Admin interface

2026-06-07 21:55:22 +02:00 · 2026-06-07 21:55:22 +02:00 · f67c109f2f
commit f67c109f2f
parent fa5394e10d
33 changed files with 2086 additions and 87 deletions
--- a/README.md
+++ b/README.md
@ -104,7 +104,7 @@ Un seul **nginx** expose l’entrée HTTP (`:80`) et route :
 | `/auth/*` | Authentik |
 | `/meet/*` | Jitsi (si `JITSI_ENABLED=true`) |
 | `/cloud/*` | Nextcloud nginx+FPM (si `NEXTCLOUD_ENABLED=true`) |
-| `/mail/*`, `/drive/*`, `/contacts` | Suite frontend (`MAIL_FRONTEND_UPSTREAM`, défaut `host.docker.internal:3000`) |
+| `/mail/*`, `/drive/*`, `/contacts`, `/admin/*` | Suite frontend (`MAIL_FRONTEND_UPSTREAM`, défaut `host.docker.internal:3000` ; Docker : `suite-frontend:3000`) |
 Nextcloud : FPM + nginx dédié ; ultid appelle `NEXTCLOUD_URL` en interne (`http://nextcloud:80`).  
 Caddy retiré : un seul proxy évite la double couche ; TLS plus tard (certbot, Traefik, ou `listen 443` nginx).
--- a/deploy/authentik/blueprints/03-ulti-suite-groups.yaml
+++ b/deploy/authentik/blueprints/03-ulti-suite-groups.yaml
@ -5,6 +5,14 @@ metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
 entries:
  - model: authentik_core.group
    id: ulti-admins-group
    identifiers:
      name: ulti-admins
    attrs:
      name: ulti-admins
      is_superuser: false
  - model: authentik_providers_oauth2.scopemapping
    id: ulti-suite-groups-mapping
    identifiers:
@ -14,15 +22,18 @@ entries:
      scope_name: profile
      description: Suite RBAC groups for Ultimail API
      expression: |
-        return {
+        groups = [
            "groups": [
            "role:user",
            "contacts:write",
            "calendar:write",
            "drive:write",
            "photos:write",
-            ],
+        ]
-        }
+        for group in user.ak_groups.all():
            if group.name == "ulti-admins":
                groups.extend(["admin", "admin:write"])
                break
        return {"groups": groups}
  - model: authentik_providers_oauth2.oauth2provider
    identifiers:
--- a/deploy/nginx/default.conf.template
+++ b/deploy/nginx/default.conf.template
@ -254,6 +254,20 @@ server {
        proxy_set_header Connection $connection_upgrade;
    }
    # Console d'administration suite
    location ^~ /admin {
        resolver 127.0.0.11 valid=10s ipv6=off;
        set $mail_upstream ${MAIL_FRONTEND_UPSTREAM};
        proxy_pass http://$mail_upstream;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
    location ^~ /_next/ {
        resolver 127.0.0.11 valid=10s ipv6=off;
        set $mail_upstream ${MAIL_FRONTEND_UPSTREAM};
--- a/internal/api/admin/handlers.go
+++ b/internal/api/admin/handlers.go
@ -14,8 +14,11 @@ import (
 	"github.com/ultisuite/ulti-backend/internal/api/apivalidate"
 	"github.com/ultisuite/ulti-backend/internal/api/middleware"
 	"github.com/ultisuite/ulti-backend/internal/api/query"
 	"github.com/ultisuite/ulti-backend/internal/config"
 	"github.com/ultisuite/ulti-backend/internal/nextcloud"
 	"github.com/ultisuite/ulti-backend/internal/permission"
 	"github.com/ultisuite/ulti-backend/internal/securityaudit"
 	platformusers "github.com/ultisuite/ulti-backend/internal/users"
 )
 type Handler struct {
@ -23,9 +26,9 @@ type Handler struct {
 	logger *slog.Logger
 }
-func NewHandler(db *pgxpool.Pool, audit *securityaudit.Logger) *Handler {
+func NewHandler(db *pgxpool.Pool, audit *securityaudit.Logger, cfg *config.Config, nc *nextcloud.Client) *Handler {
 	return &Handler{
-		svc:    NewService(db, audit),
+		svc:    NewService(db, audit, cfg, nc),
 		logger: slog.Default().With("component", "admin-api"),
 	}
 }
@ -44,12 +47,19 @@ func (h *Handler) Routes() chi.Router {
 	r.With(write).Post("/users/{userID}/disable", h.DisableUser)
 	r.With(write).Post("/users/{userID}/reactivate", h.ReactivateUser)
 	r.With(write).Put("/users/{userID}/quota", h.SetQuota)
 	r.With(write).Put("/users/{userID}/role", h.SetUserRole)
 	r.With(write).Delete("/users/{userID}", h.DeleteUser)
 	r.With(read).Get("/audit", h.ListAuditLogs)
 	r.With(read).Get("/audit/export", h.ExportAuditLogs)
 	r.With(read).Get("/stats", h.GetStats)
 	r.With(read).Get("/public-shares", h.ListPublicShares)
 	r.With(write).Delete("/public-shares/{shareID}", h.RevokePublicShare)
 	r.With(read).Get("/org/settings", h.GetOrgSettings)
 	r.With(write).Put("/org/settings", h.PutOrgSettings)
 	return r
 }
@ -64,9 +74,15 @@ func (h *Handler) ListUsers(w http.ResponseWriter, r *http.Request) {
 		apivalidate.WriteValidationError(w, r, verr)
 		return
 	}
 	role, verr := validateAccountRoleFilter(r.URL.Query().Get("role"))
 	if verr != nil {
 		apivalidate.WriteValidationError(w, r, verr)
 		return
 	}
 	result, err := h.svc.ListUsers(r.Context(), params, UserFilter{
 		Status: status,
 		Role:   role,
 		Q:      strings.TrimSpace(params.Q),
 	})
 	if err != nil {
@ -169,6 +185,42 @@ func (h *Handler) UpdateUser(w http.ResponseWriter, r *http.Request) {
 	apiresponse.WriteJSON(w, http.StatusOK, user)
 }
 func (h *Handler) SetUserRole(w http.ResponseWriter, r *http.Request) {
 	userID := chi.URLParam(r, "userID")
 	if verr := validateUserID(userID); verr != nil {
 		apivalidate.WriteValidationError(w, r, verr)
 		return
 	}
 	claims := middleware.ClaimsFromContext(r.Context())
 	var req setUserRoleRequest
 	if err := apivalidate.DecodeJSON(w, r, maxQuotaRequestBody, &req); err != nil {
 		return
 	}
 	if verr := validateSetUserRole(&req); verr != nil {
 		apivalidate.WriteValidationError(w, r, verr)
 		return
 	}
 	user, err := h.svc.SetUserRole(r.Context(), claims.Sub, userID, req.Role)
 	if err != nil {
 		if errors.Is(err, ErrNotFound) {
 			apivalidate.WriteNotFound(w, r, "not found")
 			return
 		}
 		if errors.Is(err, platformusers.ErrLastPlatformAdmin) {
 			apivalidate.WriteValidationError(w, r, apivalidate.NewValidationError(
 				apivalidate.FieldDetail{Field: "role", Message: "cannot remove the last platform admin"},
 			))
 			return
 		}
 		h.logger.Error("set user role", "error", err)
 		apivalidate.WriteInternal(w, r)
 		return
 	}
 	apiresponse.WriteJSON(w, http.StatusOK, user)
 }
 func (h *Handler) SetQuota(w http.ResponseWriter, r *http.Request) {
 	userID := chi.URLParam(r, "userID")
 	if verr := validateUserID(userID); verr != nil {
@ -305,3 +357,37 @@ func (h *Handler) GetStats(w http.ResponseWriter, r *http.Request) {
 	}
 	apiresponse.WriteJSON(w, http.StatusOK, stats)
 }
 func (h *Handler) GetOrgSettings(w http.ResponseWriter, r *http.Request) {
 	payload, err := h.svc.GetOrgSettings(r.Context())
 	if err != nil {
 		h.logger.Error("get org settings", "error", err)
 		apivalidate.WriteInternal(w, r)
 		return
 	}
 	apiresponse.WriteJSON(w, http.StatusOK, payload)
 }
 func (h *Handler) PutOrgSettings(w http.ResponseWriter, r *http.Request) {
 	claims := middleware.ClaimsFromContext(r.Context())
 	var req map[string]any
 	if err := apivalidate.DecodeJSON(w, r, 1<<20, &req); err != nil {
 		return
 	}
 	patch, ok := req["policy"].(map[string]any)
 	if !ok || len(patch) == 0 {
 		apivalidate.WriteValidationError(w, r, apivalidate.NewValidationError(
 			apivalidate.FieldDetail{Field: "policy", Message: "required"},
 		))
 		return
 	}
 	payload, err := h.svc.PutOrgSettings(r.Context(), claims.Sub, patch)
 	if err != nil {
 		h.logger.Error("put org settings", "error", err)
 		apivalidate.WriteInternal(w, r)
 		return
 	}
 	apiresponse.WriteJSON(w, http.StatusOK, payload)
 }
--- a/internal/api/admin/org_settings.go
+++ b/internal/api/admin/org_settings.go
@ -0,0 +1,520 @@
 package admin
 import (
 	"context"
 	"encoding/json"
 	"strings"
 	"time"
 	"github.com/jackc/pgx/v5"
 	"github.com/ultisuite/ulti-backend/internal/config"
 )
 const orgSettingsSingletonID = 1
 func defaultOrgPolicy() map[string]any {
 	return map[string]any{
 		"authentik": map[string]any{
 			"enabled":                  true,
 			"api_url":                  "",
 			"slug":                     "ulti-suite",
 			"client_id":                "",
 			"enforce_sso":              true,
 			"allow_password_fallback":  false,
 			"default_groups":           "ulti-users",
 		},
 		"two_factor": map[string]any{
 			"required_for_all":     false,
 			"required_for_admins":  true,
 			"allowed_methods":      []any{"totp", "webauthn"},
 			"grace_period_days":    7,
 			"remember_device_days": 30,
 		},
 		"storage_quotas": map[string]any{
 			"default_mail_gib":     5,
 			"default_drive_gib":    5,
 			"default_photos_gib":   5,
 			"warn_threshold_pct":   90,
 		},
 		"usage_quotas": map[string]any{
 			"llm_requests_per_day":      100,
 			"llm_tokens_per_month":      500000,
 			"search_requests_per_day":   50,
 			"max_api_tokens_per_user":   10,
 			"max_webhooks_per_user":     20,
 		},
 		"file_policies": map[string]any{
 			"max_upload_mib":           512,
 			"allowed_extensions":       "",
 			"block_executable":         true,
 			"external_sharing":         "authenticated",
 			"default_link_expiry_days": 30,
 			"virus_scan_enabled":       false,
 			"retention_trash_days":     30,
 		},
 		"llm": map[string]any{
 			"default_provider_id":     "",
 			"providers":               []any{},
 			"enforce_org_providers":   false,
 			"allow_user_override":     true,
 		},
 		"search": map[string]any{
 			"suite_engine":         "postgres",
 			"meilisearch_url":      "",
 			"meilisearch_api_key":  "",
 			"typesense_url":        "",
 			"typesense_api_key":    "",
 			"web_search": map[string]any{
 				"default_provider_id": "brave-default",
 				"providers":           []any{},
 			},
 			"enforce_org_search": false,
 		},
 		"administrators": []any{},
 		"nextcloud": map[string]any{
 			"enabled":           false,
 			"base_url":          "",
 			"admin_user":        "",
 			"admin_password":    "",
 			"drive_enabled":     true,
 			"calendar_enabled":  true,
 			"contacts_enabled":  true,
 			"talk_enabled":      false,
 		},
 		"mailing": map[string]any{
 			"enabled":       false,
 			"smtp_host":     "",
 			"smtp_port":     587,
 			"smtp_user":     "",
 			"smtp_password": "",
 			"from_email":    "noreply@example.com",
 			"from_name":     "Ulti Suite",
 			"tls_mode":      "starttls",
 		},
 		"onlyoffice": map[string]any{
 			"enabled":               false,
 			"document_server_url":   "",
 			"jwt_secret":            "",
 			"jwt_header":            "Authorization",
 		},
 		"plugins": []any{
 			map[string]any{"id": "mail-automation", "name": "Automatisations mail", "description": "Règles, webhooks et tri IA sur la réception.", "enabled": true, "version": "1.0.0"},
 			map[string]any{"id": "contact-discovery", "name": "Découverte contacts", "description": "Enrichissement IA et signatures détectées.", "enabled": true, "version": "1.0.0"},
 			map[string]any{"id": "public-share", "name": "Partage public Drive", "description": "Liens publics et partages externes.", "enabled": true, "version": "1.0.0"},
 			map[string]any{"id": "office-editor", "name": "Édition OnlyOffice", "description": "Édition collaborative de documents.", "enabled": false, "version": "1.0.0"},
 		},
 		"integrations": []any{
 			map[string]any{"id": "authentik", "name": "Authentik", "description": "SSO, groupes et provisionnement des comptes.", "enabled": true, "configured": false},
 			map[string]any{"id": "nextcloud", "name": "Nextcloud", "description": "Drive, agenda, contacts et Talk.", "enabled": false, "configured": false},
 			map[string]any{"id": "onlyoffice", "name": "OnlyOffice", "description": "Édition de documents dans le navigateur.", "enabled": false, "configured": false},
 			map[string]any{"id": "smtp", "name": "Mailing unifié", "description": "SMTP pour notifications suite (partages, mentions).", "enabled": false, "configured": false},
 		},
 	}
 }
 func (s *Service) loadOrgPolicyRaw(ctx context.Context) (map[string]any, time.Time, string, error) {
 	var raw []byte
 	var updatedAt time.Time
 	var updatedBy string
 	err := s.db.QueryRow(ctx, `
 		SELECT settings, updated_at, updated_by FROM org_settings WHERE id = $1
 	`, orgSettingsSingletonID).Scan(&raw, &updatedAt, &updatedBy)
 	if err != nil {
 		if err == pgx.ErrNoRows {
 			return map[string]any{}, time.Time{}, "", nil
 		}
 		return nil, time.Time{}, "", err
 	}
 	stored := map[string]any{}
 	if len(raw) > 0 {
 		if err := json.Unmarshal(raw, &stored); err != nil {
 			return nil, time.Time{}, "", err
 		}
 	}
 	return stored, updatedAt, updatedBy, nil
 }
 func mergeMaps(base, patch map[string]any) map[string]any {
 	if base == nil {
 		base = map[string]any{}
 	}
 	out := make(map[string]any, len(base)+len(patch))
 	for k, v := range base {
 		out[k] = v
 	}
 	for k, patchVal := range patch {
 		if patchVal == nil {
 			continue
 		}
 		baseVal, ok := out[k]
 		if !ok {
 			out[k] = patchVal
 			continue
 		}
 		baseMap, baseOK := baseVal.(map[string]any)
 		patchMap, patchOK := patchVal.(map[string]any)
 		if baseOK && patchOK {
 			out[k] = mergeMaps(baseMap, patchMap)
 			continue
 		}
 		out[k] = patchVal
 	}
 	return out
 }
 func mergeOrgSecrets(existing, patch map[string]any) map[string]any {
 	merged := mergeMaps(existing, patch)
 	secretPaths := []struct {
 		section string
 		key     string
 	}{
 		{"nextcloud", "admin_password"},
 		{"mailing", "smtp_password"},
 		{"onlyoffice", "jwt_secret"},
 		{"search", "meilisearch_api_key"},
 		{"search", "typesense_api_key"},
 	}
 	for _, p := range secretPaths {
 		patchSection, _ := patch[p.section].(map[string]any)
 		if patchSection == nil {
 			continue
 		}
 		val, _ := patchSection[p.key].(string)
 		if strings.TrimSpace(val) == "" {
 			if existingSection, ok := existing[p.section].(map[string]any); ok {
 				if existingVal, ok := existingSection[p.key].(string); ok && existingVal != "" {
 					mergedSection, _ := merged[p.section].(map[string]any)
 					if mergedSection == nil {
 						mergedSection = map[string]any{}
 					}
 					mergedSection[p.key] = existingVal
 					merged[p.section] = mergedSection
 				}
 			}
 		}
 	}
 	if patchLLM, ok := patch["llm"].(map[string]any); ok {
 		mergeLLMProviderSecrets(existing, patchLLM, merged)
 	}
 	if patchSearch, ok := patch["search"].(map[string]any); ok {
 		if patchWS, ok := patchSearch["web_search"].(map[string]any); ok {
 			mergeSearchProviderSecrets(existing, patchWS, merged)
 		}
 	}
 	return merged
 }
 func mergeLLMProviderSecrets(existing, patchLLM, merged map[string]any) {
 	patchProviders, _ := patchLLM["providers"].([]any)
 	if len(patchProviders) == 0 {
 		return
 	}
 	existingLLM, _ := existing["llm"].(map[string]any)
 	existingProviders, _ := existingLLM["providers"].([]any)
 	mergedLLM, _ := merged["llm"].(map[string]any)
 	if mergedLLM == nil {
 		return
 	}
 	mergedProviders := make([]any, len(patchProviders))
 	for i, item := range patchProviders {
 		pm, ok := item.(map[string]any)
 		if !ok {
 			mergedProviders[i] = item
 			continue
 		}
 		id, _ := pm["id"].(string)
 		apiKey, _ := pm["api_key"].(string)
 		if strings.TrimSpace(apiKey) == "" && id != "" {
 			for _, ep := range existingProviders {
 				em, ok := ep.(map[string]any)
 				if !ok {
 					continue
 				}
 				if eid, _ := em["id"].(string); eid == id {
 					if ek, ok := em["api_key"].(string); ok && ek != "" {
 						pm["api_key"] = ek
 					}
 				}
 			}
 		}
 		mergedProviders[i] = pm
 	}
 	mergedLLM["providers"] = mergedProviders
 	merged["llm"] = mergedLLM
 }
 func mergeSearchProviderSecrets(existing map[string]any, patchWS map[string]any, merged map[string]any) {
 	patchProviders, _ := patchWS["providers"].([]any)
 	if len(patchProviders) == 0 {
 		return
 	}
 	existingSearch, _ := existing["search"].(map[string]any)
 	existingWS, _ := existingSearch["web_search"].(map[string]any)
 	existingProviders, _ := existingWS["providers"].([]any)
 	mergedSearch, _ := merged["search"].(map[string]any)
 	if mergedSearch == nil {
 		return
 	}
 	mergedWS, _ := mergedSearch["web_search"].(map[string]any)
 	if mergedWS == nil {
 		mergedWS = map[string]any{}
 	}
 	mergedProviders := make([]any, len(patchProviders))
 	for i, item := range patchProviders {
 		pm, ok := item.(map[string]any)
 		if !ok {
 			mergedProviders[i] = item
 			continue
 		}
 		id, _ := pm["id"].(string)
 		apiKey, _ := pm["api_key"].(string)
 		if strings.TrimSpace(apiKey) == "" && id != "" {
 			for _, ep := range existingProviders {
 				em, ok := ep.(map[string]any)
 				if !ok {
 					continue
 				}
 				if eid, _ := em["id"].(string); eid == id {
 					if ek, ok := em["api_key"].(string); ok && ek != "" {
 						pm["api_key"] = ek
 					}
 				}
 			}
 		}
 		mergedProviders[i] = pm
 	}
 	mergedWS["providers"] = mergedProviders
 	mergedSearch["web_search"] = mergedWS
 	merged["search"] = mergedSearch
 }
 func maskOrgPolicy(policy map[string]any) map[string]any {
 	cloned := deepCloneMap(policy)
 	maskStringField(cloned, "nextcloud", "admin_password")
 	maskStringField(cloned, "mailing", "smtp_password")
 	maskStringField(cloned, "onlyoffice", "jwt_secret")
 	maskStringField(cloned, "search", "meilisearch_api_key")
 	maskStringField(cloned, "search", "typesense_api_key")
 	if llm, ok := cloned["llm"].(map[string]any); ok {
 		if providers, ok := llm["providers"].([]any); ok {
 			for i, p := range providers {
 				pm, ok := p.(map[string]any)
 				if !ok {
 					continue
 				}
 				if v, _ := pm["api_key"].(string); strings.TrimSpace(v) != "" {
 					pm["api_key"] = ""
 				}
 				providers[i] = pm
 			}
 			llm["providers"] = providers
 		}
 	}
 	if search, ok := cloned["search"].(map[string]any); ok {
 		if ws, ok := search["web_search"].(map[string]any); ok {
 			if providers, ok := ws["providers"].([]any); ok {
 				for i, p := range providers {
 					pm, ok := p.(map[string]any)
 					if !ok {
 						continue
 					}
 					if v, _ := pm["api_key"].(string); strings.TrimSpace(v) != "" {
 						pm["api_key"] = ""
 					}
 					providers[i] = pm
 				}
 				ws["providers"] = providers
 			}
 		}
 	}
 	return cloned
 }
 func maskStringField(m map[string]any, section, key string) {
 	sec, ok := m[section].(map[string]any)
 	if !ok {
 		return
 	}
 	if v, _ := sec[key].(string); strings.TrimSpace(v) != "" {
 		sec[key] = ""
 	}
 }
 func deepCloneMap(in map[string]any) map[string]any {
 	raw, _ := json.Marshal(in)
 	out := map[string]any{}
 	_ = json.Unmarshal(raw, &out)
 	return out
 }
 func secretConfigured(policy map[string]any, section, key string) bool {
 	sec, ok := policy[section].(map[string]any)
 	if !ok {
 		return false
 	}
 	v, _ := sec[key].(string)
 	return strings.TrimSpace(v) != ""
 }
 func buildOrgSecretsStatus(policy map[string]any, cfg *config.Config) map[string]any {
 	return map[string]any{
 		"nextcloud_admin_password": map[string]any{
 			"configured": secretConfigured(policy, "nextcloud", "admin_password") || strings.TrimSpace(cfg.NCAdminPass) != "",
 		},
 		"mailing_smtp_password": map[string]any{
 			"configured": secretConfigured(policy, "mailing", "smtp_password"),
 		},
 		"onlyoffice_jwt_secret": map[string]any{
 			"configured": secretConfigured(policy, "onlyoffice", "jwt_secret") || strings.TrimSpace(cfg.OnlyOfficeJWTSecret) != "",
 		},
 		"meilisearch_api_key": map[string]any{
 			"configured": secretConfigured(policy, "search", "meilisearch_api_key") || strings.TrimSpace(cfg.MeilisearchKey) != "",
 		},
 		"typesense_api_key": map[string]any{
 			"configured": secretConfigured(policy, "search", "typesense_api_key") || strings.TrimSpace(cfg.TypesenseKey) != "",
 		},
 	}
 }
 func buildOrgEffective(cfg *config.Config) map[string]any {
 	authentikEnabled := strings.TrimSpace(cfg.AuthentikAPIToken) != "" || strings.TrimSpace(cfg.OIDCIssuer) != ""
 	return map[string]any{
 		"authentik": map[string]any{
 			"enabled":   authentikEnabled,
 			"api_url":   cfg.AuthentikAPIURL,
 			"client_id": cfg.OIDCClientID,
 			"issuer":    cfg.OIDCIssuer,
 		},
 		"nextcloud": map[string]any{
 			"enabled":   cfg.NextcloudEnabled,
 			"base_url":  firstNonEmpty(cfg.NextcloudPublicURL, cfg.NextcloudURL),
 			"admin_user": cfg.NCAdminUser,
 		},
 		"onlyoffice": map[string]any{
 			"enabled":             cfg.OnlyOfficeEnabled,
 			"document_server_url": firstNonEmpty(cfg.OnlyOfficePublicURL, cfg.OnlyOfficeURL),
 		},
 		"search": map[string]any{
 			"suite_engine":    cfg.SearchEngine,
 			"meilisearch_url": cfg.MeilisearchURL,
 			"typesense_url":   cfg.TypesenseURL,
 		},
 		"immich": map[string]any{
 			"enabled": cfg.ImmichEnabled,
 			"api_url": cfg.ImmichAPIURL,
 		},
 		"jitsi": map[string]any{
 			"enabled":    cfg.JitsiEnabled,
 			"public_url": cfg.JitsiPublicURL,
 		},
 	}
 }
 func firstNonEmpty(values ...string) string {
 	for _, v := range values {
 		if strings.TrimSpace(v) != "" {
 			return v
 		}
 	}
 	return ""
 }
 func (s *Service) GetOrgSettings(ctx context.Context) (map[string]any, error) {
 	stored, updatedAt, updatedBy, err := s.loadOrgPolicyRaw(ctx)
 	if err != nil {
 		return nil, err
 	}
 	policy := mergeMaps(defaultOrgPolicy(), stored)
 	masked := maskOrgPolicy(policy)
 	return map[string]any{
 		"policy":         masked,
 		"effective":      buildOrgEffective(s.cfg),
 		"secrets":        buildOrgSecretsStatus(policy, s.cfg),
 		"env_vars":       buildOrgEnvVars(),
 		"deploy_locked":  buildOrgDeployLocked(s.cfg),
 		"updated_at":     updatedAt.UTC().Format(time.RFC3339),
 		"updated_by":     updatedBy,
 	}, nil
 }
 func (s *Service) PutOrgSettings(ctx context.Context, actorSub string, patch map[string]any) (map[string]any, error) {
 	stored, _, _, err := s.loadOrgPolicyRaw(ctx)
 	if err != nil {
 		return nil, err
 	}
 	merged := mergeOrgSecrets(stored, patch)
 	raw, err := json.Marshal(merged)
 	if err != nil {
 		return nil, err
 	}
 	_, err = s.db.Exec(ctx, `
 		INSERT INTO org_settings (id, settings, updated_at, updated_by)
 		VALUES ($1, $2, NOW(), $3)
 		ON CONFLICT (id) DO UPDATE SET
 			settings = EXCLUDED.settings,
 			updated_at = NOW(),
 			updated_by = EXCLUDED.updated_by
 	`, orgSettingsSingletonID, raw, actorSub)
 	if err != nil {
 		return nil, err
 	}
 	s.logAudit(ctx, actorSub, "update_org_settings", map[string]any{
 		"sections": mapKeys(patch),
 	})
 	return s.GetOrgSettings(ctx)
 }
 func mapKeys(m map[string]any) []string {
 	keys := make([]string, 0, len(m))
 	for k := range m {
 		keys = append(keys, k)
 	}
 	return keys
 }
 const gibBytes = int64(1024 * 1024 * 1024)
 func policyGibValue(v any, fallback int64) int64 {
 	switch n := v.(type) {
 	case float64:
 		if n > 0 {
 			return int64(n * float64(gibBytes))
 		}
 	case int:
 		if n > 0 {
 			return int64(n) * gibBytes
 		}
 	case int64:
 		if n > 0 {
 			return n * gibBytes
 		}
 	}
 	return fallback * gibBytes
 }
 func (s *Service) applyOrgDefaultQuotas(ctx context.Context, userID string) error {
 	stored, _, _, err := s.loadOrgPolicyRaw(ctx)
 	if err != nil {
 		return err
 	}
 	policy := mergeMaps(defaultOrgPolicy(), stored)
 	storage, _ := policy["storage_quotas"].(map[string]any)
 	const defaultGib = int64(5)
 	mail := policyGibValue(storage["default_mail_gib"], defaultGib)
 	drive := policyGibValue(storage["default_drive_gib"], defaultGib)
 	photos := policyGibValue(storage["default_photos_gib"], defaultGib)
 	_, err = s.db.Exec(ctx, `
 		INSERT INTO settings (user_id, preferences)
 		VALUES (
 			$1,
 			jsonb_build_object(
 				'mail_max_storage_bytes', $2::text,
 				'drive_max_storage_bytes', $3::text,
 				'photos_max_storage_bytes', $4::text
 			)
 		)
 		ON CONFLICT (user_id) DO NOTHING
 	`, userID, mail, drive, photos)
 	return err
 }
--- a/internal/api/admin/org_settings_env.go
+++ b/internal/api/admin/org_settings_env.go
@ -0,0 +1,109 @@
 package admin
 import (
 	"os"
 	"strings"
 	"github.com/ultisuite/ulti-backend/internal/config"
 )
 type envVarSpec struct {
 	Name   string
 	Group  string
 	Secret bool
 }
 var orgEnvVarSpecs = []envVarSpec{
 	// Authentik / OIDC
 	{Name: "ULTID_OIDC_ISSUER", Group: "authentik", Secret: false},
 	{Name: "ULTID_OIDC_CLIENT_ID", Group: "authentik", Secret: false},
 	{Name: "ULTID_OIDC_CLIENT_SECRET", Group: "authentik", Secret: true},
 	{Name: "AUTHENTIK_API_URL", Group: "authentik", Secret: false},
 	{Name: "AUTHENTIK_API_TOKEN", Group: "authentik", Secret: true},
 	// Nextcloud
 	{Name: "NEXTCLOUD_ENABLED", Group: "nextcloud", Secret: false},
 	{Name: "NEXTCLOUD_URL", Group: "nextcloud", Secret: false},
 	{Name: "NC_PUBLIC_URL", Group: "nextcloud", Secret: false},
 	{Name: "NC_ADMIN_USER", Group: "nextcloud", Secret: false},
 	{Name: "NC_ADMIN_PASSWORD", Group: "nextcloud", Secret: true},
 	// OnlyOffice
 	{Name: "ONLYOFFICE_ENABLED", Group: "onlyoffice", Secret: false},
 	{Name: "ONLYOFFICE_URL", Group: "onlyoffice", Secret: false},
 	{Name: "ONLYOFFICE_PUBLIC_URL", Group: "onlyoffice", Secret: false},
 	{Name: "ONLYOFFICE_JWT_SECRET", Group: "onlyoffice", Secret: true},
 	// Search
 	{Name: "SEARCH_ENGINE", Group: "search", Secret: false},
 	{Name: "MEILISEARCH_URL", Group: "search", Secret: false},
 	{Name: "MEILISEARCH_API_KEY", Group: "search", Secret: true},
 	{Name: "TYPESENSE_URL", Group: "search", Secret: false},
 	{Name: "TYPESENSE_API_KEY", Group: "search", Secret: true},
 	// Immich / Jitsi (docker compose modules)
 	{Name: "IMMICH_ENABLED", Group: "immich", Secret: false},
 	{Name: "IMMICH_API_URL", Group: "immich", Secret: false},
 	{Name: "JITSI_ENABLED", Group: "jitsi", Secret: false},
 	{Name: "JITSI_PUBLIC_URL", Group: "jitsi", Secret: false},
 	{Name: "JITSI_APP_SECRET", Group: "jitsi", Secret: true},
 	// Object storage (mail attachments)
 	{Name: "ULTID_RUSTFS_ENDPOINT", Group: "storage", Secret: false},
 	{Name: "ULTID_RUSTFS_ACCESS_KEY", Group: "storage", Secret: true},
 	{Name: "ULTID_RUSTFS_SECRET_KEY", Group: "storage", Secret: true},
 	{Name: "MAIL_ATTACHMENTS_BUCKET", Group: "storage", Secret: false},
 }
 func buildOrgEnvVars() []map[string]any {
 	out := make([]map[string]any, 0, len(orgEnvVarSpecs))
 	for _, spec := range orgEnvVarSpecs {
 		raw, set := os.LookupEnv(spec.Name)
 		entry := map[string]any{
 			"name":   spec.Name,
 			"group":  spec.Group,
 			"set":    set && strings.TrimSpace(raw) != "",
 			"secret": spec.Secret,
 		}
 		if set && !spec.Secret && strings.TrimSpace(raw) != "" {
 			entry["value"] = raw
 		}
 		out = append(out, entry)
 	}
 	return out
 }
 func buildOrgDeployLocked(cfg *config.Config) map[string]any {
 	// Services deployed via Docker Compose: runtime flags come from env, not admin policy toggles.
 	return map[string]any{
 		"nextcloud": map[string]any{
 			"locked": true,
 			"reason": "docker_compose",
 			"fields": []string{"enabled", "base_url", "admin_user", "admin_password"},
 		},
 		"onlyoffice": map[string]any{
 			"locked": true,
 			"reason": "docker_compose",
 			"fields": []string{"enabled", "document_server_url", "jwt_secret", "jwt_header"},
 		},
 		"search": map[string]any{
 			"locked": true,
 			"reason": "docker_compose",
 			"fields": []string{"suite_engine", "meilisearch_url", "meilisearch_api_key", "typesense_url", "typesense_api_key"},
 		},
 		"authentik": map[string]any{
 			"locked": envAuthentikLocked(cfg),
 			"reason": "docker_compose",
 			"fields": []string{"enabled", "api_url", "client_id"},
 		},
 		"plugins": map[string]any{
 			"locked": true,
 			"reason": "docker_compose",
 			"fields": []string{"office-editor"},
 		},
 	}
 }
 func envAuthentikLocked(cfg *config.Config) bool {
 	if cfg == nil {
 		return false
 	}
 	return strings.TrimSpace(cfg.OIDCIssuer) != "" ||
 		strings.TrimSpace(cfg.OIDCClientID) != "" ||
 		strings.TrimSpace(cfg.AuthentikAPIToken) != ""
 }
--- a/internal/api/admin/public_shares.go
+++ b/internal/api/admin/public_shares.go
@ -0,0 +1,194 @@
 package admin
 import (
 	"context"
 	"sort"
 	"strings"
 	"time"
 	"github.com/ultisuite/ulti-backend/internal/api/query"
 	"github.com/ultisuite/ulti-backend/internal/nextcloud"
 	"github.com/ultisuite/ulti-backend/internal/publicshare"
 )
 type PublicSharesList struct {
 	Shares     []map[string]any     `json:"shares"`
 	Pagination query.PaginationMeta `json:"pagination,omitempty"`
 }
 func (s *Service) ListPublicShares(ctx context.Context, params query.ListParams) (PublicSharesList, error) {
 	if s.nc == nil {
 		return PublicSharesList{
 			Shares:     []map[string]any{},
 			Pagination: params.Meta(ptrInt64(0)),
 		}, nil
 	}
 	rows, err := s.db.Query(ctx, `
 		SELECT email, external_id FROM users WHERE status != 'disabled'
 	`)
 	if err != nil {
 		return PublicSharesList{}, err
 	}
 	defer rows.Close()
 	type platformUser struct {
 		email      string
 		externalID string
 	}
 	users := make([]platformUser, 0)
 	for rows.Next() {
 		var u platformUser
 		if err := rows.Scan(&u.email, &u.externalID); err != nil {
 			return PublicSharesList{}, err
 		}
 		users = append(users, u)
 	}
 	if err := rows.Err(); err != nil {
 		return PublicSharesList{}, err
 	}
 	q := strings.ToLower(strings.TrimSpace(params.Q))
 	all := make([]map[string]any, 0)
 	for _, u := range users {
 		ncUser := nextcloud.UserIDFromClaims(u.email, u.externalID)
 		if ncUser == "" {
 			continue
 		}
 		shares, err := s.nc.ListShares(ctx, ncUser, "")
 		if err != nil {
 			s.logger.Debug("list shares for admin audit", "nc_user", ncUser, "error", err)
 			continue
 		}
 		for _, share := range shares {
 			if !nextcloud.IsExternalShare(share) {
 				continue
 			}
 			if q != "" && !publicShareMatchesQuery(share, u.email, q) {
 				continue
 			}
 			entry := map[string]any{
 				"id":                      share.ID,
 				"token":                   share.Token,
 				"path":                    share.Path,
 				"item_type":               share.ItemType,
 				"access_mode":             share.AccessMode,
 				"share_type":              share.ShareType,
 				"permissions":             share.Permissions,
 				"url":                     share.URL,
 				"expires_at":              share.ExpiresAt,
 				"created_at":              share.CreatedAt,
 				"owner_nc_user_id":        ncUser,
 				"owner_email":             strings.ToLower(strings.TrimSpace(u.email)),
 				"owner_display_name":      firstNonEmptyStr(share.OwnerDisplayName, share.FileOwnerDisplayName),
 				"share_with":              share.ShareWith,
 				"share_with_display_name": share.ShareWithDisplayName,
 				"has_password":            share.HasPassword,
 				"label":                   share.Label,
 			}
 			all = append(all, entry)
 		}
 	}
 	sort.Slice(all, func(i, j int) bool {
 		return shareCreatedAt(all[i]).After(shareCreatedAt(all[j]))
 	})
 	tokens := make([]string, 0, len(all))
 	for _, item := range all {
 		if t, _ := item["token"].(string); t != "" {
 			tokens = append(tokens, t)
 		}
 	}
 	access, err := publicshare.Lookup(ctx, s.db, tokens)
 	if err != nil {
 		return PublicSharesList{}, err
 	}
 	for _, item := range all {
 		token, _ := item["token"].(string)
 		if stats, ok := access[token]; ok {
 			item["last_access_at"] = stats.LastAccessAt.UTC().Format(time.RFC3339)
 			item["access_count"] = stats.AccessCount
 		} else {
 			item["last_access_at"] = nil
 			item["access_count"] = int64(0)
 		}
 	}
 	total := int64(len(all))
 	start := params.Offset()
 	if start > len(all) {
 		start = len(all)
 	}
 	end := start + params.Limit()
 	if end > len(all) {
 		end = len(all)
 	}
 	page := all[start:end]
 	return PublicSharesList{
 		Shares:     page,
 		Pagination: params.Meta(&total),
 	}, nil
 }
 func (s *Service) RevokePublicShare(ctx context.Context, actorSub, shareID, ownerNCUserID string) error {
 	if s.nc == nil {
 		return ErrNotFound
 	}
 	shareID = strings.TrimSpace(shareID)
 	ownerNCUserID = strings.TrimSpace(ownerNCUserID)
 	if shareID == "" || ownerNCUserID == "" {
 		return ErrNotFound
 	}
 	if err := s.nc.DeleteShare(ctx, ownerNCUserID, shareID); err != nil {
 		return err
 	}
 	s.logAudit(ctx, actorSub, "revoke_public_share", map[string]any{
 		"share_id":         shareID,
 		"owner_nc_user_id": ownerNCUserID,
 	})
 	return nil
 }
 func publicShareMatchesQuery(share nextcloud.ShareInfo, ownerEmail, q string) bool {
 	haystack := strings.ToLower(strings.Join([]string{
 		share.Path,
 		share.Token,
 		share.URL,
 		share.ShareWith,
 		share.ShareWithDisplayName,
 		share.OwnerDisplayName,
 		share.FileOwnerDisplayName,
 		ownerEmail,
 		share.Label,
 		share.Note,
 	}, " "))
 	return strings.Contains(haystack, q)
 }
 func shareCreatedAt(item map[string]any) time.Time {
 	raw, _ := item["created_at"].(string)
 	if raw == "" {
 		return time.Time{}
 	}
 	t, err := time.Parse(time.RFC3339, raw)
 	if err != nil {
 		return time.Time{}
 	}
 	return t
 }
 func firstNonEmptyStr(values ...string) string {
 	for _, v := range values {
 		if strings.TrimSpace(v) != "" {
 			return strings.TrimSpace(v)
 		}
 	}
 	return ""
 }
 func ptrInt64(v int64) *int64 {
 	return &v
 }
--- a/internal/api/admin/public_shares_handlers.go
+++ b/internal/api/admin/public_shares_handlers.go
@ -0,0 +1,59 @@
 package admin
 import (
 	"errors"
 	"net/http"
 	"strings"
 	"github.com/go-chi/chi/v5"
 	"github.com/ultisuite/ulti-backend/internal/api/apiresponse"
 	"github.com/ultisuite/ulti-backend/internal/api/apivalidate"
 	"github.com/ultisuite/ulti-backend/internal/api/middleware"
 	"github.com/ultisuite/ulti-backend/internal/api/query"
 )
 func (h *Handler) ListPublicShares(w http.ResponseWriter, r *http.Request) {
 	params, err := query.ParseListRequest(r)
 	if err != nil {
 		apivalidate.WriteQueryError(w, r, err)
 		return
 	}
 	result, err := h.svc.ListPublicShares(r.Context(), params)
 	if err != nil {
 		h.logger.Error("list public shares", "error", err)
 		apivalidate.WriteInternal(w, r)
 		return
 	}
 	apiresponse.WriteJSON(w, http.StatusOK, result)
 }
 func (h *Handler) RevokePublicShare(w http.ResponseWriter, r *http.Request) {
 	shareID := strings.TrimSpace(chi.URLParam(r, "shareID"))
 	if shareID == "" {
 		apivalidate.WriteValidationError(w, r, apivalidate.NewValidationError(
 			apivalidate.FieldDetail{Field: "shareID", Message: "required"},
 		))
 		return
 	}
 	claims := middleware.ClaimsFromContext(r.Context())
 	owner := strings.TrimSpace(r.URL.Query().Get("owner_nc_user_id"))
 	if owner == "" {
 		apivalidate.WriteValidationError(w, r, apivalidate.NewValidationError(
 			apivalidate.FieldDetail{Field: "owner_nc_user_id", Message: "required"},
 		))
 		return
 	}
 	if err := h.svc.RevokePublicShare(r.Context(), claims.Sub, shareID, owner); err != nil {
 		if errors.Is(err, ErrNotFound) {
 			apivalidate.WriteNotFound(w, r, "not found")
 			return
 		}
 		h.logger.Error("revoke public share", "error", err, "share_id", shareID)
 		apivalidate.WriteInternal(w, r)
 		return
 	}
 	w.WriteHeader(http.StatusNoContent)
 }
--- a/internal/api/admin/service.go
+++ b/internal/api/admin/service.go
@ -17,7 +17,11 @@ import (
 	"github.com/jackc/pgx/v5/pgxpool"
 	"github.com/ultisuite/ulti-backend/internal/api/query"
 	"github.com/ultisuite/ulti-backend/internal/config"
 	"github.com/ultisuite/ulti-backend/internal/nextcloud"
 	"github.com/ultisuite/ulti-backend/internal/permission"
 	"github.com/ultisuite/ulti-backend/internal/securityaudit"
 	platformusers "github.com/ultisuite/ulti-backend/internal/users"
 )
 var ErrNotFound = errors.New("not found")
@ -25,13 +29,17 @@ var ErrNotFound = errors.New("not found")
 type Service struct {
 	db     *pgxpool.Pool
 	audit  *securityaudit.Logger
 	cfg    *config.Config
 	nc     *nextcloud.Client
 	logger *slog.Logger
 }
-func NewService(db *pgxpool.Pool, audit *securityaudit.Logger) *Service {
+func NewService(db *pgxpool.Pool, audit *securityaudit.Logger, cfg *config.Config, nc *nextcloud.Client) *Service {
 	return &Service{
 		db:     db,
 		audit:  audit,
 		cfg:    cfg,
 		nc:     nc,
 		logger: slog.Default().With("component", "admin-service"),
 	}
 }
@ -43,6 +51,7 @@ type UsersList struct {
 type UserFilter struct {
 	Status string
 	Role   string
 	Q      string
 }
@ -56,7 +65,7 @@ func (s *Service) ListUsers(ctx context.Context, params query.ListParams, filter
 	}
 	listSQL := `
-		SELECT id, external_id, email, name, status, invited_at, disabled_at, created_at, updated_at
+		SELECT id, external_id, email, name, status, platform_admin, invited_at, disabled_at, created_at, updated_at
 		FROM users` + whereSQL + `
 		ORDER BY created_at DESC
 		LIMIT $` + strconv.Itoa(len(args)+1) + ` OFFSET $` + strconv.Itoa(len(args)+2)
@ -70,27 +79,18 @@ func (s *Service) ListUsers(ctx context.Context, params query.ListParams, filter
 	users := make([]map[string]any, 0)
 	for rows.Next() {
-		var id, extID, email, name, status string
+		user, err := scanUserRow(rows)
-		var invitedAt, disabledAt *time.Time
+		if err != nil {
 		var createdAt, updatedAt time.Time
 		if err := rows.Scan(&id, &extID, &email, &name, &status, &invitedAt, &disabledAt, &createdAt, &updatedAt); err != nil {
 			return UsersList{}, err
 		}
-		users = append(users, map[string]any{
+		users = append(users, user)
 			"id":          id,
 			"external_id": extID,
 			"email":       email,
 			"name":        name,
 			"status":      status,
 			"invited_at":  invitedAt,
 			"disabled_at": disabledAt,
 			"created_at":  createdAt,
 			"updated_at":  updatedAt,
 		})
 	}
 	if err := rows.Err(); err != nil {
 		return UsersList{}, err
 	}
 	if err := s.attachUsersStorage(ctx, users); err != nil {
 		return UsersList{}, err
 	}
 	return UsersList{
 		Users:      users,
@ -99,8 +99,20 @@ func (s *Service) ListUsers(ctx context.Context, params query.ListParams, filter
 }
 func buildUserFilter(filter UserFilter) (string, []any) {
-	clauses := make([]string, 0, 2)
+	clauses := make([]string, 0, 3)
-	args := make([]any, 0, 2)
+	args := make([]any, 0, 3)
 	if role := strings.TrimSpace(filter.Role); role != "" {
 		switch permission.AccountRole(role) {
 		case permission.AccountRoleAdmin:
 			clauses = append(clauses, "platform_admin = true AND status = 'active'")
 		case permission.AccountRoleUser:
 			clauses = append(clauses, "platform_admin = false AND status = 'active'")
 		case permission.AccountRoleGuest:
 			clauses = append(clauses, "status = 'invited'")
 		case permission.AccountRoleSuspended:
 			clauses = append(clauses, "status = 'disabled'")
 		}
 	}
 	if strings.TrimSpace(filter.Status) != "" {
 		args = append(args, strings.TrimSpace(filter.Status))
 		clauses = append(clauses, "status = $"+strconv.Itoa(len(args)))
@ -118,27 +130,19 @@ func buildUserFilter(filter UserFilter) (string, []any) {
 }
 func (s *Service) GetUser(ctx context.Context, userID string) (map[string]any, error) {
-	var id, extID, email, name, status string
+	row := s.db.QueryRow(ctx, `
-	var invitedAt, disabledAt *time.Time
+		SELECT id, external_id, email, name, status, platform_admin, invited_at, disabled_at, created_at, updated_at
 	var createdAt, updatedAt time.Time
 	err := s.db.QueryRow(ctx, `
 		SELECT id, external_id, email, name, status, invited_at, disabled_at, created_at, updated_at
 		FROM users WHERE id = $1
-	`, userID).Scan(&id, &extID, &email, &name, &status, &invitedAt, &disabledAt, &createdAt, &updatedAt)
+	`, userID)
 	user, err := scanUserRow(row)
 	if err != nil {
 		if errors.Is(err, pgx.ErrNoRows) {
 			return nil, ErrNotFound
 		}
 		return nil, err
 	}
-
+	mailCount, mailUsedStorage, err := s.mailUsageForUser(ctx, userID)
-	var mailCount, mailUsedStorage int64
+	if err != nil {
 	if err := s.db.QueryRow(ctx, `
 		SELECT COALESCE(COUNT(*), 0), COALESCE(SUM(COALESCE(m.raw_size, 0)), 0)
 		FROM messages m
 		JOIN mail_accounts ma ON m.account_id = ma.id
 		WHERE ma.user_id = $1
 	`, userID).Scan(&mailCount, &mailUsedStorage); err != nil {
 		return nil, err
 	}
@ -153,34 +157,136 @@ func (s *Service) GetUser(ctx context.Context, userID string) (map[string]any, e
 		return nil, err
 	}
-	return map[string]any{
+	email, _ := user["email"].(string)
-		"id":          id,
+	extID, _ := user["external_id"].(string)
-		"external_id": extID,
+	driveUsedStorage := s.driveUsageForUser(ctx, email, extID)
-		"email":       email,
+
-		"name":        name,
+	user["quota"] = map[string]any{
 		"status":      status,
 		"invited_at":  invitedAt,
 		"disabled_at": disabledAt,
 		"created_at":  createdAt,
 		"updated_at":  updatedAt,
 		"quota": map[string]any{
 			"mail": map[string]any{
 				"count":              mailCount,
 				"used_storage_bytes": mailUsedStorage,
 				"max_storage_bytes":  mailMax,
 			},
 			"drive": map[string]any{
-				"used_storage_bytes": int64(0),
+				"used_storage_bytes": driveUsedStorage,
 				"max_storage_bytes":  driveMax,
 			},
 			"photos": map[string]any{
 				"used_storage_bytes": int64(0),
 				"max_storage_bytes":  photosMax,
 			},
-		},
+		}
 	return user, nil
 }
 type userRowScanner interface {
 	Scan(dest ...any) error
 }
 func scanUserRow(row userRowScanner) (map[string]any, error) {
 	var id, extID, email, name, status string
 	var platformAdmin bool
 	var invitedAt, disabledAt *time.Time
 	var createdAt, updatedAt time.Time
 	if err := row.Scan(&id, &extID, &email, &name, &status, &platformAdmin, &invitedAt, &disabledAt, &createdAt, &updatedAt); err != nil {
 		return nil, err
 	}
 	return map[string]any{
 		"id":              id,
 		"external_id":     extID,
 		"email":           email,
 		"name":            name,
 		"status":          status,
 		"platform_admin":  platformAdmin,
 		"role":            string(permission.DeriveAccountRole(platformAdmin, status)),
 		"invited_at":      invitedAt,
 		"disabled_at":     disabledAt,
 		"created_at":      createdAt,
 		"updated_at":      updatedAt,
 	}, nil
 }
 func (s *Service) SetUserRole(ctx context.Context, actorSub, userID, role string) (map[string]any, error) {
 	accountRole, ok := permission.ParseAccountRole(role)
 	if !ok {
 		return nil, fmt.Errorf("invalid role")
 	}
 	var extID string
 	var currentAdmin bool
 	var currentStatus string
 	err := s.db.QueryRow(ctx, `
 		SELECT external_id, platform_admin, status FROM users WHERE id = $1
 	`, userID).Scan(&extID, &currentAdmin, &currentStatus)
 	if err != nil {
 		if errors.Is(err, pgx.ErrNoRows) {
 			return nil, ErrNotFound
 		}
 		return nil, err
 	}
 	if currentAdmin && accountRole != permission.AccountRoleAdmin {
 		count, err := platformusers.CountPlatformAdmins(ctx, s.db)
 		if err != nil {
 			return nil, err
 		}
 		if count <= 1 {
 			return nil, platformusers.ErrLastPlatformAdmin
 		}
 	}
 	switch accountRole {
 	case permission.AccountRoleAdmin:
 		_, err = s.db.Exec(ctx, `
 			UPDATE users
 			SET platform_admin = true,
 			    status = 'active',
 			    disabled_at = NULL,
 			    updated_at = NOW()
 			WHERE id = $1
 		`, userID)
 	case permission.AccountRoleUser:
 		_, err = s.db.Exec(ctx, `
 			UPDATE users
 			SET platform_admin = false,
 			    status = 'active',
 			    disabled_at = NULL,
 			    updated_at = NOW()
 			WHERE id = $1
 		`, userID)
 	case permission.AccountRoleGuest:
 		_, err = s.db.Exec(ctx, `
 			UPDATE users
 			SET platform_admin = false,
 			    status = 'invited',
 			    invited_at = COALESCE(invited_at, NOW()),
 			    disabled_at = NULL,
 			    updated_at = NOW()
 			WHERE id = $1
 		`, userID)
 	case permission.AccountRoleSuspended:
 		_, err = s.db.Exec(ctx, `
 			UPDATE users
 			SET platform_admin = false,
 			    status = 'disabled',
 			    disabled_at = NOW(),
 			    updated_at = NOW()
 			WHERE id = $1
 		`, userID)
 	}
 	if err != nil {
 		return nil, err
 	}
 	s.logAudit(ctx, actorSub, "set_user_role", map[string]any{
 		"target_user": userID,
 		"role":        accountRole,
 		"from_status": currentStatus,
 		"from_admin":  currentAdmin,
 	})
 	return s.GetUser(ctx, userID)
 }
 func (s *Service) CreateUser(ctx context.Context, actorSub string, req createUserRequest) (map[string]any, error) {
 	var id string
 	if err := s.db.QueryRow(ctx, `
@ -196,6 +302,9 @@ func (s *Service) CreateUser(ctx context.Context, actorSub string, req createUse
 		"email":        strings.ToLower(strings.TrimSpace(req.Email)),
 		"initial_name": strings.TrimSpace(req.Name),
 	})
 	if err := s.applyOrgDefaultQuotas(ctx, id); err != nil {
 		return nil, err
 	}
 	return s.GetUser(ctx, id)
 }
@ -213,6 +322,9 @@ func (s *Service) InviteUser(ctx context.Context, actorSub string, req inviteUse
 		"target_user": id,
 		"email":       strings.ToLower(strings.TrimSpace(req.Email)),
 	})
 	if err := s.applyOrgDefaultQuotas(ctx, id); err != nil {
 		return nil, err
 	}
 	return s.GetUser(ctx, id)
 }
@ -530,11 +642,20 @@ func (s *Service) GetStats(ctx context.Context) (map[string]any, error) {
 		SELECT COUNT(*) FROM (
 			SELECT
 				u.id,
-				COALESCE(SUM(COALESCE(m.raw_size, 0)), 0) AS used_storage,
+				COALESCE(SUM(
 					octet_length(COALESCE(m.body_text, '')) +
 					octet_length(COALESCE(m.body_html, '')) +
 					COALESCE(att.attachment_bytes, 0)
 				), 0) AS used_storage,
 				COALESCE((s.preferences->>'mail_max_storage_bytes')::bigint, 5368709120) AS max_storage
 			FROM users u
 			LEFT JOIN mail_accounts ma ON ma.user_id = u.id
 			LEFT JOIN messages m ON m.account_id = ma.id
 			LEFT JOIN (
 				SELECT message_id, SUM(size) AS attachment_bytes
 				FROM attachments
 				GROUP BY message_id
 			) att ON att.message_id = m.id
 			LEFT JOIN settings s ON s.user_id = u.id
 			GROUP BY u.id, s.preferences
 		) q
@ -557,12 +678,202 @@ func (s *Service) GetStats(ctx context.Context) (map[string]any, error) {
 	stats["quotas"] = map[string]any{
 		"users_near_mail_quota_90pct": usersNearMailQuota,
 	}
 	storage, err := s.globalStorageStats(ctx)
 	if err != nil {
 		return nil, err
 	}
 	stats["storage"] = storage
 	stats["audit"] = map[string]any{
 		"top_actors_7d": topActors,
 	}
 	return stats, nil
 }
 const defaultQuotaBytes int64 = 5368709120
 func (s *Service) globalStorageStats(ctx context.Context) (map[string]any, error) {
 	var mailUsed int64
 	if err := s.db.QueryRow(ctx, `
 		SELECT COALESCE(SUM(
 			octet_length(COALESCE(m.body_text, '')) +
 			octet_length(COALESCE(m.body_html, '')) +
 			COALESCE(att.attachment_bytes, 0)
 		), 0)
 		FROM messages m
 		LEFT JOIN (
 			SELECT message_id, SUM(size) AS attachment_bytes
 			FROM attachments
 			GROUP BY message_id
 		) att ON att.message_id = m.id
 	`).Scan(&mailUsed); err != nil {
 		return nil, err
 	}
 	var mailAllocated, driveAllocated, photosAllocated int64
 	if err := s.db.QueryRow(ctx, `
 		SELECT
 			COALESCE(SUM(COALESCE((s.preferences->>'mail_max_storage_bytes')::bigint, $1)), 0),
 			COALESCE(SUM(COALESCE((s.preferences->>'drive_max_storage_bytes')::bigint, $1)), 0),
 			COALESCE(SUM(COALESCE((s.preferences->>'photos_max_storage_bytes')::bigint, $1)), 0)
 		FROM users u
 		LEFT JOIN settings s ON s.user_id = u.id
 	`, defaultQuotaBytes).Scan(&mailAllocated, &driveAllocated, &photosAllocated); err != nil {
 		return nil, err
 	}
 	driveUsed := s.sumDriveUsageAllUsers(ctx)
 	return map[string]any{
 		"mail": map[string]any{
 			"used_bytes":      mailUsed,
 			"allocated_bytes": mailAllocated,
 		},
 		"drive": map[string]any{
 			"used_bytes":      driveUsed,
 			"allocated_bytes": driveAllocated,
 			"tracked":         s.nc != nil,
 		},
 		"photos": map[string]any{
 			"used_bytes":      int64(0),
 			"allocated_bytes": photosAllocated,
 			"tracked":         false,
 		},
 	}, nil
 }
 func (s *Service) sumDriveUsageAllUsers(ctx context.Context) int64 {
 	if s.nc == nil {
 		return 0
 	}
 	rows, err := s.db.Query(ctx, `
 		SELECT email, external_id FROM users WHERE status != 'disabled'
 	`)
 	if err != nil {
 		s.logger.Debug("drive usage aggregate failed", "error", err)
 		return 0
 	}
 	defer rows.Close()
 	var total int64
 	for rows.Next() {
 		var email, externalID string
 		if err := rows.Scan(&email, &externalID); err != nil {
 			continue
 		}
 		total += s.driveUsageForUser(ctx, email, externalID)
 	}
 	return total
 }
 func (s *Service) attachUsersStorage(ctx context.Context, users []map[string]any) error {
 	if len(users) == 0 {
 		return nil
 	}
 	ids := make([]string, 0, len(users))
 	byID := make(map[string]map[string]any, len(users))
 	for _, user := range users {
 		id, _ := user["id"].(string)
 		if id == "" {
 			continue
 		}
 		ids = append(ids, id)
 		byID[id] = user
 	}
 	mailUsed, err := s.mailUsageByUserIDs(ctx, ids)
 	if err != nil {
 		return err
 	}
 	for id, user := range byID {
 		email, _ := user["email"].(string)
 		extID, _ := user["external_id"].(string)
 		user["storage"] = map[string]any{
 			"mail_used_bytes":  mailUsed[id],
 			"drive_used_bytes": s.driveUsageForUser(ctx, email, extID),
 		}
 	}
 	return nil
 }
 func (s *Service) mailUsageByUserIDs(ctx context.Context, userIDs []string) (map[string]int64, error) {
 	out := make(map[string]int64, len(userIDs))
 	if len(userIDs) == 0 {
 		return out, nil
 	}
 	rows, err := s.db.Query(ctx, `
 		SELECT
 			ma.user_id::text,
 			COALESCE(SUM(
 				octet_length(COALESCE(m.body_text, '')) +
 				octet_length(COALESCE(m.body_html, '')) +
 				COALESCE(att.attachment_bytes, 0)
 			), 0)
 		FROM mail_accounts ma
 		LEFT JOIN messages m ON m.account_id = ma.id
 		LEFT JOIN (
 			SELECT message_id, SUM(size) AS attachment_bytes
 			FROM attachments
 			GROUP BY message_id
 		) att ON att.message_id = m.id
 		WHERE ma.user_id = ANY($1::uuid[])
 		GROUP BY ma.user_id
 	`, userIDs)
 	if err != nil {
 		return nil, err
 	}
 	defer rows.Close()
 	for rows.Next() {
 		var userID string
 		var used int64
 		if err := rows.Scan(&userID, &used); err != nil {
 			return nil, err
 		}
 		out[userID] = used
 	}
 	return out, rows.Err()
 }
 func (s *Service) mailUsageForUser(ctx context.Context, userID string) (count, bytes int64, err error) {
 	err = s.db.QueryRow(ctx, `
 		SELECT
 			COALESCE(COUNT(m.id), 0),
 			COALESCE(SUM(
 				octet_length(COALESCE(m.body_text, '')) +
 				octet_length(COALESCE(m.body_html, '')) +
 				COALESCE(att.attachment_bytes, 0)
 			), 0)
 		FROM messages m
 		JOIN mail_accounts ma ON m.account_id = ma.id
 		LEFT JOIN (
 			SELECT message_id, SUM(size) AS attachment_bytes
 			FROM attachments
 			GROUP BY message_id
 		) att ON att.message_id = m.id
 		WHERE ma.user_id = $1
 	`, userID).Scan(&count, &bytes)
 	return count, bytes, err
 }
 func (s *Service) driveUsageForUser(ctx context.Context, email, externalID string) int64 {
 	if s.nc == nil {
 		return 0
 	}
 	ncUserID := nextcloud.UserIDFromClaims(email, externalID)
 	if ncUserID == "" {
 		return 0
 	}
 	quota, err := s.nc.GetQuota(ctx, ncUserID)
 	if err != nil {
 		s.logger.Debug("drive quota lookup failed", "nc_user", ncUserID, "error", err)
 		return 0
 	}
 	if quota.Used < 0 {
 		return 0
 	}
 	return quota.Used
 }
 func (s *Service) logAudit(ctx context.Context, actor, action string, details map[string]any) {
 	if s.audit == nil {
 		return
--- a/internal/api/admin/validate.go
+++ b/internal/api/admin/validate.go
@ -7,6 +7,7 @@ import (
 	"strings"
 	"github.com/ultisuite/ulti-backend/internal/api/apivalidate"
 	"github.com/ultisuite/ulti-backend/internal/permission"
 )
 const maxQuotaRequestBody = 4 << 10
@ -126,3 +127,31 @@ func validateUserID(userID string) *apivalidate.ValidationError {
 	}
 	return nil
 }
 type setUserRoleRequest struct {
 	Role string `json:"role"`
 }
 func validateSetUserRole(req *setUserRoleRequest) *apivalidate.ValidationError {
 	if _, ok := permission.ParseAccountRole(req.Role); !ok {
 		return apivalidate.NewValidationError(apivalidate.FieldDetail{
 			Field:   "role",
 			Message: "must be one of: admin,user,guest,suspended",
 		})
 	}
 	return nil
 }
 func validateAccountRoleFilter(raw string) (string, *apivalidate.ValidationError) {
 	role := strings.ToLower(strings.TrimSpace(raw))
 	if role == "" {
 		return "", nil
 	}
 	if _, ok := permission.ParseAccountRole(role); !ok {
 		return "", apivalidate.NewValidationError(apivalidate.FieldDetail{
 			Field:   "role",
 			Message: "must be one of: admin,user,guest,suspended",
 		})
 	}
 	return role, nil
 }
--- a/internal/api/drive/public_service.go
+++ b/internal/api/drive/public_service.go
@ -17,7 +17,11 @@ func (s *Service) UploadPublicShare(ctx context.Context, token, filePath, passwo
 	if !nextcloud.PublicShareCanCreate(perms) && !nextcloud.PublicShareCanUpdate(perms) {
 		return ErrForbidden
 	}
-	return mapPublicShareError(s.nc.UploadPublicShare(ctx, token, filePath, password, body, contentType))
+	if err := mapPublicShareError(s.nc.UploadPublicShare(ctx, token, filePath, password, body, contentType)); err != nil {
 		return err
 	}
 	s.recordPublicShareAccess(ctx, token)
 	return nil
 }
 func (s *Service) CreatePublicShareFolder(ctx context.Context, token, folderPath, password string) error {
--- a/internal/api/drive/service.go
+++ b/internal/api/drive/service.go
@ -20,6 +20,7 @@ import (
 	"github.com/ultisuite/ulti-backend/internal/automation"
 	"github.com/ultisuite/ulti-backend/internal/mail/rules"
 	"github.com/ultisuite/ulti-backend/internal/nextcloud"
 	"github.com/ultisuite/ulti-backend/internal/publicshare"
 	"github.com/ultisuite/ulti-backend/internal/realtime"
 )
@ -362,6 +363,7 @@ func (s *Service) GetPublicShare(ctx context.Context, token, path, password stri
 	if err != nil {
 		return nil, mapPublicShareError(err)
 	}
 	s.recordPublicShareAccess(ctx, token)
 	return view, nil
 }
@ -370,6 +372,7 @@ func (s *Service) DownloadPublicShare(ctx context.Context, token, filePath, pass
 	if err != nil {
 		return nil, "", mapPublicShareError(err)
 	}
 	s.recordPublicShareAccess(ctx, token)
 	return body, contentType, nil
 }
@ -378,9 +381,14 @@ func (s *Service) PreviewPublicShare(ctx context.Context, token, filePath, passw
 	if err != nil {
 		return nil, "", mapPublicShareError(err)
 	}
 	s.recordPublicShareAccess(ctx, token)
 	return body, contentType, nil
 }
 func (s *Service) recordPublicShareAccess(ctx context.Context, token string) {
 	publicshare.RecordAccess(ctx, s.db, token)
 }
 func (s *Service) rewriteShareURL(share *nextcloud.ShareInfo) {
 	if share == nil || s.nc == nil {
 		return
--- a/internal/api/middleware/auth.go
+++ b/internal/api/middleware/auth.go
@ -118,14 +118,17 @@ func Auth(verifier *auth.Holder, db *pgxpool.Pool, audit *securityaudit.Logger)
 				}
 				return
 			}
 			claims.Groups = permission.WithSuiteDefaults(claims.Groups)
 			if db != nil {
 				if _, err := users.EnsureUser(r.Context(), db, claims); err != nil {
 					slog.Error("provision user", "sub", claims.Sub, "error", err)
 					apiresponse.WriteError(w, r, http.StatusInternalServerError, apiresponse.CodeInternal, "failed to provision user", nil)
 					return
 				}
 				if err := users.ApplyAccountGroups(r.Context(), db, claims); err != nil {
 					slog.Error("apply account groups", "sub", claims.Sub, "error", err)
 					apiresponse.WriteError(w, r, http.StatusInternalServerError, apiresponse.CodeInternal, "failed to read user privileges", nil)
 					return
 				}
 				var disabled bool
 				if err := db.QueryRow(r.Context(), `
 					SELECT status = 'disabled' FROM users WHERE external_id = $1
@ -145,6 +148,8 @@ func Auth(verifier *auth.Holder, db *pgxpool.Pool, audit *securityaudit.Logger)
 					}
 					return
 				}
 			} else {
 				claims.Groups = permission.WithSuiteDefaults(claims.Groups)
 			}
 			if audit != nil {
--- a/internal/api/middleware/rbac.go
+++ b/internal/api/middleware/rbac.go
@ -45,6 +45,26 @@ func RequirePermission(resource permission.Resource, level permission.Level) fun
 	}
 }
 // RequireFullAccount blocks guest (invited) accounts from full-suite modules.
 func RequireFullAccount(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if ApiTokenFromContext(r.Context()) != nil {
 			next.ServeHTTP(w, r)
 			return
 		}
 		claims := ClaimsFromContext(r.Context())
 		if claims == nil {
 			apiresponse.WriteError(w, r, http.StatusUnauthorized, apiresponse.CodeAuthUnauthorized, "unauthorized", nil)
 			return
 		}
 		if permission.HasRole(claims.Groups, permission.RoleGuest) {
 			apiresponse.WriteError(w, r, http.StatusForbidden, apiresponse.CodeAuthForbidden, "guest accounts may only access shared drive content", nil)
 			return
 		}
 		next.ServeHTTP(w, r)
 	})
 }
 func RequireAdminScope(scope permission.AdminScope) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
--- a/internal/api/users/handlers.go
+++ b/internal/api/users/handlers.go
@ -0,0 +1,59 @@
 package users
 import (
 	"log/slog"
 	"net/http"
 	"github.com/go-chi/chi/v5"
 	"github.com/jackc/pgx/v5/pgxpool"
 	"github.com/ultisuite/ulti-backend/internal/api/apiresponse"
 	"github.com/ultisuite/ulti-backend/internal/api/apivalidate"
 	"github.com/ultisuite/ulti-backend/internal/api/middleware"
 	"github.com/ultisuite/ulti-backend/internal/permission"
 	platformusers "github.com/ultisuite/ulti-backend/internal/users"
 )
 type Handler struct {
 	db     *pgxpool.Pool
 	logger *slog.Logger
 }
 func NewHandler(db *pgxpool.Pool) *Handler {
 	return &Handler{
 		db:     db,
 		logger: slog.Default().With("component", "users-api"),
 	}
 }
 func (h *Handler) Routes() chi.Router {
 	r := chi.NewRouter()
 	r.Get("/me", h.Me)
 	return r
 }
 func (h *Handler) Me(w http.ResponseWriter, r *http.Request) {
 	claims := middleware.ClaimsFromContext(r.Context())
 	if claims == nil {
 		apiresponse.WriteError(w, r, http.StatusUnauthorized, apiresponse.CodeAuthUnauthorized, "unauthorized", nil)
 		return
 	}
 	state, err := platformusers.GetAccountState(r.Context(), h.db, claims.Sub)
 	if err != nil {
 		h.logger.Error("read account state", "error", err)
 		apivalidate.WriteInternal(w, r)
 		return
 	}
 	role := permission.DeriveAccountRole(state.PlatformAdmin, state.Status)
 	apiresponse.WriteJSON(w, http.StatusOK, map[string]any{
 		"sub":            claims.Sub,
 		"email":          claims.Email,
 		"name":           claims.Name,
 		"status":         state.Status,
 		"platform_admin": state.PlatformAdmin,
 		"role":           role,
 		"groups":         claims.Groups,
 	})
 }
--- a/internal/integrationtest/admin/org_settings_test.go
+++ b/internal/integrationtest/admin/org_settings_test.go
@ -0,0 +1,59 @@
 //go:build integration
 package admin_test
 import (
 	"testing"
 	"github.com/ultisuite/ulti-backend/internal/integrationtest"
 )
 func TestAdminOrgSettings(t *testing.T) {
 	h := integrationtest.RequireHarness(t)
 	adminClient, _ := integrationtest.RequireAdminClient(t, h)
 	getResp, err := adminClient.Get("/api/v1/admin/org/settings")
 	integrationtest.FailIf(err, t, "get org settings")
 	integrationtest.FailUnlessStatus(t, getResp, 200)
 	var initial map[string]any
 	integrationtest.DecodeJSON(t, getResp, &initial)
 	policy, ok := initial["policy"].(map[string]any)
 	if !ok {
 		t.Fatalf("missing policy: %#v", initial)
 	}
 	storage, ok := policy["storage_quotas"].(map[string]any)
 	if !ok {
 		t.Fatalf("missing storage_quotas: %#v", policy)
 	}
 	if storage["default_mail_gib"] == nil {
 		t.Fatalf("expected default_mail_gib in policy")
 	}
 	putResp, err := adminClient.Put("/api/v1/admin/org/settings", map[string]any{
 		"policy": map[string]any{
 			"storage_quotas": map[string]any{
 				"default_mail_gib": 10,
 			},
 			"usage_quotas": map[string]any{
 				"llm_requests_per_day": 200,
 			},
 		},
 	})
 	integrationtest.FailIf(err, t, "put org settings")
 	integrationtest.FailUnlessStatus(t, putResp, 200)
 	var updated map[string]any
 	integrationtest.DecodeJSON(t, putResp, &updated)
 	updatedPolicy, ok := updated["policy"].(map[string]any)
 	if !ok {
 		t.Fatalf("missing policy after update: %#v", updated)
 	}
 	updatedStorage, ok := updatedPolicy["storage_quotas"].(map[string]any)
 	if !ok {
 		t.Fatalf("missing storage_quotas after update")
 	}
 	if updatedStorage["default_mail_gib"] != float64(10) {
 		t.Fatalf("default_mail_gib = %v, want 10", updatedStorage["default_mail_gib"])
 	}
 }
--- a/internal/integrationtest/auth/first_admin_test.go
+++ b/internal/integrationtest/auth/first_admin_test.go
@ -0,0 +1,66 @@
 //go:build integration
 package auth_test
 import (
 	"context"
 	"testing"
 	"github.com/ultisuite/ulti-backend/internal/integrationtest"
 	"github.com/ultisuite/ulti-backend/internal/users"
 )
 func TestPlatformAdminAccessAfterGrant(t *testing.T) {
 	h := integrationtest.RequireHarness(t)
 	externalID := integrationtest.NewExternalID("plat-admin")
 	claims := integrationtest.RegularUser(externalID)
 	if _, err := users.EnsureUser(context.Background(), h.Pool, claims); err != nil {
 		t.Fatalf("ensure user: %v", err)
 	}
 	if err := users.GrantPlatformAdmin(context.Background(), h.Pool, externalID); err != nil {
 		t.Fatalf("grant platform admin: %v", err)
 	}
 	client, err := h.Client(claims)
 	integrationtest.FailIf(err, t, "client")
 	meResp, err := client.Get("/api/v1/users/me")
 	integrationtest.FailIf(err, t, "GET /users/me")
 	integrationtest.FailUnlessStatus(t, meResp, 200)
 	var me map[string]any
 	integrationtest.DecodeJSON(t, meResp, &me)
 	if me["platform_admin"] != true {
 		t.Fatalf("platform_admin = %v, want true", me["platform_admin"])
 	}
 	statsResp, err := client.Get("/api/v1/admin/stats")
 	integrationtest.FailIf(err, t, "GET /admin/stats")
 	integrationtest.FailUnlessStatus(t, statsResp, 200)
 }
 func TestFirstProvisionedUserBecomesPlatformAdmin(t *testing.T) {
 	h := integrationtest.RequireHarness(t)
 	var count int64
 	if err := h.Pool.QueryRow(context.Background(), `SELECT COUNT(*) FROM users`).Scan(&count); err != nil {
 		t.Fatalf("count users: %v", err)
 	}
 	if count > 0 {
 		t.Skip("database already has users; first-user bootstrap not testable here")
 	}
 	externalID := integrationtest.NewExternalID("bootstrap-admin")
 	claims := integrationtest.RegularUser(externalID)
 	client, err := h.Client(claims)
 	integrationtest.FailIf(err, t, "client")
 	meResp, err := client.Get("/api/v1/users/me")
 	integrationtest.FailIf(err, t, "GET /users/me")
 	integrationtest.FailUnlessStatus(t, meResp, 200)
 	var me map[string]any
 	integrationtest.DecodeJSON(t, meResp, &me)
 	if me["platform_admin"] != true {
 		t.Fatalf("platform_admin = %v, want true", me["platform_admin"])
 	}
 }
--- a/internal/nextcloud/drive.go
+++ b/internal/nextcloud/drive.go
@ -473,7 +473,11 @@ func pathBaseName(raw string) string {
 }
 func (c *Client) ListShares(ctx context.Context, userID, filePath string) ([]ShareInfo, error) {
-	path := "/ocs/v2.php/apps/files_sharing/api/v1/shares?path=" + url.QueryEscape(filePath)
+	apiPath := "/ocs/v2.php/apps/files_sharing/api/v1/shares?format=json"
 	if strings.TrimSpace(filePath) != "" {
 		apiPath += "&path=" + url.QueryEscape(filePath)
 	}
 	path := apiPath
 	resp, err := c.DoAsUser(ctx, "GET", path, nil, userID, map[string]string{
 		"Accept": "application/json",
 	})
--- a/internal/nextcloud/share_filter.go
+++ b/internal/nextcloud/share_filter.go
@ -0,0 +1,21 @@
 package nextcloud
 import "strings"
 // IsExternalShare reports public or email link shares (not internal/user/group).
 func IsExternalShare(share ShareInfo) bool {
 	switch share.ShareType {
 	case 4:
 		return true
 	case 3:
 		if strings.EqualFold(strings.TrimSpace(share.Label), "internal") {
 			return false
 		}
 		if strings.EqualFold(strings.TrimSpace(share.AccessMode), "internal") {
 			return false
 		}
 		return true
 	default:
 		return false
 	}
 }
--- a/internal/nextcloud/share_filter_test.go
+++ b/internal/nextcloud/share_filter_test.go
@ -0,0 +1,18 @@
 package nextcloud
 import "testing"
 func TestIsExternalShare(t *testing.T) {
 	if !IsExternalShare(ShareInfo{ShareType: 3, AccessMode: "public"}) {
 		t.Fatal("public link should be external")
 	}
 	if IsExternalShare(ShareInfo{ShareType: 3, Label: "internal", AccessMode: "internal"}) {
 		t.Fatal("internal link should not be external")
 	}
 	if !IsExternalShare(ShareInfo{ShareType: 4}) {
 		t.Fatal("email share should be external")
 	}
 	if IsExternalShare(ShareInfo{ShareType: 0}) {
 		t.Fatal("user share should not be external")
 	}
 }
--- a/internal/permission/permission.go
+++ b/internal/permission/permission.go
@ -8,9 +8,45 @@ type Role string
 const (
 	RoleAdmin   Role = "admin"
 	RoleUser    Role = "user"
 	RoleGuest   Role = "guest"
 	RoleService Role = "service"
 )
 // AccountRole is the admin-facing lifecycle role stored as status + platform_admin.
 type AccountRole string
 const (
 	AccountRoleAdmin     AccountRole = "admin"
 	AccountRoleUser      AccountRole = "user"
 	AccountRoleGuest     AccountRole = "guest"
 	AccountRoleSuspended AccountRole = "suspended"
 )
 // DeriveAccountRole maps database fields to the admin UI role.
 func DeriveAccountRole(platformAdmin bool, status string) AccountRole {
 	switch strings.ToLower(strings.TrimSpace(status)) {
 	case "disabled":
 		return AccountRoleSuspended
 	case "invited":
 		return AccountRoleGuest
 	default:
 		if platformAdmin {
 			return AccountRoleAdmin
 		}
 		return AccountRoleUser
 	}
 }
 // ParseAccountRole validates an admin role string.
 func ParseAccountRole(raw string) (AccountRole, bool) {
 	switch AccountRole(strings.ToLower(strings.TrimSpace(raw))) {
 	case AccountRoleAdmin, AccountRoleUser, AccountRoleGuest, AccountRoleSuspended:
 		return AccountRole(strings.ToLower(strings.TrimSpace(raw))), true
 	default:
 		return "", false
 	}
 }
 // Resource is a suite module protected by resource-scoped permissions.
 type Resource string
@ -120,6 +156,45 @@ func WithSuiteDefaults(groups []string) []string {
 	return out
 }
 // WithGuestAccess limits suite access to drive (shared + own files via Nextcloud).
 // Guests must not receive suite-wide defaults (mail, contacts, calendar, photos).
 func WithGuestAccess(groups []string) []string {
 	guestGroups := []string{
 		string(RoleGuest),
 		string(ResourceDrive) + ":write",
 	}
 	seen := make(map[string]struct{}, len(groups)+len(guestGroups))
 	out := make([]string, 0, len(guestGroups))
 	for _, g := range guestGroups {
 		key := strings.ToLower(strings.TrimSpace(g))
 		if key == "" {
 			continue
 		}
 		if _, ok := seen[key]; ok {
 			continue
 		}
 		seen[key] = struct{}{}
 		out = append(out, g)
 	}
 	return out
 }
 // WithPlatformAdmin grants full platform admin groups when missing.
 func WithPlatformAdmin(groups []string) []string {
 	if HasRole(groups, RoleAdmin) && HasAdminScope(groups, AdminScopeWrite) {
 		return groups
 	}
 	out := append([]string{}, groups...)
 	if !HasRole(groups, RoleAdmin) {
 		out = append(out, string(RoleAdmin))
 	}
 	if !HasAdminScope(groups, AdminScopeWrite) {
 		out = append(out, GroupAdminWrite)
 	}
 	return out
 }
 // AdminScope is a fine-grained admin API permission with read < write ordering.
 type AdminScope int
--- a/internal/permission/permission_test.go
+++ b/internal/permission/permission_test.go
@ -85,6 +85,37 @@ func TestWithSuiteDefaultsPreservesExplicitResource(t *testing.T) {
 	}
 }
 func TestDeriveAccountRole(t *testing.T) {
 	if got := DeriveAccountRole(true, "active"); got != AccountRoleAdmin {
 		t.Fatalf("admin = %q", got)
 	}
 	if got := DeriveAccountRole(false, "active"); got != AccountRoleUser {
 		t.Fatalf("user = %q", got)
 	}
 	if got := DeriveAccountRole(false, "invited"); got != AccountRoleGuest {
 		t.Fatalf("guest = %q", got)
 	}
 	if got := DeriveAccountRole(true, "disabled"); got != AccountRoleSuspended {
 		t.Fatalf("suspended = %q", got)
 	}
 }
 func TestWithGuestAccess(t *testing.T) {
 	groups := WithGuestAccess(nil)
 	if !HasRole(groups, RoleGuest) {
 		t.Fatal("expected guest role")
 	}
 	if !HasPermission(groups, ResourceDrive, LevelWrite) {
 		t.Fatal("expected drive write for own uploads")
 	}
 	if HasPermission(groups, ResourceContacts, LevelRead) {
 		t.Fatal("guest must not get contacts")
 	}
 	if HasPermission(groups, ResourcePhotos, LevelRead) {
 		t.Fatal("guest must not get photos")
 	}
 }
 func TestWithSuiteDefaultsUserRoleOnly(t *testing.T) {
 	groups := WithSuiteDefaults([]string{"role:user"})
@ -190,6 +221,17 @@ func TestHasAdminScopePlatformAdminBypass(t *testing.T) {
 	}
 }
 func TestWithPlatformAdmin(t *testing.T) {
 	groups := WithSuiteDefaults(nil)
 	out := WithPlatformAdmin(groups)
 	if !HasRole(out, RoleAdmin) {
 		t.Fatal("expected admin role")
 	}
 	if !HasAdminScope(out, AdminScopeWrite) {
 		t.Fatal("expected admin:write scope")
 	}
 }
 func TestHasAdminScopeNoAccess(t *testing.T) {
 	tests := []struct {
 		name   string
--- a/internal/publicshare/access.go
+++ b/internal/publicshare/access.go
@ -0,0 +1,60 @@
 package publicshare
 import (
 	"context"
 	"strings"
 	"time"
 	"github.com/jackc/pgx/v5/pgxpool"
 )
 // AccessStats tracks anonymous public link usage via Ulti API.
 type AccessStats struct {
 	FirstAccessAt time.Time
 	LastAccessAt  time.Time
 	AccessCount   int64
 }
 // RecordAccess bumps usage counters for a public share token.
 func RecordAccess(ctx context.Context, db *pgxpool.Pool, token string) {
 	if db == nil {
 		return
 	}
 	token = strings.TrimSpace(token)
 	if token == "" {
 		return
 	}
 	_, _ = db.Exec(ctx, `
 		INSERT INTO drive_public_share_access (token, first_access_at, last_access_at, access_count)
 		VALUES ($1, NOW(), NOW(), 1)
 		ON CONFLICT (token) DO UPDATE SET
 			last_access_at = NOW(),
 			access_count = drive_public_share_access.access_count + 1
 	`, token)
 }
 // Lookup returns access stats keyed by token.
 func Lookup(ctx context.Context, db *pgxpool.Pool, tokens []string) (map[string]AccessStats, error) {
 	out := make(map[string]AccessStats)
 	if db == nil || len(tokens) == 0 {
 		return out, nil
 	}
 	rows, err := db.Query(ctx, `
 		SELECT token, first_access_at, last_access_at, access_count
 		FROM drive_public_share_access
 		WHERE token = ANY($1::text[])
 	`, tokens)
 	if err != nil {
 		return nil, err
 	}
 	defer rows.Close()
 	for rows.Next() {
 		var token string
 		var stats AccessStats
 		if err := rows.Scan(&token, &stats.FirstAccessAt, &stats.LastAccessAt, &stats.AccessCount); err != nil {
 			return nil, err
 		}
 		out[token] = stats
 	}
 	return out, rows.Err()
 }
--- a/internal/server/bootstrap.go
+++ b/internal/server/bootstrap.go
@ -27,6 +27,7 @@ import (
 	"github.com/ultisuite/ulti-backend/internal/api/middleware"
 	"github.com/ultisuite/ulti-backend/internal/api/office"
 	photosapi "github.com/ultisuite/ulti-backend/internal/api/photos"
 	usersapi "github.com/ultisuite/ulti-backend/internal/api/users"
 	"github.com/ultisuite/ulti-backend/internal/automation"
 	"github.com/ultisuite/ulti-backend/internal/authentik"
 	"github.com/ultisuite/ulti-backend/internal/auth"
@ -286,8 +287,15 @@ func New(ctx context.Context, cfg *config.Config, opts Options) (*App, error) {
 		r.Use(middleware.Auth(verifierHolder, pool, auditLogger))
 		r.Use(middleware.EnforceApiTokenPolicy())
 		r.Mount("/api/v1/users", usersapi.NewHandler(pool).Routes())
 		r.Mount("/api/v1/admin", admin.NewHandler(pool, auditLogger, cfg, ncClient).Routes())
 		if driveHandler != nil {
 			r.Mount("/api/v1/drive", driveHandler.Routes())
 		}
 		r.Group(func(r chi.Router) {
 			r.Use(middleware.RequireFullAccount)
 			r.Mount("/api/v1/mail", mailHandler.Routes())
 		r.Mount("/api/v1/admin", admin.NewHandler(pool, auditLogger).Routes())
 			r.Get("/api/v1/search", search.NewHandler(pool, search.Options{
 				Nextcloud:           ncClient,
 				Engine:              cfg.SearchEngine,
@ -298,9 +306,7 @@ func New(ctx context.Context, cfg *config.Config, opts Options) (*App, error) {
 				TypesenseKey:        cfg.TypesenseKey,
 				TypesenseCollection: cfg.TypesenseCollection,
 			}).Search)
 			if driveHandler != nil {
 			r.Mount("/api/v1/drive", driveHandler.Routes())
 				r.Mount("/api/v1/calendar", calendar.NewHandler(ncClient, meetCfg).Routes())
 				r.Mount("/api/v1/contacts", contactsHandler.Routes())
 			}
@ -311,6 +317,7 @@ func New(ctx context.Context, cfg *config.Config, opts Options) (*App, error) {
 				r.Mount("/api/v1/photos", photosapi.NewHandler(photosClient, ncClient).Routes())
 			}
 		})
 	})
 	slog.Info("mail oauth providers", "enabled", mailOAuthSvc.EnabledProviders(), "redirect", oauthRedirect)
--- a/internal/users/admin.go
+++ b/internal/users/admin.go
@ -0,0 +1,82 @@
 package users
 import (
 	"context"
 	"errors"
 	"fmt"
 	"github.com/jackc/pgx/v5"
 	"github.com/jackc/pgx/v5/pgxpool"
 	"github.com/ultisuite/ulti-backend/internal/auth"
 	"github.com/ultisuite/ulti-backend/internal/permission"
 )
 // IsPlatformAdmin reports whether the user row is marked platform_admin.
 func IsPlatformAdmin(ctx context.Context, db *pgxpool.Pool, externalID string) (bool, error) {
 	if db == nil || externalID == "" {
 		return false, nil
 	}
 	var admin bool
 	err := db.QueryRow(ctx, `
 		SELECT platform_admin FROM users WHERE external_id = $1
 	`, externalID).Scan(&admin)
 	if errors.Is(err, pgx.ErrNoRows) {
 		return false, nil
 	}
 	if err != nil {
 		return false, err
 	}
 	return admin, nil
 }
 // GrantPlatformAdmin sets platform_admin for the given external_id.
 func GrantPlatformAdmin(ctx context.Context, db *pgxpool.Pool, externalID string) error {
 	if db == nil {
 		return fmt.Errorf("database not configured")
 	}
 	if externalID == "" {
 		return fmt.Errorf("missing external id")
 	}
 	tag, err := db.Exec(ctx, `
 		UPDATE users SET platform_admin = true, updated_at = NOW()
 		WHERE external_id = $1
 	`, externalID)
 	if err != nil {
 		return err
 	}
 	if tag.RowsAffected() == 0 {
 		return pgx.ErrNoRows
 	}
 	return nil
 }
 // ApplyPlatformAdminGroups adds admin RBAC groups when the user is platform_admin.
 func ApplyPlatformAdminGroups(ctx context.Context, db *pgxpool.Pool, claims *auth.Claims) error {
 	if claims == nil || db == nil {
 		return nil
 	}
 	admin, err := IsPlatformAdmin(ctx, db, claims.Sub)
 	if err != nil {
 		return err
 	}
 	if admin {
 		claims.Groups = permission.WithPlatformAdmin(claims.Groups)
 	}
 	return nil
 }
 func bootstrapFirstUserAdmin(ctx context.Context, db *pgxpool.Pool, userID string) error {
 	var hasAdmin bool
 	if err := db.QueryRow(ctx, `SELECT EXISTS(SELECT 1 FROM users WHERE platform_admin = true)`).Scan(&hasAdmin); err != nil {
 		return err
 	}
 	if hasAdmin {
 		return nil
 	}
 	_, err := db.Exec(ctx, `
 		UPDATE users SET platform_admin = true, updated_at = NOW()
 		WHERE id = $1
 	`, userID)
 	return err
 }
--- a/internal/users/provision.go
+++ b/internal/users/provision.go
@ -34,18 +34,29 @@ func EnsureUser(ctx context.Context, db *pgxpool.Pool, claims *auth.Claims) (str
 	email := ProvisionEmail(claims)
 	name := strings.TrimSpace(claims.Name)
 	var userCount int64
 	if err := db.QueryRow(ctx, `SELECT COUNT(*) FROM users`).Scan(&userCount); err != nil {
 		return "", fmt.Errorf("count users: %w", err)
 	}
 	isFirstUser := userCount == 0
 	var userID string
 	err := db.QueryRow(ctx, `
-		INSERT INTO users (external_id, email, name)
+		INSERT INTO users (external_id, email, name, platform_admin)
-		VALUES ($1, $2, $3)
+		VALUES ($1, $2, $3, $4)
 		ON CONFLICT (external_id) DO UPDATE SET
 			email = EXCLUDED.email,
 			name = EXCLUDED.name,
 			updated_at = NOW()
 		RETURNING id
-	`, claims.Sub, email, name).Scan(&userID)
+	`, claims.Sub, email, name, isFirstUser).Scan(&userID)
 	if err != nil {
 		return "", fmt.Errorf("provision user: %w", err)
 	}
 	if isFirstUser {
 		if err := bootstrapFirstUserAdmin(ctx, db, userID); err != nil {
 			return "", fmt.Errorf("bootstrap platform admin: %w", err)
 		}
 	}
 	return userID, nil
 }
--- a/internal/users/role.go
+++ b/internal/users/role.go
@ -0,0 +1,96 @@
 package users
 import (
 	"context"
 	"errors"
 	"fmt"
 	"github.com/jackc/pgx/v5"
 	"github.com/jackc/pgx/v5/pgxpool"
 	"github.com/ultisuite/ulti-backend/internal/auth"
 	"github.com/ultisuite/ulti-backend/internal/permission"
 )
 var ErrLastPlatformAdmin = errors.New("cannot remove the last platform admin")
 // AccountState is the persisted user lifecycle used for auth and admin APIs.
 type AccountState struct {
 	Status        string
 	PlatformAdmin bool
 }
 // GetAccountState loads status and platform_admin for an external_id.
 func GetAccountState(ctx context.Context, db *pgxpool.Pool, externalID string) (AccountState, error) {
 	if db == nil || externalID == "" {
 		return AccountState{Status: "active"}, nil
 	}
 	var state AccountState
 	err := db.QueryRow(ctx, `
 		SELECT status, platform_admin FROM users WHERE external_id = $1
 	`, externalID).Scan(&state.Status, &state.PlatformAdmin)
 	if errors.Is(err, pgx.ErrNoRows) {
 		return AccountState{Status: "active"}, nil
 	}
 	if err != nil {
 		return AccountState{}, err
 	}
 	return state, nil
 }
 // ApplyAccountGroups adjusts OIDC groups from the persisted account role.
 func ApplyAccountGroups(ctx context.Context, db *pgxpool.Pool, claims *auth.Claims) error {
 	if claims == nil || db == nil {
 		return nil
 	}
 	state, err := GetAccountState(ctx, db, claims.Sub)
 	if err != nil {
 		return err
 	}
 	switch permission.DeriveAccountRole(state.PlatformAdmin, state.Status) {
 	case permission.AccountRoleGuest:
 		claims.Groups = permission.WithGuestAccess(claims.Groups)
 	case permission.AccountRoleSuspended:
 		// Auth middleware rejects disabled accounts before handlers run.
 	default:
 		claims.Groups = permission.WithSuiteDefaults(claims.Groups)
 	}
 	if state.PlatformAdmin {
 		claims.Groups = permission.WithPlatformAdmin(claims.Groups)
 	}
 	return nil
 }
 // CountPlatformAdmins returns active platform admins.
 func CountPlatformAdmins(ctx context.Context, db *pgxpool.Pool) (int64, error) {
 	if db == nil {
 		return 0, fmt.Errorf("database not configured")
 	}
 	var count int64
 	err := db.QueryRow(ctx, `
 		SELECT COUNT(*) FROM users
 		WHERE platform_admin = true AND status = 'active'
 	`).Scan(&count)
 	return count, err
 }
 // RevokePlatformAdmin clears platform_admin for external_id.
 func RevokePlatformAdmin(ctx context.Context, db *pgxpool.Pool, externalID string) error {
 	if db == nil {
 		return fmt.Errorf("database not configured")
 	}
 	if externalID == "" {
 		return fmt.Errorf("missing external id")
 	}
 	tag, err := db.Exec(ctx, `
 		UPDATE users SET platform_admin = false, updated_at = NOW()
 		WHERE external_id = $1
 	`, externalID)
 	if err != nil {
 		return err
 	}
 	if tag.RowsAffected() == 0 {
 		return pgx.ErrNoRows
 	}
 	return nil
 }
--- a/migrations/000031_org_settings.down.sql
+++ b/migrations/000031_org_settings.down.sql
@ -0,0 +1 @@
 DROP TABLE IF EXISTS org_settings;
--- a/migrations/000031_org_settings.up.sql
+++ b/migrations/000031_org_settings.up.sql
@ -0,0 +1,8 @@
 CREATE TABLE org_settings (
    id SMALLINT PRIMARY KEY DEFAULT 1 CHECK (id = 1),
    settings JSONB NOT NULL DEFAULT '{}',
    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    updated_by TEXT NOT NULL DEFAULT ''
 );
 INSERT INTO org_settings (id) VALUES (1) ON CONFLICT (id) DO NOTHING;
--- a/migrations/000032_user_platform_admin.down.sql
+++ b/migrations/000032_user_platform_admin.down.sql
@ -0,0 +1 @@
 ALTER TABLE users DROP COLUMN IF EXISTS platform_admin;
--- a/migrations/000032_user_platform_admin.up.sql
+++ b/migrations/000032_user_platform_admin.up.sql
@ -0,0 +1,10 @@
 ALTER TABLE users
    ADD COLUMN platform_admin BOOLEAN NOT NULL DEFAULT false;
 -- Existing deployments: promote the earliest account if none is admin yet.
 UPDATE users
 SET platform_admin = true
 WHERE id = (
    SELECT id FROM users ORDER BY created_at ASC LIMIT 1
 )
 AND NOT EXISTS (SELECT 1 FROM users WHERE platform_admin = true);
--- a/migrations/000033_drive_public_share_access.down.sql
+++ b/migrations/000033_drive_public_share_access.down.sql
@ -0,0 +1 @@
 DROP TABLE IF EXISTS drive_public_share_access;
--- a/migrations/000033_drive_public_share_access.up.sql
+++ b/migrations/000033_drive_public_share_access.up.sql
@ -0,0 +1,8 @@
 CREATE TABLE drive_public_share_access (
    token TEXT PRIMARY KEY,
    first_access_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    last_access_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    access_count BIGINT NOT NULL DEFAULT 0
 );
 CREATE INDEX idx_drive_public_share_access_last ON drive_public_share_access (last_access_at DESC);
		`@ -0,0 +1 @@`
							`ALTER TABLE users DROP COLUMN IF EXISTS platform_admin;`
		`@ -0,0 +1 @@`
							`DROP TABLE IF EXISTS drive_public_share_access;`