feat(pages): add pages and navigation builder baseline

feat(media): add admin media CRUD preview and storage cleanup
refactor(media): use asset-centric storage key layout
2026-02-12 19:30:09 +01:00 · 2026-02-12 19:15:26 +01:00 · 2026-02-12 18:41:01 +01:00 · 2026-02-12 18:16:11 +01:00 · 2026-02-12 12:02:31 +01:00 · 2026-02-12 11:57:39 +01:00
176 changed files with 13127 additions and 391 deletions
--- a/.env.example
+++ b/.env.example
@@ -1 +1,28 @@
 DATABASE_URL="postgresql://postgres:postgres@localhost:5432/cms?schema=public"
 BETTER_AUTH_SECRET="replace-with-long-random-secret"
 BETTER_AUTH_URL="http://localhost:3001"
 CMS_ADMIN_ORIGIN="http://localhost:3001"
 CMS_WEB_ORIGIN="http://localhost:3000"
 CMS_ADMIN_SELF_REGISTRATION_ENABLED="false"
 # Bootstrap system users (used only when creating missing users)
 CMS_SUPPORT_USERNAME="support"
 CMS_SUPPORT_EMAIL="support@cms.local"
 CMS_SUPPORT_PASSWORD="change-me-support-password"
 CMS_SUPPORT_NAME="Technical Support"
 CMS_SUPPORT_LOGIN_KEY="support-access-change-me"
 CMS_MEDIA_STORAGE_PROVIDER="s3"
 CMS_MEDIA_STORAGE_TENANT_ID="default"
 CMS_MEDIA_UPLOAD_MAX_BYTES="26214400"
 # Optional: override local media storage directory for admin upload adapter.
 # CMS_MEDIA_LOCAL_STORAGE_DIR="/absolute/path/to/media-storage"
 # S3/object-storage config (default provider). If unavailable, upload falls back to local storage.
 # CMS_MEDIA_S3_BUCKET="cms-media"
 # CMS_MEDIA_S3_REGION="eu-central-1"
 # CMS_MEDIA_S3_ACCESS_KEY_ID=""
 # CMS_MEDIA_S3_SECRET_ACCESS_KEY=""
 # CMS_MEDIA_S3_ENDPOINT="" # optional (e.g. MinIO, R2)
 # CMS_MEDIA_S3_FORCE_PATH_STYLE="false"
 NEXT_PUBLIC_APP_VERSION="0.1.0-dev"
 NEXT_PUBLIC_GIT_SHA="local"
 # Optional dev bypass role for admin middleware. Leave empty to require auth login.
 # CMS_DEV_ROLE="admin"
--- a/.env.gitea-runner.example
+++ b/.env.gitea-runner.example
@@ -0,0 +1,4 @@
 GITEA_INSTANCE_URL="https://git.example.com"
 GITEA_RUNNER_REGISTRATION_TOKEN="replace-with-runner-registration-token"
 GITEA_RUNNER_NAME="cms-runner"
 GITEA_RUNNER_LABELS="ubuntu-latest:docker://node:20-bookworm"
--- a/.env.production.example
+++ b/.env.production.example
@@ -1 +1,11 @@
 DATABASE_URL="postgresql://cms:cms_production_password@localhost:65432/cms_production?schema=public"
 BETTER_AUTH_SECRET="replace-with-production-secret"
 BETTER_AUTH_URL="https://admin.example.com"
 CMS_ADMIN_ORIGIN="https://admin.example.com"
 CMS_WEB_ORIGIN="https://www.example.com"
 CMS_ADMIN_SELF_REGISTRATION_ENABLED="false"
 CMS_SUPPORT_USERNAME="support"
 CMS_SUPPORT_EMAIL="support@admin.example.com"
 CMS_SUPPORT_PASSWORD="replace-with-production-support-password"
 CMS_SUPPORT_NAME="Technical Support"
 CMS_SUPPORT_LOGIN_KEY="replace-with-production-support-login-key"
--- a/.env.staging.example
+++ b/.env.staging.example
@@ -1 +1,11 @@
 DATABASE_URL="postgresql://cms:cms_staging_password@localhost:55432/cms_staging?schema=public"
 BETTER_AUTH_SECRET="replace-with-staging-secret"
 BETTER_AUTH_URL="https://staging-admin.example.com"
 CMS_ADMIN_ORIGIN="https://staging-admin.example.com"
 CMS_WEB_ORIGIN="https://staging-web.example.com"
 CMS_ADMIN_SELF_REGISTRATION_ENABLED="false"
 CMS_SUPPORT_USERNAME="support"
 CMS_SUPPORT_EMAIL="support@staging-admin.example.com"
 CMS_SUPPORT_PASSWORD="replace-with-staging-support-password"
 CMS_SUPPORT_NAME="Technical Support"
 CMS_SUPPORT_LOGIN_KEY="replace-with-staging-support-login-key"
--- a/.gitea/PULL_REQUEST_TEMPLATE.md
+++ b/.gitea/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,17 @@
 ## Summary
 - TODO item reference (exact text): `...`
 - Scope (single primary TODO item): `...`
 ## Checklist
 - [ ] Linked TODO item is in `TODO.md`
 - [ ] Branch name follows `todo/*`, `refactor/*`, or `code/*`
 - [ ] `bun run check`
 - [ ] `bun run typecheck`
 - [ ] `bun run test`
 - [ ] E2E validation plan included (`bun run test:e2e` or reason if deferred)
 ## Notes
 - Risks / migrations / rollout notes:
--- a/.gitea/scripts/check-branch-name.sh
+++ b/.gitea/scripts/check-branch-name.sh
@@ -0,0 +1,25 @@
 #!/usr/bin/env sh
 set -eu
 branch="${1:-}"
 if [ -z "$branch" ]; then
  echo "Missing branch name."
  exit 1
 fi
 case "$branch" in
  dev|staging|main)
    echo "Long-lived branch detected: $branch"
    exit 0
    ;;
 esac
 if printf "%s" "$branch" | grep -Eq '^(todo|refactor|code)\/[a-z0-9]+([._-][a-z0-9]+)*$'; then
  echo "Branch naming valid: $branch"
  exit 0
 fi
 echo "Invalid branch name: $branch"
 echo "Expected: todo/<slug> | refactor/<slug> | code/<slug>"
 exit 1
--- a/.gitea/scripts/check-pr-todo-reference.sh
+++ b/.gitea/scripts/check-pr-todo-reference.sh
@@ -0,0 +1,17 @@
 #!/usr/bin/env sh
 set -eu
 body="${1:-}"
 if [ -z "$body" ]; then
  echo "PR body is empty."
  exit 1
 fi
 if printf "%s" "$body" | grep -Eq 'TODO|todo|\[P[1-3]\]'; then
  echo "PR body includes TODO reference."
  exit 0
 fi
 echo "PR body must reference the related TODO item."
 exit 1
--- a/.gitea/scripts/configure-branch-protection.sh
+++ b/.gitea/scripts/configure-branch-protection.sh
@@ -0,0 +1,34 @@
 #!/usr/bin/env sh
 set -eu
 if [ "${#}" -ne 4 ]; then
  echo "Usage: $0 <base-url> <owner> <repo> <token>"
  exit 1
 fi
 base_url="$1"
 owner="$2"
 repo="$3"
 token="$4"
 protect_branch() {
  branch="$1"
  curl -sS -X POST \
    "${base_url}/api/v1/repos/${owner}/${repo}/branch_protections" \
    -H "Authorization: token ${token}" \
    -H "Content-Type: application/json" \
    -d "{
      \"branch_name\": \"${branch}\",
      \"enable_push\": false,
      \"enable_push_whitelist\": false,
      \"enable_merge_whitelist\": false,
      \"enable_status_check\": true,
      \"status_check_contexts\": [\"Governance Checks\", \"Lint Typecheck Unit E2E\"]
    }" >/dev/null
 }
 protect_branch "main"
 protect_branch "staging"
 echo "Branch protection applied for main and staging."
--- a/.gitea/scripts/extract-release-notes.sh
+++ b/.gitea/scripts/extract-release-notes.sh
@@ -0,0 +1,45 @@
 #!/usr/bin/env sh
 set -eu
 tag="${1:-}"
 if [ -z "$tag" ]; then
  echo "Missing release tag argument (expected vX.Y.Z)."
  exit 1
 fi
 if [ ! -f CHANGELOG.md ]; then
  echo "CHANGELOG.md not found."
  exit 1
 fi
 version="${tag#v}"
 awk -v version="$version" '
 BEGIN {
  in_section = 0
  started = 0
 }
 /^## / {
  if (in_section == 1) {
    exit
  }
  if (index($0, version) > 0) {
    in_section = 1
    started = 1
    print $0
    next
  }
 }
 {
  if (in_section == 1) {
    print $0
  }
 }
 END {
  if (started == 0) {
    exit 2
  }
 }
 ' CHANGELOG.md
--- a/.gitea/scripts/publish-gitea-release.mjs
+++ b/.gitea/scripts/publish-gitea-release.mjs
@@ -0,0 +1,80 @@
 import { readFileSync } from "node:fs"
 const tag = process.env.RELEASE_TAG?.trim()
 const releaseName = process.env.RELEASE_NAME?.trim() || tag
 const bodyFile = process.env.RELEASE_BODY_FILE?.trim() || ".gitea-release-notes.md"
 const serverUrl = process.env.GITHUB_SERVER_URL?.trim()
 const repository = process.env.GITHUB_REPOSITORY?.trim()
 const token = process.env.GITEA_RELEASE_TOKEN?.trim()
 if (!tag) {
  throw new Error("RELEASE_TAG is required")
 }
 if (!serverUrl || !repository) {
  throw new Error("GITHUB_SERVER_URL and GITHUB_REPOSITORY are required")
 }
 if (!token) {
  throw new Error("GITEA_RELEASE_TOKEN is required")
 }
 const body = readFileSync(bodyFile, "utf8")
 const baseApi = `${serverUrl.replace(/\/$/, "")}/api/v1/repos/${repository}`
 async function request(path, options = {}) {
  const response = await fetch(`${baseApi}${path}`, {
    ...options,
    headers: {
      "content-type": "application/json",
      authorization: `token ${token}`,
      ...(options.headers ?? {}),
    },
  })
  return response
 }
 const payload = {
  tag_name: tag,
  target_commitish: "main",
  name: releaseName,
  body,
  draft: false,
  prerelease: false,
 }
 const existingResponse = await request(`/releases/tags/${encodeURIComponent(tag)}`)
 if (existingResponse.ok) {
  const existing = await existingResponse.json()
  const updateResponse = await request(`/releases/${existing.id}`, {
    method: "PATCH",
    body: JSON.stringify({
      ...payload,
      target_commitish: existing.target_commitish ?? payload.target_commitish,
    }),
  })
  if (!updateResponse.ok) {
    const message = await updateResponse.text()
    throw new Error(`Failed to update release: ${updateResponse.status} ${message}`)
  }
  console.log(`Updated release for tag ${tag}`)
 } else if (existingResponse.status === 404) {
  const createResponse = await request("/releases", {
    method: "POST",
    body: JSON.stringify(payload),
  })
  if (!createResponse.ok) {
    const message = await createResponse.text()
    throw new Error(`Failed to create release: ${createResponse.status} ${message}`)
  }
  console.log(`Created release for tag ${tag}`)
 } else {
  const message = await existingResponse.text()
  throw new Error(`Failed to query existing release: ${existingResponse.status} ${message}`)
 }
--- a/.gitea/scripts/validate-tag-version.sh
+++ b/.gitea/scripts/validate-tag-version.sh
@@ -0,0 +1,18 @@
 #!/usr/bin/env sh
 set -eu
 tag="${1:-}"
 if [ -z "$tag" ]; then
  echo "Missing tag ref name (expected vX.Y.Z)."
  exit 1
 fi
 version="$(node -p "require('./package.json').version")"
 if [ "$tag" != "v$version" ]; then
  echo "Tag/version mismatch: tag=$tag package.json=$version"
  exit 1
 fi
 echo "Tag matches package.json version: $tag"
--- a/.gitea/workflows/ci-cd-theoretical.yml
+++ b/.gitea/workflows/ci-cd-theoretical.yml
@@ -1,113 +0,0 @@
 name: CMS CI/CD (Theoretical)
 on:
  pull_request:
  push:
    branches:
      - dev
      - main
      - staging
    tags:
      - "v*"
  workflow_dispatch:
 env:
  BUN_VERSION: "1.3.5"
 jobs:
  quality:
    name: Lint Typecheck Tests
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: ${{ env.BUN_VERSION }}
      - name: Install dependencies
        run: bun install --frozen-lockfile
      - name: Generate Prisma client
        run: bun run db:generate
      - name: Lint
        run: bun run lint
      - name: Typecheck
        run: bun run typecheck
      - name: Unit and component tests
        run: bun run test
      - name: E2E suite discovery check
        run: bun run test:e2e --list
      - name: Conventional commit check (latest commit)
        run: bun run commitlint
  build_staging_images:
    name: Build Staging Images
    runs-on: ubuntu-latest
    needs: quality
    if: github.ref == 'refs/heads/staging'
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Build web image (staging)
        run: docker build -f apps/web/Dockerfile -t cms-web:staging .
      - name: Build admin image (staging)
        run: docker build -f apps/admin/Dockerfile -t cms-admin:staging .
  build_production_images:
    name: Build Production Images
    runs-on: ubuntu-latest
    needs: quality
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Build web image (production)
        run: docker build -f apps/web/Dockerfile -t cms-web:${{ github.ref_name }} .
      - name: Build admin image (production)
        run: docker build -f apps/admin/Dockerfile -t cms-admin:${{ github.ref_name }} .
      - name: Generate changelog
        run: |
          bun install --frozen-lockfile
          bun run changelog:release
      - name: Push images (placeholder)
        run: |
          echo "TODO: docker login to registry"
          echo "TODO: docker push cms-web:${{ github.ref_name }}"
          echo "TODO: docker push cms-admin:${{ github.ref_name }}"
          echo "TODO: publish CHANGELOG.md content as release notes"
  deploy_staging:
    name: Deploy Staging (Placeholder)
    runs-on: ubuntu-latest
    needs: build_staging_images
    if: github.ref == 'refs/heads/staging'
    steps:
      - name: Deploy placeholder
        run: |
          echo "TODO: Pull and restart staging compose on target host"
          echo "docker compose -f docker-compose.staging.yml up -d"
  deploy_production:
    name: Deploy Production (Placeholder)
    runs-on: ubuntu-latest
    needs: build_production_images
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
      - name: Deploy placeholder
        run: |
          echo "TODO: Pull and restart production compose on target host"
          echo "docker compose -f docker-compose.production.yml up -d"
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -0,0 +1,109 @@
 name: CMS CI
 on:
  pull_request:
  push:
    branches:
      - dev
      - staging
      - main
  workflow_dispatch:
 env:
  BUN_VERSION: "1.3.5"
  NODE_ENV: "test"
  DATABASE_URL: "postgresql://postgres:postgres@postgres:5432/cms?schema=public"
  BETTER_AUTH_SECRET: "ci-test-secret-change-me"
  BETTER_AUTH_URL: "http://localhost:3001"
  CMS_ADMIN_ORIGIN: "http://127.0.0.1:3001"
  CMS_WEB_ORIGIN: "http://127.0.0.1:3000"
  CMS_ADMIN_SELF_REGISTRATION_ENABLED: "false"
  CMS_SUPPORT_USERNAME: "support"
  CMS_SUPPORT_EMAIL: "support@cms.local"
  CMS_SUPPORT_PASSWORD: "support-ci-password"
  CMS_SUPPORT_NAME: "Technical Support"
  CMS_SUPPORT_LOGIN_KEY: "support-access"
 jobs:
  governance:
    name: Governance Checks
    runs-on: node22-bun
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Validate branch naming
        run: |
          branch="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"
          sh .gitea/scripts/check-branch-name.sh "$branch"
      - name: Validate PR TODO reference
        if: github.event_name == 'pull_request'
        run: |
          body='${{ github.event.pull_request.body }}'
          sh .gitea/scripts/check-pr-todo-reference.sh "$body"
      - name: Commit schema check (latest commit)
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: ${{ env.BUN_VERSION }}
      - name: Install dependencies for commitlint
        run: bun install --frozen-lockfile
      - name: Commitlint
        run: bun run commitlint
  quality:
    name: Lint Typecheck Unit E2E
    needs: governance
    runs-on: node22-bun
    services:
      postgres:
        image: postgres:16-alpine
        env:
          POSTGRES_DB: cms
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
        ports:
          - 5432:5432
        options: >-
          --health-cmd "pg_isready -U postgres -d cms"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: ${{ env.BUN_VERSION }}
      - name: Install dependencies
        run: bun install --frozen-lockfile
      - name: Resolve build metadata
        run: |
          version=$(bun -e 'const pkg = JSON.parse(await Bun.file("package.json").text()); console.log(pkg.version)')
          echo "NEXT_PUBLIC_APP_VERSION=$version" >> "$GITHUB_ENV"
          echo "NEXT_PUBLIC_GIT_SHA=${GITHUB_SHA}" >> "$GITHUB_ENV"
      - name: Install Playwright browser deps
        run: bunx playwright install --with-deps chromium
      - name: Lint and format checks
        run: bun run check
      - name: Generate Prisma client
        run: bun run db:generate
      - name: Typecheck
        run: bun run typecheck
      - name: Unit and integration tests
        run: bun run test
      - name: E2E tests
        run: bun run test:e2e
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -0,0 +1,54 @@
 name: CMS Deploy
 on:
  workflow_dispatch:
    inputs:
      environment:
        description: "Target environment"
        required: true
        type: choice
        options:
          - staging
          - production
      image_tag:
        description: "Image tag to deploy (e.g. v0.1.0)"
        required: true
      rollback_tag:
        description: "Optional rollback tag"
        required: false
 jobs:
  deploy:
    name: Deploy Compose Stack
    runs-on: node22-bun
    steps:
      - name: Resolve deployment target
        id: target
        run: |
          if [ "${{ github.event.inputs.environment }}" = "staging" ]; then
            echo "host=${{ secrets.CMS_STAGING_HOST }}" >> "$GITHUB_OUTPUT"
            echo "user=${{ secrets.CMS_STAGING_USER }}" >> "$GITHUB_OUTPUT"
            echo "compose=docker-compose.staging.yml" >> "$GITHUB_OUTPUT"
          else
            echo "host=${{ secrets.CMS_PRODUCTION_HOST }}" >> "$GITHUB_OUTPUT"
            echo "user=${{ secrets.CMS_PRODUCTION_USER }}" >> "$GITHUB_OUTPUT"
            echo "compose=docker-compose.production.yml" >> "$GITHUB_OUTPUT"
          fi
      - name: Setup SSH
        run: |
          mkdir -p ~/.ssh
          echo "${{ secrets.CMS_DEPLOY_KEY }}" > ~/.ssh/id_rsa
          chmod 600 ~/.ssh/id_rsa
          ssh-keyscan -H "${{ steps.target.outputs.host }}" >> ~/.ssh/known_hosts
      - name: Deploy image tag
        run: |
          ssh "${{ steps.target.outputs.user }}@${{ steps.target.outputs.host }}" \
            "cd ${{ secrets.CMS_REMOTE_DEPLOY_PATH }} && CMS_IMAGE_TAG=${{ github.event.inputs.image_tag }} docker compose -f ${{ steps.target.outputs.compose }} up -d"
      - name: Optional rollback
        if: github.event.inputs.rollback_tag != ''
        run: |
          ssh "${{ steps.target.outputs.user }}@${{ steps.target.outputs.host }}" \
            "cd ${{ secrets.CMS_REMOTE_DEPLOY_PATH }} && CMS_IMAGE_TAG=${{ github.event.inputs.rollback_tag }} docker compose -f ${{ steps.target.outputs.compose }} up -d"
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -0,0 +1,103 @@
 name: CMS Release
 on:
  push:
    tags:
      - "v*"
  workflow_dispatch:
    inputs:
      release_tag:
        description: "Release tag in vX.Y.Z format"
        required: false
      rollback_image_tag:
        description: "Optional rollback image tag"
        required: false
 env:
  BUN_VERSION: "1.3.5"
  REGISTRY: ${{ secrets.CMS_IMAGE_REGISTRY }}
  IMAGE_NAMESPACE: ${{ secrets.CMS_IMAGE_NAMESPACE }}
 jobs:
  release:
    name: Build Push Changelog
    if: github.event_name == 'push' || github.event.inputs.rollback_image_tag == ''
    runs-on: node22-bun
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: ${{ env.BUN_VERSION }}
      - name: Install dependencies
        run: bun install --frozen-lockfile
      - name: Resolve release tag
        id: tag
        run: |
          if [ "${GITHUB_EVENT_NAME}" = "workflow_dispatch" ]; then
            if [ -z "${{ github.event.inputs.release_tag }}" ]; then
              echo "release_tag input is required when publishing a release manually."
              exit 1
            fi
            echo "value=${{ github.event.inputs.release_tag }}" >> "$GITHUB_OUTPUT"
          else
            echo "value=${GITHUB_REF_NAME}" >> "$GITHUB_OUTPUT"
          fi
      - name: Validate tag against package version
        run: sh .gitea/scripts/validate-tag-version.sh "${{ steps.tag.outputs.value }}"
      - name: Generate changelog
        run: bun run changelog:release
      - name: Build release notes payload
        run: |
          if ! sh .gitea/scripts/extract-release-notes.sh "${{ steps.tag.outputs.value }}" > .gitea-release-notes.md; then
            echo "Could not isolate section for tag ${{ steps.tag.outputs.value }}. Falling back to full CHANGELOG.md."
            cp CHANGELOG.md .gitea-release-notes.md
          fi
      - name: Login to image registry
        run: |
          echo "${{ secrets.CMS_IMAGE_REGISTRY_PASSWORD }}" | docker login "${{ env.REGISTRY }}" -u "${{ secrets.CMS_IMAGE_REGISTRY_USER }}" --password-stdin
      - name: Build and push web image
        run: |
          image="${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/cms-web:${{ steps.tag.outputs.value }}"
          docker build -f apps/web/Dockerfile -t "$image" .
          docker push "$image"
      - name: Build and push admin image
        run: |
          image="${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/cms-admin:${{ steps.tag.outputs.value }}"
          docker build -f apps/admin/Dockerfile -t "$image" .
          docker push "$image"
      - name: Publish release notes to Gitea
        env:
          RELEASE_TAG: ${{ steps.tag.outputs.value }}
          RELEASE_NAME: ${{ steps.tag.outputs.value }}
          RELEASE_BODY_FILE: ".gitea-release-notes.md"
          GITEA_RELEASE_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
        run: bun .gitea/scripts/publish-gitea-release.mjs
  rollback:
    name: Rollback Production (Manual)
    if: github.event_name == 'workflow_dispatch' && github.event.inputs.rollback_image_tag != ''
    runs-on: node22-bun
    steps:
      - name: Setup SSH
        run: |
          mkdir -p ~/.ssh
          echo "${{ secrets.CMS_DEPLOY_KEY }}" > ~/.ssh/id_rsa
          chmod 600 ~/.ssh/id_rsa
          ssh-keyscan -H "${{ secrets.CMS_PRODUCTION_HOST }}" >> ~/.ssh/known_hosts
      - name: Apply rollback image tag on production
        run: |
          ssh "${{ secrets.CMS_PRODUCTION_USER }}@${{ secrets.CMS_PRODUCTION_HOST }}" \
            "cd ${{ secrets.CMS_REMOTE_DEPLOY_PATH }} && CMS_IMAGE_TAG=${{ github.event.inputs.rollback_image_tag }} docker compose -f docker-compose.production.yml pull && CMS_IMAGE_TAG=${{ github.event.inputs.rollback_image_tag }} docker compose -f docker-compose.production.yml up -d"
--- a/.gitignore
+++ b/.gitignore
@@ -12,6 +12,8 @@ out
 # build
 dist
 coverage
 docs/.vitepress/dist
 docs/.vitepress/cache
 *.tsbuildinfo
 playwright-report
 test-results
@@ -22,9 +24,15 @@ test-results
 !.env.example
 !.env.staging.example
 !.env.production.example
 !.env.gitea-runner.example
 # prisma
 packages/db/prisma/dev.db*
 packages/db/prisma/generated/
 # misc
 .DS_Store
 # local media storage
 .data/
 apps/admin/.data/
--- a/BRANCHING.md
+++ b/BRANCHING.md
@@ -96,6 +96,13 @@ Apply in repository settings:
 Optional:
 - Protect `dev` from direct push if team size/process requires stricter control.
 - Automate protection via `.gitea/scripts/configure-branch-protection.sh`.
 ## Governance Automation
 - Branch naming check: `.gitea/scripts/check-branch-name.sh`
 - PR TODO reference check: `.gitea/scripts/check-pr-todo-reference.sh`
 - PR template: `.gitea/PULL_REQUEST_TEMPLATE.md`
 ## Commit Signing Notes
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,13 @@
 ## 0.1.0 (2026-02-10)
 ### Features
 * **auth:** add better-auth core wiring for admin and db ([ba8abb3](https://git.fellies.net/Citali/cms.fellies.org/commit/ba8abb3b1bc42f87bc19460107311f53b27799d8))
 * **rbac:** enforce admin access checks and document permission model ([947cb0a](https://git.fellies.net/Citali/cms.fellies.org/commit/947cb0a3d79104d82c4b97fb6584633b4c6a7c92))
 ### Bug Fixes
 * **next:** migrate admin middleware to proxy convention ([efb93f2](https://git.fellies.net/Citali/cms.fellies.org/commit/efb93f212bc8d8976fc6b443e415be812d12961a))
 # Changelog
 All notable changes to this project will be documented in this file.
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -4,6 +4,8 @@
 Follow `BRANCHING.md` for long-lived and task branch rules.
 Pull requests should use `.gitea/PULL_REQUEST_TEMPLATE.md` and link the exact TODO item.
 ## Commit Message Schema
 This repository uses Conventional Commits.
--- a/README.md
+++ b/README.md
@@ -3,6 +3,7 @@
 Roadmap and progress are tracked in `TODO.md` (also visible in admin at `/todo`).
 Branch model and promotion flow are documented in `BRANCHING.md`.
 Commit schema and changelog workflow are documented in `CONTRIBUTING.md`.
 Versioning and release policy are documented in `VERSIONING.md`.
 A baseline monorepo with:
@@ -38,6 +39,8 @@ bun install
 cp .env.example .env
 ```
 Set `BETTER_AUTH_SECRET` before production use.
 3. Generate Prisma client and run migrations:
 ```bash
@@ -54,15 +57,20 @@ bun run dev
 - Web: http://localhost:3000
 - Admin: http://localhost:3001
 - Admin login: http://localhost:3001/login
 ## Useful scripts
 - `bun run dev`
 - `bun run dev:web`
 - `bun run dev:admin`
 - `bun run docs:dev`
 - `bun run docs:build`
 - `bun run docs:preview`
 - `bun run test`
 - `bun run test:watch`
 - `bun run test:coverage`
 - `bun run test:e2e:prepare`
 - `bun run test:e2e`
 - `bun run lint`
 - `bun run typecheck`
@@ -79,6 +87,7 @@ bun run dev
 - Unit/integration/component: Vitest + Testing Library + MSW
 - E2E: Playwright (separate projects for `web` and `admin`)
 - Use `bun run test` and `bun run test:e2e` (not plain `bun test`, which uses Bun's runner)
 - E2E data prep (migrations + seed): `bun run test:e2e:prepare`
 One-time Playwright browser install:
@@ -88,9 +97,11 @@ bunx playwright install
 ## Delivery Scaffolding
-The repo includes a theoretical CI/CD and deployment baseline:
+The repo includes a CI/CD and deployment baseline:
- Gitea workflow: `.gitea/workflows/ci-cd-theoretical.yml`
+- Quality gate workflow: `.gitea/workflows/ci.yml`
 - Deployment workflow: `.gitea/workflows/deploy.yml`
 - Release workflow: `.gitea/workflows/release.yml`
 - App images:
  - `apps/web/Dockerfile`
  - `apps/admin/Dockerfile`
@@ -109,12 +120,20 @@ Environment examples:
 - `.env.staging.example`
 - `.env.production.example`
 - `.env.gitea-runner.example`
 Notes:
 - `dev` remains your local non-docker Bun workflow.
 - Staging and production compose files are templates and still require real secrets, registry strategy, and deployment host wiring.
 Gitea Actions runner compose (self-hosted):
 ```bash
 cp .env.gitea-runner.example .env.gitea-runner
 docker compose --env-file .env.gitea-runner -f docker-compose.gitea-runner.yml up -d
 ```
 ## Changelog
 - Changelog file: `CHANGELOG.md`
@@ -131,6 +150,23 @@ bun run changelog:release
 bun run changelog:preview
 ```
 ## Docs Tool
 - Docs tool: VitePress
 - Docs source directory: `docs/`
 Run docs locally:
 ```bash
 bun run docs:dev
 ```
 Build static docs:
 ```bash
 bun run docs:build
 ```
 ## Recommended next packages
 - Auth: `better-auth` or `next-auth`
--- a/TODO.md
+++ b/TODO.md
@@ -18,95 +18,179 @@ This file is the single source of truth for roadmap and delivery progress.
 ### MVP1 Gate: Mandatory Before Feature Work
- [ ] [P1] RBAC domain model finalized (roles, permissions, resource scopes)
+- [x] [P1] RBAC domain model finalized (roles, permissions, resource scopes)
- [ ] [P1] RBAC enforcement at route and action level in admin
+- [x] [P1] RBAC enforcement at route and action level in admin
- [ ] [P1] Permission matrix documented and tested
+- [x] [P1] Permission matrix documented and tested
- [ ] [P1] Reusable CRUD base patterns (list/detail/editor/service/repository)
+- [x] [P1] i18n baseline architecture (default locale, supported locales, routing strategy)
- [ ] [P1] Shared CRUD validation strategy (Zod + server-side enforcement)
+- [x] [P1] i18n runtime integration baseline for both apps (locale provider + message loading)
- [ ] [P1] Shared error and audit hooks for CRUD mutations
+- [x] [P1] Locale persistence and switcher base component (cookie/header + UI)
 - [x] [P1] Integrate Better Auth core configuration and session wiring
 - [x] [P1] Bootstrap first-run owner account creation via initial registration flow
 - [x] [P1] Enforce invariant: exactly one owner user must always exist
 - [x] [P1] Create hidden technical support user by default (non-demotable, non-deletable)
 - [x] [P1] Admin registration policy control (allow/deny self-registration for admin panel)
 - [x] [P1] First-start onboarding route for initial owner creation (`/welcome`)
 - [x] [P1] Split auth entry points (`/welcome`, `/login`, `/register`) with cross-links
 - [x] [P2] Support fallback sign-in route (`/support/:key`) as break-glass access
 - [x] [P1] Reusable CRUD base patterns (list/detail/editor/service/repository)
 - [x] [P1] Shared CRUD validation strategy (Zod + server-side enforcement)
 - [x] [P1] Shared error and audit hooks for CRUD mutations
 ### Admin App
 - [x] [P1] Separate Next.js admin app in monorepo
 - [x] [P1] App Router + TypeScript + `src/` structure
 - [x] [P1] Shared DB access via `@cms/db`
- [~] [P2] Base admin dashboard shell and roadmap page (`/todo`)
+- [x] [P2] Base admin dashboard shell and roadmap page (`/todo`)
- [ ] [P1] Authentication and session model (`admin`, `editor`, `manager`)
+- [x] [P1] Authentication and session model (`admin`, `editor`, `manager`)
- [ ] [P1] Protected admin routes and session handling
+- [x] [P1] Protected admin routes and session handling
- [ ] [P1] Core admin IA (pages/media/users/commissions/settings)
+- [x] [P1] Temporary admin posts CRUD sandbox for baseline functional validation
 - [x] [P1] Core admin IA (pages/media/users/commissions/settings)
 ### Public App
 - [x] [P1] Separate Next.js public app in monorepo
 - [x] [P1] App Router + TypeScript + `src/` structure
- [~] [P1] Public app connected to shared data layer
+- [x] [P1] Public app connected to shared data layer
- [ ] [P2] Public layout system (header/footer/navigation)
+- [x] [P1] Localized route structure and middleware rules
- [ ] [P1] Header banner rendering from CMS-managed content
+- [x] [P2] Public layout system (header/footer/navigation)
- [ ] [P2] Basic SEO defaults (metadata, OG, sitemap, robots)
+- [x] [P1] Header banner rendering from CMS-managed content
 - [x] [P2] Basic SEO defaults (metadata, OG, sitemap, robots)
 ### Testing
 - [x] [P1] Vitest + Testing Library + MSW baseline
 - [x] [P1] Playwright baseline with web/admin projects
- [ ] [P1] CI workflow for lint/typecheck/unit/e2e gates
+- [x] [P1] CI workflow for lint/typecheck/unit/e2e gates
- [ ] [P1] Test data strategy (seed fixtures + isolated e2e data)
+- [x] [P1] Test data strategy (seed fixtures + isolated e2e data)
- [ ] [P1] RBAC policy unit tests and permission regression suite
+- [x] [P1] RBAC policy unit tests and permission regression suite
- [ ] [P1] CRUD contract tests for shared service patterns
+- [x] [P1] i18n unit tests (locale resolution, fallback, message key loading)
 - [x] [P1] i18n integration tests (admin/public locale switch and persistence)
 - [x] [P1] i18n e2e smoke tests (localized headings/content per route)
 - [x] [P1] CRUD contract tests for shared service patterns
 ### Documentation
 - [x] [P1] Docs tool baseline added (`docs/` via VitePress)
 - [x] [P1] RBAC and permission model documentation in docs site
 - [x] [P2] i18n conventions docs (keys, namespaces, fallback, translation workflow)
 - [x] [P1] CRUD base patterns documentation and examples
 - [x] [P1] Environment and deployment runbook docs (dev/staging/production)
 - [x] [P2] API and domain glossary pages
 - [x] [P2] Architecture Decision Records (ADR) structure and first ADRs
 ### Delivery Pipeline And Runtime
- [x] [P2] Theoretical Gitea Actions workflow scaffold (`.gitea/workflows/ci-cd-theoretical.yml`)
+- [x] [P2] Gitea workflow baseline (`.gitea/workflows/ci.yml`, `.gitea/workflows/deploy.yml`, `.gitea/workflows/release.yml`)
 - [x] [P2] Bun-based Dockerfiles for public and admin apps
 - [x] [P2] Staging and production docker-compose templates
- [ ] [P1] Registry credentials and image push strategy
+- [x] [P1] Registry credentials and image push strategy
- [ ] [P1] Staging deployment automation against real host
+- [~] [P1] Staging deployment automation against real host
- [ ] [P1] Production promotion and rollback procedure
+- [~] [P1] Production promotion and rollback procedure
 ### Git Flow And Branching
- [ ] [P1] Protect `main` and `staging` branches in Gitea
+- [~] [P1] Protect `main` and `staging` branches in Gitea
- [ ] [P1] Define PR gates: lint + typecheck + unit + e2e list minimum
+- [x] [P1] Define PR gates: lint + typecheck + unit + e2e list minimum
- [ ] [P1] Enforce one todo item per branch naming convention
+- [x] [P1] Enforce one todo item per branch naming convention
- [ ] [P2] Add PR template requiring linked TODO step
+- [x] [P2] Add PR template requiring linked TODO step
- [ ] [P2] Define branch lifecycle for `todo/*`, `refactor/*`, and `code/*`
+- [x] [P2] Define branch lifecycle for `todo/*`, `refactor/*`, and `code/*`
 - [x] [P2] Conventional commit schema documentation (`CONTRIBUTING.md`)
 - [x] [P2] Changelog scaffold and generation scripts (`CHANGELOG.md`, `bun run changelog:*`)
- [ ] [P1] Release tagging and changelog publication policy in CI
+- [x] [P1] Versioning policy definition (SemVer strategy + when to bump major/minor/patch)
 - [x] [P1] Source of truth for version (`package.json` root) and release tagging rules (`vX.Y.Z`)
 - [x] [P1] Build metadata policy for git hash (`+sha.<short>`) in app runtime footer
 - [x] [P1] App footer implementation plan for version + commit hash (admin + web)
 - [x] [P2] Automated version injection in CI (stamping build from tag + commit hash)
 - [x] [P2] Validation tests for displayed version/hash consistency per deployment
 - [x] [P1] Release tagging and changelog publication policy in CI
 ### MVP0 Close-Out Checklist
 - [~] [P1] Verify and document protected branch rules in Gitea (`main`, `staging`)
 - [~] [P1] Run first staging deployment against a real host with deploy workflow and document result
 - [x] [P1] Replace release workflow placeholders with real release-notes and rollback execution steps
 - [x] [P1] Expose runtime version + short git hash in admin and public app footer
 - [x] [P2] Add CI build stamping for version/hash values consumed by app footers
 - [x] [P2] Add automated tests validating displayed version/hash format and consistency
 ## MVP 1: Core CMS Business Features
 ### MVP1 Suggested Branch Order
 - [x] [P1] `todo/mvp1-media-foundation`:
  media model, artwork entity, grouping primitives (gallery/album/category/tag), rendition slots
 - [~] [P1] `todo/mvp1-media-upload-pipeline`:
  S3/local upload adapter, media processing presets, metadata input flows, admin media CRUD UI
 - [~] [P1] `todo/mvp1-pages-navigation-builder`:
  page CRUD, navigation tree, reusable page blocks (forms/price cards/gallery embeds)
 - [ ] [P1] `todo/mvp1-commissions-customers`:
  commission request intake + admin CRUD + kanban + customer entity/linking
 - [ ] [P1] `todo/mvp1-announcements-news`:
  announcement management/rendering + news/blog CRUD and public rendering
 - [ ] [P1] `todo/mvp1-public-rendering-integration`:
  public rendering for pages/navigation/media/portfolio/announcements and commissioning entrypoints
 - [ ] [P1] `todo/mvp1-e2e-happy-paths`:
  end-to-end scenarios for page publish, media flow, announcement display, commission flow
 ### Separate Product Ideas Backlog (Non-Blocking)
 - [ ] [P2] Smart homepage section presets for artists (featured artwork, latest news, open commissions)
 - [ ] [P2] Portfolio narrative mode (series story + process notes + ordered media sequence)
 - [ ] [P2] Reusable CTA/form snippets with per-page override tokens
 - [ ] [P2] Lightweight CRM timeline per customer (requests, replies, outcomes)
 - [ ] [P3] AI-assisted alt text and metadata suggestion workflow (human approval required)
 - [ ] [P3] Auto-generated social crops/promo packs from selected artworks
 ### Admin App (Primary Focus)
- [ ] [P1] Page management (create/edit/publish/unpublish/schedule)
+- [~] [P1] Page management (create/edit/publish/unpublish/schedule)
- [ ] [P1] Navigation management (menus, nested items, order, visibility)
+- [ ] [P1] Page builder with reusable content blocks (hero, rich text, gallery, CTA, forms, price cards)
- [ ] [P1] Media library (upload, browse, replace, delete)
+- [~] [P1] Navigation management (menus, nested items, order, visibility)
- [ ] [P1] Media enrichment metadata (alt text, copyright, author, source, tags)
+- [~] [P1] Media library (upload, browse, replace, delete) with media-type classification (artwork, banner, promo, generic, video/gif)
- [ ] [P1] Media refinement for artworks (medium, dimensions, year, framing, availability)
+- [ ] [P1] Media enrichment metadata (alt text, copyright, author, source, tags, licensing, usage context)
 - [ ] [P1] Portfolio grouping primitives (galleries, albums, categories, tags) with ordering/visibility controls
 - [ ] [P1] Artwork refinement fields (medium, dimensions, year, framing, availability, price visibility)
 - [ ] [P1] Artwork rendition management (thumbnail, card, full, retina/custom sizes)
 - [ ] [P1] Type-specific processing presets (artwork/banner/promo/video/gif) with validation rules
 - [ ] [P1] Users management (invite, roles, status)
- [ ] [P1] Commissions management (request intake, owner, due date, notes)
+- [ ] [P1] Disable/ban user function and enforcement in auth/session checks
 - [~] [P1] Owner/support protection rules in user management actions (cannot delete/demote)
 - [ ] [P1] Commissions management (request intake, owner, due date, notes, linked customer, linked artworks)
 - [ ] [P1] Customer records (contact profile, notes, consent flags, recurrence marker)
 - [ ] [P1] Customer-to-commission linkage and reuse workflow (no re-entry for recurring customers)
 - [ ] [P1] Kanban workflow for commissions (new, scoped, in-progress, review, done)
 - [ ] [P1] Header banner management (message, CTA, active window)
 - [ ] [P1] Announcements management (prominent site notices with schedule, priority, and audience targeting)
 - [ ] [P2] News/blog editorial workflow (draft/review/publish, authoring metadata)
 ### Public App
 - [ ] [P1] Dynamic page rendering from CMS page entities
 - [ ] [P1] Navigation rendering from managed menu structure
 - [ ] [P1] Media entity rendering with enrichment data
 - [ ] [P1] Portfolio views (gallery/album/category/tag) for artworks with filter and sort controls
 - [ ] [P1] Rendition-aware media delivery (thumbnail/card/full) per template slot
 - [ ] [P1] Translation-ready content model for public entities (pages/news/navigation labels)
 - [ ] [P2] Artwork views and listing filters
 - [ ] [P1] Commission request submission flow
 - [ ] [P1] Header banner render logic and fallbacks
 - [ ] [P1] Announcement render slots (homepage + optional global/top banner position)
 ### News / Blog (Secondary Track)
- [ ] [P2] News/blog content type (not primary CMS domain)
+- [ ] [P1] News/blog content type (editorial content for artist updates and process posts)
- [ ] [P2] Admin list/editor for news posts
+- [ ] [P1] Admin list/editor for news posts
- [ ] [P2] Public news index + detail pages
+- [ ] [P1] Public news index + detail pages
- [ ] [P3] Tag/category and basic archive support
+- [ ] [P2] Tag/category and basic archive support
 ### Testing
 - [ ] [P1] Unit tests for content schemas and service logic
 - [ ] [P1] Component tests for admin forms (pages/media/navigation)
 - [ ] [P1] Integration tests for owner invariant and hidden support-user protection
 - [ ] [P1] Integration tests for registration allow/deny behavior
 - [ ] [P1] Integration tests for translated content CRUD and locale-specific validation
 - [ ] [P1] E2E happy paths: create page, publish, see on public app
 - [ ] [P1] E2E happy paths: media upload + artwork refinement display
 - [ ] [P1] E2E happy paths: commissions kanban transitions
@@ -118,6 +202,18 @@ This file is the single source of truth for roadmap and delivery progress.
 - [ ] [P1] Audit log for key content operations
 - [ ] [P2] Revision history for pages/navigation/media metadata
 - [ ] [P1] Permission matrix refinement with granular scopes
 - [ ] [P2] Media processing orchestration UI (queue status, retries, processing diagnostics)
 - [ ] [P2] Automatic color palette extraction from artworks (stored for theming/filtering)
 - [ ] [P2] Watermark pipeline for artwork renditions with configurable watermark asset/position/opacity
 - [ ] [P2] Advanced media transforms by type (video transcode profiles, gif optimization, banner safe-area presets)
 - [ ] [P2] Announcement targeting refinement (locale/segment targeting rules)
 - [ ] [P2] Customer lifecycle tooling (status stages, communication history, export)
 - [ ] [P1] Verify email pipeline and operational templates (welcome/verify/resend)
 - [ ] [P1] Forgot password/reset password pipeline and support tooling
 - [ ] [P2] GUI page to edit role-permission mappings with safety guardrails
 - [ ] [P2] Translation management UI for admin (language toggles, key coverage, missing translation markers)
 - [ ] [P2] Time-boxed support access keys generated by privileged admins; while active, disable direct support-user password login on the regular auth form
 - [ ] [P2] Keep permanent emergency support key fallback via env (`CMS_SUPPORT_LOGIN_KEY`)
 - [ ] [P2] Error boundaries and UX fallback states
 ### Public App
@@ -126,6 +222,7 @@ This file is the single source of truth for roadmap and delivery progress.
 - [ ] [P2] Performance budget checks (Core Web Vitals)
 - [ ] [P1] 404/500 content-aware error pages
 - [ ] [P1] Accessibility review and fixes
 - [ ] [P2] Theme assistance from extracted artwork palettes (opt-in per page/section)
 ### Platform
@@ -141,12 +238,43 @@ This file is the single source of truth for roadmap and delivery progress.
 - [ ] [P2] Load/perf tests for key public routes
 - [ ] [P2] Flake tracking and quarantine policy for e2e
 - [ ] [P1] Coverage thresholds and enforcement policy
 - [ ] [P1] Locale matrix regression suite for critical user journeys
 ## Discovery Log
 - [2026-02-10] Prisma client must be generated before app/e2e startup to avoid runtime module errors.
 - [2026-02-10] `bun test` conflicts with Playwright-style test files; keep e2e files on `*.pw.ts` and run e2e via Playwright.
 - [2026-02-10] Linux Playwright runtime depends on host packages; browser setup may require `playwright install --with-deps`.
 - [2026-02-10] Next.js 16 deprecates `middleware.ts` convention in favor of `proxy.ts`; admin route guard now lives at `apps/admin/src/proxy.ts`.
 - [2026-02-10] `server-only` imports break Bun CLI scripts; shared auth bootstrap code used by scripts must avoid Next-only runtime markers.
 - [2026-02-10] Auth delete-account endpoints now block protected users (support + canonical owner); admin user-management delete/demote guards remain to be implemented.
 - [2026-02-10] Public app i18n baseline now uses `next-intl` with a Zustand-backed language switcher and path-stable routes.
 - [2026-02-10] Public baseline locales are now `de`, `en`, `es`, `fr`; locale enable/disable policy will move to admin settings later.
 - [2026-02-10] Shared CRUD base (`@cms/crud`) is live with validation, not-found errors, and audit hook contracts; only posts are migrated so far.
 - [2026-02-10] Admin dashboard includes a temporary posts CRUD sandbox (create/update/delete) to validate the shared CRUD base through the real app UI.
 - [2026-02-10] Admin i18n baseline now resolves locale from cookie and loads runtime message dictionaries in root layout; admin locale switcher is active on auth and dashboard views.
 - [2026-02-10] Admin self-registration policy is now managed via `/settings` and persisted in `system_setting`; env var is fallback/default only.
 - [2026-02-10] E2E now runs with deterministic preparation (`test:e2e:prepare`: generate + migrate deploy + seed) before Playwright execution.
 - [2026-02-10] CI quality workflow `.gitea/workflows/ci.yml` enforces `check`, `typecheck`, `test`, and `test:e2e` against a PostgreSQL service.
 - [2026-02-10] Admin app now uses a shared shell with permission-aware navigation and dedicated IA routes (`/pages`, `/media`, `/users`, `/commissions`).
 - [2026-02-10] Public app now has a shared site layout (`banner/header/footer`), DB-backed header banner config, and SEO defaults (`metadata`, `robots`, `sitemap`).
 - [2026-02-10] Testing baseline now includes explicit RBAC regression checks, locale-resolution unit tests (admin/web), CRUD service contract tests, and i18n smoke e2e routes.
 - [2026-02-10] i18n conventions are now documented as an engineering standard (`docs/product-engineering/i18n-conventions.md`).
 - [2026-02-10] Docs now include a domain glossary, public API glossary, and ADR baseline with initial accepted decision (`ADR 0001`).
 - [2026-02-10] Delivery and release governance now include branch/PR policy checks, deploy/release workflows, and explicit versioning policy (`VERSIONING.md`).
 - [2026-02-11] Release workflow now publishes changelog-derived notes to Gitea releases and supports executable production rollback via SSH + compose tag switch.
 - [2026-02-11] Branch protection verification checklist is now documented; final UI-level verification remains environment-specific.
 - [2026-02-11] Added a staging deployment execution checklist and deployment-record template to capture first real-host rollout evidence.
 - [2026-02-11] Artist-focused feature map refined: MVP1 covers portfolio media/domain CRUD + announcements + customer/commission linking; MVP2 covers advanced automation (watermark, palette extraction, media transform pipelines).
 - [2026-02-11] `gaertan` inspiration to reuse: S3 object strategy with signed delivery, commission type/options/extras/custom-input modeling, request-status kanban mapping, and gallery rendition/color extraction patterns.
 - [2026-02-11] MVP1 media foundation started: portfolio domain models (`MediaAsset`, `Artwork`, galleries/albums/categories/tags, rendition links) plus initial admin `/media` and `/portfolio` data views.
 - [2026-02-11] `prisma migrate dev --name media_foundation` can fail when DB endpoint is unreachable; apply this named migration once `DATABASE_URL` host is reachable again.
 - [2026-02-11] MVP1 media foundation now includes baseline create/link workflows in admin (`/media`, `/portfolio`), seeded sample portfolio entities, and schema/service test coverage.
 - [2026-02-12] MVP1 media upload pipeline started: admin `/api/media/upload` accepts metadata + file upload with permission checks, stores files via local adapter (`.data/media`), and persists upload metadata to `MediaAsset`.
 - [2026-02-12] Upload storage is now provider-based (`local` + `s3`) via `CMS_MEDIA_STORAGE_PROVIDER`; admin-side GUI toggle remains a later MVP item.
 - [2026-02-12] Media storage keys now use asset-centric layout (`tenant/<id>/asset/<assetId>/<fileRole>/<assetId>__<variant>.<ext>`) with DB-managed media taxonomy.
 - [2026-02-12] Admin media CRUD now includes list-to-detail flow (`/media/:id`) with metadata edit and delete actions.
 - [2026-02-12] MVP1 pages/navigation baseline started: `Page`, `NavigationMenu`, and `NavigationItem` models plus admin CRUD routes (`/pages`, `/pages/:id`, `/navigation`).
 ## How We Use This File
--- a/VERSIONING.md
+++ b/VERSIONING.md
@@ -0,0 +1,71 @@
 # Versioning Policy
 ## Source Of Truth
 - Canonical version: root `package.json` field `version`
 - Tag format: `vX.Y.Z`
 Tag validation is enforced in CI:
 - `.gitea/scripts/validate-tag-version.sh`
 ## SemVer Strategy
 - `major`: breaking API/behavior changes
 - `minor`: backward-compatible features
 - `patch`: backward-compatible fixes
 ## Build Metadata Policy
 Use git metadata in runtime display format:
 - `<version>+sha.<short>`
 Example:
 - `0.1.0+sha.a1b2c3d`
 ## Footer Display Plan (Admin + Web)
 Planned runtime footer fields:
 - app name
 - version from root `package.json`
 - commit hash (short)
 - environment (`dev|staging|production`)
 Implementation note:
 - inject values at build/deploy time through env vars
 - render in shared footer components
 ## CI Version Injection
 Release/deploy workflows pass release tag and commit metadata:
 - `.gitea/workflows/release.yml`
 - `.gitea/workflows/deploy.yml`
 Required inputs:
 - release tag (`vX.Y.Z`)
 - image tag for deployment
 ## Validation Strategy
 CI validations:
 - tag equals `v${package.json.version}`
 - required checks pass before release builds
 Runtime validations (planned):
 - smoke tests assert footer version/hash format
 - environment-specific deployment checks assert expected image tag
 ## Changelog and Release Publication
 - changelog generation command:
  - `bun run changelog:release`
 - release workflow generates changelog on tag pipeline
 - release notes publication remains a dedicated step in CI workflow.
--- a/apps/admin/package.json
+++ b/apps/admin/package.json
@@ -7,30 +7,34 @@
    "dev": "bun --env-file=../../.env next dev --port 3001",
    "build": "bun --env-file=../../.env next build",
    "start": "bun --env-file=../../.env next start --port 3001",
    "auth:seed:support": "bun --env-file=../../.env ./scripts/seed-support-user.ts",
    "lint": "biome check src",
    "typecheck": "tsc -p tsconfig.json --noEmit"
  },
  "dependencies": {
    "@aws-sdk/client-s3": "3.988.0",
    "@cms/content": "workspace:*",
    "@cms/db": "workspace:*",
    "@cms/i18n": "workspace:*",
    "@cms/ui": "workspace:*",
-    "@tanstack/react-form": "latest",
+    "@tanstack/react-form": "1.28.0",
-    "@tanstack/react-query": "latest",
+    "@tanstack/react-query": "5.90.20",
-    "@tanstack/react-query-devtools": "latest",
+    "@tanstack/react-query-devtools": "5.91.3",
-    "@tanstack/react-table": "latest",
+    "@tanstack/react-table": "8.21.3",
-    "next": "latest",
+    "better-auth": "1.4.18",
-    "react": "latest",
+    "next": "16.1.6",
-    "react-dom": "latest",
+    "react": "19.2.4",
-    "zustand": "latest"
+    "react-dom": "19.2.4",
    "zustand": "5.0.11"
  },
  "devDependencies": {
    "@cms/config": "workspace:*",
-    "@biomejs/biome": "latest",
+    "@biomejs/biome": "2.3.14",
-    "@tailwindcss/postcss": "latest",
+    "@tailwindcss/postcss": "4.1.18",
-    "@types/node": "latest",
+    "@types/node": "25.2.2",
-    "@types/react": "latest",
+    "@types/react": "19.2.13",
-    "@types/react-dom": "latest",
+    "@types/react-dom": "19.2.3",
-    "tailwindcss": "latest",
+    "tailwindcss": "4.1.18",
-    "typescript": "latest"
+    "typescript": "5.9.3"
  }
 }
--- a/apps/admin/scripts/seed-support-user.ts
+++ b/apps/admin/scripts/seed-support-user.ts
@@ -0,0 +1,11 @@
 import { ensureSupportUserBootstrap } from "../src/lib/auth/server"
 async function main() {
  await ensureSupportUserBootstrap()
  console.log("Support user bootstrap completed")
 }
 main().catch((error) => {
  console.error(error)
  process.exit(1)
 })
--- a/apps/admin/src/app/api/auth/[...all]/route.ts
+++ b/apps/admin/src/app/api/auth/[...all]/route.ts
@@ -0,0 +1,252 @@
 import {
  auth,
  authRouteHandlers,
  canDeleteUserAccount,
  canUserSelfRegister,
  ensureSupportUserBootstrap,
  ensureUserUsername,
  hasOwnerUser,
  promoteFirstRegisteredUserToOwner,
  resolveEmailFromLoginIdentifier,
 } from "@/lib/auth/server"
 export const runtime = "nodejs"
 type AuthPostResponse = {
  user?: {
    id?: string
    role?: string
    email?: string
    name?: string
    username?: string
  }
  message?: string
 }
 function jsonResponse(payload: unknown, status: number): Response {
  return Response.json(payload, { status })
 }
 async function parseJsonBody(request: Request): Promise<Record<string, unknown> | null> {
  return (await request.json().catch(() => null)) as Record<string, unknown> | null
 }
 function buildJsonRequest(request: Request, body: Record<string, unknown>): Request {
  const headers = new Headers(request.headers)
  headers.set("content-type", "application/json")
  return new Request(request.url, {
    method: request.method,
    headers,
    body: JSON.stringify(body),
  })
 }
 function isDeleteUserAuthPath(pathname: string): boolean {
  const actionPrefix = "/api/auth/"
  const actionIndex = pathname.indexOf(actionPrefix)
  if (actionIndex === -1) {
    return false
  }
  const actionPath = pathname.slice(actionIndex + actionPrefix.length)
  return actionPath === "delete-user" || actionPath.startsWith("delete-user/")
 }
 async function guardProtectedAccountDeletion(request: Request): Promise<Response | null> {
  const pathname = new URL(request.url).pathname
  if (!isDeleteUserAuthPath(pathname)) {
    return null
  }
  const session = await auth.api
    .getSession({
      headers: request.headers,
    })
    .catch(() => null)
  const userId = session?.user?.id
  if (!userId) {
    return null
  }
  const allowed = await canDeleteUserAccount(userId)
  if (allowed) {
    return null
  }
  return jsonResponse(
    {
      message: "This account is protected and cannot be deleted.",
    },
    403,
  )
 }
 async function handleSignInPost(request: Request): Promise<Response> {
  await ensureSupportUserBootstrap()
  const body = await parseJsonBody(request)
  const identifier = typeof body?.identifier === "string" ? body.identifier : null
  const rawEmail = typeof body?.email === "string" ? body.email : null
  const resolvedEmail = await resolveEmailFromLoginIdentifier(identifier ?? rawEmail)
  if (!resolvedEmail) {
    return jsonResponse(
      {
        message: "Invalid email or username.",
      },
      401,
    )
  }
  const rewrittenBody = {
    ...(body ?? {}),
    email: resolvedEmail,
  }
  return authRouteHandlers.POST(buildJsonRequest(request, rewrittenBody))
 }
 async function handleSignUpPost(request: Request): Promise<Response> {
  await ensureSupportUserBootstrap()
  const signUpBody = await parseJsonBody(request)
  const preferredUsername =
    typeof signUpBody?.username === "string" ? signUpBody.username : undefined
  const { username: _ignoredUsername, ...signUpBodyWithoutUsername } = signUpBody ?? {}
  const hadOwnerBeforeSignUp = await hasOwnerUser()
  const registrationEnabled = await canUserSelfRegister()
  if (!registrationEnabled) {
    return jsonResponse(
      {
        message: "Registration is currently disabled.",
      },
      403,
    )
  }
  const response = await authRouteHandlers.POST(
    buildJsonRequest(request, {
      ...signUpBodyWithoutUsername,
    }),
  )
  if (!response.ok) {
    return response
  }
  const payload = (await response
    .clone()
    .json()
    .catch(() => null)) as AuthPostResponse | null
  const userId = payload?.user?.id
  if (!userId) {
    return response
  }
  await ensureUserUsername(userId, {
    preferred: preferredUsername,
    fallbackEmail: payload?.user?.email,
    fallbackName: payload?.user?.name,
  })
  if (hadOwnerBeforeSignUp || !payload?.user) {
    return response
  }
  const promoted = await promoteFirstRegisteredUserToOwner(userId)
  if (!promoted) {
    return jsonResponse(
      {
        message: "Initial owner registration window has just closed. Please sign in instead.",
      },
      409,
    )
  }
  payload.user.role = "owner"
  return new Response(JSON.stringify(payload), {
    status: response.status,
    headers: response.headers,
  })
 }
 export async function GET(request: Request): Promise<Response> {
  await ensureSupportUserBootstrap()
  const deletionGuardResponse = await guardProtectedAccountDeletion(request)
  if (deletionGuardResponse) {
    return deletionGuardResponse
  }
  return authRouteHandlers.GET(request)
 }
 export async function POST(request: Request): Promise<Response> {
  const pathname = new URL(request.url).pathname
  if (pathname.endsWith("/sign-in/email")) {
    return handleSignInPost(request)
  }
  if (pathname.endsWith("/sign-up/email")) {
    return handleSignUpPost(request)
  }
  await ensureSupportUserBootstrap()
  const deletionGuardResponse = await guardProtectedAccountDeletion(request)
  if (deletionGuardResponse) {
    return deletionGuardResponse
  }
  return authRouteHandlers.POST(request)
 }
 export async function PATCH(request: Request): Promise<Response> {
  await ensureSupportUserBootstrap()
  const deletionGuardResponse = await guardProtectedAccountDeletion(request)
  if (deletionGuardResponse) {
    return deletionGuardResponse
  }
  return authRouteHandlers.PATCH(request)
 }
 export async function PUT(request: Request): Promise<Response> {
  await ensureSupportUserBootstrap()
  const deletionGuardResponse = await guardProtectedAccountDeletion(request)
  if (deletionGuardResponse) {
    return deletionGuardResponse
  }
  return authRouteHandlers.PUT(request)
 }
 export async function DELETE(request: Request): Promise<Response> {
  await ensureSupportUserBootstrap()
  const deletionGuardResponse = await guardProtectedAccountDeletion(request)
  if (deletionGuardResponse) {
    return deletionGuardResponse
  }
  return authRouteHandlers.DELETE(request)
 }
--- a/apps/admin/src/app/api/media/file/[id]/route.ts
+++ b/apps/admin/src/app/api/media/file/[id]/route.ts
@@ -0,0 +1,120 @@
 import { readFile } from "node:fs/promises"
 import path from "node:path"
 import { GetObjectCommand } from "@aws-sdk/client-s3"
 import { hasPermission } from "@cms/content/rbac"
 import { getMediaAssetById } from "@cms/db"
 import { auth, resolveRoleFromAuthSession } from "@/lib/auth/server"
 import { resolveLocalMediaBaseDirectory } from "@/lib/media/local-storage"
 import { createS3Client, resolveS3Config } from "@/lib/media/s3-storage"
 import { resolveMediaStorageProvider } from "@/lib/media/storage"
 export const runtime = "nodejs"
 type RouteContext = {
  params: Promise<{ id: string }>
 }
 async function readFromLocalStorage(storageKey: string): Promise<Uint8Array> {
  const baseDirectory = resolveLocalMediaBaseDirectory()
  const outputPath = path.join(baseDirectory, storageKey)
  return readFile(outputPath)
 }
 async function readFromS3Storage(storageKey: string): Promise<Uint8Array> {
  const config = resolveS3Config()
  const client = createS3Client(config)
  const response = await client.send(
    new GetObjectCommand({
      Bucket: config.bucket,
      Key: storageKey,
    }),
  )
  if (!response.Body) {
    throw new Error("S3 object body is empty")
  }
  return response.Body.transformToByteArray()
 }
 function toBody(data: Uint8Array): BodyInit {
  const bytes = new Uint8Array(data.byteLength)
  bytes.set(data)
  return bytes
 }
 export async function GET(request: Request, context: RouteContext): Promise<Response> {
  const session = await auth.api
    .getSession({
      headers: request.headers,
    })
    .catch(() => null)
  const role = resolveRoleFromAuthSession(session)
  if (!role) {
    return Response.json(
      {
        message: "Unauthorized",
      },
      { status: 401 },
    )
  }
  if (!hasPermission(role, "media:read", "team")) {
    return Response.json(
      {
        message: "Missing permission: media:read",
      },
      { status: 403 },
    )
  }
  const { id } = await context.params
  const asset = await getMediaAssetById(id)
  if (!asset || !asset.storageKey) {
    return Response.json(
      {
        message: "Media file not found",
      },
      { status: 404 },
    )
  }
  const preferred = resolveMediaStorageProvider(process.env.CMS_MEDIA_STORAGE_PROVIDER)
  const reads =
    preferred === "s3"
      ? [
          () => readFromS3Storage(asset.storageKey as string),
          () => readFromLocalStorage(asset.storageKey as string),
        ]
      : [
          () => readFromLocalStorage(asset.storageKey as string),
          () => readFromS3Storage(asset.storageKey as string),
        ]
  for (const read of reads) {
    try {
      const data = await read()
      return new Response(toBody(data), {
        status: 200,
        headers: {
          "content-type": asset.mimeType || "application/octet-stream",
          "cache-control": "private, max-age=0, no-store",
        },
      })
    } catch {
      // Try next backend.
    }
  }
  return Response.json(
    {
      message: "Unable to read media file from configured storage backends",
    },
    { status: 404 },
  )
 }
--- a/apps/admin/src/app/api/media/upload/route.ts
+++ b/apps/admin/src/app/api/media/upload/route.ts
@@ -0,0 +1,207 @@
 import { randomUUID } from "node:crypto"
 import { hasPermission } from "@cms/content/rbac"
 import { createMediaAsset } from "@cms/db"
 import { auth, resolveRoleFromAuthSession } from "@/lib/auth/server"
 import { storeUpload } from "@/lib/media/storage"
 export const runtime = "nodejs"
 const MAX_UPLOAD_BYTES = Number(process.env.CMS_MEDIA_UPLOAD_MAX_BYTES ?? 25 * 1024 * 1024)
 type AllowedRule = {
  mimePrefix?: string
  mimeExact?: string[]
 }
 const ALLOWED_MIME_BY_TYPE: Record<string, AllowedRule> = {
  artwork: {
    mimePrefix: "image/",
  },
  banner: {
    mimePrefix: "image/",
  },
  promotion: {
    mimePrefix: "image/",
  },
  video: {
    mimePrefix: "video/",
  },
  gif: {
    mimeExact: ["image/gif"],
  },
  generic: {
    mimePrefix: "",
  },
 }
 function parseTextField(formData: FormData, field: string): string {
  const value = formData.get(field)
  return typeof value === "string" ? value.trim() : ""
 }
 function parseOptionalField(formData: FormData, field: string): string | undefined {
  const value = parseTextField(formData, field)
  return value.length > 0 ? value : undefined
 }
 function parseTags(formData: FormData): string[] {
  const value = parseTextField(formData, "tags")
  if (!value) {
    return []
  }
  return value
    .split(",")
    .map((item) => item.trim())
    .filter((item) => item.length > 0)
 }
 function deriveTitleFromFilename(fileName: string): string {
  const trimmed = fileName.trim()
  if (!trimmed) {
    return "Untitled media"
  }
  const dotIndex = trimmed.lastIndexOf(".")
  const base = dotIndex > 0 ? trimmed.slice(0, dotIndex) : trimmed
  const normalized = base.trim()
  return normalized.length > 0 ? normalized : "Untitled media"
 }
 function isMimeAllowed(mediaType: string, mimeType: string): boolean {
  const rule = ALLOWED_MIME_BY_TYPE[mediaType]
  if (!rule) {
    return false
  }
  if (rule.mimeExact?.includes(mimeType)) {
    return true
  }
  if (rule.mimePrefix === "") {
    return true
  }
  return rule.mimePrefix ? mimeType.startsWith(rule.mimePrefix) : false
 }
 function badRequest(message: string): Response {
  return Response.json(
    {
      message,
    },
    { status: 400 },
  )
 }
 export async function POST(request: Request): Promise<Response> {
  const session = await auth.api
    .getSession({
      headers: request.headers,
    })
    .catch(() => null)
  const role = resolveRoleFromAuthSession(session)
  if (!role) {
    return Response.json(
      {
        message: "Unauthorized",
      },
      { status: 401 },
    )
  }
  if (!hasPermission(role, "media:write", "team")) {
    return Response.json(
      {
        message: "Missing permission: media:write",
      },
      { status: 403 },
    )
  }
  const formData = await request.formData().catch(() => null)
  if (!formData) {
    return badRequest("Invalid form payload.")
  }
  const type = parseTextField(formData, "type")
  const fileEntry = formData.get("file")
  if (!type) {
    return badRequest("Type is required.")
  }
  if (!(fileEntry instanceof File)) {
    return badRequest("File is required.")
  }
  if (fileEntry.size === 0) {
    return badRequest("File is empty.")
  }
  if (fileEntry.size > MAX_UPLOAD_BYTES) {
    return badRequest(
      `File is too large. Maximum upload is ${Math.floor(MAX_UPLOAD_BYTES / 1024 / 1024)} MB.`,
    )
  }
  if (!isMimeAllowed(type, fileEntry.type)) {
    return badRequest(`File type ${fileEntry.type || "unknown"} is not allowed for ${type}.`)
  }
  const title = parseTextField(formData, "title") || deriveTitleFromFilename(fileEntry.name)
  const mediaAssetId = randomUUID()
  const variant = "original"
  const fileRole = "original"
  try {
    const stored = await storeUpload({
      file: fileEntry,
      assetId: mediaAssetId,
      variant,
      fileRole,
    })
    const created = await createMediaAsset({
      id: mediaAssetId,
      title,
      type,
      description: parseOptionalField(formData, "description"),
      altText: parseOptionalField(formData, "altText"),
      source: parseOptionalField(formData, "source"),
      copyright: parseOptionalField(formData, "copyright"),
      author: parseOptionalField(formData, "author"),
      tags: parseTags(formData),
      storageKey: stored.storageKey,
      mimeType: fileEntry.type || undefined,
      sizeBytes: fileEntry.size,
      isPublished: parseTextField(formData, "isPublished") === "true",
    })
    return Response.json(
      {
        id: created.id,
        provider: stored.provider,
        warning: stored.fallbackReason,
        notice: "Media uploaded successfully.",
      },
      { status: 201 },
    )
  } catch (error) {
    const message = error instanceof Error ? error.message : "Upload failed. Please try again."
    return Response.json(
      {
        message,
      },
      { status: 500 },
    )
  }
 }
--- a/apps/admin/src/app/commissions/page.tsx
+++ b/apps/admin/src/app/commissions/page.tsx
@@ -0,0 +1,34 @@
 import { AdminSectionPlaceholder } from "@/components/admin-section-placeholder"
 import { AdminShell } from "@/components/admin-shell"
 import { requirePermissionForRoute } from "@/lib/route-guards"
 export const dynamic = "force-dynamic"
 export default async function CommissionsManagementPage() {
  const role = await requirePermissionForRoute({
    nextPath: "/commissions",
    permission: "commissions:read",
    scope: "own",
  })
  return (
    <AdminShell
      role={role}
      activePath="/commissions"
      badge="Admin App"
      title="Commissions"
      description="Prepare commissions intake and kanban workflow tooling."
    >
      <AdminSectionPlaceholder
        feature="Commissions Workflow"
        summary="This route is reserved for request intake, ownership assignment, and kanban transitions."
        requiredPermission="commissions:read (own)"
        nextSteps={[
          "Add commissions board with status columns.",
          "Add assignment, due-date, and notes editing.",
          "Add transition rules and audit history.",
        ]}
      />
    </AdminShell>
  )
 }
--- a/apps/admin/src/app/layout.tsx
+++ b/apps/admin/src/app/layout.tsx
@@ -1,6 +1,7 @@
 import type { Metadata } from "next"
 import type { ReactNode } from "react"
 import { getAdminMessages, resolveAdminLocale } from "@/i18n/server"
 import "./globals.css"
 import { Providers } from "./providers"
@@ -9,11 +10,16 @@ export const metadata: Metadata = {
  description: "Admin dashboard for the CMS monorepo",
 }
-export default function RootLayout({ children }: { children: ReactNode }) {
+export default async function RootLayout({ children }: { children: ReactNode }) {
  const locale = await resolveAdminLocale()
  const messages = await getAdminMessages(locale)
  return (
-    <html lang="en">
+    <html lang={locale}>
      <body>
-        <Providers>{children}</Providers>
+        <Providers locale={locale} messages={messages}>
          {children}
        </Providers>
      </body>
    </html>
  )
--- a/apps/admin/src/app/login/login-form.tsx
+++ b/apps/admin/src/app/login/login-form.tsx
@@ -0,0 +1,318 @@
 "use client"
 import Link from "next/link"
 import { useRouter, useSearchParams } from "next/navigation"
 import { type FormEvent, useMemo, useState } from "react"
 import { AdminLocaleSwitcher } from "@/components/admin-locale-switcher"
 import { useAdminT } from "@/providers/admin-i18n-provider"
 type LoginFormProps = {
  mode: "signin" | "signup-owner" | "signup-user" | "signup-disabled"
 }
 type AuthResponse = {
  user?: {
    role?: string
  }
  message?: string
 }
 function persistRoleCookie(role: unknown) {
  if (typeof role !== "string") {
    return
  }
  // biome-ignore lint/suspicious/noDocumentCookie: Temporary fallback for middleware role resolution.
  document.cookie = `cms_role=${encodeURIComponent(role)}; Path=/; SameSite=Lax`
 }
 export function LoginForm({ mode }: LoginFormProps) {
  const router = useRouter()
  const searchParams = useSearchParams()
  const t = useAdminT()
  const nextPath = useMemo(() => searchParams.get("next") || "/", [searchParams])
  const [name, setName] = useState("Admin User")
  const [username, setUsername] = useState("")
  const [email, setEmail] = useState("")
  const [password, setPassword] = useState("")
  const [isBusy, setIsBusy] = useState(false)
  const [error, setError] = useState<string | null>(null)
  const [success, setSuccess] = useState<string | null>(null)
  const canSubmitSignUp = mode === "signup-owner" || mode === "signup-user"
  async function handleSignIn(event: FormEvent<HTMLFormElement>) {
    event.preventDefault()
    setIsBusy(true)
    setError(null)
    setSuccess(null)
    try {
      const response = await fetch("/api/auth/sign-in/email", {
        method: "POST",
        headers: {
          "content-type": "application/json",
        },
        body: JSON.stringify({
          identifier: email,
          password,
          callbackURL: nextPath,
        }),
      })
      const payload = (await response.json().catch(() => null)) as AuthResponse | null
      if (!response.ok) {
        setError(payload?.message ?? t("auth.errors.signInFailed", "Sign in failed"))
        return
      }
      persistRoleCookie(payload?.user?.role)
      router.push(nextPath)
      router.refresh()
    } catch {
      setError(t("auth.errors.networkSignIn", "Network error while signing in"))
    } finally {
      setIsBusy(false)
    }
  }
  async function handleSignUp(event: FormEvent<HTMLFormElement>) {
    event.preventDefault()
    if (!name.trim()) {
      setError(t("auth.errors.nameRequired", "Name is required for account creation"))
      return
    }
    setIsBusy(true)
    setError(null)
    setSuccess(null)
    try {
      const response = await fetch("/api/auth/sign-up/email", {
        method: "POST",
        headers: {
          "content-type": "application/json",
        },
        body: JSON.stringify({
          name,
          username,
          email,
          password,
          callbackURL: nextPath,
        }),
      })
      const payload = (await response.json().catch(() => null)) as AuthResponse | null
      if (!response.ok) {
        setError(payload?.message ?? t("auth.errors.signUpFailed", "Sign up failed"))
        return
      }
      persistRoleCookie(payload?.user?.role)
      setSuccess(
        mode === "signup-owner"
          ? t("auth.messages.ownerCreated", "Owner account created. Registration is now disabled.")
          : t("auth.messages.accountCreated", "Account created."),
      )
      router.push(nextPath)
      router.refresh()
    } catch {
      setError(t("auth.errors.networkSignUp", "Network error while signing up"))
    } finally {
      setIsBusy(false)
    }
  }
  return (
    <main className="mx-auto flex min-h-screen w-full max-w-md flex-col justify-center px-6 py-16">
      <div className="space-y-3">
        <div className="flex items-center justify-between gap-3">
          <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">
            {t("auth.badge", "Admin Auth")}
          </p>
          <AdminLocaleSwitcher />
        </div>
        <h1 className="text-3xl font-semibold tracking-tight">
          {mode === "signin"
            ? t("auth.titles.signIn", "Sign in to CMS Admin")
            : mode === "signup-owner"
              ? t("auth.titles.signUpOwner", "Welcome to CMS Admin")
              : mode === "signup-user"
                ? t("auth.titles.signUpUser", "Create an admin account")
                : t("auth.titles.signUpDisabled", "Registration is disabled")}
        </h1>
        <p className="text-sm text-neutral-600">
          {mode === "signin"
            ? t("auth.descriptions.signIn", "Better Auth is active on this app via /api/auth.")
            : mode === "signup-owner"
              ? t(
                  "auth.descriptions.signUpOwner",
                  "Create the first owner account to initialize this admin instance.",
                )
              : mode === "signup-user"
                ? t("auth.descriptions.signUpUser", "Self-registration is enabled for admin users.")
                : t(
                    "auth.descriptions.signUpDisabled",
                    "Self-registration is currently turned off by an administrator.",
                  )}
        </p>
      </div>
      {mode === "signin" ? (
        <form
          onSubmit={handleSignIn}
          className="mt-8 space-y-4 rounded-xl border border-neutral-200 p-6"
        >
          <div className="space-y-1">
            <label className="text-sm font-medium" htmlFor="email">
              {t("auth.fields.emailOrUsername", "Email or username")}
            </label>
            <input
              id="email"
              type="text"
              required
              value={email}
              onChange={(event) => setEmail(event.target.value)}
              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
            />
          </div>
          <div className="space-y-1">
            <label className="text-sm font-medium" htmlFor="password">
              {t("auth.fields.password", "Password")}
            </label>
            <input
              id="password"
              type="password"
              minLength={8}
              required
              value={password}
              onChange={(event) => setPassword(event.target.value)}
              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
            />
          </div>
          <button
            type="submit"
            disabled={isBusy}
            className="w-full rounded-md bg-neutral-900 px-4 py-2 text-sm font-medium text-white disabled:opacity-60"
          >
            {isBusy
              ? t("auth.actions.signInBusy", "Signing in...")
              : t("auth.actions.signInIdle", "Sign in")}
          </button>
          <p className="text-xs text-neutral-600">
            {t("auth.links.needAccount", "Need an account?")}{" "}
            <Link href={`/register?next=${encodeURIComponent(nextPath)}`} className="underline">
              {t("auth.links.register", "Register")}
            </Link>
          </p>
          {error ? <p className="text-sm text-red-600">{error}</p> : null}
        </form>
      ) : canSubmitSignUp ? (
        <form
          onSubmit={handleSignUp}
          className="mt-8 space-y-4 rounded-xl border border-neutral-200 p-6"
        >
          <div className="space-y-1">
            <label className="text-sm font-medium" htmlFor="name">
              {t("auth.fields.name", "Name")}
            </label>
            <input
              id="name"
              type="text"
              value={name}
              onChange={(event) => setName(event.target.value)}
              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
            />
          </div>
          <div className="space-y-1">
            <label className="text-sm font-medium" htmlFor="email">
              {t("auth.fields.email", "Email")}
            </label>
            <input
              id="email"
              type="email"
              required
              value={email}
              onChange={(event) => setEmail(event.target.value)}
              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
            />
          </div>
          <div className="space-y-1">
            <label className="text-sm font-medium" htmlFor="username">
              {t("auth.fields.username", "Username (optional)")}
            </label>
            <input
              id="username"
              type="text"
              value={username}
              onChange={(event) => setUsername(event.target.value)}
              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
            />
          </div>
          <div className="space-y-1">
            <label className="text-sm font-medium" htmlFor="password">
              {t("auth.fields.password", "Password")}
            </label>
            <input
              id="password"
              type="password"
              minLength={8}
              required
              value={password}
              onChange={(event) => setPassword(event.target.value)}
              className="w-full rounded-md border border-neutral-300 px-3 py-2 text-sm"
            />
          </div>
          <button
            type="submit"
            disabled={isBusy}
            className="w-full rounded-md bg-neutral-900 px-4 py-2 text-sm font-medium text-white disabled:opacity-60"
          >
            {isBusy
              ? t("auth.actions.signUpBusy", "Creating account...")
              : mode === "signup-owner"
                ? t("auth.actions.signUpOwnerIdle", "Create owner account")
                : t("auth.actions.signUpUserIdle", "Create account")}
          </button>
          <p className="text-xs text-neutral-600">
            {t("auth.links.alreadyHaveAccount", "Already have an account?")}{" "}
            <Link href={`/login?next=${encodeURIComponent(nextPath)}`} className="underline">
              {t("auth.links.goToSignIn", "Go to sign in")}
            </Link>
          </p>
          {error ? <p className="text-sm text-red-600">{error}</p> : null}
          {success ? <p className="text-sm text-green-700">{success}</p> : null}
        </form>
      ) : (
        <section className="mt-8 space-y-4 rounded-xl border border-neutral-200 p-6">
          <p className="text-sm text-neutral-700">
            {t(
              "auth.messages.registrationDisabled",
              "Registration is disabled for this admin instance. Ask an administrator to create an account or enable self-registration.",
            )}
          </p>
          <p className="text-xs text-neutral-600">
            <Link href={`/login?next=${encodeURIComponent(nextPath)}`} className="underline">
              {t("auth.links.goToSignIn", "Go to sign in")}
            </Link>
          </p>
        </section>
      )}
    </main>
  )
 }
--- a/apps/admin/src/app/login/page.tsx
+++ b/apps/admin/src/app/login/page.tsx
@@ -0,0 +1,36 @@
 import { redirect } from "next/navigation"
 import { resolveRoleFromServerContext } from "@/lib/access-server"
 import { hasOwnerUser } from "@/lib/auth/server"
 import { LoginForm } from "./login-form"
 export const dynamic = "force-dynamic"
 type SearchParams = Promise<Record<string, string | string[] | undefined>>
 function getSingleValue(input: string | string[] | undefined): string | undefined {
  if (Array.isArray(input)) {
    return input[0]
  }
  return input
 }
 export default async function LoginPage({ searchParams }: { searchParams: SearchParams }) {
  const params = await searchParams
  const nextPath = getSingleValue(params.next) ?? "/"
  const role = await resolveRoleFromServerContext()
  if (role) {
    redirect("/")
  }
  const hasOwner = await hasOwnerUser()
  if (!hasOwner) {
    redirect(`/welcome?next=${encodeURIComponent(nextPath)}`)
  }
  return <LoginForm mode="signin" />
 }
--- a/apps/admin/src/app/logout-button.tsx
+++ b/apps/admin/src/app/logout-button.tsx
@@ -0,0 +1,36 @@
 "use client"
 import { Button } from "@cms/ui/button"
 import { useRouter } from "next/navigation"
 import { useState } from "react"
 export function LogoutButton() {
  const router = useRouter()
  const [isBusy, setIsBusy] = useState(false)
  async function handleLogout() {
    setIsBusy(true)
    try {
      await fetch("/api/auth/sign-out", {
        method: "POST",
        headers: {
          "content-type": "application/json",
        },
        body: JSON.stringify({ callbackURL: "/login" }),
      })
    } finally {
      // biome-ignore lint/suspicious/noDocumentCookie: Temporary cookie fallback until role resolution no longer needs this cookie.
      document.cookie = "cms_role=; Path=/; Max-Age=0; SameSite=Lax"
      router.push("/login")
      router.refresh()
      setIsBusy(false)
    }
  }
  return (
    <Button type="button" onClick={() => void handleLogout()} disabled={isBusy} variant="secondary">
      {isBusy ? "Signing out..." : "Sign out"}
    </Button>
  )
 }
--- a/apps/admin/src/app/media/[id]/page.tsx
+++ b/apps/admin/src/app/media/[id]/page.tsx
@@ -0,0 +1,423 @@
 import { deleteMediaAsset, getMediaAssetById, updateMediaAsset } from "@cms/db"
 import { Button } from "@cms/ui/button"
 import Link from "next/link"
 import { redirect } from "next/navigation"
 import { AdminShell } from "@/components/admin-shell"
 import { deleteStoredMediaObject } from "@/lib/media/storage"
 import { requirePermissionForRoute } from "@/lib/route-guards"
 export const dynamic = "force-dynamic"
 type SearchParamsInput = Record<string, string | string[] | undefined>
 type PageProps = {
  params: Promise<{ id: string }>
  searchParams: Promise<SearchParamsInput>
 }
 function readFirstValue(value: string | string[] | undefined): string | null {
  if (Array.isArray(value)) {
    return value[0] ?? null
  }
  return value ?? null
 }
 function readInputString(formData: FormData, field: string): string {
  const value = formData.get(field)
  return typeof value === "string" ? value.trim() : ""
 }
 function readNullableString(formData: FormData, field: string): string | null {
  const value = readInputString(formData, field)
  return value.length > 0 ? value : null
 }
 function readNullableInt(formData: FormData, field: string): number | null {
  const value = readInputString(formData, field)
  if (!value) {
    return null
  }
  const parsed = Number.parseInt(value, 10)
  if (!Number.isFinite(parsed)) {
    return null
  }
  return parsed
 }
 function readTags(formData: FormData): string[] {
  const raw = readInputString(formData, "tags")
  if (!raw) {
    return []
  }
  return raw
    .split(",")
    .map((item) => item.trim())
    .filter((item) => item.length > 0)
 }
 function redirectWithState(mediaAssetId: string, params: { notice?: string; error?: string }) {
  const query = new URLSearchParams()
  if (params.notice) {
    query.set("notice", params.notice)
  }
  if (params.error) {
    query.set("error", params.error)
  }
  const value = query.toString()
  redirect(value ? `/media/${mediaAssetId}?${value}` : `/media/${mediaAssetId}`)
 }
 function toLocalDateTimeInputValue(date: Date): string {
  const offset = date.getTimezoneOffset() * 60_000
  return new Date(date.getTime() - offset).toISOString().slice(0, 16)
 }
 export default async function MediaAssetEditorPage({ params, searchParams }: PageProps) {
  const role = await requirePermissionForRoute({
    nextPath: "/media",
    permission: "media:read",
    scope: "team",
  })
  const resolvedParams = await params
  const mediaAssetId = resolvedParams.id
  const [resolvedSearchParams, asset] = await Promise.all([
    searchParams,
    getMediaAssetById(mediaAssetId),
  ])
  if (!asset) {
    redirect("/media?error=Media+asset+not+found")
  }
  const mediaAsset = asset
  const notice = readFirstValue(resolvedSearchParams.notice)
  const error = readFirstValue(resolvedSearchParams.error)
  const previewUrl = mediaAsset.storageKey ? `/api/media/file/${mediaAsset.id}` : null
  const isImage = Boolean(mediaAsset.mimeType?.startsWith("image/"))
  const isVideo = Boolean(mediaAsset.mimeType?.startsWith("video/"))
  async function updateMediaAssetAction(formData: FormData) {
    "use server"
    await requirePermissionForRoute({
      nextPath: "/media",
      permission: "media:write",
      scope: "team",
    })
    try {
      await updateMediaAsset({
        id: mediaAssetId,
        title: readInputString(formData, "title"),
        type: readInputString(formData, "type"),
        description: readNullableString(formData, "description"),
        altText: readNullableString(formData, "altText"),
        source: readNullableString(formData, "source"),
        copyright: readNullableString(formData, "copyright"),
        author: readNullableString(formData, "author"),
        tags: readTags(formData),
        mimeType: readNullableString(formData, "mimeType"),
        width: readNullableInt(formData, "width"),
        height: readNullableInt(formData, "height"),
        sizeBytes: readNullableInt(formData, "sizeBytes"),
        isPublished: readInputString(formData, "isPublished") === "true",
      })
    } catch {
      redirectWithState(mediaAssetId, {
        error: "Failed to update media asset. Validate values and try again.",
      })
    }
    redirectWithState(mediaAssetId, { notice: "Media asset updated." })
  }
  async function deleteMediaAssetAction() {
    "use server"
    await requirePermissionForRoute({
      nextPath: "/media",
      permission: "media:write",
      scope: "team",
    })
    try {
      if (mediaAsset.storageKey) {
        await deleteStoredMediaObject(mediaAsset.storageKey)
      }
      await deleteMediaAsset(mediaAssetId)
    } catch {
      redirectWithState(mediaAssetId, {
        error:
          "Failed to delete media asset and file from storage. Check storage config and links.",
      })
    }
    redirect("/media?notice=Media+asset+deleted")
  }
  return (
    <AdminShell
      role={role}
      activePath="/media"
      badge="Admin App"
      title="Media Asset"
      description="View, edit, and delete uploaded media metadata."
    >
      {notice ? (
        <section className="rounded-xl border border-emerald-300 bg-emerald-50 px-4 py-3 text-sm text-emerald-800">
          {notice}
        </section>
      ) : null}
      {error ? (
        <section className="rounded-xl border border-red-300 bg-red-50 px-4 py-3 text-sm text-red-800">
          {error}
        </section>
      ) : null}
      <section className="rounded-xl border border-neutral-200 p-6">
        <h3 className="text-lg font-medium">Preview</h3>
        <p className="mt-1 text-sm text-neutral-600">
          {mediaAsset.mimeType ? `MIME: ${mediaAsset.mimeType}` : "MIME: unknown"}
        </p>
        <div className="mt-4 rounded-lg border border-neutral-200 bg-neutral-50 p-3">
          {!previewUrl ? (
            <p className="text-sm text-neutral-600">
              No stored file is linked for this media asset.
            </p>
          ) : isImage ? (
            // biome-ignore lint/performance/noImgElement: Auth-protected media preview requires direct browser request with session cookies.
            <img
              src={previewUrl}
              alt={mediaAsset.altText || mediaAsset.title}
              className="max-h-[26rem] w-auto rounded border border-neutral-200 bg-white"
            />
          ) : isVideo ? (
            // biome-ignore lint/a11y/useMediaCaption: Preview uses source assets without guaranteed caption tracks.
            <video
              src={previewUrl}
              controls
              preload="metadata"
              className="max-h-[26rem] w-full rounded border border-neutral-200 bg-black"
            />
          ) : (
            <p className="text-sm text-neutral-700">
              Inline preview is not available for this media type.
            </p>
          )}
        </div>
        {previewUrl ? (
          <a
            href={previewUrl}
            target="_blank"
            rel="noreferrer"
            className="mt-3 inline-block text-sm text-neutral-700 underline underline-offset-2"
          >
            Open raw media file
          </a>
        ) : null}
      </section>
      <section className="rounded-xl border border-neutral-200 p-6">
        <div className="flex flex-wrap items-center justify-between gap-3">
          <div>
            <h2 className="text-xl font-medium">{mediaAsset.title}</h2>
            <p className="mt-1 text-xs text-neutral-600">ID: {mediaAsset.id}</p>
          </div>
          <Link href="/media" className="text-sm text-neutral-700 underline underline-offset-2">
            Back to media list
          </Link>
        </div>
        <form action={updateMediaAssetAction} className="mt-6 space-y-3">
          <div className="grid gap-3 md:grid-cols-2">
            <label className="space-y-1">
              <span className="text-xs text-neutral-600">Title</span>
              <input
                name="title"
                defaultValue={mediaAsset.title}
                required
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              />
            </label>
            <label className="space-y-1">
              <span className="text-xs text-neutral-600">Type</span>
              <select
                name="type"
                defaultValue={mediaAsset.type}
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              >
                <option value="artwork">artwork</option>
                <option value="banner">banner</option>
                <option value="promotion">promotion</option>
                <option value="video">video</option>
                <option value="gif">gif</option>
                <option value="generic">generic</option>
              </select>
            </label>
          </div>
          <label className="space-y-1">
            <span className="text-xs text-neutral-600">Description</span>
            <textarea
              name="description"
              rows={3}
              defaultValue={mediaAsset.description ?? ""}
              className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
            />
          </label>
          <div className="grid gap-3 md:grid-cols-2">
            <label className="space-y-1">
              <span className="text-xs text-neutral-600">Alt text</span>
              <input
                name="altText"
                defaultValue={mediaAsset.altText ?? ""}
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              />
            </label>
            <label className="space-y-1">
              <span className="text-xs text-neutral-600">Author</span>
              <input
                name="author"
                defaultValue={mediaAsset.author ?? ""}
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              />
            </label>
          </div>
          <div className="grid gap-3 md:grid-cols-2">
            <label className="space-y-1">
              <span className="text-xs text-neutral-600">Source</span>
              <input
                name="source"
                defaultValue={mediaAsset.source ?? ""}
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              />
            </label>
            <label className="space-y-1">
              <span className="text-xs text-neutral-600">Copyright</span>
              <input
                name="copyright"
                defaultValue={mediaAsset.copyright ?? ""}
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              />
            </label>
          </div>
          <div className="grid gap-3 md:grid-cols-3">
            <label className="space-y-1">
              <span className="text-xs text-neutral-600">MIME type</span>
              <input
                name="mimeType"
                defaultValue={mediaAsset.mimeType ?? ""}
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              />
            </label>
            <label className="space-y-1">
              <span className="text-xs text-neutral-600">Width</span>
              <input
                name="width"
                type="number"
                min={1}
                defaultValue={mediaAsset.width ?? ""}
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              />
            </label>
            <label className="space-y-1">
              <span className="text-xs text-neutral-600">Height</span>
              <input
                name="height"
                type="number"
                min={1}
                defaultValue={mediaAsset.height ?? ""}
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              />
            </label>
          </div>
          <div className="grid gap-3 md:grid-cols-2">
            <label className="space-y-1">
              <span className="text-xs text-neutral-600">Size (bytes)</span>
              <input
                name="sizeBytes"
                type="number"
                min={0}
                defaultValue={mediaAsset.sizeBytes ?? ""}
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              />
            </label>
            <label className="space-y-1">
              <span className="text-xs text-neutral-600">Tags (comma-separated)</span>
              <input
                name="tags"
                defaultValue={mediaAsset.tags.join(", ")}
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              />
            </label>
          </div>
          <label className="inline-flex items-center gap-2 text-sm text-neutral-700">
            <input
              type="checkbox"
              name="isPublished"
              value="true"
              defaultChecked={mediaAsset.isPublished}
              className="size-4"
            />
            Published
          </label>
          <div className="grid gap-3 md:grid-cols-2">
            <label className="space-y-1">
              <span className="text-xs text-neutral-600">Storage key</span>
              <input
                value={mediaAsset.storageKey ?? "-"}
                readOnly
                className="w-full rounded border border-neutral-200 bg-neutral-50 px-3 py-2 text-xs text-neutral-600"
              />
            </label>
            <label className="space-y-1">
              <span className="text-xs text-neutral-600">Last updated</span>
              <input
                value={toLocalDateTimeInputValue(mediaAsset.updatedAt)}
                readOnly
                className="w-full rounded border border-neutral-200 bg-neutral-50 px-3 py-2 text-xs text-neutral-600"
              />
            </label>
          </div>
          <Button type="submit">Save changes</Button>
        </form>
      </section>
      <section className="rounded-xl border border-red-300 bg-red-50 p-6">
        <h3 className="text-lg font-medium text-red-800">Danger Zone</h3>
        <p className="mt-1 text-sm text-red-700">
          Deleting this media asset is permanent. Any linked artwork rendition references will also
          be removed.
        </p>
        <form action={deleteMediaAssetAction} className="mt-4">
          <Button type="submit" variant="secondary" className="border border-red-300 text-red-800">
            Delete media asset
          </Button>
        </form>
      </section>
    </AdminShell>
  )
 }
--- a/apps/admin/src/app/media/page.tsx
+++ b/apps/admin/src/app/media/page.tsx
@@ -0,0 +1,169 @@
 import { getMediaFoundationSummary, listMediaAssets } from "@cms/db"
 import Link from "next/link"
 import { AdminShell } from "@/components/admin-shell"
 import { FlashQueryCleanup } from "@/components/media/flash-query-cleanup"
 import { MediaUploadForm } from "@/components/media/media-upload-form"
 import { resolveMediaStorageProvider } from "@/lib/media/storage"
 import { requirePermissionForRoute } from "@/lib/route-guards"
 export const dynamic = "force-dynamic"
 type SearchParamsInput = Record<string, string | string[] | undefined>
 function readFirstValue(value: string | string[] | undefined): string | null {
  if (Array.isArray(value)) {
    return value[0] ?? null
  }
  return value ?? null
 }
 export default async function MediaManagementPage({
  searchParams,
 }: {
  searchParams: Promise<SearchParamsInput>
 }) {
  const role = await requirePermissionForRoute({
    nextPath: "/media",
    permission: "media:read",
    scope: "team",
  })
  const [resolvedSearchParams, summary, assets] = await Promise.all([
    searchParams,
    getMediaFoundationSummary(),
    listMediaAssets(20),
  ])
  const notice = readFirstValue(resolvedSearchParams.notice)
  const error = readFirstValue(resolvedSearchParams.error)
  const uploadedVia = readFirstValue(resolvedSearchParams.uploadedVia)
  const warning = readFirstValue(resolvedSearchParams.warning)
  const activeStorageProvider = resolveMediaStorageProvider(process.env.CMS_MEDIA_STORAGE_PROVIDER)
  const hasFlashQuery = Boolean(notice || error || warning || uploadedVia)
  return (
    <AdminShell
      role={role}
      activePath="/media"
      badge="Admin App"
      title="Media"
      description="Media foundation baseline for assets, artwork renditions, and grouping metadata."
    >
      <FlashQueryCleanup enabled={hasFlashQuery} />
      {notice ? (
        <section className="rounded-xl border border-emerald-300 bg-emerald-50 px-4 py-3 text-sm text-emerald-800">
          <div className="flex flex-wrap items-center gap-2">
            <span>{notice}</span>
            {uploadedVia ? (
              <span className="rounded border border-emerald-300 bg-white px-2 py-0.5 text-xs font-medium uppercase tracking-wide text-emerald-700">
                Stored via: {uploadedVia}
              </span>
            ) : null}
          </div>
        </section>
      ) : null}
      {error ? (
        <section className="rounded-xl border border-red-300 bg-red-50 px-4 py-3 text-sm text-red-800">
          {error}
        </section>
      ) : null}
      {warning ? (
        <section className="rounded-xl border border-amber-300 bg-amber-50 px-4 py-3 text-sm text-amber-900">
          {warning}
        </section>
      ) : null}
      <section className="grid gap-3 sm:grid-cols-2 xl:grid-cols-3">
        <article className="rounded-xl border border-neutral-200 p-4">
          <p className="text-xs uppercase tracking-[0.2em] text-neutral-500">Media Assets</p>
          <p className="mt-2 text-3xl font-semibold">{summary.mediaAssets}</p>
        </article>
        <article className="rounded-xl border border-neutral-200 p-4">
          <p className="text-xs uppercase tracking-[0.2em] text-neutral-500">Artworks</p>
          <p className="mt-2 text-3xl font-semibold">{summary.artworks}</p>
        </article>
        <article className="rounded-xl border border-neutral-200 p-4">
          <p className="text-xs uppercase tracking-[0.2em] text-neutral-500">Groups</p>
          <p className="mt-2 text-3xl font-semibold">
            {summary.galleries + summary.albums + summary.categories + summary.tags}
          </p>
          <p className="mt-1 text-xs text-neutral-500">
            {summary.galleries} galleries · {summary.albums} albums · {summary.categories}{" "}
            categories · {summary.tags} tags
          </p>
        </article>
      </section>
      <section className="rounded-xl border border-neutral-200 p-6">
        <h2 className="text-xl font-medium">Upload Media Asset</h2>
        <p className="mt-1 text-sm text-neutral-600">
          Upload storage provider: <strong>{activeStorageProvider}</strong>. You can switch via
          `CMS_MEDIA_STORAGE_PROVIDER` (`s3` default, `local` fallback) until the admin settings
          toggle lands.
        </p>
        <MediaUploadForm />
      </section>
      <section className="rounded-xl border border-neutral-200 p-6">
        <div className="flex items-center justify-between gap-2">
          <h2 className="text-xl font-medium">Recent Media Assets</h2>
          <span className="text-xs uppercase tracking-[0.2em] text-neutral-500">
            MVP1 Upload Pipeline
          </span>
        </div>
        <div className="mt-4 overflow-x-auto">
          <table className="min-w-full text-left text-sm">
            <thead className="text-xs uppercase tracking-wide text-neutral-500">
              <tr>
                <th className="py-2 pr-4">Title</th>
                <th className="py-2 pr-4">Type</th>
                <th className="py-2 pr-4">MIME</th>
                <th className="py-2 pr-4">Size</th>
                <th className="py-2 pr-4">Published</th>
                <th className="py-2 pr-4">Updated</th>
                <th className="py-2 pr-4">Actions</th>
              </tr>
            </thead>
            <tbody>
              {assets.length === 0 ? (
                <tr>
                  <td className="py-3 text-neutral-500" colSpan={7}>
                    No media assets yet. Upload your first asset above.
                  </td>
                </tr>
              ) : (
                assets.map((asset) => (
                  <tr key={asset.id} className="border-t border-neutral-200">
                    <td className="py-3 pr-4">{asset.title}</td>
                    <td className="py-3 pr-4">{asset.type}</td>
                    <td className="py-3 pr-4 text-neutral-600">{asset.mimeType ?? "-"}</td>
                    <td className="py-3 pr-4 text-neutral-600">
                      {typeof asset.sizeBytes === "number"
                        ? `${Math.max(1, Math.round(asset.sizeBytes / 1024))} KB`
                        : "-"}
                    </td>
                    <td className="py-3 pr-4">{asset.isPublished ? "yes" : "no"}</td>
                    <td className="py-3 pr-4 text-neutral-600">
                      {asset.updatedAt.toLocaleDateString("en-US")}
                    </td>
                    <td className="py-3 pr-4">
                      <Link
                        href={`/media/${asset.id}`}
                        className="text-xs font-medium text-neutral-700 underline underline-offset-2"
                      >
                        Open
                      </Link>
                    </td>
                  </tr>
                ))
              )}
            </tbody>
          </table>
        </div>
      </section>
    </AdminShell>
  )
 }
--- a/apps/admin/src/app/navigation/page.tsx
+++ b/apps/admin/src/app/navigation/page.tsx
@@ -0,0 +1,446 @@
 import {
  createNavigationItem,
  createNavigationMenu,
  deleteNavigationItem,
  listNavigationMenus,
  listPages,
  updateNavigationItem,
 } from "@cms/db"
 import { Button } from "@cms/ui/button"
 import { revalidatePath } from "next/cache"
 import { redirect } from "next/navigation"
 import { AdminShell } from "@/components/admin-shell"
 import { requirePermissionForRoute } from "@/lib/route-guards"
 export const dynamic = "force-dynamic"
 type SearchParamsInput = Record<string, string | string[] | undefined>
 function readFirstValue(value: string | string[] | undefined): string | null {
  if (Array.isArray(value)) {
    return value[0] ?? null
  }
  return value ?? null
 }
 function readInputString(formData: FormData, field: string): string {
  const value = formData.get(field)
  return typeof value === "string" ? value.trim() : ""
 }
 function readNullableString(formData: FormData, field: string): string | null {
  const value = readInputString(formData, field)
  return value.length > 0 ? value : null
 }
 function readInt(formData: FormData, field: string, fallback = 0): number {
  const value = readInputString(formData, field)
  if (!value) {
    return fallback
  }
  const parsed = Number.parseInt(value, 10)
  if (!Number.isFinite(parsed)) {
    return fallback
  }
  return parsed
 }
 function redirectWithState(params: { notice?: string; error?: string }) {
  const query = new URLSearchParams()
  if (params.notice) {
    query.set("notice", params.notice)
  }
  if (params.error) {
    query.set("error", params.error)
  }
  const value = query.toString()
  redirect(value ? `/navigation?${value}` : "/navigation")
 }
 async function createMenuAction(formData: FormData) {
  "use server"
  await requirePermissionForRoute({
    nextPath: "/navigation",
    permission: "navigation:write",
    scope: "team",
  })
  try {
    await createNavigationMenu({
      name: readInputString(formData, "name"),
      slug: readInputString(formData, "slug"),
      location: readInputString(formData, "location"),
      isVisible: readInputString(formData, "isVisible") === "true",
    })
  } catch {
    redirectWithState({ error: "Failed to create navigation menu." })
  }
  revalidatePath("/navigation")
  redirectWithState({ notice: "Navigation menu created." })
 }
 async function createItemAction(formData: FormData) {
  "use server"
  await requirePermissionForRoute({
    nextPath: "/navigation",
    permission: "navigation:write",
    scope: "team",
  })
  try {
    await createNavigationItem({
      menuId: readInputString(formData, "menuId"),
      label: readInputString(formData, "label"),
      href: readNullableString(formData, "href"),
      pageId: readNullableString(formData, "pageId"),
      parentId: readNullableString(formData, "parentId"),
      sortOrder: readInt(formData, "sortOrder", 0),
      isVisible: readInputString(formData, "isVisible") === "true",
    })
  } catch {
    redirectWithState({ error: "Failed to create navigation item." })
  }
  revalidatePath("/navigation")
  redirectWithState({ notice: "Navigation item created." })
 }
 async function updateItemAction(formData: FormData) {
  "use server"
  await requirePermissionForRoute({
    nextPath: "/navigation",
    permission: "navigation:write",
    scope: "team",
  })
  try {
    await updateNavigationItem({
      id: readInputString(formData, "id"),
      label: readInputString(formData, "label"),
      href: readNullableString(formData, "href"),
      pageId: readNullableString(formData, "pageId"),
      parentId: readNullableString(formData, "parentId"),
      sortOrder: readInt(formData, "sortOrder", 0),
      isVisible: readInputString(formData, "isVisible") === "true",
    })
  } catch {
    redirectWithState({ error: "Failed to update navigation item." })
  }
  revalidatePath("/navigation")
  redirectWithState({ notice: "Navigation item updated." })
 }
 async function deleteItemAction(formData: FormData) {
  "use server"
  await requirePermissionForRoute({
    nextPath: "/navigation",
    permission: "navigation:write",
    scope: "team",
  })
  try {
    await deleteNavigationItem(readInputString(formData, "id"))
  } catch {
    redirectWithState({ error: "Failed to delete navigation item." })
  }
  revalidatePath("/navigation")
  redirectWithState({ notice: "Navigation item deleted." })
 }
 export default async function NavigationManagementPage({
  searchParams,
 }: {
  searchParams: Promise<SearchParamsInput>
 }) {
  const role = await requirePermissionForRoute({
    nextPath: "/navigation",
    permission: "navigation:read",
    scope: "team",
  })
  const [resolvedSearchParams, menus, pages] = await Promise.all([
    searchParams,
    listNavigationMenus(),
    listPages(200),
  ])
  const notice = readFirstValue(resolvedSearchParams.notice)
  const error = readFirstValue(resolvedSearchParams.error)
  return (
    <AdminShell
      role={role}
      activePath="/navigation"
      badge="Admin App"
      title="Navigation"
      description="Manage menus and navigation entries linked to pages or custom routes."
    >
      {notice ? (
        <section className="rounded-xl border border-emerald-300 bg-emerald-50 px-4 py-3 text-sm text-emerald-800">
          {notice}
        </section>
      ) : null}
      {error ? (
        <section className="rounded-xl border border-red-300 bg-red-50 px-4 py-3 text-sm text-red-800">
          {error}
        </section>
      ) : null}
      <section className="grid gap-4 lg:grid-cols-2">
        <article className="rounded-xl border border-neutral-200 p-6">
          <h2 className="text-xl font-medium">Create Menu</h2>
          <form action={createMenuAction} className="mt-4 space-y-3">
            <label className="space-y-1">
              <span className="text-xs text-neutral-600">Name</span>
              <input
                name="name"
                required
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              />
            </label>
            <label className="space-y-1">
              <span className="text-xs text-neutral-600">Slug</span>
              <input
                name="slug"
                required
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              />
            </label>
            <label className="space-y-1">
              <span className="text-xs text-neutral-600">Location</span>
              <input
                name="location"
                defaultValue="primary"
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              />
            </label>
            <label className="inline-flex items-center gap-2 text-sm text-neutral-700">
              <input
                name="isVisible"
                type="checkbox"
                value="true"
                defaultChecked
                className="size-4"
              />
              Visible
            </label>
            <Button type="submit">Create menu</Button>
          </form>
        </article>
        <article className="rounded-xl border border-neutral-200 p-6">
          <h2 className="text-xl font-medium">Create Navigation Item</h2>
          <form action={createItemAction} className="mt-4 space-y-3">
            <label className="space-y-1">
              <span className="text-xs text-neutral-600">Menu</span>
              <select
                name="menuId"
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              >
                {menus.map((menu) => (
                  <option key={menu.id} value={menu.id}>
                    {menu.name} ({menu.location})
                  </option>
                ))}
              </select>
            </label>
            <label className="space-y-1">
              <span className="text-xs text-neutral-600">Label</span>
              <input
                name="label"
                required
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              />
            </label>
            <div className="grid gap-3 md:grid-cols-2">
              <label className="space-y-1">
                <span className="text-xs text-neutral-600">Custom href</span>
                <input
                  name="href"
                  className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                />
              </label>
              <label className="space-y-1">
                <span className="text-xs text-neutral-600">Linked page</span>
                <select
                  name="pageId"
                  className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                >
                  <option value="">(none)</option>
                  {pages.map((page) => (
                    <option key={page.id} value={page.id}>
                      {page.title} (/{page.slug})
                    </option>
                  ))}
                </select>
              </label>
            </div>
            <div className="grid gap-3 md:grid-cols-2">
              <label className="space-y-1">
                <span className="text-xs text-neutral-600">Parent item id</span>
                <input
                  name="parentId"
                  className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                />
              </label>
              <label className="space-y-1">
                <span className="text-xs text-neutral-600">Sort order</span>
                <input
                  name="sortOrder"
                  defaultValue="0"
                  type="number"
                  min={0}
                  className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                />
              </label>
            </div>
            <label className="inline-flex items-center gap-2 text-sm text-neutral-700">
              <input
                name="isVisible"
                type="checkbox"
                value="true"
                defaultChecked
                className="size-4"
              />
              Visible
            </label>
            <Button type="submit">Create item</Button>
          </form>
        </article>
      </section>
      <section className="space-y-4">
        {menus.length === 0 ? (
          <article className="rounded-xl border border-neutral-200 p-6 text-sm text-neutral-600">
            No navigation menus yet.
          </article>
        ) : (
          menus.map((menu) => (
            <article key={menu.id} className="rounded-xl border border-neutral-200 p-6">
              <div className="flex flex-wrap items-center justify-between gap-2">
                <h3 className="text-lg font-medium">
                  {menu.name} <span className="text-sm text-neutral-500">({menu.location})</span>
                </h3>
                <span className="text-xs text-neutral-500">
                  {menu.isVisible ? "visible" : "hidden"}
                </span>
              </div>
              <div className="mt-4 space-y-3">
                {menu.items.length === 0 ? (
                  <p className="text-sm text-neutral-600">No items in this menu.</p>
                ) : (
                  menu.items.map((item) => (
                    <form
                      key={item.id}
                      action={updateItemAction}
                      className="rounded-lg border border-neutral-200 p-3"
                    >
                      <input type="hidden" name="id" value={item.id} />
                      <div className="grid gap-3 md:grid-cols-5">
                        <label className="space-y-1 md:col-span-2">
                          <span className="text-xs text-neutral-600">Label</span>
                          <input
                            name="label"
                            defaultValue={item.label}
                            className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                          />
                        </label>
                        <label className="space-y-1 md:col-span-2">
                          <span className="text-xs text-neutral-600">Href</span>
                          <input
                            name="href"
                            defaultValue={item.href ?? ""}
                            className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                          />
                        </label>
                        <label className="space-y-1">
                          <span className="text-xs text-neutral-600">Sort</span>
                          <input
                            name="sortOrder"
                            type="number"
                            min={0}
                            defaultValue={item.sortOrder}
                            className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                          />
                        </label>
                      </div>
                      <div className="mt-3 grid gap-3 md:grid-cols-2">
                        <label className="space-y-1">
                          <span className="text-xs text-neutral-600">Linked page</span>
                          <select
                            name="pageId"
                            defaultValue={item.pageId ?? ""}
                            className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                          >
                            <option value="">(none)</option>
                            {pages.map((page) => (
                              <option key={page.id} value={page.id}>
                                {page.title} (/{page.slug})
                              </option>
                            ))}
                          </select>
                        </label>
                        <label className="space-y-1">
                          <span className="text-xs text-neutral-600">Parent id</span>
                          <input
                            name="parentId"
                            defaultValue={item.parentId ?? ""}
                            className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                          />
                        </label>
                      </div>
                      <div className="mt-3 flex flex-wrap items-center justify-between gap-3">
                        <label className="inline-flex items-center gap-2 text-sm text-neutral-700">
                          <input
                            type="checkbox"
                            name="isVisible"
                            value="true"
                            defaultChecked={item.isVisible}
                            className="size-4"
                          />
                          Visible
                        </label>
                        <div className="flex items-center gap-2">
                          <Button type="submit" size="sm">
                            Save item
                          </Button>
                          <button
                            type="submit"
                            formAction={deleteItemAction}
                            className="rounded-md border border-red-300 px-3 py-2 text-sm text-red-700"
                          >
                            Delete
                          </button>
                        </div>
                      </div>
                    </form>
                  ))
                )}
              </div>
            </article>
          ))
        )}
      </section>
    </AdminShell>
  )
 }
--- a/apps/admin/src/app/page.tsx
+++ b/apps/admin/src/app/page.tsx
@@ -1,48 +1,405 @@
-import { listPosts } from "@cms/db"
+import { hasPermission } from "@cms/content/rbac"
 import { createPost, deletePost, listPosts, updatePost } from "@cms/db"
 import { Button } from "@cms/ui/button"
 import { revalidatePath } from "next/cache"
 import Link from "next/link"
 import { redirect } from "next/navigation"
 import { AdminShell } from "@/components/admin-shell"
 import { translateMessage } from "@/i18n/messages"
 import { getAdminMessages, resolveAdminLocale } from "@/i18n/server"
 import { requirePermissionForRoute } from "@/lib/route-guards"
 export const dynamic = "force-dynamic"
-export default async function AdminHomePage() {
+type SearchParamsInput = Record<string, string | string[] | undefined>
-  const posts = await listPosts()
+
 function readFirstValue(value: string | string[] | undefined): string | null {
  if (Array.isArray(value)) {
    return value[0] ?? null
  }
  return value ?? null
 }
 function readRequiredField(formData: FormData, field: string): string {
  const value = formData.get(field)
  if (typeof value !== "string") {
    return ""
  }
  return value.trim()
 }
 function readOptionalField(formData: FormData, field: string): string | undefined {
  const value = readRequiredField(formData, field)
  return value.length > 0 ? value : undefined
 }
 async function requireNewsWritePermission() {
  await requirePermissionForRoute({
    nextPath: "/",
    permission: "news:write",
    scope: "team",
  })
 }
 function redirectWithState(params: { notice?: string; error?: string }) {
  const query = new URLSearchParams()
  if (params.notice) {
    query.set("notice", params.notice)
  }
  if (params.error) {
    query.set("error", params.error)
  }
  const value = query.toString()
  redirect(value ? `/?${value}` : "/")
 }
 async function getDashboardTranslator() {
  const locale = await resolveAdminLocale()
  const messages = await getAdminMessages(locale)
  return (key: string, fallback: string) => translateMessage(messages, key, fallback)
 }
 async function createPostAction(formData: FormData) {
  "use server"
  await requireNewsWritePermission()
  const t = await getDashboardTranslator()
  const status = readRequiredField(formData, "status")
  try {
    await createPost({
      title: readRequiredField(formData, "title"),
      slug: readRequiredField(formData, "slug"),
      excerpt: readOptionalField(formData, "excerpt"),
      body: readRequiredField(formData, "body"),
      status: status === "published" ? "published" : "draft",
    })
  } catch {
    redirectWithState({
      error: t("dashboard.posts.errors.createFailed", "Create failed. Please check your input."),
    })
  }
  revalidatePath("/")
  redirectWithState({ notice: t("dashboard.posts.success.created", "Post created.") })
 }
 async function updatePostAction(formData: FormData) {
  "use server"
  await requireNewsWritePermission()
  const t = await getDashboardTranslator()
  const id = readRequiredField(formData, "id")
  const status = readRequiredField(formData, "status")
  if (!id) {
    redirectWithState({
      error: t("dashboard.posts.errors.updateMissingId", "Update failed. Missing post id."),
    })
  }
  try {
    await updatePost(id, {
      title: readRequiredField(formData, "title"),
      slug: readRequiredField(formData, "slug"),
      excerpt: readOptionalField(formData, "excerpt"),
      body: readRequiredField(formData, "body"),
      status: status === "published" ? "published" : "draft",
    })
  } catch {
    redirectWithState({
      error: t("dashboard.posts.errors.updateFailed", "Update failed. Please check your input."),
    })
  }
  revalidatePath("/")
  redirectWithState({ notice: t("dashboard.posts.success.updated", "Post updated.") })
 }
 async function deletePostAction(formData: FormData) {
  "use server"
  await requireNewsWritePermission()
  const t = await getDashboardTranslator()
  const id = readRequiredField(formData, "id")
  if (!id) {
    redirectWithState({
      error: t("dashboard.posts.errors.deleteMissingId", "Delete failed. Missing post id."),
    })
  }
  try {
    await deletePost(id)
  } catch {
    redirectWithState({ error: t("dashboard.posts.errors.deleteFailed", "Delete failed.") })
  }
  revalidatePath("/")
  redirectWithState({ notice: t("dashboard.posts.success.deleted", "Post deleted.") })
 }
 export default async function AdminHomePage({
  searchParams,
 }: {
  searchParams: Promise<SearchParamsInput>
 }) {
  const role = await requirePermissionForRoute({
    nextPath: "/",
    permission: "news:read",
    scope: "team",
  })
  const [resolvedSearchParams, locale, posts] = await Promise.all([
    searchParams,
    resolveAdminLocale(),
    listPosts(),
  ])
  const messages = await getAdminMessages(locale)
  const t = (key: string, fallback: string) => translateMessage(messages, key, fallback)
  const notice = readFirstValue(resolvedSearchParams.notice)
  const error = readFirstValue(resolvedSearchParams.error)
  const canCreatePost = hasPermission(role, "news:write", "team")
  return (
-    <main className="mx-auto flex min-h-screen w-full max-w-4xl flex-col gap-8 px-6 py-16">
+    <AdminShell
-      <header className="space-y-3">
+      role={role}
-        <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">Admin App</p>
+      activePath="/"
-        <h1 className="text-4xl font-semibold tracking-tight">Content Dashboard</h1>
+      badge={t("dashboard.badge", "Admin App")}
-        <p className="text-neutral-600">Manage posts from a dedicated admin surface.</p>
+      title={t("dashboard.title", "Content Dashboard")}
-        <div className="pt-2">
+      description={t("dashboard.description", "Manage posts from a dedicated admin surface.")}
      actions={
        <>
          <Link
            href="/todo"
            className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
          >
-            Open roadmap and progress
+            {t("dashboard.actions.openRoadmap", "Open roadmap and progress")}
          </Link>
-        </div>
+          <Link
-      </header>
+            href="/settings"
            className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
          >
            {t("settings.title", "Settings")}
          </Link>
        </>
      }
    >
      {notice ? (
        <section className="rounded-xl border border-emerald-300 bg-emerald-50 px-4 py-3 text-sm text-emerald-800">
          {notice}
        </section>
      ) : null}
      {error ? (
        <section className="rounded-xl border border-red-300 bg-red-50 px-4 py-3 text-sm text-red-800">
          {error}
        </section>
      ) : null}
      <section className="rounded-xl border border-neutral-200 p-6">
-        <div className="mb-4 flex items-center justify-between">
+        <div className="space-y-4">
-          <h2 className="text-xl font-medium">Posts</h2>
+          <div className="flex items-center justify-between">
-          <Button>Create post</Button>
+            <h2 className="text-xl font-medium">
              {t("dashboard.posts.title", "Posts CRUD Sandbox")}
            </h2>
            <p className="text-xs uppercase tracking-wide text-neutral-500">
              {t("dashboard.notices.crudSandboxTag", "MVP0 functional test")}
            </p>
          </div>
          {canCreatePost ? (
            <form
              action={createPostAction}
              className="space-y-3 rounded-lg border border-neutral-200 p-4"
            >
              <h3 className="text-sm font-semibold">
                {t("dashboard.posts.createTitle", "Create post")}
              </h3>
              <div className="grid gap-3 md:grid-cols-2">
                <label className="space-y-1">
                  <span className="text-xs text-neutral-600">
                    {t("dashboard.posts.fields.title", "Title")}
                  </span>
                  <input
                    name="title"
                    required
                    minLength={3}
                    className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                  />
                </label>
                <label className="space-y-1">
                  <span className="text-xs text-neutral-600">
                    {t("dashboard.posts.fields.slug", "Slug")}
                  </span>
                  <input
                    name="slug"
                    required
                    minLength={3}
                    className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                  />
                </label>
              </div>
              <label className="space-y-1">
                <span className="text-xs text-neutral-600">
                  {t("dashboard.posts.fields.excerpt", "Excerpt")}
                </span>
                <input
                  name="excerpt"
                  className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                />
              </label>
              <label className="space-y-1">
                <span className="text-xs text-neutral-600">
                  {t("dashboard.posts.fields.body", "Body")}
                </span>
                <textarea
                  name="body"
                  required
                  minLength={1}
                  rows={4}
                  className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                />
              </label>
              <label className="space-y-1">
                <span className="text-xs text-neutral-600">
                  {t("dashboard.posts.fields.status", "Status")}
                </span>
                <select
                  name="status"
                  defaultValue="draft"
                  className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                >
                  <option value="draft">{t("dashboard.posts.status.draft", "Draft")}</option>
                  <option value="published">
                    {t("dashboard.posts.status.published", "Published")}
                  </option>
                </select>
              </label>
              <Button type="submit">{t("dashboard.posts.actions.create", "Create post")}</Button>
            </form>
          ) : (
            <div className="rounded-lg border border-amber-300 bg-amber-50 px-4 py-3 text-sm text-amber-800">
              {t(
                "dashboard.notices.noCrudPermission",
                "You can read posts, but your role cannot create/update/delete posts.",
              )}
            </div>
          )}
        </div>
        <div className="space-y-3">
          {posts.map((post) => (
            <article key={post.id} className="rounded-lg border border-neutral-200 p-4">
-              <div className="flex items-center justify-between gap-3">
+              {canCreatePost ? (
-                <h3 className="text-lg font-medium">{post.title}</h3>
+                <>
-                <span className="rounded-full bg-neutral-100 px-3 py-1 text-xs uppercase tracking-wide">
+                  <form action={updatePostAction} className="space-y-3">
-                  {post.status}
+                    <input type="hidden" name="id" value={post.id} />
-                </span>
+                    <div className="grid gap-3 md:grid-cols-2">
-              </div>
+                      <label className="space-y-1">
-              <p className="mt-2 text-sm text-neutral-600">{post.slug}</p>
+                        <span className="text-xs text-neutral-600">
                          {t("dashboard.posts.fields.title", "Title")}
                        </span>
                        <input
                          name="title"
                          required
                          minLength={3}
                          defaultValue={post.title}
                          className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                        />
                      </label>
                      <label className="space-y-1">
                        <span className="text-xs text-neutral-600">
                          {t("dashboard.posts.fields.slug", "Slug")}
                        </span>
                        <input
                          name="slug"
                          required
                          minLength={3}
                          defaultValue={post.slug}
                          className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                        />
                      </label>
                    </div>
                    <label className="space-y-1">
                      <span className="text-xs text-neutral-600">
                        {t("dashboard.posts.fields.excerpt", "Excerpt")}
                      </span>
                      <input
                        name="excerpt"
                        defaultValue={post.excerpt ?? ""}
                        className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                      />
                    </label>
                    <label className="space-y-1">
                      <span className="text-xs text-neutral-600">
                        {t("dashboard.posts.fields.body", "Body")}
                      </span>
                      <textarea
                        name="body"
                        required
                        minLength={1}
                        rows={4}
                        defaultValue={post.body}
                        className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                      />
                    </label>
                    <label className="space-y-1">
                      <span className="text-xs text-neutral-600">
                        {t("dashboard.posts.fields.status", "Status")}
                      </span>
                      <select
                        name="status"
                        defaultValue={post.status}
                        className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                      >
                        <option value="draft">{t("dashboard.posts.status.draft", "Draft")}</option>
                        <option value="published">
                          {t("dashboard.posts.status.published", "Published")}
                        </option>
                      </select>
                    </label>
                    <Button type="submit">
                      {t("dashboard.posts.actions.save", "Save changes")}
                    </Button>
                  </form>
                  <form action={deletePostAction} className="mt-3">
                    <input type="hidden" name="id" value={post.id} />
                    <Button type="submit" variant="secondary">
                      {t("dashboard.posts.actions.delete", "Delete")}
                    </Button>
                  </form>
                </>
              ) : (
                <>
                  <div className="flex items-center justify-between gap-3">
                    <h3 className="text-lg font-medium">{post.title}</h3>
                    <span className="rounded-full bg-neutral-100 px-3 py-1 text-xs uppercase tracking-wide">
                      {post.status}
                    </span>
                  </div>
                  <p className="mt-2 text-sm text-neutral-600">{post.slug}</p>
                  <p className="mt-2 text-sm text-neutral-600">
                    {post.excerpt ?? t("dashboard.posts.fallback.noExcerpt", "No excerpt")}
                  </p>
                </>
              )}
            </article>
          ))}
        </div>
      </section>
-    </main>
+    </AdminShell>
  )
 }
--- a/apps/admin/src/app/pages/[id]/page.tsx
+++ b/apps/admin/src/app/pages/[id]/page.tsx
@@ -0,0 +1,242 @@
 import { deletePage, getPageById, updatePage } from "@cms/db"
 import { Button } from "@cms/ui/button"
 import Link from "next/link"
 import { redirect } from "next/navigation"
 import { AdminShell } from "@/components/admin-shell"
 import { requirePermissionForRoute } from "@/lib/route-guards"
 export const dynamic = "force-dynamic"
 type SearchParamsInput = Record<string, string | string[] | undefined>
 type PageProps = {
  params: Promise<{ id: string }>
  searchParams: Promise<SearchParamsInput>
 }
 function readFirstValue(value: string | string[] | undefined): string | null {
  if (Array.isArray(value)) {
    return value[0] ?? null
  }
  return value ?? null
 }
 function readInputString(formData: FormData, field: string): string {
  const value = formData.get(field)
  return typeof value === "string" ? value.trim() : ""
 }
 function readNullableString(formData: FormData, field: string): string | null {
  const value = readInputString(formData, field)
  return value.length > 0 ? value : null
 }
 function redirectWithState(pageId: string, params: { notice?: string; error?: string }) {
  const query = new URLSearchParams()
  if (params.notice) {
    query.set("notice", params.notice)
  }
  if (params.error) {
    query.set("error", params.error)
  }
  const value = query.toString()
  redirect(value ? `/pages/${pageId}?${value}` : `/pages/${pageId}`)
 }
 export default async function PageEditorPage({ params, searchParams }: PageProps) {
  const role = await requirePermissionForRoute({
    nextPath: "/pages",
    permission: "pages:read",
    scope: "team",
  })
  const resolvedParams = await params
  const pageId = resolvedParams.id
  const [resolvedSearchParams, pageRecord] = await Promise.all([searchParams, getPageById(pageId)])
  if (!pageRecord) {
    redirect("/pages?error=Page+not+found")
  }
  const page = pageRecord
  const notice = readFirstValue(resolvedSearchParams.notice)
  const error = readFirstValue(resolvedSearchParams.error)
  async function updatePageAction(formData: FormData) {
    "use server"
    await requirePermissionForRoute({
      nextPath: "/pages",
      permission: "pages:write",
      scope: "team",
    })
    try {
      await updatePage({
        id: pageId,
        title: readInputString(formData, "title"),
        slug: readInputString(formData, "slug"),
        status: readInputString(formData, "status"),
        summary: readNullableString(formData, "summary"),
        content: readInputString(formData, "content"),
        seoTitle: readNullableString(formData, "seoTitle"),
        seoDescription: readNullableString(formData, "seoDescription"),
      })
    } catch {
      redirectWithState(pageId, {
        error: "Failed to update page. Validate values and try again.",
      })
    }
    redirectWithState(pageId, {
      notice: "Page updated.",
    })
  }
  async function deletePageAction() {
    "use server"
    await requirePermissionForRoute({
      nextPath: "/pages",
      permission: "pages:write",
      scope: "team",
    })
    try {
      await deletePage(pageId)
    } catch {
      redirectWithState(pageId, {
        error: "Failed to delete page. Remove linked navigation references first.",
      })
    }
    redirect("/pages?notice=Page+deleted")
  }
  return (
    <AdminShell
      role={role}
      activePath="/pages"
      badge="Admin App"
      title="Page Editor"
      description="Edit page metadata, content, and publication status."
    >
      {notice ? (
        <section className="rounded-xl border border-emerald-300 bg-emerald-50 px-4 py-3 text-sm text-emerald-800">
          {notice}
        </section>
      ) : null}
      {error ? (
        <section className="rounded-xl border border-red-300 bg-red-50 px-4 py-3 text-sm text-red-800">
          {error}
        </section>
      ) : null}
      <section className="rounded-xl border border-neutral-200 p-6">
        <div className="flex flex-wrap items-center justify-between gap-3">
          <div>
            <h2 className="text-xl font-medium">{page.title}</h2>
            <p className="mt-1 text-xs text-neutral-600">ID: {page.id}</p>
          </div>
          <Link href="/pages" className="text-sm text-neutral-700 underline underline-offset-2">
            Back to pages
          </Link>
        </div>
        <form action={updatePageAction} className="mt-6 space-y-3">
          <div className="grid gap-3 md:grid-cols-3">
            <label className="space-y-1 md:col-span-2">
              <span className="text-xs text-neutral-600">Title</span>
              <input
                name="title"
                defaultValue={page.title}
                required
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              />
            </label>
            <label className="space-y-1">
              <span className="text-xs text-neutral-600">Status</span>
              <select
                name="status"
                defaultValue={page.status}
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              >
                <option value="draft">draft</option>
                <option value="published">published</option>
              </select>
            </label>
          </div>
          <label className="space-y-1">
            <span className="text-xs text-neutral-600">Slug</span>
            <input
              name="slug"
              defaultValue={page.slug}
              required
              className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
            />
          </label>
          <label className="space-y-1">
            <span className="text-xs text-neutral-600">Summary</span>
            <input
              name="summary"
              defaultValue={page.summary ?? ""}
              className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
            />
          </label>
          <label className="space-y-1">
            <span className="text-xs text-neutral-600">Content</span>
            <textarea
              name="content"
              rows={10}
              defaultValue={page.content}
              required
              className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
            />
          </label>
          <div className="grid gap-3 md:grid-cols-2">
            <label className="space-y-1">
              <span className="text-xs text-neutral-600">SEO title</span>
              <input
                name="seoTitle"
                defaultValue={page.seoTitle ?? ""}
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              />
            </label>
            <label className="space-y-1">
              <span className="text-xs text-neutral-600">SEO description</span>
              <input
                name="seoDescription"
                defaultValue={page.seoDescription ?? ""}
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              />
            </label>
          </div>
          <Button type="submit">Save page</Button>
        </form>
      </section>
      <section className="rounded-xl border border-red-300 bg-red-50 p-6">
        <h3 className="text-lg font-medium text-red-800">Danger Zone</h3>
        <p className="mt-1 text-sm text-red-700">
          Deleting this page is permanent and may break linked navigation items.
        </p>
        <form action={deletePageAction} className="mt-4">
          <Button type="submit" variant="secondary" className="border border-red-300 text-red-800">
            Delete page
          </Button>
        </form>
      </section>
    </AdminShell>
  )
 }
--- a/apps/admin/src/app/pages/page.tsx
+++ b/apps/admin/src/app/pages/page.tsx
@@ -0,0 +1,230 @@
 import { createPage, listPages } from "@cms/db"
 import { Button } from "@cms/ui/button"
 import { revalidatePath } from "next/cache"
 import Link from "next/link"
 import { redirect } from "next/navigation"
 import { AdminShell } from "@/components/admin-shell"
 import { requirePermissionForRoute } from "@/lib/route-guards"
 export const dynamic = "force-dynamic"
 type SearchParamsInput = Record<string, string | string[] | undefined>
 function readFirstValue(value: string | string[] | undefined): string | null {
  if (Array.isArray(value)) {
    return value[0] ?? null
  }
  return value ?? null
 }
 function readInputString(formData: FormData, field: string): string {
  const value = formData.get(field)
  return typeof value === "string" ? value.trim() : ""
 }
 function readNullableString(formData: FormData, field: string): string | null {
  const value = readInputString(formData, field)
  return value.length > 0 ? value : null
 }
 function redirectWithState(params: { notice?: string; error?: string }) {
  const query = new URLSearchParams()
  if (params.notice) {
    query.set("notice", params.notice)
  }
  if (params.error) {
    query.set("error", params.error)
  }
  const value = query.toString()
  redirect(value ? `/pages?${value}` : "/pages")
 }
 async function createPageAction(formData: FormData) {
  "use server"
  await requirePermissionForRoute({
    nextPath: "/pages",
    permission: "pages:write",
    scope: "team",
  })
  try {
    await createPage({
      title: readInputString(formData, "title"),
      slug: readInputString(formData, "slug"),
      status: readInputString(formData, "status"),
      summary: readNullableString(formData, "summary"),
      content: readInputString(formData, "content"),
      seoTitle: readNullableString(formData, "seoTitle"),
      seoDescription: readNullableString(formData, "seoDescription"),
    })
  } catch {
    redirectWithState({
      error: "Failed to create page. Validate slug/title/content and try again.",
    })
  }
  revalidatePath("/pages")
  revalidatePath("/navigation")
  redirectWithState({ notice: "Page created." })
 }
 export default async function PagesManagementPage({
  searchParams,
 }: {
  searchParams: Promise<SearchParamsInput>
 }) {
  const role = await requirePermissionForRoute({
    nextPath: "/pages",
    permission: "pages:read",
    scope: "team",
  })
  const [resolvedSearchParams, pages] = await Promise.all([searchParams, listPages(100)])
  const notice = readFirstValue(resolvedSearchParams.notice)
  const error = readFirstValue(resolvedSearchParams.error)
  return (
    <AdminShell
      role={role}
      activePath="/pages"
      badge="Admin App"
      title="Pages"
      description="Create, update, and manage published page entities."
    >
      {notice ? (
        <section className="rounded-xl border border-emerald-300 bg-emerald-50 px-4 py-3 text-sm text-emerald-800">
          {notice}
        </section>
      ) : null}
      {error ? (
        <section className="rounded-xl border border-red-300 bg-red-50 px-4 py-3 text-sm text-red-800">
          {error}
        </section>
      ) : null}
      <section className="rounded-xl border border-neutral-200 p-6">
        <h2 className="text-xl font-medium">Create Page</h2>
        <form action={createPageAction} className="mt-4 space-y-3">
          <div className="grid gap-3 md:grid-cols-3">
            <label className="space-y-1 md:col-span-2">
              <span className="text-xs text-neutral-600">Title</span>
              <input
                name="title"
                required
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              />
            </label>
            <label className="space-y-1">
              <span className="text-xs text-neutral-600">Status</span>
              <select
                name="status"
                defaultValue="draft"
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              >
                <option value="draft">draft</option>
                <option value="published">published</option>
              </select>
            </label>
          </div>
          <label className="space-y-1">
            <span className="text-xs text-neutral-600">Slug</span>
            <input
              name="slug"
              required
              className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
            />
          </label>
          <label className="space-y-1">
            <span className="text-xs text-neutral-600">Summary</span>
            <input
              name="summary"
              className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
            />
          </label>
          <label className="space-y-1">
            <span className="text-xs text-neutral-600">Content</span>
            <textarea
              name="content"
              rows={6}
              required
              className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
            />
          </label>
          <div className="grid gap-3 md:grid-cols-2">
            <label className="space-y-1">
              <span className="text-xs text-neutral-600">SEO title</span>
              <input
                name="seoTitle"
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              />
            </label>
            <label className="space-y-1">
              <span className="text-xs text-neutral-600">SEO description</span>
              <input
                name="seoDescription"
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              />
            </label>
          </div>
          <Button type="submit">Create page</Button>
        </form>
      </section>
      <section className="rounded-xl border border-neutral-200 p-6">
        <h2 className="text-xl font-medium">Pages</h2>
        <div className="mt-4 overflow-x-auto">
          <table className="min-w-full text-left text-sm">
            <thead className="text-xs uppercase tracking-wide text-neutral-500">
              <tr>
                <th className="py-2 pr-4">Title</th>
                <th className="py-2 pr-4">Slug</th>
                <th className="py-2 pr-4">Status</th>
                <th className="py-2 pr-4">Updated</th>
                <th className="py-2 pr-4">Action</th>
              </tr>
            </thead>
            <tbody>
              {pages.length === 0 ? (
                <tr>
                  <td className="py-3 text-neutral-500" colSpan={5}>
                    No pages yet.
                  </td>
                </tr>
              ) : (
                pages.map((page) => (
                  <tr key={page.id} className="border-t border-neutral-200">
                    <td className="py-3 pr-4">{page.title}</td>
                    <td className="py-3 pr-4 text-neutral-600">/{page.slug}</td>
                    <td className="py-3 pr-4">{page.status}</td>
                    <td className="py-3 pr-4 text-neutral-600">
                      {page.updatedAt.toLocaleDateString("en-US")}
                    </td>
                    <td className="py-3 pr-4">
                      <Link
                        href={`/pages/${page.id}`}
                        className="text-xs font-medium text-neutral-700 underline underline-offset-2"
                      >
                        Open
                      </Link>
                    </td>
                  </tr>
                ))
              )}
            </tbody>
          </table>
        </div>
      </section>
    </AdminShell>
  )
 }
--- a/apps/admin/src/app/portfolio/page.tsx
+++ b/apps/admin/src/app/portfolio/page.tsx
@@ -0,0 +1,481 @@
 import {
  attachArtworkRendition,
  createAlbum,
  createArtwork,
  createCategory,
  createGallery,
  createTag,
  linkArtworkToGrouping,
  listArtworks,
  listMediaAssets,
  listMediaFoundationGroups,
 } from "@cms/db"
 import { Button } from "@cms/ui/button"
 import { revalidatePath } from "next/cache"
 import { redirect } from "next/navigation"
 import { AdminShell } from "@/components/admin-shell"
 import { requirePermissionForRoute } from "@/lib/route-guards"
 export const dynamic = "force-dynamic"
 type SearchParamsInput = Record<string, string | string[] | undefined>
 type GroupType = "gallery" | "album" | "category" | "tag"
 function readField(formData: FormData, key: string): string {
  const value = formData.get(key)
  return typeof value === "string" ? value.trim() : ""
 }
 function readOptionalField(formData: FormData, key: string): string | undefined {
  const value = readField(formData, key)
  return value.length > 0 ? value : undefined
 }
 function readFirstValue(value: string | string[] | undefined): string | null {
  if (Array.isArray(value)) {
    return value[0] ?? null
  }
  return value ?? null
 }
 function slugify(input: string): string {
  return input
    .toLowerCase()
    .trim()
    .replace(/[^a-z0-9]+/g, "-")
    .replace(/^-+|-+$/g, "")
    .slice(0, 180)
 }
 function redirectWithState(params: { notice?: string; error?: string }) {
  const query = new URLSearchParams()
  if (params.notice) {
    query.set("notice", params.notice)
  }
  if (params.error) {
    query.set("error", params.error)
  }
  const value = query.toString()
  redirect(value ? `/portfolio?${value}` : "/portfolio")
 }
 async function requireWritePermission() {
  await requirePermissionForRoute({
    nextPath: "/portfolio",
    permission: "media:write",
    scope: "team",
  })
 }
 async function createArtworkAction(formData: FormData) {
  "use server"
  await requireWritePermission()
  const title = readField(formData, "title")
  const slug = slugify(readField(formData, "slug") || title)
  try {
    await createArtwork({
      title,
      slug,
      description: readOptionalField(formData, "description"),
      medium: readOptionalField(formData, "medium"),
      dimensions: readOptionalField(formData, "dimensions"),
      framing: readOptionalField(formData, "framing"),
      availability: readOptionalField(formData, "availability"),
      year: (() => {
        const raw = readField(formData, "year")
        return raw ? Number(raw) : undefined
      })(),
    })
  } catch {
    redirectWithState({ error: "Failed to create artwork." })
  }
  revalidatePath("/portfolio")
  redirectWithState({ notice: "Artwork created." })
 }
 async function createGroupAction(formData: FormData) {
  "use server"
  await requireWritePermission()
  const type = readField(formData, "groupType") as GroupType
  const name = readField(formData, "name")
  const slug = slugify(readField(formData, "slug") || name)
  try {
    if (type === "gallery") {
      await createGallery({
        name,
        slug,
        description: readOptionalField(formData, "description"),
      })
    } else if (type === "album") {
      await createAlbum({
        name,
        slug,
        description: readOptionalField(formData, "description"),
      })
    } else if (type === "category") {
      await createCategory({
        name,
        slug,
        description: readOptionalField(formData, "description"),
      })
    } else {
      await createTag({
        name,
        slug,
      })
    }
  } catch {
    redirectWithState({ error: "Failed to create grouping entity." })
  }
  revalidatePath("/portfolio")
  redirectWithState({ notice: `${type} created.` })
 }
 async function linkArtworkGroupAction(formData: FormData) {
  "use server"
  await requireWritePermission()
  const artworkId = readField(formData, "artworkId")
  const groupType = readField(formData, "groupType") as GroupType
  const groupId = readField(formData, "groupId")
  try {
    await linkArtworkToGrouping({
      artworkId,
      groupType,
      groupId,
    })
  } catch {
    redirectWithState({ error: "Failed to link artwork to grouping." })
  }
  revalidatePath("/portfolio")
  redirectWithState({ notice: "Artwork linked to grouping." })
 }
 async function attachRenditionAction(formData: FormData) {
  "use server"
  await requireWritePermission()
  try {
    await attachArtworkRendition({
      artworkId: readField(formData, "artworkId"),
      mediaAssetId: readField(formData, "mediaAssetId"),
      slot: readField(formData, "slot"),
      width: (() => {
        const raw = readField(formData, "width")
        return raw ? Number(raw) : undefined
      })(),
      height: (() => {
        const raw = readField(formData, "height")
        return raw ? Number(raw) : undefined
      })(),
      isPrimary: readField(formData, "isPrimary") === "true",
    })
  } catch {
    redirectWithState({ error: "Failed to attach artwork rendition." })
  }
  revalidatePath("/portfolio")
  redirectWithState({ notice: "Rendition attached." })
 }
 export default async function PortfolioPage({
  searchParams,
 }: {
  searchParams: Promise<SearchParamsInput>
 }) {
  const role = await requirePermissionForRoute({
    nextPath: "/portfolio",
    permission: "media:read",
    scope: "team",
  })
  const [resolvedSearchParams, artworks, mediaAssets, groups] = await Promise.all([
    searchParams,
    listArtworks(30),
    listMediaAssets(200),
    listMediaFoundationGroups(),
  ])
  const notice = readFirstValue(resolvedSearchParams.notice)
  const error = readFirstValue(resolvedSearchParams.error)
  return (
    <AdminShell
      role={role}
      activePath="/portfolio"
      badge="Admin App"
      title="Portfolio"
      description="Artwork foundation with rendition slots and grouping relations."
    >
      {notice ? (
        <section className="rounded-xl border border-emerald-300 bg-emerald-50 px-4 py-3 text-sm text-emerald-800">
          {notice}
        </section>
      ) : null}
      {error ? (
        <section className="rounded-xl border border-red-300 bg-red-50 px-4 py-3 text-sm text-red-800">
          {error}
        </section>
      ) : null}
      <section className="rounded-xl border border-neutral-200 p-6">
        <h2 className="text-xl font-medium">Create Artwork</h2>
        <form action={createArtworkAction} className="mt-4 space-y-3">
          <div className="grid gap-3 md:grid-cols-2">
            <label className="space-y-1">
              <span className="text-xs text-neutral-600">Title</span>
              <input
                name="title"
                required
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              />
            </label>
            <label className="space-y-1">
              <span className="text-xs text-neutral-600">Slug (optional)</span>
              <input
                name="slug"
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              />
            </label>
          </div>
          <label className="space-y-1">
            <span className="text-xs text-neutral-600">Description</span>
            <textarea
              name="description"
              rows={3}
              className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
            />
          </label>
          <div className="grid gap-3 md:grid-cols-2 xl:grid-cols-4">
            <input
              name="medium"
              placeholder="Medium"
              className="rounded border border-neutral-300 px-3 py-2 text-sm"
            />
            <input
              name="dimensions"
              placeholder="Dimensions"
              className="rounded border border-neutral-300 px-3 py-2 text-sm"
            />
            <input
              name="year"
              type="number"
              placeholder="Year"
              className="rounded border border-neutral-300 px-3 py-2 text-sm"
            />
            <input
              name="framing"
              placeholder="Framing"
              className="rounded border border-neutral-300 px-3 py-2 text-sm"
            />
          </div>
          <input
            name="availability"
            placeholder="Availability"
            className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
          />
          <Button type="submit">Create artwork</Button>
        </form>
      </section>
      <section className="rounded-xl border border-neutral-200 p-6">
        <h2 className="text-xl font-medium">Create Group Entity</h2>
        <form action={createGroupAction} className="mt-4 space-y-3">
          <div className="grid gap-3 md:grid-cols-3">
            <select
              name="groupType"
              defaultValue="gallery"
              className="rounded border border-neutral-300 px-3 py-2 text-sm"
            >
              <option value="gallery">gallery</option>
              <option value="album">album</option>
              <option value="category">category</option>
              <option value="tag">tag</option>
            </select>
            <input
              name="name"
              required
              placeholder="Name"
              className="rounded border border-neutral-300 px-3 py-2 text-sm"
            />
            <input
              name="slug"
              placeholder="Slug (optional)"
              className="rounded border border-neutral-300 px-3 py-2 text-sm"
            />
          </div>
          <textarea
            name="description"
            rows={2}
            placeholder="Description (optional)"
            className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
          />
          <Button type="submit">Create group</Button>
        </form>
      </section>
      <section className="rounded-xl border border-neutral-200 p-6">
        <h2 className="text-xl font-medium">Link Artwork To Group</h2>
        <div className="mt-4 grid gap-4 lg:grid-cols-2">
          {(
            [
              { type: "gallery" as const, label: "Gallery", items: groups.galleries },
              { type: "album" as const, label: "Album", items: groups.albums },
              { type: "category" as const, label: "Category", items: groups.categories },
              { type: "tag" as const, label: "Tag", items: groups.tags },
            ] as const
          ).map((groupConfig) => (
            <form
              key={groupConfig.type}
              action={linkArtworkGroupAction}
              className="space-y-3 rounded border border-neutral-200 p-4"
            >
              <h3 className="text-sm font-semibold">{groupConfig.label} Link</h3>
              <input type="hidden" name="groupType" value={groupConfig.type} />
              <select
                name="artworkId"
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              >
                {artworks.map((artwork) => (
                  <option key={`${groupConfig.type}-${artwork.id}`} value={artwork.id}>
                    {artwork.title}
                  </option>
                ))}
              </select>
              <select
                name="groupId"
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              >
                {groupConfig.items.map((group) => (
                  <option key={`${groupConfig.type}-${group.id}`} value={group.id}>
                    {group.name}
                  </option>
                ))}
              </select>
              <Button type="submit">Link artwork</Button>
            </form>
          ))}
        </div>
      </section>
      <section className="rounded-xl border border-neutral-200 p-6">
        <h2 className="text-xl font-medium">Attach Artwork Rendition Slot</h2>
        <form
          action={attachRenditionAction}
          className="mt-4 grid gap-3 md:grid-cols-3 xl:grid-cols-6"
        >
          <select name="artworkId" className="rounded border border-neutral-300 px-3 py-2 text-sm">
            {artworks.map((artwork) => (
              <option key={artwork.id} value={artwork.id}>
                {artwork.title}
              </option>
            ))}
          </select>
          <select
            name="mediaAssetId"
            className="rounded border border-neutral-300 px-3 py-2 text-sm"
          >
            {mediaAssets.map((asset) => (
              <option key={asset.id} value={asset.id}>
                {asset.title}
              </option>
            ))}
          </select>
          <select
            name="slot"
            defaultValue="thumbnail"
            className="rounded border border-neutral-300 px-3 py-2 text-sm"
          >
            <option value="thumbnail">thumbnail</option>
            <option value="card">card</option>
            <option value="full">full</option>
            <option value="custom">custom</option>
          </select>
          <input
            name="width"
            type="number"
            placeholder="width"
            className="rounded border border-neutral-300 px-3 py-2 text-sm"
          />
          <input
            name="height"
            type="number"
            placeholder="height"
            className="rounded border border-neutral-300 px-3 py-2 text-sm"
          />
          <select
            name="isPrimary"
            defaultValue="false"
            className="rounded border border-neutral-300 px-3 py-2 text-sm"
          >
            <option value="false">not primary</option>
            <option value="true">primary</option>
          </select>
          <div className="md:col-span-3 xl:col-span-6">
            <Button type="submit">Attach rendition</Button>
          </div>
        </form>
      </section>
      <section className="rounded-xl border border-neutral-200 p-6">
        <div className="flex items-center justify-between gap-2">
          <h2 className="text-xl font-medium">Artworks</h2>
          <span className="text-xs uppercase tracking-[0.2em] text-neutral-500">
            MVP1 Foundation
          </span>
        </div>
        <div className="mt-4 overflow-x-auto">
          <table className="min-w-full text-left text-sm">
            <thead className="text-xs uppercase tracking-wide text-neutral-500">
              <tr>
                <th className="py-2 pr-4">Title</th>
                <th className="py-2 pr-4">Slug</th>
                <th className="py-2 pr-4">Published</th>
                <th className="py-2 pr-4">Renditions</th>
                <th className="py-2 pr-4">Groups</th>
              </tr>
            </thead>
            <tbody>
              {artworks.length === 0 ? (
                <tr>
                  <td className="py-3 text-neutral-500" colSpan={5}>
                    No artworks yet. Add creation flows after media upload pipeline lands.
                  </td>
                </tr>
              ) : (
                artworks.map((artwork) => (
                  <tr key={artwork.id} className="border-t border-neutral-200">
                    <td className="py-3 pr-4">{artwork.title}</td>
                    <td className="py-3 pr-4 font-mono text-xs">{artwork.slug}</td>
                    <td className="py-3 pr-4">{artwork.isPublished ? "yes" : "no"}</td>
                    <td className="py-3 pr-4">{artwork.renditions.length}</td>
                    <td className="py-3 pr-4 text-neutral-600">
                      g:{artwork.galleryLinks.length} a:{artwork.albumLinks.length} c:
                      {artwork.categoryLinks.length} t:{artwork.tagLinks.length}
                    </td>
                  </tr>
                ))
              )}
            </tbody>
          </table>
        </div>
      </section>
    </AdminShell>
  )
 }
--- a/apps/admin/src/app/providers.tsx
+++ b/apps/admin/src/app/providers.tsx
@@ -1,9 +1,24 @@
 "use client"
 import type { AppLocale } from "@cms/i18n"
 import type { ReactNode } from "react"
 import type { AdminMessages } from "@/i18n/messages"
 import { AdminI18nProvider } from "@/providers/admin-i18n-provider"
 import { QueryProvider } from "@/providers/query-provider"
-export function Providers({ children }: { children: ReactNode }) {
+export function Providers({
-  return <QueryProvider>{children}</QueryProvider>
+  children,
  locale,
  messages,
 }: {
  children: ReactNode
  locale: AppLocale
  messages: AdminMessages
 }) {
  return (
    <AdminI18nProvider locale={locale} messages={messages}>
      <QueryProvider>{children}</QueryProvider>
    </AdminI18nProvider>
  )
 }
--- a/apps/admin/src/app/register/page.tsx
+++ b/apps/admin/src/app/register/page.tsx
@@ -0,0 +1,40 @@
 import { redirect } from "next/navigation"
 import { LoginForm } from "@/app/login/login-form"
 import { resolveRoleFromServerContext } from "@/lib/access-server"
 import { hasOwnerUser, isSelfRegistrationEnabled } from "@/lib/auth/server"
 export const dynamic = "force-dynamic"
 type SearchParams = Promise<Record<string, string | string[] | undefined>>
 function getSingleValue(input: string | string[] | undefined): string | undefined {
  if (Array.isArray(input)) {
    return input[0]
  }
  return input
 }
 export default async function RegisterPage({ searchParams }: { searchParams: SearchParams }) {
  const params = await searchParams
  const nextPath = getSingleValue(params.next) ?? "/"
  const role = await resolveRoleFromServerContext()
  if (role) {
    redirect("/")
  }
  const hasOwner = await hasOwnerUser()
  if (!hasOwner) {
    redirect(`/welcome?next=${encodeURIComponent(nextPath)}`)
  }
  const enabled = await isSelfRegistrationEnabled()
  if (!enabled) {
    return <LoginForm mode="signup-disabled" />
  }
  return <LoginForm mode="signup-user" />
 }
--- a/apps/admin/src/app/settings/page.tsx
+++ b/apps/admin/src/app/settings/page.tsx
@@ -0,0 +1,180 @@
 import { isAdminSelfRegistrationEnabled, setAdminSelfRegistrationEnabled } from "@cms/db"
 import { Button } from "@cms/ui/button"
 import { revalidatePath } from "next/cache"
 import Link from "next/link"
 import { redirect } from "next/navigation"
 import { AdminShell } from "@/components/admin-shell"
 import { translateMessage } from "@/i18n/messages"
 import { getAdminMessages, resolveAdminLocale } from "@/i18n/server"
 import { requirePermissionForRoute } from "@/lib/route-guards"
 type SearchParamsInput = Promise<Record<string, string | string[] | undefined>>
 function toSingleValue(input: string | string[] | undefined): string | null {
  if (Array.isArray(input)) {
    return input[0] ?? null
  }
  return input ?? null
 }
 async function requireSettingsPermission() {
  await requirePermissionForRoute({
    nextPath: "/settings",
    permission: "users:manage_roles",
    scope: "global",
  })
 }
 async function getSettingsTranslator() {
  const locale = await resolveAdminLocale()
  const messages = await getAdminMessages(locale)
  return (key: string, fallback: string) => translateMessage(messages, key, fallback)
 }
 async function updateRegistrationPolicyAction(formData: FormData) {
  "use server"
  await requireSettingsPermission()
  const t = await getSettingsTranslator()
  const enabled = formData.get("enabled") === "on"
  try {
    await setAdminSelfRegistrationEnabled(enabled)
  } catch (error) {
    const errorMessage = error instanceof Error ? error.message : ""
    const normalizedMessage = errorMessage.toLowerCase()
    const isDatabaseUnavailable = errorMessage.includes("P1001")
    const isSchemaMissing =
      errorMessage.includes("P2021") ||
      normalizedMessage.includes("system_setting") ||
      normalizedMessage.includes("does not exist")
    const userMessage = isDatabaseUnavailable
      ? t(
          "settings.registration.errors.databaseUnavailable",
          "Saving settings failed. The database is currently unreachable.",
        )
      : isSchemaMissing
        ? t(
            "settings.registration.errors.schemaMissing",
            "Saving settings failed. Apply the latest database migrations and try again.",
          )
        : t(
            "settings.registration.errors.updateFailed",
            "Saving settings failed. Ensure database migrations are applied.",
          )
    redirect(`/settings?error=${encodeURIComponent(userMessage)}`)
  }
  revalidatePath("/settings")
  revalidatePath("/register")
  redirect(
    `/settings?notice=${encodeURIComponent(
      t("settings.registration.success.updated", "Registration policy updated."),
    )}`,
  )
 }
 export default async function SettingsPage({ searchParams }: { searchParams: SearchParamsInput }) {
  const role = await requirePermissionForRoute({
    nextPath: "/settings",
    permission: "users:manage_roles",
    scope: "global",
  })
  const [params, locale, isRegistrationEnabled] = await Promise.all([
    searchParams,
    resolveAdminLocale(),
    isAdminSelfRegistrationEnabled(),
  ])
  const messages = await getAdminMessages(locale)
  const t = (key: string, fallback: string) => translateMessage(messages, key, fallback)
  const notice = toSingleValue(params.notice)
  const error = toSingleValue(params.error)
  return (
    <AdminShell
      role={role}
      activePath="/settings"
      badge={t("settings.badge", "Admin Settings")}
      title={t("settings.title", "Settings")}
      description={t(
        "settings.description",
        "Manage runtime policies for the admin authentication and onboarding flow.",
      )}
      actions={
        <Link
          href="/"
          className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
        >
          {t("settings.actions.backToDashboard", "Back to dashboard")}
        </Link>
      }
    >
      {notice ? (
        <section className="rounded-xl border border-emerald-300 bg-emerald-50 px-4 py-3 text-sm text-emerald-800">
          {notice}
        </section>
      ) : null}
      {error ? (
        <section className="rounded-xl border border-red-300 bg-red-50 px-4 py-3 text-sm text-red-800">
          {error}
        </section>
      ) : null}
      <section className="rounded-xl border border-neutral-200 p-6">
        <div className="space-y-5">
          <div className="space-y-2">
            <h2 className="text-xl font-medium">
              {t("settings.registration.title", "Admin self-registration")}
            </h2>
            <p className="text-sm text-neutral-600">
              {t(
                "settings.registration.description",
                "When enabled, /register can create additional admin accounts after initial owner bootstrap.",
              )}
            </p>
          </div>
          <div className="rounded-lg border border-neutral-200 p-4 text-sm text-neutral-700">
            <p>
              {t("settings.registration.currentStatusLabel", "Current status")}:{" "}
              <strong>
                {isRegistrationEnabled
                  ? t("settings.registration.status.enabled", "Enabled")
                  : t("settings.registration.status.disabled", "Disabled")}
              </strong>
            </p>
          </div>
          <form action={updateRegistrationPolicyAction} className="space-y-4">
            <label className="flex items-center gap-3 text-sm">
              <input
                type="checkbox"
                name="enabled"
                defaultChecked={isRegistrationEnabled}
                className="h-4 w-4 rounded border-neutral-300"
              />
              <span>
                {t(
                  "settings.registration.checkboxLabel",
                  "Allow self-registration on /register for admin users",
                )}
              </span>
            </label>
            <Button type="submit">
              {t("settings.registration.actions.save", "Save registration policy")}
            </Button>
          </form>
        </div>
      </section>
    </AdminShell>
  )
 }
--- a/apps/admin/src/app/support/[key]/page.tsx
+++ b/apps/admin/src/app/support/[key]/page.tsx
@@ -0,0 +1,23 @@
 import { notFound, redirect } from "next/navigation"
 import { LoginForm } from "@/app/login/login-form"
 import { resolveRoleFromServerContext } from "@/lib/access-server"
 import { resolveSupportLoginKey } from "@/lib/auth/server"
 export const dynamic = "force-dynamic"
 type Params = Promise<{ key: string }>
 export default async function SupportLoginPage({ params }: { params: Params }) {
  const { key } = await params
  const role = await resolveRoleFromServerContext()
  if (role) {
    redirect("/")
  }
  if (key !== resolveSupportLoginKey()) {
    notFound()
  }
  return <LoginForm mode="signin" />
 }
--- a/apps/admin/src/app/todo/page.tsx
+++ b/apps/admin/src/app/todo/page.tsx
@@ -2,6 +2,9 @@ import { readFile } from "node:fs/promises"
 import path from "node:path"
 import Link from "next/link"
 import { AdminShell } from "@/components/admin-shell"
 import { requirePermissionForRoute } from "@/lib/route-guards"
 export const dynamic = "force-dynamic"
 type TodoState = "done" | "partial" | "planned"
@@ -401,6 +404,12 @@ function filterButtonClass(active: boolean): string {
 export default async function AdminTodoPage(props: {
  searchParams?: SearchParamsInput | Promise<SearchParamsInput>
 }) {
  const role = await requirePermissionForRoute({
    nextPath: "/todo",
    permission: "roadmap:read",
    scope: "global",
  })
  const content = await getTodoMarkdown()
  const sections = parseTodo(content)
  const progress = getProgressCounts(sections)
@@ -420,26 +429,21 @@ export default async function AdminTodoPage(props: {
  }
  return (
-    <main className="mx-auto flex min-h-screen w-full max-w-6xl flex-col gap-8 px-6 py-12">
+    <AdminShell
-      <header className="space-y-4">
+      role={role}
-        <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">Admin App</p>
+      activePath="/todo"
-        <div className="flex flex-wrap items-end justify-between gap-4">
+      badge="Admin App"
-          <div className="space-y-2">
+      title="Roadmap and Progress"
-            <h1 className="text-4xl font-semibold tracking-tight">Roadmap and Progress</h1>
+      description="Structured view from root TODO.md (single source of truth)."
-            <p className="text-neutral-600">
+      actions={
-              Structured view from root `TODO.md` (single source of truth).
+        <Link
-            </p>
+          href="/"
-          </div>
+          className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
-
+        >
-          <Link
+          Back to dashboard
-            href="/"
+        </Link>
-            className="inline-flex rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
+      }
-          >
+    >
            Back to dashboard
          </Link>
        </div>
      </header>
      <section className="rounded-xl border border-neutral-200 bg-neutral-50 p-5">
        <div className="mb-4 flex items-center justify-between gap-4">
          <p className="text-sm font-medium text-neutral-600">Weighted completion</p>
@@ -593,6 +597,6 @@ export default async function AdminTodoPage(props: {
          {content}
        </pre>
      </details>
-    </main>
+    </AdminShell>
  )
 }
--- a/apps/admin/src/app/unauthorized/page.tsx
+++ b/apps/admin/src/app/unauthorized/page.tsx
@@ -0,0 +1,57 @@
 import Link from "next/link"
 type SearchParams = Promise<Record<string, string | string[] | undefined>>
 function getSingleValue(input: string | string[] | undefined): string | undefined {
  if (Array.isArray(input)) {
    return input[0]
  }
  return input
 }
 export default async function UnauthorizedPage({ searchParams }: { searchParams: SearchParams }) {
  const params = await searchParams
  const required = getSingleValue(params.required)
  const scope = getSingleValue(params.scope)
  const reason = getSingleValue(params.reason)
  return (
    <main className="mx-auto flex min-h-screen w-full max-w-xl flex-col gap-6 px-6 py-20">
      <header className="space-y-3">
        <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">Admin App</p>
        <h1 className="text-4xl font-semibold tracking-tight">Access denied</h1>
        <p className="text-neutral-600">
          You do not have the required role/permission for this admin route.
        </p>
      </header>
      <section className="rounded-xl border border-neutral-200 p-5">
        <dl className="space-y-2 text-sm">
          <div className="flex items-center justify-between gap-3">
            <dt className="text-neutral-500">Reason</dt>
            <dd className="font-medium text-neutral-800">{reason ?? "insufficient-permission"}</dd>
          </div>
          <div className="flex items-center justify-between gap-3">
            <dt className="text-neutral-500">Required permission</dt>
            <dd className="font-medium text-neutral-800">{required ?? "n/a"}</dd>
          </div>
          <div className="flex items-center justify-between gap-3">
            <dt className="text-neutral-500">Required scope</dt>
            <dd className="font-medium text-neutral-800">{scope ?? "n/a"}</dd>
          </div>
        </dl>
      </section>
      <Link
        href="/"
        className="inline-flex w-fit rounded-md border border-neutral-300 px-4 py-2 text-sm font-medium hover:bg-neutral-100"
      >
        Back to dashboard
      </Link>
    </main>
  )
 }
--- a/apps/admin/src/app/users/page.tsx
+++ b/apps/admin/src/app/users/page.tsx
@@ -0,0 +1,34 @@
 import { AdminSectionPlaceholder } from "@/components/admin-section-placeholder"
 import { AdminShell } from "@/components/admin-shell"
 import { requirePermissionForRoute } from "@/lib/route-guards"
 export const dynamic = "force-dynamic"
 export default async function UsersManagementPage() {
  const role = await requirePermissionForRoute({
    nextPath: "/users",
    permission: "users:read",
    scope: "own",
  })
  return (
    <AdminShell
      role={role}
      activePath="/users"
      badge="Admin App"
      title="Users"
      description="Prepare user lifecycle and role management operations."
    >
      <AdminSectionPlaceholder
        feature="Users Management"
        summary="This route sets the guardrail and UX entrypoint for role assignment, status, and invitation flows."
        requiredPermission="users:read (own)"
        nextSteps={[
          "Add user list, filter, and detail views.",
          "Add role and permission editing actions with owner/support safety rules.",
          "Add disable/ban and invite workflows.",
        ]}
      />
    </AdminShell>
  )
 }
--- a/apps/admin/src/app/welcome/page.tsx
+++ b/apps/admin/src/app/welcome/page.tsx
@@ -0,0 +1,34 @@
 import { redirect } from "next/navigation"
 import { LoginForm } from "@/app/login/login-form"
 import { resolveRoleFromServerContext } from "@/lib/access-server"
 import { hasOwnerUser } from "@/lib/auth/server"
 export const dynamic = "force-dynamic"
 type SearchParams = Promise<Record<string, string | string[] | undefined>>
 function getSingleValue(input: string | string[] | undefined): string | undefined {
  if (Array.isArray(input)) {
    return input[0]
  }
  return input
 }
 export default async function WelcomePage({ searchParams }: { searchParams: SearchParams }) {
  const params = await searchParams
  const nextPath = getSingleValue(params.next) ?? "/"
  const role = await resolveRoleFromServerContext()
  if (role) {
    redirect("/")
  }
  const hasOwner = await hasOwnerUser()
  if (hasOwner) {
    redirect(`/login?next=${encodeURIComponent(nextPath)}`)
  }
  return <LoginForm mode="signup-owner" />
 }
--- a/apps/admin/src/components/admin-locale-switcher.tsx
+++ b/apps/admin/src/components/admin-locale-switcher.tsx
@@ -0,0 +1,41 @@
 "use client"
 import { type AppLocale, localeLabels, locales } from "@cms/i18n"
 import { useRouter } from "next/navigation"
 import { useTransition } from "react"
 import { ADMIN_LOCALE_COOKIE } from "@/i18n/shared"
 import { useAdminI18n, useAdminT } from "@/providers/admin-i18n-provider"
 export function AdminLocaleSwitcher() {
  const router = useRouter()
  const [isPending, startTransition] = useTransition()
  const { locale } = useAdminI18n()
  const t = useAdminT()
  return (
    <label className="inline-flex items-center gap-2 text-sm text-neutral-700">
      <span>{t("common.language", "Language")}</span>
      <select
        className="rounded-md border border-neutral-300 bg-white px-2 py-1 text-sm"
        value={locale}
        disabled={isPending}
        onChange={(event) => {
          const nextLocale = event.target.value as AppLocale
          // biome-ignore lint/suspicious/noDocumentCookie: locale preference is intentionally persisted client-side.
          document.cookie = `${ADMIN_LOCALE_COOKIE}=${nextLocale}; Path=/; Max-Age=31536000; SameSite=Lax`
          startTransition(() => {
            router.refresh()
          })
        }}
      >
        {locales.map((value) => (
          <option key={value} value={value}>
            {t(`common.localeNames.${value}`, localeLabels[value])} ({localeLabels[value]})
          </option>
        ))}
      </select>
    </label>
  )
 }
--- a/apps/admin/src/components/admin-section-placeholder.tsx
+++ b/apps/admin/src/components/admin-section-placeholder.tsx
@@ -0,0 +1,40 @@
 import type { ReactNode } from "react"
 type AdminSectionPlaceholderProps = {
  feature: string
  summary: string
  requiredPermission: string
  nextSteps: string[]
  children?: ReactNode
 }
 export function AdminSectionPlaceholder({
  feature,
  summary,
  requiredPermission,
  nextSteps,
  children,
 }: AdminSectionPlaceholderProps) {
  return (
    <section className="space-y-5 rounded-xl border border-neutral-200 p-6">
      <div className="space-y-2">
        <h2 className="text-xl font-medium">{feature}</h2>
        <p className="text-sm text-neutral-600">{summary}</p>
        <p className="text-xs uppercase tracking-wide text-neutral-500">
          Required permission: {requiredPermission}
        </p>
      </div>
      {children}
      <div className="rounded-lg border border-neutral-200 bg-neutral-50 p-4">
        <p className="text-sm font-medium text-neutral-800">Planned next steps</p>
        <ul className="mt-2 list-disc space-y-1 pl-5 text-sm text-neutral-600">
          {nextSteps.map((step) => (
            <li key={step}>{step}</li>
          ))}
        </ul>
      </div>
    </section>
  )
 }
--- a/apps/admin/src/components/admin-shell.tsx
+++ b/apps/admin/src/components/admin-shell.tsx
@@ -0,0 +1,126 @@
 import { hasPermission, type Permission, type PermissionScope, type Role } from "@cms/content/rbac"
 import Link from "next/link"
 import type { ReactNode } from "react"
 import { LogoutButton } from "@/app/logout-button"
 import { AdminLocaleSwitcher } from "@/components/admin-locale-switcher"
 import { getBuildInfo } from "@/lib/build-info"
 type AdminShellProps = {
  role: Role
  activePath: string
  badge: string
  title: string
  description: string
  actions?: ReactNode
  children: ReactNode
 }
 type NavItem = {
  href: string
  label: string
  permission: Permission
  scope: PermissionScope
 }
 const navItems: NavItem[] = [
  { href: "/", label: "Dashboard", permission: "dashboard:read", scope: "global" },
  { href: "/pages", label: "Pages", permission: "pages:read", scope: "team" },
  { href: "/navigation", label: "Navigation", permission: "navigation:read", scope: "team" },
  { href: "/media", label: "Media", permission: "media:read", scope: "team" },
  { href: "/portfolio", label: "Portfolio", permission: "media:read", scope: "team" },
  { href: "/users", label: "Users", permission: "users:read", scope: "own" },
  { href: "/commissions", label: "Commissions", permission: "commissions:read", scope: "own" },
  { href: "/settings", label: "Settings", permission: "users:manage_roles", scope: "global" },
  { href: "/todo", label: "Roadmap", permission: "roadmap:read", scope: "global" },
 ]
 function navItemClass(active: boolean): string {
  if (active) {
    return "bg-neutral-900 text-white border-neutral-900"
  }
  return "bg-white text-neutral-700 border-neutral-300 hover:bg-neutral-100"
 }
 function isActiveRoute(activePath: string, href: string): boolean {
  if (href === "/") {
    return activePath === "/"
  }
  return activePath === href || activePath.startsWith(`${href}/`)
 }
 export function AdminShell({
  role,
  activePath,
  badge,
  title,
  description,
  actions,
  children,
 }: AdminShellProps) {
  const buildInfo = getBuildInfo()
  return (
    <div className="mx-auto flex min-h-screen w-full max-w-7xl gap-8 px-6 py-10">
      <aside className="sticky top-0 hidden h-fit w-64 shrink-0 space-y-4 lg:block">
        <div className="rounded-xl border border-neutral-200 bg-white p-4">
          <p className="text-xs font-semibold uppercase tracking-[0.2em] text-neutral-500">
            CMS Admin
          </p>
          <p className="mt-2 text-sm text-neutral-600">Role: {role}</p>
        </div>
        <nav className="space-y-2">
          {navItems
            .filter((item) => hasPermission(role, item.permission, item.scope))
            .map((item) => (
              <Link
                key={item.href}
                href={item.href}
                className={`block rounded-md border px-3 py-2 text-sm font-medium ${navItemClass(isActiveRoute(activePath, item.href))}`}
              >
                {item.label}
              </Link>
            ))}
        </nav>
      </aside>
      <div className="min-w-0 flex-1 space-y-8">
        <nav className="flex flex-wrap gap-2 lg:hidden">
          {navItems
            .filter((item) => hasPermission(role, item.permission, item.scope))
            .map((item) => (
              <Link
                key={`mobile-${item.href}`}
                href={item.href}
                className={`rounded-md border px-3 py-2 text-sm font-medium ${navItemClass(isActiveRoute(activePath, item.href))}`}
              >
                {item.label}
              </Link>
            ))}
        </nav>
        <header className="space-y-3">
          <div className="flex flex-wrap items-center justify-between gap-3">
            <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">{badge}</p>
            <div className="flex items-center gap-2">
              <AdminLocaleSwitcher />
              <LogoutButton />
            </div>
          </div>
          <h1 className="text-4xl font-semibold tracking-tight">{title}</h1>
          <p className="text-neutral-600">{description}</p>
          {actions ? <div className="flex flex-wrap items-center gap-3 pt-1">{actions}</div> : null}
        </header>
        {children}
        <footer className="border-t border-neutral-200 pt-4 text-xs text-neutral-500">
          Build v{buildInfo.version} +sha.{buildInfo.sha}
        </footer>
      </div>
    </div>
  )
 }
--- a/apps/admin/src/components/media/flash-query-cleanup.tsx
+++ b/apps/admin/src/components/media/flash-query-cleanup.tsx
@@ -0,0 +1,19 @@
 "use client"
 import { useEffect } from "react"
 type FlashQueryCleanupProps = {
  enabled: boolean
 }
 export function FlashQueryCleanup({ enabled }: FlashQueryCleanupProps) {
  useEffect(() => {
    if (!enabled) {
      return
    }
    window.history.replaceState(window.history.state, "", "/media")
  }, [enabled])
  return null
 }
--- a/apps/admin/src/components/media/media-upload-form.tsx
+++ b/apps/admin/src/components/media/media-upload-form.tsx
@@ -0,0 +1,167 @@
 "use client"
 import { Button } from "@cms/ui/button"
 import { type FormEvent, useState } from "react"
 type MediaType = "artwork" | "banner" | "promotion" | "video" | "gif" | "generic"
 const ACCEPT_BY_TYPE: Record<MediaType, string> = {
  artwork: "image/jpeg,image/png,image/webp,image/avif,image/gif",
  banner: "image/jpeg,image/png,image/webp,image/avif",
  promotion: "image/jpeg,image/png,image/webp,image/avif,image/gif,video/mp4,video/webm",
  video: "video/mp4,video/webm,video/quicktime",
  gif: "image/gif",
  generic: "image/*,video/*",
 }
 export function MediaUploadForm() {
  const [isSubmitting, setIsSubmitting] = useState(false)
  const [error, setError] = useState<string | null>(null)
  const [mediaType, setMediaType] = useState<MediaType>("artwork")
  async function handleSubmit(event: FormEvent<HTMLFormElement>) {
    event.preventDefault()
    const form = event.currentTarget
    const formData = new FormData(form)
    setError(null)
    setIsSubmitting(true)
    try {
      const response = await fetch("/api/media/upload", {
        method: "POST",
        body: formData,
      })
      if (!response.ok) {
        const payload = (await response.json().catch(() => null)) as {
          message?: string
        } | null
        setError(payload?.message ?? "Upload failed. Please verify file and metadata.")
        return
      }
      const payload = (await response.json().catch(() => null)) as {
        notice?: string
        provider?: "s3" | "local"
        warning?: string
      } | null
      const notice = payload?.notice ?? "Media uploaded."
      const provider = payload?.provider ?? "local"
      const warning = payload?.warning
      const warningQuery = warning ? `&warning=${encodeURIComponent(warning)}` : ""
      window.location.href = `/media?notice=${encodeURIComponent(notice)}&uploadedVia=${encodeURIComponent(provider)}${warningQuery}`
    } catch {
      setError("Upload request failed. Please retry.")
    } finally {
      setIsSubmitting(false)
    }
  }
  return (
    <form onSubmit={handleSubmit} className="mt-4 space-y-3">
      {error ? (
        <p className="rounded border border-red-300 bg-red-50 px-3 py-2 text-sm text-red-700">
          {error}
        </p>
      ) : null}
      <div className="grid gap-3 md:grid-cols-2">
        <label className="space-y-1">
          <span className="text-xs text-neutral-600">Title</span>
          <input
            name="title"
            placeholder="Optional (defaults to file name)"
            className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
          />
        </label>
        <label className="space-y-1">
          <span className="text-xs text-neutral-600">Type</span>
          <select
            name="type"
            value={mediaType}
            onChange={(event) => setMediaType(event.target.value as MediaType)}
            className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
          >
            <option value="artwork">artwork</option>
            <option value="banner">banner</option>
            <option value="promotion">promotion</option>
            <option value="video">video</option>
            <option value="gif">gif</option>
            <option value="generic">generic</option>
          </select>
        </label>
      </div>
      <label className="space-y-1">
        <span className="text-xs text-neutral-600">File</span>
        <input
          name="file"
          type="file"
          required
          accept={ACCEPT_BY_TYPE[mediaType]}
          className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
        />
      </label>
      <label className="space-y-1">
        <span className="text-xs text-neutral-600">Description</span>
        <textarea
          name="description"
          rows={3}
          className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
        />
      </label>
      <div className="grid gap-3 md:grid-cols-2">
        <label className="space-y-1">
          <span className="text-xs text-neutral-600">Alt text</span>
          <input
            name="altText"
            className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
          />
        </label>
        <label className="space-y-1">
          <span className="text-xs text-neutral-600">Author</span>
          <input
            name="author"
            className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
          />
        </label>
      </div>
      <div className="grid gap-3 md:grid-cols-2">
        <label className="space-y-1">
          <span className="text-xs text-neutral-600">Source</span>
          <input
            name="source"
            className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
          />
        </label>
        <label className="space-y-1">
          <span className="text-xs text-neutral-600">Copyright</span>
          <input
            name="copyright"
            className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
          />
        </label>
      </div>
      <label className="space-y-1">
        <span className="text-xs text-neutral-600">Tags (comma-separated)</span>
        <input name="tags" className="w-full rounded border border-neutral-300 px-3 py-2 text-sm" />
      </label>
      <label className="inline-flex items-center gap-2 text-sm text-neutral-700">
        <input name="isPublished" type="checkbox" value="true" className="size-4" />
        Publish immediately
      </label>
      <Button type="submit" disabled={isSubmitting}>
        {isSubmitting ? "Uploading..." : "Upload media"}
      </Button>
    </form>
  )
 }
--- a/apps/admin/src/i18n/messages.test.ts
+++ b/apps/admin/src/i18n/messages.test.ts
@@ -0,0 +1,147 @@
 import { describe, expect, it } from "vitest"
 import type { AdminMessages } from "./messages"
 import { translateMessage } from "./messages"
 const messages: AdminMessages = {
  common: {
    language: "Language",
    localeNames: {
      de: "German",
      en: "English",
      es: "Spanish",
      fr: "French",
    },
  },
  auth: {
    badge: "Admin Auth",
    titles: {
      signIn: "Sign in",
      signUpOwner: "Welcome",
      signUpUser: "Create account",
      signUpDisabled: "Registration disabled",
    },
    descriptions: {
      signIn: "Sign in description",
      signUpOwner: "Owner description",
      signUpUser: "User description",
      signUpDisabled: "Disabled description",
    },
    fields: {
      name: "Name",
      emailOrUsername: "Email or username",
      email: "Email",
      username: "Username",
      password: "Password",
    },
    actions: {
      signInIdle: "Sign in",
      signInBusy: "Signing in...",
      signUpOwnerIdle: "Create owner account",
      signUpUserIdle: "Create account",
      signUpBusy: "Creating account...",
    },
    links: {
      needAccount: "Need an account?",
      register: "Register",
      alreadyHaveAccount: "Already have an account?",
      goToSignIn: "Go to sign in",
    },
    messages: {
      ownerCreated: "Owner account created.",
      accountCreated: "Account created.",
      registrationDisabled: "Registration is disabled.",
    },
    errors: {
      nameRequired: "Name is required.",
      signInFailed: "Sign in failed",
      signUpFailed: "Sign up failed",
      networkSignIn: "Network sign in error",
      networkSignUp: "Network sign up error",
    },
  },
  settings: {
    badge: "Admin Settings",
    title: "Settings",
    description: "Settings description",
    actions: {
      backToDashboard: "Back to dashboard",
    },
    registration: {
      title: "Registration",
      description: "Registration description",
      currentStatusLabel: "Current status",
      status: {
        enabled: "Enabled",
        disabled: "Disabled",
      },
      checkboxLabel: "Allow registration",
      actions: {
        save: "Save",
      },
      success: {
        updated: "Updated",
      },
      errors: {
        updateFailed: "Update failed",
      },
    },
  },
  dashboard: {
    badge: "Admin App",
    title: "Content Dashboard",
    description: "Manage content.",
    actions: {
      openRoadmap: "Open roadmap",
    },
    notices: {
      noCrudPermission: "No permission.",
      crudSandboxTag: "MVP0 functional test",
    },
    posts: {
      title: "Posts CRUD Sandbox",
      createTitle: "Create post",
      fields: {
        title: "Title",
        slug: "Slug",
        excerpt: "Excerpt",
        body: "Body",
        status: "Status",
      },
      status: {
        draft: "Draft",
        published: "Published",
      },
      actions: {
        create: "Create post",
        save: "Save changes",
        delete: "Delete",
      },
      errors: {
        createFailed: "Create failed.",
        updateFailed: "Update failed.",
        updateMissingId: "Missing post id.",
        deleteFailed: "Delete failed.",
        deleteMissingId: "Missing post id.",
      },
      success: {
        created: "Post created.",
        updated: "Post updated.",
        deleted: "Post deleted.",
      },
      fallback: {
        noExcerpt: "No excerpt",
      },
    },
  },
 }
 describe("translateMessage", () => {
  it("resolves nested keys", () => {
    expect(translateMessage(messages, "dashboard.title")).toBe("Content Dashboard")
  })
  it("returns fallback for unknown keys", () => {
    expect(translateMessage(messages, "dashboard.unknown", "Fallback")).toBe("Fallback")
  })
 })
--- a/apps/admin/src/i18n/messages.ts
+++ b/apps/admin/src/i18n/messages.ts
@@ -0,0 +1,27 @@
 import type enMessages from "../messages/en.json"
 export type AdminMessages = typeof enMessages
 function resolveNestedValue(source: unknown, key: string): unknown {
  let current: unknown = source
  for (const segment of key.split(".")) {
    if (!current || typeof current !== "object") {
      return null
    }
    current = (current as Record<string, unknown>)[segment]
  }
  return current
 }
 export function translateMessage(messages: AdminMessages, key: string, fallback?: string): string {
  const resolved = resolveNestedValue(messages, key)
  if (typeof resolved === "string") {
    return resolved
  }
  return fallback ?? key
 }
--- a/apps/admin/src/i18n/server.test.ts
+++ b/apps/admin/src/i18n/server.test.ts
@@ -0,0 +1,17 @@
 import { describe, expect, it } from "vitest"
 import { resolveAdminLocaleFromCookieValue } from "./server"
 describe("resolveAdminLocaleFromCookieValue", () => {
  it("accepts supported locales", () => {
    expect(resolveAdminLocaleFromCookieValue("de")).toBe("de")
    expect(resolveAdminLocaleFromCookieValue("en")).toBe("en")
    expect(resolveAdminLocaleFromCookieValue("es")).toBe("es")
    expect(resolveAdminLocaleFromCookieValue("fr")).toBe("fr")
  })
  it("falls back to default locale for unknown values", () => {
    expect(resolveAdminLocaleFromCookieValue("it")).toBe("en")
    expect(resolveAdminLocaleFromCookieValue(undefined)).toBe("en")
  })
 })
--- a/apps/admin/src/i18n/server.ts
+++ b/apps/admin/src/i18n/server.ts
@@ -0,0 +1,23 @@
 import { type AppLocale, defaultLocale, isAppLocale } from "@cms/i18n"
 import { cookies } from "next/headers"
 import type { AdminMessages } from "./messages"
 import { ADMIN_LOCALE_COOKIE } from "./shared"
 export function resolveAdminLocaleFromCookieValue(value: string | undefined): AppLocale {
  if (value && isAppLocale(value)) {
    return value
  }
  return defaultLocale
 }
 export async function resolveAdminLocale(): Promise<AppLocale> {
  const cookieStore = await cookies()
  const value = cookieStore.get(ADMIN_LOCALE_COOKIE)?.value
  return resolveAdminLocaleFromCookieValue(value)
 }
 export async function getAdminMessages(locale: AppLocale): Promise<AdminMessages> {
  return (await import(`../messages/${locale}.json`)).default as AdminMessages
 }
--- a/apps/admin/src/i18n/shared.ts
+++ b/apps/admin/src/i18n/shared.ts
@@ -0,0 +1 @@
 export const ADMIN_LOCALE_COOKIE = "cms_admin_locale"
--- a/apps/admin/src/lib/access-server.ts
+++ b/apps/admin/src/lib/access-server.ts
@@ -0,0 +1,42 @@
 import "server-only"
 import type { Role } from "@cms/content/rbac"
 import { cookies, headers } from "next/headers"
 import { auth, resolveRoleFromAuthSession } from "@/lib/auth/server"
 import { resolveDefaultRole, resolveRoleFromRawValue } from "./access"
 export async function resolveRoleFromServerContext(): Promise<Role | null> {
  const roleFromAuthSession = await resolveRoleFromAuthSessionInServerContext()
  if (roleFromAuthSession) {
    return roleFromAuthSession
  }
  const cookieStore = await cookies()
  const headerStore = await headers()
  const roleFromCookie = cookieStore.get("cms_role")?.value
  const roleFromHeader = headerStore.get("x-cms-role")
  const resolved = resolveRoleFromRawValue(roleFromCookie ?? roleFromHeader)
  if (resolved) {
    return resolved
  }
  return resolveDefaultRole()
 }
 async function resolveRoleFromAuthSessionInServerContext(): Promise<Role | null> {
  try {
    const headerStore = await headers()
    const session = await auth.api.getSession({
      headers: headerStore,
    })
    return resolveRoleFromAuthSession(session)
  } catch {
    return null
  }
 }
--- a/apps/admin/src/lib/access.test.ts
+++ b/apps/admin/src/lib/access.test.ts
@@ -0,0 +1,51 @@
 import { describe, expect, it } from "vitest"
 import { canAccessRoute, getRequiredPermission, isPublicRoute } from "./access"
 describe("admin route access rules", () => {
  it("treats support fallback route as public", () => {
    expect(isPublicRoute("/support/support-access")).toBe(true)
    expect(canAccessRoute("editor", "/support/support-access")).toBe(true)
  })
  it("keeps settings route restricted to role with users:manage_roles", () => {
    expect(isPublicRoute("/settings")).toBe(false)
    expect(canAccessRoute("manager", "/settings")).toBe(false)
    expect(canAccessRoute("admin", "/settings")).toBe(true)
    expect(canAccessRoute("owner", "/settings")).toBe(true)
  })
  it("resolves route-specific permission requirements", () => {
    expect(getRequiredPermission("/todo")).toEqual({
      permission: "roadmap:read",
      scope: "global",
    })
  })
  it("maps new admin IA routes to dedicated permissions", () => {
    expect(getRequiredPermission("/pages")).toEqual({
      permission: "pages:read",
      scope: "team",
    })
    expect(getRequiredPermission("/navigation")).toEqual({
      permission: "navigation:read",
      scope: "team",
    })
    expect(getRequiredPermission("/media")).toEqual({
      permission: "media:read",
      scope: "team",
    })
    expect(getRequiredPermission("/portfolio")).toEqual({
      permission: "media:read",
      scope: "team",
    })
    expect(getRequiredPermission("/users")).toEqual({
      permission: "users:read",
      scope: "own",
    })
    expect(getRequiredPermission("/commissions")).toEqual({
      permission: "commissions:read",
      scope: "own",
    })
  })
 })
--- a/apps/admin/src/lib/access.ts
+++ b/apps/admin/src/lib/access.ts
@@ -0,0 +1,163 @@
 import { hasPermission, normalizeRole, type PermissionScope, type Role } from "@cms/content/rbac"
 import type { NextRequest } from "next/server"
 type RoutePermission = {
  permission: Parameters<typeof hasPermission>[1]
  scope: PermissionScope
 }
 type GuardRule = {
  route: RegExp
  requirement: RoutePermission | null
 }
 const guardRules: GuardRule[] = [
  {
    route: /^\/unauthorized(?:\/|$)/,
    requirement: null,
  },
  {
    route: /^\/api\/auth(?:\/|$)/,
    requirement: null,
  },
  {
    route: /^\/login(?:\/|$)/,
    requirement: null,
  },
  {
    route: /^\/register(?:\/|$)/,
    requirement: null,
  },
  {
    route: /^\/welcome(?:\/|$)/,
    requirement: null,
  },
  {
    route: /^\/support\/[^/]+(?:\/|$)/,
    requirement: null,
  },
  {
    route: /^\/todo(?:\/|$)/,
    requirement: {
      permission: "roadmap:read",
      scope: "global",
    },
  },
  {
    route: /^\/pages(?:\/|$)/,
    requirement: {
      permission: "pages:read",
      scope: "team",
    },
  },
  {
    route: /^\/navigation(?:\/|$)/,
    requirement: {
      permission: "navigation:read",
      scope: "team",
    },
  },
  {
    route: /^\/media(?:\/|$)/,
    requirement: {
      permission: "media:read",
      scope: "team",
    },
  },
  {
    route: /^\/portfolio(?:\/|$)/,
    requirement: {
      permission: "media:read",
      scope: "team",
    },
  },
  {
    route: /^\/users(?:\/|$)/,
    requirement: {
      permission: "users:read",
      scope: "own",
    },
  },
  {
    route: /^\/commissions(?:\/|$)/,
    requirement: {
      permission: "commissions:read",
      scope: "own",
    },
  },
  {
    route: /^\/settings(?:\/|$)/,
    requirement: {
      permission: "users:manage_roles",
      scope: "global",
    },
  },
  {
    route: /^\/(?:$|\?)/,
    requirement: {
      permission: "dashboard:read",
      scope: "global",
    },
  },
 ]
 export function resolveDefaultRole(): Role | null {
  if (process.env.NODE_ENV === "production") {
    return null
  }
  return normalizeRole(process.env.CMS_DEV_ROLE)
 }
 export function resolveRoleFromRawValue(raw: string | null | undefined): Role | null {
  return normalizeRole(raw)
 }
 export function resolveRoleFromRequest(request: NextRequest): Role | null {
  const roleFromCookie = request.cookies.get("cms_role")?.value
  const roleFromHeader = request.headers.get("x-cms-role")
  const resolved = resolveRoleFromRawValue(roleFromCookie ?? roleFromHeader)
  if (resolved) {
    return resolved
  }
  return resolveDefaultRole()
 }
 export function getRequiredPermission(pathname: string): RoutePermission {
  for (const rule of guardRules) {
    if (rule.route.test(pathname)) {
      return (
        rule.requirement ?? {
          permission: "dashboard:read",
          scope: "global",
        }
      )
    }
  }
  return {
    permission: "dashboard:read",
    scope: "global",
  }
 }
 export function canAccessRoute(role: Role, pathname: string): boolean {
  const rule = guardRules.find((item) => item.route.test(pathname))
  if (rule && rule.requirement === null) {
    return true
  }
  const requirement = getRequiredPermission(pathname)
  return hasPermission(role, requirement.permission, requirement.scope)
 }
 export function isPublicRoute(pathname: string): boolean {
  const rule = guardRules.find((item) => item.route.test(pathname))
  return rule?.requirement === null
 }
--- a/apps/admin/src/lib/auth/server.ts
+++ b/apps/admin/src/lib/auth/server.ts
@@ -0,0 +1,522 @@
 import { normalizeRole, type Role } from "@cms/content/rbac"
 import { db, isAdminSelfRegistrationEnabled } from "@cms/db"
 import { betterAuth } from "better-auth"
 import { prismaAdapter } from "better-auth/adapters/prisma"
 import { toNextJsHandler } from "better-auth/next-js"
 const FALLBACK_DEV_SECRET = "dev-only-change-me-for-production"
 const isProduction = process.env.NODE_ENV === "production"
 const adminOrigin = process.env.CMS_ADMIN_ORIGIN ?? "http://localhost:3001"
 const webOrigin = process.env.CMS_WEB_ORIGIN ?? "http://localhost:3000"
 const DEFAULT_SUPPORT_USERNAME = "support"
 const DEFAULT_SUPPORT_PASSWORD = "change-me-support-password"
 const DEFAULT_SUPPORT_NAME = "Technical Support"
 const DEFAULT_SUPPORT_LOGIN_KEY = "support-access"
 const USERNAME_MAX_LENGTH = 32
 function resolveAuthSecret(): string {
  const value = process.env.BETTER_AUTH_SECRET
  if (value) {
    return value
  }
  if (isProduction) {
    throw new Error("BETTER_AUTH_SECRET is required in production")
  }
  return FALLBACK_DEV_SECRET
 }
 export async function hasOwnerUser(): Promise<boolean> {
  const ownerCount = await db.user.count({
    where: { role: "owner" },
  })
  return ownerCount > 0
 }
 export async function isInitialOwnerRegistrationOpen(): Promise<boolean> {
  return !(await hasOwnerUser())
 }
 export async function isSelfRegistrationEnabled(): Promise<boolean> {
  return isAdminSelfRegistrationEnabled()
 }
 export async function canUserSelfRegister(): Promise<boolean> {
  if (!(await hasOwnerUser())) {
    return true
  }
  return isSelfRegistrationEnabled()
 }
 export function resolveSupportLoginKey(): string {
  const value = process.env.CMS_SUPPORT_LOGIN_KEY
  if (value) {
    return value
  }
  if (isProduction) {
    throw new Error("CMS_SUPPORT_LOGIN_KEY is required in production")
  }
  return DEFAULT_SUPPORT_LOGIN_KEY
 }
 function resolveBootstrapValue(
  envKey: string,
  fallback: string,
  options: {
    requiredInProduction?: boolean
  } = {},
 ): string {
  const value = process.env[envKey]
  if (value) {
    return value
  }
  if (isProduction && options.requiredInProduction) {
    throw new Error(`${envKey} is required in production`)
  }
  return fallback
 }
 function normalizeUsernameCandidate(input: string | null | undefined): string | null {
  if (!input) {
    return null
  }
  const normalized = input
    .trim()
    .toLowerCase()
    .replace(/[^a-z0-9._-]+/g, "-")
    .replace(/^[._-]+|[._-]+$/g, "")
    .slice(0, USERNAME_MAX_LENGTH)
  if (!normalized) {
    return null
  }
  return normalized
 }
 function extractEmailLocalPart(email: string): string {
  return email.split("@")[0] ?? email
 }
 async function getAvailableUsername(base: string): Promise<string> {
  const normalizedBase = normalizeUsernameCandidate(base) ?? "user"
  for (let suffix = 0; suffix < 1000; suffix += 1) {
    const candidate =
      suffix === 0 ? normalizedBase : `${normalizedBase}-${suffix}`.slice(0, USERNAME_MAX_LENGTH)
    const existing = await db.user.findUnique({
      where: { username: candidate },
      select: { id: true },
    })
    if (!existing) {
      return candidate
    }
  }
  throw new Error("Unable to allocate unique username")
 }
 export async function ensureUserUsername(
  userId: string,
  options: {
    preferred?: string | null | undefined
    fallbackEmail?: string | null | undefined
    fallbackName?: string | null | undefined
  } = {},
 ): Promise<string | null> {
  const user = await db.user.findUnique({
    where: { id: userId },
    select: { id: true, username: true, email: true, name: true },
  })
  if (!user) {
    return null
  }
  if (user.username) {
    return user.username
  }
  const baseCandidate =
    normalizeUsernameCandidate(options.preferred) ??
    normalizeUsernameCandidate(
      options.fallbackEmail ? extractEmailLocalPart(options.fallbackEmail) : null,
    ) ??
    normalizeUsernameCandidate(options.fallbackName) ??
    normalizeUsernameCandidate(extractEmailLocalPart(user.email)) ??
    normalizeUsernameCandidate(user.name) ??
    "user"
  const username = await getAvailableUsername(baseCandidate)
  await db.user.update({
    where: { id: user.id },
    data: { username },
  })
  return username
 }
 export async function resolveEmailFromLoginIdentifier(
  identifier: string | null | undefined,
 ): Promise<string | null> {
  const value = identifier?.trim()
  if (!value) {
    return null
  }
  if (value.includes("@")) {
    return value.toLowerCase()
  }
  const username = normalizeUsernameCandidate(value)
  if (!username) {
    return null
  }
  const user = await db.user.findUnique({
    where: { username },
    select: { email: true },
  })
  return user?.email ?? null
 }
 export const auth = betterAuth({
  appName: "CMS Admin",
  baseURL: process.env.BETTER_AUTH_URL ?? adminOrigin,
  secret: resolveAuthSecret(),
  trustedOrigins: [adminOrigin, webOrigin],
  database: prismaAdapter(db, {
    provider: "postgresql",
  }),
  emailAndPassword: {
    enabled: true,
    // Sign-up gating is handled in route layer so we can close registration
    // automatically after the first owner account is created.
    disableSignUp: false,
  },
  user: {
    additionalFields: {
      role: {
        type: "string",
        required: true,
        defaultValue: "editor",
        input: false,
      },
      username: {
        type: "string",
        required: false,
        input: false,
      },
      isBanned: {
        type: "boolean",
        required: true,
        defaultValue: false,
        input: false,
      },
      isSystem: {
        type: "boolean",
        required: true,
        defaultValue: false,
        input: false,
      },
      isHidden: {
        type: "boolean",
        required: true,
        defaultValue: false,
        input: false,
      },
      isProtected: {
        type: "boolean",
        required: true,
        defaultValue: false,
        input: false,
      },
    },
  },
 })
 export const authRouteHandlers = toNextJsHandler(auth)
 export type AuthSession = typeof auth.$Infer.Session
 let supportBootstrapPromise: Promise<void> | null = null
 type BootstrapUserConfig = {
  email: string
  username: string
  name: string
  password: string
  role: Role
  isHidden: boolean
 }
 async function ensureCredentialUser(config: BootstrapUserConfig): Promise<void> {
  const ctx = await auth.$context
  const normalizedEmail = config.email.toLowerCase()
  const existing = await ctx.internalAdapter.findUserByEmail(normalizedEmail, {
    includeAccounts: true,
  })
  if (existing?.user) {
    await db.user.update({
      where: { id: existing.user.id },
      data: {
        name: config.name,
        role: config.role,
        isBanned: false,
        isSystem: true,
        isHidden: config.isHidden,
        isProtected: true,
      },
    })
    const hasCredentialAccount = existing.accounts.some(
      (account) => account.providerId === "credential",
    )
    if (!hasCredentialAccount) {
      const passwordHash = await ctx.password.hash(config.password)
      await ctx.internalAdapter.linkAccount({
        userId: existing.user.id,
        providerId: "credential",
        accountId: existing.user.id,
        password: passwordHash,
      })
    }
    await ensureUserUsername(existing.user.id, {
      preferred: config.username,
      fallbackEmail: existing.user.email,
      fallbackName: config.name,
    })
    return
  }
  const availableUsername = await getAvailableUsername(config.username)
  const passwordHash = await ctx.password.hash(config.password)
  const createdUser = await ctx.internalAdapter.createUser({
    name: config.name,
    email: normalizedEmail,
    username: availableUsername,
    emailVerified: true,
    role: config.role,
    isBanned: false,
    isSystem: true,
    isHidden: config.isHidden,
    isProtected: true,
  })
  await ctx.internalAdapter.linkAccount({
    userId: createdUser.id,
    providerId: "credential",
    accountId: createdUser.id,
    password: passwordHash,
  })
 }
 async function bootstrapSystemUsers(): Promise<void> {
  const supportUsername = resolveBootstrapValue("CMS_SUPPORT_USERNAME", DEFAULT_SUPPORT_USERNAME)
  const supportEmail = resolveBootstrapValue("CMS_SUPPORT_EMAIL", `${supportUsername}@cms.local`)
  const supportPassword = resolveBootstrapValue("CMS_SUPPORT_PASSWORD", DEFAULT_SUPPORT_PASSWORD, {
    requiredInProduction: true,
  })
  const supportName = resolveBootstrapValue("CMS_SUPPORT_NAME", DEFAULT_SUPPORT_NAME)
  await ensureCredentialUser({
    email: supportEmail,
    username: supportUsername,
    name: supportName,
    password: supportPassword,
    role: "support",
    isHidden: true,
  })
 }
 export async function ensureSupportUserBootstrap(): Promise<void> {
  if (supportBootstrapPromise) {
    await supportBootstrapPromise
    return
  }
  supportBootstrapPromise = (async () => {
    await bootstrapSystemUsers()
    await enforceOwnerInvariant()
  })()
  try {
    await supportBootstrapPromise
  } catch (error) {
    supportBootstrapPromise = null
    throw error
  }
 }
 type OwnerInvariantState = {
  ownerId: string | null
  ownerCount: number
  repaired: boolean
 }
 export async function enforceOwnerInvariant(): Promise<OwnerInvariantState> {
  return db.$transaction(async (tx) => {
    const owners = await tx.user.findMany({
      where: { role: "owner" },
      orderBy: [{ createdAt: "asc" }, { id: "asc" }],
      select: { id: true, isProtected: true, isBanned: true },
    })
    if (owners.length === 0) {
      const candidate = await tx.user.findFirst({
        where: {
          role: {
            not: "support",
          },
        },
        orderBy: [{ createdAt: "asc" }, { id: "asc" }],
        select: { id: true },
      })
      if (!candidate) {
        return {
          ownerId: null,
          ownerCount: 0,
          repaired: false,
        }
      }
      await tx.user.update({
        where: { id: candidate.id },
        data: {
          role: "owner",
          isProtected: true,
          isBanned: false,
        },
      })
      return {
        ownerId: candidate.id,
        ownerCount: 1,
        repaired: true,
      }
    }
    const canonicalOwner = owners[0]
    const extraOwnerIds = owners.slice(1).map((owner) => owner.id)
    if (extraOwnerIds.length > 0) {
      await tx.user.updateMany({
        where: { id: { in: extraOwnerIds } },
        data: {
          role: "admin",
          isProtected: false,
        },
      })
    }
    if (!canonicalOwner.isProtected || canonicalOwner.isBanned) {
      await tx.user.update({
        where: { id: canonicalOwner.id },
        data: {
          isProtected: true,
          isBanned: false,
        },
      })
    }
    return {
      ownerId: canonicalOwner.id,
      ownerCount: 1,
      repaired: extraOwnerIds.length > 0 || !canonicalOwner.isProtected || canonicalOwner.isBanned,
    }
  })
 }
 export async function canDeleteUserAccount(userId: string): Promise<boolean> {
  const user = await db.user.findUnique({
    where: { id: userId },
    select: { role: true, isProtected: true },
  })
  if (!user) {
    return false
  }
  // Protected/system users (support + canonical owner) are never deletable
  // through self-service endpoints.
  if (user.isProtected) {
    return false
  }
  if (user.role !== "owner") {
    return true
  }
  // Defensive fallback for drifted data; normal flow should already keep one owner.
  const ownerCount = await db.user.count({
    where: { role: "owner" },
  })
  return ownerCount > 1
 }
 export async function promoteFirstRegisteredUserToOwner(userId: string): Promise<boolean> {
  const promoted = await db.$transaction(async (tx) => {
    const existingOwner = await tx.user.findFirst({
      where: { role: "owner" },
      select: { id: true },
    })
    if (existingOwner) {
      return false
    }
    await tx.user.update({
      where: { id: userId },
      data: {
        role: "owner",
        isSystem: false,
        isHidden: false,
        isProtected: true,
        isBanned: false,
      },
    })
    return true
  })
  if (promoted) {
    await enforceOwnerInvariant()
  }
  return promoted
 }
 export function resolveRoleFromAuthSession(session: AuthSession | null | undefined): Role | null {
  const sessionUserRole = session?.user?.role
  if (typeof sessionUserRole !== "string") {
    return null
  }
  return normalizeRole(sessionUserRole)
 }
--- a/apps/admin/src/lib/build-info.test.ts
+++ b/apps/admin/src/lib/build-info.test.ts
@@ -0,0 +1,29 @@
 import { afterEach, describe, expect, it, vi } from "vitest"
 import { getBuildInfo } from "./build-info"
 afterEach(() => {
  vi.unstubAllEnvs()
 })
 describe("getBuildInfo (admin)", () => {
  it("returns fallback values when env is missing", () => {
    vi.stubEnv("NEXT_PUBLIC_APP_VERSION", "")
    vi.stubEnv("NEXT_PUBLIC_GIT_SHA", "")
    expect(getBuildInfo()).toEqual({
      version: "0.0.1-dev",
      sha: "local",
    })
  })
  it("uses env values and truncates git sha", () => {
    vi.stubEnv("NEXT_PUBLIC_APP_VERSION", "0.2.0")
    vi.stubEnv("NEXT_PUBLIC_GIT_SHA", "abcdef123456")
    expect(getBuildInfo()).toEqual({
      version: "0.2.0",
      sha: "abcdef1",
    })
  })
 })
--- a/apps/admin/src/lib/build-info.ts
+++ b/apps/admin/src/lib/build-info.ts
@@ -0,0 +1,21 @@
 const FALLBACK_VERSION = "0.0.1-dev"
 const FALLBACK_SHA = "local"
 function shortenSha(input: string): string {
  const value = input.trim()
  if (!value) {
    return FALLBACK_SHA
  }
  return value.slice(0, 7)
 }
 export function getBuildInfo() {
  const version = process.env.NEXT_PUBLIC_APP_VERSION?.trim() || FALLBACK_VERSION
  const sha = shortenSha(process.env.NEXT_PUBLIC_GIT_SHA ?? "")
  return {
    version,
    sha,
  }
 }
--- a/apps/admin/src/lib/media/local-storage.ts
+++ b/apps/admin/src/lib/media/local-storage.ts
@@ -0,0 +1,66 @@
 import { mkdir, rm, writeFile } from "node:fs/promises"
 import path from "node:path"
 import { buildMediaStorageKey } from "@/lib/media/storage-key"
 type StoreLocalUploadParams = {
  file: File
  tenantId: string
  assetId: string
  fileRole: string
  variant: string
 }
 type StoredUpload = {
  storageKey: string
 }
 export function resolveLocalMediaBaseDirectory(): string {
  const configured = process.env.CMS_MEDIA_LOCAL_STORAGE_DIR?.trim()
  if (configured) {
    return path.resolve(configured)
  }
  return path.resolve(process.cwd(), ".data", "media")
 }
 export async function storeUploadLocally(params: StoreLocalUploadParams): Promise<StoredUpload> {
  const storageKey = buildMediaStorageKey({
    tenantId: params.tenantId,
    assetId: params.assetId,
    fileRole: params.fileRole,
    variant: params.variant,
    fileName: params.file.name,
  })
  const baseDirectory = resolveLocalMediaBaseDirectory()
  const outputPath = path.join(baseDirectory, storageKey)
  await mkdir(path.dirname(outputPath), { recursive: true })
  const bytes = new Uint8Array(await params.file.arrayBuffer())
  await writeFile(outputPath, bytes)
  return { storageKey }
 }
 export async function deleteLocalStorageObject(storageKey: string): Promise<boolean> {
  const baseDirectory = resolveLocalMediaBaseDirectory()
  const outputPath = path.join(baseDirectory, storageKey)
  try {
    await rm(outputPath)
    return true
  } catch (error) {
    const code =
      typeof error === "object" && error !== null && "code" in error
        ? String((error as { code?: unknown }).code)
        : ""
    if (code === "ENOENT") {
      return false
    }
    throw error
  }
 }
--- a/apps/admin/src/lib/media/s3-storage.ts
+++ b/apps/admin/src/lib/media/s3-storage.ts
@@ -0,0 +1,103 @@
 import { DeleteObjectCommand, PutObjectCommand, S3Client } from "@aws-sdk/client-s3"
 import { buildMediaStorageKey } from "@/lib/media/storage-key"
 type StoreS3UploadParams = {
  file: File
  tenantId: string
  assetId: string
  fileRole: string
  variant: string
 }
 type StoredUpload = {
  storageKey: string
 }
 type S3Config = {
  bucket: string
  region: string
  endpoint?: string
  accessKeyId: string
  secretAccessKey: string
  forcePathStyle?: boolean
 }
 function parseBoolean(value: string | undefined): boolean {
  return value?.toLowerCase() === "true"
 }
 export function resolveS3Config(): S3Config {
  const bucket = process.env.CMS_MEDIA_S3_BUCKET?.trim()
  const region = process.env.CMS_MEDIA_S3_REGION?.trim()
  const accessKeyId = process.env.CMS_MEDIA_S3_ACCESS_KEY_ID?.trim()
  const secretAccessKey = process.env.CMS_MEDIA_S3_SECRET_ACCESS_KEY?.trim()
  const endpoint = process.env.CMS_MEDIA_S3_ENDPOINT?.trim() || undefined
  if (!bucket || !region || !accessKeyId || !secretAccessKey) {
    throw new Error(
      "S3 storage selected but required env vars are missing: CMS_MEDIA_S3_BUCKET, CMS_MEDIA_S3_REGION, CMS_MEDIA_S3_ACCESS_KEY_ID, CMS_MEDIA_S3_SECRET_ACCESS_KEY",
    )
  }
  return {
    bucket,
    region,
    endpoint,
    accessKeyId,
    secretAccessKey,
    forcePathStyle: parseBoolean(process.env.CMS_MEDIA_S3_FORCE_PATH_STYLE),
  }
 }
 export function createS3Client(config: S3Config): S3Client {
  return new S3Client({
    region: config.region,
    endpoint: config.endpoint,
    forcePathStyle: config.forcePathStyle,
    credentials: {
      accessKeyId: config.accessKeyId,
      secretAccessKey: config.secretAccessKey,
    },
  })
 }
 export async function storeUploadToS3(params: StoreS3UploadParams): Promise<StoredUpload> {
  const config = resolveS3Config()
  const client = createS3Client(config)
  const storageKey = buildMediaStorageKey({
    tenantId: params.tenantId,
    assetId: params.assetId,
    fileRole: params.fileRole,
    variant: params.variant,
    fileName: params.file.name,
  })
  const payload = new Uint8Array(await params.file.arrayBuffer())
  await client.send(
    new PutObjectCommand({
      Bucket: config.bucket,
      Key: storageKey,
      Body: payload,
      ContentType: params.file.type || undefined,
      ContentLength: params.file.size,
      CacheControl: "public, max-age=31536000, immutable",
    }),
  )
  return { storageKey }
 }
 export async function deleteS3Object(storageKey: string): Promise<boolean> {
  const config = resolveS3Config()
  const client = createS3Client(config)
  await client.send(
    new DeleteObjectCommand({
      Bucket: config.bucket,
      Key: storageKey,
    }),
  )
  return true
 }
--- a/apps/admin/src/lib/media/storage-key.test.ts
+++ b/apps/admin/src/lib/media/storage-key.test.ts
@@ -0,0 +1,19 @@
 import { describe, expect, it } from "vitest"
 import { buildMediaStorageKey } from "@/lib/media/storage-key"
 describe("buildMediaStorageKey", () => {
  it("builds asset-centric key with fileRole and variant", () => {
    const key = buildMediaStorageKey({
      tenantId: "default",
      assetId: "550e8400-e29b-41d4-a716-446655440000",
      fileRole: "original",
      variant: "thumb",
      fileName: "My File.PNG",
    })
    expect(key).toBe(
      "tenant/default/asset/550e8400-e29b-41d4-a716-446655440000/original/550e8400-e29b-41d4-a716-446655440000__thumb.png",
    )
  })
 })
--- a/apps/admin/src/lib/media/storage-key.ts
+++ b/apps/admin/src/lib/media/storage-key.ts
@@ -0,0 +1,49 @@
 import path from "node:path"
 const FALLBACK_EXTENSION = "bin"
 const DEFAULT_VARIANT = "original"
 type BuildMediaStorageKeyParams = {
  tenantId: string
  assetId: string
  fileRole: string
  variant?: string
  fileName: string
 }
 function normalizeSegment(value: string): string {
  return value
    .toLowerCase()
    .replace(/[^a-z0-9._-]+/g, "-")
    .replace(/^-+|-+$/g, "")
 }
 function extensionFromFilename(fileName: string): string {
  const extension = path.extname(fileName).slice(1)
  if (!extension) {
    return FALLBACK_EXTENSION
  }
  const normalized = normalizeSegment(extension)
  return normalized.length > 0 ? normalized : FALLBACK_EXTENSION
 }
 export function buildMediaStorageKey(params: BuildMediaStorageKeyParams): string {
  const normalizedTenantId = normalizeSegment(params.tenantId) || "default"
  const normalizedAssetId = normalizeSegment(params.assetId)
  const normalizedFileRole = normalizeSegment(params.fileRole) || "original"
  const normalizedVariant = normalizeSegment(params.variant ?? DEFAULT_VARIANT) || DEFAULT_VARIANT
  const extension = extensionFromFilename(params.fileName)
  const fileName = `${normalizedAssetId}__${normalizedVariant}.${extension}`
  return [
    "tenant",
    normalizedTenantId,
    "asset",
    normalizedAssetId,
    normalizedFileRole,
    fileName,
  ].join("/")
 }
--- a/apps/admin/src/lib/media/storage.test.ts
+++ b/apps/admin/src/lib/media/storage.test.ts
@@ -0,0 +1,23 @@
 import { describe, expect, it } from "vitest"
 import { resolveMediaStorageProvider } from "@/lib/media/storage"
 describe("resolveMediaStorageProvider", () => {
  it("defaults to s3 when unset", () => {
    expect(resolveMediaStorageProvider(undefined)).toBe("s3")
  })
  it("resolves s3", () => {
    expect(resolveMediaStorageProvider("s3")).toBe("s3")
    expect(resolveMediaStorageProvider("S3")).toBe("s3")
  })
  it("resolves local explicitly", () => {
    expect(resolveMediaStorageProvider("local")).toBe("local")
    expect(resolveMediaStorageProvider("LOCAL")).toBe("local")
  })
  it("falls back to s3 for unknown values", () => {
    expect(resolveMediaStorageProvider("foo")).toBe("s3")
  })
 })
--- a/apps/admin/src/lib/media/storage.ts
+++ b/apps/admin/src/lib/media/storage.ts
@@ -0,0 +1,149 @@
 import { deleteLocalStorageObject, storeUploadLocally } from "@/lib/media/local-storage"
 import { deleteS3Object, storeUploadToS3 } from "@/lib/media/s3-storage"
 export type MediaStorageProvider = "local" | "s3"
 type StoreUploadParams = {
  file: File
  assetId: string
  variant: string
  fileRole: string
 }
 type StoredUpload = {
  storageKey: string
  provider: MediaStorageProvider
  fallbackReason?: string
 }
 type S3LikeError = {
  name?: unknown
  message?: unknown
  Code?: unknown
  code?: unknown
  $metadata?: {
    httpStatusCode?: unknown
    requestId?: unknown
  }
 }
 function resolveTenantId(): string {
  return process.env.CMS_MEDIA_STORAGE_TENANT_ID?.trim() || "default"
 }
 function describeS3Error(error: unknown): string {
  if (!error || typeof error !== "object") {
    return "Unknown S3 error"
  }
  const err = error as S3LikeError
  const details: string[] = []
  if (typeof err.name === "string" && err.name.length > 0) {
    details.push(`name=${err.name}`)
  }
  if (typeof err.message === "string" && err.message.length > 0) {
    details.push(`message=${err.message}`)
  }
  if (typeof err.Code === "string" && err.Code.length > 0) {
    details.push(`code=${err.Code}`)
  } else if (typeof err.code === "string" && err.code.length > 0) {
    details.push(`code=${err.code}`)
  }
  const status = err.$metadata?.httpStatusCode
  if (typeof status === "number") {
    details.push(`status=${status}`)
  }
  const requestId = err.$metadata?.requestId
  if (typeof requestId === "string" && requestId.length > 0) {
    details.push(`requestId=${requestId}`)
  }
  return details.length > 0 ? details.join(", ") : "Unknown S3 error"
 }
 export function resolveMediaStorageProvider(raw: string | undefined): MediaStorageProvider {
  if (raw?.toLowerCase() === "local") {
    return "local"
  }
  return "s3"
 }
 export async function storeUpload(params: StoreUploadParams): Promise<StoredUpload> {
  const provider = resolveMediaStorageProvider(process.env.CMS_MEDIA_STORAGE_PROVIDER)
  const tenantId = resolveTenantId()
  if (provider === "s3") {
    try {
      const stored = await storeUploadToS3({
        file: params.file,
        tenantId,
        assetId: params.assetId,
        fileRole: params.fileRole,
        variant: params.variant,
      })
      return {
        ...stored,
        provider,
      }
    } catch (error) {
      const detail = describeS3Error(error)
      const fallbackStored = await storeUploadLocally({
        file: params.file,
        tenantId,
        assetId: params.assetId,
        fileRole: params.fileRole,
        variant: params.variant,
      })
      return {
        ...fallbackStored,
        provider: "local",
        fallbackReason: `S3 upload failed; file stored locally instead. ${detail}`,
      }
    }
  }
  const stored = await storeUploadLocally({
    file: params.file,
    tenantId,
    assetId: params.assetId,
    fileRole: params.fileRole,
    variant: params.variant,
  })
  return {
    ...stored,
    provider,
  }
 }
 export async function deleteStoredMediaObject(storageKey: string): Promise<void> {
  const preferred = resolveMediaStorageProvider(process.env.CMS_MEDIA_STORAGE_PROVIDER)
  const deleteOperations =
    preferred === "s3"
      ? [() => deleteS3Object(storageKey), () => deleteLocalStorageObject(storageKey)]
      : [() => deleteLocalStorageObject(storageKey), () => deleteS3Object(storageKey)]
  const errors: string[] = []
  for (const performDelete of deleteOperations) {
    try {
      const deleted = await performDelete()
      if (deleted) {
        return
      }
    } catch (error) {
      const detail = describeS3Error(error)
      errors.push(detail)
    }
  }
  if (errors.length > 0) {
    throw new Error(`Storage object deletion failed for key "${storageKey}": ${errors.join(" | ")}`)
  }
 }
--- a/apps/admin/src/lib/route-guards.ts
+++ b/apps/admin/src/lib/route-guards.ts
@@ -0,0 +1,30 @@
 import { hasPermission, type Permission, type PermissionScope, type Role } from "@cms/content/rbac"
 import { redirect } from "next/navigation"
 import { resolveRoleFromServerContext } from "@/lib/access-server"
 type RequirePermissionParams = {
  nextPath: string
  permission: Permission
  scope: PermissionScope
 }
 export async function requireRoleForRoute(nextPath: string): Promise<Role> {
  const role = await resolveRoleFromServerContext()
  if (!role) {
    redirect(`/login?next=${encodeURIComponent(nextPath)}`)
  }
  return role
 }
 export async function requirePermissionForRoute(params: RequirePermissionParams): Promise<Role> {
  const role = await requireRoleForRoute(params.nextPath)
  if (!hasPermission(role, params.permission, params.scope)) {
    redirect(`/unauthorized?required=${params.permission}&scope=${params.scope}`)
  }
  return role
 }
--- a/apps/admin/src/messages/de.json
+++ b/apps/admin/src/messages/de.json
@@ -0,0 +1,132 @@
 {
  "common": {
    "language": "Sprache",
    "localeNames": {
      "de": "Deutsch",
      "en": "Englisch",
      "es": "Spanisch",
      "fr": "Französisch"
    }
  },
  "auth": {
    "badge": "Admin-Authentifizierung",
    "titles": {
      "signIn": "Bei CMS Admin anmelden",
      "signUpOwner": "Willkommen bei CMS Admin",
      "signUpUser": "Admin-Konto erstellen",
      "signUpDisabled": "Registrierung ist deaktiviert"
    },
    "descriptions": {
      "signIn": "Better Auth ist in dieser App über /api/auth aktiv.",
      "signUpOwner": "Erstelle das erste Owner-Konto, um diese Admin-Instanz zu initialisieren.",
      "signUpUser": "Selbstregistrierung für Admin-Benutzer ist aktiviert.",
      "signUpDisabled": "Selbstregistrierung wurde von einer Administratorin oder einem Administrator deaktiviert."
    },
    "fields": {
      "name": "Name",
      "emailOrUsername": "E-Mail oder Benutzername",
      "email": "E-Mail",
      "username": "Benutzername (optional)",
      "password": "Passwort"
    },
    "actions": {
      "signInIdle": "Anmelden",
      "signInBusy": "Anmeldung läuft...",
      "signUpOwnerIdle": "Owner-Konto erstellen",
      "signUpUserIdle": "Konto erstellen",
      "signUpBusy": "Konto wird erstellt..."
    },
    "links": {
      "needAccount": "Du brauchst ein Konto?",
      "register": "Registrieren",
      "alreadyHaveAccount": "Du hast bereits ein Konto?",
      "goToSignIn": "Zur Anmeldung"
    },
    "messages": {
      "ownerCreated": "Owner-Konto erstellt. Registrierung ist jetzt deaktiviert.",
      "accountCreated": "Konto erstellt.",
      "registrationDisabled": "Für diese Admin-Instanz ist die Registrierung deaktiviert. Bitte wende dich an eine Administratorin oder einen Administrator."
    },
    "errors": {
      "nameRequired": "Name ist für die Kontoerstellung erforderlich",
      "signInFailed": "Anmeldung fehlgeschlagen",
      "signUpFailed": "Registrierung fehlgeschlagen",
      "networkSignIn": "Netzwerkfehler bei der Anmeldung",
      "networkSignUp": "Netzwerkfehler bei der Registrierung"
    }
  },
  "settings": {
    "badge": "Admin-Einstellungen",
    "title": "Einstellungen",
    "description": "Verwalte Laufzeitrichtlinien für Authentifizierung und Onboarding im Admin-Bereich.",
    "actions": {
      "backToDashboard": "Zurück zum Dashboard"
    },
    "registration": {
      "title": "Admin-Selbstregistrierung",
      "description": "Wenn aktiviert, können über /register nach der initialen Owner-Erstellung weitere Admin-Konten erstellt werden.",
      "currentStatusLabel": "Aktueller Status",
      "status": {
        "enabled": "Aktiviert",
        "disabled": "Deaktiviert"
      },
      "checkboxLabel": "Selbstregistrierung auf /register für Admin-Benutzer erlauben",
      "actions": {
        "save": "Registrierungsrichtlinie speichern"
      },
      "success": {
        "updated": "Registrierungsrichtlinie aktualisiert."
      },
      "errors": {
        "updateFailed": "Speichern der Einstellungen fehlgeschlagen. Stelle sicher, dass Datenbankmigrationen angewendet wurden."
      }
    }
  },
  "dashboard": {
    "badge": "Admin-App",
    "title": "Content-Dashboard",
    "description": "Verwalte Beiträge in einer dedizierten Admin-Oberfläche.",
    "actions": {
      "openRoadmap": "Roadmap und Fortschritt öffnen"
    },
    "notices": {
      "noCrudPermission": "Du kannst Beiträge lesen, aber deine Rolle darf keine Beiträge erstellen/ändern/löschen.",
      "crudSandboxTag": "MVP0 Funktionstest"
    },
    "posts": {
      "title": "Beiträge CRUD-Sandbox",
      "createTitle": "Beitrag erstellen",
      "fields": {
        "title": "Titel",
        "slug": "Slug",
        "excerpt": "Auszug",
        "body": "Inhalt",
        "status": "Status"
      },
      "status": {
        "draft": "Entwurf",
        "published": "Veröffentlicht"
      },
      "actions": {
        "create": "Beitrag erstellen",
        "save": "Änderungen speichern",
        "delete": "Löschen"
      },
      "errors": {
        "createFailed": "Erstellen fehlgeschlagen. Bitte Eingaben prüfen.",
        "updateFailed": "Aktualisierung fehlgeschlagen. Bitte Eingaben prüfen.",
        "updateMissingId": "Aktualisierung fehlgeschlagen. Beitrags-ID fehlt.",
        "deleteFailed": "Löschen fehlgeschlagen.",
        "deleteMissingId": "Löschen fehlgeschlagen. Beitrags-ID fehlt."
      },
      "success": {
        "created": "Beitrag erstellt.",
        "updated": "Beitrag aktualisiert.",
        "deleted": "Beitrag gelöscht."
      },
      "fallback": {
        "noExcerpt": "Kein Auszug"
      }
    }
  }
 }
--- a/apps/admin/src/messages/en.json
+++ b/apps/admin/src/messages/en.json
@@ -0,0 +1,132 @@
 {
  "common": {
    "language": "Language",
    "localeNames": {
      "de": "German",
      "en": "English",
      "es": "Spanish",
      "fr": "French"
    }
  },
  "auth": {
    "badge": "Admin Auth",
    "titles": {
      "signIn": "Sign in to CMS Admin",
      "signUpOwner": "Welcome to CMS Admin",
      "signUpUser": "Create an admin account",
      "signUpDisabled": "Registration is disabled"
    },
    "descriptions": {
      "signIn": "Better Auth is active on this app via /api/auth.",
      "signUpOwner": "Create the first owner account to initialize this admin instance.",
      "signUpUser": "Self-registration is enabled for admin users.",
      "signUpDisabled": "Self-registration is currently turned off by an administrator."
    },
    "fields": {
      "name": "Name",
      "emailOrUsername": "Email or username",
      "email": "Email",
      "username": "Username (optional)",
      "password": "Password"
    },
    "actions": {
      "signInIdle": "Sign in",
      "signInBusy": "Signing in...",
      "signUpOwnerIdle": "Create owner account",
      "signUpUserIdle": "Create account",
      "signUpBusy": "Creating account..."
    },
    "links": {
      "needAccount": "Need an account?",
      "register": "Register",
      "alreadyHaveAccount": "Already have an account?",
      "goToSignIn": "Go to sign in"
    },
    "messages": {
      "ownerCreated": "Owner account created. Registration is now disabled.",
      "accountCreated": "Account created.",
      "registrationDisabled": "Registration is disabled for this admin instance. Ask an administrator to create an account or enable self-registration."
    },
    "errors": {
      "nameRequired": "Name is required for account creation",
      "signInFailed": "Sign in failed",
      "signUpFailed": "Sign up failed",
      "networkSignIn": "Network error while signing in",
      "networkSignUp": "Network error while signing up"
    }
  },
  "settings": {
    "badge": "Admin Settings",
    "title": "Settings",
    "description": "Manage runtime policies for the admin authentication and onboarding flow.",
    "actions": {
      "backToDashboard": "Back to dashboard"
    },
    "registration": {
      "title": "Admin self-registration",
      "description": "When enabled, /register can create additional admin accounts after initial owner bootstrap.",
      "currentStatusLabel": "Current status",
      "status": {
        "enabled": "Enabled",
        "disabled": "Disabled"
      },
      "checkboxLabel": "Allow self-registration on /register for admin users",
      "actions": {
        "save": "Save registration policy"
      },
      "success": {
        "updated": "Registration policy updated."
      },
      "errors": {
        "updateFailed": "Saving settings failed. Ensure database migrations are applied."
      }
    }
  },
  "dashboard": {
    "badge": "Admin App",
    "title": "Content Dashboard",
    "description": "Manage posts from a dedicated admin surface.",
    "actions": {
      "openRoadmap": "Open roadmap and progress"
    },
    "notices": {
      "noCrudPermission": "You can read posts, but your role cannot create/update/delete posts.",
      "crudSandboxTag": "MVP0 functional test"
    },
    "posts": {
      "title": "Posts CRUD Sandbox",
      "createTitle": "Create post",
      "fields": {
        "title": "Title",
        "slug": "Slug",
        "excerpt": "Excerpt",
        "body": "Body",
        "status": "Status"
      },
      "status": {
        "draft": "Draft",
        "published": "Published"
      },
      "actions": {
        "create": "Create post",
        "save": "Save changes",
        "delete": "Delete"
      },
      "errors": {
        "createFailed": "Create failed. Please check your input.",
        "updateFailed": "Update failed. Please check your input.",
        "updateMissingId": "Update failed. Missing post id.",
        "deleteFailed": "Delete failed.",
        "deleteMissingId": "Delete failed. Missing post id."
      },
      "success": {
        "created": "Post created.",
        "updated": "Post updated.",
        "deleted": "Post deleted."
      },
      "fallback": {
        "noExcerpt": "No excerpt"
      }
    }
  }
 }
--- a/apps/admin/src/messages/es.json
+++ b/apps/admin/src/messages/es.json
@@ -0,0 +1,132 @@
 {
  "common": {
    "language": "Idioma",
    "localeNames": {
      "de": "Alemán",
      "en": "Inglés",
      "es": "Español",
      "fr": "Francés"
    }
  },
  "auth": {
    "badge": "Autenticación de Admin",
    "titles": {
      "signIn": "Iniciar sesión en CMS Admin",
      "signUpOwner": "Bienvenido a CMS Admin",
      "signUpUser": "Crear una cuenta de admin",
      "signUpDisabled": "El registro está deshabilitado"
    },
    "descriptions": {
      "signIn": "Better Auth está activo en esta app mediante /api/auth.",
      "signUpOwner": "Crea la primera cuenta owner para inicializar esta instancia de administración.",
      "signUpUser": "El registro automático está habilitado para usuarios admin.",
      "signUpDisabled": "El auto-registro está desactivado actualmente por un administrador."
    },
    "fields": {
      "name": "Nombre",
      "emailOrUsername": "Correo o nombre de usuario",
      "email": "Correo",
      "username": "Nombre de usuario (opcional)",
      "password": "Contraseña"
    },
    "actions": {
      "signInIdle": "Iniciar sesión",
      "signInBusy": "Iniciando sesión...",
      "signUpOwnerIdle": "Crear cuenta owner",
      "signUpUserIdle": "Crear cuenta",
      "signUpBusy": "Creando cuenta..."
    },
    "links": {
      "needAccount": "¿Necesitas una cuenta?",
      "register": "Registrarse",
      "alreadyHaveAccount": "¿Ya tienes una cuenta?",
      "goToSignIn": "Ir a iniciar sesión"
    },
    "messages": {
      "ownerCreated": "Cuenta owner creada. El registro ahora está deshabilitado.",
      "accountCreated": "Cuenta creada.",
      "registrationDisabled": "El registro está deshabilitado para esta instancia de administración. Pide a un administrador que cree una cuenta o habilite el auto-registro."
    },
    "errors": {
      "nameRequired": "El nombre es obligatorio para crear la cuenta",
      "signInFailed": "Error al iniciar sesión",
      "signUpFailed": "Error al registrarse",
      "networkSignIn": "Error de red al iniciar sesión",
      "networkSignUp": "Error de red al registrarse"
    }
  },
  "settings": {
    "badge": "Ajustes de Admin",
    "title": "Ajustes",
    "description": "Gestiona políticas de ejecución para autenticación y onboarding del panel admin.",
    "actions": {
      "backToDashboard": "Volver al panel"
    },
    "registration": {
      "title": "Auto-registro de admin",
      "description": "Cuando está habilitado, /register puede crear cuentas admin adicionales después del bootstrap inicial del owner.",
      "currentStatusLabel": "Estado actual",
      "status": {
        "enabled": "Habilitado",
        "disabled": "Deshabilitado"
      },
      "checkboxLabel": "Permitir auto-registro en /register para usuarios admin",
      "actions": {
        "save": "Guardar política de registro"
      },
      "success": {
        "updated": "Política de registro actualizada."
      },
      "errors": {
        "updateFailed": "No se pudieron guardar los ajustes. Asegúrate de que las migraciones de base de datos estén aplicadas."
      }
    }
  },
  "dashboard": {
    "badge": "App Admin",
    "title": "Panel de Contenido",
    "description": "Gestiona publicaciones desde una superficie de administración dedicada.",
    "actions": {
      "openRoadmap": "Abrir hoja de ruta y progreso"
    },
    "notices": {
      "noCrudPermission": "Puedes leer publicaciones, pero tu rol no puede crear/editar/eliminar publicaciones.",
      "crudSandboxTag": "Prueba funcional MVP0"
    },
    "posts": {
      "title": "Sandbox CRUD de Publicaciones",
      "createTitle": "Crear publicación",
      "fields": {
        "title": "Título",
        "slug": "Slug",
        "excerpt": "Extracto",
        "body": "Contenido",
        "status": "Estado"
      },
      "status": {
        "draft": "Borrador",
        "published": "Publicado"
      },
      "actions": {
        "create": "Crear publicación",
        "save": "Guardar cambios",
        "delete": "Eliminar"
      },
      "errors": {
        "createFailed": "Error al crear. Revisa tus datos.",
        "updateFailed": "Error al actualizar. Revisa tus datos.",
        "updateMissingId": "Error al actualizar. Falta el id de la publicación.",
        "deleteFailed": "Error al eliminar.",
        "deleteMissingId": "Error al eliminar. Falta el id de la publicación."
      },
      "success": {
        "created": "Publicación creada.",
        "updated": "Publicación actualizada.",
        "deleted": "Publicación eliminada."
      },
      "fallback": {
        "noExcerpt": "Sin extracto"
      }
    }
  }
 }
--- a/apps/admin/src/messages/fr.json
+++ b/apps/admin/src/messages/fr.json
@@ -0,0 +1,132 @@
 {
  "common": {
    "language": "Langue",
    "localeNames": {
      "de": "Allemand",
      "en": "Anglais",
      "es": "Espagnol",
      "fr": "Français"
    }
  },
  "auth": {
    "badge": "Authentification Admin",
    "titles": {
      "signIn": "Se connecter à CMS Admin",
      "signUpOwner": "Bienvenue sur CMS Admin",
      "signUpUser": "Créer un compte admin",
      "signUpDisabled": "L’inscription est désactivée"
    },
    "descriptions": {
      "signIn": "Better Auth est actif sur cette application via /api/auth.",
      "signUpOwner": "Créez le premier compte owner pour initialiser cette instance d’administration.",
      "signUpUser": "L’auto-inscription est activée pour les utilisateurs admin.",
      "signUpDisabled": "L’auto-inscription est actuellement désactivée par un administrateur."
    },
    "fields": {
      "name": "Nom",
      "emailOrUsername": "E-mail ou nom d’utilisateur",
      "email": "E-mail",
      "username": "Nom d’utilisateur (optionnel)",
      "password": "Mot de passe"
    },
    "actions": {
      "signInIdle": "Se connecter",
      "signInBusy": "Connexion en cours...",
      "signUpOwnerIdle": "Créer le compte owner",
      "signUpUserIdle": "Créer un compte",
      "signUpBusy": "Création du compte..."
    },
    "links": {
      "needAccount": "Besoin d’un compte ?",
      "register": "S’inscrire",
      "alreadyHaveAccount": "Vous avez déjà un compte ?",
      "goToSignIn": "Aller à la connexion"
    },
    "messages": {
      "ownerCreated": "Compte owner créé. L’inscription est maintenant désactivée.",
      "accountCreated": "Compte créé.",
      "registrationDisabled": "L’inscription est désactivée pour cette instance admin. Demandez à un administrateur de créer un compte ou de réactiver l’auto-inscription."
    },
    "errors": {
      "nameRequired": "Le nom est requis pour créer un compte",
      "signInFailed": "Échec de la connexion",
      "signUpFailed": "Échec de l’inscription",
      "networkSignIn": "Erreur réseau lors de la connexion",
      "networkSignUp": "Erreur réseau lors de l’inscription"
    }
  },
  "settings": {
    "badge": "Paramètres Admin",
    "title": "Paramètres",
    "description": "Gérez les politiques d’exécution pour l’authentification et l’onboarding de l’admin.",
    "actions": {
      "backToDashboard": "Retour au tableau de bord"
    },
    "registration": {
      "title": "Auto-inscription admin",
      "description": "Lorsqu’elle est activée, /register peut créer des comptes admin supplémentaires après l’initialisation du premier owner.",
      "currentStatusLabel": "Statut actuel",
      "status": {
        "enabled": "Activé",
        "disabled": "Désactivé"
      },
      "checkboxLabel": "Autoriser l’auto-inscription sur /register pour les utilisateurs admin",
      "actions": {
        "save": "Enregistrer la politique d’inscription"
      },
      "success": {
        "updated": "Politique d’inscription mise à jour."
      },
      "errors": {
        "updateFailed": "Échec de l’enregistrement des paramètres. Vérifiez que les migrations de base de données sont appliquées."
      }
    }
  },
  "dashboard": {
    "badge": "Application Admin",
    "title": "Tableau de bord contenu",
    "description": "Gérez les publications depuis une surface d’administration dédiée.",
    "actions": {
      "openRoadmap": "Ouvrir la feuille de route et la progression"
    },
    "notices": {
      "noCrudPermission": "Vous pouvez lire les publications, mais votre rôle ne peut pas créer/modifier/supprimer des publications.",
      "crudSandboxTag": "Test fonctionnel MVP0"
    },
    "posts": {
      "title": "Sandbox CRUD des publications",
      "createTitle": "Créer une publication",
      "fields": {
        "title": "Titre",
        "slug": "Slug",
        "excerpt": "Extrait",
        "body": "Contenu",
        "status": "Statut"
      },
      "status": {
        "draft": "Brouillon",
        "published": "Publié"
      },
      "actions": {
        "create": "Créer une publication",
        "save": "Enregistrer les modifications",
        "delete": "Supprimer"
      },
      "errors": {
        "createFailed": "Échec de la création. Vérifiez vos données.",
        "updateFailed": "Échec de la mise à jour. Vérifiez vos données.",
        "updateMissingId": "Échec de la mise à jour. ID de publication manquant.",
        "deleteFailed": "Échec de la suppression.",
        "deleteMissingId": "Échec de la suppression. ID de publication manquant."
      },
      "success": {
        "created": "Publication créée.",
        "updated": "Publication mise à jour.",
        "deleted": "Publication supprimée."
      },
      "fallback": {
        "noExcerpt": "Aucun extrait"
      }
    }
  }
 }
--- a/apps/admin/src/providers/admin-i18n-provider.tsx
+++ b/apps/admin/src/providers/admin-i18n-provider.tsx
@@ -0,0 +1,53 @@
 "use client"
 import type { AppLocale } from "@cms/i18n"
 import { createContext, type ReactNode, useContext, useMemo } from "react"
 import type { AdminMessages } from "@/i18n/messages"
 import { translateMessage } from "@/i18n/messages"
 type AdminI18nContextValue = {
  locale: AppLocale
  messages: AdminMessages
 }
 const AdminI18nContext = createContext<AdminI18nContextValue | null>(null)
 export function AdminI18nProvider({
  locale,
  messages,
  children,
 }: {
  locale: AppLocale
  messages: AdminMessages
  children: ReactNode
 }) {
  const value = useMemo(
    () => ({
      locale,
      messages,
    }),
    [locale, messages],
  )
  return <AdminI18nContext.Provider value={value}>{children}</AdminI18nContext.Provider>
 }
 export function useAdminI18n(): AdminI18nContextValue {
  const context = useContext(AdminI18nContext)
  if (!context) {
    throw new Error("useAdminI18n must be used inside AdminI18nProvider")
  }
  return context
 }
 export function useAdminT() {
  const { messages } = useAdminI18n()
  return useMemo(
    () => (key: string, fallback?: string) => translateMessage(messages, key, fallback),
    [messages],
  )
 }
--- a/apps/admin/src/proxy.ts
+++ b/apps/admin/src/proxy.ts
@@ -0,0 +1,46 @@
 import { type NextRequest, NextResponse } from "next/server"
 import {
  canAccessRoute,
  getRequiredPermission,
  isPublicRoute,
  resolveRoleFromRequest,
 } from "@/lib/access"
 export function proxy(request: NextRequest) {
  const { pathname } = request.nextUrl
  if (isPublicRoute(pathname)) {
    return NextResponse.next()
  }
  const role = resolveRoleFromRequest(request)
  if (!role) {
    const loginUrl = request.nextUrl.clone()
    loginUrl.pathname = "/login"
    loginUrl.searchParams.set("next", pathname)
    return NextResponse.redirect(loginUrl)
  }
  if (!canAccessRoute(role, pathname)) {
    const unauthorizedUrl = request.nextUrl.clone()
    unauthorizedUrl.pathname = "/unauthorized"
    const required = getRequiredPermission(pathname)
    unauthorizedUrl.searchParams.set("required", required.permission)
    unauthorizedUrl.searchParams.set("scope", required.scope)
    return NextResponse.redirect(unauthorizedUrl)
  }
  const response = NextResponse.next()
  response.headers.set("x-cms-role", role)
  return response
 }
 export const config = {
  matcher: ["/((?!_next/static|_next/image|favicon.ico).*)"],
 }
--- a/apps/web/next.config.ts
+++ b/apps/web/next.config.ts
@@ -1,7 +1,10 @@
 import type { NextConfig } from "next"
 import createNextIntlPlugin from "next-intl/plugin"
 const withNextIntl = createNextIntlPlugin("./src/i18n/request.ts")
 const nextConfig: NextConfig = {
-  transpilePackages: ["@cms/ui", "@cms/content", "@cms/db"],
+  transpilePackages: ["@cms/ui", "@cms/content", "@cms/db", "@cms/i18n"],
 }
-export default nextConfig
+export default withNextIntl(nextConfig)
--- a/apps/web/package.json
+++ b/apps/web/package.json
@@ -13,22 +13,24 @@
  "dependencies": {
    "@cms/content": "workspace:*",
    "@cms/db": "workspace:*",
    "@cms/i18n": "workspace:*",
    "@cms/ui": "workspace:*",
-    "@tanstack/react-query": "latest",
+    "@tanstack/react-query": "5.90.20",
-    "@tanstack/react-query-devtools": "latest",
+    "@tanstack/react-query-devtools": "5.91.3",
-    "next": "latest",
+    "next": "16.1.6",
-    "react": "latest",
+    "next-intl": "4.4.0",
-    "react-dom": "latest",
+    "react": "19.2.4",
-    "zustand": "latest"
+    "react-dom": "19.2.4",
    "zustand": "5.0.11"
  },
  "devDependencies": {
    "@cms/config": "workspace:*",
-    "@biomejs/biome": "latest",
+    "@biomejs/biome": "2.3.14",
-    "@tailwindcss/postcss": "latest",
+    "@tailwindcss/postcss": "4.1.18",
-    "@types/node": "latest",
+    "@types/node": "25.2.2",
-    "@types/react": "latest",
+    "@types/react": "19.2.13",
-    "@types/react-dom": "latest",
+    "@types/react-dom": "19.2.3",
-    "tailwindcss": "latest",
+    "tailwindcss": "4.1.18",
-    "typescript": "latest"
+    "typescript": "5.9.3"
  }
 }
--- a/apps/web/src/app/[locale]/about/page.tsx
+++ b/apps/web/src/app/[locale]/about/page.tsx
@@ -0,0 +1,13 @@
 import { getTranslations } from "next-intl/server"
 export default async function AboutPage() {
  const t = await getTranslations("About")
  return (
    <section className="mx-auto w-full max-w-6xl space-y-4 px-6 py-16">
      <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">{t("badge")}</p>
      <h1 className="text-4xl font-semibold tracking-tight">{t("title")}</h1>
      <p className="max-w-3xl text-neutral-600">{t("description")}</p>
    </section>
  )
 }
--- a/apps/web/src/app/[locale]/contact/page.tsx
+++ b/apps/web/src/app/[locale]/contact/page.tsx
@@ -0,0 +1,13 @@
 import { getTranslations } from "next-intl/server"
 export default async function ContactPage() {
  const t = await getTranslations("Contact")
  return (
    <section className="mx-auto w-full max-w-6xl space-y-4 px-6 py-16">
      <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">{t("badge")}</p>
      <h1 className="text-4xl font-semibold tracking-tight">{t("title")}</h1>
      <p className="max-w-3xl text-neutral-600">{t("description")}</p>
    </section>
  )
 }
--- a/apps/web/src/app/[locale]/layout.tsx
+++ b/apps/web/src/app/[locale]/layout.tsx
@@ -0,0 +1,61 @@
 import { getPublicHeaderBanner } from "@cms/db"
 import { notFound } from "next/navigation"
 import { hasLocale, NextIntlClientProvider } from "next-intl"
 import { getTranslations } from "next-intl/server"
 import type { ReactNode } from "react"
 import { PublicHeaderBanner } from "@/components/public-header-banner"
 import { PublicSiteFooter } from "@/components/public-site-footer"
 import { PublicSiteHeader } from "@/components/public-site-header"
 import { routing } from "@/i18n/routing"
 import { Providers } from "../providers"
 type LocaleLayoutProps = {
  children: ReactNode
  params: Promise<{
    locale: string
  }>
 }
 export async function generateMetadata({ params }: LocaleLayoutProps) {
  const { locale } = await params
  if (!hasLocale(routing.locales, locale)) {
    return {}
  }
  const t = await getTranslations({
    locale,
    namespace: "Seo",
  })
  return {
    title: t("title"),
    description: t("description"),
    openGraph: {
      title: t("title"),
      description: t("description"),
    },
  }
 }
 export default async function LocaleLayout({ children, params }: LocaleLayoutProps) {
  const { locale } = await params
  if (!hasLocale(routing.locales, locale)) {
    notFound()
  }
  const banner = await getPublicHeaderBanner()
  return (
    <NextIntlClientProvider locale={locale}>
      <Providers>
        <PublicHeaderBanner banner={banner} />
        <PublicSiteHeader />
        <main>{children}</main>
        <PublicSiteFooter />
      </Providers>
    </NextIntlClientProvider>
  )
 }
--- a/apps/web/src/app/[locale]/page.tsx
+++ b/apps/web/src/app/[locale]/page.tsx
@@ -1,25 +1,24 @@
 import { listPosts } from "@cms/db"
 import { Button } from "@cms/ui/button"
 import { getTranslations } from "next-intl/server"
 export const dynamic = "force-dynamic"
 export default async function HomePage() {
-  const posts = await listPosts()
+  const [posts, t] = await Promise.all([listPosts(), getTranslations("Home")])
  return (
-    <main className="mx-auto flex min-h-screen w-full max-w-3xl flex-col gap-6 px-6 py-16">
+    <section className="mx-auto flex w-full max-w-6xl flex-col gap-6 px-6 py-16">
      <header className="space-y-3">
-        <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">Web App</p>
+        <p className="text-sm uppercase tracking-[0.2em] text-neutral-500">{t("badge")}</p>
-        <h1 className="text-4xl font-semibold tracking-tight">Your Next.js CMS Frontend</h1>
+        <h1 className="text-4xl font-semibold tracking-tight">{t("title")}</h1>
-        <p className="text-neutral-600">
+        <p className="text-neutral-600">{t("description")}</p>
          This page reads posts through the shared database package.
        </p>
      </header>
      <section className="space-y-4 rounded-xl border border-neutral-200 p-6">
        <div className="flex items-center justify-between">
-          <h2 className="text-xl font-medium">Latest posts</h2>
+          <h2 className="text-xl font-medium">{t("latestPosts")}</h2>
-          <Button variant="secondary">Explore</Button>
+          <Button variant="secondary">{t("explore")}</Button>
        </div>
        <ul className="space-y-3">
@@ -27,11 +26,11 @@ export default async function HomePage() {
            <li key={post.id} className="rounded-lg border border-neutral-200 p-4">
              <p className="text-xs uppercase tracking-wide text-neutral-500">{post.status}</p>
              <h3 className="mt-1 text-lg font-medium">{post.title}</h3>
-              <p className="mt-2 text-sm text-neutral-600">{post.excerpt ?? "No excerpt"}</p>
+              <p className="mt-2 text-sm text-neutral-600">{post.excerpt ?? t("noExcerpt")}</p>
            </li>
          ))}
        </ul>
      </section>
-    </main>
+    </section>
  )
 }
--- a/apps/web/src/app/layout.tsx
+++ b/apps/web/src/app/layout.tsx
@@ -2,19 +2,37 @@ import type { Metadata } from "next"
 import type { ReactNode } from "react"
 import "./globals.css"
-import { Providers } from "./providers"
+
 const metadataBase = new URL(process.env.CMS_WEB_ORIGIN ?? "http://localhost:3000")
 export const metadata: Metadata = {
-  title: "CMS Web",
+  metadataBase,
  title: {
    default: "CMS Web",
    template: "%s | CMS Web",
  },
  description: "Public frontend for the CMS monorepo",
  applicationName: "CMS Web",
  openGraph: {
    type: "website",
    siteName: "CMS Web",
    title: "CMS Web",
    description: "Public frontend for the CMS monorepo",
    url: metadataBase,
  },
  alternates: {
    canonical: "/",
  },
  robots: {
    index: true,
    follow: true,
  },
 }
 export default function RootLayout({ children }: { children: ReactNode }) {
  return (
    <html lang="en">
-      <body>
+      <body>{children}</body>
        <Providers>{children}</Providers>
      </body>
    </html>
  )
 }
--- a/apps/web/src/app/robots.ts
+++ b/apps/web/src/app/robots.ts
@@ -0,0 +1,13 @@
 import type { MetadataRoute } from "next"
 const baseUrl = process.env.CMS_WEB_ORIGIN ?? "http://localhost:3000"
 export default function robots(): MetadataRoute.Robots {
  return {
    rules: {
      userAgent: "*",
      allow: "/",
    },
    sitemap: `${baseUrl}/sitemap.xml`,
  }
 }
--- a/apps/web/src/app/sitemap.ts
+++ b/apps/web/src/app/sitemap.ts
@@ -0,0 +1,14 @@
 import type { MetadataRoute } from "next"
 const baseUrl = process.env.CMS_WEB_ORIGIN ?? "http://localhost:3000"
 const publicRoutes = ["/", "/about", "/contact"]
 export default function sitemap(): MetadataRoute.Sitemap {
  const now = new Date()
  return publicRoutes.map((route) => ({
    url: `${baseUrl}${route}`,
    lastModified: now,
  }))
 }
--- a/apps/web/src/components/language-switcher.tsx
+++ b/apps/web/src/components/language-switcher.tsx
@@ -0,0 +1,50 @@
 "use client"
 import { type AppLocale, localeLabels, locales } from "@cms/i18n"
 import { useLocale, useTranslations } from "next-intl"
 import { useEffect, useTransition } from "react"
 import { usePathname, useRouter } from "@/i18n/navigation"
 import { useLocaleStore } from "@/store/locale"
 export function LanguageSwitcher() {
  const t = useTranslations("LanguageSwitcher")
  const currentLocale = useLocale() as AppLocale
  const pathname = usePathname()
  const router = useRouter()
  const [isPending, startTransition] = useTransition()
  const locale = useLocaleStore((state) => state.locale)
  const setLocale = useLocaleStore((state) => state.setLocale)
  useEffect(() => {
    if (locale !== currentLocale) {
      setLocale(currentLocale)
    }
  }, [currentLocale, locale, setLocale])
  return (
    <label className="inline-flex items-center gap-2 text-sm text-neutral-700">
      <span>{t("label")}</span>
      <select
        className="rounded-md border border-neutral-300 bg-white px-2 py-1 text-sm"
        value={locale}
        disabled={isPending}
        onChange={(event) => {
          const nextLocale = event.target.value as AppLocale
          setLocale(nextLocale)
          startTransition(() => {
            router.replace(pathname, { locale: nextLocale })
          })
        }}
      >
        {locales.map((value) => (
          <option key={value} value={value}>
            {t(`localeNames.${value}`)} ({localeLabels[value]})
          </option>
        ))}
      </select>
    </label>
  )
 }
--- a/apps/web/src/components/public-header-banner.tsx
+++ b/apps/web/src/components/public-header-banner.tsx
@@ -0,0 +1,25 @@
 import type { PublicHeaderBanner as PublicHeaderBannerData } from "@cms/db"
 import Link from "next/link"
 type PublicHeaderBannerProps = {
  banner: PublicHeaderBannerData | null
 }
 export function PublicHeaderBanner({ banner }: PublicHeaderBannerProps) {
  if (!banner) {
    return null
  }
  return (
    <div className="border-b border-amber-200 bg-amber-50">
      <div className="mx-auto flex w-full max-w-6xl flex-wrap items-center justify-between gap-3 px-6 py-2 text-sm text-amber-900">
        <p>{banner.message}</p>
        {banner.ctaLabel && banner.ctaHref ? (
          <Link href={banner.ctaHref} className="font-medium underline underline-offset-2">
            {banner.ctaLabel}
          </Link>
        ) : null}
      </div>
    </div>
  )
 }
--- a/apps/web/src/components/public-site-footer.tsx
+++ b/apps/web/src/components/public-site-footer.tsx
@@ -0,0 +1,27 @@
 "use client"
 import { useTranslations } from "next-intl"
 import { getBuildInfo } from "@/lib/build-info"
 export function PublicSiteFooter() {
  const t = useTranslations("Layout")
  const year = new Date().getFullYear()
  const buildInfo = getBuildInfo()
  return (
    <footer className="border-t border-neutral-200 bg-neutral-50">
      <div className="mx-auto flex w-full max-w-6xl flex-wrap items-center justify-between gap-2 px-6 py-4 text-sm text-neutral-600">
        <p>
          {t("footer.copyright", {
            year,
          })}
        </p>
        <p>{t("footer.tagline")}</p>
        <p className="font-mono text-xs text-neutral-500">
          Build v{buildInfo.version} +sha.{buildInfo.sha}
        </p>
      </div>
    </footer>
  )
 }
--- a/apps/web/src/components/public-site-header.tsx
+++ b/apps/web/src/components/public-site-header.tsx
@@ -0,0 +1,44 @@
 "use client"
 import { useTranslations } from "next-intl"
 import { Link } from "@/i18n/navigation"
 import { LanguageSwitcher } from "./language-switcher"
 export function PublicSiteHeader() {
  const t = useTranslations("Layout")
  const navItems = [
    { href: "/", label: t("nav.home") },
    { href: "/about", label: t("nav.about") },
    { href: "/contact", label: t("nav.contact") },
  ]
  return (
    <header className="border-b border-neutral-200 bg-white/80 backdrop-blur">
      <div className="mx-auto flex w-full max-w-6xl flex-wrap items-center justify-between gap-4 px-6 py-4">
        <Link
          href="/"
          className="text-sm font-semibold uppercase tracking-[0.2em] text-neutral-700"
        >
          {t("brand")}
        </Link>
        <nav className="flex flex-wrap items-center gap-2">
          {navItems.map((item) => (
            <Link
              key={item.href}
              href={item.href}
              className="rounded-md border border-neutral-300 px-3 py-1.5 text-sm font-medium text-neutral-700 hover:bg-neutral-100"
            >
              {item.label}
            </Link>
          ))}
        </nav>
        <LanguageSwitcher />
      </div>
    </header>
  )
 }
--- a/apps/web/src/i18n/navigation.ts
+++ b/apps/web/src/i18n/navigation.ts
@@ -0,0 +1,5 @@
 import { createNavigation } from "next-intl/navigation"
 import { routing } from "./routing"
 export const { Link, redirect, usePathname, useRouter, getPathname } = createNavigation(routing)
--- a/apps/web/src/i18n/request.test.ts
+++ b/apps/web/src/i18n/request.test.ts
@@ -0,0 +1,17 @@
 import { describe, expect, it } from "vitest"
 import { resolveRequestLocale } from "./request"
 describe("resolveRequestLocale", () => {
  it("accepts supported locales", () => {
    expect(resolveRequestLocale("de")).toBe("de")
    expect(resolveRequestLocale("en")).toBe("en")
    expect(resolveRequestLocale("es")).toBe("es")
    expect(resolveRequestLocale("fr")).toBe("fr")
  })
  it("falls back to default locale for unsupported values", () => {
    expect(resolveRequestLocale("it")).toBe("en")
    expect(resolveRequestLocale(undefined)).toBe("en")
  })
 })
--- a/apps/web/src/i18n/request.ts
+++ b/apps/web/src/i18n/request.ts
@@ -0,0 +1,19 @@
 import type { AppLocale } from "@cms/i18n"
 import { hasLocale } from "next-intl"
 import { getRequestConfig } from "next-intl/server"
 import { routing } from "./routing"
 export function resolveRequestLocale(requested: string | undefined): AppLocale {
  return hasLocale(routing.locales, requested) ? requested : routing.defaultLocale
 }
 export default getRequestConfig(async ({ requestLocale }) => {
  const requested = await requestLocale
  const locale = resolveRequestLocale(requested)
  return {
    locale,
    messages: (await import(`../messages/${locale}.json`)).default,
  }
 })
--- a/apps/web/src/i18n/routing.ts
+++ b/apps/web/src/i18n/routing.ts
@@ -0,0 +1,8 @@
 import { defaultLocale, locales } from "@cms/i18n"
 import { defineRouting } from "next-intl/routing"
 export const routing = defineRouting({
  locales: [...locales],
  defaultLocale,
  localePrefix: "never",
 })
--- a/apps/web/src/lib/build-info.test.ts
+++ b/apps/web/src/lib/build-info.test.ts
@@ -0,0 +1,29 @@
 import { afterEach, describe, expect, it, vi } from "vitest"
 import { getBuildInfo } from "./build-info"
 afterEach(() => {
  vi.unstubAllEnvs()
 })
 describe("getBuildInfo (web)", () => {
  it("returns fallback values when env is missing", () => {
    vi.stubEnv("NEXT_PUBLIC_APP_VERSION", "")
    vi.stubEnv("NEXT_PUBLIC_GIT_SHA", "")
    expect(getBuildInfo()).toEqual({
      version: "0.0.1-dev",
      sha: "local",
    })
  })
  it("uses env values and truncates git sha", () => {
    vi.stubEnv("NEXT_PUBLIC_APP_VERSION", "0.2.0")
    vi.stubEnv("NEXT_PUBLIC_GIT_SHA", "123456789abc")
    expect(getBuildInfo()).toEqual({
      version: "0.2.0",
      sha: "1234567",
    })
  })
 })
--- a/apps/web/src/lib/build-info.ts
+++ b/apps/web/src/lib/build-info.ts
@@ -0,0 +1,21 @@
 const FALLBACK_VERSION = "0.0.1-dev"
 const FALLBACK_SHA = "local"
 function shortenSha(input: string): string {
  const value = input.trim()
  if (!value) {
    return FALLBACK_SHA
  }
  return value.slice(0, 7)
 }
 export function getBuildInfo() {
  const version = process.env.NEXT_PUBLIC_APP_VERSION?.trim() || FALLBACK_VERSION
  const sha = shortenSha(process.env.NEXT_PUBLIC_GIT_SHA ?? "")
  return {
    version,
    sha,
  }
 }
--- a/apps/web/src/messages/de.json
+++ b/apps/web/src/messages/de.json
@@ -0,0 +1,45 @@
 {
  "Home": {
    "badge": "Web-App",
    "title": "Dein Next.js CMS Frontend",
    "description": "Diese Seite liest Beiträge über das gemeinsame Datenbank-Paket.",
    "latestPosts": "Neueste Beiträge",
    "explore": "Entdecken",
    "noExcerpt": "Kein Auszug"
  },
  "LanguageSwitcher": {
    "label": "Sprache",
    "localeNames": {
      "de": "Deutsch",
      "en": "Englisch",
      "es": "Spanisch",
      "fr": "Französisch"
    }
  },
  "Layout": {
    "brand": "CMS Web",
    "nav": {
      "home": "Start",
      "about": "Über uns",
      "contact": "Kontakt"
    },
    "footer": {
      "copyright": "© {year} CMS Web",
      "tagline": "Powered by Next.js, Bun, Prisma und TanStack."
    }
  },
  "Seo": {
    "title": "CMS Web",
    "description": "Öffentliches Frontend für das CMS-Monorepo."
  },
  "About": {
    "badge": "Über uns",
    "title": "Über dieses Projekt",
    "description": "Diese öffentliche App ist die Frontend-Oberfläche für CMS-gesteuerte Inhalte und kommende dynamische Seiten."
  },
  "Contact": {
    "badge": "Kontakt",
    "title": "Kontakt",
    "description": "Kontakt- und Auftragsabläufe werden in den nächsten MVP-Schritten eingeführt."
  }
 }
--- a/apps/web/src/messages/en.json
+++ b/apps/web/src/messages/en.json
@@ -0,0 +1,45 @@
 {
  "Home": {
    "badge": "Web App",
    "title": "Your Next.js CMS Frontend",
    "description": "This page reads posts through the shared database package.",
    "latestPosts": "Latest posts",
    "explore": "Explore",
    "noExcerpt": "No excerpt"
  },
  "LanguageSwitcher": {
    "label": "Language",
    "localeNames": {
      "de": "German",
      "en": "English",
      "es": "Spanish",
      "fr": "French"
    }
  },
  "Layout": {
    "brand": "CMS Web",
    "nav": {
      "home": "Home",
      "about": "About",
      "contact": "Contact"
    },
    "footer": {
      "copyright": "© {year} CMS Web",
      "tagline": "Powered by Next.js, Bun, Prisma, and TanStack."
    }
  },
  "Seo": {
    "title": "CMS Web",
    "description": "Public frontend for the CMS monorepo."
  },
  "About": {
    "badge": "About",
    "title": "About this project",
    "description": "This public app is the frontend surface for CMS-driven content and upcoming dynamic pages."
  },
  "Contact": {
    "badge": "Contact",
    "title": "Contact",
    "description": "Contact and commission flows will be introduced in upcoming MVP steps."
  }
 }
--- a/apps/web/src/messages/es.json
+++ b/apps/web/src/messages/es.json
@@ -0,0 +1,45 @@
 {
  "Home": {
    "badge": "Aplicación Web",
    "title": "Tu Frontend CMS con Next.js",
    "description": "Esta página lee publicaciones a través del paquete compartido de base de datos.",
    "latestPosts": "Últimas publicaciones",
    "explore": "Explorar",
    "noExcerpt": "Sin extracto"
  },
  "LanguageSwitcher": {
    "label": "Idioma",
    "localeNames": {
      "de": "Alemán",
      "en": "Inglés",
      "es": "Español",
      "fr": "Francés"
    }
  },
  "Layout": {
    "brand": "CMS Web",
    "nav": {
      "home": "Inicio",
      "about": "Acerca de",
      "contact": "Contacto"
    },
    "footer": {
      "copyright": "© {year} CMS Web",
      "tagline": "Impulsado por Next.js, Bun, Prisma y TanStack."
    }
  },
  "Seo": {
    "title": "CMS Web",
    "description": "Frontend público para el monorepo CMS."
  },
  "About": {
    "badge": "Acerca de",
    "title": "Sobre este proyecto",
    "description": "Esta app pública es la superficie frontend para contenido gestionado por CMS y próximas páginas dinámicas."
  },
  "Contact": {
    "badge": "Contacto",
    "title": "Contacto",
    "description": "Los flujos de contacto y comisiones se incorporarán en los siguientes pasos del MVP."
  }
 }
--- a/apps/web/src/messages/fr.json
+++ b/apps/web/src/messages/fr.json
@@ -0,0 +1,45 @@
 {
  "Home": {
    "badge": "Application Web",
    "title": "Votre Frontend CMS Next.js",
    "description": "Cette page lit les publications via le package base de données partagé.",
    "latestPosts": "Dernières publications",
    "explore": "Explorer",
    "noExcerpt": "Aucun extrait"
  },
  "LanguageSwitcher": {
    "label": "Langue",
    "localeNames": {
      "de": "Allemand",
      "en": "Anglais",
      "es": "Espagnol",
      "fr": "Français"
    }
  },
  "Layout": {
    "brand": "CMS Web",
    "nav": {
      "home": "Accueil",
      "about": "À propos",
      "contact": "Contact"
    },
    "footer": {
      "copyright": "© {year} CMS Web",
      "tagline": "Propulsé par Next.js, Bun, Prisma et TanStack."
    }
  },
  "Seo": {
    "title": "CMS Web",
    "description": "Frontend public pour le monorepo CMS."
  },
  "About": {
    "badge": "À propos",
    "title": "À propos de ce projet",
    "description": "Cette application publique est la surface frontend pour le contenu piloté par CMS et les futures pages dynamiques."
  },
  "Contact": {
    "badge": "Contact",
    "title": "Contact",
    "description": "Les flux de contact et de commission seront introduits dans les prochaines étapes MVP."
  }
 }
--- a/apps/web/src/proxy.ts
+++ b/apps/web/src/proxy.ts
@@ -0,0 +1,14 @@
 import type { NextRequest } from "next/server"
 import createMiddleware from "next-intl/middleware"
 import { routing } from "@/i18n/routing"
 const handleI18nRouting = createMiddleware(routing)
 export function proxy(request: NextRequest) {
  return handleI18nRouting(request)
 }
 export const config = {
  matcher: ["/((?!api|trpc|_next|_vercel|.*\\..*).*)"],
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Citali	281b1d7a1b	feat(pages): add pages and navigation builder baseline	2026-02-12 19:30:09 +01:00
Citali	7d9bc9dca9	feat(media): add admin media CRUD preview and storage cleanup	2026-02-12 19:15:26 +01:00
Citali	3e4f0b6c75	refactor(media): use asset-centric storage key layout	2026-02-12 18:41:01 +01:00
Citali	86a8af25d8	feat(media): default to s3 with local upload fallback	2026-02-12 18:16:11 +01:00
Citali	19738b77d8	feat(media): support local and s3 upload providers	2026-02-12 12:02:31 +01:00
Citali	5becba602c	feat(media): add mvp1 upload pipeline baseline	2026-02-12 11:57:39 +01:00
Citali	ad351ed73a	feat(media): complete mvp1 media foundation workflows	2026-02-11 22:56:01 +01:00
Citali	d727ab8b5b	feat(media): scaffold mvp1 media and portfolio foundation	2026-02-11 22:46:24 +01:00
Citali	5b47fafe89	docs(product): add cms feature topics, package catalog, and inspiration notes Some checks failed CMS CI / Governance Checks (push) Successful in 1m2s Details CMS CI / Lint Typecheck Unit E2E (push) Failing after 3m24s Details	2026-02-11 22:35:46 +01:00
Citali	37fabad1f8	chore(repo): update turbo dependency Some checks failed CMS CI / Governance Checks (push) Successful in 1m5s Details CMS CI / Lint Typecheck Unit E2E (push) Failing after 3m40s Details	2026-02-11 22:08:01 +01:00
Citali	637dfd2651	docs(ops): add staging deployment checklist and evidence template	2026-02-11 19:11:45 +01:00
Citali	f9f2b4eb15	docs(gitflow): add branch protection verification checklist	2026-02-11 19:09:57 +01:00
Citali	ccac669454	feat(release): publish gitea release notes and enable production rollback	2026-02-11 19:09:22 +01:00
Citali	af52b8581f	feat(ci): stamp build metadata and validate footer version hash	2026-02-11 19:06:55 +01:00
Citali	3de4d5732e	feat(versioning): show runtime version and git hash in app footers	2026-02-11 19:01:53 +01:00
Citali	14c3df623a	fix(db): organize imports for biome check Some checks failed CMS CI / Governance Checks (push) Successful in 1m2s Details CMS CI / Lint Typecheck Unit E2E (push) Failing after 3m38s Details	2026-02-11 18:45:30 +01:00
Citali	a57464d818	chore(repo): remove theoretical workflow and fix prisma ci generation Some checks failed CMS CI / Governance Checks (push) Successful in 1m6s Details CMS CI / Lint Typecheck Unit E2E (push) Failing after 1m8s Details	2026-02-11 18:26:42 +01:00
Citali	c174f840bc	fix(ci): gitea workflows Some checks failed CMS CI/CD (Theoretical) / Lint Typecheck Tests (push) Failing after 35s Details CMS CI / Governance Checks (push) Successful in 1m1s Details CMS CI/CD (Theoretical) / Build Staging Images (push) Has been skipped Details CMS CI/CD (Theoretical) / Build Production Images (push) Has been skipped Details CMS CI/CD (Theoretical) / Deploy Staging (Placeholder) (push) Has been skipped Details CMS CI / Lint Typecheck Unit E2E (push) Failing after 1m25s Details CMS CI/CD (Theoretical) / Deploy Production (Placeholder) (push) Has been skipped Details	2026-02-11 13:12:12 +01:00
Citali	334a5e3526	chore(ci): add gitea actions runner compose setup	2026-02-11 12:25:57 +01:00
Citali	516b773012	docs(versioning): define release policy and close MVP0 pipeline tasks Some checks failed CMS CI/CD (Theoretical) / Lint Typecheck Tests (push) Failing after 5m34s Details CMS CI / Governance Checks (push) Failing after 4m47s Details CMS CI/CD (Theoretical) / Build Staging Images (push) Has been skipped Details CMS CI / Lint Typecheck Unit E2E (push) Has been skipped Details CMS CI/CD (Theoretical) / Build Production Images (push) Has been skipped Details CMS CI/CD (Theoretical) / Deploy Staging (Placeholder) (push) Has been skipped Details CMS CI/CD (Theoretical) / Deploy Production (Placeholder) (push) Has been skipped Details	2026-02-11 12:19:50 +01:00
Citali	21cc55a1b9	ci(gitflow): enforce branch and PR governance checks	2026-02-11 12:19:39 +01:00
Citali	969e88670f	ci(delivery): add deploy and release workflow scaffolds	2026-02-11 12:19:31 +01:00
Citali	cec87679ca	docs(adr): add glossary pages and ADR baseline structure	2026-02-11 12:12:34 +01:00
Citali	4d6e17a13b	docs(ops): add environment and deployment runbook	2026-02-11 12:11:08 +01:00
Citali	7b4b23fc4f	docs(crud): add implementation examples and complete docs task	2026-02-11 12:10:28 +01:00
Citali	5872593b01	docs(i18n): add conventions guide and wire docs navigation	2026-02-11 12:09:43 +01:00
Citali	3b130568e9	test(mvp0): complete remaining i18n, RBAC, and CRUD coverage	2026-02-11 12:06:27 +01:00
Citali	8390689c8d	feat(web): complete MVP0 public layout, banner, and SEO baseline	2026-02-10 22:04:53 +01:00
Citali	bf1a92d129	feat(admin): add IA shell and protected section skeleton routes	2026-02-10 21:34:26 +01:00
Citali	36b09cd9d7	test(crud): finalize MVP1 gate CRUD contract coverage	2026-02-10 21:26:49 +01:00
Citali	70fc154f97	merge: todo/mvp0-admin-i18n-baseline into dev	2026-02-10 21:21:35 +01:00
Citali	c4d0499d12	merge: todo/mvp0-crud-foundation into dev	2026-02-10 21:21:32 +01:00
Citali	d16fb6e121	merge: todo/mvp0-i18n-baseline into dev	2026-02-10 21:21:28 +01:00
Citali	a508e3203a	merge: todo/mvp0-owner-invariant-enforcement into dev	2026-02-10 21:21:25 +01:00
Citali	4d4b583cf4	test(ci): add quality gates, e2e data prep, and i18n integration coverage	2026-02-10 21:17:41 +01:00
Citali	4ac7410148	test(admin): cover support fallback route and mark todo complete	2026-02-10 21:11:49 +01:00
Citali	d0f731743c	feat(admin): add registration policy settings and disabled register state	2026-02-10 21:10:39 +01:00
Citali	b618c8cb51	feat(admin-i18n): add cookie-based locale runtime and switcher baseline	2026-02-10 20:56:03 +01:00
Citali	07e5f53793	feat(admin): add posts CRUD sandbox and shared CRUD foundation	2026-02-10 19:35:41 +01:00
Citali	de26cb7647	feat(web-i18n): add es/fr locales and expand switcher locale set	2026-02-10 19:23:36 +01:00
Citali	0e2248b5c7	feat(auth): block protected account deletion in auth endpoints	2026-02-10 18:47:52 +01:00
Citali	29a6e38ff3	feat(auth): enforce single-owner invariant in bootstrap flow	2026-02-10 18:43:06 +01:00
Citali	b96cd6d800	feat(admin-auth): support username login and add dashboard logout	2026-02-10 18:35:19 +01:00
Citali	7b665ae633	feat(admin-auth): add first-start onboarding flow and dev db reset command	2026-02-10 18:14:47 +01:00
Citali	411861419f	feat(auth): bootstrap protected support and first owner users	2026-02-10 17:50:16 +01:00
Citali	df1280af4a	refactor(db): simplify to single prisma schema workflow	2026-02-10 17:42:48 +01:00
Citali	670f7d3fb2	chore(release): initialize versioning roadmap and changelog	2026-02-10 12:58:42 +01:00
Citali	2dcb8a80ba	docs(todo): mark auth routing baseline complete	2026-02-10 12:53:44 +01:00
Citali	efb93f212b	fix(next): migrate admin middleware to proxy convention	2026-02-10 12:52:38 +01:00
Citali	24eca3e740	refactor(auth): localize admin auth and replace latest ranges	2026-02-10 12:49:59 +01:00
Citali	ba8abb3b1b	feat(auth): add better-auth core wiring for admin and db	2026-02-10 12:42:49 +01:00
Citali	3949fd2c11	docs(todo): add i18n milestones and test coverage tasks	2026-02-10 12:17:14 +01:00
Citali	947cb0a3d7	feat(rbac): enforce admin access checks and document permission model	2026-02-10 12:16:36 +01:00
Citali	4041a4ac4a	Docs	2026-02-10 11:57:42 +01:00
Citali	7ba96f6a03	Add docs	2026-02-10 02:27:12 +01:00
		`@@ -0,0 +1 @@`
							`export const ADMIN_LOCALE_COOKIE = "cms_admin_locale"`