Show orgfront login page for regular entries

Refresh frontend containers during image deploy
Serve gateway mjs files as JavaScript
2026-06-23 08:41:40 +09:00 · 2026-06-23 08:24:59 +09:00 · 2026-06-23 08:16:47 +09:00 · 2026-06-22 18:21:05 +09:00 · 2026-06-22 18:17:11 +09:00 · 2026-06-22 18:02:34 +09:00
1194 changed files with 303054 additions and 15916 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1,19 @@
+.git
+.gitea
+.codex
+.env
+.env.*
+**/.dart_tool
+**/.packages
+**/build
+**/node_modules
+**/dist
+**/.next
+**/.cache
+**/coverage
+**/tmp
+**/logs
+**/*.log
+**/*.swp
+**/.DS_Store
+**/.pnpm-store
--- a/.env.sample
+++ b/.env.sample
@@ -7,7 +7,6 @@ APP_ENV=stage # 애플리케이션 실행 환경 (dev, stage, production)
 TZ=Asia/Seoul


-# IDP_PROVIDER는 우선순위 순으로 콤마 구분 (예: Kratos/Hydra 우선, Descope 백업)
 IDP_PROVIDER=ory

 # --- Infrastructure Ports ---
@@ -28,9 +27,44 @@ DB_NAME=baron_sso
 # Must be 32 bytes. Generate with `openssl rand -hex 32`
 COOKIE_SECRET=super-secret-key-must-be-32-bytes!
 JWT_SECRET=super-secret-key-must-be-32-bytes!
+# Optional backend slog override: debug, info, warn, error
+BACKEND_LOG_LEVEL=
 REDIS_ADDR=redis:6389 # compose.infra.yaml의 redis 포트(컨테이너 내부 기준)
 CORS_ALLOWED_ORIGINS=http://localhost:5000 # 쿠키 인증 사용 시 정확한 Origin 지정 필요

+# --- NAVER WORKS API ---
+WORKS_ADMIN_API_BASE_URL=https://www.worksapis.com
+WORKS_ADMIN_OAUTH_TOKEN_URL=https://auth.worksmobile.com/oauth2/v2.0/token
+
+# --- NAVER WORKS Drive backup upload ---
+# Drive API 업로드에는 `file` scope가 필요합니다.
+# 운영에서는 Drive 권한이 위임된 사용자/OAuth access token을 우선 사용하세요.
+# 서비스 계정 JWT 방식은 WORKS 앱 정책에서 Drive API scope 위임이 허용된 경우에만 사용할 수 있습니다.
+WORKS_DRIVE_TARGET=sharedrive
+WORKS_DRIVE_SHARED_DRIVE_ID=
+WORKS_DRIVE_PARENT_FILE_ID=
+WORKS_DRIVE_USER_ID=me
+WORKS_DRIVE_GROUP_ID=
+WORKS_DRIVE_SHARED_FOLDER_ID=
+WORKS_DRIVE_ACCESS_TOKEN=
+WORKS_DRIVE_ACCESS_TOKEN_FILE=
+WORKS_DRIVE_ACCESS_TOKEN_CMD=
+WORKS_DRIVE_OAUTH_SCOPE=file
+WORKS_DRIVE_OAUTH_CLIENT_ID=
+WORKS_DRIVE_OAUTH_CLIENT_SECRET=
+WORKS_DRIVE_OAUTH_CLIENT_SERVICE_ACCOUNT=
+WORKS_DRIVE_OAUTH_CLIENT_PRIVATE_KEY_FILE=./config/worksmobile-driveapp-private-key.pem
+WORKS_DRIVE_OAUTH_REFRESH_TOKEN=
+WORKS_DRIVE_OAUTH_REDIRECT_URI=
+WORKS_DRIVE_SPLIT_SIZE=9000M
+WORKS_DRIVE_MAX_SINGLE_FILE_BYTES=0
+WORKS_DRIVE_FORCE_SPLIT=false
+WORKS_DRIVE_OVERWRITE=false
+WORKS_DRIVE_DRY_RUN=false
+WORKS_DRIVE_UPLOAD_REPORTS=true
+WORKS_DRIVE_REPORT_FOLDER_NAME=reports
+
+
 # Audit System Configuration
 AUDIT_WORKER_COUNT=5      # 비동기 감사 로그 처리를 위한 고루틴 워커 수
 AUDIT_QUEUE_SIZE=2000      # 감사 로그 대기열(채널) 버퍼 크기
@@ -59,7 +93,8 @@ ADMIN_PASSWORD=adminPasswordIsNotSimple
 USERFRONT_URL=https://sso.hmac.kr

 # Services proxied via Nginx
-BACKEND_URL=${USERFRONT_URL}/api
+BACKEND_PUBLIC_URL=${USERFRONT_URL}
+BACKEND_URL=${USERFRONT_URL}
 OATHKEEPER_PUBLIC_URL=${USERFRONT_URL}

 # ory-stack 변수들
@@ -74,22 +109,24 @@ HYDRA_DB=ory_hydra
 KETO_DB=ory_keto

 # Ory Kratos Configuration
-KRATOS_VERSION=v25.4.0-distroless
+KRATOS_VERSION=v26.2.0-distroless
 # KRATOS_PUBLIC_PORT=4433 # Internal only
 # KRATOS_ADMINFRONT_PORT=4434 # Internal only

-KRATOS_UI_NODE_VERSION=v25.4.0
+KRATOS_UI_NODE_VERSION=v26.2.0
 # KRATOS_UI_PORT=4455 # Internal only

 # Ory Hydra Configuration
-HYDRA_VERSION=v25.4.0-distroless
+HYDRA_VERSION=v26.2.0-distroless
 # HYDRA_PUBLIC_PORT=4441 # Internal only
 # HYDRA_ADMINFRONT_PORT=4445 # Internal only

 # Ory Keto Configuration
-KETO_VERSION=v25.4.0-distroless
+KETO_VERSION=v26.2.0-distroless
 # KETO_READ_PORT=4466 # Internal only
 # KETO_WRITE_PORT=4467 # Internal only
+KETO_READ_URL=http://keto:4466
+KETO_WRITE_URL=http://keto:4467

 # Kratos Selfservice UI upstreams (override for deployments)
 ORY_SDK_URL=http://kratos:4433
@@ -105,12 +142,23 @@ KRATOS_UI_URL=http://localhost:5000
 HYDRA_ADMIN_URL=http://hydra:4445
 # Oathkeeper가 /oidc 경로를 Hydra Public API로 라우팅합니다.
 HYDRA_PUBLIC_URL=${OATHKEEPER_PUBLIC_URL}/oidc
+# 선택: Hydra 화면 핸드오프 URL을 USERFRONT_URL 기준 기본값과 다르게 둘 때만 설정합니다.
+# HYDRA_LOGIN_URL=https://sso.hmac.kr/login
+# HYDRA_CONSENT_URL=https://sso.hmac.kr/consent
+# HYDRA_ERROR_URL=https://sso.hmac.kr/error
+# Refresh Token 만료시각 source of truth (Hydra + backend ID Token rt_expires_at claim)
+HYDRA_REFRESH_TOKEN_TTL=720h
+
+# Kratos allowed_return_urls 확장 목록 (콤마 구분, 선택)
+# 기본값은 KRATOS_UI_URL, USERFRONT_URL, 각 callback URL을 자동 포함합니다.
+KRATOS_ALLOWED_RETURN_URLS_EXTRA=[]
+KRATOS_ALLOWED_RETURN_URLS_JSON=["http://localhost:5000","http://localhost:5000/","https://sso.hmac.kr","https://sso.hmac.kr/","https://sso.hmac.kr/ko","https://sso.hmac.kr/ko/","https://sso.hmac.kr/en","https://sso.hmac.kr/en/","https://sso.hmac.kr/auth/callback","https://sso.hmac.kr/ko/auth/callback","https://sso.hmac.kr/en/auth/callback","http://localhost:5173/auth/callback","http://localhost:5174/auth/callback","http://localhost:5175/auth/callback","https://sso.hmac.kr/orgfront/auth/callback"]

 # Oathkeeper JWKS (내부 통신용)
 JWKS_URL=http://oathkeeper:4456/.well-known/jwks.json

 # Oathkeeper 실행 사용자/프로브 설정
-OATHKEEPER_VERSION=v25.4.0
+OATHKEEPER_VERSION=v26.2.0
 OATHKEEPER_UID=1001
 OATHKEEPER_GID=1001
 OATHKEEPER_HEALTH_URL=http://oathkeeper:4456/health/ready
@@ -122,3 +170,19 @@ OATHKEEPER_HEALTH_ENABLED=true
 COOKIE_SECRET=localcookie123
 CSRF_COOKIE_NAME=__HOST-baronSSO_csrf
 CSRF_COOKIE_SECRET=localcsrf123
+
+# AdminFront OIDC 설정
+ADMINFRONT_URL=http://localhost:5173
+ADMINFRONT_CALLBACK_URLS=http://localhost:5173/auth/callback,https://sso.hmac.kr/auth/callback
+
+# DevFront OIDC 설정
+VITE_OIDC_CLIENT_ID=devfront
+VITE_OIDC_AUTHORITY=https://sso.hmac.kr/oidc
+DEVFRONT_URL=http://localhost:5174
+DEVFRONT_CALLBACK_URLS=http://localhost:5174/auth/callback,https://sso.hmac.kr/devfront/auth/callback
+ORGFRONT_URL=http://localhost:5175
+ORGFRONT_CALLBACK_URLS=http://localhost:5175/auth/callback,https://sso.hmac.kr/orgfront/auth/callback
+VITE_ORGCHART_URL=
+
+# promtail에서 로그를 전송받을 Loki 서버 엔드포인트 URL
+LOKI_URL=http://loki:3100/loki/api/v1/push
--- a/.gitea/workflows/build_RC.yml
+++ b/.gitea/workflows/build_RC.yml
@@ -18,6 +18,30 @@ jobs:
      - name: Install dependencies
        run: sudo apt-get update && sudo apt-get install -y jq curl

+      - name: Validate RC build configuration
+        env:
+          HARBOR_ENDPOINT: ${{ vars.HARBOR_ENDPOINT }}
+          HARBOR_HOSTNAME: ${{ vars.HARBOR_HOSTNAME }}
+          HARBOR_ROBOT_ACCOUNT: ${{ vars.HARBOR_ROBOT_ACCOUNT }}
+          HARBOR_ROBOT_KEY: ${{ secrets.HARBOR_ROBOT_KEY }}
+          ADMINFRONT_URL: ${{ vars.ADMINFRONT_URL }}
+          DEVFRONT_URL: ${{ vars.DEVFRONT_URL }}
+          ORGFRONT_URL: ${{ vars.ORGFRONT_URL }}
+          VITE_OIDC_AUTHORITY: ${{ vars.VITE_OIDC_AUTHORITY }}
+        run: |
+          set -euo pipefail
+
+          required_action_env="
+          HARBOR_ENDPOINT HARBOR_HOSTNAME HARBOR_ROBOT_ACCOUNT HARBOR_ROBOT_KEY
+          ADMINFRONT_URL DEVFRONT_URL ORGFRONT_URL VITE_OIDC_AUTHORITY
+          "
+          for key in ${required_action_env}; do
+            if [ -z "${!key:-}" ]; then
+              echo "::error::Missing required RC build value: ${key}. Check Gitea repo variables/secrets."
+              exit 1
+            fi
+          done
+
      - name: Login to Docker Registry
        uses: docker/login-action@v3
        with:
@@ -89,28 +113,52 @@ jobs:
      - name: Build and push adminfront RC image
        uses: docker/build-push-action@v5
        with:
-          context: ./adminfront
+          context: .
          file: ./adminfront/Dockerfile
          push: true
          tags: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/adminfront:${{ steps.rc_calculator.outputs.new_rc_tag }}
+          build-args: |
+            VITE_ADMIN_PUBLIC_URL=${{ vars.ADMINFRONT_URL }}
+            VITE_OIDC_AUTHORITY=${{ vars.VITE_OIDC_AUTHORITY }}
+            VITE_OIDC_CLIENT_ID=adminfront
+            ORGFRONT_URL=${{ vars.ORGFRONT_URL }}
          provenance: false
          sbom: false

      - name: Build and push devfront RC image
        uses: docker/build-push-action@v5
        with:
-          context: ./devfront
+          context: .
          file: ./devfront/Dockerfile
          push: true
          tags: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/devfront:${{ steps.rc_calculator.outputs.new_rc_tag }}
+          build-args: |
+            VITE_DEVFRONT_PUBLIC_URL=${{ vars.DEVFRONT_URL }}
+            VITE_OIDC_AUTHORITY=${{ vars.VITE_OIDC_AUTHORITY }}
+            VITE_OIDC_CLIENT_ID=devfront
+          provenance: false
+          sbom: false
+
+      - name: Build and push orgfront RC image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./orgfront/Dockerfile
+          push: true
+          tags: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/orgfront:${{ steps.rc_calculator.outputs.new_rc_tag }}
+          build-args: |
+            VITE_ORGFRONT_PUBLIC_URL=${{ vars.ORGFRONT_URL }}
+            VITE_OIDC_AUTHORITY=${{ vars.VITE_OIDC_AUTHORITY }}
+            VITE_OIDC_CLIENT_ID=orgfront
          provenance: false
          sbom: false

      - name: Build and push userfront RC image
        uses: docker/build-push-action@v5
        with:
-          context: ./userfront
+          context: .
          file: ./userfront/Dockerfile
+          target: production
          push: true
          tags: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/userfront:${{ steps.rc_calculator.outputs.new_rc_tag }}
          provenance: false
--- a/.gitea/workflows/code_check.yml
+++ b/.gitea/workflows/code_check.yml
--- a/.gitea/workflows/image_publish.yml
+++ b/.gitea/workflows/image_publish.yml
@@ -0,0 +1,279 @@
+name: Publish Baron SSO Images
+
+on:
+  workflow_dispatch:
+    inputs:
+      version_prefix:
+        description: "stage/prod 공용 이미지 태그 prefix (예: v1.2606, 최종 태그는 v1.2606.<커밋해시4자리>)"
+        required: true
+        type: string
+
+jobs:
+  publish-images:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout dev branch
+        uses: actions/checkout@v4
+        with:
+          ref: dev
+
+      - name: Validate publish inputs
+        env:
+          VERSION_PREFIX: ${{ github.event.inputs.version_prefix }}
+          ADMINFRONT_URL: ${{ vars.ADMINFRONT_URL }}
+          DEVFRONT_URL: ${{ vars.DEVFRONT_URL }}
+          ORGFRONT_URL: ${{ vars.ORGFRONT_URL }}
+          VITE_OIDC_AUTHORITY: ${{ vars.VITE_OIDC_AUTHORITY }}
+          WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID }}
+          WORKS_DRIVE_ACCESS_TOKEN_INPUT: ${{ secrets.WORKS_DRIVE_ACCESS_TOKEN }}
+          WORKS_DRIVE_ACCESS_TOKEN_FILE: ${{ vars.WORKS_DRIVE_ACCESS_TOKEN_FILE }}
+          WORKS_DRIVE_ACCESS_TOKEN_CMD: ${{ vars.WORKS_DRIVE_ACCESS_TOKEN_CMD }}
+          WORKS_DRIVE_OAUTH_CLIENT_ID: ${{ secrets.WORKS_DRIVE_OAUTH_CLIENT_ID }}
+          WORKS_DRIVE_OAUTH_CLIENT_SECRET: ${{ secrets.WORKS_OAUTH_CLIENT_SECRET }}
+          WORKS_DRIVE_OAUTH_REFRESH_TOKEN: ${{ secrets.WORKS_DRIVE_REFRESH_TOKEN }}
+        run: |
+          set -euo pipefail
+
+          if ! printf '%s' "${VERSION_PREFIX}" | grep -Eq '^v[0-9]+\.[0-9]{4}$'; then
+            echo "::error::version_prefix must look like vX.YYMM (got: ${VERSION_PREFIX})"
+            exit 1
+          fi
+
+          required_values="
+          ADMINFRONT_URL DEVFRONT_URL ORGFRONT_URL VITE_OIDC_AUTHORITY WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID
+          "
+          for key in ${required_values}; do
+            if [ -z "${!key:-}" ]; then
+              echo "::error::Missing required publish value: ${key}. Check Gitea repo variables/secrets."
+              exit 1
+            fi
+          done
+
+          if [ -z "${WORKS_DRIVE_ACCESS_TOKEN_INPUT:-}" ] \
+            && [ -z "${WORKS_DRIVE_ACCESS_TOKEN_FILE:-}" ] \
+            && [ -z "${WORKS_DRIVE_ACCESS_TOKEN_CMD:-}" ] \
+            && [ -z "${WORKS_DRIVE_OAUTH_REFRESH_TOKEN:-}" ]; then
+            echo "::error::Missing WORKS Drive access auth. Provide WORKS_DRIVE_ACCESS_TOKEN, WORKS_DRIVE_ACCESS_TOKEN_FILE, WORKS_DRIVE_ACCESS_TOKEN_CMD, or WORKS_DRIVE_OAUTH_REFRESH_TOKEN."
+            exit 1
+          fi
+
+          if [ -z "${WORKS_DRIVE_ACCESS_TOKEN_INPUT:-}" ] \
+            && [ -z "${WORKS_DRIVE_ACCESS_TOKEN_FILE:-}" ] \
+            && [ -z "${WORKS_DRIVE_ACCESS_TOKEN_CMD:-}" ] \
+            && [ -n "${WORKS_DRIVE_OAUTH_REFRESH_TOKEN:-}" ] \
+            && { [ -z "${WORKS_DRIVE_OAUTH_CLIENT_ID:-}" ] || [ -z "${WORKS_DRIVE_OAUTH_CLIENT_SECRET:-}" ]; }; then
+            echo "::error::WORKS_DRIVE_OAUTH_CLIENT_ID and WORKS_DRIVE_OAUTH_CLIENT_SECRET are required when WORKS_DRIVE_OAUTH_REFRESH_TOKEN is the selected auth source."
+            exit 1
+          fi
+
+      - name: Compute commit-hash image tag
+        id: version
+        env:
+          VERSION_PREFIX: ${{ github.event.inputs.version_prefix }}
+        run: |
+          set -euo pipefail
+
+          short_sha="$(git rev-parse --short=4 HEAD)"
+          if ! printf '%s' "${short_sha}" | grep -Eq '^[0-9a-f]{4}$'; then
+            echo "::error::commit hash suffix must be 4 lowercase hexadecimal characters (got: ${short_sha})"
+            exit 1
+          fi
+
+          image_tag="${VERSION_PREFIX}.${short_sha}"
+          echo "image_tag=${image_tag}" >> "${GITHUB_OUTPUT}"
+          echo "Computed shared image tag: ${image_tag}"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build backend image
+        uses: docker/build-push-action@v5
+        with:
+          context: ./backend
+          file: ./backend/Dockerfile
+          target: production
+          load: true
+          tags: baron_sso/backend:${{ steps.version.outputs.image_tag }}
+          provenance: false
+          sbom: false
+
+      - name: Build userfront image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./userfront/Dockerfile
+          target: production
+          load: true
+          tags: baron_sso/userfront:${{ steps.version.outputs.image_tag }}
+          provenance: false
+          sbom: false
+
+      - name: Build adminfront image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./adminfront/Dockerfile
+          target: production
+          load: true
+          tags: baron_sso/adminfront:${{ steps.version.outputs.image_tag }}
+          build-args: |
+            VITE_ADMIN_PUBLIC_URL=${{ vars.ADMINFRONT_URL }}
+            VITE_OIDC_AUTHORITY=${{ vars.VITE_OIDC_AUTHORITY }}
+            VITE_OIDC_CLIENT_ID=adminfront
+            ORGFRONT_URL=${{ vars.ORGFRONT_URL }}
+          provenance: false
+          sbom: false
+
+      - name: Build devfront image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./devfront/Dockerfile
+          target: production
+          load: true
+          tags: baron_sso/devfront:${{ steps.version.outputs.image_tag }}
+          build-args: |
+            VITE_DEVFRONT_PUBLIC_URL=${{ vars.DEVFRONT_URL }}
+            VITE_OIDC_AUTHORITY=${{ vars.VITE_OIDC_AUTHORITY }}
+            VITE_OIDC_CLIENT_ID=devfront
+            ORGFRONT_URL=${{ vars.ORGFRONT_URL }}
+          provenance: false
+          sbom: false
+
+      - name: Build orgfront image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./orgfront/Dockerfile
+          target: production
+          load: true
+          tags: baron_sso/orgfront:${{ steps.version.outputs.image_tag }}
+          build-args: |
+            VITE_ORGFRONT_PUBLIC_URL=${{ vars.ORGFRONT_URL }}
+            VITE_OIDC_AUTHORITY=${{ vars.VITE_OIDC_AUTHORITY }}
+            VITE_OIDC_CLIENT_ID=orgfront
+          provenance: false
+          sbom: false
+
+      - name: Verify built Docker images before WORKS upload
+        env:
+          IMAGE_TAG: ${{ steps.version.outputs.image_tag }}
+        run: |
+          set -euo pipefail
+
+          for image in backend userfront adminfront devfront orgfront; do
+            image_ref="baron_sso/${image}:${IMAGE_TAG}"
+            echo "Checking built Docker image before WORKS upload: ${image_ref}"
+            docker image inspect "${image_ref}" >/dev/null
+            docker image ls "${image_ref}"
+          done
+
+      - name: Resolve WORKS Drive access token
+        env:
+          WORKS_DRIVE_ACCESS_TOKEN_INPUT: ${{ secrets.WORKS_DRIVE_ACCESS_TOKEN }}
+          WORKS_DRIVE_ACCESS_TOKEN_FILE: ${{ vars.WORKS_DRIVE_ACCESS_TOKEN_FILE }}
+          WORKS_DRIVE_ACCESS_TOKEN_CMD: ${{ vars.WORKS_DRIVE_ACCESS_TOKEN_CMD }}
+          WORKS_DRIVE_OAUTH_CLIENT_ID: ${{ secrets.WORKS_DRIVE_OAUTH_CLIENT_ID }}
+          WORKS_DRIVE_OAUTH_CLIENT_SECRET: ${{ secrets.WORKS_OAUTH_CLIENT_SECRET }}
+          WORKS_DRIVE_OAUTH_REFRESH_TOKEN: ${{ secrets.WORKS_DRIVE_REFRESH_TOKEN }}
+          WORKS_DRIVE_OAUTH_TOKEN_URL: ${{ vars.WORKS_DRIVE_OAUTH_TOKEN_URL }}
+        run: |
+          set -euo pipefail
+
+          access_token=""
+          rotated_refresh_token_file="${RUNNER_TEMP}/works-drive-rotated-refresh-token"
+
+          if [ -n "${WORKS_DRIVE_ACCESS_TOKEN_INPUT:-}" ]; then
+            access_token="${WORKS_DRIVE_ACCESS_TOKEN_INPUT}"
+          elif [ -n "${WORKS_DRIVE_ACCESS_TOKEN_FILE:-}" ]; then
+            access_token="$(sed -n '1p' "${WORKS_DRIVE_ACCESS_TOKEN_FILE}")"
+          elif [ -n "${WORKS_DRIVE_ACCESS_TOKEN_CMD:-}" ]; then
+            access_token="$(sh -c "${WORKS_DRIVE_ACCESS_TOKEN_CMD}")"
+          else
+            token_url="${WORKS_DRIVE_OAUTH_TOKEN_URL:-https://auth.worksmobile.com/oauth2/v2.0/token}"
+            response="$(curl -sS -w $'\n%{http_code}' -X POST \
+              -H "Content-Type: application/x-www-form-urlencoded" \
+              --data-urlencode "grant_type=refresh_token" \
+              --data-urlencode "refresh_token=${WORKS_DRIVE_OAUTH_REFRESH_TOKEN}" \
+              --data-urlencode "client_id=${WORKS_DRIVE_OAUTH_CLIENT_ID}" \
+              --data-urlencode "client_secret=${WORKS_DRIVE_OAUTH_CLIENT_SECRET}" \
+              "${token_url}")"
+            http_status="$(tail -n 1 <<<"${response}")"
+            response_body="$(sed '$d' <<<"${response}")"
+            if [ "${http_status}" -lt 200 ] || [ "${http_status}" -ge 300 ]; then
+              echo "::error::WORKS Drive access token refresh failed with HTTP ${http_status}."
+              exit 1
+            fi
+
+            access_token="$(jq -er '.access_token' <<<"${response_body}")"
+            rotated_refresh_token="$(jq -r '.refresh_token // empty' <<<"${response_body}")"
+            if [ -n "${rotated_refresh_token}" ]; then
+              echo "::add-mask::${rotated_refresh_token}"
+              printf '%s\n' "${rotated_refresh_token}" >"${rotated_refresh_token_file}"
+              chmod 600 "${rotated_refresh_token_file}"
+              echo "WORKS_DRIVE_ROTATED_REFRESH_TOKEN_FILE=${rotated_refresh_token_file}" >>"${GITHUB_ENV}"
+              echo "::warning::WORKS returned a rotated refresh token. Persist it to the WORKS_DRIVE_OAUTH_REFRESH_TOKEN secret before old refresh tokens age out."
+            fi
+          fi
+
+          if [ -z "${access_token}" ]; then
+            echo "::error::WORKS Drive access token could not be resolved."
+            exit 1
+          fi
+
+          echo "::add-mask::${access_token}"
+          echo "WORKS_DRIVE_ACCESS_TOKEN=${access_token}" >>"${GITHUB_ENV}"
+
+      - name: Upload built images to WORKS Drive archive
+        env:
+          IMAGE_TAG: ${{ steps.version.outputs.image_tag }}
+          WORKS_DRIVE_DOCKER_IMAGE_DIR: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DIR }}
+          WORKS_DRIVE_TARGET: sharedrive
+          WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID }}
+          WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID }}
+          WORKS_DRIVE_API_BASE_URL: ${{ vars.WORKS_DRIVE_API_BASE_URL }}
+        run: |
+          set -euo pipefail
+
+          : "${WORKS_DRIVE_DOCKER_IMAGE_DIR:=baron-sso}"
+
+          required_values="
+          IMAGE_TAG WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID
+          "
+          for key in ${required_values}; do
+            if [ -z "${!key:-}" ]; then
+              echo "::error::Missing required WORKS image archive value: ${key}."
+              exit 1
+            fi
+          done
+
+          images="backend userfront adminfront devfront orgfront"
+          image_total=5
+          image_index=0
+          uploaded_images=""
+
+          for image in ${images}; do
+            image_index=$((image_index + 1))
+            image_ref="baron_sso/${image}:${IMAGE_TAG}"
+            echo "WORKS image upload ${image_index}/${image_total}: ${image_ref}"
+            docker image inspect "${image_ref}" >/dev/null
+            if DOCKER_IMAGE_REF="${image_ref}" \
+              WORKS_DRIVE_DOCKER_IMAGE_DIR="${WORKS_DRIVE_DOCKER_IMAGE_DIR}" \
+              WORKS_DRIVE_SHARED_DRIVE_ID="${WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID}" \
+              WORKS_DRIVE_PARENT_FILE_ID="${WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID:-}" \
+              WORKS_DOCKER_IMAGE_ARCHIVE_DIR="${RUNNER_TEMP}/baron-sso-docker-image-upload" \
+                scripts/docker-image/upload_works_drive.sh; then
+              uploaded_images="${uploaded_images}${uploaded_images:+ }${image_ref}"
+              echo "WORKS image upload completed: ${image_ref}"
+            else
+              upload_status="$?"
+              echo "::error::WORKS image upload failed at ${image_index}/${image_total}: ${image_ref}"
+              echo "Already uploaded images: ${uploaded_images:-none}"
+              exit "${upload_status}"
+            fi
+          done
+
+          echo "Uploaded WORKS image archives:"
+          for image_ref in ${uploaded_images}; do
+            echo " - ${image_ref}"
+          done
--- a/.gitea/workflows/production_image_deploy.yml
+++ b/.gitea/workflows/production_image_deploy.yml
@@ -0,0 +1,122 @@
+name: Deploy Baron SSO Production Images
+
+on:
+  workflow_dispatch:
+    inputs:
+      image_tag:
+        description: "배포할 공용 저장소 이미지 태그 (예: v1.2606.ab12)"
+        required: true
+        type: string
+
+jobs:
+  deploy-production-images:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout deployment scripts and templates
+        uses: actions/checkout@v4
+
+      - name: Setup SSH
+        uses: webfactory/ssh-agent@v0.9.0
+        with:
+          ssh-private-key: ${{ secrets.PROD_SSH_PRIVATE_KEY }}
+
+      - name: Build production deployment bundle
+        env:
+          IMAGE_TAG: ${{ github.event.inputs.image_tag }}
+          IMAGE_DEPLOY_ENV: production
+          IMAGE_DEPLOY_INSTANCE_NAME: ${{ vars.PROD_INSTANCE_NAME }}
+          IMAGE_DEPLOY_PORT_PREFIX: ${{ vars.PROD_PORT_PREFIX }}
+          IMAGE_DEPLOY_PUBLIC_URL: ${{ vars.PROD_FRONTEND_URL }}
+          IMAGE_DEPLOY_COMPOSE_TEMPLATE: deploy/templates/docker-compose.images.yaml
+          IMAGE_DEPLOY_BUNDLE_FILE: prod-image-deploy-bundle.tgz
+          ADMINFRONT_URL: ${{ vars.PROD_ADMINFRONT_URL }}
+          DEVFRONT_URL: ${{ vars.PROD_DEVFRONT_URL }}
+          ORGFRONT_URL: ${{ vars.PROD_ORGFRONT_URL }}
+          VITE_OIDC_AUTHORITY: ${{ vars.PROD_VITE_OIDC_AUTHORITY }}
+          IMAGE_DEPLOY_BACKEND_LOG_LEVEL: ${{ vars.PROD_BACKEND_LOG_LEVEL }}
+          IMAGE_DEPLOY_CLIENT_LOG_DEBUG: ${{ vars.PROD_CLIENT_LOG_DEBUG }}
+          IMAGE_DEPLOY_BACKEND_PUBLIC_URL: ${{ vars.PROD_BACKEND_URL || vars.PROD_FRONTEND_URL }}
+          IMAGE_DEPLOY_BACKEND_URL: ${{ vars.PROD_BACKEND_URL || vars.PROD_FRONTEND_URL }}
+          WORKS_ADMIN_API_BASE_URL: ${{ vars.PROD_WORKS_ADMIN_API_BASE_URL }}
+          WORKS_ADMIN_OAUTH_TOKEN_URL: ${{ vars.PROD_WORKS_ADMIN_OAUTH_TOKEN_URL }}
+          PROFILE_CACHE_TTL: ${{ vars.PROD_PROFILE_CACHE_TTL }}
+          NAVER_CLOUD_ACCESS_KEY: ${{ secrets.PROD_NAVER_CLOUD_ACCESS_KEY }}
+          NAVER_CLOUD_SECRET_KEY: ${{ secrets.PROD_NAVER_CLOUD_SECRET_KEY }}
+          NAVER_CLOUD_SERVICE_ID: ${{ vars.PROD_NAVER_CLOUD_SERVICE_ID }}
+          NAVER_SENDER_PHONE_NUMBER: ${{ vars.PROD_NAVER_SENDER_PHONE_NUMBER }}
+          AWS_REGION: ${{ vars.PROD_AWS_REGION }}
+          AWS_ACCESS_KEY_ID: ${{ vars.PROD_AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}
+          AWS_SES_SENDER: ${{ vars.PROD_AWS_SES_SENDER }}
+          CORS_ALLOWED_ORIGINS: ${{ vars.PROD_CORS_ALLOWED_ORIGINS }}
+          OATHKEEPER_API_URL: ${{ vars.PROD_OATHKEEPER_API_URL }}
+          CLICKHOUSE_HOST: ${{ vars.PROD_CLICKHOUSE_HOST }}
+          CLICKHOUSE_USER: ${{ vars.PROD_CLICKHOUSE_USER }}
+          IMAGE_DEPLOY_DB_PORT: ${{ vars.PROD_DB_PORT }}
+          IMAGE_DEPLOY_REDIS_PORT: ${{ vars.PROD_REDIS_PORT }}
+          IMAGE_DEPLOY_CLICKHOUSE_PORT_HTTP: ${{ vars.PROD_CLICKHOUSE_PORT_HTTP }}
+          IMAGE_DEPLOY_CLICKHOUSE_PORT_NATIVE: ${{ vars.PROD_CLICKHOUSE_PORT_NATIVE }}
+          IMAGE_DEPLOY_BACKEND_PORT: ${{ vars.PROD_BACKEND_PORT }}
+          IMAGE_DEPLOY_FRONTEND_PORT: ${{ vars.PROD_FRONTEND_PORT }}
+          ADMINFRONT_PORT: ${{ vars.PROD_ADMINFRONT_PORT }}
+          DEVFRONT_PORT: ${{ vars.PROD_DEVFRONT_PORT }}
+          ORGFRONT_PORT: ${{ vars.PROD_ORGFRONT_PORT }}
+          IMAGE_DEPLOY_OATHKEEPER_PROXY_PORT: ${{ vars.PROD_OATHKEEPER_PROXY_PORT }}
+          IMAGE_DEPLOY_DOMAIN_SUFFIX: ${{ vars.PROD_DOMAIN_SUFFIX }}
+          ADMINFRONT_CALLBACK_URLS: ${{ vars.PROD_ADMINFRONT_CALLBACK_URLS }}
+          DEVFRONT_CALLBACK_URLS: ${{ vars.PROD_DEVFRONT_CALLBACK_URLS }}
+          ORGFRONT_CALLBACK_URLS: ${{ vars.PROD_ORGFRONT_CALLBACK_URLS }}
+          HYDRA_REFRESH_TOKEN_TTL: ${{ vars.PROD_HYDRA_REFRESH_TOKEN_TTL }}
+          ORY_POSTGRES_USER: ${{ vars.PROD_ORY_POSTGRES_USER }}
+          ORY_POSTGRES_DB: ${{ vars.PROD_ORY_POSTGRES_DB }}
+          KRATOS_DB: ${{ vars.PROD_KRATOS_DB }}
+          HYDRA_DB: ${{ vars.PROD_HYDRA_DB }}
+          KETO_DB: ${{ vars.PROD_KETO_DB }}
+          KRATOS_VERSION: ${{ vars.PROD_KRATOS_VERSION }}
+          HYDRA_VERSION: ${{ vars.PROD_HYDRA_VERSION }}
+          KETO_VERSION: ${{ vars.PROD_KETO_VERSION }}
+          OATHKEEPER_VERSION: ${{ vars.PROD_OATHKEEPER_VERSION }}
+          ORY_POSTGRES_TAG: ${{ vars.PROD_ORY_POSTGRES_TAG }}
+          OATHKEEPER_UID: ${{ vars.PROD_OATHKEEPER_UID }}
+          OATHKEEPER_GID: ${{ vars.PROD_OATHKEEPER_GID }}
+          OATHKEEPER_INTROSPECT_CLIENT_ID: ${{ vars.PROD_OATHKEEPER_INTROSPECT_CLIENT_ID }}
+          ADMIN_EMAIL: ${{ vars.PROD_ADMIN_EMAIL }}
+          BACKEND_IMAGE_NAME: baron_sso/backend
+          USERFRONT_IMAGE_NAME: baron_sso/userfront
+          ADMINFRONT_IMAGE_NAME: baron_sso/adminfront
+          DEVFRONT_IMAGE_NAME: baron_sso/devfront
+          ORGFRONT_IMAGE_NAME: baron_sso/orgfront
+          IMAGE_DEPLOY_DB_PASSWORD: ${{ secrets.PROD_DB_PASSWORD }}
+          IMAGE_DEPLOY_ORY_POSTGRES_PASSWORD: ${{ secrets.PROD_ORY_POSTGRES_PASSWORD }}
+          IMAGE_DEPLOY_OATHKEEPER_INTROSPECT_CLIENT_SECRET: ${{ secrets.PROD_OATHKEEPER_SECRET }}
+          IMAGE_DEPLOY_CLICKHOUSE_PASSWORD: ${{ secrets.PROD_CLICKHOUSE_PASSWORD }}
+          IMAGE_DEPLOY_COOKIE_SECRET: ${{ secrets.PROD_COOKIE_SECRET }}
+          IMAGE_DEPLOY_JWT_SECRET: ${{ secrets.PROD_JWT_SECRET }}
+          IMAGE_DEPLOY_CSRF_COOKIE_SECRET: ${{ secrets.PROD_CSRF_COOKIE_SECRET }}
+          IMAGE_DEPLOY_ADMIN_PASSWORD: ${{ secrets.PROD_ADMIN_PASSWORD }}
+        run: |
+          set -euo pipefail
+          # Same image tag contract as staging: production must consume the
+          # immutable image tag that already passed staging verification.
+          scripts/deploy/build_image_deploy_bundle.sh
+
+      - name: Upload bundle and run requested production image tag
+        env:
+          IMAGE_DEPLOY_BUNDLE_FILE: prod-image-deploy-bundle.tgz
+          DEPLOY_HOST: ${{ vars.PROD_HOST }}
+          DEPLOY_USER: ${{ vars.PROD_USER }}
+          DEPLOY_PATH: ${{ vars.PROD_DEPLOY_PATH }}
+          WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID }}
+          WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID }}
+          WORKS_DRIVE_DOCKER_IMAGE_DIR: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DIR || 'baron-sso' }}
+          WORKS_DRIVE_API_BASE_URL: ${{ vars.WORKS_DRIVE_API_BASE_URL }}
+          WORKS_DRIVE_OAUTH_TOKEN_URL: ${{ vars.WORKS_DRIVE_OAUTH_TOKEN_URL }}
+          WORKS_DRIVE_ACCESS_TOKEN_INPUT: ${{ secrets.WORKS_DRIVE_ACCESS_TOKEN }}
+          WORKS_DRIVE_ACCESS_TOKEN_FILE: ${{ vars.WORKS_DRIVE_ACCESS_TOKEN_FILE }}
+          WORKS_DRIVE_ACCESS_TOKEN_CMD: ${{ vars.WORKS_DRIVE_ACCESS_TOKEN_CMD }}
+          WORKS_DRIVE_OAUTH_CLIENT_ID: ${{ secrets.WORKS_DRIVE_OAUTH_CLIENT_ID }}
+          WORKS_DRIVE_OAUTH_CLIENT_SECRET: ${{ secrets.WORKS_OAUTH_CLIENT_SECRET }}
+          WORKS_DRIVE_OAUTH_REFRESH_TOKEN: ${{ secrets.WORKS_DRIVE_REFRESH_TOKEN }}
+        run: |
+          set -euo pipefail
+          scripts/deploy/upload_and_run_image_deploy.sh
--- a/.gitea/workflows/production_release.yml
+++ b/.gitea/workflows/production_release.yml
@@ -42,19 +42,13 @@ jobs:
            sudo apt-get update -y && sudo apt-get install -y skopeo
          fi

-          # Re-tag backend image
-          echo "Re-tagging backend image..."
-          skopeo copy --preserve-digests \
-                      --src-creds "${HARBOR_USER}:${HARBOR_PASSWORD}" --dest-creds "${HARBOR_USER}:${HARBOR_PASSWORD}" \
-                      --src-tls-verify=false --dest-tls-verify=false \
-                      "docker://${HARBOR_HOSTNAME}/baron_sso/backend:${BASE_TAG}" "docker://${HARBOR_HOSTNAME}/baron_sso/backend:${RE_TAG}"
-
-          # Re-tag userfront image
-          echo "Re-tagging userfront image..."
-          skopeo copy --preserve-digests \
-                      --src-creds "${HARBOR_USER}:${HARBOR_PASSWORD}" --dest-creds "${HARBOR_USER}:${HARBOR_PASSWORD}" \
-                      --src-tls-verify=false --dest-tls-verify=false \
-                      "docker://${HARBOR_HOSTNAME}/baron_sso/userfront:${BASE_TAG}" "docker://${HARBOR_HOSTNAME}/baron_sso/userfront:${RE_TAG}"
+          for image in backend userfront adminfront devfront orgfront; do
+            echo "Re-tagging ${image} image..."
+            skopeo copy --preserve-digests \
+                        --src-creds "${HARBOR_USER}:${HARBOR_PASSWORD}" --dest-creds "${HARBOR_USER}:${HARBOR_PASSWORD}" \
+                        --src-tls-verify=false --dest-tls-verify=false \
+                        "docker://${HARBOR_HOSTNAME}/baron_sso/${image}:${BASE_TAG}" "docker://${HARBOR_HOSTNAME}/baron_sso/${image}:${RE_TAG}"
+          done

          echo "final_image_tag=${RE_TAG}" >> "$GITHUB_OUTPUT"

@@ -68,6 +62,9 @@ jobs:
          IMAGE_TAG: ${{ steps.retag.outputs.final_image_tag }}
          BACKEND_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/backend
          USERFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/userfront
+          ADMINFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/adminfront
+          DEVFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/devfront
+          ORGFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/orgfront
          DEPLOY_PATH: ${{ vars.PROD_DEPLOY_PATH }}
          PROD_HOST: ${{ vars.PROD_HOST }}
          PROD_USER: ${{ vars.PROD_USER }}
@@ -89,7 +86,7 @@ jobs:

          ssh-keyscan -H "${PROD_HOST}" >> ~/.ssh/known_hosts

-          ssh "${PROD_USER}@${PROD_HOST}" "mkdir -p '${DEPLOY_PATH}'"
+          ssh "${PROD_USER}@${PROD_HOST}" "mkdir -p '${DEPLOY_PATH}/adminfront'"

          # Create the main .env file for Baron SSO on the remote server
          # Note: All values are pulled from Gitea secrets and variables
@@ -101,27 +98,56 @@ jobs:
            "CLICKHOUSE_PORT_NATIVE=${{ vars.PROD_CLICKHOUSE_PORT_NATIVE }}" \
            "CLICKHOUSE_USER=${{ vars.PROD_CLICKHOUSE_USER }}" \
            "CLICKHOUSE_PASSWORD=${{ secrets.PROD_CLICKHOUSE_PASSWORD }}" \
-            "BACKEND_PORT=${{ vars.PROD_BACKEND_PORT }}" \
-            "USERFRONT_PORT=${{ vars.PROD_USERFRONT_PORT }}" \
+            "PROD_BACKEND_PORT=${{ vars.PROD_BACKEND_PORT }}" \
+            "BACKEND_PORT=3000" \
+            "USERFRONT_PORT=${{ vars.PROD_FRONTEND_PORT }}" \
+            "ADMINFRONT_PORT=${{ vars.PROD_ADMINFRONT_PORT }}" \
+            "DEVFRONT_PORT=${{ vars.PROD_DEVFRONT_PORT }}" \
+            "ORGFRONT_PORT=${{ vars.PROD_ORGFRONT_PORT }}" \
            "DB_USER=${{ vars.PROD_DB_USER }}" \
            "DB_PASSWORD=${{ secrets.PROD_DB_PASSWORD }}" \
            "DB_NAME=${{ vars.PROD_DB_NAME }}" \
            "COOKIE_SECRET=${{ secrets.PROD_COOKIE_SECRET }}" \
            "JWT_SECRET=${{ secrets.PROD_JWT_SECRET }}" \
            "REDIS_ADDR=${{ vars.PROD_REDIS_ADDR }}" \
-            "NAVER_CLOUD_ACCESS_KEY=${{ vars.NAVER_CLOUD_ACCESS_KEY }}" \
-            "NAVER_CLOUD_SECRET_KEY=${{ secrets.NAVER_CLOUD_SECRET_KEY }}" \
-            "NAVER_CLOUD_SERVICE_ID=${{ vars.NAVER_CLOUD_SERVICE_ID }}" \
-            "NAVER_SENDER_PHONE_NUMBER=${{ vars.NAVER_SENDER_PHONE_NUMBER }}" \
-            "AWS_REGION=${{ vars.AWS_REGION }}" \
-            "AWS_ACCESS_KEY_ID=${{ vars.AWS_ACCESS_KEY_ID }}" \
-            "AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }}" \
-            "AWS_SES_SENDER=${{ vars.AWS_SES_SENDER }}" \
-            "USERFRONT_URL=${{ vars.PROD_USERFRONT_URL }}" \
+            "NAVER_CLOUD_ACCESS_KEY=${{ secrets.PROD_NAVER_CLOUD_ACCESS_KEY }}" \
+            "NAVER_CLOUD_SECRET_KEY=${{ secrets.PROD_NAVER_CLOUD_SECRET_KEY }}" \
+            "NAVER_CLOUD_SERVICE_ID=${{ vars.PROD_NAVER_CLOUD_SERVICE_ID }}" \
+            "NAVER_SENDER_PHONE_NUMBER=${{ vars.PROD_NAVER_SENDER_PHONE_NUMBER }}" \
+            "AWS_REGION=${{ vars.PROD_AWS_REGION }}" \
+            "AWS_ACCESS_KEY_ID=${{ vars.PROD_AWS_ACCESS_KEY_ID }}" \
+            "AWS_SECRET_ACCESS_KEY=${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}" \
+            "AWS_SES_SENDER=${{ vars.PROD_AWS_SES_SENDER }}" \
+            "USERFRONT_URL=${{ vars.PROD_FRONTEND_URL }}" \
+            "ADMINFRONT_URL=${{ vars.PROD_ADMINFRONT_URL }}" \
+            "DEVFRONT_URL=${{ vars.PROD_DEVFRONT_URL }}" \
+            "ORGFRONT_URL=${{ vars.PROD_ORGFRONT_URL }}" \
            "BACKEND_URL=${{ vars.PROD_BACKEND_URL }}" \
+            "VITE_OIDC_AUTHORITY=${{ vars.PROD_VITE_OIDC_AUTHORITY }}" \
+            "HYDRA_REFRESH_TOKEN_TTL=${{ vars.PROD_HYDRA_REFRESH_TOKEN_TTL }}" \
+            "ADMINFRONT_CALLBACK_URLS=${{ vars.PROD_ADMINFRONT_CALLBACK_URLS }}" \
+            "DEVFRONT_CALLBACK_URLS=${{ vars.PROD_DEVFRONT_CALLBACK_URLS }}" \
+            "ORGFRONT_CALLBACK_URLS=${{ vars.PROD_ORGFRONT_CALLBACK_URLS }}" \
            > .env

+          required_dotenv_keys="
+          APP_ENV TZ DB_PORT CLICKHOUSE_PORT_HTTP CLICKHOUSE_PORT_NATIVE CLICKHOUSE_USER CLICKHOUSE_PASSWORD
+          PROD_BACKEND_PORT BACKEND_PORT USERFRONT_PORT ADMINFRONT_PORT DEVFRONT_PORT ORGFRONT_PORT
+          DB_USER DB_PASSWORD DB_NAME COOKIE_SECRET JWT_SECRET REDIS_ADDR
+          NAVER_CLOUD_ACCESS_KEY NAVER_CLOUD_SECRET_KEY NAVER_CLOUD_SERVICE_ID NAVER_SENDER_PHONE_NUMBER
+          AWS_REGION AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SES_SENDER
+          USERFRONT_URL ADMINFRONT_URL DEVFRONT_URL ORGFRONT_URL BACKEND_URL VITE_OIDC_AUTHORITY HYDRA_REFRESH_TOKEN_TTL
+          ADMINFRONT_CALLBACK_URLS DEVFRONT_CALLBACK_URLS ORGFRONT_CALLBACK_URLS
+          "
+          for key in ${required_dotenv_keys}; do
+            if ! grep -Eq "^${key}=.+" .env; then
+              echo "::error::Missing required production .env value: ${key}. Check Gitea repo variables/secrets."
+              exit 1
+            fi
+          done
+
          # Copy compose template and .env file to the remote server
+          scp adminfront/seed-tenant.csv "${PROD_USER}@${PROD_HOST}:${DEPLOY_PATH}/adminfront/"
          scp docker/docker-compose.template.yaml .env "${PROD_USER}@${PROD_HOST}:${DEPLOY_PATH}/"
          scp docker/compose.infra.prd.yaml "${PROD_USER}@${PROD_HOST}:${DEPLOY_PATH}/compose.infra.yml"

@@ -130,6 +156,9 @@ jobs:
            "export DEPLOY_PATH='${DEPLOY_PATH}'; \
             export BACKEND_IMAGE_NAME='${BACKEND_IMAGE_NAME}'; \
             export USERFRONT_IMAGE_NAME='${USERFRONT_IMAGE_NAME}'; \
+             export ADMINFRONT_IMAGE_NAME='${ADMINFRONT_IMAGE_NAME}'; \
+             export DEVFRONT_IMAGE_NAME='${DEVFRONT_IMAGE_NAME}'; \
+             export ORGFRONT_IMAGE_NAME='${ORGFRONT_IMAGE_NAME}'; \
             export IMAGE_TAG='${IMAGE_TAG}'; \
             export HARBOR_ENDPOINT='${HARBOR_ENDPOINT}'; \
             export HARBOR_ROBOT_ACCOUNT='${HARBOR_ROBOT_ACCOUNT}'; \
--- a/.gitea/workflows/staging_build_check.yml
+++ b/.gitea/workflows/staging_build_check.yml
@@ -0,0 +1,83 @@
+name: Staging Build Check
+
+on:
+    pull_request:
+        paths:
+            - ".gitea/workflows/staging_build_check.yml"
+            - "docker/staging_pull_compose.template.yaml"
+            - "adminfront/**"
+            - "devfront/**"
+            - "userfront/**"
+            - "backend/**"
+            - "common/**"
+            - "scripts/**"
+            - "locales/**"
+            - "package.json"
+            - "pnpm-lock.yaml"
+            - "pnpm-workspace.yaml"
+    workflow_dispatch:
+
+jobs:
+    build-check:
+        runs-on: ubuntu-latest
+        strategy:
+            fail-fast: false
+            matrix:
+                include:
+                    - service: adminfront
+                    - service: devfront
+                    - service: userfront
+                    - service: backend
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@v4
+
+            - name: Prepare staging build inputs
+              run: |
+                  set -euo pipefail
+
+                  cat <<'EOF' > .env
+                  APP_ENV=stage
+                  TZ=Asia/Seoul
+                  IDP_PROVIDER=ory
+                  ADMINFRONT_URL=https://adminfront.staging.example.com
+                  DEVFRONT_URL=https://devfront.staging.example.com
+                  USERFRONT_URL=https://userfront.staging.example.com
+                  ORGFRONT_URL=https://orgfront.staging.example.com
+                  BACKEND_URL=https://backend.staging.example.com
+                  BACKEND_PUBLIC_URL=https://backend.staging.example.com
+                  VITE_OIDC_AUTHORITY=https://sso.staging.example.com/oidc
+                  WORKS_ADMIN_API_BASE_URL=https://works-admin.staging.example.com/api
+                  WORKS_ADMIN_OAUTH_TOKEN_URL=https://works-admin.staging.example.com/oauth/token
+                  ORY_POSTGRES_USER=ory
+                  ORY_POSTGRES_PASSWORD=ory-password
+                  COOKIE_SECRET=staging-build-cookie-secret
+                  JWT_SECRET=staging-build-jwt-secret
+                  NAVER_CLOUD_ACCESS_KEY=dummy
+                  NAVER_CLOUD_SECRET_KEY=dummy
+                  NAVER_CLOUD_SERVICE_ID=dummy
+                  NAVER_SENDER_PHONE_NUMBER=00000000000
+                  AWS_REGION=ap-northeast-2
+                  AWS_ACCESS_KEY_ID=dummy
+                  AWS_SECRET_ACCESS_KEY=dummy
+                  AWS_SES_SENDER=dummy@example.com
+                  REDIS_ADDR=redis:6389
+                  CLICKHOUSE_PORT_NATIVE=9000
+                  CLICKHOUSE_USER=baron
+                  CLICKHOUSE_PASSWORD=password
+                  HYDRA_PUBLIC_URL=https://hydra.staging.example.com
+                  KRATOS_BROWSER_URL=https://sso.staging.example.com
+                  KRATOS_ADMIN_URL=http://kratos:4434
+                  KRATOS_UI_URL=https://sso.staging.example.com
+                  EOF
+
+                  cp docker/staging_pull_compose.template.yaml staging_pull_compose.yaml
+
+            - name: Build ${{ matrix.service }} with staging compose
+              env:
+                  DOCKER_BUILDKIT: "1"
+                  COMPOSE_DOCKER_CLI_BUILD: "1"
+              run: |
+                  set -euo pipefail
+                  docker compose -f staging_pull_compose.yaml build --pull --progress=plain "${{ matrix.service }}"
--- a/.gitea/workflows/staging_code_pull.yml
+++ b/.gitea/workflows/staging_code_pull.yml
@@ -0,0 +1,252 @@
+name: Release Baron SSO to Staging
+
+on:
+    workflow_dispatch:
+        inputs:
+            target_branch:
+                description: "Branch to deploy"
+                required: true
+                default: "dev"
+
+jobs:
+    deploy-staging:
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@v4
+
+            - name: Setup SSH
+              uses: webfactory/ssh-agent@v0.9.0
+              with:
+                  ssh-private-key: ${{ secrets.STG_SSH_PRIVATE_KEY }}
+
+            - name: Deploy to Staging by git pull
+              env:
+                  DEPLOY_PATH: ${{ vars.STG_DEPLOY_PATH }}
+                  STAGE_HOST: ${{ vars.STG_HOST }}
+                  STAGE_USER: ${{ vars.STG_USER }}
+                  TARGET_BRANCH: ${{ inputs.target_branch }}
+              run: |
+                  set -euo pipefail
+
+                  echo "DEBUG: STAGE_USER='${STAGE_USER}'"
+                  echo "DEBUG: STAGE_HOST='${STAGE_HOST}'"
+                  echo "DEBUG: DEPLOY_PATH='${DEPLOY_PATH}'"
+                  echo "DEBUG: TARGET_BRANCH='${TARGET_BRANCH}'"
+
+                  # Sanity check
+                  if [ -z "${STAGE_USER}" ] || [ -z "${STAGE_HOST}" ] || [ -z "${DEPLOY_PATH}" ] || [ -z "${TARGET_BRANCH}" ]; then
+                    echo "::error::Missing required vars (STAGE_USER/STAGE_HOST/DEPLOY_PATH/TARGET_BRANCH)."
+                    exit 1
+                  fi
+
+                  ssh-keyscan -H "${STAGE_HOST}" >> ~/.ssh/known_hosts
+                  ssh "${STAGE_USER}@${STAGE_HOST}" "mkdir -p '${DEPLOY_PATH}'"
+
+                  # .env 파일 생성
+                  cat <<'EOF' > .env
+                  APP_ENV=stage
+                  BACKEND_LOG_LEVEL=debug
+                  CLIENT_LOG_DEBUG=true
+                  WORKS_ADMIN_API_BASE_URL=${{ vars.STG_WORKS_ADMIN_API_BASE_URL }}
+                  WORKS_ADMIN_OAUTH_TOKEN_URL=${{ vars.STG_WORKS_ADMIN_OAUTH_TOKEN_URL }}
+                  TZ=Asia/Seoul
+                  IDP_PROVIDER=ory
+
+                  # DB & Clickhouse
+                  DB_PORT=${{ vars.STG_DB_PORT }}
+                  CLICKHOUSE_PORT_HTTP=${{ vars.STG_CLICKHOUSE_PORT_HTTP }}
+                  CLICKHOUSE_PORT_NATIVE=${{ vars.STG_CLICKHOUSE_PORT_NATIVE }}
+                  CLICKHOUSE_HOST=${{ vars.STG_CLICKHOUSE_HOST }}
+                  CLICKHOUSE_USER=${{ vars.STG_CLICKHOUSE_USER }}
+                  CLICKHOUSE_PASSWORD=${{ secrets.STG_CLICKHOUSE_PASSWORD }}
+
+
+                  BACKEND_PORT=${{ vars.STG_BACKEND_PORT }}
+                  ADMINFRONT_PORT=${{ vars.STG_ADMINFRONT_PORT }}
+                  DEVFRONT_PORT=${{ vars.STG_DEVFRONT_PORT }}
+                  ORGFRONT_PORT=${{ vars.STG_ORGFRONT_PORT }}
+                  USERFRONT_PORT=${{ vars.STG_USERFRONT_PORT }}
+
+                  OATHKEEPER_API_URL=${{ vars.STG_OATHKEEPER_API_URL }}
+
+                  DB_USER=${{ vars.STG_DB_USER }}
+                  DB_PASSWORD=${{ secrets.STG_DB_PASSWORD }}
+                  DB_NAME=${{ vars.STG_DB_NAME }}
+                  COOKIE_SECRET=${{ secrets.STG_COOKIE_SECRET }}
+                  JWT_SECRET=${{ secrets.STG_JWT_SECRET }}
+                  REDIS_ADDR=${{ vars.STG_REDIS_ADDR }}
+                  CORS_ALLOWED_ORIGINS=${{ vars.STG_CORS_ALLOWED_ORIGINS }}
+                  AUDIT_WORKER_COUNT=5
+                  AUDIT_QUEUE_SIZE=2000
+                  PROFILE_CACHE_TTL=${{ vars.STG_PROFILE_CACHE_TTL }}
+                  NAVER_CLOUD_ACCESS_KEY=${{ secrets.STG_NAVER_CLOUD_ACCESS_KEY }}
+                  NAVER_CLOUD_SECRET_KEY=${{ secrets.STG_NAVER_CLOUD_SECRET_KEY }}
+                  NAVER_CLOUD_SERVICE_ID=${{ vars.STG_NAVER_CLOUD_SERVICE_ID }}
+                  NAVER_SENDER_PHONE_NUMBER=${{ vars.STG_NAVER_SENDER_PHONE_NUMBER }}
+                  AWS_REGION=${{ vars.STG_AWS_REGION }}
+                  AWS_ACCESS_KEY_ID=${{ vars.STG_AWS_ACCESS_KEY_ID }}
+                  AWS_SECRET_ACCESS_KEY=${{ secrets.STG_AWS_SECRET_ACCESS_KEY }}
+                  AWS_SES_SENDER=${{ vars.STG_AWS_SES_SENDER }}
+                  ADMIN_EMAIL=${{ vars.STG_ADMIN_EMAIL }}
+                  ADMIN_PASSWORD=${{ secrets.STG_ADMIN_PASSWORD }}
+                  USERFRONT_URL=${{ vars.STG_USERFRONT_URL }}
+                  ADMINFRONT_URL=${{ vars.STG_ADMINFRONT_URL }}
+                  DEVFRONT_URL=${{ vars.STG_DEVFRONT_URL }}
+                  ORGFRONT_URL=${{ vars.STG_ORGFRONT_URL }}
+                  BACKEND_PUBLIC_URL=${{ vars.STG_BACKEND_URL }}
+                  BACKEND_URL=${{ vars.STG_BACKEND_URL }}
+                  OATHKEEPER_PUBLIC_URL=${{ vars.STG_OATHKEEPER_PUBLIC_URL }}
+                  ORY_POSTGRES_TAG=${{ vars.STG_ORY_POSTGRES_TAG }}
+                  ORY_POSTGRES_USER=${{ vars.STG_ORY_POSTGRES_USER }}
+                  ORY_POSTGRES_PASSWORD=${{ secrets.STG_ORY_POSTGRES_PASSWORD }}
+                  ORY_POSTGRES_DB=${{ vars.STG_ORY_POSTGRES_DB }}
+                  KRATOS_DB=${{ vars.STG_KRATOS_DB }}
+                  HYDRA_DB=${{ vars.STG_HYDRA_DB }}
+                  KETO_DB=${{ vars.STG_KETO_DB }}
+                  KRATOS_VERSION=${{ vars.STG_KRATOS_VERSION }}
+                  KRATOS_UI_NODE_VERSION=${{ vars.STG_KRATOS_UI_NODE_VERSION }}
+                  HYDRA_VERSION=${{ vars.STG_HYDRA_VERSION }}
+                  KETO_VERSION=${{ vars.STG_KETO_VERSION }}
+                  ORY_SDK_URL=${{ vars.STG_ORY_SDK_URL }}
+                  KRATOS_PUBLIC_URL=${{ vars.STG_KRATOS_PUBLIC_URL }}
+                  KRATOS_ADMIN_URL=${{ vars.STG_KRATOS_ADMIN_URL }}
+                  KRATOS_BROWSER_URL=${{ vars.STG_KRATOS_BROWSER_URL }}
+                  KRATOS_UI_URL=${{ vars.STG_KRATOS_UI_URL }}
+                  HYDRA_ADMIN_URL=${{ vars.STG_HYDRA_ADMIN_URL }}
+                  HYDRA_PUBLIC_URL=${{ vars.STG_HYDRA_PUBLIC_URL }}
+                  HYDRA_REFRESH_TOKEN_TTL=${{ vars.STG_HYDRA_REFRESH_TOKEN_TTL }}
+                  JWKS_URL=${{ vars.STG_JWKS_URL }}
+                  OATHKEEPER_VERSION=${{ vars.STG_OATHKEEPER_VERSION }}
+                  OATHKEEPER_UID=${{ vars.STG_OATHKEEPER_UID }}
+                  OATHKEEPER_GID=${{ vars.STG_OATHKEEPER_GID }}
+                  OATHKEEPER_HEALTH_URL=${{ vars.STG_OATHKEEPER_HEALTH_URL }}
+                  OATHKEEPER_HEALTH_INTERVAL_SECONDS=${{ vars.STG_OATHKEEPER_HEALTH_INTERVAL_SECONDS }}
+                  OATHKEEPER_HEALTH_TIMEOUT_SECONDS=${{ vars.STG_OATHKEEPER_HEALTH_TIMEOUT_SECONDS }}
+                  OATHKEEPER_HEALTH_ENABLED=${{ vars.STG_OATHKEEPER_HEALTH_ENABLED }}
+                  CSRF_COOKIE_NAME=${{ vars.STG_CSRF_COOKIE_NAME }}
+                  CSRF_COOKIE_SECRET=${{ secrets.STG_CSRF_COOKIE_SECRET }}
+
+                  # Frontend/Ory URL configs for Staging
+                  VITE_OIDC_AUTHORITY=${{ vars.STG_VITE_OIDC_AUTHORITY }}
+                  ADMINFRONT_CALLBACK_URLS=${{ vars.STG_ADMINFRONT_CALLBACK_URLS }}
+                  DEVFRONT_CALLBACK_URLS=${{ vars.STG_DEVFRONT_CALLBACK_URLS }}
+                  ORGFRONT_CALLBACK_URLS=${{ vars.STG_ORGFRONT_CALLBACK_URLS }}
+                  KRATOS_ALLOWED_RETURN_URLS_JSON=${{ vars.STG_KRATOS_ALLOWED_RETURN_URLS_JSON }}
+                  KRATOS_ALLOWED_RETURN_URLS_EXTRA=${{ vars.STG_KRATOS_ALLOWED_RETURN_URLS_EXTRA }}
+                  # OATHKEEPER_INTROSPECT_CLIENT_ID=${{ vars.STG_OATHKEEPER_INTROSPECT_CLIENT_ID }}
+                  # OATHKEEPER_INTROSPECT_CLIENT_SECRET=${{ secrets.STG_OATHKEEPER_INTROSPECT_CLIENT_SECRET }}
+
+                  # Monitoring & Alerts
+                  SMS_WEBHOOK_PORT=${{ vars.STG_SMS_WEBHOOK_PORT || '8080' }}
+                  MONITOR_RECIPIENT_PHONES=${{ vars.STG_MONITOR_RECIPIENT_PHONES || '01012345678,01098765432' }}
+                  LOKI_URL=${{ vars.STG_LOKI_URL || 'http://loki:3100/loki/api/v1/push' }}
+                  EOF
+
+                  # 코드 업데이트 (Git)
+                  ssh "${STAGE_USER}@${STAGE_HOST}" "mkdir -p '${DEPLOY_PATH}' && cd '${DEPLOY_PATH}' && \
+                  if [ ! -d .git ]; then
+                    git init
+                    git remote add origin  ssh://git@172.16.10.175:222/baron/baron-sso.git
+                  else
+                    git remote set-url origin  ssh://git@172.16.10.175:222/baron/baron-sso.git
+                  fi
+                  git fetch --depth 1 origin '${TARGET_BRANCH}' && \
+                  git reset --hard FETCH_HEAD && \
+                  git clean -fd && \
+                  git checkout -B '${TARGET_BRANCH}' FETCH_HEAD"
+
+                  # .env 파일 복사
+                  scp .env "${STAGE_USER}@${STAGE_HOST}:${DEPLOY_PATH}/"
+
+                  # 배포 실행
+                  ssh "${STAGE_USER}@${STAGE_HOST}" "DEPLOY_PATH='${DEPLOY_PATH}' bash -s" <<'EOSSH'
+                  set -euo pipefail
+                  cd "${DEPLOY_PATH}"
+                  set -a; . ./.env; set +a;
+
+                  # 네트워크 생성
+                  for net in baron_net public_net ory-net hydranet kratosnet; do
+                    docker network inspect "${net}" >/dev/null 2>&1 || docker network create "${net}"
+                  done
+
+
+                  # Ory 컨테이너가 직접 읽는 설정은 env 기반으로 완성한 뒤 mount합니다.
+                  bash scripts/render_ory_config.sh
+                  chmod -R 777 config/.generated/ory || true
+
+                  cp docker/staging_pull_compose.template.yaml staging_pull_compose.yaml
+
+                  docker compose -f staging_pull_compose.yaml pull
+
+                  # 코드 변경 반영을 위해 build 수행 (userfront nginx.conf 등)
+                  docker compose -f staging_pull_compose.yaml build --pull
+
+                  docker compose -f staging_pull_compose.yaml up -d --remove-orphans --renew-anon-volumes
+                  docker compose -f staging_pull_compose.yaml up -d --force-recreate kratos hydra keto oathkeeper
+                  docker compose -f staging_pull_compose.yaml up -d --force-recreate ory_stack_check
+                  docker compose -f staging_pull_compose.yaml up -d init-rp
+
+                  # 배포 후 상태 확인 (실패 시 로그 출력을 위함)
+                  sleep 10
+
+                  check_container_http() {
+                    name="$1"
+                    port="$2"
+                    max="${FRONTEND_HEALTH_MAX_ATTEMPTS:-60}"
+                    i=1
+                    while [ "${i}" -le "${max}" ]; do
+                      if docker exec "${name}" sh -c "if command -v wget >/dev/null 2>&1; then wget -qO- 'http://127.0.0.1:${port}/' >/dev/null; elif command -v node >/dev/null 2>&1; then node -e \"fetch('http://127.0.0.1:${port}/').then(r=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))\"; else exit 127; fi" >/dev/null 2>&1; then
+                        echo "Frontend ready: ${name}:${port}"
+                        return 0
+                      fi
+                      echo "Waiting for frontend: ${name}:${port} (${i}/${max})"
+                      i=$((i + 1))
+                      sleep 2
+                    done
+                    echo "ERROR: frontend not ready: ${name}:${port}" >&2
+                    docker logs "${name}" --tail 200 >&2 || true
+                    return 1
+                  }
+
+                  check_container_url() {
+                    name="$1"
+                    url="$2"
+                    max="${FRONTEND_HEALTH_MAX_ATTEMPTS:-60}"
+                    i=1
+                    while [ "${i}" -le "${max}" ]; do
+                      if docker exec "${name}" sh -c "if command -v wget >/dev/null 2>&1; then wget -qO- '${url}' >/dev/null; elif command -v node >/dev/null 2>&1; then node -e \"fetch('${url}').then(r=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))\"; else exit 127; fi" >/dev/null 2>&1; then
+                        echo "Container URL ready: ${name} ${url}"
+                        return 0
+                      fi
+                      echo "Waiting for container URL: ${name} ${url} (${i}/${max})"
+                      i=$((i + 1))
+                      sleep 2
+                    done
+                    echo "ERROR: container URL not ready: ${name} ${url}" >&2
+                    docker logs "${name}" --tail 200 >&2 || true
+                    return 1
+                  }
+
+                  check_container_url baron_backend http://127.0.0.1:3000/health
+                  check_container_http baron_userfront 5000
+                  check_container_http baron_gateway 5000
+                  check_container_http baron_adminfront 5173
+                  check_container_http baron_devfront 5173
+                  check_container_http baron_orgfront 5175
+                  
+                  echo "===== INIT-RP LOGS ====="
+                  docker compose -f staging_pull_compose.yaml logs init-rp || true
+                  echo "========================"
+                  
+                  kratos_migrate_cid="$(docker compose -f staging_pull_compose.yaml ps -q kratos-migrate || true)"
+                  if [ -n "${kratos_migrate_cid}" ]; then
+                    if [ "$(docker inspect -f '{{.State.ExitCode}}' "${kratos_migrate_cid}")" -ne 0 ]; then
+                       echo 'Kratos Migrate Failed. Logs:'
+                       docker logs "${kratos_migrate_cid}"
+                       exit 1
+                    fi
+                  else
+                    echo "WARN: kratos-migrate container not found; skipping exit-code check."
+                  fi
+                  EOSSH
--- a/.gitea/workflows/staging_image_deploy.yml
+++ b/.gitea/workflows/staging_image_deploy.yml
@@ -0,0 +1,120 @@
+name: Deploy Baron SSO Staging Images
+
+on:
+  workflow_dispatch:
+    inputs:
+      image_tag:
+        description: "스테이징에 배포할 공용 저장소 이미지 태그 (예: v1.2606.ab12)"
+        required: true
+        type: string
+
+jobs:
+  deploy-staging-images:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout deployment scripts and templates
+        uses: actions/checkout@v4
+
+      - name: Setup SSH
+        uses: webfactory/ssh-agent@v0.9.0
+        with:
+          ssh-private-key: ${{ secrets.STG_SSH_PRIVATE_KEY }}
+
+      - name: Build staging deployment bundle
+        env:
+          IMAGE_TAG: ${{ github.event.inputs.image_tag }}
+          IMAGE_DEPLOY_ENV: stage
+          IMAGE_DEPLOY_INSTANCE_NAME: ${{ vars.STG_INSTANCE_NAME }}
+          IMAGE_DEPLOY_PORT_PREFIX: ${{ vars.STG_PORT_PREFIX }}
+          IMAGE_DEPLOY_PUBLIC_URL: ${{ vars.STG_USERFRONT_URL }}
+          IMAGE_DEPLOY_COMPOSE_TEMPLATE: deploy/templates/docker-compose.images.yaml
+          IMAGE_DEPLOY_BUNDLE_FILE: stage-image-deploy-bundle.tgz
+          ADMINFRONT_URL: ${{ vars.STG_ADMINFRONT_URL }}
+          DEVFRONT_URL: ${{ vars.STG_DEVFRONT_URL }}
+          ORGFRONT_URL: ${{ vars.STG_ORGFRONT_URL }}
+          VITE_OIDC_AUTHORITY: ${{ vars.STG_VITE_OIDC_AUTHORITY }}
+          IMAGE_DEPLOY_BACKEND_LOG_LEVEL: ${{ vars.STG_BACKEND_LOG_LEVEL || 'debug' }}
+          IMAGE_DEPLOY_CLIENT_LOG_DEBUG: ${{ vars.STG_CLIENT_LOG_DEBUG || 'true' }}
+          IMAGE_DEPLOY_BACKEND_PUBLIC_URL: ${{ vars.STG_BACKEND_URL }}
+          IMAGE_DEPLOY_BACKEND_URL: ${{ vars.STG_BACKEND_URL }}
+          WORKS_ADMIN_API_BASE_URL: ${{ vars.STG_WORKS_ADMIN_API_BASE_URL }}
+          WORKS_ADMIN_OAUTH_TOKEN_URL: ${{ vars.STG_WORKS_ADMIN_OAUTH_TOKEN_URL }}
+          PROFILE_CACHE_TTL: ${{ vars.STG_PROFILE_CACHE_TTL }}
+          NAVER_CLOUD_ACCESS_KEY: ${{ secrets.STG_NAVER_CLOUD_ACCESS_KEY }}
+          NAVER_CLOUD_SECRET_KEY: ${{ secrets.STG_NAVER_CLOUD_SECRET_KEY }}
+          NAVER_CLOUD_SERVICE_ID: ${{ vars.STG_NAVER_CLOUD_SERVICE_ID }}
+          NAVER_SENDER_PHONE_NUMBER: ${{ vars.STG_NAVER_SENDER_PHONE_NUMBER }}
+          AWS_REGION: ${{ vars.STG_AWS_REGION }}
+          AWS_ACCESS_KEY_ID: ${{ vars.STG_AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.STG_AWS_SECRET_ACCESS_KEY }}
+          AWS_SES_SENDER: ${{ vars.STG_AWS_SES_SENDER }}
+          CORS_ALLOWED_ORIGINS: ${{ vars.STG_CORS_ALLOWED_ORIGINS }}
+          OATHKEEPER_API_URL: ${{ vars.STG_OATHKEEPER_API_URL }}
+          CLICKHOUSE_HOST: ${{ vars.STG_CLICKHOUSE_HOST }}
+          CLICKHOUSE_USER: ${{ vars.STG_CLICKHOUSE_USER }}
+          IMAGE_DEPLOY_DB_PORT: ${{ vars.STG_DB_PORT }}
+          IMAGE_DEPLOY_REDIS_PORT: ${{ vars.STG_REDIS_PORT }}
+          IMAGE_DEPLOY_CLICKHOUSE_PORT_HTTP: ${{ vars.STG_CLICKHOUSE_PORT_HTTP }}
+          IMAGE_DEPLOY_CLICKHOUSE_PORT_NATIVE: ${{ vars.STG_CLICKHOUSE_PORT_NATIVE }}
+          IMAGE_DEPLOY_BACKEND_PORT: ${{ vars.STG_BACKEND_PORT }}
+          IMAGE_DEPLOY_FRONTEND_PORT: ${{ vars.STG_USERFRONT_PORT }}
+          ADMINFRONT_PORT: ${{ vars.STG_ADMINFRONT_PORT }}
+          DEVFRONT_PORT: ${{ vars.STG_DEVFRONT_PORT }}
+          ORGFRONT_PORT: ${{ vars.STG_ORGFRONT_PORT }}
+          IMAGE_DEPLOY_OATHKEEPER_PROXY_PORT: ${{ vars.STG_OATHKEEPER_PROXY_PORT }}
+          IMAGE_DEPLOY_DOMAIN_SUFFIX: ${{ vars.STG_DOMAIN_SUFFIX }}
+          ADMINFRONT_CALLBACK_URLS: ${{ vars.STG_ADMINFRONT_CALLBACK_URLS }}
+          DEVFRONT_CALLBACK_URLS: ${{ vars.STG_DEVFRONT_CALLBACK_URLS }}
+          ORGFRONT_CALLBACK_URLS: ${{ vars.STG_ORGFRONT_CALLBACK_URLS }}
+          HYDRA_REFRESH_TOKEN_TTL: ${{ vars.STG_HYDRA_REFRESH_TOKEN_TTL }}
+          ORY_POSTGRES_USER: ${{ vars.STG_ORY_POSTGRES_USER }}
+          ORY_POSTGRES_DB: ${{ vars.STG_ORY_POSTGRES_DB }}
+          KRATOS_DB: ${{ vars.STG_KRATOS_DB }}
+          HYDRA_DB: ${{ vars.STG_HYDRA_DB }}
+          KETO_DB: ${{ vars.STG_KETO_DB }}
+          KRATOS_VERSION: ${{ vars.STG_KRATOS_VERSION }}
+          HYDRA_VERSION: ${{ vars.STG_HYDRA_VERSION }}
+          KETO_VERSION: ${{ vars.STG_KETO_VERSION }}
+          OATHKEEPER_VERSION: ${{ vars.STG_OATHKEEPER_VERSION }}
+          ORY_POSTGRES_TAG: ${{ vars.STG_ORY_POSTGRES_TAG }}
+          OATHKEEPER_UID: ${{ vars.STG_OATHKEEPER_UID }}
+          OATHKEEPER_GID: ${{ vars.STG_OATHKEEPER_GID }}
+          OATHKEEPER_INTROSPECT_CLIENT_ID: ${{ vars.STG_OATHKEEPER_INTROSPECT_CLIENT_ID }}
+          ADMIN_EMAIL: ${{ vars.STG_ADMIN_EMAIL }}
+          BACKEND_IMAGE_NAME: baron_sso/backend
+          USERFRONT_IMAGE_NAME: baron_sso/userfront
+          ADMINFRONT_IMAGE_NAME: baron_sso/adminfront
+          DEVFRONT_IMAGE_NAME: baron_sso/devfront
+          ORGFRONT_IMAGE_NAME: baron_sso/orgfront
+          IMAGE_DEPLOY_DB_PASSWORD: ${{ secrets.STG_DB_PASSWORD }}
+          IMAGE_DEPLOY_ORY_POSTGRES_PASSWORD: ${{ secrets.STG_ORY_POSTGRES_PASSWORD }}
+          IMAGE_DEPLOY_OATHKEEPER_INTROSPECT_CLIENT_SECRET: ${{ secrets.STG_OATHKEEPER_INTROSPECT_CLIENT_SECRET }}
+          IMAGE_DEPLOY_CLICKHOUSE_PASSWORD: ${{ secrets.STG_CLICKHOUSE_PASSWORD }}
+          IMAGE_DEPLOY_COOKIE_SECRET: ${{ secrets.STG_COOKIE_SECRET }}
+          IMAGE_DEPLOY_JWT_SECRET: ${{ secrets.STG_JWT_SECRET }}
+          IMAGE_DEPLOY_CSRF_COOKIE_SECRET: ${{ secrets.STG_CSRF_COOKIE_SECRET }}
+          IMAGE_DEPLOY_ADMIN_PASSWORD: ${{ secrets.STG_ADMIN_PASSWORD }}
+        run: |
+          set -euo pipefail
+          scripts/deploy/build_image_deploy_bundle.sh
+
+      - name: Upload bundle and run requested staging image tag
+        env:
+          IMAGE_DEPLOY_BUNDLE_FILE: stage-image-deploy-bundle.tgz
+          DEPLOY_HOST: ${{ vars.STG_HOST }}
+          DEPLOY_USER: ${{ vars.STG_USER }}
+          DEPLOY_PATH: ${{ vars.STG_DEPLOY_PATH }}
+          WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID }}
+          WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID }}
+          WORKS_DRIVE_DOCKER_IMAGE_DIR: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DIR || 'baron-sso' }}
+          WORKS_DRIVE_API_BASE_URL: ${{ vars.WORKS_DRIVE_API_BASE_URL }}
+          WORKS_DRIVE_OAUTH_TOKEN_URL: ${{ vars.WORKS_DRIVE_OAUTH_TOKEN_URL }}
+          WORKS_DRIVE_ACCESS_TOKEN_INPUT: ${{ secrets.WORKS_DRIVE_ACCESS_TOKEN }}
+          WORKS_DRIVE_ACCESS_TOKEN_FILE: ${{ vars.WORKS_DRIVE_ACCESS_TOKEN_FILE }}
+          WORKS_DRIVE_ACCESS_TOKEN_CMD: ${{ vars.WORKS_DRIVE_ACCESS_TOKEN_CMD }}
+          WORKS_DRIVE_OAUTH_CLIENT_ID: ${{ secrets.WORKS_DRIVE_OAUTH_CLIENT_ID }}
+          WORKS_DRIVE_OAUTH_CLIENT_SECRET: ${{ secrets.WORKS_OAUTH_CLIENT_SECRET }}
+          WORKS_DRIVE_OAUTH_REFRESH_TOKEN: ${{ secrets.WORKS_DRIVE_REFRESH_TOKEN }}
+        run: |
+          set -euo pipefail
+          scripts/deploy/upload_and_run_image_deploy.sh
--- a/.gitea/workflows/staging_release.yml
+++ b/.gitea/workflows/staging_release.yml
@@ -18,7 +18,7 @@ jobs:
      - name: Setup SSH
        uses: webfactory/ssh-agent@v0.9.0
        with:
-          ssh-private-key: ${{ secrets.STAGE_SSH_PRIVATE_KEY }}
+          ssh-private-key: ${{ secrets.STG_SSH_PRIVATE_KEY }}

      - name: Deploy to Staging
        env:
@@ -27,11 +27,12 @@ jobs:
          USERFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/userfront
          ADMINFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/adminfront
          DEVFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/devfront
+          ORGFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/orgfront
          
          # Staging-specific variables
-          DEPLOY_PATH: ${{ vars.STAGE_DEPLOY_PATH }}
-          STAGE_HOST: ${{ vars.STAGE_HOST }}
-          STAGE_USER: ${{ vars.STAGE_USER }}
+          DEPLOY_PATH: ${{ vars.STG_DEPLOY_PATH }}
+          STAGE_HOST: ${{ vars.STG_HOST }}
+          STAGE_USER: ${{ vars.STG_USER }}

          HARBOR_ENDPOINT: ${{ vars.HARBOR_ENDPOINT }}
          HARBOR_ROBOT_ACCOUNT: ${{ vars.HARBOR_ROBOT_ACCOUNT }}
@@ -54,84 +55,120 @@ jobs:

          # .env 파일 생성
          cat <<'EOF' > .env
-          APP_ENV=${{ vars.APP_ENV }}
+          APP_ENV=stage
+          BACKEND_LOG_LEVEL=debug
+          CLIENT_LOG_DEBUG=true
+          WORKS_ADMIN_API_BASE_URL=${{ vars.STG_WORKS_ADMIN_API_BASE_URL }}
+          WORKS_ADMIN_OAUTH_TOKEN_URL=${{ vars.STG_WORKS_ADMIN_OAUTH_TOKEN_URL }}
          TZ=Asia/Seoul
          IDP_PROVIDER=ory

          # DB & Clickhouse
-          DB_PORT=${{ vars.DB_PORT }}
-          CLICKHOUSE_PORT_HTTP=${{ vars.CLICKHOUSE_PORT_HTTP }}
-          CLICKHOUSE_PORT_NATIVE=${{ vars.CLICKHOUSE_PORT_NATIVE }}
-          CLICKHOUSE_HOST=${{ vars.CLICKHOUSE_HOST }}
-          CLICKHOUSE_USER=${{ vars.CLICKHOUSE_USER }}
-          CLICKHOUSE_PASSWORD=${{ vars.CLICKHOUSE_PASSWORD }}
+          DB_PORT=${{ vars.STG_DB_PORT }}
+          CLICKHOUSE_PORT_HTTP=${{ vars.STG_CLICKHOUSE_PORT_HTTP }}
+          CLICKHOUSE_PORT_NATIVE=${{ vars.STG_CLICKHOUSE_PORT_NATIVE }}
+          CLICKHOUSE_HOST=${{ vars.STG_CLICKHOUSE_HOST }}
+          CLICKHOUSE_USER=${{ vars.STG_CLICKHOUSE_USER }}
+          CLICKHOUSE_PASSWORD=${{ secrets.STG_CLICKHOUSE_PASSWORD }}


-          BACKEND_PORT=${{ vars.BACKEND_PORT }}
-          ADMINFRONT_PORT=${{ vars.ADMINFRONT_PORT }}
-          DEVFRONT_PORT=${{ vars.DEVFRONT_PORT }}
-          USERFRONT_PORT=${{ vars.USERFRONT_PORT }}
+          BACKEND_PORT=${{ vars.STG_BACKEND_PORT }}
+          ADMINFRONT_PORT=${{ vars.STG_ADMINFRONT_PORT }}
+          DEVFRONT_PORT=${{ vars.STG_DEVFRONT_PORT }}
+          ORGFRONT_PORT=${{ vars.STG_ORGFRONT_PORT }}
+          USERFRONT_PORT=${{ vars.STG_USERFRONT_PORT }}
          
-          OATHKEEPER_API_URL=${{ vars.OATHKEEPER_API_URL }}
+          OATHKEEPER_API_URL=${{ vars.STG_OATHKEEPER_API_URL }}

-          DB_USER=${{ vars.DB_USER }}
+          DB_USER=${{ vars.STG_DB_USER }}
          DB_PASSWORD=${{ secrets.STG_DB_PASSWORD }}
-          DB_NAME=${{ vars.DB_NAME }}
+          DB_NAME=${{ vars.STG_DB_NAME }}
          COOKIE_SECRET=${{ secrets.STG_COOKIE_SECRET }}
          JWT_SECRET=${{ secrets.STG_JWT_SECRET }}
-          REDIS_ADDR=${{ vars.REDIS_ADDR }}
-          CORS_ALLOWED_ORIGINS=${{ vars.CORS_ALLOWED_ORIGINS }}
+          REDIS_ADDR=${{ vars.STG_REDIS_ADDR }}
+          CORS_ALLOWED_ORIGINS=${{ vars.STG_CORS_ALLOWED_ORIGINS }}
          AUDIT_WORKER_COUNT=5
          AUDIT_QUEUE_SIZE=2000
-          PROFILE_CACHE_TTL=${{ vars.PROFILE_CACHE_TTL }}
-          DESCOPE_TEST_ACCOUNT=${{ vars.DESCOPE_TEST_ACCOUNT }}
-          NAVER_CLOUD_ACCESS_KEY=${{ vars.NAVER_CLOUD_ACCESS_KEY }}
-          NAVER_CLOUD_SECRET_KEY=${{ secrets.NAVER_CLOUD_SECRET_KEY }}
-          NAVER_CLOUD_SERVICE_ID=${{ vars.NAVER_CLOUD_SERVICE_ID }}
-          NAVER_SENDER_PHONE_NUMBER=${{ vars.NAVER_SENDER_PHONE_NUMBER }}
-          AWS_REGION=${{ vars.AWS_REGION }}
-          AWS_ACCESS_KEY_ID=${{ vars.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          AWS_SES_SENDER=${{ vars.AWS_SES_SENDER }}
-          ADMIN_EMAIL=${{ vars.ADMIN_EMAIL }}
+          PROFILE_CACHE_TTL=${{ vars.STG_PROFILE_CACHE_TTL }}
+          NAVER_CLOUD_ACCESS_KEY=${{ secrets.STG_NAVER_CLOUD_ACCESS_KEY }}
+          NAVER_CLOUD_SECRET_KEY=${{ secrets.STG_NAVER_CLOUD_SECRET_KEY }}
+          NAVER_CLOUD_SERVICE_ID=${{ vars.STG_NAVER_CLOUD_SERVICE_ID }}
+          NAVER_SENDER_PHONE_NUMBER=${{ vars.STG_NAVER_SENDER_PHONE_NUMBER }}
+          AWS_REGION=${{ vars.STG_AWS_REGION }}
+          AWS_ACCESS_KEY_ID=${{ vars.STG_AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY=${{ secrets.STG_AWS_SECRET_ACCESS_KEY }}
+          AWS_SES_SENDER=${{ vars.STG_AWS_SES_SENDER }}
+          ADMIN_EMAIL=${{ vars.STG_ADMIN_EMAIL }}
          ADMIN_PASSWORD=${{ secrets.STG_ADMIN_PASSWORD }}
-          USERFRONT_URL=${{ vars.USERFRONT_URL }}
-          BACKEND_URL=${{ vars.BACKEND_URL }}
-          OATHKEEPER_PUBLIC_URL=${{ vars.OATHKEEPER_PUBLIC_URL }}
-          ORY_POSTGRES_TAG=${{ vars.ORY_POSTGRES_TAG }}
-          ORY_POSTGRES_USER=${{ vars.ORY_POSTGRES_USER }}
+          USERFRONT_URL=${{ vars.STG_USERFRONT_URL }}
+          ORGFRONT_URL=${{ vars.STG_ORGFRONT_URL }}
+          BACKEND_PUBLIC_URL=${{ vars.STG_BACKEND_URL }}
+          BACKEND_URL=${{ vars.STG_BACKEND_URL }}
+          OATHKEEPER_PUBLIC_URL=${{ vars.STG_OATHKEEPER_PUBLIC_URL }}
+          ORY_POSTGRES_TAG=${{ vars.STG_ORY_POSTGRES_TAG }}
+          ORY_POSTGRES_USER=${{ vars.STG_ORY_POSTGRES_USER }}
          ORY_POSTGRES_PASSWORD=${{ secrets.STG_ORY_POSTGRES_PASSWORD }}
-          ORY_POSTGRES_DB=${{ vars.ORY_POSTGRES_DB }}
-          KRATOS_DB=${{ vars.KRATOS_DB }}
-          HYDRA_DB=${{ vars.HYDRA_DB }}
-          KETO_DB=${{ vars.KETO_DB }}
-          KRATOS_VERSION=${{ vars.KRATOS_VERSION }}
-          KRATOS_UI_NODE_VERSION=${{ vars.KRATOS_UI_NODE_VERSION }}
-          HYDRA_VERSION=${{ vars.HYDRA_VERSION }}
-          KETO_VERSION=${{ vars.KETO_VERSION }}
-          ORY_SDK_URL=${{ vars.ORY_SDK_URL }}
-          KRATOS_PUBLIC_URL=${{ vars.KRATOS_PUBLIC_URL }}
-          KRATOS_ADMIN_URL=${{ vars.KRATOS_ADMIN_URL }}
-          KRATOS_BROWSER_URL=${{ vars.KRATOS_BROWSER_URL }}
-          KRATOS_UI_URL=${{ vars.KRATOS_UI_URL }}
-          HYDRA_ADMIN_URL=${{ vars.HYDRA_ADMIN_URL }}
-          HYDRA_PUBLIC_URL=${{ vars.HYDRA_PUBLIC_URL }}
-          JWKS_URL=${{ vars.JWKS_URL }}
-          OATHKEEPER_VERSION=${{ vars.OATHKEEPER_VERSION }}
-          OATHKEEPER_UID=${{ vars.OATHKEEPER_UID }}
-          OATHKEEPER_GID=${{ vars.OATHKEEPER_GID }}
-          OATHKEEPER_HEALTH_URL=${{ vars.OATHKEEPER_HEALTH_URL }}
-          OATHKEEPER_HEALTH_INTERVAL_SECONDS=${{ vars.OATHKEEPER_HEALTH_INTERVAL_SECONDS }}
-          OATHKEEPER_HEALTH_TIMEOUT_SECONDS=${{ vars.OATHKEEPER_HEALTH_TIMEOUT_SECONDS }}
-          OATHKEEPER_HEALTH_ENABLED=${{ vars.OATHKEEPER_HEALTH_ENABLED }}
-          CSRF_COOKIE_NAME=${{ vars.CSRF_COOKIE_NAME }}
+          ORY_POSTGRES_DB=${{ vars.STG_ORY_POSTGRES_DB }}
+          KRATOS_DB=${{ vars.STG_KRATOS_DB }}
+          HYDRA_DB=${{ vars.STG_HYDRA_DB }}
+          KETO_DB=${{ vars.STG_KETO_DB }}
+          KRATOS_VERSION=${{ vars.STG_KRATOS_VERSION }}
+          KRATOS_UI_NODE_VERSION=${{ vars.STG_KRATOS_UI_NODE_VERSION }}
+          HYDRA_VERSION=${{ vars.STG_HYDRA_VERSION }}
+          KETO_VERSION=${{ vars.STG_KETO_VERSION }}
+          ORY_SDK_URL=${{ vars.STG_ORY_SDK_URL }}
+          KRATOS_PUBLIC_URL=${{ vars.STG_KRATOS_PUBLIC_URL }}
+          KRATOS_ADMIN_URL=${{ vars.STG_KRATOS_ADMIN_URL }}
+          KRATOS_BROWSER_URL=${{ vars.STG_KRATOS_BROWSER_URL }}
+          KRATOS_UI_URL=${{ vars.STG_KRATOS_UI_URL }}
+          HYDRA_ADMIN_URL=${{ vars.STG_HYDRA_ADMIN_URL }}
+          HYDRA_PUBLIC_URL=${{ vars.STG_HYDRA_PUBLIC_URL }}
+          HYDRA_REFRESH_TOKEN_TTL=${{ vars.STG_HYDRA_REFRESH_TOKEN_TTL }}
+          JWKS_URL=${{ vars.STG_JWKS_URL }}
+          OATHKEEPER_VERSION=${{ vars.STG_OATHKEEPER_VERSION }}
+          OATHKEEPER_UID=${{ vars.STG_OATHKEEPER_UID }}
+          OATHKEEPER_GID=${{ vars.STG_OATHKEEPER_GID }}
+          OATHKEEPER_HEALTH_URL=${{ vars.STG_OATHKEEPER_HEALTH_URL }}
+          OATHKEEPER_HEALTH_INTERVAL_SECONDS=${{ vars.STG_OATHKEEPER_HEALTH_INTERVAL_SECONDS }}
+          OATHKEEPER_HEALTH_TIMEOUT_SECONDS=${{ vars.STG_OATHKEEPER_HEALTH_TIMEOUT_SECONDS }}
+          OATHKEEPER_HEALTH_ENABLED=${{ vars.STG_OATHKEEPER_HEALTH_ENABLED }}
+          CSRF_COOKIE_NAME=${{ vars.STG_CSRF_COOKIE_NAME }}
          CSRF_COOKIE_SECRET=${{ secrets.STG_CSRF_COOKIE_SECRET }}
-          # OATHKEEPER_INTROSPECT_CLIENT_ID=${{ vars.OATHKEEPER_INTROSPECT_CLIENT_ID }}
+          
+          VITE_OIDC_AUTHORITY=${{ vars.STG_VITE_OIDC_AUTHORITY }}
+          ADMINFRONT_CALLBACK_URLS=${{ vars.STG_ADMINFRONT_CALLBACK_URLS }}
+          DEVFRONT_CALLBACK_URLS=${{ vars.STG_DEVFRONT_CALLBACK_URLS }}
+          ORGFRONT_CALLBACK_URLS=${{ vars.STG_ORGFRONT_CALLBACK_URLS }}
+          # OATHKEEPER_INTROSPECT_CLIENT_ID=${{ vars.STG_OATHKEEPER_INTROSPECT_CLIENT_ID }}
          # OATHKEEPER_INTROSPECT_CLIENT_SECRET=${{ secrets.STG_OATHKEEPER_INTROSPECT_CLIENT_SECRET }}
          EOF

+          required_dotenv_keys="
+          APP_ENV BACKEND_LOG_LEVEL CLIENT_LOG_DEBUG WORKS_ADMIN_API_BASE_URL WORKS_ADMIN_OAUTH_TOKEN_URL TZ IDP_PROVIDER
+          DB_PORT CLICKHOUSE_PORT_HTTP CLICKHOUSE_PORT_NATIVE CLICKHOUSE_HOST CLICKHOUSE_USER CLICKHOUSE_PASSWORD
+          BACKEND_PORT ADMINFRONT_PORT DEVFRONT_PORT ORGFRONT_PORT USERFRONT_PORT OATHKEEPER_API_URL
+          DB_USER DB_PASSWORD DB_NAME COOKIE_SECRET JWT_SECRET REDIS_ADDR CORS_ALLOWED_ORIGINS PROFILE_CACHE_TTL
+          NAVER_CLOUD_ACCESS_KEY NAVER_CLOUD_SECRET_KEY NAVER_CLOUD_SERVICE_ID NAVER_SENDER_PHONE_NUMBER
+          AWS_REGION AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SES_SENDER ADMIN_EMAIL ADMIN_PASSWORD
+          USERFRONT_URL ORGFRONT_URL BACKEND_PUBLIC_URL BACKEND_URL OATHKEEPER_PUBLIC_URL
+          ORY_POSTGRES_TAG ORY_POSTGRES_USER ORY_POSTGRES_PASSWORD ORY_POSTGRES_DB KRATOS_DB HYDRA_DB KETO_DB
+          KRATOS_VERSION KRATOS_UI_NODE_VERSION HYDRA_VERSION KETO_VERSION ORY_SDK_URL KRATOS_PUBLIC_URL
+          KRATOS_ADMIN_URL KRATOS_BROWSER_URL KRATOS_UI_URL HYDRA_ADMIN_URL HYDRA_PUBLIC_URL HYDRA_REFRESH_TOKEN_TTL JWKS_URL
+          OATHKEEPER_VERSION OATHKEEPER_UID OATHKEEPER_GID OATHKEEPER_HEALTH_URL OATHKEEPER_HEALTH_INTERVAL_SECONDS
+          OATHKEEPER_HEALTH_TIMEOUT_SECONDS OATHKEEPER_HEALTH_ENABLED CSRF_COOKIE_NAME CSRF_COOKIE_SECRET
+          VITE_OIDC_AUTHORITY ADMINFRONT_CALLBACK_URLS DEVFRONT_CALLBACK_URLS ORGFRONT_CALLBACK_URLS
+          "
+          for key in ${required_dotenv_keys}; do
+            if ! grep -Eq "^${key}=.+" .env; then
+              echo "::error::Missing required staging .env value: ${key}. Check Gitea repo variables/secrets."
+              exit 1
+            fi
+          done
+
          # 파일 복사
          ssh "${STAGE_USER}@${STAGE_HOST}" "mkdir -p ${DEPLOY_PATH}/docker"
+          ssh "${STAGE_USER}@${STAGE_HOST}" "mkdir -p ${DEPLOY_PATH}/adminfront"
+          ssh "${STAGE_USER}@${STAGE_HOST}" "mkdir -p ${DEPLOY_PATH}/scripts"
          
          # [중요] docker/ory 폴더 복사 (여기에 init-db/1-createdb.sql이 있어야 함)
          scp -r docker/ory "${STAGE_USER}@${STAGE_HOST}:${DEPLOY_PATH}/docker/"
@@ -144,9 +181,11 @@ jobs:
             scp -r gateway "${STAGE_USER}@${STAGE_HOST}:${DEPLOY_PATH}/"
          fi

+          scp adminfront/seed-tenant.csv "${STAGE_USER}@${STAGE_HOST}:${DEPLOY_PATH}/adminfront/"
+          scp scripts/render_ory_config.sh "${STAGE_USER}@${STAGE_HOST}:${DEPLOY_PATH}/scripts/"
          scp docker/docker-compose.staging.template.yaml .env "${STAGE_USER}@${STAGE_HOST}:${DEPLOY_PATH}/"
          scp docker/compose.infra.yaml "${STAGE_USER}@${STAGE_HOST}:${DEPLOY_PATH}/compose.infra.yml"
-          scp docker/compose.ory.yaml "${STAGE_USER}@${STAGE_HOST}:${DEPLOY_PATH}/compose.ory.yml"
+          scp compose.ory.yaml "${STAGE_USER}@${STAGE_HOST}:${DEPLOY_PATH}/compose.ory.yml"

          # 배포 실행
          echo "${HARBOR_ROBOT_KEY}" | ssh "${STAGE_USER}@${STAGE_HOST}" \
@@ -155,6 +194,7 @@ jobs:
             export USERFRONT_IMAGE_NAME='${USERFRONT_IMAGE_NAME}'; \
             export ADMINFRONT_IMAGE_NAME='${ADMINFRONT_IMAGE_NAME}'; \
             export DEVFRONT_IMAGE_NAME='${DEVFRONT_IMAGE_NAME}'; \
+             export ORGFRONT_IMAGE_NAME='${ORGFRONT_IMAGE_NAME}'; \
             export IMAGE_TAG='${IMAGE_TAG}'; \
             export HARBOR_ENDPOINT='${HARBOR_ENDPOINT}'; \
             export HARBOR_ROBOT_ACCOUNT='${HARBOR_ROBOT_ACCOUNT}'; \
@@ -166,6 +206,9 @@ jobs:
             for net in baron_net public_net ory-net hydranet kratosnet; do
               docker network inspect \"\$net\" >/dev/null 2>&1 || docker network create \"\$net\"
             done
+
+             bash scripts/render_ory_config.sh; \
+             chmod -R 777 config/.generated/ory || true; \
             
             envsubst < docker-compose.staging.template.yaml > docker-compose.yml; \

@@ -187,4 +230,4 @@ jobs:
                echo 'Kratos Migrate Failed. Logs:'; \
                docker logs baron-sso-staging-kratos-migrate-1; \
                exit 1; \
-             fi"
+             fi"
--- a/.gitea/workflows/userfront_e2e_full_nightly.yml
+++ b/.gitea/workflows/userfront_e2e_full_nightly.yml
@@ -0,0 +1,273 @@
+name: Userfront E2E Full Nightly
+
+on:
+    schedule:
+        - cron: "0 18 * * *"
+    workflow_dispatch:
+
+permissions:
+    contents: write
+
+jobs:
+    lint:
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@v4
+
+            - name: Setup Node.js
+              uses: actions/setup-node@v4
+              with:
+                  node-version: "24"
+
+            - name: Setup Go
+              uses: actions/setup-go@v5
+              with:
+                  go-version: "1.25"
+                  cache-dependency-path: backend/go.sum
+
+            - name: Setup Flutter
+              uses: subosito/flutter-action@v2
+              with:
+                  channel: "stable"
+                  cache: true
+
+            - name: Run common lint checks
+              run: |
+                  make code-check-lint
+
+    full-test-policy:
+        runs-on: ubuntu-latest
+        outputs:
+            should_run: ${{ steps.policy.outputs.should_run }}
+            reason: ${{ steps.policy.outputs.reason }}
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@v4
+              with:
+                  fetch-depth: 0
+
+            - name: Decide whether full E2E is needed
+              id: policy
+              run: |
+                  set -euo pipefail
+
+                  target_sha="${GITHUB_SHA}"
+                  should_run="true"
+                  reason="manual-dispatch"
+
+                  if [ "${GITHUB_EVENT_NAME}" = "schedule" ]; then
+                    reason="missing-full-result"
+                    git fetch origin "+refs/heads/badges:refs/remotes/origin/badges" || true
+                    if git show-ref --verify --quiet refs/remotes/origin/badges && \
+                       git cat-file -e "refs/remotes/origin/badges:dev/${target_sha}/badges.json" 2>/dev/null; then
+                      full_message="$(
+                        git show "refs/remotes/origin/badges:dev/${target_sha}/badges.json" |
+                          node -e "let input=''; process.stdin.on('data', c => input += c); process.stdin.on('end', () => { const data = JSON.parse(input); const keys = ['userfront-chrome', 'userfront-firefox', 'userfront-safari']; const messages = keys.map((key) => data.badges?.[key]?.message || 'unknown'); process.stdout.write(messages.join(',')); });"
+                      )"
+                      if [ -n "${full_message}" ] && ! printf '%s' "${full_message}" | grep -q "unknown"; then
+                        should_run="false"
+                        reason="full-result-exists:${full_message}"
+                      fi
+                    fi
+                  fi
+
+                  echo "should_run=${should_run}" >> "$GITHUB_OUTPUT"
+                  echo "reason=${reason}" >> "$GITHUB_OUTPUT"
+                  echo "target_sha=${target_sha}"
+                  echo "should_run=${should_run}"
+                  echo "reason=${reason}"
+
+    userfront-e2e-full:
+        needs:
+            - lint
+            - full-test-policy
+        if: ${{ needs.lint.result == 'success' && needs.full-test-policy.outputs.should_run == 'true' }}
+        runs-on: ubuntu-latest
+        timeout-minutes: 80
+        outputs:
+            chromium_desktop: ${{ steps.full-results.outputs.chromium_desktop }}
+            chromium_mobile: ${{ steps.full-results.outputs.chromium_mobile }}
+            firefox_desktop: ${{ steps.full-results.outputs.firefox_desktop }}
+            firefox_mobile: ${{ steps.full-results.outputs.firefox_mobile }}
+            webkit_desktop: ${{ steps.full-results.outputs.webkit_desktop }}
+            webkit_mobile: ${{ steps.full-results.outputs.webkit_mobile }}
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@v4
+
+            - name: Setup Node.js
+              uses: actions/setup-node@v4
+              with:
+                  node-version: "24"
+                  cache: "npm"
+                  cache-dependency-path: userfront-e2e/package-lock.json
+
+            - name: Setup Flutter
+              uses: subosito/flutter-action@v2
+              with:
+                  channel: "stable"
+                  cache: true
+
+            - name: Sync userfront locales
+              run: |
+                  /bin/sh ./scripts/sync_userfront_locales.sh
+
+            - name: Install userfront-e2e dependencies
+              run: |
+                  cd userfront-e2e
+                  npm ci
+
+            - name: Build userfront WASM
+              run: |
+                  cd userfront
+                  rm -rf build/web
+                  flutter build web --wasm --release
+                  cd ..
+                  node userfront/scripts/optimize-web-build.mjs userfront/build/web
+
+            - name: Provision full browser matrix
+              run: |
+                  cd userfront-e2e
+                  npx playwright install --with-deps
+
+            - name: Run full userfront-e2e tests
+              id: full-results
+              run: |
+                  mkdir -p reports
+                  cd userfront-e2e
+                  workers="${PLAYWRIGHT_WORKERS:-4}"
+                  case "$workers" in
+                    ''|*[!0-9]*|0) workers=4 ;;
+                  esac
+                  any_failure=0
+
+                  run_project() {
+                    output_name="$1"
+                    project_name="$2"
+                    log_path="../reports/userfront-e2e-full-${project_name}.log"
+
+                    set +e
+                    echo "[userfront-e2e-full] PLAYWRIGHT_WORKERS=${workers} npx playwright test --project=${project_name}" | tee "$log_path"
+                    PLAYWRIGHT_WORKERS="$workers" npx playwright test --project="$project_name" --reporter=list 2>&1 | tee -a "$log_path"
+                    exit_code=${PIPESTATUS[0]}
+                    set -e
+
+                    if [ "$exit_code" -eq 0 ]; then
+                      result="success"
+                    else
+                      result="failure"
+                      any_failure=1
+                    fi
+                    echo "${output_name}=${result}" >> "$GITHUB_OUTPUT"
+                  }
+
+                  run_project chromium_desktop chromium-desktop
+                  run_project chromium_mobile chromium-mobile-webapp
+                  run_project firefox_desktop firefox-desktop
+                  echo "firefox_mobile=skipped" >> "$GITHUB_OUTPUT"
+                  run_project webkit_desktop webkit-desktop
+                  run_project webkit_mobile webkit-mobile-webapp
+
+                  exit "$any_failure"
+
+            - name: Upload userfront-e2e full artifacts
+              if: ${{ always() }}
+              uses: actions/upload-artifact@v3
+              continue-on-error: true
+              with:
+                  name: userfront-e2e-full-report
+                  path: |
+                      reports/userfront-e2e-full-*.log
+                      userfront-e2e/playwright-report
+                      userfront-e2e/test-results
+                  if-no-files-found: ignore
+
+    badge-updater:
+        needs:
+            - lint
+            - full-test-policy
+            - userfront-e2e-full
+        if: ${{ always() && needs.lint.result == 'success' && needs.full-test-policy.outputs.should_run == 'true' && github.ref == 'refs/heads/dev' }}
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@v4
+              with:
+                  fetch-depth: 0
+
+            - name: Setup Node.js
+              uses: actions/setup-node@v4
+              with:
+                  node-version: "24"
+
+            - name: Restore published badge state
+              run: |
+                  git fetch origin "+refs/heads/badges:refs/remotes/origin/badges" || true
+                  if git show-ref --verify --quiet refs/remotes/origin/badges && \
+                     git cat-file -e refs/remotes/origin/badges:latest/badges.json 2>/dev/null; then
+                    mkdir -p docs/badges
+                    git archive --format=tar refs/remotes/origin/badges latest | tar -x
+                    cp latest/* docs/badges/
+                    rm -rf latest
+                  else
+                    echo "No published badge state found."
+                  fi
+
+            - name: Update full E2E badge files
+              env:
+                  USERFRONT_E2E_RESULT: ${{ needs.userfront-e2e-full.result }}
+                  USERFRONT_E2E_FULL: "true"
+                  USERFRONT_E2E_CHROMIUM_DESKTOP_RESULT: ${{ needs.userfront-e2e-full.outputs.chromium_desktop }}
+                  USERFRONT_E2E_CHROMIUM_MOBILE_RESULT: ${{ needs.userfront-e2e-full.outputs.chromium_mobile }}
+                  USERFRONT_E2E_FIREFOX_DESKTOP_RESULT: ${{ needs.userfront-e2e-full.outputs.firefox_desktop }}
+                  USERFRONT_E2E_FIREFOX_MOBILE_RESULT: ${{ needs.userfront-e2e-full.outputs.firefox_mobile }}
+                  USERFRONT_E2E_WEBKIT_DESKTOP_RESULT: ${{ needs.userfront-e2e-full.outputs.webkit_desktop }}
+                  USERFRONT_E2E_WEBKIT_MOBILE_RESULT: ${{ needs.userfront-e2e-full.outputs.webkit_mobile }}
+                  BADGE_UPDATE_CODE_CHECK: "false"
+                  BADGE_SOURCE_BRANCH: dev
+                  BADGE_SOURCE_SHA: ${{ github.sha }}
+              run: |
+                  node scripts/update_code_check_badges.mjs
+                  cat docs/badges/badges.json
+
+            - name: Publish full E2E badge assets
+              run: |
+                  if [ -z "$(git status --porcelain docs/badges)" ]; then
+                    echo "No badge changes."
+                    exit 0
+                  fi
+
+                  BADGE_BRANCH=badges
+                  BADGE_WORKTREE="$(mktemp -d)"
+                  BADGE_LATEST_DIR="${BADGE_WORKTREE}/latest"
+                  BADGE_SHA_DIR="${BADGE_WORKTREE}/dev/${GITHUB_SHA}"
+                  trap 'rm -rf "${BADGE_WORKTREE}"' EXIT
+
+                  git config user.name "gitea-actions"
+                  git config user.email "gitea-actions@hmac.kr"
+
+                  git fetch origin "+refs/heads/${BADGE_BRANCH}:refs/remotes/origin/${BADGE_BRANCH}" || true
+                  if git show-ref --verify --quiet "refs/remotes/origin/${BADGE_BRANCH}"; then
+                    git worktree add --detach "${BADGE_WORKTREE}" "origin/${BADGE_BRANCH}"
+                  else
+                    git worktree add --detach "${BADGE_WORKTREE}"
+                    git -C "${BADGE_WORKTREE}" checkout --orphan "${BADGE_BRANCH}"
+                    git -C "${BADGE_WORKTREE}" rm -rf . || true
+                  fi
+
+                  find "${BADGE_WORKTREE}" -mindepth 1 -maxdepth 1 ! -name .git -exec rm -rf {} +
+                  mkdir -p "${BADGE_LATEST_DIR}" "${BADGE_SHA_DIR}"
+                  cp docs/badges/*.svg "${BADGE_LATEST_DIR}/"
+                  cp docs/badges/badges.json "${BADGE_LATEST_DIR}/badges.json"
+                  cp docs/badges/*.svg "${BADGE_SHA_DIR}/"
+                  cp docs/badges/badges.json "${BADGE_SHA_DIR}/badges.json"
+
+                  git -C "${BADGE_WORKTREE}" add .
+                  if [ -z "$(git -C "${BADGE_WORKTREE}" status --porcelain)" ]; then
+                    echo "No published badge changes."
+                    exit 0
+                  fi
+
+                  git -C "${BADGE_WORKTREE}" commit -m "chore: publish userfront e2e full badge [skip ci]"
+                  git -C "${BADGE_WORKTREE}" push origin HEAD:${BADGE_BRANCH}
--- a/.gitignore
+++ b/.gitignore
@@ -1,19 +1,32 @@
 # General
 .env
+.env_backup
 .temp
 .DS_Store
 .idea/
 .vscode/
 .codex
 .codex/
+.serena/
+.generated/
+config/.generated/
 *.swp
 *.log
 *.out
 *.exe
+.npm-cache/
+reports
+reports/*
+/backups/
+/tmp/rp-restore-*/
+config/*.pem
+common/node_modules
+common/.baron-deps-install.lock

 # Docker Services Data (Volumes)
 postgres_data/
 clickhouse_data/
+docker/ory/oathkeeper/logs/

 # Backend (Go)
 backend/main
@@ -30,3 +43,21 @@ userfront/.dart_tool/
 userfront/.packages
 userfront/.pub/
 userfront/.env
+
+# Frontend test artifacts
+adminfront/test-results/
+adminfront/test-results.nobody-backup/
+devfront/test-results/
+orgfront/test-results/
+adminfront/playwright-report/
+devfront/playwright-report/
+orgfront/playwright-report/
+adminfront/coverage/
+devfront/coverage/
+orgfront/coverage/
+orgfront/node_modules/
+orgfront/dist/
+orgfront/.vite/
+.pnpm-store
+.playwright-mcp
+node_modules
--- a/579
+++ b/579
@@ -10,60 +10,287 @@ endif
 COMPOSE_INFRA := compose.infra.yaml
 COMPOSE_ORY := compose.ory.yaml
 COMPOSE_APP := docker-compose.yaml
+AUTH_CONFIG_ENV := config/.generated/auth-config.env
+DEV_SERVICES ?= backend adminfront devfront orgfront userfront
+DEV_NETWORKS := baron_net ory-net hydranet kratosnet public_net
+INFRA_CONTAINERS := baron_postgres baron_clickhouse baron_redis baron_gateway
+ORY_CONTAINERS := ory_postgres ory_kratos ory_hydra ory_keto ory_oathkeeper ory_clickhouse ory_vector
+APP_CONTAINERS := baron_backend baron_adminfront baron_devfront baron_orgfront baron_userfront
+DROP_CONTAINERS := $(INFRA_CONTAINERS) $(ORY_CONTAINERS) $(APP_CONTAINERS) ory_stack_check
+
+COMPOSE_CLI_ENV_ARGS :=
+ifneq (,$(wildcard ./.env))
+COMPOSE_CLI_ENV_ARGS += --env-file .env
+endif
+COMPOSE_CLI_ENV_ARGS += --env-file $(AUTH_CONFIG_ENV)
+
+COMPOSE_DROP_ENV_ARGS :=
+ifneq (,$(wildcard ./.env))
+COMPOSE_DROP_ENV_ARGS += --env-file .env
+endif
+
+DUMP_SERVICES ?= all
+RESTORE_SERVICES ?= all
+DUMP_DATASET ?= full
+RESTORE_DATASET ?=
+FILTER_SERVICES ?= postgres,ory-postgres
+OUTPUT_BACKUP ?=
+FILE_PATH ?=
+RESTORE_INPUT ?= $(or $(FILE_PATH),$(word 2,$(MAKECMDGOALS)))
+CONFIRM_RESTORE ?=
+ALLOW_NON_EMPTY_RESTORE ?= false
+DUMP_MODE ?= maintenance
+BACKUP_USE_DOCKER ?= true
+BACKUP_TOOLS_IMAGE ?= baron-sso-backup-tools:local
+BACKUP_TOOLS_DOCKERFILE ?= docker/backup-tools/Dockerfile
+BACKUP_DOCKER_ENV_ARGS :=
+ifneq (,$(wildcard ./.env))
+BACKUP_DOCKER_ENV_ARGS += --env-file .env
+endif
+ifneq (,$(wildcard ./$(AUTH_CONFIG_ENV)))
+BACKUP_DOCKER_ENV_ARGS += --env-file $(AUTH_CONFIG_ENV)
+endif
+BACKUP_DOCKER_RUN = docker run --rm $(BACKUP_DOCKER_ENV_ARGS) -e BACKUP_REPO_ROOT=/workspace -v /var/run/docker.sock:/var/run/docker.sock -v "$(CURDIR)":/workspace -v /tmp:/tmp -w /workspace $(BACKUP_TOOLS_IMAGE)
+DOCKER_IMAGE_REF ?=
+WORKS_DOCKER_COMMIT_CONTAINER ?=
+WORKS_DOCKER_IMAGE_ARCHIVE_DIR ?= /tmp/baron-sso-docker-image-upload
+
+.PHONY: help build-auth-config validate-auth-config verify-auth-config render-ory-config up up-all up-infra up-ory up-app up-backend ensure-networks ensure-infra ensure-ory ensure-restore-containers up-dev up-front-dev dev dev-debug down drop down-app down-backend down-infra down-ory check-infra ps logs-infra logs-ory logs-app backup-tools-build dump filter-personnel-dump restore dump-verify restore-verify dump-list restore-plan upload-cloud works-drive-refresh-token dump-upload-cloud docker-image-upload-works docker-image-verify-works
+
+help: ## 생성된 타깃과 옵션 목록 표시
+	@printf "Usage:\n  make <target> [OPTION=value ...]\n\n"
+	@printf "Targets:\n"
+	@awk ' \
+		BEGIN { current = ""; printed_section = 0 } \
+		/^# --- .+ ---/ { \
+			current = $$0; \
+			gsub(/^# ---[[:space:]]*/, "", current); \
+			gsub(/[[:space:]]*---$$/, "", current); \
+			next; \
+		} \
+		/^[[:alnum:]_.-]+:([^=]|$$)/ { \
+			line = $$0; \
+			target = line; \
+			sub(/:.*/, "", target); \
+			if (target ~ /^\.|%/) { next } \
+			if (seen[target]++) { next } \
+			desc = ""; \
+			if (line ~ /##/) { \
+				desc = line; \
+				sub(/^.*##[[:space:]]*/, "", desc); \
+			} \
+			if (current != "" && current != printed_section) { \
+				printf "\n  %s\n", current; \
+				printed_section = current; \
+			} \
+			if (desc != "") { \
+				printf "    %-36s %s\n", target, desc; \
+			} else { \
+				printf "    %-36s\n", target; \
+			} \
+		} \
+	' Makefile
+	@printf "\nOptions:\n"
+	@awk ' \
+		/^[A-Z][A-Z0-9_]+[[:space:]]*\?=/ { \
+			name = $$1; \
+			value = $$0; \
+			sub(/[[:space:]]*\?=.*/, "", name); \
+			sub(/^[^?]+\?=[[:space:]]*/, "", value); \
+			printf "  %-32s default: %s\n", name, value; \
+		} \
+	' Makefile
+	@printf "\nRestore Safety:\n"
+	@printf "  CONFIRM_RESTORE=baron-sso          복구 실행 의도를 명시하는 필수 확인값\n"
+	@printf "  ALLOW_NON_EMPTY_RESTORE=true       비어 있지 않은 복구 대상에 덮어쓰는 승인된 복구에서만 사용\n"
+	@printf "\nRestore Examples:\n"
+	@printf "  make restore-plan FILE_PATH=stg.today.tar.gz CONFIRM_RESTORE=baron-sso\n"
+	@printf "  make restore FILE_PATH=stg.today.tar.gz CONFIRM_RESTORE=baron-sso ALLOW_NON_EMPTY_RESTORE=true\n"
+
+# --- 인증 설정 빌드/검증 ---
+build-auth-config: ## 인증 설정 파일 생성
+	@echo "Building auth config..."
+	@mkdir -p config/.generated
+	@bash scripts/auth_config.sh build
+
+validate-auth-config: build-auth-config ## 인증 설정 값 검증
+	@echo "Validating auth config..."
+	@bash scripts/auth_config.sh validate
+
+verify-auth-config: validate-auth-config ## 인증 설정 연결 상태 확인
+	@echo "Verifying auth config wiring..."
+	@bash scripts/auth_config.sh verify
+
+render-ory-config: validate-auth-config ## Ory 설정 파일 렌더링
+	@echo "Rendering Ory config..."
+	@bash scripts/render_ory_config.sh

 # --- 기본 실행 ---
 # 주의: --remove-orphan 사용 금지 (다른 스택이 orphan으로 판단되어 종료될 수 있음)
-up-all:
+up: up-all ## 전체 로컬 스택 실행
+
+up-all: ensure-networks render-ory-config ## 인프라, Ory, 앱 스택 모두 실행
 	@echo "Starting ALL stacks (infra + ory + app)..."
-	docker compose -f $(COMPOSE_INFRA) -f $(COMPOSE_ORY) -f $(COMPOSE_APP) up -d
+	docker compose $(COMPOSE_CLI_ENV_ARGS) -f $(COMPOSE_INFRA) -f $(COMPOSE_ORY) -f $(COMPOSE_APP) up --build -d
+	docker compose $(COMPOSE_CLI_ENV_ARGS) -f $(COMPOSE_INFRA) -f $(COMPOSE_ORY) -f $(COMPOSE_APP) restart kratos

 # --- 개별 스택 실행 ---
-up-infra:
+up-infra: ensure-networks ## 인프라 스택 실행
 	@echo "Starting Infra stack (postgres/clickhouse/redis)..."
 	docker compose -f $(COMPOSE_INFRA) up -d

-up-ory:
+up-ory: ensure-networks render-ory-config ## Ory 스택 실행
 	@echo "Starting Ory stack (kratos/hydra/keto/oathkeeper)..."
-	docker compose -f $(COMPOSE_ORY) up -d
+	docker compose $(COMPOSE_CLI_ENV_ARGS) -f $(COMPOSE_ORY) up -d
+	docker compose $(COMPOSE_CLI_ENV_ARGS) -f $(COMPOSE_ORY) restart kratos

-up-app:
-	@echo "Starting App stack (backend/userfront/adminfront/devfront)..."
-	docker compose -f $(COMPOSE_APP) up -d
+up-app: ensure-networks render-ory-config ## 앱 스택 실행
+	@echo "Starting App stack (backend/userfront/adminfront/devfront/orgfront)..."
+	docker compose $(COMPOSE_CLI_ENV_ARGS) -f $(COMPOSE_APP) up --build -d

-up-backend:
+up-backend: ensure-networks render-ory-config ## 백엔드 컨테이너만 실행
 	@echo "Starting Backend only..."
-	docker compose -f $(COMPOSE_APP) up -d backend
+	docker compose $(COMPOSE_CLI_ENV_ARGS) -f $(COMPOSE_APP) up --build -d backend

-up-dev: up-infra up-ory
+ensure-networks: ## 개발용 Docker 네트워크 보장
+	@echo "Ensuring Docker networks..."
+	@for network in $(DEV_NETWORKS); do \
+		if ! docker network inspect "$$network" >/dev/null 2>&1; then \
+			echo "Creating Docker network $$network..."; \
+			docker network create "$$network"; \
+		else \
+			echo "Docker network $$network already exists."; \
+		fi; \
+	done
+
+ensure-infra: ensure-networks ## 인프라 스택 실행 상태 보장
+	@echo "Ensuring Infra stack..."
+	@missing=0; \
+	for container in $(INFRA_CONTAINERS); do \
+		if [ "$$(docker inspect -f '{{.State.Running}}' "$$container" 2>/dev/null)" != "true" ]; then \
+			missing=1; \
+			break; \
+		fi; \
+	done; \
+	if [ "$$missing" -eq 1 ]; then \
+		echo "Starting missing Infra stack containers in daemon mode..."; \
+		docker compose -f $(COMPOSE_INFRA) up -d; \
+	else \
+		echo "Infra stack is already running."; \
+	fi
+
+ensure-ory: ensure-networks render-ory-config ## Ory 스택 실행 상태 보장
+	@echo "Ensuring Ory stack..."
+	@missing=0; \
+	for container in $(ORY_CONTAINERS); do \
+		if [ "$$(docker inspect -f '{{.State.Running}}' "$$container" 2>/dev/null)" != "true" ]; then \
+			missing=1; \
+			break; \
+		fi; \
+	done; \
+	if [ "$$missing" -eq 1 ]; then \
+		echo "Starting missing Ory stack containers in daemon mode..."; \
+		docker compose $(COMPOSE_CLI_ENV_ARGS) -f $(COMPOSE_ORY) up -d; \
+	else \
+		echo "Ory stack is already running. Restarting Kratos to apply rendered dev config..."; \
+		docker compose $(COMPOSE_CLI_ENV_ARGS) -f $(COMPOSE_ORY) restart kratos; \
+	fi
+
+ensure-restore-containers: ## 복구 대상 저장소 컨테이너 실행 상태 보장
+	@echo "Ensuring restore target containers..."
+	@if [ "$(CONFIRM_RESTORE)" != "baron-sso" ]; then \
+		echo "Skipping restore target container startup until CONFIRM_RESTORE=baron-sso is provided."; \
+		exit 0; \
+	fi
+	@$(MAKE) --no-print-directory ensure-networks
+	@ensure_restore_container() { \
+		container="$$1"; \
+		compose_file="$$2"; \
+		compose_service="$$3"; \
+		if docker inspect -f '{{.State.Running}}' "$$container" 2>/dev/null | grep -qx 'true'; then \
+			echo "Restore target container $$container is already running."; \
+			return 0; \
+		fi; \
+		if docker inspect "$$container" >/dev/null 2>&1; then \
+			echo "Starting stopped restore target container $$container..."; \
+			docker start "$$container"; \
+		else \
+			echo "Creating restore target container $$container via $$compose_file service $$compose_service..."; \
+			docker compose -f "$$compose_file" up -d "$$compose_service"; \
+		fi; \
+		for attempt in 1 2 3 4 5 6 7 8 9 10; do \
+			if docker inspect -f '{{.State.Running}}' "$$container" 2>/dev/null | grep -qx 'true'; then \
+				return 0; \
+			fi; \
+			sleep 1; \
+		done; \
+		echo "ERROR: restore target container $$container did not reach running state." >&2; \
+		return 1; \
+	}; \
+	services="$(RESTORE_SERVICES)"; \
+	if [ -z "$$services" ] || [ "$$services" = "all" ]; then \
+		services="postgres ory-postgres clickhouse ory-clickhouse config"; \
+	else \
+		services="$$(printf '%s' "$$services" | tr ',' ' ')"; \
+	fi; \
+	for service in $$services; do \
+		case "$$service" in \
+			postgres) ensure_restore_container baron_postgres compose.infra.yaml postgres ;; \
+			ory-postgres) ensure_restore_container ory_postgres compose.ory.yaml postgres ;; \
+			clickhouse) ensure_restore_container baron_clickhouse compose.infra.yaml clickhouse ;; \
+			ory-clickhouse) ensure_restore_container ory_clickhouse compose.ory.yaml ory_clickhouse ;; \
+			config) ;; \
+			*) echo "ERROR: unknown restore service: $$service" >&2; exit 1 ;; \
+		esac; \
+	done
+
+up-dev: ensure-infra ensure-ory ## 개발 기본 스택 준비
 	@echo "Dev stack is up (infra + ory)."

-up-front-dev: up-infra up-ory up-backend
+up-front-dev: up-infra up-ory up-backend ## 프론트 개발용 의존 스택 준비
 	@echo "Dev stack is up (infra + ory + backend)."

+dev: up-dev ## 개발 앱 컨테이너를 포그라운드로 실행
+	@echo "Starting development app containers in foreground attach mode..."
+	BACKEND_LOG_LEVEL=info CLIENT_LOG_DEBUG=false VITE_CLIENT_LOG_DEBUG=false docker compose $(COMPOSE_CLI_ENV_ARGS) -f $(COMPOSE_APP) up --build $(DEV_SERVICES)
+
+dev-debug: up-dev ## 디버그 로그로 개발 앱 컨테이너 실행
+	@echo "Starting development app containers in foreground attach debug mode..."
+	BACKEND_LOG_LEVEL=debug CLIENT_LOG_DEBUG=true VITE_CLIENT_LOG_DEBUG=true USERFRONT_FLUTTER_RUN_FLAGS=--debug docker compose $(COMPOSE_CLI_ENV_ARGS) -f $(COMPOSE_APP) up --build $(DEV_SERVICES)
+
 # --- 종료 (Down) ---
-down-all:
+down: ## 전체 로컬 스택 중지
 	@echo "Stopping ALL stacks (infra + ory + app)..."
 	docker compose -f $(COMPOSE_INFRA) -f $(COMPOSE_ORY) -f $(COMPOSE_APP) down

-down-app:
+drop: ## 로컬 스택 컨테이너, 볼륨, 로컬 이미지 제거
+	@echo "Dropping Baron SSO local Docker stack containers, volumes, and local images..."
+	-docker compose $(COMPOSE_DROP_ENV_ARGS) -f $(COMPOSE_INFRA) -f $(COMPOSE_ORY) -f $(COMPOSE_APP) down -v --rmi local
+	@echo "Removing any remaining fixed-name Baron SSO containers..."
+	@for container in $(DROP_CONTAINERS); do \
+		docker rm -f "$$container" >/dev/null 2>&1 || true; \
+	done
+	@echo "Drop complete. External Docker networks are preserved."
+
+down-app: ## 앱 스택 중지
 	@echo "Stopping App stack..."
 	docker compose -f $(COMPOSE_APP) down

-down-backend:
+down-backend: ## 백엔드 컨테이너 중지
 	@echo "Stopping Backend only..."
 	docker compose -f $(COMPOSE_APP) stop backend

-down-infra:
+down-infra: ## 인프라 스택 중지
 	@echo "Stopping Infra stack..."
 	docker compose -f $(COMPOSE_INFRA) down

-down-ory:
+down-ory: ## Ory 스택 중지
 	@echo "Stopping Ory stack..."
 	docker compose -f $(COMPOSE_ORY) down

 # --- 유틸리티 ---
 # 인프라 상태 확인
-check-infra:
+check-infra: ## 인프라 헬스 상태 확인
 	@echo "Checking infra status..."
 	@if [ "$$(docker inspect -f '{{.State.Health.Status}}' baron_postgres 2>/dev/null)" != "healthy" ]; then \
 			echo "Error: PostgreSQL is not running or not healthy."; \
@@ -73,14 +300,322 @@ check-infra:
 			echo "PostgreSQL is healthy."; \
 	fi

-ps:
+ps: ## 전체 Compose 컨테이너 상태 조회
 	docker compose -f $(COMPOSE_INFRA) -f $(COMPOSE_ORY) -f $(COMPOSE_APP) ps

-logs-infra:
+logs-infra: ## 인프라 스택 로그 팔로우
 	docker compose -f $(COMPOSE_INFRA) logs -f

-logs-ory:
+logs-ory: ## Ory 스택 로그 팔로우
 	docker compose -f $(COMPOSE_ORY) logs -f

-logs-app:
+logs-app: ## 앱 스택 로그 팔로우
 	docker compose -f $(COMPOSE_APP) logs -f
+
+# --- 백업/복구 ---
+backup-tools-build: ## 백업 도구 Docker 이미지 빌드
+	docker build -f $(BACKUP_TOOLS_DOCKERFILE) -t $(BACKUP_TOOLS_IMAGE) .
+
+ifeq ($(BACKUP_USE_DOCKER),true)
+dump: backup-tools-build ## 백업 덤프 생성
+	$(BACKUP_DOCKER_RUN) bash -lc 'DUMP_SERVICES="$(DUMP_SERVICES)" DUMP_DATASET="$(DUMP_DATASET)" DUMP_MODE="$(DUMP_MODE)" BACKUP="$(BACKUP)" BACKUP_ROOT="$(BACKUP_ROOT)" scripts/backup/dump.sh'
+
+filter-personnel-dump: backup-tools-build ## 전체 백업에서 personnel dataset 백업 추출
+	$(MAKE) --no-print-directory ensure-restore-containers RESTORE_SERVICES="$(FILTER_SERVICES)" CONFIRM_RESTORE=baron-sso
+	$(BACKUP_DOCKER_RUN) bash -lc 'BACKUP="$(BACKUP)" OUTPUT_BACKUP="$(OUTPUT_BACKUP)" FILTER_SERVICES="$(FILTER_SERVICES)" scripts/backup/filter_personnel_dump.sh'
+
+restore: backup-tools-build ensure-restore-containers ## 백업 덤프 복구
+	$(BACKUP_DOCKER_RUN) bash -lc 'RESTORE_INPUT="$(RESTORE_INPUT)" BACKUP="$(BACKUP)" DUMP_FILE="$(DUMP_FILE)" RESTORE_SERVICES="$(RESTORE_SERVICES)" RESTORE_DATASET="$(RESTORE_DATASET)" CONFIRM_RESTORE="$(CONFIRM_RESTORE)" ALLOW_NON_EMPTY_RESTORE="$(ALLOW_NON_EMPTY_RESTORE)" RESTORE_REPORT="$(RESTORE_REPORT)" scripts/backup/restore.sh'
+
+dump-verify: backup-tools-build ## 백업 덤프 검증
+	$(BACKUP_DOCKER_RUN) bash -lc 'BACKUP="$(BACKUP)" scripts/backup/verify-dump.sh'
+
+restore-verify: backup-tools-build ## 복구 결과 검증
+	$(BACKUP_DOCKER_RUN) bash -lc 'BACKUP="$(BACKUP)" scripts/backup/verify-restore.sh'
+
+dump-list: backup-tools-build ## 사용 가능한 백업 덤프 목록 조회
+	$(BACKUP_DOCKER_RUN) bash -lc 'BACKUP_ROOT="$(BACKUP_ROOT)" scripts/backup/dump-list.sh'
+
+restore-plan: backup-tools-build ## 복구 실행 계획 출력
+	$(BACKUP_DOCKER_RUN) bash -lc 'RESTORE_INPUT="$(RESTORE_INPUT)" BACKUP="$(BACKUP)" DUMP_FILE="$(DUMP_FILE)" RESTORE_SERVICES="$(RESTORE_SERVICES)" RESTORE_DATASET="$(RESTORE_DATASET)" CONFIRM_RESTORE="$(CONFIRM_RESTORE)" RESTORE_REPORT="$(RESTORE_REPORT)" scripts/backup/restore-plan.sh'
+
+upload-cloud: backup-tools-build ## 백업 덤프 클라우드 업로드
+	$(BACKUP_DOCKER_RUN) bash -lc '$(if $(WORKS_DRIVE_DRY_RUN),WORKS_DRIVE_DRY_RUN="$(WORKS_DRIVE_DRY_RUN)" )$(if $(WORKS_DRIVE_AUTH_MODE),WORKS_DRIVE_AUTH_MODE="$(WORKS_DRIVE_AUTH_MODE)" )BACKUP="$(BACKUP)" scripts/backup/upload_cloud.sh'
+
+works-drive-refresh-token: ## WORKS Drive OAuth refresh token 갱신
+	WORKS_DRIVE_TOKEN_GRANT="$(WORKS_DRIVE_TOKEN_GRANT)" WORKS_DRIVE_AUTH_CODE="$(WORKS_DRIVE_AUTH_CODE)" WORKS_DRIVE_AUTH_CALLBACK_URL="$(WORKS_DRIVE_AUTH_CALLBACK_URL)" scripts/backup/refresh_works_drive_token.sh
+else
+dump: ## 백업 덤프 생성
+	DUMP_SERVICES="$(DUMP_SERVICES)" DUMP_DATASET="$(DUMP_DATASET)" DUMP_MODE="$(DUMP_MODE)" BACKUP="$(BACKUP)" BACKUP_ROOT="$(BACKUP_ROOT)" scripts/backup/dump.sh
+
+filter-personnel-dump: ## 전체 백업에서 personnel dataset 백업 추출
+	$(MAKE) --no-print-directory ensure-restore-containers RESTORE_SERVICES="$(FILTER_SERVICES)" CONFIRM_RESTORE=baron-sso
+	BACKUP="$(BACKUP)" OUTPUT_BACKUP="$(OUTPUT_BACKUP)" FILTER_SERVICES="$(FILTER_SERVICES)" scripts/backup/filter_personnel_dump.sh
+
+restore: ensure-restore-containers ## 백업 덤프 복구
+	RESTORE_INPUT="$(RESTORE_INPUT)" BACKUP="$(BACKUP)" DUMP_FILE="$(DUMP_FILE)" RESTORE_SERVICES="$(RESTORE_SERVICES)" RESTORE_DATASET="$(RESTORE_DATASET)" CONFIRM_RESTORE="$(CONFIRM_RESTORE)" ALLOW_NON_EMPTY_RESTORE="$(ALLOW_NON_EMPTY_RESTORE)" RESTORE_REPORT="$(RESTORE_REPORT)" scripts/backup/restore.sh
+
+dump-verify: ## 백업 덤프 검증
+	BACKUP="$(BACKUP)" scripts/backup/verify-dump.sh
+
+restore-verify: ## 복구 결과 검증
+	BACKUP="$(BACKUP)" scripts/backup/verify-restore.sh
+
+dump-list: ## 사용 가능한 백업 덤프 목록 조회
+	BACKUP_ROOT="$(BACKUP_ROOT)" scripts/backup/dump-list.sh
+
+restore-plan: ## 복구 실행 계획 출력
+	RESTORE_INPUT="$(RESTORE_INPUT)" BACKUP="$(BACKUP)" DUMP_FILE="$(DUMP_FILE)" RESTORE_SERVICES="$(RESTORE_SERVICES)" RESTORE_DATASET="$(RESTORE_DATASET)" CONFIRM_RESTORE="$(CONFIRM_RESTORE)" RESTORE_REPORT="$(RESTORE_REPORT)" scripts/backup/restore-plan.sh
+
+upload-cloud: ## 백업 덤프 클라우드 업로드
+	$(if $(WORKS_DRIVE_DRY_RUN),WORKS_DRIVE_DRY_RUN="$(WORKS_DRIVE_DRY_RUN)" )$(if $(WORKS_DRIVE_AUTH_MODE),WORKS_DRIVE_AUTH_MODE="$(WORKS_DRIVE_AUTH_MODE)" )BACKUP="$(BACKUP)" scripts/backup/upload_cloud.sh
+
+works-drive-refresh-token: ## WORKS Drive OAuth refresh token 갱신
+	WORKS_DRIVE_TOKEN_GRANT="$(WORKS_DRIVE_TOKEN_GRANT)" WORKS_DRIVE_AUTH_CODE="$(WORKS_DRIVE_AUTH_CODE)" WORKS_DRIVE_AUTH_CALLBACK_URL="$(WORKS_DRIVE_AUTH_CALLBACK_URL)" scripts/backup/refresh_works_drive_token.sh
+endif
+
+dump-upload-cloud: dump upload-cloud ## 백업 덤프 생성 후 클라우드 업로드
+
+docker-image-upload-works: ## Docker 이미지를 WORKS Shared Drive archive로 업로드
+	WORKS_DOCKER_COMMIT_CONTAINER="$(WORKS_DOCKER_COMMIT_CONTAINER)" DOCKER_IMAGE_REF="$(DOCKER_IMAGE_REF)" WORKS_DOCKER_IMAGE_ARCHIVE_DIR="$(WORKS_DOCKER_IMAGE_ARCHIVE_DIR)" scripts/docker-image/upload_works_drive.sh
+
+docker-image-verify-works: ## WORKS Shared Drive Docker image archive 검증
+	WORKS_DOCKER_VERIFY_LOAD="$(WORKS_DOCKER_VERIFY_LOAD)" WORKS_DOCKER_IMAGE_ARCHIVE_DIR="$(WORKS_DOCKER_IMAGE_ARCHIVE_DIR)" scripts/docker-image/verify_archive.sh "$(WORKS_DOCKER_IMAGE_ARCHIVE_DIR)"
+
+# --- 로컬 통합 코드 체크 ---
+PLAYWRIGHT_BROWSERS_PATH := $(HOME)/.cache/ms-playwright
+PLAYWRIGHT_CHROMIUM_COMPLETE := $(PLAYWRIGHT_BROWSERS_PATH)/chromium-1208/INSTALLATION_COMPLETE
+PLAYWRIGHT_FIREFOX_COMPLETE := $(PLAYWRIGHT_BROWSERS_PATH)/firefox-1509/INSTALLATION_COMPLETE
+PLAYWRIGHT_WEBKIT_COMPLETE := $(PLAYWRIGHT_BROWSERS_PATH)/webkit-2248/INSTALLATION_COMPLETE
+
+PLAYWRIGHT_INSTALL_ALL := sh -c 'if [ -f "$(PLAYWRIGHT_CHROMIUM_COMPLETE)" ] && [ -f "$(PLAYWRIGHT_FIREFOX_COMPLETE)" ] && [ -f "$(PLAYWRIGHT_WEBKIT_COMPLETE)" ]; then echo "Playwright browsers already installed"; else npx playwright install; fi'
+PLAYWRIGHT_INSTALL_CHROMIUM := sh -c 'if [ -f "$(PLAYWRIGHT_CHROMIUM_COMPLETE)" ]; then echo "Playwright chromium already installed"; else npx playwright install chromium; fi'
+
+.PHONY: code-check code-check-lint code-check-test-jobs code-check-i18n code-check-i18n-values code-check-go-lint code-check-sync-userfront-locales code-check-userfront-install code-check-userfront-lint code-check-front-lint code-check-backend-tests code-check-userfront-tests code-check-adminfront-tests code-check-devfront-tests code-check-orgfront-tests code-check-userfront-e2e-tests
+
+CODE_CHECK_TEST_JOBS ?= 1
+PLAYWRIGHT_WORKERS ?= 1
+FLUTTER_TEST_CONCURRENCY ?= 1
+
+code-check: code-check-lint code-check-test-jobs ## 로컬 CI 상당 코드 검사 실행
+	@echo "code-check complete."
+
+code-check-lint: code-check-i18n code-check-i18n-values code-check-front-lint code-check-go-lint code-check-sync-userfront-locales code-check-userfront-install code-check-userfront-lint ## 로컬 린트와 정적 검사 실행
+
+code-check-test-jobs: ## 코드 검사 테스트 작업 실행
+	@echo "==> run CI-equivalent test jobs (parallel)"
+	@$(MAKE) --no-print-directory -j$(CODE_CHECK_TEST_JOBS) --output-sync=target \
+		code-check-backend-tests \
+		code-check-userfront-tests \
+		code-check-userfront-e2e-tests \
+		code-check-adminfront-tests \
+		code-check-devfront-tests \
+		code-check-orgfront-tests
+
+code-check-i18n: ## i18n 리소스 검사
+	@echo "==> i18n resource check"
+	@mkdir -p reports
+	node tools/i18n-scanner/index.js
+	node tools/i18n-scanner/report.js
+	@cat reports/i18n-report.txt
+
+code-check-i18n-values: ## i18n 번역 값 품질 검사
+	@echo "==> i18n value quality check"
+	@mkdir -p reports
+	node tools/i18n-scanner/value-check.js
+	@cat reports/i18n-value-report.txt
+
+code-check-go-lint: ## Go 포맷과 린트 검사
+	@echo "==> go lint/format check"
+	@if command -v golangci-lint >/dev/null 2>&1; then \
+		cd backend && golangci-lint fmt -E gofmt -E gofumpt -d; \
+	elif command -v docker >/dev/null 2>&1; then \
+		docker run --rm \
+			-v "$$(pwd)/backend:/app" \
+			-w /app \
+			golangci/golangci-lint:v2.10.1 \
+			golangci-lint fmt -E gofmt -E gofumpt -d; \
+	else \
+		echo "ERROR: golangci-lint not found and docker is unavailable."; \
+		echo "Install golangci-lint v2.10.1 or Docker to match CI lint step."; \
+		exit 1; \
+	fi
+
+code-check-sync-userfront-locales: ## UserFront 로케일 동기화 검사
+	@echo "==> sync userfront locales"
+	/bin/sh ./scripts/sync_userfront_locales.sh
+
+code-check-userfront-install: ## UserFront 의존성 설치
+	@echo "==> install userfront dependencies"
+	@if command -v flutter >/dev/null 2>&1; then \
+		cd userfront && flutter pub get; \
+	else \
+		echo "WARNING: flutter not found, skipping userfront dependencies install."; \
+	fi
+
+code-check-userfront-lint: ## UserFront 포맷과 analyze 검사
+	@echo "==> userfront format/analyze"
+	@if command -v dart >/dev/null 2>&1; then \
+		cd userfront && dart format --output=none --set-exit-if-changed lib test; \
+	else \
+		echo "WARNING: dart not found, skipping userfront format check."; \
+	fi
+	@if command -v flutter >/dev/null 2>&1; then \
+		cd userfront && flutter analyze --no-fatal-warnings --no-fatal-infos; \
+	else \
+		echo "WARNING: flutter not found, skipping userfront analyze."; \
+	fi
+
+code-check-front-lint: ## 프론트엔드 Biome 린트와 포맷 검사
+	@echo "==> adminfront biome lint/format check"
+	rm -rf adminfront/playwright-report adminfront/test-results
+	@if [ -d adminfront/node_modules ]; then \
+		echo "adminfront/node_modules already present; skipping pnpm install."; \
+	else \
+		cd adminfront && CI=true npx pnpm install --frozen-lockfile --ignore-scripts; \
+	fi
+	cd adminfront && npx biome lint .
+	cd adminfront && npx biome format .
+	@echo "==> devfront biome lint/format check"
+	rm -rf devfront/playwright-report devfront/test-results
+	@if [ -d devfront/node_modules ]; then \
+		echo "devfront/node_modules already present; skipping npm install."; \
+	else \
+		cd devfront && npm ci --ignore-scripts; \
+	fi
+	cd devfront && npx biome lint .
+	cd devfront && npx biome format .
+	@echo "==> orgfront biome lint/format check"
+	rm -rf orgfront/playwright-report orgfront/test-results
+	@if [ -d orgfront/node_modules ]; then \
+		echo "orgfront/node_modules already present; skipping npm install."; \
+	else \
+		cd orgfront && npm ci --ignore-scripts; \
+	fi
+	cd orgfront && ./node_modules/@biomejs/biome/bin/biome lint .
+	cd orgfront && ./node_modules/@biomejs/biome/bin/biome format .
+
+code-check-backend-tests: ## 백엔드 Go 테스트 실행
+	@echo "==> backend tests"
+	cd backend && GOCACHE=/tmp/baron-sso-go-cache go test -v ./...
+
+code-check-userfront-tests: ## UserFront Flutter 테스트 실행
+	@echo "==> userfront tests (isolated workspace)"
+	@if ! command -v flutter >/dev/null 2>&1; then \
+		echo "WARNING: flutter not found, skipping userfront tests."; \
+		exit 0; \
+	fi; \
+	tmp_dir="$$(mktemp -d /tmp/baron-sso-userfront-tests.XXXXXX)"; \
+	trap 'rm -rf "$$tmp_dir"' EXIT INT TERM; \
+	mkdir -p "$$tmp_dir/scripts"; \
+	cp scripts/sync_userfront_locales.sh "$$tmp_dir/scripts/"; \
+	cp -R locales "$$tmp_dir/locales"; \
+	if command -v rsync >/dev/null 2>&1; then \
+		rsync -a --delete \
+			--exclude '.dart_tool' \
+			--exclude 'build' \
+			--exclude '.pub-cache' \
+			--exclude '.flutter-plugins' \
+			--exclude '.flutter-plugins-dependencies' \
+			userfront/ "$$tmp_dir/userfront/"; \
+	else \
+		cp -R userfront "$$tmp_dir/userfront"; \
+		rm -rf "$$tmp_dir/userfront/.dart_tool" "$$tmp_dir/userfront/build"; \
+	fi; \
+	cd "$$tmp_dir" && /bin/sh ./scripts/sync_userfront_locales.sh; \
+	cd "$$tmp_dir/userfront" && flutter test --concurrency=$(FLUTTER_TEST_CONCURRENCY)
+
+code-check-adminfront-tests: ## AdminFront 테스트 실행
+	@echo "==> adminfront tests"
+	PLAYWRIGHT_WORKERS=$(PLAYWRIGHT_WORKERS) ./scripts/run_adminfront_ci_tests.sh adminfront-tests
+
+code-check-devfront-tests: ## DevFront 테스트 실행
+	@echo "==> devfront tests"
+	@mkdir -p reports/devfront
+	@rm -rf reports/devfront/playwright-report reports/devfront/test-results
+	@status=0; \
+	preview_pattern='[v]ite preview --host 127.0.0.1 --strictPort --port 4174'; \
+	pkill -f "$$preview_pattern" >/dev/null 2>&1 || true; \
+	trap 'pkill -f "$$preview_pattern" >/dev/null 2>&1 || true' EXIT INT TERM; \
+	if [ -d devfront/node_modules ]; then \
+		echo "devfront/node_modules already present; skipping npm install."; \
+	else \
+		(cd devfront && npm ci --ignore-scripts) || status=$$?; \
+	fi; \
+	if [ $$status -eq 0 ]; then \
+		(cd devfront && $(PLAYWRIGHT_INSTALL_ALL)) || status=$$?; \
+	fi; \
+	if [ $$status -eq 0 ]; then \
+		(cd devfront && PLAYWRIGHT_WORKERS=$(PLAYWRIGHT_WORKERS) npm test) || status=$$?; \
+	fi; \
+	[ -d devfront/playwright-report ] && cp -R devfront/playwright-report reports/devfront/ || true; \
+	[ -d devfront/test-results ] && cp -R devfront/test-results reports/devfront/ || true; \
+	exit $$status
+
+code-check-orgfront-tests: ## OrgFront 테스트 실행
+	@echo "==> orgfront tests"
+	@mkdir -p reports/orgfront
+	@rm -rf reports/orgfront/playwright-report reports/orgfront/test-results
+	@status=0; \
+	(cd orgfront && npm ci --ignore-scripts) || status=$$?; \
+	if [ $$status -eq 0 ]; then \
+		(cd orgfront && $(PLAYWRIGHT_INSTALL_ALL)) || status=$$?; \
+	fi; \
+	if [ $$status -eq 0 ]; then \
+		(cd orgfront && PLAYWRIGHT_WORKERS=$(PLAYWRIGHT_WORKERS) npm test) || status=$$?; \
+	fi; \
+	[ -d orgfront/playwright-report ] && cp -R orgfront/playwright-report reports/orgfront/ || true; \
+	[ -d orgfront/test-results ] && cp -R orgfront/test-results reports/orgfront/ || true; \
+	exit $$status
+
+code-check-userfront-e2e-tests: ## UserFront WASM E2E 테스트 실행
+	@echo "==> userfront wasm playwright e2e tests (isolated workspace)"
+	@if ! command -v flutter >/dev/null 2>&1; then \
+		echo "WARNING: flutter not found, skipping userfront e2e tests."; \
+		exit 0; \
+	fi; \
+	mkdir -p reports/userfront-e2e; \
+	rm -rf reports/userfront-e2e/playwright-report reports/userfront-e2e/test-results; \
+	tmp_dir="$$(mktemp -d /tmp/baron-sso-userfront-e2e-tests.XXXXXX)"; \
+	trap 'rm -rf "$$tmp_dir"' EXIT INT TERM; \
+	mkdir -p "$$tmp_dir/scripts"; \
+	cp scripts/sync_userfront_locales.sh "$$tmp_dir/scripts/"; \
+	cp -R locales "$$tmp_dir/locales"; \
+	if command -v rsync >/dev/null 2>&1; then \
+		rsync -a --delete \
+			--exclude '.dart_tool' \
+			--exclude 'build' \
+			--exclude '.pub-cache' \
+			--exclude '.flutter-plugins' \
+			--exclude '.flutter-plugins-dependencies' \
+			userfront/ "$$tmp_dir/userfront/"; \
+		rsync -a --delete \
+			--exclude 'node_modules' \
+			--exclude 'playwright-report' \
+			--exclude 'test-results' \
+			userfront-e2e/ "$$tmp_dir/userfront-e2e/"; \
+	else \
+		cp -R userfront "$$tmp_dir/userfront"; \
+		rm -rf "$$tmp_dir/userfront/.dart_tool" "$$tmp_dir/userfront/build"; \
+		cp -R userfront-e2e "$$tmp_dir/userfront-e2e"; \
+		rm -rf "$$tmp_dir/userfront-e2e/node_modules" "$$tmp_dir/userfront-e2e/playwright-report" "$$tmp_dir/userfront-e2e/test-results"; \
+	fi; \
+	status=0; \
+	(cd "$$tmp_dir" && /bin/sh ./scripts/sync_userfront_locales.sh) || status=$$?; \
+	if [ $$status -eq 0 ]; then \
+		(cd "$$tmp_dir/userfront-e2e" && npm ci) || status=$$?; \
+	fi; \
+	if [ $$status -eq 0 ]; then \
+		(cd "$$tmp_dir/userfront" && flutter build web --wasm --release) || status=$$?; \
+	fi; \
+	if [ $$status -eq 0 ]; then \
+		(cd "$$tmp_dir/userfront-e2e" && $(PLAYWRIGHT_INSTALL_ALL)) || status=$$?; \
+	fi; \
+	if [ $$status -eq 0 ]; then \
+		port="$$(node -e "const net=require('node:net'); const s=net.createServer(); s.listen(0,'127.0.0.1',()=>{console.log(s.address().port); s.close();});")"; \
+		echo "==> userfront-e2e using PORT=$$port"; \
+		(cd "$$tmp_dir/userfront-e2e" && PORT=$$port PLAYWRIGHT_WORKERS=$(PLAYWRIGHT_WORKERS) npm test) || status=$$?; \
+	fi; \
+	[ -d "$$tmp_dir/userfront-e2e/playwright-report" ] && cp -R "$$tmp_dir/userfront-e2e/playwright-report" reports/userfront-e2e/ || true; \
+	[ -d "$$tmp_dir/userfront-e2e/test-results" ] && cp -R "$$tmp_dir/userfront-e2e/test-results" reports/userfront-e2e/ || true; \
+	exit $$status
--- a/README.md
+++ b/README.md
@@ -1,7 +1,34 @@
 # Baron SSO

+[![dev](https://gitea.hmac.kr/baron/baron-sso/raw/branch/badges/latest/dev-sha.svg)](https://gitea.hmac.kr/baron/baron-sso/src/branch/dev) [![Code Check](https://gitea.hmac.kr/baron/baron-sso/raw/branch/badges/latest/code-check.svg)](https://gitea.hmac.kr/baron/baron-sso/actions/workflows/code_check.yml?branch=dev) [![Biome](https://gitea.hmac.kr/baron/baron-sso/raw/branch/badges/latest/biome.svg)](https://gitea.hmac.kr/baron/baron-sso/actions/workflows/code_check.yml?branch=dev) [![backend](https://gitea.hmac.kr/baron/baron-sso/raw/branch/badges/latest/backend-tests.svg)](https://gitea.hmac.kr/baron/baron-sso/actions/workflows/code_check.yml?branch=dev)
+[![userfront](https://gitea.hmac.kr/baron/baron-sso/raw/branch/badges/latest/userfront.svg)](https://gitea.hmac.kr/baron/baron-sso/actions/workflows/code_check.yml?branch=dev) [![adminfront](https://gitea.hmac.kr/baron/baron-sso/raw/branch/badges/latest/adminfront.svg)](https://gitea.hmac.kr/baron/baron-sso/actions/workflows/code_check.yml?branch=dev) [![devfront](https://gitea.hmac.kr/baron/baron-sso/raw/branch/badges/latest/devfront.svg)](https://gitea.hmac.kr/baron/baron-sso/actions/workflows/code_check.yml?branch=dev) [![orgfront](https://gitea.hmac.kr/baron/baron-sso/raw/branch/badges/latest/orgfront.svg)](https://gitea.hmac.kr/baron/baron-sso/actions/workflows/code_check.yml?branch=dev)
+[![chrome](https://gitea.hmac.kr/baron/baron-sso/raw/branch/badges/latest/userfront-chrome.svg)](https://gitea.hmac.kr/baron/baron-sso/actions/workflows/userfront_e2e_full_nightly.yml?branch=dev) [![firefox](https://gitea.hmac.kr/baron/baron-sso/raw/branch/badges/latest/userfront-firefox.svg)](https://gitea.hmac.kr/baron/baron-sso/actions/workflows/userfront_e2e_full_nightly.yml?branch=dev) [![safari](https://gitea.hmac.kr/baron/baron-sso/raw/branch/badges/latest/userfront-safari.svg)](https://gitea.hmac.kr/baron/baron-sso/actions/workflows/userfront_e2e_full_nightly.yml?branch=dev)
+
+badge는 `Code Check`가 `badges` 브랜치의 `latest/`와 `dev/<commit-sha>/`에 발행합니다. 최신 HTML/LCOV/JSON summary는 Gitea `Code Check`의 패키지별 `*-vitest-coverage-report` artifact에서 확인할 수 있습니다.
+
 **Baron 로그인**은 화이트 라벨링된 가족사의 모든 소프트웨어 Auth를 총괄하는 사용자 인증/인가 허브입니다.

+## 📂 프로젝트 구조 (Project Structure)
+
+```
+baron_sso/
+├── backend/            # Go Fiber 애플리케이션
+│   ├── cmd/server/     # 진입점 (Entry point)
+│   ├── internal/       # 도메인, 핸들러, 저장소(Repository)
+│   └── Dockerfile
+├── userfront/          # Flutter 애플리케이션
+│   ├── src/            # UI 및 로직
+│   └── pubspec.yaml
+├── adminfront/         # React 기반 관리
+│   ├── src/            # UI 및 로직
+│   └── pubspec.yaml
+├── gateway/            # Nginx 기반 Gateway (UserFront 프록시)
+├── compose.ory-stack.yaml  # DB 서비스 (Postgres, ClickHouse)
+├── compose.infra.yaml  # DB 서비스 (Postgres, ClickHouse)
+├── docker-compose.yaml # 앱 서비스 (Front, Back)
+├── .env.sample         # 환경 설정 템플릿
+└── README.md           # 본 파일
+```
 * Ory Stack으로 모든 구성요소를 self-hosting 합니다.
 * Backend는 Go (Fiber)로 구성된 Ory Stack의 유일한 Command 전송 포인트입니다. 모든 Command는 ClickHouse로 강제 전송되며 Audit Log 시스템을 구성합니다.
 * Front는 Backend를 통해서만 연동하며 자체가 Ory Stack의 RP기도 합니다. 크게 3개 계층으로 분리됩니다.
@@ -13,6 +40,21 @@
  * AdminFront: 사용자 관리 등 Admin 기능
  * DevFront: RP 관리 등 개발자 기능

+## 개발 실행 정책
+
+`make dev`는 로컬 개발용 실행 모드이며, React 기반 `adminfront`, `devfront`, `orgfront`는 모두 Vite HMR 모드로 동작해야 합니다. 이 세 서비스는 Docker Compose에서 Dockerfile `dev` target을 사용하고 `/workspace/<app>` bind mount 위에서 `npm run dev -- --host 0.0.0.0`로 실행합니다. `make dev` 경로에서 production `dist`를 `serve_frontend_prod.mjs`로 정적 서빙하면 안 됩니다.
+
+현재 개발 포트는 다음과 같습니다.
+
+- AdminFront: `http://localhost:5173`
+- DevFront: `http://localhost:5174`
+- OrgFront: `http://localhost:5175`
+
+자세한 정책과 회귀 테스트는 [make dev Vite HMR Policy](docs/make-dev-vite-hmr-policy.md)를 확인하세요. 정책 회귀는 `test/frontend_dev_bind_mount_policy_test.sh`에서 검사합니다.
+
+로컬 Playwright E2E도 기본적으로 Vite dev server를 봅니다. Gitea Actions 같은 CI에서는 `CI=true`로 production bundle을 `vite preview`로 검증합니다. 로컬에서 production bundle을 명시적으로 검증하려면 `PLAYWRIGHT_USE_PREVIEW=true`를 사용하세요. 이 정책은 `test/playwright_frontend_runtime_policy_test.sh`에서 검사합니다.
+
+
 ## 🏗 아키텍처 (Architecture)

 ### 0. Ory Stack
@@ -44,7 +86,7 @@ flowchart
 ```

 ### 1. Backend (Go Fiber)
- **Language**: Go 1.25+
+- **Language**: Go 1.26.2+
 - **Framework**: Fiber v2.25+
 - **Database**:
  - **ClickHouse**: 감사 로그 (고성능 데이터 수집)
@@ -55,7 +97,7 @@ flowchart
  - userfront가 바라보는 backend

 ### 2. UserFront(Flutter Web/App)
- **Framework**: Flutter 3.32+
+- **Framework**: Flutter 3.38.0+
 - **Key Packages**: `flutter_riverpod`, `go_router`
 - **Features**:
  - 탭 기반 로그인 UI (비밀번호 기반 / 링크 기반 / QR 기반 등)
@@ -73,6 +115,99 @@ flowchart
  - RP 등록 및 관리
  - RP별 Consent 관리

+## 관리 데이터 Export/Import 정책
+
+AdminFront의 테넌트와 사용자 export/import는 운영자가 CSV를 직접 검토하고 재반입할 수 있는 흐름을 기준으로 설계합니다. 기본 원칙은 내부 UUID를 불필요하게 노출하지 않고, 사람이 이해하기 쉬운 `slug`와 이름을 우선 사용하는 것입니다.
+
+### 공통 원칙
+- CSV는 Excel 호환을 위해 UTF-8 BOM을 포함해 내려받습니다.
+- 기본 export는 시스템 내부 ID를 제외합니다.
+- 같은 데이터를 정확히 재동기화해야 하는 운영 작업에서는 `includeIds=true` 옵션으로 내부 ID 컬럼을 포함할 수 있습니다.
+- import는 preview/검토 단계를 거친 뒤 실행하는 것을 기본으로 합니다.
+- 기존 데이터와 충돌 가능성이 있는 row는 자동 적용하지 않고 관리자 선택 또는 확인 상태로 표시합니다.
+- 삭제는 export/import로 암묵 처리하지 않습니다. 삭제가 필요하면 별도 삭제 기능을 사용합니다.
+
+### Tenant Export
+- 기본 컬럼은 운영자가 다시 import하기 쉬운 형태를 유지합니다.
+- `includeIds=false`가 기본이며, 이 경우 내부 `tenant_id`는 제외합니다.
+- `includeIds=true`를 사용하면 기존 테넌트 update 또는 staging/production 간 매핑 확인에 필요한 ID를 포함합니다.
+- 주요 의미:
+  - `tenant_id`: 내부 UUID. 기본 export에서는 제외됩니다.
+  - `name`: 테넌트 표시 이름입니다.
+  - `type`: `PERSONAL`, `COMPANY`, `COMPANY_GROUP`, `USER_GROUP` 중 하나입니다.
+  - `parent_tenant_id`: 상위 테넌트 내부 ID입니다.
+  - `parent_tenant_slug`: 상위 테넌트를 slug로 연결할 때 사용합니다.
+  - `slug`: 운영상 사람이 다루는 테넌트 식별자입니다.
+  - `memo`: 설명 또는 비고입니다.
+  - `email_domain`: 테넌트에 연결된 이메일 도메인입니다. 여러 도메인은 `;`, `,`, 줄바꿈으로 구분할 수 있습니다.
+
+### Tenant Import
+- 필수 컬럼은 `name`, `type`, `slug`입니다.
+- 허용되는 header alias:
+  - `tenant_id`: `id`, `tenantid`, `tenant_id`
+  - `parent_tenant_id`: `parentid`, `parent_id`, `parenttenantid`, `parent_tenant_id`
+  - `parent_tenant_slug`: `parenttenantslug`, `parent_tenant_slug`
+  - `memo`: `memo`, `description`
+  - `email_domain`: `email-domain`, `emaildomain`, `email_domain`, `domain`, `domains`
+- `tenant_id`가 있고 기존 테넌트가 있으면 update 대상으로 봅니다.
+- `tenant_id`가 없으면 `slug` 기준으로 기존 테넌트를 찾고, 없으면 신규 생성 후보로 봅니다.
+- `parent_tenant_slug`가 같은 import 파일 안에 있으면 부모 row를 먼저 처리하도록 정렬합니다.
+- import preview는 이름/slug 유사도 기반 후보를 보여주며, 관리자가 기존 테넌트 사용, 신규 생성, skip 중 선택할 수 있어야 합니다.
+- 외부 시스템에서 가져온 `tenant_id`처럼 현재 DB에 없는 ID는 충돌로 표시하고, 관리자가 새 slug 또는 기존 테넌트 매핑을 결정해야 합니다.
+
+### User Export
+- 기본 컬럼은 `Email`, `Name`, `Phone`, `Status`, `tenant_slug`, `Position`, `JobTitle`, `CreatedAt`입니다.
+- `includeIds=true`이면 `user_id`, `tenant_id`를 함께 포함합니다.
+- 사용자 role은 export 기본 컬럼에서 제외합니다. role은 일괄 변경의 실수 위험이 크므로 명시적 관리 화면 또는 별도 정책으로 다룹니다.
+- 사용자 metadata는 `Meta:<key>` 컬럼으로 뒤에 추가됩니다.
+- `includeIds=false`일 때는 `id`, `user_id`, `tenant_id`, `tenantid` 성격의 metadata key를 export에서 제외합니다.
+- tenant admin의 export는 관리 가능한 테넌트 범위로 제한됩니다.
+
+### User Import
+- 사용자 CSV의 기본 컬럼은 `email`, `name`, `phone`, `role`, `tenant_slug`, `department`, `position`, `jobTitle`입니다.
+- `email`과 `name`은 CSV parsing 단계의 필수값입니다.
+- backend 생성 단계에서는 `tenantSlug`도 필수입니다.
+- `tenant`, `tenant_slug`, `companyCode` header는 사용자 소속 테넌트 slug로 매핑됩니다.
+- `tenant_id`, `tenant_name`, `tenant_type`, `parent_tenant_id`, `parent_tenant_slug`, `parent_tenant_name`, `tenant_memo`, `email_domain` 컬럼이 있으면 사용자 import 과정에서 필요한 테넌트 생성/매핑 preview에 사용합니다.
+- 위 기본 컬럼에 속하지 않는 컬럼은 사용자 metadata로 들어갑니다.
+- 테넌트에 `userSchema`가 있으면 import 중 metadata required/validation/loginId 규칙을 적용합니다.
+- 테넌트 schema에서 `isLoginId`로 지정된 metadata 값은 custom login ID로 동기화하며, 이메일/전화번호/예약어와 충돌하지 않아야 합니다.
+
+### 한맥가족 User Import Email 정책
+- 전체 시스템에서 `users.email`은 unique입니다.
+- `active`, `temporary_leave`, `suspended`, `preboarding`, `baron_guest`, `extended_leave`, `archived` 등 모든 사용자 상태가 unique 검사 대상입니다. 특히 `preboarding`, `baron_guest`, `archived` 사용자는 email/local-part 선점 대상입니다.
+- 한맥가족 테넌트 root(`hanmac-family`)와 그 하위 subtree에서는 이메일 도메인과 무관하게 `@` 앞 local-part도 unique 해야 합니다.
+- 예: `han@hanmaceng.co.kr`가 한맥가족 구성원으로 있으면 `han@samaneng.com`은 한맥가족 구성원으로 생성할 수 없습니다.
+- `email` 값이 `@hanmaceng.co.kr`처럼 도메인만 있으면 import preview에서 이름 기반 local-part를 제안합니다.
+- 이름 기반 local-part 기본 규칙은 `이름 부분 초성 + 성 로마자`입니다.
+  - 예: `한치영` -> `치영`의 초성 `c + y` + 성 `han` -> `cyhan`
+- 이미 `cyhan`, `cyhan1`이 있으면 다음 후보인 `cyhan2`를 제안합니다.
+- 외부 로마자화 패키지는 backend 의존성으로 추가하지 않고, 내부 한글 음절 분해와 성씨/초성 매핑을 사용합니다.
+- import preview의 row 상태:
+  - `valid`: unique와 이름 기반 권장 규칙을 모두 만족합니다.
+  - `suggested`: 도메인만 있거나 suffix 제안이 필요한 row입니다.
+  - `needsReview`: 이름 매핑이 애매해 관리자가 직접 확인해야 합니다.
+  - `ruleMismatch`: 최종 local-part가 `이름 이니셜 + 성 + 숫자 suffix` 규칙과 다릅니다. 예외 진행은 가능하지만 관리자에게 표시해야 합니다.
+  - `blockingError`: local-part 중복, email 형식 오류, 필수값 누락처럼 생성을 차단해야 하는 상태입니다.
+- 단건 사용자 생성은 한맥가족 local-part 중복 시 자동 제안하지 않고 `409 Conflict`로 차단합니다.
+- bulk import는 preview에서 제안/수정된 최종 email을 사용하되, backend가 생성 직전에 다시 unique 규칙을 검증합니다.
+
+### User Status 정책
+| 상태 | 표시명 | Baron 사용 | Works 처리 | 일반 조직도 |
+| --- | --- | --- | --- | --- |
+| `active` | 재직 | 가능 | 생성/갱신 | 노출 |
+| `temporary_leave` | 단기휴무 | 가능 | 계정 유지 | 노출 |
+| `suspended` | 정지 | 불가 | suspend | 노출 |
+| `preboarding` | 입사대기 | 불가 | 생성 안 함 | 비노출 |
+| `baron_guest` | Baron 게스트 | 가능 | 생성 금지, 기존 계정 delete/deprovision | 비노출 |
+| `extended_leave` | 장기휴직 | 불가 | delete/deprovision | 비노출 |
+| `archived` | 보관 | 불가 | delete/deprovision | 비노출 |
+
+- 기존 `inactive` 입력은 `preboarding`으로, `leave_of_absence` 입력은 `temporary_leave`로 호환 처리합니다.
+- 이슈 #862의 초기 명칭 `baron_only`는 구현 명칭으로 사용하지 않고 `baron_guest`로 정리합니다.
+- backend bootstrap은 남아 있는 legacy `users.status` 값을 `inactive -> preboarding`, `leave_of_absence -> temporary_leave`, `baron_only -> baron_guest`로 자동 정규화합니다.
+- `archived` 사용자는 과거 이력 보존용 계정이며 AdminFront 같은 관리자 화면에서만 감사/운영/중복 확인 목적으로 조회할 수 있습니다.
+

 ### 4. 주요 시나리오 (Core Scenarios)
 1.  **Same Browser SSO**: Baron 로그인 서비스에 로그인된 상태에서 런처를 통해 타 앱/서비스로 이동 (자동 로그인).
@@ -81,6 +216,122 @@ flowchart
  2.1 향후 App Push 등 2차 인증 강화수단 검토 필요
 3.  **QR Login**: 최초 진입 시 사전 로그인되어 있는 웹/앱을 이용해 QR 코드를 스캔하여, QR코드가 로딩된 Device를 로그인 상태로 전환

+### 5. Headless Login ID/Password Flow
+- 목적: headless login을 허용한 클라이언트가 자체 로그인 화면에서 `ID/password`를 수집하되, Baron Backend가 OIDC 로그인 흐름만 계속 진행하고 RP에는 `sessionJwt`를 직접 넘기지 않습니다.
+- 대상 엔드포인트: `POST /api/v1/auth/headless/password/login`
+- 관련 구현:
+  - `backend/internal/handler/auth_handler.go`
+  - `backend/internal/domain/hydra_models.go`
+  - `backend/internal/handler/auth_handler_login_test.go`
+
+#### 호출 순서
+1. RP 브라우저가 Hydra Public의 `/oauth2/auth`를 호출해 OIDC 인증을 시작합니다.
+2. Hydra가 로그인 단계로 넘긴 `login_challenge`를 RP가 확보합니다.
+3. RP backend가 자기 private key로 `client_assertion` JWT를 서명합니다.
+4. RP backend가 Baron Backend의 `POST /api/v1/auth/headless/password/login`에 `client_id`, `client_assertion`, `login_challenge`, `loginId`, `password`를 전송합니다.
+5. Baron Backend가 Hydra login request와 RP 설정을 검증한 뒤 Kratos sign-in 및 Hydra login accept를 수행합니다.
+6. 성공 시 Baron Backend는 `redirectTo`만 반환하고, RP 브라우저는 그 URL로 이동해 OIDC 흐름을 이어갑니다.
+
+#### 요청 바디
+```json
+{
+  "client_id": "headless-login-client",
+  "client_assertion": "<signed-jwt>",
+  "login_challenge": "<hydra-login-challenge>",
+  "loginId": "employee001",
+  "password": "secret"
+}
+```
+
+#### 성공 응답
+```json
+{
+  "status": "ok",
+  "provider": "ory",
+  "redirectTo": "https://rp.example.com/callback?code=..."
+}
+```
+
+#### RP / Hydra 선행 조건
+- Hydra login request의 `client.client_id`와 요청 바디의 `client_id`가 반드시 같아야 합니다.
+- client가 headless login 선행 조건을 만족해야 합니다.
+  - `headless_token_endpoint_auth_method == "private_key_jwt"` 또는 top-level `token_endpoint_auth_method == "private_key_jwt"`
+  - `headless_jwks_uri`가 존재해야 합니다.
+  - inline `headless_jwks`는 더 이상 지원하지 않습니다.
+- `headless_login_enabled == true`가 필요합니다.
+- `metadata.status == "inactive"`인 client는 차단됩니다.
+
+#### `client_assertion` 규칙
+- 구현상 `client_assertion`은 현재 필수입니다.
+- 허용 서명 알고리즘:
+  - `RS256`, `RS384`, `RS512`
+  - `PS256`, `PS384`, `PS512`
+  - `ES256`, `ES384`, `ES512`
+  - `EdDSA`
+- JWT claim의 `iss`와 `sub`는 모두 `client_id`와 같아야 합니다.
+- `exp`는 현재 시각 이후여야 합니다.
+- `nbf`, `iat`가 있으면 미래 시각이면 안 됩니다.
+- `aud`는 다음 둘 중 하나와 일치해야 합니다.
+  - `https://<backend-origin>/api/v1/auth/headless/password/login`
+  - `/api/v1/auth/headless/password/login`
+- 서명 검증용 public key는 `headless_jwks_uri`에서만 읽습니다.
+
+#### 내부 JWKS 캐시 정책
+- Baron Backend는 `headless_jwks_uri`를 직접 외부 스펙으로 저장하고, 실제 JWKS 문서는 내부 캐시에 저장해 사용합니다.
+- 등록/수정 이후에는 내부 캐시 동기화를 시도하고, 성공/실패 상태를 DevFront에서 확인할 수 있습니다.
+- 로그인 시 재조회는 다음 조건으로 제한합니다.
+  - 캐시에 `kid`가 없을 때
+  - `kid`는 있지만 서명 검증이 실패할 때
+  - 캐시 TTL이 만료되었을 때
+- 그 외에는 내부 캐시를 사용합니다.
+- 백그라운드 worker가 TTL보다 짧은 주기로 `jwksUri`를 선제 점검해 첫 사용자 실패를 줄입니다.
+
+#### DevFront 운영 액션
+- Settings > `Public Key Registration` 카드에서 다음 정보를 확인할 수 있습니다.
+  - 최근 JWKS 캐시 갱신 시각
+  - 최근 검증 성공 시각
+  - 최근 에러와 연속 실패 횟수
+  - 현재 cached `kid` 목록
+  - 파싱된 key summary
+    - `kid`
+    - `kty`
+    - `use`
+    - `alg`
+    - RSA key의 `n` preview (앞/뒤 일부만 표시)
+- 수동 운영 액션:
+  - `Refresh JWKS Cache`
+  - `Revoke JWKS Cache`
+- RP가 키를 교체했으면 실제 트래픽 전에 `Refresh JWKS Cache`를 먼저 호출하는 것을 권장합니다.
+
+#### 일반 로그인과의 차이
+- `POST /api/v1/auth/password/login`
+  - UserFront 기본 비밀번호 로그인용입니다.
+  - `login_challenge`가 없으면 `sessionJwt`를 반환합니다.
+  - `login_challenge`가 있으면 Hydra accept 후 `redirectTo`를 반환합니다.
+- `POST /api/v1/auth/headless/password/login`
+  - headless login 허용 클라이언트 전용입니다.
+  - `client_assertion` 검증이 추가됩니다.
+  - 항상 `sessionJwt` 없이 `redirectTo`만 반환합니다.
+
+#### 실패 패턴 요약
+- `400 bad_request`
+  - 필수 필드 누락
+  - `client_assertion` 누락
+- `401 invalid_client_assertion`
+  - `jwksUri` 조회 실패
+  - 서명 불일치
+  - `aud`/`iss`/`sub`/`exp` 검증 실패
+- `401 invalid_client_assertion` with explicit message
+  - `Headless login requires jwksUri. Inline jwks is not supported.`
+  - `Configured jwksUri returned no keys for headless login.`
+  - `Failed to refresh headless login jwks from jwksUri.`
+- `403 forbidden`
+  - `client_id` 불일치
+  - `headless_login_enabled` 미설정
+  - inactive client
+- `401 password_or_email_mismatch`
+  - 사용자 인증 실패
+

 ### 전체 연결 구조도

@@ -141,13 +392,68 @@ flowchart TD

 Kratos가 사용자 SoT이며 Hydra는 순수 OIDC 토큰 엔진입니다. 비지니스로직은 Backend를 통해서, 기본 인증 로직은 Ory Stack을 통해 진행됩니다.

+### SSOT 및 Redis Cache 전략
+
+Baron SSO의 인증, 권한, OAuth/OIDC 원장은 Ory Stack입니다. Backend는 원장 쓰기 경로와 감사 로그를 중앙화하는 Control Plane입니다. 사용자 identity/profile/소속/조직도 노출 데이터에 대해 Backend DB `users`를 원장 또는 read model로 사용하지 않습니다. Redis는 Ory 원장 데이터의 성능 cache/mirror로만 사용합니다.
+
+Ory에서 Redis cache로 웜업된 identity/조직 데이터는 frontend가 직접 소비하지 않습니다. Backend가 Redis mirror 또는 Ory Admin API fallback을 기준으로 cursor 기반 API를 adminfront, orgfront, userfront, 외부 API에 제공합니다.
+
+#### 데이터별 원본 위치
+
+| 데이터 | SSOT | 보조 저장소/캐시 | 비고 |
+| --- | --- | --- | --- |
+| Identity subject, credentials, recovery/verification address | Ory Kratos `identities` | Redis identity mirror | Kratos identity ID가 사용자 subject이며 WORKS `externalKey` 기준입니다. |
+| 로그인 식별자 | Ory Kratos traits | Redis identity mirror/index | Kratos가 인증 식별자의 원장입니다. |
+| 사용자 이름, 이메일, 전화번호, role 기본값 | Ory Kratos traits | Redis identity mirror | 인증/profile 계산에 필요한 identity 값은 Kratos 기준으로 유지합니다. |
+| Baron 사용자 운영 상태, soft delete, 운영 메타데이터 | Ory Kratos traits/state 또는 별도 명시 원장 | Redis mirror/cache | Backend DB `users`를 사용자 read model로 사용하지 않습니다. |
+| 테넌트 tree, slug, 조직/부서/직무/직책 | Ory Keto relation tuple, Backend read model | Redis/API response cache 가능 | 권한/관계 판단은 Keto가 원장입니다. Ory가 보관하거나 조회할 수 없는 조직 표시/검색 데이터만 Backend read model에 둡니다. |
+| 권한/관계 | Ory Keto relation tuple | PostgreSQL outbox/status | Backend를 통해 relation command를 보내고 처리 상태를 추적합니다. |
+| OAuth2/OIDC client, consent, token state | Ory Hydra | PostgreSQL `client_consents`, audit/read model | Hydra가 프로토콜 원장이며 로컬 테이블은 운영 조회/감사용입니다. |
+| RP별 사용자 custom claim 값 | Backend read model `rp_user_metadata` | ID token/userinfo claim assembly | Ory에 저장되지 않는 RP 범위 데이터입니다. Kratos traits나 claim output을 SSOT로 취급하지 않습니다. |
+| 전역 사용자 custom claim 값 | Backend read model `users.metadata.global_custom_claims` | ID token claim assembly | Ory에 저장되지 않는 운영 범위 custom 값입니다. |
+| WORKS Mobile mapping/outbox/job 상태 | PostgreSQL `worksmobile_*` | WORKS API 비교 응답 cache 가능 | 외부 SaaS 연동 상태이며 identity 원장이 아닙니다. |
+| 감사 로그/사용량 | ClickHouse, Oathkeeper/Ory 로그 | 화면별 summary cache 가능 | command와 보안 이벤트의 감사 원장입니다. |
+| Headless JWKS 검증 상태 | Redis `headless:jwks:*` cache | DevFront 상태 카드 | RP public key 문서 자체는 외부 `jwksUri`가 원본입니다. |
+| 로그인 코드, pending login, verification token | Redis short-lived key | 없음 | 만료 가능한 휘발성 상태입니다. 백업/복구 대상이 아닙니다. |
+
+#### SSOT 보장 원칙
+
+1. Kratos/Hydra/Keto/WORKS로 향하는 쓰기 command는 Backend를 통과합니다.
+2. Backend는 Ory write 성공 후 원장 ID를 기준으로 Ory를 재조회하고, Redis mirror를 갱신하거나 stale로 표시합니다. 사용자 identity/profile/소속 데이터는 Backend DB `users`에 read model로 갱신하지 않습니다.
+3. write-through 갱신 실패 시 원장 write를 되돌린 것으로 간주하지 않습니다. 대신 mirror/cache 상태를 `stale` 또는 `failed`로 표시하고 drift report와 refresh 대상으로 둡니다.
+4. Kratos Admin API 또는 Kratos DB를 Backend 밖에서 직접 수정하는 경로는 운영 정책상 금지합니다. 정비/DR처럼 예외가 필요한 경우에는 Redis mirror를 stale로 표시하고, full refresh와 drift report를 완료하기 전까지 cache 결과를 신뢰하지 않습니다.
+5. Backend DB `users`나 Redis cache는 Kratos partial list를 full snapshot처럼 취급하지 않습니다. Kratos 목록 조회가 partial이면 로컬 사용자 데이터를 근거로 정상 목록을 만들지 않습니다.
+6. frontend/API 대량 조회는 Backend가 제공하는 cursor 기반을 원칙으로 합니다. `limit=5000&offset=0` 같은 단일 대량 offset 조회는 사용자 수가 늘면 partial data를 전체처럼 보이게 만들 수 있으므로 신규 구현에서 금지합니다.
+7. Redis cache miss가 발생한 단건 조회는 가능한 경우 SSOT로 fallback하고, fallback 성공 시 Redis를 갱신합니다. 목록 조회는 mirror 상태가 `ready`가 아니면 화면/API에 경고 상태를 함께 전달해야 합니다.
+
+#### Redis 사용 원칙
+
+Redis는 원장이 아니라 cache/mirror 계층입니다. Redis 데이터 유실은 장애지만 데이터 유실 사고로 보지 않고, 원장 재조회와 refresh로 재수렴해야 합니다.
+
+| Redis 데이터 | 역할 | TTL/보존 정책 | 장애 시 처리 |
+| --- | --- | --- | --- |
+| `identity:mirror:{identityID}` | Kratos identity summary 단건 cache | 장기 mirror. refresh 상태와 함께 운영 | Kratos `GetIdentity` fallback 후 write-through |
+| `identity:index:*` | Backend cursor API용 identity 목록/검색 index | mirror refresh 주기로 재작성 | `stale` 표시 후 full refresh |
+| `identity:mirror:state` | mirror 상태, count, last error | 영구 상태 key | adminfront에서 경고 표시 |
+| `headless:jwks:*` | RP headless login JWKS cache | JWKS TTL과 prefetch 정책 | kid miss/검증 실패/TTL 만료 시 재조회 |
+| login/verification/pending 계열 key | 인증 흐름의 단기 상태 | 짧은 TTL 필수 | 만료 또는 유실 시 사용자가 흐름 재시작 |
+| 일반 API response cache | 선택적 성능 cache | 짧은 TTL, invalidation 우선 | miss 시 Backend DB 또는 Ory 원장 조회 |
+
+운영 Redis 설정은 `maxmemory`와 `maxmemory_policy`가 명시되어야 합니다. identity mirror처럼 재수렴 가능한 데이터와 pending login처럼 사용자 흐름에 영향을 주는 단기 key가 같은 Redis를 공유하므로, eviction 발생 여부와 TTL 없는 key 증가를 운영 화면에서 볼 수 있어야 합니다.
+
+#### Redis 모니터링 계획
+
+Redis 적정 설정 판단에 필요한 운영 지표를 adminfront에 노출하는 후속 작업은 이슈 [#1046](https://gitea.hmac.kr/baron/baron-sso/issues/1046)으로 분리했습니다.
+
+표시 대상은 Redis 연결/버전/uptime, `used_memory`, `maxmemory`, `maxmemory_policy`, keyspace hit/miss, expired/evicted keys, prefix별 key count, TTL 분포, `identity:mirror:state`, headless JWKS cache failure 요약입니다. 이 화면은 `super_admin` 전용으로 두고, Redis key value 자체는 노출하지 않습니다.
+
 ---

 ## 🚀 시작하기 (Getting Started)

 ### 사전 요구사항 (Prerequisites)
 - Docker & Docker Compose
- Flutter SDK (로컬 개발용)
+- Flutter SDK (로컬 개발용, 3.38.0+)
 - Go (로컬 백엔드 개발용)

 ### 환경 설정 (Environment Setup)
@@ -155,13 +461,74 @@ Kratos가 사용자 SoT이며 Hydra는 순수 OIDC 토큰 엔진입니다. 비
   ```bash
   cp .env.sample .env
   ```
-2. **IDP 우선순위와 Ory 엔드포인트를 지정**합니다. 기본값은 Ory 입니다
-   ```
-   IDP_PROVIDER=ory
-   KRATOS_ADMIN_URL=http://kratos:4434
-   HYDRA_ADMIN_URL=http://hydra:4445
-   HYDRA_PUBLIC_URL=http://hydra:4444
-   ```
+2. `.env`를 작성합니다. (아래 작성 규칙 필수)
+
+### `.env` 작성 규칙 (중요)
+- `KEY=value` 한 줄만 사용하고, **값 뒤에 같은 줄 주석을 붙이지 않습니다.**
+- 주석이 필요하면 반드시 **윗줄에 별도 주석 라인**으로 작성합니다.
+- URL 값 끝에 공백이 들어가면 Hydra/Kratos 기동 실패로 이어질 수 있습니다.
+
+잘못된 예:
+```env
+USERFRONT_URL=https://sso.example.com # 이렇게 같은 줄 주석 금지
+```
+
+올바른 예:
+```env
+# UserFront 공개 URL
+USERFRONT_URL=https://sso.example.com
+```
+
+### `.env` 핵심 변수 가이드
+- `IDP_PROVIDER`: 기본 `ory`
+- `USERFRONT_URL`: 브라우저 기준 공개 도메인 (예: `https://sso.example.com`)
+- `OATHKEEPER_PUBLIC_URL`: 보통 `${USERFRONT_URL}`
+- `HYDRA_PUBLIC_URL`: 보통 `${OATHKEEPER_PUBLIC_URL}/oidc`
+- `KRATOS_BROWSER_URL`: 보통 `${OATHKEEPER_PUBLIC_URL}/auth`
+- `KRATOS_UI_URL`: UserFront UI URL (로컬 예: `http://localhost:5000`)
+- `ADMINFRONT_CALLBACK_URLS`: 콤마 구분 콜백 목록 (예: `http://localhost:5173/auth/callback`)
+- `DEVFRONT_CALLBACK_URLS`: 콤마 구분 콜백 목록 (예: `http://localhost:5174/auth/callback`)
+  - 주의: callback URL 끝에 `/`가 붙으면 `make validate-auth-config`에서 실패 처리됩니다.
+- `KRATOS_ALLOWED_RETURN_URLS_EXTRA`: 추가 허용 return URL (선택)
+  - 빈값: `[]`
+  - 다중값: `["https://a.example.com/callback","https://b.example.com/callback"]` 또는 `https://a.example.com/callback,https://b.example.com/callback`
+- `KRATOS_ALLOWED_RETURN_URLS_JSON`: stage/prod에서 권장하는 전체 허용 return URL 목록
+  - 공개 도메인, `/ko`, `/en`, `/auth/callback`, `/ko/auth/callback`, `/en/auth/callback`, 각 front callback을 포함해야 합니다.
+- `CLIENT_LOG_DEBUG`: 클라이언트 로그 디버그 모드 강제 (기본: 비운영 `true`, 운영 `false`)
+  - 운영(`APP_ENV=production|prod`)에서 `true|1|on|yes` 설정 시 `INFO/DEBUG` 클라이언트 로그 수집 허용
+  - 미설정(기본) 시 운영에서는 `WARN/ERROR`만 수집
+- `BACKEND_LOG_LEVEL`: Backend `slog` 레벨 override (선택)
+  - 허용 값: `debug`, `info`, `warn`, `error`
+  - 미설정 시 `APP_ENV` 기준으로 결정됩니다.
+    - `dev|local|development`: `debug`
+    - 그 외(`stage`, `production`, `prod` 등): `info`
+- `USERFRONT_DEBUG_LOG`: UserFront 측 디버그 로그 fallback 플래그
+  - `CLIENT_LOG_DEBUG`가 없을 때만 UserFront에서 대체로 참조
+
+### 클라이언트 로그 정책 (중요)
+- 기본 원칙: 운영 환경에서는 민감정보 보호를 우선하며, 과도한 로그 수집을 제한합니다.
+- 환경별 동작:
+  - 비운영(`dev/local/stage` 등): 디버그 로그 허용 (`INFO/DEBUG/WARN/ERROR`)
+  - 운영(`production/prod`) + `CLIENT_LOG_DEBUG` 미설정: `WARN/ERROR`만 수집
+  - 운영(`production/prod`) + `CLIENT_LOG_DEBUG=true`: 디버그 로그 허용
+- 민감정보는 환경과 무관하게 마스킹합니다.
+  - 예: `password`, `newPassword`, `token`, `authorization`, `cookie`, `sessionJwt`
+  - 문자열 패턴(`token=...`, `authorization:...`, JSON body 내 민감 key)도 마스킹
+- 상세 정책 문서: `docs/client-log-policy.md`
+
+### Backend 로그 정책 (중요)
+- Backend 서버 로그는 `APP_ENV` 기준으로 기본 레벨이 정해집니다.
+  - `dev|local|development`: `debug`
+  - 그 외(`stage`, `production`, `prod` 등): `info`
+- 운영/스테이징에서 장애 분석이 필요할 때만 `BACKEND_LOG_LEVEL=debug`를 일시적으로 설정하는 것을 권장합니다.
+- headless login 같은 경로의 상세 진단 필드는 `debug` 레벨에서만 추가로 남습니다.
+- 상세 정책 문서: `docs/backend-log-policy.md`
+
+### `.env` 작성 후 권장 점검
+```bash
+make validate-auth-config
+```
+위 검증은 callback/allowed_return_urls/게이트웨이 매핑 규칙을 점검하고 `config/.generated/auth-config.env`를 생성합니다.

 ### 전체 스택 실행 (Running the Stack)

@@ -178,15 +545,49 @@ docker network create public_net #서비스용
 #### 2. 인프라 및 Ory Stack 실행
 데이터베이스와 Ory 서비스(Kratos, Hydra, Keto 등)를 실행합니다.
 ```bash
-docker compose -f compose.infra.yaml -f compose.ory.yaml up -d
+# 권장: Make 실행 (인증 설정 검증 포함)
+make up-dev
 ```

 #### 3. 애플리케이션 실행
 userfront와 backend 서비스를 실행합니다.
 ```bash
-docker compose -f docker-compose.yaml up -d
+make up-app
+```
+(또는 전체 스택 한번에 실행: `make up-all`)
+
+### Make 기반 인증 설정 검증 (권장)
+`up-*` 타깃은 실행 전 인증 리다이렉트 설정을 자동 검증합니다.
+
+```bash
+# 1) 인증 설정 생성
+make build-auth-config
+
+# 2) 정적 검증 (callback / allowed_return_urls / 게이트웨이 매핑)
+make validate-auth-config
+
+# 3) 배선 + (가능 시) 런타임 Hydra client 검증
+make verify-auth-config
+```
+
+- 생성 파일: `config/.generated/auth-config.env` (compose 실행 시 자동 주입)
+- 게이트웨이 경유 환경은 URL 문자열 완전일치 대신 매핑 유효성(`direct_match` / `mapped_match`) 기준으로 검증합니다.
+- 관련 정책 문서: `docs/oidc_redirect_mapping_validation_policy.md`
+
+### 권장 실행 순서
+```bash
+cp .env.sample .env
+# .env 편집
+make validate-auth-config
+make up-dev
+make up-app
+```
+
+직접 Compose를 사용하려면 다음처럼 env 파일을 함께 주입하세요.
+```bash
+docker compose --env-file .env --env-file config/.generated/auth-config.env -f compose.infra.yaml -f compose.ory.yaml up -d
+docker compose --env-file .env --env-file config/.generated/auth-config.env -f docker-compose.yaml up -d
 ```
-(또는 한번에 실행: `docker compose -f compose.infra.yaml -f compose.ory.yaml -f docker-compose.yaml up -d`)

 - **gateway (UserFront 프록시)**: http://localhost:5000 접속
 - **backend**: http://localhost:3000 (API)
@@ -195,6 +596,155 @@ docker compose -f docker-compose.yaml up -d
 - **Hydra Public**: http://localhost:4444
 - **Kratos UI (UserFront)**: http://localhost:5000

+### 전체 백업/복구
+
+전체 백업/복구는 CSV export/import가 아니라 Baron SSO와 Ory Stack 저장소를 같은 시점의 재해 복구 단위로 보존하는 절차입니다. 사용자 UUID, Kratos identity ID, Hydra/Keto 원장, WORKS 연동 mapping이 어긋나면 안 되므로 운영 복구는 DB dump와 설정 snapshot을 함께 다룹니다.
+
+#### 백업 실행
+```bash
+# 전체 백업
+make dump
+
+# 출력 위치를 직접 지정
+make dump BACKUP=backups/baron-sso-backup-YYYYMMDD-HHMMSSZ
+
+# 일부 서비스만 백업
+make dump DUMP_SERVICES=postgres,ory-postgres,clickhouse,ory-clickhouse,config
+make dump DUMP_SERVICES=ory-postgres,ory-clickhouse
+
+# 생성된 백업 검증
+make dump-verify BACKUP=backups/baron-sso-backup-YYYYMMDD-HHMMSSZ
+
+# WORKS Drive로 외부 분산 저장
+make upload-cloud BACKUP=backups/baron-sso-backup-YYYYMMDD-HHMMSSZ
+
+# 지정 경로로 dump 후 바로 WORKS Drive 업로드
+make dump-upload-cloud BACKUP=backups/baron-sso-backup-YYYYMMDD-HHMMSSZ
+
+# 로컬 백업 목록
+make dump-list
+```
+
+기본값은 `DUMP_SERVICES=all`, `DUMP_MODE=maintenance`입니다. `DUMP_SERVICES`는 다음 값을 콤마로 조합할 수 있습니다.
+
+| 값 | 대상 |
+| --- | --- |
+| `postgres` | Baron Postgres (`baron_postgres`, `${DB_NAME:-baron_sso}`) |
+| `ory-postgres` | Ory Postgres의 `${KRATOS_DB:-ory_kratos}`, `${HYDRA_DB:-ory_hydra}`, `${KETO_DB:-ory_keto}` |
+| `clickhouse` | Baron ClickHouse (`baron_clickhouse`) |
+| `ory-clickhouse` | Ory ClickHouse (`ory_clickhouse`) |
+| `config` | `.env` redacted copy, generated Ory config, gateway, 주요 compose 파일 |
+
+백업 산출물은 기본적으로 `backups/baron-sso-backup-YYYYMMDD-HHMMSSZ/` 아래에 생성됩니다.
+
+```text
+manifest.json
+checksums.sha256
+postgres/
+clickhouse/
+config/
+reports/
+```
+
+#### WORKS Drive 외부 업로드
+
+`make dump`, `make restore`, `make upload-cloud`는 기본적으로 `docker/backup-tools/Dockerfile`에서 빌드한 `baron-sso-backup-tools:local` 컨테이너 안에서 실행됩니다. 호스트에는 Docker와 Docker socket 접근 권한만 필요하고, `zstd`, `jq`, `curl`, `openssl`, `postgresql-client` 같은 백업/복구 도구는 backup-tools image에 포함됩니다.
+
+`make upload-cloud`는 기존 백업 디렉터리를 `baron-sso-backup-*.tar.zst`로 묶은 뒤 WORKS Drive에 업로드합니다. 압축 포맷은 `.tar.zst`로 고정되어 있고, 압축/해제는 backup-tools 컨테이너 내부의 `zstd`로 수행합니다.
+
+백업이 완료되면 `reports/backup-report.md`도 생성됩니다. 이 report에는 사용자 수, 테넌트 수, RP 수, Hydra client 수, WORKS 관련 row count, 서비스별 수행 시간이 Markdown 표로 기록됩니다. `make upload-cloud`는 `reports/*.md`만 WORKS Drive 대상 폴더 아래의 `reports` 하위 폴더로 업로드하며, 업로드 파일명은 `backup-report-YYYYMMDD-HHMMSSZ.md`처럼 업로드 시각을 붙입니다. `reports/cloud-upload.json`은 로컬 업로드 실행 기록으로만 남기고 Drive에는 업로드하지 않습니다.
+
+```bash
+# 권장: 백업 경로를 명시해서 dump와 upload를 분리
+make dump BACKUP=backups/baron-sso-backup-YYYYMMDD-HHMMSSZ
+make upload-cloud BACKUP=backups/baron-sso-backup-YYYYMMDD-HHMMSSZ
+
+# 또는 같은 BACKUP 경로로 연속 실행
+make dump-upload-cloud BACKUP=backups/baron-sso-backup-YYYYMMDD-HHMMSSZ
+
+# 실제 업로드 전 endpoint와 target만 확인
+make upload-cloud BACKUP=backups/baron-sso-backup-YYYYMMDD-HHMMSSZ WORKS_DRIVE_DRY_RUN=true
+
+# 예외적으로 호스트 도구로 직접 실행
+make restore BACKUP_USE_DOCKER=false BACKUP=backups/baron-sso-backup-YYYYMMDD-HHMMSSZ CONFIRM_RESTORE=baron-sso
+```
+
+주요 변수:
+
+| 변수 | 설명 |
+| --- | --- |
+| `WORKS_DRIVE_TARGET` | `sharedrive`, `mydrive`, `group`, `sharedfolder` 중 하나. 기본값은 `sharedrive`입니다. |
+| `WORKS_DRIVE_SHARED_DRIVE_ID` | `WORKS_DRIVE_TARGET=sharedrive`일 때 공용 드라이브 ID입니다. |
+| `WORKS_DRIVE_PARENT_FILE_ID` | 업로드할 대상 폴더의 WORKS Drive `fileId`입니다. 폴더 이름이나 경로가 아니며, 비우면 대상 drive/folder root에 업로드합니다. |
+| `WORKS_DRIVE_USER_ID` | `mydrive` 또는 `sharedfolder` 대상 사용자 ID입니다. 기본값은 `me`입니다. |
+| `WORKS_DRIVE_GROUP_ID` | `WORKS_DRIVE_TARGET=group`일 때 조직/그룹 ID입니다. |
+| `WORKS_DRIVE_SHARED_FOLDER_ID` | `WORKS_DRIVE_TARGET=sharedfolder`일 때 공유받은 폴더 ID입니다. |
+| `WORKS_DRIVE_ACCESS_TOKEN` | Drive API 호출용 Bearer token입니다. Drive API는 `file` scope가 필요합니다. |
+| `WORKS_DRIVE_ACCESS_TOKEN_FILE` | access token을 파일에서 읽을 때 사용합니다. |
+| `WORKS_DRIVE_ACCESS_TOKEN_CMD` | access token을 명령 출력으로 주입할 때 사용합니다. |
+| `WORKS_DRIVE_OAUTH_SCOPE` | Drive 업로드 앱 OAuth token에 사용할 scope입니다. 기본값은 `file`입니다. |
+| `WORKS_DRIVE_OAUTH_CLIENT_ID` | Drive 업로드 앱의 OAuth client ID입니다. 계정 동기화용 `WORKS_ADMIN_OAUTH_CLIENT_ID`와 분리합니다. |
+| `WORKS_DRIVE_OAUTH_CLIENT_SECRET` | Drive 업로드 앱의 OAuth client secret입니다. |
+| `WORKS_DRIVE_OAUTH_REFRESH_TOKEN` | Drive 업로드 앱의 refresh token입니다. 명시 access token이 없으면 이 값으로 access token을 갱신합니다. |
+| `WORKS_DRIVE_OAUTH_CLIENT_SERVICE_ACCOUNT` | Drive 업로드 앱의 service account입니다. JWT `sub`에 들어갑니다. |
+| `WORKS_DRIVE_OAUTH_CLIENT_PRIVATE_KEY_FILE` | Drive 업로드 앱 private key 파일입니다. 예: `./config/worksmobile-driveapp-private-key.pem` |
+| `WORKS_DRIVE_SPLIT_SIZE` | 분할 업로드 시 part 크기입니다. 기본값은 `9000M`입니다. |
+| `WORKS_DRIVE_MAX_SINGLE_FILE_BYTES` | 이 값보다 archive가 크면 split part로 나눕니다. 기본값 `0`은 자동 분할 비활성입니다. |
+| `WORKS_DRIVE_FORCE_SPLIT` | `true`이면 크기와 무관하게 split part로 업로드합니다. |
+| `WORKS_DRIVE_OVERWRITE` | WORKS Drive upload URL 생성 요청의 overwrite 플래그입니다. 기본값은 `false`입니다. |
+| `WORKS_DRIVE_UPLOAD_REPORTS` | `true`이면 `reports/*.md`를 Drive의 report 폴더로 함께 업로드합니다. 기본값은 `true`입니다. |
+| `WORKS_DRIVE_REPORT_FOLDER_NAME` | Markdown report를 업로드할 하위 폴더 이름입니다. 기본값은 `reports`입니다. |
+
+Drive API는 업로드 URL 생성 후 해당 URL에 multipart `Filedata`로 실제 파일을 전송하는 2단계 방식입니다. 계정 동기화용 `WORKS_ADMIN_OAUTH_*`와 Drive 업로드용 `WORKS_DRIVE_OAUTH_*`는 서로 다른 앱/키로 관리합니다. token 우선순위는 `WORKS_DRIVE_ACCESS_TOKEN`, `WORKS_DRIVE_ACCESS_TOKEN_FILE`, `WORKS_DRIVE_ACCESS_TOKEN_CMD`, `WORKS_DRIVE_OAUTH_REFRESH_TOKEN`, 서비스 계정 JWT fallback 순서입니다. 운영에서는 Drive API 권한과 `file` scope 위임 정책을 먼저 확인해야 합니다.
+
+#### 복구 계획과 복구 실행
+```bash
+# 복구 전 계획 확인
+make restore-plan BACKUP=backups/baron-sso-backup-YYYYMMDD-HHMMSSZ \
+  RESTORE_SERVICES=postgres,ory-postgres,clickhouse,ory-clickhouse,config \
+  CONFIRM_RESTORE=baron-sso
+
+# 복구 실행
+make restore BACKUP=backups/baron-sso-backup-YYYYMMDD-HHMMSSZ \
+  RESTORE_SERVICES=postgres,ory-postgres,clickhouse,ory-clickhouse,config \
+  CONFIRM_RESTORE=baron-sso
+
+# .tar.zst archive를 직접 복구 입력으로 사용
+make restore DUMP_FILE=backups/baron-sso-backup-YYYYMMDD-HHMMSSZ.tar.zst \
+  RESTORE_SERVICES=all \
+  CONFIRM_RESTORE=baron-sso
+
+# report 경로를 명시
+make restore BACKUP=backups/baron-sso-backup-YYYYMMDD-HHMMSSZ \
+  CONFIRM_RESTORE=baron-sso \
+  RESTORE_REPORT=reports/restore/baron-sso-restore-report.json
+
+# 복구 후 기본 검증
+make restore-verify BACKUP=backups/baron-sso-backup-YYYYMMDD-HHMMSSZ
+```
+
+복구는 반드시 빈 volume 또는 restore 전용 stack에서 수행하는 것을 기본 정책으로 합니다. `make restore`는 `BACKUP` 또는 `DUMP_FILE` 중 하나와 `CONFIRM_RESTORE=baron-sso`가 없으면 실패하고, 기본적으로 non-empty Postgres 대상에는 복구하지 않습니다. 승인된 restore rehearsal에서만 `ALLOW_NON_EMPTY_RESTORE=true`를 사용하세요. `DUMP_FILE=.tar.zst` 해제도 backup-tools 컨테이너에서 수행하므로 호스트 `zstd` 설치에 의존하지 않습니다.
+
+`make restore`는 복구 report를 JSON과 Markdown으로 남깁니다. `BACKUP` 디렉터리 입력의 기본 JSON report는 `<BACKUP>/reports/restore-report.json`이고, `DUMP_FILE` archive 입력의 기본 JSON report는 `reports/restore/<archive-name>-restore-report.json`입니다. 같은 경로에 `.md` 확장자의 Markdown 요약도 함께 생성됩니다. `RESTORE_REPORT`로 직접 지정할 수 있습니다. report에는 입력 archive, 복구 서비스, checksum 검증 상태, 복구 후 대상 row count 비교 결과가 기록됩니다.
+
+`config` 복구는 운영 파일을 직접 덮어쓰지 않고 `config-restored/`에 풀어 수동 검토하도록 합니다. migration은 자동 실행하지 않으며, Ory Stack과 backend 기동 후 super admin login, 대표 OIDC login, WORKS comparison dry-run을 통과하기 전까지 WORKS relay를 자동 재개하지 않습니다.
+
+#### 백업/복구 범위
+
+필수 백업 대상:
+- Baron Postgres: users, tenants, user_login_ids, user_groups, RP metadata, WORKS mapping/outbox 등
+- Ory Postgres: Kratos identity/credentials/session, Hydra client/consent/token state, Keto relation tuple
+- Baron ClickHouse: 감사 로그와 RP usage event
+- Ory ClickHouse: Oathkeeper/Ory 계열 접근 로그
+- 설정 snapshot: `.env` redacted copy, generated Ory config, gateway, compose 파일
+
+기본 제외 대상:
+- Redis: pending login, short code, cache 등 휘발성 데이터이므로 복구 후 재수렴 대상으로 봅니다.
+- 프론트 빌드 산출물: 소스와 이미지 태그로 재생성합니다.
+- coverage, reports, test-results 같은 로컬 개발 산출물
+
+상세 설계와 운영 정책은 `docs/backup-restore-design.md`를 기준으로 유지합니다.
+
 ### MCP 서버 (Hydra/Kratos/Keto)
 MCP 서버는 기존 Hydra/Kratos에 연결하며 별도 Ory 스택이나 포트를 추가로 띄우지 않습니다.  
 프로덕션에서는 실행하지 않도록 `mcp` 프로파일을 로컬에서만 켜세요.
@@ -231,6 +781,72 @@ KETO_READ_URL = "http://keto:4466"
 KETO_WRITE_URL = "http://keto:4467"
 ```

+## 🌐 i18n 구조 (간략)
+- **Root locales**: `locales/template.toml`, `locales/ko.toml`, `locales/en.toml`은 현재 `userfront`와 전역 i18n 검증 기준 리소스입니다.
+- **Common locales**: `common/locales/template.toml`, `common/locales/ko.toml`, `common/locales/en.toml`은 `ui.common.*`, `msg.common.*` 같은 React 공통 문구 레이어입니다.
+- **React(Admin/Dev/Org)**: `adminfront/src/lib/i18n.ts`, `devfront/src/lib/i18n.ts`, `orgfront/src/lib/i18n.ts`에서 `t(key, fallback, vars)`를 사용하며 `common locale -> app locale override` 순서로 TOML을 `?raw` 로드합니다.
+- **Flutter(User)**: `userfront/lib/i18n.dart`에서 `tr(key, fallback, params)` 사용. `locales/*.toml`을 `tools/i18n-scanner/gen-flutter-i18n.js`로 `userfront/lib/i18n_data.dart`에 사전 생성합니다.
+- **UserFront 동기화 규칙**: `locales/*.toml`을 수정한 뒤에는 반드시 `./scripts/sync_userfront_locales.sh`를 실행해 `userfront/assets/translations/*.toml`과 런타임 번역 리소스를 동기화합니다.
+- **검증**: `node tools/i18n-scanner/index.js`로 `root locales`와 `common/locales`의 코드-키-로케일 동기화 상태를 함께 점검합니다.
+
+## 🧪 Code Check CI
+워크플로우 파일: `.gitea/workflows/code_check.yml`
+
+### 트리거
+- `push` (`dev` 브랜치)
+- `pull_request` (`dev` 대상)
+- `workflow_dispatch` (수동 실행)
+
+### workflow_dispatch 입력값
+- `run_lint`: Go/Flutter lint 실행 여부
+- `run_backend_tests`: backend 테스트 실행 여부
+- `run_userfront_tests`: userfront 테스트 실행 여부
+- `run_userfront_e2e_tests`: userfront WASM Playwright E2E 실행 여부
+- `run_adminfront_tests`: adminfront 테스트 실행 여부
+- `run_devfront_tests`: devfront 테스트 실행 여부
+
+### 실행 잡
+- `lint`
+- `backend-tests`
+- `userfront-tests`
+- `userfront-e2e-tests`
+- `adminfront-tests`
+- `devfront-tests`
+
+### 프런트 테스트 브라우저 프리비저닝 정책
+- `userfront-tests`
+  - `flutter test`(VM)만 실행
+  - `locale_storage` 정책 테스트는 엔진 단위로 통합되어 별도 브라우저 실행이 필요하지 않음
+- `adminfront-tests`, `devfront-tests`
+  - Playwright 기반 테스트
+  - `npx playwright install --with-deps`로 브라우저/OS 의존성을 사전 설치
+
+### 실패 보고서 확인 방법
+테스트가 실패하면 다음이 자동 생성됩니다.
+- Job Summary: 실패 원인 요약(Markdown) 즉시 확인
+- Artifact: 상세 로그/리포트 다운로드
+  - `backend-test-failure-report`
+  - `userfront-test-failure-report`
+  - `adminfront-test-failure-report`
+  - `devfront-test-failure-report`
+
+### userfront `locale_storage` 테스트 정책
+- `locale_storage_platform_test.dart`는 `LocaleStorageEngine` 기반 정책 테스트로 통합되었습니다.
+- 일반 `flutter test`(VM) 실행에 포함되며, 브라우저 전용 `kIsWeb` 케이스를 사용하지 않습니다.
+- 단일 파일만 확인하려면 다음 명령을 사용합니다.
+  - `flutter test test/locale_storage_platform_test.dart`
+
+### userfront WASM Playwright E2E
+- 워크스페이스: `userfront-e2e/`
+- 빌드+실행:
+  - `cd userfront-e2e && npm run test:wasm`
+- 빌드 결과가 이미 있을 때:
+  - `cd userfront-e2e && npm test`
+- Makefile 타깃:
+  - `make code-check-userfront-e2e-tests`
+- 전수 인벤토리:
+  - `https://gitea.hmac.kr/baron/baron-sso/wiki/UserFront-WASM-E2E-Inventory.-`
+
 ### 로컬 개발 (Manual)
 Docker 없이는 개발할 수 없지만 Backend 및 [user/admin/dev]Front 코드는 개발모드로 수정하며 개발가능.
 백그라운드로 infra 및 ory stack이 구동중이라는 가정
@@ -247,6 +863,8 @@ go run cmd/server/main.go
 cd userfront
 flutter pub get
 flutter run -d chrome
+# 정책: 웹 빌드는 기본적으로 WASM 사용
+flutter build web --wasm
 ```

 **adminfront:**
@@ -262,34 +880,12 @@ cd devfront
 npm install
 npm run dev
 ```
-
 ---

-## 📂 프로젝트 구조 (Project Structure)

-```
-baron_sso/
-├── backend/            # Go Fiber 애플리케이션
-│   ├── cmd/server/     # 진입점 (Entry point)
-│   ├── internal/       # 도메인, 핸들러, 저장소(Repository)
-│   └── Dockerfile
-├── userfront/          # Flutter 애플리케이션
-│   ├── src/            # UI 및 로직
-│   └── pubspec.yaml
-├── adminfront/         # React 기반 관리
-│   ├── src/            # UI 및 로직
-│   └── pubspec.yaml
-├── gateway/            # Nginx 기반 Gateway (UserFront 프록시)
-├── compose.ory-stack.yaml  # DB 서비스 (Postgres, ClickHouse)
-├── compose.infra.yaml  # DB 서비스 (Postgres, ClickHouse)
-├── docker-compose.yaml # 앱 서비스 (Front, Back)
-├── .env.sample         # 환경 설정 템플릿
-└── README.md           # 본 파일
-```
-
-## 📝 상태 및 로드맵 (Status & Roadmap)
- [x] **Phase 1**: 초기 설정 및 아키텍처 설계 (완료)
- [x] **Phase 2**: Backend Audit API 구현 (일부 완료)
- [ ] **Phase 3**: userfront 로그인 UI 인증 로직 (예정)
- [ ] **Phase 4**: adminfront 기능 추가 (예정)
- [ ] **Phase 5**: 대시보드 및 통합 런처 구현 (예정)
+## 버그 대응 대원칙 (필수)
+- 모든 버그 수정은 반드시 **재현 테스트를 먼저 작성**합니다. (Failing test first)
+- 재현 테스트 없이 코드만 먼저 고치는 행위를 금지합니다.
+- 수정 후에는 **해당 재현 테스트가 통과할 때까지 반복**해서 원인 분석/수정/검증을 수행합니다.
+- “테스트 통과”는 최소 기준입니다. 실제 재현 시나리오(로그인, 새로고침, 리다이렉트 등)까지 확인한 뒤에만 이슈를 종료합니다.
+- 관련 변경이 발생하면 테스트 문서(`docs/test-plan/*`, `docs/trouble-shooting/*`)를 함께 업데이트합니다.
--- a/README_en.md
+++ b/README_en.md
@@ -6,7 +6,7 @@ It leverages **Descope** for secure, passwordless authentication (Enchanted Link
 ## 🏗 Architecture

 ### 1. Frontend (Flutter Web)
- **Framework**: Flutter 3.32+
+- **Framework**: Flutter 3.38.0+
 - **Organization**: `kr.co.baroncs`
 - **Key Packages**: `descope`, `flutter_riverpod`, `go_router`
 - **Features**:
@@ -14,7 +14,7 @@ It leverages **Descope** for secure, passwordless authentication (Enchanted Link
  - Descope SDK Integration (Enchanted Link, Magic Link)

 ### 2. Backend (Go Fiber)
- **Language**: Go 1.25+
+- **Language**: Go 1.26.2+
 - **Framework**: Fiber v2.25+
 - **Database**:
  - **ClickHouse**: Audit Logs (High performance ingestion)
@@ -32,7 +32,7 @@ It leverages **Descope** for secure, passwordless authentication (Enchanted Link

 ### Prerequisites
 - Docker & Docker Compose
- Flutter SDK (for local development)
+- Flutter SDK (for local development, 3.38.0+)
 - Go (for local backend development)

 ### Environment Setup
--- a/adminfront/Dockerfile
+++ b/adminfront/Dockerfile
@@ -1,25 +1,51 @@
-FROM node:lts
+FROM node:lts AS deps

-WORKDIR /app
+WORKDIR /workspace

-# 패키지 정보 복사 및 의존성 설치
-COPY package*.json ./
-RUN npm ci
+ENV CI=true
+ENV ADMINFRONT_BUILD_OUT_DIR=/workspace/adminfront/dist

-# 프로덕션 서빙을 위한 serve 패키지 글로벌 설치
-RUN npm install -g serve
+RUN corepack enable && corepack prepare pnpm@10.5.2 --activate

-# 소스 코드 복사
-COPY . .
+COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
+COPY common ./common
+COPY adminfront ./adminfront
+
+ARG VITE_ADMIN_PUBLIC_URL
+ARG VITE_OIDC_AUTHORITY
+ARG VITE_OIDC_CLIENT_ID
+ARG ORGFRONT_URL
+ENV VITE_ADMIN_PUBLIC_URL=$VITE_ADMIN_PUBLIC_URL
+ENV VITE_OIDC_AUTHORITY=$VITE_OIDC_AUTHORITY
+ENV VITE_OIDC_CLIENT_ID=$VITE_OIDC_CLIENT_ID
+ENV ORGFRONT_URL=$ORGFRONT_URL
+
+RUN pnpm install --frozen-lockfile --ignore-scripts
+
+FROM deps AS dev
+
+WORKDIR /workspace/adminfront
+ENV NODE_ENV=development

-# Vite 기본 포트
 EXPOSE 5173

-# 실행 스크립트: APP_ENV에 따라 개발 서버 또는 빌드 후 서빙
-CMD sh -c "if [ \"$APP_ENV\" = 'production' ]; then \
-    echo 'Running in production mode...'; \
-    npm run build && serve -s dist -l 5173; \
-  else \
-    echo 'Running in development mode...'; \
-    npm run dev -- --host 0.0.0.0; \
-  fi"
+CMD ["npm", "run", "dev", "--", "--host", "0.0.0.0", "--port", "5173"]
+
+FROM deps AS build
+
+WORKDIR /workspace/adminfront
+RUN npm run build
+
+FROM node:24-alpine AS production
+
+WORKDIR /app
+ENV NODE_ENV=production
+ENV FRONTEND_DIST_DIR=/app/dist
+ENV PORT=5173
+
+COPY scripts/serve_frontend_prod.mjs ./serve_frontend_prod.mjs
+COPY --from=build /workspace/adminfront/dist ./dist
+
+EXPOSE 5173
+
+CMD ["node", "./serve_frontend_prod.mjs"]
--- a/adminfront/README.md
+++ b/adminfront/README.md
@@ -3,7 +3,7 @@
 관리자 포털을 위한 React/Vite 기반 웹입니다. 이슈 #60 스펙을 바탕으로 라우팅, 서버 상태, 스타일 토큰을 세팅했고 특정 벤더에 종속되지 않는 IDP 연동 훅 포인트를 남겨두었습니다.

 ## 주요 스택
- React 19, Vite 7, TypeScript(strict)
+- React 19, Vite 8, TypeScript(strict)
 - React Router v6 (data router)
 - TanStack Query v5
 - Tailwind CSS v3 + shadcn/ui 컴포넌트(seed: Button/Card/Badge/Input/Table/Avatar)
--- a/adminfront/Trace-20260615T113806.json.gz
+++ b/adminfront/Trace-20260615T113806.json.gz
--- a/adminfront/biome.json
+++ b/adminfront/biome.json
@@ -1,24 +1,7 @@
 {
-  "$schema": "https://biomejs.dev/schemas/1.9.4/schema.json",
-  "formatter": {
-    "enabled": true,
-    "indentStyle": "space"
-  },
-  "linter": {
-    "enabled": true,
-    "rules": {
-      "style": {
-        "useEnumInitializers": "off"
-      },
-      "a11y": {
-        "noLabelWithoutControl": "off"
-      }
-    }
-  },
-  "organizeImports": {
-    "enabled": true
-  },
+  "root": true,
+  "extends": ["../common/config/biome.base.json"],
  "files": {
-    "ignore": ["dist", "node_modules", "tsconfig*.json"]
+    "includes": [".vite"]
  }
 }
--- a/adminfront/e2e-evidence/tenant-profile-performance-local.json
+++ b/adminfront/e2e-evidence/tenant-profile-performance-local.json
@@ -0,0 +1,134 @@
+{
+  "metric": "tenant-profile-local-performance",
+  "tenantId": "56cd0fd7-b62a-43c0-8db9-74a30468d7cb",
+  "actualApiBaseUrl": "http://localhost:5173/api",
+  "measuredAt": "2026-06-16T23:45:00.441Z",
+  "browser": "chromium",
+  "samples": [
+    {
+      "sample": 1,
+      "configFieldsVisibleMs": 424,
+      "networkIdleMs": 862,
+      "orgUnitType": "센터",
+      "visibility": "public",
+      "worksmobileSync": "enabled",
+      "apiTimings": [
+        {
+          "method": "GET",
+          "url": "http://playwright-mock/api/v1/user/me",
+          "status": 200,
+          "durationMs": 134
+        },
+        {
+          "method": "GET",
+          "url": "http://playwright-mock/api/v1/admin/tenants/56cd0fd7-b62a-43c0-8db9-74a30468d7cb",
+          "status": 200,
+          "durationMs": 184
+        }
+      ]
+    },
+    {
+      "sample": 2,
+      "configFieldsVisibleMs": 376,
+      "networkIdleMs": 751,
+      "orgUnitType": "센터",
+      "visibility": "public",
+      "worksmobileSync": "enabled",
+      "apiTimings": [
+        {
+          "method": "GET",
+          "url": "http://playwright-mock/api/v1/user/me",
+          "status": 200,
+          "durationMs": 20
+        },
+        {
+          "method": "GET",
+          "url": "http://playwright-mock/api/v1/admin/tenants/56cd0fd7-b62a-43c0-8db9-74a30468d7cb",
+          "status": 200,
+          "durationMs": 133
+        }
+      ]
+    },
+    {
+      "sample": 3,
+      "configFieldsVisibleMs": 400,
+      "networkIdleMs": 797,
+      "orgUnitType": "센터",
+      "visibility": "public",
+      "worksmobileSync": "enabled",
+      "apiTimings": [
+        {
+          "method": "GET",
+          "url": "http://playwright-mock/api/v1/user/me",
+          "status": 200,
+          "durationMs": 21
+        },
+        {
+          "method": "GET",
+          "url": "http://playwright-mock/api/v1/admin/tenants/56cd0fd7-b62a-43c0-8db9-74a30468d7cb",
+          "status": 200,
+          "durationMs": 156
+        }
+      ]
+    },
+    {
+      "sample": 4,
+      "configFieldsVisibleMs": 431,
+      "networkIdleMs": 843,
+      "orgUnitType": "센터",
+      "visibility": "public",
+      "worksmobileSync": "enabled",
+      "apiTimings": [
+        {
+          "method": "GET",
+          "url": "http://playwright-mock/api/v1/user/me",
+          "status": 200,
+          "durationMs": 25
+        },
+        {
+          "method": "GET",
+          "url": "http://playwright-mock/api/v1/admin/tenants/56cd0fd7-b62a-43c0-8db9-74a30468d7cb",
+          "status": 200,
+          "durationMs": 178
+        }
+      ]
+    },
+    {
+      "sample": 5,
+      "configFieldsVisibleMs": 380,
+      "networkIdleMs": 758,
+      "orgUnitType": "센터",
+      "visibility": "public",
+      "worksmobileSync": "enabled",
+      "apiTimings": [
+        {
+          "method": "GET",
+          "url": "http://playwright-mock/api/v1/user/me",
+          "status": 200,
+          "durationMs": 24
+        },
+        {
+          "method": "GET",
+          "url": "http://playwright-mock/api/v1/admin/tenants/56cd0fd7-b62a-43c0-8db9-74a30468d7cb",
+          "status": 200,
+          "durationMs": 129
+        }
+      ]
+    }
+  ],
+  "summary": {
+    "configFieldsVisibleMs": {
+      "min": 376,
+      "max": 431,
+      "p50": 400,
+      "p95": 431
+    },
+    "networkIdleMs": {
+      "min": 751,
+      "max": 862,
+      "p50": 797,
+      "p95": 862
+    }
+  },
+  "screenshotPath": "/home/lectom/repos/baron-sso/adminfront/e2e-evidence/tenant-profile-performance-local.png"
+}
--- a/adminfront/e2e-evidence/tenant-profile-performance-local.png
+++ b/adminfront/e2e-evidence/tenant-profile-performance-local.png
--- a/adminfront/package-lock.json
+++ b/adminfront/package-lock.json
--- a/adminfront/package.json
+++ b/adminfront/package.json
@@ -3,49 +3,66 @@
  "private": true,
  "version": "0.0.0",
  "type": "module",
+  "engines": {
+    "node": ">=24.0.0"
+  },
  "scripts": {
-    "dev": "vite --host 0.0.0.0",
+    "dev": "vite --host 127.0.0.1",
    "build": "tsc -b && vite build",
    "lint": "biome check .",
    "lint:fix": "biome check . --write",
    "format": "biome format . --write",
    "preview": "vite preview",
    "test": "playwright test",
-    "test:ui": "playwright test --ui"
+    "test:coverage": "vitest run --coverage --bail 1",
+    "test:unit": "vitest run --bail 1",
+    "test:ui": "playwright test --ui",
+    "i18n-scan": "cd .. && node tools/i18n-scanner/index.js && node tools/i18n-scanner/report.js"
  },
  "dependencies": {
-    "@radix-ui/react-avatar": "^1.1.4",
-    "@radix-ui/react-scroll-area": "^1.1.2",
-    "@radix-ui/react-slot": "^1.1.2",
-    "@radix-ui/react-switch": "^1.1.2",
-    "@tanstack/react-query": "^5.66.8",
-    "@tanstack/react-query-devtools": "^5.66.8",
-    "axios": "^1.7.9",
+    "@radix-ui/react-avatar": "^1.1.11",
+    "@radix-ui/react-dialog": "^1.1.15",
+    "@radix-ui/react-dropdown-menu": "^2.1.16",
+    "@radix-ui/react-scroll-area": "^1.2.10",
+    "@radix-ui/react-select": "^2.2.6",
+    "@radix-ui/react-slot": "^1.2.4",
+    "@radix-ui/react-switch": "^1.2.6",
+    "@tanstack/react-query": "^5.100.10",
+    "@tanstack/react-query-devtools": "^5.100.10",
+    "@tanstack/react-virtual": "^3.13.24",
+    "axios": "^1.16.1",
    "class-variance-authority": "^0.7.1",
    "clsx": "^2.1.1",
-    "lucide-react": "^0.563.0",
-    "react": "^19.2.0",
-    "react-dom": "^19.2.0",
-    "react-hook-form": "^7.71.1",
-    "react-router-dom": "^6.28.2",
-    "tailwind-merge": "^3.4.0",
-    "zod": "^3.24.1"
+    "lucide-react": "^1.14.0",
+    "oidc-client-ts": "^3.5.0",
+    "react": "^19.2.6",
+    "react-dom": "^19.2.6",
+    "react-hook-form": "^7.75.0",
+    "react-oidc-context": "^3.3.1",
+    "react-router-dom": "^7.15.0",
+    "tailwind-merge": "^3.6.0",
+    "zod": "^4.4.3"
  },
  "devDependencies": {
-    "@biomejs/biome": "^1.9.4",
-    "@playwright/test": "^1.58.0",
-    "@types/node": "^24.10.1",
-    "@types/react": "^19.2.5",
+    "@biomejs/biome": "2.4.16",
+    "@playwright/test": "^1.60.0",
+    "@testing-library/jest-dom": "^6.9.1",
+    "@testing-library/react": "^16.3.2",
+    "@testing-library/user-event": "^14.6.1",
+    "@types/node": "^25.7.0",
+    "@types/react": "^19.2.14",
    "@types/react-dom": "^19.2.3",
-    "@vitejs/plugin-react": "^5.1.1",
-    "autoprefixer": "^10.4.23",
-    "postcss": "^8.5.6",
-    "tailwindcss": "^3.4.14",
+    "@types/react-router-dom": "^5.3.3",
+    "@vitejs/plugin-react": "^6.0.1",
+    "@vitest/coverage-v8": "4.1.6",
+    "autoprefixer": "^10.5.0",
+    "jsdom": "^28.1.0",
+    "playwright": "1.60.0",
+    "postcss": "^8.5.14",
+    "tailwindcss": "^3.4.19",
    "tailwindcss-animate": "^1.0.7",
-    "typescript": "~5.9.3",
-    "vite": "npm:rolldown-vite@7.2.5"
-  },
-  "overrides": {
-    "vite": "npm:rolldown-vite@7.2.5"
+    "typescript": "^6.0.3",
+    "vite": "^8.0.14",
+    "vitest": "^4.1.6"
  }
 }
--- a/adminfront/playwright-report/index.html
+++ b/adminfront/playwright-report/index.html
--- a/adminfront/playwright.config.ts
+++ b/adminfront/playwright.config.ts
@@ -1,5 +1,23 @@
+import { createRequire } from "node:module";
 import { defineConfig, devices } from "@playwright/test";

+const require = createRequire(import.meta.url);
+const { shouldIncludeWebKit } =
+  require("../scripts/playwrightHostDeps.cjs") as {
+    shouldIncludeWebKit: () => boolean;
+  };
+
+const configuredWorkers = process.env.PLAYWRIGHT_WORKERS
+  ? Number.parseInt(process.env.PLAYWRIGHT_WORKERS, 10)
+  : undefined;
+const port = Number.parseInt(process.env.PORT ?? "5173", 10);
+const defaultBaseUrl = `http://127.0.0.1:${port}`;
+const baseURL = process.env.BASE_URL ?? defaultBaseUrl;
+const reuseExistingServer = !process.env.CI && !process.env.PORT;
+const usePreviewServer =
+  process.env.CI === "true" || process.env.PLAYWRIGHT_USE_PREVIEW === "true";
+const chromiumExecutablePath = process.env.PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH;
+
 /**
 * Read environment variables from file.
 * https://github.com/motdotla/dotenv
@@ -13,6 +31,10 @@ import { defineConfig, devices } from "@playwright/test";
 */
 export default defineConfig({
  testDir: "./tests",
+  timeout: 60 * 1000,
+  expect: {
+    timeout: 15000,
+  },
  /* Run tests in files in parallel */
  fullyParallel: true,
  /* Fail the build on CI if you accidentally left test.only in the source code. */
@@ -20,23 +42,29 @@ export default defineConfig({
  /* Retry on CI only */
  retries: process.env.CI ? 2 : 0,
  /* Opt out of parallel tests on CI. */
-  workers: process.env.CI ? 1 : undefined,
+  workers: configuredWorkers ?? (process.env.CI ? 1 : undefined),
  /* Reporter to use. See https://playwright.dev/docs/test-reporters */
-  reporter: "html",
+  reporter: [["html", { open: "never" }], ["list"]],
  /* Shared settings for all the projects below. See https://playwright.dev/docs/api/class-testoptions. */
  use: {
    /* Base URL to use in actions like `await page.goto('/')`. */
-    baseURL: "http://localhost:5173",
+    baseURL,

    /* Collect trace when retrying the failed test. See https://playwright.dev/docs/trace-viewer */
-    trace: "on-first-retry",
+    trace: "retain-on-failure",
+    locale: "ko-KR",
  },

  /* Configure projects for major browsers */
  projects: [
    {
      name: "chromium",
-      use: { ...devices["Desktop Chrome"] },
+      use: {
+        ...devices["Desktop Chrome"],
+        launchOptions: chromiumExecutablePath
+          ? { executablePath: chromiumExecutablePath }
+          : undefined,
+      },
    },

    {
@@ -44,16 +72,25 @@ export default defineConfig({
      use: { ...devices["Desktop Firefox"] },
    },

-    {
-      name: "webkit",
-      use: { ...devices["Desktop Safari"] },
-    },
+    ...(shouldIncludeWebKit()
+      ? [
+          {
+            name: "webkit",
+            use: { ...devices["Desktop Safari"] },
+          },
+        ]
+      : []),
  ],

  /* Run your local dev server before starting the tests */
-  webServer: {
-    command: "npm run dev",
-    url: "http://localhost:5173",
-    reuseExistingServer: !process.env.CI,
-  },
+  webServer: process.env.BASE_URL
+    ? undefined
+    : {
+        command: usePreviewServer
+          ? `pnpm exec vite preview --host 127.0.0.1 --port ${port} --strictPort`
+          : `pnpm exec vite --host 127.0.0.1 --port ${port} --strictPort`,
+        url: `http://127.0.0.1:${port}`,
+        reuseExistingServer,
+        timeout: 180 * 1000,
+      },
 });
--- a/adminfront/pnpm-lock.yaml
+++ b/adminfront/pnpm-lock.yaml
--- a/adminfront/public/LINE_WORKS_Appicon.svg
+++ b/adminfront/public/LINE_WORKS_Appicon.svg
@@ -0,0 +1,7 @@
+<svg width="30" height="30" viewBox="0 0 30 30" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M23.5556 0H6.44444C2.88528 0 0 2.88528 0 6.44444V23.5556C0 27.1147 2.88528 30 6.44444 30H23.5556C27.1147 30 30 27.1147 30 23.5556V6.44444C30 2.88528 27.1147 0 23.5556 0Z" fill="white"/>
+<path d="M9.01667 23.2633H12.3633C12.4481 23.2637 12.5307 23.2363 12.5985 23.1853C12.6663 23.1344 12.7156 23.0627 12.7389 22.9811L17.0489 8.12111C17.0658 8.06285 17.0689 8.00146 17.058 7.9418C17.047 7.88214 17.0224 7.82583 16.986 7.77733C16.9495 7.72883 16.9023 7.68947 16.8481 7.66236C16.7938 7.63525 16.734 7.62112 16.6733 7.62111H13.3267C13.2419 7.62113 13.1595 7.64866 13.0918 7.69955C13.0241 7.75045 12.9747 7.82196 12.9511 7.90333L8.64222 22.7633C8.62512 22.8215 8.62182 22.8829 8.63258 22.9425C8.64334 23.0022 8.66787 23.0586 8.70422 23.1071C8.74057 23.1556 8.78773 23.195 8.84197 23.2222C8.89621 23.2493 8.95603 23.2634 9.01667 23.2633Z" fill="#028B3A"/>
+<path d="M18.0122 23.2633H21.3589C21.4436 23.2633 21.526 23.2358 21.5938 23.1849C21.6615 23.134 21.7109 23.0625 21.7344 22.9811L26.0433 8.12111C26.0602 8.06285 26.0633 8.00146 26.0524 7.9418C26.0415 7.88214 26.0168 7.82583 25.9804 7.77733C25.944 7.72883 25.8968 7.68947 25.8425 7.66236C25.7883 7.63525 25.7284 7.62112 25.6678 7.62111H22.3211C22.2364 7.62131 22.1541 7.64891 22.0864 7.69977C22.0187 7.75064 21.9693 7.82205 21.9456 7.90333L17.6367 22.7633C17.6195 22.8216 17.6163 22.8831 17.6271 22.9428C17.6379 23.0026 17.6625 23.059 17.699 23.1076C17.7355 23.1561 17.7828 23.1955 17.8372 23.2225C17.8915 23.2496 17.9515 23.2635 18.0122 23.2633Z" fill="#88E518"/>
+<path d="M12.3633 23.2633H8.64222C8.55741 23.2637 8.47481 23.2363 8.40701 23.1853C8.33921 23.1344 8.28993 23.0627 8.26666 22.9811L3.95666 8.12111C3.93977 8.06285 3.93667 8.00146 3.94759 7.9418C3.95851 7.88214 3.98316 7.82583 4.01959 7.77733C4.05602 7.72883 4.10322 7.68947 4.15748 7.66236C4.21174 7.63525 4.27156 7.62112 4.33222 7.62111H8.05444C8.13911 7.62131 8.22145 7.64891 8.28915 7.69977C8.35684 7.75064 8.40625 7.82205 8.43 7.90333L12.7389 22.7633C12.756 22.8216 12.7593 22.8831 12.7485 22.9428C12.7377 23.0026 12.713 23.059 12.6765 23.1076C12.6401 23.1561 12.5928 23.1955 12.5384 23.2225C12.484 23.2496 12.4241 23.2635 12.3633 23.2633Z" fill="#7EE3A1"/>
+<path d="M21.3589 23.2633H17.6367C17.5519 23.2637 17.4693 23.2363 17.4015 23.1853C17.3337 23.1344 17.2844 23.0627 17.2611 22.9811L12.9511 8.12111C12.9342 8.06285 12.9311 8.00146 12.942 7.9418C12.953 7.88214 12.9776 7.82583 13.014 7.77733C13.0505 7.72883 13.0977 7.68947 13.1519 7.66236C13.2062 7.63525 13.266 7.62112 13.3267 7.62111H17.0489C17.1336 7.62113 17.216 7.64866 17.2838 7.69955C17.3515 7.75045 17.4009 7.82196 17.4244 7.90333L21.7344 22.7633C21.7513 22.8216 21.7544 22.883 21.7435 22.9426C21.7326 23.0023 21.7079 23.0586 21.6715 23.1071C21.6351 23.1556 21.5879 23.195 21.5336 23.2221C21.4794 23.2492 21.4195 23.2633 21.3589 23.2633Z" fill="#03C75A"/>
+</svg>
--- a/adminfront/scripts/runtime-mode.sh
+++ b/adminfront/scripts/runtime-mode.sh
@@ -0,0 +1,144 @@
+#!/usr/bin/env sh
+set -eu
+
+app_env="$(printf '%s' "${APP_ENV:-development}" | tr '[:upper:]' '[:lower:]')"
+
+if [ -z "${VITE_ADMIN_PUBLIC_URL:-}" ] && [ -n "${ADMINFRONT_URL:-}" ]; then
+  export VITE_ADMIN_PUBLIC_URL="$ADMINFRONT_URL"
+fi
+
+if [ -z "${VITE_ADMIN_PUBLIC_URL:-}" ] && [ -n "${ADMINFRONT_CALLBACK_URLS:-}" ]; then
+  first_admin_callback="${ADMINFRONT_CALLBACK_URLS%%,*}"
+  case "$first_admin_callback" in
+    http://*/auth/callback | https://*/auth/callback)
+      export VITE_ADMIN_PUBLIC_URL="${first_admin_callback%/auth/callback}"
+      ;;
+  esac
+fi
+
+case "$app_env" in
+  production|prod|stage|staging)
+    mode="production"
+    ;;
+  *)
+    mode="development"
+    ;;
+esac
+
+if [ "${1:-}" = "--print-admin-public-url" ]; then
+  printf '%s\n' "${VITE_ADMIN_PUBLIC_URL:-}"
+  exit 0
+fi
+
+if [ "${1:-}" = "--print-mode" ]; then
+  printf '%s\n' "$mode"
+  exit 0
+fi
+
+ensure_frontend_dependencies() {
+  APP_PACKAGE_NAME="adminfront"
+
+  # Detect workspace root
+  if [ -f "/workspace/pnpm-workspace.yaml" ]; then
+    WORKSPACE_ROOT="/workspace"
+  elif [ -f "../../pnpm-workspace.yaml" ]; then
+    WORKSPACE_ROOT="../.."
+  else
+    WORKSPACE_ROOT=""
+  fi
+
+  # Manage dependencies from the real workspace tree if possible, otherwise use current dir.
+  if [ -n "$WORKSPACE_ROOT" ]; then
+    WORKSPACE_DIR="$WORKSPACE_ROOT"
+    LOCK_FILE="$WORKSPACE_ROOT/pnpm-lock.yaml"
+    COMMON_PACKAGE_FILE="$WORKSPACE_ROOT/common/package.json"
+    INSTALL_CMD="cd $WORKSPACE_ROOT && CI=true pnpm install --filter ${APP_PACKAGE_NAME}... --frozen-lockfile --ignore-scripts"
+  elif [ -f "pnpm-lock.yaml" ]; then
+    WORKSPACE_DIR="."
+    LOCK_FILE="pnpm-lock.yaml"
+    COMMON_PACKAGE_FILE="/workspace/common/package.json"
+    INSTALL_CMD="CI=true pnpm install --frozen-lockfile --ignore-scripts"
+  else
+    WORKSPACE_DIR="."
+    LOCK_FILE="package-lock.json"
+    COMMON_PACKAGE_FILE="/workspace/common/package.json"
+    INSTALL_CMD="npm ci"
+  fi
+
+  if [ ! -f "$WORKSPACE_DIR/package.json" ]; then
+    return 0
+  fi
+
+  lock_mode=""
+  lock_file="$WORKSPACE_DIR/.baron-deps-install.lock"
+
+  acquire_install_lock() {
+    if command -v flock >/dev/null 2>&1; then
+      lock_mode="flock"
+      exec 9>"$lock_file"
+      flock 9
+      trap 'release_install_lock' EXIT INT TERM
+      return 0
+    fi
+
+    lock_mode="mkdir"
+    while ! mkdir "$lock_file" 2>/dev/null; do
+      sleep 1
+    done
+    trap 'release_install_lock' EXIT INT TERM
+  }
+
+  release_install_lock() {
+    trap - EXIT INT TERM
+
+    if [ "$lock_mode" = "flock" ]; then
+      flock -u 9 || true
+      exec 9>&-
+      return 0
+    fi
+
+    if [ "$lock_mode" = "mkdir" ]; then
+      rmdir "$lock_file" >/dev/null 2>&1 || true
+    fi
+  }
+
+  if command -v sha256sum >/dev/null 2>&1; then
+    deps_hash="$(sha256sum "$WORKSPACE_DIR/package.json" "$LOCK_FILE" "$COMMON_PACKAGE_FILE" package.json 2>/dev/null | sha256sum | awk '{print $1}')"
+  else
+    deps_hash="$(cksum "$WORKSPACE_DIR/package.json" "$LOCK_FILE" "$COMMON_PACKAGE_FILE" package.json 2>/dev/null | cksum | awk '{print $1}')"
+  fi
+  deps_stamp="node_modules/.baron-deps-hash"
+  installed_hash="$(cat "$deps_stamp" 2>/dev/null || true)"
+
+  if [ "$installed_hash" != "$deps_hash" ]; then
+    echo "Installing frontend dependencies..."
+    acquire_install_lock
+    if command -v sha256sum >/dev/null 2>&1; then
+      deps_hash="$(sha256sum "$WORKSPACE_DIR/package.json" "$LOCK_FILE" "$COMMON_PACKAGE_FILE" package.json 2>/dev/null | sha256sum | awk '{print $1}')"
+    else
+      deps_hash="$(cksum "$WORKSPACE_DIR/package.json" "$LOCK_FILE" "$COMMON_PACKAGE_FILE" package.json 2>/dev/null | cksum | awk '{print $1}')"
+    fi
+    installed_hash="$(cat "$deps_stamp" 2>/dev/null || true)"
+    if [ "$installed_hash" = "$deps_hash" ]; then
+      release_install_lock
+      return 0
+    fi
+    
+    eval "$INSTALL_CMD"
+    
+    mkdir -p node_modules
+    printf '%s\n' "$deps_hash" > "$deps_stamp"
+    release_install_lock
+  fi
+}
+
+ensure_frontend_dependencies
+
+if [ "$mode" = "production" ]; then
+  echo "Running in production mode with custom static server..."
+  export ADMINFRONT_BUILD_OUT_DIR="${ADMINFRONT_BUILD_OUT_DIR:-/tmp/baron-sso-adminfront-dist}"
+  exec sh -c "npm run build && node ./scripts/serve-prod.mjs"
+fi
+
+echo "Running in development mode..."
+exec npm run dev -- --host 0.0.0.0
--- a/adminfront/scripts/serve-prod.mjs
+++ b/adminfront/scripts/serve-prod.mjs
@@ -0,0 +1,160 @@
+import { readFile, stat } from "node:fs/promises";
+import { createServer } from "node:http";
+import { extname, join, normalize, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+
+const _rootDir = fileURLToPath(new URL("..", import.meta.url));
+const distDir = resolve(
+  process.env.ADMINFRONT_BUILD_OUT_DIR ?? "/tmp/baron-sso-adminfront-dist",
+);
+const host = process.env.HOST ?? "0.0.0.0";
+const port = Number(process.env.PORT ?? process.env.ADMINFRONT_PORT ?? 5173);
+const backendTarget = new URL(
+  process.env.API_PROXY_TARGET || "http://localhost:3000",
+);
+
+const contentTypes = {
+  ".css": "text/css; charset=utf-8",
+  ".html": "text/html; charset=utf-8",
+  ".js": "application/javascript; charset=utf-8",
+  ".json": "application/json; charset=utf-8",
+  ".map": "application/json; charset=utf-8",
+  ".mjs": "application/javascript; charset=utf-8",
+  ".svg": "image/svg+xml",
+};
+
+function getContentType(filePath) {
+  return (
+    contentTypes[extname(filePath).toLowerCase()] ?? "application/octet-stream"
+  );
+}
+
+function sendJson(res, statusCode, body) {
+  res.writeHead(statusCode, {
+    "Content-Type": "application/json; charset=utf-8",
+    "Cache-Control": "no-store",
+  });
+  res.end(JSON.stringify(body));
+}
+
+function toSafePath(pathname) {
+  const decoded = decodeURIComponent(pathname);
+  const relative = decoded.replace(/^\/+/, "");
+  const safe = normalize(relative).replace(/^(\.\.(?:[\\/]|$))+/, "");
+  return join(distDir, safe);
+}
+
+async function tryReadFile(filePath) {
+  try {
+    return await readFile(filePath);
+  } catch {
+    return null;
+  }
+}
+
+async function proxyToBackend(req, res, pathname, search) {
+  const target = new URL(pathname + search, backendTarget);
+  const headers = new Headers();
+
+  for (const [key, value] of Object.entries(req.headers)) {
+    if (!value) continue;
+    if (key === "host" || key === "content-length" || key === "connection") {
+      continue;
+    }
+    if (Array.isArray(value)) {
+      headers.set(key, value.join(", "));
+      continue;
+    }
+    headers.set(key, value);
+  }
+
+  const hasBody = !["GET", "HEAD"].includes(req.method ?? "GET");
+  const response = await fetch(target, {
+    method: req.method,
+    headers,
+    body: hasBody ? req : undefined,
+    duplex: hasBody ? "half" : undefined,
+  });
+
+  const responseHeaders = new Headers(response.headers);
+  responseHeaders.delete("content-length");
+  responseHeaders.delete("transfer-encoding");
+  responseHeaders.delete("connection");
+
+  res.writeHead(response.status, Object.fromEntries(responseHeaders.entries()));
+
+  if (req.method === "HEAD") {
+    res.end();
+    return;
+  }
+
+  const arrayBuffer = await response.arrayBuffer();
+  res.end(Buffer.from(arrayBuffer));
+}
+
+async function serveStatic(req, res, pathname) {
+  const indexPath = join(distDir, "index.html");
+  const filePath = toSafePath(pathname);
+
+  let resolvedPath = filePath;
+  try {
+    const fileStat = await stat(resolvedPath);
+    if (fileStat.isDirectory()) {
+      resolvedPath = join(resolvedPath, "index.html");
+    }
+  } catch {
+    resolvedPath = indexPath;
+  }
+
+  let body = await tryReadFile(resolvedPath);
+  if (!body) {
+    body = await tryReadFile(indexPath);
+    resolvedPath = indexPath;
+  }
+
+  if (!body) {
+    sendJson(res, 500, { error: "dist_not_found" });
+    return;
+  }
+
+  res.writeHead(200, {
+    "Content-Type": getContentType(resolvedPath),
+    "Cache-Control": resolvedPath.endsWith("index.html")
+      ? "no-cache"
+      : "public, max-age=31536000, immutable",
+  });
+
+  if (req.method === "HEAD") {
+    res.end();
+    return;
+  }
+
+  res.end(body);
+}
+
+createServer(async (req, res) => {
+  try {
+    const url = new URL(
+      req.url ?? "/",
+      `http://${req.headers.host ?? "localhost"}`,
+    );
+    const { pathname, search } = url;
+
+    if (pathname === "/api" || pathname.startsWith("/api/")) {
+      await proxyToBackend(req, res, pathname, search);
+      return;
+    }
+
+    const normalizedPath = pathname === "/" ? "/index.html" : pathname;
+    await serveStatic(req, res, normalizedPath);
+  } catch (error) {
+    sendJson(res, 500, {
+      error: "internal_server_error",
+      message: error instanceof Error ? error.message : String(error),
+    });
+  }
+}).listen(port, host, () => {
+  console.log(
+    `Adminfront production server listening on http://${host}:${port}`,
+  );
+});
--- a/adminfront/seed-tenant.csv
+++ b/adminfront/seed-tenant.csv
@@ -0,0 +1,16 @@
+id,name,type,parent_tenant_slug,slug,memo,email_domain,visibility,org_unit_type,worksmobile_sync
+038326b6-954a-48a7-a85f-efd83f62b82a,한맥가족,COMPANY_GROUP,,hanmac-family,한맥가족 기본 루트 테넌트,,,,
+5530ca6e-c5e6-4bf0-84d6-76c6a8fb70ee,총괄기획&기술개발센터,COMPANY,hanmac-family,gpdtdc,네이버웍스 총괄기획&기술개발센터 GPDTDC_DOMAIN_ID, baroncs.co.kr,,,
+9caf62e1-297d-4e8f-870b-61780998bbeb,삼안,COMPANY,hanmac-family,saman,네이버웍스 삼안 SAMAN_DOMAIN_ID, samaneng.com,,,
+369c1843-56af-4344-9c21-0e01197ab861,한맥기술,COMPANY,hanmac-family,hanmac,네이버웍스 한맥 HANMAC_DOMAIN_ID, hanmaceng.co.kr,,,
+96369f12-6b66-4b2a-a916-d1c99d326f02,바론그룹,COMPANY_GROUP,hanmac-family,baron-group,네이버웍스 바론그룹 BARONGROUP_DOMAIN_ID,brsw.kr,,,
+5a03efd2-e62f-4243-800d-58334bf48b2f,한라산업개발,COMPANY,hanmac-family,halla,네이버웍스 한라 HALLA_DOMAIN_ID,hallasanup.com,,,
+c18a8284-0008-48aa-9cdf-9f47ab79a2a9,(주)장헌,COMPANY,baron-group,jangheon,,jangheon.com,,,
+b2fcf17f-7085-4bfe-9663-d8a2f2f4b2d6,장헌산업,COMPANY,baron-group,jangheon-sanup,,jangheon.co.kr,,,
+e57cb22c-383e-4489-8c2f-0c5431917e86,(주)피티씨,COMPANY,baron-group,ptc,,pre-cast.co.kr,,,
+4d0f26b9-702c-4bc6-8996-46e9eedfdeb7,MH_manager,USER_GROUP,hanmac-family,mhd,맨아워 대시보드 권한 보유자그룹,,private,,no
+e41adf79-3d15-4807-8303-afbdb0f2bab7,SW_uploader,USER_GROUP,hanmac-family,sw-uploader,소프트웨어 배포 권한 그룹,,private,,no
+ee2f39ac-fe52-4cfb-b4e3-4ae1d114c916,일반회사,COMPANY_GROUP,,commercial,외부 기업회원 루트 테넌트,,,,
+d19c10f0-0224-4bbb-bf3e-ce579c5338ea,공공기관,COMPANY_GROUP,,public-org,공공기관 기본 루트 테넌트,,,,
+78accec5-8eba-4324-b8f1-10ab360011fe,교육/학생,COMPANY_GROUP,,edu,교육기관 및 학생 기본 루트 테넌트,,,,
+9607eb7b-04d2-42ab-80fe-780fe21c7e8f,개인사용자,PERSONAL,,personal,개인 사용자 기본 루트 테넌트,,,,
--- a/adminfront/src/app/queryClient.ts
+++ b/adminfront/src/app/queryClient.ts
@@ -1,11 +1,7 @@
 import { QueryClient } from "@tanstack/react-query";

+import { queryClientDefaultOptions } from "../../../common/core/query/queryClient";
+
 export const queryClient = new QueryClient({
-  defaultOptions: {
-    queries: {
-      staleTime: 30_000,
-      refetchOnWindowFocus: false,
-      retry: 1,
-    },
-  },
+  defaultOptions: queryClientDefaultOptions,
 });
--- a/adminfront/src/app/routes.test.tsx
+++ b/adminfront/src/app/routes.test.tsx
@@ -0,0 +1,102 @@
+import { matchRoutes } from "react-router-dom";
+import { describe, expect, it } from "vitest";
+import { buildAdminAuthRedirectUris } from "../lib/authConfig";
+import { adminRoutes } from "./routes";
+
+describe("admin routes", () => {
+  it("accepts the auth callback path generated from the public admin URL", () => {
+    const { redirectUri } = buildAdminAuthRedirectUris(
+      "https://sadmin.hmac.kr",
+    );
+    const callbackPath = new URL(redirectUri).pathname;
+
+    const matches = matchRoutes(adminRoutes, callbackPath);
+
+    expect(callbackPath).toBe("/auth/callback");
+    expect(matches?.at(-1)?.route.path).toBe("/auth/callback");
+  });
+
+  it("registers the super-admin Ory SSOT system route", () => {
+    const matches = matchRoutes(adminRoutes, "/system/ory-ssot");
+
+    expect(matches?.at(-1)?.route.path).toBe("system/ory-ssot");
+  });
+
+  it("registers the super-admin data integrity management route", () => {
+    const matches = matchRoutes(adminRoutes, "/system/data-integrity");
+
+    expect(matches?.at(-1)?.route.path).toBe("system/data-integrity");
+  });
+
+  it("routes global custom claim settings before user detail id matching", async () => {
+    const matches = matchRoutes(adminRoutes, "/users/custom-claims");
+    const leafRoute = matches?.at(-1)?.route;
+
+    expect(leafRoute?.path).toBe("users/custom-claims");
+    expect(await getRouteComponentName(leafRoute)).toBe(
+      "GlobalCustomClaimsPage",
+    );
+  });
+
+  it("code-splits tenant detail profile routes away from the initial admin shell", () => {
+    const matches = matchRoutes(
+      adminRoutes,
+      "/tenants/56cd0fd7-b62a-43c0-8db9-74a30468d7cb",
+    );
+    const detailRoute = matches?.find(
+      (match) => match.route.path === "tenants/:tenantId",
+    )?.route;
+    const profileRoute = matches?.at(-1)?.route;
+
+    expect(detailRoute?.element).toBeUndefined();
+    expect(typeof detailRoute?.lazy).toBe("function");
+    expect(profileRoute?.index).toBe(true);
+    expect(profileRoute?.element).toBeUndefined();
+    expect(typeof profileRoute?.lazy).toBe("function");
+  });
+
+  it("keeps protected admin pages behind an auth guard before mounting the layout", () => {
+    const rootRoute = adminRoutes.find((route) => route.path === "/");
+    const protectedShellRoute = rootRoute?.children?.[0];
+
+    expect(getRouteElementName(rootRoute?.element)).toBe("AuthGuard");
+    expect(getRouteElementName(protectedShellRoute?.element)).toBe("AppLayout");
+    expect(protectedShellRoute?.children?.at(0)?.index).toBe(true);
+  });
+});
+
+async function getRouteComponentName(route: unknown) {
+  if (
+    typeof route === "object" &&
+    route !== null &&
+    "lazy" in route &&
+    typeof route.lazy === "function"
+  ) {
+    const lazyRoute = await route.lazy();
+    if ("Component" in lazyRoute && typeof lazyRoute.Component === "function") {
+      return lazyRoute.Component.name;
+    }
+    if ("element" in lazyRoute) {
+      return getRouteElementName(lazyRoute.element);
+    }
+  }
+
+  if (typeof route === "object" && route !== null && "element" in route) {
+    return getRouteElementName(route.element);
+  }
+
+  return undefined;
+}
+
+function getRouteElementName(element: unknown) {
+  if (
+    typeof element === "object" &&
+    element !== null &&
+    "type" in element &&
+    typeof element.type === "function"
+  ) {
+    return element.type.name;
+  }
+
+  return undefined;
+}
--- a/adminfront/src/app/routes.tsx
+++ b/adminfront/src/app/routes.tsx
@@ -1,52 +1,197 @@
+import type { ComponentType } from "react";
+import type { RouteObject } from "react-router-dom";
 import { createBrowserRouter } from "react-router-dom";
 import AppLayout from "../components/layout/AppLayout";
-import ApiKeyCreatePage from "../features/api-keys/ApiKeyCreatePage";
-import ApiKeyListPage from "../features/api-keys/ApiKeyListPage";
-import AuditLogsPage from "../features/audit/AuditLogsPage";
-import AuthPage from "../features/auth/AuthPage";
-import DashboardPage from "../features/dashboard/DashboardPage";
-import GlobalOverviewPage from "../features/overview/GlobalOverviewPage";
-import TenantCreatePage from "../features/tenants/routes/TenantCreatePage";
-import TenantDetailPage from "../features/tenants/routes/TenantDetailPage";
-import TenantListPage from "../features/tenants/routes/TenantListPage";
-import { TenantProfilePage } from "../features/tenants/routes/TenantProfilePage";
-import { TenantSchemaPage } from "../features/tenants/routes/TenantSchemaPage";
-import UserCreatePage from "../features/users/UserCreatePage";
-import UserDetailPage from "../features/users/UserDetailPage";
-import UserListPage from "../features/users/UserListPage";
+import AuthCallbackPage from "../features/auth/AuthCallbackPage";
+import AuthGuard from "../features/auth/AuthGuard";
+import LoginPage from "../features/auth/LoginPage";
+import { ADMIN_AUTH_CALLBACK_PATH } from "../lib/authConfig";
+
+type RouteModule = {
+  default: ComponentType;
+};
+
+function lazyDefault(loader: () => Promise<RouteModule>) {
+  return async () => {
+    const module = await loader();
+    return { Component: module.default };
+  };
+}
+
+function lazyNamed<TModule, TKey extends keyof TModule>(
+  loader: () => Promise<TModule>,
+  key: TKey,
+) {
+  return async () => {
+    const module = await loader();
+    return { Component: module[key] as ComponentType };
+  };
+}
+
+export const adminRoutes: RouteObject[] = [
+  {
+    path: "/login",
+    element: <LoginPage />,
+  },
+  {
+    path: ADMIN_AUTH_CALLBACK_PATH,
+    element: <AuthCallbackPage />,
+  },
+  {
+    path: "/",
+    element: <AuthGuard />,
+    children: [
+      {
+        element: <AppLayout />,
+        children: [
+          {
+            index: true,
+            lazy: lazyDefault(
+              () => import("../features/overview/GlobalOverviewPage"),
+            ),
+          },
+          {
+            path: "audit-logs",
+            lazy: lazyDefault(() => import("../features/audit/AuditLogsPage")),
+          },
+          {
+            path: "auth",
+            lazy: lazyDefault(() => import("../features/auth/AuthPage")),
+          },
+          {
+            path: "users",
+            lazy: lazyDefault(() => import("../features/users/UserListPage")),
+          },
+          {
+            path: "users/custom-claims",
+            lazy: lazyDefault(
+              () => import("../features/users/GlobalCustomClaimsPage"),
+            ),
+          },
+          {
+            path: "users/new",
+            lazy: lazyDefault(() => import("../features/users/UserCreatePage")),
+          },
+          {
+            path: "users/:id",
+            lazy: lazyDefault(() => import("../features/users/UserDetailPage")),
+          },
+          {
+            path: "tenants",
+            lazy: lazyDefault(
+              () => import("../features/tenants/routes/TenantListPage"),
+            ),
+          },
+          {
+            path: "tenants/new",
+            lazy: lazyDefault(
+              () => import("../features/tenants/routes/TenantCreatePage"),
+            ),
+          },
+          {
+            path: "worksmobile",
+            lazy: lazyNamed(
+              () => import("../features/tenants/routes/TenantWorksmobilePage"),
+              "TenantWorksmobilePage",
+            ),
+          },
+          {
+            path: "permissions-direct",
+            lazy: lazyNamed(
+              () =>
+                import(
+                  "../features/tenants/routes/TenantFineGrainedPermissionsPage"
+                ),
+              "TenantFineGrainedPermissionsPage",
+            ),
+          },
+          {
+            path: "tenants/:tenantId",
+            lazy: lazyDefault(
+              () => import("../features/tenants/routes/TenantDetailPage"),
+            ),
+            children: [
+              {
+                index: true,
+                lazy: lazyNamed(
+                  () => import("../features/tenants/routes/TenantProfilePage"),
+                  "TenantProfilePage",
+                ),
+              },
+              {
+                path: "permissions",
+                lazy: lazyNamed(
+                  () =>
+                    import(
+                      "../features/tenants/routes/TenantAdminsAndOwnersTab"
+                    ),
+                  "TenantAdminsAndOwnersTab",
+                ),
+              },
+              {
+                path: "organization",
+                lazy: lazyDefault(
+                  () =>
+                    import(
+                      "../features/user-groups/routes/TenantUserGroupsTab"
+                    ),
+                ),
+              },
+              {
+                path: "schema",
+                lazy: lazyNamed(
+                  () => import("../features/tenants/routes/TenantSchemaPage"),
+                  "TenantSchemaPage",
+                ),
+              },
+              {
+                path: "relations",
+                lazy: lazyNamed(
+                  () =>
+                    import(
+                      "../features/tenants/routes/TenantFineGrainedPermissionsTab"
+                    ),
+                  "TenantFineGrainedPermissionsTab",
+                ),
+              },
+            ],
+          },
+          {
+            path: "tenants/:tenantId/organization/:id",
+            lazy: lazyDefault(
+              () =>
+                import("../features/user-groups/routes/TenantUserGroupsTab"),
+            ),
+          },
+          {
+            path: "api-keys",
+            lazy: lazyDefault(
+              () => import("../features/api-keys/ApiKeyListPage"),
+            ),
+          },
+          {
+            path: "api-keys/new",
+            lazy: lazyDefault(
+              () => import("../features/api-keys/ApiKeyCreatePage"),
+            ),
+          },
+          {
+            path: "system/ory-ssot",
+            lazy: lazyDefault(() => import("../features/ory-ssot/OrySSOTPage")),
+          },
+          {
+            path: "system/data-integrity",
+            lazy: lazyDefault(
+              () => import("../features/integrity/DataIntegrityPage"),
+            ),
+          },
+        ],
+      },
+    ],
+  },
+];

 export const router = createBrowserRouter(
-  [
-    {
-      path: "/",
-      element: <AppLayout />,
-      children: [
-        { index: true, element: <GlobalOverviewPage /> },
-        { path: "dashboard", element: <DashboardPage /> },
-        { path: "audit-logs", element: <AuditLogsPage /> },
-        { path: "auth", element: <AuthPage /> },
-        { path: "users", element: <UserListPage /> },
-        { path: "users/new", element: <UserCreatePage /> },
-        { path: "users/:id", element: <UserDetailPage /> },
-        { path: "tenants", element: <TenantListPage /> },
-        { path: "tenants/new", element: <TenantCreatePage /> },
-        {
-          path: "tenants/:tenantId",
-          element: <TenantDetailPage />,
-          children: [
-            { index: true, element: <TenantProfilePage /> },
-            { path: "schema", element: <TenantSchemaPage /> },
-          ],
-        },
-        { path: "api-keys", element: <ApiKeyListPage /> },
-        { path: "api-keys/new", element: <ApiKeyCreatePage /> },
-      ],
-    },
-  ],
-  // React Router v7 플래그 사전 적용 (현재 타입 정의에 없어 any 캐스팅)
-  {
-    future: {
-      v7_startTransition: true,
-    },
-  } as unknown as Parameters<typeof createBrowserRouter>[1],
+  adminRoutes,
+  // React Router v7 플래그는 Provider에서 적용합니다.
 );
--- a/adminfront/src/components/auth/RoleGuard.tsx
+++ b/adminfront/src/components/auth/RoleGuard.tsx
@@ -0,0 +1,43 @@
+import { useQuery } from "@tanstack/react-query";
+import type * as React from "react";
+import { fetchMe } from "../../lib/adminApi";
+import { normalizeAdminRole } from "../../lib/roles";
+
+interface RoleGuardProps {
+  children: React.ReactNode;
+  roles: string[];
+  fallback?: React.ReactNode;
+}
+
+/**
+ * RoleGuard conditionally renders children based on the current user's role.
+ *
+ * Usage:
+ * <RoleGuard roles={['super_admin']}>
+ *   <button>System Only Action</button>
+ * </RoleGuard>
+ */
+export function RoleGuard({
+  children,
+  roles,
+  fallback = null,
+}: RoleGuardProps) {
+  const { data: profile, isLoading } = useQuery({
+    queryKey: ["me"],
+    queryFn: fetchMe,
+    staleTime: 5 * 60 * 1000, // 5 minutes
+  });
+
+  if (isLoading) return null;
+
+  const userRole = normalizeAdminRole(profile?.role);
+  const hasAccess = roles
+    .map((role) => normalizeAdminRole(role))
+    .includes(userRole);
+
+  if (!hasAccess) {
+    return <>{fallback}</>;
+  }
+
+  return <>{children}</>;
+}
--- a/adminfront/src/components/common/LanguageSelector.test.tsx
+++ b/adminfront/src/components/common/LanguageSelector.test.tsx
@@ -0,0 +1,32 @@
+import { fireEvent, render, screen } from "@testing-library/react";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import LanguageSelector from "./LanguageSelector";
+
+vi.mock("../../lib/i18n", () => ({
+  t: (_key: string, fallback?: string) => fallback ?? "",
+}));
+
+describe("LanguageSelector", () => {
+  beforeEach(() => {
+    window.localStorage.clear();
+    vi.restoreAllMocks();
+  });
+
+  it("updates locale without reloading the page", () => {
+    const dispatchSpy = vi.spyOn(window, "dispatchEvent");
+    window.localStorage.setItem("locale", "ko");
+
+    render(<LanguageSelector />);
+
+    fireEvent.change(screen.getByRole("combobox"), {
+      target: { value: "en" },
+    });
+
+    expect(window.localStorage.getItem("locale")).toBe("en");
+    expect(
+      dispatchSpy.mock.calls.some(
+        ([event]) => event instanceof Event && event.type === "localechange",
+      ),
+    ).toBe(true);
+  });
+});
--- a/adminfront/src/components/common/LanguageSelector.tsx
+++ b/adminfront/src/components/common/LanguageSelector.tsx
@@ -0,0 +1,69 @@
+import { useEffect, useState } from "react";
+import { LOCALE_STORAGE_KEY } from "../../../../common/core/i18n";
+import { t } from "../../lib/i18n";
+
+const SUPPORTED_LOCALES = ["ko", "en"] as const;
+
+type Locale = (typeof SUPPORTED_LOCALES)[number];
+
+function resolveLocale(): Locale {
+  if (typeof window === "undefined") {
+    return "ko";
+  }
+
+  const stored = window.localStorage.getItem(LOCALE_STORAGE_KEY);
+  if (stored === "ko" || stored === "en") {
+    return stored;
+  }
+
+  const pathLocale = window.location.pathname.split("/")[1];
+  if (pathLocale === "ko" || pathLocale === "en") {
+    return pathLocale;
+  }
+
+  const browserLang = window.navigator.language.toLowerCase();
+  return browserLang.startsWith("ko") ? "ko" : "en";
+}
+
+function LanguageSelector() {
+  const [locale, setLocale] = useState<Locale>(resolveLocale());
+
+  useEffect(() => {
+    const syncLocale = () => {
+      setLocale(resolveLocale());
+    };
+
+    window.addEventListener("localechange", syncLocale);
+    window.addEventListener("storage", syncLocale);
+
+    return () => {
+      window.removeEventListener("localechange", syncLocale);
+      window.removeEventListener("storage", syncLocale);
+    };
+  }, []);
+
+  const handleChange = (next: Locale) => {
+    if (next === locale) {
+      return;
+    }
+    window.localStorage.setItem(LOCALE_STORAGE_KEY, next);
+    setLocale(next);
+    window.dispatchEvent(new Event("localechange"));
+  };
+
+  return (
+    <select
+      id="admin-language-selector"
+      name="admin-language-selector"
+      value={locale}
+      onChange={(event) => handleChange(event.target.value as Locale)}
+      className="rounded-full border border-border bg-transparent px-3 py-2 text-sm text-muted-foreground transition hover:bg-muted/20"
+      aria-label={t("ui.common.language", "언어")}
+    >
+      <option value="ko">{t("ui.common.language_ko", "한국어")}</option>
+      <option value="en">{t("ui.common.language_en", "English")}</option>
+    </select>
+  );
+}
+
+export default LanguageSelector;
--- a/adminfront/src/components/common/LocaleRefreshBoundary.test.tsx
+++ b/adminfront/src/components/common/LocaleRefreshBoundary.test.tsx
@@ -0,0 +1,57 @@
+import { act, render, screen } from "@testing-library/react";
+import { beforeEach, describe, expect, it } from "vitest";
+import LocaleRefreshBoundary from "./LocaleRefreshBoundary";
+
+let renderCount = 0;
+
+function RenderCounter() {
+  renderCount += 1;
+  return <span>{renderCount}</span>;
+}
+
+describe("LocaleRefreshBoundary", () => {
+  beforeEach(() => {
+    window.localStorage.clear();
+    renderCount = 0;
+  });
+
+  it("re-renders children when locale changes", async () => {
+    render(
+      <LocaleRefreshBoundary>
+        <RenderCounter />
+      </LocaleRefreshBoundary>,
+    );
+
+    expect(screen.getByText("1")).toBeInTheDocument();
+
+    await act(async () => {
+      window.localStorage.setItem("locale", "en");
+      window.dispatchEvent(new Event("localechange"));
+    });
+
+    expect(screen.getByText("2")).toBeInTheDocument();
+  });
+
+  it("ignores storage events unrelated to locale changes", async () => {
+    render(
+      <LocaleRefreshBoundary>
+        <RenderCounter />
+      </LocaleRefreshBoundary>,
+    );
+
+    expect(screen.getByText("1")).toBeInTheDocument();
+
+    await act(async () => {
+      window.dispatchEvent(
+        new StorageEvent("storage", {
+          key: "admin_session",
+          newValue: "token",
+          oldValue: null,
+          storageArea: window.localStorage,
+        }),
+      );
+    });
+
+    expect(screen.getByText("1")).toBeInTheDocument();
+  });
+});
--- a/adminfront/src/components/common/LocaleRefreshBoundary.tsx
+++ b/adminfront/src/components/common/LocaleRefreshBoundary.tsx
@@ -0,0 +1,35 @@
+import { Fragment, type ReactNode, useEffect, useState } from "react";
+import { LOCALE_STORAGE_KEY } from "../../../../common/core/i18n";
+
+type LocaleRefreshBoundaryProps = {
+  children: ReactNode;
+};
+
+function LocaleRefreshBoundary({ children }: LocaleRefreshBoundaryProps) {
+  const [localeVersion, setLocaleVersion] = useState(0);
+
+  useEffect(() => {
+    const syncLocale = () => {
+      setLocaleVersion((current) => current + 1);
+    };
+
+    const syncLocaleFromStorage = (event: StorageEvent) => {
+      if (event.key !== LOCALE_STORAGE_KEY && event.key !== null) {
+        return;
+      }
+      syncLocale();
+    };
+
+    window.addEventListener("localechange", syncLocale);
+    window.addEventListener("storage", syncLocaleFromStorage);
+
+    return () => {
+      window.removeEventListener("localechange", syncLocale);
+      window.removeEventListener("storage", syncLocaleFromStorage);
+    };
+  }, []);
+
+  return <Fragment key={localeVersion}>{children}</Fragment>;
+}
+
+export default LocaleRefreshBoundary;
--- a/adminfront/src/components/layout/AppLayout.test.tsx
+++ b/adminfront/src/components/layout/AppLayout.test.tsx
@@ -0,0 +1,187 @@
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import { fireEvent, render, screen } from "@testing-library/react";
+import { MemoryRouter, Route, Routes } from "react-router-dom";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { createI18nMock } from "../../test/i18nMock";
+import AppLayout from "./AppLayout";
+
+const authState = {
+  isAuthenticated: true,
+  isLoading: false,
+  user: {
+    access_token: "access-token",
+    expires_at: Math.floor(Date.now() / 1000) + 120,
+    profile: {
+      sub: "admin-1",
+      name: "Admin User",
+      email: "admin@example.com",
+    },
+  },
+  signinSilent: vi.fn(async () => undefined),
+  removeUser: vi.fn(),
+};
+
+vi.mock("react-oidc-context", () => ({
+  useAuth: () => authState,
+}));
+
+vi.mock("../../lib/i18n", () => createI18nMock());
+
+vi.mock("../../lib/adminApi", () => ({
+  fetchMe: vi.fn(async () => ({
+    id: "admin-1",
+    name: "Fetched Admin",
+    email: "fetched@example.com",
+    role: "super_admin",
+    tenantId: "tenant-1",
+    manageableTenants: [
+      {
+        id: "tenant-1",
+        name: "GPDTDC",
+        slug: "gpdtdc",
+        type: "COMPANY",
+      },
+      {
+        id: "tenant-2",
+        name: "기술연구팀",
+        slug: "gpdtdc-rnd",
+        type: "ORGANIZATION",
+      },
+    ],
+  })),
+}));
+
+function renderLayout(entry = "/users") {
+  const queryClient = new QueryClient({
+    defaultOptions: {
+      queries: { retry: false },
+      mutations: { retry: false },
+    },
+  });
+
+  return render(
+    <QueryClientProvider client={queryClient}>
+      <MemoryRouter initialEntries={[entry]}>
+        <Routes>
+          <Route path="/" element={<AppLayout />}>
+            <Route path="users" element={<div>Users outlet</div>} />
+            <Route path="users/:id" element={<div>User detail outlet</div>} />
+            <Route
+              path="tenants/:tenantId"
+              element={<div>Tenant outlet</div>}
+            />
+            <Route path="worksmobile" element={<div>Worksmobile outlet</div>} />
+            <Route path="login" element={<div>Login outlet</div>} />
+          </Route>
+        </Routes>
+      </MemoryRouter>
+    </QueryClientProvider>,
+  );
+}
+
+describe("admin AppLayout", () => {
+  beforeEach(() => {
+    (
+      window as Window & typeof globalThis & { _IS_TEST_MODE?: boolean }
+    )._IS_TEST_MODE = true;
+    authState.isAuthenticated = true;
+    authState.isLoading = false;
+    authState.user.expires_at = Math.floor(Date.now() / 1000) + 120;
+    authState.signinSilent.mockClear();
+    authState.removeUser.mockClear();
+    window.localStorage.clear();
+    vi.spyOn(window, "confirm").mockReturnValue(true);
+  });
+
+  it("renders admin navigation, fetched profile, and outlet content", async () => {
+    renderLayout();
+
+    expect(await screen.findByText("Fetched Admin")).toBeInTheDocument();
+    expect(screen.getByText("Admin Control")).toBeInTheDocument();
+    expect(screen.getByText("Users outlet")).toBeInTheDocument();
+    expect(screen.getByText("Tenants")).toBeInTheDocument();
+    expect(screen.getByText("Org Chart")).toBeInTheDocument();
+    expect(screen.getByText("Worksmobile")).toBeInTheDocument();
+    expect(screen.getByText("Ory SSOT System")).toBeInTheDocument();
+    expect(screen.getByText("Data Integrity")).toBeInTheDocument();
+    const navigation = screen.getByRole("navigation");
+    const navLabels = Array.from(navigation.querySelectorAll("a")).map((link) =>
+      link.textContent?.trim(),
+    );
+    expect(navLabels).toEqual([
+      "Overview",
+      "Tenants",
+      "Org Chart",
+      "Worksmobile",
+      "Ory SSOT System",
+      "Data Integrity",
+      "Users",
+      "권한 부여",
+      "Auth Guard",
+      "API Keys",
+      "Audit Logs",
+    ]);
+    const worksmobileIcon = screen.getByTestId("worksmobile-nav-icon");
+    expect(worksmobileIcon.tagName.toLowerCase()).toBe("svg");
+    expect(worksmobileIcon).toHaveAttribute("fill", "none");
+    expect(worksmobileIcon.querySelectorAll("path")).toHaveLength(4);
+    expect(worksmobileIcon.querySelector('path[fill="white"]')).toBeNull();
+  });
+
+  it("toggles the sidebar and persists the collapsed state", async () => {
+    renderLayout();
+
+    const collapseButton = await screen.findByRole("button", {
+      name: "사이드바 접기",
+    });
+    fireEvent.click(collapseButton);
+
+    expect(window.localStorage.getItem("baron_shell_sidebar_collapsed")).toBe(
+      "true",
+    );
+    expect(
+      screen.getByRole("button", { name: "사이드바 펼치기" }),
+    ).toBeInTheDocument();
+  });
+
+  it("opens profile menu, navigates, toggles theme/session, and logs out", async () => {
+    renderLayout();
+
+    const themeButton = await screen.findByRole("button", {
+      name: "테마 전환",
+    });
+    fireEvent.click(themeButton);
+    expect(document.documentElement.classList.contains("dark")).toBe(true);
+
+    fireEvent.click(screen.getByRole("button", { name: "계정 메뉴 열기" }));
+    expect(screen.getByText("Manageable Tenants")).toBeInTheDocument();
+
+    const sessionSwitch = screen.getByRole("switch");
+    fireEvent.click(sessionSwitch);
+    expect(window.localStorage.getItem("baron_session_expiry_enabled")).toBe(
+      "false",
+    );
+
+    fireEvent.click(screen.getByText("기술연구팀"));
+    expect(await screen.findByText("Tenant outlet")).toBeInTheDocument();
+
+    fireEvent.click(screen.getByRole("button", { name: "계정 메뉴 열기" }));
+    fireEvent.click(screen.getAllByText("내 정보")[0]);
+    expect(await screen.findByText("User detail outlet")).toBeInTheDocument();
+
+    fireEvent.click(screen.getByRole("button", { name: "계정 메뉴 열기" }));
+    fireEvent.click(screen.getAllByText("Logout")[1]);
+    expect(window.confirm).toHaveBeenCalled();
+    expect(authState.removeUser).toHaveBeenCalled();
+  }, 10_000);
+
+  it("attempts silent renewal on user activity when session is near expiry", async () => {
+    authState.user.expires_at = Math.floor(Date.now() / 1000) + 60;
+
+    renderLayout();
+    await screen.findByText("Fetched Admin");
+    fireEvent.keyDown(window, { key: "Tab" });
+
+    expect(authState.signinSilent).toHaveBeenCalled();
+  });
+});
--- a/adminfront/src/components/layout/AppLayout.tsx
+++ b/adminfront/src/components/layout/AppLayout.tsx
@@ -1,148 +1,844 @@
+import { useQuery } from "@tanstack/react-query";
 import {
-    BadgeCheck,
-    Building2,
-    Key,
-    KeyRound,
-    LayoutDashboard,
-    Moon,
-    NotebookTabs,
-    ShieldHalf,
-    Sun,
-    Users,
+  Building2,
+  ChevronDown,
+  Database,
+  Key,
+  KeyRound,
+  LayoutDashboard,
+  LogOut,
+  Moon,
+  Network,
+  NotebookTabs,
+  ShieldCheck,
+  ShieldHalf,
+  Sun,
+  User as UserIcon,
+  Users,
 } from "lucide-react";
-import { useEffect, useState } from "react";
-import { NavLink, Outlet } from "react-router-dom";
-import RoleSwitcher from "./RoleSwitcher";
+import * as React from "react";
+import { useEffect, useRef, useState } from "react";
+import { useAuth } from "react-oidc-context";
+import { NavLink, Outlet, useLocation, useNavigate } from "react-router-dom";
+import {
+  AppSidebar,
+  applyShellTheme,
+  buildShellProfileSummary,
+  buildShellSessionStatus,
+  readShellSessionExpiryEnabled,
+  readShellSidebarCollapsed,
+  readShellTheme,
+  type ShellSidebarNavItem,
+  type ShellTranslator,
+  shellLayoutClasses,
+  writeShellSessionExpiryEnabled,
+  writeShellSidebarCollapsed,
+} from "../../../../common/shell";
+import { canAccessWorksmobile } from "../../features/tenants/routes/worksmobileAccess";
+import { buildAuthenticatedOrgChartUrl } from "../../features/users/orgChartPicker";
+import { fetchMe } from "../../lib/adminApi";
+import { debugLog } from "../../lib/debugLog";
+import { t } from "../../lib/i18n";
+import { isSuperAdminRole } from "../../lib/roles";
+import {
+  shouldAttemptSlidingSessionRenew,
+  shouldAttemptUnlimitedSessionRenew,
+} from "../../lib/sessionSliding";
+import LanguageSelector from "../common/LanguageSelector";

-const navItems = [
-    { label: "Overview", to: "/", icon: LayoutDashboard },
-    { label: "Tenant Dashboard", to: "/dashboard", icon: ShieldHalf },
-    { label: "Tenants", to: "/tenants", icon: Building2 },
-    { label: "Users", to: "/users", icon: Users },
-    { label: "API Keys (M2M)", to: "/api-keys", icon: Key },
-    { label: "Audit Logs", to: "/audit-logs", icon: NotebookTabs },
-    { label: "Auth Guard", to: "/auth", icon: KeyRound },
+const LOCALE_CHANGED_EVENT = "baron_locale_changed";
+
+const staticNavItems: ShellSidebarNavItem[] = [
+  {
+    labelKey: "ui.admin.nav.overview",
+    labelFallback: "Overview",
+    to: "/",
+    icon: LayoutDashboard,
+    end: true,
+  },
+  {
+    labelKey: "ui.admin.nav.users",
+    labelFallback: "Users",
+    to: "/users",
+    icon: Users,
+  },
+  {
+    labelKey: "ui.admin.nav.permissions_direct",
+    labelFallback: "권한 부여",
+    to: "/permissions-direct",
+    icon: ShieldCheck,
+  },
+  {
+    labelKey: "ui.admin.nav.auth_guard",
+    labelFallback: "Auth Guard",
+    to: "/auth",
+    icon: KeyRound,
+  },
+  {
+    labelKey: "ui.admin.nav.api_keys",
+    labelFallback: "API Keys",
+    to: "/api-keys",
+    icon: Key,
+  },
+  {
+    labelKey: "ui.admin.nav.audit_logs",
+    labelFallback: "Audit Logs",
+    to: "/audit-logs",
+    icon: NotebookTabs,
+  },
 ];

+type SessionStatusProps = {
+  expiresAtSec?: number | null;
+  t: ShellTranslator;
+};
+
+function useSessionStatus({ expiresAtSec, t }: SessionStatusProps) {
+  const [nowMs, setNowMs] = useState(() => Date.now());
+
+  useEffect(() => {
+    const timer = window.setInterval(() => {
+      setNowMs(Date.now());
+    }, 1000);
+
+    return () => {
+      window.clearInterval(timer);
+    };
+  }, []);
+
+  return buildShellSessionStatus({ expiresAtSec, nowMs, t });
+}
+
+function SessionStatusBadge(props: SessionStatusProps) {
+  const sessionStatus = useSessionStatus(props);
+
+  return (
+    <span
+      className={[
+        shellLayoutClasses.sessionBadge,
+        sessionStatus.toneClass,
+      ].join(" ")}
+    >
+      {sessionStatus.text}
+    </span>
+  );
+}
+
+function SessionStatusText(props: SessionStatusProps) {
+  const sessionStatus = useSessionStatus(props);
+
+  return <>{sessionStatus.text}</>;
+}
+
+function LineWorksNavIcon({ size = 18 }: { size?: number | string }) {
+  const iconSize = typeof size === "number" ? size : Number.parseFloat(size);
+  return (
+    <svg
+      aria-hidden="true"
+      data-testid="worksmobile-nav-icon"
+      width={Number.isFinite(iconSize) ? iconSize : size}
+      height={Number.isFinite(iconSize) ? iconSize : size}
+      viewBox="0 0 30 30"
+      fill="none"
+      className="shrink-0 text-current"
+    >
+      <path
+        d="M9.01667 23.2633H12.3633C12.4481 23.2637 12.5307 23.2363 12.5985 23.1853C12.6663 23.1344 12.7156 23.0627 12.7389 22.9811L17.0489 8.12111C17.0658 8.06285 17.0689 8.00146 17.058 7.9418C17.047 7.88214 17.0224 7.82583 16.986 7.77733C16.9495 7.72883 16.9023 7.68947 16.8481 7.66236C16.7938 7.63525 16.734 7.62112 16.6733 7.62111H13.3267C13.2419 7.62113 13.1595 7.64866 13.0918 7.69955C13.0241 7.75045 12.9747 7.82196 12.9511 7.90333L8.64222 22.7633C8.62512 22.8215 8.62182 22.8829 8.63258 22.9425C8.64334 23.0022 8.66787 23.0586 8.70422 23.1071C8.74057 23.1556 8.78773 23.195 8.84197 23.2222C8.89621 23.2493 8.95603 23.2634 9.01667 23.2633Z"
+        fill="currentColor"
+      />
+      <path
+        d="M18.0122 23.2633H21.3589C21.4436 23.2633 21.526 23.2358 21.5938 23.1849C21.6615 23.134 21.7109 23.0625 21.7344 22.9811L26.0433 8.12111C26.0602 8.06285 26.0633 8.00146 26.0524 7.9418C26.0415 7.88214 26.0168 7.82583 25.9804 7.77733C25.944 7.72883 25.8968 7.68947 25.8425 7.66236C25.7883 7.63525 25.7284 7.62112 25.6678 7.62111H22.3211C22.2364 7.62131 22.1541 7.64891 22.0864 7.69977C22.0187 7.75064 21.9693 7.82205 21.9456 7.90333L17.6367 22.7633C17.6195 22.8216 17.6163 22.8831 17.6271 22.9428C17.6379 23.0026 17.6625 23.059 17.699 23.1076C17.7355 23.1561 17.7828 23.1955 17.8372 23.2225C17.8915 23.2496 17.9515 23.2635 18.0122 23.2633Z"
+        fill="currentColor"
+      />
+      <path
+        d="M12.3633 23.2633H8.64222C8.55741 23.2637 8.47481 23.2363 8.40701 23.1853C8.33921 23.1344 8.28993 23.0627 8.26666 22.9811L3.95666 8.12111C3.93977 8.06285 3.93667 8.00146 3.94759 7.9418C3.95851 7.88214 3.98316 7.82583 4.01959 7.77733C4.05602 7.72883 4.10322 7.68947 4.15748 7.66236C4.21174 7.63525 4.27156 7.62112 4.33222 7.62111H8.05444C8.13911 7.62131 8.22145 7.64891 8.28915 7.69977C8.35684 7.75064 8.40625 7.82205 8.43 7.90333L12.7389 22.7633C12.756 22.8216 12.7593 22.8831 12.7485 22.9428C12.7377 23.0026 12.713 23.059 12.6765 23.1076C12.6401 23.1561 12.5928 23.1955 12.5384 23.2225C12.484 23.2496 12.4241 23.2635 12.3633 23.2633Z"
+        fill="currentColor"
+      />
+      <path
+        d="M21.3589 23.2633H17.6367C17.5519 23.2637 17.4693 23.2363 17.4015 23.1853C17.3337 23.1344 17.2844 23.0627 17.2611 22.9811L12.9511 8.12111C12.9342 8.06285 12.9311 8.00146 12.942 7.9418C12.953 7.88214 12.9776 7.82583 13.014 7.77733C13.0505 7.72883 13.0977 7.68947 13.1519 7.66236C13.2062 7.63525 13.266 7.62112 13.3267 7.62111H17.0489C17.1336 7.62113 17.216 7.64866 17.2838 7.69955C17.3515 7.75045 17.4009 7.82196 17.4244 7.90333L21.7344 22.7633C21.7513 22.8216 21.7544 22.883 21.7435 22.9426C21.7326 23.0023 21.7079 23.0586 21.6715 23.1071C21.6351 23.1556 21.5879 23.195 21.5336 23.2221C21.4794 23.2492 21.4195 23.2633 21.3589 23.2633Z"
+        fill="currentColor"
+      />
+    </svg>
+  );
+}
+
 function AppLayout() {
-    const [theme, setTheme] = useState<"light" | "dark">(() => {
-        const stored = window.localStorage.getItem("admin_theme");
-        return stored === "dark" ? "dark" : "light";
+  const auth = useAuth();
+  const location = useLocation();
+  const navigate = useNavigate();
+  const profileMenuRef = useRef<HTMLDivElement>(null);
+  const isRenewInFlightRef = useRef(false);
+  const lastRenewAttemptAtRef = useRef(0);
+  const lastVisitedRouteRef = useRef<string | null>(null);
+  const isDevelopmentRuntime = import.meta.env.MODE === "development";
+  const [theme, setTheme] = useState<"light" | "dark">(readShellTheme);
+  const [isProfileOpen, setIsProfileOpen] = useState(false);
+  const [isSidebarCollapsed, setIsSidebarCollapsed] = useState(() =>
+    readShellSidebarCollapsed(false),
+  );
+  const [isSessionExpiryEnabled, setIsSessionExpiryEnabled] = useState(() =>
+    readShellSessionExpiryEnabled(!isDevelopmentRuntime),
+  );
+  const { data: profile } = useQuery({
+    queryKey: ["me"],
+    queryFn: async () => {
+      debugLog("[AppLayout] Fetching profile...");
+      try {
+        const data = await fetchMe();
+        debugLog("[AppLayout] Profile fetched successfully:", data.email);
+        return data;
+      } catch (err) {
+        console.error("[AppLayout] Failed to fetch profile:", err);
+        throw err;
+      }
+    },
+    enabled:
+      (auth.isAuthenticated && !auth.isLoading) ||
+      import.meta.env.MODE === "development" ||
+      (window as Window & typeof globalThis & { _IS_TEST_MODE?: boolean })
+        ._IS_TEST_MODE === true,
+  });
+
+  const navItems = React.useMemo<ShellSidebarNavItem[]>(() => {
+    const items = [...staticNavItems];
+    const _isTest =
+      (window as Window & typeof globalThis & { _IS_TEST_MODE?: boolean })
+        ._IS_TEST_MODE === true;
+    const effectiveRole = profile?.role;
+
+    const isSuperAdmin = isSuperAdminRole(effectiveRole);
+    const _manageableCount = profile?.manageableTenants?.length ?? 0;
+    const showWorksmobile = canAccessWorksmobile({
+      ...profile,
+      role: effectiveRole ?? profile?.role,
+    });
+    const orgfrontUrl = buildAuthenticatedOrgChartUrl(
+      import.meta.env.ORGFRONT_URL || "http://localhost:5175",
+      { includeInternal: false },
+    );
+
+    // Splice optional menus in a standard order
+    items.splice(1, 0, {
+      labelKey: "ui.admin.nav.tenants",
+      labelFallback: "Tenants",
+      to: "/tenants",
+      icon: Building2,
+    });
+    items.splice(2, 0, {
+      labelKey: "ui.admin.nav.org_chart",
+      labelFallback: "Org Chart",
+      to: orgfrontUrl,
+      icon: Network,
+      isExternal: true,
+    });
+    items.splice(3, 0, {
+      labelKey: "ui.admin.nav.worksmobile",
+      labelFallback: "Worksmobile",
+      to: "/worksmobile",
+      icon: LineWorksNavIcon,
+    });
+    items.splice(4, 0, {
+      labelKey: "ui.admin.nav.ory_ssot",
+      labelFallback: "Ory SSOT System",
+      to: "/system/ory-ssot",
+      icon: Database,
+    });
+    items.splice(5, 0, {
+      labelKey: "ui.admin.nav.data_integrity",
+      labelFallback: "Data Integrity",
+      to: "/system/data-integrity",
+      icon: ShieldCheck,
    });

-    useEffect(() => {
-        const root = document.documentElement;
-        root.classList.remove("light", "dark");
-        if (theme === "light") {
-            root.classList.add("light");
-        } else {
-            root.classList.add("dark");
-        }
-        window.localStorage.setItem("admin_theme", theme);
-    }, [theme]);
+    const permissions = profile?.systemPermissions;

-    const toggleTheme = () => {
-        setTheme((prev) => (prev === "light" ? "dark" : "light"));
+    return items.filter((item) => {
+      // Super Admin ALWAYS bypasses and gets full access to everything
+      if (isSuperAdmin) {
+        if (item.to === "/worksmobile") return showWorksmobile;
+        return true;
+      }
+
+      // For others, check their fine-grained systemPermissions
+      if (!permissions) return false;
+
+      if (item.to === "/") return permissions.overview;
+      if (item.to === "/users") return permissions.users;
+      if (item.to === "/auth") return permissions.auth_guard;
+      if (item.to === "/api-keys") return permissions.api_keys;
+      if (item.to === "/audit-logs") return permissions.audit_logs;
+      if (item.to === "/permissions-direct") return false;
+      if (item.to === "/tenants") return permissions.tenants;
+      if (item.to === orgfrontUrl) return permissions.org_chart;
+      if (item.to === "/worksmobile") return permissions.worksmobile;
+      if (item.to === "/system/ory-ssot") return permissions.ory_ssot;
+      if (item.to === "/system/data-integrity")
+        return permissions.data_integrity;
+
+      return true;
+    });
+  }, [profile]);
+
+  const handleLogout = () => {
+    if (
+      window.confirm(t("msg.admin.logout_confirm", "로그아웃 하시겠습니까?"))
+    ) {
+      window.localStorage.removeItem("admin_session");
+      auth.removeUser();
+      navigate("/login");
+    }
+  };
+
+  useEffect(() => {
+    const isTest =
+      (window as Window & typeof globalThis & { _IS_TEST_MODE?: boolean })
+        ._IS_TEST_MODE === true;
+
+    debugLog("[AppLayout] Auth state check:", {
+      isLoading: auth.isLoading,
+      isAuthenticated: auth.isAuthenticated,
+      isTest,
+    });
+
+    if (!auth.isLoading && !auth.isAuthenticated && !isTest) {
+      console.warn("[AppLayout] Not authenticated, redirecting to /login");
+      navigate("/login");
+    }
+  }, [auth.isLoading, auth.isAuthenticated, navigate]);
+
+  useEffect(() => {
+    if (auth.user?.access_token) {
+      window.localStorage.setItem("admin_session", auth.user.access_token);
+    }
+  }, [auth.user]);
+
+  useEffect(() => {
+    applyShellTheme(theme);
+  }, [theme]);
+
+  useEffect(() => {
+    if (!isDevelopmentRuntime) {
+      return;
+    }
+
+    const rerenderDevelopmentShell = () => {
+      // Re-render when locale changes
    };

-    return (
-        <div className="grid min-h-screen bg-background text-foreground md:grid-cols-[240px,1fr]">
-            <aside className="border-b border-border bg-card md:sticky md:top-0 md:h-screen md:border-b-0 md:border-r md:bg-card md:backdrop-blur">
-                <div className="flex items-center justify-between px-5 py-4 md:block md:space-y-6 md:py-6">
-                    <div className="flex items-center gap-3 md:flex-col md:items-start">
-                        <div className="grid h-11 w-11 place-items-center rounded-xl bg-primary/15 text-primary shadow-[0_12px_30px_rgba(54,211,153,0.22)]">
-                            <ShieldHalf size={20} />
-                        </div>
-                        <div>
-                            <p className="text-xs uppercase tracking-[0.18em] text-muted-foreground">
-                                Baron 로그인
-                            </p>
-                            <h1 className="text-lg font-semibold">
-                                Admin Control
-                            </h1>
-                        </div>
-                    </div>
-                    <div className="hidden rounded-full border border-border px-3 py-2 text-xs text-muted-foreground md:inline-flex md:items-center md:gap-2">
-                        <BadgeCheck size={14} />
-                        Scoped to /admin
-                    </div>
-                </div>
-                <nav className="px-2 pb-4 md:px-3 md:pb-8">
-                    <div className="flex flex-wrap gap-2 px-3 pb-4 text-[11px] text-muted-foreground md:flex-col md:items-start">
-                        <span className="rounded-full border border-border px-3 py-1">
-                            IDP env: prod
-                        </span>
-                        <span className="rounded-full border border-border px-3 py-1">
-                            Tenant-aware headers
-                        </span>
-                    </div>
-                    <div className="flex flex-col gap-1">
-                        {navItems.map(({ label, to, icon: Icon }) => (
-                            <NavLink
-                                key={to}
-                                to={to}
-                                className={({ isActive }) =>
-                                    [
-                                        "flex items-center gap-3 rounded-xl px-3 py-3 text-sm transition",
-                                        isActive
-                                            ? "bg-primary/10 text-primary shadow-[0_12px_40px_rgba(54,211,153,0.18)]"
-                                            : "text-muted-foreground hover:bg-muted/10 hover:text-foreground",
-                                    ].join(" ")
-                                }
-                            >
-                                <Icon size={18} />
-                                <span>{label}</span>
-                            </NavLink>
-                        ))}
-                    </div>
-                </nav>
-                <div className="hidden space-y-2 px-5 pb-6 text-xs text-[var(--color-muted)] md:block">
-                    <p>관리 기능은 /admin 네임스페이스에서만 노출합니다.</p>
-                    <p>
-                        IDP 관리 키는 서버 내부 래핑 API로만 사용하며, 감사·
-                        레이트리밋을 기본 적용합니다.
-                    </p>
-                </div>
-            </aside>
+    window.addEventListener(LOCALE_CHANGED_EVENT, rerenderDevelopmentShell);

-            <div className="relative">
-                <header className="sticky top-0 z-20 border-b border-border bg-background/90 backdrop-blur">
-                    <div className="flex items-center justify-between px-5 py-4 md:px-8">
-                        <div className="flex flex-col gap-1">
-                            <p className="text-xs uppercase tracking-[0.22em] text-muted-foreground">
-                                Admin Plane
-                            </p>
-                            <span className="text-lg font-semibold">
-                                Tenant isolation & least privilege by default
-                            </span>
-                        </div>
-                        <div className="flex items-center gap-2 text-sm">
-                            <button
-                                type="button"
-                                onClick={toggleTheme}
-                                className="inline-flex items-center gap-2 rounded-full border border-border px-3 py-2 text-muted-foreground transition hover:bg-muted/20"
-                                aria-label="테마 전환"
-                            >
-                                {theme === "light" ? (
-                                    <Sun size={16} />
-                                ) : (
-                                    <Moon size={16} />
-                                )}
-                                {theme === "light" ? "Light" : "Dark"}
-                            </button>
-                            <span className="rounded-full border border-border px-3 py-2 text-muted-foreground">
-                                Session TTL: 15m admin
-                            </span>
-                        </div>
-                    </div>
-                </header>
-                <main className="px-5 py-6 md:px-10 md:py-10">
-                    <Outlet />
-                </main>
-                <RoleSwitcher />
-            </div>
-        </div>
+    return () => {
+      window.removeEventListener(
+        LOCALE_CHANGED_EVENT,
+        rerenderDevelopmentShell,
+      );
+    };
+  }, []);
+
+  useEffect(() => {
+    const handleClickOutside = (event: MouseEvent) => {
+      if (
+        profileMenuRef.current &&
+        !profileMenuRef.current.contains(event.target as Node)
+      ) {
+        setIsProfileOpen(false);
+      }
+    };
+
+    document.addEventListener("mousedown", handleClickOutside);
+    return () => {
+      document.removeEventListener("mousedown", handleClickOutside);
+    };
+  }, []);
+
+  useEffect(() => {
+    const maybeRenewSession = async () => {
+      const now = Date.now();
+      if (
+        !shouldAttemptSlidingSessionRenew({
+          expiresAtSec: auth.user?.expires_at,
+          nowMs: now,
+          isEnabled: isSessionExpiryEnabled,
+          isAuthenticated: auth.isAuthenticated,
+          isLoading: auth.isLoading,
+          isRenewInFlight: isRenewInFlightRef.current,
+          lastAttemptAtMs: lastRenewAttemptAtRef.current,
+        })
+      ) {
+        return;
+      }
+
+      isRenewInFlightRef.current = true;
+      lastRenewAttemptAtRef.current = now;
+
+      try {
+        await auth.signinSilent();
+      } catch (error) {
+        console.error("세션 자동 연장에 실패했습니다.", error);
+      } finally {
+        isRenewInFlightRef.current = false;
+      }
+    };
+
+    const handleUserAction = () => {
+      void maybeRenewSession();
+    };
+
+    window.addEventListener("pointerdown", handleUserAction);
+    window.addEventListener("keydown", handleUserAction);
+
+    return () => {
+      window.removeEventListener("pointerdown", handleUserAction);
+      window.removeEventListener("keydown", handleUserAction);
+    };
+  }, [
+    auth,
+    auth.isAuthenticated,
+    auth.isLoading,
+    auth.user?.expires_at,
+    isSessionExpiryEnabled,
+  ]);
+
+  useEffect(() => {
+    if (isDevelopmentRuntime) {
+      return;
+    }
+
+    const maybeKeepSessionAlive = async () => {
+      const now = Date.now();
+      if (
+        !shouldAttemptUnlimitedSessionRenew({
+          expiresAtSec: auth.user?.expires_at,
+          nowMs: now,
+          isEnabled: isSessionExpiryEnabled,
+          isAuthenticated: auth.isAuthenticated,
+          isLoading: auth.isLoading,
+          isRenewInFlight: isRenewInFlightRef.current,
+          lastAttemptAtMs: lastRenewAttemptAtRef.current,
+        })
+      ) {
+        return;
+      }
+
+      isRenewInFlightRef.current = true;
+      lastRenewAttemptAtRef.current = now;
+
+      try {
+        await auth.signinSilent();
+      } catch (error) {
+        console.error("세션 무제한 유지 갱신에 실패했습니다.", error);
+      } finally {
+        isRenewInFlightRef.current = false;
+      }
+    };
+
+    const timer = window.setInterval(() => {
+      void maybeKeepSessionAlive();
+    }, 30_000);
+
+    void maybeKeepSessionAlive();
+
+    return () => {
+      window.clearInterval(timer);
+    };
+  }, [
+    auth,
+    auth.isAuthenticated,
+    auth.isLoading,
+    auth.user?.expires_at,
+    isSessionExpiryEnabled,
+  ]);
+
+  useEffect(() => {
+    const routeKey = `${location.pathname}${location.search}${location.hash}`;
+    if (lastVisitedRouteRef.current === null) {
+      lastVisitedRouteRef.current = routeKey;
+      return;
+    }
+
+    if (lastVisitedRouteRef.current === routeKey) {
+      return;
+    }
+
+    lastVisitedRouteRef.current = routeKey;
+
+    const now = Date.now();
+    if (
+      !shouldAttemptSlidingSessionRenew({
+        expiresAtSec: auth.user?.expires_at,
+        nowMs: now,
+        isEnabled: isSessionExpiryEnabled,
+        isAuthenticated: auth.isAuthenticated,
+        isLoading: auth.isLoading,
+        isRenewInFlight: isRenewInFlightRef.current,
+        lastAttemptAtMs: lastRenewAttemptAtRef.current,
+      })
+    ) {
+      return;
+    }
+
+    isRenewInFlightRef.current = true;
+    lastRenewAttemptAtRef.current = now;
+
+    void auth
+      .signinSilent()
+      .catch((error) => {
+        console.error("세션 자동 연장에 실패했습니다.", error);
+      })
+      .finally(() => {
+        isRenewInFlightRef.current = false;
+      });
+  }, [
+    auth,
+    auth.isAuthenticated,
+    auth.isLoading,
+    auth.user?.expires_at,
+    isSessionExpiryEnabled,
+    location.hash,
+    location.pathname,
+    location.search,
+  ]);
+
+  const toggleTheme = () => {
+    setTheme((prev) => (prev === "light" ? "dark" : "light"));
+  };
+
+  const profileSummary = buildShellProfileSummary({
+    profileName:
+      profile?.name ||
+      auth.user?.profile.name?.toString() ||
+      auth.user?.profile.preferred_username?.toString(),
+    profileEmail: profile?.email || auth.user?.profile.email?.toString(),
+    fallbackName: t("ui.shell.profile.unknown_name", "Unknown User"),
+    fallbackEmail: t("ui.shell.profile.unknown_email", "unknown@example.com"),
+  });
+  const profileRoleKey = profile?.role || "user";
+  const handleSessionExpiryToggle = () => {
+    setIsSessionExpiryEnabled((prev) => {
+      const next = !prev;
+      writeShellSessionExpiryEnabled(next);
+      return next;
+    });
+  };
+  const handleSidebarToggle = () => {
+    setIsSidebarCollapsed((prev) => {
+      const next = !prev;
+      writeShellSidebarCollapsed(next);
+      return next;
+    });
+  };
+  const sidebarNavContent = (
+    <div className={shellLayoutClasses.navList}>
+      {navItems.map((item) => {
+        const { labelKey, labelFallback, to, icon: Icon, isExternal } = item;
+        const label = t(labelKey, labelFallback);
+
+        if (isExternal) {
+          return (
+            <a
+              key={to}
+              href={to}
+              target="_blank"
+              rel="noopener noreferrer"
+              className={[
+                shellLayoutClasses.navItemBase,
+                isSidebarCollapsed
+                  ? shellLayoutClasses.navItemBaseCollapsed
+                  : "",
+                shellLayoutClasses.navItemIdle,
+              ].join(" ")}
+              title={label}
+              aria-label={label}
+            >
+              <Icon size={18} />
+              <span className={isSidebarCollapsed ? "sr-only" : ""}>
+                {label}
+              </span>
+            </a>
+          );
+        }
+
+        return (
+          <NavLink
+            key={to}
+            to={to}
+            end={item.end ?? to === "/"}
+            className={({ isActive }) =>
+              [
+                shellLayoutClasses.navItemBase,
+                isSidebarCollapsed
+                  ? shellLayoutClasses.navItemBaseCollapsed
+                  : "",
+                item.isActive !== undefined
+                  ? item.isActive
+                    ? shellLayoutClasses.navItemActive
+                    : shellLayoutClasses.navItemIdle
+                  : isActive
+                    ? shellLayoutClasses.navItemActive
+                    : shellLayoutClasses.navItemIdle,
+              ].join(" ")
+            }
+            title={label}
+            aria-label={label}
+          >
+            <Icon size={18} />
+            <span className={isSidebarCollapsed ? "sr-only" : ""}>{label}</span>
+          </NavLink>
+        );
+      })}
+    </div>
+  );
+  const sidebarFooterContent = (
+    <div className="border-t border-border/50 px-3 pt-4">
+      <button
+        type="button"
+        onClick={handleLogout}
+        className={
+          isSidebarCollapsed
+            ? shellLayoutClasses.logoutButtonCollapsed
+            : shellLayoutClasses.logoutButton
+        }
+        title={t("ui.shell.nav.logout", "Logout")}
+      >
+        <LogOut size={18} />
+        <span className={isSidebarCollapsed ? "sr-only" : ""}>
+          {t("ui.shell.nav.logout", "Logout")}
+        </span>
+      </button>
+    </div>
+  );
+
+  if (auth.isLoading) {
+    return (
+      <div className="flex h-screen items-center justify-center bg-background">
+        <div className="h-8 w-8 animate-spin rounded-full border-4 border-primary/30 border-t-primary" />
+      </div>
    );
+  }
+
+  return (
+    <div
+      className={
+        isSidebarCollapsed
+          ? shellLayoutClasses.rootCollapsed
+          : shellLayoutClasses.root
+      }
+    >
+      <AppSidebar
+        brandLabel={t("ui.admin.brand", "Baron 로그인")}
+        brandTitle={t("ui.admin.title", "Admin Control")}
+        brandIcon={<ShieldHalf size={20} />}
+        navContent={sidebarNavContent}
+        footerContent={sidebarFooterContent}
+        collapsed={isSidebarCollapsed}
+        onToggleCollapsed={handleSidebarToggle}
+        collapseLabel={t("ui.shell.sidebar.collapse", "사이드바 접기")}
+        expandLabel={t("ui.shell.sidebar.expand", "사이드바 펼치기")}
+      />
+
+      <div className={shellLayoutClasses.contentWide}>
+        <header className={shellLayoutClasses.headerElevated}>
+          <div className={shellLayoutClasses.headerInner}>
+            <div className={shellLayoutClasses.headerTitleWrap}>
+              <p className="text-xs uppercase tracking-[0.22em] text-muted-foreground">
+                {t("ui.admin.header.plane", "ADMIN PLANE")}
+              </p>
+              <span className="text-lg font-semibold">
+                {t("ui.admin.header.subtitle", "Manage your organization")}
+              </span>
+            </div>
+
+            <div className={shellLayoutClasses.headerActions}>
+              <LanguageSelector />
+              <button
+                type="button"
+                onClick={toggleTheme}
+                className={shellLayoutClasses.actionButton}
+                aria-label={t("ui.common.theme_toggle", "테마 전환")}
+              >
+                {theme === "light" ? <Sun size={16} /> : <Moon size={16} />}
+                {theme === "light"
+                  ? t("ui.common.theme_light", "Light")
+                  : t("ui.common.theme_dark", "Dark")}
+              </button>
+              {isSessionExpiryEnabled ? (
+                <SessionStatusBadge
+                  expiresAtSec={auth.user?.expires_at}
+                  t={t}
+                />
+              ) : null}
+              <div className="relative" ref={profileMenuRef}>
+                <button
+                  type="button"
+                  onClick={() => setIsProfileOpen((prev) => !prev)}
+                  className="inline-flex items-center gap-3 rounded-full border border-border bg-card px-3 py-2 transition hover:bg-muted/20"
+                  aria-haspopup="menu"
+                  aria-expanded={isProfileOpen}
+                  aria-label={t("ui.shell.profile.menu_aria", "계정 메뉴 열기")}
+                >
+                  <div className={shellLayoutClasses.profileInitial}>
+                    {profileSummary.initial}
+                  </div>
+                  <div className="hidden min-w-0 text-left md:block">
+                    <p className="truncate text-xs font-medium text-foreground">
+                      {profileSummary.name}
+                    </p>
+                    <p className="truncate text-[11px] text-muted-foreground">
+                      {profileSummary.email}
+                    </p>
+                  </div>
+                  <ChevronDown
+                    size={14}
+                    className={`transition-transform duration-200 ${isProfileOpen ? "rotate-180" : ""}`}
+                  />
+                </button>
+
+                {isProfileOpen ? (
+                  <div role="menu" className={shellLayoutClasses.profileMenu}>
+                    <p className="text-xs uppercase tracking-[0.16em] text-muted-foreground">
+                      {t("ui.shell.profile.menu_title", "Account")}
+                    </p>
+                    <div className={shellLayoutClasses.profileCard}>
+                      <div>
+                        <p className="truncate text-sm font-semibold text-foreground">
+                          {profileSummary.name}
+                        </p>
+                        <p className="truncate text-xs text-muted-foreground">
+                          {profileSummary.email}
+                        </p>
+                      </div>
+                      <div className="flex items-center pt-1">
+                        <span className="inline-flex items-center rounded-full bg-sky-500/10 px-2.5 py-1 text-[10px] font-semibold text-sky-700 dark:text-sky-300">
+                          {t(
+                            `ui.shell.role.${profileRoleKey}`,
+                            profileRoleKey.toUpperCase(),
+                          )}
+                        </span>
+                      </div>
+                    </div>
+
+                    <div className={shellLayoutClasses.settingsCard}>
+                      <div className="flex items-center justify-between gap-3">
+                        <div>
+                          <p className="text-sm font-medium text-foreground">
+                            {t(
+                              "ui.shell.session.auto_extend",
+                              "세션 만료 관리",
+                            )}
+                          </p>
+                          <p className="text-xs text-muted-foreground">
+                            {isSessionExpiryEnabled ? (
+                              <SessionStatusText
+                                expiresAtSec={auth.user?.expires_at}
+                                t={t}
+                              />
+                            ) : (
+                              t(
+                                "ui.shell.session.disabled",
+                                "세션 만료 비활성화",
+                              )
+                            )}
+                          </p>
+                        </div>
+                        <button
+                          type="button"
+                          role="switch"
+                          aria-checked={isSessionExpiryEnabled}
+                          onClick={handleSessionExpiryToggle}
+                          className={[
+                            "relative inline-flex h-6 w-11 shrink-0 items-center rounded-full transition",
+                            isSessionExpiryEnabled ? "bg-primary" : "bg-muted",
+                          ].join(" ")}
+                        >
+                          <span
+                            className={[
+                              "inline-block h-5 w-5 rounded-full bg-white transition",
+                              isSessionExpiryEnabled
+                                ? "translate-x-5"
+                                : "translate-x-1",
+                            ].join(" ")}
+                          />
+                        </button>
+                      </div>
+                    </div>
+
+                    {profile?.manageableTenants &&
+                    profile.manageableTenants.length > 0 ? (
+                      <div className="mt-2 rounded-lg border border-border px-3 py-3">
+                        <p className="mb-2 text-xs uppercase tracking-[0.16em] text-muted-foreground">
+                          {t(
+                            "ui.admin.profile.manageable_tenants",
+                            "Manageable Tenants",
+                          )}
+                        </p>
+                        <div className="max-h-40 space-y-1 overflow-y-auto pr-1">
+                          {profile.manageableTenants.map((tenant) => (
+                            <button
+                              key={tenant.id}
+                              type="button"
+                              onClick={() => {
+                                setIsProfileOpen(false);
+                                navigate(`/tenants/${tenant.id}`);
+                              }}
+                              className="flex w-full items-center gap-2 rounded-lg px-2 py-1.5 text-left text-sm text-foreground transition hover:bg-muted/20"
+                            >
+                              <div className="flex h-6 w-6 shrink-0 items-center justify-center rounded bg-muted text-muted-foreground">
+                                {tenant.type === "USER_GROUP" ? (
+                                  <Users size={13} />
+                                ) : (
+                                  <Building2 size={13} />
+                                )}
+                              </div>
+                              <div className="min-w-0">
+                                <p className="truncate font-medium">
+                                  {tenant.name}
+                                </p>
+                                <p className="truncate text-xs text-muted-foreground">
+                                  {tenant.slug}
+                                </p>
+                              </div>
+                            </button>
+                          ))}
+                        </div>
+                      </div>
+                    ) : null}
+
+                    <button
+                      type="button"
+                      onClick={() => {
+                        setIsProfileOpen(false);
+                        navigate(
+                          `/users/${profile?.id || auth.user?.profile.sub}`,
+                        );
+                      }}
+                      className="mt-2 flex w-full items-center gap-2 rounded-lg border border-border px-3 py-2 text-left text-sm text-foreground transition hover:bg-muted/20"
+                    >
+                      <UserIcon size={16} className="text-muted-foreground" />
+                      <span>{t("ui.shell.nav.profile", "내 정보")}</span>
+                    </button>
+                    <button
+                      type="button"
+                      onClick={() => {
+                        setIsProfileOpen(false);
+                        handleLogout();
+                      }}
+                      className="mt-2 flex w-full items-center gap-2 rounded-lg border border-border px-3 py-2 text-left text-sm text-muted-foreground transition hover:bg-destructive/10 hover:text-destructive"
+                    >
+                      <LogOut size={16} />
+                      <span>{t("ui.shell.nav.logout", "Logout")}</span>
+                    </button>
+                  </div>
+                ) : null}
+              </div>
+            </div>
+          </div>
+        </header>
+        <main className={shellLayoutClasses.mainMinWidth}>
+          <Outlet context={isSidebarCollapsed} />
+        </main>
+      </div>
+    </div>
+  );
 }

 export default AppLayout;
--- a/adminfront/src/components/layout/RoleSwitcher.tsx
+++ b/adminfront/src/components/layout/RoleSwitcher.tsx
@@ -1,68 +0,0 @@
-import React, { useState, useEffect } from 'react';
-
-const RoleSwitcher: React.FC = () => {
-  const [currentRole, setCurrentRole] = useState<string>('super_admin');
-
-  useEffect(() => {
-    // localStorage에서 역할 읽기
-    const savedRole = window.localStorage.getItem('X-Mock-Role');
-    if (savedRole) {
-      setCurrentRole(savedRole);
-    } else {
-      // 기본값 설정
-      window.localStorage.setItem('X-Mock-Role', 'super_admin');
-    }
-  }, []);
-
-  const switchRole = (role: string) => {
-    // localStorage 설정
-    window.localStorage.setItem('X-Mock-Role', role);
-    setCurrentRole(role);
-    // 페이지 새로고침하여 권한 적용
-    window.location.reload();
-  };
-
-  if (import.meta.env.MODE === 'production') return null;
-
-  return (
-    <div style={{
-      position: 'fixed',
-      bottom: '20px',
-      right: '20px',
-      zIndex: 9999,
-      background: '#1A1F2C',
-      color: 'white',
-      padding: '10px',
-      borderRadius: '8px',
-      boxShadow: '0 4px 12px rgba(0,0,0,0.3)',
-      display: 'flex',
-      flexDirection: 'column',
-      gap: '8px',
-      fontSize: '12px'
-    }}>
-      <div style={{ fontWeight: 'bold', borderBottom: '1px solid #444', paddingBottom: '4px', marginBottom: '4px' }}>
-        🛠 DEV Role Switcher
-      </div>
-      {(['super_admin', 'tenant_admin', 'rp_admin', 'tenant_member'] as const).map(role => (
-        <button
-          key={role}
-          onClick={() => switchRole(role)}
-          style={{
-            background: currentRole === role ? '#3b82f6' : '#333',
-            color: 'white',
-            border: 'none',
-            padding: '4px 8px',
-            borderRadius: '4px',
-            cursor: 'pointer',
-            textAlign: 'left',
-            transition: 'background 0.2s'
-          }}
-        >
-          {role.toUpperCase().replace('_', ' ')} {currentRole === role ? '✅' : ''}
-        </button>
-      ))}
-    </div>
-  );
-};
-
-export default RoleSwitcher;
--- a/adminfront/src/components/ui/avatar.test.tsx
+++ b/adminfront/src/components/ui/avatar.test.tsx
@@ -0,0 +1,49 @@
+import type React from "react";
+import { act } from "react";
+import { createRoot } from "react-dom/client";
+import { afterEach, describe, expect, it } from "vitest";
+import { Avatar, AvatarFallback, AvatarImage } from "./avatar";
+
+let container: HTMLDivElement | null = null;
+
+const render = async (element: React.ReactElement) => {
+  container = document.createElement("div");
+  document.body.appendChild(container);
+  const root = createRoot(container);
+  await act(async () => {
+    root.render(element);
+  });
+  return root;
+};
+
+afterEach(() => {
+  if (container) {
+    container.remove();
+    container = null;
+  }
+});
+
+describe("Avatar", () => {
+  it("renders image and fallback with merged classes", async () => {
+    const root = await render(
+      <Avatar className="custom-root" data-testid="avatar">
+        <AvatarImage
+          alt="Admin user"
+          className="custom-image"
+          src="/avatar.png"
+        />
+        <AvatarFallback className="custom-fallback">AU</AvatarFallback>
+      </Avatar>,
+    );
+
+    const avatar = container?.querySelector("[data-testid='avatar']");
+    const fallback = container?.textContent;
+
+    expect(avatar?.className).toContain("custom-root");
+    expect(fallback).toContain("AU");
+
+    await act(async () => {
+      root.unmount();
+    });
+  });
+});
--- a/adminfront/src/components/ui/avatar.tsx
+++ b/adminfront/src/components/ui/avatar.tsx
@@ -44,4 +44,4 @@ const AvatarFallback = React.forwardRef<
 ));
 AvatarFallback.displayName = AvatarPrimitive.Fallback.displayName;

-export { Avatar, AvatarImage, AvatarFallback };
+export { Avatar, AvatarFallback, AvatarImage };
--- a/adminfront/src/components/ui/badge.test.tsx
+++ b/adminfront/src/components/ui/badge.test.tsx
@@ -0,0 +1,26 @@
+import { render, screen } from "@testing-library/react";
+import { describe, expect, it } from "vitest";
+import { Badge } from "./badge";
+
+describe("Badge Component", () => {
+  it("renders correctly with children", () => {
+    render(<Badge>Active</Badge>);
+    expect(screen.getByText("Active")).toBeInTheDocument();
+  });
+
+  it("applies variant classes correctly", () => {
+    const { rerender } = render(<Badge variant="secondary">Secondary</Badge>);
+    let badge = screen.getByText("Secondary");
+    expect(badge).toHaveClass("bg-secondary");
+
+    rerender(<Badge variant="outline">Default</Badge>);
+    badge = screen.getByText("Default");
+    expect(badge).toHaveClass("text-foreground");
+  });
+
+  it("applies custom className", () => {
+    render(<Badge className="custom-class">Custom</Badge>);
+    const badge = screen.getByText("Custom");
+    expect(badge).toHaveClass("custom-class");
+  });
+});
--- a/adminfront/src/components/ui/badge.tsx
+++ b/adminfront/src/components/ui/badge.tsx
@@ -1,38 +1,21 @@
-import { type VariantProps, cva } from "class-variance-authority";
 import type * as React from "react";
+import {
+  type CommonBadgeVariant,
+  getCommonBadgeClasses,
+} from "../../../../common/ui/badge";
 import { cn } from "../../lib/utils";

-const badgeVariants = cva(
-  "inline-flex items-center rounded-full border px-2.5 py-0.5 text-xs font-semibold transition-colors focus:outline-none focus:ring-2 focus:ring-ring focus:ring-offset-2",
-  {
-    variants: {
-      variant: {
-        default:
-          "border-transparent bg-primary text-primary-foreground shadow hover:bg-primary/90",
-        secondary:
-          "border-transparent bg-secondary text-secondary-foreground hover:bg-secondary/80",
-        outline: "text-foreground",
-        muted: "border-border bg-secondary/60 text-muted-foreground",
-        success:
-          "border-transparent bg-emerald-100 text-emerald-700 dark:bg-emerald-900/40 dark:text-emerald-300",
-        warning:
-          "border-transparent bg-amber-100 text-amber-700 dark:bg-amber-900/40 dark:text-amber-200",
-      },
-    },
-    defaultVariants: {
-      variant: "default",
-    },
-  },
-);
-
-export interface BadgeProps
-  extends React.HTMLAttributes<HTMLDivElement>,
-    VariantProps<typeof badgeVariants> {}
+export interface BadgeProps extends React.HTMLAttributes<HTMLDivElement> {
+  variant?: CommonBadgeVariant;
+}

 function Badge({ className, variant, ...props }: BadgeProps) {
  return (
-    <div className={cn(badgeVariants({ variant }), className)} {...props} />
+    <div
+      className={cn(getCommonBadgeClasses({ variant }), className)}
+      {...props}
+    />
  );
 }

-export { Badge, badgeVariants };
+export { Badge };
--- a/adminfront/src/components/ui/button.test.tsx
+++ b/adminfront/src/components/ui/button.test.tsx
@@ -0,0 +1,38 @@
+import { render, screen } from "@testing-library/react";
+import userEvent from "@testing-library/user-event";
+import { describe, expect, it, vi } from "vitest";
+import { Button } from "./button";
+
+describe("Button Component", () => {
+  it("renders correctly with children", () => {
+    render(<Button>Click me</Button>);
+    expect(
+      screen.getByRole("button", { name: /click me/i }),
+    ).toBeInTheDocument();
+  });
+
+  it("applies variant classes correctly", () => {
+    const { rerender } = render(<Button variant="destructive">Delete</Button>);
+    const button = screen.getByRole("button", { name: /delete/i });
+    expect(button).toHaveClass("bg-destructive");
+
+    rerender(<Button variant="outline">Cancel</Button>);
+    const outlineButton = screen.getByRole("button", { name: /cancel/i });
+    expect(outlineButton).toHaveClass("border-input");
+  });
+
+  it("calls onClick when clicked", async () => {
+    const onClick = vi.fn();
+    const user = userEvent.setup();
+    render(<Button onClick={onClick}>Click me</Button>);
+
+    await user.click(screen.getByRole("button", { name: /click me/i }));
+    expect(onClick).toHaveBeenCalledTimes(1);
+  });
+
+  it("is disabled when the disabled prop is passed", () => {
+    render(<Button disabled>Disabled Button</Button>);
+    const button = screen.getByRole("button", { name: /disabled button/i });
+    expect(button).toBeDisabled();
+  });
+});
--- a/adminfront/src/components/ui/button.tsx
+++ b/adminfront/src/components/ui/button.tsx
@@ -1,41 +1,16 @@
 import { Slot } from "@radix-ui/react-slot";
-import { type VariantProps, cva } from "class-variance-authority";
 import * as React from "react";
+import {
+  type CommonButtonSize,
+  type CommonButtonVariant,
+  getCommonButtonClasses,
+} from "../../../../common/ui/button";
 import { cn } from "../../lib/utils";

-const buttonVariants = cva(
-  "inline-flex items-center justify-center gap-2 whitespace-nowrap rounded-md text-sm font-semibold transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring focus-visible:ring-offset-2 disabled:pointer-events-none disabled:opacity-50 ring-offset-background",
-  {
-    variants: {
-      variant: {
-        default:
-          "bg-primary text-primary-foreground shadow hover:bg-primary/90",
-        secondary:
-          "bg-secondary text-secondary-foreground hover:bg-secondary/80",
-        outline:
-          "border border-input bg-background hover:bg-accent hover:text-accent-foreground",
-        ghost: "hover:bg-accent hover:text-accent-foreground",
-        destructive:
-          "bg-destructive text-destructive-foreground hover:bg-destructive/90",
-        muted: "bg-muted text-muted-foreground hover:bg-muted/80",
-      },
-      size: {
-        default: "h-10 px-4 py-2",
-        sm: "h-9 rounded-md px-3",
-        lg: "h-11 rounded-md px-6 text-base",
-        icon: "h-10 w-10",
-      },
-    },
-    defaultVariants: {
-      variant: "default",
-      size: "default",
-    },
-  },
-);
-
 export interface ButtonProps
-  extends React.ButtonHTMLAttributes<HTMLButtonElement>,
-    VariantProps<typeof buttonVariants> {
+  extends React.ButtonHTMLAttributes<HTMLButtonElement> {
+  variant?: CommonButtonVariant;
+  size?: CommonButtonSize;
  asChild?: boolean;
 }

@@ -44,7 +19,7 @@ const Button = React.forwardRef<HTMLButtonElement, ButtonProps>(
    const Comp = asChild ? Slot : "button";
    return (
      <Comp
-        className={cn(buttonVariants({ variant, size, className }))}
+        className={cn(getCommonButtonClasses({ variant, size }), className)}
        ref={ref}
        {...props}
      />
@@ -53,4 +28,4 @@ const Button = React.forwardRef<HTMLButtonElement, ButtonProps>(
 );
 Button.displayName = "Button";

-export { Button, buttonVariants };
+export { Button };
--- a/adminfront/src/components/ui/card.test.tsx
+++ b/adminfront/src/components/ui/card.test.tsx
@@ -0,0 +1,35 @@
+import { render, screen } from "@testing-library/react";
+import { describe, expect, it } from "vitest";
+import {
+  Card,
+  CardContent,
+  CardDescription,
+  CardFooter,
+  CardHeader,
+  CardTitle,
+} from "./card";
+
+describe("Card Component", () => {
+  it("renders card structure correctly", () => {
+    render(
+      <Card>
+        <CardHeader>
+          <CardTitle>Card Title</CardTitle>
+          <CardDescription>Card Description</CardDescription>
+        </CardHeader>
+        <CardContent>Card Content</CardContent>
+        <CardFooter>Card Footer</CardFooter>
+      </Card>,
+    );
+
+    expect(screen.getByText("Card Title")).toBeInTheDocument();
+    expect(screen.getByText("Card Description")).toBeInTheDocument();
+    expect(screen.getByText("Card Content")).toBeInTheDocument();
+    expect(screen.getByText("Card Footer")).toBeInTheDocument();
+  });
+
+  it("applies custom className to Card", () => {
+    const { container } = render(<Card className="custom-card" />);
+    expect(container.firstChild).toHaveClass("custom-card");
+  });
+});
--- a/adminfront/src/components/ui/card.tsx
+++ b/adminfront/src/components/ui/card.tsx
@@ -1,72 +1,58 @@
 import type * as React from "react";
+import {
+  commonCardClass,
+  commonCardContentClass,
+  commonCardDescriptionClass,
+  commonCardFooterClass,
+  commonCardHeaderClass,
+  commonCardTitleClass,
+} from "../../../../common/ui/card";
 import { cn } from "../../lib/utils";

 function Card({ className, ...props }: React.HTMLAttributes<HTMLDivElement>) {
-  return (
-    <div
-      className={cn(
-        "rounded-2xl border border-border bg-card/90 text-card-foreground shadow-card",
-        className,
-      )}
-      {...props}
-    />
-  );
+  return <div className={cn(commonCardClass, className)} {...props} />;
 }

 function CardHeader({
  className,
  ...props
 }: React.HTMLAttributes<HTMLDivElement>) {
-  return (
-    <div
-      className={cn("flex flex-col space-y-1.5 p-6", className)}
-      {...props}
-    />
-  );
+  return <div className={cn(commonCardHeaderClass, className)} {...props} />;
 }

 function CardTitle({
  className,
  ...props
 }: React.HTMLAttributes<HTMLHeadingElement>) {
-  return (
-    <h3
-      className={cn("text-lg font-semibold leading-none", className)}
-      {...props}
-    />
-  );
+  return <h3 className={cn(commonCardTitleClass, className)} {...props} />;
 }

 function CardDescription({
  className,
  ...props
 }: React.HTMLAttributes<HTMLParagraphElement>) {
-  return (
-    <p className={cn("text-sm text-muted-foreground", className)} {...props} />
-  );
+  return <p className={cn(commonCardDescriptionClass, className)} {...props} />;
 }

 function CardContent({
  className,
  ...props
 }: React.HTMLAttributes<HTMLDivElement>) {
-  return <div className={cn("p-6 pt-0", className)} {...props} />;
+  return <div className={cn(commonCardContentClass, className)} {...props} />;
 }

 function CardFooter({
  className,
  ...props
 }: React.HTMLAttributes<HTMLDivElement>) {
-  return (
-    <div className={cn("flex items-center p-6 pt-0", className)} {...props} />
-  );
+  return <div className={cn(commonCardFooterClass, className)} {...props} />;
 }

 export {
  Card,
+  CardContent,
+  CardDescription,
+  CardFooter,
  CardHeader,
  CardTitle,
-  CardDescription,
-  CardContent,
-  CardFooter,
 };
--- a/adminfront/src/components/ui/checkbox.test.tsx
+++ b/adminfront/src/components/ui/checkbox.test.tsx
@@ -0,0 +1,19 @@
+import { render, screen } from "@testing-library/react";
+import { describe, expect, it } from "vitest";
+import { Checkbox } from "./checkbox";
+
+describe("Checkbox Component", () => {
+  it("adds a fallback id for browser autofill diagnostics", () => {
+    render(<Checkbox aria-label="Select row" />);
+
+    expect(screen.getByRole("checkbox")).toHaveAttribute("id");
+  });
+
+  it("keeps explicit id and name values", () => {
+    render(<Checkbox id="explicit-checkbox" name="explicit-name" />);
+    const checkbox = screen.getByRole("checkbox");
+
+    expect(checkbox).toHaveAttribute("id", "explicit-checkbox");
+    expect(checkbox).toHaveAttribute("name", "explicit-name");
+  });
+});
--- a/adminfront/src/components/ui/checkbox.tsx
+++ b/adminfront/src/components/ui/checkbox.tsx
@@ -0,0 +1,36 @@
+import * as React from "react";
+import { cn } from "../../lib/utils";
+
+export interface CheckboxProps
+  extends Omit<React.InputHTMLAttributes<HTMLInputElement>, "onChange"> {
+  onCheckedChange?: (checked: boolean | "indeterminate") => void;
+}
+
+const Checkbox = React.forwardRef<HTMLInputElement, CheckboxProps>(
+  ({ className, onCheckedChange, id, name, ...props }, ref) => {
+    const fallbackId = React.useId();
+    const fieldId = id ?? (name ? undefined : fallbackId);
+
+    const handleChange = (e: React.ChangeEvent<HTMLInputElement>) => {
+      onCheckedChange?.(e.target.checked);
+    };
+
+    return (
+      <input
+        id={fieldId}
+        name={name}
+        type="checkbox"
+        className={cn(
+          "peer h-4 w-4 shrink-0 rounded-sm border border-primary ring-offset-background focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring focus-visible:ring-offset-2 disabled:cursor-not-allowed disabled:opacity-50 accent-primary",
+          className,
+        )}
+        onChange={handleChange}
+        ref={ref}
+        {...props}
+      />
+    );
+  },
+);
+Checkbox.displayName = "Checkbox";
+
+export { Checkbox };
--- a/adminfront/src/components/ui/dialog.focus-scope.test.tsx
+++ b/adminfront/src/components/ui/dialog.focus-scope.test.tsx
@@ -0,0 +1,23 @@
+import { render, screen } from "@testing-library/react";
+import { describe, expect, it } from "vitest";
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogTitle,
+} from "./dialog";
+
+describe("Dialog FocusScope integration", () => {
+  it("mounts an open dialog without a ref update loop", () => {
+    render(
+      <Dialog open>
+        <DialogContent>
+          <DialogTitle>Focus scope check</DialogTitle>
+          <DialogDescription>Dialog content is mounted.</DialogDescription>
+        </DialogContent>
+      </Dialog>,
+    );
+
+    expect(screen.getByText("Focus scope check")).toBeInTheDocument();
+  });
+});
--- a/adminfront/src/components/ui/dialog.tsx
+++ b/adminfront/src/components/ui/dialog.tsx
@@ -0,0 +1,287 @@
+import { X } from "lucide-react";
+import * as React from "react";
+import { createPortal } from "react-dom";
+
+import { cn } from "../../lib/utils";
+
+type DialogContextValue = {
+  open: boolean;
+  setOpen: (open: boolean) => void;
+};
+
+const DialogContext = React.createContext<DialogContextValue | null>(null);
+
+function useDialogContext(componentName: string) {
+  const context = React.useContext(DialogContext);
+  if (!context) {
+    throw new Error(`${componentName} must be used within Dialog`);
+  }
+  return context;
+}
+
+function composeEventHandlers<E extends React.SyntheticEvent>(
+  theirs: ((event: E) => void) | undefined,
+  ours: (event: E) => void,
+) {
+  return (event: E) => {
+    theirs?.(event);
+    if (!event.defaultPrevented) {
+      ours(event);
+    }
+  };
+}
+
+type DialogProps = {
+  open?: boolean;
+  defaultOpen?: boolean;
+  onOpenChange?: (open: boolean) => void;
+  children?: React.ReactNode;
+};
+
+function Dialog({
+  open,
+  defaultOpen = false,
+  onOpenChange,
+  children,
+}: DialogProps) {
+  const [internalOpen, setInternalOpen] = React.useState(defaultOpen);
+  const isControlled = open !== undefined;
+  const currentOpen = isControlled ? open : internalOpen;
+  const setOpen = React.useCallback(
+    (nextOpen: boolean) => {
+      if (!isControlled) {
+        setInternalOpen(nextOpen);
+      }
+      onOpenChange?.(nextOpen);
+    },
+    [isControlled, onOpenChange],
+  );
+
+  const value = React.useMemo(
+    () => ({ open: currentOpen, setOpen }),
+    [currentOpen, setOpen],
+  );
+
+  return (
+    <DialogContext.Provider value={value}>{children}</DialogContext.Provider>
+  );
+}
+
+type DialogTriggerProps = React.ButtonHTMLAttributes<HTMLButtonElement> & {
+  asChild?: boolean;
+};
+
+const DialogTrigger = React.forwardRef<HTMLButtonElement, DialogTriggerProps>(
+  ({ asChild = false, children, onClick, ...props }, ref) => {
+    const { setOpen } = useDialogContext("DialogTrigger");
+    const handleOpen = (event: React.MouseEvent<HTMLButtonElement>) => {
+      onClick?.(event);
+      if (!event.defaultPrevented) {
+        setOpen(true);
+      }
+    };
+
+    if (asChild && React.isValidElement(children)) {
+      const child = children as React.ReactElement<{
+        onClick?: React.MouseEventHandler<HTMLElement>;
+      }>;
+      return React.cloneElement(child, {
+        ...props,
+        onClick: composeEventHandlers(
+          child.props.onClick as React.MouseEventHandler<HTMLButtonElement>,
+          () => setOpen(true),
+        ),
+      });
+    }
+
+    return (
+      <button type="button" ref={ref} onClick={handleOpen} {...props}>
+        {children}
+      </button>
+    );
+  },
+);
+DialogTrigger.displayName = "DialogTrigger";
+
+const DialogPortal = ({ children }: { children?: React.ReactNode }) => {
+  if (typeof document === "undefined") {
+    return null;
+  }
+  return createPortal(children, document.body);
+};
+DialogPortal.displayName = "DialogPortal";
+
+const DialogClose = React.forwardRef<HTMLButtonElement, DialogTriggerProps>(
+  ({ asChild = false, children, onClick, ...props }, ref) => {
+    const { setOpen } = useDialogContext("DialogClose");
+    const handleClose = (event: React.MouseEvent<HTMLButtonElement>) => {
+      onClick?.(event);
+      if (!event.defaultPrevented) {
+        setOpen(false);
+      }
+    };
+
+    if (asChild && React.isValidElement(children)) {
+      const child = children as React.ReactElement<{
+        onClick?: React.MouseEventHandler<HTMLElement>;
+      }>;
+      return React.cloneElement(child, {
+        ...props,
+        onClick: composeEventHandlers(
+          child.props.onClick as React.MouseEventHandler<HTMLButtonElement>,
+          () => setOpen(false),
+        ),
+      });
+    }
+
+    return (
+      <button type="button" ref={ref} onClick={handleClose} {...props}>
+        {children}
+      </button>
+    );
+  },
+);
+DialogClose.displayName = "DialogClose";
+
+const DialogOverlay = React.forwardRef<
+  HTMLButtonElement,
+  React.ButtonHTMLAttributes<HTMLButtonElement>
+>(({ className, onMouseDown, ...props }, ref) => {
+  const { setOpen } = useDialogContext("DialogOverlay");
+  return (
+    <button
+      type="button"
+      ref={ref}
+      className={cn(
+        "fixed inset-0 z-50 border-0 bg-black/80 p-0 data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0",
+        className,
+      )}
+      data-state="open"
+      aria-label="Close dialog"
+      onMouseDown={composeEventHandlers(onMouseDown, (event) => {
+        if (event.target === event.currentTarget) {
+          setOpen(false);
+        }
+      })}
+      {...props}
+    />
+  );
+});
+DialogOverlay.displayName = "DialogOverlay";
+
+const DialogContent = React.forwardRef<
+  HTMLDialogElement,
+  React.HTMLAttributes<HTMLDialogElement>
+>(({ className, children, onKeyDown, ...props }, ref) => {
+  const { open, setOpen } = useDialogContext("DialogContent");
+
+  React.useEffect(() => {
+    if (!open) {
+      return;
+    }
+    const onDocumentKeyDown = (event: KeyboardEvent) => {
+      if (event.key === "Escape") {
+        setOpen(false);
+      }
+    };
+    document.addEventListener("keydown", onDocumentKeyDown);
+    return () => document.removeEventListener("keydown", onDocumentKeyDown);
+  }, [open, setOpen]);
+
+  if (!open) {
+    return null;
+  }
+
+  return (
+    <DialogPortal>
+      <DialogOverlay />
+      <dialog
+        ref={ref}
+        open
+        aria-modal="true"
+        data-state="open"
+        className={cn(
+          "fixed left-[50%] top-[50%] z-50 m-0 grid w-full max-w-lg translate-x-[-50%] translate-y-[-50%] gap-4 border bg-background p-6 shadow-lg duration-200 backdrop:bg-transparent data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 data-[state=closed]:slide-out-to-left-1/2 data-[state=closed]:slide-out-to-top-[48%] data-[state=open]:slide-in-from-left-1/2 data-[state=open]:slide-in-from-top-[48%] sm:rounded-lg",
+          className,
+        )}
+        onKeyDown={onKeyDown}
+        {...props}
+      >
+        {children}
+        <DialogClose className="absolute right-4 top-4 rounded-sm opacity-70 ring-offset-background transition-opacity hover:opacity-100 focus:outline-none focus:ring-2 focus:ring-ring focus:ring-offset-2 disabled:pointer-events-none data-[state=open]:bg-accent data-[state=open]:text-muted-foreground">
+          <X className="h-4 w-4" />
+          <span className="sr-only">Close</span>
+        </DialogClose>
+      </dialog>
+    </DialogPortal>
+  );
+});
+DialogContent.displayName = "DialogContent";
+
+const DialogHeader = ({
+  className,
+  ...props
+}: React.HTMLAttributes<HTMLDivElement>) => (
+  <div
+    className={cn(
+      "flex flex-col space-y-1.5 text-center sm:text-left",
+      className,
+    )}
+    {...props}
+  />
+);
+DialogHeader.displayName = "DialogHeader";
+
+const DialogFooter = ({
+  className,
+  ...props
+}: React.HTMLAttributes<HTMLDivElement>) => (
+  <div
+    className={cn(
+      "flex flex-col-reverse sm:flex-row sm:justify-end sm:space-x-2",
+      className,
+    )}
+    {...props}
+  />
+);
+DialogFooter.displayName = "DialogFooter";
+
+const DialogTitle = React.forwardRef<
+  HTMLHeadingElement,
+  React.HTMLAttributes<HTMLHeadingElement>
+>(({ className, ...props }, ref) => (
+  <h2
+    ref={ref}
+    className={cn(
+      "text-lg font-semibold leading-none tracking-tight",
+      className,
+    )}
+    {...props}
+  />
+));
+DialogTitle.displayName = "DialogTitle";
+
+const DialogDescription = React.forwardRef<
+  HTMLParagraphElement,
+  React.HTMLAttributes<HTMLParagraphElement>
+>(({ className, ...props }, ref) => (
+  <p
+    ref={ref}
+    className={cn("text-sm text-muted-foreground", className)}
+    {...props}
+  />
+));
+DialogDescription.displayName = "DialogDescription";
+
+export {
+  Dialog,
+  DialogClose,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogOverlay,
+  DialogPortal,
+  DialogTitle,
+  DialogTrigger,
+};
--- a/adminfront/src/components/ui/dropdown-menu.tsx
+++ b/adminfront/src/components/ui/dropdown-menu.tsx
@@ -0,0 +1,200 @@
+"use client";
+
+import * as DropdownMenuPrimitive from "@radix-ui/react-dropdown-menu";
+import { Check, ChevronRight, Circle } from "lucide-react";
+import * as React from "react";
+
+import { cn } from "../../lib/utils";
+
+const DropdownMenu = DropdownMenuPrimitive.Root;
+
+const DropdownMenuTrigger = DropdownMenuPrimitive.Trigger;
+
+const DropdownMenuGroup = DropdownMenuPrimitive.Group;
+
+const DropdownMenuPortal = DropdownMenuPrimitive.Portal;
+
+const DropdownMenuSub = DropdownMenuPrimitive.Sub;
+
+const DropdownMenuRadioGroup = DropdownMenuPrimitive.RadioGroup;
+
+const DropdownMenuSubTrigger = React.forwardRef<
+  React.ElementRef<typeof DropdownMenuPrimitive.SubTrigger>,
+  React.ComponentPropsWithoutRef<typeof DropdownMenuPrimitive.SubTrigger> & {
+    inset?: boolean;
+  }
+>(({ className, inset, children, ...props }, ref) => (
+  <DropdownMenuPrimitive.SubTrigger
+    ref={ref}
+    className={cn(
+      "flex cursor-default gap-2 select-none items-center rounded-sm px-2 py-1.5 text-sm outline-none focus:bg-accent data-[state=open]:bg-accent [&_svg]:pointer-events-none [&_svg]:size-4 [&_svg]:shrink-0",
+      inset && "pl-8",
+      className,
+    )}
+    {...props}
+  >
+    {children}
+    <ChevronRight className="ml-auto" />
+  </DropdownMenuPrimitive.SubTrigger>
+));
+DropdownMenuSubTrigger.displayName =
+  DropdownMenuPrimitive.SubTrigger.displayName;
+
+const DropdownMenuSubContent = React.forwardRef<
+  React.ElementRef<typeof DropdownMenuPrimitive.SubContent>,
+  React.ComponentPropsWithoutRef<typeof DropdownMenuPrimitive.SubContent>
+>(({ className, ...props }, ref) => (
+  <DropdownMenuPrimitive.SubContent
+    ref={ref}
+    className={cn(
+      "z-50 min-w-[8rem] overflow-hidden rounded-md border bg-popover p-1 text-popover-foreground shadow-lg data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 data-[side=bottom]:slide-in-from-top-2 data-[side=left]:slide-in-from-right-2 data-[side=right]:slide-in-from-left-2 data-[side=top]:slide-in-from-bottom-2",
+      className,
+    )}
+    {...props}
+  />
+));
+DropdownMenuSubContent.displayName =
+  DropdownMenuPrimitive.SubContent.displayName;
+
+const DropdownMenuContent = React.forwardRef<
+  React.ElementRef<typeof DropdownMenuPrimitive.Content>,
+  React.ComponentPropsWithoutRef<typeof DropdownMenuPrimitive.Content>
+>(({ className, sideOffset = 4, ...props }, ref) => (
+  <DropdownMenuPrimitive.Portal>
+    <DropdownMenuPrimitive.Content
+      ref={ref}
+      sideOffset={sideOffset}
+      className={cn(
+        "z-50 min-w-[8rem] overflow-hidden rounded-md border bg-popover p-1 text-popover-foreground shadow-md data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 data-[side=bottom]:slide-in-from-top-2 data-[side=left]:slide-in-from-right-2 data-[side=right]:slide-in-from-left-2 data-[side=top]:slide-in-from-bottom-2",
+        className,
+      )}
+      {...props}
+    />
+  </DropdownMenuPrimitive.Portal>
+));
+DropdownMenuContent.displayName = DropdownMenuPrimitive.Content.displayName;
+
+const DropdownMenuItem = React.forwardRef<
+  React.ElementRef<typeof DropdownMenuPrimitive.Item>,
+  React.ComponentPropsWithoutRef<typeof DropdownMenuPrimitive.Item> & {
+    inset?: boolean;
+  }
+>(({ className, inset, ...props }, ref) => (
+  <DropdownMenuPrimitive.Item
+    ref={ref}
+    className={cn(
+      "relative flex cursor-default select-none items-center gap-2 rounded-sm px-2 py-1.5 text-sm outline-none transition-colors focus:bg-accent focus:text-accent-foreground data-[disabled]:pointer-events-none data-[disabled]:opacity-50 [&_svg]:pointer-events-none [&_svg]:size-4 [&_svg]:shrink-0",
+      inset && "pl-8",
+      className,
+    )}
+    {...props}
+  />
+));
+DropdownMenuItem.displayName = DropdownMenuPrimitive.Item.displayName;
+
+const DropdownMenuCheckboxItem = React.forwardRef<
+  React.ElementRef<typeof DropdownMenuPrimitive.CheckboxItem>,
+  React.ComponentPropsWithoutRef<typeof DropdownMenuPrimitive.CheckboxItem>
+>(({ className, children, checked, ...props }, ref) => (
+  <DropdownMenuPrimitive.CheckboxItem
+    ref={ref}
+    className={cn(
+      "relative flex cursor-default select-none items-center rounded-sm py-1.5 pl-8 pr-2 text-sm outline-none transition-colors focus:bg-accent focus:text-accent-foreground data-[disabled]:pointer-events-none data-[disabled]:opacity-50",
+      className,
+    )}
+    checked={checked}
+    {...props}
+  >
+    <span className="absolute left-2 flex h-3.5 w-3.5 items-center justify-center">
+      <DropdownMenuPrimitive.ItemIndicator>
+        <Check className="h-4 w-4" />
+      </DropdownMenuPrimitive.ItemIndicator>
+    </span>
+    {children}
+  </DropdownMenuPrimitive.CheckboxItem>
+));
+DropdownMenuCheckboxItem.displayName =
+  DropdownMenuPrimitive.CheckboxItem.displayName;
+
+const DropdownMenuRadioItem = React.forwardRef<
+  React.ElementRef<typeof DropdownMenuPrimitive.RadioItem>,
+  React.ComponentPropsWithoutRef<typeof DropdownMenuPrimitive.RadioItem>
+>(({ className, children, ...props }, ref) => (
+  <DropdownMenuPrimitive.RadioItem
+    ref={ref}
+    className={cn(
+      "relative flex cursor-default select-none items-center rounded-sm py-1.5 pl-8 pr-2 text-sm outline-none transition-colors focus:bg-accent focus:text-accent-foreground data-[disabled]:pointer-events-none data-[disabled]:opacity-50",
+      className,
+    )}
+    {...props}
+  >
+    <span className="absolute left-2 flex h-3.5 w-3.5 items-center justify-center">
+      <DropdownMenuPrimitive.ItemIndicator>
+        <Circle className="h-2 w-2 fill-current" />
+      </DropdownMenuPrimitive.ItemIndicator>
+    </span>
+    {children}
+  </DropdownMenuPrimitive.RadioItem>
+));
+DropdownMenuRadioItem.displayName = DropdownMenuPrimitive.RadioItem.displayName;
+
+const DropdownMenuLabel = React.forwardRef<
+  React.ElementRef<typeof DropdownMenuPrimitive.Label>,
+  React.ComponentPropsWithoutRef<typeof DropdownMenuPrimitive.Label> & {
+    inset?: boolean;
+  }
+>(({ className, inset, ...props }, ref) => (
+  <DropdownMenuPrimitive.Label
+    ref={ref}
+    className={cn(
+      "px-2 py-1.5 text-sm font-semibold",
+      inset && "pl-8",
+      className,
+    )}
+    {...props}
+  />
+));
+DropdownMenuLabel.displayName = DropdownMenuPrimitive.Label.displayName;
+
+const DropdownMenuSeparator = React.forwardRef<
+  React.ElementRef<typeof DropdownMenuPrimitive.Separator>,
+  React.ComponentPropsWithoutRef<typeof DropdownMenuPrimitive.Separator>
+>(({ className, ...props }, ref) => (
+  <DropdownMenuPrimitive.Separator
+    ref={ref}
+    className={cn("-mx-1 my-1 h-px bg-muted", className)}
+    {...props}
+  />
+));
+DropdownMenuSeparator.displayName = DropdownMenuPrimitive.Separator.displayName;
+
+const DropdownMenuShortcut = ({
+  className,
+  ...props
+}: React.HTMLAttributes<HTMLSpanElement>) => {
+  return (
+    <span
+      className={cn("ml-auto text-xs tracking-tighter opacity-60", className)}
+      {...props}
+    />
+  );
+};
+DropdownMenuShortcut.displayName = "DropdownMenuShortcut";
+
+export {
+  DropdownMenu,
+  DropdownMenuCheckboxItem,
+  DropdownMenuContent,
+  DropdownMenuGroup,
+  DropdownMenuItem,
+  DropdownMenuLabel,
+  DropdownMenuPortal,
+  DropdownMenuRadioGroup,
+  DropdownMenuRadioItem,
+  DropdownMenuSeparator,
+  DropdownMenuShortcut,
+  DropdownMenuSub,
+  DropdownMenuSubContent,
+  DropdownMenuSubTrigger,
+  DropdownMenuTrigger,
+};
--- a/adminfront/src/components/ui/input.test.tsx
+++ b/adminfront/src/components/ui/input.test.tsx
@@ -0,0 +1,42 @@
+import { render, screen } from "@testing-library/react";
+import userEvent from "@testing-library/user-event";
+import { describe, expect, it, vi } from "vitest";
+import { Input } from "./input";
+
+describe("Input Component", () => {
+  it("renders correctly", () => {
+    render(<Input placeholder="Enter text" />);
+    expect(screen.getByPlaceholderText("Enter text")).toBeInTheDocument();
+  });
+
+  it("adds a fallback id for browser autofill diagnostics", () => {
+    render(<Input placeholder="Enter text" />);
+
+    expect(screen.getByPlaceholderText("Enter text")).toHaveAttribute("id");
+  });
+
+  it("keeps explicit id and name values", () => {
+    render(<Input id="explicit-id" name="explicit-name" />);
+    const input = screen.getByRole("textbox");
+
+    expect(input).toHaveAttribute("id", "explicit-id");
+    expect(input).toHaveAttribute("name", "explicit-name");
+  });
+
+  it("handles value changes", async () => {
+    const onChange = vi.fn();
+    const user = userEvent.setup();
+    render(<Input placeholder="Enter text" onChange={onChange} />);
+    const input = screen.getByPlaceholderText("Enter text");
+
+    await user.type(input, "Hello");
+    expect(onChange).toHaveBeenCalled();
+    expect(input).toHaveValue("Hello");
+  });
+
+  it("is disabled when the disabled prop is passed", () => {
+    render(<Input disabled />);
+    const input = screen.getByRole("textbox");
+    expect(input).toBeDisabled();
+  });
+});
--- a/adminfront/src/components/ui/input.tsx
+++ b/adminfront/src/components/ui/input.tsx
@@ -1,18 +1,21 @@
 import * as React from "react";
+import { commonInputClass } from "../../../../common/ui/input";
 import { cn } from "../../lib/utils";

 export interface InputProps
  extends React.InputHTMLAttributes<HTMLInputElement> {}

 const Input = React.forwardRef<HTMLInputElement, InputProps>(
-  ({ className, type, ...props }, ref) => {
+  ({ className, type, id, name, ...props }, ref) => {
+    const fallbackId = React.useId();
+    const fieldId = id ?? (name ? undefined : fallbackId);
+
    return (
      <input
+        id={fieldId}
+        name={name}
        type={type}
-        className={cn(
-          "flex h-10 w-full rounded-lg border border-input bg-background px-3 py-2 text-sm ring-offset-background file:border-0 file:bg-transparent file:text-sm file:font-medium placeholder:text-muted-foreground focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring focus-visible:ring-offset-2 disabled:cursor-not-allowed disabled:opacity-50",
-          className,
-        )}
+        className={cn(commonInputClass, className)}
        ref={ref}
        {...props}
      />
--- a/adminfront/src/components/ui/label.test.tsx
+++ b/adminfront/src/components/ui/label.test.tsx
@@ -0,0 +1,27 @@
+import { render, screen } from "@testing-library/react";
+import { describe, expect, it } from "vitest";
+import { Label } from "./label";
+
+describe("Label Component", () => {
+  it("renders correctly with children", () => {
+    render(<Label>Username</Label>);
+    expect(screen.getByText("Username")).toBeInTheDocument();
+  });
+
+  it("applies custom className", () => {
+    render(<Label className="custom-label">Password</Label>);
+    const label = screen.getByText("Password");
+    expect(label).toHaveClass("custom-label");
+  });
+
+  it("is associated with an input via htmlFor", () => {
+    render(
+      <>
+        <Label htmlFor="test-input">Label Text</Label>
+        <input id="test-input" />
+      </>,
+    );
+    const label = screen.getByText("Label Text");
+    expect(label).toHaveAttribute("for", "test-input");
+  });
+});
--- a/adminfront/src/components/ui/select.tsx
+++ b/adminfront/src/components/ui/select.tsx
@@ -0,0 +1,158 @@
+import * as SelectPrimitive from "@radix-ui/react-select";
+import { Check, ChevronDown, ChevronUp } from "lucide-react";
+import * as React from "react";
+
+import { cn } from "../../lib/utils";
+
+const Select = SelectPrimitive.Root;
+
+const SelectGroup = SelectPrimitive.Group;
+
+const SelectValue = SelectPrimitive.Value;
+
+const SelectTrigger = React.forwardRef<
+  React.ElementRef<typeof SelectPrimitive.Trigger>,
+  React.ComponentPropsWithoutRef<typeof SelectPrimitive.Trigger>
+>(({ className, children, ...props }, ref) => (
+  <SelectPrimitive.Trigger
+    ref={ref}
+    className={cn(
+      "flex h-10 w-full items-center justify-between rounded-md border border-input bg-background px-3 py-2 text-sm ring-offset-background placeholder:text-muted-foreground focus:outline-none focus:ring-2 focus:ring-ring focus:ring-offset-2 disabled:cursor-not-allowed disabled:opacity-50 [&>span]:line-clamp-1",
+      className,
+    )}
+    {...props}
+  >
+    {children}
+    <SelectPrimitive.Icon asChild>
+      <ChevronDown className="h-4 w-4 opacity-50" />
+    </SelectPrimitive.Icon>
+  </SelectPrimitive.Trigger>
+));
+SelectTrigger.displayName = SelectPrimitive.Trigger.displayName;
+
+const SelectScrollUpButton = React.forwardRef<
+  React.ElementRef<typeof SelectPrimitive.ScrollUpButton>,
+  React.ComponentPropsWithoutRef<typeof SelectPrimitive.ScrollUpButton>
+>(({ className, ...props }, ref) => (
+  <SelectPrimitive.ScrollUpButton
+    ref={ref}
+    className={cn(
+      "flex cursor-default items-center justify-center py-1",
+      className,
+    )}
+    {...props}
+  >
+    <ChevronUp className="h-4 w-4" />
+  </SelectPrimitive.ScrollUpButton>
+));
+SelectScrollUpButton.displayName = SelectPrimitive.ScrollUpButton.displayName;
+
+const SelectScrollDownButton = React.forwardRef<
+  React.ElementRef<typeof SelectPrimitive.ScrollDownButton>,
+  React.ComponentPropsWithoutRef<typeof SelectPrimitive.ScrollDownButton>
+>(({ className, ...props }, ref) => (
+  <SelectPrimitive.ScrollDownButton
+    ref={ref}
+    className={cn(
+      "flex cursor-default items-center justify-center py-1",
+      className,
+    )}
+    {...props}
+  >
+    <ChevronDown className="h-4 w-4" />
+  </SelectPrimitive.ScrollDownButton>
+));
+SelectScrollDownButton.displayName =
+  SelectPrimitive.ScrollDownButton.displayName;
+
+const SelectContent = React.forwardRef<
+  React.ElementRef<typeof SelectPrimitive.Content>,
+  React.ComponentPropsWithoutRef<typeof SelectPrimitive.Content>
+>(({ className, children, position = "popper", ...props }, ref) => (
+  <SelectPrimitive.Portal>
+    <SelectPrimitive.Content
+      ref={ref}
+      className={cn(
+        "relative z-50 max-h-96 min-w-[8rem] overflow-hidden rounded-md border bg-popover text-popover-foreground shadow-md data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 data-[state=top]:slide-in-from-bottom-2 data-[state=bottom]:slide-in-from-top-2",
+        position === "popper" &&
+          "data-[state=open]:slide-in-from-top-2 data-[state=bottom]:translate-y-1 data-[state=left]:-translate-x-1 data-[state=right]:translate-x-1 data-[state=top]:-translate-y-1",
+        className,
+      )}
+      position={position}
+      {...props}
+    >
+      <SelectScrollUpButton />
+      <SelectPrimitive.Viewport
+        className={cn(
+          "p-1",
+          position === "popper" &&
+            "h-[var(--radix-select-content-available-height)] w-full min-w-[var(--radix-select-trigger-width)]",
+        )}
+      >
+        {children}
+      </SelectPrimitive.Viewport>
+      <SelectScrollDownButton />
+    </SelectPrimitive.Content>
+  </SelectPrimitive.Portal>
+));
+SelectContent.displayName = SelectPrimitive.Content.displayName;
+
+const SelectLabel = React.forwardRef<
+  React.ElementRef<typeof SelectPrimitive.Label>,
+  React.ComponentPropsWithoutRef<typeof SelectPrimitive.Label>
+>(({ className, ...props }, ref) => (
+  <SelectPrimitive.Label
+    ref={ref}
+    className={cn("py-1.5 pl-8 pr-2 text-sm font-semibold", className)}
+    {...props}
+  />
+));
+SelectLabel.displayName = SelectPrimitive.Label.displayName;
+
+const SelectItem = React.forwardRef<
+  React.ElementRef<typeof SelectPrimitive.Item>,
+  React.ComponentPropsWithoutRef<typeof SelectPrimitive.Item>
+>(({ className, children, ...props }, ref) => (
+  <SelectPrimitive.Item
+    ref={ref}
+    className={cn(
+      "relative flex w-full cursor-default select-none items-center rounded-sm py-1.5 pl-8 pr-2 text-sm outline-none focus:bg-accent focus:text-accent-foreground data-[disabled]:pointer-events-none data-[disabled]:opacity-50",
+      className,
+    )}
+    {...props}
+  >
+    <span className="absolute left-2 flex h-3.5 w-3.5 items-center justify-center">
+      <SelectPrimitive.ItemIndicator>
+        <Check className="h-4 w-4" />
+      </SelectPrimitive.ItemIndicator>
+    </span>
+
+    <SelectPrimitive.ItemText>{children}</SelectPrimitive.ItemText>
+  </SelectPrimitive.Item>
+));
+SelectItem.displayName = SelectPrimitive.Item.displayName;
+
+const SelectSeparator = React.forwardRef<
+  React.ElementRef<typeof SelectPrimitive.Separator>,
+  React.ComponentPropsWithoutRef<typeof SelectPrimitive.Separator>
+>(({ className, ...props }, ref) => (
+  <SelectPrimitive.Separator
+    ref={ref}
+    className={cn("-mx-1 my-1 h-px bg-muted", className)}
+    {...props}
+  />
+));
+SelectSeparator.displayName = SelectPrimitive.Separator.displayName;
+
+export {
+  Select,
+  SelectContent,
+  SelectGroup,
+  SelectItem,
+  SelectLabel,
+  SelectScrollDownButton,
+  SelectScrollUpButton,
+  SelectSeparator,
+  SelectTrigger,
+  SelectValue,
+};
--- a/adminfront/src/components/ui/separator.test.tsx
+++ b/adminfront/src/components/ui/separator.test.tsx
@@ -0,0 +1,41 @@
+import type React from "react";
+import { act } from "react";
+import { createRoot } from "react-dom/client";
+import { afterEach, describe, expect, it } from "vitest";
+import { Separator } from "./separator";
+
+let container: HTMLDivElement | null = null;
+
+const render = async (element: React.ReactElement) => {
+  container = document.createElement("div");
+  document.body.appendChild(container);
+  const root = createRoot(container);
+  await act(async () => {
+    root.render(element);
+  });
+  return root;
+};
+
+afterEach(() => {
+  if (container) {
+    container.remove();
+    container = null;
+  }
+});
+
+describe("Separator", () => {
+  it("renders a horizontal separator with custom classes", async () => {
+    const root = await render(
+      <Separator className="custom-separator" data-testid="separator" />,
+    );
+
+    const separator = container?.querySelector("[data-testid='separator']");
+
+    expect(separator?.className).toContain("h-px");
+    expect(separator?.className).toContain("custom-separator");
+
+    await act(async () => {
+      root.unmount();
+    });
+  });
+});
--- a/adminfront/src/components/ui/switch.tsx
+++ b/adminfront/src/components/ui/switch.tsx
@@ -1,26 +1,68 @@
-import * as SwitchPrimitives from "@radix-ui/react-switch";
 import * as React from "react";
 import { cn } from "../../lib/utils";

-const Switch = React.forwardRef<
-  React.ElementRef<typeof SwitchPrimitives.Root>,
-  React.ComponentPropsWithoutRef<typeof SwitchPrimitives.Root>
->(({ className, ...props }, ref) => (
-  <SwitchPrimitives.Root
-    className={cn(
-      "peer inline-flex h-5 w-10 shrink-0 cursor-pointer items-center rounded-full border-2 border-transparent bg-input transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring focus-visible:ring-offset-2 focus-visible:ring-offset-background disabled:cursor-not-allowed disabled:opacity-50 data-[state=checked]:bg-primary data-[state=unchecked]:bg-muted/50",
+interface SwitchProps
+  extends Omit<React.ButtonHTMLAttributes<HTMLButtonElement>, "onChange"> {
+  checked?: boolean;
+  defaultChecked?: boolean;
+  onCheckedChange?: (checked: boolean) => void;
+}
+
+const Switch = React.forwardRef<HTMLButtonElement, SwitchProps>(
+  (
+    {
      className,
-    )}
-    {...props}
-    ref={ref}
-  >
-    <SwitchPrimitives.Thumb
-      className={cn(
-        "pointer-events-none block h-4 w-4 rounded-full bg-background shadow-lg ring-0 transition-transform data-[state=checked]:translate-x-4 data-[state=unchecked]:translate-x-0",
-      )}
-    />
-  </SwitchPrimitives.Root>
-));
-Switch.displayName = SwitchPrimitives.Root.displayName;
+      checked,
+      defaultChecked = false,
+      disabled,
+      onCheckedChange,
+      onClick,
+      ...props
+    },
+    ref,
+  ) => {
+    const isControlled = checked !== undefined;
+    const [internalChecked, setInternalChecked] =
+      React.useState(defaultChecked);
+    const currentChecked = isControlled ? checked : internalChecked;
+
+    const handleClick = (event: React.MouseEvent<HTMLButtonElement>) => {
+      onClick?.(event);
+      if (event.defaultPrevented || disabled) {
+        return;
+      }
+      const nextChecked = !currentChecked;
+      if (!isControlled) {
+        setInternalChecked(nextChecked);
+      }
+      onCheckedChange?.(nextChecked);
+    };
+
+    return (
+      <button
+        type="button"
+        role="switch"
+        aria-checked={currentChecked}
+        data-state={currentChecked ? "checked" : "unchecked"}
+        className={cn(
+          "peer inline-flex h-5 w-10 shrink-0 cursor-pointer items-center rounded-full border-2 border-transparent bg-input transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring focus-visible:ring-offset-2 focus-visible:ring-offset-background disabled:cursor-not-allowed disabled:opacity-50 data-[state=checked]:bg-primary data-[state=unchecked]:bg-muted/50",
+          className,
+        )}
+        disabled={disabled}
+        onClick={handleClick}
+        ref={ref}
+        {...props}
+      >
+        <span
+          data-state={currentChecked ? "checked" : "unchecked"}
+          className={cn(
+            "pointer-events-none block h-4 w-4 rounded-full bg-background shadow-lg ring-0 transition-transform data-[state=checked]:translate-x-4 data-[state=unchecked]:translate-x-0",
+          )}
+        />
+      </button>
+    );
+  },
+);
+Switch.displayName = "Switch";

 export { Switch };
--- a/adminfront/src/components/ui/table.tsx
+++ b/adminfront/src/components/ui/table.tsx
@@ -1,16 +1,23 @@
 import * as React from "react";
+import {
+  commonTableBodyClass,
+  commonTableCaptionClass,
+  commonTableCellClass,
+  commonTableClass,
+  commonTableFooterClass,
+  commonTableHeadClass,
+  commonTableHeaderClass,
+  commonTableRowClass,
+  commonTableWrapperClass,
+} from "../../../../common/ui/table";
 import { cn } from "../../lib/utils";

 const Table = React.forwardRef<
  HTMLTableElement,
  React.HTMLAttributes<HTMLTableElement>
 >(({ className, ...props }, ref) => (
-  <div className="relative w-full overflow-auto">
-    <table
-      ref={ref}
-      className={cn("w-full caption-bottom text-sm", className)}
-      {...props}
-    />
+  <div className={commonTableWrapperClass}>
+    <table ref={ref} className={cn(commonTableClass, className)} {...props} />
  </div>
 ));
 Table.displayName = "Table";
@@ -19,7 +26,11 @@ const TableHeader = React.forwardRef<
  HTMLTableSectionElement,
  React.HTMLAttributes<HTMLTableSectionElement>
 >(({ className, ...props }, ref) => (
-  <thead ref={ref} className={cn("[&_tr]:border-b", className)} {...props} />
+  <thead
+    ref={ref}
+    className={cn(commonTableHeaderClass, className)}
+    {...props}
+  />
 ));
 TableHeader.displayName = "TableHeader";

@@ -27,11 +38,7 @@ const TableBody = React.forwardRef<
  HTMLTableSectionElement,
  React.HTMLAttributes<HTMLTableSectionElement>
 >(({ className, ...props }, ref) => (
-  <tbody
-    ref={ref}
-    className={cn("[&_tr:last-child]:border-0", className)}
-    {...props}
-  />
+  <tbody ref={ref} className={cn(commonTableBodyClass, className)} {...props} />
 ));
 TableBody.displayName = "TableBody";

@@ -41,7 +48,7 @@ const TableFooter = React.forwardRef<
 >(({ className, ...props }, ref) => (
  <tfoot
    ref={ref}
-    className={cn("bg-muted/50 font-medium text-foreground", className)}
+    className={cn(commonTableFooterClass, className)}
    {...props}
  />
 ));
@@ -51,14 +58,7 @@ const TableRow = React.forwardRef<
  HTMLTableRowElement,
  React.HTMLAttributes<HTMLTableRowElement>
 >(({ className, ...props }, ref) => (
-  <tr
-    ref={ref}
-    className={cn(
-      "border-b transition-colors hover:bg-muted/30 data-[state=selected]:bg-muted",
-      className,
-    )}
-    {...props}
-  />
+  <tr ref={ref} className={cn(commonTableRowClass, className)} {...props} />
 ));
 TableRow.displayName = "TableRow";

@@ -66,14 +66,7 @@ const TableHead = React.forwardRef<
  HTMLTableCellElement,
  React.ThHTMLAttributes<HTMLTableCellElement>
 >(({ className, ...props }, ref) => (
-  <th
-    ref={ref}
-    className={cn(
-      "h-12 px-6 text-left text-xs font-bold uppercase tracking-[0.08em] text-muted-foreground align-middle",
-      className,
-    )}
-    {...props}
-  />
+  <th ref={ref} className={cn(commonTableHeadClass, className)} {...props} />
 ));
 TableHead.displayName = "TableHead";

@@ -81,11 +74,7 @@ const TableCell = React.forwardRef<
  HTMLTableCellElement,
  React.TdHTMLAttributes<HTMLTableCellElement>
 >(({ className, ...props }, ref) => (
-  <td
-    ref={ref}
-    className={cn("p-6 align-middle text-sm", className)}
-    {...props}
-  />
+  <td ref={ref} className={cn(commonTableCellClass, className)} {...props} />
 ));
 TableCell.displayName = "TableCell";

@@ -95,7 +84,7 @@ const TableCaption = React.forwardRef<
 >(({ className, ...props }, ref) => (
  <caption
    ref={ref}
-    className={cn("mt-4 text-sm text-muted-foreground", className)}
+    className={cn(commonTableCaptionClass, className)}
    {...props}
  />
 ));
@@ -103,11 +92,11 @@ TableCaption.displayName = "TableCaption";

 export {
  Table,
-  TableHeader,
  TableBody,
+  TableCaption,
+  TableCell,
  TableFooter,
  TableHead,
+  TableHeader,
  TableRow,
-  TableCell,
-  TableCaption,
 };
--- a/adminfront/src/components/ui/tabs.tsx
+++ b/adminfront/src/components/ui/tabs.tsx
@@ -0,0 +1,87 @@
+import * as React from "react";
+import { cn } from "../../lib/utils";
+
+const TabsContext = React.createContext<{
+  value?: string;
+  onValueChange?: (value: string) => void;
+}>({});
+
+const Tabs = React.forwardRef<
+  HTMLDivElement,
+  React.HTMLAttributes<HTMLDivElement> & {
+    value?: string;
+    onValueChange?: (value: string) => void;
+  }
+>(({ className, value, onValueChange, ...props }, ref) => {
+  return (
+    <TabsContext.Provider value={{ value, onValueChange }}>
+      <div ref={ref} className={cn("w-full", className)} {...props} />
+    </TabsContext.Provider>
+  );
+});
+Tabs.displayName = "Tabs";
+
+const TabsList = React.forwardRef<
+  HTMLDivElement,
+  React.HTMLAttributes<HTMLDivElement>
+>(({ className, ...props }, ref) => (
+  <div
+    ref={ref}
+    className={cn(
+      "inline-flex h-10 items-center justify-center rounded-md bg-muted p-1 text-muted-foreground",
+      className,
+    )}
+    {...props}
+  />
+));
+TabsList.displayName = "TabsList";
+
+const TabsTrigger = React.forwardRef<
+  HTMLButtonElement,
+  React.ButtonHTMLAttributes<HTMLButtonElement> & { value: string }
+>(({ className, value, ...props }, ref) => {
+  const { value: activeValue, onValueChange } = React.useContext(TabsContext);
+  const isSelected = activeValue === value;
+
+  return (
+    <button
+      ref={ref}
+      type="button"
+      role="tab"
+      aria-selected={isSelected}
+      className={cn(
+        "inline-flex items-center justify-center whitespace-nowrap rounded-sm px-3 py-1.5 text-sm font-medium ring-offset-background transition-all focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring focus-visible:ring-offset-2 disabled:pointer-events-none disabled:opacity-50 data-[state=active]:bg-background data-[state=active]:text-foreground data-[state=active]:shadow-sm",
+        className,
+      )}
+      data-state={isSelected ? "active" : "inactive"}
+      onClick={() => onValueChange?.(value)}
+      {...props}
+    />
+  );
+});
+TabsTrigger.displayName = "TabsTrigger";
+
+const TabsContent = React.forwardRef<
+  HTMLDivElement,
+  React.HTMLAttributes<HTMLDivElement> & { value: string }
+>(({ className, value, ...props }, ref) => {
+  const { value: activeValue } = React.useContext(TabsContext);
+  const isSelected = activeValue === value;
+
+  if (!isSelected) return null;
+
+  return (
+    <div
+      ref={ref}
+      role="tabpanel"
+      className={cn(
+        "mt-2 ring-offset-background focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring focus-visible:ring-offset-2",
+        className,
+      )}
+      {...props}
+    />
+  );
+});
+TabsContent.displayName = "TabsContent";
+
+export { Tabs, TabsContent, TabsList, TabsTrigger };
--- a/adminfront/src/components/ui/textarea.test.tsx
+++ b/adminfront/src/components/ui/textarea.test.tsx
@@ -0,0 +1,19 @@
+import { render, screen } from "@testing-library/react";
+import { describe, expect, it } from "vitest";
+import { Textarea } from "./textarea";
+
+describe("Textarea Component", () => {
+  it("adds a fallback id for browser autofill diagnostics", () => {
+    render(<Textarea aria-label="Description" />);
+
+    expect(screen.getByRole("textbox")).toHaveAttribute("id");
+  });
+
+  it("keeps explicit id and name values", () => {
+    render(<Textarea id="explicit-textarea" name="explicit-name" />);
+    const textarea = screen.getByRole("textbox");
+
+    expect(textarea).toHaveAttribute("id", "explicit-textarea");
+    expect(textarea).toHaveAttribute("name", "explicit-name");
+  });
+});
--- a/adminfront/src/components/ui/textarea.tsx
+++ b/adminfront/src/components/ui/textarea.tsx
@@ -5,9 +5,14 @@ export interface TextareaProps
  extends React.TextareaHTMLAttributes<HTMLTextAreaElement> {}

 const Textarea = React.forwardRef<HTMLTextAreaElement, TextareaProps>(
-  ({ className, ...props }, ref) => {
+  ({ className, id, name, ...props }, ref) => {
+    const fallbackId = React.useId();
+    const fieldId = id ?? (name ? undefined : fallbackId);
+
    return (
      <textarea
+        id={fieldId}
+        name={name}
        className={cn(
          "flex min-h-[80px] w-full rounded-lg border border-input bg-background px-3 py-2 text-sm ring-offset-background placeholder:text-muted-foreground focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring focus-visible:ring-offset-2 disabled:cursor-not-allowed disabled:opacity-50",
          className,
--- a/adminfront/src/components/ui/toaster.tsx
+++ b/adminfront/src/components/ui/toaster.tsx
@@ -0,0 +1,35 @@
+import { AlertCircle, CheckCircle2, Info } from "lucide-react";
+import { cn } from "../../lib/utils";
+import { useToastState } from "./use-toast";
+
+export function Toaster() {
+  const toasts = useToastState();
+
+  if (toasts.length === 0) return null;
+
+  return (
+    <div className="fixed bottom-4 right-4 z-[100] flex flex-col gap-2 w-full max-w-[320px]">
+      {toasts.map((t) => (
+        <div
+          key={t.id}
+          className={cn(
+            "flex items-center gap-3 rounded-lg border p-4 shadow-lg animate-in slide-in-from-right-full duration-300",
+            t.type === "success" &&
+              "bg-emerald-50 border-emerald-200 text-emerald-800 dark:bg-emerald-950 dark:border-emerald-800 dark:text-emerald-200",
+            t.type === "error" &&
+              "bg-rose-50 border-rose-200 text-rose-800 dark:bg-rose-950 dark:border-rose-800 dark:text-rose-200",
+            t.type === "info" &&
+              "bg-blue-50 border-blue-200 text-blue-800 dark:bg-blue-950 dark:border-blue-800 dark:text-blue-200",
+          )}
+        >
+          {t.type === "success" && (
+            <CheckCircle2 className="h-5 w-5 shrink-0" />
+          )}
+          {t.type === "error" && <AlertCircle className="h-5 w-5 shrink-0" />}
+          {t.type === "info" && <Info className="h-5 w-5 shrink-0" />}
+          <p className="text-sm font-medium leading-none">{t.message}</p>
+        </div>
+      ))}
+    </div>
+  );
+}
--- a/adminfront/src/components/ui/use-toast.ts
+++ b/adminfront/src/components/ui/use-toast.ts
@@ -0,0 +1,71 @@
+import * as React from "react";
+
+type ToastType = "success" | "error" | "info";
+
+interface Toast {
+  id: string;
+  message: string;
+  type: ToastType;
+}
+
+let subscribers: ((toasts: Toast[]) => void)[] = [];
+let toasts: Toast[] = [];
+
+const notify = () => {
+  for (const sub of subscribers) {
+    sub(toasts);
+  }
+};
+
+const toastBase = (message: string, type: ToastType = "success") => {
+  if (
+    toasts.some((toast) => toast.message === message && toast.type === type)
+  ) {
+    return;
+  }
+  const id = Math.random().toString(36).substring(2, 9);
+  toasts = [...toasts, { id, message, type }];
+  notify();
+
+  setTimeout(() => {
+    toasts = toasts.filter((t) => t.id !== id);
+    notify();
+  }, 3000);
+};
+
+export const toast = Object.assign(toastBase, {
+  success: (message: string, options?: { description?: string }) => {
+    const finalMessage = options?.description
+      ? `${message}
+${options.description}`
+      : message;
+    toastBase(finalMessage, "success");
+  },
+  error: (message: string, options?: { description?: string }) => {
+    const finalMessage = options?.description
+      ? `${message}
+${options.description}`
+      : message;
+    toastBase(finalMessage, "error");
+  },
+  info: (message: string, options?: { description?: string }) => {
+    const finalMessage = options?.description
+      ? `${message}
+${options.description}`
+      : message;
+    toastBase(finalMessage, "info");
+  },
+});
+
+export const useToastState = () => {
+  const [state, setState] = React.useState<Toast[]>(toasts);
+
+  React.useEffect(() => {
+    subscribers.push(setState);
+    return () => {
+      subscribers = subscribers.filter((sub) => sub !== setState);
+    };
+  }, []);
+
+  return state;
+};
--- a/adminfront/src/features/api-keys/ApiKeyCreatePage.test.tsx
+++ b/adminfront/src/features/api-keys/ApiKeyCreatePage.test.tsx
@@ -0,0 +1,69 @@
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import { fireEvent, render, screen, waitFor } from "@testing-library/react";
+import { MemoryRouter } from "react-router-dom";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { createApiKey } from "../../lib/adminApi";
+import ApiKeyCreatePage from "./ApiKeyCreatePage";
+
+vi.mock("../../lib/adminApi", () => ({
+  createApiKey: vi.fn(async () => ({
+    apiKey: {
+      id: "api-key-id",
+      name: "org-context-client",
+      client_id: "client-id",
+      scopes: ["audit:read", "user:read", "org-context:read"],
+      status: "active",
+      createdAt: "2026-05-13T00:00:00Z",
+    },
+    clientSecret: "secret",
+  })),
+}));
+
+function renderPage() {
+  const queryClient = new QueryClient({
+    defaultOptions: {
+      queries: { retry: false },
+      mutations: { retry: false },
+    },
+  });
+
+  return render(
+    <QueryClientProvider client={queryClient}>
+      <MemoryRouter>
+        <ApiKeyCreatePage />
+      </MemoryRouter>
+    </QueryClientProvider>,
+  );
+}
+
+describe("ApiKeyCreatePage", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("renders org-context:read as a selectable API key scope", () => {
+    renderPage();
+
+    expect(screen.getByText("조직 Context 조회")).toBeInTheDocument();
+    expect(screen.getByText("ID: org-context:read")).toBeInTheDocument();
+  });
+
+  it("includes org-context:read in the create request when selected", async () => {
+    renderPage();
+
+    fireEvent.change(screen.getByLabelText("서비스 또는 목적 식별 이름"), {
+      target: { value: "org-context-client" },
+    });
+    fireEvent.click(screen.getByRole("button", { name: /조직 Context 조회/ }));
+    fireEvent.click(screen.getByRole("button", { name: /API 키 발급하기/ }));
+
+    await waitFor(() => {
+      expect(createApiKey).toHaveBeenCalledWith(
+        expect.objectContaining({
+          name: "org-context-client",
+          scopes: expect.arrayContaining(["org-context:read"]),
+        }),
+      );
+    });
+  });
+});
--- a/adminfront/src/features/api-keys/ApiKeyCreatePage.tsx
+++ b/adminfront/src/features/api-keys/ApiKeyCreatePage.tsx
@@ -1,6 +1,14 @@
 import { useMutation, useQueryClient } from "@tanstack/react-query";
 import type { AxiosError } from "axios";
-import { AlertCircle, Check, ChevronLeft, Copy, Loader2, Save, ShieldCheck } from "lucide-react";
+import {
+  AlertCircle,
+  Check,
+  ChevronLeft,
+  Copy,
+  Loader2,
+  Save,
+  ShieldCheck,
+} from "lucide-react";
 import * as React from "react";
 import { useForm } from "react-hook-form";
 import { Link, useNavigate } from "react-router-dom";
@@ -13,24 +21,25 @@ import {
 } from "../../components/ui/card";
 import { Input } from "../../components/ui/input";
 import { Label } from "../../components/ui/label";
+import {
+  type ApiKeyCreateRequest,
+  type ApiKeyCreateResponse,
+  createApiKey,
+} from "../../lib/adminApi";
+import { t } from "../../lib/i18n";
 import { cn } from "../../lib/utils";
-import { createApiKey, type ApiKeyCreateRequest, type ApiKeyCreateResponse } from "../../lib/adminApi";
-
-const AVAILABLE_SCOPES = [
-  { id: "audit:read", label: "감사 로그 조회", desc: "시스템 내의 모든 이력을 조회할 수 있습니다." },
-  { id: "audit:write", label: "감사 로그 생성", desc: "외부 앱의 로그를 Baron SSO로 전송합니다." },
-  { id: "user:read", label: "사용자 조회", desc: "사용자 목록 및 프로필을 읽을 수 있습니다." },
-  { id: "user:write", label: "사용자 관리", desc: "사용자 생성, 수정, 삭제 작업을 수행합니다." },
-  { id: "tenant:read", label: "테넌트 조회", desc: "등록된 모든 조직 정보를 조회합니다." },
-  { id: "tenant:write", label: "테넌트 관리", desc: "테넌트 정보를 직접 제어합니다." },
-];
+import { AVAILABLE_API_KEY_SCOPES } from "./apiKeyScopes";

 function ApiKeyCreatePage() {
  const navigate = useNavigate();
  const queryClient = useQueryClient();
  const [error, setError] = React.useState<string | null>(null);
-  const [createdResult, setCreatedResult] = React.useState<ApiKeyCreateResponse | null>(null);
-  const [selectedScopes, setSelectedScopes] = React.useState<string[]>(["audit:read", "user:read"]);
+  const [createdResult, setCreatedResult] =
+    React.useState<ApiKeyCreateResponse | null>(null);
+  const [selectedScopes, setSelectedScopes] = React.useState<string[]>([
+    "audit:read",
+    "user:read",
+  ]);

  const {
    register,
@@ -47,19 +56,29 @@ function ApiKeyCreatePage() {
      setCreatedResult(data);
    },
    onError: (err: AxiosError<{ error?: string }>) => {
-      setError(err.response?.data?.error || "API 키 생성에 실패했습니다.");
+      setError(
+        err.response?.data?.error ||
+          t("msg.admin.api_keys.create.error", "API 키 생성에 실패했습니다."),
+      );
    },
  });

  const toggleScope = (scopeId: string) => {
    setSelectedScopes((prev) =>
-      prev.includes(scopeId) ? prev.filter((s) => s !== scopeId) : [...prev, scopeId]
+      prev.includes(scopeId)
+        ? prev.filter((s) => s !== scopeId)
+        : [...prev, scopeId],
    );
  };

  const onSubmit = (data: { name: string }) => {
    if (selectedScopes.length === 0) {
-      setError("최소 하나 이상의 권한을 선택해야 합니다.");
+      setError(
+        t(
+          "msg.admin.api_keys.create.scope_required",
+          "최소 하나 이상의 권한을 선택해야 합니다.",
+        ),
+      );
      return;
    }
    setError(null);
@@ -77,9 +96,24 @@ function ApiKeyCreatePage() {
          <div className="mx-auto w-16 h-16 bg-primary/10 text-primary rounded-full flex items-center justify-center">
            <ShieldCheck size={32} />
          </div>
-          <h2 className="text-3xl font-bold tracking-tight">API 키 생성 완료</h2>
+          <h2 className="text-3xl font-bold tracking-tight">
+            {t("ui.admin.api_keys.create.success.title", "API 키 생성 완료")}
+          </h2>
          <p className="text-muted-foreground">
-            아래의 비밀번호(Secret)는 보안을 위해 <span className="text-destructive font-bold">지금 한 번만</span> 표시됩니다.
+            {t(
+              "msg.admin.api_keys.create.success.notice",
+              "아래의 비밀번호(Secret)는 보안을 위해 ",
+            )}
+            <span className="text-destructive font-bold">
+              {t(
+                "msg.admin.api_keys.create.success.notice_emphasis",
+                "지금 한 번만",
+              )}
+            </span>{" "}
+            {t(
+              "msg.admin.api_keys.create.success.notice_suffix",
+              "표시됩니다.",
+            )}
          </p>
        </div>

@@ -87,7 +121,10 @@ function ApiKeyCreatePage() {
          <CardHeader className="bg-primary/5 border-b">
            <CardTitle className="text-sm font-semibold flex items-center gap-2">
              <AlertCircle size={16} className="text-primary" />
-              보안 시크릿 복사
+              {t(
+                "ui.admin.api_keys.create.success.copy_secret",
+                "보안 시크릿 복사",
+              )}
            </CardTitle>
          </CardHeader>
          <CardContent className="pt-8 pb-8 space-y-6">
@@ -96,14 +133,14 @@ function ApiKeyCreatePage() {
                X-Baron-Key-Secret
              </Label>
              <div className="relative group">
-                <Input 
-                  readOnly 
-                  value={createdResult.clientSecret} 
-                  className="font-mono text-lg py-6 pr-12 border-primary/30 bg-muted/30 focus-visible:ring-0" 
+                <Input
+                  readOnly
+                  value={createdResult.clientSecret}
+                  className="font-mono text-lg py-6 pr-12 border-primary/30 bg-muted/30 focus-visible:ring-0"
                />
-                <Button 
-                  variant="ghost" 
-                  size="icon" 
+                <Button
+                  variant="ghost"
+                  size="icon"
                  className="absolute right-2 top-1/2 -translate-y-1/2 hover:bg-primary/10"
                  onClick={() => handleCopy(createdResult.clientSecret)}
                >
@@ -111,13 +148,21 @@ function ApiKeyCreatePage() {
                </Button>
              </div>
              <p className="text-[11px] text-center text-muted-foreground italic">
-                복사 버튼을 눌러 안전한 곳(비밀번호 관리자 등)에 저장하세요.
+                {t(
+                  "msg.admin.api_keys.create.success.copy_hint",
+                  "복사 버튼을 눌러 안전한 곳(비밀번호 관리자 등)에 저장하세요.",
+                )}
              </p>
            </div>

            <div className="pt-4 flex flex-col gap-2">
              <Button size="lg" className="w-full font-bold" asChild>
-                <Link to="/api-keys">저장했습니다. 목록으로 이동</Link>
+                <Link to="/api-keys">
+                  {t(
+                    "ui.admin.api_keys.create.success.go_list",
+                    "저장했습니다. 목록으로 이동",
+                  )}
+                </Link>
              </Button>
            </div>
          </CardContent>
@@ -130,12 +175,24 @@ function ApiKeyCreatePage() {
    <div className="max-w-3xl mx-auto space-y-10">
      <header className="flex items-center justify-between">
        <div className="space-y-1">
-          <Button variant="ghost" size="sm" className="-ml-3 text-muted-foreground" onClick={() => navigate("/api-keys")}>
+          <Button
+            variant="ghost"
+            size="sm"
+            className="-ml-3 text-muted-foreground"
+            onClick={() => navigate("/api-keys")}
+          >
            <ChevronLeft size={16} className="mr-1" />
-            돌아가기
+            {t("ui.common.back", "돌아가기")}
          </Button>
-          <h2 className="text-3xl font-bold tracking-tight">새 API 키 생성</h2>
-          <p className="text-muted-foreground">내부 시스템 연동을 위한 보안 인증 키를 구성합니다.</p>
+          <h2 className="text-3xl font-bold tracking-tight">
+            {t("ui.admin.api_keys.create.title", "새 API 키 생성")}
+          </h2>
+          <p className="text-muted-foreground">
+            {t(
+              "msg.admin.api_keys.create.subtitle",
+              "내부 시스템 연동을 위한 보안 인증 키를 구성합니다.",
+            )}
+          </p>
        </div>
      </header>

@@ -143,20 +200,41 @@ function ApiKeyCreatePage() {
        {/* 섹션 1: 이름 설정 */}
        <section className="space-y-4">
          <div className="flex items-center gap-2 pb-2 border-b">
-            <span className="flex items-center justify-center w-6 h-6 rounded-full bg-primary text-primary-foreground text-xs font-bold">1</span>
-            <h3 className="font-semibold text-lg">키 이름 지정</h3>
+            <span className="flex items-center justify-center w-6 h-6 rounded-full bg-primary text-primary-foreground text-xs font-bold">
+              1
+            </span>
+            <h3 className="font-semibold text-lg">
+              {t("ui.admin.api_keys.create.section_name", "키 이름 지정")}
+            </h3>
          </div>
          <Card>
            <CardContent className="pt-6">
              <div className="space-y-2">
-                <Label htmlFor="name" className="text-sm font-medium">서비스 또는 목적 식별 이름</Label>
+                <Label htmlFor="name" className="text-sm font-medium">
+                  {t(
+                    "ui.admin.api_keys.create.name_label",
+                    "서비스 또는 목적 식별 이름",
+                  )}
+                </Label>
                <Input
                  id="name"
-                  placeholder="예: Jenkins-CI, Grafana-Dashboard"
+                  placeholder={t(
+                    "ui.admin.api_keys.create.name_placeholder",
+                    "예: Jenkins-CI, Grafana-Dashboard",
+                  )}
                  className="text-base py-5"
-                  {...register("name", { required: "이름은 필수입니다." })}
+                  {...register("name", {
+                    required: t(
+                      "msg.admin.api_keys.create.name_required",
+                      "이름은 필수입니다.",
+                    ),
+                  })}
                />
-                {errors.name && <p className="text-sm text-destructive mt-1">{errors.name.message}</p>}
+                {errors.name && (
+                  <p className="text-sm text-destructive mt-1">
+                    {errors.name.message}
+                  </p>
+                )}
              </div>
            </CardContent>
          </Card>
@@ -165,11 +243,18 @@ function ApiKeyCreatePage() {
        {/* 섹션 2: 권한 선택 */}
        <section className="space-y-4">
          <div className="flex items-center gap-2 pb-2 border-b">
-            <span className="flex items-center justify-center w-6 h-6 rounded-full bg-primary text-primary-foreground text-xs font-bold">2</span>
-            <h3 className="font-semibold text-lg">권한 범위(Scopes) 선택</h3>
+            <span className="flex items-center justify-center w-6 h-6 rounded-full bg-primary text-primary-foreground text-xs font-bold">
+              2
+            </span>
+            <h3 className="font-semibold text-lg">
+              {t(
+                "ui.admin.api_keys.create.section_scopes",
+                "권한 범위(Scopes) 선택",
+              )}
+            </h3>
          </div>
          <div className="grid gap-4 sm:grid-cols-2">
-            {AVAILABLE_SCOPES.map((scope) => {
+            {AVAILABLE_API_KEY_SCOPES.map((scope) => {
              const isSelected = selectedScopes.includes(scope.id);
              return (
                <button
@@ -178,24 +263,39 @@ function ApiKeyCreatePage() {
                  onClick={() => toggleScope(scope.id)}
                  className={cn(
                    "flex flex-col items-start gap-2 p-4 rounded-xl border-2 text-left transition-all",
-                    isSelected 
-                      ? "border-primary bg-primary/5 shadow-md" 
-                      : "border-border bg-card hover:border-muted-foreground/30"
+                    isSelected
+                      ? "border-primary bg-primary/5 shadow-md"
+                      : "border-border bg-card hover:border-muted-foreground/30",
                  )}
                >
                  <div className="flex items-center justify-between w-full">
-                    <span className={cn("font-bold text-sm", isSelected ? "text-primary" : "")}>{scope.label}</span>
-                    <div className={cn(
-                      "h-5 w-5 rounded-md flex items-center justify-center border",
-                      isSelected ? "bg-primary border-primary" : "border-muted-foreground/30"
-                    )}>
-                      {isSelected && <Check size={12} className="text-primary-foreground" />}
+                    <span
+                      className={cn(
+                        "font-bold text-sm",
+                        isSelected ? "text-primary" : "",
+                      )}
+                    >
+                      {t(scope.labelKey, scope.labelFallback)}
+                    </span>
+                    <div
+                      className={cn(
+                        "h-5 w-5 rounded-md flex items-center justify-center border",
+                        isSelected
+                          ? "bg-primary border-primary"
+                          : "border-muted-foreground/30",
+                      )}
+                    >
+                      {isSelected && (
+                        <Check size={12} className="text-primary-foreground" />
+                      )}
                    </div>
                  </div>
                  <p className="text-[11px] text-muted-foreground leading-snug">
-                    {scope.desc}
+                    {t(scope.descKey, scope.descFallback)}
                  </p>
-                  <code className="text-[9px] font-mono opacity-60 mt-1 uppercase tracking-tighter">ID: {scope.id}</code>
+                  <code className="text-[9px] font-mono opacity-60 mt-1 uppercase tracking-tighter">
+                    ID: {scope.id}
+                  </code>
                </button>
              );
            })}
@@ -210,15 +310,26 @@ function ApiKeyCreatePage() {
              <p className="text-sm font-medium">{error}</p>
            </div>
          )}
-          
+
          <div className="flex items-center justify-between p-6 bg-muted/30 rounded-2xl border">
            <div>
-              <p className="text-sm font-bold">총 {selectedScopes.length}개의 권한이 할당됩니다.</p>
-              <p className="text-xs text-muted-foreground">생성 즉시 활성화되어 사용 가능합니다.</p>
+              <p className="text-sm font-bold">
+                {t(
+                  "msg.admin.api_keys.create.scopes_count",
+                  "총 {{count}}개의 권한이 할당됩니다.",
+                  { count: selectedScopes.length },
+                )}
+              </p>
+              <p className="text-xs text-muted-foreground">
+                {t(
+                  "msg.admin.api_keys.create.scopes_hint",
+                  "생성 즉시 활성화되어 사용 가능합니다.",
+                )}
+              </p>
            </div>
-            <Button 
-              onClick={handleSubmit(onSubmit)} 
-              size="lg" 
+            <Button
+              onClick={handleSubmit(onSubmit)}
+              size="lg"
              className="px-8 font-bold shadow-lg shadow-primary/20"
              disabled={mutation.isPending}
            >
@@ -227,7 +338,7 @@ function ApiKeyCreatePage() {
              ) : (
                <Save className="mr-2 h-5 w-5" />
              )}
-              API 키 발급하기
+              {t("ui.admin.api_keys.create.submit", "API 키 발급하기")}
            </Button>
          </div>
        </div>
@@ -236,4 +347,4 @@ function ApiKeyCreatePage() {
  );
 }

-export default ApiKeyCreatePage;
+export default ApiKeyCreatePage;
--- a/adminfront/src/features/api-keys/ApiKeyListPage.test.tsx
+++ b/adminfront/src/features/api-keys/ApiKeyListPage.test.tsx
@@ -0,0 +1,125 @@
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import { render, screen, waitFor } from "@testing-library/react";
+import userEvent from "@testing-library/user-event";
+import { MemoryRouter } from "react-router-dom";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import {
+  fetchApiKeys,
+  rotateApiKeySecret,
+  updateApiKeyScopes,
+} from "../../lib/adminApi";
+import ApiKeyListPage from "./ApiKeyListPage";
+
+vi.mock("../../lib/i18n", () => ({
+  t: (_key: string, fallback?: string) => fallback ?? "",
+}));
+
+vi.mock("../../lib/adminApi", () => ({
+  fetchApiKeys: vi.fn(async () => ({
+    items: [
+      {
+        id: "api-key-id",
+        name: "org-context-client",
+        client_id: "client-id-stable",
+        scopes: ["audit:read"],
+        status: "active",
+        createdAt: "2026-05-13T00:00:00Z",
+      },
+    ],
+    total: 1,
+  })),
+  deleteApiKey: vi.fn(async () => undefined),
+  updateApiKeyScopes: vi.fn(async () => ({
+    id: "api-key-id",
+    name: "org-context-client",
+    client_id: "client-id-stable",
+    scopes: ["audit:read", "org-context:read"],
+    status: "active",
+    createdAt: "2026-05-13T00:00:00Z",
+  })),
+  rotateApiKeySecret: vi.fn(async () => ({
+    apiKey: {
+      id: "api-key-id",
+      name: "org-context-client",
+      client_id: "client-id-stable",
+      scopes: ["audit:read"],
+      status: "active",
+      createdAt: "2026-05-13T00:00:00Z",
+    },
+    clientSecret: "rotated-secret",
+  })),
+}));
+
+function renderPage() {
+  const queryClient = new QueryClient({
+    defaultOptions: {
+      queries: { retry: false },
+      mutations: { retry: false },
+    },
+  });
+
+  return render(
+    <QueryClientProvider client={queryClient}>
+      <MemoryRouter>
+        <ApiKeyListPage />
+      </MemoryRouter>
+    </QueryClientProvider>,
+  );
+}
+
+describe("ApiKeyListPage", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    vi.spyOn(window, "confirm").mockReturnValue(true);
+  });
+
+  it("updates scopes without changing client_id", async () => {
+    const user = userEvent.setup({ delay: null });
+    renderPage();
+
+    expect(await screen.findByText("client-id-stable")).toBeInTheDocument();
+
+    await user.click(screen.getByRole("button", { name: /권한 수정/ }));
+    await user.click(screen.getByRole("button", { name: /조직 Context 조회/ }));
+    await user.click(screen.getByRole("button", { name: /권한 저장/ }));
+
+    await waitFor(() => {
+      expect(updateApiKeyScopes).toHaveBeenCalledWith("api-key-id", {
+        scopes: expect.arrayContaining(["audit:read", "org-context:read"]),
+      });
+    });
+  }, 15_000);
+
+  it("rotates only the secret and shows the one-time secret", async () => {
+    const user = userEvent.setup();
+    renderPage();
+
+    expect(await screen.findByText("client-id-stable")).toBeInTheDocument();
+
+    await user.click(screen.getByRole("button", { name: /Secret 재발급/ }));
+
+    await waitFor(() => {
+      expect(rotateApiKeySecret).toHaveBeenCalledWith("api-key-id");
+    });
+    expect(
+      await screen.findByDisplayValue("rotated-secret"),
+    ).toBeInTheDocument();
+    expect(fetchApiKeys).toHaveBeenCalled();
+  });
+
+  it("refresh button refetches the list without navigation", async () => {
+    const user = userEvent.setup();
+    renderPage();
+
+    await screen.findByText("client-id-stable");
+
+    const refreshButton = screen.getByRole("button", { name: /새로고침/ });
+    expect(refreshButton).toHaveAttribute("type", "button");
+
+    await user.click(refreshButton);
+
+    await waitFor(() => {
+      expect(fetchApiKeys).toHaveBeenCalledTimes(2);
+    });
+  });
+});
--- a/adminfront/src/features/api-keys/ApiKeyListPage.tsx
+++ b/adminfront/src/features/api-keys/ApiKeyListPage.tsx
@@ -1,7 +1,19 @@
 import { useMutation, useQuery } from "@tanstack/react-query";
 import type { AxiosError } from "axios";
-import { Key, Plus, RefreshCw, Trash2 } from "lucide-react";
+import {
+  Copy,
+  Edit3,
+  Key,
+  Plus,
+  RefreshCw,
+  RotateCcw,
+  Save,
+  Trash2,
+} from "lucide-react";
+import * as React from "react";
 import { Link } from "react-router-dom";
+import { PageHeader } from "../../../../common/core/components/page";
+import { commonStickyTableHeaderClass } from "../../../../common/ui/table";
 import { Badge } from "../../components/ui/badge";
 import { Button } from "../../components/ui/button";
 import {
@@ -11,6 +23,15 @@ import {
  CardHeader,
  CardTitle,
 } from "../../components/ui/card";
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from "../../components/ui/dialog";
+import { Input } from "../../components/ui/input";
 import {
  Table,
  TableBody,
@@ -19,9 +40,27 @@ import {
  TableHeader,
  TableRow,
 } from "../../components/ui/table";
-import { deleteApiKey, fetchApiKeys } from "../../lib/adminApi";
+import {
+  type ApiKeySummary,
+  deleteApiKey,
+  fetchApiKeys,
+  rotateApiKeySecret,
+  updateApiKeyScopes,
+} from "../../lib/adminApi";
+import { t } from "../../lib/i18n";
+import { cn } from "../../lib/utils";
+import { AVAILABLE_API_KEY_SCOPES } from "./apiKeyScopes";

 function ApiKeyListPage() {
+  const [editingKey, setEditingKey] = React.useState<ApiKeySummary | null>(
+    null,
+  );
+  const [draftScopes, setDraftScopes] = React.useState<string[]>([]);
+  const [rotatedSecret, setRotatedSecret] = React.useState<{
+    key: ApiKeySummary;
+    clientSecret: string;
+  } | null>(null);
+
  const query = useQuery({
    queryKey: ["api-keys", { limit: 50, offset: 0 }],
    queryFn: () => fetchApiKeys(50, 0),
@@ -34,137 +73,393 @@ function ApiKeyListPage() {
    },
  });

+  const updateScopesMutation = useMutation({
+    mutationFn: ({ id, scopes }: { id: string; scopes: string[] }) =>
+      updateApiKeyScopes(id, { scopes }),
+    onSuccess: () => {
+      setEditingKey(null);
+      setDraftScopes([]);
+      query.refetch();
+    },
+  });
+
+  const rotateSecretMutation = useMutation({
+    mutationFn: (id: string) => rotateApiKeySecret(id),
+    onSuccess: (data) => {
+      setRotatedSecret({
+        key: data.apiKey,
+        clientSecret: data.clientSecret,
+      });
+      query.refetch();
+    },
+  });
+
  const errorMsg = (query.error as AxiosError<{ error?: string }>)?.response
    ?.data?.error;
  const fallbackError =
-    !errorMsg && query.isError ? "API 키 목록 조회에 실패했습니다." : null;
+    !errorMsg && query.isError
+      ? t(
+          "msg.admin.api_keys.list.fetch_error",
+          "API 키 목록 조회에 실패했습니다.",
+        )
+      : null;

  const items = query.data?.items ?? [];

  const handleDelete = (id: string, name: string) => {
-    if (!window.confirm(`API 키 "${name}"를 삭제할까요?`)) {
+    if (
+      !window.confirm(
+        t(
+          "msg.admin.api_keys.list.delete_confirm",
+          'API 키 "{{name}}"를 삭제할까요?',
+          { name },
+        ),
+      )
+    ) {
      return;
    }
    deleteMutation.mutate(id);
  };

-  return (
-    <div className="space-y-8">
-      <header className="flex flex-wrap items-start justify-between gap-4">
-        <div className="space-y-2">
-          <div className="flex items-center gap-2 text-sm text-[var(--color-muted)]">
-            <span>API Keys</span>
-            <span>/</span>
-            <span className="text-foreground">List</span>
-          </div>
-          <h2 className="text-3xl font-semibold">API 키 관리 (M2M)</h2>
-          <p className="text-sm text-[var(--color-muted)]">
-            서버 간 통신(Machine-to-Machine)을 위한 API 키를 발급하고
-            관리합니다.
-          </p>
-        </div>
-        <div className="flex items-center gap-2">
-          <Button
-            variant="outline"
-            onClick={() => query.refetch()}
-            disabled={query.isFetching}
-          >
-            <RefreshCw size={16} />
-            새로고침
-          </Button>
-          <Button asChild>
-            <Link to="/api-keys/new">
-              <Plus size={16} />
-              API 키 생성
-            </Link>
-          </Button>
-        </div>
-      </header>
+  const openScopeEditor = (key: ApiKeySummary) => {
+    setEditingKey(key);
+    setDraftScopes(key.scopes);
+  };

-      <Card className="bg-[var(--color-panel)]">
-        <CardHeader className="flex flex-row items-center justify-between">
+  const toggleDraftScope = (scopeId: string) => {
+    setDraftScopes((current) =>
+      current.includes(scopeId)
+        ? current.filter((scope) => scope !== scopeId)
+        : [...current, scopeId],
+    );
+  };
+
+  const saveScopes = () => {
+    if (!editingKey || draftScopes.length === 0) return;
+    updateScopesMutation.mutate({ id: editingKey.id, scopes: draftScopes });
+  };
+
+  const handleRotateSecret = (key: ApiKeySummary) => {
+    if (
+      !window.confirm(
+        t(
+          "msg.admin.api_keys.list.rotate_confirm",
+          'API 키 "{{name}}"의 Secret을 재발급할까요? 기존 Secret은 더 이상 사용할 수 없습니다.',
+          { name: key.name },
+        ),
+      )
+    ) {
+      return;
+    }
+    rotateSecretMutation.mutate(key.id);
+  };
+
+  const copyRotatedSecret = () => {
+    if (!rotatedSecret) return;
+    navigator.clipboard.writeText(rotatedSecret.clientSecret);
+  };
+
+  return (
+    <div className="space-y-6 flex flex-col h-[calc(100vh-theme(spacing.32))]">
+      <PageHeader
+        sticky
+        titleAs="h2"
+        icon={<Key size={20} />}
+        title={t("ui.admin.api_keys.list.title", "API 키 관리 (M2M)")}
+        description={t(
+          "msg.admin.api_keys.list.subtitle",
+          "서버 간 통신(Machine-to-Machine)을 위한 API 키를 발급하고 관리합니다.",
+        )}
+        actions={
+          <>
+            <Button
+              type="button"
+              variant="outline"
+              onClick={() => query.refetch()}
+              disabled={query.isFetching}
+            >
+              <RefreshCw size={16} />
+              {t("ui.common.refresh", "새로고침")}
+            </Button>
+            <Button asChild>
+              <Link to="/api-keys/new">
+                <Plus size={16} />
+                {t("ui.admin.api_keys.list.add", "API 키 생성")}
+              </Link>
+            </Button>
+          </>
+        }
+      />
+
+      <Card className="bg-[var(--color-panel)] flex-1 flex flex-col min-h-0 overflow-hidden">
+        <CardHeader className="flex flex-row items-center justify-between flex-shrink-0">
          <div>
-            <CardTitle>API Key Registry</CardTitle>
+            <CardTitle className="text-lg font-bold flex items-center gap-2">
+              {t("ui.admin.apikeys.registry.title", "API Key Registry")}
+            </CardTitle>
            <CardDescription>
-              총 {query.data?.total ?? 0}개 API 키
+              {t(
+                "msg.admin.apikeys.registry.count",
+                "총 {{count}}개의 활성 키가 등록되어 있습니다.",
+                { count: query.data?.items?.length ?? 0 },
+              )}
            </CardDescription>
          </div>
-          <Badge variant="muted">System</Badge>
        </CardHeader>
-        <CardContent>
+        <CardContent className="flex-1 flex flex-col min-h-0 pt-0">
          {(errorMsg || fallbackError) && (
-            <div className="mb-4 rounded-lg border border-destructive/40 bg-destructive/10 px-3 py-2 text-sm text-destructive">
+            <div className="mb-4 rounded-lg border border-destructive/40 bg-destructive/10 px-3 py-2 text-sm text-destructive flex-shrink-0">
              {errorMsg ?? fallbackError}
            </div>
          )}

-          <Table>
-            <TableHeader>
-              <TableRow>
-                <TableHead>NAME</TableHead>
-                <TableHead>CLIENT ID</TableHead>
-                <TableHead>SCOPES</TableHead>
-                <TableHead>LAST USED</TableHead>
-                <TableHead className="text-right">ACTIONS</TableHead>
-              </TableRow>
-            </TableHeader>
-            <TableBody>
-              {query.isLoading && (
-                <TableRow>
-                  <TableCell colSpan={5}>로딩 중...</TableCell>
-                </TableRow>
-              )}
-              {!query.isLoading && items.length === 0 && (
-                <TableRow>
-                  <TableCell colSpan={5}>등록된 API 키가 없습니다.</TableCell>
-                </TableRow>
-              )}
-              {items.map((key) => (
-                <TableRow key={key.id}>
-                  <TableCell className="font-semibold">
-                    <div className="flex items-center gap-2">
-                      <Key size={14} className="text-[var(--color-muted)]" />
-                      {key.name}
-                    </div>
-                  </TableCell>
-                  <TableCell>
-                    <code>{key.client_id}</code>
-                  </TableCell>
-                  <TableCell>
-                    <div className="flex flex-wrap gap-1">
-                      {key.scopes.map((scope) => (
-                        <Badge
-                          key={scope}
-                          variant="muted"
-                          className="text-[10px]"
-                        >
-                          {scope}
-                        </Badge>
-                      ))}
-                    </div>
-                  </TableCell>
-                  <TableCell>
-                    {key.lastUsedAt
-                      ? new Date(key.lastUsedAt).toLocaleString("ko-KR")
-                      : "Never"}
-                  </TableCell>
-                  <TableCell className="text-right">
-                    <Button
-                      variant="outline"
-                      size="sm"
-                      onClick={() => handleDelete(key.id, key.name)}
-                      disabled={deleteMutation.isPending}
-                    >
-                      <Trash2 size={14} />
-                      삭제
-                    </Button>
-                  </TableCell>
-                </TableRow>
-              ))}
-            </TableBody>
-          </Table>
+          <div className="flex-1 rounded-md border overflow-hidden flex flex-col">
+            <div className="flex-1 overflow-auto relative custom-scrollbar">
+              <Table>
+                <TableHeader className={commonStickyTableHeaderClass}>
+                  <TableRow>
+                    <TableHead>
+                      {t("ui.admin.api_keys.list.table.name", "NAME")}
+                    </TableHead>
+                    <TableHead>
+                      {t("ui.admin.api_keys.list.table.client_id", "CLIENT ID")}
+                    </TableHead>
+                    <TableHead>
+                      {t("ui.admin.api_keys.list.table.scopes", "SCOPES")}
+                    </TableHead>
+                    <TableHead>
+                      {t("ui.admin.api_keys.list.table.last_used", "LAST USED")}
+                    </TableHead>
+                    <TableHead className="text-right">
+                      {t("ui.admin.api_keys.list.table.actions", "ACTIONS")}
+                    </TableHead>
+                  </TableRow>
+                </TableHeader>
+                <TableBody>
+                  {query.isLoading && (
+                    <TableRow>
+                      <TableCell colSpan={5}>
+                        {t("msg.common.loading", "로딩 중...")}
+                      </TableCell>
+                    </TableRow>
+                  )}
+                  {!query.isLoading && items.length === 0 && (
+                    <TableRow>
+                      <TableCell colSpan={5}>
+                        {t(
+                          "msg.admin.api_keys.list.empty",
+                          "등록된 API 키가 없습니다.",
+                        )}
+                      </TableCell>
+                    </TableRow>
+                  )}
+                  {items.map((key) => (
+                    <TableRow key={key.id}>
+                      <TableCell className="font-semibold">
+                        <div className="flex items-center gap-2">
+                          <Key
+                            size={14}
+                            className="text-[var(--color-muted)]"
+                          />
+                          {key.name}
+                        </div>
+                      </TableCell>
+                      <TableCell>
+                        <code>{key.client_id}</code>
+                      </TableCell>
+                      <TableCell>
+                        <div className="flex flex-wrap gap-1">
+                          {key.scopes.map((scope) => (
+                            <Badge
+                              key={scope}
+                              variant="muted"
+                              className="text-[10px]"
+                            >
+                              {scope}
+                            </Badge>
+                          ))}
+                        </div>
+                      </TableCell>
+                      <TableCell>
+                        {key.lastUsedAt
+                          ? new Date(key.lastUsedAt).toLocaleString("ko-KR")
+                          : t("ui.common.never", "Never")}
+                      </TableCell>
+                      <TableCell className="text-right">
+                        <div className="flex flex-wrap justify-end gap-2">
+                          <Button
+                            variant="outline"
+                            size="sm"
+                            onClick={() => openScopeEditor(key)}
+                          >
+                            <Edit3 size={14} />
+                            {t(
+                              "ui.admin.api_keys.list.edit_scopes",
+                              "권한 수정",
+                            )}
+                          </Button>
+                          <Button
+                            variant="outline"
+                            size="sm"
+                            onClick={() => handleRotateSecret(key)}
+                            disabled={rotateSecretMutation.isPending}
+                          >
+                            <RotateCcw size={14} />
+                            {t(
+                              "ui.admin.api_keys.list.rotate_secret",
+                              "Secret 재발급",
+                            )}
+                          </Button>
+                          <Button
+                            variant="outline"
+                            size="sm"
+                            onClick={() => handleDelete(key.id, key.name)}
+                            disabled={deleteMutation.isPending}
+                          >
+                            <Trash2 size={14} />
+                            {t("ui.common.delete", "삭제")}
+                          </Button>
+                        </div>
+                      </TableCell>
+                    </TableRow>
+                  ))}
+                </TableBody>
+              </Table>
+            </div>
+          </div>
        </CardContent>
      </Card>
+
+      <Dialog
+        open={editingKey !== null}
+        onOpenChange={() => setEditingKey(null)}
+      >
+        <DialogContent className="max-w-2xl">
+          <DialogHeader>
+            <DialogTitle>
+              {t("ui.admin.api_keys.list.edit_scopes", "권한 수정")}
+            </DialogTitle>
+            <DialogDescription>
+              {editingKey
+                ? t(
+                    "msg.admin.api_keys.list.edit_scopes_desc",
+                    "{{clientId}}의 CLIENT_ID는 유지하고 권한만 변경합니다.",
+                    { clientId: editingKey.client_id },
+                  )
+                : null}
+            </DialogDescription>
+          </DialogHeader>
+          <div className="grid gap-3 sm:grid-cols-2">
+            {AVAILABLE_API_KEY_SCOPES.map((scope) => {
+              const isSelected = draftScopes.includes(scope.id);
+              return (
+                <button
+                  key={scope.id}
+                  type="button"
+                  onClick={() => toggleDraftScope(scope.id)}
+                  className={cn(
+                    "flex flex-col items-start gap-2 rounded-lg border-2 p-4 text-left transition-all",
+                    isSelected
+                      ? "border-primary bg-primary/5"
+                      : "border-border bg-card hover:border-muted-foreground/30",
+                  )}
+                >
+                  <span className="font-bold text-sm">
+                    {t(scope.labelKey, scope.labelFallback)}
+                  </span>
+                  <span className="text-[11px] text-muted-foreground leading-snug">
+                    {t(scope.descKey, scope.descFallback)}
+                  </span>
+                  <code className="text-[9px] font-mono opacity-60 uppercase tracking-tighter">
+                    ID: {scope.id}
+                  </code>
+                </button>
+              );
+            })}
+          </div>
+          {draftScopes.length === 0 && (
+            <p className="text-sm text-destructive">
+              {t(
+                "msg.admin.api_keys.create.scope_required",
+                "최소 하나 이상의 권한을 선택해야 합니다.",
+              )}
+            </p>
+          )}
+          <DialogFooter>
+            <Button variant="outline" onClick={() => setEditingKey(null)}>
+              {t("ui.common.cancel", "취소")}
+            </Button>
+            <Button
+              onClick={saveScopes}
+              disabled={
+                updateScopesMutation.isPending || draftScopes.length === 0
+              }
+            >
+              <Save size={16} />
+              {t("ui.admin.api_keys.list.save_scopes", "권한 저장")}
+            </Button>
+          </DialogFooter>
+        </DialogContent>
+      </Dialog>
+
+      <Dialog
+        open={rotatedSecret !== null}
+        onOpenChange={() => setRotatedSecret(null)}
+      >
+        <DialogContent>
+          <DialogHeader>
+            <DialogTitle>
+              {t(
+                "ui.admin.api_keys.list.rotate_secret_done",
+                "Secret 재발급 완료",
+              )}
+            </DialogTitle>
+            <DialogDescription>
+              {t(
+                "msg.admin.api_keys.list.rotate_secret_notice",
+                "새 Secret은 지금 한 번만 표시됩니다. CLIENT_ID는 변경되지 않았습니다.",
+              )}
+            </DialogDescription>
+          </DialogHeader>
+          {rotatedSecret && (
+            <div className="space-y-4">
+              <div className="space-y-2">
+                <p className="text-xs font-bold text-muted-foreground">
+                  CLIENT ID
+                </p>
+                <code className="block rounded-md bg-muted px-3 py-2 text-sm">
+                  {rotatedSecret.key.client_id}
+                </code>
+              </div>
+              <div className="space-y-2">
+                <p className="text-xs font-bold text-muted-foreground">
+                  X-Baron-Key-Secret
+                </p>
+                <div className="relative">
+                  <Input
+                    readOnly
+                    value={rotatedSecret.clientSecret}
+                    className="font-mono pr-12"
+                  />
+                  <Button
+                    variant="ghost"
+                    size="icon"
+                    className="absolute right-1 top-1/2 -translate-y-1/2"
+                    onClick={copyRotatedSecret}
+                  >
+                    <Copy size={16} />
+                  </Button>
+                </div>
+              </div>
+            </div>
+          )}
+          <DialogFooter>
+            <Button onClick={() => setRotatedSecret(null)}>
+              {t("ui.common.confirm", "확인")}
+            </Button>
+          </DialogFooter>
+        </DialogContent>
+      </Dialog>
    </div>
  );
 }
--- a/adminfront/src/features/api-keys/apiKeyScopes.ts
+++ b/adminfront/src/features/api-keys/apiKeyScopes.ts
@@ -0,0 +1,59 @@
+export type ApiKeyScopeOption = {
+  id: string;
+  labelKey: string;
+  labelFallback: string;
+  descKey: string;
+  descFallback: string;
+};
+
+export const AVAILABLE_API_KEY_SCOPES: ApiKeyScopeOption[] = [
+  {
+    id: "audit:read",
+    labelKey: "ui.admin.api_keys.scopes.audit_read.title",
+    labelFallback: "감사 로그 조회",
+    descKey: "msg.admin.api_keys.scopes.audit_read.desc",
+    descFallback: "시스템 내의 모든 이력을 조회할 수 있습니다.",
+  },
+  {
+    id: "audit:write",
+    labelKey: "ui.admin.api_keys.scopes.audit_write.title",
+    labelFallback: "감사 로그 생성",
+    descKey: "msg.admin.api_keys.scopes.audit_write.desc",
+    descFallback: "외부 앱의 로그를 Baron SSO로 전송합니다.",
+  },
+  {
+    id: "user:read",
+    labelKey: "ui.admin.api_keys.scopes.user_read.title",
+    labelFallback: "사용자 조회",
+    descKey: "msg.admin.api_keys.scopes.user_read.desc",
+    descFallback: "사용자 목록 및 프로필을 읽을 수 있습니다.",
+  },
+  {
+    id: "user:write",
+    labelKey: "ui.admin.api_keys.scopes.user_write.title",
+    labelFallback: "사용자 관리",
+    descKey: "msg.admin.api_keys.scopes.user_write.desc",
+    descFallback: "사용자 생성, 수정, 삭제 작업을 수행합니다.",
+  },
+  {
+    id: "tenant:read",
+    labelKey: "ui.admin.api_keys.scopes.tenant_read.title",
+    labelFallback: "테넌트 조회",
+    descKey: "msg.admin.api_keys.scopes.tenant_read.desc",
+    descFallback: "등록된 모든 조직 정보를 조회합니다.",
+  },
+  {
+    id: "tenant:write",
+    labelKey: "ui.admin.api_keys.scopes.tenant_write.title",
+    labelFallback: "테넌트 관리",
+    descKey: "msg.admin.api_keys.scopes.tenant_write.desc",
+    descFallback: "테넌트 정보를 직접 제어합니다.",
+  },
+  {
+    id: "org-context:read",
+    labelKey: "ui.admin.api_keys.scopes.org_context_read.title",
+    labelFallback: "조직 Context 조회",
+    descKey: "msg.admin.api_keys.scopes.org_context_read.desc",
+    descFallback: "외부 연동앱이 OrgFront SSOT 조직 JSON을 조회합니다.",
+  },
+];
--- a/adminfront/src/features/audit/AuditLogsPage.tsx
+++ b/adminfront/src/features/audit/AuditLogsPage.tsx
@@ -1,562 +1,197 @@
 import { useInfiniteQuery } from "@tanstack/react-query";
 import type { AxiosError } from "axios";
-import {
-    ChevronDown,
-    ChevronUp,
-    Copy,
-    ListChecks,
-    RefreshCw,
-    Search,
-    Terminal,
-} from "lucide-react";
+import { Download, NotebookTabs, RefreshCw, Search } from "lucide-react";
 import * as React from "react";
+import { PageHeader } from "../../../../common/core/components/page";
+import { SearchFilterBar } from "../../../../common/ui/search-filter-bar";
 import { Badge } from "../../components/ui/badge";
 import { Button } from "../../components/ui/button";
 import {
-    Card,
-    CardContent,
-    CardDescription,
-    CardHeader,
-    CardTitle,
+  Card,
+  CardContent,
+  CardDescription,
+  CardHeader,
+  CardTitle,
 } from "../../components/ui/card";
-import {
-    Table,
-    TableBody,
-    TableCell,
-    TableHead,
-    TableHeader,
-    TableRow,
-} from "../../components/ui/table";
+import { Input } from "../../components/ui/input";
 import type { AuditLog } from "../../lib/adminApi";
 import { fetchAuditLogs } from "../../lib/adminApi";
-
-const defaultAuditFilters = [
-    "method:POST path:/api/v1/*",
-    "status:failure",
-    "latency_ms:>1000",
-];
-
-type AuditDetails = {
-    request_id?: string;
-    method?: string;
-    path?: string;
-    status?: number;
-    latency_ms?: number;
-    error?: string;
-    tenant_id?: string;
-    actor_id?: string;
-    action?: string;
-    target?: string;
-    before?: unknown;
-    after?: unknown;
-};
-
-function parseDetails(details?: string): AuditDetails {
-    if (!details) {
-        return {};
-    }
-    try {
-        const parsed = JSON.parse(details);
-        if (parsed && typeof parsed === "object") {
-            return parsed as AuditDetails;
-        }
-    } catch {}
-    return {};
-}
-
-function formatCellValue(value: unknown) {
-    if (value === null || value === undefined || value === "") {
-        return "-";
-    }
-    if (typeof value === "string") {
-        return value;
-    }
-    try {
-        return JSON.stringify(value);
-    } catch {
-        return String(value);
-    }
-}
-
-function formatIsoDateTime(value: string) {
-    if (!value) {
-        return { date: "-", time: "-" };
-    }
-    const parsed = new Date(value);
-    if (Number.isNaN(parsed.getTime())) {
-        return { date: value, time: "-" };
-    }
-    const date = parsed.toISOString().slice(0, 10);
-    const time = parsed.toLocaleTimeString("ko-KR", { hour12: false });
-    return { date, time };
-}
+import { t } from "../../lib/i18n";
+import { VirtualizedAuditLogTable } from "./VirtualizedAuditLogTable";

 function AuditLogsPage() {
-    const [filters, setFilters] = React.useState(defaultAuditFilters);
-    const [filterDraft, setFilterDraft] = React.useState("");
-    const [expandedRows, setExpandedRows] = React.useState<
-        Record<string, boolean>
-    >({});
+  const [searchActorId, setSearchActorId] = React.useState("");
+  const [searchAction, setSearchAction] = React.useState("");
+  const [statusFilter, setStatusFilter] = React.useState("all");
+  const deferredSearchActorId = React.useDeferredValue(searchActorId.trim());
+  const deferredSearchAction = React.useDeferredValue(searchAction.trim());
+  const {
+    data,
+    isLoading,
+    error,
+    fetchNextPage,
+    hasNextPage,
+    isFetchingNextPage,
+    isFetching,
+    refetch,
+  } = useInfiniteQuery({
+    queryKey: [
+      "audit-logs",
+      deferredSearchActorId,
+      deferredSearchAction,
+      statusFilter,
+    ],
+    queryFn: ({ pageParam }) => {
+      const search = [deferredSearchActorId, deferredSearchAction]
+        .filter(Boolean)
+        .join(" ");
+      return fetchAuditLogs(
+        50,
+        pageParam,
+        search || undefined,
+        statusFilter === "all" ? undefined : statusFilter,
+      );
+    },
+    initialPageParam: undefined as string | undefined,
+    getNextPageParam: (lastPage) => lastPage.next_cursor || undefined,
+  });

-    const handleCopy = (value: string) => {
-        if (!value) {
-            return;
+  const logs =
+    data?.pages?.flatMap(
+      (page) =>
+        page?.items?.filter((item): item is AuditLog => Boolean(item)) ?? [],
+    ) ?? [];
+
+  return (
+    <div className="space-y-6">
+      <PageHeader
+        title={t("ui.common.audit.title", "감사 로그")}
+        description={t(
+          "msg.admin.audit.subtitle",
+          "관리자 작업 이력을 조회합니다.",
+        )}
+        icon={<NotebookTabs size={20} />}
+        actions={
+          <>
+            <Badge variant="muted">
+              {t("msg.common.audit.registry.count", "총 {{count}}개 로그", {
+                count: logs.length,
+              })}
+            </Badge>
+            <Button
+              variant="outline"
+              onClick={() => refetch()}
+              disabled={isFetching}
+            >
+              <RefreshCw size={16} />
+              {t("ui.common.refresh", "새로고침")}
+            </Button>
+            <Button>
+              <Download size={16} />
+              {t("ui.common.export_csv", "CSV 내보내기")}
+            </Button>
+          </>
        }
-        navigator.clipboard.writeText(value);
-    };
-    const {
-        data,
-        isLoading,
-        error,
-        fetchNextPage,
-        hasNextPage,
-        isFetchingNextPage,
-        isFetching,
-        refetch,
-    } = useInfiniteQuery({
-        queryKey: ["audit-logs"],
-        queryFn: ({ pageParam }) => fetchAuditLogs(50, pageParam),
-        initialPageParam: undefined as string | undefined,
-        getNextPageParam: (lastPage) => lastPage.next_cursor || undefined,
-    });
+      />

-    const logs =
-        data?.pages?.flatMap(
-            (page) =>
-                page?.items?.filter((item): item is AuditLog =>
-                    Boolean(item),
-                ) ?? [],
-        ) ?? [];
-
-    const handleAddFilter = () => {
-        const trimmed = filterDraft.trim();
-        if (!trimmed) {
-            return;
-        }
-        setFilters((prev) =>
-            prev.includes(trimmed) ? prev : [...prev, trimmed],
-        );
-        setFilterDraft("");
-    };
-
-    if (isLoading) {
-        return <div className="p-8 text-center">Loading audit logs...</div>;
-    }
-
-    if (error) {
-        const errMsg =
-            (error as AxiosError<{ error?: string }>).response?.data?.error ??
-            (error as Error).message;
-        return (
-            <div className="p-8 text-center text-red-500">
-                Error loading logs: {errMsg}
-            </div>
-        );
-    }
-
-    return (
-        <div className="space-y-8">
-            <header className="flex flex-wrap items-start justify-between gap-4">
-                <div>
-                    <div className="flex items-center gap-2 text-sm text-[var(--color-muted)]">
-                        <span>Audit</span>
-                        <span>/</span>
-                        <span className="text-foreground">Logs</span>
-                    </div>
-                    <h2 className="text-3xl font-semibold">감사 로그</h2>
-                    <p className="text-sm text-[var(--color-muted)]">
-                        Command 요청 기반 ClickHouse 로그를 조회합니다.
-                        사용자/테넌트는 추후 세션 연동 시 자동 채워집니다.
-                    </p>
-                </div>
-                <div className="flex items-center gap-2">
-                    <Button
-                        variant="outline"
-                        onClick={() => refetch()}
-                        disabled={isFetching}
-                    >
-                        <RefreshCw size={16} />
-                        새로고침
-                    </Button>
-                    <Button>
-                        <ListChecks size={16} />
-                        Export CSV
-                    </Button>
-                </div>
-            </header>
-
-            <div className="space-y-4">
-                <Card className="glass-panel">
-                    <CardHeader className="flex flex-row items-center justify-between">
-                        <div>
-                            <CardTitle>Audit registry</CardTitle>
-                            <CardDescription>
-                                로드된 로그 {logs.length}건
-                            </CardDescription>
-                        </div>
-                        <Badge variant="muted">Command only</Badge>
-                    </CardHeader>
-                    <CardContent>
-                        <div className="mb-4 flex flex-wrap items-center gap-2">
-                            <div className="flex flex-1 items-center gap-2 rounded-full border border-[var(--color-border)] bg-[rgba(255,255,255,0.02)] px-4 py-2 text-[var(--color-muted)]">
-                                <Search size={14} />
-                                <input
-                                    value={filterDraft}
-                                    onChange={(event) =>
-                                        setFilterDraft(event.target.value)
-                                    }
-                                    onKeyDown={(event) => {
-                                        if (event.key === "Enter") {
-                                            handleAddFilter();
-                                        }
-                                    }}
-                                    placeholder="필터 추가 (예: status:failure)"
-                                    className="w-full bg-transparent text-sm text-foreground outline-none"
-                                />
-                                <Button
-                                    size="sm"
-                                    variant="outline"
-                                    onClick={handleAddFilter}
-                                >
-                                    추가
-                                </Button>
-                            </div>
-                            {filters.length === 0 ? (
-                                <span className="text-xs text-[var(--color-muted)]">
-                                    필터 없음
-                                </span>
-                            ) : (
-                                filters.map((filter) => (
-                                    <span
-                                        key={filter}
-                                        className="inline-flex items-center gap-2 rounded-full border border-[var(--color-border)] bg-[rgba(255,255,255,0.04)] px-3 py-1 text-xs text-[var(--color-muted)]"
-                                    >
-                                        <Terminal size={12} />
-                                        {filter}
-                                        <button
-                                            type="button"
-                                            onClick={() =>
-                                                setFilters((prev) =>
-                                                    prev.filter(
-                                                        (item) =>
-                                                            item !== filter,
-                                                    ),
-                                                )
-                                            }
-                                            className="inline-flex h-5 w-5 items-center justify-center rounded-full border border-[var(--color-border)] text-[10px] text-[var(--color-muted)]"
-                                            aria-label={`${filter} 필터 제거`}
-                                        >
-                                            ×
-                                        </button>
-                                    </span>
-                                ))
-                            )}
-                        </div>
-                        <Table className="table-fixed">
-                            <TableHeader>
-                                <TableRow>
-                                    <TableHead className="w-[140px]">
-                                        TIME
-                                    </TableHead>
-                                    <TableHead className="w-[160px]">
-                                        ACTOR (ID)
-                                    </TableHead>
-                                    <TableHead>REQUEST</TableHead>
-                                    <TableHead>PATH</TableHead>
-                                    <TableHead className="w-[120px]">
-                                        STATUS
-                                    </TableHead>
-                                    <TableHead>Action / Target</TableHead>
-                                    <TableHead className="w-[80px]"></TableHead>
-                                </TableRow>
-                            </TableHeader>
-                            <TableBody>
-                                {isLoading && (
-                                    <TableRow>
-                                        <TableCell colSpan={7}>
-                                            로딩 중...
-                                        </TableCell>
-                                    </TableRow>
-                                )}
-                                {!isLoading && logs.length === 0 && (
-                                    <TableRow>
-                                        <TableCell colSpan={7}>
-                                            아직 수집된 감사 로그가 없습니다.
-                                        </TableCell>
-                                    </TableRow>
-                                )}
-                                {logs.map((row, index) => {
-                                    const details = parseDetails(row.details);
-                                    const actionLabel =
-                                        details.action ||
-                                        (details.method && details.path
-                                            ? `${details.method} ${details.path}`
-                                            : row.event_type);
-                                    const rowKey = `${row.event_id}-${row.timestamp}-${index}`;
-                                    const isExpanded = Boolean(
-                                        expandedRows[rowKey],
-                                    );
-                                    return (
-                                        <React.Fragment key={rowKey}>
-                                            <TableRow className="bg-card/40">
-                                                <TableCell className="text-xs text-[var(--color-muted)]">
-                                                    {(() => {
-                                                        const { date, time } =
-                                                            formatIsoDateTime(
-                                                                row.timestamp,
-                                                            );
-                                                        return (
-                                                            <div className="space-y-1">
-                                                                <div>
-                                                                    {date}
-                                                                </div>
-                                                                <div>
-                                                                    {time}
-                                                                </div>
-                                                            </div>
-                                                        );
-                                                    })()}
-                                                </TableCell>
-                                                <TableCell>
-                                                    <div className="flex items-center gap-2">
-                                                        <code className="rounded-md bg-secondary/60 px-2 py-1 text-xs text-muted-foreground">
-                                                            {row.user_id ||
-                                                                details.actor_id ||
-                                                                "-"}
-                                                        </code>
-                                                        {(row.user_id ||
-                                                            details.actor_id) && (
-                                                            <Button
-                                                                variant="ghost"
-                                                                size="icon"
-                                                                className="h-7 w-7 text-muted-foreground hover:text-primary"
-                                                                aria-label="Copy actor id"
-                                                                onClick={() =>
-                                                                    handleCopy(
-                                                                        row.user_id ||
-                                                                            details.actor_id ||
-                                                                            "",
-                                                                    )
-                                                                }
-                                                            >
-                                                                <Copy className="h-3 w-3" />
-                                                            </Button>
-                                                        )}
-                                                    </div>
-                                                </TableCell>
-                                                <TableCell className="text-xs text-[var(--color-muted)]">
-                                                    <div className="flex items-start gap-2">
-                                                        <span className="break-all">
-                                                            {formatCellValue(
-                                                                details.request_id,
-                                                            )}
-                                                        </span>
-                                                        {details.request_id && (
-                                                            <Button
-                                                                variant="ghost"
-                                                                size="icon"
-                                                                className="h-7 w-7 text-muted-foreground hover:text-primary"
-                                                                aria-label="Copy request id"
-                                                                onClick={() =>
-                                                                    handleCopy(
-                                                                        details.request_id ||
-                                                                            "",
-                                                                    )
-                                                                }
-                                                            >
-                                                                <Copy className="h-3 w-3" />
-                                                            </Button>
-                                                        )}
-                                                    </div>
-                                                </TableCell>
-                                                <TableCell className="text-xs text-[var(--color-muted)]">
-                                                    <div className="font-semibold text-foreground">
-                                                        {formatCellValue(
-                                                            details.method,
-                                                        )}
-                                                    </div>
-                                                    <div className="break-all">
-                                                        {formatCellValue(
-                                                            details.path,
-                                                        )}
-                                                    </div>
-                                                </TableCell>
-                                                <TableCell>
-                                                    <Badge
-                                                        variant={
-                                                            row.status ===
-                                                                "success" ||
-                                                            row.status === "ok"
-                                                                ? "success"
-                                                                : "warning"
-                                                        }
-                                                    >
-                                                        {row.status}
-                                                    </Badge>
-                                                </TableCell>
-                                                <TableCell className="text-xs text-[var(--color-muted)]">
-                                                    <div className="font-semibold text-foreground">
-                                                        {actionLabel}
-                                                    </div>
-                                                    {details.target && (
-                                                        <div className="flex items-center gap-2">
-                                                            <span className="break-all">
-                                                                Target ·{" "}
-                                                                {details.target}
-                                                            </span>
-                                                            <Button
-                                                                variant="ghost"
-                                                                size="icon"
-                                                                className="h-7 w-7 text-muted-foreground hover:text-primary"
-                                                                aria-label="Copy target"
-                                                                onClick={() =>
-                                                                    handleCopy(
-                                                                        details.target ||
-                                                                            "",
-                                                                    )
-                                                                }
-                                                            >
-                                                                <Copy className="h-3 w-3" />
-                                                            </Button>
-                                                        </div>
-                                                    )}
-                                                </TableCell>
-                                                <TableCell className="text-right">
-                                                    <Button
-                                                        variant="ghost"
-                                                        size="sm"
-                                                        onClick={() =>
-                                                            setExpandedRows(
-                                                                (prev) => ({
-                                                                    ...prev,
-                                                                    [rowKey]:
-                                                                        !isExpanded,
-                                                                }),
-                                                            )
-                                                        }
-                                                    >
-                                                        {isExpanded ? (
-                                                            <ChevronUp className="h-4 w-4" />
-                                                        ) : (
-                                                            <ChevronDown className="h-4 w-4" />
-                                                        )}
-                                                    </Button>
-                                                </TableCell>
-                                            </TableRow>
-                                            {isExpanded && (
-                                                <TableRow className="bg-card/20">
-                                                    <TableCell
-                                                        colSpan={7}
-                                                        className="text-xs"
-                                                    >
-                                                        <div className="grid gap-4 text-[var(--color-muted)] md:grid-cols-3">
-                                                            <div className="space-y-1">
-                                                                <div className="uppercase tracking-[0.16em]">
-                                                                    Request
-                                                                </div>
-                                                                <div className="break-all">
-                                                                    Request ID ·{" "}
-                                                                    {formatCellValue(
-                                                                        details.request_id,
-                                                                    )}
-                                                                </div>
-                                                                <div className="break-all">
-                                                                    Event ID ·{" "}
-                                                                    {formatCellValue(
-                                                                        row.event_id,
-                                                                    )}
-                                                                </div>
-                                                                <div>
-                                                                    IP ·{" "}
-                                                                    {formatCellValue(
-                                                                        row.ip_address,
-                                                                    )}
-                                                                </div>
-                                                                <div>
-                                                                    Latency ·{" "}
-                                                                    {details.latency_ms !==
-                                                                    undefined
-                                                                        ? `${details.latency_ms}ms`
-                                                                        : "-"}
-                                                                </div>
-                                                            </div>
-                                                            <div className="space-y-1">
-                                                                <div className="uppercase tracking-[0.16em]">
-                                                                    Actor
-                                                                </div>
-                                                                <div>
-                                                                    Actor ID ·{" "}
-                                                                    {row.user_id ||
-                                                                        details.actor_id ||
-                                                                        "-"}
-                                                                </div>
-                                                                <div>
-                                                                    Tenant ·{" "}
-                                                                    {formatCellValue(
-                                                                        details.tenant_id,
-                                                                    )}
-                                                                </div>
-                                                                <div>
-                                                                    Device ·{" "}
-                                                                    {formatCellValue(
-                                                                        row.device_id,
-                                                                    )}
-                                                                </div>
-                                                            </div>
-                                                            <div className="space-y-1">
-                                                                <div className="uppercase tracking-[0.16em]">
-                                                                    Result
-                                                                </div>
-                                                                <div className="break-all">
-                                                                    Error ·{" "}
-                                                                    {formatCellValue(
-                                                                        details.error,
-                                                                    )}
-                                                                </div>
-                                                                <div className="break-all">
-                                                                    Before ·{" "}
-                                                                    {formatCellValue(
-                                                                        details.before,
-                                                                    )}
-                                                                </div>
-                                                                <div className="break-all">
-                                                                    After ·{" "}
-                                                                    {formatCellValue(
-                                                                        details.after,
-                                                                    )}
-                                                                </div>
-                                                            </div>
-                                                        </div>
-                                                    </TableCell>
-                                                </TableRow>
-                                            )}
-                                        </React.Fragment>
-                                    );
-                                })}
-                            </TableBody>
-                        </Table>
-                        <div className="pt-4 text-center">
-                            {hasNextPage ? (
-                                <Button
-                                    variant="outline"
-                                    onClick={() => fetchNextPage()}
-                                    disabled={isFetchingNextPage}
-                                >
-                                    {isFetchingNextPage
-                                        ? "Loading..."
-                                        : "Load more"}
-                                </Button>
-                            ) : (
-                                <span className="text-xs text-[var(--color-muted)]">
-                                    End of audit feed
-                                </span>
-                            )}
-                        </div>
-                    </CardContent>
-                </Card>
-            </div>
-        </div>
-    );
+      <Card className="glass-panel">
+        <CardHeader className="flex flex-row items-center justify-between">
+          <div>
+            <CardTitle className="text-lg font-bold flex items-center gap-2">
+              {t("ui.common.audit.registry.title", "Audit registry")}
+            </CardTitle>
+            <CardDescription>
+              {t(
+                "msg.admin.audit.registry.description",
+                "최근 감사 로그를 검색 조건에 맞춰 필터링하고, 작업 이력을 빠르게 확인합니다.",
+              )}
+            </CardDescription>
+          </div>
+        </CardHeader>
+        {isLoading ? (
+          <div className="p-8 text-center" data-testid="audit-loading">
+            {t("msg.common.audit.loading", "Loading audit logs...")}
+          </div>
+        ) : error ? (
+          <div
+            className="p-8 text-center text-red-500"
+            data-testid="audit-error"
+          >
+            {t("msg.common.audit.load_error", "Error loading logs: {{error}}", {
+              error:
+                (error as AxiosError<{ error?: string }>).response?.data
+                  ?.error ?? (error as Error).message,
+            })}
+          </div>
+        ) : (
+          <CardContent className="space-y-4 pt-0">
+            <SearchFilterBar
+              primary={
+                <form
+                  onSubmit={(e) => {
+                    e.preventDefault();
+                    refetch();
+                  }}
+                  className="grid flex-1 gap-2 md:grid-cols-[1fr,1fr,180px]"
+                >
+                  <div className="relative">
+                    <Search className="absolute left-3 top-1/2 h-4 w-4 -translate-y-1/2 text-muted-foreground" />
+                    <Input
+                      className="pl-10"
+                      data-testid="audit-search-user-id"
+                      value={searchActorId}
+                      onChange={(event) => setSearchActorId(event.target.value)}
+                      placeholder={t(
+                        "ui.common.audit.filters.user_id",
+                        "Filter by User ID",
+                      )}
+                    />
+                  </div>
+                  <Input
+                    data-testid="audit-search-action"
+                    value={searchAction}
+                    onChange={(event) =>
+                      setSearchAction(event.target.value.toUpperCase())
+                    }
+                    placeholder={t(
+                      "ui.common.audit.filters.action",
+                      "Filter by Action (e.g. ROTATE_SECRET)",
+                    )}
+                  />
+                  <select
+                    id="audit-filter-status"
+                    name="audit-filter-status"
+                    data-testid="audit-filter-status"
+                    className="h-10 rounded-md border border-input bg-background px-3 text-sm"
+                    value={statusFilter}
+                    onChange={(event) => setStatusFilter(event.target.value)}
+                  >
+                    <option value="all">
+                      {t("ui.common.audit.filters.status_all", "All Status")}
+                    </option>
+                    <option value="success">
+                      {t("ui.common.status.success", "Success")}
+                    </option>
+                    <option value="failure">
+                      {t("ui.common.status.failure", "Failure")}
+                    </option>
+                  </select>
+                </form>
+              }
+            />
+            <VirtualizedAuditLogTable
+              logs={logs}
+              t={t}
+              loading={isLoading}
+              hasNextPage={Boolean(hasNextPage)}
+              isFetchingNextPage={isFetchingNextPage}
+              onLoadMore={() => fetchNextPage()}
+            />
+          </CardContent>
+        )}
+      </Card>
+    </div>
+  );
 }

-export default AuditLogsPage;
+export default AuditLogsPage;
--- a/adminfront/src/features/audit/VirtualizedAuditLogTable.tsx
+++ b/adminfront/src/features/audit/VirtualizedAuditLogTable.tsx
@@ -0,0 +1,475 @@
+import { useVirtualizer } from "@tanstack/react-virtual";
+import { ChevronDown, ChevronUp, Copy } from "lucide-react";
+import * as React from "react";
+import {
+  formatAuditDateParts,
+  formatAuditValue,
+  parseAuditDetails,
+  resolveAuditAction,
+  resolveAuditActor,
+  resolveAuditTarget,
+} from "../../../../common/core/audit";
+import {
+  type CommonBadgeVariant,
+  getCommonBadgeClasses,
+} from "../../../../common/ui/badge";
+import { getCommonButtonClasses } from "../../../../common/ui/button";
+import {
+  commonStickyTableHeaderClass,
+  commonTableBodyClass,
+  commonTableCellClass,
+  commonTableClass,
+  commonTableHeadClass,
+  commonTableHeaderClass,
+  commonTableRowClass,
+  commonTableShellClass,
+  commonTableViewportClass,
+  commonTableWrapperClass,
+} from "../../../../common/ui/table";
+import { Button } from "../../components/ui/button";
+import type { AuditLog } from "../../lib/adminApi";
+
+type AuditTranslate = (
+  key: string,
+  fallback: string,
+  vars?: Record<string, string | number>,
+) => string;
+
+type VirtualizedAuditLogTableProps = {
+  logs: AuditLog[];
+  t: AuditTranslate;
+  loading: boolean;
+  hasNextPage: boolean;
+  isFetchingNextPage: boolean;
+  onLoadMore: () => void;
+  className?: string;
+};
+
+function cx(...classNames: Array<string | false | null | undefined>) {
+  return classNames.filter(Boolean).join(" ");
+}
+
+function statusVariant(status: string): CommonBadgeVariant {
+  return status === "success" || status === "ok" ? "success" : "warning";
+}
+
+export function VirtualizedAuditLogTable({
+  logs,
+  t,
+  loading,
+  hasNextPage,
+  isFetchingNextPage,
+  onLoadMore,
+  className,
+}: VirtualizedAuditLogTableProps) {
+  const [expandedRows, setExpandedRows] = React.useState<
+    Record<string, boolean>
+  >({});
+  const viewportRef = React.useRef<HTMLDivElement>(null);
+  const isTest =
+    (typeof process !== "undefined" && process.env.NODE_ENV === "test") ||
+    (typeof window !== "undefined" &&
+      (window as Window & { _IS_TEST_MODE?: boolean })._IS_TEST_MODE);
+
+  const handleCopy = (value: string) => {
+    if (!value) {
+      return;
+    }
+    navigator.clipboard.writeText(value);
+  };
+
+  const rowVirtualizer = useVirtualizer({
+    count: logs.length,
+    getScrollElement: () => viewportRef.current,
+    estimateSize: () => 80,
+    measureElement: (el) => el.getBoundingClientRect().height,
+    overscan: isTest ? logs.length : 10,
+    initialRect: isTest ? { width: 1010, height: 1000 } : undefined,
+  });
+
+  const virtualRows = rowVirtualizer.getVirtualItems();
+
+  React.useEffect(() => {
+    if (isTest) {
+      return;
+    }
+    const lastItem = virtualRows[virtualRows.length - 1];
+    if (!lastItem) return;
+
+    if (
+      lastItem.index >= logs.length - 1 &&
+      hasNextPage &&
+      !isFetchingNextPage
+    ) {
+      onLoadMore();
+    }
+  }, [
+    virtualRows,
+    logs.length,
+    hasNextPage,
+    isFetchingNextPage,
+    onLoadMore,
+    isTest,
+  ]);
+
+  const tableMinWidth = 1010;
+
+  const renderRow = (
+    row: AuditLog,
+    index: number,
+    virtualRow?: { start: number; end: number },
+  ) => {
+    if (!row) return null;
+
+    const details = parseAuditDetails(row.details);
+    const actorLabel = resolveAuditActor(row, details);
+    const actionLabel = resolveAuditAction(row, details);
+    const targetLabel = resolveAuditTarget(details);
+    const rowKey = `${row.event_id}-${row.timestamp}-${index}`;
+    const expanded = Boolean(expandedRows[rowKey]);
+    const { date, time } = formatAuditDateParts(row.timestamp);
+
+    return (
+      <tr
+        key={rowKey}
+        data-index={index}
+        ref={virtualRow ? rowVirtualizer.measureElement : undefined}
+        className={cx(
+          commonTableRowClass,
+          "bg-card/40",
+          virtualRow ? "absolute left-0 w-full" : "",
+        )}
+        style={
+          virtualRow
+            ? {
+                transform: `translateY(${virtualRow.start}px)`,
+              }
+            : undefined
+        }
+      >
+        <td colSpan={6} className="p-0">
+          <div className={cx("flex items-center", expanded && "border-b")}>
+            <div
+              className={cx(
+                commonTableCellClass,
+                "w-[190px] shrink-0 text-xs text-muted-foreground",
+              )}
+            >
+              <div className="space-y-1">
+                <div>{date}</div>
+                <div>{time}</div>
+              </div>
+            </div>
+            <div className={cx(commonTableCellClass, "w-[180px] shrink-0")}>
+              <div className="flex items-center gap-2">
+                <code className="rounded-md bg-secondary/60 px-2 py-1 text-xs text-muted-foreground">
+                  {actorLabel}
+                </code>
+                {actorLabel !== "-" ? (
+                  <button
+                    type="button"
+                    className={cx(
+                      getCommonButtonClasses({
+                        variant: "ghost",
+                        size: "icon",
+                      }),
+                      "h-7 w-7 text-muted-foreground hover:text-primary",
+                    )}
+                    aria-label={t(
+                      "ui.common.audit.copy.actor_id",
+                      "Copy User ID",
+                    )}
+                    onClick={() => handleCopy(actorLabel)}
+                  >
+                    <Copy className="h-3 w-3" />
+                  </button>
+                ) : null}
+              </div>
+            </div>
+            <div
+              className={cx(
+                commonTableCellClass,
+                "w-[180px] shrink-0 text-xs text-muted-foreground",
+              )}
+            >
+              <div className="font-semibold text-foreground">{actionLabel}</div>
+            </div>
+            <div
+              className={cx(
+                commonTableCellClass,
+                "w-[260px] shrink-0 text-xs text-muted-foreground",
+              )}
+            >
+              <div className="flex items-center gap-2">
+                <span className="break-all">{targetLabel}</span>
+                {targetLabel !== "-" ? (
+                  <button
+                    type="button"
+                    className={cx(
+                      getCommonButtonClasses({
+                        variant: "ghost",
+                        size: "icon",
+                      }),
+                      "h-7 w-7 text-muted-foreground hover:text-primary",
+                    )}
+                    aria-label={t(
+                      "ui.common.audit.copy.target",
+                      "Copy Client ID",
+                    )}
+                    onClick={() => handleCopy(targetLabel)}
+                  >
+                    <Copy className="h-3 w-3" />
+                  </button>
+                ) : null}
+              </div>
+            </div>
+            <div className={cx(commonTableCellClass, "w-[120px] shrink-0")}>
+              <span
+                className={getCommonBadgeClasses({
+                  variant: statusVariant(row.status),
+                })}
+              >
+                {row.status}
+              </span>
+            </div>
+            <div
+              className={cx(
+                commonTableCellClass,
+                "w-[80px] shrink-0 text-right",
+              )}
+            >
+              <button
+                type="button"
+                className={getCommonButtonClasses({
+                  variant: "ghost",
+                  size: "sm",
+                })}
+                onClick={() => {
+                  setExpandedRows((prev) => ({
+                    ...prev,
+                    [rowKey]: !expanded,
+                  }));
+                  // Re-measure after state change
+                  setTimeout(() => rowVirtualizer.measure(), 0);
+                }}
+              >
+                {expanded ? (
+                  <ChevronUp className="h-4 w-4" />
+                ) : (
+                  <ChevronDown className="h-4 w-4" />
+                )}
+              </button>
+            </div>
+          </div>
+          {expanded && (
+            <div className={cx(commonTableCellClass, "bg-card/20 text-xs")}>
+              <div className="grid gap-4 text-muted-foreground md:grid-cols-3">
+                <div className="space-y-1">
+                  <div className="uppercase tracking-[0.16em]">
+                    {t("ui.common.audit.details.request", "Request")}
+                  </div>
+                  <div className="break-all">
+                    {t(
+                      "ui.common.audit.details.request_id",
+                      "Request ID · {{value}}",
+                      { value: formatAuditValue(details.request_id) },
+                    )}
+                  </div>
+                  <div className="break-all">
+                    {t(
+                      "ui.common.audit.details.event_id",
+                      "Event ID · {{value}}",
+                      { value: formatAuditValue(row.event_id) },
+                    )}
+                  </div>
+                  <div>
+                    {t("ui.common.audit.details.ip", "IP · {{value}}", {
+                      value: formatAuditValue(row.ip_address),
+                    })}
+                  </div>
+                  <div className="break-all">
+                    {t("ui.common.audit.details.method", "Method · {{value}}", {
+                      value: formatAuditValue(details.method),
+                    })}
+                  </div>
+                  <div className="break-all">
+                    {t("ui.common.audit.details.path", "Path · {{value}}", {
+                      value: formatAuditValue(details.path),
+                    })}
+                  </div>
+                  <div>
+                    {t(
+                      "ui.common.audit.details.latency",
+                      "Latency · {{value}}",
+                      {
+                        value:
+                          details.latency_ms !== undefined
+                            ? `${details.latency_ms}ms`
+                            : "-",
+                      },
+                    )}
+                  </div>
+                </div>
+                <div className="space-y-1">
+                  <div className="uppercase tracking-[0.16em]">
+                    {t("ui.common.audit.details.actor", "Actor")}
+                  </div>
+                  <div>
+                    {t(
+                      "ui.common.audit.details.actor_id",
+                      "User ID · {{value}}",
+                      { value: actorLabel },
+                    )}
+                  </div>
+                  <div>
+                    {t("ui.common.audit.details.tenant", "Tenant · {{value}}", {
+                      value: formatAuditValue(details.tenant_id),
+                    })}
+                  </div>
+                  <div>
+                    {t("ui.common.audit.details.device", "Device · {{value}}", {
+                      value: formatAuditValue(row.device_id),
+                    })}
+                  </div>
+                  <div className="break-all">
+                    {t(
+                      "ui.common.audit.details.target",
+                      "Client ID · {{value}}",
+                      { value: targetLabel },
+                    )}
+                  </div>
+                </div>
+                <div className="space-y-1">
+                  <div className="uppercase tracking-[0.16em]">
+                    {t("ui.common.audit.details.result", "Result")}
+                  </div>
+                  <div className="break-all">
+                    {t("ui.common.audit.details.error", "Error · {{value}}", {
+                      value: formatAuditValue(details.error),
+                    })}
+                  </div>
+                  <div className="break-all">
+                    {t("ui.common.audit.details.before", "Before · {{value}}", {
+                      value: formatAuditValue(details.before),
+                    })}
+                  </div>
+                  <div className="break-all">
+                    {t("ui.common.audit.details.after", "After · {{value}}", {
+                      value: formatAuditValue(details.after),
+                    })}
+                  </div>
+                </div>
+              </div>
+            </div>
+          )}
+        </td>
+      </tr>
+    );
+  };
+
+  return (
+    <div className={cx(commonTableShellClass, className)}>
+      <div
+        ref={viewportRef}
+        className={cx(commonTableViewportClass, "flex-1")}
+        data-testid="audit-table-viewport"
+      >
+        <div
+          className={commonTableWrapperClass}
+          style={{ minWidth: tableMinWidth }}
+        >
+          <table
+            className={cx(commonTableClass, "table-fixed w-full")}
+            style={{ borderCollapse: "separate", borderSpacing: 0 }}
+          >
+            <thead
+              className={cx(
+                commonTableHeaderClass,
+                commonStickyTableHeaderClass,
+              )}
+            >
+              <tr className={commonTableRowClass}>
+                <th className={cx(commonTableHeadClass, "w-[190px]")}>
+                  {t("ui.common.audit.table.time", "Time")}
+                </th>
+                <th className={cx(commonTableHeadClass, "w-[180px]")}>
+                  {t("ui.common.audit.table.user_id", "User ID")}
+                </th>
+                <th className={cx(commonTableHeadClass, "w-[180px]")}>
+                  {t("ui.common.audit.table.action", "Action")}
+                </th>
+                <th className={cx(commonTableHeadClass, "w-[260px]")}>
+                  {t("ui.common.audit.table.client_id", "Client ID")}
+                </th>
+                <th className={cx(commonTableHeadClass, "w-[120px]")}>
+                  {t("ui.common.audit.table.status", "Status")}
+                </th>
+                <th className={cx(commonTableHeadClass, "w-[80px]")} />
+              </tr>
+            </thead>
+            <tbody
+              className={commonTableBodyClass}
+              style={
+                !isTest
+                  ? {
+                      height: `${rowVirtualizer.getTotalSize()}px`,
+                      position: "relative",
+                    }
+                  : undefined
+              }
+            >
+              {isTest
+                ? logs.map((row, index) => renderRow(row, index))
+                : virtualRows.map((virtualRow) =>
+                    renderRow(
+                      logs[virtualRow.index],
+                      virtualRow.index,
+                      virtualRow,
+                    ),
+                  )}
+              {logs.length === 0 && !loading && (
+                <tr>
+                  <td
+                    colSpan={6}
+                    className={cx(
+                      commonTableCellClass,
+                      "text-center py-8 text-muted-foreground",
+                    )}
+                  >
+                    {t("ui.common.audit.table.no_logs", "No audit logs found")}
+                  </td>
+                </tr>
+              )}
+            </tbody>
+          </table>
+        </div>
+      </div>
+
+      <div className="flex-shrink-0 border-t bg-background/50 p-4 text-center backdrop-blur-sm">
+        {hasNextPage ? (
+          <div className="flex flex-col items-center gap-2">
+            {isFetchingNextPage && (
+              <span className="animate-pulse text-xs text-muted-foreground">
+                {t("msg.common.loading", "Loading more...")}
+              </span>
+            )}
+            <Button
+              variant="outline"
+              size="sm"
+              onClick={onLoadMore}
+              disabled={isFetchingNextPage}
+            >
+              {isFetchingNextPage
+                ? t("msg.common.loading", "Loading...")
+                : t("ui.common.audit.load_more", "더 보기")}
+            </Button>
+          </div>
+        ) : logs.length > 0 ? (
+          <span className="text-xs text-muted-foreground">
+            {t("msg.common.audit.end", "End of audit feed")}
+          </span>
+        ) : null}
+      </div>
+    </div>
+  );
+}
--- a/adminfront/src/features/auth/AuthCallbackPage.tsx
+++ b/adminfront/src/features/auth/AuthCallbackPage.tsx
@@ -0,0 +1,56 @@
+import { ShieldHalf } from "lucide-react";
+import { useEffect } from "react";
+import { useAuth } from "react-oidc-context";
+import { useNavigate } from "react-router-dom";
+import { debugLog } from "../../lib/debugLog";
+
+function AuthCallbackPage() {
+  const auth = useAuth();
+  const navigate = useNavigate();
+
+  useEffect(() => {
+    debugLog("[AuthCallbackPage] State:", {
+      isAuthenticated: auth.isAuthenticated,
+      isLoading: auth.isLoading,
+      error: auth.error,
+    });
+    if (auth.isAuthenticated) {
+      // Save token to localStorage for existing API clients that might still use it
+      const user = auth.user;
+      if (user?.access_token) {
+        window.localStorage.setItem("admin_session", user.access_token);
+      }
+      const returnTo =
+        typeof auth.user?.state === "object" &&
+        auth.user?.state !== null &&
+        "returnTo" in auth.user.state &&
+        typeof auth.user.state.returnTo === "string"
+          ? auth.user.state.returnTo
+          : "/";
+      console.info(
+        "[AuthCallbackPage] Auth successful, navigating to",
+        returnTo,
+      );
+      navigate(returnTo, { replace: true });
+    } else if (auth.error) {
+      console.error("[AuthCallbackPage] Auth Error:", auth.error);
+      navigate("/login", { replace: true });
+    }
+  }, [auth.isAuthenticated, auth.error, navigate, auth.user, auth.isLoading]);
+
+  return (
+    <div className="flex min-h-screen items-center justify-center bg-background">
+      <div className="flex flex-col items-center gap-4">
+        <div className="flex h-16 w-16 items-center justify-center rounded-2xl bg-primary/15 text-primary shadow-lg animate-pulse">
+          <ShieldHalf size={32} />
+        </div>
+        <div className="text-lg font-semibold">인증 완료 중...</div>
+        <p className="text-sm text-muted-foreground">
+          세션을 동기화하고 있습니다.
+        </p>
+      </div>
+    </div>
+  );
+}
+
+export default AuthCallbackPage;
--- a/adminfront/src/features/auth/AuthGuard.test.tsx
+++ b/adminfront/src/features/auth/AuthGuard.test.tsx
@@ -0,0 +1,56 @@
+import { render, screen, waitFor } from "@testing-library/react";
+import { MemoryRouter, Route, Routes } from "react-router-dom";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import AuthGuard from "./AuthGuard";
+
+const authState = {
+  activeNavigator: undefined,
+  error: undefined as Error | undefined,
+  isAuthenticated: false,
+  isLoading: false,
+  removeUser: vi.fn(async () => undefined),
+};
+
+vi.mock("react-oidc-context", () => ({
+  useAuth: () => authState,
+}));
+
+function renderAuthGuard(initialEntry = "/users") {
+  return render(
+    <MemoryRouter initialEntries={[initialEntry]}>
+      <Routes>
+        <Route path="/" element={<AuthGuard />}>
+          <Route path="users" element={<div>Users outlet</div>} />
+        </Route>
+        <Route path="/login" element={<div>Login outlet</div>} />
+      </Routes>
+    </MemoryRouter>,
+  );
+}
+
+describe("AuthGuard", () => {
+  beforeEach(() => {
+    (
+      window as Window & typeof globalThis & { _IS_TEST_MODE?: boolean }
+    )._IS_TEST_MODE = false;
+    authState.activeNavigator = undefined;
+    authState.error = undefined;
+    authState.isAuthenticated = false;
+    authState.isLoading = false;
+    authState.removeUser.mockClear();
+    window.localStorage.clear();
+  });
+
+  it("clears stale auth state and returns to login when OIDC reports an error", async () => {
+    window.localStorage.setItem("admin_session", "stale-token");
+    authState.error = new Error("stale session");
+
+    renderAuthGuard();
+
+    await waitFor(() => {
+      expect(authState.removeUser).toHaveBeenCalled();
+    });
+    await screen.findByText("Login outlet");
+    expect(window.localStorage.getItem("admin_session")).toBeNull();
+  });
+});
--- a/adminfront/src/features/auth/AuthGuard.tsx
+++ b/adminfront/src/features/auth/AuthGuard.tsx
@@ -0,0 +1,59 @@
+import { useEffect, useRef } from "react";
+import { useAuth } from "react-oidc-context";
+import { Navigate, Outlet, useLocation, useNavigate } from "react-router-dom";
+import { clearStoredAdminAuthSession } from "../../lib/auth";
+
+export default function AuthGuard() {
+  const auth = useAuth();
+  const location = useLocation();
+  const navigate = useNavigate();
+  const handledAuthErrorRef = useRef(false);
+  const isTest =
+    (window as Window & typeof globalThis & { _IS_TEST_MODE?: boolean })
+      ._IS_TEST_MODE === true;
+
+  useEffect(() => {
+    if (!auth.error || handledAuthErrorRef.current || isTest) {
+      return;
+    }
+
+    handledAuthErrorRef.current = true;
+    clearStoredAdminAuthSession();
+    void Promise.resolve(
+      auth.removeUser ? auth.removeUser() : undefined,
+    ).finally(() => {
+      navigate("/login", { replace: true });
+    });
+  }, [auth, auth.error, isTest, navigate]);
+
+  if (isTest) {
+    return <Outlet />;
+  }
+
+  if (auth.isLoading || auth.activeNavigator) {
+    return <div>Loading...</div>;
+  }
+
+  if (auth.error) {
+    return (
+      <div className="flex min-h-screen flex-col items-center justify-center p-4 text-center">
+        <div className="mb-4 text-destructive">
+          <h2 className="text-xl font-bold">인증 오류</h2>
+          <p>{auth.error.message}</p>
+        </div>
+      </div>
+    );
+  }
+
+  if (!auth.isAuthenticated) {
+    const returnTo = `${location.pathname}${location.search}${location.hash}`;
+    return (
+      <Navigate
+        to={`/login?returnTo=${encodeURIComponent(returnTo)}`}
+        replace
+      />
+    );
+  }
+
+  return <Outlet />;
+}
--- a/adminfront/src/features/auth/AuthPage.test.tsx
+++ b/adminfront/src/features/auth/AuthPage.test.tsx
@@ -0,0 +1,38 @@
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import { render, screen } from "@testing-library/react";
+import { beforeEach, describe, expect, it } from "vitest";
+import { createI18nMock } from "../../test/i18nMock";
+import AuthPage from "./AuthPage";
+
+vi.mock("../../lib/i18n", () => createI18nMock());
+
+function renderPage() {
+  const queryClient = new QueryClient({
+    defaultOptions: {
+      queries: { retry: false },
+      mutations: { retry: false },
+    },
+  });
+
+  return render(
+    <QueryClientProvider client={queryClient}>
+      <AuthPage />
+    </QueryClientProvider>,
+  );
+}
+
+describe("AuthPage", () => {
+  beforeEach(() => {
+    window.localStorage.setItem("locale", "en");
+  });
+
+  it("renders localized auth guard labels in English", () => {
+    renderPage();
+
+    expect(screen.getByText("Auth Guard")).toBeInTheDocument();
+    expect(screen.getByText("ReBAC permission checker")).toBeInTheDocument();
+    expect(
+      screen.getByRole("button", { name: "Check permission" }),
+    ).toBeInTheDocument();
+  });
+});
--- a/adminfront/src/features/auth/AuthPage.tsx
+++ b/adminfront/src/features/auth/AuthPage.tsx
@@ -1,109 +1,22 @@
-import { ArrowRight, Fingerprint, Smartphone, Sparkles } from "lucide-react";
-
-const flows = [
-  {
-    title: "Admin login",
-    description:
-      "Enforce short TTL and step-up MFA. Keep admin session separate from app session.",
-    pill: "15m TTL",
-  },
-  {
-    title: "Tenant pick",
-    description:
-      "Admin chooses target tenant before hitting APIs. Propagate X-Tenant-ID on every call.",
-    pill: "Header-ready",
-  },
-  {
-    title: "Device approval",
-    description:
-      "If app session exists and user opts in, use push/deeplink approval as MFA replacement.",
-    pill: "App session",
-  },
-];
+import { ShieldHalf } from "lucide-react";
+import { PageHeader } from "../../../../common/core/components/page";
+import { t } from "../../lib/i18n";
+import PermissionChecker from "./components/PermissionChecker";

 function AuthPage() {
  return (
-    <div className="space-y-8">
-      <section className="rounded-2xl border border-[var(--color-border)] bg-[var(--color-panel)] p-6 shadow-[var(--shadow-card)]">
-        <div className="flex flex-col gap-4 md:flex-row md:items-center md:justify-between">
-          <div>
-            <p className="text-xs uppercase tracking-[0.2em] text-[var(--color-muted)]">
-              Admin auth
-            </p>
-            <h2 className="text-2xl font-semibold">Admin auth guardrails</h2>
-            <p className="text-sm text-[var(--color-muted)]">
-              Build the admin-only login flow first, keeping app login separate.
-              Respect the “fallback only when user chooses” rule for SMS/email
-              vs app approval.
-            </p>
-          </div>
-          <div className="flex items-center gap-2">
-            <span className="rounded-full border border-[var(--color-border)] px-3 py-2 text-sm text-[var(--color-muted)]">
-              IDP session placeholder
-            </span>
-            <button
-              type="button"
-              className="inline-flex items-center gap-2 rounded-full bg-[var(--color-accent)] px-4 py-2 text-sm font-semibold text-black"
-            >
-              <Sparkles size={14} />
-              Connect auth layer
-            </button>
-          </div>
-        </div>
-      </section>
+    <div className="space-y-6">
+      <PageHeader
+        titleAs="h2"
+        icon={<ShieldHalf size={20} />}
+        title={t("ui.admin.auth_guard.title", "Auth Guard")}
+        description={t(
+          "ui.admin.auth_guard.subtitle",
+          "Verify admin privileges and ReBAC relationships against the policy engine.",
+        )}
+      />

-      <section className="grid gap-4 md:grid-cols-3">
-        {flows.map((flow) => (
-          <div
-            key={flow.title}
-            className="rounded-xl border border-[var(--color-border)] bg-[var(--color-panel)] p-5"
-          >
-            <div className="flex items-center justify-between text-xs uppercase tracking-[0.16em] text-[var(--color-muted)]">
-              <span>{flow.pill}</span>
-              <Fingerprint size={14} />
-            </div>
-            <h3 className="mt-3 text-lg font-semibold">{flow.title}</h3>
-            <p className="text-sm text-[var(--color-muted)]">
-              {flow.description}
-            </p>
-          </div>
-        ))}
-      </section>
-
-      <section className="grid gap-6 md:grid-cols-[1fr,0.9fr]">
-        <div className="rounded-2xl border border-[var(--color-border)] bg-[var(--color-panel)] p-6">
-          <div className="flex items-center gap-2 text-[var(--color-muted)]">
-            <Smartphone size={16} />
-            <span className="text-xs uppercase tracking-[0.18em]">
-              App-based approvals
-            </span>
-          </div>
-          <h3 className="mt-2 text-xl font-semibold">
-            App session as MFA replacement
-          </h3>
-          <p className="text-sm text-[var(--color-muted)]">
-            If the admin keeps the mobile app signed in and opts in, use
-            push/deeplink approval instead of OTP. Otherwise fall back to
-            SMS/email based on user choice.
-          </p>
-        </div>
-        <div className="rounded-2xl border border-[var(--color-border)] bg-[var(--color-panel)] p-6">
-          <div className="flex items-center gap-2 text-[var(--color-muted)]">
-            <ArrowRight size={16} />
-            <span className="text-xs uppercase tracking-[0.18em]">
-              TTL discipline
-            </span>
-          </div>
-          <h3 className="mt-2 text-xl font-semibold">
-            Keep admin sessions short
-          </h3>
-          <p className="text-sm text-[var(--color-muted)]">
-            Default admin TTL is 15 minutes. Show countdown and nudge re-auth
-            with step-up MFA when critical actions (rotate secret, export logs)
-            happen.
-          </p>
-        </div>
-      </section>
+      <PermissionChecker />
    </div>
  );
 }
--- a/adminfront/src/features/auth/LoginPage.test.tsx
+++ b/adminfront/src/features/auth/LoginPage.test.tsx
@@ -0,0 +1,76 @@
+import { render, screen } from "@testing-library/react";
+import userEvent from "@testing-library/user-event";
+import { MemoryRouter } from "react-router-dom";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import LoginPage from "./LoginPage";
+
+const mockSigninRedirect = vi.fn();
+const mockUseAuth = vi.fn();
+
+vi.mock("react-oidc-context", () => ({
+  useAuth: () => mockUseAuth(),
+}));
+
+function renderLoginPage(initialEntry: string) {
+  return render(
+    <MemoryRouter initialEntries={[initialEntry]}>
+      <LoginPage />
+    </MemoryRouter>,
+  );
+}
+
+describe("LoginPage", () => {
+  beforeEach(() => {
+    Object.defineProperty(window, "crypto", {
+      configurable: true,
+      value: {},
+    });
+    Object.defineProperty(window, "isSecureContext", {
+      configurable: true,
+      value: false,
+    });
+    mockSigninRedirect.mockReset();
+    mockUseAuth.mockReturnValue({
+      activeNavigator: undefined,
+      error: undefined,
+      isAuthenticated: false,
+      isLoading: false,
+      signinRedirect: mockSigninRedirect,
+    });
+  });
+
+  it("shows an actionable error instead of starting PKCE when WebCrypto is unavailable", async () => {
+    renderLoginPage("/login?returnTo=%2F");
+
+    await userEvent.click(
+      screen.getByRole("button", { name: /SSO 계정으로 로그인/i }),
+    );
+
+    expect(mockSigninRedirect).not.toHaveBeenCalled();
+    expect(screen.getByRole("alert")).toHaveTextContent(
+      /SSO 로그인을 시작할 수 없습니다/,
+    );
+  });
+
+  it("preserves the returnTo query when starting SSO manually", async () => {
+    Object.defineProperty(window, "crypto", {
+      configurable: true,
+      value: { subtle: {} },
+    });
+    Object.defineProperty(window, "isSecureContext", {
+      configurable: true,
+      value: true,
+    });
+    renderLoginPage("/login?returnTo=%2Fusers%3Fpage%3D2");
+
+    await userEvent.click(
+      screen.getByRole("button", { name: /SSO 계정으로 로그인/i }),
+    );
+
+    expect(mockSigninRedirect).toHaveBeenCalledWith({
+      state: {
+        returnTo: "/users?page=2",
+      },
+    });
+  });
+});
--- a/adminfront/src/features/auth/LoginPage.tsx
+++ b/adminfront/src/features/auth/LoginPage.tsx
@@ -0,0 +1,206 @@
+import { AlertTriangle, ExternalLink, LogIn, ShieldHalf } from "lucide-react";
+import { useEffect, useMemo, useRef, useState } from "react";
+import { useAuth } from "react-oidc-context";
+import { useNavigate, useSearchParams } from "react-router-dom";
+import { Button } from "../../components/ui/button";
+import {
+  Card,
+  CardContent,
+  CardDescription,
+  CardHeader,
+  CardTitle,
+} from "../../components/ui/card";
+import { canStartBrowserPkceLogin } from "../../lib/authConfig";
+import { debugLog } from "../../lib/debugLog";
+
+const insecurePkceMessage =
+  "이 주소에서는 브라우저 보안 정책 때문에 SSO 로그인을 시작할 수 없습니다. HTTPS 또는 localhost로 접속하거나, 내부망/host.docker.internal 개발 접속은 Chrome의 insecure-origin secure context 옵션에 실제 auth UI origin(예: http://host.docker.internal:5000)을 정확히 등록해 주세요.";
+
+function isPkceSetupFailure(error: unknown) {
+  const message = error instanceof Error ? error.message : String(error);
+  return /Crypto\.subtle|WebCrypto|PKCE|secure context|subtle/i.test(message);
+}
+
+function LoginPage() {
+  const auth = useAuth();
+  const navigate = useNavigate();
+  const [searchParams] = useSearchParams();
+  const autoStartedRef = useRef(false);
+  const [loginError, setLoginError] = useState<string | null>(null);
+  const returnTo = searchParams.get("returnTo") || "/";
+  const shouldAutoLogin = searchParams.get("auto") === "1";
+  const authErrorMessage = useMemo(() => {
+    const message = auth.error?.message;
+    if (!message) {
+      return null;
+    }
+    if (message.includes("Crypto.subtle")) {
+      return insecurePkceMessage;
+    }
+    return message;
+  }, [auth.error?.message]);
+  const visibleLoginError = loginError || authErrorMessage;
+
+  useEffect(() => {
+    debugLog("[LoginPage] Auth state check:", {
+      isAuthenticated: auth.isAuthenticated,
+      isLoading: auth.isLoading,
+      returnTo,
+    });
+    if (auth.isAuthenticated) {
+      console.info(
+        "[LoginPage] User is authenticated, redirecting to",
+        returnTo,
+      );
+      navigate(returnTo, { replace: true });
+    }
+  }, [auth.isAuthenticated, navigate, returnTo, auth.isLoading]);
+
+  useEffect(() => {
+    if (!shouldAutoLogin) {
+      return;
+    }
+    if (autoStartedRef.current || auth.isLoading || auth.activeNavigator) {
+      return;
+    }
+    if (!canStartBrowserPkceLogin()) {
+      setLoginError(insecurePkceMessage);
+      return;
+    }
+
+    autoStartedRef.current = true;
+    void auth
+      .signinRedirect({
+        state: {
+          returnTo,
+        },
+      })
+      .catch((error) => {
+        if (isPkceSetupFailure(error)) {
+          setLoginError(insecurePkceMessage);
+          return;
+        }
+        console.error("Auto login redirect failed", error);
+      });
+  }, [auth, auth.activeNavigator, auth.isLoading, returnTo, shouldAutoLogin]);
+
+  const handleSSOLogin = async () => {
+    try {
+      setLoginError(null);
+      if (!canStartBrowserPkceLogin()) {
+        setLoginError(insecurePkceMessage);
+        return;
+      }
+      await auth.signinRedirect({
+        state: {
+          returnTo,
+        },
+      });
+    } catch (error) {
+      if (isPkceSetupFailure(error)) {
+        setLoginError(insecurePkceMessage);
+        return;
+      }
+      console.error("Redirect login failed", error);
+    }
+  };
+
+  return (
+    <div className="flex min-h-screen items-center justify-center bg-background px-4 py-12 sm:px-6 lg:px-8 bg-[radial-gradient(ellipse_at_top,_var(--tw-gradient-stops))] from-primary/10 via-background to-background">
+      <div className="w-full max-w-md space-y-8">
+        <div className="flex flex-col items-center justify-center space-y-4 text-center">
+          <div className="flex h-16 w-16 items-center justify-center rounded-2xl bg-primary/15 text-primary shadow-[0_20px_50px_rgba(54,211,153,0.3)]">
+            <ShieldHalf size={32} />
+          </div>
+          <div className="space-y-2">
+            <h1 className="text-3xl font-bold tracking-tight">Baron SSO</h1>
+            <p className="text-sm text-muted-foreground uppercase tracking-[0.2em]">
+              Admin Control Plane
+            </p>
+          </div>
+        </div>
+
+        {auth.error && (
+          <div className="rounded-lg bg-destructive/15 p-4 text-sm text-destructive border border-destructive/20 animate-in fade-in slide-in-from-top-1">
+            <div className="font-bold flex items-center gap-2 mb-1">
+              <ShieldHalf size={16} />
+              인증 오류가 발생했습니다
+            </div>
+            <p className="opacity-90">{auth.error.message}</p>
+            <Button
+              variant="ghost"
+              className="p-0 h-auto text-destructive underline mt-2 hover:bg-transparent"
+              onClick={() => {
+                void handleSSOLogin();
+              }}
+            >
+              다시 시도하기
+            </Button>
+          </div>
+        )}
+
+        <Card className="border-primary/20 bg-card/50 backdrop-blur-xl shadow-2xl">
+          <CardHeader className="space-y-1">
+            <CardTitle className="text-2xl flex items-center gap-2">
+              <LogIn size={20} className="text-primary" />
+              관리자 로그인
+            </CardTitle>
+            <CardDescription>
+              Baron 통합 인증(SSO)을 통해 관리자 페이지에 접속합니다.
+            </CardDescription>
+          </CardHeader>
+          <CardContent className="pt-4 pb-8 space-y-3">
+            <Button
+              onClick={handleSSOLogin}
+              className="w-full h-14 text-lg font-semibold flex gap-3 shadow-lg"
+              disabled={auth.isLoading}
+            >
+              {auth.isLoading ? (
+                <>
+                  <div className="h-5 w-5 border-2 border-white/30 border-t-white rounded-full animate-spin" />
+                  로그인 진행 중...
+                </>
+              ) : (
+                <>
+                  <ShieldHalf size={22} />
+                  SSO 계정으로 로그인
+                  <ExternalLink size={16} className="opacity-50" />
+                </>
+              )}
+            </Button>
+
+            {visibleLoginError ? (
+              <div
+                role="alert"
+                className="flex gap-2 rounded-md border border-destructive/30 bg-destructive/10 px-3 py-2 text-sm leading-5 text-destructive"
+              >
+                <AlertTriangle className="mt-0.5 h-4 w-4 shrink-0" />
+                <span>{visibleLoginError}</span>
+              </div>
+            ) : null}
+
+            <p className="mt-6 text-xs text-center text-muted-foreground leading-relaxed">
+              관리자 전역 세션은 보안을 위해 15분간 유지됩니다.
+              <br />
+              민감한 작업 시 재인증을 요구할 수 있습니다.
+            </p>
+          </CardContent>
+        </Card>
+
+        <div className="flex justify-center gap-4">
+          <div className="h-1 w-1 rounded-full bg-primary/30" />
+          <div className="h-1 w-1 rounded-full bg-primary/30" />
+          <div className="h-1 w-1 rounded-full bg-primary/30" />
+        </div>
+
+        <p className="px-8 text-center text-sm text-muted-foreground">
+          인증 정보가 없거나 로그인이 되지 않는 경우
+          <br />
+          시스템 관리자에게 문의하세요.
+        </p>
+      </div>
+    </div>
+  );
+}
+
+export default LoginPage;
--- a/adminfront/src/features/auth/components/PermissionChecker.tsx
+++ b/adminfront/src/features/auth/components/PermissionChecker.tsx
@@ -0,0 +1,188 @@
+import { useMutation } from "@tanstack/react-query";
+import { CheckCircle2, XCircle } from "lucide-react";
+import { useState } from "react";
+import { Button } from "../../../components/ui/button";
+import {
+  Card,
+  CardContent,
+  CardDescription,
+  CardHeader,
+  CardTitle,
+} from "../../../components/ui/card";
+import { Input } from "../../../components/ui/input";
+import { Label } from "../../../components/ui/label";
+import apiClient from "../../../lib/apiClient";
+import { t } from "../../../lib/i18n";
+
+type CheckPermissionResponse = {
+  allowed: boolean;
+  query: {
+    namespace: string;
+    object: string;
+    relation: string;
+    subject: string;
+  };
+};
+
+function PermissionChecker() {
+  const [namespace, setNamespace] = useState("Tenant");
+  const [object, setObject] = useState("");
+  const [relation, setRelation] = useState("manage");
+  const [subject, setSubject] = useState("");
+
+  const checkMutation = useMutation({
+    mutationFn: async () => {
+      const { data } = await apiClient.get<CheckPermissionResponse>(
+        "/v1/admin/debug/check-permission",
+        {
+          params: { namespace, object, relation, subject },
+        },
+      );
+      return data;
+    },
+  });
+
+  const result = checkMutation.data;
+
+  return (
+    <Card className="border-primary/20 bg-[var(--color-panel)]">
+      <CardHeader>
+        <CardTitle className="text-lg font-bold">
+          {t("ui.admin.auth_guard.checker.title", "ReBAC permission checker")}
+        </CardTitle>
+        <CardDescription>
+          {t(
+            "ui.admin.auth_guard.checker.description",
+            "Check in real time whether a subject has access to a resource through Ory Keto.",
+          )}
+        </CardDescription>
+      </CardHeader>
+      <CardContent className="space-y-6">
+        <div className="grid gap-4 md:grid-cols-2 lg:grid-cols-4">
+          <div className="space-y-2">
+            <Label>
+              {t("ui.admin.auth_guard.checker.namespace.label", "Namespace")}
+            </Label>
+            <select
+              id="permission-checker-namespace"
+              name="permission-checker-namespace"
+              value={namespace}
+              onChange={(e) => setNamespace(e.target.value)}
+              className="flex h-10 w-full rounded-md border border-input bg-background px-3 py-2 text-sm ring-offset-background focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring focus-visible:ring-offset-2"
+            >
+              <option value="Tenant">
+                {t("ui.admin.auth_guard.checker.namespace.tenant", "Tenant")}
+              </option>
+              <option value="TenantGroup">
+                {t(
+                  "ui.admin.auth_guard.checker.namespace.tenant_group",
+                  "TenantGroup",
+                )}
+              </option>
+              <option value="RelyingParty">
+                {t(
+                  "ui.admin.auth_guard.checker.namespace.relying_party",
+                  "RelyingParty",
+                )}
+              </option>
+              <option value="System">
+                {t("ui.admin.auth_guard.checker.namespace.system", "System")}
+              </option>
+            </select>
+          </div>
+          <div className="space-y-2">
+            <Label>
+              {t("ui.admin.auth_guard.checker.relation", "Relation")}
+            </Label>
+            <Input
+              placeholder={t(
+                "ui.admin.auth_guard.checker.relation_placeholder",
+                "view, manage, admins...",
+              )}
+              value={relation}
+              onChange={(e) => setRelation(e.target.value)}
+            />
+          </div>
+          <div className="space-y-2">
+            <Label>
+              {t("ui.admin.auth_guard.checker.object_id", "Object ID")}
+            </Label>
+            <Input
+              placeholder={t(
+                "ui.admin.auth_guard.checker.object_id_placeholder",
+                "Tenant UUID, etc.",
+              )}
+              value={object}
+              onChange={(e) => setObject(e.target.value)}
+            />
+          </div>
+          <div className="space-y-2">
+            <Label>
+              {t("ui.admin.auth_guard.checker.subject", "Subject (User:ID)")}
+            </Label>
+            <Input
+              placeholder={t(
+                "ui.admin.auth_guard.checker.subject_placeholder",
+                "User:uuid or Namespace:ID#Relation",
+              )}
+              value={subject}
+              onChange={(e) => setSubject(e.target.value)}
+            />
+          </div>
+        </div>
+
+        <div className="flex justify-center">
+          <Button
+            onClick={() => checkMutation.mutate()}
+            disabled={!object || !subject || checkMutation.isPending}
+            className="w-full px-12 md:w-auto"
+          >
+            {checkMutation.isPending
+              ? t("ui.admin.auth_guard.checker.checking", "Checking...")
+              : t("ui.admin.auth_guard.checker.check", "Check permission")}
+          </Button>
+        </div>
+
+        {checkMutation.isSuccess && result && (
+          <div
+            className={`flex flex-col items-center justify-center gap-3 rounded-xl border-2 p-6 animate-in zoom-in duration-300 ${
+              result.allowed
+                ? "border-green-500/50 bg-green-500/10 text-green-600"
+                : "border-destructive/50 bg-destructive/10 text-destructive"
+            }`}
+          >
+            {result.allowed ? (
+              <>
+                <CheckCircle2 size={48} />
+                <div className="text-lg font-bold">
+                  {t("ui.admin.auth_guard.checker.allowed", "Access ALLOWED")}
+                </div>
+                <p className="text-center text-sm opacity-80">
+                  {t(
+                    "ui.admin.auth_guard.checker.allowed_description",
+                    "The subject has access to the requested resource, including inherited permissions.",
+                  )}
+                </p>
+              </>
+            ) : (
+              <>
+                <XCircle size={48} />
+                <div className="text-lg font-bold">
+                  {t("ui.admin.auth_guard.checker.denied", "Access DENIED")}
+                </div>
+                <p className="text-center text-sm opacity-80">
+                  {t(
+                    "ui.admin.auth_guard.checker.denied_description",
+                    "The subject does not have access to the requested resource.",
+                  )}
+                </p>
+              </>
+            )}
+          </div>
+        )}
+      </CardContent>
+    </Card>
+  );
+}
+
+export default PermissionChecker;
--- a/adminfront/src/features/coverage/adminAuditAuth.test.tsx
+++ b/adminfront/src/features/coverage/adminAuditAuth.test.tsx
@@ -0,0 +1,192 @@
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import { render, screen } from "@testing-library/react";
+import type React from "react";
+import { MemoryRouter, Route, Routes } from "react-router-dom";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { createI18nMock } from "../../test/i18nMock";
+import AuditLogsPage from "../audit/AuditLogsPage";
+import AuthCallbackPage from "../auth/AuthCallbackPage";
+import AuthGuard from "../auth/AuthGuard";
+
+const authState = {
+  isAuthenticated: true,
+  isLoading: false,
+  activeNavigator: undefined as string | undefined,
+  error: null as Error | null,
+  user: {
+    access_token: "access-token",
+    state: undefined as unknown,
+  },
+};
+
+vi.mock("react-oidc-context", () => ({
+  useAuth: () => authState,
+}));
+
+vi.mock("../../lib/i18n", () => createI18nMock());
+
+vi.mock("../../../../common/core/components/audit", () => ({
+  AuditLogTable: ({
+    logs,
+  }: {
+    logs: Array<{ user_id: string; event_type: string }>;
+  }) => (
+    <div>
+      {logs.map((log) => (
+        <div key={`${log.user_id}-${log.event_type}`}>
+          <span>{log.user_id}</span>
+          <span>{log.event_type}</span>
+        </div>
+      ))}
+    </div>
+  ),
+}));
+
+vi.mock("../../lib/adminApi", () => ({
+  fetchAuditLogs: vi.fn(async () => ({
+    items: [
+      {
+        event_id: "event-1",
+        timestamp: "2026-05-01T00:00:00Z",
+        user_id: "admin-1",
+        event_type: "USER_UPDATE",
+        status: "success",
+        ip_address: "127.0.0.1",
+        user_agent: "Vitest",
+        details: JSON.stringify({ action: "USER_UPDATE", actor: "Admin" }),
+      },
+      {
+        event_id: "event-2",
+        timestamp: "2026-05-01T01:00:00Z",
+        user_id: "admin-2",
+        event_type: "LOGIN_FAILED",
+        status: "failure",
+        ip_address: "127.0.0.2",
+        user_agent: "Vitest",
+        details: "{}",
+      },
+    ],
+    limit: 50,
+  })),
+}));
+
+function renderWithProviders(ui: React.ReactElement, entry = "/") {
+  const queryClient = new QueryClient({
+    defaultOptions: {
+      queries: { retry: false },
+      mutations: { retry: false },
+    },
+  });
+
+  return render(
+    <QueryClientProvider client={queryClient}>
+      <MemoryRouter initialEntries={[entry]}>{ui}</MemoryRouter>
+    </QueryClientProvider>,
+  );
+}
+
+describe("admin audit and auth coverage smoke", () => {
+  beforeEach(() => {
+    (
+      window as Window & typeof globalThis & { _IS_TEST_MODE?: boolean }
+    )._IS_TEST_MODE = false;
+    authState.isAuthenticated = true;
+    authState.isLoading = false;
+    authState.activeNavigator = undefined;
+    authState.error = null;
+    authState.user = {
+      access_token: "access-token",
+      state: undefined,
+    };
+    window.localStorage.clear();
+  });
+
+  it("renders audit log table with fetched events", async () => {
+    renderWithProviders(<AuditLogsPage />);
+
+    expect(await screen.findByText("감사 로그")).toBeInTheDocument();
+    expect(await screen.findByText("admin-1")).toBeInTheDocument();
+    expect(screen.getByText("USER_UPDATE")).toBeInTheDocument();
+  });
+
+  it("renders AuthGuard loading, error, redirect, test, and outlet states", async () => {
+    authState.isLoading = true;
+    renderWithProviders(
+      <Routes>
+        <Route path="/secure" element={<AuthGuard />}>
+          <Route index element={<div>Secure outlet</div>} />
+        </Route>
+      </Routes>,
+      "/secure",
+    );
+    expect(screen.getByText("Loading...")).toBeInTheDocument();
+
+    authState.isLoading = false;
+    authState.error = new Error("OIDC failed");
+    renderWithProviders(
+      <Routes>
+        <Route path="/secure" element={<AuthGuard />}>
+          <Route index element={<div>Secure outlet</div>} />
+        </Route>
+      </Routes>,
+      "/secure",
+    );
+    expect(screen.getByText("인증 오류")).toBeInTheDocument();
+
+    authState.error = null;
+    authState.isAuthenticated = false;
+    renderWithProviders(
+      <Routes>
+        <Route path="/secure" element={<AuthGuard />}>
+          <Route index element={<div>Secure outlet</div>} />
+        </Route>
+        <Route path="/login" element={<div>Login outlet</div>} />
+      </Routes>,
+      "/secure?x=1",
+    );
+    expect(screen.getByText("Login outlet")).toBeInTheDocument();
+
+    (
+      window as Window & typeof globalThis & { _IS_TEST_MODE?: boolean }
+    )._IS_TEST_MODE = true;
+    renderWithProviders(
+      <Routes>
+        <Route path="/secure" element={<AuthGuard />}>
+          <Route index element={<div>Secure outlet</div>} />
+        </Route>
+      </Routes>,
+      "/secure",
+    );
+    expect(screen.getByText("Secure outlet")).toBeInTheDocument();
+  });
+
+  it("stores callback token and navigates by auth result", async () => {
+    authState.isAuthenticated = true;
+    authState.user = {
+      access_token: "callback-token",
+      state: { returnTo: "/users" },
+    };
+
+    renderWithProviders(
+      <Routes>
+        <Route path="/auth/callback" element={<AuthCallbackPage />} />
+        <Route path="/users" element={<div>Users outlet</div>} />
+        <Route path="/login" element={<div>Login outlet</div>} />
+      </Routes>,
+      "/auth/callback",
+    );
+    expect(await screen.findByText("Users outlet")).toBeInTheDocument();
+    expect(window.localStorage.getItem("admin_session")).toBe("callback-token");
+
+    authState.isAuthenticated = false;
+    authState.error = new Error("callback failed");
+    renderWithProviders(
+      <Routes>
+        <Route path="/auth/callback" element={<AuthCallbackPage />} />
+        <Route path="/login" element={<div>Login outlet</div>} />
+      </Routes>,
+      "/auth/callback",
+    );
+    expect(await screen.findByText("Login outlet")).toBeInTheDocument();
+  });
+});
--- a/adminfront/src/features/coverage/adminLargePages.test.tsx
+++ b/adminfront/src/features/coverage/adminLargePages.test.tsx
@@ -0,0 +1,506 @@
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import {
+  cleanup,
+  fireEvent,
+  render,
+  screen,
+  waitFor,
+} from "@testing-library/react";
+import type React from "react";
+import { MemoryRouter, Route, Routes } from "react-router-dom";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { createI18nMock } from "../../test/i18nMock";
+import * as adminApi from "../../lib/adminApi";
+import { TenantWorksmobilePage } from "../tenants/routes/TenantWorksmobilePage";
+import TenantListPage from "../tenants/routes/TenantListPage";
+import UserCreatePage from "../users/UserCreatePage";
+import UserDetailPage from "../users/UserDetailPage";
+
+const tenantItems = [
+  {
+    id: "tenant-root",
+    type: "COMPANY_GROUP",
+    name: "한맥 가족",
+    slug: "hanmac-family",
+    description: "root",
+    status: "active",
+    memberCount: 0,
+    createdAt: "2026-05-01T00:00:00Z",
+    updatedAt: "2026-05-01T00:00:00Z",
+  },
+  {
+    id: "tenant-company",
+    type: "COMPANY",
+    parentId: "tenant-root",
+    name: "GPDTDC",
+    slug: "gpdtdc",
+    description: "company",
+    status: "active",
+    memberCount: 2,
+    config: {
+      userSchema: [
+        {
+          key: "employee_id",
+          label: "사번",
+          type: "text",
+          required: false,
+        },
+      ],
+    },
+    createdAt: "2026-05-01T00:00:00Z",
+    updatedAt: "2026-05-01T00:00:00Z",
+  },
+  {
+    id: "tenant-leaf",
+    type: "ORGANIZATION",
+    parentId: "tenant-company",
+    name: "기술연구팀",
+    slug: "gpdtdc-rnd",
+    description: "leaf",
+    status: "active",
+    memberCount: 1,
+    createdAt: "2026-05-01T00:00:00Z",
+    updatedAt: "2026-05-01T00:00:00Z",
+  },
+];
+
+const userDetail = {
+  id: "user-1",
+  email: "engineer@example.com",
+  name: "Engineer User",
+  phone: "010-0000-0000",
+  role: "user",
+  status: "active",
+  tenantSlug: "gpdtdc-rnd",
+  tenantId: "tenant-leaf",
+  department: "기술연구팀",
+  grade: "책임",
+  position: "팀장",
+  jobTitle: "Backend",
+  metadata: {
+    employee_id: "EMP001",
+    sub_email: ["engineer.sub@example.com"],
+  },
+  tenant: tenantItems[2],
+  appointments: [
+    {
+      tenantId: "tenant-leaf",
+      tenantSlug: "gpdtdc-rnd",
+      tenantName: "기술연구팀",
+      isPrimary: true,
+      isOwner: false,
+      isAdmin: false,
+      isManager: true,
+      department: "기술연구팀",
+      grade: "책임",
+      position: "팀장",
+      jobTitle: "Backend",
+      metadata: { employee_id: "EMP001" },
+    },
+  ],
+  createdAt: "2026-05-01T00:00:00Z",
+  updatedAt: "2026-05-02T00:00:00Z",
+};
+
+vi.mock("../../lib/i18n", () => createI18nMock());
+
+vi.mock("../../components/auth/RoleGuard", () => ({
+  RoleGuard: ({ children }: { children: React.ReactNode }) => <>{children}</>,
+}));
+
+vi.mock("../../lib/adminApi", () => ({
+  fetchMe: vi.fn(async () => ({
+    id: "admin-1",
+    role: "super_admin",
+    name: "Admin User",
+    email: "admin@example.com",
+  })),
+  fetchAllTenants: vi.fn(async () => ({
+    items: tenantItems,
+    total: tenantItems.length,
+  })),
+  fetchTenants: vi.fn(async () => ({
+    items: tenantItems,
+    limit: 500,
+    offset: 0,
+    total: tenantItems.length,
+    nextCursor: null,
+  })),
+  fetchTenant: vi.fn(async (id: string) => {
+    return tenantItems.find((tenant) => tenant.id === id) ?? tenantItems[1];
+  }),
+  createUser: vi.fn(async () => ({
+    id: "created-user",
+    email: "created@example.com",
+    generatedPassword: "GeneratedPassword!1",
+  })),
+  fetchUser: vi.fn(async () => userDetail),
+  fetchUserRpHistory: vi.fn(async () => [
+    {
+      client_id: "orgfront",
+      client_name: "OrgFront",
+      last_login_at: "2026-05-01T00:00:00Z",
+      login_count: 3,
+    },
+  ]),
+  fetchGlobalCustomClaimDefinitions: vi.fn(async () => ({ items: [] })),
+  fetchPasswordPolicy: vi.fn(async () => ({
+    minLength: 12,
+    lowercase: true,
+    uppercase: true,
+    number: true,
+    nonAlphanumeric: true,
+    minCharacterTypes: 3,
+  })),
+  updateUser: vi.fn(async () => userDetail),
+  deleteUser: vi.fn(async () => undefined),
+  updateTenant: vi.fn(async () => tenantItems[1]),
+  deleteTenantsBulk: vi.fn(async () => ({ deleted: 1 })),
+  exportTenantsCSV: vi.fn(async () => new Blob(["name,slug\nGPDTDC,gpdtdc"])),
+  importTenantsCSV: vi.fn(async () => ({
+    created: 1,
+    updated: 0,
+    failed: 0,
+    errors: [],
+  })),
+  fetchWorksmobileOverview: vi.fn(async () => ({
+    tenant: tenantItems[1],
+    config: {
+      enabled: true,
+      tokenConfigured: true,
+      adminTenantId: "works-admin",
+      domainMappings: { "example.com": 1001 },
+    },
+    recentJobs: [
+      {
+        id: "job-1",
+        resourceType: "USER",
+        resourceId: "user-1",
+        action: "SYNC",
+        status: "failed",
+        retryCount: 1,
+        lastError: "temporary failure",
+        createdAt: "2026-05-01T00:00:00Z",
+        updatedAt: "2026-05-01T00:10:00Z",
+      },
+    ],
+  })),
+  fetchWorksmobileComparison: vi.fn(async () => ({
+    users: [
+      {
+        resourceType: "USER",
+        baronId: "user-1",
+        baronName: "Engineer User",
+        baronEmail: "engineer@example.com",
+        baronPrimaryOrgId: "tenant-leaf",
+        baronPrimaryOrgName: "기술연구팀",
+        worksmobileId: "works-user-1",
+        worksmobileName: "Engineer User",
+        worksmobileEmail: "engineer@example.com",
+        worksmobileDomainId: 1001,
+        worksmobilePrimaryOrgId: "works-org-1",
+        worksmobilePrimaryOrgName: "기술연구팀",
+        status: "matched",
+      },
+      {
+        resourceType: "USER",
+        baronId: "user-2",
+        baronName: "New User",
+        baronEmail: "new@example.com",
+        worksmobileJobStatus: "failed",
+        worksmobileJobRetryCount: 2,
+        worksmobileLastError: "worksmobile api failed",
+        status: "missing_in_worksmobile",
+      },
+      {
+        resourceType: "USER",
+        baronId: "user-3",
+        baronName: "Next User",
+        baronEmail: "next@example.com",
+        status: "missing_in_worksmobile",
+      },
+    ],
+    groups: [
+      {
+        resourceType: "ORG_UNIT",
+        baronId: "tenant-leaf",
+        baronSlug: "gpdtdc-rnd",
+        baronName: "기술연구팀",
+        worksmobileId: "works-org-1",
+        worksmobileName: "기술연구팀",
+        status: "needs_update",
+      },
+    ],
+  })),
+  fetchWorksmobileCredentialBatches: vi.fn(async () => [
+    {
+      batchId: "credential-batch-1",
+      operation: "worksmobile_user_sync",
+      userCount: 1,
+      processedCount: 1,
+      failedCount: 1,
+      hasPasswords: true,
+      failures: [
+        {
+          userId: "failed-user",
+          email: "failed-user@samaneng.com",
+          status: "failed",
+          retryCount: 2,
+          lastError: "worksmobile api failed",
+          updatedAt: "2026-06-01T04:05:00Z",
+        },
+      ],
+      createdAt: "2026-06-01T04:00:00Z",
+      updatedAt: "2026-06-01T04:00:00Z",
+    },
+    {
+      batchId: "credential-batch-pending",
+      operation: "worksmobile_user_sync",
+      userCount: 2,
+      pendingCount: 1,
+      processingCount: 1,
+      processedCount: 0,
+      failedCount: 0,
+      hasPasswords: true,
+      createdAt: "2026-06-01T04:10:00Z",
+      updatedAt: "2026-06-01T04:10:00Z",
+    },
+  ]),
+  enqueueWorksmobileBackfillDryRun: vi.fn(async () => ({ id: "job-dry" })),
+  retryWorksmobileJob: vi.fn(async () => ({ id: "job-retry" })),
+  downloadWorksmobileInitialPasswordsCSV: vi.fn(async () => ({
+    blob: new Blob(["id"]),
+    filename: "worksmobile_initial_passwords.csv",
+  })),
+  enqueueWorksmobileOrgUnitSync: vi.fn(async () => ({ id: "job-org" })),
+  enqueueWorksmobileOrgUnitDelete: vi.fn(async () => ({ id: "job-delete" })),
+  enqueueWorksmobileUserSync: vi.fn(async () => ({ id: "job-user" })),
+  resetWorksmobileUserPassword: vi.fn(async () => ({ id: "job-reset" })),
+  deleteWorksmobileCredentialBatchPasswords: vi.fn(async () => ({
+    batchId: "credential-batch-1",
+    userCount: 1,
+    hasPasswords: false,
+  })),
+}));
+
+function renderWithProviders(ui: React.ReactElement, entry = "/") {
+  const queryClient = new QueryClient({
+    defaultOptions: {
+      queries: { retry: false },
+      mutations: { retry: false },
+    },
+  });
+
+  return render(
+    <QueryClientProvider client={queryClient}>
+      <MemoryRouter initialEntries={[entry]}>{ui}</MemoryRouter>
+    </QueryClientProvider>,
+  );
+}
+
+describe("adminfront large page coverage smoke", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    if (typeof window !== "undefined") {
+      (window as any)._IS_TEST_MODE = true;
+    }
+  });
+
+  it("renders user creation form with tenant context", async () => {
+    renderWithProviders(
+      <Routes>
+        <Route path="/users/new" element={<UserCreatePage />} />
+      </Routes>,
+      "/users/new?tenantSlug=gpdtdc-rnd",
+    );
+
+    expect(await screen.findByText("사용자 추가")).toBeInTheDocument();
+    expect(screen.getByLabelText("이메일")).toBeInTheDocument();
+  });
+
+  it("renders user detail form and RP history", async () => {
+    renderWithProviders(
+      <Routes>
+        <Route path="/users/:id" element={<UserDetailPage />} />
+      </Routes>,
+      "/users/user-1",
+    );
+
+    expect(await screen.findByDisplayValue("Engineer User")).toBeInTheDocument();
+    expect(screen.getAllByText("기술연구팀").length).toBeGreaterThan(0);
+    expect(screen.getByDisplayValue("engineer@example.com")).toBeInTheDocument();
+  });
+
+  it("renders tenant list hierarchy", async () => {
+    renderWithProviders(
+      <Routes>
+        <Route path="/tenants" element={<TenantListPage />} />
+      </Routes>,
+      "/tenants",
+    );
+
+    expect(await screen.findByText("GPDTDC")).toBeInTheDocument();
+    expect(screen.getByText("기술연구팀")).toBeInTheDocument();
+  });
+
+  it("renders worksmobile comparison screens", async () => {
+    cleanup();
+    renderWithProviders(
+      <Routes>
+        <Route
+          path="/tenants/:tenantId/worksmobile"
+          element={<TenantWorksmobilePage />}
+        />
+      </Routes>,
+      "/tenants/tenant-company/worksmobile",
+    );
+
+    expect(await screen.findByText("Worksmobile 연동")).toBeInTheDocument();
+    expect(await screen.findByText("Baron / Works 비교")).toBeInTheDocument();
+    expect(
+      await screen.findByText("최근 실패: worksmobile api failed"),
+    ).toBeInTheDocument();
+    expect(screen.getByText("Backfill Dry-run")).toBeInTheDocument();
+    expect(screen.queryByRole("button", { name: "초기 비밀번호 CSV" })).toBeNull();
+  });
+
+  it("does not automatically download the selected Worksmobile user credential batch after create enqueue", async () => {
+    vi.spyOn(window.URL, "createObjectURL").mockReturnValue("blob:test");
+    vi.spyOn(window.URL, "revokeObjectURL").mockImplementation(() => {});
+    renderWithProviders(
+      <Routes>
+        <Route
+          path="/tenants/:tenantId/worksmobile"
+          element={<TenantWorksmobilePage />}
+        />
+      </Routes>,
+      "/tenants/tenant-company/worksmobile",
+    );
+
+    await screen.findByText("New User");
+    fireEvent.click(screen.getByRole("checkbox", { name: "New User 선택" }));
+    fireEvent.click(
+      screen.getByRole("button", { name: "선택 구성원 WORKS에 생성" }),
+    );
+    fireEvent.change(screen.getByLabelText("초기 비밀번호"), {
+      target: { value: "InitialPassword!1" },
+    });
+    fireEvent.click(screen.getByRole("button", { name: "생성 작업 등록" }));
+
+    await waitFor(() =>
+      expect(adminApi.enqueueWorksmobileUserSync).toHaveBeenCalledWith(
+        "tenant-company",
+        "user-2",
+        undefined,
+        "InitialPassword!1",
+      ),
+    );
+    expect(adminApi.downloadWorksmobileInitialPasswordsCSV).not.toHaveBeenCalled();
+  });
+
+  it("continues selected Worksmobile user create enqueue after one row fails", async () => {
+    vi.mocked(adminApi.enqueueWorksmobileUserSync)
+      .mockRejectedValueOnce(new Error("sync failed"))
+      .mockResolvedValueOnce({ id: "job-user-3" } as never);
+    vi.spyOn(window.URL, "createObjectURL").mockReturnValue("blob:test");
+    vi.spyOn(window.URL, "revokeObjectURL").mockImplementation(() => {});
+    renderWithProviders(
+      <Routes>
+        <Route
+          path="/tenants/:tenantId/worksmobile"
+          element={<TenantWorksmobilePage />}
+        />
+      </Routes>,
+      "/tenants/tenant-company/worksmobile",
+    );
+
+    await screen.findByText("New User");
+    fireEvent.click(screen.getByRole("checkbox", { name: "New User 선택" }));
+    fireEvent.click(screen.getByRole("checkbox", { name: "Next User 선택" }));
+    fireEvent.click(
+      screen.getByRole("button", { name: "선택 구성원 WORKS에 생성" }),
+    );
+    fireEvent.change(screen.getByLabelText("초기 비밀번호"), {
+      target: { value: "InitialPassword!1" },
+    });
+    fireEvent.click(screen.getByRole("button", { name: "생성 작업 등록" }));
+
+    await waitFor(() =>
+      expect(adminApi.enqueueWorksmobileUserSync).toHaveBeenCalledTimes(2),
+    );
+    expect(adminApi.enqueueWorksmobileUserSync).toHaveBeenNthCalledWith(
+      1,
+      "tenant-company",
+      "user-2",
+      undefined,
+      "InitialPassword!1",
+    );
+    expect(adminApi.enqueueWorksmobileUserSync).toHaveBeenNthCalledWith(
+      2,
+      "tenant-company",
+      "user-3",
+      undefined,
+      "InitialPassword!1",
+    );
+    expect(adminApi.downloadWorksmobileInitialPasswordsCSV).not.toHaveBeenCalled();
+  });
+
+  it("renders and retries Worksmobile jobs from history", async () => {
+    renderWithProviders(
+      <Routes>
+        <Route
+          path="/tenants/:tenantId/worksmobile"
+          element={<TenantWorksmobilePage />}
+        />
+      </Routes>,
+      "/tenants/tenant-company/worksmobile",
+    );
+
+    fireEvent.click(screen.getByRole("tab", { name: "이력" }));
+    expect((await screen.findAllByText("user-1")).length).toBeGreaterThan(0);
+    expect(screen.getByText("failed")).toBeInTheDocument();
+
+    fireEvent.click(screen.getAllByRole("button", { name: "" })[0]);
+    await waitFor(() =>
+      expect(adminApi.retryWorksmobileJob).toHaveBeenCalledWith(
+        "tenant-company",
+        "job-1",
+      ),
+    );
+  });
+
+  it("opens Worksmobile password management for matched users", async () => {
+    const openSpy = vi.spyOn(window, "open").mockReturnValue(null);
+    renderWithProviders(
+      <Routes>
+        <Route
+          path="/tenants/:tenantId/worksmobile"
+          element={<TenantWorksmobilePage />}
+        />
+      </Routes>,
+      "/tenants/tenant-company/worksmobile",
+    );
+
+    await screen.findByText("Worksmobile 연동");
+    fireEvent.click(screen.getAllByRole("button", { name: "양쪽 다 있음" })[0]);
+    await screen.findAllByText("Engineer User");
+    fireEvent.click(
+      screen.getByRole("button", {
+        name: "Engineer User 비밀번호 관리",
+      }),
+    );
+
+    expect(openSpy).toHaveBeenCalledWith(
+      expect.stringContaining(
+        "https://auth.worksmobile.com/integrate/password/manage",
+      ),
+      "_blank",
+      "noopener,noreferrer",
+    );
+    const [url] = openSpy.mock.calls[0] ?? [];
+    const parsed = new URL(String(url));
+    expect(parsed.searchParams.get("targetUserTenantId")).toBe("works-admin");
+    expect(parsed.searchParams.get("targetUserDomainId")).toBe("1001");
+    expect(parsed.searchParams.get("targetUserIdNo")).toBe("works-user-1");
+  });
+});
--- a/adminfront/src/features/coverage/adminPageAnimationPolicy.test.ts
+++ b/adminfront/src/features/coverage/adminPageAnimationPolicy.test.ts
@@ -0,0 +1,33 @@
+import { readdirSync, readFileSync, statSync } from "node:fs";
+import { join } from "node:path";
+import { describe, expect, it } from "vitest";
+
+function listSourceFiles(directory: string): string[] {
+  const entries = readdirSync(directory);
+  const files: string[] = [];
+  for (const entry of entries) {
+    const path = join(directory, entry);
+    const stat = statSync(path);
+    if (stat.isDirectory()) {
+      files.push(...listSourceFiles(path));
+      continue;
+    }
+    if (path.endsWith(".tsx")) {
+      files.push(path);
+    }
+  }
+  return files;
+}
+
+describe("admin page animation policy", () => {
+  it("does not use long enter fade animations on stable page containers", () => {
+    const sourceRoot = join(process.cwd(), "src");
+    const offenders = listSourceFiles(sourceRoot).filter((file) =>
+      readFileSync(file, "utf8").includes("animate-in fade-in duration-500"),
+    );
+
+    expect(offenders.map((file) => file.replace(`${sourceRoot}/`, ""))).toEqual(
+      [],
+    );
+  });
+});
--- a/adminfront/src/features/coverage/adminTenantDetailPages.test.tsx
+++ b/adminfront/src/features/coverage/adminTenantDetailPages.test.tsx
@@ -0,0 +1,129 @@
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import { render, screen } from "@testing-library/react";
+import type React from "react";
+import { MemoryRouter, Route, Routes } from "react-router-dom";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { createI18nMock } from "../../test/i18nMock";
+import TenantCreatePage from "../tenants/routes/TenantCreatePage";
+import { TenantProfilePage } from "../tenants/routes/TenantProfilePage";
+import { TenantSchemaPage } from "../tenants/routes/TenantSchemaPage";
+
+const tenants = [
+  {
+    id: "tenant-root",
+    type: "COMPANY_GROUP",
+    name: "한맥 가족",
+    slug: "hanmac-family",
+    description: "",
+    status: "active",
+    memberCount: 0,
+    domains: ["hmac.kr"],
+    config: { visibility: "public" },
+    createdAt: "2026-05-01T00:00:00Z",
+    updatedAt: "2026-05-01T00:00:00Z",
+  },
+  {
+    id: "tenant-company",
+    type: "COMPANY",
+    parentId: "tenant-root",
+    name: "GPDTDC",
+    slug: "gpdtdc",
+    description: "실 조직",
+    status: "active",
+    memberCount: 2,
+    domains: ["gpdtdc.example.com"],
+    config: {
+      visibility: "public",
+      userSchema: [
+        {
+          key: "employee_id",
+          label: "사번",
+          type: "text",
+          required: false,
+          adminOnly: false,
+          isLoginId: true,
+          indexed: true,
+        },
+      ],
+    },
+    createdAt: "2026-05-01T00:00:00Z",
+    updatedAt: "2026-05-01T00:00:00Z",
+  },
+];
+
+vi.mock("../../lib/i18n", () => createI18nMock());
+
+vi.mock("../../lib/adminApi", () => ({
+  fetchMe: vi.fn(async () => ({
+    id: "admin-1",
+    role: "super_admin",
+  })),
+  fetchAllTenants: vi.fn(async () => ({
+    items: tenants,
+    total: tenants.length,
+  })),
+  fetchTenant: vi.fn(async (id: string) => {
+    return tenants.find((tenant) => tenant.id === id) ?? tenants[1];
+  }),
+  createTenant: vi.fn(async () => tenants[1]),
+  updateTenant: vi.fn(async () => tenants[1]),
+  deleteTenant: vi.fn(async () => undefined),
+  approveTenant: vi.fn(async () => tenants[1]),
+}));
+
+function renderWithProviders(ui: React.ReactElement, entry: string) {
+  const queryClient = new QueryClient({
+    defaultOptions: {
+      queries: { retry: false },
+      mutations: { retry: false },
+    },
+  });
+
+  return render(
+    <QueryClientProvider client={queryClient}>
+      <MemoryRouter initialEntries={[entry]}>{ui}</MemoryRouter>
+    </QueryClientProvider>,
+  );
+}
+
+describe("admin tenant detail page coverage smoke", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    vi.spyOn(window, "confirm").mockReturnValue(true);
+  });
+
+  it("renders tenant create page with parent context", async () => {
+    renderWithProviders(
+      <Routes>
+        <Route path="/tenants/new" element={<TenantCreatePage />} />
+      </Routes>,
+      "/tenants/new?parentId=tenant-root",
+    );
+
+    expect(await screen.findByText("테넌트 생성")).toBeInTheDocument();
+    expect(screen.getByText("Tenant Profile")).toBeInTheDocument();
+    expect(screen.getByText("정책 메모")).toBeInTheDocument();
+  });
+
+  it("renders tenant profile and schema management pages", async () => {
+    renderWithProviders(
+      <Routes>
+        <Route
+          path="/tenants/:tenantId"
+          element={
+            <>
+              <TenantProfilePage />
+              <TenantSchemaPage />
+            </>
+          }
+        />
+      </Routes>,
+      "/tenants/tenant-company",
+    );
+
+    expect(await screen.findByDisplayValue("GPDTDC")).toBeInTheDocument();
+    expect(screen.getByDisplayValue("gpdtdc")).toBeInTheDocument();
+    expect(await screen.findByText("사용자 스키마 확장")).toBeInTheDocument();
+    expect(screen.getByDisplayValue("employee_id")).toBeInTheDocument();
+  });
+});
--- a/adminfront/src/features/coverage/adminTenantGroupsPage.test.tsx
+++ b/adminfront/src/features/coverage/adminTenantGroupsPage.test.tsx
@@ -0,0 +1,117 @@
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import { render, screen } from "@testing-library/react";
+import type React from "react";
+import { MemoryRouter, Route, Routes } from "react-router-dom";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { createI18nMock } from "../../test/i18nMock";
+import TenantGroupsPage from "../tenants/routes/TenantGroupsPage";
+
+const tenant = {
+  id: "tenant-company",
+  type: "COMPANY",
+  name: "GPDTDC",
+  slug: "gpdtdc",
+  description: "",
+  status: "active",
+  memberCount: 2,
+  createdAt: "2026-05-01T00:00:00Z",
+  updatedAt: "2026-05-01T00:00:00Z",
+};
+
+const members = [
+  {
+    id: "user-1",
+    name: "Member User",
+    email: "member@example.com",
+  },
+];
+
+vi.mock("../../lib/i18n", () => createI18nMock());
+
+vi.mock("../../lib/adminApi", () => ({
+  fetchMe: vi.fn(async () => ({ id: "admin-user", role: "super_admin" })),
+  fetchTenant: vi.fn(async () => tenant),
+  fetchUsers: vi.fn(async () => ({
+    items: [
+      {
+        id: "user-1",
+        name: "Member User",
+        email: "member@example.com",
+        role: "user",
+        status: "active",
+      },
+      {
+        id: "user-2",
+        name: "Candidate User",
+        email: "candidate@example.com",
+        role: "user",
+        status: "active",
+      },
+    ],
+    total: 2,
+  })),
+  fetchGroups: vi.fn(async () => [
+    {
+      id: "group-root",
+      tenantId: "tenant-company",
+      name: "연구소",
+      description: "root group",
+      members,
+      createdAt: "2026-05-01T00:00:00Z",
+      updatedAt: "2026-05-01T00:00:00Z",
+    },
+    {
+      id: "group-child",
+      tenantId: "tenant-company",
+      parentId: "group-root",
+      name: "플랫폼팀",
+      description: "child group",
+      members: [],
+      createdAt: "2026-05-01T00:00:00Z",
+      updatedAt: "2026-05-01T00:00:00Z",
+    },
+  ]),
+  createGroup: vi.fn(async () => undefined),
+  deleteGroup: vi.fn(async () => undefined),
+  addGroupMember: vi.fn(async () => undefined),
+  removeGroupMember: vi.fn(async () => undefined),
+}));
+
+function renderWithProviders(ui: React.ReactElement, entry: string) {
+  const queryClient = new QueryClient({
+    defaultOptions: {
+      queries: { retry: false },
+      mutations: { retry: false },
+    },
+  });
+
+  return render(
+    <QueryClientProvider client={queryClient}>
+      <MemoryRouter initialEntries={[entry]}>{ui}</MemoryRouter>
+    </QueryClientProvider>,
+  );
+}
+
+describe("TenantGroupsPage coverage smoke", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    vi.spyOn(window, "confirm").mockReturnValue(true);
+  });
+
+  it("renders group hierarchy and selected group members", async () => {
+    renderWithProviders(
+      <Routes>
+        <Route
+          path="/tenants/:tenantId/groups"
+          element={<TenantGroupsPage />}
+        />
+      </Routes>,
+      "/tenants/tenant-company/groups",
+    );
+
+    expect((await screen.findAllByText("연구소")).length).toBeGreaterThan(0);
+    expect(screen.getAllByText("플랫폼팀").length).toBeGreaterThan(0);
+    expect(screen.getByText("새 그룹 생성")).toBeInTheDocument();
+    expect(screen.getByText("조직 단위 레벨")).toBeInTheDocument();
+  });
+});
--- a/adminfront/src/features/coverage/adminTenantTabs.test.tsx
+++ b/adminfront/src/features/coverage/adminTenantTabs.test.tsx
@@ -0,0 +1,276 @@
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import { fireEvent, render, screen, waitFor } from "@testing-library/react";
+import type React from "react";
+import { MemoryRouter, Route, Routes } from "react-router-dom";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { createI18nMock } from "../../test/i18nMock";
+import { TenantAdminsAndOwnersTab } from "../tenants/routes/TenantAdminsAndOwnersTab";
+import { TenantFineGrainedPermissionsTab } from "../tenants/routes/TenantFineGrainedPermissionsTab";
+import TenantUserGroupsTab from "../user-groups/routes/TenantUserGroupsTab";
+
+const exportUsersCSVMock = vi.hoisted(() =>
+  vi.fn(async () => ({
+    blob: new Blob(["email,name\nmember@example.com,Member User\n"], {
+      type: "text/csv",
+    }),
+    filename: "users_export_20260609.csv",
+  })),
+);
+const bulkUpdateUsersMock = vi.hoisted(() => vi.fn(async () => ({ results: [] })));
+
+const tenants = [
+  {
+    id: "tenant-root",
+    type: "COMPANY_GROUP",
+    name: "한맥 가족",
+    slug: "hanmac-family",
+    description: "",
+    status: "active",
+    memberCount: 0,
+    createdAt: "2026-05-01T00:00:00Z",
+    updatedAt: "2026-05-01T00:00:00Z",
+  },
+  {
+    id: "tenant-company",
+    type: "COMPANY",
+    parentId: "tenant-root",
+    name: "GPDTDC",
+    slug: "gpdtdc",
+    description: "",
+    status: "active",
+    memberCount: 2,
+    createdAt: "2026-05-01T00:00:00Z",
+    updatedAt: "2026-05-01T00:00:00Z",
+  },
+  {
+    id: "tenant-leaf",
+    type: "ORGANIZATION",
+    parentId: "tenant-company",
+    name: "기술연구팀",
+    slug: "gpdtdc-rnd",
+    description: "",
+    status: "active",
+    memberCount: 1,
+    createdAt: "2026-05-01T00:00:00Z",
+    updatedAt: "2026-05-01T00:00:00Z",
+  },
+];
+
+const users = [
+  {
+    id: "user-owner",
+    name: "Owner User",
+    email: "owner@example.com",
+    role: "super_admin",
+    status: "active",
+  },
+  {
+    id: "user-admin",
+    name: "Admin User",
+    email: "admin@example.com",
+    role: "tenant_admin",
+    status: "active",
+  },
+  {
+    id: "user-member",
+    name: "Member User",
+    email: "member@example.com",
+    role: "user",
+    status: "active",
+    tenantSlug: "gpdtdc-rnd",
+    tenant: tenants[2],
+  },
+];
+
+vi.mock("../../lib/i18n", () => createI18nMock());
+
+vi.mock("react-oidc-context", () => ({
+  useAuth: () => ({
+    user: {
+      profile: {
+        sub: "admin-1",
+      },
+    },
+  }),
+}));
+
+vi.mock("../../lib/adminApi", () => ({
+  fetchMe: vi.fn(async () => users[0]),
+  fetchTenant: vi.fn(async (tenantId) => ({
+    id: tenantId,
+    name: "Test Tenant",
+    slug: "test-tenant",
+    userPermissions: { view: true, manage: true, manage_admins: true },
+  })),
+  fetchTenantOwners: vi.fn(async () => [users[0]]),
+  fetchTenantAdmins: vi.fn(async () => [users[1]]),
+  addTenantOwner: vi.fn(async () => undefined),
+  addTenantAdmin: vi.fn(async () => undefined),
+  removeTenantOwner: vi.fn(async () => undefined),
+  removeTenantAdmin: vi.fn(async () => undefined),
+  fetchTenantRelations: vi.fn(async () => [
+    {
+      userId: "user-relation-1",
+      name: "Relation User",
+      email: "relation@example.com",
+      relations: ["profile_managers", "schema_viewers"],
+    },
+  ]),
+  addTenantRelation: vi.fn(async () => undefined),
+  removeTenantRelation: vi.fn(async () => undefined),
+  fetchUsers: vi.fn(async () => ({
+    items: users,
+    total: users.length,
+  })),
+  fetchAllTenants: vi.fn(async () => ({
+    items: tenants,
+    total: tenants.length,
+  })),
+  updateTenant: vi.fn(async () => tenants[2]),
+  updateUser: vi.fn(async () => users[2]),
+  bulkUpdateUsers: bulkUpdateUsersMock,
+  exportTenantsCSV: vi.fn(async () => ({
+    blob: new Blob(["name,slug"]),
+    filename: "tenants.csv",
+  })),
+  exportUsersCSV: exportUsersCSVMock,
+}));
+
+function renderWithProviders(ui: React.ReactElement, entry: string) {
+  const queryClient = new QueryClient({
+    defaultOptions: {
+      queries: { retry: false },
+      mutations: { retry: false },
+    },
+  });
+
+  return render(
+    <QueryClientProvider client={queryClient}>
+      <MemoryRouter initialEntries={[entry]}>{ui}</MemoryRouter>
+    </QueryClientProvider>,
+  );
+}
+
+describe("admin tenant tab coverage smoke", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    vi.spyOn(window, "confirm").mockReturnValue(true);
+    vi.spyOn(window.URL, "createObjectURL").mockReturnValue(
+      "blob:tenant-users-export",
+    );
+    vi.spyOn(window.URL, "revokeObjectURL").mockImplementation(() => {});
+  });
+
+  it("renders tenant owners and admins lists", async () => {
+    renderWithProviders(
+      <Routes>
+        <Route
+          path="/tenants/:tenantId/permissions"
+          element={<TenantAdminsAndOwnersTab />}
+        />
+      </Routes>,
+      "/tenants/tenant-company/permissions",
+    );
+
+    expect(await screen.findByText("Owner User")).toBeInTheDocument();
+    expect(screen.getByText("Admin User")).toBeInTheDocument();
+    expect(screen.getByText("owner@example.com")).toBeInTheDocument();
+    expect(screen.getByText("admin@example.com")).toBeInTheDocument();
+  });
+
+  it("renders tenant fine-grained relations list", async () => {
+    renderWithProviders(
+      <Routes>
+        <Route
+          path="/tenants/:tenantId/relations"
+          element={<TenantFineGrainedPermissionsTab />}
+        />
+      </Routes>,
+      "/tenants/tenant-company/relations",
+    );
+
+    expect(await screen.findByText("Relation User")).toBeInTheDocument();
+    expect(screen.getByText("relation@example.com")).toBeInTheDocument();
+    expect(screen.getByText("세부 권한 설정 (Fine-grained Permissions)")).toBeInTheDocument();
+  });
+
+  it("renders tenant hierarchy and selected organization members", async () => {
+    renderWithProviders(
+      <Routes>
+        <Route
+          path="/tenants/:tenantId/organization"
+          element={<TenantUserGroupsTab />}
+        />
+      </Routes>,
+      "/tenants/tenant-company/organization",
+    );
+
+    expect((await screen.findAllByText("GPDTDC")).length).toBeGreaterThan(0);
+    expect(screen.getAllByText("기술연구팀").length).toBeGreaterThan(0);
+    expect(await screen.findByText("Member User")).toBeInTheDocument();
+  });
+
+  it("exports selected organization users by tenant slug", async () => {
+    renderWithProviders(
+      <Routes>
+        <Route
+          path="/tenants/:tenantId/organization"
+          element={<TenantUserGroupsTab />}
+        />
+      </Routes>,
+      "/tenants/tenant-company/organization",
+    );
+
+    expect(await screen.findByText("Member User")).toBeInTheDocument();
+
+    fireEvent.click(screen.getByTestId("tenant-current-users-export-btn"));
+
+    await waitFor(() => {
+      expect(exportUsersCSVMock).toHaveBeenCalledWith("", "gpdtdc", false);
+    });
+  });
+
+  it("queues searched users and bulk adds them to the selected organization", async () => {
+    renderWithProviders(
+      <Routes>
+        <Route
+          path="/tenants/:tenantId/organization"
+          element={<TenantUserGroupsTab />}
+        />
+      </Routes>,
+      "/tenants/tenant-company/organization",
+    );
+
+    expect(await screen.findByText("Member User")).toBeInTheDocument();
+
+    fireEvent.click(screen.getByRole("button", { name: /멤버 추가/ }));
+    fireEvent.change(screen.getByTestId("tenant-org-member-search-input"), {
+      target: { value: "user" },
+    });
+    fireEvent.click(screen.getByTestId("tenant-org-member-search-btn"));
+
+    fireEvent.click(
+      await screen.findByTestId("tenant-org-member-search-result-user-owner"),
+    );
+    fireEvent.click(
+      await screen.findByTestId("tenant-org-member-search-result-user-admin"),
+    );
+
+    expect(screen.getByTestId("tenant-org-member-add-queue")).toHaveTextContent(
+      "Owner User",
+    );
+    expect(screen.getByTestId("tenant-org-member-add-queue")).toHaveTextContent(
+      "Admin User",
+    );
+
+    fireEvent.click(screen.getByTestId("tenant-org-member-add-submit-btn"));
+
+    await waitFor(() => {
+      expect(bulkUpdateUsersMock).toHaveBeenCalledWith({
+        userIds: ["user-owner", "user-admin"],
+        tenantSlug: "gpdtdc",
+        isAddTenant: true,
+      });
+    });
+  });
+});
--- a/adminfront/src/features/dashboard/DashboardPage.tsx
+++ b/adminfront/src/features/dashboard/DashboardPage.tsx
@@ -1,243 +0,0 @@
-import {
-  Activity,
-  ArrowRight,
-  Building2,
-  CheckCircle2,
-  LineChart,
-  Radio,
-  ShieldCheck,
-  Sparkles,
-} from "lucide-react";
-
-const guardHighlights = [
-  {
-    title: "Tenant isolation",
-    body: "All admin calls expect X-Tenant-ID and are prepared for tenant-aware headers.",
-    metric: "Header guard",
-    accent: "active",
-  },
-  {
-    title: "Admin TTL",
-    body: "Session budget kept short for admins. App session vs admin session split is explicit.",
-    metric: "15m default",
-    accent: "ttl",
-  },
-  {
-    title: "Audit-first",
-    body: "Every management action should log to ClickHouse. Hooks in place for later wiring.",
-    metric: "per-action",
-    accent: "audit",
-  },
-];
-
-const stackReadiness = [
-  "React 19 + Vite 7, strict TS, Router v6 data router.",
-  "TanStack Query 5 provider ready with sane defaults.",
-  "Axios client stub with bearer + tenant header injector.",
-  "Tailwind v4 tokens tuned for admin dark plane.",
-  "React Hook Form + Zod planned for client forms.",
-  "IdP-neutral auth hook point reserved for role guard.",
-];
-
-const nextSteps = [
-  "Add IdP-neutral OIDC/OAuth auth layer and enforce admin role in RequireAuth.",
-  "Persist tenant picklist and feed X-Tenant-ID for every admin call.",
-  "Add shadcn/ui primitives for forms and tables; lock lint/format.",
-];
-
-function DashboardPage() {
-  return (
-    <div className="space-y-10">
-      <section className="relative overflow-hidden rounded-2xl border border-[var(--color-border)] bg-[var(--color-panel)] p-7 shadow-[var(--shadow-card)]">
-        <div className="pointer-events-none absolute inset-0 bg-[radial-gradient(circle_at_24%_20%,rgba(54,211,153,0.14),transparent_32%)]" />
-        <div className="relative flex flex-col gap-6 md:flex-row md:items-center md:justify-between">
-          <div className="space-y-3 max-w-2xl">
-            <div className="inline-flex items-center gap-2 rounded-full border border-[var(--color-border)] px-3 py-1 text-xs uppercase tracking-[0.2em] text-[var(--color-muted)]">
-              <Sparkles size={14} />
-              adminfront ready
-            </div>
-            <h2 className="text-3xl font-semibold leading-tight">
-              Build the admin plane with{" "}
-              <span className="text-[var(--color-accent)]">tenant-aware</span>{" "}
-              defaults and{" "}
-              <span className="text-[var(--color-accent-strong)]">
-                least privilege
-              </span>{" "}
-              UX.
-            </h2>
-            <p className="text-[var(--color-muted)]">
-              Route, query, and styling scaffolds are in place. Use this canvas
-              to ship RP registry, audit exploration, and guarded login aligned
-              with issue #60 while keeping providers swappable.
-            </p>
-            <div className="flex flex-wrap gap-3 text-sm">
-              <span className="rounded-full bg-[rgba(54,211,153,0.16)] px-3 py-2 text-[var(--color-accent)]">
-                Router + Query wired
-              </span>
-              <span className="rounded-full border border-[var(--color-border)] px-3 py-2 text-[var(--color-muted)]">
-                Admin namespace only
-              </span>
-              <span className="rounded-full bg-[rgba(249,168,38,0.16)] px-3 py-2 font-semibold text-[var(--color-accent-strong)]">
-                Auth hook pending
-              </span>
-            </div>
-          </div>
-          <div className="grid gap-3 text-sm">
-            <div className="flex items-center gap-2 rounded-xl border border-[var(--color-border)] bg-[rgba(255,255,255,0.02)] px-4 py-3 text-[var(--color-muted)]">
-              <ShieldCheck size={16} />
-              Admin guard scoped to /admin
-            </div>
-            <div className="flex items-center gap-2 rounded-xl border border-[var(--color-border)] bg-[rgba(255,255,255,0.02)] px-4 py-3 text-[var(--color-muted)]">
-              <Building2 size={16} />
-              Tenant selection placeholder ready
-            </div>
-            <div className="flex items-center gap-2 rounded-xl border border-[var(--color-border)] bg-[rgba(255,255,255,0.02)] px-4 py-3 text-[var(--color-muted)]">
-              <Radio size={16} />
-              Audit stream hook for ClickHouse
-            </div>
-          </div>
-        </div>
-      </section>
-
-      <section className="grid gap-4 md:grid-cols-3">
-        {guardHighlights.map((item) => (
-          <div
-            key={item.title}
-            className="relative overflow-hidden rounded-xl border border-[var(--color-border)] bg-[var(--color-panel)] p-5 transition hover:-translate-y-1 hover:shadow-[0_16px_48px_rgba(7,15,26,0.4)]"
-          >
-            <div className="absolute inset-0 bg-[radial-gradient(circle_at_25%_25%,rgba(54,211,153,0.12),transparent_45%)]" />
-            <div className="relative flex items-center justify-between gap-2">
-              <div className="text-xs uppercase tracking-[0.2em] text-[var(--color-muted)]">
-                {item.metric}
-              </div>
-              <span className="rounded-full border border-[var(--color-border)] px-3 py-1 text-[11px] text-[var(--color-muted)]">
-                {item.accent}
-              </span>
-            </div>
-            <div className="relative mt-3 space-y-2">
-              <h3 className="text-lg font-semibold">{item.title}</h3>
-              <p className="text-sm text-[var(--color-muted)]">{item.body}</p>
-            </div>
-          </div>
-        ))}
-      </section>
-
-      <section className="grid gap-6 md:grid-cols-[1.2fr,0.8fr]">
-        <div className="rounded-2xl border border-[var(--color-border)] bg-[var(--color-panel)] p-6">
-          <div className="flex items-center justify-between gap-3">
-            <div>
-              <p className="text-xs uppercase tracking-[0.2em] text-[var(--color-muted)]">
-                Stack readiness
-              </p>
-              <h3 className="text-xl font-semibold">Matches issue #60</h3>
-            </div>
-            <button
-              type="button"
-              className="inline-flex items-center gap-2 rounded-full border border-[var(--color-border)] px-3 py-2 text-sm text-[var(--color-muted)] transition hover:border-[var(--color-accent)] hover:text-[var(--color-accent)]"
-            >
-              Setup notes
-              <ArrowRight size={14} />
-            </button>
-          </div>
-          <div className="mt-4 grid gap-3 md:grid-cols-2">
-            {stackReadiness.map((item) => (
-              <div
-                key={item}
-                className="flex items-center gap-3 rounded-xl border border-[var(--color-border)] bg-[rgba(255,255,255,0.02)] px-4 py-3"
-              >
-                <CheckCircle2
-                  size={16}
-                  className="text-[var(--color-accent)]"
-                />
-                <p className="text-sm">{item}</p>
-              </div>
-            ))}
-          </div>
-        </div>
-
-        <div className="rounded-2xl border border-[var(--color-border)] bg-[var(--color-panel)] p-6">
-          <p className="text-xs uppercase tracking-[0.2em] text-[var(--color-muted)]">
-            Next actions
-          </p>
-          <h3 className="mt-2 text-xl font-semibold">
-            Ship the first guarded flows
-          </h3>
-          <div className="mt-4 space-y-3">
-            {nextSteps.map((item, idx) => (
-              <div
-                key={item}
-                className="flex gap-3 rounded-xl border border-[var(--color-border)] bg-[rgba(255,255,255,0.02)] px-4 py-3"
-              >
-                <div className="grid h-8 w-8 place-items-center rounded-full bg-[rgba(249,168,38,0.12)] text-sm font-semibold text-[var(--color-accent-strong)]">
-                  {idx + 1}
-                </div>
-                <p className="text-sm text-[var(--color-text)]">{item}</p>
-              </div>
-            ))}
-          </div>
-        </div>
-      </section>
-
-      <section className="rounded-2xl border border-[var(--color-border)] bg-[var(--color-panel)] p-6">
-        <div className="flex flex-col gap-2 md:flex-row md:items-center md:justify-between">
-          <div>
-            <p className="text-xs uppercase tracking-[0.2em] text-[var(--color-muted)]">
-              Ops board
-            </p>
-            <h3 className="text-xl font-semibold">What to prototype next</h3>
-          </div>
-          <div className="flex items-center gap-2 text-sm text-[var(--color-muted)]">
-            <span className="rounded-full border border-[var(--color-border)] px-3 py-2">
-              Audit → ClickHouse
-            </span>
-            <span className="rounded-full border border-[var(--color-border)] px-3 py-2">
-              RP registry
-            </span>
-          </div>
-        </div>
-        <div className="mt-4 grid gap-4 md:grid-cols-3">
-          <div className="rounded-xl border border-[var(--color-border)] bg-[rgba(255,255,255,0.02)] p-4">
-            <div className="flex items-center gap-2 text-[var(--color-muted)]">
-              <LineChart size={16} />
-              <span className="text-xs uppercase tracking-[0.16em]">
-                Metrics
-              </span>
-            </div>
-            <h4 className="mt-2 text-lg font-semibold">
-              RP registration funnel
-            </h4>
-            <p className="text-sm text-[var(--color-muted)]">
-              Visualize create → secret rotate → redirect URI edits per tenant.
-            </p>
-          </div>
-          <div className="rounded-xl border border-[var(--color-border)] bg-[rgba(255,255,255,0.02)] p-4">
-            <div className="flex items-center gap-2 text-[var(--color-muted)]">
-              <Activity size={16} />
-              <span className="text-xs uppercase tracking-[0.16em]">Audit</span>
-            </div>
-            <h4 className="mt-2 text-lg font-semibold">Admin action stream</h4>
-            <p className="text-sm text-[var(--color-muted)]">
-              Live feed of admin API calls with per-action tenant, actor, and
-              rate-limit outcome.
-            </p>
-          </div>
-          <div className="rounded-xl border border-[var(--color-border)] bg-[rgba(255,255,255,0.02)] p-4">
-            <div className="flex items-center gap-2 text-[var(--color-muted)]">
-              <ShieldCheck size={16} />
-              <span className="text-xs uppercase tracking-[0.16em]">
-                Access
-              </span>
-            </div>
-            <h4 className="mt-2 text-lg font-semibold">Admin login journey</h4>
-            <p className="text-sm text-[var(--color-muted)]">
-              Outline SMS + app-based MFA choice and emphasize “admin session”
-              TTL with logout.
-            </p>
-          </div>
-        </div>
-      </section>
-    </div>
-  );
-}
-
-export default DashboardPage;
--- a/adminfront/src/features/integrity/DataIntegrityPage.test.tsx
+++ b/adminfront/src/features/integrity/DataIntegrityPage.test.tsx
@@ -0,0 +1,197 @@
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import { fireEvent, render, screen, waitFor } from "@testing-library/react";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import {
+  deleteOrphanUserLoginIDs,
+  fetchDataIntegrityReport,
+  fetchMe,
+  fetchOrphanUserLoginIDs,
+} from "../../lib/adminApi";
+import { expectNoAnonymousFormFields } from "../../test/formFieldDiagnostics";
+import { createI18nMock } from "../../test/i18nMock";
+import DataIntegrityPage from "./DataIntegrityPage";
+
+vi.mock("../../lib/i18n", () => createI18nMock());
+
+let currentRole = "super_admin";
+
+const integrityReport = {
+  status: "fail",
+  checkedAt: "2026-05-14T00:00:00Z",
+  summary: {
+    totalChecks: 2,
+    passed: 1,
+    warnings: 0,
+    failures: 1,
+  },
+  sections: [
+    {
+      key: "tenant_integrity",
+      label: "테넌트 정합성",
+      status: "fail",
+      checks: [
+        {
+          key: "duplicate_tenant_slugs",
+          label: "중복 테넌트 slug",
+          description: "active tenant slug의 대소문자 무시 중복을 검사합니다.",
+          status: "fail",
+          severity: "error",
+          count: 1,
+        },
+      ],
+    },
+  ],
+};
+
+vi.mock("../../lib/adminApi", () => ({
+  fetchMe: vi.fn(async () => ({ role: currentRole })),
+  fetchDataIntegrityReport: vi.fn(async () => integrityReport),
+  fetchOrphanUserLoginIDs: vi.fn(async () => ({
+    items: [
+      {
+        id: "login-id-1",
+        userId: "user-1",
+        userEmail: "missing@example.com",
+        tenantId: "tenant-1",
+        tenantSlug: "deleted-tenant",
+        fieldKey: "emp_id",
+        loginId: "EMP001",
+        reasons: ["deleted_tenant"],
+      },
+    ],
+    total: 1,
+  })),
+  deleteOrphanUserLoginIDs: vi.fn(async () => ({
+    deletedCount: 1,
+    deleted: [
+      {
+        id: "login-id-1",
+        userId: "user-1",
+        tenantId: "tenant-1",
+        fieldKey: "emp_id",
+        loginId: "EMP001",
+        reasons: ["deleted_tenant"],
+      },
+    ],
+    skippedIds: [],
+  })),
+}));
+
+function renderPage() {
+  const queryClient = new QueryClient({
+    defaultOptions: {
+      queries: { retry: false },
+      mutations: { retry: false },
+    },
+  });
+
+  return render(
+    <QueryClientProvider client={queryClient}>
+      <DataIntegrityPage />
+    </QueryClientProvider>,
+  );
+}
+
+describe("DataIntegrityPage", () => {
+  beforeEach(() => {
+    currentRole = "super_admin";
+    vi.clearAllMocks();
+    vi.spyOn(window, "confirm").mockReturnValue(true);
+    window.localStorage.setItem("locale", "ko");
+  });
+
+  it("renders integrity report for super_admin", async () => {
+    renderPage();
+
+    expect(await screen.findByText("데이터 정합성 검증")).toBeInTheDocument();
+    expect(
+      await screen.findByText(
+        "정합성 상태를 확인하고 데이터 모델 전반의 검증 결과를 살펴봅니다.",
+      ),
+    ).toBeInTheDocument();
+    expect(await screen.findByText("테넌트 정합성")).toBeInTheDocument();
+    expect(screen.getByText("중복 테넌트 slug")).toBeInTheDocument();
+    expect(screen.getAllByText("1").length).toBeGreaterThan(0);
+    expect(fetchDataIntegrityReport).toHaveBeenCalledTimes(1);
+  });
+
+  it("shows orphan login ID targets and deletes selected rows", async () => {
+    vi.spyOn(window, "confirm").mockReturnValue(true);
+    const { container } = renderPage();
+
+    expect(await screen.findByText("유령 로그인 ID 정리")).toBeInTheDocument();
+    expect(await screen.findByText("EMP001")).toBeInTheDocument();
+    expect(screen.getByText("삭제된 테넌트")).toBeInTheDocument();
+    expectNoAnonymousFormFields(container);
+    expect(fetchOrphanUserLoginIDs).toHaveBeenCalledTimes(1);
+
+    fireEvent.click(screen.getByRole("checkbox", { name: "EMP001 선택" }));
+    fireEvent.click(screen.getByRole("button", { name: "선택 삭제" }));
+
+    await waitFor(() => {
+      expect(deleteOrphanUserLoginIDs).toHaveBeenCalled();
+    });
+    expect(vi.mocked(deleteOrphanUserLoginIDs).mock.calls[0][0]).toEqual([
+      "login-id-1",
+    ]);
+  });
+
+  it("disables recheck button and shows manual recheck progress", async () => {
+    let finishRecheck: (value: typeof integrityReport) => void = () => {};
+    const pendingRecheck = new Promise<typeof integrityReport>((resolve) => {
+      finishRecheck = resolve;
+    });
+
+    renderPage();
+
+    expect(await screen.findByText("중복 테넌트 slug")).toBeInTheDocument();
+    vi.mocked(fetchDataIntegrityReport).mockImplementationOnce(
+      () => pendingRecheck,
+    );
+
+    fireEvent.click(screen.getByRole("button", { name: "다시 검사" }));
+
+    expect(screen.getByRole("button", { name: "검사 중" })).toBeDisabled();
+    expect(
+      screen.getByText("정합성 검사를 실행 중입니다."),
+    ).toBeInTheDocument();
+
+    finishRecheck(integrityReport);
+
+    await waitFor(() => {
+      expect(screen.getByRole("button", { name: "다시 검사" })).toBeEnabled();
+    });
+    expect(screen.getByText("검사가 완료되었습니다.")).toBeInTheDocument();
+  });
+
+  it("blocks non-super admins", async () => {
+    currentRole = "tenant_admin";
+
+    renderPage();
+
+    expect(await screen.findByText("접근 권한이 없습니다")).toBeInTheDocument();
+    expect(fetchMe).toHaveBeenCalled();
+    expect(fetchDataIntegrityReport).not.toHaveBeenCalled();
+  });
+
+  it("renders localized integrity labels in English", async () => {
+    window.localStorage.setItem("locale", "en");
+    renderPage();
+
+    expect(await screen.findByText("Data Integrity Check")).toBeInTheDocument();
+    expect(
+      await screen.findByText(
+        "Review integrity status and inspect checks across the admin data model.",
+      ),
+    ).toBeInTheDocument();
+    expect(await screen.findByText("Tenant integrity")).toBeInTheDocument();
+    expect(
+      await screen.findByText("Duplicate tenant slug"),
+    ).toBeInTheDocument();
+    expect(
+      await screen.findByText(
+        "Checks duplicate active tenant slugs using LOWER(TRIM(slug)).",
+      ),
+    ).toBeInTheDocument();
+  });
+});
--- a/adminfront/src/features/integrity/DataIntegrityPage.tsx
+++ b/adminfront/src/features/integrity/DataIntegrityPage.tsx
@@ -0,0 +1,595 @@
+import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
+import {
+  AlertTriangle,
+  CheckCircle2,
+  Database,
+  ShieldAlert,
+} from "lucide-react";
+import { useState } from "react";
+import { RoleGuard } from "../../components/auth/RoleGuard";
+import { Badge } from "../../components/ui/badge";
+import { Button } from "../../components/ui/button";
+import {
+  type DataIntegrityCheck,
+  type DataIntegrityStatus,
+  deleteOrphanUserLoginIDs,
+  fetchDataIntegrityReport,
+  fetchOrphanUserLoginIDs,
+  type OrphanUserLoginID,
+} from "../../lib/adminApi";
+import { t } from "../../lib/i18n";
+import { getAdminDateLocale } from "../../lib/locale";
+
+function statusLabel(status: DataIntegrityStatus) {
+  switch (status) {
+    case "pass":
+      return t("ui.admin.integrity.status.pass", "정상");
+    case "warning":
+      return t("ui.admin.integrity.status.warning", "주의");
+    case "fail":
+      return t("ui.admin.integrity.status.fail", "실패");
+    default:
+      return status;
+  }
+}
+
+function statusBadgeVariant(status: DataIntegrityStatus) {
+  switch (status) {
+    case "pass":
+      return "success";
+    case "warning":
+      return "warning";
+    default:
+      return "warning";
+  }
+}
+
+function formatDateTime(value?: string) {
+  if (!value) return "-";
+  const date = new Date(value);
+  if (Number.isNaN(date.getTime())) return value;
+  return new Intl.DateTimeFormat(getAdminDateLocale(), {
+    dateStyle: "medium",
+    timeStyle: "medium",
+  }).format(date);
+}
+
+function CheckIcon({ check }: { check: DataIntegrityCheck }) {
+  if (check.status === "pass") {
+    return <CheckCircle2 className="text-emerald-600" size={18} />;
+  }
+  if (check.status === "warning") {
+    return <AlertTriangle className="text-amber-600" size={18} />;
+  }
+  return <ShieldAlert className="text-destructive" size={18} />;
+}
+
+function reasonLabel(reason: string) {
+  switch (reason) {
+    case "missing_user":
+      return t("ui.admin.integrity.reason.missing_user", "사용자 없음");
+    case "deleted_user":
+      return t("ui.admin.integrity.reason.deleted_user", "삭제된 사용자");
+    case "missing_tenant":
+      return t("ui.admin.integrity.reason.missing_tenant", "테넌트 없음");
+    case "deleted_tenant":
+      return t("ui.admin.integrity.reason.deleted_tenant", "삭제된 테넌트");
+    default:
+      return reason;
+  }
+}
+
+function integritySectionLabel(key: string, fallback: string) {
+  switch (key) {
+    case "tenant_integrity":
+      return t("ui.admin.integrity.section.tenant_integrity", fallback);
+    case "user_integrity":
+      return t("ui.admin.integrity.section.user_integrity", fallback);
+    default:
+      return fallback;
+  }
+}
+
+function integritySectionDescription(key: string) {
+  switch (key) {
+    case "tenant_integrity":
+      return t(
+        "msg.admin.integrity.section.tenant_integrity.description",
+        "테넌트 slug 중복과 부모 관계 이상을 확인합니다.",
+      );
+    case "user_integrity":
+      return t(
+        "msg.admin.integrity.section.user_integrity.description",
+        "사용자와 로그인 ID 참조의 고아 레코드를 확인합니다.",
+      );
+    default:
+      return "";
+  }
+}
+
+function integrityCheckLabel(key: string, fallback: string) {
+  switch (key) {
+    case "duplicate_tenant_slugs":
+      return t(
+        "ui.admin.integrity.check.duplicate_tenant_slugs.title",
+        fallback,
+      );
+    case "orphan_tenant_parents":
+      return t(
+        "ui.admin.integrity.check.orphan_tenant_parents.title",
+        fallback,
+      );
+    case "orphan_user_tenant_memberships":
+      return t(
+        "ui.admin.integrity.check.orphan_user_tenant_memberships.title",
+        fallback,
+      );
+    case "orphan_user_login_id_tenants":
+      return t(
+        "ui.admin.integrity.check.orphan_user_login_id_tenants.title",
+        fallback,
+      );
+    case "orphan_user_login_id_users":
+      return t(
+        "ui.admin.integrity.check.orphan_user_login_id_users.title",
+        fallback,
+      );
+    default:
+      return fallback;
+  }
+}
+
+function integrityCheckDescription(key: string, fallback: string) {
+  switch (key) {
+    case "duplicate_tenant_slugs":
+      return t(
+        "msg.admin.integrity.check.duplicate_tenant_slugs.description",
+        fallback,
+      );
+    case "orphan_tenant_parents":
+      return t(
+        "msg.admin.integrity.check.orphan_tenant_parents.description",
+        fallback,
+      );
+    case "orphan_user_tenant_memberships":
+      return t(
+        "msg.admin.integrity.check.orphan_user_tenant_memberships.description",
+        fallback,
+      );
+    case "orphan_user_login_id_tenants":
+      return t(
+        "msg.admin.integrity.check.orphan_user_login_id_tenants.description",
+        fallback,
+      );
+    case "orphan_user_login_id_users":
+      return t(
+        "msg.admin.integrity.check.orphan_user_login_id_users.description",
+        fallback,
+      );
+    default:
+      return fallback;
+  }
+}
+
+function recheckStatusText(status: "idle" | "running" | "success" | "error") {
+  switch (status) {
+    case "running":
+      return t(
+        "msg.admin.integrity.recheck.running",
+        "정합성 검사를 실행 중입니다.",
+      );
+    case "success":
+      return t("msg.admin.integrity.recheck.success", "검사가 완료되었습니다.");
+    case "error":
+      return t("msg.admin.integrity.recheck.error", "검사에 실패했습니다.");
+    default:
+      return "";
+  }
+}
+
+function OrphanLoginIDTable({
+  items,
+  selectedIds,
+  onToggle,
+}: {
+  items: OrphanUserLoginID[];
+  selectedIds: string[];
+  onToggle: (id: string) => void;
+}) {
+  if (items.length === 0) {
+    return (
+      <div className="rounded border border-border/60 px-3 py-6 text-center text-sm text-muted-foreground">
+        {t(
+          "msg.admin.integrity.orphan_login_ids.empty",
+          "삭제할 유령 로그인 ID가 없습니다.",
+        )}
+      </div>
+    );
+  }
+
+  const selectedSet = new Set(selectedIds);
+  return (
+    <div className="overflow-x-auto rounded border border-border/60">
+      <table className="w-full min-w-[760px] text-sm">
+        <thead className="bg-muted/50 text-left text-muted-foreground">
+          <tr>
+            <th className="w-12 px-3 py-2">
+              {t("ui.admin.integrity.table.select", "선택")}
+            </th>
+            <th className="px-3 py-2">
+              {t("ui.admin.integrity.table.login_id", "Login ID")}
+            </th>
+            <th className="px-3 py-2">
+              {t("ui.admin.integrity.table.field", "Field")}
+            </th>
+            <th className="px-3 py-2">
+              {t("ui.admin.integrity.table.user", "User")}
+            </th>
+            <th className="px-3 py-2">
+              {t("ui.admin.integrity.table.tenant", "Tenant")}
+            </th>
+            <th className="px-3 py-2">
+              {t("ui.admin.integrity.table.reason", "사유")}
+            </th>
+          </tr>
+        </thead>
+        <tbody className="divide-y divide-border">
+          {items.map((item) => (
+            <tr key={item.id}>
+              <td className="px-3 py-2">
+                <input
+                  name={`orphan-login-id-select-${item.id}`}
+                  type="checkbox"
+                  aria-label={t(
+                    "ui.admin.integrity.table.select_item",
+                    "{{loginId}} 선택",
+                    { loginId: item.loginId },
+                  )}
+                  checked={selectedSet.has(item.id)}
+                  onChange={() => onToggle(item.id)}
+                  className="h-4 w-4 rounded border-input"
+                />
+              </td>
+              <td className="px-3 py-2 font-medium">{item.loginId}</td>
+              <td className="px-3 py-2 text-muted-foreground">
+                {item.fieldKey}
+              </td>
+              <td className="px-3 py-2">
+                <div>{item.userEmail || "-"}</div>
+                <div className="text-xs text-muted-foreground">
+                  {item.userId}
+                </div>
+              </td>
+              <td className="px-3 py-2">
+                <div>{item.tenantSlug || "-"}</div>
+                <div className="text-xs text-muted-foreground">
+                  {item.tenantId}
+                </div>
+              </td>
+              <td className="px-3 py-2">
+                <div className="flex flex-wrap gap-1">
+                  {item.reasons.map((reason) => (
+                    <Badge key={reason} variant="warning">
+                      {reasonLabel(reason)}
+                    </Badge>
+                  ))}
+                </div>
+              </td>
+            </tr>
+          ))}
+        </tbody>
+      </table>
+    </div>
+  );
+}
+
+function DataIntegrityContent() {
+  const queryClient = useQueryClient();
+  const [selectedOrphanIds, setSelectedOrphanIds] = useState<string[]>([]);
+  const [recheckStatus, setRecheckStatus] = useState<
+    "idle" | "running" | "success" | "error"
+  >("idle");
+  const { data, isLoading, isError, error, refetch, isFetching } = useQuery({
+    queryKey: ["data-integrity-report"],
+    queryFn: fetchDataIntegrityReport,
+  });
+  const orphanLoginIDsQuery = useQuery({
+    queryKey: ["orphan-user-login-ids"],
+    queryFn: fetchOrphanUserLoginIDs,
+  });
+  const deleteMutation = useMutation({
+    mutationFn: deleteOrphanUserLoginIDs,
+    onSuccess: async () => {
+      setSelectedOrphanIds([]);
+      await Promise.all([
+        queryClient.invalidateQueries({ queryKey: ["data-integrity-report"] }),
+        queryClient.invalidateQueries({ queryKey: ["orphan-user-login-ids"] }),
+      ]);
+    },
+  });
+
+  const orphanItems = orphanLoginIDsQuery.data?.items ?? [];
+  const toggleOrphanID = (id: string) => {
+    setSelectedOrphanIds((current) =>
+      current.includes(id)
+        ? current.filter((selectedID) => selectedID !== id)
+        : [...current, id],
+    );
+  };
+  const handleDeleteSelected = () => {
+    if (selectedOrphanIds.length === 0) {
+      return;
+    }
+    const confirmed = window.confirm(
+      t(
+        "msg.admin.integrity.orphan_login_ids.delete_confirm",
+        "선택한 {{count}}개의 유령 로그인 ID를 삭제하시겠습니까?",
+        { count: selectedOrphanIds.length },
+      ),
+    );
+    if (confirmed) {
+      deleteMutation.mutate(selectedOrphanIds);
+    }
+  };
+  const isManualRechecking = recheckStatus === "running";
+  const handleRecheck = async () => {
+    if (isManualRechecking) {
+      return;
+    }
+    setRecheckStatus("running");
+    const result = await refetch();
+    setRecheckStatus(result.isError ? "error" : "success");
+  };
+  const recheckMessage = recheckStatusText(recheckStatus);
+
+  return (
+    <main className="space-y-6">
+      <header className="flex flex-shrink-0 flex-wrap items-start justify-between gap-4 sticky top-[-2.5rem] z-20 -mt-4 bg-background/95 pb-2 pt-4 backdrop-blur">
+        <div className="flex min-w-0 items-start gap-3">
+          <div className="mt-1 flex h-10 w-10 shrink-0 items-center justify-center rounded-xl border border-primary/15 bg-primary/10 text-primary">
+            <Database size={20} />
+          </div>
+          <div className="space-y-2">
+            <h2 className="text-3xl font-semibold">
+              {t("ui.admin.integrity.title", "데이터 정합성 검증")}
+            </h2>
+            <p className="text-sm text-muted-foreground">
+              {t(
+                "msg.admin.integrity.subtitle",
+                "Review integrity status and inspect checks across the admin data model.",
+              )}
+            </p>
+          </div>
+        </div>
+        <div className="flex flex-col items-end gap-1">
+          <Button
+            type="button"
+            variant="outline"
+            onClick={handleRecheck}
+            disabled={isLoading || isFetching || isManualRechecking}
+          >
+            <Database size={16} />
+            {isManualRechecking
+              ? t("ui.admin.integrity.recheck.running", "검사 중")
+              : t("ui.admin.integrity.recheck.run", "다시 검사")}
+          </Button>
+          {recheckMessage ? (
+            <output
+              aria-live="polite"
+              className="text-xs text-muted-foreground"
+            >
+              {recheckMessage}
+            </output>
+          ) : null}
+        </div>
+      </header>
+
+      <div className="space-y-4 pb-6">
+        {isError ? (
+          <section className="rounded-lg border border-destructive/30 bg-destructive/10 p-4 text-sm text-destructive">
+            {(error as Error)?.message ||
+              t(
+                "msg.admin.integrity.report.load_error",
+                "정합성 리포트를 불러오지 못했습니다.",
+              )}
+          </section>
+        ) : null}
+
+        <section className="rounded-lg border border-border bg-card p-5">
+          <div className="flex flex-wrap items-center justify-between gap-3 border-b border-border pb-4">
+            <div>
+              <h3 className="text-lg font-bold flex items-center gap-2">
+                {t(
+                  "ui.admin.integrity.read_model.title",
+                  "Read model integrity",
+                )}
+              </h3>
+              <p className="text-sm text-muted-foreground">
+                {t(
+                  "msg.admin.integrity.read_model.description",
+                  "Ory SoT를 덮어쓰지 않고 backend DB read model의 이상 징후만 확인합니다.",
+                )}
+              </p>
+            </div>
+            {data ? (
+              <Badge variant={statusBadgeVariant(data.status)}>
+                {statusLabel(data.status)}
+              </Badge>
+            ) : null}
+          </div>
+
+          {isLoading ? (
+            <div className="py-8 text-sm text-muted-foreground">
+              {t("ui.admin.integrity.loading", "불러오는 중")}
+            </div>
+          ) : (
+            <dl className="grid gap-4 py-5 sm:grid-cols-2 lg:grid-cols-4">
+              <div>
+                <dt className="text-sm text-muted-foreground">
+                  {t("ui.admin.integrity.summary.total_checks", "검사 항목")}
+                </dt>
+                <dd className="mt-1 text-xl font-semibold tabular-nums">
+                  {data?.summary.totalChecks ?? 0}
+                </dd>
+              </div>
+              <div>
+                <dt className="text-sm text-muted-foreground">
+                  {t("ui.admin.integrity.summary.passed", "정상")}
+                </dt>
+                <dd className="mt-1 text-xl font-semibold tabular-nums">
+                  {data?.summary.passed ?? 0}
+                </dd>
+              </div>
+              <div>
+                <dt className="text-sm text-muted-foreground">
+                  {t("ui.admin.integrity.summary.failures", "실패 건수")}
+                </dt>
+                <dd className="mt-1 text-xl font-semibold tabular-nums">
+                  {data?.summary.failures ?? 0}
+                </dd>
+              </div>
+              <div>
+                <dt className="text-sm text-muted-foreground">
+                  {t("ui.admin.integrity.summary.checked_at", "검사 시각")}
+                </dt>
+                <dd className="mt-1 text-sm">
+                  {formatDateTime(data?.checkedAt)}
+                </dd>
+              </div>
+            </dl>
+          )}
+        </section>
+
+        <div className="space-y-4">
+          {(data?.sections ?? []).map((section) => (
+            <section
+              key={section.key}
+              className="rounded-lg border border-border bg-card p-5"
+            >
+              <div className="mb-4 flex items-center justify-between gap-3">
+                <div className="space-y-1">
+                  <h3 className="text-lg font-bold flex items-center gap-2">
+                    {integritySectionLabel(section.key, section.label)}
+                  </h3>
+                  <p className="text-sm text-muted-foreground">
+                    {integritySectionDescription(section.key)}
+                  </p>
+                </div>
+                <Badge variant={statusBadgeVariant(section.status)}>
+                  {statusLabel(section.status)}
+                </Badge>
+              </div>
+              <div className="divide-y divide-border">
+                {section.checks.map((check) => (
+                  <div
+                    key={check.key}
+                    className="grid gap-3 py-4 md:grid-cols-[1fr_auto]"
+                  >
+                    <div className="flex gap-3">
+                      <CheckIcon check={check} />
+                      <div>
+                        <div className="font-medium">
+                          {integrityCheckLabel(check.key, check.label)}
+                        </div>
+                        <p className="mt-1 text-sm text-muted-foreground">
+                          {integrityCheckDescription(
+                            check.key,
+                            check.description,
+                          )}
+                        </p>
+                      </div>
+                    </div>
+                    <div className="flex items-center gap-3 md:justify-end">
+                      <Badge variant={statusBadgeVariant(check.status)}>
+                        {statusLabel(check.status)}
+                      </Badge>
+                      <span className="min-w-12 text-right text-lg font-semibold tabular-nums">
+                        {check.count}
+                      </span>
+                    </div>
+                  </div>
+                ))}
+              </div>
+            </section>
+          ))}
+        </div>
+
+        <section className="rounded-lg border border-border bg-card p-5">
+          <div className="mb-4 flex flex-wrap items-center justify-between gap-3">
+            <div>
+              <h3 className="text-lg font-bold flex items-center gap-2">
+                {t(
+                  "ui.admin.integrity.orphan_login_ids.title",
+                  "유령 로그인 ID 정리",
+                )}
+              </h3>
+              <p className="mt-1 text-sm text-muted-foreground">
+                {t(
+                  "msg.admin.integrity.orphan_login_ids.description",
+                  "삭제되었거나 존재하지 않는 사용자/테넌트를 참조하는 로그인 ID를 확인한 뒤 선택 삭제합니다.",
+                )}
+              </p>
+            </div>
+            <Button
+              type="button"
+              variant="destructive"
+              onClick={handleDeleteSelected}
+              disabled={
+                selectedOrphanIds.length === 0 || deleteMutation.isPending
+              }
+            >
+              {t("ui.admin.integrity.orphan_login_ids.delete", "선택 삭제")}
+            </Button>
+          </div>
+          {orphanLoginIDsQuery.isError ? (
+            <div className="mb-3 rounded border border-destructive/30 bg-destructive/10 p-3 text-sm text-destructive">
+              {t(
+                "msg.admin.integrity.orphan_login_ids.load_error",
+                "유령 로그인 ID 대상을 불러오지 못했습니다.",
+              )}
+            </div>
+          ) : null}
+          {deleteMutation.data ? (
+            <div className="mb-3 rounded border border-emerald-200 bg-emerald-50 p-3 text-sm text-emerald-800 dark:border-emerald-900 dark:bg-emerald-950/40 dark:text-emerald-200">
+              {t(
+                "msg.admin.integrity.orphan_login_ids.delete_success",
+                "{{count}}개의 유령 로그인 ID를 삭제했습니다.",
+                { count: deleteMutation.data.deletedCount },
+              )}
+            </div>
+          ) : null}
+          <OrphanLoginIDTable
+            items={orphanItems}
+            selectedIds={selectedOrphanIds}
+            onToggle={toggleOrphanID}
+          />
+        </section>
+      </div>
+    </main>
+  );
+}
+
+export default function DataIntegrityPage() {
+  return (
+    <RoleGuard
+      roles={["super_admin"]}
+      fallback={
+        <main className="p-6 md:p-8">
+          <section className="rounded-lg border border-border bg-card p-5">
+            <h2 className="text-lg font-semibold">
+              {t("ui.admin.integrity.forbidden.title", "접근 권한이 없습니다")}
+            </h2>
+            <p className="mt-2 text-sm text-muted-foreground">
+              {t(
+                "msg.admin.integrity.forbidden.description",
+                "이 화면은 super_admin 권한으로만 접근할 수 있습니다.",
+              )}
+            </p>
+          </section>
+        </main>
+      }
+    >
+      <DataIntegrityContent />
+    </RoleGuard>
+  );
+}
--- a/adminfront/src/features/ory-ssot/OrySSOTPage.test.tsx
+++ b/adminfront/src/features/ory-ssot/OrySSOTPage.test.tsx
@@ -0,0 +1,85 @@
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import { fireEvent, render, screen, waitFor } from "@testing-library/react";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import {
+  fetchMe,
+  fetchOrySSOTSystemStatus,
+  flushIdentityCache,
+} from "../../lib/adminApi";
+import { createI18nMock } from "../../test/i18nMock";
+import OrySSOTPage from "./OrySSOTPage";
+
+vi.mock("../../lib/i18n", () => createI18nMock());
+
+let currentRole = "super_admin";
+
+vi.mock("../../lib/adminApi", () => ({
+  fetchMe: vi.fn(async () => ({ role: currentRole })),
+  fetchOrySSOTSystemStatus: vi.fn(async () => ({
+    identityCache: {
+      status: "ready",
+      redisReady: true,
+      observedCount: 151,
+      keyCount: 153,
+      lastRefreshedAt: "2026-05-11T03:00:00Z",
+      updatedAt: "2026-05-11T03:00:10Z",
+    },
+  })),
+  flushIdentityCache: vi.fn(async () => ({
+    status: "success",
+    flushedKeys: 153,
+    updatedAt: "2026-05-11T03:02:00Z",
+  })),
+}));
+
+function renderPage() {
+  const queryClient = new QueryClient({
+    defaultOptions: {
+      queries: { retry: false },
+      mutations: { retry: false },
+    },
+  });
+
+  return render(
+    <QueryClientProvider client={queryClient}>
+      <OrySSOTPage />
+    </QueryClientProvider>,
+  );
+}
+
+describe("OrySSOTPage", () => {
+  beforeEach(() => {
+    currentRole = "super_admin";
+    vi.clearAllMocks();
+    vi.spyOn(window, "confirm").mockReturnValue(true);
+    window.localStorage.setItem("locale", "ko");
+  });
+
+  it("renders identity cache status and flushes cache", async () => {
+    renderPage();
+
+    expect(
+      (await screen.findAllByText("Ory SSOT 시스템")).length,
+    ).toBeGreaterThan(0);
+    expect(await screen.findByText("Redis identity cache")).toBeInTheDocument();
+    expect(screen.getAllByText("준비됨").length).toBeGreaterThan(0);
+    expect(screen.getByText("151")).toBeInTheDocument();
+
+    fireEvent.click(screen.getByRole("button", { name: /Redis cache flush/ }));
+
+    await waitFor(() => {
+      expect(flushIdentityCache).toHaveBeenCalledTimes(1);
+    });
+    expect(fetchOrySSOTSystemStatus).toHaveBeenCalled();
+  });
+
+  it("blocks non-super admins", async () => {
+    currentRole = "tenant_admin";
+
+    renderPage();
+
+    expect(await screen.findByText("접근 권한이 없습니다")).toBeInTheDocument();
+    expect(fetchMe).toHaveBeenCalled();
+    expect(fetchOrySSOTSystemStatus).not.toHaveBeenCalled();
+  });
+});
--- a/adminfront/src/features/ory-ssot/OrySSOTPage.tsx
+++ b/adminfront/src/features/ory-ssot/OrySSOTPage.tsx
@@ -0,0 +1,238 @@
+import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
+import { AlertTriangle, Database, Trash2 } from "lucide-react";
+import { RoleGuard } from "../../components/auth/RoleGuard";
+import { Badge } from "../../components/ui/badge";
+import { Button } from "../../components/ui/button";
+import {
+  fetchOrySSOTSystemStatus,
+  flushIdentityCache,
+} from "../../lib/adminApi";
+import { t } from "../../lib/i18n";
+import { getAdminDateLocale } from "../../lib/locale";
+
+function formatDateTime(value?: string) {
+  if (!value) return "-";
+  const date = new Date(value);
+  if (Number.isNaN(date.getTime())) return value;
+  return new Intl.DateTimeFormat(getAdminDateLocale(), {
+    dateStyle: "medium",
+    timeStyle: "medium",
+  }).format(date);
+}
+
+function StatusBadge({ ready, status }: { ready: boolean; status: string }) {
+  if (ready) {
+    return (
+      <Badge variant="success">
+        {t("ui.admin.ory_ssot.status.ready", "ready")}
+      </Badge>
+    );
+  }
+  if (status === "failed") {
+    return (
+      <Badge variant="warning">
+        {t("ui.admin.ory_ssot.status.failed", "failed")}
+      </Badge>
+    );
+  }
+  return (
+    <Badge variant="secondary">
+      {status ? status : t("ui.admin.ory_ssot.status.not_ready", "not ready")}
+    </Badge>
+  );
+}
+
+function OrySSOTContent() {
+  const queryClient = useQueryClient();
+  const { data, isLoading, isError, error } = useQuery({
+    queryKey: ["ory-ssot-system-status"],
+    queryFn: fetchOrySSOTSystemStatus,
+  });
+
+  const flushMutation = useMutation({
+    mutationFn: flushIdentityCache,
+    onSuccess: async () => {
+      await queryClient.invalidateQueries({
+        queryKey: ["ory-ssot-system-status"],
+      });
+    },
+  });
+
+  const handleFlush = () => {
+    const confirmed = window.confirm(
+      t(
+        "msg.admin.ory_ssot.flush_confirm",
+        "Flush only Redis identity cache keys?",
+      ),
+    );
+    if (confirmed) flushMutation.mutate();
+  };
+
+  const identityCache = data?.identityCache;
+
+  return (
+    <main className="space-y-6 flex flex-col h-[calc(100vh-theme(spacing.32))]">
+      <header className="flex flex-shrink-0 flex-wrap items-start justify-between gap-4 sticky top-[-2.5rem] z-20 -mt-4 bg-background/95 pb-2 pt-4 backdrop-blur">
+        <div className="flex min-w-0 items-start gap-3">
+          <div className="mt-1 flex h-10 w-10 shrink-0 items-center justify-center rounded-xl border border-primary/15 bg-primary/10 text-primary">
+            <Database size={20} />
+          </div>
+          <div className="space-y-2">
+            <h2 className="text-3xl font-semibold">
+              {t("ui.admin.ory_ssot.title", "Ory SSOT System")}
+            </h2>
+            <p className="text-sm text-muted-foreground">
+              {t(
+                "msg.admin.ory_ssot.subtitle",
+                "Review Kratos source-of-truth and Redis identity cache status separately.",
+              )}
+            </p>
+          </div>
+        </div>
+        <Button
+          type="button"
+          variant="destructive"
+          onClick={handleFlush}
+          disabled={flushMutation.isPending}
+        >
+          <Trash2 size={16} />
+          {t(
+            "ui.admin.ory_ssot.actions.flush_identity_cache",
+            "Redis cache flush",
+          )}
+        </Button>
+      </header>
+
+      {isError ? (
+        <section className="rounded-lg border border-destructive/30 bg-destructive/10 p-4 text-sm text-destructive">
+          {(error as Error)?.message ||
+            t(
+              "msg.admin.ory_ssot.load_error",
+              "Failed to load Ory SSOT system status.",
+            )}
+        </section>
+      ) : null}
+
+      {flushMutation.data ? (
+        <section className="rounded-lg border border-emerald-200 bg-emerald-50 p-4 text-sm text-emerald-800 dark:border-emerald-900 dark:bg-emerald-950/40 dark:text-emerald-200">
+          {t(
+            "msg.admin.ory_ssot.flush_success",
+            "Flushed {{count}} Redis identity cache keys.",
+            { count: flushMutation.data.flushedKeys },
+          )}
+        </section>
+      ) : null}
+
+      {flushMutation.error ? (
+        <section className="rounded-lg border border-destructive/30 bg-destructive/10 p-4 text-sm text-destructive">
+          {(flushMutation.error as Error)?.message ||
+            t(
+              "msg.admin.ory_ssot.flush_error",
+              "Redis identity cache flush failed.",
+            )}
+        </section>
+      ) : null}
+
+      <section className="rounded-lg border border-border bg-card p-5">
+        <div className="flex items-center gap-3 border-b border-border pb-4">
+          <div>
+            <h3 className="text-lg font-bold">
+              {t("ui.admin.ory_ssot.cache_card.title", "Redis identity cache")}
+            </h3>
+            <p className="text-sm text-muted-foreground">
+              {t(
+                "ui.admin.ory_ssot.cache_card.description",
+                "Redis mirror/cache status for Kratos identity list and lookup operations.",
+              )}
+            </p>
+          </div>
+        </div>
+
+        {isLoading ? (
+          <div className="py-8 text-sm text-muted-foreground">
+            {t("ui.admin.ory_ssot.loading", "Loading")}
+          </div>
+        ) : (
+          <dl className="grid gap-4 py-5 sm:grid-cols-2 lg:grid-cols-4">
+            <div>
+              <dt className="text-sm text-muted-foreground">
+                {t("ui.admin.ory_ssot.summary.status", "Status")}
+              </dt>
+              <dd className="mt-1">
+                <StatusBadge
+                  ready={
+                    Boolean(identityCache?.redisReady) &&
+                    identityCache?.status === "ready"
+                  }
+                  status={identityCache?.status ?? "unknown"}
+                />
+              </dd>
+            </div>
+            <div>
+              <dt className="text-sm text-muted-foreground">
+                {t(
+                  "ui.admin.ory_ssot.summary.observed_identities",
+                  "Observed identities",
+                )}
+              </dt>
+              <dd className="mt-1 text-xl font-semibold tabular-nums">
+                {identityCache?.observedCount ?? 0}
+              </dd>
+            </div>
+            <div>
+              <dt className="text-sm text-muted-foreground">
+                {t("ui.admin.ory_ssot.summary.cache_keys", "Cache keys")}
+              </dt>
+              <dd className="mt-1 text-xl font-semibold tabular-nums">
+                {identityCache?.keyCount ?? 0}
+              </dd>
+            </div>
+            <div>
+              <dt className="text-sm text-muted-foreground">
+                {t(
+                  "ui.admin.ory_ssot.summary.last_refreshed",
+                  "Last refreshed",
+                )}
+              </dt>
+              <dd className="mt-1 text-sm">
+                {formatDateTime(identityCache?.lastRefreshedAt)}
+              </dd>
+            </div>
+          </dl>
+        )}
+
+        {identityCache?.lastError ? (
+          <div className="flex gap-2 rounded-lg border border-amber-200 bg-amber-50 p-3 text-sm text-amber-900 dark:border-amber-900 dark:bg-amber-950/40 dark:text-amber-200">
+            <AlertTriangle className="mt-0.5 shrink-0" size={16} />
+            <span>{identityCache.lastError}</span>
+          </div>
+        ) : null}
+      </section>
+    </main>
+  );
+}
+
+export default function OrySSOTPage() {
+  return (
+    <RoleGuard
+      roles={["super_admin"]}
+      fallback={
+        <main className="p-6 md:p-8">
+          <section className="rounded-lg border border-border bg-card p-5">
+            <h2 className="text-lg font-semibold">
+              {t("ui.admin.ory_ssot.forbidden.title", "Access denied")}
+            </h2>
+            <p className="mt-2 text-sm text-muted-foreground">
+              {t(
+                "msg.admin.ory_ssot.forbidden.description",
+                "This screen is only available to super_admin users.",
+              )}
+            </p>
+          </section>
+        </main>
+      }
+    >
+      <OrySSOTContent />
+    </RoleGuard>
+  );
+}
--- a/adminfront/src/features/overview/GlobalOverviewPage.test.tsx
+++ b/adminfront/src/features/overview/GlobalOverviewPage.test.tsx
@@ -0,0 +1,266 @@
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import { fireEvent, render, screen, waitFor } from "@testing-library/react";
+import type React from "react";
+import { MemoryRouter } from "react-router-dom";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import {
+  fetchAdminRPUsageDaily,
+  fetchDataIntegrityReport,
+} from "../../lib/adminApi";
+import { createI18nMock } from "../../test/i18nMock";
+import AuthPage from "../auth/AuthPage";
+import GlobalOverviewPage from "./GlobalOverviewPage";
+
+vi.mock("../../lib/i18n", () => createI18nMock());
+
+let currentRole = "super_admin";
+
+vi.mock("../../lib/adminApi", () => ({
+  fetchMe: vi.fn(async () => ({ role: currentRole })),
+  fetchAdminOverviewStats: vi.fn(async () => ({
+    totalTenants: 10,
+    totalUsers: 152,
+    oidcClients: 3,
+    auditEvents24h: 18,
+  })),
+  fetchAllTenants: vi.fn(async () => ({
+    items: [
+      {
+        id: "group-1",
+        type: "COMPANY_GROUP",
+        name: "한맥그룹",
+        slug: "hanmac-group",
+        description: "",
+        status: "active",
+        memberCount: 0,
+        createdAt: "2026-05-06T00:00:00Z",
+        updatedAt: "2026-05-06T00:00:00Z",
+      },
+      {
+        id: "company-1",
+        type: "COMPANY",
+        name: "한맥",
+        slug: "hanmac",
+        description: "",
+        status: "active",
+        memberCount: 0,
+        createdAt: "2026-05-06T00:00:00Z",
+        updatedAt: "2026-05-06T00:00:00Z",
+      },
+      {
+        id: "org-1",
+        type: "ORGANIZATION",
+        name: "개발팀",
+        slug: "dev-team",
+        description: "",
+        status: "active",
+        memberCount: 0,
+        createdAt: "2026-05-06T00:00:00Z",
+        updatedAt: "2026-05-06T00:00:00Z",
+      },
+      {
+        id: "personal-1",
+        type: "PERSONAL",
+        name: "개인",
+        slug: "personal",
+        description: "",
+        status: "active",
+        memberCount: 0,
+        createdAt: "2026-05-06T00:00:00Z",
+        updatedAt: "2026-05-06T00:00:00Z",
+      },
+    ],
+    limit: 1000,
+    offset: 0,
+    total: 4,
+  })),
+  fetchAdminRPUsageDaily: vi.fn(async () => ({
+    days: 14,
+    period: "day",
+    items: [
+      {
+        date: "2026-05-05",
+        tenantId: "company-1",
+        tenantType: "COMPANY",
+        tenantName: "한맥",
+        clientId: "orgfront",
+        clientName: "OrgFront",
+        loginRequests: 12,
+        otherRequests: 4,
+        uniqueSubjects: 8,
+      },
+      {
+        date: "2026-05-06",
+        tenantId: "company-1",
+        tenantType: "COMPANY",
+        tenantName: "한맥",
+        clientId: "adminfront",
+        clientName: "AdminFront",
+        loginRequests: 7,
+        otherRequests: 3,
+        uniqueSubjects: 5,
+      },
+      {
+        date: "2026-09-28",
+        tenantId: "company-1",
+        tenantType: "COMPANY",
+        tenantName: "한맥",
+        clientId: "devfront",
+        clientName: "DevFront",
+        loginRequests: 2,
+        otherRequests: 1,
+        uniqueSubjects: 2,
+      },
+    ],
+  })),
+  fetchDataIntegrityReport: vi.fn(async () => ({
+    status: "fail",
+    checkedAt: "2026-05-14T00:00:00Z",
+    summary: {
+      totalChecks: 5,
+      passed: 4,
+      warnings: 0,
+      failures: 1,
+    },
+    sections: [
+      {
+        key: "tenant_integrity",
+        label: "테넌트 정합성",
+        status: "pass",
+        checks: [],
+      },
+      {
+        key: "user_integrity",
+        label: "사용자 정합성",
+        status: "fail",
+        checks: [],
+      },
+    ],
+  })),
+}));
+
+function renderWithProviders(ui: React.ReactElement) {
+  const queryClient = new QueryClient({
+    defaultOptions: {
+      queries: { retry: false },
+      mutations: { retry: false },
+    },
+  });
+
+  return render(
+    <QueryClientProvider client={queryClient}>
+      <MemoryRouter>{ui}</MemoryRouter>
+    </QueryClientProvider>,
+  );
+}
+
+describe("admin overview and auth guard pages", () => {
+  beforeEach(() => {
+    currentRole = "super_admin";
+    vi.clearAllMocks();
+  });
+
+  it("renders usage trend chart without quick navigation or permission checker", async () => {
+    renderWithProviders(<GlobalOverviewPage />);
+
+    expect(
+      await screen.findByText("회사별 앱별 로그인 요청 현황"),
+    ).toBeInTheDocument();
+    expect(
+      await screen.findByLabelText("일 단위 RP 요청 현황"),
+    ).toBeInTheDocument();
+    expect(await screen.findByText("05.05")).toBeInTheDocument();
+    expect(await screen.findByText("05.06")).toBeInTheDocument();
+    expect(screen.queryByText("빠른 작업")).not.toBeInTheDocument();
+    expect(screen.queryByText("빠른 이동")).not.toBeInTheDocument();
+    expect(screen.queryByText("테넌트 추가")).not.toBeInTheDocument();
+    expect(screen.queryByText("ReBAC 권한 검증 도구")).not.toBeInTheDocument();
+  });
+
+  it("renders overview tenant count from the fully fetched tenant list", async () => {
+    renderWithProviders(<GlobalOverviewPage />);
+
+    expect(
+      (await screen.findByText("전체 테넌트 수")).parentElement,
+    ).toHaveTextContent("4");
+    expect(screen.getByText("OIDC 클라이언트").parentElement).toHaveTextContent(
+      "3",
+    );
+    expect(screen.getByText("전체 사용자 수").parentElement).toHaveTextContent(
+      "152",
+    );
+    expect(screen.getByText("24시간 이벤트").parentElement).toHaveTextContent(
+      "18",
+    );
+  });
+
+  it("limits the overview graph choices to company tenants", async () => {
+    renderWithProviders(<GlobalOverviewPage />);
+
+    await screen.findByText("회사별 앱별 로그인 요청 현황");
+
+    expect(
+      await screen.findByRole("checkbox", { name: "한맥 (hanmac)" }),
+    ).toBeInTheDocument();
+    expect(
+      screen.queryByText("한맥그룹 (hanmac-group)"),
+    ).not.toBeInTheDocument();
+    expect(screen.queryByText("개발팀 (dev-team)")).not.toBeInTheDocument();
+    expect(screen.queryByText("개인 (personal)")).not.toBeInTheDocument();
+  });
+
+  it("changes the RP usage perspective and targets a permitted company", async () => {
+    renderWithProviders(<GlobalOverviewPage />);
+
+    await screen.findByText("회사별 앱별 로그인 요청 현황");
+    fireEvent.click(screen.getByRole("button", { name: "주" }));
+    expect(await screen.findAllByText("19(05월1주)")).not.toHaveLength(0);
+    expect(await screen.findAllByText("40(10월1주)")).not.toHaveLength(0);
+    fireEvent.click(screen.getByRole("button", { name: "월" }));
+    fireEvent.click(screen.getByRole("checkbox", { name: "한맥 (hanmac)" }));
+
+    await waitFor(() => {
+      expect(fetchAdminRPUsageDaily).toHaveBeenLastCalledWith({
+        days: 90,
+        period: "month",
+      });
+    });
+    expect(
+      screen.queryByText("한맥그룹 (hanmac-group)"),
+    ).not.toBeInTheDocument();
+    expect(screen.queryByText("개발팀 (dev-team)")).not.toBeInTheDocument();
+    expect(screen.queryByText("개인 (personal)")).not.toBeInTheDocument();
+  });
+
+  it("shows the latest integrity summary at the bottom for super admins only", async () => {
+    renderWithProviders(<GlobalOverviewPage />);
+
+    expect(await screen.findByText("정합성 최종 검증")).toBeInTheDocument();
+    expect(screen.getByText("실패 1건")).toBeInTheDocument();
+    expect(screen.getByText("테넌트 정합성")).toBeInTheDocument();
+    expect(screen.getByText("사용자 정합성")).toBeInTheDocument();
+    expect(fetchDataIntegrityReport).toHaveBeenCalledTimes(1);
+  });
+
+  it("does not fetch or show the integrity summary for non-super admins", async () => {
+    currentRole = "tenant_admin";
+
+    renderWithProviders(<GlobalOverviewPage />);
+
+    await screen.findByText("회사별 앱별 로그인 요청 현황");
+    expect(screen.queryByText("정합성 최종 검증")).not.toBeInTheDocument();
+    expect(fetchDataIntegrityReport).not.toHaveBeenCalled();
+  });
+
+  it("moves the permission checker to the auth guard page and removes mock guardrails", () => {
+    renderWithProviders(<AuthPage />);
+
+    expect(screen.getByText("인증 가드")).toBeInTheDocument();
+    expect(screen.getByText("ReBAC 권한 검증 도구")).toBeInTheDocument();
+    expect(screen.queryByText("Admin auth guardrails")).not.toBeInTheDocument();
+    expect(
+      screen.queryByText("IDP session placeholder"),
+    ).not.toBeInTheDocument();
+    expect(screen.queryByText("Admin login")).not.toBeInTheDocument();
+  });
+});
--- a/adminfront/src/features/overview/GlobalOverviewPage.tsx
+++ b/adminfront/src/features/overview/GlobalOverviewPage.tsx
@@ -1,168 +1,608 @@
+import { useQuery } from "@tanstack/react-query";
 import {
  Activity,
-  ArrowUpRight,
-  Box,
+  AlertTriangle,
+  CheckCircle2,
  Database,
+  LayoutDashboard,
  ShieldCheck,
  Users,
 } from "lucide-react";
-import { Link } from "react-router-dom";
-import { Badge } from "../../components/ui/badge";
-import { Button } from "../../components/ui/button";
+import { type ReactNode, useMemo, useState } from "react";
 import {
-  Card,
-  CardContent,
-  CardDescription,
-  CardHeader,
-  CardTitle,
-} from "../../components/ui/card";
+  OverviewAxisNotes,
+  OverviewMetric,
+  OverviewSelectionChips,
+} from "../../../../common/core/components/overview";
+import { RoleGuard } from "../../components/auth/RoleGuard";
+import {
+  type DataIntegrityStatus,
+  fetchAdminOverviewStats,
+  fetchAdminRPUsageDaily,
+  fetchAllTenants,
+  fetchDataIntegrityReport,
+  type RPUsageDailyMetric,
+  type RPUsagePeriod,
+} from "../../lib/adminApi";
+import { t } from "../../lib/i18n";

-const summaryCards = [
-  {
-    label: "Total Tenants",
-    value: "-",
-    hint: "Tenant-aware core",
-    icon: Users,
-  },
-  {
-    label: "OIDC Clients",
-    value: "-",
-    hint: "Hydra registry",
-    icon: ShieldCheck,
-  },
-  {
-    label: "Audit Events (24h)",
-    value: "-",
-    hint: "ClickHouse stream",
-    icon: Activity,
-  },
-  {
-    label: "Policy Gate",
-    value: "Planned",
-    hint: "Keto + Admin checks",
-    icon: Database,
-  },
-];
+type DailyPoint = {
+  date: string;
+  loginRequests: number;
+  otherRequests: number;
+};

-function GlobalOverviewPage() {
-  return (
-    <div className="space-y-10">
-      <div className="flex flex-wrap items-start justify-between gap-4">
-        <div className="space-y-2">
-          <p className="text-xs uppercase tracking-[0.2em] text-[var(--color-muted)]">
-            Global Overview
-          </p>
-          <h2 className="text-3xl font-semibold">
-            Tenant-independent control plane
-          </h2>
-          <p className="text-sm text-[var(--color-muted)]">
-            모든 테넌트 공통 지표와 정책 상태를 한 곳에서 확인합니다.
-          </p>
+type SeriesSummary = {
+  key: string;
+  clientLabel: string;
+  loginRequests: number;
+  uniqueSubjects: number;
+};
+
+function summarizeDaily(rows: RPUsageDailyMetric[]): DailyPoint[] {
+  const byDate = new Map<string, DailyPoint>();
+  for (const row of rows) {
+    const current =
+      byDate.get(row.date) ??
+      ({
+        date: row.date,
+        loginRequests: 0,
+        otherRequests: 0,
+      } satisfies DailyPoint);
+    current.loginRequests += row.loginRequests;
+    current.otherRequests += row.otherRequests;
+    byDate.set(row.date, current);
+  }
+  return Array.from(byDate.values()).sort((a, b) =>
+    a.date.localeCompare(b.date),
+  );
+}
+
+function summarizeSeries(rows: RPUsageDailyMetric[]): SeriesSummary[] {
+  const bySeries = new Map<string, SeriesSummary>();
+  for (const row of rows) {
+    const key = row.clientId;
+    const current =
+      bySeries.get(key) ??
+      ({
+        key,
+        clientLabel: row.clientName || row.clientId,
+        loginRequests: 0,
+        uniqueSubjects: 0,
+      } satisfies SeriesSummary);
+    current.loginRequests += row.loginRequests;
+    current.uniqueSubjects = Math.max(
+      current.uniqueSubjects,
+      row.uniqueSubjects,
+    );
+    bySeries.set(key, current);
+  }
+  return Array.from(bySeries.values())
+    .sort((a, b) => b.loginRequests - a.loginRequests)
+    .slice(0, 5);
+}
+
+function parseDateParts(date: string) {
+  const parts = date.split("-");
+  if (parts.length === 3) {
+    return {
+      year: Number(parts[0]),
+      month: Number(parts[1]),
+      day: Number(parts[2]),
+      monthText: parts[1],
+      dayText: parts[2],
+    };
+  }
+  return null;
+}
+
+function getISOWeekNumber(year: number, month: number, day: number) {
+  const date = new Date(Date.UTC(year, month - 1, day));
+  const dayOfWeek = date.getUTCDay() || 7;
+  date.setUTCDate(date.getUTCDate() + 4 - dayOfWeek);
+  const yearStart = new Date(Date.UTC(date.getUTCFullYear(), 0, 1));
+  return Math.ceil(((date.getTime() - yearStart.getTime()) / 86400000 + 1) / 7);
+}
+
+function getISOWeekThursday(year: number, month: number, day: number) {
+  const date = new Date(Date.UTC(year, month - 1, day));
+  const dayOfWeek = date.getUTCDay() || 7;
+  date.setUTCDate(date.getUTCDate() + 4 - dayOfWeek);
+  return date;
+}
+
+function formatPeriodLabel(date: string, period: RPUsagePeriod) {
+  const parts = parseDateParts(date);
+  if (!parts) {
+    return date;
+  }
+  if (period === "month") {
+    return `${parts.monthText}월`;
+  }
+  if (period === "week") {
+    const weekNumber = String(
+      getISOWeekNumber(parts.year, parts.month, parts.day),
+    ).padStart(2, "0");
+    const weekThursday = getISOWeekThursday(parts.year, parts.month, parts.day);
+    const weekMonth = weekThursday.getUTCMonth() + 1;
+    const weekDay = weekThursday.getUTCDate();
+    const weekMonthText = String(weekMonth).padStart(2, "0");
+    const weekOfMonth = Math.min(5, Math.max(1, Math.ceil(weekDay / 7)));
+    return `${weekNumber}(${weekMonthText}월${weekOfMonth}주)`;
+  }
+  return `${parts.monthText}.${parts.dayText}`;
+}
+
+function formatOverviewDateTime(value?: string) {
+  if (!value) return "-";
+  const date = new Date(value);
+  if (Number.isNaN(date.getTime())) return value;
+  return new Intl.DateTimeFormat("ko-KR", {
+    dateStyle: "medium",
+    timeStyle: "short",
+  }).format(date);
+}
+
+function integrityStatusText(status: DataIntegrityStatus) {
+  switch (status) {
+    case "pass":
+      return t("ui.admin.integrity.status.pass", "정상");
+    case "warning":
+      return t("ui.admin.integrity.status.warning", "주의");
+    default:
+      return t("ui.admin.integrity.status.fail", "실패");
+  }
+}
+
+function integrityStatusClass(status: DataIntegrityStatus) {
+  switch (status) {
+    case "pass":
+      return "text-emerald-700 dark:text-emerald-300";
+    case "warning":
+      return "text-amber-700 dark:text-amber-300";
+    default:
+      return "text-destructive";
+  }
+}
+
+function IntegrityOverviewSummary() {
+  const { data, isError } = useQuery({
+    queryKey: ["admin-overview-integrity"],
+    queryFn: fetchDataIntegrityReport,
+    retry: false,
+  });
+
+  if (isError) {
+    return (
+      <section className="border-t border-border/60 pt-4">
+        <div className="flex items-center gap-2 text-sm text-muted-foreground">
+          <AlertTriangle size={16} />
+          <span>
+            {t(
+              "ui.admin.integrity.fetch_error",
+              "정합성 최종 검증 결과를 불러오지 못했습니다.",
+            )}
+          </span>
        </div>
+      </section>
+    );
+  }
+
+  if (!data) {
+    return null;
+  }
+
+  return (
+    <section className="border-t border-border/60 pt-4">
+      <div className="flex flex-wrap items-start justify-between gap-3">
        <div className="flex items-center gap-2">
-          <Badge variant="muted">IDP: Ory primary</Badge>
-          <Badge variant="muted">Fallback: Descope</Badge>
+          {data.status === "pass" ? (
+            <CheckCircle2 size={18} className="text-emerald-600" />
+          ) : (
+            <AlertTriangle size={18} className="text-amber-600" />
+          )}
+          <h3 className="text-lg font-bold flex items-center gap-2">
+            {t("ui.admin.integrity.summary.title", "정합성 최종 검증")}
+          </h3>
+        </div>
+        <div className="flex flex-wrap items-center gap-3 text-sm">
+          <span
+            className={`font-semibold ${integrityStatusClass(data.status)}`}
+          >
+            {integrityStatusText(data.status)}
+          </span>
+          <span className="tabular-nums">
+            {t("ui.admin.integrity.summary.failures_text", "실패 {{count}}건", {
+              count: data.summary.failures,
+            })}
+          </span>
+          <span className="text-muted-foreground">
+            {formatOverviewDateTime(data.checkedAt)}
+          </span>
        </div>
      </div>
-
-      <div className="grid gap-4 md:grid-cols-2 xl:grid-cols-4">
-        {summaryCards.map(({ label, value, hint, icon: Icon }) => (
-          <Card key={label} className="bg-[var(--color-panel)]">
-            <CardHeader className="flex flex-row items-center justify-between pb-2">
-              <CardDescription>{label}</CardDescription>
-              <div className="rounded-full border border-[var(--color-border)] p-2 text-[var(--color-muted)]">
-                <Icon size={16} />
-              </div>
-            </CardHeader>
-            <CardContent>
-              <div className="text-2xl font-semibold">{value}</div>
-              <p className="mt-1 text-xs text-[var(--color-muted)]">{hint}</p>
-            </CardContent>
-          </Card>
+      <div className="mt-3 grid gap-2 text-sm sm:grid-cols-2">
+        {data.sections.map((section) => (
+          <div
+            key={section.key}
+            className="flex items-center justify-between gap-3 rounded border border-border/60 px-3 py-2"
+          >
+            <span>{integritySectionLabel(section.key, section.label)}</span>
+            <span
+              className={`font-medium ${integrityStatusClass(section.status)}`}
+            >
+              {integrityStatusText(section.status)}
+            </span>
+          </div>
        ))}
      </div>
+    </section>
+  );
+}

-      <div className="grid gap-6 lg:grid-cols-[1.4fr,1fr]">
-        <Card className="bg-[var(--color-panel)]">
-          <CardHeader>
-            <CardTitle className="text-xl">Admin playbook</CardTitle>
-            <CardDescription>
-              운영 정책, 레이트리밋, 감사 로그의 기본 룰을 요약합니다.
-            </CardDescription>
-          </CardHeader>
-          <CardContent className="space-y-3 text-sm text-[var(--color-muted)]">
-            <div className="flex items-start gap-3">
-              <div className="mt-1 rounded-full border border-[var(--color-border)] p-2">
-                <ShieldCheck size={14} />
-              </div>
-              <div>
-                <p className="font-semibold text-foreground">
-                  Backend-only IDP access
-                </p>
-                <p>
-                  모든 IDP 호출은 backend를 통해서만 수행하며, Hydra/Kratos
-                  admin 포트는 외부에 노출하지 않습니다.
-                </p>
-              </div>
-            </div>
-            <div className="flex items-start gap-3">
-              <div className="mt-1 rounded-full border border-[var(--color-border)] p-2">
-                <Box size={14} />
-              </div>
-              <div>
-                <p className="font-semibold text-foreground">
-                  Tenant isolation
-                </p>
-                <p>
-                  Tenant 헤더와 감사 로그 규칙을 기본 적용하며, 향후 Keto
-                  정책으로 확장 예정입니다.
-                </p>
-              </div>
-            </div>
-          </CardContent>
-        </Card>
+function integritySectionLabel(key: string, fallback: string) {
+  switch (key) {
+    case "tenant_integrity":
+      return t("ui.admin.integrity.section.tenant_integrity", fallback);
+    case "user_integrity":
+      return t("ui.admin.integrity.section.user_integrity", fallback);
+    default:
+      return fallback;
+  }
+}

-        <Card className="bg-[var(--color-panel)]">
-          <CardHeader>
-            <CardTitle className="text-xl">빠른 이동</CardTitle>
-            <CardDescription>
-              주요 운영 화면으로 바로 이동합니다.
-            </CardDescription>
-          </CardHeader>
-          <CardContent className="space-y-3">
-            <Button
-              asChild
-              className="w-full justify-between"
-              variant="outline"
-            >
-              <Link to="/tenants/new">
-                테넌트 추가
-                <ArrowUpRight size={16} />
-              </Link>
-            </Button>
-            <Button
-              asChild
-              className="w-full justify-between"
-              variant="outline"
-            >
-              <Link to="/audit-logs">
-                감사 로그 보기
-                <ArrowUpRight size={16} />
-              </Link>
-            </Button>
-            <Button
-              asChild
-              className="w-full justify-between"
-              variant="outline"
-            >
-              <Link to="/dashboard">
-                테넌트 대시보드
-                <ArrowUpRight size={16} />
-              </Link>
-            </Button>
-          </CardContent>
-        </Card>
+function RPUsageMixedChart({
+  rows,
+  periodControls,
+  filters,
+  period,
+}: {
+  rows: RPUsageDailyMetric[];
+  periodControls: ReactNode;
+  filters: ReactNode;
+  period: RPUsagePeriod;
+}) {
+  const daily = summarizeDaily(rows);
+  const series = summarizeSeries(rows);
+  const chartWidth = 720;
+  const chartHeight = 230;
+  const padX = 48;
+  const padTop = 32;
+  const padBottom = 34;
+  const innerWidth = chartWidth - padX * 2;
+  const innerHeight = chartHeight - padTop - padBottom;
+  const maxValue = Math.max(
+    1,
+    ...daily.map((point) => point.loginRequests + point.otherRequests),
+    ...daily.map((point) => point.loginRequests),
+  );
+  const slot = daily.length > 0 ? innerWidth / daily.length : innerWidth;
+  const barWidth = Math.min(28, Math.max(10, slot * 0.42));
+  const y = (value: number) =>
+    padTop + innerHeight - (value / maxValue) * innerHeight;
+  const x = (index: number) => padX + slot * index + slot / 2;
+  const linePoints = daily
+    .map((point, index) => `${x(index)},${y(point.loginRequests)}`)
+    .join(" ");
+
+  return (
+    <section className="space-y-3">
+      <div className="flex flex-wrap items-start justify-between gap-3">
+        <div className="space-y-1">
+          <h3 className="text-lg font-bold flex items-center gap-2">
+            {t("ui.admin.overview.chart.title", "회사별 앱별 로그인 요청 현황")}
+          </h3>
+          <p className="text-sm text-muted-foreground">
+            {t(
+              "ui.admin.overview.chart.description",
+              "전체 또는 선택한 조직 기준으로 그래프를 확인합니다.",
+            )}
+          </p>
+        </div>
+        {periodControls}
      </div>
+
+      {filters}
+
+      {daily.length === 0 ? (
+        <div className="flex min-h-[210px] items-center justify-center text-sm text-muted-foreground">
+          표시할 RP 이용 집계가 없습니다.
+        </div>
+      ) : (
+        <div className="space-y-3">
+          <div className="overflow-x-auto">
+            <svg
+              role="img"
+              aria-label="일 단위 RP 요청 현황"
+              viewBox={`0 0 ${chartWidth} ${chartHeight}`}
+              className="h-[235px] min-w-[720px] w-full"
+            >
+              <title>일 단위 RP 요청 현황</title>
+              {[0, 0.25, 0.5, 0.75, 1].map((ratio) => {
+                const gridY = padTop + innerHeight * ratio;
+                const label = Math.round(maxValue * (1 - ratio));
+                return (
+                  <g key={ratio}>
+                    <line
+                      x1={padX}
+                      x2={chartWidth - padX}
+                      y1={gridY}
+                      y2={gridY}
+                      stroke="currentColor"
+                      className="text-border"
+                      strokeWidth="1"
+                    />
+                    <text
+                      x={padX - 12}
+                      y={gridY + 4}
+                      textAnchor="end"
+                      className="fill-muted-foreground text-[11px]"
+                    >
+                      {label}
+                    </text>
+                  </g>
+                );
+              })}
+              {daily.map((point, index) => {
+                const center = x(index);
+                const otherHeight =
+                  (point.otherRequests / maxValue) * innerHeight;
+                return (
+                  <g key={point.date}>
+                    <rect
+                      x={center - barWidth / 2}
+                      y={padTop + innerHeight - otherHeight}
+                      width={barWidth}
+                      height={otherHeight}
+                      rx="3"
+                      className="fill-sky-500/70"
+                    />
+                    <text
+                      x={center}
+                      y={chartHeight - 12}
+                      textAnchor="middle"
+                      className="fill-muted-foreground text-[11px]"
+                    >
+                      {formatPeriodLabel(point.date, period)}
+                    </text>
+                  </g>
+                );
+              })}
+              <polyline
+                points={linePoints}
+                fill="none"
+                className="stroke-emerald-500"
+                strokeWidth="3"
+                strokeLinecap="round"
+                strokeLinejoin="round"
+              />
+              {daily.map((point, index) => (
+                <circle
+                  key={`${point.date}-login`}
+                  cx={x(index)}
+                  cy={y(point.loginRequests)}
+                  r="4"
+                  className="fill-emerald-500 stroke-background"
+                  strokeWidth="2"
+                />
+              ))}
+            </svg>
+          </div>
+          <OverviewAxisNotes
+            xAxisLabel={t("ui.common.chart.axis.x", "X축: 기간")}
+            yAxisLabel={t("ui.common.chart.axis.y", "Y축: 로그인 요청 수")}
+          />
+        </div>
+      )}
+
+      {series.length > 0 && (
+        <div className="grid gap-x-6 gap-y-2 border-t border-border/60 pt-2 text-xs md:grid-cols-2 xl:grid-cols-3">
+          {series.map((item) => (
+            <div
+              key={item.key}
+              className="flex min-w-0 flex-wrap items-center gap-x-3 gap-y-1"
+            >
+              <span className="font-medium">{item.clientLabel}</span>
+              <span className="whitespace-nowrap tabular-nums text-muted-foreground">
+                {t(
+                  "ui.common.chart.series_summary.login_users",
+                  "로그인 {{login}} / 사용자 {{subjects}}",
+                  {
+                    login: item.loginRequests.toLocaleString(),
+                    subjects: item.uniqueSubjects.toLocaleString(),
+                  },
+                )}
+              </span>
+            </div>
+          ))}
+        </div>
+      )}
+    </section>
+  );
+}
+
+function GlobalOverviewPage() {
+  const [period, setPeriod] = useState<RPUsagePeriod>("day");
+  const [selectedTenantIds, setSelectedTenantIds] = useState<string[]>([]);
+  const usageDays = period === "day" ? 14 : period === "week" ? 84 : 90;
+  const statsQuery = useQuery({
+    queryKey: ["admin-overview-stats"],
+    queryFn: fetchAdminOverviewStats,
+    retry: false,
+  });
+  const tenantsQuery = useQuery({
+    queryKey: ["admin-overview-tenant-options"],
+    queryFn: () => fetchAllTenants(),
+    retry: false,
+  });
+  const tenantOptions = useMemo(() => {
+    return (tenantsQuery.data?.items ?? []).filter(
+      (tenant) => tenant.type === "COMPANY",
+    );
+  }, [tenantsQuery.data?.items]);
+  const usageQuery = useQuery({
+    queryKey: ["admin-rp-usage-daily", usageDays, period],
+    queryFn: () =>
+      fetchAdminRPUsageDaily({
+        days: usageDays,
+        period,
+      }),
+    retry: false,
+  });
+  const stats = statsQuery.data;
+  const visibleTenantCount = tenantsQuery.data?.items.length;
+  const usageRows = usageQuery.data?.items ?? [];
+  const filteredUsageRows = useMemo(() => {
+    if (selectedTenantIds.length === 0) {
+      return usageRows;
+    }
+    const selectedSet = new Set(selectedTenantIds);
+    return usageRows.filter((row) => selectedSet.has(row.tenantId));
+  }, [selectedTenantIds, usageRows]);
+  const metric = (value: number | undefined) =>
+    value === undefined ? "-" : value.toLocaleString();
+  const periodControls = (
+    <fieldset className="flex h-8 items-center gap-1" aria-label="집계 단위">
+      {[
+        ["day", t("ui.common.chart.period.day", "일")],
+        ["week", t("ui.common.chart.period.week", "주")],
+        ["month", t("ui.common.chart.period.month", "월")],
+      ].map(([value, label]) => (
+        <button
+          key={value}
+          type="button"
+          aria-pressed={period === value}
+          onClick={() => setPeriod(value as RPUsagePeriod)}
+          className={`h-8 rounded px-3 text-xs font-medium transition-colors ${
+            period === value
+              ? "bg-primary text-primary-foreground"
+              : "bg-muted/60 hover:bg-muted"
+          }`}
+        >
+          {label}
+        </button>
+      ))}
+    </fieldset>
+  );
+  const chartFilters = (
+    <div>
+      <OverviewSelectionChips
+        allLabel="전체"
+        options={tenantOptions.map((tenant) => ({
+          id: tenant.id,
+          label: `${tenant.name} (${tenant.slug})`,
+        }))}
+        selectedIds={selectedTenantIds}
+        onSelectAll={() => setSelectedTenantIds([])}
+        onToggle={(tenantId) => {
+          setSelectedTenantIds((current) =>
+            current.includes(tenantId)
+              ? current.filter((item) => item !== tenantId)
+              : [...current, tenantId],
+          );
+        }}
+      />
+    </div>
+  );
+
+  return (
+    <div className="space-y-4">
+      <div className="flex flex-wrap items-start justify-between gap-4">
+        <div className="flex min-w-0 items-start gap-3">
+          <div className="mt-1 flex h-10 w-10 shrink-0 items-center justify-center rounded-xl border border-primary/15 bg-primary/10 text-primary">
+            <LayoutDashboard size={20} />
+          </div>
+          <div className="space-y-1">
+            <h2 className="text-3xl font-semibold">
+              {t("ui.common.overview.title", "운영 현황")}
+            </h2>
+            <p className="text-sm text-muted-foreground">
+              {t(
+                "msg.admin.overview.description",
+                "시스템 전반의 주요 현황을 확인하고 관리합니다.",
+              )}
+            </p>
+          </div>
+        </div>
+      </div>
+
+      <div className="flex flex-wrap items-center gap-x-6 gap-y-2 border-y border-border/60 py-2">
+        <RoleGuard roles={["super_admin"]}>
+          <OverviewMetric
+            icon={<Users size={14} />}
+            label={t(
+              "ui.admin.overview.summary.total_tenants",
+              "전체 테넌트 수",
+            )}
+            value={metric(visibleTenantCount ?? stats?.totalTenants)}
+          />
+          <OverviewMetric
+            icon={<ShieldCheck size={14} />}
+            label={t(
+              "ui.admin.overview.summary.oidc_clients",
+              "OIDC 클라이언트",
+            )}
+            value={metric(stats?.oidcClients)}
+          />
+          <OverviewMetric
+            icon={<Users size={14} />}
+            label={t("ui.admin.overview.summary.total_users", "전체 사용자 수")}
+            value={metric(stats?.totalUsers)}
+          />
+        </RoleGuard>
+        <OverviewMetric
+          icon={<Activity size={14} />}
+          label={t(
+            "ui.admin.overview.summary.audit_events_24h",
+            "24시간 이벤트",
+          )}
+          value={metric(stats?.auditEvents24h)}
+        />
+        <OverviewMetric
+          icon={<Database size={14} />}
+          label={t("ui.admin.overview.summary.policy_gate", "정책 상태")}
+          value="Active"
+        />
+      </div>
+
+      {usageQuery.isError ? (
+        <section className="space-y-2">
+          <div className="flex flex-wrap items-start justify-between gap-3">
+            <div className="space-y-1">
+              <h3 className="text-lg font-bold flex items-center gap-2">
+                {t(
+                  "ui.admin.overview.chart.title",
+                  "회사별 앱별 로그인 요청 현황",
+                )}
+              </h3>
+              <p className="text-sm text-muted-foreground">
+                {t(
+                  "ui.admin.overview.chart.description",
+                  "전체 또는 선택한 조직 기준으로 그래프를 확인합니다.",
+                )}
+              </p>
+            </div>
+            {periodControls}
+          </div>
+          {chartFilters}
+          <div className="text-sm text-muted-foreground">
+            RP 이용 통계 Query API 응답을 확인할 수 없습니다. backend 재시작
+            이후 `rp_usage_daily_aggregate`가 준비되면 이 영역에 일 단위
+            그래프가 표시됩니다.
+          </div>
+        </section>
+      ) : (
+        <RPUsageMixedChart
+          rows={filteredUsageRows}
+          periodControls={periodControls}
+          filters={chartFilters}
+          period={period}
+        />
+      )}
+
+      <RoleGuard roles={["super_admin"]}>
+        <IntegrityOverviewSummary />
+      </RoleGuard>
    </div>
  );
 }
--- a/adminfront/src/features/tenants/components/DomainTagInput.test.tsx
+++ b/adminfront/src/features/tenants/components/DomainTagInput.test.tsx
@@ -0,0 +1,50 @@
+import { fireEvent, render, screen } from "@testing-library/react";
+import { describe, expect, it, vi } from "vitest";
+import { DomainTagInput } from "./DomainTagInput";
+
+describe("DomainTagInput", () => {
+  it("shows a clear duplicate tenant warning and adds the domain after confirmation", async () => {
+    const onChange = vi.fn();
+    const onConfirmedConflictsChange = vi.fn();
+
+    render(
+      <DomainTagInput
+        value={[]}
+        onChange={onChange}
+        tenants={[
+          {
+            id: "tenant-1",
+            name: "한맥가족",
+            slug: "hanmac-family",
+            type: "COMPANY",
+            description: "",
+            status: "active",
+            domains: ["samaneng.com"],
+            memberCount: 0,
+            createdAt: "",
+            updatedAt: "",
+          },
+        ]}
+        currentTenantId="tenant-2"
+        confirmedConflicts={[]}
+        onConfirmedConflictsChange={onConfirmedConflictsChange}
+        placeholder="example.com"
+      />,
+    );
+
+    const input = screen.getByPlaceholderText("example.com");
+    fireEvent.change(input, { target: { value: "samaneng.com" } });
+    fireEvent.keyDown(input, { key: " " });
+
+    expect(
+      await screen.findByText(
+        "samaneng.com 도메인은 한맥가족 테넌트에 이미 설정되어 있습니다. 그래도 현재 테넌트에도 추가하시겠습니까?",
+      ),
+    ).toBeInTheDocument();
+
+    fireEvent.click(screen.getByRole("button", { name: "계속 진행" }));
+
+    expect(onChange).toHaveBeenCalledWith(["samaneng.com"]);
+    expect(onConfirmedConflictsChange).toHaveBeenCalledWith(["samaneng.com"]);
+  });
+});
--- a/adminfront/src/features/tenants/components/DomainTagInput.tsx
+++ b/adminfront/src/features/tenants/components/DomainTagInput.tsx
@@ -0,0 +1,192 @@
+import { X } from "lucide-react";
+import { useState } from "react";
+import { Badge } from "../../../components/ui/badge";
+import { Button } from "../../../components/ui/button";
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from "../../../components/ui/dialog";
+import { Input } from "../../../components/ui/input";
+import type { TenantSummary } from "../../../lib/adminApi";
+import { t } from "../../../lib/i18n";
+import {
+  type DomainConflict,
+  findDomainConflict,
+  formatDomainConflictMessage,
+  normalizeDomainTokens,
+} from "../utils/domainTags";
+
+type DomainTagInputProps = {
+  id?: string;
+  value: string[];
+  onChange: (domains: string[]) => void;
+  tenants?: TenantSummary[];
+  currentTenantId?: string;
+  confirmedConflicts?: string[];
+  onConfirmedConflictsChange?: (domains: string[]) => void;
+  placeholder?: string;
+  disabled?: boolean;
+};
+
+export function DomainTagInput({
+  id,
+  value,
+  onChange,
+  tenants = [],
+  currentTenantId,
+  confirmedConflicts = [],
+  onConfirmedConflictsChange,
+  placeholder,
+  disabled = false,
+}: DomainTagInputProps) {
+  const [input, setInput] = useState("");
+  const [pendingConflict, setPendingConflict] = useState<DomainConflict | null>(
+    null,
+  );
+
+  const addConfirmedConflict = (domain: string) => {
+    if (!confirmedConflicts.includes(domain)) {
+      onConfirmedConflictsChange?.([...confirmedConflicts, domain]);
+    }
+  };
+
+  const removeConfirmedConflict = (domain: string) => {
+    if (confirmedConflicts.includes(domain)) {
+      onConfirmedConflictsChange?.(
+        confirmedConflicts.filter((item) => item !== domain),
+      );
+    }
+  };
+
+  const addDomain = (domain: string, confirmed = false) => {
+    if (value.includes(domain)) {
+      return;
+    }
+    onChange([...value, domain]);
+    if (confirmed) {
+      addConfirmedConflict(domain);
+    }
+  };
+
+  const tokenizeInput = () => {
+    const tokens = normalizeDomainTokens(input);
+    if (tokens.length === 0) {
+      setInput("");
+      return;
+    }
+
+    for (const token of tokens) {
+      if (value.includes(token)) {
+        continue;
+      }
+      const conflict = findDomainConflict(token, tenants, currentTenantId);
+      if (conflict && !confirmedConflicts.includes(token)) {
+        setPendingConflict(conflict);
+        setInput("");
+        return;
+      }
+      addDomain(token, confirmedConflicts.includes(token));
+    }
+    setInput("");
+  };
+
+  const removeDomain = (domain: string) => {
+    onChange(value.filter((item) => item !== domain));
+    removeConfirmedConflict(domain);
+  };
+
+  return (
+    <>
+      <div className="flex min-h-10 w-full flex-wrap items-center gap-2 rounded-md border border-input bg-transparent px-3 py-2 text-sm shadow-sm focus-within:ring-1 focus-within:ring-ring">
+        {value.map((domain) => (
+          <Badge
+            key={domain}
+            variant={confirmedConflicts.includes(domain) ? "warning" : "muted"}
+            className="gap-1 rounded-md"
+          >
+            <span>{domain}</span>
+            {!disabled && (
+              <button
+                type="button"
+                className="inline-flex h-4 w-4 items-center justify-center rounded-sm hover:bg-background/60"
+                onClick={() => removeDomain(domain)}
+                aria-label={t("ui.common.remove", "삭제")}
+              >
+                <X size={12} />
+              </button>
+            )}
+          </Badge>
+        ))}
+        <Input
+          id={id}
+          value={input}
+          onChange={(event) => setInput(event.target.value)}
+          onBlur={tokenizeInput}
+          onKeyDown={(event) => {
+            if (
+              event.key === " " ||
+              event.key === "Enter" ||
+              event.key === "," ||
+              event.key === ";"
+            ) {
+              event.preventDefault();
+              tokenizeInput();
+            }
+          }}
+          disabled={disabled}
+          className="h-7 min-w-[180px] flex-1 border-0 px-0 py-0 shadow-none focus-visible:ring-0"
+          placeholder={value.length === 0 ? placeholder : undefined}
+        />
+      </div>
+
+      <Dialog
+        open={pendingConflict !== null}
+        onOpenChange={(open) => {
+          if (!open) {
+            setPendingConflict(null);
+          }
+        }}
+      >
+        <DialogContent>
+          <DialogHeader>
+            <DialogTitle>
+              {t("ui.admin.tenants.domain_conflict.title", "도메인 충돌")}
+            </DialogTitle>
+            <DialogDescription>
+              {pendingConflict
+                ? t(
+                    "ui.admin.tenants.domain_conflict.description",
+                    formatDomainConflictMessage(pendingConflict),
+                  )
+                : ""}
+            </DialogDescription>
+          </DialogHeader>
+          <DialogFooter>
+            <Button
+              type="button"
+              variant="outline"
+              onClick={() => setPendingConflict(null)}
+            >
+              {t("ui.common.cancel", "취소")}
+            </Button>
+            <Button
+              type="button"
+              onClick={() => {
+                if (pendingConflict) {
+                  addDomain(pendingConflict.domain, true);
+                }
+                setPendingConflict(null);
+              }}
+            >
+              {t("ui.common.continue", "계속 진행")}
+            </Button>
+          </DialogFooter>
+        </DialogContent>
+      </Dialog>
+    </>
+  );
+}
--- a/adminfront/src/features/tenants/components/ParentTenantSelector.helpers.ts
+++ b/adminfront/src/features/tenants/components/ParentTenantSelector.helpers.ts
@@ -0,0 +1,21 @@
+import type { TenantSummary } from "../../../lib/adminApi";
+
+const companyParentTypes = new Set(["COMPANY", "COMPANY_GROUP"]);
+
+export function filterParentTenants(
+  tenants: TenantSummary[],
+  search: string,
+  companyOnly: boolean,
+  excludeTenantId = "",
+) {
+  const normalizedSearch = search.trim().toLowerCase();
+  return tenants.filter((tenant) => {
+    if (excludeTenantId && tenant.id === excludeTenantId) return false;
+    if (companyOnly && !companyParentTypes.has(tenant.type)) return false;
+    if (!normalizedSearch) return true;
+
+    return [tenant.name, tenant.slug, tenant.type]
+      .filter(Boolean)
+      .some((value) => value.toLowerCase().includes(normalizedSearch));
+  });
+}
--- a/adminfront/src/features/tenants/components/ParentTenantSelector.picker.test.tsx
+++ b/adminfront/src/features/tenants/components/ParentTenantSelector.picker.test.tsx
@@ -0,0 +1,163 @@
+import { fireEvent, render, screen, waitFor } from "@testing-library/react";
+import { describe, expect, it, vi } from "vitest";
+import type { TenantSummary } from "../../../lib/adminApi";
+import { ParentTenantSelector } from "./ParentTenantSelector";
+
+const tenants: TenantSummary[] = [
+  {
+    id: "company-1",
+    type: "COMPANY",
+    name: "Saman Engineering",
+    slug: "saman",
+    description: "",
+    status: "active",
+    memberCount: 0,
+    createdAt: "",
+    updatedAt: "",
+  },
+  {
+    id: "group-1",
+    type: "COMPANY_GROUP",
+    name: "Hanmac Family",
+    slug: "hanmac-family",
+    description: "",
+    status: "active",
+    memberCount: 0,
+    createdAt: "",
+    updatedAt: "",
+  },
+];
+
+describe("ParentTenantSelector picker", () => {
+  it("opens an org-chart picker modal and applies tenant selection messages", async () => {
+    const onChange = vi.fn();
+
+    render(
+      <ParentTenantSelector
+        id="parentId"
+        label="상위 테넌트"
+        value=""
+        onChange={onChange}
+        tenants={tenants}
+        noneLabel="없음"
+      />,
+    );
+
+    fireEvent.click(screen.getByRole("button", { name: /테넌트 선택/ }));
+
+    expect(screen.getByRole("dialog")).toBeInTheDocument();
+    const pickerSrc = screen
+      .getByTestId("parent-tenant-picker-frame")
+      .getAttribute("src");
+    expect(pickerSrc).toContain("http://localhost:5175/login");
+    expect(decodeURIComponent(pickerSrc ?? "")).toContain("/embed/picker");
+
+    fireEvent(
+      window,
+      new MessageEvent("message", {
+        data: {
+          type: "orgfront:picker:confirm",
+          payload: {
+            selections: [
+              {
+                type: "tenant",
+                id: "company-1",
+                name: "Saman Engineering",
+              },
+            ],
+          },
+        },
+      }),
+    );
+
+    await waitFor(() => expect(onChange).toHaveBeenCalledWith("company-1"));
+  });
+
+  it("scopes the org-chart picker to the requested tenant root", () => {
+    const onChange = vi.fn();
+
+    render(
+      <ParentTenantSelector
+        id="parentId"
+        label="상위 테넌트"
+        value=""
+        onChange={onChange}
+        tenants={tenants}
+        noneLabel="없음"
+        orgChartTenantId="group-1"
+        orgChartPickerLabel="한맥가족에서 선택"
+      />,
+    );
+
+    fireEvent.click(screen.getByRole("button", { name: "한맥가족에서 선택" }));
+
+    const pickerSrc = screen
+      .getByTestId("parent-tenant-picker-frame")
+      .getAttribute("src");
+    expect(decodeURIComponent(pickerSrc ?? "")).toContain("tenantId=group-1");
+  });
+
+  it("keeps the current tenant out of picker message selections", async () => {
+    const onChange = vi.fn();
+
+    render(
+      <ParentTenantSelector
+        id="parentId"
+        label="상위 테넌트"
+        value=""
+        onChange={onChange}
+        tenants={tenants}
+        noneLabel="없음"
+        excludeTenantId="company-1"
+      />,
+    );
+
+    fireEvent.click(screen.getByRole("button", { name: /테넌트 선택/ }));
+    fireEvent(
+      window,
+      new MessageEvent("message", {
+        data: {
+          type: "orgfront:picker:confirm",
+          payload: {
+            selections: [
+              {
+                type: "tenant",
+                id: "company-1",
+                name: "Saman Engineering",
+              },
+            ],
+          },
+        },
+      }),
+    );
+
+    await waitFor(() => expect(onChange).not.toHaveBeenCalled());
+  });
+
+  it("selects a non-hanmac parent from the local tenant picker", async () => {
+    const onChange = vi.fn();
+
+    render(
+      <ParentTenantSelector
+        id="parentId"
+        label="상위 테넌트"
+        value=""
+        onChange={onChange}
+        tenants={tenants}
+        noneLabel="없음"
+        orgChartPickerLabel="한맥가족에서 선택"
+        localPickerLabel="다른 테넌트 선택"
+        localTenantFilter={(tenant) => tenant.slug !== "hanmac-family"}
+      />,
+    );
+
+    fireEvent.click(screen.getByRole("button", { name: "다른 테넌트 선택" }));
+    fireEvent.change(
+      screen.getByPlaceholderText("테넌트 이름 또는 슬러그 검색"),
+      { target: { value: "saman" } },
+    );
+    fireEvent.click(screen.getByRole("button", { name: /Saman Engineering/ }));
+
+    expect(onChange).toHaveBeenCalledWith("company-1");
+  });
+});
--- a/adminfront/src/features/tenants/components/ParentTenantSelector.test.ts
+++ b/adminfront/src/features/tenants/components/ParentTenantSelector.test.ts
@@ -0,0 +1,57 @@
+import { describe, expect, it } from "vitest";
+import type { TenantSummary } from "../../../lib/adminApi";
+import { filterParentTenants } from "./ParentTenantSelector.helpers";
+
+const tenants: TenantSummary[] = [
+  {
+    id: "company-1",
+    type: "COMPANY",
+    name: "Saman Engineering",
+    slug: "saman",
+    description: "",
+    status: "active",
+    memberCount: 0,
+    createdAt: "",
+    updatedAt: "",
+  },
+  {
+    id: "group-1",
+    type: "COMPANY_GROUP",
+    name: "Hanmac Family",
+    slug: "hanmac-family",
+    description: "",
+    status: "active",
+    memberCount: 0,
+    createdAt: "",
+    updatedAt: "",
+  },
+  {
+    id: "org-1",
+    type: "ORGANIZATION",
+    name: "기획부",
+    slug: "planning",
+    description: "",
+    status: "active",
+    memberCount: 0,
+    createdAt: "",
+    updatedAt: "",
+  },
+];
+
+describe("filterParentTenants", () => {
+  it("searches parent candidates by name and slug", () => {
+    expect(
+      filterParentTenants(tenants, "saman", false).map((t) => t.id),
+    ).toEqual(["company-1"]);
+    expect(
+      filterParentTenants(tenants, "family", false).map((t) => t.id),
+    ).toEqual(["group-1"]);
+  });
+
+  it("can limit parent candidates to company and company group tenants", () => {
+    expect(filterParentTenants(tenants, "", true).map((t) => t.id)).toEqual([
+      "company-1",
+      "group-1",
+    ]);
+  });
+});
--- a/Show More
+++ b/Show More