Hide admin-only actions from non-Admin activity feed

Non-Admin users should not see user management events (create, delete,
group changes, password resets), impersonation events, or admin-only
compliance operations (config reconcile, upload rollback) in the
Recent Activity panel.

backend/server.js

@@ -164,7 +164,14 @@ app.get('/api/recent-activity', requireAuth(), async (req, res) => {
         // Hide impersonation events from non-Admin users
         const excludedActions = ['login', 'logout', 'login_failed'];
         if (req.user.group !== 'Admin') {
-            excludedActions.push('impersonate_start', 'impersonate_stop');
+            // Hide admin-only actions from non-Admin users
+            excludedActions.push(
+                'impersonate_start', 'impersonate_stop',
+                'create_user', 'delete_user', 'update_user',
+                'added_user', 'deleted_user', 'group_change',
+                'toggle_active', 'password_reset',
+                'compliance_config_reconcile', 'compliance_upload_rollback'
+            );
         }
         const { rows } = await pool.query(
             `SELECT username, action, entity_type, entity_id, details, created_at