feat(admin-auth): add first-start onboarding flow and dev db reset command

docs/getting-started.md

@@ -20,6 +20,12 @@ bun run db:migrate
 bun run db:seed
 ```
 
+Reset local dev DB:
+
+```bash
+bun run db:reset:dev
+```
+
 ## Run apps
 
 ```bash
@@ -28,7 +34,9 @@ bun run dev
 
 - Web: `http://localhost:3000`
 - Admin: `http://localhost:3001`
+- Admin welcome (first start): `http://localhost:3001/welcome`
 - Admin login: `http://localhost:3001/login`
+- Admin register (when enabled): `http://localhost:3001/register`
 
 ## Run docs
 

docs/product-engineering/auth-baseline.md

@@ -8,9 +8,10 @@ Implemented in MVP0:
 
 - Admin-local auth config: `apps/admin/src/lib/auth/server.ts`
 - Admin auth API routes: `apps/admin/src/app/api/auth/[...all]/route.ts`
-- Admin login page: `/login`
+- Admin auth pages: `/welcome`, `/login`, `/register`
+- Support fallback sign-in page: `/support/<CMS_SUPPORT_LOGIN_KEY>`
 - Prisma auth models (`user`, `session`, `account`, `verification`)
-- Registration toggle via `CMS_ADMIN_REGISTRATION_ENABLED`
+- First registration creates owner; subsequent registrations are disabled
 
 ## Environment
 
@@ -24,10 +25,18 @@ Required variables:
 
 Optional:
 
-- `CMS_ADMIN_REGISTRATION_ENABLED`
+- `CMS_ADMIN_SELF_REGISTRATION_ENABLED`
+- `CMS_SUPPORT_USERNAME`
+- `CMS_SUPPORT_EMAIL`
+- `CMS_SUPPORT_PASSWORD`
+- `CMS_SUPPORT_NAME`
+- `CMS_SUPPORT_LOGIN_KEY`
 - `CMS_DEV_ROLE` (development-only middleware bypass)
 
 ## Notes
 
-- Owner bootstrap, hidden support user, and owner invariant are tracked as upcoming MVP0 tasks in `TODO.md`.
+- Support user bootstrap is available via `bun run auth:seed:support`.
+- Root `bun run db:seed` runs DB seed and support-user seed.
+- `CMS_ADMIN_SELF_REGISTRATION_ENABLED` is temporary until admin settings UI manages this policy.
+- Owner invariant hardening for all future user-management mutations remains tracked in `TODO.md`.
 - Email verification and forgot/reset password pipelines are tracked for MVP2.