feat: implement admin-users management with super admin restriction

- Add /admin/admin-users routes for managing admin users (super admin only)
- Remove vendor role from user creation form (vendors created via company hierarchy)
- Add admin-users.html and admin-user-detail.html templates
- Add admin-users.js and admin-user-detail.js for frontend logic
- Move database operations to admin_platform_service (list, get, create, delete, toggle status)
- Update sidebar to show Admin Users section only for super admins
- Add isSuperAdmin computed property to init-alpine.js
- Fix /api/v1 prefix issues in JS files (apiClient already adds prefix)
- Update architecture rule JS-012 to catch more variable patterns (url, endpoint, path)
- Replace inline SVGs with $icon() helper in select-platform.html

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

app/services/admin_platform_service.py

@@ -196,6 +196,53 @@ class AdminPlatformService:
 
         return query.all()
 
+    def get_all_active_platforms(self, db: Session) -> list[Platform]:
+        """
+        Get all active platforms (for super admin access).
+
+        Args:
+            db: Database session
+
+        Returns:
+            List of all active Platform objects
+        """
+        return db.query(Platform).filter(Platform.is_active == True).all()
+
+    def get_platform_by_id(self, db: Session, platform_id: int) -> Platform | None:
+        """
+        Get a platform by ID.
+
+        Args:
+            db: Database session
+            platform_id: Platform ID
+
+        Returns:
+            Platform object or None if not found
+        """
+        return db.query(Platform).filter(Platform.id == platform_id).first()
+
+    def validate_admin_platform_access(
+        self,
+        user: User,
+        platform_id: int,
+    ) -> None:
+        """
+        Validate that an admin has access to a platform.
+
+        Args:
+            user: User object
+            platform_id: Platform ID to check
+
+        Raises:
+            InsufficientPermissionsException: If user doesn't have access
+        """
+        from app.exceptions import InsufficientPermissionsException
+
+        if not user.can_access_platform(platform_id):
+            raise InsufficientPermissionsException(
+                "You don't have access to this platform"
+            )
+
     def get_admins_for_platform(
         self,
         db: Session,
@@ -385,5 +432,232 @@ class AdminPlatformService:
         return user, assignments
 
 
+    # ============================================================================
+    # ADMIN USER CRUD OPERATIONS
+    # ============================================================================
+
+    def list_admin_users(
+        self,
+        db: Session,
+        skip: int = 0,
+        limit: int = 100,
+        include_super_admins: bool = True,
+        is_active: bool | None = None,
+        search: str | None = None,
+    ) -> tuple[list[User], int]:
+        """
+        List all admin users with optional filtering.
+
+        Args:
+            db: Database session
+            skip: Number of records to skip
+            limit: Maximum records to return
+            include_super_admins: Whether to include super admins
+            is_active: Filter by active status
+            search: Search term for username/email/name
+
+        Returns:
+            Tuple of (list of User objects, total count)
+        """
+        query = db.query(User).filter(User.role == "admin")
+
+        if not include_super_admins:
+            query = query.filter(User.is_super_admin == False)
+
+        if is_active is not None:
+            query = query.filter(User.is_active == is_active)
+
+        if search:
+            search_term = f"%{search}%"
+            query = query.filter(
+                (User.username.ilike(search_term))
+                | (User.email.ilike(search_term))
+                | (User.first_name.ilike(search_term))
+                | (User.last_name.ilike(search_term))
+            )
+
+        total = query.count()
+
+        admins = (
+            query.options(joinedload(User.admin_platforms))
+            .offset(skip)
+            .limit(limit)
+            .all()
+        )
+
+        return admins, total
+
+    def get_admin_user(
+        self,
+        db: Session,
+        user_id: int,
+    ) -> User:
+        """
+        Get a single admin user by ID with platform assignments.
+
+        Args:
+            db: Database session
+            user_id: User ID
+
+        Returns:
+            User object with admin_platforms loaded
+
+        Raises:
+            ValidationException: If user not found or not an admin
+        """
+        admin = (
+            db.query(User)
+            .options(joinedload(User.admin_platforms))
+            .filter(User.id == user_id, User.role == "admin")
+            .first()
+        )
+
+        if not admin:
+            raise ValidationException("Admin user not found", field="user_id")
+
+        return admin
+
+    def create_super_admin(
+        self,
+        db: Session,
+        email: str,
+        username: str,
+        password: str,
+        created_by_user_id: int,
+        first_name: str | None = None,
+        last_name: str | None = None,
+    ) -> User:
+        """
+        Create a new super admin user.
+
+        Args:
+            db: Database session
+            email: Admin email
+            username: Admin username
+            password: Admin password
+            created_by_user_id: Super admin creating the account
+            first_name: Optional first name
+            last_name: Optional last name
+
+        Returns:
+            Created User object
+        """
+        from app.core.security import get_password_hash
+
+        # Check for existing user
+        existing = (
+            db.query(User)
+            .filter((User.email == email) | (User.username == username))
+            .first()
+        )
+        if existing:
+            field = "email" if existing.email == email else "username"
+            raise ValidationException(f"{field.capitalize()} already exists", field=field)
+
+        user = User(
+            email=email,
+            username=username,
+            hashed_password=get_password_hash(password),
+            first_name=first_name,
+            last_name=last_name,
+            role="admin",
+            is_super_admin=True,
+            is_active=True,
+        )
+        db.add(user)
+        db.flush()
+        db.refresh(user)
+
+        logger.info(
+            f"Created super admin {username} by admin {created_by_user_id}"
+        )
+
+        return user
+
+    def toggle_admin_status(
+        self,
+        db: Session,
+        user_id: int,
+        current_admin_id: int,
+    ) -> User:
+        """
+        Toggle admin user active status.
+
+        Args:
+            db: Database session
+            user_id: User ID to toggle
+            current_admin_id: Super admin making the change
+
+        Returns:
+            Updated User object
+
+        Raises:
+            CannotModifySelfException: If trying to deactivate self
+            ValidationException: If user not found or not an admin
+        """
+        if user_id == current_admin_id:
+            raise CannotModifySelfException(
+                user_id=user_id,
+                operation="deactivate own account",
+            )
+
+        admin = db.query(User).filter(User.id == user_id, User.role == "admin").first()
+
+        if not admin:
+            raise ValidationException("Admin user not found", field="user_id")
+
+        admin.is_active = not admin.is_active
+        admin.updated_at = datetime.now(UTC)
+        db.flush()
+        db.refresh(admin)
+
+        action = "activated" if admin.is_active else "deactivated"
+        logger.info(
+            f"Admin {admin.username} {action} by admin {current_admin_id}"
+        )
+
+        return admin
+
+    def delete_admin_user(
+        self,
+        db: Session,
+        user_id: int,
+        current_admin_id: int,
+    ) -> None:
+        """
+        Delete an admin user and their platform assignments.
+
+        Args:
+            db: Database session
+            user_id: User ID to delete
+            current_admin_id: Super admin making the deletion
+
+        Raises:
+            CannotModifySelfException: If trying to delete self
+            ValidationException: If user not found or not an admin
+        """
+        if user_id == current_admin_id:
+            raise CannotModifySelfException(
+                user_id=user_id,
+                operation="delete own account",
+            )
+
+        admin = db.query(User).filter(User.id == user_id, User.role == "admin").first()
+
+        if not admin:
+            raise ValidationException("Admin user not found", field="user_id")
+
+        username = admin.username
+
+        # Delete admin platform assignments first
+        db.query(AdminPlatform).filter(AdminPlatform.user_id == user_id).delete()
+
+        # Delete the admin user
+        db.delete(admin)
+        db.flush()
+
+        logger.info(f"Admin {username} deleted by admin {current_admin_id}")
+
+
 # Singleton instance
 admin_platform_service = AdminPlatformService()