phase 7+: i18n primitive + login language picker + autocomplete-off

Adds a minimal Svelte 5 i18n primitive (`src/lib/i18n/`) backing the login form, the layout blocker page, and the lobby placeholder. SUPPORTED_LOCALES drives both the picker and the runtime lookup; adding a language is a two-step change inside `src/lib/i18n/`. Login form gains a globe-icon language dropdown (English / Русский in their native names), defaulting to navigator.languages with `en` as the fallback. Switching the locale re-renders the form in place; on submit, the locale rides in the JSON body of `send-email-code` because Safari/WebKit silently drops JS-set Accept-Language. Gateway gains a body `locale` field that takes priority over the request header for preferred-language resolution. Email and code inputs disable browser autofill / suggestions (`autocomplete=off` + `autocorrect=off` + `autocapitalize=off` + `spellcheck=false`) so Keychain / address-book pickers and remembered-value dropdowns no longer fire on focus. Cross-cuts: - backend & gateway openapi: clarify that body `locale` is honored. - docs/FUNCTIONAL{,_ru}.md §1.2: document body-vs-header priority. - gateway tests: body `locale` overrides Accept-Language; blank body `locale` falls back to header. - new ui/docs/i18n.md; cross-links from auth-flow.md and ui/README. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 16:14:40 +02:00
parent 22b0710d04
commit 9101aba816
20 changed files with 918 additions and 66 deletions
@@ -134,10 +134,12 @@ paths:
        that must later be confirmed through
        `POST /api/v1/public/auth/confirm-email-code`.

-        The JSON body stays unchanged. Callers may additionally supply the
-        standard `Accept-Language` header so the gateway can derive the
-        auth-mail locale and first-login preferred-language candidate. Missing
-        or unsupported values fall back to `en`.
+        Callers select the auth-mail locale through the optional
+        `locale` field on the JSON body, which takes priority over the
+        request `Accept-Language` header. The body field is the canonical
+        channel because Safari silently drops JS-set `Accept-Language`
+        headers; non-Safari clients can still rely on the header alone.
+        Missing or unsupported values fall back to `en`.

        This route is unauthenticated and classified as `public_auth`.
        Public REST anti-abuse applies a per-IP bucket derived from
@@ -302,6 +304,16 @@ components:
          type: string
          description: Single client e-mail address that should receive the login code.
          format: email
+        locale:
+          type: string
+          description: |
+            Optional BCP 47 language tag the caller prefers for the
+            delivered code. The body field is the canonical channel
+            because Safari silently drops JS-set Accept-Language
+            headers; when set, it overrides the request
+            `Accept-Language` for preferred-language resolution.
+            Empty / malformed values fall back to the header, which
+            in turn falls back to `en`.
    SendEmailCodeResponse:
      type: object
      additionalProperties: false