Next.js Supabase V3 (#463)

Version 3 of the kit:
- Radix UI replaced with Base UI (using the Shadcn UI patterns)
- next-intl replaces react-i18next
- enhanceAction deprecated; usage moved to next-safe-action
- main layout now wrapped with [locale] path segment
- Teams only mode
- Layout updates
- Zod v4
- Next.js 16.2
- Typescript 6
- All other dependencies updated
- Removed deprecated Edge CSRF
- Dynamic Github Action runner

apps/web/app/[locale]/admin/AGENTS.md

@@ -0,0 +1,56 @@
+# Super Admin
+
+## Critical Security Rules
+
+- **ALWAYS** use `AdminGuard` to protect pages
+- **ALWAYS** validate admin status before operations
+- **NEVER** bypass authentication or authorization
+- **ALWAYS** audit admin operations with logging
+- **ALWAYS** use `adminAction` to wrap admin actions @packages/features/admin/src/lib/server/utils/admin-action.ts
+
+## Page Structure
+
+```typescript
+import { AdminGuard } from '@kit/admin/components/admin-guard';
+import { PageBody, PageHeader } from '@kit/ui/page';
+
+async function AdminPage() {
+  return (
+    <>
+      <PageHeader title="Admin" />
+      <PageBody>{/* Content */}</PageBody>
+    </>
+  );
+}
+
+export default AdminGuard(AdminPage);
+```
+
+## Admin Client Usage
+
+```typescript
+import { isSuperAdmin } from '@kit/admin';
+import { getSupabaseServerAdminClient } from '@kit/supabase/server-admin-client';
+
+async function adminOperation() {
+  // CRITICAL: Validate first - admin client bypasses RLS
+  if (!(await isSuperAdmin(currentUser))) {
+    throw new Error('Unauthorized');
+  }
+
+  const adminClient = getSupabaseServerAdminClient();
+  // Safe to proceed
+}
+```
+
+## Audit Logging
+
+```typescript
+const logger = await getLogger();
+logger.info({
+  name: 'admin-audit',
+  action: 'delete-user',
+  adminId: currentUser.id,
+  targetId: userId,
+}, 'Admin action performed');
+```