test(crud): finalize MVP1 gate CRUD contract coverage

merge: todo/mvp0-admin-i18n-baseline into dev
merge: todo/mvp0-crud-foundation into dev
2026-02-10 21:26:49 +01:00 · 2026-02-10 21:21:35 +01:00 · 2026-02-10 21:21:32 +01:00 · 2026-02-10 21:21:28 +01:00 · 2026-02-10 21:21:25 +01:00 · 2026-02-10 21:17:41 +01:00
71 changed files with 2894 additions and 256 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@ -0,0 +1,70 @@
 name: CMS CI
 on:
  pull_request:
  push:
    branches:
      - dev
      - staging
      - main
  workflow_dispatch:
 env:
  BUN_VERSION: "1.3.5"
  NODE_ENV: "test"
  DATABASE_URL: "postgresql://postgres:postgres@postgres:5432/cms?schema=public"
  BETTER_AUTH_SECRET: "ci-test-secret-change-me"
  BETTER_AUTH_URL: "http://localhost:3001"
  CMS_ADMIN_ORIGIN: "http://127.0.0.1:3001"
  CMS_WEB_ORIGIN: "http://127.0.0.1:3000"
  CMS_ADMIN_SELF_REGISTRATION_ENABLED: "false"
  CMS_SUPPORT_USERNAME: "support"
  CMS_SUPPORT_EMAIL: "support@cms.local"
  CMS_SUPPORT_PASSWORD: "support-ci-password"
  CMS_SUPPORT_NAME: "Technical Support"
  CMS_SUPPORT_LOGIN_KEY: "support-access"
 jobs:
  quality:
    name: Lint Typecheck Unit E2E
    runs-on: ubuntu-latest
    services:
      postgres:
        image: postgres:16-alpine
        env:
          POSTGRES_DB: cms
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
        ports:
          - 5432:5432
        options: >-
          --health-cmd "pg_isready -U postgres -d cms"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: ${{ env.BUN_VERSION }}
      - name: Install dependencies
        run: bun install --frozen-lockfile
      - name: Install Playwright browser deps
        run: bunx playwright install --with-deps chromium
      - name: Lint and format checks
        run: bun run check
      - name: Typecheck
        run: bun run typecheck
      - name: Unit and integration tests
        run: bun run test
      - name: E2E tests
        run: bun run test:e2e
--- a/README.md
+++ b/README.md
@ -69,6 +69,7 @@ bun run dev
 - `bun run test`
 - `bun run test:watch`
 - `bun run test:coverage`
 - `bun run test:e2e:prepare`
 - `bun run test:e2e`
 - `bun run lint`
 - `bun run typecheck`
@ -85,6 +86,7 @@ bun run dev
 - Unit/integration/component: Vitest + Testing Library + MSW
 - E2E: Playwright (separate projects for `web` and `admin`)
 - Use `bun run test` and `bun run test:e2e` (not plain `bun test`, which uses Bun's runner)
 - E2E data prep (migrations + seed): `bun run test:e2e:prepare`
 One-time Playwright browser install:
@ -97,6 +99,7 @@ bunx playwright install
 The repo includes a theoretical CI/CD and deployment baseline:
 - Gitea workflow: `.gitea/workflows/ci-cd-theoretical.yml`
 - Real quality gate workflow: `.gitea/workflows/ci.yml`
 - App images:
  - `apps/web/Dockerfile`
  - `apps/admin/Dockerfile`
--- a/TODO.md
+++ b/TODO.md
@ -21,20 +21,20 @@ This file is the single source of truth for roadmap and delivery progress.
 - [x] [P1] RBAC domain model finalized (roles, permissions, resource scopes)
 - [x] [P1] RBAC enforcement at route and action level in admin
 - [x] [P1] Permission matrix documented and tested
- [ ] [P1] i18n baseline architecture (default locale, supported locales, routing strategy)
+- [x] [P1] i18n baseline architecture (default locale, supported locales, routing strategy)
- [ ] [P1] i18n runtime integration baseline for both apps (locale provider + message loading)
+- [x] [P1] i18n runtime integration baseline for both apps (locale provider + message loading)
- [ ] [P1] Locale persistence and switcher base component (cookie/header + UI)
+- [x] [P1] Locale persistence and switcher base component (cookie/header + UI)
 - [x] [P1] Integrate Better Auth core configuration and session wiring
 - [x] [P1] Bootstrap first-run owner account creation via initial registration flow
 - [x] [P1] Enforce invariant: exactly one owner user must always exist
 - [x] [P1] Create hidden technical support user by default (non-demotable, non-deletable)
- [~] [P1] Admin registration policy control (allow/deny self-registration for admin panel)
+- [x] [P1] Admin registration policy control (allow/deny self-registration for admin panel)
 - [x] [P1] First-start onboarding route for initial owner creation (`/welcome`)
 - [x] [P1] Split auth entry points (`/welcome`, `/login`, `/register`) with cross-links
- [~] [P2] Support fallback sign-in route (`/support/:key`) as break-glass access
+- [x] [P2] Support fallback sign-in route (`/support/:key`) as break-glass access
- [ ] [P1] Reusable CRUD base patterns (list/detail/editor/service/repository)
+- [x] [P1] Reusable CRUD base patterns (list/detail/editor/service/repository)
- [ ] [P1] Shared CRUD validation strategy (Zod + server-side enforcement)
+- [x] [P1] Shared CRUD validation strategy (Zod + server-side enforcement)
- [ ] [P1] Shared error and audit hooks for CRUD mutations
+- [x] [P1] Shared error and audit hooks for CRUD mutations
 ### Admin App
@ -44,7 +44,8 @@ This file is the single source of truth for roadmap and delivery progress.
 - [~] [P2] Base admin dashboard shell and roadmap page (`/todo`)
 - [x] [P1] Authentication and session model (`admin`, `editor`, `manager`)
 - [x] [P1] Protected admin routes and session handling
- [ ] [P1] Core admin IA (pages/media/users/commissions/settings)
+- [~] [P1] Temporary admin posts CRUD sandbox for baseline functional validation
 - [~] [P1] Core admin IA (pages/media/users/commissions/settings)
 ### Public App
@ -60,11 +61,11 @@ This file is the single source of truth for roadmap and delivery progress.
 - [x] [P1] Vitest + Testing Library + MSW baseline
 - [x] [P1] Playwright baseline with web/admin projects
- [ ] [P1] CI workflow for lint/typecheck/unit/e2e gates
+- [x] [P1] CI workflow for lint/typecheck/unit/e2e gates
- [ ] [P1] Test data strategy (seed fixtures + isolated e2e data)
+- [x] [P1] Test data strategy (seed fixtures + isolated e2e data)
 - [~] [P1] RBAC policy unit tests and permission regression suite
 - [ ] [P1] i18n unit tests (locale resolution, fallback, message key loading)
- [ ] [P1] i18n integration tests (admin/public locale switch and persistence)
+- [x] [P1] i18n integration tests (admin/public locale switch and persistence)
 - [ ] [P1] i18n e2e smoke tests (localized headings/content per route)
 - [ ] [P1] CRUD contract tests for shared service patterns
@ -73,7 +74,7 @@ This file is the single source of truth for roadmap and delivery progress.
 - [x] [P1] Docs tool baseline added (`docs/` via VitePress)
 - [x] [P1] RBAC and permission model documentation in docs site
 - [ ] [P2] i18n conventions docs (keys, namespaces, fallback, translation workflow)
- [ ] [P1] CRUD base patterns documentation and examples
+- [~] [P1] CRUD base patterns documentation and examples
 - [ ] [P1] Environment and deployment runbook docs (dev/staging/production)
 - [ ] [P2] API and domain glossary pages
 - [ ] [P2] Architecture Decision Records (ADR) structure and first ADRs
@ -159,6 +160,8 @@ This file is the single source of truth for roadmap and delivery progress.
 - [ ] [P1] Forgot password/reset password pipeline and support tooling
 - [ ] [P2] GUI page to edit role-permission mappings with safety guardrails
 - [ ] [P2] Translation management UI for admin (language toggles, key coverage, missing translation markers)
 - [ ] [P2] Time-boxed support access keys generated by privileged admins; while active, disable direct support-user password login on the regular auth form
 - [ ] [P2] Keep permanent emergency support key fallback via env (`CMS_SUPPORT_LOGIN_KEY`)
 - [ ] [P2] Error boundaries and UX fallback states
 ### Public App
@ -192,6 +195,14 @@ This file is the single source of truth for roadmap and delivery progress.
 - [2026-02-10] Next.js 16 deprecates `middleware.ts` convention in favor of `proxy.ts`; admin route guard now lives at `apps/admin/src/proxy.ts`.
 - [2026-02-10] `server-only` imports break Bun CLI scripts; shared auth bootstrap code used by scripts must avoid Next-only runtime markers.
 - [2026-02-10] Auth delete-account endpoints now block protected users (support + canonical owner); admin user-management delete/demote guards remain to be implemented.
 - [2026-02-10] Public app i18n baseline now uses `next-intl` with a Zustand-backed language switcher and path-stable routes.
 - [2026-02-10] Public baseline locales are now `de`, `en`, `es`, `fr`; locale enable/disable policy will move to admin settings later.
 - [2026-02-10] Shared CRUD base (`@cms/crud`) is live with validation, not-found errors, and audit hook contracts; only posts are migrated so far.
 - [2026-02-10] Admin dashboard includes a temporary posts CRUD sandbox (create/update/delete) to validate the shared CRUD base through the real app UI.
 - [2026-02-10] Admin i18n baseline now resolves locale from cookie and loads runtime message dictionaries in root layout; admin locale switcher is active on auth and dashboard views.
 - [2026-02-10] Admin self-registration policy is now managed via `/settings` and persisted in `system_setting`; env var is fallback/default only.
 - [2026-02-10] E2E now runs with deterministic preparation (`test:e2e:prepare`: generate + migrate deploy + seed) before Playwright execution.
 - [2026-02-10] CI quality workflow `.gitea/workflows/ci.yml` enforces `check`, `typecheck`, `test`, and `test:e2e` against a PostgreSQL service.
 ## How We Use This File
--- a/apps/admin/package.json
+++ b/apps/admin/package.json
@ -14,6 +14,7 @@
  "dependencies": {
    "@cms/content": "workspace:*",
    "@cms/db": "workspace:*",
    "@cms/i18n": "workspace:*",
    "@cms/ui": "workspace:*",
    "@tanstack/react-form": "1.28.0",
    "@tanstack/react-query": "5.90.20",
--- a/apps/admin/src/app/layout.tsx
+++ b/apps/admin/src/app/layout.tsx
@ -1,6 +1,7 @@
 import type { Metadata } from "next"
 import type { ReactNode } from "react"
 import { getAdminMessages, resolveAdminLocale } from "@/i18n/server"
 import "./globals.css"
 import { Providers } from "./providers"
@ -9,11 +10,16 @@ export const metadata: Metadata = {
  description: "Admin dashboard for the CMS monorepo",
 }
-export default function RootLayout({ children }: { children: ReactNode }) {
+export default async function RootLayout({ children }: { children: ReactNode }) {
  const locale = await resolveAdminLocale()
  const messages = await getAdminMessages(locale)
  return (
-    <html lang="en">
+    <html lang={locale}>
      <body>
-        <Providers>{children}</Providers>
+        <Providers locale={locale} messages={messages}>
          {children}
        </Providers>
      </body>
    </html>
  )
--- a/apps/admin/src/app/login/login-form.tsx
+++ b/apps/admin/src/app/login/login-form.tsx
@ -4,8 +4,11 @@ import Link from "next/link"
 import { useRouter, useSearchParams } from "next/navigation"
 import { type FormEvent, useMemo, useState } from "react"
 import { AdminLocaleSwitcher } from "@/components/admin-locale-switcher"
 import { useAdminT } from "@/providers/admin-i18n-provider"
 type LoginFormProps = {
-  mode: "signin" | "signup-owner" | "signup-user"
+  mode: "signin" | "signup-owner" | "signup-user" | "signup-disabled"
 }
 type AuthResponse = {
@ -27,6 +30,7 @@ function persistRoleCookie(role: unknown) {
 export function LoginForm({ mode }: LoginFormProps) {
  const router = useRouter()
  const searchParams = useSearchParams()
  const t = useAdminT()
  const nextPath = useMemo(() => searchParams.get("next") || "/", [searchParams])
@ -37,6 +41,7 @@ export function LoginForm({ mode }: LoginFormProps) {
  const [isBusy, setIsBusy] = useState(false)
  const [error, setError] = useState<string | null>(null)
  const [success, setSuccess] = useState<string | null>(null)
  const canSubmitSignUp = mode === "signup-owner" || mode === "signup-user"
  async function handleSignIn(event: FormEvent<HTMLFormElement>) {
    event.preventDefault()
@ -60,7 +65,7 @@ export function LoginForm({ mode }: LoginFormProps) {
      const payload = (await response.json().catch(() => null)) as AuthResponse | null
      if (!response.ok) {
-        setError(payload?.message ?? "Sign in failed")
+        setError(payload?.message ?? t("auth.errors.signInFailed", "Sign in failed"))
        return
      }
@ -68,7 +73,7 @@ export function LoginForm({ mode }: LoginFormProps) {
      router.push(nextPath)
      router.refresh()
    } catch {
-      setError("Network error while signing in")
+      setError(t("auth.errors.networkSignIn", "Network error while signing in"))
    } finally {
      setIsBusy(false)
    }
@ -78,7 +83,7 @@ export function LoginForm({ mode }: LoginFormProps) {
    event.preventDefault()
    if (!name.trim()) {
-      setError("Name is required for account creation")
+      setError(t("auth.errors.nameRequired", "Name is required for account creation"))
      return
    }
@ -104,20 +109,20 @@ export function LoginForm({ mode }: LoginFormProps) {
      const payload = (await response.json().catch(() => null)) as AuthResponse | null
      if (!response.ok) {
-        setError(payload?.message ?? "Sign up failed")
+        setError(payload?.message ?? t("auth.errors.signUpFailed", "Sign up failed"))
        return
      }
      persistRoleCookie(payload?.user?.role)
      setSuccess(
        mode === "signup-owner"
-          ? "Owner account created. Registration is now disabled."
+          ? t("auth.messages.ownerCreated", "Owner account created. Registration is now disabled.")
-          : "Account created.",
+          : t("auth.messages.accountCreated", "Account created."),
      )
      router.push(nextPath)
      router.refresh()
    } catch {
-      setError("Network error while signing up")
+      setError(t("auth.errors.networkSignUp", "Network error while signing up"))
    } finally {
      setIsBusy(false)
    }
@ -126,24 +131,35 @@ export function LoginForm({ mode }: LoginFormProps) {
  return (
    <main className="mx-auto flex min-h-screen w-full max-w-md flex-col justify-center px-6 py-16">
      <div className="space-y-3">
-        <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">Admin Auth</p>
+        <div className="flex items-center justify-between gap-3">
          <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">
            {t("auth.badge", "Admin Auth")}
          </p>
          <AdminLocaleSwitcher />
        </div>
        <h1 className="text-3xl font-semibold tracking-tight">
          {mode === "signin"
-            ? "Sign in to CMS Admin"
+            ? t("auth.titles.signIn", "Sign in to CMS Admin")
            : mode === "signup-owner"
-              ? "Welcome to CMS Admin"
+              ? t("auth.titles.signUpOwner", "Welcome to CMS Admin")
-              : "Create an admin account"}
+              : mode === "signup-user"
                ? t("auth.titles.signUpUser", "Create an admin account")
                : t("auth.titles.signUpDisabled", "Registration is disabled")}
        </h1>
        <p className="text-sm text-neutral-600">
-          {mode === "signin" ? (
+          {mode === "signin"
-            <>
+            ? t("auth.descriptions.signIn", "Better Auth is active on this app via /api/auth.")
-              Better Auth is active on this app via <code>/api/auth</code>.
+            : mode === "signup-owner"
-            </>
+              ? t(
-          ) : mode === "signup-owner" ? (
+                  "auth.descriptions.signUpOwner",
-            "Create the first owner account to initialize this admin instance."
+                  "Create the first owner account to initialize this admin instance.",
-          ) : (
+                )
-            "Self-registration is enabled for admin users."
+              : mode === "signup-user"
-          )}
+                ? t("auth.descriptions.signUpUser", "Self-registration is enabled for admin users.")
                : t(
                    "auth.descriptions.signUpDisabled",
                    "Self-registration is currently turned off by an administrator.",
                  )}
        </p>
      </div>
@ -154,7 +170,7 @@ export function LoginForm({ mode }: LoginFormProps) {
        >
          <div className="space-y-1">
            <label className="text-sm font-medium" htmlFor="email">
-              Email or username
+              {t("auth.fields.emailOrUsername", "Email or username")}
            </label>
            <input
              id="email"
@ -168,84 +184,7 @@ export function LoginForm({ mode }: LoginFormProps) {
          <div className="space-y-1">
            <label className="text-sm font-medium" htmlFor="password">
-              Password
+              {t("auth.fields.password", "Password")}
            </label>
            <input
              id="password"
              type="password"
              minLength={8}
              required
              value={password}
              onChange={(event) => setPassword(event.target.value)}
              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
            />
          </div>
          <button
            type="submit"
            disabled={isBusy}
            className="w-full rounded-md bg-neutral-900 px-4 py-2 text-sm font-medium text-white disabled:opacity-60"
          >
            {isBusy ? "Signing in..." : "Sign in"}
          </button>
          <p className="text-xs text-neutral-600">
            Need an account?{" "}
            <Link href={`/register?next=${encodeURIComponent(nextPath)}`} className="underline">
              Register
            </Link>
          </p>
          {error ? <p className="text-sm text-red-600">{error}</p> : null}
        </form>
      ) : (
        <form
          onSubmit={handleSignUp}
          className="mt-8 space-y-4 rounded-xl border border-neutral-200 p-6"
        >
          <div className="space-y-1">
            <label className="text-sm font-medium" htmlFor="name">
              Name
            </label>
            <input
              id="name"
              type="text"
              value={name}
              onChange={(event) => setName(event.target.value)}
              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
            />
          </div>
          <div className="space-y-1">
            <label className="text-sm font-medium" htmlFor="email">
              Email
            </label>
            <input
              id="email"
              type="email"
              required
              value={email}
              onChange={(event) => setEmail(event.target.value)}
              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
            />
          </div>
          <div className="space-y-1">
            <label className="text-sm font-medium" htmlFor="username">
              Username (optional)
            </label>
            <input
              id="username"
              type="text"
              value={username}
              onChange={(event) => setUsername(event.target.value)}
              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
            />
          </div>
          <div className="space-y-1">
            <label className="text-sm font-medium" htmlFor="password">
              Password
            </label>
            <input
              id="password"
@ -264,22 +203,115 @@ export function LoginForm({ mode }: LoginFormProps) {
            className="w-full rounded-md bg-neutral-900 px-4 py-2 text-sm font-medium text-white disabled:opacity-60"
          >
            {isBusy
-              ? "Creating account..."
+              ? t("auth.actions.signInBusy", "Signing in...")
-              : mode === "signup-owner"
+              : t("auth.actions.signInIdle", "Sign in")}
                ? "Create owner account"
                : "Create account"}
          </button>
          <p className="text-xs text-neutral-600">
-            Already have an account?{" "}
+            {t("auth.links.needAccount", "Need an account?")}{" "}
            <Link href={`/register?next=${encodeURIComponent(nextPath)}`} className="underline">
              {t("auth.links.register", "Register")}
            </Link>
          </p>
          {error ? <p className="text-sm text-red-600">{error}</p> : null}
        </form>
      ) : canSubmitSignUp ? (
        <form
          onSubmit={handleSignUp}
          className="mt-8 space-y-4 rounded-xl border border-neutral-200 p-6"
        >
          <div className="space-y-1">
            <label className="text-sm font-medium" htmlFor="name">
              {t("auth.fields.name", "Name")}
            </label>
            <input
              id="name"
              type="text"
              value={name}
              onChange={(event) => setName(event.target.value)}
              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
            />
          </div>
          <div className="space-y-1">
            <label className="text-sm font-medium" htmlFor="email">
              {t("auth.fields.email", "Email")}
            </label>
            <input
              id="email"
              type="email"
              required
              value={email}
              onChange={(event) => setEmail(event.target.value)}
              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
            />
          </div>
          <div className="space-y-1">
            <label className="text-sm font-medium" htmlFor="username">
              {t("auth.fields.username", "Username (optional)")}
            </label>
            <input
              id="username"
              type="text"
              value={username}
              onChange={(event) => setUsername(event.target.value)}
              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
            />
          </div>
          <div className="space-y-1">
            <label className="text-sm font-medium" htmlFor="password">
              {t("auth.fields.password", "Password")}
            </label>
            <input
              id="password"
              type="password"
              minLength={8}
              required
              value={password}
              onChange={(event) => setPassword(event.target.value)}
              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
            />
          </div>
          <button
            type="submit"
            disabled={isBusy}
            className="w-full rounded-md bg-neutral-900 px-4 py-2 text-sm font-medium text-white disabled:opacity-60"
          >
            {isBusy
              ? t("auth.actions.signUpBusy", "Creating account...")
              : mode === "signup-owner"
                ? t("auth.actions.signUpOwnerIdle", "Create owner account")
                : t("auth.actions.signUpUserIdle", "Create account")}
          </button>
          <p className="text-xs text-neutral-600">
            {t("auth.links.alreadyHaveAccount", "Already have an account?")}{" "}
            <Link href={`/login?next=${encodeURIComponent(nextPath)}`} className="underline">
-              Go to sign in
+              {t("auth.links.goToSignIn", "Go to sign in")}
            </Link>
          </p>
          {error ? <p className="text-sm text-red-600">{error}</p> : null}
          {success ? <p className="text-sm text-green-700">{success}</p> : null}
        </form>
      ) : (
        <section className="mt-8 space-y-4 rounded-xl border border-neutral-200 p-6">
          <p className="text-sm text-neutral-700">
            {t(
              "auth.messages.registrationDisabled",
              "Registration is disabled for this admin instance. Ask an administrator to create an account or enable self-registration.",
            )}
          </p>
          <p className="text-xs text-neutral-600">
            <Link href={`/login?next=${encodeURIComponent(nextPath)}`} className="underline">
              {t("auth.links.goToSignIn", "Go to sign in")}
            </Link>
          </p>
        </section>
      )}
    </main>
  )
--- a/apps/admin/src/app/page.tsx
+++ b/apps/admin/src/app/page.tsx
@ -1,15 +1,161 @@
 import { hasPermission } from "@cms/content/rbac"
-import { listPosts } from "@cms/db"
+import { createPost, deletePost, listPosts, updatePost } from "@cms/db"
 import { Button } from "@cms/ui/button"
 import { revalidatePath } from "next/cache"
 import Link from "next/link"
 import { redirect } from "next/navigation"
 import { AdminLocaleSwitcher } from "@/components/admin-locale-switcher"
 import { translateMessage } from "@/i18n/messages"
 import { getAdminMessages, resolveAdminLocale } from "@/i18n/server"
 import { resolveRoleFromServerContext } from "@/lib/access-server"
 import { LogoutButton } from "./logout-button"
 export const dynamic = "force-dynamic"
-export default async function AdminHomePage() {
+type SearchParamsInput = Record<string, string | string[] | undefined>
 function readFirstValue(value: string | string[] | undefined): string | null {
  if (Array.isArray(value)) {
    return value[0] ?? null
  }
  return value ?? null
 }
 function readRequiredField(formData: FormData, field: string): string {
  const value = formData.get(field)
  if (typeof value !== "string") {
    return ""
  }
  return value.trim()
 }
 function readOptionalField(formData: FormData, field: string): string | undefined {
  const value = readRequiredField(formData, field)
  return value.length > 0 ? value : undefined
 }
 async function requireNewsWritePermission() {
  const role = await resolveRoleFromServerContext()
  if (!role || !hasPermission(role, "news:write", "team")) {
    redirect("/unauthorized?required=news:write&scope=team")
  }
 }
 function redirectWithState(params: { notice?: string; error?: string }) {
  const query = new URLSearchParams()
  if (params.notice) {
    query.set("notice", params.notice)
  }
  if (params.error) {
    query.set("error", params.error)
  }
  const value = query.toString()
  redirect(value ? `/?${value}` : "/")
 }
 async function getDashboardTranslator() {
  const locale = await resolveAdminLocale()
  const messages = await getAdminMessages(locale)
  return (key: string, fallback: string) => translateMessage(messages, key, fallback)
 }
 async function createPostAction(formData: FormData) {
  "use server"
  await requireNewsWritePermission()
  const t = await getDashboardTranslator()
  const status = readRequiredField(formData, "status")
  try {
    await createPost({
      title: readRequiredField(formData, "title"),
      slug: readRequiredField(formData, "slug"),
      excerpt: readOptionalField(formData, "excerpt"),
      body: readRequiredField(formData, "body"),
      status: status === "published" ? "published" : "draft",
    })
  } catch {
    redirectWithState({
      error: t("dashboard.posts.errors.createFailed", "Create failed. Please check your input."),
    })
  }
  revalidatePath("/")
  redirectWithState({ notice: t("dashboard.posts.success.created", "Post created.") })
 }
 async function updatePostAction(formData: FormData) {
  "use server"
  await requireNewsWritePermission()
  const t = await getDashboardTranslator()
  const id = readRequiredField(formData, "id")
  const status = readRequiredField(formData, "status")
  if (!id) {
    redirectWithState({
      error: t("dashboard.posts.errors.updateMissingId", "Update failed. Missing post id."),
    })
  }
  try {
    await updatePost(id, {
      title: readRequiredField(formData, "title"),
      slug: readRequiredField(formData, "slug"),
      excerpt: readOptionalField(formData, "excerpt"),
      body: readRequiredField(formData, "body"),
      status: status === "published" ? "published" : "draft",
    })
  } catch {
    redirectWithState({
      error: t("dashboard.posts.errors.updateFailed", "Update failed. Please check your input."),
    })
  }
  revalidatePath("/")
  redirectWithState({ notice: t("dashboard.posts.success.updated", "Post updated.") })
 }
 async function deletePostAction(formData: FormData) {
  "use server"
  await requireNewsWritePermission()
  const t = await getDashboardTranslator()
  const id = readRequiredField(formData, "id")
  if (!id) {
    redirectWithState({
      error: t("dashboard.posts.errors.deleteMissingId", "Delete failed. Missing post id."),
    })
  }
  try {
    await deletePost(id)
  } catch {
    redirectWithState({ error: t("dashboard.posts.errors.deleteFailed", "Delete failed.") })
  }
  revalidatePath("/")
  redirectWithState({ notice: t("dashboard.posts.success.deleted", "Post deleted.") })
 }
 export default async function AdminHomePage({
  searchParams,
 }: {
  searchParams: Promise<SearchParamsInput>
 }) {
  const role = await resolveRoleFromServerContext()
  if (!role) {
@ -20,42 +166,249 @@ export default async function AdminHomePage() {
    redirect("/unauthorized?required=news:read&scope=team")
  }
  const [resolvedSearchParams, locale, posts] = await Promise.all([
    searchParams,
    resolveAdminLocale(),
    listPosts(),
  ])
  const messages = await getAdminMessages(locale)
  const t = (key: string, fallback: string) => translateMessage(messages, key, fallback)
  const notice = readFirstValue(resolvedSearchParams.notice)
  const error = readFirstValue(resolvedSearchParams.error)
  const canCreatePost = hasPermission(role, "news:write", "team")
  const posts = await listPosts()
  return (
    <main className="mx-auto flex min-h-screen w-full max-w-4xl flex-col gap-8 px-6 py-16">
      <header className="space-y-3">
-        <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">Admin App</p>
+        <div className="flex items-center justify-between gap-3">
-        <h1 className="text-4xl font-semibold tracking-tight">Content Dashboard</h1>
+          <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">
-        <p className="text-neutral-600">Manage posts from a dedicated admin surface.</p>
+            {t("dashboard.badge", "Admin App")}
          </p>
          <AdminLocaleSwitcher />
        </div>
        <h1 className="text-4xl font-semibold tracking-tight">
          {t("dashboard.title", "Content Dashboard")}
        </h1>
        <p className="text-neutral-600">
          {t("dashboard.description", "Manage posts from a dedicated admin surface.")}
        </p>
        <div className="flex items-center gap-3 pt-2">
          <Link
            href="/todo"
            className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
          >
-            Open roadmap and progress
+            {t("dashboard.actions.openRoadmap", "Open roadmap and progress")}
          </Link>
          <Link
            href="/settings"
            className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
          >
            {t("settings.title", "Settings")}
          </Link>
          <LogoutButton />
        </div>
      </header>
      {notice ? (
        <section className="rounded-xl border border-emerald-300 bg-emerald-50 px-4 py-3 text-sm text-emerald-800">
          {notice}
        </section>
      ) : null}
      {error ? (
        <section className="rounded-xl border border-red-300 bg-red-50 px-4 py-3 text-sm text-red-800">
          {error}
        </section>
      ) : null}
      <section className="rounded-xl border border-neutral-200 p-6">
-        <div className="mb-4 flex items-center justify-between">
+        <div className="space-y-4">
-          <h2 className="text-xl font-medium">Posts</h2>
+          <div className="flex items-center justify-between">
-          <Button disabled={!canCreatePost}>Create post</Button>
+            <h2 className="text-xl font-medium">
              {t("dashboard.posts.title", "Posts CRUD Sandbox")}
            </h2>
            <p className="text-xs uppercase tracking-wide text-neutral-500">
              {t("dashboard.notices.crudSandboxTag", "MVP0 functional test")}
            </p>
          </div>
          {canCreatePost ? (
            <form
              action={createPostAction}
              className="space-y-3 rounded-lg border border-neutral-200 p-4"
            >
              <h3 className="text-sm font-semibold">
                {t("dashboard.posts.createTitle", "Create post")}
              </h3>
              <div className="grid gap-3 md:grid-cols-2">
                <label className="space-y-1">
                  <span className="text-xs text-neutral-600">
                    {t("dashboard.posts.fields.title", "Title")}
                  </span>
                  <input
                    name="title"
                    required
                    minLength={3}
                    className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                  />
                </label>
                <label className="space-y-1">
                  <span className="text-xs text-neutral-600">
                    {t("dashboard.posts.fields.slug", "Slug")}
                  </span>
                  <input
                    name="slug"
                    required
                    minLength={3}
                    className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                  />
                </label>
              </div>
              <label className="space-y-1">
                <span className="text-xs text-neutral-600">
                  {t("dashboard.posts.fields.excerpt", "Excerpt")}
                </span>
                <input
                  name="excerpt"
                  className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                />
              </label>
              <label className="space-y-1">
                <span className="text-xs text-neutral-600">
                  {t("dashboard.posts.fields.body", "Body")}
                </span>
                <textarea
                  name="body"
                  required
                  minLength={1}
                  rows={4}
                  className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                />
              </label>
              <label className="space-y-1">
                <span className="text-xs text-neutral-600">
                  {t("dashboard.posts.fields.status", "Status")}
                </span>
                <select
                  name="status"
                  defaultValue="draft"
                  className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                >
                  <option value="draft">{t("dashboard.posts.status.draft", "Draft")}</option>
                  <option value="published">
                    {t("dashboard.posts.status.published", "Published")}
                  </option>
                </select>
              </label>
              <Button type="submit">{t("dashboard.posts.actions.create", "Create post")}</Button>
            </form>
          ) : (
            <div className="rounded-lg border border-amber-300 bg-amber-50 px-4 py-3 text-sm text-amber-800">
              {t(
                "dashboard.notices.noCrudPermission",
                "You can read posts, but your role cannot create/update/delete posts.",
              )}
            </div>
          )}
        </div>
        <div className="space-y-3">
          {posts.map((post) => (
            <article key={post.id} className="rounded-lg border border-neutral-200 p-4">
-              <div className="flex items-center justify-between gap-3">
+              {canCreatePost ? (
-                <h3 className="text-lg font-medium">{post.title}</h3>
+                <>
-                <span className="rounded-full bg-neutral-100 px-3 py-1 text-xs uppercase tracking-wide">
+                  <form action={updatePostAction} className="space-y-3">
-                  {post.status}
+                    <input type="hidden" name="id" value={post.id} />
-                </span>
+                    <div className="grid gap-3 md:grid-cols-2">
-              </div>
+                      <label className="space-y-1">
-              <p className="mt-2 text-sm text-neutral-600">{post.slug}</p>
+                        <span className="text-xs text-neutral-600">
                          {t("dashboard.posts.fields.title", "Title")}
                        </span>
                        <input
                          name="title"
                          required
                          minLength={3}
                          defaultValue={post.title}
                          className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                        />
                      </label>
                      <label className="space-y-1">
                        <span className="text-xs text-neutral-600">
                          {t("dashboard.posts.fields.slug", "Slug")}
                        </span>
                        <input
                          name="slug"
                          required
                          minLength={3}
                          defaultValue={post.slug}
                          className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                        />
                      </label>
                    </div>
                    <label className="space-y-1">
                      <span className="text-xs text-neutral-600">
                        {t("dashboard.posts.fields.excerpt", "Excerpt")}
                      </span>
                      <input
                        name="excerpt"
                        defaultValue={post.excerpt ?? ""}
                        className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                      />
                    </label>
                    <label className="space-y-1">
                      <span className="text-xs text-neutral-600">
                        {t("dashboard.posts.fields.body", "Body")}
                      </span>
                      <textarea
                        name="body"
                        required
                        minLength={1}
                        rows={4}
                        defaultValue={post.body}
                        className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                      />
                    </label>
                    <label className="space-y-1">
                      <span className="text-xs text-neutral-600">
                        {t("dashboard.posts.fields.status", "Status")}
                      </span>
                      <select
                        name="status"
                        defaultValue={post.status}
                        className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                      >
                        <option value="draft">{t("dashboard.posts.status.draft", "Draft")}</option>
                        <option value="published">
                          {t("dashboard.posts.status.published", "Published")}
                        </option>
                      </select>
                    </label>
                    <Button type="submit">
                      {t("dashboard.posts.actions.save", "Save changes")}
                    </Button>
                  </form>
                  <form action={deletePostAction} className="mt-3">
                    <input type="hidden" name="id" value={post.id} />
                    <Button type="submit" variant="secondary">
                      {t("dashboard.posts.actions.delete", "Delete")}
                    </Button>
                  </form>
                </>
              ) : (
                <>
                  <div className="flex items-center justify-between gap-3">
                    <h3 className="text-lg font-medium">{post.title}</h3>
                    <span className="rounded-full bg-neutral-100 px-3 py-1 text-xs uppercase tracking-wide">
                      {post.status}
                    </span>
                  </div>
                  <p className="mt-2 text-sm text-neutral-600">{post.slug}</p>
                  <p className="mt-2 text-sm text-neutral-600">
                    {post.excerpt ?? t("dashboard.posts.fallback.noExcerpt", "No excerpt")}
                  </p>
                </>
              )}
            </article>
          ))}
        </div>
--- a/apps/admin/src/app/providers.tsx
+++ b/apps/admin/src/app/providers.tsx
@ -1,9 +1,24 @@
 "use client"
 import type { AppLocale } from "@cms/i18n"
 import type { ReactNode } from "react"
 import type { AdminMessages } from "@/i18n/messages"
 import { AdminI18nProvider } from "@/providers/admin-i18n-provider"
 import { QueryProvider } from "@/providers/query-provider"
-export function Providers({ children }: { children: ReactNode }) {
+export function Providers({
-  return <QueryProvider>{children}</QueryProvider>
+  children,
  locale,
  messages,
 }: {
  children: ReactNode
  locale: AppLocale
  messages: AdminMessages
 }) {
  return (
    <AdminI18nProvider locale={locale} messages={messages}>
      <QueryProvider>{children}</QueryProvider>
    </AdminI18nProvider>
  )
 }
--- a/apps/admin/src/app/register/page.tsx
+++ b/apps/admin/src/app/register/page.tsx
@ -33,7 +33,7 @@ export default async function RegisterPage({ searchParams }: { searchParams: Sea
  const enabled = await isSelfRegistrationEnabled()
  if (!enabled) {
-    redirect(`/login?next=${encodeURIComponent(nextPath)}`)
+    return <LoginForm mode="signup-disabled" />
  }
  return <LoginForm mode="signup-user" />
--- a/apps/admin/src/app/settings/page.tsx
+++ b/apps/admin/src/app/settings/page.tsx
@ -0,0 +1,188 @@
 import { hasPermission } from "@cms/content/rbac"
 import { isAdminSelfRegistrationEnabled, setAdminSelfRegistrationEnabled } from "@cms/db"
 import { Button } from "@cms/ui/button"
 import { revalidatePath } from "next/cache"
 import Link from "next/link"
 import { redirect } from "next/navigation"
 import { AdminLocaleSwitcher } from "@/components/admin-locale-switcher"
 import { translateMessage } from "@/i18n/messages"
 import { getAdminMessages, resolveAdminLocale } from "@/i18n/server"
 import { resolveRoleFromServerContext } from "@/lib/access-server"
 type SearchParamsInput = Promise<Record<string, string | string[] | undefined>>
 function toSingleValue(input: string | string[] | undefined): string | null {
  if (Array.isArray(input)) {
    return input[0] ?? null
  }
  return input ?? null
 }
 async function requireSettingsPermission() {
  const role = await resolveRoleFromServerContext()
  if (!role) {
    redirect("/login?next=/settings")
  }
  if (!hasPermission(role, "users:manage_roles", "global")) {
    redirect("/unauthorized?required=users:manage_roles&scope=global")
  }
 }
 async function getSettingsTranslator() {
  const locale = await resolveAdminLocale()
  const messages = await getAdminMessages(locale)
  return (key: string, fallback: string) => translateMessage(messages, key, fallback)
 }
 async function updateRegistrationPolicyAction(formData: FormData) {
  "use server"
  await requireSettingsPermission()
  const t = await getSettingsTranslator()
  const enabled = formData.get("enabled") === "on"
  try {
    await setAdminSelfRegistrationEnabled(enabled)
  } catch (error) {
    const errorMessage = error instanceof Error ? error.message : ""
    const normalizedMessage = errorMessage.toLowerCase()
    const isDatabaseUnavailable = errorMessage.includes("P1001")
    const isSchemaMissing =
      errorMessage.includes("P2021") ||
      normalizedMessage.includes("system_setting") ||
      normalizedMessage.includes("does not exist")
    const userMessage = isDatabaseUnavailable
      ? t(
          "settings.registration.errors.databaseUnavailable",
          "Saving settings failed. The database is currently unreachable.",
        )
      : isSchemaMissing
        ? t(
            "settings.registration.errors.schemaMissing",
            "Saving settings failed. Apply the latest database migrations and try again.",
          )
        : t(
            "settings.registration.errors.updateFailed",
            "Saving settings failed. Ensure database migrations are applied.",
          )
    redirect(`/settings?error=${encodeURIComponent(userMessage)}`)
  }
  revalidatePath("/settings")
  revalidatePath("/register")
  redirect(
    `/settings?notice=${encodeURIComponent(
      t("settings.registration.success.updated", "Registration policy updated."),
    )}`,
  )
 }
 export default async function SettingsPage({ searchParams }: { searchParams: SearchParamsInput }) {
  await requireSettingsPermission()
  const [params, locale, isRegistrationEnabled] = await Promise.all([
    searchParams,
    resolveAdminLocale(),
    isAdminSelfRegistrationEnabled(),
  ])
  const messages = await getAdminMessages(locale)
  const t = (key: string, fallback: string) => translateMessage(messages, key, fallback)
  const notice = toSingleValue(params.notice)
  const error = toSingleValue(params.error)
  return (
    <main className="mx-auto flex min-h-screen w-full max-w-4xl flex-col gap-8 px-6 py-16">
      <header className="space-y-3">
        <div className="flex items-center justify-between gap-3">
          <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">
            {t("settings.badge", "Admin Settings")}
          </p>
          <AdminLocaleSwitcher />
        </div>
        <h1 className="text-4xl font-semibold tracking-tight">{t("settings.title", "Settings")}</h1>
        <p className="text-neutral-600">
          {t(
            "settings.description",
            "Manage runtime policies for the admin authentication and onboarding flow.",
          )}
        </p>
        <div className="flex items-center gap-3 pt-2">
          <Link
            href="/"
            className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
          >
            {t("settings.actions.backToDashboard", "Back to dashboard")}
          </Link>
        </div>
      </header>
      {notice ? (
        <section className="rounded-xl border border-emerald-300 bg-emerald-50 px-4 py-3 text-sm text-emerald-800">
          {notice}
        </section>
      ) : null}
      {error ? (
        <section className="rounded-xl border border-red-300 bg-red-50 px-4 py-3 text-sm text-red-800">
          {error}
        </section>
      ) : null}
      <section className="rounded-xl border border-neutral-200 p-6">
        <div className="space-y-5">
          <div className="space-y-2">
            <h2 className="text-xl font-medium">
              {t("settings.registration.title", "Admin self-registration")}
            </h2>
            <p className="text-sm text-neutral-600">
              {t(
                "settings.registration.description",
                "When enabled, /register can create additional admin accounts after initial owner bootstrap.",
              )}
            </p>
          </div>
          <div className="rounded-lg border border-neutral-200 p-4 text-sm text-neutral-700">
            <p>
              {t("settings.registration.currentStatusLabel", "Current status")}:{" "}
              <strong>
                {isRegistrationEnabled
                  ? t("settings.registration.status.enabled", "Enabled")
                  : t("settings.registration.status.disabled", "Disabled")}
              </strong>
            </p>
          </div>
          <form action={updateRegistrationPolicyAction} className="space-y-4">
            <label className="flex items-center gap-3 text-sm">
              <input
                type="checkbox"
                name="enabled"
                defaultChecked={isRegistrationEnabled}
                className="h-4 w-4 rounded border-neutral-300"
              />
              <span>
                {t(
                  "settings.registration.checkboxLabel",
                  "Allow self-registration on /register for admin users",
                )}
              </span>
            </label>
            <Button type="submit">
              {t("settings.registration.actions.save", "Save registration policy")}
            </Button>
          </form>
        </div>
      </section>
    </main>
  )
 }
--- a/apps/admin/src/components/admin-locale-switcher.tsx
+++ b/apps/admin/src/components/admin-locale-switcher.tsx
@ -0,0 +1,41 @@
 "use client"
 import { type AppLocale, localeLabels, locales } from "@cms/i18n"
 import { useRouter } from "next/navigation"
 import { useTransition } from "react"
 import { ADMIN_LOCALE_COOKIE } from "@/i18n/shared"
 import { useAdminI18n, useAdminT } from "@/providers/admin-i18n-provider"
 export function AdminLocaleSwitcher() {
  const router = useRouter()
  const [isPending, startTransition] = useTransition()
  const { locale } = useAdminI18n()
  const t = useAdminT()
  return (
    <label className="inline-flex items-center gap-2 text-sm text-neutral-700">
      <span>{t("common.language", "Language")}</span>
      <select
        className="rounded-md border border-neutral-300 bg-white px-2 py-1 text-sm"
        value={locale}
        disabled={isPending}
        onChange={(event) => {
          const nextLocale = event.target.value as AppLocale
          // biome-ignore lint/suspicious/noDocumentCookie: locale preference is intentionally persisted client-side.
          document.cookie = `${ADMIN_LOCALE_COOKIE}=${nextLocale}; Path=/; Max-Age=31536000; SameSite=Lax`
          startTransition(() => {
            router.refresh()
          })
        }}
      >
        {locales.map((value) => (
          <option key={value} value={value}>
            {t(`common.localeNames.${value}`, localeLabels[value])} ({localeLabels[value]})
          </option>
        ))}
      </select>
    </label>
  )
 }
--- a/apps/admin/src/i18n/messages.test.ts
+++ b/apps/admin/src/i18n/messages.test.ts
@ -0,0 +1,147 @@
 import { describe, expect, it } from "vitest"
 import type { AdminMessages } from "./messages"
 import { translateMessage } from "./messages"
 const messages: AdminMessages = {
  common: {
    language: "Language",
    localeNames: {
      de: "German",
      en: "English",
      es: "Spanish",
      fr: "French",
    },
  },
  auth: {
    badge: "Admin Auth",
    titles: {
      signIn: "Sign in",
      signUpOwner: "Welcome",
      signUpUser: "Create account",
      signUpDisabled: "Registration disabled",
    },
    descriptions: {
      signIn: "Sign in description",
      signUpOwner: "Owner description",
      signUpUser: "User description",
      signUpDisabled: "Disabled description",
    },
    fields: {
      name: "Name",
      emailOrUsername: "Email or username",
      email: "Email",
      username: "Username",
      password: "Password",
    },
    actions: {
      signInIdle: "Sign in",
      signInBusy: "Signing in...",
      signUpOwnerIdle: "Create owner account",
      signUpUserIdle: "Create account",
      signUpBusy: "Creating account...",
    },
    links: {
      needAccount: "Need an account?",
      register: "Register",
      alreadyHaveAccount: "Already have an account?",
      goToSignIn: "Go to sign in",
    },
    messages: {
      ownerCreated: "Owner account created.",
      accountCreated: "Account created.",
      registrationDisabled: "Registration is disabled.",
    },
    errors: {
      nameRequired: "Name is required.",
      signInFailed: "Sign in failed",
      signUpFailed: "Sign up failed",
      networkSignIn: "Network sign in error",
      networkSignUp: "Network sign up error",
    },
  },
  settings: {
    badge: "Admin Settings",
    title: "Settings",
    description: "Settings description",
    actions: {
      backToDashboard: "Back to dashboard",
    },
    registration: {
      title: "Registration",
      description: "Registration description",
      currentStatusLabel: "Current status",
      status: {
        enabled: "Enabled",
        disabled: "Disabled",
      },
      checkboxLabel: "Allow registration",
      actions: {
        save: "Save",
      },
      success: {
        updated: "Updated",
      },
      errors: {
        updateFailed: "Update failed",
      },
    },
  },
  dashboard: {
    badge: "Admin App",
    title: "Content Dashboard",
    description: "Manage content.",
    actions: {
      openRoadmap: "Open roadmap",
    },
    notices: {
      noCrudPermission: "No permission.",
      crudSandboxTag: "MVP0 functional test",
    },
    posts: {
      title: "Posts CRUD Sandbox",
      createTitle: "Create post",
      fields: {
        title: "Title",
        slug: "Slug",
        excerpt: "Excerpt",
        body: "Body",
        status: "Status",
      },
      status: {
        draft: "Draft",
        published: "Published",
      },
      actions: {
        create: "Create post",
        save: "Save changes",
        delete: "Delete",
      },
      errors: {
        createFailed: "Create failed.",
        updateFailed: "Update failed.",
        updateMissingId: "Missing post id.",
        deleteFailed: "Delete failed.",
        deleteMissingId: "Missing post id.",
      },
      success: {
        created: "Post created.",
        updated: "Post updated.",
        deleted: "Post deleted.",
      },
      fallback: {
        noExcerpt: "No excerpt",
      },
    },
  },
 }
 describe("translateMessage", () => {
  it("resolves nested keys", () => {
    expect(translateMessage(messages, "dashboard.title")).toBe("Content Dashboard")
  })
  it("returns fallback for unknown keys", () => {
    expect(translateMessage(messages, "dashboard.unknown", "Fallback")).toBe("Fallback")
  })
 })
--- a/apps/admin/src/i18n/messages.ts
+++ b/apps/admin/src/i18n/messages.ts
@ -0,0 +1,27 @@
 import type enMessages from "../messages/en.json"
 export type AdminMessages = typeof enMessages
 function resolveNestedValue(source: unknown, key: string): unknown {
  let current: unknown = source
  for (const segment of key.split(".")) {
    if (!current || typeof current !== "object") {
      return null
    }
    current = (current as Record<string, unknown>)[segment]
  }
  return current
 }
 export function translateMessage(messages: AdminMessages, key: string, fallback?: string): string {
  const resolved = resolveNestedValue(messages, key)
  if (typeof resolved === "string") {
    return resolved
  }
  return fallback ?? key
 }
--- a/apps/admin/src/i18n/server.ts
+++ b/apps/admin/src/i18n/server.ts
@ -0,0 +1,20 @@
 import { type AppLocale, defaultLocale, isAppLocale } from "@cms/i18n"
 import { cookies } from "next/headers"
 import type { AdminMessages } from "./messages"
 import { ADMIN_LOCALE_COOKIE } from "./shared"
 export async function resolveAdminLocale(): Promise<AppLocale> {
  const cookieStore = await cookies()
  const value = cookieStore.get(ADMIN_LOCALE_COOKIE)?.value
  if (value && isAppLocale(value)) {
    return value
  }
  return defaultLocale
 }
 export async function getAdminMessages(locale: AppLocale): Promise<AdminMessages> {
  return (await import(`../messages/${locale}.json`)).default as AdminMessages
 }
--- a/apps/admin/src/i18n/shared.ts
+++ b/apps/admin/src/i18n/shared.ts
@ -0,0 +1 @@
 export const ADMIN_LOCALE_COOKIE = "cms_admin_locale"
--- a/apps/admin/src/lib/access.test.ts
+++ b/apps/admin/src/lib/access.test.ts
@ -0,0 +1,24 @@
 import { describe, expect, it } from "vitest"
 import { canAccessRoute, getRequiredPermission, isPublicRoute } from "./access"
 describe("admin route access rules", () => {
  it("treats support fallback route as public", () => {
    expect(isPublicRoute("/support/support-access")).toBe(true)
    expect(canAccessRoute("editor", "/support/support-access")).toBe(true)
  })
  it("keeps settings route restricted to role with users:manage_roles", () => {
    expect(isPublicRoute("/settings")).toBe(false)
    expect(canAccessRoute("manager", "/settings")).toBe(false)
    expect(canAccessRoute("admin", "/settings")).toBe(true)
    expect(canAccessRoute("owner", "/settings")).toBe(true)
  })
  it("resolves route-specific permission requirements", () => {
    expect(getRequiredPermission("/todo")).toEqual({
      permission: "roadmap:read",
      scope: "global",
    })
  })
 })
--- a/apps/admin/src/lib/access.ts
+++ b/apps/admin/src/lib/access.ts
@ -43,6 +43,13 @@ const guardRules: GuardRule[] = [
      scope: "global",
    },
  },
  {
    route: /^\/settings(?:\/|$)/,
    requirement: {
      permission: "users:manage_roles",
      scope: "global",
    },
  },
  {
    route: /^\/(?:$|\?)/,
    requirement: {
--- a/apps/admin/src/lib/auth/server.ts
+++ b/apps/admin/src/lib/auth/server.ts
@ -1,5 +1,5 @@
 import { normalizeRole, type Role } from "@cms/content/rbac"
-import { db } from "@cms/db"
+import { db, isAdminSelfRegistrationEnabled } from "@cms/db"
 import { betterAuth } from "better-auth"
 import { prismaAdapter } from "better-auth/adapters/prisma"
 import { toNextJsHandler } from "better-auth/next-js"
@ -43,8 +43,7 @@ export async function isInitialOwnerRegistrationOpen(): Promise<boolean> {
 }
 export async function isSelfRegistrationEnabled(): Promise<boolean> {
-  // Temporary fallback until registration policy is managed from admin settings.
+  return isAdminSelfRegistrationEnabled()
  return process.env.CMS_ADMIN_SELF_REGISTRATION_ENABLED === "true"
 }
 export async function canUserSelfRegister(): Promise<boolean> {
--- a/apps/admin/src/messages/de.json
+++ b/apps/admin/src/messages/de.json
@ -0,0 +1,132 @@
 {
  "common": {
    "language": "Sprache",
    "localeNames": {
      "de": "Deutsch",
      "en": "Englisch",
      "es": "Spanisch",
      "fr": "Französisch"
    }
  },
  "auth": {
    "badge": "Admin-Authentifizierung",
    "titles": {
      "signIn": "Bei CMS Admin anmelden",
      "signUpOwner": "Willkommen bei CMS Admin",
      "signUpUser": "Admin-Konto erstellen",
      "signUpDisabled": "Registrierung ist deaktiviert"
    },
    "descriptions": {
      "signIn": "Better Auth ist in dieser App über /api/auth aktiv.",
      "signUpOwner": "Erstelle das erste Owner-Konto, um diese Admin-Instanz zu initialisieren.",
      "signUpUser": "Selbstregistrierung für Admin-Benutzer ist aktiviert.",
      "signUpDisabled": "Selbstregistrierung wurde von einer Administratorin oder einem Administrator deaktiviert."
    },
    "fields": {
      "name": "Name",
      "emailOrUsername": "E-Mail oder Benutzername",
      "email": "E-Mail",
      "username": "Benutzername (optional)",
      "password": "Passwort"
    },
    "actions": {
      "signInIdle": "Anmelden",
      "signInBusy": "Anmeldung läuft...",
      "signUpOwnerIdle": "Owner-Konto erstellen",
      "signUpUserIdle": "Konto erstellen",
      "signUpBusy": "Konto wird erstellt..."
    },
    "links": {
      "needAccount": "Du brauchst ein Konto?",
      "register": "Registrieren",
      "alreadyHaveAccount": "Du hast bereits ein Konto?",
      "goToSignIn": "Zur Anmeldung"
    },
    "messages": {
      "ownerCreated": "Owner-Konto erstellt. Registrierung ist jetzt deaktiviert.",
      "accountCreated": "Konto erstellt.",
      "registrationDisabled": "Für diese Admin-Instanz ist die Registrierung deaktiviert. Bitte wende dich an eine Administratorin oder einen Administrator."
    },
    "errors": {
      "nameRequired": "Name ist für die Kontoerstellung erforderlich",
      "signInFailed": "Anmeldung fehlgeschlagen",
      "signUpFailed": "Registrierung fehlgeschlagen",
      "networkSignIn": "Netzwerkfehler bei der Anmeldung",
      "networkSignUp": "Netzwerkfehler bei der Registrierung"
    }
  },
  "settings": {
    "badge": "Admin-Einstellungen",
    "title": "Einstellungen",
    "description": "Verwalte Laufzeitrichtlinien für Authentifizierung und Onboarding im Admin-Bereich.",
    "actions": {
      "backToDashboard": "Zurück zum Dashboard"
    },
    "registration": {
      "title": "Admin-Selbstregistrierung",
      "description": "Wenn aktiviert, können über /register nach der initialen Owner-Erstellung weitere Admin-Konten erstellt werden.",
      "currentStatusLabel": "Aktueller Status",
      "status": {
        "enabled": "Aktiviert",
        "disabled": "Deaktiviert"
      },
      "checkboxLabel": "Selbstregistrierung auf /register für Admin-Benutzer erlauben",
      "actions": {
        "save": "Registrierungsrichtlinie speichern"
      },
      "success": {
        "updated": "Registrierungsrichtlinie aktualisiert."
      },
      "errors": {
        "updateFailed": "Speichern der Einstellungen fehlgeschlagen. Stelle sicher, dass Datenbankmigrationen angewendet wurden."
      }
    }
  },
  "dashboard": {
    "badge": "Admin-App",
    "title": "Content-Dashboard",
    "description": "Verwalte Beiträge in einer dedizierten Admin-Oberfläche.",
    "actions": {
      "openRoadmap": "Roadmap und Fortschritt öffnen"
    },
    "notices": {
      "noCrudPermission": "Du kannst Beiträge lesen, aber deine Rolle darf keine Beiträge erstellen/ändern/löschen.",
      "crudSandboxTag": "MVP0 Funktionstest"
    },
    "posts": {
      "title": "Beiträge CRUD-Sandbox",
      "createTitle": "Beitrag erstellen",
      "fields": {
        "title": "Titel",
        "slug": "Slug",
        "excerpt": "Auszug",
        "body": "Inhalt",
        "status": "Status"
      },
      "status": {
        "draft": "Entwurf",
        "published": "Veröffentlicht"
      },
      "actions": {
        "create": "Beitrag erstellen",
        "save": "Änderungen speichern",
        "delete": "Löschen"
      },
      "errors": {
        "createFailed": "Erstellen fehlgeschlagen. Bitte Eingaben prüfen.",
        "updateFailed": "Aktualisierung fehlgeschlagen. Bitte Eingaben prüfen.",
        "updateMissingId": "Aktualisierung fehlgeschlagen. Beitrags-ID fehlt.",
        "deleteFailed": "Löschen fehlgeschlagen.",
        "deleteMissingId": "Löschen fehlgeschlagen. Beitrags-ID fehlt."
      },
      "success": {
        "created": "Beitrag erstellt.",
        "updated": "Beitrag aktualisiert.",
        "deleted": "Beitrag gelöscht."
      },
      "fallback": {
        "noExcerpt": "Kein Auszug"
      }
    }
  }
 }
--- a/apps/admin/src/messages/en.json
+++ b/apps/admin/src/messages/en.json
@ -0,0 +1,132 @@
 {
  "common": {
    "language": "Language",
    "localeNames": {
      "de": "German",
      "en": "English",
      "es": "Spanish",
      "fr": "French"
    }
  },
  "auth": {
    "badge": "Admin Auth",
    "titles": {
      "signIn": "Sign in to CMS Admin",
      "signUpOwner": "Welcome to CMS Admin",
      "signUpUser": "Create an admin account",
      "signUpDisabled": "Registration is disabled"
    },
    "descriptions": {
      "signIn": "Better Auth is active on this app via /api/auth.",
      "signUpOwner": "Create the first owner account to initialize this admin instance.",
      "signUpUser": "Self-registration is enabled for admin users.",
      "signUpDisabled": "Self-registration is currently turned off by an administrator."
    },
    "fields": {
      "name": "Name",
      "emailOrUsername": "Email or username",
      "email": "Email",
      "username": "Username (optional)",
      "password": "Password"
    },
    "actions": {
      "signInIdle": "Sign in",
      "signInBusy": "Signing in...",
      "signUpOwnerIdle": "Create owner account",
      "signUpUserIdle": "Create account",
      "signUpBusy": "Creating account..."
    },
    "links": {
      "needAccount": "Need an account?",
      "register": "Register",
      "alreadyHaveAccount": "Already have an account?",
      "goToSignIn": "Go to sign in"
    },
    "messages": {
      "ownerCreated": "Owner account created. Registration is now disabled.",
      "accountCreated": "Account created.",
      "registrationDisabled": "Registration is disabled for this admin instance. Ask an administrator to create an account or enable self-registration."
    },
    "errors": {
      "nameRequired": "Name is required for account creation",
      "signInFailed": "Sign in failed",
      "signUpFailed": "Sign up failed",
      "networkSignIn": "Network error while signing in",
      "networkSignUp": "Network error while signing up"
    }
  },
  "settings": {
    "badge": "Admin Settings",
    "title": "Settings",
    "description": "Manage runtime policies for the admin authentication and onboarding flow.",
    "actions": {
      "backToDashboard": "Back to dashboard"
    },
    "registration": {
      "title": "Admin self-registration",
      "description": "When enabled, /register can create additional admin accounts after initial owner bootstrap.",
      "currentStatusLabel": "Current status",
      "status": {
        "enabled": "Enabled",
        "disabled": "Disabled"
      },
      "checkboxLabel": "Allow self-registration on /register for admin users",
      "actions": {
        "save": "Save registration policy"
      },
      "success": {
        "updated": "Registration policy updated."
      },
      "errors": {
        "updateFailed": "Saving settings failed. Ensure database migrations are applied."
      }
    }
  },
  "dashboard": {
    "badge": "Admin App",
    "title": "Content Dashboard",
    "description": "Manage posts from a dedicated admin surface.",
    "actions": {
      "openRoadmap": "Open roadmap and progress"
    },
    "notices": {
      "noCrudPermission": "You can read posts, but your role cannot create/update/delete posts.",
      "crudSandboxTag": "MVP0 functional test"
    },
    "posts": {
      "title": "Posts CRUD Sandbox",
      "createTitle": "Create post",
      "fields": {
        "title": "Title",
        "slug": "Slug",
        "excerpt": "Excerpt",
        "body": "Body",
        "status": "Status"
      },
      "status": {
        "draft": "Draft",
        "published": "Published"
      },
      "actions": {
        "create": "Create post",
        "save": "Save changes",
        "delete": "Delete"
      },
      "errors": {
        "createFailed": "Create failed. Please check your input.",
        "updateFailed": "Update failed. Please check your input.",
        "updateMissingId": "Update failed. Missing post id.",
        "deleteFailed": "Delete failed.",
        "deleteMissingId": "Delete failed. Missing post id."
      },
      "success": {
        "created": "Post created.",
        "updated": "Post updated.",
        "deleted": "Post deleted."
      },
      "fallback": {
        "noExcerpt": "No excerpt"
      }
    }
  }
 }
--- a/apps/admin/src/messages/es.json
+++ b/apps/admin/src/messages/es.json
@ -0,0 +1,132 @@
 {
  "common": {
    "language": "Idioma",
    "localeNames": {
      "de": "Alemán",
      "en": "Inglés",
      "es": "Español",
      "fr": "Francés"
    }
  },
  "auth": {
    "badge": "Autenticación de Admin",
    "titles": {
      "signIn": "Iniciar sesión en CMS Admin",
      "signUpOwner": "Bienvenido a CMS Admin",
      "signUpUser": "Crear una cuenta de admin",
      "signUpDisabled": "El registro está deshabilitado"
    },
    "descriptions": {
      "signIn": "Better Auth está activo en esta app mediante /api/auth.",
      "signUpOwner": "Crea la primera cuenta owner para inicializar esta instancia de administración.",
      "signUpUser": "El registro automático está habilitado para usuarios admin.",
      "signUpDisabled": "El auto-registro está desactivado actualmente por un administrador."
    },
    "fields": {
      "name": "Nombre",
      "emailOrUsername": "Correo o nombre de usuario",
      "email": "Correo",
      "username": "Nombre de usuario (opcional)",
      "password": "Contraseña"
    },
    "actions": {
      "signInIdle": "Iniciar sesión",
      "signInBusy": "Iniciando sesión...",
      "signUpOwnerIdle": "Crear cuenta owner",
      "signUpUserIdle": "Crear cuenta",
      "signUpBusy": "Creando cuenta..."
    },
    "links": {
      "needAccount": "¿Necesitas una cuenta?",
      "register": "Registrarse",
      "alreadyHaveAccount": "¿Ya tienes una cuenta?",
      "goToSignIn": "Ir a iniciar sesión"
    },
    "messages": {
      "ownerCreated": "Cuenta owner creada. El registro ahora está deshabilitado.",
      "accountCreated": "Cuenta creada.",
      "registrationDisabled": "El registro está deshabilitado para esta instancia de administración. Pide a un administrador que cree una cuenta o habilite el auto-registro."
    },
    "errors": {
      "nameRequired": "El nombre es obligatorio para crear la cuenta",
      "signInFailed": "Error al iniciar sesión",
      "signUpFailed": "Error al registrarse",
      "networkSignIn": "Error de red al iniciar sesión",
      "networkSignUp": "Error de red al registrarse"
    }
  },
  "settings": {
    "badge": "Ajustes de Admin",
    "title": "Ajustes",
    "description": "Gestiona políticas de ejecución para autenticación y onboarding del panel admin.",
    "actions": {
      "backToDashboard": "Volver al panel"
    },
    "registration": {
      "title": "Auto-registro de admin",
      "description": "Cuando está habilitado, /register puede crear cuentas admin adicionales después del bootstrap inicial del owner.",
      "currentStatusLabel": "Estado actual",
      "status": {
        "enabled": "Habilitado",
        "disabled": "Deshabilitado"
      },
      "checkboxLabel": "Permitir auto-registro en /register para usuarios admin",
      "actions": {
        "save": "Guardar política de registro"
      },
      "success": {
        "updated": "Política de registro actualizada."
      },
      "errors": {
        "updateFailed": "No se pudieron guardar los ajustes. Asegúrate de que las migraciones de base de datos estén aplicadas."
      }
    }
  },
  "dashboard": {
    "badge": "App Admin",
    "title": "Panel de Contenido",
    "description": "Gestiona publicaciones desde una superficie de administración dedicada.",
    "actions": {
      "openRoadmap": "Abrir hoja de ruta y progreso"
    },
    "notices": {
      "noCrudPermission": "Puedes leer publicaciones, pero tu rol no puede crear/editar/eliminar publicaciones.",
      "crudSandboxTag": "Prueba funcional MVP0"
    },
    "posts": {
      "title": "Sandbox CRUD de Publicaciones",
      "createTitle": "Crear publicación",
      "fields": {
        "title": "Título",
        "slug": "Slug",
        "excerpt": "Extracto",
        "body": "Contenido",
        "status": "Estado"
      },
      "status": {
        "draft": "Borrador",
        "published": "Publicado"
      },
      "actions": {
        "create": "Crear publicación",
        "save": "Guardar cambios",
        "delete": "Eliminar"
      },
      "errors": {
        "createFailed": "Error al crear. Revisa tus datos.",
        "updateFailed": "Error al actualizar. Revisa tus datos.",
        "updateMissingId": "Error al actualizar. Falta el id de la publicación.",
        "deleteFailed": "Error al eliminar.",
        "deleteMissingId": "Error al eliminar. Falta el id de la publicación."
      },
      "success": {
        "created": "Publicación creada.",
        "updated": "Publicación actualizada.",
        "deleted": "Publicación eliminada."
      },
      "fallback": {
        "noExcerpt": "Sin extracto"
      }
    }
  }
 }
--- a/apps/admin/src/messages/fr.json
+++ b/apps/admin/src/messages/fr.json
@ -0,0 +1,132 @@
 {
  "common": {
    "language": "Langue",
    "localeNames": {
      "de": "Allemand",
      "en": "Anglais",
      "es": "Espagnol",
      "fr": "Français"
    }
  },
  "auth": {
    "badge": "Authentification Admin",
    "titles": {
      "signIn": "Se connecter à CMS Admin",
      "signUpOwner": "Bienvenue sur CMS Admin",
      "signUpUser": "Créer un compte admin",
      "signUpDisabled": "L’inscription est désactivée"
    },
    "descriptions": {
      "signIn": "Better Auth est actif sur cette application via /api/auth.",
      "signUpOwner": "Créez le premier compte owner pour initialiser cette instance d’administration.",
      "signUpUser": "L’auto-inscription est activée pour les utilisateurs admin.",
      "signUpDisabled": "L’auto-inscription est actuellement désactivée par un administrateur."
    },
    "fields": {
      "name": "Nom",
      "emailOrUsername": "E-mail ou nom d’utilisateur",
      "email": "E-mail",
      "username": "Nom d’utilisateur (optionnel)",
      "password": "Mot de passe"
    },
    "actions": {
      "signInIdle": "Se connecter",
      "signInBusy": "Connexion en cours...",
      "signUpOwnerIdle": "Créer le compte owner",
      "signUpUserIdle": "Créer un compte",
      "signUpBusy": "Création du compte..."
    },
    "links": {
      "needAccount": "Besoin d’un compte ?",
      "register": "S’inscrire",
      "alreadyHaveAccount": "Vous avez déjà un compte ?",
      "goToSignIn": "Aller à la connexion"
    },
    "messages": {
      "ownerCreated": "Compte owner créé. L’inscription est maintenant désactivée.",
      "accountCreated": "Compte créé.",
      "registrationDisabled": "L’inscription est désactivée pour cette instance admin. Demandez à un administrateur de créer un compte ou de réactiver l’auto-inscription."
    },
    "errors": {
      "nameRequired": "Le nom est requis pour créer un compte",
      "signInFailed": "Échec de la connexion",
      "signUpFailed": "Échec de l’inscription",
      "networkSignIn": "Erreur réseau lors de la connexion",
      "networkSignUp": "Erreur réseau lors de l’inscription"
    }
  },
  "settings": {
    "badge": "Paramètres Admin",
    "title": "Paramètres",
    "description": "Gérez les politiques d’exécution pour l’authentification et l’onboarding de l’admin.",
    "actions": {
      "backToDashboard": "Retour au tableau de bord"
    },
    "registration": {
      "title": "Auto-inscription admin",
      "description": "Lorsqu’elle est activée, /register peut créer des comptes admin supplémentaires après l’initialisation du premier owner.",
      "currentStatusLabel": "Statut actuel",
      "status": {
        "enabled": "Activé",
        "disabled": "Désactivé"
      },
      "checkboxLabel": "Autoriser l’auto-inscription sur /register pour les utilisateurs admin",
      "actions": {
        "save": "Enregistrer la politique d’inscription"
      },
      "success": {
        "updated": "Politique d’inscription mise à jour."
      },
      "errors": {
        "updateFailed": "Échec de l’enregistrement des paramètres. Vérifiez que les migrations de base de données sont appliquées."
      }
    }
  },
  "dashboard": {
    "badge": "Application Admin",
    "title": "Tableau de bord contenu",
    "description": "Gérez les publications depuis une surface d’administration dédiée.",
    "actions": {
      "openRoadmap": "Ouvrir la feuille de route et la progression"
    },
    "notices": {
      "noCrudPermission": "Vous pouvez lire les publications, mais votre rôle ne peut pas créer/modifier/supprimer des publications.",
      "crudSandboxTag": "Test fonctionnel MVP0"
    },
    "posts": {
      "title": "Sandbox CRUD des publications",
      "createTitle": "Créer une publication",
      "fields": {
        "title": "Titre",
        "slug": "Slug",
        "excerpt": "Extrait",
        "body": "Contenu",
        "status": "Statut"
      },
      "status": {
        "draft": "Brouillon",
        "published": "Publié"
      },
      "actions": {
        "create": "Créer une publication",
        "save": "Enregistrer les modifications",
        "delete": "Supprimer"
      },
      "errors": {
        "createFailed": "Échec de la création. Vérifiez vos données.",
        "updateFailed": "Échec de la mise à jour. Vérifiez vos données.",
        "updateMissingId": "Échec de la mise à jour. ID de publication manquant.",
        "deleteFailed": "Échec de la suppression.",
        "deleteMissingId": "Échec de la suppression. ID de publication manquant."
      },
      "success": {
        "created": "Publication créée.",
        "updated": "Publication mise à jour.",
        "deleted": "Publication supprimée."
      },
      "fallback": {
        "noExcerpt": "Aucun extrait"
      }
    }
  }
 }
--- a/apps/admin/src/providers/admin-i18n-provider.tsx
+++ b/apps/admin/src/providers/admin-i18n-provider.tsx
@ -0,0 +1,53 @@
 "use client"
 import type { AppLocale } from "@cms/i18n"
 import { createContext, type ReactNode, useContext, useMemo } from "react"
 import type { AdminMessages } from "@/i18n/messages"
 import { translateMessage } from "@/i18n/messages"
 type AdminI18nContextValue = {
  locale: AppLocale
  messages: AdminMessages
 }
 const AdminI18nContext = createContext<AdminI18nContextValue | null>(null)
 export function AdminI18nProvider({
  locale,
  messages,
  children,
 }: {
  locale: AppLocale
  messages: AdminMessages
  children: ReactNode
 }) {
  const value = useMemo(
    () => ({
      locale,
      messages,
    }),
    [locale, messages],
  )
  return <AdminI18nContext.Provider value={value}>{children}</AdminI18nContext.Provider>
 }
 export function useAdminI18n(): AdminI18nContextValue {
  const context = useContext(AdminI18nContext)
  if (!context) {
    throw new Error("useAdminI18n must be used inside AdminI18nProvider")
  }
  return context
 }
 export function useAdminT() {
  const { messages } = useAdminI18n()
  return useMemo(
    () => (key: string, fallback?: string) => translateMessage(messages, key, fallback),
    [messages],
  )
 }
--- a/apps/web/next.config.ts
+++ b/apps/web/next.config.ts
@ -1,7 +1,10 @@
 import type { NextConfig } from "next"
 import createNextIntlPlugin from "next-intl/plugin"
 const withNextIntl = createNextIntlPlugin("./src/i18n/request.ts")
 const nextConfig: NextConfig = {
-  transpilePackages: ["@cms/ui", "@cms/content", "@cms/db"],
+  transpilePackages: ["@cms/ui", "@cms/content", "@cms/db", "@cms/i18n"],
 }
-export default nextConfig
+export default withNextIntl(nextConfig)
--- a/apps/web/package.json
+++ b/apps/web/package.json
@ -13,10 +13,12 @@
  "dependencies": {
    "@cms/content": "workspace:*",
    "@cms/db": "workspace:*",
    "@cms/i18n": "workspace:*",
    "@cms/ui": "workspace:*",
    "@tanstack/react-query": "5.90.20",
    "@tanstack/react-query-devtools": "5.91.3",
    "next": "16.1.6",
    "next-intl": "4.4.0",
    "react": "19.2.4",
    "react-dom": "19.2.4",
    "zustand": "5.0.11"
--- a/apps/web/src/app/[locale]/layout.tsx
+++ b/apps/web/src/app/[locale]/layout.tsx
@ -0,0 +1,27 @@
 import { notFound } from "next/navigation"
 import { hasLocale, NextIntlClientProvider } from "next-intl"
 import type { ReactNode } from "react"
 import { routing } from "@/i18n/routing"
 import { Providers } from "../providers"
 type LocaleLayoutProps = {
  children: ReactNode
  params: Promise<{
    locale: string
  }>
 }
 export default async function LocaleLayout({ children, params }: LocaleLayoutProps) {
  const { locale } = await params
  if (!hasLocale(routing.locales, locale)) {
    notFound()
  }
  return (
    <NextIntlClientProvider locale={locale}>
      <Providers>{children}</Providers>
    </NextIntlClientProvider>
  )
 }
--- a/apps/web/src/app/[locale]/page.tsx
+++ b/apps/web/src/app/[locale]/page.tsx
@ -1,25 +1,29 @@
 import { listPosts } from "@cms/db"
 import { Button } from "@cms/ui/button"
 import { getTranslations } from "next-intl/server"
 import { LanguageSwitcher } from "@/components/language-switcher"
 export const dynamic = "force-dynamic"
 export default async function HomePage() {
-  const posts = await listPosts()
+  const [posts, t] = await Promise.all([listPosts(), getTranslations("Home")])
  return (
    <main className="mx-auto flex min-h-screen w-full max-w-3xl flex-col gap-6 px-6 py-16">
      <header className="space-y-3">
-        <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">Web App</p>
+        <div className="flex flex-wrap items-center justify-between gap-3">
-        <h1 className="text-4xl font-semibold tracking-tight">Your Next.js CMS Frontend</h1>
+          <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">{t("badge")}</p>
-        <p className="text-neutral-600">
+          <LanguageSwitcher />
-          This page reads posts through the shared database package.
+        </div>
-        </p>
+        <h1 className="text-4xl font-semibold tracking-tight">{t("title")}</h1>
        <p className="text-neutral-600">{t("description")}</p>
      </header>
      <section className="space-y-4 rounded-xl border border-neutral-200 p-6">
        <div className="flex items-center justify-between">
-          <h2 className="text-xl font-medium">Latest posts</h2>
+          <h2 className="text-xl font-medium">{t("latestPosts")}</h2>
-          <Button variant="secondary">Explore</Button>
+          <Button variant="secondary">{t("explore")}</Button>
        </div>
        <ul className="space-y-3">
@ -27,7 +31,7 @@ export default async function HomePage() {
            <li key={post.id} className="rounded-lg border border-neutral-200 p-4">
              <p className="text-xs uppercase tracking-wide text-neutral-500">{post.status}</p>
              <h3 className="mt-1 text-lg font-medium">{post.title}</h3>
-              <p className="mt-2 text-sm text-neutral-600">{post.excerpt ?? "No excerpt"}</p>
+              <p className="mt-2 text-sm text-neutral-600">{post.excerpt ?? t("noExcerpt")}</p>
            </li>
          ))}
        </ul>
--- a/apps/web/src/app/layout.tsx
+++ b/apps/web/src/app/layout.tsx
@ -2,7 +2,6 @@ import type { Metadata } from "next"
 import type { ReactNode } from "react"
 import "./globals.css"
 import { Providers } from "./providers"
 export const metadata: Metadata = {
  title: "CMS Web",
@ -12,9 +11,7 @@ export const metadata: Metadata = {
 export default function RootLayout({ children }: { children: ReactNode }) {
  return (
    <html lang="en">
-      <body>
+      <body>{children}</body>
        <Providers>{children}</Providers>
      </body>
    </html>
  )
 }
--- a/apps/web/src/components/language-switcher.tsx
+++ b/apps/web/src/components/language-switcher.tsx
@ -0,0 +1,50 @@
 "use client"
 import { type AppLocale, localeLabels, locales } from "@cms/i18n"
 import { useLocale, useTranslations } from "next-intl"
 import { useEffect, useTransition } from "react"
 import { usePathname, useRouter } from "@/i18n/navigation"
 import { useLocaleStore } from "@/store/locale"
 export function LanguageSwitcher() {
  const t = useTranslations("LanguageSwitcher")
  const currentLocale = useLocale() as AppLocale
  const pathname = usePathname()
  const router = useRouter()
  const [isPending, startTransition] = useTransition()
  const locale = useLocaleStore((state) => state.locale)
  const setLocale = useLocaleStore((state) => state.setLocale)
  useEffect(() => {
    if (locale !== currentLocale) {
      setLocale(currentLocale)
    }
  }, [currentLocale, locale, setLocale])
  return (
    <label className="inline-flex items-center gap-2 text-sm text-neutral-700">
      <span>{t("label")}</span>
      <select
        className="rounded-md border border-neutral-300 bg-white px-2 py-1 text-sm"
        value={locale}
        disabled={isPending}
        onChange={(event) => {
          const nextLocale = event.target.value as AppLocale
          setLocale(nextLocale)
          startTransition(() => {
            router.replace(pathname, { locale: nextLocale })
          })
        }}
      >
        {locales.map((value) => (
          <option key={value} value={value}>
            {t(`localeNames.${value}`)} ({localeLabels[value]})
          </option>
        ))}
      </select>
    </label>
  )
 }
--- a/apps/web/src/i18n/navigation.ts
+++ b/apps/web/src/i18n/navigation.ts
@ -0,0 +1,5 @@
 import { createNavigation } from "next-intl/navigation"
 import { routing } from "./routing"
 export const { Link, redirect, usePathname, useRouter, getPathname } = createNavigation(routing)
--- a/apps/web/src/i18n/request.ts
+++ b/apps/web/src/i18n/request.ts
@ -0,0 +1,14 @@
 import { hasLocale } from "next-intl"
 import { getRequestConfig } from "next-intl/server"
 import { routing } from "./routing"
 export default getRequestConfig(async ({ requestLocale }) => {
  const requested = await requestLocale
  const locale = hasLocale(routing.locales, requested) ? requested : routing.defaultLocale
  return {
    locale,
    messages: (await import(`../messages/${locale}.json`)).default,
  }
 })
--- a/apps/web/src/i18n/routing.ts
+++ b/apps/web/src/i18n/routing.ts
@ -0,0 +1,8 @@
 import { defaultLocale, locales } from "@cms/i18n"
 import { defineRouting } from "next-intl/routing"
 export const routing = defineRouting({
  locales: [...locales],
  defaultLocale,
  localePrefix: "never",
 })
--- a/apps/web/src/messages/de.json
+++ b/apps/web/src/messages/de.json
@ -0,0 +1,19 @@
 {
  "Home": {
    "badge": "Web-App",
    "title": "Dein Next.js CMS Frontend",
    "description": "Diese Seite liest Beiträge über das gemeinsame Datenbank-Paket.",
    "latestPosts": "Neueste Beiträge",
    "explore": "Entdecken",
    "noExcerpt": "Kein Auszug"
  },
  "LanguageSwitcher": {
    "label": "Sprache",
    "localeNames": {
      "de": "Deutsch",
      "en": "Englisch",
      "es": "Spanisch",
      "fr": "Französisch"
    }
  }
 }
--- a/apps/web/src/messages/en.json
+++ b/apps/web/src/messages/en.json
@ -0,0 +1,19 @@
 {
  "Home": {
    "badge": "Web App",
    "title": "Your Next.js CMS Frontend",
    "description": "This page reads posts through the shared database package.",
    "latestPosts": "Latest posts",
    "explore": "Explore",
    "noExcerpt": "No excerpt"
  },
  "LanguageSwitcher": {
    "label": "Language",
    "localeNames": {
      "de": "German",
      "en": "English",
      "es": "Spanish",
      "fr": "French"
    }
  }
 }
--- a/apps/web/src/messages/es.json
+++ b/apps/web/src/messages/es.json
@ -0,0 +1,19 @@
 {
  "Home": {
    "badge": "Aplicación Web",
    "title": "Tu Frontend CMS con Next.js",
    "description": "Esta página lee publicaciones a través del paquete compartido de base de datos.",
    "latestPosts": "Últimas publicaciones",
    "explore": "Explorar",
    "noExcerpt": "Sin extracto"
  },
  "LanguageSwitcher": {
    "label": "Idioma",
    "localeNames": {
      "de": "Alemán",
      "en": "Inglés",
      "es": "Español",
      "fr": "Francés"
    }
  }
 }
--- a/apps/web/src/messages/fr.json
+++ b/apps/web/src/messages/fr.json
@ -0,0 +1,19 @@
 {
  "Home": {
    "badge": "Application Web",
    "title": "Votre Frontend CMS Next.js",
    "description": "Cette page lit les publications via le package base de données partagé.",
    "latestPosts": "Dernières publications",
    "explore": "Explorer",
    "noExcerpt": "Aucun extrait"
  },
  "LanguageSwitcher": {
    "label": "Langue",
    "localeNames": {
      "de": "Allemand",
      "en": "Anglais",
      "es": "Espagnol",
      "fr": "Français"
    }
  }
 }
--- a/apps/web/src/proxy.ts
+++ b/apps/web/src/proxy.ts
@ -0,0 +1,14 @@
 import type { NextRequest } from "next/server"
 import createMiddleware from "next-intl/middleware"
 import { routing } from "@/i18n/routing"
 const handleI18nRouting = createMiddleware(routing)
 export function proxy(request: NextRequest) {
  return handleI18nRouting(request)
 }
 export const config = {
  matcher: ["/((?!api|trpc|_next|_vercel|.*\\..*).*)"],
 }
--- a/apps/web/src/store/locale.test.ts
+++ b/apps/web/src/store/locale.test.ts
@ -0,0 +1,12 @@
 import { describe, expect, it } from "vitest"
 import { useLocaleStore } from "./locale"
 describe("web locale store", () => {
  it("sets locale", () => {
    useLocaleStore.setState({ locale: "en" })
    useLocaleStore.getState().setLocale("de")
    expect(useLocaleStore.getState().locale).toBe("de")
  })
 })
--- a/apps/web/src/store/locale.ts
+++ b/apps/web/src/store/locale.ts
@ -0,0 +1,12 @@
 import { type AppLocale, defaultLocale } from "@cms/i18n"
 import { create } from "zustand"
 type LocaleStore = {
  locale: AppLocale
  setLocale: (value: AppLocale) => void
 }
 export const useLocaleStore = create<LocaleStore>((set) => ({
  locale: defaultLocale,
  setLocale: (value) => set({ locale: value }),
 }))
--- a/bun.lock
+++ b/bun.lock
@ -5,23 +5,23 @@
    "": {
      "name": "cms-monorepo",
      "devDependencies": {
-        "@biomejs/biome": "latest",
+        "@biomejs/biome": "2.3.14",
-        "@commitlint/cli": "latest",
+        "@commitlint/cli": "20.4.1",
-        "@commitlint/config-conventional": "latest",
+        "@commitlint/config-conventional": "20.4.1",
-        "@playwright/test": "latest",
+        "@playwright/test": "1.58.2",
-        "@testing-library/jest-dom": "latest",
+        "@testing-library/jest-dom": "6.9.1",
-        "@testing-library/react": "latest",
+        "@testing-library/react": "16.3.2",
-        "@testing-library/user-event": "latest",
+        "@testing-library/user-event": "14.6.1",
-        "@vitejs/plugin-react": "latest",
+        "@vitejs/plugin-react": "5.1.3",
-        "@vitest/coverage-istanbul": "latest",
+        "@vitest/coverage-istanbul": "4.0.18",
-        "conventional-changelog-cli": "latest",
+        "conventional-changelog-cli": "5.0.0",
-        "jsdom": "latest",
+        "jsdom": "28.0.0",
-        "msw": "latest",
+        "msw": "2.12.9",
-        "turbo": "latest",
+        "turbo": "2.8.3",
-        "typescript": "latest",
+        "typescript": "5.9.3",
-        "vite-tsconfig-paths": "latest",
+        "vite-tsconfig-paths": "6.1.0",
-        "vitepress": "latest",
+        "vitepress": "1.6.4",
-        "vitest": "latest",
+        "vitest": "4.0.18",
      },
    },
    "apps/admin": {
@ -30,26 +30,27 @@
      "dependencies": {
        "@cms/content": "workspace:*",
        "@cms/db": "workspace:*",
        "@cms/i18n": "workspace:*",
        "@cms/ui": "workspace:*",
-        "@tanstack/react-form": "latest",
+        "@tanstack/react-form": "1.28.0",
-        "@tanstack/react-query": "latest",
+        "@tanstack/react-query": "5.90.20",
-        "@tanstack/react-query-devtools": "latest",
+        "@tanstack/react-query-devtools": "5.91.3",
-        "@tanstack/react-table": "latest",
+        "@tanstack/react-table": "8.21.3",
        "better-auth": "1.4.18",
-        "next": "latest",
+        "next": "16.1.6",
-        "react": "latest",
+        "react": "19.2.4",
-        "react-dom": "latest",
+        "react-dom": "19.2.4",
-        "zustand": "latest",
+        "zustand": "5.0.11",
      },
      "devDependencies": {
-        "@biomejs/biome": "latest",
+        "@biomejs/biome": "2.3.14",
        "@cms/config": "workspace:*",
-        "@tailwindcss/postcss": "latest",
+        "@tailwindcss/postcss": "4.1.18",
-        "@types/node": "latest",
+        "@types/node": "25.2.2",
-        "@types/react": "latest",
+        "@types/react": "19.2.13",
-        "@types/react-dom": "latest",
+        "@types/react-dom": "19.2.3",
-        "tailwindcss": "latest",
+        "tailwindcss": "4.1.18",
-        "typescript": "latest",
+        "typescript": "5.9.3",
      },
    },
    "apps/web": {
@ -58,23 +59,25 @@
      "dependencies": {
        "@cms/content": "workspace:*",
        "@cms/db": "workspace:*",
        "@cms/i18n": "workspace:*",
        "@cms/ui": "workspace:*",
-        "@tanstack/react-query": "latest",
+        "@tanstack/react-query": "5.90.20",
-        "@tanstack/react-query-devtools": "latest",
+        "@tanstack/react-query-devtools": "5.91.3",
-        "next": "latest",
+        "next": "16.1.6",
-        "react": "latest",
+        "next-intl": "4.4.0",
-        "react-dom": "latest",
+        "react": "19.2.4",
-        "zustand": "latest",
+        "react-dom": "19.2.4",
        "zustand": "5.0.11",
      },
      "devDependencies": {
-        "@biomejs/biome": "latest",
+        "@biomejs/biome": "2.3.14",
        "@cms/config": "workspace:*",
-        "@tailwindcss/postcss": "latest",
+        "@tailwindcss/postcss": "4.1.18",
-        "@types/node": "latest",
+        "@types/node": "25.2.2",
-        "@types/react": "latest",
+        "@types/react": "19.2.13",
-        "@types/react-dom": "latest",
+        "@types/react-dom": "19.2.3",
-        "tailwindcss": "latest",
+        "tailwindcss": "4.1.18",
-        "typescript": "latest",
+        "typescript": "5.9.3",
      },
    },
    "packages/config": {
@ -85,12 +88,24 @@
      "name": "@cms/content",
      "version": "0.0.1",
      "dependencies": {
-        "zod": "latest",
+        "zod": "4.3.6",
      },
      "devDependencies": {
-        "@biomejs/biome": "latest",
+        "@biomejs/biome": "2.3.14",
        "@cms/config": "workspace:*",
-        "typescript": "latest",
+        "typescript": "5.9.3",
      },
    },
    "packages/crud": {
      "name": "@cms/crud",
      "version": "0.0.1",
      "dependencies": {
        "zod": "4.3.6",
      },
      "devDependencies": {
        "@biomejs/biome": "2.3.14",
        "@cms/config": "workspace:*",
        "typescript": "5.9.3",
      },
    },
    "packages/db": {
@ -98,39 +113,48 @@
      "version": "0.0.1",
      "dependencies": {
        "@cms/content": "workspace:*",
-        "@prisma/adapter-pg": "latest",
+        "@cms/crud": "workspace:*",
-        "@prisma/client": "latest",
+        "@prisma/adapter-pg": "7.3.0",
-        "pg": "latest",
+        "@prisma/client": "7.3.0",
-        "zod": "latest",
+        "pg": "8.18.0",
        "zod": "4.3.6",
      },
      "devDependencies": {
-        "@biomejs/biome": "latest",
+        "@biomejs/biome": "2.3.14",
        "@cms/config": "workspace:*",
-        "@types/node": "latest",
+        "@types/node": "25.2.2",
-        "@types/pg": "latest",
+        "@types/pg": "8.16.0",
-        "better-auth": "1.4.18",
+        "prisma": "7.3.0",
-        "prisma": "latest",
+        "typescript": "5.9.3",
-        "typescript": "latest",
+      },
    },
    "packages/i18n": {
      "name": "@cms/i18n",
      "version": "0.0.1",
      "devDependencies": {
        "@biomejs/biome": "2.3.14",
        "@cms/config": "workspace:*",
        "typescript": "5.9.3",
      },
    },
    "packages/ui": {
      "name": "@cms/ui",
      "version": "0.0.1",
      "dependencies": {
-        "class-variance-authority": "latest",
+        "class-variance-authority": "0.7.1",
-        "clsx": "latest",
+        "clsx": "2.1.1",
-        "tailwind-merge": "latest",
+        "tailwind-merge": "3.4.0",
      },
      "devDependencies": {
-        "@biomejs/biome": "latest",
+        "@biomejs/biome": "2.3.14",
        "@cms/config": "workspace:*",
-        "@types/react": "latest",
+        "@types/react": "19.2.13",
-        "@types/react-dom": "latest",
+        "@types/react-dom": "19.2.3",
-        "typescript": "latest",
+        "typescript": "5.9.3",
      },
      "peerDependencies": {
-        "react": "latest",
+        "react": "19.2.4",
-        "react-dom": "latest",
+        "react-dom": "19.2.4",
      },
    },
  },
@ -263,8 +287,12 @@
    "@cms/content": ["@cms/content@workspace:packages/content"],
    "@cms/crud": ["@cms/crud@workspace:packages/crud"],
    "@cms/db": ["@cms/db@workspace:packages/db"],
    "@cms/i18n": ["@cms/i18n@workspace:packages/i18n"],
    "@cms/ui": ["@cms/ui@workspace:packages/ui"],
    "@cms/web": ["@cms/web@workspace:apps/web"],
@ -385,6 +413,16 @@
    "@exodus/bytes": ["@exodus/bytes@1.12.0", "", { "peerDependencies": { "@noble/hashes": "^1.8.0 || ^2.0.0" }, "optionalPeers": ["@noble/hashes"] }, "sha512-BuCOHA/EJdPN0qQ5MdgAiJSt9fYDHbghlgrj33gRdy/Yp1/FMCDhU6vJfcKrLC0TPWGSrfH3vYXBQWmFHxlddw=="],
    "@formatjs/ecma402-abstract": ["@formatjs/ecma402-abstract@3.1.1", "", { "dependencies": { "@formatjs/fast-memoize": "3.1.0", "@formatjs/intl-localematcher": "0.8.1", "decimal.js": "^10.6.0", "tslib": "^2.8.1" } }, "sha512-jhZbTwda+2tcNrs4kKvxrPLPjx8QsBCLCUgrrJ/S+G9YrGHWLhAyFMMBHJBnBoOwuLHd7L14FgYudviKaxkO2Q=="],
    "@formatjs/fast-memoize": ["@formatjs/fast-memoize@3.1.0", "", { "dependencies": { "tslib": "^2.8.1" } }, "sha512-b5mvSWCI+XVKiz5WhnBCY3RJ4ZwfjAidU0yVlKa3d3MSgKmH1hC3tBGEAtYyN5mqL7N0G5x0BOUYyO8CEupWgg=="],
    "@formatjs/icu-messageformat-parser": ["@formatjs/icu-messageformat-parser@3.5.1", "", { "dependencies": { "@formatjs/ecma402-abstract": "3.1.1", "@formatjs/icu-skeleton-parser": "2.1.1", "tslib": "^2.8.1" } }, "sha512-sSDmSvmmoVQ92XqWb499KrIhv/vLisJU8ITFrx7T7NZHUmMY7EL9xgRowAosaljhqnj/5iufG24QrdzB6X3ItA=="],
    "@formatjs/icu-skeleton-parser": ["@formatjs/icu-skeleton-parser@2.1.1", "", { "dependencies": { "@formatjs/ecma402-abstract": "3.1.1", "tslib": "^2.8.1" } }, "sha512-PSFABlcNefjI6yyk8f7nyX1DC7NHmq6WaCHZLySEXBrXuLOB2f935YsnzuPjlz+ibhb9yWTdPeVX1OVcj24w2Q=="],
    "@formatjs/intl-localematcher": ["@formatjs/intl-localematcher@0.5.10", "", { "dependencies": { "tslib": "2" } }, "sha512-af3qATX+m4Rnd9+wHcjJ4w2ijq+rAVP3CCinJQvFv1kgSu1W6jypUmvleJxcewdxmutM8dmIRZFxO/IQBZmP2Q=="],
    "@hono/node-server": ["@hono/node-server@1.19.9", "", { "peerDependencies": { "hono": "^4" } }, "sha512-vHL6w3ecZsky+8P5MD+eFfaGTyCeOHUIFYMGpQGbrBTSmNNoxv0if69rEZ5giu36weC5saFuznL411gRX7bJDw=="],
    "@hutson/parse-repository-url": ["@hutson/parse-repository-url@5.0.0", "", {}, "sha512-e5+YUKENATs1JgYHMzTr2MW/NDcXGfYFAuOQU8gJgF/kEh4EqKgfGrfLI67bMD4tbhZVlkigz/9YYwWcbOFthg=="],
@ -577,6 +615,8 @@
    "@rollup/rollup-win32-x64-msvc": ["@rollup/rollup-win32-x64-msvc@4.57.1", "", { "os": "win32", "cpu": "x64" }, "sha512-mxRFDdHIWRxg3UfIIAwCm6NzvxG0jDX/wBN6KsQFTvKFqqg9vTrWUE68qEjHt19A5wwx5X5aUi2zuZT7YR0jrA=="],
    "@schummar/icu-type-parser": ["@schummar/icu-type-parser@1.21.5", "", {}, "sha512-bXHSaW5jRTmke9Vd0h5P7BtWZG9Znqb8gSDxZnxaGSJnGwPLDPfS+3g0BKzeWqzgZPsIVZkM7m2tbo18cm5HBw=="],
    "@shikijs/core": ["@shikijs/core@2.5.0", "", { "dependencies": { "@shikijs/engine-javascript": "2.5.0", "@shikijs/engine-oniguruma": "2.5.0", "@shikijs/types": "2.5.0", "@shikijs/vscode-textmate": "^10.0.2", "@types/hast": "^3.0.4", "hast-util-to-html": "^9.0.4" } }, "sha512-uu/8RExTKtavlpH7XqnVYBrfBkUc20ngXiX9NSrBhOVZYv/7XQRKUyhtkeflY5QsxC0GbJThCerruZfsUaSldg=="],
    "@shikijs/engine-javascript": ["@shikijs/engine-javascript@2.5.0", "", { "dependencies": { "@shikijs/types": "2.5.0", "@shikijs/vscode-textmate": "^10.0.2", "oniguruma-to-es": "^3.1.0" } }, "sha512-VjnOpnQf8WuCEZtNUdjjwGUbtAVKuZkVQ/5cHy/tojVVRIRtlWMYVjyWhxOmIq05AlSOv72z7hRNRGVBgQOl0w=="],
@ -1015,6 +1055,8 @@
    "iconv-lite": ["iconv-lite@0.7.2", "", { "dependencies": { "safer-buffer": ">= 2.1.2 < 3.0.0" } }, "sha512-im9DjEDQ55s9fL4EYzOAv0yMqmMBSZp6G0VvFyTMPKWxiSBHUj9NW/qqLmXUwXrrM7AvqSlTCfvqRb0cM8yYqw=="],
    "icu-minify": ["icu-minify@4.8.2", "", { "dependencies": { "@formatjs/icu-messageformat-parser": "^3.4.0" } }, "sha512-LHBQV+skKkjZSPd590pZ7ZAHftUgda3eFjeuNwA8/15L8T8loCNBktKQyTlkodAU86KovFXeg/9WntlAo5wA5A=="],
    "import-fresh": ["import-fresh@3.3.1", "", { "dependencies": { "parent-module": "^1.0.0", "resolve-from": "^4.0.0" } }, "sha512-TR3KfrTZTYLPB6jUjfx6MF9WcWrHL9su5TObK4ZkYgBdWKPOFoSoQIdEuTuR82pmtxH2spWG9h6etwfr1pLBqQ=="],
    "import-meta-resolve": ["import-meta-resolve@4.2.0", "", {}, "sha512-Iqv2fzaTQN28s/FwZAoFq0ZSs/7hMAHJVX+w8PZl3cY19Pxk6jFFalxQoIfW2826i/fDLXv8IiEZRIT0lDuWcg=="],
@ -1025,6 +1067,8 @@
    "ini": ["ini@4.1.1", "", {}, "sha512-QQnnxNyfvmHFIsj7gkPcYymR8Jdw/o7mp5ZFihxn6h8Ci6fh3Dx4E1gPjpQEpIuPo9XVNY/ZUwh4BPMjGyL01g=="],
    "intl-messageformat": ["intl-messageformat@11.1.2", "", { "dependencies": { "@formatjs/ecma402-abstract": "3.1.1", "@formatjs/fast-memoize": "3.1.0", "@formatjs/icu-messageformat-parser": "3.5.1", "tslib": "^2.8.1" } }, "sha512-ucSrQmZGAxfiBHfBRXW/k7UC8MaGFlEj4Ry1tKiDcmgwQm1y3EDl40u+4VNHYomxJQMJi9NEI3riDRlth96jKg=="],
    "is-arrayish": ["is-arrayish@0.2.1", "", {}, "sha512-zz06S8t0ozoDXMG+ube26zeCTNXcKIPJZJi8hBrF4idCLms4CG9QtK7qBl1boi5ODzFpjswb5JPmHCbMpjaYzg=="],
    "is-fullwidth-code-point": ["is-fullwidth-code-point@3.0.0", "", {}, "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg=="],
@ -1167,10 +1211,14 @@
    "nanostores": ["nanostores@1.1.0", "", {}, "sha512-yJBmDJr18xy47dbNVlHcgdPrulSn1nhSE6Ns9vTG+Nx9VPT6iV1MD6aQFp/t52zpf82FhLLTXAXr30NuCnxvwA=="],
    "negotiator": ["negotiator@1.0.0", "", {}, "sha512-8Ofs/AUQh8MaEcrlq5xOX0CQ9ypTF5dl78mjlMNfOK08fzpgTHQRQPBxcPlEtIw0yRpws+Zo/3r+5WRby7u3Gg=="],
    "neo-async": ["neo-async@2.6.2", "", {}, "sha512-Yd3UES5mWCSqR+qNT93S3UoYUkqAZ9lLg8a7g9rimsWmYGK8cVToA4/sF3RrshdyV3sAGMXVUmpMYOw+dLpOuw=="],
    "next": ["next@16.1.6", "", { "dependencies": { "@next/env": "16.1.6", "@swc/helpers": "0.5.15", "baseline-browser-mapping": "^2.8.3", "caniuse-lite": "^1.0.30001579", "postcss": "8.4.31", "styled-jsx": "5.1.6" }, "optionalDependencies": { "@next/swc-darwin-arm64": "16.1.6", "@next/swc-darwin-x64": "16.1.6", "@next/swc-linux-arm64-gnu": "16.1.6", "@next/swc-linux-arm64-musl": "16.1.6", "@next/swc-linux-x64-gnu": "16.1.6", "@next/swc-linux-x64-musl": "16.1.6", "@next/swc-win32-arm64-msvc": "16.1.6", "@next/swc-win32-x64-msvc": "16.1.6", "sharp": "^0.34.4" }, "peerDependencies": { "@opentelemetry/api": "^1.1.0", "@playwright/test": "^1.51.1", "babel-plugin-react-compiler": "*", "react": "^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0", "react-dom": "^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0", "sass": "^1.3.0" }, "optionalPeers": ["@opentelemetry/api", "@playwright/test", "babel-plugin-react-compiler", "sass"], "bin": { "next": "dist/bin/next" } }, "sha512-hkyRkcu5x/41KoqnROkfTm2pZVbKxvbZRuNvKXLRXxs3VfyO0WhY50TQS40EuKO9SW3rBj/sF3WbVwDACeMZyw=="],
    "next-intl": ["next-intl@4.4.0", "", { "dependencies": { "@formatjs/intl-localematcher": "^0.5.4", "negotiator": "^1.0.0", "use-intl": "^4.4.0" }, "peerDependencies": { "next": "^12.0.0 || ^13.0.0 || ^14.0.0 || ^15.0.0 || ^16.0.0", "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || >=19.0.0-rc <19.0.0 || ^19.0.0", "typescript": "^5.0.0" }, "optionalPeers": ["typescript"] }, "sha512-QHqnP9V9Pe7Tn0PdVQ7u1Z8k9yCkW5SJKeRy2g5gxzhSt/C01y3B9qNxuj3Fsmup/yreIHe6osxU6sFa+9WIkQ=="],
    "node-fetch-native": ["node-fetch-native@1.6.7", "", {}, "sha512-g9yhqoedzIUm0nTnTqAQvueMPVOuIY16bqgAJJC8XOOubYFNwz6IER9qs0Gq2Xd0+CecCKFjtdDTMA4u4xG06Q=="],
    "node-releases": ["node-releases@2.0.27", "", {}, "sha512-nmh3lCkYZ3grZvqcCH+fjmQ7X+H0OeZgP40OierEaAptX4XofMh5kwNbWh7lBduUzCcV/8kZ+NDLCwm2iorIlA=="],
@ -1443,6 +1491,8 @@
    "update-browserslist-db": ["update-browserslist-db@1.2.3", "", { "dependencies": { "escalade": "^3.2.0", "picocolors": "^1.1.1" }, "peerDependencies": { "browserslist": ">= 4.21.0" }, "bin": { "update-browserslist-db": "cli.js" } }, "sha512-Js0m9cx+qOgDxo0eMiFGEueWztz+d4+M3rGlmKPT+T4IS/jP4ylw3Nwpu6cpTTP8R1MAC1kF4VbdLt3ARf209w=="],
    "use-intl": ["use-intl@4.8.2", "", { "dependencies": { "@formatjs/fast-memoize": "^3.1.0", "@schummar/icu-type-parser": "1.21.5", "icu-minify": "^4.8.2", "intl-messageformat": "^11.1.0" }, "peerDependencies": { "react": "^17.0.0 || ^18.0.0 || >=19.0.0-rc <19.0.0 || ^19.0.0" } }, "sha512-3VNXZgDnPFqhIYosQ9W1Hc6K5q+ZelMfawNbexdwL/dY7BTHbceLUBX5Eeex9lgogxTp0pf1SjHuhYNAjr9H3g=="],
    "use-sync-external-store": ["use-sync-external-store@1.6.0", "", { "peerDependencies": { "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0" } }, "sha512-Pp6GSwGP/NrPIrxVFAIkOQeyw8lFenOHijQWkUTrDvrF4ALqylP2C/KCkeS9dpUM3KvYRQhna5vt7IL95+ZQ9w=="],
    "valibot": ["valibot@1.2.0", "", { "peerDependencies": { "typescript": ">=5" }, "optionalPeers": ["typescript"] }, "sha512-mm1rxUsmOxzrwnX5arGS+U4T25RdvpPjPN4yR0u9pUBov9+zGVtO84tif1eY4r6zWxVxu3KzIyknJy3rxfRZZg=="],
@ -1509,6 +1559,8 @@
    "@conventional-changelog/git-client/semver": ["semver@7.7.4", "", { "bin": { "semver": "bin/semver.js" } }, "sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA=="],
    "@formatjs/ecma402-abstract/@formatjs/intl-localematcher": ["@formatjs/intl-localematcher@0.8.1", "", { "dependencies": { "@formatjs/fast-memoize": "3.1.0", "tslib": "^2.8.1" } }, "sha512-xwEuwQFdtSq1UKtQnyTZWC+eHdv7Uygoa+H2k/9uzBVQjDyp9r20LNDNKedWXll7FssT3GRHvqsdJGYSUWqYFA=="],
    "@inquirer/core/wrap-ansi": ["wrap-ansi@6.2.0", "", { "dependencies": { "ansi-styles": "^4.0.0", "string-width": "^4.1.0", "strip-ansi": "^6.0.0" } }, "sha512-r6lPcBGxZXlIcymEu7InxDMhdW0KDxpLgoFLcguasxCaJ/SOIZwINatK9KY/tf+ZrlywOKU0UDj3ATXUBfxJXA=="],
    "@prisma/engines/@prisma/get-platform": ["@prisma/get-platform@7.3.0", "", { "dependencies": { "@prisma/debug": "7.3.0" } }, "sha512-N7c6m4/I0Q6JYmWKP2RCD/sM9eWiyCPY98g5c0uEktObNSZnugW2U/PO+pwL0UaqzxqTXt7gTsYsb0FnMnJNbg=="],
--- a/docs/.vitepress/config.mts
+++ b/docs/.vitepress/config.mts
@ -20,7 +20,10 @@ export default defineConfig({
          { text: "Getting Started", link: "/getting-started" },
          { text: "Architecture", link: "/architecture" },
          { text: "Better Auth Baseline", link: "/product-engineering/auth-baseline" },
          { text: "CRUD Baseline", link: "/product-engineering/crud-baseline" },
          { text: "i18n Baseline", link: "/product-engineering/i18n-baseline" },
          { text: "RBAC And Permissions", link: "/product-engineering/rbac-permission-model" },
          { text: "Testing Strategy", link: "/product-engineering/testing-strategy" },
          { text: "Workflow", link: "/workflow" },
        ],
      },
--- a/docs/architecture.md
+++ b/docs/architecture.md
@ -6,7 +6,9 @@
 - `apps/admin`: admin app
 - `packages/db`: prisma + data access
 - `packages/content`: shared schemas and domain contracts
 - `packages/crud`: shared CRUD service patterns (validation, errors, audit hooks)
 - `packages/ui`: shared UI layer
 - `packages/i18n`: shared locale definitions and i18n helpers
 - `packages/config`: shared TS config
 ## Design Principles
@ -14,6 +16,7 @@
 - Shared contracts before feature implementation
 - RBAC and CRUD base as prerequisites for MVP1 feature work
 - Keep admin and public responsibilities clearly separated
 - Public routing is path-stable; locale is resolved via `next-intl` middleware + cookie
 ## Pending Documentation
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@ -39,6 +39,7 @@ bun run dev
 ```
 - Web: `http://localhost:3000`
 - Web locale switching: use the language switcher in the page header
 - Admin: `http://localhost:3001`
 - Admin welcome (first start): `http://localhost:3001/welcome`
 - Admin login: `http://localhost:3001/login`
--- a/docs/product-engineering/auth-baseline.md
+++ b/docs/product-engineering/auth-baseline.md
@ -39,6 +39,7 @@ Optional:
 - Support user bootstrap is available via `bun run auth:seed:support`.
 - Root `bun run db:seed` runs DB seed and support-user seed.
- `CMS_ADMIN_SELF_REGISTRATION_ENABLED` is temporary until admin settings UI manages this policy.
+- `CMS_ADMIN_SELF_REGISTRATION_ENABLED` is now a fallback/default only.
 - Runtime source of truth is admin settings (`/settings`) backed by `system_setting`.
 - Owner/support checks for future admin user-management mutations remain tracked in `TODO.md`.
 - Email verification and forgot/reset password pipelines are tracked for MVP2.
--- a/docs/product-engineering/crud-baseline.md
+++ b/docs/product-engineering/crud-baseline.md
@ -0,0 +1,40 @@
 # CRUD Baseline
 ## Scope
 MVP0 now includes a shared CRUD foundation package: `@cms/crud`.
 Current baseline:
 - Shared service factory: `createCrudService`
 - Repository contract: `list`, `findById`, `create`, `update`, `delete`
 - Service surface for list/detail/editor flows: `list`, `getById`, `create`, `update`, `delete`
 - Shared validation error type: `CrudValidationError`
 - Shared not-found error type: `CrudNotFoundError`
 - Shared mutation audit hook contract: `CrudAuditHook`
 - Shared mutation context contract (`actor`, `metadata`)
 ## First Integration
 `@cms/db` `posts` now uses the shared CRUD foundation:
 - `listPosts`
 - `getPostById`
 - `createPost`
 - `updatePost`
 - `deletePost`
 - `registerPostCrudAuditHook`
 Validation for create/update is enforced by `@cms/content` schemas.
 Contract tests validate:
 - repository list/detail behavior via CRUD service
 - validation and not-found errors
 - audit payload propagation (`actor`, `metadata`)
 The admin dashboard currently includes a temporary posts CRUD sandbox to validate this flow through a real app UI.
 ## Notes
 - This is the base layer for future entities (pages, navigation, media, users, commissions).
 - Audit hook persistence/transport is intentionally left for later implementation work.
--- a/docs/product-engineering/i18n-baseline.md
+++ b/docs/product-engineering/i18n-baseline.md
@ -0,0 +1,21 @@
 # i18n Baseline
 ## Scope
 MVP0 introduces i18n runtime baselines for both apps.
 Current baseline:
 - Shared locale contract in `@cms/i18n` (`de`, `en`, `es`, `fr`; default `en`)
 - Public app: path-stable routing (no locale in URL) via `apps/web/src/proxy.ts`
 - Public app: message loading through `apps/web/src/i18n/request.ts`
 - Public app: locale-aware navigation helpers in `apps/web/src/i18n/navigation.ts`
 - Public app: language switcher component backed by Zustand store
 - Admin app: cookie-based locale resolution and message loading in root layout
 - Admin app: runtime i18n provider (`AdminI18nProvider`) and locale switcher UI
 ## Notes
 - Public app locale is resolved through `next-intl` middleware + cookie.
 - Enabled locales are currently static in code and will later be managed from admin settings.
 - Translation key conventions and workflow docs are tracked in `TODO.md`.
--- a/docs/product-engineering/index.md
+++ b/docs/product-engineering/index.md
@ -8,6 +8,7 @@ This section covers platform and implementation documentation for engineers and
 - [Architecture](/architecture)
 - [Better Auth Baseline](/product-engineering/auth-baseline)
 - [RBAC And Permissions](/product-engineering/rbac-permission-model)
 - [Testing Strategy Baseline](/product-engineering/testing-strategy)
 - [Workflow](/workflow)
 ## Scope
--- a/docs/product-engineering/testing-strategy.md
+++ b/docs/product-engineering/testing-strategy.md
@ -0,0 +1,33 @@
 # Testing Strategy Baseline
 ## Goals
 - Keep lint, typecheck, unit/integration, and e2e as mandatory quality gates.
 - Make e2e runs deterministic by preparing schema and seeded data before test execution.
 - Keep test data isolated per environment (`dev` local, CI database service in workflow).
 ## Current Gate Stack
 - `bun run check`
 - `bun run typecheck`
 - `bun run test`
 - `bun run test:e2e`
 ## Data Preparation
 - `bun run test:e2e:prepare` runs:
  - Prisma client generation
  - migration deploy
  - seed data (including support user bootstrap)
 - `bun run test:e2e` and related scripts call `test:e2e:prepare` automatically.
 ## Locale Integration Coverage
 - `e2e/i18n.pw.ts` covers:
  - web locale switch + persistence
  - admin locale switch + persistence
 ## CI
 - Real quality workflow: `.gitea/workflows/ci.yml`
 - Uses a PostgreSQL service container and runs the full gate stack, including e2e.
--- a/docs/workflow.md
+++ b/docs/workflow.md
@ -15,10 +15,10 @@ Follow `BRANCHING.md`:
 ## Quality Gates
- `bun run lint`
+- `bun run check`
 - `bun run typecheck`
 - `bun run test`
- `bun run test:e2e --list`
+- `bun run test:e2e`
 ## Changelog
--- a/e2e/i18n.pw.ts
+++ b/e2e/i18n.pw.ts
@ -0,0 +1,29 @@
 import { expect, test } from "@playwright/test"
 test.describe("i18n integration", () => {
  test("web language switcher updates and persists locale", async ({ page }, testInfo) => {
    test.skip(testInfo.project.name !== "web-chromium")
    await page.goto("/")
    await expect(page.getByRole("heading", { name: /your next\.js cms frontend/i })).toBeVisible()
    await page.locator("select").first().selectOption("de")
    await expect(page.getByRole("heading", { name: /dein next\.js cms frontend/i })).toBeVisible()
    await page.reload()
    await expect(page.getByRole("heading", { name: /dein next\.js cms frontend/i })).toBeVisible()
  })
  test("admin language switcher updates and persists locale", async ({ page }, testInfo) => {
    test.skip(testInfo.project.name !== "admin-chromium")
    await page.goto("/login")
    await expect(page.getByRole("heading", { name: /sign in to cms admin/i })).toBeVisible()
    await page.locator("select").first().selectOption("de")
    await expect(page.getByRole("heading", { name: /bei cms admin anmelden/i })).toBeVisible()
    await page.reload()
    await expect(page.getByRole("heading", { name: /bei cms admin anmelden/i })).toBeVisible()
  })
 })
--- a/e2e/support-auth.pw.ts
+++ b/e2e/support-auth.pw.ts
@ -0,0 +1,20 @@
 import { expect, test } from "@playwright/test"
 const SUPPORT_LOGIN_KEY = process.env.CMS_SUPPORT_LOGIN_KEY ?? "support-access"
 test.describe("support fallback route", () => {
  test("valid support key opens sign-in page", async ({ page }, testInfo) => {
    test.skip(testInfo.project.name !== "admin-chromium")
    await page.goto(`/support/${SUPPORT_LOGIN_KEY}`)
    await expect(page.getByRole("heading", { name: /sign in to cms admin/i })).toBeVisible()
  })
  test("invalid support key returns not found", async ({ page }, testInfo) => {
    test.skip(testInfo.project.name !== "admin-chromium")
    const response = await page.goto("/support/invalid-key")
    expect(response?.status()).toBe(404)
  })
 })
--- a/package.json
+++ b/package.json
@ -18,9 +18,10 @@
    "test": "vitest run",
    "test:watch": "vitest",
    "test:coverage": "vitest run --coverage",
-    "test:e2e": "bun run db:generate && playwright test",
+    "test:e2e:prepare": "bun run db:generate && bun run db:migrate:deploy && bun run db:seed",
-    "test:e2e:headed": "bun run db:generate && playwright test --headed",
+    "test:e2e": "bun run test:e2e:prepare && playwright test",
-    "test:e2e:ui": "bun run db:generate && playwright test --ui",
+    "test:e2e:headed": "bun run test:e2e:prepare && playwright test --headed",
    "test:e2e:ui": "bun run test:e2e:prepare && playwright test --ui",
    "commitlint": "commitlint --last",
    "changelog:preview": "conventional-changelog -p conventionalcommits -r 0",
    "changelog:release": "conventional-changelog -p conventionalcommits -i CHANGELOG.md -s",
--- a/packages/content/src/index.test.ts
+++ b/packages/content/src/index.test.ts
@ -1,6 +1,6 @@
 import { describe, expect, it } from "vitest"
-import { postSchema, upsertPostSchema } from "./index"
+import { createPostInputSchema, postSchema, updatePostInputSchema, upsertPostSchema } from "./index"
 describe("content schemas", () => {
  it("accepts a valid post", () => {
@ -17,7 +17,24 @@ describe("content schemas", () => {
    expect(post.slug).toBe("hello-world")
  })
-  it("rejects invalid upsert payload", () => {
+  it("rejects invalid create payload", () => {
    const result = createPostInputSchema.safeParse({
      title: "Hi",
      slug: "x",
      body: "",
      status: "unknown",
    })
    expect(result.success).toBe(false)
  })
  it("rejects empty update payload", () => {
    const result = updatePostInputSchema.safeParse({})
    expect(result.success).toBe(false)
  })
  it("keeps upsert alias for backward compatibility", () => {
    const result = upsertPostSchema.safeParse({
      title: "Hi",
      slug: "x",
--- a/packages/content/src/index.ts
+++ b/packages/content/src/index.ts
@ -4,22 +4,32 @@ export * from "./rbac"
 export const postStatusSchema = z.enum(["draft", "published"])
-export const postSchema = z.object({
+const postMutableFieldsSchema = z.object({
  id: z.string().uuid(),
  title: z.string().min(3).max(180),
  slug: z.string().min(3).max(180),
  excerpt: z.string().max(320).optional(),
  body: z.string().min(1),
  status: postStatusSchema,
 })
 export const postSchema = z.object({
  id: z.string().uuid(),
  ...postMutableFieldsSchema.shape,
  createdAt: z.date(),
  updatedAt: z.date(),
 })
-export const upsertPostSchema = postSchema.omit({
+export const createPostInputSchema = postMutableFieldsSchema
-  id: true,
+export const updatePostInputSchema = postMutableFieldsSchema
-  createdAt: true,
+  .partial()
-  updatedAt: true,
+  .refine((value) => Object.keys(value).length > 0, {
-})
+    message: "At least one field is required for an update.",
  })
 // Backward-compatible alias while migrating callers to create/update-specific schemas.
 export const upsertPostSchema = createPostInputSchema
 export type Post = z.infer<typeof postSchema>
 export type CreatePostInput = z.infer<typeof createPostInputSchema>
 export type UpdatePostInput = z.infer<typeof updatePostInputSchema>
 export type UpsertPostInput = z.infer<typeof upsertPostSchema>
--- a/packages/crud/package.json
+++ b/packages/crud/package.json
@ -0,0 +1,22 @@
 {
  "name": "@cms/crud",
  "version": "0.0.1",
  "private": true,
  "type": "module",
  "exports": {
    ".": "./src/index.ts"
  },
  "scripts": {
    "build": "tsc -p tsconfig.json",
    "lint": "biome check src",
    "typecheck": "tsc -p tsconfig.json --noEmit"
  },
  "dependencies": {
    "zod": "4.3.6"
  },
  "devDependencies": {
    "@cms/config": "workspace:*",
    "@biomejs/biome": "2.3.14",
    "typescript": "5.9.3"
  }
 }
--- a/packages/crud/src/errors.ts
+++ b/packages/crud/src/errors.ts
@ -0,0 +1,41 @@
 import type { ZodIssue } from "zod"
 export class CrudError extends Error {
  public readonly code: string
  constructor(message: string, code: string) {
    super(message)
    this.name = "CrudError"
    this.code = code
  }
 }
 export class CrudValidationError extends CrudError {
  public readonly resource: string
  public readonly operation: "create" | "update"
  public readonly issues: ZodIssue[]
  constructor(params: {
    resource: string
    operation: "create" | "update"
    issues: ZodIssue[]
  }) {
    super(`Validation failed for ${params.resource} ${params.operation}`, "CRUD_VALIDATION")
    this.name = "CrudValidationError"
    this.resource = params.resource
    this.operation = params.operation
    this.issues = params.issues
  }
 }
 export class CrudNotFoundError extends CrudError {
  public readonly resource: string
  public readonly id: string
  constructor(params: { resource: string; id: string }) {
    super(`${params.resource} ${params.id} was not found`, "CRUD_NOT_FOUND")
    this.name = "CrudNotFoundError"
    this.resource = params.resource
    this.id = params.id
  }
 }
--- a/packages/crud/src/index.ts
+++ b/packages/crud/src/index.ts
@ -0,0 +1,3 @@
 export * from "./errors"
 export * from "./service"
 export * from "./types"
--- a/packages/crud/src/service.test.ts
+++ b/packages/crud/src/service.test.ts
@ -0,0 +1,204 @@
 import { describe, expect, it } from "vitest"
 import { z } from "zod"
 import { CrudNotFoundError, CrudValidationError } from "./errors"
 import { createCrudService } from "./service"
 type FakeEntity = {
  id: string
  title: string
 }
 type CreateFakeEntityInput = {
  title: string
 }
 type UpdateFakeEntityInput = {
  title?: string
 }
 function createMemoryRepository() {
  const state = new Map<string, FakeEntity>()
  let sequence = 0
  return {
    list: async () => Array.from(state.values()),
    findById: async (id: string) => state.get(id) ?? null,
    create: async (input: CreateFakeEntityInput) => {
      sequence += 1
      const created = {
        id: `${sequence}`,
        title: input.title,
      }
      state.set(created.id, created)
      return created
    },
    update: async (id: string, input: UpdateFakeEntityInput) => {
      const current = state.get(id)
      if (!current) {
        throw new Error("unexpected missing entity in test repository")
      }
      const updated = {
        ...current,
        ...input,
      }
      state.set(id, updated)
      return updated
    },
    delete: async (id: string) => {
      const current = state.get(id)
      if (!current) {
        throw new Error("unexpected missing entity in test repository")
      }
      state.delete(id)
      return current
    },
  }
 }
 describe("createCrudService", () => {
  it("supports list and detail lookups through the repository contract", async () => {
    const service = createCrudService({
      resource: "fake-entity",
      repository: createMemoryRepository(),
      schemas: {
        create: z.object({
          title: z.string().min(3),
        }),
        update: z.object({
          title: z.string().min(3).optional(),
        }),
      },
    })
    const createdA = await service.create({ title: "First" })
    const createdB = await service.create({ title: "Second" })
    expect(await service.getById(createdA.id)).toEqual(createdA)
    expect(await service.getById("missing")).toBeNull()
    const listed = await service.list()
    expect(listed).toHaveLength(2)
    expect(listed).toContainEqual(createdA)
    expect(listed).toContainEqual(createdB)
  })
  it("validates create and update payloads", async () => {
    const service = createCrudService({
      resource: "fake-entity",
      repository: createMemoryRepository(),
      schemas: {
        create: z.object({
          title: z.string().min(3),
        }),
        update: z
          .object({
            title: z.string().min(3).optional(),
          })
          .refine((value) => Object.keys(value).length > 0, {
            message: "at least one field must be updated",
          }),
      },
    })
    await expect(service.create({ title: "ok" })).rejects.toBeInstanceOf(CrudValidationError)
    await expect(service.update("1", {})).rejects.toBeInstanceOf(CrudValidationError)
  })
  it("throws not found for unknown update and delete", async () => {
    const service = createCrudService({
      resource: "fake-entity",
      repository: createMemoryRepository(),
      schemas: {
        create: z.object({
          title: z.string().min(3),
        }),
        update: z.object({
          title: z.string().min(3).optional(),
        }),
      },
    })
    await expect(service.update("missing", { title: "Updated" })).rejects.toBeInstanceOf(
      CrudNotFoundError,
    )
    await expect(service.delete("missing")).rejects.toBeInstanceOf(CrudNotFoundError)
  })
  it("emits audit events for create, update and delete", async () => {
    const events: Array<{
      action: string
      beforeTitle: string | null
      afterTitle: string | null
      actorRole: string | null
      requestId: string | null
    }> = []
    const service = createCrudService({
      resource: "fake-entity",
      repository: createMemoryRepository(),
      schemas: {
        create: z.object({
          title: z.string().min(3),
        }),
        update: z.object({
          title: z.string().min(3).optional(),
        }),
      },
      auditHooks: [
        (event) => {
          events.push({
            action: event.action,
            beforeTitle: event.before?.title ?? null,
            afterTitle: event.after?.title ?? null,
            actorRole: event.actor?.role ?? null,
            requestId:
              typeof event.metadata?.requestId === "string" ? event.metadata.requestId : null,
          })
        },
      ],
    })
    const created = await service.create(
      { title: "Created" },
      {
        actor: { id: "u-1", role: "owner" },
        metadata: {
          requestId: "req-1",
        },
      },
    )
    await service.update(created.id, { title: "Updated" })
    await service.delete(created.id)
    expect(events).toEqual([
      {
        action: "create",
        beforeTitle: null,
        afterTitle: "Created",
        actorRole: "owner",
        requestId: "req-1",
      },
      {
        action: "update",
        beforeTitle: "Created",
        afterTitle: "Updated",
        actorRole: null,
        requestId: null,
      },
      {
        action: "delete",
        beforeTitle: "Updated",
        afterTitle: null,
        actorRole: null,
        requestId: null,
      },
    ])
  })
 })
--- a/packages/crud/src/service.ts
+++ b/packages/crud/src/service.ts
@ -0,0 +1,159 @@
 import type { ZodIssue } from "zod"
 import { CrudNotFoundError, CrudValidationError } from "./errors"
 import type { CrudAction, CrudAuditHook, CrudMutationContext, CrudRepository } from "./types"
 type SchemaSafeParseResult<TInput> =
  | {
      success: true
      data: TInput
    }
  | {
      success: false
      error: {
        issues: ZodIssue[]
      }
    }
 type CrudSchema<TInput> = {
  safeParse: (input: unknown) => SchemaSafeParseResult<TInput>
 }
 type CrudSchemas<TCreateInput, TUpdateInput> = {
  create: CrudSchema<TCreateInput>
  update: CrudSchema<TUpdateInput>
 }
 type CreateCrudServiceOptions<TRecord, TCreateInput, TUpdateInput, TId extends string = string> = {
  resource: string
  repository: CrudRepository<TRecord, TCreateInput, TUpdateInput, TId>
  schemas: CrudSchemas<TCreateInput, TUpdateInput>
  auditHooks?: Array<CrudAuditHook<TRecord>>
 }
 async function emitAuditHooks<TRecord>(
  hooks: Array<CrudAuditHook<TRecord>>,
  event: {
    resource: string
    action: CrudAction
    actor: CrudMutationContext["actor"]
    metadata: CrudMutationContext["metadata"]
    before: TRecord | null
    after: TRecord | null
  },
 ): Promise<void> {
  if (hooks.length === 0) {
    return
  }
  const payload = {
    ...event,
    actor: event.actor ?? null,
    at: new Date(),
  }
  for (const hook of hooks) {
    await hook(payload)
  }
 }
 function parseOrThrow<TInput>(params: {
  schema: CrudSchema<TInput>
  input: unknown
  resource: string
  operation: "create" | "update"
 }): TInput {
  const parsed = params.schema.safeParse(params.input)
  if (parsed.success) {
    return parsed.data
  }
  throw new CrudValidationError({
    resource: params.resource,
    operation: params.operation,
    issues: parsed.error.issues,
  })
 }
 export function createCrudService<TRecord, TCreateInput, TUpdateInput, TId extends string = string>(
  options: CreateCrudServiceOptions<TRecord, TCreateInput, TUpdateInput, TId>,
 ) {
  const auditHooks = options.auditHooks ?? []
  return {
    list: () => options.repository.list(),
    getById: (id: TId) => options.repository.findById(id),
    create: async (input: unknown, context: CrudMutationContext = {}) => {
      const payload = parseOrThrow({
        schema: options.schemas.create,
        input,
        resource: options.resource,
        operation: "create",
      })
      const created = await options.repository.create(payload)
      await emitAuditHooks(auditHooks, {
        resource: options.resource,
        action: "create",
        actor: context.actor,
        metadata: context.metadata,
        before: null,
        after: created,
      })
      return created
    },
    update: async (id: TId, input: unknown, context: CrudMutationContext = {}) => {
      const payload = parseOrThrow({
        schema: options.schemas.update,
        input,
        resource: options.resource,
        operation: "update",
      })
      const existing = await options.repository.findById(id)
      if (!existing) {
        throw new CrudNotFoundError({
          resource: options.resource,
          id,
        })
      }
      const updated = await options.repository.update(id, payload)
      await emitAuditHooks(auditHooks, {
        resource: options.resource,
        action: "update",
        actor: context.actor,
        metadata: context.metadata,
        before: existing,
        after: updated,
      })
      return updated
    },
    delete: async (id: TId, context: CrudMutationContext = {}) => {
      const existing = await options.repository.findById(id)
      if (!existing) {
        throw new CrudNotFoundError({
          resource: options.resource,
          id,
        })
      }
      const deleted = await options.repository.delete(id)
      await emitAuditHooks(auditHooks, {
        resource: options.resource,
        action: "delete",
        actor: context.actor,
        metadata: context.metadata,
        before: existing,
        after: null,
      })
      return deleted
    },
  }
 }
--- a/packages/crud/src/types.ts
+++ b/packages/crud/src/types.ts
@ -0,0 +1,31 @@
 export type CrudAction = "create" | "update" | "delete"
 export type CrudActor = {
  id?: string | null
  role?: string | null
 }
 export type CrudMutationContext = {
  actor?: CrudActor | null
  metadata?: Record<string, unknown>
 }
 export type CrudAuditEvent<TRecord> = {
  resource: string
  action: CrudAction
  at: Date
  actor: CrudActor | null
  metadata?: Record<string, unknown>
  before: TRecord | null
  after: TRecord | null
 }
 export type CrudAuditHook<TRecord> = (event: CrudAuditEvent<TRecord>) => Promise<void> | void
 export type CrudRepository<TRecord, TCreateInput, TUpdateInput, TId extends string = string> = {
  list: () => Promise<TRecord[]>
  findById: (id: TId) => Promise<TRecord | null>
  create: (input: TCreateInput) => Promise<TRecord>
  update: (id: TId, input: TUpdateInput) => Promise<TRecord>
  delete: (id: TId) => Promise<TRecord>
 }
--- a/packages/crud/tsconfig.json
+++ b/packages/crud/tsconfig.json
@ -0,0 +1,9 @@
 {
  "extends": "@cms/config/tsconfig/base",
  "compilerOptions": {
    "noEmit": false,
    "outDir": "dist"
  },
  "include": ["src/**/*.ts"],
  "exclude": ["src/**/*.test.ts"]
 }
--- a/packages/db/package.json
+++ b/packages/db/package.json
@ -20,6 +20,7 @@
    "db:seed": "bun --env-file=../../.env prisma/seed.ts"
  },
  "dependencies": {
    "@cms/crud": "workspace:*",
    "@cms/content": "workspace:*",
    "@prisma/adapter-pg": "7.3.0",
    "@prisma/client": "7.3.0",
--- a/packages/db/prisma/migrations/20260210200148_admin_registration_policy_setting/migration.sql
+++ b/packages/db/prisma/migrations/20260210200148_admin_registration_policy_setting/migration.sql
@ -0,0 +1,9 @@
 -- CreateTable
 CREATE TABLE "system_setting" (
    "key" TEXT NOT NULL,
    "value" TEXT NOT NULL,
    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
    "updatedAt" TIMESTAMP(3) NOT NULL,
    CONSTRAINT "system_setting_pkey" PRIMARY KEY ("key")
 );
--- a/packages/db/prisma/schema.prisma
+++ b/packages/db/prisma/schema.prisma
@ -87,3 +87,12 @@ model Verification {
  @@index([identifier])
  @@map("verification")
 }
 model SystemSetting {
  key       String   @id
  value     String
  createdAt DateTime @default(now())
  updatedAt DateTime @updatedAt
  @@map("system_setting")
 }
--- a/packages/db/src/index.ts
+++ b/packages/db/src/index.ts
@ -1,2 +1,10 @@
 export { db } from "./client"
-export { createPost, listPosts } from "./posts"
+export {
  createPost,
  deletePost,
  getPostById,
  listPosts,
  registerPostCrudAuditHook,
  updatePost,
 } from "./posts"
 export { isAdminSelfRegistrationEnabled, setAdminSelfRegistrationEnabled } from "./settings"
--- a/packages/db/src/posts.ts
+++ b/packages/db/src/posts.ts
@ -1,19 +1,80 @@
-import { upsertPostSchema } from "@cms/content"
+import {
  type CreatePostInput,
  createPostInputSchema,
  type UpdatePostInput,
  updatePostInputSchema,
 } from "@cms/content"
 import { type CrudAuditHook, type CrudMutationContext, createCrudService } from "@cms/crud"
 import type { Post } from "../prisma/generated/client/client"
 import { db } from "./client"
 const postRepository = {
  list: () =>
    db.post.findMany({
      orderBy: {
        updatedAt: "desc",
      },
    }),
  findById: (id: string) =>
    db.post.findUnique({
      where: { id },
    }),
  create: (input: CreatePostInput) =>
    db.post.create({
      data: input,
    }),
  update: (id: string, input: UpdatePostInput) =>
    db.post.update({
      where: { id },
      data: input,
    }),
  delete: (id: string) =>
    db.post.delete({
      where: { id },
    }),
 }
 const postAuditHooks: Array<CrudAuditHook<Post>> = []
 const postCrudService = createCrudService({
  resource: "post",
  repository: postRepository,
  schemas: {
    create: createPostInputSchema,
    update: updatePostInputSchema,
  },
  auditHooks: postAuditHooks,
 })
 export function registerPostCrudAuditHook(hook: CrudAuditHook<Post>): () => void {
  postAuditHooks.push(hook)
  return () => {
    const index = postAuditHooks.indexOf(hook)
    if (index >= 0) {
      postAuditHooks.splice(index, 1)
    }
  }
 }
 export async function listPosts() {
-  return db.post.findMany({
+  return postCrudService.list()
    orderBy: {
      updatedAt: "desc",
    },
  })
 }
-export async function createPost(input: unknown) {
+export async function getPostById(id: string) {
-  const payload = upsertPostSchema.parse(input)
+  return postCrudService.getById(id)
-
+}
-  return db.post.create({
+
-    data: payload,
+export async function createPost(input: unknown, context?: CrudMutationContext) {
-  })
+  return postCrudService.create(input, context)
 }
 export async function updatePost(id: string, input: unknown, context?: CrudMutationContext) {
  return postCrudService.update(id, input, context)
 }
 export async function deletePost(id: string, context?: CrudMutationContext) {
  return postCrudService.delete(id, context)
 }
--- a/packages/db/src/settings.ts
+++ b/packages/db/src/settings.ts
@ -0,0 +1,56 @@
 import { db } from "./client"
 const ADMIN_SELF_REGISTRATION_KEY = "admin.self_registration_enabled"
 function resolveEnvFallback(): boolean {
  return process.env.CMS_ADMIN_SELF_REGISTRATION_ENABLED === "true"
 }
 function parseStoredBoolean(value: string): boolean | null {
  if (value === "true") {
    return true
  }
  if (value === "false") {
    return false
  }
  return null
 }
 export async function isAdminSelfRegistrationEnabled(): Promise<boolean> {
  try {
    const setting = await db.systemSetting.findUnique({
      where: { key: ADMIN_SELF_REGISTRATION_KEY },
      select: { value: true },
    })
    if (!setting) {
      return resolveEnvFallback()
    }
    const parsed = parseStoredBoolean(setting.value)
    if (parsed === null) {
      return resolveEnvFallback()
    }
    return parsed
  } catch {
    // Fallback while migrations are not yet applied in a local environment.
    return resolveEnvFallback()
  }
 }
 export async function setAdminSelfRegistrationEnabled(enabled: boolean): Promise<void> {
  await db.systemSetting.upsert({
    where: { key: ADMIN_SELF_REGISTRATION_KEY },
    create: {
      key: ADMIN_SELF_REGISTRATION_KEY,
      value: enabled ? "true" : "false",
    },
    update: {
      value: enabled ? "true" : "false",
    },
  })
 }
--- a/packages/i18n/package.json
+++ b/packages/i18n/package.json
@ -0,0 +1,19 @@
 {
  "name": "@cms/i18n",
  "version": "0.0.1",
  "private": true,
  "type": "module",
  "exports": {
    ".": "./src/index.ts"
  },
  "scripts": {
    "build": "tsc -p tsconfig.json",
    "lint": "biome check src",
    "typecheck": "tsc -p tsconfig.json --noEmit"
  },
  "devDependencies": {
    "@cms/config": "workspace:*",
    "@biomejs/biome": "2.3.14",
    "typescript": "5.9.3"
  }
 }
--- a/packages/i18n/src/index.ts
+++ b/packages/i18n/src/index.ts
@ -0,0 +1,16 @@
 export const locales = ["de", "en", "es", "fr"] as const
 export type AppLocale = (typeof locales)[number]
 export const defaultLocale: AppLocale = "en"
 export const localeLabels: Record<AppLocale, string> = {
  de: "Deutsch",
  en: "English",
  es: "Español",
  fr: "Français",
 }
 export function isAppLocale(value: string): value is AppLocale {
  return locales.includes(value as AppLocale)
 }
--- a/packages/i18n/tsconfig.json
+++ b/packages/i18n/tsconfig.json
@ -0,0 +1,8 @@
 {
  "extends": "@cms/config/tsconfig/base",
  "compilerOptions": {
    "noEmit": false,
    "outDir": "dist"
  },
  "include": ["src/**/*.ts"]
 }
--- a/packages/ui/src/components/button.tsx
+++ b/packages/ui/src/components/button.tsx
@ -8,7 +8,7 @@ const buttonVariants = cva(
  {
    variants: {
      variant: {
-        default: "bg-neutral-900 text-neutral-50 hover:bg-neutral-800",
+        default: "bg-neutral-900 text-white hover:bg-neutral-800",
        secondary: "bg-neutral-100 text-neutral-900 hover:bg-neutral-200",
        ghost: "hover:bg-neutral-100 hover:text-neutral-900",
      },
Author	SHA1	Message	Date
Citali	36b09cd9d7	test(crud): finalize MVP1 gate CRUD contract coverage	2026-02-10 21:26:49 +01:00
Citali	70fc154f97	merge: todo/mvp0-admin-i18n-baseline into dev	2026-02-10 21:21:35 +01:00
Citali	c4d0499d12	merge: todo/mvp0-crud-foundation into dev	2026-02-10 21:21:32 +01:00
Citali	d16fb6e121	merge: todo/mvp0-i18n-baseline into dev	2026-02-10 21:21:28 +01:00
Citali	a508e3203a	merge: todo/mvp0-owner-invariant-enforcement into dev	2026-02-10 21:21:25 +01:00
Citali	4d4b583cf4	test(ci): add quality gates, e2e data prep, and i18n integration coverage	2026-02-10 21:17:41 +01:00
Citali	4ac7410148	test(admin): cover support fallback route and mark todo complete	2026-02-10 21:11:49 +01:00
Citali	d0f731743c	feat(admin): add registration policy settings and disabled register state	2026-02-10 21:10:39 +01:00
Citali	b618c8cb51	feat(admin-i18n): add cookie-based locale runtime and switcher baseline	2026-02-10 20:56:03 +01:00
Citali	07e5f53793	feat(admin): add posts CRUD sandbox and shared CRUD foundation	2026-02-10 19:35:41 +01:00
Citali	de26cb7647	feat(web-i18n): add es/fr locales and expand switcher locale set	2026-02-10 19:23:36 +01:00
		`@ -0,0 +1 @@`
							`export const ADMIN_LOCALE_COOKIE = "cms_admin_locale"`