@dudousxd/adonis-authkit-server 0.4.0 → 0.5.0

package/build/index.d.ts

@@ -26,7 +26,7 @@ export { inertiaRenderer } from './src/host/renderers/inertia_renderer.js';
 export { edgeRenderer } from './src/host/renderers/edge_renderer.js';
 export { brandFor, isFirstParty } from './src/host/branding.js';
 export type { BrandingConfig, ClientBrand } from './src/host/branding.js';
-export { resolveMessages, translate, DEFAULT_MESSAGES, DEFAULT_LOCALE } from './src/host/i18n.js';
+export { resolveMessages, translate, DEFAULT_MESSAGES, PT_BR_MESSAGES, BUILTIN_MESSAGES, DEFAULT_LOCALE, } from './src/host/i18n.js';
 export type { I18nConfig, AuthMessages } from './src/host/i18n.js';
 export type { AuthHostRenderer, AuthSocialConfig } from './src/define_config.js';
 export { registerAuthHost } from './src/host/register_auth_host.js';

package/build/index.js

@@ -17,7 +17,7 @@ export { withAuditLog } from './src/mixins/with_audit_log.js';
 export { inertiaRenderer } from './src/host/renderers/inertia_renderer.js';
 export { edgeRenderer } from './src/host/renderers/edge_renderer.js';
 export { brandFor, isFirstParty } from './src/host/branding.js';
-export { resolveMessages, translate, DEFAULT_MESSAGES, DEFAULT_LOCALE } from './src/host/i18n.js';
+export { resolveMessages, translate, DEFAULT_MESSAGES, PT_BR_MESSAGES, BUILTIN_MESSAGES, DEFAULT_LOCALE, } from './src/host/i18n.js';
 export { registerAuthHost } from './src/host/register_auth_host.js';
 export { resolveRateLimit, resolveNotifications } from './src/define_config.js';
 export { createAuthThrottles } from './src/host/rate_limit.js';

package/build/src/host/controllers/account_mfa_controller.js

@@ -39,7 +39,9 @@ export default class AccountMfaController {
         const userId = ctx.session.get(ACCOUNT_SESSION_KEY);
         const generated = await cfg.accountStore.generatePasskeyRegistrationOptions?.(userId);
         if (!generated) {
-            return ctx.response.notFound({ message: 'Passkeys indisponíveis' });
+            return ctx.response.notFound({
+                message: translate(cfg.messages, 'errors.passkeys_unavailable'),
+            });
         }
         ctx.session.put(PASSKEY_REG_CHALLENGE_KEY, generated.challenge);
         return generated.options;
@@ -54,7 +56,9 @@ export default class AccountMfaController {
         const userId = ctx.session.get(ACCOUNT_SESSION_KEY);
         const challenge = ctx.session.get(PASSKEY_REG_CHALLENGE_KEY);
         if (!challenge) {
-            return ctx.response.badRequest({ message: 'Desafio expirado' });
+            return ctx.response.badRequest({
+                message: translate(cfg.messages, 'errors.challenge_expired'),
+            });
         }
         const body = ctx.request.input('response', ctx.request.body());
         const ok = (await cfg.accountStore.verifyPasskeyRegistration?.(userId, body, challenge)) ?? false;

package/build/src/host/controllers/interaction_controller.js

@@ -240,11 +240,15 @@ export default class AuthInteractionController {
         const cfg = service.config;
         const accountId = ctx.session.get(MFA_PENDING_KEY);
         if (!accountId) {
-            return ctx.response.badRequest({ message: 'Sessão expirada' });
+            return ctx.response.badRequest({
+                message: translate(cfg.messages, 'errors.session_expired'),
+            });
         }
         const generated = await cfg.accountStore.generatePasskeyAuthenticationOptions?.(accountId);
         if (!generated) {
-            return ctx.response.notFound({ message: 'Nenhuma passkey registrada' });
+            return ctx.response.notFound({
+                message: translate(cfg.messages, 'errors.no_passkey_registered'),
+            });
         }
         ctx.session.put(PASSKEY_AUTH_CHALLENGE_KEY, generated.challenge);
         return generated.options;

package/build/src/host/default_mailer.js

@@ -7,6 +7,7 @@ var __rewriteRelativeImportExtension = (this && this.__rewriteRelativeImportExte
     return path;
 };
 import { renderTransactionalEmail } from './email_templates.js';
+import { resolveMessages, translate, } from './i18n.js';
 let mailServicePromise;
 /**
  * Importa o service de mail do HOST de forma preguiçosa e fail-safe.
@@ -78,6 +79,22 @@ function resolveBrand(ctx) {
     }
     return { appName: 'AuthKit' };
 }
+/**
+ * Resolve o catálogo de mensagens i18n a partir do `config/authkit.ts` (i18n).
+ * Cai no default (`en`) se a config não for resolvível. Usado para localizar
+ * os e-mails transacionais (assunto/cabeçalho/corpo).
+ */
+function resolveMailMessages(ctx) {
+    try {
+        const resolver = ctx.containerResolver;
+        const i18n = resolver.app?.config?.get?.('authkit')?.i18n;
+        return { messages: resolveMessages(i18n), locale: i18n?.locale ?? 'en' };
+    }
+    catch {
+        // sem config authkit resolvível — usa o default `en`.
+        return { messages: resolveMessages(), locale: 'en' };
+    }
+}
 async function sendEmail(ctx, to, content) {
     const mail = await loadMail();
     if (!mail)
@@ -97,14 +114,17 @@ async function sendEmail(ctx, to, content) {
 export async function sendPasswordResetEmail(ctx, data) {
     try {
         const brand = resolveBrand(ctx);
+        const { messages: t, locale } = resolveMailMessages(ctx);
         const content = renderTransactionalEmail({
             brand,
-            subject: 'Redefinição de senha',
-            heading: 'Redefinição de senha',
-            intro: `Recebemos um pedido para redefinir a senha da sua conta em ${brand.appName}. Clique no botão abaixo para escolher uma nova senha. Se não foi você, ignore este e-mail.`,
-            ctaLabel: 'Redefinir senha',
+            locale,
+            linkFallback: translate(t, 'mail.common.link_fallback'),
+            subject: translate(t, 'mail.reset.subject'),
+            heading: translate(t, 'mail.reset.heading'),
+            intro: translate(t, 'mail.reset.intro'),
+            ctaLabel: translate(t, 'mail.reset.cta'),
             ctaUrl: data.resetUrl,
-            footnote: 'Por segurança, este link expira em breve e só pode ser usado uma vez.',
+            footnote: translate(t, 'mail.reset.fallback'),
         });
         const sent = await sendEmail(ctx, data.email, content);
         if (!sent) {
@@ -122,14 +142,17 @@ export async function sendPasswordResetEmail(ctx, data) {
 export async function sendEmailChangeConfirmationEmail(ctx, data) {
     try {
         const brand = resolveBrand(ctx);
+        const { messages: t, locale } = resolveMailMessages(ctx);
         const content = renderTransactionalEmail({
             brand,
-            subject: 'Confirme seu novo e-mail',
-            heading: 'Confirme seu novo e-mail',
-            intro: `Recebemos um pedido para alterar o e-mail da sua conta em ${brand.appName} para este endereço. Clique no botão abaixo para confirmar a alteração. Se não foi você, ignore este e-mail — nada será alterado.`,
-            ctaLabel: 'Confirmar novo e-mail',
+            locale,
+            linkFallback: translate(t, 'mail.common.link_fallback'),
+            subject: translate(t, 'mail.email_change.subject'),
+            heading: translate(t, 'mail.email_change.heading'),
+            intro: translate(t, 'mail.email_change.intro'),
+            ctaLabel: translate(t, 'mail.email_change.cta'),
             ctaUrl: data.confirmUrl,
-            footnote: 'Por segurança, este link expira em breve e só pode ser usado uma vez.',
+            footnote: translate(t, 'mail.email_change.fallback'),
         });
         const sent = await sendEmail(ctx, data.email, content);
         if (!sent) {
@@ -147,15 +170,23 @@ export async function sendEmailChangeConfirmationEmail(ctx, data) {
 export async function sendNewLoginEmail(ctx, data) {
     try {
         const brand = resolveBrand(ctx);
+        const { messages: t, locale } = resolveMailMessages(ctx);
         const origin = `${ctx.request.protocol()}://${ctx.request.host()}`;
+        const intro = [
+            translate(t, 'mail.new_login.intro'),
+            translate(t, 'mail.new_login.when', { date: data.when }),
+            translate(t, 'mail.new_login.ip', { ip: data.ip }),
+        ].join(' ');
         const content = renderTransactionalEmail({
             brand,
-            subject: 'Novo acesso à sua conta',
-            heading: 'Novo acesso à sua conta',
-            intro: `Detectamos um novo acesso à sua conta em ${brand.appName} a partir do IP ${data.ip} em ${data.when}. Se foi você, nenhuma ação é necessária. Se não reconhece este acesso, altere sua senha imediatamente.`,
-            ctaLabel: 'Acessar minha conta',
+            locale,
+            linkFallback: translate(t, 'mail.common.link_fallback'),
+            subject: translate(t, 'mail.new_login.subject'),
+            heading: translate(t, 'mail.new_login.heading'),
+            intro,
+            ctaLabel: translate(t, 'account.security.title'),
             ctaUrl: `${origin}/account/security`,
-            footnote: 'Você está recebendo este alerta porque um login foi feito de um endereço de IP não visto antes.',
+            footnote: translate(t, 'mail.new_login.fallback'),
         });
         const sent = await sendEmail(ctx, data.email, content);
         if (!sent) {
@@ -173,12 +204,15 @@ export async function sendNewLoginEmail(ctx, data) {
 export async function sendEmailVerificationEmail(ctx, data) {
     try {
         const brand = resolveBrand(ctx);
+        const { messages: t, locale } = resolveMailMessages(ctx);
         const content = renderTransactionalEmail({
             brand,
-            subject: 'Verifique seu e-mail',
-            heading: 'Confirme seu e-mail',
-            intro: `Bem-vindo(a) ao ${brand.appName}! Confirme seu endereço de e-mail clicando no botão abaixo para ativar sua conta.`,
-            ctaLabel: 'Verificar e-mail',
+            locale,
+            linkFallback: translate(t, 'mail.common.link_fallback'),
+            subject: translate(t, 'mail.verify.subject'),
+            heading: translate(t, 'mail.verify.heading'),
+            intro: translate(t, 'mail.verify.intro'),
+            ctaLabel: translate(t, 'mail.verify.cta'),
             ctaUrl: data.verifyUrl,
         });
         const sent = await sendEmail(ctx, data.email, content);

package/build/src/host/email_templates.d.ts

@@ -30,6 +30,10 @@ interface EmailTemplateInput {
     ctaUrl: string;
     /** Linha auxiliar abaixo do botão (ex.: validade do link). */
     footnote?: string;
+    /** Texto que precede o link de fallback (i18n). Default em inglês. */
+    linkFallback?: string;
+    /** Locale do documento HTML (atributo `lang`). Default: 'en'. */
+    locale?: string;
 }
 export declare function renderTransactionalEmail(input: EmailTemplateInput): EmailContent;
 export {};

package/build/src/host/email_templates.js

@@ -21,8 +21,11 @@ export function renderTransactionalEmail(input) {
     const accent = input.brand.accent || FALLBACK_ACCENT;
     const company = input.brand.company || appName;
     const year = '©'; // ano resolvido fora (sem Date.* aqui); rodapé usa só o nome.
+    const lang = input.locale || 'en';
+    const linkFallback = input.linkFallback ||
+        'If the button does not work, copy and paste this link into your browser:';
     const html = `<!doctype html>
-<html lang="pt-BR">
+<html lang="${esc(lang)}">
 <head>
 <meta charset="utf-8">
 <meta name="viewport" content="width=device-width, initial-scale=1">
@@ -42,7 +45,7 @@ export function renderTransactionalEmail(input) {
 <a href="${esc(input.ctaUrl)}" style="display:inline-block;padding:12px 24px;font-size:15px;font-weight:600;color:#ffffff;text-decoration:none;border-radius:8px;">${esc(input.ctaLabel)}</a>
 </td></tr></table>
 ${input.footnote ? `<p style="margin:24px 0 0;font-size:13px;line-height:1.5;color:#6b7280;">${esc(input.footnote)}</p>` : ''}
-<p style="margin:24px 0 0;font-size:13px;line-height:1.5;color:#6b7280;">Se o botão não funcionar, copie e cole este link no navegador:<br><a href="${esc(input.ctaUrl)}" style="color:${esc(accent)};word-break:break-all;">${esc(input.ctaUrl)}</a></p>
+<p style="margin:24px 0 0;font-size:13px;line-height:1.5;color:#6b7280;">${esc(linkFallback)}<br><a href="${esc(input.ctaUrl)}" style="color:${esc(accent)};word-break:break-all;">${esc(input.ctaUrl)}</a></p>
 </td></tr>
 <tr><td style="padding:24px 28px 28px;border-top:1px solid #f3f4f6;">
 <p style="margin:0;font-size:12px;line-height:1.5;color:#9ca3af;">${esc(company)} ${year}</p>

package/build/src/host/i18n.d.ts

@@ -3,26 +3,29 @@
  *
  * Todas as strings visíveis ao usuário das views Edge (e as mensagens de
  * flash/erro produzidas pelos controllers) vivem num catálogo achatado de
- * chaves pontilhadas. O default embutido é pt-BR — os apps continuam
- * funcionando SEM nenhuma configuração. O host pode sobrescrever chaves
- * pontuais ou fornecer locales inteiros (ex.: `en`) via `I18nConfig`.
+ * chaves pontilhadas. O default embutido é inglês (`en`) — os apps continuam
+ * funcionando SEM nenhuma configuração. O pt-BR é um locale embutido: basta
+ * `i18n: { locale: 'pt-BR' }`. O host também pode sobrescrever chaves pontuais
+ * ou fornecer locales inteiros (ex.: `fr`) via `I18nConfig`.
  */
 /** Catálogo achatado de chaves de mensagem → strings. */
 export type AuthMessages = Record<string, string>;
 export interface I18nConfig {
-    /** Locale ativo. Default: 'pt-BR'. */
+    /** Locale ativo. Default: 'en'. Locale embutido extra: 'pt-BR'. */
     locale?: string;
     /**
      * Locales adicionais e/ou overrides pontuais. As chaves do locale ativo são
-     * mescladas SOBRE o default pt-BR — então o host pode trocar só algumas
-     * chaves ou trazer um locale novo por completo.
+     * mescladas SOBRE o catálogo embutido do locale (ou sobre o default `en`
+     * quando o locale não é embutido) — então o host pode trocar só algumas
+     * chaves, complementar um locale embutido, ou trazer um locale novo por
+     * completo.
      */
     messages?: Record<string, Partial<AuthMessages>>;
 }
 /** Locale default do host-kit. */
-export declare const DEFAULT_LOCALE = "pt-BR";
+export declare const DEFAULT_LOCALE = "en";
 /**
- * Catálogo default (pt-BR) — cobre TODAS as strings visíveis ao usuário das
+ * Catálogo default (inglês) — cobre TODAS as strings visíveis ao usuário das
  * views e as mensagens de flash/erro dos controllers. Chaves agrupadas por tela.
  */
 export declare const DEFAULT_MESSAGES: {
@@ -244,11 +247,302 @@ export declare const DEFAULT_MESSAGES: {
     'errors.signup_failed': string;
     'errors.invalid_or_expired_token': string;
     'errors.account_locked': string;
+    'errors.session_expired': string;
+    'errors.challenge_expired': string;
+    'errors.passkeys_unavailable': string;
+    'errors.no_passkey_registered': string;
+    'mail.common.link_fallback': string;
+    'mail.reset.subject': string;
+    'mail.reset.heading': string;
+    'mail.reset.intro': string;
+    'mail.reset.cta': string;
+    'mail.reset.fallback': string;
+    'mail.reset.expires': string;
+    'mail.verify.subject': string;
+    'mail.verify.heading': string;
+    'mail.verify.intro': string;
+    'mail.verify.cta': string;
+    'mail.verify.fallback': string;
+    'mail.verify.expires': string;
+    'mail.new_login.subject': string;
+    'mail.new_login.heading': string;
+    'mail.new_login.intro': string;
+    'mail.new_login.when': string;
+    'mail.new_login.ip': string;
+    'mail.new_login.device': string;
+    'mail.new_login.fallback': string;
+    'mail.email_change.subject': string;
+    'mail.email_change.heading': string;
+    'mail.email_change.intro': string;
+    'mail.email_change.cta': string;
+    'mail.email_change.fallback': string;
+    'mail.email_change.expires': string;
 };
 /**
- * Resolve o catálogo ativo: mescla os overrides do locale selecionado SOBRE o
- * default pt-BR. Sem config, retorna os defaults intactos. Chaves omitidas pelo
- * locale escolhido caem no default pt-BR (fallback de cobertura).
+ * Catálogo embutido pt-BR. Espelha TODAS as chaves do default `en`. Ativado
+ * com `i18n: { locale: 'pt-BR' }` sem nenhuma config extra de mensagens.
+ */
+export declare const PT_BR_MESSAGES: {
+    'common.app_fallback': string;
+    'common.brand_eyebrow': string;
+    'login.page_title': string;
+    'login.title': string;
+    'login.identifier_intro': string;
+    'login.email_label': string;
+    'login.identifier_submit': string;
+    'login.create_account': string;
+    'login.forgot_password': string;
+    'login.divider_or': string;
+    'login.google': string;
+    'login.greeting': string;
+    'login.switch_account': string;
+    'login.password_label': string;
+    'login.submit': string;
+    'signup.page_title': string;
+    'signup.title': string;
+    'signup.intro': string;
+    'signup.name_label': string;
+    'signup.email_label': string;
+    'signup.password_label': string;
+    'signup.submit': string;
+    'signup.have_account': string;
+    'forgot.page_title': string;
+    'forgot.sent_title': string;
+    'forgot.sent_body': string;
+    'forgot.title': string;
+    'forgot.intro': string;
+    'forgot.email_label': string;
+    'forgot.submit': string;
+    'reset.page_title': string;
+    'reset.done_title': string;
+    'reset.done_body': string;
+    'reset.title': string;
+    'reset.intro': string;
+    'reset.password_label': string;
+    'reset.submit': string;
+    'verify_email.page_title': string;
+    'verify_email.verified_title': string;
+    'verify_email.verified_body': string;
+    'verify_email.invalid_title': string;
+    'verify_email.invalid_body': string;
+    'mfa_challenge.page_title': string;
+    'mfa_challenge.title': string;
+    'mfa_challenge.intro': string;
+    'mfa_challenge.code_label': string;
+    'mfa_challenge.submit': string;
+    'mfa_challenge.recovery_summary': string;
+    'mfa_challenge.recovery_submit': string;
+    'mfa_challenge.passkey_button': string;
+    'mfa_challenge.passkey_error': string;
+    'consent.page_title': string;
+    'consent.title': string;
+    'consent.body': string;
+    'consent.submit': string;
+    'account.login.page_title': string;
+    'account.login.title': string;
+    'account.login.intro': string;
+    'account.login.email_label': string;
+    'account.login.password_label': string;
+    'account.login.submit': string;
+    'account.tokens.page_title': string;
+    'account.tokens.title': string;
+    'account.tokens.logout': string;
+    'account.tokens.security': string;
+    'account.tokens.created_notice': string;
+    'account.tokens.name_placeholder': string;
+    'account.tokens.create': string;
+    'account.tokens.empty': string;
+    'account.tokens.created_at': string;
+    'account.tokens.last_used': string;
+    'account.tokens.never_used': string;
+    'account.tokens.scopes': string;
+    'account.tokens.audience': string;
+    'account.tokens.revoke': string;
+    'account.security.page_title': string;
+    'account.security.title': string;
+    'account.security.logout': string;
+    'account.security.current_email': string;
+    'account.security.not_supported': string;
+    'account.security.password_section': string;
+    'account.security.current_password_label': string;
+    'account.security.new_password_label': string;
+    'account.security.change_password_submit': string;
+    'account.security.password_changed': string;
+    'account.security.email_section': string;
+    'account.security.email_intro': string;
+    'account.security.new_email_label': string;
+    'account.security.email_password_label': string;
+    'account.security.change_email_submit': string;
+    'account.security.email_change_requested': string;
+    'account.security.email_changed': string;
+    'account.email_confirmed.page_title': string;
+    'account.email_confirmed.ok_title': string;
+    'account.email_confirmed.ok_body': string;
+    'account.email_confirmed.invalid_title': string;
+    'account.email_confirmed.invalid_body': string;
+    'account.mfa.page_title': string;
+    'account.mfa.title': string;
+    'account.mfa.logout': string;
+    'account.mfa.recovery_codes_notice': string;
+    'account.mfa.enroll_intro': string;
+    'account.mfa.qr_alt': string;
+    'account.mfa.manual_intro': string;
+    'account.mfa.confirm_code_label': string;
+    'account.mfa.activate': string;
+    'account.mfa.enabled_html': string;
+    'account.mfa.disable': string;
+    'account.mfa.disabled_intro': string;
+    'account.mfa.enable': string;
+    'mfa.passkey.section_title': string;
+    'mfa.passkey.section_intro': string;
+    'mfa.passkey.add': string;
+    'mfa.passkey.remove': string;
+    'mfa.passkey.empty': string;
+    'mfa.passkey.unnamed': string;
+    'mfa.passkey.created_at': string;
+    'mfa.passkey.register_error': string;
+    'mfa.passkey.unsupported': string;
+    'admin.nav.dashboard': string;
+    'admin.nav.users': string;
+    'admin.nav.clients': string;
+    'admin.nav.audit': string;
+    'admin.nav.logout': string;
+    'admin.dashboard.page_title': string;
+    'admin.dashboard.title': string;
+    'admin.dashboard.users_count': string;
+    'admin.dashboard.clients_count': string;
+    'admin.dashboard.audit_count': string;
+    'admin.dashboard.recent_title': string;
+    'admin.users.page_title': string;
+    'admin.users.title': string;
+    'admin.users.search_placeholder': string;
+    'admin.users.search': string;
+    'admin.users.empty': string;
+    'admin.users.roles_placeholder': string;
+    'admin.users.save_roles': string;
+    'admin.users.sessions': string;
+    'admin.sessions.page_title': string;
+    'admin.sessions.title': string;
+    'admin.sessions.account': string;
+    'admin.sessions.back': string;
+    'admin.sessions.not_supported': string;
+    'admin.sessions.revoked_notice': string;
+    'admin.sessions.sessions_section': string;
+    'admin.sessions.sessions_empty': string;
+    'admin.sessions.session_login_ts': string;
+    'admin.sessions.session_amr': string;
+    'admin.sessions.grants_section': string;
+    'admin.sessions.grants_empty': string;
+    'admin.sessions.grant_client': string;
+    'admin.sessions.grant_tokens': string;
+    'admin.sessions.revoke_all': string;
+    'admin.sessions.revoke_confirm': string;
+    'admin.clients.page_title': string;
+    'admin.clients.title': string;
+    'admin.clients.empty': string;
+    'admin.clients.confidential': string;
+    'admin.clients.public': string;
+    'admin.clients.grants': string;
+    'admin.clients.redirect_uris': string;
+    'admin.clients.dynamic_notice': string;
+    'admin.clients.static_section': string;
+    'admin.clients.dynamic_section': string;
+    'admin.clients.dynamic_empty': string;
+    'admin.clients.dynamic_not_supported': string;
+    'admin.clients.new': string;
+    'admin.clients.new_title': string;
+    'admin.clients.edit_title': string;
+    'admin.clients.edit': string;
+    'admin.clients.delete': string;
+    'admin.clients.delete_confirm': string;
+    'admin.clients.regenerate_secret': string;
+    'admin.clients.regenerate_confirm': string;
+    'admin.clients.back': string;
+    'admin.clients.cancel': string;
+    'admin.clients.save': string;
+    'admin.clients.create': string;
+    'admin.clients.secret_once_title': string;
+    'admin.clients.secret_once_notice': string;
+    'admin.clients.field_client_id': string;
+    'admin.clients.field_client_id_placeholder': string;
+    'admin.clients.field_client_id_help': string;
+    'admin.clients.field_redirect_uris': string;
+    'admin.clients.field_redirect_uris_help': string;
+    'admin.clients.field_post_logout_uris': string;
+    'admin.clients.field_post_logout_uris_help': string;
+    'admin.clients.field_grant_types': string;
+    'admin.clients.field_auth_method': string;
+    'admin.audit.page_title': string;
+    'admin.audit.title': string;
+    'admin.audit.type_placeholder': string;
+    'admin.audit.subject_placeholder': string;
+    'admin.audit.filter': string;
+    'admin.audit.empty': string;
+    'admin.audit.not_supported': string;
+    'admin.pagination.page': string;
+    'admin.pagination.prev': string;
+    'admin.pagination.next': string;
+    'device.input.title': string;
+    'device.input.intro': string;
+    'device.input.submit': string;
+    'device.input.error_invalid': string;
+    'device.input.error_aborted': string;
+    'device.input.error_generic': string;
+    'device.confirm.title': string;
+    'device.confirm.body': string;
+    'device.confirm.submit': string;
+    'device.confirm.abort': string;
+    'device.success.title': string;
+    'device.success.body': string;
+    'mfa_challenge.required_no_enrollment': string;
+    'errors.invalid_credentials': string;
+    'errors.invalid_code': string;
+    'errors.email_taken': string;
+    'errors.signup_failed': string;
+    'errors.invalid_or_expired_token': string;
+    'errors.account_locked': string;
+    'errors.session_expired': string;
+    'errors.challenge_expired': string;
+    'errors.passkeys_unavailable': string;
+    'errors.no_passkey_registered': string;
+    'mail.common.link_fallback': string;
+    'mail.reset.subject': string;
+    'mail.reset.heading': string;
+    'mail.reset.intro': string;
+    'mail.reset.cta': string;
+    'mail.reset.fallback': string;
+    'mail.reset.expires': string;
+    'mail.verify.subject': string;
+    'mail.verify.heading': string;
+    'mail.verify.intro': string;
+    'mail.verify.cta': string;
+    'mail.verify.fallback': string;
+    'mail.verify.expires': string;
+    'mail.new_login.subject': string;
+    'mail.new_login.heading': string;
+    'mail.new_login.intro': string;
+    'mail.new_login.when': string;
+    'mail.new_login.ip': string;
+    'mail.new_login.device': string;
+    'mail.new_login.fallback': string;
+    'mail.email_change.subject': string;
+    'mail.email_change.heading': string;
+    'mail.email_change.intro': string;
+    'mail.email_change.cta': string;
+    'mail.email_change.fallback': string;
+    'mail.email_change.expires': string;
+};
+/**
+ * Locales embutidos no host-kit. O `en` é o default; o `pt-BR` está disponível
+ * com `i18n: { locale: 'pt-BR' }` sem nenhuma config de mensagens extra. Os
+ * overrides/locales do host (via `I18nConfig.messages`) são mesclados por cima.
+ */
+export declare const BUILTIN_MESSAGES: Record<string, AuthMessages>;
+/**
+ * Resolve o catálogo ativo. Começa do catálogo embutido do locale selecionado
+ * (ou do default `en` quando o locale não é embutido), depois mescla os
+ * overrides do host por cima. Sem config, retorna o default `en` intacto.
+ * Chaves omitidas caem no default `en` (fallback de cobertura).
  */
 export declare function resolveMessages(i18n?: I18nConfig): AuthMessages;
 /**

package/build/src/host/i18n.js

@@ -3,17 +3,299 @@
  *
  * Todas as strings visíveis ao usuário das views Edge (e as mensagens de
  * flash/erro produzidas pelos controllers) vivem num catálogo achatado de
- * chaves pontilhadas. O default embutido é pt-BR — os apps continuam
- * funcionando SEM nenhuma configuração. O host pode sobrescrever chaves
- * pontuais ou fornecer locales inteiros (ex.: `en`) via `I18nConfig`.
+ * chaves pontilhadas. O default embutido é inglês (`en`) — os apps continuam
+ * funcionando SEM nenhuma configuração. O pt-BR é um locale embutido: basta
+ * `i18n: { locale: 'pt-BR' }`. O host também pode sobrescrever chaves pontuais
+ * ou fornecer locales inteiros (ex.: `fr`) via `I18nConfig`.
  */
 /** Locale default do host-kit. */
-export const DEFAULT_LOCALE = 'pt-BR';
+export const DEFAULT_LOCALE = 'en';
 /**
- * Catálogo default (pt-BR) — cobre TODAS as strings visíveis ao usuário das
+ * Catálogo default (inglês) — cobre TODAS as strings visíveis ao usuário das
  * views e as mensagens de flash/erro dos controllers. Chaves agrupadas por tela.
  */
 export const DEFAULT_MESSAGES = {
+    // Comum / fallback de marca.
+    'common.app_fallback': 'Auth',
+    'common.brand_eyebrow': 'Auth',
+    // Tela de login (interaction OIDC: identifier + password).
+    'login.page_title': 'Login',
+    'login.title': 'Login',
+    'login.identifier_intro': 'Enter your email to continue.',
+    'login.email_label': 'Email',
+    'login.identifier_submit': 'Continue',
+    'login.create_account': 'Create account',
+    'login.forgot_password': 'Forgot password',
+    'login.divider_or': 'or',
+    'login.google': 'Sign in with Google',
+    'login.greeting': 'Hi, {name}',
+    'login.switch_account': 'Switch account',
+    'login.password_label': 'Password',
+    'login.submit': 'Log in',
+    // Tela de cadastro (signup).
+    'signup.page_title': 'Create account',
+    'signup.title': 'Create account',
+    'signup.intro': 'Fill in your details to get started.',
+    'signup.name_label': 'Name',
+    'signup.email_label': 'Email',
+    'signup.password_label': 'Password',
+    'signup.submit': 'Create account',
+    'signup.have_account': 'I already have an account',
+    // Recuperação de senha (forgot).
+    'forgot.page_title': 'Reset password',
+    'forgot.sent_title': 'Email sent',
+    'forgot.sent_body': 'If the email exists, we will send reset instructions.',
+    'forgot.title': 'Reset password',
+    'forgot.intro': 'We will send you a link to reset your password.',
+    'forgot.email_label': 'Email',
+    'forgot.submit': 'Send link',
+    // Redefinição de senha (reset).
+    'reset.page_title': 'Reset password',
+    'reset.done_title': 'Password reset',
+    'reset.done_body': 'You can now log in with your new password.',
+    'reset.title': 'New password',
+    'reset.intro': 'Choose a new password for your account.',
+    'reset.password_label': 'Password',
+    'reset.submit': 'Reset',
+    // Verificação de e-mail (verify-email).
+    'verify_email.page_title': 'Verify email',
+    'verify_email.verified_title': 'Email verified',
+    'verify_email.verified_body': 'Your email was confirmed successfully.',
+    'verify_email.invalid_title': 'Invalid link',
+    'verify_email.invalid_body': 'The verification link is invalid or has already been used.',
+    // Desafio de MFA no fluxo de login (mfa-challenge).
+    'mfa_challenge.page_title': 'Two-factor verification',
+    'mfa_challenge.title': 'Two-factor verification',
+    'mfa_challenge.intro': 'Open your authenticator app and enter the 6-digit code.',
+    'mfa_challenge.code_label': 'Code',
+    'mfa_challenge.submit': 'Verify',
+    'mfa_challenge.recovery_summary': 'Use a recovery code',
+    'mfa_challenge.recovery_submit': 'Log in with a recovery code',
+    'mfa_challenge.passkey_button': 'Use passkey',
+    'mfa_challenge.passkey_error': 'Could not authenticate with the passkey. Please try again.',
+    // Consent (autorização de cliente OIDC).
+    'consent.page_title': 'Authorize',
+    'consent.title': 'Authorize access',
+    // `{app}` é interpolado com o nome do app já envolto em <strong> (renderizado
+    // raw na view). O nome vem do branding (config-trusted).
+    'consent.body': 'The app <strong>{app}</strong> wants to access your account.',
+    'consent.submit': 'Authorize',
+    // Console de conta — login (account/login).
+    'account.login.page_title': 'My account',
+    'account.login.title': 'My account',
+    'account.login.intro': 'Manage your access tokens.',
+    'account.login.email_label': 'Email',
+    'account.login.password_label': 'Password',
+    'account.login.submit': 'Log in',
+    // Console de conta — tokens (account/tokens).
+    'account.tokens.page_title': 'Access tokens',
+    'account.tokens.title': 'Access tokens',
+    'account.tokens.logout': 'Log out',
+    'account.tokens.security': 'Security',
+    'account.tokens.created_notice': 'Token created — copy it now, it will not be shown again:',
+    'account.tokens.name_placeholder': 'Token name (e.g. CI deploy)',
+    'account.tokens.create': 'Create',
+    'account.tokens.empty': 'No tokens yet.',
+    'account.tokens.created_at': 'Created on {date}',
+    'account.tokens.last_used': '· last used {date}',
+    'account.tokens.never_used': '· never used',
+    'account.tokens.scopes': 'Scopes: {scopes}',
+    'account.tokens.audience': 'Audience: {audience}',
+    'account.tokens.revoke': 'Revoke',
+    // Console de conta — segurança (account/security): senha + e-mail.
+    'account.security.page_title': 'Account security',
+    'account.security.title': 'Account security',
+    'account.security.logout': 'Log out',
+    'account.security.current_email': 'Current email: {email}',
+    'account.security.not_supported': 'Changing password and email is not available in this installation.',
+    'account.security.password_section': 'Change password',
+    'account.security.current_password_label': 'Current password',
+    'account.security.new_password_label': 'New password',
+    'account.security.change_password_submit': 'Change password',
+    'account.security.password_changed': 'Password changed successfully.',
+    'account.security.email_section': 'Change email',
+    'account.security.email_intro': 'We will send a confirmation link to the new address. The change only takes effect after confirmation.',
+    'account.security.new_email_label': 'New email',
+    'account.security.email_password_label': 'Current password',
+    'account.security.change_email_submit': 'Request email change',
+    'account.security.email_change_requested': 'We sent a confirmation link to {email}. Click it to complete the change.',
+    'account.security.email_changed': 'Email changed successfully.',
+    // Confirmação de troca de e-mail (account/email-confirmed).
+    'account.email_confirmed.page_title': 'Email confirmation',
+    'account.email_confirmed.ok_title': 'Email changed',
+    'account.email_confirmed.ok_body': 'Your new email has been confirmed and is now active.',
+    'account.email_confirmed.invalid_title': 'Invalid link',
+    'account.email_confirmed.invalid_body': 'The confirmation link is invalid or has already been used.',
+    // Console de conta — MFA (account/mfa).
+    'account.mfa.page_title': 'Two-factor verification',
+    'account.mfa.title': 'Two-factor verification',
+    'account.mfa.logout': 'Log out',
+    'account.mfa.recovery_codes_notice': 'Save your recovery codes — they will not be shown again:',
+    'account.mfa.enroll_intro': 'Scan the QR code with your authenticator app (Google Authenticator, 1Password, etc.).',
+    'account.mfa.qr_alt': 'TOTP QR code',
+    'account.mfa.manual_intro': 'Or enter it manually:',
+    'account.mfa.confirm_code_label': 'Confirmation code',
+    'account.mfa.activate': 'Enable two-factor verification',
+    'account.mfa.enabled_html': 'Two-factor verification is <span class="font-semibold text-emerald-700">enabled</span> on this account.',
+    'account.mfa.disable': 'Disable',
+    'account.mfa.disabled_intro': 'Two-factor verification is disabled. Enable it to protect your account with an authenticator app.',
+    'account.mfa.enable': 'Enable two-factor verification',
+    // Console de conta — passkeys (WebAuthn) na tela de MFA.
+    'mfa.passkey.section_title': 'Passkeys',
+    'mfa.passkey.section_intro': 'Use a passkey (biometrics, device PIN, or security key) as a second factor, without typing codes.',
+    'mfa.passkey.add': 'Add passkey',
+    'mfa.passkey.remove': 'Remove',
+    'mfa.passkey.empty': 'No passkeys registered.',
+    'mfa.passkey.unnamed': 'Passkey',
+    'mfa.passkey.created_at': 'Created on {date}',
+    'mfa.passkey.register_error': 'Could not register the passkey. Please try again.',
+    'mfa.passkey.unsupported': 'Your browser does not support passkeys.',
+    // Console admin (B6) — navegação compartilhada.
+    'admin.nav.dashboard': 'Dashboard',
+    'admin.nav.users': 'Users',
+    'admin.nav.clients': 'Clients',
+    'admin.nav.audit': 'Audit',
+    'admin.nav.logout': 'Log out',
+    // Console admin — dashboard.
+    'admin.dashboard.page_title': 'Admin dashboard',
+    'admin.dashboard.title': 'Admin dashboard',
+    'admin.dashboard.users_count': 'Users',
+    'admin.dashboard.clients_count': 'Clients',
+    'admin.dashboard.audit_count': 'Audit events',
+    'admin.dashboard.recent_title': 'Recent events',
+    // Console admin — usuários.
+    'admin.users.page_title': 'Users',
+    'admin.users.title': 'Users',
+    'admin.users.search_placeholder': 'Search by email',
+    'admin.users.search': 'Search',
+    'admin.users.empty': 'No users found.',
+    'admin.users.roles_placeholder': 'Roles (comma-separated)',
+    'admin.users.save_roles': 'Save roles',
+    'admin.users.sessions': 'Sessions',
+    // Console admin — sessões/grants ativos de uma conta.
+    'admin.sessions.page_title': 'Active sessions',
+    'admin.sessions.title': 'Active sessions',
+    'admin.sessions.account': 'Account: {email}',
+    'admin.sessions.back': 'Back to users',
+    'admin.sessions.not_supported': 'The configured OIDC adapter does not support enumeration — session inspection is unavailable.',
+    'admin.sessions.revoked_notice': 'Revoked: {sessions} session(s), {grants} grant(s), {accessTokens} access token(s), {refreshTokens} refresh token(s).',
+    'admin.sessions.sessions_section': 'Sessions (IdP login)',
+    'admin.sessions.sessions_empty': 'No active sessions.',
+    'admin.sessions.session_login_ts': 'Login: {date}',
+    'admin.sessions.session_amr': 'Methods: {amr}',
+    'admin.sessions.grants_section': 'Grants (per-client authorizations)',
+    'admin.sessions.grants_empty': 'No active grants.',
+    'admin.sessions.grant_client': 'Client: {clientId}',
+    'admin.sessions.grant_tokens': '{accessTokens} access · {refreshTokens} refresh',
+    'admin.sessions.revoke_all': 'Revoke all sessions and grants',
+    'admin.sessions.revoke_confirm': 'Revoke all sessions and grants for this account? The user will need to log in again and issued tokens will stop working.',
+    // Console admin — clients.
+    'admin.clients.page_title': 'OAuth clients',
+    'admin.clients.title': 'OAuth clients',
+    'admin.clients.empty': 'No clients configured.',
+    'admin.clients.confidential': 'Confidential',
+    'admin.clients.public': 'Public',
+    'admin.clients.grants': 'Grants: {grants}',
+    'admin.clients.redirect_uris': 'Redirects: {uris}',
+    'admin.clients.dynamic_notice': 'Dynamic client registration (RFC 7591) is on — clients registered via /reg are persisted in the adapter and appear in the dynamic section below.',
+    'admin.clients.static_section': 'Static clients (config)',
+    'admin.clients.dynamic_section': 'Dynamic clients (adapter)',
+    'admin.clients.dynamic_empty': 'No dynamic clients persisted.',
+    'admin.clients.dynamic_not_supported': 'The configured OIDC adapter does not support client enumeration — dynamic management is unavailable.',
+    'admin.clients.new': 'New client',
+    'admin.clients.new_title': 'New OIDC client',
+    'admin.clients.edit_title': 'Edit OIDC client',
+    'admin.clients.edit': 'Edit',
+    'admin.clients.delete': 'Delete',
+    'admin.clients.delete_confirm': 'Delete this client? This action cannot be undone.',
+    'admin.clients.regenerate_secret': 'Regenerate secret',
+    'admin.clients.regenerate_confirm': 'Regenerate the secret? The current secret will stop working immediately.',
+    'admin.clients.back': 'Back',
+    'admin.clients.cancel': 'Cancel',
+    'admin.clients.save': 'Save',
+    'admin.clients.create': 'Create client',
+    'admin.clients.secret_once_title': 'Save the client_secret now',
+    'admin.clients.secret_once_notice': 'This is the only time the secret is shown. Copy it now — it cannot be retrieved later.',
+    'admin.clients.field_client_id': 'Client ID',
+    'admin.clients.field_client_id_placeholder': 'leave blank to generate automatically',
+    'admin.clients.field_client_id_help': 'Optional. If empty, a random identifier will be generated.',
+    'admin.clients.field_redirect_uris': 'Redirect URIs',
+    'admin.clients.field_redirect_uris_help': 'One URI per line.',
+    'admin.clients.field_post_logout_uris': 'Post-logout redirect URIs',
+    'admin.clients.field_post_logout_uris_help': 'One URI per line (optional).',
+    'admin.clients.field_grant_types': 'Grant types',
+    'admin.clients.field_auth_method': 'Token endpoint auth method',
+    // Console admin — auditoria.
+    'admin.audit.page_title': 'Audit',
+    'admin.audit.title': 'Audit log',
+    'admin.audit.type_placeholder': 'Filter by type',
+    'admin.audit.subject_placeholder': 'Filter by subject (accountId)',
+    'admin.audit.filter': 'Filter',
+    'admin.audit.empty': 'No events found.',
+    'admin.audit.not_supported': 'The configured audit sink does not support querying.',
+    // Console admin — paginação compartilhada.
+    'admin.pagination.page': 'Page {page} of {total}',
+    'admin.pagination.prev': 'Previous',
+    'admin.pagination.next': 'Next',
+    // Device Authorization Grant (RFC 8628) — telas servidas pelo oidc-provider.
+    'device.input.title': 'Sign in to the device',
+    'device.input.intro': 'Enter the code shown on your device.',
+    'device.input.submit': 'Continue',
+    'device.input.error_invalid': 'The code you entered is incorrect. Please try again.',
+    'device.input.error_aborted': 'The login request was aborted.',
+    'device.input.error_generic': 'An error occurred while processing your request.',
+    'device.confirm.title': 'Confirm device',
+    'device.confirm.body': 'The code below should be displayed on your device. Confirm only if you recognize it.',
+    'device.confirm.submit': 'Continue',
+    'device.confirm.abort': 'Cancel',
+    'device.success.title': 'Login complete',
+    'device.success.body': 'You are signed in. You can return to your device.',
+    // Step-up auth (acr_values): cliente exige MFA mas a conta não tem MFA enrolado.
+    'mfa_challenge.required_no_enrollment': 'This client requires two-factor verification. Set up MFA in your account console to continue.',
+    // Mensagens de erro/flash produzidas pelos controllers.
+    'errors.invalid_credentials': 'Invalid credentials',
+    'errors.invalid_code': 'Invalid code',
+    'errors.email_taken': 'Email already registered',
+    'errors.signup_failed': 'Could not create the account',
+    'errors.invalid_or_expired_token': 'Invalid or expired token',
+    'errors.account_locked': 'Account temporarily locked due to too many attempts. Try again in {seconds}s.',
+    'errors.session_expired': 'Session expired',
+    'errors.challenge_expired': 'Challenge expired',
+    'errors.passkeys_unavailable': 'Passkeys unavailable',
+    'errors.no_passkey_registered': 'No passkey registered',
+    // Assuntos/corpos de e-mail transacional (default_mailer).
+    'mail.common.link_fallback': "If the button does not work, copy and paste this link into your browser:",
+    'mail.reset.subject': 'Reset your password',
+    'mail.reset.heading': 'Reset your password',
+    'mail.reset.intro': 'We received a request to reset the password for your account.',
+    'mail.reset.cta': 'Reset password',
+    'mail.reset.fallback': 'If you did not request this, you can ignore this email.',
+    'mail.reset.expires': 'This link expires in {minutes} minutes.',
+    'mail.verify.subject': 'Verify your email',
+    'mail.verify.heading': 'Verify your email',
+    'mail.verify.intro': 'Confirm your email address to finish setting up your account.',
+    'mail.verify.cta': 'Verify email',
+    'mail.verify.fallback': 'If you did not create this account, you can ignore this email.',
+    'mail.verify.expires': 'This link expires in {minutes} minutes.',
+    'mail.new_login.subject': 'New login to your account',
+    'mail.new_login.heading': 'New login detected',
+    'mail.new_login.intro': 'We detected a new login to your account.',
+    'mail.new_login.when': 'When: {date}',
+    'mail.new_login.ip': 'IP address: {ip}',
+    'mail.new_login.device': 'Device: {device}',
+    'mail.new_login.fallback': 'If this was you, no action is needed. If not, reset your password right away.',
+    'mail.email_change.subject': 'Confirm your new email',
+    'mail.email_change.heading': 'Confirm your new email',
+    'mail.email_change.intro': 'We received a request to change the email address on your account. Confirm the new address below.',
+    'mail.email_change.cta': 'Confirm new email',
+    'mail.email_change.fallback': 'If you did not request this, you can ignore this email.',
+    'mail.email_change.expires': 'This link expires in {minutes} minutes.',
+};
+/**
+ * Catálogo embutido pt-BR. Espelha TODAS as chaves do default `en`. Ativado
+ * com `i18n: { locale: 'pt-BR' }` sem nenhuma config extra de mensagens.
+ */
+export const PT_BR_MESSAGES = {
     // Comum / fallback de marca.
     'common.app_fallback': 'Auth',
     'common.brand_eyebrow': 'Auth',
@@ -75,8 +357,6 @@ export const DEFAULT_MESSAGES = {
     // Consent (autorização de cliente OIDC).
     'consent.page_title': 'Autorizar',
     'consent.title': 'Autorizar acesso',
-    // `{app}` é interpolado com o nome do app já envolto em <strong> (renderizado
-    // raw na view). O nome vem do branding (config-trusted).
     'consent.body': 'O app <strong>{app}</strong> quer acessar sua conta.',
     'consent.submit': 'Autorizar',
     // Console de conta — login (account/login).
@@ -258,20 +538,63 @@ export const DEFAULT_MESSAGES = {
     'errors.signup_failed': 'Não foi possível criar a conta',
     'errors.invalid_or_expired_token': 'Token inválido ou expirado',
     'errors.account_locked': 'Conta temporariamente bloqueada por excesso de tentativas. Tente novamente em {seconds}s.',
+    'errors.session_expired': 'Sessão expirada',
+    'errors.challenge_expired': 'Desafio expirado',
+    'errors.passkeys_unavailable': 'Passkeys indisponíveis',
+    'errors.no_passkey_registered': 'Nenhuma passkey registrada',
+    // Assuntos/corpos de e-mail transacional (default_mailer).
+    'mail.common.link_fallback': 'Se o botão não funcionar, copie e cole este link no navegador:',
+    'mail.reset.subject': 'Redefinição de senha',
+    'mail.reset.heading': 'Redefinição de senha',
+    'mail.reset.intro': 'Recebemos um pedido para redefinir a senha da sua conta.',
+    'mail.reset.cta': 'Redefinir senha',
+    'mail.reset.fallback': 'Se você não solicitou isso, pode ignorar este e-mail.',
+    'mail.reset.expires': 'Este link expira em {minutes} minutos.',
+    'mail.verify.subject': 'Verifique seu e-mail',
+    'mail.verify.heading': 'Verifique seu e-mail',
+    'mail.verify.intro': 'Confirme seu endereço de e-mail para concluir a configuração da conta.',
+    'mail.verify.cta': 'Verificar e-mail',
+    'mail.verify.fallback': 'Se você não criou esta conta, pode ignorar este e-mail.',
+    'mail.verify.expires': 'Este link expira em {minutes} minutos.',
+    'mail.new_login.subject': 'Novo login na sua conta',
+    'mail.new_login.heading': 'Novo login detectado',
+    'mail.new_login.intro': 'Detectamos um novo login na sua conta.',
+    'mail.new_login.when': 'Quando: {date}',
+    'mail.new_login.ip': 'Endereço IP: {ip}',
+    'mail.new_login.device': 'Dispositivo: {device}',
+    'mail.new_login.fallback': 'Se foi você, nenhuma ação é necessária. Caso contrário, redefina sua senha imediatamente.',
+    'mail.email_change.subject': 'Confirme seu novo e-mail',
+    'mail.email_change.heading': 'Confirme seu novo e-mail',
+    'mail.email_change.intro': 'Recebemos um pedido para trocar o e-mail da sua conta. Confirme o novo endereço abaixo.',
+    'mail.email_change.cta': 'Confirmar novo e-mail',
+    'mail.email_change.fallback': 'Se você não solicitou isso, pode ignorar este e-mail.',
+    'mail.email_change.expires': 'Este link expira em {minutes} minutos.',
+};
+/**
+ * Locales embutidos no host-kit. O `en` é o default; o `pt-BR` está disponível
+ * com `i18n: { locale: 'pt-BR' }` sem nenhuma config de mensagens extra. Os
+ * overrides/locales do host (via `I18nConfig.messages`) são mesclados por cima.
+ */
+export const BUILTIN_MESSAGES = {
+    en: DEFAULT_MESSAGES,
+    'pt-BR': PT_BR_MESSAGES,
 };
 /**
- * Resolve o catálogo ativo: mescla os overrides do locale selecionado SOBRE o
- * default pt-BR. Sem config, retorna os defaults intactos. Chaves omitidas pelo
- * locale escolhido caem no default pt-BR (fallback de cobertura).
+ * Resolve o catálogo ativo. Começa do catálogo embutido do locale selecionado
+ * (ou do default `en` quando o locale não é embutido), depois mescla os
+ * overrides do host por cima. Sem config, retorna o default `en` intacto.
+ * Chaves omitidas caem no default `en` (fallback de cobertura).
  */
 export function resolveMessages(i18n) {
-    const base = { ...DEFAULT_MESSAGES };
     const locale = i18n?.locale ?? DEFAULT_LOCALE;
+    // Base: sempre o default `en` para garantir cobertura total das chaves; o
+    // catálogo embutido do locale (ex.: pt-BR) é mesclado por cima.
+    const base = { ...DEFAULT_MESSAGES, ...(BUILTIN_MESSAGES[locale] ?? {}) };
     const overrides = i18n?.messages?.[locale];
     if (!overrides)
         return base;
     // Mescla só valores definidos (o `Partial` permite undefined); chaves omitidas
-    // seguem caindo no default pt-BR.
+    // seguem caindo no catálogo base.
     for (const [key, value] of Object.entries(overrides)) {
         if (value !== undefined)
             base[key] = value;

package/build/src/observability/metrics_controller.js

@@ -5,11 +5,11 @@ function renderDashboardHtml(snapshot) {
     const histograms = Object.entries(snapshot.histograms)
         .map(([k, h]) => `<tr><td>${k}</td><td>${h.count}</td><td>${h.sum}</td><td>${h.min}</td><td>${h.max}</td></tr>`)
         .join('');
-    return `<!doctype html><html lang="pt-br"><head><meta charset="utf-8"><meta http-equiv="refresh" content="5"><title>AuthKit — Métricas</title>
+    return `<!doctype html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="refresh" content="5"><title>AuthKit — Metrics</title>
 <style>body{font-family:system-ui,sans-serif;margin:2rem;color:#111}h1{font-size:1.2rem}table{border-collapse:collapse;margin:1rem 0;width:100%}th,td{border:1px solid #ddd;padding:.4rem .6rem;text-align:left;font-size:.9rem}th{background:#f5f5f5}</style>
-</head><body><h1>AuthKit — Métricas</h1><p>Atualizado: ${snapshot.updatedAt ? new Date(snapshot.updatedAt).toISOString() : '—'}</p>
-<h2>Counters</h2><table><thead><tr><th>Métrica</th><th>Total</th></tr></thead><tbody>${counters || '<tr><td colspan="2">—</td></tr>'}</tbody></table>
-<h2>Histograms</h2><table><thead><tr><th>Métrica</th><th>Count</th><th>Sum</th><th>Min</th><th>Max</th></tr></thead><tbody>${histograms || '<tr><td colspan="5">—</td></tr>'}</tbody></table>
+</head><body><h1>AuthKit — Metrics</h1><p>Updated: ${snapshot.updatedAt ? new Date(snapshot.updatedAt).toISOString() : '—'}</p>
+<h2>Counters</h2><table><thead><tr><th>Metric</th><th>Total</th></tr></thead><tbody>${counters || '<tr><td colspan="2">—</td></tr>'}</tbody></table>
+<h2>Histograms</h2><table><thead><tr><th>Metric</th><th>Count</th><th>Sum</th><th>Min</th><th>Max</th></tr></thead><tbody>${histograms || '<tr><td colspan="5">—</td></tr>'}</tbody></table>
 </body></html>`;
 }
 export default class MetricsController {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dudousxd/adonis-authkit-server",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "description": "AdonisJS OIDC/OAuth2 provider (Identity Provider) toolkit: ejectable auth server with sessions, rate-limiting, MFA/TOTP, audit log, federated logout and OpenTelemetry metrics.",
   "license": "MIT",
   "author": "dudousxd",