Phase 6: PDF & Polish — PDF generation, admin users/settings, AI tool

Backend:
- Setting + GeneratedPdf models, Alembic migration with default settings seed
- PDF generation service (WeasyPrint + Jinja2 with autoescape)
- Health report HTML template with memory entries + document excerpts
- Admin user management: list, create, update (role/max_chats/is_active)
- Admin settings: self_registration_enabled, default_max_chats
- Self-registration check wired into auth register endpoint
- default_max_chats applied to new user registrations
- AI tool: generate_pdf creates health compilation PDFs
- PDF compile/list/download API endpoints
- WeasyPrint system deps added to Dockerfile

Frontend:
- PDF reports page with generate + download
- Admin users page with create/edit/activate/deactivate
- Admin settings page with self-registration toggle + max chats
- Extended sidebar with PDF reports + admin users/settings links
- English + Russian translations for all new UI

Review fixes applied:
- Jinja2 autoescape enabled (XSS prevention in PDFs)
- db.refresh after flush (created_at populated correctly)
- storage_path removed from API response (no internal path leak)
- Role field uses Literal["user", "admin"] validation
- React hooks called before conditional returns (rules of hooks)
- default_max_chats setting now applied during registration

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

backend/app/api/v1/admin.py

@@ -1,7 +1,7 @@
 import uuid
 from typing import Annotated
 
-from fastapi import APIRouter, Depends, status
+from fastapi import APIRouter, Depends, Query, status
 from sqlalchemy.ext.asyncio import AsyncSession
 
 from app.api.deps import require_admin
@@ -14,7 +14,14 @@ from app.schemas.skill import (
     SkillResponse,
     UpdateSkillRequest,
 )
-from app.services import context_service, skill_service
+from app.schemas.admin import (
+    AdminUserCreateRequest,
+    AdminUserListResponse,
+    AdminUserResponse,
+    AdminUserUpdateRequest,
+)
+from app.schemas.setting import SettingResponse, SettingsListResponse, UpdateSettingRequest
+from app.services import context_service, skill_service, setting_service, admin_user_service
 
 router = APIRouter(prefix="/admin", tags=["admin"])
 
@@ -81,3 +88,65 @@ async def delete_general_skill(
     db: Annotated[AsyncSession, Depends(get_db)],
 ):
     await skill_service.delete_general_skill(db, skill_id)
+
+
+# --- Users ---
+
+@router.get("/users", response_model=AdminUserListResponse)
+async def list_users(
+    _admin: Annotated[User, Depends(require_admin)],
+    db: Annotated[AsyncSession, Depends(get_db)],
+    limit: int = Query(default=50, le=200),
+    offset: int = Query(default=0),
+):
+    users, total = await admin_user_service.list_users(db, limit, offset)
+    return AdminUserListResponse(
+        users=[AdminUserResponse.model_validate(u) for u in users],
+        total=total,
+    )
+
+
+@router.post("/users", response_model=AdminUserResponse, status_code=status.HTTP_201_CREATED)
+async def create_user(
+    data: AdminUserCreateRequest,
+    _admin: Annotated[User, Depends(require_admin)],
+    db: Annotated[AsyncSession, Depends(get_db)],
+):
+    user = await admin_user_service.create_user(
+        db, data.email, data.username, data.password,
+        data.full_name, data.role, data.max_chats,
+    )
+    return AdminUserResponse.model_validate(user)
+
+
+@router.patch("/users/{user_id}", response_model=AdminUserResponse)
+async def update_user(
+    user_id: uuid.UUID,
+    data: AdminUserUpdateRequest,
+    _admin: Annotated[User, Depends(require_admin)],
+    db: Annotated[AsyncSession, Depends(get_db)],
+):
+    user = await admin_user_service.update_user(db, user_id, **data.model_dump(exclude_unset=True))
+    return AdminUserResponse.model_validate(user)
+
+
+# --- Settings ---
+
+@router.get("/settings", response_model=SettingsListResponse)
+async def get_settings(
+    _admin: Annotated[User, Depends(require_admin)],
+    db: Annotated[AsyncSession, Depends(get_db)],
+):
+    settings = await setting_service.get_all_settings(db)
+    return SettingsListResponse(settings=[SettingResponse.model_validate(s) for s in settings])
+
+
+@router.patch("/settings/{key}", response_model=SettingResponse)
+async def update_setting(
+    key: str,
+    data: UpdateSettingRequest,
+    admin: Annotated[User, Depends(require_admin)],
+    db: Annotated[AsyncSession, Depends(get_db)],
+):
+    setting = await setting_service.upsert_setting(db, key, data.value, admin.id)
+    return SettingResponse.model_validate(setting)

backend/app/api/v1/auth.py

@@ -25,6 +25,12 @@ async def register(
     request: Request,
     db: Annotated[AsyncSession, Depends(get_db)],
 ):
+    from app.services.setting_service import get_setting_value
+    registration_enabled = await get_setting_value(db, "self_registration_enabled", True)
+    if not registration_enabled:
+        from fastapi import HTTPException
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Registration is currently disabled")
+
     return await auth_service.register_user(
         db,
         data,

backend/app/api/v1/pdf.py

@@ -0,0 +1,52 @@
+import uuid
+from pathlib import Path
+from typing import Annotated
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi.responses import FileResponse
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.api.deps import get_current_user
+from app.database import get_db
+from app.models.user import User
+from app.schemas.pdf import GeneratePdfRequest, PdfListResponse, PdfResponse
+from app.services import pdf_service
+
+router = APIRouter(prefix="/pdf", tags=["pdf"])
+
+
+@router.post("/compile", response_model=PdfResponse, status_code=status.HTTP_201_CREATED)
+async def compile_pdf(
+    data: GeneratePdfRequest,
+    user: Annotated[User, Depends(get_current_user)],
+    db: Annotated[AsyncSession, Depends(get_db)],
+):
+    pdf = await pdf_service.generate_health_pdf(
+        db, user.id, data.title, data.document_ids or None, data.chat_id,
+    )
+    return PdfResponse.model_validate(pdf)
+
+
+@router.get("/", response_model=PdfListResponse)
+async def list_pdfs(
+    user: Annotated[User, Depends(get_current_user)],
+    db: Annotated[AsyncSession, Depends(get_db)],
+):
+    pdfs = await pdf_service.get_user_pdfs(db, user.id)
+    return PdfListResponse(pdfs=[PdfResponse.model_validate(p) for p in pdfs])
+
+
+@router.get("/{pdf_id}/download")
+async def download_pdf(
+    pdf_id: uuid.UUID,
+    user: Annotated[User, Depends(get_current_user)],
+    db: Annotated[AsyncSession, Depends(get_db)],
+):
+    pdf = await pdf_service.get_pdf(db, pdf_id, user.id)
+    if not pdf:
+        raise HTTPException(status_code=404, detail="PDF not found")
+    file_path = Path(pdf.storage_path)
+    if not file_path.exists():
+        raise HTTPException(status_code=404, detail="PDF file not found on disk")
+    media_type = "application/pdf" if file_path.suffix == ".pdf" else "text/html"
+    return FileResponse(path=str(file_path), filename=f"{pdf.title}.pdf", media_type=media_type)

backend/app/api/v1/router.py

@@ -9,6 +9,7 @@ from app.api.v1.documents import router as documents_router
 from app.api.v1.memory import router as memory_router
 from app.api.v1.notifications import router as notifications_router
 from app.api.v1.ws import router as ws_router
+from app.api.v1.pdf import router as pdf_router
 
 api_v1_router = APIRouter(prefix="/api/v1")
 
@@ -21,6 +22,7 @@ api_v1_router.include_router(documents_router)
 api_v1_router.include_router(memory_router)
 api_v1_router.include_router(notifications_router)
 api_v1_router.include_router(ws_router)
+api_v1_router.include_router(pdf_router)
 
 
 @api_v1_router.get("/health")