@agenticmail/enterprise 0.5.296 → 0.5.298

package/src/admin/routes.ts

@@ -564,17 +564,73 @@ export function createAdminRoutes(db: DatabaseAdapter) {
     return c.json({ ok: true, message: 'Password reset successfully' });
   });
 
+  // ─── Deactivate / Reactivate User ──────────────────
+
+  api.post('/users/:id/deactivate', requireRole('admin'), async (c) => {
+    const existing = await db.getUser(c.req.param('id'));
+    if (!existing) return c.json({ error: 'User not found' }, 404);
+    const requesterId = c.get('userId');
+    if (requesterId === c.req.param('id')) return c.json({ error: 'Cannot deactivate your own account' }, 400);
+
+    try {
+      await (db as any).pool.query('UPDATE users SET is_active = FALSE, updated_at = NOW() WHERE id = $1', [c.req.param('id')]);
+    } catch {
+      const edb = (db as any).db;
+      if (edb?.prepare) edb.prepare('UPDATE users SET is_active = 0, updated_at = CURRENT_TIMESTAMP WHERE id = ?').run(c.req.param('id'));
+    }
+
+    await db.logEvent({
+      actor: c.get('userId') || 'system', actorType: 'user', action: 'user.deactivated',
+      resource: `user:${c.req.param('id')}`, details: { targetEmail: existing.email },
+      ip: c.req.header('x-forwarded-for')?.split(',')[0]?.trim(),
+    }).catch(() => {});
+
+    return c.json({ ok: true, message: 'User deactivated' });
+  });
+
+  api.post('/users/:id/reactivate', requireRole('admin'), async (c) => {
+    const existing = await db.getUser(c.req.param('id'));
+    if (!existing) return c.json({ error: 'User not found' }, 404);
+
+    try {
+      await (db as any).pool.query('UPDATE users SET is_active = TRUE, updated_at = NOW() WHERE id = $1', [c.req.param('id')]);
+    } catch {
+      const edb = (db as any).db;
+      if (edb?.prepare) edb.prepare('UPDATE users SET is_active = 1, updated_at = CURRENT_TIMESTAMP WHERE id = ?').run(c.req.param('id'));
+    }
+
+    await db.logEvent({
+      actor: c.get('userId') || 'system', actorType: 'user', action: 'user.reactivated',
+      resource: `user:${c.req.param('id')}`, details: { targetEmail: existing.email },
+      ip: c.req.header('x-forwarded-for')?.split(',')[0]?.trim(),
+    }).catch(() => {});
+
+    return c.json({ ok: true, message: 'User reactivated' });
+  });
+
+  // ─── Delete User (owner only, requires confirmation token) ──
+
   api.delete('/users/:id', requireRole('owner'), async (c) => {
     const existing = await db.getUser(c.req.param('id'));
     if (!existing) return c.json({ error: 'User not found' }, 404);
 
-    // Cannot delete yourself
     const requesterId = c.get('userId');
-    if (requesterId === c.req.param('id')) {
-      return c.json({ error: 'Cannot delete your own account' }, 400);
+    if (requesterId === c.req.param('id')) return c.json({ error: 'Cannot delete your own account' }, 400);
+
+    // Require confirmation token from frontend (5-step modal flow)
+    const body = await c.req.json().catch(() => ({}));
+    if (body.confirmationToken !== 'DELETE_USER_' + existing.email) {
+      return c.json({ error: 'Invalid confirmation. Delete requires 5-step confirmation from the dashboard.' }, 400);
     }
 
     await db.deleteUser(c.req.param('id'));
+
+    await db.logEvent({
+      actor: c.get('userId') || 'system', actorType: 'user', action: 'user.deleted',
+      resource: `user:${c.req.param('id')}`, details: { targetEmail: existing.email },
+      ip: c.req.header('x-forwarded-for')?.split(',')[0]?.trim(),
+    }).catch(() => {});
+
     return c.json({ ok: true });
   });
 
@@ -607,6 +663,13 @@ export function createAdminRoutes(db: DatabaseAdapter) {
       }
       const { PAGE_REGISTRY } = await import('./page-registry.js');
       for (const [pageId, grant] of Object.entries(permissions)) {
+        if (pageId === '_allowedAgents') {
+          // Validate: must be '*' or string[]
+          if (grant !== '*' && !Array.isArray(grant)) {
+            return c.json({ error: '_allowedAgents must be "*" or string[]' }, 400);
+          }
+          continue;
+        }
         if (!(pageId in PAGE_REGISTRY)) {
           return c.json({ error: `Unknown page: ${pageId}` }, 400);
         }

package/src/auth/routes.ts

@@ -275,6 +275,11 @@ export function createAuthRoutes(
       return c.json({ error: 'Invalid credentials' }, 401);
     }
 
+    // Check if account is deactivated
+    if (user.isActive === false) {
+      return c.json({ error: 'Your account has been deactivated by your organization. Please contact your organization administrator to restore access.' }, 403);
+    }
+
     const { default: bcrypt } = await import('bcryptjs');
     const valid = await bcrypt.compare(password, user.passwordHash);
     if (!valid) {

package/src/dashboard/app.js

@@ -143,7 +143,9 @@ function App() {
     if (!authed) return;
     engineCall('/approvals/pending').then(d => setPendingCount((d.requests || []).length)).catch(() => {});
     apiCall('/settings').then(d => { const s = d.settings || d || {}; if (s.primaryColor) applyBrandColor(s.primaryColor); if (s.orgId) setOrgId(s.orgId); }).catch(() => {});
-    apiCall('/me/permissions').then(d => { if (d && d.permissions) setPermissions(d.permissions); }).catch(() => {});
+    apiCall('/me/permissions').then(d => {
+      if (d && d.permissions) setPermissions(d.permissions);
+    }).catch(() => {});
   }, [authed]);
 
   const logout = useCallback(() => { authCall('/logout', { method: 'POST' }).catch(() => {}).finally(() => { setAuthed(false); setUser(null); }); }, []);

package/src/dashboard/pages/agent-detail/index.js

@@ -57,6 +57,26 @@ export function AgentDetailPage(props) {
     return false;
   });
 
+  // Check agent-level access
+  var allowedAgents = perms === '*' ? '*' : (perms._allowedAgents || '*');
+  var hasAgentAccess = allowedAgents === '*' || (Array.isArray(allowedAgents) && allowedAgents.indexOf(agentId) >= 0);
+
+  if (!hasAgentAccess) {
+    return h('div', { style: { display: 'flex', flexDirection: 'column', alignItems: 'center', justifyContent: 'center', minHeight: '60vh', textAlign: 'center', padding: 40 } },
+      h('div', { style: { width: 64, height: 64, borderRadius: '50%', background: 'var(--danger-soft, rgba(220,38,38,0.1))', display: 'flex', alignItems: 'center', justifyContent: 'center', marginBottom: 20 } },
+        h('svg', { width: 32, height: 32, viewBox: '0 0 24 24', fill: 'none', stroke: 'var(--danger, #dc2626)', strokeWidth: 2, strokeLinecap: 'round', strokeLinejoin: 'round' },
+          h('rect', { x: 3, y: 11, width: 18, height: 11, rx: 2, ry: 2 }),
+          h('path', { d: 'M7 11V7a5 5 0 0 1 10 0v4' })
+        )
+      ),
+      h('h2', { style: { fontSize: 20, fontWeight: 700, marginBottom: 8 } }, 'Agent Access Restricted'),
+      h('p', { style: { fontSize: 14, color: 'var(--text-muted)', maxWidth: 400, lineHeight: 1.6 } },
+        'You don\'t have permission to access this agent. Contact your organization administrator to request access.'
+      ),
+      h('button', { className: 'btn btn-primary', style: { marginTop: 16 }, onClick: onBack }, 'Back to Agents')
+    );
+  }
+
   var load = function() {
     setLoading(true);
     Promise.all([

package/src/dashboard/pages/agents.js

@@ -1125,11 +1125,21 @@ export function CreateAgentWizard({ onClose, onCreated, toast }) {
 // ════════════════════════════════════════════════════════════
 
 export function AgentsPage({ onSelectAgent }) {
-  const { toast } = useApp();
+  const app = useApp();
+  const toast = app.toast;
   const [agents, setAgents] = useState([]);
   const [creating, setCreating] = useState(false);
 
-  const load = () => apiCall('/agents').then(d => setAgents(d.agents || d || [])).catch(() => {});
+  const perms = app.permissions || '*';
+  const allowedAgents = perms === '*' ? '*' : (perms._allowedAgents || '*');
+
+  const load = () => apiCall('/agents').then(d => {
+    var all = d.agents || d || [];
+    if (allowedAgents !== '*' && Array.isArray(allowedAgents)) {
+      all = all.filter(a => allowedAgents.indexOf(a.id) >= 0);
+    }
+    setAgents(all);
+  }).catch(() => {});
   useEffect(() => { load(); }, []);
 
   // Delete moved to agent detail overview tab with triple confirmation

package/src/dashboard/pages/users.js

@@ -6,23 +6,37 @@ import { HelpButton } from '../components/help-button.js';
 // ─── Permission Editor Component ───────────────────
 
 function PermissionEditor({ userId, userName, currentPerms, pageRegistry, onSave, onClose }) {
-  // Deep clone perms
+  // Deep clone perms (skip _allowedAgents from page grants)
   var [grants, setGrants] = useState(function() {
     if (currentPerms === '*') {
-      // Start with all pages selected (all tabs)
       var all = {};
       Object.keys(pageRegistry).forEach(function(pid) { all[pid] = true; });
       return all;
     }
-    // Clone existing
     var c = {};
     Object.keys(currentPerms || {}).forEach(function(pid) {
+      if (pid === '_allowedAgents') return; // skip agent field
       var g = currentPerms[pid];
       c[pid] = g === true ? true : (Array.isArray(g) ? g.slice() : true);
     });
     return c;
   });
   var [fullAccess, setFullAccess] = useState(currentPerms === '*');
+
+  // Agent access control
+  var [agents, setAgents] = useState([]);
+  var [allowedAgents, setAllowedAgents] = useState(function() {
+    if (currentPerms === '*') return '*';
+    return (currentPerms || {})._allowedAgents || '*';
+  });
+  var [allAgentsAccess, setAllAgentsAccess] = useState(function() {
+    if (currentPerms === '*') return true;
+    return (currentPerms || {})._allowedAgents === '*' || !(currentPerms || {})._allowedAgents;
+  });
+
+  useEffect(function() {
+    apiCall('/agents').then(function(d) { setAgents(d.agents || d || []); }).catch(function() {});
+  }, []);
   var [saving, setSaving] = useState(false);
   var [expandedPage, setExpandedPage] = useState(null);
 
@@ -86,8 +100,11 @@ function PermissionEditor({ userId, userName, currentPerms, pageRegistry, onSave
       var all = {};
       Object.keys(pageRegistry).forEach(function(pid) { all[pid] = true; });
       setGrants(all);
+      setAllAgentsAccess(true);
+      setAllowedAgents('*');
     } else {
       setGrants({});
+      setAllAgentsAccess(true);
     }
   };
 
@@ -101,7 +118,17 @@ function PermissionEditor({ userId, userName, currentPerms, pageRegistry, onSave
   var doSave = async function() {
     setSaving(true);
     try {
-      var permsToSave = fullAccess ? '*' : grants;
+      var permsToSave;
+      if (fullAccess) {
+        permsToSave = '*';
+      } else {
+        permsToSave = Object.assign({}, grants);
+        if (!allAgentsAccess && Array.isArray(allowedAgents)) {
+          permsToSave._allowedAgents = allowedAgents;
+        } else {
+          permsToSave._allowedAgents = '*';
+        }
+      }
       await onSave(permsToSave);
     } catch(e) { /* handled by parent */ }
     setSaving(false);
@@ -201,11 +228,61 @@ function PermissionEditor({ userId, userName, currentPerms, pageRegistry, onSave
       })
     ),
 
+    // ─── Agent Access ──────────────────────────
+    !fullAccess && h('div', { style: { marginTop: 16 } },
+      h('div', { style: { display: 'flex', alignItems: 'center', justifyContent: 'space-between', marginBottom: 8 } },
+        h('div', null,
+          h('strong', { style: { fontSize: 13 } }, 'Agent Access'),
+          h('div', { style: { fontSize: 11, color: 'var(--text-muted)', marginTop: 1 } }, 'Which agents this user can see and manage')
+        ),
+        h('label', { style: { display: 'flex', alignItems: 'center', gap: 6, fontSize: 12, cursor: 'pointer' } },
+          h('input', { type: 'checkbox', checked: allAgentsAccess, onChange: function() {
+            var newVal = !allAgentsAccess;
+            setAllAgentsAccess(newVal);
+            if (newVal) setAllowedAgents('*');
+            else setAllowedAgents([]);
+          }, style: _checkbox }),
+          'All Agents'
+        )
+      ),
+      !allAgentsAccess && h('div', { style: { maxHeight: 180, overflowY: 'auto', border: '1px solid var(--border)', borderRadius: 8 } },
+        agents.length === 0
+          ? h('div', { style: { padding: 16, textAlign: 'center', color: 'var(--text-muted)', fontSize: 12 } }, 'No agents found')
+          : agents.map(function(a) {
+              var checked = Array.isArray(allowedAgents) && allowedAgents.indexOf(a.id) >= 0;
+              return h('div', {
+                key: a.id,
+                style: Object.assign({}, _cs, checked ? { background: 'var(--bg-tertiary)' } : {}),
+                onClick: function() {
+                  setAllowedAgents(function(prev) {
+                    var arr = Array.isArray(prev) ? prev.slice() : [];
+                    var idx = arr.indexOf(a.id);
+                    if (idx >= 0) arr.splice(idx, 1);
+                    else arr.push(a.id);
+                    return arr;
+                  });
+                }
+              },
+                h('input', { type: 'checkbox', checked: checked, readOnly: true, style: _checkbox }),
+                h('div', { style: { flex: 1 } },
+                  h('div', { style: { fontWeight: 500, fontSize: 13 } }, a.displayName || a.name || a.id),
+                  a.role && h('div', { style: { fontSize: 11, color: 'var(--text-muted)' } }, a.role)
+                ),
+                a.status && h('span', { className: 'badge badge-' + (a.status === 'active' || a.status === 'running' ? 'success' : 'neutral'), style: { fontSize: 9 } }, a.status)
+              );
+            })
+      ),
+      !allAgentsAccess && Array.isArray(allowedAgents) && h('div', { style: { marginTop: 4, fontSize: 11, color: 'var(--text-muted)' } },
+        allowedAgents.length === 0 ? 'No agents selected — user will see no agents' : allowedAgents.length + ' agent' + (allowedAgents.length !== 1 ? 's' : '') + ' selected'
+      )
+    ),
+
     // Summary
     h('div', { style: { marginTop: 12, padding: 8, background: 'var(--bg-tertiary)', borderRadius: 6, fontSize: 11, color: 'var(--text-muted)' } },
       fullAccess
-        ? 'This user has full access to all pages and tabs.'
-        : 'Access to ' + Object.keys(grants).length + ' of ' + Object.keys(pageRegistry).length + ' pages.'
+        ? 'This user has full access to all pages, tabs, and agents.'
+        : 'Access to ' + Object.keys(grants).length + ' of ' + Object.keys(pageRegistry).length + ' pages' +
+          (allAgentsAccess ? ', all agents.' : ', ' + (Array.isArray(allowedAgents) ? allowedAgents.length : 0) + ' agents.')
     )
   );
 }
@@ -214,15 +291,31 @@ function PermissionEditor({ userId, userName, currentPerms, pageRegistry, onSave
 
 function InlinePermissionPicker({ permissions, pageRegistry, onChange }) {
   var [expandedPage, setExpandedPage] = useState(null);
-
-  // Resolve grants from permissions
-  var grants = permissions === '*' ? (function() { var a = {}; Object.keys(pageRegistry).forEach(function(p) { a[p] = true; }); return a; })() : (permissions || {});
+  var [agents, setAgents] = useState([]);
+  useEffect(function() { apiCall('/agents').then(function(d) { setAgents(d.agents || d || []); }).catch(function() {}); }, []);
+
+  // Resolve grants from permissions (skip _allowedAgents)
+  var rawGrants = permissions === '*' ? (function() { var a = {}; Object.keys(pageRegistry).forEach(function(p) { a[p] = true; }); return a; })() : (permissions || {});
+  var grants = {};
+  Object.keys(rawGrants).forEach(function(k) { if (k !== '_allowedAgents') grants[k] = rawGrants[k]; });
+  var currentAllowed = permissions === '*' ? '*' : (rawGrants._allowedAgents || '*');
+  var allAgentsMode = currentAllowed === '*';
+
+  var emitChange = function(nextGrants, nextAllowed) {
+    var result = Object.assign({}, nextGrants);
+    if (nextAllowed !== undefined) result._allowedAgents = nextAllowed;
+    else if (currentAllowed !== '*') result._allowedAgents = currentAllowed;
+    var allPages = Object.keys(nextGrants).length === Object.keys(pageRegistry).length && Object.values(nextGrants).every(function(v) { return v === true; });
+    var allAg = (result._allowedAgents || '*') === '*';
+    if (allPages && allAg) return onChange('*');
+    onChange(result);
+  };
 
   var togglePage = function(pid) {
     var next = Object.assign({}, grants);
     if (next[pid]) { delete next[pid]; if (expandedPage === pid) setExpandedPage(null); }
     else { next[pid] = true; }
-    onChange(Object.keys(next).length === Object.keys(pageRegistry).length ? '*' : next);
+    emitChange(next);
   };
 
   var toggleTab = function(pid, tabId) {
@@ -243,7 +336,7 @@ function InlinePermissionPicker({ permissions, pageRegistry, onChange }) {
         next[pid] = newArr.length === allTabs.length ? true : newArr;
       }
     }
-    onChange(Object.keys(next).length === Object.keys(pageRegistry).length && Object.values(next).every(function(v) { return v === true; }) ? '*' : next);
+    emitChange(next);
   };
 
   var isTabChecked = function(pid, tabId) {
@@ -288,14 +381,38 @@ function InlinePermissionPicker({ permissions, pageRegistry, onChange }) {
           );
         })
       );
-    })
+    }),
+    // Agent access section
+    agents.length > 0 && h('div', { style: { marginTop: 8 } },
+      h('div', { style: { fontSize: 10, fontWeight: 600, textTransform: 'uppercase', letterSpacing: '0.05em', color: 'var(--text-muted)', padding: '4px 10px 2px' } }, 'Agent Access'),
+      h('div', { style: { display: 'flex', alignItems: 'center', gap: 8, padding: '4px 10px', fontSize: 12, cursor: 'pointer' }, onClick: function() {
+        emitChange(grants, allAgentsMode ? [] : '*');
+      } },
+        h('input', { type: 'checkbox', checked: allAgentsMode, readOnly: true, style: { width: 14, height: 14, accentColor: 'var(--primary)', cursor: 'pointer' } }),
+        h('span', { style: { fontWeight: 500 } }, 'All Agents')
+      ),
+      !allAgentsMode && agents.map(function(a) {
+        var checked = Array.isArray(currentAllowed) && currentAllowed.indexOf(a.id) >= 0;
+        return h('div', { key: a.id, style: { display: 'flex', alignItems: 'center', gap: 8, padding: '3px 10px 3px 28px', fontSize: 11, cursor: 'pointer' }, onClick: function() {
+          var arr = Array.isArray(currentAllowed) ? currentAllowed.slice() : [];
+          var idx = arr.indexOf(a.id);
+          if (idx >= 0) arr.splice(idx, 1); else arr.push(a.id);
+          emitChange(grants, arr);
+        } },
+          h('input', { type: 'checkbox', checked: checked, readOnly: true, style: { width: 13, height: 13, accentColor: 'var(--primary)', cursor: 'pointer' } }),
+          h('span', null, a.displayName || a.name || a.id),
+          a.role && h('span', { style: { color: 'var(--text-muted)', marginLeft: 4 } }, '(' + a.role + ')')
+        );
+      })
+    )
   );
 }
 
 // ─── Users Page ────────────────────────────────────
 
 export function UsersPage() {
-  var { toast } = useApp();
+  var app = useApp();
+  var toast = app.toast;
   var [users, setUsers] = useState([]);
   var [creating, setCreating] = useState(false);
   var [form, setForm] = useState({ email: '', password: '', name: '', role: 'viewer', permissions: '*' });
@@ -343,22 +460,39 @@ export function UsersPage() {
     setResetting(false);
   };
 
-  var deleteUser = async function(user) {
+  var toggleActive = async function(user) {
+    var action = user.isActive === false ? 'reactivate' : 'deactivate';
     var ok = await showConfirm({
-      title: 'Delete User',
-      message: 'Are you sure you want to delete "' + (user.name || user.email) + '"? This cannot be undone.',
-      warning: 'The user will lose all access immediately.',
-      danger: true,
-      confirmText: 'Delete User'
+      title: action === 'deactivate' ? 'Deactivate User' : 'Reactivate User',
+      message: action === 'deactivate'
+        ? 'Deactivate "' + (user.name || user.email) + '"? They will be unable to log in and will see a message to contact their organization.'
+        : 'Reactivate "' + (user.name || user.email) + '"? They will be able to log in again.',
+      danger: action === 'deactivate',
+      confirmText: action === 'deactivate' ? 'Deactivate' : 'Reactivate'
     });
     if (!ok) return;
     try {
-      await apiCall('/users/' + user.id, { method: 'DELETE' });
-      toast('User deleted', 'success');
+      await apiCall('/users/' + user.id + '/' + action, { method: 'POST' });
+      toast('User ' + action + 'd', 'success');
       load();
     } catch (e) { toast(e.message, 'error'); }
   };
 
+  var [deleteStep, setDeleteStep] = useState(0);
+  var [deleteTarget, setDeleteTarget] = useState(null);
+  var [deleteTyped, setDeleteTyped] = useState('');
+
+  var startDelete = function(user) { setDeleteTarget(user); setDeleteStep(1); setDeleteTyped(''); };
+  var cancelDelete = function() { setDeleteTarget(null); setDeleteStep(0); setDeleteTyped(''); };
+
+  var confirmDelete = async function() {
+    try {
+      await apiCall('/users/' + deleteTarget.id, { method: 'DELETE', body: JSON.stringify({ confirmationToken: 'DELETE_USER_' + deleteTarget.email }) });
+      toast('User permanently deleted', 'success');
+      cancelDelete(); load();
+    } catch (e) { toast(e.message, 'error'); }
+  };
+
   var openPermissions = async function(user) {
     try {
       var d = await apiCall('/users/' + user.id + '/permissions');
@@ -485,18 +619,100 @@ export function UsersPage() {
       onClose: function() { setPermTarget(null); }
     }),
 
+    // 5-step delete confirmation modal
+    deleteTarget && h(Modal, {
+      title: 'Delete User — Step ' + deleteStep + ' of 5',
+      onClose: cancelDelete,
+      width: 480,
+      footer: h(Fragment, null,
+        h('button', { className: 'btn btn-secondary', onClick: deleteStep === 1 ? cancelDelete : function() { setDeleteStep(deleteStep - 1); } }, deleteStep === 1 ? 'Cancel' : 'Back'),
+        deleteStep < 5
+          ? h('button', { className: 'btn btn-' + (deleteStep >= 3 ? 'danger' : 'primary'), onClick: function() { setDeleteStep(deleteStep + 1); } }, 'Continue')
+          : h('button', { className: 'btn btn-danger', onClick: confirmDelete, disabled: deleteTyped !== deleteTarget.email }, 'Permanently Delete')
+      )
+    },
+      // Step 1: Warning
+      deleteStep === 1 && h('div', null,
+        h('div', { style: { display: 'flex', alignItems: 'center', gap: 12, padding: 16, background: 'var(--danger-soft, rgba(220,38,38,0.08))', borderRadius: 8, marginBottom: 16 } },
+          h('svg', { width: 24, height: 24, viewBox: '0 0 24 24', fill: 'none', stroke: 'var(--danger)', strokeWidth: 2 }, h('path', { d: 'M12 9v4m0 4h.01M10.29 3.86l-8.6 14.86A2 2 0 0 0 3.4 21h17.2a2 2 0 0 0 1.71-2.98L13.71 3.86a2 2 0 0 0-3.42 0z' })),
+          h('div', null,
+            h('strong', null, 'Permanent Deletion'),
+            h('div', { style: { fontSize: 12, color: 'var(--text-muted)', marginTop: 2 } }, 'This action cannot be undone.')
+          )
+        ),
+        h('p', { style: { fontSize: 13 } }, 'You are about to permanently delete the user account for:'),
+        h('div', { style: { padding: 12, background: 'var(--bg-tertiary)', borderRadius: 8, marginTop: 8 } },
+          h('strong', null, deleteTarget.name || 'Unnamed'), h('br'),
+          h('span', { style: { fontSize: 12, color: 'var(--text-muted)', fontFamily: 'var(--font-mono)' } }, deleteTarget.email)
+        ),
+        h('p', { style: { fontSize: 12, color: 'var(--text-muted)', marginTop: 12 } }, 'Consider deactivating instead — deactivated users can be reactivated later.')
+      ),
+      // Step 2: Data loss
+      deleteStep === 2 && h('div', null,
+        h('h4', { style: { marginBottom: 12 } }, 'Data That Will Be Lost'),
+        h('ul', { style: { paddingLeft: 20, fontSize: 13, lineHeight: 1.8 } },
+          h('li', null, 'All login sessions will be terminated immediately'),
+          h('li', null, 'Audit log entries will be orphaned (no user reference)'),
+          h('li', null, 'Any API keys created by this user will be revoked'),
+          h('li', null, 'Permission grants and role assignments will be removed'),
+          h('li', null, '2FA configuration and backup codes will be destroyed')
+        )
+      ),
+      // Step 3: Impact
+      deleteStep === 3 && h('div', null,
+        h('h4', { style: { marginBottom: 12 } }, 'Impact Assessment'),
+        h('div', { style: { padding: 12, background: 'var(--warning-soft, rgba(245,158,11,0.08))', borderRadius: 8, fontSize: 13, lineHeight: 1.6 } },
+          h('p', null, 'If this user manages or supervises any agents, those agents will lose their manager assignment.'),
+          h('p', { style: { marginTop: 8 } }, 'If this user created approval workflows, pending approvals may become orphaned.'),
+          h('p', { style: { marginTop: 8 } }, 'Any scheduled tasks or cron jobs created by this user will continue to run but cannot be modified.')
+        )
+      ),
+      // Step 4: Alternative
+      deleteStep === 4 && h('div', null,
+        h('h4', { style: { marginBottom: 12 } }, 'Are You Sure?'),
+        h('div', { style: { padding: 16, background: 'var(--success-soft, rgba(21,128,61,0.08))', borderRadius: 8, marginBottom: 16 } },
+          h('strong', null, 'Recommended alternative: Deactivate'),
+          h('p', { style: { fontSize: 12, color: 'var(--text-secondary)', marginTop: 4 } }, 'Deactivating blocks login while preserving all data. The user can be reactivated at any time. This is the safe option.')
+        ),
+        h('div', { style: { padding: 16, background: 'var(--danger-soft, rgba(220,38,38,0.08))', borderRadius: 8 } },
+          h('strong', null, 'Permanent deletion'),
+          h('p', { style: { fontSize: 12, color: 'var(--text-secondary)', marginTop: 4 } }, 'Removes the user and all associated data forever. There is no recovery.')
+        )
+      ),
+      // Step 5: Type email to confirm
+      deleteStep === 5 && h('div', null,
+        h('h4', { style: { marginBottom: 12, color: 'var(--danger)' } }, 'Final Confirmation'),
+        h('p', { style: { fontSize: 13, marginBottom: 12 } }, 'Type the user\'s email address to confirm permanent deletion:'),
+        h('div', { style: { padding: 8, background: 'var(--bg-tertiary)', borderRadius: 6, fontFamily: 'var(--font-mono)', fontSize: 13, textAlign: 'center', marginBottom: 12 } }, deleteTarget.email),
+        h('input', {
+          className: 'input', type: 'text', value: deleteTyped,
+          onChange: function(e) { setDeleteTyped(e.target.value); },
+          placeholder: 'Type email to confirm',
+          autoFocus: true,
+          style: { fontFamily: 'var(--font-mono)', fontSize: 13, borderColor: deleteTyped === deleteTarget.email ? 'var(--danger)' : 'var(--border)' }
+        }),
+        deleteTyped && deleteTyped !== deleteTarget.email && h('div', { style: { fontSize: 11, color: 'var(--danger)', marginTop: 4 } }, 'Email does not match')
+      )
+    ),
+
     // Users table
     h('div', { className: 'card' },
       h('div', { className: 'card-body-flush' },
         users.length === 0 ? h('div', { style: { padding: 24, textAlign: 'center', color: 'var(--text-muted)' } }, 'No users')
         : h('table', null,
-            h('thead', null, h('tr', null, h('th', null, 'Name'), h('th', null, 'Email'), h('th', null, 'Role'), h('th', null, 'Access'), h('th', null, '2FA'), h('th', null, 'Created'), h('th', { style: { width: 180 } }, 'Actions'))),
+            h('thead', null, h('tr', null, h('th', null, 'Name'), h('th', null, 'Email'), h('th', null, 'Role'), h('th', null, 'Status'), h('th', null, 'Access'), h('th', null, '2FA'), h('th', null, 'Created'), h('th', { style: { width: 200 } }, 'Actions'))),
             h('tbody', null, users.map(function(u) {
               var isRestricted = u.role === 'member' || u.role === 'viewer';
-              return h('tr', { key: u.id },
+              var isDeactivated = u.isActive === false;
+              var isSelf = u.id === ((app || {}).user || {}).id;
+              return h('tr', { key: u.id, style: isDeactivated ? { opacity: 0.6 } : {} },
                 h('td', null, h('strong', null, u.name || '-')),
                 h('td', null, h('span', { style: { fontFamily: 'var(--font-mono)', fontSize: 12 } }, u.email)),
                 h('td', null, h('span', { className: 'badge badge-' + (u.role === 'owner' ? 'warning' : u.role === 'admin' ? 'primary' : 'neutral') }, u.role)),
+                h('td', null, isDeactivated
+                  ? h('span', { className: 'badge badge-danger', style: { fontSize: 10 } }, 'Deactivated')
+                  : h('span', { className: 'badge badge-success', style: { fontSize: 10 } }, 'Active')
+                ),
                 h('td', null, permBadge(u)),
                 h('td', null, u.totpEnabled ? h('span', { className: 'badge badge-success' }, 'On') : h('span', { className: 'badge badge-neutral' }, 'Off')),
                 h('td', { style: { fontSize: 12, color: 'var(--text-muted)' } }, u.createdAt ? new Date(u.createdAt).toLocaleDateString() : '-'),
@@ -509,7 +725,15 @@ export function UsersPage() {
                       style: !isRestricted ? { opacity: 0.4 } : {}
                     }, I.shield()),
                     h('button', { className: 'btn btn-ghost btn-sm', title: 'Reset Password', onClick: function() { setResetTarget(u); setNewPassword(''); } }, I.lock()),
-                    h('button', { className: 'btn btn-ghost btn-sm', title: 'Delete User', onClick: function() { deleteUser(u); }, style: { color: 'var(--danger)' } }, I.trash())
+                    // Deactivate / Reactivate
+                    !isSelf && h('button', {
+                      className: 'btn btn-ghost btn-sm',
+                      title: isDeactivated ? 'Reactivate User' : 'Deactivate User',
+                      onClick: function() { toggleActive(u); },
+                      style: { color: isDeactivated ? 'var(--success, #15803d)' : 'var(--warning, #f59e0b)' }
+                    }, isDeactivated ? I.check() : I.pause()),
+                    // Delete (owner only)
+                    !isSelf && h('button', { className: 'btn btn-ghost btn-sm', title: 'Delete User Permanently', onClick: function() { startDelete(u); }, style: { color: 'var(--danger)' } }, I.trash())
                   )
                 )
               );

package/src/db/adapter.ts

@@ -67,6 +67,7 @@ export interface User {
   totpBackupCodes?: string;  // JSON array of hashed backup codes
   permissions?: any;         // '*' or { pageId: true | string[] }
   mustResetPassword?: boolean;
+  isActive?: boolean;
   createdAt: Date;
   updatedAt: Date;
   lastLoginAt?: Date;

package/src/db/postgres.ts

@@ -191,6 +191,7 @@ export class PostgresAdapter extends DatabaseAdapter {
         ALTER TABLE users ADD COLUMN IF NOT EXISTS totp_backup_codes TEXT;
         ALTER TABLE users ADD COLUMN IF NOT EXISTS permissions JSONB DEFAULT '"*"';
         ALTER TABLE users ADD COLUMN IF NOT EXISTS must_reset_password BOOLEAN DEFAULT FALSE;
+        ALTER TABLE users ADD COLUMN IF NOT EXISTS is_active BOOLEAN DEFAULT TRUE;
       `).catch(() => {});
       await client.query('COMMIT');
     } catch (err) {
@@ -709,6 +710,7 @@ export class PostgresAdapter extends DatabaseAdapter {
       totpSecret: r.totp_secret, totpEnabled: !!r.totp_enabled, totpBackupCodes: r.totp_backup_codes,
       permissions: r.permissions != null ? (typeof r.permissions === 'string' ? (() => { try { return JSON.parse(r.permissions); } catch { return '*'; } })() : r.permissions) : '*',
       mustResetPassword: !!r.must_reset_password,
+      isActive: r.is_active !== false && r.is_active !== 0, // default true
       createdAt: new Date(r.created_at), updatedAt: new Date(r.updated_at),
       lastLoginAt: r.last_login_at ? new Date(r.last_login_at) : undefined,
     };

package/src/db/sqlite.ts

@@ -62,6 +62,7 @@ export class SqliteAdapter extends DatabaseAdapter {
       // Add permissions column if missing
       try { this.db.exec(`ALTER TABLE users ADD COLUMN permissions TEXT DEFAULT '"*"'`); } catch { /* exists */ }
       try { this.db.exec(`ALTER TABLE users ADD COLUMN must_reset_password INTEGER DEFAULT 0`); } catch { /* exists */ }
+      try { this.db.exec(`ALTER TABLE users ADD COLUMN is_active INTEGER DEFAULT 1`); } catch { /* exists */ }
     });
     tx();
   }