@open-mercato/core 0.4.2-canary-da2b080494 → 0.4.2-canary-19353c5970

package/src/modules/auth/backend/users/create/page.tsx

@@ -11,6 +11,7 @@ import { TenantSelect } from '@open-mercato/core/modules/directory/components/Te
 import { fetchRoleOptions } from '@open-mercato/core/modules/auth/backend/users/roleOptions'
 import { Spinner } from '@open-mercato/ui/primitives/spinner'
 import { useT } from '@open-mercato/shared/lib/i18n/context'
+import { formatPasswordRequirements, getPasswordPolicy } from '@open-mercato/shared/lib/auth/passwordPolicy'
 
 type CreateUserFormValues = {
   email: string
@@ -84,6 +85,16 @@ export default function CreateUserPage() {
   const [selectedWidgets, setSelectedWidgets] = React.useState<string[]>([])
   const [selectedTenantId, setSelectedTenantId] = React.useState<string | null>(null)
   const [actorIsSuperAdmin, setActorIsSuperAdmin] = React.useState(false)
+  const passwordPolicy = React.useMemo(() => getPasswordPolicy(), [])
+  const passwordRequirements = React.useMemo(
+    () => formatPasswordRequirements(passwordPolicy, t),
+    [passwordPolicy, t],
+  )
+  const passwordDescription = React.useMemo(() => (
+    passwordRequirements
+      ? t('auth.password.requirements.help', 'Password requirements: {requirements}', { requirements: passwordRequirements })
+      : undefined
+  ), [passwordRequirements, t])
 
   React.useEffect(() => {
     let cancelled = false
@@ -156,7 +167,13 @@ export default function CreateUserPage() {
   const fields: CrudField[] = React.useMemo(() => {
     const items: CrudField[] = [
       { id: 'email', label: t('auth.users.form.field.email', 'Email'), type: 'text', required: true },
-      { id: 'password', label: t('auth.users.form.field.password', 'Password'), type: 'text', required: true },
+      {
+        id: 'password',
+        label: t('auth.users.form.field.password', 'Password'),
+        type: 'text',
+        required: true,
+        description: passwordDescription,
+      },
     ]
     if (actorIsSuperAdmin) {
       items.push({
@@ -203,7 +220,7 @@ export default function CreateUserPage() {
     })
     items.push({ id: 'roles', label: t('auth.users.form.field.roles', 'Roles'), type: 'tags', loadOptions: loadRoleOptions })
     return items
-  }, [actorIsSuperAdmin, loadRoleOptions, selectedTenantId, t])
+  }, [actorIsSuperAdmin, loadRoleOptions, passwordDescription, selectedTenantId, t])
 
   const detailFieldIds = React.useMemo(() => {
     const base: string[] = ['email', 'password', 'organizationId', 'roles']

package/src/modules/auth/backend/users/page.tsx

@@ -383,9 +383,9 @@ export default function UsersListPage() {
           perspective={{ tableId: 'auth.users.list' }}
           rowActions={(row) => (
             <RowActions items={[
-              { label: t('common.edit', 'Edit'), href: `/backend/users/${row.id}/edit` },
-              { label: t('auth.users.list.actions.showRoles', 'Show roles'), href: `/backend/roles?userId=${encodeURIComponent(row.id)}` },
-              { label: t('common.delete', 'Delete'), destructive: true, onSelect: () => { void handleDelete(row) } },
+              { id: 'edit', label: t('common.edit', 'Edit'), href: `/backend/users/${row.id}/edit` },
+              { id: 'show-roles', label: t('auth.users.list.actions.showRoles', 'Show roles'), href: `/backend/roles?userId=${encodeURIComponent(row.id)}` },
+              { id: 'delete', label: t('common.delete', 'Delete'), destructive: true, onSelect: () => { void handleDelete(row) } },
             ]} />
           )}
           pagination={{ page, pageSize: 50, total, totalPages, onPageChange: setPage }}

package/src/modules/auth/cli.ts

@@ -16,6 +16,8 @@ import { decryptWithAesGcm } from '@open-mercato/shared/lib/encryption/aes'
 import { env } from 'process'
 import type { KmsService, TenantDek } from '@open-mercato/shared/lib/encryption/kms'
 import crypto from 'node:crypto'
+import { formatPasswordRequirements, getPasswordPolicy, validatePassword } from '@open-mercato/shared/lib/auth/passwordPolicy'
+import { parseBooleanToken } from '@open-mercato/shared/lib/boolean'
 
 const addUser: ModuleCli = {
   command: 'add-user',
@@ -34,6 +36,7 @@ const addUser: ModuleCli = {
       console.error('Usage: mercato auth add-user --email <email> --password <password> --organizationId <id> [--roles customer,employee]')
       return
     }
+    if (!ensurePasswordPolicy(password)) return
     const { resolve } = await createRequestContainer()
     const em = resolve('em') as any
     const org =
@@ -102,6 +105,16 @@ function hashSecret(value: string | null | undefined): string | null {
   return crypto.createHash('sha256').update(normalizeKeyInput(value)).digest('hex').slice(0, 12)
 }
 
+function ensurePasswordPolicy(password: string): boolean {
+  const policy = getPasswordPolicy()
+  const result = validatePassword(password, policy)
+  if (result.ok) return true
+  const requirements = formatPasswordRequirements(policy, (_key, fallback) => fallback)
+  const suffix = requirements ? `: ${requirements}` : ''
+  console.error(`Password does not meet the requirements${suffix}.`)
+  return false
+}
+
 async function withEncryptionDebugDisabled<T>(fn: () => Promise<T>): Promise<T> {
   const previous = process.env.TENANT_DATA_ENCRYPTION_DEBUG
   process.env.TENANT_DATA_ENCRYPTION_DEBUG = 'no'
@@ -392,20 +405,33 @@ const addOrganization: ModuleCli = {
 const setupApp: ModuleCli = {
   command: 'setup',
   async run(rest) {
-    const args: Record<string, string> = {}
-    for (let i = 0; i < rest.length; i += 2) {
-      const k = rest[i]?.replace(/^--/, '')
-      const v = rest[i + 1]
-      if (k) args[k] = v
-    }
-    const orgName = args.orgName || args.name
-    const email = args.email
-    const password = args.password
-    const rolesCsv = (args.roles ?? 'superadmin,admin,employee').trim()
+    const args = parseArgs(rest)
+    const orgName = typeof args.orgName === 'string'
+      ? args.orgName
+      : typeof args.name === 'string'
+        ? args.name
+        : undefined
+    const email = typeof args.email === 'string' ? args.email : undefined
+    const password = typeof args.password === 'string' ? args.password : undefined
+    const rolesCsv = typeof args.roles === 'string'
+      ? args.roles.trim()
+      : 'superadmin,admin,employee'
+    const skipPasswordPolicyRaw =
+      args['skip-password-policy'] ??
+      args.skipPasswordPolicy ??
+      args['allow-weak-password'] ??
+      args.allowWeakPassword
+    const skipPasswordPolicy = typeof skipPasswordPolicyRaw === 'boolean'
+      ? skipPasswordPolicyRaw
+      : parseBooleanToken(typeof skipPasswordPolicyRaw === 'string' ? skipPasswordPolicyRaw : null) ?? false
     if (!orgName || !email || !password) {
-      console.error('Usage: mercato auth setup --orgName <name> --email <email> --password <password> [--roles superadmin,admin,employee]')
+      console.error('Usage: mercato auth setup --orgName <name> --email <email> --password <password> [--roles superadmin,admin,employee] [--skip-password-policy]')
       return
     }
+    if (!skipPasswordPolicy && !ensurePasswordPolicy(password)) return
+    if (skipPasswordPolicy) {
+      console.warn('⚠️  Password policy validation skipped for setup.')
+    }
     const { resolve } = await createRequestContainer()
     const em = resolve<EntityManager>('em')
     const roleNames = rolesCsv
@@ -595,6 +621,7 @@ const setPassword: ModuleCli = {
       console.error('Usage: mercato auth set-password --email <email> --password <newPassword>')
       return
     }
+    if (!ensurePasswordPolicy(password)) return
     
     const { resolve } = await createRequestContainer()
     const em = resolve('em') as any

package/src/modules/auth/commands/users.ts

@@ -27,6 +27,10 @@ import {
 import { normalizeTenantId } from '@open-mercato/core/modules/auth/lib/tenantAccess'
 import { computeEmailHash } from '@open-mercato/core/modules/auth/lib/emailHash'
 import { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { buildNotificationFromType } from '@open-mercato/core/modules/notifications/lib/notificationBuilder'
+import { resolveNotificationService } from '@open-mercato/core/modules/notifications/lib/notificationService'
+import notificationTypes from '@open-mercato/core/modules/auth/notifications'
+import { buildPasswordSchema } from '@open-mercato/shared/lib/auth/passwordPolicy'
 
 type SerializedUser = {
   email: string
@@ -63,9 +67,11 @@ type UserSnapshots = {
   undo: UserUndoSnapshot
 }
 
+const passwordSchema = buildPasswordSchema()
+
 const createSchema = z.object({
   email: z.string().email(),
-  password: z.string().min(6),
+  password: passwordSchema,
   organizationId: z.string().uuid(),
   roles: z.array(z.string()).optional(),
 })
@@ -73,7 +79,7 @@ const createSchema = z.object({
 const updateSchema = z.object({
   id: z.string().uuid(),
   email: z.string().email().optional(),
-  password: z.string().min(6).optional(),
+  password: passwordSchema.optional(),
   organizationId: z.string().uuid().optional(),
   roles: z.array(z.string()).optional(),
 })
@@ -105,6 +111,46 @@ export const userCrudIndexer: CrudIndexerConfig = {
   }),
 }
 
+async function notifyRoleChanges(
+  ctx: CommandRuntimeContext,
+  user: User,
+  assignedRoles: string[],
+  revokedRoles: string[],
+): Promise<void> {
+  const tenantId = user.tenantId ? String(user.tenantId) : null
+  if (!tenantId) return
+  const organizationId = user.organizationId ? String(user.organizationId) : null
+
+  try {
+    const notificationService = resolveNotificationService(ctx.container)
+    if (assignedRoles.length) {
+      const assignedType = notificationTypes.find((type) => type.type === 'auth.role.assigned')
+      if (assignedType) {
+        const notificationInput = buildNotificationFromType(assignedType, {
+          recipientUserId: String(user.id),
+          sourceEntityType: 'auth:user',
+          sourceEntityId: String(user.id),
+        })
+        await notificationService.create(notificationInput, { tenantId, organizationId })
+      }
+    }
+
+    if (revokedRoles.length) {
+      const revokedType = notificationTypes.find((type) => type.type === 'auth.role.revoked')
+      if (revokedType) {
+        const notificationInput = buildNotificationFromType(revokedType, {
+          recipientUserId: String(user.id),
+          sourceEntityType: 'auth:user',
+          sourceEntityId: String(user.id),
+        })
+        await notificationService.create(notificationInput, { tenantId, organizationId })
+      }
+    }
+  } catch (err) {
+    console.error('[auth.users.roles] Failed to create notification:', err)
+  }
+}
+
 const createUserCommand: CommandHandler<Record<string, unknown>, User> = {
   id: 'auth.users.create',
   async execute(rawInput, ctx) {
@@ -147,8 +193,10 @@ const createUserCommand: CommandHandler<Record<string, unknown>, User> = {
       throw error
     }
 
+    let assignedRoles: string[] = []
     if (Array.isArray(parsed.roles) && parsed.roles.length) {
       await syncUserRoles(em, user, parsed.roles, tenantId)
+      assignedRoles = await loadUserRoleNames(em, String(user.id))
     }
 
     await setCustomFieldsIfAny({
@@ -173,6 +221,10 @@ const createUserCommand: CommandHandler<Record<string, unknown>, User> = {
       indexer: userCrudIndexer,
     })
 
+    if (assignedRoles.length) {
+      await notifyRoleChanges(ctx, user, assignedRoles, [])
+    }
+
     return user
   },
   captureAfter: async (_input, result, ctx) => {
@@ -288,6 +340,9 @@ const updateUserCommand: CommandHandler<Record<string, unknown>, User> = {
   async execute(rawInput, ctx) {
     const { parsed, custom } = parseWithCustomFields(updateSchema, rawInput)
     const em = (ctx.container.resolve('em') as EntityManager)
+    const rolesBefore = Array.isArray(parsed.roles)
+      ? await loadUserRoleNames(em, parsed.id)
+      : null
 
     if (parsed.email !== undefined) {
       const emailHash = computeEmailHash(parsed.email)
@@ -377,6 +432,14 @@ const updateUserCommand: CommandHandler<Record<string, unknown>, User> = {
       indexer: userCrudIndexer,
     })
 
+    if (Array.isArray(parsed.roles) && rolesBefore) {
+      const rolesAfter = await loadUserRoleNames(em, String(user.id))
+      const { assigned, revoked } = diffRoleChanges(rolesBefore, rolesAfter)
+      if (assigned.length || revoked.length) {
+        await notifyRoleChanges(ctx, user, assigned, revoked)
+      }
+    }
+
     await invalidateUserCache(ctx, parsed.id)
 
     return user
@@ -772,6 +835,14 @@ async function invalidateUserCache(ctx: CommandRuntimeContext, userId: string) {
   }
 }
 
+function diffRoleChanges(before: string[], after: string[]) {
+  const beforeSet = new Set(before)
+  const afterSet = new Set(after)
+  const assigned = after.filter((role) => !beforeSet.has(role))
+  const revoked = before.filter((role) => !afterSet.has(role))
+  return { assigned, revoked }
+}
+
 function arrayEquals(left: string[] | undefined, right: string[]): boolean {
   if (!left) return false
   if (left.length !== right.length) return false

package/src/modules/auth/data/validators.ts

@@ -1,4 +1,7 @@
 import { z } from 'zod'
+import { buildPasswordSchema } from '@open-mercato/shared/lib/auth/passwordPolicy'
+
+const passwordSchema = buildPasswordSchema()
 
 // Core auth validators
 export const userLoginSchema = z.object({
@@ -13,7 +16,7 @@ export const requestPasswordResetSchema = z.object({
 
 export const confirmPasswordResetSchema = z.object({
   token: z.string().min(10),
-  password: z.string().min(6),
+  password: passwordSchema,
 })
 
 export const sidebarPreferencesInputSchema = z.object({
@@ -29,7 +32,7 @@ export const sidebarPreferencesInputSchema = z.object({
 // Optional helpers for CLI or admin forms
 export const userCreateSchema = z.object({
   email: z.string().email(),
-  password: z.string().min(6),
+  password: passwordSchema,
   tenantId: z.string().uuid().optional(),
   organizationId: z.string().uuid(),
   rolesCsv: z.string().optional(),

package/src/modules/auth/frontend/reset/[token]/page.tsx

@@ -4,11 +4,20 @@ import { Input } from '@open-mercato/ui/primitives/input'
 import { Label } from '@open-mercato/ui/primitives/label'
 import { useState } from 'react'
 import { useRouter } from 'next/navigation'
+import { apiCall } from '@open-mercato/ui/backend/utils/apiCall'
+import { useT } from '@open-mercato/shared/lib/i18n/context'
+import { formatPasswordRequirements, getPasswordPolicy } from '@open-mercato/shared/lib/auth/passwordPolicy'
 
 export default function ResetWithTokenPage({ params }: { params: { token: string } }) {
   const router = useRouter()
+  const t = useT()
   const [error, setError] = useState<string | null>(null)
   const [submitting, setSubmitting] = useState(false)
+  const passwordPolicy = getPasswordPolicy()
+  const passwordRequirements = formatPasswordRequirements(passwordPolicy, t)
+  const passwordDescription = passwordRequirements
+    ? t('auth.password.requirements.help', 'Password requirements: {requirements}', { requirements: passwordRequirements })
+    : ''
 
   async function onSubmit(e: React.FormEvent<HTMLFormElement>) {
     e.preventDefault()
@@ -17,13 +26,15 @@ export default function ResetWithTokenPage({ params }: { params: { token: string
     try {
       const form = new FormData(e.currentTarget)
       form.set('token', params.token)
-      const res = await fetch('/api/auth/reset/confirm', { method: 'POST', body: form })
-      const data = await res.json().catch(() => null)
-      if (!res.ok) {
-        setError(data?.error || 'Unable to reset password')
+      const { ok, result } = await apiCall<{ ok?: boolean; error?: string; redirect?: string }>(
+        '/api/auth/reset/confirm',
+        { method: 'POST', body: form },
+      )
+      if (!ok || result?.ok === false) {
+        setError(result?.error || t('auth.reset.errors.failed', 'Unable to reset password'))
         return
       }
-      router.replace(data?.redirect || '/login')
+      router.replace(result?.redirect || '/login')
     } finally {
       setSubmitting(false)
     }
@@ -33,18 +44,21 @@ export default function ResetWithTokenPage({ params }: { params: { token: string
     <div className="min-h-svh flex items-center justify-center p-4">
       <Card className="w-full max-w-sm">
         <CardHeader>
-          <CardTitle>Set a new password</CardTitle>
-          <CardDescription>Choose a strong password for your account.</CardDescription>
+          <CardTitle>{t('auth.reset.title', 'Set a new password')}</CardTitle>
+          <CardDescription>{t('auth.reset.subtitle', 'Choose a strong password for your account.')}</CardDescription>
         </CardHeader>
         <CardContent>
           <form className="grid gap-3" onSubmit={onSubmit}>
             {error && <div className="text-sm text-red-600">{error}</div>}
             <div className="grid gap-1">
-              <Label htmlFor="password">New password</Label>
-              <Input id="password" name="password" type="password" required minLength={6} />
+              <Label htmlFor="password">{t('auth.reset.form.password', 'New password')}</Label>
+              <Input id="password" name="password" type="password" required minLength={passwordPolicy.minLength} />
+              {passwordDescription ? (
+                <p className="text-xs text-muted-foreground">{passwordDescription}</p>
+              ) : null}
             </div>
             <button disabled={submitting} className="h-10 rounded-md bg-foreground text-background mt-2 hover:opacity-90 transition disabled:opacity-60">
-              {submitting ? '...' : 'Update password'}
+              {submitting ? t('auth.reset.form.loading', '...') : t('auth.reset.form.submit', 'Update password')}
             </button>
           </form>
         </CardContent>
@@ -52,4 +66,3 @@ export default function ResetWithTokenPage({ params }: { params: { token: string
     </div>
   )
 }
-

package/src/modules/auth/i18n/de.json

@@ -2,8 +2,20 @@
   "auth.signIn": "Anmelden",
   "auth.email": "E-Mail",
   "auth.password": "Passwort",
+  "auth.password.requirements.help": "Passwortanforderungen: {requirements}",
+  "auth.password.requirements.minLength": "Mindestens {min} Zeichen",
+  "auth.password.requirements.digit": "Eine Zahl",
+  "auth.password.requirements.uppercase": "Ein Großbuchstabe",
+  "auth.password.requirements.special": "Ein Sonderzeichen",
+  "auth.password.requirements.separator": ", ",
   "auth.sendResetLink": "Link zum Zurücksetzen senden",
   "auth.resetPassword": "Passwort zurücksetzen",
+  "auth.reset.title": "Neues Passwort festlegen",
+  "auth.reset.subtitle": "Wähle ein sicheres Passwort für dein Konto.",
+  "auth.reset.form.password": "Neues Passwort",
+  "auth.reset.form.loading": "...",
+  "auth.reset.form.submit": "Passwort aktualisieren",
+  "auth.reset.errors.failed": "Passwort konnte nicht zurückgesetzt werden",
   "auth.usersRoles": "Benutzer und Rollen",
   "auth.manageAuthSettings": "Verwalte die Authentifizierungseinstellungen.",
   "auth.login.errors.permissionDenied": "Du hast keine Berechtigung, auf diesen Bereich zuzugreifen. Bitte wende dich an deine Administration.",
@@ -80,6 +92,21 @@
   "auth.users.form.errors.load": "Benutzerdaten konnten nicht geladen werden",
   "auth.users.form.errors.aclUpdate": "Aktualisierung der Benutzerberechtigungen fehlgeschlagen",
   "auth.users.form.errors.delete": "Benutzer konnte nicht gelöscht werden",
+  "auth.profile.title": "Profil",
+  "auth.profile.subtitle": "Passwort ändern",
+  "auth.profile.form.email": "E-Mail",
+  "auth.profile.form.password": "Neues Passwort",
+  "auth.profile.form.confirmPassword": "Neues Passwort bestätigen",
+  "auth.profile.form.save": "Änderungen speichern",
+  "auth.profile.form.loading": "Profil wird geladen...",
+  "auth.profile.form.errors.load": "Profil konnte nicht geladen werden.",
+  "auth.profile.form.errors.save": "Profil konnte nicht aktualisiert werden.",
+  "auth.profile.form.errors.invalid": "Ungültige Profilaktualisierung.",
+  "auth.profile.form.errors.passwordMismatch": "Die Passwörter stimmen nicht überein.",
+  "auth.profile.form.errors.passwordRequirements": "Das Passwort muss die Anforderungen erfüllen.",
+  "auth.profile.form.errors.noChanges": "Keine Änderungen zu speichern.",
+  "auth.profile.form.errors.emailRequired": "E-Mail ist erforderlich.",
+  "auth.profile.form.success": "Profil aktualisiert.",
   "auth.users.list.error.load": "Benutzer konnten nicht geladen werden",
   "auth.users.list.error.delete": "Benutzer konnte nicht gelöscht werden",
   "auth.users.flash.created": "Benutzer erstellt",
@@ -95,5 +122,20 @@
   "auth.email.resetPassword.title": "Passwort zurücksetzen",
   "auth.email.resetPassword.body": "Klicken Sie auf den Link unten, um ein neues Passwort festzulegen. Dieser Link läuft in 60 Minuten ab.",
   "auth.email.resetPassword.cta": "Neues Passwort festlegen",
-  "auth.email.resetPassword.hint": "Wenn Sie dies nicht angefordert haben, können Sie diese E-Mail ignorieren."
+  "auth.email.resetPassword.hint": "Wenn Sie dies nicht angefordert haben, können Sie diese E-Mail ignorieren.",
+  "auth.notifications.passwordReset.requested.title": "Passwort-Zurücksetzung angefordert",
+  "auth.notifications.passwordReset.requested.body": "Ein Link zum Zurücksetzen des Passworts wurde an Ihre E-Mail gesendet",
+  "auth.notifications.passwordReset.completed.title": "Passwort erfolgreich geändert",
+  "auth.notifications.passwordReset.completed.body": "Ihr Passwort wurde erfolgreich aktualisiert",
+  "auth.notifications.account.locked.title": "Konto gesperrt",
+  "auth.notifications.account.locked.body": "Ihr Konto wurde aus Sicherheitsgründen gesperrt. Bitte wenden Sie sich an den Support.",
+  "auth.notifications.login.newDevice.title": "Neues Gerät erkannt",
+  "auth.notifications.login.newDevice.body": "Es wurde eine Anmeldung von einem unbekannten Gerät für Ihr Konto erkannt",
+  "auth.notifications.role.assigned.title": "Neue Rolle zugewiesen",
+  "auth.notifications.role.assigned.body": "Ihnen wurde eine neue Rolle mit zusätzlichen Berechtigungen zugewiesen",
+  "auth.notifications.role.revoked.title": "Rolle entfernt",
+  "auth.notifications.role.revoked.body": "Eine Rolle wurde von Ihrem Konto entfernt",
+  "auth.actions.contactSupport": "Support kontaktieren",
+  "auth.actions.viewSessions": "Sitzungen anzeigen",
+  "auth.actions.viewPermissions": "Berechtigungen anzeigen"
 }

package/src/modules/auth/i18n/en.json

@@ -2,8 +2,20 @@
   "auth.signIn": "Sign in",
   "auth.email": "Email",
   "auth.password": "Password",
+  "auth.password.requirements.help": "Password requirements: {requirements}",
+  "auth.password.requirements.minLength": "At least {min} characters",
+  "auth.password.requirements.digit": "One number",
+  "auth.password.requirements.uppercase": "One uppercase letter",
+  "auth.password.requirements.special": "One special character",
+  "auth.password.requirements.separator": ", ",
   "auth.sendResetLink": "Send reset link",
   "auth.resetPassword": "Reset password",
+  "auth.reset.title": "Set a new password",
+  "auth.reset.subtitle": "Choose a strong password for your account.",
+  "auth.reset.form.password": "New password",
+  "auth.reset.form.loading": "...",
+  "auth.reset.form.submit": "Update password",
+  "auth.reset.errors.failed": "Unable to reset password",
   "auth.usersRoles": "Users & Roles",
   "auth.manageAuthSettings": "Manage authentication settings.",
   "auth.login.errors.permissionDenied": "You do not have permission to access this area. Please contact your administrator.",
@@ -80,6 +92,21 @@
   "auth.users.form.errors.load": "Failed to load user data",
   "auth.users.form.errors.aclUpdate": "Failed to update user access control",
   "auth.users.form.errors.delete": "Failed to delete user",
+  "auth.profile.title": "Profile",
+  "auth.profile.subtitle": "Change password",
+  "auth.profile.form.email": "Email",
+  "auth.profile.form.password": "New password",
+  "auth.profile.form.confirmPassword": "Confirm new password",
+  "auth.profile.form.save": "Save changes",
+  "auth.profile.form.loading": "Loading profile...",
+  "auth.profile.form.errors.load": "Failed to load profile.",
+  "auth.profile.form.errors.save": "Failed to update profile.",
+  "auth.profile.form.errors.invalid": "Invalid profile update.",
+  "auth.profile.form.errors.passwordMismatch": "Passwords do not match.",
+  "auth.profile.form.errors.passwordRequirements": "Password must meet the requirements.",
+  "auth.profile.form.errors.noChanges": "No changes to save.",
+  "auth.profile.form.errors.emailRequired": "Email is required.",
+  "auth.profile.form.success": "Profile updated.",
   "auth.users.list.error.load": "Failed to load users",
   "auth.users.list.error.delete": "Failed to delete user",
   "auth.users.flash.created": "User created",
@@ -95,5 +122,20 @@
   "auth.email.resetPassword.title": "Reset your password",
   "auth.email.resetPassword.body": "Click the link below to set a new password. This link will expire in 60 minutes.",
   "auth.email.resetPassword.cta": "Set a new password",
-  "auth.email.resetPassword.hint": "If you didn't request this, you can safely ignore this email."
+  "auth.email.resetPassword.hint": "If you didn't request this, you can safely ignore this email.",
+  "auth.notifications.passwordReset.requested.title": "Password reset requested",
+  "auth.notifications.passwordReset.requested.body": "A password reset link has been sent to your email",
+  "auth.notifications.passwordReset.completed.title": "Password successfully changed",
+  "auth.notifications.passwordReset.completed.body": "Your password has been updated successfully",
+  "auth.notifications.account.locked.title": "Account locked",
+  "auth.notifications.account.locked.body": "Your account has been locked due to security reasons. Please contact support.",
+  "auth.notifications.login.newDevice.title": "New device login detected",
+  "auth.notifications.login.newDevice.body": "A new login from an unrecognized device was detected on your account",
+  "auth.notifications.role.assigned.title": "New role assigned",
+  "auth.notifications.role.assigned.body": "You have been assigned a new role with additional permissions",
+  "auth.notifications.role.revoked.title": "Role removed",
+  "auth.notifications.role.revoked.body": "A role has been removed from your account",
+  "auth.actions.contactSupport": "Contact Support",
+  "auth.actions.viewSessions": "View Sessions",
+  "auth.actions.viewPermissions": "View Permissions"
 }

package/src/modules/auth/i18n/es.json

@@ -2,8 +2,20 @@
   "auth.signIn": "Iniciar sesión",
   "auth.email": "Correo electrónico",
   "auth.password": "Contraseña",
+  "auth.password.requirements.help": "Requisitos de la contraseña: {requirements}",
+  "auth.password.requirements.minLength": "Al menos {min} caracteres",
+  "auth.password.requirements.digit": "Un número",
+  "auth.password.requirements.uppercase": "Una letra mayúscula",
+  "auth.password.requirements.special": "Un carácter especial",
+  "auth.password.requirements.separator": ", ",
   "auth.sendResetLink": "Enviar enlace de restablecimiento",
   "auth.resetPassword": "Restablecer contraseña",
+  "auth.reset.title": "Establecer una nueva contraseña",
+  "auth.reset.subtitle": "Elige una contraseña segura para tu cuenta.",
+  "auth.reset.form.password": "Nueva contraseña",
+  "auth.reset.form.loading": "...",
+  "auth.reset.form.submit": "Actualizar contraseña",
+  "auth.reset.errors.failed": "No se pudo restablecer la contraseña",
   "auth.usersRoles": "Usuarios y roles",
   "auth.manageAuthSettings": "Administra la configuración de autenticación.",
   "auth.login.errors.permissionDenied": "No tienes permiso para acceder a esta área. Ponte en contacto con tu administrador.",
@@ -80,6 +92,21 @@
   "auth.users.form.errors.load": "No se pudieron cargar los datos del usuario",
   "auth.users.form.errors.aclUpdate": "No se pudo actualizar el control de acceso del usuario",
   "auth.users.form.errors.delete": "No se pudo eliminar el usuario",
+  "auth.profile.title": "Perfil",
+  "auth.profile.subtitle": "Cambiar contraseña",
+  "auth.profile.form.email": "Correo electrónico",
+  "auth.profile.form.password": "Nueva contraseña",
+  "auth.profile.form.confirmPassword": "Confirmar nueva contraseña",
+  "auth.profile.form.save": "Guardar cambios",
+  "auth.profile.form.loading": "Cargando perfil...",
+  "auth.profile.form.errors.load": "No se pudo cargar el perfil.",
+  "auth.profile.form.errors.save": "No se pudo actualizar el perfil.",
+  "auth.profile.form.errors.invalid": "Actualización de perfil inválida.",
+  "auth.profile.form.errors.passwordMismatch": "Las contraseñas no coinciden.",
+  "auth.profile.form.errors.passwordRequirements": "La contraseña debe cumplir los requisitos.",
+  "auth.profile.form.errors.noChanges": "No hay cambios para guardar.",
+  "auth.profile.form.errors.emailRequired": "El correo electrónico es obligatorio.",
+  "auth.profile.form.success": "Perfil actualizado.",
   "auth.users.list.error.load": "No se pudieron cargar los usuarios",
   "auth.users.list.error.delete": "No se pudo eliminar el usuario",
   "auth.users.flash.created": "Usuario creado",
@@ -95,5 +122,20 @@
   "auth.email.resetPassword.title": "Restablecer tu contraseña",
   "auth.email.resetPassword.body": "Haz clic en el siguiente enlace para establecer una nueva contraseña. Este enlace caducará en 60 minutos.",
   "auth.email.resetPassword.cta": "Establecer nueva contraseña",
-  "auth.email.resetPassword.hint": "Si no solicitaste esto, puedes ignorar este correo de forma segura."
+  "auth.email.resetPassword.hint": "Si no solicitaste esto, puedes ignorar este correo de forma segura.",
+  "auth.notifications.passwordReset.requested.title": "Solicitud de restablecimiento de contraseña",
+  "auth.notifications.passwordReset.requested.body": "Se ha enviado un enlace de restablecimiento de contraseña a tu correo electrónico",
+  "auth.notifications.passwordReset.completed.title": "Contraseña cambiada correctamente",
+  "auth.notifications.passwordReset.completed.body": "Tu contraseña se actualizó correctamente",
+  "auth.notifications.account.locked.title": "Cuenta bloqueada",
+  "auth.notifications.account.locked.body": "Tu cuenta ha sido bloqueada por razones de seguridad. Ponte en contacto con soporte.",
+  "auth.notifications.login.newDevice.title": "Nuevo inicio de sesión detectado",
+  "auth.notifications.login.newDevice.body": "Se detectó un inicio de sesión desde un dispositivo no reconocido en tu cuenta",
+  "auth.notifications.role.assigned.title": "Nuevo rol asignado",
+  "auth.notifications.role.assigned.body": "Se te ha asignado un nuevo rol con permisos adicionales",
+  "auth.notifications.role.revoked.title": "Rol eliminado",
+  "auth.notifications.role.revoked.body": "Se ha eliminado un rol de tu cuenta",
+  "auth.actions.contactSupport": "Contactar soporte",
+  "auth.actions.viewSessions": "Ver sesiones",
+  "auth.actions.viewPermissions": "Ver permisos"
 }