feat(web): complete MVP0 public layout, banner, and SEO baseline

.gitea/workflows/ci.yml

@@ -0,0 +1,70 @@
+name: CMS CI
+
+on:
+  pull_request:
+  push:
+    branches:
+      - dev
+      - staging
+      - main
+  workflow_dispatch:
+
+env:
+  BUN_VERSION: "1.3.5"
+  NODE_ENV: "test"
+  DATABASE_URL: "postgresql://postgres:postgres@postgres:5432/cms?schema=public"
+  BETTER_AUTH_SECRET: "ci-test-secret-change-me"
+  BETTER_AUTH_URL: "http://localhost:3001"
+  CMS_ADMIN_ORIGIN: "http://127.0.0.1:3001"
+  CMS_WEB_ORIGIN: "http://127.0.0.1:3000"
+  CMS_ADMIN_SELF_REGISTRATION_ENABLED: "false"
+  CMS_SUPPORT_USERNAME: "support"
+  CMS_SUPPORT_EMAIL: "support@cms.local"
+  CMS_SUPPORT_PASSWORD: "support-ci-password"
+  CMS_SUPPORT_NAME: "Technical Support"
+  CMS_SUPPORT_LOGIN_KEY: "support-access"
+
+jobs:
+  quality:
+    name: Lint Typecheck Unit E2E
+    runs-on: ubuntu-latest
+    services:
+      postgres:
+        image: postgres:16-alpine
+        env:
+          POSTGRES_DB: cms
+          POSTGRES_USER: postgres
+          POSTGRES_PASSWORD: postgres
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd "pg_isready -U postgres -d cms"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: ${{ env.BUN_VERSION }}
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Install Playwright browser deps
+        run: bunx playwright install --with-deps chromium
+
+      - name: Lint and format checks
+        run: bun run check
+
+      - name: Typecheck
+        run: bun run typecheck
+
+      - name: Unit and integration tests
+        run: bun run test
+
+      - name: E2E tests
+        run: bun run test:e2e

README.md

@@ -69,6 +69,7 @@ bun run dev
 - `bun run test`
 - `bun run test:watch`
 - `bun run test:coverage`
+- `bun run test:e2e:prepare`
 - `bun run test:e2e`
 - `bun run lint`
 - `bun run typecheck`
@@ -85,6 +86,7 @@ bun run dev
 - Unit/integration/component: Vitest + Testing Library + MSW
 - E2E: Playwright (separate projects for `web` and `admin`)
 - Use `bun run test` and `bun run test:e2e` (not plain `bun test`, which uses Bun's runner)
+- E2E data prep (migrations + seed): `bun run test:e2e:prepare`
 
 One-time Playwright browser install:
 
@@ -97,6 +99,7 @@ bunx playwright install
 The repo includes a theoretical CI/CD and deployment baseline:
 
 - Gitea workflow: `.gitea/workflows/ci-cd-theoretical.yml`
+- Real quality gate workflow: `.gitea/workflows/ci.yml`
 - App images:
   - `apps/web/Dockerfile`
   - `apps/admin/Dockerfile`

TODO.md

@@ -21,50 +21,51 @@ This file is the single source of truth for roadmap and delivery progress.
 - [x] [P1] RBAC domain model finalized (roles, permissions, resource scopes)
 - [x] [P1] RBAC enforcement at route and action level in admin
 - [x] [P1] Permission matrix documented and tested
-- [ ] [P1] i18n baseline architecture (default locale, supported locales, routing strategy)
-- [ ] [P1] i18n runtime integration baseline for both apps (locale provider + message loading)
-- [ ] [P1] Locale persistence and switcher base component (cookie/header + UI)
+- [x] [P1] i18n baseline architecture (default locale, supported locales, routing strategy)
+- [x] [P1] i18n runtime integration baseline for both apps (locale provider + message loading)
+- [x] [P1] Locale persistence and switcher base component (cookie/header + UI)
 - [x] [P1] Integrate Better Auth core configuration and session wiring
 - [x] [P1] Bootstrap first-run owner account creation via initial registration flow
-- [ ] [P1] Enforce invariant: exactly one owner user must always exist
+- [x] [P1] Enforce invariant: exactly one owner user must always exist
 - [x] [P1] Create hidden technical support user by default (non-demotable, non-deletable)
-- [~] [P1] Admin registration policy control (allow/deny self-registration for admin panel)
+- [x] [P1] Admin registration policy control (allow/deny self-registration for admin panel)
 - [x] [P1] First-start onboarding route for initial owner creation (`/welcome`)
 - [x] [P1] Split auth entry points (`/welcome`, `/login`, `/register`) with cross-links
-- [~] [P2] Support fallback sign-in route (`/support/:key`) as break-glass access
-- [ ] [P1] Reusable CRUD base patterns (list/detail/editor/service/repository)
-- [ ] [P1] Shared CRUD validation strategy (Zod + server-side enforcement)
-- [ ] [P1] Shared error and audit hooks for CRUD mutations
+- [x] [P2] Support fallback sign-in route (`/support/:key`) as break-glass access
+- [x] [P1] Reusable CRUD base patterns (list/detail/editor/service/repository)
+- [x] [P1] Shared CRUD validation strategy (Zod + server-side enforcement)
+- [x] [P1] Shared error and audit hooks for CRUD mutations
 
 ### Admin App
 
 - [x] [P1] Separate Next.js admin app in monorepo
 - [x] [P1] App Router + TypeScript + `src/` structure
 - [x] [P1] Shared DB access via `@cms/db`
-- [~] [P2] Base admin dashboard shell and roadmap page (`/todo`)
+- [x] [P2] Base admin dashboard shell and roadmap page (`/todo`)
 - [x] [P1] Authentication and session model (`admin`, `editor`, `manager`)
 - [x] [P1] Protected admin routes and session handling
-- [ ] [P1] Core admin IA (pages/media/users/commissions/settings)
+- [x] [P1] Temporary admin posts CRUD sandbox for baseline functional validation
+- [x] [P1] Core admin IA (pages/media/users/commissions/settings)
 
 ### Public App
 
 - [x] [P1] Separate Next.js public app in monorepo
 - [x] [P1] App Router + TypeScript + `src/` structure
-- [~] [P1] Public app connected to shared data layer
-- [ ] [P1] Localized route structure and middleware rules
-- [ ] [P2] Public layout system (header/footer/navigation)
-- [ ] [P1] Header banner rendering from CMS-managed content
-- [ ] [P2] Basic SEO defaults (metadata, OG, sitemap, robots)
+- [x] [P1] Public app connected to shared data layer
+- [x] [P1] Localized route structure and middleware rules
+- [x] [P2] Public layout system (header/footer/navigation)
+- [x] [P1] Header banner rendering from CMS-managed content
+- [x] [P2] Basic SEO defaults (metadata, OG, sitemap, robots)
 
 ### Testing
 
 - [x] [P1] Vitest + Testing Library + MSW baseline
 - [x] [P1] Playwright baseline with web/admin projects
-- [ ] [P1] CI workflow for lint/typecheck/unit/e2e gates
-- [ ] [P1] Test data strategy (seed fixtures + isolated e2e data)
+- [x] [P1] CI workflow for lint/typecheck/unit/e2e gates
+- [x] [P1] Test data strategy (seed fixtures + isolated e2e data)
 - [~] [P1] RBAC policy unit tests and permission regression suite
 - [ ] [P1] i18n unit tests (locale resolution, fallback, message key loading)
-- [ ] [P1] i18n integration tests (admin/public locale switch and persistence)
+- [x] [P1] i18n integration tests (admin/public locale switch and persistence)
 - [ ] [P1] i18n e2e smoke tests (localized headings/content per route)
 - [ ] [P1] CRUD contract tests for shared service patterns
 
@@ -73,7 +74,7 @@ This file is the single source of truth for roadmap and delivery progress.
 - [x] [P1] Docs tool baseline added (`docs/` via VitePress)
 - [x] [P1] RBAC and permission model documentation in docs site
 - [ ] [P2] i18n conventions docs (keys, namespaces, fallback, translation workflow)
-- [ ] [P1] CRUD base patterns documentation and examples
+- [~] [P1] CRUD base patterns documentation and examples
 - [ ] [P1] Environment and deployment runbook docs (dev/staging/production)
 - [ ] [P2] API and domain glossary pages
 - [ ] [P2] Architecture Decision Records (ADR) structure and first ADRs
@@ -115,7 +116,7 @@ This file is the single source of truth for roadmap and delivery progress.
 - [ ] [P1] Media refinement for artworks (medium, dimensions, year, framing, availability)
 - [ ] [P1] Users management (invite, roles, status)
 - [ ] [P1] Disable/ban user function and enforcement in auth/session checks
-- [ ] [P1] Owner/support protection rules in user management actions (cannot delete/demote)
+- [~] [P1] Owner/support protection rules in user management actions (cannot delete/demote)
 - [ ] [P1] Commissions management (request intake, owner, due date, notes)
 - [ ] [P1] Kanban workflow for commissions (new, scoped, in-progress, review, done)
 - [ ] [P1] Header banner management (message, CTA, active window)
@@ -159,6 +160,8 @@ This file is the single source of truth for roadmap and delivery progress.
 - [ ] [P1] Forgot password/reset password pipeline and support tooling
 - [ ] [P2] GUI page to edit role-permission mappings with safety guardrails
 - [ ] [P2] Translation management UI for admin (language toggles, key coverage, missing translation markers)
+- [ ] [P2] Time-boxed support access keys generated by privileged admins; while active, disable direct support-user password login on the regular auth form
+- [ ] [P2] Keep permanent emergency support key fallback via env (`CMS_SUPPORT_LOGIN_KEY`)
 - [ ] [P2] Error boundaries and UX fallback states
 
 ### Public App
@@ -191,6 +194,17 @@ This file is the single source of truth for roadmap and delivery progress.
 - [2026-02-10] Linux Playwright runtime depends on host packages; browser setup may require `playwright install --with-deps`.
 - [2026-02-10] Next.js 16 deprecates `middleware.ts` convention in favor of `proxy.ts`; admin route guard now lives at `apps/admin/src/proxy.ts`.
 - [2026-02-10] `server-only` imports break Bun CLI scripts; shared auth bootstrap code used by scripts must avoid Next-only runtime markers.
+- [2026-02-10] Auth delete-account endpoints now block protected users (support + canonical owner); admin user-management delete/demote guards remain to be implemented.
+- [2026-02-10] Public app i18n baseline now uses `next-intl` with a Zustand-backed language switcher and path-stable routes.
+- [2026-02-10] Public baseline locales are now `de`, `en`, `es`, `fr`; locale enable/disable policy will move to admin settings later.
+- [2026-02-10] Shared CRUD base (`@cms/crud`) is live with validation, not-found errors, and audit hook contracts; only posts are migrated so far.
+- [2026-02-10] Admin dashboard includes a temporary posts CRUD sandbox (create/update/delete) to validate the shared CRUD base through the real app UI.
+- [2026-02-10] Admin i18n baseline now resolves locale from cookie and loads runtime message dictionaries in root layout; admin locale switcher is active on auth and dashboard views.
+- [2026-02-10] Admin self-registration policy is now managed via `/settings` and persisted in `system_setting`; env var is fallback/default only.
+- [2026-02-10] E2E now runs with deterministic preparation (`test:e2e:prepare`: generate + migrate deploy + seed) before Playwright execution.
+- [2026-02-10] CI quality workflow `.gitea/workflows/ci.yml` enforces `check`, `typecheck`, `test`, and `test:e2e` against a PostgreSQL service.
+- [2026-02-10] Admin app now uses a shared shell with permission-aware navigation and dedicated IA routes (`/pages`, `/media`, `/users`, `/commissions`).
+- [2026-02-10] Public app now has a shared site layout (`banner/header/footer`), DB-backed header banner config, and SEO defaults (`metadata`, `robots`, `sitemap`).
 
 ## How We Use This File
 

apps/admin/package.json

@@ -14,6 +14,7 @@
   "dependencies": {
     "@cms/content": "workspace:*",
     "@cms/db": "workspace:*",
+    "@cms/i18n": "workspace:*",
     "@cms/ui": "workspace:*",
     "@tanstack/react-form": "1.28.0",
     "@tanstack/react-query": "5.90.20",

apps/admin/src/app/api/auth/[...all]/route.ts

@@ -1,5 +1,7 @@
 import {
+  auth,
   authRouteHandlers,
+  canDeleteUserAccount,
   canUserSelfRegister,
   ensureSupportUserBootstrap,
   ensureUserUsername,
@@ -40,6 +42,51 @@ function buildJsonRequest(request: Request, body: Record<string, unknown>): Requ
   })
 }
 
+function isDeleteUserAuthPath(pathname: string): boolean {
+  const actionPrefix = "/api/auth/"
+  const actionIndex = pathname.indexOf(actionPrefix)
+
+  if (actionIndex === -1) {
+    return false
+  }
+
+  const actionPath = pathname.slice(actionIndex + actionPrefix.length)
+  return actionPath === "delete-user" || actionPath.startsWith("delete-user/")
+}
+
+async function guardProtectedAccountDeletion(request: Request): Promise<Response | null> {
+  const pathname = new URL(request.url).pathname
+
+  if (!isDeleteUserAuthPath(pathname)) {
+    return null
+  }
+
+  const session = await auth.api
+    .getSession({
+      headers: request.headers,
+    })
+    .catch(() => null)
+
+  const userId = session?.user?.id
+
+  if (!userId) {
+    return null
+  }
+
+  const allowed = await canDeleteUserAccount(userId)
+
+  if (allowed) {
+    return null
+  }
+
+  return jsonResponse(
+    {
+      message: "This account is protected and cannot be deleted.",
+    },
+    403,
+  )
+}
+
 async function handleSignInPost(request: Request): Promise<Response> {
   await ensureSupportUserBootstrap()
 
@@ -136,6 +183,13 @@ async function handleSignUpPost(request: Request): Promise<Response> {
 
 export async function GET(request: Request): Promise<Response> {
   await ensureSupportUserBootstrap()
+
+  const deletionGuardResponse = await guardProtectedAccountDeletion(request)
+
+  if (deletionGuardResponse) {
+    return deletionGuardResponse
+  }
+
   return authRouteHandlers.GET(request)
 }
 
@@ -151,20 +205,48 @@ export async function POST(request: Request): Promise<Response> {
   }
 
   await ensureSupportUserBootstrap()
+
+  const deletionGuardResponse = await guardProtectedAccountDeletion(request)
+
+  if (deletionGuardResponse) {
+    return deletionGuardResponse
+  }
+
   return authRouteHandlers.POST(request)
 }
 
 export async function PATCH(request: Request): Promise<Response> {
   await ensureSupportUserBootstrap()
+
+  const deletionGuardResponse = await guardProtectedAccountDeletion(request)
+
+  if (deletionGuardResponse) {
+    return deletionGuardResponse
+  }
+
   return authRouteHandlers.PATCH(request)
 }
 
 export async function PUT(request: Request): Promise<Response> {
   await ensureSupportUserBootstrap()
+
+  const deletionGuardResponse = await guardProtectedAccountDeletion(request)
+
+  if (deletionGuardResponse) {
+    return deletionGuardResponse
+  }
+
   return authRouteHandlers.PUT(request)
 }
 
 export async function DELETE(request: Request): Promise<Response> {
   await ensureSupportUserBootstrap()
+
+  const deletionGuardResponse = await guardProtectedAccountDeletion(request)
+
+  if (deletionGuardResponse) {
+    return deletionGuardResponse
+  }
+
   return authRouteHandlers.DELETE(request)
 }

apps/admin/src/app/commissions/page.tsx

@@ -0,0 +1,34 @@
+import { AdminSectionPlaceholder } from "@/components/admin-section-placeholder"
+import { AdminShell } from "@/components/admin-shell"
+import { requirePermissionForRoute } from "@/lib/route-guards"
+
+export const dynamic = "force-dynamic"
+
+export default async function CommissionsManagementPage() {
+  const role = await requirePermissionForRoute({
+    nextPath: "/commissions",
+    permission: "commissions:read",
+    scope: "own",
+  })
+
+  return (
+    <AdminShell
+      role={role}
+      activePath="/commissions"
+      badge="Admin App"
+      title="Commissions"
+      description="Prepare commissions intake and kanban workflow tooling."
+    >
+      <AdminSectionPlaceholder
+        feature="Commissions Workflow"
+        summary="This route is reserved for request intake, ownership assignment, and kanban transitions."
+        requiredPermission="commissions:read (own)"
+        nextSteps={[
+          "Add commissions board with status columns.",
+          "Add assignment, due-date, and notes editing.",
+          "Add transition rules and audit history.",
+        ]}
+      />
+    </AdminShell>
+  )
+}

apps/admin/src/app/layout.tsx

@@ -1,6 +1,7 @@
 import type { Metadata } from "next"
 import type { ReactNode } from "react"
 
+import { getAdminMessages, resolveAdminLocale } from "@/i18n/server"
 import "./globals.css"
 import { Providers } from "./providers"
 
@@ -9,11 +10,16 @@ export const metadata: Metadata = {
   description: "Admin dashboard for the CMS monorepo",
 }
 
-export default function RootLayout({ children }: { children: ReactNode }) {
+export default async function RootLayout({ children }: { children: ReactNode }) {
+  const locale = await resolveAdminLocale()
+  const messages = await getAdminMessages(locale)
+
   return (
-    <html lang="en">
+    <html lang={locale}>
       <body>
-        <Providers>{children}</Providers>
+        <Providers locale={locale} messages={messages}>
+          {children}
+        </Providers>
       </body>
     </html>
   )

apps/admin/src/app/login/login-form.tsx

@@ -4,8 +4,11 @@ import Link from "next/link"
 import { useRouter, useSearchParams } from "next/navigation"
 import { type FormEvent, useMemo, useState } from "react"
 
+import { AdminLocaleSwitcher } from "@/components/admin-locale-switcher"
+import { useAdminT } from "@/providers/admin-i18n-provider"
+
 type LoginFormProps = {
-  mode: "signin" | "signup-owner" | "signup-user"
+  mode: "signin" | "signup-owner" | "signup-user" | "signup-disabled"
 }
 
 type AuthResponse = {
@@ -27,6 +30,7 @@ function persistRoleCookie(role: unknown) {
 export function LoginForm({ mode }: LoginFormProps) {
   const router = useRouter()
   const searchParams = useSearchParams()
+  const t = useAdminT()
 
   const nextPath = useMemo(() => searchParams.get("next") || "/", [searchParams])
 
@@ -37,6 +41,7 @@ export function LoginForm({ mode }: LoginFormProps) {
   const [isBusy, setIsBusy] = useState(false)
   const [error, setError] = useState<string | null>(null)
   const [success, setSuccess] = useState<string | null>(null)
+  const canSubmitSignUp = mode === "signup-owner" || mode === "signup-user"
 
   async function handleSignIn(event: FormEvent<HTMLFormElement>) {
     event.preventDefault()
@@ -60,7 +65,7 @@ export function LoginForm({ mode }: LoginFormProps) {
       const payload = (await response.json().catch(() => null)) as AuthResponse | null
 
       if (!response.ok) {
-        setError(payload?.message ?? "Sign in failed")
+        setError(payload?.message ?? t("auth.errors.signInFailed", "Sign in failed"))
         return
       }
 
@@ -68,7 +73,7 @@ export function LoginForm({ mode }: LoginFormProps) {
       router.push(nextPath)
       router.refresh()
     } catch {
-      setError("Network error while signing in")
+      setError(t("auth.errors.networkSignIn", "Network error while signing in"))
     } finally {
       setIsBusy(false)
     }
@@ -78,7 +83,7 @@ export function LoginForm({ mode }: LoginFormProps) {
     event.preventDefault()
 
     if (!name.trim()) {
-      setError("Name is required for account creation")
+      setError(t("auth.errors.nameRequired", "Name is required for account creation"))
       return
     }
 
@@ -104,20 +109,20 @@ export function LoginForm({ mode }: LoginFormProps) {
       const payload = (await response.json().catch(() => null)) as AuthResponse | null
 
       if (!response.ok) {
-        setError(payload?.message ?? "Sign up failed")
+        setError(payload?.message ?? t("auth.errors.signUpFailed", "Sign up failed"))
         return
       }
 
       persistRoleCookie(payload?.user?.role)
       setSuccess(
         mode === "signup-owner"
-          ? "Owner account created. Registration is now disabled."
-          : "Account created.",
+          ? t("auth.messages.ownerCreated", "Owner account created. Registration is now disabled.")
+          : t("auth.messages.accountCreated", "Account created."),
       )
       router.push(nextPath)
       router.refresh()
     } catch {
-      setError("Network error while signing up")
+      setError(t("auth.errors.networkSignUp", "Network error while signing up"))
     } finally {
       setIsBusy(false)
     }
@@ -126,24 +131,35 @@ export function LoginForm({ mode }: LoginFormProps) {
   return (
     <main className="mx-auto flex min-h-screen w-full max-w-md flex-col justify-center px-6 py-16">
       <div className="space-y-3">
-        <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">Admin Auth</p>
+        <div className="flex items-center justify-between gap-3">
+          <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">
+            {t("auth.badge", "Admin Auth")}
+          </p>
+          <AdminLocaleSwitcher />
+        </div>
         <h1 className="text-3xl font-semibold tracking-tight">
           {mode === "signin"
-            ? "Sign in to CMS Admin"
+            ? t("auth.titles.signIn", "Sign in to CMS Admin")
             : mode === "signup-owner"
-              ? "Welcome to CMS Admin"
-              : "Create an admin account"}
+              ? t("auth.titles.signUpOwner", "Welcome to CMS Admin")
+              : mode === "signup-user"
+                ? t("auth.titles.signUpUser", "Create an admin account")
+                : t("auth.titles.signUpDisabled", "Registration is disabled")}
         </h1>
         <p className="text-sm text-neutral-600">
-          {mode === "signin" ? (
-            <>
-              Better Auth is active on this app via <code>/api/auth</code>.
-            </>
-          ) : mode === "signup-owner" ? (
-            "Create the first owner account to initialize this admin instance."
-          ) : (
-            "Self-registration is enabled for admin users."
-          )}
+          {mode === "signin"
+            ? t("auth.descriptions.signIn", "Better Auth is active on this app via /api/auth.")
+            : mode === "signup-owner"
+              ? t(
+                  "auth.descriptions.signUpOwner",
+                  "Create the first owner account to initialize this admin instance.",
+                )
+              : mode === "signup-user"
+                ? t("auth.descriptions.signUpUser", "Self-registration is enabled for admin users.")
+                : t(
+                    "auth.descriptions.signUpDisabled",
+                    "Self-registration is currently turned off by an administrator.",
+                  )}
         </p>
       </div>
 
@@ -154,7 +170,7 @@ export function LoginForm({ mode }: LoginFormProps) {
         >
           <div className="space-y-1">
             <label className="text-sm font-medium" htmlFor="email">
-              Email or username
+              {t("auth.fields.emailOrUsername", "Email or username")}
             </label>
             <input
               id="email"
@@ -168,84 +184,7 @@ export function LoginForm({ mode }: LoginFormProps) {
 
           <div className="space-y-1">
             <label className="text-sm font-medium" htmlFor="password">
-              Password
-            </label>
-            <input
-              id="password"
-              type="password"
-              minLength={8}
-              required
-              value={password}
-              onChange={(event) => setPassword(event.target.value)}
-              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
-            />
-          </div>
-
-          <button
-            type="submit"
-            disabled={isBusy}
-            className="w-full rounded-md bg-neutral-900 px-4 py-2 text-sm font-medium text-white disabled:opacity-60"
-          >
-            {isBusy ? "Signing in..." : "Sign in"}
-          </button>
-
-          <p className="text-xs text-neutral-600">
-            Need an account?{" "}
-            <Link href={`/register?next=${encodeURIComponent(nextPath)}`} className="underline">
-              Register
-            </Link>
-          </p>
-
-          {error ? <p className="text-sm text-red-600">{error}</p> : null}
-        </form>
-      ) : (
-        <form
-          onSubmit={handleSignUp}
-          className="mt-8 space-y-4 rounded-xl border border-neutral-200 p-6"
-        >
-          <div className="space-y-1">
-            <label className="text-sm font-medium" htmlFor="name">
-              Name
-            </label>
-            <input
-              id="name"
-              type="text"
-              value={name}
-              onChange={(event) => setName(event.target.value)}
-              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
-            />
-          </div>
-
-          <div className="space-y-1">
-            <label className="text-sm font-medium" htmlFor="email">
-              Email
-            </label>
-            <input
-              id="email"
-              type="email"
-              required
-              value={email}
-              onChange={(event) => setEmail(event.target.value)}
-              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
-            />
-          </div>
-
-          <div className="space-y-1">
-            <label className="text-sm font-medium" htmlFor="username">
-              Username (optional)
-            </label>
-            <input
-              id="username"
-              type="text"
-              value={username}
-              onChange={(event) => setUsername(event.target.value)}
-              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
-            />
-          </div>
-
-          <div className="space-y-1">
-            <label className="text-sm font-medium" htmlFor="password">
-              Password
+              {t("auth.fields.password", "Password")}
             </label>
             <input
               id="password"
@@ -264,22 +203,115 @@ export function LoginForm({ mode }: LoginFormProps) {
             className="w-full rounded-md bg-neutral-900 px-4 py-2 text-sm font-medium text-white disabled:opacity-60"
           >
             {isBusy
-              ? "Creating account..."
-              : mode === "signup-owner"
-                ? "Create owner account"
-                : "Create account"}
+              ? t("auth.actions.signInBusy", "Signing in...")
+              : t("auth.actions.signInIdle", "Sign in")}
           </button>
 
           <p className="text-xs text-neutral-600">
-            Already have an account?{" "}
+            {t("auth.links.needAccount", "Need an account?")}{" "}
+            <Link href={`/register?next=${encodeURIComponent(nextPath)}`} className="underline">
+              {t("auth.links.register", "Register")}
+            </Link>
+          </p>
+
+          {error ? <p className="text-sm text-red-600">{error}</p> : null}
+        </form>
+      ) : canSubmitSignUp ? (
+        <form
+          onSubmit={handleSignUp}
+          className="mt-8 space-y-4 rounded-xl border border-neutral-200 p-6"
+        >
+          <div className="space-y-1">
+            <label className="text-sm font-medium" htmlFor="name">
+              {t("auth.fields.name", "Name")}
+            </label>
+            <input
+              id="name"
+              type="text"
+              value={name}
+              onChange={(event) => setName(event.target.value)}
+              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
+            />
+          </div>
+
+          <div className="space-y-1">
+            <label className="text-sm font-medium" htmlFor="email">
+              {t("auth.fields.email", "Email")}
+            </label>
+            <input
+              id="email"
+              type="email"
+              required
+              value={email}
+              onChange={(event) => setEmail(event.target.value)}
+              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
+            />
+          </div>
+
+          <div className="space-y-1">
+            <label className="text-sm font-medium" htmlFor="username">
+              {t("auth.fields.username", "Username (optional)")}
+            </label>
+            <input
+              id="username"
+              type="text"
+              value={username}
+              onChange={(event) => setUsername(event.target.value)}
+              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
+            />
+          </div>
+
+          <div className="space-y-1">
+            <label className="text-sm font-medium" htmlFor="password">
+              {t("auth.fields.password", "Password")}
+            </label>
+            <input
+              id="password"
+              type="password"
+              minLength={8}
+              required
+              value={password}
+              onChange={(event) => setPassword(event.target.value)}
+              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
+            />
+          </div>
+
+          <button
+            type="submit"
+            disabled={isBusy}
+            className="w-full rounded-md bg-neutral-900 px-4 py-2 text-sm font-medium text-white disabled:opacity-60"
+          >
+            {isBusy
+              ? t("auth.actions.signUpBusy", "Creating account...")
+              : mode === "signup-owner"
+                ? t("auth.actions.signUpOwnerIdle", "Create owner account")
+                : t("auth.actions.signUpUserIdle", "Create account")}
+          </button>
+
+          <p className="text-xs text-neutral-600">
+            {t("auth.links.alreadyHaveAccount", "Already have an account?")}{" "}
             <Link href={`/login?next=${encodeURIComponent(nextPath)}`} className="underline">
-              Go to sign in
+              {t("auth.links.goToSignIn", "Go to sign in")}
             </Link>
           </p>
 
           {error ? <p className="text-sm text-red-600">{error}</p> : null}
           {success ? <p className="text-sm text-green-700">{success}</p> : null}
         </form>
+      ) : (
+        <section className="mt-8 space-y-4 rounded-xl border border-neutral-200 p-6">
+          <p className="text-sm text-neutral-700">
+            {t(
+              "auth.messages.registrationDisabled",
+              "Registration is disabled for this admin instance. Ask an administrator to create an account or enable self-registration.",
+            )}
+          </p>
+          <p className="text-xs text-neutral-600">
+            <Link href={`/login?next=${encodeURIComponent(nextPath)}`} className="underline">
+              {t("auth.links.goToSignIn", "Go to sign in")}
+            </Link>
+          </p>
+        </section>
       )}
     </main>
   )

apps/admin/src/app/media/page.tsx

@@ -0,0 +1,34 @@
+import { AdminSectionPlaceholder } from "@/components/admin-section-placeholder"
+import { AdminShell } from "@/components/admin-shell"
+import { requirePermissionForRoute } from "@/lib/route-guards"
+
+export const dynamic = "force-dynamic"
+
+export default async function MediaManagementPage() {
+  const role = await requirePermissionForRoute({
+    nextPath: "/media",
+    permission: "media:read",
+    scope: "team",
+  })
+
+  return (
+    <AdminShell
+      role={role}
+      activePath="/media"
+      badge="Admin App"
+      title="Media"
+      description="Prepare media library and enrichment workflows."
+    >
+      <AdminSectionPlaceholder
+        feature="Media Library"
+        summary="This route is ready for media browsing, upload, and metadata refinement features."
+        requiredPermission="media:read (team)"
+        nextSteps={[
+          "Add media upload and asset listing.",
+          "Add enrichment fields (alt text, source, tags).",
+          "Add artwork-specific refinement fields.",
+        ]}
+      />
+    </AdminShell>
+  )
+}

apps/admin/src/app/page.tsx

@@ -1,65 +1,405 @@
 import { hasPermission } from "@cms/content/rbac"
-import { listPosts } from "@cms/db"
+import { createPost, deletePost, listPosts, updatePost } from "@cms/db"
 import { Button } from "@cms/ui/button"
+import { revalidatePath } from "next/cache"
 import Link from "next/link"
 import { redirect } from "next/navigation"
 
-import { resolveRoleFromServerContext } from "@/lib/access-server"
-import { LogoutButton } from "./logout-button"
+import { AdminShell } from "@/components/admin-shell"
+import { translateMessage } from "@/i18n/messages"
+import { getAdminMessages, resolveAdminLocale } from "@/i18n/server"
+import { requirePermissionForRoute } from "@/lib/route-guards"
 
 export const dynamic = "force-dynamic"
 
-export default async function AdminHomePage() {
-  const role = await resolveRoleFromServerContext()
+type SearchParamsInput = Record<string, string | string[] | undefined>
 
-  if (!role) {
-    redirect("/login?next=/")
+function readFirstValue(value: string | string[] | undefined): string | null {
+  if (Array.isArray(value)) {
+    return value[0] ?? null
   }
 
-  if (!hasPermission(role, "news:read", "team")) {
-    redirect("/unauthorized?required=news:read&scope=team")
+  return value ?? null
+}
+
+function readRequiredField(formData: FormData, field: string): string {
+  const value = formData.get(field)
+
+  if (typeof value !== "string") {
+    return ""
   }
 
+  return value.trim()
+}
+
+function readOptionalField(formData: FormData, field: string): string | undefined {
+  const value = readRequiredField(formData, field)
+  return value.length > 0 ? value : undefined
+}
+
+async function requireNewsWritePermission() {
+  await requirePermissionForRoute({
+    nextPath: "/",
+    permission: "news:write",
+    scope: "team",
+  })
+}
+
+function redirectWithState(params: { notice?: string; error?: string }) {
+  const query = new URLSearchParams()
+
+  if (params.notice) {
+    query.set("notice", params.notice)
+  }
+
+  if (params.error) {
+    query.set("error", params.error)
+  }
+
+  const value = query.toString()
+  redirect(value ? `/?${value}` : "/")
+}
+
+async function getDashboardTranslator() {
+  const locale = await resolveAdminLocale()
+  const messages = await getAdminMessages(locale)
+
+  return (key: string, fallback: string) => translateMessage(messages, key, fallback)
+}
+
+async function createPostAction(formData: FormData) {
+  "use server"
+
+  await requireNewsWritePermission()
+  const t = await getDashboardTranslator()
+
+  const status = readRequiredField(formData, "status")
+
+  try {
+    await createPost({
+      title: readRequiredField(formData, "title"),
+      slug: readRequiredField(formData, "slug"),
+      excerpt: readOptionalField(formData, "excerpt"),
+      body: readRequiredField(formData, "body"),
+      status: status === "published" ? "published" : "draft",
+    })
+  } catch {
+    redirectWithState({
+      error: t("dashboard.posts.errors.createFailed", "Create failed. Please check your input."),
+    })
+  }
+
+  revalidatePath("/")
+  redirectWithState({ notice: t("dashboard.posts.success.created", "Post created.") })
+}
+
+async function updatePostAction(formData: FormData) {
+  "use server"
+
+  await requireNewsWritePermission()
+  const t = await getDashboardTranslator()
+
+  const id = readRequiredField(formData, "id")
+  const status = readRequiredField(formData, "status")
+
+  if (!id) {
+    redirectWithState({
+      error: t("dashboard.posts.errors.updateMissingId", "Update failed. Missing post id."),
+    })
+  }
+
+  try {
+    await updatePost(id, {
+      title: readRequiredField(formData, "title"),
+      slug: readRequiredField(formData, "slug"),
+      excerpt: readOptionalField(formData, "excerpt"),
+      body: readRequiredField(formData, "body"),
+      status: status === "published" ? "published" : "draft",
+    })
+  } catch {
+    redirectWithState({
+      error: t("dashboard.posts.errors.updateFailed", "Update failed. Please check your input."),
+    })
+  }
+
+  revalidatePath("/")
+  redirectWithState({ notice: t("dashboard.posts.success.updated", "Post updated.") })
+}
+
+async function deletePostAction(formData: FormData) {
+  "use server"
+
+  await requireNewsWritePermission()
+  const t = await getDashboardTranslator()
+
+  const id = readRequiredField(formData, "id")
+
+  if (!id) {
+    redirectWithState({
+      error: t("dashboard.posts.errors.deleteMissingId", "Delete failed. Missing post id."),
+    })
+  }
+
+  try {
+    await deletePost(id)
+  } catch {
+    redirectWithState({ error: t("dashboard.posts.errors.deleteFailed", "Delete failed.") })
+  }
+
+  revalidatePath("/")
+  redirectWithState({ notice: t("dashboard.posts.success.deleted", "Post deleted.") })
+}
+
+export default async function AdminHomePage({
+  searchParams,
+}: {
+  searchParams: Promise<SearchParamsInput>
+}) {
+  const role = await requirePermissionForRoute({
+    nextPath: "/",
+    permission: "news:read",
+    scope: "team",
+  })
+
+  const [resolvedSearchParams, locale, posts] = await Promise.all([
+    searchParams,
+    resolveAdminLocale(),
+    listPosts(),
+  ])
+  const messages = await getAdminMessages(locale)
+  const t = (key: string, fallback: string) => translateMessage(messages, key, fallback)
+
+  const notice = readFirstValue(resolvedSearchParams.notice)
+  const error = readFirstValue(resolvedSearchParams.error)
   const canCreatePost = hasPermission(role, "news:write", "team")
-  const posts = await listPosts()
 
   return (
-    <main className="mx-auto flex min-h-screen w-full max-w-4xl flex-col gap-8 px-6 py-16">
-      <header className="space-y-3">
-        <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">Admin App</p>
-        <h1 className="text-4xl font-semibold tracking-tight">Content Dashboard</h1>
-        <p className="text-neutral-600">Manage posts from a dedicated admin surface.</p>
-        <div className="flex items-center gap-3 pt-2">
+    <AdminShell
+      role={role}
+      activePath="/"
+      badge={t("dashboard.badge", "Admin App")}
+      title={t("dashboard.title", "Content Dashboard")}
+      description={t("dashboard.description", "Manage posts from a dedicated admin surface.")}
+      actions={
+        <>
           <Link
             href="/todo"
             className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
           >
-            Open roadmap and progress
+            {t("dashboard.actions.openRoadmap", "Open roadmap and progress")}
           </Link>
-          <LogoutButton />
-        </div>
-      </header>
+          <Link
+            href="/settings"
+            className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
+          >
+            {t("settings.title", "Settings")}
+          </Link>
+        </>
+      }
+    >
+      {notice ? (
+        <section className="rounded-xl border border-emerald-300 bg-emerald-50 px-4 py-3 text-sm text-emerald-800">
+          {notice}
+        </section>
+      ) : null}
+
+      {error ? (
+        <section className="rounded-xl border border-red-300 bg-red-50 px-4 py-3 text-sm text-red-800">
+          {error}
+        </section>
+      ) : null}
 
       <section className="rounded-xl border border-neutral-200 p-6">
-        <div className="mb-4 flex items-center justify-between">
-          <h2 className="text-xl font-medium">Posts</h2>
-          <Button disabled={!canCreatePost}>Create post</Button>
+        <div className="space-y-4">
+          <div className="flex items-center justify-between">
+            <h2 className="text-xl font-medium">
+              {t("dashboard.posts.title", "Posts CRUD Sandbox")}
+            </h2>
+            <p className="text-xs uppercase tracking-wide text-neutral-500">
+              {t("dashboard.notices.crudSandboxTag", "MVP0 functional test")}
+            </p>
+          </div>
+
+          {canCreatePost ? (
+            <form
+              action={createPostAction}
+              className="space-y-3 rounded-lg border border-neutral-200 p-4"
+            >
+              <h3 className="text-sm font-semibold">
+                {t("dashboard.posts.createTitle", "Create post")}
+              </h3>
+              <div className="grid gap-3 md:grid-cols-2">
+                <label className="space-y-1">
+                  <span className="text-xs text-neutral-600">
+                    {t("dashboard.posts.fields.title", "Title")}
+                  </span>
+                  <input
+                    name="title"
+                    required
+                    minLength={3}
+                    className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
+                  />
+                </label>
+                <label className="space-y-1">
+                  <span className="text-xs text-neutral-600">
+                    {t("dashboard.posts.fields.slug", "Slug")}
+                  </span>
+                  <input
+                    name="slug"
+                    required
+                    minLength={3}
+                    className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
+                  />
+                </label>
+              </div>
+              <label className="space-y-1">
+                <span className="text-xs text-neutral-600">
+                  {t("dashboard.posts.fields.excerpt", "Excerpt")}
+                </span>
+                <input
+                  name="excerpt"
+                  className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
+                />
+              </label>
+              <label className="space-y-1">
+                <span className="text-xs text-neutral-600">
+                  {t("dashboard.posts.fields.body", "Body")}
+                </span>
+                <textarea
+                  name="body"
+                  required
+                  minLength={1}
+                  rows={4}
+                  className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
+                />
+              </label>
+              <label className="space-y-1">
+                <span className="text-xs text-neutral-600">
+                  {t("dashboard.posts.fields.status", "Status")}
+                </span>
+                <select
+                  name="status"
+                  defaultValue="draft"
+                  className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
+                >
+                  <option value="draft">{t("dashboard.posts.status.draft", "Draft")}</option>
+                  <option value="published">
+                    {t("dashboard.posts.status.published", "Published")}
+                  </option>
+                </select>
+              </label>
+              <Button type="submit">{t("dashboard.posts.actions.create", "Create post")}</Button>
+            </form>
+          ) : (
+            <div className="rounded-lg border border-amber-300 bg-amber-50 px-4 py-3 text-sm text-amber-800">
+              {t(
+                "dashboard.notices.noCrudPermission",
+                "You can read posts, but your role cannot create/update/delete posts.",
+              )}
+            </div>
+          )}
         </div>
 
         <div className="space-y-3">
           {posts.map((post) => (
             <article key={post.id} className="rounded-lg border border-neutral-200 p-4">
-              <div className="flex items-center justify-between gap-3">
-                <h3 className="text-lg font-medium">{post.title}</h3>
-                <span className="rounded-full bg-neutral-100 px-3 py-1 text-xs uppercase tracking-wide">
-                  {post.status}
-                </span>
-              </div>
-              <p className="mt-2 text-sm text-neutral-600">{post.slug}</p>
+              {canCreatePost ? (
+                <>
+                  <form action={updatePostAction} className="space-y-3">
+                    <input type="hidden" name="id" value={post.id} />
+                    <div className="grid gap-3 md:grid-cols-2">
+                      <label className="space-y-1">
+                        <span className="text-xs text-neutral-600">
+                          {t("dashboard.posts.fields.title", "Title")}
+                        </span>
+                        <input
+                          name="title"
+                          required
+                          minLength={3}
+                          defaultValue={post.title}
+                          className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
+                        />
+                      </label>
+                      <label className="space-y-1">
+                        <span className="text-xs text-neutral-600">
+                          {t("dashboard.posts.fields.slug", "Slug")}
+                        </span>
+                        <input
+                          name="slug"
+                          required
+                          minLength={3}
+                          defaultValue={post.slug}
+                          className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
+                        />
+                      </label>
+                    </div>
+                    <label className="space-y-1">
+                      <span className="text-xs text-neutral-600">
+                        {t("dashboard.posts.fields.excerpt", "Excerpt")}
+                      </span>
+                      <input
+                        name="excerpt"
+                        defaultValue={post.excerpt ?? ""}
+                        className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
+                      />
+                    </label>
+                    <label className="space-y-1">
+                      <span className="text-xs text-neutral-600">
+                        {t("dashboard.posts.fields.body", "Body")}
+                      </span>
+                      <textarea
+                        name="body"
+                        required
+                        minLength={1}
+                        rows={4}
+                        defaultValue={post.body}
+                        className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
+                      />
+                    </label>
+                    <label className="space-y-1">
+                      <span className="text-xs text-neutral-600">
+                        {t("dashboard.posts.fields.status", "Status")}
+                      </span>
+                      <select
+                        name="status"
+                        defaultValue={post.status}
+                        className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
+                      >
+                        <option value="draft">{t("dashboard.posts.status.draft", "Draft")}</option>
+                        <option value="published">
+                          {t("dashboard.posts.status.published", "Published")}
+                        </option>
+                      </select>
+                    </label>
+                    <Button type="submit">
+                      {t("dashboard.posts.actions.save", "Save changes")}
+                    </Button>
+                  </form>
+                  <form action={deletePostAction} className="mt-3">
+                    <input type="hidden" name="id" value={post.id} />
+                    <Button type="submit" variant="secondary">
+                      {t("dashboard.posts.actions.delete", "Delete")}
+                    </Button>
+                  </form>
+                </>
+              ) : (
+                <>
+                  <div className="flex items-center justify-between gap-3">
+                    <h3 className="text-lg font-medium">{post.title}</h3>
+                    <span className="rounded-full bg-neutral-100 px-3 py-1 text-xs uppercase tracking-wide">
+                      {post.status}
+                    </span>
+                  </div>
+                  <p className="mt-2 text-sm text-neutral-600">{post.slug}</p>
+                  <p className="mt-2 text-sm text-neutral-600">
+                    {post.excerpt ?? t("dashboard.posts.fallback.noExcerpt", "No excerpt")}
+                  </p>
+                </>
+              )}
             </article>
           ))}
         </div>
       </section>
-    </main>
+    </AdminShell>
   )
 }

apps/admin/src/app/pages/page.tsx

@@ -0,0 +1,34 @@
+import { AdminSectionPlaceholder } from "@/components/admin-section-placeholder"
+import { AdminShell } from "@/components/admin-shell"
+import { requirePermissionForRoute } from "@/lib/route-guards"
+
+export const dynamic = "force-dynamic"
+
+export default async function PagesManagementPage() {
+  const role = await requirePermissionForRoute({
+    nextPath: "/pages",
+    permission: "pages:read",
+    scope: "team",
+  })
+
+  return (
+    <AdminShell
+      role={role}
+      activePath="/pages"
+      badge="Admin App"
+      title="Pages"
+      description="Manage page entities and publication workflows."
+    >
+      <AdminSectionPlaceholder
+        feature="Page Management"
+        summary="This MVP0 scaffold defines information architecture and access boundaries for future page CRUD."
+        requiredPermission="pages:read (team)"
+        nextSteps={[
+          "Add page entity list and search.",
+          "Add create/edit draft flows with validation.",
+          "Add publish/unpublish scheduling controls.",
+        ]}
+      />
+    </AdminShell>
+  )
+}

apps/admin/src/app/providers.tsx

@@ -1,9 +1,24 @@
 "use client"
 
+import type { AppLocale } from "@cms/i18n"
 import type { ReactNode } from "react"
 
+import type { AdminMessages } from "@/i18n/messages"
+import { AdminI18nProvider } from "@/providers/admin-i18n-provider"
 import { QueryProvider } from "@/providers/query-provider"
 
-export function Providers({ children }: { children: ReactNode }) {
-  return <QueryProvider>{children}</QueryProvider>
+export function Providers({
+  children,
+  locale,
+  messages,
+}: {
+  children: ReactNode
+  locale: AppLocale
+  messages: AdminMessages
+}) {
+  return (
+    <AdminI18nProvider locale={locale} messages={messages}>
+      <QueryProvider>{children}</QueryProvider>
+    </AdminI18nProvider>
+  )
 }

apps/admin/src/app/register/page.tsx

@@ -33,7 +33,7 @@ export default async function RegisterPage({ searchParams }: { searchParams: Sea
   const enabled = await isSelfRegistrationEnabled()
 
   if (!enabled) {
-    redirect(`/login?next=${encodeURIComponent(nextPath)}`)
+    return <LoginForm mode="signup-disabled" />
   }
 
   return <LoginForm mode="signup-user" />

apps/admin/src/app/settings/page.tsx

@@ -0,0 +1,180 @@
+import { isAdminSelfRegistrationEnabled, setAdminSelfRegistrationEnabled } from "@cms/db"
+import { Button } from "@cms/ui/button"
+import { revalidatePath } from "next/cache"
+import Link from "next/link"
+import { redirect } from "next/navigation"
+
+import { AdminShell } from "@/components/admin-shell"
+import { translateMessage } from "@/i18n/messages"
+import { getAdminMessages, resolveAdminLocale } from "@/i18n/server"
+import { requirePermissionForRoute } from "@/lib/route-guards"
+
+type SearchParamsInput = Promise<Record<string, string | string[] | undefined>>
+
+function toSingleValue(input: string | string[] | undefined): string | null {
+  if (Array.isArray(input)) {
+    return input[0] ?? null
+  }
+
+  return input ?? null
+}
+
+async function requireSettingsPermission() {
+  await requirePermissionForRoute({
+    nextPath: "/settings",
+    permission: "users:manage_roles",
+    scope: "global",
+  })
+}
+
+async function getSettingsTranslator() {
+  const locale = await resolveAdminLocale()
+  const messages = await getAdminMessages(locale)
+
+  return (key: string, fallback: string) => translateMessage(messages, key, fallback)
+}
+
+async function updateRegistrationPolicyAction(formData: FormData) {
+  "use server"
+
+  await requireSettingsPermission()
+  const t = await getSettingsTranslator()
+  const enabled = formData.get("enabled") === "on"
+
+  try {
+    await setAdminSelfRegistrationEnabled(enabled)
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : ""
+    const normalizedMessage = errorMessage.toLowerCase()
+    const isDatabaseUnavailable = errorMessage.includes("P1001")
+    const isSchemaMissing =
+      errorMessage.includes("P2021") ||
+      normalizedMessage.includes("system_setting") ||
+      normalizedMessage.includes("does not exist")
+
+    const userMessage = isDatabaseUnavailable
+      ? t(
+          "settings.registration.errors.databaseUnavailable",
+          "Saving settings failed. The database is currently unreachable.",
+        )
+      : isSchemaMissing
+        ? t(
+            "settings.registration.errors.schemaMissing",
+            "Saving settings failed. Apply the latest database migrations and try again.",
+          )
+        : t(
+            "settings.registration.errors.updateFailed",
+            "Saving settings failed. Ensure database migrations are applied.",
+          )
+
+    redirect(`/settings?error=${encodeURIComponent(userMessage)}`)
+  }
+
+  revalidatePath("/settings")
+  revalidatePath("/register")
+  redirect(
+    `/settings?notice=${encodeURIComponent(
+      t("settings.registration.success.updated", "Registration policy updated."),
+    )}`,
+  )
+}
+
+export default async function SettingsPage({ searchParams }: { searchParams: SearchParamsInput }) {
+  const role = await requirePermissionForRoute({
+    nextPath: "/settings",
+    permission: "users:manage_roles",
+    scope: "global",
+  })
+
+  const [params, locale, isRegistrationEnabled] = await Promise.all([
+    searchParams,
+    resolveAdminLocale(),
+    isAdminSelfRegistrationEnabled(),
+  ])
+  const messages = await getAdminMessages(locale)
+  const t = (key: string, fallback: string) => translateMessage(messages, key, fallback)
+
+  const notice = toSingleValue(params.notice)
+  const error = toSingleValue(params.error)
+
+  return (
+    <AdminShell
+      role={role}
+      activePath="/settings"
+      badge={t("settings.badge", "Admin Settings")}
+      title={t("settings.title", "Settings")}
+      description={t(
+        "settings.description",
+        "Manage runtime policies for the admin authentication and onboarding flow.",
+      )}
+      actions={
+        <Link
+          href="/"
+          className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
+        >
+          {t("settings.actions.backToDashboard", "Back to dashboard")}
+        </Link>
+      }
+    >
+      {notice ? (
+        <section className="rounded-xl border border-emerald-300 bg-emerald-50 px-4 py-3 text-sm text-emerald-800">
+          {notice}
+        </section>
+      ) : null}
+
+      {error ? (
+        <section className="rounded-xl border border-red-300 bg-red-50 px-4 py-3 text-sm text-red-800">
+          {error}
+        </section>
+      ) : null}
+
+      <section className="rounded-xl border border-neutral-200 p-6">
+        <div className="space-y-5">
+          <div className="space-y-2">
+            <h2 className="text-xl font-medium">
+              {t("settings.registration.title", "Admin self-registration")}
+            </h2>
+            <p className="text-sm text-neutral-600">
+              {t(
+                "settings.registration.description",
+                "When enabled, /register can create additional admin accounts after initial owner bootstrap.",
+              )}
+            </p>
+          </div>
+
+          <div className="rounded-lg border border-neutral-200 p-4 text-sm text-neutral-700">
+            <p>
+              {t("settings.registration.currentStatusLabel", "Current status")}:{" "}
+              <strong>
+                {isRegistrationEnabled
+                  ? t("settings.registration.status.enabled", "Enabled")
+                  : t("settings.registration.status.disabled", "Disabled")}
+              </strong>
+            </p>
+          </div>
+
+          <form action={updateRegistrationPolicyAction} className="space-y-4">
+            <label className="flex items-center gap-3 text-sm">
+              <input
+                type="checkbox"
+                name="enabled"
+                defaultChecked={isRegistrationEnabled}
+                className="h-4 w-4 rounded border-neutral-300"
+              />
+              <span>
+                {t(
+                  "settings.registration.checkboxLabel",
+                  "Allow self-registration on /register for admin users",
+                )}
+              </span>
+            </label>
+
+            <Button type="submit">
+              {t("settings.registration.actions.save", "Save registration policy")}
+            </Button>
+          </form>
+        </div>
+      </section>
+    </AdminShell>
+  )
+}

apps/admin/src/app/todo/page.tsx

@@ -1,10 +1,9 @@
 import { readFile } from "node:fs/promises"
 import path from "node:path"
-import { hasPermission } from "@cms/content/rbac"
 import Link from "next/link"
-import { redirect } from "next/navigation"
 
-import { resolveRoleFromServerContext } from "@/lib/access-server"
+import { AdminShell } from "@/components/admin-shell"
+import { requirePermissionForRoute } from "@/lib/route-guards"
 
 export const dynamic = "force-dynamic"
 
@@ -405,15 +404,11 @@ function filterButtonClass(active: boolean): string {
 export default async function AdminTodoPage(props: {
   searchParams?: SearchParamsInput | Promise<SearchParamsInput>
 }) {
-  const role = await resolveRoleFromServerContext()
-
-  if (!role) {
-    redirect("/login?next=/todo")
-  }
-
-  if (!hasPermission(role, "roadmap:read", "global")) {
-    redirect("/unauthorized?required=roadmap:read&scope=global")
-  }
+  const role = await requirePermissionForRoute({
+    nextPath: "/todo",
+    permission: "roadmap:read",
+    scope: "global",
+  })
 
   const content = await getTodoMarkdown()
   const sections = parseTodo(content)
@@ -434,26 +429,21 @@ export default async function AdminTodoPage(props: {
   }
 
   return (
-    <main className="mx-auto flex min-h-screen w-full max-w-6xl flex-col gap-8 px-6 py-12">
-      <header className="space-y-4">
-        <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">Admin App</p>
-        <div className="flex flex-wrap items-end justify-between gap-4">
-          <div className="space-y-2">
-            <h1 className="text-4xl font-semibold tracking-tight">Roadmap and Progress</h1>
-            <p className="text-neutral-600">
-              Structured view from root `TODO.md` (single source of truth).
-            </p>
-          </div>
-
-          <Link
-            href="/"
-            className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
-          >
-            Back to dashboard
-          </Link>
-        </div>
-      </header>
-
+    <AdminShell
+      role={role}
+      activePath="/todo"
+      badge="Admin App"
+      title="Roadmap and Progress"
+      description="Structured view from root TODO.md (single source of truth)."
+      actions={
+        <Link
+          href="/"
+          className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
+        >
+          Back to dashboard
+        </Link>
+      }
+    >
       <section className="rounded-xl border border-neutral-200 bg-neutral-50 p-5">
         <div className="mb-4 flex items-center justify-between gap-4">
           <p className="text-sm font-medium text-neutral-600">Weighted completion</p>
@@ -607,6 +597,6 @@ export default async function AdminTodoPage(props: {
           {content}
         </pre>
       </details>
-    </main>
+    </AdminShell>
   )
 }

apps/admin/src/app/users/page.tsx

@@ -0,0 +1,34 @@
+import { AdminSectionPlaceholder } from "@/components/admin-section-placeholder"
+import { AdminShell } from "@/components/admin-shell"
+import { requirePermissionForRoute } from "@/lib/route-guards"
+
+export const dynamic = "force-dynamic"
+
+export default async function UsersManagementPage() {
+  const role = await requirePermissionForRoute({
+    nextPath: "/users",
+    permission: "users:read",
+    scope: "own",
+  })
+
+  return (
+    <AdminShell
+      role={role}
+      activePath="/users"
+      badge="Admin App"
+      title="Users"
+      description="Prepare user lifecycle and role management operations."
+    >
+      <AdminSectionPlaceholder
+        feature="Users Management"
+        summary="This route sets the guardrail and UX entrypoint for role assignment, status, and invitation flows."
+        requiredPermission="users:read (own)"
+        nextSteps={[
+          "Add user list, filter, and detail views.",
+          "Add role and permission editing actions with owner/support safety rules.",
+          "Add disable/ban and invite workflows.",
+        ]}
+      />
+    </AdminShell>
+  )
+}

apps/admin/src/components/admin-locale-switcher.tsx

@@ -0,0 +1,41 @@
+"use client"
+
+import { type AppLocale, localeLabels, locales } from "@cms/i18n"
+import { useRouter } from "next/navigation"
+import { useTransition } from "react"
+
+import { ADMIN_LOCALE_COOKIE } from "@/i18n/shared"
+import { useAdminI18n, useAdminT } from "@/providers/admin-i18n-provider"
+
+export function AdminLocaleSwitcher() {
+  const router = useRouter()
+  const [isPending, startTransition] = useTransition()
+  const { locale } = useAdminI18n()
+  const t = useAdminT()
+
+  return (
+    <label className="inline-flex items-center gap-2 text-sm text-neutral-700">
+      <span>{t("common.language", "Language")}</span>
+      <select
+        className="rounded-md border border-neutral-300 bg-white px-2 py-1 text-sm"
+        value={locale}
+        disabled={isPending}
+        onChange={(event) => {
+          const nextLocale = event.target.value as AppLocale
+          // biome-ignore lint/suspicious/noDocumentCookie: locale preference is intentionally persisted client-side.
+          document.cookie = `${ADMIN_LOCALE_COOKIE}=${nextLocale}; Path=/; Max-Age=31536000; SameSite=Lax`
+
+          startTransition(() => {
+            router.refresh()
+          })
+        }}
+      >
+        {locales.map((value) => (
+          <option key={value} value={value}>
+            {t(`common.localeNames.${value}`, localeLabels[value])} ({localeLabels[value]})
+          </option>
+        ))}
+      </select>
+    </label>
+  )
+}

apps/admin/src/components/admin-section-placeholder.tsx

@@ -0,0 +1,40 @@
+import type { ReactNode } from "react"
+
+type AdminSectionPlaceholderProps = {
+  feature: string
+  summary: string
+  requiredPermission: string
+  nextSteps: string[]
+  children?: ReactNode
+}
+
+export function AdminSectionPlaceholder({
+  feature,
+  summary,
+  requiredPermission,
+  nextSteps,
+  children,
+}: AdminSectionPlaceholderProps) {
+  return (
+    <section className="space-y-5 rounded-xl border border-neutral-200 p-6">
+      <div className="space-y-2">
+        <h2 className="text-xl font-medium">{feature}</h2>
+        <p className="text-sm text-neutral-600">{summary}</p>
+        <p className="text-xs uppercase tracking-wide text-neutral-500">
+          Required permission: {requiredPermission}
+        </p>
+      </div>
+
+      {children}
+
+      <div className="rounded-lg border border-neutral-200 bg-neutral-50 p-4">
+        <p className="text-sm font-medium text-neutral-800">Planned next steps</p>
+        <ul className="mt-2 list-disc space-y-1 pl-5 text-sm text-neutral-600">
+          {nextSteps.map((step) => (
+            <li key={step}>{step}</li>
+          ))}
+        </ul>
+      </div>
+    </section>
+  )
+}

apps/admin/src/components/admin-shell.tsx

@@ -0,0 +1,117 @@
+import { hasPermission, type Permission, type PermissionScope, type Role } from "@cms/content/rbac"
+import Link from "next/link"
+import type { ReactNode } from "react"
+
+import { LogoutButton } from "@/app/logout-button"
+import { AdminLocaleSwitcher } from "@/components/admin-locale-switcher"
+
+type AdminShellProps = {
+  role: Role
+  activePath: string
+  badge: string
+  title: string
+  description: string
+  actions?: ReactNode
+  children: ReactNode
+}
+
+type NavItem = {
+  href: string
+  label: string
+  permission: Permission
+  scope: PermissionScope
+}
+
+const navItems: NavItem[] = [
+  { href: "/", label: "Dashboard", permission: "dashboard:read", scope: "global" },
+  { href: "/pages", label: "Pages", permission: "pages:read", scope: "team" },
+  { href: "/media", label: "Media", permission: "media:read", scope: "team" },
+  { href: "/users", label: "Users", permission: "users:read", scope: "own" },
+  { href: "/commissions", label: "Commissions", permission: "commissions:read", scope: "own" },
+  { href: "/settings", label: "Settings", permission: "users:manage_roles", scope: "global" },
+  { href: "/todo", label: "Roadmap", permission: "roadmap:read", scope: "global" },
+]
+
+function navItemClass(active: boolean): string {
+  if (active) {
+    return "bg-neutral-900 text-white border-neutral-900"
+  }
+
+  return "bg-white text-neutral-700 border-neutral-300 hover:bg-neutral-100"
+}
+
+function isActiveRoute(activePath: string, href: string): boolean {
+  if (href === "/") {
+    return activePath === "/"
+  }
+
+  return activePath === href || activePath.startsWith(`${href}/`)
+}
+
+export function AdminShell({
+  role,
+  activePath,
+  badge,
+  title,
+  description,
+  actions,
+  children,
+}: AdminShellProps) {
+  return (
+    <div className="mx-auto flex min-h-screen w-full max-w-7xl gap-8 px-6 py-10">
+      <aside className="sticky top-0 hidden h-fit w-64 shrink-0 space-y-4 lg:block">
+        <div className="rounded-xl border border-neutral-200 bg-white p-4">
+          <p className="text-xs font-semibold uppercase tracking-[0.2em] text-neutral-500">
+            CMS Admin
+          </p>
+          <p className="mt-2 text-sm text-neutral-600">Role: {role}</p>
+        </div>
+
+        <nav className="space-y-2">
+          {navItems
+            .filter((item) => hasPermission(role, item.permission, item.scope))
+            .map((item) => (
+              <Link
+                key={item.href}
+                href={item.href}
+                className={`block rounded-md border px-3 py-2 text-sm font-medium ${navItemClass(isActiveRoute(activePath, item.href))}`}
+              >
+                {item.label}
+              </Link>
+            ))}
+        </nav>
+      </aside>
+
+      <div className="min-w-0 flex-1 space-y-8">
+        <nav className="flex flex-wrap gap-2 lg:hidden">
+          {navItems
+            .filter((item) => hasPermission(role, item.permission, item.scope))
+            .map((item) => (
+              <Link
+                key={`mobile-${item.href}`}
+                href={item.href}
+                className={`rounded-md border px-3 py-2 text-sm font-medium ${navItemClass(isActiveRoute(activePath, item.href))}`}
+              >
+                {item.label}
+              </Link>
+            ))}
+        </nav>
+
+        <header className="space-y-3">
+          <div className="flex flex-wrap items-center justify-between gap-3">
+            <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">{badge}</p>
+            <div className="flex items-center gap-2">
+              <AdminLocaleSwitcher />
+              <LogoutButton />
+            </div>
+          </div>
+          <h1 className="text-4xl font-semibold tracking-tight">{title}</h1>
+          <p className="text-neutral-600">{description}</p>
+          {actions ? <div className="flex flex-wrap items-center gap-3 pt-1">{actions}</div> : null}
+        </header>
+
+        {children}
+      </div>
+    </div>
+  )
+}

apps/admin/src/i18n/messages.test.ts

@@ -0,0 +1,147 @@
+import { describe, expect, it } from "vitest"
+
+import type { AdminMessages } from "./messages"
+import { translateMessage } from "./messages"
+
+const messages: AdminMessages = {
+  common: {
+    language: "Language",
+    localeNames: {
+      de: "German",
+      en: "English",
+      es: "Spanish",
+      fr: "French",
+    },
+  },
+  auth: {
+    badge: "Admin Auth",
+    titles: {
+      signIn: "Sign in",
+      signUpOwner: "Welcome",
+      signUpUser: "Create account",
+      signUpDisabled: "Registration disabled",
+    },
+    descriptions: {
+      signIn: "Sign in description",
+      signUpOwner: "Owner description",
+      signUpUser: "User description",
+      signUpDisabled: "Disabled description",
+    },
+    fields: {
+      name: "Name",
+      emailOrUsername: "Email or username",
+      email: "Email",
+      username: "Username",
+      password: "Password",
+    },
+    actions: {
+      signInIdle: "Sign in",
+      signInBusy: "Signing in...",
+      signUpOwnerIdle: "Create owner account",
+      signUpUserIdle: "Create account",
+      signUpBusy: "Creating account...",
+    },
+    links: {
+      needAccount: "Need an account?",
+      register: "Register",
+      alreadyHaveAccount: "Already have an account?",
+      goToSignIn: "Go to sign in",
+    },
+    messages: {
+      ownerCreated: "Owner account created.",
+      accountCreated: "Account created.",
+      registrationDisabled: "Registration is disabled.",
+    },
+    errors: {
+      nameRequired: "Name is required.",
+      signInFailed: "Sign in failed",
+      signUpFailed: "Sign up failed",
+      networkSignIn: "Network sign in error",
+      networkSignUp: "Network sign up error",
+    },
+  },
+  settings: {
+    badge: "Admin Settings",
+    title: "Settings",
+    description: "Settings description",
+    actions: {
+      backToDashboard: "Back to dashboard",
+    },
+    registration: {
+      title: "Registration",
+      description: "Registration description",
+      currentStatusLabel: "Current status",
+      status: {
+        enabled: "Enabled",
+        disabled: "Disabled",
+      },
+      checkboxLabel: "Allow registration",
+      actions: {
+        save: "Save",
+      },
+      success: {
+        updated: "Updated",
+      },
+      errors: {
+        updateFailed: "Update failed",
+      },
+    },
+  },
+  dashboard: {
+    badge: "Admin App",
+    title: "Content Dashboard",
+    description: "Manage content.",
+    actions: {
+      openRoadmap: "Open roadmap",
+    },
+    notices: {
+      noCrudPermission: "No permission.",
+      crudSandboxTag: "MVP0 functional test",
+    },
+    posts: {
+      title: "Posts CRUD Sandbox",
+      createTitle: "Create post",
+      fields: {
+        title: "Title",
+        slug: "Slug",
+        excerpt: "Excerpt",
+        body: "Body",
+        status: "Status",
+      },
+      status: {
+        draft: "Draft",
+        published: "Published",
+      },
+      actions: {
+        create: "Create post",
+        save: "Save changes",
+        delete: "Delete",
+      },
+      errors: {
+        createFailed: "Create failed.",
+        updateFailed: "Update failed.",
+        updateMissingId: "Missing post id.",
+        deleteFailed: "Delete failed.",
+        deleteMissingId: "Missing post id.",
+      },
+      success: {
+        created: "Post created.",
+        updated: "Post updated.",
+        deleted: "Post deleted.",
+      },
+      fallback: {
+        noExcerpt: "No excerpt",
+      },
+    },
+  },
+}
+
+describe("translateMessage", () => {
+  it("resolves nested keys", () => {
+    expect(translateMessage(messages, "dashboard.title")).toBe("Content Dashboard")
+  })
+
+  it("returns fallback for unknown keys", () => {
+    expect(translateMessage(messages, "dashboard.unknown", "Fallback")).toBe("Fallback")
+  })
+})

apps/admin/src/i18n/messages.ts

@@ -0,0 +1,27 @@
+import type enMessages from "../messages/en.json"
+
+export type AdminMessages = typeof enMessages
+
+function resolveNestedValue(source: unknown, key: string): unknown {
+  let current: unknown = source
+
+  for (const segment of key.split(".")) {
+    if (!current || typeof current !== "object") {
+      return null
+    }
+
+    current = (current as Record<string, unknown>)[segment]
+  }
+
+  return current
+}
+
+export function translateMessage(messages: AdminMessages, key: string, fallback?: string): string {
+  const resolved = resolveNestedValue(messages, key)
+
+  if (typeof resolved === "string") {
+    return resolved
+  }
+
+  return fallback ?? key
+}

apps/admin/src/i18n/server.ts

@@ -0,0 +1,20 @@
+import { type AppLocale, defaultLocale, isAppLocale } from "@cms/i18n"
+import { cookies } from "next/headers"
+
+import type { AdminMessages } from "./messages"
+import { ADMIN_LOCALE_COOKIE } from "./shared"
+
+export async function resolveAdminLocale(): Promise<AppLocale> {
+  const cookieStore = await cookies()
+  const value = cookieStore.get(ADMIN_LOCALE_COOKIE)?.value
+
+  if (value && isAppLocale(value)) {
+    return value
+  }
+
+  return defaultLocale
+}
+
+export async function getAdminMessages(locale: AppLocale): Promise<AdminMessages> {
+  return (await import(`../messages/${locale}.json`)).default as AdminMessages
+}

apps/admin/src/i18n/shared.ts

@@ -0,0 +1 @@
+export const ADMIN_LOCALE_COOKIE = "cms_admin_locale"

apps/admin/src/lib/access.test.ts

@@ -0,0 +1,43 @@
+import { describe, expect, it } from "vitest"
+
+import { canAccessRoute, getRequiredPermission, isPublicRoute } from "./access"
+
+describe("admin route access rules", () => {
+  it("treats support fallback route as public", () => {
+    expect(isPublicRoute("/support/support-access")).toBe(true)
+    expect(canAccessRoute("editor", "/support/support-access")).toBe(true)
+  })
+
+  it("keeps settings route restricted to role with users:manage_roles", () => {
+    expect(isPublicRoute("/settings")).toBe(false)
+    expect(canAccessRoute("manager", "/settings")).toBe(false)
+    expect(canAccessRoute("admin", "/settings")).toBe(true)
+    expect(canAccessRoute("owner", "/settings")).toBe(true)
+  })
+
+  it("resolves route-specific permission requirements", () => {
+    expect(getRequiredPermission("/todo")).toEqual({
+      permission: "roadmap:read",
+      scope: "global",
+    })
+  })
+
+  it("maps new admin IA routes to dedicated permissions", () => {
+    expect(getRequiredPermission("/pages")).toEqual({
+      permission: "pages:read",
+      scope: "team",
+    })
+    expect(getRequiredPermission("/media")).toEqual({
+      permission: "media:read",
+      scope: "team",
+    })
+    expect(getRequiredPermission("/users")).toEqual({
+      permission: "users:read",
+      scope: "own",
+    })
+    expect(getRequiredPermission("/commissions")).toEqual({
+      permission: "commissions:read",
+      scope: "own",
+    })
+  })
+})

apps/admin/src/lib/access.ts

@@ -43,6 +43,41 @@ const guardRules: GuardRule[] = [
       scope: "global",
     },
   },
+  {
+    route: /^\/pages(?:\/|$)/,
+    requirement: {
+      permission: "pages:read",
+      scope: "team",
+    },
+  },
+  {
+    route: /^\/media(?:\/|$)/,
+    requirement: {
+      permission: "media:read",
+      scope: "team",
+    },
+  },
+  {
+    route: /^\/users(?:\/|$)/,
+    requirement: {
+      permission: "users:read",
+      scope: "own",
+    },
+  },
+  {
+    route: /^\/commissions(?:\/|$)/,
+    requirement: {
+      permission: "commissions:read",
+      scope: "own",
+    },
+  },
+  {
+    route: /^\/settings(?:\/|$)/,
+    requirement: {
+      permission: "users:manage_roles",
+      scope: "global",
+    },
+  },
   {
     route: /^\/(?:$|\?)/,
     requirement: {

apps/admin/src/lib/auth/server.ts

@@ -1,5 +1,5 @@
 import { normalizeRole, type Role } from "@cms/content/rbac"
-import { db } from "@cms/db"
+import { db, isAdminSelfRegistrationEnabled } from "@cms/db"
 import { betterAuth } from "better-auth"
 import { prismaAdapter } from "better-auth/adapters/prisma"
 import { toNextJsHandler } from "better-auth/next-js"
@@ -43,8 +43,7 @@ export async function isInitialOwnerRegistrationOpen(): Promise<boolean> {
 }
 
 export async function isSelfRegistrationEnabled(): Promise<boolean> {
-  // Temporary fallback until registration policy is managed from admin settings.
-  return process.env.CMS_ADMIN_SELF_REGISTRATION_ENABLED === "true"
+  return isAdminSelfRegistrationEnabled()
 }
 
 export async function canUserSelfRegister(): Promise<boolean> {
@@ -359,7 +358,10 @@ export async function ensureSupportUserBootstrap(): Promise<void> {
     return
   }
 
-  supportBootstrapPromise = bootstrapSystemUsers()
+  supportBootstrapPromise = (async () => {
+    await bootstrapSystemUsers()
+    await enforceOwnerInvariant()
+  })()
 
   try {
     await supportBootstrapPromise
@@ -369,8 +371,116 @@ export async function ensureSupportUserBootstrap(): Promise<void> {
   }
 }
 
-export async function promoteFirstRegisteredUserToOwner(userId: string): Promise<boolean> {
+type OwnerInvariantState = {
+  ownerId: string | null
+  ownerCount: number
+  repaired: boolean
+}
+
+export async function enforceOwnerInvariant(): Promise<OwnerInvariantState> {
   return db.$transaction(async (tx) => {
+    const owners = await tx.user.findMany({
+      where: { role: "owner" },
+      orderBy: [{ createdAt: "asc" }, { id: "asc" }],
+      select: { id: true, isProtected: true, isBanned: true },
+    })
+
+    if (owners.length === 0) {
+      const candidate = await tx.user.findFirst({
+        where: {
+          role: {
+            not: "support",
+          },
+        },
+        orderBy: [{ createdAt: "asc" }, { id: "asc" }],
+        select: { id: true },
+      })
+
+      if (!candidate) {
+        return {
+          ownerId: null,
+          ownerCount: 0,
+          repaired: false,
+        }
+      }
+
+      await tx.user.update({
+        where: { id: candidate.id },
+        data: {
+          role: "owner",
+          isProtected: true,
+          isBanned: false,
+        },
+      })
+
+      return {
+        ownerId: candidate.id,
+        ownerCount: 1,
+        repaired: true,
+      }
+    }
+
+    const canonicalOwner = owners[0]
+    const extraOwnerIds = owners.slice(1).map((owner) => owner.id)
+
+    if (extraOwnerIds.length > 0) {
+      await tx.user.updateMany({
+        where: { id: { in: extraOwnerIds } },
+        data: {
+          role: "admin",
+          isProtected: false,
+        },
+      })
+    }
+
+    if (!canonicalOwner.isProtected || canonicalOwner.isBanned) {
+      await tx.user.update({
+        where: { id: canonicalOwner.id },
+        data: {
+          isProtected: true,
+          isBanned: false,
+        },
+      })
+    }
+
+    return {
+      ownerId: canonicalOwner.id,
+      ownerCount: 1,
+      repaired: extraOwnerIds.length > 0 || !canonicalOwner.isProtected || canonicalOwner.isBanned,
+    }
+  })
+}
+
+export async function canDeleteUserAccount(userId: string): Promise<boolean> {
+  const user = await db.user.findUnique({
+    where: { id: userId },
+    select: { role: true, isProtected: true },
+  })
+
+  if (!user) {
+    return false
+  }
+
+  // Protected/system users (support + canonical owner) are never deletable
+  // through self-service endpoints.
+  if (user.isProtected) {
+    return false
+  }
+
+  if (user.role !== "owner") {
+    return true
+  }
+
+  // Defensive fallback for drifted data; normal flow should already keep one owner.
+  const ownerCount = await db.user.count({
+    where: { role: "owner" },
+  })
+
+  return ownerCount > 1
+}
+
+export async function promoteFirstRegisteredUserToOwner(userId: string): Promise<boolean> {
+  const promoted = await db.$transaction(async (tx) => {
     const existingOwner = await tx.user.findFirst({
       where: { role: "owner" },
       select: { id: true },
@@ -393,6 +503,12 @@ export async function promoteFirstRegisteredUserToOwner(userId: string): Promise
 
     return true
   })
+
+  if (promoted) {
+    await enforceOwnerInvariant()
+  }
+
+  return promoted
 }
 
 export function resolveRoleFromAuthSession(session: AuthSession | null | undefined): Role | null {

apps/admin/src/lib/route-guards.ts

@@ -0,0 +1,30 @@
+import { hasPermission, type Permission, type PermissionScope, type Role } from "@cms/content/rbac"
+import { redirect } from "next/navigation"
+
+import { resolveRoleFromServerContext } from "@/lib/access-server"
+
+type RequirePermissionParams = {
+  nextPath: string
+  permission: Permission
+  scope: PermissionScope
+}
+
+export async function requireRoleForRoute(nextPath: string): Promise<Role> {
+  const role = await resolveRoleFromServerContext()
+
+  if (!role) {
+    redirect(`/login?next=${encodeURIComponent(nextPath)}`)
+  }
+
+  return role
+}
+
+export async function requirePermissionForRoute(params: RequirePermissionParams): Promise<Role> {
+  const role = await requireRoleForRoute(params.nextPath)
+
+  if (!hasPermission(role, params.permission, params.scope)) {
+    redirect(`/unauthorized?required=${params.permission}&scope=${params.scope}`)
+  }
+
+  return role
+}

apps/admin/src/messages/de.json

@@ -0,0 +1,132 @@
+{
+  "common": {
+    "language": "Sprache",
+    "localeNames": {
+      "de": "Deutsch",
+      "en": "Englisch",
+      "es": "Spanisch",
+      "fr": "Französisch"
+    }
+  },
+  "auth": {
+    "badge": "Admin-Authentifizierung",
+    "titles": {
+      "signIn": "Bei CMS Admin anmelden",
+      "signUpOwner": "Willkommen bei CMS Admin",
+      "signUpUser": "Admin-Konto erstellen",
+      "signUpDisabled": "Registrierung ist deaktiviert"
+    },
+    "descriptions": {
+      "signIn": "Better Auth ist in dieser App über /api/auth aktiv.",
+      "signUpOwner": "Erstelle das erste Owner-Konto, um diese Admin-Instanz zu initialisieren.",
+      "signUpUser": "Selbstregistrierung für Admin-Benutzer ist aktiviert.",
+      "signUpDisabled": "Selbstregistrierung wurde von einer Administratorin oder einem Administrator deaktiviert."
+    },
+    "fields": {
+      "name": "Name",
+      "emailOrUsername": "E-Mail oder Benutzername",
+      "email": "E-Mail",
+      "username": "Benutzername (optional)",
+      "password": "Passwort"
+    },
+    "actions": {
+      "signInIdle": "Anmelden",
+      "signInBusy": "Anmeldung läuft...",
+      "signUpOwnerIdle": "Owner-Konto erstellen",
+      "signUpUserIdle": "Konto erstellen",
+      "signUpBusy": "Konto wird erstellt..."
+    },
+    "links": {
+      "needAccount": "Du brauchst ein Konto?",
+      "register": "Registrieren",
+      "alreadyHaveAccount": "Du hast bereits ein Konto?",
+      "goToSignIn": "Zur Anmeldung"
+    },
+    "messages": {
+      "ownerCreated": "Owner-Konto erstellt. Registrierung ist jetzt deaktiviert.",
+      "accountCreated": "Konto erstellt.",
+      "registrationDisabled": "Für diese Admin-Instanz ist die Registrierung deaktiviert. Bitte wende dich an eine Administratorin oder einen Administrator."
+    },
+    "errors": {
+      "nameRequired": "Name ist für die Kontoerstellung erforderlich",
+      "signInFailed": "Anmeldung fehlgeschlagen",
+      "signUpFailed": "Registrierung fehlgeschlagen",
+      "networkSignIn": "Netzwerkfehler bei der Anmeldung",
+      "networkSignUp": "Netzwerkfehler bei der Registrierung"
+    }
+  },
+  "settings": {
+    "badge": "Admin-Einstellungen",
+    "title": "Einstellungen",
+    "description": "Verwalte Laufzeitrichtlinien für Authentifizierung und Onboarding im Admin-Bereich.",
+    "actions": {
+      "backToDashboard": "Zurück zum Dashboard"
+    },
+    "registration": {
+      "title": "Admin-Selbstregistrierung",
+      "description": "Wenn aktiviert, können über /register nach der initialen Owner-Erstellung weitere Admin-Konten erstellt werden.",
+      "currentStatusLabel": "Aktueller Status",
+      "status": {
+        "enabled": "Aktiviert",
+        "disabled": "Deaktiviert"
+      },
+      "checkboxLabel": "Selbstregistrierung auf /register für Admin-Benutzer erlauben",
+      "actions": {
+        "save": "Registrierungsrichtlinie speichern"
+      },
+      "success": {
+        "updated": "Registrierungsrichtlinie aktualisiert."
+      },
+      "errors": {
+        "updateFailed": "Speichern der Einstellungen fehlgeschlagen. Stelle sicher, dass Datenbankmigrationen angewendet wurden."
+      }
+    }
+  },
+  "dashboard": {
+    "badge": "Admin-App",
+    "title": "Content-Dashboard",
+    "description": "Verwalte Beiträge in einer dedizierten Admin-Oberfläche.",
+    "actions": {
+      "openRoadmap": "Roadmap und Fortschritt öffnen"
+    },
+    "notices": {
+      "noCrudPermission": "Du kannst Beiträge lesen, aber deine Rolle darf keine Beiträge erstellen/ändern/löschen.",
+      "crudSandboxTag": "MVP0 Funktionstest"
+    },
+    "posts": {
+      "title": "Beiträge CRUD-Sandbox",
+      "createTitle": "Beitrag erstellen",
+      "fields": {
+        "title": "Titel",
+        "slug": "Slug",
+        "excerpt": "Auszug",
+        "body": "Inhalt",
+        "status": "Status"
+      },
+      "status": {
+        "draft": "Entwurf",
+        "published": "Veröffentlicht"
+      },
+      "actions": {
+        "create": "Beitrag erstellen",
+        "save": "Änderungen speichern",
+        "delete": "Löschen"
+      },
+      "errors": {
+        "createFailed": "Erstellen fehlgeschlagen. Bitte Eingaben prüfen.",
+        "updateFailed": "Aktualisierung fehlgeschlagen. Bitte Eingaben prüfen.",
+        "updateMissingId": "Aktualisierung fehlgeschlagen. Beitrags-ID fehlt.",
+        "deleteFailed": "Löschen fehlgeschlagen.",
+        "deleteMissingId": "Löschen fehlgeschlagen. Beitrags-ID fehlt."
+      },
+      "success": {
+        "created": "Beitrag erstellt.",
+        "updated": "Beitrag aktualisiert.",
+        "deleted": "Beitrag gelöscht."
+      },
+      "fallback": {
+        "noExcerpt": "Kein Auszug"
+      }
+    }
+  }
+}

apps/admin/src/messages/en.json

@@ -0,0 +1,132 @@
+{
+  "common": {
+    "language": "Language",
+    "localeNames": {
+      "de": "German",
+      "en": "English",
+      "es": "Spanish",
+      "fr": "French"
+    }
+  },
+  "auth": {
+    "badge": "Admin Auth",
+    "titles": {
+      "signIn": "Sign in to CMS Admin",
+      "signUpOwner": "Welcome to CMS Admin",
+      "signUpUser": "Create an admin account",
+      "signUpDisabled": "Registration is disabled"
+    },
+    "descriptions": {
+      "signIn": "Better Auth is active on this app via /api/auth.",
+      "signUpOwner": "Create the first owner account to initialize this admin instance.",
+      "signUpUser": "Self-registration is enabled for admin users.",
+      "signUpDisabled": "Self-registration is currently turned off by an administrator."
+    },
+    "fields": {
+      "name": "Name",
+      "emailOrUsername": "Email or username",
+      "email": "Email",
+      "username": "Username (optional)",
+      "password": "Password"
+    },
+    "actions": {
+      "signInIdle": "Sign in",
+      "signInBusy": "Signing in...",
+      "signUpOwnerIdle": "Create owner account",
+      "signUpUserIdle": "Create account",
+      "signUpBusy": "Creating account..."
+    },
+    "links": {
+      "needAccount": "Need an account?",
+      "register": "Register",
+      "alreadyHaveAccount": "Already have an account?",
+      "goToSignIn": "Go to sign in"
+    },
+    "messages": {
+      "ownerCreated": "Owner account created. Registration is now disabled.",
+      "accountCreated": "Account created.",
+      "registrationDisabled": "Registration is disabled for this admin instance. Ask an administrator to create an account or enable self-registration."
+    },
+    "errors": {
+      "nameRequired": "Name is required for account creation",
+      "signInFailed": "Sign in failed",
+      "signUpFailed": "Sign up failed",
+      "networkSignIn": "Network error while signing in",
+      "networkSignUp": "Network error while signing up"
+    }
+  },
+  "settings": {
+    "badge": "Admin Settings",
+    "title": "Settings",
+    "description": "Manage runtime policies for the admin authentication and onboarding flow.",
+    "actions": {
+      "backToDashboard": "Back to dashboard"
+    },
+    "registration": {
+      "title": "Admin self-registration",
+      "description": "When enabled, /register can create additional admin accounts after initial owner bootstrap.",
+      "currentStatusLabel": "Current status",
+      "status": {
+        "enabled": "Enabled",
+        "disabled": "Disabled"
+      },
+      "checkboxLabel": "Allow self-registration on /register for admin users",
+      "actions": {
+        "save": "Save registration policy"
+      },
+      "success": {
+        "updated": "Registration policy updated."
+      },
+      "errors": {
+        "updateFailed": "Saving settings failed. Ensure database migrations are applied."
+      }
+    }
+  },
+  "dashboard": {
+    "badge": "Admin App",
+    "title": "Content Dashboard",
+    "description": "Manage posts from a dedicated admin surface.",
+    "actions": {
+      "openRoadmap": "Open roadmap and progress"
+    },
+    "notices": {
+      "noCrudPermission": "You can read posts, but your role cannot create/update/delete posts.",
+      "crudSandboxTag": "MVP0 functional test"
+    },
+    "posts": {
+      "title": "Posts CRUD Sandbox",
+      "createTitle": "Create post",
+      "fields": {
+        "title": "Title",
+        "slug": "Slug",
+        "excerpt": "Excerpt",
+        "body": "Body",
+        "status": "Status"
+      },
+      "status": {
+        "draft": "Draft",
+        "published": "Published"
+      },
+      "actions": {
+        "create": "Create post",
+        "save": "Save changes",
+        "delete": "Delete"
+      },
+      "errors": {
+        "createFailed": "Create failed. Please check your input.",
+        "updateFailed": "Update failed. Please check your input.",
+        "updateMissingId": "Update failed. Missing post id.",
+        "deleteFailed": "Delete failed.",
+        "deleteMissingId": "Delete failed. Missing post id."
+      },
+      "success": {
+        "created": "Post created.",
+        "updated": "Post updated.",
+        "deleted": "Post deleted."
+      },
+      "fallback": {
+        "noExcerpt": "No excerpt"
+      }
+    }
+  }
+}

apps/admin/src/messages/es.json

@@ -0,0 +1,132 @@
+{
+  "common": {
+    "language": "Idioma",
+    "localeNames": {
+      "de": "Alemán",
+      "en": "Inglés",
+      "es": "Español",
+      "fr": "Francés"
+    }
+  },
+  "auth": {
+    "badge": "Autenticación de Admin",
+    "titles": {
+      "signIn": "Iniciar sesión en CMS Admin",
+      "signUpOwner": "Bienvenido a CMS Admin",
+      "signUpUser": "Crear una cuenta de admin",
+      "signUpDisabled": "El registro está deshabilitado"
+    },
+    "descriptions": {
+      "signIn": "Better Auth está activo en esta app mediante /api/auth.",
+      "signUpOwner": "Crea la primera cuenta owner para inicializar esta instancia de administración.",
+      "signUpUser": "El registro automático está habilitado para usuarios admin.",
+      "signUpDisabled": "El auto-registro está desactivado actualmente por un administrador."
+    },
+    "fields": {
+      "name": "Nombre",
+      "emailOrUsername": "Correo o nombre de usuario",
+      "email": "Correo",
+      "username": "Nombre de usuario (opcional)",
+      "password": "Contraseña"
+    },
+    "actions": {
+      "signInIdle": "Iniciar sesión",
+      "signInBusy": "Iniciando sesión...",
+      "signUpOwnerIdle": "Crear cuenta owner",
+      "signUpUserIdle": "Crear cuenta",
+      "signUpBusy": "Creando cuenta..."
+    },
+    "links": {
+      "needAccount": "¿Necesitas una cuenta?",
+      "register": "Registrarse",
+      "alreadyHaveAccount": "¿Ya tienes una cuenta?",
+      "goToSignIn": "Ir a iniciar sesión"
+    },
+    "messages": {
+      "ownerCreated": "Cuenta owner creada. El registro ahora está deshabilitado.",
+      "accountCreated": "Cuenta creada.",
+      "registrationDisabled": "El registro está deshabilitado para esta instancia de administración. Pide a un administrador que cree una cuenta o habilite el auto-registro."
+    },
+    "errors": {
+      "nameRequired": "El nombre es obligatorio para crear la cuenta",
+      "signInFailed": "Error al iniciar sesión",
+      "signUpFailed": "Error al registrarse",
+      "networkSignIn": "Error de red al iniciar sesión",
+      "networkSignUp": "Error de red al registrarse"
+    }
+  },
+  "settings": {
+    "badge": "Ajustes de Admin",
+    "title": "Ajustes",
+    "description": "Gestiona políticas de ejecución para autenticación y onboarding del panel admin.",
+    "actions": {
+      "backToDashboard": "Volver al panel"
+    },
+    "registration": {
+      "title": "Auto-registro de admin",
+      "description": "Cuando está habilitado, /register puede crear cuentas admin adicionales después del bootstrap inicial del owner.",
+      "currentStatusLabel": "Estado actual",
+      "status": {
+        "enabled": "Habilitado",
+        "disabled": "Deshabilitado"
+      },
+      "checkboxLabel": "Permitir auto-registro en /register para usuarios admin",
+      "actions": {
+        "save": "Guardar política de registro"
+      },
+      "success": {
+        "updated": "Política de registro actualizada."
+      },
+      "errors": {
+        "updateFailed": "No se pudieron guardar los ajustes. Asegúrate de que las migraciones de base de datos estén aplicadas."
+      }
+    }
+  },
+  "dashboard": {
+    "badge": "App Admin",
+    "title": "Panel de Contenido",
+    "description": "Gestiona publicaciones desde una superficie de administración dedicada.",
+    "actions": {
+      "openRoadmap": "Abrir hoja de ruta y progreso"
+    },
+    "notices": {
+      "noCrudPermission": "Puedes leer publicaciones, pero tu rol no puede crear/editar/eliminar publicaciones.",
+      "crudSandboxTag": "Prueba funcional MVP0"
+    },
+    "posts": {
+      "title": "Sandbox CRUD de Publicaciones",
+      "createTitle": "Crear publicación",
+      "fields": {
+        "title": "Título",
+        "slug": "Slug",
+        "excerpt": "Extracto",
+        "body": "Contenido",
+        "status": "Estado"
+      },
+      "status": {
+        "draft": "Borrador",
+        "published": "Publicado"
+      },
+      "actions": {
+        "create": "Crear publicación",
+        "save": "Guardar cambios",
+        "delete": "Eliminar"
+      },
+      "errors": {
+        "createFailed": "Error al crear. Revisa tus datos.",
+        "updateFailed": "Error al actualizar. Revisa tus datos.",
+        "updateMissingId": "Error al actualizar. Falta el id de la publicación.",
+        "deleteFailed": "Error al eliminar.",
+        "deleteMissingId": "Error al eliminar. Falta el id de la publicación."
+      },
+      "success": {
+        "created": "Publicación creada.",
+        "updated": "Publicación actualizada.",
+        "deleted": "Publicación eliminada."
+      },
+      "fallback": {
+        "noExcerpt": "Sin extracto"
+      }
+    }
+  }
+}

apps/admin/src/messages/fr.json

@@ -0,0 +1,132 @@
+{
+  "common": {
+    "language": "Langue",
+    "localeNames": {
+      "de": "Allemand",
+      "en": "Anglais",
+      "es": "Espagnol",
+      "fr": "Français"
+    }
+  },
+  "auth": {
+    "badge": "Authentification Admin",
+    "titles": {
+      "signIn": "Se connecter à CMS Admin",
+      "signUpOwner": "Bienvenue sur CMS Admin",
+      "signUpUser": "Créer un compte admin",
+      "signUpDisabled": "L’inscription est désactivée"
+    },
+    "descriptions": {
+      "signIn": "Better Auth est actif sur cette application via /api/auth.",
+      "signUpOwner": "Créez le premier compte owner pour initialiser cette instance d’administration.",
+      "signUpUser": "L’auto-inscription est activée pour les utilisateurs admin.",
+      "signUpDisabled": "L’auto-inscription est actuellement désactivée par un administrateur."
+    },
+    "fields": {
+      "name": "Nom",
+      "emailOrUsername": "E-mail ou nom d’utilisateur",
+      "email": "E-mail",
+      "username": "Nom d’utilisateur (optionnel)",
+      "password": "Mot de passe"
+    },
+    "actions": {
+      "signInIdle": "Se connecter",
+      "signInBusy": "Connexion en cours...",
+      "signUpOwnerIdle": "Créer le compte owner",
+      "signUpUserIdle": "Créer un compte",
+      "signUpBusy": "Création du compte..."
+    },
+    "links": {
+      "needAccount": "Besoin d’un compte ?",
+      "register": "S’inscrire",
+      "alreadyHaveAccount": "Vous avez déjà un compte ?",
+      "goToSignIn": "Aller à la connexion"
+    },
+    "messages": {
+      "ownerCreated": "Compte owner créé. L’inscription est maintenant désactivée.",
+      "accountCreated": "Compte créé.",
+      "registrationDisabled": "L’inscription est désactivée pour cette instance admin. Demandez à un administrateur de créer un compte ou de réactiver l’auto-inscription."
+    },
+    "errors": {
+      "nameRequired": "Le nom est requis pour créer un compte",
+      "signInFailed": "Échec de la connexion",
+      "signUpFailed": "Échec de l’inscription",
+      "networkSignIn": "Erreur réseau lors de la connexion",
+      "networkSignUp": "Erreur réseau lors de l’inscription"
+    }
+  },
+  "settings": {
+    "badge": "Paramètres Admin",
+    "title": "Paramètres",
+    "description": "Gérez les politiques d’exécution pour l’authentification et l’onboarding de l’admin.",
+    "actions": {
+      "backToDashboard": "Retour au tableau de bord"
+    },
+    "registration": {
+      "title": "Auto-inscription admin",
+      "description": "Lorsqu’elle est activée, /register peut créer des comptes admin supplémentaires après l’initialisation du premier owner.",
+      "currentStatusLabel": "Statut actuel",
+      "status": {
+        "enabled": "Activé",
+        "disabled": "Désactivé"
+      },
+      "checkboxLabel": "Autoriser l’auto-inscription sur /register pour les utilisateurs admin",
+      "actions": {
+        "save": "Enregistrer la politique d’inscription"
+      },
+      "success": {
+        "updated": "Politique d’inscription mise à jour."
+      },
+      "errors": {
+        "updateFailed": "Échec de l’enregistrement des paramètres. Vérifiez que les migrations de base de données sont appliquées."
+      }
+    }
+  },
+  "dashboard": {
+    "badge": "Application Admin",
+    "title": "Tableau de bord contenu",
+    "description": "Gérez les publications depuis une surface d’administration dédiée.",
+    "actions": {
+      "openRoadmap": "Ouvrir la feuille de route et la progression"
+    },
+    "notices": {
+      "noCrudPermission": "Vous pouvez lire les publications, mais votre rôle ne peut pas créer/modifier/supprimer des publications.",
+      "crudSandboxTag": "Test fonctionnel MVP0"
+    },
+    "posts": {
+      "title": "Sandbox CRUD des publications",
+      "createTitle": "Créer une publication",
+      "fields": {
+        "title": "Titre",
+        "slug": "Slug",
+        "excerpt": "Extrait",
+        "body": "Contenu",
+        "status": "Statut"
+      },
+      "status": {
+        "draft": "Brouillon",
+        "published": "Publié"
+      },
+      "actions": {
+        "create": "Créer une publication",
+        "save": "Enregistrer les modifications",
+        "delete": "Supprimer"
+      },
+      "errors": {
+        "createFailed": "Échec de la création. Vérifiez vos données.",
+        "updateFailed": "Échec de la mise à jour. Vérifiez vos données.",
+        "updateMissingId": "Échec de la mise à jour. ID de publication manquant.",
+        "deleteFailed": "Échec de la suppression.",
+        "deleteMissingId": "Échec de la suppression. ID de publication manquant."
+      },
+      "success": {
+        "created": "Publication créée.",
+        "updated": "Publication mise à jour.",
+        "deleted": "Publication supprimée."
+      },
+      "fallback": {
+        "noExcerpt": "Aucun extrait"
+      }
+    }
+  }
+}

apps/admin/src/providers/admin-i18n-provider.tsx

@@ -0,0 +1,53 @@
+"use client"
+
+import type { AppLocale } from "@cms/i18n"
+import { createContext, type ReactNode, useContext, useMemo } from "react"
+
+import type { AdminMessages } from "@/i18n/messages"
+import { translateMessage } from "@/i18n/messages"
+
+type AdminI18nContextValue = {
+  locale: AppLocale
+  messages: AdminMessages
+}
+
+const AdminI18nContext = createContext<AdminI18nContextValue | null>(null)
+
+export function AdminI18nProvider({
+  locale,
+  messages,
+  children,
+}: {
+  locale: AppLocale
+  messages: AdminMessages
+  children: ReactNode
+}) {
+  const value = useMemo(
+    () => ({
+      locale,
+      messages,
+    }),
+    [locale, messages],
+  )
+
+  return <AdminI18nContext.Provider value={value}>{children}</AdminI18nContext.Provider>
+}
+
+export function useAdminI18n(): AdminI18nContextValue {
+  const context = useContext(AdminI18nContext)
+
+  if (!context) {
+    throw new Error("useAdminI18n must be used inside AdminI18nProvider")
+  }
+
+  return context
+}
+
+export function useAdminT() {
+  const { messages } = useAdminI18n()
+
+  return useMemo(
+    () => (key: string, fallback?: string) => translateMessage(messages, key, fallback),
+    [messages],
+  )
+}

apps/web/next.config.ts

@@ -1,7 +1,10 @@
 import type { NextConfig } from "next"
+import createNextIntlPlugin from "next-intl/plugin"
+
+const withNextIntl = createNextIntlPlugin("./src/i18n/request.ts")
 
 const nextConfig: NextConfig = {
-  transpilePackages: ["@cms/ui", "@cms/content", "@cms/db"],
+  transpilePackages: ["@cms/ui", "@cms/content", "@cms/db", "@cms/i18n"],
 }
 
-export default nextConfig
+export default withNextIntl(nextConfig)

apps/web/package.json

@@ -13,10 +13,12 @@
   "dependencies": {
     "@cms/content": "workspace:*",
     "@cms/db": "workspace:*",
+    "@cms/i18n": "workspace:*",
     "@cms/ui": "workspace:*",
     "@tanstack/react-query": "5.90.20",
     "@tanstack/react-query-devtools": "5.91.3",
     "next": "16.1.6",
+    "next-intl": "4.4.0",
     "react": "19.2.4",
     "react-dom": "19.2.4",
     "zustand": "5.0.11"

apps/web/src/app/[locale]/about/page.tsx

@@ -0,0 +1,13 @@
+import { getTranslations } from "next-intl/server"
+
+export default async function AboutPage() {
+  const t = await getTranslations("About")
+
+  return (
+    <section className="mx-auto w-full max-w-6xl space-y-4 px-6 py-16">
+      <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">{t("badge")}</p>
+      <h1 className="text-4xl font-semibold tracking-tight">{t("title")}</h1>
+      <p className="max-w-3xl text-neutral-600">{t("description")}</p>
+    </section>
+  )
+}

apps/web/src/app/[locale]/contact/page.tsx

@@ -0,0 +1,13 @@
+import { getTranslations } from "next-intl/server"
+
+export default async function ContactPage() {
+  const t = await getTranslations("Contact")
+
+  return (
+    <section className="mx-auto w-full max-w-6xl space-y-4 px-6 py-16">
+      <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">{t("badge")}</p>
+      <h1 className="text-4xl font-semibold tracking-tight">{t("title")}</h1>
+      <p className="max-w-3xl text-neutral-600">{t("description")}</p>
+    </section>
+  )
+}

apps/web/src/app/[locale]/layout.tsx

@@ -0,0 +1,61 @@
+import { getPublicHeaderBanner } from "@cms/db"
+import { notFound } from "next/navigation"
+import { hasLocale, NextIntlClientProvider } from "next-intl"
+import { getTranslations } from "next-intl/server"
+import type { ReactNode } from "react"
+
+import { PublicHeaderBanner } from "@/components/public-header-banner"
+import { PublicSiteFooter } from "@/components/public-site-footer"
+import { PublicSiteHeader } from "@/components/public-site-header"
+import { routing } from "@/i18n/routing"
+import { Providers } from "../providers"
+
+type LocaleLayoutProps = {
+  children: ReactNode
+  params: Promise<{
+    locale: string
+  }>
+}
+
+export async function generateMetadata({ params }: LocaleLayoutProps) {
+  const { locale } = await params
+
+  if (!hasLocale(routing.locales, locale)) {
+    return {}
+  }
+
+  const t = await getTranslations({
+    locale,
+    namespace: "Seo",
+  })
+
+  return {
+    title: t("title"),
+    description: t("description"),
+    openGraph: {
+      title: t("title"),
+      description: t("description"),
+    },
+  }
+}
+
+export default async function LocaleLayout({ children, params }: LocaleLayoutProps) {
+  const { locale } = await params
+
+  if (!hasLocale(routing.locales, locale)) {
+    notFound()
+  }
+
+  const banner = await getPublicHeaderBanner()
+
+  return (
+    <NextIntlClientProvider locale={locale}>
+      <Providers>
+        <PublicHeaderBanner banner={banner} />
+        <PublicSiteHeader />
+        <main>{children}</main>
+        <PublicSiteFooter />
+      </Providers>
+    </NextIntlClientProvider>
+  )
+}

apps/web/src/app/[locale]/page.tsx

@@ -1,25 +1,24 @@
 import { listPosts } from "@cms/db"
 import { Button } from "@cms/ui/button"
+import { getTranslations } from "next-intl/server"
 
 export const dynamic = "force-dynamic"
 
 export default async function HomePage() {
-  const posts = await listPosts()
+  const [posts, t] = await Promise.all([listPosts(), getTranslations("Home")])
 
   return (
-    <main className="mx-auto flex min-h-screen w-full max-w-3xl flex-col gap-6 px-6 py-16">
+    <section className="mx-auto flex w-full max-w-6xl flex-col gap-6 px-6 py-16">
       <header className="space-y-3">
-        <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">Web App</p>
-        <h1 className="text-4xl font-semibold tracking-tight">Your Next.js CMS Frontend</h1>
-        <p className="text-neutral-600">
-          This page reads posts through the shared database package.
-        </p>
+        <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">{t("badge")}</p>
+        <h1 className="text-4xl font-semibold tracking-tight">{t("title")}</h1>
+        <p className="text-neutral-600">{t("description")}</p>
       </header>
 
       <section className="space-y-4 rounded-xl border border-neutral-200 p-6">
         <div className="flex items-center justify-between">
-          <h2 className="text-xl font-medium">Latest posts</h2>
-          <Button variant="secondary">Explore</Button>
+          <h2 className="text-xl font-medium">{t("latestPosts")}</h2>
+          <Button variant="secondary">{t("explore")}</Button>
         </div>
 
         <ul className="space-y-3">
@@ -27,11 +26,11 @@ export default async function HomePage() {
             <li key={post.id} className="rounded-lg border border-neutral-200 p-4">
               <p className="text-xs uppercase tracking-wide text-neutral-500">{post.status}</p>
               <h3 className="mt-1 text-lg font-medium">{post.title}</h3>
-              <p className="mt-2 text-sm text-neutral-600">{post.excerpt ?? "No excerpt"}</p>
+              <p className="mt-2 text-sm text-neutral-600">{post.excerpt ?? t("noExcerpt")}</p>
             </li>
           ))}
         </ul>
       </section>
-    </main>
+    </section>
   )
 }

apps/web/src/app/layout.tsx

@@ -2,19 +2,37 @@ import type { Metadata } from "next"
 import type { ReactNode } from "react"
 
 import "./globals.css"
-import { Providers } from "./providers"
+
+const metadataBase = new URL(process.env.CMS_WEB_ORIGIN ?? "http://localhost:3000")
 
 export const metadata: Metadata = {
-  title: "CMS Web",
+  metadataBase,
+  title: {
+    default: "CMS Web",
+    template: "%s | CMS Web",
+  },
   description: "Public frontend for the CMS monorepo",
+  applicationName: "CMS Web",
+  openGraph: {
+    type: "website",
+    siteName: "CMS Web",
+    title: "CMS Web",
+    description: "Public frontend for the CMS monorepo",
+    url: metadataBase,
+  },
+  alternates: {
+    canonical: "/",
+  },
+  robots: {
+    index: true,
+    follow: true,
+  },
 }
 
 export default function RootLayout({ children }: { children: ReactNode }) {
   return (
     <html lang="en">
-      <body>
-        <Providers>{children}</Providers>
-      </body>
+      <body>{children}</body>
     </html>
   )
 }

apps/web/src/app/robots.ts

@@ -0,0 +1,13 @@
+import type { MetadataRoute } from "next"
+
+const baseUrl = process.env.CMS_WEB_ORIGIN ?? "http://localhost:3000"
+
+export default function robots(): MetadataRoute.Robots {
+  return {
+    rules: {
+      userAgent: "*",
+      allow: "/",
+    },
+    sitemap: `${baseUrl}/sitemap.xml`,
+  }
+}

apps/web/src/app/sitemap.ts

@@ -0,0 +1,14 @@
+import type { MetadataRoute } from "next"
+
+const baseUrl = process.env.CMS_WEB_ORIGIN ?? "http://localhost:3000"
+
+const publicRoutes = ["/", "/about", "/contact"]
+
+export default function sitemap(): MetadataRoute.Sitemap {
+  const now = new Date()
+
+  return publicRoutes.map((route) => ({
+    url: `${baseUrl}${route}`,
+    lastModified: now,
+  }))
+}

apps/web/src/components/language-switcher.tsx

@@ -0,0 +1,50 @@
+"use client"
+
+import { type AppLocale, localeLabels, locales } from "@cms/i18n"
+import { useLocale, useTranslations } from "next-intl"
+import { useEffect, useTransition } from "react"
+
+import { usePathname, useRouter } from "@/i18n/navigation"
+import { useLocaleStore } from "@/store/locale"
+
+export function LanguageSwitcher() {
+  const t = useTranslations("LanguageSwitcher")
+  const currentLocale = useLocale() as AppLocale
+  const pathname = usePathname()
+  const router = useRouter()
+  const [isPending, startTransition] = useTransition()
+
+  const locale = useLocaleStore((state) => state.locale)
+  const setLocale = useLocaleStore((state) => state.setLocale)
+
+  useEffect(() => {
+    if (locale !== currentLocale) {
+      setLocale(currentLocale)
+    }
+  }, [currentLocale, locale, setLocale])
+
+  return (
+    <label className="inline-flex items-center gap-2 text-sm text-neutral-700">
+      <span>{t("label")}</span>
+      <select
+        className="rounded-md border border-neutral-300 bg-white px-2 py-1 text-sm"
+        value={locale}
+        disabled={isPending}
+        onChange={(event) => {
+          const nextLocale = event.target.value as AppLocale
+          setLocale(nextLocale)
+
+          startTransition(() => {
+            router.replace(pathname, { locale: nextLocale })
+          })
+        }}
+      >
+        {locales.map((value) => (
+          <option key={value} value={value}>
+            {t(`localeNames.${value}`)} ({localeLabels[value]})
+          </option>
+        ))}
+      </select>
+    </label>
+  )
+}

apps/web/src/components/public-header-banner.tsx

@@ -0,0 +1,25 @@
+import type { PublicHeaderBanner as PublicHeaderBannerData } from "@cms/db"
+import Link from "next/link"
+
+type PublicHeaderBannerProps = {
+  banner: PublicHeaderBannerData | null
+}
+
+export function PublicHeaderBanner({ banner }: PublicHeaderBannerProps) {
+  if (!banner) {
+    return null
+  }
+
+  return (
+    <div className="border-b border-amber-200 bg-amber-50">
+      <div className="mx-auto flex w-full max-w-6xl flex-wrap items-center justify-between gap-3 px-6 py-2 text-sm text-amber-900">
+        <p>{banner.message}</p>
+        {banner.ctaLabel && banner.ctaHref ? (
+          <Link href={banner.ctaHref} className="font-medium underline underline-offset-2">
+            {banner.ctaLabel}
+          </Link>
+        ) : null}
+      </div>
+    </div>
+  )
+}

apps/web/src/components/public-site-footer.tsx

@@ -0,0 +1,21 @@
+"use client"
+
+import { useTranslations } from "next-intl"
+
+export function PublicSiteFooter() {
+  const t = useTranslations("Layout")
+  const year = new Date().getFullYear()
+
+  return (
+    <footer className="border-t border-neutral-200 bg-neutral-50">
+      <div className="mx-auto flex w-full max-w-6xl flex-wrap items-center justify-between gap-2 px-6 py-4 text-sm text-neutral-600">
+        <p>
+          {t("footer.copyright", {
+            year,
+          })}
+        </p>
+        <p>{t("footer.tagline")}</p>
+      </div>
+    </footer>
+  )
+}

apps/web/src/components/public-site-header.tsx

@@ -0,0 +1,44 @@
+"use client"
+
+import { useTranslations } from "next-intl"
+
+import { Link } from "@/i18n/navigation"
+
+import { LanguageSwitcher } from "./language-switcher"
+
+export function PublicSiteHeader() {
+  const t = useTranslations("Layout")
+
+  const navItems = [
+    { href: "/", label: t("nav.home") },
+    { href: "/about", label: t("nav.about") },
+    { href: "/contact", label: t("nav.contact") },
+  ]
+
+  return (
+    <header className="border-b border-neutral-200 bg-white/80 backdrop-blur">
+      <div className="mx-auto flex w-full max-w-6xl flex-wrap items-center justify-between gap-4 px-6 py-4">
+        <Link
+          href="/"
+          className="text-sm font-semibold uppercase tracking-[0.2em] text-neutral-700"
+        >
+          {t("brand")}
+        </Link>
+
+        <nav className="flex flex-wrap items-center gap-2">
+          {navItems.map((item) => (
+            <Link
+              key={item.href}
+              href={item.href}
+              className="rounded-md border border-neutral-300 px-3 py-1.5 text-sm font-medium text-neutral-700 hover:bg-neutral-100"
+            >
+              {item.label}
+            </Link>
+          ))}
+        </nav>
+
+        <LanguageSwitcher />
+      </div>
+    </header>
+  )
+}

apps/web/src/i18n/navigation.ts

@@ -0,0 +1,5 @@
+import { createNavigation } from "next-intl/navigation"
+
+import { routing } from "./routing"
+
+export const { Link, redirect, usePathname, useRouter, getPathname } = createNavigation(routing)

apps/web/src/i18n/request.ts

@@ -0,0 +1,14 @@
+import { hasLocale } from "next-intl"
+import { getRequestConfig } from "next-intl/server"
+
+import { routing } from "./routing"
+
+export default getRequestConfig(async ({ requestLocale }) => {
+  const requested = await requestLocale
+  const locale = hasLocale(routing.locales, requested) ? requested : routing.defaultLocale
+
+  return {
+    locale,
+    messages: (await import(`../messages/${locale}.json`)).default,
+  }
+})

apps/web/src/i18n/routing.ts

@@ -0,0 +1,8 @@
+import { defaultLocale, locales } from "@cms/i18n"
+import { defineRouting } from "next-intl/routing"
+
+export const routing = defineRouting({
+  locales: [...locales],
+  defaultLocale,
+  localePrefix: "never",
+})

apps/web/src/messages/de.json

@@ -0,0 +1,45 @@
+{
+  "Home": {
+    "badge": "Web-App",
+    "title": "Dein Next.js CMS Frontend",
+    "description": "Diese Seite liest Beiträge über das gemeinsame Datenbank-Paket.",
+    "latestPosts": "Neueste Beiträge",
+    "explore": "Entdecken",
+    "noExcerpt": "Kein Auszug"
+  },
+  "LanguageSwitcher": {
+    "label": "Sprache",
+    "localeNames": {
+      "de": "Deutsch",
+      "en": "Englisch",
+      "es": "Spanisch",
+      "fr": "Französisch"
+    }
+  },
+  "Layout": {
+    "brand": "CMS Web",
+    "nav": {
+      "home": "Start",
+      "about": "Über uns",
+      "contact": "Kontakt"
+    },
+    "footer": {
+      "copyright": "© {year} CMS Web",
+      "tagline": "Powered by Next.js, Bun, Prisma und TanStack."
+    }
+  },
+  "Seo": {
+    "title": "CMS Web",
+    "description": "Öffentliches Frontend für das CMS-Monorepo."
+  },
+  "About": {
+    "badge": "Über uns",
+    "title": "Über dieses Projekt",
+    "description": "Diese öffentliche App ist die Frontend-Oberfläche für CMS-gesteuerte Inhalte und kommende dynamische Seiten."
+  },
+  "Contact": {
+    "badge": "Kontakt",
+    "title": "Kontakt",
+    "description": "Kontakt- und Auftragsabläufe werden in den nächsten MVP-Schritten eingeführt."
+  }
+}

apps/web/src/messages/en.json

@@ -0,0 +1,45 @@
+{
+  "Home": {
+    "badge": "Web App",
+    "title": "Your Next.js CMS Frontend",
+    "description": "This page reads posts through the shared database package.",
+    "latestPosts": "Latest posts",
+    "explore": "Explore",
+    "noExcerpt": "No excerpt"
+  },
+  "LanguageSwitcher": {
+    "label": "Language",
+    "localeNames": {
+      "de": "German",
+      "en": "English",
+      "es": "Spanish",
+      "fr": "French"
+    }
+  },
+  "Layout": {
+    "brand": "CMS Web",
+    "nav": {
+      "home": "Home",
+      "about": "About",
+      "contact": "Contact"
+    },
+    "footer": {
+      "copyright": "© {year} CMS Web",
+      "tagline": "Powered by Next.js, Bun, Prisma, and TanStack."
+    }
+  },
+  "Seo": {
+    "title": "CMS Web",
+    "description": "Public frontend for the CMS monorepo."
+  },
+  "About": {
+    "badge": "About",
+    "title": "About this project",
+    "description": "This public app is the frontend surface for CMS-driven content and upcoming dynamic pages."
+  },
+  "Contact": {
+    "badge": "Contact",
+    "title": "Contact",
+    "description": "Contact and commission flows will be introduced in upcoming MVP steps."
+  }
+}

apps/web/src/messages/es.json

@@ -0,0 +1,45 @@
+{
+  "Home": {
+    "badge": "Aplicación Web",
+    "title": "Tu Frontend CMS con Next.js",
+    "description": "Esta página lee publicaciones a través del paquete compartido de base de datos.",
+    "latestPosts": "Últimas publicaciones",
+    "explore": "Explorar",
+    "noExcerpt": "Sin extracto"
+  },
+  "LanguageSwitcher": {
+    "label": "Idioma",
+    "localeNames": {
+      "de": "Alemán",
+      "en": "Inglés",
+      "es": "Español",
+      "fr": "Francés"
+    }
+  },
+  "Layout": {
+    "brand": "CMS Web",
+    "nav": {
+      "home": "Inicio",
+      "about": "Acerca de",
+      "contact": "Contacto"
+    },
+    "footer": {
+      "copyright": "© {year} CMS Web",
+      "tagline": "Impulsado por Next.js, Bun, Prisma y TanStack."
+    }
+  },
+  "Seo": {
+    "title": "CMS Web",
+    "description": "Frontend público para el monorepo CMS."
+  },
+  "About": {
+    "badge": "Acerca de",
+    "title": "Sobre este proyecto",
+    "description": "Esta app pública es la superficie frontend para contenido gestionado por CMS y próximas páginas dinámicas."
+  },
+  "Contact": {
+    "badge": "Contacto",
+    "title": "Contacto",
+    "description": "Los flujos de contacto y comisiones se incorporarán en los siguientes pasos del MVP."
+  }
+}

apps/web/src/messages/fr.json

@@ -0,0 +1,45 @@
+{
+  "Home": {
+    "badge": "Application Web",
+    "title": "Votre Frontend CMS Next.js",
+    "description": "Cette page lit les publications via le package base de données partagé.",
+    "latestPosts": "Dernières publications",
+    "explore": "Explorer",
+    "noExcerpt": "Aucun extrait"
+  },
+  "LanguageSwitcher": {
+    "label": "Langue",
+    "localeNames": {
+      "de": "Allemand",
+      "en": "Anglais",
+      "es": "Espagnol",
+      "fr": "Français"
+    }
+  },
+  "Layout": {
+    "brand": "CMS Web",
+    "nav": {
+      "home": "Accueil",
+      "about": "À propos",
+      "contact": "Contact"
+    },
+    "footer": {
+      "copyright": "© {year} CMS Web",
+      "tagline": "Propulsé par Next.js, Bun, Prisma et TanStack."
+    }
+  },
+  "Seo": {
+    "title": "CMS Web",
+    "description": "Frontend public pour le monorepo CMS."
+  },
+  "About": {
+    "badge": "À propos",
+    "title": "À propos de ce projet",
+    "description": "Cette application publique est la surface frontend pour le contenu piloté par CMS et les futures pages dynamiques."
+  },
+  "Contact": {
+    "badge": "Contact",
+    "title": "Contact",
+    "description": "Les flux de contact et de commission seront introduits dans les prochaines étapes MVP."
+  }
+}

apps/web/src/proxy.ts

@@ -0,0 +1,14 @@
+import type { NextRequest } from "next/server"
+import createMiddleware from "next-intl/middleware"
+
+import { routing } from "@/i18n/routing"
+
+const handleI18nRouting = createMiddleware(routing)
+
+export function proxy(request: NextRequest) {
+  return handleI18nRouting(request)
+}
+
+export const config = {
+  matcher: ["/((?!api|trpc|_next|_vercel|.*\\..*).*)"],
+}

apps/web/src/store/locale.test.ts

@@ -0,0 +1,12 @@
+import { describe, expect, it } from "vitest"
+
+import { useLocaleStore } from "./locale"
+
+describe("web locale store", () => {
+  it("sets locale", () => {
+    useLocaleStore.setState({ locale: "en" })
+    useLocaleStore.getState().setLocale("de")
+
+    expect(useLocaleStore.getState().locale).toBe("de")
+  })
+})

apps/web/src/store/locale.ts

@@ -0,0 +1,12 @@
+import { type AppLocale, defaultLocale } from "@cms/i18n"
+import { create } from "zustand"
+
+type LocaleStore = {
+  locale: AppLocale
+  setLocale: (value: AppLocale) => void
+}
+
+export const useLocaleStore = create<LocaleStore>((set) => ({
+  locale: defaultLocale,
+  setLocale: (value) => set({ locale: value }),
+}))

bun.lock

@@ -5,23 +5,23 @@
     "": {
       "name": "cms-monorepo",
       "devDependencies": {
-        "@biomejs/biome": "latest",
-        "@commitlint/cli": "latest",
-        "@commitlint/config-conventional": "latest",
-        "@playwright/test": "latest",
-        "@testing-library/jest-dom": "latest",
-        "@testing-library/react": "latest",
-        "@testing-library/user-event": "latest",
-        "@vitejs/plugin-react": "latest",
-        "@vitest/coverage-istanbul": "latest",
-        "conventional-changelog-cli": "latest",
-        "jsdom": "latest",
-        "msw": "latest",
-        "turbo": "latest",
-        "typescript": "latest",
-        "vite-tsconfig-paths": "latest",
-        "vitepress": "latest",
-        "vitest": "latest",
+        "@biomejs/biome": "2.3.14",
+        "@commitlint/cli": "20.4.1",
+        "@commitlint/config-conventional": "20.4.1",
+        "@playwright/test": "1.58.2",
+        "@testing-library/jest-dom": "6.9.1",
+        "@testing-library/react": "16.3.2",
+        "@testing-library/user-event": "14.6.1",
+        "@vitejs/plugin-react": "5.1.3",
+        "@vitest/coverage-istanbul": "4.0.18",
+        "conventional-changelog-cli": "5.0.0",
+        "jsdom": "28.0.0",
+        "msw": "2.12.9",
+        "turbo": "2.8.3",
+        "typescript": "5.9.3",
+        "vite-tsconfig-paths": "6.1.0",
+        "vitepress": "1.6.4",
+        "vitest": "4.0.18",
       },
     },
     "apps/admin": {
@@ -30,26 +30,27 @@
       "dependencies": {
         "@cms/content": "workspace:*",
         "@cms/db": "workspace:*",
+        "@cms/i18n": "workspace:*",
         "@cms/ui": "workspace:*",
-        "@tanstack/react-form": "latest",
-        "@tanstack/react-query": "latest",
-        "@tanstack/react-query-devtools": "latest",
-        "@tanstack/react-table": "latest",
+        "@tanstack/react-form": "1.28.0",
+        "@tanstack/react-query": "5.90.20",
+        "@tanstack/react-query-devtools": "5.91.3",
+        "@tanstack/react-table": "8.21.3",
         "better-auth": "1.4.18",
-        "next": "latest",
-        "react": "latest",
-        "react-dom": "latest",
-        "zustand": "latest",
+        "next": "16.1.6",
+        "react": "19.2.4",
+        "react-dom": "19.2.4",
+        "zustand": "5.0.11",
       },
       "devDependencies": {
-        "@biomejs/biome": "latest",
+        "@biomejs/biome": "2.3.14",
         "@cms/config": "workspace:*",
-        "@tailwindcss/postcss": "latest",
-        "@types/node": "latest",
-        "@types/react": "latest",
-        "@types/react-dom": "latest",
-        "tailwindcss": "latest",
-        "typescript": "latest",
+        "@tailwindcss/postcss": "4.1.18",
+        "@types/node": "25.2.2",
+        "@types/react": "19.2.13",
+        "@types/react-dom": "19.2.3",
+        "tailwindcss": "4.1.18",
+        "typescript": "5.9.3",
       },
     },
     "apps/web": {
@@ -58,23 +59,25 @@
       "dependencies": {
         "@cms/content": "workspace:*",
         "@cms/db": "workspace:*",
+        "@cms/i18n": "workspace:*",
         "@cms/ui": "workspace:*",
-        "@tanstack/react-query": "latest",
-        "@tanstack/react-query-devtools": "latest",
-        "next": "latest",
-        "react": "latest",
-        "react-dom": "latest",
-        "zustand": "latest",
+        "@tanstack/react-query": "5.90.20",
+        "@tanstack/react-query-devtools": "5.91.3",
+        "next": "16.1.6",
+        "next-intl": "4.4.0",
+        "react": "19.2.4",
+        "react-dom": "19.2.4",
+        "zustand": "5.0.11",
       },
       "devDependencies": {
-        "@biomejs/biome": "latest",
+        "@biomejs/biome": "2.3.14",
         "@cms/config": "workspace:*",
-        "@tailwindcss/postcss": "latest",
-        "@types/node": "latest",
-        "@types/react": "latest",
-        "@types/react-dom": "latest",
-        "tailwindcss": "latest",
-        "typescript": "latest",
+        "@tailwindcss/postcss": "4.1.18",
+        "@types/node": "25.2.2",
+        "@types/react": "19.2.13",
+        "@types/react-dom": "19.2.3",
+        "tailwindcss": "4.1.18",
+        "typescript": "5.9.3",
       },
     },
     "packages/config": {
@@ -85,12 +88,24 @@
       "name": "@cms/content",
       "version": "0.0.1",
       "dependencies": {
-        "zod": "latest",
+        "zod": "4.3.6",
       },
       "devDependencies": {
-        "@biomejs/biome": "latest",
+        "@biomejs/biome": "2.3.14",
         "@cms/config": "workspace:*",
-        "typescript": "latest",
+        "typescript": "5.9.3",
+      },
+    },
+    "packages/crud": {
+      "name": "@cms/crud",
+      "version": "0.0.1",
+      "dependencies": {
+        "zod": "4.3.6",
+      },
+      "devDependencies": {
+        "@biomejs/biome": "2.3.14",
+        "@cms/config": "workspace:*",
+        "typescript": "5.9.3",
       },
     },
     "packages/db": {
@@ -98,39 +113,48 @@
       "version": "0.0.1",
       "dependencies": {
         "@cms/content": "workspace:*",
-        "@prisma/adapter-pg": "latest",
-        "@prisma/client": "latest",
-        "pg": "latest",
-        "zod": "latest",
+        "@cms/crud": "workspace:*",
+        "@prisma/adapter-pg": "7.3.0",
+        "@prisma/client": "7.3.0",
+        "pg": "8.18.0",
+        "zod": "4.3.6",
       },
       "devDependencies": {
-        "@biomejs/biome": "latest",
+        "@biomejs/biome": "2.3.14",
         "@cms/config": "workspace:*",
-        "@types/node": "latest",
-        "@types/pg": "latest",
-        "better-auth": "1.4.18",
-        "prisma": "latest",
-        "typescript": "latest",
+        "@types/node": "25.2.2",
+        "@types/pg": "8.16.0",
+        "prisma": "7.3.0",
+        "typescript": "5.9.3",
+      },
+    },
+    "packages/i18n": {
+      "name": "@cms/i18n",
+      "version": "0.0.1",
+      "devDependencies": {
+        "@biomejs/biome": "2.3.14",
+        "@cms/config": "workspace:*",
+        "typescript": "5.9.3",
       },
     },
     "packages/ui": {
       "name": "@cms/ui",
       "version": "0.0.1",
       "dependencies": {
-        "class-variance-authority": "latest",
-        "clsx": "latest",
-        "tailwind-merge": "latest",
+        "class-variance-authority": "0.7.1",
+        "clsx": "2.1.1",
+        "tailwind-merge": "3.4.0",
       },
       "devDependencies": {
-        "@biomejs/biome": "latest",
+        "@biomejs/biome": "2.3.14",
         "@cms/config": "workspace:*",
-        "@types/react": "latest",
-        "@types/react-dom": "latest",
-        "typescript": "latest",
+        "@types/react": "19.2.13",
+        "@types/react-dom": "19.2.3",
+        "typescript": "5.9.3",
       },
       "peerDependencies": {
-        "react": "latest",
-        "react-dom": "latest",
+        "react": "19.2.4",
+        "react-dom": "19.2.4",
       },
     },
   },
@@ -263,8 +287,12 @@
 
     "@cms/content": ["@cms/content@workspace:packages/content"],
 
+    "@cms/crud": ["@cms/crud@workspace:packages/crud"],
+
     "@cms/db": ["@cms/db@workspace:packages/db"],
 
+    "@cms/i18n": ["@cms/i18n@workspace:packages/i18n"],
+
     "@cms/ui": ["@cms/ui@workspace:packages/ui"],
 
     "@cms/web": ["@cms/web@workspace:apps/web"],
@@ -385,6 +413,16 @@
 
     "@exodus/bytes": ["@exodus/bytes@1.12.0", "", { "peerDependencies": { "@noble/hashes": "^1.8.0 || ^2.0.0" }, "optionalPeers": ["@noble/hashes"] }, "sha512-BuCOHA/EJdPN0qQ5MdgAiJSt9fYDHbghlgrj33gRdy/Yp1/FMCDhU6vJfcKrLC0TPWGSrfH3vYXBQWmFHxlddw=="],
 
+    "@formatjs/ecma402-abstract": ["@formatjs/ecma402-abstract@3.1.1", "", { "dependencies": { "@formatjs/fast-memoize": "3.1.0", "@formatjs/intl-localematcher": "0.8.1", "decimal.js": "^10.6.0", "tslib": "^2.8.1" } }, "sha512-jhZbTwda+2tcNrs4kKvxrPLPjx8QsBCLCUgrrJ/S+G9YrGHWLhAyFMMBHJBnBoOwuLHd7L14FgYudviKaxkO2Q=="],
+
+    "@formatjs/fast-memoize": ["@formatjs/fast-memoize@3.1.0", "", { "dependencies": { "tslib": "^2.8.1" } }, "sha512-b5mvSWCI+XVKiz5WhnBCY3RJ4ZwfjAidU0yVlKa3d3MSgKmH1hC3tBGEAtYyN5mqL7N0G5x0BOUYyO8CEupWgg=="],
+
+    "@formatjs/icu-messageformat-parser": ["@formatjs/icu-messageformat-parser@3.5.1", "", { "dependencies": { "@formatjs/ecma402-abstract": "3.1.1", "@formatjs/icu-skeleton-parser": "2.1.1", "tslib": "^2.8.1" } }, "sha512-sSDmSvmmoVQ92XqWb499KrIhv/vLisJU8ITFrx7T7NZHUmMY7EL9xgRowAosaljhqnj/5iufG24QrdzB6X3ItA=="],
+
+    "@formatjs/icu-skeleton-parser": ["@formatjs/icu-skeleton-parser@2.1.1", "", { "dependencies": { "@formatjs/ecma402-abstract": "3.1.1", "tslib": "^2.8.1" } }, "sha512-PSFABlcNefjI6yyk8f7nyX1DC7NHmq6WaCHZLySEXBrXuLOB2f935YsnzuPjlz+ibhb9yWTdPeVX1OVcj24w2Q=="],
+
+    "@formatjs/intl-localematcher": ["@formatjs/intl-localematcher@0.5.10", "", { "dependencies": { "tslib": "2" } }, "sha512-af3qATX+m4Rnd9+wHcjJ4w2ijq+rAVP3CCinJQvFv1kgSu1W6jypUmvleJxcewdxmutM8dmIRZFxO/IQBZmP2Q=="],
+
     "@hono/node-server": ["@hono/node-server@1.19.9", "", { "peerDependencies": { "hono": "^4" } }, "sha512-vHL6w3ecZsky+8P5MD+eFfaGTyCeOHUIFYMGpQGbrBTSmNNoxv0if69rEZ5giu36weC5saFuznL411gRX7bJDw=="],
 
     "@hutson/parse-repository-url": ["@hutson/parse-repository-url@5.0.0", "", {}, "sha512-e5+YUKENATs1JgYHMzTr2MW/NDcXGfYFAuOQU8gJgF/kEh4EqKgfGrfLI67bMD4tbhZVlkigz/9YYwWcbOFthg=="],
@@ -577,6 +615,8 @@
 
     "@rollup/rollup-win32-x64-msvc": ["@rollup/rollup-win32-x64-msvc@4.57.1", "", { "os": "win32", "cpu": "x64" }, "sha512-mxRFDdHIWRxg3UfIIAwCm6NzvxG0jDX/wBN6KsQFTvKFqqg9vTrWUE68qEjHt19A5wwx5X5aUi2zuZT7YR0jrA=="],
 
+    "@schummar/icu-type-parser": ["@schummar/icu-type-parser@1.21.5", "", {}, "sha512-bXHSaW5jRTmke9Vd0h5P7BtWZG9Znqb8gSDxZnxaGSJnGwPLDPfS+3g0BKzeWqzgZPsIVZkM7m2tbo18cm5HBw=="],
+
     "@shikijs/core": ["@shikijs/core@2.5.0", "", { "dependencies": { "@shikijs/engine-javascript": "2.5.0", "@shikijs/engine-oniguruma": "2.5.0", "@shikijs/types": "2.5.0", "@shikijs/vscode-textmate": "^10.0.2", "@types/hast": "^3.0.4", "hast-util-to-html": "^9.0.4" } }, "sha512-uu/8RExTKtavlpH7XqnVYBrfBkUc20ngXiX9NSrBhOVZYv/7XQRKUyhtkeflY5QsxC0GbJThCerruZfsUaSldg=="],
 
     "@shikijs/engine-javascript": ["@shikijs/engine-javascript@2.5.0", "", { "dependencies": { "@shikijs/types": "2.5.0", "@shikijs/vscode-textmate": "^10.0.2", "oniguruma-to-es": "^3.1.0" } }, "sha512-VjnOpnQf8WuCEZtNUdjjwGUbtAVKuZkVQ/5cHy/tojVVRIRtlWMYVjyWhxOmIq05AlSOv72z7hRNRGVBgQOl0w=="],
@@ -1015,6 +1055,8 @@
 
     "iconv-lite": ["iconv-lite@0.7.2", "", { "dependencies": { "safer-buffer": ">= 2.1.2 < 3.0.0" } }, "sha512-im9DjEDQ55s9fL4EYzOAv0yMqmMBSZp6G0VvFyTMPKWxiSBHUj9NW/qqLmXUwXrrM7AvqSlTCfvqRb0cM8yYqw=="],
 
+    "icu-minify": ["icu-minify@4.8.2", "", { "dependencies": { "@formatjs/icu-messageformat-parser": "^3.4.0" } }, "sha512-LHBQV+skKkjZSPd590pZ7ZAHftUgda3eFjeuNwA8/15L8T8loCNBktKQyTlkodAU86KovFXeg/9WntlAo5wA5A=="],
+
     "import-fresh": ["import-fresh@3.3.1", "", { "dependencies": { "parent-module": "^1.0.0", "resolve-from": "^4.0.0" } }, "sha512-TR3KfrTZTYLPB6jUjfx6MF9WcWrHL9su5TObK4ZkYgBdWKPOFoSoQIdEuTuR82pmtxH2spWG9h6etwfr1pLBqQ=="],
 
     "import-meta-resolve": ["import-meta-resolve@4.2.0", "", {}, "sha512-Iqv2fzaTQN28s/FwZAoFq0ZSs/7hMAHJVX+w8PZl3cY19Pxk6jFFalxQoIfW2826i/fDLXv8IiEZRIT0lDuWcg=="],
@@ -1025,6 +1067,8 @@
 
     "ini": ["ini@4.1.1", "", {}, "sha512-QQnnxNyfvmHFIsj7gkPcYymR8Jdw/o7mp5ZFihxn6h8Ci6fh3Dx4E1gPjpQEpIuPo9XVNY/ZUwh4BPMjGyL01g=="],
 
+    "intl-messageformat": ["intl-messageformat@11.1.2", "", { "dependencies": { "@formatjs/ecma402-abstract": "3.1.1", "@formatjs/fast-memoize": "3.1.0", "@formatjs/icu-messageformat-parser": "3.5.1", "tslib": "^2.8.1" } }, "sha512-ucSrQmZGAxfiBHfBRXW/k7UC8MaGFlEj4Ry1tKiDcmgwQm1y3EDl40u+4VNHYomxJQMJi9NEI3riDRlth96jKg=="],
+
     "is-arrayish": ["is-arrayish@0.2.1", "", {}, "sha512-zz06S8t0ozoDXMG+ube26zeCTNXcKIPJZJi8hBrF4idCLms4CG9QtK7qBl1boi5ODzFpjswb5JPmHCbMpjaYzg=="],
 
     "is-fullwidth-code-point": ["is-fullwidth-code-point@3.0.0", "", {}, "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg=="],
@@ -1167,10 +1211,14 @@
 
     "nanostores": ["nanostores@1.1.0", "", {}, "sha512-yJBmDJr18xy47dbNVlHcgdPrulSn1nhSE6Ns9vTG+Nx9VPT6iV1MD6aQFp/t52zpf82FhLLTXAXr30NuCnxvwA=="],
 
+    "negotiator": ["negotiator@1.0.0", "", {}, "sha512-8Ofs/AUQh8MaEcrlq5xOX0CQ9ypTF5dl78mjlMNfOK08fzpgTHQRQPBxcPlEtIw0yRpws+Zo/3r+5WRby7u3Gg=="],
+
     "neo-async": ["neo-async@2.6.2", "", {}, "sha512-Yd3UES5mWCSqR+qNT93S3UoYUkqAZ9lLg8a7g9rimsWmYGK8cVToA4/sF3RrshdyV3sAGMXVUmpMYOw+dLpOuw=="],
 
     "next": ["next@16.1.6", "", { "dependencies": { "@next/env": "16.1.6", "@swc/helpers": "0.5.15", "baseline-browser-mapping": "^2.8.3", "caniuse-lite": "^1.0.30001579", "postcss": "8.4.31", "styled-jsx": "5.1.6" }, "optionalDependencies": { "@next/swc-darwin-arm64": "16.1.6", "@next/swc-darwin-x64": "16.1.6", "@next/swc-linux-arm64-gnu": "16.1.6", "@next/swc-linux-arm64-musl": "16.1.6", "@next/swc-linux-x64-gnu": "16.1.6", "@next/swc-linux-x64-musl": "16.1.6", "@next/swc-win32-arm64-msvc": "16.1.6", "@next/swc-win32-x64-msvc": "16.1.6", "sharp": "^0.34.4" }, "peerDependencies": { "@opentelemetry/api": "^1.1.0", "@playwright/test": "^1.51.1", "babel-plugin-react-compiler": "*", "react": "^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0", "react-dom": "^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0", "sass": "^1.3.0" }, "optionalPeers": ["@opentelemetry/api", "@playwright/test", "babel-plugin-react-compiler", "sass"], "bin": { "next": "dist/bin/next" } }, "sha512-hkyRkcu5x/41KoqnROkfTm2pZVbKxvbZRuNvKXLRXxs3VfyO0WhY50TQS40EuKO9SW3rBj/sF3WbVwDACeMZyw=="],
 
+    "next-intl": ["next-intl@4.4.0", "", { "dependencies": { "@formatjs/intl-localematcher": "^0.5.4", "negotiator": "^1.0.0", "use-intl": "^4.4.0" }, "peerDependencies": { "next": "^12.0.0 || ^13.0.0 || ^14.0.0 || ^15.0.0 || ^16.0.0", "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || >=19.0.0-rc <19.0.0 || ^19.0.0", "typescript": "^5.0.0" }, "optionalPeers": ["typescript"] }, "sha512-QHqnP9V9Pe7Tn0PdVQ7u1Z8k9yCkW5SJKeRy2g5gxzhSt/C01y3B9qNxuj3Fsmup/yreIHe6osxU6sFa+9WIkQ=="],
+
     "node-fetch-native": ["node-fetch-native@1.6.7", "", {}, "sha512-g9yhqoedzIUm0nTnTqAQvueMPVOuIY16bqgAJJC8XOOubYFNwz6IER9qs0Gq2Xd0+CecCKFjtdDTMA4u4xG06Q=="],
 
     "node-releases": ["node-releases@2.0.27", "", {}, "sha512-nmh3lCkYZ3grZvqcCH+fjmQ7X+H0OeZgP40OierEaAptX4XofMh5kwNbWh7lBduUzCcV/8kZ+NDLCwm2iorIlA=="],
@@ -1443,6 +1491,8 @@
 
     "update-browserslist-db": ["update-browserslist-db@1.2.3", "", { "dependencies": { "escalade": "^3.2.0", "picocolors": "^1.1.1" }, "peerDependencies": { "browserslist": ">= 4.21.0" }, "bin": { "update-browserslist-db": "cli.js" } }, "sha512-Js0m9cx+qOgDxo0eMiFGEueWztz+d4+M3rGlmKPT+T4IS/jP4ylw3Nwpu6cpTTP8R1MAC1kF4VbdLt3ARf209w=="],
 
+    "use-intl": ["use-intl@4.8.2", "", { "dependencies": { "@formatjs/fast-memoize": "^3.1.0", "@schummar/icu-type-parser": "1.21.5", "icu-minify": "^4.8.2", "intl-messageformat": "^11.1.0" }, "peerDependencies": { "react": "^17.0.0 || ^18.0.0 || >=19.0.0-rc <19.0.0 || ^19.0.0" } }, "sha512-3VNXZgDnPFqhIYosQ9W1Hc6K5q+ZelMfawNbexdwL/dY7BTHbceLUBX5Eeex9lgogxTp0pf1SjHuhYNAjr9H3g=="],
+
     "use-sync-external-store": ["use-sync-external-store@1.6.0", "", { "peerDependencies": { "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0" } }, "sha512-Pp6GSwGP/NrPIrxVFAIkOQeyw8lFenOHijQWkUTrDvrF4ALqylP2C/KCkeS9dpUM3KvYRQhna5vt7IL95+ZQ9w=="],
 
     "valibot": ["valibot@1.2.0", "", { "peerDependencies": { "typescript": ">=5" }, "optionalPeers": ["typescript"] }, "sha512-mm1rxUsmOxzrwnX5arGS+U4T25RdvpPjPN4yR0u9pUBov9+zGVtO84tif1eY4r6zWxVxu3KzIyknJy3rxfRZZg=="],
@@ -1509,6 +1559,8 @@
 
     "@conventional-changelog/git-client/semver": ["semver@7.7.4", "", { "bin": { "semver": "bin/semver.js" } }, "sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA=="],
 
+    "@formatjs/ecma402-abstract/@formatjs/intl-localematcher": ["@formatjs/intl-localematcher@0.8.1", "", { "dependencies": { "@formatjs/fast-memoize": "3.1.0", "tslib": "^2.8.1" } }, "sha512-xwEuwQFdtSq1UKtQnyTZWC+eHdv7Uygoa+H2k/9uzBVQjDyp9r20LNDNKedWXll7FssT3GRHvqsdJGYSUWqYFA=="],
+
     "@inquirer/core/wrap-ansi": ["wrap-ansi@6.2.0", "", { "dependencies": { "ansi-styles": "^4.0.0", "string-width": "^4.1.0", "strip-ansi": "^6.0.0" } }, "sha512-r6lPcBGxZXlIcymEu7InxDMhdW0KDxpLgoFLcguasxCaJ/SOIZwINatK9KY/tf+ZrlywOKU0UDj3ATXUBfxJXA=="],
 
     "@prisma/engines/@prisma/get-platform": ["@prisma/get-platform@7.3.0", "", { "dependencies": { "@prisma/debug": "7.3.0" } }, "sha512-N7c6m4/I0Q6JYmWKP2RCD/sM9eWiyCPY98g5c0uEktObNSZnugW2U/PO+pwL0UaqzxqTXt7gTsYsb0FnMnJNbg=="],

docs/.vitepress/config.mts

@@ -20,7 +20,10 @@ export default defineConfig({
           { text: "Getting Started", link: "/getting-started" },
           { text: "Architecture", link: "/architecture" },
           { text: "Better Auth Baseline", link: "/product-engineering/auth-baseline" },
+          { text: "CRUD Baseline", link: "/product-engineering/crud-baseline" },
+          { text: "i18n Baseline", link: "/product-engineering/i18n-baseline" },
           { text: "RBAC And Permissions", link: "/product-engineering/rbac-permission-model" },
+          { text: "Testing Strategy", link: "/product-engineering/testing-strategy" },
           { text: "Workflow", link: "/workflow" },
         ],
       },

docs/architecture.md

@@ -6,7 +6,9 @@
 - `apps/admin`: admin app
 - `packages/db`: prisma + data access
 - `packages/content`: shared schemas and domain contracts
+- `packages/crud`: shared CRUD service patterns (validation, errors, audit hooks)
 - `packages/ui`: shared UI layer
+- `packages/i18n`: shared locale definitions and i18n helpers
 - `packages/config`: shared TS config
 
 ## Design Principles
@@ -14,6 +16,7 @@
 - Shared contracts before feature implementation
 - RBAC and CRUD base as prerequisites for MVP1 feature work
 - Keep admin and public responsibilities clearly separated
+- Public routing is path-stable; locale is resolved via `next-intl` middleware + cookie
 
 ## Pending Documentation
 

docs/getting-started.md

@@ -39,6 +39,7 @@ bun run dev
 ```
 
 - Web: `http://localhost:3000`
+- Web locale switching: use the language switcher in the page header
 - Admin: `http://localhost:3001`
 - Admin welcome (first start): `http://localhost:3001/welcome`
 - Admin login: `http://localhost:3001/login`

docs/product-engineering/auth-baseline.md

@@ -12,6 +12,8 @@ Implemented in MVP0:
 - Support fallback sign-in page: `/support/<CMS_SUPPORT_LOGIN_KEY>`
 - Prisma auth models (`user`, `session`, `account`, `verification`)
 - First registration creates owner; subsequent registrations are disabled
+- Owner invariant reconciliation is enforced in auth bootstrap and owner promotion flow
+- Protected accounts (support + canonical owner) are blocked from delete-account auth endpoints
 
 ## Environment
 
@@ -37,6 +39,7 @@ Optional:
 
 - Support user bootstrap is available via `bun run auth:seed:support`.
 - Root `bun run db:seed` runs DB seed and support-user seed.
-- `CMS_ADMIN_SELF_REGISTRATION_ENABLED` is temporary until admin settings UI manages this policy.
-- Owner invariant hardening for all future user-management mutations remains tracked in `TODO.md`.
+- `CMS_ADMIN_SELF_REGISTRATION_ENABLED` is now a fallback/default only.
+- Runtime source of truth is admin settings (`/settings`) backed by `system_setting`.
+- Owner/support checks for future admin user-management mutations remain tracked in `TODO.md`.
 - Email verification and forgot/reset password pipelines are tracked for MVP2.

docs/product-engineering/crud-baseline.md

@@ -0,0 +1,40 @@
+# CRUD Baseline
+
+## Scope
+
+MVP0 now includes a shared CRUD foundation package: `@cms/crud`.
+
+Current baseline:
+
+- Shared service factory: `createCrudService`
+- Repository contract: `list`, `findById`, `create`, `update`, `delete`
+- Service surface for list/detail/editor flows: `list`, `getById`, `create`, `update`, `delete`
+- Shared validation error type: `CrudValidationError`
+- Shared not-found error type: `CrudNotFoundError`
+- Shared mutation audit hook contract: `CrudAuditHook`
+- Shared mutation context contract (`actor`, `metadata`)
+
+## First Integration
+
+`@cms/db` `posts` now uses the shared CRUD foundation:
+
+- `listPosts`
+- `getPostById`
+- `createPost`
+- `updatePost`
+- `deletePost`
+- `registerPostCrudAuditHook`
+
+Validation for create/update is enforced by `@cms/content` schemas.
+Contract tests validate:
+
+- repository list/detail behavior via CRUD service
+- validation and not-found errors
+- audit payload propagation (`actor`, `metadata`)
+
+The admin dashboard currently includes a temporary posts CRUD sandbox to validate this flow through a real app UI.
+
+## Notes
+
+- This is the base layer for future entities (pages, navigation, media, users, commissions).
+- Audit hook persistence/transport is intentionally left for later implementation work.

docs/product-engineering/i18n-baseline.md

@@ -0,0 +1,21 @@
+# i18n Baseline
+
+## Scope
+
+MVP0 introduces i18n runtime baselines for both apps.
+
+Current baseline:
+
+- Shared locale contract in `@cms/i18n` (`de`, `en`, `es`, `fr`; default `en`)
+- Public app: path-stable routing (no locale in URL) via `apps/web/src/proxy.ts`
+- Public app: message loading through `apps/web/src/i18n/request.ts`
+- Public app: locale-aware navigation helpers in `apps/web/src/i18n/navigation.ts`
+- Public app: language switcher component backed by Zustand store
+- Admin app: cookie-based locale resolution and message loading in root layout
+- Admin app: runtime i18n provider (`AdminI18nProvider`) and locale switcher UI
+
+## Notes
+
+- Public app locale is resolved through `next-intl` middleware + cookie.
+- Enabled locales are currently static in code and will later be managed from admin settings.
+- Translation key conventions and workflow docs are tracked in `TODO.md`.

docs/product-engineering/index.md

@@ -8,6 +8,7 @@ This section covers platform and implementation documentation for engineers and
 - [Architecture](/architecture)
 - [Better Auth Baseline](/product-engineering/auth-baseline)
 - [RBAC And Permissions](/product-engineering/rbac-permission-model)
+- [Testing Strategy Baseline](/product-engineering/testing-strategy)
 - [Workflow](/workflow)
 
 ## Scope

docs/product-engineering/testing-strategy.md

@@ -0,0 +1,33 @@
+# Testing Strategy Baseline
+
+## Goals
+
+- Keep lint, typecheck, unit/integration, and e2e as mandatory quality gates.
+- Make e2e runs deterministic by preparing schema and seeded data before test execution.
+- Keep test data isolated per environment (`dev` local, CI database service in workflow).
+
+## Current Gate Stack
+
+- `bun run check`
+- `bun run typecheck`
+- `bun run test`
+- `bun run test:e2e`
+
+## Data Preparation
+
+- `bun run test:e2e:prepare` runs:
+  - Prisma client generation
+  - migration deploy
+  - seed data (including support user bootstrap)
+- `bun run test:e2e` and related scripts call `test:e2e:prepare` automatically.
+
+## Locale Integration Coverage
+
+- `e2e/i18n.pw.ts` covers:
+  - web locale switch + persistence
+  - admin locale switch + persistence
+
+## CI
+
+- Real quality workflow: `.gitea/workflows/ci.yml`
+- Uses a PostgreSQL service container and runs the full gate stack, including e2e.

docs/workflow.md

@@ -15,10 +15,10 @@ Follow `BRANCHING.md`:
 
 ## Quality Gates
 
-- `bun run lint`
+- `bun run check`
 - `bun run typecheck`
 - `bun run test`
-- `bun run test:e2e --list`
+- `bun run test:e2e`
 
 ## Changelog
 

e2e/i18n.pw.ts

@@ -0,0 +1,29 @@
+import { expect, test } from "@playwright/test"
+
+test.describe("i18n integration", () => {
+  test("web language switcher updates and persists locale", async ({ page }, testInfo) => {
+    test.skip(testInfo.project.name !== "web-chromium")
+
+    await page.goto("/")
+    await expect(page.getByRole("heading", { name: /your next\.js cms frontend/i })).toBeVisible()
+
+    await page.locator("select").first().selectOption("de")
+    await expect(page.getByRole("heading", { name: /dein next\.js cms frontend/i })).toBeVisible()
+
+    await page.reload()
+    await expect(page.getByRole("heading", { name: /dein next\.js cms frontend/i })).toBeVisible()
+  })
+
+  test("admin language switcher updates and persists locale", async ({ page }, testInfo) => {
+    test.skip(testInfo.project.name !== "admin-chromium")
+
+    await page.goto("/login")
+    await expect(page.getByRole("heading", { name: /sign in to cms admin/i })).toBeVisible()
+
+    await page.locator("select").first().selectOption("de")
+    await expect(page.getByRole("heading", { name: /bei cms admin anmelden/i })).toBeVisible()
+
+    await page.reload()
+    await expect(page.getByRole("heading", { name: /bei cms admin anmelden/i })).toBeVisible()
+  })
+})

e2e/support-auth.pw.ts

@@ -0,0 +1,20 @@
+import { expect, test } from "@playwright/test"
+
+const SUPPORT_LOGIN_KEY = process.env.CMS_SUPPORT_LOGIN_KEY ?? "support-access"
+
+test.describe("support fallback route", () => {
+  test("valid support key opens sign-in page", async ({ page }, testInfo) => {
+    test.skip(testInfo.project.name !== "admin-chromium")
+
+    await page.goto(`/support/${SUPPORT_LOGIN_KEY}`)
+
+    await expect(page.getByRole("heading", { name: /sign in to cms admin/i })).toBeVisible()
+  })
+
+  test("invalid support key returns not found", async ({ page }, testInfo) => {
+    test.skip(testInfo.project.name !== "admin-chromium")
+
+    const response = await page.goto("/support/invalid-key")
+    expect(response?.status()).toBe(404)
+  })
+})

package.json

@@ -18,9 +18,10 @@
     "test": "vitest run",
     "test:watch": "vitest",
     "test:coverage": "vitest run --coverage",
-    "test:e2e": "bun run db:generate && playwright test",
-    "test:e2e:headed": "bun run db:generate && playwright test --headed",
-    "test:e2e:ui": "bun run db:generate && playwright test --ui",
+    "test:e2e:prepare": "bun run db:generate && bun run db:migrate:deploy && bun run db:seed",
+    "test:e2e": "bun run test:e2e:prepare && playwright test",
+    "test:e2e:headed": "bun run test:e2e:prepare && playwright test --headed",
+    "test:e2e:ui": "bun run test:e2e:prepare && playwright test --ui",
     "commitlint": "commitlint --last",
     "changelog:preview": "conventional-changelog -p conventionalcommits -r 0",
     "changelog:release": "conventional-changelog -p conventionalcommits -i CHANGELOG.md -s",

packages/content/src/index.test.ts

@@ -1,6 +1,6 @@
 import { describe, expect, it } from "vitest"
 
-import { postSchema, upsertPostSchema } from "./index"
+import { createPostInputSchema, postSchema, updatePostInputSchema, upsertPostSchema } from "./index"
 
 describe("content schemas", () => {
   it("accepts a valid post", () => {
@@ -17,7 +17,24 @@ describe("content schemas", () => {
     expect(post.slug).toBe("hello-world")
   })
 
-  it("rejects invalid upsert payload", () => {
+  it("rejects invalid create payload", () => {
+    const result = createPostInputSchema.safeParse({
+      title: "Hi",
+      slug: "x",
+      body: "",
+      status: "unknown",
+    })
+
+    expect(result.success).toBe(false)
+  })
+
+  it("rejects empty update payload", () => {
+    const result = updatePostInputSchema.safeParse({})
+
+    expect(result.success).toBe(false)
+  })
+
+  it("keeps upsert alias for backward compatibility", () => {
     const result = upsertPostSchema.safeParse({
       title: "Hi",
       slug: "x",

packages/content/src/index.ts

@@ -4,22 +4,32 @@ export * from "./rbac"
 
 export const postStatusSchema = z.enum(["draft", "published"])
 
-export const postSchema = z.object({
-  id: z.string().uuid(),
+const postMutableFieldsSchema = z.object({
   title: z.string().min(3).max(180),
   slug: z.string().min(3).max(180),
   excerpt: z.string().max(320).optional(),
   body: z.string().min(1),
   status: postStatusSchema,
+})
+
+export const postSchema = z.object({
+  id: z.string().uuid(),
+  ...postMutableFieldsSchema.shape,
   createdAt: z.date(),
   updatedAt: z.date(),
 })
 
-export const upsertPostSchema = postSchema.omit({
-  id: true,
-  createdAt: true,
-  updatedAt: true,
-})
+export const createPostInputSchema = postMutableFieldsSchema
+export const updatePostInputSchema = postMutableFieldsSchema
+  .partial()
+  .refine((value) => Object.keys(value).length > 0, {
+    message: "At least one field is required for an update.",
+  })
+
+// Backward-compatible alias while migrating callers to create/update-specific schemas.
+export const upsertPostSchema = createPostInputSchema
 
 export type Post = z.infer<typeof postSchema>
+export type CreatePostInput = z.infer<typeof createPostInputSchema>
+export type UpdatePostInput = z.infer<typeof updatePostInputSchema>
 export type UpsertPostInput = z.infer<typeof upsertPostSchema>

packages/crud/package.json

@@ -0,0 +1,22 @@
+{
+  "name": "@cms/crud",
+  "version": "0.0.1",
+  "private": true,
+  "type": "module",
+  "exports": {
+    ".": "./src/index.ts"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "lint": "biome check src",
+    "typecheck": "tsc -p tsconfig.json --noEmit"
+  },
+  "dependencies": {
+    "zod": "4.3.6"
+  },
+  "devDependencies": {
+    "@cms/config": "workspace:*",
+    "@biomejs/biome": "2.3.14",
+    "typescript": "5.9.3"
+  }
+}

packages/crud/src/errors.ts

@@ -0,0 +1,41 @@
+import type { ZodIssue } from "zod"
+
+export class CrudError extends Error {
+  public readonly code: string
+
+  constructor(message: string, code: string) {
+    super(message)
+    this.name = "CrudError"
+    this.code = code
+  }
+}
+
+export class CrudValidationError extends CrudError {
+  public readonly resource: string
+  public readonly operation: "create" | "update"
+  public readonly issues: ZodIssue[]
+
+  constructor(params: {
+    resource: string
+    operation: "create" | "update"
+    issues: ZodIssue[]
+  }) {
+    super(`Validation failed for ${params.resource} ${params.operation}`, "CRUD_VALIDATION")
+    this.name = "CrudValidationError"
+    this.resource = params.resource
+    this.operation = params.operation
+    this.issues = params.issues
+  }
+}
+
+export class CrudNotFoundError extends CrudError {
+  public readonly resource: string
+  public readonly id: string
+
+  constructor(params: { resource: string; id: string }) {
+    super(`${params.resource} ${params.id} was not found`, "CRUD_NOT_FOUND")
+    this.name = "CrudNotFoundError"
+    this.resource = params.resource
+    this.id = params.id
+  }
+}

packages/crud/src/index.ts

@@ -0,0 +1,3 @@
+export * from "./errors"
+export * from "./service"
+export * from "./types"

packages/crud/src/service.test.ts

@@ -0,0 +1,204 @@
+import { describe, expect, it } from "vitest"
+import { z } from "zod"
+
+import { CrudNotFoundError, CrudValidationError } from "./errors"
+import { createCrudService } from "./service"
+
+type FakeEntity = {
+  id: string
+  title: string
+}
+
+type CreateFakeEntityInput = {
+  title: string
+}
+
+type UpdateFakeEntityInput = {
+  title?: string
+}
+
+function createMemoryRepository() {
+  const state = new Map<string, FakeEntity>()
+  let sequence = 0
+
+  return {
+    list: async () => Array.from(state.values()),
+    findById: async (id: string) => state.get(id) ?? null,
+    create: async (input: CreateFakeEntityInput) => {
+      sequence += 1
+      const created = {
+        id: `${sequence}`,
+        title: input.title,
+      }
+
+      state.set(created.id, created)
+      return created
+    },
+    update: async (id: string, input: UpdateFakeEntityInput) => {
+      const current = state.get(id)
+
+      if (!current) {
+        throw new Error("unexpected missing entity in test repository")
+      }
+
+      const updated = {
+        ...current,
+        ...input,
+      }
+
+      state.set(id, updated)
+      return updated
+    },
+    delete: async (id: string) => {
+      const current = state.get(id)
+
+      if (!current) {
+        throw new Error("unexpected missing entity in test repository")
+      }
+
+      state.delete(id)
+      return current
+    },
+  }
+}
+
+describe("createCrudService", () => {
+  it("supports list and detail lookups through the repository contract", async () => {
+    const service = createCrudService({
+      resource: "fake-entity",
+      repository: createMemoryRepository(),
+      schemas: {
+        create: z.object({
+          title: z.string().min(3),
+        }),
+        update: z.object({
+          title: z.string().min(3).optional(),
+        }),
+      },
+    })
+
+    const createdA = await service.create({ title: "First" })
+    const createdB = await service.create({ title: "Second" })
+
+    expect(await service.getById(createdA.id)).toEqual(createdA)
+    expect(await service.getById("missing")).toBeNull()
+
+    const listed = await service.list()
+    expect(listed).toHaveLength(2)
+    expect(listed).toContainEqual(createdA)
+    expect(listed).toContainEqual(createdB)
+  })
+
+  it("validates create and update payloads", async () => {
+    const service = createCrudService({
+      resource: "fake-entity",
+      repository: createMemoryRepository(),
+      schemas: {
+        create: z.object({
+          title: z.string().min(3),
+        }),
+        update: z
+          .object({
+            title: z.string().min(3).optional(),
+          })
+          .refine((value) => Object.keys(value).length > 0, {
+            message: "at least one field must be updated",
+          }),
+      },
+    })
+
+    await expect(service.create({ title: "ok" })).rejects.toBeInstanceOf(CrudValidationError)
+    await expect(service.update("1", {})).rejects.toBeInstanceOf(CrudValidationError)
+  })
+
+  it("throws not found for unknown update and delete", async () => {
+    const service = createCrudService({
+      resource: "fake-entity",
+      repository: createMemoryRepository(),
+      schemas: {
+        create: z.object({
+          title: z.string().min(3),
+        }),
+        update: z.object({
+          title: z.string().min(3).optional(),
+        }),
+      },
+    })
+
+    await expect(service.update("missing", { title: "Updated" })).rejects.toBeInstanceOf(
+      CrudNotFoundError,
+    )
+    await expect(service.delete("missing")).rejects.toBeInstanceOf(CrudNotFoundError)
+  })
+
+  it("emits audit events for create, update and delete", async () => {
+    const events: Array<{
+      action: string
+      beforeTitle: string | null
+      afterTitle: string | null
+      actorRole: string | null
+      requestId: string | null
+    }> = []
+    const service = createCrudService({
+      resource: "fake-entity",
+      repository: createMemoryRepository(),
+      schemas: {
+        create: z.object({
+          title: z.string().min(3),
+        }),
+        update: z.object({
+          title: z.string().min(3).optional(),
+        }),
+      },
+      auditHooks: [
+        (event) => {
+          events.push({
+            action: event.action,
+            beforeTitle: event.before?.title ?? null,
+            afterTitle: event.after?.title ?? null,
+            actorRole: event.actor?.role ?? null,
+            requestId:
+              typeof event.metadata?.requestId === "string" ? event.metadata.requestId : null,
+          })
+        },
+      ],
+    })
+
+    const created = await service.create(
+      { title: "Created" },
+      {
+        actor: { id: "u-1", role: "owner" },
+        metadata: {
+          requestId: "req-1",
+        },
+      },
+    )
+
+    await service.update(created.id, { title: "Updated" })
+    await service.delete(created.id)
+
+    expect(events).toEqual([
+      {
+        action: "create",
+        beforeTitle: null,
+        afterTitle: "Created",
+        actorRole: "owner",
+        requestId: "req-1",
+      },
+      {
+        action: "update",
+        beforeTitle: "Created",
+        afterTitle: "Updated",
+        actorRole: null,
+        requestId: null,
+      },
+      {
+        action: "delete",
+        beforeTitle: "Updated",
+        afterTitle: null,
+        actorRole: null,
+        requestId: null,
+      },
+    ])
+  })
+})

packages/crud/src/service.ts

@@ -0,0 +1,159 @@
+import type { ZodIssue } from "zod"
+
+import { CrudNotFoundError, CrudValidationError } from "./errors"
+import type { CrudAction, CrudAuditHook, CrudMutationContext, CrudRepository } from "./types"
+
+type SchemaSafeParseResult<TInput> =
+  | {
+      success: true
+      data: TInput
+    }
+  | {
+      success: false
+      error: {
+        issues: ZodIssue[]
+      }
+    }
+
+type CrudSchema<TInput> = {
+  safeParse: (input: unknown) => SchemaSafeParseResult<TInput>
+}
+
+type CrudSchemas<TCreateInput, TUpdateInput> = {
+  create: CrudSchema<TCreateInput>
+  update: CrudSchema<TUpdateInput>
+}
+
+type CreateCrudServiceOptions<TRecord, TCreateInput, TUpdateInput, TId extends string = string> = {
+  resource: string
+  repository: CrudRepository<TRecord, TCreateInput, TUpdateInput, TId>
+  schemas: CrudSchemas<TCreateInput, TUpdateInput>
+  auditHooks?: Array<CrudAuditHook<TRecord>>
+}
+
+async function emitAuditHooks<TRecord>(
+  hooks: Array<CrudAuditHook<TRecord>>,
+  event: {
+    resource: string
+    action: CrudAction
+    actor: CrudMutationContext["actor"]
+    metadata: CrudMutationContext["metadata"]
+    before: TRecord | null
+    after: TRecord | null
+  },
+): Promise<void> {
+  if (hooks.length === 0) {
+    return
+  }
+
+  const payload = {
+    ...event,
+    actor: event.actor ?? null,
+    at: new Date(),
+  }
+
+  for (const hook of hooks) {
+    await hook(payload)
+  }
+}
+
+function parseOrThrow<TInput>(params: {
+  schema: CrudSchema<TInput>
+  input: unknown
+  resource: string
+  operation: "create" | "update"
+}): TInput {
+  const parsed = params.schema.safeParse(params.input)
+
+  if (parsed.success) {
+    return parsed.data
+  }
+
+  throw new CrudValidationError({
+    resource: params.resource,
+    operation: params.operation,
+    issues: parsed.error.issues,
+  })
+}
+
+export function createCrudService<TRecord, TCreateInput, TUpdateInput, TId extends string = string>(
+  options: CreateCrudServiceOptions<TRecord, TCreateInput, TUpdateInput, TId>,
+) {
+  const auditHooks = options.auditHooks ?? []
+
+  return {
+    list: () => options.repository.list(),
+    getById: (id: TId) => options.repository.findById(id),
+    create: async (input: unknown, context: CrudMutationContext = {}) => {
+      const payload = parseOrThrow({
+        schema: options.schemas.create,
+        input,
+        resource: options.resource,
+        operation: "create",
+      })
+
+      const created = await options.repository.create(payload)
+      await emitAuditHooks(auditHooks, {
+        resource: options.resource,
+        action: "create",
+        actor: context.actor,
+        metadata: context.metadata,
+        before: null,
+        after: created,
+      })
+
+      return created
+    },
+    update: async (id: TId, input: unknown, context: CrudMutationContext = {}) => {
+      const payload = parseOrThrow({
+        schema: options.schemas.update,
+        input,
+        resource: options.resource,
+        operation: "update",
+      })
+
+      const existing = await options.repository.findById(id)
+
+      if (!existing) {
+        throw new CrudNotFoundError({
+          resource: options.resource,
+          id,
+        })
+      }
+
+      const updated = await options.repository.update(id, payload)
+      await emitAuditHooks(auditHooks, {
+        resource: options.resource,
+        action: "update",
+        actor: context.actor,
+        metadata: context.metadata,
+        before: existing,
+        after: updated,
+      })
+
+      return updated
+    },
+    delete: async (id: TId, context: CrudMutationContext = {}) => {
+      const existing = await options.repository.findById(id)
+
+      if (!existing) {
+        throw new CrudNotFoundError({
+          resource: options.resource,
+          id,
+        })
+      }
+
+      const deleted = await options.repository.delete(id)
+      await emitAuditHooks(auditHooks, {
+        resource: options.resource,
+        action: "delete",
+        actor: context.actor,
+        metadata: context.metadata,
+        before: existing,
+        after: null,
+      })
+
+      return deleted
+    },
+  }
+}

packages/crud/src/types.ts

@@ -0,0 +1,31 @@
+export type CrudAction = "create" | "update" | "delete"
+
+export type CrudActor = {
+  id?: string | null
+  role?: string | null
+}
+
+export type CrudMutationContext = {
+  actor?: CrudActor | null
+  metadata?: Record<string, unknown>
+}
+
+export type CrudAuditEvent<TRecord> = {
+  resource: string
+  action: CrudAction
+  at: Date
+  actor: CrudActor | null
+  metadata?: Record<string, unknown>
+  before: TRecord | null
+  after: TRecord | null
+}
+
+export type CrudAuditHook<TRecord> = (event: CrudAuditEvent<TRecord>) => Promise<void> | void
+
+export type CrudRepository<TRecord, TCreateInput, TUpdateInput, TId extends string = string> = {
+  list: () => Promise<TRecord[]>
+  findById: (id: TId) => Promise<TRecord | null>
+  create: (input: TCreateInput) => Promise<TRecord>
+  update: (id: TId, input: TUpdateInput) => Promise<TRecord>
+  delete: (id: TId) => Promise<TRecord>
+}

packages/crud/tsconfig.json

@@ -0,0 +1,9 @@
+{
+  "extends": "@cms/config/tsconfig/base",
+  "compilerOptions": {
+    "noEmit": false,
+    "outDir": "dist"
+  },
+  "include": ["src/**/*.ts"],
+  "exclude": ["src/**/*.test.ts"]
+}

packages/db/package.json

@@ -20,6 +20,7 @@
     "db:seed": "bun --env-file=../../.env prisma/seed.ts"
   },
   "dependencies": {
+    "@cms/crud": "workspace:*",
     "@cms/content": "workspace:*",
     "@prisma/adapter-pg": "7.3.0",
     "@prisma/client": "7.3.0",

packages/db/prisma/migrations/20260210200148_admin_registration_policy_setting/migration.sql

@@ -0,0 +1,9 @@
+-- CreateTable
+CREATE TABLE "system_setting" (
+    "key" TEXT NOT NULL,
+    "value" TEXT NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "system_setting_pkey" PRIMARY KEY ("key")
+);

packages/db/prisma/schema.prisma

@@ -87,3 +87,12 @@ model Verification {
   @@index([identifier])
   @@map("verification")
 }
+
+model SystemSetting {
+  key       String   @id
+  value     String
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  @@map("system_setting")
+}

packages/db/prisma/seed.ts

@@ -12,6 +12,20 @@ async function main() {
       status: "published",
     },
   })
+
+  await db.systemSetting.upsert({
+    where: { key: "public.header_banner" },
+    update: {},
+    create: {
+      key: "public.header_banner",
+      value: JSON.stringify({
+        enabled: true,
+        message: "New portfolio release is live.",
+        ctaLabel: "Open latest posts",
+        ctaHref: "/",
+      }),
+    },
+  })
 }
 
 main()

packages/db/src/index.ts

@@ -1,2 +1,15 @@
 export { db } from "./client"
-export { createPost, listPosts } from "./posts"
+export {
+  createPost,
+  deletePost,
+  getPostById,
+  listPosts,
+  registerPostCrudAuditHook,
+  updatePost,
+} from "./posts"
+export type { PublicHeaderBanner } from "./settings"
+export {
+  getPublicHeaderBanner,
+  isAdminSelfRegistrationEnabled,
+  setAdminSelfRegistrationEnabled,
+} from "./settings"

packages/db/src/posts.ts

@@ -1,19 +1,80 @@
-import { upsertPostSchema } from "@cms/content"
+import {
+  type CreatePostInput,
+  createPostInputSchema,
+  type UpdatePostInput,
+  updatePostInputSchema,
+} from "@cms/content"
+import { type CrudAuditHook, type CrudMutationContext, createCrudService } from "@cms/crud"
+import type { Post } from "../prisma/generated/client/client"
 
 import { db } from "./client"
 
+const postRepository = {
+  list: () =>
+    db.post.findMany({
+      orderBy: {
+        updatedAt: "desc",
+      },
+    }),
+  findById: (id: string) =>
+    db.post.findUnique({
+      where: { id },
+    }),
+  create: (input: CreatePostInput) =>
+    db.post.create({
+      data: input,
+    }),
+  update: (id: string, input: UpdatePostInput) =>
+    db.post.update({
+      where: { id },
+      data: input,
+    }),
+  delete: (id: string) =>
+    db.post.delete({
+      where: { id },
+    }),
+}
+
+const postAuditHooks: Array<CrudAuditHook<Post>> = []
+
+const postCrudService = createCrudService({
+  resource: "post",
+  repository: postRepository,
+  schemas: {
+    create: createPostInputSchema,
+    update: updatePostInputSchema,
+  },
+  auditHooks: postAuditHooks,
+})
+
+export function registerPostCrudAuditHook(hook: CrudAuditHook<Post>): () => void {
+  postAuditHooks.push(hook)
+
+  return () => {
+    const index = postAuditHooks.indexOf(hook)
+
+    if (index >= 0) {
+      postAuditHooks.splice(index, 1)
+    }
+  }
+}
+
 export async function listPosts() {
-  return db.post.findMany({
-    orderBy: {
-      updatedAt: "desc",
-    },
-  })
+  return postCrudService.list()
 }
 
-export async function createPost(input: unknown) {
-  const payload = upsertPostSchema.parse(input)
-
-  return db.post.create({
-    data: payload,
-  })
+export async function getPostById(id: string) {
+  return postCrudService.getById(id)
+}
+
+export async function createPost(input: unknown, context?: CrudMutationContext) {
+  return postCrudService.create(input, context)
+}
+
+export async function updatePost(id: string, input: unknown, context?: CrudMutationContext) {
+  return postCrudService.update(id, input, context)
+}
+
+export async function deletePost(id: string, context?: CrudMutationContext) {
+  return postCrudService.delete(id, context)
 }

packages/db/src/settings.ts

@@ -0,0 +1,116 @@
+import { db } from "./client"
+
+const ADMIN_SELF_REGISTRATION_KEY = "admin.self_registration_enabled"
+const PUBLIC_HEADER_BANNER_KEY = "public.header_banner"
+
+type PublicHeaderBannerRecord = {
+  enabled: boolean
+  message: string
+  ctaLabel?: string
+  ctaHref?: string
+}
+
+export type PublicHeaderBanner = {
+  message: string
+  ctaLabel?: string
+  ctaHref?: string
+}
+
+function resolveEnvFallback(): boolean {
+  return process.env.CMS_ADMIN_SELF_REGISTRATION_ENABLED === "true"
+}
+
+function parseStoredBoolean(value: string): boolean | null {
+  if (value === "true") {
+    return true
+  }
+
+  if (value === "false") {
+    return false
+  }
+
+  return null
+}
+
+function parsePublicHeaderBanner(value: string): PublicHeaderBannerRecord | null {
+  try {
+    const parsed = JSON.parse(value) as Record<string, unknown>
+
+    if (typeof parsed.enabled !== "boolean" || typeof parsed.message !== "string") {
+      return null
+    }
+
+    return {
+      enabled: parsed.enabled,
+      message: parsed.message,
+      ctaLabel: typeof parsed.ctaLabel === "string" ? parsed.ctaLabel : undefined,
+      ctaHref: typeof parsed.ctaHref === "string" ? parsed.ctaHref : undefined,
+    }
+  } catch {
+    return null
+  }
+}
+
+export async function isAdminSelfRegistrationEnabled(): Promise<boolean> {
+  try {
+    const setting = await db.systemSetting.findUnique({
+      where: { key: ADMIN_SELF_REGISTRATION_KEY },
+      select: { value: true },
+    })
+
+    if (!setting) {
+      return resolveEnvFallback()
+    }
+
+    const parsed = parseStoredBoolean(setting.value)
+
+    if (parsed === null) {
+      return resolveEnvFallback()
+    }
+
+    return parsed
+  } catch {
+    // Fallback while migrations are not yet applied in a local environment.
+    return resolveEnvFallback()
+  }
+}
+
+export async function setAdminSelfRegistrationEnabled(enabled: boolean): Promise<void> {
+  await db.systemSetting.upsert({
+    where: { key: ADMIN_SELF_REGISTRATION_KEY },
+    create: {
+      key: ADMIN_SELF_REGISTRATION_KEY,
+      value: enabled ? "true" : "false",
+    },
+    update: {
+      value: enabled ? "true" : "false",
+    },
+  })
+}
+
+export async function getPublicHeaderBanner(): Promise<PublicHeaderBanner | null> {
+  try {
+    const setting = await db.systemSetting.findUnique({
+      where: { key: PUBLIC_HEADER_BANNER_KEY },
+      select: { value: true },
+    })
+
+    if (!setting) {
+      return null
+    }
+
+    const parsed = parsePublicHeaderBanner(setting.value)
+
+    if (!parsed || !parsed.enabled) {
+      return null
+    }
+
+    return {
+      message: parsed.message,
+      ctaLabel: parsed.ctaLabel,
+      ctaHref: parsed.ctaHref,
+    }
+  } catch {
+    return null
+  }
+}

packages/i18n/package.json

@@ -0,0 +1,19 @@
+{
+  "name": "@cms/i18n",
+  "version": "0.0.1",
+  "private": true,
+  "type": "module",
+  "exports": {
+    ".": "./src/index.ts"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "lint": "biome check src",
+    "typecheck": "tsc -p tsconfig.json --noEmit"
+  },
+  "devDependencies": {
+    "@cms/config": "workspace:*",
+    "@biomejs/biome": "2.3.14",
+    "typescript": "5.9.3"
+  }
+}

packages/i18n/src/index.ts

@@ -0,0 +1,16 @@
+export const locales = ["de", "en", "es", "fr"] as const
+
+export type AppLocale = (typeof locales)[number]
+
+export const defaultLocale: AppLocale = "en"
+
+export const localeLabels: Record<AppLocale, string> = {
+  de: "Deutsch",
+  en: "English",
+  es: "Español",
+  fr: "Français",
+}
+
+export function isAppLocale(value: string): value is AppLocale {
+  return locales.includes(value as AppLocale)
+}

packages/i18n/tsconfig.json

@@ -0,0 +1,8 @@
+{
+  "extends": "@cms/config/tsconfig/base",
+  "compilerOptions": {
+    "noEmit": false,
+    "outDir": "dist"
+  },
+  "include": ["src/**/*.ts"]
+}

packages/ui/src/components/button.tsx

@@ -8,7 +8,7 @@ const buttonVariants = cva(
   {
     variants: {
       variant: {
-        default: "bg-neutral-900 text-neutral-50 hover:bg-neutral-800",
+        default: "bg-neutral-900 text-white hover:bg-neutral-800",
         secondary: "bg-neutral-100 text-neutral-900 hover:bg-neutral-200",
         ghost: "hover:bg-neutral-100 hover:text-neutral-900",
       },