Citali/cms.fellies.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Compare commits

merge into: Citali:todo/mvp0-i18n-baseline
Branches Tags
Citali:dev Citali:todo/mvp0-docs-conventions Citali:todo/mvp0-public-app-topics Citali:todo/mvp0-admin-ia-skeleton Citali:todo/mvp0-admin-i18n-baseline Citali:todo/mvp0-crud-foundation Citali:todo/mvp0-i18n-baseline Citali:todo/mvp0-owner-invariant-enforcement Citali:todo/mvp0-better-auth-core Citali:todo/mvp0-rbac-model-and-enforcement Citali:code Citali:main Citali:refactor Citali:staging
...
pull from: Citali:dev
Branches Tags
Citali:dev Citali:todo/mvp0-docs-conventions Citali:todo/mvp0-public-app-topics Citali:todo/mvp0-admin-ia-skeleton Citali:todo/mvp0-admin-i18n-baseline Citali:todo/mvp0-crud-foundation Citali:todo/mvp0-i18n-baseline Citali:todo/mvp0-owner-invariant-enforcement Citali:todo/mvp0-better-auth-core Citali:todo/mvp0-rbac-model-and-enforcement Citali:code Citali:main Citali:refactor Citali:staging

22 Commits
todo/mvp0- ... dev

Author SHA1 Message Date
Citali
c286c5e84b fix:Gitea workflows
Some checks failed
CMS CI/CD (Theoretical) / Lint Typecheck Tests (push) Failing after 2s
Details
CMS CI/CD (Theoretical) / Build Staging Images (push) Has been skipped
Details
CMS CI/CD (Theoretical) / Build Production Images (push) Has been skipped
Details
CMS CI/CD (Theoretical) / Deploy Staging (Placeholder) (push) Has been skipped
Details
CMS CI/CD (Theoretical) / Deploy Production (Placeholder) (push) Has been skipped
Details
CMS CI / Governance Checks (push) Waiting to run
Details
CMS CI / Lint Typecheck Unit E2E (push) Blocked by required conditions
Details
2026-02-11 13:01:13 +01:00
Citali
334a5e3526 chore(ci): add gitea actions runner compose setup 2026-02-11 12:25:57 +01:00
Citali
516b773012 docs(versioning): define release policy and close MVP0 pipeline tasks
Some checks failed
CMS CI/CD (Theoretical) / Lint Typecheck Tests (push) Failing after 5m34s
Details
CMS CI / Governance Checks (push) Failing after 4m47s
Details
CMS CI/CD (Theoretical) / Build Staging Images (push) Has been skipped
Details
CMS CI / Lint Typecheck Unit E2E (push) Has been skipped
Details
CMS CI/CD (Theoretical) / Build Production Images (push) Has been skipped
Details
CMS CI/CD (Theoretical) / Deploy Staging (Placeholder) (push) Has been skipped
Details
CMS CI/CD (Theoretical) / Deploy Production (Placeholder) (push) Has been skipped
Details
2026-02-11 12:19:50 +01:00
Citali
21cc55a1b9 ci(gitflow): enforce branch and PR governance checks 2026-02-11 12:19:39 +01:00
Citali
969e88670f ci(delivery): add deploy and release workflow scaffolds 2026-02-11 12:19:31 +01:00
Citali
cec87679ca docs(adr): add glossary pages and ADR baseline structure 2026-02-11 12:12:34 +01:00
Citali
4d6e17a13b docs(ops): add environment and deployment runbook 2026-02-11 12:11:08 +01:00
Citali
7b4b23fc4f docs(crud): add implementation examples and complete docs task 2026-02-11 12:10:28 +01:00
Citali
5872593b01 docs(i18n): add conventions guide and wire docs navigation 2026-02-11 12:09:43 +01:00
Citali
3b130568e9 test(mvp0): complete remaining i18n, RBAC, and CRUD coverage 2026-02-11 12:06:27 +01:00
Citali
8390689c8d feat(web): complete MVP0 public layout, banner, and SEO baseline 2026-02-10 22:04:53 +01:00
Citali
bf1a92d129 feat(admin): add IA shell and protected section skeleton routes 2026-02-10 21:34:26 +01:00
Citali
36b09cd9d7 test(crud): finalize MVP1 gate CRUD contract coverage 2026-02-10 21:26:49 +01:00
Citali
70fc154f97 merge: todo/mvp0-admin-i18n-baseline into dev 2026-02-10 21:21:35 +01:00
Citali
c4d0499d12 merge: todo/mvp0-crud-foundation into dev 2026-02-10 21:21:32 +01:00
Citali
d16fb6e121 merge: todo/mvp0-i18n-baseline into dev 2026-02-10 21:21:28 +01:00
Citali
a508e3203a merge: todo/mvp0-owner-invariant-enforcement into dev 2026-02-10 21:21:25 +01:00
Citali
4d4b583cf4 test(ci): add quality gates, e2e data prep, and i18n integration coverage 2026-02-10 21:17:41 +01:00
Citali
4ac7410148 test(admin): cover support fallback route and mark todo complete 2026-02-10 21:11:49 +01:00
Citali
d0f731743c feat(admin): add registration policy settings and disabled register state 2026-02-10 21:10:39 +01:00
Citali
b618c8cb51 feat(admin-i18n): add cookie-based locale runtime and switcher baseline 2026-02-10 20:56:03 +01:00
Citali
07e5f53793 feat(admin): add posts CRUD sandbox and shared CRUD foundation 2026-02-10 19:35:41 +01:00
105 changed files with 4488 additions and 277 deletions
Expand all files Collapse all files

4
.env.gitea-runner.example Normal file
View File

@@ -0,0 +1,4 @@
GITEA_INSTANCE_URL="https://git.example.com"
GITEA_RUNNER_REGISTRATION_TOKEN="replace-with-runner-registration-token"
GITEA_RUNNER_NAME="cms-runner"
GITEA_RUNNER_LABELS="ubuntu-latest:docker://node:20-bookworm"

17
.gitea/PULL_REQUEST_TEMPLATE.md Normal file
View File

@@ -0,0 +1,17 @@
## Summary
- TODO item reference (exact text): `...`
- Scope (single primary TODO item): `...`
## Checklist
- [ ] Linked TODO item is in `TODO.md`
- [ ] Branch name follows `todo/*`, `refactor/*`, or `code/*`
- [ ] `bun run check`
- [ ] `bun run typecheck`
- [ ] `bun run test`
- [ ] E2E validation plan included (`bun run test:e2e` or reason if deferred)
## Notes
- Risks / migrations / rollout notes:

25
.gitea/scripts/check-branch-name.sh Executable file
View File

@@ -0,0 +1,25 @@
#!/usr/bin/env sh
set -eu
branch="${1:-}"
if [ -z "$branch" ]; then
echo "Missing branch name."
exit 1
fi
case "$branch" in
dev|staging|main)
echo "Long-lived branch detected: $branch"
exit 0
;;
esac
if printf "%s" "$branch" | grep -Eq '^(todo|refactor|code)\/[a-z0-9]+([._-][a-z0-9]+)*$'; then
echo "Branch naming valid: $branch"
exit 0
fi
echo "Invalid branch name: $branch"
echo "Expected: todo/<slug> | refactor/<slug> | code/<slug>"
exit 1

17
.gitea/scripts/check-pr-todo-reference.sh Executable file
View File

@@ -0,0 +1,17 @@
#!/usr/bin/env sh
set -eu
body="${1:-}"
if [ -z "$body" ]; then
echo "PR body is empty."
exit 1
fi
if printf "%s" "$body" | grep -Eq 'TODO|todo|\[P[1-3]\]'; then
echo "PR body includes TODO reference."
exit 0
fi
echo "PR body must reference the related TODO item."
exit 1

34
.gitea/scripts/configure-branch-protection.sh Executable file
View File

@@ -0,0 +1,34 @@
#!/usr/bin/env sh
set -eu
if [ "${#}" -ne 4 ]; then
echo "Usage: $0 <base-url> <owner> <repo> <token>"
exit 1
fi
base_url="$1"
owner="$2"
repo="$3"
token="$4"
protect_branch() {
branch="$1"
curl -sS -X POST \
"${base_url}/api/v1/repos/${owner}/${repo}/branch_protections" \
-H "Authorization: token ${token}" \
-H "Content-Type: application/json" \
-d "{
\"branch_name\": \"${branch}\",
\"enable_push\": false,
\"enable_push_whitelist\": false,
\"enable_merge_whitelist\": false,
\"enable_status_check\": true,
\"status_check_contexts\": [\"Governance Checks\", \"Lint Typecheck Unit E2E\"]
}" >/dev/null
}
protect_branch "main"
protect_branch "staging"
echo "Branch protection applied for main and staging."

18
.gitea/scripts/validate-tag-version.sh Executable file
View File

@@ -0,0 +1,18 @@
#!/usr/bin/env sh
set -eu
tag="${1:-}"
if [ -z "$tag" ]; then
echo "Missing tag ref name (expected vX.Y.Z)."
exit 1
fi
version="$(node -p "require('./package.json').version")"
if [ "$tag" != "v$version" ]; then
echo "Tag/version mismatch: tag=$tag package.json=$version"
exit 1
fi
echo "Tag matches package.json version: $tag"

10
.gitea/workflows/ci-cd-theoretical.yml
View File

@@ -17,7 +17,7 @@ env:
jobs: jobs:
quality: quality:
name: Lint Typecheck Tests name: Lint Typecheck Tests
runs-on: ubuntu-latest runs-on: node22-bun
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@v4
@@ -50,7 +50,7 @@ jobs:
build_staging_images: build_staging_images:
name: Build Staging Images name: Build Staging Images
runs-on: ubuntu-latest runs-on: node22-bun
needs: quality needs: quality
if: github.ref == 'refs/heads/staging' if: github.ref == 'refs/heads/staging'
steps: steps:
@@ -65,7 +65,7 @@ jobs:
build_production_images: build_production_images:
name: Build Production Images name: Build Production Images
runs-on: ubuntu-latest runs-on: node22-bun
needs: quality needs: quality
if: startsWith(github.ref, 'refs/tags/v') if: startsWith(github.ref, 'refs/tags/v')
steps: steps:
@@ -92,7 +92,7 @@ jobs:
deploy_staging: deploy_staging:
name: Deploy Staging (Placeholder) name: Deploy Staging (Placeholder)
runs-on: ubuntu-latest runs-on: node22-bun
needs: build_staging_images needs: build_staging_images
if: github.ref == 'refs/heads/staging' if: github.ref == 'refs/heads/staging'
steps: steps:
@@ -103,7 +103,7 @@ jobs:
deploy_production: deploy_production:
name: Deploy Production (Placeholder) name: Deploy Production (Placeholder)
runs-on: ubuntu-latest runs-on: node22-bun
needs: build_production_images needs: build_production_images
if: startsWith(github.ref, 'refs/tags/v') if: startsWith(github.ref, 'refs/tags/v')
steps: steps:

100
.gitea/workflows/ci.yml Normal file
View File

@@ -0,0 +1,100 @@
name: CMS CI
on:
pull_request:
push:
branches:
- dev
- staging
- main
workflow_dispatch:
env:
BUN_VERSION: "1.3.5"
NODE_ENV: "test"
DATABASE_URL: "postgresql://postgres:postgres@postgres:5432/cms?schema=public"
BETTER_AUTH_SECRET: "ci-test-secret-change-me"
BETTER_AUTH_URL: "http://localhost:3001"
CMS_ADMIN_ORIGIN: "http://127.0.0.1:3001"
CMS_WEB_ORIGIN: "http://127.0.0.1:3000"
CMS_ADMIN_SELF_REGISTRATION_ENABLED: "false"
CMS_SUPPORT_USERNAME: "support"
CMS_SUPPORT_EMAIL: "support@cms.local"
CMS_SUPPORT_PASSWORD: "support-ci-password"
CMS_SUPPORT_NAME: "Technical Support"
CMS_SUPPORT_LOGIN_KEY: "support-access"
jobs:
governance:
name: Governance Checks
runs-on: node22-bun
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Validate branch naming
run: |
branch="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"
sh .gitea/scripts/check-branch-name.sh "$branch"
- name: Validate PR TODO reference
if: github.event_name == 'pull_request'
run: |
body='${{ github.event.pull_request.body }}'
sh .gitea/scripts/check-pr-todo-reference.sh "$body"
- name: Commit schema check (latest commit)
uses: oven-sh/setup-bun@v2
with:
bun-version: ${{ env.BUN_VERSION }}
- name: Install dependencies for commitlint
run: bun install --frozen-lockfile
- name: Commitlint
run: bun run commitlint
quality:
name: Lint Typecheck Unit E2E
needs: governance
runs-on: node22-bun
services:
postgres:
image: postgres:16-alpine
env:
POSTGRES_DB: cms
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
ports:
- 5432:5432
options: >-
--health-cmd "pg_isready -U postgres -d cms"
--health-interval 10s
--health-timeout 5s
--health-retries 5
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: ${{ env.BUN_VERSION }}
- name: Install dependencies
run: bun install --frozen-lockfile
- name: Install Playwright browser deps
run: bunx playwright install --with-deps chromium
- name: Lint and format checks
run: bun run check
- name: Typecheck
run: bun run typecheck
- name: Unit and integration tests
run: bun run test
- name: E2E tests
run: bun run test:e2e

54
.gitea/workflows/deploy.yml Normal file
View File

@@ -0,0 +1,54 @@
name: CMS Deploy
on:
workflow_dispatch:
inputs:
environment:
description: "Target environment"
required: true
type: choice
options:
- staging
- production
image_tag:
description: "Image tag to deploy (e.g. v0.1.0)"
required: true
rollback_tag:
description: "Optional rollback tag"
required: false
jobs:
deploy:
name: Deploy Compose Stack
runs-on: node22-bun
steps:
- name: Resolve deployment target
id: target
run: |
if [ "${{ github.event.inputs.environment }}" = "staging" ]; then
echo "host=${{ secrets.CMS_STAGING_HOST }}" >> "$GITHUB_OUTPUT"
echo "user=${{ secrets.CMS_STAGING_USER }}" >> "$GITHUB_OUTPUT"
echo "compose=docker-compose.staging.yml" >> "$GITHUB_OUTPUT"
else
echo "host=${{ secrets.CMS_PRODUCTION_HOST }}" >> "$GITHUB_OUTPUT"
echo "user=${{ secrets.CMS_PRODUCTION_USER }}" >> "$GITHUB_OUTPUT"
echo "compose=docker-compose.production.yml" >> "$GITHUB_OUTPUT"
fi
- name: Setup SSH
run: |
mkdir -p ~/.ssh
echo "${{ secrets.CMS_DEPLOY_KEY }}" > ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa
ssh-keyscan -H "${{ steps.target.outputs.host }}" >> ~/.ssh/known_hosts
- name: Deploy image tag
run: |
ssh "${{ steps.target.outputs.user }}@${{ steps.target.outputs.host }}" \
"cd ${{ secrets.CMS_REMOTE_DEPLOY_PATH }} && CMS_IMAGE_TAG=${{ github.event.inputs.image_tag }} docker compose -f ${{ steps.target.outputs.compose }} up -d"
- name: Optional rollback
if: github.event.inputs.rollback_tag != ''
run: |
ssh "${{ steps.target.outputs.user }}@${{ steps.target.outputs.host }}" \
"cd ${{ secrets.CMS_REMOTE_DEPLOY_PATH }} && CMS_IMAGE_TAG=${{ github.event.inputs.rollback_tag }} docker compose -f ${{ steps.target.outputs.compose }} up -d"

82
.gitea/workflows/release.yml Normal file
View File

@@ -0,0 +1,82 @@
name: CMS Release
on:
push:
tags:
- "v*"
workflow_dispatch:
inputs:
release_tag:
description: "Release tag in vX.Y.Z format"
required: true
rollback_image_tag:
description: "Optional rollback image tag"
required: false
env:
BUN_VERSION: "1.3.5"
REGISTRY: ${{ secrets.CMS_IMAGE_REGISTRY }}
IMAGE_NAMESPACE: ${{ secrets.CMS_IMAGE_NAMESPACE }}
jobs:
release:
name: Build Push Changelog
runs-on: node22-bun
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: ${{ env.BUN_VERSION }}
- name: Install dependencies
run: bun install --frozen-lockfile
- name: Resolve release tag
id: tag
run: |
if [ "${GITHUB_EVENT_NAME}" = "workflow_dispatch" ]; then
echo "value=${{ github.event.inputs.release_tag }}" >> "$GITHUB_OUTPUT"
else
echo "value=${GITHUB_REF_NAME}" >> "$GITHUB_OUTPUT"
fi
- name: Validate tag against package version
run: sh .gitea/scripts/validate-tag-version.sh "${{ steps.tag.outputs.value }}"
- name: Generate changelog
run: bun run changelog:release
- name: Login to image registry
run: |
echo "${{ secrets.CMS_IMAGE_REGISTRY_PASSWORD }}" | docker login "${{ env.REGISTRY }}" -u "${{ secrets.CMS_IMAGE_REGISTRY_USER }}" --password-stdin
- name: Build and push web image
run: |
image="${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/cms-web:${{ steps.tag.outputs.value }}"
docker build -f apps/web/Dockerfile -t "$image" .
docker push "$image"
- name: Build and push admin image
run: |
image="${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/cms-admin:${{ steps.tag.outputs.value }}"
docker build -f apps/admin/Dockerfile -t "$image" .
docker push "$image"
- name: Release notes placeholder
run: |
echo "Release tag: ${{ steps.tag.outputs.value }}"
echo "TODO: publish CHANGELOG.md content to release notes in Gitea."
rollback:
name: Rollback (Manual)
if: github.event_name == 'workflow_dispatch' && github.event.inputs.rollback_image_tag != ''
runs-on: ubuntu-latest
needs: release
steps:
- name: Rollback placeholder
run: |
echo "Rollback to image tag: ${{ github.event.inputs.rollback_image_tag }}"
echo "TODO: apply compose update with rollback image tags on production host."

1
.gitignore vendored
View File

@@ -24,6 +24,7 @@ test-results
!.env.example !.env.example
!.env.staging.example !.env.staging.example
!.env.production.example !.env.production.example
!.env.gitea-runner.example
# prisma # prisma
packages/db/prisma/dev.db* packages/db/prisma/dev.db*

7
BRANCHING.md
View File

@@ -96,6 +96,13 @@ Apply in repository settings:
Optional: Optional:
- Protect `dev` from direct push if team size/process requires stricter control. - Protect `dev` from direct push if team size/process requires stricter control.
- Automate protection via `.gitea/scripts/configure-branch-protection.sh`.
## Governance Automation
- Branch naming check: `.gitea/scripts/check-branch-name.sh`
- PR TODO reference check: `.gitea/scripts/check-pr-todo-reference.sh`
- PR template: `.gitea/PULL_REQUEST_TEMPLATE.md`
## Commit Signing Notes ## Commit Signing Notes

2
CONTRIBUTING.md
View File

@@ -4,6 +4,8 @@
Follow `BRANCHING.md` for long-lived and task branch rules. Follow `BRANCHING.md` for long-lived and task branch rules.
Pull requests should use `.gitea/PULL_REQUEST_TEMPLATE.md` and link the exact TODO item.
## Commit Message Schema ## Commit Message Schema
This repository uses Conventional Commits. This repository uses Conventional Commits.

12
README.md
View File

@@ -3,6 +3,7 @@
Roadmap and progress are tracked in `TODO.md` (also visible in admin at `/todo`). Roadmap and progress are tracked in `TODO.md` (also visible in admin at `/todo`).
Branch model and promotion flow are documented in `BRANCHING.md`. Branch model and promotion flow are documented in `BRANCHING.md`.
Commit schema and changelog workflow are documented in `CONTRIBUTING.md`. Commit schema and changelog workflow are documented in `CONTRIBUTING.md`.
Versioning and release policy are documented in `VERSIONING.md`.
A baseline monorepo with: A baseline monorepo with:
@@ -69,6 +70,7 @@ bun run dev
- `bun run test` - `bun run test`
- `bun run test:watch` - `bun run test:watch`
- `bun run test:coverage` - `bun run test:coverage`
- `bun run test:e2e:prepare`
- `bun run test:e2e` - `bun run test:e2e`
- `bun run lint` - `bun run lint`
- `bun run typecheck` - `bun run typecheck`
@@ -85,6 +87,7 @@ bun run dev
- Unit/integration/component: Vitest + Testing Library + MSW - Unit/integration/component: Vitest + Testing Library + MSW
- E2E: Playwright (separate projects for `web` and `admin`) - E2E: Playwright (separate projects for `web` and `admin`)
- Use `bun run test` and `bun run test:e2e` (not plain `bun test`, which uses Bun's runner) - Use `bun run test` and `bun run test:e2e` (not plain `bun test`, which uses Bun's runner)
- E2E data prep (migrations + seed): `bun run test:e2e:prepare`
One-time Playwright browser install: One-time Playwright browser install:
@@ -97,6 +100,7 @@ bunx playwright install
The repo includes a theoretical CI/CD and deployment baseline: The repo includes a theoretical CI/CD and deployment baseline:
- Gitea workflow: `.gitea/workflows/ci-cd-theoretical.yml` - Gitea workflow: `.gitea/workflows/ci-cd-theoretical.yml`
- Real quality gate workflow: `.gitea/workflows/ci.yml`
- App images: - App images:
- `apps/web/Dockerfile` - `apps/web/Dockerfile`
- `apps/admin/Dockerfile` - `apps/admin/Dockerfile`
@@ -115,12 +119,20 @@ Environment examples:
- `.env.staging.example` - `.env.staging.example`
- `.env.production.example` - `.env.production.example`
- `.env.gitea-runner.example`
Notes: Notes:
- `dev` remains your local non-docker Bun workflow. - `dev` remains your local non-docker Bun workflow.
- Staging and production compose files are templates and still require real secrets, registry strategy, and deployment host wiring. - Staging and production compose files are templates and still require real secrets, registry strategy, and deployment host wiring.
Gitea Actions runner compose (self-hosted):
```bash
cp .env.gitea-runner.example .env.gitea-runner
docker compose --env-file .env.gitea-runner -f docker-compose.gitea-runner.yml up -d
```
## Changelog ## Changelog
- Changelog file: `CHANGELOG.md` - Changelog file: `CHANGELOG.md`

101
TODO.md
View File

@@ -21,88 +21,89 @@ This file is the single source of truth for roadmap and delivery progress.
- [x] [P1] RBAC domain model finalized (roles, permissions, resource scopes) - [x] [P1] RBAC domain model finalized (roles, permissions, resource scopes)
- [x] [P1] RBAC enforcement at route and action level in admin - [x] [P1] RBAC enforcement at route and action level in admin
- [x] [P1] Permission matrix documented and tested - [x] [P1] Permission matrix documented and tested
- [~] [P1] i18n baseline architecture (default locale, supported locales, routing strategy) - [x] [P1] i18n baseline architecture (default locale, supported locales, routing strategy)
- [~] [P1] i18n runtime integration baseline for both apps (locale provider + message loading) - [x] [P1] i18n runtime integration baseline for both apps (locale provider + message loading)
- [~] [P1] Locale persistence and switcher base component (cookie/header + UI) - [x] [P1] Locale persistence and switcher base component (cookie/header + UI)
- [x] [P1] Integrate Better Auth core configuration and session wiring - [x] [P1] Integrate Better Auth core configuration and session wiring
- [x] [P1] Bootstrap first-run owner account creation via initial registration flow - [x] [P1] Bootstrap first-run owner account creation via initial registration flow
- [x] [P1] Enforce invariant: exactly one owner user must always exist - [x] [P1] Enforce invariant: exactly one owner user must always exist
- [x] [P1] Create hidden technical support user by default (non-demotable, non-deletable) - [x] [P1] Create hidden technical support user by default (non-demotable, non-deletable)
- [~] [P1] Admin registration policy control (allow/deny self-registration for admin panel) - [x] [P1] Admin registration policy control (allow/deny self-registration for admin panel)
- [x] [P1] First-start onboarding route for initial owner creation (`/welcome`) - [x] [P1] First-start onboarding route for initial owner creation (`/welcome`)
- [x] [P1] Split auth entry points (`/welcome`, `/login`, `/register`) with cross-links - [x] [P1] Split auth entry points (`/welcome`, `/login`, `/register`) with cross-links
- [~] [P2] Support fallback sign-in route (`/support/:key`) as break-glass access - [x] [P2] Support fallback sign-in route (`/support/:key`) as break-glass access
- [ ] [P1] Reusable CRUD base patterns (list/detail/editor/service/repository) - [x] [P1] Reusable CRUD base patterns (list/detail/editor/service/repository)
- [ ] [P1] Shared CRUD validation strategy (Zod + server-side enforcement) - [x] [P1] Shared CRUD validation strategy (Zod + server-side enforcement)
- [ ] [P1] Shared error and audit hooks for CRUD mutations - [x] [P1] Shared error and audit hooks for CRUD mutations
### Admin App ### Admin App
- [x] [P1] Separate Next.js admin app in monorepo - [x] [P1] Separate Next.js admin app in monorepo
- [x] [P1] App Router + TypeScript + `src/` structure - [x] [P1] App Router + TypeScript + `src/` structure
- [x] [P1] Shared DB access via `@cms/db` - [x] [P1] Shared DB access via `@cms/db`
- [~] [P2] Base admin dashboard shell and roadmap page (`/todo`) - [x] [P2] Base admin dashboard shell and roadmap page (`/todo`)
- [x] [P1] Authentication and session model (`admin`, `editor`, `manager`) - [x] [P1] Authentication and session model (`admin`, `editor`, `manager`)
- [x] [P1] Protected admin routes and session handling - [x] [P1] Protected admin routes and session handling
- [ ] [P1] Core admin IA (pages/media/users/commissions/settings) - [x] [P1] Temporary admin posts CRUD sandbox for baseline functional validation
- [x] [P1] Core admin IA (pages/media/users/commissions/settings)
### Public App ### Public App
- [x] [P1] Separate Next.js public app in monorepo - [x] [P1] Separate Next.js public app in monorepo
- [x] [P1] App Router + TypeScript + `src/` structure - [x] [P1] App Router + TypeScript + `src/` structure
- [~] [P1] Public app connected to shared data layer - [x] [P1] Public app connected to shared data layer
- [ ] [P1] Localized route structure and middleware rules - [x] [P1] Localized route structure and middleware rules
- [ ] [P2] Public layout system (header/footer/navigation) - [x] [P2] Public layout system (header/footer/navigation)
- [ ] [P1] Header banner rendering from CMS-managed content - [x] [P1] Header banner rendering from CMS-managed content
- [ ] [P2] Basic SEO defaults (metadata, OG, sitemap, robots) - [x] [P2] Basic SEO defaults (metadata, OG, sitemap, robots)
### Testing ### Testing
- [x] [P1] Vitest + Testing Library + MSW baseline - [x] [P1] Vitest + Testing Library + MSW baseline
- [x] [P1] Playwright baseline with web/admin projects - [x] [P1] Playwright baseline with web/admin projects
- [ ] [P1] CI workflow for lint/typecheck/unit/e2e gates - [x] [P1] CI workflow for lint/typecheck/unit/e2e gates
- [ ] [P1] Test data strategy (seed fixtures + isolated e2e data) - [x] [P1] Test data strategy (seed fixtures + isolated e2e data)
- [~] [P1] RBAC policy unit tests and permission regression suite - [x] [P1] RBAC policy unit tests and permission regression suite
- [ ] [P1] i18n unit tests (locale resolution, fallback, message key loading) - [x] [P1] i18n unit tests (locale resolution, fallback, message key loading)
- [ ] [P1] i18n integration tests (admin/public locale switch and persistence) - [x] [P1] i18n integration tests (admin/public locale switch and persistence)
- [ ] [P1] i18n e2e smoke tests (localized headings/content per route) - [x] [P1] i18n e2e smoke tests (localized headings/content per route)
- [ ] [P1] CRUD contract tests for shared service patterns - [x] [P1] CRUD contract tests for shared service patterns
### Documentation ### Documentation
- [x] [P1] Docs tool baseline added (`docs/` via VitePress) - [x] [P1] Docs tool baseline added (`docs/` via VitePress)
- [x] [P1] RBAC and permission model documentation in docs site - [x] [P1] RBAC and permission model documentation in docs site
- [ ] [P2] i18n conventions docs (keys, namespaces, fallback, translation workflow) - [x] [P2] i18n conventions docs (keys, namespaces, fallback, translation workflow)
- [ ] [P1] CRUD base patterns documentation and examples - [x] [P1] CRUD base patterns documentation and examples
- [ ] [P1] Environment and deployment runbook docs (dev/staging/production) - [x] [P1] Environment and deployment runbook docs (dev/staging/production)
- [ ] [P2] API and domain glossary pages - [x] [P2] API and domain glossary pages
- [ ] [P2] Architecture Decision Records (ADR) structure and first ADRs - [x] [P2] Architecture Decision Records (ADR) structure and first ADRs
### Delivery Pipeline And Runtime ### Delivery Pipeline And Runtime
- [x] [P2] Theoretical Gitea Actions workflow scaffold (`.gitea/workflows/ci-cd-theoretical.yml`) - [x] [P2] Theoretical Gitea Actions workflow scaffold (`.gitea/workflows/ci-cd-theoretical.yml`)
- [x] [P2] Bun-based Dockerfiles for public and admin apps - [x] [P2] Bun-based Dockerfiles for public and admin apps
- [x] [P2] Staging and production docker-compose templates - [x] [P2] Staging and production docker-compose templates
- [ ] [P1] Registry credentials and image push strategy - [x] [P1] Registry credentials and image push strategy
- [ ] [P1] Staging deployment automation against real host - [x] [P1] Staging deployment automation against real host
- [ ] [P1] Production promotion and rollback procedure - [x] [P1] Production promotion and rollback procedure
### Git Flow And Branching ### Git Flow And Branching
- [ ] [P1] Protect `main` and `staging` branches in Gitea - [x] [P1] Protect `main` and `staging` branches in Gitea
- [ ] [P1] Define PR gates: lint + typecheck + unit + e2e list minimum - [x] [P1] Define PR gates: lint + typecheck + unit + e2e list minimum
- [ ] [P1] Enforce one todo item per branch naming convention - [x] [P1] Enforce one todo item per branch naming convention
- [ ] [P2] Add PR template requiring linked TODO step - [x] [P2] Add PR template requiring linked TODO step
- [ ] [P2] Define branch lifecycle for `todo/*`, `refactor/*`, and `code/*` - [x] [P2] Define branch lifecycle for `todo/*`, `refactor/*`, and `code/*`
- [x] [P2] Conventional commit schema documentation (`CONTRIBUTING.md`) - [x] [P2] Conventional commit schema documentation (`CONTRIBUTING.md`)
- [x] [P2] Changelog scaffold and generation scripts (`CHANGELOG.md`, `bun run changelog:*`) - [x] [P2] Changelog scaffold and generation scripts (`CHANGELOG.md`, `bun run changelog:*`)
- [ ] [P1] Versioning policy definition (SemVer strategy + when to bump major/minor/patch) - [x] [P1] Versioning policy definition (SemVer strategy + when to bump major/minor/patch)
- [ ] [P1] Source of truth for version (`package.json` root) and release tagging rules (`vX.Y.Z`) - [x] [P1] Source of truth for version (`package.json` root) and release tagging rules (`vX.Y.Z`)
- [ ] [P1] Build metadata policy for git hash (`+sha.<short>`) in app runtime footer - [x] [P1] Build metadata policy for git hash (`+sha.<short>`) in app runtime footer
- [ ] [P1] App footer implementation plan for version + commit hash (admin + web) - [x] [P1] App footer implementation plan for version + commit hash (admin + web)
- [ ] [P2] Automated version injection in CI (stamping build from tag + commit hash) - [x] [P2] Automated version injection in CI (stamping build from tag + commit hash)
- [ ] [P2] Validation tests for displayed version/hash consistency per deployment - [x] [P2] Validation tests for displayed version/hash consistency per deployment
- [ ] [P1] Release tagging and changelog publication policy in CI - [x] [P1] Release tagging and changelog publication policy in CI
## MVP 1: Core CMS Business Features ## MVP 1: Core CMS Business Features
@@ -159,6 +160,8 @@ This file is the single source of truth for roadmap and delivery progress.
- [ ] [P1] Forgot password/reset password pipeline and support tooling - [ ] [P1] Forgot password/reset password pipeline and support tooling
- [ ] [P2] GUI page to edit role-permission mappings with safety guardrails - [ ] [P2] GUI page to edit role-permission mappings with safety guardrails
- [ ] [P2] Translation management UI for admin (language toggles, key coverage, missing translation markers) - [ ] [P2] Translation management UI for admin (language toggles, key coverage, missing translation markers)
- [ ] [P2] Time-boxed support access keys generated by privileged admins; while active, disable direct support-user password login on the regular auth form
- [ ] [P2] Keep permanent emergency support key fallback via env (`CMS_SUPPORT_LOGIN_KEY`)
- [ ] [P2] Error boundaries and UX fallback states - [ ] [P2] Error boundaries and UX fallback states
### Public App ### Public App
@@ -192,8 +195,20 @@ This file is the single source of truth for roadmap and delivery progress.
- [2026-02-10] Next.js 16 deprecates `middleware.ts` convention in favor of `proxy.ts`; admin route guard now lives at `apps/admin/src/proxy.ts`. - [2026-02-10] Next.js 16 deprecates `middleware.ts` convention in favor of `proxy.ts`; admin route guard now lives at `apps/admin/src/proxy.ts`.
- [2026-02-10] `server-only` imports break Bun CLI scripts; shared auth bootstrap code used by scripts must avoid Next-only runtime markers. - [2026-02-10] `server-only` imports break Bun CLI scripts; shared auth bootstrap code used by scripts must avoid Next-only runtime markers.
- [2026-02-10] Auth delete-account endpoints now block protected users (support + canonical owner); admin user-management delete/demote guards remain to be implemented. - [2026-02-10] Auth delete-account endpoints now block protected users (support + canonical owner); admin user-management delete/demote guards remain to be implemented.
- [2026-02-10] Public app i18n baseline now uses `next-intl` with a Zustand-backed language switcher and path-stable routes; admin i18n runtime is still pending. - [2026-02-10] Public app i18n baseline now uses `next-intl` with a Zustand-backed language switcher and path-stable routes.
- [2026-02-10] Public baseline locales are now `de`, `en`, `es`, `fr`; locale enable/disable policy will move to admin settings later. - [2026-02-10] Public baseline locales are now `de`, `en`, `es`, `fr`; locale enable/disable policy will move to admin settings later.
- [2026-02-10] Shared CRUD base (`@cms/crud`) is live with validation, not-found errors, and audit hook contracts; only posts are migrated so far.
- [2026-02-10] Admin dashboard includes a temporary posts CRUD sandbox (create/update/delete) to validate the shared CRUD base through the real app UI.
- [2026-02-10] Admin i18n baseline now resolves locale from cookie and loads runtime message dictionaries in root layout; admin locale switcher is active on auth and dashboard views.
- [2026-02-10] Admin self-registration policy is now managed via `/settings` and persisted in `system_setting`; env var is fallback/default only.
- [2026-02-10] E2E now runs with deterministic preparation (`test:e2e:prepare`: generate + migrate deploy + seed) before Playwright execution.
- [2026-02-10] CI quality workflow `.gitea/workflows/ci.yml` enforces `check`, `typecheck`, `test`, and `test:e2e` against a PostgreSQL service.
- [2026-02-10] Admin app now uses a shared shell with permission-aware navigation and dedicated IA routes (`/pages`, `/media`, `/users`, `/commissions`).
- [2026-02-10] Public app now has a shared site layout (`banner/header/footer`), DB-backed header banner config, and SEO defaults (`metadata`, `robots`, `sitemap`).
- [2026-02-10] Testing baseline now includes explicit RBAC regression checks, locale-resolution unit tests (admin/web), CRUD service contract tests, and i18n smoke e2e routes.
- [2026-02-10] i18n conventions are now documented as an engineering standard (`docs/product-engineering/i18n-conventions.md`).
- [2026-02-10] Docs now include a domain glossary, public API glossary, and ADR baseline with initial accepted decision (`ADR 0001`).
- [2026-02-10] Delivery and release governance now include branch/PR policy checks, deploy/release workflows, and explicit versioning policy (`VERSIONING.md`).
## How We Use This File ## How We Use This File

71
VERSIONING.md Normal file
View File

@@ -0,0 +1,71 @@
# Versioning Policy
## Source Of Truth
- Canonical version: root `package.json` field `version`
- Tag format: `vX.Y.Z`
Tag validation is enforced in CI:
- `.gitea/scripts/validate-tag-version.sh`
## SemVer Strategy
- `major`: breaking API/behavior changes
- `minor`: backward-compatible features
- `patch`: backward-compatible fixes
## Build Metadata Policy
Use git metadata in runtime display format:
- `<version>+sha.<short>`
Example:
- `0.1.0+sha.a1b2c3d`
## Footer Display Plan (Admin + Web)
Planned runtime footer fields:
- app name
- version from root `package.json`
- commit hash (short)
- environment (`dev|staging|production`)
Implementation note:
- inject values at build/deploy time through env vars
- render in shared footer components
## CI Version Injection
Release/deploy workflows pass release tag and commit metadata:
- `.gitea/workflows/release.yml`
- `.gitea/workflows/deploy.yml`
Required inputs:
- release tag (`vX.Y.Z`)
- image tag for deployment
## Validation Strategy
CI validations:
- tag equals `v${package.json.version}`
- required checks pass before release builds
Runtime validations (planned):
- smoke tests assert footer version/hash format
- environment-specific deployment checks assert expected image tag
## Changelog and Release Publication
- changelog generation command:
- `bun run changelog:release`
- release workflow generates changelog on tag pipeline
- release notes publication remains a dedicated step in CI workflow.

1
apps/admin/package.json
View File

@@ -14,6 +14,7 @@
"dependencies": { "dependencies": {
"@cms/content": "workspace:*", "@cms/content": "workspace:*",
"@cms/db": "workspace:*", "@cms/db": "workspace:*",
"@cms/i18n": "workspace:*",
"@cms/ui": "workspace:*", "@cms/ui": "workspace:*",
"@tanstack/react-form": "1.28.0", "@tanstack/react-form": "1.28.0",
"@tanstack/react-query": "5.90.20", "@tanstack/react-query": "5.90.20",

34
apps/admin/src/app/commissions/page.tsx Normal file
View File

@@ -0,0 +1,34 @@
import { AdminSectionPlaceholder } from "@/components/admin-section-placeholder"
import { AdminShell } from "@/components/admin-shell"
import { requirePermissionForRoute } from "@/lib/route-guards"
export const dynamic = "force-dynamic"
export default async function CommissionsManagementPage() {
const role = await requirePermissionForRoute({
nextPath: "/commissions",
permission: "commissions:read",
scope: "own",
})
return (
<AdminShell
role={role}
activePath="/commissions"
badge="Admin App"
title="Commissions"
description="Prepare commissions intake and kanban workflow tooling."
>
<AdminSectionPlaceholder
feature="Commissions Workflow"
summary="This route is reserved for request intake, ownership assignment, and kanban transitions."
requiredPermission="commissions:read (own)"
nextSteps={[
"Add commissions board with status columns.",
"Add assignment, due-date, and notes editing.",
"Add transition rules and audit history.",
]}
/>
</AdminShell>
)
}

12
apps/admin/src/app/layout.tsx
View File

@@ -1,6 +1,7 @@
import type { Metadata } from "next" import type { Metadata } from "next"
import type { ReactNode } from "react" import type { ReactNode } from "react"
import { getAdminMessages, resolveAdminLocale } from "@/i18n/server"
import "./globals.css" import "./globals.css"
import { Providers } from "./providers" import { Providers } from "./providers"
@@ -9,11 +10,16 @@ export const metadata: Metadata = {
description: "Admin dashboard for the CMS monorepo", description: "Admin dashboard for the CMS monorepo",
} }
export default function RootLayout({ children }: { children: ReactNode }) { export default async function RootLayout({ children }: { children: ReactNode }) {
const locale = await resolveAdminLocale()
const messages = await getAdminMessages(locale)
return ( return (
<html lang="en"> <html lang={locale}>
<body> <body>
<Providers>{children}</Providers> <Providers locale={locale} messages={messages}>
{children}
</Providers>
</body> </body>
</html> </html>
) )

244
apps/admin/src/app/login/login-form.tsx
View File

@@ -4,8 +4,11 @@ import Link from "next/link"
import { useRouter, useSearchParams } from "next/navigation" import { useRouter, useSearchParams } from "next/navigation"
import { type FormEvent, useMemo, useState } from "react" import { type FormEvent, useMemo, useState } from "react"
import { AdminLocaleSwitcher } from "@/components/admin-locale-switcher"
import { useAdminT } from "@/providers/admin-i18n-provider"
type LoginFormProps = { type LoginFormProps = {
mode: "signin" | "signup-owner" | "signup-user" mode: "signin" | "signup-owner" | "signup-user" | "signup-disabled"
} }
type AuthResponse = { type AuthResponse = {
@@ -27,6 +30,7 @@ function persistRoleCookie(role: unknown) {
export function LoginForm({ mode }: LoginFormProps) { export function LoginForm({ mode }: LoginFormProps) {
const router = useRouter() const router = useRouter()
const searchParams = useSearchParams() const searchParams = useSearchParams()
const t = useAdminT()
const nextPath = useMemo(() => searchParams.get("next") || "/", [searchParams]) const nextPath = useMemo(() => searchParams.get("next") || "/", [searchParams])
@@ -37,6 +41,7 @@ export function LoginForm({ mode }: LoginFormProps) {
const [isBusy, setIsBusy] = useState(false) const [isBusy, setIsBusy] = useState(false)
const [error, setError] = useState<string | null>(null) const [error, setError] = useState<string | null>(null)
const [success, setSuccess] = useState<string | null>(null) const [success, setSuccess] = useState<string | null>(null)
const canSubmitSignUp = mode === "signup-owner" || mode === "signup-user"
async function handleSignIn(event: FormEvent<HTMLFormElement>) { async function handleSignIn(event: FormEvent<HTMLFormElement>) {
event.preventDefault() event.preventDefault()
@@ -60,7 +65,7 @@ export function LoginForm({ mode }: LoginFormProps) {
const payload = (await response.json().catch(() => null)) as AuthResponse | null const payload = (await response.json().catch(() => null)) as AuthResponse | null
if (!response.ok) { if (!response.ok) {
setError(payload?.message ?? "Sign in failed") setError(payload?.message ?? t("auth.errors.signInFailed", "Sign in failed"))
return return
} }
@@ -68,7 +73,7 @@ export function LoginForm({ mode }: LoginFormProps) {
router.push(nextPath) router.push(nextPath)
router.refresh() router.refresh()
} catch { } catch {
setError("Network error while signing in") setError(t("auth.errors.networkSignIn", "Network error while signing in"))
} finally { } finally {
setIsBusy(false) setIsBusy(false)
} }
@@ -78,7 +83,7 @@ export function LoginForm({ mode }: LoginFormProps) {
event.preventDefault() event.preventDefault()
if (!name.trim()) { if (!name.trim()) {
setError("Name is required for account creation") setError(t("auth.errors.nameRequired", "Name is required for account creation"))
return return
} }
@@ -104,20 +109,20 @@ export function LoginForm({ mode }: LoginFormProps) {
const payload = (await response.json().catch(() => null)) as AuthResponse | null const payload = (await response.json().catch(() => null)) as AuthResponse | null
if (!response.ok) { if (!response.ok) {
setError(payload?.message ?? "Sign up failed") setError(payload?.message ?? t("auth.errors.signUpFailed", "Sign up failed"))
return return
} }
persistRoleCookie(payload?.user?.role) persistRoleCookie(payload?.user?.role)
setSuccess( setSuccess(
mode === "signup-owner" mode === "signup-owner"
? "Owner account created. Registration is now disabled." ? t("auth.messages.ownerCreated", "Owner account created. Registration is now disabled.")
: "Account created.", : t("auth.messages.accountCreated", "Account created."),
) )
router.push(nextPath) router.push(nextPath)
router.refresh() router.refresh()
} catch { } catch {
setError("Network error while signing up") setError(t("auth.errors.networkSignUp", "Network error while signing up"))
} finally { } finally {
setIsBusy(false) setIsBusy(false)
} }
@@ -126,24 +131,35 @@ export function LoginForm({ mode }: LoginFormProps) {
return ( return (
<main className="mx-auto flex min-h-screen w-full max-w-md flex-col justify-center px-6 py-16"> <main className="mx-auto flex min-h-screen w-full max-w-md flex-col justify-center px-6 py-16">
<div className="space-y-3"> <div className="space-y-3">
<p className="text-sm uppercase tracking-[0.2em] text-neutral-500">Admin Auth</p> <div className="flex items-center justify-between gap-3">
<p className="text-sm uppercase tracking-[0.2em] text-neutral-500">
{t("auth.badge", "Admin Auth")}
</p>
<AdminLocaleSwitcher />
</div>
<h1 className="text-3xl font-semibold tracking-tight"> <h1 className="text-3xl font-semibold tracking-tight">
{mode === "signin" {mode === "signin"
? "Sign in to CMS Admin" ? t("auth.titles.signIn", "Sign in to CMS Admin")
: mode === "signup-owner" : mode === "signup-owner"
? "Welcome to CMS Admin" ? t("auth.titles.signUpOwner", "Welcome to CMS Admin")
: "Create an admin account"} : mode === "signup-user"
? t("auth.titles.signUpUser", "Create an admin account")
: t("auth.titles.signUpDisabled", "Registration is disabled")}
</h1> </h1>
<p className="text-sm text-neutral-600"> <p className="text-sm text-neutral-600">
{mode === "signin" ? ( {mode === "signin"
<> ? t("auth.descriptions.signIn", "Better Auth is active on this app via /api/auth.")
Better Auth is active on this app via <code>/api/auth</code>. : mode === "signup-owner"
</> ? t(
) : mode === "signup-owner" ? ( "auth.descriptions.signUpOwner",
"Create the first owner account to initialize this admin instance." "Create the first owner account to initialize this admin instance.",
) : ( )
"Self-registration is enabled for admin users." : mode === "signup-user"
)} ? t("auth.descriptions.signUpUser", "Self-registration is enabled for admin users.")
: t(
"auth.descriptions.signUpDisabled",
"Self-registration is currently turned off by an administrator.",
)}
</p> </p>
</div> </div>
@@ -154,7 +170,7 @@ export function LoginForm({ mode }: LoginFormProps) {
> >
<div className="space-y-1"> <div className="space-y-1">
<label className="text-sm font-medium" htmlFor="email"> <label className="text-sm font-medium" htmlFor="email">
Email or username {t("auth.fields.emailOrUsername", "Email or username")}
</label> </label>
<input <input
id="email" id="email"
@@ -168,84 +184,7 @@ export function LoginForm({ mode }: LoginFormProps) {
<div className="space-y-1"> <div className="space-y-1">
<label className="text-sm font-medium" htmlFor="password"> <label className="text-sm font-medium" htmlFor="password">
Password {t("auth.fields.password", "Password")}
</label>
<input
id="password"
type="password"
minLength={8}
required
value={password}
onChange={(event) => setPassword(event.target.value)}
className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
/>
</div>
<button
type="submit"
disabled={isBusy}
className="w-full rounded-md bg-neutral-900 px-4 py-2 text-sm font-medium text-white disabled:opacity-60"
>
{isBusy ? "Signing in..." : "Sign in"}
</button>
<p className="text-xs text-neutral-600">
Need an account?{" "}
<Link href={`/register?next=${encodeURIComponent(nextPath)}`} className="underline">
Register
</Link>
</p>
{error ? <p className="text-sm text-red-600">{error}</p> : null}
</form>
) : (
<form
onSubmit={handleSignUp}
className="mt-8 space-y-4 rounded-xl border border-neutral-200 p-6"
>
<div className="space-y-1">
<label className="text-sm font-medium" htmlFor="name">
Name
</label>
<input
id="name"
type="text"
value={name}
onChange={(event) => setName(event.target.value)}
className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
/>
</div>
<div className="space-y-1">
<label className="text-sm font-medium" htmlFor="email">
Email
</label>
<input
id="email"
type="email"
required
value={email}
onChange={(event) => setEmail(event.target.value)}
className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
/>
</div>
<div className="space-y-1">
<label className="text-sm font-medium" htmlFor="username">
Username (optional)
</label>
<input
id="username"
type="text"
value={username}
onChange={(event) => setUsername(event.target.value)}
className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
/>
</div>
<div className="space-y-1">
<label className="text-sm font-medium" htmlFor="password">
Password
</label> </label>
<input <input
id="password" id="password"
@@ -264,22 +203,115 @@ export function LoginForm({ mode }: LoginFormProps) {
className="w-full rounded-md bg-neutral-900 px-4 py-2 text-sm font-medium text-white disabled:opacity-60" className="w-full rounded-md bg-neutral-900 px-4 py-2 text-sm font-medium text-white disabled:opacity-60"
> >
{isBusy {isBusy
? "Creating account..." ? t("auth.actions.signInBusy", "Signing in...")
: mode === "signup-owner" : t("auth.actions.signInIdle", "Sign in")}
? "Create owner account"
: "Create account"}
</button> </button>
<p className="text-xs text-neutral-600"> <p className="text-xs text-neutral-600">
Already have an account?{" "} {t("auth.links.needAccount", "Need an account?")}{" "}
<Link href={`/register?next=${encodeURIComponent(nextPath)}`} className="underline">
{t("auth.links.register", "Register")}
</Link>
</p>
{error ? <p className="text-sm text-red-600">{error}</p> : null}
</form>
) : canSubmitSignUp ? (
<form
onSubmit={handleSignUp}
className="mt-8 space-y-4 rounded-xl border border-neutral-200 p-6"
>
<div className="space-y-1">
<label className="text-sm font-medium" htmlFor="name">
{t("auth.fields.name", "Name")}
</label>
<input
id="name"
type="text"
value={name}
onChange={(event) => setName(event.target.value)}
className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
/>
</div>
<div className="space-y-1">
<label className="text-sm font-medium" htmlFor="email">
{t("auth.fields.email", "Email")}
</label>
<input
id="email"
type="email"
required
value={email}
onChange={(event) => setEmail(event.target.value)}
className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
/>
</div>
<div className="space-y-1">
<label className="text-sm font-medium" htmlFor="username">
{t("auth.fields.username", "Username (optional)")}
</label>
<input
id="username"
type="text"
value={username}
onChange={(event) => setUsername(event.target.value)}
className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
/>
</div>
<div className="space-y-1">
<label className="text-sm font-medium" htmlFor="password">
{t("auth.fields.password", "Password")}
</label>
<input
id="password"
type="password"
minLength={8}
required
value={password}
onChange={(event) => setPassword(event.target.value)}
className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
/>
</div>
<button
type="submit"
disabled={isBusy}
className="w-full rounded-md bg-neutral-900 px-4 py-2 text-sm font-medium text-white disabled:opacity-60"
>
{isBusy
? t("auth.actions.signUpBusy", "Creating account...")
: mode === "signup-owner"
? t("auth.actions.signUpOwnerIdle", "Create owner account")
: t("auth.actions.signUpUserIdle", "Create account")}
</button>
<p className="text-xs text-neutral-600">
{t("auth.links.alreadyHaveAccount", "Already have an account?")}{" "}
<Link href={`/login?next=${encodeURIComponent(nextPath)}`} className="underline"> <Link href={`/login?next=${encodeURIComponent(nextPath)}`} className="underline">
Go to sign in {t("auth.links.goToSignIn", "Go to sign in")}
</Link> </Link>
</p> </p>
{error ? <p className="text-sm text-red-600">{error}</p> : null} {error ? <p className="text-sm text-red-600">{error}</p> : null}
{success ? <p className="text-sm text-green-700">{success}</p> : null} {success ? <p className="text-sm text-green-700">{success}</p> : null}
</form> </form>
) : (
<section className="mt-8 space-y-4 rounded-xl border border-neutral-200 p-6">
<p className="text-sm text-neutral-700">
{t(
"auth.messages.registrationDisabled",
"Registration is disabled for this admin instance. Ask an administrator to create an account or enable self-registration.",
)}
</p>
<p className="text-xs text-neutral-600">
<Link href={`/login?next=${encodeURIComponent(nextPath)}`} className="underline">
{t("auth.links.goToSignIn", "Go to sign in")}
</Link>
</p>
</section>
)} )}
</main> </main>
) )

34
apps/admin/src/app/media/page.tsx Normal file
View File

@@ -0,0 +1,34 @@
import { AdminSectionPlaceholder } from "@/components/admin-section-placeholder"
import { AdminShell } from "@/components/admin-shell"
import { requirePermissionForRoute } from "@/lib/route-guards"
export const dynamic = "force-dynamic"
export default async function MediaManagementPage() {
const role = await requirePermissionForRoute({
nextPath: "/media",
permission: "media:read",
scope: "team",
})
return (
<AdminShell
role={role}
activePath="/media"
badge="Admin App"
title="Media"
description="Prepare media library and enrichment workflows."
>
<AdminSectionPlaceholder
feature="Media Library"
summary="This route is ready for media browsing, upload, and metadata refinement features."
requiredPermission="media:read (team)"
nextSteps={[
"Add media upload and asset listing.",
"Add enrichment fields (alt text, source, tags).",
"Add artwork-specific refinement fields.",
]}
/>
</AdminShell>
)
}

402
apps/admin/src/app/page.tsx
View File

@@ -1,65 +1,405 @@
import { hasPermission } from "@cms/content/rbac" import { hasPermission } from "@cms/content/rbac"
import { listPosts } from "@cms/db" import { createPost, deletePost, listPosts, updatePost } from "@cms/db"
import { Button } from "@cms/ui/button" import { Button } from "@cms/ui/button"
import { revalidatePath } from "next/cache"
import Link from "next/link" import Link from "next/link"
import { redirect } from "next/navigation" import { redirect } from "next/navigation"
import { resolveRoleFromServerContext } from "@/lib/access-server" import { AdminShell } from "@/components/admin-shell"
import { LogoutButton } from "./logout-button" import { translateMessage } from "@/i18n/messages"
import { getAdminMessages, resolveAdminLocale } from "@/i18n/server"
import { requirePermissionForRoute } from "@/lib/route-guards"
export const dynamic = "force-dynamic" export const dynamic = "force-dynamic"
export default async function AdminHomePage() { type SearchParamsInput = Record<string, string | string[] | undefined>
const role = await resolveRoleFromServerContext()
if (!role) { function readFirstValue(value: string | string[] | undefined): string | null {
redirect("/login?next=/") if (Array.isArray(value)) {
return value[0] ?? null
} }
if (!hasPermission(role, "news:read", "team")) { return value ?? null
redirect("/unauthorized?required=news:read&scope=team") }
function readRequiredField(formData: FormData, field: string): string {
const value = formData.get(field)
if (typeof value !== "string") {
return ""
} }
return value.trim()
}
function readOptionalField(formData: FormData, field: string): string | undefined {
const value = readRequiredField(formData, field)
return value.length > 0 ? value : undefined
}
async function requireNewsWritePermission() {
await requirePermissionForRoute({
nextPath: "/",
permission: "news:write",
scope: "team",
})
}
function redirectWithState(params: { notice?: string; error?: string }) {
const query = new URLSearchParams()
if (params.notice) {
query.set("notice", params.notice)
}
if (params.error) {
query.set("error", params.error)
}
const value = query.toString()
redirect(value ? `/?${value}` : "/")
}
async function getDashboardTranslator() {
const locale = await resolveAdminLocale()
const messages = await getAdminMessages(locale)
return (key: string, fallback: string) => translateMessage(messages, key, fallback)
}
async function createPostAction(formData: FormData) {
"use server"
await requireNewsWritePermission()
const t = await getDashboardTranslator()
const status = readRequiredField(formData, "status")
try {
await createPost({
title: readRequiredField(formData, "title"),
slug: readRequiredField(formData, "slug"),
excerpt: readOptionalField(formData, "excerpt"),
body: readRequiredField(formData, "body"),
status: status === "published" ? "published" : "draft",
})
} catch {
redirectWithState({
error: t("dashboard.posts.errors.createFailed", "Create failed. Please check your input."),
})
}
revalidatePath("/")
redirectWithState({ notice: t("dashboard.posts.success.created", "Post created.") })
}
async function updatePostAction(formData: FormData) {
"use server"
await requireNewsWritePermission()
const t = await getDashboardTranslator()
const id = readRequiredField(formData, "id")
const status = readRequiredField(formData, "status")
if (!id) {
redirectWithState({
error: t("dashboard.posts.errors.updateMissingId", "Update failed. Missing post id."),
})
}
try {
await updatePost(id, {
title: readRequiredField(formData, "title"),
slug: readRequiredField(formData, "slug"),
excerpt: readOptionalField(formData, "excerpt"),
body: readRequiredField(formData, "body"),
status: status === "published" ? "published" : "draft",
})
} catch {
redirectWithState({
error: t("dashboard.posts.errors.updateFailed", "Update failed. Please check your input."),
})
}
revalidatePath("/")
redirectWithState({ notice: t("dashboard.posts.success.updated", "Post updated.") })
}
async function deletePostAction(formData: FormData) {
"use server"
await requireNewsWritePermission()
const t = await getDashboardTranslator()
const id = readRequiredField(formData, "id")
if (!id) {
redirectWithState({
error: t("dashboard.posts.errors.deleteMissingId", "Delete failed. Missing post id."),
})
}
try {
await deletePost(id)
} catch {
redirectWithState({ error: t("dashboard.posts.errors.deleteFailed", "Delete failed.") })
}
revalidatePath("/")
redirectWithState({ notice: t("dashboard.posts.success.deleted", "Post deleted.") })
}
export default async function AdminHomePage({
searchParams,
}: {
searchParams: Promise<SearchParamsInput>
}) {
const role = await requirePermissionForRoute({
nextPath: "/",
permission: "news:read",
scope: "team",
})
const [resolvedSearchParams, locale, posts] = await Promise.all([
searchParams,
resolveAdminLocale(),
listPosts(),
])
const messages = await getAdminMessages(locale)
const t = (key: string, fallback: string) => translateMessage(messages, key, fallback)
const notice = readFirstValue(resolvedSearchParams.notice)
const error = readFirstValue(resolvedSearchParams.error)
const canCreatePost = hasPermission(role, "news:write", "team") const canCreatePost = hasPermission(role, "news:write", "team")
const posts = await listPosts()
return ( return (
<main className="mx-auto flex min-h-screen w-full max-w-4xl flex-col gap-8 px-6 py-16"> <AdminShell
<header className="space-y-3"> role={role}
<p className="text-sm uppercase tracking-[0.2em] text-neutral-500">Admin App</p> activePath="/"
<h1 className="text-4xl font-semibold tracking-tight">Content Dashboard</h1> badge={t("dashboard.badge", "Admin App")}
<p className="text-neutral-600">Manage posts from a dedicated admin surface.</p> title={t("dashboard.title", "Content Dashboard")}
<div className="flex items-center gap-3 pt-2"> description={t("dashboard.description", "Manage posts from a dedicated admin surface.")}
actions={
<>
<Link <Link
href="/todo" href="/todo"
className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100" className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
> >
Open roadmap and progress {t("dashboard.actions.openRoadmap", "Open roadmap and progress")}
</Link> </Link>
<LogoutButton /> <Link
</div> href="/settings"
</header> className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
>
{t("settings.title", "Settings")}
</Link>
</>
}
>
{notice ? (
<section className="rounded-xl border border-emerald-300 bg-emerald-50 px-4 py-3 text-sm text-emerald-800">
{notice}
</section>
) : null}
{error ? (
<section className="rounded-xl border border-red-300 bg-red-50 px-4 py-3 text-sm text-red-800">
{error}
</section>
) : null}
<section className="rounded-xl border border-neutral-200 p-6"> <section className="rounded-xl border border-neutral-200 p-6">
<div className="mb-4 flex items-center justify-between"> <div className="space-y-4">
<h2 className="text-xl font-medium">Posts</h2> <div className="flex items-center justify-between">
<Button disabled={!canCreatePost}>Create post</Button> <h2 className="text-xl font-medium">
{t("dashboard.posts.title", "Posts CRUD Sandbox")}
</h2>
<p className="text-xs uppercase tracking-wide text-neutral-500">
{t("dashboard.notices.crudSandboxTag", "MVP0 functional test")}
</p>
</div>
{canCreatePost ? (
<form
action={createPostAction}
className="space-y-3 rounded-lg border border-neutral-200 p-4"
>
<h3 className="text-sm font-semibold">
{t("dashboard.posts.createTitle", "Create post")}
</h3>
<div className="grid gap-3 md:grid-cols-2">
<label className="space-y-1">
<span className="text-xs text-neutral-600">
{t("dashboard.posts.fields.title", "Title")}
</span>
<input
name="title"
required
minLength={3}
className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
/>
</label>
<label className="space-y-1">
<span className="text-xs text-neutral-600">
{t("dashboard.posts.fields.slug", "Slug")}
</span>
<input
name="slug"
required
minLength={3}
className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
/>
</label>
</div>
<label className="space-y-1">
<span className="text-xs text-neutral-600">
{t("dashboard.posts.fields.excerpt", "Excerpt")}
</span>
<input
name="excerpt"
className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
/>
</label>
<label className="space-y-1">
<span className="text-xs text-neutral-600">
{t("dashboard.posts.fields.body", "Body")}
</span>
<textarea
name="body"
required
minLength={1}
rows={4}
className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
/>
</label>
<label className="space-y-1">
<span className="text-xs text-neutral-600">
{t("dashboard.posts.fields.status", "Status")}
</span>
<select
name="status"
defaultValue="draft"
className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
>
<option value="draft">{t("dashboard.posts.status.draft", "Draft")}</option>
<option value="published">
{t("dashboard.posts.status.published", "Published")}
</option>
</select>
</label>
<Button type="submit">{t("dashboard.posts.actions.create", "Create post")}</Button>
</form>
) : (
<div className="rounded-lg border border-amber-300 bg-amber-50 px-4 py-3 text-sm text-amber-800">
{t(
"dashboard.notices.noCrudPermission",
"You can read posts, but your role cannot create/update/delete posts.",
)}
</div>
)}
</div> </div>
<div className="space-y-3"> <div className="space-y-3">
{posts.map((post) => ( {posts.map((post) => (
<article key={post.id} className="rounded-lg border border-neutral-200 p-4"> <article key={post.id} className="rounded-lg border border-neutral-200 p-4">
<div className="flex items-center justify-between gap-3"> {canCreatePost ? (
<h3 className="text-lg font-medium">{post.title}</h3> <>
<span className="rounded-full bg-neutral-100 px-3 py-1 text-xs uppercase tracking-wide"> <form action={updatePostAction} className="space-y-3">
{post.status} <input type="hidden" name="id" value={post.id} />
</span> <div className="grid gap-3 md:grid-cols-2">
</div> <label className="space-y-1">
<p className="mt-2 text-sm text-neutral-600">{post.slug}</p> <span className="text-xs text-neutral-600">
{t("dashboard.posts.fields.title", "Title")}
</span>
<input
name="title"
required
minLength={3}
defaultValue={post.title}
className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
/>
</label>
<label className="space-y-1">
<span className="text-xs text-neutral-600">
{t("dashboard.posts.fields.slug", "Slug")}
</span>
<input
name="slug"
required
minLength={3}
defaultValue={post.slug}
className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
/>
</label>
</div>
<label className="space-y-1">
<span className="text-xs text-neutral-600">
{t("dashboard.posts.fields.excerpt", "Excerpt")}
</span>
<input
name="excerpt"
defaultValue={post.excerpt ?? ""}
className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
/>
</label>
<label className="space-y-1">
<span className="text-xs text-neutral-600">
{t("dashboard.posts.fields.body", "Body")}
</span>
<textarea
name="body"
required
minLength={1}
rows={4}
defaultValue={post.body}
className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
/>
</label>
<label className="space-y-1">
<span className="text-xs text-neutral-600">
{t("dashboard.posts.fields.status", "Status")}
</span>
<select
name="status"
defaultValue={post.status}
className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
>
<option value="draft">{t("dashboard.posts.status.draft", "Draft")}</option>
<option value="published">
{t("dashboard.posts.status.published", "Published")}
</option>
</select>
</label>
<Button type="submit">
{t("dashboard.posts.actions.save", "Save changes")}
</Button>
</form>
<form action={deletePostAction} className="mt-3">
<input type="hidden" name="id" value={post.id} />
<Button type="submit" variant="secondary">
{t("dashboard.posts.actions.delete", "Delete")}
</Button>
</form>
</>
) : (
<>
<div className="flex items-center justify-between gap-3">
<h3 className="text-lg font-medium">{post.title}</h3>
<span className="rounded-full bg-neutral-100 px-3 py-1 text-xs uppercase tracking-wide">
{post.status}
</span>
</div>
<p className="mt-2 text-sm text-neutral-600">{post.slug}</p>
<p className="mt-2 text-sm text-neutral-600">
{post.excerpt ?? t("dashboard.posts.fallback.noExcerpt", "No excerpt")}
</p>
</>
)}
</article> </article>
))} ))}
</div> </div>
</section> </section>
</main> </AdminShell>
) )
} }

34
apps/admin/src/app/pages/page.tsx Normal file
View File

@@ -0,0 +1,34 @@
import { AdminSectionPlaceholder } from "@/components/admin-section-placeholder"
import { AdminShell } from "@/components/admin-shell"
import { requirePermissionForRoute } from "@/lib/route-guards"
export const dynamic = "force-dynamic"
export default async function PagesManagementPage() {
const role = await requirePermissionForRoute({
nextPath: "/pages",
permission: "pages:read",
scope: "team",
})
return (
<AdminShell
role={role}
activePath="/pages"
badge="Admin App"
title="Pages"
description="Manage page entities and publication workflows."
>
<AdminSectionPlaceholder
feature="Page Management"
summary="This MVP0 scaffold defines information architecture and access boundaries for future page CRUD."
requiredPermission="pages:read (team)"
nextSteps={[
"Add page entity list and search.",
"Add create/edit draft flows with validation.",
"Add publish/unpublish scheduling controls.",
]}
/>
</AdminShell>
)
}

19
apps/admin/src/app/providers.tsx
View File

@@ -1,9 +1,24 @@
"use client" "use client"
import type { AppLocale } from "@cms/i18n"
import type { ReactNode } from "react" import type { ReactNode } from "react"
import type { AdminMessages } from "@/i18n/messages"
import { AdminI18nProvider } from "@/providers/admin-i18n-provider"
import { QueryProvider } from "@/providers/query-provider" import { QueryProvider } from "@/providers/query-provider"
export function Providers({ children }: { children: ReactNode }) { export function Providers({
return <QueryProvider>{children}</QueryProvider> children,
locale,
messages,
}: {
children: ReactNode
locale: AppLocale
messages: AdminMessages
}) {
return (
<AdminI18nProvider locale={locale} messages={messages}>
<QueryProvider>{children}</QueryProvider>
</AdminI18nProvider>
)
} }

2
apps/admin/src/app/register/page.tsx
View File

@@ -33,7 +33,7 @@ export default async function RegisterPage({ searchParams }: { searchParams: Sea
const enabled = await isSelfRegistrationEnabled() const enabled = await isSelfRegistrationEnabled()
if (!enabled) { if (!enabled) {
redirect(`/login?next=${encodeURIComponent(nextPath)}`) return <LoginForm mode="signup-disabled" />
} }
return <LoginForm mode="signup-user" /> return <LoginForm mode="signup-user" />

180
apps/admin/src/app/settings/page.tsx Normal file
View File

@@ -0,0 +1,180 @@
import { isAdminSelfRegistrationEnabled, setAdminSelfRegistrationEnabled } from "@cms/db"
import { Button } from "@cms/ui/button"
import { revalidatePath } from "next/cache"
import Link from "next/link"
import { redirect } from "next/navigation"
import { AdminShell } from "@/components/admin-shell"
import { translateMessage } from "@/i18n/messages"
import { getAdminMessages, resolveAdminLocale } from "@/i18n/server"
import { requirePermissionForRoute } from "@/lib/route-guards"
type SearchParamsInput = Promise<Record<string, string | string[] | undefined>>
function toSingleValue(input: string | string[] | undefined): string | null {
if (Array.isArray(input)) {
return input[0] ?? null
}
return input ?? null
}
async function requireSettingsPermission() {
await requirePermissionForRoute({
nextPath: "/settings",
permission: "users:manage_roles",
scope: "global",
})
}
async function getSettingsTranslator() {
const locale = await resolveAdminLocale()
const messages = await getAdminMessages(locale)
return (key: string, fallback: string) => translateMessage(messages, key, fallback)
}
async function updateRegistrationPolicyAction(formData: FormData) {
"use server"
await requireSettingsPermission()
const t = await getSettingsTranslator()
const enabled = formData.get("enabled") === "on"
try {
await setAdminSelfRegistrationEnabled(enabled)
} catch (error) {
const errorMessage = error instanceof Error ? error.message : ""
const normalizedMessage = errorMessage.toLowerCase()
const isDatabaseUnavailable = errorMessage.includes("P1001")
const isSchemaMissing =
errorMessage.includes("P2021") ||
normalizedMessage.includes("system_setting") ||
normalizedMessage.includes("does not exist")
const userMessage = isDatabaseUnavailable
? t(
"settings.registration.errors.databaseUnavailable",
"Saving settings failed. The database is currently unreachable.",
)
: isSchemaMissing
? t(
"settings.registration.errors.schemaMissing",
"Saving settings failed. Apply the latest database migrations and try again.",
)
: t(
"settings.registration.errors.updateFailed",
"Saving settings failed. Ensure database migrations are applied.",
)
redirect(`/settings?error=${encodeURIComponent(userMessage)}`)
}
revalidatePath("/settings")
revalidatePath("/register")
redirect(
`/settings?notice=${encodeURIComponent(
t("settings.registration.success.updated", "Registration policy updated."),
)}`,
)
}
export default async function SettingsPage({ searchParams }: { searchParams: SearchParamsInput }) {
const role = await requirePermissionForRoute({
nextPath: "/settings",
permission: "users:manage_roles",
scope: "global",
})
const [params, locale, isRegistrationEnabled] = await Promise.all([
searchParams,
resolveAdminLocale(),
isAdminSelfRegistrationEnabled(),
])
const messages = await getAdminMessages(locale)
const t = (key: string, fallback: string) => translateMessage(messages, key, fallback)
const notice = toSingleValue(params.notice)
const error = toSingleValue(params.error)
return (
<AdminShell
role={role}
activePath="/settings"
badge={t("settings.badge", "Admin Settings")}
title={t("settings.title", "Settings")}
description={t(
"settings.description",
"Manage runtime policies for the admin authentication and onboarding flow.",
)}
actions={
<Link
href="/"
className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
>
{t("settings.actions.backToDashboard", "Back to dashboard")}
</Link>
}
>
{notice ? (
<section className="rounded-xl border border-emerald-300 bg-emerald-50 px-4 py-3 text-sm text-emerald-800">
{notice}
</section>
) : null}
{error ? (
<section className="rounded-xl border border-red-300 bg-red-50 px-4 py-3 text-sm text-red-800">
{error}
</section>
) : null}
<section className="rounded-xl border border-neutral-200 p-6">
<div className="space-y-5">
<div className="space-y-2">
<h2 className="text-xl font-medium">
{t("settings.registration.title", "Admin self-registration")}
</h2>
<p className="text-sm text-neutral-600">
{t(
"settings.registration.description",
"When enabled, /register can create additional admin accounts after initial owner bootstrap.",
)}
</p>
</div>
<div className="rounded-lg border border-neutral-200 p-4 text-sm text-neutral-700">
<p>
{t("settings.registration.currentStatusLabel", "Current status")}:{" "}
<strong>
{isRegistrationEnabled
? t("settings.registration.status.enabled", "Enabled")
: t("settings.registration.status.disabled", "Disabled")}
</strong>
</p>
</div>
<form action={updateRegistrationPolicyAction} className="space-y-4">
<label className="flex items-center gap-3 text-sm">
<input
type="checkbox"
name="enabled"
defaultChecked={isRegistrationEnabled}
className="h-4 w-4 rounded border-neutral-300"
/>
<span>
{t(
"settings.registration.checkboxLabel",
"Allow self-registration on /register for admin users",
)}
</span>
</label>
<Button type="submit">
{t("settings.registration.actions.save", "Save registration policy")}
</Button>
</form>
</div>
</section>
</AdminShell>
)
}

56
apps/admin/src/app/todo/page.tsx
View File

@@ -1,10 +1,9 @@
import { readFile } from "node:fs/promises" import { readFile } from "node:fs/promises"
import path from "node:path" import path from "node:path"
import { hasPermission } from "@cms/content/rbac"
import Link from "next/link" import Link from "next/link"
import { redirect } from "next/navigation"
import { resolveRoleFromServerContext } from "@/lib/access-server" import { AdminShell } from "@/components/admin-shell"
import { requirePermissionForRoute } from "@/lib/route-guards"
export const dynamic = "force-dynamic" export const dynamic = "force-dynamic"
@@ -405,15 +404,11 @@ function filterButtonClass(active: boolean): string {
export default async function AdminTodoPage(props: { export default async function AdminTodoPage(props: {
searchParams?: SearchParamsInput | Promise<SearchParamsInput> searchParams?: SearchParamsInput | Promise<SearchParamsInput>
}) { }) {
const role = await resolveRoleFromServerContext() const role = await requirePermissionForRoute({
nextPath: "/todo",
if (!role) { permission: "roadmap:read",
redirect("/login?next=/todo") scope: "global",
} })
if (!hasPermission(role, "roadmap:read", "global")) {
redirect("/unauthorized?required=roadmap:read&scope=global")
}
const content = await getTodoMarkdown() const content = await getTodoMarkdown()
const sections = parseTodo(content) const sections = parseTodo(content)
@@ -434,26 +429,21 @@ export default async function AdminTodoPage(props: {
} }
return ( return (
<main className="mx-auto flex min-h-screen w-full max-w-6xl flex-col gap-8 px-6 py-12"> <AdminShell
<header className="space-y-4"> role={role}
<p className="text-sm uppercase tracking-[0.2em] text-neutral-500">Admin App</p> activePath="/todo"
<div className="flex flex-wrap items-end justify-between gap-4"> badge="Admin App"
<div className="space-y-2"> title="Roadmap and Progress"
<h1 className="text-4xl font-semibold tracking-tight">Roadmap and Progress</h1> description="Structured view from root TODO.md (single source of truth)."
<p className="text-neutral-600"> actions={
Structured view from root `TODO.md` (single source of truth). <Link
</p> href="/"
</div> className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
>
<Link Back to dashboard
href="/" </Link>
className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100" }
> >
Back to dashboard
</Link>
</div>
</header>
<section className="rounded-xl border border-neutral-200 bg-neutral-50 p-5"> <section className="rounded-xl border border-neutral-200 bg-neutral-50 p-5">
<div className="mb-4 flex items-center justify-between gap-4"> <div className="mb-4 flex items-center justify-between gap-4">
<p className="text-sm font-medium text-neutral-600">Weighted completion</p> <p className="text-sm font-medium text-neutral-600">Weighted completion</p>
@@ -607,6 +597,6 @@ export default async function AdminTodoPage(props: {
{content} {content}
</pre> </pre>
</details> </details>
</main> </AdminShell>
) )
} }

34
apps/admin/src/app/users/page.tsx Normal file
View File

@@ -0,0 +1,34 @@
import { AdminSectionPlaceholder } from "@/components/admin-section-placeholder"
import { AdminShell } from "@/components/admin-shell"
import { requirePermissionForRoute } from "@/lib/route-guards"
export const dynamic = "force-dynamic"
export default async function UsersManagementPage() {
const role = await requirePermissionForRoute({
nextPath: "/users",
permission: "users:read",
scope: "own",
})
return (
<AdminShell
role={role}
activePath="/users"
badge="Admin App"
title="Users"
description="Prepare user lifecycle and role management operations."
>
<AdminSectionPlaceholder
feature="Users Management"
summary="This route sets the guardrail and UX entrypoint for role assignment, status, and invitation flows."
requiredPermission="users:read (own)"
nextSteps={[
"Add user list, filter, and detail views.",
"Add role and permission editing actions with owner/support safety rules.",
"Add disable/ban and invite workflows.",
]}
/>
</AdminShell>
)
}

41
apps/admin/src/components/admin-locale-switcher.tsx Normal file
View File

@@ -0,0 +1,41 @@
"use client"
import { type AppLocale, localeLabels, locales } from "@cms/i18n"
import { useRouter } from "next/navigation"
import { useTransition } from "react"
import { ADMIN_LOCALE_COOKIE } from "@/i18n/shared"
import { useAdminI18n, useAdminT } from "@/providers/admin-i18n-provider"
export function AdminLocaleSwitcher() {
const router = useRouter()
const [isPending, startTransition] = useTransition()
const { locale } = useAdminI18n()
const t = useAdminT()
return (
<label className="inline-flex items-center gap-2 text-sm text-neutral-700">
<span>{t("common.language", "Language")}</span>
<select
className="rounded-md border border-neutral-300 bg-white px-2 py-1 text-sm"
value={locale}
disabled={isPending}
onChange={(event) => {
const nextLocale = event.target.value as AppLocale
// biome-ignore lint/suspicious/noDocumentCookie: locale preference is intentionally persisted client-side.
document.cookie = `${ADMIN_LOCALE_COOKIE}=${nextLocale}; Path=/; Max-Age=31536000; SameSite=Lax`
startTransition(() => {
router.refresh()
})
}}
>
{locales.map((value) => (
<option key={value} value={value}>
{t(`common.localeNames.${value}`, localeLabels[value])} ({localeLabels[value]})
</option>
))}
</select>
</label>
)
}

40
apps/admin/src/components/admin-section-placeholder.tsx Normal file
View File

@@ -0,0 +1,40 @@
import type { ReactNode } from "react"
type AdminSectionPlaceholderProps = {
feature: string
summary: string
requiredPermission: string
nextSteps: string[]
children?: ReactNode
}
export function AdminSectionPlaceholder({
feature,
summary,
requiredPermission,
nextSteps,
children,
}: AdminSectionPlaceholderProps) {
return (
<section className="space-y-5 rounded-xl border border-neutral-200 p-6">
<div className="space-y-2">
<h2 className="text-xl font-medium">{feature}</h2>
<p className="text-sm text-neutral-600">{summary}</p>
<p className="text-xs uppercase tracking-wide text-neutral-500">
Required permission: {requiredPermission}
</p>
</div>
{children}
<div className="rounded-lg border border-neutral-200 bg-neutral-50 p-4">
<p className="text-sm font-medium text-neutral-800">Planned next steps</p>
<ul className="mt-2 list-disc space-y-1 pl-5 text-sm text-neutral-600">
{nextSteps.map((step) => (
<li key={step}>{step}</li>
))}
</ul>
</div>
</section>
)
}

117
apps/admin/src/components/admin-shell.tsx Normal file
View File

@@ -0,0 +1,117 @@
import { hasPermission, type Permission, type PermissionScope, type Role } from "@cms/content/rbac"
import Link from "next/link"
import type { ReactNode } from "react"
import { LogoutButton } from "@/app/logout-button"
import { AdminLocaleSwitcher } from "@/components/admin-locale-switcher"
type AdminShellProps = {
role: Role
activePath: string
badge: string
title: string
description: string
actions?: ReactNode
children: ReactNode
}
type NavItem = {
href: string
label: string
permission: Permission
scope: PermissionScope
}
const navItems: NavItem[] = [
{ href: "/", label: "Dashboard", permission: "dashboard:read", scope: "global" },
{ href: "/pages", label: "Pages", permission: "pages:read", scope: "team" },
{ href: "/media", label: "Media", permission: "media:read", scope: "team" },
{ href: "/users", label: "Users", permission: "users:read", scope: "own" },
{ href: "/commissions", label: "Commissions", permission: "commissions:read", scope: "own" },
{ href: "/settings", label: "Settings", permission: "users:manage_roles", scope: "global" },
{ href: "/todo", label: "Roadmap", permission: "roadmap:read", scope: "global" },
]
function navItemClass(active: boolean): string {
if (active) {
return "bg-neutral-900 text-white border-neutral-900"
}
return "bg-white text-neutral-700 border-neutral-300 hover:bg-neutral-100"
}
function isActiveRoute(activePath: string, href: string): boolean {
if (href === "/") {
return activePath === "/"
}
return activePath === href || activePath.startsWith(`${href}/`)
}
export function AdminShell({
role,
activePath,
badge,
title,
description,
actions,
children,
}: AdminShellProps) {
return (
<div className="mx-auto flex min-h-screen w-full max-w-7xl gap-8 px-6 py-10">
<aside className="sticky top-0 hidden h-fit w-64 shrink-0 space-y-4 lg:block">
<div className="rounded-xl border border-neutral-200 bg-white p-4">
<p className="text-xs font-semibold uppercase tracking-[0.2em] text-neutral-500">
CMS Admin
</p>
<p className="mt-2 text-sm text-neutral-600">Role: {role}</p>
</div>
<nav className="space-y-2">
{navItems
.filter((item) => hasPermission(role, item.permission, item.scope))
.map((item) => (
<Link
key={item.href}
href={item.href}
className={`block rounded-md border px-3 py-2 text-sm font-medium ${navItemClass(isActiveRoute(activePath, item.href))}`}
>
{item.label}
</Link>
))}
</nav>
</aside>
<div className="min-w-0 flex-1 space-y-8">
<nav className="flex flex-wrap gap-2 lg:hidden">
{navItems
.filter((item) => hasPermission(role, item.permission, item.scope))
.map((item) => (
<Link
key={`mobile-${item.href}`}
href={item.href}
className={`rounded-md border px-3 py-2 text-sm font-medium ${navItemClass(isActiveRoute(activePath, item.href))}`}
>
{item.label}
</Link>
))}
</nav>
<header className="space-y-3">
<div className="flex flex-wrap items-center justify-between gap-3">
<p className="text-sm uppercase tracking-[0.2em] text-neutral-500">{badge}</p>
<div className="flex items-center gap-2">
<AdminLocaleSwitcher />
<LogoutButton />
</div>
</div>
<h1 className="text-4xl font-semibold tracking-tight">{title}</h1>
<p className="text-neutral-600">{description}</p>
{actions ? <div className="flex flex-wrap items-center gap-3 pt-1">{actions}</div> : null}
</header>
{children}
</div>
</div>
)
}

147
apps/admin/src/i18n/messages.test.ts Normal file
View File

@@ -0,0 +1,147 @@
import { describe, expect, it } from "vitest"
import type { AdminMessages } from "./messages"
import { translateMessage } from "./messages"
const messages: AdminMessages = {
common: {
language: "Language",
localeNames: {
de: "German",
en: "English",
es: "Spanish",
fr: "French",
},
},
auth: {
badge: "Admin Auth",
titles: {
signIn: "Sign in",
signUpOwner: "Welcome",
signUpUser: "Create account",
signUpDisabled: "Registration disabled",
},
descriptions: {
signIn: "Sign in description",
signUpOwner: "Owner description",
signUpUser: "User description",
signUpDisabled: "Disabled description",
},
fields: {
name: "Name",
emailOrUsername: "Email or username",
email: "Email",
username: "Username",
password: "Password",
},
actions: {
signInIdle: "Sign in",
signInBusy: "Signing in...",
signUpOwnerIdle: "Create owner account",
signUpUserIdle: "Create account",
signUpBusy: "Creating account...",
},
links: {
needAccount: "Need an account?",
register: "Register",
alreadyHaveAccount: "Already have an account?",
goToSignIn: "Go to sign in",
},
messages: {
ownerCreated: "Owner account created.",
accountCreated: "Account created.",
registrationDisabled: "Registration is disabled.",
},
errors: {
nameRequired: "Name is required.",
signInFailed: "Sign in failed",
signUpFailed: "Sign up failed",
networkSignIn: "Network sign in error",
networkSignUp: "Network sign up error",
},
},
settings: {
badge: "Admin Settings",
title: "Settings",
description: "Settings description",
actions: {
backToDashboard: "Back to dashboard",
},
registration: {
title: "Registration",
description: "Registration description",
currentStatusLabel: "Current status",
status: {
enabled: "Enabled",
disabled: "Disabled",
},
checkboxLabel: "Allow registration",
actions: {
save: "Save",
},
success: {
updated: "Updated",
},
errors: {
updateFailed: "Update failed",
},
},
},
dashboard: {
badge: "Admin App",
title: "Content Dashboard",
description: "Manage content.",
actions: {
openRoadmap: "Open roadmap",
},
notices: {
noCrudPermission: "No permission.",
crudSandboxTag: "MVP0 functional test",
},
posts: {
title: "Posts CRUD Sandbox",
createTitle: "Create post",
fields: {
title: "Title",
slug: "Slug",
excerpt: "Excerpt",
body: "Body",
status: "Status",
},
status: {
draft: "Draft",
published: "Published",
},
actions: {
create: "Create post",
save: "Save changes",
delete: "Delete",
},
errors: {
createFailed: "Create failed.",
updateFailed: "Update failed.",
updateMissingId: "Missing post id.",
deleteFailed: "Delete failed.",
deleteMissingId: "Missing post id.",
},
success: {
created: "Post created.",
updated: "Post updated.",
deleted: "Post deleted.",
},
fallback: {
noExcerpt: "No excerpt",
},
},
},
}
describe("translateMessage", () => {
it("resolves nested keys", () => {
expect(translateMessage(messages, "dashboard.title")).toBe("Content Dashboard")
})
it("returns fallback for unknown keys", () => {
expect(translateMessage(messages, "dashboard.unknown", "Fallback")).toBe("Fallback")
})
})

27
apps/admin/src/i18n/messages.ts Normal file
View File

@@ -0,0 +1,27 @@
import type enMessages from "../messages/en.json"
export type AdminMessages = typeof enMessages
function resolveNestedValue(source: unknown, key: string): unknown {
let current: unknown = source
for (const segment of key.split(".")) {
if (!current || typeof current !== "object") {
return null
}
current = (current as Record<string, unknown>)[segment]
}
return current
}
export function translateMessage(messages: AdminMessages, key: string, fallback?: string): string {
const resolved = resolveNestedValue(messages, key)
if (typeof resolved === "string") {
return resolved
}
return fallback ?? key
}

17
apps/admin/src/i18n/server.test.ts Normal file
View File

@@ -0,0 +1,17 @@
import { describe, expect, it } from "vitest"
import { resolveAdminLocaleFromCookieValue } from "./server"
describe("resolveAdminLocaleFromCookieValue", () => {
it("accepts supported locales", () => {
expect(resolveAdminLocaleFromCookieValue("de")).toBe("de")
expect(resolveAdminLocaleFromCookieValue("en")).toBe("en")
expect(resolveAdminLocaleFromCookieValue("es")).toBe("es")
expect(resolveAdminLocaleFromCookieValue("fr")).toBe("fr")
})
it("falls back to default locale for unknown values", () => {
expect(resolveAdminLocaleFromCookieValue("it")).toBe("en")
expect(resolveAdminLocaleFromCookieValue(undefined)).toBe("en")
})
})

23
apps/admin/src/i18n/server.ts Normal file
View File

@@ -0,0 +1,23 @@
import { type AppLocale, defaultLocale, isAppLocale } from "@cms/i18n"
import { cookies } from "next/headers"
import type { AdminMessages } from "./messages"
import { ADMIN_LOCALE_COOKIE } from "./shared"
export function resolveAdminLocaleFromCookieValue(value: string | undefined): AppLocale {
if (value && isAppLocale(value)) {
return value
}
return defaultLocale
}
export async function resolveAdminLocale(): Promise<AppLocale> {
const cookieStore = await cookies()
const value = cookieStore.get(ADMIN_LOCALE_COOKIE)?.value
return resolveAdminLocaleFromCookieValue(value)
}
export async function getAdminMessages(locale: AppLocale): Promise<AdminMessages> {
return (await import(`../messages/${locale}.json`)).default as AdminMessages
}

1
apps/admin/src/i18n/shared.ts Normal file
View File

@@ -0,0 +1 @@
export const ADMIN_LOCALE_COOKIE = "cms_admin_locale"

43
apps/admin/src/lib/access.test.ts Normal file
View File

@@ -0,0 +1,43 @@
import { describe, expect, it } from "vitest"
import { canAccessRoute, getRequiredPermission, isPublicRoute } from "./access"
describe("admin route access rules", () => {
it("treats support fallback route as public", () => {
expect(isPublicRoute("/support/support-access")).toBe(true)
expect(canAccessRoute("editor", "/support/support-access")).toBe(true)
})
it("keeps settings route restricted to role with users:manage_roles", () => {
expect(isPublicRoute("/settings")).toBe(false)
expect(canAccessRoute("manager", "/settings")).toBe(false)
expect(canAccessRoute("admin", "/settings")).toBe(true)
expect(canAccessRoute("owner", "/settings")).toBe(true)
})
it("resolves route-specific permission requirements", () => {
expect(getRequiredPermission("/todo")).toEqual({
permission: "roadmap:read",
scope: "global",
})
})
it("maps new admin IA routes to dedicated permissions", () => {
expect(getRequiredPermission("/pages")).toEqual({
permission: "pages:read",
scope: "team",
})
expect(getRequiredPermission("/media")).toEqual({
permission: "media:read",
scope: "team",
})
expect(getRequiredPermission("/users")).toEqual({
permission: "users:read",
scope: "own",
})
expect(getRequiredPermission("/commissions")).toEqual({
permission: "commissions:read",
scope: "own",
})
})
})

35
apps/admin/src/lib/access.ts
View File

@@ -43,6 +43,41 @@ const guardRules: GuardRule[] = [
scope: "global", scope: "global",
}, },
}, },
{
route: /^\/pages(?:\/|$)/,
requirement: {
permission: "pages:read",
scope: "team",
},
},
{
route: /^\/media(?:\/|$)/,
requirement: {
permission: "media:read",
scope: "team",
},
},
{
route: /^\/users(?:\/|$)/,
requirement: {
permission: "users:read",
scope: "own",
},
},
{
route: /^\/commissions(?:\/|$)/,
requirement: {
permission: "commissions:read",
scope: "own",
},
},
{
route: /^\/settings(?:\/|$)/,
requirement: {
permission: "users:manage_roles",
scope: "global",
},
},
{ {
route: /^\/(?:$|\?)/, route: /^\/(?:$|\?)/,
requirement: { requirement: {

5
apps/admin/src/lib/auth/server.ts
View File

@@ -1,5 +1,5 @@
import { normalizeRole, type Role } from "@cms/content/rbac" import { normalizeRole, type Role } from "@cms/content/rbac"
import { db } from "@cms/db" import { db, isAdminSelfRegistrationEnabled } from "@cms/db"
import { betterAuth } from "better-auth" import { betterAuth } from "better-auth"
import { prismaAdapter } from "better-auth/adapters/prisma" import { prismaAdapter } from "better-auth/adapters/prisma"
import { toNextJsHandler } from "better-auth/next-js" import { toNextJsHandler } from "better-auth/next-js"
@@ -43,8 +43,7 @@ export async function isInitialOwnerRegistrationOpen(): Promise<boolean> {
} }
export async function isSelfRegistrationEnabled(): Promise<boolean> { export async function isSelfRegistrationEnabled(): Promise<boolean> {
// Temporary fallback until registration policy is managed from admin settings. return isAdminSelfRegistrationEnabled()
return process.env.CMS_ADMIN_SELF_REGISTRATION_ENABLED === "true"
} }
export async function canUserSelfRegister(): Promise<boolean> { export async function canUserSelfRegister(): Promise<boolean> {

30
apps/admin/src/lib/route-guards.ts Normal file
View File

@@ -0,0 +1,30 @@
import { hasPermission, type Permission, type PermissionScope, type Role } from "@cms/content/rbac"
import { redirect } from "next/navigation"
import { resolveRoleFromServerContext } from "@/lib/access-server"
type RequirePermissionParams = {
nextPath: string
permission: Permission
scope: PermissionScope
}
export async function requireRoleForRoute(nextPath: string): Promise<Role> {
const role = await resolveRoleFromServerContext()
if (!role) {
redirect(`/login?next=${encodeURIComponent(nextPath)}`)
}
return role
}
export async function requirePermissionForRoute(params: RequirePermissionParams): Promise<Role> {
const role = await requireRoleForRoute(params.nextPath)
if (!hasPermission(role, params.permission, params.scope)) {
redirect(`/unauthorized?required=${params.permission}&scope=${params.scope}`)
}
return role
}

132
apps/admin/src/messages/de.json Normal file
View File

@@ -0,0 +1,132 @@
{
"common": {
"language": "Sprache",
"localeNames": {
"de": "Deutsch",
"en": "Englisch",
"es": "Spanisch",
"fr": "Französisch"
}
},
"auth": {
"badge": "Admin-Authentifizierung",
"titles": {
"signIn": "Bei CMS Admin anmelden",
"signUpOwner": "Willkommen bei CMS Admin",
"signUpUser": "Admin-Konto erstellen",
"signUpDisabled": "Registrierung ist deaktiviert"
},
"descriptions": {
"signIn": "Better Auth ist in dieser App über /api/auth aktiv.",
"signUpOwner": "Erstelle das erste Owner-Konto, um diese Admin-Instanz zu initialisieren.",
"signUpUser": "Selbstregistrierung für Admin-Benutzer ist aktiviert.",
"signUpDisabled": "Selbstregistrierung wurde von einer Administratorin oder einem Administrator deaktiviert."
},
"fields": {
"name": "Name",
"emailOrUsername": "E-Mail oder Benutzername",
"email": "E-Mail",
"username": "Benutzername (optional)",
"password": "Passwort"
},
"actions": {
"signInIdle": "Anmelden",
"signInBusy": "Anmeldung läuft...",
"signUpOwnerIdle": "Owner-Konto erstellen",
"signUpUserIdle": "Konto erstellen",
"signUpBusy": "Konto wird erstellt..."
},
"links": {
"needAccount": "Du brauchst ein Konto?",
"register": "Registrieren",
"alreadyHaveAccount": "Du hast bereits ein Konto?",
"goToSignIn": "Zur Anmeldung"
},
"messages": {
"ownerCreated": "Owner-Konto erstellt. Registrierung ist jetzt deaktiviert.",
"accountCreated": "Konto erstellt.",
"registrationDisabled": "Für diese Admin-Instanz ist die Registrierung deaktiviert. Bitte wende dich an eine Administratorin oder einen Administrator."
},
"errors": {
"nameRequired": "Name ist für die Kontoerstellung erforderlich",
"signInFailed": "Anmeldung fehlgeschlagen",
"signUpFailed": "Registrierung fehlgeschlagen",
"networkSignIn": "Netzwerkfehler bei der Anmeldung",
"networkSignUp": "Netzwerkfehler bei der Registrierung"
}
},
"settings": {
"badge": "Admin-Einstellungen",
"title": "Einstellungen",
"description": "Verwalte Laufzeitrichtlinien für Authentifizierung und Onboarding im Admin-Bereich.",
"actions": {
"backToDashboard": "Zurück zum Dashboard"
},
"registration": {
"title": "Admin-Selbstregistrierung",
"description": "Wenn aktiviert, können über /register nach der initialen Owner-Erstellung weitere Admin-Konten erstellt werden.",
"currentStatusLabel": "Aktueller Status",
"status": {
"enabled": "Aktiviert",
"disabled": "Deaktiviert"
},
"checkboxLabel": "Selbstregistrierung auf /register für Admin-Benutzer erlauben",
"actions": {
"save": "Registrierungsrichtlinie speichern"
},
"success": {
"updated": "Registrierungsrichtlinie aktualisiert."
},
"errors": {
"updateFailed": "Speichern der Einstellungen fehlgeschlagen. Stelle sicher, dass Datenbankmigrationen angewendet wurden."
}
}
},
"dashboard": {
"badge": "Admin-App",
"title": "Content-Dashboard",
"description": "Verwalte Beiträge in einer dedizierten Admin-Oberfläche.",
"actions": {
"openRoadmap": "Roadmap und Fortschritt öffnen"
},
"notices": {
"noCrudPermission": "Du kannst Beiträge lesen, aber deine Rolle darf keine Beiträge erstellen/ändern/löschen.",
"crudSandboxTag": "MVP0 Funktionstest"
},
"posts": {
"title": "Beiträge CRUD-Sandbox",
"createTitle": "Beitrag erstellen",
"fields": {
"title": "Titel",
"slug": "Slug",
"excerpt": "Auszug",
"body": "Inhalt",
"status": "Status"
},
"status": {
"draft": "Entwurf",
"published": "Veröffentlicht"
},
"actions": {
"create": "Beitrag erstellen",
"save": "Änderungen speichern",
"delete": "Löschen"
},
"errors": {
"createFailed": "Erstellen fehlgeschlagen. Bitte Eingaben prüfen.",
"updateFailed": "Aktualisierung fehlgeschlagen. Bitte Eingaben prüfen.",
"updateMissingId": "Aktualisierung fehlgeschlagen. Beitrags-ID fehlt.",
"deleteFailed": "Löschen fehlgeschlagen.",
"deleteMissingId": "Löschen fehlgeschlagen. Beitrags-ID fehlt."
},
"success": {
"created": "Beitrag erstellt.",
"updated": "Beitrag aktualisiert.",
"deleted": "Beitrag gelöscht."
},
"fallback": {
"noExcerpt": "Kein Auszug"
}
}
}
}

132
apps/admin/src/messages/en.json Normal file
View File

@@ -0,0 +1,132 @@
{
"common": {
"language": "Language",
"localeNames": {
"de": "German",
"en": "English",
"es": "Spanish",
"fr": "French"
}
},
"auth": {
"badge": "Admin Auth",
"titles": {
"signIn": "Sign in to CMS Admin",
"signUpOwner": "Welcome to CMS Admin",
"signUpUser": "Create an admin account",
"signUpDisabled": "Registration is disabled"
},
"descriptions": {
"signIn": "Better Auth is active on this app via /api/auth.",
"signUpOwner": "Create the first owner account to initialize this admin instance.",
"signUpUser": "Self-registration is enabled for admin users.",
"signUpDisabled": "Self-registration is currently turned off by an administrator."
},
"fields": {
"name": "Name",
"emailOrUsername": "Email or username",
"email": "Email",
"username": "Username (optional)",
"password": "Password"
},
"actions": {
"signInIdle": "Sign in",
"signInBusy": "Signing in...",
"signUpOwnerIdle": "Create owner account",
"signUpUserIdle": "Create account",
"signUpBusy": "Creating account..."
},
"links": {
"needAccount": "Need an account?",
"register": "Register",
"alreadyHaveAccount": "Already have an account?",
"goToSignIn": "Go to sign in"
},
"messages": {
"ownerCreated": "Owner account created. Registration is now disabled.",
"accountCreated": "Account created.",
"registrationDisabled": "Registration is disabled for this admin instance. Ask an administrator to create an account or enable self-registration."
},
"errors": {
"nameRequired": "Name is required for account creation",
"signInFailed": "Sign in failed",
"signUpFailed": "Sign up failed",
"networkSignIn": "Network error while signing in",
"networkSignUp": "Network error while signing up"
}
},
"settings": {
"badge": "Admin Settings",
"title": "Settings",
"description": "Manage runtime policies for the admin authentication and onboarding flow.",
"actions": {
"backToDashboard": "Back to dashboard"
},
"registration": {
"title": "Admin self-registration",
"description": "When enabled, /register can create additional admin accounts after initial owner bootstrap.",
"currentStatusLabel": "Current status",
"status": {
"enabled": "Enabled",
"disabled": "Disabled"
},
"checkboxLabel": "Allow self-registration on /register for admin users",
"actions": {
"save": "Save registration policy"
},
"success": {
"updated": "Registration policy updated."
},
"errors": {
"updateFailed": "Saving settings failed. Ensure database migrations are applied."
}
}
},
"dashboard": {
"badge": "Admin App",
"title": "Content Dashboard",
"description": "Manage posts from a dedicated admin surface.",
"actions": {
"openRoadmap": "Open roadmap and progress"
},
"notices": {
"noCrudPermission": "You can read posts, but your role cannot create/update/delete posts.",
"crudSandboxTag": "MVP0 functional test"
},
"posts": {
"title": "Posts CRUD Sandbox",
"createTitle": "Create post",
"fields": {
"title": "Title",
"slug": "Slug",
"excerpt": "Excerpt",
"body": "Body",
"status": "Status"
},
"status": {
"draft": "Draft",
"published": "Published"
},
"actions": {
"create": "Create post",
"save": "Save changes",
"delete": "Delete"
},
"errors": {
"createFailed": "Create failed. Please check your input.",
"updateFailed": "Update failed. Please check your input.",
"updateMissingId": "Update failed. Missing post id.",
"deleteFailed": "Delete failed.",
"deleteMissingId": "Delete failed. Missing post id."
},
"success": {
"created": "Post created.",
"updated": "Post updated.",
"deleted": "Post deleted."
},
"fallback": {
"noExcerpt": "No excerpt"
}
}
}
}

132
apps/admin/src/messages/es.json Normal file
View File

@@ -0,0 +1,132 @@
{
"common": {
"language": "Idioma",
"localeNames": {
"de": "Alemán",
"en": "Inglés",
"es": "Español",
"fr": "Francés"
}
},
"auth": {
"badge": "Autenticación de Admin",
"titles": {
"signIn": "Iniciar sesión en CMS Admin",
"signUpOwner": "Bienvenido a CMS Admin",
"signUpUser": "Crear una cuenta de admin",
"signUpDisabled": "El registro está deshabilitado"
},
"descriptions": {
"signIn": "Better Auth está activo en esta app mediante /api/auth.",
"signUpOwner": "Crea la primera cuenta owner para inicializar esta instancia de administración.",
"signUpUser": "El registro automático está habilitado para usuarios admin.",
"signUpDisabled": "El auto-registro está desactivado actualmente por un administrador."
},
"fields": {
"name": "Nombre",
"emailOrUsername": "Correo o nombre de usuario",
"email": "Correo",
"username": "Nombre de usuario (opcional)",
"password": "Contraseña"
},
"actions": {
"signInIdle": "Iniciar sesión",
"signInBusy": "Iniciando sesión...",
"signUpOwnerIdle": "Crear cuenta owner",
"signUpUserIdle": "Crear cuenta",
"signUpBusy": "Creando cuenta..."
},
"links": {
"needAccount": "¿Necesitas una cuenta?",
"register": "Registrarse",
"alreadyHaveAccount": "¿Ya tienes una cuenta?",
"goToSignIn": "Ir a iniciar sesión"
},
"messages": {
"ownerCreated": "Cuenta owner creada. El registro ahora está deshabilitado.",
"accountCreated": "Cuenta creada.",
"registrationDisabled": "El registro está deshabilitado para esta instancia de administración. Pide a un administrador que cree una cuenta o habilite el auto-registro."
},
"errors": {
"nameRequired": "El nombre es obligatorio para crear la cuenta",
"signInFailed": "Error al iniciar sesión",
"signUpFailed": "Error al registrarse",
"networkSignIn": "Error de red al iniciar sesión",
"networkSignUp": "Error de red al registrarse"
}
},
"settings": {
"badge": "Ajustes de Admin",
"title": "Ajustes",
"description": "Gestiona políticas de ejecución para autenticación y onboarding del panel admin.",
"actions": {
"backToDashboard": "Volver al panel"
},
"registration": {
"title": "Auto-registro de admin",
"description": "Cuando está habilitado, /register puede crear cuentas admin adicionales después del bootstrap inicial del owner.",
"currentStatusLabel": "Estado actual",
"status": {
"enabled": "Habilitado",
"disabled": "Deshabilitado"
},
"checkboxLabel": "Permitir auto-registro en /register para usuarios admin",
"actions": {
"save": "Guardar política de registro"
},
"success": {
"updated": "Política de registro actualizada."
},
"errors": {
"updateFailed": "No se pudieron guardar los ajustes. Asegúrate de que las migraciones de base de datos estén aplicadas."
}
}
},
"dashboard": {
"badge": "App Admin",
"title": "Panel de Contenido",
"description": "Gestiona publicaciones desde una superficie de administración dedicada.",
"actions": {
"openRoadmap": "Abrir hoja de ruta y progreso"
},
"notices": {
"noCrudPermission": "Puedes leer publicaciones, pero tu rol no puede crear/editar/eliminar publicaciones.",
"crudSandboxTag": "Prueba funcional MVP0"
},
"posts": {
"title": "Sandbox CRUD de Publicaciones",
"createTitle": "Crear publicación",
"fields": {
"title": "Título",
"slug": "Slug",
"excerpt": "Extracto",
"body": "Contenido",
"status": "Estado"
},
"status": {
"draft": "Borrador",
"published": "Publicado"
},
"actions": {
"create": "Crear publicación",
"save": "Guardar cambios",
"delete": "Eliminar"
},
"errors": {
"createFailed": "Error al crear. Revisa tus datos.",
"updateFailed": "Error al actualizar. Revisa tus datos.",
"updateMissingId": "Error al actualizar. Falta el id de la publicación.",
"deleteFailed": "Error al eliminar.",
"deleteMissingId": "Error al eliminar. Falta el id de la publicación."
},
"success": {
"created": "Publicación creada.",
"updated": "Publicación actualizada.",
"deleted": "Publicación eliminada."
},
"fallback": {
"noExcerpt": "Sin extracto"
}
}
}
}

132
apps/admin/src/messages/fr.json Normal file
View File

@@ -0,0 +1,132 @@
{
"common": {
"language": "Langue",
"localeNames": {
"de": "Allemand",
"en": "Anglais",
"es": "Espagnol",
"fr": "Français"
}
},
"auth": {
"badge": "Authentification Admin",
"titles": {
"signIn": "Se connecter à CMS Admin",
"signUpOwner": "Bienvenue sur CMS Admin",
"signUpUser": "Créer un compte admin",
"signUpDisabled": "Linscription est désactivée"
},
"descriptions": {
"signIn": "Better Auth est actif sur cette application via /api/auth.",
"signUpOwner": "Créez le premier compte owner pour initialiser cette instance dadministration.",
"signUpUser": "Lauto-inscription est activée pour les utilisateurs admin.",
"signUpDisabled": "Lauto-inscription est actuellement désactivée par un administrateur."
},
"fields": {
"name": "Nom",
"emailOrUsername": "E-mail ou nom dutilisateur",
"email": "E-mail",
"username": "Nom dutilisateur (optionnel)",
"password": "Mot de passe"
},
"actions": {
"signInIdle": "Se connecter",
"signInBusy": "Connexion en cours...",
"signUpOwnerIdle": "Créer le compte owner",
"signUpUserIdle": "Créer un compte",
"signUpBusy": "Création du compte..."
},
"links": {
"needAccount": "Besoin dun compte ?",
"register": "Sinscrire",
"alreadyHaveAccount": "Vous avez déjà un compte ?",
"goToSignIn": "Aller à la connexion"
},
"messages": {
"ownerCreated": "Compte owner créé. Linscription est maintenant désactivée.",
"accountCreated": "Compte créé.",
"registrationDisabled": "Linscription est désactivée pour cette instance admin. Demandez à un administrateur de créer un compte ou de réactiver lauto-inscription."
},
"errors": {
"nameRequired": "Le nom est requis pour créer un compte",
"signInFailed": "Échec de la connexion",
"signUpFailed": "Échec de linscription",
"networkSignIn": "Erreur réseau lors de la connexion",
"networkSignUp": "Erreur réseau lors de linscription"
}
},
"settings": {
"badge": "Paramètres Admin",
"title": "Paramètres",
"description": "Gérez les politiques dexécution pour lauthentification et lonboarding de ladmin.",
"actions": {
"backToDashboard": "Retour au tableau de bord"
},
"registration": {
"title": "Auto-inscription admin",
"description": "Lorsquelle est activée, /register peut créer des comptes admin supplémentaires après linitialisation du premier owner.",
"currentStatusLabel": "Statut actuel",
"status": {
"enabled": "Activé",
"disabled": "Désactivé"
},
"checkboxLabel": "Autoriser lauto-inscription sur /register pour les utilisateurs admin",
"actions": {
"save": "Enregistrer la politique dinscription"
},
"success": {
"updated": "Politique dinscription mise à jour."
},
"errors": {
"updateFailed": "Échec de lenregistrement des paramètres. Vérifiez que les migrations de base de données sont appliquées."
}
}
},
"dashboard": {
"badge": "Application Admin",
"title": "Tableau de bord contenu",
"description": "Gérez les publications depuis une surface dadministration dédiée.",
"actions": {
"openRoadmap": "Ouvrir la feuille de route et la progression"
},
"notices": {
"noCrudPermission": "Vous pouvez lire les publications, mais votre rôle ne peut pas créer/modifier/supprimer des publications.",
"crudSandboxTag": "Test fonctionnel MVP0"
},
"posts": {
"title": "Sandbox CRUD des publications",
"createTitle": "Créer une publication",
"fields": {
"title": "Titre",
"slug": "Slug",
"excerpt": "Extrait",
"body": "Contenu",
"status": "Statut"
},
"status": {
"draft": "Brouillon",
"published": "Publié"
},
"actions": {
"create": "Créer une publication",
"save": "Enregistrer les modifications",
"delete": "Supprimer"
},
"errors": {
"createFailed": "Échec de la création. Vérifiez vos données.",
"updateFailed": "Échec de la mise à jour. Vérifiez vos données.",
"updateMissingId": "Échec de la mise à jour. ID de publication manquant.",
"deleteFailed": "Échec de la suppression.",
"deleteMissingId": "Échec de la suppression. ID de publication manquant."
},
"success": {
"created": "Publication créée.",
"updated": "Publication mise à jour.",
"deleted": "Publication supprimée."
},
"fallback": {
"noExcerpt": "Aucun extrait"
}
}
}
}

53
apps/admin/src/providers/admin-i18n-provider.tsx Normal file
View File

@@ -0,0 +1,53 @@
"use client"
import type { AppLocale } from "@cms/i18n"
import { createContext, type ReactNode, useContext, useMemo } from "react"
import type { AdminMessages } from "@/i18n/messages"
import { translateMessage } from "@/i18n/messages"
type AdminI18nContextValue = {
locale: AppLocale
messages: AdminMessages
}
const AdminI18nContext = createContext<AdminI18nContextValue | null>(null)
export function AdminI18nProvider({
locale,
messages,
children,
}: {
locale: AppLocale
messages: AdminMessages
children: ReactNode
}) {
const value = useMemo(
() => ({
locale,
messages,
}),
[locale, messages],
)
return <AdminI18nContext.Provider value={value}>{children}</AdminI18nContext.Provider>
}
export function useAdminI18n(): AdminI18nContextValue {
const context = useContext(AdminI18nContext)
if (!context) {
throw new Error("useAdminI18n must be used inside AdminI18nProvider")
}
return context
}
export function useAdminT() {
const { messages } = useAdminI18n()
return useMemo(
() => (key: string, fallback?: string) => translateMessage(messages, key, fallback),
[messages],
)
}

13
apps/web/src/app/[locale]/about/page.tsx Normal file
View File

@@ -0,0 +1,13 @@
import { getTranslations } from "next-intl/server"
export default async function AboutPage() {
const t = await getTranslations("About")
return (
<section className="mx-auto w-full max-w-6xl space-y-4 px-6 py-16">
<p className="text-sm uppercase tracking-[0.2em] text-neutral-500">{t("badge")}</p>
<h1 className="text-4xl font-semibold tracking-tight">{t("title")}</h1>
<p className="max-w-3xl text-neutral-600">{t("description")}</p>
</section>
)
}

13
apps/web/src/app/[locale]/contact/page.tsx Normal file
View File

@@ -0,0 +1,13 @@
import { getTranslations } from "next-intl/server"
export default async function ContactPage() {
const t = await getTranslations("Contact")
return (
<section className="mx-auto w-full max-w-6xl space-y-4 px-6 py-16">
<p className="text-sm uppercase tracking-[0.2em] text-neutral-500">{t("badge")}</p>
<h1 className="text-4xl font-semibold tracking-tight">{t("title")}</h1>
<p className="max-w-3xl text-neutral-600">{t("description")}</p>
</section>
)
}

36
apps/web/src/app/[locale]/layout.tsx
View File

@@ -1,7 +1,12 @@
import { getPublicHeaderBanner } from "@cms/db"
import { notFound } from "next/navigation" import { notFound } from "next/navigation"
import { hasLocale, NextIntlClientProvider } from "next-intl" import { hasLocale, NextIntlClientProvider } from "next-intl"
import { getTranslations } from "next-intl/server"
import type { ReactNode } from "react" import type { ReactNode } from "react"
import { PublicHeaderBanner } from "@/components/public-header-banner"
import { PublicSiteFooter } from "@/components/public-site-footer"
import { PublicSiteHeader } from "@/components/public-site-header"
import { routing } from "@/i18n/routing" import { routing } from "@/i18n/routing"
import { Providers } from "../providers" import { Providers } from "../providers"
@@ -12,6 +17,28 @@ type LocaleLayoutProps = {
}> }>
} }
export async function generateMetadata({ params }: LocaleLayoutProps) {
const { locale } = await params
if (!hasLocale(routing.locales, locale)) {
return {}
}
const t = await getTranslations({
locale,
namespace: "Seo",
})
return {
title: t("title"),
description: t("description"),
openGraph: {
title: t("title"),
description: t("description"),
},
}
}
export default async function LocaleLayout({ children, params }: LocaleLayoutProps) { export default async function LocaleLayout({ children, params }: LocaleLayoutProps) {
const { locale } = await params const { locale } = await params
@@ -19,9 +46,16 @@ export default async function LocaleLayout({ children, params }: LocaleLayoutPro
notFound() notFound()
} }
const banner = await getPublicHeaderBanner()
return ( return (
<NextIntlClientProvider locale={locale}> <NextIntlClientProvider locale={locale}>
<Providers>{children}</Providers> <Providers>
<PublicHeaderBanner banner={banner} />
<PublicSiteHeader />
<main>{children}</main>
<PublicSiteFooter />
</Providers>
</NextIntlClientProvider> </NextIntlClientProvider>
) )
} }

11
apps/web/src/app/[locale]/page.tsx
View File

@@ -2,20 +2,15 @@ import { listPosts } from "@cms/db"
import { Button } from "@cms/ui/button" import { Button } from "@cms/ui/button"
import { getTranslations } from "next-intl/server" import { getTranslations } from "next-intl/server"
import { LanguageSwitcher } from "@/components/language-switcher"
export const dynamic = "force-dynamic" export const dynamic = "force-dynamic"
export default async function HomePage() { export default async function HomePage() {
const [posts, t] = await Promise.all([listPosts(), getTranslations("Home")]) const [posts, t] = await Promise.all([listPosts(), getTranslations("Home")])
return ( return (
<main className="mx-auto flex min-h-screen w-full max-w-3xl flex-col gap-6 px-6 py-16"> <section className="mx-auto flex w-full max-w-6xl flex-col gap-6 px-6 py-16">
<header className="space-y-3"> <header className="space-y-3">
<div className="flex flex-wrap items-center justify-between gap-3"> <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">{t("badge")}</p>
<p className="text-sm uppercase tracking-[0.2em] text-neutral-500">{t("badge")}</p>
<LanguageSwitcher />
</div>
<h1 className="text-4xl font-semibold tracking-tight">{t("title")}</h1> <h1 className="text-4xl font-semibold tracking-tight">{t("title")}</h1>
<p className="text-neutral-600">{t("description")}</p> <p className="text-neutral-600">{t("description")}</p>
</header> </header>
@@ -36,6 +31,6 @@ export default async function HomePage() {
))} ))}
</ul> </ul>
</section> </section>
</main> </section>
) )
} }

23
apps/web/src/app/layout.tsx
View File

@@ -3,9 +3,30 @@ import type { ReactNode } from "react"
import "./globals.css" import "./globals.css"
const metadataBase = new URL(process.env.CMS_WEB_ORIGIN ?? "http://localhost:3000")
export const metadata: Metadata = { export const metadata: Metadata = {
title: "CMS Web", metadataBase,
title: {
default: "CMS Web",
template: "%s | CMS Web",
},
description: "Public frontend for the CMS monorepo", description: "Public frontend for the CMS monorepo",
applicationName: "CMS Web",
openGraph: {
type: "website",
siteName: "CMS Web",
title: "CMS Web",
description: "Public frontend for the CMS monorepo",
url: metadataBase,
},
alternates: {
canonical: "/",
},
robots: {
index: true,
follow: true,
},
} }
export default function RootLayout({ children }: { children: ReactNode }) { export default function RootLayout({ children }: { children: ReactNode }) {

13
apps/web/src/app/robots.ts Normal file
View File

@@ -0,0 +1,13 @@
import type { MetadataRoute } from "next"
const baseUrl = process.env.CMS_WEB_ORIGIN ?? "http://localhost:3000"
export default function robots(): MetadataRoute.Robots {
return {
rules: {
userAgent: "*",
allow: "/",
},
sitemap: `${baseUrl}/sitemap.xml`,
}
}

14
apps/web/src/app/sitemap.ts Normal file
View File

@@ -0,0 +1,14 @@
import type { MetadataRoute } from "next"
const baseUrl = process.env.CMS_WEB_ORIGIN ?? "http://localhost:3000"
const publicRoutes = ["/", "/about", "/contact"]
export default function sitemap(): MetadataRoute.Sitemap {
const now = new Date()
return publicRoutes.map((route) => ({
url: `${baseUrl}${route}`,
lastModified: now,
}))
}

25
apps/web/src/components/public-header-banner.tsx Normal file
View File

@@ -0,0 +1,25 @@
import type { PublicHeaderBanner as PublicHeaderBannerData } from "@cms/db"
import Link from "next/link"
type PublicHeaderBannerProps = {
banner: PublicHeaderBannerData | null
}
export function PublicHeaderBanner({ banner }: PublicHeaderBannerProps) {
if (!banner) {
return null
}
return (
<div className="border-b border-amber-200 bg-amber-50">
<div className="mx-auto flex w-full max-w-6xl flex-wrap items-center justify-between gap-3 px-6 py-2 text-sm text-amber-900">
<p>{banner.message}</p>
{banner.ctaLabel && banner.ctaHref ? (
<Link href={banner.ctaHref} className="font-medium underline underline-offset-2">
{banner.ctaLabel}
</Link>
) : null}
</div>
</div>
)
}

21
apps/web/src/components/public-site-footer.tsx Normal file
View File

@@ -0,0 +1,21 @@
"use client"
import { useTranslations } from "next-intl"
export function PublicSiteFooter() {
const t = useTranslations("Layout")
const year = new Date().getFullYear()
return (
<footer className="border-t border-neutral-200 bg-neutral-50">
<div className="mx-auto flex w-full max-w-6xl flex-wrap items-center justify-between gap-2 px-6 py-4 text-sm text-neutral-600">
<p>
{t("footer.copyright", {
year,
})}
</p>
<p>{t("footer.tagline")}</p>
</div>
</footer>
)
}

44
apps/web/src/components/public-site-header.tsx Normal file
View File

@@ -0,0 +1,44 @@
"use client"
import { useTranslations } from "next-intl"
import { Link } from "@/i18n/navigation"
import { LanguageSwitcher } from "./language-switcher"
export function PublicSiteHeader() {
const t = useTranslations("Layout")
const navItems = [
{ href: "/", label: t("nav.home") },
{ href: "/about", label: t("nav.about") },
{ href: "/contact", label: t("nav.contact") },
]
return (
<header className="border-b border-neutral-200 bg-white/80 backdrop-blur">
<div className="mx-auto flex w-full max-w-6xl flex-wrap items-center justify-between gap-4 px-6 py-4">
<Link
href="/"
className="text-sm font-semibold uppercase tracking-[0.2em] text-neutral-700"
>
{t("brand")}
</Link>
<nav className="flex flex-wrap items-center gap-2">
{navItems.map((item) => (
<Link
key={item.href}
href={item.href}
className="rounded-md border border-neutral-300 px-3 py-1.5 text-sm font-medium text-neutral-700 hover:bg-neutral-100"
>
{item.label}
</Link>
))}
</nav>
<LanguageSwitcher />
</div>
</header>
)
}

17
apps/web/src/i18n/request.test.ts Normal file
View File

@@ -0,0 +1,17 @@
import { describe, expect, it } from "vitest"
import { resolveRequestLocale } from "./request"
describe("resolveRequestLocale", () => {
it("accepts supported locales", () => {
expect(resolveRequestLocale("de")).toBe("de")
expect(resolveRequestLocale("en")).toBe("en")
expect(resolveRequestLocale("es")).toBe("es")
expect(resolveRequestLocale("fr")).toBe("fr")
})
it("falls back to default locale for unsupported values", () => {
expect(resolveRequestLocale("it")).toBe("en")
expect(resolveRequestLocale(undefined)).toBe("en")
})
})

7
apps/web/src/i18n/request.ts
View File

@@ -1,11 +1,16 @@
import type { AppLocale } from "@cms/i18n"
import { hasLocale } from "next-intl" import { hasLocale } from "next-intl"
import { getRequestConfig } from "next-intl/server" import { getRequestConfig } from "next-intl/server"
import { routing } from "./routing" import { routing } from "./routing"
export function resolveRequestLocale(requested: string | undefined): AppLocale {
return hasLocale(routing.locales, requested) ? requested : routing.defaultLocale
}
export default getRequestConfig(async ({ requestLocale }) => { export default getRequestConfig(async ({ requestLocale }) => {
const requested = await requestLocale const requested = await requestLocale
const locale = hasLocale(routing.locales, requested) ? requested : routing.defaultLocale const locale = resolveRequestLocale(requested)
return { return {
locale, locale,

26
apps/web/src/messages/de.json
View File

@@ -15,5 +15,31 @@
"es": "Spanisch", "es": "Spanisch",
"fr": "Französisch" "fr": "Französisch"
} }
},
"Layout": {
"brand": "CMS Web",
"nav": {
"home": "Start",
"about": "Über uns",
"contact": "Kontakt"
},
"footer": {
"copyright": "© {year} CMS Web",
"tagline": "Powered by Next.js, Bun, Prisma und TanStack."
}
},
"Seo": {
"title": "CMS Web",
"description": "Öffentliches Frontend für das CMS-Monorepo."
},
"About": {
"badge": "Über uns",
"title": "Über dieses Projekt",
"description": "Diese öffentliche App ist die Frontend-Oberfläche für CMS-gesteuerte Inhalte und kommende dynamische Seiten."
},
"Contact": {
"badge": "Kontakt",
"title": "Kontakt",
"description": "Kontakt- und Auftragsabläufe werden in den nächsten MVP-Schritten eingeführt."
} }
} }

26
apps/web/src/messages/en.json
View File

@@ -15,5 +15,31 @@
"es": "Spanish", "es": "Spanish",
"fr": "French" "fr": "French"
} }
},
"Layout": {
"brand": "CMS Web",
"nav": {
"home": "Home",
"about": "About",
"contact": "Contact"
},
"footer": {
"copyright": "© {year} CMS Web",
"tagline": "Powered by Next.js, Bun, Prisma, and TanStack."
}
},
"Seo": {
"title": "CMS Web",
"description": "Public frontend for the CMS monorepo."
},
"About": {
"badge": "About",
"title": "About this project",
"description": "This public app is the frontend surface for CMS-driven content and upcoming dynamic pages."
},
"Contact": {
"badge": "Contact",
"title": "Contact",
"description": "Contact and commission flows will be introduced in upcoming MVP steps."
} }
} }

26
apps/web/src/messages/es.json
View File

@@ -15,5 +15,31 @@
"es": "Español", "es": "Español",
"fr": "Francés" "fr": "Francés"
} }
},
"Layout": {
"brand": "CMS Web",
"nav": {
"home": "Inicio",
"about": "Acerca de",
"contact": "Contacto"
},
"footer": {
"copyright": "© {year} CMS Web",
"tagline": "Impulsado por Next.js, Bun, Prisma y TanStack."
}
},
"Seo": {
"title": "CMS Web",
"description": "Frontend público para el monorepo CMS."
},
"About": {
"badge": "Acerca de",
"title": "Sobre este proyecto",
"description": "Esta app pública es la superficie frontend para contenido gestionado por CMS y próximas páginas dinámicas."
},
"Contact": {
"badge": "Contacto",
"title": "Contacto",
"description": "Los flujos de contacto y comisiones se incorporarán en los siguientes pasos del MVP."
} }
} }

26
apps/web/src/messages/fr.json
View File

@@ -15,5 +15,31 @@
"es": "Espagnol", "es": "Espagnol",
"fr": "Français" "fr": "Français"
} }
},
"Layout": {
"brand": "CMS Web",
"nav": {
"home": "Accueil",
"about": "À propos",
"contact": "Contact"
},
"footer": {
"copyright": "© {year} CMS Web",
"tagline": "Propulsé par Next.js, Bun, Prisma et TanStack."
}
},
"Seo": {
"title": "CMS Web",
"description": "Frontend public pour le monorepo CMS."
},
"About": {
"badge": "À propos",
"title": "À propos de ce projet",
"description": "Cette application publique est la surface frontend pour le contenu piloté par CMS et les futures pages dynamiques."
},
"Contact": {
"badge": "Contact",
"title": "Contact",
"description": "Les flux de contact et de commission seront introduits dans les prochaines étapes MVP."
} }
} }

16
bun.lock
View File

@@ -30,6 +30,7 @@
"dependencies": { "dependencies": {
"@cms/content": "workspace:*", "@cms/content": "workspace:*",
"@cms/db": "workspace:*", "@cms/db": "workspace:*",
"@cms/i18n": "workspace:*",
"@cms/ui": "workspace:*", "@cms/ui": "workspace:*",
"@tanstack/react-form": "1.28.0", "@tanstack/react-form": "1.28.0",
"@tanstack/react-query": "5.90.20", "@tanstack/react-query": "5.90.20",
@@ -95,11 +96,24 @@
"typescript": "5.9.3", "typescript": "5.9.3",
}, },
}, },
"packages/crud": {
"name": "@cms/crud",
"version": "0.0.1",
"dependencies": {
"zod": "4.3.6",
},
"devDependencies": {
"@biomejs/biome": "2.3.14",
"@cms/config": "workspace:*",
"typescript": "5.9.3",
},
},
"packages/db": { "packages/db": {
"name": "@cms/db", "name": "@cms/db",
"version": "0.0.1", "version": "0.0.1",
"dependencies": { "dependencies": {
"@cms/content": "workspace:*", "@cms/content": "workspace:*",
"@cms/crud": "workspace:*",
"@prisma/adapter-pg": "7.3.0", "@prisma/adapter-pg": "7.3.0",
"@prisma/client": "7.3.0", "@prisma/client": "7.3.0",
"pg": "8.18.0", "pg": "8.18.0",
@@ -273,6 +287,8 @@
"@cms/content": ["@cms/content@workspace:packages/content"], "@cms/content": ["@cms/content@workspace:packages/content"],
"@cms/crud": ["@cms/crud@workspace:packages/crud"],
"@cms/db": ["@cms/db@workspace:packages/db"], "@cms/db": ["@cms/db@workspace:packages/db"],
"@cms/i18n": ["@cms/i18n@workspace:packages/i18n"], "@cms/i18n": ["@cms/i18n@workspace:packages/i18n"],

13
docker-compose.gitea-runner.yml Normal file
View File

@@ -0,0 +1,13 @@
services:
gitea-runner:
image: gitea/act_runner:latest
container_name: cms-gitea-runner
restart: unless-stopped
environment:
GITEA_INSTANCE_URL: "${GITEA_INSTANCE_URL}"
GITEA_RUNNER_REGISTRATION_TOKEN: "${GITEA_RUNNER_REGISTRATION_TOKEN}"
GITEA_RUNNER_NAME: "${GITEA_RUNNER_NAME:-cms-runner}"
GITEA_RUNNER_LABELS: "${GITEA_RUNNER_LABELS:-ubuntu-latest:docker://node:20-bookworm}"
volumes:
- ./runner-data:/data
- /var/run/docker.sock:/var/run/docker.sock

21
docs/.vitepress/config.mts
View File

@@ -20,8 +20,17 @@ export default defineConfig({
{ text: "Getting Started", link: "/getting-started" }, { text: "Getting Started", link: "/getting-started" },
{ text: "Architecture", link: "/architecture" }, { text: "Architecture", link: "/architecture" },
{ text: "Better Auth Baseline", link: "/product-engineering/auth-baseline" }, { text: "Better Auth Baseline", link: "/product-engineering/auth-baseline" },
{ text: "CRUD Baseline", link: "/product-engineering/crud-baseline" },
{ text: "CRUD Examples", link: "/product-engineering/crud-examples" },
{ text: "i18n Baseline", link: "/product-engineering/i18n-baseline" }, { text: "i18n Baseline", link: "/product-engineering/i18n-baseline" },
{ text: "i18n Conventions", link: "/product-engineering/i18n-conventions" },
{ text: "RBAC And Permissions", link: "/product-engineering/rbac-permission-model" }, { text: "RBAC And Permissions", link: "/product-engineering/rbac-permission-model" },
{ text: "Domain Glossary", link: "/product-engineering/domain-glossary" },
{ text: "Environment Runbook", link: "/product-engineering/environment-runbook" },
{ text: "Delivery Pipeline", link: "/product-engineering/delivery-pipeline" },
{ text: "Git Flow Governance", link: "/product-engineering/git-flow-governance" },
{ text: "Testing Strategy", link: "/product-engineering/testing-strategy" },
{ text: "ADR Index", link: "/adr/" },
{ text: "Workflow", link: "/workflow" }, { text: "Workflow", link: "/workflow" },
], ],
}, },
@@ -31,7 +40,17 @@ export default defineConfig({
}, },
{ {
text: "Public API", text: "Public API",
items: [{ text: "Section Overview", link: "/public-api/" }], items: [
{ text: "Section Overview", link: "/public-api/" },
{ text: "Glossary", link: "/public-api/glossary" },
],
},
{
text: "ADR",
items: [
{ text: "Index", link: "/adr/" },
{ text: "0001 Monorepo Foundation", link: "/adr/0001-monorepo-foundation" },
],
}, },
], ],
socialLinks: [{ icon: "github", link: "https://example.com/replace-with-repo" }], socialLinks: [{ icon: "github", link: "https://example.com/replace-with-repo" }],

37
docs/adr/0001-monorepo-foundation.md Normal file
View File

@@ -0,0 +1,37 @@
# ADR 0001: Monorepo Foundation
- Status: Accepted
- Date: 2026-02-10
## Context
The CMS platform requires:
- separate admin and public apps
- shared domain contracts and data access
- consistent tooling and CI quality gates
- incremental delivery through MVP stages
A fragmented multi-repo setup would increase coordination overhead and duplicate shared contracts.
## Decision
Adopt a Bun workspace monorepo with:
- `apps/admin` and `apps/web` for runtime surfaces
- shared packages (`@cms/content`, `@cms/db`, `@cms/crud`, `@cms/ui`, `@cms/i18n`)
- shared quality tooling (Biome, TypeScript, Vitest, Playwright, Turbo)
## Consequences
### Positive
- shared contract updates propagate in one change set
- easier cross-app refactors and testing
- single CI pipeline with consistent gates
### Negative
- stronger need for workspace discipline and clear boundaries
- larger repository clone/build surface
- potential for cross-package coupling if conventions are not enforced

17
docs/adr/README.md Normal file
View File

@@ -0,0 +1,17 @@
# ADR Index
Architecture Decision Records (ADRs) capture important technical decisions and context.
## Format
- Numbered files: `0001-<short-title>.md`
- Immutable once accepted (new ADRs supersede old decisions)
- Include:
- Status
- Context
- Decision
- Consequences
## Records
- [0001 - Monorepo Foundation](./0001-monorepo-foundation.md)

1
docs/architecture.md
View File

@@ -6,6 +6,7 @@
- `apps/admin`: admin app - `apps/admin`: admin app
- `packages/db`: prisma + data access - `packages/db`: prisma + data access
- `packages/content`: shared schemas and domain contracts - `packages/content`: shared schemas and domain contracts
- `packages/crud`: shared CRUD service patterns (validation, errors, audit hooks)
- `packages/ui`: shared UI layer - `packages/ui`: shared UI layer
- `packages/i18n`: shared locale definitions and i18n helpers - `packages/i18n`: shared locale definitions and i18n helpers
- `packages/config`: shared TS config - `packages/config`: shared TS config

2
docs/index.md
View File

@@ -7,6 +7,7 @@ Engineering documentation hub for this repository.
- [Product / Engineering](/product-engineering/) - [Product / Engineering](/product-engineering/)
- [Admin / User Guides](/admin-user-guides/) - [Admin / User Guides](/admin-user-guides/)
- [Public API](/public-api/) - [Public API](/public-api/)
- [ADR Index](/adr/)
## Core Sources ## Core Sources
@@ -14,6 +15,7 @@ Engineering documentation hub for this repository.
- Branching and promotion flow: `BRANCHING.md` - Branching and promotion flow: `BRANCHING.md`
- Contribution and commit schema: `CONTRIBUTING.md` - Contribution and commit schema: `CONTRIBUTING.md`
- Release history: `CHANGELOG.md` - Release history: `CHANGELOG.md`
- Versioning and release policy: `VERSIONING.md`
## Documentation Scope ## Documentation Scope

3
docs/product-engineering/auth-baseline.md
View File

@@ -39,6 +39,7 @@ Optional:
- Support user bootstrap is available via `bun run auth:seed:support`. - Support user bootstrap is available via `bun run auth:seed:support`.
- Root `bun run db:seed` runs DB seed and support-user seed. - Root `bun run db:seed` runs DB seed and support-user seed.
- `CMS_ADMIN_SELF_REGISTRATION_ENABLED` is temporary until admin settings UI manages this policy. - `CMS_ADMIN_SELF_REGISTRATION_ENABLED` is now a fallback/default only.
- Runtime source of truth is admin settings (`/settings`) backed by `system_setting`.
- Owner/support checks for future admin user-management mutations remain tracked in `TODO.md`. - Owner/support checks for future admin user-management mutations remain tracked in `TODO.md`.
- Email verification and forgot/reset password pipelines are tracked for MVP2. - Email verification and forgot/reset password pipelines are tracked for MVP2.

41
docs/product-engineering/crud-baseline.md Normal file
View File

@@ -0,0 +1,41 @@
# CRUD Baseline
## Scope
MVP0 now includes a shared CRUD foundation package: `@cms/crud`.
Current baseline:
- Shared service factory: `createCrudService`
- Repository contract: `list`, `findById`, `create`, `update`, `delete`
- Service surface for list/detail/editor flows: `list`, `getById`, `create`, `update`, `delete`
- Shared validation error type: `CrudValidationError`
- Shared not-found error type: `CrudNotFoundError`
- Shared mutation audit hook contract: `CrudAuditHook`
- Shared mutation context contract (`actor`, `metadata`)
## First Integration
`@cms/db` `posts` now uses the shared CRUD foundation:
- `listPosts`
- `getPostById`
- `createPost`
- `updatePost`
- `deletePost`
- `registerPostCrudAuditHook`
Validation for create/update is enforced by `@cms/content` schemas.
Contract tests validate:
- repository list/detail behavior via CRUD service
- validation and not-found errors
- audit payload propagation (`actor`, `metadata`)
The admin dashboard currently includes a temporary posts CRUD sandbox to validate this flow through a real app UI.
## Notes
- This is the base layer for future entities (pages, navigation, media, users, commissions).
- Audit hook persistence/transport is intentionally left for later implementation work.
- Implementation examples are documented in `crud-examples.md`.

69
docs/product-engineering/crud-examples.md Normal file
View File

@@ -0,0 +1,69 @@
# CRUD Examples
## Goal
Provide concrete implementation patterns for new entities adopting `@cms/crud`.
## Example: Service Factory Wiring
```ts
import { createCrudService } from "@cms/crud"
import { createPageInputSchema, updatePageInputSchema } from "@cms/content"
const pageCrudService = createCrudService({
resource: "page",
repository: pageRepository,
schemas: {
create: createPageInputSchema,
update: updatePageInputSchema,
},
auditHooks: pageAuditHooks,
})
```
## Example: Repository Contract
```ts
const pageRepository = {
list: () => db.page.findMany({ orderBy: { updatedAt: "desc" } }),
findById: (id: string) => db.page.findUnique({ where: { id } }),
create: (input: CreatePageInput) => db.page.create({ data: input }),
update: (id: string, input: UpdatePageInput) =>
db.page.update({
where: { id },
data: input,
}),
delete: (id: string) => db.page.delete({ where: { id } }),
}
```
## Example: Action Usage
```ts
export async function createPage(input: unknown, context?: CrudMutationContext) {
return pageCrudService.create(input, context)
}
export async function updatePage(id: string, input: unknown, context?: CrudMutationContext) {
return pageCrudService.update(id, input, context)
}
export async function deletePage(id: string, context?: CrudMutationContext) {
return pageCrudService.delete(id, context)
}
```
## Testing Expectations
- validation failure returns `CrudValidationError`
- missing IDs return `CrudNotFoundError`
- repository methods are called in expected order
- audit hooks receive `actor`, `metadata`, `before`, `after`
## Adoption Checklist
1. Add entity schemas in `@cms/content`
2. Add repository + service in `@cms/db`
3. Add unit tests for contract + validation
4. Wire route/action permission checks before mutations
5. Add docs links and TODO updates

77
docs/product-engineering/delivery-pipeline.md Normal file
View File

@@ -0,0 +1,77 @@
# Delivery Pipeline
## Scope
Operational pipeline baseline for image build/push, staging deploy, production promotion, and rollback.
## Registry Credentials Strategy
Use scoped Gitea secrets:
- `CMS_IMAGE_REGISTRY`
- `CMS_IMAGE_NAMESPACE`
- `CMS_IMAGE_REGISTRY_USER`
- `CMS_IMAGE_REGISTRY_PASSWORD`
Policy:
- credentials only in CI secrets
- no plaintext credentials in repo
- least privilege: push/pull for target namespace only
## Build and Push Flow
- Workflow: `.gitea/workflows/release.yml`
- Trigger:
- tag push `vX.Y.Z`
- manual `workflow_dispatch`
- Steps:
1. validate tag vs root `package.json` version
2. generate changelog
3. docker login
4. build and push `cms-web` and `cms-admin` images
## Staging Deployment Automation
- Workflow: `.gitea/workflows/deploy.yml`
- Manual input:
- `environment=staging`
- `image_tag=vX.Y.Z`
- Remote deployment uses SSH + compose file:
- `docker-compose.staging.yml`
Required secrets:
- `CMS_STAGING_HOST`
- `CMS_STAGING_USER`
- `CMS_DEPLOY_KEY`
- `CMS_REMOTE_DEPLOY_PATH`
## Production Promotion and Rollback
Promotion:
- run deploy workflow with:
- `environment=production`
- `image_tag=vX.Y.Z`
Rollback:
- release workflow supports rollback placeholder by image tag
- deploy workflow supports `rollback_tag` input
- recovery action:
- rerun deploy with previous known-good tag
## Deployment Verification
After deploy:
1. app health checks (web/admin)
2. auth smoke flow
3. i18n smoke flow
4. critical route checks (`/`, `/login`, `/todo`)
## Notes
- Current workflows are production-oriented scaffolds and require secret provisioning in Gitea.
- Host hardening, network ACLs, and backup policy remain mandatory operational controls.

35
docs/product-engineering/domain-glossary.md Normal file
View File

@@ -0,0 +1,35 @@
# Domain Glossary
## Core Terms
### Owner
Highest-privilege admin role. Exactly one canonical owner must exist at all times.
### Support User
Hidden technical support account used for break-glass access and operational recovery.
### Admin Registration Policy
Runtime policy controlling whether `/register` can create additional admin users after owner bootstrap.
### Protected Account
Account that cannot be deleted/demoted through self-service flows (support + canonical owner).
### CRUD Service
Shared `@cms/crud` service abstraction combining schema validation, repository orchestration, and audit hooks.
### Permission Scope
RBAC access scope granularity: `own`, `team`, `global`.
### Roadmap Source Of Truth
`TODO.md` in repository root. Rendered in admin via `/todo`.
### Header Banner
Public-site announcement strip configured through `system_setting` key `public.header_banner`.

103
docs/product-engineering/environment-runbook.md Normal file
View File

@@ -0,0 +1,103 @@
# Environment and Deployment Runbook
## Scope
Operational baseline for `dev`, `staging`, and `production`.
## Environments
### Dev (local)
- Runtime: Bun + local Next dev servers
- Entry point: `bun run dev`
- Database: local/remote dev Postgres from `.env`
- Characteristics:
- fastest feedback
- non-production data acceptable
- migrations created here first
### Staging
- Runtime: Docker Compose (`docker-compose.staging.yml`)
- Purpose: integration validation and release candidate checks
- Characteristics:
- production-like environment
- controlled test data
- candidate for production promotion
### Production
- Runtime: Docker Compose (`docker-compose.production.yml`)
- Purpose: end-user traffic
- Characteristics:
- protected secrets and stricter access controls
- immutable release artifacts
- rollback procedures required
## Core Commands
### Local development
```bash
bun install
bun run db:generate
bun run db:migrate
bun run db:seed
bun run dev
```
### Staging compose
```bash
bun run docker:staging:up
bun run docker:staging:down
```
### Production compose
```bash
bun run docker:production:up
bun run docker:production:down
```
## Release Flow
1. Complete work on task branch.
2. Merge into `dev` and pass quality gates.
3. Promote `dev` -> `staging`.
4. Validate staging smoke/e2e + manual checks.
5. Promote `staging` -> `main` and tag release.
## Migration Policy
- Create migrations in development only.
- Apply migrations in deployment using `prisma migrate deploy`.
- Never hand-edit applied migration history.
## Rollback Baseline
Current baseline strategy:
- rollback app image/tag to previous known-good release
- restore database from backup when schema/data changes require recovery
## Secrets and Config
- Dev: `.env`
- Staging: `.env.staging` (from `.env.staging.example`)
- Production: `.env.production` (from `.env.production.example`)
Minimum sensitive values:
- `DATABASE_URL`
- `BETTER_AUTH_SECRET`
- `CMS_SUPPORT_*` credentials/keys
## Verification Checklist
- `bun run check`
- `bun run typecheck`
- `bun run test`
- `bun run test:e2e`
- app startup health for web/admin
- login flow and permissions smoke

66
docs/product-engineering/git-flow-governance.md Normal file
View File

@@ -0,0 +1,66 @@
# Git Flow Governance
## Scope
Governance rules for branch protections, PR gates, branch naming, and merge discipline.
## Branch Protection
Protected branches:
- `main`
- `staging`
Apply protections using:
- Gitea UI settings
- or automation script: `.gitea/scripts/configure-branch-protection.sh`
Minimum policy:
- no direct pushes
- PR merge required
- required status checks
- at least one reviewer approval
## PR Gates
Required checks are implemented in `.gitea/workflows/ci.yml`:
- Governance Checks
- Lint Typecheck Unit E2E
## Branch Naming and TODO Scope
Allowed branch prefixes:
- `todo/`
- `refactor/`
- `code/`
Validation script:
- `.gitea/scripts/check-branch-name.sh`
Rule:
- one primary TODO item per delivery branch
PR TODO reference enforcement:
- template: `.gitea/PULL_REQUEST_TEMPLATE.md`
- CI check: `.gitea/scripts/check-pr-todo-reference.sh`
## Branch Lifecycle
1. Create short-lived branch from latest integration tip.
2. Implement one primary scope.
3. Open PR and pass required checks.
4. Merge into `dev`.
5. Promote `dev -> staging -> main`.
## Commit and Tag Policy
- Conventional commits required (`CONTRIBUTING.md`)
- release tags: `vX.Y.Z`
- changelog generated from commit history

15
docs/product-engineering/i18n-baseline.md
View File

@@ -2,19 +2,20 @@
## Scope ## Scope
MVP0 introduces i18n runtime only for the public app (`@cms/web`) using `next-intl`. MVP0 introduces i18n runtime baselines for both apps.
Current baseline: Current baseline:
- Shared locale contract in `@cms/i18n` (`de`, `en`, `es`, `fr`; default `en`) - Shared locale contract in `@cms/i18n` (`de`, `en`, `es`, `fr`; default `en`)
- Path-stable routing (no locale in URL) via `apps/web/src/proxy.ts` - Public app: path-stable routing (no locale in URL) via `apps/web/src/proxy.ts`
- Message loading through `apps/web/src/i18n/request.ts` - Public app: message loading through `apps/web/src/i18n/request.ts`
- Locale-aware navigation helpers in `apps/web/src/i18n/navigation.ts` - Public app: locale-aware navigation helpers in `apps/web/src/i18n/navigation.ts`
- Public language switcher component backed by Zustand store - Public app: language switcher component backed by Zustand store
- Admin app: cookie-based locale resolution and message loading in root layout
- Admin app: runtime i18n provider (`AdminI18nProvider`) and locale switcher UI
## Notes ## Notes
- Public app locale is resolved through `next-intl` middleware + cookie. - Public app locale is resolved through `next-intl` middleware + cookie.
- Enabled locales are currently static in code and will later be managed from admin settings. - Enabled locales are currently static in code and will later be managed from admin settings.
- Admin app i18n provider/message loading is still pending. - Translation key and workflow standards are documented in `i18n-conventions.md`.
- Translation key conventions and workflow docs are tracked in `TODO.md`.

86
docs/product-engineering/i18n-conventions.md Normal file
View File

@@ -0,0 +1,86 @@
# i18n Conventions
## Scope
This document defines translation conventions for both apps in MVP0+.
- Public app i18n: `next-intl` message namespaces and route-level usage
- Admin app i18n: JSON dictionaries + runtime resolver/provider
- Shared locale contract: `@cms/i18n` (`de`, `en`, `es`, `fr`; default `en`)
## Locale Policy
- Source of truth: `packages/i18n/src/index.ts`
- Current enabled locales are code-driven and shared across web/admin.
- Admin-managed locale toggles are planned for a later MVP.
## Key Naming Conventions
- Use `camelCase` for keys.
- Group by domain namespace (not by component filename).
- Keep keys stable; update values, not key names, during copy edits.
### Public app namespaces
- `Layout.*`
- `Home.*`
- `LanguageSwitcher.*`
- Page-specific namespaces, e.g. `About.*`, `Contact.*`
- Metadata namespace: `Seo.*`
### Admin app namespaces
- `common.*`
- `auth.*`
- `dashboard.*`
- `settings.*`
## Message Structure
- Keep messages as nested JSON objects.
- Avoid very deep nesting (prefer 2-3 levels).
- Keep punctuation in translation values, not code.
- Avoid embedding HTML in message strings.
## Fallback Rules
- Unknown/invalid locale values fallback to default locale `en`.
- Missing translation key behavior:
- Admin: `translateMessage` returns provided fallback, else key.
- Public: ensure required keys exist in locale JSON; avoid runtime missing-key states.
## Adding New Translation Keys
1. Add key/value in `apps/*/src/messages/en.json`.
2. Add equivalent key in `de/es/fr` JSON files.
3. Use key via translator:
- Web: `useTranslations("Namespace")` or `getTranslations("Namespace")`
- Admin: `useAdminT()` or server-side `translateMessage(...)`
4. Add/adjust tests for behavior where relevant.
## Translation Workflow
1. Author English source copy first.
2. Add keys in all supported locales in same change.
3. Keep semantic parity across locales.
4. Run checks:
- `bun run check`
- `bun run typecheck`
- `bun run test`
5. For route-level i18n behavior changes, run e2e smoke:
- `bunx playwright test --grep "i18n smoke"`
## QA Checklist
- Locale switch persists after refresh.
- Page headings and navigation labels translate correctly.
- Metadata (`Seo`) strings resolve per locale.
- No missing-key placeholders visible in UI.
## Related Files
- `apps/web/src/i18n/request.ts`
- `apps/web/src/i18n/routing.ts`
- `apps/admin/src/i18n/server.ts`
- `apps/admin/src/i18n/messages.ts`
- `packages/i18n/src/index.ts`

10
docs/product-engineering/index.md
View File

@@ -8,6 +8,14 @@ This section covers platform and implementation documentation for engineers and
- [Architecture](/architecture) - [Architecture](/architecture)
- [Better Auth Baseline](/product-engineering/auth-baseline) - [Better Auth Baseline](/product-engineering/auth-baseline)
- [RBAC And Permissions](/product-engineering/rbac-permission-model) - [RBAC And Permissions](/product-engineering/rbac-permission-model)
- [i18n Conventions](/product-engineering/i18n-conventions)
- [CRUD Examples](/product-engineering/crud-examples)
- [Domain Glossary](/product-engineering/domain-glossary)
- [Environment Runbook](/product-engineering/environment-runbook)
- [Delivery Pipeline](/product-engineering/delivery-pipeline)
- [Git Flow Governance](/product-engineering/git-flow-governance)
- [Testing Strategy Baseline](/product-engineering/testing-strategy)
- [ADR Index](/adr/)
- [Workflow](/workflow) - [Workflow](/workflow)
## Scope ## Scope
@@ -19,6 +27,4 @@ This section covers platform and implementation documentation for engineers and
## Planned Expansions ## Planned Expansions
- Domain model and glossary
- ADR (Architecture Decision Record) index
- Operational playbooks (incident, rollback, recovery) - Operational playbooks (incident, rollback, recovery)

33
docs/product-engineering/testing-strategy.md Normal file
View File

@@ -0,0 +1,33 @@
# Testing Strategy Baseline
## Goals
- Keep lint, typecheck, unit/integration, and e2e as mandatory quality gates.
- Make e2e runs deterministic by preparing schema and seeded data before test execution.
- Keep test data isolated per environment (`dev` local, CI database service in workflow).
## Current Gate Stack
- `bun run check`
- `bun run typecheck`
- `bun run test`
- `bun run test:e2e`
## Data Preparation
- `bun run test:e2e:prepare` runs:
- Prisma client generation
- migration deploy
- seed data (including support user bootstrap)
- `bun run test:e2e` and related scripts call `test:e2e:prepare` automatically.
## Locale Integration Coverage
- `e2e/i18n.pw.ts` covers:
- web locale switch + persistence
- admin locale switch + persistence
## CI
- Real quality workflow: `.gitea/workflows/ci.yml`
- Uses a PostgreSQL service container and runs the full gate stack, including e2e.

43
docs/public-api/glossary.md Normal file
View File

@@ -0,0 +1,43 @@
# Public API Glossary
## Scope
Baseline terms for future public API design and integration discussions.
## Terms
### Public API
Externally consumable endpoints intended for non-admin clients.
### Resource
Entity exposed by an API endpoint (for example: `page`, `media`, `news`).
### Contract
The stable request/response schema for an endpoint version.
### Version
Compatibility boundary for API contracts (for example: `v1`).
### Authentication
Identity verification mechanism for protected API routes.
### Authorization
Permission check determining whether an authenticated actor can access a resource/action.
### Pagination
Mechanism for splitting large result sets across requests.
### Idempotency
Property where repeating a request does not change final state beyond the first successful call.
### Rate Limit
Request threshold policy applied per consumer/time window.

5
docs/public-api/index.md
View File

@@ -11,6 +11,11 @@ No stable public API surface is documented yet.
- Add API docs when real endpoints are implemented and versioned - Add API docs when real endpoints are implemented and versioned
- Use OpenAPI as source of truth for endpoint reference - Use OpenAPI as source of truth for endpoint reference
- Keep integration guides and authentication examples here - Keep integration guides and authentication examples here
- Use glossary terms consistently across API specs and guides
## Reference
- [Public API Glossary](/public-api/glossary)
## Notes ## Notes

10
docs/workflow.md
View File

@@ -15,10 +15,10 @@ Follow `BRANCHING.md`:
## Quality Gates ## Quality Gates
- `bun run lint` - `bun run check`
- `bun run typecheck` - `bun run typecheck`
- `bun run test` - `bun run test`
- `bun run test:e2e --list` - `bun run test:e2e`
## Changelog ## Changelog
@@ -28,3 +28,9 @@ Follow `BRANCHING.md`:
```bash ```bash
bun run changelog:release bun run changelog:release
``` ```
## Governance
- Branch and PR governance checks run in `.gitea/workflows/ci.yml`.
- PR template: `.gitea/PULL_REQUEST_TEMPLATE.md`
- Versioning policy: `VERSIONING.md`

35
e2e/i18n-smoke.pw.ts Normal file
View File

@@ -0,0 +1,35 @@
import { expect, test } from "@playwright/test"
test.describe("i18n smoke", () => {
test("web renders localized page headings on key routes", async ({ page }, testInfo) => {
test.skip(testInfo.project.name !== "web-chromium")
await page.goto("/")
await page.locator("select").first().selectOption("de")
await expect(page.getByRole("heading", { name: /dein next\.js cms frontend/i })).toBeVisible()
await page.getByRole("link", { name: /über uns/i }).click()
await expect(page.getByRole("heading", { name: /über dieses projekt/i })).toBeVisible()
await page.locator("select").first().selectOption("es")
await expect(page.getByRole("heading", { name: /sobre este proyecto/i })).toBeVisible()
await page.getByRole("link", { name: /contacto/i }).click()
await expect(page.getByRole("heading", { name: /^contacto$/i })).toBeVisible()
})
test("admin login renders localized heading and labels", async ({ page }, testInfo) => {
test.skip(testInfo.project.name !== "admin-chromium")
await page.goto("/login")
await expect(page.getByRole("heading", { name: /sign in to cms admin/i })).toBeVisible()
await page.locator("select").first().selectOption("fr")
await expect(page.getByRole("heading", { name: /se connecter à cms admin/i })).toBeVisible()
await expect(page.getByLabel(/e-mail ou nom dutilisateur/i)).toBeVisible()
await page.locator("select").first().selectOption("es")
await expect(page.getByRole("heading", { name: /iniciar sesión en cms admin/i })).toBeVisible()
await expect(page.getByLabel(/correo o nombre de usuario/i)).toBeVisible()
})
})

29
e2e/i18n.pw.ts Normal file
View File

@@ -0,0 +1,29 @@
import { expect, test } from "@playwright/test"
test.describe("i18n integration", () => {
test("web language switcher updates and persists locale", async ({ page }, testInfo) => {
test.skip(testInfo.project.name !== "web-chromium")
await page.goto("/")
await expect(page.getByRole("heading", { name: /your next\.js cms frontend/i })).toBeVisible()
await page.locator("select").first().selectOption("de")
await expect(page.getByRole("heading", { name: /dein next\.js cms frontend/i })).toBeVisible()
await page.reload()
await expect(page.getByRole("heading", { name: /dein next\.js cms frontend/i })).toBeVisible()
})
test("admin language switcher updates and persists locale", async ({ page }, testInfo) => {
test.skip(testInfo.project.name !== "admin-chromium")
await page.goto("/login")
await expect(page.getByRole("heading", { name: /sign in to cms admin/i })).toBeVisible()
await page.locator("select").first().selectOption("de")
await expect(page.getByRole("heading", { name: /bei cms admin anmelden/i })).toBeVisible()
await page.reload()
await expect(page.getByRole("heading", { name: /bei cms admin anmelden/i })).toBeVisible()
})
})

20
e2e/support-auth.pw.ts Normal file
View File

@@ -0,0 +1,20 @@
import { expect, test } from "@playwright/test"
const SUPPORT_LOGIN_KEY = process.env.CMS_SUPPORT_LOGIN_KEY ?? "support-access"
test.describe("support fallback route", () => {
test("valid support key opens sign-in page", async ({ page }, testInfo) => {
test.skip(testInfo.project.name !== "admin-chromium")
await page.goto(`/support/${SUPPORT_LOGIN_KEY}`)
await expect(page.getByRole("heading", { name: /sign in to cms admin/i })).toBeVisible()
})
test("invalid support key returns not found", async ({ page }, testInfo) => {
test.skip(testInfo.project.name !== "admin-chromium")
const response = await page.goto("/support/invalid-key")
expect(response?.status()).toBe(404)
})
})

7
package.json
View File

@@ -18,9 +18,10 @@
"test": "vitest run", "test": "vitest run",
"test:watch": "vitest", "test:watch": "vitest",
"test:coverage": "vitest run --coverage", "test:coverage": "vitest run --coverage",
"test:e2e": "bun run db:generate && playwright test", "test:e2e:prepare": "bun run db:generate && bun run db:migrate:deploy && bun run db:seed",
"test:e2e:headed": "bun run db:generate && playwright test --headed", "test:e2e": "bun run test:e2e:prepare && playwright test",
"test:e2e:ui": "bun run db:generate && playwright test --ui", "test:e2e:headed": "bun run test:e2e:prepare && playwright test --headed",
"test:e2e:ui": "bun run test:e2e:prepare && playwright test --ui",
"commitlint": "commitlint --last", "commitlint": "commitlint --last",
"changelog:preview": "conventional-changelog -p conventionalcommits -r 0", "changelog:preview": "conventional-changelog -p conventionalcommits -r 0",
"changelog:release": "conventional-changelog -p conventionalcommits -i CHANGELOG.md -s", "changelog:release": "conventional-changelog -p conventionalcommits -i CHANGELOG.md -s",

21
packages/content/src/index.test.ts
View File

@@ -1,6 +1,6 @@
import { describe, expect, it } from "vitest" import { describe, expect, it } from "vitest"
import { postSchema, upsertPostSchema } from "./index" import { createPostInputSchema, postSchema, updatePostInputSchema, upsertPostSchema } from "./index"
describe("content schemas", () => { describe("content schemas", () => {
it("accepts a valid post", () => { it("accepts a valid post", () => {
@@ -17,7 +17,24 @@ describe("content schemas", () => {
expect(post.slug).toBe("hello-world") expect(post.slug).toBe("hello-world")
}) })
it("rejects invalid upsert payload", () => { it("rejects invalid create payload", () => {
const result = createPostInputSchema.safeParse({
title: "Hi",
slug: "x",
body: "",
status: "unknown",
})
expect(result.success).toBe(false)
})
it("rejects empty update payload", () => {
const result = updatePostInputSchema.safeParse({})
expect(result.success).toBe(false)
})
it("keeps upsert alias for backward compatibility", () => {
const result = upsertPostSchema.safeParse({ const result = upsertPostSchema.safeParse({
title: "Hi", title: "Hi",
slug: "x", slug: "x",

24
packages/content/src/index.ts
View File

@@ -4,22 +4,32 @@ export * from "./rbac"
export const postStatusSchema = z.enum(["draft", "published"]) export const postStatusSchema = z.enum(["draft", "published"])
export const postSchema = z.object({ const postMutableFieldsSchema = z.object({
id: z.string().uuid(),
title: z.string().min(3).max(180), title: z.string().min(3).max(180),
slug: z.string().min(3).max(180), slug: z.string().min(3).max(180),
excerpt: z.string().max(320).optional(), excerpt: z.string().max(320).optional(),
body: z.string().min(1), body: z.string().min(1),
status: postStatusSchema, status: postStatusSchema,
})
export const postSchema = z.object({
id: z.string().uuid(),
...postMutableFieldsSchema.shape,
createdAt: z.date(), createdAt: z.date(),
updatedAt: z.date(), updatedAt: z.date(),
}) })
export const upsertPostSchema = postSchema.omit({ export const createPostInputSchema = postMutableFieldsSchema
id: true, export const updatePostInputSchema = postMutableFieldsSchema
createdAt: true, .partial()
updatedAt: true, .refine((value) => Object.keys(value).length > 0, {
}) message: "At least one field is required for an update.",
})
// Backward-compatible alias while migrating callers to create/update-specific schemas.
export const upsertPostSchema = createPostInputSchema
export type Post = z.infer<typeof postSchema> export type Post = z.infer<typeof postSchema>
export type CreatePostInput = z.infer<typeof createPostInputSchema>
export type UpdatePostInput = z.infer<typeof updatePostInputSchema>
export type UpsertPostInput = z.infer<typeof upsertPostSchema> export type UpsertPostInput = z.infer<typeof upsertPostSchema>

27
packages/content/src/rbac.test.ts
View File

@@ -28,4 +28,31 @@ describe("rbac model", () => {
expect(permissionMatrix.editor.length).toBeGreaterThan(0) expect(permissionMatrix.editor.length).toBeGreaterThan(0)
expect(permissionMatrix.manager.length).toBeGreaterThan(0) expect(permissionMatrix.manager.length).toBeGreaterThan(0)
}) })
it("prevents privilege escalation for non-admin roles", () => {
expect(hasPermission("editor", "users:manage_roles", "global")).toBe(false)
expect(hasPermission("manager", "users:manage_roles", "global")).toBe(false)
expect(hasPermission("editor", "dashboard:read", "global")).toBe(true)
})
it("keeps role policy regressions visible for critical permissions", () => {
const criticalChecks: Array<{
role: "owner" | "support" | "admin" | "manager" | "editor"
permission: Parameters<typeof hasPermission>[1]
scope: Parameters<typeof hasPermission>[2]
allowed: boolean
}> = [
{ role: "owner", permission: "users:manage_roles", scope: "global", allowed: true },
{ role: "support", permission: "users:manage_roles", scope: "global", allowed: true },
{ role: "admin", permission: "banner:write", scope: "global", allowed: true },
{ role: "manager", permission: "users:write", scope: "global", allowed: false },
{ role: "manager", permission: "users:write", scope: "team", allowed: true },
{ role: "editor", permission: "news:publish", scope: "team", allowed: false },
{ role: "editor", permission: "news:publish", scope: "own", allowed: true },
]
for (const check of criticalChecks) {
expect(hasPermission(check.role, check.permission, check.scope)).toBe(check.allowed)
}
})
}) })

22
packages/crud/package.json Normal file
View File

@@ -0,0 +1,22 @@
{
"name": "@cms/crud",
"version": "0.0.1",
"private": true,
"type": "module",
"exports": {
".": "./src/index.ts"
},
"scripts": {
"build": "tsc -p tsconfig.json",
"lint": "biome check src",
"typecheck": "tsc -p tsconfig.json --noEmit"
},
"dependencies": {
"zod": "4.3.6"
},
"devDependencies": {
"@cms/config": "workspace:*",
"@biomejs/biome": "2.3.14",
"typescript": "5.9.3"
}
}

124
packages/crud/src/contract.test.ts Normal file
View File

@@ -0,0 +1,124 @@
import { describe, expect, it } from "vitest"
import { z } from "zod"
import { createCrudService } from "./service"
type RecordItem = {
id: string
title: string
}
describe("crud service contract", () => {
it("calls repository in expected order for update and delete", async () => {
const calls: string[] = []
const state = new Map<string, RecordItem>([["1", { id: "1", title: "Initial" }]])
const service = createCrudService({
resource: "item",
repository: {
list: async () => {
calls.push("list")
return Array.from(state.values())
},
findById: async (id) => {
calls.push(`findById:${id}`)
return state.get(id) ?? null
},
create: async (input: { title: string }) => {
calls.push("create")
return {
id: "2",
title: input.title,
}
},
update: async (id, input: { title?: string }) => {
calls.push(`update:${id}`)
const current = state.get(id)
if (!current) {
throw new Error("missing")
}
const updated = {
...current,
...input,
}
state.set(id, updated)
return updated
},
delete: async (id) => {
calls.push(`delete:${id}`)
const current = state.get(id)
if (!current) {
throw new Error("missing")
}
state.delete(id)
return current
},
},
schemas: {
create: z.object({
title: z.string().min(3),
}),
update: z.object({
title: z.string().min(3).optional(),
}),
},
})
await service.update("1", { title: "Updated" })
await service.delete("1")
expect(calls).toEqual(["findById:1", "update:1", "findById:1", "delete:1"])
})
it("passes parsed payload to repository create/update contracts", async () => {
let createPayload: unknown = null
let updatePayload: unknown = null
const service = createCrudService({
resource: "item",
repository: {
list: async () => [],
findById: async () => ({
id: "1",
title: "Existing",
}),
create: async (input: { title: string }) => {
createPayload = input
return {
id: "2",
title: input.title,
}
},
update: async (_id, input: { title?: string }) => {
updatePayload = input
return {
id: "1",
title: input.title ?? "Existing",
}
},
delete: async () => ({
id: "1",
title: "Existing",
}),
},
schemas: {
create: z.object({
title: z.string().trim().min(3),
}),
update: z.object({
title: z.string().trim().min(3).optional(),
}),
},
})
await service.create({
title: " Created ",
})
await service.update("1", {
title: " Updated ",
})
expect(createPayload).toEqual({ title: "Created" })
expect(updatePayload).toEqual({ title: "Updated" })
})
})

41
packages/crud/src/errors.ts Normal file
View File

@@ -0,0 +1,41 @@
import type { ZodIssue } from "zod"
export class CrudError extends Error {
public readonly code: string
constructor(message: string, code: string) {
super(message)
this.name = "CrudError"
this.code = code
}
}
export class CrudValidationError extends CrudError {
public readonly resource: string
public readonly operation: "create" | "update"
public readonly issues: ZodIssue[]
constructor(params: {
resource: string
operation: "create" | "update"
issues: ZodIssue[]
}) {
super(`Validation failed for ${params.resource} ${params.operation}`, "CRUD_VALIDATION")
this.name = "CrudValidationError"
this.resource = params.resource
this.operation = params.operation
this.issues = params.issues
}
}
export class CrudNotFoundError extends CrudError {
public readonly resource: string
public readonly id: string
constructor(params: { resource: string; id: string }) {
super(`${params.resource} ${params.id} was not found`, "CRUD_NOT_FOUND")
this.name = "CrudNotFoundError"
this.resource = params.resource
this.id = params.id
}
}

3
packages/crud/src/index.ts Normal file
View File

@@ -0,0 +1,3 @@
export * from "./errors"
export * from "./service"
export * from "./types"

204
packages/crud/src/service.test.ts Normal file
View File

@@ -0,0 +1,204 @@
import { describe, expect, it } from "vitest"
import { z } from "zod"
import { CrudNotFoundError, CrudValidationError } from "./errors"
import { createCrudService } from "./service"
type FakeEntity = {
id: string
title: string
}
type CreateFakeEntityInput = {
title: string
}
type UpdateFakeEntityInput = {
title?: string
}
function createMemoryRepository() {
const state = new Map<string, FakeEntity>()
let sequence = 0
return {
list: async () => Array.from(state.values()),
findById: async (id: string) => state.get(id) ?? null,
create: async (input: CreateFakeEntityInput) => {
sequence += 1
const created = {
id: `${sequence}`,
title: input.title,
}
state.set(created.id, created)
return created
},
update: async (id: string, input: UpdateFakeEntityInput) => {
const current = state.get(id)
if (!current) {
throw new Error("unexpected missing entity in test repository")
}
const updated = {
...current,
...input,
}
state.set(id, updated)
return updated
},
delete: async (id: string) => {
const current = state.get(id)
if (!current) {
throw new Error("unexpected missing entity in test repository")
}
state.delete(id)
return current
},
}
}
describe("createCrudService", () => {
it("supports list and detail lookups through the repository contract", async () => {
const service = createCrudService({
resource: "fake-entity",
repository: createMemoryRepository(),
schemas: {
create: z.object({
title: z.string().min(3),
}),
update: z.object({
title: z.string().min(3).optional(),
}),
},
})
const createdA = await service.create({ title: "First" })
const createdB = await service.create({ title: "Second" })
expect(await service.getById(createdA.id)).toEqual(createdA)
expect(await service.getById("missing")).toBeNull()
const listed = await service.list()
expect(listed).toHaveLength(2)
expect(listed).toContainEqual(createdA)
expect(listed).toContainEqual(createdB)
})
it("validates create and update payloads", async () => {
const service = createCrudService({
resource: "fake-entity",
repository: createMemoryRepository(),
schemas: {
create: z.object({
title: z.string().min(3),
}),
update: z
.object({
title: z.string().min(3).optional(),
})
.refine((value) => Object.keys(value).length > 0, {
message: "at least one field must be updated",
}),
},
})
await expect(service.create({ title: "ok" })).rejects.toBeInstanceOf(CrudValidationError)
await expect(service.update("1", {})).rejects.toBeInstanceOf(CrudValidationError)
})
it("throws not found for unknown update and delete", async () => {
const service = createCrudService({
resource: "fake-entity",
repository: createMemoryRepository(),
schemas: {
create: z.object({
title: z.string().min(3),
}),
update: z.object({
title: z.string().min(3).optional(),
}),
},
})
await expect(service.update("missing", { title: "Updated" })).rejects.toBeInstanceOf(
CrudNotFoundError,
)
await expect(service.delete("missing")).rejects.toBeInstanceOf(CrudNotFoundError)
})
it("emits audit events for create, update and delete", async () => {
const events: Array<{
action: string
beforeTitle: string | null
afterTitle: string | null
actorRole: string | null
requestId: string | null
}> = []
const service = createCrudService({
resource: "fake-entity",
repository: createMemoryRepository(),
schemas: {
create: z.object({
title: z.string().min(3),
}),
update: z.object({
title: z.string().min(3).optional(),
}),
},
auditHooks: [
(event) => {
events.push({
action: event.action,
beforeTitle: event.before?.title ?? null,
afterTitle: event.after?.title ?? null,
actorRole: event.actor?.role ?? null,
requestId:
typeof event.metadata?.requestId === "string" ? event.metadata.requestId : null,
})
},
],
})
const created = await service.create(
{ title: "Created" },
{
actor: { id: "u-1", role: "owner" },
metadata: {
requestId: "req-1",
},
},
)
await service.update(created.id, { title: "Updated" })
await service.delete(created.id)
expect(events).toEqual([
{
action: "create",
beforeTitle: null,
afterTitle: "Created",
actorRole: "owner",
requestId: "req-1",
},
{
action: "update",
beforeTitle: "Created",
afterTitle: "Updated",
actorRole: null,
requestId: null,
},
{
action: "delete",
beforeTitle: "Updated",
afterTitle: null,
actorRole: null,
requestId: null,
},
])
})
})

159
packages/crud/src/service.ts Normal file
View File

@@ -0,0 +1,159 @@
import type { ZodIssue } from "zod"
import { CrudNotFoundError, CrudValidationError } from "./errors"
import type { CrudAction, CrudAuditHook, CrudMutationContext, CrudRepository } from "./types"
type SchemaSafeParseResult<TInput> =
| {
success: true
data: TInput
}
| {
success: false
error: {
issues: ZodIssue[]
}
}
type CrudSchema<TInput> = {
safeParse: (input: unknown) => SchemaSafeParseResult<TInput>
}
type CrudSchemas<TCreateInput, TUpdateInput> = {
create: CrudSchema<TCreateInput>
update: CrudSchema<TUpdateInput>
}
type CreateCrudServiceOptions<TRecord, TCreateInput, TUpdateInput, TId extends string = string> = {
resource: string
repository: CrudRepository<TRecord, TCreateInput, TUpdateInput, TId>
schemas: CrudSchemas<TCreateInput, TUpdateInput>
auditHooks?: Array<CrudAuditHook<TRecord>>
}
async function emitAuditHooks<TRecord>(
hooks: Array<CrudAuditHook<TRecord>>,
event: {
resource: string
action: CrudAction
actor: CrudMutationContext["actor"]
metadata: CrudMutationContext["metadata"]
before: TRecord | null
after: TRecord | null
},
): Promise<void> {
if (hooks.length === 0) {
return
}
const payload = {
...event,
actor: event.actor ?? null,
at: new Date(),
}
for (const hook of hooks) {
await hook(payload)
}
}
function parseOrThrow<TInput>(params: {
schema: CrudSchema<TInput>
input: unknown
resource: string
operation: "create" | "update"
}): TInput {
const parsed = params.schema.safeParse(params.input)
if (parsed.success) {
return parsed.data
}
throw new CrudValidationError({
resource: params.resource,
operation: params.operation,
issues: parsed.error.issues,
})
}
export function createCrudService<TRecord, TCreateInput, TUpdateInput, TId extends string = string>(
options: CreateCrudServiceOptions<TRecord, TCreateInput, TUpdateInput, TId>,
) {
const auditHooks = options.auditHooks ?? []
return {
list: () => options.repository.list(),
getById: (id: TId) => options.repository.findById(id),
create: async (input: unknown, context: CrudMutationContext = {}) => {
const payload = parseOrThrow({
schema: options.schemas.create,
input,
resource: options.resource,
operation: "create",
})
const created = await options.repository.create(payload)
await emitAuditHooks(auditHooks, {
resource: options.resource,
action: "create",
actor: context.actor,
metadata: context.metadata,
before: null,
after: created,
})
return created
},
update: async (id: TId, input: unknown, context: CrudMutationContext = {}) => {
const payload = parseOrThrow({
schema: options.schemas.update,
input,
resource: options.resource,
operation: "update",
})
const existing = await options.repository.findById(id)
if (!existing) {
throw new CrudNotFoundError({
resource: options.resource,
id,
})
}
const updated = await options.repository.update(id, payload)
await emitAuditHooks(auditHooks, {
resource: options.resource,
action: "update",
actor: context.actor,
metadata: context.metadata,
before: existing,
after: updated,
})
return updated
},
delete: async (id: TId, context: CrudMutationContext = {}) => {
const existing = await options.repository.findById(id)
if (!existing) {
throw new CrudNotFoundError({
resource: options.resource,
id,
})
}
const deleted = await options.repository.delete(id)
await emitAuditHooks(auditHooks, {
resource: options.resource,
action: "delete",
actor: context.actor,
metadata: context.metadata,
before: existing,
after: null,
})
return deleted
},
}
}

31
packages/crud/src/types.ts Normal file
View File

@@ -0,0 +1,31 @@
export type CrudAction = "create" | "update" | "delete"
export type CrudActor = {
id?: string | null
role?: string | null
}
export type CrudMutationContext = {
actor?: CrudActor | null
metadata?: Record<string, unknown>
}
export type CrudAuditEvent<TRecord> = {
resource: string
action: CrudAction
at: Date
actor: CrudActor | null
metadata?: Record<string, unknown>
before: TRecord | null
after: TRecord | null
}
export type CrudAuditHook<TRecord> = (event: CrudAuditEvent<TRecord>) => Promise<void> | void
export type CrudRepository<TRecord, TCreateInput, TUpdateInput, TId extends string = string> = {
list: () => Promise<TRecord[]>
findById: (id: TId) => Promise<TRecord | null>
create: (input: TCreateInput) => Promise<TRecord>
update: (id: TId, input: TUpdateInput) => Promise<TRecord>
delete: (id: TId) => Promise<TRecord>
}

9
packages/crud/tsconfig.json Normal file
View File

@@ -0,0 +1,9 @@
{
"extends": "@cms/config/tsconfig/base",
"compilerOptions": {
"noEmit": false,
"outDir": "dist"
},
"include": ["src/**/*.ts"],
"exclude": ["src/**/*.test.ts"]
}

1
packages/db/package.json
View File

@@ -20,6 +20,7 @@
"db:seed": "bun --env-file=../../.env prisma/seed.ts" "db:seed": "bun --env-file=../../.env prisma/seed.ts"
}, },
"dependencies": { "dependencies": {
"@cms/crud": "workspace:*",
"@cms/content": "workspace:*", "@cms/content": "workspace:*",
"@prisma/adapter-pg": "7.3.0", "@prisma/adapter-pg": "7.3.0",
"@prisma/client": "7.3.0", "@prisma/client": "7.3.0",

9
packages/db/prisma/migrations/20260210200148_admin_registration_policy_setting/migration.sql Normal file
View File

@@ -0,0 +1,9 @@
-- CreateTable
CREATE TABLE "system_setting" (
"key" TEXT NOT NULL,
"value" TEXT NOT NULL,
"createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
"updatedAt" TIMESTAMP(3) NOT NULL,
CONSTRAINT "system_setting_pkey" PRIMARY KEY ("key")
);

9
packages/db/prisma/schema.prisma
View File

@@ -87,3 +87,12 @@ model Verification {
@@index([identifier]) @@index([identifier])
@@map("verification") @@map("verification")
} }
model SystemSetting {
key String @id
value String
createdAt DateTime @default(now())
updatedAt DateTime @updatedAt
@@map("system_setting")
}

Some files were not shown because too many files have changed in this diff Show More