feat(web-i18n): add es/fr locales and expand switcher locale set

TODO.md

@@ -21,9 +21,9 @@ This file is the single source of truth for roadmap and delivery progress.
 - [x] [P1] RBAC domain model finalized (roles, permissions, resource scopes)
 - [x] [P1] RBAC enforcement at route and action level in admin
 - [x] [P1] Permission matrix documented and tested
-- [ ] [P1] i18n baseline architecture (default locale, supported locales, routing strategy)
-- [ ] [P1] i18n runtime integration baseline for both apps (locale provider + message loading)
-- [ ] [P1] Locale persistence and switcher base component (cookie/header + UI)
+- [~] [P1] i18n baseline architecture (default locale, supported locales, routing strategy)
+- [~] [P1] i18n runtime integration baseline for both apps (locale provider + message loading)
+- [~] [P1] Locale persistence and switcher base component (cookie/header + UI)
 - [x] [P1] Integrate Better Auth core configuration and session wiring
 - [x] [P1] Bootstrap first-run owner account creation via initial registration flow
 - [x] [P1] Enforce invariant: exactly one owner user must always exist
@@ -192,6 +192,8 @@ This file is the single source of truth for roadmap and delivery progress.
 - [2026-02-10] Next.js 16 deprecates `middleware.ts` convention in favor of `proxy.ts`; admin route guard now lives at `apps/admin/src/proxy.ts`.
 - [2026-02-10] `server-only` imports break Bun CLI scripts; shared auth bootstrap code used by scripts must avoid Next-only runtime markers.
 - [2026-02-10] Auth delete-account endpoints now block protected users (support + canonical owner); admin user-management delete/demote guards remain to be implemented.
+- [2026-02-10] Public app i18n baseline now uses `next-intl` with a Zustand-backed language switcher and path-stable routes; admin i18n runtime is still pending.
+- [2026-02-10] Public baseline locales are now `de`, `en`, `es`, `fr`; locale enable/disable policy will move to admin settings later.
 
 ## How We Use This File