          <p className="text-sm text-muted-foreground truncate">
+                            {member.user?.email}
                           </p>
-                          <RoleBadge role={member.role} />
                         </div>
-                        <p className="text-sm text-muted-foreground truncate">
-                          {member.user?.email}
-                        </p>
-                      </div>
-                      {/* Actions — hide for self and for owners (can't modify owner here) */}
-                      {member.user?.id !== currentUser?.id && (member.role || "").toLowerCase() !== "owner" && (
-                        <DropdownMenu>
-                          <DropdownMenuTrigger asChild>
-                            <Button variant="ghost" size="icon">
-                              <MoreHorizontal className="w-4 h-4" />
-                            </Button>
-                          </DropdownMenuTrigger>
-                          <DropdownMenuContent align="end">
-                            <DropdownMenuItem
-                              onClick={() => {
-                                setChangeRoleMember(member);
-                                setNewRole((member.role || "member").toLowerCase());
-                              }}
+                        {/* Row action menu — hide for owners and self */}
+                        {!isSelf && !isOwner && (
+                          <DropdownMenu>
+                            <DropdownMenuTrigger
+                              asChild
+                              onClick={(e) => e.stopPropagation()}
                             >
-                              <Shield className="w-4 h-4 mr-2" />
-                              Change role
-                            </DropdownMenuItem>
-                            <DropdownMenuSeparator />
-                            <DropdownMenuItem
-                              className="text-destructive"
-                              onClick={() => handleRemoveMember(member)}
-                            >
-                              Remove member
-                            </DropdownMenuItem>
-                          </DropdownMenuContent>
-                        </DropdownMenu>
-                      )}
-                    </div>
-                  ))}
+                              <Button variant="ghost" size="icon" className="flex-shrink-0">
+                                <MoreHorizontal className="w-4 h-4" />
+                              </Button>
+                            </DropdownMenuTrigger>
+                            <DropdownMenuContent align="end">
+                              <DropdownMenuItem
+                                onClick={(e) => {
+                                  e.stopPropagation();
+                                  setChangeRoleMember(member);
+                                  setNewRole((member.role || "member").toLowerCase());
+                                }}
+                              >
+                                <Shield className="w-4 h-4 mr-2" />
+                                Change role
+                              </DropdownMenuItem>
+                              <DropdownMenuSeparator />
+                              <DropdownMenuItem
+                                className="text-destructive"
+                                onClick={(e) => {
+                                  e.stopPropagation();
+                                  setRemoveMember(member);
+                                }}
+                              >
+                                Remove member
+                              </DropdownMenuItem>
+                            </DropdownMenuContent>
+                          </DropdownMenu>
+                        )}
+                        <ChevronRight className="w-4 h-4 text-muted-foreground flex-shrink-0" />
+                      </button>
+                    );
+                  })}
                 </div>
               )}
             </CardContent>
           </Card>
         </TabsContent>
 
+        {/* ── Invitations tab ─────────────────────────────────────────────────── */}
         <TabsContent value="invites">
           <div className="grid grid-cols-1 md:grid-cols-2 gap-4">
+            {/* Pending invites list */}
             <Card>
               <CardContent className="p-6">
                 <div className="flex items-center justify-between mb-3">
                   <h3 className="text-sm font-semibold">Pending invitations</h3>
-                  <span className="text-sm text-muted-foreground">{isInvitesLoading ? 'Loading...' : `${invites.length}`}</span>
+                  <span className="text-sm text-muted-foreground">
+                    {isInvitesLoading ? "Loading…" : invites.length}
+                  </span>
                 </div>
                 {isInvitesLoading ? (
-                  <div className="p-4 text-center text-muted-foreground">Loading invites...</div>
+                  <div className="p-4 text-center text-muted-foreground">Loading invites…</div>
                 ) : invites.length === 0 ? (
                   <div className="p-4 text-center text-muted-foreground">No pending invitations</div>
                 ) : (
@@ -346,25 +672,36 @@ export default function MembersPage() {
                       <div key={inv.id} className="py-3 flex items-center justify-between gap-4">
                         <div>
                           <div className="font-medium">{inv.email}</div>
-                          <div className="text-sm text-muted-foreground">Role: {inv.role} • Expires: {new Date(inv.expires_at).toLocaleString()}</div>
-                        </div>
-                        <div className="flex items-center gap-2">
-                          <Button size="sm" variant="ghost" onClick={() => { void (async () => {
-                            if (!orgId) return;
-                            setCancellingInviteId(inv.id);
-                            try {
-                              await api.organizations.cancelInvite(orgId, inv.id);
-                              setInvites((prev) => prev.filter((i) => i.id !== inv.id));
-                              toast({ title: 'Invite cancelled' });
-                            } catch (err) {
-                              toast({ variant: 'destructive', title: 'Failed to cancel invite' });
-                            } finally {
-                              setCancellingInviteId(null);
-                            }
-                          })() }}>
-                            {cancellingInviteId === inv.id ? <Loader2 className="w-4 h-4 animate-spin" /> : 'Cancel'}
-                          </Button>
+                          <div className="text-sm text-muted-foreground">
+                            Role: {inv.role} · Expires: {new Date(inv.expires_at).toLocaleString()}
+                          </div>
                         </div>
+                        <Button
+                          size="sm"
+                          variant="ghost"
+                          disabled={cancellingInviteId === inv.id}
+                          onClick={() => {
+                            void (async () => {
+                              if (!orgId) return;
+                              setCancellingInviteId(inv.id);
+                              try {
+                                await api.organizations.cancelInvite(orgId, inv.id);
+                                setInvites((prev) => prev.filter((i) => i.id !== inv.id));
+                                toast({ title: "Invite cancelled" });
+                              } catch {
+                                toast({ variant: "destructive", title: "Failed to cancel invite" });
+                              } finally {
+                                setCancellingInviteId(null);
+                              }
+                            })();
+                          }}
+                        >
+                          {cancellingInviteId === inv.id ? (
+                            <Loader2 className="w-4 h-4 animate-spin" />
+                          ) : (
+                            "Cancel"
+                          )}
+                        </Button>
                       </div>
                     ))}
                   </div>
@@ -372,13 +709,12 @@ export default function MembersPage() {
               </CardContent>
             </Card>
 
+            {/* Invite form */}
             <Card>
               <CardContent className="p-6 space-y-4">
-                <div className="flex items-center justify-between">
-                  <div className="flex items-center gap-2">
-                    <Mail className="w-4 h-4 text-muted-foreground" />
-                    <h3 className="text-sm font-semibold">Send an invitation</h3>
-                  </div>
+                <div className="flex items-center gap-2">
+                  <Mail className="w-4 h-4 text-muted-foreground" />
+                  <h3 className="text-sm font-semibold">Send an invitation</h3>
                 </div>
                 <div className="space-y-3">
                   <div className="space-y-2">
@@ -405,7 +741,11 @@ export default function MembersPage() {
                   {inviteError && (
                     <p className="text-sm text-destructive">{inviteError}</p>
                   )}
-                  <Button onClick={handleInvite} disabled={isInviting || !inviteEmail.trim()} className="w-full">
+                  <Button
+                    onClick={handleInvite}
+                    disabled={isInviting || !inviteEmail.trim()}
+                    className="w-full"
+                  >
                     {isInviting && <Loader2 className="w-4 h-4 mr-2 animate-spin" />}
                     <Mail className="w-4 h-4 mr-2" />
                     Send invitation
@@ -417,53 +757,339 @@ export default function MembersPage() {
         </TabsContent>
       </Tabs>
 
-      {/* ── Invite link dialog (shown when SMTP not configured) ────────────────── */}
-      <Dialog open={!!inviteLink} onOpenChange={(o) => { if (!o) { setInviteLink(null); setLinkCopied(false); } }}>
-        <DialogContent className="sm:max-w-lg">
+      {/* ── User detail drawer ──────────────────────────────────────────────────── */}
+      <Sheet open={!!selectedMember} onOpenChange={(open) => { if (!open) closeDrawer(); }}>
+        <SheetContent className="w-full sm:max-w-lg overflow-y-auto">
+          {selectedMember && (
+            <>
+              <SheetHeader className="mb-4">
+                <SheetTitle className="flex items-center gap-3">
+                  <Avatar className="w-9 h-9">
+                    <AvatarImage src={selectedMember.user?.avatar_url || undefined} />
+                    <AvatarFallback className="bg-primary text-primary-foreground text-sm">
+                      {getInitials(selectedMember.user?.full_name)}
+                    </AvatarFallback>
+                  </Avatar>
+                  <span>{selectedMember.user?.full_name || selectedMember.user?.email}</span>
+                </SheetTitle>
+                <SheetDescription>{selectedMember.user?.email}</SheetDescription>
+              </SheetHeader>
+
+              {isDrawerLoading ? (
+                <div className="flex items-center justify-center py-12">
+                  <Loader2 className="w-6 h-6 animate-spin text-muted-foreground" />
+                </div>
+              ) : (
+                <>
+                  {/* Basic info */}
+                  <div className="space-y-3 mb-6">
+                    <div className="grid grid-cols-2 gap-2 text-sm">
+                      <span className="text-muted-foreground">Status</span>
+                      <span className="flex items-center gap-1">
+                        {isSuspended(drawerStatus) ? (
+                          <>
+                            <Ban className="w-4 h-4 text-red-500" />
+                            <span className="text-red-600 font-medium">
+                              Suspended{drawerStatus === "compliance_suspended" ? " (compliance)" : ""}
+                            </span>
+                          </>
+                        ) : (
+                          <>
+                            <CheckCircle className="w-4 h-4 text-green-500" />
+                            <span className="text-green-600">Active</span>
+                          </>
+                        )}
+                      </span>
+                      <span className="text-muted-foreground">Joined</span>
+                      <span>{formatDate(drawerCreatedAt)}</span>
+                      {drawerActivated !== undefined && (
+                        <>
+                          <span className="text-muted-foreground">Activated</span>
+                          <span className="flex items-center gap-1">
+                            {drawerActivated === false ? (
+                              <><XCircle className="w-4 h-4 text-amber-500" /> No</>
+                            ) : (
+                              <><CheckCircle className="w-4 h-4 text-green-500" /> Yes</>
+                            )}
+                          </span>
+                        </>
+                      )}
+                      <span className="text-muted-foreground">Last login</span>
+                      <span>{formatDate(drawerLastLogin)}</span>
+                    </div>
+                  </div>
+
+                  {/* Suspend / Unsuspend */}
+                  {selectedMember.user?.id !== currentUser?.id && (
+                    <div className="mb-6 p-4 border rounded-lg space-y-3">
+                      <h3 className="text-sm font-semibold flex items-center gap-2">
+                        <Ban className="w-4 h-4" />
+                        Account Access
+                      </h3>
+                      {isSuspended(drawerStatus) ? (
+                        <div className="space-y-2">
+                          <p className="text-sm text-muted-foreground">
+                            {drawerStatus === "compliance_suspended"
+                              ? "This account is suspended due to MFA compliance. The user cannot request certificates."
+                              : "This account is suspended. The user cannot request certificates."}
+                          </p>
+                          <Button
+                            size="sm"
+                            variant="outline"
+                            onClick={handleUnsuspend}
+                            disabled={isSuspending}
+                            className="text-green-600 border-green-300 hover:bg-green-50"
+                          >
+                            {isSuspending ? (
+                              <Loader2 className="w-4 h-4 mr-2 animate-spin" />
+                            ) : (
+                              <UserCheck className="w-4 h-4 mr-2" />
+                            )}
+                            Restore account
+                          </Button>
+                        </div>
+                      ) : (
+                        <div className="space-y-2">
+                          <p className="text-sm text-muted-foreground">
+                            Suspending blocks this user from requesting SSH certificates.
+                          </p>
+                          <Button
+                            size="sm"
+                            variant="outline"
+                            onClick={() => setShowSuspendConfirm(true)}
+                            disabled={isSuspending}
+                            className="text-red-600 border-red-300 hover:bg-red-50"
+                          >
+                            <Ban className="w-4 h-4 mr-2" />
+                            Suspend account
+                          </Button>
+                        </div>
+                      )}
+                    </div>
+                  )}
+
+                  {/* Role management */}
+                  {selectedMember.user?.id !== currentUser?.id && (
+                    <div className="mb-6 p-4 border rounded-lg space-y-3">
+                      <h3 className="text-sm font-semibold flex items-center gap-2">
+                        <Shield className="w-4 h-4" />
+                        Organization Role
+                      </h3>
+                      {(selectedMember.role || "").toLowerCase() === "owner" ? (
+                        <p className="text-xs text-muted-foreground">
+                          Owner role cannot be changed here. Transfer ownership from organization settings.
+                        </p>
+                      ) : (
+                        <div className="flex items-center gap-3">
+                          <Select
+                            value={(selectedMember.role || "member").toLowerCase()}
+                            onValueChange={handleDrawerRoleChange}
+                            disabled={isUpdatingRole}
+                          >
+                            <SelectTrigger className="flex-1">
+                              <SelectValue />
+                            </SelectTrigger>
+                            <SelectContent>
+                              <SelectItem value="member">Member</SelectItem>
+                              <SelectItem value="admin">Admin</SelectItem>
+                            </SelectContent>
+                          </Select>
+                          {isUpdatingRole && <Loader2 className="w-4 h-4 animate-spin text-muted-foreground" />}
+                        </div>
+                      )}
+                    </div>
+                  )}
+
+                  {/* Transfer Ownership — shown when current user is owner and target is not */}
+                  {selectedMember.user?.id !== currentUser?.id &&
+                    (selectedMember.role || "").toLowerCase() !== "owner" &&
+                    members.some(
+                      (m) => m.user?.id === currentUser?.id && (m.role || "").toLowerCase() === "owner"
+                    ) && (
+                    <div className="mb-6 p-4 border rounded-lg space-y-3">
+                      <h3 className="text-sm font-semibold flex items-center gap-2">
+                        <Crown className="w-4 h-4" />
+                        Transfer Ownership
+                      </h3>
+                      <p className="text-sm text-muted-foreground">
+                        Make this member the new organization owner. You will be demoted to admin.
+                      </p>
+                      <Button
+                        size="sm"
+                        variant="outline"
+                        onClick={() => setShowTransferOwnership(true)}
+                        className="text-purple-600 border-purple-300 hover:bg-purple-50"
+                      >
+                        <Crown className="w-4 h-4 mr-2" />
+                        Transfer ownership to this member
+                      </Button>
+                    </div>
+                  )}
+
+                  {/* Danger zone — Hard delete */}
+                  {selectedMember.user?.id !== currentUser?.id && (
+                    <div className="mb-6 p-4 border border-destructive/30 rounded-lg space-y-3">
+                      <h3 className="text-sm font-semibold flex items-center gap-2 text-destructive">
+                        <Trash2 className="w-4 h-4" />
+                        Danger Zone
+                      </h3>
+                      <p className="text-sm text-muted-foreground">
+                        Permanently delete this user account. This cannot be undone — all SSH keys and certificates will be revoked.
+                      </p>
+                      <Button
+                        size="sm"
+                        variant="outline"
+                        onClick={() => { setHardDeleteConfirmEmail(""); setShowHardDelete(true); }}
+                        className="text-destructive border-destructive/40 hover:bg-destructive/10"
+                      >
+                        <Trash2 className="w-4 h-4 mr-2" />
+                        Permanently delete account
+                      </Button>
+                    </div>
+                  )}
+
+                  {/* SSH Keys */}
+                  <div className="space-y-3">
+                    <div className="flex items-center justify-between">
+                      <h3 className="text-sm font-semibold flex items-center gap-2">
+                        <Key className="w-4 h-4" />
+                        SSH Keys
+                      </h3>
+                      <Button size="sm" variant="outline" onClick={() => setShowAddKey(true)}>
+                        <Plus className="w-3 h-3 mr-1" />
+                        Add key
+                      </Button>
+                    </div>
+                    {userSshKeys.length === 0 ? (
+                      <div className="text-center py-6 text-muted-foreground text-sm">
+                        No SSH keys registered
+                      </div>
+                    ) : (
+                      <div className="space-y-2">
+                        {userSshKeys.map((k) => (
+                          <div key={k.id} className="p-3 border rounded-lg text-sm">
+                            <div className="flex items-center gap-2 mb-1">
+                              <span className="font-medium">
+                                {k.description || <em className="text-muted-foreground">No description</em>}
+                              </span>
+                              {k.verified ? (
+                                <Badge className="bg-green-500/10 text-green-600 border-0 text-xs">
+                                  <CheckCircle className="w-3 h-3 mr-1" />Verified
+                                </Badge>
+                              ) : (
+                                <Badge variant="outline" className="text-xs text-amber-600 border-amber-300">
+                                  Unverified
+                                </Badge>
+                              )}
+                            </div>
+                            <div className="text-xs text-muted-foreground font-mono truncate">
+                              {k.fingerprint ?? (k.public_key.slice(0, 64) + "…")}
+                            </div>
+                            <div className="text-xs text-muted-foreground mt-1">
+                              Added {formatDate(k.created_at)}
+                            </div>
+                          </div>
+                        ))}
+                      </div>
+                    )}
+                  </div>
+                </>
+              )}
+            </>
+          )}
+        </SheetContent>
+      </Sheet>
+
+      {/* ── Admin add SSH key dialog ──────────────────────────────────────────── */}
+      <Dialog
+        open={showAddKey}
+        onOpenChange={(open) => {
+          setShowAddKey(open);
+          if (!open) { setAddKeyError(null); setAddKeyPublicKey(""); setAddKeyDescription(""); }
+        }}
+      >
+        <DialogContent className="sm:max-w-md">
           <DialogHeader>
-            <DialogTitle className="flex items-center gap-2">
-              <ExternalLink className="w-4 h-4" />
-              Share this invite link
-            </DialogTitle>
+            <DialogTitle>Add SSH Key for {selectedMember?.user?.email}</DialogTitle>
             <DialogDescription>
-              Email delivery is not configured. Share this link directly with <strong>{inviteLinkEmail}</strong>.
+              Add an SSH public key on behalf of this user (admin action).
             </DialogDescription>
           </DialogHeader>
-          <div className="space-y-3 py-2">
-            <div className="flex items-center gap-2 rounded-md border bg-muted px-3 py-2">
-              <span className="flex-1 text-xs text-muted-foreground break-all font-mono">{inviteLink}</span>
-              <Button
-                size="sm"
-                variant="ghost"
-                className="shrink-0"
-                onClick={() => {
-                  if (inviteLink) {
-                    navigator.clipboard.writeText(inviteLink);
-                    setLinkCopied(true);
-                    setTimeout(() => setLinkCopied(false), 2000);
-                  }
-                }}
-              >
-                {linkCopied ? <Check className="w-4 h-4 text-green-500" /> : <Copy className="w-4 h-4" />}
-              </Button>
+          <div className="space-y-4 py-2">
+            {addKeyError && (
+              <div className="p-3 rounded-md bg-destructive/10 text-destructive text-sm">{addKeyError}</div>
+            )}
+            <div className="space-y-2">
+              <Label>Public key</Label>
+              <Textarea
+                placeholder="ssh-ed25519 AAAA..."
+                value={addKeyPublicKey}
+                onChange={(e) => setAddKeyPublicKey(e.target.value)}
+                className="font-mono text-xs min-h-[80px]"
+                disabled={isAddingKey}
+              />
+            </div>
+            <div className="space-y-2">
+              <Label>
+                Description <span className="text-muted-foreground">(optional)</span>
+              </Label>
+              <Input
+                placeholder="Laptop key"
+                value={addKeyDescription}
+                onChange={(e) => setAddKeyDescription(e.target.value)}
+                disabled={isAddingKey}
+              />
             </div>
-            <p className="text-xs text-muted-foreground">
-              This link expires in 7 days. The recipient must already have an account or will be prompted to create one.
-            </p>
           </div>
           <DialogFooter>
-            <Button onClick={() => { setInviteLink(null); setLinkCopied(false); }}>Done</Button>
+            <Button variant="outline" onClick={() => setShowAddKey(false)} disabled={isAddingKey}>
+              Cancel
+            </Button>
+            <Button onClick={handleAddKey} disabled={isAddingKey || !addKeyPublicKey.trim()}>
+              {isAddingKey && <Loader2 className="w-4 h-4 mr-2 animate-spin" />}
+              Add key
+            </Button>
           </DialogFooter>
         </DialogContent>
       </Dialog>
 
-      {/* ── Change role dialog ─────────────────────────────────────────────────── */}
+      {/* ── Suspend confirmation dialog ───────────────────────────────────────── */}
+      <Dialog open={showSuspendConfirm} onOpenChange={setShowSuspendConfirm}>
+        <DialogContent className="sm:max-w-md">
+          <DialogHeader>
+            <DialogTitle className="flex items-center gap-2 text-red-600">
+              <AlertTriangle className="w-5 h-5" />
+              Suspend account?
+            </DialogTitle>
+            <DialogDescription>
+              <strong>{selectedMember?.user?.full_name || selectedMember?.user?.email}</strong> will be
+              blocked from requesting SSH certificates. You can restore their access at any time.
+            </DialogDescription>
+          </DialogHeader>
+          <DialogFooter>
+            <Button
+              variant="outline"
+              onClick={() => setShowSuspendConfirm(false)}
+              disabled={isSuspending}
+            >
+              Cancel
+            </Button>
+            <Button variant="destructive" onClick={handleSuspend} disabled={isSuspending}>
+              {isSuspending && <Loader2 className="w-4 h-4 mr-2 animate-spin" />}
+              Suspend
+            </Button>
+          </DialogFooter>
+        </DialogContent>
+      </Dialog>
+
+      {/* ── Change role dialog (row dropdown) ────────────────────────────────── */}
       <Dialog open={!!changeRoleMember} onOpenChange={(o) => { if (!o) setChangeRoleMember(null); }}>
         <DialogContent className="sm:max-w-sm">
           <DialogHeader>
             <DialogTitle>Change role</DialogTitle>
             <DialogDescription>
-              Update the role for {changeRoleMember?.user?.full_name || changeRoleMember?.user?.email}
+              Update the role for{" "}
+              {changeRoleMember?.user?.full_name || changeRoleMember?.user?.email}
             </DialogDescription>
           </DialogHeader>
           <div className="py-2">
@@ -479,7 +1105,11 @@ export default function MembersPage() {
             </Select>
           </div>
           <DialogFooter>
-            <Button variant="outline" onClick={() => setChangeRoleMember(null)} disabled={isChangingRole}>
+            <Button
+              variant="outline"
+              onClick={() => setChangeRoleMember(null)}
+              disabled={isChangingRole}
+            >
               Cancel
             </Button>
             <Button onClick={handleChangeRole} disabled={isChangingRole}>
@@ -489,6 +1119,170 @@ export default function MembersPage() {
           </DialogFooter>
         </DialogContent>
       </Dialog>
+
+      {/* ── Remove member confirmation ────────────────────────────────────────── */}
+      <Dialog open={!!removeMember} onOpenChange={(o) => { if (!o) setRemoveMember(null); }}>
+        <DialogContent className="sm:max-w-sm">
+          <DialogHeader>
+            <DialogTitle className="flex items-center gap-2 text-destructive">
+              <AlertTriangle className="w-5 h-5" />
+              Remove member?
+            </DialogTitle>
+            <DialogDescription>
+              <strong>{removeMember?.user?.full_name || removeMember?.user?.email}</strong> will lose
+              access to this organization immediately.
+            </DialogDescription>
+          </DialogHeader>
+          <DialogFooter>
+            <Button
+              variant="outline"
+              onClick={() => setRemoveMember(null)}
+              disabled={isRemoving}
+            >
+              Cancel
+            </Button>
+            <Button variant="destructive" onClick={handleRemoveMember} disabled={isRemoving}>
+              {isRemoving && <Loader2 className="w-4 h-4 mr-2 animate-spin" />}
+              Remove
+            </Button>
+          </DialogFooter>
+        </DialogContent>
+      </Dialog>
+
+      {/* ── Transfer ownership confirmation ───────────────────────────────── */}
+      <Dialog open={showTransferOwnership} onOpenChange={setShowTransferOwnership}>
+        <DialogContent className="sm:max-w-md">
+          <DialogHeader>
+            <DialogTitle className="flex items-center gap-2 text-purple-600">
+              <Crown className="w-5 h-5" />
+              Transfer ownership?
+            </DialogTitle>
+            <DialogDescription>
+              <strong>{selectedMember?.user?.full_name || selectedMember?.user?.email}</strong> will
+              become the new organization owner. You will be demoted to admin and lose the ability to
+              perform owner-only actions.
+            </DialogDescription>
+          </DialogHeader>
+          <DialogFooter>
+            <Button
+              variant="outline"
+              onClick={() => setShowTransferOwnership(false)}
+              disabled={isTransferringOwnership}
+            >
+              Cancel
+            </Button>
+            <Button
+              onClick={handleTransferOwnership}
+              disabled={isTransferringOwnership}
+              className="bg-purple-600 hover:bg-purple-700 text-white"
+            >
+              {isTransferringOwnership && <Loader2 className="w-4 h-4 mr-2 animate-spin" />}
+              Transfer ownership
+            </Button>
+          </DialogFooter>
+        </DialogContent>
+      </Dialog>
+
+      {/* ── Hard delete confirmation ──────────────────────────────────────────── */}
+      <Dialog
+        open={showHardDelete}
+        onOpenChange={(open) => { setShowHardDelete(open); if (!open) setHardDeleteConfirmEmail(""); }}
+      >
+        <DialogContent className="sm:max-w-md">
+          <DialogHeader>
+            <DialogTitle className="flex items-center gap-2 text-destructive">
+              <Trash2 className="w-5 h-5" />
+              Permanently delete account?
+            </DialogTitle>
+            <DialogDescription>
+              This will <strong>permanently</strong> delete{" "}
+              <strong>{selectedMember?.user?.full_name || selectedMember?.user?.email}</strong>,
+              revoke all their SSH certificates, and remove all their SSH keys. This action
+              cannot be undone.
+            </DialogDescription>
+          </DialogHeader>
+          <div className="py-2 space-y-2">
+            <Label className="text-sm">
+              Type <span className="font-mono font-semibold">{selectedMember?.user?.email}</span> to confirm
+            </Label>
+            <Input
+              value={hardDeleteConfirmEmail}
+              onChange={(e) => setHardDeleteConfirmEmail(e.target.value)}
+              placeholder={selectedMember?.user?.email ?? ""}
+              disabled={isHardDeleting}
+              className="font-mono"
+            />
+          </div>
+          <DialogFooter>
+            <Button
+              variant="outline"
+              onClick={() => setShowHardDelete(false)}
+              disabled={isHardDeleting}
+            >
+              Cancel
+            </Button>
+            <Button
+              variant="destructive"
+              onClick={handleHardDelete}
+              disabled={isHardDeleting || hardDeleteConfirmEmail !== selectedMember?.user?.email}
+            >
+              {isHardDeleting && <Loader2 className="w-4 h-4 mr-2 animate-spin" />}
+              Delete permanently
+            </Button>
+          </DialogFooter>
+        </DialogContent>
+      </Dialog>
+
+      {/* ── Invite link dialog ────────────────────────────────────────────────── */}
+      <Dialog
+        open={!!inviteLink}
+        onOpenChange={(o) => { if (!o) { setInviteLink(null); setLinkCopied(false); } }}
+      >
+        <DialogContent className="sm:max-w-lg">
+          <DialogHeader>
+            <DialogTitle className="flex items-center gap-2">
+              <ExternalLink className="w-4 h-4" />
+              Share this invite link
+            </DialogTitle>
+            <DialogDescription>
+              Email delivery is not configured. Share this link directly with{" "}
+              <strong>{inviteLinkEmail}</strong>.
+            </DialogDescription>
+          </DialogHeader>
+          <div className="space-y-3 py-2">
+            <div className="flex items-center gap-2 rounded-md border bg-muted px-3 py-2">
+              <span className="flex-1 text-xs text-muted-foreground break-all font-mono">
+                {inviteLink}
+              </span>
+              <Button
+                size="sm"
+                variant="ghost"
+                className="shrink-0"
+                onClick={() => {
+                  if (inviteLink) {
+                    navigator.clipboard.writeText(inviteLink);
+                    setLinkCopied(true);
+                    setTimeout(() => setLinkCopied(false), 2000);
+                  }
+                }}
+              >
+                {linkCopied ? (
+                  <Check className="w-4 h-4 text-green-500" />
+                ) : (
+                  <Copy className="w-4 h-4" />
+                )}
+              </Button>
+            </div>
+            <p className="text-xs text-muted-foreground">
+              This link expires in 7 days. The recipient must already have an account or will be
+              prompted to create one.
+            </p>
+          </div>
+          <DialogFooter>
+            <Button onClick={() => { setInviteLink(null); setLinkCopied(false); }}>Done</Button>
+          </DialogFooter>
+        </DialogContent>
+      </Dialog>
     </div>
   );
 }
diff --git a/src/pages/org/OIDCClientsPage.tsx b/src/pages/org/OIDCClientsPage.tsx
index 05cb662..4b4424c 100644
--- a/src/pages/org/OIDCClientsPage.tsx
+++ b/src/pages/org/OIDCClientsPage.tsx
@@ -23,10 +23,11 @@ import { Label } from "@/components/ui/label";
 import { Textarea } from "@/components/ui/textarea";
 import { api, OIDCClient, OIDCClientWithSecret } from "@/lib/api";
 import { useToast } from "@/hooks/use-toast";
+import { useOrg } from "@/contexts/OrgContext";
 
 export default function OIDCClientsPage() {
   const { toast } = useToast();
-  const [orgId, setOrgId] = useState<string | null>(null);
+  const { selectedOrgId: orgId } = useOrg();
   const [clients, setClients] = useState<OIDCClient[]>([]);
   const [isLoading, setIsLoading] = useState(true);
   const [isCreateOpen, setIsCreateOpen] = useState(false);
@@ -44,15 +45,10 @@ export default function OIDCClientsPage() {
   };
 
   useEffect(() => {
-    api.users.organizations()
-      .then((data) => {
-        if (!data.organizations.length) { setIsLoading(false); return; }
-        const id = data.organizations[0].id;
-        setOrgId(id);
-        loadData(id);
-      })
-      .catch(() => { setIsLoading(false); });
-  }, []);
+    if (!orgId) { setIsLoading(false); return; }
+    setIsLoading(true);
+    loadData(orgId);
+  }, [orgId]);
 
   const handleCreate = async () => {
     if (!orgId || !nameRef.current || !urisRef.current) return;
diff --git a/src/pages/org/OrgOverviewPage.tsx b/src/pages/org/OrgOverviewPage.tsx
index 56d6d13..19f34fb 100644
--- a/src/pages/org/OrgOverviewPage.tsx
+++ b/src/pages/org/OrgOverviewPage.tsx
@@ -1,33 +1,82 @@
 import { useEffect, useState } from "react";
-import { Building2, Users, Shield, Key, ArrowRight, TrendingUp, Loader2 } from "lucide-react";
-import { Link } from "react-router-dom";
-import { Card, CardContent } from "@/components/ui/card";
-import { api, Organization, OIDCClient } from "@/lib/api";
+import { Building2, Users, Shield, Key, ArrowRight, TrendingUp, Loader2, Trash2, AlertTriangle, ArrowLeftRight } from "lucide-react";
+import { Link, useNavigate } from "react-router-dom";
+import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "@/components/ui/card";
+import { Button } from "@/components/ui/button";
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from "@/components/ui/dialog";
+import { api, OIDCClient, ApiError } from "@/lib/api";
+import { useOrg } from "@/contexts/OrgContext";import { useOrganizations } from "@/hooks/useOrganizations";
+import { toast } from "@/hooks/use-toast";
 
 export default function OrgOverviewPage() {
-  const [org, setOrg] = useState<Organization | null>(null);
+  const navigate = useNavigate();
+  const { selectedOrg, selectOrg } = useOrg();
+  const { refetch: refetchOrgs } = useOrganizations();
   const [memberCount, setMemberCount] = useState<number>(0);
   const [clientCount, setClientCount] = useState<number>(0);
   const [isLoading, setIsLoading] = useState(true);
 
+  // Delete org dialog state
+  const [deleteDialogOpen, setDeleteDialogOpen] = useState(false);
+  const [isDeleting, setIsDeleting] = useState(false);
+
+  const isOwner = selectedOrg?.role === "owner";
+
   useEffect(() => {
-    api.users.organizations()
-      .then(async (data) => {
-        if (!data.organizations.length) return;
-        const first = data.organizations[0];
-        setOrg(first);
-
-        const [membersResp, clientsResp] = await Promise.allSettled([
-          api.organizations.getMembers(first.id),
-          api.organizations.getClients(first.id),
-        ]);
-
-        if (membersResp.status === "fulfilled") setMemberCount(membersResp.value.count);
-        if (clientsResp.status === "fulfilled") setClientCount((clientsResp.value as { clients: OIDCClient[]; count: number }).count);
-      })
-      .catch(console.error)
+    if (!selectedOrg) return;
+    setIsLoading(true);
+    Promise.allSettled([
+      api.organizations.getMembers(selectedOrg.id),
+      api.organizations.getClients(selectedOrg.id),
+    ]).then(([membersResp, clientsResp]) => {
+      if (membersResp.status === "fulfilled") setMemberCount(membersResp.value.count);
+      if (clientsResp.status === "fulfilled") setClientCount((clientsResp.value as { clients: OIDCClient[]; count: number }).count);
+    }).catch(console.error)
       .finally(() => setIsLoading(false));
-  }, []);
+  }, [selectedOrg?.id]);
+
+  const handleDeleteOrg = async () => {
+    if (!selectedOrg) return;
+    setIsDeleting(true);
+    try {
+      await api.organizations.deleteOrganization(selectedOrg.id);
+      toast({ title: "Organization deleted", description: `"${selectedOrg.name}" has been deleted.` });
+      setDeleteDialogOpen(false);
+      // Refresh org list; context will auto-select next available org
+      const result = await refetchOrgs();
+      const remaining = result.data ?? [];
+      if (remaining.length > 0) {
+        selectOrg(remaining[0]);
+        navigate("/org");
+      } else {
+        navigate("/org-setup");
+      }
+    } catch (err) {
+      if (err instanceof ApiError && err.type === "ORG_HAS_MEMBERS") {
+        toast({
+          title: "Cannot delete organization",
+          description: "This organization still has other members. Transfer ownership or remove all members first.",
+          variant: "destructive",
+        });
+      } else {
+        toast({
+          title: "Deletion failed",
+          description: err instanceof ApiError ? err.message : "An unexpected error occurred.",
+          variant: "destructive",
+        });
+      }
+      setDeleteDialogOpen(false);
+    } finally {
+      setIsDeleting(false);
+    }
+  };
 
   const quickLinks = [
     {
@@ -50,7 +99,7 @@ export default function OrgOverviewPage() {
     },
   ];
 
-  if (isLoading) {
+  if (isLoading && !selectedOrg) {
     return (
       <div className="page-container flex items-center justify-center py-12">
         <Loader2 className="w-6 h-6 animate-spin text-muted-foreground" />
@@ -58,6 +107,7 @@ export default function OrgOverviewPage() {
     );
   }
 
+  const org = selectedOrg;
   const createdAt = org?.created_at
     ? new Date(org.created_at).toLocaleDateString("en-US", { month: "long", year: "numeric" })
     : "";
@@ -115,7 +165,7 @@ export default function OrgOverviewPage() {
 
       {/* Quick Links */}
       <h2 className="text-lg font-semibold mb-4">Quick Actions</h2>
-      <div className="grid gap-4 md:grid-cols-3">
+      <div className="grid gap-4 md:grid-cols-3 mb-8">
         {quickLinks.map((link) => (
           <Link key={link.href} to={link.href}>
             <Card className="h-full hover:border-accent/50 transition-colors cursor-pointer group">
@@ -133,6 +183,92 @@ export default function OrgOverviewPage() {
           </Link>
         ))}
       </div>
+
+      {/* Danger Zone — owners only */}
+      {isOwner && (
+        <Card className="border-destructive/40">
+          <CardHeader>
+            <CardTitle className="text-base text-destructive flex items-center gap-2">
+              <AlertTriangle className="w-4 h-4" />
+              Danger Zone
+            </CardTitle>
+            <CardDescription>
+              Irreversible actions for this organization. Proceed with caution.
+            </CardDescription>
+          </CardHeader>
+          <CardContent className="space-y-4">
+            {/* Transfer ownership hint */}
+            <div className="flex items-center justify-between rounded-lg border border-border p-4">
+              <div>
+                <p className="text-sm font-medium">Transfer Ownership</p>
+                <p className="text-xs text-muted-foreground mt-0.5">
+                  Pass ownership to another member before deleting the organization.
+                </p>
+              </div>
+              <Button
+                variant="outline"
+                size="sm"
+                onClick={() => navigate("/org/members")}
+              >
+                <ArrowLeftRight className="w-4 h-4 mr-2" />
+                Go to Members
+              </Button>
+            </div>
+
+            {/* Delete organization */}
+            <div className="flex items-center justify-between rounded-lg border border-destructive/30 bg-destructive/5 p-4">
+              <div>
+                <p className="text-sm font-medium text-destructive">Delete Organization</p>
+                <p className="text-xs text-muted-foreground mt-0.5">
+                  Permanently deletes this organization.{" "}
+                  {memberCount > 1
+                    ? `You must remove all ${memberCount - 1} other member${memberCount > 2 ? "s" : ""} first.`
+                    : "This action cannot be undone."}
+                </p>
+              </div>
+              <Button
+                variant="destructive"
+                size="sm"
+                onClick={() => setDeleteDialogOpen(true)}
+                disabled={memberCount > 1}
+              >
+                <Trash2 className="w-4 h-4 mr-2" />
+                Delete
+              </Button>
+            </div>
+          </CardContent>
+        </Card>
+      )}
+
+      {/* Delete confirmation dialog */}
+      <Dialog open={deleteDialogOpen} onOpenChange={setDeleteDialogOpen}>
+        <DialogContent>
+          <DialogHeader>
+            <DialogTitle className="flex items-center gap-2 text-destructive">
+              <Trash2 className="w-5 h-5" />
+              Delete "{org?.name}"?
+            </DialogTitle>
+            <DialogDescription>
+              This will permanently delete the organization and all associated
+              data. This action <strong>cannot be undone</strong>.
+            </DialogDescription>
+          </DialogHeader>
+          <div className="rounded-lg border border-destructive/30 bg-destructive/5 p-3 text-sm text-destructive">
+            <AlertTriangle className="w-4 h-4 inline mr-2" />
+            You are about to delete <strong>{org?.name}</strong>. All settings,
+            policies, OIDC clients, and CA configurations will be lost.
+          </div>
+          <DialogFooter>
+            <Button variant="outline" onClick={() => setDeleteDialogOpen(false)} disabled={isDeleting}>
+              Cancel
+            </Button>
+            <Button variant="destructive" onClick={handleDeleteOrg} disabled={isDeleting}>
+              {isDeleting && <Loader2 className="w-4 h-4 mr-2 animate-spin" />}
+              Yes, delete organization
+            </Button>
+          </DialogFooter>
+        </DialogContent>
+      </Dialog>
     </div>
   );
 }
diff --git a/src/pages/org/PoliciesPage.tsx b/src/pages/org/PoliciesPage.tsx
index 40022e3..c7e19c3 100644
--- a/src/pages/org/PoliciesPage.tsx
+++ b/src/pages/org/PoliciesPage.tsx
@@ -12,7 +12,7 @@ import { Button } from "@/components/ui/button";
 import { api, OrgPolicyResponse, UpdateOrgPolicyDto, create403Handler } from "@/lib/api";
 import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query";
 import { useToast } from "@/hooks/use-toast";
-import { useOrganizations } from "@/hooks/useOrganizations";
+import { useOrg } from "@/contexts/OrgContext";
 
 const MFA_MODE_LABELS: Record<string, { label: string; description: string }> = {
   disabled: {
@@ -41,8 +41,8 @@ export default function PoliciesPage() {
   const navigate = useNavigate();
   const { toast } = useToast();
   const queryClient = useQueryClient();
-  const [currentOrgId, setCurrentOrgId] = useState<string | null>(null);
-  
+  const { selectedOrgId: currentOrgId } = useOrg();
+
   // Local form state for unsaved changes
   const [formData, setFormData] = useState({
     mfa_policy_mode: '',
@@ -51,15 +51,6 @@ export default function PoliciesPage() {
   });
   const [hasUnsavedChanges, setHasUnsavedChanges] = useState(false);
 
-  // Fetch organizations to get current org
-  const { data: organizations, isLoading: orgsLoading } = useOrganizations();
-
-  useEffect(() => {
-    if (organizations && organizations.length > 0) {
-      setCurrentOrgId(organizations[0].id);
-    }
-  }, [organizations]);
-
   // Fetch org policy
   const { data: policy, isLoading: policyLoading } = useQuery({
     queryKey: ['org-policy', currentOrgId],
@@ -180,7 +171,7 @@ export default function PoliciesPage() {
     }
   };
 
-  if (orgsLoading || policyLoading) {
+  if (policyLoading) {
     return (
       <div className="page-container">
         <div className="flex items-center justify-center py-12">
diff --git a/src/pages/user/ProfilePage.tsx b/src/pages/user/ProfilePage.tsx
index b9c00e8..60e6db1 100644
--- a/src/pages/user/ProfilePage.tsx
+++ b/src/pages/user/ProfilePage.tsx
@@ -1,5 +1,5 @@
 import { useState, useEffect } from "react";
-import { Mail, Upload, CheckCircle, AlertCircle, Loader2, Bell } from "lucide-react";
+import { Mail, Upload, CheckCircle, AlertCircle, Loader2, Bell, AlertTriangle, Trash2, Building2 } from "lucide-react";
 import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Label } from "@/components/ui/label";
@@ -7,9 +7,18 @@ import { Avatar, AvatarFallback, AvatarImage } from "@/components/ui/avatar";
 import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "@/components/ui/card";
 import { Badge } from "@/components/ui/badge";
 import { Skeleton } from "@/components/ui/skeleton";
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from "@/components/ui/dialog";
 import { useAuth } from "@/contexts/AuthContext";
 import { api, ApiError, PendingInvite } from "@/lib/api";
 import { toast } from "@/hooks/use-toast";
+import { useNavigate } from "react-router-dom";
 
 function ProfileSkeleton() {
   return (
@@ -57,12 +66,17 @@ function ProfileSkeleton() {
 }
 
 export default function ProfilePage() {
-  const { user, isLoading: authLoading, refreshUser } = useAuth();
+  const { user, isLoading: authLoading, refreshUser, logout } = useAuth();
+  const navigate = useNavigate();
   const [name, setName] = useState("");
   const [isEditing, setIsEditing] = useState(false);
   const [isSaving, setIsSaving] = useState(false);
   const [pendingInvites, setPendingInvites] = useState<PendingInvite[]>([]);
 
+  // Delete account dialog state
+  const [deleteDialogOpen, setDeleteDialogOpen] = useState(false);
+  const [isDeleting, setIsDeleting] = useState(false);
+
   // Sync local name state with user data
   useEffect(() => {
     if (user?.full_name) {
@@ -88,6 +102,35 @@ export default function ProfilePage() {
       .slice(0, 2);
   };
 
+  const handleDeleteAccount = async () => {
+    setIsDeleting(true);
+    try {
+      await api.users.deleteMe();
+      toast({ title: "Account deleted", description: "Your account has been deleted." });
+      setDeleteDialogOpen(false);
+      await logout();
+      navigate("/login");
+    } catch (err) {
+      if (err instanceof ApiError && err.type === "USER_IS_SOLE_OWNER") {
+        const orgs: string[] = (err.details?.organizations as string[]) ?? [];
+        toast({
+          title: "Cannot delete account",
+          description: `You are the sole owner of: ${orgs.join(", ")}. Transfer ownership or delete those organizations first.`,
+          variant: "destructive",
+        });
+      } else {
+        toast({
+          title: "Deletion failed",
+          description: err instanceof ApiError ? err.message : "An unexpected error occurred.",
+          variant: "destructive",
+        });
+      }
+      setDeleteDialogOpen(false);
+    } finally {
+      setIsDeleting(false);
+    }
+  };
+
   const handleSave = async () => {
     if (!name.trim()) {
       toast({
@@ -139,6 +182,20 @@ export default function ProfilePage() {
       </div>
 
       <div className="space-y-6">
+        {/* Account Suspended Banner */}
+        {(user.status === "suspended" || user.status === "compliance_suspended") && (
+          <div className="flex items-start gap-3 rounded-lg border border-red-300 bg-red-50 px-4 py-4 text-red-800 dark:border-red-700 dark:bg-red-950/60 dark:text-red-300">
+            <AlertTriangle className="w-5 h-5 mt-0.5 flex-shrink-0" />
+            <div>
+              <p className="font-semibold text-sm">Account suspended</p>
+              <p className="text-sm mt-0.5 opacity-90">
+                Your account has been suspended. You cannot perform most actions.
+                Please contact your administrator to resolve this.
+              </p>
+            </div>
+          </div>
+        )}
+
         {/* Pending Invitations Banner */}
         {pendingInvites.length > 0 && (
           <div className="rounded-lg border border-primary/40 bg-primary/10 p-4 space-y-3">
@@ -250,7 +307,75 @@ export default function ProfilePage() {
             </div>
           </CardContent>
         </Card>
+
+        {/* Danger Zone */}
+        <Card className="border-destructive/40">
+          <CardHeader>
+            <CardTitle className="text-base text-destructive flex items-center gap-2">
+              <AlertTriangle className="w-4 h-4" />
+              Danger Zone
+            </CardTitle>
+            <CardDescription>
+              Irreversible actions for your account. Proceed with caution.
+            </CardDescription>
+          </CardHeader>
+          <CardContent>
+            <div className="flex items-center justify-between rounded-lg border border-destructive/30 bg-destructive/5 p-4">
+              <div>
+                <p className="text-sm font-medium text-destructive">Delete Account</p>
+                <p className="text-xs text-muted-foreground mt-0.5">
+                  Permanently deletes your profile and all associated data. If you own
+                  any organizations you must transfer ownership or delete them first.
+                </p>
+              </div>
+              <Button
+                variant="destructive"
+                size="sm"
+                onClick={() => setDeleteDialogOpen(true)}
+              >
+                <Trash2 className="w-4 h-4 mr-2" />
+                Delete account
+              </Button>
+            </div>
+          </CardContent>
+        </Card>
       </div>
+
+      {/* Delete account confirmation dialog */}
+      <Dialog open={deleteDialogOpen} onOpenChange={setDeleteDialogOpen}>
+        <DialogContent>
+          <DialogHeader>
+            <DialogTitle className="flex items-center gap-2 text-destructive">
+              <Trash2 className="w-5 h-5" />
+              Delete your account?
+            </DialogTitle>
+            <DialogDescription>
+              Your profile, SSH keys, linked accounts, and session data will be
+              permanently deleted. This action <strong>cannot be undone</strong>.
+            </DialogDescription>
+          </DialogHeader>
+          <div className="rounded-lg border border-amber-300 bg-amber-50 dark:border-amber-700 dark:bg-amber-950/40 p-3 text-sm text-amber-800 dark:text-amber-300 space-y-1">
+            <p className="flex items-center gap-2 font-medium">
+              <Building2 className="w-4 h-4" />
+              Organization ownership check
+            </p>
+            <p>
+              If you are the sole owner of any organization that has other members,
+              you must <strong>transfer ownership</strong> to another member or delete
+              those organizations before proceeding.
+            </p>
+          </div>
+          <DialogFooter>
+            <Button variant="outline" onClick={() => setDeleteDialogOpen(false)} disabled={isDeleting}>
+              Cancel
+            </Button>
+            <Button variant="destructive" onClick={handleDeleteAccount} disabled={isDeleting}>
+              {isDeleting && <Loader2 className="w-4 h-4 mr-2 animate-spin" />}
+              Yes, delete my account
+            </Button>
+          </DialogFooter>
+        </DialogContent>
+      </Dialog>
     </div>
   );
 }