feat(api): admin user management endpoints with audit log (0.38.0)

Adds /api/v1/admin/users list / DELETE / PATCH guarded by RequireAdmin,
plus the audit-log substrate every future destructive admin endpoint
will reuse.

Safety properties:
- Cannot self-delete or self-demote (409 conflict, message calls out
  "yourself" so the UI can render an explanation).
- Cannot remove the last admin via either DELETE or demote. The check
  takes pg_advisory_xact_lock(ADMIN_INVARIANT_LOCK_KEY) and re-counts
  admins inside the same tx, closing the parallel-demote race that a
  bare "if count > 1" check would let through. The HTTP-serial path to
  this guard is structurally unreachable (the actor would have to be
  the lone admin demoting themselves, which the self-guard fires on
  first); the parallel race test exercises it via repo calls.

Audit log (admin_audit table) records the action inside the same tx
as the action itself, so a rolled-back action never leaves an orphan
audit row. actor_user_id is ON DELETE SET NULL so the log outlives a
later-deleted admin. target_id is not a FK because future audit kinds
will target non-user rows.

backend/src/api/admin/mod.rs

@@ -0,0 +1,15 @@
+//! Admin-only endpoints. Mounted under `/api/v1/admin/*` by
+//! `crate::api::routes`. Every handler in this subtree is guarded by
+//! `RequireAdmin`, which only accepts session-cookie authentication —
+//! bot/API tokens cannot reach admin routes (see
+//! `crate::auth::extractor::RequireAdmin`).
+
+pub mod users;
+
+use axum::Router;
+
+use crate::app::AppState;
+
+pub fn routes() -> Router<AppState> {
+    Router::new().merge(users::routes())
+}

backend/src/api/admin/users.rs

@@ -0,0 +1,92 @@
+//! Admin user management: list, delete, promote/demote.
+//!
+//! All handlers are gated by `RequireAdmin` and rely on
+//! `repo::user::admin_safe_*` for self-protection and the last-admin
+//! invariant. Audit rows are written inside the same DB transaction as
+//! the action they record.
+
+use axum::extract::{Path, Query, State};
+use axum::http::StatusCode;
+use axum::routing::{delete, get};
+use axum::{Json, Router};
+use serde::Deserialize;
+use uuid::Uuid;
+
+use crate::api::pagination::PagedResponse;
+use crate::app::AppState;
+use crate::auth::extractor::RequireAdmin;
+use crate::domain::User;
+use crate::error::{AppError, AppResult};
+use crate::repo;
+
+pub fn routes() -> Router<AppState> {
+    Router::new()
+        .route("/admin/users", get(list_users))
+        .route(
+            "/admin/users/:id",
+            delete(delete_user).patch(update_user),
+        )
+}
+
+#[derive(Debug, Deserialize, Default)]
+pub struct ListUsersParams {
+    #[serde(default)]
+    pub search: Option<String>,
+    #[serde(default = "default_limit")]
+    pub limit: i64,
+    #[serde(default)]
+    pub offset: i64,
+}
+
+fn default_limit() -> i64 {
+    50
+}
+
+async fn list_users(
+    State(state): State<AppState>,
+    _admin: RequireAdmin,
+    Query(params): Query<ListUsersParams>,
+) -> AppResult<Json<PagedResponse<User>>> {
+    let limit = params.limit.clamp(1, 200);
+    let offset = params.offset.max(0);
+    let (items, total) = repo::user::list_with_total(
+        &state.db,
+        &repo::user::ListUsersQuery {
+            search: params.search.filter(|s| !s.trim().is_empty()),
+            limit,
+            offset,
+        },
+    )
+    .await?;
+    Ok(Json(PagedResponse::with_total(items, limit, offset, total)))
+}
+
+#[derive(Debug, Deserialize)]
+pub struct UpdateUserInput {
+    pub is_admin: Option<bool>,
+}
+
+async fn update_user(
+    State(state): State<AppState>,
+    RequireAdmin(actor): RequireAdmin,
+    Path(id): Path<Uuid>,
+    Json(input): Json<UpdateUserInput>,
+) -> AppResult<Json<User>> {
+    let Some(is_admin) = input.is_admin else {
+        return Err(AppError::InvalidInput(
+            "no updatable fields supplied".into(),
+        ));
+    };
+    let updated =
+        repo::user::admin_safe_set_is_admin(&state.db, actor.id, id, is_admin).await?;
+    Ok(Json(updated))
+}
+
+async fn delete_user(
+    State(state): State<AppState>,
+    RequireAdmin(actor): RequireAdmin,
+    Path(id): Path<Uuid>,
+) -> AppResult<StatusCode> {
+    repo::user::admin_safe_delete(&state.db, actor.id, id).await?;
+    Ok(StatusCode::NO_CONTENT)
+}

backend/src/api/mod.rs

@@ -1,3 +1,4 @@
+pub mod admin;
 pub mod auth;
 pub mod authors;
 pub mod bookmarks;
@@ -28,4 +29,5 @@ pub fn routes() -> Router<AppState> {
         .merge(authors::routes())
         .merge(collections::routes())
         .merge(history::routes())
+        .merge(admin::routes())
 }

backend/src/domain/admin_audit.rs

@@ -0,0 +1,15 @@
+use chrono::{DateTime, Utc};
+use serde::Serialize;
+use sqlx::FromRow;
+use uuid::Uuid;
+
+#[derive(Debug, Clone, Serialize, FromRow)]
+pub struct AdminAuditEntry {
+    pub id: Uuid,
+    pub actor_user_id: Option<Uuid>,
+    pub action: String,
+    pub target_kind: String,
+    pub target_id: Option<Uuid>,
+    pub payload: serde_json::Value,
+    pub at: DateTime<Utc>,
+}

backend/src/domain/mod.rs

@@ -1,3 +1,4 @@
+pub mod admin_audit;
 pub mod api_token;
 pub mod author;
 pub mod bookmark;
@@ -14,6 +15,7 @@ pub mod upload_entry;
 pub mod user;
 pub mod user_preferences;
 
+pub use admin_audit::AdminAuditEntry;
 pub use api_token::ApiToken;
 pub use author::{Author, AuthorRef, AuthorWithCount};
 pub use bookmark::{Bookmark, BookmarkSummary};

backend/src/repo/admin_audit.rs

@@ -0,0 +1,32 @@
+//! Admin-action audit log writes.
+//!
+//! Insert is always called from inside the same transaction as the
+//! action it audits — the executor parameter is `PgExecutor` so the
+//! caller passes `&mut *tx` directly.
+
+use sqlx::PgExecutor;
+use uuid::Uuid;
+
+use crate::error::AppResult;
+
+pub async fn insert<'e, E: PgExecutor<'e>>(
+    executor: E,
+    actor_user_id: Uuid,
+    action: &str,
+    target_kind: &str,
+    target_id: Option<Uuid>,
+    payload: serde_json::Value,
+) -> AppResult<()> {
+    sqlx::query(
+        "INSERT INTO admin_audit (actor_user_id, action, target_kind, target_id, payload) \
+         VALUES ($1, $2, $3, $4, $5)",
+    )
+    .bind(actor_user_id)
+    .bind(action)
+    .bind(target_kind)
+    .bind(target_id)
+    .bind(payload)
+    .execute(executor)
+    .await?;
+    Ok(())
+}

backend/src/repo/mod.rs

@@ -1,3 +1,4 @@
+pub mod admin_audit;
 pub mod api_token;
 pub mod author;
 pub mod bookmark;

backend/src/repo/user.rs

@@ -56,6 +56,64 @@ pub async fn find_by_id(pool: &PgPool, id: Uuid) -> AppResult<Option<User>> {
     Ok(row)
 }
 
+/// Postgres advisory-lock key guarding admin-count-changing operations
+/// (demote, delete-admin). Without this lock two concurrent demotes of
+/// different admins could each pass their "more than one admin remains"
+/// check, then commit, leaving zero admins. The lock serialises any tx
+/// that might change the admin count so the recount under the lock is
+/// authoritative.
+///
+/// Value is the bytes of "admininv" interpreted as a big-endian i64.
+/// Postgres' advisory-lock keyspace is global; collision risk with
+/// `CRON_LOCK_KEY` and friends is ~2^-64.
+pub const ADMIN_INVARIANT_LOCK_KEY: i64 = 0x61_64_6d_69_6e_69_6e_76;
+
+#[derive(Debug, Default)]
+pub struct ListUsersQuery {
+    pub search: Option<String>,
+    pub limit: i64,
+    pub offset: i64,
+}
+
+/// Paginated user list with total count. `search` is a case-insensitive
+/// substring match on `username`. Order is alphabetical by username so
+/// pagination is stable across concurrent writes (mangas changing
+/// is_admin doesn't reshuffle the page).
+pub async fn list_with_total(
+    pool: &PgPool,
+    q: &ListUsersQuery,
+) -> AppResult<(Vec<User>, i64)> {
+    let pat = q
+        .search
+        .as_ref()
+        .map(|s| format!("%{}%", s.trim()))
+        .filter(|p| p.len() > 2);
+
+    let items = sqlx::query_as::<_, User>(
+        r#"
+        SELECT id, username, password_hash, created_at, is_admin
+          FROM users
+         WHERE ($1::text IS NULL OR username ILIKE $1)
+         ORDER BY username
+         LIMIT $2 OFFSET $3
+        "#,
+    )
+    .bind(&pat)
+    .bind(q.limit)
+    .bind(q.offset)
+    .fetch_all(pool)
+    .await?;
+
+    let total: i64 = sqlx::query_scalar(
+        "SELECT COUNT(*) FROM users WHERE ($1::text IS NULL OR username ILIKE $1)",
+    )
+    .bind(&pat)
+    .fetch_one(pool)
+    .await?;
+
+    Ok((items, total))
+}
+
 pub async fn set_is_admin(pool: &PgPool, id: Uuid, value: bool) -> AppResult<()> {
     sqlx::query("UPDATE users SET is_admin = $1 WHERE id = $2")
         .bind(value)
@@ -76,6 +134,148 @@ pub async fn set_is_admin(pool: &PgPool, id: Uuid, value: bool) -> AppResult<()>
 ///   admin password through the UI without env-var conflict.
 /// Wrapped in a transaction so a concurrent `register` for the same
 /// username can't slip an INSERT between the SELECT and UPDATE/INSERT.
+/// Set `is_admin` on a user with full safety checks: rejects self-demote,
+/// rejects demoting the only remaining admin (under `ADMIN_INVARIANT_LOCK_KEY`
+/// to close the parallel-demote race), and writes an `admin_audit` row
+/// in the same tx so the log mirrors what actually committed.
+///
+/// Returns the freshly-written user row (so the handler can return it
+/// without a second SELECT).
+pub async fn admin_safe_set_is_admin(
+    pool: &PgPool,
+    actor_id: Uuid,
+    target_id: Uuid,
+    value: bool,
+) -> AppResult<User> {
+    // Cheap pre-check before opening a tx — also covers the "demote me"
+    // case which would otherwise pass the recount when other admins exist.
+    if actor_id == target_id && !value {
+        return Err(AppError::Conflict(
+            "cannot demote yourself; ask another admin".into(),
+        ));
+    }
+
+    let mut tx = pool.begin().await?;
+    sqlx::query("SELECT pg_advisory_xact_lock($1)")
+        .bind(ADMIN_INVARIANT_LOCK_KEY)
+        .execute(&mut *tx)
+        .await?;
+
+    let target: Option<User> = sqlx::query_as(
+        "SELECT id, username, password_hash, created_at, is_admin \
+           FROM users WHERE id = $1 FOR UPDATE",
+    )
+    .bind(target_id)
+    .fetch_optional(&mut *tx)
+    .await?;
+    let Some(target) = target else {
+        return Err(AppError::NotFound);
+    };
+
+    // Recount inside the lock — this is the authoritative read.
+    if target.is_admin && !value {
+        let admin_count: i64 =
+            sqlx::query_scalar("SELECT COUNT(*) FROM users WHERE is_admin = true")
+                .fetch_one(&mut *tx)
+                .await?;
+        if admin_count <= 1 {
+            return Err(AppError::Conflict(
+                "cannot demote the last admin; promote another user first".into(),
+            ));
+        }
+    }
+
+    let updated: User = sqlx::query_as(
+        "UPDATE users SET is_admin = $1 WHERE id = $2 \
+         RETURNING id, username, password_hash, created_at, is_admin",
+    )
+    .bind(value)
+    .bind(target_id)
+    .fetch_one(&mut *tx)
+    .await?;
+
+    let action = if value { "promote_user" } else { "demote_user" };
+    crate::repo::admin_audit::insert(
+        &mut *tx,
+        actor_id,
+        action,
+        "user",
+        Some(target_id),
+        serde_json::json!({ "username": target.username }),
+    )
+    .await?;
+
+    tx.commit().await?;
+    Ok(updated)
+}
+
+/// Delete a user with full safety checks: rejects self-delete, rejects
+/// deleting the only remaining admin (under `ADMIN_INVARIANT_LOCK_KEY`),
+/// and writes an `admin_audit` row in the same tx. Captures the deleted
+/// username + admin status in the audit payload so the action is
+/// readable after the user row itself is gone.
+pub async fn admin_safe_delete(
+    pool: &PgPool,
+    actor_id: Uuid,
+    target_id: Uuid,
+) -> AppResult<()> {
+    if actor_id == target_id {
+        return Err(AppError::Conflict(
+            "cannot delete yourself; ask another admin".into(),
+        ));
+    }
+
+    let mut tx = pool.begin().await?;
+    sqlx::query("SELECT pg_advisory_xact_lock($1)")
+        .bind(ADMIN_INVARIANT_LOCK_KEY)
+        .execute(&mut *tx)
+        .await?;
+
+    let target: Option<User> = sqlx::query_as(
+        "SELECT id, username, password_hash, created_at, is_admin \
+           FROM users WHERE id = $1 FOR UPDATE",
+    )
+    .bind(target_id)
+    .fetch_optional(&mut *tx)
+    .await?;
+    let Some(target) = target else {
+        return Err(AppError::NotFound);
+    };
+
+    if target.is_admin {
+        let admin_count: i64 =
+            sqlx::query_scalar("SELECT COUNT(*) FROM users WHERE is_admin = true")
+                .fetch_one(&mut *tx)
+                .await?;
+        if admin_count <= 1 {
+            return Err(AppError::Conflict(
+                "cannot delete the last admin; promote another user first".into(),
+            ));
+        }
+    }
+
+    sqlx::query("DELETE FROM users WHERE id = $1")
+        .bind(target_id)
+        .execute(&mut *tx)
+        .await?;
+
+    crate::repo::admin_audit::insert(
+        &mut *tx,
+        actor_id,
+        "delete_user",
+        "user",
+        Some(target_id),
+        serde_json::json!({
+            "username": target.username,
+            "was_admin": target.is_admin,
+        }),
+    )
+    .await?;
+
+    tx.commit().await?;
+    Ok(())
+}
+
 pub async fn bootstrap_admin(
     pool: &PgPool,
     username: &str,