feat(admin): add IA shell and protected section skeleton routes

test(crud): finalize MVP1 gate CRUD contract coverage
merge: todo/mvp0-admin-i18n-baseline into dev
2026-02-10 21:34:26 +01:00 · 2026-02-10 21:26:49 +01:00 · 2026-02-10 21:21:35 +01:00 · 2026-02-10 21:21:32 +01:00 · 2026-02-10 21:21:28 +01:00 · 2026-02-10 21:21:25 +01:00
48 changed files with 2037 additions and 237 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -0,0 +1,70 @@
 name: CMS CI
 on:
  pull_request:
  push:
    branches:
      - dev
      - staging
      - main
  workflow_dispatch:
 env:
  BUN_VERSION: "1.3.5"
  NODE_ENV: "test"
  DATABASE_URL: "postgresql://postgres:postgres@postgres:5432/cms?schema=public"
  BETTER_AUTH_SECRET: "ci-test-secret-change-me"
  BETTER_AUTH_URL: "http://localhost:3001"
  CMS_ADMIN_ORIGIN: "http://127.0.0.1:3001"
  CMS_WEB_ORIGIN: "http://127.0.0.1:3000"
  CMS_ADMIN_SELF_REGISTRATION_ENABLED: "false"
  CMS_SUPPORT_USERNAME: "support"
  CMS_SUPPORT_EMAIL: "support@cms.local"
  CMS_SUPPORT_PASSWORD: "support-ci-password"
  CMS_SUPPORT_NAME: "Technical Support"
  CMS_SUPPORT_LOGIN_KEY: "support-access"
 jobs:
  quality:
    name: Lint Typecheck Unit E2E
    runs-on: ubuntu-latest
    services:
      postgres:
        image: postgres:16-alpine
        env:
          POSTGRES_DB: cms
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
        ports:
          - 5432:5432
        options: >-
          --health-cmd "pg_isready -U postgres -d cms"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: ${{ env.BUN_VERSION }}
      - name: Install dependencies
        run: bun install --frozen-lockfile
      - name: Install Playwright browser deps
        run: bunx playwright install --with-deps chromium
      - name: Lint and format checks
        run: bun run check
      - name: Typecheck
        run: bun run typecheck
      - name: Unit and integration tests
        run: bun run test
      - name: E2E tests
        run: bun run test:e2e
--- a/README.md
+++ b/README.md
@@ -69,6 +69,7 @@ bun run dev
 - `bun run test`
 - `bun run test:watch`
 - `bun run test:coverage`
 - `bun run test:e2e:prepare`
 - `bun run test:e2e`
 - `bun run lint`
 - `bun run typecheck`
@@ -85,6 +86,7 @@ bun run dev
 - Unit/integration/component: Vitest + Testing Library + MSW
 - E2E: Playwright (separate projects for `web` and `admin`)
 - Use `bun run test` and `bun run test:e2e` (not plain `bun test`, which uses Bun's runner)
 - E2E data prep (migrations + seed): `bun run test:e2e:prepare`
 One-time Playwright browser install:
@@ -97,6 +99,7 @@ bunx playwright install
 The repo includes a theoretical CI/CD and deployment baseline:
 - Gitea workflow: `.gitea/workflows/ci-cd-theoretical.yml`
 - Real quality gate workflow: `.gitea/workflows/ci.yml`
 - App images:
  - `apps/web/Dockerfile`
  - `apps/admin/Dockerfile`
--- a/TODO.md
+++ b/TODO.md
@@ -21,31 +21,31 @@ This file is the single source of truth for roadmap and delivery progress.
 - [x] [P1] RBAC domain model finalized (roles, permissions, resource scopes)
 - [x] [P1] RBAC enforcement at route and action level in admin
 - [x] [P1] Permission matrix documented and tested
- [~] [P1] i18n baseline architecture (default locale, supported locales, routing strategy)
+- [x] [P1] i18n baseline architecture (default locale, supported locales, routing strategy)
- [~] [P1] i18n runtime integration baseline for both apps (locale provider + message loading)
+- [x] [P1] i18n runtime integration baseline for both apps (locale provider + message loading)
- [~] [P1] Locale persistence and switcher base component (cookie/header + UI)
+- [x] [P1] Locale persistence and switcher base component (cookie/header + UI)
 - [x] [P1] Integrate Better Auth core configuration and session wiring
 - [x] [P1] Bootstrap first-run owner account creation via initial registration flow
 - [x] [P1] Enforce invariant: exactly one owner user must always exist
 - [x] [P1] Create hidden technical support user by default (non-demotable, non-deletable)
- [~] [P1] Admin registration policy control (allow/deny self-registration for admin panel)
+- [x] [P1] Admin registration policy control (allow/deny self-registration for admin panel)
 - [x] [P1] First-start onboarding route for initial owner creation (`/welcome`)
 - [x] [P1] Split auth entry points (`/welcome`, `/login`, `/register`) with cross-links
- [~] [P2] Support fallback sign-in route (`/support/:key`) as break-glass access
+- [x] [P2] Support fallback sign-in route (`/support/:key`) as break-glass access
- [~] [P1] Reusable CRUD base patterns (list/detail/editor/service/repository)
+- [x] [P1] Reusable CRUD base patterns (list/detail/editor/service/repository)
- [~] [P1] Shared CRUD validation strategy (Zod + server-side enforcement)
+- [x] [P1] Shared CRUD validation strategy (Zod + server-side enforcement)
- [~] [P1] Shared error and audit hooks for CRUD mutations
+- [x] [P1] Shared error and audit hooks for CRUD mutations
 ### Admin App
 - [x] [P1] Separate Next.js admin app in monorepo
 - [x] [P1] App Router + TypeScript + `src/` structure
 - [x] [P1] Shared DB access via `@cms/db`
- [~] [P2] Base admin dashboard shell and roadmap page (`/todo`)
+- [x] [P2] Base admin dashboard shell and roadmap page (`/todo`)
 - [x] [P1] Authentication and session model (`admin`, `editor`, `manager`)
 - [x] [P1] Protected admin routes and session handling
- [~] [P1] Temporary admin posts CRUD sandbox for baseline functional validation
+- [x] [P1] Temporary admin posts CRUD sandbox for baseline functional validation
- [ ] [P1] Core admin IA (pages/media/users/commissions/settings)
+- [x] [P1] Core admin IA (pages/media/users/commissions/settings)
 ### Public App
@@ -61,11 +61,11 @@ This file is the single source of truth for roadmap and delivery progress.
 - [x] [P1] Vitest + Testing Library + MSW baseline
 - [x] [P1] Playwright baseline with web/admin projects
- [ ] [P1] CI workflow for lint/typecheck/unit/e2e gates
+- [x] [P1] CI workflow for lint/typecheck/unit/e2e gates
- [ ] [P1] Test data strategy (seed fixtures + isolated e2e data)
+- [x] [P1] Test data strategy (seed fixtures + isolated e2e data)
 - [~] [P1] RBAC policy unit tests and permission regression suite
 - [ ] [P1] i18n unit tests (locale resolution, fallback, message key loading)
- [ ] [P1] i18n integration tests (admin/public locale switch and persistence)
+- [x] [P1] i18n integration tests (admin/public locale switch and persistence)
 - [ ] [P1] i18n e2e smoke tests (localized headings/content per route)
 - [ ] [P1] CRUD contract tests for shared service patterns
@@ -160,6 +160,8 @@ This file is the single source of truth for roadmap and delivery progress.
 - [ ] [P1] Forgot password/reset password pipeline and support tooling
 - [ ] [P2] GUI page to edit role-permission mappings with safety guardrails
 - [ ] [P2] Translation management UI for admin (language toggles, key coverage, missing translation markers)
 - [ ] [P2] Time-boxed support access keys generated by privileged admins; while active, disable direct support-user password login on the regular auth form
 - [ ] [P2] Keep permanent emergency support key fallback via env (`CMS_SUPPORT_LOGIN_KEY`)
 - [ ] [P2] Error boundaries and UX fallback states
 ### Public App
@@ -193,10 +195,15 @@ This file is the single source of truth for roadmap and delivery progress.
 - [2026-02-10] Next.js 16 deprecates `middleware.ts` convention in favor of `proxy.ts`; admin route guard now lives at `apps/admin/src/proxy.ts`.
 - [2026-02-10] `server-only` imports break Bun CLI scripts; shared auth bootstrap code used by scripts must avoid Next-only runtime markers.
 - [2026-02-10] Auth delete-account endpoints now block protected users (support + canonical owner); admin user-management delete/demote guards remain to be implemented.
- [2026-02-10] Public app i18n baseline now uses `next-intl` with a Zustand-backed language switcher and path-stable routes; admin i18n runtime is still pending.
+- [2026-02-10] Public app i18n baseline now uses `next-intl` with a Zustand-backed language switcher and path-stable routes.
 - [2026-02-10] Public baseline locales are now `de`, `en`, `es`, `fr`; locale enable/disable policy will move to admin settings later.
 - [2026-02-10] Shared CRUD base (`@cms/crud`) is live with validation, not-found errors, and audit hook contracts; only posts are migrated so far.
 - [2026-02-10] Admin dashboard includes a temporary posts CRUD sandbox (create/update/delete) to validate the shared CRUD base through the real app UI.
 - [2026-02-10] Admin i18n baseline now resolves locale from cookie and loads runtime message dictionaries in root layout; admin locale switcher is active on auth and dashboard views.
 - [2026-02-10] Admin self-registration policy is now managed via `/settings` and persisted in `system_setting`; env var is fallback/default only.
 - [2026-02-10] E2E now runs with deterministic preparation (`test:e2e:prepare`: generate + migrate deploy + seed) before Playwright execution.
 - [2026-02-10] CI quality workflow `.gitea/workflows/ci.yml` enforces `check`, `typecheck`, `test`, and `test:e2e` against a PostgreSQL service.
 - [2026-02-10] Admin app now uses a shared shell with permission-aware navigation and dedicated IA routes (`/pages`, `/media`, `/users`, `/commissions`).
 ## How We Use This File
--- a/apps/admin/package.json
+++ b/apps/admin/package.json
@@ -14,6 +14,7 @@
  "dependencies": {
    "@cms/content": "workspace:*",
    "@cms/db": "workspace:*",
    "@cms/i18n": "workspace:*",
    "@cms/ui": "workspace:*",
    "@tanstack/react-form": "1.28.0",
    "@tanstack/react-query": "5.90.20",
--- a/apps/admin/src/app/commissions/page.tsx
+++ b/apps/admin/src/app/commissions/page.tsx
@@ -0,0 +1,34 @@
 import { AdminSectionPlaceholder } from "@/components/admin-section-placeholder"
 import { AdminShell } from "@/components/admin-shell"
 import { requirePermissionForRoute } from "@/lib/route-guards"
 export const dynamic = "force-dynamic"
 export default async function CommissionsManagementPage() {
  const role = await requirePermissionForRoute({
    nextPath: "/commissions",
    permission: "commissions:read",
    scope: "own",
  })
  return (
    <AdminShell
      role={role}
      activePath="/commissions"
      badge="Admin App"
      title="Commissions"
      description="Prepare commissions intake and kanban workflow tooling."
    >
      <AdminSectionPlaceholder
        feature="Commissions Workflow"
        summary="This route is reserved for request intake, ownership assignment, and kanban transitions."
        requiredPermission="commissions:read (own)"
        nextSteps={[
          "Add commissions board with status columns.",
          "Add assignment, due-date, and notes editing.",
          "Add transition rules and audit history.",
        ]}
      />
    </AdminShell>
  )
 }
--- a/apps/admin/src/app/layout.tsx
+++ b/apps/admin/src/app/layout.tsx
@@ -1,6 +1,7 @@
 import type { Metadata } from "next"
 import type { ReactNode } from "react"
 import { getAdminMessages, resolveAdminLocale } from "@/i18n/server"
 import "./globals.css"
 import { Providers } from "./providers"
@@ -9,11 +10,16 @@ export const metadata: Metadata = {
  description: "Admin dashboard for the CMS monorepo",
 }
-export default function RootLayout({ children }: { children: ReactNode }) {
+export default async function RootLayout({ children }: { children: ReactNode }) {
  const locale = await resolveAdminLocale()
  const messages = await getAdminMessages(locale)
  return (
-    <html lang="en">
+    <html lang={locale}>
      <body>
-        <Providers>{children}</Providers>
+        <Providers locale={locale} messages={messages}>
          {children}
        </Providers>
      </body>
    </html>
  )
--- a/apps/admin/src/app/login/login-form.tsx
+++ b/apps/admin/src/app/login/login-form.tsx
@@ -4,8 +4,11 @@ import Link from "next/link"
 import { useRouter, useSearchParams } from "next/navigation"
 import { type FormEvent, useMemo, useState } from "react"
 import { AdminLocaleSwitcher } from "@/components/admin-locale-switcher"
 import { useAdminT } from "@/providers/admin-i18n-provider"
 type LoginFormProps = {
-  mode: "signin" | "signup-owner" | "signup-user"
+  mode: "signin" | "signup-owner" | "signup-user" | "signup-disabled"
 }
 type AuthResponse = {
@@ -27,6 +30,7 @@ function persistRoleCookie(role: unknown) {
 export function LoginForm({ mode }: LoginFormProps) {
  const router = useRouter()
  const searchParams = useSearchParams()
  const t = useAdminT()
  const nextPath = useMemo(() => searchParams.get("next") || "/", [searchParams])
@@ -37,6 +41,7 @@ export function LoginForm({ mode }: LoginFormProps) {
  const [isBusy, setIsBusy] = useState(false)
  const [error, setError] = useState<string | null>(null)
  const [success, setSuccess] = useState<string | null>(null)
  const canSubmitSignUp = mode === "signup-owner" || mode === "signup-user"
  async function handleSignIn(event: FormEvent<HTMLFormElement>) {
    event.preventDefault()
@@ -60,7 +65,7 @@ export function LoginForm({ mode }: LoginFormProps) {
      const payload = (await response.json().catch(() => null)) as AuthResponse | null
      if (!response.ok) {
-        setError(payload?.message ?? "Sign in failed")
+        setError(payload?.message ?? t("auth.errors.signInFailed", "Sign in failed"))
        return
      }
@@ -68,7 +73,7 @@ export function LoginForm({ mode }: LoginFormProps) {
      router.push(nextPath)
      router.refresh()
    } catch {
-      setError("Network error while signing in")
+      setError(t("auth.errors.networkSignIn", "Network error while signing in"))
    } finally {
      setIsBusy(false)
    }
@@ -78,7 +83,7 @@ export function LoginForm({ mode }: LoginFormProps) {
    event.preventDefault()
    if (!name.trim()) {
-      setError("Name is required for account creation")
+      setError(t("auth.errors.nameRequired", "Name is required for account creation"))
      return
    }
@@ -104,20 +109,20 @@ export function LoginForm({ mode }: LoginFormProps) {
      const payload = (await response.json().catch(() => null)) as AuthResponse | null
      if (!response.ok) {
-        setError(payload?.message ?? "Sign up failed")
+        setError(payload?.message ?? t("auth.errors.signUpFailed", "Sign up failed"))
        return
      }
      persistRoleCookie(payload?.user?.role)
      setSuccess(
        mode === "signup-owner"
-          ? "Owner account created. Registration is now disabled."
+          ? t("auth.messages.ownerCreated", "Owner account created. Registration is now disabled.")
-          : "Account created.",
+          : t("auth.messages.accountCreated", "Account created."),
      )
      router.push(nextPath)
      router.refresh()
    } catch {
-      setError("Network error while signing up")
+      setError(t("auth.errors.networkSignUp", "Network error while signing up"))
    } finally {
      setIsBusy(false)
    }
@@ -126,23 +131,34 @@ export function LoginForm({ mode }: LoginFormProps) {
  return (
    <main className="mx-auto flex min-h-screen w-full max-w-md flex-col justify-center px-6 py-16">
      <div className="space-y-3">
-        <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">Admin Auth</p>
+        <div className="flex items-center justify-between gap-3">
          <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">
            {t("auth.badge", "Admin Auth")}
          </p>
          <AdminLocaleSwitcher />
        </div>
        <h1 className="text-3xl font-semibold tracking-tight">
          {mode === "signin"
-            ? "Sign in to CMS Admin"
+            ? t("auth.titles.signIn", "Sign in to CMS Admin")
            : mode === "signup-owner"
-              ? "Welcome to CMS Admin"
+              ? t("auth.titles.signUpOwner", "Welcome to CMS Admin")
-              : "Create an admin account"}
+              : mode === "signup-user"
                ? t("auth.titles.signUpUser", "Create an admin account")
                : t("auth.titles.signUpDisabled", "Registration is disabled")}
        </h1>
        <p className="text-sm text-neutral-600">
-          {mode === "signin" ? (
+          {mode === "signin"
-            <>
+            ? t("auth.descriptions.signIn", "Better Auth is active on this app via /api/auth.")
-              Better Auth is active on this app via <code>/api/auth</code>.
+            : mode === "signup-owner"
-            </>
+              ? t(
-          ) : mode === "signup-owner" ? (
+                  "auth.descriptions.signUpOwner",
-            "Create the first owner account to initialize this admin instance."
+                  "Create the first owner account to initialize this admin instance.",
-          ) : (
+                )
-            "Self-registration is enabled for admin users."
+              : mode === "signup-user"
                ? t("auth.descriptions.signUpUser", "Self-registration is enabled for admin users.")
                : t(
                    "auth.descriptions.signUpDisabled",
                    "Self-registration is currently turned off by an administrator.",
                  )}
        </p>
      </div>
@@ -154,7 +170,7 @@ export function LoginForm({ mode }: LoginFormProps) {
        >
          <div className="space-y-1">
            <label className="text-sm font-medium" htmlFor="email">
-              Email or username
+              {t("auth.fields.emailOrUsername", "Email or username")}
            </label>
            <input
              id="email"
@@ -168,84 +184,7 @@ export function LoginForm({ mode }: LoginFormProps) {
          <div className="space-y-1">
            <label className="text-sm font-medium" htmlFor="password">
-              Password
+              {t("auth.fields.password", "Password")}
            </label>
            <input
              id="password"
              type="password"
              minLength={8}
              required
              value={password}
              onChange={(event) => setPassword(event.target.value)}
              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
            />
          </div>
          <button
            type="submit"
            disabled={isBusy}
            className="w-full rounded-md bg-neutral-900 px-4 py-2 text-sm font-medium text-white disabled:opacity-60"
          >
            {isBusy ? "Signing in..." : "Sign in"}
          </button>
          <p className="text-xs text-neutral-600">
            Need an account?{" "}
            <Link href={`/register?next=${encodeURIComponent(nextPath)}`} className="underline">
              Register
            </Link>
          </p>
          {error ? <p className="text-sm text-red-600">{error}</p> : null}
        </form>
      ) : (
        <form
          onSubmit={handleSignUp}
          className="mt-8 space-y-4 rounded-xl border border-neutral-200 p-6"
        >
          <div className="space-y-1">
            <label className="text-sm font-medium" htmlFor="name">
              Name
            </label>
            <input
              id="name"
              type="text"
              value={name}
              onChange={(event) => setName(event.target.value)}
              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
            />
          </div>
          <div className="space-y-1">
            <label className="text-sm font-medium" htmlFor="email">
              Email
            </label>
            <input
              id="email"
              type="email"
              required
              value={email}
              onChange={(event) => setEmail(event.target.value)}
              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
            />
          </div>
          <div className="space-y-1">
            <label className="text-sm font-medium" htmlFor="username">
              Username (optional)
            </label>
            <input
              id="username"
              type="text"
              value={username}
              onChange={(event) => setUsername(event.target.value)}
              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
            />
          </div>
          <div className="space-y-1">
            <label className="text-sm font-medium" htmlFor="password">
              Password
            </label>
            <input
              id="password"
@@ -264,22 +203,115 @@ export function LoginForm({ mode }: LoginFormProps) {
            className="w-full rounded-md bg-neutral-900 px-4 py-2 text-sm font-medium text-white disabled:opacity-60"
          >
            {isBusy
-              ? "Creating account..."
+              ? t("auth.actions.signInBusy", "Signing in...")
-              : mode === "signup-owner"
+              : t("auth.actions.signInIdle", "Sign in")}
                ? "Create owner account"
                : "Create account"}
          </button>
          <p className="text-xs text-neutral-600">
-            Already have an account?{" "}
+            {t("auth.links.needAccount", "Need an account?")}{" "}
            <Link href={`/register?next=${encodeURIComponent(nextPath)}`} className="underline">
              {t("auth.links.register", "Register")}
            </Link>
          </p>
          {error ? <p className="text-sm text-red-600">{error}</p> : null}
        </form>
      ) : canSubmitSignUp ? (
        <form
          onSubmit={handleSignUp}
          className="mt-8 space-y-4 rounded-xl border border-neutral-200 p-6"
        >
          <div className="space-y-1">
            <label className="text-sm font-medium" htmlFor="name">
              {t("auth.fields.name", "Name")}
            </label>
            <input
              id="name"
              type="text"
              value={name}
              onChange={(event) => setName(event.target.value)}
              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
            />
          </div>
          <div className="space-y-1">
            <label className="text-sm font-medium" htmlFor="email">
              {t("auth.fields.email", "Email")}
            </label>
            <input
              id="email"
              type="email"
              required
              value={email}
              onChange={(event) => setEmail(event.target.value)}
              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
            />
          </div>
          <div className="space-y-1">
            <label className="text-sm font-medium" htmlFor="username">
              {t("auth.fields.username", "Username (optional)")}
            </label>
            <input
              id="username"
              type="text"
              value={username}
              onChange={(event) => setUsername(event.target.value)}
              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
            />
          </div>
          <div className="space-y-1">
            <label className="text-sm font-medium" htmlFor="password">
              {t("auth.fields.password", "Password")}
            </label>
            <input
              id="password"
              type="password"
              minLength={8}
              required
              value={password}
              onChange={(event) => setPassword(event.target.value)}
              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
            />
          </div>
          <button
            type="submit"
            disabled={isBusy}
            className="w-full rounded-md bg-neutral-900 px-4 py-2 text-sm font-medium text-white disabled:opacity-60"
          >
            {isBusy
              ? t("auth.actions.signUpBusy", "Creating account...")
              : mode === "signup-owner"
                ? t("auth.actions.signUpOwnerIdle", "Create owner account")
                : t("auth.actions.signUpUserIdle", "Create account")}
          </button>
          <p className="text-xs text-neutral-600">
            {t("auth.links.alreadyHaveAccount", "Already have an account?")}{" "}
            <Link href={`/login?next=${encodeURIComponent(nextPath)}`} className="underline">
-              Go to sign in
+              {t("auth.links.goToSignIn", "Go to sign in")}
            </Link>
          </p>
          {error ? <p className="text-sm text-red-600">{error}</p> : null}
          {success ? <p className="text-sm text-green-700">{success}</p> : null}
        </form>
      ) : (
        <section className="mt-8 space-y-4 rounded-xl border border-neutral-200 p-6">
          <p className="text-sm text-neutral-700">
            {t(
              "auth.messages.registrationDisabled",
              "Registration is disabled for this admin instance. Ask an administrator to create an account or enable self-registration.",
            )}
          </p>
          <p className="text-xs text-neutral-600">
            <Link href={`/login?next=${encodeURIComponent(nextPath)}`} className="underline">
              {t("auth.links.goToSignIn", "Go to sign in")}
            </Link>
          </p>
        </section>
      )}
    </main>
  )
--- a/apps/admin/src/app/media/page.tsx
+++ b/apps/admin/src/app/media/page.tsx
@@ -0,0 +1,34 @@
 import { AdminSectionPlaceholder } from "@/components/admin-section-placeholder"
 import { AdminShell } from "@/components/admin-shell"
 import { requirePermissionForRoute } from "@/lib/route-guards"
 export const dynamic = "force-dynamic"
 export default async function MediaManagementPage() {
  const role = await requirePermissionForRoute({
    nextPath: "/media",
    permission: "media:read",
    scope: "team",
  })
  return (
    <AdminShell
      role={role}
      activePath="/media"
      badge="Admin App"
      title="Media"
      description="Prepare media library and enrichment workflows."
    >
      <AdminSectionPlaceholder
        feature="Media Library"
        summary="This route is ready for media browsing, upload, and metadata refinement features."
        requiredPermission="media:read (team)"
        nextSteps={[
          "Add media upload and asset listing.",
          "Add enrichment fields (alt text, source, tags).",
          "Add artwork-specific refinement fields.",
        ]}
      />
    </AdminShell>
  )
 }
--- a/apps/admin/src/app/page.tsx
+++ b/apps/admin/src/app/page.tsx
@@ -5,8 +5,10 @@ import { revalidatePath } from "next/cache"
 import Link from "next/link"
 import { redirect } from "next/navigation"
-import { resolveRoleFromServerContext } from "@/lib/access-server"
+import { AdminShell } from "@/components/admin-shell"
-import { LogoutButton } from "./logout-button"
+import { translateMessage } from "@/i18n/messages"
 import { getAdminMessages, resolveAdminLocale } from "@/i18n/server"
 import { requirePermissionForRoute } from "@/lib/route-guards"
 export const dynamic = "force-dynamic"
@@ -36,11 +38,11 @@ function readOptionalField(formData: FormData, field: string): string | undefine
 }
 async function requireNewsWritePermission() {
-  const role = await resolveRoleFromServerContext()
+  await requirePermissionForRoute({
-
+    nextPath: "/",
-  if (!role || !hasPermission(role, "news:write", "team")) {
+    permission: "news:write",
-    redirect("/unauthorized?required=news:write&scope=team")
+    scope: "team",
-  }
+  })
 }
 function redirectWithState(params: { notice?: string; error?: string }) {
@@ -58,10 +60,18 @@ function redirectWithState(params: { notice?: string; error?: string }) {
  redirect(value ? `/?${value}` : "/")
 }
 async function getDashboardTranslator() {
  const locale = await resolveAdminLocale()
  const messages = await getAdminMessages(locale)
  return (key: string, fallback: string) => translateMessage(messages, key, fallback)
 }
 async function createPostAction(formData: FormData) {
  "use server"
  await requireNewsWritePermission()
  const t = await getDashboardTranslator()
  const status = readRequiredField(formData, "status")
@@ -74,23 +84,28 @@ async function createPostAction(formData: FormData) {
      status: status === "published" ? "published" : "draft",
    })
  } catch {
-    redirectWithState({ error: "Create failed. Please check your input." })
+    redirectWithState({
      error: t("dashboard.posts.errors.createFailed", "Create failed. Please check your input."),
    })
  }
  revalidatePath("/")
-  redirectWithState({ notice: "Post created." })
+  redirectWithState({ notice: t("dashboard.posts.success.created", "Post created.") })
 }
 async function updatePostAction(formData: FormData) {
  "use server"
  await requireNewsWritePermission()
  const t = await getDashboardTranslator()
  const id = readRequiredField(formData, "id")
  const status = readRequiredField(formData, "status")
  if (!id) {
-    redirectWithState({ error: "Update failed. Missing post id." })
+    redirectWithState({
      error: t("dashboard.posts.errors.updateMissingId", "Update failed. Missing post id."),
    })
  }
  try {
@@ -102,32 +117,37 @@ async function updatePostAction(formData: FormData) {
      status: status === "published" ? "published" : "draft",
    })
  } catch {
-    redirectWithState({ error: "Update failed. Please check your input." })
+    redirectWithState({
      error: t("dashboard.posts.errors.updateFailed", "Update failed. Please check your input."),
    })
  }
  revalidatePath("/")
-  redirectWithState({ notice: "Post updated." })
+  redirectWithState({ notice: t("dashboard.posts.success.updated", "Post updated.") })
 }
 async function deletePostAction(formData: FormData) {
  "use server"
  await requireNewsWritePermission()
  const t = await getDashboardTranslator()
  const id = readRequiredField(formData, "id")
  if (!id) {
-    redirectWithState({ error: "Delete failed. Missing post id." })
+    redirectWithState({
      error: t("dashboard.posts.errors.deleteMissingId", "Delete failed. Missing post id."),
    })
  }
  try {
    await deletePost(id)
  } catch {
-    redirectWithState({ error: "Delete failed." })
+    redirectWithState({ error: t("dashboard.posts.errors.deleteFailed", "Delete failed.") })
  }
  revalidatePath("/")
-  redirectWithState({ notice: "Post deleted." })
+  redirectWithState({ notice: t("dashboard.posts.success.deleted", "Post deleted.") })
 }
 export default async function AdminHomePage({
@@ -135,39 +155,48 @@ export default async function AdminHomePage({
 }: {
  searchParams: Promise<SearchParamsInput>
 }) {
-  const role = await resolveRoleFromServerContext()
+  const role = await requirePermissionForRoute({
    nextPath: "/",
    permission: "news:read",
    scope: "team",
  })
-  if (!role) {
+  const [resolvedSearchParams, locale, posts] = await Promise.all([
-    redirect("/login?next=/")
+    searchParams,
-  }
+    resolveAdminLocale(),
    listPosts(),
  ])
  const messages = await getAdminMessages(locale)
  const t = (key: string, fallback: string) => translateMessage(messages, key, fallback)
  if (!hasPermission(role, "news:read", "team")) {
    redirect("/unauthorized?required=news:read&scope=team")
  }
  const resolvedSearchParams = await searchParams
  const notice = readFirstValue(resolvedSearchParams.notice)
  const error = readFirstValue(resolvedSearchParams.error)
  const canCreatePost = hasPermission(role, "news:write", "team")
  const posts = await listPosts()
  return (
-    <main className="mx-auto flex min-h-screen w-full max-w-4xl flex-col gap-8 px-6 py-16">
+    <AdminShell
-      <header className="space-y-3">
+      role={role}
-        <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">Admin App</p>
+      activePath="/"
-        <h1 className="text-4xl font-semibold tracking-tight">Content Dashboard</h1>
+      badge={t("dashboard.badge", "Admin App")}
-        <p className="text-neutral-600">Manage posts from a dedicated admin surface.</p>
+      title={t("dashboard.title", "Content Dashboard")}
-        <div className="flex items-center gap-3 pt-2">
+      description={t("dashboard.description", "Manage posts from a dedicated admin surface.")}
      actions={
        <>
          <Link
            href="/todo"
            className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
          >
-            Open roadmap and progress
+            {t("dashboard.actions.openRoadmap", "Open roadmap and progress")}
          </Link>
-          <LogoutButton />
+          <Link
-        </div>
+            href="/settings"
-      </header>
+            className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
-
+          >
            {t("settings.title", "Settings")}
          </Link>
        </>
      }
    >
      {notice ? (
        <section className="rounded-xl border border-emerald-300 bg-emerald-50 px-4 py-3 text-sm text-emerald-800">
          {notice}
@@ -183,8 +212,12 @@ export default async function AdminHomePage({
      <section className="rounded-xl border border-neutral-200 p-6">
        <div className="space-y-4">
          <div className="flex items-center justify-between">
-            <h2 className="text-xl font-medium">Posts CRUD Sandbox</h2>
+            <h2 className="text-xl font-medium">
-            <p className="text-xs uppercase tracking-wide text-neutral-500">MVP0 functional test</p>
+              {t("dashboard.posts.title", "Posts CRUD Sandbox")}
            </h2>
            <p className="text-xs uppercase tracking-wide text-neutral-500">
              {t("dashboard.notices.crudSandboxTag", "MVP0 functional test")}
            </p>
          </div>
          {canCreatePost ? (
@@ -192,10 +225,14 @@ export default async function AdminHomePage({
              action={createPostAction}
              className="space-y-3 rounded-lg border border-neutral-200 p-4"
            >
-              <h3 className="text-sm font-semibold">Create post</h3>
+              <h3 className="text-sm font-semibold">
                {t("dashboard.posts.createTitle", "Create post")}
              </h3>
              <div className="grid gap-3 md:grid-cols-2">
                <label className="space-y-1">
-                  <span className="text-xs text-neutral-600">Title</span>
+                  <span className="text-xs text-neutral-600">
                    {t("dashboard.posts.fields.title", "Title")}
                  </span>
                  <input
                    name="title"
                    required
@@ -204,7 +241,9 @@ export default async function AdminHomePage({
                  />
                </label>
                <label className="space-y-1">
-                  <span className="text-xs text-neutral-600">Slug</span>
+                  <span className="text-xs text-neutral-600">
                    {t("dashboard.posts.fields.slug", "Slug")}
                  </span>
                  <input
                    name="slug"
                    required
@@ -214,14 +253,18 @@ export default async function AdminHomePage({
                </label>
              </div>
              <label className="space-y-1">
-                <span className="text-xs text-neutral-600">Excerpt</span>
+                <span className="text-xs text-neutral-600">
                  {t("dashboard.posts.fields.excerpt", "Excerpt")}
                </span>
                <input
                  name="excerpt"
                  className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                />
              </label>
              <label className="space-y-1">
-                <span className="text-xs text-neutral-600">Body</span>
+                <span className="text-xs text-neutral-600">
                  {t("dashboard.posts.fields.body", "Body")}
                </span>
                <textarea
                  name="body"
                  required
@@ -231,21 +274,28 @@ export default async function AdminHomePage({
                />
              </label>
              <label className="space-y-1">
-                <span className="text-xs text-neutral-600">Status</span>
+                <span className="text-xs text-neutral-600">
                  {t("dashboard.posts.fields.status", "Status")}
                </span>
                <select
                  name="status"
                  defaultValue="draft"
                  className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                >
-                  <option value="draft">Draft</option>
+                  <option value="draft">{t("dashboard.posts.status.draft", "Draft")}</option>
-                  <option value="published">Published</option>
+                  <option value="published">
                    {t("dashboard.posts.status.published", "Published")}
                  </option>
                </select>
              </label>
-              <Button type="submit">Create post</Button>
+              <Button type="submit">{t("dashboard.posts.actions.create", "Create post")}</Button>
            </form>
          ) : (
            <div className="rounded-lg border border-amber-300 bg-amber-50 px-4 py-3 text-sm text-amber-800">
-              You can read posts, but your role cannot create/update/delete posts.
+              {t(
                "dashboard.notices.noCrudPermission",
                "You can read posts, but your role cannot create/update/delete posts.",
              )}
            </div>
          )}
        </div>
@@ -259,7 +309,9 @@ export default async function AdminHomePage({
                    <input type="hidden" name="id" value={post.id} />
                    <div className="grid gap-3 md:grid-cols-2">
                      <label className="space-y-1">
-                        <span className="text-xs text-neutral-600">Title</span>
+                        <span className="text-xs text-neutral-600">
                          {t("dashboard.posts.fields.title", "Title")}
                        </span>
                        <input
                          name="title"
                          required
@@ -269,7 +321,9 @@ export default async function AdminHomePage({
                        />
                      </label>
                      <label className="space-y-1">
-                        <span className="text-xs text-neutral-600">Slug</span>
+                        <span className="text-xs text-neutral-600">
                          {t("dashboard.posts.fields.slug", "Slug")}
                        </span>
                        <input
                          name="slug"
                          required
@@ -280,7 +334,9 @@ export default async function AdminHomePage({
                      </label>
                    </div>
                    <label className="space-y-1">
-                      <span className="text-xs text-neutral-600">Excerpt</span>
+                      <span className="text-xs text-neutral-600">
                        {t("dashboard.posts.fields.excerpt", "Excerpt")}
                      </span>
                      <input
                        name="excerpt"
                        defaultValue={post.excerpt ?? ""}
@@ -288,7 +344,9 @@ export default async function AdminHomePage({
                      />
                    </label>
                    <label className="space-y-1">
-                      <span className="text-xs text-neutral-600">Body</span>
+                      <span className="text-xs text-neutral-600">
                        {t("dashboard.posts.fields.body", "Body")}
                      </span>
                      <textarea
                        name="body"
                        required
@@ -299,22 +357,28 @@ export default async function AdminHomePage({
                      />
                    </label>
                    <label className="space-y-1">
-                      <span className="text-xs text-neutral-600">Status</span>
+                      <span className="text-xs text-neutral-600">
                        {t("dashboard.posts.fields.status", "Status")}
                      </span>
                      <select
                        name="status"
                        defaultValue={post.status}
                        className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                      >
-                        <option value="draft">Draft</option>
+                        <option value="draft">{t("dashboard.posts.status.draft", "Draft")}</option>
-                        <option value="published">Published</option>
+                        <option value="published">
                          {t("dashboard.posts.status.published", "Published")}
                        </option>
                      </select>
                    </label>
-                    <Button type="submit">Save changes</Button>
+                    <Button type="submit">
                      {t("dashboard.posts.actions.save", "Save changes")}
                    </Button>
                  </form>
                  <form action={deletePostAction} className="mt-3">
                    <input type="hidden" name="id" value={post.id} />
                    <Button type="submit" variant="secondary">
-                      Delete
+                      {t("dashboard.posts.actions.delete", "Delete")}
                    </Button>
                  </form>
                </>
@@ -327,13 +391,15 @@ export default async function AdminHomePage({
                    </span>
                  </div>
                  <p className="mt-2 text-sm text-neutral-600">{post.slug}</p>
-                  <p className="mt-2 text-sm text-neutral-600">{post.excerpt ?? "No excerpt"}</p>
+                  <p className="mt-2 text-sm text-neutral-600">
                    {post.excerpt ?? t("dashboard.posts.fallback.noExcerpt", "No excerpt")}
                  </p>
                </>
              )}
            </article>
          ))}
        </div>
      </section>
-    </main>
+    </AdminShell>
  )
 }
--- a/apps/admin/src/app/pages/page.tsx
+++ b/apps/admin/src/app/pages/page.tsx
@@ -0,0 +1,34 @@
 import { AdminSectionPlaceholder } from "@/components/admin-section-placeholder"
 import { AdminShell } from "@/components/admin-shell"
 import { requirePermissionForRoute } from "@/lib/route-guards"
 export const dynamic = "force-dynamic"
 export default async function PagesManagementPage() {
  const role = await requirePermissionForRoute({
    nextPath: "/pages",
    permission: "pages:read",
    scope: "team",
  })
  return (
    <AdminShell
      role={role}
      activePath="/pages"
      badge="Admin App"
      title="Pages"
      description="Manage page entities and publication workflows."
    >
      <AdminSectionPlaceholder
        feature="Page Management"
        summary="This MVP0 scaffold defines information architecture and access boundaries for future page CRUD."
        requiredPermission="pages:read (team)"
        nextSteps={[
          "Add page entity list and search.",
          "Add create/edit draft flows with validation.",
          "Add publish/unpublish scheduling controls.",
        ]}
      />
    </AdminShell>
  )
 }
--- a/apps/admin/src/app/providers.tsx
+++ b/apps/admin/src/app/providers.tsx
@@ -1,9 +1,24 @@
 "use client"
 import type { AppLocale } from "@cms/i18n"
 import type { ReactNode } from "react"
 import type { AdminMessages } from "@/i18n/messages"
 import { AdminI18nProvider } from "@/providers/admin-i18n-provider"
 import { QueryProvider } from "@/providers/query-provider"
-export function Providers({ children }: { children: ReactNode }) {
+export function Providers({
-  return <QueryProvider>{children}</QueryProvider>
+  children,
  locale,
  messages,
 }: {
  children: ReactNode
  locale: AppLocale
  messages: AdminMessages
 }) {
  return (
    <AdminI18nProvider locale={locale} messages={messages}>
      <QueryProvider>{children}</QueryProvider>
    </AdminI18nProvider>
  )
 }
--- a/apps/admin/src/app/register/page.tsx
+++ b/apps/admin/src/app/register/page.tsx
@@ -33,7 +33,7 @@ export default async function RegisterPage({ searchParams }: { searchParams: Sea
  const enabled = await isSelfRegistrationEnabled()
  if (!enabled) {
-    redirect(`/login?next=${encodeURIComponent(nextPath)}`)
+    return <LoginForm mode="signup-disabled" />
  }
  return <LoginForm mode="signup-user" />
--- a/apps/admin/src/app/settings/page.tsx
+++ b/apps/admin/src/app/settings/page.tsx
@@ -0,0 +1,180 @@
 import { isAdminSelfRegistrationEnabled, setAdminSelfRegistrationEnabled } from "@cms/db"
 import { Button } from "@cms/ui/button"
 import { revalidatePath } from "next/cache"
 import Link from "next/link"
 import { redirect } from "next/navigation"
 import { AdminShell } from "@/components/admin-shell"
 import { translateMessage } from "@/i18n/messages"
 import { getAdminMessages, resolveAdminLocale } from "@/i18n/server"
 import { requirePermissionForRoute } from "@/lib/route-guards"
 type SearchParamsInput = Promise<Record<string, string | string[] | undefined>>
 function toSingleValue(input: string | string[] | undefined): string | null {
  if (Array.isArray(input)) {
    return input[0] ?? null
  }
  return input ?? null
 }
 async function requireSettingsPermission() {
  await requirePermissionForRoute({
    nextPath: "/settings",
    permission: "users:manage_roles",
    scope: "global",
  })
 }
 async function getSettingsTranslator() {
  const locale = await resolveAdminLocale()
  const messages = await getAdminMessages(locale)
  return (key: string, fallback: string) => translateMessage(messages, key, fallback)
 }
 async function updateRegistrationPolicyAction(formData: FormData) {
  "use server"
  await requireSettingsPermission()
  const t = await getSettingsTranslator()
  const enabled = formData.get("enabled") === "on"
  try {
    await setAdminSelfRegistrationEnabled(enabled)
  } catch (error) {
    const errorMessage = error instanceof Error ? error.message : ""
    const normalizedMessage = errorMessage.toLowerCase()
    const isDatabaseUnavailable = errorMessage.includes("P1001")
    const isSchemaMissing =
      errorMessage.includes("P2021") ||
      normalizedMessage.includes("system_setting") ||
      normalizedMessage.includes("does not exist")
    const userMessage = isDatabaseUnavailable
      ? t(
          "settings.registration.errors.databaseUnavailable",
          "Saving settings failed. The database is currently unreachable.",
        )
      : isSchemaMissing
        ? t(
            "settings.registration.errors.schemaMissing",
            "Saving settings failed. Apply the latest database migrations and try again.",
          )
        : t(
            "settings.registration.errors.updateFailed",
            "Saving settings failed. Ensure database migrations are applied.",
          )
    redirect(`/settings?error=${encodeURIComponent(userMessage)}`)
  }
  revalidatePath("/settings")
  revalidatePath("/register")
  redirect(
    `/settings?notice=${encodeURIComponent(
      t("settings.registration.success.updated", "Registration policy updated."),
    )}`,
  )
 }
 export default async function SettingsPage({ searchParams }: { searchParams: SearchParamsInput }) {
  const role = await requirePermissionForRoute({
    nextPath: "/settings",
    permission: "users:manage_roles",
    scope: "global",
  })
  const [params, locale, isRegistrationEnabled] = await Promise.all([
    searchParams,
    resolveAdminLocale(),
    isAdminSelfRegistrationEnabled(),
  ])
  const messages = await getAdminMessages(locale)
  const t = (key: string, fallback: string) => translateMessage(messages, key, fallback)
  const notice = toSingleValue(params.notice)
  const error = toSingleValue(params.error)
  return (
    <AdminShell
      role={role}
      activePath="/settings"
      badge={t("settings.badge", "Admin Settings")}
      title={t("settings.title", "Settings")}
      description={t(
        "settings.description",
        "Manage runtime policies for the admin authentication and onboarding flow.",
      )}
      actions={
        <Link
          href="/"
          className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
        >
          {t("settings.actions.backToDashboard", "Back to dashboard")}
        </Link>
      }
    >
      {notice ? (
        <section className="rounded-xl border border-emerald-300 bg-emerald-50 px-4 py-3 text-sm text-emerald-800">
          {notice}
        </section>
      ) : null}
      {error ? (
        <section className="rounded-xl border border-red-300 bg-red-50 px-4 py-3 text-sm text-red-800">
          {error}
        </section>
      ) : null}
      <section className="rounded-xl border border-neutral-200 p-6">
        <div className="space-y-5">
          <div className="space-y-2">
            <h2 className="text-xl font-medium">
              {t("settings.registration.title", "Admin self-registration")}
            </h2>
            <p className="text-sm text-neutral-600">
              {t(
                "settings.registration.description",
                "When enabled, /register can create additional admin accounts after initial owner bootstrap.",
              )}
            </p>
          </div>
          <div className="rounded-lg border border-neutral-200 p-4 text-sm text-neutral-700">
            <p>
              {t("settings.registration.currentStatusLabel", "Current status")}:{" "}
              <strong>
                {isRegistrationEnabled
                  ? t("settings.registration.status.enabled", "Enabled")
                  : t("settings.registration.status.disabled", "Disabled")}
              </strong>
            </p>
          </div>
          <form action={updateRegistrationPolicyAction} className="space-y-4">
            <label className="flex items-center gap-3 text-sm">
              <input
                type="checkbox"
                name="enabled"
                defaultChecked={isRegistrationEnabled}
                className="h-4 w-4 rounded border-neutral-300"
              />
              <span>
                {t(
                  "settings.registration.checkboxLabel",
                  "Allow self-registration on /register for admin users",
                )}
              </span>
            </label>
            <Button type="submit">
              {t("settings.registration.actions.save", "Save registration policy")}
            </Button>
          </form>
        </div>
      </section>
    </AdminShell>
  )
 }
--- a/apps/admin/src/app/todo/page.tsx
+++ b/apps/admin/src/app/todo/page.tsx
@@ -1,10 +1,9 @@
 import { readFile } from "node:fs/promises"
 import path from "node:path"
 import { hasPermission } from "@cms/content/rbac"
 import Link from "next/link"
 import { redirect } from "next/navigation"
-import { resolveRoleFromServerContext } from "@/lib/access-server"
+import { AdminShell } from "@/components/admin-shell"
 import { requirePermissionForRoute } from "@/lib/route-guards"
 export const dynamic = "force-dynamic"
@@ -405,15 +404,11 @@ function filterButtonClass(active: boolean): string {
 export default async function AdminTodoPage(props: {
  searchParams?: SearchParamsInput | Promise<SearchParamsInput>
 }) {
-  const role = await resolveRoleFromServerContext()
+  const role = await requirePermissionForRoute({
-
+    nextPath: "/todo",
-  if (!role) {
+    permission: "roadmap:read",
-    redirect("/login?next=/todo")
+    scope: "global",
-  }
+  })
  if (!hasPermission(role, "roadmap:read", "global")) {
    redirect("/unauthorized?required=roadmap:read&scope=global")
  }
  const content = await getTodoMarkdown()
  const sections = parseTodo(content)
@@ -434,26 +429,21 @@ export default async function AdminTodoPage(props: {
  }
  return (
-    <main className="mx-auto flex min-h-screen w-full max-w-6xl flex-col gap-8 px-6 py-12">
+    <AdminShell
-      <header className="space-y-4">
+      role={role}
-        <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">Admin App</p>
+      activePath="/todo"
-        <div className="flex flex-wrap items-end justify-between gap-4">
+      badge="Admin App"
-          <div className="space-y-2">
+      title="Roadmap and Progress"
-            <h1 className="text-4xl font-semibold tracking-tight">Roadmap and Progress</h1>
+      description="Structured view from root TODO.md (single source of truth)."
-            <p className="text-neutral-600">
+      actions={
              Structured view from root `TODO.md` (single source of truth).
            </p>
          </div>
        <Link
          href="/"
          className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
        >
          Back to dashboard
        </Link>
-        </div>
+      }
-      </header>
+    >
      <section className="rounded-xl border border-neutral-200 bg-neutral-50 p-5">
        <div className="mb-4 flex items-center justify-between gap-4">
          <p className="text-sm font-medium text-neutral-600">Weighted completion</p>
@@ -607,6 +597,6 @@ export default async function AdminTodoPage(props: {
          {content}
        </pre>
      </details>
-    </main>
+    </AdminShell>
  )
 }
--- a/apps/admin/src/app/users/page.tsx
+++ b/apps/admin/src/app/users/page.tsx
@@ -0,0 +1,34 @@
 import { AdminSectionPlaceholder } from "@/components/admin-section-placeholder"
 import { AdminShell } from "@/components/admin-shell"
 import { requirePermissionForRoute } from "@/lib/route-guards"
 export const dynamic = "force-dynamic"
 export default async function UsersManagementPage() {
  const role = await requirePermissionForRoute({
    nextPath: "/users",
    permission: "users:read",
    scope: "own",
  })
  return (
    <AdminShell
      role={role}
      activePath="/users"
      badge="Admin App"
      title="Users"
      description="Prepare user lifecycle and role management operations."
    >
      <AdminSectionPlaceholder
        feature="Users Management"
        summary="This route sets the guardrail and UX entrypoint for role assignment, status, and invitation flows."
        requiredPermission="users:read (own)"
        nextSteps={[
          "Add user list, filter, and detail views.",
          "Add role and permission editing actions with owner/support safety rules.",
          "Add disable/ban and invite workflows.",
        ]}
      />
    </AdminShell>
  )
 }
--- a/apps/admin/src/components/admin-locale-switcher.tsx
+++ b/apps/admin/src/components/admin-locale-switcher.tsx
@@ -0,0 +1,41 @@
 "use client"
 import { type AppLocale, localeLabels, locales } from "@cms/i18n"
 import { useRouter } from "next/navigation"
 import { useTransition } from "react"
 import { ADMIN_LOCALE_COOKIE } from "@/i18n/shared"
 import { useAdminI18n, useAdminT } from "@/providers/admin-i18n-provider"
 export function AdminLocaleSwitcher() {
  const router = useRouter()
  const [isPending, startTransition] = useTransition()
  const { locale } = useAdminI18n()
  const t = useAdminT()
  return (
    <label className="inline-flex items-center gap-2 text-sm text-neutral-700">
      <span>{t("common.language", "Language")}</span>
      <select
        className="rounded-md border border-neutral-300 bg-white px-2 py-1 text-sm"
        value={locale}
        disabled={isPending}
        onChange={(event) => {
          const nextLocale = event.target.value as AppLocale
          // biome-ignore lint/suspicious/noDocumentCookie: locale preference is intentionally persisted client-side.
          document.cookie = `${ADMIN_LOCALE_COOKIE}=${nextLocale}; Path=/; Max-Age=31536000; SameSite=Lax`
          startTransition(() => {
            router.refresh()
          })
        }}
      >
        {locales.map((value) => (
          <option key={value} value={value}>
            {t(`common.localeNames.${value}`, localeLabels[value])} ({localeLabels[value]})
          </option>
        ))}
      </select>
    </label>
  )
 }
--- a/apps/admin/src/components/admin-section-placeholder.tsx
+++ b/apps/admin/src/components/admin-section-placeholder.tsx
@@ -0,0 +1,40 @@
 import type { ReactNode } from "react"
 type AdminSectionPlaceholderProps = {
  feature: string
  summary: string
  requiredPermission: string
  nextSteps: string[]
  children?: ReactNode
 }
 export function AdminSectionPlaceholder({
  feature,
  summary,
  requiredPermission,
  nextSteps,
  children,
 }: AdminSectionPlaceholderProps) {
  return (
    <section className="space-y-5 rounded-xl border border-neutral-200 p-6">
      <div className="space-y-2">
        <h2 className="text-xl font-medium">{feature}</h2>
        <p className="text-sm text-neutral-600">{summary}</p>
        <p className="text-xs uppercase tracking-wide text-neutral-500">
          Required permission: {requiredPermission}
        </p>
      </div>
      {children}
      <div className="rounded-lg border border-neutral-200 bg-neutral-50 p-4">
        <p className="text-sm font-medium text-neutral-800">Planned next steps</p>
        <ul className="mt-2 list-disc space-y-1 pl-5 text-sm text-neutral-600">
          {nextSteps.map((step) => (
            <li key={step}>{step}</li>
          ))}
        </ul>
      </div>
    </section>
  )
 }
--- a/apps/admin/src/components/admin-shell.tsx
+++ b/apps/admin/src/components/admin-shell.tsx
@@ -0,0 +1,117 @@
 import { hasPermission, type Permission, type PermissionScope, type Role } from "@cms/content/rbac"
 import Link from "next/link"
 import type { ReactNode } from "react"
 import { LogoutButton } from "@/app/logout-button"
 import { AdminLocaleSwitcher } from "@/components/admin-locale-switcher"
 type AdminShellProps = {
  role: Role
  activePath: string
  badge: string
  title: string
  description: string
  actions?: ReactNode
  children: ReactNode
 }
 type NavItem = {
  href: string
  label: string
  permission: Permission
  scope: PermissionScope
 }
 const navItems: NavItem[] = [
  { href: "/", label: "Dashboard", permission: "dashboard:read", scope: "global" },
  { href: "/pages", label: "Pages", permission: "pages:read", scope: "team" },
  { href: "/media", label: "Media", permission: "media:read", scope: "team" },
  { href: "/users", label: "Users", permission: "users:read", scope: "own" },
  { href: "/commissions", label: "Commissions", permission: "commissions:read", scope: "own" },
  { href: "/settings", label: "Settings", permission: "users:manage_roles", scope: "global" },
  { href: "/todo", label: "Roadmap", permission: "roadmap:read", scope: "global" },
 ]
 function navItemClass(active: boolean): string {
  if (active) {
    return "bg-neutral-900 text-white border-neutral-900"
  }
  return "bg-white text-neutral-700 border-neutral-300 hover:bg-neutral-100"
 }
 function isActiveRoute(activePath: string, href: string): boolean {
  if (href === "/") {
    return activePath === "/"
  }
  return activePath === href || activePath.startsWith(`${href}/`)
 }
 export function AdminShell({
  role,
  activePath,
  badge,
  title,
  description,
  actions,
  children,
 }: AdminShellProps) {
  return (
    <div className="mx-auto flex min-h-screen w-full max-w-7xl gap-8 px-6 py-10">
      <aside className="sticky top-0 hidden h-fit w-64 shrink-0 space-y-4 lg:block">
        <div className="rounded-xl border border-neutral-200 bg-white p-4">
          <p className="text-xs font-semibold uppercase tracking-[0.2em] text-neutral-500">
            CMS Admin
          </p>
          <p className="mt-2 text-sm text-neutral-600">Role: {role}</p>
        </div>
        <nav className="space-y-2">
          {navItems
            .filter((item) => hasPermission(role, item.permission, item.scope))
            .map((item) => (
              <Link
                key={item.href}
                href={item.href}
                className={`block rounded-md border px-3 py-2 text-sm font-medium ${navItemClass(isActiveRoute(activePath, item.href))}`}
              >
                {item.label}
              </Link>
            ))}
        </nav>
      </aside>
      <div className="min-w-0 flex-1 space-y-8">
        <nav className="flex flex-wrap gap-2 lg:hidden">
          {navItems
            .filter((item) => hasPermission(role, item.permission, item.scope))
            .map((item) => (
              <Link
                key={`mobile-${item.href}`}
                href={item.href}
                className={`rounded-md border px-3 py-2 text-sm font-medium ${navItemClass(isActiveRoute(activePath, item.href))}`}
              >
                {item.label}
              </Link>
            ))}
        </nav>
        <header className="space-y-3">
          <div className="flex flex-wrap items-center justify-between gap-3">
            <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">{badge}</p>
            <div className="flex items-center gap-2">
              <AdminLocaleSwitcher />
              <LogoutButton />
            </div>
          </div>
          <h1 className="text-4xl font-semibold tracking-tight">{title}</h1>
          <p className="text-neutral-600">{description}</p>
          {actions ? <div className="flex flex-wrap items-center gap-3 pt-1">{actions}</div> : null}
        </header>
        {children}
      </div>
    </div>
  )
 }
--- a/apps/admin/src/i18n/messages.test.ts
+++ b/apps/admin/src/i18n/messages.test.ts
@@ -0,0 +1,147 @@
 import { describe, expect, it } from "vitest"
 import type { AdminMessages } from "./messages"
 import { translateMessage } from "./messages"
 const messages: AdminMessages = {
  common: {
    language: "Language",
    localeNames: {
      de: "German",
      en: "English",
      es: "Spanish",
      fr: "French",
    },
  },
  auth: {
    badge: "Admin Auth",
    titles: {
      signIn: "Sign in",
      signUpOwner: "Welcome",
      signUpUser: "Create account",
      signUpDisabled: "Registration disabled",
    },
    descriptions: {
      signIn: "Sign in description",
      signUpOwner: "Owner description",
      signUpUser: "User description",
      signUpDisabled: "Disabled description",
    },
    fields: {
      name: "Name",
      emailOrUsername: "Email or username",
      email: "Email",
      username: "Username",
      password: "Password",
    },
    actions: {
      signInIdle: "Sign in",
      signInBusy: "Signing in...",
      signUpOwnerIdle: "Create owner account",
      signUpUserIdle: "Create account",
      signUpBusy: "Creating account...",
    },
    links: {
      needAccount: "Need an account?",
      register: "Register",
      alreadyHaveAccount: "Already have an account?",
      goToSignIn: "Go to sign in",
    },
    messages: {
      ownerCreated: "Owner account created.",
      accountCreated: "Account created.",
      registrationDisabled: "Registration is disabled.",
    },
    errors: {
      nameRequired: "Name is required.",
      signInFailed: "Sign in failed",
      signUpFailed: "Sign up failed",
      networkSignIn: "Network sign in error",
      networkSignUp: "Network sign up error",
    },
  },
  settings: {
    badge: "Admin Settings",
    title: "Settings",
    description: "Settings description",
    actions: {
      backToDashboard: "Back to dashboard",
    },
    registration: {
      title: "Registration",
      description: "Registration description",
      currentStatusLabel: "Current status",
      status: {
        enabled: "Enabled",
        disabled: "Disabled",
      },
      checkboxLabel: "Allow registration",
      actions: {
        save: "Save",
      },
      success: {
        updated: "Updated",
      },
      errors: {
        updateFailed: "Update failed",
      },
    },
  },
  dashboard: {
    badge: "Admin App",
    title: "Content Dashboard",
    description: "Manage content.",
    actions: {
      openRoadmap: "Open roadmap",
    },
    notices: {
      noCrudPermission: "No permission.",
      crudSandboxTag: "MVP0 functional test",
    },
    posts: {
      title: "Posts CRUD Sandbox",
      createTitle: "Create post",
      fields: {
        title: "Title",
        slug: "Slug",
        excerpt: "Excerpt",
        body: "Body",
        status: "Status",
      },
      status: {
        draft: "Draft",
        published: "Published",
      },
      actions: {
        create: "Create post",
        save: "Save changes",
        delete: "Delete",
      },
      errors: {
        createFailed: "Create failed.",
        updateFailed: "Update failed.",
        updateMissingId: "Missing post id.",
        deleteFailed: "Delete failed.",
        deleteMissingId: "Missing post id.",
      },
      success: {
        created: "Post created.",
        updated: "Post updated.",
        deleted: "Post deleted.",
      },
      fallback: {
        noExcerpt: "No excerpt",
      },
    },
  },
 }
 describe("translateMessage", () => {
  it("resolves nested keys", () => {
    expect(translateMessage(messages, "dashboard.title")).toBe("Content Dashboard")
  })
  it("returns fallback for unknown keys", () => {
    expect(translateMessage(messages, "dashboard.unknown", "Fallback")).toBe("Fallback")
  })
 })
--- a/apps/admin/src/i18n/messages.ts
+++ b/apps/admin/src/i18n/messages.ts
@@ -0,0 +1,27 @@
 import type enMessages from "../messages/en.json"
 export type AdminMessages = typeof enMessages
 function resolveNestedValue(source: unknown, key: string): unknown {
  let current: unknown = source
  for (const segment of key.split(".")) {
    if (!current || typeof current !== "object") {
      return null
    }
    current = (current as Record<string, unknown>)[segment]
  }
  return current
 }
 export function translateMessage(messages: AdminMessages, key: string, fallback?: string): string {
  const resolved = resolveNestedValue(messages, key)
  if (typeof resolved === "string") {
    return resolved
  }
  return fallback ?? key
 }
--- a/apps/admin/src/i18n/server.ts
+++ b/apps/admin/src/i18n/server.ts
@@ -0,0 +1,20 @@
 import { type AppLocale, defaultLocale, isAppLocale } from "@cms/i18n"
 import { cookies } from "next/headers"
 import type { AdminMessages } from "./messages"
 import { ADMIN_LOCALE_COOKIE } from "./shared"
 export async function resolveAdminLocale(): Promise<AppLocale> {
  const cookieStore = await cookies()
  const value = cookieStore.get(ADMIN_LOCALE_COOKIE)?.value
  if (value && isAppLocale(value)) {
    return value
  }
  return defaultLocale
 }
 export async function getAdminMessages(locale: AppLocale): Promise<AdminMessages> {
  return (await import(`../messages/${locale}.json`)).default as AdminMessages
 }
--- a/apps/admin/src/i18n/shared.ts
+++ b/apps/admin/src/i18n/shared.ts
@@ -0,0 +1 @@
 export const ADMIN_LOCALE_COOKIE = "cms_admin_locale"
--- a/apps/admin/src/lib/access.test.ts
+++ b/apps/admin/src/lib/access.test.ts
@@ -0,0 +1,43 @@
 import { describe, expect, it } from "vitest"
 import { canAccessRoute, getRequiredPermission, isPublicRoute } from "./access"
 describe("admin route access rules", () => {
  it("treats support fallback route as public", () => {
    expect(isPublicRoute("/support/support-access")).toBe(true)
    expect(canAccessRoute("editor", "/support/support-access")).toBe(true)
  })
  it("keeps settings route restricted to role with users:manage_roles", () => {
    expect(isPublicRoute("/settings")).toBe(false)
    expect(canAccessRoute("manager", "/settings")).toBe(false)
    expect(canAccessRoute("admin", "/settings")).toBe(true)
    expect(canAccessRoute("owner", "/settings")).toBe(true)
  })
  it("resolves route-specific permission requirements", () => {
    expect(getRequiredPermission("/todo")).toEqual({
      permission: "roadmap:read",
      scope: "global",
    })
  })
  it("maps new admin IA routes to dedicated permissions", () => {
    expect(getRequiredPermission("/pages")).toEqual({
      permission: "pages:read",
      scope: "team",
    })
    expect(getRequiredPermission("/media")).toEqual({
      permission: "media:read",
      scope: "team",
    })
    expect(getRequiredPermission("/users")).toEqual({
      permission: "users:read",
      scope: "own",
    })
    expect(getRequiredPermission("/commissions")).toEqual({
      permission: "commissions:read",
      scope: "own",
    })
  })
 })
--- a/apps/admin/src/lib/access.ts
+++ b/apps/admin/src/lib/access.ts
@@ -43,6 +43,41 @@ const guardRules: GuardRule[] = [
      scope: "global",
    },
  },
  {
    route: /^\/pages(?:\/|$)/,
    requirement: {
      permission: "pages:read",
      scope: "team",
    },
  },
  {
    route: /^\/media(?:\/|$)/,
    requirement: {
      permission: "media:read",
      scope: "team",
    },
  },
  {
    route: /^\/users(?:\/|$)/,
    requirement: {
      permission: "users:read",
      scope: "own",
    },
  },
  {
    route: /^\/commissions(?:\/|$)/,
    requirement: {
      permission: "commissions:read",
      scope: "own",
    },
  },
  {
    route: /^\/settings(?:\/|$)/,
    requirement: {
      permission: "users:manage_roles",
      scope: "global",
    },
  },
  {
    route: /^\/(?:$|\?)/,
    requirement: {
--- a/apps/admin/src/lib/auth/server.ts
+++ b/apps/admin/src/lib/auth/server.ts
@@ -1,5 +1,5 @@
 import { normalizeRole, type Role } from "@cms/content/rbac"
-import { db } from "@cms/db"
+import { db, isAdminSelfRegistrationEnabled } from "@cms/db"
 import { betterAuth } from "better-auth"
 import { prismaAdapter } from "better-auth/adapters/prisma"
 import { toNextJsHandler } from "better-auth/next-js"
@@ -43,8 +43,7 @@ export async function isInitialOwnerRegistrationOpen(): Promise<boolean> {
 }
 export async function isSelfRegistrationEnabled(): Promise<boolean> {
-  // Temporary fallback until registration policy is managed from admin settings.
+  return isAdminSelfRegistrationEnabled()
  return process.env.CMS_ADMIN_SELF_REGISTRATION_ENABLED === "true"
 }
 export async function canUserSelfRegister(): Promise<boolean> {
--- a/apps/admin/src/lib/route-guards.ts
+++ b/apps/admin/src/lib/route-guards.ts
@@ -0,0 +1,30 @@
 import { hasPermission, type Permission, type PermissionScope, type Role } from "@cms/content/rbac"
 import { redirect } from "next/navigation"
 import { resolveRoleFromServerContext } from "@/lib/access-server"
 type RequirePermissionParams = {
  nextPath: string
  permission: Permission
  scope: PermissionScope
 }
 export async function requireRoleForRoute(nextPath: string): Promise<Role> {
  const role = await resolveRoleFromServerContext()
  if (!role) {
    redirect(`/login?next=${encodeURIComponent(nextPath)}`)
  }
  return role
 }
 export async function requirePermissionForRoute(params: RequirePermissionParams): Promise<Role> {
  const role = await requireRoleForRoute(params.nextPath)
  if (!hasPermission(role, params.permission, params.scope)) {
    redirect(`/unauthorized?required=${params.permission}&scope=${params.scope}`)
  }
  return role
 }
--- a/apps/admin/src/messages/de.json
+++ b/apps/admin/src/messages/de.json
@@ -0,0 +1,132 @@
 {
  "common": {
    "language": "Sprache",
    "localeNames": {
      "de": "Deutsch",
      "en": "Englisch",
      "es": "Spanisch",
      "fr": "Französisch"
    }
  },
  "auth": {
    "badge": "Admin-Authentifizierung",
    "titles": {
      "signIn": "Bei CMS Admin anmelden",
      "signUpOwner": "Willkommen bei CMS Admin",
      "signUpUser": "Admin-Konto erstellen",
      "signUpDisabled": "Registrierung ist deaktiviert"
    },
    "descriptions": {
      "signIn": "Better Auth ist in dieser App über /api/auth aktiv.",
      "signUpOwner": "Erstelle das erste Owner-Konto, um diese Admin-Instanz zu initialisieren.",
      "signUpUser": "Selbstregistrierung für Admin-Benutzer ist aktiviert.",
      "signUpDisabled": "Selbstregistrierung wurde von einer Administratorin oder einem Administrator deaktiviert."
    },
    "fields": {
      "name": "Name",
      "emailOrUsername": "E-Mail oder Benutzername",
      "email": "E-Mail",
      "username": "Benutzername (optional)",
      "password": "Passwort"
    },
    "actions": {
      "signInIdle": "Anmelden",
      "signInBusy": "Anmeldung läuft...",
      "signUpOwnerIdle": "Owner-Konto erstellen",
      "signUpUserIdle": "Konto erstellen",
      "signUpBusy": "Konto wird erstellt..."
    },
    "links": {
      "needAccount": "Du brauchst ein Konto?",
      "register": "Registrieren",
      "alreadyHaveAccount": "Du hast bereits ein Konto?",
      "goToSignIn": "Zur Anmeldung"
    },
    "messages": {
      "ownerCreated": "Owner-Konto erstellt. Registrierung ist jetzt deaktiviert.",
      "accountCreated": "Konto erstellt.",
      "registrationDisabled": "Für diese Admin-Instanz ist die Registrierung deaktiviert. Bitte wende dich an eine Administratorin oder einen Administrator."
    },
    "errors": {
      "nameRequired": "Name ist für die Kontoerstellung erforderlich",
      "signInFailed": "Anmeldung fehlgeschlagen",
      "signUpFailed": "Registrierung fehlgeschlagen",
      "networkSignIn": "Netzwerkfehler bei der Anmeldung",
      "networkSignUp": "Netzwerkfehler bei der Registrierung"
    }
  },
  "settings": {
    "badge": "Admin-Einstellungen",
    "title": "Einstellungen",
    "description": "Verwalte Laufzeitrichtlinien für Authentifizierung und Onboarding im Admin-Bereich.",
    "actions": {
      "backToDashboard": "Zurück zum Dashboard"
    },
    "registration": {
      "title": "Admin-Selbstregistrierung",
      "description": "Wenn aktiviert, können über /register nach der initialen Owner-Erstellung weitere Admin-Konten erstellt werden.",
      "currentStatusLabel": "Aktueller Status",
      "status": {
        "enabled": "Aktiviert",
        "disabled": "Deaktiviert"
      },
      "checkboxLabel": "Selbstregistrierung auf /register für Admin-Benutzer erlauben",
      "actions": {
        "save": "Registrierungsrichtlinie speichern"
      },
      "success": {
        "updated": "Registrierungsrichtlinie aktualisiert."
      },
      "errors": {
        "updateFailed": "Speichern der Einstellungen fehlgeschlagen. Stelle sicher, dass Datenbankmigrationen angewendet wurden."
      }
    }
  },
  "dashboard": {
    "badge": "Admin-App",
    "title": "Content-Dashboard",
    "description": "Verwalte Beiträge in einer dedizierten Admin-Oberfläche.",
    "actions": {
      "openRoadmap": "Roadmap und Fortschritt öffnen"
    },
    "notices": {
      "noCrudPermission": "Du kannst Beiträge lesen, aber deine Rolle darf keine Beiträge erstellen/ändern/löschen.",
      "crudSandboxTag": "MVP0 Funktionstest"
    },
    "posts": {
      "title": "Beiträge CRUD-Sandbox",
      "createTitle": "Beitrag erstellen",
      "fields": {
        "title": "Titel",
        "slug": "Slug",
        "excerpt": "Auszug",
        "body": "Inhalt",
        "status": "Status"
      },
      "status": {
        "draft": "Entwurf",
        "published": "Veröffentlicht"
      },
      "actions": {
        "create": "Beitrag erstellen",
        "save": "Änderungen speichern",
        "delete": "Löschen"
      },
      "errors": {
        "createFailed": "Erstellen fehlgeschlagen. Bitte Eingaben prüfen.",
        "updateFailed": "Aktualisierung fehlgeschlagen. Bitte Eingaben prüfen.",
        "updateMissingId": "Aktualisierung fehlgeschlagen. Beitrags-ID fehlt.",
        "deleteFailed": "Löschen fehlgeschlagen.",
        "deleteMissingId": "Löschen fehlgeschlagen. Beitrags-ID fehlt."
      },
      "success": {
        "created": "Beitrag erstellt.",
        "updated": "Beitrag aktualisiert.",
        "deleted": "Beitrag gelöscht."
      },
      "fallback": {
        "noExcerpt": "Kein Auszug"
      }
    }
  }
 }
--- a/apps/admin/src/messages/en.json
+++ b/apps/admin/src/messages/en.json
@@ -0,0 +1,132 @@
 {
  "common": {
    "language": "Language",
    "localeNames": {
      "de": "German",
      "en": "English",
      "es": "Spanish",
      "fr": "French"
    }
  },
  "auth": {
    "badge": "Admin Auth",
    "titles": {
      "signIn": "Sign in to CMS Admin",
      "signUpOwner": "Welcome to CMS Admin",
      "signUpUser": "Create an admin account",
      "signUpDisabled": "Registration is disabled"
    },
    "descriptions": {
      "signIn": "Better Auth is active on this app via /api/auth.",
      "signUpOwner": "Create the first owner account to initialize this admin instance.",
      "signUpUser": "Self-registration is enabled for admin users.",
      "signUpDisabled": "Self-registration is currently turned off by an administrator."
    },
    "fields": {
      "name": "Name",
      "emailOrUsername": "Email or username",
      "email": "Email",
      "username": "Username (optional)",
      "password": "Password"
    },
    "actions": {
      "signInIdle": "Sign in",
      "signInBusy": "Signing in...",
      "signUpOwnerIdle": "Create owner account",
      "signUpUserIdle": "Create account",
      "signUpBusy": "Creating account..."
    },
    "links": {
      "needAccount": "Need an account?",
      "register": "Register",
      "alreadyHaveAccount": "Already have an account?",
      "goToSignIn": "Go to sign in"
    },
    "messages": {
      "ownerCreated": "Owner account created. Registration is now disabled.",
      "accountCreated": "Account created.",
      "registrationDisabled": "Registration is disabled for this admin instance. Ask an administrator to create an account or enable self-registration."
    },
    "errors": {
      "nameRequired": "Name is required for account creation",
      "signInFailed": "Sign in failed",
      "signUpFailed": "Sign up failed",
      "networkSignIn": "Network error while signing in",
      "networkSignUp": "Network error while signing up"
    }
  },
  "settings": {
    "badge": "Admin Settings",
    "title": "Settings",
    "description": "Manage runtime policies for the admin authentication and onboarding flow.",
    "actions": {
      "backToDashboard": "Back to dashboard"
    },
    "registration": {
      "title": "Admin self-registration",
      "description": "When enabled, /register can create additional admin accounts after initial owner bootstrap.",
      "currentStatusLabel": "Current status",
      "status": {
        "enabled": "Enabled",
        "disabled": "Disabled"
      },
      "checkboxLabel": "Allow self-registration on /register for admin users",
      "actions": {
        "save": "Save registration policy"
      },
      "success": {
        "updated": "Registration policy updated."
      },
      "errors": {
        "updateFailed": "Saving settings failed. Ensure database migrations are applied."
      }
    }
  },
  "dashboard": {
    "badge": "Admin App",
    "title": "Content Dashboard",
    "description": "Manage posts from a dedicated admin surface.",
    "actions": {
      "openRoadmap": "Open roadmap and progress"
    },
    "notices": {
      "noCrudPermission": "You can read posts, but your role cannot create/update/delete posts.",
      "crudSandboxTag": "MVP0 functional test"
    },
    "posts": {
      "title": "Posts CRUD Sandbox",
      "createTitle": "Create post",
      "fields": {
        "title": "Title",
        "slug": "Slug",
        "excerpt": "Excerpt",
        "body": "Body",
        "status": "Status"
      },
      "status": {
        "draft": "Draft",
        "published": "Published"
      },
      "actions": {
        "create": "Create post",
        "save": "Save changes",
        "delete": "Delete"
      },
      "errors": {
        "createFailed": "Create failed. Please check your input.",
        "updateFailed": "Update failed. Please check your input.",
        "updateMissingId": "Update failed. Missing post id.",
        "deleteFailed": "Delete failed.",
        "deleteMissingId": "Delete failed. Missing post id."
      },
      "success": {
        "created": "Post created.",
        "updated": "Post updated.",
        "deleted": "Post deleted."
      },
      "fallback": {
        "noExcerpt": "No excerpt"
      }
    }
  }
 }
--- a/apps/admin/src/messages/es.json
+++ b/apps/admin/src/messages/es.json
@@ -0,0 +1,132 @@
 {
  "common": {
    "language": "Idioma",
    "localeNames": {
      "de": "Alemán",
      "en": "Inglés",
      "es": "Español",
      "fr": "Francés"
    }
  },
  "auth": {
    "badge": "Autenticación de Admin",
    "titles": {
      "signIn": "Iniciar sesión en CMS Admin",
      "signUpOwner": "Bienvenido a CMS Admin",
      "signUpUser": "Crear una cuenta de admin",
      "signUpDisabled": "El registro está deshabilitado"
    },
    "descriptions": {
      "signIn": "Better Auth está activo en esta app mediante /api/auth.",
      "signUpOwner": "Crea la primera cuenta owner para inicializar esta instancia de administración.",
      "signUpUser": "El registro automático está habilitado para usuarios admin.",
      "signUpDisabled": "El auto-registro está desactivado actualmente por un administrador."
    },
    "fields": {
      "name": "Nombre",
      "emailOrUsername": "Correo o nombre de usuario",
      "email": "Correo",
      "username": "Nombre de usuario (opcional)",
      "password": "Contraseña"
    },
    "actions": {
      "signInIdle": "Iniciar sesión",
      "signInBusy": "Iniciando sesión...",
      "signUpOwnerIdle": "Crear cuenta owner",
      "signUpUserIdle": "Crear cuenta",
      "signUpBusy": "Creando cuenta..."
    },
    "links": {
      "needAccount": "¿Necesitas una cuenta?",
      "register": "Registrarse",
      "alreadyHaveAccount": "¿Ya tienes una cuenta?",
      "goToSignIn": "Ir a iniciar sesión"
    },
    "messages": {
      "ownerCreated": "Cuenta owner creada. El registro ahora está deshabilitado.",
      "accountCreated": "Cuenta creada.",
      "registrationDisabled": "El registro está deshabilitado para esta instancia de administración. Pide a un administrador que cree una cuenta o habilite el auto-registro."
    },
    "errors": {
      "nameRequired": "El nombre es obligatorio para crear la cuenta",
      "signInFailed": "Error al iniciar sesión",
      "signUpFailed": "Error al registrarse",
      "networkSignIn": "Error de red al iniciar sesión",
      "networkSignUp": "Error de red al registrarse"
    }
  },
  "settings": {
    "badge": "Ajustes de Admin",
    "title": "Ajustes",
    "description": "Gestiona políticas de ejecución para autenticación y onboarding del panel admin.",
    "actions": {
      "backToDashboard": "Volver al panel"
    },
    "registration": {
      "title": "Auto-registro de admin",
      "description": "Cuando está habilitado, /register puede crear cuentas admin adicionales después del bootstrap inicial del owner.",
      "currentStatusLabel": "Estado actual",
      "status": {
        "enabled": "Habilitado",
        "disabled": "Deshabilitado"
      },
      "checkboxLabel": "Permitir auto-registro en /register para usuarios admin",
      "actions": {
        "save": "Guardar política de registro"
      },
      "success": {
        "updated": "Política de registro actualizada."
      },
      "errors": {
        "updateFailed": "No se pudieron guardar los ajustes. Asegúrate de que las migraciones de base de datos estén aplicadas."
      }
    }
  },
  "dashboard": {
    "badge": "App Admin",
    "title": "Panel de Contenido",
    "description": "Gestiona publicaciones desde una superficie de administración dedicada.",
    "actions": {
      "openRoadmap": "Abrir hoja de ruta y progreso"
    },
    "notices": {
      "noCrudPermission": "Puedes leer publicaciones, pero tu rol no puede crear/editar/eliminar publicaciones.",
      "crudSandboxTag": "Prueba funcional MVP0"
    },
    "posts": {
      "title": "Sandbox CRUD de Publicaciones",
      "createTitle": "Crear publicación",
      "fields": {
        "title": "Título",
        "slug": "Slug",
        "excerpt": "Extracto",
        "body": "Contenido",
        "status": "Estado"
      },
      "status": {
        "draft": "Borrador",
        "published": "Publicado"
      },
      "actions": {
        "create": "Crear publicación",
        "save": "Guardar cambios",
        "delete": "Eliminar"
      },
      "errors": {
        "createFailed": "Error al crear. Revisa tus datos.",
        "updateFailed": "Error al actualizar. Revisa tus datos.",
        "updateMissingId": "Error al actualizar. Falta el id de la publicación.",
        "deleteFailed": "Error al eliminar.",
        "deleteMissingId": "Error al eliminar. Falta el id de la publicación."
      },
      "success": {
        "created": "Publicación creada.",
        "updated": "Publicación actualizada.",
        "deleted": "Publicación eliminada."
      },
      "fallback": {
        "noExcerpt": "Sin extracto"
      }
    }
  }
 }
--- a/apps/admin/src/messages/fr.json
+++ b/apps/admin/src/messages/fr.json
@@ -0,0 +1,132 @@
 {
  "common": {
    "language": "Langue",
    "localeNames": {
      "de": "Allemand",
      "en": "Anglais",
      "es": "Espagnol",
      "fr": "Français"
    }
  },
  "auth": {
    "badge": "Authentification Admin",
    "titles": {
      "signIn": "Se connecter à CMS Admin",
      "signUpOwner": "Bienvenue sur CMS Admin",
      "signUpUser": "Créer un compte admin",
      "signUpDisabled": "L’inscription est désactivée"
    },
    "descriptions": {
      "signIn": "Better Auth est actif sur cette application via /api/auth.",
      "signUpOwner": "Créez le premier compte owner pour initialiser cette instance d’administration.",
      "signUpUser": "L’auto-inscription est activée pour les utilisateurs admin.",
      "signUpDisabled": "L’auto-inscription est actuellement désactivée par un administrateur."
    },
    "fields": {
      "name": "Nom",
      "emailOrUsername": "E-mail ou nom d’utilisateur",
      "email": "E-mail",
      "username": "Nom d’utilisateur (optionnel)",
      "password": "Mot de passe"
    },
    "actions": {
      "signInIdle": "Se connecter",
      "signInBusy": "Connexion en cours...",
      "signUpOwnerIdle": "Créer le compte owner",
      "signUpUserIdle": "Créer un compte",
      "signUpBusy": "Création du compte..."
    },
    "links": {
      "needAccount": "Besoin d’un compte ?",
      "register": "S’inscrire",
      "alreadyHaveAccount": "Vous avez déjà un compte ?",
      "goToSignIn": "Aller à la connexion"
    },
    "messages": {
      "ownerCreated": "Compte owner créé. L’inscription est maintenant désactivée.",
      "accountCreated": "Compte créé.",
      "registrationDisabled": "L’inscription est désactivée pour cette instance admin. Demandez à un administrateur de créer un compte ou de réactiver l’auto-inscription."
    },
    "errors": {
      "nameRequired": "Le nom est requis pour créer un compte",
      "signInFailed": "Échec de la connexion",
      "signUpFailed": "Échec de l’inscription",
      "networkSignIn": "Erreur réseau lors de la connexion",
      "networkSignUp": "Erreur réseau lors de l’inscription"
    }
  },
  "settings": {
    "badge": "Paramètres Admin",
    "title": "Paramètres",
    "description": "Gérez les politiques d’exécution pour l’authentification et l’onboarding de l’admin.",
    "actions": {
      "backToDashboard": "Retour au tableau de bord"
    },
    "registration": {
      "title": "Auto-inscription admin",
      "description": "Lorsqu’elle est activée, /register peut créer des comptes admin supplémentaires après l’initialisation du premier owner.",
      "currentStatusLabel": "Statut actuel",
      "status": {
        "enabled": "Activé",
        "disabled": "Désactivé"
      },
      "checkboxLabel": "Autoriser l’auto-inscription sur /register pour les utilisateurs admin",
      "actions": {
        "save": "Enregistrer la politique d’inscription"
      },
      "success": {
        "updated": "Politique d’inscription mise à jour."
      },
      "errors": {
        "updateFailed": "Échec de l’enregistrement des paramètres. Vérifiez que les migrations de base de données sont appliquées."
      }
    }
  },
  "dashboard": {
    "badge": "Application Admin",
    "title": "Tableau de bord contenu",
    "description": "Gérez les publications depuis une surface d’administration dédiée.",
    "actions": {
      "openRoadmap": "Ouvrir la feuille de route et la progression"
    },
    "notices": {
      "noCrudPermission": "Vous pouvez lire les publications, mais votre rôle ne peut pas créer/modifier/supprimer des publications.",
      "crudSandboxTag": "Test fonctionnel MVP0"
    },
    "posts": {
      "title": "Sandbox CRUD des publications",
      "createTitle": "Créer une publication",
      "fields": {
        "title": "Titre",
        "slug": "Slug",
        "excerpt": "Extrait",
        "body": "Contenu",
        "status": "Statut"
      },
      "status": {
        "draft": "Brouillon",
        "published": "Publié"
      },
      "actions": {
        "create": "Créer une publication",
        "save": "Enregistrer les modifications",
        "delete": "Supprimer"
      },
      "errors": {
        "createFailed": "Échec de la création. Vérifiez vos données.",
        "updateFailed": "Échec de la mise à jour. Vérifiez vos données.",
        "updateMissingId": "Échec de la mise à jour. ID de publication manquant.",
        "deleteFailed": "Échec de la suppression.",
        "deleteMissingId": "Échec de la suppression. ID de publication manquant."
      },
      "success": {
        "created": "Publication créée.",
        "updated": "Publication mise à jour.",
        "deleted": "Publication supprimée."
      },
      "fallback": {
        "noExcerpt": "Aucun extrait"
      }
    }
  }
 }
--- a/apps/admin/src/providers/admin-i18n-provider.tsx
+++ b/apps/admin/src/providers/admin-i18n-provider.tsx
@@ -0,0 +1,53 @@
 "use client"
 import type { AppLocale } from "@cms/i18n"
 import { createContext, type ReactNode, useContext, useMemo } from "react"
 import type { AdminMessages } from "@/i18n/messages"
 import { translateMessage } from "@/i18n/messages"
 type AdminI18nContextValue = {
  locale: AppLocale
  messages: AdminMessages
 }
 const AdminI18nContext = createContext<AdminI18nContextValue | null>(null)
 export function AdminI18nProvider({
  locale,
  messages,
  children,
 }: {
  locale: AppLocale
  messages: AdminMessages
  children: ReactNode
 }) {
  const value = useMemo(
    () => ({
      locale,
      messages,
    }),
    [locale, messages],
  )
  return <AdminI18nContext.Provider value={value}>{children}</AdminI18nContext.Provider>
 }
 export function useAdminI18n(): AdminI18nContextValue {
  const context = useContext(AdminI18nContext)
  if (!context) {
    throw new Error("useAdminI18n must be used inside AdminI18nProvider")
  }
  return context
 }
 export function useAdminT() {
  const { messages } = useAdminI18n()
  return useMemo(
    () => (key: string, fallback?: string) => translateMessage(messages, key, fallback),
    [messages],
  )
 }
--- a/bun.lock
+++ b/bun.lock
@@ -30,6 +30,7 @@
      "dependencies": {
        "@cms/content": "workspace:*",
        "@cms/db": "workspace:*",
        "@cms/i18n": "workspace:*",
        "@cms/ui": "workspace:*",
        "@tanstack/react-form": "1.28.0",
        "@tanstack/react-query": "5.90.20",
--- a/docs/.vitepress/config.mts
+++ b/docs/.vitepress/config.mts
@@ -23,6 +23,7 @@ export default defineConfig({
          { text: "CRUD Baseline", link: "/product-engineering/crud-baseline" },
          { text: "i18n Baseline", link: "/product-engineering/i18n-baseline" },
          { text: "RBAC And Permissions", link: "/product-engineering/rbac-permission-model" },
          { text: "Testing Strategy", link: "/product-engineering/testing-strategy" },
          { text: "Workflow", link: "/workflow" },
        ],
      },
--- a/docs/product-engineering/auth-baseline.md
+++ b/docs/product-engineering/auth-baseline.md
@@ -39,6 +39,7 @@ Optional:
 - Support user bootstrap is available via `bun run auth:seed:support`.
 - Root `bun run db:seed` runs DB seed and support-user seed.
- `CMS_ADMIN_SELF_REGISTRATION_ENABLED` is temporary until admin settings UI manages this policy.
+- `CMS_ADMIN_SELF_REGISTRATION_ENABLED` is now a fallback/default only.
 - Runtime source of truth is admin settings (`/settings`) backed by `system_setting`.
 - Owner/support checks for future admin user-management mutations remain tracked in `TODO.md`.
 - Email verification and forgot/reset password pipelines are tracked for MVP2.
--- a/docs/product-engineering/crud-baseline.md
+++ b/docs/product-engineering/crud-baseline.md
@@ -7,6 +7,8 @@ MVP0 now includes a shared CRUD foundation package: `@cms/crud`.
 Current baseline:
 - Shared service factory: `createCrudService`
 - Repository contract: `list`, `findById`, `create`, `update`, `delete`
 - Service surface for list/detail/editor flows: `list`, `getById`, `create`, `update`, `delete`
 - Shared validation error type: `CrudValidationError`
 - Shared not-found error type: `CrudNotFoundError`
 - Shared mutation audit hook contract: `CrudAuditHook`
@@ -24,6 +26,11 @@ Current baseline:
 - `registerPostCrudAuditHook`
 Validation for create/update is enforced by `@cms/content` schemas.
 Contract tests validate:
 - repository list/detail behavior via CRUD service
 - validation and not-found errors
 - audit payload propagation (`actor`, `metadata`)
 The admin dashboard currently includes a temporary posts CRUD sandbox to validate this flow through a real app UI.
--- a/docs/product-engineering/i18n-baseline.md
+++ b/docs/product-engineering/i18n-baseline.md
@@ -2,19 +2,20 @@
 ## Scope
-MVP0 introduces i18n runtime only for the public app (`@cms/web`) using `next-intl`.
+MVP0 introduces i18n runtime baselines for both apps.
 Current baseline:
 - Shared locale contract in `@cms/i18n` (`de`, `en`, `es`, `fr`; default `en`)
- Path-stable routing (no locale in URL) via `apps/web/src/proxy.ts`
+- Public app: path-stable routing (no locale in URL) via `apps/web/src/proxy.ts`
- Message loading through `apps/web/src/i18n/request.ts`
+- Public app: message loading through `apps/web/src/i18n/request.ts`
- Locale-aware navigation helpers in `apps/web/src/i18n/navigation.ts`
+- Public app: locale-aware navigation helpers in `apps/web/src/i18n/navigation.ts`
- Public language switcher component backed by Zustand store
+- Public app: language switcher component backed by Zustand store
 - Admin app: cookie-based locale resolution and message loading in root layout
 - Admin app: runtime i18n provider (`AdminI18nProvider`) and locale switcher UI
 ## Notes
 - Public app locale is resolved through `next-intl` middleware + cookie.
 - Enabled locales are currently static in code and will later be managed from admin settings.
 - Admin app i18n provider/message loading is still pending.
 - Translation key conventions and workflow docs are tracked in `TODO.md`.
--- a/docs/product-engineering/index.md
+++ b/docs/product-engineering/index.md
@@ -8,6 +8,7 @@ This section covers platform and implementation documentation for engineers and
 - [Architecture](/architecture)
 - [Better Auth Baseline](/product-engineering/auth-baseline)
 - [RBAC And Permissions](/product-engineering/rbac-permission-model)
 - [Testing Strategy Baseline](/product-engineering/testing-strategy)
 - [Workflow](/workflow)
 ## Scope
--- a/docs/product-engineering/testing-strategy.md
+++ b/docs/product-engineering/testing-strategy.md
@@ -0,0 +1,33 @@
 # Testing Strategy Baseline
 ## Goals
 - Keep lint, typecheck, unit/integration, and e2e as mandatory quality gates.
 - Make e2e runs deterministic by preparing schema and seeded data before test execution.
 - Keep test data isolated per environment (`dev` local, CI database service in workflow).
 ## Current Gate Stack
 - `bun run check`
 - `bun run typecheck`
 - `bun run test`
 - `bun run test:e2e`
 ## Data Preparation
 - `bun run test:e2e:prepare` runs:
  - Prisma client generation
  - migration deploy
  - seed data (including support user bootstrap)
 - `bun run test:e2e` and related scripts call `test:e2e:prepare` automatically.
 ## Locale Integration Coverage
 - `e2e/i18n.pw.ts` covers:
  - web locale switch + persistence
  - admin locale switch + persistence
 ## CI
 - Real quality workflow: `.gitea/workflows/ci.yml`
 - Uses a PostgreSQL service container and runs the full gate stack, including e2e.
--- a/docs/workflow.md
+++ b/docs/workflow.md
@@ -15,10 +15,10 @@ Follow `BRANCHING.md`:
 ## Quality Gates
- `bun run lint`
+- `bun run check`
 - `bun run typecheck`
 - `bun run test`
- `bun run test:e2e --list`
+- `bun run test:e2e`
 ## Changelog
--- a/e2e/i18n.pw.ts
+++ b/e2e/i18n.pw.ts
@@ -0,0 +1,29 @@
 import { expect, test } from "@playwright/test"
 test.describe("i18n integration", () => {
  test("web language switcher updates and persists locale", async ({ page }, testInfo) => {
    test.skip(testInfo.project.name !== "web-chromium")
    await page.goto("/")
    await expect(page.getByRole("heading", { name: /your next\.js cms frontend/i })).toBeVisible()
    await page.locator("select").first().selectOption("de")
    await expect(page.getByRole("heading", { name: /dein next\.js cms frontend/i })).toBeVisible()
    await page.reload()
    await expect(page.getByRole("heading", { name: /dein next\.js cms frontend/i })).toBeVisible()
  })
  test("admin language switcher updates and persists locale", async ({ page }, testInfo) => {
    test.skip(testInfo.project.name !== "admin-chromium")
    await page.goto("/login")
    await expect(page.getByRole("heading", { name: /sign in to cms admin/i })).toBeVisible()
    await page.locator("select").first().selectOption("de")
    await expect(page.getByRole("heading", { name: /bei cms admin anmelden/i })).toBeVisible()
    await page.reload()
    await expect(page.getByRole("heading", { name: /bei cms admin anmelden/i })).toBeVisible()
  })
 })
--- a/e2e/support-auth.pw.ts
+++ b/e2e/support-auth.pw.ts
@@ -0,0 +1,20 @@
 import { expect, test } from "@playwright/test"
 const SUPPORT_LOGIN_KEY = process.env.CMS_SUPPORT_LOGIN_KEY ?? "support-access"
 test.describe("support fallback route", () => {
  test("valid support key opens sign-in page", async ({ page }, testInfo) => {
    test.skip(testInfo.project.name !== "admin-chromium")
    await page.goto(`/support/${SUPPORT_LOGIN_KEY}`)
    await expect(page.getByRole("heading", { name: /sign in to cms admin/i })).toBeVisible()
  })
  test("invalid support key returns not found", async ({ page }, testInfo) => {
    test.skip(testInfo.project.name !== "admin-chromium")
    const response = await page.goto("/support/invalid-key")
    expect(response?.status()).toBe(404)
  })
 })
--- a/package.json
+++ b/package.json
@@ -18,9 +18,10 @@
    "test": "vitest run",
    "test:watch": "vitest",
    "test:coverage": "vitest run --coverage",
-    "test:e2e": "bun run db:generate && playwright test",
+    "test:e2e:prepare": "bun run db:generate && bun run db:migrate:deploy && bun run db:seed",
-    "test:e2e:headed": "bun run db:generate && playwright test --headed",
+    "test:e2e": "bun run test:e2e:prepare && playwright test",
-    "test:e2e:ui": "bun run db:generate && playwright test --ui",
+    "test:e2e:headed": "bun run test:e2e:prepare && playwright test --headed",
    "test:e2e:ui": "bun run test:e2e:prepare && playwright test --ui",
    "commitlint": "commitlint --last",
    "changelog:preview": "conventional-changelog -p conventionalcommits -r 0",
    "changelog:release": "conventional-changelog -p conventionalcommits -i CHANGELOG.md -s",
--- a/packages/crud/src/service.test.ts
+++ b/packages/crud/src/service.test.ts
@@ -63,6 +63,32 @@ function createMemoryRepository() {
 }
 describe("createCrudService", () => {
  it("supports list and detail lookups through the repository contract", async () => {
    const service = createCrudService({
      resource: "fake-entity",
      repository: createMemoryRepository(),
      schemas: {
        create: z.object({
          title: z.string().min(3),
        }),
        update: z.object({
          title: z.string().min(3).optional(),
        }),
      },
    })
    const createdA = await service.create({ title: "First" })
    const createdB = await service.create({ title: "Second" })
    expect(await service.getById(createdA.id)).toEqual(createdA)
    expect(await service.getById("missing")).toBeNull()
    const listed = await service.list()
    expect(listed).toHaveLength(2)
    expect(listed).toContainEqual(createdA)
    expect(listed).toContainEqual(createdB)
  })
  it("validates create and update payloads", async () => {
    const service = createCrudService({
      resource: "fake-entity",
@@ -106,8 +132,13 @@ describe("createCrudService", () => {
  })
  it("emits audit events for create, update and delete", async () => {
-    const events: Array<{ action: string; beforeTitle: string | null; afterTitle: string | null }> =
+    const events: Array<{
-      []
+      action: string
      beforeTitle: string | null
      afterTitle: string | null
      actorRole: string | null
      requestId: string | null
    }> = []
    const service = createCrudService({
      resource: "fake-entity",
      repository: createMemoryRepository(),
@@ -125,6 +156,9 @@ describe("createCrudService", () => {
            action: event.action,
            beforeTitle: event.before?.title ?? null,
            afterTitle: event.after?.title ?? null,
            actorRole: event.actor?.role ?? null,
            requestId:
              typeof event.metadata?.requestId === "string" ? event.metadata.requestId : null,
          })
        },
      ],
@@ -134,6 +168,9 @@ describe("createCrudService", () => {
      { title: "Created" },
      {
        actor: { id: "u-1", role: "owner" },
        metadata: {
          requestId: "req-1",
        },
      },
    )
@@ -145,16 +182,22 @@ describe("createCrudService", () => {
        action: "create",
        beforeTitle: null,
        afterTitle: "Created",
        actorRole: "owner",
        requestId: "req-1",
      },
      {
        action: "update",
        beforeTitle: "Created",
        afterTitle: "Updated",
        actorRole: null,
        requestId: null,
      },
      {
        action: "delete",
        beforeTitle: "Updated",
        afterTitle: null,
        actorRole: null,
        requestId: null,
      },
    ])
  })
--- a/packages/db/prisma/migrations/20260210200148_admin_registration_policy_setting/migration.sql
+++ b/packages/db/prisma/migrations/20260210200148_admin_registration_policy_setting/migration.sql
@@ -0,0 +1,9 @@
 -- CreateTable
 CREATE TABLE "system_setting" (
    "key" TEXT NOT NULL,
    "value" TEXT NOT NULL,
    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
    "updatedAt" TIMESTAMP(3) NOT NULL,
    CONSTRAINT "system_setting_pkey" PRIMARY KEY ("key")
 );
--- a/packages/db/prisma/schema.prisma
+++ b/packages/db/prisma/schema.prisma
@@ -87,3 +87,12 @@ model Verification {
  @@index([identifier])
  @@map("verification")
 }
 model SystemSetting {
  key       String   @id
  value     String
  createdAt DateTime @default(now())
  updatedAt DateTime @updatedAt
  @@map("system_setting")
 }
--- a/packages/db/src/index.ts
+++ b/packages/db/src/index.ts
@@ -7,3 +7,4 @@ export {
  registerPostCrudAuditHook,
  updatePost,
 } from "./posts"
 export { isAdminSelfRegistrationEnabled, setAdminSelfRegistrationEnabled } from "./settings"
--- a/packages/db/src/settings.ts
+++ b/packages/db/src/settings.ts
@@ -0,0 +1,56 @@
 import { db } from "./client"
 const ADMIN_SELF_REGISTRATION_KEY = "admin.self_registration_enabled"
 function resolveEnvFallback(): boolean {
  return process.env.CMS_ADMIN_SELF_REGISTRATION_ENABLED === "true"
 }
 function parseStoredBoolean(value: string): boolean | null {
  if (value === "true") {
    return true
  }
  if (value === "false") {
    return false
  }
  return null
 }
 export async function isAdminSelfRegistrationEnabled(): Promise<boolean> {
  try {
    const setting = await db.systemSetting.findUnique({
      where: { key: ADMIN_SELF_REGISTRATION_KEY },
      select: { value: true },
    })
    if (!setting) {
      return resolveEnvFallback()
    }
    const parsed = parseStoredBoolean(setting.value)
    if (parsed === null) {
      return resolveEnvFallback()
    }
    return parsed
  } catch {
    // Fallback while migrations are not yet applied in a local environment.
    return resolveEnvFallback()
  }
 }
 export async function setAdminSelfRegistrationEnabled(enabled: boolean): Promise<void> {
  await db.systemSetting.upsert({
    where: { key: ADMIN_SELF_REGISTRATION_KEY },
    create: {
      key: ADMIN_SELF_REGISTRATION_KEY,
      value: enabled ? "true" : "false",
    },
    update: {
      value: enabled ? "true" : "false",
    },
  })
 }
--- a/packages/ui/src/components/button.tsx
+++ b/packages/ui/src/components/button.tsx
@@ -8,7 +8,7 @@ const buttonVariants = cva(
  {
    variants: {
      variant: {
-        default: "bg-neutral-900 text-neutral-50 hover:bg-neutral-800",
+        default: "bg-neutral-900 text-white hover:bg-neutral-800",
        secondary: "bg-neutral-100 text-neutral-900 hover:bg-neutral-200",
        ghost: "hover:bg-neutral-100 hover:text-neutral-900",
      },
Author	SHA1	Message	Date
Citali	bf1a92d129	feat(admin): add IA shell and protected section skeleton routes	2026-02-10 21:34:26 +01:00
Citali	36b09cd9d7	test(crud): finalize MVP1 gate CRUD contract coverage	2026-02-10 21:26:49 +01:00
Citali	70fc154f97	merge: todo/mvp0-admin-i18n-baseline into dev	2026-02-10 21:21:35 +01:00
Citali	c4d0499d12	merge: todo/mvp0-crud-foundation into dev	2026-02-10 21:21:32 +01:00
Citali	d16fb6e121	merge: todo/mvp0-i18n-baseline into dev	2026-02-10 21:21:28 +01:00
Citali	a508e3203a	merge: todo/mvp0-owner-invariant-enforcement into dev	2026-02-10 21:21:25 +01:00
Citali	4d4b583cf4	test(ci): add quality gates, e2e data prep, and i18n integration coverage	2026-02-10 21:17:41 +01:00
Citali	4ac7410148	test(admin): cover support fallback route and mark todo complete	2026-02-10 21:11:49 +01:00
Citali	d0f731743c	feat(admin): add registration policy settings and disabled register state	2026-02-10 21:10:39 +01:00
Citali	b618c8cb51	feat(admin-i18n): add cookie-based locale runtime and switcher baseline	2026-02-10 20:56:03 +01:00
		`@@ -0,0 +1 @@`
							`export const ADMIN_LOCALE_COOKIE = "cms_admin_locale"`