From b618c8cb5161eef46e80d622156a1e53a732ea35 Mon Sep 17 00:00:00 2001
From: Citali <git@fellies.email>
Date: Tue, 10 Feb 2026 20:56:03 +0100
Subject: [PATCH 1/4] feat(admin-i18n): add cookie-based locale runtime and
 switcher baseline

---
 TODO.md                                       |   9 +-
 apps/admin/package.json                       |   1 +
 apps/admin/src/app/layout.tsx                 |  12 +-
 apps/admin/src/app/login/login-form.tsx       | 220 +++++++++---------
 apps/admin/src/app/page.tsx                   | 145 +++++++++---
 apps/admin/src/app/providers.tsx              |  19 +-
 .../src/components/admin-locale-switcher.tsx  |  41 ++++
 apps/admin/src/i18n/messages.test.ts          | 117 ++++++++++
 apps/admin/src/i18n/messages.ts               |  27 +++
 apps/admin/src/i18n/server.ts                 |  20 ++
 apps/admin/src/i18n/shared.ts                 |   1 +
 apps/admin/src/messages/de.json               | 102 ++++++++
 apps/admin/src/messages/en.json               | 102 ++++++++
 apps/admin/src/messages/es.json               | 102 ++++++++
 apps/admin/src/messages/fr.json               | 102 ++++++++
 .../src/providers/admin-i18n-provider.tsx     |  53 +++++
 bun.lock                                      |   1 +
 docs/product-engineering/i18n-baseline.md     |  13 +-
 18 files changed, 931 insertions(+), 156 deletions(-)
 create mode 100644 apps/admin/src/components/admin-locale-switcher.tsx
 create mode 100644 apps/admin/src/i18n/messages.test.ts
 create mode 100644 apps/admin/src/i18n/messages.ts
 create mode 100644 apps/admin/src/i18n/server.ts
 create mode 100644 apps/admin/src/i18n/shared.ts
 create mode 100644 apps/admin/src/messages/de.json
 create mode 100644 apps/admin/src/messages/en.json
 create mode 100644 apps/admin/src/messages/es.json
 create mode 100644 apps/admin/src/messages/fr.json
 create mode 100644 apps/admin/src/providers/admin-i18n-provider.tsx

diff --git a/TODO.md b/TODO.md
index b0f218b..97913f8 100644
--- a/TODO.md
+++ b/TODO.md
@@ -21,9 +21,9 @@ This file is the single source of truth for roadmap and delivery progress.
 - [x] [P1] RBAC domain model finalized (roles, permissions, resource scopes)
 - [x] [P1] RBAC enforcement at route and action level in admin
 - [x] [P1] Permission matrix documented and tested
-- [~] [P1] i18n baseline architecture (default locale, supported locales, routing strategy)
-- [~] [P1] i18n runtime integration baseline for both apps (locale provider + message loading)
-- [~] [P1] Locale persistence and switcher base component (cookie/header + UI)
+- [x] [P1] i18n baseline architecture (default locale, supported locales, routing strategy)
+- [x] [P1] i18n runtime integration baseline for both apps (locale provider + message loading)
+- [x] [P1] Locale persistence and switcher base component (cookie/header + UI)
 - [x] [P1] Integrate Better Auth core configuration and session wiring
 - [x] [P1] Bootstrap first-run owner account creation via initial registration flow
 - [x] [P1] Enforce invariant: exactly one owner user must always exist
@@ -193,10 +193,11 @@ This file is the single source of truth for roadmap and delivery progress.
 - [2026-02-10] Next.js 16 deprecates `middleware.ts` convention in favor of `proxy.ts`; admin route guard now lives at `apps/admin/src/proxy.ts`.
 - [2026-02-10] `server-only` imports break Bun CLI scripts; shared auth bootstrap code used by scripts must avoid Next-only runtime markers.
 - [2026-02-10] Auth delete-account endpoints now block protected users (support + canonical owner); admin user-management delete/demote guards remain to be implemented.
-- [2026-02-10] Public app i18n baseline now uses `next-intl` with a Zustand-backed language switcher and path-stable routes; admin i18n runtime is still pending.
+- [2026-02-10] Public app i18n baseline now uses `next-intl` with a Zustand-backed language switcher and path-stable routes.
 - [2026-02-10] Public baseline locales are now `de`, `en`, `es`, `fr`; locale enable/disable policy will move to admin settings later.
 - [2026-02-10] Shared CRUD base (`@cms/crud`) is live with validation, not-found errors, and audit hook contracts; only posts are migrated so far.
 - [2026-02-10] Admin dashboard includes a temporary posts CRUD sandbox (create/update/delete) to validate the shared CRUD base through the real app UI.
+- [2026-02-10] Admin i18n baseline now resolves locale from cookie and loads runtime message dictionaries in root layout; admin locale switcher is active on auth and dashboard views.
 
 ## How We Use This File
 
diff --git a/apps/admin/package.json b/apps/admin/package.json
index c61d95a..5d90b51 100644
--- a/apps/admin/package.json
+++ b/apps/admin/package.json
@@ -14,6 +14,7 @@
   "dependencies": {
     "@cms/content": "workspace:*",
     "@cms/db": "workspace:*",
+    "@cms/i18n": "workspace:*",
     "@cms/ui": "workspace:*",
     "@tanstack/react-form": "1.28.0",
     "@tanstack/react-query": "5.90.20",
diff --git a/apps/admin/src/app/layout.tsx b/apps/admin/src/app/layout.tsx
index c8ace86..72f119b 100644
--- a/apps/admin/src/app/layout.tsx
+++ b/apps/admin/src/app/layout.tsx
@@ -1,6 +1,7 @@
 import type { Metadata } from "next"
 import type { ReactNode } from "react"
 
+import { getAdminMessages, resolveAdminLocale } from "@/i18n/server"
 import "./globals.css"
 import { Providers } from "./providers"
 
@@ -9,11 +10,16 @@ export const metadata: Metadata = {
   description: "Admin dashboard for the CMS monorepo",
 }
 
-export default function RootLayout({ children }: { children: ReactNode }) {
+export default async function RootLayout({ children }: { children: ReactNode }) {
+  const locale = await resolveAdminLocale()
+  const messages = await getAdminMessages(locale)
+
   return (
-    <html lang="en">
+    <html lang={locale}>
       <body>
-        <Providers>{children}</Providers>
+        <Providers locale={locale} messages={messages}>
+          {children}
+        </Providers>
       </body>
     </html>
   )
diff --git a/apps/admin/src/app/login/login-form.tsx b/apps/admin/src/app/login/login-form.tsx
index 16679be..df017ec 100644
--- a/apps/admin/src/app/login/login-form.tsx
+++ b/apps/admin/src/app/login/login-form.tsx
@@ -4,6 +4,9 @@ import Link from "next/link"
 import { useRouter, useSearchParams } from "next/navigation"
 import { type FormEvent, useMemo, useState } from "react"
 
+import { AdminLocaleSwitcher } from "@/components/admin-locale-switcher"
+import { useAdminT } from "@/providers/admin-i18n-provider"
+
 type LoginFormProps = {
   mode: "signin" | "signup-owner" | "signup-user"
 }
@@ -27,6 +30,7 @@ function persistRoleCookie(role: unknown) {
 export function LoginForm({ mode }: LoginFormProps) {
   const router = useRouter()
   const searchParams = useSearchParams()
+  const t = useAdminT()
 
   const nextPath = useMemo(() => searchParams.get("next") || "/", [searchParams])
 
@@ -60,7 +64,7 @@ export function LoginForm({ mode }: LoginFormProps) {
       const payload = (await response.json().catch(() => null)) as AuthResponse | null
 
       if (!response.ok) {
-        setError(payload?.message ?? "Sign in failed")
+        setError(payload?.message ?? t("auth.errors.signInFailed", "Sign in failed"))
         return
       }
 
@@ -68,7 +72,7 @@ export function LoginForm({ mode }: LoginFormProps) {
       router.push(nextPath)
       router.refresh()
     } catch {
-      setError("Network error while signing in")
+      setError(t("auth.errors.networkSignIn", "Network error while signing in"))
     } finally {
       setIsBusy(false)
     }
@@ -78,7 +82,7 @@ export function LoginForm({ mode }: LoginFormProps) {
     event.preventDefault()
 
     if (!name.trim()) {
-      setError("Name is required for account creation")
+      setError(t("auth.errors.nameRequired", "Name is required for account creation"))
       return
     }
 
@@ -104,20 +108,20 @@ export function LoginForm({ mode }: LoginFormProps) {
       const payload = (await response.json().catch(() => null)) as AuthResponse | null
 
       if (!response.ok) {
-        setError(payload?.message ?? "Sign up failed")
+        setError(payload?.message ?? t("auth.errors.signUpFailed", "Sign up failed"))
         return
       }
 
       persistRoleCookie(payload?.user?.role)
       setSuccess(
         mode === "signup-owner"
-          ? "Owner account created. Registration is now disabled."
-          : "Account created.",
+          ? t("auth.messages.ownerCreated", "Owner account created. Registration is now disabled.")
+          : t("auth.messages.accountCreated", "Account created."),
       )
       router.push(nextPath)
       router.refresh()
     } catch {
-      setError("Network error while signing up")
+      setError(t("auth.errors.networkSignUp", "Network error while signing up"))
     } finally {
       setIsBusy(false)
     }
@@ -126,24 +130,28 @@ export function LoginForm({ mode }: LoginFormProps) {
   return (
     <main className="mx-auto flex min-h-screen w-full max-w-md flex-col justify-center px-6 py-16">
       <div className="space-y-3">
-        <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">Admin Auth</p>
+        <div className="flex items-center justify-between gap-3">
+          <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">
+            {t("auth.badge", "Admin Auth")}
+          </p>
+          <AdminLocaleSwitcher />
+        </div>
         <h1 className="text-3xl font-semibold tracking-tight">
           {mode === "signin"
-            ? "Sign in to CMS Admin"
+            ? t("auth.titles.signIn", "Sign in to CMS Admin")
             : mode === "signup-owner"
-              ? "Welcome to CMS Admin"
-              : "Create an admin account"}
+              ? t("auth.titles.signUpOwner", "Welcome to CMS Admin")
+              : t("auth.titles.signUpUser", "Create an admin account")}
         </h1>
         <p className="text-sm text-neutral-600">
-          {mode === "signin" ? (
-            <>
-              Better Auth is active on this app via <code>/api/auth</code>.
-            </>
-          ) : mode === "signup-owner" ? (
-            "Create the first owner account to initialize this admin instance."
-          ) : (
-            "Self-registration is enabled for admin users."
-          )}
+          {mode === "signin"
+            ? t("auth.descriptions.signIn", "Better Auth is active on this app via /api/auth.")
+            : mode === "signup-owner"
+              ? t(
+                  "auth.descriptions.signUpOwner",
+                  "Create the first owner account to initialize this admin instance.",
+                )
+              : t("auth.descriptions.signUpUser", "Self-registration is enabled for admin users.")}
         </p>
       </div>
 
@@ -154,7 +162,7 @@ export function LoginForm({ mode }: LoginFormProps) {
         >
           <div className="space-y-1">
             <label className="text-sm font-medium" htmlFor="email">
-              Email or username
+              {t("auth.fields.emailOrUsername", "Email or username")}
             </label>
             <input
               id="email"
@@ -168,84 +176,7 @@ export function LoginForm({ mode }: LoginFormProps) {
 
           <div className="space-y-1">
             <label className="text-sm font-medium" htmlFor="password">
-              Password
-            </label>
-            <input
-              id="password"
-              type="password"
-              minLength={8}
-              required
-              value={password}
-              onChange={(event) => setPassword(event.target.value)}
-              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
-            />
-          </div>
-
-          <button
-            type="submit"
-            disabled={isBusy}
-            className="w-full rounded-md bg-neutral-900 px-4 py-2 text-sm font-medium text-white disabled:opacity-60"
-          >
-            {isBusy ? "Signing in..." : "Sign in"}
-          </button>
-
-          <p className="text-xs text-neutral-600">
-            Need an account?{" "}
-            <Link href={`/register?next=${encodeURIComponent(nextPath)}`} className="underline">
-              Register
-            </Link>
-          </p>
-
-          {error ? <p className="text-sm text-red-600">{error}</p> : null}
-        </form>
-      ) : (
-        <form
-          onSubmit={handleSignUp}
-          className="mt-8 space-y-4 rounded-xl border border-neutral-200 p-6"
-        >
-          <div className="space-y-1">
-            <label className="text-sm font-medium" htmlFor="name">
-              Name
-            </label>
-            <input
-              id="name"
-              type="text"
-              value={name}
-              onChange={(event) => setName(event.target.value)}
-              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
-            />
-          </div>
-
-          <div className="space-y-1">
-            <label className="text-sm font-medium" htmlFor="email">
-              Email
-            </label>
-            <input
-              id="email"
-              type="email"
-              required
-              value={email}
-              onChange={(event) => setEmail(event.target.value)}
-              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
-            />
-          </div>
-
-          <div className="space-y-1">
-            <label className="text-sm font-medium" htmlFor="username">
-              Username (optional)
-            </label>
-            <input
-              id="username"
-              type="text"
-              value={username}
-              onChange={(event) => setUsername(event.target.value)}
-              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
-            />
-          </div>
-
-          <div className="space-y-1">
-            <label className="text-sm font-medium" htmlFor="password">
-              Password
+              {t("auth.fields.password", "Password")}
             </label>
             <input
               id="password"
@@ -264,16 +195,95 @@ export function LoginForm({ mode }: LoginFormProps) {
             className="w-full rounded-md bg-neutral-900 px-4 py-2 text-sm font-medium text-white disabled:opacity-60"
           >
             {isBusy
-              ? "Creating account..."
-              : mode === "signup-owner"
-                ? "Create owner account"
-                : "Create account"}
+              ? t("auth.actions.signInBusy", "Signing in...")
+              : t("auth.actions.signInIdle", "Sign in")}
           </button>
 
           <p className="text-xs text-neutral-600">
-            Already have an account?{" "}
+            {t("auth.links.needAccount", "Need an account?")}{" "}
+            <Link href={`/register?next=${encodeURIComponent(nextPath)}`} className="underline">
+              {t("auth.links.register", "Register")}
+            </Link>
+          </p>
+
+          {error ? <p className="text-sm text-red-600">{error}</p> : null}
+        </form>
+      ) : (
+        <form
+          onSubmit={handleSignUp}
+          className="mt-8 space-y-4 rounded-xl border border-neutral-200 p-6"
+        >
+          <div className="space-y-1">
+            <label className="text-sm font-medium" htmlFor="name">
+              {t("auth.fields.name", "Name")}
+            </label>
+            <input
+              id="name"
+              type="text"
+              value={name}
+              onChange={(event) => setName(event.target.value)}
+              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
+            />
+          </div>
+
+          <div className="space-y-1">
+            <label className="text-sm font-medium" htmlFor="email">
+              {t("auth.fields.email", "Email")}
+            </label>
+            <input
+              id="email"
+              type="email"
+              required
+              value={email}
+              onChange={(event) => setEmail(event.target.value)}
+              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
+            />
+          </div>
+
+          <div className="space-y-1">
+            <label className="text-sm font-medium" htmlFor="username">
+              {t("auth.fields.username", "Username (optional)")}
+            </label>
+            <input
+              id="username"
+              type="text"
+              value={username}
+              onChange={(event) => setUsername(event.target.value)}
+              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
+            />
+          </div>
+
+          <div className="space-y-1">
+            <label className="text-sm font-medium" htmlFor="password">
+              {t("auth.fields.password", "Password")}
+            </label>
+            <input
+              id="password"
+              type="password"
+              minLength={8}
+              required
+              value={password}
+              onChange={(event) => setPassword(event.target.value)}
+              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
+            />
+          </div>
+
+          <button
+            type="submit"
+            disabled={isBusy}
+            className="w-full rounded-md bg-neutral-900 px-4 py-2 text-sm font-medium text-white disabled:opacity-60"
+          >
+            {isBusy
+              ? t("auth.actions.signUpBusy", "Creating account...")
+              : mode === "signup-owner"
+                ? t("auth.actions.signUpOwnerIdle", "Create owner account")
+                : t("auth.actions.signUpUserIdle", "Create account")}
+          </button>
+
+          <p className="text-xs text-neutral-600">
+            {t("auth.links.alreadyHaveAccount", "Already have an account?")}{" "}
             <Link href={`/login?next=${encodeURIComponent(nextPath)}`} className="underline">
-              Go to sign in
+              {t("auth.links.goToSignIn", "Go to sign in")}
             </Link>
           </p>
 
diff --git a/apps/admin/src/app/page.tsx b/apps/admin/src/app/page.tsx
index 564a275..b55c5a2 100644
--- a/apps/admin/src/app/page.tsx
+++ b/apps/admin/src/app/page.tsx
@@ -5,6 +5,9 @@ import { revalidatePath } from "next/cache"
 import Link from "next/link"
 import { redirect } from "next/navigation"
 
+import { AdminLocaleSwitcher } from "@/components/admin-locale-switcher"
+import { translateMessage } from "@/i18n/messages"
+import { getAdminMessages, resolveAdminLocale } from "@/i18n/server"
 import { resolveRoleFromServerContext } from "@/lib/access-server"
 import { LogoutButton } from "./logout-button"
 
@@ -58,10 +61,18 @@ function redirectWithState(params: { notice?: string; error?: string }) {
   redirect(value ? `/?${value}` : "/")
 }
 
+async function getDashboardTranslator() {
+  const locale = await resolveAdminLocale()
+  const messages = await getAdminMessages(locale)
+
+  return (key: string, fallback: string) => translateMessage(messages, key, fallback)
+}
+
 async function createPostAction(formData: FormData) {
   "use server"
 
   await requireNewsWritePermission()
+  const t = await getDashboardTranslator()
 
   const status = readRequiredField(formData, "status")
 
@@ -74,23 +85,28 @@ async function createPostAction(formData: FormData) {
       status: status === "published" ? "published" : "draft",
     })
   } catch {
-    redirectWithState({ error: "Create failed. Please check your input." })
+    redirectWithState({
+      error: t("dashboard.posts.errors.createFailed", "Create failed. Please check your input."),
+    })
   }
 
   revalidatePath("/")
-  redirectWithState({ notice: "Post created." })
+  redirectWithState({ notice: t("dashboard.posts.success.created", "Post created.") })
 }
 
 async function updatePostAction(formData: FormData) {
   "use server"
 
   await requireNewsWritePermission()
+  const t = await getDashboardTranslator()
 
   const id = readRequiredField(formData, "id")
   const status = readRequiredField(formData, "status")
 
   if (!id) {
-    redirectWithState({ error: "Update failed. Missing post id." })
+    redirectWithState({
+      error: t("dashboard.posts.errors.updateMissingId", "Update failed. Missing post id."),
+    })
   }
 
   try {
@@ -102,32 +118,37 @@ async function updatePostAction(formData: FormData) {
       status: status === "published" ? "published" : "draft",
     })
   } catch {
-    redirectWithState({ error: "Update failed. Please check your input." })
+    redirectWithState({
+      error: t("dashboard.posts.errors.updateFailed", "Update failed. Please check your input."),
+    })
   }
 
   revalidatePath("/")
-  redirectWithState({ notice: "Post updated." })
+  redirectWithState({ notice: t("dashboard.posts.success.updated", "Post updated.") })
 }
 
 async function deletePostAction(formData: FormData) {
   "use server"
 
   await requireNewsWritePermission()
+  const t = await getDashboardTranslator()
 
   const id = readRequiredField(formData, "id")
 
   if (!id) {
-    redirectWithState({ error: "Delete failed. Missing post id." })
+    redirectWithState({
+      error: t("dashboard.posts.errors.deleteMissingId", "Delete failed. Missing post id."),
+    })
   }
 
   try {
     await deletePost(id)
   } catch {
-    redirectWithState({ error: "Delete failed." })
+    redirectWithState({ error: t("dashboard.posts.errors.deleteFailed", "Delete failed.") })
   }
 
   revalidatePath("/")
-  redirectWithState({ notice: "Post deleted." })
+  redirectWithState({ notice: t("dashboard.posts.success.deleted", "Post deleted.") })
 }
 
 export default async function AdminHomePage({
@@ -145,24 +166,39 @@ export default async function AdminHomePage({
     redirect("/unauthorized?required=news:read&scope=team")
   }
 
-  const resolvedSearchParams = await searchParams
+  const [resolvedSearchParams, locale, posts] = await Promise.all([
+    searchParams,
+    resolveAdminLocale(),
+    listPosts(),
+  ])
+  const messages = await getAdminMessages(locale)
+  const t = (key: string, fallback: string) => translateMessage(messages, key, fallback)
+
   const notice = readFirstValue(resolvedSearchParams.notice)
   const error = readFirstValue(resolvedSearchParams.error)
   const canCreatePost = hasPermission(role, "news:write", "team")
-  const posts = await listPosts()
 
   return (
     <main className="mx-auto flex min-h-screen w-full max-w-4xl flex-col gap-8 px-6 py-16">
       <header className="space-y-3">
-        <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">Admin App</p>
-        <h1 className="text-4xl font-semibold tracking-tight">Content Dashboard</h1>
-        <p className="text-neutral-600">Manage posts from a dedicated admin surface.</p>
+        <div className="flex items-center justify-between gap-3">
+          <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">
+            {t("dashboard.badge", "Admin App")}
+          </p>
+          <AdminLocaleSwitcher />
+        </div>
+        <h1 className="text-4xl font-semibold tracking-tight">
+          {t("dashboard.title", "Content Dashboard")}
+        </h1>
+        <p className="text-neutral-600">
+          {t("dashboard.description", "Manage posts from a dedicated admin surface.")}
+        </p>
         <div className="flex items-center gap-3 pt-2">
           <Link
             href="/todo"
             className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
           >
-            Open roadmap and progress
+            {t("dashboard.actions.openRoadmap", "Open roadmap and progress")}
           </Link>
           <LogoutButton />
         </div>
@@ -183,8 +219,12 @@ export default async function AdminHomePage({
       <section className="rounded-xl border border-neutral-200 p-6">
         <div className="space-y-4">
           <div className="flex items-center justify-between">
-            <h2 className="text-xl font-medium">Posts CRUD Sandbox</h2>
-            <p className="text-xs uppercase tracking-wide text-neutral-500">MVP0 functional test</p>
+            <h2 className="text-xl font-medium">
+              {t("dashboard.posts.title", "Posts CRUD Sandbox")}
+            </h2>
+            <p className="text-xs uppercase tracking-wide text-neutral-500">
+              {t("dashboard.notices.crudSandboxTag", "MVP0 functional test")}
+            </p>
           </div>
 
           {canCreatePost ? (
@@ -192,10 +232,14 @@ export default async function AdminHomePage({
               action={createPostAction}
               className="space-y-3 rounded-lg border border-neutral-200 p-4"
             >
-              <h3 className="text-sm font-semibold">Create post</h3>
+              <h3 className="text-sm font-semibold">
+                {t("dashboard.posts.createTitle", "Create post")}
+              </h3>
               <div className="grid gap-3 md:grid-cols-2">
                 <label className="space-y-1">
-                  <span className="text-xs text-neutral-600">Title</span>
+                  <span className="text-xs text-neutral-600">
+                    {t("dashboard.posts.fields.title", "Title")}
+                  </span>
                   <input
                     name="title"
                     required
@@ -204,7 +248,9 @@ export default async function AdminHomePage({
                   />
                 </label>
                 <label className="space-y-1">
-                  <span className="text-xs text-neutral-600">Slug</span>
+                  <span className="text-xs text-neutral-600">
+                    {t("dashboard.posts.fields.slug", "Slug")}
+                  </span>
                   <input
                     name="slug"
                     required
@@ -214,14 +260,18 @@ export default async function AdminHomePage({
                 </label>
               </div>
               <label className="space-y-1">
-                <span className="text-xs text-neutral-600">Excerpt</span>
+                <span className="text-xs text-neutral-600">
+                  {t("dashboard.posts.fields.excerpt", "Excerpt")}
+                </span>
                 <input
                   name="excerpt"
                   className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                 />
               </label>
               <label className="space-y-1">
-                <span className="text-xs text-neutral-600">Body</span>
+                <span className="text-xs text-neutral-600">
+                  {t("dashboard.posts.fields.body", "Body")}
+                </span>
                 <textarea
                   name="body"
                   required
@@ -231,21 +281,28 @@ export default async function AdminHomePage({
                 />
               </label>
               <label className="space-y-1">
-                <span className="text-xs text-neutral-600">Status</span>
+                <span className="text-xs text-neutral-600">
+                  {t("dashboard.posts.fields.status", "Status")}
+                </span>
                 <select
                   name="status"
                   defaultValue="draft"
                   className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                 >
-                  <option value="draft">Draft</option>
-                  <option value="published">Published</option>
+                  <option value="draft">{t("dashboard.posts.status.draft", "Draft")}</option>
+                  <option value="published">
+                    {t("dashboard.posts.status.published", "Published")}
+                  </option>
                 </select>
               </label>
-              <Button type="submit">Create post</Button>
+              <Button type="submit">{t("dashboard.posts.actions.create", "Create post")}</Button>
             </form>
           ) : (
             <div className="rounded-lg border border-amber-300 bg-amber-50 px-4 py-3 text-sm text-amber-800">
-              You can read posts, but your role cannot create/update/delete posts.
+              {t(
+                "dashboard.notices.noCrudPermission",
+                "You can read posts, but your role cannot create/update/delete posts.",
+              )}
             </div>
           )}
         </div>
@@ -259,7 +316,9 @@ export default async function AdminHomePage({
                     <input type="hidden" name="id" value={post.id} />
                     <div className="grid gap-3 md:grid-cols-2">
                       <label className="space-y-1">
-                        <span className="text-xs text-neutral-600">Title</span>
+                        <span className="text-xs text-neutral-600">
+                          {t("dashboard.posts.fields.title", "Title")}
+                        </span>
                         <input
                           name="title"
                           required
@@ -269,7 +328,9 @@ export default async function AdminHomePage({
                         />
                       </label>
                       <label className="space-y-1">
-                        <span className="text-xs text-neutral-600">Slug</span>
+                        <span className="text-xs text-neutral-600">
+                          {t("dashboard.posts.fields.slug", "Slug")}
+                        </span>
                         <input
                           name="slug"
                           required
@@ -280,7 +341,9 @@ export default async function AdminHomePage({
                       </label>
                     </div>
                     <label className="space-y-1">
-                      <span className="text-xs text-neutral-600">Excerpt</span>
+                      <span className="text-xs text-neutral-600">
+                        {t("dashboard.posts.fields.excerpt", "Excerpt")}
+                      </span>
                       <input
                         name="excerpt"
                         defaultValue={post.excerpt ?? ""}
@@ -288,7 +351,9 @@ export default async function AdminHomePage({
                       />
                     </label>
                     <label className="space-y-1">
-                      <span className="text-xs text-neutral-600">Body</span>
+                      <span className="text-xs text-neutral-600">
+                        {t("dashboard.posts.fields.body", "Body")}
+                      </span>
                       <textarea
                         name="body"
                         required
@@ -299,22 +364,28 @@ export default async function AdminHomePage({
                       />
                     </label>
                     <label className="space-y-1">
-                      <span className="text-xs text-neutral-600">Status</span>
+                      <span className="text-xs text-neutral-600">
+                        {t("dashboard.posts.fields.status", "Status")}
+                      </span>
                       <select
                         name="status"
                         defaultValue={post.status}
                         className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                       >
-                        <option value="draft">Draft</option>
-                        <option value="published">Published</option>
+                        <option value="draft">{t("dashboard.posts.status.draft", "Draft")}</option>
+                        <option value="published">
+                          {t("dashboard.posts.status.published", "Published")}
+                        </option>
                       </select>
                     </label>
-                    <Button type="submit">Save changes</Button>
+                    <Button type="submit">
+                      {t("dashboard.posts.actions.save", "Save changes")}
+                    </Button>
                   </form>
                   <form action={deletePostAction} className="mt-3">
                     <input type="hidden" name="id" value={post.id} />
                     <Button type="submit" variant="secondary">
-                      Delete
+                      {t("dashboard.posts.actions.delete", "Delete")}
                     </Button>
                   </form>
                 </>
@@ -327,7 +398,9 @@ export default async function AdminHomePage({
                     </span>
                   </div>
                   <p className="mt-2 text-sm text-neutral-600">{post.slug}</p>
-                  <p className="mt-2 text-sm text-neutral-600">{post.excerpt ?? "No excerpt"}</p>
+                  <p className="mt-2 text-sm text-neutral-600">
+                    {post.excerpt ?? t("dashboard.posts.fallback.noExcerpt", "No excerpt")}
+                  </p>
                 </>
               )}
             </article>
diff --git a/apps/admin/src/app/providers.tsx b/apps/admin/src/app/providers.tsx
index 9178890..1d87cee 100644
--- a/apps/admin/src/app/providers.tsx
+++ b/apps/admin/src/app/providers.tsx
@@ -1,9 +1,24 @@
 "use client"
 
+import type { AppLocale } from "@cms/i18n"
 import type { ReactNode } from "react"
 
+import type { AdminMessages } from "@/i18n/messages"
+import { AdminI18nProvider } from "@/providers/admin-i18n-provider"
 import { QueryProvider } from "@/providers/query-provider"
 
-export function Providers({ children }: { children: ReactNode }) {
-  return <QueryProvider>{children}</QueryProvider>
+export function Providers({
+  children,
+  locale,
+  messages,
+}: {
+  children: ReactNode
+  locale: AppLocale
+  messages: AdminMessages
+}) {
+  return (
+    <AdminI18nProvider locale={locale} messages={messages}>
+      <QueryProvider>{children}</QueryProvider>
+    </AdminI18nProvider>
+  )
 }
diff --git a/apps/admin/src/components/admin-locale-switcher.tsx b/apps/admin/src/components/admin-locale-switcher.tsx
new file mode 100644
index 0000000..10227ce
--- /dev/null
+++ b/apps/admin/src/components/admin-locale-switcher.tsx
@@ -0,0 +1,41 @@
+"use client"
+
+import { type AppLocale, localeLabels, locales } from "@cms/i18n"
+import { useRouter } from "next/navigation"
+import { useTransition } from "react"
+
+import { ADMIN_LOCALE_COOKIE } from "@/i18n/shared"
+import { useAdminI18n, useAdminT } from "@/providers/admin-i18n-provider"
+
+export function AdminLocaleSwitcher() {
+  const router = useRouter()
+  const [isPending, startTransition] = useTransition()
+  const { locale } = useAdminI18n()
+  const t = useAdminT()
+
+  return (
+    <label className="inline-flex items-center gap-2 text-sm text-neutral-700">
+      <span>{t("common.language", "Language")}</span>
+      <select
+        className="rounded-md border border-neutral-300 bg-white px-2 py-1 text-sm"
+        value={locale}
+        disabled={isPending}
+        onChange={(event) => {
+          const nextLocale = event.target.value as AppLocale
+          // biome-ignore lint/suspicious/noDocumentCookie: locale preference is intentionally persisted client-side.
+          document.cookie = `${ADMIN_LOCALE_COOKIE}=${nextLocale}; Path=/; Max-Age=31536000; SameSite=Lax`
+
+          startTransition(() => {
+            router.refresh()
+          })
+        }}
+      >
+        {locales.map((value) => (
+          <option key={value} value={value}>
+            {t(`common.localeNames.${value}`, localeLabels[value])} ({localeLabels[value]})
+          </option>
+        ))}
+      </select>
+    </label>
+  )
+}
diff --git a/apps/admin/src/i18n/messages.test.ts b/apps/admin/src/i18n/messages.test.ts
new file mode 100644
index 0000000..4b2e987
--- /dev/null
+++ b/apps/admin/src/i18n/messages.test.ts
@@ -0,0 +1,117 @@
+import { describe, expect, it } from "vitest"
+
+import type { AdminMessages } from "./messages"
+import { translateMessage } from "./messages"
+
+const messages: AdminMessages = {
+  common: {
+    language: "Language",
+    localeNames: {
+      de: "German",
+      en: "English",
+      es: "Spanish",
+      fr: "French",
+    },
+  },
+  auth: {
+    badge: "Admin Auth",
+    titles: {
+      signIn: "Sign in",
+      signUpOwner: "Welcome",
+      signUpUser: "Create account",
+    },
+    descriptions: {
+      signIn: "Sign in description",
+      signUpOwner: "Owner description",
+      signUpUser: "User description",
+    },
+    fields: {
+      name: "Name",
+      emailOrUsername: "Email or username",
+      email: "Email",
+      username: "Username",
+      password: "Password",
+    },
+    actions: {
+      signInIdle: "Sign in",
+      signInBusy: "Signing in...",
+      signUpOwnerIdle: "Create owner account",
+      signUpUserIdle: "Create account",
+      signUpBusy: "Creating account...",
+    },
+    links: {
+      needAccount: "Need an account?",
+      register: "Register",
+      alreadyHaveAccount: "Already have an account?",
+      goToSignIn: "Go to sign in",
+    },
+    messages: {
+      ownerCreated: "Owner account created.",
+      accountCreated: "Account created.",
+    },
+    errors: {
+      nameRequired: "Name is required.",
+      signInFailed: "Sign in failed",
+      signUpFailed: "Sign up failed",
+      networkSignIn: "Network sign in error",
+      networkSignUp: "Network sign up error",
+    },
+  },
+  dashboard: {
+    badge: "Admin App",
+    title: "Content Dashboard",
+    description: "Manage content.",
+    actions: {
+      openRoadmap: "Open roadmap",
+    },
+    notices: {
+      noCrudPermission: "No permission.",
+      crudSandboxTag: "MVP0 functional test",
+    },
+    posts: {
+      title: "Posts CRUD Sandbox",
+      createTitle: "Create post",
+      fields: {
+        title: "Title",
+        slug: "Slug",
+        excerpt: "Excerpt",
+        body: "Body",
+        status: "Status",
+      },
+      status: {
+        draft: "Draft",
+        published: "Published",
+      },
+      actions: {
+        create: "Create post",
+        save: "Save changes",
+        delete: "Delete",
+      },
+      errors: {
+        createFailed: "Create failed.",
+        updateFailed: "Update failed.",
+        updateMissingId: "Missing post id.",
+        deleteFailed: "Delete failed.",
+        deleteMissingId: "Missing post id.",
+      },
+      success: {
+        created: "Post created.",
+        updated: "Post updated.",
+        deleted: "Post deleted.",
+      },
+      fallback: {
+        noExcerpt: "No excerpt",
+      },
+    },
+  },
+}
+
+describe("translateMessage", () => {
+  it("resolves nested keys", () => {
+    expect(translateMessage(messages, "dashboard.title")).toBe("Content Dashboard")
+  })
+
+  it("returns fallback for unknown keys", () => {
+    expect(translateMessage(messages, "dashboard.unknown", "Fallback")).toBe("Fallback")
+  })
+})
diff --git a/apps/admin/src/i18n/messages.ts b/apps/admin/src/i18n/messages.ts
new file mode 100644
index 0000000..f81ce7a
--- /dev/null
+++ b/apps/admin/src/i18n/messages.ts
@@ -0,0 +1,27 @@
+import type enMessages from "../messages/en.json"
+
+export type AdminMessages = typeof enMessages
+
+function resolveNestedValue(source: unknown, key: string): unknown {
+  let current: unknown = source
+
+  for (const segment of key.split(".")) {
+    if (!current || typeof current !== "object") {
+      return null
+    }
+
+    current = (current as Record<string, unknown>)[segment]
+  }
+
+  return current
+}
+
+export function translateMessage(messages: AdminMessages, key: string, fallback?: string): string {
+  const resolved = resolveNestedValue(messages, key)
+
+  if (typeof resolved === "string") {
+    return resolved
+  }
+
+  return fallback ?? key
+}
diff --git a/apps/admin/src/i18n/server.ts b/apps/admin/src/i18n/server.ts
new file mode 100644
index 0000000..25aa29e
--- /dev/null
+++ b/apps/admin/src/i18n/server.ts
@@ -0,0 +1,20 @@
+import { type AppLocale, defaultLocale, isAppLocale } from "@cms/i18n"
+import { cookies } from "next/headers"
+
+import type { AdminMessages } from "./messages"
+import { ADMIN_LOCALE_COOKIE } from "./shared"
+
+export async function resolveAdminLocale(): Promise<AppLocale> {
+  const cookieStore = await cookies()
+  const value = cookieStore.get(ADMIN_LOCALE_COOKIE)?.value
+
+  if (value && isAppLocale(value)) {
+    return value
+  }
+
+  return defaultLocale
+}
+
+export async function getAdminMessages(locale: AppLocale): Promise<AdminMessages> {
+  return (await import(`../messages/${locale}.json`)).default as AdminMessages
+}
diff --git a/apps/admin/src/i18n/shared.ts b/apps/admin/src/i18n/shared.ts
new file mode 100644
index 0000000..f0b3c28
--- /dev/null
+++ b/apps/admin/src/i18n/shared.ts
@@ -0,0 +1 @@
+export const ADMIN_LOCALE_COOKIE = "cms_admin_locale"
diff --git a/apps/admin/src/messages/de.json b/apps/admin/src/messages/de.json
new file mode 100644
index 0000000..267ff3c
--- /dev/null
+++ b/apps/admin/src/messages/de.json
@@ -0,0 +1,102 @@
+{
+  "common": {
+    "language": "Sprache",
+    "localeNames": {
+      "de": "Deutsch",
+      "en": "Englisch",
+      "es": "Spanisch",
+      "fr": "Französisch"
+    }
+  },
+  "auth": {
+    "badge": "Admin-Authentifizierung",
+    "titles": {
+      "signIn": "Bei CMS Admin anmelden",
+      "signUpOwner": "Willkommen bei CMS Admin",
+      "signUpUser": "Admin-Konto erstellen"
+    },
+    "descriptions": {
+      "signIn": "Better Auth ist in dieser App über /api/auth aktiv.",
+      "signUpOwner": "Erstelle das erste Owner-Konto, um diese Admin-Instanz zu initialisieren.",
+      "signUpUser": "Selbstregistrierung für Admin-Benutzer ist aktiviert."
+    },
+    "fields": {
+      "name": "Name",
+      "emailOrUsername": "E-Mail oder Benutzername",
+      "email": "E-Mail",
+      "username": "Benutzername (optional)",
+      "password": "Passwort"
+    },
+    "actions": {
+      "signInIdle": "Anmelden",
+      "signInBusy": "Anmeldung läuft...",
+      "signUpOwnerIdle": "Owner-Konto erstellen",
+      "signUpUserIdle": "Konto erstellen",
+      "signUpBusy": "Konto wird erstellt..."
+    },
+    "links": {
+      "needAccount": "Du brauchst ein Konto?",
+      "register": "Registrieren",
+      "alreadyHaveAccount": "Du hast bereits ein Konto?",
+      "goToSignIn": "Zur Anmeldung"
+    },
+    "messages": {
+      "ownerCreated": "Owner-Konto erstellt. Registrierung ist jetzt deaktiviert.",
+      "accountCreated": "Konto erstellt."
+    },
+    "errors": {
+      "nameRequired": "Name ist für die Kontoerstellung erforderlich",
+      "signInFailed": "Anmeldung fehlgeschlagen",
+      "signUpFailed": "Registrierung fehlgeschlagen",
+      "networkSignIn": "Netzwerkfehler bei der Anmeldung",
+      "networkSignUp": "Netzwerkfehler bei der Registrierung"
+    }
+  },
+  "dashboard": {
+    "badge": "Admin-App",
+    "title": "Content-Dashboard",
+    "description": "Verwalte Beiträge in einer dedizierten Admin-Oberfläche.",
+    "actions": {
+      "openRoadmap": "Roadmap und Fortschritt öffnen"
+    },
+    "notices": {
+      "noCrudPermission": "Du kannst Beiträge lesen, aber deine Rolle darf keine Beiträge erstellen/ändern/löschen.",
+      "crudSandboxTag": "MVP0 Funktionstest"
+    },
+    "posts": {
+      "title": "Beiträge CRUD-Sandbox",
+      "createTitle": "Beitrag erstellen",
+      "fields": {
+        "title": "Titel",
+        "slug": "Slug",
+        "excerpt": "Auszug",
+        "body": "Inhalt",
+        "status": "Status"
+      },
+      "status": {
+        "draft": "Entwurf",
+        "published": "Veröffentlicht"
+      },
+      "actions": {
+        "create": "Beitrag erstellen",
+        "save": "Änderungen speichern",
+        "delete": "Löschen"
+      },
+      "errors": {
+        "createFailed": "Erstellen fehlgeschlagen. Bitte Eingaben prüfen.",
+        "updateFailed": "Aktualisierung fehlgeschlagen. Bitte Eingaben prüfen.",
+        "updateMissingId": "Aktualisierung fehlgeschlagen. Beitrags-ID fehlt.",
+        "deleteFailed": "Löschen fehlgeschlagen.",
+        "deleteMissingId": "Löschen fehlgeschlagen. Beitrags-ID fehlt."
+      },
+      "success": {
+        "created": "Beitrag erstellt.",
+        "updated": "Beitrag aktualisiert.",
+        "deleted": "Beitrag gelöscht."
+      },
+      "fallback": {
+        "noExcerpt": "Kein Auszug"
+      }
+    }
+  }
+}
diff --git a/apps/admin/src/messages/en.json b/apps/admin/src/messages/en.json
new file mode 100644
index 0000000..b23adfb
--- /dev/null
+++ b/apps/admin/src/messages/en.json
@@ -0,0 +1,102 @@
+{
+  "common": {
+    "language": "Language",
+    "localeNames": {
+      "de": "German",
+      "en": "English",
+      "es": "Spanish",
+      "fr": "French"
+    }
+  },
+  "auth": {
+    "badge": "Admin Auth",
+    "titles": {
+      "signIn": "Sign in to CMS Admin",
+      "signUpOwner": "Welcome to CMS Admin",
+      "signUpUser": "Create an admin account"
+    },
+    "descriptions": {
+      "signIn": "Better Auth is active on this app via /api/auth.",
+      "signUpOwner": "Create the first owner account to initialize this admin instance.",
+      "signUpUser": "Self-registration is enabled for admin users."
+    },
+    "fields": {
+      "name": "Name",
+      "emailOrUsername": "Email or username",
+      "email": "Email",
+      "username": "Username (optional)",
+      "password": "Password"
+    },
+    "actions": {
+      "signInIdle": "Sign in",
+      "signInBusy": "Signing in...",
+      "signUpOwnerIdle": "Create owner account",
+      "signUpUserIdle": "Create account",
+      "signUpBusy": "Creating account..."
+    },
+    "links": {
+      "needAccount": "Need an account?",
+      "register": "Register",
+      "alreadyHaveAccount": "Already have an account?",
+      "goToSignIn": "Go to sign in"
+    },
+    "messages": {
+      "ownerCreated": "Owner account created. Registration is now disabled.",
+      "accountCreated": "Account created."
+    },
+    "errors": {
+      "nameRequired": "Name is required for account creation",
+      "signInFailed": "Sign in failed",
+      "signUpFailed": "Sign up failed",
+      "networkSignIn": "Network error while signing in",
+      "networkSignUp": "Network error while signing up"
+    }
+  },
+  "dashboard": {
+    "badge": "Admin App",
+    "title": "Content Dashboard",
+    "description": "Manage posts from a dedicated admin surface.",
+    "actions": {
+      "openRoadmap": "Open roadmap and progress"
+    },
+    "notices": {
+      "noCrudPermission": "You can read posts, but your role cannot create/update/delete posts.",
+      "crudSandboxTag": "MVP0 functional test"
+    },
+    "posts": {
+      "title": "Posts CRUD Sandbox",
+      "createTitle": "Create post",
+      "fields": {
+        "title": "Title",
+        "slug": "Slug",
+        "excerpt": "Excerpt",
+        "body": "Body",
+        "status": "Status"
+      },
+      "status": {
+        "draft": "Draft",
+        "published": "Published"
+      },
+      "actions": {
+        "create": "Create post",
+        "save": "Save changes",
+        "delete": "Delete"
+      },
+      "errors": {
+        "createFailed": "Create failed. Please check your input.",
+        "updateFailed": "Update failed. Please check your input.",
+        "updateMissingId": "Update failed. Missing post id.",
+        "deleteFailed": "Delete failed.",
+        "deleteMissingId": "Delete failed. Missing post id."
+      },
+      "success": {
+        "created": "Post created.",
+        "updated": "Post updated.",
+        "deleted": "Post deleted."
+      },
+      "fallback": {
+        "noExcerpt": "No excerpt"
+      }
+    }
+  }
+}
diff --git a/apps/admin/src/messages/es.json b/apps/admin/src/messages/es.json
new file mode 100644
index 0000000..52764f3
--- /dev/null
+++ b/apps/admin/src/messages/es.json
@@ -0,0 +1,102 @@
+{
+  "common": {
+    "language": "Idioma",
+    "localeNames": {
+      "de": "Alemán",
+      "en": "Inglés",
+      "es": "Español",
+      "fr": "Francés"
+    }
+  },
+  "auth": {
+    "badge": "Autenticación de Admin",
+    "titles": {
+      "signIn": "Iniciar sesión en CMS Admin",
+      "signUpOwner": "Bienvenido a CMS Admin",
+      "signUpUser": "Crear una cuenta de admin"
+    },
+    "descriptions": {
+      "signIn": "Better Auth está activo en esta app mediante /api/auth.",
+      "signUpOwner": "Crea la primera cuenta owner para inicializar esta instancia de administración.",
+      "signUpUser": "El registro automático está habilitado para usuarios admin."
+    },
+    "fields": {
+      "name": "Nombre",
+      "emailOrUsername": "Correo o nombre de usuario",
+      "email": "Correo",
+      "username": "Nombre de usuario (opcional)",
+      "password": "Contraseña"
+    },
+    "actions": {
+      "signInIdle": "Iniciar sesión",
+      "signInBusy": "Iniciando sesión...",
+      "signUpOwnerIdle": "Crear cuenta owner",
+      "signUpUserIdle": "Crear cuenta",
+      "signUpBusy": "Creando cuenta..."
+    },
+    "links": {
+      "needAccount": "¿Necesitas una cuenta?",
+      "register": "Registrarse",
+      "alreadyHaveAccount": "¿Ya tienes una cuenta?",
+      "goToSignIn": "Ir a iniciar sesión"
+    },
+    "messages": {
+      "ownerCreated": "Cuenta owner creada. El registro ahora está deshabilitado.",
+      "accountCreated": "Cuenta creada."
+    },
+    "errors": {
+      "nameRequired": "El nombre es obligatorio para crear la cuenta",
+      "signInFailed": "Error al iniciar sesión",
+      "signUpFailed": "Error al registrarse",
+      "networkSignIn": "Error de red al iniciar sesión",
+      "networkSignUp": "Error de red al registrarse"
+    }
+  },
+  "dashboard": {
+    "badge": "App Admin",
+    "title": "Panel de Contenido",
+    "description": "Gestiona publicaciones desde una superficie de administración dedicada.",
+    "actions": {
+      "openRoadmap": "Abrir hoja de ruta y progreso"
+    },
+    "notices": {
+      "noCrudPermission": "Puedes leer publicaciones, pero tu rol no puede crear/editar/eliminar publicaciones.",
+      "crudSandboxTag": "Prueba funcional MVP0"
+    },
+    "posts": {
+      "title": "Sandbox CRUD de Publicaciones",
+      "createTitle": "Crear publicación",
+      "fields": {
+        "title": "Título",
+        "slug": "Slug",
+        "excerpt": "Extracto",
+        "body": "Contenido",
+        "status": "Estado"
+      },
+      "status": {
+        "draft": "Borrador",
+        "published": "Publicado"
+      },
+      "actions": {
+        "create": "Crear publicación",
+        "save": "Guardar cambios",
+        "delete": "Eliminar"
+      },
+      "errors": {
+        "createFailed": "Error al crear. Revisa tus datos.",
+        "updateFailed": "Error al actualizar. Revisa tus datos.",
+        "updateMissingId": "Error al actualizar. Falta el id de la publicación.",
+        "deleteFailed": "Error al eliminar.",
+        "deleteMissingId": "Error al eliminar. Falta el id de la publicación."
+      },
+      "success": {
+        "created": "Publicación creada.",
+        "updated": "Publicación actualizada.",
+        "deleted": "Publicación eliminada."
+      },
+      "fallback": {
+        "noExcerpt": "Sin extracto"
+      }
+    }
+  }
+}
diff --git a/apps/admin/src/messages/fr.json b/apps/admin/src/messages/fr.json
new file mode 100644
index 0000000..85acb74
--- /dev/null
+++ b/apps/admin/src/messages/fr.json
@@ -0,0 +1,102 @@
+{
+  "common": {
+    "language": "Langue",
+    "localeNames": {
+      "de": "Allemand",
+      "en": "Anglais",
+      "es": "Espagnol",
+      "fr": "Français"
+    }
+  },
+  "auth": {
+    "badge": "Authentification Admin",
+    "titles": {
+      "signIn": "Se connecter à CMS Admin",
+      "signUpOwner": "Bienvenue sur CMS Admin",
+      "signUpUser": "Créer un compte admin"
+    },
+    "descriptions": {
+      "signIn": "Better Auth est actif sur cette application via /api/auth.",
+      "signUpOwner": "Créez le premier compte owner pour initialiser cette instance d’administration.",
+      "signUpUser": "L’auto-inscription est activée pour les utilisateurs admin."
+    },
+    "fields": {
+      "name": "Nom",
+      "emailOrUsername": "E-mail ou nom d’utilisateur",
+      "email": "E-mail",
+      "username": "Nom d’utilisateur (optionnel)",
+      "password": "Mot de passe"
+    },
+    "actions": {
+      "signInIdle": "Se connecter",
+      "signInBusy": "Connexion en cours...",
+      "signUpOwnerIdle": "Créer le compte owner",
+      "signUpUserIdle": "Créer un compte",
+      "signUpBusy": "Création du compte..."
+    },
+    "links": {
+      "needAccount": "Besoin d’un compte ?",
+      "register": "S’inscrire",
+      "alreadyHaveAccount": "Vous avez déjà un compte ?",
+      "goToSignIn": "Aller à la connexion"
+    },
+    "messages": {
+      "ownerCreated": "Compte owner créé. L’inscription est maintenant désactivée.",
+      "accountCreated": "Compte créé."
+    },
+    "errors": {
+      "nameRequired": "Le nom est requis pour créer un compte",
+      "signInFailed": "Échec de la connexion",
+      "signUpFailed": "Échec de l’inscription",
+      "networkSignIn": "Erreur réseau lors de la connexion",
+      "networkSignUp": "Erreur réseau lors de l’inscription"
+    }
+  },
+  "dashboard": {
+    "badge": "Application Admin",
+    "title": "Tableau de bord contenu",
+    "description": "Gérez les publications depuis une surface d’administration dédiée.",
+    "actions": {
+      "openRoadmap": "Ouvrir la feuille de route et la progression"
+    },
+    "notices": {
+      "noCrudPermission": "Vous pouvez lire les publications, mais votre rôle ne peut pas créer/modifier/supprimer des publications.",
+      "crudSandboxTag": "Test fonctionnel MVP0"
+    },
+    "posts": {
+      "title": "Sandbox CRUD des publications",
+      "createTitle": "Créer une publication",
+      "fields": {
+        "title": "Titre",
+        "slug": "Slug",
+        "excerpt": "Extrait",
+        "body": "Contenu",
+        "status": "Statut"
+      },
+      "status": {
+        "draft": "Brouillon",
+        "published": "Publié"
+      },
+      "actions": {
+        "create": "Créer une publication",
+        "save": "Enregistrer les modifications",
+        "delete": "Supprimer"
+      },
+      "errors": {
+        "createFailed": "Échec de la création. Vérifiez vos données.",
+        "updateFailed": "Échec de la mise à jour. Vérifiez vos données.",
+        "updateMissingId": "Échec de la mise à jour. ID de publication manquant.",
+        "deleteFailed": "Échec de la suppression.",
+        "deleteMissingId": "Échec de la suppression. ID de publication manquant."
+      },
+      "success": {
+        "created": "Publication créée.",
+        "updated": "Publication mise à jour.",
+        "deleted": "Publication supprimée."
+      },
+      "fallback": {
+        "noExcerpt": "Aucun extrait"
+      }
+    }
+  }
+}
diff --git a/apps/admin/src/providers/admin-i18n-provider.tsx b/apps/admin/src/providers/admin-i18n-provider.tsx
new file mode 100644
index 0000000..429cd34
--- /dev/null
+++ b/apps/admin/src/providers/admin-i18n-provider.tsx
@@ -0,0 +1,53 @@
+"use client"
+
+import type { AppLocale } from "@cms/i18n"
+import { createContext, type ReactNode, useContext, useMemo } from "react"
+
+import type { AdminMessages } from "@/i18n/messages"
+import { translateMessage } from "@/i18n/messages"
+
+type AdminI18nContextValue = {
+  locale: AppLocale
+  messages: AdminMessages
+}
+
+const AdminI18nContext = createContext<AdminI18nContextValue | null>(null)
+
+export function AdminI18nProvider({
+  locale,
+  messages,
+  children,
+}: {
+  locale: AppLocale
+  messages: AdminMessages
+  children: ReactNode
+}) {
+  const value = useMemo(
+    () => ({
+      locale,
+      messages,
+    }),
+    [locale, messages],
+  )
+
+  return <AdminI18nContext.Provider value={value}>{children}</AdminI18nContext.Provider>
+}
+
+export function useAdminI18n(): AdminI18nContextValue {
+  const context = useContext(AdminI18nContext)
+
+  if (!context) {
+    throw new Error("useAdminI18n must be used inside AdminI18nProvider")
+  }
+
+  return context
+}
+
+export function useAdminT() {
+  const { messages } = useAdminI18n()
+
+  return useMemo(
+    () => (key: string, fallback?: string) => translateMessage(messages, key, fallback),
+    [messages],
+  )
+}
diff --git a/bun.lock b/bun.lock
index c57aff4..acba547 100644
--- a/bun.lock
+++ b/bun.lock
@@ -30,6 +30,7 @@
       "dependencies": {
         "@cms/content": "workspace:*",
         "@cms/db": "workspace:*",
+        "@cms/i18n": "workspace:*",
         "@cms/ui": "workspace:*",
         "@tanstack/react-form": "1.28.0",
         "@tanstack/react-query": "5.90.20",
diff --git a/docs/product-engineering/i18n-baseline.md b/docs/product-engineering/i18n-baseline.md
index 5a12acd..40cb051 100644
--- a/docs/product-engineering/i18n-baseline.md
+++ b/docs/product-engineering/i18n-baseline.md
@@ -2,19 +2,20 @@
 
 ## Scope
 
-MVP0 introduces i18n runtime only for the public app (`@cms/web`) using `next-intl`.
+MVP0 introduces i18n runtime baselines for both apps.
 
 Current baseline:
 
 - Shared locale contract in `@cms/i18n` (`de`, `en`, `es`, `fr`; default `en`)
-- Path-stable routing (no locale in URL) via `apps/web/src/proxy.ts`
-- Message loading through `apps/web/src/i18n/request.ts`
-- Locale-aware navigation helpers in `apps/web/src/i18n/navigation.ts`
-- Public language switcher component backed by Zustand store
+- Public app: path-stable routing (no locale in URL) via `apps/web/src/proxy.ts`
+- Public app: message loading through `apps/web/src/i18n/request.ts`
+- Public app: locale-aware navigation helpers in `apps/web/src/i18n/navigation.ts`
+- Public app: language switcher component backed by Zustand store
+- Admin app: cookie-based locale resolution and message loading in root layout
+- Admin app: runtime i18n provider (`AdminI18nProvider`) and locale switcher UI
 
 ## Notes
 
 - Public app locale is resolved through `next-intl` middleware + cookie.
 - Enabled locales are currently static in code and will later be managed from admin settings.
-- Admin app i18n provider/message loading is still pending.
 - Translation key conventions and workflow docs are tracked in `TODO.md`.

From d0f731743c789ef836e4573eadece2f4c67c973d Mon Sep 17 00:00:00 2001
From: Citali <git@fellies.email>
Date: Tue, 10 Feb 2026 21:10:39 +0100
Subject: [PATCH 2/4] feat(admin): add registration policy settings and
 disabled register state

---
 TODO.md                                       |   5 +-
 apps/admin/src/app/login/login-form.tsx       |  30 ++-
 apps/admin/src/app/page.tsx                   |   6 +
 apps/admin/src/app/register/page.tsx          |   2 +-
 apps/admin/src/app/settings/page.tsx          | 188 ++++++++++++++++++
 apps/admin/src/i18n/messages.test.ts          |  30 +++
 apps/admin/src/lib/access.ts                  |   7 +
 apps/admin/src/lib/auth/server.ts             |   5 +-
 apps/admin/src/messages/de.json               |  36 +++-
 apps/admin/src/messages/en.json               |  36 +++-
 apps/admin/src/messages/es.json               |  36 +++-
 apps/admin/src/messages/fr.json               |  36 +++-
 docs/product-engineering/auth-baseline.md     |   3 +-
 .../migration.sql                             |   9 +
 packages/db/prisma/schema.prisma              |   9 +
 packages/db/src/index.ts                      |   1 +
 packages/db/src/settings.ts                   |  56 ++++++
 packages/ui/src/components/button.tsx         |   2 +-
 18 files changed, 473 insertions(+), 24 deletions(-)
 create mode 100644 apps/admin/src/app/settings/page.tsx
 create mode 100644 packages/db/prisma/migrations/20260210200148_admin_registration_policy_setting/migration.sql
 create mode 100644 packages/db/src/settings.ts

diff --git a/TODO.md b/TODO.md
index 97913f8..ee0fa67 100644
--- a/TODO.md
+++ b/TODO.md
@@ -28,7 +28,7 @@ This file is the single source of truth for roadmap and delivery progress.
 - [x] [P1] Bootstrap first-run owner account creation via initial registration flow
 - [x] [P1] Enforce invariant: exactly one owner user must always exist
 - [x] [P1] Create hidden technical support user by default (non-demotable, non-deletable)
-- [~] [P1] Admin registration policy control (allow/deny self-registration for admin panel)
+- [x] [P1] Admin registration policy control (allow/deny self-registration for admin panel)
 - [x] [P1] First-start onboarding route for initial owner creation (`/welcome`)
 - [x] [P1] Split auth entry points (`/welcome`, `/login`, `/register`) with cross-links
 - [~] [P2] Support fallback sign-in route (`/support/:key`) as break-glass access
@@ -45,7 +45,7 @@ This file is the single source of truth for roadmap and delivery progress.
 - [x] [P1] Authentication and session model (`admin`, `editor`, `manager`)
 - [x] [P1] Protected admin routes and session handling
 - [~] [P1] Temporary admin posts CRUD sandbox for baseline functional validation
-- [ ] [P1] Core admin IA (pages/media/users/commissions/settings)
+- [~] [P1] Core admin IA (pages/media/users/commissions/settings)
 
 ### Public App
 
@@ -198,6 +198,7 @@ This file is the single source of truth for roadmap and delivery progress.
 - [2026-02-10] Shared CRUD base (`@cms/crud`) is live with validation, not-found errors, and audit hook contracts; only posts are migrated so far.
 - [2026-02-10] Admin dashboard includes a temporary posts CRUD sandbox (create/update/delete) to validate the shared CRUD base through the real app UI.
 - [2026-02-10] Admin i18n baseline now resolves locale from cookie and loads runtime message dictionaries in root layout; admin locale switcher is active on auth and dashboard views.
+- [2026-02-10] Admin self-registration policy is now managed via `/settings` and persisted in `system_setting`; env var is fallback/default only.
 
 ## How We Use This File
 
diff --git a/apps/admin/src/app/login/login-form.tsx b/apps/admin/src/app/login/login-form.tsx
index df017ec..473d81a 100644
--- a/apps/admin/src/app/login/login-form.tsx
+++ b/apps/admin/src/app/login/login-form.tsx
@@ -8,7 +8,7 @@ import { AdminLocaleSwitcher } from "@/components/admin-locale-switcher"
 import { useAdminT } from "@/providers/admin-i18n-provider"
 
 type LoginFormProps = {
-  mode: "signin" | "signup-owner" | "signup-user"
+  mode: "signin" | "signup-owner" | "signup-user" | "signup-disabled"
 }
 
 type AuthResponse = {
@@ -41,6 +41,7 @@ export function LoginForm({ mode }: LoginFormProps) {
   const [isBusy, setIsBusy] = useState(false)
   const [error, setError] = useState<string | null>(null)
   const [success, setSuccess] = useState<string | null>(null)
+  const canSubmitSignUp = mode === "signup-owner" || mode === "signup-user"
 
   async function handleSignIn(event: FormEvent<HTMLFormElement>) {
     event.preventDefault()
@@ -141,7 +142,9 @@ export function LoginForm({ mode }: LoginFormProps) {
             ? t("auth.titles.signIn", "Sign in to CMS Admin")
             : mode === "signup-owner"
               ? t("auth.titles.signUpOwner", "Welcome to CMS Admin")
-              : t("auth.titles.signUpUser", "Create an admin account")}
+              : mode === "signup-user"
+                ? t("auth.titles.signUpUser", "Create an admin account")
+                : t("auth.titles.signUpDisabled", "Registration is disabled")}
         </h1>
         <p className="text-sm text-neutral-600">
           {mode === "signin"
@@ -151,7 +154,12 @@ export function LoginForm({ mode }: LoginFormProps) {
                   "auth.descriptions.signUpOwner",
                   "Create the first owner account to initialize this admin instance.",
                 )
-              : t("auth.descriptions.signUpUser", "Self-registration is enabled for admin users.")}
+              : mode === "signup-user"
+                ? t("auth.descriptions.signUpUser", "Self-registration is enabled for admin users.")
+                : t(
+                    "auth.descriptions.signUpDisabled",
+                    "Self-registration is currently turned off by an administrator.",
+                  )}
         </p>
       </div>
 
@@ -208,7 +216,7 @@ export function LoginForm({ mode }: LoginFormProps) {
 
           {error ? <p className="text-sm text-red-600">{error}</p> : null}
         </form>
-      ) : (
+      ) : canSubmitSignUp ? (
         <form
           onSubmit={handleSignUp}
           className="mt-8 space-y-4 rounded-xl border border-neutral-200 p-6"
@@ -290,6 +298,20 @@ export function LoginForm({ mode }: LoginFormProps) {
           {error ? <p className="text-sm text-red-600">{error}</p> : null}
           {success ? <p className="text-sm text-green-700">{success}</p> : null}
         </form>
+      ) : (
+        <section className="mt-8 space-y-4 rounded-xl border border-neutral-200 p-6">
+          <p className="text-sm text-neutral-700">
+            {t(
+              "auth.messages.registrationDisabled",
+              "Registration is disabled for this admin instance. Ask an administrator to create an account or enable self-registration.",
+            )}
+          </p>
+          <p className="text-xs text-neutral-600">
+            <Link href={`/login?next=${encodeURIComponent(nextPath)}`} className="underline">
+              {t("auth.links.goToSignIn", "Go to sign in")}
+            </Link>
+          </p>
+        </section>
       )}
     </main>
   )
diff --git a/apps/admin/src/app/page.tsx b/apps/admin/src/app/page.tsx
index b55c5a2..03e3216 100644
--- a/apps/admin/src/app/page.tsx
+++ b/apps/admin/src/app/page.tsx
@@ -200,6 +200,12 @@ export default async function AdminHomePage({
           >
             {t("dashboard.actions.openRoadmap", "Open roadmap and progress")}
           </Link>
+          <Link
+            href="/settings"
+            className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
+          >
+            {t("settings.title", "Settings")}
+          </Link>
           <LogoutButton />
         </div>
       </header>
diff --git a/apps/admin/src/app/register/page.tsx b/apps/admin/src/app/register/page.tsx
index 648587b..2790154 100644
--- a/apps/admin/src/app/register/page.tsx
+++ b/apps/admin/src/app/register/page.tsx
@@ -33,7 +33,7 @@ export default async function RegisterPage({ searchParams }: { searchParams: Sea
   const enabled = await isSelfRegistrationEnabled()
 
   if (!enabled) {
-    redirect(`/login?next=${encodeURIComponent(nextPath)}`)
+    return <LoginForm mode="signup-disabled" />
   }
 
   return <LoginForm mode="signup-user" />
diff --git a/apps/admin/src/app/settings/page.tsx b/apps/admin/src/app/settings/page.tsx
new file mode 100644
index 0000000..e1793d0
--- /dev/null
+++ b/apps/admin/src/app/settings/page.tsx
@@ -0,0 +1,188 @@
+import { hasPermission } from "@cms/content/rbac"
+import { isAdminSelfRegistrationEnabled, setAdminSelfRegistrationEnabled } from "@cms/db"
+import { Button } from "@cms/ui/button"
+import { revalidatePath } from "next/cache"
+import Link from "next/link"
+import { redirect } from "next/navigation"
+
+import { AdminLocaleSwitcher } from "@/components/admin-locale-switcher"
+import { translateMessage } from "@/i18n/messages"
+import { getAdminMessages, resolveAdminLocale } from "@/i18n/server"
+import { resolveRoleFromServerContext } from "@/lib/access-server"
+
+type SearchParamsInput = Promise<Record<string, string | string[] | undefined>>
+
+function toSingleValue(input: string | string[] | undefined): string | null {
+  if (Array.isArray(input)) {
+    return input[0] ?? null
+  }
+
+  return input ?? null
+}
+
+async function requireSettingsPermission() {
+  const role = await resolveRoleFromServerContext()
+
+  if (!role) {
+    redirect("/login?next=/settings")
+  }
+
+  if (!hasPermission(role, "users:manage_roles", "global")) {
+    redirect("/unauthorized?required=users:manage_roles&scope=global")
+  }
+}
+
+async function getSettingsTranslator() {
+  const locale = await resolveAdminLocale()
+  const messages = await getAdminMessages(locale)
+
+  return (key: string, fallback: string) => translateMessage(messages, key, fallback)
+}
+
+async function updateRegistrationPolicyAction(formData: FormData) {
+  "use server"
+
+  await requireSettingsPermission()
+  const t = await getSettingsTranslator()
+  const enabled = formData.get("enabled") === "on"
+
+  try {
+    await setAdminSelfRegistrationEnabled(enabled)
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : ""
+    const normalizedMessage = errorMessage.toLowerCase()
+    const isDatabaseUnavailable = errorMessage.includes("P1001")
+    const isSchemaMissing =
+      errorMessage.includes("P2021") ||
+      normalizedMessage.includes("system_setting") ||
+      normalizedMessage.includes("does not exist")
+
+    const userMessage = isDatabaseUnavailable
+      ? t(
+          "settings.registration.errors.databaseUnavailable",
+          "Saving settings failed. The database is currently unreachable.",
+        )
+      : isSchemaMissing
+        ? t(
+            "settings.registration.errors.schemaMissing",
+            "Saving settings failed. Apply the latest database migrations and try again.",
+          )
+        : t(
+            "settings.registration.errors.updateFailed",
+            "Saving settings failed. Ensure database migrations are applied.",
+          )
+
+    redirect(`/settings?error=${encodeURIComponent(userMessage)}`)
+  }
+
+  revalidatePath("/settings")
+  revalidatePath("/register")
+  redirect(
+    `/settings?notice=${encodeURIComponent(
+      t("settings.registration.success.updated", "Registration policy updated."),
+    )}`,
+  )
+}
+
+export default async function SettingsPage({ searchParams }: { searchParams: SearchParamsInput }) {
+  await requireSettingsPermission()
+
+  const [params, locale, isRegistrationEnabled] = await Promise.all([
+    searchParams,
+    resolveAdminLocale(),
+    isAdminSelfRegistrationEnabled(),
+  ])
+  const messages = await getAdminMessages(locale)
+  const t = (key: string, fallback: string) => translateMessage(messages, key, fallback)
+
+  const notice = toSingleValue(params.notice)
+  const error = toSingleValue(params.error)
+
+  return (
+    <main className="mx-auto flex min-h-screen w-full max-w-4xl flex-col gap-8 px-6 py-16">
+      <header className="space-y-3">
+        <div className="flex items-center justify-between gap-3">
+          <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">
+            {t("settings.badge", "Admin Settings")}
+          </p>
+          <AdminLocaleSwitcher />
+        </div>
+        <h1 className="text-4xl font-semibold tracking-tight">{t("settings.title", "Settings")}</h1>
+        <p className="text-neutral-600">
+          {t(
+            "settings.description",
+            "Manage runtime policies for the admin authentication and onboarding flow.",
+          )}
+        </p>
+        <div className="flex items-center gap-3 pt-2">
+          <Link
+            href="/"
+            className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
+          >
+            {t("settings.actions.backToDashboard", "Back to dashboard")}
+          </Link>
+        </div>
+      </header>
+
+      {notice ? (
+        <section className="rounded-xl border border-emerald-300 bg-emerald-50 px-4 py-3 text-sm text-emerald-800">
+          {notice}
+        </section>
+      ) : null}
+
+      {error ? (
+        <section className="rounded-xl border border-red-300 bg-red-50 px-4 py-3 text-sm text-red-800">
+          {error}
+        </section>
+      ) : null}
+
+      <section className="rounded-xl border border-neutral-200 p-6">
+        <div className="space-y-5">
+          <div className="space-y-2">
+            <h2 className="text-xl font-medium">
+              {t("settings.registration.title", "Admin self-registration")}
+            </h2>
+            <p className="text-sm text-neutral-600">
+              {t(
+                "settings.registration.description",
+                "When enabled, /register can create additional admin accounts after initial owner bootstrap.",
+              )}
+            </p>
+          </div>
+
+          <div className="rounded-lg border border-neutral-200 p-4 text-sm text-neutral-700">
+            <p>
+              {t("settings.registration.currentStatusLabel", "Current status")}:{" "}
+              <strong>
+                {isRegistrationEnabled
+                  ? t("settings.registration.status.enabled", "Enabled")
+                  : t("settings.registration.status.disabled", "Disabled")}
+              </strong>
+            </p>
+          </div>
+
+          <form action={updateRegistrationPolicyAction} className="space-y-4">
+            <label className="flex items-center gap-3 text-sm">
+              <input
+                type="checkbox"
+                name="enabled"
+                defaultChecked={isRegistrationEnabled}
+                className="h-4 w-4 rounded border-neutral-300"
+              />
+              <span>
+                {t(
+                  "settings.registration.checkboxLabel",
+                  "Allow self-registration on /register for admin users",
+                )}
+              </span>
+            </label>
+
+            <Button type="submit">
+              {t("settings.registration.actions.save", "Save registration policy")}
+            </Button>
+          </form>
+        </div>
+      </section>
+    </main>
+  )
+}
diff --git a/apps/admin/src/i18n/messages.test.ts b/apps/admin/src/i18n/messages.test.ts
index 4b2e987..6f9852e 100644
--- a/apps/admin/src/i18n/messages.test.ts
+++ b/apps/admin/src/i18n/messages.test.ts
@@ -19,11 +19,13 @@ const messages: AdminMessages = {
       signIn: "Sign in",
       signUpOwner: "Welcome",
       signUpUser: "Create account",
+      signUpDisabled: "Registration disabled",
     },
     descriptions: {
       signIn: "Sign in description",
       signUpOwner: "Owner description",
       signUpUser: "User description",
+      signUpDisabled: "Disabled description",
     },
     fields: {
       name: "Name",
@@ -48,6 +50,7 @@ const messages: AdminMessages = {
     messages: {
       ownerCreated: "Owner account created.",
       accountCreated: "Account created.",
+      registrationDisabled: "Registration is disabled.",
     },
     errors: {
       nameRequired: "Name is required.",
@@ -57,6 +60,33 @@ const messages: AdminMessages = {
       networkSignUp: "Network sign up error",
     },
   },
+  settings: {
+    badge: "Admin Settings",
+    title: "Settings",
+    description: "Settings description",
+    actions: {
+      backToDashboard: "Back to dashboard",
+    },
+    registration: {
+      title: "Registration",
+      description: "Registration description",
+      currentStatusLabel: "Current status",
+      status: {
+        enabled: "Enabled",
+        disabled: "Disabled",
+      },
+      checkboxLabel: "Allow registration",
+      actions: {
+        save: "Save",
+      },
+      success: {
+        updated: "Updated",
+      },
+      errors: {
+        updateFailed: "Update failed",
+      },
+    },
+  },
   dashboard: {
     badge: "Admin App",
     title: "Content Dashboard",
diff --git a/apps/admin/src/lib/access.ts b/apps/admin/src/lib/access.ts
index 068ca14..dec492c 100644
--- a/apps/admin/src/lib/access.ts
+++ b/apps/admin/src/lib/access.ts
@@ -43,6 +43,13 @@ const guardRules: GuardRule[] = [
       scope: "global",
     },
   },
+  {
+    route: /^\/settings(?:\/|$)/,
+    requirement: {
+      permission: "users:manage_roles",
+      scope: "global",
+    },
+  },
   {
     route: /^\/(?:$|\?)/,
     requirement: {
diff --git a/apps/admin/src/lib/auth/server.ts b/apps/admin/src/lib/auth/server.ts
index e12fb11..8707f79 100644
--- a/apps/admin/src/lib/auth/server.ts
+++ b/apps/admin/src/lib/auth/server.ts
@@ -1,5 +1,5 @@
 import { normalizeRole, type Role } from "@cms/content/rbac"
-import { db } from "@cms/db"
+import { db, isAdminSelfRegistrationEnabled } from "@cms/db"
 import { betterAuth } from "better-auth"
 import { prismaAdapter } from "better-auth/adapters/prisma"
 import { toNextJsHandler } from "better-auth/next-js"
@@ -43,8 +43,7 @@ export async function isInitialOwnerRegistrationOpen(): Promise<boolean> {
 }
 
 export async function isSelfRegistrationEnabled(): Promise<boolean> {
-  // Temporary fallback until registration policy is managed from admin settings.
-  return process.env.CMS_ADMIN_SELF_REGISTRATION_ENABLED === "true"
+  return isAdminSelfRegistrationEnabled()
 }
 
 export async function canUserSelfRegister(): Promise<boolean> {
diff --git a/apps/admin/src/messages/de.json b/apps/admin/src/messages/de.json
index 267ff3c..7554210 100644
--- a/apps/admin/src/messages/de.json
+++ b/apps/admin/src/messages/de.json
@@ -13,12 +13,14 @@
     "titles": {
       "signIn": "Bei CMS Admin anmelden",
       "signUpOwner": "Willkommen bei CMS Admin",
-      "signUpUser": "Admin-Konto erstellen"
+      "signUpUser": "Admin-Konto erstellen",
+      "signUpDisabled": "Registrierung ist deaktiviert"
     },
     "descriptions": {
       "signIn": "Better Auth ist in dieser App über /api/auth aktiv.",
       "signUpOwner": "Erstelle das erste Owner-Konto, um diese Admin-Instanz zu initialisieren.",
-      "signUpUser": "Selbstregistrierung für Admin-Benutzer ist aktiviert."
+      "signUpUser": "Selbstregistrierung für Admin-Benutzer ist aktiviert.",
+      "signUpDisabled": "Selbstregistrierung wurde von einer Administratorin oder einem Administrator deaktiviert."
     },
     "fields": {
       "name": "Name",
@@ -42,7 +44,8 @@
     },
     "messages": {
       "ownerCreated": "Owner-Konto erstellt. Registrierung ist jetzt deaktiviert.",
-      "accountCreated": "Konto erstellt."
+      "accountCreated": "Konto erstellt.",
+      "registrationDisabled": "Für diese Admin-Instanz ist die Registrierung deaktiviert. Bitte wende dich an eine Administratorin oder einen Administrator."
     },
     "errors": {
       "nameRequired": "Name ist für die Kontoerstellung erforderlich",
@@ -52,6 +55,33 @@
       "networkSignUp": "Netzwerkfehler bei der Registrierung"
     }
   },
+  "settings": {
+    "badge": "Admin-Einstellungen",
+    "title": "Einstellungen",
+    "description": "Verwalte Laufzeitrichtlinien für Authentifizierung und Onboarding im Admin-Bereich.",
+    "actions": {
+      "backToDashboard": "Zurück zum Dashboard"
+    },
+    "registration": {
+      "title": "Admin-Selbstregistrierung",
+      "description": "Wenn aktiviert, können über /register nach der initialen Owner-Erstellung weitere Admin-Konten erstellt werden.",
+      "currentStatusLabel": "Aktueller Status",
+      "status": {
+        "enabled": "Aktiviert",
+        "disabled": "Deaktiviert"
+      },
+      "checkboxLabel": "Selbstregistrierung auf /register für Admin-Benutzer erlauben",
+      "actions": {
+        "save": "Registrierungsrichtlinie speichern"
+      },
+      "success": {
+        "updated": "Registrierungsrichtlinie aktualisiert."
+      },
+      "errors": {
+        "updateFailed": "Speichern der Einstellungen fehlgeschlagen. Stelle sicher, dass Datenbankmigrationen angewendet wurden."
+      }
+    }
+  },
   "dashboard": {
     "badge": "Admin-App",
     "title": "Content-Dashboard",
diff --git a/apps/admin/src/messages/en.json b/apps/admin/src/messages/en.json
index b23adfb..6507ce4 100644
--- a/apps/admin/src/messages/en.json
+++ b/apps/admin/src/messages/en.json
@@ -13,12 +13,14 @@
     "titles": {
       "signIn": "Sign in to CMS Admin",
       "signUpOwner": "Welcome to CMS Admin",
-      "signUpUser": "Create an admin account"
+      "signUpUser": "Create an admin account",
+      "signUpDisabled": "Registration is disabled"
     },
     "descriptions": {
       "signIn": "Better Auth is active on this app via /api/auth.",
       "signUpOwner": "Create the first owner account to initialize this admin instance.",
-      "signUpUser": "Self-registration is enabled for admin users."
+      "signUpUser": "Self-registration is enabled for admin users.",
+      "signUpDisabled": "Self-registration is currently turned off by an administrator."
     },
     "fields": {
       "name": "Name",
@@ -42,7 +44,8 @@
     },
     "messages": {
       "ownerCreated": "Owner account created. Registration is now disabled.",
-      "accountCreated": "Account created."
+      "accountCreated": "Account created.",
+      "registrationDisabled": "Registration is disabled for this admin instance. Ask an administrator to create an account or enable self-registration."
     },
     "errors": {
       "nameRequired": "Name is required for account creation",
@@ -52,6 +55,33 @@
       "networkSignUp": "Network error while signing up"
     }
   },
+  "settings": {
+    "badge": "Admin Settings",
+    "title": "Settings",
+    "description": "Manage runtime policies for the admin authentication and onboarding flow.",
+    "actions": {
+      "backToDashboard": "Back to dashboard"
+    },
+    "registration": {
+      "title": "Admin self-registration",
+      "description": "When enabled, /register can create additional admin accounts after initial owner bootstrap.",
+      "currentStatusLabel": "Current status",
+      "status": {
+        "enabled": "Enabled",
+        "disabled": "Disabled"
+      },
+      "checkboxLabel": "Allow self-registration on /register for admin users",
+      "actions": {
+        "save": "Save registration policy"
+      },
+      "success": {
+        "updated": "Registration policy updated."
+      },
+      "errors": {
+        "updateFailed": "Saving settings failed. Ensure database migrations are applied."
+      }
+    }
+  },
   "dashboard": {
     "badge": "Admin App",
     "title": "Content Dashboard",
diff --git a/apps/admin/src/messages/es.json b/apps/admin/src/messages/es.json
index 52764f3..698e634 100644
--- a/apps/admin/src/messages/es.json
+++ b/apps/admin/src/messages/es.json
@@ -13,12 +13,14 @@
     "titles": {
       "signIn": "Iniciar sesión en CMS Admin",
       "signUpOwner": "Bienvenido a CMS Admin",
-      "signUpUser": "Crear una cuenta de admin"
+      "signUpUser": "Crear una cuenta de admin",
+      "signUpDisabled": "El registro está deshabilitado"
     },
     "descriptions": {
       "signIn": "Better Auth está activo en esta app mediante /api/auth.",
       "signUpOwner": "Crea la primera cuenta owner para inicializar esta instancia de administración.",
-      "signUpUser": "El registro automático está habilitado para usuarios admin."
+      "signUpUser": "El registro automático está habilitado para usuarios admin.",
+      "signUpDisabled": "El auto-registro está desactivado actualmente por un administrador."
     },
     "fields": {
       "name": "Nombre",
@@ -42,7 +44,8 @@
     },
     "messages": {
       "ownerCreated": "Cuenta owner creada. El registro ahora está deshabilitado.",
-      "accountCreated": "Cuenta creada."
+      "accountCreated": "Cuenta creada.",
+      "registrationDisabled": "El registro está deshabilitado para esta instancia de administración. Pide a un administrador que cree una cuenta o habilite el auto-registro."
     },
     "errors": {
       "nameRequired": "El nombre es obligatorio para crear la cuenta",
@@ -52,6 +55,33 @@
       "networkSignUp": "Error de red al registrarse"
     }
   },
+  "settings": {
+    "badge": "Ajustes de Admin",
+    "title": "Ajustes",
+    "description": "Gestiona políticas de ejecución para autenticación y onboarding del panel admin.",
+    "actions": {
+      "backToDashboard": "Volver al panel"
+    },
+    "registration": {
+      "title": "Auto-registro de admin",
+      "description": "Cuando está habilitado, /register puede crear cuentas admin adicionales después del bootstrap inicial del owner.",
+      "currentStatusLabel": "Estado actual",
+      "status": {
+        "enabled": "Habilitado",
+        "disabled": "Deshabilitado"
+      },
+      "checkboxLabel": "Permitir auto-registro en /register para usuarios admin",
+      "actions": {
+        "save": "Guardar política de registro"
+      },
+      "success": {
+        "updated": "Política de registro actualizada."
+      },
+      "errors": {
+        "updateFailed": "No se pudieron guardar los ajustes. Asegúrate de que las migraciones de base de datos estén aplicadas."
+      }
+    }
+  },
   "dashboard": {
     "badge": "App Admin",
     "title": "Panel de Contenido",
diff --git a/apps/admin/src/messages/fr.json b/apps/admin/src/messages/fr.json
index 85acb74..50daaf6 100644
--- a/apps/admin/src/messages/fr.json
+++ b/apps/admin/src/messages/fr.json
@@ -13,12 +13,14 @@
     "titles": {
       "signIn": "Se connecter à CMS Admin",
       "signUpOwner": "Bienvenue sur CMS Admin",
-      "signUpUser": "Créer un compte admin"
+      "signUpUser": "Créer un compte admin",
+      "signUpDisabled": "L’inscription est désactivée"
     },
     "descriptions": {
       "signIn": "Better Auth est actif sur cette application via /api/auth.",
       "signUpOwner": "Créez le premier compte owner pour initialiser cette instance d’administration.",
-      "signUpUser": "L’auto-inscription est activée pour les utilisateurs admin."
+      "signUpUser": "L’auto-inscription est activée pour les utilisateurs admin.",
+      "signUpDisabled": "L’auto-inscription est actuellement désactivée par un administrateur."
     },
     "fields": {
       "name": "Nom",
@@ -42,7 +44,8 @@
     },
     "messages": {
       "ownerCreated": "Compte owner créé. L’inscription est maintenant désactivée.",
-      "accountCreated": "Compte créé."
+      "accountCreated": "Compte créé.",
+      "registrationDisabled": "L’inscription est désactivée pour cette instance admin. Demandez à un administrateur de créer un compte ou de réactiver l’auto-inscription."
     },
     "errors": {
       "nameRequired": "Le nom est requis pour créer un compte",
@@ -52,6 +55,33 @@
       "networkSignUp": "Erreur réseau lors de l’inscription"
     }
   },
+  "settings": {
+    "badge": "Paramètres Admin",
+    "title": "Paramètres",
+    "description": "Gérez les politiques d’exécution pour l’authentification et l’onboarding de l’admin.",
+    "actions": {
+      "backToDashboard": "Retour au tableau de bord"
+    },
+    "registration": {
+      "title": "Auto-inscription admin",
+      "description": "Lorsqu’elle est activée, /register peut créer des comptes admin supplémentaires après l’initialisation du premier owner.",
+      "currentStatusLabel": "Statut actuel",
+      "status": {
+        "enabled": "Activé",
+        "disabled": "Désactivé"
+      },
+      "checkboxLabel": "Autoriser l’auto-inscription sur /register pour les utilisateurs admin",
+      "actions": {
+        "save": "Enregistrer la politique d’inscription"
+      },
+      "success": {
+        "updated": "Politique d’inscription mise à jour."
+      },
+      "errors": {
+        "updateFailed": "Échec de l’enregistrement des paramètres. Vérifiez que les migrations de base de données sont appliquées."
+      }
+    }
+  },
   "dashboard": {
     "badge": "Application Admin",
     "title": "Tableau de bord contenu",
diff --git a/docs/product-engineering/auth-baseline.md b/docs/product-engineering/auth-baseline.md
index d604b2b..7a01497 100644
--- a/docs/product-engineering/auth-baseline.md
+++ b/docs/product-engineering/auth-baseline.md
@@ -39,6 +39,7 @@ Optional:
 
 - Support user bootstrap is available via `bun run auth:seed:support`.
 - Root `bun run db:seed` runs DB seed and support-user seed.
-- `CMS_ADMIN_SELF_REGISTRATION_ENABLED` is temporary until admin settings UI manages this policy.
+- `CMS_ADMIN_SELF_REGISTRATION_ENABLED` is now a fallback/default only.
+- Runtime source of truth is admin settings (`/settings`) backed by `system_setting`.
 - Owner/support checks for future admin user-management mutations remain tracked in `TODO.md`.
 - Email verification and forgot/reset password pipelines are tracked for MVP2.
diff --git a/packages/db/prisma/migrations/20260210200148_admin_registration_policy_setting/migration.sql b/packages/db/prisma/migrations/20260210200148_admin_registration_policy_setting/migration.sql
new file mode 100644
index 0000000..4dbabbc
--- /dev/null
+++ b/packages/db/prisma/migrations/20260210200148_admin_registration_policy_setting/migration.sql
@@ -0,0 +1,9 @@
+-- CreateTable
+CREATE TABLE "system_setting" (
+    "key" TEXT NOT NULL,
+    "value" TEXT NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "system_setting_pkey" PRIMARY KEY ("key")
+);
diff --git a/packages/db/prisma/schema.prisma b/packages/db/prisma/schema.prisma
index 33ce8dd..2154806 100644
--- a/packages/db/prisma/schema.prisma
+++ b/packages/db/prisma/schema.prisma
@@ -87,3 +87,12 @@ model Verification {
   @@index([identifier])
   @@map("verification")
 }
+
+model SystemSetting {
+  key       String   @id
+  value     String
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  @@map("system_setting")
+}
diff --git a/packages/db/src/index.ts b/packages/db/src/index.ts
index 91418cb..4f14908 100644
--- a/packages/db/src/index.ts
+++ b/packages/db/src/index.ts
@@ -7,3 +7,4 @@ export {
   registerPostCrudAuditHook,
   updatePost,
 } from "./posts"
+export { isAdminSelfRegistrationEnabled, setAdminSelfRegistrationEnabled } from "./settings"
diff --git a/packages/db/src/settings.ts b/packages/db/src/settings.ts
new file mode 100644
index 0000000..fb3cd12
--- /dev/null
+++ b/packages/db/src/settings.ts
@@ -0,0 +1,56 @@
+import { db } from "./client"
+
+const ADMIN_SELF_REGISTRATION_KEY = "admin.self_registration_enabled"
+
+function resolveEnvFallback(): boolean {
+  return process.env.CMS_ADMIN_SELF_REGISTRATION_ENABLED === "true"
+}
+
+function parseStoredBoolean(value: string): boolean | null {
+  if (value === "true") {
+    return true
+  }
+
+  if (value === "false") {
+    return false
+  }
+
+  return null
+}
+
+export async function isAdminSelfRegistrationEnabled(): Promise<boolean> {
+  try {
+    const setting = await db.systemSetting.findUnique({
+      where: { key: ADMIN_SELF_REGISTRATION_KEY },
+      select: { value: true },
+    })
+
+    if (!setting) {
+      return resolveEnvFallback()
+    }
+
+    const parsed = parseStoredBoolean(setting.value)
+
+    if (parsed === null) {
+      return resolveEnvFallback()
+    }
+
+    return parsed
+  } catch {
+    // Fallback while migrations are not yet applied in a local environment.
+    return resolveEnvFallback()
+  }
+}
+
+export async function setAdminSelfRegistrationEnabled(enabled: boolean): Promise<void> {
+  await db.systemSetting.upsert({
+    where: { key: ADMIN_SELF_REGISTRATION_KEY },
+    create: {
+      key: ADMIN_SELF_REGISTRATION_KEY,
+      value: enabled ? "true" : "false",
+    },
+    update: {
+      value: enabled ? "true" : "false",
+    },
+  })
+}
diff --git a/packages/ui/src/components/button.tsx b/packages/ui/src/components/button.tsx
index be5462f..ab10d0e 100644
--- a/packages/ui/src/components/button.tsx
+++ b/packages/ui/src/components/button.tsx
@@ -8,7 +8,7 @@ const buttonVariants = cva(
   {
     variants: {
       variant: {
-        default: "bg-neutral-900 text-neutral-50 hover:bg-neutral-800",
+        default: "bg-neutral-900 text-white hover:bg-neutral-800",
         secondary: "bg-neutral-100 text-neutral-900 hover:bg-neutral-200",
         ghost: "hover:bg-neutral-100 hover:text-neutral-900",
       },

From 4ac74101487e0bb220215328510fd4344c9110e3 Mon Sep 17 00:00:00 2001
From: Citali <git@fellies.email>
Date: Tue, 10 Feb 2026 21:11:49 +0100
Subject: [PATCH 3/4] test(admin): cover support fallback route and mark todo
 complete

---
 TODO.md                           |  2 +-
 apps/admin/src/lib/access.test.ts | 24 ++++++++++++++++++++++++
 e2e/support-auth.pw.ts            | 20 ++++++++++++++++++++
 3 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 apps/admin/src/lib/access.test.ts
 create mode 100644 e2e/support-auth.pw.ts

diff --git a/TODO.md b/TODO.md
index ee0fa67..0d71663 100644
--- a/TODO.md
+++ b/TODO.md
@@ -31,7 +31,7 @@ This file is the single source of truth for roadmap and delivery progress.
 - [x] [P1] Admin registration policy control (allow/deny self-registration for admin panel)
 - [x] [P1] First-start onboarding route for initial owner creation (`/welcome`)
 - [x] [P1] Split auth entry points (`/welcome`, `/login`, `/register`) with cross-links
-- [~] [P2] Support fallback sign-in route (`/support/:key`) as break-glass access
+- [x] [P2] Support fallback sign-in route (`/support/:key`) as break-glass access
 - [~] [P1] Reusable CRUD base patterns (list/detail/editor/service/repository)
 - [~] [P1] Shared CRUD validation strategy (Zod + server-side enforcement)
 - [~] [P1] Shared error and audit hooks for CRUD mutations
diff --git a/apps/admin/src/lib/access.test.ts b/apps/admin/src/lib/access.test.ts
new file mode 100644
index 0000000..717e061
--- /dev/null
+++ b/apps/admin/src/lib/access.test.ts
@@ -0,0 +1,24 @@
+import { describe, expect, it } from "vitest"
+
+import { canAccessRoute, getRequiredPermission, isPublicRoute } from "./access"
+
+describe("admin route access rules", () => {
+  it("treats support fallback route as public", () => {
+    expect(isPublicRoute("/support/support-access")).toBe(true)
+    expect(canAccessRoute("editor", "/support/support-access")).toBe(true)
+  })
+
+  it("keeps settings route restricted to role with users:manage_roles", () => {
+    expect(isPublicRoute("/settings")).toBe(false)
+    expect(canAccessRoute("manager", "/settings")).toBe(false)
+    expect(canAccessRoute("admin", "/settings")).toBe(true)
+    expect(canAccessRoute("owner", "/settings")).toBe(true)
+  })
+
+  it("resolves route-specific permission requirements", () => {
+    expect(getRequiredPermission("/todo")).toEqual({
+      permission: "roadmap:read",
+      scope: "global",
+    })
+  })
+})
diff --git a/e2e/support-auth.pw.ts b/e2e/support-auth.pw.ts
new file mode 100644
index 0000000..d334213
--- /dev/null
+++ b/e2e/support-auth.pw.ts
@@ -0,0 +1,20 @@
+import { expect, test } from "@playwright/test"
+
+const SUPPORT_LOGIN_KEY = process.env.CMS_SUPPORT_LOGIN_KEY ?? "support-access"
+
+test.describe("support fallback route", () => {
+  test("valid support key opens sign-in page", async ({ page }, testInfo) => {
+    test.skip(testInfo.project.name !== "admin-chromium")
+
+    await page.goto(`/support/${SUPPORT_LOGIN_KEY}`)
+
+    await expect(page.getByRole("heading", { name: /sign in to cms admin/i })).toBeVisible()
+  })
+
+  test("invalid support key returns not found", async ({ page }, testInfo) => {
+    test.skip(testInfo.project.name !== "admin-chromium")
+
+    const response = await page.goto("/support/invalid-key")
+    expect(response?.status()).toBe(404)
+  })
+})

From 4d4b583cf4dcb0f3b99f74c666af15d3b1a0fc59 Mon Sep 17 00:00:00 2001
From: Citali <git@fellies.email>
Date: Tue, 10 Feb 2026 21:17:41 +0100
Subject: [PATCH 4/4] test(ci): add quality gates, e2e data prep, and i18n
 integration coverage

---
 .gitea/workflows/ci.yml                      | 70 ++++++++++++++++++++
 README.md                                    |  3 +
 TODO.md                                      | 10 ++-
 docs/.vitepress/config.mts                   |  1 +
 docs/product-engineering/index.md            |  1 +
 docs/product-engineering/testing-strategy.md | 33 +++++++++
 docs/workflow.md                             |  4 +-
 e2e/i18n.pw.ts                               | 29 ++++++++
 package.json                                 |  7 +-
 9 files changed, 150 insertions(+), 8 deletions(-)
 create mode 100644 .gitea/workflows/ci.yml
 create mode 100644 docs/product-engineering/testing-strategy.md
 create mode 100644 e2e/i18n.pw.ts

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
new file mode 100644
index 0000000..fe71858
--- /dev/null
+++ b/.gitea/workflows/ci.yml
@@ -0,0 +1,70 @@
+name: CMS CI
+
+on:
+  pull_request:
+  push:
+    branches:
+      - dev
+      - staging
+      - main
+  workflow_dispatch:
+
+env:
+  BUN_VERSION: "1.3.5"
+  NODE_ENV: "test"
+  DATABASE_URL: "postgresql://postgres:postgres@postgres:5432/cms?schema=public"
+  BETTER_AUTH_SECRET: "ci-test-secret-change-me"
+  BETTER_AUTH_URL: "http://localhost:3001"
+  CMS_ADMIN_ORIGIN: "http://127.0.0.1:3001"
+  CMS_WEB_ORIGIN: "http://127.0.0.1:3000"
+  CMS_ADMIN_SELF_REGISTRATION_ENABLED: "false"
+  CMS_SUPPORT_USERNAME: "support"
+  CMS_SUPPORT_EMAIL: "support@cms.local"
+  CMS_SUPPORT_PASSWORD: "support-ci-password"
+  CMS_SUPPORT_NAME: "Technical Support"
+  CMS_SUPPORT_LOGIN_KEY: "support-access"
+
+jobs:
+  quality:
+    name: Lint Typecheck Unit E2E
+    runs-on: ubuntu-latest
+    services:
+      postgres:
+        image: postgres:16-alpine
+        env:
+          POSTGRES_DB: cms
+          POSTGRES_USER: postgres
+          POSTGRES_PASSWORD: postgres
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd "pg_isready -U postgres -d cms"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: ${{ env.BUN_VERSION }}
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Install Playwright browser deps
+        run: bunx playwright install --with-deps chromium
+
+      - name: Lint and format checks
+        run: bun run check
+
+      - name: Typecheck
+        run: bun run typecheck
+
+      - name: Unit and integration tests
+        run: bun run test
+
+      - name: E2E tests
+        run: bun run test:e2e
diff --git a/README.md b/README.md
index 12eb566..ac3377f 100644
--- a/README.md
+++ b/README.md
@@ -69,6 +69,7 @@ bun run dev
 - `bun run test`
 - `bun run test:watch`
 - `bun run test:coverage`
+- `bun run test:e2e:prepare`
 - `bun run test:e2e`
 - `bun run lint`
 - `bun run typecheck`
@@ -85,6 +86,7 @@ bun run dev
 - Unit/integration/component: Vitest + Testing Library + MSW
 - E2E: Playwright (separate projects for `web` and `admin`)
 - Use `bun run test` and `bun run test:e2e` (not plain `bun test`, which uses Bun's runner)
+- E2E data prep (migrations + seed): `bun run test:e2e:prepare`
 
 One-time Playwright browser install:
 
@@ -97,6 +99,7 @@ bunx playwright install
 The repo includes a theoretical CI/CD and deployment baseline:
 
 - Gitea workflow: `.gitea/workflows/ci-cd-theoretical.yml`
+- Real quality gate workflow: `.gitea/workflows/ci.yml`
 - App images:
   - `apps/web/Dockerfile`
   - `apps/admin/Dockerfile`
diff --git a/TODO.md b/TODO.md
index 0d71663..7eff558 100644
--- a/TODO.md
+++ b/TODO.md
@@ -61,11 +61,11 @@ This file is the single source of truth for roadmap and delivery progress.
 
 - [x] [P1] Vitest + Testing Library + MSW baseline
 - [x] [P1] Playwright baseline with web/admin projects
-- [ ] [P1] CI workflow for lint/typecheck/unit/e2e gates
-- [ ] [P1] Test data strategy (seed fixtures + isolated e2e data)
+- [x] [P1] CI workflow for lint/typecheck/unit/e2e gates
+- [x] [P1] Test data strategy (seed fixtures + isolated e2e data)
 - [~] [P1] RBAC policy unit tests and permission regression suite
 - [ ] [P1] i18n unit tests (locale resolution, fallback, message key loading)
-- [ ] [P1] i18n integration tests (admin/public locale switch and persistence)
+- [x] [P1] i18n integration tests (admin/public locale switch and persistence)
 - [ ] [P1] i18n e2e smoke tests (localized headings/content per route)
 - [ ] [P1] CRUD contract tests for shared service patterns
 
@@ -160,6 +160,8 @@ This file is the single source of truth for roadmap and delivery progress.
 - [ ] [P1] Forgot password/reset password pipeline and support tooling
 - [ ] [P2] GUI page to edit role-permission mappings with safety guardrails
 - [ ] [P2] Translation management UI for admin (language toggles, key coverage, missing translation markers)
+- [ ] [P2] Time-boxed support access keys generated by privileged admins; while active, disable direct support-user password login on the regular auth form
+- [ ] [P2] Keep permanent emergency support key fallback via env (`CMS_SUPPORT_LOGIN_KEY`)
 - [ ] [P2] Error boundaries and UX fallback states
 
 ### Public App
@@ -199,6 +201,8 @@ This file is the single source of truth for roadmap and delivery progress.
 - [2026-02-10] Admin dashboard includes a temporary posts CRUD sandbox (create/update/delete) to validate the shared CRUD base through the real app UI.
 - [2026-02-10] Admin i18n baseline now resolves locale from cookie and loads runtime message dictionaries in root layout; admin locale switcher is active on auth and dashboard views.
 - [2026-02-10] Admin self-registration policy is now managed via `/settings` and persisted in `system_setting`; env var is fallback/default only.
+- [2026-02-10] E2E now runs with deterministic preparation (`test:e2e:prepare`: generate + migrate deploy + seed) before Playwright execution.
+- [2026-02-10] CI quality workflow `.gitea/workflows/ci.yml` enforces `check`, `typecheck`, `test`, and `test:e2e` against a PostgreSQL service.
 
 ## How We Use This File
 
diff --git a/docs/.vitepress/config.mts b/docs/.vitepress/config.mts
index 92a27bf..92e508e 100644
--- a/docs/.vitepress/config.mts
+++ b/docs/.vitepress/config.mts
@@ -23,6 +23,7 @@ export default defineConfig({
           { text: "CRUD Baseline", link: "/product-engineering/crud-baseline" },
           { text: "i18n Baseline", link: "/product-engineering/i18n-baseline" },
           { text: "RBAC And Permissions", link: "/product-engineering/rbac-permission-model" },
+          { text: "Testing Strategy", link: "/product-engineering/testing-strategy" },
           { text: "Workflow", link: "/workflow" },
         ],
       },
diff --git a/docs/product-engineering/index.md b/docs/product-engineering/index.md
index 2d5fd11..5735cc1 100644
--- a/docs/product-engineering/index.md
+++ b/docs/product-engineering/index.md
@@ -8,6 +8,7 @@ This section covers platform and implementation documentation for engineers and
 - [Architecture](/architecture)
 - [Better Auth Baseline](/product-engineering/auth-baseline)
 - [RBAC And Permissions](/product-engineering/rbac-permission-model)
+- [Testing Strategy Baseline](/product-engineering/testing-strategy)
 - [Workflow](/workflow)
 
 ## Scope
diff --git a/docs/product-engineering/testing-strategy.md b/docs/product-engineering/testing-strategy.md
new file mode 100644
index 0000000..0df677a
--- /dev/null
+++ b/docs/product-engineering/testing-strategy.md
@@ -0,0 +1,33 @@
+# Testing Strategy Baseline
+
+## Goals
+
+- Keep lint, typecheck, unit/integration, and e2e as mandatory quality gates.
+- Make e2e runs deterministic by preparing schema and seeded data before test execution.
+- Keep test data isolated per environment (`dev` local, CI database service in workflow).
+
+## Current Gate Stack
+
+- `bun run check`
+- `bun run typecheck`
+- `bun run test`
+- `bun run test:e2e`
+
+## Data Preparation
+
+- `bun run test:e2e:prepare` runs:
+  - Prisma client generation
+  - migration deploy
+  - seed data (including support user bootstrap)
+- `bun run test:e2e` and related scripts call `test:e2e:prepare` automatically.
+
+## Locale Integration Coverage
+
+- `e2e/i18n.pw.ts` covers:
+  - web locale switch + persistence
+  - admin locale switch + persistence
+
+## CI
+
+- Real quality workflow: `.gitea/workflows/ci.yml`
+- Uses a PostgreSQL service container and runs the full gate stack, including e2e.
diff --git a/docs/workflow.md b/docs/workflow.md
index c72cdf7..4946754 100644
--- a/docs/workflow.md
+++ b/docs/workflow.md
@@ -15,10 +15,10 @@ Follow `BRANCHING.md`:
 
 ## Quality Gates
 
-- `bun run lint`
+- `bun run check`
 - `bun run typecheck`
 - `bun run test`
-- `bun run test:e2e --list`
+- `bun run test:e2e`
 
 ## Changelog
 
diff --git a/e2e/i18n.pw.ts b/e2e/i18n.pw.ts
new file mode 100644
index 0000000..01d6ff9
--- /dev/null
+++ b/e2e/i18n.pw.ts
@@ -0,0 +1,29 @@
+import { expect, test } from "@playwright/test"
+
+test.describe("i18n integration", () => {
+  test("web language switcher updates and persists locale", async ({ page }, testInfo) => {
+    test.skip(testInfo.project.name !== "web-chromium")
+
+    await page.goto("/")
+    await expect(page.getByRole("heading", { name: /your next\.js cms frontend/i })).toBeVisible()
+
+    await page.locator("select").first().selectOption("de")
+    await expect(page.getByRole("heading", { name: /dein next\.js cms frontend/i })).toBeVisible()
+
+    await page.reload()
+    await expect(page.getByRole("heading", { name: /dein next\.js cms frontend/i })).toBeVisible()
+  })
+
+  test("admin language switcher updates and persists locale", async ({ page }, testInfo) => {
+    test.skip(testInfo.project.name !== "admin-chromium")
+
+    await page.goto("/login")
+    await expect(page.getByRole("heading", { name: /sign in to cms admin/i })).toBeVisible()
+
+    await page.locator("select").first().selectOption("de")
+    await expect(page.getByRole("heading", { name: /bei cms admin anmelden/i })).toBeVisible()
+
+    await page.reload()
+    await expect(page.getByRole("heading", { name: /bei cms admin anmelden/i })).toBeVisible()
+  })
+})
diff --git a/package.json b/package.json
index d6b2c84..28f8647 100644
--- a/package.json
+++ b/package.json
@@ -18,9 +18,10 @@
     "test": "vitest run",
     "test:watch": "vitest",
     "test:coverage": "vitest run --coverage",
-    "test:e2e": "bun run db:generate && playwright test",
-    "test:e2e:headed": "bun run db:generate && playwright test --headed",
-    "test:e2e:ui": "bun run db:generate && playwright test --ui",
+    "test:e2e:prepare": "bun run db:generate && bun run db:migrate:deploy && bun run db:seed",
+    "test:e2e": "bun run test:e2e:prepare && playwright test",
+    "test:e2e:headed": "bun run test:e2e:prepare && playwright test --headed",
+    "test:e2e:ui": "bun run test:e2e:prepare && playwright test --ui",
     "commitlint": "commitlint --last",
     "changelog:preview": "conventional-changelog -p conventionalcommits -r 0",
     "changelog:release": "conventional-changelog -p conventionalcommits -i CHANGELOG.md -s",