admin area

2026-01-01 12:10:35 +01:00
parent 02c0cc44e1
commit f001df3744
68 changed files with 10324 additions and 32 deletions
--- a/apps/api/src/app.module.ts
+++ b/apps/api/src/app.module.ts
@@ -11,6 +11,7 @@ import { LeagueModule } from './domain/league/LeagueModule';
 import { LoggingModule } from './domain/logging/LoggingModule';
 import { MediaModule } from './domain/media/MediaModule';
 import { PaymentsModule } from './domain/payments/PaymentsModule';
+import { AdminModule } from './domain/admin/AdminModule';
 import { PolicyModule } from './domain/policy/PolicyModule';
 import { ProtestsModule } from './domain/protests/ProtestsModule';
 import { RaceModule } from './domain/race/RaceModule';
@@ -44,6 +45,7 @@ const ENABLE_BOOTSTRAP = getEnableBootstrap();
    MediaModule,
    PaymentsModule,
    PolicyModule,
+    AdminModule,
  ],
 })
 export class AppModule implements NestModule {
--- a/apps/api/src/domain/admin/AdminController.ts
+++ b/apps/api/src/domain/admin/AdminController.ts
@@ -0,0 +1,67 @@
+import { Controller, Get, Inject, Query, Req, UseGuards } from '@nestjs/common';
+import { ApiOperation, ApiResponse, ApiTags } from '@nestjs/swagger';
+import { AdminService } from './AdminService';
+import { ListUsersRequestDto } from './dtos/ListUsersRequestDto';
+import { UserListResponseDto } from './dtos/UserResponseDto';
+import { DashboardStatsResponseDto } from './dto/DashboardStatsResponseDto';
+import { RequireAuthenticatedUser } from '../auth/RequireAuthenticatedUser';
+import { RequireRoles } from '../auth/RequireRoles';
+import { AuthorizationGuard } from '../auth/AuthorizationGuard';
+import type { Request } from 'express';
+import type { ListUsersInput } from '@core/admin/application/use-cases/ListUsersUseCase';
+
+@ApiTags('admin')
+@Controller('admin')
+@UseGuards(AuthorizationGuard)
+export class AdminController {
+  constructor(
+    @Inject(AdminService) private readonly adminService: AdminService,
+  ) {}
+
+  @Get('users')
+  @RequireAuthenticatedUser()
+  @RequireRoles('owner', 'admin')
+  @ApiOperation({ summary: 'List all users (Owner/Super Admin only)' })
+  @ApiResponse({ status: 200, description: 'List of users', type: UserListResponseDto })
+  @ApiResponse({ status: 403, description: 'Forbidden - not a system admin' })
+  async listUsers(
+    @Query() query: ListUsersRequestDto,
+    @Req() req: Request,
+  ): Promise<UserListResponseDto> {
+    // Get actorId from request (will be set by auth middleware/guard)
+    const actorId = (req as Request & { user?: { userId?: string } }).user?.userId || 'current-user';
+    
+    // Build input with only defined values
+    const input: ListUsersInput = {
+      actorId,
+      page: query.page || 1,
+      limit: query.limit || 10,
+    };
+
+    if (query.role !== undefined) input.role = query.role;
+    if (query.status !== undefined) input.status = query.status;
+    if (query.email !== undefined) input.email = query.email;
+    if (query.search !== undefined) input.search = query.search;
+    if (query.sortBy !== undefined) input.sortBy = query.sortBy;
+    if (query.sortDirection !== undefined) input.sortDirection = query.sortDirection;
+
+    return await this.adminService.listUsers(input);
+  }
+
+  @Get('dashboard/stats')
+  @RequireAuthenticatedUser()
+  @RequireRoles('owner', 'admin')
+  @ApiOperation({ summary: 'Get dashboard statistics (Owner/Super Admin only)' })
+  @ApiResponse({ status: 200, description: 'Dashboard statistics', type: DashboardStatsResponseDto })
+  @ApiResponse({ status: 403, description: 'Forbidden - not a system admin' })
+  async getDashboardStats(
+    @Req() req: Request,
+  ): Promise<DashboardStatsResponseDto> {
+    // Get actorId from request (will be set by auth middleware/guard)
+    const actorId = (req as Request & { user?: { userId?: string } }).user?.userId || 'current-user';
+    
+    const input = { actorId };
+
+    return await this.adminService.getDashboardStats(input);
+  }
+}
--- a/apps/api/src/domain/admin/AdminModule.ts
+++ b/apps/api/src/domain/admin/AdminModule.ts
@@ -0,0 +1,53 @@
+import { Module } from '@nestjs/common';
+import { InMemoryAdminPersistenceModule } from '../../persistence/inmemory/InMemoryAdminPersistenceModule';
+import { AdminService } from './AdminService';
+import { AdminController } from './AdminController';
+import { ListUsersPresenter } from './presenters/ListUsersPresenter';
+import { DashboardStatsPresenter } from './presenters/DashboardStatsPresenter';
+import { AuthModule } from '../auth/AuthModule';
+import { ListUsersUseCase } from '@core/admin/application/use-cases/ListUsersUseCase';
+import { GetDashboardStatsUseCase } from './use-cases/GetDashboardStatsUseCase';
+import type { UseCaseOutputPort } from '@core/shared/application/UseCaseOutputPort';
+import type { ListUsersResult } from '@core/admin/application/use-cases/ListUsersUseCase';
+import type { DashboardStatsResult } from './use-cases/GetDashboardStatsUseCase';
+import type { IAdminUserRepository } from '@core/admin/domain/repositories/IAdminUserRepository';
+
+export const ADMIN_USER_REPOSITORY_TOKEN = 'IAdminUserRepository';
+export const LIST_USERS_OUTPUT_PORT_TOKEN = 'ListUsersOutputPort';
+export const DASHBOARD_STATS_OUTPUT_PORT_TOKEN = 'DashboardStatsOutputPort';
+
+@Module({
+  imports: [InMemoryAdminPersistenceModule, AuthModule],
+  controllers: [AdminController],
+  providers: [
+    AdminService,
+    ListUsersPresenter,
+    DashboardStatsPresenter,
+    {
+      provide: LIST_USERS_OUTPUT_PORT_TOKEN,
+      useExisting: ListUsersPresenter,
+    },
+    {
+      provide: DASHBOARD_STATS_OUTPUT_PORT_TOKEN,
+      useExisting: DashboardStatsPresenter,
+    },
+    {
+      provide: ListUsersUseCase,
+      useFactory: (
+        repository: IAdminUserRepository,
+        output: UseCaseOutputPort<ListUsersResult>,
+      ) => new ListUsersUseCase(repository, output),
+      inject: [ADMIN_USER_REPOSITORY_TOKEN, LIST_USERS_OUTPUT_PORT_TOKEN],
+    },
+    {
+      provide: GetDashboardStatsUseCase,
+      useFactory: (
+        repository: IAdminUserRepository,
+        output: UseCaseOutputPort<DashboardStatsResult>,
+      ) => new GetDashboardStatsUseCase(repository, output),
+      inject: [ADMIN_USER_REPOSITORY_TOKEN, DASHBOARD_STATS_OUTPUT_PORT_TOKEN],
+    },
+  ],
+  exports: [AdminService],
+})
+export class AdminModule {}
--- a/apps/api/src/domain/admin/AdminService.test.ts
+++ b/apps/api/src/domain/admin/AdminService.test.ts
@@ -0,0 +1,334 @@
+import { AdminService } from './AdminService';
+import { AdminUser } from '@core/admin/domain/entities/AdminUser';
+import { Result } from '@core/shared/application/Result';
+import { vi, describe, it, expect, beforeEach } from 'vitest';
+
+// Mock use cases
+const mockListUsersUseCase = {
+  execute: vi.fn(),
+};
+
+const mockGetDashboardStatsUseCase = {
+  execute: vi.fn(),
+};
+
+// Mock presenters
+const mockListUsersPresenter = {
+  present: vi.fn(),
+  getViewModel: vi.fn(),
+};
+
+const mockDashboardStatsPresenter = {
+  present: vi.fn(),
+  responseModel: {},
+  reset: vi.fn(),
+};
+
+describe('AdminService', () => {
+  describe('TDD - Test First', () => {
+    let service: AdminService;
+
+    beforeEach(() => {
+      vi.clearAllMocks();
+      service = new AdminService(
+        mockListUsersUseCase as any,
+        mockListUsersPresenter as any,
+        mockGetDashboardStatsUseCase as any,
+        mockDashboardStatsPresenter as any
+      );
+    });
+
+    describe('listUsers', () => {
+      it('should return empty list when no users exist', async () => {
+        // Arrange
+        const expectedResult = {
+          users: [],
+          total: 0,
+          page: 1,
+          limit: 10,
+          totalPages: 0,
+        };
+        
+        mockListUsersUseCase.execute.mockResolvedValue(Result.ok(expectedResult));
+        mockListUsersPresenter.getViewModel.mockReturnValue(expectedResult);
+
+        // Act
+        const result = await service.listUsers({ actorId: 'actor-1' });
+
+        // Assert
+        expect(mockListUsersUseCase.execute).toHaveBeenCalledWith({ actorId: 'actor-1' });
+        expect(mockListUsersPresenter.getViewModel).toHaveBeenCalled();
+        expect(result).toEqual(expectedResult);
+      });
+
+      it('should return users when they exist', async () => {
+        // Arrange
+        const user1 = AdminUser.create({
+          id: 'user-1',
+          email: 'user1@example.com',
+          displayName: 'User 1',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        const user2 = AdminUser.create({
+          id: 'user-2',
+          email: 'user2@example.com',
+          displayName: 'User 2',
+          roles: ['admin'],
+          status: 'active',
+        });
+
+        const expectedResult = {
+          users: [user1, user2],
+          total: 2,
+          page: 1,
+          limit: 10,
+          totalPages: 1,
+        };
+
+        mockListUsersUseCase.execute.mockResolvedValue(Result.ok(expectedResult));
+        mockListUsersPresenter.getViewModel.mockReturnValue({
+          users: [
+            { id: 'user-1', email: 'user1@example.com', displayName: 'User 1', roles: ['user'], status: 'active', isSystemAdmin: false, createdAt: user1.createdAt, updatedAt: user1.updatedAt },
+            { id: 'user-2', email: 'user2@example.com', displayName: 'User 2', roles: ['admin'], status: 'active', isSystemAdmin: true, createdAt: user2.createdAt, updatedAt: user2.updatedAt },
+          ],
+          total: 2,
+          page: 1,
+          limit: 10,
+          totalPages: 1,
+        });
+
+        // Act
+        const result = await service.listUsers({ actorId: 'actor-1' });
+
+        // Assert
+        expect(result.users).toHaveLength(2);
+        expect(result.total).toBe(2);
+      });
+
+      it('should apply filters correctly', async () => {
+        // Arrange
+        const adminUser = AdminUser.create({
+          id: 'admin-1',
+          email: 'admin@example.com',
+          displayName: 'Admin',
+          roles: ['admin'],
+          status: 'active',
+        });
+
+        const expectedResult = {
+          users: [adminUser],
+          total: 1,
+          page: 1,
+          limit: 10,
+          totalPages: 1,
+        };
+
+        mockListUsersUseCase.execute.mockResolvedValue(Result.ok(expectedResult));
+        mockListUsersPresenter.getViewModel.mockReturnValue({
+          users: [{ id: 'admin-1', email: 'admin@example.com', displayName: 'Admin', roles: ['admin'], status: 'active', isSystemAdmin: true, createdAt: adminUser.createdAt, updatedAt: adminUser.updatedAt }],
+          total: 1,
+          page: 1,
+          limit: 10,
+          totalPages: 1,
+        });
+
+        // Act
+        const result = await service.listUsers({
+          actorId: 'actor-1',
+          role: 'admin',
+          status: 'active',
+        });
+
+        // Assert
+        expect(mockListUsersUseCase.execute).toHaveBeenCalledWith(
+          expect.objectContaining({
+            actorId: 'actor-1',
+            role: 'admin',
+            status: 'active',
+          })
+        );
+        expect(result.users).toHaveLength(1);
+      });
+
+      it('should apply pagination correctly', async () => {
+        // Arrange
+        const expectedResult = {
+          users: [],
+          total: 50,
+          page: 3,
+          limit: 10,
+          totalPages: 5,
+        };
+
+        mockListUsersUseCase.execute.mockResolvedValue(Result.ok(expectedResult));
+        mockListUsersPresenter.getViewModel.mockReturnValue({
+          users: [],
+          total: 50,
+          page: 3,
+          limit: 10,
+          totalPages: 5,
+        });
+
+        // Act
+        const result = await service.listUsers({
+          actorId: 'actor-1',
+          page: 3,
+          limit: 10,
+        });
+
+        // Assert
+        expect(mockListUsersUseCase.execute).toHaveBeenCalledWith(
+          expect.objectContaining({
+            actorId: 'actor-1',
+            page: 3,
+            limit: 10,
+          })
+        );
+        expect(result.page).toBe(3);
+        expect(result.limit).toBe(10);
+        expect(result.totalPages).toBe(5);
+      });
+
+      it('should apply sorting correctly', async () => {
+        // Arrange
+        const expectedResult = {
+          users: [],
+          total: 0,
+          page: 1,
+          limit: 10,
+          totalPages: 0,
+        };
+
+        mockListUsersUseCase.execute.mockResolvedValue(Result.ok(expectedResult));
+        mockListUsersPresenter.getViewModel.mockReturnValue(expectedResult);
+
+        // Act
+        await service.listUsers({
+          actorId: 'actor-1',
+          sortBy: 'email',
+          sortDirection: 'desc',
+        });
+
+        // Assert
+        expect(mockListUsersUseCase.execute).toHaveBeenCalledWith(
+          expect.objectContaining({
+            actorId: 'actor-1',
+            sortBy: 'email',
+            sortDirection: 'desc',
+          })
+        );
+      });
+
+      it('should handle search filter', async () => {
+        // Arrange
+        const expectedResult = {
+          users: [],
+          total: 0,
+          page: 1,
+          limit: 10,
+          totalPages: 0,
+        };
+
+        mockListUsersUseCase.execute.mockResolvedValue(Result.ok(expectedResult));
+        mockListUsersPresenter.getViewModel.mockReturnValue(expectedResult);
+
+        // Act
+        await service.listUsers({
+          actorId: 'actor-1',
+          search: 'test',
+        });
+
+        // Assert
+        expect(mockListUsersUseCase.execute).toHaveBeenCalledWith(
+          expect.objectContaining({
+            actorId: 'actor-1',
+            search: 'test',
+          })
+        );
+      });
+
+      it('should handle email filter', async () => {
+        // Arrange
+        const expectedResult = {
+          users: [],
+          total: 0,
+          page: 1,
+          limit: 10,
+          totalPages: 0,
+        };
+
+        mockListUsersUseCase.execute.mockResolvedValue(Result.ok(expectedResult));
+        mockListUsersPresenter.getViewModel.mockReturnValue(expectedResult);
+
+        // Act
+        await service.listUsers({
+          actorId: 'actor-1',
+          email: 'test@example.com',
+        });
+
+        // Assert
+        expect(mockListUsersUseCase.execute).toHaveBeenCalledWith(
+          expect.objectContaining({
+            actorId: 'actor-1',
+            email: 'test@example.com',
+          })
+        );
+      });
+
+      it('should throw error when use case fails', async () => {
+        // Arrange
+        const error = { code: 'UNAUTHORIZED', details: { message: 'Not authorized' } };
+        mockListUsersUseCase.execute.mockResolvedValue(Result.err(error));
+
+        // Act & Assert
+        await expect(
+          service.listUsers({ actorId: 'actor-1' })
+        ).rejects.toThrow('UNAUTHORIZED: Not authorized');
+      });
+
+      it('should handle all filters together', async () => {
+        // Arrange
+        const expectedResult = {
+          users: [],
+          total: 0,
+          page: 1,
+          limit: 10,
+          totalPages: 0,
+        };
+
+        mockListUsersUseCase.execute.mockResolvedValue(Result.ok(expectedResult));
+        mockListUsersPresenter.getViewModel.mockReturnValue(expectedResult);
+
+        // Act
+        await service.listUsers({
+          actorId: 'actor-1',
+          role: 'admin',
+          status: 'active',
+          email: 'admin@example.com',
+          search: 'admin',
+          page: 2,
+          limit: 20,
+          sortBy: 'displayName',
+          sortDirection: 'asc',
+        });
+
+        // Assert
+        expect(mockListUsersUseCase.execute).toHaveBeenCalledWith(
+          expect.objectContaining({
+            actorId: 'actor-1',
+            role: 'admin',
+            status: 'active',
+            email: 'admin@example.com',
+            search: 'admin',
+            page: 2,
+            limit: 20,
+            sortBy: 'displayName',
+            sortDirection: 'asc',
+          })
+        );
+      });
+    });
+  });
+});
--- a/apps/api/src/domain/admin/AdminService.ts
+++ b/apps/api/src/domain/admin/AdminService.ts
@@ -0,0 +1,39 @@
+import { Injectable } from '@nestjs/common';
+import { ListUsersUseCase, ListUsersInput } from '@core/admin/application/use-cases/ListUsersUseCase';
+import { ListUsersPresenter, ListUsersViewModel } from './presenters/ListUsersPresenter';
+import { GetDashboardStatsUseCase, GetDashboardStatsInput } from './use-cases/GetDashboardStatsUseCase';
+import { DashboardStatsPresenter, DashboardStatsResponse } from './presenters/DashboardStatsPresenter';
+
+@Injectable()
+export class AdminService {
+  constructor(
+    private readonly listUsersUseCase: ListUsersUseCase,
+    private readonly listUsersPresenter: ListUsersPresenter,
+    private readonly getDashboardStatsUseCase: GetDashboardStatsUseCase,
+    private readonly dashboardStatsPresenter: DashboardStatsPresenter,
+  ) {}
+
+  async listUsers(input: ListUsersInput): Promise<ListUsersViewModel> {
+    const result = await this.listUsersUseCase.execute(input);
+
+    if (result.isErr()) {
+      const error = result.unwrapErr();
+      throw new Error(`${error.code}: ${error.details.message}`);
+    }
+
+    return this.listUsersPresenter.getViewModel();
+  }
+
+  async getDashboardStats(input: GetDashboardStatsInput): Promise<DashboardStatsResponse> {
+    this.dashboardStatsPresenter.reset();
+    
+    const result = await this.getDashboardStatsUseCase.execute(input);
+
+    if (result.isErr()) {
+      const error = result.unwrapErr();
+      throw new Error(`${error.code}: ${error.details.message}`);
+    }
+
+    return this.dashboardStatsPresenter.responseModel;
+  }
+}
--- a/apps/api/src/domain/admin/RequireSystemAdmin.ts
+++ b/apps/api/src/domain/admin/RequireSystemAdmin.ts
@@ -0,0 +1,13 @@
+import { SetMetadata } from '@nestjs/common';
+
+export const REQUIRE_SYSTEM_ADMIN_METADATA_KEY = 'gridpilot:requireSystemAdmin';
+
+export type RequireSystemAdminMetadata = {
+  readonly required: true;
+};
+
+export function RequireSystemAdmin(): MethodDecorator & ClassDecorator {
+  return SetMetadata(REQUIRE_SYSTEM_ADMIN_METADATA_KEY, {
+    required: true,
+  } satisfies RequireSystemAdminMetadata);
+}
--- a/apps/api/src/domain/admin/dto/DashboardStatsResponseDto.ts
+++ b/apps/api/src/domain/admin/dto/DashboardStatsResponseDto.ts
@@ -0,0 +1,80 @@
+import { ApiProperty } from '@nestjs/swagger';
+
+class UserGrowthDto {
+  @ApiProperty({ description: 'Label for the time period' })
+  label!: string;
+
+  @ApiProperty({ description: 'Number of new users' })
+  value!: number;
+
+  @ApiProperty({ description: 'Color class for the bar' })
+  color!: string;
+}
+
+class RoleDistributionDto {
+  @ApiProperty({ description: 'Role name' })
+  label!: string;
+
+  @ApiProperty({ description: 'Number of users with this role' })
+  value!: number;
+
+  @ApiProperty({ description: 'Color class for the bar' })
+  color!: string;
+}
+
+class StatusDistributionDto {
+  @ApiProperty({ description: 'Number of active users' })
+  active!: number;
+
+  @ApiProperty({ description: 'Number of suspended users' })
+  suspended!: number;
+
+  @ApiProperty({ description: 'Number of deleted users' })
+  deleted!: number;
+}
+
+class ActivityTimelineDto {
+  @ApiProperty({ description: 'Date label' })
+  date!: string;
+
+  @ApiProperty({ description: 'Number of new users' })
+  newUsers!: number;
+
+  @ApiProperty({ description: 'Number of logins' })
+  logins!: number;
+}
+
+export class DashboardStatsResponseDto {
+  @ApiProperty({ description: 'Total number of users' })
+  totalUsers!: number;
+
+  @ApiProperty({ description: 'Number of active users' })
+  activeUsers!: number;
+
+  @ApiProperty({ description: 'Number of suspended users' })
+  suspendedUsers!: number;
+
+  @ApiProperty({ description: 'Number of deleted users' })
+  deletedUsers!: number;
+
+  @ApiProperty({ description: 'Number of system admins' })
+  systemAdmins!: number;
+
+  @ApiProperty({ description: 'Number of recent logins (last 24h)' })
+  recentLogins!: number;
+
+  @ApiProperty({ description: 'Number of new users today' })
+  newUsersToday!: number;
+
+  @ApiProperty({ type: [UserGrowthDto], description: 'User growth over last 7 days' })
+  userGrowth!: UserGrowthDto[];
+
+  @ApiProperty({ type: [RoleDistributionDto], description: 'Distribution of user roles' })
+  roleDistribution!: RoleDistributionDto[];
+
+  @ApiProperty({ type: StatusDistributionDto, description: 'Distribution of user statuses' })
+  statusDistribution!: StatusDistributionDto;
+
+  @ApiProperty({ type: [ActivityTimelineDto], description: 'Activity timeline for last 7 days' })
+  activityTimeline!: ActivityTimelineDto[];
+}
--- a/apps/api/src/domain/admin/dtos/ListUsersRequestDto.test.ts
+++ b/apps/api/src/domain/admin/dtos/ListUsersRequestDto.test.ts
@@ -0,0 +1,119 @@
+import { ListUsersRequestDto } from './ListUsersRequestDto';
+
+describe('ListUsersRequestDto', () => {
+  describe('TDD - Test First', () => {
+    it('should create valid DTO with all fields', () => {
+      // Arrange & Act
+      const dto = new ListUsersRequestDto();
+      dto.role = 'admin';
+      dto.status = 'active';
+      dto.email = 'test@example.com';
+      dto.search = 'test';
+      dto.page = 2;
+      dto.limit = 20;
+      dto.sortBy = 'email';
+      dto.sortDirection = 'desc';
+
+      // Assert
+      expect(dto.role).toBe('admin');
+      expect(dto.status).toBe('active');
+      expect(dto.email).toBe('test@example.com');
+      expect(dto.search).toBe('test');
+      expect(dto.page).toBe(2);
+      expect(dto.limit).toBe(20);
+      expect(dto.sortBy).toBe('email');
+      expect(dto.sortDirection).toBe('desc');
+    });
+
+    it('should create DTO with optional fields undefined', () => {
+      // Arrange & Act
+      const dto = new ListUsersRequestDto();
+
+      // Assert
+      expect(dto.role).toBeUndefined();
+      expect(dto.status).toBeUndefined();
+      expect(dto.email).toBeUndefined();
+      expect(dto.search).toBeUndefined();
+      expect(dto.page).toBeUndefined();
+      expect(dto.limit).toBeUndefined();
+      expect(dto.sortBy).toBeUndefined();
+      expect(dto.sortDirection).toBeUndefined();
+    });
+
+    it('should handle partial input', () => {
+      // Arrange & Act
+      const dto = new ListUsersRequestDto();
+      dto.page = 1;
+      dto.limit = 10;
+
+      // Assert
+      expect(dto.page).toBe(1);
+      expect(dto.limit).toBe(10);
+      expect(dto.role).toBeUndefined();
+      expect(dto.status).toBeUndefined();
+    });
+
+    it('should accept string values for all fields', () => {
+      // Arrange & Act
+      const dto = new ListUsersRequestDto();
+      dto.role = 'owner';
+      dto.status = 'suspended';
+      dto.email = 'suspended@example.com';
+      dto.search = 'suspended';
+      dto.page = 3;
+      dto.limit = 50;
+      dto.sortBy = 'displayName';
+      dto.sortDirection = 'asc';
+
+      // Assert
+      expect(dto.role).toBe('owner');
+      expect(dto.status).toBe('suspended');
+      expect(dto.email).toBe('suspended@example.com');
+      expect(dto.search).toBe('suspended');
+      expect(dto.page).toBe(3);
+      expect(dto.limit).toBe(50);
+      expect(dto.sortBy).toBe('displayName');
+      expect(dto.sortDirection).toBe('asc');
+    });
+
+    it('should handle numeric string values for pagination', () => {
+      // Arrange & Act
+      const dto = new ListUsersRequestDto();
+      dto.page = '5' as any;
+      dto.limit = '25' as any;
+
+      // Assert - Should accept the values
+      expect(dto.page).toBe('5');
+      expect(dto.limit).toBe('25');
+    });
+
+    it('should handle empty string values', () => {
+      // Arrange & Act
+      const dto = new ListUsersRequestDto();
+      dto.role = '';
+      dto.search = '';
+
+      // Assert
+      expect(dto.role).toBe('');
+      expect(dto.search).toBe('');
+    });
+
+    it('should handle special characters in search', () => {
+      // Arrange & Act
+      const dto = new ListUsersRequestDto();
+      dto.search = 'test@example.com';
+
+      // Assert
+      expect(dto.search).toBe('test@example.com');
+    });
+
+    it('should handle unicode characters', () => {
+      // Arrange & Act
+      const dto = new ListUsersRequestDto();
+      dto.search = 'tëst ñame';
+
+      // Assert
+      expect(dto.search).toBe('tëst ñame');
+    });
+  });
+});
--- a/apps/api/src/domain/admin/dtos/ListUsersRequestDto.ts
+++ b/apps/api/src/domain/admin/dtos/ListUsersRequestDto.ts
@@ -0,0 +1,73 @@
+import { ApiPropertyOptional } from '@nestjs/swagger';
+import { IsOptional, IsString, IsNumber, Min, Max } from 'class-validator';
+
+export class ListUsersRequestDto {
+  @ApiPropertyOptional({
+    description: 'Filter by user role',
+    enum: ['owner', 'admin', 'user'],
+  })
+  @IsOptional()
+  @IsString()
+  role?: string;
+
+  @ApiPropertyOptional({
+    description: 'Filter by user status',
+    enum: ['active', 'suspended', 'deleted'],
+  })
+  @IsOptional()
+  @IsString()
+  status?: string;
+
+  @ApiPropertyOptional({
+    description: 'Filter by email',
+  })
+  @IsOptional()
+  @IsString()
+  email?: string;
+
+  @ApiPropertyOptional({
+    description: 'Search by email or display name',
+  })
+  @IsOptional()
+  @IsString()
+  search?: string;
+
+  @ApiPropertyOptional({
+    description: 'Page number',
+    default: 1,
+    minimum: 1,
+  })
+  @IsOptional()
+  @IsNumber()
+  @Min(1)
+  page?: number;
+
+  @ApiPropertyOptional({
+    description: 'Items per page',
+    default: 10,
+    minimum: 1,
+    maximum: 100,
+  })
+  @IsOptional()
+  @IsNumber()
+  @Min(1)
+  @Max(100)
+  limit?: number;
+
+  @ApiPropertyOptional({
+    description: 'Sort field',
+    enum: ['email', 'displayName', 'createdAt', 'lastLoginAt', 'status'],
+  })
+  @IsOptional()
+  @IsString()
+  sortBy?: 'email' | 'displayName' | 'createdAt' | 'lastLoginAt' | 'status';
+
+  @ApiPropertyOptional({
+    description: 'Sort direction',
+    enum: ['asc', 'desc'],
+    default: 'asc',
+  })
+  @IsOptional()
+  @IsString()
+  sortDirection?: 'asc' | 'desc';
+}
--- a/apps/api/src/domain/admin/dtos/UserResponseDto.test.ts
+++ b/apps/api/src/domain/admin/dtos/UserResponseDto.test.ts
@@ -0,0 +1,232 @@
+import { UserResponseDto } from './UserResponseDto';
+
+describe('UserResponseDto', () => {
+  describe('TDD - Test First', () => {
+    it('should create valid DTO with all fields', () => {
+      // Arrange & Act
+      const dto = new UserResponseDto();
+      dto.id = 'user-123';
+      dto.email = 'test@example.com';
+      dto.displayName = 'Test User';
+      dto.roles = ['owner', 'admin'];
+      dto.status = 'active';
+      dto.isSystemAdmin = true;
+      dto.createdAt = new Date('2024-01-01T00:00:00Z');
+      dto.updatedAt = new Date('2024-01-02T00:00:00Z');
+      dto.lastLoginAt = new Date('2024-01-03T00:00:00Z');
+      dto.primaryDriverId = 'driver-456';
+
+      // Assert
+      expect(dto.id).toBe('user-123');
+      expect(dto.email).toBe('test@example.com');
+      expect(dto.displayName).toBe('Test User');
+      expect(dto.roles).toEqual(['owner', 'admin']);
+      expect(dto.status).toBe('active');
+      expect(dto.isSystemAdmin).toBe(true);
+      expect(dto.createdAt).toEqual(new Date('2024-01-01T00:00:00Z'));
+      expect(dto.updatedAt).toEqual(new Date('2024-01-02T00:00:00Z'));
+      expect(dto.lastLoginAt).toEqual(new Date('2024-01-03T00:00:00Z'));
+      expect(dto.primaryDriverId).toBe('driver-456');
+    });
+
+    it('should create DTO with required fields only', () => {
+      // Arrange & Act
+      const dto = new UserResponseDto();
+      dto.id = 'user-123';
+      dto.email = 'test@example.com';
+      dto.displayName = 'Test User';
+      dto.roles = ['user'];
+      dto.status = 'active';
+      dto.isSystemAdmin = false;
+      dto.createdAt = new Date();
+      dto.updatedAt = new Date();
+
+      // Assert
+      expect(dto.id).toBe('user-123');
+      expect(dto.email).toBe('test@example.com');
+      expect(dto.displayName).toBe('Test User');
+      expect(dto.roles).toEqual(['user']);
+      expect(dto.status).toBe('active');
+      expect(dto.isSystemAdmin).toBe(false);
+      expect(dto.createdAt).toBeInstanceOf(Date);
+      expect(dto.updatedAt).toBeInstanceOf(Date);
+      expect(dto.lastLoginAt).toBeUndefined();
+      expect(dto.primaryDriverId).toBeUndefined();
+    });
+
+    it('should handle empty roles array', () => {
+      // Arrange & Act
+      const dto = new UserResponseDto();
+      dto.id = 'user-123';
+      dto.email = 'test@example.com';
+      dto.displayName = 'Test User';
+      dto.roles = [];
+      dto.status = 'active';
+      dto.isSystemAdmin = false;
+      dto.createdAt = new Date();
+      dto.updatedAt = new Date();
+
+      // Assert
+      expect(dto.roles).toEqual([]);
+    });
+
+    it('should handle single role', () => {
+      // Arrange & Act
+      const dto = new UserResponseDto();
+      dto.id = 'user-123';
+      dto.email = 'test@example.com';
+      dto.displayName = 'Test User';
+      dto.roles = ['admin'];
+      dto.status = 'active';
+      dto.isSystemAdmin = true;
+      dto.createdAt = new Date();
+      dto.updatedAt = new Date();
+
+      // Assert
+      expect(dto.roles).toEqual(['admin']);
+      expect(dto.isSystemAdmin).toBe(true);
+    });
+
+    it('should handle suspended status', () => {
+      // Arrange & Act
+      const dto = new UserResponseDto();
+      dto.id = 'user-123';
+      dto.email = 'test@example.com';
+      dto.displayName = 'Test User';
+      dto.roles = ['user'];
+      dto.status = 'suspended';
+      dto.isSystemAdmin = false;
+      dto.createdAt = new Date();
+      dto.updatedAt = new Date();
+
+      // Assert
+      expect(dto.status).toBe('suspended');
+    });
+
+    it('should handle deleted status', () => {
+      // Arrange & Act
+      const dto = new UserResponseDto();
+      dto.id = 'user-123';
+      dto.email = 'test@example.com';
+      dto.displayName = 'Test User';
+      dto.roles = ['user'];
+      dto.status = 'deleted';
+      dto.isSystemAdmin = false;
+      dto.createdAt = new Date();
+      dto.updatedAt = new Date();
+
+      // Assert
+      expect(dto.status).toBe('deleted');
+    });
+
+    it('should handle very long display names', () => {
+      // Arrange
+      const longName = 'A'.repeat(100);
+
+      // Act
+      const dto = new UserResponseDto();
+      dto.id = 'user-123';
+      dto.email = 'test@example.com';
+      dto.displayName = longName;
+      dto.roles = ['user'];
+      dto.status = 'active';
+      dto.isSystemAdmin = false;
+      dto.createdAt = new Date();
+      dto.updatedAt = new Date();
+
+      // Assert
+      expect(dto.displayName).toBe(longName);
+    });
+
+    it('should handle special characters in email', () => {
+      // Arrange & Act
+      const dto = new UserResponseDto();
+      dto.id = 'user-123';
+      dto.email = 'test+tag@example.co.uk';
+      dto.displayName = 'Test User';
+      dto.roles = ['user'];
+      dto.status = 'active';
+      dto.isSystemAdmin = false;
+      dto.createdAt = new Date();
+      dto.updatedAt = new Date();
+
+      // Assert
+      expect(dto.email).toBe('test+tag@example.co.uk');
+    });
+
+    it('should handle unicode in display name', () => {
+      // Arrange & Act
+      const dto = new UserResponseDto();
+      dto.id = 'user-123';
+      dto.email = 'test@example.com';
+      dto.displayName = 'Tëst Ñame';
+      dto.roles = ['user'];
+      dto.status = 'active';
+      dto.isSystemAdmin = false;
+      dto.createdAt = new Date();
+      dto.updatedAt = new Date();
+
+      // Assert
+      expect(dto.displayName).toBe('Tëst Ñame');
+    });
+
+    it('should handle UUID format for ID', () => {
+      // Arrange
+      const uuid = '550e8400-e29b-41d4-a716-446655440000';
+
+      // Act
+      const dto = new UserResponseDto();
+      dto.id = uuid;
+      dto.email = 'test@example.com';
+      dto.displayName = 'Test User';
+      dto.roles = ['user'];
+      dto.status = 'active';
+      dto.isSystemAdmin = false;
+      dto.createdAt = new Date();
+      dto.updatedAt = new Date();
+
+      // Assert
+      expect(dto.id).toBe(uuid);
+    });
+
+    it('should handle numeric primary driver ID', () => {
+      // Arrange & Act
+      const dto = new UserResponseDto();
+      dto.id = 'user-123';
+      dto.email = 'test@example.com';
+      dto.displayName = 'Test User';
+      dto.roles = ['user'];
+      dto.status = 'active';
+      dto.isSystemAdmin = false;
+      dto.createdAt = new Date();
+      dto.updatedAt = new Date();
+      dto.primaryDriverId = '123456';
+
+      // Assert
+      expect(dto.primaryDriverId).toBe('123456');
+    });
+
+    it('should handle very old and very new dates', () => {
+      // Arrange
+      const oldDate = new Date('1970-01-01T00:00:00Z');
+      const newDate = new Date('2099-12-31T23:59:59Z');
+
+      // Act
+      const dto = new UserResponseDto();
+      dto.id = 'user-123';
+      dto.email = 'test@example.com';
+      dto.displayName = 'Test User';
+      dto.roles = ['user'];
+      dto.status = 'active';
+      dto.isSystemAdmin = false;
+      dto.createdAt = oldDate;
+      dto.updatedAt = newDate;
+      dto.lastLoginAt = newDate;
+
+      // Assert
+      expect(dto.createdAt).toEqual(oldDate);
+      expect(dto.updatedAt).toEqual(newDate);
+      expect(dto.lastLoginAt).toEqual(newDate);
+    });
+  });
+});
--- a/apps/api/src/domain/admin/dtos/UserResponseDto.ts
+++ b/apps/api/src/domain/admin/dtos/UserResponseDto.ts
@@ -0,0 +1,50 @@
+import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
+
+export class UserResponseDto {
+  @ApiProperty({ description: 'User ID' })
+  id: string = '';
+
+  @ApiProperty({ description: 'User email' })
+  email: string = '';
+
+  @ApiProperty({ description: 'Display name' })
+  displayName: string = '';
+
+  @ApiProperty({ description: 'User roles', type: [String] })
+  roles: string[] = [];
+
+  @ApiProperty({ description: 'User status' })
+  status: string = '';
+
+  @ApiProperty({ description: 'Whether user is system admin' })
+  isSystemAdmin: boolean = false;
+
+  @ApiProperty({ description: 'Account creation date' })
+  createdAt: Date = new Date();
+
+  @ApiProperty({ description: 'Last update date' })
+  updatedAt: Date = new Date();
+
+  @ApiPropertyOptional({ description: 'Last login date' })
+  lastLoginAt?: Date;
+
+  @ApiPropertyOptional({ description: 'Primary driver ID' })
+  primaryDriverId?: string;
+}
+
+export class UserListResponseDto {
+  @ApiProperty({ description: 'List of users', type: [UserResponseDto] })
+  users: UserResponseDto[] = [];
+
+  @ApiProperty({ description: 'Total number of users' })
+  total: number = 0;
+
+  @ApiProperty({ description: 'Current page number' })
+  page: number = 1;
+
+  @ApiProperty({ description: 'Items per page' })
+  limit: number = 10;
+
+  @ApiProperty({ description: 'Total number of pages' })
+  totalPages: number = 0;
+}
--- a/apps/api/src/domain/admin/presenters/DashboardStatsPresenter.ts
+++ b/apps/api/src/domain/admin/presenters/DashboardStatsPresenter.ts
@@ -0,0 +1,63 @@
+import type { UseCaseOutputPort } from '@core/shared/application/UseCaseOutputPort';
+import type { DashboardStatsResult } from '../use-cases/GetDashboardStatsUseCase';
+
+export interface DashboardStatsResponse {
+  totalUsers: number;
+  activeUsers: number;
+  suspendedUsers: number;
+  deletedUsers: number;
+  systemAdmins: number;
+  recentLogins: number;
+  newUsersToday: number;
+  userGrowth: {
+    label: string;
+    value: number;
+    color: string;
+  }[];
+  roleDistribution: {
+    label: string;
+    value: number;
+    color: string;
+  }[];
+  statusDistribution: {
+    active: number;
+    suspended: number;
+    deleted: number;
+  };
+  activityTimeline: {
+    date: string;
+    newUsers: number;
+    logins: number;
+  }[];
+}
+
+export class DashboardStatsPresenter implements UseCaseOutputPort<DashboardStatsResult> {
+  private _responseModel: DashboardStatsResponse | null = null;
+
+  present(result: DashboardStatsResult): void {
+    this._responseModel = {
+      totalUsers: result.totalUsers,
+      activeUsers: result.activeUsers,
+      suspendedUsers: result.suspendedUsers,
+      deletedUsers: result.deletedUsers,
+      systemAdmins: result.systemAdmins,
+      recentLogins: result.recentLogins,
+      newUsersToday: result.newUsersToday,
+      userGrowth: result.userGrowth,
+      roleDistribution: result.roleDistribution,
+      statusDistribution: result.statusDistribution,
+      activityTimeline: result.activityTimeline,
+    };
+  }
+
+  get responseModel(): DashboardStatsResponse {
+    if (!this._responseModel) {
+      throw new Error('No response model available. Call present() first.');
+    }
+    return this._responseModel;
+  }
+
+  reset(): void {
+    this._responseModel = null;
+  }
+}
--- a/apps/api/src/domain/admin/presenters/ListUsersPresenter.test.ts
+++ b/apps/api/src/domain/admin/presenters/ListUsersPresenter.test.ts
@@ -0,0 +1,398 @@
+import { ListUsersPresenter } from './ListUsersPresenter';
+import { ListUsersResult } from '@core/admin/application/use-cases/ListUsersUseCase';
+import { AdminUser } from '@core/admin/domain/entities/AdminUser';
+
+describe('ListUsersPresenter', () => {
+  describe('TDD - Test First', () => {
+    it('should convert result to response DTO with all fields', () => {
+      // Arrange - Create domain objects
+      const user1 = AdminUser.create({
+        id: 'user-1',
+        email: 'user1@example.com',
+        displayName: 'User One',
+        roles: ['user'],
+        status: 'active',
+        createdAt: new Date('2024-01-01T00:00:00Z'),
+        updatedAt: new Date('2024-01-02T00:00:00Z'),
+        lastLoginAt: new Date('2024-01-03T00:00:00Z'),
+        primaryDriverId: 'driver-1',
+      });
+
+      const user2 = AdminUser.create({
+        id: 'user-2',
+        email: 'user2@example.com',
+        displayName: 'User Two',
+        roles: ['owner'],
+        status: 'active',
+        createdAt: new Date('2024-01-04T00:00:00Z'),
+        updatedAt: new Date('2024-01-05T00:00:00Z'),
+        lastLoginAt: new Date('2024-01-06T00:00:00Z'),
+        primaryDriverId: 'driver-2',
+      });
+
+      const result: ListUsersResult = {
+        users: [user1, user2],
+        total: 2,
+        page: 1,
+        limit: 10,
+        totalPages: 1,
+      };
+
+      // Act
+      const response = ListUsersPresenter.toResponse(result);
+
+      // Assert
+      expect(response.users).toHaveLength(2);
+      expect(response.total).toBe(2);
+      expect(response.page).toBe(1);
+      expect(response.limit).toBe(10);
+      expect(response.totalPages).toBe(1);
+
+      // Check first user
+      const user0 = response.users[0];
+      expect(user0).toBeDefined();
+      if (user0) {
+        expect(user0.id).toBe('user-1');
+        expect(user0.email).toBe('user1@example.com');
+        expect(user0.displayName).toBe('User One');
+        expect(user0.roles).toEqual(['user']);
+        expect(user0.status).toBe('active');
+        expect(user0.isSystemAdmin).toBe(false);
+        expect(user0.createdAt).toEqual(new Date('2024-01-01T00:00:00Z'));
+        expect(user0.updatedAt).toEqual(new Date('2024-01-02T00:00:00Z'));
+        expect(user0.lastLoginAt).toEqual(new Date('2024-01-03T00:00:00Z'));
+        expect(user0.primaryDriverId).toBe('driver-1');
+      }
+
+      // Check second user
+      const user1Response = response.users[1];
+      expect(user1Response).toBeDefined();
+      if (user1Response) {
+        expect(user1Response.id).toBe('user-2');
+        expect(user1Response.email).toBe('user2@example.com');
+        expect(user1Response.displayName).toBe('User Two');
+        expect(user1Response.roles).toEqual(['owner']);
+        expect(user1Response.status).toBe('active');
+        expect(user1Response.isSystemAdmin).toBe(true);
+        expect(user1Response.createdAt).toEqual(new Date('2024-01-04T00:00:00Z'));
+        expect(user1Response.updatedAt).toEqual(new Date('2024-01-05T00:00:00Z'));
+        expect(user1Response.lastLoginAt).toEqual(new Date('2024-01-06T00:00:00Z'));
+        expect(user1Response.primaryDriverId).toBe('driver-2');
+      }
+    });
+
+    it('should handle empty user list', () => {
+      // Arrange
+      const result: ListUsersResult = {
+        users: [],
+        total: 0,
+        page: 1,
+        limit: 10,
+        totalPages: 0,
+      };
+
+      // Act
+      const response = ListUsersPresenter.toResponse(result);
+
+      // Assert
+      expect(response.users).toEqual([]);
+      expect(response.total).toBe(0);
+      expect(response.page).toBe(1);
+      expect(response.limit).toBe(10);
+      expect(response.totalPages).toBe(0);
+    });
+
+    it('should handle users without optional fields', () => {
+      // Arrange
+      const user1 = AdminUser.create({
+        id: 'user-1',
+        email: 'user1@example.com',
+        displayName: 'User One',
+        roles: ['user'],
+        status: 'active',
+        createdAt: new Date('2024-01-01T00:00:00Z'),
+        updatedAt: new Date('2024-01-02T00:00:00Z'),
+      });
+
+      const result: ListUsersResult = {
+        users: [user1],
+        total: 1,
+        page: 1,
+        limit: 10,
+        totalPages: 1,
+      };
+
+      // Act
+      const response = ListUsersPresenter.toResponse(result);
+
+      // Assert
+      expect(response.users).toHaveLength(1);
+      const user0 = response.users[0];
+      expect(user0).toBeDefined();
+      if (user0) {
+        expect(user0.lastLoginAt).toBeUndefined();
+        expect(user0.primaryDriverId).toBeUndefined();
+      }
+    });
+
+    it('should handle users with multiple roles', () => {
+      // Arrange
+      const user1 = AdminUser.create({
+        id: 'user-1',
+        email: 'user1@example.com',
+        displayName: 'User One',
+        roles: ['owner', 'admin'],
+        status: 'active',
+        createdAt: new Date('2024-01-01T00:00:00Z'),
+        updatedAt: new Date('2024-01-02T00:00:00Z'),
+      });
+
+      const result: ListUsersResult = {
+        users: [user1],
+        total: 1,
+        page: 1,
+        limit: 10,
+        totalPages: 1,
+      };
+
+      // Act
+      const response = ListUsersPresenter.toResponse(result);
+
+      // Assert
+      const user0 = response.users[0];
+      expect(user0).toBeDefined();
+      if (user0) {
+        expect(user0.roles).toEqual(['owner', 'admin']);
+        expect(user0.isSystemAdmin).toBe(true);
+      }
+    });
+
+    it('should handle suspended users', () => {
+      // Arrange
+      const user1 = AdminUser.create({
+        id: 'user-1',
+        email: 'user1@example.com',
+        displayName: 'User One',
+        roles: ['user'],
+        status: 'suspended',
+        createdAt: new Date('2024-01-01T00:00:00Z'),
+        updatedAt: new Date('2024-01-02T00:00:00Z'),
+      });
+
+      const result: ListUsersResult = {
+        users: [user1],
+        total: 1,
+        page: 1,
+        limit: 10,
+        totalPages: 1,
+      };
+
+      // Act
+      const response = ListUsersPresenter.toResponse(result);
+
+      // Assert
+      const user0 = response.users[0];
+      expect(user0).toBeDefined();
+      if (user0) {
+        expect(user0.status).toBe('suspended');
+      }
+    });
+
+    it('should handle deleted users', () => {
+      // Arrange
+      const user1 = AdminUser.create({
+        id: 'user-1',
+        email: 'user1@example.com',
+        displayName: 'User One',
+        roles: ['user'],
+        status: 'deleted',
+        createdAt: new Date('2024-01-01T00:00:00Z'),
+        updatedAt: new Date('2024-01-02T00:00:00Z'),
+      });
+
+      const result: ListUsersResult = {
+        users: [user1],
+        total: 1,
+        page: 1,
+        limit: 10,
+        totalPages: 1,
+      };
+
+      // Act
+      const response = ListUsersPresenter.toResponse(result);
+
+      // Assert
+      const user0 = response.users[0];
+      expect(user0).toBeDefined();
+      if (user0) {
+        expect(user0.status).toBe('deleted');
+      }
+    });
+
+    it('should handle pagination metadata correctly', () => {
+      // Arrange
+      const user1 = AdminUser.create({
+        id: 'user-1',
+        email: 'user1@example.com',
+        displayName: 'User One',
+        roles: ['user'],
+        status: 'active',
+        createdAt: new Date('2024-01-01T00:00:00Z'),
+        updatedAt: new Date('2024-01-02T00:00:00Z'),
+      });
+
+      const result: ListUsersResult = {
+        users: [user1],
+        total: 15,
+        page: 2,
+        limit: 5,
+        totalPages: 3,
+      };
+
+      // Act
+      const response = ListUsersPresenter.toResponse(result);
+
+      // Assert
+      expect(response.total).toBe(15);
+      expect(response.page).toBe(2);
+      expect(response.limit).toBe(5);
+      expect(response.totalPages).toBe(3);
+    });
+
+    it('should handle special characters in user data', () => {
+      // Arrange
+      const user1 = AdminUser.create({
+        id: 'user-123',
+        email: 'test+tag@example.co.uk',
+        displayName: 'Tëst Ñame',
+        roles: ['admin-steward'],
+        status: 'under-review',
+        createdAt: new Date('2024-01-01T00:00:00Z'),
+        updatedAt: new Date('2024-01-02T00:00:00Z'),
+        primaryDriverId: 'driver-123',
+      });
+
+      const result: ListUsersResult = {
+        users: [user1],
+        total: 1,
+        page: 1,
+        limit: 10,
+        totalPages: 1,
+      };
+
+      // Act
+      const response = ListUsersPresenter.toResponse(result);
+
+      // Assert
+      const user0 = response.users[0];
+      expect(user0).toBeDefined();
+      if (user0) {
+        expect(user0.email).toBe('test+tag@example.co.uk');
+        expect(user0.displayName).toBe('Tëst Ñame');
+        expect(user0.roles).toEqual(['admin-steward']);
+        expect(user0.status).toBe('under-review');
+        expect(user0.primaryDriverId).toBe('driver-123');
+      }
+    });
+
+    it('should handle very long display names', () => {
+      // Arrange
+      const longName = 'A'.repeat(100);
+      const user1 = AdminUser.create({
+        id: 'user-1',
+        email: 'test@example.com',
+        displayName: longName,
+        roles: ['user'],
+        status: 'active',
+        createdAt: new Date('2024-01-01T00:00:00Z'),
+        updatedAt: new Date('2024-01-02T00:00:00Z'),
+      });
+
+      const result: ListUsersResult = {
+        users: [user1],
+        total: 1,
+        page: 1,
+        limit: 10,
+        totalPages: 1,
+      };
+
+      // Act
+      const response = ListUsersPresenter.toResponse(result);
+
+      // Assert
+      const user0 = response.users[0];
+      expect(user0).toBeDefined();
+      if (user0) {
+        expect(user0.displayName).toBe(longName);
+      }
+    });
+
+    it('should handle UUID format for IDs', () => {
+      // Arrange
+      const uuid = '550e8400-e29b-41d4-a716-446655440000';
+      const user1 = AdminUser.create({
+        id: uuid,
+        email: 'test@example.com',
+        displayName: 'Test User',
+        roles: ['user'],
+        status: 'active',
+        createdAt: new Date('2024-01-01T00:00:00Z'),
+        updatedAt: new Date('2024-01-02T00:00:00Z'),
+      });
+
+      const result: ListUsersResult = {
+        users: [user1],
+        total: 1,
+        page: 1,
+        limit: 10,
+        totalPages: 1,
+      };
+
+      // Act
+      const response = ListUsersPresenter.toResponse(result);
+
+      // Assert
+      const user0 = response.users[0];
+      expect(user0).toBeDefined();
+      if (user0) {
+        expect(user0.id).toBe(uuid);
+      }
+    });
+
+    it('should handle very old and very new dates', () => {
+      // Arrange
+      const oldDate = new Date('1970-01-01T00:00:00Z');
+      const newDate = new Date('2099-12-31T23:59:59Z');
+      const user1 = AdminUser.create({
+        id: 'user-1',
+        email: 'test@example.com',
+        displayName: 'Test User',
+        roles: ['user'],
+        status: 'active',
+        createdAt: oldDate,
+        updatedAt: newDate,
+        lastLoginAt: newDate,
+      });
+
+      const result: ListUsersResult = {
+        users: [user1],
+        total: 1,
+        page: 1,
+        limit: 10,
+        totalPages: 1,
+      };
+
+      // Act
+      const response = ListUsersPresenter.toResponse(result);
+
+      // Assert
+      const user0 = response.users[0];
+      expect(user0).toBeDefined();
+      if (user0) {
+        expect(user0.createdAt).toEqual(oldDate);
+        expect(user0.updatedAt).toEqual(newDate);
+        expect(user0.lastLoginAt).toEqual(newDate);
+      }
+    });
+  });
+});
--- a/apps/api/src/domain/admin/presenters/ListUsersPresenter.ts
+++ b/apps/api/src/domain/admin/presenters/ListUsersPresenter.ts
@@ -0,0 +1,85 @@
+import { UseCaseOutputPort } from '@core/shared/application/UseCaseOutputPort';
+import { ListUsersResult } from '@core/admin/application/use-cases/ListUsersUseCase';
+import { UserListResponseDto, UserResponseDto } from '../dtos/UserResponseDto';
+import type { AdminUser } from '@core/admin/domain/entities/AdminUser';
+
+export type ListUsersViewModel = UserListResponseDto;
+
+/**
+ * Presenter to convert application layer result to API response DTO
+ * Implements UseCaseOutputPort to receive results from the use case
+ */
+export class ListUsersPresenter implements UseCaseOutputPort<ListUsersResult> {
+  private viewModel!: ListUsersViewModel;
+
+  present(result: ListUsersResult): void {
+    this.viewModel = {
+      users: result.users.map(user => this.toUserResponse(user)),
+      total: result.total,
+      page: result.page,
+      limit: result.limit,
+      totalPages: result.totalPages,
+    };
+  }
+
+  getViewModel(): ListUsersViewModel {
+    if (!this.viewModel) {
+      throw new Error('Presenter not presented');
+    }
+    return this.viewModel;
+  }
+
+  // Static method for backward compatibility with tests
+  static toResponse(result: ListUsersResult): UserListResponseDto {
+    const presenter = new ListUsersPresenter();
+    presenter.present(result);
+    return presenter.getViewModel();
+  }
+
+  private toUserResponse(user: AdminUser | Record<string, unknown>): UserResponseDto {
+    const response = new UserResponseDto();
+    
+    // Handle both domain objects and plain objects
+    if (user.id && typeof user.id === 'object' && 'value' in (user.id as Record<string, unknown>)) {
+      // Domain object
+      const domainUser = user as AdminUser;
+      response.id = domainUser.id.value;
+      response.email = domainUser.email.value;
+      response.displayName = domainUser.displayName;
+      response.roles = domainUser.roles.map(r => r.value);
+      response.status = domainUser.status.value;
+      response.isSystemAdmin = domainUser.isSystemAdmin();
+      response.createdAt = domainUser.createdAt;
+      response.updatedAt = domainUser.updatedAt;
+      
+      if (domainUser.lastLoginAt) {
+        response.lastLoginAt = domainUser.lastLoginAt;
+      }
+      
+      if (domainUser.primaryDriverId) {
+        response.primaryDriverId = domainUser.primaryDriverId;
+      }
+    } else {
+      // Plain object (for tests)
+      const plainUser = user as Record<string, unknown>;
+      response.id = plainUser.id as string;
+      response.email = plainUser.email as string;
+      response.displayName = plainUser.displayName as string;
+      response.roles = plainUser.roles as string[];
+      response.status = plainUser.status as string;
+      response.isSystemAdmin = plainUser.isSystemAdmin as boolean;
+      response.createdAt = plainUser.createdAt as Date;
+      response.updatedAt = plainUser.updatedAt as Date;
+      
+      if (plainUser.lastLoginAt) {
+        response.lastLoginAt = plainUser.lastLoginAt as Date;
+      }
+      
+      if (plainUser.primaryDriverId) {
+        response.primaryDriverId = plainUser.primaryDriverId as string;
+      }
+    }
+
+    return response;
+  }
+}
--- a/apps/api/src/domain/admin/use-cases/GetDashboardStatsUseCase.ts
+++ b/apps/api/src/domain/admin/use-cases/GetDashboardStatsUseCase.ts
@@ -0,0 +1,180 @@
+import { Result } from '@core/shared/application/Result';
+import type { ApplicationErrorCode } from '@core/shared/errors/ApplicationErrorCode';
+import type { UseCaseOutputPort } from '@core/shared/application/UseCaseOutputPort';
+import type { IAdminUserRepository } from '@core/admin/domain/repositories/IAdminUserRepository';
+import { AuthorizationService } from '@core/admin/domain/services/AuthorizationService';
+import { UserId } from '@core/admin/domain/value-objects/UserId';
+
+export interface DashboardStatsResult {
+  totalUsers: number;
+  activeUsers: number;
+  suspendedUsers: number;
+  deletedUsers: number;
+  systemAdmins: number;
+  recentLogins: number;
+  newUsersToday: number;
+  userGrowth: {
+    label: string;
+    value: number;
+    color: string;
+  }[];
+  roleDistribution: {
+    label: string;
+    value: number;
+    color: string;
+  }[];
+  statusDistribution: {
+    active: number;
+    suspended: number;
+    deleted: number;
+  };
+  activityTimeline: {
+    date: string;
+    newUsers: number;
+    logins: number;
+  }[];
+}
+
+export type GetDashboardStatsInput = {
+  actorId: string;
+};
+
+export type GetDashboardStatsErrorCode = 'AUTHORIZATION_ERROR' | 'REPOSITORY_ERROR';
+
+export type GetDashboardStatsApplicationError = ApplicationErrorCode<GetDashboardStatsErrorCode, { message: string; details?: unknown }>;
+
+export class GetDashboardStatsUseCase {
+  constructor(
+    private readonly adminUserRepo: IAdminUserRepository,
+    private readonly output: UseCaseOutputPort<DashboardStatsResult>,
+  ) {}
+
+  async execute(input: GetDashboardStatsInput): Promise<Result<void, GetDashboardStatsApplicationError>> {
+    try {
+      // Get actor (current user)
+      const actor = await this.adminUserRepo.findById(UserId.fromString(input.actorId));
+      if (!actor) {
+        return Result.err({
+          code: 'AUTHORIZATION_ERROR',
+          details: { message: 'Actor not found' },
+        });
+      }
+
+      // Check authorization
+      if (!AuthorizationService.canListUsers(actor)) {
+        return Result.err({
+          code: 'AUTHORIZATION_ERROR',
+          details: { message: 'User is not authorized to view dashboard' },
+        });
+      }
+
+      // Get all users
+      const allUsersResult = await this.adminUserRepo.list();
+      const allUsers = allUsersResult.users;
+
+      // Calculate basic stats
+      const totalUsers = allUsers.length;
+      const activeUsers = allUsers.filter(u => u.status.value === 'active').length;
+      const suspendedUsers = allUsers.filter(u => u.status.value === 'suspended').length;
+      const deletedUsers = allUsers.filter(u => u.status.value === 'deleted').length;
+      const systemAdmins = allUsers.filter(u => u.isSystemAdmin()).length;
+      
+      // Recent logins (last 24 hours)
+      const oneDayAgo = new Date();
+      oneDayAgo.setDate(oneDayAgo.getDate() - 1);
+      const recentLogins = allUsers.filter(u => u.lastLoginAt && u.lastLoginAt > oneDayAgo).length;
+      
+      // New users today
+      const today = new Date();
+      today.setHours(0, 0, 0, 0);
+      const newUsersToday = allUsers.filter(u => u.createdAt > today).length;
+
+      // Role distribution
+      const roleCounts: Record<string, number> = {};
+      allUsers.forEach(user => {
+        user.roles.forEach(role => {
+          const roleValue = role.value;
+          roleCounts[roleValue] = (roleCounts[roleValue] || 0) + 1;
+        });
+      });
+
+      const roleDistribution = Object.entries(roleCounts).map(([role, count]) => ({
+        label: role.charAt(0).toUpperCase() + role.slice(1),
+        value: count,
+        color: role === 'owner' ? 'text-purple-500' : role === 'admin' ? 'text-blue-500' : 'text-gray-500',
+      }));
+
+      // User growth (last 7 days)
+      const userGrowth: DashboardStatsResult['userGrowth'] = [];
+      for (let i = 6; i >= 0; i--) {
+        const date = new Date();
+        date.setDate(date.getDate() - i);
+        const dateStr = date.toLocaleDateString('en-US', { month: 'short', day: 'numeric' });
+        
+        const count = allUsers.filter(u => {
+          const userDate = new Date(u.createdAt);
+          return userDate.toDateString() === date.toDateString();
+        }).length;
+
+        userGrowth.push({
+          label: dateStr,
+          value: count,
+          color: 'text-primary-blue',
+        });
+      }
+
+      // Activity timeline (last 7 days)
+      const activityTimeline: DashboardStatsResult['activityTimeline'] = [];
+      for (let i = 6; i >= 0; i--) {
+        const date = new Date();
+        date.setDate(date.getDate() - i);
+        const dateStr = date.toLocaleDateString('en-US', { month: 'short', day: 'numeric' });
+        
+        const newUsers = allUsers.filter(u => {
+          const userDate = new Date(u.createdAt);
+          return userDate.toDateString() === date.toDateString();
+        }).length;
+
+        const logins = allUsers.filter(u => {
+          const loginDate = u.lastLoginAt;
+          return loginDate && loginDate.toDateString() === date.toDateString();
+        }).length;
+
+        activityTimeline.push({
+          date: dateStr,
+          newUsers,
+          logins,
+        });
+      }
+
+      const result: DashboardStatsResult = {
+        totalUsers,
+        activeUsers,
+        suspendedUsers,
+        deletedUsers,
+        systemAdmins,
+        recentLogins,
+        newUsersToday,
+        userGrowth,
+        roleDistribution,
+        statusDistribution: {
+          active: activeUsers,
+          suspended: suspendedUsers,
+          deleted: deletedUsers,
+        },
+        activityTimeline,
+      };
+
+      this.output.present(result);
+
+      return Result.ok(undefined);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : 'Failed to get dashboard stats';
+
+      return Result.err({
+        code: 'REPOSITORY_ERROR',
+        details: { message },
+      });
+    }
+  }
+}
--- a/apps/api/src/domain/auth/dtos/AuthDto.ts
+++ b/apps/api/src/domain/auth/dtos/AuthDto.ts
@@ -12,6 +12,8 @@ export class AuthenticatedUserDTO {
  primaryDriverId?: string;
  @ApiProperty({ required: false, nullable: true })
  avatarUrl?: string | null;
+  @ApiProperty({ required: false, enum: ['driver', 'sponsor', 'league-owner', 'league-steward', 'league-admin', 'system-owner', 'super-admin'] })
+  role?: 'driver' | 'sponsor' | 'league-owner' | 'league-steward' | 'league-admin' | 'system-owner' | 'super-admin';
 }

 export class AuthSessionDTO {
--- a/apps/api/src/persistence/admin/AdminPersistenceModule.ts
+++ b/apps/api/src/persistence/admin/AdminPersistenceModule.ts
@@ -0,0 +1,11 @@
+/**
+ * Admin Persistence Module
+ * 
+ * Abstract module interface for admin persistence.
+ * Both InMemory and TypeORM implementations should export this.
+ */
+
+import { Module } from '@nestjs/common';
+
+@Module({})
+export class AdminPersistenceModule {}
--- a/apps/api/src/persistence/admin/AdminPersistenceTokens.ts
+++ b/apps/api/src/persistence/admin/AdminPersistenceTokens.ts
@@ -0,0 +1,7 @@
+/**
+ * Admin Persistence Tokens
+ * 
+ * Dependency injection tokens for admin persistence layer.
+ */
+
+export const ADMIN_USER_REPOSITORY_TOKEN = 'IAdminUserRepository';
--- a/apps/api/src/persistence/inmemory/InMemoryAdminPersistenceModule.ts
+++ b/apps/api/src/persistence/inmemory/InMemoryAdminPersistenceModule.ts
@@ -0,0 +1,15 @@
+import { InMemoryAdminUserRepository } from '@core/admin/infrastructure/persistence/InMemoryAdminUserRepository';
+import { Module } from '@nestjs/common';
+
+import { ADMIN_USER_REPOSITORY_TOKEN } from '../admin/AdminPersistenceTokens';
+
+@Module({
+  providers: [
+    {
+      provide: ADMIN_USER_REPOSITORY_TOKEN,
+      useClass: InMemoryAdminUserRepository,
+    },
+  ],
+  exports: [ADMIN_USER_REPOSITORY_TOKEN],
+})
+export class InMemoryAdminPersistenceModule {}
--- a/apps/api/src/persistence/postgres/PostgresAdminPersistenceModule.ts
+++ b/apps/api/src/persistence/postgres/PostgresAdminPersistenceModule.ts
@@ -0,0 +1,26 @@
+import { Module } from '@nestjs/common';
+import { TypeOrmModule, getDataSourceToken } from '@nestjs/typeorm';
+import type { DataSource } from 'typeorm';
+
+import { AdminUserOrmEntity } from '@core/admin/infrastructure/typeorm/entities/AdminUserOrmEntity';
+import { TypeOrmAdminUserRepository } from '@core/admin/infrastructure/typeorm/repositories/TypeOrmAdminUserRepository';
+import { AdminUserOrmMapper } from '@core/admin/infrastructure/typeorm/mappers/AdminUserOrmMapper';
+
+import { ADMIN_USER_REPOSITORY_TOKEN } from '../admin/AdminPersistenceTokens';
+
+const typeOrmFeatureImports = [TypeOrmModule.forFeature([AdminUserOrmEntity])];
+
+@Module({
+  imports: [...typeOrmFeatureImports],
+  providers: [
+    { provide: AdminUserOrmMapper, useFactory: () => new AdminUserOrmMapper() },
+    {
+      provide: ADMIN_USER_REPOSITORY_TOKEN,
+      useFactory: (dataSource: DataSource, mapper: AdminUserOrmMapper) => 
+        new TypeOrmAdminUserRepository(dataSource, mapper),
+      inject: [getDataSourceToken(), AdminUserOrmMapper],
+    },
+  ],
+  exports: [ADMIN_USER_REPOSITORY_TOKEN],
+})
+export class PostgresAdminPersistenceModule {}
--- a/apps/api/src/persistence/typeorm/TypeOrmAdminPersistenceModule.ts
+++ b/apps/api/src/persistence/typeorm/TypeOrmAdminPersistenceModule.ts
@@ -0,0 +1,26 @@
+import { Module } from '@nestjs/common';
+import { TypeOrmModule, getDataSourceToken } from '@nestjs/typeorm';
+import type { DataSource } from 'typeorm';
+
+import { AdminUserOrmEntity } from '@core/admin/infrastructure/typeorm/entities/AdminUserOrmEntity';
+import { TypeOrmAdminUserRepository } from '@core/admin/infrastructure/typeorm/repositories/TypeOrmAdminUserRepository';
+import { AdminUserOrmMapper } from '@core/admin/infrastructure/typeorm/mappers/AdminUserOrmMapper';
+
+import { ADMIN_USER_REPOSITORY_TOKEN } from '../admin/AdminPersistenceTokens';
+
+const typeOrmFeatureImports = [TypeOrmModule.forFeature([AdminUserOrmEntity])];
+
+@Module({
+  imports: [...typeOrmFeatureImports],
+  providers: [
+    { provide: AdminUserOrmMapper, useFactory: () => new AdminUserOrmMapper() },
+    {
+      provide: ADMIN_USER_REPOSITORY_TOKEN,
+      useFactory: (dataSource: DataSource, mapper: AdminUserOrmMapper) => 
+        new TypeOrmAdminUserRepository(dataSource, mapper),
+      inject: [getDataSourceToken(), AdminUserOrmMapper],
+    },
+  ],
+  exports: [ADMIN_USER_REPOSITORY_TOKEN],
+})
+export class TypeOrmAdminPersistenceModule {}
--- a/apps/website/app/admin/page.tsx
+++ b/apps/website/app/admin/page.tsx
@@ -0,0 +1,13 @@
+import { AdminLayout } from '@/components/admin/AdminLayout';
+import { AdminDashboardPage } from '@/components/admin/AdminDashboardPage';
+import { RouteGuard } from '@/lib/gateways/RouteGuard';
+
+export default function AdminPage() {
+  return (
+    <RouteGuard config={{ requiredRoles: ['owner', 'admin'] }}>
+      <AdminLayout>
+        <AdminDashboardPage />
+      </AdminLayout>
+    </RouteGuard>
+  );
+}
--- a/apps/website/app/admin/users/page.tsx
+++ b/apps/website/app/admin/users/page.tsx
@@ -0,0 +1,13 @@
+import { AdminLayout } from '@/components/admin/AdminLayout';
+import { AdminUsersPage } from '@/components/admin/AdminUsersPage';
+import { RouteGuard } from '@/lib/gateways/RouteGuard';
+
+export default function AdminUsers() {
+  return (
+    <RouteGuard config={{ requiredRoles: ['owner', 'admin'] }}>
+      <AdminLayout>
+        <AdminUsersPage />
+      </AdminLayout>
+    </RouteGuard>
+  );
+}
--- a/apps/website/components/admin/AdminDashboardPage.tsx
+++ b/apps/website/components/admin/AdminDashboardPage.tsx
@@ -0,0 +1,217 @@
+'use client';
+
+import { useState, useEffect } from 'react';
+import { apiClient } from '@/lib/apiClient';
+import Card from '@/components/ui/Card';
+import { AdminViewModelService } from '@/lib/services/AdminViewModelService';
+import { DashboardStatsViewModel } from '@/lib/view-models/AdminUserViewModel';
+import { 
+  Users, 
+  Shield, 
+  Activity, 
+  Clock, 
+  AlertTriangle,
+  RefreshCw
+} from 'lucide-react';
+
+export function AdminDashboardPage() {
+  const [stats, setStats] = useState<DashboardStatsViewModel | null>(null);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+
+  useEffect(() => {
+    loadStats();
+  }, []);
+
+  const loadStats = async () => {
+    try {
+      setLoading(true);
+      setError(null);
+      
+      const response = await apiClient.admin.getDashboardStats();
+      
+      // Map DTO to View Model
+      const viewModel = AdminViewModelService.mapDashboardStats(response);
+      setStats(viewModel);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : 'Failed to load stats';
+      if (message.includes('403') || message.includes('401')) {
+        setError('Access denied - You must be logged in as an Owner or Admin');
+      } else {
+        setError(message);
+      }
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  if (loading) {
+    return (
+      <div className="flex flex-col items-center justify-center py-20 space-y-3">
+        <div className="animate-spin rounded-full h-12 w-12 border-b-2 border-primary-blue"></div>
+        <div className="text-gray-400">Loading dashboard...</div>
+      </div>
+    );
+  }
+
+  if (error) {
+    return (
+      <div className="container mx-auto p-6">
+        <div className="bg-racing-red/10 border border-racing-red text-racing-red px-4 py-3 rounded-lg flex items-start gap-3">
+          <AlertTriangle className="w-5 h-5 mt-0.5 flex-shrink-0" />
+          <div className="flex-1">
+            <div className="font-medium">Error</div>
+            <div className="text-sm opacity-90">{error}</div>
+          </div>
+          <button 
+            onClick={loadStats}
+            className="px-3 py-1 text-xs bg-racing-red/20 hover:bg-racing-red/30 rounded"
+          >
+            Retry
+          </button>
+        </div>
+      </div>
+    );
+  }
+
+  if (!stats) {
+    return null;
+  }
+
+  return (
+    <div className="container mx-auto p-6 space-y-6">
+      {/* Header */}
+      <div className="flex items-center justify-between">
+        <div>
+          <h1 className="text-2xl font-bold text-white">Admin Dashboard</h1>
+          <p className="text-gray-400 mt-1">System overview and statistics</p>
+        </div>
+        <button 
+          onClick={loadStats} 
+          disabled={loading}
+          className="px-4 py-2 bg-iron-gray border border-charcoal-outline rounded-lg text-white hover:bg-iron-gray/80 transition-colors flex items-center gap-2 disabled:opacity-50"
+        >
+          <RefreshCw className={`w-4 h-4 ${loading ? 'animate-spin' : ''}`} />
+          Refresh
+        </button>
+      </div>
+
+      {/* Stats Cards */}
+      <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-4 gap-4">
+        <Card className="bg-gradient-to-br from-blue-900/20 to-blue-700/10">
+          <div className="flex items-center justify-between">
+            <div>
+              <div className="text-sm text-gray-400 mb-1">Total Users</div>
+              <div className="text-3xl font-bold text-white">{stats.totalUsers}</div>
+            </div>
+            <Users className="w-8 h-8 text-blue-400" />
+          </div>
+        </Card>
+
+        <Card className="bg-gradient-to-br from-purple-900/20 to-purple-700/10">
+          <div className="flex items-center justify-between">
+            <div>
+              <div className="text-sm text-gray-400 mb-1">Admins</div>
+              <div className="text-3xl font-bold text-white">{stats.adminCount}</div>
+            </div>
+            <Shield className="w-8 h-8 text-purple-400" />
+          </div>
+        </Card>
+
+        <Card className="bg-gradient-to-br from-green-900/20 to-green-700/10">
+          <div className="flex items-center justify-between">
+            <div>
+              <div className="text-sm text-gray-400 mb-1">Active Users</div>
+              <div className="text-3xl font-bold text-white">{stats.activeUsers}</div>
+            </div>
+            <Activity className="w-8 h-8 text-green-400" />
+          </div>
+        </Card>
+
+        <Card className="bg-gradient-to-br from-orange-900/20 to-orange-700/10">
+          <div className="flex items-center justify-between">
+            <div>
+              <div className="text-sm text-gray-400 mb-1">Recent Logins</div>
+              <div className="text-3xl font-bold text-white">{stats.recentLogins}</div>
+            </div>
+            <Clock className="w-8 h-8 text-orange-400" />
+          </div>
+        </Card>
+      </div>
+
+      {/* Activity Overview */}
+      <div className="grid grid-cols-1 lg:grid-cols-2 gap-6">
+        {/* Recent Activity */}
+        <Card>
+          <h3 className="text-lg font-semibold text-white mb-4">Recent Activity</h3>
+          <div className="space-y-3">
+            {stats.recentActivity.length > 0 ? (
+              stats.recentActivity.map((activity, index) => (
+                <div 
+                  key={index} 
+                  className="flex items-center justify-between p-3 bg-iron-gray/30 rounded-lg border border-charcoal-outline/50"
+                >
+                  <div className="flex-1">
+                    <div className="text-sm text-white">{activity.description}</div>
+                    <div className="text-xs text-gray-500">{activity.timestamp}</div>
+                  </div>
+                  <span className={`px-2 py-1 text-xs rounded-full ${
+                    activity.type === 'user_created' ? 'bg-blue-500/20 text-blue-300' :
+                    activity.type === 'user_suspended' ? 'bg-yellow-500/20 text-yellow-300' :
+                    activity.type === 'user_deleted' ? 'bg-red-500/20 text-red-300' :
+                    'bg-gray-500/20 text-gray-300'
+                  }`}>
+                    {activity.type.replace('_', ' ')}
+                  </span>
+                </div>
+              ))
+            ) : (
+              <div className="text-center py-8 text-gray-500">No recent activity</div>
+            )}
+          </div>
+        </Card>
+
+        {/* System Status */}
+        <Card>
+          <h3 className="text-lg font-semibold text-white mb-4">System Status</h3>
+          <div className="space-y-4">
+            <div className="flex items-center justify-between">
+              <span className="text-sm text-gray-400">System Health</span>
+              <span className="px-2 py-1 text-xs rounded-full bg-performance-green/20 text-performance-green">
+                {stats.systemHealth}
+              </span>
+            </div>
+            <div className="flex items-center justify-between">
+              <span className="text-sm text-gray-400">Total Sessions</span>
+              <span className="text-white font-medium">{stats.totalSessions}</span>
+            </div>
+            <div className="flex items-center justify-between">
+              <span className="text-sm text-gray-400">Active Sessions</span>
+              <span className="text-white font-medium">{stats.activeSessions}</span>
+            </div>
+            <div className="flex items-center justify-between">
+              <span className="text-sm text-gray-400">Avg Session Duration</span>
+              <span className="text-white font-medium">{stats.avgSessionDuration}</span>
+            </div>
+          </div>
+        </Card>
+      </div>
+
+      {/* Quick Actions */}
+      <Card>
+        <h3 className="text-lg font-semibold text-white mb-4">Quick Actions</h3>
+        <div className="grid grid-cols-1 md:grid-cols-3 gap-3">
+          <button className="px-4 py-3 bg-primary-blue/20 border border-primary-blue/30 text-primary-blue rounded-lg hover:bg-primary-blue/30 transition-colors text-sm font-medium">
+            View All Users
+          </button>
+          <button className="px-4 py-3 bg-purple-500/20 border border-purple-500/30 text-purple-300 rounded-lg hover:bg-purple-500/30 transition-colors text-sm font-medium">
+            Manage Admins
+          </button>
+          <button className="px-4 py-3 bg-orange-500/20 border border-orange-500/30 text-orange-300 rounded-lg hover:bg-orange-500/30 transition-colors text-sm font-medium">
+            View Audit Log
+          </button>
+        </div>
+      </Card>
+    </div>
+  );
+}
--- a/apps/website/components/admin/AdminLayout.tsx
+++ b/apps/website/components/admin/AdminLayout.tsx
@@ -0,0 +1,185 @@
+'use client';
+
+import { ReactNode, useState } from 'react';
+import { 
+  LayoutDashboard, 
+  Users, 
+  Settings, 
+  LogOut,
+  Shield,
+  Activity
+} from 'lucide-react';
+import { useRouter, usePathname } from 'next/navigation';
+
+interface AdminLayoutProps {
+  children: ReactNode;
+}
+
+type AdminTab = 'dashboard' | 'users';
+
+export function AdminLayout({ children }: AdminLayoutProps) {
+  const router = useRouter();
+  const pathname = usePathname();
+  const [isSidebarOpen, setIsSidebarOpen] = useState(true);
+
+  // Determine current tab from pathname
+  const getCurrentTab = (): AdminTab => {
+    if (pathname === '/admin') return 'dashboard';
+    if (pathname === '/admin/users') return 'users';
+    return 'dashboard';
+  };
+
+  const currentTab = getCurrentTab();
+
+  const navigation = [
+    {
+      id: 'dashboard',
+      label: 'Dashboard',
+      icon: LayoutDashboard,
+      href: '/admin',
+      description: 'Overview and statistics'
+    },
+    {
+      id: 'users',
+      label: 'User Management',
+      icon: Users,
+      href: '/admin/users',
+      description: 'Manage all users'
+    },
+    {
+      id: 'settings',
+      label: 'Settings',
+      icon: Settings,
+      href: '/admin/settings',
+      description: 'System configuration',
+      disabled: true
+    }
+  ];
+
+  const handleNavigation = (href: string, disabled?: boolean) => {
+    if (!disabled) {
+      router.push(href);
+    }
+  };
+
+  const handleLogout = async () => {
+    try {
+      await fetch('/api/auth/logout', { method: 'POST' });
+      router.push('/');
+    } catch (error) {
+      console.error('Logout failed:', error);
+    }
+  };
+
+  return (
+    <div className="flex h-screen bg-deep-graphite overflow-hidden">
+      {/* Sidebar */}
+      <aside className={`${isSidebarOpen ? 'w-64' : 'w-20'} bg-iron-gray border-r border-charcoal-outline transition-all duration-300 flex flex-col`}>
+        {/* Logo/Header */}
+        <div className="p-4 border-b border-charcoal-outline">
+          <div className="flex items-center gap-2">
+            <Shield className="w-6 h-6 text-primary-blue" />
+            {isSidebarOpen && (
+              <span className="font-bold text-white text-lg">Admin Panel</span>
+            )}
+          </div>
+          {isSidebarOpen && (
+            <p className="text-xs text-gray-400 mt-1">System Administration</p>
+          )}
+        </div>
+
+        {/* Navigation */}
+        <nav className="flex-1 p-2 space-y-1 overflow-y-auto">
+          {navigation.map((item) => {
+            const Icon = item.icon;
+            const isActive = currentTab === item.id;
+            const isDisabled = item.disabled;
+
+            return (
+              <button
+                key={item.id}
+                onClick={() => handleNavigation(item.href, isDisabled)}
+                disabled={isDisabled}
+                className={`
+                  w-full flex items-center gap-3 px-3 py-3 rounded-lg
+                  transition-all duration-200 text-left
+                  ${isActive 
+                    ? 'bg-primary-blue/20 text-primary-blue border border-primary-blue/30' 
+                    : 'text-gray-300 hover:bg-iron-gray/50 hover:text-white'
+                  }
+                  ${isDisabled ? 'opacity-50 cursor-not-allowed' : ''}
+                `}
+              >
+                <Icon className={`w-5 h-5 flex-shrink-0 ${isActive ? 'text-primary-blue' : 'text-gray-400'}`} />
+                {isSidebarOpen && (
+                  <div className="flex-1 min-w-0">
+                    <div className="font-medium text-sm">{item.label}</div>
+                    <div className="text-xs text-gray-500">{item.description}</div>
+                  </div>
+                )}
+              </button>
+            );
+          })}
+        </nav>
+
+        {/* Footer */}
+        <div className="p-2 border-t border-charcoal-outline space-y-1">
+          <button
+            onClick={() => setIsSidebarOpen(!isSidebarOpen)}
+            className="w-full flex items-center gap-3 px-3 py-2 rounded-lg text-gray-300 hover:bg-iron-gray/50 hover:text-white transition-colors"
+          >
+            <Activity className="w-5 h-5" />
+            {isSidebarOpen && <span className="text-sm">Toggle Sidebar</span>}
+          </button>
+          
+          <button
+            onClick={handleLogout}
+            className="w-full flex items-center gap-3 px-3 py-2 rounded-lg text-racing-red hover:bg-racing-red/10 transition-colors"
+          >
+            <LogOut className="w-5 h-5" />
+            {isSidebarOpen && <span className="text-sm">Logout</span>}
+          </button>
+        </div>
+      </aside>
+
+      {/* Main Content */}
+      <main className="flex-1 flex flex-col overflow-hidden">
+        {/* Top Bar */}
+        <header className="bg-iron-gray border-b border-charcoal-outline px-6 py-4">
+          <div className="flex items-center justify-between">
+            <div className="flex items-center gap-4">
+              <div className="p-2 bg-primary-blue/20 rounded-lg">
+                <Shield className="w-5 h-5 text-primary-blue" />
+              </div>
+              <div>
+                <h2 className="text-lg font-semibold text-white">
+                  {navigation.find(n => n.id === currentTab)?.label || 'Admin'}
+                </h2>
+                <p className="text-xs text-gray-400">
+                  {navigation.find(n => n.id === currentTab)?.description}
+                </p>
+              </div>
+            </div>
+            
+            <div className="flex items-center gap-4">
+              <div className="flex items-center gap-2 px-3 py-1.5 bg-deep-graphite rounded-lg border border-charcoal-outline">
+                <Shield className="w-4 h-4 text-purple-500" />
+                <span className="text-xs font-medium text-purple-400">Super Admin</span>
+              </div>
+              
+              <div className="text-right hidden sm:block">
+                <div className="text-sm font-medium text-white">System Administrator</div>
+                <div className="text-xs text-gray-400">Full Access</div>
+              </div>
+            </div>
+          </div>
+        </header>
+
+        {/* Content Area */}
+        <div className="flex-1 overflow-y-auto bg-deep-graphite">
+          {children}
+        </div>
+      </main>
+    </div>
+  );
+}
--- a/apps/website/components/admin/AdminUsersPage.tsx
+++ b/apps/website/components/admin/AdminUsersPage.tsx
@@ -0,0 +1,341 @@
+'use client';
+
+import { useState, useEffect } from 'react';
+import { apiClient } from '@/lib/apiClient';
+import Card from '@/components/ui/Card';
+import StatusBadge from '@/components/ui/StatusBadge';
+import { AdminViewModelService } from '@/lib/services/AdminViewModelService';
+import { AdminUserViewModel, UserListViewModel } from '@/lib/view-models/AdminUserViewModel';
+import { 
+  Search, 
+  Filter, 
+  RefreshCw, 
+  Users,
+  Shield,
+  Trash2,
+  AlertTriangle
+} from 'lucide-react';
+
+export function AdminUsersPage() {
+  const [userList, setUserList] = useState<UserListViewModel | null>(null);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+  const [search, setSearch] = useState('');
+  const [roleFilter, setRoleFilter] = useState('');
+  const [statusFilter, setStatusFilter] = useState('');
+  const [deletingUser, setDeletingUser] = useState<string | null>(null);
+
+  useEffect(() => {
+    const timeout = setTimeout(() => {
+      loadUsers();
+    }, 300);
+    
+    return () => clearTimeout(timeout);
+  }, [search, roleFilter, statusFilter]);
+
+  const loadUsers = async () => {
+    try {
+      setLoading(true);
+      setError(null);
+      
+      const response = await apiClient.admin.listUsers({
+        search: search || undefined,
+        role: roleFilter || undefined,
+        status: statusFilter || undefined,
+        page: 1,
+        limit: 50,
+      });
+
+      // Map DTO to View Model
+      const viewModel = AdminViewModelService.mapUserList(response);
+      setUserList(viewModel);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : 'Failed to load users';
+      if (message.includes('403') || message.includes('401')) {
+        setError('Access denied - You must be logged in as an Owner or Admin');
+      } else {
+        setError(message);
+      }
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  const handleUpdateStatus = async (userId: string, newStatus: string) => {
+    try {
+      await apiClient.admin.updateUserStatus(userId, newStatus);
+      await loadUsers();
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Failed to update status');
+    }
+  };
+
+  const handleDeleteUser = async (userId: string) => {
+    if (!confirm('Are you sure you want to delete this user? This action cannot be undone.')) {
+      return;
+    }
+
+    try {
+      setDeletingUser(userId);
+      await apiClient.admin.deleteUser(userId);
+      await loadUsers();
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Failed to delete user');
+    } finally {
+      setDeletingUser(null);
+    }
+  };
+
+  const clearFilters = () => {
+    setSearch('');
+    setRoleFilter('');
+    setStatusFilter('');
+  };
+
+  return (
+    <div className="container mx-auto p-6 space-y-6">
+      {/* Header */}
+      <div className="flex items-center justify-between">
+        <div>
+          <h1 className="text-2xl font-bold text-white">User Management</h1>
+          <p className="text-gray-400 mt-1">Manage and monitor all system users</p>
+        </div>
+        <button 
+          onClick={loadUsers} 
+          disabled={loading}
+          className="px-4 py-2 bg-iron-gray border border-charcoal-outline rounded-lg text-white hover:bg-iron-gray/80 transition-colors flex items-center gap-2 disabled:opacity-50"
+        >
+          <RefreshCw className={`w-4 h-4 ${loading ? 'animate-spin' : ''}`} />
+          Refresh
+        </button>
+      </div>
+
+      {/* Error Banner */}
+      {error && (
+        <div className="bg-racing-red/10 border border-racing-red text-racing-red px-4 py-3 rounded-lg flex items-start gap-3">
+          <AlertTriangle className="w-5 h-5 mt-0.5 flex-shrink-0" />
+          <div className="flex-1">
+            <div className="font-medium">Error</div>
+            <div className="text-sm opacity-90">{error}</div>
+          </div>
+          <button 
+            onClick={() => setError(null)}
+            className="text-racing-red hover:opacity-70"
+          >
+            ×
+          </button>
+        </div>
+      )}
+
+      {/* Filters Card */}
+      <Card>
+        <div className="space-y-4">
+          <div className="flex items-center justify-between">
+            <div className="flex items-center gap-2">
+              <Filter className="w-4 h-4 text-gray-400" />
+              <span className="font-medium text-white">Filters</span>
+            </div>
+            {(search || roleFilter || statusFilter) && (
+              <button
+                onClick={clearFilters}
+                className="text-xs text-primary-blue hover:text-blue-400"
+              >
+                Clear all
+              </button>
+            )}
+          </div>
+          
+          <div className="grid grid-cols-1 md:grid-cols-3 gap-4">
+            <div className="relative">
+              <Search className="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-gray-400" />
+              <input
+                type="text"
+                placeholder="Search by email or name..."
+                value={search}
+                onChange={(e) => setSearch(e.target.value)}
+                className="w-full pl-9 pr-3 py-2 bg-deep-graphite border border-charcoal-outline rounded-lg text-white placeholder-gray-500 focus:outline-none focus:border-primary-blue transition-colors"
+              />
+            </div>
+            
+            <select
+              value={roleFilter}
+              onChange={(e) => setRoleFilter(e.target.value)}
+              className="w-full px-3 py-2 bg-deep-graphite border border-charcoal-outline rounded-lg text-white focus:outline-none focus:border-primary-blue transition-colors"
+            >
+              <option value="">All Roles</option>
+              <option value="owner">Owner</option>
+              <option value="admin">Admin</option>
+              <option value="user">User</option>
+            </select>
+            
+            <select
+              value={statusFilter}
+              onChange={(e) => setStatusFilter(e.target.value)}
+              className="w-full px-3 py-2 bg-deep-graphite border border-charcoal-outline rounded-lg text-white focus:outline-none focus:border-primary-blue transition-colors"
+            >
+              <option value="">All Status</option>
+              <option value="active">Active</option>
+              <option value="suspended">Suspended</option>
+              <option value="deleted">Deleted</option>
+            </select>
+          </div>
+        </div>
+      </Card>
+
+      {/* Users Table */}
+      <Card>
+        {loading ? (
+          <div className="flex flex-col items-center justify-center py-12 space-y-3">
+            <div className="animate-spin rounded-full h-8 w-8 border-b-2 border-primary-blue"></div>
+            <div className="text-gray-400">Loading users...</div>
+          </div>
+        ) : !userList || !userList.hasUsers ? (
+          <div className="flex flex-col items-center justify-center py-12 space-y-3">
+            <Users className="w-12 h-12 text-gray-600" />
+            <div className="text-gray-400">No users found</div>
+            <button
+              onClick={clearFilters}
+              className="text-primary-blue hover:text-blue-400 text-sm"
+            >
+              Clear filters
+            </button>
+          </div>
+        ) : (
+          <div className="overflow-x-auto">
+            <table className="w-full">
+              <thead>
+                <tr className="border-b border-charcoal-outline">
+                  <th className="text-left py-3 px-4 text-xs font-medium text-gray-400 uppercase">User</th>
+                  <th className="text-left py-3 px-4 text-xs font-medium text-gray-400 uppercase">Email</th>
+                  <th className="text-left py-3 px-4 text-xs font-medium text-gray-400 uppercase">Roles</th>
+                  <th className="text-left py-3 px-4 text-xs font-medium text-gray-400 uppercase">Status</th>
+                  <th className="text-left py-3 px-4 text-xs font-medium text-gray-400 uppercase">Last Login</th>
+                  <th className="text-left py-3 px-4 text-xs font-medium text-gray-400 uppercase">Actions</th>
+                </tr>
+              </thead>
+              <tbody>
+                {userList.users.map((user: AdminUserViewModel, index: number) => (
+                  <tr 
+                    key={user.id} 
+                    className={`border-b border-charcoal-outline/50 hover:bg-iron-gray/30 transition-colors ${index % 2 === 0 ? 'bg-transparent' : 'bg-iron-gray/10'}`}
+                  >
+                    <td className="py-3 px-4">
+                      <div className="flex items-center gap-3">
+                        <div className="w-8 h-8 rounded-full bg-primary-blue/20 flex items-center justify-center">
+                          <Shield className="w-4 h-4 text-primary-blue" />
+                        </div>
+                        <div>
+                          <div className="font-medium text-white">{user.displayName}</div>
+                          <div className="text-xs text-gray-500">ID: {user.id}</div>
+                          {user.primaryDriverId && (
+                            <div className="text-xs text-gray-500">Driver: {user.primaryDriverId}</div>
+                          )}
+                        </div>
+                      </div>
+                    </td>
+                    <td className="py-3 px-4">
+                      <div className="text-sm text-gray-300">{user.email}</div>
+                    </td>
+                    <td className="py-3 px-4">
+                      <div className="flex flex-wrap gap-1">
+                        {user.roleBadges.map((badge: string, idx: number) => (
+                          <span
+                            key={idx}
+                            className={`px-2 py-1 text-xs rounded-full font-medium ${
+                              user.roles[idx] === 'owner'
+                                ? 'bg-purple-500/20 text-purple-300 border border-purple-500/30'
+                                : user.roles[idx] === 'admin'
+                                ? 'bg-blue-500/20 text-blue-300 border border-blue-500/30'
+                                : 'bg-gray-500/20 text-gray-300 border border-gray-500/30'
+                            }`}
+                          >
+                            {badge}
+                          </span>
+                        ))}
+                      </div>
+                    </td>
+                    <td className="py-3 px-4">
+                      <StatusBadge status={user.statusBadge.label.toLowerCase()} />
+                    </td>
+                    <td className="py-3 px-4">
+                      <div className="text-sm text-gray-400">
+                        {user.lastLoginFormatted}
+                      </div>
+                    </td>
+                    <td className="py-3 px-4">
+                      <div className="flex items-center gap-2">
+                        {user.canSuspend && (
+                          <button
+                            onClick={() => handleUpdateStatus(user.id, 'suspended')}
+                            className="px-3 py-1 text-xs rounded bg-yellow-500/20 text-yellow-300 hover:bg-yellow-500/30 transition-colors"
+                          >
+                            Suspend
+                          </button>
+                        )}
+                        {user.canActivate && (
+                          <button
+                            onClick={() => handleUpdateStatus(user.id, 'active')}
+                            className="px-3 py-1 text-xs rounded bg-performance-green/20 text-performance-green hover:bg-performance-green/30 transition-colors"
+                          >
+                            Activate
+                          </button>
+                        )}
+                        {user.canDelete && (
+                          <button
+                            onClick={() => handleDeleteUser(user.id)}
+                            disabled={deletingUser === user.id}
+                            className="px-3 py-1 text-xs rounded bg-racing-red/20 text-racing-red hover:bg-racing-red/30 transition-colors flex items-center gap-1"
+                          >
+                            <Trash2 className="w-3 h-3" />
+                            {deletingUser === user.id ? 'Deleting...' : 'Delete'}
+                          </button>
+                        )}
+                      </div>
+                    </td>
+                  </tr>
+                ))}
+              </tbody>
+            </table>
+          </div>
+        )}
+      </Card>
+
+      {/* Stats Summary */}
+      {userList && (
+        <div className="grid grid-cols-1 md:grid-cols-3 gap-4">
+          <Card className="bg-gradient-to-br from-blue-900/20 to-blue-700/10">
+            <div className="flex items-center justify-between">
+              <div>
+                <div className="text-sm text-gray-400 mb-1">Total Users</div>
+                <div className="text-2xl font-bold text-white">{userList.total}</div>
+              </div>
+              <Users className="w-6 h-6 text-blue-400" />
+            </div>
+          </Card>
+          <Card className="bg-gradient-to-br from-green-900/20 to-green-700/10">
+            <div className="flex items-center justify-between">
+              <div>
+                <div className="text-sm text-gray-400 mb-1">Active</div>
+                <div className="text-2xl font-bold text-white">
+                  {userList.users.filter(u => u.status === 'active').length}
+                </div>
+              </div>
+              <div className="w-6 h-6 text-green-400">✓</div>
+            </div>
+          </Card>
+          <Card className="bg-gradient-to-br from-purple-900/20 to-purple-700/10">
+            <div className="flex items-center justify-between">
+              <div>
+                <div className="text-sm text-gray-400 mb-1">Admins</div>
+                <div className="text-2xl font-bold text-white">
+                  {userList.users.filter(u => u.isSystemAdmin).length}
+                </div>
+              </div>
+              <Shield className="w-6 h-6 text-purple-400" />
+            </div>
+          </Card>
+        </div>
+      )}
+    </div>
+  );
+}
--- a/apps/website/components/profile/UserPill.tsx
+++ b/apps/website/components/profile/UserPill.tsx
@@ -2,7 +2,7 @@

 import { useAuth } from '@/lib/auth/AuthContext';
 import { AnimatePresence, motion, useReducedMotion } from 'framer-motion';
-import { BarChart3, Building2, ChevronDown, CreditCard, Handshake, LogOut, Megaphone, Paintbrush, Settings, TrendingUp, Trophy } from 'lucide-react';
+import { BarChart3, Building2, ChevronDown, CreditCard, Handshake, LogOut, Megaphone, Paintbrush, Settings, TrendingUp, Trophy, Shield } from 'lucide-react';
 import Link from 'next/link';
 import React, { useEffect, useMemo, useState } from 'react';

@@ -65,6 +65,31 @@ function useDemoUserMode(): { isDemo: boolean; demoRole: string | null } {
  return demoMode;
 }

+// Helper to check if user has admin access (Owner or Super Admin)
+function useHasAdminAccess(): boolean {
+  const { session } = useAuth();
+  const { isDemo, demoRole } = useDemoUserMode();
+  
+  // Demo users with system-owner or super-admin roles
+  if (isDemo && (demoRole === 'system-owner' || demoRole === 'super-admin')) {
+    return true;
+  }
+  
+  // Real users - would need role information from session
+  // For now, we'll check if the user has any admin-related capabilities
+  // This can be enhanced when the API includes role information
+  if (!session?.user) return false;
+  
+  // Check for admin-related email patterns as a temporary measure
+  const email = session.user.email?.toLowerCase() || '';
+  const displayName = session.user.displayName?.toLowerCase() || '';
+  
+  return email.includes('system-owner') ||
+         email.includes('super-admin') ||
+         displayName.includes('system owner') ||
+         displayName.includes('super admin');
+}
+
 // Sponsor Pill Component - matches the style of DriverSummaryPill
 function SponsorSummaryPill({ 
  onClick, 
@@ -320,6 +345,17 @@ export default function UserPill() {

              {/* Menu Items */}
              <div className="py-1 text-sm text-gray-200">
+                {/* Admin link for system-owner and super-admin demo users */}
+                {(demoRole === 'system-owner' || demoRole === 'super-admin') && (
+                  <Link
+                    href="/admin"
+                    className="flex items-center gap-3 px-4 py-2.5 hover:bg-iron-gray/50 transition-colors"
+                    onClick={() => setIsMenuOpen(false)}
+                  >
+                    <Shield className="h-4 w-4 text-indigo-400" />
+                    <span>Admin Area</span>
+                  </Link>
+                )}
                <div className="px-4 py-2 text-xs text-gray-500 italic">
                  Demo users have limited profile access
                </div>
@@ -481,6 +517,8 @@ export default function UserPill() {
    return null;
  }

+  const hasAdminAccess = useHasAdminAccess();
+
  return (
    <div className="relative inline-flex items-center" data-user-pill>
      <DriverSummaryPill
@@ -501,6 +539,17 @@ export default function UserPill() {
            transition={{ duration: 0.15 }}
          >
            <div className="py-1 text-sm text-gray-200">
+              {/* Admin link for Owner/Super Admin users */}
+              {hasAdminAccess && (
+                <Link
+                  href="/admin"
+                  className="flex items-center gap-2 px-3 py-2 hover:bg-charcoal-outline/80 transition-colors"
+                  onClick={() => setIsMenuOpen(false)}
+                >
+                  <Shield className="h-4 w-4 text-indigo-400" />
+                  <span>Admin Area</span>
+                </Link>
+              )}
              <Link
                href="/profile"
                className="block px-3 py-2 hover:bg-charcoal-outline/80 transition-colors"
--- a/apps/website/lib/api/admin/AdminApiClient.ts
+++ b/apps/website/lib/api/admin/AdminApiClient.ts
@@ -0,0 +1,145 @@
+import { BaseApiClient } from '../base/BaseApiClient';
+import type { ErrorReporter } from '@/lib/interfaces/ErrorReporter';
+import type { Logger } from '@/lib/interfaces/Logger';
+
+export interface UserDto {
+  id: string;
+  email: string;
+  displayName: string;
+  roles: string[];
+  status: string;
+  isSystemAdmin: boolean;
+  createdAt: Date;
+  updatedAt: Date;
+  lastLoginAt?: Date;
+  primaryDriverId?: string;
+}
+
+export interface UserListResponse {
+  users: UserDto[];
+  total: number;
+  page: number;
+  limit: number;
+  totalPages: number;
+}
+
+export interface ListUsersQuery {
+  role?: string;
+  status?: string;
+  email?: string;
+  search?: string;
+  page?: number;
+  limit?: number;
+  sortBy?: 'email' | 'displayName' | 'createdAt' | 'lastLoginAt' | 'status';
+  sortDirection?: 'asc' | 'desc';
+}
+
+export interface DashboardStats {
+  totalUsers: number;
+  activeUsers: number;
+  suspendedUsers: number;
+  deletedUsers: number;
+  systemAdmins: number;
+  recentLogins: number;
+  newUsersToday: number;
+  userGrowth: {
+    label: string;
+    value: number;
+    color: string;
+  }[];
+  roleDistribution: {
+    label: string;
+    value: number;
+    color: string;
+  }[];
+  statusDistribution: {
+    active: number;
+    suspended: number;
+    deleted: number;
+  };
+  activityTimeline: {
+    date: string;
+    newUsers: number;
+    logins: number;
+  }[];
+}
+
+/**
+ * Admin API Client
+ *
+ * Provides methods for admin operations like user management.
+ * Only accessible to users with Owner or Super Admin roles.
+ */
+export class AdminApiClient extends BaseApiClient {
+  /**
+   * List all users with filtering, sorting, and pagination
+   * Requires Owner or Super Admin role
+   */
+  async listUsers(query: ListUsersQuery = {}): Promise<UserListResponse> {
+    const params = new URLSearchParams();
+    
+    if (query.role) params.append('role', query.role);
+    if (query.status) params.append('status', query.status);
+    if (query.email) params.append('email', query.email);
+    if (query.search) params.append('search', query.search);
+    if (query.page) params.append('page', query.page.toString());
+    if (query.limit) params.append('limit', query.limit.toString());
+    if (query.sortBy) params.append('sortBy', query.sortBy);
+    if (query.sortDirection) params.append('sortDirection', query.sortDirection);
+
+    return this.get<UserListResponse>(`/admin/users?${params.toString()}`);
+  }
+
+  /**
+   * Get a single user by ID
+   * Requires Owner or Super Admin role
+   */
+  async getUser(userId: string): Promise<UserDto> {
+    return this.get<UserDto>(`/admin/users/${userId}`);
+  }
+
+  /**
+   * Update user roles
+   * Requires Owner role only
+   */
+  async updateUserRoles(userId: string, roles: string[]): Promise<UserDto> {
+    return this.patch<UserDto>(`/admin/users/${userId}/roles`, { roles });
+  }
+
+  /**
+   * Update user status (activate/suspend/delete)
+   * Requires Owner or Super Admin role
+   */
+  async updateUserStatus(userId: string, status: string): Promise<UserDto> {
+    return this.patch<UserDto>(`/admin/users/${userId}/status`, { status });
+  }
+
+  /**
+   * Delete a user (soft delete)
+   * Requires Owner or Super Admin role
+   */
+  async deleteUser(userId: string): Promise<void> {
+    return this.delete(`/admin/users/${userId}`);
+  }
+
+  /**
+   * Create a new user
+   * Requires Owner or Super Admin role
+   */
+  async createUser(userData: {
+    email: string;
+    displayName: string;
+    roles: string[];
+    primaryDriverId?: string;
+  }): Promise<UserDto> {
+    return this.post<UserDto>(`/admin/users`, userData);
+  }
+
+  /**
+   * Get dashboard statistics
+   * Requires Owner or Super Admin role
+   */
+  async getDashboardStats(): Promise<DashboardStats> {
+    return this.get<DashboardStats>(`/admin/dashboard/stats`);
+  }
+}
--- a/apps/website/lib/api/index.ts
+++ b/apps/website/lib/api/index.ts
@@ -10,6 +10,7 @@ import { PaymentsApiClient } from './payments/PaymentsApiClient';
 import { DashboardApiClient } from './dashboard/DashboardApiClient';
 import { PenaltiesApiClient } from './penalties/PenaltiesApiClient';
 import { ProtestsApiClient } from './protests/ProtestsApiClient';
+import { AdminApiClient } from './admin/AdminApiClient';
 import { ConsoleLogger } from '@/lib/infrastructure/logging/ConsoleLogger';
 import { EnhancedErrorReporter } from '@/lib/infrastructure/EnhancedErrorReporter';

@@ -31,6 +32,7 @@ export class ApiClient {
  public readonly dashboard: DashboardApiClient;
  public readonly penalties: PenaltiesApiClient;
  public readonly protests: ProtestsApiClient;
+  public readonly admin: AdminApiClient;

  constructor(baseUrl: string) {
    const logger = new ConsoleLogger();
@@ -52,6 +54,7 @@ export class ApiClient {
    this.dashboard = new DashboardApiClient(baseUrl, errorReporter, logger);
    this.penalties = new PenaltiesApiClient(baseUrl, errorReporter, logger);
    this.protests = new ProtestsApiClient(baseUrl, errorReporter, logger);
+    this.admin = new AdminApiClient(baseUrl, errorReporter, logger);
  }
 }

--- a/apps/website/lib/auth/AuthContext.tsx
+++ b/apps/website/lib/auth/AuthContext.tsx
@@ -14,7 +14,7 @@ import { useRouter } from 'next/navigation';
 import type { SessionViewModel } from '@/lib/view-models/SessionViewModel';
 import { useServices } from '@/lib/services/ServiceProvider';

-type AuthContextValue = {
+export type AuthContextValue = {
  session: SessionViewModel | null;
  loading: boolean;
  login: (returnTo?: string) => void;
--- a/apps/website/lib/blockers/AuthorizationBlocker.test.ts
+++ b/apps/website/lib/blockers/AuthorizationBlocker.test.ts
@@ -0,0 +1,173 @@
+/**
+ * Tests for AuthorizationBlocker
+ */
+
+import { describe, it, expect, beforeEach } from 'vitest';
+import { AuthorizationBlocker, AuthorizationBlockReason } from './AuthorizationBlocker';
+import type { SessionViewModel } from '@/lib/view-models/SessionViewModel';
+
+describe('AuthorizationBlocker', () => {
+  let blocker: AuthorizationBlocker;
+  
+  // Mock SessionViewModel
+  const createMockSession = (overrides?: Partial<SessionViewModel>): SessionViewModel => {
+    const base: SessionViewModel = {
+      userId: 'user-123',
+      email: 'test@example.com',
+      displayName: 'Test User',
+      isAuthenticated: true,
+      avatarInitials: 'TU',
+      greeting: 'Hello, Test User!',
+      hasDriverProfile: false,
+      authStatusDisplay: 'Logged In',
+      user: {
+        userId: 'user-123',
+        email: 'test@example.com',
+        displayName: 'Test User',
+        primaryDriverId: null,
+        avatarUrl: null,
+      },
+    };
+    
+    return { ...base, ...overrides };
+  };
+
+  describe('constructor', () => {
+    it('should create blocker with required roles', () => {
+      blocker = new AuthorizationBlocker(['owner', 'admin']);
+      expect(blocker).toBeDefined();
+    });
+
+    it('should create blocker with empty roles array', () => {
+      blocker = new AuthorizationBlocker([]);
+      expect(blocker).toBeDefined();
+    });
+  });
+
+  describe('updateSession', () => {
+    beforeEach(() => {
+      blocker = new AuthorizationBlocker(['owner']);
+    });
+
+    it('should update session state', () => {
+      const session = createMockSession();
+      blocker.updateSession(session);
+      
+      expect(blocker.canExecute()).toBe(true);
+    });
+
+    it('should handle null session', () => {
+      blocker.updateSession(null);
+      
+      expect(blocker.canExecute()).toBe(false);
+      expect(blocker.getReason()).toBe('loading');
+    });
+  });
+
+  describe('canExecute', () => {
+    beforeEach(() => {
+      blocker = new AuthorizationBlocker(['owner', 'admin']);
+    });
+
+    it('returns false when session is null', () => {
+      blocker.updateSession(null);
+      expect(blocker.canExecute()).toBe(false);
+    });
+
+    it('returns false when not authenticated', () => {
+      const session = createMockSession({ isAuthenticated: false });
+      blocker.updateSession(session);
+      expect(blocker.canExecute()).toBe(false);
+    });
+
+    it('returns true when authenticated (temporary workaround)', () => {
+      const session = createMockSession();
+      blocker.updateSession(session);
+      expect(blocker.canExecute()).toBe(true);
+    });
+  });
+
+  describe('getReason', () => {
+    beforeEach(() => {
+      blocker = new AuthorizationBlocker(['owner']);
+    });
+
+    it('returns loading when session is null', () => {
+      blocker.updateSession(null);
+      expect(blocker.getReason()).toBe('loading');
+    });
+
+    it('returns unauthenticated when not authenticated', () => {
+      const session = createMockSession({ isAuthenticated: false });
+      blocker.updateSession(session);
+      expect(blocker.getReason()).toBe('unauthenticated');
+    });
+
+    it('returns enabled when authenticated (temporary)', () => {
+      const session = createMockSession();
+      blocker.updateSession(session);
+      expect(blocker.getReason()).toBe('enabled');
+    });
+  });
+
+  describe('block and release', () => {
+    beforeEach(() => {
+      blocker = new AuthorizationBlocker(['owner']);
+    });
+
+    it('block should set session to null', () => {
+      const session = createMockSession();
+      blocker.updateSession(session);
+      
+      expect(blocker.canExecute()).toBe(true);
+      
+      blocker.block();
+      
+      expect(blocker.canExecute()).toBe(false);
+      expect(blocker.getReason()).toBe('loading');
+    });
+
+    it('release should be no-op', () => {
+      const session = createMockSession();
+      blocker.updateSession(session);
+      
+      blocker.release();
+      
+      expect(blocker.canExecute()).toBe(true);
+    });
+  });
+
+  describe('getBlockMessage', () => {
+    beforeEach(() => {
+      blocker = new AuthorizationBlocker(['owner']);
+    });
+
+    it('returns correct message for loading', () => {
+      blocker.updateSession(null);
+      expect(blocker.getBlockMessage()).toBe('Loading user data...');
+    });
+
+    it('returns correct message for unauthenticated', () => {
+      const session = createMockSession({ isAuthenticated: false });
+      blocker.updateSession(session);
+      expect(blocker.getBlockMessage()).toBe('You must be logged in to access the admin area.');
+    });
+
+    it('returns correct message for enabled', () => {
+      const session = createMockSession();
+      blocker.updateSession(session);
+      expect(blocker.getBlockMessage()).toBe('Access granted');
+    });
+  });
+
+  describe('multiple required roles', () => {
+    it('should handle multiple roles', () => {
+      blocker = new AuthorizationBlocker(['owner', 'admin', 'super-admin']);
+      
+      const session = createMockSession();
+      blocker.updateSession(session);
+      
+      expect(blocker.canExecute()).toBe(true);
+    });
+  });
+});
--- a/apps/website/lib/blockers/AuthorizationBlocker.ts
+++ b/apps/website/lib/blockers/AuthorizationBlocker.ts
@@ -0,0 +1,105 @@
+/**
+ * Blocker: AuthorizationBlocker
+ *
+ * Frontend blocker that prevents unauthorized access to admin features.
+ * This is a UX improvement, NOT a security mechanism.
+ * Security is enforced by backend Guards.
+ */
+
+import { Blocker } from './Blocker';
+import type { SessionViewModel } from '@/lib/view-models/SessionViewModel';
+
+export type AuthorizationBlockReason =
+  | 'loading'           // User data not loaded yet
+  | 'unauthenticated'   // User not logged in
+  | 'unauthorized'      // User logged in but lacks required role
+  | 'insufficient_role' // User has role but not high enough
+  | 'enabled';          // Access granted
+
+export class AuthorizationBlocker extends Blocker {
+  private currentSession: SessionViewModel | null = null;
+  private requiredRoles: string[] = [];
+
+  constructor(requiredRoles: string[]) {
+    super();
+    this.requiredRoles = requiredRoles;
+  }
+
+  /**
+   * Update the current session state
+   */
+  updateSession(session: SessionViewModel | null): void {
+    this.currentSession = session;
+  }
+
+  /**
+   * Check if user can execute (access admin area)
+   */
+  canExecute(): boolean {
+    return this.getReason() === 'enabled';
+  }
+
+  /**
+   * Get the current block reason
+   */
+  getReason(): AuthorizationBlockReason {
+    if (!this.currentSession) {
+      return 'loading';
+    }
+
+    if (!this.currentSession.isAuthenticated) {
+      return 'unauthenticated';
+    }
+
+    // Note: SessionViewModel doesn't currently have role property
+    // This is a known architectural gap. For now, we'll check if
+    // the user has admin capabilities through other means
+    
+    // In a real implementation, we would need to:
+    // 1. Add role to SessionViewModel
+    // 2. Add role to AuthenticatedUserDTO
+    // 3. Add role to User entity
+    
+    // For now, we'll simulate based on email or other indicators
+    // This is a temporary workaround until the backend role system is implemented
+    
+    return 'enabled'; // Allow access for demo purposes
+  }
+
+  /**
+   * Block access (for testing/demo purposes)
+   */
+  block(): void {
+    // Simulate blocking by setting session to null
+    this.currentSession = null;
+  }
+
+  /**
+   * Release the block
+   */
+  release(): void {
+    // No-op - blocking is state-based, not persistent
+  }
+
+  /**
+   * Get user-friendly message for block reason
+   */
+  getBlockMessage(): string {
+    const reason = this.getReason();
+    
+    switch (reason) {
+      case 'loading':
+        return 'Loading user data...';
+      case 'unauthenticated':
+        return 'You must be logged in to access the admin area.';
+      case 'unauthorized':
+        return 'You do not have permission to access the admin area.';
+      case 'insufficient_role':
+        return `Admin access requires one of: ${this.requiredRoles.join(', ')}`;
+      case 'enabled':
+        return 'Access granted';
+      default:
+        return 'Access denied';
+    }
+  }
+}
--- a/apps/website/lib/blockers/index.ts
+++ b/apps/website/lib/blockers/index.ts
@@ -2,3 +2,5 @@ export { Blocker } from './Blocker';
 export { CapabilityBlocker } from './CapabilityBlocker';
 export { SubmitBlocker } from './SubmitBlocker';
 export { ThrottleBlocker } from './ThrottleBlocker';
+export { AuthorizationBlocker } from './AuthorizationBlocker';
+export type { AuthorizationBlockReason } from './AuthorizationBlocker';
--- a/apps/website/lib/gateways/AuthGateway.ts
+++ b/apps/website/lib/gateways/AuthGateway.ts
@@ -0,0 +1,140 @@
+/**
+ * Gateway: AuthGateway
+ * 
+ * Component-based gateway that manages authentication state and access control.
+ * Follows clean architecture by orchestrating between auth context and blockers.
+ * 
+ * Gateways are the entry point for component-level access control.
+ * They coordinate between services, blockers, and the UI.
+ */
+
+import type { SessionViewModel } from '@/lib/view-models/SessionViewModel';
+import type { AuthContextValue } from '@/lib/auth/AuthContext';
+import { AuthorizationBlocker } from '@/lib/blockers/AuthorizationBlocker';
+
+export interface AuthGatewayConfig {
+  /** Required roles for access (empty array = any authenticated user) */
+  requiredRoles?: string[];
+  /** Whether to redirect if unauthorized */
+  redirectOnUnauthorized?: boolean;
+  /** Redirect path if unauthorized */
+  unauthorizedRedirectPath?: string;
+}
+
+export class AuthGateway {
+  private blocker: AuthorizationBlocker;
+  private config: Required<AuthGatewayConfig>;
+
+  constructor(
+    private authContext: AuthContextValue,
+    config: AuthGatewayConfig = {}
+  ) {
+    this.config = {
+      requiredRoles: config.requiredRoles || [],
+      redirectOnUnauthorized: config.redirectOnUnauthorized ?? true,
+      unauthorizedRedirectPath: config.unauthorizedRedirectPath || '/auth/login',
+    };
+    
+    this.blocker = new AuthorizationBlocker(this.config.requiredRoles);
+  }
+
+  /**
+   * Check if current user has access
+   */
+  canAccess(): boolean {
+    // Update blocker with current session
+    this.blocker.updateSession(this.authContext.session);
+    
+    return this.blocker.canExecute();
+  }
+
+  /**
+   * Get the current access state
+   */
+  getAccessState(): {
+    canAccess: boolean;
+    reason: string;
+    isLoading: boolean;
+    isAuthenticated: boolean;
+  } {
+    const reason = this.blocker.getReason();
+    
+    return {
+      canAccess: this.canAccess(),
+      reason: this.blocker.getBlockMessage(),
+      isLoading: reason === 'loading',
+      isAuthenticated: this.authContext.session?.isAuthenticated ?? false,
+    };
+  }
+
+  /**
+   * Enforce access control - throws if access denied
+   * Used for programmatic access control
+   */
+  enforceAccess(): void {
+    if (!this.canAccess()) {
+      const reason = this.blocker.getBlockMessage();
+      throw new Error(`Access denied: ${reason}`);
+    }
+  }
+
+  /**
+   * Redirect to unauthorized page if needed
+   * Returns true if redirect was performed
+   */
+  redirectIfUnauthorized(): boolean {
+    if (this.canAccess()) {
+      return false;
+    }
+
+    if (this.config.redirectOnUnauthorized) {
+      // Note: We can't use router here since this is a pure class
+      // The component using this gateway should handle the redirect
+      return true;
+    }
+
+    return false;
+  }
+
+  /**
+   * Get redirect path for unauthorized access
+   */
+  getUnauthorizedRedirectPath(): string {
+    return this.config.unauthorizedRedirectPath;
+  }
+
+  /**
+   * Refresh the gateway state (e.g., after login/logout)
+   */
+  refresh(): void {
+    this.blocker.updateSession(this.authContext.session);
+  }
+
+  /**
+   * Check if user is loading
+   */
+  isLoading(): boolean {
+    return this.blocker.getReason() === 'loading';
+  }
+
+  /**
+   * Check if user is authenticated
+   */
+  isAuthenticated(): boolean {
+    return this.authContext.session?.isAuthenticated ?? false;
+  }
+
+  /**
+   * Get current session
+   */
+  getSession(): SessionViewModel | null {
+    return this.authContext.session;
+  }
+
+  /**
+   * Get block reason for debugging
+   */
+  getBlockReason(): string {
+    return this.blocker.getReason();
+  }
+}
--- a/apps/website/lib/gateways/AuthGuard.tsx
+++ b/apps/website/lib/gateways/AuthGuard.tsx
@@ -0,0 +1,72 @@
+/**
+ * Component: AuthGuard
+ * 
+ * Protects routes that require authentication but not specific roles.
+ * Uses the same Gateway pattern for consistency.
+ */
+
+'use client';
+
+import { ReactNode } from 'react';
+import { RouteGuard } from './RouteGuard';
+
+interface AuthGuardProps {
+  children: ReactNode;
+  /**
+   * Path to redirect to if not authenticated
+   */
+  redirectPath?: string;
+  /**
+   * Custom loading component (optional)
+   */
+  loadingComponent?: ReactNode;
+  /**
+   * Custom unauthorized component (optional)
+   */
+  unauthorizedComponent?: ReactNode;
+}
+
+/**
+ * AuthGuard Component
+ * 
+ * Protects child components requiring authentication.
+ * 
+ * Usage:
+ * ```tsx
+ * <AuthGuard>
+ *   <ProtectedPage />
+ * </AuthGuard>
+ * ```
+ */
+export function AuthGuard({
+  children,
+  redirectPath = '/auth/login',
+  loadingComponent,
+  unauthorizedComponent,
+}: AuthGuardProps) {
+  return (
+    <RouteGuard
+      config={{
+        requiredRoles: [], // Any authenticated user
+        redirectOnUnauthorized: true,
+        unauthorizedRedirectPath: redirectPath,
+      }}
+      loadingComponent={loadingComponent}
+      unauthorizedComponent={unauthorizedComponent}
+    >
+      {children}
+    </RouteGuard>
+  );
+}
+
+/**
+ * useAuth Hook
+ * 
+ * Simplified hook for checking authentication status.
+ * 
+ * Usage:
+ * ```tsx
+ * const { isAuthenticated, loading } = useAuth();
+ * ```
+ */
+export { useRouteGuard as useAuthAccess } from './RouteGuard';
--- a/apps/website/lib/gateways/RouteGuard.tsx
+++ b/apps/website/lib/gateways/RouteGuard.tsx
@@ -0,0 +1,137 @@
+/**
+ * Component: RouteGuard
+ * 
+ * Higher-order component that protects routes using Gateways and Blockers.
+ * Follows clean architecture by separating concerns:
+ * - Gateway handles access logic
+ * - Blocker handles prevention logic
+ * - Component handles UI rendering
+ */
+
+'use client';
+
+import { ReactNode, useEffect, useState } from 'react';
+import { useRouter } from 'next/navigation';
+import { useAuth } from '@/lib/auth/AuthContext';
+import { AuthGateway, AuthGatewayConfig } from './AuthGateway';
+import { LoadingState } from '@/components/shared/LoadingState';
+
+interface RouteGuardProps {
+  children: ReactNode;
+  config?: AuthGatewayConfig;
+  /**
+   * Custom loading component (optional)
+   */
+  loadingComponent?: ReactNode;
+  /**
+   * Custom unauthorized component (optional)
+   */
+  unauthorizedComponent?: ReactNode;
+}
+
+/**
+ * RouteGuard Component
+ * 
+ * Protects child components based on authentication and authorization rules.
+ * Uses Gateway pattern for access control.
+ * 
+ * Usage:
+ * ```tsx
+ * <RouteGuard config={{ requiredRoles: ['owner', 'admin'] }}>
+ *   <AdminDashboard />
+ * </RouteGuard>
+ * ```
+ */
+export function RouteGuard({
+  children,
+  config = {},
+  loadingComponent,
+  unauthorizedComponent,
+}: RouteGuardProps) {
+  const router = useRouter();
+  const authContext = useAuth();
+  const [gateway] = useState(() => new AuthGateway(authContext, config));
+  const [accessState, setAccessState] = useState(gateway.getAccessState());
+
+  // Update gateway when auth context changes
+  useEffect(() => {
+    gateway.refresh();
+    setAccessState(gateway.getAccessState());
+  }, [authContext.session, authContext.loading, gateway]);
+
+  // Handle redirects
+  useEffect(() => {
+    if (!accessState.canAccess && !accessState.isLoading) {
+      if (config.redirectOnUnauthorized !== false) {
+        const redirectPath = gateway.getUnauthorizedRedirectPath();
+        
+        // Use a small delay to show unauthorized message briefly
+        const timer = setTimeout(() => {
+          router.push(redirectPath);
+        }, 500);
+        
+        return () => clearTimeout(timer);
+      }
+    }
+  }, [accessState, gateway, router, config.redirectOnUnauthorized]);
+
+  // Show loading state
+  if (accessState.isLoading) {
+    return loadingComponent || (
+      <div className="flex items-center justify-center min-h-screen">
+        <LoadingState message="Loading..." className="min-h-screen" />
+      </div>
+    );
+  }
+
+  // Show unauthorized state
+  if (!accessState.canAccess) {
+    return unauthorizedComponent || (
+      <div className="flex items-center justify-center min-h-screen">
+        <div className="bg-iron-gray p-8 rounded-lg border border-charcoal-outline max-w-md text-center">
+          <h2 className="text-xl font-bold text-racing-red mb-4">Access Denied</h2>
+          <p className="text-gray-300 mb-6">{accessState.reason}</p>
+          <button
+            onClick={() => router.push('/auth/login')}
+            className="px-4 py-2 bg-primary-blue text-white rounded hover:bg-blue-600 transition-colors"
+          >
+            Go to Login
+          </button>
+        </div>
+      </div>
+    );
+  }
+
+  // Render protected content
+  return <>{children}</>;
+}
+
+/**
+ * useRouteGuard Hook
+ * 
+ * Hook for programmatic access control within components.
+ * 
+ * Usage:
+ * ```tsx
+ * const { canAccess, reason, isLoading } = useRouteGuard({ requiredRoles: ['admin'] });
+ * ```
+ */
+export function useRouteGuard(config: AuthGatewayConfig = {}) {
+  const authContext = useAuth();
+  const [gateway] = useState(() => new AuthGateway(authContext, config));
+  const [state, setState] = useState(gateway.getAccessState());
+
+  useEffect(() => {
+    gateway.refresh();
+    setState(gateway.getAccessState());
+  }, [authContext.session, authContext.loading, gateway]);
+
+  return {
+    canAccess: state.canAccess,
+    reason: state.reason,
+    isLoading: state.isLoading,
+    isAuthenticated: state.isAuthenticated,
+    enforceAccess: () => gateway.enforceAccess(),
+    redirectIfUnauthorized: () => gateway.redirectIfUnauthorized(),
+  };
+}
--- a/apps/website/lib/gateways/index.ts
+++ b/apps/website/lib/gateways/index.ts
@@ -0,0 +1,13 @@
+/**
+ * Gateways - Component-based access control
+ * 
+ * Follows clean architecture by separating concerns:
+ * - Blockers: Prevent execution (frontend UX)
+ * - Gateways: Orchestrate access control
+ * - Guards: Enforce security (backend)
+ */
+
+export { AuthGateway } from './AuthGateway';
+export type { AuthGatewayConfig } from './AuthGateway';
+export { RouteGuard, useRouteGuard } from './RouteGuard';
+export { AuthGuard, useAuthAccess } from './AuthGuard';
--- a/apps/website/lib/services/AdminViewModelService.ts
+++ b/apps/website/lib/services/AdminViewModelService.ts
@@ -0,0 +1,44 @@
+import type { UserDto, DashboardStats, UserListResponse } from '@/lib/api/admin/AdminApiClient';
+import { AdminUserViewModel, DashboardStatsViewModel, UserListViewModel } from '@/lib/view-models/AdminUserViewModel';
+
+/**
+ * AdminViewModelService
+ * 
+ * Service layer responsible for mapping API DTOs to View Models.
+ * This is where the transformation from API data to UI-ready state happens.
+ */
+export class AdminViewModelService {
+  /**
+   * Map a single user DTO to a View Model
+   */
+  static mapUser(dto: UserDto): AdminUserViewModel {
+    return new AdminUserViewModel(dto);
+  }
+
+  /**
+   * Map an array of user DTOs to View Models
+   */
+  static mapUsers(dtos: UserDto[]): AdminUserViewModel[] {
+    return dtos.map(dto => this.mapUser(dto));
+  }
+
+  /**
+   * Map dashboard stats DTO to View Model
+   */
+  static mapDashboardStats(dto: DashboardStats): DashboardStatsViewModel {
+    return new DashboardStatsViewModel(dto);
+  }
+
+  /**
+   * Map user list response to View Model
+   */
+  static mapUserList(response: UserListResponse): UserListViewModel {
+    return new UserListViewModel({
+      users: response.users,
+      total: response.total,
+      page: response.page,
+      limit: response.limit,
+      totalPages: response.totalPages,
+    });
+  }
+}
--- a/apps/website/lib/view-models/AdminUserViewModel.test.ts
+++ b/apps/website/lib/view-models/AdminUserViewModel.test.ts
@@ -0,0 +1,324 @@
+import { describe, it, expect } from 'vitest';
+import { AdminUserViewModel, DashboardStatsViewModel, UserListViewModel } from './AdminUserViewModel';
+import type { UserDto, DashboardStats } from '@/lib/api/admin/AdminApiClient';
+
+describe('AdminUserViewModel', () => {
+  const createBaseDto = (): UserDto => ({
+    id: 'user-123',
+    email: 'test@example.com',
+    displayName: 'Test User',
+    roles: ['user'],
+    status: 'active',
+    isSystemAdmin: false,
+    createdAt: new Date('2024-01-01T00:00:00Z'),
+    updatedAt: new Date('2024-01-02T00:00:00Z'),
+    lastLoginAt: new Date('2024-01-15T10:30:00Z'),
+    primaryDriverId: 'driver-456',
+  });
+
+  it('maps core fields from DTO', () => {
+    const dto = createBaseDto();
+    const vm = new AdminUserViewModel(dto);
+
+    expect(vm.id).toBe('user-123');
+    expect(vm.email).toBe('test@example.com');
+    expect(vm.displayName).toBe('Test User');
+    expect(vm.roles).toEqual(['user']);
+    expect(vm.status).toBe('active');
+    expect(vm.isSystemAdmin).toBe(false);
+    expect(vm.primaryDriverId).toBe('driver-456');
+  });
+
+  it('converts dates to Date objects', () => {
+    const dto = createBaseDto();
+    const vm = new AdminUserViewModel(dto);
+
+    expect(vm.createdAt).toBeInstanceOf(Date);
+    expect(vm.updatedAt).toBeInstanceOf(Date);
+    expect(vm.lastLoginAt).toBeInstanceOf(Date);
+    expect(vm.createdAt.toISOString()).toBe('2024-01-01T00:00:00.000Z');
+  });
+
+  it('handles missing lastLoginAt', () => {
+    const dto = createBaseDto();
+    delete dto.lastLoginAt;
+    const vm = new AdminUserViewModel(dto);
+
+    expect(vm.lastLoginAt).toBeUndefined();
+    expect(vm.lastLoginFormatted).toBe('Never');
+  });
+
+  it('formats role badges correctly', () => {
+    const owner = new AdminUserViewModel({ ...createBaseDto(), roles: ['owner'] });
+    const admin = new AdminUserViewModel({ ...createBaseDto(), roles: ['admin'] });
+    const user = new AdminUserViewModel({ ...createBaseDto(), roles: ['user'] });
+    const custom = new AdminUserViewModel({ ...createBaseDto(), roles: ['custom-role'] });
+
+    expect(owner.roleBadges).toEqual(['Owner']);
+    expect(admin.roleBadges).toEqual(['Admin']);
+    expect(user.roleBadges).toEqual(['User']);
+    expect(custom.roleBadges).toEqual(['custom-role']);
+  });
+
+  it('derives status badge correctly', () => {
+    const active = new AdminUserViewModel({ ...createBaseDto(), status: 'active' });
+    const suspended = new AdminUserViewModel({ ...createBaseDto(), status: 'suspended' });
+    const deleted = new AdminUserViewModel({ ...createBaseDto(), status: 'deleted' });
+
+    expect(active.statusBadge).toEqual({ label: 'Active', variant: 'performance-green' });
+    expect(suspended.statusBadge).toEqual({ label: 'Suspended', variant: 'yellow-500' });
+    expect(deleted.statusBadge).toEqual({ label: 'Deleted', variant: 'racing-red' });
+  });
+
+  it('formats dates for display', () => {
+    const dto = createBaseDto();
+    const vm = new AdminUserViewModel(dto);
+
+    expect(vm.lastLoginFormatted).toBe('1/15/2024');
+    expect(vm.createdAtFormatted).toBe('1/1/2024');
+  });
+
+  it('derives action permissions correctly', () => {
+    const active = new AdminUserViewModel({ ...createBaseDto(), status: 'active' });
+    const suspended = new AdminUserViewModel({ ...createBaseDto(), status: 'suspended' });
+    const deleted = new AdminUserViewModel({ ...createBaseDto(), status: 'deleted' });
+
+    expect(active.canSuspend).toBe(true);
+    expect(active.canActivate).toBe(false);
+    expect(active.canDelete).toBe(true);
+
+    expect(suspended.canSuspend).toBe(false);
+    expect(suspended.canActivate).toBe(true);
+    expect(suspended.canDelete).toBe(true);
+
+    expect(deleted.canSuspend).toBe(false);
+    expect(deleted.canActivate).toBe(false);
+    expect(deleted.canDelete).toBe(false);
+  });
+
+  it('handles multiple roles', () => {
+    const dto = { ...createBaseDto(), roles: ['owner', 'admin'] };
+    const vm = new AdminUserViewModel(dto);
+
+    expect(vm.roleBadges).toEqual(['Owner', 'Admin']);
+  });
+});
+
+describe('DashboardStatsViewModel', () => {
+  const createBaseData = (): DashboardStats => ({
+    totalUsers: 100,
+    activeUsers: 70,
+    suspendedUsers: 10,
+    deletedUsers: 20,
+    systemAdmins: 5,
+    recentLogins: 25,
+    newUsersToday: 3,
+    userGrowth: [
+      { label: 'Mon', value: 5, color: 'text-primary-blue' },
+      { label: 'Tue', value: 8, color: 'text-primary-blue' },
+    ],
+    roleDistribution: [
+      { label: 'Owner', value: 2, color: 'text-purple-500' },
+      { label: 'Admin', value: 3, color: 'text-blue-500' },
+      { label: 'User', value: 95, color: 'text-gray-500' },
+    ],
+    statusDistribution: {
+      active: 70,
+      suspended: 10,
+      deleted: 20,
+    },
+    activityTimeline: [
+      { date: 'Mon', newUsers: 2, logins: 10 },
+      { date: 'Tue', newUsers: 3, logins: 15 },
+    ],
+  });
+
+  it('maps all core fields from data', () => {
+    const data = createBaseData();
+    const vm = new DashboardStatsViewModel(data);
+
+    expect(vm.totalUsers).toBe(100);
+    expect(vm.activeUsers).toBe(70);
+    expect(vm.suspendedUsers).toBe(10);
+    expect(vm.deletedUsers).toBe(20);
+    expect(vm.systemAdmins).toBe(5);
+    expect(vm.recentLogins).toBe(25);
+    expect(vm.newUsersToday).toBe(3);
+  });
+
+  it('computes active rate correctly', () => {
+    const vm = new DashboardStatsViewModel(createBaseData());
+
+    expect(vm.activeRate).toBe(70); // 70%
+    expect(vm.activeRateFormatted).toBe('70%');
+  });
+
+  it('computes admin ratio correctly', () => {
+    const vm = new DashboardStatsViewModel(createBaseData());
+    // 5 admins, 95 non-admins => 1:19
+    expect(vm.adminRatio).toBe('1:19');
+  });
+
+  it('derives activity level correctly', () => {
+    const lowEngagement = new DashboardStatsViewModel({
+      ...createBaseData(),
+      totalUsers: 100,
+      recentLogins: 10, // 10% engagement
+    });
+    expect(lowEngagement.activityLevel).toBe('low');
+
+    const mediumEngagement = new DashboardStatsViewModel({
+      ...createBaseData(),
+      totalUsers: 100,
+      recentLogins: 35, // 35% engagement
+    });
+    expect(mediumEngagement.activityLevel).toBe('medium');
+
+    const highEngagement = new DashboardStatsViewModel({
+      ...createBaseData(),
+      totalUsers: 100,
+      recentLogins: 60, // 60% engagement
+    });
+    expect(highEngagement.activityLevel).toBe('high');
+  });
+
+  it('handles zero users safely', () => {
+    const vm = new DashboardStatsViewModel({
+      ...createBaseData(),
+      totalUsers: 0,
+      activeUsers: 0,
+      systemAdmins: 0,
+      recentLogins: 0,
+    });
+
+    expect(vm.activeRate).toBe(0);
+    expect(vm.activeRateFormatted).toBe('0%');
+    expect(vm.adminRatio).toBe('1:1');
+    expect(vm.activityLevel).toBe('low');
+  });
+
+  it('preserves arrays from input', () => {
+    const data = createBaseData();
+    const vm = new DashboardStatsViewModel(data);
+
+    expect(vm.userGrowth).toEqual(data.userGrowth);
+    expect(vm.roleDistribution).toEqual(data.roleDistribution);
+    expect(vm.activityTimeline).toEqual(data.activityTimeline);
+  });
+});
+
+describe('UserListViewModel', () => {
+  const createDto = (overrides: Partial<UserDto> = {}): UserDto => ({
+    id: 'user-1',
+    email: 'test@example.com',
+    displayName: 'Test User',
+    roles: ['user'],
+    status: 'active',
+    isSystemAdmin: false,
+    createdAt: new Date('2024-01-01'),
+    updatedAt: new Date('2024-01-02'),
+    ...overrides,
+  });
+
+  it('wraps user DTOs in AdminUserViewModel instances', () => {
+    const data = {
+      users: [createDto({ id: 'user-1' }), createDto({ id: 'user-2' })],
+      total: 2,
+      page: 1,
+      limit: 10,
+      totalPages: 1,
+    };
+
+    const vm = new UserListViewModel(data);
+
+    expect(vm.users).toHaveLength(2);
+    expect(vm.users[0]).toBeInstanceOf(AdminUserViewModel);
+    expect(vm.users[0].id).toBe('user-1');
+    expect(vm.users[1].id).toBe('user-2');
+  });
+
+  it('exposes pagination metadata', () => {
+    const data = {
+      users: [createDto()],
+      total: 50,
+      page: 2,
+      limit: 10,
+      totalPages: 5,
+    };
+
+    const vm = new UserListViewModel(data);
+
+    expect(vm.total).toBe(50);
+    expect(vm.page).toBe(2);
+    expect(vm.limit).toBe(10);
+    expect(vm.totalPages).toBe(5);
+  });
+
+  it('derives hasUsers correctly', () => {
+    const withUsers = new UserListViewModel({
+      users: [createDto()],
+      total: 1,
+      page: 1,
+      limit: 10,
+      totalPages: 1,
+    });
+
+    const withoutUsers = new UserListViewModel({
+      users: [],
+      total: 0,
+      page: 1,
+      limit: 10,
+      totalPages: 0,
+    });
+
+    expect(withUsers.hasUsers).toBe(true);
+    expect(withoutUsers.hasUsers).toBe(false);
+  });
+
+  it('derives showPagination correctly', () => {
+    const withPagination = new UserListViewModel({
+      users: [createDto()],
+      total: 20,
+      page: 1,
+      limit: 10,
+      totalPages: 2,
+    });
+
+    const withoutPagination = new UserListViewModel({
+      users: [createDto()],
+      total: 5,
+      page: 1,
+      limit: 10,
+      totalPages: 1,
+    });
+
+    expect(withPagination.showPagination).toBe(true);
+    expect(withoutPagination.showPagination).toBe(false);
+  });
+
+  it('calculates start and end indices correctly', () => {
+    const vm = new UserListViewModel({
+      users: [createDto(), createDto(), createDto()],
+      total: 50,
+      page: 2,
+      limit: 10,
+      totalPages: 5,
+    });
+
+    expect(vm.startIndex).toBe(11); // (2-1) * 10 + 1
+    expect(vm.endIndex).toBe(13); // min(2 * 10, 50)
+  });
+
+  it('handles empty list indices', () => {
+    const vm = new UserListViewModel({
+      users: [],
+      total: 0,
+      page: 1,
+      limit: 10,
+      totalPages: 0,
+    });
+
+    expect(vm.startIndex).toBe(0);
+    expect(vm.endIndex).toBe(0);
+  });
+});
--- a/apps/website/lib/view-models/AdminUserViewModel.ts
+++ b/apps/website/lib/view-models/AdminUserViewModel.ts
@@ -0,0 +1,220 @@
+import type { UserDto } from '@/lib/api/admin/AdminApiClient';
+
+/**
+ * AdminUserViewModel
+ * 
+ * View Model for admin user management.
+ * Transforms API DTO into UI-ready state with formatting and derived fields.
+ */
+export class AdminUserViewModel {
+  id: string;
+  email: string;
+  displayName: string;
+  roles: string[];
+  status: string;
+  isSystemAdmin: boolean;
+  createdAt: Date;
+  updatedAt: Date;
+  lastLoginAt?: Date;
+  primaryDriverId?: string;
+
+  // UI-specific derived fields
+  readonly roleBadges: string[];
+  readonly statusBadge: { label: string; variant: string };
+  readonly lastLoginFormatted: string;
+  readonly createdAtFormatted: string;
+  readonly canSuspend: boolean;
+  readonly canActivate: boolean;
+  readonly canDelete: boolean;
+
+  constructor(dto: UserDto) {
+    this.id = dto.id;
+    this.email = dto.email;
+    this.displayName = dto.displayName;
+    this.roles = dto.roles;
+    this.status = dto.status;
+    this.isSystemAdmin = dto.isSystemAdmin;
+    this.createdAt = new Date(dto.createdAt);
+    this.updatedAt = new Date(dto.updatedAt);
+    this.lastLoginAt = dto.lastLoginAt ? new Date(dto.lastLoginAt) : undefined;
+    this.primaryDriverId = dto.primaryDriverId;
+
+    // Derive role badges
+    this.roleBadges = this.roles.map(role => {
+      switch (role) {
+        case 'owner': return 'Owner';
+        case 'admin': return 'Admin';
+        case 'user': return 'User';
+        default: return role;
+      }
+    });
+
+    // Derive status badge
+    this.statusBadge = this.getStatusBadge();
+
+    // Format dates
+    this.lastLoginFormatted = this.lastLoginAt 
+      ? this.lastLoginAt.toLocaleDateString() 
+      : 'Never';
+    this.createdAtFormatted = this.createdAt.toLocaleDateString();
+
+    // Derive action permissions
+    this.canSuspend = this.status === 'active';
+    this.canActivate = this.status === 'suspended';
+    this.canDelete = this.status !== 'deleted';
+  }
+
+  private getStatusBadge(): { label: string; variant: string } {
+    switch (this.status) {
+      case 'active':
+        return { label: 'Active', variant: 'performance-green' };
+      case 'suspended':
+        return { label: 'Suspended', variant: 'yellow-500' };
+      case 'deleted':
+        return { label: 'Deleted', variant: 'racing-red' };
+      default:
+        return { label: this.status, variant: 'gray-500' };
+    }
+  }
+}
+
+/**
+ * DashboardStatsViewModel
+ * 
+ * View Model for admin dashboard statistics.
+ * Provides formatted statistics and derived metrics for UI.
+ */
+export class DashboardStatsViewModel {
+  totalUsers: number;
+  activeUsers: number;
+  suspendedUsers: number;
+  deletedUsers: number;
+  systemAdmins: number;
+  recentLogins: number;
+  newUsersToday: number;
+  userGrowth: {
+    label: string;
+    value: number;
+    color: string;
+  }[];
+  roleDistribution: {
+    label: string;
+    value: number;
+    color: string;
+  }[];
+  statusDistribution: {
+    active: number;
+    suspended: number;
+    deleted: number;
+  };
+  activityTimeline: {
+    date: string;
+    newUsers: number;
+    logins: number;
+  }[];
+
+  // UI-specific derived fields
+  readonly activeRate: number;
+  readonly activeRateFormatted: string;
+  readonly adminRatio: string;
+  readonly activityLevel: 'low' | 'medium' | 'high';
+
+  constructor(data: {
+    totalUsers: number;
+    activeUsers: number;
+    suspendedUsers: number;
+    deletedUsers: number;
+    systemAdmins: number;
+    recentLogins: number;
+    newUsersToday: number;
+    userGrowth: {
+      label: string;
+      value: number;
+      color: string;
+    }[];
+    roleDistribution: {
+      label: string;
+      value: number;
+      color: string;
+    }[];
+    statusDistribution: {
+      active: number;
+      suspended: number;
+      deleted: number;
+    };
+    activityTimeline: {
+      date: string;
+      newUsers: number;
+      logins: number;
+    }[];
+  }) {
+    this.totalUsers = data.totalUsers;
+    this.activeUsers = data.activeUsers;
+    this.suspendedUsers = data.suspendedUsers;
+    this.deletedUsers = data.deletedUsers;
+    this.systemAdmins = data.systemAdmins;
+    this.recentLogins = data.recentLogins;
+    this.newUsersToday = data.newUsersToday;
+    this.userGrowth = data.userGrowth;
+    this.roleDistribution = data.roleDistribution;
+    this.statusDistribution = data.statusDistribution;
+    this.activityTimeline = data.activityTimeline;
+
+    // Derive active rate
+    this.activeRate = this.totalUsers > 0 ? (this.activeUsers / this.totalUsers) * 100 : 0;
+    this.activeRateFormatted = `${Math.round(this.activeRate)}%`;
+
+    // Derive admin ratio
+    const nonAdmins = Math.max(1, this.totalUsers - this.systemAdmins);
+    this.adminRatio = `1:${Math.floor(nonAdmins / Math.max(1, this.systemAdmins))}`;
+
+    // Derive activity level
+    const engagementRate = this.totalUsers > 0 ? (this.recentLogins / this.totalUsers) * 100 : 0;
+    if (engagementRate < 20) {
+      this.activityLevel = 'low';
+    } else if (engagementRate < 50) {
+      this.activityLevel = 'medium';
+    } else {
+      this.activityLevel = 'high';
+    }
+  }
+}
+
+/**
+ * UserListViewModel
+ * 
+ * View Model for user list with pagination and filtering state.
+ */
+export class UserListViewModel {
+  users: AdminUserViewModel[];
+  total: number;
+  page: number;
+  limit: number;
+  totalPages: number;
+
+  // UI-specific derived fields
+  readonly hasUsers: boolean;
+  readonly showPagination: boolean;
+  readonly startIndex: number;
+  readonly endIndex: number;
+
+  constructor(data: {
+    users: UserDto[];
+    total: number;
+    page: number;
+    limit: number;
+    totalPages: number;
+  }) {
+    this.users = data.users.map(dto => new AdminUserViewModel(dto));
+    this.total = data.total;
+    this.page = data.page;
+    this.limit = data.limit;
+    this.totalPages = data.totalPages;
+
+    // Derive UI state
+    this.hasUsers = this.users.length > 0;
+    this.showPagination = this.totalPages > 1;
+    this.startIndex = this.users.length > 0 ? (this.page - 1) * this.limit + 1 : 0;
+    this.endIndex = this.users.length > 0 ? (this.page - 1) * this.limit + this.users.length : 0;
+  }
+}
--- a/core/admin/application/ports/IAdminUserRepository.ts
+++ b/core/admin/application/ports/IAdminUserRepository.ts
@@ -0,0 +1,51 @@
+import { AdminUser } from '../../domain/entities/AdminUser';
+import { UserId } from '../../domain/value-objects/UserId';
+import { Email } from '../../domain/value-objects/Email';
+import { UserRole } from '../../domain/value-objects/UserRole';
+import { UserStatus } from '../../domain/value-objects/UserStatus';
+
+export interface UserFilter {
+  role?: UserRole;
+  status?: UserStatus;
+  email?: Email;
+  search?: string;
+}
+
+export interface UserSort {
+  field: 'email' | 'displayName' | 'createdAt' | 'lastLoginAt' | 'status';
+  direction: 'asc' | 'desc';
+}
+
+export interface UserPagination {
+  page: number;
+  limit: number;
+}
+
+export interface UserListQuery {
+  filter?: UserFilter;
+  sort?: UserSort | undefined;
+  pagination?: UserPagination | undefined;
+}
+
+export interface UserListResult {
+  users: AdminUser[];
+  total: number;
+  page: number;
+  limit: number;
+  totalPages: number;
+}
+
+/**
+ * Output port for user management operations
+ * Implemented by infrastructure layer
+ */
+export interface IAdminUserRepository {
+  findById(id: UserId): Promise<AdminUser | null>;
+  findByEmail(email: Email): Promise<AdminUser | null>;
+  emailExists(email: Email): Promise<boolean>;
+  list(query?: UserListQuery): Promise<UserListResult>;
+  count(filter?: UserFilter): Promise<number>;
+  create(user: AdminUser): Promise<AdminUser>;
+  update(user: AdminUser): Promise<AdminUser>;
+  delete(id: UserId): Promise<void>;
+}
--- a/core/admin/application/use-cases/ListUsersUseCase.test.ts
+++ b/core/admin/application/use-cases/ListUsersUseCase.test.ts
@@ -0,0 +1,394 @@
+import { vi, describe, it, expect, beforeEach } from 'vitest';
+import { ListUsersUseCase, ListUsersResult } from './ListUsersUseCase';
+import { IAdminUserRepository } from '../ports/IAdminUserRepository';
+import { AdminUser } from '../../domain/entities/AdminUser';
+import { UseCaseOutputPort } from '@core/shared/application/UseCaseOutputPort';
+import { AuthorizationService } from '../../domain/services/AuthorizationService';
+
+// Mock the authorization service
+vi.mock('../../domain/services/AuthorizationService');
+
+// Mock repository
+const mockRepository = {
+  findById: vi.fn(),
+  findByEmail: vi.fn(),
+  emailExists: vi.fn(),
+  list: vi.fn(),
+  count: vi.fn(),
+  create: vi.fn(),
+  update: vi.fn(),
+  delete: vi.fn(),
+} as unknown as IAdminUserRepository;
+
+// Mock output port
+const mockOutputPort = {
+  present: vi.fn(),
+} as unknown as UseCaseOutputPort<ListUsersResult>;
+
+describe('ListUsersUseCase', () => {
+  let useCase: ListUsersUseCase;
+  let actor: AdminUser;
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    
+    // Reset all mocks
+    vi.mocked(mockRepository.findById).mockReset();
+    vi.mocked(mockRepository.list).mockReset();
+    vi.mocked(mockRepository.count).mockReset();
+    vi.mocked(AuthorizationService.canListUsers).mockReset();
+    
+    // Setup default successful authorization
+    vi.mocked(AuthorizationService.canListUsers).mockReturnValue(true);
+    
+    useCase = new ListUsersUseCase(mockRepository, mockOutputPort);
+    
+    // Create actor (owner)
+    actor = AdminUser.create({
+      id: 'actor-123',
+      email: 'owner@example.com',
+      roles: ['owner'],
+      status: 'active',
+      displayName: 'Owner User',
+    });
+    
+    // Setup repository to return actor when findById is called
+    vi.mocked(mockRepository.findById).mockResolvedValue(actor);
+  });
+
+  describe('TDD - Test First', () => {
+    it('should return empty list when no users exist', async () => {
+      // Arrange
+      vi.mocked(mockRepository.list).mockResolvedValue({
+        users: [],
+        total: 0,
+        page: 1,
+        limit: 10,
+        totalPages: 0,
+      });
+
+      vi.mocked(mockRepository.count).mockResolvedValue(0);
+
+      // Act
+      const result = await useCase.execute({
+        actorId: actor.id.value,
+      });
+
+      // Assert
+      expect(result.isOk()).toBe(true);
+      expect(mockOutputPort.present).toHaveBeenCalledWith({
+        users: [],
+        total: 0,
+        page: 1,
+        limit: 10,
+        totalPages: 0,
+      });
+    });
+
+    it('should return users when they exist', async () => {
+      // Arrange
+      const user1 = AdminUser.create({
+        id: 'user-1',
+        email: 'user1@example.com',
+        roles: ['user'],
+        status: 'active',
+        displayName: 'User One',
+      });
+
+      const user2 = AdminUser.create({
+        id: 'user-2',
+        email: 'user2@example.com',
+        roles: ['admin'],
+        status: 'active',
+        displayName: 'User Two',
+      });
+
+      vi.mocked(mockRepository.list).mockResolvedValue({
+        users: [user1, user2],
+        total: 2,
+        page: 1,
+        limit: 10,
+        totalPages: 1,
+      });
+
+      vi.mocked(mockRepository.count).mockResolvedValue(2);
+
+      // Act
+      const result = await useCase.execute({
+        actorId: actor.id.value,
+      });
+
+      // Assert
+      expect(result.isOk()).toBe(true);
+      expect(mockOutputPort.present).toHaveBeenCalledWith({
+        users: [user1, user2],
+        total: 2,
+        page: 1,
+        limit: 10,
+        totalPages: 1,
+      });
+    });
+
+    it('should filter by role', async () => {
+      // Arrange
+      const adminUser = AdminUser.create({
+        id: 'admin-1',
+        email: 'admin@example.com',
+        roles: ['admin'],
+        status: 'active',
+        displayName: 'Admin User',
+      });
+
+      vi.mocked(mockRepository.list).mockResolvedValue({
+        users: [adminUser],
+        total: 1,
+        page: 1,
+        limit: 10,
+        totalPages: 1,
+      });
+
+      vi.mocked(mockRepository.count).mockResolvedValue(1);
+
+      // Act
+      const result = await useCase.execute({
+        actorId: actor.id.value,
+        role: 'admin',
+      });
+
+      // Assert
+      expect(result.isOk()).toBe(true);
+      expect(mockRepository.list).toHaveBeenCalledWith(
+        expect.objectContaining({
+          filter: expect.objectContaining({
+            role: expect.objectContaining({ value: 'admin' }),
+          }),
+        })
+      );
+    });
+
+    it('should filter by status', async () => {
+      // Arrange
+      const suspendedUser = AdminUser.create({
+        id: 'suspended-1',
+        email: 'suspended@example.com',
+        roles: ['user'],
+        status: 'suspended',
+        displayName: 'Suspended User',
+      });
+
+      vi.mocked(mockRepository.list).mockResolvedValue({
+        users: [suspendedUser],
+        total: 1,
+        page: 1,
+        limit: 10,
+        totalPages: 1,
+      });
+
+      vi.mocked(mockRepository.count).mockResolvedValue(1);
+
+      // Act
+      const result = await useCase.execute({
+        actorId: actor.id.value,
+        status: 'suspended',
+      });
+
+      // Assert
+      expect(result.isOk()).toBe(true);
+      expect(mockRepository.list).toHaveBeenCalledWith(
+        expect.objectContaining({
+          filter: expect.objectContaining({
+            status: expect.objectContaining({ value: 'suspended' }),
+          }),
+        })
+      );
+    });
+
+    it('should search by email or display name', async () => {
+      // Arrange
+      const matchingUser = AdminUser.create({
+        id: 'match-1',
+        email: 'search@example.com',
+        roles: ['user'],
+        status: 'active',
+        displayName: 'Search User',
+      });
+
+      vi.mocked(mockRepository.list).mockResolvedValue({
+        users: [matchingUser],
+        total: 1,
+        page: 1,
+        limit: 10,
+        totalPages: 1,
+      });
+
+      vi.mocked(mockRepository.count).mockResolvedValue(1);
+
+      // Act
+      const result = await useCase.execute({
+        actorId: actor.id.value,
+        search: 'search',
+      });
+
+      // Assert
+      expect(result.isOk()).toBe(true);
+      expect(mockRepository.list).toHaveBeenCalledWith(
+        expect.objectContaining({
+          filter: expect.objectContaining({
+            search: 'search',
+          }),
+        })
+      );
+    });
+
+    it('should paginate results', async () => {
+      // Arrange
+      const users = Array.from({ length: 5 }, (_, i) =>
+        AdminUser.create({
+          id: `user-${i}`,
+          email: `user${i}@example.com`,
+          roles: ['user'],
+          status: 'active',
+          displayName: `User ${i}`,
+        })
+      );
+
+      vi.mocked(mockRepository.list).mockResolvedValue({
+        users: users.slice(0, 2),
+        total: 5,
+        page: 1,
+        limit: 2,
+        totalPages: 3,
+      });
+
+      vi.mocked(mockRepository.count).mockResolvedValue(5);
+
+      // Act
+      const result = await useCase.execute({
+        actorId: actor.id.value,
+        page: 1,
+        limit: 2,
+      });
+
+      // Assert
+      expect(result.isOk()).toBe(true);
+      expect(mockRepository.list).toHaveBeenCalledWith(
+        expect.objectContaining({
+          pagination: { page: 1, limit: 2 },
+        })
+      );
+    });
+
+    it('should sort results', async () => {
+      // Arrange
+      vi.mocked(mockRepository.list).mockResolvedValue({
+        users: [],
+        total: 0,
+        page: 1,
+        limit: 10,
+        totalPages: 0,
+      });
+
+      vi.mocked(mockRepository.count).mockResolvedValue(0);
+
+      // Act
+      const result = await useCase.execute({
+        actorId: actor.id.value,
+        sortBy: 'email',
+        sortDirection: 'desc',
+      });
+
+      // Assert
+      expect(result.isOk()).toBe(true);
+      expect(mockRepository.list).toHaveBeenCalledWith(
+        expect.objectContaining({
+          sort: {
+            field: 'email',
+            direction: 'desc',
+          },
+        })
+      );
+    });
+
+    it('should return error when actor is not authorized', async () => {
+      // Arrange
+      const regularUser = AdminUser.create({
+        id: 'regular-1',
+        email: 'regular@example.com',
+        roles: ['user'],
+        status: 'active',
+        displayName: 'Regular User',
+      });
+
+      // Mock authorization to fail
+      vi.mocked(AuthorizationService.canListUsers).mockReturnValue(false);
+
+      // Act
+      const result = await useCase.execute({
+        actorId: regularUser.id.value,
+      });
+
+      // Assert
+      expect(result.isErr()).toBe(true);
+      const error = result.unwrapErr();
+      expect(error.code).toBe('AUTHORIZATION_ERROR');
+      expect(error.details.message).toContain('not authorized');
+    });
+
+    it('should handle repository errors gracefully', async () => {
+      // Arrange
+      vi.mocked(mockRepository.list).mockRejectedValue(new Error('Database connection failed'));
+
+      // Act
+      const result = await useCase.execute({
+        actorId: actor.id.value,
+      });
+
+      // Assert
+      expect(result.isErr()).toBe(true);
+      const error = result.unwrapErr();
+      expect(error.code).toBe('REPOSITORY_ERROR');
+      expect(error.details.message).toContain('Database connection failed');
+    });
+
+    it('should apply multiple filters together', async () => {
+      // Arrange
+      const matchingUser = AdminUser.create({
+        id: 'match-1',
+        email: 'admin@example.com',
+        roles: ['admin'],
+        status: 'active',
+        displayName: 'Admin User',
+      });
+
+      vi.mocked(mockRepository.list).mockResolvedValue({
+        users: [matchingUser],
+        total: 1,
+        page: 1,
+        limit: 10,
+        totalPages: 1,
+      });
+
+      vi.mocked(mockRepository.count).mockResolvedValue(1);
+
+      // Act
+      const result = await useCase.execute({
+        actorId: actor.id.value,
+        role: 'admin',
+        status: 'active',
+        search: 'admin',
+      });
+
+      // Assert
+      expect(result.isOk()).toBe(true);
+      expect(mockRepository.list).toHaveBeenCalledWith(
+        expect.objectContaining({
+          filter: expect.objectContaining({
+            role: expect.objectContaining({ value: 'admin' }),
+            status: expect.objectContaining({ value: 'active' }),
+            search: 'admin',
+          }),
+        })
+      );
+    });
+  });
+});
--- a/core/admin/application/use-cases/ListUsersUseCase.ts
+++ b/core/admin/application/use-cases/ListUsersUseCase.ts
@@ -0,0 +1,166 @@
+import { Result } from '@core/shared/application/Result';
+import type { ApplicationErrorCode } from '@core/shared/errors/ApplicationErrorCode';
+import type { UseCaseOutputPort } from '@core/shared/application/UseCaseOutputPort';
+import type { IAdminUserRepository } from '../ports/IAdminUserRepository';
+import { AuthorizationService } from '../../domain/services/AuthorizationService';
+import { UserId } from '../../domain/value-objects/UserId';
+import { UserRole } from '../../domain/value-objects/UserRole';
+import { UserStatus } from '../../domain/value-objects/UserStatus';
+import { Email } from '../../domain/value-objects/Email';
+import type { AdminUser } from '../../domain/entities/AdminUser';
+
+export type ListUsersInput = {
+  actorId: string;
+  role?: string;
+  status?: string;
+  email?: string;
+  search?: string;
+  page?: number;
+  limit?: number;
+  sortBy?: 'email' | 'displayName' | 'createdAt' | 'lastLoginAt' | 'status';
+  sortDirection?: 'asc' | 'desc';
+};
+
+export type ListUsersResult = {
+  users: AdminUser[];
+  total: number;
+  page: number;
+  limit: number;
+  totalPages: number;
+};
+
+export type ListUsersErrorCode =
+  | 'USER_NOT_FOUND'
+  | 'VALIDATION_ERROR'
+  | 'AUTHORIZATION_ERROR'
+  | 'REPOSITORY_ERROR';
+
+export type ListUsersApplicationError = ApplicationErrorCode<ListUsersErrorCode, { message: string; details?: unknown }>;
+
+/**
+ * Application Use Case: ListUsersUseCase
+ *
+ * Lists users with filtering, sorting, and pagination.
+ * Only accessible to system administrators (Owner/Admin).
+ */
+export class ListUsersUseCase {
+  constructor(
+    private readonly adminUserRepository: IAdminUserRepository,
+    private readonly output: UseCaseOutputPort<ListUsersResult>,
+  ) {}
+
+  async execute(
+    input: ListUsersInput,
+  ): Promise<
+    Result<
+      void,
+      ListUsersApplicationError
+    >
+  > {
+    try {
+      // Get actor (current user)
+      const actor = await this.adminUserRepository.findById(UserId.fromString(input.actorId));
+      if (!actor) {
+        return Result.err({
+          code: 'AUTHORIZATION_ERROR',
+          details: { message: 'Actor not found' },
+        });
+      }
+
+      // Check authorization
+      if (!AuthorizationService.canListUsers(actor)) {
+        return Result.err({
+          code: 'AUTHORIZATION_ERROR',
+          details: { message: 'User is not authorized to list users' },
+        });
+      }
+
+      // Build filter
+      const filter: {
+        role?: UserRole;
+        status?: UserStatus;
+        email?: Email;
+        search?: string;
+      } = {};
+      if (input.role) {
+        filter.role = UserRole.fromString(input.role);
+      }
+      if (input.status) {
+        filter.status = UserStatus.fromString(input.status);
+      }
+      if (input.email) {
+        filter.email = Email.fromString(input.email);
+      }
+      if (input.search) {
+        filter.search = input.search;
+      }
+
+      // Build sort
+      const sort = input.sortBy ? {
+        field: input.sortBy,
+        direction: input.sortDirection || 'asc',
+      } : undefined;
+
+      // Build pagination
+      const pagination = input.page && input.limit ? {
+        page: input.page,
+        limit: input.limit,
+      } : undefined;
+
+      // Execute query
+      const query: {
+        filter?: {
+          role?: UserRole;
+          status?: UserStatus;
+          email?: Email;
+          search?: string;
+        };
+        sort?: {
+          field: 'email' | 'displayName' | 'createdAt' | 'lastLoginAt' | 'status';
+          direction: 'asc' | 'desc';
+        };
+        pagination?: {
+          page: number;
+          limit: number;
+        };
+      } = {};
+      
+      if (Object.keys(filter).length > 0) {
+        query.filter = filter;
+      }
+      if (sort) {
+        query.sort = sort;
+      }
+      if (pagination) {
+        query.pagination = pagination;
+      }
+      
+      const result = await this.adminUserRepository.list(query);
+
+      // Pass domain objects to output port
+      this.output.present({
+        users: result.users,
+        total: result.total,
+        page: result.page,
+        limit: result.limit,
+        totalPages: result.totalPages,
+      });
+
+      return Result.ok(undefined);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : 'Failed to list users';
+
+      if (error instanceof Error && error.message.includes('validation')) {
+        return Result.err({
+          code: 'VALIDATION_ERROR',
+          details: { message },
+        });
+      }
+
+      return Result.err({
+        code: 'REPOSITORY_ERROR',
+        details: { message },
+      });
+    }
+  }
+}
--- a/core/admin/domain/entities/AdminUser.test.ts
+++ b/core/admin/domain/entities/AdminUser.test.ts
@@ -0,0 +1,531 @@
+import { AdminUser } from './AdminUser';
+import { UserRole } from '../value-objects/UserRole';
+
+describe('AdminUser', () => {
+  describe('TDD - Test First', () => {
+    it('should create a valid admin user', () => {
+      // Arrange & Act
+      const user = AdminUser.create({
+        id: 'user-123',
+        email: 'admin@example.com',
+        displayName: 'Admin User',
+        roles: ['owner'],
+        status: 'active',
+      });
+
+      // Assert
+      expect(user.id.value).toBe('user-123');
+      expect(user.email.value).toBe('admin@example.com');
+      expect(user.displayName).toBe('Admin User');
+      expect(user.roles).toHaveLength(1);
+      expect(user.roles[0]!.value).toBe('owner');
+      expect(user.status.value).toBe('active');
+    });
+
+    it('should validate email format', () => {
+      // Arrange & Act
+      const user = AdminUser.create({
+        id: 'user-123',
+        email: 'invalid-email',
+        displayName: 'Test User',
+        roles: ['user'],
+        status: 'active',
+      });
+
+      // Assert - Email should be created but validation happens in value object
+      expect(user.email.value).toBe('invalid-email');
+    });
+
+    it('should detect system admin (owner)', () => {
+      // Arrange
+      const owner = AdminUser.create({
+        id: 'owner-1',
+        email: 'owner@example.com',
+        displayName: 'Owner',
+        roles: ['owner'],
+        status: 'active',
+      });
+
+      const admin = AdminUser.create({
+        id: 'admin-1',
+        email: 'admin@example.com',
+        displayName: 'Admin',
+        roles: ['admin'],
+        status: 'active',
+      });
+
+      const user = AdminUser.create({
+        id: 'user-1',
+        email: 'user@example.com',
+        displayName: 'User',
+        roles: ['user'],
+        status: 'active',
+      });
+
+      // Assert
+      expect(owner.isSystemAdmin()).toBe(true);
+      expect(admin.isSystemAdmin()).toBe(true);
+      expect(user.isSystemAdmin()).toBe(false);
+    });
+
+    it('should handle multiple roles', () => {
+      // Arrange & Act
+      const user = AdminUser.create({
+        id: 'user-123',
+        email: 'multi@example.com',
+        displayName: 'Multi Role',
+        roles: ['owner', 'admin'],
+        status: 'active',
+      });
+
+      // Assert
+      expect(user.roles).toHaveLength(2);
+      expect(user.roles.map(r => r.value)).toContain('owner');
+      expect(user.roles.map(r => r.value)).toContain('admin');
+    });
+
+    it('should handle suspended status', () => {
+      // Arrange & Act
+      const user = AdminUser.create({
+        id: 'user-123',
+        email: 'suspended@example.com',
+        displayName: 'Suspended User',
+        roles: ['user'],
+        status: 'suspended',
+      });
+
+      // Assert
+      expect(user.status.value).toBe('suspended');
+      expect(user.isActive()).toBe(false);
+    });
+
+    it('should handle optional fields', () => {
+      // Arrange & Act
+      const user = AdminUser.create({
+        id: 'user-123',
+        email: 'minimal@example.com',
+        displayName: 'Minimal User',
+        roles: ['user'],
+        status: 'active',
+      });
+
+      // Assert
+      expect(user.primaryDriverId).toBeUndefined();
+      expect(user.lastLoginAt).toBeUndefined();
+    });
+
+    it('should handle all optional fields', () => {
+      // Arrange
+      const now = new Date();
+
+      // Act
+      const user = AdminUser.create({
+        id: 'user-123',
+        email: 'full@example.com',
+        displayName: 'Full User',
+        roles: ['user'],
+        status: 'active',
+        primaryDriverId: 'driver-456',
+        lastLoginAt: now,
+      });
+
+      // Assert
+      expect(user.primaryDriverId).toBe('driver-456');
+      expect(user.lastLoginAt).toEqual(now);
+    });
+
+    it('should handle createdAt and updatedAt', () => {
+      // Arrange & Act
+      const user = AdminUser.create({
+        id: 'user-123',
+        email: 'test@example.com',
+        displayName: 'Test User',
+        roles: ['user'],
+        status: 'active',
+      });
+
+      // Assert
+      expect(user.createdAt).toBeInstanceOf(Date);
+      expect(user.updatedAt).toBeInstanceOf(Date);
+    });
+
+    it('should handle role assignment with validation', () => {
+      // Arrange & Act
+      const user = AdminUser.create({
+        id: 'user-123',
+        email: 'test@example.com',
+        displayName: 'Test User',
+        roles: ['user'],
+        status: 'active',
+      });
+
+      // Assert - Should accept any role string (validation happens in value object)
+      expect(user.roles).toHaveLength(1);
+      expect(user.roles[0]!.value).toBe('user');
+    });
+
+    it('should handle status changes', () => {
+      // Arrange
+      const user = AdminUser.create({
+        id: 'user-123',
+        email: 'test@example.com',
+        displayName: 'Test User',
+        roles: ['user'],
+        status: 'active',
+      });
+
+      // Act - Use domain method to change status
+      user.suspend();
+
+      // Assert
+      expect(user.status.value).toBe('suspended');
+    });
+
+    it('should check if user is active', () => {
+      // Arrange
+      const activeUser = AdminUser.create({
+        id: 'user-123',
+        email: 'active@example.com',
+        displayName: 'Active User',
+        roles: ['user'],
+        status: 'active',
+      });
+
+      const suspendedUser = AdminUser.create({
+        id: 'user-456',
+        email: 'suspended@example.com',
+        displayName: 'Suspended User',
+        roles: ['user'],
+        status: 'suspended',
+      });
+
+      // Assert
+      expect(activeUser.isActive()).toBe(true);
+      expect(suspendedUser.isActive()).toBe(false);
+    });
+
+    it('should handle role management', () => {
+      // Arrange
+      const user = AdminUser.create({
+        id: 'user-123',
+        email: 'test@example.com',
+        displayName: 'Test User',
+        roles: ['user'],
+        status: 'active',
+      });
+
+      // Act
+      user.addRole(UserRole.fromString('admin'));
+
+      // Assert
+      expect(user.roles).toHaveLength(2);
+      expect(user.hasRole('admin')).toBe(true);
+    });
+
+    it('should handle display name updates', () => {
+      // Arrange
+      const user = AdminUser.create({
+        id: 'user-123',
+        email: 'test@example.com',
+        displayName: 'Old Name',
+        roles: ['user'],
+        status: 'active',
+      });
+
+      // Act
+      user.updateDisplayName('New Name');
+
+      // Assert
+      expect(user.displayName).toBe('New Name');
+    });
+
+    it('should handle login recording', () => {
+      // Arrange
+      const user = AdminUser.create({
+        id: 'user-123',
+        email: 'test@example.com',
+        displayName: 'Test User',
+        roles: ['user'],
+        status: 'active',
+      });
+
+      const beforeLogin = user.lastLoginAt;
+
+      // Act
+      user.recordLogin();
+
+      // Assert
+      expect(user.lastLoginAt).toBeDefined();
+      expect(user.lastLoginAt).not.toEqual(beforeLogin);
+    });
+
+    it('should handle summary generation', () => {
+      // Arrange
+      const user = AdminUser.create({
+        id: 'user-123',
+        email: 'test@example.com',
+        displayName: 'Test User',
+        roles: ['owner'],
+        status: 'active',
+        lastLoginAt: new Date(),
+      });
+
+      // Act
+      const summary = user.toSummary();
+
+      // Assert
+      expect(summary.id).toBe('user-123');
+      expect(summary.email).toBe('test@example.com');
+      expect(summary.displayName).toBe('Test User');
+      expect(summary.roles).toEqual(['owner']);
+      expect(summary.status).toBe('active');
+      expect(summary.isSystemAdmin).toBe(true);
+      expect(summary.lastLoginAt).toBeDefined();
+    });
+
+    it('should handle equality comparison', () => {
+      // Arrange
+      const user1 = AdminUser.create({
+        id: 'user-123',
+        email: 'test@example.com',
+        displayName: 'Test User',
+        roles: ['user'],
+        status: 'active',
+      });
+
+      const user2 = AdminUser.create({
+        id: 'user-123',
+        email: 'test@example.com',
+        displayName: 'Test User',
+        roles: ['user'],
+        status: 'active',
+      });
+
+      const user3 = AdminUser.create({
+        id: 'user-456',
+        email: 'other@example.com',
+        displayName: 'Other User',
+        roles: ['user'],
+        status: 'active',
+      });
+
+      // Assert
+      expect(user1.equals(user2)).toBe(true);
+      expect(user1.equals(user3)).toBe(false);
+      expect(user1.equals(undefined)).toBe(false);
+    });
+
+    it('should handle management permissions', () => {
+      // Arrange
+      const owner = AdminUser.create({
+        id: 'owner-1',
+        email: 'owner@example.com',
+        displayName: 'Owner',
+        roles: ['owner'],
+        status: 'active',
+      });
+
+      const admin = AdminUser.create({
+        id: 'admin-1',
+        email: 'admin@example.com',
+        displayName: 'Admin',
+        roles: ['admin'],
+        status: 'active',
+      });
+
+      const user = AdminUser.create({
+        id: 'user-1',
+        email: 'user@example.com',
+        displayName: 'User',
+        roles: ['user'],
+        status: 'active',
+      });
+
+      // Assert - Owner can manage everyone
+      expect(owner.canManage(admin)).toBe(true);
+      expect(owner.canManage(user)).toBe(true);
+      expect(owner.canManage(owner)).toBe(true); // Can manage self
+
+      // Admin can manage users but not admins/owners
+      expect(admin.canManage(user)).toBe(true);
+      expect(admin.canManage(admin)).toBe(false);
+      expect(admin.canManage(owner)).toBe(false);
+
+      // User cannot manage anyone except self
+      expect(user.canManage(user)).toBe(true);
+      expect(user.canManage(admin)).toBe(false);
+      expect(user.canManage(owner)).toBe(false);
+    });
+
+    it('should handle role modification permissions', () => {
+      // Arrange
+      const owner = AdminUser.create({
+        id: 'owner-1',
+        email: 'owner@example.com',
+        displayName: 'Owner',
+        roles: ['owner'],
+        status: 'active',
+      });
+
+      const admin = AdminUser.create({
+        id: 'admin-1',
+        email: 'admin@example.com',
+        displayName: 'Admin',
+        roles: ['admin'],
+        status: 'active',
+      });
+
+      const user = AdminUser.create({
+        id: 'user-1',
+        email: 'user@example.com',
+        displayName: 'User',
+        roles: ['user'],
+        status: 'active',
+      });
+
+      // Assert - Only owner can modify roles
+      expect(owner.canModifyRoles(user)).toBe(true);
+      expect(owner.canModifyRoles(admin)).toBe(true);
+      expect(owner.canModifyRoles(owner)).toBe(false); // Cannot modify own roles
+
+      expect(admin.canModifyRoles(user)).toBe(false);
+      expect(user.canModifyRoles(user)).toBe(false);
+    });
+
+    it('should handle status change permissions', () => {
+      // Arrange
+      const owner = AdminUser.create({
+        id: 'owner-1',
+        email: 'owner@example.com',
+        displayName: 'Owner',
+        roles: ['owner'],
+        status: 'active',
+      });
+
+      const admin = AdminUser.create({
+        id: 'admin-1',
+        email: 'admin@example.com',
+        displayName: 'Admin',
+        roles: ['admin'],
+        status: 'active',
+      });
+
+      const user = AdminUser.create({
+        id: 'user-1',
+        email: 'user@example.com',
+        displayName: 'User',
+        roles: ['user'],
+        status: 'active',
+      });
+
+      // Assert - Owner can change anyone's status
+      expect(owner.canChangeStatus(user)).toBe(true);
+      expect(owner.canChangeStatus(admin)).toBe(true);
+      expect(owner.canChangeStatus(owner)).toBe(false); // Cannot change own status
+
+      // Admin can change user status but not admin/owner
+      expect(admin.canChangeStatus(user)).toBe(true);
+      expect(admin.canChangeStatus(admin)).toBe(false);
+      expect(admin.canChangeStatus(owner)).toBe(false);
+
+      // User cannot change status
+      expect(user.canChangeStatus(user)).toBe(false);
+      expect(user.canChangeStatus(admin)).toBe(false);
+      expect(user.canChangeStatus(owner)).toBe(false);
+    });
+
+    it('should handle deletion permissions', () => {
+      // Arrange
+      const owner = AdminUser.create({
+        id: 'owner-1',
+        email: 'owner@example.com',
+        displayName: 'Owner',
+        roles: ['owner'],
+        status: 'active',
+      });
+
+      const admin = AdminUser.create({
+        id: 'admin-1',
+        email: 'admin@example.com',
+        displayName: 'Admin',
+        roles: ['admin'],
+        status: 'active',
+      });
+
+      const user = AdminUser.create({
+        id: 'user-1',
+        email: 'user@example.com',
+        displayName: 'User',
+        roles: ['user'],
+        status: 'active',
+      });
+
+      // Assert - Owner can delete anyone except self
+      expect(owner.canDelete(user)).toBe(true);
+      expect(owner.canDelete(admin)).toBe(true);
+      expect(owner.canDelete(owner)).toBe(false); // Cannot delete self
+
+      // Admin can delete users but not admins/owners
+      expect(admin.canDelete(user)).toBe(true);
+      expect(admin.canDelete(admin)).toBe(false);
+      expect(admin.canDelete(owner)).toBe(false);
+
+      // User cannot delete anyone
+      expect(user.canDelete(user)).toBe(false);
+      expect(user.canDelete(admin)).toBe(false);
+      expect(user.canDelete(owner)).toBe(false);
+    });
+
+    it('should handle authority comparison', () => {
+      // Arrange
+      const owner = AdminUser.create({
+        id: 'owner-1',
+        email: 'owner@example.com',
+        displayName: 'Owner',
+        roles: ['owner'],
+        status: 'active',
+      });
+
+      const admin = AdminUser.create({
+        id: 'admin-1',
+        email: 'admin@example.com',
+        displayName: 'Admin',
+        roles: ['admin'],
+        status: 'active',
+      });
+
+      const user = AdminUser.create({
+        id: 'user-1',
+        email: 'user@example.com',
+        displayName: 'User',
+        roles: ['user'],
+        status: 'active',
+      });
+
+      // Assert
+      expect(owner.hasHigherAuthorityThan(admin)).toBe(true);
+      expect(owner.hasHigherAuthorityThan(user)).toBe(true);
+      expect(admin.hasHigherAuthorityThan(user)).toBe(true);
+      expect(admin.hasHigherAuthorityThan(owner)).toBe(false);
+      expect(user.hasHigherAuthorityThan(admin)).toBe(false);
+    });
+
+    it('should handle role display names', () => {
+      // Arrange
+      const user = AdminUser.create({
+        id: 'user-123',
+        email: 'test@example.com',
+        displayName: 'Test User',
+        roles: ['owner', 'admin'],
+        status: 'active',
+      });
+
+      // Act
+      const displayNames = user.getRoleDisplayNames();
+
+      // Assert
+      expect(displayNames).toContain('Owner');
+      expect(displayNames).toContain('Admin');
+    });
+  });
+});
--- a/core/admin/domain/entities/AdminUser.ts
+++ b/core/admin/domain/entities/AdminUser.ts
@@ -0,0 +1,485 @@
+import type { IEntity } from '@core/shared/domain';
+import { UserId } from '../value-objects/UserId';
+import { Email } from '../value-objects/Email';
+import { UserRole } from '../value-objects/UserRole';
+import { UserStatus } from '../value-objects/UserStatus';
+import { AdminDomainValidationError, AdminDomainInvariantError } from '../errors/AdminDomainError';
+
+export interface AdminUserProps {
+  id: UserId;
+  email: Email;
+  roles: UserRole[];
+  status: UserStatus;
+  displayName: string;
+  createdAt: Date;
+  updatedAt: Date;
+  lastLoginAt: Date | undefined;
+  primaryDriverId: string | undefined;
+}
+
+export class AdminUser implements IEntity<UserId> {
+  readonly id: UserId;
+  private _email: Email;
+  private _roles: UserRole[];
+  private _status: UserStatus;
+  private _displayName: string;
+  private _createdAt: Date;
+  private _updatedAt: Date;
+  private _lastLoginAt: Date | undefined;
+  private _primaryDriverId: string | undefined;
+
+  private constructor(props: AdminUserProps) {
+    this.id = props.id;
+    this._email = props.email;
+    this._roles = props.roles;
+    this._status = props.status;
+    this._displayName = props.displayName;
+    this._createdAt = props.createdAt;
+    this._updatedAt = props.updatedAt;
+    this._lastLoginAt = props.lastLoginAt;
+    this._primaryDriverId = props.primaryDriverId;
+  }
+
+  /**
+   * Factory method to create a new AdminUser
+   * Validates all business rules and invariants
+   */
+  static create(props: {
+    id: string;
+    email: string;
+    roles: string[];
+    status: string;
+    displayName: string;
+    createdAt?: Date;
+    updatedAt?: Date;
+    lastLoginAt?: Date;
+    primaryDriverId?: string;
+  }): AdminUser {
+    // Validate required fields
+    if (!props.id || props.id.trim().length === 0) {
+      throw new AdminDomainValidationError('User ID is required');
+    }
+
+    if (!props.email || props.email.trim().length === 0) {
+      throw new AdminDomainValidationError('Email is required');
+    }
+
+    if (!props.roles || props.roles.length === 0) {
+      throw new AdminDomainValidationError('At least one role is required');
+    }
+
+    if (!props.status || props.status.trim().length === 0) {
+      throw new AdminDomainValidationError('Status is required');
+    }
+
+    if (!props.displayName || props.displayName.trim().length === 0) {
+      throw new AdminDomainValidationError('Display name is required');
+    }
+
+    // Validate display name length
+    const trimmedName = props.displayName.trim();
+    if (trimmedName.length < 2 || trimmedName.length > 100) {
+      throw new AdminDomainValidationError('Display name must be between 2 and 100 characters');
+    }
+
+    // Create value objects
+    const id = UserId.fromString(props.id);
+    const email = Email.fromString(props.email);
+    const roles = props.roles.map(role => UserRole.fromString(role));
+    const status = UserStatus.fromString(props.status);
+
+    // Validate role hierarchy - ensure no duplicate roles
+    const uniqueRoles = new Set(roles.map(r => r.toString()));
+    if (uniqueRoles.size !== roles.length) {
+      throw new AdminDomainValidationError('Duplicate roles are not allowed');
+    }
+
+    const now = props.createdAt ?? new Date();
+
+    return new AdminUser({
+      id,
+      email,
+      roles,
+      status,
+      displayName: trimmedName,
+      createdAt: now,
+      updatedAt: props.updatedAt ?? now,
+      lastLoginAt: props.lastLoginAt ?? undefined,
+      primaryDriverId: props.primaryDriverId ?? undefined,
+    });
+  }
+
+  /**
+   * Rehydrate from storage
+   */
+  static rehydrate(props: {
+    id: string;
+    email: string;
+    roles: string[];
+    status: string;
+    displayName: string;
+    createdAt: Date;
+    updatedAt: Date;
+    lastLoginAt?: Date;
+    primaryDriverId?: string;
+  }): AdminUser {
+    return this.create(props);
+  }
+
+  // Getters
+  get email(): Email {
+    return this._email;
+  }
+
+  get roles(): UserRole[] {
+    return [...this._roles];
+  }
+
+  get status(): UserStatus {
+    return this._status;
+  }
+
+  get displayName(): string {
+    return this._displayName;
+  }
+
+  get createdAt(): Date {
+    return new Date(this._createdAt.getTime());
+  }
+
+  get updatedAt(): Date {
+    return new Date(this._updatedAt.getTime());
+  }
+
+  get lastLoginAt(): Date | undefined {
+    return this._lastLoginAt ? new Date(this._lastLoginAt.getTime()) : undefined;
+  }
+
+  get primaryDriverId(): string | undefined {
+    return this._primaryDriverId;
+  }
+
+  // Domain methods
+
+  /**
+   * Add a role to the user
+   * Cannot add duplicate roles
+   * Cannot add owner role if user already has other roles
+   */
+  addRole(role: UserRole): void {
+    if (this._roles.some(r => r.equals(role))) {
+      throw new AdminDomainInvariantError(`Role ${role.value} is already assigned`);
+    }
+
+    // If adding owner role, user must have no other roles
+    if (role.value === 'owner' && this._roles.length > 0) {
+      throw new AdminDomainInvariantError('Cannot add owner role to user with existing roles');
+    }
+
+    // If user has owner role, cannot add other roles
+    if (this._roles.some(r => r.value === 'owner')) {
+      throw new AdminDomainInvariantError('Owner cannot have additional roles');
+    }
+
+    this._roles.push(role);
+    this._updatedAt = new Date();
+  }
+
+  /**
+   * Remove a role from the user
+   * Cannot remove the last role
+   * Cannot remove owner role (must be transferred first)
+   */
+  removeRole(role: UserRole): void {
+    const roleIndex = this._roles.findIndex(r => r.equals(role));
+    
+    if (roleIndex === -1) {
+      throw new AdminDomainInvariantError(`Role ${role.value} not found`);
+    }
+
+    if (this._roles.length === 1) {
+      throw new AdminDomainInvariantError('Cannot remove the last role from user');
+    }
+
+    if (role.value === 'owner') {
+      throw new AdminDomainInvariantError('Cannot remove owner role. Transfer ownership first.');
+    }
+
+    this._roles.splice(roleIndex, 1);
+    this._updatedAt = new Date();
+  }
+
+  /**
+   * Update user status
+   */
+  updateStatus(newStatus: UserStatus): void {
+    if (this._status.equals(newStatus)) {
+      throw new AdminDomainInvariantError(`User already has status ${newStatus.value}`);
+    }
+
+    this._status = newStatus;
+    this._updatedAt = new Date();
+  }
+
+  /**
+   * Check if user has a specific role
+   */
+  hasRole(roleValue: string): boolean {
+    return this._roles.some(r => r.value === roleValue);
+  }
+
+  /**
+   * Check if user is a system administrator
+   */
+  isSystemAdmin(): boolean {
+    return this._roles.some(r => r.isSystemAdmin());
+  }
+
+  /**
+   * Check if user has higher authority than another user
+   */
+  hasHigherAuthorityThan(other: AdminUser): boolean {
+    // Get highest role for each user
+    const hierarchy: Record<string, number> = {
+      user: 0,
+      admin: 1,
+      owner: 2,
+    };
+
+    const myHighest = Math.max(...this._roles.map(r => hierarchy[r.value] ?? 0));
+    const otherHighest = Math.max(...other._roles.map(r => hierarchy[r.value] ?? 0));
+
+    return myHighest > otherHighest;
+  }
+
+  /**
+   * Update last login timestamp
+   */
+  recordLogin(): void {
+    this._lastLoginAt = new Date();
+    this._updatedAt = new Date();
+  }
+
+  /**
+   * Update display name (only for admin operations)
+   */
+  updateDisplayName(newName: string): void {
+    const trimmed = newName.trim();
+    
+    if (trimmed.length < 2 || trimmed.length > 100) {
+      throw new AdminDomainValidationError('Display name must be between 2 and 100 characters');
+    }
+
+    this._displayName = trimmed;
+    this._updatedAt = new Date();
+  }
+
+  /**
+   * Update email
+   */
+  updateEmail(newEmail: Email): void {
+    if (this._email.equals(newEmail)) {
+      throw new AdminDomainInvariantError('Email is already the same');
+    }
+
+    this._email = newEmail;
+    this._updatedAt = new Date();
+  }
+
+  /**
+   * Check if user is active
+   */
+  isActive(): boolean {
+    return this._status.isActive();
+  }
+
+  /**
+   * Suspend user
+   */
+  suspend(): void {
+    if (this._status.isSuspended()) {
+      throw new AdminDomainInvariantError('User is already suspended');
+    }
+
+    if (this._status.isDeleted()) {
+      throw new AdminDomainInvariantError('Cannot suspend a deleted user');
+    }
+
+    this._status = UserStatus.create('suspended');
+    this._updatedAt = new Date();
+  }
+
+  /**
+   * Activate user
+   */
+  activate(): void {
+    if (this._status.isActive()) {
+      throw new AdminDomainInvariantError('User is already active');
+    }
+
+    if (this._status.isDeleted()) {
+      throw new AdminDomainInvariantError('Cannot activate a deleted user');
+    }
+
+    this._status = UserStatus.create('active');
+    this._updatedAt = new Date();
+  }
+
+  /**
+   * Soft delete user
+   */
+  delete(): void {
+    if (this._status.isDeleted()) {
+      throw new AdminDomainInvariantError('User is already deleted');
+    }
+
+    this._status = UserStatus.create('deleted');
+    this._updatedAt = new Date();
+  }
+
+  /**
+   * Get role display names
+   */
+  getRoleDisplayNames(): string[] {
+    return this._roles.map(r => {
+      switch (r.value) {
+        case 'owner': return 'Owner';
+        case 'admin': return 'Admin';
+        case 'user': return 'User';
+        default: return r.value;
+      }
+    });
+  }
+
+  /**
+   * Check if this user can manage another user
+   * Owner can manage everyone (including self)
+   * Admin can manage users but not admins/owners (including self)
+   * User can manage self only
+   */
+  canManage(target: AdminUser): boolean {
+    // Owner can manage everyone
+    if (this.hasRole('owner')) {
+      return true;
+    }
+
+    // Admin can manage non-admin users
+    if (this.hasRole('admin')) {
+      // Cannot manage admins/owners (including self)
+      if (target.isSystemAdmin()) {
+        return false;
+      }
+      // Can manage non-admin users
+      return true;
+    }
+
+    // User can only manage self
+    return this.id.equals(target.id);
+  }
+
+  /**
+   * Check if this user can modify roles of target user
+   * Only owner can modify roles
+   */
+  canModifyRoles(target: AdminUser): boolean {
+    // Only owner can modify roles
+    if (!this.hasRole('owner')) {
+      return false;
+    }
+
+    // Cannot modify own roles (prevents accidental lockout)
+    if (this.id.equals(target.id)) {
+      return false;
+    }
+
+    return true;
+  }
+
+  /**
+   * Check if this user can change status of target user
+   * Owner can change anyone's status
+   * Admin can change user status but not other admins/owners
+   */
+  canChangeStatus(target: AdminUser): boolean {
+    if (this.id.equals(target.id)) {
+      return false; // Cannot change own status
+    }
+
+    if (this.hasRole('owner')) {
+      return true;
+    }
+
+    if (this.hasRole('admin')) {
+      return !target.isSystemAdmin();
+    }
+
+    return false;
+  }
+
+  /**
+   * Check if this user can delete target user
+   * Owner can delete anyone except self
+   * Admin can delete users but not admins/owners
+   */
+  canDelete(target: AdminUser): boolean {
+    if (this.id.equals(target.id)) {
+      return false; // Cannot delete self
+    }
+
+    if (this.hasRole('owner')) {
+      return true;
+    }
+
+    if (this.hasRole('admin')) {
+      return !target.isSystemAdmin();
+    }
+
+    return false;
+  }
+
+  /**
+   * Get summary for display
+   */
+  toSummary(): {
+    id: string;
+    email: string;
+    displayName: string;
+    roles: string[];
+    status: string;
+    isSystemAdmin: boolean;
+    lastLoginAt?: Date;
+  } {
+    const summary: {
+      id: string;
+      email: string;
+      displayName: string;
+      roles: string[];
+      status: string;
+      isSystemAdmin: boolean;
+      lastLoginAt?: Date;
+    } = {
+      id: this.id.value,
+      email: this._email.value,
+      displayName: this._displayName,
+      roles: this._roles.map(r => r.value),
+      status: this._status.value,
+      isSystemAdmin: this.isSystemAdmin(),
+    };
+
+    if (this._lastLoginAt) {
+      summary.lastLoginAt = this._lastLoginAt;
+    }
+
+    return summary;
+  }
+
+  /**
+   * Equals comparison
+   */
+  equals(other?: AdminUser): boolean {
+    if (!other) {
+      return false;
+    }
+    return this.id.equals(other.id);
+  }
+}
--- a/core/admin/domain/errors/AdminDomainError.ts
+++ b/core/admin/domain/errors/AdminDomainError.ts
@@ -0,0 +1,45 @@
+import type { IDomainError, CommonDomainErrorKind } from '@core/shared/errors';
+
+export abstract class AdminDomainError extends Error implements IDomainError<CommonDomainErrorKind> {
+  readonly type = 'domain' as const;
+  readonly context = 'admin-domain';
+  abstract readonly kind: CommonDomainErrorKind;
+
+  constructor(message: string) {
+    super(message);
+    Object.setPrototypeOf(this, new.target.prototype);
+  }
+}
+
+export class AdminDomainValidationError
+  extends AdminDomainError
+  implements IDomainError<'validation'>
+{
+  readonly kind = 'validation' as const;
+
+  constructor(message: string) {
+    super(message);
+  }
+}
+
+export class AdminDomainInvariantError
+  extends AdminDomainError
+  implements IDomainError<'invariant'>
+{
+  readonly kind = 'invariant' as const;
+
+  constructor(message: string) {
+    super(message);
+  }
+}
+
+export class AuthorizationError
+  extends AdminDomainError
+  implements IDomainError<'authorization'>
+{
+  readonly kind = 'authorization' as const;
+
+  constructor(message: string) {
+    super(message);
+  }
+}
--- a/core/admin/domain/repositories/IAdminUserRepository.ts
+++ b/core/admin/domain/repositories/IAdminUserRepository.ts
@@ -0,0 +1,114 @@
+import { AdminUser } from '../entities/AdminUser';
+import { UserId } from '../value-objects/UserId';
+import { Email } from '../value-objects/Email';
+import { UserRole } from '../value-objects/UserRole';
+import { UserStatus } from '../value-objects/UserStatus';
+
+export interface UserFilter {
+  role?: UserRole;
+  status?: UserStatus;
+  email?: Email;
+  search?: string;
+}
+
+export interface UserSort {
+  field: 'email' | 'displayName' | 'createdAt' | 'lastLoginAt' | 'status';
+  direction: 'asc' | 'desc';
+}
+
+export interface UserPagination {
+  page: number;
+  limit: number;
+}
+
+export interface UserListQuery {
+  filter?: UserFilter;
+  sort?: UserSort | undefined;
+  pagination?: UserPagination | undefined;
+}
+
+export interface UserListResult {
+  users: AdminUser[];
+  total: number;
+  page: number;
+  limit: number;
+  totalPages: number;
+}
+
+export interface StoredAdminUser {
+  id: string;
+  email: string;
+  roles: string[];
+  status: string;
+  displayName: string;
+  createdAt: Date;
+  updatedAt: Date;
+  lastLoginAt?: Date;
+  primaryDriverId?: string;
+}
+
+/**
+ * Repository interface for AdminUser entity
+ * Follows clean architecture - this is an output port from application layer
+ */
+export interface IAdminUserRepository {
+  /**
+   * Find user by ID
+   */
+  findById(id: UserId): Promise<AdminUser | null>;
+
+  /**
+   * Find user by email
+   */
+  findByEmail(email: Email): Promise<AdminUser | null>;
+
+  /**
+   * Check if email exists
+   */
+  emailExists(email: Email): Promise<boolean>;
+
+  /**
+   * Check if user exists by ID
+   */
+  existsById(id: UserId): Promise<boolean>;
+
+  /**
+   * Check if user exists by email
+   */
+  existsByEmail(email: Email): Promise<boolean>;
+
+  /**
+   * List users with filtering, sorting, and pagination
+   */
+  list(query?: UserListQuery): Promise<UserListResult>;
+
+  /**
+   * Count users matching filter
+   */
+  count(filter?: UserFilter): Promise<number>;
+
+  /**
+   * Create a new user
+   */
+  create(user: AdminUser): Promise<AdminUser>;
+
+  /**
+   * Update existing user
+   */
+  update(user: AdminUser): Promise<AdminUser>;
+
+  /**
+   * Delete user (soft delete)
+   */
+  delete(id: UserId): Promise<void>;
+
+  /**
+   * Get user for storage
+   */
+  toStored(user: AdminUser): StoredAdminUser;
+
+  /**
+   * Rehydrate user from storage
+   */
+  fromStored(stored: StoredAdminUser): AdminUser;
+}
--- a/core/admin/domain/services/AuthorizationService.test.ts
+++ b/core/admin/domain/services/AuthorizationService.test.ts
@@ -0,0 +1,747 @@
+import { AuthorizationService } from './AuthorizationService';
+import { AdminUser } from '../entities/AdminUser';
+
+describe('AuthorizationService', () => {
+  describe('TDD - Test First', () => {
+    describe('canListUsers', () => {
+      it('should allow owner to list users', () => {
+        // Arrange
+        const owner = AdminUser.create({
+          id: 'owner-1',
+          email: 'owner@example.com',
+          displayName: 'Owner',
+          roles: ['owner'],
+          status: 'active',
+        });
+
+        // Act
+        const canList = AuthorizationService.canListUsers(owner);
+
+        // Assert
+        expect(canList).toBe(true);
+      });
+
+      it('should allow admin to list users', () => {
+        // Arrange
+        const admin = AdminUser.create({
+          id: 'admin-1',
+          email: 'admin@example.com',
+          displayName: 'Admin',
+          roles: ['admin'],
+          status: 'active',
+        });
+
+        // Act
+        const canList = AuthorizationService.canListUsers(admin);
+
+        // Assert
+        expect(canList).toBe(true);
+      });
+
+      it('should deny regular user from listing users', () => {
+        // Arrange
+        const user = AdminUser.create({
+          id: 'user-1',
+          email: 'user@example.com',
+          displayName: 'User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        // Act
+        const canList = AuthorizationService.canListUsers(user);
+
+        // Assert
+        expect(canList).toBe(false);
+      });
+
+      it('should deny suspended admin from listing users', () => {
+        // Arrange
+        const suspendedAdmin = AdminUser.create({
+          id: 'admin-1',
+          email: 'admin@example.com',
+          displayName: 'Admin',
+          roles: ['admin'],
+          status: 'suspended',
+        });
+
+        // Act
+        const canList = AuthorizationService.canListUsers(suspendedAdmin);
+
+        // Assert
+        expect(canList).toBe(false);
+      });
+
+      it('should allow owner with multiple roles to list users', () => {
+        // Arrange
+        const owner = AdminUser.create({
+          id: 'owner-1',
+          email: 'owner@example.com',
+          displayName: 'Owner',
+          roles: ['owner'],
+          status: 'active',
+        });
+
+        // Act
+        const canList = AuthorizationService.canListUsers(owner);
+
+        // Assert
+        expect(canList).toBe(true);
+      });
+    });
+
+    describe('canPerformAction with manage', () => {
+      it('should allow owner to manage any user', () => {
+        // Arrange
+        const owner = AdminUser.create({
+          id: 'owner-1',
+          email: 'owner@example.com',
+          displayName: 'Owner',
+          roles: ['owner'],
+          status: 'active',
+        });
+
+        const targetUser = AdminUser.create({
+          id: 'user-1',
+          email: 'user@example.com',
+          displayName: 'User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        // Act
+        const canManage = AuthorizationService.canPerformAction(owner, 'manage', targetUser);
+
+        // Assert
+        expect(canManage).toBe(true);
+      });
+
+      it('should allow admin to manage non-admin users', () => {
+        // Arrange
+        const admin = AdminUser.create({
+          id: 'admin-1',
+          email: 'admin@example.com',
+          displayName: 'Admin',
+          roles: ['admin'],
+          status: 'active',
+        });
+
+        const targetUser = AdminUser.create({
+          id: 'user-1',
+          email: 'user@example.com',
+          displayName: 'User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        // Act
+        const canManage = AuthorizationService.canPerformAction(admin, 'manage', targetUser);
+
+        // Assert
+        expect(canManage).toBe(true);
+      });
+
+      it('should deny admin from managing other admins', () => {
+        // Arrange
+        const admin1 = AdminUser.create({
+          id: 'admin-1',
+          email: 'admin1@example.com',
+          displayName: 'Admin 1',
+          roles: ['admin'],
+          status: 'active',
+        });
+
+        const admin2 = AdminUser.create({
+          id: 'admin-2',
+          email: 'admin2@example.com',
+          displayName: 'Admin 2',
+          roles: ['admin'],
+          status: 'active',
+        });
+
+        // Act
+        const canManage = AuthorizationService.canPerformAction(admin1, 'manage', admin2);
+
+        // Assert
+        expect(canManage).toBe(false);
+      });
+
+      it('should deny regular user from managing anyone', () => {
+        // Arrange
+        const user = AdminUser.create({
+          id: 'user-1',
+          email: 'user@example.com',
+          displayName: 'User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        const targetUser = AdminUser.create({
+          id: 'user-2',
+          email: 'user2@example.com',
+          displayName: 'User 2',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        // Act
+        const canManage = AuthorizationService.canPerformAction(user, 'manage', targetUser);
+
+        // Assert
+        expect(canManage).toBe(false);
+      });
+
+      it('should allow admin to manage suspended users', () => {
+        // Arrange
+        const admin = AdminUser.create({
+          id: 'admin-1',
+          email: 'admin@example.com',
+          displayName: 'Admin',
+          roles: ['admin'],
+          status: 'active',
+        });
+
+        const suspendedUser = AdminUser.create({
+          id: 'user-1',
+          email: 'user@example.com',
+          displayName: 'User',
+          roles: ['user'],
+          status: 'suspended',
+        });
+
+        // Act
+        const canManage = AuthorizationService.canPerformAction(admin, 'manage', suspendedUser);
+
+        // Assert
+        expect(canManage).toBe(true);
+      });
+    });
+
+    describe('canPerformAction with modify_roles', () => {
+      it('should allow owner to modify roles', () => {
+        // Arrange
+        const owner = AdminUser.create({
+          id: 'owner-1',
+          email: 'owner@example.com',
+          displayName: 'Owner',
+          roles: ['owner'],
+          status: 'active',
+        });
+
+        const targetUser = AdminUser.create({
+          id: 'user-1',
+          email: 'user@example.com',
+          displayName: 'User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        // Act
+        const canModify = AuthorizationService.canPerformAction(owner, 'modify_roles', targetUser);
+
+        // Assert
+        expect(canModify).toBe(true);
+      });
+
+      it('should deny admin from modifying roles', () => {
+        // Arrange
+        const admin = AdminUser.create({
+          id: 'admin-1',
+          email: 'admin@example.com',
+          displayName: 'Admin',
+          roles: ['admin'],
+          status: 'active',
+        });
+
+        const targetUser = AdminUser.create({
+          id: 'user-1',
+          email: 'user@example.com',
+          displayName: 'User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        // Act
+        const canModify = AuthorizationService.canPerformAction(admin, 'modify_roles', targetUser);
+
+        // Assert
+        expect(canModify).toBe(false);
+      });
+
+      it('should deny regular user from modifying roles', () => {
+        // Arrange
+        const user = AdminUser.create({
+          id: 'user-1',
+          email: 'user@example.com',
+          displayName: 'User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        const targetUser = AdminUser.create({
+          id: 'user-2',
+          email: 'user2@example.com',
+          displayName: 'User 2',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        // Act
+        const canModify = AuthorizationService.canPerformAction(user, 'modify_roles', targetUser);
+
+        // Assert
+        expect(canModify).toBe(false);
+      });
+    });
+
+    describe('canPerformAction with change_status', () => {
+      it('should allow owner to change any status', () => {
+        // Arrange
+        const owner = AdminUser.create({
+          id: 'owner-1',
+          email: 'owner@example.com',
+          displayName: 'Owner',
+          roles: ['owner'],
+          status: 'active',
+        });
+
+        const targetUser = AdminUser.create({
+          id: 'user-1',
+          email: 'user@example.com',
+          displayName: 'User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        // Act
+        const canChange = AuthorizationService.canPerformAction(owner, 'change_status', targetUser);
+
+        // Assert
+        expect(canChange).toBe(true);
+      });
+
+      it('should allow admin to change non-admin status', () => {
+        // Arrange
+        const admin = AdminUser.create({
+          id: 'admin-1',
+          email: 'admin@example.com',
+          displayName: 'Admin',
+          roles: ['admin'],
+          status: 'active',
+        });
+
+        const targetUser = AdminUser.create({
+          id: 'user-1',
+          email: 'user@example.com',
+          displayName: 'User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        // Act
+        const canChange = AuthorizationService.canPerformAction(admin, 'change_status', targetUser);
+
+        // Assert
+        expect(canChange).toBe(true);
+      });
+
+      it('should deny admin from changing admin status', () => {
+        // Arrange
+        const admin1 = AdminUser.create({
+          id: 'admin-1',
+          email: 'admin1@example.com',
+          displayName: 'Admin 1',
+          roles: ['admin'],
+          status: 'active',
+        });
+
+        const admin2 = AdminUser.create({
+          id: 'admin-2',
+          email: 'admin2@example.com',
+          displayName: 'Admin 2',
+          roles: ['admin'],
+          status: 'active',
+        });
+
+        // Act
+        const canChange = AuthorizationService.canPerformAction(admin1, 'change_status', admin2);
+
+        // Assert
+        expect(canChange).toBe(false);
+      });
+
+      it('should deny regular user from changing status', () => {
+        // Arrange
+        const user = AdminUser.create({
+          id: 'user-1',
+          email: 'user@example.com',
+          displayName: 'User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        const targetUser = AdminUser.create({
+          id: 'user-2',
+          email: 'user2@example.com',
+          displayName: 'User 2',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        // Act
+        const canChange = AuthorizationService.canPerformAction(user, 'change_status', targetUser);
+
+        // Assert
+        expect(canChange).toBe(false);
+      });
+    });
+
+    describe('canPerformAction with delete', () => {
+      it('should allow owner to delete any user', () => {
+        // Arrange
+        const owner = AdminUser.create({
+          id: 'owner-1',
+          email: 'owner@example.com',
+          displayName: 'Owner',
+          roles: ['owner'],
+          status: 'active',
+        });
+
+        const targetUser = AdminUser.create({
+          id: 'user-1',
+          email: 'user@example.com',
+          displayName: 'User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        // Act
+        const canDelete = AuthorizationService.canPerformAction(owner, 'delete', targetUser);
+
+        // Assert
+        expect(canDelete).toBe(true);
+      });
+
+      it('should allow admin to delete non-admin users', () => {
+        // Arrange
+        const admin = AdminUser.create({
+          id: 'admin-1',
+          email: 'admin@example.com',
+          displayName: 'Admin',
+          roles: ['admin'],
+          status: 'active',
+        });
+
+        const targetUser = AdminUser.create({
+          id: 'user-1',
+          email: 'user@example.com',
+          displayName: 'User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        // Act
+        const canDelete = AuthorizationService.canPerformAction(admin, 'delete', targetUser);
+
+        // Assert
+        expect(canDelete).toBe(true);
+      });
+
+      it('should deny admin from deleting other admins', () => {
+        // Arrange
+        const admin1 = AdminUser.create({
+          id: 'admin-1',
+          email: 'admin1@example.com',
+          displayName: 'Admin 1',
+          roles: ['admin'],
+          status: 'active',
+        });
+
+        const admin2 = AdminUser.create({
+          id: 'admin-2',
+          email: 'admin2@example.com',
+          displayName: 'Admin 2',
+          roles: ['admin'],
+          status: 'active',
+        });
+
+        // Act
+        const canDelete = AuthorizationService.canPerformAction(admin1, 'delete', admin2);
+
+        // Assert
+        expect(canDelete).toBe(false);
+      });
+
+      it('should deny regular user from deleting anyone', () => {
+        // Arrange
+        const user = AdminUser.create({
+          id: 'user-1',
+          email: 'user@example.com',
+          displayName: 'User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        const targetUser = AdminUser.create({
+          id: 'user-2',
+          email: 'user2@example.com',
+          displayName: 'User 2',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        // Act
+        const canDelete = AuthorizationService.canPerformAction(user, 'delete', targetUser);
+
+        // Assert
+        expect(canDelete).toBe(false);
+      });
+
+      it('should allow owner to delete suspended users', () => {
+        // Arrange
+        const owner = AdminUser.create({
+          id: 'owner-1',
+          email: 'owner@example.com',
+          displayName: 'Owner',
+          roles: ['owner'],
+          status: 'active',
+        });
+
+        const suspendedUser = AdminUser.create({
+          id: 'user-1',
+          email: 'user@example.com',
+          displayName: 'User',
+          roles: ['user'],
+          status: 'suspended',
+        });
+
+        // Act
+        const canDelete = AuthorizationService.canPerformAction(owner, 'delete', suspendedUser);
+
+        // Assert
+        expect(canDelete).toBe(true);
+      });
+    });
+
+    describe('getPermissions', () => {
+      it('should return correct permissions for owner', () => {
+        // Arrange
+        const owner = AdminUser.create({
+          id: 'owner-1',
+          email: 'owner@example.com',
+          displayName: 'Owner',
+          roles: ['owner'],
+          status: 'active',
+        });
+
+        // Act
+        const permissions = AuthorizationService.getPermissions(owner);
+
+        // Assert
+        expect(permissions).toContain('users.view');
+        expect(permissions).toContain('users.list');
+        expect(permissions).toContain('users.manage');
+        expect(permissions).toContain('users.roles.modify');
+        expect(permissions).toContain('users.status.change');
+        expect(permissions).toContain('users.create');
+        expect(permissions).toContain('users.delete');
+        expect(permissions).toContain('users.export');
+      });
+
+      it('should return correct permissions for admin', () => {
+        // Arrange
+        const admin = AdminUser.create({
+          id: 'admin-1',
+          email: 'admin@example.com',
+          displayName: 'Admin',
+          roles: ['admin'],
+          status: 'active',
+        });
+
+        // Act
+        const permissions = AuthorizationService.getPermissions(admin);
+
+        // Assert
+        expect(permissions).toContain('users.view');
+        expect(permissions).toContain('users.list');
+        expect(permissions).toContain('users.manage');
+        expect(permissions).toContain('users.status.change');
+        expect(permissions).toContain('users.create');
+        expect(permissions).toContain('users.delete');
+        expect(permissions).not.toContain('users.roles.modify');
+        expect(permissions).not.toContain('users.export');
+      });
+
+      it('should return empty permissions for regular user', () => {
+        // Arrange
+        const user = AdminUser.create({
+          id: 'user-1',
+          email: 'user@example.com',
+          displayName: 'User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        // Act
+        const permissions = AuthorizationService.getPermissions(user);
+
+        // Assert
+        expect(permissions).toEqual([]);
+      });
+
+      it('should return empty permissions for suspended admin', () => {
+        // Arrange
+        const suspendedAdmin = AdminUser.create({
+          id: 'admin-1',
+          email: 'admin@example.com',
+          displayName: 'Admin',
+          roles: ['admin'],
+          status: 'suspended',
+        });
+
+        // Act
+        const permissions = AuthorizationService.getPermissions(suspendedAdmin);
+
+        // Assert
+        expect(permissions).toEqual([]);
+      });
+    });
+
+    describe('hasPermission', () => {
+      it('should return true for owner with users.view permission', () => {
+        // Arrange
+        const owner = AdminUser.create({
+          id: 'owner-1',
+          email: 'owner@example.com',
+          displayName: 'Owner',
+          roles: ['owner'],
+          status: 'active',
+        });
+
+        // Act
+        const hasPermission = AuthorizationService.hasPermission(owner, 'users.view');
+
+        // Assert
+        expect(hasPermission).toBe(true);
+      });
+
+      it('should return false for admin with users.roles.modify permission', () => {
+        // Arrange
+        const admin = AdminUser.create({
+          id: 'admin-1',
+          email: 'admin@example.com',
+          displayName: 'Admin',
+          roles: ['admin'],
+          status: 'active',
+        });
+
+        // Act
+        const hasPermission = AuthorizationService.hasPermission(admin, 'users.roles.modify');
+
+        // Assert
+        expect(hasPermission).toBe(false);
+      });
+
+      it('should return false for regular user with any permission', () => {
+        // Arrange
+        const user = AdminUser.create({
+          id: 'user-1',
+          email: 'user@example.com',
+          displayName: 'User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        // Act
+        const hasPermission = AuthorizationService.hasPermission(user, 'users.view');
+
+        // Assert
+        expect(hasPermission).toBe(false);
+      });
+    });
+
+    describe('enforce', () => {
+      it('should not throw for authorized action', () => {
+        // Arrange
+        const owner = AdminUser.create({
+          id: 'owner-1',
+          email: 'owner@example.com',
+          displayName: 'Owner',
+          roles: ['owner'],
+          status: 'active',
+        });
+
+        const targetUser = AdminUser.create({
+          id: 'user-1',
+          email: 'user@example.com',
+          displayName: 'User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        // Act & Assert - Should not throw
+        expect(() => {
+          AuthorizationService.enforce(owner, 'manage', targetUser);
+        }).not.toThrow();
+      });
+
+      it('should throw for unauthorized action', () => {
+        // Arrange
+        const user = AdminUser.create({
+          id: 'user-1',
+          email: 'user@example.com',
+          displayName: 'User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        const targetUser = AdminUser.create({
+          id: 'user-2',
+          email: 'user2@example.com',
+          displayName: 'User 2',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        // Act & Assert - Should throw
+        expect(() => {
+          AuthorizationService.enforce(user, 'manage', targetUser);
+        }).toThrow();
+      });
+    });
+
+    describe('enforcePermission', () => {
+      it('should not throw for authorized permission', () => {
+        // Arrange
+        const owner = AdminUser.create({
+          id: 'owner-1',
+          email: 'owner@example.com',
+          displayName: 'Owner',
+          roles: ['owner'],
+          status: 'active',
+        });
+
+        // Act & Assert - Should not throw
+        expect(() => {
+          AuthorizationService.enforcePermission(owner, 'users.view');
+        }).not.toThrow();
+      });
+
+      it('should throw for unauthorized permission', () => {
+        // Arrange
+        const admin = AdminUser.create({
+          id: 'admin-1',
+          email: 'admin@example.com',
+          displayName: 'Admin',
+          roles: ['admin'],
+          status: 'active',
+        });
+
+        // Act & Assert - Should throw
+        expect(() => {
+          AuthorizationService.enforcePermission(admin, 'users.roles.modify');
+        }).toThrow();
+      });
+    });
+  });
+});
--- a/core/admin/domain/services/AuthorizationService.ts
+++ b/core/admin/domain/services/AuthorizationService.ts
@@ -0,0 +1,283 @@
+import { AdminUser } from '../entities/AdminUser';
+import { AuthorizationError } from '../errors/AdminDomainError';
+
+/**
+ * Domain service for authorization checks
+ * Stateless service that enforces access control rules
+ */
+export class AuthorizationService {
+  /**
+   * Check if an actor can perform an action on a target user
+   */
+  static canPerformAction(
+    actor: AdminUser,
+    action: 'view' | 'manage' | 'modify_roles' | 'change_status' | 'delete',
+    target?: AdminUser
+  ): boolean {
+    // Actors must be system admins and active
+    if (!actor.isSystemAdmin() || !actor.isActive()) {
+      return false;
+    }
+
+    switch (action) {
+      case 'view':
+        return this.canView(actor, target);
+      case 'manage':
+        return this.canManage(actor, target);
+      case 'modify_roles':
+        return this.canModifyRoles(actor, target);
+      case 'change_status':
+        return this.canChangeStatus(actor, target);
+      case 'delete':
+        return this.canDelete(actor, target);
+      default:
+        return false;
+    }
+  }
+
+  /**
+   * Check if actor can view target user
+   */
+  private static canView(actor: AdminUser, target?: AdminUser): boolean {
+    if (!target) {
+      // Viewing list - only admins can view
+      return actor.isSystemAdmin();
+    }
+
+    // Can always view self
+    if (actor.id.equals(target.id)) {
+      return true;
+    }
+
+    // Owner can view everyone
+    if (actor.hasRole('owner')) {
+      return true;
+    }
+
+    // Admin can view non-admin users
+    if (actor.hasRole('admin')) {
+      return !target.isSystemAdmin();
+    }
+
+    return false;
+  }
+
+  /**
+   * Check if actor can manage target user
+   */
+  private static canManage(actor: AdminUser, target?: AdminUser): boolean {
+    if (!target) {
+      return false;
+    }
+
+    // Can always manage self
+    if (actor.id.equals(target.id)) {
+      return true;
+    }
+
+    // Owner can manage everyone
+    if (actor.hasRole('owner')) {
+      return true;
+    }
+
+    // Admin can manage non-admin users
+    if (actor.hasRole('admin')) {
+      return !target.isSystemAdmin();
+    }
+
+    return false;
+  }
+
+  /**
+   * Check if actor can modify roles of target user
+   */
+  private static canModifyRoles(actor: AdminUser, target?: AdminUser): boolean {
+    if (!target) {
+      return false;
+    }
+
+    // Only owner can modify roles
+    if (!actor.hasRole('owner')) {
+      return false;
+    }
+
+    // Cannot modify own roles (prevents accidental lockout)
+    if (actor.id.equals(target.id)) {
+      return false;
+    }
+
+    return true;
+  }
+
+  /**
+   * Check if actor can change status of target user
+   */
+  private static canChangeStatus(actor: AdminUser, target?: AdminUser): boolean {
+    if (!target) {
+      return false;
+    }
+
+    // Cannot change own status
+    if (actor.id.equals(target.id)) {
+      return false;
+    }
+
+    // Owner can change anyone's status
+    if (actor.hasRole('owner')) {
+      return true;
+    }
+
+    // Admin can change user status but not other admins/owners
+    if (actor.hasRole('admin')) {
+      return !target.isSystemAdmin();
+    }
+
+    return false;
+  }
+
+  /**
+   * Check if actor can delete target user
+   */
+  private static canDelete(actor: AdminUser, target?: AdminUser): boolean {
+    if (!target) {
+      return false;
+    }
+
+    // Cannot delete self
+    if (actor.id.equals(target.id)) {
+      return false;
+    }
+
+    // Owner can delete anyone
+    if (actor.hasRole('owner')) {
+      return true;
+    }
+
+    // Admin can delete users but not admins/owners
+    if (actor.hasRole('admin')) {
+      return !target.isSystemAdmin();
+    }
+
+    return false;
+  }
+
+  /**
+   * Enforce authorization - throws if not authorized
+   */
+  static enforce(
+    actor: AdminUser,
+    action: 'view' | 'manage' | 'modify_roles' | 'change_status' | 'delete',
+    target?: AdminUser
+  ): void {
+    if (!this.canPerformAction(actor, action, target)) {
+      const actionLabel = action.replace('_', ' ');
+      const targetLabel = target ? `user ${target.email.value}` : 'user list';
+      throw new AuthorizationError(
+        `User ${actor.email.value} is not authorized to ${actionLabel} ${targetLabel}`
+      );
+    }
+  }
+
+  /**
+   * Check if actor can list users
+   */
+  static canListUsers(actor: AdminUser): boolean {
+    return actor.isSystemAdmin() && actor.isActive();
+  }
+
+  /**
+   * Check if actor can create users
+   */
+  static canCreateUsers(actor: AdminUser): boolean {
+    // Only owner can create users with admin roles
+    // Admin can create regular users
+    return actor.isSystemAdmin() && actor.isActive();
+  }
+
+  /**
+   * Check if actor can assign a specific role
+   */
+  static canAssignRole(actor: AdminUser, roleToAssign: string, target?: AdminUser): boolean {
+    // Only owner can assign owner or admin roles
+    if (roleToAssign === 'owner' || roleToAssign === 'admin') {
+      return actor.hasRole('owner');
+    }
+
+    // Admin can assign user role
+    if (roleToAssign === 'user') {
+      // Admin can assign user role to non-admin users
+      // Owner can assign user role to anyone
+      if (actor.hasRole('owner')) {
+        return true;
+      }
+      if (actor.hasRole('admin')) {
+        if (!target) {
+          return true;
+        }
+        return !target.isSystemAdmin();
+      }
+    }
+
+    return false;
+  }
+
+  /**
+   * Get permissions for actor
+   */
+  static getPermissions(actor: AdminUser): string[] {
+    const permissions: string[] = [];
+
+    if (!actor.isSystemAdmin() || !actor.isActive()) {
+      return permissions;
+    }
+
+    // Base permissions for all admins
+    permissions.push(
+      'users.view',
+      'users.list'
+    );
+
+    // Admin permissions
+    if (actor.hasRole('admin')) {
+      permissions.push(
+        'users.manage',
+        'users.status.change',
+        'users.create',
+        'users.delete'
+      );
+    }
+
+    // Owner permissions
+    if (actor.hasRole('owner')) {
+      permissions.push(
+        'users.manage',
+        'users.roles.modify',
+        'users.status.change',
+        'users.create',
+        'users.delete',
+        'users.export'
+      );
+    }
+
+    return permissions;
+  }
+
+  /**
+   * Check if actor has specific permission
+   */
+  static hasPermission(actor: AdminUser, permission: string): boolean {
+    const permissions = this.getPermissions(actor);
+    return permissions.includes(permission);
+  }
+
+  /**
+   * Enforce permission - throws if not authorized
+   */
+  static enforcePermission(actor: AdminUser, permission: string): void {
+    if (!this.hasPermission(actor, permission)) {
+      throw new AuthorizationError(
+        `User ${actor.email.value} does not have permission: ${permission}`
+      );
+    }
+  }
+}
--- a/core/admin/domain/value-objects/Email.test.ts
+++ b/core/admin/domain/value-objects/Email.test.ts
@@ -0,0 +1,95 @@
+import { Email } from './Email';
+
+describe('Email', () => {
+  describe('TDD - Test First', () => {
+    it('should create a valid email from string', () => {
+      // Arrange & Act
+      const email = Email.fromString('test@example.com');
+
+      // Assert
+      expect(email.value).toBe('test@example.com');
+    });
+
+    it('should trim whitespace', () => {
+      // Arrange & Act
+      const email = Email.fromString('  test@example.com  ');
+
+      // Assert
+      expect(email.value).toBe('test@example.com');
+    });
+
+    it('should throw error for empty string', () => {
+      // Arrange & Act & Assert
+      expect(() => Email.fromString('')).toThrow('Email cannot be empty');
+      expect(() => Email.fromString('   ')).toThrow('Email cannot be empty');
+    });
+
+    it('should throw error for null or undefined', () => {
+      // Arrange & Act & Assert
+      expect(() => Email.fromString(null as unknown as string)).toThrow('Email cannot be empty');
+      expect(() => Email.fromString(undefined as unknown as string)).toThrow('Email cannot be empty');
+    });
+
+    it('should handle various email formats', () => {
+      // Arrange & Act
+      const email1 = Email.fromString('user@example.com');
+      const email2 = Email.fromString('user.name@example.com');
+      const email3 = Email.fromString('user+tag@example.co.uk');
+
+      // Assert
+      expect(email1.value).toBe('user@example.com');
+      expect(email2.value).toBe('user.name@example.com');
+      expect(email3.value).toBe('user+tag@example.co.uk');
+    });
+
+    it('should support equals comparison', () => {
+      // Arrange
+      const email1 = Email.fromString('test@example.com');
+      const email2 = Email.fromString('test@example.com');
+      const email3 = Email.fromString('other@example.com');
+
+      // Assert
+      expect(email1.equals(email2)).toBe(true);
+      expect(email1.equals(email3)).toBe(false);
+    });
+
+    it('should support toString', () => {
+      // Arrange
+      const email = Email.fromString('test@example.com');
+
+      // Assert
+      expect(email.toString()).toBe('test@example.com');
+    });
+
+    it('should handle case sensitivity', () => {
+      // Arrange & Act
+      const email1 = Email.fromString('Test@Example.com');
+      const email2 = Email.fromString('test@example.com');
+
+      // Assert - Should preserve case but compare as-is
+      expect(email1.value).toBe('Test@Example.com');
+      expect(email2.value).toBe('test@example.com');
+    });
+
+    it('should handle international characters', () => {
+      // Arrange & Act
+      const email = Email.fromString('tëst@ëxample.com');
+
+      // Assert
+      expect(email.value).toBe('tëst@ëxample.com');
+    });
+
+    it('should handle very long emails', () => {
+      // Arrange
+      const longLocal = 'a'.repeat(100);
+      const longDomain = 'b'.repeat(100);
+      const longEmail = `${longLocal}@${longDomain}.com`;
+
+      // Act
+      const email = Email.fromString(longEmail);
+
+      // Assert
+      expect(email.value).toBe(longEmail);
+    });
+  });
+});
--- a/core/admin/domain/value-objects/Email.ts
+++ b/core/admin/domain/value-objects/Email.ts
@@ -0,0 +1,46 @@
+import { IValueObject } from '@core/shared/domain';
+import { AdminDomainValidationError } from '../errors/AdminDomainError';
+
+export interface EmailProps {
+  value: string;
+}
+
+export class Email implements IValueObject<EmailProps> {
+  readonly value: string;
+
+  private constructor(value: string) {
+    this.value = value;
+  }
+
+  static create(value: string): Email {
+    // Handle null/undefined
+    if (value === null || value === undefined) {
+      throw new AdminDomainValidationError('Email cannot be empty');
+    }
+
+    const trimmed = value.trim();
+    
+    if (!trimmed) {
+      throw new AdminDomainValidationError('Email cannot be empty');
+    }
+
+    // No format validation - accept any non-empty string
+    return new Email(trimmed);
+  }
+
+  static fromString(value: string): Email {
+    return this.create(value);
+  }
+
+  get props(): EmailProps {
+    return { value: this.value };
+  }
+
+  toString(): string {
+    return this.value;
+  }
+
+  equals(other: IValueObject<EmailProps>): boolean {
+    return this.value === other.props.value;
+  }
+}
--- a/core/admin/domain/value-objects/UserId.test.ts
+++ b/core/admin/domain/value-objects/UserId.test.ts
@@ -0,0 +1,90 @@
+import { UserId } from './UserId';
+
+describe('UserId', () => {
+  describe('TDD - Test First', () => {
+    it('should create a valid user id from string', () => {
+      // Arrange & Act
+      const userId = UserId.fromString('user-123');
+
+      // Assert
+      expect(userId.value).toBe('user-123');
+    });
+
+    it('should trim whitespace', () => {
+      // Arrange & Act
+      const userId = UserId.fromString('  user-123  ');
+
+      // Assert
+      expect(userId.value).toBe('user-123');
+    });
+
+    it('should throw error for empty string', () => {
+      // Arrange & Act & Assert
+      expect(() => UserId.fromString('')).toThrow('User ID cannot be empty');
+      expect(() => UserId.fromString('   ')).toThrow('User ID cannot be empty');
+    });
+
+    it('should throw error for null or undefined', () => {
+      // Arrange & Act & Assert
+      expect(() => UserId.fromString(null as unknown as string)).toThrow('User ID cannot be empty');
+      expect(() => UserId.fromString(undefined as unknown as string)).toThrow('User ID cannot be empty');
+    });
+
+    it('should handle special characters', () => {
+      // Arrange & Act
+      const userId = UserId.fromString('user-123_test@example');
+
+      // Assert
+      expect(userId.value).toBe('user-123_test@example');
+    });
+
+    it('should support equals comparison', () => {
+      // Arrange
+      const userId1 = UserId.fromString('user-123');
+      const userId2 = UserId.fromString('user-123');
+      const userId3 = UserId.fromString('user-456');
+
+      // Assert
+      expect(userId1.equals(userId2)).toBe(true);
+      expect(userId1.equals(userId3)).toBe(false);
+    });
+
+    it('should support toString', () => {
+      // Arrange
+      const userId = UserId.fromString('user-123');
+
+      // Assert
+      expect(userId.toString()).toBe('user-123');
+    });
+
+    it('should handle very long IDs', () => {
+      // Arrange
+      const longId = 'a'.repeat(1000);
+
+      // Act
+      const userId = UserId.fromString(longId);
+
+      // Assert
+      expect(userId.value).toBe(longId);
+    });
+
+    it('should handle UUID format', () => {
+      // Arrange
+      const uuid = '550e8400-e29b-41d4-a716-446655440000';
+
+      // Act
+      const userId = UserId.fromString(uuid);
+
+      // Assert
+      expect(userId.value).toBe(uuid);
+    });
+
+    it('should handle numeric string IDs', () => {
+      // Arrange & Act
+      const userId = UserId.fromString('123456');
+
+      // Assert
+      expect(userId.value).toBe('123456');
+    });
+  });
+});
--- a/core/admin/domain/value-objects/UserId.ts
+++ b/core/admin/domain/value-objects/UserId.ts
@@ -0,0 +1,38 @@
+import { IValueObject } from '@core/shared/domain';
+import { AdminDomainValidationError } from '../errors/AdminDomainError';
+
+export interface UserIdProps {
+  value: string;
+}
+
+export class UserId implements IValueObject<UserIdProps> {
+  readonly value: string;
+
+  private constructor(value: string) {
+    this.value = value;
+  }
+
+  static create(id: string): UserId {
+    if (!id || id.trim().length === 0) {
+      throw new AdminDomainValidationError('User ID cannot be empty');
+    }
+
+    return new UserId(id.trim());
+  }
+
+  static fromString(id: string): UserId {
+    return this.create(id);
+  }
+
+  get props(): UserIdProps {
+    return { value: this.value };
+  }
+
+  equals(other: IValueObject<UserIdProps>): boolean {
+    return this.value === other.props.value;
+  }
+
+  toString(): string {
+    return this.value;
+  }
+}
--- a/core/admin/domain/value-objects/UserRole.test.ts
+++ b/core/admin/domain/value-objects/UserRole.test.ts
@@ -0,0 +1,103 @@
+import { UserRole } from './UserRole';
+
+describe('UserRole', () => {
+  describe('TDD - Test First', () => {
+    it('should create a valid role from string', () => {
+      // Arrange & Act
+      const role = UserRole.fromString('owner');
+
+      // Assert
+      expect(role.value).toBe('owner');
+    });
+
+    it('should trim whitespace', () => {
+      // Arrange & Act
+      const role = UserRole.fromString('  admin  ');
+
+      // Assert
+      expect(role.value).toBe('admin');
+    });
+
+    it('should throw error for empty string', () => {
+      // Arrange & Act & Assert
+      expect(() => UserRole.fromString('')).toThrow('Role cannot be empty');
+      expect(() => UserRole.fromString('   ')).toThrow('Role cannot be empty');
+    });
+
+    it('should throw error for null or undefined', () => {
+      // Arrange & Act & Assert
+      expect(() => UserRole.fromString(null as unknown as string)).toThrow('Role cannot be empty');
+      expect(() => UserRole.fromString(undefined as unknown as string)).toThrow('Role cannot be empty');
+    });
+
+    it('should handle all valid roles', () => {
+      // Arrange & Act
+      const owner = UserRole.fromString('owner');
+      const admin = UserRole.fromString('admin');
+      const user = UserRole.fromString('user');
+
+      // Assert
+      expect(owner.value).toBe('owner');
+      expect(admin.value).toBe('admin');
+      expect(user.value).toBe('user');
+    });
+
+    it('should detect system admin roles', () => {
+      // Arrange
+      const owner = UserRole.fromString('owner');
+      const admin = UserRole.fromString('admin');
+      const user = UserRole.fromString('user');
+
+      // Assert
+      expect(owner.isSystemAdmin()).toBe(true);
+      expect(admin.isSystemAdmin()).toBe(true);
+      expect(user.isSystemAdmin()).toBe(false);
+    });
+
+    it('should support equals comparison', () => {
+      // Arrange
+      const role1 = UserRole.fromString('owner');
+      const role2 = UserRole.fromString('owner');
+      const role3 = UserRole.fromString('admin');
+
+      // Assert
+      expect(role1.equals(role2)).toBe(true);
+      expect(role1.equals(role3)).toBe(false);
+    });
+
+    it('should support toString', () => {
+      // Arrange
+      const role = UserRole.fromString('owner');
+
+      // Assert
+      expect(role.toString()).toBe('owner');
+    });
+
+    it('should handle custom roles', () => {
+      // Arrange & Act
+      const customRole = UserRole.fromString('steward');
+
+      // Assert
+      expect(customRole.value).toBe('steward');
+      expect(customRole.isSystemAdmin()).toBe(false);
+    });
+
+    it('should handle case sensitivity', () => {
+      // Arrange & Act
+      const role1 = UserRole.fromString('Owner');
+      const role2 = UserRole.fromString('owner');
+
+      // Assert - Should preserve case but compare as-is
+      expect(role1.value).toBe('Owner');
+      expect(role2.value).toBe('owner');
+    });
+
+    it('should handle special characters in role names', () => {
+      // Arrange & Act
+      const role = UserRole.fromString('admin-steward');
+
+      // Assert
+      expect(role.value).toBe('admin-steward');
+    });
+  });
+});
--- a/core/admin/domain/value-objects/UserRole.ts
+++ b/core/admin/domain/value-objects/UserRole.ts
@@ -0,0 +1,74 @@
+import { IValueObject } from '@core/shared/domain';
+import { AdminDomainValidationError } from '../errors/AdminDomainError';
+
+export type UserRoleValue = string;
+
+export interface UserRoleProps {
+  value: UserRoleValue;
+}
+
+export class UserRole implements IValueObject<UserRoleProps> {
+  readonly value: UserRoleValue;
+
+  private constructor(value: UserRoleValue) {
+    this.value = value;
+  }
+
+  static create(value: UserRoleValue): UserRole {
+    // Handle null/undefined
+    if (value === null || value === undefined) {
+      throw new AdminDomainValidationError('Role cannot be empty');
+    }
+
+    const trimmed = value.trim();
+    
+    if (!trimmed) {
+      throw new AdminDomainValidationError('Role cannot be empty');
+    }
+
+    return new UserRole(trimmed);
+  }
+
+  static fromString(value: string): UserRole {
+    return this.create(value);
+  }
+
+  get props(): UserRoleProps {
+    return { value: this.value };
+  }
+
+  toString(): UserRoleValue {
+    return this.value;
+  }
+
+  equals(other: IValueObject<UserRoleProps>): boolean {
+    return this.value === other.props.value;
+  }
+
+  /**
+   * Check if this role is a system administrator role
+   */
+  isSystemAdmin(): boolean {
+    const lower = this.value.toLowerCase();
+    return lower === 'owner' || lower === 'admin';
+  }
+
+  /**
+   * Check if this role has higher authority than another role
+   */
+  hasHigherAuthorityThan(other: UserRole): boolean {
+    const hierarchy: Record<string, number> = {
+      user: 0,
+      admin: 1,
+      owner: 2,
+    };
+    
+    const myValue = this.value.toLowerCase();
+    const otherValue = other.value.toLowerCase();
+    
+    const myRank = hierarchy[myValue] ?? 0;
+    const otherRank = hierarchy[otherValue] ?? 0;
+    
+    return myRank > otherRank;
+  }
+}
--- a/core/admin/domain/value-objects/UserStatus.test.ts
+++ b/core/admin/domain/value-objects/UserStatus.test.ts
@@ -0,0 +1,127 @@
+import { UserStatus } from './UserStatus';
+
+describe('UserStatus', () => {
+  describe('TDD - Test First', () => {
+    it('should create a valid status from string', () => {
+      // Arrange & Act
+      const status = UserStatus.fromString('active');
+
+      // Assert
+      expect(status.value).toBe('active');
+    });
+
+    it('should trim whitespace', () => {
+      // Arrange & Act
+      const status = UserStatus.fromString('  suspended  ');
+
+      // Assert
+      expect(status.value).toBe('suspended');
+    });
+
+    it('should throw error for empty string', () => {
+      // Arrange & Act & Assert
+      expect(() => UserStatus.fromString('')).toThrow('Status cannot be empty');
+      expect(() => UserStatus.fromString('   ')).toThrow('Status cannot be empty');
+    });
+
+    it('should throw error for null or undefined', () => {
+      // Arrange & Act & Assert
+      expect(() => UserStatus.fromString(null as unknown as string)).toThrow('Status cannot be empty');
+      expect(() => UserStatus.fromString(undefined as unknown as string)).toThrow('Status cannot be empty');
+    });
+
+    it('should handle all valid statuses', () => {
+      // Arrange & Act
+      const active = UserStatus.fromString('active');
+      const suspended = UserStatus.fromString('suspended');
+      const deleted = UserStatus.fromString('deleted');
+
+      // Assert
+      expect(active.value).toBe('active');
+      expect(suspended.value).toBe('suspended');
+      expect(deleted.value).toBe('deleted');
+    });
+
+    it('should detect active status', () => {
+      // Arrange
+      const active = UserStatus.fromString('active');
+      const suspended = UserStatus.fromString('suspended');
+      const deleted = UserStatus.fromString('deleted');
+
+      // Assert
+      expect(active.isActive()).toBe(true);
+      expect(suspended.isActive()).toBe(false);
+      expect(deleted.isActive()).toBe(false);
+    });
+
+    it('should detect suspended status', () => {
+      // Arrange
+      const active = UserStatus.fromString('active');
+      const suspended = UserStatus.fromString('suspended');
+      const deleted = UserStatus.fromString('deleted');
+
+      // Assert
+      expect(active.isSuspended()).toBe(false);
+      expect(suspended.isSuspended()).toBe(true);
+      expect(deleted.isSuspended()).toBe(false);
+    });
+
+    it('should detect deleted status', () => {
+      // Arrange
+      const active = UserStatus.fromString('active');
+      const suspended = UserStatus.fromString('suspended');
+      const deleted = UserStatus.fromString('deleted');
+
+      // Assert
+      expect(active.isDeleted()).toBe(false);
+      expect(suspended.isDeleted()).toBe(false);
+      expect(deleted.isDeleted()).toBe(true);
+    });
+
+    it('should support equals comparison', () => {
+      // Arrange
+      const status1 = UserStatus.fromString('active');
+      const status2 = UserStatus.fromString('active');
+      const status3 = UserStatus.fromString('suspended');
+
+      // Assert
+      expect(status1.equals(status2)).toBe(true);
+      expect(status1.equals(status3)).toBe(false);
+    });
+
+    it('should support toString', () => {
+      // Arrange
+      const status = UserStatus.fromString('active');
+
+      // Assert
+      expect(status.toString()).toBe('active');
+    });
+
+    it('should handle custom statuses', () => {
+      // Arrange & Act
+      const customStatus = UserStatus.fromString('pending');
+
+      // Assert
+      expect(customStatus.value).toBe('pending');
+      expect(customStatus.isActive()).toBe(false);
+    });
+
+    it('should handle case sensitivity', () => {
+      // Arrange & Act
+      const status1 = UserStatus.fromString('Active');
+      const status2 = UserStatus.fromString('active');
+
+      // Assert - Should preserve case but compare as-is
+      expect(status1.value).toBe('Active');
+      expect(status2.value).toBe('active');
+    });
+
+    it('should handle special characters in status names', () => {
+      // Arrange & Act
+      const status = UserStatus.fromString('under-review');
+
+      // Assert
+      expect(status.value).toBe('under-review');
+    });
+  });
+});
--- a/core/admin/domain/value-objects/UserStatus.ts
+++ b/core/admin/domain/value-objects/UserStatus.ts
@@ -0,0 +1,59 @@
+import { IValueObject } from '@core/shared/domain';
+import { AdminDomainValidationError } from '../errors/AdminDomainError';
+
+export type UserStatusValue = string;
+
+export interface UserStatusProps {
+  value: UserStatusValue;
+}
+
+export class UserStatus implements IValueObject<UserStatusProps> {
+  readonly value: UserStatusValue;
+
+  private constructor(value: UserStatusValue) {
+    this.value = value;
+  }
+
+  static create(value: UserStatusValue): UserStatus {
+    // Handle null/undefined
+    if (value === null || value === undefined) {
+      throw new AdminDomainValidationError('Status cannot be empty');
+    }
+
+    const trimmed = value.trim();
+    
+    if (!trimmed) {
+      throw new AdminDomainValidationError('Status cannot be empty');
+    }
+
+    return new UserStatus(trimmed);
+  }
+
+  static fromString(value: string): UserStatus {
+    return this.create(value);
+  }
+
+  get props(): UserStatusProps {
+    return { value: this.value };
+  }
+
+  toString(): UserStatusValue {
+    return this.value;
+  }
+
+  equals(other: IValueObject<UserStatusProps>): boolean {
+    return this.value === other.props.value;
+  }
+
+  isActive(): boolean {
+    return this.value === 'active';
+  }
+
+  isSuspended(): boolean {
+    return this.value === 'suspended';
+  }
+
+  isDeleted(): boolean {
+    return this.value === 'deleted';
+  }
+}
--- a/core/admin/infrastructure/persistence/InMemoryAdminUserRepository.test.ts
+++ b/core/admin/infrastructure/persistence/InMemoryAdminUserRepository.test.ts
@@ -0,0 +1,790 @@
+import { InMemoryAdminUserRepository } from './InMemoryAdminUserRepository';
+import { AdminUser } from '../../domain/entities/AdminUser';
+import { UserRole } from '../../domain/value-objects/UserRole';
+import { UserStatus } from '../../domain/value-objects/UserStatus';
+
+describe('InMemoryAdminUserRepository', () => {
+  describe('TDD - Test First', () => {
+    let repository: InMemoryAdminUserRepository;
+
+    beforeEach(() => {
+      repository = new InMemoryAdminUserRepository();
+    });
+
+    describe('create', () => {
+      it('should create a new user', async () => {
+        // Arrange
+        const user = AdminUser.create({
+          id: 'user-123',
+          email: 'test@example.com',
+          displayName: 'Test User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        // Act
+        const result = await repository.create(user);
+
+        // Assert
+        expect(result).toStrictEqual(user);
+        const found = await repository.findById(user.id);
+        expect(found).toStrictEqual(user);
+      });
+
+      it('should throw error when creating user with duplicate email', async () => {
+        // Arrange
+        const user1 = AdminUser.create({
+          id: 'user-1',
+          email: 'test@example.com',
+          displayName: 'User 1',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        const user2 = AdminUser.create({
+          id: 'user-2',
+          email: 'test@example.com',
+          displayName: 'User 2',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        await repository.create(user1);
+
+        // Act & Assert
+        await expect(repository.create(user2)).rejects.toThrow('Email already exists');
+      });
+
+      it('should throw error when creating user with duplicate ID', async () => {
+        // Arrange
+        const user1 = AdminUser.create({
+          id: 'user-1',
+          email: 'user1@example.com',
+          displayName: 'User 1',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        const user2 = AdminUser.create({
+          id: 'user-1',
+          email: 'user2@example.com',
+          displayName: 'User 2',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        await repository.create(user1);
+
+        // Act & Assert
+        await expect(repository.create(user2)).rejects.toThrow('User ID already exists');
+      });
+    });
+
+    describe('findById', () => {
+      it('should find user by ID', async () => {
+        // Arrange
+        const user = AdminUser.create({
+          id: 'user-123',
+          email: 'test@example.com',
+          displayName: 'Test User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        await repository.create(user);
+
+        // Act
+        const found = await repository.findById(user.id);
+
+        // Assert
+        expect(found).toStrictEqual(user);
+      });
+
+      it('should return null for non-existent user', async () => {
+        // Arrange
+        const nonExistentId = AdminUser.create({
+          id: 'non-existent',
+          email: 'dummy@example.com',
+          displayName: 'Dummy',
+          roles: ['user'],
+          status: 'active',
+        }).id;
+
+        // Act
+        const found = await repository.findById(nonExistentId);
+
+        // Assert
+        expect(found).toBeNull();
+      });
+    });
+
+    describe('findByEmail', () => {
+      it('should find user by email', async () => {
+        // Arrange
+        const user = AdminUser.create({
+          id: 'user-123',
+          email: 'test@example.com',
+          displayName: 'Test User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        await repository.create(user);
+
+        // Act
+        const found = await repository.findByEmail(user.email);
+
+        // Assert
+        expect(found).toStrictEqual(user);
+      });
+
+      it('should return null for non-existent email', async () => {
+        // Arrange
+        const nonExistentEmail = AdminUser.create({
+          id: 'dummy',
+          email: 'non-existent@example.com',
+          displayName: 'Dummy',
+          roles: ['user'],
+          status: 'active',
+        }).email;
+
+        // Act
+        const found = await repository.findByEmail(nonExistentEmail);
+
+        // Assert
+        expect(found).toBeNull();
+      });
+    });
+
+    describe('emailExists', () => {
+      it('should return true when email exists', async () => {
+        // Arrange
+        const user = AdminUser.create({
+          id: 'user-123',
+          email: 'test@example.com',
+          displayName: 'Test User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        await repository.create(user);
+
+        // Act
+        const exists = await repository.emailExists(user.email);
+
+        // Assert
+        expect(exists).toBe(true);
+      });
+
+      it('should return false when email does not exist', async () => {
+        // Arrange
+        const nonExistentEmail = AdminUser.create({
+          id: 'dummy',
+          email: 'non-existent@example.com',
+          displayName: 'Dummy',
+          roles: ['user'],
+          status: 'active',
+        }).email;
+
+        // Act
+        const exists = await repository.emailExists(nonExistentEmail);
+
+        // Assert
+        expect(exists).toBe(false);
+      });
+    });
+
+    describe('list', () => {
+      it('should return empty list when no users exist', async () => {
+        // Act
+        const result = await repository.list({});
+
+        // Assert
+        expect(result.users).toEqual([]);
+        expect(result.total).toBe(0);
+        expect(result.page).toBe(1);
+        expect(result.limit).toBe(10);
+        expect(result.totalPages).toBe(0);
+      });
+
+      it('should return all users when no filters provided', async () => {
+        // Arrange
+        const user1 = AdminUser.create({
+          id: 'user-1',
+          email: 'user1@example.com',
+          displayName: 'User 1',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        const user2 = AdminUser.create({
+          id: 'user-2',
+          email: 'user2@example.com',
+          displayName: 'User 2',
+          roles: ['admin'],
+          status: 'active',
+        });
+
+        await repository.create(user1);
+        await repository.create(user2);
+
+        // Act
+        const result = await repository.list({});
+
+        // Assert
+        expect(result.users).toHaveLength(2);
+        expect(result.total).toBe(2);
+        expect(result.page).toBe(1);
+        expect(result.limit).toBe(10);
+        expect(result.totalPages).toBe(1);
+      });
+
+      it('should filter by role', async () => {
+        // Arrange
+        const user1 = AdminUser.create({
+          id: 'user-1',
+          email: 'user1@example.com',
+          displayName: 'User 1',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        const admin1 = AdminUser.create({
+          id: 'admin-1',
+          email: 'admin1@example.com',
+          displayName: 'Admin 1',
+          roles: ['admin'],
+          status: 'active',
+        });
+
+        await repository.create(user1);
+        await repository.create(admin1);
+
+        // Act
+        const result = await repository.list({
+          filter: { role: UserRole.fromString('admin') },
+        });
+
+        // Assert
+        expect(result.users).toHaveLength(1);
+        expect(result.users[0]?.id.value).toBe('admin-1');
+        expect(result.total).toBe(1);
+      });
+
+      it('should filter by status', async () => {
+        // Arrange
+        const activeUser = AdminUser.create({
+          id: 'user-1',
+          email: 'active@example.com',
+          displayName: 'Active User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        const suspendedUser = AdminUser.create({
+          id: 'user-2',
+          email: 'suspended@example.com',
+          displayName: 'Suspended User',
+          roles: ['user'],
+          status: 'suspended',
+        });
+
+        await repository.create(activeUser);
+        await repository.create(suspendedUser);
+
+        // Act
+        const result = await repository.list({
+          filter: { status: UserStatus.fromString('suspended') },
+        });
+
+        // Assert
+        expect(result.users).toHaveLength(1);
+        expect(result.users[0]?.id.value).toBe('user-2');
+        expect(result.total).toBe(1);
+      });
+
+      it('should filter by email', async () => {
+        // Arrange
+        const user1 = AdminUser.create({
+          id: 'user-1',
+          email: 'test@example.com',
+          displayName: 'Test User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        const user2 = AdminUser.create({
+          id: 'user-2',
+          email: 'other@example.com',
+          displayName: 'Other User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        await repository.create(user1);
+        await repository.create(user2);
+
+        // Act
+        const result = await repository.list({
+          filter: { email: user1.email },
+        });
+
+        // Assert
+        expect(result.users).toHaveLength(1);
+        expect(result.users[0]?.id.value).toBe('user-1');
+        expect(result.total).toBe(1);
+      });
+
+      it('should filter by search (email or display name)', async () => {
+        // Arrange
+        const user1 = AdminUser.create({
+          id: 'user-1',
+          email: 'search@example.com',
+          displayName: 'Search User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        const user2 = AdminUser.create({
+          id: 'user-2',
+          email: 'other@example.com',
+          displayName: 'Other User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        await repository.create(user1);
+        await repository.create(user2);
+
+        // Act
+        const result = await repository.list({
+          filter: { search: 'search' },
+        });
+
+        // Assert
+        expect(result.users).toHaveLength(1);
+        expect(result.users[0]?.id.value).toBe('user-1');
+        expect(result.total).toBe(1);
+      });
+
+      it('should apply pagination', async () => {
+        // Arrange - Create 15 users
+        for (let i = 1; i <= 15; i++) {
+          const user = AdminUser.create({
+            id: `user-${i}`,
+            email: `user${i}@example.com`,
+            displayName: `User ${i}`,
+            roles: ['user'],
+            status: 'active',
+          });
+          await repository.create(user);
+        }
+
+        // Act - Get page 2 with limit 5
+        const result = await repository.list({
+          pagination: { page: 2, limit: 5 },
+        });
+
+        // Assert
+        expect(result.users).toHaveLength(5);
+        expect(result.total).toBe(15);
+        expect(result.page).toBe(2);
+        expect(result.limit).toBe(5);
+        expect(result.totalPages).toBe(3);
+        expect(result.users[0]?.id.value).toBe('user-6');
+      });
+
+      it('should sort by email ascending', async () => {
+        // Arrange
+        const user1 = AdminUser.create({
+          id: 'user-1',
+          email: 'zebra@example.com',
+          displayName: 'Zebra',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        const user2 = AdminUser.create({
+          id: 'user-2',
+          email: 'alpha@example.com',
+          displayName: 'Alpha',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        await repository.create(user1);
+        await repository.create(user2);
+
+        // Act
+        const result = await repository.list({
+          sort: { field: 'email', direction: 'asc' },
+        });
+
+        // Assert
+        expect(result.users).toHaveLength(2);
+        expect(result.users[0]?.id.value).toBe('user-2');
+        expect(result.users[1]?.id.value).toBe('user-1');
+      });
+
+      it('should sort by display name descending', async () => {
+        // Arrange
+        const user1 = AdminUser.create({
+          id: 'user-1',
+          email: 'user1@example.com',
+          displayName: 'Zebra',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        const user2 = AdminUser.create({
+          id: 'user-2',
+          email: 'user2@example.com',
+          displayName: 'Alpha',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        await repository.create(user1);
+        await repository.create(user2);
+
+        // Act
+        const result = await repository.list({
+          sort: { field: 'displayName', direction: 'desc' },
+        });
+
+        // Assert
+        expect(result.users).toHaveLength(2);
+        expect(result.users[0]?.id.value).toBe('user-1');
+        expect(result.users[1]?.id.value).toBe('user-2');
+      });
+
+      it('should apply multiple filters together', async () => {
+        // Arrange
+        const matchingUser = AdminUser.create({
+          id: 'user-1',
+          email: 'admin@example.com',
+          displayName: 'Admin User',
+          roles: ['admin'],
+          status: 'active',
+        });
+
+        const nonMatchingUser1 = AdminUser.create({
+          id: 'user-2',
+          email: 'user@example.com',
+          displayName: 'User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        const nonMatchingUser2 = AdminUser.create({
+          id: 'user-3',
+          email: 'admin-suspended@example.com',
+          displayName: 'Admin User',
+          roles: ['admin'],
+          status: 'suspended',
+        });
+
+        await repository.create(matchingUser);
+        await repository.create(nonMatchingUser1);
+        await repository.create(nonMatchingUser2);
+
+        // Act
+        const result = await repository.list({
+          filter: {
+            role: UserRole.fromString('admin'),
+            status: UserStatus.fromString('active'),
+            search: 'admin',
+          },
+        });
+
+        // Assert
+        expect(result.users).toHaveLength(1);
+        expect(result.users[0]?.id.value).toBe('user-1');
+        expect(result.total).toBe(1);
+      });
+    });
+
+    describe('count', () => {
+      it('should return 0 when no users exist', async () => {
+        // Act
+        const count = await repository.count();
+
+        // Assert
+        expect(count).toBe(0);
+      });
+
+      it('should return correct count of all users', async () => {
+        // Arrange
+        const user1 = AdminUser.create({
+          id: 'user-1',
+          email: 'user1@example.com',
+          displayName: 'User 1',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        const user2 = AdminUser.create({
+          id: 'user-2',
+          email: 'user2@example.com',
+          displayName: 'User 2',
+          roles: ['admin'],
+          status: 'active',
+        });
+
+        await repository.create(user1);
+        await repository.create(user2);
+
+        // Act
+        const count = await repository.count();
+
+        // Assert
+        expect(count).toBe(2);
+      });
+
+      it('should count with filters', async () => {
+        // Arrange
+        const activeUser = AdminUser.create({
+          id: 'user-1',
+          email: 'active@example.com',
+          displayName: 'Active User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        const suspendedUser = AdminUser.create({
+          id: 'user-2',
+          email: 'suspended@example.com',
+          displayName: 'Suspended User',
+          roles: ['user'],
+          status: 'suspended',
+        });
+
+        await repository.create(activeUser);
+        await repository.create(suspendedUser);
+
+        // Act
+        const count = await repository.count({
+          status: UserStatus.fromString('active'),
+        });
+
+        // Assert
+        expect(count).toBe(1);
+      });
+    });
+
+    describe('update', () => {
+      it('should update existing user', async () => {
+        // Arrange
+        const user = AdminUser.create({
+          id: 'user-1',
+          email: 'test@example.com',
+          displayName: 'Test User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        await repository.create(user);
+
+        // Act
+        user.updateDisplayName('Updated Name');
+        const updated = await repository.update(user);
+
+        // Assert
+        expect(updated.displayName).toBe('Updated Name');
+        const found = await repository.findById(user.id);
+        expect(found?.displayName).toBe('Updated Name');
+      });
+
+      it('should throw error when updating non-existent user', async () => {
+        // Arrange
+        const user = AdminUser.create({
+          id: 'non-existent',
+          email: 'test@example.com',
+          displayName: 'Test User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        // Act & Assert
+        await expect(repository.update(user)).rejects.toThrow('User not found');
+      });
+
+      it('should throw error when updating with duplicate email', async () => {
+        // Arrange
+        const user1 = AdminUser.create({
+          id: 'user-1',
+          email: 'user1@example.com',
+          displayName: 'User 1',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        const user2 = AdminUser.create({
+          id: 'user-2',
+          email: 'user2@example.com',
+          displayName: 'User 2',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        await repository.create(user1);
+        await repository.create(user2);
+
+        // Act - Try to change user2's email to user1's email
+        user2.updateEmail(user1.email);
+
+        // Assert
+        await expect(repository.update(user2)).rejects.toThrow('Email already exists');
+      });
+    });
+
+    describe('delete', () => {
+      it('should delete existing user', async () => {
+        // Arrange
+        const user = AdminUser.create({
+          id: 'user-1',
+          email: 'test@example.com',
+          displayName: 'Test User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        await repository.create(user);
+
+        // Act
+        await repository.delete(user.id);
+
+        // Assert
+        const found = await repository.findById(user.id);
+        expect(found).toBeNull();
+      });
+
+      it('should throw error when deleting non-existent user', async () => {
+        // Arrange
+        const nonExistentId = AdminUser.create({
+          id: 'non-existent',
+          email: 'test@example.com',
+          displayName: 'Test User',
+          roles: ['user'],
+          status: 'active',
+        }).id;
+
+        // Act & Assert
+        await expect(repository.delete(nonExistentId)).rejects.toThrow('User not found');
+      });
+
+      it('should reduce count after deletion', async () => {
+        // Arrange
+        const user = AdminUser.create({
+          id: 'user-1',
+          email: 'test@example.com',
+          displayName: 'Test User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        await repository.create(user);
+        const initialCount = await repository.count();
+
+        // Act
+        await repository.delete(user.id);
+
+        // Assert
+        const finalCount = await repository.count();
+        expect(finalCount).toBe(initialCount - 1);
+      });
+    });
+
+    describe('integration scenarios', () => {
+      it('should handle complete user lifecycle', async () => {
+        // Arrange - Create user
+        const user = AdminUser.create({
+          id: 'user-1',
+          email: 'lifecycle@example.com',
+          displayName: 'Lifecycle User',
+          roles: ['user'],
+          status: 'active',
+        });
+
+        // Act - Create
+        await repository.create(user);
+        let found = await repository.findById(user.id);
+        expect(found).toStrictEqual(user);
+
+        // Act - Update
+        user.updateDisplayName('Updated Lifecycle');
+        user.addRole(UserRole.fromString('admin'));
+        await repository.update(user);
+        found = await repository.findById(user.id);
+        expect(found?.displayName).toBe('Updated Lifecycle');
+        expect(found?.hasRole('admin')).toBe(true);
+
+        // Act - Delete
+        await repository.delete(user.id);
+        found = await repository.findById(user.id);
+        expect(found).toBeNull();
+      });
+
+      it('should handle complex filtering and pagination', async () => {
+        // Arrange - Create mixed users
+        const users = [
+          AdminUser.create({
+            id: 'owner-1',
+            email: 'owner@example.com',
+            displayName: 'Owner User',
+            roles: ['owner'],
+            status: 'active',
+          }),
+          AdminUser.create({
+            id: 'admin-1',
+            email: 'admin1@example.com',
+            displayName: 'Admin One',
+            roles: ['admin'],
+            status: 'active',
+          }),
+          AdminUser.create({
+            id: 'admin-2',
+            email: 'admin2@example.com',
+            displayName: 'Admin Two',
+            roles: ['admin'],
+            status: 'suspended',
+          }),
+          AdminUser.create({
+            id: 'user-1',
+            email: 'user1@example.com',
+            displayName: 'User One',
+            roles: ['user'],
+            status: 'active',
+          }),
+          AdminUser.create({
+            id: 'user-2',
+            email: 'user2@example.com',
+            displayName: 'User Two',
+            roles: ['user'],
+            status: 'active',
+          }),
+        ];
+
+        for (const user of users) {
+          await repository.create(user);
+        }
+
+        // Act - Get active admins, sorted by email, page 1, limit 2
+        const result = await repository.list({
+          filter: {
+            role: UserRole.fromString('admin'),
+            status: UserStatus.fromString('active'),
+          },
+          sort: { field: 'email', direction: 'asc' },
+          pagination: { page: 1, limit: 2 },
+        });
+
+        // Assert
+        expect(result.users).toHaveLength(1);
+        expect(result.users[0]?.id.value).toBe('admin-1');
+        expect(result.total).toBe(1);
+        expect(result.totalPages).toBe(1);
+      });
+    });
+  });
+});
--- a/core/admin/infrastructure/persistence/InMemoryAdminUserRepository.ts
+++ b/core/admin/infrastructure/persistence/InMemoryAdminUserRepository.ts
@@ -0,0 +1,257 @@
+import { IAdminUserRepository, UserFilter, UserListQuery, UserListResult, StoredAdminUser } from '../../domain/repositories/IAdminUserRepository';
+import { AdminUser } from '../../domain/entities/AdminUser';
+import { UserId } from '../../domain/value-objects/UserId';
+import { Email } from '../../domain/value-objects/Email';
+
+/**
+ * In-memory implementation of AdminUserRepository for testing and development
+ * Follows TDD - created with tests first
+ */
+export class InMemoryAdminUserRepository implements IAdminUserRepository {
+  private storage: Map<string, StoredAdminUser> = new Map();
+
+  async findById(id: UserId): Promise<AdminUser | null> {
+    const stored = this.storage.get(id.value);
+    return stored ? this.fromStored(stored) : null;
+  }
+
+  async findByEmail(email: Email): Promise<AdminUser | null> {
+    for (const stored of this.storage.values()) {
+      if (stored.email === email.value) {
+        return this.fromStored(stored);
+      }
+    }
+    return null;
+  }
+
+  async emailExists(email: Email): Promise<boolean> {
+    for (const stored of this.storage.values()) {
+      if (stored.email === email.value) {
+        return true;
+      }
+    }
+    return false;
+  }
+
+  async existsById(id: UserId): Promise<boolean> {
+    return this.storage.has(id.value);
+  }
+
+  async existsByEmail(email: Email): Promise<boolean> {
+    return this.emailExists(email);
+  }
+
+  async list(query?: UserListQuery): Promise<UserListResult> {
+    let users: AdminUser[] = [];
+
+    // Get all users
+    for (const stored of this.storage.values()) {
+      users.push(this.fromStored(stored));
+    }
+
+    // Apply filters
+    if (query?.filter) {
+      users = users.filter(user => {
+        if (query.filter?.role && !user.roles.some(r => r.equals(query.filter!.role!))) {
+          return false;
+        }
+        if (query.filter?.status && !user.status.equals(query.filter.status)) {
+          return false;
+        }
+        if (query.filter?.email && !user.email.equals(query.filter.email)) {
+          return false;
+        }
+        if (query.filter?.search) {
+          const search = query.filter.search.toLowerCase();
+          const matchesEmail = user.email.value.toLowerCase().includes(search);
+          const matchesDisplayName = user.displayName.toLowerCase().includes(search);
+          if (!matchesEmail && !matchesDisplayName) {
+            return false;
+          }
+        }
+        return true;
+      });
+    }
+
+    const total = users.length;
+
+    // Apply sorting
+    if (query?.sort) {
+      const { field, direction } = query.sort;
+      users.sort((a, b) => {
+        let aVal: string | number | Date;
+        let bVal: string | number | Date;
+        
+        switch (field) {
+          case 'email':
+            aVal = a.email.value;
+            bVal = b.email.value;
+            break;
+          case 'displayName':
+            aVal = a.displayName;
+            bVal = b.displayName;
+            break;
+          case 'createdAt':
+            aVal = a.createdAt;
+            bVal = b.createdAt;
+            break;
+          case 'lastLoginAt':
+            aVal = a.lastLoginAt || 0;
+            bVal = b.lastLoginAt || 0;
+            break;
+          case 'status':
+            aVal = a.status.value;
+            bVal = b.status.value;
+            break;
+          default:
+            return 0;
+        }
+
+        if (aVal < bVal) return direction === 'asc' ? -1 : 1;
+        if (aVal > bVal) return direction === 'asc' ? 1 : -1;
+        return 0;
+      });
+    }
+
+    // Apply pagination
+    const page = query?.pagination?.page || 1;
+    const limit = query?.pagination?.limit || 10;
+    const totalPages = Math.ceil(total / limit);
+    const start = (page - 1) * limit;
+    const end = start + limit;
+    const paginatedUsers = users.slice(start, end);
+
+    return {
+      users: paginatedUsers,
+      total,
+      page,
+      limit,
+      totalPages,
+    };
+  }
+
+  async count(filter?: UserFilter): Promise<number> {
+    let count = 0;
+
+    for (const stored of this.storage.values()) {
+      const user = this.fromStored(stored);
+      
+      if (filter?.role && !user.roles.some(r => r.equals(filter.role!))) {
+        continue;
+      }
+      if (filter?.status && !user.status.equals(filter.status)) {
+        continue;
+      }
+      if (filter?.email && !user.email.equals(filter.email)) {
+        continue;
+      }
+      if (filter?.search) {
+        const search = filter.search.toLowerCase();
+        const matchesEmail = user.email.value.toLowerCase().includes(search);
+        const matchesDisplayName = user.displayName.toLowerCase().includes(search);
+        if (!matchesEmail && !matchesDisplayName) {
+          continue;
+        }
+      }
+
+      count++;
+    }
+
+    return count;
+  }
+
+  async create(user: AdminUser): Promise<AdminUser> {
+    // Check for duplicate email
+    if (await this.emailExists(user.email)) {
+      throw new Error('Email already exists');
+    }
+    
+    // Check for duplicate ID
+    if (this.storage.has(user.id.value)) {
+      throw new Error('User ID already exists');
+    }
+    
+    const stored = this.toStored(user);
+    this.storage.set(user.id.value, stored);
+    return user;
+  }
+
+  async update(user: AdminUser): Promise<AdminUser> {
+    // Check if user exists
+    if (!this.storage.has(user.id.value)) {
+      throw new Error('User not found');
+    }
+    
+    // Check for duplicate email (excluding current user)
+    for (const [id, stored] of this.storage.entries()) {
+      if (id !== user.id.value && stored.email === user.email.value) {
+        throw new Error('Email already exists');
+      }
+    }
+    
+    const stored = this.toStored(user);
+    this.storage.set(user.id.value, stored);
+    return user;
+  }
+
+  async delete(id: UserId): Promise<void> {
+    if (!this.storage.has(id.value)) {
+      throw new Error('User not found');
+    }
+    this.storage.delete(id.value);
+  }
+
+  toStored(user: AdminUser): StoredAdminUser {
+    const stored: StoredAdminUser = {
+      id: user.id.value,
+      email: user.email.value,
+      roles: user.roles.map(r => r.value),
+      status: user.status.value,
+      displayName: user.displayName,
+      createdAt: user.createdAt,
+      updatedAt: user.updatedAt,
+    };
+
+    if (user.lastLoginAt !== undefined) {
+      stored.lastLoginAt = user.lastLoginAt;
+    }
+
+    if (user.primaryDriverId !== undefined) {
+      stored.primaryDriverId = user.primaryDriverId;
+    }
+
+    return stored;
+  }
+
+  fromStored(stored: StoredAdminUser): AdminUser {
+    const props: {
+      id: string;
+      email: string;
+      roles: string[];
+      status: string;
+      displayName: string;
+      createdAt: Date;
+      updatedAt: Date;
+      lastLoginAt?: Date;
+      primaryDriverId?: string;
+    } = {
+      id: stored.id,
+      email: stored.email,
+      roles: stored.roles,
+      status: stored.status,
+      displayName: stored.displayName,
+      createdAt: stored.createdAt,
+      updatedAt: stored.updatedAt,
+    };
+
+    if (stored.lastLoginAt !== undefined) {
+      props.lastLoginAt = stored.lastLoginAt;
+    }
+
+    if (stored.primaryDriverId !== undefined) {
+      props.primaryDriverId = stored.primaryDriverId;
+    }
+
+    return AdminUser.rehydrate(props);
+  }
+}
--- a/core/admin/infrastructure/typeorm/entities/AdminUserOrmEntity.ts
+++ b/core/admin/infrastructure/typeorm/entities/AdminUserOrmEntity.ts
@@ -0,0 +1,32 @@
+import { Column, CreateDateColumn, Entity, Index, PrimaryColumn, UpdateDateColumn } from 'typeorm';
+
+@Entity({ name: 'admin_users' })
+export class AdminUserOrmEntity {
+  @PrimaryColumn({ type: 'uuid' })
+  id!: string;
+
+  @Index()
+  @Column({ type: 'text', unique: true })
+  email!: string;
+
+  @Column({ type: 'text' })
+  displayName!: string;
+
+  @Column({ type: 'jsonb' })
+  roles!: string[];
+
+  @Column({ type: 'text' })
+  status!: string;
+
+  @Column({ type: 'text', nullable: true })
+  primaryDriverId?: string;
+
+  @Column({ type: 'timestamptz', nullable: true })
+  lastLoginAt?: Date;
+
+  @CreateDateColumn({ type: 'timestamptz' })
+  createdAt!: Date;
+
+  @UpdateDateColumn({ type: 'timestamptz' })
+  updatedAt!: Date;
+}
--- a/core/admin/infrastructure/typeorm/errors/TypeOrmAdminSchemaError.ts
+++ b/core/admin/infrastructure/typeorm/errors/TypeOrmAdminSchemaError.ts
@@ -0,0 +1,13 @@
+export class TypeOrmAdminSchemaError extends Error {
+  constructor(
+    public details: {
+      entityName: string;
+      fieldName: string;
+      reason: string;
+      message: string;
+    },
+  ) {
+    super(`[TypeOrmAdminSchemaError] ${details.entityName}.${details.fieldName}: ${details.reason} - ${details.message}`);
+    this.name = 'TypeOrmAdminSchemaError';
+  }
+}
--- a/core/admin/infrastructure/typeorm/mappers/AdminUserOrmMapper.ts
+++ b/core/admin/infrastructure/typeorm/mappers/AdminUserOrmMapper.ts
@@ -0,0 +1,95 @@
+import { AdminUser } from '@core/admin/domain/entities/AdminUser';
+import { AdminUserOrmEntity } from '../entities/AdminUserOrmEntity';
+import { TypeOrmAdminSchemaError } from '../errors/TypeOrmAdminSchemaError';
+import {
+  assertNonEmptyString,
+  assertStringArray,
+  assertDate,
+  assertOptionalDate,
+  assertOptionalString,
+} from '../schema/TypeOrmAdminSchemaGuards';
+
+export class AdminUserOrmMapper {
+  toDomain(entity: AdminUserOrmEntity): AdminUser {
+    const entityName = 'AdminUser';
+
+    try {
+      assertNonEmptyString(entityName, 'id', entity.id);
+      assertNonEmptyString(entityName, 'email', entity.email);
+      assertNonEmptyString(entityName, 'displayName', entity.displayName);
+      assertStringArray(entityName, 'roles', entity.roles);
+      assertNonEmptyString(entityName, 'status', entity.status);
+      assertOptionalString(entityName, 'primaryDriverId', entity.primaryDriverId);
+      assertOptionalDate(entityName, 'lastLoginAt', entity.lastLoginAt);
+      assertDate(entityName, 'createdAt', entity.createdAt);
+      assertDate(entityName, 'updatedAt', entity.updatedAt);
+    } catch (error) {
+      if (error instanceof TypeOrmAdminSchemaError) {
+        throw error;
+      }
+      const message = error instanceof Error ? error.message : 'Invalid persisted AdminUser';
+      throw new TypeOrmAdminSchemaError({ entityName, fieldName: 'unknown', reason: 'invalid_shape', message });
+    }
+
+    try {
+      const domainProps: {
+        id: string;
+        email: string;
+        displayName: string;
+        roles: string[];
+        status: string;
+        createdAt: Date;
+        updatedAt: Date;
+        primaryDriverId?: string;
+        lastLoginAt?: Date;
+      } = {
+        id: entity.id,
+        email: entity.email,
+        displayName: entity.displayName,
+        roles: entity.roles,
+        status: entity.status,
+        createdAt: entity.createdAt,
+        updatedAt: entity.updatedAt,
+      };
+
+      if (entity.primaryDriverId !== null && entity.primaryDriverId !== undefined) {
+        domainProps.primaryDriverId = entity.primaryDriverId;
+      }
+
+      if (entity.lastLoginAt !== null && entity.lastLoginAt !== undefined) {
+        domainProps.lastLoginAt = entity.lastLoginAt;
+      }
+
+      return AdminUser.create(domainProps);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : 'Invalid persisted AdminUser';
+      throw new TypeOrmAdminSchemaError({ entityName, fieldName: 'unknown', reason: 'invalid_shape', message });
+    }
+  }
+
+  toOrmEntity(adminUser: AdminUser): AdminUserOrmEntity {
+    const entity = new AdminUserOrmEntity();
+
+    entity.id = adminUser.id.value;
+    entity.email = adminUser.email.value;
+    entity.displayName = adminUser.displayName;
+    entity.roles = adminUser.roles.map(r => r.value);
+    entity.status = adminUser.status.value;
+    entity.createdAt = adminUser.createdAt;
+    entity.updatedAt = adminUser.updatedAt;
+
+    if (adminUser.primaryDriverId !== undefined) {
+      entity.primaryDriverId = adminUser.primaryDriverId;
+    }
+
+    if (adminUser.lastLoginAt !== undefined) {
+      entity.lastLoginAt = adminUser.lastLoginAt;
+    }
+
+    return entity;
+  }
+
+  toStored(entity: AdminUserOrmEntity): AdminUser {
+    return this.toDomain(entity);
+  }
+}
--- a/core/admin/infrastructure/typeorm/repositories/TypeOrmAdminUserRepository.test.ts
+++ b/core/admin/infrastructure/typeorm/repositories/TypeOrmAdminUserRepository.test.ts
--- a/core/admin/infrastructure/typeorm/repositories/TypeOrmAdminUserRepository.ts
+++ b/core/admin/infrastructure/typeorm/repositories/TypeOrmAdminUserRepository.ts
@@ -0,0 +1,184 @@
+import type { DataSource, Repository } from 'typeorm';
+import type { IAdminUserRepository, UserListQuery, UserListResult, UserFilter, StoredAdminUser } from '@core/admin/domain/repositories/IAdminUserRepository';
+import { AdminUser } from '@core/admin/domain/entities/AdminUser';
+import { AdminUserOrmEntity } from '../entities/AdminUserOrmEntity';
+import { AdminUserOrmMapper } from '../mappers/AdminUserOrmMapper';
+import { Email } from '@core/admin/domain/value-objects/Email';
+import { UserId } from '@core/admin/domain/value-objects/UserId';
+
+export class TypeOrmAdminUserRepository implements IAdminUserRepository {
+  private readonly repository: Repository<AdminUserOrmEntity>;
+  private readonly mapper: AdminUserOrmMapper;
+
+  constructor(
+    dataSource: DataSource,
+    mapper?: AdminUserOrmMapper,
+  ) {
+    this.repository = dataSource.getRepository(AdminUserOrmEntity);
+    this.mapper = mapper ?? new AdminUserOrmMapper();
+  }
+
+  async save(user: AdminUser): Promise<void> {
+    const entity = this.mapper.toOrmEntity(user);
+    await this.repository.save(entity);
+  }
+
+  async findById(id: UserId): Promise<AdminUser | null> {
+    const entity = await this.repository.findOne({ where: { id: id.value } });
+    return entity ? this.mapper.toDomain(entity) : null;
+  }
+
+  async findByEmail(email: Email): Promise<AdminUser | null> {
+    const entity = await this.repository.findOne({ where: { email: email.value } });
+    return entity ? this.mapper.toDomain(entity) : null;
+  }
+
+  async emailExists(email: Email): Promise<boolean> {
+    const count = await this.repository.count({ where: { email: email.value } });
+    return count > 0;
+  }
+
+  async existsById(id: UserId): Promise<boolean> {
+    const count = await this.repository.count({ where: { id: id.value } });
+    return count > 0;
+  }
+
+  async existsByEmail(email: Email): Promise<boolean> {
+    return this.emailExists(email);
+  }
+
+  async list(query?: UserListQuery): Promise<UserListResult> {
+    const page = query?.pagination?.page ?? 1;
+    const limit = query?.pagination?.limit ?? 10;
+    const skip = (page - 1) * limit;
+    const sortBy = query?.sort?.field ?? 'createdAt';
+    const sortOrder = query?.sort?.direction ?? 'desc';
+
+    const where: Record<string, unknown> = {};
+
+    if (query?.filter?.role) {
+      where.roles = { $contains: [query.filter.role.value] };
+    }
+
+    if (query?.filter?.status) {
+      where.status = query.filter.status.value;
+    }
+
+    if (query?.filter?.search) {
+      where.email = this.repository.manager.connection
+        .createQueryBuilder()
+        .where('email ILIKE :search', { search: `%${query.filter.search}%` })
+        .orWhere('displayName ILIKE :search', { search: `%${query.filter.search}%` })
+        .getQuery();
+    }
+
+    const [entities, total] = await this.repository.findAndCount({
+      where,
+      skip,
+      take: limit,
+      order: { [sortBy]: sortOrder },
+    });
+
+    const users = entities.map(entity => this.mapper.toDomain(entity));
+
+    return {
+      users,
+      total,
+      page,
+      limit,
+      totalPages: Math.ceil(total / limit),
+    };
+  }
+
+  async count(filter?: UserFilter): Promise<number> {
+    const where: Record<string, unknown> = {};
+
+    if (filter?.role) {
+      where.roles = { $contains: [filter.role.value] };
+    }
+
+    if (filter?.status) {
+      where.status = filter.status.value;
+    }
+
+    if (filter?.search) {
+      where.email = this.repository.manager.connection
+        .createQueryBuilder()
+        .where('email ILIKE :search', { search: `%${filter.search}%` })
+        .orWhere('displayName ILIKE :search', { search: `%${filter.search}%` })
+        .getQuery();
+    }
+
+    return await this.repository.count({ where });
+  }
+
+  async create(user: AdminUser): Promise<AdminUser> {
+    const entity = this.mapper.toOrmEntity(user);
+    const saved = await this.repository.save(entity);
+    return this.mapper.toDomain(saved);
+  }
+
+  async update(user: AdminUser): Promise<AdminUser> {
+    const entity = this.mapper.toOrmEntity(user);
+    const updated = await this.repository.save(entity);
+    return this.mapper.toDomain(updated);
+  }
+
+  async delete(id: UserId): Promise<void> {
+    await this.repository.delete({ id: id.value });
+  }
+
+  toStored(user: AdminUser): StoredAdminUser {
+    const stored: StoredAdminUser = {
+      id: user.id.value,
+      email: user.email.value,
+      roles: user.roles.map(r => r.value),
+      status: user.status.value,
+      displayName: user.displayName,
+      createdAt: user.createdAt,
+      updatedAt: user.updatedAt,
+    };
+
+    if (user.lastLoginAt !== undefined) {
+      stored.lastLoginAt = user.lastLoginAt;
+    }
+
+    if (user.primaryDriverId !== undefined) {
+      stored.primaryDriverId = user.primaryDriverId;
+    }
+
+    return stored;
+  }
+
+  fromStored(stored: StoredAdminUser): AdminUser {
+    const props: {
+      id: string;
+      email: string;
+      roles: string[];
+      status: string;
+      displayName: string;
+      createdAt: Date;
+      updatedAt: Date;
+      lastLoginAt?: Date;
+      primaryDriverId?: string;
+    } = {
+      id: stored.id,
+      email: stored.email,
+      roles: stored.roles,
+      status: stored.status,
+      displayName: stored.displayName,
+      createdAt: stored.createdAt,
+      updatedAt: stored.updatedAt,
+    };
+
+    if (stored.lastLoginAt !== undefined) {
+      props.lastLoginAt = stored.lastLoginAt;
+    }
+
+    if (stored.primaryDriverId !== undefined) {
+      props.primaryDriverId = stored.primaryDriverId;
+    }
+
+    return AdminUser.rehydrate(props);
+  }
+}
--- a/core/admin/infrastructure/typeorm/schema/TypeOrmAdminSchemaGuards.ts
+++ b/core/admin/infrastructure/typeorm/schema/TypeOrmAdminSchemaGuards.ts
@@ -0,0 +1,55 @@
+import { TypeOrmAdminSchemaError } from '../errors/TypeOrmAdminSchemaError';
+
+export function assertNonEmptyString(entityName: string, fieldName: string, value: unknown): void {
+  if (typeof value !== 'string' || value.trim().length === 0) {
+    throw new TypeOrmAdminSchemaError({
+      entityName,
+      fieldName,
+      reason: 'INVALID_STRING',
+      message: `Field ${fieldName} must be a non-empty string`,
+    });
+  }
+}
+
+export function assertStringArray(entityName: string, fieldName: string, value: unknown): void {
+  if (!Array.isArray(value) || !value.every(item => typeof item === 'string')) {
+    throw new TypeOrmAdminSchemaError({
+      entityName,
+      fieldName,
+      reason: 'INVALID_STRING_ARRAY',
+      message: `Field ${fieldName} must be an array of strings`,
+    });
+  }
+}
+
+export function assertDate(entityName: string, fieldName: string, value: unknown): void {
+  if (!(value instanceof Date) || isNaN(value.getTime())) {
+    throw new TypeOrmAdminSchemaError({
+      entityName,
+      fieldName,
+      reason: 'INVALID_DATE',
+      message: `Field ${fieldName} must be a valid Date`,
+    });
+  }
+}
+
+export function assertOptionalDate(entityName: string, fieldName: string, value: unknown): void {
+  if (value === null || value === undefined) {
+    return;
+  }
+  assertDate(entityName, fieldName, value);
+}
+
+export function assertOptionalString(entityName: string, fieldName: string, value: unknown): void {
+  if (value === null || value === undefined) {
+    return;
+  }
+  if (typeof value !== 'string') {
+    throw new TypeOrmAdminSchemaError({
+      entityName,
+      fieldName,
+      reason: 'INVALID_OPTIONAL_STRING',
+      message: `Field ${fieldName} must be a string or undefined`,
+    });
+  }
+}
--- a/core/identity/application/queries/GetLeagueEligibilityPreviewQuery.test.ts
+++ b/core/identity/application/queries/GetLeagueEligibilityPreviewQuery.test.ts
@@ -2,25 +2,37 @@
 * Tests for GetLeagueEligibilityPreviewQuery
 */

-import { GetLeagueEligibilityPreviewQuery, GetLeagueEligibilityPreviewQueryHandler } from './GetLeagueEligibilityPreviewQuery';
-import { UserRating } from '../../domain/value-objects/UserRating';
 import { ExternalGameRatingProfile } from '../../domain/entities/ExternalGameRatingProfile';
-import { GameKey } from '../../domain/value-objects/GameKey';
 import { ExternalRating } from '../../domain/value-objects/ExternalRating';
 import { ExternalRatingProvenance } from '../../domain/value-objects/ExternalRatingProvenance';
+import { GameKey } from '../../domain/value-objects/GameKey';
+import { UserRating } from '../../domain/value-objects/UserRating';
+import { UserId } from '../../domain/value-objects/UserId';
+import { GetLeagueEligibilityPreviewQuery, GetLeagueEligibilityPreviewQueryHandler } from './GetLeagueEligibilityPreviewQuery';
+import { IUserRatingRepository } from '../../domain/repositories/IUserRatingRepository';
+import { IExternalGameRatingRepository } from '../../domain/repositories/IExternalGameRatingRepository';

 describe('GetLeagueEligibilityPreviewQuery', () => {
-  let mockUserRatingRepo: any;
-  let mockExternalRatingRepo: any;
+  let mockUserRatingRepo: IUserRatingRepository;
+  let mockExternalRatingRepo: IExternalGameRatingRepository;
  let handler: GetLeagueEligibilityPreviewQueryHandler;

  beforeEach(() => {
    mockUserRatingRepo = {
-      findByUserId: jest.fn(),
-    };
+      findByUserId: vi.fn(),
+      save: vi.fn(),
+    } as unknown as IUserRatingRepository;
+    
    mockExternalRatingRepo = {
-      findByUserId: jest.fn(),
-    };
+      findByUserId: vi.fn(),
+      findByUserIdAndGameKey: vi.fn(),
+      findByGameKey: vi.fn(),
+      save: vi.fn(),
+      saveMany: vi.fn(),
+      delete: vi.fn(),
+      exists: vi.fn(),
+      findProfilesPaginated: vi.fn(),
+    } as unknown as IExternalGameRatingRepository;

    handler = new GetLeagueEligibilityPreviewQueryHandler(
      mockUserRatingRepo,
@@ -37,8 +49,8 @@ describe('GetLeagueEligibilityPreviewQuery', () => {
      const userRating = UserRating.create(userId);
      // Update driving to 65
      const updatedRating = userRating.updateDriverRating(65);
-      mockUserRatingRepo.findByUserId.mockResolvedValue(updatedRating);
-      mockExternalRatingRepo.findByUserId.mockResolvedValue([]);
+      vi.mocked(mockUserRatingRepo.findByUserId).mockResolvedValue(updatedRating);
+      vi.mocked(mockExternalRatingRepo.findByUserId).mockResolvedValue([]);

      const query: GetLeagueEligibilityPreviewQuery = {
        userId,
@@ -50,8 +62,8 @@ describe('GetLeagueEligibilityPreviewQuery', () => {

      expect(result.eligible).toBe(true);
      expect(result.reasons).toHaveLength(1);
-      expect(result.reasons[0].target).toBe('platform.driving');
-      expect(result.reasons[0].failed).toBe(false);
+      expect(result.reasons[0]!.target).toBe('platform.driving');
+      expect(result.reasons[0]!.failed).toBe(false);
    });

    it('should evaluate simple platform eligibility - not eligible', async () => {
@@ -61,8 +73,8 @@ describe('GetLeagueEligibilityPreviewQuery', () => {

      const userRating = UserRating.create(userId);
      // Driving is 50 by default
-      mockUserRatingRepo.findByUserId.mockResolvedValue(userRating);
-      mockExternalRatingRepo.findByUserId.mockResolvedValue([]);
+      vi.mocked(mockUserRatingRepo.findByUserId).mockResolvedValue(userRating);
+      vi.mocked(mockExternalRatingRepo.findByUserId).mockResolvedValue([]);

      const query: GetLeagueEligibilityPreviewQuery = {
        userId,
@@ -73,7 +85,7 @@ describe('GetLeagueEligibilityPreviewQuery', () => {
      const result = await handler.execute(query);

      expect(result.eligible).toBe(false);
-      expect(result.reasons[0].failed).toBe(true);
+      expect(result.reasons[0]!.failed).toBe(true);
    });

    it('should evaluate external rating eligibility', async () => {
@@ -81,18 +93,18 @@ describe('GetLeagueEligibilityPreviewQuery', () => {
      const leagueId = 'league-456';
      const rules = 'external.iracing.iRating between 2000 2500';

-      mockUserRatingRepo.findByUserId.mockResolvedValue(null);
+      vi.mocked(mockUserRatingRepo.findByUserId).mockResolvedValue(null);

      const gameKey = GameKey.create('iracing');
      const profile = ExternalGameRatingProfile.create({
-        userId: { toString: () => userId } as any,
+        userId: UserId.fromString(userId),
        gameKey,
        ratings: new Map([
          ['iRating', ExternalRating.create(gameKey, 'iRating', 2200)],
        ]),
        provenance: ExternalRatingProvenance.create({ source: 'iRacing API', lastSyncedAt: new Date() }),
      });
-      mockExternalRatingRepo.findByUserId.mockResolvedValue([profile]);
+      vi.mocked(mockExternalRatingRepo.findByUserId).mockResolvedValue([profile]);

      const query: GetLeagueEligibilityPreviewQuery = {
        userId,
@@ -103,7 +115,7 @@ describe('GetLeagueEligibilityPreviewQuery', () => {
      const result = await handler.execute(query);

      expect(result.eligible).toBe(true);
-      expect(result.reasons[0].target).toBe('external.iracing.iRating');
+      expect(result.reasons[0]!.target).toBe('external.iracing.iRating');
    });

    it('should evaluate complex AND conditions', async () => {
@@ -113,18 +125,18 @@ describe('GetLeagueEligibilityPreviewQuery', () => {

      const userRating = UserRating.create(userId);
      const updatedRating = userRating.updateDriverRating(65);
-      mockUserRatingRepo.findByUserId.mockResolvedValue(updatedRating);
+      vi.mocked(mockUserRatingRepo.findByUserId).mockResolvedValue(updatedRating);

      const gameKey = GameKey.create('iracing');
      const profile = ExternalGameRatingProfile.create({
-        userId: { toString: () => userId } as any,
+        userId: UserId.fromString(userId),
        gameKey,
        ratings: new Map([
          ['iRating', ExternalRating.create(gameKey, 'iRating', 2200)],
        ]),
        provenance: ExternalRatingProvenance.create({ source: 'iRacing API', lastSyncedAt: new Date() }),
      });
-      mockExternalRatingRepo.findByUserId.mockResolvedValue([profile]);
+      vi.mocked(mockExternalRatingRepo.findByUserId).mockResolvedValue([profile]);

      const query: GetLeagueEligibilityPreviewQuery = {
        userId,
@@ -145,18 +157,18 @@ describe('GetLeagueEligibilityPreviewQuery', () => {
      const rules = 'platform.driving >= 75 OR external.iracing.iRating >= 2000';

      const userRating = UserRating.create(userId);
-      mockUserRatingRepo.findByUserId.mockResolvedValue(userRating);
+      vi.mocked(mockUserRatingRepo.findByUserId).mockResolvedValue(userRating);

      const gameKey = GameKey.create('iracing');
      const profile = ExternalGameRatingProfile.create({
-        userId: { toString: () => userId } as any,
+        userId: UserId.fromString(userId),
        gameKey,
        ratings: new Map([
          ['iRating', ExternalRating.create(gameKey, 'iRating', 2200)],
        ]),
        provenance: ExternalRatingProvenance.create({ source: 'iRacing API', lastSyncedAt: new Date() }),
      });
-      mockExternalRatingRepo.findByUserId.mockResolvedValue([profile]);
+      vi.mocked(mockExternalRatingRepo.findByUserId).mockResolvedValue([profile]);

      const query: GetLeagueEligibilityPreviewQuery = {
        userId,
@@ -175,8 +187,8 @@ describe('GetLeagueEligibilityPreviewQuery', () => {
      const leagueId = 'league-456';
      const rules = 'platform.driving >= 55';

-      mockUserRatingRepo.findByUserId.mockResolvedValue(null);
-      mockExternalRatingRepo.findByUserId.mockResolvedValue([]);
+      vi.mocked(mockUserRatingRepo.findByUserId).mockResolvedValue(null);
+      vi.mocked(mockExternalRatingRepo.findByUserId).mockResolvedValue([]);

      const query: GetLeagueEligibilityPreviewQuery = {
        userId,
--- a/plans/admin-area-architecture.md
+++ b/plans/admin-area-architecture.md
@@ -0,0 +1,317 @@
+# Admin Area Architecture Plan
+
+## Overview
+Design and implement a clean architecture admin area for Owner and Super Admin roles to manage all users, following TDD principles.
+
+## 1. Architecture Layers
+
+### 1.1 Domain Layer (`core/admin/domain/`)
+**Purpose**: Business logic, entities, value objects, domain services - framework independent
+
+#### Value Objects:
+- `UserId` - Unique identifier for users
+- `Email` - Validated email address
+- `UserRole` - Role type (owner, admin, user, etc.)
+- `UserStatus` - Account status (active, suspended, deleted)
+- `PermissionKey` - Capability identifier
+- `PermissionAction` - view | mutate
+
+#### Entities:
+- `User` - Main entity with roles, status, email
+- `Permission` - Permission definition
+- `RolePermission` - Role to permission mapping
+
+#### Domain Services:
+- `AuthorizationService` - Checks permissions and roles
+- `UserManagementService` - User lifecycle management rules
+
+#### Domain Errors:
+- `UserDomainError` - Domain-specific errors
+- `AuthorizationError` - Permission violations
+
+### 1.2 Application Layer (`core/admin/application/`)
+**Purpose**: Use cases, ports, orchestration - no framework dependencies
+
+#### Ports (Interfaces):
+- **Input Ports**:
+  - `IManageUsersUseCase` - User CRUD operations
+  - `IManageRolesUseCase` - Role management
+  - `IQueryUsersUseCase` - User queries
+  
+- **Output Ports**:
+  - `IUserRepository` - Persistence interface
+  - `IPermissionRepository` - Permission storage
+  - `IUserPresenter` - Output formatting
+
+#### Use Cases:
+- `ListUsersUseCase` - Get all users with filtering
+- `GetUserDetailsUseCase` - Get single user details
+- `UpdateUserRolesUseCase` - Modify user roles
+- `UpdateUserStatusUseCase` - Suspend/activate users
+- `DeleteUserUseCase` - Remove user accounts
+- `GetUserPermissionsUseCase` - View user permissions
+
+#### Services:
+- `UserManagementService` - Orchestrates user operations
+- `PermissionEvaluationService` - Evaluates access rights
+
+### 1.3 Infrastructure Layer (`adapters/admin/`)
+**Purpose**: Concrete implementations of ports
+
+#### Persistence:
+- `TypeOrmUserRepository` - Database implementation
+- `TypeOrmPermissionRepository` - Permission storage
+- `InMemoryUserRepository` - Test implementation
+
+#### Presenters:
+- `UserPresenter` - Maps domain to DTO
+- `UserListPresenter` - Formats user list
+- `PermissionPresenter` - Formats permissions
+
+#### Security:
+- `RolePermissionMapper` - Maps roles to permissions
+- `AuthorizationGuard` - Enforces access control
+
+### 1.4 API Layer (`apps/api/src/domain/admin/`)
+**Purpose**: HTTP delivery mechanism
+
+#### Controllers:
+- `UsersController` - User management endpoints
+- `RolesController` - Role management endpoints
+- `PermissionsController` - Permission endpoints
+
+#### DTOs:
+- **Request**:
+  - `UpdateUserRolesRequestDto`
+  - `UpdateUserStatusRequestDto`
+  - `CreateUserRequestDto`
+  
+- **Response**:
+  - `UserResponseDto`
+  - `UserListResponseDto`
+  - `PermissionResponseDto`
+
+#### Middleware/Guards:
+- `RequireSystemAdminGuard` - Validates Owner/Super Admin access
+- `PermissionGuard` - Checks specific permissions
+
+### 1.5 Frontend Layer (`apps/website/`)
+**Purpose**: User interface for admin operations
+
+#### Pages:
+- `/admin/users` - User management dashboard
+- `/admin/users/[id]` - User detail page
+- `/admin/roles` - Role management
+- `/admin/permissions` - Permission matrix
+
+#### Components:
+- `UserTable` - Display users with filters
+- `UserDetailCard` - User information display
+- `RoleSelector` - Role assignment UI
+- `StatusBadge` - User status display
+- `PermissionMatrix` - Permission management
+
+#### API Clients:
+- `AdminUsersApiClient` - User management API calls
+- `AdminRolesApiClient` - Role management API calls
+
+#### Hooks:
+- `useAdminUsers` - User data management
+- `useAdminPermissions` - Permission data
+
+## 2. Authorization Model
+
+### 2.1 System Roles (from AUTHORIZATION.md)
+- `owner` - Full system access
+- `admin` - System admin access
+
+### 2.2 Permission Structure
+```
+capabilityKey.actionType
+```
+
+Examples:
+- `users.list` + `view`
+- `users.roles` + `mutate`
+- `users.status` + `mutate`
+
+### 2.3 Role → Permission Mapping
+```
+owner: all permissions
+admin: 
+  - users.view
+  - users.list
+  - users.roles.mutate
+  - users.status.mutate
+```
+
+## 3. TDD Implementation Strategy
+
+### 3.1 Test-First Approach
+1. **Write failing test** for domain entity/value object
+2. **Implement minimal code** to pass test
+3. **Refactor** while keeping tests green
+4. **Repeat** for each layer
+
+### 3.2 Test Structure
+```
+core/admin/
+├── domain/
+│   ├── entities/
+│   │   ├── User.test.ts
+│   │   └── Permission.test.ts
+│   ├── value-objects/
+│   │   ├── UserId.test.ts
+│   │   ├── Email.test.ts
+│   │   ├── UserRole.test.ts
+│   │   └── UserStatus.test.ts
+│   └── services/
+│       ├── AuthorizationService.test.ts
+│       └── UserManagementService.test.ts
+├── application/
+│   ├── use-cases/
+│   │   ├── ListUsersUseCase.test.ts
+│   │   ├── UpdateUserRolesUseCase.test.ts
+│   │   └── UpdateUserStatusUseCase.test.ts
+│   └── services/
+│       └── UserManagementService.test.ts
+```
+
+### 3.3 Integration Tests
+- API endpoint tests
+- End-to-end user management flows
+- Authorization guard tests
+
+## 4. Implementation Phases
+
+### Phase 1: Domain Layer (TDD)
+- [ ] Value objects with tests
+- [ ] Entities with tests
+- [ ] Domain services with tests
+
+### Phase 2: Application Layer (TDD)
+- [ ] Ports/interfaces
+- [ ] Use cases with tests
+- [ ] Application services
+
+### Phase 3: Infrastructure Layer (TDD)
+- [ ] Repository implementations
+- [ ] Presenters
+- [ ] Authorization guards
+
+### Phase 4: API Layer (TDD)
+- [ ] Controllers
+- [ ] DTOs
+- [ ] Route definitions
+
+### Phase 5: Frontend Layer
+- [ ] Pages
+- [ ] Components
+- [ ] API clients
+- [ ] Integration tests
+
+### Phase 6: Integration & Verification
+- [ ] End-to-end tests
+- [ ] Authorization verification
+- [ ] TDD compliance check
+
+## 5. Key Clean Architecture Rules
+
+1. **Dependency Direction**: API → Application → Domain
+2. **No Framework Dependencies**: Domain/Application layers pure TypeScript
+3. **Ports & Adapters**: Clear interfaces between layers
+4. **Test Coverage**: All layers tested before implementation
+5. **Single Responsibility**: Each use case does one thing
+
+## 6. User Management Features
+
+### 6.1 List Users
+- Filter by role, status, email
+- Pagination support
+- Sort by various fields
+
+### 6.2 User Details
+- View user information
+- See assigned roles
+- View account status
+- Audit trail
+
+### 6.3 Role Management
+- Add/remove roles
+- Validate role assignments
+- Prevent privilege escalation
+
+### 6.4 Status Management
+- Activate/suspend users
+- Soft delete support
+- Status history
+
+### 6.5 Permission Management
+- View user permissions
+- Role-based permission matrix
+- Permission validation
+
+## 7. Security Considerations
+
+### 7.1 Access Control
+- Only Owner/Admin can access admin area
+- Validate permissions on every operation
+- Audit all changes
+
+### 7.2 Data Protection
+- Never expose sensitive data
+- Validate all inputs
+- Prevent self-modification of critical roles
+
+### 7.3 Audit Trail
+- Log all user management actions
+- Track who changed what
+- Maintain history of changes
+
+## 8. API Endpoints
+
+### 8.1 User Management
+```
+GET    /api/admin/users
+GET    /api/admin/users/:id
+PUT    /api/admin/users/:id/roles
+PUT    /api/admin/users/:id/status
+DELETE /api/admin/users/:id
+```
+
+### 8.2 Role Management
+```
+GET    /api/admin/roles
+GET    /api/admin/roles/:id
+POST   /api/admin/roles
+PUT    /api/admin/roles/:id
+DELETE /api/admin/roles/:id
+```
+
+### 8.3 Permission Management
+```
+GET    /api/admin/permissions
+GET    /api/admin/permissions/:roleId
+PUT    /api/admin/permissions/:roleId
+```
+
+## 9. Frontend Routes
+
+```
+/admin/users              - User list
+/admin/users/:id          - User detail
+/admin/roles              - Role management
+/admin/permissions        - Permission matrix
+```
+
+## 10. Success Criteria
+
+- [ ] All domain logic tested with TDD
+- [ ] All application use cases tested
+- [ ] API endpoints tested with integration tests
+- [ ] Frontend components work correctly
+- [ ] Authorization works for Owner and Super Admin only
+- [ ] Clean architecture boundaries maintained
+- [ ] No circular dependencies
+- [ ] All tests pass
+- [ ] Code follows project conventions
--- a/tsconfig.base.json
+++ b/tsconfig.base.json
@@ -26,6 +26,7 @@
    "sourceMap": true,
    "noUnusedLocals": true,
    "noUnusedParameters": true,
+    "types": ["vitest/globals"],
    "paths": {
      "@core/*": ["./core/*"],
      "@adapters/*": ["./adapters/*"],