Next.js Supabase V3 (#463)

Version 3 of the kit:
- Radix UI replaced with Base UI (using the Shadcn UI patterns)
- next-intl replaces react-i18next
- enhanceAction deprecated; usage moved to next-safe-action
- main layout now wrapped with [locale] path segment
- Teams only mode
- Layout updates
- Zod v4
- Next.js 16.2
- Typescript 6
- All other dependencies updated
- Removed deprecated Edge CSRF
- Dynamic Github Action runner

docs/data-fetching/csrf-protection.mdoc

@@ -0,0 +1,32 @@
+---
+status: "published"
+title: "CSRF Protection"
+description: "How CSRF protection works in Makerkit."
+label: "CSRF Protection"
+order: 6
+---
+
+## CSRF Protection
+
+CSRF protection is handled automatically by Next.js when using Server Actions. You do not need to manage CSRF tokens manually.
+
+### Server Actions
+
+Server Actions are inherently protected against CSRF attacks by Next.js. The framework validates the origin of all Server Action requests, ensuring they come from the same origin as your application.
+
+No additional configuration or token passing is needed.
+
+### API Route Handlers
+
+API Route Handlers under `/api/*` do not have CSRF protection, as they are typically used for webhooks, external services, and third-party integrations. If you need to protect an API route from unauthorized access, use authentication checks via `enhanceRouteHandler` with `auth: true`.
+
+### Recommendations
+
+- **Prefer Server Actions** for all mutations from client components. They provide built-in CSRF protection and type safety.
+- **Use Route Handlers** only for webhooks, streaming responses, or integrations that require standard HTTP endpoints.
+
+---
+
+## V2 Legacy
+
+In v2, Makerkit used `@edge-csrf/nextjs` middleware to protect non-API routes against CSRF attacks. A `useCsrfToken` hook from `@kit/shared/hooks` was used to retrieve the CSRF token and pass it as an `X-CSRF-Token` header on fetch requests. Both have been removed in v3 since Server Actions handle CSRF protection natively.