From e2d3e389f3a1c18df08043a6ec1b6fdc8b897e75 Mon Sep 17 00:00:00 2001
From: kyy <b24053@hanmaceng.co.kr>
Date: Wed, 4 Mar 2026 13:09:41 +0900
Subject: [PATCH 1/8] =?UTF-8?q?=EC=97=AD=ED=95=A0=20=EC=A0=84=ED=99=98=20E?=
 =?UTF-8?q?2E=20=EB=B0=8F=20=EA=B6=8C=ED=95=9C=20=EC=95=88=EB=82=B4=20?=
 =?UTF-8?q?=EA=B2=80=EC=A6=9D=20=ED=85=8C=EC=8A=A4=ED=8A=B8=20=EC=B6=94?=
 =?UTF-8?q?=EA=B0=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 devfront/package.json                         |   1 +
 .../tests/devfront-role-switch-report.spec.ts | 141 ++++++++++++++++++
 devfront/tests/devfront-security.spec.ts      |  12 +-
 devfront/tests/helpers/devfront-fixtures.ts   |  56 +++----
 devfront/tests/helpers/evidence.ts            |  24 +++
 5 files changed, 207 insertions(+), 27 deletions(-)
 create mode 100644 devfront/tests/devfront-role-switch-report.spec.ts
 create mode 100644 devfront/tests/helpers/evidence.ts

diff --git a/devfront/package.json b/devfront/package.json
index a8c53649..7db0ed87 100644
--- a/devfront/package.json
+++ b/devfront/package.json
@@ -9,6 +9,7 @@
     "lint": "biome check .",
     "preview": "vite preview",
     "test": "playwright test",
+    "test:roles": "playwright test tests/devfront-role-switch-report.spec.ts",
     "test:ui": "playwright test --ui"
   },
   "dependencies": {
diff --git a/devfront/tests/devfront-role-switch-report.spec.ts b/devfront/tests/devfront-role-switch-report.spec.ts
new file mode 100644
index 00000000..794564d7
--- /dev/null
+++ b/devfront/tests/devfront-role-switch-report.spec.ts
@@ -0,0 +1,141 @@
+import { expect, test } from "@playwright/test";
+import {
+  type AuditLog,
+  type Consent,
+  installDevApiMock,
+  makeClient,
+  seedAuth,
+} from "./helpers/devfront-fixtures";
+import { captureEvidence } from "./helpers/evidence";
+
+test.describe("DevFront role report", () => {
+  test.beforeEach(async ({ page }) => {
+    page.on("dialog", async (dialog) => {
+      await dialog.accept();
+    });
+  });
+
+  test("user(tenant_member) is blocked with 안내 문구", async ({
+    page,
+  }, testInfo) => {
+    await seedAuth(page, "user");
+    await installDevApiMock(page, {
+      clients: [],
+      consents: [] as Consent[],
+      auditLogs: [] as AuditLog[],
+    });
+
+    await page.goto("/clients");
+    await expect(
+      page.getByText(/관리자 전용 화면|administrator only/i),
+    ).toBeVisible();
+    await captureEvidence(page, testInfo, "role-user-blocked");
+  });
+
+  test("rp_admin sees only assigned Gitea app and its logs", async ({
+    page,
+  }, testInfo) => {
+    await seedAuth(page, "rp_admin");
+    const state = {
+      clients: [makeClient("gitea-client", { name: "Gitea" })],
+      consents: [] as Consent[],
+      auditLogs: [
+        {
+          event_id: "evt-rp-1",
+          timestamp: "2026-03-04T01:00:00.000Z",
+          user_id: "rp-admin-user",
+          event_type: "CLIENT_UPDATE",
+          status: "success" as const,
+          ip_address: "127.0.0.1",
+          user_agent: "playwright",
+          details: JSON.stringify({
+            action: "UPDATE_CLIENT",
+            target_id: "gitea-client",
+            tenant_id: "tenant-a",
+          }),
+        },
+      ] as AuditLog[],
+    };
+    await installDevApiMock(page, state);
+
+    await page.goto("/clients");
+    await expect(page.getByRole("link", { name: /Gitea/ })).toBeVisible();
+    await expect(page.getByText("gitea-client")).toBeVisible();
+    await captureEvidence(page, testInfo, "role-rp-admin-clients");
+
+    await page.goto("/audit-logs");
+    await expect(page.getByText("UPDATE_CLIENT")).toBeVisible();
+    await expect(page.getByText("gitea-client")).toBeVisible();
+    await captureEvidence(page, testInfo, "role-rp-admin-audit");
+  });
+
+  test("tenant_admin can manage tenant apps and see tenant logs", async ({
+    page,
+  }, testInfo) => {
+    await seedAuth(page, "tenant_admin");
+    const state = {
+      clients: [
+        makeClient("tenant-a-app-1", { name: "Tenant A CRM" }),
+        makeClient("tenant-a-app-2", { name: "Tenant A ERP" }),
+      ],
+      consents: [] as Consent[],
+      auditLogs: [] as AuditLog[],
+      auditLogsByCursor: undefined,
+    };
+    await installDevApiMock(page, state);
+
+    await page.goto("/clients");
+    await expect(page.getByText("Tenant A CRM")).toBeVisible();
+    await expect(page.getByText("Tenant A ERP")).toBeVisible();
+    await captureEvidence(page, testInfo, "role-tenant-admin-clients");
+
+    await page.goto("/clients/tenant-a-app-1/settings");
+    await page
+      .getByPlaceholder("My Awesome Application")
+      .fill("Tenant A CRM Updated");
+    await page.getByRole("button", { name: /^저장$|^Save$/i }).click();
+
+    await page.goto("/audit-logs");
+    await expect(page.getByText("UPDATE_CLIENT")).toBeVisible({
+      timeout: 30000,
+    });
+    await expect(page.getByText("tenant-a-app-1")).toBeVisible();
+    await captureEvidence(page, testInfo, "role-tenant-admin-audit");
+  });
+
+  test("super_admin sees all and can generate log entries", async ({
+    page,
+  }, testInfo) => {
+    await seedAuth(page, "super_admin");
+    const state = {
+      clients: [
+        makeClient("tenant-a-app", { name: "Tenant A App" }),
+        makeClient("tenant-b-app", { name: "Tenant B App" }),
+      ],
+      consents: [] as Consent[],
+      auditLogs: [] as AuditLog[],
+      auditLogsByCursor: undefined,
+    };
+    await installDevApiMock(page, state);
+
+    await page.goto("/clients");
+    await expect(page.getByText("Tenant A App")).toBeVisible();
+    await expect(page.getByText("Tenant B App")).toBeVisible();
+    await captureEvidence(page, testInfo, "role-super-admin-clients");
+
+    await page.goto("/clients/new");
+    await page
+      .getByPlaceholder("My Awesome Application")
+      .fill("Super Admin Created App");
+    await page
+      .getByPlaceholder(/https:\/\/app\.example\.com\/callback/i)
+      .fill("https://super-admin.example.com/callback");
+    await page.getByRole("button", { name: /앱 생성|Create/i }).click();
+
+    await page.goto("/audit-logs");
+    await expect(page.getByText("CREATE_CLIENT")).toBeVisible({
+      timeout: 30000,
+    });
+    await captureEvidence(page, testInfo, "role-super-admin-audit");
+  });
+});
diff --git a/devfront/tests/devfront-security.spec.ts b/devfront/tests/devfront-security.spec.ts
index 75e684df..f6c7cd1a 100644
--- a/devfront/tests/devfront-security.spec.ts
+++ b/devfront/tests/devfront-security.spec.ts
@@ -1,9 +1,9 @@
 import { expect, test } from "@playwright/test";
 import {
+  type Consent,
   installDevApiMock,
   makeClient,
   seedAuth,
-  type Consent,
 } from "./helpers/devfront-fixtures";
 
 test.describe("DevFront security and isolation", () => {
@@ -47,4 +47,14 @@ test.describe("DevFront security and isolation", () => {
     await expect(page.getByText("PKCE only app")).toBeVisible();
     await expect(page.getByText("Server side App")).not.toBeVisible();
   });
+
+  test("tenant_member user is blocked at AuthGuard", async ({ page }) => {
+    await seedAuth(page, "tenant_member");
+
+    await page.goto("/clients");
+    await expect(
+      page.getByText(/DevFront는 관리자 전용 화면입니다|administrator access/i),
+    ).toBeVisible();
+    await expect(page).toHaveURL(/\/clients$/);
+  });
 });
diff --git a/devfront/tests/helpers/devfront-fixtures.ts b/devfront/tests/helpers/devfront-fixtures.ts
index e2f092cc..fd154b43 100644
--- a/devfront/tests/helpers/devfront-fixtures.ts
+++ b/devfront/tests/helpers/devfront-fixtures.ts
@@ -70,35 +70,39 @@ export function makeClient(
   };
 }
 
-export async function seedAuth(page: Page) {
+export async function seedAuth(page: Page, role?: string) {
   const nowInSeconds = Math.floor(Date.now() / 1000);
 
-  await page.addInitScript((issuedAt) => {
-    const mockOidcUser = {
-      id_token: "playwright-id-token",
-      session_state: "playwright-session",
-      access_token: "playwright-access-token",
-      refresh_token: "playwright-refresh-token",
-      token_type: "Bearer",
-      scope: "openid profile email",
-      profile: {
-        sub: "playwright-user",
-        email: "playwright@example.com",
-        name: "Playwright User",
-      },
-      expires_at: issuedAt + 3600,
-    };
+  await page.addInitScript(
+    ({ issuedAt, injectedRole }) => {
+      const mockOidcUser = {
+        id_token: "playwright-id-token",
+        session_state: "playwright-session",
+        access_token: "playwright-access-token",
+        refresh_token: "playwright-refresh-token",
+        token_type: "Bearer",
+        scope: "openid profile email",
+        profile: {
+          sub: "playwright-user",
+          email: "playwright@example.com",
+          name: "Playwright User",
+          ...(injectedRole ? { role: injectedRole } : {}),
+        },
+        expires_at: issuedAt + 3600,
+      };
 
-    window.localStorage.setItem(
-      "oidc.user:http://localhost:5000/oidc:devfront",
-      JSON.stringify(mockOidcUser),
-    );
-    window.localStorage.setItem(
-      "oidc.user:http://localhost:5000/oidc/:devfront",
-      JSON.stringify(mockOidcUser),
-    );
-    window.localStorage.setItem("dev_tenant_id", "tenant-a");
-  }, nowInSeconds);
+      window.localStorage.setItem(
+        "oidc.user:http://localhost:5000/oidc:devfront",
+        JSON.stringify(mockOidcUser),
+      );
+      window.localStorage.setItem(
+        "oidc.user:http://localhost:5000/oidc/:devfront",
+        JSON.stringify(mockOidcUser),
+      );
+      window.localStorage.setItem("dev_tenant_id", "tenant-a");
+    },
+    { issuedAt: nowInSeconds, injectedRole: role ?? "" },
+  );
 }
 
 function json(route: Route, payload: unknown, status = 200) {
diff --git a/devfront/tests/helpers/evidence.ts b/devfront/tests/helpers/evidence.ts
new file mode 100644
index 00000000..a2507776
--- /dev/null
+++ b/devfront/tests/helpers/evidence.ts
@@ -0,0 +1,24 @@
+import type { Page, TestInfo } from "@playwright/test";
+
+function safeName(name: string): string {
+  return name
+    .trim()
+    .toLowerCase()
+    .replace(/[^a-z0-9-_]+/g, "-")
+    .replace(/-+/g, "-")
+    .replace(/^-|-$/g, "");
+}
+
+export async function captureEvidence(
+  page: Page,
+  testInfo: TestInfo,
+  name: string,
+) {
+  const filename = `${safeName(name)}.png`;
+  const fullPath = testInfo.outputPath(filename);
+  await page.screenshot({ path: fullPath, fullPage: true });
+  await testInfo.attach(name, {
+    path: fullPath,
+    contentType: "image/png",
+  });
+}

From 1b4b5d433f82b229743db2a7876f9734a4317772 Mon Sep 17 00:00:00 2001
From: kyy <b24053@hanmaceng.co.kr>
Date: Wed, 4 Mar 2026 13:13:54 +0900
Subject: [PATCH 2/8] =?UTF-8?q?=EC=97=AD=ED=95=A0=20=EB=9D=BC=EB=B2=A8=20?=
 =?UTF-8?q?=EB=B0=8F=20dev=20=EC=A0=91=EA=B7=BC=20=EC=95=88=EB=82=B4=20?=
 =?UTF-8?q?=EB=AC=B8=EA=B5=AC=20=ED=82=A4=20=EC=A0=95=EB=A6=AC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 adminfront/src/locales/en.toml       | 5 +++++
 adminfront/src/locales/ko.toml       | 5 +++++
 adminfront/src/locales/template.toml | 5 +++++
 devfront/src/locales/en.toml         | 5 +++++
 devfront/src/locales/ko.toml         | 5 +++++
 devfront/src/locales/template.toml   | 5 +++++
 locales/en.toml                      | 5 +++++
 locales/ko.toml                      | 5 +++++
 locales/template.toml                | 5 +++++
 9 files changed, 45 insertions(+)

diff --git a/adminfront/src/locales/en.toml b/adminfront/src/locales/en.toml
index 92c43ae3..2e86be36 100644
--- a/adminfront/src/locales/en.toml
+++ b/adminfront/src/locales/en.toml
@@ -741,6 +741,7 @@ view_audit_logs = "View Audit Logs"
 rp_admin = "RP ADMIN"
 super_admin = "SUPER ADMIN"
 tenant_admin = "TENANT ADMIN"
+tenant_member = "TENANT MEMBER"
 user = "TENANT MEMBER"
 
 [ui.admin.tenants]
@@ -966,6 +967,10 @@ system = "System"
 
 [ui.common.role]
 admin = "Admin"
+rp_admin = "RP Admin"
+super_admin = "Super Admin"
+tenant_admin = "Tenant Admin"
+tenant_member = "Tenant Member"
 user = "User"
 
 [ui.common.status]
diff --git a/adminfront/src/locales/ko.toml b/adminfront/src/locales/ko.toml
index 81bf79c1..aa6fd8ee 100644
--- a/adminfront/src/locales/ko.toml
+++ b/adminfront/src/locales/ko.toml
@@ -791,6 +791,7 @@ total_tenants = "전체 테넌트"
 rp_admin = "서비스 관리자 (RP Admin)"
 super_admin = "시스템 관리자 (Super Admin)"
 tenant_admin = "테넌트 관리자 (Tenant Admin)"
+tenant_member = "일반 사용자 (Tenant Member)"
 user = "일반 사용자 (Tenant Member)"
 
 [ui.admin.tenants]
@@ -1046,6 +1047,10 @@ system = "System"
 
 [ui.common.role]
 admin = "Admin"
+rp_admin = "RP Admin"
+super_admin = "Super Admin"
+tenant_admin = "Tenant Admin"
+tenant_member = "Tenant Member"
 user = "User"
 
 [ui.common.status]
diff --git a/adminfront/src/locales/template.toml b/adminfront/src/locales/template.toml
index d3f46c56..ae5d6a4b 100644
--- a/adminfront/src/locales/template.toml
+++ b/adminfront/src/locales/template.toml
@@ -714,6 +714,7 @@ rp_admin = ""
 super_admin = ""
 tenant_admin = ""
 tenant_member = ""
+user = ""
 
 [ui.admin.tenants]
 add = ""
@@ -922,6 +923,10 @@ system = ""
 
 [ui.common.role]
 admin = ""
+rp_admin = ""
+super_admin = ""
+tenant_admin = ""
+tenant_member = ""
 user = ""
 
 [ui.common.status]
diff --git a/devfront/src/locales/en.toml b/devfront/src/locales/en.toml
index 0abda2df..6936c8b2 100644
--- a/devfront/src/locales/en.toml
+++ b/devfront/src/locales/en.toml
@@ -207,6 +207,10 @@ unknown_error = "unknown error"
 [msg.dev]
 logout_confirm = "Are you sure you want to log out?"
 
+[msg.dev.auth]
+access_denied_description = "DevFront is for administrators only. Request access from your administrator."
+access_denied_title = "Access denied."
+
 [msg.dev.audit]
 empty = "No audit logs found."
 forbidden = "You do not have permission to view audit logs. Please request access from an administrator."
@@ -890,6 +894,7 @@ tenant_dept = "TENANT / DEPT"
 [ui.common]
 add = "Add"
 back = "Back"
+back_to_login = "Back to login"
 cancel = "Cancel"
 close = "Close"
 collapse = "Collapse"
diff --git a/devfront/src/locales/ko.toml b/devfront/src/locales/ko.toml
index 46e3d2e5..3879ffd8 100644
--- a/devfront/src/locales/ko.toml
+++ b/devfront/src/locales/ko.toml
@@ -207,6 +207,10 @@ unknown_error = "unknown error"
 [msg.dev]
 logout_confirm = "로그아웃 하시겠습니까?"
 
+[msg.dev.auth]
+access_denied_description = "DevFront는 관리자 전용 화면입니다. 권한이 필요하면 관리자에게 요청해 주세요."
+access_denied_title = "접근 권한이 없습니다."
+
 [msg.dev.audit]
 empty = "조회된 감사 로그가 없습니다."
 forbidden = "감사 로그를 조회할 권한이 없습니다. 관리자에게 권한을 요청해주세요."
@@ -890,6 +894,7 @@ tenant_dept = "TENANT / DEPT"
 [ui.common]
 add = "추가"
 back = "돌아가기"
+back_to_login = "로그인으로 돌아가기"
 cancel = "취소"
 close = "닫기"
 collapse = "접기"
diff --git a/devfront/src/locales/template.toml b/devfront/src/locales/template.toml
index b2603ada..d3fa256f 100644
--- a/devfront/src/locales/template.toml
+++ b/devfront/src/locales/template.toml
@@ -207,6 +207,10 @@ unknown_error = ""
 [msg.dev]
 logout_confirm = ""
 
+[msg.dev.auth]
+access_denied_description = ""
+access_denied_title = ""
+
 [msg.dev.audit]
 empty = ""
 forbidden = ""
@@ -902,6 +906,7 @@ tenant_dept = ""
 [ui.common]
 add = ""
 back = ""
+back_to_login = ""
 cancel = ""
 close = ""
 collapse = ""
diff --git a/locales/en.toml b/locales/en.toml
index af2e11bd..aebc6602 100644
--- a/locales/en.toml
+++ b/locales/en.toml
@@ -273,6 +273,10 @@ unknown_error = "unknown error"
 [msg.dev]
 logout_confirm = "Are you sure you want to log out?"
 
+[msg.dev.auth]
+access_denied_description = "DevFront is for administrators only. Request access from your administrator."
+access_denied_title = "Access denied."
+
 [msg.dev.audit]
 empty = "No audit logs found."
 forbidden = "You do not have permission to view audit logs. Please request access from an administrator."
@@ -1056,6 +1060,7 @@ add = "Add"
 admin_only = "Admin Only"
 assign = "Assign"
 back = "Back"
+back_to_login = "Back to login"
 cancel = "Cancel"
 close = "Close"
 collapse = "Collapse"
diff --git a/locales/ko.toml b/locales/ko.toml
index abc0bfff..b97c29a6 100644
--- a/locales/ko.toml
+++ b/locales/ko.toml
@@ -273,6 +273,10 @@ unknown_error = "unknown error"
 [msg.dev]
 logout_confirm = "로그아웃 하시겠습니까?"
 
+[msg.dev.auth]
+access_denied_description = "DevFront는 관리자 전용 화면입니다. 권한이 필요하면 관리자에게 요청해 주세요."
+access_denied_title = "접근 권한이 없습니다."
+
 [msg.dev.audit]
 empty = "조회된 감사 로그가 없습니다."
 forbidden = "감사 로그를 조회할 권한이 없습니다. 관리자에게 권한을 요청해주세요."
@@ -1056,6 +1060,7 @@ add = "추가"
 admin_only = "관리자 전용"
 assign = "할당"
 back = "돌아가기"
+back_to_login = "로그인으로 돌아가기"
 cancel = "취소"
 close = "닫기"
 collapse = "접기"
diff --git a/locales/template.toml b/locales/template.toml
index 37627a41..77613d27 100644
--- a/locales/template.toml
+++ b/locales/template.toml
@@ -213,6 +213,10 @@ unknown_error = ""
 [msg.dev]
 logout_confirm = ""
 
+[msg.dev.auth]
+access_denied_description = ""
+access_denied_title = ""
+
 [msg.dev.audit]
 empty = ""
 forbidden = ""
@@ -921,6 +925,7 @@ add = ""
 admin_only = ""
 assign = ""
 back = ""
+back_to_login = ""
 cancel = ""
 close = ""
 collapse = ""

From 0f8b19a9b1c3ee6c31436a67982ab33397b7ec71 Mon Sep 17 00:00:00 2001
From: kyy <b24053@hanmaceng.co.kr>
Date: Wed, 4 Mar 2026 13:15:28 +0900
Subject: [PATCH 3/8] =?UTF-8?q?=EA=B4=80=EB=A6=AC=EC=9E=90=20=EA=B6=8C?=
 =?UTF-8?q?=ED=95=9C=20=ED=8C=90=EB=B3=84=20=EB=A1=9C=EC=A7=81=20=EB=B3=B4?=
 =?UTF-8?q?=EC=99=84=EC=9C=BC=EB=A1=9C=20=EB=A9=94=EB=89=B4/=EC=A0=91?=
 =?UTF-8?q?=EA=B7=BC=20=EC=A0=9C=EC=96=B4=20=EC=9D=BC=EC=B9=98=ED=99=94?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 devfront/src/components/layout/AppLayout.tsx | 44 ++++++++++++--------
 devfront/src/features/auth/AuthGuard.tsx     | 36 ++++++++++++++++
 devfront/src/lib/role.ts                     | 25 +++++++++++
 3 files changed, 88 insertions(+), 17 deletions(-)
 create mode 100644 devfront/src/lib/role.ts

diff --git a/devfront/src/components/layout/AppLayout.tsx b/devfront/src/components/layout/AppLayout.tsx
index 66b8d175..92b458a8 100644
--- a/devfront/src/components/layout/AppLayout.tsx
+++ b/devfront/src/components/layout/AppLayout.tsx
@@ -10,6 +10,7 @@ import { useEffect, useRef, useState } from "react";
 import { useAuth } from "react-oidc-context";
 import { NavLink, Outlet, useNavigate } from "react-router-dom";
 import { t } from "../../lib/i18n";
+import { resolveProfileRole } from "../../lib/role";
 import LanguageSelector from "../common/LanguageSelector";
 import { Toaster } from "../ui/toaster";
 
@@ -96,6 +97,14 @@ function AppLayout() {
     auth.user?.profile?.email?.toString().trim() ||
     t("ui.dev.profile.unknown_email", "unknown@example.com");
   const profileInitial = profileName.charAt(0).toUpperCase();
+  const currentRole = resolveProfileRole(
+    auth.user?.profile as Record<string, unknown> | undefined,
+  );
+  const isDevConsoleAllowed = [
+    "super_admin",
+    "tenant_admin",
+    "rp_admin",
+  ].includes(currentRole);
   const expiresAtSec = auth.user?.expires_at;
   const remainingMs =
     typeof expiresAtSec === "number" ? expiresAtSec * 1000 - nowMs : null;
@@ -191,23 +200,24 @@ function AppLayout() {
               </span>
             </div>
             <div className="flex flex-col gap-1">
-              {navItems.map(({ labelKey, labelFallback, to, icon: Icon }) => (
-                <NavLink
-                  key={to}
-                  to={to}
-                  className={({ isActive }) =>
-                    [
-                      "flex items-center gap-3 rounded-xl px-3 py-3 text-sm transition",
-                      isActive
-                        ? "bg-primary/10 text-primary shadow-[0_12px_40px_rgba(54,211,153,0.18)]"
-                        : "text-muted-foreground hover:bg-muted/10 hover:text-foreground",
-                    ].join(" ")
-                  }
-                >
-                  <Icon size={18} />
-                  <span>{t(labelKey, labelFallback)}</span>
-                </NavLink>
-              ))}
+              {isDevConsoleAllowed &&
+                navItems.map(({ labelKey, labelFallback, to, icon: Icon }) => (
+                  <NavLink
+                    key={to}
+                    to={to}
+                    className={({ isActive }) =>
+                      [
+                        "flex items-center gap-3 rounded-xl px-3 py-3 text-sm transition",
+                        isActive
+                          ? "bg-primary/10 text-primary shadow-[0_12px_40px_rgba(54,211,153,0.18)]"
+                          : "text-muted-foreground hover:bg-muted/10 hover:text-foreground",
+                      ].join(" ")
+                    }
+                  >
+                    <Icon size={18} />
+                    <span>{t(labelKey, labelFallback)}</span>
+                  </NavLink>
+                ))}
             </div>
           </nav>
         </div>
diff --git a/devfront/src/features/auth/AuthGuard.tsx b/devfront/src/features/auth/AuthGuard.tsx
index 26069583..0ab7c9fd 100644
--- a/devfront/src/features/auth/AuthGuard.tsx
+++ b/devfront/src/features/auth/AuthGuard.tsx
@@ -1,5 +1,7 @@
 import { useAuth } from "react-oidc-context";
 import { Navigate, Outlet } from "react-router-dom";
+import { t } from "../../lib/i18n";
+import { resolveProfileRole } from "../../lib/role";
 
 export default function AuthGuard() {
   const auth = useAuth();
@@ -16,5 +18,39 @@ export default function AuthGuard() {
     return <Navigate to="/login" replace />;
   }
 
+  const normalizedRole = resolveProfileRole(
+    auth.user?.profile as Record<string, unknown> | undefined,
+  );
+  const isTenantMember =
+    normalizedRole === "user" || normalizedRole === "tenant_member";
+
+  if (isTenantMember) {
+    return (
+      <div className="min-h-screen grid place-items-center bg-background text-foreground p-6">
+        <div className="max-w-lg w-full rounded-xl border border-border bg-card p-6 space-y-4">
+          <h1 className="text-xl font-semibold">
+            {t("msg.dev.auth.access_denied_title", "접근 권한이 없습니다.")}
+          </h1>
+          <p className="text-sm text-muted-foreground">
+            {t(
+              "msg.dev.auth.access_denied_description",
+              "DevFront는 관리자 전용 화면입니다. 권한이 필요하면 관리자에게 요청해 주세요.",
+            )}
+          </p>
+          <button
+            type="button"
+            className="inline-flex items-center rounded-md bg-primary px-4 py-2 text-sm font-medium text-primary-foreground hover:opacity-90"
+            onClick={() => {
+              auth.removeUser();
+              window.location.href = "/login";
+            }}
+          >
+            {t("ui.common.back_to_login", "로그인으로 돌아가기")}
+          </button>
+        </div>
+      </div>
+    );
+  }
+
   return <Outlet />;
 }
diff --git a/devfront/src/lib/role.ts b/devfront/src/lib/role.ts
new file mode 100644
index 00000000..f4400c72
--- /dev/null
+++ b/devfront/src/lib/role.ts
@@ -0,0 +1,25 @@
+export function normalizeRole(rawRole: unknown): string {
+  if (typeof rawRole !== "string") return "";
+  const role = rawRole.trim().toLowerCase();
+  if (role === "tenant_member") return "user";
+  if (role === "admin") return "tenant_admin";
+  if (role === "superadmin") return "super_admin";
+  if (role === "tenantadmin") return "tenant_admin";
+  if (role === "rpadmin") return "rp_admin";
+  return role;
+}
+
+export function resolveProfileRole(profile: Record<string, unknown> | undefined) {
+  if (!profile) return "";
+  const candidates = [
+    profile.role,
+    profile.grade,
+    profile["custom:role"],
+    profile["custom:grade"],
+  ];
+  for (const candidate of candidates) {
+    const normalized = normalizeRole(candidate);
+    if (normalized) return normalized;
+  }
+  return "";
+}

From eac16cfcd965adcbcf9c3716fc55a7667bf26b95 Mon Sep 17 00:00:00 2001
From: kyy <b24053@hanmaceng.co.kr>
Date: Wed, 4 Mar 2026 13:16:34 +0900
Subject: [PATCH 4/8] =?UTF-8?q?4=EB=8B=A8=EA=B3=84=20=EC=97=AD=ED=95=A0=20?=
 =?UTF-8?q?=EC=A0=95=EA=B7=9C=ED=99=94=20=EB=B0=8F=20dev=20=EA=B6=8C?=
 =?UTF-8?q?=ED=95=9C=20=EC=8A=A4=EC=BD=94=ED=94=84=20=EA=B2=80=EC=A6=9D=20?=
 =?UTF-8?q?=EA=B0=95=ED=99=94?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 backend/internal/bootstrap/keto_sync.go       |   5 +-
 backend/internal/domain/user.go               |  15 +
 backend/internal/domain/user_test.go          |  29 ++
 backend/internal/handler/auth_handler.go      |  18 +-
 backend/internal/handler/dev_handler.go       | 434 ++++++++++++------
 .../handler/dev_handler_isolation_test.go     |  54 ++-
 backend/internal/handler/dev_handler_test.go  |  81 +++-
 .../internal/handler/relying_party_handler.go |   7 +-
 backend/internal/handler/tenant_handler.go    |   2 +-
 backend/internal/handler/user_handler.go      |  33 +-
 backend/internal/middleware/rbac.go           |  20 +-
 11 files changed, 521 insertions(+), 177 deletions(-)
 create mode 100644 backend/internal/domain/user_test.go

diff --git a/backend/internal/bootstrap/keto_sync.go b/backend/internal/bootstrap/keto_sync.go
index b185b39a..7d7f12fc 100644
--- a/backend/internal/bootstrap/keto_sync.go
+++ b/backend/internal/bootstrap/keto_sync.go
@@ -34,15 +34,16 @@ func SyncKetoRelations(db *gorm.DB, keto service.KetoService) error {
 	}
 	slog.Info("Syncing users to Keto", "count", len(users))
 	for _, u := range users {
+		role := domain.NormalizeRole(u.Role)
 		// Membership
 		if u.TenantID != nil {
 			_ = keto.CreateRelation(ctx, "Tenant", *u.TenantID, "members", "User:"+u.ID)
 		}
 
 		// Roles
-		if u.Role == domain.RoleSuperAdmin {
+		if role == domain.RoleSuperAdmin {
 			_ = keto.CreateRelation(ctx, "System", "global", "super_admins", "User:"+u.ID)
-		} else if u.Role == domain.RoleTenantAdmin && u.TenantID != nil {
+		} else if role == domain.RoleTenantAdmin && u.TenantID != nil {
 			_ = keto.CreateRelation(ctx, "Tenant", *u.TenantID, "admins", "User:"+u.ID)
 		}
 	}
diff --git a/backend/internal/domain/user.go b/backend/internal/domain/user.go
index 6a27ed2d..448f116e 100644
--- a/backend/internal/domain/user.go
+++ b/backend/internal/domain/user.go
@@ -1,6 +1,7 @@
 package domain
 
 import (
+	"strings"
 	"time"
 
 	"github.com/google/uuid"
@@ -15,6 +16,20 @@ const (
 	RoleUser        = "user"         // 일반 사용자
 )
 
+// NormalizeRole maps legacy/synonym role values to canonical role keys.
+func NormalizeRole(role string) string {
+	normalized := strings.ToLower(strings.TrimSpace(role))
+	switch normalized {
+	case "tenant_member":
+		return RoleUser
+	case "admin":
+		// Legacy admin is treated as tenant admin for least-privilege compatibility.
+		return RoleTenantAdmin
+	default:
+		return normalized
+	}
+}
+
 // User represents the user model stored in PostgreSQL
 type User struct {
 	ID              string         `gorm:"primaryKey;type:uuid;default:gen_random_uuid()" json:"id"`
diff --git a/backend/internal/domain/user_test.go b/backend/internal/domain/user_test.go
new file mode 100644
index 00000000..737ac0ad
--- /dev/null
+++ b/backend/internal/domain/user_test.go
@@ -0,0 +1,29 @@
+package domain
+
+import "testing"
+
+func TestNormalizeRole(t *testing.T) {
+	tests := []struct {
+		name string
+		in   string
+		want string
+	}{
+		{name: "super admin unchanged", in: "super_admin", want: RoleSuperAdmin},
+		{name: "tenant admin unchanged", in: "tenant_admin", want: RoleTenantAdmin},
+		{name: "rp admin unchanged", in: "rp_admin", want: RoleRPAdmin},
+		{name: "user unchanged", in: "user", want: RoleUser},
+		{name: "legacy admin", in: "admin", want: RoleTenantAdmin},
+		{name: "legacy tenant member", in: "tenant_member", want: RoleUser},
+		{name: "trim and lower", in: "  ADMIN  ", want: RoleTenantAdmin},
+		{name: "unknown role pass-through", in: "custom_role", want: "custom_role"},
+		{name: "empty", in: "   ", want: ""},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			if got := NormalizeRole(tc.in); got != tc.want {
+				t.Fatalf("NormalizeRole(%q)=%q, want %q", tc.in, got, tc.want)
+			}
+		})
+	}
+}
diff --git a/backend/internal/handler/auth_handler.go b/backend/internal/handler/auth_handler.go
index d0d63baa..04d7a849 100644
--- a/backend/internal/handler/auth_handler.go
+++ b/backend/internal/handler/auth_handler.go
@@ -4004,17 +4004,19 @@ func (h *AuthHandler) resolveCurrentProfile(c *fiber.Ctx) (*domain.UserProfileRe
 	// 2. Role Override for real profile or fallback to Mock Profile
 	if profile != nil {
 		if isDev && mockRole != "" {
+			normalizedMockRole := domain.NormalizeRole(mockRole)
 			slog.Info("🔑 [AUTH] Overriding real profile role",
-				"email", profile.Email, "originalRole", profile.Role, "overriddenRole", mockRole)
-			profile.Role = mockRole
+				"email", profile.Email, "originalRole", profile.Role, "overriddenRole", normalizedMockRole)
+			profile.Role = normalizedMockRole
 		}
 	} else if isDev && mockRole != "" && token == "" && cookie == "" {
+		normalizedMockRole := domain.NormalizeRole(mockRole)
 		slog.Info("🔑 [AUTH] Using full Mock Auth (no session)", "role", mockRole)
 		profile = &domain.UserProfileResponse{
 			ID:    "00000000-0000-0000-0000-000000000000",
 			Email: "mock@hmac.kr",
 			Name:  "Dev Mock User",
-			Role:  mockRole,
+			Role:  normalizedMockRole,
 		}
 		if tid := c.Get("X-Tenant-ID"); tid != "" {
 			profile.TenantID = &tid
@@ -4027,6 +4029,7 @@ func (h *AuthHandler) resolveCurrentProfile(c *fiber.Ctx) (*domain.UserProfileRe
 	}
 
 	// 3. Post-Process (Defaults & Metadata Enrichment)
+	profile.Role = domain.NormalizeRole(profile.Role)
 	if profile.Role == "" {
 		profile.Role = domain.RoleUser
 	}
@@ -5115,6 +5118,7 @@ func (h *AuthHandler) mapKratosIdentityToProfile(identityID string, traits map[s
 	compCode, _ := traits["companyCode"].(string)
 	role, _ := traits["role"].(string)
 	tenantID, _ := traits["tenant_id"].(string)
+	relyingPartyID, _ := traits["relying_party_id"].(string)
 
 	profile := &domain.UserProfileResponse{
 		ID:              identityID,
@@ -5124,18 +5128,22 @@ func (h *AuthHandler) mapKratosIdentityToProfile(identityID string, traits map[s
 		Department:      dept,
 		AffiliationType: affType,
 		CompanyCode:     compCode,
-		Role:            role,
+		Role:            domain.NormalizeRole(role),
 		Metadata:        make(map[string]any),
 	}
 
 	if tenantID != "" {
 		profile.TenantID = &tenantID
 	}
+	if strings.TrimSpace(relyingPartyID) != "" {
+		rpID := strings.TrimSpace(relyingPartyID)
+		profile.RelyingPartyID = &rpID
+	}
 
 	coreTraits := map[string]bool{
 		"email": true, "name": true, "phone_number": true,
 		"grade": true, "companyCode": true, "department": true,
-		"affiliationType": true, "role": true, "tenant_id": true,
+		"affiliationType": true, "role": true, "tenant_id": true, "relying_party_id": true,
 	}
 	for k, v := range traits {
 		if !coreTraits[k] {
diff --git a/backend/internal/handler/dev_handler.go b/backend/internal/handler/dev_handler.go
index 91f80b10..a15c1ba4 100644
--- a/backend/internal/handler/dev_handler.go
+++ b/backend/internal/handler/dev_handler.go
@@ -140,6 +140,127 @@ type clientUpsertRequest struct {
 	Metadata                *map[string]interface{} `json:"metadata"`
 }
 
+func normalizeUserRole(role string) string {
+	return domain.NormalizeRole(role)
+}
+
+func isDevConsoleRoleAllowed(role string) bool {
+	switch normalizeUserRole(role) {
+	case domain.RoleSuperAdmin, domain.RoleTenantAdmin, domain.RoleRPAdmin:
+		return true
+	default:
+		return false
+	}
+}
+
+func (h *DevHandler) getCurrentProfile(c *fiber.Ctx) *domain.UserProfileResponse {
+	if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil {
+		return profile
+	}
+	if h.Auth != nil {
+		enriched, err := h.Auth.GetEnrichedProfile(c)
+		if err == nil && enriched != nil {
+			c.Locals("user_profile", enriched)
+			return enriched
+		}
+	}
+	return nil
+}
+
+func tenantIDFromProfile(profile *domain.UserProfileResponse) string {
+	if profile == nil || profile.TenantID == nil {
+		return ""
+	}
+	return strings.TrimSpace(*profile.TenantID)
+}
+
+func addClientIDToSet(set map[string]struct{}, raw any) {
+	switch value := raw.(type) {
+	case string:
+		for _, chunk := range strings.Split(value, ",") {
+			id := strings.TrimSpace(chunk)
+			if id != "" {
+				set[id] = struct{}{}
+			}
+		}
+	case []string:
+		for _, item := range value {
+			id := strings.TrimSpace(item)
+			if id != "" {
+				set[id] = struct{}{}
+			}
+		}
+	case []any:
+		for _, item := range value {
+			if str, ok := item.(string); ok {
+				id := strings.TrimSpace(str)
+				if id != "" {
+					set[id] = struct{}{}
+				}
+			}
+		}
+	}
+}
+
+func managedClientIDsFromProfile(profile *domain.UserProfileResponse) map[string]struct{} {
+	ids := make(map[string]struct{})
+	if profile == nil {
+		return ids
+	}
+
+	if profile.RelyingPartyID != nil {
+		if id := strings.TrimSpace(*profile.RelyingPartyID); id != "" {
+			ids[id] = struct{}{}
+		}
+	}
+
+	if profile.Metadata == nil {
+		return ids
+	}
+
+	for _, key := range []string{
+		"managed_client_ids",
+		"managedClientIds",
+		"relying_party_id",
+		"relyingPartyId",
+		"client_id",
+		"clientId",
+	} {
+		if raw, ok := profile.Metadata[key]; ok {
+			addClientIDToSet(ids, raw)
+		}
+	}
+
+	return ids
+}
+
+func resolveClientTenantID(summary clientSummary) string {
+	if summary.Metadata == nil {
+		return ""
+	}
+	clientTenantID, _ := summary.Metadata["tenant_id"].(string)
+	return strings.TrimSpace(clientTenantID)
+}
+
+func isRPAdminClientAllowed(profile *domain.UserProfileResponse, clientID string) bool {
+	if normalizeUserRole(profileRole(profile)) != domain.RoleRPAdmin {
+		return true
+	}
+	allowed := managedClientIDsFromProfile(profile)
+	if len(allowed) == 0 {
+		return false
+	}
+	_, ok := allowed[strings.TrimSpace(clientID)]
+	return ok
+}
+
+func profileRole(profile *domain.UserProfileResponse) string {
+	if profile == nil {
+		return ""
+	}
+	return strings.TrimSpace(profile.Role)
+}
+
 func (h *DevHandler) checkAppManagerPermission(c *fiber.Ctx) (bool, error) {
 	profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse)
 	if (!ok || profile == nil) && h.Auth != nil {
@@ -151,11 +272,19 @@ func (h *DevHandler) checkAppManagerPermission(c *fiber.Ctx) (bool, error) {
 		}
 	}
 	if ok && profile != nil {
-		// Super Admin bypass
-		if profile.Role == domain.RoleSuperAdmin {
+		role := normalizeUserRole(profile.Role)
+		switch role {
+		case domain.RoleSuperAdmin:
 			slog.Info("Dev private permission granted by super_admin role", "user_id", profile.ID)
 			return true, nil
+		case domain.RoleTenantAdmin, domain.RoleRPAdmin:
+			slog.Info("Dev private permission granted by role", "user_id", profile.ID, "role", role)
+			return true, nil
+		case domain.RoleUser:
+			return false, nil
 		}
+
+		// Super Admin bypass
 		if isAdminEmail(profile.Email) {
 			slog.Info("Dev private permission granted by ADMIN_EMAIL match", "email", profile.Email)
 			return true, nil
@@ -203,16 +332,24 @@ func (h *DevHandler) checkAppManagerPermission(c *fiber.Ctx) (bool, error) {
 			if tokenEmail == "" {
 				tokenEmail = strings.TrimSpace(info.Email)
 			}
-			tokenRole = strings.TrimSpace(info.Role)
+			tokenRole = normalizeUserRole(info.Role)
 		} else if err != nil {
 			slog.Warn("Dev private permission userinfo fallback failed", "error", err)
 		}
 	}
+	tokenRole = normalizeUserRole(tokenRole)
 
 	if tokenRole == domain.RoleSuperAdmin {
 		slog.Info("Dev private permission granted by token role", "role", tokenRole)
 		return true, nil
 	}
+	if tokenRole == domain.RoleTenantAdmin || tokenRole == domain.RoleRPAdmin {
+		slog.Info("Dev private permission granted by token role", "role", tokenRole)
+		return true, nil
+	}
+	if tokenRole == domain.RoleUser {
+		return false, nil
+	}
 	if isAdminEmail(tokenEmail) {
 		slog.Info("Dev private permission granted by token email", "email", tokenEmail)
 		return true, nil
@@ -237,7 +374,7 @@ func (h *DevHandler) checkAppManagerPermission(c *fiber.Ctx) (bool, error) {
 	if h.KratosAdmin != nil {
 		identity, err := h.KratosAdmin.GetIdentity(c.Context(), tokenSubject)
 		if err == nil && identity != nil {
-			if rawRole, ok := identity.Traits["role"].(string); ok && rawRole == domain.RoleSuperAdmin {
+			if rawRole, ok := identity.Traits["role"].(string); ok && normalizeUserRole(rawRole) == domain.RoleSuperAdmin {
 				slog.Info("Dev private permission granted by Kratos role", "subject", tokenSubject)
 				return true, nil
 			}
@@ -383,90 +520,20 @@ func (h *DevHandler) ListClients(c *fiber.Ctx) error {
 		offset = 0
 	}
 
-	// [Tenant Isolation] Get current user's tenant ID
-	userTenantID := ""
-	isSuperAdmin := false
-	profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse)
-	if (!ok || profile == nil) && h.Auth != nil {
-		enriched, _ := h.Auth.GetEnrichedProfile(c)
-		if enriched != nil {
-			profile = enriched
-			ok = true
-			c.Locals("user_profile", enriched)
-		}
+	profile := h.getCurrentProfile(c)
+	if profile == nil {
+		return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
+	}
+	role := normalizeUserRole(profile.Role)
+	if !isDevConsoleRoleAllowed(role) {
+		return errorJSON(c, fiber.StatusForbidden, "forbidden")
 	}
 
-	if ok && profile != nil {
-		if profile.TenantID != nil {
-			userTenantID = *profile.TenantID
-		}
-		isSuperAdmin = profile.Role == domain.RoleSuperAdmin
-	} else {
-		// If profile resolution failed, verify bearer token via OIDC userinfo fallback.
-		authHeader := c.Get("Authorization")
-		bearerToken := extractBearerToken(authHeader)
-		if bearerToken == "" {
-			return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
-		}
-
-		sub, email := extractAuthClaimsFromBearer(authHeader)
-		if sub == "" {
-			info, infoErr := h.fetchOIDCUserInfo(c.Context(), bearerToken)
-			if infoErr != nil {
-				slog.Warn("ListClients userinfo fallback failed", "error", infoErr)
-				return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
-			}
-			sub = strings.TrimSpace(info.Sub)
-			if email == "" {
-				email = strings.TrimSpace(info.Email)
-			}
-			if userTenantID == "" {
-				userTenantID = strings.TrimSpace(info.TenantID)
-			}
-			if strings.EqualFold(strings.TrimSpace(info.Role), domain.RoleSuperAdmin) {
-				isSuperAdmin = true
-			}
-		}
-
-		if sub == "" && email == "" {
-			return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
-		}
-
-		if h.KratosAdmin != nil && (userTenantID == "" || !isSuperAdmin) {
-			identityID := strings.TrimSpace(sub)
-			if identityID == "" && email != "" {
-				if resolved, err := h.KratosAdmin.FindIdentityIDByIdentifier(c.Context(), email); err == nil {
-					identityID = strings.TrimSpace(resolved)
-				}
-			}
-			if identityID != "" {
-				if identity, err := h.KratosAdmin.GetIdentity(c.Context(), identityID); err == nil && identity != nil {
-					if userTenantID == "" {
-						if tid, ok := identity.Traits["tenant_id"].(string); ok {
-							userTenantID = strings.TrimSpace(tid)
-						}
-					}
-					role := ""
-					if rawRole, ok := identity.Traits["role"].(string); ok {
-						role = strings.TrimSpace(rawRole)
-					}
-					if role == domain.RoleSuperAdmin {
-						isSuperAdmin = true
-					}
-					profile = &domain.UserProfileResponse{
-						ID:       identityID,
-						Email:    email,
-						Role:     role,
-						TenantID: nil,
-					}
-					if userTenantID != "" {
-						tid := userTenantID
-						profile.TenantID = &tid
-					}
-					c.Locals("user_profile", profile)
-				}
-			}
-		}
+	userTenantID := tenantIDFromProfile(profile)
+	isSuperAdmin := role == domain.RoleSuperAdmin
+	allowedClientIDs := managedClientIDsFromProfile(profile)
+	if role == domain.RoleRPAdmin && len(allowedClientIDs) == 0 {
+		return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin has no managed clients")
 	}
 
 	isAppManager, err := h.checkAppManagerPermission(c)
@@ -503,6 +570,13 @@ func (h *DevHandler) ListClients(c *fiber.Ctx) error {
 			}
 		}
 
+		// 3. [Role Scope] RP Admin can only access managed RP IDs
+		if role == domain.RoleRPAdmin {
+			if _, ok := allowedClientIDs[summary.ID]; !ok {
+				continue
+			}
+		}
+
 		items = append(items, summary)
 	}
 
@@ -529,22 +603,27 @@ func (h *DevHandler) GetClient(c *fiber.Ctx) error {
 	}
 
 	summary := h.mapClientSummary(*client)
+	profile := h.getCurrentProfile(c)
+	if profile == nil {
+		return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
+	}
+	role := normalizeUserRole(profile.Role)
+	if !isDevConsoleRoleAllowed(role) {
+		return errorJSON(c, fiber.StatusForbidden, "forbidden")
+	}
 
 	// [Tenant Isolation] Check if user has access to this client
-	isSuperAdmin := false
-	userTenantID := ""
-	if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil {
-		isSuperAdmin = profile.Role == domain.RoleSuperAdmin
-		if profile.TenantID != nil {
-			userTenantID = *profile.TenantID
-		}
-	}
+	isSuperAdmin := role == domain.RoleSuperAdmin
+	userTenantID := tenantIDFromProfile(profile)
 	if !isSuperAdmin {
-		clientTenantID, _ := summary.Metadata["tenant_id"].(string)
+		clientTenantID := resolveClientTenantID(summary)
 		if clientTenantID != userTenantID {
 			return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant")
 		}
 	}
+	if !isRPAdminClientAllowed(profile, summary.ID) {
+		return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
+	}
 
 	// Check permission for private clients
 	if summary.Type == "private" {
@@ -598,22 +677,27 @@ func (h *DevHandler) UpdateClientStatus(c *fiber.Ctx) error {
 	}
 
 	summary := h.mapClientSummary(*current)
+	profile := h.getCurrentProfile(c)
+	if profile == nil {
+		return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
+	}
+	role := normalizeUserRole(profile.Role)
+	if !isDevConsoleRoleAllowed(role) {
+		return errorJSON(c, fiber.StatusForbidden, "forbidden")
+	}
 
 	// [Tenant Isolation]
-	isSuperAdmin := false
-	userTenantID := ""
-	if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil {
-		isSuperAdmin = profile.Role == domain.RoleSuperAdmin
-		if profile.TenantID != nil {
-			userTenantID = *profile.TenantID
-		}
-	}
+	isSuperAdmin := role == domain.RoleSuperAdmin
+	userTenantID := tenantIDFromProfile(profile)
 	if !isSuperAdmin {
-		clientTenantID, _ := summary.Metadata["tenant_id"].(string)
+		clientTenantID := resolveClientTenantID(summary)
 		if clientTenantID != userTenantID {
 			return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant")
 		}
 	}
+	if !isRPAdminClientAllowed(profile, summary.ID) {
+		return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
+	}
 
 	if summary.Type == "private" {
 		isAppManager, _ := h.checkAppManagerPermission(c)
@@ -655,6 +739,15 @@ func (h *DevHandler) UpdateClientStatus(c *fiber.Ctx) error {
 
 func (h *DevHandler) CreateClient(c *fiber.Ctx) error {
 	tenantID := h.injectTenantContextFromHeader(c)
+	profile := h.getCurrentProfile(c)
+	if profile == nil {
+		return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
+	}
+	role := normalizeUserRole(profile.Role)
+	if !isDevConsoleRoleAllowed(role) {
+		return errorJSON(c, fiber.StatusForbidden, "forbidden")
+	}
+
 	var req clientUpsertRequest
 	if err := c.BodyParser(&req); err != nil {
 		return errorJSON(c, fiber.StatusBadRequest, "invalid request body")
@@ -706,7 +799,7 @@ func (h *DevHandler) CreateClient(c *fiber.Ctx) error {
 	}
 
 	// [Tenant Isolation] Record owner information
-	if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil {
+	if profile != nil {
 		metadata["user_id"] = profile.ID
 		if tenantID == "" && profile.TenantID != nil {
 			tenantID = *profile.TenantID
@@ -805,22 +898,27 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error {
 	}
 
 	currentSummary := h.mapClientSummary(*current)
+	profile := h.getCurrentProfile(c)
+	if profile == nil {
+		return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
+	}
+	role := normalizeUserRole(profile.Role)
+	if !isDevConsoleRoleAllowed(role) {
+		return errorJSON(c, fiber.StatusForbidden, "forbidden")
+	}
 
 	// [Tenant Isolation]
-	isSuperAdmin := false
-	userTenantID := ""
-	if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil {
-		isSuperAdmin = profile.Role == domain.RoleSuperAdmin
-		if profile.TenantID != nil {
-			userTenantID = *profile.TenantID
-		}
-	}
+	isSuperAdmin := role == domain.RoleSuperAdmin
+	userTenantID := tenantIDFromProfile(profile)
 	if !isSuperAdmin {
-		clientTenantID, _ := currentSummary.Metadata["tenant_id"].(string)
+		clientTenantID := resolveClientTenantID(currentSummary)
 		if clientTenantID != userTenantID {
 			return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant")
 		}
 	}
+	if !isRPAdminClientAllowed(profile, currentSummary.ID) {
+		return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
+	}
 
 	clientType := ""
 	if req.Type != nil {
@@ -931,22 +1029,27 @@ func (h *DevHandler) DeleteClient(c *fiber.Ctx) error {
 	}
 
 	summary := h.mapClientSummary(*current)
+	profile := h.getCurrentProfile(c)
+	if profile == nil {
+		return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
+	}
+	role := normalizeUserRole(profile.Role)
+	if !isDevConsoleRoleAllowed(role) {
+		return errorJSON(c, fiber.StatusForbidden, "forbidden")
+	}
 
 	// [Tenant Isolation]
-	isSuperAdmin := false
-	userTenantID := ""
-	if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil {
-		isSuperAdmin = profile.Role == domain.RoleSuperAdmin
-		if profile.TenantID != nil {
-			userTenantID = *profile.TenantID
-		}
-	}
+	isSuperAdmin := role == domain.RoleSuperAdmin
+	userTenantID := tenantIDFromProfile(profile)
 	if !isSuperAdmin {
-		clientTenantID, _ := summary.Metadata["tenant_id"].(string)
+		clientTenantID := resolveClientTenantID(summary)
 		if clientTenantID != userTenantID {
 			return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant")
 		}
 	}
+	if !isRPAdminClientAllowed(profile, summary.ID) {
+		return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
+	}
 
 	// [Security] Check permission for private clients
 	if summary.Type == "private" {
@@ -986,6 +1089,18 @@ func (h *DevHandler) ListConsents(c *fiber.Ctx) error {
 		return errorJSON(c, fiber.StatusBadRequest, "client_id is required")
 	}
 
+	profile := h.getCurrentProfile(c)
+	if profile == nil {
+		return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
+	}
+	role := normalizeUserRole(profile.Role)
+	if !isDevConsoleRoleAllowed(role) {
+		return errorJSON(c, fiber.StatusForbidden, "forbidden")
+	}
+	if !isRPAdminClientAllowed(profile, clientID) {
+		return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
+	}
+
 	subject := strings.TrimSpace(c.Query("subject"))
 	limit := c.QueryInt("limit", 50)
 	offset := c.QueryInt("offset", 0)
@@ -995,8 +1110,8 @@ func (h *DevHandler) ListConsents(c *fiber.Ctx) error {
 
 	// [Isolation] Get admin tenant ID from locals or header
 	adminTenantID := ""
-	if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil {
-		if profile.Role != domain.RoleSuperAdmin && profile.TenantID != nil {
+	if profile != nil {
+		if role != domain.RoleSuperAdmin && profile.TenantID != nil {
 			adminTenantID = *profile.TenantID
 		}
 	}
@@ -1091,6 +1206,17 @@ func (h *DevHandler) RevokeConsents(c *fiber.Ctx) error {
 		return errorJSON(c, fiber.StatusBadRequest, "subject is required")
 	}
 	clientID := strings.TrimSpace(c.Query("client_id"))
+	profile := h.getCurrentProfile(c)
+	if profile == nil {
+		return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
+	}
+	role := normalizeUserRole(profile.Role)
+	if !isDevConsoleRoleAllowed(role) {
+		return errorJSON(c, fiber.StatusForbidden, "forbidden")
+	}
+	if clientID != "" && !isRPAdminClientAllowed(profile, clientID) {
+		return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
+	}
 
 	// If subject is not a UUID, try to resolve it as an identifier (email/username)
 	if _, err := uuid.Parse(subject); err != nil {
@@ -1138,22 +1264,27 @@ func (h *DevHandler) RotateClientSecret(c *fiber.Ctx) error {
 	}
 
 	summary := h.mapClientSummary(*current)
+	profile := h.getCurrentProfile(c)
+	if profile == nil {
+		return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
+	}
+	role := normalizeUserRole(profile.Role)
+	if !isDevConsoleRoleAllowed(role) {
+		return errorJSON(c, fiber.StatusForbidden, "forbidden")
+	}
 
 	// [Tenant Isolation]
-	isSuperAdmin := false
-	userTenantID := ""
-	if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil {
-		isSuperAdmin = profile.Role == domain.RoleSuperAdmin
-		if profile.TenantID != nil {
-			userTenantID = *profile.TenantID
-		}
-	}
+	isSuperAdmin := role == domain.RoleSuperAdmin
+	userTenantID := tenantIDFromProfile(profile)
 	if !isSuperAdmin {
-		clientTenantID, _ := summary.Metadata["tenant_id"].(string)
+		clientTenantID := resolveClientTenantID(summary)
 		if clientTenantID != userTenantID {
 			return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant")
 		}
 	}
+	if !isRPAdminClientAllowed(profile, summary.ID) {
+		return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
+	}
 
 	// [Security] Check permission for private clients
 	if summary.Type == "private" {
@@ -1216,13 +1347,18 @@ func (h *DevHandler) ListAuditLogs(c *fiber.Ctx) error {
 	}
 
 	h.injectTenantContextFromHeader(c)
-	allowed, err := h.checkAppManagerPermission(c)
-	if err != nil {
-		return errorJSON(c, fiber.StatusInternalServerError, "permission check error")
+	profile := h.getCurrentProfile(c)
+	if profile == nil {
+		return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
 	}
-	if !allowed {
+	role := normalizeUserRole(profile.Role)
+	if !isDevConsoleRoleAllowed(role) {
 		return errorJSON(c, fiber.StatusForbidden, "forbidden")
 	}
+	allowedClientIDs := managedClientIDsFromProfile(profile)
+	if role == domain.RoleRPAdmin && len(allowedClientIDs) == 0 {
+		return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin has no managed clients")
+	}
 
 	limit := c.QueryInt("limit", 50)
 	if limit <= 0 {
@@ -1239,6 +1375,9 @@ func (h *DevHandler) ListAuditLogs(c *fiber.Ctx) error {
 	if tenantFilter == "" {
 		tenantFilter = h.resolveDevTenantScope(c)
 	}
+	if role != domain.RoleSuperAdmin && tenantFilter == "" {
+		tenantFilter = tenantIDFromProfile(profile)
+	}
 
 	cursorRaw := c.Query("cursor")
 	cursor, err := parseAuditCursor(cursorRaw)
@@ -1263,7 +1402,7 @@ func (h *DevHandler) ListAuditLogs(c *fiber.Ctx) error {
 
 		for _, logItem := range page {
 			scanned++
-			if h.matchesDevAuditFilter(logItem, tenantFilter, clientFilter, actionFilter, statusFilter) {
+			if h.matchesDevAuditFilter(logItem, tenantFilter, clientFilter, actionFilter, statusFilter, allowedClientIDs) {
 				collected = append(collected, logItem)
 				if len(collected) == limit+1 {
 					break
@@ -1308,7 +1447,7 @@ func (h *DevHandler) GetStats(c *fiber.Ctx) error {
 	userTenantID := ""
 	isSuperAdmin := false
 	if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil {
-		isSuperAdmin = profile.Role == domain.RoleSuperAdmin
+		isSuperAdmin = normalizeUserRole(profile.Role) == domain.RoleSuperAdmin
 		if profile.TenantID != nil {
 			userTenantID = *profile.TenantID
 		}
@@ -1553,6 +1692,7 @@ func clientTypeOrDefault(tokenEndpointAuthMethod string) string {
 func (h *DevHandler) matchesDevAuditFilter(
 	logItem domain.AuditLog,
 	tenantFilter, clientFilter, actionFilter, statusFilter string,
+	allowedClientIDs map[string]struct{},
 ) bool {
 	if !strings.Contains(logItem.EventType, "/api/v1/dev/") {
 		return false
@@ -1574,6 +1714,20 @@ func (h *DevHandler) matchesDevAuditFilter(
 			return false
 		}
 	}
+	if len(allowedClientIDs) > 0 {
+		targetID, _ := details["target_id"].(string)
+		clientID, _ := details["client_id"].(string)
+		resolvedID := strings.TrimSpace(targetID)
+		if resolvedID == "" {
+			resolvedID = strings.TrimSpace(clientID)
+		}
+		if resolvedID == "" {
+			return false
+		}
+		if _, ok := allowedClientIDs[resolvedID]; !ok {
+			return false
+		}
+	}
 	if actionFilter != "" {
 		if normalizeAuditAction(logItem.EventType, details) != actionFilter {
 			return false
diff --git a/backend/internal/handler/dev_handler_isolation_test.go b/backend/internal/handler/dev_handler_isolation_test.go
index e69df93c..ff1f4a05 100644
--- a/backend/internal/handler/dev_handler_isolation_test.go
+++ b/backend/internal/handler/dev_handler_isolation_test.go
@@ -82,14 +82,14 @@ func TestDevHandler_Isolation(t *testing.T) {
 		app.Use(func(c *fiber.Ctx) error {
 			c.Locals("user_profile", &domain.UserProfileResponse{
 				ID:       "user-a",
-				Role:     domain.RoleUser,
+				Role:     domain.RoleTenantAdmin,
 				TenantID: &tenantA,
 			})
 			return c.Next()
 		})
 		app.Get("/api/v1/dev/clients", h.ListClients)
 
-		mockKeto.On("CheckPermission", mock.Anything, "user-a", "System", "AppManager", "member").Return(false, nil)
+		mockKeto.On("CheckPermission", mock.Anything, "user-a", "System", "AppManager", "member").Return(true, nil)
 
 		req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil)
 		resp, _ := app.Test(req, -1)
@@ -105,7 +105,7 @@ func TestDevHandler_Isolation(t *testing.T) {
 		assert.Equal(t, "client-tenant-a", res.Items[0].ID)
 	})
 
-	t.Run("GetClient should enforce tenant isolation", func(t *testing.T) {
+	t.Run("Tenant member should be forbidden from DevFront clients", func(t *testing.T) {
 		app := fiber.New()
 		tenantA := "tenant-a"
 		app.Use(func(c *fiber.Ctx) error {
@@ -116,6 +116,52 @@ func TestDevHandler_Isolation(t *testing.T) {
 			})
 			return c.Next()
 		})
+		app.Get("/api/v1/dev/clients", h.ListClients)
+
+		req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil)
+		resp, _ := app.Test(req, -1)
+		assert.Equal(t, http.StatusForbidden, resp.StatusCode)
+	})
+
+	t.Run("RP Admin should only see managed clients", func(t *testing.T) {
+		app := fiber.New()
+		tenantA := "tenant-a"
+		app.Use(func(c *fiber.Ctx) error {
+			c.Locals("user_profile", &domain.UserProfileResponse{
+				ID:       "rp-admin-a",
+				Role:     domain.RoleRPAdmin,
+				TenantID: &tenantA,
+				Metadata: map[string]any{
+					"managed_client_ids": []any{"client-tenant-a"},
+				},
+			})
+			return c.Next()
+		})
+		app.Get("/api/v1/dev/clients", h.ListClients)
+
+		req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil)
+		resp, _ := app.Test(req, -1)
+
+		assert.Equal(t, http.StatusOK, resp.StatusCode)
+		var res struct {
+			Items []clientSummary `json:"items"`
+		}
+		json.NewDecoder(resp.Body).Decode(&res)
+		assert.Equal(t, 1, len(res.Items))
+		assert.Equal(t, "client-tenant-a", res.Items[0].ID)
+	})
+
+	t.Run("GetClient should enforce tenant isolation", func(t *testing.T) {
+		app := fiber.New()
+		tenantA := "tenant-a"
+		app.Use(func(c *fiber.Ctx) error {
+			c.Locals("user_profile", &domain.UserProfileResponse{
+				ID:       "user-a",
+				Role:     domain.RoleTenantAdmin,
+				TenantID: &tenantA,
+			})
+			return c.Next()
+		})
 		app.Get("/api/v1/dev/clients/:id", h.GetClient)
 
 		// Case 1: Same tenant
@@ -135,7 +181,7 @@ func TestDevHandler_Isolation(t *testing.T) {
 		app.Use(func(c *fiber.Ctx) error {
 			c.Locals("user_profile", &domain.UserProfileResponse{
 				ID:       "user-a",
-				Role:     domain.RoleUser,
+				Role:     domain.RoleTenantAdmin,
 				TenantID: &tenantA,
 			})
 			return c.Next()
diff --git a/backend/internal/handler/dev_handler_test.go b/backend/internal/handler/dev_handler_test.go
index 19ede568..d42b99f5 100644
--- a/backend/internal/handler/dev_handler_test.go
+++ b/backend/internal/handler/dev_handler_test.go
@@ -266,8 +266,6 @@ func TestGetStats_Success(t *testing.T) {
 	}
 
 	mockKeto := new(devMockKetoService)
-	// mockKeto setup to allow stats view
-	mockKeto.On("CheckPermission", mock.Anything, "u1", "System", "AppManager", "member").Return(true, nil)
 
 	h := &DevHandler{
 		Hydra: &service.HydraAdminService{
@@ -281,7 +279,7 @@ func TestGetStats_Success(t *testing.T) {
 	tenantID := "t1"
 	app.Use(func(c *fiber.Ctx) error {
 		c.Locals("user_profile", &domain.UserProfileResponse{
-			ID: "u1", Role: domain.RoleUser, TenantID: &tenantID,
+			ID: "u1", Role: domain.RoleTenantAdmin, TenantID: &tenantID,
 		})
 		return c.Next()
 	})
@@ -297,7 +295,7 @@ func TestGetStats_Success(t *testing.T) {
 	assert.Equal(t, int64(2), res.TotalClients)
 	assert.Equal(t, int64(7), res.AuthFailures)
 	assert.Equal(t, int64(3), res.ActiveSessions)
-	mockKeto.AssertExpectations(t)
+	mockKeto.AssertNotCalled(t, "CheckPermission", mock.Anything, mock.Anything, "System", "AppManager", "member")
 }
 
 func TestDevHandler_NoAuditNoAction(t *testing.T) {
@@ -323,3 +321,78 @@ func TestDevHandler_NoAuditNoAction(t *testing.T) {
 		assert.Equal(t, http.StatusServiceUnavailable, resp.StatusCode)
 	})
 }
+
+func TestListAuditLogs_TenantMemberForbidden(t *testing.T) {
+	h := &DevHandler{
+		Hydra:     &service.HydraAdminService{AdminURL: "http://hydra.test"},
+		AuditRepo: &mockAuditRepo{},
+		Keto:      new(devMockKetoService),
+	}
+
+	app := fiber.New()
+	tenantID := "tenant-a"
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{
+			ID:       "u-member",
+			Role:     domain.RoleUser,
+			TenantID: &tenantID,
+		})
+		return c.Next()
+	})
+	app.Get("/api/v1/dev/audit-logs", h.ListAuditLogs)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/audit-logs", nil)
+	resp, _ := app.Test(req, -1)
+	assert.Equal(t, http.StatusForbidden, resp.StatusCode)
+}
+
+func TestListAuditLogs_RPAdminScope(t *testing.T) {
+	auditRepo := &mockAuditRepo{
+		logs: []domain.AuditLog{
+			{
+				EventID:   "evt-1",
+				EventType: "POST /api/v1/dev/clients",
+				Status:    "success",
+				Timestamp: time.Now().UTC(),
+				Details:   `{"target_id":"client-allowed","tenant_id":"tenant-a","action":"CREATE_CLIENT"}`,
+			},
+			{
+				EventID:   "evt-2",
+				EventType: "POST /api/v1/dev/clients",
+				Status:    "success",
+				Timestamp: time.Now().UTC().Add(-time.Minute),
+				Details:   `{"target_id":"client-other","tenant_id":"tenant-a","action":"CREATE_CLIENT"}`,
+			},
+		},
+	}
+
+	h := &DevHandler{
+		Hydra:     &service.HydraAdminService{AdminURL: "http://hydra.test"},
+		AuditRepo: auditRepo,
+		Keto:      new(devMockKetoService),
+	}
+
+	app := fiber.New()
+	tenantID := "tenant-a"
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{
+			ID:       "u-rp-admin",
+			Role:     domain.RoleRPAdmin,
+			TenantID: &tenantID,
+			Metadata: map[string]any{
+				"managed_client_ids": []any{"client-allowed"},
+			},
+		})
+		return c.Next()
+	})
+	app.Get("/api/v1/dev/audit-logs", h.ListAuditLogs)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/audit-logs?limit=50", nil)
+	resp, _ := app.Test(req, -1)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var result devAuditListResponse
+	_ = json.NewDecoder(resp.Body).Decode(&result)
+	assert.Len(t, result.Items, 1)
+	assert.Equal(t, "evt-1", result.Items[0].EventID)
+}
diff --git a/backend/internal/handler/relying_party_handler.go b/backend/internal/handler/relying_party_handler.go
index 4f047f04..600a9490 100644
--- a/backend/internal/handler/relying_party_handler.go
+++ b/backend/internal/handler/relying_party_handler.go
@@ -44,13 +44,14 @@ func (h *RelyingPartyHandler) ListAll(c *fiber.Ctx) error {
 
 	var rps []domain.RelyingParty
 	var err error
+	role := domain.NormalizeRole(profile.Role)
 
-	if profile.Role == domain.RoleSuperAdmin {
+	if role == domain.RoleSuperAdmin {
 		rps, err = h.Service.ListAll(c.Context())
-	} else if profile.Role == domain.RoleTenantAdmin && profile.TenantID != nil {
+	} else if role == domain.RoleTenantAdmin && profile.TenantID != nil {
 		rps, err = h.Service.List(c.Context(), *profile.TenantID)
 	} else {
-		slog.Warn("Forbidden access to all applications", "userID", profile.ID, "role", profile.Role)
+		slog.Warn("Forbidden access to all applications", "userID", profile.ID, "role", role)
 		return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient role to list all applications")
 	}
 
diff --git a/backend/internal/handler/tenant_handler.go b/backend/internal/handler/tenant_handler.go
index 56cf1bc4..6ddadc31 100644
--- a/backend/internal/handler/tenant_handler.go
+++ b/backend/internal/handler/tenant_handler.go
@@ -116,7 +116,7 @@ func (h *TenantHandler) ListTenants(c *fiber.Ctx) error {
 	profile, _ := c.Locals("user_profile").(*domain.UserProfileResponse)
 
 	// If Tenant Admin, only list manageable tenants
-	if profile != nil && profile.Role == domain.RoleTenantAdmin {
+	if profile != nil && domain.NormalizeRole(profile.Role) == domain.RoleTenantAdmin {
 		slog.Info("Listing manageable tenants for tenant admin", "userID", profile.ID)
 		tenants, err = h.Service.ListManageableTenants(c.Context(), profile.ID)
 		if err != nil {
diff --git a/backend/internal/handler/user_handler.go b/backend/internal/handler/user_handler.go
index 45d36730..acaa4eac 100644
--- a/backend/internal/handler/user_handler.go
+++ b/backend/internal/handler/user_handler.go
@@ -61,7 +61,7 @@ func (h *UserHandler) ListUsers(c *fiber.Ctx) error {
 	var requesterRole string
 	var requesterCompany string
 	if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok {
-		requesterRole = profile.Role
+		requesterRole = domain.NormalizeRole(profile.Role)
 		requesterCompany = profile.CompanyCode
 	}
 
@@ -195,7 +195,7 @@ func (h *UserHandler) GetUser(c *fiber.Ctx) error {
 
 	// [New] Check access scope
 	requester, _ := c.Locals("user_profile").(*domain.UserProfileResponse)
-	if requester != nil && requester.Role == domain.RoleTenantAdmin {
+	if requester != nil && domain.NormalizeRole(requester.Role) == domain.RoleTenantAdmin {
 		compCode := extractTraitString(identity.Traits, "companyCode")
 		if requester.CompanyCode == "" || compCode != requester.CompanyCode {
 			return errorJSON(c, fiber.StatusForbidden, "forbidden: access to user in another tenant denied")
@@ -263,9 +263,9 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
 		}
 	}
 
-	role := strings.TrimSpace(req.Role)
+	role := domain.NormalizeRole(req.Role)
 	if role == "" {
-		role = "user"
+		role = domain.RoleUser
 	}
 
 	attributes := map[string]interface{}{
@@ -380,7 +380,7 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
 
 	// [New] Check access scope
 	requester, _ := c.Locals("user_profile").(*domain.UserProfileResponse)
-	if requester != nil && requester.Role == domain.RoleTenantAdmin {
+	if requester != nil && domain.NormalizeRole(requester.Role) == domain.RoleTenantAdmin {
 		compCode := extractTraitString(identity.Traits, "companyCode")
 		if requester.CompanyCode == "" || compCode != requester.CompanyCode {
 			return errorJSON(c, fiber.StatusForbidden, "forbidden: cannot update user in another tenant")
@@ -402,7 +402,7 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
 	}
 
 	// [New] Tenant Admin restriction: Cannot change companyCode
-	if requester != nil && requester.Role == domain.RoleTenantAdmin {
+	if requester != nil && domain.NormalizeRole(requester.Role) == domain.RoleTenantAdmin {
 		if req.CompanyCode != nil && *req.CompanyCode != requester.CompanyCode {
 			return errorJSON(c, fiber.StatusForbidden, "forbidden: tenant admins cannot change user's tenant")
 		}
@@ -437,9 +437,9 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
 		traits["department"] = strings.TrimSpace(*req.Department)
 	}
 	if req.Role != nil {
-		role := strings.TrimSpace(*req.Role)
+		role := domain.NormalizeRole(*req.Role)
 		if role == "" {
-			role = "user"
+			role = domain.RoleUser
 		}
 		traits["grade"] = role
 		traits["role"] = role
@@ -507,7 +507,7 @@ func (h *UserHandler) DeleteUser(c *fiber.Ctx) error {
 
 	// [New] Check access scope before deletion
 	requester, _ := c.Locals("user_profile").(*domain.UserProfileResponse)
-	if requester != nil && requester.Role == domain.RoleTenantAdmin {
+	if requester != nil && domain.NormalizeRole(requester.Role) == domain.RoleTenantAdmin {
 		identity, err := h.KratosAdmin.GetIdentity(c.Context(), userID)
 		if err == nil && identity != nil {
 			compCode := extractTraitString(identity.Traits, "companyCode")
@@ -541,7 +541,11 @@ func (h *UserHandler) mapIdentitySummary(ctx context.Context, identity service.K
 	traits := identity.Traits
 	role := extractTraitString(traits, "grade")
 	if role == "" {
-		role = "user"
+		role = extractTraitString(traits, "role")
+	}
+	role = domain.NormalizeRole(role)
+	if role == "" {
+		role = domain.RoleUser
 	}
 
 	compCode := extractTraitString(traits, "companyCode")
@@ -589,7 +593,11 @@ func (h *UserHandler) mapToLocalUser(identity service.KratosIdentity) *domain.Us
 	traits := identity.Traits
 	role := extractTraitString(traits, "grade")
 	if role == "" {
-		role = "user"
+		role = extractTraitString(traits, "role")
+	}
+	role = domain.NormalizeRole(role)
+	if role == "" {
+		role = domain.RoleUser
 	}
 	compCode := extractTraitString(traits, "companyCode")
 
@@ -633,6 +641,9 @@ func (h *UserHandler) mapToLocalUser(identity service.KratosIdentity) *domain.Us
 }
 
 func (h *UserHandler) syncKetoRole(ctx context.Context, userID, newRole, oldRole, oldTenantID string, newTenantID *string) {
+	newRole = domain.NormalizeRole(newRole)
+	oldRole = domain.NormalizeRole(oldRole)
+
 	// Remove old roles
 	if oldRole == domain.RoleSuperAdmin {
 		_ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
diff --git a/backend/internal/middleware/rbac.go b/backend/internal/middleware/rbac.go
index aaa345ab..5a15e190 100644
--- a/backend/internal/middleware/rbac.go
+++ b/backend/internal/middleware/rbac.go
@@ -31,8 +31,10 @@ func RequireKetoPermission(config RBACConfig, namespace, relation string) fiber.
 		// Store profile in locals for further use in handlers
 		c.Locals("user_profile", profile)
 
+		role := domain.NormalizeRole(profile.Role)
+
 		// Super Admin bypass
-		if profile.Role == domain.RoleSuperAdmin {
+		if role == domain.RoleSuperAdmin {
 			return c.Next()
 		}
 
@@ -67,7 +69,7 @@ func RequireKetoPermission(config RBACConfig, namespace, relation string) fiber.
 		}
 
 		if !allowed {
-			slog.Warn("Keto permission denied", "userID", profile.ID, "userRole", profile.Role, "namespace", namespace, "objectID", objectID, "relation", relation, "X-Test-Role", c.Get("X-Test-Role"))
+			slog.Warn("Keto permission denied", "userID", profile.ID, "userRole", role, "namespace", namespace, "objectID", objectID, "relation", relation, "X-Test-Role", c.Get("X-Test-Role"))
 			return errorJSON(c, fiber.StatusForbidden, "forbidden: keto permission denied for "+namespace+":"+objectID)
 		}
 
@@ -91,15 +93,17 @@ func RequireRole(config RBACConfig) fiber.Handler {
 		// Store profile in locals for further use in handlers
 		c.Locals("user_profile", profile)
 
+		userRole := domain.NormalizeRole(profile.Role)
+
 		// Super Admin always has access
-		if profile.Role == domain.RoleSuperAdmin {
+		if userRole == domain.RoleSuperAdmin {
 			return c.Next()
 		}
 
 		// Check if user's role is in allowed roles
 		roleAllowed := false
 		for _, role := range config.AllowedRoles {
-			if profile.Role == role {
+			if userRole == domain.NormalizeRole(role) {
 				roleAllowed = true
 				break
 			}
@@ -108,7 +112,7 @@ func RequireRole(config RBACConfig) fiber.Handler {
 		if !roleAllowed {
 			slog.Warn("RBAC access denied",
 				"userID", profile.ID,
-				"userRole", profile.Role,
+				"userRole", userRole,
 				"allowedRoles", config.AllowedRoles,
 				"path", c.Path(),
 				"X-Test-Role", c.Get("X-Test-Role"),
@@ -136,13 +140,15 @@ func RequireTenantMatch(config RBACConfig) fiber.Handler {
 		// Store profile in locals for further use in handlers
 		c.Locals("user_profile", profile)
 
+		userRole := domain.NormalizeRole(profile.Role)
+
 		// Super Admin bypass
-		if profile.Role == domain.RoleSuperAdmin {
+		if userRole == domain.RoleSuperAdmin {
 			return c.Next()
 		}
 
 		// Tenant Admin check
-		if profile.Role == domain.RoleTenantAdmin {
+		if userRole == domain.RoleTenantAdmin {
 			targetTenantID := c.Params("tenantId")
 			if targetTenantID == "" {
 				targetTenantID = c.Params("id") // common for /tenants/:id

From 95ae991af4d4e7c5a77d36f41af254b63b0b280c Mon Sep 17 00:00:00 2001
From: kyy <b24053@hanmaceng.co.kr>
Date: Mon, 16 Mar 2026 15:08:55 +0900
Subject: [PATCH 5/8] =?UTF-8?q?E2E=20=EC=97=AD=ED=95=A0=20=EC=A0=84?=
 =?UTF-8?q?=ED=99=98=20=ED=85=8C=EC=8A=A4=ED=8A=B8=20=EB=A0=88=EC=9D=B4?=
 =?UTF-8?q?=EC=8A=A4=20=EC=BB=A8=EB=94=94=EC=85=98=20=ED=95=B4=EA=B2=B0=20?=
 =?UTF-8?q?=EB=B0=8F=20=EC=95=88=EC=A0=95=EC=84=B1=20=EB=B3=B4=EA=B0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 devfront/tests/devfront-role-switch-report.spec.ts | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/devfront/tests/devfront-role-switch-report.spec.ts b/devfront/tests/devfront-role-switch-report.spec.ts
index 794564d7..6fcf659d 100644
--- a/devfront/tests/devfront-role-switch-report.spec.ts
+++ b/devfront/tests/devfront-role-switch-report.spec.ts
@@ -93,7 +93,10 @@ test.describe("DevFront role report", () => {
     await page
       .getByPlaceholder("My Awesome Application")
       .fill("Tenant A CRM Updated");
+    
+    const updatePromise = page.waitForResponse(r => r.url().includes('/api/v1/dev/clients') && r.request().method() === 'PUT');
     await page.getByRole("button", { name: /^저장$|^Save$/i }).click();
+    await updatePromise;
 
     await page.goto("/audit-logs");
     await expect(page.getByText("UPDATE_CLIENT")).toBeVisible({
@@ -130,7 +133,10 @@ test.describe("DevFront role report", () => {
     await page
       .getByPlaceholder(/https:\/\/app\.example\.com\/callback/i)
       .fill("https://super-admin.example.com/callback");
+    
+    const createPromise = page.waitForResponse(r => r.url().includes('/api/v1/dev/clients') && r.request().method() === 'POST');
     await page.getByRole("button", { name: /앱 생성|Create/i }).click();
+    await createPromise;
 
     await page.goto("/audit-logs");
     await expect(page.getByText("CREATE_CLIENT")).toBeVisible({

From 1ff12075f6c44dbae6a03802133e459ddc773f4f Mon Sep 17 00:00:00 2001
From: kyy <b24053@hanmaceng.co.kr>
Date: Mon, 16 Mar 2026 15:34:27 +0900
Subject: [PATCH 6/8] =?UTF-8?q?[#365]=20Devfront=20=ED=94=84=EB=A1=9C?=
 =?UTF-8?q?=ED=95=84=20=EB=A9=94=EB=89=B4=20=EA=B0=9C=EC=84=A0=20=EB=B0=8F?=
 =?UTF-8?q?=20=EC=83=81=EC=84=B8=20=ED=8E=98=EC=9D=B4=EC=A7=80=20=EA=B5=AC?=
 =?UTF-8?q?=ED=98=84?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 devfront/src/app/routes.tsx                   |   2 +
 devfront/src/components/layout/AppLayout.tsx  |  50 ++++-
 .../features/clients/ClientConsentsPage.tsx   |   2 +-
 devfront/src/features/clients/ClientsPage.tsx |   4 +-
 devfront/src/features/profile/ProfilePage.tsx | 186 ++++++++++++++++++
 devfront/src/locales/en.toml                  |  30 +++
 devfront/src/locales/ko.toml                  |  30 +++
 devfront/src/locales/template.toml            |  30 +++
 8 files changed, 324 insertions(+), 10 deletions(-)
 create mode 100644 devfront/src/features/profile/ProfilePage.tsx

diff --git a/devfront/src/app/routes.tsx b/devfront/src/app/routes.tsx
index b28a124c..1586062e 100644
--- a/devfront/src/app/routes.tsx
+++ b/devfront/src/app/routes.tsx
@@ -8,6 +8,7 @@ import ClientConsentsPage from "../features/clients/ClientConsentsPage";
 import ClientDetailsPage from "../features/clients/ClientDetailsPage";
 import ClientGeneralPage from "../features/clients/ClientGeneralPage";
 import ClientsPage from "../features/clients/ClientsPage";
+import ProfilePage from "../features/profile/ProfilePage";
 
 export const router = createBrowserRouter(
   [
@@ -33,6 +34,7 @@ export const router = createBrowserRouter(
             { path: "clients/:id/consents", element: <ClientConsentsPage /> },
             { path: "clients/:id/settings", element: <ClientGeneralPage /> },
             { path: "audit-logs", element: <AuditLogsPage /> },
+            { path: "profile", element: <ProfilePage /> },
           ],
         },
       ],
diff --git a/devfront/src/components/layout/AppLayout.tsx b/devfront/src/components/layout/AppLayout.tsx
index 92b458a8..cdb98dcb 100644
--- a/devfront/src/components/layout/AppLayout.tsx
+++ b/devfront/src/components/layout/AppLayout.tsx
@@ -1,3 +1,4 @@
+import { useQuery } from "@tanstack/react-query";
 import {
   BadgeCheck,
   LogOut,
@@ -5,6 +6,7 @@ import {
   NotebookTabs,
   ShieldHalf,
   Sun,
+  User as UserIcon,
 } from "lucide-react";
 import { useEffect, useRef, useState } from "react";
 import { useAuth } from "react-oidc-context";
@@ -13,6 +15,8 @@ import { t } from "../../lib/i18n";
 import { resolveProfileRole } from "../../lib/role";
 import LanguageSelector from "../common/LanguageSelector";
 import { Toaster } from "../ui/toaster";
+import { Badge } from "../ui/badge";
+import { fetchMe } from "../../features/auth/authApi";
 
 const navItems = [
   {
@@ -41,6 +45,13 @@ function AppLayout() {
   const [isRefreshingSession, setIsRefreshingSession] = useState(false);
   const [nowMs, setNowMs] = useState(() => Date.now());
 
+  const hasAccessToken = Boolean(auth.user?.access_token);
+  const { data: profile } = useQuery({
+    queryKey: ["userMe"],
+    queryFn: fetchMe,
+    enabled: hasAccessToken,
+  });
+
   const handleLogout = () => {
     if (window.confirm(t("msg.dev.logout_confirm", "로그아웃 하시겠습니까?"))) {
       auth.removeUser();
@@ -100,6 +111,10 @@ function AppLayout() {
   const currentRole = resolveProfileRole(
     auth.user?.profile as Record<string, unknown> | undefined,
   );
+  
+  // Use profile.role from API if available, otherwise fallback to local role
+  const displayRoleKey = profile?.role || currentRole;
+
   const isDevConsoleAllowed = [
     "super_admin",
     "tenant_admin",
@@ -306,14 +321,35 @@ function AppLayout() {
                     <p className="text-xs uppercase tracking-[0.16em] text-muted-foreground">
                       {t("ui.dev.profile.menu_title", "Account")}
                     </p>
-                    <div className="mt-2 rounded-lg border border-border px-3 py-2">
-                      <p className="truncate text-sm font-semibold text-foreground">
-                        {profileName}
-                      </p>
-                      <p className="truncate text-xs text-muted-foreground">
-                        {profileEmail}
-                      </p>
+                    <div className="mt-2 rounded-lg border border-border px-3 py-3 flex flex-col gap-2">
+                      <div>
+                        <p className="truncate text-sm font-semibold text-foreground">
+                          {profileName}
+                        </p>
+                        <p className="truncate text-xs text-muted-foreground">
+                          {profileEmail}
+                        </p>
+                      </div>
+                      <div className="flex items-center pt-1">
+                        <Badge variant="outline" className="text-[10px] px-2 py-0">
+                          {t(`ui.common.role.${displayRoleKey}`, displayRoleKey.toUpperCase())}
+                        </Badge>
+                      </div>
                     </div>
+                    
+                    <button
+                      type="button"
+                      role="menuitem"
+                      className="mt-2 w-full flex items-center gap-2 rounded-lg border border-border px-3 py-2 text-left text-sm text-foreground transition hover:bg-muted/20"
+                      onClick={() => {
+                        navigate("/profile");
+                        setIsProfileMenuOpen(false);
+                      }}
+                    >
+                      <UserIcon size={16} className="text-muted-foreground" />
+                      <span>{t("ui.dev.profile.title", "내 정보")}</span>
+                    </button>
+                    
                     <button
                       type="button"
                       role="menuitem"
diff --git a/devfront/src/features/clients/ClientConsentsPage.tsx b/devfront/src/features/clients/ClientConsentsPage.tsx
index 56cb764b..75c85219 100644
--- a/devfront/src/features/clients/ClientConsentsPage.tsx
+++ b/devfront/src/features/clients/ClientConsentsPage.tsx
@@ -356,7 +356,7 @@ function ClientConsentsPage() {
 
               <div className="flex justify-end">
                 <Button
-                  variant="link"
+                  variant="ghost"
                   size="sm"
                   className="text-xs text-muted-foreground p-0 h-auto"
                   onClick={() => {
diff --git a/devfront/src/features/clients/ClientsPage.tsx b/devfront/src/features/clients/ClientsPage.tsx
index eec97540..5ad69d78 100644
--- a/devfront/src/features/clients/ClientsPage.tsx
+++ b/devfront/src/features/clients/ClientsPage.tsx
@@ -262,7 +262,7 @@ function ClientsPage() {
                   </select>
                 </div>
                 <Button
-                  variant="link"
+                  variant="ghost"
                   size="sm"
                   className="text-xs text-muted-foreground ml-auto"
                   onClick={() => {
@@ -291,7 +291,7 @@ function ClientsPage() {
                         item.tone === "up"
                           ? "success"
                           : item.tone === "down"
-                            ? "destructive"
+                            ? "warning"
                             : "muted"
                       }
                       className={cn(
diff --git a/devfront/src/features/profile/ProfilePage.tsx b/devfront/src/features/profile/ProfilePage.tsx
new file mode 100644
index 00000000..6e026ffc
--- /dev/null
+++ b/devfront/src/features/profile/ProfilePage.tsx
@@ -0,0 +1,186 @@
+import { useQuery } from "@tanstack/react-query";
+import { User, Shield, Briefcase, Mail, Fingerprint, Building2 } from "lucide-react";
+import { useState } from "react";
+import { useAuth } from "react-oidc-context";
+import {
+  Card,
+  CardContent,
+  CardDescription,
+  CardHeader,
+  CardTitle,
+} from "../../components/ui/card";
+import { fetchMe } from "../auth/authApi";
+import { t } from "../../lib/i18n";
+
+function ProfilePage() {
+  const auth = useAuth();
+  const hasAccessToken = Boolean(auth.user?.access_token);
+
+  const { data: profile, isLoading, error } = useQuery({
+    queryKey: ["userMe"],
+    queryFn: fetchMe,
+    enabled: hasAccessToken,
+  });
+
+  const [activeTab, setActiveTab] = useState<"basic" | "role">("basic");
+
+  if (isLoading) {
+    return (
+      <div className="p-8 text-center">
+        {t("ui.dev.profile.loading", "Loading profile...")}
+      </div>
+    );
+  }
+
+  if (error || !profile) {
+    return (
+      <div className="p-8 text-center text-red-500">
+        {t("ui.dev.profile.error", "Failed to load profile information.")}
+      </div>
+    );
+  }
+
+  // Fallback to token information if API data is incomplete
+  const displayTenant = profile.tenant?.name || profile.tenantId || auth.user?.profile?.tenant_id?.toString() || "-";
+  const displayCompanyCode = profile.companyCode || auth.user?.profile?.companyCode?.toString() || "-";
+
+  return (
+    <div className="space-y-6 max-w-4xl mx-auto">
+      <div>
+        <h1 className="text-3xl font-black tracking-tight">
+          {t("ui.dev.profile.title", "내 정보")}
+        </h1>
+        <p className="text-muted-foreground mt-2">
+          {t(
+            "ui.dev.profile.subtitle",
+            "사용자 상세 정보 및 할당된 역할(Role)을 확인합니다.",
+          )}
+        </p>
+      </div>
+
+      <div className="flex space-x-1 border-b border-border pb-px">
+        <button
+          type="button"
+          onClick={() => setActiveTab("basic")}
+          className={`px-4 py-2 text-sm font-medium border-b-2 transition-colors ${
+            activeTab === "basic"
+              ? "border-primary text-primary"
+              : "border-transparent text-muted-foreground hover:text-foreground hover:border-border"
+          }`}
+        >
+          {t("ui.dev.profile.tab.basic", "기본 정보")}
+        </button>
+        <button
+          type="button"
+          onClick={() => setActiveTab("role")}
+          className={`px-4 py-2 text-sm font-medium border-b-2 transition-colors ${
+            activeTab === "role"
+              ? "border-primary text-primary"
+              : "border-transparent text-muted-foreground hover:text-foreground hover:border-border"
+          }`}
+        >
+          {t("ui.dev.profile.tab.role", "권한 및 역할")}
+        </button>
+      </div>
+
+      <div className="pt-4">
+        {activeTab === "basic" && (
+          <div className="grid gap-6 md:grid-cols-2">
+            <Card className="glass-panel">
+              <CardHeader>
+                <CardTitle className="text-lg flex items-center gap-2">
+                  <User className="h-5 w-5 text-primary" />
+                  {t("ui.dev.profile.basic.title", "사용자 정보")}
+                </CardTitle>
+              </CardHeader>
+              <CardContent className="space-y-4">
+                <div className="space-y-1">
+                  <p className="text-sm font-medium text-muted-foreground flex items-center gap-2">
+                    <Fingerprint className="h-4 w-4" />
+                    {t("ui.dev.profile.basic.id", "User ID")}
+                  </p>
+                  <p className="text-sm break-all font-mono bg-muted/50 p-2 rounded-md">
+                    {profile.id}
+                  </p>
+                </div>
+                <div className="space-y-1">
+                  <p className="text-sm font-medium text-muted-foreground flex items-center gap-2">
+                    <User className="h-4 w-4" />
+                    {t("ui.dev.profile.basic.name", "Name")}
+                  </p>
+                  <p className="text-sm">{profile.name}</p>
+                </div>
+                <div className="space-y-1">
+                  <p className="text-sm font-medium text-muted-foreground flex items-center gap-2">
+                    <Mail className="h-4 w-4" />
+                    {t("ui.dev.profile.basic.email", "Email")}
+                  </p>
+                  <p className="text-sm">{profile.email}</p>
+                </div>
+              </CardContent>
+            </Card>
+
+            <Card className="glass-panel">
+              <CardHeader>
+                <CardTitle className="text-lg flex items-center gap-2">
+                  <Building2 className="h-5 w-5 text-primary" />
+                  {t("ui.dev.profile.org.title", "조직 정보")}
+                </CardTitle>
+              </CardHeader>
+              <CardContent className="space-y-4">
+                <div className="space-y-1">
+                  <p className="text-sm font-medium text-muted-foreground">
+                    {t("ui.dev.profile.org.tenant", "테넌트")}
+                  </p>
+                  <p className="text-sm">
+                    {displayTenant}
+                  </p>
+                </div>
+                <div className="space-y-1">
+                  <p className="text-sm font-medium text-muted-foreground">
+                    {t("ui.dev.profile.org.company_code", "회사 코드")}
+                  </p>
+                  <p className="text-sm">{displayCompanyCode}</p>
+                </div>
+              </CardContent>
+            </Card>
+          </div>
+        )}
+
+        {activeTab === "role" && (
+          <Card className="glass-panel">
+            <CardHeader>
+              <CardTitle className="text-lg flex items-center gap-2">
+                <Shield className="h-5 w-5 text-primary" />
+                {t("ui.dev.profile.role.title", "시스템 역할")}
+              </CardTitle>
+              <CardDescription>
+                {t(
+                  "ui.dev.profile.role.description",
+                  "현재 계정에 부여된 권한 등급입니다.",
+                )}
+              </CardDescription>
+            </CardHeader>
+            <CardContent>
+              <div className="flex items-center gap-4 bg-muted/30 p-4 rounded-lg border border-border">
+                <div className="h-12 w-12 rounded-full bg-primary/20 flex items-center justify-center text-primary">
+                  <Briefcase className="h-6 w-6" />
+                </div>
+                <div>
+                  <p className="text-sm text-muted-foreground font-medium uppercase tracking-wider">
+                    {t("ui.dev.profile.role.current", "Current Role")}
+                  </p>
+                  <p className="text-xl font-bold mt-1">
+                    {t(`ui.common.role.${profile.role}`, profile.role.toUpperCase())}
+                  </p>
+                </div>
+              </div>
+            </CardContent>
+          </Card>
+        )}
+      </div>
+    </div>
+  );
+}
+
+export default ProfilePage;
diff --git a/devfront/src/locales/en.toml b/devfront/src/locales/en.toml
index 6936c8b2..ceaea07d 100644
--- a/devfront/src/locales/en.toml
+++ b/devfront/src/locales/en.toml
@@ -1399,6 +1399,36 @@ verify = "Verify"
 [ui.userfront.signup.success]
 action = "Action"
 
+[ui.dev.profile]
+unknown_name = "Unknown User"
+unknown_email = "unknown@example.com"
+menu_aria = "Open account menu"
+menu_title = "Account"
+title = "Profile"
+subtitle = "View user details and assigned roles."
+loading = "Loading profile..."
+error = "Failed to load profile."
+
+[ui.dev.profile.tab]
+basic = "Basic Info"
+role = "Roles & Permissions"
+
+[ui.dev.profile.basic]
+title = "User Info"
+id = "User ID"
+name = "Name"
+email = "Email"
+
+[ui.dev.profile.org]
+title = "Organization Info"
+tenant = "Tenant"
+company_code = "Company Code"
+
+[ui.dev.profile.role]
+title = "System Role"
+description = "The permission level granted to this account."
+current = "Current Role"
+
 [ui.admin.nav]
 api_keys = "API Keys"
 audit_logs = "Audit Logs"
diff --git a/devfront/src/locales/ko.toml b/devfront/src/locales/ko.toml
index 3879ffd8..eb34ab28 100644
--- a/devfront/src/locales/ko.toml
+++ b/devfront/src/locales/ko.toml
@@ -1411,3 +1411,33 @@ tenant_dashboard = "테넌트 대시보드"
 user_groups = "유저 그룹"
 tenants = "테넌트"
 users = "사용자"
+
+[ui.dev.profile]
+unknown_name = "알 수 없는 사용자"
+unknown_email = "unknown@example.com"
+menu_aria = "계정 메뉴 열기"
+menu_title = "Account"
+title = "내 정보"
+subtitle = "사용자 상세 정보 및 할당된 역할(Role)을 확인합니다."
+loading = "프로필 정보를 불러오는 중..."
+error = "프로필 정보를 불러오지 못했습니다."
+
+[ui.dev.profile.tab]
+basic = "기본 정보"
+role = "권한 및 역할"
+
+[ui.dev.profile.basic]
+title = "사용자 정보"
+id = "사용자 ID"
+name = "이름"
+email = "이메일"
+
+[ui.dev.profile.org]
+title = "조직 정보"
+tenant = "테넌트"
+company_code = "회사 코드"
+
+[ui.dev.profile.role]
+title = "시스템 역할"
+description = "현재 계정에 부여된 권한 등급입니다."
+current = "현재 역할"
diff --git a/devfront/src/locales/template.toml b/devfront/src/locales/template.toml
index d3fa256f..4afd8a93 100644
--- a/devfront/src/locales/template.toml
+++ b/devfront/src/locales/template.toml
@@ -1410,3 +1410,33 @@ verify = ""
 
 [ui.userfront.signup.success]
 action = ""
+
+[ui.dev.profile]
+unknown_name = ""
+unknown_email = ""
+menu_aria = ""
+menu_title = ""
+title = ""
+subtitle = ""
+loading = ""
+error = ""
+
+[ui.dev.profile.tab]
+basic = ""
+role = ""
+
+[ui.dev.profile.basic]
+title = ""
+id = ""
+name = ""
+email = ""
+
+[ui.dev.profile.org]
+title = ""
+tenant = ""
+company_code = ""
+
+[ui.dev.profile.role]
+title = ""
+description = ""
+current = ""

From 9a4681b2c053716ead3df9ac107eaf967f28d23b Mon Sep 17 00:00:00 2001
From: kyy <b24053@hanmaceng.co.kr>
Date: Mon, 16 Mar 2026 16:16:53 +0900
Subject: [PATCH 7/8] =?UTF-8?q?=EB=82=B4=20=EC=A0=95=EB=B3=B4=20=EB=B0=8F?=
 =?UTF-8?q?=20=EC=97=AD=ED=95=A0=EB=B3=84=20=EA=B6=8C=ED=95=9C=20=EB=B2=94?=
 =?UTF-8?q?=EC=9C=84=20=EC=95=88=EB=82=B4=20=EC=A0=9C=EA=B3=B5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 devfront/src/features/profile/ProfilePage.tsx | 17 +++++++++++++++--
 devfront/src/locales/en.toml                  |  6 ++++++
 devfront/src/locales/ko.toml                  |  6 ++++++
 devfront/src/locales/template.toml            |  6 ++++++
 4 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/devfront/src/features/profile/ProfilePage.tsx b/devfront/src/features/profile/ProfilePage.tsx
index 6e026ffc..e4917363 100644
--- a/devfront/src/features/profile/ProfilePage.tsx
+++ b/devfront/src/features/profile/ProfilePage.tsx
@@ -117,6 +117,13 @@ function ProfilePage() {
                   </p>
                   <p className="text-sm">{profile.email}</p>
                 </div>
+                <div className="space-y-1">
+                  <p className="text-sm font-medium text-muted-foreground flex items-center gap-2">
+                    <Briefcase className="h-4 w-4" />
+                    {t("ui.dev.profile.basic.phone", "Phone")}
+                  </p>
+                  <p className="text-sm">{profile.phone || "-"}</p>
+                </div>
               </CardContent>
             </Card>
 
@@ -163,16 +170,22 @@ function ProfilePage() {
             </CardHeader>
             <CardContent>
               <div className="flex items-center gap-4 bg-muted/30 p-4 rounded-lg border border-border">
-                <div className="h-12 w-12 rounded-full bg-primary/20 flex items-center justify-center text-primary">
+                <div className="h-12 w-12 rounded-full bg-primary/20 flex items-center justify-center text-primary shrink-0">
                   <Briefcase className="h-6 w-6" />
                 </div>
-                <div>
+                <div className="flex flex-col gap-1 w-full">
                   <p className="text-sm text-muted-foreground font-medium uppercase tracking-wider">
                     {t("ui.dev.profile.role.current", "Current Role")}
                   </p>
                   <p className="text-xl font-bold mt-1">
                     {t(`ui.common.role.${profile.role}`, profile.role.toUpperCase())}
                   </p>
+                  <p className="mt-1 text-sm text-muted-foreground">
+                    {t(
+                      `ui.dev.profile.role.desc_${profile.role}`,
+                      "시스템 역할에 대한 설명이 제공되지 않았습니다.",
+                    )}
+                  </p>
                 </div>
               </div>
             </CardContent>
diff --git a/devfront/src/locales/en.toml b/devfront/src/locales/en.toml
index ceaea07d..665aa6cd 100644
--- a/devfront/src/locales/en.toml
+++ b/devfront/src/locales/en.toml
@@ -1418,6 +1418,7 @@ title = "User Info"
 id = "User ID"
 name = "Name"
 email = "Email"
+phone = "Phone Number"
 
 [ui.dev.profile.org]
 title = "Organization Info"
@@ -1428,6 +1429,11 @@ company_code = "Company Code"
 title = "System Role"
 description = "The permission level granted to this account."
 current = "Current Role"
+desc_super_admin = "Can manage all tenants and applications system-wide without restriction."
+desc_tenant_admin = "Can manage all applications within their assigned tenant."
+desc_rp_admin = "Can view and manage only assigned/linked applications."
+desc_user = "Standard application access. DevFront access is denied."
+desc_tenant_member = "Standard application access. DevFront access is denied."
 
 [ui.admin.nav]
 api_keys = "API Keys"
diff --git a/devfront/src/locales/ko.toml b/devfront/src/locales/ko.toml
index eb34ab28..74a27993 100644
--- a/devfront/src/locales/ko.toml
+++ b/devfront/src/locales/ko.toml
@@ -1431,6 +1431,7 @@ title = "사용자 정보"
 id = "사용자 ID"
 name = "이름"
 email = "이메일"
+phone = "전화번호"
 
 [ui.dev.profile.org]
 title = "조직 정보"
@@ -1441,3 +1442,8 @@ company_code = "회사 코드"
 title = "시스템 역할"
 description = "현재 계정에 부여된 권한 등급입니다."
 current = "현재 역할"
+desc_super_admin = "전체 시스템의 모든 테넌트와 모든 앱을 제한 없이 관리할 수 있습니다."
+desc_tenant_admin = "본인이 속한 테넌트(조직/회사) 하위의 모든 앱을 관리할 수 있습니다."
+desc_rp_admin = "본인에게 할당된 연동 앱(Client)만 확인 및 관리할 수 있습니다."
+desc_user = "기본 앱 이용 권한을 가지며, DevFront 접근은 차단됩니다."
+desc_tenant_member = "기본 앱 이용 권한을 가지며, DevFront 접근은 차단됩니다."
diff --git a/devfront/src/locales/template.toml b/devfront/src/locales/template.toml
index 4afd8a93..1da1c1ac 100644
--- a/devfront/src/locales/template.toml
+++ b/devfront/src/locales/template.toml
@@ -1430,6 +1430,7 @@ title = ""
 id = ""
 name = ""
 email = ""
+phone = ""
 
 [ui.dev.profile.org]
 title = ""
@@ -1440,3 +1441,8 @@ company_code = ""
 title = ""
 description = ""
 current = ""
+desc_super_admin = ""
+desc_tenant_admin = ""
+desc_rp_admin = ""
+desc_user = ""
+desc_tenant_member = ""

From fb27fbf3b1c6a6930bcf5185ca46cbdfee0f0550 Mon Sep 17 00:00:00 2001
From: kyy <b24053@hanmaceng.co.kr>
Date: Mon, 16 Mar 2026 16:43:25 +0900
Subject: [PATCH 8/8] =?UTF-8?q?i18n=20=EB=88=84=EB=9D=BD=20=ED=82=A4=20?=
 =?UTF-8?q?=EB=B3=B4=EC=99=84=20=EB=B0=8F=20biome=20=ED=8F=AC=EB=A7=B7=20?=
 =?UTF-8?q?=EC=A0=95=EB=A6=AC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 devfront/src/components/layout/AppLayout.tsx  | 16 ++++++---
 devfront/src/features/profile/ProfilePage.tsx | 33 ++++++++++++++-----
 devfront/src/lib/role.ts                      |  4 ++-
 .../tests/devfront-role-switch-report.spec.ts | 16 ++++++---
 locales/en.toml                               | 25 ++++++++++++++
 locales/ko.toml                               | 25 ++++++++++++++
 locales/template.toml                         | 25 ++++++++++++++
 7 files changed, 126 insertions(+), 18 deletions(-)

diff --git a/devfront/src/components/layout/AppLayout.tsx b/devfront/src/components/layout/AppLayout.tsx
index cdb98dcb..64ed2759 100644
--- a/devfront/src/components/layout/AppLayout.tsx
+++ b/devfront/src/components/layout/AppLayout.tsx
@@ -111,7 +111,7 @@ function AppLayout() {
   const currentRole = resolveProfileRole(
     auth.user?.profile as Record<string, unknown> | undefined,
   );
-  
+
   // Use profile.role from API if available, otherwise fallback to local role
   const displayRoleKey = profile?.role || currentRole;
 
@@ -331,12 +331,18 @@ function AppLayout() {
                         </p>
                       </div>
                       <div className="flex items-center pt-1">
-                        <Badge variant="outline" className="text-[10px] px-2 py-0">
-                          {t(`ui.common.role.${displayRoleKey}`, displayRoleKey.toUpperCase())}
+                        <Badge
+                          variant="outline"
+                          className="text-[10px] px-2 py-0"
+                        >
+                          {t(
+                            `ui.common.role.${displayRoleKey}`,
+                            displayRoleKey.toUpperCase(),
+                          )}
                         </Badge>
                       </div>
                     </div>
-                    
+
                     <button
                       type="button"
                       role="menuitem"
@@ -349,7 +355,7 @@ function AppLayout() {
                       <UserIcon size={16} className="text-muted-foreground" />
                       <span>{t("ui.dev.profile.title", "내 정보")}</span>
                     </button>
-                    
+
                     <button
                       type="button"
                       role="menuitem"
diff --git a/devfront/src/features/profile/ProfilePage.tsx b/devfront/src/features/profile/ProfilePage.tsx
index e4917363..2878a948 100644
--- a/devfront/src/features/profile/ProfilePage.tsx
+++ b/devfront/src/features/profile/ProfilePage.tsx
@@ -1,5 +1,12 @@
 import { useQuery } from "@tanstack/react-query";
-import { User, Shield, Briefcase, Mail, Fingerprint, Building2 } from "lucide-react";
+import {
+  User,
+  Shield,
+  Briefcase,
+  Mail,
+  Fingerprint,
+  Building2,
+} from "lucide-react";
 import { useState } from "react";
 import { useAuth } from "react-oidc-context";
 import {
@@ -16,7 +23,11 @@ function ProfilePage() {
   const auth = useAuth();
   const hasAccessToken = Boolean(auth.user?.access_token);
 
-  const { data: profile, isLoading, error } = useQuery({
+  const {
+    data: profile,
+    isLoading,
+    error,
+  } = useQuery({
     queryKey: ["userMe"],
     queryFn: fetchMe,
     enabled: hasAccessToken,
@@ -41,8 +52,13 @@ function ProfilePage() {
   }
 
   // Fallback to token information if API data is incomplete
-  const displayTenant = profile.tenant?.name || profile.tenantId || auth.user?.profile?.tenant_id?.toString() || "-";
-  const displayCompanyCode = profile.companyCode || auth.user?.profile?.companyCode?.toString() || "-";
+  const displayTenant =
+    profile.tenant?.name ||
+    profile.tenantId ||
+    auth.user?.profile?.tenant_id?.toString() ||
+    "-";
+  const displayCompanyCode =
+    profile.companyCode || auth.user?.profile?.companyCode?.toString() || "-";
 
   return (
     <div className="space-y-6 max-w-4xl mx-auto">
@@ -139,9 +155,7 @@ function ProfilePage() {
                   <p className="text-sm font-medium text-muted-foreground">
                     {t("ui.dev.profile.org.tenant", "테넌트")}
                   </p>
-                  <p className="text-sm">
-                    {displayTenant}
-                  </p>
+                  <p className="text-sm">{displayTenant}</p>
                 </div>
                 <div className="space-y-1">
                   <p className="text-sm font-medium text-muted-foreground">
@@ -178,7 +192,10 @@ function ProfilePage() {
                     {t("ui.dev.profile.role.current", "Current Role")}
                   </p>
                   <p className="text-xl font-bold mt-1">
-                    {t(`ui.common.role.${profile.role}`, profile.role.toUpperCase())}
+                    {t(
+                      `ui.common.role.${profile.role}`,
+                      profile.role.toUpperCase(),
+                    )}
                   </p>
                   <p className="mt-1 text-sm text-muted-foreground">
                     {t(
diff --git a/devfront/src/lib/role.ts b/devfront/src/lib/role.ts
index f4400c72..9a5a2dc8 100644
--- a/devfront/src/lib/role.ts
+++ b/devfront/src/lib/role.ts
@@ -9,7 +9,9 @@ export function normalizeRole(rawRole: unknown): string {
   return role;
 }
 
-export function resolveProfileRole(profile: Record<string, unknown> | undefined) {
+export function resolveProfileRole(
+  profile: Record<string, unknown> | undefined,
+) {
   if (!profile) return "";
   const candidates = [
     profile.role,
diff --git a/devfront/tests/devfront-role-switch-report.spec.ts b/devfront/tests/devfront-role-switch-report.spec.ts
index 6fcf659d..6faedf92 100644
--- a/devfront/tests/devfront-role-switch-report.spec.ts
+++ b/devfront/tests/devfront-role-switch-report.spec.ts
@@ -93,8 +93,12 @@ test.describe("DevFront role report", () => {
     await page
       .getByPlaceholder("My Awesome Application")
       .fill("Tenant A CRM Updated");
-    
-    const updatePromise = page.waitForResponse(r => r.url().includes('/api/v1/dev/clients') && r.request().method() === 'PUT');
+
+    const updatePromise = page.waitForResponse(
+      (r) =>
+        r.url().includes("/api/v1/dev/clients") &&
+        r.request().method() === "PUT",
+    );
     await page.getByRole("button", { name: /^저장$|^Save$/i }).click();
     await updatePromise;
 
@@ -133,8 +137,12 @@ test.describe("DevFront role report", () => {
     await page
       .getByPlaceholder(/https:\/\/app\.example\.com\/callback/i)
       .fill("https://super-admin.example.com/callback");
-    
-    const createPromise = page.waitForResponse(r => r.url().includes('/api/v1/dev/clients') && r.request().method() === 'POST');
+
+    const createPromise = page.waitForResponse(
+      (r) =>
+        r.url().includes("/api/v1/dev/clients") &&
+        r.request().method() === "POST",
+    );
     await page.getByRole("button", { name: /앱 생성|Create/i }).click();
     await createPromise;
 
diff --git a/locales/en.toml b/locales/en.toml
index aebc6602..321bf730 100644
--- a/locales/en.toml
+++ b/locales/en.toml
@@ -1160,6 +1160,31 @@ menu_aria = "Open account menu"
 menu_title = "Account"
 unknown_email = "unknown@example.com"
 unknown_name = "Unknown User"
+title = "My Profile"
+subtitle = "View user details and assigned roles."
+loading = "Loading profile..."
+error = "Failed to load profile."
+
+[ui.dev.profile.tab]
+basic = "Basic Info"
+role = "Roles & Permissions"
+
+[ui.dev.profile.basic]
+title = "User Info"
+id = "User ID"
+name = "Name"
+email = "Email"
+phone = "Phone Number"
+
+[ui.dev.profile.org]
+title = "Organization Info"
+tenant = "Tenant"
+company_code = "Company Code"
+
+[ui.dev.profile.role]
+title = "System Role"
+description = "The permission level granted to this account."
+current = "Current Role"
 
 [ui.dev.clients]
 copy_client_id = "Copy client id"
diff --git a/locales/ko.toml b/locales/ko.toml
index b97c29a6..4fda16f5 100644
--- a/locales/ko.toml
+++ b/locales/ko.toml
@@ -1160,6 +1160,31 @@ menu_aria = "계정 메뉴 열기"
 menu_title = "계정"
 unknown_email = "unknown@example.com"
 unknown_name = "Unknown User"
+title = "내 정보"
+subtitle = "사용자 상세 정보 및 할당된 역할(Role)을 확인합니다."
+loading = "프로필 정보를 불러오는 중..."
+error = "프로필 정보를 불러오지 못했습니다."
+
+[ui.dev.profile.tab]
+basic = "기본 정보"
+role = "권한 및 역할"
+
+[ui.dev.profile.basic]
+title = "사용자 정보"
+id = "사용자 ID"
+name = "이름"
+email = "이메일"
+phone = "전화번호"
+
+[ui.dev.profile.org]
+title = "조직 정보"
+tenant = "테넌트"
+company_code = "회사 코드"
+
+[ui.dev.profile.role]
+title = "시스템 역할"
+description = "현재 계정에 부여된 권한 등급입니다."
+current = "현재 역할"
 
 [ui.dev.clients]
 copy_client_id = "Copy client id"
diff --git a/locales/template.toml b/locales/template.toml
index 77613d27..0cfb9081 100644
--- a/locales/template.toml
+++ b/locales/template.toml
@@ -1025,6 +1025,31 @@ menu_aria = ""
 menu_title = ""
 unknown_email = ""
 unknown_name = ""
+title = ""
+subtitle = ""
+loading = ""
+error = ""
+
+[ui.dev.profile.tab]
+basic = ""
+role = ""
+
+[ui.dev.profile.basic]
+title = ""
+id = ""
+name = ""
+email = ""
+phone = ""
+
+[ui.dev.profile.org]
+title = ""
+tenant = ""
+company_code = ""
+
+[ui.dev.profile.role]
+title = ""
+description = ""
+current = ""
 
 [ui.dev.clients]
 new = ""