feat: immutable audit log for forensic chain-of-custody

Backend:
- AuditLog model (append-only, no UPDATE/DELETE) with action enum,
user snapshot, resource type/id, detail, ip_address
- log_event() helper — silently swallows errors so logging never
breaks the main request flow
- Integrated in all key endpoints: login, project create/delete,
document upload/delete, all analysis types, PDF download, clear analyses
- GET /audit/ (admin only) with filters by action and user email,
pagination (page/page_size)

Frontend:
- AdminPage with two tabs: Users and Activity Log
- Audit tab: filter by action and email, paginated table with
color-coded action badges, timestamp, user, resource, detail, IP
- auditApi in api.ts
- i18n keys for audit log (IT + EN)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/audit.py

@@ -0,0 +1,54 @@
+"""
+GraphoLab Backend — Audit log helper.
+
+Usage:
+    from backend.audit import log_event
+    from backend.models.audit import AuditAction
+
+    await log_event(
+        db       = db,
+        user     = current_user,
+        action   = AuditAction.analysis_run,
+        resource_type = "analysis",
+        resource_id   = analysis.id,
+        detail        = "pipeline",
+        ip_address    = request.client.host if request.client else None,
+    )
+
+The function simply inserts a row and flushes — the caller's db session
+commits at the end of the request as usual.
+"""
+
+from __future__ import annotations
+
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from backend.models.audit import AuditAction, AuditLog
+from backend.models.user import User
+
+
+async def log_event(
+    db: AsyncSession,
+    user: User,
+    action: AuditAction,
+    resource_type: str | None = None,
+    resource_id: int | None = None,
+    detail: str | None = None,
+    ip_address: str | None = None,
+) -> None:
+    """Append one row to the audit_log table.  Never raises — failures are silently swallowed
+    so that a logging error never breaks an otherwise successful operation."""
+    try:
+        entry = AuditLog(
+            user_id=user.id,
+            user_email=user.email,
+            action=action,
+            resource_type=resource_type,
+            resource_id=resource_id,
+            detail=detail,
+            ip_address=ip_address,
+        )
+        db.add(entry)
+        await db.flush()
+    except Exception:
+        pass  # audit must never break the main flow

backend/main.py

@@ -18,7 +18,7 @@ from fastapi.middleware.cors import CORSMiddleware
 
 from backend.config import settings
 from backend.database import init_db
-from backend.routers import auth, users, projects, analysis, rag
+from backend.routers import auth, users, projects, analysis, rag, audit
 
 
 @asynccontextmanager
@@ -51,6 +51,7 @@ app.include_router(users.router)
 app.include_router(projects.router)
 app.include_router(analysis.router)
 app.include_router(rag.router)
+app.include_router(audit.router)
 
 
 # ── Health check ──────────────────────────────────────────────────────────────

backend/models/__init__.py

@@ -1,3 +1,4 @@
 # Import all models so SQLAlchemy can resolve relationships regardless of import order.
 from backend.models.user import User, Organization, Role  # noqa: F401
 from backend.models.project import Project, Document, Analysis, ProjectStatus, AnalysisType  # noqa: F401
+from backend.models.audit import AuditLog, AuditAction  # noqa: F401

backend/models/audit.py

@@ -0,0 +1,62 @@
+"""
+GraphoLab Backend — AuditLog ORM model.
+
+Append-only table: no UPDATE or DELETE is ever issued by application code.
+Every sensitive operation is recorded here for forensic chain-of-custody.
+"""
+
+from __future__ import annotations
+
+import enum
+from datetime import datetime
+
+from sqlalchemy import DateTime, Enum, ForeignKey, Integer, String, Text, func
+from sqlalchemy.orm import Mapped, mapped_column
+
+from backend.database import Base
+
+
+class AuditAction(str, enum.Enum):
+    login                = "login"
+    project_create       = "project_create"
+    project_delete       = "project_delete"
+    document_upload      = "document_upload"
+    document_delete      = "document_delete"
+    analysis_run         = "analysis_run"
+    analysis_clear       = "analysis_clear"
+    pdf_download         = "pdf_download"
+
+
+class AuditLog(Base):
+    """Immutable audit trail.  Never UPDATE or DELETE rows from this table."""
+
+    __tablename__ = "audit_log"
+
+    id: Mapped[int] = mapped_column(primary_key=True, index=True)
+
+    # UTC timestamp — server-generated, not client-supplied
+    timestamp: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True), server_default=func.now(), index=True
+    )
+
+    # Who performed the action (snapshot: user may be deleted later)
+    user_id: Mapped[int | None] = mapped_column(
+        Integer,
+        ForeignKey("users.id", ondelete="SET NULL"),
+        nullable=True,
+        index=True,
+    )
+    user_email: Mapped[str] = mapped_column(String(256), nullable=False)
+
+    # What happened
+    action: Mapped[AuditAction] = mapped_column(Enum(AuditAction), nullable=False, index=True)
+
+    # On which resource (e.g. resource_type="project", resource_id=42)
+    resource_type: Mapped[str | None] = mapped_column(String(64), nullable=True)
+    resource_id: Mapped[int | None] = mapped_column(Integer, nullable=True)
+
+    # Optional extra context (e.g. analysis type, filename)
+    detail: Mapped[str | None] = mapped_column(Text, nullable=True)
+
+    # Network info
+    ip_address: Mapped[str | None] = mapped_column(String(64), nullable=True)

backend/routers/analysis.py

@@ -33,9 +33,11 @@ from pydantic import BaseModel
 from sqlalchemy import delete, select
 from sqlalchemy.ext.asyncio import AsyncSession
 
+from backend.audit import log_event
 from backend.auth.dependencies import get_current_user
 from backend.config import settings
 from backend.database import get_db
+from backend.models.audit import AuditAction
 from backend.models.project import Analysis, AnalysisType, Document, Project
 from backend.models.user import Role, User
 from backend.storage.minio_client import download_object, upload_fileobj
@@ -150,7 +152,10 @@ async def run_htr(
     from core.ocr import htr_transcribe
     text = htr_transcribe(image)
 
-    return await _save_analysis(db, body.project_id, doc.id, AnalysisType.htr, text)
+    result = await _save_analysis(db, body.project_id, doc.id, AnalysisType.htr, text)
+    await log_event(db, current_user, AuditAction.analysis_run,
+                    resource_type="analysis", resource_id=result.id, detail="htr")
+    return result
 
 
 @router.post("/signature-detection", response_model=AnalysisOut, status_code=status.HTTP_201_CREATED)
@@ -166,9 +171,12 @@ async def run_signature_detection(
     from core.signature import detect_and_crop
     annotated, _, summary = detect_and_crop(image)
 
-    return await _save_analysis(
+    result = await _save_analysis(
         db, body.project_id, doc.id, AnalysisType.signature_detection, summary, annotated
     )
+    await log_event(db, current_user, AuditAction.analysis_run,
+                    resource_type="analysis", resource_id=result.id, detail="signature_detection")
+    return result
 
 
 @router.post("/signature-verification", response_model=AnalysisOut, status_code=status.HTTP_201_CREATED)
@@ -190,9 +198,12 @@ async def run_signature_verification(
 
     report, _ = sig_verify(ref_image, None, query, settings.signet_weights)
 
-    return await _save_analysis(
+    result = await _save_analysis(
         db, body.project_id, doc.id, AnalysisType.signature_verification, report
     )
+    await log_event(db, current_user, AuditAction.analysis_run,
+                    resource_type="analysis", resource_id=result.id, detail="signature_verification")
+    return result
 
 
 @router.post("/ner", response_model=AnalysisOut, status_code=status.HTTP_201_CREATED)
@@ -210,7 +221,10 @@ async def run_ner(
     text = htr_transcribe(image)
     _, ner_summary = ner_extract(text)
 
-    return await _save_analysis(db, body.project_id, doc.id, AnalysisType.ner, ner_summary)
+    result = await _save_analysis(db, body.project_id, doc.id, AnalysisType.ner, ner_summary)
+    await log_event(db, current_user, AuditAction.analysis_run,
+                    resource_type="analysis", resource_id=result.id, detail="ner")
+    return result
 
 
 @router.post("/writer", response_model=AnalysisOut, status_code=status.HTTP_201_CREATED)
@@ -226,9 +240,12 @@ async def run_writer_identification(
     from core.writer import writer_identify
     report, _ = writer_identify(image, settings.writer_samples_dir)
 
-    return await _save_analysis(
+    result = await _save_analysis(
         db, body.project_id, doc.id, AnalysisType.writer_identification, report
     )
+    await log_event(db, current_user, AuditAction.analysis_run,
+                    resource_type="analysis", resource_id=result.id, detail="writer_identification")
+    return result
 
 
 @router.post("/graphology", response_model=AnalysisOut, status_code=status.HTTP_201_CREATED)
@@ -244,9 +261,12 @@ async def run_graphology(
     from core.graphology import grapho_analyse
     report, annotated = grapho_analyse(image)
 
-    return await _save_analysis(
+    result = await _save_analysis(
         db, body.project_id, doc.id, AnalysisType.graphology, report, annotated
     )
+    await log_event(db, current_user, AuditAction.analysis_run,
+                    resource_type="analysis", resource_id=result.id, detail="graphology")
+    return result
 
 
 @router.post("/dating", response_model=AnalysisOut, status_code=status.HTTP_201_CREATED)
@@ -264,11 +284,14 @@ async def run_dating(
     text = htr_transcribe(image)
     dates = extract_dates(text)
     if dates:
-        result = "\n".join(f"- {raw} → {dt.strftime('%Y-%m-%d')}" for raw, dt in dates)
+        dating_result = "\n".join(f"- {raw} → {dt.strftime('%Y-%m-%d')}" for raw, dt in dates)
     else:
-        result = "Nessuna data rilevata nel documento."
+        dating_result = "Nessuna data rilevata nel documento."
 
-    return await _save_analysis(db, body.project_id, doc.id, AnalysisType.dating, result)
+    saved = await _save_analysis(db, body.project_id, doc.id, AnalysisType.dating, dating_result)
+    await log_event(db, current_user, AuditAction.analysis_run,
+                    resource_type="analysis", resource_id=saved.id, detail="dating")
+    return saved
 
 
 @router.post("/pipeline", response_model=AnalysisOut, status_code=status.HTTP_201_CREATED)
@@ -331,6 +354,8 @@ async def run_pipeline(
         analysis.result_text = analysis.result_text.replace("__img_sig__", f"/api/analysis/{analysis.id}/image/sig") if analysis.result_text else analysis.result_text
     await db.flush()
 
+    await log_event(db, current_user, AuditAction.analysis_run,
+                    resource_type="analysis", resource_id=analysis.id, detail="pipeline")
     return analysis
 
 
@@ -357,6 +382,8 @@ async def clear_analyses(
 ) -> None:
     await _check_project_access(project_id, db, current_user)
     await db.execute(delete(Analysis).where(Analysis.project_id == project_id))
+    await log_event(db, current_user, AuditAction.analysis_clear,
+                    resource_type="project", resource_id=project_id)
     await db.commit()
 
 
@@ -414,6 +441,8 @@ async def get_analysis_pdf(
     if not analysis.result_text:
         raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Nessun testo disponibile.")
 
+    await log_event(db, current_user, AuditAction.pdf_download,
+                    resource_type="analysis", resource_id=analysis_id)
     pdf_bytes = await anyio.to_thread.run_sync(lambda: _generate_pdf(analysis))
     return StreamingResponse(
         io.BytesIO(pdf_bytes),

backend/routers/audit.py

@@ -0,0 +1,68 @@
+"""
+GraphoLab Backend — Audit log router.
+
+Endpoints:
+  GET /audit   → paginated audit log (admin only)
+"""
+
+from __future__ import annotations
+
+from datetime import datetime
+
+from fastapi import APIRouter, Depends, HTTPException, Query, status
+from pydantic import BaseModel
+from sqlalchemy import select, func
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from backend.auth.dependencies import get_current_user
+from backend.database import get_db
+from backend.models.audit import AuditAction, AuditLog
+from backend.models.user import Role, User
+
+router = APIRouter(prefix="/audit", tags=["audit"])
+
+
+class AuditLogOut(BaseModel):
+    id: int
+    timestamp: datetime
+    user_id: int | None
+    user_email: str
+    action: AuditAction
+    resource_type: str | None
+    resource_id: int | None
+    detail: str | None
+    ip_address: str | None
+
+    model_config = {"from_attributes": True}
+
+
+class AuditPage(BaseModel):
+    total: int
+    items: list[AuditLogOut]
+
+
+@router.get("/", response_model=AuditPage)
+async def list_audit_log(
+    page: int = Query(1, ge=1),
+    page_size: int = Query(50, ge=1, le=200),
+    action: AuditAction | None = Query(None),
+    user_email: str | None = Query(None),
+    db: AsyncSession = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+) -> AuditPage:
+    if current_user.role != Role.admin:
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Solo gli amministratori possono visualizzare il log.")
+
+    q = select(AuditLog)
+    if action:
+        q = q.where(AuditLog.action == action)
+    if user_email:
+        q = q.where(AuditLog.user_email.ilike(f"%{user_email}%"))
+
+    count_q = select(func.count()).select_from(q.subquery())
+    total = (await db.execute(count_q)).scalar_one()
+
+    q = q.order_by(AuditLog.timestamp.desc()).offset((page - 1) * page_size).limit(page_size)
+    rows = (await db.execute(q)).scalars().all()
+
+    return AuditPage(total=total, items=list(rows))

backend/routers/auth.py

@@ -9,16 +9,18 @@ Endpoints:
 
 from __future__ import annotations
 
-from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi import APIRouter, Depends, HTTPException, Request, status
 from fastapi.security import OAuth2PasswordRequestForm
 from jose import JWTError
 from pydantic import BaseModel
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
 
+from backend.audit import log_event
 from backend.auth.jwt import TokenType, create_access_token, create_refresh_token, decode_token
 from backend.auth.password import verify_password
 from backend.database import get_db
+from backend.models.audit import AuditAction
 from backend.models.user import User
 
 router = APIRouter(prefix="/auth", tags=["auth"])
@@ -36,6 +38,7 @@ class RefreshRequest(BaseModel):
 
 @router.post("/login", response_model=TokenResponse)
 async def login(
+    request: Request,
     form: OAuth2PasswordRequestForm = Depends(),
     db: AsyncSession = Depends(get_db),
 ) -> TokenResponse:
@@ -54,6 +57,11 @@ async def login(
             detail="Account disabilitato. Contatta l'amministratore.",
         )
 
+    await log_event(
+        db, user, AuditAction.login,
+        ip_address=request.client.host if request.client else None,
+    )
+
     return TokenResponse(
         access_token=create_access_token(user.id, user.role),
         refresh_token=create_refresh_token(user.id),

backend/routers/projects.py

@@ -22,8 +22,10 @@ from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy.orm import selectinload
 
+from backend.audit import log_event
 from backend.auth.dependencies import get_current_user
 from backend.database import get_db
+from backend.models.audit import AuditAction
 from backend.models.project import Document, Project, ProjectStatus
 from backend.models.user import Role, User
 from backend.storage.minio_client import delete_object, upload_fileobj
@@ -122,6 +124,8 @@ async def create_project(
     )
     db.add(project)
     await db.flush()
+    await log_event(db, current_user, AuditAction.project_create,
+                    resource_type="project", resource_id=project.id, detail=body.title)
     project.document_count = 0
     return project
 
@@ -163,6 +167,8 @@ async def delete_project(
     current_user: User = Depends(get_current_user),
 ) -> None:
     project = await _get_project_or_404(project_id, db, current_user)
+    await log_event(db, current_user, AuditAction.project_delete,
+                    resource_type="project", resource_id=project_id, detail=project.title)
     # Remove files from MinIO
     for doc in project.documents:
         await delete_object(doc.storage_key)
@@ -195,6 +201,8 @@ async def upload_document(
     )
     db.add(doc)
     await db.flush()
+    await log_event(db, current_user, AuditAction.document_upload,
+                    resource_type="document", resource_id=doc.id, detail=file.filename)
     return doc
 
 
@@ -222,5 +230,7 @@ async def delete_document(
     doc = result.scalar_one_or_none()
     if doc is None:
         raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Documento non trovato.")
+    await log_event(db, current_user, AuditAction.document_delete,
+                    resource_type="document", resource_id=doc_id, detail=doc.filename)
     await delete_object(doc.storage_key)
     await db.delete(doc)

frontend/src/App.tsx

@@ -4,6 +4,7 @@ import LoginPage from "@/pages/LoginPage"
 import ProjectsPage from "@/pages/ProjectsPage"
 import ProjectDetailPage from "@/pages/ProjectDetailPage"
 import RagPage from "@/pages/RagPage"
+import AdminPage from "@/pages/AdminPage"
 
 export default function App() {
   return (
@@ -14,6 +15,7 @@ export default function App() {
           <Route path="/projects" element={<ProjectsPage />} />
           <Route path="/projects/:id" element={<ProjectDetailPage />} />
           <Route path="/rag" element={<RagPage />} />
+          <Route path="/admin/*" element={<AdminPage />} />
         </Route>
         <Route path="*" element={<Navigate to="/projects" replace />} />
       </Routes>

frontend/src/i18n/en.json

@@ -81,6 +81,7 @@
   },
   "admin": {
     "users": "Users",
+    "audit": "Activity log",
     "new_user": "New user",
     "email": "Email",
     "full_name": "Full name",
@@ -92,7 +93,30 @@
       "admin": "Administrator",
       "examiner": "Examiner",
       "viewer": "Read-only"
-    }
+    },
+    "audit_timestamp": "Date/Time",
+    "audit_user": "User",
+    "audit_action": "Action",
+    "audit_resource": "Resource",
+    "audit_detail": "Detail",
+    "audit_ip": "IP",
+    "audit_actions": {
+      "login": "Login",
+      "project_create": "Case created",
+      "project_delete": "Case deleted",
+      "document_upload": "Document uploaded",
+      "document_delete": "Document deleted",
+      "analysis_run": "Analysis run",
+      "analysis_clear": "Analyses cleared",
+      "pdf_download": "PDF downloaded"
+    },
+    "audit_empty": "No activity recorded.",
+    "audit_filter_action": "Filter by action",
+    "audit_filter_user": "Filter by email",
+    "audit_all_actions": "All actions",
+    "audit_prev": "Previous",
+    "audit_next": "Next",
+    "audit_page": "Page {{page}} — {{total}} events"
   },
   "common": {
     "loading": "Loading…",

frontend/src/i18n/it.json

@@ -81,6 +81,7 @@
   },
   "admin": {
     "users": "Utenti",
+    "audit": "Registro attività",
     "new_user": "Nuovo utente",
     "email": "Email",
     "full_name": "Nome completo",
@@ -92,7 +93,30 @@
       "admin": "Amministratore",
       "examiner": "Perito",
       "viewer": "Sola lettura"
-    }
+    },
+    "audit_timestamp": "Data/Ora",
+    "audit_user": "Utente",
+    "audit_action": "Azione",
+    "audit_resource": "Risorsa",
+    "audit_detail": "Dettaglio",
+    "audit_ip": "IP",
+    "audit_actions": {
+      "login": "Login",
+      "project_create": "Perizia creata",
+      "project_delete": "Perizia eliminata",
+      "document_upload": "Documento caricato",
+      "document_delete": "Documento eliminato",
+      "analysis_run": "Analisi eseguita",
+      "analysis_clear": "Analisi cancellate",
+      "pdf_download": "PDF scaricato"
+    },
+    "audit_empty": "Nessuna attività registrata.",
+    "audit_filter_action": "Filtra per azione",
+    "audit_filter_user": "Filtra per email",
+    "audit_all_actions": "Tutte le azioni",
+    "audit_prev": "Precedente",
+    "audit_next": "Successivo",
+    "audit_page": "Pagina {{page}} — {{total}} eventi"
   },
   "common": {
     "loading": "Caricamento…",

frontend/src/lib/api.ts

@@ -161,6 +161,33 @@ export const analysisApi = {
   imageUrl: (analysisId: number) => `/api/analysis/${analysisId}/image`,
 }
 
+// Audit
+export interface AuditLogEntry {
+  id: number
+  timestamp: string
+  user_id: number | null
+  user_email: string
+  action: string
+  resource_type: string | null
+  resource_id: number | null
+  detail: string | null
+  ip_address: string | null
+}
+
+export interface AuditPage {
+  total: number
+  items: AuditLogEntry[]
+}
+
+export const auditApi = {
+  list: (page = 1, pageSize = 50, action?: string, userEmail?: string) => {
+    const params: Record<string, string | number> = { page, page_size: pageSize }
+    if (action) params.action = action
+    if (userEmail) params.user_email = userEmail
+    return api.get<AuditPage>("/audit/", { params })
+  },
+}
+
 // RAG
 export const ragApi = {
   status: () => api.get<{ ollama_reachable: boolean; models: string[] }>("/rag/status"),

frontend/src/pages/AdminPage.tsx

@@ -0,0 +1,297 @@
+import { useEffect, useState } from "react"
+import { useTranslation } from "react-i18next"
+import { Users, ClipboardList, Plus, Trash2, RefreshCw, ChevronLeft, ChevronRight } from "lucide-react"
+import { Button } from "@/components/ui/button"
+import { Badge } from "@/components/ui/badge"
+import { Card, CardContent, CardHeader, CardTitle } from "@/components/ui/card"
+import { Input } from "@/components/ui/input"
+import { api, usersApi, auditApi, type User, type AuditLogEntry } from "@/lib/api"
+
+const AUDIT_ACTIONS = [
+  "login",
+  "project_create",
+  "project_delete",
+  "document_upload",
+  "document_delete",
+  "analysis_run",
+  "analysis_clear",
+  "pdf_download",
+]
+
+const ACTION_COLORS: Record<string, string> = {
+  login: "bg-blue-100 text-blue-800",
+  project_create: "bg-green-100 text-green-800",
+  project_delete: "bg-red-100 text-red-800",
+  document_upload: "bg-green-100 text-green-800",
+  document_delete: "bg-red-100 text-red-800",
+  analysis_run: "bg-purple-100 text-purple-800",
+  analysis_clear: "bg-orange-100 text-orange-800",
+  pdf_download: "bg-gray-100 text-gray-800",
+}
+
+export default function AdminPage() {
+  const { t } = useTranslation()
+  const [tab, setTab] = useState<"users" | "audit">("users")
+
+  // ── Users state ──────────────────────────────────────────────────────────────
+  const [users, setUsers] = useState<User[]>([])
+  const [newEmail, setNewEmail] = useState("")
+  const [newName, setNewName] = useState("")
+  const [newPassword, setNewPassword] = useState("")
+  const [newRole, setNewRole] = useState<"admin" | "examiner" | "viewer">("examiner")
+  const [userError, setUserError] = useState("")
+
+  async function loadUsers() {
+    const { data } = await usersApi.list()
+    setUsers(data)
+  }
+
+  async function handleCreateUser(e: React.FormEvent) {
+    e.preventDefault()
+    setUserError("")
+    try {
+      const { data } = await usersApi.create({ email: newEmail, full_name: newName, password: newPassword, role: newRole })
+      setUsers((u) => [...u, data])
+      setNewEmail(""); setNewName(""); setNewPassword(""); setNewRole("examiner")
+    } catch (err: any) {
+      setUserError(err?.response?.data?.detail ?? t("common.error"))
+    }
+  }
+
+  async function handleDeactivate(userId: number) {
+    if (!confirm(t("common.confirm"))) return
+    await usersApi.deactivate(userId)
+    setUsers((u) => u.map((x) => x.id === userId ? { ...x, is_active: false } : x))
+  }
+
+  // ── Audit state ──────────────────────────────────────────────────────────────
+  const [auditItems, setAuditItems] = useState<AuditLogEntry[]>([])
+  const [auditTotal, setAuditTotal] = useState(0)
+  const [auditPage, setAuditPage] = useState(1)
+  const [filterAction, setFilterAction] = useState("")
+  const [filterEmail, setFilterEmail] = useState("")
+  const PAGE_SIZE = 50
+
+  async function loadAudit(page = auditPage) {
+    const { data } = await auditApi.list(page, PAGE_SIZE, filterAction || undefined, filterEmail || undefined)
+    setAuditItems(data.items)
+    setAuditTotal(data.total)
+  }
+
+  useEffect(() => { loadUsers() }, [])
+  useEffect(() => { if (tab === "audit") loadAudit(1) }, [tab])
+
+  function handleAuditFilter(e: React.FormEvent) {
+    e.preventDefault()
+    setAuditPage(1)
+    loadAudit(1)
+  }
+
+  function changePage(delta: number) {
+    const next = auditPage + delta
+    setAuditPage(next)
+    loadAudit(next)
+  }
+
+  const totalPages = Math.max(1, Math.ceil(auditTotal / PAGE_SIZE))
+
+  return (
+    <div className="p-6 max-w-5xl mx-auto space-y-4">
+      <h1 className="text-xl font-semibold">{t("nav.admin")}</h1>
+
+      {/* Tab bar */}
+      <div className="flex gap-1 border-b pb-0">
+        <button
+          className={`flex items-center gap-1.5 px-4 py-2 text-sm font-medium border-b-2 transition-colors ${tab === "users" ? "border-primary text-primary" : "border-transparent text-muted-foreground hover:text-foreground"}`}
+          onClick={() => setTab("users")}
+        >
+          <Users className="h-4 w-4" />
+          {t("admin.users")}
+        </button>
+        <button
+          className={`flex items-center gap-1.5 px-4 py-2 text-sm font-medium border-b-2 transition-colors ${tab === "audit" ? "border-primary text-primary" : "border-transparent text-muted-foreground hover:text-foreground"}`}
+          onClick={() => setTab("audit")}
+        >
+          <ClipboardList className="h-4 w-4" />
+          {t("admin.audit")}
+        </button>
+      </div>
+
+      {/* ── Users tab ─────────────────────────────────────────────────────────── */}
+      {tab === "users" && (
+        <div className="space-y-4">
+          {/* Create user form */}
+          <Card>
+            <CardHeader className="pb-2">
+              <CardTitle className="text-sm flex items-center gap-2">
+                <Plus className="h-4 w-4" />
+                {t("admin.new_user")}
+              </CardTitle>
+            </CardHeader>
+            <CardContent>
+              <form onSubmit={handleCreateUser} className="flex flex-wrap gap-2 items-end">
+                <div className="flex flex-col gap-1">
+                  <label className="text-xs text-muted-foreground">{t("admin.email")}</label>
+                  <Input className="h-8 text-sm w-48" type="email" value={newEmail} onChange={(e) => setNewEmail(e.target.value)} required />
+                </div>
+                <div className="flex flex-col gap-1">
+                  <label className="text-xs text-muted-foreground">{t("admin.full_name")}</label>
+                  <Input className="h-8 text-sm w-40" value={newName} onChange={(e) => setNewName(e.target.value)} required />
+                </div>
+                <div className="flex flex-col gap-1">
+                  <label className="text-xs text-muted-foreground">Password</label>
+                  <Input className="h-8 text-sm w-32" type="password" value={newPassword} onChange={(e) => setNewPassword(e.target.value)} required />
+                </div>
+                <div className="flex flex-col gap-1">
+                  <label className="text-xs text-muted-foreground">{t("admin.role")}</label>
+                  <select className="h-8 text-sm border rounded-md px-2" value={newRole} onChange={(e) => setNewRole(e.target.value as any)}>
+                    <option value="examiner">{t("admin.roles.examiner")}</option>
+                    <option value="viewer">{t("admin.roles.viewer")}</option>
+                    <option value="admin">{t("admin.roles.admin")}</option>
+                  </select>
+                </div>
+                <Button type="submit" size="sm" className="h-8">{t("admin.new_user")}</Button>
+              </form>
+              {userError && <p className="text-xs text-destructive mt-2">{userError}</p>}
+            </CardContent>
+          </Card>
+
+          {/* Users table */}
+          <Card>
+            <CardContent className="pt-4">
+              <table className="w-full text-sm">
+                <thead>
+                  <tr className="border-b text-xs text-muted-foreground">
+                    <th className="text-left pb-2 font-medium">{t("admin.full_name")}</th>
+                    <th className="text-left pb-2 font-medium">{t("admin.email")}</th>
+                    <th className="text-left pb-2 font-medium">{t("admin.role")}</th>
+                    <th className="text-left pb-2 font-medium">{t("admin.status")}</th>
+                    <th />
+                  </tr>
+                </thead>
+                <tbody>
+                  {users.map((u) => (
+                    <tr key={u.id} className="border-b last:border-0">
+                      <td className="py-2">{u.full_name}</td>
+                      <td className="py-2 text-muted-foreground">{u.email}</td>
+                      <td className="py-2">
+                        <Badge variant="outline" className="text-xs">{t(`admin.roles.${u.role}`)}</Badge>
+                      </td>
+                      <td className="py-2">
+                        <Badge variant={u.is_active ? "default" : "secondary"} className="text-xs">
+                          {u.is_active ? t("admin.active") : t("admin.inactive")}
+                        </Badge>
+                      </td>
+                      <td className="py-2 text-right">
+                        {u.is_active && (
+                          <Button variant="ghost" size="icon" className="h-7 w-7 text-muted-foreground hover:text-destructive"
+                            onClick={() => handleDeactivate(u.id)}>
+                            <Trash2 className="h-3.5 w-3.5" />
+                          </Button>
+                        )}
+                      </td>
+                    </tr>
+                  ))}
+                </tbody>
+              </table>
+            </CardContent>
+          </Card>
+        </div>
+      )}
+
+      {/* ── Audit tab ─────────────────────────────────────────────────────────── */}
+      {tab === "audit" && (
+        <div className="space-y-3">
+          {/* Filters */}
+          <form onSubmit={handleAuditFilter} className="flex flex-wrap gap-2 items-end">
+            <div className="flex flex-col gap-1">
+              <label className="text-xs text-muted-foreground">{t("admin.audit_filter_action")}</label>
+              <select className="h-8 text-sm border rounded-md px-2 w-44"
+                value={filterAction} onChange={(e) => setFilterAction(e.target.value)}>
+                <option value="">{t("admin.audit_all_actions")}</option>
+                {AUDIT_ACTIONS.map((a) => (
+                  <option key={a} value={a}>{t(`admin.audit_actions.${a}`)}</option>
+                ))}
+              </select>
+            </div>
+            <div className="flex flex-col gap-1">
+              <label className="text-xs text-muted-foreground">{t("admin.audit_filter_user")}</label>
+              <Input className="h-8 text-sm w-48" placeholder="email…"
+                value={filterEmail} onChange={(e) => setFilterEmail(e.target.value)} />
+            </div>
+            <Button type="submit" size="sm" className="h-8 gap-1">
+              <RefreshCw className="h-3.5 w-3.5" />
+              {t("common.confirm")}
+            </Button>
+          </form>
+
+          {/* Summary */}
+          {auditTotal > 0 && (
+            <p className="text-xs text-muted-foreground">
+              {t("admin.audit_page", { page: auditPage, total: auditTotal })}
+            </p>
+          )}
+
+          {/* Table */}
+          <Card>
+            <CardContent className="pt-4 overflow-x-auto">
+              {auditItems.length === 0 ? (
+                <p className="text-sm text-muted-foreground">{t("admin.audit_empty")}</p>
+              ) : (
+                <table className="w-full text-xs">
+                  <thead>
+                    <tr className="border-b text-muted-foreground">
+                      <th className="text-left pb-2 font-medium">{t("admin.audit_timestamp")}</th>
+                      <th className="text-left pb-2 font-medium">{t("admin.audit_user")}</th>
+                      <th className="text-left pb-2 font-medium">{t("admin.audit_action")}</th>
+                      <th className="text-left pb-2 font-medium">{t("admin.audit_resource")}</th>
+                      <th className="text-left pb-2 font-medium">{t("admin.audit_detail")}</th>
+                      <th className="text-left pb-2 font-medium">{t("admin.audit_ip")}</th>
+                    </tr>
+                  </thead>
+                  <tbody>
+                    {auditItems.map((entry) => (
+                      <tr key={entry.id} className="border-b last:border-0">
+                        <td className="py-1.5 pr-3 whitespace-nowrap text-muted-foreground">
+                          {new Date(entry.timestamp).toLocaleString()}
+                        </td>
+                        <td className="py-1.5 pr-3">{entry.user_email}</td>
+                        <td className="py-1.5 pr-3">
+                          <span className={`px-1.5 py-0.5 rounded text-xs font-medium ${ACTION_COLORS[entry.action] ?? "bg-gray-100 text-gray-800"}`}>
+                            {t(`admin.audit_actions.${entry.action}`, { defaultValue: entry.action })}
+                          </span>
+                        </td>
+                        <td className="py-1.5 pr-3 text-muted-foreground">
+                          {entry.resource_type ? `${entry.resource_type}/${entry.resource_id}` : "—"}
+                        </td>
+                        <td className="py-1.5 pr-3">{entry.detail ?? "—"}</td>
+                        <td className="py-1.5 text-muted-foreground">{entry.ip_address ?? "—"}</td>
+                      </tr>
+                    ))}
+                  </tbody>
+                </table>
+              )}
+            </CardContent>
+          </Card>
+
+          {/* Pagination */}
+          {totalPages > 1 && (
+            <div className="flex items-center gap-2 justify-end">
+              <Button variant="outline" size="sm" className="h-7 gap-1"
+                disabled={auditPage <= 1} onClick={() => changePage(-1)}>
+                <ChevronLeft className="h-3.5 w-3.5" />
+                {t("admin.audit_prev")}
+              </Button>
+              <span className="text-xs text-muted-foreground">{auditPage} / {totalPages}</span>
+              <Button variant="outline" size="sm" className="h-7 gap-1"
+                disabled={auditPage >= totalPages} onClick={() => changePage(1)}>
+                {t("admin.audit_next")}
+                <ChevronRight className="h-3.5 w-3.5" />
+              </Button>
+            </div>
+          )}
+        </div>
+      )}
+    </div>
+  )
+}