Merge pull request #2 from jamesii-b/gatehouse/secuird-CA-merge-v2.01

Gatehouse/secuird ca merge v2.01
2026-03-03 13:52:25 +10:30
parent cfbd64e189 b97937f080
commit e6f0d0b004
38 changed files with 9301 additions and 1034 deletions
@@ -18,13 +18,16 @@ import ResetPasswordPage from "@/pages/auth/ResetPasswordPage";
 import InviteAcceptPage from "@/pages/auth/InviteAcceptPage";
 import OIDCConsentPage from "@/pages/auth/OIDCConsentPage";
 import OIDCErrorPage from "@/pages/auth/OIDCErrorPage";
 import OIDCLoginPage from "@/pages/auth/OIDCLoginPage";
 import OAuthCallbackPage from "@/pages/auth/OAuthCallbackPage";
 import ActivatePage from "@/pages/auth/ActivatePage";
 // User pages
 import ProfilePage from "@/pages/user/ProfilePage";
 import SecurityPage from "@/pages/user/SecurityPage";
 import LinkedAccountsPage from "@/pages/user/LinkedAccountsPage";
 import ActivityPage from "@/pages/user/ActivityPage";
 import SSHKeysPage from "@/pages/user/SSHKeysPage";
 // Organization pages
 import OrgOverviewPage from "@/pages/org/OrgOverviewPage";
@@ -33,6 +36,13 @@ import PoliciesPage from "@/pages/org/PoliciesPage";
 import CompliancePage from "@/pages/org/CompliancePage";
 import OrgAuditPage from "@/pages/org/OrgAuditPage";
 import OIDCClientsPage from "@/pages/org/OIDCClientsPage";
 import CAsPage from "@/pages/org/CAsPage";
 import DepartmentsPage from "@/pages/org/DepartmentsPage";
 import PrincipalsPage from "@/pages/org/PrincipalsPage";
 import MyMembershipsPage from "@/pages/org/MyMembershipsPage";
 import SystemAuditPage from "@/pages/admin/SystemAuditPage";
 import OAuthProvidersPage from "@/pages/admin/OAuthProvidersPage";
 import OrgSetupPage from "@/pages/auth/OrgSetupPage";
 import NotFound from "@/pages/NotFound";
 import ApiDevTools from "@/components/dev/ApiDevTools";
@@ -65,26 +75,77 @@ const App = () => (
 );
 // Separate component so AuthProvider can use useNavigate
-import { AuthProvider } from "@/contexts/AuthContext";
+import { AuthProvider, useAuth } from "@/contexts/AuthContext";
 import { OrgProvider } from "@/contexts/OrgContext";
 import { Navigate } from "react-router-dom";
 /** Redirects already-authenticated users away from guest-only pages (e.g. /login). */
 function GuestRoute({ children }: { children: React.ReactNode }) {
  const { isAuthenticated, isOrgMember, isLoading } = useAuth();
  // Allow authenticated users through to /login when it's a CLI auth request or
  // an OIDC session — LoginPage will immediately forward the existing token.
  const params = new URLSearchParams(window.location.search);
  const isCli = params.has('cli_token') || params.has('cli_redirect');
  const isOidcBridge = params.has('oidc_session_id');
  if (isLoading) return null; // wait for auth state to resolve
  if (isAuthenticated && !isCli && !isOidcBridge) {
    // If the user hasn't set up an org yet, send them there first
    return <Navigate to={isOrgMember ? "/profile" : "/org-setup"} replace />;
  }
  return <>{children}</>;
 }
 /** Blocks access to /admin/* for non-admin users. */
 function RequireAdmin({ children }: { children: React.ReactNode }) {
  const { isOrgAdmin, isLoading, isAuthenticated } = useAuth();
  if (isLoading) return null;
  if (!isAuthenticated) return <Navigate to="/login" replace />;
  if (!isOrgAdmin) return <Navigate to="/profile" replace />;
  return <>{children}</>;
 }
 /** Blocks access to /org/* for users who don't belong to any organisation. */
 function RequireOrgMember({ children }: { children: React.ReactNode }) {
  const { isOrgMember, isLoading, isAuthenticated } = useAuth();
  if (isLoading) return null;
  if (!isAuthenticated) return <Navigate to="/login" replace />;
  if (!isOrgMember) return <Navigate to="/profile" replace />;
  return <>{children}</>;
 }
 /** 
 *  Used for /org-setup which lives inside PublicLayout */
 function RequireAuth({ children }: { children: React.ReactNode }) {
  const { isAuthenticated, isLoading } = useAuth();
  if (isLoading) return null;
  if (!isAuthenticated) return <Navigate to="/login" replace />;
  return <>{children}</>;
 }
 function AppRoutes() {
  return (
    <AuthProvider>
      <OrgProvider>
      <Routes>
        {/* Index redirect */}
        <Route path="/" element={<Index />} />
        {/* Public routes */}
        <Route element={<PublicLayout />}>
-          <Route path="/login" element={<LoginPage />} />
+          <Route path="/login" element={<GuestRoute><LoginPage /></GuestRoute>} />
          <Route path="/register" element={<RegisterPage />} />
          <Route path="/verify-email" element={<VerifyEmailPage />} />
          <Route path="/forgot-password" element={<ForgotPasswordPage />} />
          <Route path="/reset-password" element={<ResetPasswordPage />} />
          <Route path="/invite" element={<InviteAcceptPage />} />
          <Route path="/consent" element={<OIDCConsentPage />} />
          <Route path="/oidc-login" element={<OIDCLoginPage />} />
          <Route path="/error" element={<OIDCErrorPage />} />
          <Route path="/oauth/callback" element={<OAuthCallbackPage />} />
          <Route path="/activate" element={<ActivatePage />} />
          {/* Org-setup uses the same full-screen centred layout as auth pages,
              but requires a valid session token (RequireAuth guard below). */}
          <Route path="/org-setup" element={<RequireAuth><OrgSetupPage /></RequireAuth>} />
        </Route>
        {/* Protected routes - handles auth and MFA enforcement */}
@@ -94,14 +155,26 @@ function AppRoutes() {
          <Route path="/security" element={<SecurityPage />} />
          <Route path="/linked-accounts" element={<LinkedAccountsPage />} />
          <Route path="/activity" element={<ActivityPage />} />
          <Route path="/ssh-keys" element={<SSHKeysPage />} />
-          {/* Organization routes */}
+          {/* Organization routes — org members: overview + own memberships only */}
-          <Route path="/org" element={<OrgOverviewPage />} />
+          <Route path="/org" element={<RequireOrgMember><OrgOverviewPage /></RequireOrgMember>} />
-          <Route path="/org/members" element={<MembersPage />} />
+          <Route path="/org/my-memberships" element={<RequireOrgMember><MyMembershipsPage /></RequireOrgMember>} />
-          <Route path="/org/policies" element={<PoliciesPage />} />
+
-          <Route path="/org/policies/compliance" element={<CompliancePage />} />
+          {/* Organization management routes — org admins/owners only */}
-          <Route path="/org/audit" element={<OrgAuditPage />} />
+          <Route path="/org/members" element={<RequireAdmin><MembersPage /></RequireAdmin>} />
-          <Route path="/org/clients" element={<OIDCClientsPage />} />
+          <Route path="/org/departments" element={<RequireAdmin><DepartmentsPage /></RequireAdmin>} />
          <Route path="/org/principals" element={<RequireAdmin><PrincipalsPage /></RequireAdmin>} />
          <Route path="/org/policies" element={<RequireAdmin><PoliciesPage /></RequireAdmin>} />
          <Route path="/org/policies/compliance" element={<RequireAdmin><CompliancePage /></RequireAdmin>} />
          <Route path="/org/audit" element={<RequireAdmin><OrgAuditPage /></RequireAdmin>} />
          <Route path="/org/clients" element={<RequireAdmin><OIDCClientsPage /></RequireAdmin>} />
          <Route path="/org/cas" element={<RequireAdmin><CAsPage /></RequireAdmin>} />
          {/* Admin routes — org admin/owner only */}
          <Route path="/admin/audit" element={<RequireAdmin><SystemAuditPage /></RequireAdmin>} />
          <Route path="/admin/users" element={<Navigate to="/org/members" replace />} />
          <Route path="/admin/oauth" element={<RequireAdmin><OAuthProvidersPage /></RequireAdmin>} />
        </Route>
        {/* Catch-all */}
@@ -110,6 +183,7 @@ function AppRoutes() {
      {/* Dev tools - only shown in development */}
      <ApiDevTools />
      </OrgProvider>
    </AuthProvider>
  );
 }
@@ -2,12 +2,14 @@ import { Navigate, Outlet } from 'react-router-dom';
 import { useAuth } from '@/contexts/AuthContext';
 import AuthenticatedLayout from './AuthenticatedLayout';
 import MfaEnforcementLayout from './MfaEnforcementLayout';
 import { useOrganizations } from '@/hooks/useOrganizations';
 import { Loader2 } from 'lucide-react';
 export default function ProtectedLayout() {
-  const { isAuthenticated, isLoading, requiresMfaEnrollment } = useAuth();
+  const { isAuthenticated, isLoading, requiresMfaEnrollment, isOrgMember } = useAuth();
  const { isLoading: isOrgsLoading } = useOrganizations();
-  if (isLoading) {
+  if (isLoading || isOrgsLoading) {
    return (
      <div className="min-h-screen flex items-center justify-center bg-background">
        <div className="flex flex-col items-center gap-4">
@@ -22,13 +24,16 @@ export default function ProtectedLayout() {
    return <Navigate to="/login" replace />;
  }
  // User is logged in but hasn't joined/created an org yet — send to org-setup
  if (!isOrgMember) {
    return <Navigate to="/org-setup" replace />;
  }
  if (requiresMfaEnrollment) {
    return <MfaEnforcementLayout />;
  }
  return (
-    <AuthenticatedLayout>
+    <AuthenticatedLayout />
      <Outlet />
    </AuthenticatedLayout>
  );
 }
@@ -8,10 +8,15 @@ import {
  Users,
  Settings,
  FileText,
-  Key,
+  Layers,
  GitBranch,
  ScrollText,
  Terminal,
  ShieldCheck,
 } from "lucide-react";
 import { GatehouseLogo } from "@/components/branding/GatehouseLogo";
 import { NavLink } from "@/components/NavLink";
 import { useAuth } from "@/contexts/AuthContext";
 import {
  Sidebar,
  SidebarContent,
@@ -30,29 +35,41 @@ import { cn } from "@/lib/utils";
 const userNavItems = [
  { title: "Profile", url: "/profile", icon: User },
  { title: "Security", url: "/security", icon: Shield },
  { title: "SSH Keys", url: "/ssh-keys", icon: Terminal },
  { title: "Linked Accounts", url: "/linked-accounts", icon: Link2 },
  { title: "Activity", url: "/activity", icon: Activity },
 ];
-const orgNavItems = [
+// Visible to ALL org members
 const orgMemberNavItems = [
  { title: "Overview", url: "/org", icon: Building2 },
  { title: "My Memberships", url: "/org/my-memberships", icon: Layers },
 ];
 // Visible to org admins/owners only (management)
 const orgAdminNavItems = [
  { title: "Overview", url: "/org", icon: Building2 },
  { title: "Members", url: "/org/members", icon: Users },
  { title: "Departments", url: "/org/departments", icon: Layers },
  { title: "Principals", url: "/org/principals", icon: GitBranch },
  { title: "Policies", url: "/org/policies", icon: Settings },
  { title: "Audit Log", url: "/org/audit", icon: FileText },
 ];
 const adminNavItems = [
-  { title: "OIDC Clients", url: "/org/clients", icon: Key },
+  { title: "Certificate Auth.", url: "/org/cas", icon: ShieldCheck },
  { title: "Org Audit Log", url: "/org/audit", icon: FileText },
  { title: "System Logs",  url: "/admin/audit", icon: ScrollText },
 ];
 export function AppSidebar() {
  const { state } = useSidebar();
  const collapsed = state === "collapsed";
  const location = useLocation();
  const { isOrgAdmin, isOrgMember } = useAuth();
  const isActive = (path: string) => location.pathname === path;
-  const isOrgActive = orgNavItems.some((item) => isActive(item.url)) || adminNavItems.some((item) => isActive(item.url));
+  const isOrgActive = orgAdminNavItems.some((item) => isActive(item.url)) || adminNavItems.some((item) => isActive(item.url));
-  const isUserActive = userNavItems.some((item) => isActive(item.url));
+  void isOrgActive; // used for future active state tracking
  return (
    <Sidebar
@@ -77,9 +94,11 @@ export function AppSidebar() {
      <SidebarContent className="py-4">
        {/* User Section */}
        <SidebarGroup>
-          <SidebarGroupLabel className="px-4 text-xs font-medium text-sidebar-muted uppercase tracking-wider">
+          {!collapsed && (
-            {!collapsed && "Account"}
+            <SidebarGroupLabel className="px-4 text-xs font-medium text-sidebar-muted uppercase tracking-wider">
-          </SidebarGroupLabel>
+              Account
            </SidebarGroupLabel>
          )}
          <SidebarGroupContent>
            <SidebarMenu>
              {userNavItems.map((item) => (
@@ -89,8 +108,11 @@ export function AppSidebar() {
                      to={item.url}
                      end
                      className={cn(
-                        "flex items-center gap-3 px-4 py-2.5 text-sm text-sidebar-foreground rounded-lg mx-2 transition-colors",
+                        "flex items-center text-sm text-sidebar-foreground rounded-lg transition-colors",
-                        "hover:bg-sidebar-accent hover:text-sidebar-accent-foreground"
+                        "hover:bg-sidebar-accent hover:text-sidebar-accent-foreground",
                        collapsed
                          ? "justify-center w-10 h-10 mx-auto p-0"
                          : "gap-3 px-4 py-2.5 mx-2"
                      )}
                      activeClassName="bg-sidebar-accent text-sidebar-primary font-medium"
                    >
@@ -104,22 +126,28 @@ export function AppSidebar() {
          </SidebarGroupContent>
        </SidebarGroup>
-        {/* Organization Section */}
+        {/* Organization Section — content differs by role */}
        {isOrgMember && (
        <SidebarGroup className="mt-4">
-          <SidebarGroupLabel className="px-4 text-xs font-medium text-sidebar-muted uppercase tracking-wider">
+          {!collapsed && (
-            {!collapsed && "Organization"}
+            <SidebarGroupLabel className="px-4 text-xs font-medium text-sidebar-muted uppercase tracking-wider">
-          </SidebarGroupLabel>
+              Organization
            </SidebarGroupLabel>
          )}
          <SidebarGroupContent>
            <SidebarMenu>
-              {orgNavItems.map((item) => (
+              {(isOrgAdmin ? orgAdminNavItems : orgMemberNavItems).map((item) => (
                <SidebarMenuItem key={item.title}>
                  <SidebarMenuButton asChild>
                    <NavLink
                      to={item.url}
                      end
                      className={cn(
-                        "flex items-center gap-3 px-4 py-2.5 text-sm text-sidebar-foreground rounded-lg mx-2 transition-colors",
+                        "flex items-center text-sm text-sidebar-foreground rounded-lg transition-colors",
-                        "hover:bg-sidebar-accent hover:text-sidebar-accent-foreground"
+                        "hover:bg-sidebar-accent hover:text-sidebar-accent-foreground",
                        collapsed
                          ? "justify-center w-10 h-10 mx-auto p-0"
                          : "gap-3 px-4 py-2.5 mx-2"
                      )}
                      activeClassName="bg-sidebar-accent text-sidebar-primary font-medium"
                    >
@@ -132,12 +160,16 @@ export function AppSidebar() {
            </SidebarMenu>
          </SidebarGroupContent>
        </SidebarGroup>
        )}
-        {/* Admin Section */}
+        {/* Admin Section — only visible to org admins/owners */}
        {isOrgAdmin && (
        <SidebarGroup className="mt-4">
-          <SidebarGroupLabel className="px-4 text-xs font-medium text-sidebar-muted uppercase tracking-wider">
+          {!collapsed && (
-            {!collapsed && "Admin"}
+            <SidebarGroupLabel className="px-4 text-xs font-medium text-sidebar-muted uppercase tracking-wider">
-          </SidebarGroupLabel>
+              Admin
            </SidebarGroupLabel>
          )}
          <SidebarGroupContent>
            <SidebarMenu>
              {adminNavItems.map((item) => (
@@ -147,8 +179,11 @@ export function AppSidebar() {
                      to={item.url}
                      end
                      className={cn(
-                        "flex items-center gap-3 px-4 py-2.5 text-sm text-sidebar-foreground rounded-lg mx-2 transition-colors",
+                        "flex items-center text-sm text-sidebar-foreground rounded-lg transition-colors",
-                        "hover:bg-sidebar-accent hover:text-sidebar-accent-foreground"
+                        "hover:bg-sidebar-accent hover:text-sidebar-accent-foreground",
                        collapsed
                          ? "justify-center w-10 h-10 mx-auto p-0"
                          : "gap-3 px-4 py-2.5 mx-2"
                      )}
                      activeClassName="bg-sidebar-accent text-sidebar-primary font-medium"
                    >
@@ -161,6 +196,7 @@ export function AppSidebar() {
            </SidebarMenu>
          </SidebarGroupContent>
        </SidebarGroup>
        )}
      </SidebarContent>
      <SidebarFooter className="p-4 border-t border-sidebar-border">
@@ -1,4 +1,3 @@
 import { useState, useEffect } from "react";
 import { useNavigate } from "react-router-dom";
 import { Menu, ChevronDown, LogOut, User, Shield, Building2, Loader2 } from "lucide-react";
 import { Button } from "@/components/ui/button";
@@ -13,34 +12,23 @@ import {
 } from "@/components/ui/dropdown-menu";
 import { Avatar, AvatarFallback, AvatarImage } from "@/components/ui/avatar";
 import { useAuth } from "@/contexts/AuthContext";
-import { Organization } from "@/lib/api";
+import { useOrg } from "@/contexts/OrgContext";
 import { useOrganizations } from "@/hooks/useOrganizations";
 import { ComplianceBanner } from "@/components/auth/ComplianceBanner";
 export function TopBar() {
  const navigate = useNavigate();
-  const { user, isAuthenticated, mfaCompliance } = useAuth();
+  const { user, mfaCompliance, logout } = useAuth();
-  const [currentOrg, setCurrentOrg] = useState<Organization | null>(null);
+  const { selectedOrg, selectOrg } = useOrg();
-  
+
  // Use React Query hook for organizations with automatic caching and deduplication
  const { data: organizations = [], isLoading: orgsLoading } = useOrganizations();
  // Debug logging
  console.log('[TopBar] organizations data:', organizations);
  console.log('[TopBar] organizations is array:', Array.isArray(organizations));
  // Ensure organizations is always an array (defensive check)
  const organizationsArray = Array.isArray(organizations) ? organizations : [];
-  // Set initial currentOrg when organizations are loaded
+  const handleLogout = async () => {
-  useEffect(() => {
+    await logout();
    if (organizationsArray.length > 0 && !currentOrg) {
      setCurrentOrg(organizationsArray[0]);
    }
  }, [organizationsArray, currentOrg]);
  const handleLogout = () => {
    navigate("/login");
  };
  const userInitials = user?.full_name
@@ -68,7 +56,7 @@ export function TopBar() {
                  <Building2 className="w-3.5 h-3.5 text-primary" />
                </div>
                <span className="text-sm font-medium hidden sm:inline">
-                  {orgsLoading ? "Loading..." : (currentOrg?.name || "No Organization")}
+                  {orgsLoading ? "Loading..." : (selectedOrg?.name || "No Organization")}
                </span>
                <ChevronDown className="w-4 h-4 text-muted-foreground" />
              </Button>
@@ -90,7 +78,7 @@ export function TopBar() {
                organizationsArray.map((org) => (
                  <DropdownMenuItem
                    key={org.id}
-                    onClick={() => setCurrentOrg(org)}
+                    onClick={() => selectOrg(org)}
                    className="flex items-center justify-between"
                  >
                    <div className="flex items-center gap-2">
@@ -1,25 +1,32 @@
 import { createContext, useContext, useState, useEffect, useCallback, ReactNode } from 'react';
 import { useNavigate } from 'react-router-dom';
-import { api, User, ApiError, tokenManager, MfaComplianceSummary } from '@/lib/api';
+import { api, User, ApiError, tokenManager, MfaComplianceSummary, PendingInvite } from '@/lib/api';
 interface LoginResult {
  requiresTotp: boolean;
  requiresWebAuthn: boolean;
  requiresMfaEnrollment?: boolean;
  requiresOrgSetup?: boolean;
  pendingInvites?: PendingInvite[];
  isFirstUser?: boolean;
 }
 interface AuthContextType {
  user: User | null;
  isLoading: boolean;
  isAuthenticated: boolean;
  isOrgAdmin: boolean;
  isOrgMember: boolean;
  mfaCompliance: MfaComplianceSummary | null;
  requiresMfaEnrollment: boolean;
-  login: (email: string, password: string, rememberMe?: boolean) => Promise<LoginResult>;
+  login: (email: string, password: string, rememberMe?: boolean, skipNavigate?: boolean) => Promise<LoginResult>;
-  verifyTotp: (code: string, isBackupCode?: boolean) => Promise<void>;
+  verifyTotp: (code: string, isBackupCode?: boolean, skipNavigate?: boolean) => Promise<void>;
  verifyWebAuthn: () => Promise<void>;
  logout: () => Promise<void>;
  refreshUser: () => Promise<void>;
  refreshCompliance: () => Promise<void>;
  /** Re-check org membership & admin status. Exposed so post-setup pages can update the context. */
  checkOrgAdmin: () => Promise<void>;
 }
 const AuthContext = createContext<AuthContextType | null>(null);
@@ -40,66 +47,61 @@ function persistMfaCompliance(compliance: MfaComplianceSummary | null): void {
 function loadMfaCompliance(): MfaComplianceSummary | null {
  try {
    const stored = localStorage.getItem(MFA_COMPLIANCE_KEY);
-    if (!stored) {
+    if (!stored) return null;
-      console.log('[AuthContext] loadMfaCompliance: no stored data');
+
      return null;
    }
    const parsed = JSON.parse(stored);
-    console.log('[AuthContext] loadMfaCompliance: raw parsed:', parsed);
+
    // Handle both direct format and legacy double-nested format
    // Legacy format: { mfa_compliance: { ... } }
    // Current format: { ... }
    let compliance: Record<string, unknown>;
    if (parsed.mfa_compliance && typeof parsed.mfa_compliance === 'object') {
      console.log('[AuthContext] loadMfaCompliance: detected legacy double-nested format, unwrapping');
      compliance = parsed.mfa_compliance as Record<string, unknown>;
    } else {
      compliance = parsed;
    }
-    
+
    // Validate that the stored data has the required fields
-    if (!compliance || typeof compliance !== 'object') {
+    if (!compliance || typeof compliance !== 'object') return null;
-      console.log('[AuthContext] loadMfaCompliance: invalid compliance object');
+    if (!Array.isArray(compliance.orgs)) return null;
-      return null;
+
    }
    if (!Array.isArray(compliance.orgs)) {
      console.log('[AuthContext] loadMfaCompliance: orgs is not an array');
      return null;
    }
    // Validate missing_methods exists and is an array
    if (!Array.isArray(compliance.missing_methods)) {
      console.log('[AuthContext] loadMfaCompliance: missing_methods is not an array or missing');
    }
    // Check if at least one org has effective_mode (new field from API)
    // If not, treat as stale data and return null to fetch fresh data
    const hasEffectiveMode = compliance.orgs.some((org: Record<string, unknown>) =>
      typeof org.effective_mode === 'string'
    );
-    
+    if (!hasEffectiveMode) return null;
-    if (!hasEffectiveMode) {
+
      console.log('[AuthContext] loadMfaCompliance: no effective_mode found, treating as stale');
      return null;
    }
    console.log('[AuthContext] loadMfaCompliance: loaded successfully');
    return compliance as unknown as MfaComplianceSummary;
-  } catch (error) {
+  } catch {
    console.log('[AuthContext] loadMfaCompliance: error loading:', error);
    return null;
  }
 }
 export function AuthProvider({ children }: { children: ReactNode }) {
  const [user, setUser] = useState<User | null>(null);
  const [isOrgAdmin, setIsOrgAdmin] = useState(false);
  const [isOrgMember, setIsOrgMember] = useState(false);
  const [mfaCompliance, setMfaCompliance] = useState<MfaComplianceSummary | null>(loadMfaCompliance);
  const [requiresMfaEnrollment, setRequiresMfaEnrollment] = useState(false);
  const [isLoading, setIsLoading] = useState(true);
  const navigate = useNavigate();
  // Helper to check if user is admin/owner in any org
  const checkOrgAdmin = useCallback(async () => {
    try {
      const data = await api.users.organizations();
      const admin = data.organizations.some(
        (org) => org.role === 'owner' || org.role === 'admin'
      );
      setIsOrgAdmin(admin);
      setIsOrgMember(data.organizations.length > 0);
    } catch {
      setIsOrgAdmin(false);
      setIsOrgMember(false);
    }
  }, []);
  const refreshCompliance = useCallback(async () => {
    try {
      const compliance = await api.policies.getMyCompliance();
@@ -148,7 +150,7 @@ export function AuthProvider({ children }: { children: ReactNode }) {
        const response = await api.users.me();
        setUser(response.user);
-        // Also fetch compliance status
+        // Also fetch compliance status and org role
        try {
          const compliance = await api.policies.getMyCompliance();
          setMfaCompliance(compliance);
@@ -159,8 +161,12 @@ export function AuthProvider({ children }: { children: ReactNode }) {
          setMfaCompliance(null);
          persistMfaCompliance(null);
        }
        // Check org admin status
        await checkOrgAdmin();
      } catch {
        setUser(null);
        setIsOrgAdmin(false);
        setIsOrgMember(false);
        setMfaCompliance(null);
        persistMfaCompliance(null);
        setRequiresMfaEnrollment(false);
@@ -172,32 +178,21 @@ export function AuthProvider({ children }: { children: ReactNode }) {
    checkAuth();
  }, []);
-  const login = useCallback(async (email: string, password: string, rememberMe = false): Promise<LoginResult> => {
+  const login = useCallback(async (email: string, password: string, rememberMe = false, skipNavigate = false): Promise<LoginResult> => {
    console.log('[AuthContext] login() called');
    const response = await api.auth.login(email, password, rememberMe);
-    console.log('[AuthContext] login response:', {
+
      requires_totp: response.requires_totp,
      requires_webauthn: response.requires_webauthn,
      requires_mfa_enrollment: response.requires_mfa_enrollment,
      hasToken: !!response.token,
      hasUser: !!response.user
    });
    // If WebAuthn is required, don't set user yet - wait for WebAuthn verification
    if (response.requires_webauthn) {
      console.log('[AuthContext] WebAuthn required, returning early');
      return { requiresTotp: false, requiresWebAuthn: true };
    }
-    
+
    // If TOTP is required, don't set user yet - wait for TOTP verification
    if (response.requires_totp) {
      console.log('[AuthContext] TOTP required, returning early');
      return { requiresTotp: true, requiresWebAuthn: false };
    }
-    
+
    // If MFA enrollment is required (past deadline), set compliance state
    if (response.requires_mfa_enrollment) {
      console.log('[AuthContext] MFA enrollment required, setting compliance state');
      if (response.token) {
        tokenManager.setToken(response.token, response.expires_at ?? null);
      }
@@ -211,48 +206,53 @@ export function AuthProvider({ children }: { children: ReactNode }) {
      setRequiresMfaEnrollment(true);
      return { requiresTotp: false, requiresWebAuthn: false, requiresMfaEnrollment: true };
    }
-    
+
    // Login complete: store token explicitly before setting user state
    // This ensures the token is available for any subsequent API calls
    // (e.g., when navigate('/profile') triggers refreshUser())
    if (response.token) {
      console.log('[AuthContext] Storing token in localStorage');
      tokenManager.setToken(response.token, response.expires_at ?? null);
      console.log('[AuthContext] Token stored, verifying:', tokenManager.getToken()?.substring(0, 20) + '...');
    }
-    
+
    // Set user and navigate
    if (response.user) {
      console.log('[AuthContext] Setting user state and navigating to /profile');
      setUser(response.user);
      if (response.mfa_compliance) {
        setMfaCompliance(response.mfa_compliance);
        persistMfaCompliance(response.mfa_compliance);
      }
      setRequiresMfaEnrollment(false);
-      navigate('/profile');
+      await checkOrgAdmin();
      if (!skipNavigate) {
        if (response.requires_org_setup) {
          navigate('/org-setup', {
            state: {
              pendingInvites: response.pending_invites ?? [],
              isFirstUser: false,
            },
          });
        } else {
          navigate('/profile');
        }
      }
    }
-    return { requiresTotp: false, requiresWebAuthn: false };
+    return {
-  }, [navigate]);
+      requiresTotp: false,
      requiresWebAuthn: false,
      requiresOrgSetup: response.requires_org_setup,
      pendingInvites: response.pending_invites,
    };
  }, [navigate, checkOrgAdmin]);
  const verifyWebAuthn = useCallback(async () => {
    // WebAuthn verification is handled directly in the LoginPage component
    // This is a placeholder for consistency with the interface
    console.log('[AuthContext] verifyWebAuthn called - verification handled in LoginPage');
  }, []);
-  const verifyTotp = useCallback(async (code: string, isBackupCode = false) => {
+  const verifyTotp = useCallback(async (code: string, isBackupCode = false, skipNavigate = false) => {
    const response = await api.totp.verify(code, isBackupCode);
    // Store token explicitly before setting user state
    // This ensures the token is available for any subsequent API calls
    if (response.token) {
      tokenManager.setToken(response.token, response.expires_at ?? null);
    }
    setUser(response.user);
    // Check for MFA compliance in response
    try {
      const compliance = await api.policies.getMyCompliance();
      setMfaCompliance(compliance);
@@ -263,14 +263,19 @@ export function AuthProvider({ children }: { children: ReactNode }) {
      persistMfaCompliance(null);
    }
-    navigate('/profile');
+    await checkOrgAdmin();
-  }, [navigate]);
+    if (!skipNavigate) {
      navigate('/profile');
    }
  }, [navigate, checkOrgAdmin]);
  const logout = useCallback(async () => {
    try {
      await api.auth.logout();
    } finally {
      setUser(null);
      setIsOrgAdmin(false);
      setIsOrgMember(false);
      setMfaCompliance(null);
      persistMfaCompliance(null);
      setRequiresMfaEnrollment(false);
@@ -284,6 +289,8 @@ export function AuthProvider({ children }: { children: ReactNode }) {
        user,
        isLoading,
        isAuthenticated: !!user,
        isOrgAdmin,
        isOrgMember,
        mfaCompliance,
        requiresMfaEnrollment,
        login,
@@ -292,6 +299,7 @@ export function AuthProvider({ children }: { children: ReactNode }) {
        logout,
        refreshUser,
        refreshCompliance,
        checkOrgAdmin,
      }}
    >
      {children}
@@ -0,0 +1,76 @@
 import {
  createContext,
  useContext,
  useState,
  useEffect,
  useCallback,
  ReactNode,
 } from "react";
 import { useQueryClient } from "@tanstack/react-query";
 import { Organization } from "@/lib/api";
 import { useOrganizations } from "@/hooks/useOrganizations";
 import { useAuth } from "@/contexts/AuthContext";
 interface OrgContextType {
  /** The currently selected organisation (null while loading or no memberships). */
  selectedOrg: Organization | null;
  /** Programmatically switch the active organisation and invalidate all org-scoped queries. */
  selectOrg: (org: Organization) => void;
  /** Convenience accessor for the selected org's ID. */
  selectedOrgId: string | null;
 }
 const OrgContext = createContext<OrgContextType | null>(null);
 export function OrgProvider({ children }: { children: ReactNode }) {
  const { isAuthenticated } = useAuth();
  const { data: organizations = [] } = useOrganizations();
  const queryClient = useQueryClient();
  const [selectedOrg, setSelectedOrg] = useState<Organization | null>(null);
  // Auto-select the first org once the list arrives (or when the list changes
  // and the previously selected org is no longer present, e.g. after deletion).
  useEffect(() => {
    if (!isAuthenticated) {
      setSelectedOrg(null);
      return;
    }
    if (organizations.length === 0) return;
    setSelectedOrg((prev) => {
      // Keep the current selection if it still exists in the updated list.
      if (prev && organizations.some((o) => o.id === prev.id)) {
        // Refresh the object in case name/role changed.
        return organizations.find((o) => o.id === prev.id) ?? prev;
      }
      return organizations[0];
    });
  }, [organizations, isAuthenticated]);
  const selectOrg = useCallback(
    (org: Organization) => {
      setSelectedOrg(org);
      // Invalidate all organisation-scoped React Query caches so every page
      // immediately re-fetches data for the newly selected org.
      queryClient.invalidateQueries({ queryKey: ["organizations"] });
      // Invalidate any queries keyed by the previous org id.  The broadest
      // approach is to remove all non-organisations queries so pages reload.
      queryClient.invalidateQueries();
    },
    [queryClient],
  );
  return (
    <OrgContext.Provider
      value={{ selectedOrg, selectOrg, selectedOrgId: selectedOrg?.id ?? null }}
    >
      {children}
    </OrgContext.Provider>
  );
 }
 export function useOrg(): OrgContextType {
  const ctx = useContext(OrgContext);
  if (!ctx) throw new Error("useOrg must be used inside <OrgProvider>");
  return ctx;
 }
@@ -0,0 +1,34 @@
 import { useParams } from "react-router-dom";
 import { useOrganizations } from "@/hooks/useOrganizations";
 import { useOrg } from "@/contexts/OrgContext";
 /**
 * Custom hook to get the current organization from URL params, or the
 * globally-selected org from OrgContext (set via the TopBar org switcher).
 */
 export function useCurrentOrganization() {
  const params = useParams<{ orgId?: string }>();
  const { data: organizations = [], isLoading } = useOrganizations();
  const { selectedOrg } = useOrg();
  // If orgId is in the URL params, use that specific org.
  if (params.orgId) {
    return {
      org: organizations.find((org) => org.id === params.orgId) ?? organizations[0] ?? null,
      isLoading,
    };
  }
  // Otherwise use the org selected via the TopBar switcher (falls back to
  // organizations[0] when OrgContext hasn't initialised yet).
  return { org: selectedOrg ?? organizations[0] ?? null, isLoading };
 }
 /**
 * Get the organization ID from URL params or the globally-selected org.
 * Also returns isLoading so callers can distinguish "no org" from "still loading".
 */
 export function useCurrentOrganizationId(): { orgId: string | null; isLoading: boolean } {
  const { org, isLoading } = useCurrentOrganization();
  return { orgId: org?.id || null, isLoading };
 }
@@ -14,11 +14,8 @@ export function useOrganizations() {
  return useQuery<Organization[], ApiError>({
    queryKey: ["organizations"],
    queryFn: async () => {
      console.log('[useOrganizations] Fetching organizations...');
      const response = await api.users.organizations();
-      console.log('[useOrganizations] Response:', response);
+      return Array.isArray(response.organizations) ? response.organizations : [];
      console.log('[useOrganizations] Organizations array:', response.organizations);
      return response.organizations;
    },
    // Only fetch when user is authenticated
    enabled: isAuthenticated,
@@ -25,6 +25,10 @@ export interface User {
  last_login_at: string | null;
  created_at: string;
  updated_at: string;
  // Fields present in admin list view
  org_role?: string;
  org_id?: string;
  activated?: boolean;
 }
 export interface Organization {
@@ -80,6 +84,12 @@ export interface LoginResponse {
  requires_webauthn?: boolean;
  requires_mfa_enrollment?: boolean;
  mfa_compliance?: MfaComplianceSummary;
  /** Set on login when the user belongs to no organisations. */
  requires_org_setup?: boolean;
  /** Pending invitations for the user's email (present when requires_org_setup is true). */
  pending_invites?: PendingInvite[];
  /** True when the registering user is the very first user on this instance. */
  is_first_user?: boolean;
 }
 export interface TotpEnrollResponse {
@@ -167,6 +177,25 @@ export interface LinkedAccountsResponse {
  unlink_available: boolean;
 }
 export interface PrincipalOption {
  id: string;
  name: string;
  description: string | null;
 }
 export interface MyPrincipalsOrg {
  org_id: string;
  org_name: string;
  role: string;
  is_admin: boolean;
  my_principals: PrincipalOption[];
  all_principals: PrincipalOption[]; // populated for admin/owner only
 }
 export interface MyPrincipalsResponse {
  orgs: MyPrincipalsOrg[];
 }
 export interface OAuthAuthorizeResponse {
  authorization_url: string;
  state: string;
@@ -211,42 +240,30 @@ export const tokenManager = {
    if (token && expiry) {
      const expiryDate = new Date(expiry);
      if (expiryDate <= new Date()) {
        console.log('[TokenManager] Token expired, clearing');
        tokenManager.clearToken();
        return null;
      }
    }
    if (token) {
      console.log('[TokenManager] Token retrieved:', token.substring(0, 20) + '...');
    } else {
      console.log('[TokenManager] No token found in localStorage');
    }
    return token;
  },
  setToken: (token: string, expiresAt?: string | null): void => {
    console.log('[TokenManager] Setting token, expiresAt:', expiresAt);
    localStorage.setItem(TOKEN_KEY, token);
    if (expiresAt) {
      localStorage.setItem(TOKEN_EXPIRY_KEY, expiresAt);
    } else {
      localStorage.removeItem(TOKEN_EXPIRY_KEY);
    }
    console.log('[TokenManager] Token set successfully');
  },
  clearToken: (): void => {
    console.log('[TokenManager] Clearing token from localStorage');
    localStorage.removeItem(TOKEN_KEY);
    localStorage.removeItem(TOKEN_EXPIRY_KEY);
  },
  hasValidToken: (): boolean => {
-    const hasToken = tokenManager.getToken() !== null;
+    return tokenManager.getToken() !== null;
    console.log('[TokenManager] hasValidToken:', hasToken);
    return hasToken;
  },
 };
@@ -292,9 +309,6 @@ async function request<T>(
    const token = tokenManager.getToken();
    if (token) {
      headers['Authorization'] = `Bearer ${token}`;
      console.log('[API] Added Authorization header for endpoint:', endpoint);
    } else {
      console.log('[API] WARNING: No token available for authenticated endpoint:', endpoint);
    }
  }
@@ -370,6 +384,55 @@ export const api = {
      return response;
    },
    register: async (email: string, password: string, full_name?: string): Promise<LoginResponse> => {
      const response = await request<LoginResponse>('/auth/register', {
        method: 'POST',
        body: JSON.stringify({ email, password, password_confirm: password, full_name }),
      }, false);
      if (response.token) {
        tokenManager.setToken(response.token, response.expires_at ?? null);
      }
      return response;
    },
    forgotPassword: (email: string): Promise<{ message: string }> =>
      request<{ message: string }>('/auth/forgot-password', {
        method: 'POST',
        body: JSON.stringify({ email }),
      }, false),
    resetPassword: (token: string, password: string): Promise<{ message: string }> =>
      request<{ message: string }>('/auth/reset-password', {
        method: 'POST',
        body: JSON.stringify({ token, password, password_confirm: password }),
      }, false),
    verifyEmail: (token: string): Promise<{ message: string }> =>
      request<{ message: string }>('/auth/verify-email', {
        method: 'POST',
        body: JSON.stringify({ token }),
      }, false),
    resendVerification: (email: string): Promise<{ message: string }> =>
      request<{ message: string }>('/auth/resend-verification', {
        method: 'POST',
        body: JSON.stringify({ email }),
      }, false),
    activate: (activation_key: string): Promise<{ message: string }> =>
      request<{ message: string }>('/auth/activate', {
        method: 'POST',
        body: JSON.stringify({ activation_key }),
      }, false),
    resendActivation: (email: string): Promise<{ message: string }> =>
      request<{ message: string }>('/auth/resend-activation', {
        method: 'POST',
        body: JSON.stringify({ email }),
      }, false),
    logout: async (): Promise<void> => {
      try {
        await request<void>('/auth/logout', {
@@ -392,9 +455,17 @@ export const api = {
        body: JSON.stringify(data),
      }),
    // Delete the current user's own account (soft delete)
    deleteMe: (requestConfig?: RequestConfig) =>
      request<{ message: string }>('/users/me', { method: 'DELETE' }, true, requestConfig),
    organizations: (requestConfig?: RequestConfig) =>
      request<OrganizationsResponse>('/users/me/organizations', {}, true, requestConfig),
    // Get the current user's effective principals across all orgs
    myPrincipals: (requestConfig?: RequestConfig) =>
      request<MyPrincipalsResponse>('/users/me/principals', {}, true, requestConfig),
    // Password change can return 401 for wrong current password - don't clear token
    changePassword: (currentPassword: string, newPassword: string, newPasswordConfirm: string) =>
      request<{ message: string }>('/users/me/password', {
@@ -405,6 +476,101 @@ export const api = {
          new_password_confirm: newPasswordConfirm,
        }),
      }, true, { clearTokenOn401: false }),
    // Get audit logs for the currently authenticated user
    auditLogs: (params?: Record<string, string>, requestConfig?: RequestConfig) =>
      request<{ audit_logs: AuditLogEntry[]; count: number; page: number; per_page: number; pages: number }>(
        `/auth/audit-logs${params ? '?' + new URLSearchParams(params).toString() : ''}`,
        {},
        true,
        requestConfig,
      ),
    // Get pending (unaccepted) invitations for the logged-in user
    getMyInvites: (requestConfig?: RequestConfig) =>
      request<{ invites: PendingInvite[] }>('/users/me/invites', {}, true, requestConfig),
    // Get the current user's department + principal memberships across all orgs
    getMyMemberships: (requestConfig?: RequestConfig) =>
      request<{ orgs: MyOrgMembership[] }>('/users/me/memberships', {}, true, requestConfig),
  },
  admin: {
    // Get all system audit logs (admin view — returns all logs for org owners, own logs otherwise)
    getAuditLogs: (params?: Record<string, string>, requestConfig?: RequestConfig) =>
      request<{ audit_logs: AuditLogEntry[]; count: number; page: number; per_page: number; pages: number; is_admin_view: boolean }>(
        `/audit-logs${params ? '?' + new URLSearchParams(params).toString() : ''}`,
        {},
        true,
        requestConfig,
      ),
    // List users visible to the calling admin
    listUsers: (params?: Record<string, string>, requestConfig?: RequestConfig) =>
      request<{ users: User[]; count: number; page: number; per_page: number; pages: number }>(
        `/admin/users${params ? '?' + new URLSearchParams(params).toString() : ''}`,
        {},
        true,
        requestConfig,
      ),
    // Get a single user's profile + SSH keys (admin view)
    getUser: (userId: string, requestConfig?: RequestConfig) =>
      request<{ user: User; ssh_keys: SSHKey[] }>(`/admin/users/${userId}`, {}, true, requestConfig),
    // Update a user's role in a shared org (admin action)
    updateUserRole: (orgId: string, userId: string, role: string, requestConfig?: RequestConfig) =>
      request<{ member: OrganizationMember }>(`/organizations/${orgId}/members/${userId}/role`, {
        method: 'PATCH',
        body: JSON.stringify({ role }),
      }, true, requestConfig),
    // List application-level OAuth provider configurations
    listOAuthProviders: (requestConfig?: RequestConfig) =>
      request<{ providers: { id: string; name: string; is_configured: boolean; is_enabled: boolean; client_id: string | null }[] }>(
        '/admin/oauth/providers', {}, true, requestConfig,
      ),
    // Create or update an application-level OAuth provider
    configureOAuthProvider: (provider: string, clientId: string, clientSecret: string, isEnabled: boolean, requestConfig?: RequestConfig) =>
      request<{ provider: { id: string; client_id: string; is_enabled: boolean } }>(
        `/admin/oauth/providers/${provider}`,
        { method: 'PUT', body: JSON.stringify({ client_id: clientId, client_secret: clientSecret, is_enabled: isEnabled }) },
        true,
        requestConfig,
      ),
    // Delete an application-level OAuth provider
    deleteOAuthProvider: (provider: string, requestConfig?: RequestConfig) =>
      request<Record<string, never>>(`/admin/oauth/providers/${provider}`, { method: 'DELETE' }, true, requestConfig),
    // Suspend a user account (blocks login & CA issuance)
    suspendUser: (userId: string, requestConfig?: RequestConfig) =>
      request<{ user: User }>(`/admin/users/${userId}/suspend`, { method: 'POST' }, true, requestConfig),
    // Restore a suspended user to active status
    unsuspendUser: (userId: string, requestConfig?: RequestConfig) =>
      request<{ user: User }>(`/admin/users/${userId}/unsuspend`, { method: 'POST' }, true, requestConfig),
    // Permanently delete a user — revokes certs, cascades DB delete, unrecoverable
    hardDeleteUser: (userId: string, requestConfig?: RequestConfig) =>
      request<{ deleted_user_id: string; deleted_user_email: string; ssh_keys_deleted: number; certs_revoked: number }>(
        `/admin/users/${userId}/delete`,
        { method: 'POST', body: JSON.stringify({ confirm: true }) },
        true,
        requestConfig,
      ),
    // Get the cert policy for a department
    getDeptCertPolicy: (orgId: string, deptId: string, requestConfig?: RequestConfig) =>
      request<{ cert_policy: DeptCertPolicy }>(`/organizations/${orgId}/departments/${deptId}/cert-policy`, {}, true, requestConfig),
    // Create or update the cert policy for a department
    setDeptCertPolicy: (orgId: string, deptId: string, policy: Partial<DeptCertPolicy>, requestConfig?: RequestConfig) =>
      request<{ cert_policy: DeptCertPolicy }>(`/organizations/${orgId}/departments/${deptId}/cert-policy`, {
        method: 'PUT',
        body: JSON.stringify(policy),
      }, true, requestConfig),
  },
  totp: {
@@ -635,8 +801,477 @@ export const api = {
        credentials: 'include',
      }),
  },
  organizations: {
    // Create a new organization (caller becomes owner)
    create: (name: string, slug: string, description?: string) =>
      request<{ organization: Organization }>('/organizations', {
        method: 'POST',
        body: JSON.stringify({ name, slug, description }),
      }, true),
    // Get organization by ID
    getById: (orgId: string, requestConfig?: RequestConfig) =>
      request<{ organization: Organization; member_count: number }>(`/organizations/${orgId}`, {}, true, requestConfig),
    // Delete an organization (owner only; must have no other members)
    deleteOrganization: (orgId: string, requestConfig?: RequestConfig) =>
      request<{ message: string }>(`/organizations/${orgId}`, { method: 'DELETE' }, true, requestConfig),
    // Get organization members
    getMembers: (orgId: string, requestConfig?: RequestConfig) =>
      request<{ members: OrganizationMember[]; count: number }>(`/organizations/${orgId}/members`, {}, true, requestConfig),
    // Add member to organization
    addMember: (orgId: string, email: string, role: string, requestConfig?: RequestConfig) =>
      request<{ member: OrganizationMember }>(`/organizations/${orgId}/members`, {
        method: 'POST',
        body: JSON.stringify({ email, role }),
      }, true, requestConfig),
    // Remove member from organization
    removeMember: (orgId: string, userId: string, requestConfig?: RequestConfig) =>
      request<{ message: string }>(`/organizations/${orgId}/members/${userId}`, {
        method: 'DELETE',
      }, true, requestConfig),
    // Update member role
    updateMemberRole: (orgId: string, userId: string, role: string, requestConfig?: RequestConfig) =>
      request<{ member: OrganizationMember }>(`/organizations/${orgId}/members/${userId}/role`, {
        method: 'PATCH',
        body: JSON.stringify({ role }),
      }, true, requestConfig),
    // Get organization audit logs
    getAuditLogs: (orgId: string, params?: Record<string, string>, requestConfig?: RequestConfig) =>
      request<{ audit_logs: AuditLogEntry[]; count: number }>(
        `/organizations/${orgId}/audit-logs${params ? '?' + new URLSearchParams(params).toString() : ''}`,
        {},
        true,
        requestConfig
      ),
    // Get departments
    getDepartments: (orgId: string, requestConfig?: RequestConfig) =>
      request<{ departments: Department[]; count: number }>(`/organizations/${orgId}/departments`, {}, true, requestConfig),
    // Create department
    createDepartment: (orgId: string, name: string, description?: string, requestConfig?: RequestConfig) =>
      request<{ department: Department }>(`/organizations/${orgId}/departments`, {
        method: 'POST',
        body: JSON.stringify({ name, description }),
      }, true, requestConfig),
    // Update department
    updateDepartment: (orgId: string, deptId: string, data: { name?: string; description?: string }, requestConfig?: RequestConfig) =>
      request<{ department: Department }>(`/organizations/${orgId}/departments/${deptId}`, {
        method: 'PATCH',
        body: JSON.stringify(data),
      }, true, requestConfig),
    // Delete department
    deleteDepartment: (orgId: string, deptId: string, requestConfig?: RequestConfig) =>
      request<{ message: string }>(`/organizations/${orgId}/departments/${deptId}`, {
        method: 'DELETE',
      }, true, requestConfig),
    // Get department members
    getDepartmentMembers: (orgId: string, deptId: string, requestConfig?: RequestConfig) =>
      request<{ members: DepartmentMember[]; count: number }>(`/organizations/${orgId}/departments/${deptId}/members`, {}, true, requestConfig),
    // Add member to department
    addDepartmentMember: (orgId: string, deptId: string, email: string, requestConfig?: RequestConfig) =>
      request<{ member: DepartmentMember }>(`/organizations/${orgId}/departments/${deptId}/members`, {
        method: 'POST',
        body: JSON.stringify({ email }),
      }, true, requestConfig),
    // Remove member from department
    removeDepartmentMember: (orgId: string, deptId: string, userId: string, requestConfig?: RequestConfig) =>
      request<{ message: string }>(`/organizations/${orgId}/departments/${deptId}/members/${userId}`, {
        method: 'DELETE',
      }, true, requestConfig),
    // Get principals
    getPrincipals: (orgId: string, requestConfig?: RequestConfig) =>
      request<{ principals: Principal[]; count: number }>(`/organizations/${orgId}/principals`, {}, true, requestConfig),
    // Create principal
    createPrincipal: (orgId: string, name: string, description?: string, requestConfig?: RequestConfig) =>
      request<{ principal: Principal }>(`/organizations/${orgId}/principals`, {
        method: 'POST',
        body: JSON.stringify({ name, description }),
      }, true, requestConfig),
    // Update principal
    updatePrincipal: (orgId: string, principalId: string, data: { name?: string; description?: string }, requestConfig?: RequestConfig) =>
      request<{ principal: Principal }>(`/organizations/${orgId}/principals/${principalId}`, {
        method: 'PATCH',
        body: JSON.stringify(data),
      }, true, requestConfig),
    // Delete principal
    deletePrincipal: (orgId: string, principalId: string, requestConfig?: RequestConfig) =>
      request<{ message: string }>(`/organizations/${orgId}/principals/${principalId}`, {
        method: 'DELETE',
      }, true, requestConfig),
    // Get principal members
    getPrincipalMembers: (orgId: string, principalId: string, requestConfig?: RequestConfig) =>
      request<{ members: PrincipalMember[]; count: number }>(`/organizations/${orgId}/principals/${principalId}/members`, {}, true, requestConfig),
    // Add member to principal
    addPrincipalMember: (orgId: string, principalId: string, email: string, requestConfig?: RequestConfig) =>
      request<{ member: PrincipalMember }>(`/organizations/${orgId}/principals/${principalId}/members`, {
        method: 'POST',
        body: JSON.stringify({ email }),
      }, true, requestConfig),
    // Remove member from principal
    removePrincipalMember: (orgId: string, principalId: string, userId: string, requestConfig?: RequestConfig) =>
      request<{ message: string }>(`/organizations/${orgId}/principals/${principalId}/members/${userId}`, {
        method: 'DELETE',
      }, true, requestConfig),
    // Link principal to department
    linkPrincipalToDepartment: (orgId: string, principalId: string, departmentId: string, requestConfig?: RequestConfig) =>
      request<{ message: string }>(`/organizations/${orgId}/principals/${principalId}/departments/${departmentId}`, {
        method: 'POST',
      }, true, requestConfig),
    // Unlink principal from department
    unlinkPrincipalFromDepartment: (orgId: string, principalId: string, departmentId: string, requestConfig?: RequestConfig) =>
      request<{ message: string }>(`/organizations/${orgId}/principals/${principalId}/departments/${departmentId}`, {
        method: 'DELETE',
      }, true, requestConfig),
    // Get departments linked to a principal
    getPrincipalDepartments: (orgId: string, principalId: string, requestConfig?: RequestConfig) =>
      request<{ departments: Department[]; count: number }>(`/organizations/${orgId}/principals/${principalId}/departments`, {}, true, requestConfig),
    // Get principals linked to a department
    getDepartmentPrincipals: (orgId: string, deptId: string, requestConfig?: RequestConfig) =>
      request<{ principals: Principal[]; count: number }>(`/organizations/${orgId}/departments/${deptId}/principals`, {}, true, requestConfig),
    // Create invite token
    createInvite: (orgId: string, email: string, role: string, requestConfig?: RequestConfig) =>
      request<{ invite: OrgInvite }>(`/organizations/${orgId}/invites`, {
        method: 'POST',
        body: JSON.stringify({ email, role }),
      }, true, requestConfig),
    // List pending invites for an organization
    getInvites: (orgId: string, requestConfig?: RequestConfig) =>
      request<{ invites: OrgInvite[] }>(`/organizations/${orgId}/invites`, {}, true, requestConfig),
    // Cancel (delete) an invite
    cancelInvite: (orgId: string, inviteId: string, requestConfig?: RequestConfig) =>
      request<{ message: string }>(`/organizations/${orgId}/invites/${inviteId}`, {
        method: 'DELETE',
      }, true, requestConfig),
    // List OIDC clients
    getClients: (orgId: string, requestConfig?: RequestConfig) =>
      request<{ clients: OIDCClient[]; count: number }>(`/organizations/${orgId}/clients`, {}, true, requestConfig),
    // Create OIDC client
    createClient: (orgId: string, name: string, redirect_uris: string[], requestConfig?: RequestConfig) =>
      request<{ client: OIDCClientWithSecret }>(`/organizations/${orgId}/clients`, {
        method: 'POST',
        body: JSON.stringify({ name, redirect_uris }),
      }, true, requestConfig),
    // Delete OIDC client
    deleteClient: (orgId: string, clientId: string, requestConfig?: RequestConfig) =>
      request<{ message: string }>(`/organizations/${orgId}/clients/${clientId}`, {
        method: 'DELETE',
      }, true, requestConfig),
    // Send MFA reminder to a member
    sendMfaReminder: (orgId: string, userId: string, requestConfig?: RequestConfig) =>
      request<{ message: string }>(`/organizations/${orgId}/members/${userId}/send-mfa-reminder`, {
        method: 'POST',
      }, true, requestConfig),
    // Transfer organization ownership to another member
    transferOwnership: (orgId: string, newOwnerUserId: string, requestConfig?: RequestConfig) =>
      request<{ previous_owner: OrganizationMember; new_owner: OrganizationMember }>(
        `/organizations/${orgId}/transfer-ownership`,
        { method: 'POST', body: JSON.stringify({ new_owner_user_id: newOwnerUserId }) },
        true,
        requestConfig,
      ),
    // List Certificate Authorities for an org
    getCAs: (orgId: string, requestConfig?: RequestConfig) =>
      request<{ cas: OrgCA[]; count: number }>(`/organizations/${orgId}/cas`, {}, true, requestConfig),
    // Create a new Certificate Authority for an org
    createCA: (orgId: string, data: { name: string; description?: string; ca_type?: 'user' | 'host'; key_type?: 'ed25519' | 'rsa' | 'ecdsa'; default_cert_validity_hours?: number; max_cert_validity_hours?: number }, requestConfig?: RequestConfig) =>
      request<{ ca: OrgCA }>(`/organizations/${orgId}/cas`, {
        method: 'POST',
        body: JSON.stringify(data),
      }, true, requestConfig),
    // Update CA configuration
    updateCA: (orgId: string, caId: string, data: { default_cert_validity_hours?: number; max_cert_validity_hours?: number }, requestConfig?: RequestConfig) =>
      request<{ ca: OrgCA }>(`/organizations/${orgId}/cas/${caId}`, {
        method: 'PATCH',
        body: JSON.stringify(data),
      }, true, requestConfig),
    // Rotate (replace) a CA's key pair — returns updated CA + old_fingerprint
    rotateCA: (orgId: string, caId: string, data?: { key_type?: 'ed25519' | 'rsa' | 'ecdsa'; reason?: string }, requestConfig?: RequestConfig) =>
      request<{ ca: OrgCA; old_fingerprint: string }>(`/organizations/${orgId}/cas/${caId}/rotate`, {
        method: 'POST',
        body: JSON.stringify(data ?? {}),
      }, true, requestConfig),
    // Soft-delete a CA
    deleteCA: (orgId: string, caId: string, requestConfig?: RequestConfig) =>
      request<{ ca_id: string }>(`/organizations/${orgId}/cas/${caId}`, {
        method: 'DELETE',
      }, true, requestConfig),
  },
  invites: {
    // Get invite details by token (unauthenticated)
    getInfo: (token: string) =>
      request<{ email: string; organization: { id: string; name: string }; role: string; user_exists?: boolean }>(
        `/invites/${token}`,
        {},
        false,
      ),
    // Accept invite (unauthenticated) — password/name only needed for new accounts
    accept: (token: string, full_name?: string, password?: string) =>
      request<LoginResponse>(
        `/invites/${token}/accept`,
        {
          method: 'POST',
          body: JSON.stringify({ full_name, password, password_confirm: password }),
        },
        false,
      ),
  },
  ssh: {
    // List all SSH keys for the current user
    listKeys: (requestConfig?: RequestConfig) =>
      request<SSHKeysResponse>('/ssh/keys', {}, true, requestConfig),
    // Add a new SSH public key
    addKey: (public_key: string, description?: string, requestConfig?: RequestConfig) =>
      request<SSHKey>('/ssh/keys', {
        method: 'POST',
        body: JSON.stringify({ public_key, description }),
      }, true, requestConfig),
    // Delete an SSH key
    deleteKey: (keyId: string, requestConfig?: RequestConfig) =>
      request<{ status: string }>(`/ssh/keys/${keyId}`, {
        method: 'DELETE',
      }, true, requestConfig),
    // Update SSH key description
    updateKeyDescription: (keyId: string, description: string, requestConfig?: RequestConfig) =>
      request<SSHKey>(`/ssh/keys/${keyId}/update-description`, {
        method: 'PATCH',
        body: JSON.stringify({ description }),
      }, true, requestConfig),
    // Get a verification challenge for a key
    getChallenge: (keyId: string, requestConfig?: RequestConfig) =>
      request<SSHChallengeResponse>(`/ssh/keys/${keyId}/verify`, {}, true, requestConfig),
    // Submit signature to verify key ownership
    verifyKey: (keyId: string, signature: string, requestConfig?: RequestConfig) =>
      request<SSHVerifyResponse>(`/ssh/keys/${keyId}/verify`, {
        method: 'POST',
        body: JSON.stringify({ signature, action: 'verify_signature' }),
      }, true, requestConfig),
    // Sign a certificate for the given key
    signCertificate: (key_id: string, principals?: string[], cert_type?: 'user' | 'host', expiry_hours?: number, requestConfig?: RequestConfig) =>
      request<SSHSignResponse>('/ssh/sign', {
        method: 'POST',
        body: JSON.stringify({ key_id, principals, cert_type, expiry_hours }),
      }, true, requestConfig),
    // Get the merged department certificate policy for the current user (used in sign dialog)
    getMyDeptCertPolicy: (requestConfig?: RequestConfig) =>
      request<{ policy: DeptCertPolicy }>('/ssh/dept-cert-policy', {}, true, requestConfig),
    // List issued certificates for the current user
    listCertificates: (requestConfig?: RequestConfig) =>
      request<{ certificates: SSHCertificate[]; count: number }>('/ssh/certificates', {}, true, requestConfig),
    // Get a single certificate (includes full cert text)
    getCertificate: (certId: string, requestConfig?: RequestConfig) =>
      request<SSHCertificate>(`/ssh/certificates/${certId}`, {}, true, requestConfig),
    // Revoke a certificate
    revokeCertificate: (certId: string, reason?: string, requestConfig?: RequestConfig) =>
      request<{ status: string; cert_id: string; reason: string }>(`/ssh/certificates/${certId}/revoke`, {
        method: 'POST',
        body: JSON.stringify({ reason }),
      }, true, requestConfig),
    // Get the CA public key for the current user's org
    getCaPublicKey: (requestConfig?: RequestConfig) =>
      request<{ public_key: string; fingerprint: string; ca_name: string; source: string }>('/ssh/ca/public-key', {}, true, requestConfig),
    // Add SSH key on behalf of another user (admin)
    adminAddKey: (userId: string, public_key: string, description?: string, requestConfig?: RequestConfig) =>
      request<SSHKey>(`/ssh/keys/admin/${userId}`, {
        method: 'POST',
        body: JSON.stringify({ public_key, description }),
      }, true, requestConfig),
    // List CA permissions for a CA
    listCaPermissions: (caId: string, requestConfig?: RequestConfig) =>
      request<{ ca_id: string; permissions: CAPermission[]; open_to_all: boolean }>(`/ssh/ca/${caId}/permissions`, {}, true, requestConfig),
    // Grant a user permission on a CA
    addCaPermission: (caId: string, user_id: string, permission: 'sign' | 'admin', requestConfig?: RequestConfig) =>
      request<{ message: string; permission: CAPermission }>(`/ssh/ca/${caId}/permissions`, {
        method: 'POST',
        body: JSON.stringify({ user_id, permission }),
      }, true, requestConfig),
    // Revoke a user's CA permission
    removeCaPermission: (caId: string, userId: string, requestConfig?: RequestConfig) =>
      request<{ message: string }>(`/ssh/ca/${caId}/permissions/${userId}`, {
        method: 'DELETE',
      }, true, requestConfig),
  },
 };
 // Organization types
 export interface OrganizationMember {
  id: string;
  user_id: string;
  organization_id: string;
  role: string;
  created_at: string;
  updated_at: string;
  user?: User;
 }
 export interface AuditLogEntry {
  id: string;
  action: string;
  user_id: string | null;
  organization_id: string | null;
  resource_type: string | null;
  resource_id: string | null;
  ip_address: string | null;
  user_agent: string | null;
  request_id: string | null;
  description: string | null;
  success: boolean;
  error_message: string | null;
  metadata?: Record<string, unknown>;
  created_at: string;
  updated_at: string;
  user?: User;
 }
 export interface Department {
  id: string;
  organization_id: string;
  name: string;
  description: string | null;
  created_at: string;
  updated_at: string;
  deleted_at: string | null;
 }
 export const STANDARD_SSH_EXTENSIONS = [
  'permit-X11-forwarding',
  'permit-agent-forwarding',
  'permit-pty',
  'permit-port-forwarding',
  'permit-user-rc',
 ] as const;
 export interface DeptCertPolicy {
  department_id: string;
  allow_user_expiry: boolean;
  default_expiry_hours: number;
  max_expiry_hours: number;
  allowed_extensions: string[];
  custom_extensions: string[];
  all_extensions?: string[];
  standard_extensions?: string[];
 }
 export interface PendingInvite {
  token: string;
  organization: { id: string; name: string };
  role: string;
  expires_at: string;
 }
 export interface MyOrgMembership {
  org_id: string;
  org_name: string;
  role: string;
  departments: { id: string; name: string; description: string | null }[];
  principals: { id: string; name: string; description: string | null; via_department: boolean }[];
 }
 export interface DepartmentMember {
  id: string;
  user_id: string;
  department_id: string;
  created_at: string;
  updated_at: string;
  user?: User;
 }
 export interface Principal {
  id: string;
  organization_id: string;
  name: string;
  description: string | null;
  created_at: string;
  updated_at: string;
  deleted_at: string | null;
 }
 export interface PrincipalMember {
  id: string;
  user_id: string;
  principal_id: string;
  created_at: string;
  updated_at: string;
  user?: User;
 }
 export interface OrgInvite {
  id: string;
  email: string;
  role: string;
  expires_at: string;
  invite_link?: string;  // only present on create response (dev/when email disabled)
 }
 export interface OIDCClient {
  id: string;
  name: string;
  client_id: string;
  redirect_uris: string[];
  scopes: string[];
  grant_types: string[];
  is_active: boolean;
  created_at: string;
 }
 export interface OIDCClientWithSecret extends OIDCClient {
  client_secret: string;
 }
 // Policy types
 export interface OrgPolicyResponse {
  security_policy: {
@@ -673,6 +1308,98 @@ export interface OrgComplianceMember {
 export { ApiError };
 // SSH Key types
 export interface SSHKey {
  id: string;
  user_id: string;
  public_key: string;
  description: string | null;
  key_type: string | null;
  fingerprint: string | null;
  verified: boolean;
  verified_at: string | null;
  created_at: string;
  updated_at: string;
 }
 export interface SSHKeysResponse {
  keys: SSHKey[];
  count: number;
 }
 export interface SSHChallengeResponse {
  challenge_text: string;
  validationText: string;
  key_id: string;
 }
 export interface SSHVerifyResponse {
  verified: boolean;
 }
 export interface SSHCertificate {
  id: string;
  user_id: string;
  ssh_key_id: string | null;
  certificate: string;
  serial: number | null;
  key_id: string | null;
  cert_type: string;
  principals: string[];
  valid_after: string;
  valid_before: string;
  revoked: boolean;
  status: string;
  created_at: string;
 }
 export interface SSHSignResponse {
  certificate: string;
  serial: number;
  principals: string[];
  valid_after: string;
  valid_before: string;
  cert_id?: string;
 }
 export interface CAPermission {
  id: string;
  ca_id: string;
  user_id: string;
  user_email: string | null;
  permission: 'sign' | 'admin';
  created_at: string;
 }
 export interface OrgCA {
  id: string;
  organization_id: string | null;
  name: string;
  description: string | null;
  ca_type: 'user' | 'host';
  key_type: string;
  public_key: string;
  fingerprint: string;
  is_active: boolean;
  /** True when this entry represents the server-wide config-file CA.
   *  System CAs are read-only — they cannot be edited, deleted, or replaced
   *  from the UI. */
  is_system?: boolean;
  default_cert_validity_hours: number;
  max_cert_validity_hours: number;
  total_certs: number;
  active_certs: number;
  revoked_certs: number;
  /** Next serial number that will be assigned when a certificate is issued. */
  next_serial_number: number | null;
  created_at: string | null;
  updated_at: string | null;
  /** Set when the key was last rotated. */
  rotated_at: string | null;
  /** Reason provided when the key was last rotated. */
  rotation_reason: string | null;
 }
 // Reusable 403 error handler for API calls
 // Shows a user-friendly toast message when access is denied
 export function create403Handler(toastFn: (options: { title: string; description: string; variant: "destructive" }) => void) {
@@ -1,13 +1,21 @@
 import { useEffect } from "react";
 import { useNavigate } from "react-router-dom";
 import { useAuth } from "@/contexts/AuthContext";
 const Index = () => {
  const navigate = useNavigate();
  const { isAuthenticated, isOrgMember, isLoading } = useAuth();
  useEffect(() => {
-    // Redirect to login for now - will be replaced with auth check
+    if (isLoading) return; // Wait for auth check to complete
-    navigate("/login");
+
-  }, [navigate]);
+    if (isAuthenticated) {
      // If the user has no org yet, send them to the org-setup page first
      navigate(isOrgMember ? "/profile" : "/org-setup", { replace: true });
    } else {
      navigate("/login");
    }
  }, [isLoading, isAuthenticated, isOrgMember, navigate]);
  return null;
 };
@@ -0,0 +1,733 @@
 import { useState, useCallback, useEffect } from "react";
 import {
  Search,
  User,
  CheckCircle,
  XCircle,
  Key,
  Loader2,
  Plus,
  ChevronRight,
  ShieldCheck,
  Shield,
  Ban,
  UserCheck,
  AlertTriangle,
  Trash2,
 } from "lucide-react";
 import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Label } from "@/components/ui/label";
 import { Badge } from "@/components/ui/badge";
 import { Textarea } from "@/components/ui/textarea";
 import {
  Card,
  CardContent,
  CardDescription,
  CardHeader,
  CardTitle,
 } from "@/components/ui/card";
 import {
  Sheet,
  SheetContent,
  SheetDescription,
  SheetHeader,
  SheetTitle,
 } from "@/components/ui/sheet";
 import {
  Dialog,
  DialogContent,
  DialogDescription,
  DialogFooter,
  DialogHeader,
  DialogTitle,
 } from "@/components/ui/dialog";
 import {
  Select,
  SelectContent,
  SelectItem,
  SelectTrigger,
  SelectValue,
 } from "@/components/ui/select";
 import { useToast } from "@/hooks/use-toast";
 import { api, User as ApiUser, SSHKey, ApiError } from "@/lib/api";
 import { useAuth } from "@/contexts/AuthContext";
 function formatDate(d: string | null) {
  if (!d) return "—";
  return new Date(d).toLocaleDateString(undefined, { year: "numeric", month: "short", day: "numeric" });
 }
 function isSuspended(status: string | undefined) {
  return status === "suspended" || status === "compliance_suspended";
 }
 function RoleBadge({ role }: { role: string }) {
  const r = (role || "").toLowerCase();
  if (r === "owner") {
    return (
      <Badge className="bg-purple-500/10 text-purple-600 border-purple-200 text-xs">
        <ShieldCheck className="w-3 h-3 mr-1" />Owner
      </Badge>
    );
  }
  if (r === "admin") {
    return (
      <Badge className="bg-blue-500/10 text-blue-600 border-blue-200 text-xs">
        <Shield className="w-3 h-3 mr-1" />Admin
      </Badge>
    );
  }
  return (
    <Badge variant="outline" className="text-xs text-muted-foreground">
      Member
    </Badge>
  );
 }
 export default function AdminUsersPage() {
  const { toast } = useToast();
  const { user: currentUser } = useAuth();
  // User list
  const [users, setUsers] = useState<ApiUser[]>([]);
  const [total, setTotal] = useState(0);
  const [page, setPage] = useState(1);
  const [pages, setPages] = useState(1);
  const [isLoading, setIsLoading] = useState(false);
  const [search, setSearch] = useState("");
  const [debouncedSearch, setDebouncedSearch] = useState("");
  const [roleFilter, setRoleFilter] = useState("all");
  // Debounce search
  useEffect(() => {
    const t = setTimeout(() => setDebouncedSearch(search), 300);
    return () => clearTimeout(t);
  }, [search]);
  // User detail drawer
  const [selectedUser, setSelectedUser] = useState<ApiUser | null>(null);
  const [userSshKeys, setUserSshKeys] = useState<SSHKey[]>([]);
  const [isDrawerLoading, setIsDrawerLoading] = useState(false);
  // Role update
  const [isUpdatingRole, setIsUpdatingRole] = useState(false);
  // Admin add SSH key dialog
  const [showAddKey, setShowAddKey] = useState(false);
  const [addKeyPublicKey, setAddKeyPublicKey] = useState("");
  const [addKeyDescription, setAddKeyDescription] = useState("");
  const [isAddingKey, setIsAddingKey] = useState(false);
  const [addKeyError, setAddKeyError] = useState<string | null>(null);
  // Suspend / unsuspend
  const [isSuspending, setIsSuspending] = useState(false);
  const [showSuspendConfirm, setShowSuspendConfirm] = useState(false);
  // Hard delete
  const [showHardDelete, setShowHardDelete] = useState(false);
  const [hardDeleteConfirmEmail, setHardDeleteConfirmEmail] = useState("");
  const [isHardDeleting, setIsHardDeleting] = useState(false);
  // ── Fetch users ─────────────────────────────────────────────────────────────
  const fetchUsers = useCallback(async (q: string, pg: number) => {
    setIsLoading(true);
    try {
      const params: Record<string, string> = { page: String(pg), per_page: "50" };
      if (q) params.q = q;
      const data = await api.admin.listUsers(params);
      setUsers(data.users);
      setTotal(data.count);
      setPages(data.pages);
    } catch (err) {
      if (err instanceof ApiError && err.code === 403) {
        toast({
          variant: "destructive",
          title: "Access denied",
          description: "Admin or owner role required to view all users.",
        });
      } else {
        toast({ variant: "destructive", title: "Failed to load users" });
      }
    } finally {
      setIsLoading(false);
    }
  }, [toast]);
  useEffect(() => {
    setPage(1);
    fetchUsers(debouncedSearch, 1);
  }, [debouncedSearch, fetchUsers]);
  useEffect(() => {
    fetchUsers(debouncedSearch, page);
  }, [page]); // eslint-disable-line react-hooks/exhaustive-deps
  // ── Open user drawer ─────────────────────────────────────────────────────────
  const openUserDrawer = async (user: ApiUser) => {
    setSelectedUser(user);
    setUserSshKeys([]);
    setIsDrawerLoading(true);
    try {
      const data = await api.admin.getUser(user.id);
      setUserSshKeys(data.ssh_keys);
    } catch {
      // Non-fatal — drawer still shows basic user info
    } finally {
      setIsDrawerLoading(false);
    }
  };
  // ── Update role ──────────────────────────────────────────────────────────────
  const handleRoleChange = async (newRole: string) => {
    if (!selectedUser || !selectedUser.org_id) return;
    setIsUpdatingRole(true);
    try {
      await api.admin.updateUserRole(selectedUser.org_id, selectedUser.id, newRole.toUpperCase());
      const updated = { ...selectedUser, org_role: newRole };
      setSelectedUser(updated);
      setUsers((prev) =>
        prev.map((u) => (u.id === selectedUser.id ? { ...u, org_role: newRole } : u))
      );
      toast({
        title: "Role updated",
        description: `${selectedUser.full_name || selectedUser.email} is now a ${newRole}.`,
      });
    } catch (err) {
      toast({
        variant: "destructive",
        title: "Failed to update role",
        description: err instanceof ApiError ? err.message : "Something went wrong",
      });
    } finally {
      setIsUpdatingRole(false);
    }
  };
  // ── Admin add SSH key ────────────────────────────────────────────────────────
  const handleAddKey = async () => {
    if (!selectedUser) return;
    setAddKeyError(null);
    if (!addKeyPublicKey.trim()) {
      setAddKeyError("Public key is required");
      return;
    }
    setIsAddingKey(true);
    try {
      const key = await api.ssh.adminAddKey(selectedUser.id, addKeyPublicKey.trim(), addKeyDescription.trim() || undefined);
      setUserSshKeys((prev) => [...prev, key]);
      toast({ title: "SSH key added", description: `Key added for ${selectedUser.email}` });
      setShowAddKey(false);
      setAddKeyPublicKey("");
      setAddKeyDescription("");
    } catch (err) {
      setAddKeyError(err instanceof ApiError ? err.message : "Failed to add key");
    } finally {
      setIsAddingKey(false);
    }
  };
  // ── Suspend / Unsuspend user ─────────────────────────────────────────────────
  const handleSuspend = async () => {
    if (!selectedUser) return;
    setIsSuspending(true);
    try {
      const data = await api.admin.suspendUser(selectedUser.id);
      const updated = { ...selectedUser, status: data.user.status };
      setSelectedUser(updated);
      setUsers((prev) => prev.map((u) => u.id === selectedUser.id ? { ...u, status: data.user.status } : u));
      setShowSuspendConfirm(false);
      toast({ title: "User suspended", description: `${selectedUser.full_name || selectedUser.email} has been suspended.` });
    } catch (err) {
      setShowSuspendConfirm(false);
      if (err instanceof ApiError && err.type === "OWNER_PROTECTION") {
        toast({
          variant: "destructive",
          title: "Cannot suspend organization owner",
          description: "Transfer ownership to another member before suspending this account.",
        });
      } else {
        toast({ variant: "destructive", title: "Failed to suspend user", description: err instanceof ApiError ? err.message : "Something went wrong" });
      }
    } finally {
      setIsSuspending(false);
    }
  };
  const handleUnsuspend = async () => {
    if (!selectedUser) return;
    setIsSuspending(true);
    try {
      const data = await api.admin.unsuspendUser(selectedUser.id);
      const updated = { ...selectedUser, status: data.user.status };
      setSelectedUser(updated);
      setUsers((prev) => prev.map((u) => u.id === selectedUser.id ? { ...u, status: data.user.status } : u));
      toast({ title: "User unsuspended", description: `${selectedUser.full_name || selectedUser.email} is now active.` });
    } catch (err) {
      toast({ variant: "destructive", title: "Failed to unsuspend user", description: err instanceof ApiError ? err.message : "Something went wrong" });
    } finally {
      setIsSuspending(false);
    }
  };
  // ── Hard delete user ─────────────────────────────────────────────────────────
  const handleHardDelete = async () => {
    if (!selectedUser) return;
    setIsHardDeleting(true);
    try {
      const result = await api.admin.hardDeleteUser(selectedUser.id);
      setUsers((prev) => prev.filter((u) => u.id !== selectedUser.id));
      setTotal((t) => t - 1);
      setShowHardDelete(false);
      setSelectedUser(null);
      toast({
        title: "User permanently deleted",
        description: `${result.deleted_user_email} — ${result.certs_revoked} cert(s) revoked, ${result.ssh_keys_deleted} key(s) deleted.`,
      });
    } catch (err) {
      toast({
        variant: "destructive",
        title: "Failed to delete user",
        description: err instanceof ApiError ? err.message : "Something went wrong",
      });
    } finally {
      setIsHardDeleting(false);
    }
  };
  // Filter by role client-side
  const filteredUsers = users.filter((u) => {
    if (roleFilter === "all") return true;
    const r = (u.org_role || "member").toLowerCase();
    return r === roleFilter;
  });
  // ──────────────────────────────────────────────────────────────────────────────
  return (
    <div className="page-container">
      <div className="page-header">
        <h1 className="page-title">User Management</h1>
        <p className="page-description">
          View and manage users across your organizations
        </p>
      </div>
      {/* Search + filter bar */}
      <div className="flex gap-3 mb-4">
        <div className="relative flex-1">
          <Search className="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-muted-foreground" />
          <Input
            className="pl-9"
            placeholder="Search by name or email…"
            value={search}
            onChange={(e) => setSearch(e.target.value)}
          />
        </div>
        <Select value={roleFilter} onValueChange={setRoleFilter}>
          <SelectTrigger className="w-[160px]">
            <SelectValue placeholder="All roles" />
          </SelectTrigger>
          <SelectContent>
            <SelectItem value="all">All roles</SelectItem>
            <SelectItem value="owner">Owner</SelectItem>
            <SelectItem value="admin">Admin</SelectItem>
            <SelectItem value="member">Member</SelectItem>
          </SelectContent>
        </Select>
      </div>
      <Card>
        <CardHeader>
          <CardTitle className="text-base flex items-center gap-2">
            <User className="w-4 h-4" />
            Users
            {!isLoading && <Badge variant="secondary" className="ml-1">{total}</Badge>}
          </CardTitle>
          <CardDescription>Click a user to view details and manage their role or SSH keys</CardDescription>
        </CardHeader>
        <CardContent>
          {isLoading ? (
            <div className="flex items-center justify-center py-12">
              <Loader2 className="w-6 h-6 animate-spin text-muted-foreground" />
            </div>
          ) : filteredUsers.length === 0 ? (
            <div className="text-center py-12 text-muted-foreground">
              <User className="w-10 h-10 mx-auto mb-3 opacity-40" />
              <p className="text-sm">{debouncedSearch ? "No users match your search" : "No users found"}</p>
            </div>
          ) : (
            <div className="space-y-1">
              {filteredUsers.map((user) => (
                <button
                  key={user.id}
                  className="w-full flex items-center justify-between p-3 rounded-lg border hover:bg-accent/50 transition-colors text-left"
                  onClick={() => openUserDrawer(user)}
                >
                  <div className="flex items-center gap-3 min-w-0">
                    <div className="w-8 h-8 rounded-full bg-primary/10 flex items-center justify-center flex-shrink-0">
                      <User className="w-4 h-4 text-primary" />
                    </div>
                    <div className="min-w-0">
                      <p className="text-sm font-medium truncate">{user.full_name || user.email}</p>
                      <p className="text-xs text-muted-foreground truncate">{user.email}</p>
                    </div>
                  </div>
                  <div className="flex items-center gap-2 flex-shrink-0">
                    <RoleBadge role={user.org_role || "member"} />
                    {isSuspended(user.status) && (
                      <Badge variant="outline" className="text-xs text-red-600 border-red-300 bg-red-50">
                        <Ban className="w-3 h-3 mr-1" />Suspended
                      </Badge>
                    )}
                    {user.activated === false && (
                      <Badge variant="outline" className="text-xs text-amber-600 border-amber-300">
                        Not activated
                      </Badge>
                    )}
                    <ChevronRight className="w-4 h-4 text-muted-foreground" />
                  </div>
                </button>
              ))}
            </div>
          )}
          {/* Pagination */}
          {pages > 1 && (
            <div className="flex items-center justify-between mt-4 pt-4 border-t">
              <p className="text-xs text-muted-foreground">
                Page {page} of {pages} · {total} total
              </p>
              <div className="flex gap-2">
                <Button
                  variant="outline"
                  size="sm"
                  onClick={() => setPage((p) => Math.max(1, p - 1))}
                  disabled={page === 1}
                >
                  Previous
                </Button>
                <Button
                  variant="outline"
                  size="sm"
                  onClick={() => setPage((p) => Math.min(pages, p + 1))}
                  disabled={page === pages}
                >
                  Next
                </Button>
              </div>
            </div>
          )}
        </CardContent>
      </Card>
      {/* ── User detail drawer ─────────────────────────────────────────────────── */}
      <Sheet open={!!selectedUser} onOpenChange={(open) => { if (!open) setSelectedUser(null); }}>
        <SheetContent className="w-full sm:max-w-lg overflow-y-auto">
          {selectedUser && (
            <>
              <SheetHeader className="mb-4">
                <SheetTitle className="flex items-center gap-2">
                  <User className="w-5 h-5" />
                  {selectedUser.full_name || selectedUser.email}
                </SheetTitle>
                <SheetDescription>{selectedUser.email}</SheetDescription>
              </SheetHeader>
              {/* Basic info */}
              <div className="space-y-3 mb-6">
                <div className="grid grid-cols-2 gap-2 text-sm">
                  <span className="text-muted-foreground">Status</span>
                  <span className="flex items-center gap-1">
                    {isSuspended(selectedUser.status) ? (
                      <><Ban className="w-4 h-4 text-red-500" /><span className="text-red-600 font-medium">Suspended{selectedUser.status === "compliance_suspended" ? " (compliance)" : ""}</span></>
                    ) : (
                      <><CheckCircle className="w-4 h-4 text-green-500" /><span className="text-green-600">Active</span></>
                    )}
                  </span>
                  <span className="text-muted-foreground">Joined</span>
                  <span>{formatDate(selectedUser.created_at)}</span>
                  <span className="text-muted-foreground">Activated</span>
                  <span className="flex items-center gap-1">
                    {selectedUser.activated === false ? (
                      <><XCircle className="w-4 h-4 text-amber-500" /> No</>
                    ) : (
                      <><CheckCircle className="w-4 h-4 text-green-500" /> Yes</>
                    )}
                  </span>
                  <span className="text-muted-foreground">Last login</span>
                  <span>{formatDate(selectedUser.last_login_at)}</span>
                </div>
              </div>
              {/* Suspend / Unsuspend — only for other users */}
              {selectedUser.id !== currentUser?.id && (
                <div className="mb-6 p-4 border rounded-lg space-y-3">
                  <h3 className="text-sm font-semibold flex items-center gap-2">
                    <Ban className="w-4 h-4" />
                    Account Access
                  </h3>
                  {isSuspended(selectedUser.status) ? (
                    <div className="space-y-2">
                      <p className="text-sm text-muted-foreground">
                        {selectedUser.status === "compliance_suspended"
                          ? "This account is suspended due to MFA compliance. The user cannot log in or request certificates."
                          : "This account is suspended. The user cannot log in or request certificates."}
                      </p>
                      <Button
                        size="sm"
                        variant="outline"
                        onClick={handleUnsuspend}
                        disabled={isSuspending}
                        className="text-green-600 border-green-300 hover:bg-green-50"
                      >
                        {isSuspending ? <Loader2 className="w-4 h-4 mr-2 animate-spin" /> : <UserCheck className="w-4 h-4 mr-2" />}
                        Restore account
                      </Button>
                    </div>
                  ) : (
                    <div className="space-y-2">
                      <p className="text-sm text-muted-foreground">Suspending blocks this user from logging in and requesting SSH certificates.</p>
                      <Button
                        size="sm"
                        variant="outline"
                        onClick={() => setShowSuspendConfirm(true)}
                        disabled={isSuspending}
                        className="text-red-600 border-red-300 hover:bg-red-50"
                      >
                        <Ban className="w-4 h-4 mr-2" />
                        Suspend account
                      </Button>
                    </div>
                  )}
                </div>
              )}
              {/* Role management — only if not viewing yourself and user has org_id */}
              {selectedUser.org_id && selectedUser.id !== currentUser?.id && (
                <div className="mb-6 p-4 border rounded-lg space-y-3">
                  <h3 className="text-sm font-semibold flex items-center gap-2">
                    <Shield className="w-4 h-4" />
                    Organization Role
                  </h3>
                  <div className="flex items-center gap-3">
                    <Select
                      value={(selectedUser.org_role || "member").toLowerCase()}
                      onValueChange={handleRoleChange}
                      disabled={isUpdatingRole || (selectedUser.org_role || "").toLowerCase() === "owner"}
                    >
                      <SelectTrigger className="flex-1">
                        <SelectValue />
                      </SelectTrigger>
                      <SelectContent>
                        <SelectItem value="member">Member</SelectItem>
                        <SelectItem value="admin">Admin</SelectItem>
                        <SelectItem value="owner">Owner</SelectItem>
                      </SelectContent>
                    </Select>
                    {isUpdatingRole && <Loader2 className="w-4 h-4 animate-spin text-muted-foreground" />}
                  </div>
                  {(selectedUser.org_role || "").toLowerCase() === "owner" && (
                    <p className="text-xs text-muted-foreground">Owner role cannot be changed here. Transfer ownership from the Members page.</p>
                  )}
                </div>
              )}
              {/* SSH Keys section */}
              <div className="space-y-3">
                <div className="flex items-center justify-between">
                  <h3 className="text-sm font-semibold flex items-center gap-2">
                    <Key className="w-4 h-4" />
                    SSH Keys
                  </h3>
                  <Button size="sm" variant="outline" onClick={() => setShowAddKey(true)}>
                    <Plus className="w-3 h-3 mr-1" />
                    Add key
                  </Button>
                </div>
                {isDrawerLoading ? (
                  <div className="flex items-center justify-center py-6">
                    <Loader2 className="w-5 h-5 animate-spin text-muted-foreground" />
                  </div>
                ) : userSshKeys.length === 0 ? (
                  <div className="text-center py-6 text-muted-foreground text-sm">
                    No SSH keys registered
                  </div>
                ) : (
                  <div className="space-y-2">
                    {userSshKeys.map((k) => (
                      <div key={k.id} className="p-3 border rounded-lg text-sm">
                        <div className="flex items-center gap-2 mb-1">
                          <span className="font-medium">{k.description || <em className="text-muted-foreground">No description</em>}</span>
                          {k.verified ? (
                            <Badge className="bg-green-500/10 text-green-600 border-0 text-xs">
                              <CheckCircle className="w-3 h-3 mr-1" />Verified
                            </Badge>
                          ) : (
                            <Badge variant="outline" className="text-xs text-amber-600 border-amber-300">
                              Unverified
                            </Badge>
                          )}
                        </div>
                        <div className="text-xs text-muted-foreground font-mono truncate">
                          {k.fingerprint ?? k.public_key.slice(0, 64) + "…"}
                        </div>
                        <div className="text-xs text-muted-foreground mt-1">
                          Added {formatDate(k.created_at)}
                        </div>
                      </div>
                    ))}
                  </div>
                )}
              </div>
              {/* Danger zone — Hard delete */}
              {selectedUser.id !== currentUser?.id && (
                <div className="mt-6 p-4 border border-destructive/30 rounded-lg space-y-3">
                  <h3 className="text-sm font-semibold flex items-center gap-2 text-destructive">
                    <Trash2 className="w-4 h-4" />
                    Danger Zone
                  </h3>
                  <p className="text-sm text-muted-foreground">
                    Permanently delete this account. This cannot be undone — all SSH keys and certificates will be revoked immediately.
                  </p>
                  <Button
                    size="sm"
                    variant="outline"
                    onClick={() => { setHardDeleteConfirmEmail(""); setShowHardDelete(true); }}
                    className="text-destructive border-destructive/40 hover:bg-destructive/10"
                  >
                    <Trash2 className="w-4 h-4 mr-2" />
                    Permanently delete account
                  </Button>
                </div>
              )}
            </>
          )}
        </SheetContent>
      </Sheet>
      {/* ── Admin add SSH key dialog ───────────────────────────────────────────── */}
      <Dialog open={showAddKey} onOpenChange={(open) => { setShowAddKey(open); setAddKeyError(null); }}>
        <DialogContent className="sm:max-w-md">
          <DialogHeader>
            <DialogTitle>Add SSH Key for {selectedUser?.email}</DialogTitle>
            <DialogDescription>
              Add an SSH public key on behalf of this user (admin action).
            </DialogDescription>
          </DialogHeader>
          <div className="space-y-4 py-2">
            {addKeyError && (
              <div className="p-3 rounded-md bg-destructive/10 text-destructive text-sm">{addKeyError}</div>
            )}
            <div className="space-y-2">
              <Label>Public key</Label>
              <Textarea
                placeholder="ssh-ed25519 AAAA..."
                value={addKeyPublicKey}
                onChange={(e) => setAddKeyPublicKey(e.target.value)}
                className="font-mono text-xs min-h-[80px]"
                disabled={isAddingKey}
              />
            </div>
            <div className="space-y-2">
              <Label>Description <span className="text-muted-foreground">(optional)</span></Label>
              <Input
                placeholder="Laptop key"
                value={addKeyDescription}
                onChange={(e) => setAddKeyDescription(e.target.value)}
                disabled={isAddingKey}
              />
            </div>
          </div>
          <DialogFooter>
            <Button variant="outline" onClick={() => setShowAddKey(false)} disabled={isAddingKey}>
              Cancel
            </Button>
            <Button onClick={handleAddKey} disabled={isAddingKey || !addKeyPublicKey.trim()}>
              {isAddingKey && <Loader2 className="w-4 h-4 mr-2 animate-spin" />}
              Add key
            </Button>
          </DialogFooter>
        </DialogContent>
      </Dialog>
      {/* ── Suspend confirmation dialog ───────────────────────────────────────── */}
      <Dialog open={showSuspendConfirm} onOpenChange={setShowSuspendConfirm}>
        <DialogContent className="sm:max-w-md">
          <DialogHeader>
            <DialogTitle className="flex items-center gap-2 text-red-600">
              <AlertTriangle className="w-5 h-5" />
              Suspend account?
            </DialogTitle>
            <DialogDescription>
              <strong>{selectedUser?.full_name || selectedUser?.email}</strong> will be blocked from logging in and requesting SSH certificates. You can restore their access at any time.
            </DialogDescription>
          </DialogHeader>
          <DialogFooter>
            <Button variant="outline" onClick={() => setShowSuspendConfirm(false)} disabled={isSuspending}>
              Cancel
            </Button>
            <Button
              variant="destructive"
              onClick={handleSuspend}
              disabled={isSuspending}
            >
              {isSuspending && <Loader2 className="w-4 h-4 mr-2 animate-spin" />}
              Suspend
            </Button>
          </DialogFooter>
        </DialogContent>
      </Dialog>
      {/* ── Hard delete confirmation ──────────────────────────────────────────── */}
      <Dialog
        open={showHardDelete}
        onOpenChange={(open) => { setShowHardDelete(open); if (!open) setHardDeleteConfirmEmail(""); }}
      >
        <DialogContent className="sm:max-w-md">
          <DialogHeader>
            <DialogTitle className="flex items-center gap-2 text-destructive">
              <Trash2 className="w-5 h-5" />
              Permanently delete account?
            </DialogTitle>
            <DialogDescription>
              This will <strong>permanently</strong> delete{" "}
              <strong>{selectedUser?.full_name || selectedUser?.email}</strong>,
              revoke all their SSH certificates, and remove all their SSH keys. This action cannot be undone.
            </DialogDescription>
          </DialogHeader>
          <div className="py-2 space-y-2">
            <Label className="text-sm">
              Type <span className="font-mono font-semibold">{selectedUser?.email}</span> to confirm
            </Label>
            <Input
              value={hardDeleteConfirmEmail}
              onChange={(e) => setHardDeleteConfirmEmail(e.target.value)}
              placeholder={selectedUser?.email ?? ""}
              disabled={isHardDeleting}
              className="font-mono"
            />
          </div>
          <DialogFooter>
            <Button
              variant="outline"
              onClick={() => setShowHardDelete(false)}
              disabled={isHardDeleting}
            >
              Cancel
            </Button>
            <Button
              variant="destructive"
              onClick={handleHardDelete}
              disabled={isHardDeleting || hardDeleteConfirmEmail !== selectedUser?.email}
            >
              {isHardDeleting && <Loader2 className="w-4 h-4 mr-2 animate-spin" />}
              Delete permanently
            </Button>
          </DialogFooter>
        </DialogContent>
      </Dialog>
    </div>
  );
 }
@@ -0,0 +1,312 @@
 import { useState } from "react";
 import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query";
 import { api } from "@/lib/api";
 import { useToast } from "@/hooks/use-toast";
 import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Label } from "@/components/ui/label";
 import { Switch } from "@/components/ui/switch";
 import { Badge } from "@/components/ui/badge";
 import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "@/components/ui/card";
 import {
  Dialog,
  DialogContent,
  DialogDescription,
  DialogFooter,
  DialogHeader,
  DialogTitle,
 } from "@/components/ui/dialog";
 import {
  AlertDialog,
  AlertDialogAction,
  AlertDialogCancel,
  AlertDialogContent,
  AlertDialogDescription,
  AlertDialogFooter,
  AlertDialogHeader,
  AlertDialogTitle,
 } from "@/components/ui/alert-dialog";
 import { Loader2, Settings, Trash2, Plus, Eye, EyeOff } from "lucide-react";
 interface OAuthProvider {
  id: string;
  name: string;
  is_configured: boolean;
  is_enabled: boolean;
  client_id: string | null;
 }
 const PROVIDER_LOGOS: Record<string, string> = {
  google: "https://www.google.com/favicon.ico",
  github: "https://github.com/favicon.ico",
  microsoft: "https://www.microsoft.com/favicon.ico",
 };
 const PROVIDER_HELP: Record<string, { docsUrl: string; callbackNote: string }> = {
  google: {
    docsUrl: "https://console.cloud.google.com/apis/credentials",
    callbackNote: "Authorized redirect URI: http://localhost:5000/api/v1/auth/external/google/callback",
  },
  github: {
    docsUrl: "https://github.com/settings/applications/new",
    callbackNote: "Authorization callback URL: http://localhost:5000/api/v1/auth/external/github/callback",
  },
  microsoft: {
    docsUrl: "https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps",
    callbackNote: "Redirect URI: http://localhost:5000/api/v1/auth/external/microsoft/callback",
  },
 };
 export default function OAuthProvidersPage() {
  const { toast } = useToast();
  const queryClient = useQueryClient();
  const [configDialog, setConfigDialog] = useState<{ open: boolean; provider: OAuthProvider | null }>({
    open: false,
    provider: null,
  });
  const [deleteDialog, setDeleteDialog] = useState<{ open: boolean; provider: OAuthProvider | null }>({
    open: false,
    provider: null,
  });
  const [clientId, setClientId] = useState("");
  const [clientSecret, setClientSecret] = useState("");
  const [isEnabled, setIsEnabled] = useState(true);
  const [showSecret, setShowSecret] = useState(false);
  const { data, isLoading } = useQuery({
    queryKey: ["admin", "oauthProviders"],
    queryFn: () => api.admin.listOAuthProviders(),
  });
  const configureMutation = useMutation({
    mutationFn: ({ provider, cid, cs, enabled }: { provider: string; cid: string; cs: string; enabled: boolean }) =>
      api.admin.configureOAuthProvider(provider, cid, cs, enabled),
    onSuccess: (_, { provider }) => {
      queryClient.invalidateQueries({ queryKey: ["admin", "oauthProviders"] });
      toast({ title: `${provider} configured`, description: "OAuth provider settings saved." });
      setConfigDialog({ open: false, provider: null });
    },
    onError: (err: Error) => {
      toast({ title: "Failed to save", description: err.message, variant: "destructive" });
    },
  });
  const deleteMutation = useMutation({
    mutationFn: (provider: string) => api.admin.deleteOAuthProvider(provider),
    onSuccess: (_, provider) => {
      queryClient.invalidateQueries({ queryKey: ["admin", "oauthProviders"] });
      toast({ title: `${provider} removed`, description: "OAuth provider configuration deleted." });
      setDeleteDialog({ open: false, provider: null });
    },
    onError: (err: Error) => {
      toast({ title: "Failed to delete", description: err.message, variant: "destructive" });
    },
  });
  const openConfig = (provider: OAuthProvider) => {
    setClientId(provider.client_id ?? "");
    setClientSecret("");
    setIsEnabled(provider.is_enabled);
    setShowSecret(false);
    setConfigDialog({ open: true, provider });
  };
  const handleSave = () => {
    if (!configDialog.provider) return;
    configureMutation.mutate({
      provider: configDialog.provider.id,
      cid: clientId,
      cs: clientSecret,
      enabled: isEnabled,
    });
  };
  const providers: OAuthProvider[] = data?.providers ?? [];
  return (
    <div className="container max-w-3xl py-8 space-y-6">
      <div>
        <h1 className="text-2xl font-bold tracking-tight">OAuth Providers</h1>
        <p className="text-sm text-muted-foreground mt-1">
          Configure application-level OAuth provider credentials. Users can link their accounts via these providers.
        </p>
      </div>
      {isLoading && (
        <div className="flex items-center gap-2 text-sm text-muted-foreground">
          <Loader2 className="h-4 w-4 animate-spin" />
          Loading providers…
        </div>
      )}
      <div className="space-y-4">
        {providers.map((p) => {
          const help = PROVIDER_HELP[p.id];
          return (
            <Card key={p.id}>
              <CardHeader className="pb-3">
                <div className="flex items-center justify-between">
                  <div className="flex items-center gap-3">
                    <img
                      src={PROVIDER_LOGOS[p.id]}
                      alt={p.name}
                      className="h-5 w-5"
                      onError={(e) => (e.currentTarget.style.display = "none")}
                    />
                    <CardTitle className="text-base">{p.name}</CardTitle>
                    {p.is_configured ? (
                      <Badge variant={p.is_enabled ? "default" : "secondary"}>
                        {p.is_enabled ? "Enabled" : "Disabled"}
                      </Badge>
                    ) : (
                      <Badge variant="outline" className="text-orange-600 border-orange-300">
                        Not configured
                      </Badge>
                    )}
                  </div>
                  <div className="flex gap-2">
                    <Button variant="outline" size="sm" onClick={() => openConfig(p)}>
                      {p.is_configured ? (
                        <><Settings className="h-3.5 w-3.5 mr-1" /> Edit</>
                      ) : (
                        <><Plus className="h-3.5 w-3.5 mr-1" /> Configure</>
                      )}
                    </Button>
                    {p.is_configured && (
                      <Button
                        variant="ghost"
                        size="sm"
                        className="text-destructive hover:text-destructive"
                        onClick={() => setDeleteDialog({ open: true, provider: p })}
                      >
                        <Trash2 className="h-3.5 w-3.5" />
                      </Button>
                    )}
                  </div>
                </div>
              </CardHeader>
              {p.is_configured && p.client_id && (
                <CardContent className="pt-0">
                  <CardDescription className="font-mono text-xs">
                    Client ID: {p.client_id.slice(0, 24)}…
                  </CardDescription>
                </CardContent>
              )}
              {!p.is_configured && (
                <CardContent className="pt-0">
                  <CardDescription className="text-xs">
                    {help.callbackNote}
                  </CardDescription>
                </CardContent>
              )}
            </Card>
          );
        })}
      </div>
      {/* Configure Dialog */}
      <Dialog open={configDialog.open} onOpenChange={(o) => setConfigDialog((s) => ({ ...s, open: o }))}>
        <DialogContent className="sm:max-w-md">
          <DialogHeader>
            <DialogTitle>
              {configDialog.provider?.is_configured ? "Edit" : "Configure"}{" "}
              {configDialog.provider?.name} OAuth
            </DialogTitle>
            <DialogDescription>
              {configDialog.provider && PROVIDER_HELP[configDialog.provider.id]?.callbackNote}
              {" "}
              <a
                href={configDialog.provider ? PROVIDER_HELP[configDialog.provider.id]?.docsUrl : "#"}
                target="_blank"
                rel="noopener noreferrer"
                className="underline text-primary"
              >
                Open provider console ↗
              </a>
            </DialogDescription>
          </DialogHeader>
          <div className="space-y-4 py-2">
            <div className="space-y-1.5">
              <Label htmlFor="client-id">Client ID</Label>
              <Input
                id="client-id"
                value={clientId}
                onChange={(e) => setClientId(e.target.value)}
                placeholder="Enter Client ID"
              />
            </div>
            <div className="space-y-1.5">
              <Label htmlFor="client-secret">
                Client Secret{" "}
                {configDialog.provider?.is_configured && (
                  <span className="text-muted-foreground text-xs">(leave blank to keep existing)</span>
                )}
              </Label>
              <div className="relative">
                <Input
                  id="client-secret"
                  type={showSecret ? "text" : "password"}
                  value={clientSecret}
                  onChange={(e) => setClientSecret(e.target.value)}
                  placeholder={configDialog.provider?.is_configured ? "••••••••" : "Enter Client Secret"}
                  className="pr-10"
                />
                <button
                  type="button"
                  className="absolute right-3 top-1/2 -translate-y-1/2 text-muted-foreground hover:text-foreground"
                  onClick={() => setShowSecret((v) => !v)}
                >
                  {showSecret ? <EyeOff className="h-4 w-4" /> : <Eye className="h-4 w-4" />}
                </button>
              </div>
            </div>
            <div className="flex items-center justify-between">
              <Label htmlFor="is-enabled">Enable this provider</Label>
              <Switch id="is-enabled" checked={isEnabled} onCheckedChange={setIsEnabled} />
            </div>
          </div>
          <DialogFooter>
            <Button variant="outline" onClick={() => setConfigDialog({ open: false, provider: null })}>
              Cancel
            </Button>
            <Button onClick={handleSave} disabled={!clientId || configureMutation.isPending}>
              {configureMutation.isPending && <Loader2 className="h-4 w-4 mr-2 animate-spin" />}
              Save
            </Button>
          </DialogFooter>
        </DialogContent>
      </Dialog>
      {/* Delete Confirm Dialog */}
      <AlertDialog
        open={deleteDialog.open}
        onOpenChange={(o) => setDeleteDialog((s) => ({ ...s, open: o }))}
      >
        <AlertDialogContent>
          <AlertDialogHeader>
            <AlertDialogTitle>Remove {deleteDialog.provider?.name}?</AlertDialogTitle>
            <AlertDialogDescription>
              This will remove the OAuth credentials for {deleteDialog.provider?.name}. Users will no longer be able
              to sign in or link accounts via this provider.
            </AlertDialogDescription>
          </AlertDialogHeader>
          <AlertDialogFooter>
            <AlertDialogCancel>Cancel</AlertDialogCancel>
            <AlertDialogAction
              className="bg-destructive text-destructive-foreground hover:bg-destructive/90"
              onClick={() => deleteDialog.provider && deleteMutation.mutate(deleteDialog.provider.id)}
            >
              {deleteMutation.isPending ? <Loader2 className="h-4 w-4 animate-spin" /> : "Remove"}
            </AlertDialogAction>
          </AlertDialogFooter>
        </AlertDialogContent>
      </AlertDialog>
    </div>
  );
 }
@@ -0,0 +1,373 @@
 import { useState, useEffect, useCallback } from "react";
 import {
  Search,
  Filter,
  RefreshCw,
  ChevronLeft,
  ChevronRight,
  LogIn,
  LogOut,
  Key,
  UserPlus,
  Shield,
  Settings,
  AlertTriangle,
  Fingerprint,
  Smartphone,
  Terminal,
  Loader2,
  CheckCircle2,
  XCircle,
  Globe,
 } from "lucide-react";
 import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Card, CardContent, CardHeader, CardTitle } from "@/components/ui/card";
 import { Badge } from "@/components/ui/badge";
 import {
  Select,
  SelectContent,
  SelectItem,
  SelectTrigger,
  SelectValue,
 } from "@/components/ui/select";
 import { api, AuditLogEntry } from "@/lib/api";
 // ─── category helpers ────────────────────────────────────────────────────────
 type Category = "auth" | "ssh" | "org" | "user" | "security" | "token" | "other";
 const getCategory = (action: string): Category => {
  const a = action.toLowerCase();
  if (a.startsWith("session") || a.includes("login") || a.includes("logout") || a.includes("external_auth"))
    return "auth";
  if (a.startsWith("ssh"))
    return "ssh";
  if (a.startsWith("org") || a.includes("member") || a.includes("department") || a.includes("invite"))
    return "org";
  if (a.startsWith("user"))
    return "user";
  if (a.includes("mfa") || a.includes("totp") || a.includes("webauthn") || a.includes("passkey") || a.includes("password"))
    return "security";
  if (a.includes("token") || a.includes("oidc") || a.includes("client"))
    return "token";
  return "other";
 };
 const CATEGORY_META: Record<Category, { label: string; color: string }> = {
  auth:     { label: "Auth",     color: "bg-blue-500/10 text-blue-600 dark:text-blue-400" },
  ssh:      { label: "SSH",      color: "bg-emerald-500/10 text-emerald-600 dark:text-emerald-400" },
  org:      { label: "Org",      color: "bg-violet-500/10 text-violet-600 dark:text-violet-400" },
  user:     { label: "User",     color: "bg-amber-500/10 text-amber-600 dark:text-amber-400" },
  security: { label: "Security", color: "bg-orange-500/10 text-orange-600 dark:text-orange-400" },
  token:    { label: "Token",    color: "bg-cyan-500/10 text-cyan-600 dark:text-cyan-400" },
  other:    { label: "Other",    color: "bg-muted text-muted-foreground" },
 };
 const getCategoryIcon = (category: Category) => {
  const cls = "w-4 h-4";
  switch (category) {
    case "auth":     return <LogIn className={cls} />;
    case "ssh":      return <Terminal className={cls} />;
    case "org":      return <Settings className={cls} />;
    case "user":     return <UserPlus className={cls} />;
    case "security": return <Shield className={cls} />;
    case "token":    return <Key className={cls} />;
    default:         return <Globe className={cls} />;
  }
 };
 const getActionLabel = (action: string) =>
  action
    .replace(/_/g, " ")
    .replace(/\./g, " › ")
    .replace(/\b\w/g, (c) => c.toUpperCase());
 // ─── component ───────────────────────────────────────────────────────────────
 const ACTION_FILTER_OPTIONS = [
  { value: "all",                         label: "All actions" },
  { value: "SESSION_CREATE",              label: "Login" },
  { value: "SESSION_REVOKE",              label: "Logout" },
  { value: "EXTERNAL_AUTH_LOGIN",         label: "OAuth Login" },
  { value: "EXTERNAL_AUTH_LOGIN_FAILED",  label: "OAuth Failed" },
  { value: "USER_REGISTER",              label: "Register" },
  { value: "SSH_KEY_ADDED",              label: "SSH Key Added" },
  { value: "SSH_KEY_VERIFIED",           label: "SSH Key Verified" },
  { value: "SSH_CERT_ISSUED",            label: "SSH Cert Issued" },
  { value: "SSH_CERT_REVOKED",           label: "SSH Cert Revoked" },
  { value: "SSH_CERT_FAILED",            label: "SSH Cert Failed" },
  { value: "ORG_CREATE",                 label: "Org Created" },
  { value: "ORG_MEMBER_ADD",             label: "Member Added" },
  { value: "ORG_MEMBER_ROLE_CHANGE",     label: "Role Changed" },
 ];
 export default function SystemAuditPage() {
  const [logs, setLogs] = useState<AuditLogEntry[]>([]);
  const [isLoading, setIsLoading] = useState(true);
  const [error, setError] = useState<string | null>(null);
  const [isAdminView, setIsAdminView] = useState(false);
  // filters
  const [search, setSearch] = useState("");
  const [debouncedSearch, setDebouncedSearch] = useState("");
  const [actionFilter, setActionFilter] = useState("all");
  const [successFilter, setSuccessFilter] = useState("all");
  // pagination
  const [page, setPage] = useState(1);
  const [totalPages, setTotalPages] = useState(1);
  const [totalCount, setTotalCount] = useState(0);
  const PER_PAGE = 50;
  // debounce search
  useEffect(() => {
    const t = setTimeout(() => setDebouncedSearch(search), 400);
    return () => clearTimeout(t);
  }, [search]);
  const fetchLogs = useCallback(async () => {
    setIsLoading(true);
    setError(null);
    try {
      const params: Record<string, string> = {
        page: String(page),
        per_page: String(PER_PAGE),
      };
      if (actionFilter !== "all") params.action = actionFilter;
      if (successFilter !== "all") params.success = successFilter;
      if (debouncedSearch) params.q = debouncedSearch;
      const resp = await api.admin.getAuditLogs(params);
      setLogs(resp.audit_logs ?? []);
      setTotalCount(resp.count ?? 0);
      setTotalPages(resp.pages ?? 1);
      setIsAdminView(resp.is_admin_view ?? false);
    } catch (err) {
      console.error("Failed to fetch system audit logs:", err);
      setError("Failed to load audit logs. Please try again.");
    } finally {
      setIsLoading(false);
    }
  }, [page, actionFilter, successFilter, debouncedSearch]);
  useEffect(() => {
    fetchLogs();
  }, [fetchLogs]);
  // reset to page 1 when filters change
  useEffect(() => {
    setPage(1);
  }, [actionFilter, successFilter, debouncedSearch]);
  const formatDate = (dateString: string) => {
    const d = new Date(dateString);
    return new Intl.DateTimeFormat("en-US", {
      month: "short",
      day: "numeric",
      hour: "numeric",
      minute: "2-digit",
      second: "2-digit",
      hour12: false,
    }).format(d);
  };
  const formatUserAgent = (ua: string | null) => {
    if (!ua) return null;
    const m = ua.match(/\(([^)]+)\)/);
    if (m) return m[1].split(";")[0].trim();
    return ua.slice(0, 40);
  };
  return (
    <div className="page-container">
      {/* Header */}
      <div className="page-header flex flex-col sm:flex-row sm:items-center sm:justify-between gap-4">
        <div>
          <h1 className="page-title">System Audit Log</h1>
          <p className="page-description">
            {isAdminView
              ? `All system events — ${totalCount.toLocaleString()} total`
              : "Your account events"}
          </p>
        </div>
        <Button
          variant="outline"
          size="sm"
          onClick={() => fetchLogs()}
          disabled={isLoading}
        >
          <RefreshCw className={`w-4 h-4 mr-2 ${isLoading ? "animate-spin" : ""}`} />
          Refresh
        </Button>
      </div>
      {/* Filters */}
      <div className="flex flex-col sm:flex-row gap-3 mb-4">
        <div className="relative flex-1">
          <Search className="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-muted-foreground" />
          <Input
            placeholder="Search descriptions…"
            value={search}
            onChange={(e) => setSearch(e.target.value)}
            className="pl-10"
          />
        </div>
        <Select value={actionFilter} onValueChange={setActionFilter}>
          <SelectTrigger className="w-[200px]">
            <Filter className="w-4 h-4 mr-2" />
            <SelectValue placeholder="Filter by action" />
          </SelectTrigger>
          <SelectContent>
            {ACTION_FILTER_OPTIONS.map((o) => (
              <SelectItem key={o.value} value={o.value}>{o.label}</SelectItem>
            ))}
          </SelectContent>
        </Select>
        <Select value={successFilter} onValueChange={setSuccessFilter}>
          <SelectTrigger className="w-[150px]">
            <SelectValue placeholder="Status" />
          </SelectTrigger>
          <SelectContent>
            <SelectItem value="all">All statuses</SelectItem>
            <SelectItem value="true">Success only</SelectItem>
            <SelectItem value="false">Failures only</SelectItem>
          </SelectContent>
        </Select>
      </div>
      {/* Table */}
      <Card>
        <CardContent className="p-0">
          {isLoading ? (
            <div className="flex items-center justify-center py-16">
              <Loader2 className="w-6 h-6 animate-spin text-muted-foreground" />
              <span className="ml-2 text-muted-foreground">Loading…</span>
            </div>
          ) : error ? (
            <div className="py-12 text-center text-destructive">
              <AlertTriangle className="w-8 h-8 mx-auto mb-2" />
              <p>{error}</p>
            </div>
          ) : logs.length === 0 ? (
            <div className="py-12 text-center text-muted-foreground">
              No audit events match the current filters.
            </div>
          ) : (
            <div className="divide-y">
              {logs.map((log) => {
                const cat = getCategory(log.action);
                const meta = CATEGORY_META[cat];
                return (
                  <div key={log.id} className="flex items-start gap-4 px-4 py-3 hover:bg-muted/30 transition-colors">
                    {/* Icon */}
                    <div
                      className={`mt-0.5 w-9 h-9 rounded-lg flex items-center justify-center flex-shrink-0 ${
                        log.success ? meta.color : "bg-destructive/10 text-destructive"
                      }`}
                    >
                      {log.success ? getCategoryIcon(cat) : <XCircle className="w-4 h-4" />}
                    </div>
                    {/* Body */}
                    <div className="flex-1 min-w-0">
                      <div className="flex items-center gap-2 flex-wrap">
                        <span className="font-medium text-sm text-foreground">
                          {getActionLabel(log.action)}
                        </span>
                        <Badge variant="secondary" className={`text-xs px-1.5 py-0 ${meta.color}`}>
                          {meta.label}
                        </Badge>
                        {!log.success && (
                          <Badge variant="destructive" className="text-xs px-1.5 py-0">
                            Failed
                          </Badge>
                        )}
                        {log.resource_type && (
                          <Badge variant="outline" className="text-xs px-1.5 py-0 font-mono">
                            {log.resource_type}
                          </Badge>
                        )}
                      </div>
                      {/* Description */}
                      {log.description && (
                        <p className="mt-0.5 text-sm text-muted-foreground">{log.description}</p>
                      )}
                      {log.error_message && (
                        <p className="mt-0.5 text-xs text-destructive">{log.error_message}</p>
                      )}
                      {/* Meta row */}
                      <div className="mt-1 flex flex-wrap items-center gap-x-3 gap-y-0.5 text-xs text-muted-foreground">
                        {log.user?.email ? (
                          <span className="font-medium text-foreground/70">{log.user.email}</span>
                        ) : log.user_id ? (
                          <span className="font-mono">{log.user_id.slice(0, 8)}…</span>
                        ) : (
                          <span className="italic">System</span>
                        )}
                        {log.ip_address && (
                          <span className="font-mono">{log.ip_address}</span>
                        )}
                        {log.user_agent && (
                          <span className="truncate max-w-[220px]" title={log.user_agent}>
                            {formatUserAgent(log.user_agent)}
                          </span>
                        )}
                        {log.resource_id && (
                          <span className="font-mono">{log.resource_id.slice(0, 8)}…</span>
                        )}
                      </div>
                    </div>
                    {/* Timestamp */}
                    <div className="flex flex-col items-end gap-1 flex-shrink-0">
                      <p className="text-xs text-muted-foreground whitespace-nowrap">
                        {formatDate(log.created_at)}
                      </p>
                      {log.success ? (
                        <CheckCircle2 className="w-3.5 h-3.5 text-emerald-500" />
                      ) : (
                        <XCircle className="w-3.5 h-3.5 text-destructive" />
                      )}
                    </div>
                  </div>
                );
              })}
            </div>
          )}
        </CardContent>
      </Card>
      {/* Pagination */}
      {totalPages > 1 && (
        <div className="flex items-center justify-between mt-4">
          <p className="text-sm text-muted-foreground">
            Page {page} of {totalPages} &nbsp;·&nbsp; {totalCount.toLocaleString()} events
          </p>
          <div className="flex items-center gap-2">
            <Button
              variant="outline"
              size="sm"
              disabled={page <= 1 || isLoading}
              onClick={() => setPage((p) => p - 1)}
            >
              <ChevronLeft className="w-4 h-4" />
              Prev
            </Button>
            <Button
              variant="outline"
              size="sm"
              disabled={page >= totalPages || isLoading}
              onClick={() => setPage((p) => p + 1)}
            >
              Next
              <ChevronRight className="w-4 h-4" />
            </Button>
          </div>
        </div>
      )}
    </div>
  );
 }
@@ -0,0 +1,97 @@
 import { useEffect, useState } from "react";
 import { useSearchParams, useNavigate } from "react-router-dom";
 import { CheckCircle, XCircle, Loader2, Mail } from "lucide-react";
 import { Button } from "@/components/ui/button";
 import { Card, CardContent } from "@/components/ui/card";
 import { GatehouseLogo } from "@/components/branding/GatehouseLogo";
 import { api, ApiError } from "@/lib/api";
 type Status = "loading" | "success" | "error" | "missing";
 export default function ActivatePage() {
  const [searchParams] = useSearchParams();
  const navigate = useNavigate();
  const [status, setStatus] = useState<Status>("loading");
  const [message, setMessage] = useState<string>("");
  useEffect(() => {
    const code = searchParams.get("code") || searchParams.get("activation_key") || searchParams.get("key");
    if (!code) {
      setStatus("missing");
      return;
    }
    api.auth
      .activate(code)
      .then(() => {
        setStatus("success");
        setMessage("Your account has been activated. You can now sign in.");
      })
      .catch((err) => {
        const msg =
          err instanceof ApiError
            ? err.message
            : "Activation failed. The link may have expired or already been used.";
        setMessage(msg);
        setStatus("error");
      });
  }, [searchParams]);
  return (
    <div className="min-h-screen flex items-center justify-center bg-background p-4">
      <div className="w-full max-w-md space-y-6">
        {/* Logo */}
        <div className="flex justify-center">
          <GatehouseLogo size="md" />
        </div>
        <Card>
          <CardContent className="pt-8 pb-8 px-6 flex flex-col items-center gap-4 text-center">
            {status === "loading" && (
              <>
                <Loader2 className="w-12 h-12 animate-spin text-primary" />
                <p className="text-sm text-muted-foreground">Activating your account…</p>
              </>
            )}
            {status === "success" && (
              <>
                <CheckCircle className="w-12 h-12 text-green-500" />
                <h1 className="text-xl font-semibold">Account Activated</h1>
                <p className="text-sm text-muted-foreground">{message}</p>
                <Button className="w-full" onClick={() => navigate("/login")}>
                  Sign in
                </Button>
              </>
            )}
            {status === "error" && (
              <>
                <XCircle className="w-12 h-12 text-destructive" />
                <h1 className="text-xl font-semibold">Activation Failed</h1>
                <p className="text-sm text-muted-foreground">{message}</p>
                <Button variant="outline" className="w-full" onClick={() => navigate("/login")}>
                  Back to sign in
                </Button>
              </>
            )}
            {status === "missing" && (
              <>
                <Mail className="w-12 h-12 text-muted-foreground" />
                <h1 className="text-xl font-semibold">Invalid Activation Link</h1>
                <p className="text-sm text-muted-foreground">
                  No activation code was found in this link. Please check your email and use the
                  link provided.
                </p>
                <Button variant="outline" className="w-full" onClick={() => navigate("/login")}>
                  Back to sign in
                </Button>
              </>
            )}
          </CardContent>
        </Card>
      </div>
    </div>
  );
 }
@@ -5,6 +5,7 @@ import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Label } from "@/components/ui/label";
 import { BannerAlert } from "@/components/auth/BannerAlert";
 import { api } from "@/lib/api";
 export default function ForgotPasswordPage() {
  const [email, setEmail] = useState("");
@@ -15,11 +16,14 @@ export default function ForgotPasswordPage() {
    e.preventDefault();
    setIsLoading(true);
-    // Mock API call - POST /api/auth/forgot-password
+    try {
-    setTimeout(() => {
+      await api.auth.forgotPassword(email);
    } catch {
      // Always show success to avoid leaking account existence
    } finally {
      setIsLoading(false);
      setIsSubmitted(true);
-    }, 1000);
+    }
  };
  // Success state - always show neutral message (don't leak account existence)
@@ -1,36 +1,106 @@
-import { useState } from "react";
+import { useState, useEffect } from "react";
-import { useNavigate } from "react-router-dom";
+import { useNavigate, useSearchParams, Link } from "react-router-dom";
-import { User, Lock, Upload, ArrowRight, Building2 } from "lucide-react";
+import { User, Lock, ArrowRight, Building2, Loader2, AlertCircle, CheckCircle } from "lucide-react";
 import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Label } from "@/components/ui/label";
-import { Avatar, AvatarFallback } from "@/components/ui/avatar";
+import { api, ApiError } from "@/lib/api";
 import { useAuth } from "@/contexts/AuthContext";
 export default function InviteAcceptPage() {
  const navigate = useNavigate();
  const [searchParams] = useSearchParams();
  const token = searchParams.get("token") || "";
  const { login } = useAuth();
  const [name, setName] = useState("");
  const [password, setPassword] = useState("");
  const [confirmPassword, setConfirmPassword] = useState("");
  const [isLoading, setIsLoading] = useState(false);
  const [isTokenLoading, setIsTokenLoading] = useState(true);
  const [tokenError, setTokenError] = useState("");
  const [submitError, setSubmitError] = useState("");
  const [inviteData, setInviteData] = useState<{
    email: string;
    organization: { id: string; name: string };
    role: string;
    user_exists?: boolean;
  } | null>(null);
-  // Mock invite data - will be fetched from URL token
+  useEffect(() => {
-  const inviteData = {
+    if (!token) {
-    email: "invited@example.com",
+      setTokenError("No invite token found in the URL.");
-    organization: "Acme Corp",
+      setIsTokenLoading(false);
-  };
+      return;
    }
    api.invites.getInfo(token)
      .then((data) => {
        setInviteData(data);
      })
      .catch(() => {
        setTokenError("This invitation link is invalid or has expired.");
      })
      .finally(() => setIsTokenLoading(false));
  }, [token]);
  const handleSubmit = async (e: React.FormEvent) => {
    e.preventDefault();
-    if (password !== confirmPassword) {
+    setSubmitError("");
-      return;
+    if (!inviteData?.user_exists) {
      if (password !== confirmPassword) {
        setSubmitError("Passwords do not match.");
        return;
      }
      if (password.length < 8) {
        setSubmitError("Password must be at least 8 characters.");
        return;
      }
    }
    setIsLoading(true);
-    setTimeout(() => {
+    try {
-      setIsLoading(false);
+      const result = await api.invites.accept(token, name || undefined, inviteData?.user_exists ? undefined : password);
      if (result.token) {
        // Store the token manually since we're not using the normal login flow
        localStorage.setItem("gatehouse_token", result.token);
      }
      navigate("/profile");
-    }, 1000);
+    } catch (err: unknown) {
      const msg = err instanceof ApiError ? err.message : "Failed to accept invite.";
      setSubmitError(msg);
    } finally {
      setIsLoading(false);
    }
  };
  if (isTokenLoading) {
    return (
      <div className="auth-card flex items-center justify-center py-12">
        <Loader2 className="w-6 h-6 animate-spin text-muted-foreground" />
      </div>
    );
  }
  if (tokenError) {
    return (
      <div className="auth-card">
        <div className="text-center">
          <div className="w-12 h-12 rounded-lg bg-destructive/10 flex items-center justify-center mx-auto mb-4">
            <AlertCircle className="w-6 h-6 text-destructive" />
          </div>
          <h1 className="text-2xl font-semibold text-foreground tracking-tight mb-2">
            Invalid Invitation
          </h1>
          <p className="text-muted-foreground">{tokenError}</p>
          <Link to="/login" className="inline-block mt-4 text-sm text-primary hover:underline">
            Back to sign in
          </Link>
        </div>
      </div>
    );
  }
  const isExistingUser = !!inviteData?.user_exists;
  return (
    <div className="auth-card">
      <div className="text-center mb-8">
@@ -41,95 +111,102 @@ export default function InviteAcceptPage() {
          You're invited!
        </h1>
        <p className="text-muted-foreground mt-2">
-          <span className="font-medium text-foreground">{inviteData.organization}</span> has
+          <span className="font-medium text-foreground">{inviteData?.organization.name}</span> has
-          invited you to join their organization
+          invited you to join as <span className="font-medium text-foreground capitalize">{inviteData?.role}</span>
        </p>
      </div>
      <form onSubmit={handleSubmit} className="space-y-4">
-        {/* Avatar upload */}
+        <div className="space-y-2">
-        <div className="flex flex-col items-center mb-6">
+          <Label>Email</Label>
-          <Avatar className="w-20 h-20 mb-3">
+          <Input type="email" value={inviteData?.email ?? ""} disabled className="bg-muted" />
            <AvatarFallback className="bg-primary text-primary-foreground text-xl">
              {name ? name.split(" ").map(n => n[0]).join("").slice(0, 2).toUpperCase() : "?"}
            </AvatarFallback>
          </Avatar>
          <Button type="button" variant="outline" size="sm">
            <Upload className="w-4 h-4 mr-2" />
            Upload photo
          </Button>
        </div>
-        <div className="space-y-2">
+        {isExistingUser ? (
-          <Label htmlFor="email">Email</Label>
+          <div className="rounded-lg bg-accent/10 border border-accent/20 p-4 flex items-start gap-3">
-          <Input
+            <CheckCircle className="w-5 h-5 text-accent flex-shrink-0 mt-0.5" />
-            id="email"
+            <div className="text-sm">
-            type="email"
+              <p className="font-medium text-foreground">Account found</p>
-            value={inviteData.email}
+              <p className="text-muted-foreground">You already have a Gatehouse account. Click below to join the organization.</p>
-            disabled
+            </div>
            className="bg-muted"
          />
        </div>
        <div className="space-y-2">
          <Label htmlFor="name">Full name</Label>
          <div className="relative">
            <User className="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-muted-foreground" />
            <Input
              id="name"
              type="text"
              placeholder="John Doe"
              value={name}
              onChange={(e) => setName(e.target.value)}
              className="pl-10"
              required
            />
          </div>
-        </div>
+        ) : (
          <>
            <div className="space-y-2">
              <Label htmlFor="name">Full name</Label>
              <div className="relative">
                <User className="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-muted-foreground" />
                <Input
                  id="name"
                  type="text"
                  placeholder="John Doe"
                  value={name}
                  onChange={(e) => setName(e.target.value)}
                  className="pl-10"
                  required
                />
              </div>
            </div>
            <div className="space-y-2">
              <Label htmlFor="password">Password</Label>
              <div className="relative">
                <Lock className="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-muted-foreground" />
                <Input
                  id="password"
                  type="password"
                  placeholder="••••••••"
                  value={password}
                  onChange={(e) => setPassword(e.target.value)}
                  className="pl-10"
                  required
                  minLength={8}
                />
              </div>
            </div>
            <div className="space-y-2">
              <Label htmlFor="confirmPassword">Confirm password</Label>
              <div className="relative">
                <Lock className="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-muted-foreground" />
                <Input
                  id="confirmPassword"
                  type="password"
                  placeholder="••••••••"
                  value={confirmPassword}
                  onChange={(e) => setConfirmPassword(e.target.value)}
                  className="pl-10"
                  required
                />
              </div>
            </div>
          </>
        )}
-        <div className="space-y-2">
+        {submitError && (
-          <Label htmlFor="password">Password</Label>
+          <p className="text-sm text-destructive flex items-center gap-2">
-          <div className="relative">
+            <AlertCircle className="w-4 h-4 flex-shrink-0" />
-            <Lock className="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-muted-foreground" />
+            {submitError}
-            <Input
+          </p>
-              id="password"
+        )}
              type="password"
              placeholder="••••••••"
              value={password}
              onChange={(e) => setPassword(e.target.value)}
              className="pl-10"
              required
              minLength={8}
            />
          </div>
        </div>
        <div className="space-y-2">
          <Label htmlFor="confirmPassword">Confirm password</Label>
          <div className="relative">
            <Lock className="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-muted-foreground" />
            <Input
              id="confirmPassword"
              type="password"
              placeholder="••••••••"
              value={confirmPassword}
              onChange={(e) => setConfirmPassword(e.target.value)}
              className="pl-10"
              required
            />
          </div>
        </div>
        <Button type="submit" className="w-full" disabled={isLoading}>
          {isLoading ? (
-            "Joining..."
+            <><Loader2 className="w-4 h-4 mr-2 animate-spin" />Joining...</>
          ) : (
            <>
-              Join {inviteData.organization}
+              Join {inviteData?.organization.name}
              <ArrowRight className="w-4 h-4 ml-2" />
            </>
          )}
        </Button>
        {isExistingUser && (
          <p className="text-center text-sm text-muted-foreground">
            Not you?{" "}
            <Link to="/login" className="text-primary hover:underline">
              Sign in with a different account
            </Link>
          </p>
        )}
      </form>
    </div>
  );
@@ -1,6 +1,6 @@
-import { useState, useEffect, useCallback } from "react";
+import { useState, useEffect, useCallback, useRef } from "react";
 import { Link, useNavigate, useSearchParams } from "react-router-dom";
-import { Mail, Lock, ArrowRight, Fingerprint, ArrowLeft, ShieldCheck, Loader2, Smartphone, AlertTriangle } from "lucide-react";
+import { Mail, Lock, ArrowRight, Fingerprint, ArrowLeft, ShieldCheck, Loader2, Smartphone, AlertTriangle, Terminal } from "lucide-react";
 import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Label } from "@/components/ui/label";
@@ -49,7 +49,7 @@ async function completeOidcFlow(oidcSessionId: string, token: string): Promise<s
 }
 export default function LoginPage() {
-  const { login, verifyTotp, refreshUser } = useAuth();
+  const { login, verifyTotp, refreshUser, user, isLoading: authLoading } = useAuth();
  const navigate = useNavigate();
  const { toast } = useToast();
  const [searchParams] = useSearchParams();
@@ -69,6 +69,46 @@ export default function LoginPage() {
  const oidcSessionId = searchParams.get('oidc_session_id');
  const oidcError = searchParams.get('error');
  // CLI bridge: if cli_token or cli_redirect is present the login was triggered
  // by the Gatehouse CLI tool.  After successful auth the token is delivered
  // directly to the CLI's local callback server.
  const cliToken = searchParams.get('cli_token');
  const cliRedirectParam = searchParams.get('cli_redirect');
  const [cliRedirectUrl, setCliRedirectUrl] = useState<string | null>(cliRedirectParam);
  const cliFetchedRef = useRef(false);
  // Exchange cli_token for the real redirect URL (keeps the URL clean)
  useEffect(() => {
    if (!cliToken || cliFetchedRef.current) return;
    cliFetchedRef.current = true;
    fetch(`${GATEHOUSE_API}/cli/redirect-url?token=${encodeURIComponent(cliToken)}`)
      .then((r) => r.json())
      .then((body) => {
        if (body?.data?.redirect_url) {
          setCliRedirectUrl(body.data.redirect_url);
        }
      })
      .catch(() => {/* ignore — user will just land on normal login */});
  }, [cliToken]);
  const finishCliFlow = useCallback((token: string) => {
    if (!cliRedirectUrl) return false;
    // cliRedirectUrl already ends with "token=" — just append the value
    window.location.href = cliRedirectUrl + encodeURIComponent(token);
    return true;
  }, [cliRedirectUrl]);
  // If the user is already authenticated and we're in CLI mode, deliver the
  // token immediately — no need to show the login form at all.
  useEffect(() => {
    if (authLoading) return; // wait until auth state is known
    if (!cliRedirectUrl) return;
    const existingToken = tokenManager.getToken();
    if (user && existingToken) {
      finishCliFlow(existingToken);
    }
  }, [authLoading, user, cliRedirectUrl, finishCliFlow]);
  const finishOidcFlow = useCallback(async (token: string) => {
    if (!oidcSessionId) return false;
    try {
@@ -110,8 +150,12 @@ export default function LoginPage() {
    e.preventDefault();
    setIsLoading(true);
    // In CLI or OIDC mode we need to handle post-auth navigation ourselves,
    // so tell AuthContext not to navigate to /profile automatically.
    const needsCustomNav = !!(cliRedirectUrl || oidcSessionId);
    try {
-      const result = await login(email, password, rememberMe);
+      const result = await login(email, password, rememberMe, needsCustomNav);
      if (result.requiresWebAuthn) {
        setStep('webauthn');
      } else if (result.requiresTotp) {
@@ -119,13 +163,17 @@ export default function LoginPage() {
        setTotpCode("");
      } else if (result.requiresMfaEnrollment) {
        // MFA enrollment required - will be handled by ProtectedLayout
-        // Navigation happens in AuthContext
+        // Navigation happens in AuthContext (MFA path always navigates)
      } else if (oidcSessionId) {
        // OIDC bridge: send token back to the Gatehouse backend to complete the flow
        const token = tokenManager.getToken();
        if (token) await finishOidcFlow(token);
      } else if (cliRedirectUrl) {
        // CLI bridge: deliver the token directly to the CLI's local server
        const token = tokenManager.getToken();
        if (token) finishCliFlow(token);
      }
-      // If no TOTP, WebAuthn, or MFA enrollment required, navigation happens in AuthContext
+      // Normal login: navigation already handled by AuthContext (skipNavigate=false)
    } catch (error) {
      if (import.meta.env.DEV) {
        console.error("[Gatehouse] Login failed:", error);
@@ -178,16 +226,22 @@ export default function LoginPage() {
        // OIDC bridge: finish the flow if this is an OIDC login
        if (oidcSessionId && response.token) {
          await finishOidcFlow(response.token);
        } else if (cliRedirectUrl && response.token) {
          finishCliFlow(response.token);
        } else {
          await refreshUser();
          navigate('/profile');
        }
      } else {
        // Fallback to regular TOTP verification
-        await verifyTotp(totpCode, useBackupCode);
+        const needsCustomNav = !!(cliRedirectUrl || oidcSessionId);
        await verifyTotp(totpCode, useBackupCode, needsCustomNav);
        if (oidcSessionId) {
          const token = tokenManager.getToken();
          if (token) await finishOidcFlow(token);
        } else if (cliRedirectUrl) {
          const token = tokenManager.getToken();
          if (token) finishCliFlow(token);
        }
      }
    } catch (error) {
@@ -227,13 +281,17 @@ export default function LoginPage() {
    setIsLoading(true);
    try {
-      await verifyTotp(totpCode, useBackupCode);
+      const needsCustomNav = !!(cliRedirectUrl || oidcSessionId);
      await verifyTotp(totpCode, useBackupCode, needsCustomNav);
      // OIDC bridge: finish the flow if this is an OIDC login
      if (oidcSessionId) {
        const token = tokenManager.getToken();
        if (token) await finishOidcFlow(token);
      } else if (cliRedirectUrl) {
        const token = tokenManager.getToken();
        if (token) finishCliFlow(token);
      }
-      // Otherwise navigation happens in AuthContext
+      // Normal login: navigation already handled by AuthContext (skipNavigate=false)
    } catch (error) {
      if (import.meta.env.DEV) {
        console.error("[Gatehouse] TOTP verification failed:", error);
@@ -292,6 +350,9 @@ export default function LoginPage() {
      if (oidcSessionId) {
        const token = tokenManager.getToken();
        if (token) await finishOidcFlow(token);
      } else if (cliRedirectUrl) {
        const token = tokenManager.getToken();
        if (token) finishCliFlow(token);
      } else {
        navigate('/profile');
      }
@@ -364,6 +425,9 @@ export default function LoginPage() {
      if (oidcSessionId) {
        const token = tokenManager.getToken();
        if (token) await finishOidcFlow(token);
      } else if (cliRedirectUrl) {
        const token = tokenManager.getToken();
        if (token) finishCliFlow(token);
      } else {
        await refreshUser();
        navigate('/profile');
@@ -444,6 +508,11 @@ export default function LoginPage() {
        ...(oidcSessionId ? { oidc_session_id: oidcSessionId } : {}),
      });
      // CLI bridge: stash the redirect URL so OAuthCallbackPage can deliver the token
      if (cliRedirectUrl) {
        sessionStorage.setItem('cli_redirect_url', cliRedirectUrl);
      }
      // Redirect browser to provider
      window.location.href = response.authorization_url;
@@ -860,11 +929,18 @@ export default function LoginPage() {
  return (
    <div className="auth-card">
      <div className="text-center mb-8">
        {cliRedirectUrl && (
          <div className="mx-auto w-12 h-12 rounded-full bg-primary/10 flex items-center justify-center mb-4">
            <Terminal className="w-6 h-6 text-primary" />
          </div>
        )}
        <h1 className="text-2xl font-semibold text-foreground tracking-tight">
-          {oidcSessionId ? "Sign in to continue" : "Welcome back"}
+          {cliRedirectUrl ? "Authorize CLI access" : oidcSessionId ? "Sign in to continue" : "Welcome back"}
        </h1>
        <p className="text-muted-foreground mt-2">
-          {oidcSessionId
+          {cliRedirectUrl
            ? "Sign in to grant the Gatehouse CLI access to your account"
            : oidcSessionId
            ? "An application is requesting access to your account"
            : "Sign in to your account to continue"}
        </p>
@@ -75,10 +75,30 @@ export default function OAuthCallbackPage() {
        return;
      }
-      // Organisation creation required
+      // Organisation creation required — store the token and send to /org-setup
      if (requiresOrgCreation) {
-        setStatus('error');
+        const orgSetupToken = searchParams.get("token");
-        setError("No organization found for your account. Please ask an administrator to add you to an organization.");
+        const orgSetupExpiresIn = searchParams.get("expires_in");
        const pendingInvitesRaw = searchParams.get("pending_invites");
        if (orgSetupToken) {
          const expiresAt = orgSetupExpiresIn
            ? new Date(Date.now() + parseInt(orgSetupExpiresIn, 10) * 1000).toISOString()
            : null;
          tokenManager.setToken(orgSetupToken, expiresAt);
        }
        let pendingInvites: Array<{ token: string; organization: { id: string; name: string }; role: string; expires_at: string }> = [];
        try {
          if (pendingInvitesRaw) pendingInvites = JSON.parse(pendingInvitesRaw);
        } catch {
          // ignore parse errors
        }
        navigate('/org-setup', {
          replace: true,
          state: { pendingInvites, isFirstUser: false },
        });
        return;
      }
@@ -97,6 +117,15 @@ export default function OAuthCallbackPage() {
        tokenManager.setToken(token, expiresAt);
        await refreshUser();
        // ── CLI bridge: deliver token to the local CLI server ─────────────────
        const cliCallbackUrl = sessionStorage.getItem('cli_redirect_url');
        if (cliCallbackUrl) {
          sessionStorage.removeItem('cli_redirect_url');
          // cliCallbackUrl already ends with "token=" — append the value
          window.location.href = cliCallbackUrl + encodeURIComponent(token);
          return;
        }
        // ── OIDC bridge: complete the flow and redirect back to the OIDC client ──
        if (oidcSessionId) {
          try {
@@ -1,39 +1,122 @@
-import { useState } from "react";
+import { useState, useEffect } from "react";
-import { useNavigate } from "react-router-dom";
+import { useNavigate, useSearchParams } from "react-router-dom";
-import { CheckCircle, XCircle, Shield, User, Mail, Building2 } from "lucide-react";
+import { CheckCircle, XCircle, Shield, User, Mail, Building2, Loader2, Key } from "lucide-react";
 import { Button } from "@/components/ui/button";
 import { Card } from "@/components/ui/card";
 import { Separator } from "@/components/ui/separator";
 import { tokenManager } from "@/lib/api";
 const GATEHOUSE_API = import.meta.env.VITE_API_BASE_URL ?? 'http://localhost:5000/api/v1';
 const GATEHOUSE_OIDC = GATEHOUSE_API.replace(/\/api\/v1\/?$/, '');
 const SCOPE_META: Record<string, { icon: typeof Shield; label: string; description: string }> = {
  openid: { icon: Shield, label: "OpenID", description: "Verify your identity" },
  profile: { icon: User, label: "Profile", description: "Access your name and profile picture" },
  email: { icon: Mail, label: "Email", description: "Access your email address" },
  groups: { icon: Building2, label: "Groups", description: "Access your group memberships" },
  offline_access: { icon: Key, label: "Offline Access", description: "Access your data while you are not logged in" },
 };
 interface ConsentContext {
  oidc_session_id: string;
  client_name: string;
  scopes: string[];
  redirect_uri: string;
 }
 export default function OIDCConsentPage() {
  const navigate = useNavigate();
  const [searchParams] = useSearchParams();
  const oidcSessionId = searchParams.get("oidc_session_id");
  const [isLoading, setIsLoading] = useState(false);
  const [context, setContext] = useState<ConsentContext | null>(null);
  const [fetchError, setFetchError] = useState<string | null>(null);
-  // Mock OIDC client data - will be fetched from auth flow
+  useEffect(() => {
-  const clientData = {
+    if (!oidcSessionId) {
-    name: "GitLab",
+      setFetchError("No OIDC session provided.");
-    logo: null,
+      return;
-    redirectUri: "https://gitlab.example.com/callback",
+    }
    scopes: [
      { id: "openid", name: "OpenID", description: "Verify your identity" },
      { id: "profile", name: "Profile", description: "Access your name and profile picture" },
      { id: "email", name: "Email", description: "Access your email address" },
    ],
  };
-  const handleAllow = () => {
+    (async () => {
      try {
        const res = await fetch(`${GATEHOUSE_OIDC}/oidc/begin`, {
          method: "POST",
          headers: { "Content-Type": "application/json" },
          body: JSON.stringify({ oidc_session_id: oidcSessionId }),
        });
        const body = await res.json();
        if (!res.ok || !body.success) {
          setFetchError(body.message || "Failed to load consent context.");
          return;
        }
        setContext(body.data as ConsentContext);
      } catch {
        setFetchError("Failed to connect to authentication server.");
      }
    })();
  }, [oidcSessionId]);
  const handleAllow = async () => {
    if (!context) return;
    setIsLoading(true);
-    // Mock consent - will redirect to client callback
+    try {
-    setTimeout(() => {
+      const token = tokenManager.getToken();
      if (!token) {
        navigate(`/login?oidc_session_id=${context.oidc_session_id}`);
        return;
      }
      const res = await fetch(`${GATEHOUSE_OIDC}/oidc/complete`, {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify({ oidc_session_id: context.oidc_session_id, token }),
      });
      const body = await res.json();
      if (!res.ok || !body.success) {
        setFetchError(body.message || "Authorization failed.");
        return;
      }
      window.location.href = body.data.redirect_url;
    } catch {
      setFetchError("Failed to complete authorization.");
    } finally {
      setIsLoading(false);
-      // In real implementation: redirect to redirectUri with auth code
+    }
    }, 500);
  };
  const handleDeny = () => {
-    navigate(-1);
+    if (context?.redirect_uri) {
      window.location.href = `${context.redirect_uri}?error=access_denied&error_description=User+denied+access`;
    } else {
      navigate(-1);
    }
  };
  if (fetchError) {
    return (
      <div className="auth-card text-center">
        <div className="w-16 h-16 rounded-full bg-destructive/10 flex items-center justify-center mx-auto mb-6">
          <XCircle className="w-8 h-8 text-destructive" />
        </div>
        <h1 className="text-xl font-semibold text-foreground">Authorization Error</h1>
        <p className="text-muted-foreground mt-2">{fetchError}</p>
        <Button variant="outline" className="mt-6 w-full" onClick={() => navigate("/")}>
          Return to home
        </Button>
      </div>
    );
  }
  if (!context) {
    return (
      <div className="auth-card text-center">
        <Loader2 className="w-8 h-8 text-accent animate-spin mx-auto mb-4" />
        <p className="text-muted-foreground">Loading authorization request…</p>
      </div>
    );
  }
  return (
    <div className="auth-card">
      <div className="text-center mb-6">
@@ -41,7 +124,7 @@ export default function OIDCConsentPage() {
          <Shield className="w-7 h-7 text-primary" />
        </div>
        <h1 className="text-xl font-semibold text-foreground tracking-tight">
-          Authorize {clientData.name}
+          Authorize {context.client_name}
        </h1>
        <p className="text-sm text-muted-foreground mt-2">
          This application wants to access your account
@@ -50,31 +133,42 @@ export default function OIDCConsentPage() {
      <Card className="p-4 bg-secondary/30 border-0 mb-6">
        <p className="text-sm text-foreground font-medium mb-3">
-          {clientData.name} is requesting access to:
+          {context.client_name} is requesting access to:
        </p>
        <ul className="space-y-3">
-          {clientData.scopes.map((scope) => (
+          {context.scopes.map((scope) => {
-            <li key={scope.id} className="flex items-start gap-3">
+            const meta = SCOPE_META[scope];
-              <div className="w-8 h-8 rounded-lg bg-card flex items-center justify-center flex-shrink-0">
+            const Icon = meta?.icon ?? Key;
-                {scope.id === "openid" && <Shield className="w-4 h-4 text-accent" />}
+            return (
-                {scope.id === "profile" && <User className="w-4 h-4 text-accent" />}
+              <li key={scope} className="flex items-start gap-3">
-                {scope.id === "email" && <Mail className="w-4 h-4 text-accent" />}
+                <div className="w-8 h-8 rounded-lg bg-card flex items-center justify-center flex-shrink-0">
-              </div>
+                  <Icon className="w-4 h-4 text-accent" />
-              <div>
+                </div>
-                <p className="text-sm font-medium text-foreground">{scope.name}</p>
+                <div>
-                <p className="text-xs text-muted-foreground">{scope.description}</p>
+                  <p className="text-sm font-medium text-foreground">
-              </div>
+                    {meta?.label ?? scope}
-            </li>
+                  </p>
-          ))}
+                  <p className="text-xs text-muted-foreground">
                    {meta?.description ?? scope}
                  </p>
                </div>
              </li>
            );
          })}
        </ul>
      </Card>
-      <div className="flex items-center gap-2 text-xs text-muted-foreground mb-6">
+      {context.redirect_uri && (
-        <Building2 className="w-4 h-4" />
+        <div className="flex items-center gap-2 text-xs text-muted-foreground mb-6">
-        <span>
+          <Building2 className="w-4 h-4" />
-          Redirecting to: <span className="font-mono text-foreground">{clientData.redirectUri}</span>
+          <span>
-        </span>
+            Redirecting to:{" "}
-      </div>
+            <span className="font-mono text-foreground">
              {new URL(context.redirect_uri).origin}
            </span>
          </span>
        </div>
      )}
      <Separator className="mb-6" />
@@ -93,8 +187,12 @@ export default function OIDCConsentPage() {
          className="flex-1"
          disabled={isLoading}
        >
-          <CheckCircle className="w-4 h-4 mr-2" />
+          {isLoading ? (
-          {isLoading ? "Authorizing..." : "Allow"}
+            <Loader2 className="w-4 h-4 mr-2 animate-spin" />
          ) : (
            <CheckCircle className="w-4 h-4 mr-2" />
          )}
          {isLoading ? "Authorizing…" : "Allow"}
        </Button>
      </div>
@@ -1,14 +1,26 @@
 import { AlertTriangle, ArrowLeft, Home } from "lucide-react";
 import { Button } from "@/components/ui/button";
-import { Link } from "react-router-dom";
+import { Link, useSearchParams } from "react-router-dom";
 const ERROR_DESCRIPTIONS: Record<string, string> = {
  invalid_request: "The request was missing a required parameter or was otherwise malformed.",
  unauthorized_client: "The client is not authorized to request an authorization code using this method.",
  access_denied: "The resource owner or authorization server denied the request.",
  unsupported_response_type: "The authorization server does not support obtaining an authorization code using this method.",
  invalid_scope: "The requested scope is invalid, unknown, or malformed.",
  server_error: "The authorization server encountered an unexpected condition that prevented it from fulfilling the request.",
  temporarily_unavailable: "The authorization server is temporarily unavailable. Please try again later.",
 };
 export default function OIDCErrorPage() {
-  // Mock error data - will be parsed from URL params
+  const [searchParams] = useSearchParams();
-  const errorData = {
+
-    error: "invalid_request",
+  const error = searchParams.get("error") || "server_error";
-    description: "The request was missing a required parameter or was otherwise malformed.",
+  const errorDescription =
-    clientName: "Unknown Application",
+    searchParams.get("error_description") ||
-  };
+    ERROR_DESCRIPTIONS[error] ||
    "An unexpected error occurred during authentication.";
  const clientName = searchParams.get("client") || "the application";
  return (
    <div className="auth-card text-center">
@@ -20,15 +32,16 @@ export default function OIDCErrorPage() {
        Authentication Error
      </h1>
      <p className="text-muted-foreground mt-2 mb-4">
-        There was a problem with the authentication request.
+        There was a problem with the authentication request from{" "}
        <span className="font-medium text-foreground">{clientName}</span>.
      </p>
      <div className="bg-destructive/5 border border-destructive/20 rounded-lg p-4 mb-6 text-left">
        <p className="text-sm font-medium text-foreground mb-1">
-          Error: <code className="text-destructive">{errorData.error}</code>
+          Error: <code className="text-destructive">{error}</code>
        </p>
        <p className="text-sm text-muted-foreground">
-          {errorData.description}
+          {decodeURIComponent(errorDescription)}
        </p>
      </div>
@@ -0,0 +1,455 @@
 /**
 * OIDCLoginPage — Standalone OIDC proxy login UI
 *
 * Unified entry point for OIDC authorization flows via the Gatehouse OIDC bridge.
 * Handles:
 *   1. Unauthenticated users → shows an email/password login form
 *   2. Already-authenticated users → shows a consent/approval screen directly
 *
 * Route: /oidc-login?oidc_session_id=<id>
 *
 * Configure your oauth2-proxy / OIDC client's login_url to:
 *   https://<gatehouse-ui>/oidc-login
 */
 import { useState, useEffect, useCallback } from "react";
 import { useSearchParams, useNavigate } from "react-router-dom";
 import {
  Shield,
  Mail,
  Lock,
  ArrowRight,
  Loader2,
  XCircle,
  CheckCircle,
  AlertTriangle,
  User,
  Building2,
  Key,
  LogOut,
 } from "lucide-react";
 import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Label } from "@/components/ui/label";
 import { Card } from "@/components/ui/card";
 import { Separator } from "@/components/ui/separator";
 import { Badge } from "@/components/ui/badge";
 import { useAuth } from "@/contexts/AuthContext";
 import { ApiError, tokenManager } from "@/lib/api";
 // ── Configuration ─────────────────────────────────────────────────────────────
 const GATEHOUSE_OIDC = (import.meta.env.VITE_API_BASE_URL ?? "http://localhost:5000/api/v1")
  .replace(/\/api\/v1\/?$/, "");
 // ── Scope display metadata ────────────────────────────────────────────────────
 const SCOPE_META: Record<string, { icon: typeof Shield; label: string; description: string }> = {
  openid:         { icon: Shield,    label: "Identity",       description: "Verify your identity" },
  profile:        { icon: User,      label: "Profile",        description: "Your name and username" },
  email:          { icon: Mail,      label: "Email",          description: "Your email address" },
  groups:         { icon: Building2, label: "Groups",         description: "Your organization memberships" },
  roles:          { icon: Shield,    label: "Roles",          description: "Your roles in the organization" },
  offline_access: { icon: Key,       label: "Offline Access", description: "Access data while you're away" },
 };
 // ── Types ─────────────────────────────────────────────────────────────────────
 interface OIDCContext {
  oidc_session_id: string;
  client_name: string;
  scopes: string[];
  redirect_uri: string;
 }
 type PageStep = "loading" | "login" | "consent" | "error";
 // ── API helpers ───────────────────────────────────────────────────────────────
 async function fetchOIDCContext(oidcSessionId: string): Promise<OIDCContext> {
  const res = await fetch(`${GATEHOUSE_OIDC}/oidc/begin`, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ oidc_session_id: oidcSessionId }),
  });
  const body = await res.json();
  if (!res.ok || !body.success) {
    throw new Error(body.message || "Failed to load authorization context.");
  }
  return body.data as OIDCContext;
 }
 async function completeOIDCFlow(oidcSessionId: string, token: string): Promise<string> {
  const res = await fetch(`${GATEHOUSE_OIDC}/oidc/complete`, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ oidc_session_id: oidcSessionId, token }),
  });
  const body = await res.json();
  if (!res.ok || !body.success) {
    throw new Error(body.message || "Authorization failed.");
  }
  return body.data.redirect_url as string;
 }
 // ── Main component ────────────────────────────────────────────────────────────
 export default function OIDCLoginPage() {
  const [searchParams] = useSearchParams();
  const navigate = useNavigate();
  const { user, isLoading: authLoading, login, logout } = useAuth();
  const oidcSessionId = searchParams.get("oidc_session_id");
  const [step, setStep] = useState<PageStep>("loading");
  const [context, setContext] = useState<OIDCContext | null>(null);
  const [errorMsg, setErrorMsg] = useState<string | null>(null);
  const [isCompleting, setIsCompleting] = useState(false);
  // Login form state
  const [email, setEmail] = useState("");
  const [password, setPassword] = useState("");
  const [isSubmitting, setIsSubmitting] = useState(false);
  const [loginError, setLoginError] = useState<string | null>(null);
  // ── Load OIDC context on mount ─────────────────────────────────────────────
  useEffect(() => {
    if (!oidcSessionId) {
      setErrorMsg("Missing oidc_session_id. This page must be accessed from an OIDC authorization flow.");
      setStep("error");
      return;
    }
    fetchOIDCContext(oidcSessionId)
      .then((ctx) => {
        setContext(ctx);
        // Determine initial step once we have context and auth state is known
      })
      .catch((err: Error) => {
        setErrorMsg(err.message);
        setStep("error");
      });
  // eslint-disable-next-line react-hooks/exhaustive-deps
  }, [oidcSessionId]);
  // ── Determine step once both context and auth state are ready ───────────────
  useEffect(() => {
    if (authLoading || !context || step !== "loading") return;
    const token = tokenManager.getToken();
    setStep(token ? "consent" : "login");
  }, [authLoading, context, step]);
  // ── Complete OIDC flow ──────────────────────────────────────────────────────
  const handleComplete = useCallback(async () => {
    if (!context) return;
    const token = tokenManager.getToken();
    if (!token) {
      setStep("login");
      return;
    }
    setIsCompleting(true);
    try {
      const redirectUrl = await completeOIDCFlow(context.oidc_session_id, token);
      window.location.href = redirectUrl;
    } catch (err) {
      setErrorMsg(err instanceof Error ? err.message : "Could not complete authorization.");
      setStep("error");
    } finally {
      setIsCompleting(false);
    }
  }, [context]);
  // ── Login form submit ───────────────────────────────────────────────────────
  const handleLoginSubmit = async (e: React.FormEvent) => {
    e.preventDefault();
    if (!context) return;
    setLoginError(null);
    setIsSubmitting(true);
    try {
      // skipNavigate=true so we control post-login navigation
      const result = await login(email, password, false, true);
      if (result.requiresTotp || result.requiresWebAuthn) {
        // MFA required — hand off to main login page which already handles this
        navigate(`/login?oidc_session_id=${context.oidc_session_id}`);
        return;
      }
      // Login succeeded — move to consent step
      setStep("consent");
    } catch (err) {
      const message =
        err instanceof ApiError ? err.message
        : err instanceof Error ? err.message
        : "Invalid email or password.";
      setLoginError(message);
    } finally {
      setIsSubmitting(false);
    }
  };
  // ── Deny / cancel ───────────────────────────────────────────────────────────
  const handleDeny = () => {
    if (context?.redirect_uri) {
      window.location.href = `${context.redirect_uri}?error=access_denied&error_description=User+denied+access`;
    } else {
      navigate("/");
    }
  };
  // ── Switch account ──────────────────────────────────────────────────────────
  const handleSwitchAccount = async () => {
    await logout();
    setStep("login");
    setEmail("");
    setPassword("");
    setLoginError(null);
  };
  // ── Render: loading ──────────────────────────────────────────────────────────
  if (step === "loading") {
    return (
      <div className="auth-card text-center">
        <Loader2 className="w-8 h-8 text-accent animate-spin mx-auto mb-4" />
        <p className="text-sm text-muted-foreground">Loading authorization request…</p>
      </div>
    );
  }
  // ── Render: error ─────────────────────────────────────────────────────────────
  if (step === "error") {
    return (
      <div className="auth-card text-center space-y-4">
        <div className="w-14 h-14 rounded-full bg-destructive/10 flex items-center justify-center mx-auto">
          <XCircle className="w-7 h-7 text-destructive" />
        </div>
        <h1 className="text-lg font-semibold text-foreground">Authorization Error</h1>
        <p className="text-sm text-muted-foreground">{errorMsg}</p>
        {context?.redirect_uri && (
          <Button
            variant="outline"
            className="w-full"
            onClick={() => {
              window.location.href = `${context.redirect_uri}?error=server_error&error_description=${encodeURIComponent(errorMsg ?? "Unknown error")}`;
            }}
          >
            Return to application
          </Button>
        )}
        <Button variant="ghost" className="w-full" onClick={() => navigate("/")}>
          Go to dashboard
        </Button>
      </div>
    );
  }
  // ── Render: login form ────────────────────────────────────────────────────────
  if (step === "login") {
    return (
      <div className="auth-card space-y-6">
        {/* Header */}
        <div className="text-center space-y-3">
          <div className="w-14 h-14 rounded-xl bg-primary/10 flex items-center justify-center mx-auto">
            <Shield className="w-7 h-7 text-primary" />
          </div>
          <div>
            <h1 className="text-xl font-semibold text-foreground tracking-tight">
              Sign in to continue
            </h1>
            {context && (
              <p className="text-sm text-muted-foreground mt-1">
                <span className="font-medium text-foreground">{context.client_name}</span>
                {" "}is requesting access to your account
              </p>
            )}
          </div>
        </div>
        {/* Requested scopes preview */}
        {context && context.scopes.length > 0 && (
          <Card className="p-3 bg-secondary/30 border-0">
            <p className="text-xs text-muted-foreground mb-2">This application will access:</p>
            <div className="flex flex-wrap gap-1.5">
              {context.scopes.map((scope) => {
                const meta = SCOPE_META[scope];
                return (
                  <Badge key={scope} variant="secondary" className="text-xs gap-1">
                    {meta?.label ?? scope}
                  </Badge>
                );
              })}
            </div>
          </Card>
        )}
        {/* Login form */}
        <form onSubmit={handleLoginSubmit} className="space-y-4">
          {loginError && (
            <div className="flex items-start gap-2 p-3 rounded-lg bg-destructive/10 border border-destructive/20">
              <AlertTriangle className="w-4 h-4 text-destructive flex-shrink-0 mt-0.5" />
              <p className="text-sm text-destructive">{loginError}</p>
            </div>
          )}
          <div className="space-y-2">
            <Label htmlFor="oidc-email">Email</Label>
            <div className="relative">
              <Mail className="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-muted-foreground" />
              <Input
                id="oidc-email"
                type="email"
                placeholder="you@example.com"
                className="pl-9"
                value={email}
                onChange={(e) => setEmail(e.target.value)}
                autoComplete="email"
                autoFocus
                required
              />
            </div>
          </div>
          <div className="space-y-2">
            <Label htmlFor="oidc-password">Password</Label>
            <div className="relative">
              <Lock className="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-muted-foreground" />
              <Input
                id="oidc-password"
                type="password"
                placeholder="••••••••"
                className="pl-9"
                value={password}
                onChange={(e) => setPassword(e.target.value)}
                autoComplete="current-password"
                required
              />
            </div>
          </div>
          <Button type="submit" className="w-full" disabled={isSubmitting}>
            {isSubmitting ? (
              <><Loader2 className="w-4 h-4 animate-spin mr-2" />Signing in…</>
            ) : (
              <><ArrowRight className="w-4 h-4 mr-2" />Sign in</>
            )}
          </Button>
        </form>
        <Separator />
        <div className="text-center space-y-2">
          <p className="text-xs text-muted-foreground">
            Need an account?{" "}
            <a href="/register" className="text-primary hover:underline">Register here</a>
          </p>
          <p className="text-xs text-muted-foreground">
            Forgot your password?{" "}
            <a href="/forgot-password" className="text-primary hover:underline">Reset it</a>
          </p>
        </div>
        <div className="text-center">
          <button
            type="button"
            onClick={handleDeny}
            className="text-xs text-muted-foreground hover:text-foreground transition-colors"
          >
            Cancel and return to application
          </button>
        </div>
      </div>
    );
  }
  // ── Render: consent screen (user is authenticated) ────────────────────────────
  if (step === "consent" && context) {
    return (
      <div className="auth-card space-y-6">
        {/* Header */}
        <div className="text-center space-y-3">
          <div className="w-14 h-14 rounded-xl bg-primary/10 flex items-center justify-center mx-auto">
            <Shield className="w-7 h-7 text-primary" />
          </div>
          <div>
            <h1 className="text-xl font-semibold text-foreground tracking-tight">
              Authorize {context.client_name}
            </h1>
            <p className="text-sm text-muted-foreground mt-1">
              This application is requesting access to your account
            </p>
          </div>
        </div>
        {/* Signed-in-as banner */}
        {user && (
          <Card className="p-3 bg-secondary/30 border-0 flex items-center justify-between gap-3">
            <div className="flex items-center gap-2 min-w-0">
              <div className="w-7 h-7 rounded-full bg-primary/20 flex items-center justify-center flex-shrink-0">
                <User className="w-4 h-4 text-primary" />
              </div>
              <div className="min-w-0">
                <p className="text-sm font-medium text-foreground truncate">{user.email}</p>
                <p className="text-xs text-muted-foreground">Signed in</p>
              </div>
            </div>
            <button
              type="button"
              onClick={handleSwitchAccount}
              className="text-xs text-muted-foreground hover:text-foreground flex items-center gap-1 flex-shrink-0 transition-colors"
            >
              <LogOut className="w-3 h-3" />
              Switch
            </button>
          </Card>
        )}
        {/* Requested permissions */}
        <Card className="p-4 bg-secondary/30 border-0">
          <p className="text-sm font-medium text-foreground mb-3">
            {context.client_name} is requesting:
          </p>
          <ul className="space-y-3">
            {context.scopes.map((scope) => {
              const meta = SCOPE_META[scope];
              const Icon = meta?.icon ?? Key;
              return (
                <li key={scope} className="flex items-start gap-3">
                  <div className="w-8 h-8 rounded-lg bg-card flex items-center justify-center flex-shrink-0">
                    <Icon className="w-4 h-4 text-accent" />
                  </div>
                  <div>
                    <p className="text-sm font-medium text-foreground">
                      {meta?.label ?? scope}
                    </p>
                    <p className="text-xs text-muted-foreground">
                      {meta?.description ?? scope}
                    </p>
                  </div>
                </li>
              );
            })}
          </ul>
        </Card>
        {/* Action buttons */}
        <div className="space-y-2">
          <Button
            className="w-full"
            onClick={handleComplete}
            disabled={isCompleting}
          >
            {isCompleting ? (
              <><Loader2 className="w-4 h-4 animate-spin mr-2" />Completing…</>
            ) : (
              <><CheckCircle className="w-4 h-4 mr-2" />Allow access</>
            )}
          </Button>
          <Button variant="outline" className="w-full" onClick={handleDeny} disabled={isCompleting}>
            <XCircle className="w-4 h-4 mr-2" />
            Deny
          </Button>
        </div>
        <p className="text-xs text-center text-muted-foreground">
          By allowing, you agree to share the above information with{" "}
          <span className="font-medium text-foreground">{context.client_name}</span>.
        </p>
      </div>
    );
  }
  return null;
 }
@@ -0,0 +1,337 @@
 /**
 * OrgSetupPage — shown after registration or first login when the user has no org.
 *
 * Layout:
 *  - If the user has pending invitations → show each invite card with a "Join" button.
 *    Only one org can be joined (once joined, redirect immediately).
 *  - Always show a "Create a new organisation" expandable section below.
 */
 import { useState, useEffect } from "react";
 import { useNavigate, useLocation } from "react-router-dom";
 import { Building2, Plus, ArrowRight, Loader2, Mail, ChevronDown, ChevronUp } from "lucide-react";
 import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Label } from "@/components/ui/label";
 import { BannerAlert } from "@/components/auth/BannerAlert";
 import { api, ApiError, PendingInvite, tokenManager } from "@/lib/api";
 import { useAuth } from "@/contexts/AuthContext";
 function toSlug(name: string): string {
  return name
    .toLowerCase()
    .trim()
    .replace(/[^a-z0-9]+/g, "-")
    .replace(/^-+|-+$/g, "")
    .slice(0, 64);
 }
 interface LocationState {
  pendingInvites?: PendingInvite[];
  isFirstUser?: boolean;
 }
 export default function OrgSetupPage() {
  const navigate = useNavigate();
  const location = useLocation();
  const { refreshUser, checkOrgAdmin, isOrgMember, isLoading } = useAuth();
  // If the user already belongs to an org (e.g. they bookmarked /org-setup),
  // redirect them straight to their profile so they don't get stuck.
  useEffect(() => {
    if (!isLoading && isOrgMember) {
      navigate("/profile", { replace: true });
    }
  }, [isLoading, isOrgMember, navigate]);
  // Seed from navigation state on first render (avoids flicker), then always
  // fetch from the API so refreshing the page still shows the real invites.
  const locationState = (location.state ?? {}) as LocationState;
  const [pendingInvites, setPendingInvites] = useState<PendingInvite[]>(
    locationState.pendingInvites ?? []
  );
  const [invitesLoading, setInvitesLoading] = useState(true);
  useEffect(() => {
    let cancelled = false;
    api.users.getMyInvites()
      .then((res) => {
        if (!cancelled) {
          setPendingInvites(res.invites);
          setInvitesLoading(false);
        }
      })
      .catch(() => {
        if (!cancelled) setInvitesLoading(false);
      });
    return () => { cancelled = true; };
  }, []);
  const hasInvites = pendingInvites.length > 0;
  // Invite acceptance
  const [joiningToken, setJoiningToken] = useState<string | null>(null);
  const [joinError, setJoinError] = useState<string | null>(null);
  // Create org form — open by default; collapses once we know there are invites
  const [createOpen, setCreateOpen] = useState(false);
  // Once invite fetch resolves: if no invites, open the create form automatically
  useEffect(() => {
    if (!invitesLoading) {
      setCreateOpen(pendingInvites.length === 0);
    }
  }, [invitesLoading, pendingInvites.length]);
  const [orgName, setOrgName] = useState("");
  const [orgSlug, setOrgSlug] = useState("");
  const [slugTouched, setSlugTouched] = useState(false);
  const [isCreating, setIsCreating] = useState(false);
  const [createError, setCreateError] = useState<string | null>(null);
  const handleNameChange = (value: string) => {
    setOrgName(value);
    if (!slugTouched) setOrgSlug(toSlug(value));
  };
  const handleSlugChange = (value: string) => {
    setSlugTouched(true);
    setOrgSlug(value.toLowerCase().replace(/[^a-z0-9-]/g, ""));
  };
  const done = async () => {
    await refreshUser();
    await checkOrgAdmin();
    navigate("/profile", { replace: true });
  };
  // ── Accept an invite ───────────────────────────────────────────────────────
  const handleJoinOrg = async (invite: PendingInvite) => {
    setJoinError(null);
    setJoiningToken(invite.token);
    try {
      const result = await api.invites.accept(invite.token);
      if (result.token) tokenManager.setToken(result.token, result.expires_at ?? null);
      await done();
    } catch (err) {
      setJoinError(err instanceof ApiError ? err.message : "Failed to join organisation. Please try again.");
      setJoiningToken(null);
    }
  };
  // ── Create a new org ───────────────────────────────────────────────────────
  const handleCreateOrg = async (e: React.FormEvent) => {
    e.preventDefault();
    setCreateError(null);
    if (!orgName.trim()) { setCreateError("Organisation name is required."); return; }
    if (!orgSlug.trim()) { setCreateError("Slug is required."); return; }
    setIsCreating(true);
    try {
      await api.organizations.create(orgName.trim(), orgSlug.trim());
      await done();
    } catch (err) {
      setCreateError(err instanceof ApiError ? err.message : "Failed to create organisation. Please try again.");
    } finally {
      setIsCreating(false);
    }
  };
  return (
    <div className="auth-card" data-testid="org-setup-page">
      {/* Header */}
      <div className="text-center mb-8">
        <div className="w-12 h-12 rounded-xl bg-primary/10 flex items-center justify-center mx-auto mb-4">
          <Building2 className="w-6 h-6 text-primary" />
        </div>
        <h1 className="text-2xl font-semibold text-foreground tracking-tight">
          {hasInvites ? "You have an invitation!" : "Set up your organisation"}
        </h1>
        <p className="text-muted-foreground mt-2 text-sm">
          {hasInvites
            ? "Join an existing organisation or create your own."
            : "Create your organisation to get started. You'll be set as the Owner."}
        </p>
      </div>
      {/* Loading skeleton while fetching invites */}
      {invitesLoading ? (
        <div className="flex items-center justify-center py-10">
          <Loader2 className="w-6 h-6 animate-spin text-muted-foreground" />
        </div>
      ) : (
        <>
      {/* ── Pending invitations ────────────────────────────────────────────── */}
      {hasInvites && (
        <div className="mb-6 space-y-3">
          <div className="flex items-center gap-2 text-xs font-semibold uppercase tracking-wide text-muted-foreground mb-1">
            <Mail className="w-3.5 h-3.5" />
            Invitation{pendingInvites.length > 1 ? "s" : ""} for your email
          </div>
          {joinError && <BannerAlert type="error" message={joinError} className="mb-2" />}
          {pendingInvites.map((invite) => (
            <div
              key={invite.token}
              className="flex items-center justify-between rounded-xl border border-border bg-muted/40 px-4 py-3 gap-4"
              data-testid="invite-card"
            >
              <div className="min-w-0">
                <p className="text-sm font-semibold text-foreground truncate">
                  {invite.organization.name}
                </p>
                <p className="text-xs text-muted-foreground mt-0.5">
                  You were invited as{" "}
                  <span className="font-medium capitalize">{invite.role}</span>
                </p>
              </div>
              <Button
                size="sm"
                className="shrink-0"
                disabled={joiningToken !== null}
                onClick={() => handleJoinOrg(invite)}
                data-testid="join-org-btn"
              >
                {joiningToken === invite.token ? (
                  <Loader2 className="w-4 h-4 animate-spin" />
                ) : (
                  "Join"
                )}
              </Button>
            </div>
          ))}
        </div>
      )}
      {/* ── Divider ───────────────────────────────────────────────────────── */}
      {hasInvites && (
        <div className="relative my-5">
          <div className="absolute inset-0 flex items-center">
            <span className="w-full border-t border-border" />
          </div>
          <div className="relative flex justify-center text-xs uppercase">
            <span className="bg-card px-2 text-muted-foreground">or</span>
          </div>
        </div>
      )}
      {/* ── Create organisation (collapsible when invites are present) ─────── */}
      {hasInvites ? (
        <div className="rounded-xl border border-border overflow-hidden">
          {/* Toggle header */}
          <button
            type="button"
            className="w-full flex items-center justify-between px-4 py-3 text-sm font-medium text-foreground hover:bg-muted/50 transition-colors"
            onClick={() => setCreateOpen((o) => !o)}
            data-testid="create-org-toggle"
          >
            <span className="flex items-center gap-2">
              <Plus className="w-4 h-4 text-primary" />
              Create a new organisation
            </span>
            {createOpen
              ? <ChevronUp className="w-4 h-4 text-muted-foreground" />
              : <ChevronDown className="w-4 h-4 text-muted-foreground" />
            }
          </button>
          {/* Collapsible form */}
          {createOpen && (
            <div className="border-t border-border px-4 py-4">
              <CreateOrgForm
                orgName={orgName}
                orgSlug={orgSlug}
                isCreating={isCreating}
                createError={createError}
                onNameChange={handleNameChange}
                onSlugChange={handleSlugChange}
                onSubmit={handleCreateOrg}
              />
            </div>
          )}
        </div>
      ) : (
        /* No invites — show the form directly */
        <CreateOrgForm
          orgName={orgName}
          orgSlug={orgSlug}
          isCreating={isCreating}
          createError={createError}
          onNameChange={handleNameChange}
          onSlugChange={handleSlugChange}
          onSubmit={handleCreateOrg}
        />
      )}
      </>
      )}
    </div>
  );
 }
 // ── Reusable create-org form ─────────────────────────────────────────────────
 interface CreateOrgFormProps {
  orgName: string;
  orgSlug: string;
  isCreating: boolean;
  createError: string | null;
  onNameChange: (v: string) => void;
  onSlugChange: (v: string) => void;
  onSubmit: (e: React.FormEvent) => void;
 }
 function CreateOrgForm({
  orgName, orgSlug, isCreating, createError,
  onNameChange, onSlugChange, onSubmit,
 }: CreateOrgFormProps) {
  return (
    <form onSubmit={onSubmit} className="space-y-4" data-testid="org-setup-create">
      {createError && <BannerAlert type="error" message={createError} />}
      <div className="space-y-1.5">
        <Label htmlFor="orgName">Organisation name</Label>
        <Input
          id="orgName"
          type="text"
          placeholder="Acme Corp"
          value={orgName}
          onChange={(e) => onNameChange(e.target.value)}
          required
          autoFocus
          data-testid="org-name-input"
        />
      </div>
      <div className="space-y-1.5">
        <Label htmlFor="orgSlug">
          Slug{" "}
          <span className="text-xs text-muted-foreground font-normal">
            — used in URLs, lowercase &amp; hyphens only
          </span>
        </Label>
        <Input
          id="orgSlug"
          type="text"
          placeholder="acme-corp"
          value={orgSlug}
          onChange={(e) => onSlugChange(e.target.value)}
          required
          pattern="[a-z0-9][a-z0-9\-]*"
          title="Lowercase letters, numbers, and hyphens only"
          data-testid="org-slug-input"
        />
      </div>
      <Button
        type="submit"
        className="w-full"
        disabled={isCreating || !orgName.trim() || !orgSlug.trim()}
        data-testid="create-org-btn"
      >
        {isCreating
          ? <><Loader2 className="w-4 h-4 mr-2 animate-spin" />Creating…</>
          : <><ArrowRight className="w-4 h-4 mr-2" />Create organisation</>
        }
      </Button>
    </form>
  );
 }
@@ -6,8 +6,9 @@ import { Input } from "@/components/ui/input";
 import { Label } from "@/components/ui/label";
 import { PasswordStrengthMeter, isPasswordValid } from "@/components/auth/PasswordStrengthMeter";
 import { BannerAlert } from "@/components/auth/BannerAlert";
 import { api, ApiError, tokenManager } from "@/lib/api";
-type RegistrationState = "form" | "success" | "disabled";
+type RegistrationState = "form" | "disabled";
 export default function RegisterPage() {
  const navigate = useNavigate();
@@ -42,22 +43,36 @@ export default function RegisterPage() {
    setIsLoading(true);
-    // Mock registration - will be replaced with actual API call
+    try {
-    // POST /api/auth/register
+      const response = await api.auth.register(email, password, name.trim() || undefined);
-    setTimeout(() => {
+
-      setIsLoading(false);
+      // Store the session token so ProtectedLayout lets the user through
-      
+      if (response.token) {
-      // Simulate different responses
+        tokenManager.setToken(response.token, response.expires_at ?? null);
      const mockResponse = "success" as RegistrationState | "error";
      if (mockResponse === "disabled") {
        setState("disabled");
      } else if (mockResponse === "error") {
        setError("An error occurred. Please try again.");
      } else {
        setState("success");
      }
-    }, 1000);
+
      // Navigate to org-setup so the user can name their org or accept an invite
      navigate("/org-setup", {
        state: {
          pendingInvites: response.pending_invites ?? [],
          isFirstUser: response.is_first_user ?? false,
        },
      });
    } catch (err) {
      if (err instanceof ApiError) {
        if (err.code === 409) {
          setError("An account with this email already exists.");
        } else if (err.code === 403 || (err.message && err.message.toLowerCase().includes("disabled"))) {
          setState("disabled");
        } else {
          setError(err.message || "An error occurred. Please try again.");
        }
      } else {
        setError("An error occurred. Please try again.");
      }
    } finally {
      setIsLoading(false);
    }
  };
  // Registration disabled state
@@ -85,44 +100,6 @@ export default function RegisterPage() {
    );
  }
  // Success state - email sent
  if (state === "success") {
    return (
      <div className="auth-card text-center">
        <div className="w-16 h-16 rounded-full bg-success/10 flex items-center justify-center mx-auto mb-6">
          <Mail className="w-8 h-8 text-success" />
        </div>
        <h1 className="text-2xl font-semibold text-foreground tracking-tight">
          Check your email
        </h1>
        <p className="text-muted-foreground mt-2 mb-6">
          We've sent a verification link to <span className="font-medium text-foreground">{email}</span>. 
          Click the link to verify your account and get started.
        </p>
        <div className="space-y-3">
          <Link to="/login">
            <Button className="w-full">
              Continue to sign in
              <ArrowRight className="w-4 h-4 ml-2" />
            </Button>
          </Link>
        </div>
        <p className="text-sm text-muted-foreground mt-6">
          Didn't receive the email?{" "}
          <button 
            onClick={() => setState("form")}
            className="text-accent hover:underline font-medium"
          >
            Try again
          </button>
        </p>
      </div>
    );
  }
  // Registration form
  return (
    <div className="auth-card">
@@ -1,27 +1,43 @@
 import { useState } from "react";
-import { useNavigate } from "react-router-dom";
+import { useNavigate, useSearchParams } from "react-router-dom";
-import { Lock, ArrowRight, CheckCircle } from "lucide-react";
+import { Lock, ArrowRight, CheckCircle, AlertCircle, Loader2 } from "lucide-react";
 import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Label } from "@/components/ui/label";
 import { api } from "@/lib/api";
 export default function ResetPasswordPage() {
  const navigate = useNavigate();
  const [searchParams] = useSearchParams();
  const token = searchParams.get("token") || "";
  const [password, setPassword] = useState("");
  const [confirmPassword, setConfirmPassword] = useState("");
  const [isLoading, setIsLoading] = useState(false);
  const [isSuccess, setIsSuccess] = useState(false);
  const [error, setError] = useState("");
  const handleSubmit = async (e: React.FormEvent) => {
    e.preventDefault();
    setError("");
    if (password !== confirmPassword) {
      setError("Passwords do not match.");
      return;
    }
    if (!token) {
      setError("Invalid reset link. Please request a new one.");
      return;
    }
    setIsLoading(true);
-    setTimeout(() => {
+    try {
-      setIsLoading(false);
+      await api.auth.resetPassword(token, password);
      setIsSuccess(true);
-    }, 1000);
+    } catch (err: unknown) {
      const msg = err instanceof Error ? err.message : "Failed to reset password. The link may be expired.";
      setError(msg);
    } finally {
      setIsLoading(false);
    }
  };
  if (isSuccess) {
@@ -96,7 +112,7 @@ export default function ResetPasswordPage() {
        <Button type="submit" className="w-full" disabled={isLoading}>
          {isLoading ? (
-            "Resetting..."
+            <><Loader2 className="w-4 h-4 mr-2 animate-spin" />Resetting...</>
          ) : (
            <>
              Reset password
@@ -104,6 +120,13 @@ export default function ResetPasswordPage() {
            </>
          )}
        </Button>
        {error && (
          <p className="text-sm text-destructive flex items-center gap-2">
            <AlertCircle className="w-4 h-4 flex-shrink-0" />
            {error}
          </p>
        )}
      </form>
    </div>
  );
@@ -5,6 +5,7 @@ import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Label } from "@/components/ui/label";
 import { BannerAlert } from "@/components/auth/BannerAlert";
 import { api, ApiError } from "@/lib/api";
 type VerificationState = "verifying" | "success" | "error" | "resend";
@@ -22,21 +23,20 @@ export default function VerifyEmailPage() {
    if (token && state === "verifying") {
      verifyToken(token);
    }
-  }, [token, state]);
+  }, [token]);
  const verifyToken = async (verificationToken: string) => {
-    // Mock verification - POST /api/auth/verify-email?token=...
+    try {
-    setTimeout(() => {
+      await api.auth.verifyEmail(verificationToken);
-      // Simulate different responses
+      setState("success");
-      const mockSuccess = Math.random() > 0.3; // 70% success rate for demo
+    } catch (err) {
-      
+      setState("error");
-      if (mockSuccess) {
+      if (err instanceof ApiError) {
-        setState("success");
+        setErrorMessage(err.message || "This verification link has expired or is invalid.");
      } else {
        setState("error");
        setErrorMessage("This verification link has expired or is invalid.");
      }
-    }, 1500);
+    }
  };
  const handleResendVerification = async (e: React.FormEvent) => {
@@ -44,11 +44,14 @@ export default function VerifyEmailPage() {
    setIsResending(true);
    setResendSuccess(false);
-    // Mock resend - POST /api/auth/request-email-verification
+    try {
-    setTimeout(() => {
+      await api.auth.resendVerification(resendEmail);
    } catch {
      // Always show success to avoid leaking account existence
    } finally {
      setIsResending(false);
      setResendSuccess(true);
-    }, 1000);
+    }
  };
  // Loading / Verifying state
@@ -0,0 +1,785 @@
 import { useState, useEffect } from "react";
 import {
  Shield,
  ShieldAlert,
  Copy,
  CheckCircle,
  Loader2,
  Terminal,
  Plus,
  User,
  Server,
  Settings,
  AlertCircle,
  ServerCog,
  RefreshCw,
  ShieldOff,
 } from "lucide-react";
 import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Label } from "@/components/ui/label";
 import { Textarea } from "@/components/ui/textarea";
 import { Badge } from "@/components/ui/badge";
 import {
  Card,
  CardContent,
  CardDescription,
  CardHeader,
  CardTitle,
 } from "@/components/ui/card";
 import {
  Dialog,
  DialogContent,
  DialogDescription,
  DialogFooter,
  DialogHeader,
  DialogTitle,
 } from "@/components/ui/dialog";
 import {
  AlertDialog,
  AlertDialogAction,
  AlertDialogCancel,
  AlertDialogContent,
  AlertDialogDescription,
  AlertDialogFooter,
  AlertDialogHeader,
  AlertDialogTitle,
 } from "@/components/ui/alert-dialog";
 import {
  Select,
  SelectContent,
  SelectItem,
  SelectTrigger,
  SelectValue,
 } from "@/components/ui/select";
 import { useToast } from "@/hooks/use-toast";
 import { useParams } from "react-router-dom";
 import { useCurrentOrganizationId } from "@/hooks/useCurrentOrganization";
 import { api, OrgCA, ApiError } from "@/lib/api";
 function CopyButton({ text }: { text: string }) {
  const [copied, setCopied] = useState(false);
  const { toast } = useToast();
  const handleCopy = async () => {
    try {
      await navigator.clipboard.writeText(text);
      setCopied(true);
      toast({ title: "Copied to clipboard" });
      setTimeout(() => setCopied(false), 2000);
    } catch {
      toast({ variant: "destructive", title: "Copy failed" });
    }
  };
  return (
    <Button variant="ghost" size="icon" className="h-8 w-8 flex-shrink-0" onClick={handleCopy}>
      {copied ? <CheckCircle className="w-4 h-4 text-green-500" /> : <Copy className="w-4 h-4" />}
    </Button>
  );
 }
 function formatDate(d: string | null) {
  if (!d) return "—";
  return new Date(d).toLocaleDateString(undefined, { year: "numeric", month: "short", day: "numeric" });
 }
 // ─── CA Detail Card ───────────────────────────────────────────────────────────
 interface CADetailCardProps {
  ca: OrgCA;
  onEdit: (ca: OrgCA) => void;
  onRotate: (ca: OrgCA) => void;
  onDelete: (ca: OrgCA) => void;
 }
 function CADetailCard({ ca, onEdit, onRotate, onDelete }: CADetailCardProps) {
  const isUser = ca.ca_type === "user";
  const isSystem = !!ca.is_system;
  const sshConfig = isUser
    ? `# /etc/ssh/sshd_config:\nTrustedUserCAKeys /etc/ssh/trusted_user_ca_keys\n\n# Add public key:\necho '${ca.public_key.trim()}' \\\n  >> /etc/ssh/trusted_user_ca_keys`
    : `# /etc/ssh/sshd_config:\nHostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub\n\n# Add to known_hosts (clients):\n@cert-authority * ${ca.public_key.trim()}`;
  return (
    <div className="space-y-4">
      <Card>
        <CardHeader>
          <div className="flex items-start justify-between">
            <div>
              <CardTitle className="text-base flex items-center gap-2">
                {isSystem ? <ServerCog className="w-4 h-4" /> : isUser ? <User className="w-4 h-4" /> : <Server className="w-4 h-4" />}
                {ca.name}
                {isSystem ? (
                  <Badge variant="secondary" className="text-xs flex items-center gap-1">
                    <ServerCog className="w-3 h-3" />
                    System
                  </Badge>
                ) : ca.is_active ? (
                  <Badge className="bg-green-500/10 text-green-600 border-0 text-xs">Active</Badge>
                ) : (
                  <Badge variant="secondary" className="text-xs">Inactive</Badge>
                )}
              </CardTitle>
              {ca.description && (
                <CardDescription className="mt-1">{ca.description}</CardDescription>
              )}
            </div>
            <Badge variant="outline" className="text-xs font-mono">{ca.key_type}</Badge>
          </div>
        </CardHeader>
        <CardContent className="space-y-4">
          {/* Stats — hidden for system CAs (we have no cert records for them) */}
          {!isSystem && (
            <div className="grid grid-cols-4 gap-3 text-center">
              <div className="p-2 bg-muted rounded-lg">
                <p className="text-lg font-semibold">{ca.active_certs}</p>
                <p className="text-xs text-muted-foreground">Active certs</p>
              </div>
              <div className="p-2 bg-muted rounded-lg">
                <p className="text-lg font-semibold">{ca.total_certs}</p>
                <p className="text-xs text-muted-foreground">Total issued</p>
              </div>
              <div className="p-2 bg-muted rounded-lg">
                <p className="text-lg font-semibold">{ca.default_cert_validity_hours}h</p>
                <p className="text-xs text-muted-foreground">Default validity</p>
              </div>
              <div className="p-2 bg-muted rounded-lg">
                <p className="text-lg font-semibold">{ca.next_serial_number ?? '—'}</p>
                <p className="text-xs text-muted-foreground">Next serial</p>
              </div>
            </div>
          )}
          {/* Fingerprint */}
          <div>
            <p className="text-xs text-muted-foreground mb-1">Fingerprint</p>
            <code className="text-xs font-mono bg-muted px-2 py-1 rounded break-all">{ca.fingerprint}</code>
          </div>
          {/* Public key */}
          <div>
            <div className="flex items-center justify-between mb-1">
              <p className="text-xs text-muted-foreground">Public key</p>
              <CopyButton text={ca.public_key} />
            </div>
            <Textarea readOnly value={ca.public_key} className="font-mono text-xs min-h-[60px]" />
          </div>
          {/* Setup instructions */}
          <div className="rounded-lg bg-muted p-3">
            <p className="text-xs font-semibold flex items-center gap-1 mb-1">
              <Terminal className="w-3 h-3" />
              {isUser ? "Add to SSH servers (sshd_config)" : "Host certificate setup"}
            </p>
            <pre className="text-xs font-mono whitespace-pre-wrap break-all">{sshConfig}</pre>
          </div>
          {ca.created_at && (
            <p className="text-xs text-muted-foreground">Created {formatDate(ca.created_at)}</p>
          )}
          {ca.rotated_at && (
            <p className="text-xs text-muted-foreground">
              Key rotated {formatDate(ca.rotated_at)}
              {ca.rotation_reason && <> — {ca.rotation_reason}</>}
            </p>
          )}
          {!isSystem && (
            <div className="pt-2 border-t space-y-2">
              <Button variant="outline" size="sm" onClick={() => onEdit(ca)} className="w-full">
                <Settings className="w-3 h-3 mr-2" />
                Edit Configuration
              </Button>
              <div className="grid grid-cols-2 gap-2">
                <Button variant="outline" size="sm" onClick={() => onRotate(ca)} className="w-full">
                  <RefreshCw className="w-3 h-3 mr-2" />
                  Rotate Key
                </Button>
                <Button
                  variant="outline"
                  size="sm"
                  onClick={() => onDelete(ca)}
                  className="w-full text-destructive hover:text-destructive border-destructive/30 hover:border-destructive/60"
                >
                  <ShieldOff className="w-3 h-3 mr-2" />
                  Delete CA
                </Button>
              </div>
            </div>
          )}
        </CardContent>
      </Card>
    </div>
  );
 }
 // ─── CA Section (one per type) ────────────────────────────────────────────────
 interface CASectionProps {
  caType: "user" | "host";
  ca: OrgCA | null;
  onCreateClick: (caType: "user" | "host") => void;
  onEdit: (ca: OrgCA) => void;
  onRotate: (ca: OrgCA) => void;
  onDelete: (ca: OrgCA) => void;
 }
 function CASection({ caType, ca, onCreateClick, onEdit, onRotate, onDelete }: CASectionProps) {
  const isUser = caType === "user";
  const title = isUser ? "User Signing Key" : "Host Signing Key";
  const subtitle = isUser
    ? "Signs SSH user certificates so users can authenticate to servers."
    : "Signs SSH host certificates so clients can verify server identity.";
  const Icon = isUser ? User : Server;
  const isSystem = !!ca?.is_system;
  return (
    <div className="space-y-3">
      <div className="flex items-center gap-2">
        <Icon className="w-4 h-4 text-muted-foreground" />
        <h2 className="text-sm font-semibold">{title}</h2>
        {ca ? (
          isSystem ? (
            <Badge variant="secondary" className="text-xs flex items-center gap-1">
              <ServerCog className="w-3 h-3" />
              System (read-only)
            </Badge>
          ) : (
            <Badge className="bg-green-500/10 text-green-600 border-0 text-xs">Configured</Badge>
          )
        ) : (
          <Badge variant="secondary" className="text-xs flex items-center gap-1">
            <AlertCircle className="w-3 h-3" />
            Not configured
          </Badge>
        )}
      </div>
      {ca ? (
        <>
          <CADetailCard ca={ca} onEdit={onEdit} onRotate={onRotate} onDelete={onDelete} />
          {/* When only a system CA is present, offer to generate a managed replacement */}
          {isSystem && (
            <div className="flex items-start gap-3 rounded-lg border border-amber-200 bg-amber-50 dark:border-amber-900 dark:bg-amber-950/30 p-3 text-xs text-amber-800 dark:text-amber-300">
              <AlertCircle className="w-4 h-4 mt-0.5 flex-shrink-0" />
              <div className="flex-1">
                <p className="font-semibold mb-1">Using server-configured CA</p>
                <p>
                  Certificates are being signed by a CA key loaded from the server configuration,
                  not managed through this UI. Generate a managed key below to take full control
                  of certificate issuance from Gatehouse.
                </p>
              </div>
              <Button onClick={() => onCreateClick(caType)} size="sm" variant="outline" className="flex-shrink-0">
                <Plus className="w-3 h-3 mr-1" />
                Generate managed key
              </Button>
            </div>
          )}
        </>
      ) : (
        <Card className="border-dashed">
          <CardContent className="flex flex-col items-center py-10 text-muted-foreground">
            <ShieldAlert className="w-10 h-10 mb-3 opacity-30" />
            <p className="text-sm font-medium mb-1">No {title} configured</p>
            <p className="text-xs text-center mb-4 max-w-sm">{subtitle}</p>
            <Button onClick={() => onCreateClick(caType)} size="sm" variant="outline">
              <Plus className="w-4 h-4 mr-2" />
              Generate {title}
            </Button>
          </CardContent>
        </Card>
      )}
    </div>
  );
 }
 // ─── Main Page ────────────────────────────────────────────────────────────────
 export default function CAsPage() {
  const params = useParams<{ orgId?: string }>();
  const { orgId: fallbackOrgId } = useCurrentOrganizationId();
  const orgId = params.orgId || fallbackOrgId;
  const { toast } = useToast();
  const [cas, setCAs] = useState<OrgCA[]>([]);
  const [isLoading, setIsLoading] = useState(true);
  // Create CA dialog
  const [isCreateOpen, setIsCreateOpen] = useState(false);
  const [createCaType, setCreateCaType] = useState<"user" | "host">("user");
  const [createForm, setCreateForm] = useState({
    name: "",
    description: "",
    key_type: "ed25519" as "ed25519" | "rsa" | "ecdsa",
    default_cert_validity_hours: 8,
    max_cert_validity_hours: 720,
  });
  const [isCreating, setIsCreating] = useState(false);
  const [createError, setCreateError] = useState<string | null>(null);
  // Edit CA dialog
  const [editingCA, setEditingCA] = useState<OrgCA | null>(null);
  const [isEditDialogOpen, setIsEditDialogOpen] = useState(false);
  const [editFormData, setEditFormData] = useState({
    default_cert_validity_hours: 1,
    max_cert_validity_hours: 24,
  });
  const [isEditSaving, setIsEditSaving] = useState(false);
  const [editError, setEditError] = useState<string | null>(null);
  // Rotate CA dialog
  const [rotatingCA, setRotatingCA] = useState<OrgCA | null>(null);
  const [isRotateDialogOpen, setIsRotateDialogOpen] = useState(false);
  const [rotateKeyType, setRotateKeyType] = useState<"ed25519" | "rsa" | "ecdsa">("ed25519");
  const [rotateReason, setRotateReason] = useState("");
  const [isRotating, setIsRotating] = useState(false);
  const [rotateError, setRotateError] = useState<string | null>(null);
  // Delete CA dialog
  const [deletingCA, setDeletingCA] = useState<OrgCA | null>(null);
  const [isDeleteDialogOpen, setIsDeleteDialogOpen] = useState(false);
  const [isDeleting, setIsDeleting] = useState(false);
  useEffect(() => {
    if (!orgId) { setIsLoading(false); return; }
    (async () => {
      setIsLoading(true);
      try {
        const data = await api.organizations.getCAs(orgId);
        setCAs(data.cas);
      } catch (err) {
        if (err instanceof ApiError && err.code === 403) {
          toast({ variant: "destructive", title: "Access denied", description: "Admin or owner role required." });
        } else {
          toast({ variant: "destructive", title: "Failed to load CAs" });
        }
      } finally {
        setIsLoading(false);
      }
    })();
  }, [orgId, toast]);
  const userCA = cas.find((c) => c.ca_type === "user") ?? null;
  const hostCA = cas.find((c) => c.ca_type === "host") ?? null;
  const handleOpenCreate = (caType: "user" | "host") => {
    setCreateCaType(caType);
    setCreateForm({
      name: caType === "user" ? "User CA" : "Host CA",
      description: "",
      key_type: "ed25519",
      default_cert_validity_hours: caType === "user" ? 8 : 720,
      max_cert_validity_hours: caType === "user" ? 720 : 8760,
    });
    setCreateError(null);
    setIsCreateOpen(true);
  };
  const handleCreateCA = async () => {
    if (!orgId) return;
    if (!createForm.name.trim()) { setCreateError("Name is required"); return; }
    if (createForm.default_cert_validity_hours <= 0 || createForm.max_cert_validity_hours <= 0) {
      setCreateError("Validity hours must be greater than 0"); return;
    }
    if (createForm.default_cert_validity_hours > createForm.max_cert_validity_hours) {
      setCreateError("Default validity must be ≤ maximum validity"); return;
    }
    setIsCreating(true);
    setCreateError(null);
    try {
      const result = await api.organizations.createCA(orgId, {
        name: createForm.name.trim(),
        description: createForm.description.trim() || undefined,
        ca_type: createCaType,
        key_type: createForm.key_type,
        default_cert_validity_hours: createForm.default_cert_validity_hours,
        max_cert_validity_hours: createForm.max_cert_validity_hours,
      });
      setCAs((prev) => [...prev, result.ca]);
      setIsCreateOpen(false);
      toast({
        title: `${createCaType === "user" ? "User" : "Host"} CA created`,
        description: result.ca.name,
      });
    } catch (err) {
      if (err instanceof ApiError) {
        setCreateError(err.message);
      } else {
        setCreateError("Failed to create CA — please try again");
      }
    } finally {
      setIsCreating(false);
    }
  };
  const handleEditCA = (ca: OrgCA) => {
    setEditingCA(ca);
    setEditFormData({
      default_cert_validity_hours: ca.default_cert_validity_hours,
      max_cert_validity_hours: ca.max_cert_validity_hours,
    });
    setEditError(null);
    setIsEditDialogOpen(true);
  };
  const handleSaveCA = async () => {
    if (!orgId || !editingCA) return;
    if (editFormData.default_cert_validity_hours <= 0 || editFormData.max_cert_validity_hours <= 0) {
      setEditError("Validity hours must be greater than 0"); return;
    }
    if (editFormData.default_cert_validity_hours > editFormData.max_cert_validity_hours) {
      setEditError("Default validity must be less than or equal to maximum validity"); return;
    }
    setIsEditSaving(true);
    try {
      const updated = await api.organizations.updateCA(orgId, editingCA.id, editFormData);
      setCAs(cas.map((ca) => (ca.id === editingCA.id ? updated.ca : ca)));
      setIsEditDialogOpen(false);
      setEditingCA(null);
      toast({ title: "CA configuration updated" });
    } catch (err) {
      setEditError(err instanceof ApiError ? err.message : "Failed to update CA");
    } finally {
      setIsEditSaving(false);
    }
  };
  // ── Rotate handlers ──
  const handleRotateCA = (ca: OrgCA) => {
    setRotatingCA(ca);
    setRotateKeyType((ca.key_type as "ed25519" | "rsa" | "ecdsa") || "ed25519");
    setRotateReason("");
    setRotateError(null);
    setIsRotateDialogOpen(true);
  };
  const handleConfirmRotate = async () => {
    if (!orgId || !rotatingCA) return;
    setIsRotating(true);
    setRotateError(null);
    try {
      const result = await api.organizations.rotateCA(orgId, rotatingCA.id, {
        key_type: rotateKeyType,
        reason: rotateReason.trim() || undefined,
      });
      setCAs(cas.map((ca) => (ca.id === rotatingCA.id ? result.ca : ca)));
      setIsRotateDialogOpen(false);
      setRotatingCA(null);
      toast({
        title: "CA key rotated successfully",
        description: `Old fingerprint: ${result.old_fingerprint}. Update TrustedUserCAKeys / known_hosts on your servers.`,
      });
    } catch (err) {
      setRotateError(err instanceof ApiError ? err.message : "Failed to rotate CA key");
    } finally {
      setIsRotating(false);
    }
  };
  // ── Delete handlers ──
  const handleDeleteCA = (ca: OrgCA) => {
    setDeletingCA(ca);
    setIsDeleteDialogOpen(true);
  };
  const handleConfirmDelete = async () => {
    if (!orgId || !deletingCA) return;
    setIsDeleting(true);
    try {
      await api.organizations.deleteCA(orgId, deletingCA.id);
      setCAs(cas.filter((ca) => ca.id !== deletingCA.id));
      setIsDeleteDialogOpen(false);
      setDeletingCA(null);
      toast({ title: "CA deleted", description: "Existing certificates remain valid until they expire." });
    } catch (err) {
      toast({ variant: "destructive", title: "Failed to delete CA", description: err instanceof ApiError ? err.message : "" });
    } finally {
      setIsDeleting(false);
    }
  };  return (
    <div className="page-container">
      <div className="page-header">
        <div>
          <h1 className="page-title">Certificate Authorities</h1>
          <p className="page-description">
            Manage your organization's SSH certificate authorities and access controls
          </p>
        </div>
      </div>
      {isLoading ? (
        <div className="flex items-center justify-center py-20">
          <Loader2 className="w-6 h-6 animate-spin text-muted-foreground" />
        </div>
      ) : (
        <div className="space-y-8">
          <CASection caType="user" ca={userCA} onCreateClick={handleOpenCreate} onEdit={handleEditCA} onRotate={handleRotateCA} onDelete={handleDeleteCA} />
          <div className="border-t" />
          <CASection caType="host" ca={hostCA} onCreateClick={handleOpenCreate} onEdit={handleEditCA} onRotate={handleRotateCA} onDelete={handleDeleteCA} />
        </div>
      )}
      {/* ── Edit CA Dialog ── */}
      <Dialog open={isEditDialogOpen} onOpenChange={(open) => { setIsEditDialogOpen(open); if (!open) setEditError(null); }}>
        <DialogContent className="sm:max-w-md">
          <DialogHeader>
            <DialogTitle>Edit CA Configuration</DialogTitle>
            <DialogDescription>
              Update certificate validity settings for <strong>{editingCA?.name}</strong>
            </DialogDescription>
          </DialogHeader>
          <div className="space-y-4 py-4">
            {editError && (
              <div className="p-3 rounded-lg bg-destructive/10 text-destructive text-sm flex items-start gap-2">
                <AlertCircle className="w-4 h-4 mt-0.5 flex-shrink-0" />
                {editError}
              </div>
            )}
            <div className="space-y-2">
              <Label htmlFor="default-validity">Default Certificate Validity (hours)</Label>
              <Input
                id="default-validity"
                type="number"
                min="1"
                value={editFormData.default_cert_validity_hours}
                onChange={(e) => setEditFormData({ ...editFormData, default_cert_validity_hours: parseInt(e.target.value) || 1 })}
                disabled={isEditSaving}
              />
              <p className="text-xs text-muted-foreground">Default validity period when issuing new certificates</p>
            </div>
            <div className="space-y-2">
              <Label htmlFor="max-validity">Maximum Certificate Validity (hours)</Label>
              <Input
                id="max-validity"
                type="number"
                min="1"
                value={editFormData.max_cert_validity_hours}
                onChange={(e) => setEditFormData({ ...editFormData, max_cert_validity_hours: parseInt(e.target.value) || 1 })}
                disabled={isEditSaving}
              />
              <p className="text-xs text-muted-foreground">Maximum allowed validity period for any certificate from this CA</p>
            </div>
          </div>
          <DialogFooter>
            <Button variant="outline" onClick={() => setIsEditDialogOpen(false)} disabled={isEditSaving}>Cancel</Button>
            <Button onClick={handleSaveCA} disabled={isEditSaving}>
              {isEditSaving && <Loader2 className="w-4 h-4 mr-2 animate-spin" />}
              Save Changes
            </Button>
          </DialogFooter>
        </DialogContent>
      </Dialog>
      {/* ── Create CA Dialog ── */}
      <Dialog open={isCreateOpen} onOpenChange={(open) => { setIsCreateOpen(open); if (!open) setCreateError(null); }}>
        <DialogContent className="sm:max-w-md">
          <DialogHeader>
            <DialogTitle className="flex items-center gap-2">
              {createCaType === "user" ? <User className="w-5 h-5" /> : <Server className="w-5 h-5" />}
              Generate {createCaType === "user" ? "User" : "Host"} Signing Key
            </DialogTitle>
            <DialogDescription>
              {createCaType === "user"
                ? "Creates a key pair for signing SSH user certificates. The private key is stored securely and never exposed."
                : "Creates a key pair for signing SSH host certificates, allowing clients to verify server identity."}
            </DialogDescription>
          </DialogHeader>
          <div className="space-y-4 py-4">
            {createError && (
              <div className="p-3 rounded-lg bg-destructive/10 text-destructive text-sm flex items-start gap-2">
                <AlertCircle className="w-4 h-4 mt-0.5 flex-shrink-0" />
                <span>{createError}</span>
              </div>
            )}
            <div className="space-y-2">
              <Label htmlFor="ca-name">Name <span className="text-destructive">*</span></Label>
              <Input
                id="ca-name"
                placeholder={createCaType === "user" ? "User CA" : "Host CA"}
                value={createForm.name}
                onChange={(e) => setCreateForm({ ...createForm, name: e.target.value })}
                disabled={isCreating}
              />
            </div>
            <div className="space-y-2">
              <Label htmlFor="ca-description">Description</Label>
              <Input
                id="ca-description"
                placeholder="Optional description"
                value={createForm.description}
                onChange={(e) => setCreateForm({ ...createForm, description: e.target.value })}
                disabled={isCreating}
              />
            </div>
            <div className="space-y-2">
              <Label htmlFor="ca-key-type">Key Algorithm</Label>
              <Select
                value={createForm.key_type}
                onValueChange={(v) => setCreateForm({ ...createForm, key_type: v as "ed25519" | "rsa" | "ecdsa" })}
                disabled={isCreating}
              >
                <SelectTrigger id="ca-key-type"><SelectValue /></SelectTrigger>
                <SelectContent>
                  <SelectItem value="ed25519">Ed25519 (recommended)</SelectItem>
                  <SelectItem value="ecdsa">ECDSA (P-521)</SelectItem>
                  <SelectItem value="rsa">RSA-4096</SelectItem>
                </SelectContent>
              </Select>
            </div>
            <div className="grid grid-cols-2 gap-3">
              <div className="space-y-2">
                <Label htmlFor="ca-default-validity">Default validity (hours)</Label>
                <Input
                  id="ca-default-validity"
                  type="number"
                  min="1"
                  value={createForm.default_cert_validity_hours}
                  onChange={(e) => setCreateForm({ ...createForm, default_cert_validity_hours: parseInt(e.target.value) || 1 })}
                  disabled={isCreating}
                />
              </div>
              <div className="space-y-2">
                <Label htmlFor="ca-max-validity">Max validity (hours)</Label>
                <Input
                  id="ca-max-validity"
                  type="number"
                  min="1"
                  value={createForm.max_cert_validity_hours}
                  onChange={(e) => setCreateForm({ ...createForm, max_cert_validity_hours: parseInt(e.target.value) || 1 })}
                  disabled={isCreating}
                />
              </div>
            </div>
          </div>
          <DialogFooter>
            <Button variant="outline" onClick={() => setIsCreateOpen(false)} disabled={isCreating}>Cancel</Button>
            <Button onClick={handleCreateCA} disabled={isCreating}>
              {isCreating ? (
                <><Loader2 className="w-4 h-4 mr-2 animate-spin" />Generating key…</>
              ) : (
                <><Shield className="w-4 h-4 mr-2" />Generate Key</>
              )}
            </Button>
          </DialogFooter>
        </DialogContent>
      </Dialog>
      {/* ── Rotate CA Dialog ── */}
      <Dialog open={isRotateDialogOpen} onOpenChange={(open) => { setIsRotateDialogOpen(open); if (!open) setRotateError(null); }}>
        <DialogContent className="sm:max-w-md">
          <DialogHeader>
            <DialogTitle className="flex items-center gap-2">
              <RefreshCw className="w-5 h-5" />
              Rotate CA Key
            </DialogTitle>
            <DialogDescription>
              Generate a new key pair for <strong>{rotatingCA?.name}</strong>.
              Previously-issued certificates remain valid until they expire, but all new
              certificates will be signed with the new key. You must update
              {rotatingCA?.ca_type === "user"
                ? " TrustedUserCAKeys on your SSH servers"
                : " @cert-authority in client known_hosts files"} after rotation.
            </DialogDescription>
          </DialogHeader>
          <div className="space-y-4 py-4">
            {rotateError && (
              <div className="p-3 rounded-lg bg-destructive/10 text-destructive text-sm flex items-start gap-2">
                <AlertCircle className="w-4 h-4 mt-0.5 flex-shrink-0" />
                <span>{rotateError}</span>
              </div>
            )}
            {rotatingCA && (
              <div className="rounded-lg bg-amber-50 dark:bg-amber-950/30 border border-amber-200 dark:border-amber-900 p-3 text-xs text-amber-800 dark:text-amber-300">
                <p className="font-semibold mb-1">⚠ Important</p>
                <p>
                  Current fingerprint: <code className="font-mono">{rotatingCA.fingerprint}</code>
                </p>
                <p className="mt-1">
                  After rotation, you <strong>must</strong> replace this fingerprint on every server /
                  client that trusts this CA. Until updated, new certificates won't be accepted.
                </p>
              </div>
            )}
            <div className="space-y-2">
              <Label htmlFor="rotate-key-type">New Key Algorithm</Label>
              <Select
                value={rotateKeyType}
                onValueChange={(v) => setRotateKeyType(v as "ed25519" | "rsa" | "ecdsa")}
                disabled={isRotating}
              >
                <SelectTrigger id="rotate-key-type"><SelectValue /></SelectTrigger>
                <SelectContent>
                  <SelectItem value="ed25519">Ed25519 (recommended)</SelectItem>
                  <SelectItem value="ecdsa">ECDSA (P-521)</SelectItem>
                  <SelectItem value="rsa">RSA-4096</SelectItem>
                </SelectContent>
              </Select>
            </div>
            <div className="space-y-2">
              <Label htmlFor="rotate-reason">Reason (optional)</Label>
              <Input
                id="rotate-reason"
                placeholder="e.g. Suspected key compromise, Scheduled rotation"
                value={rotateReason}
                onChange={(e) => setRotateReason(e.target.value)}
                disabled={isRotating}
              />
            </div>
          </div>
          <DialogFooter>
            <Button variant="outline" onClick={() => setIsRotateDialogOpen(false)} disabled={isRotating}>
              Cancel
            </Button>
            <Button onClick={handleConfirmRotate} disabled={isRotating} variant="destructive">
              {isRotating ? (
                <><Loader2 className="w-4 h-4 mr-2 animate-spin" />Rotating…</>
              ) : (
                <><RefreshCw className="w-4 h-4 mr-2" />Rotate Key</>
              )}
            </Button>
          </DialogFooter>
        </DialogContent>
      </Dialog>
      {/* ── Delete CA Confirmation ── */}
      <AlertDialog open={isDeleteDialogOpen} onOpenChange={setIsDeleteDialogOpen}>
        <AlertDialogContent>
          <AlertDialogHeader>
            <AlertDialogTitle>Delete Certificate Authority?</AlertDialogTitle>
            <AlertDialogDescription>
              This will permanently deactivate <strong>{deletingCA?.name}</strong>.
              No new certificates can be signed with this CA after deletion.
              Existing certificates remain valid until they expire.
              {deletingCA?.active_certs ? (
                <span className="block mt-2 font-semibold text-amber-600 dark:text-amber-400">
                  ⚠ This CA has {deletingCA.active_certs} active certificate{deletingCA.active_certs !== 1 ? "s" : ""}.
                </span>
              ) : null}
            </AlertDialogDescription>
          </AlertDialogHeader>
          <AlertDialogFooter>
            <AlertDialogCancel disabled={isDeleting}>Cancel</AlertDialogCancel>
            <AlertDialogAction
              onClick={handleConfirmDelete}
              disabled={isDeleting}
              className="bg-destructive text-destructive-foreground hover:bg-destructive/90"
            >
              {isDeleting && <Loader2 className="w-4 h-4 mr-2 animate-spin" />}
              Delete CA
            </AlertDialogAction>
          </AlertDialogFooter>
        </AlertDialogContent>
      </AlertDialog>
    </div>
  );
 }
@@ -1,14 +1,15 @@
 import { useState, useEffect } from "react";
 import { useNavigate } from "react-router-dom";
-import { Shield, Search, Filter, Loader2, User, Clock, AlertTriangle, CheckCircle, Mail, ExternalLink } from "lucide-react";
+import { Shield, Search, Loader2, User, Clock, AlertTriangle, CheckCircle, Mail, ExternalLink } from "lucide-react";
 import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "@/components/ui/card";
 import { Input } from "@/components/ui/input";
 import { Button } from "@/components/ui/button";
 import { Badge } from "@/components/ui/badge";
 import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from "@/components/ui/select";
 import { api, OrgComplianceMember, create403Handler } from "@/lib/api";
-import { useQuery } from "@tanstack/react-query";
+import { useQuery, useMutation } from "@tanstack/react-query";
 import { useToast } from "@/hooks/use-toast";
 import { useOrg } from "@/contexts/OrgContext";
 const STATUS_CONFIG: Record<string, { label: string; color: string; icon: typeof Clock }> = {
  compliant: {
@@ -46,24 +47,10 @@ const STATUS_CONFIG: Record<string, { label: string; color: string; icon: typeof
 export default function CompliancePage() {
  const navigate = useNavigate();
  const { toast } = useToast();
-  const [currentOrgId, setCurrentOrgId] = useState<string | null>(null);
+  const { selectedOrgId: currentOrgId } = useOrg();
  const [searchQuery, setSearchQuery] = useState("");
  const [statusFilter, setStatusFilter] = useState<string>("all");
  // Fetch organizations to get current org
  const { data: orgsData, isLoading: orgsLoading } = useQuery({
    queryKey: ['organizations'],
    queryFn: () => api.users.organizations({
      on403: create403Handler(toast),
    }),
  });
  useEffect(() => {
    if (orgsData?.organizations && orgsData.organizations.length > 0) {
      setCurrentOrgId(orgsData.organizations[0].id);
    }
  }, [orgsData]);
  // Fetch compliance data
  const { data: complianceData, isLoading: complianceLoading } = useQuery({
    queryKey: ['org-compliance', currentOrgId],
@@ -73,6 +60,18 @@ export default function CompliancePage() {
    enabled: !!currentOrgId,
  });
  // Send MFA reminder mutation
  const { mutate: sendReminder, variables: reminderVars, isPending: isSendingReminder } = useMutation({
    mutationFn: ({ userId }: { userId: string }) =>
      api.organizations.sendMfaReminder(currentOrgId!, userId),
    onSuccess: () => {
      toast({ title: "Reminder sent", description: "MFA reminder email sent successfully." });
    },
    onError: () => {
      toast({ title: "Failed to send", description: "Could not send the reminder. Please try again.", variant: "destructive" });
    },
  });
  // Filter members based on search and status
  const filteredMembers = complianceData?.members?.filter((member) => {
    const matchesSearch = 
@@ -93,7 +92,7 @@ export default function CompliancePage() {
    suspended: complianceData?.members?.filter(m => m.status === 'suspended').length || 0,
  };
-  if (orgsLoading || complianceLoading) {
+  if (complianceLoading) {
    return (
      <div className="page-container">
        <div className="flex items-center justify-center py-12">
@@ -256,10 +255,8 @@ export default function CompliancePage() {
                          size="icon"
                          className="h-8 w-8"
                          title="Send Reminder"
-                          onClick={() => {
+                          disabled={isSendingReminder && reminderVars?.userId === member.user_id}
-                            // TODO: Implement send reminder
+                          onClick={() => sendReminder({ userId: member.user_id })}
                            console.log('Send reminder to', member.user_id);
                          }}
                        >
                          <Mail className="w-4 h-4" />
                        </Button>
@@ -0,0 +1,862 @@
 import { useState, useEffect, useCallback } from "react";
 import { Search, Plus, MoreHorizontal, Users, Loader2, Trash2, Edit2, X, ChevronDown, ChevronUp, ShieldCheck, UserPlus, UserMinus, Link as LinkIcon } from "lucide-react";
 import { useParams } from "react-router-dom";
 import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Card, CardContent } from "@/components/ui/card";
 import {
  DropdownMenu,
  DropdownMenuContent,
  DropdownMenuItem,
  DropdownMenuSeparator,
  DropdownMenuTrigger,
 } from "@/components/ui/dropdown-menu";
 import {
  Dialog,
  DialogContent,
  DialogDescription,
  DialogFooter,
  DialogHeader,
  DialogTitle,
 } from "@/components/ui/dialog";
 import { Label } from "@/components/ui/label";
 import { Textarea } from "@/components/ui/textarea";
 import { Badge } from "@/components/ui/badge";
 import {
  Select,
  SelectContent,
  SelectItem,
  SelectTrigger,
  SelectValue,
 } from "@/components/ui/select";
 import { api, Department, Principal, DeptCertPolicy, STANDARD_SSH_EXTENSIONS, DepartmentMember, OrganizationMember } from "@/lib/api";
 import { useCurrentOrganizationId } from "@/hooks/useCurrentOrganization";
 import { useToast } from "@/hooks/use-toast";
 // ---------------------------------------------------------------------------
 // Department Certificate Policy Panel
 // ---------------------------------------------------------------------------
 function DepartmentCertPolicyPanel({ orgId, deptId }: { orgId: string; deptId: string }) {
  const { toast } = useToast();
  const [policy, setPolicy] = useState<DeptCertPolicy | null>(null);
  const [isLoading, setIsLoading] = useState(false);
  const [isSaving, setIsSaving] = useState(false);
  // Local editable form state
  const [allowUserExpiry, setAllowUserExpiry] = useState(false);
  const [defaultExpiry, setDefaultExpiry] = useState(1);
  const [maxExpiry, setMaxExpiry] = useState(24);
  const [allowedExtensions, setAllowedExtensions] = useState<string[]>([...STANDARD_SSH_EXTENSIONS]);
  const [customExtensions, setCustomExtensions] = useState<string[]>([]);
  const [newCustomExt, setNewCustomExt] = useState("");
  useEffect(() => {
    setIsLoading(true);
    api.admin.getDeptCertPolicy(orgId, deptId)
      .then((data) => {
        const p = data.cert_policy;
        setPolicy(p);
        setAllowUserExpiry(p.allow_user_expiry);
        setDefaultExpiry(p.default_expiry_hours);
        setMaxExpiry(p.max_expiry_hours);
        setAllowedExtensions(p.allowed_extensions ?? [...STANDARD_SSH_EXTENSIONS]);
        setCustomExtensions(p.custom_extensions ?? []);
      })
      .catch(() => {/* non-fatal — use defaults */})
      .finally(() => setIsLoading(false));
  }, [orgId, deptId]);
  const toggleExtension = (ext: string) => {
    setAllowedExtensions((prev) =>
      prev.includes(ext) ? prev.filter((e) => e !== ext) : [...prev, ext]
    );
  };
  const addCustomExt = () => {
    const trimmed = newCustomExt.trim();
    if (!trimmed || customExtensions.includes(trimmed)) return;
    setCustomExtensions((prev) => [...prev, trimmed]);
    setNewCustomExt("");
  };
  const removeCustomExt = (ext: string) => {
    setCustomExtensions((prev) => prev.filter((e) => e !== ext));
  };
  const handleSave = async () => {
    setIsSaving(true);
    try {
      // When members can pick: max_expiry is the cap, default_expiry is also set to max
      // (the backend uses default when no expiry is provided).
      // When members can't pick: default_expiry is the fixed value, max is irrelevant.
      const payload = allowUserExpiry
        ? { allow_user_expiry: true,  default_expiry_hours: maxExpiry,    max_expiry_hours: maxExpiry }
        : { allow_user_expiry: false, default_expiry_hours: defaultExpiry, max_expiry_hours: defaultExpiry };
      const data = await api.admin.setDeptCertPolicy(orgId, deptId, {
        ...payload,
        allowed_extensions: allowedExtensions,
        custom_extensions: customExtensions,
      });
      setPolicy(data.cert_policy);
      toast({ title: "Policy saved", description: "Certificate policy updated." });
    } catch (err) {
      toast({ variant: "destructive", title: "Failed to save policy" });
    } finally {
      setIsSaving(false);
    }
  };
  if (isLoading) {
    return (
      <div className="mt-3 p-4 border rounded-lg bg-muted/30 flex items-center gap-2 text-sm text-muted-foreground">
        <Loader2 className="w-4 h-4 animate-spin" />Loading policy…
      </div>
    );
  }
  return (
    <div className="mt-3 p-4 border rounded-lg bg-muted/20 space-y-4">
      <h4 className="text-sm font-semibold flex items-center gap-2">
        <ShieldCheck className="w-4 h-4 text-primary" />
        Certificate Policy
      </h4>
      {/* Allow user to choose expiry */}
      <div className="flex items-center justify-between gap-4">
        <div>
          <p className="text-sm font-medium">Allow members to pick expiry date</p>
          <p className="text-xs text-muted-foreground">Admins can always pick.</p>
        </div>
        <button
          type="button"
          role="switch"
          aria-checked={allowUserExpiry}
          onClick={() => setAllowUserExpiry((v) => !v)}
          className={`relative inline-flex h-6 w-11 shrink-0 cursor-pointer rounded-full border-2 border-transparent transition-colors focus:outline-none focus:ring-2 focus:ring-primary focus:ring-offset-2 ${
            allowUserExpiry ? "bg-primary" : "bg-zinc-600"
          }`}
        >
          <span
            className={`pointer-events-none inline-block h-5 w-5 rounded-full bg-white shadow-lg transition-transform ${
              allowUserExpiry ? "translate-x-5" : "translate-x-0"
            }`}
          />
        </button>
      </div>
      {/* Expiry hours — conditional on toggle */}
      {allowUserExpiry ? (
        <div className="space-y-1">
          <Label className="text-xs">Max expiry members can request (hours)</Label>
          <Input
            type="number"
            min={1}
            value={maxExpiry}
            onChange={(e) => setMaxExpiry(Math.max(1, Number(e.target.value)))}
            className="h-8 text-sm w-40"
          />
          <p className="text-xs text-muted-foreground">Members can choose any duration up to this cap.</p>
        </div>
      ) : (
        <div className="space-y-1">
          <Label className="text-xs">Default expiry applied to all members (hours)</Label>
          <Input
            type="number"
            min={1}
            value={defaultExpiry}
            onChange={(e) => setDefaultExpiry(Math.max(1, Number(e.target.value)))}
            className="h-8 text-sm w-40"
          />
          <p className="text-xs text-muted-foreground">Members receive this expiry automatically — no choice shown.</p>
        </div>
      )}
      {/* Standard extensions */}
      <div className="space-y-2">
        <Label className="text-xs">Standard SSH extensions</Label>
        <div className="space-y-1.5">
          {STANDARD_SSH_EXTENSIONS.map((ext) => (
            <div key={ext} className="flex items-center gap-2">
              <input
                type="checkbox"
                id={`ext-${deptId}-${ext}`}
                checked={allowedExtensions.includes(ext)}
                onChange={() => toggleExtension(ext)}
                className="accent-primary"
              />
              <label htmlFor={`ext-${deptId}-${ext}`} className="text-sm font-mono cursor-pointer">{ext}</label>
            </div>
          ))}
        </div>
      </div>
      {/* Custom extensions */}
      <div className="space-y-2">
        <Label className="text-xs">Custom extensions</Label>
        <div className="flex gap-2">
          <Input
            placeholder="permit-custom-x"
            value={newCustomExt}
            onChange={(e) => setNewCustomExt(e.target.value)}
            onKeyDown={(e) => e.key === "Enter" && addCustomExt()}
            className="h-8 text-sm"
          />
          <Button size="sm" variant="outline" onClick={addCustomExt} disabled={!newCustomExt.trim()}>
            Add
          </Button>
        </div>
        {customExtensions.length > 0 && (
          <div className="flex flex-wrap gap-1 mt-1">
            {customExtensions.map((ext) => (
              <Badge key={ext} variant="secondary" className="text-xs gap-1 pr-1">
                <span className="font-mono">{ext}</span>
                <button onClick={() => removeCustomExt(ext)} className="ml-0.5 hover:text-destructive">
                  <X className="w-3 h-3" />
                </button>
              </Badge>
            ))}
          </div>
        )}
      </div>
      <Button size="sm" onClick={handleSave} disabled={isSaving}>
        {isSaving && <Loader2 className="w-4 h-4 mr-2 animate-spin" />}
        Save policy
      </Button>
    </div>
  );
 }
 // ---------------------------------------------------------------------------
 // Department Members Panel
 // ---------------------------------------------------------------------------
 function DepartmentMembersPanel({ orgId, deptId }: { orgId: string; deptId: string }) {
  const { toast } = useToast();
  const [members, setMembers] = useState<DepartmentMember[]>([]);
  const [orgMembers, setOrgMembers] = useState<OrganizationMember[]>([]);
  const [isLoading, setIsLoading] = useState(false);
  const [isAdding, setIsAdding] = useState(false);
  const [removingId, setRemovingId] = useState<string | null>(null);
  const [selectedUserId, setSelectedUserId] = useState("");
  useEffect(() => {
    setIsLoading(true);
    Promise.all([
      api.organizations.getDepartmentMembers(orgId, deptId),
      api.organizations.getMembers(orgId),
    ])
      .then(([deptRes, orgRes]) => {
        setMembers(deptRes.members || []);
        setOrgMembers(orgRes.members || []);
      })
      .catch(() => toast({ variant: "destructive", title: "Failed to load members" }))
      .finally(() => setIsLoading(false));
  }, [orgId, deptId, toast]);
  const deptUserIds = new Set(members.map((m) => m.user_id));
  const available = orgMembers.filter((m) => !deptUserIds.has(m.user_id));
  const handleAdd = async () => {
    const orgMember = orgMembers.find((m) => m.user_id === selectedUserId);
    if (!orgMember?.user?.email) return;
    setIsAdding(true);
    try {
      const res = await api.organizations.addDepartmentMember(orgId, deptId, orgMember.user.email);
      setMembers((prev) => [...prev, res.member]);
      setSelectedUserId("");
      toast({ title: "Member added", description: `${orgMember.user.full_name || orgMember.user.email} added to department.` });
    } catch (err) {
      toast({ variant: "destructive", title: "Failed to add member" });
    } finally {
      setIsAdding(false);
    }
  };
  const handleRemove = async (userId: string, displayName: string) => {
    setRemovingId(userId);
    try {
      await api.organizations.removeDepartmentMember(orgId, deptId, userId);
      setMembers((prev) => prev.filter((m) => m.user_id !== userId));
      toast({ title: "Member removed", description: `${displayName} removed from department.` });
    } catch (err) {
      toast({ variant: "destructive", title: "Failed to remove member" });
    } finally {
      setRemovingId(null);
    }
  };
  if (isLoading) {
    return (
      <div className="mt-3 p-4 border rounded-lg bg-muted/30 flex items-center gap-2 text-sm text-muted-foreground">
        <Loader2 className="w-4 h-4 animate-spin" /> Loading members…
      </div>
    );
  }
  return (
    <div className="mt-3 p-4 border rounded-lg bg-muted/20 space-y-3">
      <h4 className="text-sm font-semibold flex items-center gap-2">
        <Users className="w-4 h-4 text-primary" />
        Department Members
        <Badge variant="secondary" className="ml-1">{members.length}</Badge>
      </h4>
      {/* Existing members */}
      {members.length === 0 ? (
        <p className="text-xs text-muted-foreground italic">No members yet.</p>
      ) : (
        <ul className="space-y-1.5">
          {members.map((m) => {
            const name = m.user?.full_name || m.user?.email || m.user_id;
            const email = m.user?.email;
            const busy = removingId === m.user_id;
            return (
              <li key={m.user_id} className="flex items-center justify-between gap-2 text-sm">
                <div className="min-w-0">
                  <span className="font-medium truncate">{name}</span>
                  {email && name !== email && (
                    <span className="ml-2 text-xs text-muted-foreground">{email}</span>
                  )}
                </div>
                <button
                  onClick={() => handleRemove(m.user_id, name)}
                  disabled={busy}
                  className="flex items-center gap-1 text-xs text-destructive hover:underline disabled:opacity-50 flex-shrink-0"
                >
                  {busy ? <Loader2 className="w-3 h-3 animate-spin" /> : <UserMinus className="w-3 h-3" />}
                  Remove
                </button>
              </li>
            );
          })}
        </ul>
      )}
      {/* Add member */}
      {available.length > 0 && (
        <div className="flex items-center gap-2 pt-1 border-t">
          <select
            value={selectedUserId}
            onChange={(e) => setSelectedUserId(e.target.value)}
            className="flex-1 h-8 rounded-md border border-input bg-background px-2 text-sm focus:outline-none focus:ring-2 focus:ring-ring"
          >
            <option value="">Select org member to add…</option>
            {available.map((m) => {
              const email = m.user?.email || "";
              const name = m.user?.full_name;
              const label = name && email
                ? `${name} (${email})`
                : email || m.user_id;
              return (
                <option key={m.user_id} value={m.user_id}>
                  {label}
                </option>
              );
            })}
          </select>
          <Button size="sm" onClick={handleAdd} disabled={!selectedUserId || isAdding}>
            {isAdding ? <Loader2 className="w-3 h-3 animate-spin mr-1" /> : <UserPlus className="w-3 h-3 mr-1" />}
            Add
          </Button>
        </div>
      )}
      {available.length === 0 && members.length > 0 && (
        <p className="text-xs text-muted-foreground pt-1 border-t">All org members are already in this department.</p>
      )}
    </div>
  );
 }
 export default function DepartmentsPage() {
  const params = useParams<{ orgId?: string }>();
  const { orgId: fallbackOrgId } = useCurrentOrganizationId();
  const orgId = params.orgId || fallbackOrgId;
  const { toast } = useToast();
  const [search, setSearch] = useState("");
  const [departments, setDepartments] = useState<Department[]>([]);
  const [principals, setPrincipals] = useState<Principal[]>([]);
  const [linkedPrincipals, setLinkedPrincipals] = useState<Record<string, Principal[]>>({});
  const [unlinkingKey, setUnlinkingKey] = useState<string | null>(null);
  const [isLoading, setIsLoading] = useState(true);
  const [error, setError] = useState<string | null>(null);
  const [isCreateDialogOpen, setIsCreateDialogOpen] = useState(false);
  const [isEditDialogOpen, setIsEditDialogOpen] = useState(false);
  const [isLinkDialogOpen, setIsLinkDialogOpen] = useState(false);
  const [linkingDept, setLinkingDept] = useState<Department | null>(null);
  const [selectedPrincipalId, setSelectedPrincipalId] = useState("");
  const [isLinking, setIsLinking] = useState(false);
  const [editingDept, setEditingDept] = useState<Department | null>(null);
  const [formData, setFormData] = useState({ name: "", description: "" });
  const [expandedPolicies, setExpandedPolicies] = useState<Set<string>>(new Set());
  const [expandedMembers, setExpandedMembers] = useState<Set<string>>(new Set());
  const togglePolicyPanel = (deptId: string) => {
    setExpandedPolicies((prev) => {
      const next = new Set(prev);
      next.has(deptId) ? next.delete(deptId) : next.add(deptId);
      return next;
    });
  };
  const toggleMembersPanel = (deptId: string) => {
    setExpandedMembers((prev) => {
      const next = new Set(prev);
      next.has(deptId) ? next.delete(deptId) : next.add(deptId);
      return next;
    });
  };
  const fetchLinkedPrincipals = useCallback(async (currentOrgId: string, deptList: Department[]) => {
    if (!deptList.length) return;
    const results = await Promise.allSettled(
      deptList.map((dept) =>
        api.organizations.getDepartmentPrincipals(currentOrgId, dept.id)
      )
    );
    const map: Record<string, Principal[]> = {};
    deptList.forEach((dept, i) => {
      const result = results[i];
      map[dept.id] = result.status === "fulfilled" ? result.value.principals || [] : [];
    });
    setLinkedPrincipals(map);
  }, []);
  const fetchDepartments = useCallback(async (currentOrgId: string) => {
    try {
      setIsLoading(true);
      setError(null);
      const [response, principalsRes] = await Promise.all([
        api.organizations.getDepartments(currentOrgId),
        api.organizations.getPrincipals(currentOrgId),
      ]);
      const deptList = response.departments || [];
      setDepartments(deptList);
      setPrincipals(principalsRes.principals || []);
      await fetchLinkedPrincipals(currentOrgId, deptList);
    } catch (err) {
      console.error("Failed to fetch departments:", err);
      setError("Failed to load departments. Please try again.");
    } finally {
      setIsLoading(false);
    }
  }, [fetchLinkedPrincipals]);
  useEffect(() => {
    setError(null);
    setDepartments([]);
    setPrincipals([]);
    setLinkedPrincipals({});
    if (!orgId) {
      setIsLoading(false);
      return;
    }
    fetchDepartments(orgId);
  }, [orgId, fetchDepartments]);
  const handleUnlink = async (deptId: string, principalId: string) => {
    if (!orgId) return;
    const key = `${deptId}:${principalId}`;
    setUnlinkingKey(key);
    try {
      await api.organizations.unlinkPrincipalFromDepartment(orgId, principalId, deptId);
      setLinkedPrincipals((prev) => ({
        ...prev,
        [deptId]: (prev[deptId] || []).filter((p) => p.id !== principalId),
      }));
      toast({ title: "Unlinked", description: "Principal removed from department." });
    } catch (err) {
      console.error("Failed to unlink:", err);
      toast({ title: "Error", description: "Failed to unlink principal.", variant: "destructive" });
    } finally {
      setUnlinkingKey(null);
    }
  };
  const handleLinkPrincipal = async () => {
    if (!orgId || !linkingDept || !selectedPrincipalId) return;
    setIsLinking(true);
    try {
      await api.organizations.linkPrincipalToDepartment(orgId, selectedPrincipalId, linkingDept.id);
      toast({ title: "Principal linked", description: "Principal linked to department." });
      setLinkingDept(null);
      setSelectedPrincipalId("");
      setIsLinkDialogOpen(false);
      await fetchDepartments(orgId);
    } catch {
      toast({ variant: "destructive", title: "Failed to link principal to department" });
    } finally {
      setIsLinking(false);
    }
  };
  const openLinkDialog = (dept: Department) => {
    setLinkingDept(dept);
    setSelectedPrincipalId("");
    setIsLinkDialogOpen(true);
  };
  const handleCreateDepartment = async () => {
    if (!orgId || !formData.name.trim()) return;
    try {
      await api.organizations.createDepartment(
        orgId,
        formData.name,
        formData.description || undefined
      );
      setFormData({ name: "", description: "" });
      setIsCreateDialogOpen(false);
      await fetchDepartments(orgId);
    } catch (err) {
      console.error("Failed to create department:");
      setError("Failed to create department.");
    }
  };
  const handleUpdateDepartment = async () => {
    if (!orgId || !editingDept || !formData.name.trim()) return;
    try {
      await api.organizations.updateDepartment(orgId, editingDept.id, {
        name: formData.name,
        description: formData.description || undefined,
      });
      setFormData({ name: "", description: "" });
      setEditingDept(null);
      setIsEditDialogOpen(false);
      await fetchDepartments(orgId);
    } catch (err) {
      console.error("Failed to update department:");
      setError("Failed to update department.");
    }
  };
  const handleDeleteDepartment = async (deptId: string) => {
    if (!orgId || !confirm("Are you sure you want to delete this department?")) return;
    try {
      await api.organizations.deleteDepartment(orgId, deptId);
      await fetchDepartments(orgId);
    } catch (err) {
      console.error("Failed to delete department:");
      setError("Failed to delete department.");
    }
  };
  const openEditDialog = (dept: Department) => {
    setEditingDept(dept);
    setFormData({ name: dept.name, description: dept.description || "" });
    setIsEditDialogOpen(true);
  };
  const filteredDepartments = departments.filter((dept) => {
    const searchLower = search.toLowerCase();
    return (
      dept.name.toLowerCase().includes(searchLower) ||
      (dept.description?.toLowerCase().includes(searchLower) ?? false)
    );
  });
  // Principals not yet linked to the dept being linked
  const availablePrincipalsToLink = linkingDept
    ? principals.filter((p) => !(linkedPrincipals[linkingDept.id] || []).some((lp) => lp.id === p.id))
    : principals;
  return (
    <div className="page-container">
      <div className="page-header flex flex-col sm:flex-row sm:items-center sm:justify-between gap-4">
        <div>
          <h1 className="page-title">Departments</h1>
          <p className="page-description">
            Manage departments and organize team members
          </p>
        </div>
        <Button onClick={() => { setFormData({ name: "", description: "" }); setIsCreateDialogOpen(true); }}>
          <Plus className="w-4 h-4 mr-2" />
          Create Department
        </Button>
      </div>
      <div className="mb-4">
        <div className="relative">
          <Search className="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-muted-foreground" />
          <Input
            placeholder="Search departments..."
            value={search}
            onChange={(e) => setSearch(e.target.value)}
            className="pl-10 max-w-sm"
          />
        </div>
      </div>
      <Card>
        <CardContent className="p-0">
          {isLoading ? (
            <div className="flex items-center justify-center p-8">
              <Loader2 className="w-6 h-6 animate-spin text-muted-foreground" />
              <span className="ml-2 text-muted-foreground">Loading departments...</span>
            </div>
          ) : error ? (
            <div className="p-8 text-center text-destructive">
              {error}
            </div>
          ) : filteredDepartments.length === 0 ? (
            <div className="p-8 text-center text-muted-foreground">
              No departments found
            </div>
          ) : (
            <div className="divide-y">
              {filteredDepartments.map((dept) => {
                const principals = linkedPrincipals[dept.id] || [];
                return (
                  <div key={dept.id} className="p-4 flex items-start gap-4">
                    <div className="w-10 h-10 rounded-lg bg-accent/10 text-accent flex items-center justify-center flex-shrink-0">
                      <Users className="w-4 h-4" />
                    </div>
                    <div className="flex-1 min-w-0">
                      <div className="flex items-center gap-2">
                        <p className="font-medium text-foreground">
                          {dept.name}
                        </p>
                      </div>
                      {dept.description && (
                        <p className="mt-1 text-sm text-muted-foreground">
                          {dept.description}
                        </p>
                      )}
                      {/* Linked principals */}
                      <div className="mt-2 flex flex-wrap gap-1">
                        {principals.length === 0 ? (
                          <span className="text-xs text-muted-foreground italic">
                            Not linked to any principal
                          </span>
                        ) : (
                          principals.map((principal) => {
                            const key = `${dept.id}:${principal.id}`;
                            const busy = unlinkingKey === key;
                            return (
                              <span
                                key={principal.id}
                                className="inline-flex items-center gap-1 px-2 py-0.5 rounded-full text-xs font-medium bg-purple-100 text-purple-700 dark:bg-purple-900 dark:text-purple-300"
                              >
                                {principal.name}
                                <button
                                  onClick={() => handleUnlink(dept.id, principal.id)}
                                  disabled={busy}
                                  className="ml-0.5 rounded-full hover:bg-purple-200 dark:hover:bg-purple-800 disabled:opacity-50 p-0.5"
                                  aria-label={`Unlink ${principal.name}`}
                                >
                                  {busy ? (
                                    <Loader2 className="w-3 h-3 animate-spin" />
                                  ) : (
                                    <X className="w-3 h-3" />
                                  )}
                                </button>
                              </span>
                            );
                          })
                        )}
                      </div>
                      <div className="mt-2 text-xs text-muted-foreground">
                        Created {new Date(dept.created_at).toLocaleDateString()}
                      </div>
                      {/* Members toggle */}
                      <button
                        className="mt-3 flex items-center gap-1 text-xs text-primary hover:underline"
                        onClick={() => toggleMembersPanel(dept.id)}
                      >
                        <Users className="w-3 h-3" />
                        Members
                        {expandedMembers.has(dept.id) ? <ChevronUp className="w-3 h-3" /> : <ChevronDown className="w-3 h-3" />}
                      </button>
                      {/* Members panel */}
                      {orgId && expandedMembers.has(dept.id) && (
                        <DepartmentMembersPanel orgId={orgId} deptId={dept.id} />
                      )}
                      {/* Certificate policy toggle */}
                      <button
                        className="mt-3 flex items-center gap-1 text-xs text-primary hover:underline"
                        onClick={() => orgId && togglePolicyPanel(dept.id)}
                      >
                        <ShieldCheck className="w-3 h-3" />
                        Certificate Policy
                        {expandedPolicies.has(dept.id) ? <ChevronUp className="w-3 h-3" /> : <ChevronDown className="w-3 h-3" />}
                      </button>
                      {/* Certificate policy panel */}
                      {orgId && expandedPolicies.has(dept.id) && (
                        <DepartmentCertPolicyPanel orgId={orgId} deptId={dept.id} />
                      )}
                    </div>
                    <DropdownMenu>
                      <DropdownMenuTrigger asChild>
                        <Button variant="ghost" size="icon">
                          <MoreHorizontal className="w-4 h-4" />
                        </Button>
                      </DropdownMenuTrigger>
                      <DropdownMenuContent align="end">
                        <DropdownMenuItem onClick={() => openEditDialog(dept)}>
                          <Edit2 className="w-4 h-4 mr-2" />
                          Edit
                        </DropdownMenuItem>
                        <DropdownMenuItem onClick={() => openLinkDialog(dept)}>
                          <LinkIcon className="w-4 h-4 mr-2" />
                          Link Principal
                        </DropdownMenuItem>
                        <DropdownMenuSeparator />
                        <DropdownMenuItem
                          className="text-destructive"
                          onClick={() => handleDeleteDepartment(dept.id)}
                        >
                          <Trash2 className="w-4 h-4 mr-2" />
                          Delete
                        </DropdownMenuItem>
                      </DropdownMenuContent>
                    </DropdownMenu>
                  </div>
                );
              })}
            </div>
          )}
        </CardContent>
      </Card>
      {/* Create Department Dialog */}
      <Dialog open={isCreateDialogOpen} onOpenChange={setIsCreateDialogOpen}>
        <DialogContent>
          <DialogHeader>
            <DialogTitle>Create Department</DialogTitle>
            <DialogDescription>
              Create a new department to organize team members
            </DialogDescription>
          </DialogHeader>
          <div className="space-y-4">
            <div>
              <Label htmlFor="dept-name">Department Name</Label>
              <Input
                id="dept-name"
                placeholder="e.g., Engineering"
                value={formData.name}
                onChange={(e) => setFormData({ ...formData, name: e.target.value })}
              />
            </div>
            <div>
              <Label htmlFor="dept-desc">Description</Label>
              <Textarea
                id="dept-desc"
                placeholder="Optional description..."
                value={formData.description}
                onChange={(e) => setFormData({ ...formData, description: e.target.value })}
                rows={3}
              />
            </div>
          </div>
          <DialogFooter>
            <Button variant="outline" onClick={() => setIsCreateDialogOpen(false)}>
              Cancel
            </Button>
            <Button onClick={handleCreateDepartment}>
              Create Department
            </Button>
          </DialogFooter>
        </DialogContent>
      </Dialog>
      {/* Edit Department Dialog */}
      <Dialog open={isEditDialogOpen} onOpenChange={setIsEditDialogOpen}>
        <DialogContent>
          <DialogHeader>
            <DialogTitle>Edit Department</DialogTitle>
            <DialogDescription>
              Update department information
            </DialogDescription>
          </DialogHeader>
          <div className="space-y-4">
            <div>
              <Label htmlFor="edit-dept-name">Department Name</Label>
              <Input
                id="edit-dept-name"
                placeholder="e.g., Engineering"
                value={formData.name}
                onChange={(e) => setFormData({ ...formData, name: e.target.value })}
              />
            </div>
            <div>
              <Label htmlFor="edit-dept-desc">Description</Label>
              <Textarea
                id="edit-dept-desc"
                placeholder="Optional description..."
                value={formData.description}
                onChange={(e) => setFormData({ ...formData, description: e.target.value })}
                rows={3}
              />
            </div>
          </div>
          <DialogFooter>
            <Button variant="outline" onClick={() => setIsEditDialogOpen(false)}>
              Cancel
            </Button>
            <Button onClick={handleUpdateDepartment}>
              Save Changes
            </Button>
          </DialogFooter>
        </DialogContent>
      </Dialog>
      {/* Link Principal to Department Dialog */}
      <Dialog
        open={isLinkDialogOpen}
        onOpenChange={(open) => {
          if (!open) { setLinkingDept(null); setSelectedPrincipalId(""); }
          setIsLinkDialogOpen(open);
        }}
      >
        <DialogContent>
          <DialogHeader>
            <DialogTitle>Link Principal to Department</DialogTitle>
            <DialogDescription>
              Link a principal to <strong>{linkingDept?.name}</strong>. All department members will gain access to the principal.
            </DialogDescription>
          </DialogHeader>
          <div className="space-y-4">
            <div>
              <Label htmlFor="principal-select">Principal</Label>
              {availablePrincipalsToLink.length === 0 ? (
                <p className="mt-2 text-sm text-muted-foreground">
                  {principals.length === 0
                    ? "No principals exist yet. Create one on the Principals page."
                    : "All principals are already linked to this department."}
                </p>
              ) : (
                <Select value={selectedPrincipalId} onValueChange={setSelectedPrincipalId}>
                  <SelectTrigger id="principal-select" className="mt-1">
                    <SelectValue placeholder="Choose a principal…" />
                  </SelectTrigger>
                  <SelectContent>
                    {availablePrincipalsToLink.map((p) => (
                      <SelectItem key={p.id} value={p.id}>{p.name}</SelectItem>
                    ))}
                  </SelectContent>
                </Select>
              )}
            </div>
          </div>
          <DialogFooter>
            <Button variant="outline" onClick={() => setIsLinkDialogOpen(false)}>Cancel</Button>
            <Button
              onClick={handleLinkPrincipal}
              disabled={!selectedPrincipalId || isLinking || availablePrincipalsToLink.length === 0}
            >
              {isLinking && <Loader2 className="w-4 h-4 mr-2 animate-spin" />}
              Link
            </Button>
          </DialogFooter>
        </DialogContent>
      </Dialog>
    </div>
  );
 }
@@ -0,0 +1,158 @@
 import { useEffect, useState } from "react";
 import { Layers, GitBranch, Building2, Loader2, Link } from "lucide-react";
 import { api, MyOrgMembership } from "@/lib/api";
 import { Skeleton } from "@/components/ui/skeleton";
 import { Badge } from "@/components/ui/badge";
 function MembershipsSkeleton() {
  return (
    <div className="space-y-6">
      {[1, 2].map((i) => (
        <div key={i} className="rounded-xl border border-border bg-card p-5 space-y-4">
          <Skeleton className="h-5 w-48" />
          <div className="grid grid-cols-1 md:grid-cols-2 gap-4">
            <Skeleton className="h-24 w-full rounded-lg" />
            <Skeleton className="h-24 w-full rounded-lg" />
          </div>
        </div>
      ))}
    </div>
  );
 }
 export default function MyMembershipsPage() {
  const [orgs, setOrgs] = useState<MyOrgMembership[]>([]);
  const [isLoading, setIsLoading] = useState(true);
  useEffect(() => {
    api.users.getMyMemberships()
      .then((res) => setOrgs(res.orgs ?? []))
      .catch(console.error)
      .finally(() => setIsLoading(false));
  }, []);
  const totalDepts = orgs.reduce((s, o) => s + o.departments.length, 0);
  const totalPrincipals = orgs.reduce((s, o) => s + o.principals.length, 0);
  return (
    <div className="page-container">
      <div className="page-header">
        <h1 className="page-title">My Memberships</h1>
        <p className="page-description">
          Departments and principals you belong to across your organizations
        </p>
      </div>
      {isLoading ? (
        <MembershipsSkeleton />
      ) : orgs.length === 0 ? (
        <div className="flex flex-col items-center justify-center py-20 text-center text-muted-foreground">
          <Building2 className="w-10 h-10 mb-3 opacity-30" />
          <p className="text-sm">You're not a member of any organizations yet.</p>
        </div>
      ) : (
        <div className="space-y-6">
          {/* Summary chips */}
          <div className="flex flex-wrap gap-3">
            <div className="inline-flex items-center gap-2 rounded-full border border-border bg-card px-4 py-1.5 text-sm">
              <Layers className="w-3.5 h-3.5 text-primary" />
              <span className="font-medium">{totalDepts}</span>
              <span className="text-muted-foreground">department{totalDepts !== 1 ? "s" : ""}</span>
            </div>
            <div className="inline-flex items-center gap-2 rounded-full border border-border bg-card px-4 py-1.5 text-sm">
              <GitBranch className="w-3.5 h-3.5 text-primary" />
              <span className="font-medium">{totalPrincipals}</span>
              <span className="text-muted-foreground">principal{totalPrincipals !== 1 ? "s" : ""}</span>
            </div>
          </div>
          {orgs.map((org) => (
            <div
              key={org.org_id}
              className="rounded-xl border border-border bg-card overflow-hidden"
            >
              {/* Org header */}
              <div className="flex items-center gap-3 px-5 py-4 border-b border-border bg-muted/30">
                <div className="w-7 h-7 rounded bg-primary/10 flex items-center justify-center shrink-0">
                  <Building2 className="w-3.5 h-3.5 text-primary" />
                </div>
                <span className="font-semibold text-foreground text-sm">{org.org_name}</span>
                <Badge variant="outline" className="capitalize text-xs ml-auto">
                  {org.role.toLowerCase()}
                </Badge>
              </div>
              <div className="grid grid-cols-1 md:grid-cols-2 divide-y md:divide-y-0 md:divide-x divide-border">
                {/* Departments */}
                <div className="p-5 space-y-3">
                  <div className="flex items-center gap-2 text-xs font-semibold uppercase tracking-wider text-muted-foreground">
                    <Layers className="w-3.5 h-3.5" />
                    Departments
                  </div>
                  {org.departments.length === 0 ? (
                    <p className="text-xs text-muted-foreground py-2">
                      Not assigned to any departments.
                    </p>
                  ) : (
                    <ul className="space-y-2">
                      {org.departments.map((dept) => (
                        <li
                          key={dept.id}
                          className="flex items-start gap-2.5 rounded-lg border border-border bg-background px-3 py-2.5"
                        >
                          <Layers className="w-3.5 h-3.5 mt-0.5 text-primary shrink-0" />
                          <div className="min-w-0">
                            <p className="text-sm font-medium text-foreground truncate">{dept.name}</p>
                            {dept.description && (
                              <p className="text-xs text-muted-foreground mt-0.5 line-clamp-1">{dept.description}</p>
                            )}
                          </div>
                        </li>
                      ))}
                    </ul>
                  )}
                </div>
                {/* Principals */}
                <div className="p-5 space-y-3">
                  <div className="flex items-center gap-2 text-xs font-semibold uppercase tracking-wider text-muted-foreground">
                    <GitBranch className="w-3.5 h-3.5" />
                    Principals
                  </div>
                  {org.principals.length === 0 ? (
                    <p className="text-xs text-muted-foreground py-2">
                      No principals assigned.
                    </p>
                  ) : (
                    <ul className="space-y-2">
                      {org.principals.map((p) => (
                        <li
                          key={p.id}
                          className="flex items-start gap-2.5 rounded-lg border border-border bg-background px-3 py-2.5"
                        >
                          <GitBranch className="w-3.5 h-3.5 mt-0.5 text-primary shrink-0" />
                          <div className="min-w-0 flex-1">
                            <p className="text-sm font-medium text-foreground truncate">{p.name}</p>
                            {p.description && (
                              <p className="text-xs text-muted-foreground mt-0.5 line-clamp-1">{p.description}</p>
                            )}
                          </div>
                          {p.via_department && (
                            <span className="shrink-0 inline-flex items-center gap-1 text-[10px] text-muted-foreground border border-border rounded px-1.5 py-0.5">
                              <Link className="w-2.5 h-2.5" />
                              via dept
                            </span>
                          )}
                        </li>
                      ))}
                    </ul>
                  )}
                </div>
              </div>
            </div>
          ))}
        </div>
      )}
    </div>
  );
 }
@@ -1,7 +1,7 @@
-import { useState } from "react";
+import { useState, useEffect, useRef } from "react";
-import { Plus, Key, ExternalLink, MoreHorizontal, Copy, RefreshCw, Trash2 } from "lucide-react";
+import { Plus, Key, MoreHorizontal, Copy, Trash2, Loader2, AlertCircle, CheckCircle } from "lucide-react";
 import { Button } from "@/components/ui/button";
-import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "@/components/ui/card";
+import { Card, CardContent } from "@/components/ui/card";
 import { Badge } from "@/components/ui/badge";
 import {
  DropdownMenu,
@@ -21,39 +21,71 @@ import {
 import { Input } from "@/components/ui/input";
 import { Label } from "@/components/ui/label";
 import { Textarea } from "@/components/ui/textarea";
-
+import { api, OIDCClient, OIDCClientWithSecret } from "@/lib/api";
-const clients = [
+import { useToast } from "@/hooks/use-toast";
-  {
+import { useOrg } from "@/contexts/OrgContext";
    id: "1",
    name: "GitLab",
    clientId: "gitlab_prod_xxxxxxxxxxxxx",
    redirectUris: ["https://gitlab.example.com/callback"],
    scopes: ["openid", "profile", "email"],
    createdAt: "2024-01-10",
    lastUsed: "2 hours ago",
  },
  {
    id: "2",
    name: "Grafana",
    clientId: "grafana_prod_xxxxxxxxxxxxx",
    redirectUris: ["https://grafana.example.com/login/generic_oauth"],
    scopes: ["openid", "profile"],
    createdAt: "2024-01-08",
    lastUsed: "5 minutes ago",
  },
  {
    id: "3",
    name: "OAuth2 Proxy",
    clientId: "oauth2proxy_xxxxxxxxxxxxx",
    redirectUris: ["https://auth.example.com/oauth2/callback"],
    scopes: ["openid", "profile", "email", "groups"],
    createdAt: "2024-01-05",
    lastUsed: "1 day ago",
  },
 ];
 export default function OIDCClientsPage() {
  const { toast } = useToast();
  const { selectedOrgId: orgId } = useOrg();
  const [clients, setClients] = useState<OIDCClient[]>([]);
  const [isLoading, setIsLoading] = useState(true);
  const [isCreateOpen, setIsCreateOpen] = useState(false);
  const [isCreating, setIsCreating] = useState(false);
  const [newSecret, setNewSecret] = useState<{ clientId: string; secret: string } | null>(null);
  const nameRef = useRef<HTMLInputElement>(null);
  const urisRef = useRef<HTMLTextAreaElement>(null);
  const loadData = (id: string) => {
    api.organizations.getClients(id)
      .then((data) => setClients(data.clients))
      .catch(() => toast({ title: "Error", description: "Failed to load OIDC clients.", variant: "destructive" }))
      .finally(() => setIsLoading(false));
  };
  useEffect(() => {
    if (!orgId) { setIsLoading(false); return; }
    setIsLoading(true);
    loadData(orgId);
  }, [orgId]);
  const handleCreate = async () => {
    if (!orgId || !nameRef.current || !urisRef.current) return;
    const name = nameRef.current.value.trim();
    const uris = urisRef.current.value.trim().split(/[\n,]+/).map((u) => u.trim()).filter(Boolean);
    if (!name || !uris.length) return;
    setIsCreating(true);
    try {
      const result = await api.organizations.createClient(orgId, name, uris);
      const created = result.client as OIDCClientWithSecret;
      setClients((prev) => [...prev, created]);
      setNewSecret({ clientId: created.client_id, secret: created.client_secret });
      setIsCreateOpen(false);
    } catch {
      toast({ title: "Error", description: "Failed to create client.", variant: "destructive" });
    } finally {
      setIsCreating(false);
    }
  };
  const handleDelete = async (clientId: string) => {
    if (!orgId) return;
    try {
      await api.organizations.deleteClient(orgId, clientId);
      setClients((prev) => prev.filter((c) => c.id !== clientId));
      toast({ title: "Client deleted", description: "OIDC client deactivated successfully." });
    } catch {
      toast({ title: "Error", description: "Failed to delete client.", variant: "destructive" });
    }
  };
  const copyToClipboard = (text: string) => {
    navigator.clipboard.writeText(text).then(() =>
      toast({ title: "Copied", description: "Copied to clipboard." })
    );
  };
  return (
    <div className="page-container">
@@ -81,7 +113,7 @@ export default function OIDCClientsPage() {
            <div className="space-y-4 py-4">
              <div className="space-y-2">
                <Label htmlFor="clientName">Client name</Label>
-                <Input id="clientName" placeholder="My Application" />
+                <Input id="clientName" placeholder="My Application" ref={nameRef} />
              </div>
              <div className="space-y-2">
                <Label htmlFor="redirectUris">Redirect URIs</Label>
@@ -89,17 +121,18 @@ export default function OIDCClientsPage() {
                  id="redirectUris"
                  placeholder="https://myapp.example.com/callback"
                  className="min-h-[80px]"
                  ref={urisRef}
                />
                <p className="text-xs text-muted-foreground">
                  One URI per line. These are the allowed callback URLs.
                </p>
              </div>
              <div className="flex justify-end gap-2">
-                <Button variant="outline" onClick={() => setIsCreateOpen(false)}>
+                <Button variant="outline" onClick={() => setIsCreateOpen(false)} disabled={isCreating}>
                  Cancel
                </Button>
-                <Button onClick={() => setIsCreateOpen(false)}>
+                <Button onClick={handleCreate} disabled={isCreating}>
-                  Create client
+                  {isCreating ? <><Loader2 className="w-4 h-4 mr-2 animate-spin" />Creating...</> : "Create client"}
                </Button>
              </div>
            </div>
@@ -107,71 +140,101 @@ export default function OIDCClientsPage() {
        </Dialog>
      </div>
-      <div className="space-y-4">
+      {/* Show new client secret once */}
-        {clients.map((client) => (
+      {newSecret && (
-          <Card key={client.id}>
+        <Card className="mb-4 border-success/50 bg-success/5">
-            <CardContent className="p-5">
+          <CardContent className="p-4 flex items-start gap-3">
-              <div className="flex items-start justify-between">
+            <CheckCircle className="w-5 h-5 text-success mt-0.5 flex-shrink-0" />
-                <div className="flex items-start gap-4">
+            <div className="flex-1 min-w-0">
-                  <div className="w-12 h-12 rounded-lg bg-primary/10 flex items-center justify-center">
+              <p className="font-medium text-foreground">Client created — save your secret now</p>
-                    <Key className="w-6 h-6 text-primary" />
+              <p className="text-sm text-muted-foreground mb-2">This secret will not be shown again.</p>
              <div className="flex items-center gap-2">
                <code className="text-xs bg-muted px-2 py-1 rounded font-mono break-all">{newSecret.secret}</code>
                <Button variant="ghost" size="icon" className="w-6 h-6 flex-shrink-0" onClick={() => copyToClipboard(newSecret.secret)}>
                  <Copy className="w-3 h-3" />
                </Button>
              </div>
            </div>
            <Button variant="ghost" size="icon" className="w-6 h-6" onClick={() => setNewSecret(null)}>×</Button>
          </CardContent>
        </Card>
      )}
      {isLoading ? (
        <div className="flex items-center justify-center py-12">
          <Loader2 className="w-6 h-6 animate-spin text-muted-foreground" />
        </div>
      ) : clients.length === 0 ? (
        <Card>
          <CardContent className="text-center py-12">
            <AlertCircle className="w-10 h-10 mx-auto mb-3 text-muted-foreground/50" />
            <p className="text-muted-foreground">No OIDC clients configured yet.</p>
            <Button className="mt-4" onClick={() => setIsCreateOpen(true)}>
              <Plus className="w-4 h-4 mr-2" />
              Add your first client
            </Button>
          </CardContent>
        </Card>
      ) : (
        <div className="space-y-4">
          {clients.map((client) => (
            <Card key={client.id}>
              <CardContent className="p-5">
                <div className="flex items-start justify-between">
                  <div className="flex items-start gap-4">
                    <div className="w-12 h-12 rounded-lg bg-primary/10 flex items-center justify-center">
                      <Key className="w-6 h-6 text-primary" />
                    </div>
                    <div>
                      <h3 className="font-semibold text-foreground">{client.name}</h3>
                      <div className="flex items-center gap-2 mt-1">
                        <code className="text-xs bg-muted px-2 py-1 rounded font-mono">
                          {client.client_id}
                        </code>
                        <Button variant="ghost" size="icon" className="w-6 h-6" onClick={() => copyToClipboard(client.client_id)}>
                          <Copy className="w-3 h-3" />
                        </Button>
                      </div>
                      <div className="flex flex-wrap gap-1 mt-3">
                        {(client.scopes ?? []).map((scope) => (
                          <Badge key={scope} variant="secondary" className="text-xs">
                            {scope}
                          </Badge>
                        ))}
                      </div>
                    </div>
                  </div>
-                  <div>
+                  <DropdownMenu>
-                    <h3 className="font-semibold text-foreground">{client.name}</h3>
+                    <DropdownMenuTrigger asChild>
-                    <div className="flex items-center gap-2 mt-1">
+                      <Button variant="ghost" size="icon">
-                      <code className="text-xs bg-muted px-2 py-1 rounded font-mono">
+                        <MoreHorizontal className="w-4 h-4" />
                        {client.clientId}
                      </code>
                      <Button variant="ghost" size="icon" className="w-6 h-6">
                        <Copy className="w-3 h-3" />
                      </Button>
-                    </div>
+                    </DropdownMenuTrigger>
-                    <div className="flex flex-wrap gap-1 mt-3">
+                    <DropdownMenuContent align="end">
-                      {client.scopes.map((scope) => (
+                      <DropdownMenuSeparator />
-                        <Badge key={scope} variant="secondary" className="text-xs">
+                      <DropdownMenuItem
-                          {scope}
+                        className="text-destructive"
-                        </Badge>
+                        onClick={() => handleDelete(client.id)}
-                      ))}
+                      >
-                    </div>
+                        <Trash2 className="w-4 h-4 mr-2" />
                        Delete client
                      </DropdownMenuItem>
                    </DropdownMenuContent>
                  </DropdownMenu>
                </div>
                <div className="mt-4 pt-4 border-t flex items-center justify-between text-sm text-muted-foreground">
                  <span>
                    Created {new Date(client.created_at).toLocaleDateString()}
                  </span>
                  <div className="flex items-center gap-1">
                    {(client.redirect_uris ?? []).length} redirect URI{(client.redirect_uris ?? []).length !== 1 ? "s" : ""}
                  </div>
                </div>
-                <DropdownMenu>
+              </CardContent>
-                  <DropdownMenuTrigger asChild>
+            </Card>
-                    <Button variant="ghost" size="icon">
+          ))}
-                      <MoreHorizontal className="w-4 h-4" />
+        </div>
-                    </Button>
+      )}
                  </DropdownMenuTrigger>
                  <DropdownMenuContent align="end">
                    <DropdownMenuItem>
                      <ExternalLink className="w-4 h-4 mr-2" />
                      View details
                    </DropdownMenuItem>
                    <DropdownMenuItem>
                      <RefreshCw className="w-4 h-4 mr-2" />
                      Rotate secret
                    </DropdownMenuItem>
                    <DropdownMenuSeparator />
                    <DropdownMenuItem className="text-destructive">
                      <Trash2 className="w-4 h-4 mr-2" />
                      Delete client
                    </DropdownMenuItem>
                  </DropdownMenuContent>
                </DropdownMenu>
              </div>
              <div className="mt-4 pt-4 border-t flex items-center justify-between text-sm text-muted-foreground">
                <div className="flex items-center gap-4">
                  <span>Created {client.createdAt}</span>
                  <span>•</span>
                  <span>Last used {client.lastUsed}</span>
                </div>
                <div className="flex items-center gap-1">
                  {client.redirectUris.length} redirect URI{client.redirectUris.length > 1 ? "s" : ""}
                </div>
              </div>
            </CardContent>
          </Card>
        ))}
      </div>
    </div>
  );
 }
@@ -1,90 +1,77 @@
-import { useState } from "react";
+import { useState, useEffect, useCallback } from "react";
-import { Search, Filter, Download, User, Settings, Key, UserPlus, AlertTriangle } from "lucide-react";
+import { Search, Filter, Download, User, Settings, Key, UserPlus, AlertTriangle, Loader2 } from "lucide-react";
 import { useParams } from "react-router-dom";
 import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Card, CardContent } from "@/components/ui/card";
 import { Badge } from "@/components/ui/badge";
 import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from "@/components/ui/select";
 import { api, AuditLogEntry } from "@/lib/api";
 import { useCurrentOrganizationId } from "@/hooks/useCurrentOrganization";
-const auditEvents = [
+const getEventIcon = (action: string) => {
-  {
+  if (action.includes("member") || action.includes("MEMBER")) {
-    id: "1",
+    return <UserPlus className="w-4 h-4" />;
    type: "member_invited",
    actor: "John Doe",
    target: "alice@example.com",
    timestamp: "2024-01-15T10:30:00Z",
    details: "Invited as member",
  },
  {
    id: "2",
    type: "policy_changed",
    actor: "John Doe",
    target: "Password Policy",
    timestamp: "2024-01-15T09:00:00Z",
    details: "Minimum length changed from 8 to 12",
  },
  {
    id: "3",
    type: "member_disabled",
    actor: "Jane Smith",
    target: "bob@example.com",
    timestamp: "2024-01-14T15:45:00Z",
    details: "Account disabled",
  },
  {
    id: "4",
    type: "client_created",
    actor: "John Doe",
    target: "GitLab",
    timestamp: "2024-01-14T12:00:00Z",
    details: "OIDC client created",
  },
  {
    id: "5",
    type: "role_changed",
    actor: "John Doe",
    target: "jane@example.com",
    timestamp: "2024-01-13T09:00:00Z",
    details: "Role changed from member to admin",
  },
 ];
 const getEventIcon = (type: string) => {
  switch (type) {
    case "member_invited":
    case "role_changed":
      return <UserPlus className="w-4 h-4" />;
    case "policy_changed":
      return <Settings className="w-4 h-4" />;
    case "member_disabled":
      return <AlertTriangle className="w-4 h-4" />;
    case "client_created":
      return <Key className="w-4 h-4" />;
    default:
      return <User className="w-4 h-4" />;
  }
  if (action.includes("policy") || action.includes("POLICY") || action.includes("mfa")) {
    return <Settings className="w-4 h-4" />;
  }
  if (action.includes("delete") || action.includes("DELETE") || action.includes("disable")) {
    return <AlertTriangle className="w-4 h-4" />;
  }
  if (action.includes("client") || action.includes("oidc") || action.includes("key")) {
    return <Key className="w-4 h-4" />;
  }
  return <User className="w-4 h-4" />;
 };
-const getEventTitle = (type: string) => {
+const getEventTitle = (action: string) => {
-  switch (type) {
+  const parts = action.split(".");
-    case "member_invited":
+  return parts.map(p => p.charAt(0).toUpperCase() + p.slice(1)).join(" ");
-      return "Member invited";
+};
-    case "policy_changed":
+
-      return "Policy changed";
+const getActionCategory = (action: string): string => {
-    case "member_disabled":
+  if (action.includes("member") || action.includes("MEMBER")) return "members";
-      return "Member disabled";
+  if (action.includes("policy") || action.includes("POLICY") || action.includes("mfa")) return "policies";
-    case "client_created":
+  if (action.includes("client") || action.includes("OIDC")) return "clients";
-      return "OIDC client created";
+  return "other";
    case "role_changed":
      return "Role changed";
    default:
      return "Event";
  }
 };
 export default function OrgAuditPage() {
  const params = useParams<{ orgId?: string }>();
  const { orgId: fallbackOrgId } = useCurrentOrganizationId();
  const orgId = params.orgId || fallbackOrgId;
  const [search, setSearch] = useState("");
  const [typeFilter, setTypeFilter] = useState("all");
  const [auditLogs, setAuditLogs] = useState<AuditLogEntry[]>([]);
  const [isLoading, setIsLoading] = useState(true);
  const [error, setError] = useState<string | null>(null);
  const fetchAuditLogs = useCallback(async (currentOrgId: string) => {
    try {
      setIsLoading(true);
      setError(null);
      const response = await api.organizations.getAuditLogs(currentOrgId);
      setAuditLogs(response.audit_logs || []);
    } catch (err) {
      console.error("Failed to fetch audit logs:", err);
      setError("Failed to load audit logs. Please try again.");
    } finally {
      setIsLoading(false);
    }
  }, []);
  useEffect(() => {
    setError(null);
    setAuditLogs([]);
    if (!orgId) {
      setIsLoading(false);
      return;
    }
    fetchAuditLogs(orgId);
    // eslint-disable-next-line react-hooks/exhaustive-deps
  }, [orgId]);
  const formatDate = (dateString: string) => {
    const date = new Date(dateString);
@@ -96,6 +83,20 @@ export default function OrgAuditPage() {
    }).format(date);
  };
  const filteredLogs = auditLogs.filter((log) => {
    const matchesSearch =
      search === "" ||
      log.description?.toLowerCase().includes(search.toLowerCase()) ||
      log.action.toLowerCase().includes(search.toLowerCase()) ||
      log.user?.email.toLowerCase().includes(search.toLowerCase());
    const matchesFilter =
      typeFilter === "all" ||
      getActionCategory(log.action) === typeFilter;
    return matchesSearch && matchesFilter;
  });
  return (
    <div className="page-container">
      <div className="page-header flex flex-col sm:flex-row sm:items-center sm:justify-between gap-4">
@@ -137,39 +138,65 @@ export default function OrgAuditPage() {
      <Card>
        <CardContent className="p-0">
-          <div className="divide-y">
+          {isLoading ? (
-            {auditEvents.map((event) => (
+            <div className="flex items-center justify-center p-8">
-              <div key={event.id} className="p-4 flex items-start gap-4">
+              <Loader2 className="w-6 h-6 animate-spin text-muted-foreground" />
-                <div
+              <span className="ml-2 text-muted-foreground">Loading audit logs...</span>
-                  className={`w-10 h-10 rounded-lg flex items-center justify-center flex-shrink-0 ${
+            </div>
-                    event.type === "member_disabled"
+          ) : error ? (
-                      ? "bg-destructive/10 text-destructive"
+            <div className="p-8 text-center text-destructive">
-                      : "bg-accent/10 text-accent"
+              {error}
-                  }`}
+            </div>
-                >
+          ) : filteredLogs.length === 0 ? (
-                  {getEventIcon(event.type)}
+            <div className="p-8 text-center text-muted-foreground">
-                </div>
+              No audit events found
-                <div className="flex-1 min-w-0">
+            </div>
-                  <div className="flex items-center gap-2 flex-wrap">
+          ) : (
-                    <p className="font-medium text-foreground">
+            <div className="divide-y">
-                      {getEventTitle(event.type)}
+              {filteredLogs.map((log) => (
-                    </p>
+                <div key={log.id} className="p-4 flex items-start gap-4">
-                    <Badge variant="secondary" className="text-xs">
+                  <div
-                      {event.target}
+                    className={`w-10 h-10 rounded-lg flex items-center justify-center flex-shrink-0 ${
-                    </Badge>
+                      !log.success
                        ? "bg-destructive/10 text-destructive"
                        : "bg-accent/10 text-accent"
                    }`}
                  >
                    {getEventIcon(log.action)}
                  </div>
-                  <div className="mt-1 text-sm text-muted-foreground">
+                  <div className="flex-1 min-w-0">
-                    <span>by {event.actor}</span>
+                    <div className="flex items-center gap-2 flex-wrap">
-                    <span className="mx-2">•</span>
+                      <p className="font-medium text-foreground">
-                    <span>{event.details}</span>
+                        {getEventTitle(log.action)}
                      </p>
                      {log.resource_type && (
                        <Badge variant="secondary" className="text-xs">
                          {log.resource_type}
                        </Badge>
                      )}
                      {!log.success && (
                        <Badge variant="destructive" className="text-xs">
                          Failed
                        </Badge>
                      )}
                    </div>
                    <div className="mt-1 text-sm text-muted-foreground">
                      <span>by {log.user?.full_name || log.user?.email || "System"}</span>
                      {log.description && (
                        <>
                          <span className="mx-2">•</span>
                          <span>{log.description}</span>
                        </>
                      )}
                    </div>
                  </div>
                  <p className="text-sm text-muted-foreground whitespace-nowrap">
                    {formatDate(log.created_at)}
                  </p>
                </div>
-                <p className="text-sm text-muted-foreground whitespace-nowrap">
+              ))}
-                  {formatDate(event.timestamp)}
+            </div>
-                </p>
+          )}
              </div>
            ))}
          </div>
        </CardContent>
      </Card>
    </div>
@@ -1,19 +1,81 @@
-import { Building2, Users, Shield, Key, ArrowRight, TrendingUp } from "lucide-react";
+import { useEffect, useState } from "react";
-import { Link } from "react-router-dom";
+import { Building2, Users, Shield, Key, ArrowRight, TrendingUp, Loader2, Trash2, AlertTriangle, ArrowLeftRight } from "lucide-react";
 import { Link, useNavigate } from "react-router-dom";
 import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "@/components/ui/card";
 import { Button } from "@/components/ui/button";
 import {
  Dialog,
  DialogContent,
  DialogDescription,
  DialogFooter,
  DialogHeader,
  DialogTitle,
 } from "@/components/ui/dialog";
 import { api, OIDCClient, ApiError } from "@/lib/api";
 import { useOrg } from "@/contexts/OrgContext";import { useOrganizations } from "@/hooks/useOrganizations";
 import { toast } from "@/hooks/use-toast";
 export default function OrgOverviewPage() {
-  // Mock organization data
+  const navigate = useNavigate();
-  const org = {
+  const { selectedOrg, selectOrg } = useOrg();
-    name: "Acme Corp",
+  const { refetch: refetchOrgs } = useOrganizations();
-    createdAt: "January 2024",
+  const [memberCount, setMemberCount] = useState<number>(0);
-    stats: {
+  const [clientCount, setClientCount] = useState<number>(0);
-      totalMembers: 24,
+  const [isLoading, setIsLoading] = useState(true);
-      activeToday: 18,
+
-      pendingInvites: 3,
+  // Delete org dialog state
-      oidcClients: 5,
+  const [deleteDialogOpen, setDeleteDialogOpen] = useState(false);
-    },
+  const [isDeleting, setIsDeleting] = useState(false);
  const isOwner = selectedOrg?.role === "owner";
  useEffect(() => {
    if (!selectedOrg) return;
    setIsLoading(true);
    Promise.allSettled([
      api.organizations.getMembers(selectedOrg.id),
      api.organizations.getClients(selectedOrg.id),
    ]).then(([membersResp, clientsResp]) => {
      if (membersResp.status === "fulfilled") setMemberCount(membersResp.value.count);
      if (clientsResp.status === "fulfilled") setClientCount((clientsResp.value as { clients: OIDCClient[]; count: number }).count);
    }).catch(console.error)
      .finally(() => setIsLoading(false));
  }, [selectedOrg?.id]);
  const handleDeleteOrg = async () => {
    if (!selectedOrg) return;
    setIsDeleting(true);
    try {
      await api.organizations.deleteOrganization(selectedOrg.id);
      toast({ title: "Organization deleted", description: `"${selectedOrg.name}" has been deleted.` });
      setDeleteDialogOpen(false);
      // Refresh org list; context will auto-select next available org
      const result = await refetchOrgs();
      const remaining = result.data ?? [];
      if (remaining.length > 0) {
        selectOrg(remaining[0]);
        navigate("/org");
      } else {
        navigate("/org-setup");
      }
    } catch (err) {
      if (err instanceof ApiError && err.type === "ORG_HAS_MEMBERS") {
        toast({
          title: "Cannot delete organization",
          description: "This organization still has other members. Transfer ownership or remove all members first.",
          variant: "destructive",
        });
      } else {
        toast({
          title: "Deletion failed",
          description: err instanceof ApiError ? err.message : "An unexpected error occurred.",
          variant: "destructive",
        });
      }
      setDeleteDialogOpen(false);
    } finally {
      setIsDeleting(false);
    }
  };
  const quickLinks = [
@@ -37,6 +99,19 @@ export default function OrgOverviewPage() {
    },
  ];
  if (isLoading && !selectedOrg) {
    return (
      <div className="page-container flex items-center justify-center py-12">
        <Loader2 className="w-6 h-6 animate-spin text-muted-foreground" />
      </div>
    );
  }
  const org = selectedOrg;
  const createdAt = org?.created_at
    ? new Date(org.created_at).toLocaleDateString("en-US", { month: "long", year: "numeric" })
    : "";
  return (
    <div className="page-container">
      <div className="page-header">
@@ -45,42 +120,20 @@ export default function OrgOverviewPage() {
            <Building2 className="w-7 h-7 text-primary" />
          </div>
          <div>
-            <h1 className="page-title">{org.name}</h1>
+            <h1 className="page-title">{org?.name ?? "Organization"}</h1>
-            <p className="page-description">Created {org.createdAt}</p>
+            {createdAt && <p className="page-description">Created {createdAt}</p>}
          </div>
        </div>
      </div>
      {/* Stats */}
-      <div className="grid gap-4 grid-cols-2 lg:grid-cols-4 mb-8">
+      <div className="grid gap-4 grid-cols-2 lg:grid-cols-3 mb-8">
        <Card>
          <CardContent className="p-4">
            <div className="flex items-center justify-between">
              <div>
                <p className="text-sm text-muted-foreground">Total Members</p>
-                <p className="text-2xl font-semibold">{org.stats.totalMembers}</p>
+                <p className="text-2xl font-semibold">{memberCount}</p>
              </div>
              <Users className="w-8 h-8 text-muted-foreground/30" />
            </div>
          </CardContent>
        </Card>
        <Card>
          <CardContent className="p-4">
            <div className="flex items-center justify-between">
              <div>
                <p className="text-sm text-muted-foreground">Active Today</p>
                <p className="text-2xl font-semibold">{org.stats.activeToday}</p>
              </div>
              <TrendingUp className="w-8 h-8 text-muted-foreground/30" />
            </div>
          </CardContent>
        </Card>
        <Card>
          <CardContent className="p-4">
            <div className="flex items-center justify-between">
              <div>
                <p className="text-sm text-muted-foreground">Pending Invites</p>
                <p className="text-2xl font-semibold">{org.stats.pendingInvites}</p>
              </div>
              <Users className="w-8 h-8 text-muted-foreground/30" />
            </div>
@@ -91,17 +144,28 @@ export default function OrgOverviewPage() {
            <div className="flex items-center justify-between">
              <div>
                <p className="text-sm text-muted-foreground">OIDC Clients</p>
-                <p className="text-2xl font-semibold">{org.stats.oidcClients}</p>
+                <p className="text-2xl font-semibold">{clientCount}</p>
              </div>
              <Key className="w-8 h-8 text-muted-foreground/30" />
            </div>
          </CardContent>
        </Card>
        <Card>
          <CardContent className="p-4">
            <div className="flex items-center justify-between">
              <div>
                <p className="text-sm text-muted-foreground">Org ID</p>
                <p className="text-xs font-mono text-muted-foreground mt-1 truncate max-w-[140px]">{org?.id ?? "—"}</p>
              </div>
              <TrendingUp className="w-8 h-8 text-muted-foreground/30" />
            </div>
          </CardContent>
        </Card>
      </div>
      {/* Quick Links */}
      <h2 className="text-lg font-semibold mb-4">Quick Actions</h2>
-      <div className="grid gap-4 md:grid-cols-3">
+      <div className="grid gap-4 md:grid-cols-3 mb-8">
        {quickLinks.map((link) => (
          <Link key={link.href} to={link.href}>
            <Card className="h-full hover:border-accent/50 transition-colors cursor-pointer group">
@@ -119,6 +183,92 @@ export default function OrgOverviewPage() {
          </Link>
        ))}
      </div>
      {/* Danger Zone — owners only */}
      {isOwner && (
        <Card className="border-destructive/40">
          <CardHeader>
            <CardTitle className="text-base text-destructive flex items-center gap-2">
              <AlertTriangle className="w-4 h-4" />
              Danger Zone
            </CardTitle>
            <CardDescription>
              Irreversible actions for this organization. Proceed with caution.
            </CardDescription>
          </CardHeader>
          <CardContent className="space-y-4">
            {/* Transfer ownership hint */}
            <div className="flex items-center justify-between rounded-lg border border-border p-4">
              <div>
                <p className="text-sm font-medium">Transfer Ownership</p>
                <p className="text-xs text-muted-foreground mt-0.5">
                  Pass ownership to another member before deleting the organization.
                </p>
              </div>
              <Button
                variant="outline"
                size="sm"
                onClick={() => navigate("/org/members")}
              >
                <ArrowLeftRight className="w-4 h-4 mr-2" />
                Go to Members
              </Button>
            </div>
            {/* Delete organization */}
            <div className="flex items-center justify-between rounded-lg border border-destructive/30 bg-destructive/5 p-4">
              <div>
                <p className="text-sm font-medium text-destructive">Delete Organization</p>
                <p className="text-xs text-muted-foreground mt-0.5">
                  Permanently deletes this organization.{" "}
                  {memberCount > 1
                    ? `You must remove all ${memberCount - 1} other member${memberCount > 2 ? "s" : ""} first.`
                    : "This action cannot be undone."}
                </p>
              </div>
              <Button
                variant="destructive"
                size="sm"
                onClick={() => setDeleteDialogOpen(true)}
                disabled={memberCount > 1}
              >
                <Trash2 className="w-4 h-4 mr-2" />
                Delete
              </Button>
            </div>
          </CardContent>
        </Card>
      )}
      {/* Delete confirmation dialog */}
      <Dialog open={deleteDialogOpen} onOpenChange={setDeleteDialogOpen}>
        <DialogContent>
          <DialogHeader>
            <DialogTitle className="flex items-center gap-2 text-destructive">
              <Trash2 className="w-5 h-5" />
              Delete "{org?.name}"?
            </DialogTitle>
            <DialogDescription>
              This will permanently delete the organization and all associated
              data. This action <strong>cannot be undone</strong>.
            </DialogDescription>
          </DialogHeader>
          <div className="rounded-lg border border-destructive/30 bg-destructive/5 p-3 text-sm text-destructive">
            <AlertTriangle className="w-4 h-4 inline mr-2" />
            You are about to delete <strong>{org?.name}</strong>. All settings,
            policies, OIDC clients, and CA configurations will be lost.
          </div>
          <DialogFooter>
            <Button variant="outline" onClick={() => setDeleteDialogOpen(false)} disabled={isDeleting}>
              Cancel
            </Button>
            <Button variant="destructive" onClick={handleDeleteOrg} disabled={isDeleting}>
              {isDeleting && <Loader2 className="w-4 h-4 mr-2 animate-spin" />}
              Yes, delete organization
            </Button>
          </DialogFooter>
        </DialogContent>
      </Dialog>
    </div>
  );
 }
@@ -12,6 +12,7 @@ import { Button } from "@/components/ui/button";
 import { api, OrgPolicyResponse, UpdateOrgPolicyDto, create403Handler } from "@/lib/api";
 import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query";
 import { useToast } from "@/hooks/use-toast";
 import { useOrg } from "@/contexts/OrgContext";
 const MFA_MODE_LABELS: Record<string, { label: string; description: string }> = {
  disabled: {
@@ -40,8 +41,8 @@ export default function PoliciesPage() {
  const navigate = useNavigate();
  const { toast } = useToast();
  const queryClient = useQueryClient();
-  const [currentOrgId, setCurrentOrgId] = useState<string | null>(null);
+  const { selectedOrgId: currentOrgId } = useOrg();
-  
+
  // Local form state for unsaved changes
  const [formData, setFormData] = useState({
    mfa_policy_mode: '',
@@ -50,20 +51,6 @@ export default function PoliciesPage() {
  });
  const [hasUnsavedChanges, setHasUnsavedChanges] = useState(false);
  // Fetch organizations to get current org
  const { data: orgsData, isLoading: orgsLoading } = useQuery({
    queryKey: ['organizations'],
    queryFn: () => api.users.organizations({
      on403: create403Handler(toast),
    }),
  });
  useEffect(() => {
    if (orgsData?.organizations && orgsData.organizations.length > 0) {
      setCurrentOrgId(orgsData.organizations[0].id);
    }
  }, [orgsData]);
  // Fetch org policy
  const { data: policy, isLoading: policyLoading } = useQuery({
    queryKey: ['org-policy', currentOrgId],
@@ -184,7 +171,7 @@ export default function PoliciesPage() {
    }
  };
-  if (orgsLoading || policyLoading) {
+  if (policyLoading) {
    return (
      <div className="page-container">
        <div className="flex items-center justify-center py-12">
@@ -0,0 +1,426 @@
 import { useState, useEffect, useCallback } from "react";
 import { Search, Plus, MoreHorizontal, Users, Loader2, Trash2, Edit2, Link as LinkIcon, X } from "lucide-react";
 import { useParams } from "react-router-dom";
 import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Card, CardContent } from "@/components/ui/card";
 import { Badge } from "@/components/ui/badge";
 import {
  DropdownMenu,
  DropdownMenuContent,
  DropdownMenuItem,
  DropdownMenuSeparator,
  DropdownMenuTrigger,
 } from "@/components/ui/dropdown-menu";
 import {
  Dialog,
  DialogContent,
  DialogDescription,
  DialogFooter,
  DialogHeader,
  DialogTitle,
 } from "@/components/ui/dialog";
 import {
  Select,
  SelectContent,
  SelectItem,
  SelectTrigger,
  SelectValue,
 } from "@/components/ui/select";
 import { Label } from "@/components/ui/label";
 import { Textarea } from "@/components/ui/textarea";
 import { api, Principal, Department } from "@/lib/api";
 import { useCurrentOrganizationId } from "@/hooks/useCurrentOrganization";
 import { useToast } from "@/hooks/use-toast";
 export default function PrincipalsPage() {
  const params = useParams<{ orgId?: string }>();
  const { orgId: fallbackOrgId } = useCurrentOrganizationId();
  const orgId = params.orgId || fallbackOrgId;
  const { toast } = useToast();
  const [search, setSearch] = useState("");
  const [principals, setPrincipals] = useState<Principal[]>([]);
  const [departments, setDepartments] = useState<Department[]>([]);
  const [linkedDepts, setLinkedDepts] = useState<Record<string, Department[]>>({});
  const [isLoading, setIsLoading] = useState(true);
  const [error, setError] = useState<string | null>(null);
  const [isCreateDialogOpen, setIsCreateDialogOpen] = useState(false);
  const [isEditDialogOpen, setIsEditDialogOpen] = useState(false);
  const [isLinkDialogOpen, setIsLinkDialogOpen] = useState(false);
  const [editingPrincipal, setEditingPrincipal] = useState<Principal | null>(null);
  const [selectedPrincipalForLink, setSelectedPrincipalForLink] = useState<Principal | null>(null);
  const [selectedDepartmentId, setSelectedDepartmentId] = useState("");
  const [isLinking, setIsLinking] = useState(false);
  const [unlinkingKey, setUnlinkingKey] = useState<string | null>(null);
  const [formData, setFormData] = useState({ name: "", description: "" });
  const fetchLinkedDepts = useCallback(async (currentOrgId: string, principalList: Principal[]) => {
    const entries = await Promise.all(
      principalList.map(async (p) => {
        try {
          const res = await api.organizations.getPrincipalDepartments(currentOrgId, p.id);
          return [p.id, res.departments] as [string, Department[]];
        } catch {
          return [p.id, []] as [string, Department[]];
        }
      })
    );
    setLinkedDepts(Object.fromEntries(entries));
  }, []);
  const fetchData = useCallback(async (currentOrgId: string) => {
    try {
      setIsLoading(true);
      setError(null);
      const [principalsRes, deptRes] = await Promise.all([
        api.organizations.getPrincipals(currentOrgId),
        api.organizations.getDepartments(currentOrgId),
      ]);
      const pList = principalsRes.principals || [];
      setPrincipals(pList);
      setDepartments(deptRes.departments || []);
      await fetchLinkedDepts(currentOrgId, pList);
    } catch (err) {
      console.error("Failed to fetch data:", err);
      setError("Failed to load data. Please try again.");
    } finally {
      setIsLoading(false);
    }
  }, [fetchLinkedDepts]);
  useEffect(() => {
    setError(null);
    setPrincipals([]);
    setDepartments([]);
    setLinkedDepts({});
    if (!orgId) { setIsLoading(false); return; }
    fetchData(orgId);
  }, [orgId, fetchData]);
  const handleCreatePrincipal = async () => {
    if (!orgId || !formData.name.trim()) return;
    try {
      await api.organizations.createPrincipal(orgId, formData.name, formData.description || undefined);
      setFormData({ name: "", description: "" });
      setIsCreateDialogOpen(false);
      await fetchData(orgId);
    } catch {
      toast({ variant: "destructive", title: "Failed to create principal" });
    }
  };
  const handleUpdatePrincipal = async () => {
    if (!orgId || !editingPrincipal || !formData.name.trim()) return;
    try {
      await api.organizations.updatePrincipal(orgId, editingPrincipal.id, {
        name: formData.name,
        description: formData.description || undefined,
      });
      setFormData({ name: "", description: "" });
      setEditingPrincipal(null);
      setIsEditDialogOpen(false);
      await fetchData(orgId);
    } catch {
      toast({ variant: "destructive", title: "Failed to update principal" });
    }
  };
  const handleDeletePrincipal = async (principalId: string) => {
    if (!orgId || !confirm("Are you sure you want to delete this principal?")) return;
    try {
      await api.organizations.deletePrincipal(orgId, principalId);
      await fetchData(orgId);
    } catch {
      toast({ variant: "destructive", title: "Failed to delete principal" });
    }
  };
  const handleLinkPrincipal = async () => {
    if (!orgId || !selectedPrincipalForLink || !selectedDepartmentId) return;
    setIsLinking(true);
    try {
      await api.organizations.linkPrincipalToDepartment(orgId, selectedPrincipalForLink.id, selectedDepartmentId);
      toast({ title: "Principal linked to department" });
      setSelectedPrincipalForLink(null);
      setSelectedDepartmentId("");
      setIsLinkDialogOpen(false);
      await fetchData(orgId);
    } catch {
      toast({ variant: "destructive", title: "Failed to link principal to department" });
    } finally {
      setIsLinking(false);
    }
  };
  const handleUnlink = async (principalId: string, deptId: string) => {
    if (!orgId) return;
    const key = `${principalId}:${deptId}`;
    setUnlinkingKey(key);
    try {
      await api.organizations.unlinkPrincipalFromDepartment(orgId, principalId, deptId);
      toast({ title: "Unlinked from department" });
      setLinkedDepts((prev) => ({
        ...prev,
        [principalId]: (prev[principalId] || []).filter((d) => d.id !== deptId),
      }));
    } catch {
      toast({ variant: "destructive", title: "Failed to unlink" });
    } finally {
      setUnlinkingKey(null);
    }
  };
  const openEditDialog = (principal: Principal) => {
    setEditingPrincipal(principal);
    setFormData({ name: principal.name, description: principal.description || "" });
    setIsEditDialogOpen(true);
  };
  const openLinkDialog = (principal: Principal) => {
    setSelectedPrincipalForLink(principal);
    setSelectedDepartmentId("");
    setIsLinkDialogOpen(true);
  };
  const filteredPrincipals = principals.filter((p) => {
    const s = search.toLowerCase();
    return p.name.toLowerCase().includes(s) || (p.description?.toLowerCase().includes(s) ?? false);
  });
  // Only show departments not already linked
  const availableToLink = selectedPrincipalForLink
    ? departments.filter((d) => !(linkedDepts[selectedPrincipalForLink.id] || []).some((ld) => ld.id === d.id))
    : departments;
  return (
    <div className="page-container">
      <div className="page-header flex flex-col sm:flex-row sm:items-center sm:justify-between gap-4">
        <div>
          <h1 className="page-title">Principals</h1>
          <p className="page-description">Manage principals and link them to departments</p>
        </div>
        <Button onClick={() => { setFormData({ name: "", description: "" }); setIsCreateDialogOpen(true); }}>
          <Plus className="w-4 h-4 mr-2" />
          Create Principal
        </Button>
      </div>
      <div className="mb-4">
        <div className="relative">
          <Search className="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-muted-foreground" />
          <Input
            placeholder="Search principals..."
            value={search}
            onChange={(e) => setSearch(e.target.value)}
            className="pl-10 max-w-sm"
          />
        </div>
      </div>
      {error && <div className="mb-4 p-3 rounded-md bg-destructive/10 text-destructive text-sm">{error}</div>}
      <Card>
        <CardContent className="p-0">
          {isLoading ? (
            <div className="flex items-center justify-center p-8">
              <Loader2 className="w-6 h-6 animate-spin text-muted-foreground" />
              <span className="ml-2 text-muted-foreground">Loading principals...</span>
            </div>
          ) : filteredPrincipals.length === 0 ? (
            <div className="p-8 text-center text-muted-foreground">No principals found</div>
          ) : (
            <div className="divide-y">
              {filteredPrincipals.map((principal) => {
                const linked = linkedDepts[principal.id] || [];
                return (
                  <div key={principal.id} className="p-4 flex items-start gap-4">
                    <div className="w-10 h-10 rounded-lg bg-purple-100 dark:bg-purple-900 text-purple-600 dark:text-purple-300 flex items-center justify-center flex-shrink-0 mt-0.5">
                      <Users className="w-4 h-4" />
                    </div>
                    <div className="flex-1 min-w-0">
                      <p className="font-medium text-foreground">{principal.name}</p>
                      {principal.description && (
                        <p className="mt-0.5 text-sm text-muted-foreground">{principal.description}</p>
                      )}
                      {/* Linked department tags */}
                      <div className="mt-2 flex flex-wrap gap-1.5">
                        {linked.length === 0 ? (
                          <span className="text-xs text-muted-foreground italic">Not linked to any department</span>
                        ) : linked.map((dept) => {
                          const key = `${principal.id}:${dept.id}`;
                          const busy = unlinkingKey === key;
                          return (
                            <span
                              key={dept.id}
                              className="inline-flex items-center gap-1 text-xs bg-blue-50 dark:bg-blue-950/40 text-blue-700 dark:text-blue-300 border border-blue-200 dark:border-blue-800 rounded-full pl-2.5 pr-1 py-0.5"
                            >
                              {dept.name}
                              <button
                                onClick={() => handleUnlink(principal.id, dept.id)}
                                disabled={busy}
                                className="rounded-full p-0.5 hover:bg-blue-200 dark:hover:bg-blue-800 disabled:opacity-50 transition-colors"
                                title="Unlink from department"
                              >
                                {busy ? <Loader2 className="w-3 h-3 animate-spin" /> : <X className="w-3 h-3" />}
                              </button>
                            </span>
                          );
                        })}
                      </div>
                      <div className="mt-2 text-xs text-muted-foreground">
                        Created {new Date(principal.created_at).toLocaleDateString()}
                      </div>
                    </div>
                    <DropdownMenu>
                      <DropdownMenuTrigger asChild>
                        <Button variant="ghost" size="icon">
                          <MoreHorizontal className="w-4 h-4" />
                        </Button>
                      </DropdownMenuTrigger>
                      <DropdownMenuContent align="end">
                        <DropdownMenuItem onClick={() => openEditDialog(principal)}>
                          <Edit2 className="w-4 h-4 mr-2" />
                          Edit
                        </DropdownMenuItem>
                        <DropdownMenuItem onClick={() => openLinkDialog(principal)}>
                          <LinkIcon className="w-4 h-4 mr-2" />
                          Link to Department
                        </DropdownMenuItem>
                        <DropdownMenuSeparator />
                        <DropdownMenuItem
                          className="text-destructive"
                          onClick={() => handleDeletePrincipal(principal.id)}
                        >
                          <Trash2 className="w-4 h-4 mr-2" />
                          Delete
                        </DropdownMenuItem>
                      </DropdownMenuContent>
                    </DropdownMenu>
                  </div>
                );
              })}
            </div>
          )}
        </CardContent>
      </Card>
      {/* Create Principal Dialog */}
      <Dialog open={isCreateDialogOpen} onOpenChange={setIsCreateDialogOpen}>
        <DialogContent>
          <DialogHeader>
            <DialogTitle>Create Principal</DialogTitle>
            <DialogDescription>Create a new principal to manage access and permissions</DialogDescription>
          </DialogHeader>
          <div className="space-y-4">
            <div>
              <Label htmlFor="principal-name">Principal Name</Label>
              <Input
                id="principal-name"
                placeholder="e.g., eng-prod"
                value={formData.name}
                onChange={(e) => setFormData({ ...formData, name: e.target.value })}
              />
            </div>
            <div>
              <Label htmlFor="principal-desc">Description</Label>
              <Textarea
                id="principal-desc"
                placeholder="Optional description..."
                value={formData.description}
                onChange={(e) => setFormData({ ...formData, description: e.target.value })}
                rows={3}
              />
            </div>
          </div>
          <DialogFooter>
            <Button variant="outline" onClick={() => setIsCreateDialogOpen(false)}>Cancel</Button>
            <Button onClick={handleCreatePrincipal} disabled={!formData.name.trim()}>Create Principal</Button>
          </DialogFooter>
        </DialogContent>
      </Dialog>
      {/* Edit Principal Dialog */}
      <Dialog open={isEditDialogOpen} onOpenChange={setIsEditDialogOpen}>
        <DialogContent>
          <DialogHeader>
            <DialogTitle>Edit Principal</DialogTitle>
            <DialogDescription>Update principal information</DialogDescription>
          </DialogHeader>
          <div className="space-y-4">
            <div>
              <Label htmlFor="edit-principal-name">Principal Name</Label>
              <Input
                id="edit-principal-name"
                value={formData.name}
                onChange={(e) => setFormData({ ...formData, name: e.target.value })}
              />
            </div>
            <div>
              <Label htmlFor="edit-principal-desc">Description</Label>
              <Textarea
                id="edit-principal-desc"
                placeholder="Optional description..."
                value={formData.description}
                onChange={(e) => setFormData({ ...formData, description: e.target.value })}
                rows={3}
              />
            </div>
          </div>
          <DialogFooter>
            <Button variant="outline" onClick={() => setIsEditDialogOpen(false)}>Cancel</Button>
            <Button onClick={handleUpdatePrincipal} disabled={!formData.name.trim()}>Save Changes</Button>
          </DialogFooter>
        </DialogContent>
      </Dialog>
      {/* Link to Department Dialog */}
      <Dialog
        open={isLinkDialogOpen}
        onOpenChange={(open) => {
          if (!open) { setSelectedPrincipalForLink(null); setSelectedDepartmentId(""); }
          setIsLinkDialogOpen(open);
        }}
      >
        <DialogContent>
          <DialogHeader>
            <DialogTitle>Link to Department</DialogTitle>
            <DialogDescription>
              Link <strong>{selectedPrincipalForLink?.name}</strong> to a department
            </DialogDescription>
          </DialogHeader>
          <div className="space-y-4">
            <div>
              <Label htmlFor="dept-select">Department</Label>
              {availableToLink.length === 0 ? (
                <p className="mt-2 text-sm text-muted-foreground">Already linked to all available departments.</p>
              ) : (
                <Select value={selectedDepartmentId} onValueChange={setSelectedDepartmentId}>
                  <SelectTrigger id="dept-select" className="mt-1">
                    <SelectValue placeholder="Choose a department..." />
                  </SelectTrigger>
                  <SelectContent>
                    {availableToLink.map((dept) => (
                      <SelectItem key={dept.id} value={dept.id}>{dept.name}</SelectItem>
                    ))}
                  </SelectContent>
                </Select>
              )}
            </div>
          </div>
          <DialogFooter>
            <Button variant="outline" onClick={() => setIsLinkDialogOpen(false)}>Cancel</Button>
            <Button onClick={handleLinkPrincipal} disabled={!selectedDepartmentId || isLinking || availableToLink.length === 0}>
              {isLinking && <Loader2 className="w-4 h-4 mr-2 animate-spin" />}
              Link
            </Button>
          </DialogFooter>
        </DialogContent>
      </Dialog>
    </div>
  );
 }
@@ -1,104 +1,60 @@
-import { useState } from "react";
+import { useState, useEffect } from "react";
-import { LogIn, LogOut, Key, Fingerprint, Smartphone, AlertTriangle, CheckCircle, MapPin } from "lucide-react";
+import { LogIn, LogOut, Key, Fingerprint, Smartphone, AlertTriangle, Loader2, RefreshCw, Users } from "lucide-react";
-import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "@/components/ui/card";
+import { Card, CardContent } from "@/components/ui/card";
 import { Badge } from "@/components/ui/badge";
 import { Button } from "@/components/ui/button";
 import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from "@/components/ui/select";
 import { Tabs, TabsList, TabsTrigger } from "@/components/ui/tabs";
 import { api, AuditLogEntry } from "@/lib/api";
 import { useAuth } from "@/contexts/AuthContext";
-const activityEvents = [
+// Map audit log action strings to display info
-  {
+const getEventDisplay = (action: string) => {
-    id: "1",
+  const a = action.toLowerCase();
-    type: "login_success",
+  if (a.includes("login") && a.includes("fail")) {
-    method: "password",
+    return { icon: <AlertTriangle className="w-4 h-4" />, title: "Failed login attempt", failed: true };
    timestamp: "2024-01-15T10:30:00Z",
    location: "San Francisco, CA",
    device: "Chrome on macOS",
    ip: "192.168.1.1",
  },
  {
    id: "2",
    type: "login_success",
    method: "passkey",
    timestamp: "2024-01-14T15:45:00Z",
    location: "San Francisco, CA",
    device: "Safari on iOS",
    ip: "192.168.1.2",
  },
  {
    id: "3",
    type: "login_failed",
    method: "password",
    timestamp: "2024-01-14T12:00:00Z",
    location: "Unknown",
    device: "Firefox on Windows",
    ip: "10.0.0.5",
  },
  {
    id: "4",
    type: "mfa_enabled",
    method: "totp",
    timestamp: "2024-01-13T09:00:00Z",
    location: "San Francisco, CA",
    device: "Chrome on macOS",
    ip: "192.168.1.1",
  },
  {
    id: "5",
    type: "passkey_added",
    method: "passkey",
    timestamp: "2024-01-12T14:30:00Z",
    location: "San Francisco, CA",
    device: "Safari on macOS",
    ip: "192.168.1.1",
  },
 ];
 const getEventIcon = (type: string, method: string) => {
  switch (type) {
    case "login_success":
      return method === "passkey" ? (
        <Fingerprint className="w-4 h-4" />
      ) : (
        <LogIn className="w-4 h-4" />
      );
    case "login_failed":
      return <AlertTriangle className="w-4 h-4" />;
    case "mfa_enabled":
      return <Smartphone className="w-4 h-4" />;
    case "passkey_added":
      return <Fingerprint className="w-4 h-4" />;
    case "logout":
      return <LogOut className="w-4 h-4" />;
    default:
      return <Key className="w-4 h-4" />;
  }
-};
+  if (a.includes("login") || a.includes("authenticate")) {
-
+    return { icon: <LogIn className="w-4 h-4" />, title: "Signed in", failed: false };
 const getEventTitle = (type: string, method: string) => {
  switch (type) {
    case "login_success":
      return `Signed in with ${method}`;
    case "login_failed":
      return "Failed login attempt";
    case "mfa_enabled":
      return "Two-factor authentication enabled";
    case "passkey_added":
      return "Passkey added";
    case "logout":
      return "Signed out";
    default:
      return "Security event";
  }
-};
+  if (a.includes("logout") || a.includes("sign_out")) {
-
+    return { icon: <LogOut className="w-4 h-4" />, title: "Signed out", failed: false };
 const getEventStatus = (type: string) => {
  if (type === "login_failed") {
    return { variant: "destructive" as const, label: "Failed" };
  }
-  return { variant: "default" as const, label: "Success" };
+  if (a.includes("passkey") || a.includes("webauthn")) {
    return { icon: <Fingerprint className="w-4 h-4" />, title: "Passkey event", failed: false };
  }
  if (a.includes("mfa") || a.includes("totp") || a.includes("2fa")) {
    return { icon: <Smartphone className="w-4 h-4" />, title: "MFA event", failed: false };
  }
  if (a.includes("ssh")) {
    return { icon: <Key className="w-4 h-4" />, title: "SSH key event", failed: false };
  }
  return { icon: <Key className="w-4 h-4" />, title: action.replace(/_/g, " "), failed: !action.includes("success") && a.includes("fail") };
 };
 export default function ActivityPage() {
  const { isOrgAdmin } = useAuth();
  const [filter, setFilter] = useState("all");
  const [view, setView] = useState<"mine" | "org">("mine");
  const [events, setEvents] = useState<AuditLogEntry[]>([]);
  const [isLoading, setIsLoading] = useState(true);
  const [error, setError] = useState("");
  const loadEvents = () => {
    setIsLoading(true);
    setError("");
    const req =
      view === "org" && isOrgAdmin
        ? api.admin.getAuditLogs({ per_page: "100" }).then((d) => d.audit_logs ?? [])
        : api.users.auditLogs({ per_page: "50" }).then((d) => d.audit_logs ?? []);
    req
      .then((logs) => setEvents(logs))
      .catch(() => setError("Failed to load activity. Please try again."))
      .finally(() => setIsLoading(false));
  };
  useEffect(() => { loadEvents(); }, [view]); // eslint-disable-line react-hooks/exhaustive-deps
  const formatDate = (dateString: string) => {
    const date = new Date(dateString);
@@ -110,71 +66,117 @@ export default function ActivityPage() {
    }).format(date);
  };
  const filteredEvents = events.filter((e) => {
    if (filter === "all") return true;
    const a = e.action.toLowerCase();
    if (filter === "logins")
      return a.includes("session_create") || a.includes("session_revoke") || a.includes("external_auth") || a.includes("login") || a.includes("logout");
    if (filter === "security")
      return a.includes("mfa") || a.includes("passkey") || a.includes("ssh") || a.includes("totp") || a.includes("password") || a.includes("webauthn");
    return true;
  });
  return (
    <div className="page-container">
      <div className="page-header flex flex-col sm:flex-row sm:items-center sm:justify-between gap-4">
        <div>
          <h1 className="page-title">Activity</h1>
          <p className="page-description">
-            Your recent account activity and security events
+            {view === "org" ? "Organization-wide audit log" : "Your recent account activity and security events"}
          </p>
        </div>
-        <Select value={filter} onValueChange={setFilter}>
+        <div className="flex items-center gap-2 flex-wrap">
-          <SelectTrigger className="w-[180px]">
+          {isOrgAdmin && (
-            <SelectValue placeholder="Filter events" />
+            <Tabs value={view} onValueChange={(v) => setView(v as "mine" | "org")}>
-          </SelectTrigger>
+              <TabsList>
-          <SelectContent>
+                <TabsTrigger value="mine">My Activity</TabsTrigger>
-            <SelectItem value="all">All events</SelectItem>
+                <TabsTrigger value="org">
-            <SelectItem value="logins">Logins only</SelectItem>
+                  <Users className="w-3.5 h-3.5 mr-1" />
-            <SelectItem value="security">Security changes</SelectItem>
+                  Org Logs
-          </SelectContent>
+                </TabsTrigger>
-        </Select>
+              </TabsList>
            </Tabs>
          )}
          <Select value={filter} onValueChange={setFilter}>
            <SelectTrigger className="w-[160px]">
              <SelectValue placeholder="Filter events" />
            </SelectTrigger>
            <SelectContent>
              <SelectItem value="all">All events</SelectItem>
              <SelectItem value="logins">Logins only</SelectItem>
              <SelectItem value="security">Security changes</SelectItem>
            </SelectContent>
          </Select>
          <Button variant="outline" size="icon" onClick={loadEvents} disabled={isLoading}>
            <RefreshCw className={`w-4 h-4 ${isLoading ? "animate-spin" : ""}`} />
          </Button>
        </div>
      </div>
      <Card>
        <CardContent className="p-0">
-          <div className="divide-y">
+          {isLoading ? (
-            {activityEvents.map((event) => {
+            <div className="flex items-center justify-center py-12">
-              const status = getEventStatus(event.type);
+              <Loader2 className="w-6 h-6 animate-spin text-muted-foreground" />
-              return (
+            </div>
-                <div key={event.id} className="p-4 flex items-start gap-4">
+          ) : error ? (
-                  <div
+            <div className="text-center py-8 text-muted-foreground">
-                    className={`w-10 h-10 rounded-lg flex items-center justify-center flex-shrink-0 ${
+              <AlertTriangle className="w-8 h-8 mx-auto mb-2 text-destructive" />
-                      event.type === "login_failed"
+              <p>{error}</p>
-                        ? "bg-destructive/10 text-destructive"
+            </div>
-                        : "bg-accent/10 text-accent"
+          ) : filteredEvents.length === 0 ? (
-                    }`}
+            <div className="text-center py-8 text-muted-foreground">
-                  >
+              <p>No activity events found.</p>
-                    {getEventIcon(event.type, event.method)}
+            </div>
-                  </div>
+          ) : (
-                  <div className="flex-1 min-w-0">
+            <div className="divide-y">
-                    <div className="flex items-center gap-2 flex-wrap">
+              {filteredEvents.map((event) => {
-                      <p className="font-medium text-foreground">
+                const display = getEventDisplay(event.action);
-                        {getEventTitle(event.type, event.method)}
+                return (
-                      </p>
+                  <div key={event.id} className="p-4 flex items-start gap-4">
-                      {event.type === "login_failed" && (
+                    <div
-                        <Badge variant="destructive" className="text-xs">
+                      className={`w-10 h-10 rounded-lg flex items-center justify-center flex-shrink-0 ${
-                          Failed
+                        display.failed || !event.success
-                        </Badge>
+                          ? "bg-destructive/10 text-destructive"
-                      )}
+                          : "bg-accent/10 text-accent"
                      }`}
                    >
                      {display.icon}
                    </div>
-                    <div className="mt-1 text-sm text-muted-foreground space-y-0.5">
+                    <div className="flex-1 min-w-0">
-                      <p>{event.device}</p>
+                      <div className="flex items-center gap-2 flex-wrap">
-                      <div className="flex items-center gap-2">
+                        <p className="font-medium text-foreground capitalize">
-                        <MapPin className="w-3 h-3" />
+                          {display.title}
-                        <span>{event.location}</span>
+                        </p>
-                        <span className="text-muted-foreground/50">•</span>
+                        {(!event.success || display.failed) && (
-                        <span className="font-mono text-xs">{event.ip}</span>
+                          <Badge variant="destructive" className="text-xs">
                            Failed
                          </Badge>
                        )}
                      </div>
                      <div className="mt-1 text-sm text-muted-foreground space-y-0.5">
                        {view === "org" && event.user_id && (
                          <p className="font-medium text-xs text-foreground/70">User: {event.user_id}</p>
                        )}
                        {event.description && <p>{event.description}</p>}
                        <div className="flex items-center gap-2 flex-wrap">
                          {event.ip_address && (
                            <span className="font-mono text-xs">{event.ip_address}</span>
                          )}
                          {event.user_agent && (
                            <span className="truncate max-w-[200px]">{event.user_agent}</span>
                          )}
                        </div>
                      </div>
                    </div>
                    <p className="text-sm text-muted-foreground whitespace-nowrap">
                      {formatDate(event.created_at)}
                    </p>
                  </div>
-                  <p className="text-sm text-muted-foreground whitespace-nowrap">
+                );
-                    {formatDate(event.timestamp)}
+              })}
-                  </p>
+            </div>
-                </div>
+          )}
              );
            })}
          </div>
        </CardContent>
      </Card>
    </div>
@@ -1,5 +1,5 @@
 import { useState, useEffect } from "react";
-import { Mail, Building2, Upload, CheckCircle, AlertCircle, Loader2 } from "lucide-react";
+import { Mail, Upload, CheckCircle, AlertCircle, Loader2, Bell, AlertTriangle, Trash2, Building2 } from "lucide-react";
 import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Label } from "@/components/ui/label";
@@ -7,10 +7,18 @@ import { Avatar, AvatarFallback, AvatarImage } from "@/components/ui/avatar";
 import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "@/components/ui/card";
 import { Badge } from "@/components/ui/badge";
 import { Skeleton } from "@/components/ui/skeleton";
 import {
  Dialog,
  DialogContent,
  DialogDescription,
  DialogFooter,
  DialogHeader,
  DialogTitle,
 } from "@/components/ui/dialog";
 import { useAuth } from "@/contexts/AuthContext";
-import { api, Organization, ApiError } from "@/lib/api";
+import { api, ApiError, PendingInvite } from "@/lib/api";
 import { useOrganizations } from "@/hooks/useOrganizations";
 import { toast } from "@/hooks/use-toast";
 import { useNavigate } from "react-router-dom";
 function ProfileSkeleton() {
  return (
@@ -52,38 +60,22 @@ function ProfileSkeleton() {
            <Skeleton className="h-12 w-full" />
          </CardContent>
        </Card>
        {/* Organizations Skeleton */}
        <Card>
          <CardHeader>
            <Skeleton className="h-5 w-28" />
            <Skeleton className="h-4 w-48 mt-1" />
          </CardHeader>
          <CardContent className="space-y-2">
            <Skeleton className="h-14 w-full" />
            <Skeleton className="h-14 w-full" />
          </CardContent>
        </Card>
      </div>
    </div>
  );
 }
 export default function ProfilePage() {
-  const { user, isLoading: authLoading, refreshUser } = useAuth();
+  const { user, isLoading: authLoading, refreshUser, logout } = useAuth();
  const navigate = useNavigate();
  const [name, setName] = useState("");
  const [isEditing, setIsEditing] = useState(false);
  const [isSaving, setIsSaving] = useState(false);
-  
+  const [pendingInvites, setPendingInvites] = useState<PendingInvite[]>([]);
  // Use React Query hook for organizations with automatic caching and deduplication
  const { data: organizations = [], isLoading: orgsLoading, error: orgsError } = useOrganizations();
-  // Debug logging
+  // Delete account dialog state
-  console.log('[ProfilePage] organizations data:', organizations);
+  const [deleteDialogOpen, setDeleteDialogOpen] = useState(false);
-  console.log('[ProfilePage] organizations is array:', Array.isArray(organizations));
+  const [isDeleting, setIsDeleting] = useState(false);
  // Ensure organizations is always an array (defensive check)
  const organizationsArray = Array.isArray(organizations) ? organizations : [];
  // Sync local name state with user data
  useEffect(() => {
@@ -92,16 +84,13 @@ export default function ProfilePage() {
    }
  }, [user?.full_name]);
-  // Handle 403 errors for organizations
+  // Fetch pending invitations for this user
  useEffect(() => {
-    if (orgsError instanceof ApiError && orgsError.code === 403) {
+    if (!user) return;
-      toast({
+    api.users.getMyInvites()
-        title: "Access Denied",
+      .then((res) => setPendingInvites(res.invites ?? []))
-        description: "You don't have permission to view organizations. Please contact your organization administrator.",
+      .catch(() => { /* silently ignore */ });
-        variant: "destructive",
+  }, [user]);
      });
    }
  }, [orgsError]);
  const getInitials = (fullName: string | null) => {
    if (!fullName) return "?";
@@ -113,6 +102,35 @@ export default function ProfilePage() {
      .slice(0, 2);
  };
  const handleDeleteAccount = async () => {
    setIsDeleting(true);
    try {
      await api.users.deleteMe();
      toast({ title: "Account deleted", description: "Your account has been deleted." });
      setDeleteDialogOpen(false);
      await logout();
      navigate("/login");
    } catch (err) {
      if (err instanceof ApiError && err.type === "USER_IS_SOLE_OWNER") {
        const orgs: string[] = (err.details?.organizations as string[]) ?? [];
        toast({
          title: "Cannot delete account",
          description: `You are the sole owner of: ${orgs.join(", ")}. Transfer ownership or delete those organizations first.`,
          variant: "destructive",
        });
      } else {
        toast({
          title: "Deletion failed",
          description: err instanceof ApiError ? err.message : "An unexpected error occurred.",
          variant: "destructive",
        });
      }
      setDeleteDialogOpen(false);
    } finally {
      setIsDeleting(false);
    }
  };
  const handleSave = async () => {
    if (!name.trim()) {
      toast({
@@ -159,11 +177,53 @@ export default function ProfilePage() {
      <div className="page-header">
        <h1 className="page-title">Profile</h1>
        <p className="page-description">
-          Manage your personal information and organization memberships
+          Manage your personal information and account settings
        </p>
      </div>
      <div className="space-y-6">
        {/* Account Suspended Banner */}
        {(user.status === "suspended" || user.status === "compliance_suspended") && (
          <div className="flex items-start gap-3 rounded-lg border border-red-300 bg-red-50 px-4 py-4 text-red-800 dark:border-red-700 dark:bg-red-950/60 dark:text-red-300">
            <AlertTriangle className="w-5 h-5 mt-0.5 flex-shrink-0" />
            <div>
              <p className="font-semibold text-sm">Account suspended</p>
              <p className="text-sm mt-0.5 opacity-90">
                Your account has been suspended. You cannot perform most actions.
                Please contact your administrator to resolve this.
              </p>
            </div>
          </div>
        )}
        {/* Pending Invitations Banner */}
        {pendingInvites.length > 0 && (
          <div className="rounded-lg border border-primary/40 bg-primary/10 p-4 space-y-3">
            <div className="flex items-center gap-2 text-primary font-semibold text-sm">
              <Bell className="w-4 h-4" />
              You have {pendingInvites.length} pending invitation{pendingInvites.length > 1 ? "s" : ""}
            </div>
            {pendingInvites.map((invite) => (
              <div
                key={invite.token}
                className="flex items-center justify-between rounded-md border border-border bg-card px-4 py-3"
              >
                <div>
                  <p className="text-sm font-medium text-foreground">{invite.organization.name}</p>
                  <p className="text-xs text-muted-foreground capitalize">
                    Invited as <span className="font-medium">{invite.role}</span>
                  </p>
                </div>
                <a
                  href={`/invite?token=${invite.token}`}
                  className="inline-flex items-center gap-1 rounded-md bg-primary px-3 py-1.5 text-xs font-semibold text-primary-foreground hover:bg-primary/90 transition-colors"
                >
                  Accept →
                </a>
              </div>
            ))}
          </div>
        )}
        {/* Profile Photo & Name */}
        <Card>
          <CardHeader>
@@ -248,59 +308,74 @@ export default function ProfilePage() {
          </CardContent>
        </Card>
-        {/* Organizations */}
+        {/* Danger Zone */}
-        <Card>
+        <Card className="border-destructive/40">
          <CardHeader>
-            <CardTitle className="text-base">Organizations</CardTitle>
+            <CardTitle className="text-base text-destructive flex items-center gap-2">
-            <CardDescription>Organizations you're a member of</CardDescription>
+              <AlertTriangle className="w-4 h-4" />
              Danger Zone
            </CardTitle>
            <CardDescription>
              Irreversible actions for your account. Proceed with caution.
            </CardDescription>
          </CardHeader>
          <CardContent>
-            {orgsLoading ? (
+            <div className="flex items-center justify-between rounded-lg border border-destructive/30 bg-destructive/5 p-4">
-              <div className="space-y-2">
+              <div>
-                <Skeleton className="h-14 w-full" />
+                <p className="text-sm font-medium text-destructive">Delete Account</p>
-                <Skeleton className="h-14 w-full" />
+                <p className="text-xs text-muted-foreground mt-0.5">
                  Permanently deletes your profile and all associated data. If you own
                  any organizations you must transfer ownership or delete them first.
                </p>
              </div>
-            ) : organizationsArray.length === 0 ? (
+              <Button
-              <p className="text-sm text-muted-foreground text-center py-6">
+                variant="destructive"
-                You're not a member of any organizations yet.
+                size="sm"
-              </p>
+                onClick={() => setDeleteDialogOpen(true)}
-            ) : (
+              >
-              <div className="space-y-2">
+                <Trash2 className="w-4 h-4 mr-2" />
-                {organizationsArray.map((org) => (
+                Delete account
-                  <div
+              </Button>
-                    key={org.id}
+            </div>
                    className="flex items-center justify-between p-3 border rounded-lg"
                  >
                    <div className="flex items-center gap-3">
                      {org.logo_url ? (
                        <Avatar className="w-8 h-8">
                          <AvatarImage src={org.logo_url} />
                          <AvatarFallback>
                            <Building2 className="w-4 h-4 text-primary" />
                          </AvatarFallback>
                        </Avatar>
                      ) : (
                        <div className="w-8 h-8 rounded bg-primary/10 flex items-center justify-center">
                          <Building2 className="w-4 h-4 text-primary" />
                        </div>
                      )}
                      <span className="text-foreground font-medium">{org.name}</span>
                    </div>
                    <div className="flex items-center gap-2">
                      {(org.role === 'owner' || org.role === 'admin') && (
                        <Badge variant="default" className="bg-primary text-primary-foreground">
                          Admin
                        </Badge>
                      )}
                      <Badge variant="secondary" className="capitalize">{org.role}</Badge>
                    </div>
                  </div>
                ))}
              </div>
            )}
          </CardContent>
        </Card>
      </div>
      {/* Delete account confirmation dialog */}
      <Dialog open={deleteDialogOpen} onOpenChange={setDeleteDialogOpen}>
        <DialogContent>
          <DialogHeader>
            <DialogTitle className="flex items-center gap-2 text-destructive">
              <Trash2 className="w-5 h-5" />
              Delete your account?
            </DialogTitle>
            <DialogDescription>
              Your profile, SSH keys, linked accounts, and session data will be
              permanently deleted. This action <strong>cannot be undone</strong>.
            </DialogDescription>
          </DialogHeader>
          <div className="rounded-lg border border-amber-300 bg-amber-50 dark:border-amber-700 dark:bg-amber-950/40 p-3 text-sm text-amber-800 dark:text-amber-300 space-y-1">
            <p className="flex items-center gap-2 font-medium">
              <Building2 className="w-4 h-4" />
              Organization ownership check
            </p>
            <p>
              If you are the sole owner of any organization that has other members,
              you must <strong>transfer ownership</strong> to another member or delete
              those organizations before proceeding.
            </p>
          </div>
          <DialogFooter>
            <Button variant="outline" onClick={() => setDeleteDialogOpen(false)} disabled={isDeleting}>
              Cancel
            </Button>
            <Button variant="destructive" onClick={handleDeleteAccount} disabled={isDeleting}>
              {isDeleting && <Loader2 className="w-4 h-4 mr-2 animate-spin" />}
              Yes, delete my account
            </Button>
          </DialogFooter>
        </DialogContent>
      </Dialog>
    </div>
  );
 }