diff --git a/backend/internal/api/handlers/user_handler.go b/backend/internal/api/handlers/user_handler.go
index ef838361..31eca210 100644
--- a/backend/internal/api/handlers/user_handler.go
+++ b/backend/internal/api/handlers/user_handler.go
@@ -199,10 +199,19 @@ func (h *UserHandler) Setup(c *gin.Context) {
 	})
 }
 
+// rejectPassthrough aborts with 403 if the caller is a passthrough user.
+// Returns true if the request was rejected (caller should return).
+func rejectPassthrough(c *gin.Context, action string) bool {
+	if c.GetString("role") == string(models.RolePassthrough) {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Passthrough users cannot " + action})
+		return true
+	}
+	return false
+}
+
 // RegenerateAPIKey generates a new API key for the authenticated user.
 func (h *UserHandler) RegenerateAPIKey(c *gin.Context) {
-	if c.GetString("role") == string(models.RolePassthrough) {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Passthrough users cannot manage API keys"})
+	if rejectPassthrough(c, "manage API keys") {
 		return
 	}
 	userID, exists := c.Get("userID")
@@ -228,8 +237,7 @@ func (h *UserHandler) RegenerateAPIKey(c *gin.Context) {
 
 // GetProfile returns the current user's profile including API key.
 func (h *UserHandler) GetProfile(c *gin.Context) {
-	if c.GetString("role") == string(models.RolePassthrough) {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Passthrough users cannot access profile"})
+	if rejectPassthrough(c, "access profile") {
 		return
 	}
 	userID, exists := c.Get("userID")
@@ -262,8 +270,7 @@ type UpdateProfileRequest struct {
 
 // UpdateProfile updates the authenticated user's profile.
 func (h *UserHandler) UpdateProfile(c *gin.Context) {
-	if c.GetString("role") == string(models.RolePassthrough) {
-		c.JSON(http.StatusForbidden, gin.H{"error": "Passthrough users cannot update profile"})
+	if rejectPassthrough(c, "update profile") {
 		return
 	}
 	userID, exists := c.Get("userID")
@@ -734,8 +741,8 @@ func (h *UserHandler) UpdateUser(c *gin.Context) {
 	}
 
 	var req UpdateUserRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+	if bindErr := c.ShouldBindJSON(&req); bindErr != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": bindErr.Error()})
 		return
 	}
 
@@ -763,7 +770,7 @@ func (h *UserHandler) UpdateUser(c *gin.Context) {
 	if req.Email != "" {
 		email := strings.ToLower(req.Email)
 		var count int64
-		if err := h.DB.Model(&models.User{}).Where("email = ? AND id != ?", email, id).Count(&count).Error; err == nil && count > 0 {
+		if dbErr := h.DB.Model(&models.User{}).Where("email = ? AND id != ?", email, id).Count(&count).Error; dbErr == nil && count > 0 {
 			c.JSON(http.StatusConflict, gin.H{"error": "Email already in use"})
 			return
 		}
@@ -786,23 +793,13 @@ func (h *UserHandler) UpdateUser(c *gin.Context) {
 				return
 			}
 
-			// Last-admin protection
-			if user.Role == models.RoleAdmin && newRole != models.RoleAdmin {
-				var adminCount int64
-				h.DB.Model(&models.User{}).Where("role = ? AND enabled = ?", models.RoleAdmin, true).Count(&adminCount)
-				if adminCount <= 1 {
-					c.JSON(http.StatusForbidden, gin.H{"error": "Cannot demote the last admin"})
-					return
-				}
-			}
-
 			updates["role"] = string(newRole)
 			needsSessionInvalidation = true
 		}
 	}
 
 	if req.Password != nil {
-		if err := user.SetPassword(*req.Password); err != nil {
+		if hashErr := user.SetPassword(*req.Password); hashErr != nil {
 			c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to hash password"})
 			return
 		}
@@ -818,28 +815,70 @@ func (h *UserHandler) UpdateUser(c *gin.Context) {
 			return
 		}
 
-		// Last-admin protection for disabling
-		if user.Role == models.RoleAdmin && !*req.Enabled {
-			var adminCount int64
-			h.DB.Model(&models.User{}).Where("role = ? AND enabled = ?", models.RoleAdmin, true).Count(&adminCount)
-			if adminCount <= 1 {
-				c.JSON(http.StatusForbidden, gin.H{"error": "Cannot disable the last admin"})
-				return
-			}
-		}
-
 		updates["enabled"] = *req.Enabled
 		if !*req.Enabled {
 			needsSessionInvalidation = true
 		}
 	}
 
-	if len(updates) > 0 {
-		if err := h.DB.Model(&user).Updates(updates).Error; err != nil {
-			c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to update user"})
-			return
+	// Wrap the last-admin checks and the actual update in a transaction to prevent
+	// race conditions: two concurrent requests could both read adminCount==2
+	// and both proceed, leaving zero admins.
+	err = h.DB.Transaction(func(tx *gorm.DB) error {
+		// Re-fetch user inside transaction for consistent state
+		if txErr := tx.First(&user, id).Error; txErr != nil {
+			return txErr
 		}
 
+		// Last-admin protection for role demotion
+		if newRoleStr, ok := updates["role"]; ok {
+			newRole := models.UserRole(newRoleStr.(string))
+			if user.Role == models.RoleAdmin && newRole != models.RoleAdmin {
+				var adminCount int64
+				// Policy: count only enabled admins. This is stricter than "WHERE role = ?"
+				// because a disabled admin cannot act; treating them as non-existent
+				// prevents leaving the system with only disabled admins.
+				tx.Model(&models.User{}).Where("role = ? AND enabled = ?", models.RoleAdmin, true).Count(&adminCount)
+				if adminCount <= 1 {
+					return fmt.Errorf("cannot demote the last admin")
+				}
+			}
+		}
+
+		// Last-admin protection for disabling
+		if enabledVal, ok := updates["enabled"]; ok {
+			if enabled, isBool := enabledVal.(bool); isBool && !enabled {
+				if user.Role == models.RoleAdmin {
+					var adminCount int64
+					// Policy: count only enabled admins (same rationale as above).
+					tx.Model(&models.User{}).Where("role = ? AND enabled = ?", models.RoleAdmin, true).Count(&adminCount)
+					if adminCount <= 1 {
+						return fmt.Errorf("cannot disable the last admin")
+					}
+				}
+			}
+		}
+
+		if len(updates) > 0 {
+			if txErr := tx.Model(&user).Updates(updates).Error; txErr != nil {
+				return txErr
+			}
+		}
+
+		return nil
+	})
+
+	if err != nil {
+		errMsg := err.Error()
+		if errMsg == "cannot demote the last admin" || errMsg == "cannot disable the last admin" {
+			c.JSON(http.StatusForbidden, gin.H{"error": "Cannot" + errMsg[len("cannot"):]})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to update user"})
+		return
+	}
+
+	if len(updates) > 0 {
 		if needsSessionInvalidation && h.AuthService != nil {
 			if invErr := h.AuthService.InvalidateSessions(user.ID); invErr != nil {
 				c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to invalidate sessions"})
diff --git a/backend/internal/api/middleware/auth.go b/backend/internal/api/middleware/auth.go
index 726eb65a..9eea57fb 100644
--- a/backend/internal/api/middleware/auth.go
+++ b/backend/internal/api/middleware/auth.go
@@ -117,7 +117,7 @@ func RequireManagementAccess() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		role := c.GetString("role")
 		if role == string(models.RolePassthrough) {
-			c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "Forbidden"})
+			c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "Pass-through users cannot access management features"})
 			return
 		}
 		c.Next()
diff --git a/docs/plans/current_spec.md b/docs/plans/current_spec.md
index a69a91c1..490a4c5f 100644
--- a/docs/plans/current_spec.md
+++ b/docs/plans/current_spec.md
@@ -1,362 +1,981 @@
-# Uptime Monitoring Regression Investigation (Scheduled vs Manual)
+# User Management Consolidation & Privilege Tier System
 
-Date: 2026-03-01
+Date: 2026-06-25
 Owner: Planning Agent
-Status: Investigation Complete, Fix Plan Proposed
-Severity: High (false DOWN states on automated monitoring)
+Status: Proposed
+Severity: Medium (UX consolidation + feature enhancement)
 
-## 1. Executive Summary
+---
 
-Two services (Wizarr and Charon) can flip to `DOWN` during scheduled cycles while manual checks immediately return `UP` because scheduled checks use a host-level TCP gate that can short-circuit monitor-level HTTP checks.
+## 1. Introduction
 
-The scheduled path is:
-- `ticker -> CheckAll -> checkAllHosts -> (host status down) -> markHostMonitorsDown`
+### 1.1 Overview
 
-The manual path is:
-- `POST /api/v1/uptime/monitors/:id/check -> CheckMonitor -> checkMonitor`
+Charon currently manages users through **two separate interfaces**:
 
-Only the scheduled path runs host precheck gating. If host precheck fails (TCP to upstream host/port), `CheckAll` skips HTTP checks and forcibly writes monitor status to `down` with heartbeat message `Host unreachable`.
+1. **Admin Account** page at `/settings/account` — self-service profile management (name, email, password, API key, certificate email)
+2. **Account Management** page at `/settings/account-management` — admin-only user CRUD (list, invite, delete, update roles/permissions)
 
-This is a backend state mutation problem (not only UI rendering).
+This split is confusing and redundant. A logged-in admin must navigate to two different places to manage their own account versus managing other users. The system also lacks a formal privilege tier model — the `Role` field on the `User` model is a raw string defaulting to `"user"`, with only `"admin"` and `"user"` exposed in the frontend selector (the model comment mentions `"viewer"` but it is entirely unused).
 
-## 1.1 Monitoring Policy (Authoritative Behavior)
+### 1.2 Objectives
 
-Charon uptime monitoring SHALL follow URL-truth semantics for HTTP/HTTPS monitors,
-matching third-party external monitor behavior (Uptime Kuma style) without requiring
-any additional service.
+1. **Consolidate** user management into a single **"Users"** page that lists ALL users, including the admin.
+2. **Introduce a formal privilege tier system** with three tiers: **Admin**, **User**, and **Pass-through**.
+3. **Self-service profile editing** occurs inline or via a detail drawer/modal on the consolidated page — no separate "Admin Account" page.
+4. **Remove** the `/settings/account` route and its sidebar/tab navigation entry entirely.
+5. **Update navigation** to a single "Users" entry under Settings (or as a top-level item).
+6. **Write E2E Playwright tests** for the consolidated page before any implementation changes.
 
-Policy:
-- HTTP/HTTPS monitors are URL-truth based. The monitor result is authoritative based
-  on the configured URL check outcome (status code/timeout/TLS/connectivity from URL
-  perspective).
-- Internal TCP reachability precheck (`ForwardHost:ForwardPort`) is
-  non-authoritative for HTTP/HTTPS monitor status.
-- TCP monitors remain endpoint-socket checks and may rely on direct socket
-  reachability semantics.
-- Host precheck may still be used for optimization, grouping telemetry, and operator
-  diagnostics, but SHALL NOT force HTTP/HTTPS monitors to DOWN.
+---
 
 ## 2. Research Findings
 
-### 2.1 Execution Path Comparison (Required)
+### 2.1 Current Architecture: Backend
+
+#### 2.1.1 User Model — `backend/internal/models/user.go`
+
+```go
+type User struct {
+    ID                  uint           `json:"-" gorm:"primaryKey"`
+    UUID                string         `json:"uuid" gorm:"uniqueIndex"`
+    Email               string         `json:"email" gorm:"uniqueIndex"`
+    APIKey              string         `json:"-" gorm:"uniqueIndex"`
+    PasswordHash        string         `json:"-"`
+    Name                string         `json:"name"`
+    Role                string         `json:"role" gorm:"default:'user'"`  // "admin", "user", "viewer"
+    Enabled             bool           `json:"enabled" gorm:"default:true"`
+    FailedLoginAttempts int            `json:"-" gorm:"default:0"`
+    LockedUntil         *time.Time     `json:"-"`
+    LastLogin           *time.Time     `json:"last_login,omitempty"`
+    SessionVersion      uint           `json:"-" gorm:"default:0"`
+    // Invite system fields ...
+    PermissionMode      PermissionMode `json:"permission_mode" gorm:"default:'allow_all'"`
+    PermittedHosts      []ProxyHost    `json:"permitted_hosts,omitempty" gorm:"many2many:user_permitted_hosts;"`
+    CreatedAt           time.Time      `json:"created_at"`
+    UpdatedAt           time.Time      `json:"updated_at"`
+}
+```
+
+**Key observations:**
+
+| Aspect | Current State | Issue |
+|--------|--------------|-------|
+| `Role` field | Raw string, default `"user"` | No Go-level enum/const; `"viewer"` mentioned in comment but unused anywhere |
+| Permission logic | `CanAccessHost()` — admins bypass all checks | Sound; needs extension for pass-through tier |
+| JSON serialization | `ID` is `json:"-"`, `APIKey` is `json:"-"` | Correctly hidden from API responses |
+| Password hashing | bcrypt via `SetPassword()` / `CheckPassword()` | Solid |
+
+#### 2.1.2 Auth Service — `backend/internal/services/auth_service.go`
+
+- `Register()`: First user becomes admin (`role = "admin"`)
+- `Login()`: Account lockout after 5 failed attempts; sets `LastLogin`
+- `GenerateToken()`: JWT with claims `{UserID, Role, SessionVersion}`, 24h expiry
+- `AuthenticateToken()`: Validates JWT + checks `Enabled` + matches `SessionVersion`
+- `InvalidateSessions()`: Increments `SessionVersion` to revoke all existing tokens
+
+**Impact of role changes:** The `Role` string is embedded in the JWT. When a user's role is changed, their existing JWT still carries the old role until it expires or `SessionVersion` is bumped. The `InvalidateSessions()` method exists for this purpose, **but it is NOT currently called in `UpdateUser()`**. This is a security gap — a user demoted from admin to passthrough retains their admin JWT for up to 24 hours. Task 2.6 addresses this.
+
+#### 2.1.3 Auth Middleware — `backend/internal/api/middleware/auth.go`
+
+```go
+func AuthMiddleware(authService *services.AuthService) gin.HandlerFunc
+func RequireRole(role string) gin.HandlerFunc
+```
+
+- `AuthMiddleware`: Extracts token from header/cookie/query, sets `userID` and `role` in Gin context.
+- `RequireRole`: Checks `role` against a **single** required role string, always allows `"admin"` as fallback. Currently used only for SMTP settings.
+
+**Gap:** Most admin-only endpoints in `user_handler.go` do inline `role != "admin"` checks via `requireAdmin(c)` in `permission_helpers.go` rather than using middleware. This works but is inconsistent.
+
+#### 2.1.4 User Handler — `backend/internal/api/handlers/user_handler.go`
+
+Two disjoint groups of endpoints:
+
+| Group | Endpoints | Purpose | Auth |
+|-------|-----------|---------|------|
+| **Self-service** | `GET /user/profile`, `POST /user/profile`, `POST /user/api-key` | Current user edits own profile/API key | Any authenticated user |
+| **Admin CRUD** | `GET /users`, `POST /users`, `POST /users/invite`, `GET /users/:id`, `PUT /users/:id`, `DELETE /users/:id`, `PUT /users/:id/permissions`, `POST /users/:id/resend-invite`, `POST /users/preview-invite-url` | Admin manages all users | Admin only (inline check) |
+
+**Key handler behaviors:**
+
+- `ListUsers()`: Returns all users with safe fields (excludes password hash, API key). Admin only.
+- `UpdateUser()`: Can change `name`, `email`, `password`, `role`, `enabled`. **Does NOT call `InvalidateSessions()` on role change** — a demoted user retains their old-role JWT for up to 24 hours. This is a security gap that must be fixed in this spec (see Task 2.6).
+- `DeleteUser()`: Prevents self-deletion.
+- `GetProfile()`: Returns `{id, email, name, role, has_api_key, api_key_masked}` for the calling user.
+- `UpdateProfile()`: Requires `current_password` verification when email changes.
+- `RegenerateAPIKey()`: Generates new UUID-based API key for the calling user.
+
+#### 2.1.5 Route Registration — `backend/internal/api/routes/routes.go`
+
+```
+Public:
+  POST /api/v1/auth/login
+  POST /api/v1/auth/register
+  GET  /api/v1/auth/verify          (forward auth for Caddy)
+  GET  /api/v1/auth/status
+  GET  /api/v1/setup/status
+  POST /api/v1/setup
+  GET  /api/v1/invite/validate
+  POST /api/v1/invite/accept
+
+Protected (authMiddleware):
+  POST /api/v1/auth/logout
+  POST /api/v1/auth/refresh
+  GET  /api/v1/auth/me
+  POST /api/v1/auth/change-password
+  GET  /api/v1/user/profile          ← Self-service group
+  POST /api/v1/user/profile          ←
+  POST /api/v1/user/api-key          ←
+  GET    /api/v1/users               ← Admin CRUD group
+  POST   /api/v1/users               ←
+  POST   /api/v1/users/invite        ←
+  POST   /api/v1/users/preview-invite-url ←
+  GET    /api/v1/users/:id           ←
+  PUT    /api/v1/users/:id           ←
+  DELETE /api/v1/users/:id           ←
+  PUT    /api/v1/users/:id/permissions ←
+  POST   /api/v1/users/:id/resend-invite ←
+```
+
+#### 2.1.6 Forward Auth — `backend/internal/api/handlers/auth_handler.go`
+
+The `Verify()` handler at `GET /api/v1/auth/verify` is the critical integration point for the pass-through tier:
+
+1. Extracts token from cookie/header/query
+2. Authenticates user via `AuthenticateToken()`
+3. Reads `X-Forwarded-Host` from Caddy
+4. Checks `user.CanAccessHost(hostID)` against the permission model
+5. Returns `200 OK` with `X-Auth-User` headers or `401`/`403`
+
+**Pass-through users will use this exact path** — they log in to Charon only to establish a session, then Caddy's `forward_auth` directive validates their access to proxied services. They never need to see the Charon management UI.
+
+### 2.2 Current Architecture: Frontend
+
+#### 2.2.1 Router — `frontend/src/App.tsx`
+
+```tsx
+// Three routes serve user management:
+<Route path="users" element={<UsersPage />} />                    // top-level
+<Route path="settings" element={<Settings />}>
+  <Route path="account" element={<Account />} />                  // self-service
+  <Route path="account-management" element={<UsersPage />} />     // admin CRUD
+</Route>
+```
 
-### Scheduled path behavior
-- Entry: `backend/internal/api/routes/routes.go` (background ticker, calls `uptimeService.CheckAll()`)
-- `CheckAll()` calls `checkAllHosts()` first.
-  - File: `backend/internal/services/uptime_service.go:354`
-- `checkAllHosts()` updates each `UptimeHost.Status` via TCP checks in `checkHost()`.
-  - File: `backend/internal/services/uptime_service.go:395`
-- `checkHost()` dials `UptimeHost.Host` + monitor port (prefer `ProxyHost.ForwardPort`, fallback to URL port).
-  - File: `backend/internal/services/uptime_service.go:437`
-- Back in `CheckAll()`, monitors are grouped by `UptimeHostID`.
-  - File: `backend/internal/services/uptime_service.go:367`
-- If `UptimeHost.Status == "down"`, `markHostMonitorsDown()` is called and individual monitor checks are skipped.
-  - File: `backend/internal/services/uptime_service.go:381`
-  - File: `backend/internal/services/uptime_service.go:593`
-
-### Manual path behavior
-- Entry: `POST /api/v1/uptime/monitors/:id/check`.
-  - Handler: `backend/internal/api/handlers/uptime_handler.go:107`
-- Calls `service.CheckMonitor(*monitor)` asynchronously.
-  - File: `backend/internal/services/uptime_service.go:707`
-- `checkMonitor()` performs direct HTTP/TCP monitor check and updates monitor + heartbeat.
-  - File: `backend/internal/services/uptime_service.go:711`
-
-### Key divergence
-- Scheduled: host-gated (precheck can override monitor)
-- Manual: direct monitor check (no host gate)
+The `UsersPage` component is mounted at **two** routes: `/users` and `/settings/account-management`. The `Account` component is only at `/settings/account`.
 
-## 3. Root Cause With Evidence
+#### 2.2.2 Settings Page — `frontend/src/pages/Settings.tsx`
 
-## 3.1 Primary Root Cause: Host Precheck Overrides HTTP Success in Scheduled Cycles
-
-When `UptimeHost` is marked `down`, scheduled checks do not run `checkMonitor()` for that host's monitors. Instead they call `markHostMonitorsDown()` which:
-- sets each monitor `Status = "down"`
-- writes `UptimeHeartbeat{Status: "down", Message: "Host unreachable"}`
-- maxes failure count (`FailureCount = MaxRetries`)
-
-Evidence:
-- Short-circuit: `backend/internal/services/uptime_service.go:381`
-- Forced down write: `backend/internal/services/uptime_service.go:610`
-- Forced heartbeat message: `backend/internal/services/uptime_service.go:624`
-
-This exactly matches symptom pattern:
-1. Manual refresh sets monitor `UP` via direct HTTP check.
-2. Next scheduler cycle can force it back to `DOWN` from host precheck path.
-
-## 3.2 Hypothesis Check: TCP precheck can fail while public URL HTTP check succeeds
-
-Confirmed as plausible by design:
-- `checkHost()` tests upstream reachability (`ForwardHost:ForwardPort`) from Charon runtime.
-- `checkMonitor()` tests monitor URL (public domain URL, often via Caddy/public routing).
+Tab bar with 4 items: `System`, `Notifications`, `SMTP`, `Account`. Note that **Account Management is NOT in the tab bar** — it is only reachable via the sidebar. The `Account` tab links to `/settings/account` (the self-service profile page).
+
+#### 2.2.3 Sidebar Navigation — `frontend/src/components/Layout.tsx`
 
-A service can be publicly reachable by monitor URL while upstream TCP precheck fails due to network namespace/routing/DNS/hairpin differences.
+Under the Settings section, two entries:
 
-This is especially likely for:
-- self-referential routes (Charon monitoring Charon via public hostname)
-- host/container networking asymmetry
-- services reachable through proxy path but not directly on upstream socket from current runtime context
+```tsx
+{ name: t('navigation.adminAccount'), path: '/settings/account', icon: '🛡️' },
+{ name: t('navigation.accountManagement'), path: '/settings/account-management', icon: '👥' },
+```
 
-## 3.3 Recent Change Correlation (Required)
+#### 2.2.4 Account Page — `frontend/src/pages/Account.tsx`
 
-### `SyncAndCheckForHost` (regression amplifier)
-- Introduced in commit `2cd19d89` and called from proxy host create path.
-- Files:
-  - `backend/internal/services/uptime_service.go:1195`
-  - `backend/internal/api/handlers/proxy_host_handler.go:418`
-- Behavior: creates/syncs monitor and immediately runs `checkMonitor()`.
+Four cards:
+1. **Profile** — name, email (with password verification for email changes)
+2. **Certificate Email** — toggle between account email and custom email for ACME
+3. **Password Change** — old/new/confirm password form
+4. **API Key** — masked display + regenerate button
 
-Impact: makes monitors quickly show `UP` after create/manual, then scheduler can flip to `DOWN` if host precheck fails. This increased visibility of scheduled/manual inconsistency.
+Uses `api/user.ts` (singular) — endpoints: `GET /user/profile`, `POST /user/profile`, `POST /user/api-key`.
 
-### `CleanupStaleFailureCounts`
-- Introduced in `2cd19d89`, refined in `7a12ab79`.
-- File: `backend/internal/services/uptime_service.go:1277`
-- It runs at startup and resets stale monitor states only; not per-cycle override logic.
-- Not root cause of recurring per-cycle flip.
+#### 2.2.5 Users Page — `frontend/src/pages/UsersPage.tsx`
 
-### Frontend effective status changes
-- Latest commit `0241de69` refactors `effectiveStatus` handling.
-- File: `frontend/src/pages/Uptime.tsx`.
-- Backend evidence proves this is not visual-only: scheduler writes `down` heartbeats/messages directly in DB.
+~900 lines. Contains:
+- `InviteModal` — email, role select (`user`/`admin`), permission mode, host selection, URL preview
+- `PermissionsModal` — permission mode + host checkboxes per user
+- `UsersPage` (default export) — table listing all users with columns: User (name/email), Role (badge), Status (active/pending/expired), Permissions (whitelist/blacklist), Enabled (toggle), Actions (resend/permissions/delete)
+
+**Current limitations:**
+- Admin users cannot be disabled (switch is `disabled` when `role === 'admin'`)
+- Admin users cannot be deleted (delete button is `disabled` when `role === 'admin'`)
+- No permission editing for admins (gear icon hidden when `role !== 'admin'`)
+- Role selector in `InviteModal` only has `user` and `admin` options
+- No inline profile editing — admins can't edit their own name/email/password from this page
+- The admin's own row appears in the list but has limited interactivity
+
+#### 2.2.6 API Client Files
+
+**`frontend/src/api/user.ts`** (singular — self-service):
+
+```tsx
+interface UserProfile { id, email, name, role, has_api_key, api_key_masked }
+getProfile()         → GET  /user/profile
+updateProfile(data)  → POST /user/profile
+regenerateApiKey()   → POST /user/api-key
+```
 
-## 3.4 Grouping Logic Analysis (`UptimeHost`/`UpstreamHost`)
+**`frontend/src/api/users.ts`** (plural — admin CRUD):
 
-Monitors are grouped by `UptimeHostID` in `CheckAll()`. `UptimeHost` is derived from `ProxyHost.ForwardHost` in sync flows.
-
-Relevant code:
-- group map by `UptimeHostID`: `backend/internal/services/uptime_service.go:367`
-- host linkage in sync: `backend/internal/services/uptime_service.go:189`, `backend/internal/services/uptime_service.go:226`
-- sync single-host update path: `backend/internal/services/uptime_service.go:1023`
-
-Risk: one host precheck failure can mark all grouped monitors down without URL-level validation.
-
-## 4. Technical Specification (Fix Plan)
-
-## 4.1 Minimal Proper Fix (First)
-
-Goal: eliminate false DOWN while preserving existing behavior as much as possible.
-
-Change `CheckAll()` host-down branch to avoid hard override for HTTP/HTTPS monitors.
-
-Mandatory hotfix rule:
-- WHEN a host precheck is `down`, THE SYSTEM SHALL partition host monitors by type inside `CheckAll()`.
-- `markHostMonitorsDown` MUST be invoked only for `tcp` monitors.
-- `http`/`https` monitors MUST still run through `checkMonitor()` and MUST NOT be force-written `down` by the host precheck path.
-- Host precheck outcomes MAY be recorded for optimization/telemetry/grouping, but MUST NOT be treated as final status for `http`/`https` monitors.
-
-Proposed rule:
-1. If host is down:
-  - For `http`/`https` monitors: still run `checkMonitor()` (do not force down).
-  - For `tcp` monitors: keep current host-down fast-path (`markHostMonitorsDown`) or direct tcp check.
-2. If host is not down:
-   - Keep existing behavior (run `checkMonitor()` for all monitors).
-
-Rationale:
-- Aligns scheduled behavior with manual for URL-based monitors.
-- Preserves reverse proxy product semantics where public URL availability is the source of truth.
-- Minimal code delta in `CheckAll()` decision branch.
-- Preserves optimization for true TCP-only monitors.
-
-### Exact file/function targets
-- `backend/internal/services/uptime_service.go`
-  - `CheckAll()`
-  - add small helper (optional): `partitionMonitorsByType(...)`
-
-## 4.2 Long-Term Robust Fix (Deferred)
-
-Introduce host precheck as advisory signal, not authoritative override.
-
-Design:
-1. Add `HostReachability` result to run context (not persisted as forced monitor status).
-2. Always execute per-monitor checks, but use host precheck to:
-   - tune retries/backoff
-   - annotate failure reason
-   - optimize notification batching
-3. Optionally add feature flag:
-   - `feature.uptime.strict_host_precheck` (default `false`)
-   - allows legacy strict gating in environments that want it.
-
-Benefits:
-- Removes false DOWN caused by precheck mismatch.
-- Keeps performance and batching controls.
-- More explicit semantics for operators.
-
-## 5. API/Schema Impact
-
-No API contract change required for minimal fix.
-No database migration required for minimal fix.
-
-Long-term fix may add one feature flag setting only.
-
-## 6. EARS Requirements
-
-### Ubiquitous
-- THE SYSTEM SHALL evaluate HTTP/HTTPS monitor availability using URL-level checks as the authoritative signal.
-
-### Event-driven
-- WHEN the scheduled uptime cycle runs, THE SYSTEM SHALL execute HTTP/HTTPS monitor checks regardless of internal host precheck state.
-- WHEN the scheduled uptime cycle runs and host precheck is down, THE SYSTEM SHALL apply host-level forced-down logic only to TCP monitors.
-
-### State-driven
-- WHILE a monitor type is `http` or `https`, THE SYSTEM SHALL NOT force monitor status to `down` solely from internal host precheck failure.
-- WHILE a monitor type is `tcp`, THE SYSTEM SHALL evaluate status using endpoint socket reachability semantics.
-
-### Unwanted behavior
-- IF internal host precheck is unreachable AND URL-level HTTP/HTTPS check returns success, THEN THE SYSTEM SHALL set monitor status to `up`.
-- IF internal host precheck is reachable AND URL-level HTTP/HTTPS check fails, THEN THE SYSTEM SHALL set monitor status to `down`.
-
-### Optional
-- WHERE host precheck telemetry is enabled, THE SYSTEM SHALL record host-level reachability for diagnostics and grouping without overriding HTTP/HTTPS monitor final state.
-
-## 7. Implementation Plan
-
-### Phase 1: Reproduction Lock-In (Tests First)
-- Add backend service test proving current regression:
-  - host precheck fails
-  - monitor URL check would succeed
-  - scheduled `CheckAll()` currently writes down (existing behavior)
-- File: `backend/internal/services/uptime_service_test.go` (new test block)
-
-### Phase 2: Minimal Backend Fix
-- Update `CheckAll()` branch logic to run HTTP/HTTPS monitors even when host is down.
-- Make monitor partitioning explicit and mandatory in `CheckAll()` host-down branch.
-- Add an implementation guard before partitioning: normalize monitor type using
-  `strings.TrimSpace` + `strings.ToLower` to prevent `HTTP`/`HTTPS` case
-  regressions and whitespace-related misclassification.
-- Ensure `markHostMonitorsDown` is called only for TCP monitor partitions.
-- File: `backend/internal/services/uptime_service.go`
-
-### Phase 3: Backend Validation
-- Add/adjust tests:
-  - scheduled path no longer forces down when HTTP succeeds
-  - manual and scheduled reach same final state for HTTP monitors
-  - internal host unreachable + public URL HTTP 200 => monitor is `UP`
-  - internal host reachable + public URL failure => monitor is `DOWN`
-  - TCP monitor behavior unchanged under host-down conditions
-- Files:
-  - `backend/internal/services/uptime_service_test.go`
-  - `backend/internal/services/uptime_service_race_test.go` (if needed for concurrency side-effects)
-
-### Phase 4: Integration/E2E Coverage
-- Add targeted API-level integration test for scheduler vs manual parity.
-- Add Playwright scenario for:
-  - monitor set UP by manual check
-  - remains UP after scheduled cycle when URL is reachable
-- Add parity scenario for:
-  - internal TCP precheck unreachable + URL returns 200 => `UP`
-  - internal TCP precheck reachable + URL failure => `DOWN`
-- Files:
-  - `backend/internal/api/routes/routes_test.go` (or uptime handler integration suite)
-  - `tests/monitoring/uptime-monitoring.spec.ts` (or equivalent uptime spec file)
-
-Scope note:
-- This hotfix plan is intentionally limited to backend behavior correction and
-  regression tests (unit/integration/E2E).
-- Dedicated documentation-phase work is deferred and out of scope for this
-  hotfix PR.
-
-## 8. Test Plan (Unit / Integration / E2E)
-
-Duplicate notification definition (hotfix acceptance/testing):
-- A duplicate notification means the same `(monitor_id, status,
-  scheduler_tick_id)` is emitted more than once within a single scheduler run.
-
-## Unit Tests
-1. `CheckAll_HostDown_DoesNotForceDown_HTTPMonitor_WhenHTTPCheckSucceeds`
-2. `CheckAll_HostDown_StillHandles_TCPMonitor_Conservatively`
-3. `CheckAll_ManualAndScheduledParity_HTTPMonitor`
-4. `CheckAll_InternalHostUnreachable_PublicURL200_HTTPMonitorEndsUp` (blocking)
-5. `CheckAll_InternalHostReachable_PublicURLFail_HTTPMonitorEndsDown` (blocking)
-
-## Integration Tests
-1. Scheduler endpoint (`/api/v1/system/uptime/check`) parity with monitor check endpoint.
-2. Verify DB heartbeat message is real HTTP result (not `Host unreachable`) for HTTP monitors where URL is reachable.
-3. Verify when host precheck is down, HTTP monitor heartbeat/notification output is derived from `checkMonitor()` (not synthetic host-path `Host unreachable`).
-4. Verify no duplicate notifications are emitted from host+monitor paths for the same scheduler run, where duplicate is defined as repeated `(monitor_id, status, scheduler_tick_id)`.
-5. Verify internal host precheck unreachable + public URL 200 still resolves monitor `UP`.
-6. Verify internal host precheck reachable + public URL failure resolves monitor `DOWN`.
-
-## E2E Tests
-1. Create/sync monitor scenario where manual refresh returns `UP`.
-2. Wait one scheduler interval.
-3. Assert monitor remains `UP` and latest heartbeat is not forced `Host unreachable` for reachable URL.
-4. Assert scenario: internal host precheck unreachable + public URL 200 => monitor remains `UP`.
-5. Assert scenario: internal host precheck reachable + public URL failure => monitor is `DOWN`.
-
-## Regression Guardrails
-- Add a test explicitly asserting that host precheck must not unconditionally override HTTP monitor checks.
-- Add explicit assertions that HTTP monitors under host-down precheck emit
-  check-derived heartbeat messages and do not produce duplicate notifications
-  under the `(monitor_id, status, scheduler_tick_id)` rule within a single
-  scheduler run.
-
-## 9. Risks and Rollback
-
-## Risks
-1. More HTTP checks under true host outage may increase check volume.
-2. Notification patterns may shift from single host-level event to monitor-level batched events.
-3. Edge cases for mixed-type monitor groups (HTTP + TCP) need deterministic behavior.
-
-## Mitigations
-1. Preserve batching (`queueDownNotification`) and existing retry thresholds.
-2. Keep TCP strict path unchanged in minimal fix.
-3. Add explicit log fields and targeted tests for mixed groups.
-
-## Rollback Plan
-1. Revert the `CheckAll()` branch change only (single-file rollback).
-2. Keep added tests; mark expected behavior as legacy if temporary rollback needed.
-3. If necessary, introduce temporary feature toggle to switch between strict and tolerant host gating.
-
-## 10. PR Slicing Strategy
-
-Decision: Single focused PR (hotfix + tests)
-
-Trigger reasons:
-- High-severity runtime behavior fix requiring minimal blast radius
-- Fast review/rollback with behavior-only delta plus regression coverage
-- Avoid scope creep into optional hardening/feature-flag work
-
-### PR-1 (Hotfix + Tests)
-Scope:
-- `CheckAll()` host-down branch adjustment for HTTP/HTTPS
-- Unit/integration/E2E regression tests for URL-truth semantics
-
-Files:
-- `backend/internal/services/uptime_service.go`
-- `backend/internal/services/uptime_service_test.go`
-- `backend/internal/api/routes/routes_test.go` (or equivalent)
-- `tests/monitoring/uptime-monitoring.spec.ts` (or equivalent)
-
-Validation gates:
-- backend unit tests pass
-- targeted uptime integration tests pass
-- targeted uptime E2E tests pass
-- no behavior regression in existing `CheckAll` tests
-
-Rollback:
-- single revert of PR-1 commit
-
-## 11. Acceptance Criteria (DoD)
-
-1. Scheduled and manual checks produce consistent status for HTTP/HTTPS monitors.
-2. A reachable monitor URL is not forced to `DOWN` solely by host precheck failure.
-3. New regression tests fail before fix and pass after fix.
-4. No break in TCP monitor behavior expectations.
-5. No new critical/high security findings in touched paths.
-6. Blocking parity case passes: internal host precheck unreachable + public URL 200 => scheduled result is `UP`.
-7. Blocking parity case passes: internal host precheck reachable + public URL failure => scheduled result is `DOWN`.
-8. Under host-down precheck, HTTP monitors produce check-derived heartbeat messages (not synthetic `Host unreachable` from host path).
-9. No duplicate notifications are produced by host+monitor paths within a
-  single scheduler run, where duplicate is defined as repeated
-  `(monitor_id, status, scheduler_tick_id)`.
-
-## 12. Implementation Risks
-
-1. Increased scheduler workload during host-precheck failures because HTTP/HTTPS checks continue to run.
-2. Notification cadence may change due to check-derived monitor outcomes replacing host-forced synthetic downs.
-3. Mixed monitor groups (TCP + HTTP/HTTPS) require strict ordering/partitioning to avoid regression.
-
-Mitigations:
-- Keep change localized to `CheckAll()` host-down branch decisioning.
-- Add explicit regression tests for both parity directions and mixed monitor types.
-- Keep rollback path as single-commit revert.
+```tsx
+interface User { id, uuid, email, name, role, enabled, last_login, invite_status, ... }
+type PermissionMode = 'allow_all' | 'deny_all'
+listUsers()                  → GET    /users
+getUser(id)                  → GET    /users/:id
+createUser(data)             → POST   /users
+inviteUser(data)             → POST   /users/invite
+updateUser(id, data)         → PUT    /users/:id
+deleteUser(id)               → DELETE /users/:id
+updateUserPermissions(id, d) → PUT    /users/:id/permissions
+validateInvite(token)        → GET    /invite/validate
+acceptInvite(data)           → POST   /invite/accept
+previewInviteURL(email)      → POST   /users/preview-invite-url
+resendInvite(id)             → POST   /users/:id/resend-invite
+```
+
+#### 2.2.7 Auth Context — `frontend/src/context/AuthContextValue.ts`
+
+```tsx
+interface User { user_id: number; role: string; name?: string; email?: string; }
+interface AuthContextType { user, login, logout, changePassword, isAuthenticated, isLoading }
+```
+
+The `AuthProvider` in `AuthContext.tsx` fetches `/api/v1/auth/me` on mount and stores the user. Auto-logout after 15 minutes of inactivity.
+
+#### 2.2.8 Route Protection — `frontend/src/components/RequireAuth.tsx`
+
+Checks `isAuthenticated`, localStorage token, and `user !== null`. Redirects to `/login` if any check fails. **No role-based route protection exists** — all authenticated users see the same navigation and routes.
+
+#### 2.2.9 Translation Keys — `frontend/src/locales/en/translation.json`
+
+Relevant keys:
+```json
+"navigation.adminAccount": "Admin Account",
+"navigation.accountManagement": "Account Management",
+"users.roleUser": "User",
+"users.roleAdmin": "Admin"
+```
+
+No keys exist for `"roleViewer"` or `"rolePassthrough"`.
+
+### 2.3 Current Architecture: E2E Tests
+
+**No Playwright E2E tests exist** for user management or account pages. The `tests/` directory contains specs for DNS providers, modal dropdowns, and debug utilities only.
+
+### 2.4 Configuration Files Review
+
+| File | Relevance | Action Needed |
+|------|-----------|---------------|
+| `.gitignore` | May need entries for new test artifacts | Review during implementation |
+| `codecov.yml` | Coverage thresholds may need adjustment | Review if new files change coverage ratios |
+| `.dockerignore` | No impact expected | No changes |
+| `Dockerfile` | No impact expected | No changes |
+
+---
+
+## 3. Technical Specifications
+
+### 3.1 Privilege Tier System
+
+#### 3.1.1 Tier Definitions
+
+| Tier | Value | Charon UI Access | Forward Auth (Proxy) Access | Can Manage Others |
+|------|-------|------------------|---------------------------|-------------------|
+| **Admin** | `"admin"` | Full access to all pages and settings | All hosts (bypasses permission checks) | Yes — full CRUD on all users |
+| **User** | `"user"` | Access to Charon UI except admin-only pages (user management, system settings) | Based on `permission_mode` + `permitted_hosts` | No |
+| **Pass-through** | `"passthrough"` | Login page only — redirected away from all management pages after login | Based on `permission_mode` + `permitted_hosts` | No |
+
+#### 3.1.2 Behavioral Details
+
+**Admin:**
+- Unchanged from current behavior.
+- Can edit any user's role, permissions, name, email, enabled state.
+- Can edit their own profile inline on the consolidated Users page.
+- Cannot delete themselves. Cannot disable themselves.
+
+**User:**
+- Can log in to the Charon management UI.
+- Can view proxy hosts, certificates, DNS, uptime, and other read-oriented pages.
+- Cannot access: User management, System settings, SMTP settings, Encryption, Plugins.
+- Can edit their own profile (name, email, password, API key) via self-service section on the Users page or a dedicated "My Account" modal.
+- Forward auth access is governed by `permission_mode` + `permitted_hosts`.
+
+**Pass-through:**
+- Can log in to Charon (to obtain a session cookie/JWT).
+- Immediately after login, is redirected to `/passthrough` landing page — **no access to the management UI**.
+- The session cookie is used by Caddy's `forward_auth` to grant access to proxied services based on `permission_mode` + `permitted_hosts`.
+- Can access **only**: `/auth/logout`, `/auth/refresh`, `/auth/me`, `/auth/change-password`.
+- **Cannot access**: `/user/profile`, `/user/api-key`, or any management API endpoints.
+- Cannot access any Charon management UI pages.
+
+#### 3.1.3 Backend Role Constants
+
+Add typed constants to `backend/internal/models/user.go`:
+
+```go
+type UserRole string
+
+const (
+    RoleAdmin       UserRole = "admin"
+    RoleUser        UserRole = "user"
+    RolePassthrough UserRole = "passthrough"
+)
+
+func (r UserRole) IsValid() bool {
+    switch r {
+    case RoleAdmin, RoleUser, RolePassthrough:
+        return true
+    }
+    return false
+}
+```
+
+Change `User.Role` from `string` to `UserRole` (which is still a `string` alias, so GORM and JSON work identically — zero migration friction).
+
+### 3.2 Database Schema Changes
+
+#### 3.2.1 User Table
+
+**No schema migration needed.** The `Role` column is already a `TEXT` field storing string values. Changing the Go type from `string` to `UserRole` (a `string` alias) requires no ALTER TABLE. New role values (`"passthrough"`) are immediately storable.
+
+#### 3.2.2 Data Migration
+
+A one-time migration function should:
+1. Scan for any users with `role = "viewer"` and update them to `role = "passthrough"` (in case any were manually created via the unused viewer path).
+2. Validate all existing roles are in the allowed set.
+
+This runs in the `AutoMigrate` block in `routes.go`.
+
+The migration must be in a clearly named function (e.g., `migrateViewerToPassthrough()`) and must log when it runs and how many records it affected:
+
+```go
+func migrateViewerToPassthrough(db *gorm.DB) {
+    result := db.Model(&User{}).Where("role = ?", "viewer").Update("role", string(RolePassthrough))
+    if result.RowsAffected > 0 {
+        log.Printf("[migration] Updated %d users from 'viewer' to 'passthrough' role", result.RowsAffected)
+    }
+}
+```
+
+### 3.3 API Changes
+
+#### 3.3.1 Consolidated Self-Service Endpoints
+
+Merge the current `/user/profile` and `/user/api-key` endpoints into the existing `/users/:id` group by allowing users to edit their own record:
+
+| Current Endpoint | Action | Proposed |
+|-----------------|--------|----------|
+| `GET /user/profile` | Get own profile | **Keep** (convenience alias) |
+| `POST /user/profile` | Update own profile | **Keep** (convenience alias) |
+| `POST /user/api-key` | Regenerate API key | **Keep** (convenience alias) |
+| `PUT /users/:id` | Admin updates any user | **Extend**: allow authenticated user to update their own record (name, email with password verification) |
+
+The self-service endpoints (`/user/*`) remain as convenient aliases that internally resolve to the caller's own user ID and delegate to the same service logic. No breaking API changes.
+
+#### 3.3.2 Role Validation
+
+The `UpdateUser()` and `CreateUser()` handlers must validate the `role` field against `UserRole.IsValid()`. The invite endpoint `InviteUser()` must accept `"passthrough"` as a valid role.
+
+#### 3.3.3 Pass-through Route Protection
+
+Add middleware to block pass-through users from accessing management endpoints:
+
+```go
+func RequireManagementAccess() gin.HandlerFunc {
+    return func(c *gin.Context) {
+        role := c.GetString("role")
+        if role == string(models.RolePassthrough) {
+            c.AbortWithStatusJSON(http.StatusForbidden, gin.H{
+                "error": "pass-through users cannot access management features",
+            })
+            return
+        }
+        c.Next()
+    }
+}
+```
+
+Apply this middleware by restructuring the protected routes into two sub-groups:
+
+**Exempt routes** (authMiddleware only — no management check):
+```
+POST /auth/logout
+POST /auth/refresh
+GET  /auth/me
+POST /auth/change-password
+GET  /auth/accessible-hosts
+GET  /auth/check-host/:hostId
+GET  /user/profile
+POST /user/profile
+POST /user/api-key
+```
+
+**Management routes** (authMiddleware + `RequireManagementAccess`):
+```
+GET    /users
+POST   /users
+POST   /users/invite
+POST   /users/preview-invite-url
+GET    /users/:id
+PUT    /users/:id
+DELETE /users/:id
+PUT    /users/:id/permissions
+POST   /users/:id/resend-invite
+All /backup/* routes
+All /logs/* routes
+All /settings/* routes
+All /system/* routes
+All /security/* routes
+All /features/* routes
+All /proxy/* routes
+All /certificates/* routes
+All /dns/* routes
+All /uptime/* routes
+All /plugins/* routes
+```
+
+The route split in `routes.go` should look like:
+
+```go
+// Self-service + auth routes — accessible to all authenticated users (including passthrough)
+exempt := protected.Group("")
+{
+    exempt.POST("/auth/logout", ...)
+    exempt.POST("/auth/refresh", ...)
+    exempt.GET("/auth/me", ...)
+    exempt.POST("/auth/change-password", ...)
+    exempt.GET("/auth/accessible-hosts", ...)
+    exempt.GET("/auth/check-host/:hostId", ...)
+    exempt.GET("/user/profile", ...)
+    exempt.POST("/user/profile", ...)
+    exempt.POST("/user/api-key", ...)
+}
+
+// Management routes — blocked for passthrough users
+management := protected.Group("", middleware.RequireManagementAccess())
+{
+    // All other routes registered here
+}
+```
+
+#### 3.3.4 New Endpoint: Pass-through Landing
+
+No new backend endpoint needed. The forward auth flow (`GET /auth/verify`) already works for pass-through users. The minimal landing page is purely a frontend concern.
+
+### 3.4 Frontend Changes
+
+#### 3.4.1 Consolidated Users Page
+
+Transform `UsersPage.tsx` into the single source of truth for all user management:
+
+**New capabilities:**
+1. **Admin's own row is fully interactive** — edit name/email/password, regenerate API key, view cert email settings.
+2. **"My Profile" section** at the top (or accessible via a button) for the currently logged-in user to manage their own account, replacing the `Account.tsx` page entirely.
+3. **Role selector** includes three options: `Admin`, `User`, `Pass-through`.
+4. **Permission controls** are shown for `User` and `Pass-through` roles (hidden for `Admin`).
+5. **Inline editing** or a detail drawer for editing individual users.
+
+**Components to modify:**
+
+| Component | File | Change |
+|-----------|------|--------|
+| `InviteModal` | `UsersPage.tsx` | Add `"passthrough"` to role `<select>`. Show permission controls for both `user` and `passthrough`. |
+| `PermissionsModal` | `UsersPage.tsx` | No functional changes — already works for any non-admin role. |
+| `UsersPage` (table) | `UsersPage.tsx` | Add role badge color for `passthrough`. Remove `disabled` from admin row's enable/delete where appropriate. Add "Edit" action for all users. Add "My Profile" card or section. |
+| New: `UserDetailModal` | `UsersPage.tsx` or separate file | Modal/drawer for editing a user's full details (including password reset, API key regen for self). Replaces the Account page's four cards. |
+
+#### 3.4.2 Remove Account Page
+
+| Action | File | Detail |
+|--------|------|--------|
+| Delete | `frontend/src/pages/Account.tsx` | Remove entirely |
+| Delete | `frontend/src/api/user.ts` | Remove (merge any unique types into `users.ts`) |
+| Remove route | `frontend/src/App.tsx` | Remove `<Route path="account" element={<Account />} />` |
+| Remove nav entry | `frontend/src/components/Layout.tsx` | Remove `{ name: t('navigation.adminAccount'), path: '/settings/account', icon: '🛡️' }` |
+| Remove tab | `frontend/src/pages/Settings.tsx` | Remove `{ path: '/settings/account', label: t('settings.account'), icon: User }` |
+| Remove translation keys | `frontend/src/locales/en/translation.json` | Remove `navigation.adminAccount`, update `navigation.accountManagement` → `navigation.users` |
+
+#### 3.4.3 Navigation Update
+
+**Sidebar** (Layout.tsx): Under Settings, consolidate to a single entry:
+
+```tsx
+{ name: t('navigation.users'), path: '/settings/users', icon: '👥' }
+```
+
+**Settings tab bar** (Settings.tsx): Add "Users" as a new tab, remove "Account":
+
+```tsx
+{ path: '/settings/users', label: t('navigation.users'), icon: Users }
+```
+
+**Router** (App.tsx): Update routes:
+
+```tsx
+{/* Pass-through landing — accessible to all authenticated users */}
+<Route path="passthrough" element={<RequireAuth><PassthroughLanding /></RequireAuth>} />
+
+<Route path="settings" element={<RequireRole allowed={['admin', 'user']}><Settings /></RequireRole>}>
+  <Route index element={<SystemSettings />} />
+  <Route path="system" element={<SystemSettings />} />
+  <Route path="notifications" element={<Notifications />} />
+  <Route path="smtp" element={<SMTPSettings />} />
+  <Route path="users" element={<RequireRole allowed={['admin']}><UsersPage /></RequireRole>} />
+</Route>
+```
+
+Add redirects for old paths:
+```tsx
+<Route path="settings/account" element={<Navigate to="/settings/users" replace />} />
+<Route path="settings/account-management" element={<Navigate to="/settings/users" replace />} />
+<Route path="users" element={<Navigate to="/settings/users" replace />} />
+```
+
+#### 3.4.4 Role-Based Route Protection
+
+Create a new `RequireRole` wrapper component:
+
+```tsx
+// frontend/src/components/RequireRole.tsx
+const RequireRole: React.FC<{ allowed: string[]; children: React.ReactNode }> = ({ allowed, children }) => {
+  const { user } = useAuth();
+  if (!user) {
+    return <Navigate to="/login" replace />;
+  }
+  if (!allowed.includes(user.role)) {
+    // Role-aware redirect: pass-through users go to their landing page,
+    // other unauthorized roles go to dashboard
+    const redirectTarget = user.role === 'passthrough' ? '/passthrough' : '/';
+    return <Navigate to={redirectTarget} replace />;
+  }
+  return children;
+};
+```
+
+Wrap admin-only routes (user management, system settings) with `<RequireRole allowed={['admin']}>`.
+
+For pass-through users, redirect all management routes to a minimal landing page:
+
+```tsx
+// frontend/src/pages/PassthroughLanding.tsx
+// Minimal page: "You are logged in. Your session grants access to authorized services."
+// Shows: user name, logout button, change password link, optionally a list of accessible hosts.
+// Route: /passthrough (must be registered in App.tsx router)
+//
+// Accessibility requirements (WCAG 2.2 AA):
+// - Use semantic HTML: <main>, <h1>, <nav>
+// - Logout button must be keyboard focusable
+// - Announce page purpose via <title> and <h1>
+// - Sufficient color contrast on all text (4.5:1 minimum)
+```
+
+#### 3.4.5 Auth Context Update
+
+Update the `User` interface in `AuthContextValue.ts`:
+
+```tsx
+export interface User {
+  user_id: number;
+  role: 'admin' | 'user' | 'passthrough';
+  name?: string;
+  email?: string;
+}
+```
+
+#### 3.4.6 API Types Consolidation
+
+Merge `frontend/src/api/user.ts` into `frontend/src/api/users.ts`:
+
+- Move `UserProfile` interface into `users.ts` (or inline it).
+- Keep `getProfile()`, `updateProfile()`, `regenerateApiKey()` functions in `users.ts`.
+- Delete `user.ts`.
+
+Update the `User` role type:
+
+```tsx
+role: 'admin' | 'user' | 'passthrough'
+```
+
+#### 3.4.7 Translation Keys
+
+Add to `frontend/src/locales/en/translation.json`:
+
+```json
+"users.rolePassthrough": "Pass-through",
+"users.rolePassthroughDescription": "Can access proxied services only — no Charon management access",
+"users.roleUserDescription": "Can view Charon management UI with limited permissions",
+"users.roleAdminDescription": "Full access to all Charon features and settings",
+"users.myProfile": "My Profile",
+"users.editUser": "Edit User",
+"users.changePassword": "Change Password",
+"users.apiKey": "API Key",
+"users.regenerateApiKey": "Regenerate API Key",
+"navigation.users": "Users",
+"passthrough.title": "Welcome to Charon",
+"passthrough.description": "Your session grants access to authorized services through the reverse proxy.",
+"passthrough.noAccessToManagement": "You do not have access to the management interface."
+```
+
+Remove:
+```json
+"navigation.adminAccount"  → delete
+```
+
+Rename:
+```json
+"navigation.accountManagement" → "navigation.users"
+```
+
+### 3.5 Forward Auth & Pass-through Integration
+
+The existing `Verify()` handler in `auth_handler.go` already handles pass-through users correctly:
+
+1. User logs in → gets JWT with `role: "passthrough"`.
+2. User's browser sends cookie with each request to proxied services.
+3. Caddy's `forward_auth` calls `GET /api/v1/auth/verify`.
+4. `Verify()` authenticates the token, checks `user.CanAccessHost(hostID)`.
+5. Pass-through users have `permission_mode` + `permitted_hosts` just like regular users.
+
+**No changes needed to the forward auth flow.** The `CanAccessHost()` method already handles non-admin roles correctly.
+
+**Note on X-Forwarded-Groups header:** The `Verify()` handler currently sets `X-Auth-User` headers for upstream services. It does NOT expose the user's role via `X-Forwarded-Groups` or similar headers. For this iteration, the pass-through role is **not exposed** to upstream services — they only see the authenticated user identity. If upstream services need to differentiate pass-through from regular users, a future enhancement can add `X-Auth-Role` headers.
+
+### 3.6 Error Handling & Edge Cases
+
+| Scenario | Expected Behavior | Status |
+|----------|-------------------|--------|
+| Admin demotes themselves | Prevent — return 400 "Cannot change your own role" | **Needs implementation** |
+| Admin disables themselves | Prevent — return 400 "Cannot disable your own account" | **Needs implementation** |
+| Last admin is demoted | Prevent — return 400 "At least one admin must exist". **Must use a DB transaction** around the count-check-and-update to prevent race conditions (see section 3.6.1). | **Needs implementation** |
+| Concurrent demotion of last two admins | DB transaction serializes the check — second request fails atomically | **Needs implementation** |
+| Pass-through user accesses `/api/v1/users` | Return 403 "pass-through users cannot access management features" | **Needs implementation** |
+| Pass-through user accesses Charon UI routes | Frontend redirects to `/passthrough` landing page (NOT `/` which would loop) | **Needs implementation** |
+| User with active session has role changed | `InvalidateSessions(user.ID)` **must be called** in `UpdateUser()` when role changes — **not currently implemented** (see Task 2.6) | **Needs implementation** |
+| Non-admin edits own record via `PUT /users/:id` | Handler **must reject** changes to `role`, `enabled`, or `permissions` fields — only `name`, `email` (with password verification), and `password` are self-editable (see Task 2.11) | **Needs implementation** |
+| Invite with `role: "passthrough"` | Valid — creates pending pass-through user | **Needs validation** |
+| Pass-through user changes own password | Allowed via `/auth/change-password` (exempt from management middleware) | Already works |
+
+#### 3.6.1 Last-Admin Race Condition Protection
+
+Two concurrent demotion requests could both pass the admin count check before either commits. SQLite serializes writes, but the spec mandates a transaction for correctness by design:
+
+```go
+func (h *UserHandler) updateUserRole(tx *gorm.DB, userID uint, newRole models.UserRole, currentUser uint) error {
+    // Must run inside a transaction to prevent race conditions
+    return tx.Transaction(func(inner *gorm.DB) error {
+        // 1. Prevent self-demotion
+        if userID == currentUser {
+            return fmt.Errorf("cannot change your own role")
+        }
+
+        // 2. If demoting from admin, check admin count atomically
+        var user models.User
+        if err := inner.First(&user, userID).Error; err != nil {
+            return err
+        }
+
+        if user.Role == models.RoleAdmin && newRole != models.RoleAdmin {
+            var adminCount int64
+            if err := inner.Model(&models.User{}).Where("role = ?", models.RoleAdmin).Count(&adminCount).Error; err != nil {
+                return err
+            }
+            if adminCount <= 1 {
+                return fmt.Errorf("at least one admin must exist")
+            }
+        }
+
+        // 3. Update role
+        if err := inner.Model(&user).Update("role", string(newRole)).Error; err != nil {
+            return err
+        }
+
+        return nil
+    })
+}
+```
+
+After the transaction succeeds, the handler calls `authService.InvalidateSessions(userID)` to revoke existing JWTs.
+
+### 3.6.2 User Tier Permission Matrix
+
+Complete access matrix for all protected route groups by role:
+
+| Route Group | Admin | User | Pass-through |
+|-------------|-------|------|--------------|
+| `/auth/logout`, `/auth/refresh`, `/auth/me` | Full | Full | Full |
+| `/auth/change-password` | Full | Full | Full |
+| `/auth/accessible-hosts`, `/auth/check-host/:hostId` | Full | Full | Full |
+| `/user/profile` (GET, POST) | Full | Full | **Blocked** |
+| `/user/api-key` (POST) | Full | Full | **Blocked** |
+| `/users` (list, create, invite) | Full | **Blocked** | **Blocked** |
+| `/users/:id` (get, update, delete) | Full | **Blocked** (except self-edit of own name/email/password) | **Blocked** |
+| `/users/:id/permissions` | Full | **Blocked** | **Blocked** |
+| `/proxy/*` (all proxy host routes) | Full | **Read-only** | **Blocked** |
+| `/certificates/*` | Full | **Read-only** | **Blocked** |
+| `/dns/*` | Full | **Read-only** | **Blocked** |
+| `/uptime/*` | Full | **Read-only** | **Blocked** |
+| `/settings/*` (system, SMTP, encryption) | Full | **Blocked** | **Blocked** |
+| `/backup/*` | Full | **Blocked** | **Blocked** |
+| `/logs/*` | Full | **Read-only** | **Blocked** |
+| `/security/*` | Full | **Blocked** | **Blocked** |
+| `/features/*` | Full | **Blocked** | **Blocked** |
+| `/plugins/*` | Full | **Blocked** | **Blocked** |
+| `/system/*` | Full | **Blocked** | **Blocked** |
+
+**Enforcement strategy:** Pass-through blocking is handled by `RequireManagementAccess` middleware. User-tier read-only vs blocked distinctions are enforced by existing inline `requireAdmin()` checks, which will be consolidated to use `UserRole` constants. A future PR may extract these into dedicated middleware, but for this iteration the inline checks remain.
+
+#### 3.6.3 Pass-through Self-Service Scope
+
+Pass-through users have the **most restricted** self-service access. They can access:
+- `/auth/logout` — end their session
+- `/auth/refresh` — refresh their JWT
+- `/auth/me` — view their own identity
+- `/auth/change-password` — change their own password
+
+Pass-through users **cannot** access:
+- `/user/profile` — no profile editing (name/email changes are not applicable)
+- `/user/api-key` — no API key management
+
+This means the exempt route group must further restrict `/user/*` endpoints for pass-through users. Implementation: the `/user/profile` and `/user/api-key` endpoints remain in the exempt group (accessible to admin and user roles) but add an inline check that rejects pass-through callers:
+
+```go
+func (h *UserHandler) GetProfile(c *gin.Context) {
+    role, _ := c.Get("role")
+    if role == string(models.RolePassthrough) {
+        c.JSON(http.StatusForbidden, gin.H{"error": "pass-through users cannot access profile management"})
+        return
+    }
+    // ... existing logic
+}
+```
+
+### 3.7 Data Flow Diagram
+
+```
+┌─────────────┐    Login     ┌─────────┐    JWT Cookie     ┌───────────┐
+│  Browser    │──────────────▶│ Charon  │──────────────────▶│  Caddy    │
+│  (User)     │              │ Backend │                   │  Proxy    │
+└──────┬──────┘              └────┬────┘                   └─────┬─────┘
+       │                         │                               │
+       │  Admin/User Role        │                               │
+       │  ───────────────▶       │                               │
+       │  Charon UI pages        │                               │
+       │                         │                               │
+       │  Pass-through Role      │  forward_auth                 │
+       │  ───────────────▶       │◀──────────────────────────────┤
+       │  Landing page only      │  GET /auth/verify             │
+       │                         │  → 200 OK (access granted)    │
+       │                         │  → 403 (access denied)        │
+       │                         │                               │
+       │◀────────────────────────┤◀──────────────────────────────┤
+       │  Proxied service        │  Proxy pass to upstream       │
+       │  response               │                               │
+```
+
+---
+
+## 4. Implementation Plan
+
+### Phase 1: E2E Tests (Write-First)
+
+Write Playwright tests for the CURRENT behavior so we have a regression baseline. Then update them for the new design.
+
+| Task | Description | Files |
+|------|-------------|-------|
+| 1.1 | Write E2E tests for current Account page (`/settings/account`) | `tests/account.spec.ts` |
+| 1.2 | Write E2E tests for current Users page (`/settings/account-management`) | `tests/users.spec.ts` |
+| 1.3 | Write E2E tests for invite flow (invite → accept → login) | `tests/user-invite.spec.ts` |
+| 1.4 | Update tests to match the consolidated design (new routes, new role options, pass-through behavior) | All above files |
+
+### Phase 2: Backend Implementation
+
+| Task | Description | Files | Dependencies |
+|------|-------------|-------|-------------|
+| 2.1 | Add `UserRole` type with constants and `IsValid()` method | `backend/internal/models/user.go` | None |
+| 2.2 | Change `User.Role` field type from `string` to `UserRole` | `backend/internal/models/user.go` | 2.1 |
+| 2.3 | Add data migration for `"viewer"` → `"passthrough"` | `backend/internal/api/routes/routes.go` (AutoMigrate block) | 2.1 |
+| 2.4 | Add `RequireManagementAccess()` middleware | `backend/internal/api/middleware/auth.go` | 2.1 |
+| 2.5 | Apply middleware to protected routes, exempt self-service + auth endpoints | `backend/internal/api/routes/routes.go` | 2.4 |
+| 2.6 | **[HIGH SEVERITY]** Update `UpdateUser()`: (a) validate role against `UserRole.IsValid()`, (b) **call `authService.InvalidateSessions(user.ID)` when the `role` field changes**, (c) validate role in `CreateUser()` and `InviteUser()` | `backend/internal/api/handlers/user_handler.go` | 2.1 |
+| 2.7 | Add self-demotion and last-admin protection to `UpdateUser()` using a **DB transaction** around the admin count check-and-update (see section 3.6.1 for reference implementation) | `backend/internal/api/handlers/user_handler.go` | 2.1 |
+| 2.8 | Update `RequireRole()` middleware — note: current signature is `func RequireRole(role string)` (single argument, not variadic). Update to accept `UserRole` type: `func RequireRole(role models.UserRole)` | `backend/internal/api/middleware/auth.go` | 2.1 |
+| 2.9 | Update all inline `role != "admin"` checks to use `UserRole` constants. **Including `CanAccessHost()` in `user.go`** which currently hardcodes `"admin"` string — update to use `models.RoleAdmin`. | `backend/internal/api/handlers/permission_helpers.go`, `user_handler.go`, `backend/internal/models/user.go` | 2.1 |
+| 2.10 | Update existing Go unit tests for role changes | `backend/internal/models/user_test.go`, handler tests | 2.1–2.9 |
+| 2.11 | **[PRIVILEGE ESCALATION GUARD]** Add field-level protection in `UpdateUser()`: when the caller is NOT an admin editing another user's record (i.e., a non-admin editing their own record via `PUT /users/:id`), the handler **must reject** any attempt to modify `role`, `enabled`, or permission fields. Only `name`, `email` (with password verification), and `password` are self-editable. | `backend/internal/api/handlers/user_handler.go` | 2.6 |
+
+### Phase 3: Frontend Implementation
+
+| Task | Description | Files | Dependencies |
+|------|-------------|-------|-------------|
+| 3.1 | Update `User` role type in `api/users.ts` to include `'passthrough'` | `frontend/src/api/users.ts` | None |
+| 3.2 | Merge `api/user.ts` functions into `api/users.ts` | `frontend/src/api/users.ts`, delete `frontend/src/api/user.ts` | 3.1 |
+| 3.3 | Update `AuthContextValue.ts` `User` interface role type | `frontend/src/context/AuthContextValue.ts` | None |
+| 3.4 | Create `RequireRole` component | `frontend/src/components/RequireRole.tsx` | 3.3 |
+| 3.5 | Create `PassthroughLanding` page | `frontend/src/pages/PassthroughLanding.tsx` | 3.3 |
+| 3.6 | Add `UserDetailModal` component to `UsersPage.tsx` (inline profile editing, password, API key) | `frontend/src/pages/UsersPage.tsx` | 3.1, 3.2 |
+| 3.7 | Add "My Profile" section/card to `UsersPage` | `frontend/src/pages/UsersPage.tsx` | 3.6 |
+| 3.8 | Update `InviteModal` — add `'passthrough'` to role select with descriptions | `frontend/src/pages/UsersPage.tsx` | 3.1 |
+| 3.9 | Update user table — pass-through badge, edit actions, admin row interactivity | `frontend/src/pages/UsersPage.tsx` | 3.1 |
+| 3.10 | Delete `Account.tsx` page | Delete `frontend/src/pages/Account.tsx` | 3.6, 3.7 |
+| 3.11 | Update routes in `App.tsx` — remove old paths, add redirects, add pass-through routing | `frontend/src/App.tsx` | 3.4, 3.5, 3.10 |
+| 3.12 | Update sidebar navigation in `Layout.tsx` — single "Users" entry | `frontend/src/components/Layout.tsx` | 3.11 |
+| 3.13 | Update Settings tab bar in `Settings.tsx` — replace "Account" with "Users" | `frontend/src/pages/Settings.tsx` | 3.11 |
+| 3.14 | Add role-based navigation hiding (pass-through sees minimal nav, user sees limited nav) | `frontend/src/components/Layout.tsx` | 3.3, 3.4 |
+| 3.15 | Add translation keys for pass-through role, descriptions, landing page | `frontend/src/locales/en/translation.json` (and other locale files) | None |
+| 3.16 | Update frontend unit tests (`Account.test.tsx`, `Settings.test.tsx`, `useAuth.test.tsx`) | Various `__tests__/` files | 3.10–3.14 |
+| 3.17 | **Audit all locale directories** for stale keys. Remove `navigation.adminAccount` and any other orphaned keys from ALL locales (not just English). Verify all new keys (`users.rolePassthrough`, `passthrough.*`, etc.) are added to every locale file with at least the English fallback. | All files in `frontend/src/locales/*/translation.json` | 3.15 |
+| 3.18 | **Accessibility requirements** for new components: (a) `PassthroughLanding` — semantic landmarks (`<main>`, `<h1>`), sufficient contrast, keyboard-operable logout button. (b) `UserDetailModal` — focus trap, Escape to close, `aria-modal="true"`, `role="dialog"`, `aria-labelledby` pointing to modal title heading. (c) `RequireRole` redirect must not cause focus loss — ensure redirected page receives focus on its `<h1>` or `<main>`. | `PassthroughLanding.tsx`, `UsersPage.tsx`, `RequireRole.tsx` | 3.4, 3.5, 3.6 |
+
+### Phase 4: Integration & Validation
+
+| Task | Description |
+|------|-------------|
+| 4.1 | Run updated E2E tests against consolidated page |
+| 4.2 | Test pass-through login flow end-to-end (login → redirect → forward auth working) |
+| 4.3 | Test role change flows (admin → user, user → passthrough, passthrough → admin) |
+| 4.4 | Test last-admin protection (cannot demote or delete the last admin) |
+| 4.5 | Test invite flow with all three roles |
+| 4.6 | Verify forward auth still works correctly for all roles |
+| 4.7 | Run full backend test suite |
+| 4.8 | Run full frontend test suite |
+| 4.9 | Generate coverage reports |
+
+### Phase 5: Documentation & Cleanup
+
+| Task | Description |
+|------|-------------|
+| 5.1 | Update `docs/features.md` with privilege tier documentation |
+| 5.2 | Update `CHANGELOG.md` |
+| 5.3 | Remove unused translation keys |
+| 5.4 | Review `.gitignore` and `codecov.yml` for any needed updates |
+| 5.5 | Archive this plan to `docs/plans/` with completion status |
+
+---
+
+## 5. Acceptance Criteria
+
+### 5.1 Functional Requirements
+
+| ID | Requirement (EARS) | Verification |
+|----|-------------------|-------------|
+| F1 | WHEN an admin navigates to `/settings/users`, THE SYSTEM SHALL display a table listing ALL users including the admin's own account. | E2E test |
+| F2 | WHEN an admin clicks "Edit" on any user row, THE SYSTEM SHALL open a detail modal showing name, email, role, permissions, enabled state, and (for self) password change and API key management. | E2E test |
+| F3 | WHEN an admin invites a user, THE SYSTEM SHALL offer three role options: Admin, User, and Pass-through. | E2E test |
+| F4 | WHEN a pass-through user logs in, THE SYSTEM SHALL redirect them to a minimal landing page and block access to all management routes. | E2E test |
+| F5 | WHEN a pass-through user's browser sends a request through Caddy with a valid session, THE SYSTEM SHALL evaluate `CanAccessHost()` and return 200 or 403 via the forward auth endpoint. | Integration test |
+| F6 | WHEN an admin attempts to demote themselves, THE SYSTEM SHALL reject the request with a 400 error. | Backend unit test |
+| F7 | WHEN an admin attempts to demote the last remaining admin, THE SYSTEM SHALL reject the request with a 400 error. | Backend unit test |
+| F8 | WHEN a user navigates to `/settings/account`, THE SYSTEM SHALL redirect to `/settings/users`. | E2E test |
+| F9 | WHEN a user (non-admin) is logged in, THE SYSTEM SHALL hide admin-only navigation items (user management, system settings). | E2E test |
+| F10 | THE SYSTEM SHALL provide self-service profile management (name, email, password, API key) accessible to all non-passthrough roles from the Users page. | E2E test |
+
+### 5.2 Non-Functional Requirements
+
+| ID | Requirement | Verification |
+|----|------------|-------------|
+| NF1 | THE SYSTEM SHALL maintain backward compatibility — existing JWTs with `role: "user"` or `role: "admin"` continue working without user action. | Manual test |
+| NF2 | THE SYSTEM SHALL require no database migration — the `UserRole` type alias does not alter the SQLite schema. | AutoMigrate verification |
+| NF3 | All new UI components SHALL meet WCAG 2.2 Level AA accessibility standards. | Lighthouse/manual audit |
+
+---
+
+## 6. PR Slicing Strategy
+
+### 6.1 Decision: Multiple PRs
+
+**Trigger reasons:**
+- Cross-domain changes (backend model + middleware + frontend pages + navigation + tests)
+- High review complexity if combined (~30+ files changed)
+- Independent validation gates per slice reduce risk
+- Backend changes can be deployed and verified before frontend changes land
+
+### 6.2 PR Slices
+
+#### PR-1: Backend Role System & Middleware
+
+**Scope:** Introduce `UserRole` type, role validation, `RequireManagementAccess` middleware, last-admin protection, data migration.
+
+**Files:**
+- `backend/internal/models/user.go` — `UserRole` type, constants, `IsValid()`
+- `backend/internal/api/middleware/auth.go` — `RequireManagementAccess()` middleware
+- `backend/internal/api/routes/routes.go` — apply middleware, data migration in AutoMigrate
+- `backend/internal/api/handlers/user_handler.go` — role validation, self-demotion protection, last-admin check
+- `backend/internal/api/handlers/permission_helpers.go` — use `UserRole` constants
+- `backend/internal/models/user_test.go` — tests for new role logic
+- Handler test files — updated for new validation
+
+**Dependencies:** None (standalone backend change).
+
+**Validation gate:** All Go unit tests pass. Manual verification: `POST /users/invite` with `role: "passthrough"` succeeds; pass-through user cannot access `GET /users`.
+
+**Rollback:** Revert PR. No schema changes to undo.
+
+#### PR-2a: Frontend Structural Changes
+
+**Scope:** File merges, deletions, route restructuring, navigation consolidation. No new behavioral components.
+
+**Files:**
+- `frontend/src/pages/Account.tsx` — **deleted**
+- `frontend/src/api/user.ts` — **deleted** (merged into `users.ts`)
+- `frontend/src/api/users.ts` — merged functions + updated types (add `'passthrough'` to role type)
+- `frontend/src/App.tsx` — updated routes + redirects for old paths
+- `frontend/src/components/Layout.tsx` — single "Users" nav entry, role-based nav hiding
+- `frontend/src/pages/Settings.tsx` — replace "Account" tab with "Users"
+- `frontend/src/context/AuthContextValue.ts` — updated User role type
+- `frontend/src/locales/*/translation.json` — key renames, removals, additions across ALL locales
+- Frontend unit test files — updated for removed components
+
+**Dependencies:** PR-1 must be merged first (backend must accept `"passthrough"` role).
+
+**Validation gate:** Frontend unit tests pass. Old routes redirect correctly. Navigation shows single "Users" entry. No regressions in existing functionality.
+
+**Rollback:** Revert PR. Old routes and Account page restored.
+
+#### PR-2b: Frontend Behavioral Changes
+
+**Scope:** New components and behavioral features — detail modal, profile section, pass-through landing, RequireRole guard.
+
+**Files:**
+- `frontend/src/components/RequireRole.tsx` — **new** (with role-aware redirect logic)
+- `frontend/src/pages/PassthroughLanding.tsx` — **new** (routed at `/passthrough`)
+- `frontend/src/pages/UsersPage.tsx` — add `UserDetailModal`, "My Profile" section, pass-through badge, role selector with descriptions
+- `frontend/src/App.tsx` — add `/passthrough` route, wrap admin routes with `RequireRole`
+- Frontend unit test files — tests for new components
+
+**Dependencies:** PR-2a must be merged first.
+
+**Validation gate:** Frontend unit tests pass. Pass-through user redirected to `/passthrough` (not `/`). Admin-only routes blocked for non-admin roles. Detail modal opens/closes correctly with focus trap.
+
+**Rollback:** Revert PR. Structural changes from PR-2a remain intact.
+
+#### PR-3: E2E Tests
+
+**Scope:** Playwright E2E tests for the consolidated user management flow.
+
+**Files:**
+- `tests/users.spec.ts` — **new**: user list, invite flow, role assignment, permissions, inline editing
+- `tests/user-invite.spec.ts` — **new**: invite → accept → login flow for all roles
+- `tests/passthrough.spec.ts` — **new**: pass-through login → landing → no management access
+
+**Dependencies:** PR-1, PR-2a, and PR-2b must be merged.
+
+**Validation gate:** All E2E tests pass on Firefox, Chromium, and WebKit.
+
+**Rollback:** Revert PR (test-only, no production impact).
+
+### 6.3 Contingency Notes
+
+- If PR-1 causes unexpected JWT issues in production, the `UserRole` type is a string alias — reverting just means removing the type and going back to raw strings. No data loss.
+- PR-2 is **committed to a split** into PR-2a and PR-2b (see section 6.2 for details).
+- The top-level `/users` route currently duplicates `/settings/account-management`. The redirect in PR-2a handles this, but if external tools link to `/users`, the redirect ensures continuity.
+
+---
+
+## 7. Complexity Estimates
+
+| Component | Estimate | Rationale |
+|-----------|----------|-----------|
+| PR-1: Backend role system | **Medium** | New type + middleware + validation + transaction-based protection + session invalidation. Well-scoped. ~10 files. |
+| PR-2a: Frontend structural | **Medium** | File merges/deletes, route restructuring, nav consolidation. ~10 files. |
+| PR-2b: Frontend behavioral | **Medium** | New components (RequireRole, PassthroughLanding, UserDetailModal), role-aware routing. ~8 files. |
+| PR-3: E2E tests | **Medium** | 3 new test files, requires running Docker environment. |
+| **Total** | **Large** | Touches backend models, middleware, handlers, frontend pages, components, navigation, API client, translations, and tests. Split across 4 PRs for safer review. |
diff --git a/frontend/src/App.tsx b/frontend/src/App.tsx
index 343225da..8c5d387b 100644
--- a/frontend/src/App.tsx
+++ b/frontend/src/App.tsx
@@ -101,7 +101,7 @@ export default function App() {
               <Route path="import" element={<Navigate to="/tasks/import/caddyfile" replace />} />
 
               {/* Settings Routes */}
-              <Route path="settings" element={<Settings />}>
+              <Route path="settings" element={<RequireRole allowed={['admin', 'user']}><Settings /></RequireRole>}>
                 <Route index element={<SystemSettings />} />
                 <Route path="system" element={<SystemSettings />} />
                 <Route path="notifications" element={<Notifications />} />
diff --git a/frontend/src/hooks/useFocusTrap.ts b/frontend/src/hooks/useFocusTrap.ts
new file mode 100644
index 00000000..299382ed
--- /dev/null
+++ b/frontend/src/hooks/useFocusTrap.ts
@@ -0,0 +1,47 @@
+import { useEffect, type RefObject } from 'react'
+
+const FOCUSABLE_SELECTOR =
+  'button, [href], input, select, textarea, [tabindex]:not([tabindex="-1"])'
+
+export function useFocusTrap(
+  dialogRef: RefObject<HTMLElement | null>,
+  isOpen: boolean,
+  onEscape?: () => void,
+) {
+  useEffect(() => {
+    if (!isOpen) return
+
+    const handleKeyDown = (e: KeyboardEvent) => {
+      if (e.key === 'Escape' && onEscape) {
+        onEscape()
+        return
+      }
+
+      if (e.key === 'Tab' && dialogRef.current) {
+        const focusable =
+          dialogRef.current.querySelectorAll<HTMLElement>(FOCUSABLE_SELECTOR)
+        if (focusable.length === 0) return
+
+        const first = focusable[0]
+        const last = focusable[focusable.length - 1]
+
+        if (e.shiftKey && document.activeElement === first) {
+          e.preventDefault()
+          last.focus()
+        } else if (!e.shiftKey && document.activeElement === last) {
+          e.preventDefault()
+          first.focus()
+        }
+      }
+    }
+
+    document.addEventListener('keydown', handleKeyDown)
+
+    requestAnimationFrame(() => {
+      const first = dialogRef.current?.querySelector<HTMLElement>(FOCUSABLE_SELECTOR)
+      first?.focus()
+    })
+
+    return () => document.removeEventListener('keydown', handleKeyDown)
+  }, [isOpen, onEscape, dialogRef])
+}
diff --git a/frontend/src/pages/PassthroughLanding.tsx b/frontend/src/pages/PassthroughLanding.tsx
index 33a619c3..fab15f6c 100644
--- a/frontend/src/pages/PassthroughLanding.tsx
+++ b/frontend/src/pages/PassthroughLanding.tsx
@@ -1,3 +1,4 @@
+import { useEffect, useRef } from 'react'
 import { useTranslation } from 'react-i18next'
 import { useAuth } from '../hooks/useAuth'
 import { Button } from '../components/ui/Button'
@@ -7,6 +8,11 @@ import { Shield, LogOut } from 'lucide-react'
 export default function PassthroughLanding() {
   const { t } = useTranslation()
   const { user, logout } = useAuth()
+  const headingRef = useRef<HTMLHeadingElement>(null)
+
+  useEffect(() => {
+    headingRef.current?.focus()
+  }, [])
 
   return (
     <div className="min-h-screen bg-light-bg dark:bg-dark-bg flex items-center justify-center p-4">
@@ -19,7 +25,12 @@ export default function PassthroughLanding() {
           </div>
 
           <div className="space-y-2">
-            <h1 id="passthrough-heading" className="text-2xl font-bold text-gray-900 dark:text-white">
+            <h1
+              id="passthrough-heading"
+              ref={headingRef}
+              tabIndex={-1}
+              className="text-2xl font-bold text-gray-900 dark:text-white outline-none"
+            >
               {t('passthrough.title')}
             </h1>
             {user?.name && (
@@ -37,16 +48,14 @@ export default function PassthroughLanding() {
             {t('passthrough.noAccessToManagement')}
           </p>
 
-          <nav aria-label={t('passthrough.title')}>
-            <Button
-              onClick={logout}
-              variant="secondary"
-              className="w-full"
-            >
-              <LogOut className="h-4 w-4 mr-2" aria-hidden="true" />
-              {t('auth.logout')}
-            </Button>
-          </nav>
+          <Button
+            onClick={logout}
+            variant="secondary"
+            className="w-full"
+          >
+            <LogOut className="h-4 w-4 mr-2" aria-hidden="true" />
+            {t('auth.logout')}
+          </Button>
         </Card>
       </main>
     </div>
diff --git a/frontend/src/pages/UsersPage.tsx b/frontend/src/pages/UsersPage.tsx
index 714f07f9..de00bad9 100644
--- a/frontend/src/pages/UsersPage.tsx
+++ b/frontend/src/pages/UsersPage.tsx
@@ -1,4 +1,5 @@
 import { useState, useEffect, useCallback, useRef } from 'react'
+import { useFocusTrap } from '../hooks/useFocusTrap'
 import { useTranslation } from 'react-i18next'
 import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query'
 import { Link } from 'react-router-dom'
@@ -55,6 +56,7 @@ interface InviteModalProps {
 function InviteModal({ isOpen, onClose, proxyHosts }: InviteModalProps) {
   const { t } = useTranslation()
   const queryClient = useQueryClient()
+  const dialogRef = useRef<HTMLDivElement>(null)
   const [email, setEmail] = useState('')
   const [emailError, setEmailError] = useState<string | null>(null)
   const [role, setRole] = useState<'user' | 'admin' | 'passthrough'>('user')
@@ -92,19 +94,7 @@ function InviteModal({ isOpen, onClose, proxyHosts }: InviteModalProps) {
     return true
   }
 
-  // Keyboard navigation - close on Escape
-  useEffect(() => {
-    const handleKeyDown = (e: KeyboardEvent) => {
-      if (e.key === 'Escape') {
-        onClose()
-      }
-    }
-
-    if (isOpen) {
-      document.addEventListener('keydown', handleKeyDown)
-      return () => document.removeEventListener('keydown', handleKeyDown)
-    }
-  }, [isOpen, onClose])
+  useFocusTrap(dialogRef, isOpen, onClose)
 
   // Fetch preview when email changes
   useEffect(() => {
@@ -204,6 +194,7 @@ function InviteModal({ isOpen, onClose, proxyHosts }: InviteModalProps) {
 
         {/* Layer 3: Form content (pointer-events-auto) */}
         <div
+          ref={dialogRef}
           className="bg-dark-card border border-gray-800 rounded-lg w-full max-w-lg max-h-[90vh] overflow-y-auto pointer-events-auto"
           role="dialog"
           aria-modal="true"
@@ -425,6 +416,7 @@ interface PermissionsModalProps {
 function PermissionsModal({ isOpen, onClose, user, proxyHosts }: PermissionsModalProps) {
   const { t } = useTranslation()
   const queryClient = useQueryClient()
+  const dialogRef = useRef<HTMLDivElement>(null)
   const [permissionMode, setPermissionMode] = useState<PermissionMode>('allow_all')
   const [selectedHosts, setSelectedHosts] = useState<number[]>([])
 
@@ -436,23 +428,11 @@ function PermissionsModal({ isOpen, onClose, user, proxyHosts }: PermissionsModa
     }
   }, [user])
 
-  // Keyboard navigation - close on Escape
   const handleClose = useCallback(() => {
     onClose()
   }, [onClose])
 
-  useEffect(() => {
-    const handleKeyDown = (e: KeyboardEvent) => {
-      if (e.key === 'Escape') {
-        handleClose()
-      }
-    }
-
-    if (isOpen) {
-      document.addEventListener('keydown', handleKeyDown)
-      return () => document.removeEventListener('keydown', handleKeyDown)
-    }
-  }, [isOpen, handleClose])
+  useFocusTrap(dialogRef, isOpen, handleClose)
 
   const updatePermissionsMutation = useMutation({
     mutationFn: async () => {
@@ -492,6 +472,7 @@ function PermissionsModal({ isOpen, onClose, user, proxyHosts }: PermissionsModa
 
         {/* Layer 3: Form content (pointer-events-auto) */}
         <div
+          ref={dialogRef}
           className="bg-dark-card border border-gray-800 rounded-lg w-full max-w-lg max-h-[90vh] overflow-y-auto pointer-events-auto"
           role="dialog"
           aria-modal="true"
@@ -624,44 +605,7 @@ function UserDetailModal({ isOpen, onClose, user, isSelf }: UserDetailModalProps
     }
   }, [profile])
 
-  // Focus trap and Escape handling
-  useEffect(() => {
-    if (!isOpen) return
-
-    const handleKeyDown = (e: KeyboardEvent) => {
-      if (e.key === 'Escape') {
-        onClose()
-        return
-      }
-      // Focus trap
-      if (e.key === 'Tab' && dialogRef.current) {
-        const focusable = dialogRef.current.querySelectorAll<HTMLElement>(
-          'button, [href], input, select, textarea, [tabindex]:not([tabindex="-1"])'
-        )
-        if (focusable.length === 0) return
-        const first = focusable[0]
-        const last = focusable[focusable.length - 1]
-        if (e.shiftKey && document.activeElement === first) {
-          e.preventDefault()
-          last.focus()
-        } else if (!e.shiftKey && document.activeElement === last) {
-          e.preventDefault()
-          first.focus()
-        }
-      }
-    }
-
-    document.addEventListener('keydown', handleKeyDown)
-    // Focus first focusable element on open
-    requestAnimationFrame(() => {
-      const first = dialogRef.current?.querySelector<HTMLElement>(
-        'button, [href], input, select, textarea, [tabindex]:not([tabindex="-1"])'
-      )
-      first?.focus()
-    })
-
-    return () => document.removeEventListener('keydown', handleKeyDown)
-  }, [isOpen, onClose])
+  useFocusTrap(dialogRef, isOpen, onClose)
 
   const profileMutation = useMutation({
     mutationFn: async () => {