Citali/cms.fellies.org
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Citali:todo/mvp0-rbac-model-and-enforcement
Branches Tags
Citali:dev Citali:todo/mvp0-docs-conventions Citali:todo/mvp0-public-app-topics Citali:todo/mvp0-admin-ia-skeleton Citali:todo/mvp0-admin-i18n-baseline Citali:todo/mvp0-crud-foundation Citali:todo/mvp0-i18n-baseline Citali:todo/mvp0-owner-invariant-enforcement Citali:todo/mvp0-better-auth-core Citali:todo/mvp0-rbac-model-and-enforcement Citali:code Citali:main Citali:refactor Citali:staging
..
compare: Citali:todo/mvp0-admin-i18n-baseline
Branches Tags
Citali:dev Citali:todo/mvp0-docs-conventions Citali:todo/mvp0-public-app-topics Citali:todo/mvp0-admin-ia-skeleton Citali:todo/mvp0-admin-i18n-baseline Citali:todo/mvp0-crud-foundation Citali:todo/mvp0-i18n-baseline Citali:todo/mvp0-owner-invariant-enforcement Citali:todo/mvp0-better-auth-core Citali:todo/mvp0-rbac-model-and-enforcement Citali:code Citali:main Citali:refactor Citali:staging

17 Commits
todo/mvp0- ... todo/mvp0-

Author SHA1 Message Date
Citali
4d4b583cf4 test(ci): add quality gates, e2e data prep, and i18n integration coverage 2026-02-10 21:17:41 +01:00
Citali
4ac7410148 test(admin): cover support fallback route and mark todo complete 2026-02-10 21:11:49 +01:00
Citali
d0f731743c feat(admin): add registration policy settings and disabled register state 2026-02-10 21:10:39 +01:00
Citali
b618c8cb51 feat(admin-i18n): add cookie-based locale runtime and switcher baseline 2026-02-10 20:56:03 +01:00
Citali
07e5f53793 feat(admin): add posts CRUD sandbox and shared CRUD foundation 2026-02-10 19:35:41 +01:00
Citali
de26cb7647 feat(web-i18n): add es/fr locales and expand switcher locale set 2026-02-10 19:23:36 +01:00
Citali
0e2248b5c7 feat(auth): block protected account deletion in auth endpoints 2026-02-10 18:47:52 +01:00
Citali
29a6e38ff3 feat(auth): enforce single-owner invariant in bootstrap flow 2026-02-10 18:43:06 +01:00
Citali
b96cd6d800 feat(admin-auth): support username login and add dashboard logout 2026-02-10 18:35:19 +01:00
Citali
7b665ae633 feat(admin-auth): add first-start onboarding flow and dev db reset command 2026-02-10 18:14:47 +01:00
Citali
411861419f feat(auth): bootstrap protected support and first owner users 2026-02-10 17:50:16 +01:00
Citali
df1280af4a refactor(db): simplify to single prisma schema workflow 2026-02-10 17:42:48 +01:00
Citali
670f7d3fb2 chore(release): initialize versioning roadmap and changelog 2026-02-10 12:58:42 +01:00
Citali
2dcb8a80ba docs(todo): mark auth routing baseline complete 2026-02-10 12:53:44 +01:00
Citali
efb93f212b fix(next): migrate admin middleware to proxy convention 2026-02-10 12:52:38 +01:00
Citali
24eca3e740 refactor(auth): localize admin auth and replace latest ranges 2026-02-10 12:49:59 +01:00
Citali
ba8abb3b1b feat(auth): add better-auth core wiring for admin and db 2026-02-10 12:42:49 +01:00
96 changed files with 4493 additions and 254 deletions
Expand all files Collapse all files

13
.env.example
View File

@@ -1 +1,14 @@
DATABASE_URL="postgresql://postgres:postgres@localhost:5432/cms?schema=public" DATABASE_URL="postgresql://postgres:postgres@localhost:5432/cms?schema=public"
BETTER_AUTH_SECRET="replace-with-long-random-secret"
BETTER_AUTH_URL="http://localhost:3001"
CMS_ADMIN_ORIGIN="http://localhost:3001"
CMS_WEB_ORIGIN="http://localhost:3000"
CMS_ADMIN_SELF_REGISTRATION_ENABLED="false"
# Bootstrap system users (used only when creating missing users)
CMS_SUPPORT_USERNAME="support"
CMS_SUPPORT_EMAIL="support@cms.local"
CMS_SUPPORT_PASSWORD="change-me-support-password"
CMS_SUPPORT_NAME="Technical Support"
CMS_SUPPORT_LOGIN_KEY="support-access-change-me"
# Optional dev bypass role for admin middleware. Leave empty to require auth login.
# CMS_DEV_ROLE="admin"

10
.env.production.example
View File

@@ -1 +1,11 @@
DATABASE_URL="postgresql://cms:cms_production_password@localhost:65432/cms_production?schema=public" DATABASE_URL="postgresql://cms:cms_production_password@localhost:65432/cms_production?schema=public"
BETTER_AUTH_SECRET="replace-with-production-secret"
BETTER_AUTH_URL="https://admin.example.com"
CMS_ADMIN_ORIGIN="https://admin.example.com"
CMS_WEB_ORIGIN="https://www.example.com"
CMS_ADMIN_SELF_REGISTRATION_ENABLED="false"
CMS_SUPPORT_USERNAME="support"
CMS_SUPPORT_EMAIL="support@admin.example.com"
CMS_SUPPORT_PASSWORD="replace-with-production-support-password"
CMS_SUPPORT_NAME="Technical Support"
CMS_SUPPORT_LOGIN_KEY="replace-with-production-support-login-key"

10
.env.staging.example
View File

@@ -1 +1,11 @@
DATABASE_URL="postgresql://cms:cms_staging_password@localhost:55432/cms_staging?schema=public" DATABASE_URL="postgresql://cms:cms_staging_password@localhost:55432/cms_staging?schema=public"
BETTER_AUTH_SECRET="replace-with-staging-secret"
BETTER_AUTH_URL="https://staging-admin.example.com"
CMS_ADMIN_ORIGIN="https://staging-admin.example.com"
CMS_WEB_ORIGIN="https://staging-web.example.com"
CMS_ADMIN_SELF_REGISTRATION_ENABLED="false"
CMS_SUPPORT_USERNAME="support"
CMS_SUPPORT_EMAIL="support@staging-admin.example.com"
CMS_SUPPORT_PASSWORD="replace-with-staging-support-password"
CMS_SUPPORT_NAME="Technical Support"
CMS_SUPPORT_LOGIN_KEY="replace-with-staging-support-login-key"

70
.gitea/workflows/ci.yml Normal file
View File

@@ -0,0 +1,70 @@
name: CMS CI
on:
pull_request:
push:
branches:
- dev
- staging
- main
workflow_dispatch:
env:
BUN_VERSION: "1.3.5"
NODE_ENV: "test"
DATABASE_URL: "postgresql://postgres:postgres@postgres:5432/cms?schema=public"
BETTER_AUTH_SECRET: "ci-test-secret-change-me"
BETTER_AUTH_URL: "http://localhost:3001"
CMS_ADMIN_ORIGIN: "http://127.0.0.1:3001"
CMS_WEB_ORIGIN: "http://127.0.0.1:3000"
CMS_ADMIN_SELF_REGISTRATION_ENABLED: "false"
CMS_SUPPORT_USERNAME: "support"
CMS_SUPPORT_EMAIL: "support@cms.local"
CMS_SUPPORT_PASSWORD: "support-ci-password"
CMS_SUPPORT_NAME: "Technical Support"
CMS_SUPPORT_LOGIN_KEY: "support-access"
jobs:
quality:
name: Lint Typecheck Unit E2E
runs-on: ubuntu-latest
services:
postgres:
image: postgres:16-alpine
env:
POSTGRES_DB: cms
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
ports:
- 5432:5432
options: >-
--health-cmd "pg_isready -U postgres -d cms"
--health-interval 10s
--health-timeout 5s
--health-retries 5
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: ${{ env.BUN_VERSION }}
- name: Install dependencies
run: bun install --frozen-lockfile
- name: Install Playwright browser deps
run: bunx playwright install --with-deps chromium
- name: Lint and format checks
run: bun run check
- name: Typecheck
run: bun run typecheck
- name: Unit and integration tests
run: bun run test
- name: E2E tests
run: bun run test:e2e

1
.gitignore vendored
View File

@@ -27,6 +27,7 @@ test-results
# prisma # prisma
packages/db/prisma/dev.db* packages/db/prisma/dev.db*
packages/db/prisma/generated/
# misc # misc
.DS_Store .DS_Store

10
CHANGELOG.md
View File

@@ -1,3 +1,13 @@
## 0.1.0 (2026-02-10)
### Features
* **auth:** add better-auth core wiring for admin and db ([ba8abb3](https://git.fellies.net/Citali/cms.fellies.org/commit/ba8abb3b1bc42f87bc19460107311f53b27799d8))
* **rbac:** enforce admin access checks and document permission model ([947cb0a](https://git.fellies.net/Citali/cms.fellies.org/commit/947cb0a3d79104d82c4b97fb6584633b4c6a7c92))
### Bug Fixes
* **next:** migrate admin middleware to proxy convention ([efb93f2](https://git.fellies.net/Citali/cms.fellies.org/commit/efb93f212bc8d8976fc6b443e415be812d12961a))
# Changelog # Changelog
All notable changes to this project will be documented in this file. All notable changes to this project will be documented in this file.

6
README.md
View File

@@ -38,6 +38,8 @@ bun install
cp .env.example .env cp .env.example .env
``` ```
Set `BETTER_AUTH_SECRET` before production use.
3. Generate Prisma client and run migrations: 3. Generate Prisma client and run migrations:
```bash ```bash
@@ -54,6 +56,7 @@ bun run dev
- Web: http://localhost:3000 - Web: http://localhost:3000
- Admin: http://localhost:3001 - Admin: http://localhost:3001
- Admin login: http://localhost:3001/login
## Useful scripts ## Useful scripts
@@ -66,6 +69,7 @@ bun run dev
- `bun run test` - `bun run test`
- `bun run test:watch` - `bun run test:watch`
- `bun run test:coverage` - `bun run test:coverage`
- `bun run test:e2e:prepare`
- `bun run test:e2e` - `bun run test:e2e`
- `bun run lint` - `bun run lint`
- `bun run typecheck` - `bun run typecheck`
@@ -82,6 +86,7 @@ bun run dev
- Unit/integration/component: Vitest + Testing Library + MSW - Unit/integration/component: Vitest + Testing Library + MSW
- E2E: Playwright (separate projects for `web` and `admin`) - E2E: Playwright (separate projects for `web` and `admin`)
- Use `bun run test` and `bun run test:e2e` (not plain `bun test`, which uses Bun's runner) - Use `bun run test` and `bun run test:e2e` (not plain `bun test`, which uses Bun's runner)
- E2E data prep (migrations + seed): `bun run test:e2e:prepare`
One-time Playwright browser install: One-time Playwright browser install:
@@ -94,6 +99,7 @@ bunx playwright install
The repo includes a theoretical CI/CD and deployment baseline: The repo includes a theoretical CI/CD and deployment baseline:
- Gitea workflow: `.gitea/workflows/ci-cd-theoretical.yml` - Gitea workflow: `.gitea/workflows/ci-cd-theoretical.yml`
- Real quality gate workflow: `.gitea/workflows/ci.yml`
- App images: - App images:
- `apps/web/Dockerfile` - `apps/web/Dockerfile`
- `apps/admin/Dockerfile` - `apps/admin/Dockerfile`

61
TODO.md
View File

@@ -21,17 +21,20 @@ This file is the single source of truth for roadmap and delivery progress.
- [x] [P1] RBAC domain model finalized (roles, permissions, resource scopes) - [x] [P1] RBAC domain model finalized (roles, permissions, resource scopes)
- [x] [P1] RBAC enforcement at route and action level in admin - [x] [P1] RBAC enforcement at route and action level in admin
- [x] [P1] Permission matrix documented and tested - [x] [P1] Permission matrix documented and tested
- [ ] [P1] i18n baseline architecture (default locale, supported locales, routing strategy) - [x] [P1] i18n baseline architecture (default locale, supported locales, routing strategy)
- [ ] [P1] i18n runtime integration baseline for both apps (locale provider + message loading) - [x] [P1] i18n runtime integration baseline for both apps (locale provider + message loading)
- [ ] [P1] Locale persistence and switcher base component (cookie/header + UI) - [x] [P1] Locale persistence and switcher base component (cookie/header + UI)
- [ ] [P1] Integrate Better Auth core configuration and session wiring - [x] [P1] Integrate Better Auth core configuration and session wiring
- [ ] [P1] Bootstrap first-run owner account creation when users table is empty - [x] [P1] Bootstrap first-run owner account creation via initial registration flow
- [ ] [P1] Enforce invariant: exactly one owner user must always exist - [x] [P1] Enforce invariant: exactly one owner user must always exist
- [ ] [P1] Create hidden technical support user by default (non-demotable, non-deletable) - [x] [P1] Create hidden technical support user by default (non-demotable, non-deletable)
- [ ] [P1] Admin registration policy control (allow/deny self-registration for admin panel) - [x] [P1] Admin registration policy control (allow/deny self-registration for admin panel)
- [ ] [P1] Reusable CRUD base patterns (list/detail/editor/service/repository) - [x] [P1] First-start onboarding route for initial owner creation (`/welcome`)
- [ ] [P1] Shared CRUD validation strategy (Zod + server-side enforcement) - [x] [P1] Split auth entry points (`/welcome`, `/login`, `/register`) with cross-links
- [ ] [P1] Shared error and audit hooks for CRUD mutations - [x] [P2] Support fallback sign-in route (`/support/:key`) as break-glass access
- [~] [P1] Reusable CRUD base patterns (list/detail/editor/service/repository)
- [~] [P1] Shared CRUD validation strategy (Zod + server-side enforcement)
- [~] [P1] Shared error and audit hooks for CRUD mutations
### Admin App ### Admin App
@@ -39,9 +42,10 @@ This file is the single source of truth for roadmap and delivery progress.
- [x] [P1] App Router + TypeScript + `src/` structure - [x] [P1] App Router + TypeScript + `src/` structure
- [x] [P1] Shared DB access via `@cms/db` - [x] [P1] Shared DB access via `@cms/db`
- [~] [P2] Base admin dashboard shell and roadmap page (`/todo`) - [~] [P2] Base admin dashboard shell and roadmap page (`/todo`)
- [~] [P1] Authentication and session model (`admin`, `editor`, `manager`) - [x] [P1] Authentication and session model (`admin`, `editor`, `manager`)
- [ ] [P1] Protected admin routes and session handling - [x] [P1] Protected admin routes and session handling
- [ ] [P1] Core admin IA (pages/media/users/commissions/settings) - [~] [P1] Temporary admin posts CRUD sandbox for baseline functional validation
- [~] [P1] Core admin IA (pages/media/users/commissions/settings)
### Public App ### Public App
@@ -57,11 +61,11 @@ This file is the single source of truth for roadmap and delivery progress.
- [x] [P1] Vitest + Testing Library + MSW baseline - [x] [P1] Vitest + Testing Library + MSW baseline
- [x] [P1] Playwright baseline with web/admin projects - [x] [P1] Playwright baseline with web/admin projects
- [ ] [P1] CI workflow for lint/typecheck/unit/e2e gates - [x] [P1] CI workflow for lint/typecheck/unit/e2e gates
- [ ] [P1] Test data strategy (seed fixtures + isolated e2e data) - [x] [P1] Test data strategy (seed fixtures + isolated e2e data)
- [~] [P1] RBAC policy unit tests and permission regression suite - [~] [P1] RBAC policy unit tests and permission regression suite
- [ ] [P1] i18n unit tests (locale resolution, fallback, message key loading) - [ ] [P1] i18n unit tests (locale resolution, fallback, message key loading)
- [ ] [P1] i18n integration tests (admin/public locale switch and persistence) - [x] [P1] i18n integration tests (admin/public locale switch and persistence)
- [ ] [P1] i18n e2e smoke tests (localized headings/content per route) - [ ] [P1] i18n e2e smoke tests (localized headings/content per route)
- [ ] [P1] CRUD contract tests for shared service patterns - [ ] [P1] CRUD contract tests for shared service patterns
@@ -70,7 +74,7 @@ This file is the single source of truth for roadmap and delivery progress.
- [x] [P1] Docs tool baseline added (`docs/` via VitePress) - [x] [P1] Docs tool baseline added (`docs/` via VitePress)
- [x] [P1] RBAC and permission model documentation in docs site - [x] [P1] RBAC and permission model documentation in docs site
- [ ] [P2] i18n conventions docs (keys, namespaces, fallback, translation workflow) - [ ] [P2] i18n conventions docs (keys, namespaces, fallback, translation workflow)
- [ ] [P1] CRUD base patterns documentation and examples - [~] [P1] CRUD base patterns documentation and examples
- [ ] [P1] Environment and deployment runbook docs (dev/staging/production) - [ ] [P1] Environment and deployment runbook docs (dev/staging/production)
- [ ] [P2] API and domain glossary pages - [ ] [P2] API and domain glossary pages
- [ ] [P2] Architecture Decision Records (ADR) structure and first ADRs - [ ] [P2] Architecture Decision Records (ADR) structure and first ADRs
@@ -93,6 +97,12 @@ This file is the single source of truth for roadmap and delivery progress.
- [ ] [P2] Define branch lifecycle for `todo/*`, `refactor/*`, and `code/*` - [ ] [P2] Define branch lifecycle for `todo/*`, `refactor/*`, and `code/*`
- [x] [P2] Conventional commit schema documentation (`CONTRIBUTING.md`) - [x] [P2] Conventional commit schema documentation (`CONTRIBUTING.md`)
- [x] [P2] Changelog scaffold and generation scripts (`CHANGELOG.md`, `bun run changelog:*`) - [x] [P2] Changelog scaffold and generation scripts (`CHANGELOG.md`, `bun run changelog:*`)
- [ ] [P1] Versioning policy definition (SemVer strategy + when to bump major/minor/patch)
- [ ] [P1] Source of truth for version (`package.json` root) and release tagging rules (`vX.Y.Z`)
- [ ] [P1] Build metadata policy for git hash (`+sha.<short>`) in app runtime footer
- [ ] [P1] App footer implementation plan for version + commit hash (admin + web)
- [ ] [P2] Automated version injection in CI (stamping build from tag + commit hash)
- [ ] [P2] Validation tests for displayed version/hash consistency per deployment
- [ ] [P1] Release tagging and changelog publication policy in CI - [ ] [P1] Release tagging and changelog publication policy in CI
## MVP 1: Core CMS Business Features ## MVP 1: Core CMS Business Features
@@ -106,7 +116,7 @@ This file is the single source of truth for roadmap and delivery progress.
- [ ] [P1] Media refinement for artworks (medium, dimensions, year, framing, availability) - [ ] [P1] Media refinement for artworks (medium, dimensions, year, framing, availability)
- [ ] [P1] Users management (invite, roles, status) - [ ] [P1] Users management (invite, roles, status)
- [ ] [P1] Disable/ban user function and enforcement in auth/session checks - [ ] [P1] Disable/ban user function and enforcement in auth/session checks
- [ ] [P1] Owner/support protection rules in user management actions (cannot delete/demote) - [~] [P1] Owner/support protection rules in user management actions (cannot delete/demote)
- [ ] [P1] Commissions management (request intake, owner, due date, notes) - [ ] [P1] Commissions management (request intake, owner, due date, notes)
- [ ] [P1] Kanban workflow for commissions (new, scoped, in-progress, review, done) - [ ] [P1] Kanban workflow for commissions (new, scoped, in-progress, review, done)
- [ ] [P1] Header banner management (message, CTA, active window) - [ ] [P1] Header banner management (message, CTA, active window)
@@ -150,6 +160,8 @@ This file is the single source of truth for roadmap and delivery progress.
- [ ] [P1] Forgot password/reset password pipeline and support tooling - [ ] [P1] Forgot password/reset password pipeline and support tooling
- [ ] [P2] GUI page to edit role-permission mappings with safety guardrails - [ ] [P2] GUI page to edit role-permission mappings with safety guardrails
- [ ] [P2] Translation management UI for admin (language toggles, key coverage, missing translation markers) - [ ] [P2] Translation management UI for admin (language toggles, key coverage, missing translation markers)
- [ ] [P2] Time-boxed support access keys generated by privileged admins; while active, disable direct support-user password login on the regular auth form
- [ ] [P2] Keep permanent emergency support key fallback via env (`CMS_SUPPORT_LOGIN_KEY`)
- [ ] [P2] Error boundaries and UX fallback states - [ ] [P2] Error boundaries and UX fallback states
### Public App ### Public App
@@ -180,6 +192,17 @@ This file is the single source of truth for roadmap and delivery progress.
- [2026-02-10] Prisma client must be generated before app/e2e startup to avoid runtime module errors. - [2026-02-10] Prisma client must be generated before app/e2e startup to avoid runtime module errors.
- [2026-02-10] `bun test` conflicts with Playwright-style test files; keep e2e files on `*.pw.ts` and run e2e via Playwright. - [2026-02-10] `bun test` conflicts with Playwright-style test files; keep e2e files on `*.pw.ts` and run e2e via Playwright.
- [2026-02-10] Linux Playwright runtime depends on host packages; browser setup may require `playwright install --with-deps`. - [2026-02-10] Linux Playwright runtime depends on host packages; browser setup may require `playwright install --with-deps`.
- [2026-02-10] Next.js 16 deprecates `middleware.ts` convention in favor of `proxy.ts`; admin route guard now lives at `apps/admin/src/proxy.ts`.
- [2026-02-10] `server-only` imports break Bun CLI scripts; shared auth bootstrap code used by scripts must avoid Next-only runtime markers.
- [2026-02-10] Auth delete-account endpoints now block protected users (support + canonical owner); admin user-management delete/demote guards remain to be implemented.
- [2026-02-10] Public app i18n baseline now uses `next-intl` with a Zustand-backed language switcher and path-stable routes.
- [2026-02-10] Public baseline locales are now `de`, `en`, `es`, `fr`; locale enable/disable policy will move to admin settings later.
- [2026-02-10] Shared CRUD base (`@cms/crud`) is live with validation, not-found errors, and audit hook contracts; only posts are migrated so far.
- [2026-02-10] Admin dashboard includes a temporary posts CRUD sandbox (create/update/delete) to validate the shared CRUD base through the real app UI.
- [2026-02-10] Admin i18n baseline now resolves locale from cookie and loads runtime message dictionaries in root layout; admin locale switcher is active on auth and dashboard views.
- [2026-02-10] Admin self-registration policy is now managed via `/settings` and persisted in `system_setting`; env var is fallback/default only.
- [2026-02-10] E2E now runs with deterministic preparation (`test:e2e:prepare`: generate + migrate deploy + seed) before Playwright execution.
- [2026-02-10] CI quality workflow `.gitea/workflows/ci.yml` enforces `check`, `typecheck`, `test`, and `test:e2e` against a PostgreSQL service.
## How We Use This File ## How We Use This File

33
apps/admin/package.json
View File

@@ -7,30 +7,33 @@
"dev": "bun --env-file=../../.env next dev --port 3001", "dev": "bun --env-file=../../.env next dev --port 3001",
"build": "bun --env-file=../../.env next build", "build": "bun --env-file=../../.env next build",
"start": "bun --env-file=../../.env next start --port 3001", "start": "bun --env-file=../../.env next start --port 3001",
"auth:seed:support": "bun --env-file=../../.env ./scripts/seed-support-user.ts",
"lint": "biome check src", "lint": "biome check src",
"typecheck": "tsc -p tsconfig.json --noEmit" "typecheck": "tsc -p tsconfig.json --noEmit"
}, },
"dependencies": { "dependencies": {
"@cms/content": "workspace:*", "@cms/content": "workspace:*",
"@cms/db": "workspace:*", "@cms/db": "workspace:*",
"@cms/i18n": "workspace:*",
"@cms/ui": "workspace:*", "@cms/ui": "workspace:*",
"@tanstack/react-form": "latest", "@tanstack/react-form": "1.28.0",
"@tanstack/react-query": "latest", "@tanstack/react-query": "5.90.20",
"@tanstack/react-query-devtools": "latest", "@tanstack/react-query-devtools": "5.91.3",
"@tanstack/react-table": "latest", "@tanstack/react-table": "8.21.3",
"next": "latest", "better-auth": "1.4.18",
"react": "latest", "next": "16.1.6",
"react-dom": "latest", "react": "19.2.4",
"zustand": "latest" "react-dom": "19.2.4",
"zustand": "5.0.11"
}, },
"devDependencies": { "devDependencies": {
"@cms/config": "workspace:*", "@cms/config": "workspace:*",
"@biomejs/biome": "latest", "@biomejs/biome": "2.3.14",
"@tailwindcss/postcss": "latest", "@tailwindcss/postcss": "4.1.18",
"@types/node": "latest", "@types/node": "25.2.2",
"@types/react": "latest", "@types/react": "19.2.13",
"@types/react-dom": "latest", "@types/react-dom": "19.2.3",
"tailwindcss": "latest", "tailwindcss": "4.1.18",
"typescript": "latest" "typescript": "5.9.3"
} }
} }

11
apps/admin/scripts/seed-support-user.ts Normal file
View File

@@ -0,0 +1,11 @@
import { ensureSupportUserBootstrap } from "../src/lib/auth/server"
async function main() {
await ensureSupportUserBootstrap()
console.log("Support user bootstrap completed")
}
main().catch((error) => {
console.error(error)
process.exit(1)
})

252
apps/admin/src/app/api/auth/[...all]/route.ts Normal file
View File

@@ -0,0 +1,252 @@
import {
auth,
authRouteHandlers,
canDeleteUserAccount,
canUserSelfRegister,
ensureSupportUserBootstrap,
ensureUserUsername,
hasOwnerUser,
promoteFirstRegisteredUserToOwner,
resolveEmailFromLoginIdentifier,
} from "@/lib/auth/server"
export const runtime = "nodejs"
type AuthPostResponse = {
user?: {
id?: string
role?: string
email?: string
name?: string
username?: string
}
message?: string
}
function jsonResponse(payload: unknown, status: number): Response {
return Response.json(payload, { status })
}
async function parseJsonBody(request: Request): Promise<Record<string, unknown> | null> {
return (await request.json().catch(() => null)) as Record<string, unknown> | null
}
function buildJsonRequest(request: Request, body: Record<string, unknown>): Request {
const headers = new Headers(request.headers)
headers.set("content-type", "application/json")
return new Request(request.url, {
method: request.method,
headers,
body: JSON.stringify(body),
})
}
function isDeleteUserAuthPath(pathname: string): boolean {
const actionPrefix = "/api/auth/"
const actionIndex = pathname.indexOf(actionPrefix)
if (actionIndex === -1) {
return false
}
const actionPath = pathname.slice(actionIndex + actionPrefix.length)
return actionPath === "delete-user" || actionPath.startsWith("delete-user/")
}
async function guardProtectedAccountDeletion(request: Request): Promise<Response | null> {
const pathname = new URL(request.url).pathname
if (!isDeleteUserAuthPath(pathname)) {
return null
}
const session = await auth.api
.getSession({
headers: request.headers,
})
.catch(() => null)
const userId = session?.user?.id
if (!userId) {
return null
}
const allowed = await canDeleteUserAccount(userId)
if (allowed) {
return null
}
return jsonResponse(
{
message: "This account is protected and cannot be deleted.",
},
403,
)
}
async function handleSignInPost(request: Request): Promise<Response> {
await ensureSupportUserBootstrap()
const body = await parseJsonBody(request)
const identifier = typeof body?.identifier === "string" ? body.identifier : null
const rawEmail = typeof body?.email === "string" ? body.email : null
const resolvedEmail = await resolveEmailFromLoginIdentifier(identifier ?? rawEmail)
if (!resolvedEmail) {
return jsonResponse(
{
message: "Invalid email or username.",
},
401,
)
}
const rewrittenBody = {
...(body ?? {}),
email: resolvedEmail,
}
return authRouteHandlers.POST(buildJsonRequest(request, rewrittenBody))
}
async function handleSignUpPost(request: Request): Promise<Response> {
await ensureSupportUserBootstrap()
const signUpBody = await parseJsonBody(request)
const preferredUsername =
typeof signUpBody?.username === "string" ? signUpBody.username : undefined
const { username: _ignoredUsername, ...signUpBodyWithoutUsername } = signUpBody ?? {}
const hadOwnerBeforeSignUp = await hasOwnerUser()
const registrationEnabled = await canUserSelfRegister()
if (!registrationEnabled) {
return jsonResponse(
{
message: "Registration is currently disabled.",
},
403,
)
}
const response = await authRouteHandlers.POST(
buildJsonRequest(request, {
...signUpBodyWithoutUsername,
}),
)
if (!response.ok) {
return response
}
const payload = (await response
.clone()
.json()
.catch(() => null)) as AuthPostResponse | null
const userId = payload?.user?.id
if (!userId) {
return response
}
await ensureUserUsername(userId, {
preferred: preferredUsername,
fallbackEmail: payload?.user?.email,
fallbackName: payload?.user?.name,
})
if (hadOwnerBeforeSignUp || !payload?.user) {
return response
}
const promoted = await promoteFirstRegisteredUserToOwner(userId)
if (!promoted) {
return jsonResponse(
{
message: "Initial owner registration window has just closed. Please sign in instead.",
},
409,
)
}
payload.user.role = "owner"
return new Response(JSON.stringify(payload), {
status: response.status,
headers: response.headers,
})
}
export async function GET(request: Request): Promise<Response> {
await ensureSupportUserBootstrap()
const deletionGuardResponse = await guardProtectedAccountDeletion(request)
if (deletionGuardResponse) {
return deletionGuardResponse
}
return authRouteHandlers.GET(request)
}
export async function POST(request: Request): Promise<Response> {
const pathname = new URL(request.url).pathname
if (pathname.endsWith("/sign-in/email")) {
return handleSignInPost(request)
}
if (pathname.endsWith("/sign-up/email")) {
return handleSignUpPost(request)
}
await ensureSupportUserBootstrap()
const deletionGuardResponse = await guardProtectedAccountDeletion(request)
if (deletionGuardResponse) {
return deletionGuardResponse
}
return authRouteHandlers.POST(request)
}
export async function PATCH(request: Request): Promise<Response> {
await ensureSupportUserBootstrap()
const deletionGuardResponse = await guardProtectedAccountDeletion(request)
if (deletionGuardResponse) {
return deletionGuardResponse
}
return authRouteHandlers.PATCH(request)
}
export async function PUT(request: Request): Promise<Response> {
await ensureSupportUserBootstrap()
const deletionGuardResponse = await guardProtectedAccountDeletion(request)
if (deletionGuardResponse) {
return deletionGuardResponse
}
return authRouteHandlers.PUT(request)
}
export async function DELETE(request: Request): Promise<Response> {
await ensureSupportUserBootstrap()
const deletionGuardResponse = await guardProtectedAccountDeletion(request)
if (deletionGuardResponse) {
return deletionGuardResponse
}
return authRouteHandlers.DELETE(request)
}

12
apps/admin/src/app/layout.tsx
View File

@@ -1,6 +1,7 @@
import type { Metadata } from "next" import type { Metadata } from "next"
import type { ReactNode } from "react" import type { ReactNode } from "react"
import { getAdminMessages, resolveAdminLocale } from "@/i18n/server"
import "./globals.css" import "./globals.css"
import { Providers } from "./providers" import { Providers } from "./providers"
@@ -9,11 +10,16 @@ export const metadata: Metadata = {
description: "Admin dashboard for the CMS monorepo", description: "Admin dashboard for the CMS monorepo",
} }
export default function RootLayout({ children }: { children: ReactNode }) { export default async function RootLayout({ children }: { children: ReactNode }) {
const locale = await resolveAdminLocale()
const messages = await getAdminMessages(locale)
return ( return (
<html lang="en"> <html lang={locale}>
<body> <body>
<Providers>{children}</Providers> <Providers locale={locale} messages={messages}>
{children}
</Providers>
</body> </body>
</html> </html>
) )

318
apps/admin/src/app/login/login-form.tsx Normal file
View File

@@ -0,0 +1,318 @@
"use client"
import Link from "next/link"
import { useRouter, useSearchParams } from "next/navigation"
import { type FormEvent, useMemo, useState } from "react"
import { AdminLocaleSwitcher } from "@/components/admin-locale-switcher"
import { useAdminT } from "@/providers/admin-i18n-provider"
type LoginFormProps = {
mode: "signin" | "signup-owner" | "signup-user" | "signup-disabled"
}
type AuthResponse = {
user?: {
role?: string
}
message?: string
}
function persistRoleCookie(role: unknown) {
if (typeof role !== "string") {
return
}
// biome-ignore lint/suspicious/noDocumentCookie: Temporary fallback for middleware role resolution.
document.cookie = `cms_role=${encodeURIComponent(role)}; Path=/; SameSite=Lax`
}
export function LoginForm({ mode }: LoginFormProps) {
const router = useRouter()
const searchParams = useSearchParams()
const t = useAdminT()
const nextPath = useMemo(() => searchParams.get("next") || "/", [searchParams])
const [name, setName] = useState("Admin User")
const [username, setUsername] = useState("")
const [email, setEmail] = useState("")
const [password, setPassword] = useState("")
const [isBusy, setIsBusy] = useState(false)
const [error, setError] = useState<string | null>(null)
const [success, setSuccess] = useState<string | null>(null)
const canSubmitSignUp = mode === "signup-owner" || mode === "signup-user"
async function handleSignIn(event: FormEvent<HTMLFormElement>) {
event.preventDefault()
setIsBusy(true)
setError(null)
setSuccess(null)
try {
const response = await fetch("/api/auth/sign-in/email", {
method: "POST",
headers: {
"content-type": "application/json",
},
body: JSON.stringify({
identifier: email,
password,
callbackURL: nextPath,
}),
})
const payload = (await response.json().catch(() => null)) as AuthResponse | null
if (!response.ok) {
setError(payload?.message ?? t("auth.errors.signInFailed", "Sign in failed"))
return
}
persistRoleCookie(payload?.user?.role)
router.push(nextPath)
router.refresh()
} catch {
setError(t("auth.errors.networkSignIn", "Network error while signing in"))
} finally {
setIsBusy(false)
}
}
async function handleSignUp(event: FormEvent<HTMLFormElement>) {
event.preventDefault()
if (!name.trim()) {
setError(t("auth.errors.nameRequired", "Name is required for account creation"))
return
}
setIsBusy(true)
setError(null)
setSuccess(null)
try {
const response = await fetch("/api/auth/sign-up/email", {
method: "POST",
headers: {
"content-type": "application/json",
},
body: JSON.stringify({
name,
username,
email,
password,
callbackURL: nextPath,
}),
})
const payload = (await response.json().catch(() => null)) as AuthResponse | null
if (!response.ok) {
setError(payload?.message ?? t("auth.errors.signUpFailed", "Sign up failed"))
return
}
persistRoleCookie(payload?.user?.role)
setSuccess(
mode === "signup-owner"
? t("auth.messages.ownerCreated", "Owner account created. Registration is now disabled.")
: t("auth.messages.accountCreated", "Account created."),
)
router.push(nextPath)
router.refresh()
} catch {
setError(t("auth.errors.networkSignUp", "Network error while signing up"))
} finally {
setIsBusy(false)
}
}
return (
<main className="mx-auto flex min-h-screen w-full max-w-md flex-col justify-center px-6 py-16">
<div className="space-y-3">
<div className="flex items-center justify-between gap-3">
<p className="text-sm uppercase tracking-[0.2em] text-neutral-500">
{t("auth.badge", "Admin Auth")}
</p>
<AdminLocaleSwitcher />
</div>
<h1 className="text-3xl font-semibold tracking-tight">
{mode === "signin"
? t("auth.titles.signIn", "Sign in to CMS Admin")
: mode === "signup-owner"
? t("auth.titles.signUpOwner", "Welcome to CMS Admin")
: mode === "signup-user"
? t("auth.titles.signUpUser", "Create an admin account")
: t("auth.titles.signUpDisabled", "Registration is disabled")}
</h1>
<p className="text-sm text-neutral-600">
{mode === "signin"
? t("auth.descriptions.signIn", "Better Auth is active on this app via /api/auth.")
: mode === "signup-owner"
? t(
"auth.descriptions.signUpOwner",
"Create the first owner account to initialize this admin instance.",
)
: mode === "signup-user"
? t("auth.descriptions.signUpUser", "Self-registration is enabled for admin users.")
: t(
"auth.descriptions.signUpDisabled",
"Self-registration is currently turned off by an administrator.",
)}
</p>
</div>
{mode === "signin" ? (
<form
onSubmit={handleSignIn}
className="mt-8 space-y-4 rounded-xl border border-neutral-200 p-6"
>
<div className="space-y-1">
<label className="text-sm font-medium" htmlFor="email">
{t("auth.fields.emailOrUsername", "Email or username")}
</label>
<input
id="email"
type="text"
required
value={email}
onChange={(event) => setEmail(event.target.value)}
className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
/>
</div>
<div className="space-y-1">
<label className="text-sm font-medium" htmlFor="password">
{t("auth.fields.password", "Password")}
</label>
<input
id="password"
type="password"
minLength={8}
required
value={password}
onChange={(event) => setPassword(event.target.value)}
className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
/>
</div>
<button
type="submit"
disabled={isBusy}
className="w-full rounded-md bg-neutral-900 px-4 py-2 text-sm font-medium text-white disabled:opacity-60"
>
{isBusy
? t("auth.actions.signInBusy", "Signing in...")
: t("auth.actions.signInIdle", "Sign in")}
</button>
<p className="text-xs text-neutral-600">
{t("auth.links.needAccount", "Need an account?")}{" "}
<Link href={`/register?next=${encodeURIComponent(nextPath)}`} className="underline">
{t("auth.links.register", "Register")}
</Link>
</p>
{error ? <p className="text-sm text-red-600">{error}</p> : null}
</form>
) : canSubmitSignUp ? (
<form
onSubmit={handleSignUp}
className="mt-8 space-y-4 rounded-xl border border-neutral-200 p-6"
>
<div className="space-y-1">
<label className="text-sm font-medium" htmlFor="name">
{t("auth.fields.name", "Name")}
</label>
<input
id="name"
type="text"
value={name}
onChange={(event) => setName(event.target.value)}
className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
/>
</div>
<div className="space-y-1">
<label className="text-sm font-medium" htmlFor="email">
{t("auth.fields.email", "Email")}
</label>
<input
id="email"
type="email"
required
value={email}
onChange={(event) => setEmail(event.target.value)}
className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
/>
</div>
<div className="space-y-1">
<label className="text-sm font-medium" htmlFor="username">
{t("auth.fields.username", "Username (optional)")}
</label>
<input
id="username"
type="text"
value={username}
onChange={(event) => setUsername(event.target.value)}
className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
/>
</div>
<div className="space-y-1">
<label className="text-sm font-medium" htmlFor="password">
{t("auth.fields.password", "Password")}
</label>
<input
id="password"
type="password"
minLength={8}
required
value={password}
onChange={(event) => setPassword(event.target.value)}
className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
/>
</div>
<button
type="submit"
disabled={isBusy}
className="w-full rounded-md bg-neutral-900 px-4 py-2 text-sm font-medium text-white disabled:opacity-60"
>
{isBusy
? t("auth.actions.signUpBusy", "Creating account...")
: mode === "signup-owner"
? t("auth.actions.signUpOwnerIdle", "Create owner account")
: t("auth.actions.signUpUserIdle", "Create account")}
</button>
<p className="text-xs text-neutral-600">
{t("auth.links.alreadyHaveAccount", "Already have an account?")}{" "}
<Link href={`/login?next=${encodeURIComponent(nextPath)}`} className="underline">
{t("auth.links.goToSignIn", "Go to sign in")}
</Link>
</p>
{error ? <p className="text-sm text-red-600">{error}</p> : null}
{success ? <p className="text-sm text-green-700">{success}</p> : null}
</form>
) : (
<section className="mt-8 space-y-4 rounded-xl border border-neutral-200 p-6">
<p className="text-sm text-neutral-700">
{t(
"auth.messages.registrationDisabled",
"Registration is disabled for this admin instance. Ask an administrator to create an account or enable self-registration.",
)}
</p>
<p className="text-xs text-neutral-600">
<Link href={`/login?next=${encodeURIComponent(nextPath)}`} className="underline">
{t("auth.links.goToSignIn", "Go to sign in")}
</Link>
</p>
</section>
)}
</main>
)
}

36
apps/admin/src/app/login/page.tsx Normal file
View File

@@ -0,0 +1,36 @@
import { redirect } from "next/navigation"
import { resolveRoleFromServerContext } from "@/lib/access-server"
import { hasOwnerUser } from "@/lib/auth/server"
import { LoginForm } from "./login-form"
export const dynamic = "force-dynamic"
type SearchParams = Promise<Record<string, string | string[] | undefined>>
function getSingleValue(input: string | string[] | undefined): string | undefined {
if (Array.isArray(input)) {
return input[0]
}
return input
}
export default async function LoginPage({ searchParams }: { searchParams: SearchParams }) {
const params = await searchParams
const nextPath = getSingleValue(params.next) ?? "/"
const role = await resolveRoleFromServerContext()
if (role) {
redirect("/")
}
const hasOwner = await hasOwnerUser()
if (!hasOwner) {
redirect(`/welcome?next=${encodeURIComponent(nextPath)}`)
}
return <LoginForm mode="signin" />
}

36
apps/admin/src/app/logout-button.tsx Normal file
View File

@@ -0,0 +1,36 @@
"use client"
import { Button } from "@cms/ui/button"
import { useRouter } from "next/navigation"
import { useState } from "react"
export function LogoutButton() {
const router = useRouter()
const [isBusy, setIsBusy] = useState(false)
async function handleLogout() {
setIsBusy(true)
try {
await fetch("/api/auth/sign-out", {
method: "POST",
headers: {
"content-type": "application/json",
},
body: JSON.stringify({ callbackURL: "/login" }),
})
} finally {
// biome-ignore lint/suspicious/noDocumentCookie: Temporary cookie fallback until role resolution no longer needs this cookie.
document.cookie = "cms_role=; Path=/; Max-Age=0; SameSite=Lax"
router.push("/login")
router.refresh()
setIsBusy(false)
}
}
return (
<Button type="button" onClick={() => void handleLogout()} disabled={isBusy} variant="secondary">
{isBusy ? "Signing out..." : "Sign out"}
</Button>
)
}

399
apps/admin/src/app/page.tsx
View File

@@ -1,55 +1,414 @@
import { hasPermission } from "@cms/content/rbac" import { hasPermission } from "@cms/content/rbac"
import { listPosts } from "@cms/db" import { createPost, deletePost, listPosts, updatePost } from "@cms/db"
import { Button } from "@cms/ui/button" import { Button } from "@cms/ui/button"
import { revalidatePath } from "next/cache"
import Link from "next/link" import Link from "next/link"
import { redirect } from "next/navigation" import { redirect } from "next/navigation"
import { resolveRoleFromServerContext } from "@/lib/access" import { AdminLocaleSwitcher } from "@/components/admin-locale-switcher"
import { translateMessage } from "@/i18n/messages"
import { getAdminMessages, resolveAdminLocale } from "@/i18n/server"
import { resolveRoleFromServerContext } from "@/lib/access-server"
import { LogoutButton } from "./logout-button"
export const dynamic = "force-dynamic" export const dynamic = "force-dynamic"
export default async function AdminHomePage() { type SearchParamsInput = Record<string, string | string[] | undefined>
function readFirstValue(value: string | string[] | undefined): string | null {
if (Array.isArray(value)) {
return value[0] ?? null
}
return value ?? null
}
function readRequiredField(formData: FormData, field: string): string {
const value = formData.get(field)
if (typeof value !== "string") {
return ""
}
return value.trim()
}
function readOptionalField(formData: FormData, field: string): string | undefined {
const value = readRequiredField(formData, field)
return value.length > 0 ? value : undefined
}
async function requireNewsWritePermission() {
const role = await resolveRoleFromServerContext() const role = await resolveRoleFromServerContext()
if (!role || !hasPermission(role, "news:read", "team")) { if (!role || !hasPermission(role, "news:write", "team")) {
redirect("/unauthorized?required=news:write&scope=team")
}
}
function redirectWithState(params: { notice?: string; error?: string }) {
const query = new URLSearchParams()
if (params.notice) {
query.set("notice", params.notice)
}
if (params.error) {
query.set("error", params.error)
}
const value = query.toString()
redirect(value ? `/?${value}` : "/")
}
async function getDashboardTranslator() {
const locale = await resolveAdminLocale()
const messages = await getAdminMessages(locale)
return (key: string, fallback: string) => translateMessage(messages, key, fallback)
}
async function createPostAction(formData: FormData) {
"use server"
await requireNewsWritePermission()
const t = await getDashboardTranslator()
const status = readRequiredField(formData, "status")
try {
await createPost({
title: readRequiredField(formData, "title"),
slug: readRequiredField(formData, "slug"),
excerpt: readOptionalField(formData, "excerpt"),
body: readRequiredField(formData, "body"),
status: status === "published" ? "published" : "draft",
})
} catch {
redirectWithState({
error: t("dashboard.posts.errors.createFailed", "Create failed. Please check your input."),
})
}
revalidatePath("/")
redirectWithState({ notice: t("dashboard.posts.success.created", "Post created.") })
}
async function updatePostAction(formData: FormData) {
"use server"
await requireNewsWritePermission()
const t = await getDashboardTranslator()
const id = readRequiredField(formData, "id")
const status = readRequiredField(formData, "status")
if (!id) {
redirectWithState({
error: t("dashboard.posts.errors.updateMissingId", "Update failed. Missing post id."),
})
}
try {
await updatePost(id, {
title: readRequiredField(formData, "title"),
slug: readRequiredField(formData, "slug"),
excerpt: readOptionalField(formData, "excerpt"),
body: readRequiredField(formData, "body"),
status: status === "published" ? "published" : "draft",
})
} catch {
redirectWithState({
error: t("dashboard.posts.errors.updateFailed", "Update failed. Please check your input."),
})
}
revalidatePath("/")
redirectWithState({ notice: t("dashboard.posts.success.updated", "Post updated.") })
}
async function deletePostAction(formData: FormData) {
"use server"
await requireNewsWritePermission()
const t = await getDashboardTranslator()
const id = readRequiredField(formData, "id")
if (!id) {
redirectWithState({
error: t("dashboard.posts.errors.deleteMissingId", "Delete failed. Missing post id."),
})
}
try {
await deletePost(id)
} catch {
redirectWithState({ error: t("dashboard.posts.errors.deleteFailed", "Delete failed.") })
}
revalidatePath("/")
redirectWithState({ notice: t("dashboard.posts.success.deleted", "Post deleted.") })
}
export default async function AdminHomePage({
searchParams,
}: {
searchParams: Promise<SearchParamsInput>
}) {
const role = await resolveRoleFromServerContext()
if (!role) {
redirect("/login?next=/")
}
if (!hasPermission(role, "news:read", "team")) {
redirect("/unauthorized?required=news:read&scope=team") redirect("/unauthorized?required=news:read&scope=team")
} }
const [resolvedSearchParams, locale, posts] = await Promise.all([
searchParams,
resolveAdminLocale(),
listPosts(),
])
const messages = await getAdminMessages(locale)
const t = (key: string, fallback: string) => translateMessage(messages, key, fallback)
const notice = readFirstValue(resolvedSearchParams.notice)
const error = readFirstValue(resolvedSearchParams.error)
const canCreatePost = hasPermission(role, "news:write", "team") const canCreatePost = hasPermission(role, "news:write", "team")
const posts = await listPosts()
return ( return (
<main className="mx-auto flex min-h-screen w-full max-w-4xl flex-col gap-8 px-6 py-16"> <main className="mx-auto flex min-h-screen w-full max-w-4xl flex-col gap-8 px-6 py-16">
<header className="space-y-3"> <header className="space-y-3">
<p className="text-sm uppercase tracking-[0.2em] text-neutral-500">Admin App</p> <div className="flex items-center justify-between gap-3">
<h1 className="text-4xl font-semibold tracking-tight">Content Dashboard</h1> <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">
<p className="text-neutral-600">Manage posts from a dedicated admin surface.</p> {t("dashboard.badge", "Admin App")}
<div className="pt-2"> </p>
<AdminLocaleSwitcher />
</div>
<h1 className="text-4xl font-semibold tracking-tight">
{t("dashboard.title", "Content Dashboard")}
</h1>
<p className="text-neutral-600">
{t("dashboard.description", "Manage posts from a dedicated admin surface.")}
</p>
<div className="flex items-center gap-3 pt-2">
<Link <Link
href="/todo" href="/todo"
className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100" className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
> >
Open roadmap and progress {t("dashboard.actions.openRoadmap", "Open roadmap and progress")}
</Link> </Link>
<Link
href="/settings"
className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
>
{t("settings.title", "Settings")}
</Link>
<LogoutButton />
</div> </div>
</header> </header>
{notice ? (
<section className="rounded-xl border border-emerald-300 bg-emerald-50 px-4 py-3 text-sm text-emerald-800">
{notice}
</section>
) : null}
{error ? (
<section className="rounded-xl border border-red-300 bg-red-50 px-4 py-3 text-sm text-red-800">
{error}
</section>
) : null}
<section className="rounded-xl border border-neutral-200 p-6"> <section className="rounded-xl border border-neutral-200 p-6">
<div className="mb-4 flex items-center justify-between"> <div className="space-y-4">
<h2 className="text-xl font-medium">Posts</h2> <div className="flex items-center justify-between">
<Button disabled={!canCreatePost}>Create post</Button> <h2 className="text-xl font-medium">
{t("dashboard.posts.title", "Posts CRUD Sandbox")}
</h2>
<p className="text-xs uppercase tracking-wide text-neutral-500">
{t("dashboard.notices.crudSandboxTag", "MVP0 functional test")}
</p>
</div>
{canCreatePost ? (
<form
action={createPostAction}
className="space-y-3 rounded-lg border border-neutral-200 p-4"
>
<h3 className="text-sm font-semibold">
{t("dashboard.posts.createTitle", "Create post")}
</h3>
<div className="grid gap-3 md:grid-cols-2">
<label className="space-y-1">
<span className="text-xs text-neutral-600">
{t("dashboard.posts.fields.title", "Title")}
</span>
<input
name="title"
required
minLength={3}
className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
/>
</label>
<label className="space-y-1">
<span className="text-xs text-neutral-600">
{t("dashboard.posts.fields.slug", "Slug")}
</span>
<input
name="slug"
required
minLength={3}
className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
/>
</label>
</div>
<label className="space-y-1">
<span className="text-xs text-neutral-600">
{t("dashboard.posts.fields.excerpt", "Excerpt")}
</span>
<input
name="excerpt"
className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
/>
</label>
<label className="space-y-1">
<span className="text-xs text-neutral-600">
{t("dashboard.posts.fields.body", "Body")}
</span>
<textarea
name="body"
required
minLength={1}
rows={4}
className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
/>
</label>
<label className="space-y-1">
<span className="text-xs text-neutral-600">
{t("dashboard.posts.fields.status", "Status")}
</span>
<select
name="status"
defaultValue="draft"
className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
>
<option value="draft">{t("dashboard.posts.status.draft", "Draft")}</option>
<option value="published">
{t("dashboard.posts.status.published", "Published")}
</option>
</select>
</label>
<Button type="submit">{t("dashboard.posts.actions.create", "Create post")}</Button>
</form>
) : (
<div className="rounded-lg border border-amber-300 bg-amber-50 px-4 py-3 text-sm text-amber-800">
{t(
"dashboard.notices.noCrudPermission",
"You can read posts, but your role cannot create/update/delete posts.",
)}
</div>
)}
</div> </div>
<div className="space-y-3"> <div className="space-y-3">
{posts.map((post) => ( {posts.map((post) => (
<article key={post.id} className="rounded-lg border border-neutral-200 p-4"> <article key={post.id} className="rounded-lg border border-neutral-200 p-4">
<div className="flex items-center justify-between gap-3"> {canCreatePost ? (
<h3 className="text-lg font-medium">{post.title}</h3> <>
<span className="rounded-full bg-neutral-100 px-3 py-1 text-xs uppercase tracking-wide"> <form action={updatePostAction} className="space-y-3">
{post.status} <input type="hidden" name="id" value={post.id} />
</span> <div className="grid gap-3 md:grid-cols-2">
</div> <label className="space-y-1">
<p className="mt-2 text-sm text-neutral-600">{post.slug}</p> <span className="text-xs text-neutral-600">
{t("dashboard.posts.fields.title", "Title")}
</span>
<input
name="title"
required
minLength={3}
defaultValue={post.title}
className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
/>
</label>
<label className="space-y-1">
<span className="text-xs text-neutral-600">
{t("dashboard.posts.fields.slug", "Slug")}
</span>
<input
name="slug"
required
minLength={3}
defaultValue={post.slug}
className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
/>
</label>
</div>
<label className="space-y-1">
<span className="text-xs text-neutral-600">
{t("dashboard.posts.fields.excerpt", "Excerpt")}
</span>
<input
name="excerpt"
defaultValue={post.excerpt ?? ""}
className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
/>
</label>
<label className="space-y-1">
<span className="text-xs text-neutral-600">
{t("dashboard.posts.fields.body", "Body")}
</span>
<textarea
name="body"
required
minLength={1}
rows={4}
defaultValue={post.body}
className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
/>
</label>
<label className="space-y-1">
<span className="text-xs text-neutral-600">
{t("dashboard.posts.fields.status", "Status")}
</span>
<select
name="status"
defaultValue={post.status}
className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
>
<option value="draft">{t("dashboard.posts.status.draft", "Draft")}</option>
<option value="published">
{t("dashboard.posts.status.published", "Published")}
</option>
</select>
</label>
<Button type="submit">
{t("dashboard.posts.actions.save", "Save changes")}
</Button>
</form>
<form action={deletePostAction} className="mt-3">
<input type="hidden" name="id" value={post.id} />
<Button type="submit" variant="secondary">
{t("dashboard.posts.actions.delete", "Delete")}
</Button>
</form>
</>
) : (
<>
<div className="flex items-center justify-between gap-3">
<h3 className="text-lg font-medium">{post.title}</h3>
<span className="rounded-full bg-neutral-100 px-3 py-1 text-xs uppercase tracking-wide">
{post.status}
</span>
</div>
<p className="mt-2 text-sm text-neutral-600">{post.slug}</p>
<p className="mt-2 text-sm text-neutral-600">
{post.excerpt ?? t("dashboard.posts.fallback.noExcerpt", "No excerpt")}
</p>
</>
)}
</article> </article>
))} ))}
</div> </div>

19
apps/admin/src/app/providers.tsx
View File

@@ -1,9 +1,24 @@
"use client" "use client"
import type { AppLocale } from "@cms/i18n"
import type { ReactNode } from "react" import type { ReactNode } from "react"
import type { AdminMessages } from "@/i18n/messages"
import { AdminI18nProvider } from "@/providers/admin-i18n-provider"
import { QueryProvider } from "@/providers/query-provider" import { QueryProvider } from "@/providers/query-provider"
export function Providers({ children }: { children: ReactNode }) { export function Providers({
return <QueryProvider>{children}</QueryProvider> children,
locale,
messages,
}: {
children: ReactNode
locale: AppLocale
messages: AdminMessages
}) {
return (
<AdminI18nProvider locale={locale} messages={messages}>
<QueryProvider>{children}</QueryProvider>
</AdminI18nProvider>
)
} }

40
apps/admin/src/app/register/page.tsx Normal file
View File

@@ -0,0 +1,40 @@
import { redirect } from "next/navigation"
import { LoginForm } from "@/app/login/login-form"
import { resolveRoleFromServerContext } from "@/lib/access-server"
import { hasOwnerUser, isSelfRegistrationEnabled } from "@/lib/auth/server"
export const dynamic = "force-dynamic"
type SearchParams = Promise<Record<string, string | string[] | undefined>>
function getSingleValue(input: string | string[] | undefined): string | undefined {
if (Array.isArray(input)) {
return input[0]
}
return input
}
export default async function RegisterPage({ searchParams }: { searchParams: SearchParams }) {
const params = await searchParams
const nextPath = getSingleValue(params.next) ?? "/"
const role = await resolveRoleFromServerContext()
if (role) {
redirect("/")
}
const hasOwner = await hasOwnerUser()
if (!hasOwner) {
redirect(`/welcome?next=${encodeURIComponent(nextPath)}`)
}
const enabled = await isSelfRegistrationEnabled()
if (!enabled) {
return <LoginForm mode="signup-disabled" />
}
return <LoginForm mode="signup-user" />
}

188
apps/admin/src/app/settings/page.tsx Normal file
View File

@@ -0,0 +1,188 @@
import { hasPermission } from "@cms/content/rbac"
import { isAdminSelfRegistrationEnabled, setAdminSelfRegistrationEnabled } from "@cms/db"
import { Button } from "@cms/ui/button"
import { revalidatePath } from "next/cache"
import Link from "next/link"
import { redirect } from "next/navigation"
import { AdminLocaleSwitcher } from "@/components/admin-locale-switcher"
import { translateMessage } from "@/i18n/messages"
import { getAdminMessages, resolveAdminLocale } from "@/i18n/server"
import { resolveRoleFromServerContext } from "@/lib/access-server"
type SearchParamsInput = Promise<Record<string, string | string[] | undefined>>
function toSingleValue(input: string | string[] | undefined): string | null {
if (Array.isArray(input)) {
return input[0] ?? null
}
return input ?? null
}
async function requireSettingsPermission() {
const role = await resolveRoleFromServerContext()
if (!role) {
redirect("/login?next=/settings")
}
if (!hasPermission(role, "users:manage_roles", "global")) {
redirect("/unauthorized?required=users:manage_roles&scope=global")
}
}
async function getSettingsTranslator() {
const locale = await resolveAdminLocale()
const messages = await getAdminMessages(locale)
return (key: string, fallback: string) => translateMessage(messages, key, fallback)
}
async function updateRegistrationPolicyAction(formData: FormData) {
"use server"
await requireSettingsPermission()
const t = await getSettingsTranslator()
const enabled = formData.get("enabled") === "on"
try {
await setAdminSelfRegistrationEnabled(enabled)
} catch (error) {
const errorMessage = error instanceof Error ? error.message : ""
const normalizedMessage = errorMessage.toLowerCase()
const isDatabaseUnavailable = errorMessage.includes("P1001")
const isSchemaMissing =
errorMessage.includes("P2021") ||
normalizedMessage.includes("system_setting") ||
normalizedMessage.includes("does not exist")
const userMessage = isDatabaseUnavailable
? t(
"settings.registration.errors.databaseUnavailable",
"Saving settings failed. The database is currently unreachable.",
)
: isSchemaMissing
? t(
"settings.registration.errors.schemaMissing",
"Saving settings failed. Apply the latest database migrations and try again.",
)
: t(
"settings.registration.errors.updateFailed",
"Saving settings failed. Ensure database migrations are applied.",
)
redirect(`/settings?error=${encodeURIComponent(userMessage)}`)
}
revalidatePath("/settings")
revalidatePath("/register")
redirect(
`/settings?notice=${encodeURIComponent(
t("settings.registration.success.updated", "Registration policy updated."),
)}`,
)
}
export default async function SettingsPage({ searchParams }: { searchParams: SearchParamsInput }) {
await requireSettingsPermission()
const [params, locale, isRegistrationEnabled] = await Promise.all([
searchParams,
resolveAdminLocale(),
isAdminSelfRegistrationEnabled(),
])
const messages = await getAdminMessages(locale)
const t = (key: string, fallback: string) => translateMessage(messages, key, fallback)
const notice = toSingleValue(params.notice)
const error = toSingleValue(params.error)
return (
<main className="mx-auto flex min-h-screen w-full max-w-4xl flex-col gap-8 px-6 py-16">
<header className="space-y-3">
<div className="flex items-center justify-between gap-3">
<p className="text-sm uppercase tracking-[0.2em] text-neutral-500">
{t("settings.badge", "Admin Settings")}
</p>
<AdminLocaleSwitcher />
</div>
<h1 className="text-4xl font-semibold tracking-tight">{t("settings.title", "Settings")}</h1>
<p className="text-neutral-600">
{t(
"settings.description",
"Manage runtime policies for the admin authentication and onboarding flow.",
)}
</p>
<div className="flex items-center gap-3 pt-2">
<Link
href="/"
className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
>
{t("settings.actions.backToDashboard", "Back to dashboard")}
</Link>
</div>
</header>
{notice ? (
<section className="rounded-xl border border-emerald-300 bg-emerald-50 px-4 py-3 text-sm text-emerald-800">
{notice}
</section>
) : null}
{error ? (
<section className="rounded-xl border border-red-300 bg-red-50 px-4 py-3 text-sm text-red-800">
{error}
</section>
) : null}
<section className="rounded-xl border border-neutral-200 p-6">
<div className="space-y-5">
<div className="space-y-2">
<h2 className="text-xl font-medium">
{t("settings.registration.title", "Admin self-registration")}
</h2>
<p className="text-sm text-neutral-600">
{t(
"settings.registration.description",
"When enabled, /register can create additional admin accounts after initial owner bootstrap.",
)}
</p>
</div>
<div className="rounded-lg border border-neutral-200 p-4 text-sm text-neutral-700">
<p>
{t("settings.registration.currentStatusLabel", "Current status")}:{" "}
<strong>
{isRegistrationEnabled
? t("settings.registration.status.enabled", "Enabled")
: t("settings.registration.status.disabled", "Disabled")}
</strong>
</p>
</div>
<form action={updateRegistrationPolicyAction} className="space-y-4">
<label className="flex items-center gap-3 text-sm">
<input
type="checkbox"
name="enabled"
defaultChecked={isRegistrationEnabled}
className="h-4 w-4 rounded border-neutral-300"
/>
<span>
{t(
"settings.registration.checkboxLabel",
"Allow self-registration on /register for admin users",
)}
</span>
</label>
<Button type="submit">
{t("settings.registration.actions.save", "Save registration policy")}
</Button>
</form>
</div>
</section>
</main>
)
}

23
apps/admin/src/app/support/[key]/page.tsx Normal file
View File

@@ -0,0 +1,23 @@
import { notFound, redirect } from "next/navigation"
import { LoginForm } from "@/app/login/login-form"
import { resolveRoleFromServerContext } from "@/lib/access-server"
import { resolveSupportLoginKey } from "@/lib/auth/server"
export const dynamic = "force-dynamic"
type Params = Promise<{ key: string }>
export default async function SupportLoginPage({ params }: { params: Params }) {
const { key } = await params
const role = await resolveRoleFromServerContext()
if (role) {
redirect("/")
}
if (key !== resolveSupportLoginKey()) {
notFound()
}
return <LoginForm mode="signin" />
}

8
apps/admin/src/app/todo/page.tsx
View File

@@ -4,7 +4,7 @@ import { hasPermission } from "@cms/content/rbac"
import Link from "next/link" import Link from "next/link"
import { redirect } from "next/navigation" import { redirect } from "next/navigation"
import { resolveRoleFromServerContext } from "@/lib/access" import { resolveRoleFromServerContext } from "@/lib/access-server"
export const dynamic = "force-dynamic" export const dynamic = "force-dynamic"
@@ -407,7 +407,11 @@ export default async function AdminTodoPage(props: {
}) { }) {
const role = await resolveRoleFromServerContext() const role = await resolveRoleFromServerContext()
if (!role || !hasPermission(role, "roadmap:read", "global")) { if (!role) {
redirect("/login?next=/todo")
}
if (!hasPermission(role, "roadmap:read", "global")) {
redirect("/unauthorized?required=roadmap:read&scope=global") redirect("/unauthorized?required=roadmap:read&scope=global")
} }

34
apps/admin/src/app/welcome/page.tsx Normal file
View File

@@ -0,0 +1,34 @@
import { redirect } from "next/navigation"
import { LoginForm } from "@/app/login/login-form"
import { resolveRoleFromServerContext } from "@/lib/access-server"
import { hasOwnerUser } from "@/lib/auth/server"
export const dynamic = "force-dynamic"
type SearchParams = Promise<Record<string, string | string[] | undefined>>
function getSingleValue(input: string | string[] | undefined): string | undefined {
if (Array.isArray(input)) {
return input[0]
}
return input
}
export default async function WelcomePage({ searchParams }: { searchParams: SearchParams }) {
const params = await searchParams
const nextPath = getSingleValue(params.next) ?? "/"
const role = await resolveRoleFromServerContext()
if (role) {
redirect("/")
}
const hasOwner = await hasOwnerUser()
if (hasOwner) {
redirect(`/login?next=${encodeURIComponent(nextPath)}`)
}
return <LoginForm mode="signup-owner" />
}

41
apps/admin/src/components/admin-locale-switcher.tsx Normal file
View File

@@ -0,0 +1,41 @@
"use client"
import { type AppLocale, localeLabels, locales } from "@cms/i18n"
import { useRouter } from "next/navigation"
import { useTransition } from "react"
import { ADMIN_LOCALE_COOKIE } from "@/i18n/shared"
import { useAdminI18n, useAdminT } from "@/providers/admin-i18n-provider"
export function AdminLocaleSwitcher() {
const router = useRouter()
const [isPending, startTransition] = useTransition()
const { locale } = useAdminI18n()
const t = useAdminT()
return (
<label className="inline-flex items-center gap-2 text-sm text-neutral-700">
<span>{t("common.language", "Language")}</span>
<select
className="rounded-md border border-neutral-300 bg-white px-2 py-1 text-sm"
value={locale}
disabled={isPending}
onChange={(event) => {
const nextLocale = event.target.value as AppLocale
// biome-ignore lint/suspicious/noDocumentCookie: locale preference is intentionally persisted client-side.
document.cookie = `${ADMIN_LOCALE_COOKIE}=${nextLocale}; Path=/; Max-Age=31536000; SameSite=Lax`
startTransition(() => {
router.refresh()
})
}}
>
{locales.map((value) => (
<option key={value} value={value}>
{t(`common.localeNames.${value}`, localeLabels[value])} ({localeLabels[value]})
</option>
))}
</select>
</label>
)
}

147
apps/admin/src/i18n/messages.test.ts Normal file
View File

@@ -0,0 +1,147 @@
import { describe, expect, it } from "vitest"
import type { AdminMessages } from "./messages"
import { translateMessage } from "./messages"
const messages: AdminMessages = {
common: {
language: "Language",
localeNames: {
de: "German",
en: "English",
es: "Spanish",
fr: "French",
},
},
auth: {
badge: "Admin Auth",
titles: {
signIn: "Sign in",
signUpOwner: "Welcome",
signUpUser: "Create account",
signUpDisabled: "Registration disabled",
},
descriptions: {
signIn: "Sign in description",
signUpOwner: "Owner description",
signUpUser: "User description",
signUpDisabled: "Disabled description",
},
fields: {
name: "Name",
emailOrUsername: "Email or username",
email: "Email",
username: "Username",
password: "Password",
},
actions: {
signInIdle: "Sign in",
signInBusy: "Signing in...",
signUpOwnerIdle: "Create owner account",
signUpUserIdle: "Create account",
signUpBusy: "Creating account...",
},
links: {
needAccount: "Need an account?",
register: "Register",
alreadyHaveAccount: "Already have an account?",
goToSignIn: "Go to sign in",
},
messages: {
ownerCreated: "Owner account created.",
accountCreated: "Account created.",
registrationDisabled: "Registration is disabled.",
},
errors: {
nameRequired: "Name is required.",
signInFailed: "Sign in failed",
signUpFailed: "Sign up failed",
networkSignIn: "Network sign in error",
networkSignUp: "Network sign up error",
},
},
settings: {
badge: "Admin Settings",
title: "Settings",
description: "Settings description",
actions: {
backToDashboard: "Back to dashboard",
},
registration: {
title: "Registration",
description: "Registration description",
currentStatusLabel: "Current status",
status: {
enabled: "Enabled",
disabled: "Disabled",
},
checkboxLabel: "Allow registration",
actions: {
save: "Save",
},
success: {
updated: "Updated",
},
errors: {
updateFailed: "Update failed",
},
},
},
dashboard: {
badge: "Admin App",
title: "Content Dashboard",
description: "Manage content.",
actions: {
openRoadmap: "Open roadmap",
},
notices: {
noCrudPermission: "No permission.",
crudSandboxTag: "MVP0 functional test",
},
posts: {
title: "Posts CRUD Sandbox",
createTitle: "Create post",
fields: {
title: "Title",
slug: "Slug",
excerpt: "Excerpt",
body: "Body",
status: "Status",
},
status: {
draft: "Draft",
published: "Published",
},
actions: {
create: "Create post",
save: "Save changes",
delete: "Delete",
},
errors: {
createFailed: "Create failed.",
updateFailed: "Update failed.",
updateMissingId: "Missing post id.",
deleteFailed: "Delete failed.",
deleteMissingId: "Missing post id.",
},
success: {
created: "Post created.",
updated: "Post updated.",
deleted: "Post deleted.",
},
fallback: {
noExcerpt: "No excerpt",
},
},
},
}
describe("translateMessage", () => {
it("resolves nested keys", () => {
expect(translateMessage(messages, "dashboard.title")).toBe("Content Dashboard")
})
it("returns fallback for unknown keys", () => {
expect(translateMessage(messages, "dashboard.unknown", "Fallback")).toBe("Fallback")
})
})

27
apps/admin/src/i18n/messages.ts Normal file
View File

@@ -0,0 +1,27 @@
import type enMessages from "../messages/en.json"
export type AdminMessages = typeof enMessages
function resolveNestedValue(source: unknown, key: string): unknown {
let current: unknown = source
for (const segment of key.split(".")) {
if (!current || typeof current !== "object") {
return null
}
current = (current as Record<string, unknown>)[segment]
}
return current
}
export function translateMessage(messages: AdminMessages, key: string, fallback?: string): string {
const resolved = resolveNestedValue(messages, key)
if (typeof resolved === "string") {
return resolved
}
return fallback ?? key
}

20
apps/admin/src/i18n/server.ts Normal file
View File

@@ -0,0 +1,20 @@
import { type AppLocale, defaultLocale, isAppLocale } from "@cms/i18n"
import { cookies } from "next/headers"
import type { AdminMessages } from "./messages"
import { ADMIN_LOCALE_COOKIE } from "./shared"
export async function resolveAdminLocale(): Promise<AppLocale> {
const cookieStore = await cookies()
const value = cookieStore.get(ADMIN_LOCALE_COOKIE)?.value
if (value && isAppLocale(value)) {
return value
}
return defaultLocale
}
export async function getAdminMessages(locale: AppLocale): Promise<AdminMessages> {
return (await import(`../messages/${locale}.json`)).default as AdminMessages
}

1
apps/admin/src/i18n/shared.ts Normal file
View File

@@ -0,0 +1 @@
export const ADMIN_LOCALE_COOKIE = "cms_admin_locale"

42
apps/admin/src/lib/access-server.ts Normal file
View File

@@ -0,0 +1,42 @@
import "server-only"
import type { Role } from "@cms/content/rbac"
import { cookies, headers } from "next/headers"
import { auth, resolveRoleFromAuthSession } from "@/lib/auth/server"
import { resolveDefaultRole, resolveRoleFromRawValue } from "./access"
export async function resolveRoleFromServerContext(): Promise<Role | null> {
const roleFromAuthSession = await resolveRoleFromAuthSessionInServerContext()
if (roleFromAuthSession) {
return roleFromAuthSession
}
const cookieStore = await cookies()
const headerStore = await headers()
const roleFromCookie = cookieStore.get("cms_role")?.value
const roleFromHeader = headerStore.get("x-cms-role")
const resolved = resolveRoleFromRawValue(roleFromCookie ?? roleFromHeader)
if (resolved) {
return resolved
}
return resolveDefaultRole()
}
async function resolveRoleFromAuthSessionInServerContext(): Promise<Role | null> {
try {
const headerStore = await headers()
const session = await auth.api.getSession({
headers: headerStore,
})
return resolveRoleFromAuthSession(session)
} catch {
return null
}
}

24
apps/admin/src/lib/access.test.ts Normal file
View File

@@ -0,0 +1,24 @@
import { describe, expect, it } from "vitest"
import { canAccessRoute, getRequiredPermission, isPublicRoute } from "./access"
describe("admin route access rules", () => {
it("treats support fallback route as public", () => {
expect(isPublicRoute("/support/support-access")).toBe(true)
expect(canAccessRoute("editor", "/support/support-access")).toBe(true)
})
it("keeps settings route restricted to role with users:manage_roles", () => {
expect(isPublicRoute("/settings")).toBe(false)
expect(canAccessRoute("manager", "/settings")).toBe(false)
expect(canAccessRoute("admin", "/settings")).toBe(true)
expect(canAccessRoute("owner", "/settings")).toBe(true)
})
it("resolves route-specific permission requirements", () => {
expect(getRequiredPermission("/todo")).toEqual({
permission: "roadmap:read",
scope: "global",
})
})
})

56
apps/admin/src/lib/access.ts
View File

@@ -1,5 +1,4 @@
import { hasPermission, normalizeRole, type PermissionScope, type Role } from "@cms/content/rbac" import { hasPermission, normalizeRole, type PermissionScope, type Role } from "@cms/content/rbac"
import { cookies, headers } from "next/headers"
import type { NextRequest } from "next/server" import type { NextRequest } from "next/server"
type RoutePermission = { type RoutePermission = {
@@ -17,6 +16,26 @@ const guardRules: GuardRule[] = [
route: /^\/unauthorized(?:\/|$)/, route: /^\/unauthorized(?:\/|$)/,
requirement: null, requirement: null,
}, },
{
route: /^\/api\/auth(?:\/|$)/,
requirement: null,
},
{
route: /^\/login(?:\/|$)/,
requirement: null,
},
{
route: /^\/register(?:\/|$)/,
requirement: null,
},
{
route: /^\/welcome(?:\/|$)/,
requirement: null,
},
{
route: /^\/support\/[^/]+(?:\/|$)/,
requirement: null,
},
{ {
route: /^\/todo(?:\/|$)/, route: /^\/todo(?:\/|$)/,
requirement: { requirement: {
@@ -24,6 +43,13 @@ const guardRules: GuardRule[] = [
scope: "global", scope: "global",
}, },
}, },
{
route: /^\/settings(?:\/|$)/,
requirement: {
permission: "users:manage_roles",
scope: "global",
},
},
{ {
route: /^\/(?:$|\?)/, route: /^\/(?:$|\?)/,
requirement: { requirement: {
@@ -33,15 +59,15 @@ const guardRules: GuardRule[] = [
}, },
] ]
function resolveDefaultRole(): Role | null { export function resolveDefaultRole(): Role | null {
if (process.env.NODE_ENV === "production") { if (process.env.NODE_ENV === "production") {
return null return null
} }
return normalizeRole(process.env.CMS_DEV_ROLE ?? "admin") return normalizeRole(process.env.CMS_DEV_ROLE)
} }
function resolveRoleFromRawValue(raw: string | null | undefined): Role | null { export function resolveRoleFromRawValue(raw: string | null | undefined): Role | null {
return normalizeRole(raw) return normalizeRole(raw)
} }
@@ -58,22 +84,6 @@ export function resolveRoleFromRequest(request: NextRequest): Role | null {
return resolveDefaultRole() return resolveDefaultRole()
} }
export async function resolveRoleFromServerContext(): Promise<Role | null> {
const cookieStore = await cookies()
const headerStore = await headers()
const roleFromCookie = cookieStore.get("cms_role")?.value
const roleFromHeader = headerStore.get("x-cms-role")
const resolved = resolveRoleFromRawValue(roleFromCookie ?? roleFromHeader)
if (resolved) {
return resolved
}
return resolveDefaultRole()
}
export function getRequiredPermission(pathname: string): RoutePermission { export function getRequiredPermission(pathname: string): RoutePermission {
for (const rule of guardRules) { for (const rule of guardRules) {
if (rule.route.test(pathname)) { if (rule.route.test(pathname)) {
@@ -103,3 +113,9 @@ export function canAccessRoute(role: Role, pathname: string): boolean {
return hasPermission(role, requirement.permission, requirement.scope) return hasPermission(role, requirement.permission, requirement.scope)
} }
export function isPublicRoute(pathname: string): boolean {
const rule = guardRules.find((item) => item.route.test(pathname))
return rule?.requirement === null
}

522
apps/admin/src/lib/auth/server.ts Normal file
View File

@@ -0,0 +1,522 @@
import { normalizeRole, type Role } from "@cms/content/rbac"
import { db, isAdminSelfRegistrationEnabled } from "@cms/db"
import { betterAuth } from "better-auth"
import { prismaAdapter } from "better-auth/adapters/prisma"
import { toNextJsHandler } from "better-auth/next-js"
const FALLBACK_DEV_SECRET = "dev-only-change-me-for-production"
const isProduction = process.env.NODE_ENV === "production"
const adminOrigin = process.env.CMS_ADMIN_ORIGIN ?? "http://localhost:3001"
const webOrigin = process.env.CMS_WEB_ORIGIN ?? "http://localhost:3000"
const DEFAULT_SUPPORT_USERNAME = "support"
const DEFAULT_SUPPORT_PASSWORD = "change-me-support-password"
const DEFAULT_SUPPORT_NAME = "Technical Support"
const DEFAULT_SUPPORT_LOGIN_KEY = "support-access"
const USERNAME_MAX_LENGTH = 32
function resolveAuthSecret(): string {
const value = process.env.BETTER_AUTH_SECRET
if (value) {
return value
}
if (isProduction) {
throw new Error("BETTER_AUTH_SECRET is required in production")
}
return FALLBACK_DEV_SECRET
}
export async function hasOwnerUser(): Promise<boolean> {
const ownerCount = await db.user.count({
where: { role: "owner" },
})
return ownerCount > 0
}
export async function isInitialOwnerRegistrationOpen(): Promise<boolean> {
return !(await hasOwnerUser())
}
export async function isSelfRegistrationEnabled(): Promise<boolean> {
return isAdminSelfRegistrationEnabled()
}
export async function canUserSelfRegister(): Promise<boolean> {
if (!(await hasOwnerUser())) {
return true
}
return isSelfRegistrationEnabled()
}
export function resolveSupportLoginKey(): string {
const value = process.env.CMS_SUPPORT_LOGIN_KEY
if (value) {
return value
}
if (isProduction) {
throw new Error("CMS_SUPPORT_LOGIN_KEY is required in production")
}
return DEFAULT_SUPPORT_LOGIN_KEY
}
function resolveBootstrapValue(
envKey: string,
fallback: string,
options: {
requiredInProduction?: boolean
} = {},
): string {
const value = process.env[envKey]
if (value) {
return value
}
if (isProduction && options.requiredInProduction) {
throw new Error(`${envKey} is required in production`)
}
return fallback
}
function normalizeUsernameCandidate(input: string | null | undefined): string | null {
if (!input) {
return null
}
const normalized = input
.trim()
.toLowerCase()
.replace(/[^a-z0-9._-]+/g, "-")
.replace(/^[._-]+|[._-]+$/g, "")
.slice(0, USERNAME_MAX_LENGTH)
if (!normalized) {
return null
}
return normalized
}
function extractEmailLocalPart(email: string): string {
return email.split("@")[0] ?? email
}
async function getAvailableUsername(base: string): Promise<string> {
const normalizedBase = normalizeUsernameCandidate(base) ?? "user"
for (let suffix = 0; suffix < 1000; suffix += 1) {
const candidate =
suffix === 0 ? normalizedBase : `${normalizedBase}-${suffix}`.slice(0, USERNAME_MAX_LENGTH)
const existing = await db.user.findUnique({
where: { username: candidate },
select: { id: true },
})
if (!existing) {
return candidate
}
}
throw new Error("Unable to allocate unique username")
}
export async function ensureUserUsername(
userId: string,
options: {
preferred?: string | null | undefined
fallbackEmail?: string | null | undefined
fallbackName?: string | null | undefined
} = {},
): Promise<string | null> {
const user = await db.user.findUnique({
where: { id: userId },
select: { id: true, username: true, email: true, name: true },
})
if (!user) {
return null
}
if (user.username) {
return user.username
}
const baseCandidate =
normalizeUsernameCandidate(options.preferred) ??
normalizeUsernameCandidate(
options.fallbackEmail ? extractEmailLocalPart(options.fallbackEmail) : null,
) ??
normalizeUsernameCandidate(options.fallbackName) ??
normalizeUsernameCandidate(extractEmailLocalPart(user.email)) ??
normalizeUsernameCandidate(user.name) ??
"user"
const username = await getAvailableUsername(baseCandidate)
await db.user.update({
where: { id: user.id },
data: { username },
})
return username
}
export async function resolveEmailFromLoginIdentifier(
identifier: string | null | undefined,
): Promise<string | null> {
const value = identifier?.trim()
if (!value) {
return null
}
if (value.includes("@")) {
return value.toLowerCase()
}
const username = normalizeUsernameCandidate(value)
if (!username) {
return null
}
const user = await db.user.findUnique({
where: { username },
select: { email: true },
})
return user?.email ?? null
}
export const auth = betterAuth({
appName: "CMS Admin",
baseURL: process.env.BETTER_AUTH_URL ?? adminOrigin,
secret: resolveAuthSecret(),
trustedOrigins: [adminOrigin, webOrigin],
database: prismaAdapter(db, {
provider: "postgresql",
}),
emailAndPassword: {
enabled: true,
// Sign-up gating is handled in route layer so we can close registration
// automatically after the first owner account is created.
disableSignUp: false,
},
user: {
additionalFields: {
role: {
type: "string",
required: true,
defaultValue: "editor",
input: false,
},
username: {
type: "string",
required: false,
input: false,
},
isBanned: {
type: "boolean",
required: true,
defaultValue: false,
input: false,
},
isSystem: {
type: "boolean",
required: true,
defaultValue: false,
input: false,
},
isHidden: {
type: "boolean",
required: true,
defaultValue: false,
input: false,
},
isProtected: {
type: "boolean",
required: true,
defaultValue: false,
input: false,
},
},
},
})
export const authRouteHandlers = toNextJsHandler(auth)
export type AuthSession = typeof auth.$Infer.Session
let supportBootstrapPromise: Promise<void> | null = null
type BootstrapUserConfig = {
email: string
username: string
name: string
password: string
role: Role
isHidden: boolean
}
async function ensureCredentialUser(config: BootstrapUserConfig): Promise<void> {
const ctx = await auth.$context
const normalizedEmail = config.email.toLowerCase()
const existing = await ctx.internalAdapter.findUserByEmail(normalizedEmail, {
includeAccounts: true,
})
if (existing?.user) {
await db.user.update({
where: { id: existing.user.id },
data: {
name: config.name,
role: config.role,
isBanned: false,
isSystem: true,
isHidden: config.isHidden,
isProtected: true,
},
})
const hasCredentialAccount = existing.accounts.some(
(account) => account.providerId === "credential",
)
if (!hasCredentialAccount) {
const passwordHash = await ctx.password.hash(config.password)
await ctx.internalAdapter.linkAccount({
userId: existing.user.id,
providerId: "credential",
accountId: existing.user.id,
password: passwordHash,
})
}
await ensureUserUsername(existing.user.id, {
preferred: config.username,
fallbackEmail: existing.user.email,
fallbackName: config.name,
})
return
}
const availableUsername = await getAvailableUsername(config.username)
const passwordHash = await ctx.password.hash(config.password)
const createdUser = await ctx.internalAdapter.createUser({
name: config.name,
email: normalizedEmail,
username: availableUsername,
emailVerified: true,
role: config.role,
isBanned: false,
isSystem: true,
isHidden: config.isHidden,
isProtected: true,
})
await ctx.internalAdapter.linkAccount({
userId: createdUser.id,
providerId: "credential",
accountId: createdUser.id,
password: passwordHash,
})
}
async function bootstrapSystemUsers(): Promise<void> {
const supportUsername = resolveBootstrapValue("CMS_SUPPORT_USERNAME", DEFAULT_SUPPORT_USERNAME)
const supportEmail = resolveBootstrapValue("CMS_SUPPORT_EMAIL", `${supportUsername}@cms.local`)
const supportPassword = resolveBootstrapValue("CMS_SUPPORT_PASSWORD", DEFAULT_SUPPORT_PASSWORD, {
requiredInProduction: true,
})
const supportName = resolveBootstrapValue("CMS_SUPPORT_NAME", DEFAULT_SUPPORT_NAME)
await ensureCredentialUser({
email: supportEmail,
username: supportUsername,
name: supportName,
password: supportPassword,
role: "support",
isHidden: true,
})
}
export async function ensureSupportUserBootstrap(): Promise<void> {
if (supportBootstrapPromise) {
await supportBootstrapPromise
return
}
supportBootstrapPromise = (async () => {
await bootstrapSystemUsers()
await enforceOwnerInvariant()
})()
try {
await supportBootstrapPromise
} catch (error) {
supportBootstrapPromise = null
throw error
}
}
type OwnerInvariantState = {
ownerId: string | null
ownerCount: number
repaired: boolean
}
export async function enforceOwnerInvariant(): Promise<OwnerInvariantState> {
return db.$transaction(async (tx) => {
const owners = await tx.user.findMany({
where: { role: "owner" },
orderBy: [{ createdAt: "asc" }, { id: "asc" }],
select: { id: true, isProtected: true, isBanned: true },
})
if (owners.length === 0) {
const candidate = await tx.user.findFirst({
where: {
role: {
not: "support",
},
},
orderBy: [{ createdAt: "asc" }, { id: "asc" }],
select: { id: true },
})
if (!candidate) {
return {
ownerId: null,
ownerCount: 0,
repaired: false,
}
}
await tx.user.update({
where: { id: candidate.id },
data: {
role: "owner",
isProtected: true,
isBanned: false,
},
})
return {
ownerId: candidate.id,
ownerCount: 1,
repaired: true,
}
}
const canonicalOwner = owners[0]
const extraOwnerIds = owners.slice(1).map((owner) => owner.id)
if (extraOwnerIds.length > 0) {
await tx.user.updateMany({
where: { id: { in: extraOwnerIds } },
data: {
role: "admin",
isProtected: false,
},
})
}
if (!canonicalOwner.isProtected || canonicalOwner.isBanned) {
await tx.user.update({
where: { id: canonicalOwner.id },
data: {
isProtected: true,
isBanned: false,
},
})
}
return {
ownerId: canonicalOwner.id,
ownerCount: 1,
repaired: extraOwnerIds.length > 0 || !canonicalOwner.isProtected || canonicalOwner.isBanned,
}
})
}
export async function canDeleteUserAccount(userId: string): Promise<boolean> {
const user = await db.user.findUnique({
where: { id: userId },
select: { role: true, isProtected: true },
})
if (!user) {
return false
}
// Protected/system users (support + canonical owner) are never deletable
// through self-service endpoints.
if (user.isProtected) {
return false
}
if (user.role !== "owner") {
return true
}
// Defensive fallback for drifted data; normal flow should already keep one owner.
const ownerCount = await db.user.count({
where: { role: "owner" },
})
return ownerCount > 1
}
export async function promoteFirstRegisteredUserToOwner(userId: string): Promise<boolean> {
const promoted = await db.$transaction(async (tx) => {
const existingOwner = await tx.user.findFirst({
where: { role: "owner" },
select: { id: true },
})
if (existingOwner) {
return false
}
await tx.user.update({
where: { id: userId },
data: {
role: "owner",
isSystem: false,
isHidden: false,
isProtected: true,
isBanned: false,
},
})
return true
})
if (promoted) {
await enforceOwnerInvariant()
}
return promoted
}
export function resolveRoleFromAuthSession(session: AuthSession | null | undefined): Role | null {
const sessionUserRole = session?.user?.role
if (typeof sessionUserRole !== "string") {
return null
}
return normalizeRole(sessionUserRole)
}

132
apps/admin/src/messages/de.json Normal file
View File

@@ -0,0 +1,132 @@
{
"common": {
"language": "Sprache",
"localeNames": {
"de": "Deutsch",
"en": "Englisch",
"es": "Spanisch",
"fr": "Französisch"
}
},
"auth": {
"badge": "Admin-Authentifizierung",
"titles": {
"signIn": "Bei CMS Admin anmelden",
"signUpOwner": "Willkommen bei CMS Admin",
"signUpUser": "Admin-Konto erstellen",
"signUpDisabled": "Registrierung ist deaktiviert"
},
"descriptions": {
"signIn": "Better Auth ist in dieser App über /api/auth aktiv.",
"signUpOwner": "Erstelle das erste Owner-Konto, um diese Admin-Instanz zu initialisieren.",
"signUpUser": "Selbstregistrierung für Admin-Benutzer ist aktiviert.",
"signUpDisabled": "Selbstregistrierung wurde von einer Administratorin oder einem Administrator deaktiviert."
},
"fields": {
"name": "Name",
"emailOrUsername": "E-Mail oder Benutzername",
"email": "E-Mail",
"username": "Benutzername (optional)",
"password": "Passwort"
},
"actions": {
"signInIdle": "Anmelden",
"signInBusy": "Anmeldung läuft...",
"signUpOwnerIdle": "Owner-Konto erstellen",
"signUpUserIdle": "Konto erstellen",
"signUpBusy": "Konto wird erstellt..."
},
"links": {
"needAccount": "Du brauchst ein Konto?",
"register": "Registrieren",
"alreadyHaveAccount": "Du hast bereits ein Konto?",
"goToSignIn": "Zur Anmeldung"
},
"messages": {
"ownerCreated": "Owner-Konto erstellt. Registrierung ist jetzt deaktiviert.",
"accountCreated": "Konto erstellt.",
"registrationDisabled": "Für diese Admin-Instanz ist die Registrierung deaktiviert. Bitte wende dich an eine Administratorin oder einen Administrator."
},
"errors": {
"nameRequired": "Name ist für die Kontoerstellung erforderlich",
"signInFailed": "Anmeldung fehlgeschlagen",
"signUpFailed": "Registrierung fehlgeschlagen",
"networkSignIn": "Netzwerkfehler bei der Anmeldung",
"networkSignUp": "Netzwerkfehler bei der Registrierung"
}
},
"settings": {
"badge": "Admin-Einstellungen",
"title": "Einstellungen",
"description": "Verwalte Laufzeitrichtlinien für Authentifizierung und Onboarding im Admin-Bereich.",
"actions": {
"backToDashboard": "Zurück zum Dashboard"
},
"registration": {
"title": "Admin-Selbstregistrierung",
"description": "Wenn aktiviert, können über /register nach der initialen Owner-Erstellung weitere Admin-Konten erstellt werden.",
"currentStatusLabel": "Aktueller Status",
"status": {
"enabled": "Aktiviert",
"disabled": "Deaktiviert"
},
"checkboxLabel": "Selbstregistrierung auf /register für Admin-Benutzer erlauben",
"actions": {
"save": "Registrierungsrichtlinie speichern"
},
"success": {
"updated": "Registrierungsrichtlinie aktualisiert."
},
"errors": {
"updateFailed": "Speichern der Einstellungen fehlgeschlagen. Stelle sicher, dass Datenbankmigrationen angewendet wurden."
}
}
},
"dashboard": {
"badge": "Admin-App",
"title": "Content-Dashboard",
"description": "Verwalte Beiträge in einer dedizierten Admin-Oberfläche.",
"actions": {
"openRoadmap": "Roadmap und Fortschritt öffnen"
},
"notices": {
"noCrudPermission": "Du kannst Beiträge lesen, aber deine Rolle darf keine Beiträge erstellen/ändern/löschen.",
"crudSandboxTag": "MVP0 Funktionstest"
},
"posts": {
"title": "Beiträge CRUD-Sandbox",
"createTitle": "Beitrag erstellen",
"fields": {
"title": "Titel",
"slug": "Slug",
"excerpt": "Auszug",
"body": "Inhalt",
"status": "Status"
},
"status": {
"draft": "Entwurf",
"published": "Veröffentlicht"
},
"actions": {
"create": "Beitrag erstellen",
"save": "Änderungen speichern",
"delete": "Löschen"
},
"errors": {
"createFailed": "Erstellen fehlgeschlagen. Bitte Eingaben prüfen.",
"updateFailed": "Aktualisierung fehlgeschlagen. Bitte Eingaben prüfen.",
"updateMissingId": "Aktualisierung fehlgeschlagen. Beitrags-ID fehlt.",
"deleteFailed": "Löschen fehlgeschlagen.",
"deleteMissingId": "Löschen fehlgeschlagen. Beitrags-ID fehlt."
},
"success": {
"created": "Beitrag erstellt.",
"updated": "Beitrag aktualisiert.",
"deleted": "Beitrag gelöscht."
},
"fallback": {
"noExcerpt": "Kein Auszug"
}
}
}
}

132
apps/admin/src/messages/en.json Normal file
View File

@@ -0,0 +1,132 @@
{
"common": {
"language": "Language",
"localeNames": {
"de": "German",
"en": "English",
"es": "Spanish",
"fr": "French"
}
},
"auth": {
"badge": "Admin Auth",
"titles": {
"signIn": "Sign in to CMS Admin",
"signUpOwner": "Welcome to CMS Admin",
"signUpUser": "Create an admin account",
"signUpDisabled": "Registration is disabled"
},
"descriptions": {
"signIn": "Better Auth is active on this app via /api/auth.",
"signUpOwner": "Create the first owner account to initialize this admin instance.",
"signUpUser": "Self-registration is enabled for admin users.",
"signUpDisabled": "Self-registration is currently turned off by an administrator."
},
"fields": {
"name": "Name",
"emailOrUsername": "Email or username",
"email": "Email",
"username": "Username (optional)",
"password": "Password"
},
"actions": {
"signInIdle": "Sign in",
"signInBusy": "Signing in...",
"signUpOwnerIdle": "Create owner account",
"signUpUserIdle": "Create account",
"signUpBusy": "Creating account..."
},
"links": {
"needAccount": "Need an account?",
"register": "Register",
"alreadyHaveAccount": "Already have an account?",
"goToSignIn": "Go to sign in"
},
"messages": {
"ownerCreated": "Owner account created. Registration is now disabled.",
"accountCreated": "Account created.",
"registrationDisabled": "Registration is disabled for this admin instance. Ask an administrator to create an account or enable self-registration."
},
"errors": {
"nameRequired": "Name is required for account creation",
"signInFailed": "Sign in failed",
"signUpFailed": "Sign up failed",
"networkSignIn": "Network error while signing in",
"networkSignUp": "Network error while signing up"
}
},
"settings": {
"badge": "Admin Settings",
"title": "Settings",
"description": "Manage runtime policies for the admin authentication and onboarding flow.",
"actions": {
"backToDashboard": "Back to dashboard"
},
"registration": {
"title": "Admin self-registration",
"description": "When enabled, /register can create additional admin accounts after initial owner bootstrap.",
"currentStatusLabel": "Current status",
"status": {
"enabled": "Enabled",
"disabled": "Disabled"
},
"checkboxLabel": "Allow self-registration on /register for admin users",
"actions": {
"save": "Save registration policy"
},
"success": {
"updated": "Registration policy updated."
},
"errors": {
"updateFailed": "Saving settings failed. Ensure database migrations are applied."
}
}
},
"dashboard": {
"badge": "Admin App",
"title": "Content Dashboard",
"description": "Manage posts from a dedicated admin surface.",
"actions": {
"openRoadmap": "Open roadmap and progress"
},
"notices": {
"noCrudPermission": "You can read posts, but your role cannot create/update/delete posts.",
"crudSandboxTag": "MVP0 functional test"
},
"posts": {
"title": "Posts CRUD Sandbox",
"createTitle": "Create post",
"fields": {
"title": "Title",
"slug": "Slug",
"excerpt": "Excerpt",
"body": "Body",
"status": "Status"
},
"status": {
"draft": "Draft",
"published": "Published"
},
"actions": {
"create": "Create post",
"save": "Save changes",
"delete": "Delete"
},
"errors": {
"createFailed": "Create failed. Please check your input.",
"updateFailed": "Update failed. Please check your input.",
"updateMissingId": "Update failed. Missing post id.",
"deleteFailed": "Delete failed.",
"deleteMissingId": "Delete failed. Missing post id."
},
"success": {
"created": "Post created.",
"updated": "Post updated.",
"deleted": "Post deleted."
},
"fallback": {
"noExcerpt": "No excerpt"
}
}
}
}

132
apps/admin/src/messages/es.json Normal file
View File

@@ -0,0 +1,132 @@
{
"common": {
"language": "Idioma",
"localeNames": {
"de": "Alemán",
"en": "Inglés",
"es": "Español",
"fr": "Francés"
}
},
"auth": {
"badge": "Autenticación de Admin",
"titles": {
"signIn": "Iniciar sesión en CMS Admin",
"signUpOwner": "Bienvenido a CMS Admin",
"signUpUser": "Crear una cuenta de admin",
"signUpDisabled": "El registro está deshabilitado"
},
"descriptions": {
"signIn": "Better Auth está activo en esta app mediante /api/auth.",
"signUpOwner": "Crea la primera cuenta owner para inicializar esta instancia de administración.",
"signUpUser": "El registro automático está habilitado para usuarios admin.",
"signUpDisabled": "El auto-registro está desactivado actualmente por un administrador."
},
"fields": {
"name": "Nombre",
"emailOrUsername": "Correo o nombre de usuario",
"email": "Correo",
"username": "Nombre de usuario (opcional)",
"password": "Contraseña"
},
"actions": {
"signInIdle": "Iniciar sesión",
"signInBusy": "Iniciando sesión...",
"signUpOwnerIdle": "Crear cuenta owner",
"signUpUserIdle": "Crear cuenta",
"signUpBusy": "Creando cuenta..."
},
"links": {
"needAccount": "¿Necesitas una cuenta?",
"register": "Registrarse",
"alreadyHaveAccount": "¿Ya tienes una cuenta?",
"goToSignIn": "Ir a iniciar sesión"
},
"messages": {
"ownerCreated": "Cuenta owner creada. El registro ahora está deshabilitado.",
"accountCreated": "Cuenta creada.",
"registrationDisabled": "El registro está deshabilitado para esta instancia de administración. Pide a un administrador que cree una cuenta o habilite el auto-registro."
},
"errors": {
"nameRequired": "El nombre es obligatorio para crear la cuenta",
"signInFailed": "Error al iniciar sesión",
"signUpFailed": "Error al registrarse",
"networkSignIn": "Error de red al iniciar sesión",
"networkSignUp": "Error de red al registrarse"
}
},
"settings": {
"badge": "Ajustes de Admin",
"title": "Ajustes",
"description": "Gestiona políticas de ejecución para autenticación y onboarding del panel admin.",
"actions": {
"backToDashboard": "Volver al panel"
},
"registration": {
"title": "Auto-registro de admin",
"description": "Cuando está habilitado, /register puede crear cuentas admin adicionales después del bootstrap inicial del owner.",
"currentStatusLabel": "Estado actual",
"status": {
"enabled": "Habilitado",
"disabled": "Deshabilitado"
},
"checkboxLabel": "Permitir auto-registro en /register para usuarios admin",
"actions": {
"save": "Guardar política de registro"
},
"success": {
"updated": "Política de registro actualizada."
},
"errors": {
"updateFailed": "No se pudieron guardar los ajustes. Asegúrate de que las migraciones de base de datos estén aplicadas."
}
}
},
"dashboard": {
"badge": "App Admin",
"title": "Panel de Contenido",
"description": "Gestiona publicaciones desde una superficie de administración dedicada.",
"actions": {
"openRoadmap": "Abrir hoja de ruta y progreso"
},
"notices": {
"noCrudPermission": "Puedes leer publicaciones, pero tu rol no puede crear/editar/eliminar publicaciones.",
"crudSandboxTag": "Prueba funcional MVP0"
},
"posts": {
"title": "Sandbox CRUD de Publicaciones",
"createTitle": "Crear publicación",
"fields": {
"title": "Título",
"slug": "Slug",
"excerpt": "Extracto",
"body": "Contenido",
"status": "Estado"
},
"status": {
"draft": "Borrador",
"published": "Publicado"
},
"actions": {
"create": "Crear publicación",
"save": "Guardar cambios",
"delete": "Eliminar"
},
"errors": {
"createFailed": "Error al crear. Revisa tus datos.",
"updateFailed": "Error al actualizar. Revisa tus datos.",
"updateMissingId": "Error al actualizar. Falta el id de la publicación.",
"deleteFailed": "Error al eliminar.",
"deleteMissingId": "Error al eliminar. Falta el id de la publicación."
},
"success": {
"created": "Publicación creada.",
"updated": "Publicación actualizada.",
"deleted": "Publicación eliminada."
},
"fallback": {
"noExcerpt": "Sin extracto"
}
}
}
}

132
apps/admin/src/messages/fr.json Normal file
View File

@@ -0,0 +1,132 @@
{
"common": {
"language": "Langue",
"localeNames": {
"de": "Allemand",
"en": "Anglais",
"es": "Espagnol",
"fr": "Français"
}
},
"auth": {
"badge": "Authentification Admin",
"titles": {
"signIn": "Se connecter à CMS Admin",
"signUpOwner": "Bienvenue sur CMS Admin",
"signUpUser": "Créer un compte admin",
"signUpDisabled": "Linscription est désactivée"
},
"descriptions": {
"signIn": "Better Auth est actif sur cette application via /api/auth.",
"signUpOwner": "Créez le premier compte owner pour initialiser cette instance dadministration.",
"signUpUser": "Lauto-inscription est activée pour les utilisateurs admin.",
"signUpDisabled": "Lauto-inscription est actuellement désactivée par un administrateur."
},
"fields": {
"name": "Nom",
"emailOrUsername": "E-mail ou nom dutilisateur",
"email": "E-mail",
"username": "Nom dutilisateur (optionnel)",
"password": "Mot de passe"
},
"actions": {
"signInIdle": "Se connecter",
"signInBusy": "Connexion en cours...",
"signUpOwnerIdle": "Créer le compte owner",
"signUpUserIdle": "Créer un compte",
"signUpBusy": "Création du compte..."
},
"links": {
"needAccount": "Besoin dun compte ?",
"register": "Sinscrire",
"alreadyHaveAccount": "Vous avez déjà un compte ?",
"goToSignIn": "Aller à la connexion"
},
"messages": {
"ownerCreated": "Compte owner créé. Linscription est maintenant désactivée.",
"accountCreated": "Compte créé.",
"registrationDisabled": "Linscription est désactivée pour cette instance admin. Demandez à un administrateur de créer un compte ou de réactiver lauto-inscription."
},
"errors": {
"nameRequired": "Le nom est requis pour créer un compte",
"signInFailed": "Échec de la connexion",
"signUpFailed": "Échec de linscription",
"networkSignIn": "Erreur réseau lors de la connexion",
"networkSignUp": "Erreur réseau lors de linscription"
}
},
"settings": {
"badge": "Paramètres Admin",
"title": "Paramètres",
"description": "Gérez les politiques dexécution pour lauthentification et lonboarding de ladmin.",
"actions": {
"backToDashboard": "Retour au tableau de bord"
},
"registration": {
"title": "Auto-inscription admin",
"description": "Lorsquelle est activée, /register peut créer des comptes admin supplémentaires après linitialisation du premier owner.",
"currentStatusLabel": "Statut actuel",
"status": {
"enabled": "Activé",
"disabled": "Désactivé"
},
"checkboxLabel": "Autoriser lauto-inscription sur /register pour les utilisateurs admin",
"actions": {
"save": "Enregistrer la politique dinscription"
},
"success": {
"updated": "Politique dinscription mise à jour."
},
"errors": {
"updateFailed": "Échec de lenregistrement des paramètres. Vérifiez que les migrations de base de données sont appliquées."
}
}
},
"dashboard": {
"badge": "Application Admin",
"title": "Tableau de bord contenu",
"description": "Gérez les publications depuis une surface dadministration dédiée.",
"actions": {
"openRoadmap": "Ouvrir la feuille de route et la progression"
},
"notices": {
"noCrudPermission": "Vous pouvez lire les publications, mais votre rôle ne peut pas créer/modifier/supprimer des publications.",
"crudSandboxTag": "Test fonctionnel MVP0"
},
"posts": {
"title": "Sandbox CRUD des publications",
"createTitle": "Créer une publication",
"fields": {
"title": "Titre",
"slug": "Slug",
"excerpt": "Extrait",
"body": "Contenu",
"status": "Statut"
},
"status": {
"draft": "Brouillon",
"published": "Publié"
},
"actions": {
"create": "Créer une publication",
"save": "Enregistrer les modifications",
"delete": "Supprimer"
},
"errors": {
"createFailed": "Échec de la création. Vérifiez vos données.",
"updateFailed": "Échec de la mise à jour. Vérifiez vos données.",
"updateMissingId": "Échec de la mise à jour. ID de publication manquant.",
"deleteFailed": "Échec de la suppression.",
"deleteMissingId": "Échec de la suppression. ID de publication manquant."
},
"success": {
"created": "Publication créée.",
"updated": "Publication mise à jour.",
"deleted": "Publication supprimée."
},
"fallback": {
"noExcerpt": "Aucun extrait"
}
}
}
}

53
apps/admin/src/providers/admin-i18n-provider.tsx Normal file
View File

@@ -0,0 +1,53 @@
"use client"
import type { AppLocale } from "@cms/i18n"
import { createContext, type ReactNode, useContext, useMemo } from "react"
import type { AdminMessages } from "@/i18n/messages"
import { translateMessage } from "@/i18n/messages"
type AdminI18nContextValue = {
locale: AppLocale
messages: AdminMessages
}
const AdminI18nContext = createContext<AdminI18nContextValue | null>(null)
export function AdminI18nProvider({
locale,
messages,
children,
}: {
locale: AppLocale
messages: AdminMessages
children: ReactNode
}) {
const value = useMemo(
() => ({
locale,
messages,
}),
[locale, messages],
)
return <AdminI18nContext.Provider value={value}>{children}</AdminI18nContext.Provider>
}
export function useAdminI18n(): AdminI18nContextValue {
const context = useContext(AdminI18nContext)
if (!context) {
throw new Error("useAdminI18n must be used inside AdminI18nProvider")
}
return context
}
export function useAdminT() {
const { messages } = useAdminI18n()
return useMemo(
() => (key: string, fallback?: string) => translateMessage(messages, key, fallback),
[messages],
)
}

21
apps/admin/src/middleware.ts → apps/admin/src/proxy.ts
View File

@@ -1,18 +1,27 @@
import { type NextRequest, NextResponse } from "next/server" import { type NextRequest, NextResponse } from "next/server"
import { canAccessRoute, getRequiredPermission, resolveRoleFromRequest } from "@/lib/access" import {
canAccessRoute,
getRequiredPermission,
isPublicRoute,
resolveRoleFromRequest,
} from "@/lib/access"
export function middleware(request: NextRequest) { export function proxy(request: NextRequest) {
const { pathname } = request.nextUrl const { pathname } = request.nextUrl
if (isPublicRoute(pathname)) {
return NextResponse.next()
}
const role = resolveRoleFromRequest(request) const role = resolveRoleFromRequest(request)
if (!role) { if (!role) {
const unauthorizedUrl = request.nextUrl.clone() const loginUrl = request.nextUrl.clone()
unauthorizedUrl.pathname = "/unauthorized" loginUrl.pathname = "/login"
unauthorizedUrl.searchParams.set("reason", "missing-role") loginUrl.searchParams.set("next", pathname)
return NextResponse.redirect(unauthorizedUrl) return NextResponse.redirect(loginUrl)
} }
if (!canAccessRoute(role, pathname)) { if (!canAccessRoute(role, pathname)) {

7
apps/web/next.config.ts
View File

@@ -1,7 +1,10 @@
import type { NextConfig } from "next" import type { NextConfig } from "next"
import createNextIntlPlugin from "next-intl/plugin"
const withNextIntl = createNextIntlPlugin("./src/i18n/request.ts")
const nextConfig: NextConfig = { const nextConfig: NextConfig = {
transpilePackages: ["@cms/ui", "@cms/content", "@cms/db"], transpilePackages: ["@cms/ui", "@cms/content", "@cms/db", "@cms/i18n"],
} }
export default nextConfig export default withNextIntl(nextConfig)

28
apps/web/package.json
View File

@@ -13,22 +13,24 @@
"dependencies": { "dependencies": {
"@cms/content": "workspace:*", "@cms/content": "workspace:*",
"@cms/db": "workspace:*", "@cms/db": "workspace:*",
"@cms/i18n": "workspace:*",
"@cms/ui": "workspace:*", "@cms/ui": "workspace:*",
"@tanstack/react-query": "latest", "@tanstack/react-query": "5.90.20",
"@tanstack/react-query-devtools": "latest", "@tanstack/react-query-devtools": "5.91.3",
"next": "latest", "next": "16.1.6",
"react": "latest", "next-intl": "4.4.0",
"react-dom": "latest", "react": "19.2.4",
"zustand": "latest" "react-dom": "19.2.4",
"zustand": "5.0.11"
}, },
"devDependencies": { "devDependencies": {
"@cms/config": "workspace:*", "@cms/config": "workspace:*",
"@biomejs/biome": "latest", "@biomejs/biome": "2.3.14",
"@tailwindcss/postcss": "latest", "@tailwindcss/postcss": "4.1.18",
"@types/node": "latest", "@types/node": "25.2.2",
"@types/react": "latest", "@types/react": "19.2.13",
"@types/react-dom": "latest", "@types/react-dom": "19.2.3",
"tailwindcss": "latest", "tailwindcss": "4.1.18",
"typescript": "latest" "typescript": "5.9.3"
} }
} }

27
apps/web/src/app/[locale]/layout.tsx Normal file
View File

@@ -0,0 +1,27 @@
import { notFound } from "next/navigation"
import { hasLocale, NextIntlClientProvider } from "next-intl"
import type { ReactNode } from "react"
import { routing } from "@/i18n/routing"
import { Providers } from "../providers"
type LocaleLayoutProps = {
children: ReactNode
params: Promise<{
locale: string
}>
}
export default async function LocaleLayout({ children, params }: LocaleLayoutProps) {
const { locale } = await params
if (!hasLocale(routing.locales, locale)) {
notFound()
}
return (
<NextIntlClientProvider locale={locale}>
<Providers>{children}</Providers>
</NextIntlClientProvider>
)
}

22
apps/web/src/app/page.tsx → apps/web/src/app/[locale]/page.tsx
View File

@@ -1,25 +1,29 @@
import { listPosts } from "@cms/db" import { listPosts } from "@cms/db"
import { Button } from "@cms/ui/button" import { Button } from "@cms/ui/button"
import { getTranslations } from "next-intl/server"
import { LanguageSwitcher } from "@/components/language-switcher"
export const dynamic = "force-dynamic" export const dynamic = "force-dynamic"
export default async function HomePage() { export default async function HomePage() {
const posts = await listPosts() const [posts, t] = await Promise.all([listPosts(), getTranslations("Home")])
return ( return (
<main className="mx-auto flex min-h-screen w-full max-w-3xl flex-col gap-6 px-6 py-16"> <main className="mx-auto flex min-h-screen w-full max-w-3xl flex-col gap-6 px-6 py-16">
<header className="space-y-3"> <header className="space-y-3">
<p className="text-sm uppercase tracking-[0.2em] text-neutral-500">Web App</p> <div className="flex flex-wrap items-center justify-between gap-3">
<h1 className="text-4xl font-semibold tracking-tight">Your Next.js CMS Frontend</h1> <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">{t("badge")}</p>
<p className="text-neutral-600"> <LanguageSwitcher />
This page reads posts through the shared database package. </div>
</p> <h1 className="text-4xl font-semibold tracking-tight">{t("title")}</h1>
<p className="text-neutral-600">{t("description")}</p>
</header> </header>
<section className="space-y-4 rounded-xl border border-neutral-200 p-6"> <section className="space-y-4 rounded-xl border border-neutral-200 p-6">
<div className="flex items-center justify-between"> <div className="flex items-center justify-between">
<h2 className="text-xl font-medium">Latest posts</h2> <h2 className="text-xl font-medium">{t("latestPosts")}</h2>
<Button variant="secondary">Explore</Button> <Button variant="secondary">{t("explore")}</Button>
</div> </div>
<ul className="space-y-3"> <ul className="space-y-3">
@@ -27,7 +31,7 @@ export default async function HomePage() {
<li key={post.id} className="rounded-lg border border-neutral-200 p-4"> <li key={post.id} className="rounded-lg border border-neutral-200 p-4">
<p className="text-xs uppercase tracking-wide text-neutral-500">{post.status}</p> <p className="text-xs uppercase tracking-wide text-neutral-500">{post.status}</p>
<h3 className="mt-1 text-lg font-medium">{post.title}</h3> <h3 className="mt-1 text-lg font-medium">{post.title}</h3>
<p className="mt-2 text-sm text-neutral-600">{post.excerpt ?? "No excerpt"}</p> <p className="mt-2 text-sm text-neutral-600">{post.excerpt ?? t("noExcerpt")}</p>
</li> </li>
))} ))}
</ul> </ul>

5
apps/web/src/app/layout.tsx
View File

@@ -2,7 +2,6 @@ import type { Metadata } from "next"
import type { ReactNode } from "react" import type { ReactNode } from "react"
import "./globals.css" import "./globals.css"
import { Providers } from "./providers"
export const metadata: Metadata = { export const metadata: Metadata = {
title: "CMS Web", title: "CMS Web",
@@ -12,9 +11,7 @@ export const metadata: Metadata = {
export default function RootLayout({ children }: { children: ReactNode }) { export default function RootLayout({ children }: { children: ReactNode }) {
return ( return (
<html lang="en"> <html lang="en">
<body> <body>{children}</body>
<Providers>{children}</Providers>
</body>
</html> </html>
) )
} }

50
apps/web/src/components/language-switcher.tsx Normal file
View File

@@ -0,0 +1,50 @@
"use client"
import { type AppLocale, localeLabels, locales } from "@cms/i18n"
import { useLocale, useTranslations } from "next-intl"
import { useEffect, useTransition } from "react"
import { usePathname, useRouter } from "@/i18n/navigation"
import { useLocaleStore } from "@/store/locale"
export function LanguageSwitcher() {
const t = useTranslations("LanguageSwitcher")
const currentLocale = useLocale() as AppLocale
const pathname = usePathname()
const router = useRouter()
const [isPending, startTransition] = useTransition()
const locale = useLocaleStore((state) => state.locale)
const setLocale = useLocaleStore((state) => state.setLocale)
useEffect(() => {
if (locale !== currentLocale) {
setLocale(currentLocale)
}
}, [currentLocale, locale, setLocale])
return (
<label className="inline-flex items-center gap-2 text-sm text-neutral-700">
<span>{t("label")}</span>
<select
className="rounded-md border border-neutral-300 bg-white px-2 py-1 text-sm"
value={locale}
disabled={isPending}
onChange={(event) => {
const nextLocale = event.target.value as AppLocale
setLocale(nextLocale)
startTransition(() => {
router.replace(pathname, { locale: nextLocale })
})
}}
>
{locales.map((value) => (
<option key={value} value={value}>
{t(`localeNames.${value}`)} ({localeLabels[value]})
</option>
))}
</select>
</label>
)
}

5
apps/web/src/i18n/navigation.ts Normal file
View File

@@ -0,0 +1,5 @@
import { createNavigation } from "next-intl/navigation"
import { routing } from "./routing"
export const { Link, redirect, usePathname, useRouter, getPathname } = createNavigation(routing)

14
apps/web/src/i18n/request.ts Normal file
View File

@@ -0,0 +1,14 @@
import { hasLocale } from "next-intl"
import { getRequestConfig } from "next-intl/server"
import { routing } from "./routing"
export default getRequestConfig(async ({ requestLocale }) => {
const requested = await requestLocale
const locale = hasLocale(routing.locales, requested) ? requested : routing.defaultLocale
return {
locale,
messages: (await import(`../messages/${locale}.json`)).default,
}
})

8
apps/web/src/i18n/routing.ts Normal file
View File

@@ -0,0 +1,8 @@
import { defaultLocale, locales } from "@cms/i18n"
import { defineRouting } from "next-intl/routing"
export const routing = defineRouting({
locales: [...locales],
defaultLocale,
localePrefix: "never",
})

19
apps/web/src/messages/de.json Normal file
View File

@@ -0,0 +1,19 @@
{
"Home": {
"badge": "Web-App",
"title": "Dein Next.js CMS Frontend",
"description": "Diese Seite liest Beiträge über das gemeinsame Datenbank-Paket.",
"latestPosts": "Neueste Beiträge",
"explore": "Entdecken",
"noExcerpt": "Kein Auszug"
},
"LanguageSwitcher": {
"label": "Sprache",
"localeNames": {
"de": "Deutsch",
"en": "Englisch",
"es": "Spanisch",
"fr": "Französisch"
}
}
}

19
apps/web/src/messages/en.json Normal file
View File

@@ -0,0 +1,19 @@
{
"Home": {
"badge": "Web App",
"title": "Your Next.js CMS Frontend",
"description": "This page reads posts through the shared database package.",
"latestPosts": "Latest posts",
"explore": "Explore",
"noExcerpt": "No excerpt"
},
"LanguageSwitcher": {
"label": "Language",
"localeNames": {
"de": "German",
"en": "English",
"es": "Spanish",
"fr": "French"
}
}
}

19
apps/web/src/messages/es.json Normal file
View File

@@ -0,0 +1,19 @@
{
"Home": {
"badge": "Aplicación Web",
"title": "Tu Frontend CMS con Next.js",
"description": "Esta página lee publicaciones a través del paquete compartido de base de datos.",
"latestPosts": "Últimas publicaciones",
"explore": "Explorar",
"noExcerpt": "Sin extracto"
},
"LanguageSwitcher": {
"label": "Idioma",
"localeNames": {
"de": "Alemán",
"en": "Inglés",
"es": "Español",
"fr": "Francés"
}
}
}

19
apps/web/src/messages/fr.json Normal file
View File

@@ -0,0 +1,19 @@
{
"Home": {
"badge": "Application Web",
"title": "Votre Frontend CMS Next.js",
"description": "Cette page lit les publications via le package base de données partagé.",
"latestPosts": "Dernières publications",
"explore": "Explorer",
"noExcerpt": "Aucun extrait"
},
"LanguageSwitcher": {
"label": "Langue",
"localeNames": {
"de": "Allemand",
"en": "Anglais",
"es": "Espagnol",
"fr": "Français"
}
}
}

14
apps/web/src/proxy.ts Normal file
View File

@@ -0,0 +1,14 @@
import type { NextRequest } from "next/server"
import createMiddleware from "next-intl/middleware"
import { routing } from "@/i18n/routing"
const handleI18nRouting = createMiddleware(routing)
export function proxy(request: NextRequest) {
return handleI18nRouting(request)
}
export const config = {
matcher: ["/((?!api|trpc|_next|_vercel|.*\\..*).*)"],
}

12
apps/web/src/store/locale.test.ts Normal file
View File

@@ -0,0 +1,12 @@
import { describe, expect, it } from "vitest"
import { useLocaleStore } from "./locale"
describe("web locale store", () => {
it("sets locale", () => {
useLocaleStore.setState({ locale: "en" })
useLocaleStore.getState().setLocale("de")
expect(useLocaleStore.getState().locale).toBe("de")
})
})

12
apps/web/src/store/locale.ts Normal file
View File

@@ -0,0 +1,12 @@
import { type AppLocale, defaultLocale } from "@cms/i18n"
import { create } from "zustand"
type LocaleStore = {
locale: AppLocale
setLocale: (value: AppLocale) => void
}
export const useLocaleStore = create<LocaleStore>((set) => ({
locale: defaultLocale,
setLocale: (value) => set({ locale: value }),
}))

1
biome.json
View File

@@ -10,6 +10,7 @@
"!**/coverage", "!**/coverage",
"!**/playwright-report", "!**/playwright-report",
"!**/test-results", "!**/test-results",
"!**/prisma/generated",
"!**/next-env.d.ts", "!**/next-env.d.ts",
"!**/.vitepress/cache", "!**/.vitepress/cache",
"!**/.vitepress/dist" "!**/.vitepress/dist"

212
bun.lock
View File

@@ -5,23 +5,23 @@
"": { "": {
"name": "cms-monorepo", "name": "cms-monorepo",
"devDependencies": { "devDependencies": {
"@biomejs/biome": "latest", "@biomejs/biome": "2.3.14",
"@commitlint/cli": "latest", "@commitlint/cli": "20.4.1",
"@commitlint/config-conventional": "latest", "@commitlint/config-conventional": "20.4.1",
"@playwright/test": "latest", "@playwright/test": "1.58.2",
"@testing-library/jest-dom": "latest", "@testing-library/jest-dom": "6.9.1",
"@testing-library/react": "latest", "@testing-library/react": "16.3.2",
"@testing-library/user-event": "latest", "@testing-library/user-event": "14.6.1",
"@vitejs/plugin-react": "latest", "@vitejs/plugin-react": "5.1.3",
"@vitest/coverage-istanbul": "latest", "@vitest/coverage-istanbul": "4.0.18",
"conventional-changelog-cli": "latest", "conventional-changelog-cli": "5.0.0",
"jsdom": "latest", "jsdom": "28.0.0",
"msw": "latest", "msw": "2.12.9",
"turbo": "latest", "turbo": "2.8.3",
"typescript": "latest", "typescript": "5.9.3",
"vite-tsconfig-paths": "latest", "vite-tsconfig-paths": "6.1.0",
"vitepress": "latest", "vitepress": "1.6.4",
"vitest": "latest", "vitest": "4.0.18",
}, },
}, },
"apps/admin": { "apps/admin": {
@@ -30,25 +30,27 @@
"dependencies": { "dependencies": {
"@cms/content": "workspace:*", "@cms/content": "workspace:*",
"@cms/db": "workspace:*", "@cms/db": "workspace:*",
"@cms/i18n": "workspace:*",
"@cms/ui": "workspace:*", "@cms/ui": "workspace:*",
"@tanstack/react-form": "latest", "@tanstack/react-form": "1.28.0",
"@tanstack/react-query": "latest", "@tanstack/react-query": "5.90.20",
"@tanstack/react-query-devtools": "latest", "@tanstack/react-query-devtools": "5.91.3",
"@tanstack/react-table": "latest", "@tanstack/react-table": "8.21.3",
"next": "latest", "better-auth": "1.4.18",
"react": "latest", "next": "16.1.6",
"react-dom": "latest", "react": "19.2.4",
"zustand": "latest", "react-dom": "19.2.4",
"zustand": "5.0.11",
}, },
"devDependencies": { "devDependencies": {
"@biomejs/biome": "latest", "@biomejs/biome": "2.3.14",
"@cms/config": "workspace:*", "@cms/config": "workspace:*",
"@tailwindcss/postcss": "latest", "@tailwindcss/postcss": "4.1.18",
"@types/node": "latest", "@types/node": "25.2.2",
"@types/react": "latest", "@types/react": "19.2.13",
"@types/react-dom": "latest", "@types/react-dom": "19.2.3",
"tailwindcss": "latest", "tailwindcss": "4.1.18",
"typescript": "latest", "typescript": "5.9.3",
}, },
}, },
"apps/web": { "apps/web": {
@@ -57,23 +59,25 @@
"dependencies": { "dependencies": {
"@cms/content": "workspace:*", "@cms/content": "workspace:*",
"@cms/db": "workspace:*", "@cms/db": "workspace:*",
"@cms/i18n": "workspace:*",
"@cms/ui": "workspace:*", "@cms/ui": "workspace:*",
"@tanstack/react-query": "latest", "@tanstack/react-query": "5.90.20",
"@tanstack/react-query-devtools": "latest", "@tanstack/react-query-devtools": "5.91.3",
"next": "latest", "next": "16.1.6",
"react": "latest", "next-intl": "4.4.0",
"react-dom": "latest", "react": "19.2.4",
"zustand": "latest", "react-dom": "19.2.4",
"zustand": "5.0.11",
}, },
"devDependencies": { "devDependencies": {
"@biomejs/biome": "latest", "@biomejs/biome": "2.3.14",
"@cms/config": "workspace:*", "@cms/config": "workspace:*",
"@tailwindcss/postcss": "latest", "@tailwindcss/postcss": "4.1.18",
"@types/node": "latest", "@types/node": "25.2.2",
"@types/react": "latest", "@types/react": "19.2.13",
"@types/react-dom": "latest", "@types/react-dom": "19.2.3",
"tailwindcss": "latest", "tailwindcss": "4.1.18",
"typescript": "latest", "typescript": "5.9.3",
}, },
}, },
"packages/config": { "packages/config": {
@@ -84,12 +88,24 @@
"name": "@cms/content", "name": "@cms/content",
"version": "0.0.1", "version": "0.0.1",
"dependencies": { "dependencies": {
"zod": "latest", "zod": "4.3.6",
}, },
"devDependencies": { "devDependencies": {
"@biomejs/biome": "latest", "@biomejs/biome": "2.3.14",
"@cms/config": "workspace:*", "@cms/config": "workspace:*",
"typescript": "latest", "typescript": "5.9.3",
},
},
"packages/crud": {
"name": "@cms/crud",
"version": "0.0.1",
"dependencies": {
"zod": "4.3.6",
},
"devDependencies": {
"@biomejs/biome": "2.3.14",
"@cms/config": "workspace:*",
"typescript": "5.9.3",
}, },
}, },
"packages/db": { "packages/db": {
@@ -97,38 +113,48 @@
"version": "0.0.1", "version": "0.0.1",
"dependencies": { "dependencies": {
"@cms/content": "workspace:*", "@cms/content": "workspace:*",
"@prisma/adapter-pg": "latest", "@cms/crud": "workspace:*",
"@prisma/client": "latest", "@prisma/adapter-pg": "7.3.0",
"pg": "latest", "@prisma/client": "7.3.0",
"zod": "latest", "pg": "8.18.0",
"zod": "4.3.6",
}, },
"devDependencies": { "devDependencies": {
"@biomejs/biome": "latest", "@biomejs/biome": "2.3.14",
"@cms/config": "workspace:*", "@cms/config": "workspace:*",
"@types/node": "latest", "@types/node": "25.2.2",
"@types/pg": "latest", "@types/pg": "8.16.0",
"prisma": "latest", "prisma": "7.3.0",
"typescript": "latest", "typescript": "5.9.3",
},
},
"packages/i18n": {
"name": "@cms/i18n",
"version": "0.0.1",
"devDependencies": {
"@biomejs/biome": "2.3.14",
"@cms/config": "workspace:*",
"typescript": "5.9.3",
}, },
}, },
"packages/ui": { "packages/ui": {
"name": "@cms/ui", "name": "@cms/ui",
"version": "0.0.1", "version": "0.0.1",
"dependencies": { "dependencies": {
"class-variance-authority": "latest", "class-variance-authority": "0.7.1",
"clsx": "latest", "clsx": "2.1.1",
"tailwind-merge": "latest", "tailwind-merge": "3.4.0",
}, },
"devDependencies": { "devDependencies": {
"@biomejs/biome": "latest", "@biomejs/biome": "2.3.14",
"@cms/config": "workspace:*", "@cms/config": "workspace:*",
"@types/react": "latest", "@types/react": "19.2.13",
"@types/react-dom": "latest", "@types/react-dom": "19.2.3",
"typescript": "latest", "typescript": "5.9.3",
}, },
"peerDependencies": { "peerDependencies": {
"react": "latest", "react": "19.2.4",
"react-dom": "latest", "react-dom": "19.2.4",
}, },
}, },
}, },
@@ -221,6 +247,14 @@
"@babel/types": ["@babel/types@7.29.0", "", { "dependencies": { "@babel/helper-string-parser": "^7.27.1", "@babel/helper-validator-identifier": "^7.28.5" } }, "sha512-LwdZHpScM4Qz8Xw2iKSzS+cfglZzJGvofQICy7W7v4caru4EaAmyUuO6BGrbyQ2mYV11W0U8j5mBhd14dd3B0A=="], "@babel/types": ["@babel/types@7.29.0", "", { "dependencies": { "@babel/helper-string-parser": "^7.27.1", "@babel/helper-validator-identifier": "^7.28.5" } }, "sha512-LwdZHpScM4Qz8Xw2iKSzS+cfglZzJGvofQICy7W7v4caru4EaAmyUuO6BGrbyQ2mYV11W0U8j5mBhd14dd3B0A=="],
"@better-auth/core": ["@better-auth/core@1.4.18", "", { "dependencies": { "@standard-schema/spec": "^1.0.0", "zod": "^4.3.5" }, "peerDependencies": { "@better-auth/utils": "0.3.0", "@better-fetch/fetch": "1.1.21", "better-call": "1.1.8", "jose": "^6.1.0", "kysely": "^0.28.5", "nanostores": "^1.0.1" } }, "sha512-q+awYgC7nkLEBdx2sW0iJjkzgSHlIxGnOpsN1r/O1+a4m7osJNHtfK2mKJSL1I+GfNyIlxJF8WvD/NLuYMpmcg=="],
"@better-auth/telemetry": ["@better-auth/telemetry@1.4.18", "", { "dependencies": { "@better-auth/utils": "0.3.0", "@better-fetch/fetch": "1.1.21" }, "peerDependencies": { "@better-auth/core": "1.4.18" } }, "sha512-e5rDF8S4j3Um/0LIVATL2in9dL4lfO2fr2v1Wio4qTMRbfxqnUDTa+6SZtwdeJrbc4O+a3c+IyIpjG9Q/6GpfQ=="],
"@better-auth/utils": ["@better-auth/utils@0.3.0", "", {}, "sha512-W+Adw6ZA6mgvnSnhOki270rwJ42t4XzSK6YWGF//BbVXL6SwCLWfyzBc1lN2m/4RM28KubdBKQ4X5VMoLRNPQw=="],
"@better-fetch/fetch": ["@better-fetch/fetch@1.1.21", "", {}, "sha512-/ImESw0sskqlVR94jB+5+Pxjf+xBwDZF/N5+y2/q4EqD7IARUTSpPfIo8uf39SYpCxyOCtbyYpUrZ3F/k0zT4A=="],
"@biomejs/biome": ["@biomejs/biome@2.3.14", "", { "optionalDependencies": { "@biomejs/cli-darwin-arm64": "2.3.14", "@biomejs/cli-darwin-x64": "2.3.14", "@biomejs/cli-linux-arm64": "2.3.14", "@biomejs/cli-linux-arm64-musl": "2.3.14", "@biomejs/cli-linux-x64": "2.3.14", "@biomejs/cli-linux-x64-musl": "2.3.14", "@biomejs/cli-win32-arm64": "2.3.14", "@biomejs/cli-win32-x64": "2.3.14" }, "bin": { "biome": "bin/biome" } }, "sha512-QMT6QviX0WqXJCaiqVMiBUCr5WRQ1iFSjvOLoTk6auKukJMvnMzWucXpwZB0e8F00/1/BsS9DzcKgWH+CLqVuA=="], "@biomejs/biome": ["@biomejs/biome@2.3.14", "", { "optionalDependencies": { "@biomejs/cli-darwin-arm64": "2.3.14", "@biomejs/cli-darwin-x64": "2.3.14", "@biomejs/cli-linux-arm64": "2.3.14", "@biomejs/cli-linux-arm64-musl": "2.3.14", "@biomejs/cli-linux-x64": "2.3.14", "@biomejs/cli-linux-x64-musl": "2.3.14", "@biomejs/cli-win32-arm64": "2.3.14", "@biomejs/cli-win32-x64": "2.3.14" }, "bin": { "biome": "bin/biome" } }, "sha512-QMT6QviX0WqXJCaiqVMiBUCr5WRQ1iFSjvOLoTk6auKukJMvnMzWucXpwZB0e8F00/1/BsS9DzcKgWH+CLqVuA=="],
"@biomejs/cli-darwin-arm64": ["@biomejs/cli-darwin-arm64@2.3.14", "", { "os": "darwin", "cpu": "arm64" }, "sha512-UJGPpvWJMkLxSRtpCAKfKh41Q4JJXisvxZL8ChN1eNW3m/WlPFJ6EFDCE7YfUb4XS8ZFi3C1dFpxUJ0Ety5n+A=="], "@biomejs/cli-darwin-arm64": ["@biomejs/cli-darwin-arm64@2.3.14", "", { "os": "darwin", "cpu": "arm64" }, "sha512-UJGPpvWJMkLxSRtpCAKfKh41Q4JJXisvxZL8ChN1eNW3m/WlPFJ6EFDCE7YfUb4XS8ZFi3C1dFpxUJ0Ety5n+A=="],
@@ -253,8 +287,12 @@
"@cms/content": ["@cms/content@workspace:packages/content"], "@cms/content": ["@cms/content@workspace:packages/content"],
"@cms/crud": ["@cms/crud@workspace:packages/crud"],
"@cms/db": ["@cms/db@workspace:packages/db"], "@cms/db": ["@cms/db@workspace:packages/db"],
"@cms/i18n": ["@cms/i18n@workspace:packages/i18n"],
"@cms/ui": ["@cms/ui@workspace:packages/ui"], "@cms/ui": ["@cms/ui@workspace:packages/ui"],
"@cms/web": ["@cms/web@workspace:apps/web"], "@cms/web": ["@cms/web@workspace:apps/web"],
@@ -375,6 +413,16 @@
"@exodus/bytes": ["@exodus/bytes@1.12.0", "", { "peerDependencies": { "@noble/hashes": "^1.8.0 || ^2.0.0" }, "optionalPeers": ["@noble/hashes"] }, "sha512-BuCOHA/EJdPN0qQ5MdgAiJSt9fYDHbghlgrj33gRdy/Yp1/FMCDhU6vJfcKrLC0TPWGSrfH3vYXBQWmFHxlddw=="], "@exodus/bytes": ["@exodus/bytes@1.12.0", "", { "peerDependencies": { "@noble/hashes": "^1.8.0 || ^2.0.0" }, "optionalPeers": ["@noble/hashes"] }, "sha512-BuCOHA/EJdPN0qQ5MdgAiJSt9fYDHbghlgrj33gRdy/Yp1/FMCDhU6vJfcKrLC0TPWGSrfH3vYXBQWmFHxlddw=="],
"@formatjs/ecma402-abstract": ["@formatjs/ecma402-abstract@3.1.1", "", { "dependencies": { "@formatjs/fast-memoize": "3.1.0", "@formatjs/intl-localematcher": "0.8.1", "decimal.js": "^10.6.0", "tslib": "^2.8.1" } }, "sha512-jhZbTwda+2tcNrs4kKvxrPLPjx8QsBCLCUgrrJ/S+G9YrGHWLhAyFMMBHJBnBoOwuLHd7L14FgYudviKaxkO2Q=="],
"@formatjs/fast-memoize": ["@formatjs/fast-memoize@3.1.0", "", { "dependencies": { "tslib": "^2.8.1" } }, "sha512-b5mvSWCI+XVKiz5WhnBCY3RJ4ZwfjAidU0yVlKa3d3MSgKmH1hC3tBGEAtYyN5mqL7N0G5x0BOUYyO8CEupWgg=="],
"@formatjs/icu-messageformat-parser": ["@formatjs/icu-messageformat-parser@3.5.1", "", { "dependencies": { "@formatjs/ecma402-abstract": "3.1.1", "@formatjs/icu-skeleton-parser": "2.1.1", "tslib": "^2.8.1" } }, "sha512-sSDmSvmmoVQ92XqWb499KrIhv/vLisJU8ITFrx7T7NZHUmMY7EL9xgRowAosaljhqnj/5iufG24QrdzB6X3ItA=="],
"@formatjs/icu-skeleton-parser": ["@formatjs/icu-skeleton-parser@2.1.1", "", { "dependencies": { "@formatjs/ecma402-abstract": "3.1.1", "tslib": "^2.8.1" } }, "sha512-PSFABlcNefjI6yyk8f7nyX1DC7NHmq6WaCHZLySEXBrXuLOB2f935YsnzuPjlz+ibhb9yWTdPeVX1OVcj24w2Q=="],
"@formatjs/intl-localematcher": ["@formatjs/intl-localematcher@0.5.10", "", { "dependencies": { "tslib": "2" } }, "sha512-af3qATX+m4Rnd9+wHcjJ4w2ijq+rAVP3CCinJQvFv1kgSu1W6jypUmvleJxcewdxmutM8dmIRZFxO/IQBZmP2Q=="],
"@hono/node-server": ["@hono/node-server@1.19.9", "", { "peerDependencies": { "hono": "^4" } }, "sha512-vHL6w3ecZsky+8P5MD+eFfaGTyCeOHUIFYMGpQGbrBTSmNNoxv0if69rEZ5giu36weC5saFuznL411gRX7bJDw=="], "@hono/node-server": ["@hono/node-server@1.19.9", "", { "peerDependencies": { "hono": "^4" } }, "sha512-vHL6w3ecZsky+8P5MD+eFfaGTyCeOHUIFYMGpQGbrBTSmNNoxv0if69rEZ5giu36weC5saFuznL411gRX7bJDw=="],
"@hutson/parse-repository-url": ["@hutson/parse-repository-url@5.0.0", "", {}, "sha512-e5+YUKENATs1JgYHMzTr2MW/NDcXGfYFAuOQU8gJgF/kEh4EqKgfGrfLI67bMD4tbhZVlkigz/9YYwWcbOFthg=="], "@hutson/parse-repository-url": ["@hutson/parse-repository-url@5.0.0", "", {}, "sha512-e5+YUKENATs1JgYHMzTr2MW/NDcXGfYFAuOQU8gJgF/kEh4EqKgfGrfLI67bMD4tbhZVlkigz/9YYwWcbOFthg=="],
@@ -477,6 +525,10 @@
"@next/swc-win32-x64-msvc": ["@next/swc-win32-x64-msvc@16.1.6", "", { "os": "win32", "cpu": "x64" }, "sha512-NRfO39AIrzBnixKbjuo2YiYhB6o9d8v/ymU9m/Xk8cyVk+k7XylniXkHwjs4s70wedVffc6bQNbufk5v0xEm0A=="], "@next/swc-win32-x64-msvc": ["@next/swc-win32-x64-msvc@16.1.6", "", { "os": "win32", "cpu": "x64" }, "sha512-NRfO39AIrzBnixKbjuo2YiYhB6o9d8v/ymU9m/Xk8cyVk+k7XylniXkHwjs4s70wedVffc6bQNbufk5v0xEm0A=="],
"@noble/ciphers": ["@noble/ciphers@2.1.1", "", {}, "sha512-bysYuiVfhxNJuldNXlFEitTVdNnYUc+XNJZd7Qm2a5j1vZHgY+fazadNFWFaMK/2vye0JVlxV3gHmC0WDfAOQw=="],
"@noble/hashes": ["@noble/hashes@2.0.1", "", {}, "sha512-XlOlEbQcE9fmuXxrVTXCTlG2nlRXa9Rj3rr5Ue/+tX+nmkgbX720YHh0VR3hBF9xDvwnb8D2shVGOwNx+ulArw=="],
"@open-draft/deferred-promise": ["@open-draft/deferred-promise@2.2.0", "", {}, "sha512-CecwLWx3rhxVQF6V4bAgPS5t+So2sTbPgAzafKkVizyi7tlwpcFpdFqq+wqF2OwNBmqFuu6tOyouTuxgpMfzmA=="], "@open-draft/deferred-promise": ["@open-draft/deferred-promise@2.2.0", "", {}, "sha512-CecwLWx3rhxVQF6V4bAgPS5t+So2sTbPgAzafKkVizyi7tlwpcFpdFqq+wqF2OwNBmqFuu6tOyouTuxgpMfzmA=="],
"@open-draft/logger": ["@open-draft/logger@0.3.0", "", { "dependencies": { "is-node-process": "^1.2.0", "outvariant": "^1.4.0" } }, "sha512-X2g45fzhxH238HKO4xbSr7+wBS8Fvw6ixhTDuvLd5mqh6bJJCFAPwU9mPDxbcrRtfxv4u5IHCEH77BmxvXmmxQ=="], "@open-draft/logger": ["@open-draft/logger@0.3.0", "", { "dependencies": { "is-node-process": "^1.2.0", "outvariant": "^1.4.0" } }, "sha512-X2g45fzhxH238HKO4xbSr7+wBS8Fvw6ixhTDuvLd5mqh6bJJCFAPwU9mPDxbcrRtfxv4u5IHCEH77BmxvXmmxQ=="],
@@ -563,6 +615,8 @@
"@rollup/rollup-win32-x64-msvc": ["@rollup/rollup-win32-x64-msvc@4.57.1", "", { "os": "win32", "cpu": "x64" }, "sha512-mxRFDdHIWRxg3UfIIAwCm6NzvxG0jDX/wBN6KsQFTvKFqqg9vTrWUE68qEjHt19A5wwx5X5aUi2zuZT7YR0jrA=="], "@rollup/rollup-win32-x64-msvc": ["@rollup/rollup-win32-x64-msvc@4.57.1", "", { "os": "win32", "cpu": "x64" }, "sha512-mxRFDdHIWRxg3UfIIAwCm6NzvxG0jDX/wBN6KsQFTvKFqqg9vTrWUE68qEjHt19A5wwx5X5aUi2zuZT7YR0jrA=="],
"@schummar/icu-type-parser": ["@schummar/icu-type-parser@1.21.5", "", {}, "sha512-bXHSaW5jRTmke9Vd0h5P7BtWZG9Znqb8gSDxZnxaGSJnGwPLDPfS+3g0BKzeWqzgZPsIVZkM7m2tbo18cm5HBw=="],
"@shikijs/core": ["@shikijs/core@2.5.0", "", { "dependencies": { "@shikijs/engine-javascript": "2.5.0", "@shikijs/engine-oniguruma": "2.5.0", "@shikijs/types": "2.5.0", "@shikijs/vscode-textmate": "^10.0.2", "@types/hast": "^3.0.4", "hast-util-to-html": "^9.0.4" } }, "sha512-uu/8RExTKtavlpH7XqnVYBrfBkUc20ngXiX9NSrBhOVZYv/7XQRKUyhtkeflY5QsxC0GbJThCerruZfsUaSldg=="], "@shikijs/core": ["@shikijs/core@2.5.0", "", { "dependencies": { "@shikijs/engine-javascript": "2.5.0", "@shikijs/engine-oniguruma": "2.5.0", "@shikijs/types": "2.5.0", "@shikijs/vscode-textmate": "^10.0.2", "@types/hast": "^3.0.4", "hast-util-to-html": "^9.0.4" } }, "sha512-uu/8RExTKtavlpH7XqnVYBrfBkUc20ngXiX9NSrBhOVZYv/7XQRKUyhtkeflY5QsxC0GbJThCerruZfsUaSldg=="],
"@shikijs/engine-javascript": ["@shikijs/engine-javascript@2.5.0", "", { "dependencies": { "@shikijs/types": "2.5.0", "@shikijs/vscode-textmate": "^10.0.2", "oniguruma-to-es": "^3.1.0" } }, "sha512-VjnOpnQf8WuCEZtNUdjjwGUbtAVKuZkVQ/5cHy/tojVVRIRtlWMYVjyWhxOmIq05AlSOv72z7hRNRGVBgQOl0w=="], "@shikijs/engine-javascript": ["@shikijs/engine-javascript@2.5.0", "", { "dependencies": { "@shikijs/types": "2.5.0", "@shikijs/vscode-textmate": "^10.0.2", "oniguruma-to-es": "^3.1.0" } }, "sha512-VjnOpnQf8WuCEZtNUdjjwGUbtAVKuZkVQ/5cHy/tojVVRIRtlWMYVjyWhxOmIq05AlSOv72z7hRNRGVBgQOl0w=="],
@@ -767,6 +821,10 @@
"baseline-browser-mapping": ["baseline-browser-mapping@2.9.19", "", { "bin": { "baseline-browser-mapping": "dist/cli.js" } }, "sha512-ipDqC8FrAl/76p2SSWKSI+H9tFwm7vYqXQrItCuiVPt26Km0jS+NzSsBWAaBusvSbQcfJG+JitdMm+wZAgTYqg=="], "baseline-browser-mapping": ["baseline-browser-mapping@2.9.19", "", { "bin": { "baseline-browser-mapping": "dist/cli.js" } }, "sha512-ipDqC8FrAl/76p2SSWKSI+H9tFwm7vYqXQrItCuiVPt26Km0jS+NzSsBWAaBusvSbQcfJG+JitdMm+wZAgTYqg=="],
"better-auth": ["better-auth@1.4.18", "", { "dependencies": { "@better-auth/core": "1.4.18", "@better-auth/telemetry": "1.4.18", "@better-auth/utils": "0.3.0", "@better-fetch/fetch": "1.1.21", "@noble/ciphers": "^2.0.0", "@noble/hashes": "^2.0.0", "better-call": "1.1.8", "defu": "^6.1.4", "jose": "^6.1.0", "kysely": "^0.28.5", "nanostores": "^1.0.1", "zod": "^4.3.5" }, "peerDependencies": { "@lynx-js/react": "*", "@prisma/client": "^5.0.0 || ^6.0.0 || ^7.0.0", "@sveltejs/kit": "^2.0.0", "@tanstack/react-start": "^1.0.0", "@tanstack/solid-start": "^1.0.0", "better-sqlite3": "^12.0.0", "drizzle-kit": ">=0.31.4", "drizzle-orm": ">=0.41.0", "mongodb": "^6.0.0 || ^7.0.0", "mysql2": "^3.0.0", "next": "^14.0.0 || ^15.0.0 || ^16.0.0", "pg": "^8.0.0", "prisma": "^5.0.0 || ^6.0.0 || ^7.0.0", "react": "^18.0.0 || ^19.0.0", "react-dom": "^18.0.0 || ^19.0.0", "solid-js": "^1.0.0", "svelte": "^4.0.0 || ^5.0.0", "vitest": "^2.0.0 || ^3.0.0 || ^4.0.0", "vue": "^3.0.0" }, "optionalPeers": ["@lynx-js/react", "@prisma/client", "@sveltejs/kit", "@tanstack/react-start", "@tanstack/solid-start", "better-sqlite3", "drizzle-kit", "drizzle-orm", "mongodb", "mysql2", "next", "pg", "prisma", "react", "react-dom", "solid-js", "svelte", "vitest", "vue"] }, "sha512-bnyifLWBPcYVltH3RhS7CM62MoelEqC6Q+GnZwfiDWNfepXoQZBjEvn4urcERC7NTKgKq5zNBM8rvPvRBa6xcg=="],
"better-call": ["better-call@1.1.8", "", { "dependencies": { "@better-auth/utils": "^0.3.0", "@better-fetch/fetch": "^1.1.4", "rou3": "^0.7.10", "set-cookie-parser": "^2.7.1" }, "peerDependencies": { "zod": "^4.0.0" }, "optionalPeers": ["zod"] }, "sha512-XMQ2rs6FNXasGNfMjzbyroSwKwYbZ/T3IxruSS6U2MJRsSYh3wYtG3o6H00ZlKZ/C/UPOAD97tqgQJNsxyeTXw=="],
"bidi-js": ["bidi-js@1.0.3", "", { "dependencies": { "require-from-string": "^2.0.2" } }, "sha512-RKshQI1R3YQ+n9YJz2QQ147P66ELpa1FQEg20Dk8oW9t2KgLbpDLLp9aGZ7y8WHSshDknG0bknqGw5/tyCs5tw=="], "bidi-js": ["bidi-js@1.0.3", "", { "dependencies": { "require-from-string": "^2.0.2" } }, "sha512-RKshQI1R3YQ+n9YJz2QQ147P66ELpa1FQEg20Dk8oW9t2KgLbpDLLp9aGZ7y8WHSshDknG0bknqGw5/tyCs5tw=="],
"birpc": ["birpc@2.9.0", "", {}, "sha512-KrayHS5pBi69Xi9JmvoqrIgYGDkD6mcSe/i6YKi3w5kekCLzrX4+nawcXqrj2tIp50Kw/mT/s3p+GVK0A0sKxw=="], "birpc": ["birpc@2.9.0", "", {}, "sha512-KrayHS5pBi69Xi9JmvoqrIgYGDkD6mcSe/i6YKi3w5kekCLzrX4+nawcXqrj2tIp50Kw/mT/s3p+GVK0A0sKxw=="],
@@ -997,6 +1055,8 @@
"iconv-lite": ["iconv-lite@0.7.2", "", { "dependencies": { "safer-buffer": ">= 2.1.2 < 3.0.0" } }, "sha512-im9DjEDQ55s9fL4EYzOAv0yMqmMBSZp6G0VvFyTMPKWxiSBHUj9NW/qqLmXUwXrrM7AvqSlTCfvqRb0cM8yYqw=="], "iconv-lite": ["iconv-lite@0.7.2", "", { "dependencies": { "safer-buffer": ">= 2.1.2 < 3.0.0" } }, "sha512-im9DjEDQ55s9fL4EYzOAv0yMqmMBSZp6G0VvFyTMPKWxiSBHUj9NW/qqLmXUwXrrM7AvqSlTCfvqRb0cM8yYqw=="],
"icu-minify": ["icu-minify@4.8.2", "", { "dependencies": { "@formatjs/icu-messageformat-parser": "^3.4.0" } }, "sha512-LHBQV+skKkjZSPd590pZ7ZAHftUgda3eFjeuNwA8/15L8T8loCNBktKQyTlkodAU86KovFXeg/9WntlAo5wA5A=="],
"import-fresh": ["import-fresh@3.3.1", "", { "dependencies": { "parent-module": "^1.0.0", "resolve-from": "^4.0.0" } }, "sha512-TR3KfrTZTYLPB6jUjfx6MF9WcWrHL9su5TObK4ZkYgBdWKPOFoSoQIdEuTuR82pmtxH2spWG9h6etwfr1pLBqQ=="], "import-fresh": ["import-fresh@3.3.1", "", { "dependencies": { "parent-module": "^1.0.0", "resolve-from": "^4.0.0" } }, "sha512-TR3KfrTZTYLPB6jUjfx6MF9WcWrHL9su5TObK4ZkYgBdWKPOFoSoQIdEuTuR82pmtxH2spWG9h6etwfr1pLBqQ=="],
"import-meta-resolve": ["import-meta-resolve@4.2.0", "", {}, "sha512-Iqv2fzaTQN28s/FwZAoFq0ZSs/7hMAHJVX+w8PZl3cY19Pxk6jFFalxQoIfW2826i/fDLXv8IiEZRIT0lDuWcg=="], "import-meta-resolve": ["import-meta-resolve@4.2.0", "", {}, "sha512-Iqv2fzaTQN28s/FwZAoFq0ZSs/7hMAHJVX+w8PZl3cY19Pxk6jFFalxQoIfW2826i/fDLXv8IiEZRIT0lDuWcg=="],
@@ -1007,6 +1067,8 @@
"ini": ["ini@4.1.1", "", {}, "sha512-QQnnxNyfvmHFIsj7gkPcYymR8Jdw/o7mp5ZFihxn6h8Ci6fh3Dx4E1gPjpQEpIuPo9XVNY/ZUwh4BPMjGyL01g=="], "ini": ["ini@4.1.1", "", {}, "sha512-QQnnxNyfvmHFIsj7gkPcYymR8Jdw/o7mp5ZFihxn6h8Ci6fh3Dx4E1gPjpQEpIuPo9XVNY/ZUwh4BPMjGyL01g=="],
"intl-messageformat": ["intl-messageformat@11.1.2", "", { "dependencies": { "@formatjs/ecma402-abstract": "3.1.1", "@formatjs/fast-memoize": "3.1.0", "@formatjs/icu-messageformat-parser": "3.5.1", "tslib": "^2.8.1" } }, "sha512-ucSrQmZGAxfiBHfBRXW/k7UC8MaGFlEj4Ry1tKiDcmgwQm1y3EDl40u+4VNHYomxJQMJi9NEI3riDRlth96jKg=="],
"is-arrayish": ["is-arrayish@0.2.1", "", {}, "sha512-zz06S8t0ozoDXMG+ube26zeCTNXcKIPJZJi8hBrF4idCLms4CG9QtK7qBl1boi5ODzFpjswb5JPmHCbMpjaYzg=="], "is-arrayish": ["is-arrayish@0.2.1", "", {}, "sha512-zz06S8t0ozoDXMG+ube26zeCTNXcKIPJZJi8hBrF4idCLms4CG9QtK7qBl1boi5ODzFpjswb5JPmHCbMpjaYzg=="],
"is-fullwidth-code-point": ["is-fullwidth-code-point@3.0.0", "", {}, "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg=="], "is-fullwidth-code-point": ["is-fullwidth-code-point@3.0.0", "", {}, "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg=="],
@@ -1035,6 +1097,8 @@
"jiti": ["jiti@2.6.1", "", { "bin": { "jiti": "lib/jiti-cli.mjs" } }, "sha512-ekilCSN1jwRvIbgeg/57YFh8qQDNbwDb9xT/qu2DAHbFFZUicIl4ygVaAvzveMhMVr3LnpSKTNnwt8PoOfmKhQ=="], "jiti": ["jiti@2.6.1", "", { "bin": { "jiti": "lib/jiti-cli.mjs" } }, "sha512-ekilCSN1jwRvIbgeg/57YFh8qQDNbwDb9xT/qu2DAHbFFZUicIl4ygVaAvzveMhMVr3LnpSKTNnwt8PoOfmKhQ=="],
"jose": ["jose@6.1.3", "", {}, "sha512-0TpaTfihd4QMNwrz/ob2Bp7X04yuxJkjRGi4aKmOqwhov54i6u79oCv7T+C7lo70MKH6BesI3vscD1yb/yzKXQ=="],
"js-tokens": ["js-tokens@4.0.0", "", {}, "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ=="], "js-tokens": ["js-tokens@4.0.0", "", {}, "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ=="],
"js-yaml": ["js-yaml@4.1.1", "", { "dependencies": { "argparse": "^2.0.1" }, "bin": { "js-yaml": "bin/js-yaml.js" } }, "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA=="], "js-yaml": ["js-yaml@4.1.1", "", { "dependencies": { "argparse": "^2.0.1" }, "bin": { "js-yaml": "bin/js-yaml.js" } }, "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA=="],
@@ -1049,6 +1113,8 @@
"json5": ["json5@2.2.3", "", { "bin": { "json5": "lib/cli.js" } }, "sha512-XmOWe7eyHYH14cLdVPoyg+GOH3rYX++KpzrylJwSW98t3Nk+U8XOl8FWKOgwtzdb8lXGf6zYwDUzeHMWfxasyg=="], "json5": ["json5@2.2.3", "", { "bin": { "json5": "lib/cli.js" } }, "sha512-XmOWe7eyHYH14cLdVPoyg+GOH3rYX++KpzrylJwSW98t3Nk+U8XOl8FWKOgwtzdb8lXGf6zYwDUzeHMWfxasyg=="],
"kysely": ["kysely@0.28.11", "", {}, "sha512-zpGIFg0HuoC893rIjYX1BETkVWdDnzTzF5e0kWXJFg5lE0k1/LfNWBejrcnOFu8Q2Rfq/hTDTU7XLUM8QOrpzg=="],
"lightningcss": ["lightningcss@1.30.2", "", { "dependencies": { "detect-libc": "^2.0.3" }, "optionalDependencies": { "lightningcss-android-arm64": "1.30.2", "lightningcss-darwin-arm64": "1.30.2", "lightningcss-darwin-x64": "1.30.2", "lightningcss-freebsd-x64": "1.30.2", "lightningcss-linux-arm-gnueabihf": "1.30.2", "lightningcss-linux-arm64-gnu": "1.30.2", "lightningcss-linux-arm64-musl": "1.30.2", "lightningcss-linux-x64-gnu": "1.30.2", "lightningcss-linux-x64-musl": "1.30.2", "lightningcss-win32-arm64-msvc": "1.30.2", "lightningcss-win32-x64-msvc": "1.30.2" } }, "sha512-utfs7Pr5uJyyvDETitgsaqSyjCb2qNRAtuqUeWIAKztsOYdcACf2KtARYXg2pSvhkt+9NfoaNY7fxjl6nuMjIQ=="], "lightningcss": ["lightningcss@1.30.2", "", { "dependencies": { "detect-libc": "^2.0.3" }, "optionalDependencies": { "lightningcss-android-arm64": "1.30.2", "lightningcss-darwin-arm64": "1.30.2", "lightningcss-darwin-x64": "1.30.2", "lightningcss-freebsd-x64": "1.30.2", "lightningcss-linux-arm-gnueabihf": "1.30.2", "lightningcss-linux-arm64-gnu": "1.30.2", "lightningcss-linux-arm64-musl": "1.30.2", "lightningcss-linux-x64-gnu": "1.30.2", "lightningcss-linux-x64-musl": "1.30.2", "lightningcss-win32-arm64-msvc": "1.30.2", "lightningcss-win32-x64-msvc": "1.30.2" } }, "sha512-utfs7Pr5uJyyvDETitgsaqSyjCb2qNRAtuqUeWIAKztsOYdcACf2KtARYXg2pSvhkt+9NfoaNY7fxjl6nuMjIQ=="],
"lightningcss-android-arm64": ["lightningcss-android-arm64@1.30.2", "", { "os": "android", "cpu": "arm64" }, "sha512-BH9sEdOCahSgmkVhBLeU7Hc9DWeZ1Eb6wNS6Da8igvUwAe0sqROHddIlvU06q3WyXVEOYDZ6ykBZQnjTbmo4+A=="], "lightningcss-android-arm64": ["lightningcss-android-arm64@1.30.2", "", { "os": "android", "cpu": "arm64" }, "sha512-BH9sEdOCahSgmkVhBLeU7Hc9DWeZ1Eb6wNS6Da8igvUwAe0sqROHddIlvU06q3WyXVEOYDZ6ykBZQnjTbmo4+A=="],
@@ -1143,10 +1209,16 @@
"nanoid": ["nanoid@3.3.11", "", { "bin": { "nanoid": "bin/nanoid.cjs" } }, "sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w=="], "nanoid": ["nanoid@3.3.11", "", { "bin": { "nanoid": "bin/nanoid.cjs" } }, "sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w=="],
"nanostores": ["nanostores@1.1.0", "", {}, "sha512-yJBmDJr18xy47dbNVlHcgdPrulSn1nhSE6Ns9vTG+Nx9VPT6iV1MD6aQFp/t52zpf82FhLLTXAXr30NuCnxvwA=="],
"negotiator": ["negotiator@1.0.0", "", {}, "sha512-8Ofs/AUQh8MaEcrlq5xOX0CQ9ypTF5dl78mjlMNfOK08fzpgTHQRQPBxcPlEtIw0yRpws+Zo/3r+5WRby7u3Gg=="],
"neo-async": ["neo-async@2.6.2", "", {}, "sha512-Yd3UES5mWCSqR+qNT93S3UoYUkqAZ9lLg8a7g9rimsWmYGK8cVToA4/sF3RrshdyV3sAGMXVUmpMYOw+dLpOuw=="], "neo-async": ["neo-async@2.6.2", "", {}, "sha512-Yd3UES5mWCSqR+qNT93S3UoYUkqAZ9lLg8a7g9rimsWmYGK8cVToA4/sF3RrshdyV3sAGMXVUmpMYOw+dLpOuw=="],
"next": ["next@16.1.6", "", { "dependencies": { "@next/env": "16.1.6", "@swc/helpers": "0.5.15", "baseline-browser-mapping": "^2.8.3", "caniuse-lite": "^1.0.30001579", "postcss": "8.4.31", "styled-jsx": "5.1.6" }, "optionalDependencies": { "@next/swc-darwin-arm64": "16.1.6", "@next/swc-darwin-x64": "16.1.6", "@next/swc-linux-arm64-gnu": "16.1.6", "@next/swc-linux-arm64-musl": "16.1.6", "@next/swc-linux-x64-gnu": "16.1.6", "@next/swc-linux-x64-musl": "16.1.6", "@next/swc-win32-arm64-msvc": "16.1.6", "@next/swc-win32-x64-msvc": "16.1.6", "sharp": "^0.34.4" }, "peerDependencies": { "@opentelemetry/api": "^1.1.0", "@playwright/test": "^1.51.1", "babel-plugin-react-compiler": "*", "react": "^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0", "react-dom": "^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0", "sass": "^1.3.0" }, "optionalPeers": ["@opentelemetry/api", "@playwright/test", "babel-plugin-react-compiler", "sass"], "bin": { "next": "dist/bin/next" } }, "sha512-hkyRkcu5x/41KoqnROkfTm2pZVbKxvbZRuNvKXLRXxs3VfyO0WhY50TQS40EuKO9SW3rBj/sF3WbVwDACeMZyw=="], "next": ["next@16.1.6", "", { "dependencies": { "@next/env": "16.1.6", "@swc/helpers": "0.5.15", "baseline-browser-mapping": "^2.8.3", "caniuse-lite": "^1.0.30001579", "postcss": "8.4.31", "styled-jsx": "5.1.6" }, "optionalDependencies": { "@next/swc-darwin-arm64": "16.1.6", "@next/swc-darwin-x64": "16.1.6", "@next/swc-linux-arm64-gnu": "16.1.6", "@next/swc-linux-arm64-musl": "16.1.6", "@next/swc-linux-x64-gnu": "16.1.6", "@next/swc-linux-x64-musl": "16.1.6", "@next/swc-win32-arm64-msvc": "16.1.6", "@next/swc-win32-x64-msvc": "16.1.6", "sharp": "^0.34.4" }, "peerDependencies": { "@opentelemetry/api": "^1.1.0", "@playwright/test": "^1.51.1", "babel-plugin-react-compiler": "*", "react": "^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0", "react-dom": "^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0", "sass": "^1.3.0" }, "optionalPeers": ["@opentelemetry/api", "@playwright/test", "babel-plugin-react-compiler", "sass"], "bin": { "next": "dist/bin/next" } }, "sha512-hkyRkcu5x/41KoqnROkfTm2pZVbKxvbZRuNvKXLRXxs3VfyO0WhY50TQS40EuKO9SW3rBj/sF3WbVwDACeMZyw=="],
"next-intl": ["next-intl@4.4.0", "", { "dependencies": { "@formatjs/intl-localematcher": "^0.5.4", "negotiator": "^1.0.0", "use-intl": "^4.4.0" }, "peerDependencies": { "next": "^12.0.0 || ^13.0.0 || ^14.0.0 || ^15.0.0 || ^16.0.0", "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || >=19.0.0-rc <19.0.0 || ^19.0.0", "typescript": "^5.0.0" }, "optionalPeers": ["typescript"] }, "sha512-QHqnP9V9Pe7Tn0PdVQ7u1Z8k9yCkW5SJKeRy2g5gxzhSt/C01y3B9qNxuj3Fsmup/yreIHe6osxU6sFa+9WIkQ=="],
"node-fetch-native": ["node-fetch-native@1.6.7", "", {}, "sha512-g9yhqoedzIUm0nTnTqAQvueMPVOuIY16bqgAJJC8XOOubYFNwz6IER9qs0Gq2Xd0+CecCKFjtdDTMA4u4xG06Q=="], "node-fetch-native": ["node-fetch-native@1.6.7", "", {}, "sha512-g9yhqoedzIUm0nTnTqAQvueMPVOuIY16bqgAJJC8XOOubYFNwz6IER9qs0Gq2Xd0+CecCKFjtdDTMA4u4xG06Q=="],
"node-releases": ["node-releases@2.0.27", "", {}, "sha512-nmh3lCkYZ3grZvqcCH+fjmQ7X+H0OeZgP40OierEaAptX4XofMh5kwNbWh7lBduUzCcV/8kZ+NDLCwm2iorIlA=="], "node-releases": ["node-releases@2.0.27", "", {}, "sha512-nmh3lCkYZ3grZvqcCH+fjmQ7X+H0OeZgP40OierEaAptX4XofMh5kwNbWh7lBduUzCcV/8kZ+NDLCwm2iorIlA=="],
@@ -1271,6 +1343,8 @@
"rollup": ["rollup@4.57.1", "", { "dependencies": { "@types/estree": "1.0.8" }, "optionalDependencies": { "@rollup/rollup-android-arm-eabi": "4.57.1", "@rollup/rollup-android-arm64": "4.57.1", "@rollup/rollup-darwin-arm64": "4.57.1", "@rollup/rollup-darwin-x64": "4.57.1", "@rollup/rollup-freebsd-arm64": "4.57.1", "@rollup/rollup-freebsd-x64": "4.57.1", "@rollup/rollup-linux-arm-gnueabihf": "4.57.1", "@rollup/rollup-linux-arm-musleabihf": "4.57.1", "@rollup/rollup-linux-arm64-gnu": "4.57.1", "@rollup/rollup-linux-arm64-musl": "4.57.1", "@rollup/rollup-linux-loong64-gnu": "4.57.1", "@rollup/rollup-linux-loong64-musl": "4.57.1", "@rollup/rollup-linux-ppc64-gnu": "4.57.1", "@rollup/rollup-linux-ppc64-musl": "4.57.1", "@rollup/rollup-linux-riscv64-gnu": "4.57.1", "@rollup/rollup-linux-riscv64-musl": "4.57.1", "@rollup/rollup-linux-s390x-gnu": "4.57.1", "@rollup/rollup-linux-x64-gnu": "4.57.1", "@rollup/rollup-linux-x64-musl": "4.57.1", "@rollup/rollup-openbsd-x64": "4.57.1", "@rollup/rollup-openharmony-arm64": "4.57.1", "@rollup/rollup-win32-arm64-msvc": "4.57.1", "@rollup/rollup-win32-ia32-msvc": "4.57.1", "@rollup/rollup-win32-x64-gnu": "4.57.1", "@rollup/rollup-win32-x64-msvc": "4.57.1", "fsevents": "~2.3.2" }, "bin": { "rollup": "dist/bin/rollup" } }, "sha512-oQL6lgK3e2QZeQ7gcgIkS2YZPg5slw37hYufJ3edKlfQSGGm8ICoxswK15ntSzF/a8+h7ekRy7k7oWc3BQ7y8A=="], "rollup": ["rollup@4.57.1", "", { "dependencies": { "@types/estree": "1.0.8" }, "optionalDependencies": { "@rollup/rollup-android-arm-eabi": "4.57.1", "@rollup/rollup-android-arm64": "4.57.1", "@rollup/rollup-darwin-arm64": "4.57.1", "@rollup/rollup-darwin-x64": "4.57.1", "@rollup/rollup-freebsd-arm64": "4.57.1", "@rollup/rollup-freebsd-x64": "4.57.1", "@rollup/rollup-linux-arm-gnueabihf": "4.57.1", "@rollup/rollup-linux-arm-musleabihf": "4.57.1", "@rollup/rollup-linux-arm64-gnu": "4.57.1", "@rollup/rollup-linux-arm64-musl": "4.57.1", "@rollup/rollup-linux-loong64-gnu": "4.57.1", "@rollup/rollup-linux-loong64-musl": "4.57.1", "@rollup/rollup-linux-ppc64-gnu": "4.57.1", "@rollup/rollup-linux-ppc64-musl": "4.57.1", "@rollup/rollup-linux-riscv64-gnu": "4.57.1", "@rollup/rollup-linux-riscv64-musl": "4.57.1", "@rollup/rollup-linux-s390x-gnu": "4.57.1", "@rollup/rollup-linux-x64-gnu": "4.57.1", "@rollup/rollup-linux-x64-musl": "4.57.1", "@rollup/rollup-openbsd-x64": "4.57.1", "@rollup/rollup-openharmony-arm64": "4.57.1", "@rollup/rollup-win32-arm64-msvc": "4.57.1", "@rollup/rollup-win32-ia32-msvc": "4.57.1", "@rollup/rollup-win32-x64-gnu": "4.57.1", "@rollup/rollup-win32-x64-msvc": "4.57.1", "fsevents": "~2.3.2" }, "bin": { "rollup": "dist/bin/rollup" } }, "sha512-oQL6lgK3e2QZeQ7gcgIkS2YZPg5slw37hYufJ3edKlfQSGGm8ICoxswK15ntSzF/a8+h7ekRy7k7oWc3BQ7y8A=="],
"rou3": ["rou3@0.7.12", "", {}, "sha512-iFE4hLDuloSWcD7mjdCDhx2bKcIsYbtOTpfH5MHHLSKMOUyjqQXTeZVa289uuwEGEKFoE/BAPbhaU4B774nceg=="],
"safer-buffer": ["safer-buffer@2.1.2", "", {}, "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="], "safer-buffer": ["safer-buffer@2.1.2", "", {}, "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="],
"saxes": ["saxes@6.0.0", "", { "dependencies": { "xmlchars": "^2.2.0" } }, "sha512-xAg7SOnEhrm5zI3puOOKyy1OMcMlIJZYNJY7xLBwSze0UjhPLnWfj2GF2EpT0jmzaJKIWKHLsaSSajf35bcYnA=="], "saxes": ["saxes@6.0.0", "", { "dependencies": { "xmlchars": "^2.2.0" } }, "sha512-xAg7SOnEhrm5zI3puOOKyy1OMcMlIJZYNJY7xLBwSze0UjhPLnWfj2GF2EpT0jmzaJKIWKHLsaSSajf35bcYnA=="],
@@ -1283,6 +1357,8 @@
"seq-queue": ["seq-queue@0.0.5", "", {}, "sha512-hr3Wtp/GZIc/6DAGPDcV4/9WoZhjrkXsi5B/07QgX8tsdc6ilr7BFM6PM6rbdAX1kFSDYeZGLipIZZKyQP0O5Q=="], "seq-queue": ["seq-queue@0.0.5", "", {}, "sha512-hr3Wtp/GZIc/6DAGPDcV4/9WoZhjrkXsi5B/07QgX8tsdc6ilr7BFM6PM6rbdAX1kFSDYeZGLipIZZKyQP0O5Q=="],
"set-cookie-parser": ["set-cookie-parser@2.7.2", "", {}, "sha512-oeM1lpU/UvhTxw+g3cIfxXHyJRc/uidd3yK1P242gzHds0udQBYzs3y8j4gCCW+ZJ7ad0yctld8RYO+bdurlvw=="],
"sharp": ["sharp@0.34.5", "", { "dependencies": { "@img/colour": "^1.0.0", "detect-libc": "^2.1.2", "semver": "^7.7.3" }, "optionalDependencies": { "@img/sharp-darwin-arm64": "0.34.5", "@img/sharp-darwin-x64": "0.34.5", "@img/sharp-libvips-darwin-arm64": "1.2.4", "@img/sharp-libvips-darwin-x64": "1.2.4", "@img/sharp-libvips-linux-arm": "1.2.4", "@img/sharp-libvips-linux-arm64": "1.2.4", "@img/sharp-libvips-linux-ppc64": "1.2.4", "@img/sharp-libvips-linux-riscv64": "1.2.4", "@img/sharp-libvips-linux-s390x": "1.2.4", "@img/sharp-libvips-linux-x64": "1.2.4", "@img/sharp-libvips-linuxmusl-arm64": "1.2.4", "@img/sharp-libvips-linuxmusl-x64": "1.2.4", "@img/sharp-linux-arm": "0.34.5", "@img/sharp-linux-arm64": "0.34.5", "@img/sharp-linux-ppc64": "0.34.5", "@img/sharp-linux-riscv64": "0.34.5", "@img/sharp-linux-s390x": "0.34.5", "@img/sharp-linux-x64": "0.34.5", "@img/sharp-linuxmusl-arm64": "0.34.5", "@img/sharp-linuxmusl-x64": "0.34.5", "@img/sharp-wasm32": "0.34.5", "@img/sharp-win32-arm64": "0.34.5", "@img/sharp-win32-ia32": "0.34.5", "@img/sharp-win32-x64": "0.34.5" } }, "sha512-Ou9I5Ft9WNcCbXrU9cMgPBcCK8LiwLqcbywW3t4oDV37n1pzpuNLsYiAV8eODnjbtQlSDwZ2cUEeQz4E54Hltg=="], "sharp": ["sharp@0.34.5", "", { "dependencies": { "@img/colour": "^1.0.0", "detect-libc": "^2.1.2", "semver": "^7.7.3" }, "optionalDependencies": { "@img/sharp-darwin-arm64": "0.34.5", "@img/sharp-darwin-x64": "0.34.5", "@img/sharp-libvips-darwin-arm64": "1.2.4", "@img/sharp-libvips-darwin-x64": "1.2.4", "@img/sharp-libvips-linux-arm": "1.2.4", "@img/sharp-libvips-linux-arm64": "1.2.4", "@img/sharp-libvips-linux-ppc64": "1.2.4", "@img/sharp-libvips-linux-riscv64": "1.2.4", "@img/sharp-libvips-linux-s390x": "1.2.4", "@img/sharp-libvips-linux-x64": "1.2.4", "@img/sharp-libvips-linuxmusl-arm64": "1.2.4", "@img/sharp-libvips-linuxmusl-x64": "1.2.4", "@img/sharp-linux-arm": "0.34.5", "@img/sharp-linux-arm64": "0.34.5", "@img/sharp-linux-ppc64": "0.34.5", "@img/sharp-linux-riscv64": "0.34.5", "@img/sharp-linux-s390x": "0.34.5", "@img/sharp-linux-x64": "0.34.5", "@img/sharp-linuxmusl-arm64": "0.34.5", "@img/sharp-linuxmusl-x64": "0.34.5", "@img/sharp-wasm32": "0.34.5", "@img/sharp-win32-arm64": "0.34.5", "@img/sharp-win32-ia32": "0.34.5", "@img/sharp-win32-x64": "0.34.5" } }, "sha512-Ou9I5Ft9WNcCbXrU9cMgPBcCK8LiwLqcbywW3t4oDV37n1pzpuNLsYiAV8eODnjbtQlSDwZ2cUEeQz4E54Hltg=="],
"shebang-command": ["shebang-command@2.0.0", "", { "dependencies": { "shebang-regex": "^3.0.0" } }, "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA=="], "shebang-command": ["shebang-command@2.0.0", "", { "dependencies": { "shebang-regex": "^3.0.0" } }, "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA=="],
@@ -1415,6 +1491,8 @@
"update-browserslist-db": ["update-browserslist-db@1.2.3", "", { "dependencies": { "escalade": "^3.2.0", "picocolors": "^1.1.1" }, "peerDependencies": { "browserslist": ">= 4.21.0" }, "bin": { "update-browserslist-db": "cli.js" } }, "sha512-Js0m9cx+qOgDxo0eMiFGEueWztz+d4+M3rGlmKPT+T4IS/jP4ylw3Nwpu6cpTTP8R1MAC1kF4VbdLt3ARf209w=="], "update-browserslist-db": ["update-browserslist-db@1.2.3", "", { "dependencies": { "escalade": "^3.2.0", "picocolors": "^1.1.1" }, "peerDependencies": { "browserslist": ">= 4.21.0" }, "bin": { "update-browserslist-db": "cli.js" } }, "sha512-Js0m9cx+qOgDxo0eMiFGEueWztz+d4+M3rGlmKPT+T4IS/jP4ylw3Nwpu6cpTTP8R1MAC1kF4VbdLt3ARf209w=="],
"use-intl": ["use-intl@4.8.2", "", { "dependencies": { "@formatjs/fast-memoize": "^3.1.0", "@schummar/icu-type-parser": "1.21.5", "icu-minify": "^4.8.2", "intl-messageformat": "^11.1.0" }, "peerDependencies": { "react": "^17.0.0 || ^18.0.0 || >=19.0.0-rc <19.0.0 || ^19.0.0" } }, "sha512-3VNXZgDnPFqhIYosQ9W1Hc6K5q+ZelMfawNbexdwL/dY7BTHbceLUBX5Eeex9lgogxTp0pf1SjHuhYNAjr9H3g=="],
"use-sync-external-store": ["use-sync-external-store@1.6.0", "", { "peerDependencies": { "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0" } }, "sha512-Pp6GSwGP/NrPIrxVFAIkOQeyw8lFenOHijQWkUTrDvrF4ALqylP2C/KCkeS9dpUM3KvYRQhna5vt7IL95+ZQ9w=="], "use-sync-external-store": ["use-sync-external-store@1.6.0", "", { "peerDependencies": { "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0" } }, "sha512-Pp6GSwGP/NrPIrxVFAIkOQeyw8lFenOHijQWkUTrDvrF4ALqylP2C/KCkeS9dpUM3KvYRQhna5vt7IL95+ZQ9w=="],
"valibot": ["valibot@1.2.0", "", { "peerDependencies": { "typescript": ">=5" }, "optionalPeers": ["typescript"] }, "sha512-mm1rxUsmOxzrwnX5arGS+U4T25RdvpPjPN4yR0u9pUBov9+zGVtO84tif1eY4r6zWxVxu3KzIyknJy3rxfRZZg=="], "valibot": ["valibot@1.2.0", "", { "peerDependencies": { "typescript": ">=5" }, "optionalPeers": ["typescript"] }, "sha512-mm1rxUsmOxzrwnX5arGS+U4T25RdvpPjPN4yR0u9pUBov9+zGVtO84tif1eY4r6zWxVxu3KzIyknJy3rxfRZZg=="],
@@ -1481,6 +1559,8 @@
"@conventional-changelog/git-client/semver": ["semver@7.7.4", "", { "bin": { "semver": "bin/semver.js" } }, "sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA=="], "@conventional-changelog/git-client/semver": ["semver@7.7.4", "", { "bin": { "semver": "bin/semver.js" } }, "sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA=="],
"@formatjs/ecma402-abstract/@formatjs/intl-localematcher": ["@formatjs/intl-localematcher@0.8.1", "", { "dependencies": { "@formatjs/fast-memoize": "3.1.0", "tslib": "^2.8.1" } }, "sha512-xwEuwQFdtSq1UKtQnyTZWC+eHdv7Uygoa+H2k/9uzBVQjDyp9r20LNDNKedWXll7FssT3GRHvqsdJGYSUWqYFA=="],
"@inquirer/core/wrap-ansi": ["wrap-ansi@6.2.0", "", { "dependencies": { "ansi-styles": "^4.0.0", "string-width": "^4.1.0", "strip-ansi": "^6.0.0" } }, "sha512-r6lPcBGxZXlIcymEu7InxDMhdW0KDxpLgoFLcguasxCaJ/SOIZwINatK9KY/tf+ZrlywOKU0UDj3ATXUBfxJXA=="], "@inquirer/core/wrap-ansi": ["wrap-ansi@6.2.0", "", { "dependencies": { "ansi-styles": "^4.0.0", "string-width": "^4.1.0", "strip-ansi": "^6.0.0" } }, "sha512-r6lPcBGxZXlIcymEu7InxDMhdW0KDxpLgoFLcguasxCaJ/SOIZwINatK9KY/tf+ZrlywOKU0UDj3ATXUBfxJXA=="],
"@prisma/engines/@prisma/get-platform": ["@prisma/get-platform@7.3.0", "", { "dependencies": { "@prisma/debug": "7.3.0" } }, "sha512-N7c6m4/I0Q6JYmWKP2RCD/sM9eWiyCPY98g5c0uEktObNSZnugW2U/PO+pwL0UaqzxqTXt7gTsYsb0FnMnJNbg=="], "@prisma/engines/@prisma/get-platform": ["@prisma/get-platform@7.3.0", "", { "dependencies": { "@prisma/debug": "7.3.0" } }, "sha512-N7c6m4/I0Q6JYmWKP2RCD/sM9eWiyCPY98g5c0uEktObNSZnugW2U/PO+pwL0UaqzxqTXt7gTsYsb0FnMnJNbg=="],

4
docs/.vitepress/config.mts
View File

@@ -19,7 +19,11 @@ export default defineConfig({
{ text: "Section Overview", link: "/product-engineering/" }, { text: "Section Overview", link: "/product-engineering/" },
{ text: "Getting Started", link: "/getting-started" }, { text: "Getting Started", link: "/getting-started" },
{ text: "Architecture", link: "/architecture" }, { text: "Architecture", link: "/architecture" },
{ text: "Better Auth Baseline", link: "/product-engineering/auth-baseline" },
{ text: "CRUD Baseline", link: "/product-engineering/crud-baseline" },
{ text: "i18n Baseline", link: "/product-engineering/i18n-baseline" },
{ text: "RBAC And Permissions", link: "/product-engineering/rbac-permission-model" }, { text: "RBAC And Permissions", link: "/product-engineering/rbac-permission-model" },
{ text: "Testing Strategy", link: "/product-engineering/testing-strategy" },
{ text: "Workflow", link: "/workflow" }, { text: "Workflow", link: "/workflow" },
], ],
}, },

3
docs/architecture.md
View File

@@ -6,7 +6,9 @@
- `apps/admin`: admin app - `apps/admin`: admin app
- `packages/db`: prisma + data access - `packages/db`: prisma + data access
- `packages/content`: shared schemas and domain contracts - `packages/content`: shared schemas and domain contracts
- `packages/crud`: shared CRUD service patterns (validation, errors, audit hooks)
- `packages/ui`: shared UI layer - `packages/ui`: shared UI layer
- `packages/i18n`: shared locale definitions and i18n helpers
- `packages/config`: shared TS config - `packages/config`: shared TS config
## Design Principles ## Design Principles
@@ -14,6 +16,7 @@
- Shared contracts before feature implementation - Shared contracts before feature implementation
- RBAC and CRUD base as prerequisites for MVP1 feature work - RBAC and CRUD base as prerequisites for MVP1 feature work
- Keep admin and public responsibilities clearly separated - Keep admin and public responsibilities clearly separated
- Public routing is path-stable; locale is resolved via `next-intl` middleware + cookie
## Pending Documentation ## Pending Documentation

16
docs/getting-started.md
View File

@@ -20,6 +20,18 @@ bun run db:migrate
bun run db:seed bun run db:seed
``` ```
Create a named migration:
```bash
bun run db:migrate:named -- --name your_migration_name
```
Reset local dev DB:
```bash
bun run db:reset:dev
```
## Run apps ## Run apps
```bash ```bash
@@ -27,7 +39,11 @@ bun run dev
``` ```
- Web: `http://localhost:3000` - Web: `http://localhost:3000`
- Web locale switching: use the language switcher in the page header
- Admin: `http://localhost:3001` - Admin: `http://localhost:3001`
- Admin welcome (first start): `http://localhost:3001/welcome`
- Admin login: `http://localhost:3001/login`
- Admin register (when enabled): `http://localhost:3001/register`
## Run docs ## Run docs

45
docs/product-engineering/auth-baseline.md Normal file
View File

@@ -0,0 +1,45 @@
# Better Auth Baseline
## Scope
This baseline activates Better Auth for the admin app with email/password login and Prisma-backed sessions.
Implemented in MVP0:
- Admin-local auth config: `apps/admin/src/lib/auth/server.ts`
- Admin auth API routes: `apps/admin/src/app/api/auth/[...all]/route.ts`
- Admin auth pages: `/welcome`, `/login`, `/register`
- Support fallback sign-in page: `/support/<CMS_SUPPORT_LOGIN_KEY>`
- Prisma auth models (`user`, `session`, `account`, `verification`)
- First registration creates owner; subsequent registrations are disabled
- Owner invariant reconciliation is enforced in auth bootstrap and owner promotion flow
- Protected accounts (support + canonical owner) are blocked from delete-account auth endpoints
## Environment
Required variables:
- `BETTER_AUTH_SECRET`
- `BETTER_AUTH_URL`
- `CMS_ADMIN_ORIGIN`
- `CMS_WEB_ORIGIN`
- `DATABASE_URL`
Optional:
- `CMS_ADMIN_SELF_REGISTRATION_ENABLED`
- `CMS_SUPPORT_USERNAME`
- `CMS_SUPPORT_EMAIL`
- `CMS_SUPPORT_PASSWORD`
- `CMS_SUPPORT_NAME`
- `CMS_SUPPORT_LOGIN_KEY`
- `CMS_DEV_ROLE` (development-only middleware bypass)
## Notes
- Support user bootstrap is available via `bun run auth:seed:support`.
- Root `bun run db:seed` runs DB seed and support-user seed.
- `CMS_ADMIN_SELF_REGISTRATION_ENABLED` is now a fallback/default only.
- Runtime source of truth is admin settings (`/settings`) backed by `system_setting`.
- Owner/support checks for future admin user-management mutations remain tracked in `TODO.md`.
- Email verification and forgot/reset password pipelines are tracked for MVP2.

33
docs/product-engineering/crud-baseline.md Normal file
View File

@@ -0,0 +1,33 @@
# CRUD Baseline
## Scope
MVP0 now includes a shared CRUD foundation package: `@cms/crud`.
Current baseline:
- Shared service factory: `createCrudService`
- Shared validation error type: `CrudValidationError`
- Shared not-found error type: `CrudNotFoundError`
- Shared mutation audit hook contract: `CrudAuditHook`
- Shared mutation context contract (`actor`, `metadata`)
## First Integration
`@cms/db` `posts` now uses the shared CRUD foundation:
- `listPosts`
- `getPostById`
- `createPost`
- `updatePost`
- `deletePost`
- `registerPostCrudAuditHook`
Validation for create/update is enforced by `@cms/content` schemas.
The admin dashboard currently includes a temporary posts CRUD sandbox to validate this flow through a real app UI.
## Notes
- This is the base layer for future entities (pages, navigation, media, users, commissions).
- Audit hook persistence/transport is intentionally left for later implementation work.

21
docs/product-engineering/i18n-baseline.md Normal file
View File

@@ -0,0 +1,21 @@
# i18n Baseline
## Scope
MVP0 introduces i18n runtime baselines for both apps.
Current baseline:
- Shared locale contract in `@cms/i18n` (`de`, `en`, `es`, `fr`; default `en`)
- Public app: path-stable routing (no locale in URL) via `apps/web/src/proxy.ts`
- Public app: message loading through `apps/web/src/i18n/request.ts`
- Public app: locale-aware navigation helpers in `apps/web/src/i18n/navigation.ts`
- Public app: language switcher component backed by Zustand store
- Admin app: cookie-based locale resolution and message loading in root layout
- Admin app: runtime i18n provider (`AdminI18nProvider`) and locale switcher UI
## Notes
- Public app locale is resolved through `next-intl` middleware + cookie.
- Enabled locales are currently static in code and will later be managed from admin settings.
- Translation key conventions and workflow docs are tracked in `TODO.md`.

2
docs/product-engineering/index.md
View File

@@ -6,7 +6,9 @@ This section covers platform and implementation documentation for engineers and
- [Getting Started](/getting-started) - [Getting Started](/getting-started)
- [Architecture](/architecture) - [Architecture](/architecture)
- [Better Auth Baseline](/product-engineering/auth-baseline)
- [RBAC And Permissions](/product-engineering/rbac-permission-model) - [RBAC And Permissions](/product-engineering/rbac-permission-model)
- [Testing Strategy Baseline](/product-engineering/testing-strategy)
- [Workflow](/workflow) - [Workflow](/workflow)
## Scope ## Scope

2
docs/product-engineering/rbac-permission-model.md
View File

@@ -40,7 +40,7 @@ Scope hierarchy (higher includes lower):
## Enforcement Layers ## Enforcement Layers
- Route-level: `apps/admin/src/middleware.ts` - Route-level: `apps/admin/src/proxy.ts`
- Action-level: server component checks in admin pages (`/` and `/todo`) - Action-level: server component checks in admin pages (`/` and `/todo`)
- Shared model + checks: `packages/content/src/rbac.ts` - Shared model + checks: `packages/content/src/rbac.ts`

33
docs/product-engineering/testing-strategy.md Normal file
View File

@@ -0,0 +1,33 @@
# Testing Strategy Baseline
## Goals
- Keep lint, typecheck, unit/integration, and e2e as mandatory quality gates.
- Make e2e runs deterministic by preparing schema and seeded data before test execution.
- Keep test data isolated per environment (`dev` local, CI database service in workflow).
## Current Gate Stack
- `bun run check`
- `bun run typecheck`
- `bun run test`
- `bun run test:e2e`
## Data Preparation
- `bun run test:e2e:prepare` runs:
- Prisma client generation
- migration deploy
- seed data (including support user bootstrap)
- `bun run test:e2e` and related scripts call `test:e2e:prepare` automatically.
## Locale Integration Coverage
- `e2e/i18n.pw.ts` covers:
- web locale switch + persistence
- admin locale switch + persistence
## CI
- Real quality workflow: `.gitea/workflows/ci.yml`
- Uses a PostgreSQL service container and runs the full gate stack, including e2e.

4
docs/workflow.md
View File

@@ -15,10 +15,10 @@ Follow `BRANCHING.md`:
## Quality Gates ## Quality Gates
- `bun run lint` - `bun run check`
- `bun run typecheck` - `bun run typecheck`
- `bun run test` - `bun run test`
- `bun run test:e2e --list` - `bun run test:e2e`
## Changelog ## Changelog

29
e2e/i18n.pw.ts Normal file
View File

@@ -0,0 +1,29 @@
import { expect, test } from "@playwright/test"
test.describe("i18n integration", () => {
test("web language switcher updates and persists locale", async ({ page }, testInfo) => {
test.skip(testInfo.project.name !== "web-chromium")
await page.goto("/")
await expect(page.getByRole("heading", { name: /your next\.js cms frontend/i })).toBeVisible()
await page.locator("select").first().selectOption("de")
await expect(page.getByRole("heading", { name: /dein next\.js cms frontend/i })).toBeVisible()
await page.reload()
await expect(page.getByRole("heading", { name: /dein next\.js cms frontend/i })).toBeVisible()
})
test("admin language switcher updates and persists locale", async ({ page }, testInfo) => {
test.skip(testInfo.project.name !== "admin-chromium")
await page.goto("/login")
await expect(page.getByRole("heading", { name: /sign in to cms admin/i })).toBeVisible()
await page.locator("select").first().selectOption("de")
await expect(page.getByRole("heading", { name: /bei cms admin anmelden/i })).toBeVisible()
await page.reload()
await expect(page.getByRole("heading", { name: /bei cms admin anmelden/i })).toBeVisible()
})
})

9
e2e/smoke.pw.ts
View File

@@ -8,5 +8,12 @@ test("smoke", async ({ page }, testInfo) => {
return return
} }
await expect(page.getByRole("heading", { name: /content dashboard/i })).toBeVisible() const dashboardHeading = page.getByRole("heading", { name: /content dashboard/i })
if (await dashboardHeading.isVisible({ timeout: 2000 })) {
await expect(dashboardHeading).toBeVisible()
return
}
await expect(page.getByRole("heading", { name: /sign in to cms admin/i })).toBeVisible()
}) })

20
e2e/support-auth.pw.ts Normal file
View File

@@ -0,0 +1,20 @@
import { expect, test } from "@playwright/test"
const SUPPORT_LOGIN_KEY = process.env.CMS_SUPPORT_LOGIN_KEY ?? "support-access"
test.describe("support fallback route", () => {
test("valid support key opens sign-in page", async ({ page }, testInfo) => {
test.skip(testInfo.project.name !== "admin-chromium")
await page.goto(`/support/${SUPPORT_LOGIN_KEY}`)
await expect(page.getByRole("heading", { name: /sign in to cms admin/i })).toBeVisible()
})
test("invalid support key returns not found", async ({ page }, testInfo) => {
test.skip(testInfo.project.name !== "admin-chromium")
const response = await page.goto("/support/invalid-key")
expect(response?.status()).toBe(404)
})
})

49
package.json
View File

@@ -1,5 +1,6 @@
{ {
"name": "cms-monorepo", "name": "cms-monorepo",
"version": "0.1.0",
"private": true, "private": true,
"packageManager": "bun@1.3.5", "packageManager": "bun@1.3.5",
"workspaces": [ "workspaces": [
@@ -17,9 +18,10 @@
"test": "vitest run", "test": "vitest run",
"test:watch": "vitest", "test:watch": "vitest",
"test:coverage": "vitest run --coverage", "test:coverage": "vitest run --coverage",
"test:e2e": "bun run db:generate && playwright test", "test:e2e:prepare": "bun run db:generate && bun run db:migrate:deploy && bun run db:seed",
"test:e2e:headed": "bun run db:generate && playwright test --headed", "test:e2e": "bun run test:e2e:prepare && playwright test",
"test:e2e:ui": "bun run db:generate && playwright test --ui", "test:e2e:headed": "bun run test:e2e:prepare && playwright test --headed",
"test:e2e:ui": "bun run test:e2e:prepare && playwright test --ui",
"commitlint": "commitlint --last", "commitlint": "commitlint --last",
"changelog:preview": "conventional-changelog -p conventionalcommits -r 0", "changelog:preview": "conventional-changelog -p conventionalcommits -r 0",
"changelog:release": "conventional-changelog -p conventionalcommits -i CHANGELOG.md -s", "changelog:release": "conventional-changelog -p conventionalcommits -i CHANGELOG.md -s",
@@ -29,32 +31,35 @@
"check": "biome check .", "check": "biome check .",
"db:generate": "bun --filter @cms/db db:generate", "db:generate": "bun --filter @cms/db db:generate",
"db:migrate": "bun --filter @cms/db db:migrate", "db:migrate": "bun --filter @cms/db db:migrate",
"db:migrate:named": "bun --filter @cms/db db:migrate:named", "db:migrate:named": "cd packages/db && bun --env-file=../../.env prisma migrate dev",
"db:migrate:deploy": "bun --filter @cms/db db:migrate:deploy",
"db:reset:dev": "bun --filter @cms/db db:reset:dev && bun run auth:seed:support",
"db:push": "bun --filter @cms/db db:push", "db:push": "bun --filter @cms/db db:push",
"db:studio": "bun --filter @cms/db db:studio", "db:studio": "bun --filter @cms/db db:studio",
"db:seed": "bun --filter @cms/db db:seed", "db:seed": "bun --filter @cms/db db:seed && bun --filter @cms/admin auth:seed:support",
"auth:seed:support": "bun --filter @cms/admin auth:seed:support",
"docker:staging:up": "docker compose -f docker-compose.staging.yml up -d --build", "docker:staging:up": "docker compose -f docker-compose.staging.yml up -d --build",
"docker:staging:down": "docker compose -f docker-compose.staging.yml down", "docker:staging:down": "docker compose -f docker-compose.staging.yml down",
"docker:production:up": "docker compose -f docker-compose.production.yml up -d --build", "docker:production:up": "docker compose -f docker-compose.production.yml up -d --build",
"docker:production:down": "docker compose -f docker-compose.production.yml down" "docker:production:down": "docker compose -f docker-compose.production.yml down"
}, },
"devDependencies": { "devDependencies": {
"@playwright/test": "latest", "@playwright/test": "1.58.2",
"@commitlint/cli": "latest", "@commitlint/cli": "20.4.1",
"@commitlint/config-conventional": "latest", "@commitlint/config-conventional": "20.4.1",
"@testing-library/jest-dom": "latest", "@testing-library/jest-dom": "6.9.1",
"@testing-library/react": "latest", "@testing-library/react": "16.3.2",
"@testing-library/user-event": "latest", "@testing-library/user-event": "14.6.1",
"@vitejs/plugin-react": "latest", "@vitejs/plugin-react": "5.1.3",
"@vitest/coverage-istanbul": "latest", "@vitest/coverage-istanbul": "4.0.18",
"@biomejs/biome": "latest", "@biomejs/biome": "2.3.14",
"jsdom": "latest", "jsdom": "28.0.0",
"msw": "latest", "msw": "2.12.9",
"conventional-changelog-cli": "latest", "conventional-changelog-cli": "5.0.0",
"turbo": "latest", "turbo": "2.8.3",
"typescript": "latest", "typescript": "5.9.3",
"vitepress": "latest", "vitepress": "1.6.4",
"vite-tsconfig-paths": "latest", "vite-tsconfig-paths": "6.1.0",
"vitest": "latest" "vitest": "4.0.18"
} }
} }

6
packages/content/package.json
View File

@@ -13,11 +13,11 @@
"typecheck": "tsc -p tsconfig.json --noEmit" "typecheck": "tsc -p tsconfig.json --noEmit"
}, },
"dependencies": { "dependencies": {
"zod": "latest" "zod": "4.3.6"
}, },
"devDependencies": { "devDependencies": {
"@cms/config": "workspace:*", "@cms/config": "workspace:*",
"@biomejs/biome": "latest", "@biomejs/biome": "2.3.14",
"typescript": "latest" "typescript": "5.9.3"
} }
} }

21
packages/content/src/index.test.ts
View File

@@ -1,6 +1,6 @@
import { describe, expect, it } from "vitest" import { describe, expect, it } from "vitest"
import { postSchema, upsertPostSchema } from "./index" import { createPostInputSchema, postSchema, updatePostInputSchema, upsertPostSchema } from "./index"
describe("content schemas", () => { describe("content schemas", () => {
it("accepts a valid post", () => { it("accepts a valid post", () => {
@@ -17,7 +17,24 @@ describe("content schemas", () => {
expect(post.slug).toBe("hello-world") expect(post.slug).toBe("hello-world")
}) })
it("rejects invalid upsert payload", () => { it("rejects invalid create payload", () => {
const result = createPostInputSchema.safeParse({
title: "Hi",
slug: "x",
body: "",
status: "unknown",
})
expect(result.success).toBe(false)
})
it("rejects empty update payload", () => {
const result = updatePostInputSchema.safeParse({})
expect(result.success).toBe(false)
})
it("keeps upsert alias for backward compatibility", () => {
const result = upsertPostSchema.safeParse({ const result = upsertPostSchema.safeParse({
title: "Hi", title: "Hi",
slug: "x", slug: "x",

24
packages/content/src/index.ts
View File

@@ -4,22 +4,32 @@ export * from "./rbac"
export const postStatusSchema = z.enum(["draft", "published"]) export const postStatusSchema = z.enum(["draft", "published"])
export const postSchema = z.object({ const postMutableFieldsSchema = z.object({
id: z.string().uuid(),
title: z.string().min(3).max(180), title: z.string().min(3).max(180),
slug: z.string().min(3).max(180), slug: z.string().min(3).max(180),
excerpt: z.string().max(320).optional(), excerpt: z.string().max(320).optional(),
body: z.string().min(1), body: z.string().min(1),
status: postStatusSchema, status: postStatusSchema,
})
export const postSchema = z.object({
id: z.string().uuid(),
...postMutableFieldsSchema.shape,
createdAt: z.date(), createdAt: z.date(),
updatedAt: z.date(), updatedAt: z.date(),
}) })
export const upsertPostSchema = postSchema.omit({ export const createPostInputSchema = postMutableFieldsSchema
id: true, export const updatePostInputSchema = postMutableFieldsSchema
createdAt: true, .partial()
updatedAt: true, .refine((value) => Object.keys(value).length > 0, {
}) message: "At least one field is required for an update.",
})
// Backward-compatible alias while migrating callers to create/update-specific schemas.
export const upsertPostSchema = createPostInputSchema
export type Post = z.infer<typeof postSchema> export type Post = z.infer<typeof postSchema>
export type CreatePostInput = z.infer<typeof createPostInputSchema>
export type UpdatePostInput = z.infer<typeof updatePostInputSchema>
export type UpsertPostInput = z.infer<typeof upsertPostSchema> export type UpsertPostInput = z.infer<typeof upsertPostSchema>

4
packages/content/src/rbac.test.ts
View File

@@ -4,12 +4,16 @@ import { hasPermission, normalizeRole, permissionMatrix } from "./rbac"
describe("rbac model", () => { describe("rbac model", () => {
it("normalizes valid roles", () => { it("normalizes valid roles", () => {
expect(normalizeRole("OWNER")).toBe("owner")
expect(normalizeRole("support")).toBe("support")
expect(normalizeRole("ADMIN")).toBe("admin") expect(normalizeRole("ADMIN")).toBe("admin")
expect(normalizeRole("manager")).toBe("manager") expect(normalizeRole("manager")).toBe("manager")
expect(normalizeRole("unknown")).toBeNull() expect(normalizeRole("unknown")).toBeNull()
}) })
it("grants admin full access", () => { it("grants admin full access", () => {
expect(hasPermission("owner", "users:manage_roles", "global")).toBe(true)
expect(hasPermission("support", "news:publish", "global")).toBe(true)
expect(hasPermission("admin", "users:manage_roles", "global")).toBe(true) expect(hasPermission("admin", "users:manage_roles", "global")).toBe(true)
expect(hasPermission("admin", "news:publish", "global")).toBe(true) expect(hasPermission("admin", "news:publish", "global")).toBe(true)
}) })

4
packages/content/src/rbac.ts
View File

@@ -1,6 +1,6 @@
import { z } from "zod" import { z } from "zod"
export const roleSchema = z.enum(["admin", "editor", "manager"]) export const roleSchema = z.enum(["owner", "support", "admin", "editor", "manager"])
export const permissionScopeSchema = z.enum(["own", "team", "global"]) export const permissionScopeSchema = z.enum(["own", "team", "global"])
export const permissionSchema = z.enum([ export const permissionSchema = z.enum([
@@ -44,6 +44,8 @@ const allGlobalGrants: PermissionGrant[] = allPermissions.map((permission) => ({
})) }))
export const permissionMatrix: Record<Role, PermissionGrant[]> = { export const permissionMatrix: Record<Role, PermissionGrant[]> = {
owner: allGlobalGrants,
support: allGlobalGrants,
admin: allGlobalGrants, admin: allGlobalGrants,
manager: [ manager: [
{ permission: "dashboard:read", scopes: ["global"] }, { permission: "dashboard:read", scopes: ["global"] },

22
packages/crud/package.json Normal file
View File

@@ -0,0 +1,22 @@
{
"name": "@cms/crud",
"version": "0.0.1",
"private": true,
"type": "module",
"exports": {
".": "./src/index.ts"
},
"scripts": {
"build": "tsc -p tsconfig.json",
"lint": "biome check src",
"typecheck": "tsc -p tsconfig.json --noEmit"
},
"dependencies": {
"zod": "4.3.6"
},
"devDependencies": {
"@cms/config": "workspace:*",
"@biomejs/biome": "2.3.14",
"typescript": "5.9.3"
}
}

41
packages/crud/src/errors.ts Normal file
View File

@@ -0,0 +1,41 @@
import type { ZodIssue } from "zod"
export class CrudError extends Error {
public readonly code: string
constructor(message: string, code: string) {
super(message)
this.name = "CrudError"
this.code = code
}
}
export class CrudValidationError extends CrudError {
public readonly resource: string
public readonly operation: "create" | "update"
public readonly issues: ZodIssue[]
constructor(params: {
resource: string
operation: "create" | "update"
issues: ZodIssue[]
}) {
super(`Validation failed for ${params.resource} ${params.operation}`, "CRUD_VALIDATION")
this.name = "CrudValidationError"
this.resource = params.resource
this.operation = params.operation
this.issues = params.issues
}
}
export class CrudNotFoundError extends CrudError {
public readonly resource: string
public readonly id: string
constructor(params: { resource: string; id: string }) {
super(`${params.resource} ${params.id} was not found`, "CRUD_NOT_FOUND")
this.name = "CrudNotFoundError"
this.resource = params.resource
this.id = params.id
}
}

3
packages/crud/src/index.ts Normal file
View File

@@ -0,0 +1,3 @@
export * from "./errors"
export * from "./service"
export * from "./types"

161
packages/crud/src/service.test.ts Normal file
View File

@@ -0,0 +1,161 @@
import { describe, expect, it } from "vitest"
import { z } from "zod"
import { CrudNotFoundError, CrudValidationError } from "./errors"
import { createCrudService } from "./service"
type FakeEntity = {
id: string
title: string
}
type CreateFakeEntityInput = {
title: string
}
type UpdateFakeEntityInput = {
title?: string
}
function createMemoryRepository() {
const state = new Map<string, FakeEntity>()
let sequence = 0
return {
list: async () => Array.from(state.values()),
findById: async (id: string) => state.get(id) ?? null,
create: async (input: CreateFakeEntityInput) => {
sequence += 1
const created = {
id: `${sequence}`,
title: input.title,
}
state.set(created.id, created)
return created
},
update: async (id: string, input: UpdateFakeEntityInput) => {
const current = state.get(id)
if (!current) {
throw new Error("unexpected missing entity in test repository")
}
const updated = {
...current,
...input,
}
state.set(id, updated)
return updated
},
delete: async (id: string) => {
const current = state.get(id)
if (!current) {
throw new Error("unexpected missing entity in test repository")
}
state.delete(id)
return current
},
}
}
describe("createCrudService", () => {
it("validates create and update payloads", async () => {
const service = createCrudService({
resource: "fake-entity",
repository: createMemoryRepository(),
schemas: {
create: z.object({
title: z.string().min(3),
}),
update: z
.object({
title: z.string().min(3).optional(),
})
.refine((value) => Object.keys(value).length > 0, {
message: "at least one field must be updated",
}),
},
})
await expect(service.create({ title: "ok" })).rejects.toBeInstanceOf(CrudValidationError)
await expect(service.update("1", {})).rejects.toBeInstanceOf(CrudValidationError)
})
it("throws not found for unknown update and delete", async () => {
const service = createCrudService({
resource: "fake-entity",
repository: createMemoryRepository(),
schemas: {
create: z.object({
title: z.string().min(3),
}),
update: z.object({
title: z.string().min(3).optional(),
}),
},
})
await expect(service.update("missing", { title: "Updated" })).rejects.toBeInstanceOf(
CrudNotFoundError,
)
await expect(service.delete("missing")).rejects.toBeInstanceOf(CrudNotFoundError)
})
it("emits audit events for create, update and delete", async () => {
const events: Array<{ action: string; beforeTitle: string | null; afterTitle: string | null }> =
[]
const service = createCrudService({
resource: "fake-entity",
repository: createMemoryRepository(),
schemas: {
create: z.object({
title: z.string().min(3),
}),
update: z.object({
title: z.string().min(3).optional(),
}),
},
auditHooks: [
(event) => {
events.push({
action: event.action,
beforeTitle: event.before?.title ?? null,
afterTitle: event.after?.title ?? null,
})
},
],
})
const created = await service.create(
{ title: "Created" },
{
actor: { id: "u-1", role: "owner" },
},
)
await service.update(created.id, { title: "Updated" })
await service.delete(created.id)
expect(events).toEqual([
{
action: "create",
beforeTitle: null,
afterTitle: "Created",
},
{
action: "update",
beforeTitle: "Created",
afterTitle: "Updated",
},
{
action: "delete",
beforeTitle: "Updated",
afterTitle: null,
},
])
})
})

159
packages/crud/src/service.ts Normal file
View File

@@ -0,0 +1,159 @@
import type { ZodIssue } from "zod"
import { CrudNotFoundError, CrudValidationError } from "./errors"
import type { CrudAction, CrudAuditHook, CrudMutationContext, CrudRepository } from "./types"
type SchemaSafeParseResult<TInput> =
| {
success: true
data: TInput
}
| {
success: false
error: {
issues: ZodIssue[]
}
}
type CrudSchema<TInput> = {
safeParse: (input: unknown) => SchemaSafeParseResult<TInput>
}
type CrudSchemas<TCreateInput, TUpdateInput> = {
create: CrudSchema<TCreateInput>
update: CrudSchema<TUpdateInput>
}
type CreateCrudServiceOptions<TRecord, TCreateInput, TUpdateInput, TId extends string = string> = {
resource: string
repository: CrudRepository<TRecord, TCreateInput, TUpdateInput, TId>
schemas: CrudSchemas<TCreateInput, TUpdateInput>
auditHooks?: Array<CrudAuditHook<TRecord>>
}
async function emitAuditHooks<TRecord>(
hooks: Array<CrudAuditHook<TRecord>>,
event: {
resource: string
action: CrudAction
actor: CrudMutationContext["actor"]
metadata: CrudMutationContext["metadata"]
before: TRecord | null
after: TRecord | null
},
): Promise<void> {
if (hooks.length === 0) {
return
}
const payload = {
...event,
actor: event.actor ?? null,
at: new Date(),
}
for (const hook of hooks) {
await hook(payload)
}
}
function parseOrThrow<TInput>(params: {
schema: CrudSchema<TInput>
input: unknown
resource: string
operation: "create" | "update"
}): TInput {
const parsed = params.schema.safeParse(params.input)
if (parsed.success) {
return parsed.data
}
throw new CrudValidationError({
resource: params.resource,
operation: params.operation,
issues: parsed.error.issues,
})
}
export function createCrudService<TRecord, TCreateInput, TUpdateInput, TId extends string = string>(
options: CreateCrudServiceOptions<TRecord, TCreateInput, TUpdateInput, TId>,
) {
const auditHooks = options.auditHooks ?? []
return {
list: () => options.repository.list(),
getById: (id: TId) => options.repository.findById(id),
create: async (input: unknown, context: CrudMutationContext = {}) => {
const payload = parseOrThrow({
schema: options.schemas.create,
input,
resource: options.resource,
operation: "create",
})
const created = await options.repository.create(payload)
await emitAuditHooks(auditHooks, {
resource: options.resource,
action: "create",
actor: context.actor,
metadata: context.metadata,
before: null,
after: created,
})
return created
},
update: async (id: TId, input: unknown, context: CrudMutationContext = {}) => {
const payload = parseOrThrow({
schema: options.schemas.update,
input,
resource: options.resource,
operation: "update",
})
const existing = await options.repository.findById(id)
if (!existing) {
throw new CrudNotFoundError({
resource: options.resource,
id,
})
}
const updated = await options.repository.update(id, payload)
await emitAuditHooks(auditHooks, {
resource: options.resource,
action: "update",
actor: context.actor,
metadata: context.metadata,
before: existing,
after: updated,
})
return updated
},
delete: async (id: TId, context: CrudMutationContext = {}) => {
const existing = await options.repository.findById(id)
if (!existing) {
throw new CrudNotFoundError({
resource: options.resource,
id,
})
}
const deleted = await options.repository.delete(id)
await emitAuditHooks(auditHooks, {
resource: options.resource,
action: "delete",
actor: context.actor,
metadata: context.metadata,
before: existing,
after: null,
})
return deleted
},
}
}

31
packages/crud/src/types.ts Normal file
View File

@@ -0,0 +1,31 @@
export type CrudAction = "create" | "update" | "delete"
export type CrudActor = {
id?: string | null
role?: string | null
}
export type CrudMutationContext = {
actor?: CrudActor | null
metadata?: Record<string, unknown>
}
export type CrudAuditEvent<TRecord> = {
resource: string
action: CrudAction
at: Date
actor: CrudActor | null
metadata?: Record<string, unknown>
before: TRecord | null
after: TRecord | null
}
export type CrudAuditHook<TRecord> = (event: CrudAuditEvent<TRecord>) => Promise<void> | void
export type CrudRepository<TRecord, TCreateInput, TUpdateInput, TId extends string = string> = {
list: () => Promise<TRecord[]>
findById: (id: TId) => Promise<TRecord | null>
create: (input: TCreateInput) => Promise<TRecord>
update: (id: TId, input: TUpdateInput) => Promise<TRecord>
delete: (id: TId) => Promise<TRecord>
}

9
packages/crud/tsconfig.json Normal file
View File

@@ -0,0 +1,9 @@
{
"extends": "@cms/config/tsconfig/base",
"compilerOptions": {
"noEmit": false,
"outDir": "dist"
},
"include": ["src/**/*.ts"],
"exclude": ["src/**/*.test.ts"]
}

21
packages/db/package.json
View File

@@ -13,24 +13,27 @@
"db:generate": "bun --env-file=../../.env prisma generate", "db:generate": "bun --env-file=../../.env prisma generate",
"db:migrate": "bun --env-file=../../.env prisma migrate dev --name init", "db:migrate": "bun --env-file=../../.env prisma migrate dev --name init",
"db:migrate:named": "bun --env-file=../../.env prisma migrate dev", "db:migrate:named": "bun --env-file=../../.env prisma migrate dev",
"db:migrate:deploy": "bun --env-file=../../.env prisma migrate deploy",
"db:reset:dev": "bun --env-file=../../.env prisma migrate reset --force",
"db:push": "bun --env-file=../../.env prisma db push", "db:push": "bun --env-file=../../.env prisma db push",
"db:studio": "bun --env-file=../../.env prisma studio", "db:studio": "bun --env-file=../../.env prisma studio",
"db:seed": "bun --env-file=../../.env prisma/seed.ts" "db:seed": "bun --env-file=../../.env prisma/seed.ts"
}, },
"dependencies": { "dependencies": {
"@cms/crud": "workspace:*",
"@cms/content": "workspace:*", "@cms/content": "workspace:*",
"@prisma/adapter-pg": "latest", "@prisma/adapter-pg": "7.3.0",
"@prisma/client": "latest", "@prisma/client": "7.3.0",
"pg": "latest", "pg": "8.18.0",
"zod": "latest" "zod": "4.3.6"
}, },
"devDependencies": { "devDependencies": {
"@cms/config": "workspace:*", "@cms/config": "workspace:*",
"@biomejs/biome": "latest", "@biomejs/biome": "2.3.14",
"@types/node": "latest", "@types/node": "25.2.2",
"@types/pg": "latest", "@types/pg": "8.16.0",
"prisma": "latest", "prisma": "7.3.0",
"typescript": "latest" "typescript": "5.9.3"
}, },
"prisma": { "prisma": {
"seed": "bun --env-file=../../.env prisma/seed.ts" "seed": "bun --env-file=../../.env prisma/seed.ts"

80
packages/db/prisma/migrations/20260210123700_better_auth_core/migration.sql Normal file
View File

@@ -0,0 +1,80 @@
-- CreateTable
CREATE TABLE "user" (
"id" TEXT NOT NULL,
"name" TEXT NOT NULL,
"email" TEXT NOT NULL,
"emailVerified" BOOLEAN NOT NULL DEFAULT false,
"image" TEXT,
"createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
"updatedAt" TIMESTAMP(3) NOT NULL,
"role" TEXT NOT NULL DEFAULT 'editor',
"isBanned" BOOLEAN NOT NULL DEFAULT false,
CONSTRAINT "user_pkey" PRIMARY KEY ("id")
);
-- CreateTable
CREATE TABLE "session" (
"id" TEXT NOT NULL,
"expiresAt" TIMESTAMP(3) NOT NULL,
"token" TEXT NOT NULL,
"createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
"updatedAt" TIMESTAMP(3) NOT NULL,
"ipAddress" TEXT,
"userAgent" TEXT,
"userId" TEXT NOT NULL,
CONSTRAINT "session_pkey" PRIMARY KEY ("id")
);
-- CreateTable
CREATE TABLE "account" (
"id" TEXT NOT NULL,
"accountId" TEXT NOT NULL,
"providerId" TEXT NOT NULL,
"userId" TEXT NOT NULL,
"accessToken" TEXT,
"refreshToken" TEXT,
"idToken" TEXT,
"accessTokenExpiresAt" TIMESTAMP(3),
"refreshTokenExpiresAt" TIMESTAMP(3),
"scope" TEXT,
"password" TEXT,
"createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
"updatedAt" TIMESTAMP(3) NOT NULL,
CONSTRAINT "account_pkey" PRIMARY KEY ("id")
);
-- CreateTable
CREATE TABLE "verification" (
"id" TEXT NOT NULL,
"identifier" TEXT NOT NULL,
"value" TEXT NOT NULL,
"expiresAt" TIMESTAMP(3) NOT NULL,
"createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
"updatedAt" TIMESTAMP(3) NOT NULL,
CONSTRAINT "verification_pkey" PRIMARY KEY ("id")
);
-- CreateIndex
CREATE UNIQUE INDEX "user_email_key" ON "user"("email");
-- CreateIndex
CREATE INDEX "session_userId_idx" ON "session"("userId");
-- CreateIndex
CREATE UNIQUE INDEX "session_token_key" ON "session"("token");
-- CreateIndex
CREATE INDEX "account_userId_idx" ON "account"("userId");
-- CreateIndex
CREATE INDEX "verification_identifier_idx" ON "verification"("identifier");
-- AddForeignKey
ALTER TABLE "session" ADD CONSTRAINT "session_userId_fkey" FOREIGN KEY ("userId") REFERENCES "user"("id") ON DELETE CASCADE ON UPDATE CASCADE;
-- AddForeignKey
ALTER TABLE "account" ADD CONSTRAINT "account_userId_fkey" FOREIGN KEY ("userId") REFERENCES "user"("id") ON DELETE CASCADE ON UPDATE CASCADE;

11
packages/db/prisma/migrations/20260210173127_username_auth/migration.sql Normal file
View File

@@ -0,0 +1,11 @@
/*
Warnings:
- A unique constraint covering the columns `[username]` on the table `user` will be added. If there are existing duplicate values, this will fail.
*/
-- AlterTable
ALTER TABLE "user" ADD COLUMN "username" TEXT;
-- CreateIndex
CREATE UNIQUE INDEX "user_username_key" ON "user"("username");

8
packages/db/prisma/migrations/20260210190000_system_user_guards/migration.sql Normal file
View File

@@ -0,0 +1,8 @@
-- AlterTable
ALTER TABLE "user"
ADD COLUMN "isSystem" BOOLEAN NOT NULL DEFAULT false,
ADD COLUMN "isHidden" BOOLEAN NOT NULL DEFAULT false,
ADD COLUMN "isProtected" BOOLEAN NOT NULL DEFAULT false;
-- CreateIndex
CREATE INDEX "user_role_idx" ON "user"("role");

9
packages/db/prisma/migrations/20260210200148_admin_registration_policy_setting/migration.sql Normal file
View File

@@ -0,0 +1,9 @@
-- CreateTable
CREATE TABLE "system_setting" (
"key" TEXT NOT NULL,
"value" TEXT NOT NULL,
"createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
"updatedAt" TIMESTAMP(3) NOT NULL,
CONSTRAINT "system_setting_pkey" PRIMARY KEY ("key")
);

82
packages/db/prisma/schema.prisma
View File

@@ -1,5 +1,6 @@
generator client { generator client {
provider = "prisma-client-js" provider = "prisma-client"
output = "./generated/client"
} }
datasource db { datasource db {
@@ -16,3 +17,82 @@ model Post {
createdAt DateTime @default(now()) createdAt DateTime @default(now())
updatedAt DateTime @updatedAt updatedAt DateTime @updatedAt
} }
model User {
id String @id
name String
email String
username String? @unique
emailVerified Boolean @default(false)
image String?
createdAt DateTime @default(now())
updatedAt DateTime @updatedAt
role String @default("editor")
isBanned Boolean @default(false)
isSystem Boolean @default(false)
isHidden Boolean @default(false)
isProtected Boolean @default(false)
sessions Session[]
accounts Account[]
@@unique([email])
@@index([role])
@@map("user")
}
model Session {
id String @id
expiresAt DateTime
token String
createdAt DateTime @default(now())
updatedAt DateTime @updatedAt
ipAddress String?
userAgent String?
userId String
user User @relation(fields: [userId], references: [id], onDelete: Cascade)
@@unique([token])
@@index([userId])
@@map("session")
}
model Account {
id String @id
accountId String
providerId String
userId String
user User @relation(fields: [userId], references: [id], onDelete: Cascade)
accessToken String?
refreshToken String?
idToken String?
accessTokenExpiresAt DateTime?
refreshTokenExpiresAt DateTime?
scope String?
password String?
createdAt DateTime @default(now())
updatedAt DateTime @updatedAt
@@index([userId])
@@map("account")
}
model Verification {
id String @id
identifier String
value String
expiresAt DateTime
createdAt DateTime @default(now())
updatedAt DateTime @updatedAt
@@index([identifier])
@@map("verification")
}
model SystemSetting {
key String @id
value String
createdAt DateTime @default(now())
updatedAt DateTime @updatedAt
@@map("system_setting")
}

2
packages/db/src/client.ts
View File

@@ -1,6 +1,6 @@
import { PrismaPg } from "@prisma/adapter-pg" import { PrismaPg } from "@prisma/adapter-pg"
import { PrismaClient } from "@prisma/client"
import { Pool } from "pg" import { Pool } from "pg"
import { PrismaClient } from "../prisma/generated/client/client"
const connectionString = process.env.DATABASE_URL const connectionString = process.env.DATABASE_URL

10
packages/db/src/index.ts
View File

@@ -1,2 +1,10 @@
export { db } from "./client" export { db } from "./client"
export { createPost, listPosts } from "./posts" export {
createPost,
deletePost,
getPostById,
listPosts,
registerPostCrudAuditHook,
updatePost,
} from "./posts"
export { isAdminSelfRegistrationEnabled, setAdminSelfRegistrationEnabled } from "./settings"

85
packages/db/src/posts.ts
View File

@@ -1,19 +1,80 @@
import { upsertPostSchema } from "@cms/content" import {
type CreatePostInput,
createPostInputSchema,
type UpdatePostInput,
updatePostInputSchema,
} from "@cms/content"
import { type CrudAuditHook, type CrudMutationContext, createCrudService } from "@cms/crud"
import type { Post } from "../prisma/generated/client/client"
import { db } from "./client" import { db } from "./client"
const postRepository = {
list: () =>
db.post.findMany({
orderBy: {
updatedAt: "desc",
},
}),
findById: (id: string) =>
db.post.findUnique({
where: { id },
}),
create: (input: CreatePostInput) =>
db.post.create({
data: input,
}),
update: (id: string, input: UpdatePostInput) =>
db.post.update({
where: { id },
data: input,
}),
delete: (id: string) =>
db.post.delete({
where: { id },
}),
}
const postAuditHooks: Array<CrudAuditHook<Post>> = []
const postCrudService = createCrudService({
resource: "post",
repository: postRepository,
schemas: {
create: createPostInputSchema,
update: updatePostInputSchema,
},
auditHooks: postAuditHooks,
})
export function registerPostCrudAuditHook(hook: CrudAuditHook<Post>): () => void {
postAuditHooks.push(hook)
return () => {
const index = postAuditHooks.indexOf(hook)
if (index >= 0) {
postAuditHooks.splice(index, 1)
}
}
}
export async function listPosts() { export async function listPosts() {
return db.post.findMany({ return postCrudService.list()
orderBy: {
updatedAt: "desc",
},
})
} }
export async function createPost(input: unknown) { export async function getPostById(id: string) {
const payload = upsertPostSchema.parse(input) return postCrudService.getById(id)
}
return db.post.create({
data: payload, export async function createPost(input: unknown, context?: CrudMutationContext) {
}) return postCrudService.create(input, context)
}
export async function updatePost(id: string, input: unknown, context?: CrudMutationContext) {
return postCrudService.update(id, input, context)
}
export async function deletePost(id: string, context?: CrudMutationContext) {
return postCrudService.delete(id, context)
} }

56
packages/db/src/settings.ts Normal file
View File

@@ -0,0 +1,56 @@
import { db } from "./client"
const ADMIN_SELF_REGISTRATION_KEY = "admin.self_registration_enabled"
function resolveEnvFallback(): boolean {
return process.env.CMS_ADMIN_SELF_REGISTRATION_ENABLED === "true"
}
function parseStoredBoolean(value: string): boolean | null {
if (value === "true") {
return true
}
if (value === "false") {
return false
}
return null
}
export async function isAdminSelfRegistrationEnabled(): Promise<boolean> {
try {
const setting = await db.systemSetting.findUnique({
where: { key: ADMIN_SELF_REGISTRATION_KEY },
select: { value: true },
})
if (!setting) {
return resolveEnvFallback()
}
const parsed = parseStoredBoolean(setting.value)
if (parsed === null) {
return resolveEnvFallback()
}
return parsed
} catch {
// Fallback while migrations are not yet applied in a local environment.
return resolveEnvFallback()
}
}
export async function setAdminSelfRegistrationEnabled(enabled: boolean): Promise<void> {
await db.systemSetting.upsert({
where: { key: ADMIN_SELF_REGISTRATION_KEY },
create: {
key: ADMIN_SELF_REGISTRATION_KEY,
value: enabled ? "true" : "false",
},
update: {
value: enabled ? "true" : "false",
},
})
}

19
packages/i18n/package.json Normal file
View File

@@ -0,0 +1,19 @@
{
"name": "@cms/i18n",
"version": "0.0.1",
"private": true,
"type": "module",
"exports": {
".": "./src/index.ts"
},
"scripts": {
"build": "tsc -p tsconfig.json",
"lint": "biome check src",
"typecheck": "tsc -p tsconfig.json --noEmit"
},
"devDependencies": {
"@cms/config": "workspace:*",
"@biomejs/biome": "2.3.14",
"typescript": "5.9.3"
}
}

16
packages/i18n/src/index.ts Normal file
View File

@@ -0,0 +1,16 @@
export const locales = ["de", "en", "es", "fr"] as const
export type AppLocale = (typeof locales)[number]
export const defaultLocale: AppLocale = "en"
export const localeLabels: Record<AppLocale, string> = {
de: "Deutsch",
en: "English",
es: "Español",
fr: "Français",
}
export function isAppLocale(value: string): value is AppLocale {
return locales.includes(value as AppLocale)
}

8
packages/i18n/tsconfig.json Normal file
View File

@@ -0,0 +1,8 @@
{
"extends": "@cms/config/tsconfig/base",
"compilerOptions": {
"noEmit": false,
"outDir": "dist"
},
"include": ["src/**/*.ts"]
}

18
packages/ui/package.json
View File

@@ -14,19 +14,19 @@
"typecheck": "tsc -p tsconfig.json --noEmit" "typecheck": "tsc -p tsconfig.json --noEmit"
}, },
"dependencies": { "dependencies": {
"class-variance-authority": "latest", "class-variance-authority": "0.7.1",
"clsx": "latest", "clsx": "2.1.1",
"tailwind-merge": "latest" "tailwind-merge": "3.4.0"
}, },
"peerDependencies": { "peerDependencies": {
"react": "latest", "react": "19.2.4",
"react-dom": "latest" "react-dom": "19.2.4"
}, },
"devDependencies": { "devDependencies": {
"@cms/config": "workspace:*", "@cms/config": "workspace:*",
"@biomejs/biome": "latest", "@biomejs/biome": "2.3.14",
"@types/react": "latest", "@types/react": "19.2.13",
"@types/react-dom": "latest", "@types/react-dom": "19.2.3",
"typescript": "latest" "typescript": "5.9.3"
} }
} }

2
packages/ui/src/components/button.tsx
View File

@@ -8,7 +8,7 @@ const buttonVariants = cva(
{ {
variants: { variants: {
variant: { variant: {
default: "bg-neutral-900 text-neutral-50 hover:bg-neutral-800", default: "bg-neutral-900 text-white hover:bg-neutral-800",
secondary: "bg-neutral-100 text-neutral-900 hover:bg-neutral-200", secondary: "bg-neutral-100 text-neutral-900 hover:bg-neutral-200",
ghost: "hover:bg-neutral-100 hover:text-neutral-900", ghost: "hover:bg-neutral-100 hover:text-neutral-900",
}, },