diff --git a/admin_ui/index.html b/admin_ui/index.html
index 595e546..c2bde3d 100644
--- a/admin_ui/index.html
+++ b/admin_ui/index.html
@@ -1,8 +1,8 @@
 <!doctype html>
-<html lang="en" class="h-full">
+<html lang="{{LANG_CODE}}" class="h-full">
 <head>
   <meta charset="utf-8" />
-  <title>RustDesk Admin</title>
+  <title>{{T_APP_TITLE}}</title>
   <meta name="viewport" content="width=device-width, initial-scale=1" />
   <script src="/admin/assets/tailwindcss.js"></script>
   <script src="/admin/assets/htmx.min.js"></script>
@@ -23,38 +23,51 @@
   <div class="min-h-full flex">
     <aside class="w-56 shrink-0 bg-slate-900 border-r border-slate-800 flex flex-col">
       <div class="px-4 py-5 border-b border-slate-800">
-        <h1 class="text-base font-semibold">RustDesk Admin</h1>
+        <h1 class="text-base font-semibold">{{T_APP_TITLE}}</h1>
         <p id="me-display" class="text-xs text-slate-500 mt-1" hx-get="/admin/me" hx-trigger="load" hx-swap="innerHTML">…</p>
       </div>
       <nav class="flex-1 px-2 py-3 space-y-1">
         <a class="nav-link block px-3 py-1.5 text-sm rounded text-slate-300 hover:bg-slate-800"
-           hx-get="/admin/pages/users" hx-target="#main" hx-push-url="#users">Users</a>
+           hx-get="/admin/pages/users" hx-target="#main" hx-push-url="#users">{{T_NAV_USERS}}</a>
         <a class="nav-link block px-3 py-1.5 text-sm rounded text-slate-300 hover:bg-slate-800"
-           hx-get="/admin/pages/devices" hx-target="#main" hx-push-url="#devices">Devices</a>
+           hx-get="/admin/pages/devices" hx-target="#main" hx-push-url="#devices">{{T_NAV_DEVICES}}</a>
         <a class="nav-link block px-3 py-1.5 text-sm rounded text-slate-300 hover:bg-slate-800"
-           hx-get="/admin/pages/groups" hx-target="#main" hx-push-url="#groups">Device groups</a>
+           hx-get="/admin/pages/groups" hx-target="#main" hx-push-url="#groups">{{T_NAV_GROUPS}}</a>
         <a class="nav-link block px-3 py-1.5 text-sm rounded text-slate-300 hover:bg-slate-800"
-           hx-get="/admin/pages/strategies" hx-target="#main" hx-push-url="#strategies">Strategies</a>
+           hx-get="/admin/pages/strategies" hx-target="#main" hx-push-url="#strategies">{{T_NAV_STRATEGIES}}</a>
         <a class="nav-link block px-3 py-1.5 text-sm rounded text-slate-300 hover:bg-slate-800"
-           hx-get="/admin/pages/address-books" hx-target="#main" hx-push-url="#address-books">Address books</a>
+           hx-get="/admin/pages/address-books" hx-target="#main" hx-push-url="#address-books">{{T_NAV_AB}}</a>
         <a class="nav-link block px-3 py-1.5 text-sm rounded text-slate-300 hover:bg-slate-800"
-           hx-get="/admin/pages/audit" hx-target="#main" hx-push-url="#audit">Audit log</a>
+           hx-get="/admin/pages/audit" hx-target="#main" hx-push-url="#audit">{{T_NAV_AUDIT}}</a>
         <a class="nav-link block px-3 py-1.5 text-sm rounded text-slate-300 hover:bg-slate-800"
-           hx-get="/admin/pages/deploy" hx-target="#main" hx-push-url="#deploy">Deploy</a>
+           hx-get="/admin/pages/deploy" hx-target="#main" hx-push-url="#deploy">{{T_NAV_DEPLOY}}</a>
       </nav>
       <div class="px-2 py-3 border-t border-slate-800 space-y-1">
         <a class="nav-link block px-3 py-1.5 text-sm rounded text-slate-400 hover:bg-slate-800"
-           hx-get="/admin/pages/profile" hx-target="#main" hx-push-url="#profile">My profile</a>
+           hx-get="/admin/pages/profile" hx-target="#main" hx-push-url="#profile">{{T_NAV_PROFILE}}</a>
         <button
           class="w-full text-left px-3 py-1.5 text-sm rounded text-slate-400 hover:bg-slate-800"
           hx-post="/admin/logout"
           hx-on::after-request="window.location.href = '/admin/login.html'"
-        >Sign out</button>
+        >{{T_NAV_SIGNOUT}}</button>
+        <div class="pt-2">
+          <label class="block text-[10px] uppercase tracking-wide text-slate-600 px-3 mb-1">{{T_LANGUAGE}}</label>
+          <select
+            class="w-full bg-slate-800 border border-slate-700 rounded px-2 py-1 text-xs text-slate-300"
+            onchange="document.cookie='admin_lang='+this.value+'; path=/; max-age=31536000; samesite=strict'; window.location.reload();"
+          >
+            <option value="en"{{LANG_SEL_EN}}>English</option>
+            <option value="de"{{LANG_SEL_DE}}>Deutsch</option>
+            <option value="es"{{LANG_SEL_ES}}>Español</option>
+            <option value="fr"{{LANG_SEL_FR}}>Français</option>
+            <option value="ro"{{LANG_SEL_RO}}>Română</option>
+          </select>
+        </div>
       </div>
     </aside>
 
     <main id="main" class="flex-1 p-6 overflow-x-hidden">
-      <div class="text-slate-500 text-sm">Loading…</div>
+      <div class="text-slate-500 text-sm">{{T_LOADING}}</div>
     </main>
   </div>
 
diff --git a/admin_ui/login.html b/admin_ui/login.html
index eb43263..f347253 100644
--- a/admin_ui/login.html
+++ b/admin_ui/login.html
@@ -1,8 +1,8 @@
 <!doctype html>
-<html lang="en" class="h-full">
+<html lang="{{LANG_CODE}}" class="h-full">
 <head>
   <meta charset="utf-8" />
-  <title>Sign in — RustDesk Admin</title>
+  <title>{{T_SIGNIN}} — {{T_TITLE}}</title>
   <meta name="viewport" content="width=device-width, initial-scale=1" />
   <script src="/admin/assets/tailwindcss.js"></script>
   <script src="/admin/assets/htmx.min.js"></script>
@@ -13,8 +13,8 @@
 <body class="h-full bg-slate-950 text-slate-100 flex items-center justify-center">
   <main class="w-full max-w-sm px-6">
     <div class="text-center mb-8">
-      <h1 class="text-2xl font-semibold">RustDesk Admin</h1>
-      <p class="text-slate-400 text-sm mt-1">Sign in to manage the server.</p>
+      <h1 class="text-2xl font-semibold">{{T_TITLE}}</h1>
+      <p class="text-slate-400 text-sm mt-1">{{T_SUBTITLE}}</p>
     </div>
 
     <form
@@ -42,7 +42,7 @@
       "
     >
       <div>
-        <label class="block text-xs font-medium text-slate-400 mb-1" for="username">Username</label>
+        <label class="block text-xs font-medium text-slate-400 mb-1" for="username">{{T_USERNAME}}</label>
         <input
           id="username" name="username" type="text" required autocomplete="username"
           class="w-full bg-slate-800 border border-slate-700 rounded px-3 py-2 text-sm focus:outline-none focus:border-sky-500"
@@ -50,7 +50,7 @@
       </div>
 
       <div>
-        <label class="block text-xs font-medium text-slate-400 mb-1" for="password">Password</label>
+        <label class="block text-xs font-medium text-slate-400 mb-1" for="password">{{T_PASSWORD}}</label>
         <input
           id="password" name="password" type="password" required autocomplete="current-password"
           class="w-full bg-slate-800 border border-slate-700 rounded px-3 py-2 text-sm focus:outline-none focus:border-sky-500"
@@ -58,7 +58,7 @@
       </div>
 
       <div id="tfa-section" class="hidden">
-        <label class="block text-xs font-medium text-slate-400 mb-1" for="tfaCode">6-digit TOTP code</label>
+        <label class="block text-xs font-medium text-slate-400 mb-1" for="tfaCode">{{T_TOTP_LABEL}}</label>
         <input
           id="tfaCode" name="tfaCode" type="text" inputmode="numeric" pattern="[0-9]{6}" maxlength="6" autocomplete="one-time-code"
           class="w-full bg-slate-800 border border-slate-700 rounded px-3 py-2 text-sm tracking-widest text-center focus:outline-none focus:border-sky-500"
@@ -70,7 +70,7 @@
         type="submit"
         class="w-full bg-sky-600 hover:bg-sky-500 text-white text-sm font-medium rounded px-4 py-2 transition"
       >
-        Sign in
+        {{T_SIGNIN}}
       </button>
 
       <div id="err" class="text-sm text-rose-400 min-h-[1.25em]"></div>
@@ -80,11 +80,25 @@
     <div id="oidc-block" class="mt-6 hidden">
       <div class="flex items-center gap-3 mb-3">
         <div class="flex-1 h-px bg-slate-800"></div>
-        <span class="text-xs text-slate-500">or</span>
+        <span class="text-xs text-slate-500">{{T_OR}}</span>
         <div class="flex-1 h-px bg-slate-800"></div>
       </div>
       <div id="oidc-buttons" class="space-y-2"></div>
     </div>
+
+    <div class="mt-6 text-center">
+      <label class="text-[10px] uppercase tracking-wide text-slate-600 mr-2">{{T_LANGUAGE}}</label>
+      <select
+        class="bg-slate-800 border border-slate-700 rounded px-2 py-1 text-xs text-slate-300"
+        onchange="document.cookie='admin_lang='+this.value+'; path=/; max-age=31536000; samesite=strict'; window.location.reload();"
+      >
+        <option value="en"{{LANG_SEL_EN}}>English</option>
+        <option value="de"{{LANG_SEL_DE}}>Deutsch</option>
+        <option value="es"{{LANG_SEL_ES}}>Español</option>
+        <option value="fr"{{LANG_SEL_FR}}>Français</option>
+        <option value="ro"{{LANG_SEL_RO}}>Română</option>
+      </select>
+    </div>
   </main>
 
   <script>
@@ -92,6 +106,7 @@
     // navigates to /admin/login/oidc/<name>, which 302s the browser to the
     // IdP. After the IdP redirects to /oidc/callback, the server sets our
     // session cookie and redirects to /admin/.
+    var SIGNIN_WITH = {{T_SIGNIN_WITH_JSON}};
     fetch('/admin/oidc/providers').then(r => r.json()).then(list => {
       if (!Array.isArray(list) || list.length === 0) return;
       const block = document.getElementById('oidc-block');
@@ -100,7 +115,7 @@
         const a = document.createElement('a');
         a.href = '/admin/login/oidc/' + encodeURIComponent(p.name);
         a.className = 'block w-full text-center bg-slate-800 hover:bg-slate-700 border border-slate-700 text-sm rounded px-4 py-2 transition';
-        a.textContent = 'Sign in with ' + (p.display_name || p.name);
+        a.textContent = SIGNIN_WITH + ' ' + (p.display_name || p.name);
         root.appendChild(a);
       });
       block.classList.remove('hidden');
diff --git a/src/api/admin/auth.rs b/src/api/admin/auth.rs
index 672847c..860b95a 100644
--- a/src/api/admin/auth.rs
+++ b/src/api/admin/auth.rs
@@ -4,6 +4,7 @@
 //! `/admin/*` and `/api/*`. The middleware in `api::middleware` already
 //! accepts both `Authorization: Bearer …` and the cookie.
 
+use crate::api::admin::i18n::{t, Lang};
 use crate::api::auth::mint_token;
 use crate::api::middleware::{sha256_token, SESSION_COOKIE};
 use crate::api::state::AppState;
@@ -32,6 +33,7 @@ pub struct LoginForm {
 
 pub async fn login(
     Extension(state): Extension<Arc<AppState>>,
+    lang: Lang,
     Form(form): Form<LoginForm>,
 ) -> Response {
     // First leg: password verify. Same DB call paths as `/api/login` —
@@ -39,7 +41,7 @@ pub async fn login(
     // diverge from the API's auth contract.
     let user = match state.db.user_find_by_username(&form.username).await {
         Ok(Some(u)) => u,
-        Ok(None) => return error_fragment("Bad credentials"),
+        Ok(None) => return error_fragment(t(lang, "login.bad_credentials")),
         Err(e) => return error_fragment(&format!("internal: {}", e)),
     };
     let pw_ok = match verify_password(user.password_hash.clone(), form.password.clone()).await {
@@ -47,16 +49,16 @@ pub async fn login(
         Err(e) => return error_fragment(&format!("internal: {}", e)),
     };
     if !pw_ok {
-        return error_fragment("Bad credentials");
+        return error_fragment(t(lang, "login.bad_credentials"));
     }
     if user.status == 0 {
-        return error_fragment("Account disabled");
+        return error_fragment(t(lang, "login.account_disabled"));
     }
     if !user.is_admin {
         // Only admins can use the dashboard. Non-admin users still get
         // tokens via `/api/login` for the desktop client; they just don't
         // see the management surface.
-        return error_fragment("Admin access required");
+        return error_fragment(t(lang, "login.admin_required"));
     }
     // Optional second leg: TOTP. If the user has a secret enrolled and the
     // form didn't carry a code, return a fragment that asks for one.
@@ -72,11 +74,12 @@ pub async fn login(
             // leg: it watches for the special marker via HX-Trigger and
             // reveals the #tfa-section.
             let frag = format!(
-                r#"<span data-tfa-required="1" class="text-amber-300">Enter your 6-digit authenticator code.</span>
+                r#"<span data-tfa-required="1" class="text-amber-300">{msg}</span>
 <script>
   document.getElementById('tfa-section').classList.remove('hidden');
   document.getElementById('tfaCode').focus();
-</script>"#
+</script>"#,
+                msg = t(lang, "login.totp_required"),
             );
             // We don't need a session yet — caller will resubmit with the
             // same username/password plus the code. (No nonce involved on
@@ -88,10 +91,10 @@ pub async fn login(
         // Verify the supplied code.
         let ok = match crate::api::auth::verify_totp(&secret_b32, &form.tfa_code) {
             Ok(b) => b,
-            Err(_) => return error_fragment("Internal TOTP error"),
+            Err(_) => return error_fragment(t(lang, "login.internal_totp")),
         };
         if !ok {
-            return error_fragment("Bad TOTP code");
+            return error_fragment(t(lang, "login.bad_totp"));
         }
     }
 
diff --git a/src/api/admin/i18n.rs b/src/api/admin/i18n.rs
new file mode 100644
index 0000000..df2c3cf
--- /dev/null
+++ b/src/api/admin/i18n.rs
@@ -0,0 +1,1996 @@
+//! Multi-language support for the admin dashboard.
+//!
+//! Language is selected per-browser via the `admin_lang` cookie (set by the
+//! language switcher in the sidebar / login page). Falls back to the
+//! `Accept-Language` header, then English.
+//!
+//! All translations live in this file as a big `match` table — no external
+//! resource files, no `phf` dependency, easy to grep. To add a new key,
+//! drop a new arm in `t()`. To add a new language, extend the `Lang` enum
+//! and add a branch to every `match lang` block.
+//!
+//! Format-string keys use `{0}` / `{1}` placeholders that callers fill in
+//! via `tf1` / `tf2`. We don't use `format!()` because the template comes
+//! from a runtime lookup (not a literal).
+
+use crate::api::error::ApiError;
+use async_trait::async_trait;
+use axum::extract::{FromRequest, RequestParts};
+use axum::http::header;
+
+/// Supported UI languages. Default = English.
+#[derive(Clone, Copy, Debug, PartialEq, Eq)]
+pub enum Lang {
+    En,
+    De,
+    Fr,
+    Ro,
+    Es,
+}
+
+impl Lang {
+    pub fn code(self) -> &'static str {
+        match self {
+            Lang::En => "en",
+            Lang::De => "de",
+            Lang::Fr => "fr",
+            Lang::Ro => "ro",
+            Lang::Es => "es",
+        }
+    }
+
+    pub fn parse(s: &str) -> Option<Self> {
+        match s.trim().to_ascii_lowercase().as_str() {
+            "en" | "en-us" | "en-gb" => Some(Lang::En),
+            "de" | "de-de" | "de-ch" | "de-at" => Some(Lang::De),
+            "fr" | "fr-fr" | "fr-ch" | "fr-be" | "fr-ca" => Some(Lang::Fr),
+            "ro" | "ro-ro" | "ro-md" => Some(Lang::Ro),
+            "es" | "es-es" | "es-mx" | "es-ar" | "es-cl" | "es-co" | "es-pe" | "es-419" => {
+                Some(Lang::Es)
+            }
+            _ => None,
+        }
+    }
+
+    /// Cookie name we look at and write.
+    pub const COOKIE: &'static str = "admin_lang";
+}
+
+impl Default for Lang {
+    fn default() -> Self {
+        Lang::En
+    }
+}
+
+/// Resolve the user's preferred language from the `admin_lang` cookie first,
+/// then `Accept-Language`, otherwise English. Pure function so both the
+/// extractor and standalone serve handlers can call it.
+pub fn lang_from_headers(headers: &axum::http::HeaderMap) -> Lang {
+    if let Some(cookie_hdr) = headers.get(header::COOKIE) {
+        if let Ok(s) = cookie_hdr.to_str() {
+            for pair in s.split(';') {
+                if let Some((name, value)) = pair.trim().split_once('=') {
+                    if name.trim() == Lang::COOKIE {
+                        if let Some(l) = Lang::parse(value.trim()) {
+                            return l;
+                        }
+                    }
+                }
+            }
+        }
+    }
+    if let Some(al) = headers.get(header::ACCEPT_LANGUAGE) {
+        if let Ok(s) = al.to_str() {
+            // First language tag in the list (ignore q= weights — good enough).
+            for tag in s.split(',') {
+                let primary = tag.split(';').next().unwrap_or("").trim();
+                if let Some(l) = Lang::parse(primary) {
+                    return l;
+                }
+            }
+        }
+    }
+    Lang::En
+}
+
+#[async_trait]
+impl<B: Send> FromRequest<B> for Lang {
+    type Rejection = ApiError;
+
+    async fn from_request(req: &mut RequestParts<B>) -> Result<Self, Self::Rejection> {
+        Ok(lang_from_headers(req.headers()))
+    }
+}
+
+// ---------- translations ----------
+
+/// Look up a translation key. Returns `<missing translation>` if the key is
+/// unknown — that's deliberately ugly so any gap shows up in the UI rather
+/// than silently falling back to English.
+pub fn t(lang: Lang, key: &str) -> &'static str {
+    let (en, de, fr, ro, es) = match key {
+        // ---- generic ----
+        "common.loading" => (
+            "Loading…",
+            "Wird geladen…",
+            "Chargement…",
+            "Se încarcă…",
+            "Cargando…",
+        ),
+        "common.create" => ("Create", "Erstellen", "Créer", "Creează", "Crear"),
+        "common.save" => ("Save", "Speichern", "Enregistrer", "Salvează", "Guardar"),
+        "common.delete" => ("Delete", "Löschen", "Supprimer", "Șterge", "Eliminar"),
+        "common.add" => ("Add", "Hinzufügen", "Ajouter", "Adaugă", "Añadir"),
+        "common.remove" => ("Remove", "Entfernen", "Retirer", "Elimină", "Quitar"),
+        "common.update" => (
+            "Update",
+            "Aktualisieren",
+            "Mettre à jour",
+            "Actualizează",
+            "Actualizar",
+        ),
+        "common.cancel" => ("Cancel", "Abbrechen", "Annuler", "Anulează", "Cancelar"),
+        "common.confirm" => (
+            "Confirm",
+            "Bestätigen",
+            "Confirmer",
+            "Confirmă",
+            "Confirmar",
+        ),
+        "common.actions" => ("Actions", "Aktionen", "Actions", "Acțiuni", "Acciones"),
+        "common.back" => (
+            "← Back",
+            "← Zurück",
+            "← Retour",
+            "← Înapoi",
+            "← Volver",
+        ),
+        "common.never" => ("never", "nie", "jamais", "niciodată", "nunca"),
+        "common.already_gone" => (
+            "Already gone.",
+            "Bereits entfernt.",
+            "Déjà supprimé.",
+            "Deja șters.",
+            "Ya se eliminó.",
+        ),
+        "common.not_found" => (
+            "Not found.",
+            "Nicht gefunden.",
+            "Introuvable.",
+            "Negăsit.",
+            "No encontrado.",
+        ),
+        "common.language" => ("Language", "Sprache", "Langue", "Limbă", "Idioma"),
+
+        // ---- shell / sidebar ----
+        "shell.app_title" => (
+            "RustDesk Admin",
+            "RustDesk Admin",
+            "RustDesk Admin",
+            "RustDesk Admin",
+            "RustDesk Admin",
+        ),
+        "nav.users" => (
+            "Users",
+            "Benutzer",
+            "Utilisateurs",
+            "Utilizatori",
+            "Usuarios",
+        ),
+        "nav.devices" => (
+            "Devices",
+            "Geräte",
+            "Appareils",
+            "Dispozitive",
+            "Dispositivos",
+        ),
+        "nav.groups" => (
+            "Device groups",
+            "Gerätegruppen",
+            "Groupes d'appareils",
+            "Grupuri de dispozitive",
+            "Grupos de dispositivos",
+        ),
+        "nav.strategies" => (
+            "Strategies",
+            "Strategien",
+            "Stratégies",
+            "Strategii",
+            "Estrategias",
+        ),
+        "nav.address_books" => (
+            "Address books",
+            "Adressbücher",
+            "Carnets d'adresses",
+            "Agende",
+            "Libretas de direcciones",
+        ),
+        "nav.audit" => (
+            "Audit log",
+            "Audit-Protokoll",
+            "Journal d'audit",
+            "Jurnal de audit",
+            "Registro de auditoría",
+        ),
+        "nav.deploy" => (
+            "Deploy",
+            "Bereitstellen",
+            "Déployer",
+            "Implementare",
+            "Implementación",
+        ),
+        "nav.profile" => (
+            "My profile",
+            "Mein Profil",
+            "Mon profil",
+            "Profilul meu",
+            "Mi perfil",
+        ),
+        "nav.signout" => (
+            "Sign out",
+            "Abmelden",
+            "Se déconnecter",
+            "Deconectare",
+            "Cerrar sesión",
+        ),
+        "nav.signed_in_as" => (
+            "Signed in as",
+            "Angemeldet als",
+            "Connecté en tant que",
+            "Conectat ca",
+            "Conectado como",
+        ),
+
+        // ---- login ----
+        "login.title" => (
+            "RustDesk Admin",
+            "RustDesk Admin",
+            "RustDesk Admin",
+            "RustDesk Admin",
+            "RustDesk Admin",
+        ),
+        "login.subtitle" => (
+            "Sign in to manage the server.",
+            "Melden Sie sich an, um den Server zu verwalten.",
+            "Connectez-vous pour gérer le serveur.",
+            "Conectați-vă pentru a administra serverul.",
+            "Inicia sesión para administrar el servidor.",
+        ),
+        "login.username" => (
+            "Username",
+            "Benutzername",
+            "Nom d'utilisateur",
+            "Utilizator",
+            "Usuario",
+        ),
+        "login.password" => (
+            "Password",
+            "Passwort",
+            "Mot de passe",
+            "Parolă",
+            "Contraseña",
+        ),
+        "login.totp_label" => (
+            "6-digit TOTP code",
+            "6-stelliger TOTP-Code",
+            "Code TOTP à 6 chiffres",
+            "Cod TOTP din 6 cifre",
+            "Código TOTP de 6 dígitos",
+        ),
+        "login.signin" => (
+            "Sign in",
+            "Anmelden",
+            "Se connecter",
+            "Conectare",
+            "Iniciar sesión",
+        ),
+        "login.or" => ("or", "oder", "ou", "sau", "o"),
+        "login.signin_with" => (
+            "Sign in with",
+            "Anmelden mit",
+            "Se connecter avec",
+            "Conectare cu",
+            "Iniciar sesión con",
+        ),
+        "login.bad_credentials" => (
+            "Bad credentials",
+            "Ungültige Anmeldedaten",
+            "Identifiants incorrects",
+            "Date de autentificare incorecte",
+            "Credenciales incorrectas",
+        ),
+        "login.account_disabled" => (
+            "Account disabled",
+            "Konto deaktiviert",
+            "Compte désactivé",
+            "Cont dezactivat",
+            "Cuenta deshabilitada",
+        ),
+        "login.admin_required" => (
+            "Admin access required",
+            "Administrator-Zugriff erforderlich",
+            "Accès administrateur requis",
+            "Acces de administrator necesar",
+            "Se requiere acceso de administrador",
+        ),
+        "login.bad_totp" => (
+            "Bad TOTP code",
+            "Ungültiger TOTP-Code",
+            "Code TOTP incorrect",
+            "Cod TOTP incorect",
+            "Código TOTP incorrecto",
+        ),
+        "login.totp_required" => (
+            "Enter your 6-digit authenticator code.",
+            "Geben Sie den 6-stelligen Authentifizierungs-Code ein.",
+            "Saisissez votre code d'authentification à 6 chiffres.",
+            "Introduceți codul de autentificare din 6 cifre.",
+            "Introduce tu código de autenticación de 6 dígitos.",
+        ),
+        "login.internal_totp" => (
+            "Internal TOTP error",
+            "Interner TOTP-Fehler",
+            "Erreur TOTP interne",
+            "Eroare TOTP internă",
+            "Error TOTP interno",
+        ),
+
+        // ---- users ----
+        "users.heading" => (
+            "Users",
+            "Benutzer",
+            "Utilisateurs",
+            "Utilizatori",
+            "Usuarios",
+        ),
+        "users.create_heading" => (
+            "Create user",
+            "Benutzer erstellen",
+            "Créer un utilisateur",
+            "Creează utilizator",
+            "Crear usuario",
+        ),
+        "users.username" => (
+            "username",
+            "Benutzername",
+            "nom d'utilisateur",
+            "utilizator",
+            "usuario",
+        ),
+        "users.display_name" => (
+            "display name",
+            "Anzeigename",
+            "nom affiché",
+            "nume afișat",
+            "nombre visible",
+        ),
+        "users.email_optional" => (
+            "email (optional)",
+            "E-Mail (optional)",
+            "e-mail (optionnel)",
+            "email (opțional)",
+            "correo (opcional)",
+        ),
+        "users.password" => (
+            "password",
+            "Passwort",
+            "mot de passe",
+            "parolă",
+            "contraseña",
+        ),
+        "users.admin_label" => ("admin", "Administrator", "admin", "admin", "admin"),
+        "users.username_required" => (
+            "Username required",
+            "Benutzername erforderlich",
+            "Nom d'utilisateur requis",
+            "Numele de utilizator este obligatoriu",
+            "Se requiere el usuario",
+        ),
+        "users.password_min" => (
+            "Password must be at least 4 characters",
+            "Das Passwort muss mindestens 4 Zeichen lang sein",
+            "Le mot de passe doit contenir au moins 4 caractères",
+            "Parola trebuie să aibă cel puțin 4 caractere",
+            "La contraseña debe tener al menos 4 caracteres",
+        ),
+        "users.created" => (
+            "Created user '{0}'.",
+            "Benutzer „{0}\" erstellt.",
+            "Utilisateur « {0} » créé.",
+            "Utilizator „{0}\" creat.",
+            "Usuario «{0}» creado.",
+        ),
+        "users.profile_updated" => (
+            "Profile updated.",
+            "Profil aktualisiert.",
+            "Profil mis à jour.",
+            "Profil actualizat.",
+            "Perfil actualizado.",
+        ),
+        "users.password_updated" => (
+            "Password updated.",
+            "Passwort aktualisiert.",
+            "Mot de passe mis à jour.",
+            "Parolă actualizată.",
+            "Contraseña actualizada.",
+        ),
+        "users.user_not_found" => (
+            "User not found.",
+            "Benutzer nicht gefunden.",
+            "Utilisateur introuvable.",
+            "Utilizator negăsit.",
+            "Usuario no encontrado.",
+        ),
+        "users.user_deleted" => (
+            "User deleted.",
+            "Benutzer gelöscht.",
+            "Utilisateur supprimé.",
+            "Utilizator șters.",
+            "Usuario eliminado.",
+        ),
+        "users.cant_revoke_self" => (
+            "You can't revoke your own admin flag here. Edit another admin's row instead.",
+            "Sie können Ihren eigenen Administrator-Status hier nicht entziehen. Bearbeiten Sie stattdessen einen anderen Administrator.",
+            "Vous ne pouvez pas retirer votre propre statut d'administrateur ici. Modifiez la ligne d'un autre administrateur.",
+            "Nu vă puteți revoca propriul statut de administrator aici. Editați rândul altui administrator.",
+            "No puedes revocar tu propio rol de administrador desde aquí. Edita la fila de otro administrador.",
+        ),
+        "users.cant_disable_self" => (
+            "You can't disable your own account from here.",
+            "Sie können Ihr eigenes Konto hier nicht deaktivieren.",
+            "Vous ne pouvez pas désactiver votre propre compte d'ici.",
+            "Nu vă puteți dezactiva propriul cont de aici.",
+            "No puedes deshabilitar tu propia cuenta desde aquí.",
+        ),
+        "users.cant_delete_self" => (
+            "You can't delete the account you're signed in with.",
+            "Sie können das Konto, mit dem Sie angemeldet sind, nicht löschen.",
+            "Vous ne pouvez pas supprimer le compte avec lequel vous êtes connecté.",
+            "Nu puteți șterge contul cu care sunteți conectat.",
+            "No puedes eliminar la cuenta con la que has iniciado sesión.",
+        ),
+        "users.totp_removed" => (
+            "TOTP removed.",
+            "TOTP entfernt.",
+            "TOTP supprimé.",
+            "TOTP eliminat.",
+            "TOTP eliminado.",
+        ),
+        "users.no_totp" => (
+            "User had no TOTP.",
+            "Benutzer hatte kein TOTP.",
+            "L'utilisateur n'avait pas de TOTP.",
+            "Utilizatorul nu avea TOTP.",
+            "El usuario no tenía TOTP.",
+        ),
+        "users.oidc_password_disabled" => (
+            "This account is linked to OIDC — set the password at the identity provider instead.",
+            "Dieses Konto ist mit OIDC verknüpft — legen Sie das Passwort beim Identitätsanbieter fest.",
+            "Ce compte est lié à OIDC — définissez le mot de passe chez le fournisseur d'identité.",
+            "Acest cont este legat de OIDC — setați parola la furnizorul de identitate.",
+            "Esta cuenta está vinculada a OIDC — establece la contraseña en el proveedor de identidad.",
+        ),
+        "users.col_username" => (
+            "Username",
+            "Benutzername",
+            "Nom d'utilisateur",
+            "Utilizator",
+            "Usuario",
+        ),
+        "users.col_display_name" => (
+            "Display name",
+            "Anzeigename",
+            "Nom affiché",
+            "Nume afișat",
+            "Nombre visible",
+        ),
+        "users.col_email" => ("Email", "E-Mail", "E-mail", "Email", "Correo"),
+        "users.col_status" => ("Status", "Status", "Statut", "Status", "Estado"),
+        "users.col_admin" => (
+            "Admin",
+            "Administrator",
+            "Admin",
+            "Admin",
+            "Administrador",
+        ),
+        "users.col_totp" => ("TOTP", "TOTP", "TOTP", "TOTP", "TOTP"),
+        "users.col_last_seen" => (
+            "Last seen",
+            "Zuletzt gesehen",
+            "Dernière connexion",
+            "Văzut ultima dată",
+            "Última conexión",
+        ),
+        "users.status_active" => ("active", "aktiv", "actif", "activ", "activo"),
+        "users.status_disabled" => (
+            "disabled",
+            "deaktiviert",
+            "désactivé",
+            "dezactivat",
+            "deshabilitado",
+        ),
+        "users.status_unverified" => (
+            "unverified",
+            "unbestätigt",
+            "non vérifié",
+            "neverificat",
+            "sin verificar",
+        ),
+        "users.totp_enrolled" => (
+            "enrolled",
+            "registriert",
+            "activé",
+            "activat",
+            "activado",
+        ),
+        "users.password_set" => (
+            "Set",
+            "Setzen",
+            "Définir",
+            "Setează",
+            "Establecer",
+        ),
+        "users.new_password" => (
+            "new password",
+            "neues Passwort",
+            "nouveau mot de passe",
+            "parolă nouă",
+            "nueva contraseña",
+        ),
+        "users.oidc_disabled" => (
+            "Linked to OIDC — password sign-in is disabled.",
+            "Mit OIDC verknüpft — Passwort-Anmeldung ist deaktiviert.",
+            "Lié à OIDC — la connexion par mot de passe est désactivée.",
+            "Legat de OIDC — autentificarea cu parolă este dezactivată.",
+            "Vinculado a OIDC — el inicio de sesión con contraseña está deshabilitado.",
+        ),
+        "users.save_profile" => (
+            "Save profile",
+            "Profil speichern",
+            "Enregistrer le profil",
+            "Salvează profil",
+            "Guardar perfil",
+        ),
+        "users.grant_admin" => (
+            "Grant admin",
+            "Admin gewähren",
+            "Donner admin",
+            "Acordă admin",
+            "Conceder admin",
+        ),
+        "users.revoke_admin" => (
+            "Revoke admin",
+            "Admin entziehen",
+            "Retirer admin",
+            "Revocă admin",
+            "Revocar admin",
+        ),
+        "users.disable_user" => (
+            "Disable user",
+            "Benutzer deaktivieren",
+            "Désactiver l'utilisateur",
+            "Dezactivează utilizator",
+            "Deshabilitar usuario",
+        ),
+        "users.enable_user" => (
+            "Enable user",
+            "Benutzer aktivieren",
+            "Activer l'utilisateur",
+            "Activează utilizator",
+            "Habilitar usuario",
+        ),
+        "users.disable_totp" => (
+            "Disable TOTP",
+            "TOTP deaktivieren",
+            "Désactiver TOTP",
+            "Dezactivează TOTP",
+            "Deshabilitar TOTP",
+        ),
+        "users.confirm_disable_totp" => (
+            "Disable TOTP for {0}? They'll be able to sign in without a 6-digit code until they re-enroll.",
+            "TOTP für {0} deaktivieren? Diese Person kann sich ohne 6-stelligen Code anmelden, bis TOTP erneut aktiviert wird.",
+            "Désactiver TOTP pour {0} ? Cette personne pourra se connecter sans code à 6 chiffres jusqu'à la réinscription.",
+            "Dezactivați TOTP pentru {0}? Acest utilizator se va putea conecta fără cod din 6 cifre până la reînregistrare.",
+            "¿Deshabilitar TOTP para {0}? Podrá iniciar sesión sin un código de 6 dígitos hasta que vuelva a activarlo.",
+        ),
+        "users.delete_user" => (
+            "Delete user",
+            "Benutzer löschen",
+            "Supprimer l'utilisateur",
+            "Șterge utilizator",
+            "Eliminar usuario",
+        ),
+        "users.confirm_delete" => (
+            "Delete user {0}? This cascades into their tokens, group memberships and AB shares.",
+            "Benutzer {0} löschen? Das entfernt auch seine Tokens, Gruppenmitgliedschaften und Adressbuch-Freigaben.",
+            "Supprimer l'utilisateur {0} ? Cela supprime aussi ses jetons, appartenances aux groupes et partages de carnet.",
+            "Ștergeți utilizatorul {0}? Aceasta elimină și tokenurile, apartenențele la grupuri și partajările de agendă.",
+            "¿Eliminar al usuario {0}? Esto también elimina sus tokens, pertenencias a grupos y compartidos de libreta.",
+        ),
+        "users.totp_enrolled_for" => (
+            "TOTP enrolled for {0}",
+            "TOTP registriert für {0}",
+            "TOTP activé pour {0}",
+            "TOTP activat pentru {0}",
+            "TOTP activado para {0}",
+        ),
+        "users.secret_b32" => (
+            "Secret (base32):",
+            "Geheimnis (Base32):",
+            "Secret (base32) :",
+            "Secret (base32):",
+            "Secreto (base32):",
+        ),
+        "users.otpauth_url" => (
+            "otpauth URL:",
+            "otpauth-URL:",
+            "URL otpauth :",
+            "URL otpauth:",
+            "URL otpauth:",
+        ),
+        "users.otpauth_hint" => (
+            "Show this once to the user (or scan the URL as a QR code) — it isn't displayed again.",
+            "Zeigen Sie dies dem Benutzer einmal (oder scannen Sie die URL als QR-Code) — sie wird nicht erneut angezeigt.",
+            "Montrez ceci à l'utilisateur une seule fois (ou scannez l'URL comme QR code) — elle ne sera plus affichée.",
+            "Afișați acest lucru o singură dată utilizatorului (sau scanați URL-ul ca un cod QR) — nu va mai fi afișat din nou.",
+            "Muéstralo al usuario una sola vez (o escanea la URL como código QR) — no se mostrará de nuevo.",
+        ),
+
+        // ---- devices ----
+        "devices.heading" => (
+            "Devices",
+            "Geräte",
+            "Appareils",
+            "Dispozitive",
+            "Dispositivos",
+        ),
+        "devices.tagline" => (
+            "Force-disconnect / force-sysinfo are delivered on the peer's next heartbeat tick (~15 s).",
+            "Trennung / Sysinfo werden beim nächsten Heartbeat des Peers ausgelöst (~15 s).",
+            "Déconnexion / sysinfo sont appliqués au prochain heartbeat du pair (~15 s).",
+            "Deconectarea / sysinfo se aplică la următorul heartbeat al peer-ului (~15 s).",
+            "La desconexión y sysinfo forzadas se aplican en el próximo heartbeat del par (~15 s).",
+        ),
+        "devices.col_peer_id" => (
+            "Peer ID",
+            "Peer-ID",
+            "ID du pair",
+            "ID peer",
+            "ID del par",
+        ),
+        "devices.col_owner" => (
+            "Owner",
+            "Besitzer",
+            "Propriétaire",
+            "Proprietar",
+            "Propietario",
+        ),
+        "devices.col_hostname" => (
+            "Hostname",
+            "Hostname",
+            "Nom d'hôte",
+            "Hostname",
+            "Nombre de host",
+        ),
+        "devices.col_user" => ("User", "Benutzer", "Utilisateur", "Utilizator", "Usuario"),
+        "devices.col_unattended_pwd" => (
+            "Unattended pwd",
+            "Unbeaufsichtigtes Pwd",
+            "Mot de passe sans surveillance",
+            "Parolă nesupravegheată",
+            "Contraseña desatendida",
+        ),
+        "devices.col_os" => ("OS", "Betriebssystem", "OS", "SO", "SO"),
+        "devices.col_version" => ("Version", "Version", "Version", "Versiune", "Versión"),
+        "devices.col_last_heartbeat" => (
+            "Last heartbeat",
+            "Letzter Heartbeat",
+            "Dernier heartbeat",
+            "Ultimul heartbeat",
+            "Último heartbeat",
+        ),
+        "devices.col_conns" => (
+            "Conns",
+            "Verbindungen",
+            "Connexions",
+            "Conexiuni",
+            "Conexiones",
+        ),
+        "devices.no_devices" => (
+            "No devices have heartbeated yet.",
+            "Noch keine Geräte mit Heartbeat.",
+            "Aucun appareil n'a encore envoyé de heartbeat.",
+            "Niciun dispozitiv nu a trimis încă heartbeat.",
+            "Ningún dispositivo ha enviado heartbeat aún.",
+        ),
+        "devices.online" => (
+            "Online — last heartbeat {0}s ago",
+            "Online — letzter Heartbeat vor {0}s",
+            "En ligne — dernier heartbeat il y a {0}s",
+            "Online — ultimul heartbeat acum {0}s",
+            "En línea — último heartbeat hace {0}s",
+        ),
+        "devices.no_heartbeat" => (
+            "No heartbeat recorded",
+            "Kein Heartbeat aufgezeichnet",
+            "Aucun heartbeat enregistré",
+            "Niciun heartbeat înregistrat",
+            "Sin heartbeat registrado",
+        ),
+        "devices.offline" => (
+            "Offline — last heartbeat {0} ago",
+            "Offline — letzter Heartbeat vor {0}",
+            "Hors ligne — dernier heartbeat il y a {0}",
+            "Offline — ultimul heartbeat acum {0}",
+            "Sin conexión — último heartbeat hace {0}",
+        ),
+        "devices.connect_web" => (
+            "Connect (web client)",
+            "Verbinden (Web-Client)",
+            "Connecter (client web)",
+            "Conectează (client web)",
+            "Conectar (cliente web)",
+        ),
+        "devices.details" => (
+            "Details & inventory",
+            "Details & Inventar",
+            "Détails & inventaire",
+            "Detalii și inventar",
+            "Detalles e inventario",
+        ),
+        "devices.force_disconnect" => (
+            "Force disconnect",
+            "Trennung erzwingen",
+            "Forcer la déconnexion",
+            "Forțează deconectarea",
+            "Forzar desconexión",
+        ),
+        "devices.force_sysinfo" => (
+            "Force sysinfo refresh",
+            "Sysinfo-Aktualisierung erzwingen",
+            "Forcer la mise à jour sysinfo",
+            "Forțează reîmprospătarea sysinfo",
+            "Forzar actualización sysinfo",
+        ),
+        "devices.confirm_disconnect" => (
+            "Disconnect all active sessions on {0}?",
+            "Alle aktiven Sitzungen von {0} trennen?",
+            "Déconnecter toutes les sessions actives de {0} ?",
+            "Deconectați toate sesiunile active de pe {0}?",
+            "¿Desconectar todas las sesiones activas en {0}?",
+        ),
+        "devices.delete_device" => (
+            "Delete device",
+            "Gerät löschen",
+            "Supprimer l'appareil",
+            "Șterge dispozitivul",
+            "Eliminar dispositivo",
+        ),
+        "devices.confirm_delete" => (
+            "Delete {0}? This removes the dashboard row and the rendezvous identity. Audit logs and recordings are kept.",
+            "{0} löschen? Damit werden der Dashboard-Eintrag und die Rendezvous-Identität entfernt. Audit-Protokolle und Aufzeichnungen bleiben erhalten.",
+            "Supprimer {0} ? Cela supprime la ligne du tableau de bord et l'identité rendezvous. Les journaux d'audit et enregistrements sont conservés.",
+            "Ștergeți {0}? Aceasta elimină rândul din panou și identitatea rendezvous. Jurnalele de audit și înregistrările sunt păstrate.",
+            "¿Eliminar {0}? Esto elimina la fila del panel y la identidad rendezvous. Se conservan los registros de auditoría y grabaciones.",
+        ),
+        "devices.queued_disconnect" => (
+            "Queued disconnect for {0} (conns={1})",
+            "Trennung für {0} eingereiht (conns={1})",
+            "Déconnexion mise en file pour {0} (conns={1})",
+            "Deconectare pusă în coadă pentru {0} (conns={1})",
+            "Desconexión en cola para {0} (conns={1})",
+        ),
+        "devices.queued_sysinfo" => (
+            "Queued sysinfo refresh for {0}",
+            "Sysinfo-Aktualisierung für {0} eingereiht",
+            "Mise à jour sysinfo mise en file pour {0}",
+            "Reîmprospătare sysinfo pusă în coadă pentru {0}",
+            "Actualización sysinfo en cola para {0}",
+        ),
+        "devices.deleted" => (
+            "Deleted device {0}.",
+            "Gerät {0} gelöscht.",
+            "Appareil {0} supprimé.",
+            "Dispozitiv {0} șters.",
+            "Dispositivo {0} eliminado.",
+        ),
+        "devices.already_gone" => (
+            "Device already gone.",
+            "Gerät bereits entfernt.",
+            "Appareil déjà supprimé.",
+            "Dispozitivul a fost deja șters.",
+            "El dispositivo ya se eliminó.",
+        ),
+        "devices.back" => (
+            "← Back to devices",
+            "← Zurück zu Geräten",
+            "← Retour aux appareils",
+            "← Înapoi la dispozitive",
+            "← Volver a dispositivos",
+        ),
+        "devices.detail_view" => (
+            "Detail view",
+            "Detailansicht",
+            "Vue détaillée",
+            "Vizualizare detaliată",
+            "Vista detallada",
+        ),
+        "devices.device_label" => (
+            "Device",
+            "Gerät",
+            "Appareil",
+            "Dispozitiv",
+            "Dispositivo",
+        ),
+        "devices.detail_active_user" => (
+            "Active user",
+            "Aktiver Benutzer",
+            "Utilisateur actif",
+            "Utilizator activ",
+            "Usuario activo",
+        ),
+        "devices.detail_agent" => ("Agent", "Agent", "Agent", "Agent", "Agente"),
+        "devices.detail_os_runtime" => (
+            "OS (runtime)",
+            "Betriebssystem (Laufzeit)",
+            "OS (runtime)",
+            "SO (runtime)",
+            "SO (runtime)",
+        ),
+        "devices.detail_cpu_runtime" => (
+            "CPU (runtime)",
+            "CPU (Laufzeit)",
+            "CPU (runtime)",
+            "CPU (runtime)",
+            "CPU (runtime)",
+        ),
+        "devices.detail_memory_runtime" => (
+            "Memory (runtime)",
+            "Speicher (Laufzeit)",
+            "Mémoire (runtime)",
+            "Memorie (runtime)",
+            "Memoria (runtime)",
+        ),
+        "devices.inventory" => (
+            "Inventory",
+            "Inventar",
+            "Inventaire",
+            "Inventar",
+            "Inventario",
+        ),
+        "devices.inventory_pending" => (
+            "Inventory data not yet reported. The agent collects it on startup and uploads on the next sysinfo cycle (≤120 s).",
+            "Inventardaten noch nicht gemeldet. Der Agent sammelt sie beim Start und überträgt sie beim nächsten Sysinfo-Zyklus (≤120 s).",
+            "Données d'inventaire non encore signalées. L'agent les collecte au démarrage et les transmet au prochain cycle sysinfo (≤120 s).",
+            "Datele de inventar nu au fost încă raportate. Agentul le colectează la pornire și le încarcă la următorul ciclu sysinfo (≤120 s).",
+            "Aún no se han reportado datos de inventario. El agente los recopila al iniciar y los envía en el próximo ciclo sysinfo (≤120 s).",
+        ),
+        "devices.inventory_unsupported" => (
+            "Inventory data is only reported by HelloAgent. This device is running {0}; the standard RustDesk client does not collect hardware or BitLocker inventory.",
+            "Inventardaten werden nur von HelloAgent gemeldet. Auf diesem Gerät läuft {0}; der Standard-RustDesk-Client erfasst keine Hardware- oder BitLocker-Inventardaten.",
+            "Les données d'inventaire ne sont rapportées que par HelloAgent. Cet appareil exécute {0} ; le client RustDesk standard ne collecte pas l'inventaire matériel ou BitLocker.",
+            "Datele de inventar sunt raportate doar de HelloAgent. Acest dispozitiv rulează {0}; clientul RustDesk standard nu colectează inventar hardware sau BitLocker.",
+            "Los datos de inventario solo los reporta HelloAgent. Este dispositivo está ejecutando {0}; el cliente RustDesk estándar no recopila inventario de hardware ni BitLocker.",
+        ),
+        "devices.serial_number" => (
+            "Serial number",
+            "Seriennummer",
+            "Numéro de série",
+            "Număr de serie",
+            "Número de serie",
+        ),
+        "devices.manufacturer" => (
+            "Manufacturer",
+            "Hersteller",
+            "Fabricant",
+            "Producător",
+            "Fabricante",
+        ),
+        "devices.model" => ("Model", "Modell", "Modèle", "Model", "Modelo"),
+        "devices.windows_domain" => (
+            "Windows domain",
+            "Windows-Domäne",
+            "Domaine Windows",
+            "Domeniu Windows",
+            "Dominio de Windows",
+        ),
+        "devices.os_distro" => (
+            "OS distribution",
+            "OS-Distribution",
+            "Distribution OS",
+            "Distribuție SO",
+            "Distribución del SO",
+        ),
+        "devices.os_release" => (
+            "OS release",
+            "OS-Release",
+            "Version OS",
+            "Versiune SO",
+            "Versión del SO",
+        ),
+        "devices.cpu_model" => (
+            "CPU model",
+            "CPU-Modell",
+            "Modèle CPU",
+            "Model CPU",
+            "Modelo de CPU",
+        ),
+        "devices.cpu_speed" => (
+            "CPU speed (GHz)",
+            "CPU-Takt (GHz)",
+            "Vitesse CPU (GHz)",
+            "Viteză CPU (GHz)",
+            "Velocidad de CPU (GHz)",
+        ),
+        "devices.cpu_phys_cores" => (
+            "CPU physical cores",
+            "Physische CPU-Kerne",
+            "Cœurs physiques CPU",
+            "Nuclee fizice CPU",
+            "Núcleos físicos de CPU",
+        ),
+        "devices.cpu_logical_cores" => (
+            "CPU logical cores",
+            "Logische CPU-Kerne",
+            "Cœurs logiques CPU",
+            "Nuclee logice CPU",
+            "Núcleos lógicos de CPU",
+        ),
+        "devices.ram_gb" => ("RAM (GB)", "RAM (GB)", "RAM (Go)", "RAM (GB)", "RAM (GB)"),
+        "devices.disks" => (
+            "Disks",
+            "Festplatten",
+            "Disques",
+            "Discuri",
+            "Discos",
+        ),
+        "devices.disk_name" => ("Name", "Name", "Nom", "Nume", "Nombre"),
+        "devices.disk_model" => ("Model", "Modell", "Modèle", "Model", "Modelo"),
+        "devices.disk_size" => (
+            "Size (GB)",
+            "Größe (GB)",
+            "Taille (Go)",
+            "Dimensiune (GB)",
+            "Tamaño (GB)",
+        ),
+        "devices.disk_media" => ("Media", "Medium", "Support", "Suport", "Soporte"),
+        "devices.network_interfaces" => (
+            "Network interfaces",
+            "Netzwerkschnittstellen",
+            "Interfaces réseau",
+            "Interfețe de rețea",
+            "Interfaces de red",
+        ),
+        "devices.nic_description" => (
+            "Description",
+            "Beschreibung",
+            "Description",
+            "Descriere",
+            "Descripción",
+        ),
+        "devices.nic_status" => ("Status", "Status", "Statut", "Status", "Estado"),
+        "devices.wifi_current" => (
+            "Wi-Fi (current connection)",
+            "WLAN (aktuelle Verbindung)",
+            "Wi-Fi (connexion actuelle)",
+            "Wi-Fi (conexiune curentă)",
+            "Wi-Fi (conexión actual)",
+        ),
+        "devices.wifi_signal" => ("Signal", "Signal", "Signal", "Semnal", "Señal"),
+        "devices.wifi_auth" => (
+            "Authentication",
+            "Authentifizierung",
+            "Authentification",
+            "Autentificare",
+            "Autenticación",
+        ),
+        "devices.wifi_cipher" => (
+            "Cipher",
+            "Verschlüsselung",
+            "Chiffrement",
+            "Cifru",
+            "Cifrado",
+        ),
+        "devices.wifi_rate" => ("Rate", "Datenrate", "Débit", "Rată", "Velocidad"),
+        "devices.wifi_not_connected" => (
+            "Not connected to a Wi-Fi network.",
+            "Nicht mit einem WLAN-Netzwerk verbunden.",
+            "Non connecté à un réseau Wi-Fi.",
+            "Neconectat la o rețea Wi-Fi.",
+            "Sin conexión a una red Wi-Fi.",
+        ),
+        "devices.wifi_nearby" => (
+            "Nearby SSIDs ({0})",
+            "Verfügbare SSIDs ({0})",
+            "SSID à proximité ({0})",
+            "SSID-uri din apropiere ({0})",
+            "SSID cercanos ({0})",
+        ),
+        "devices.public_ip" => (
+            "Public IP (egress, last lookup)",
+            "Öffentliche IP (Egress, letzte Abfrage)",
+            "IP publique (sortie, dernière recherche)",
+            "IP publică (egress, ultima căutare)",
+            "IP pública (salida, última consulta)",
+        ),
+        "devices.public_ip_failed" => (
+            "— (lookup failed or blocked)",
+            "— (Abfrage fehlgeschlagen oder blockiert)",
+            "— (échec de la recherche ou bloqué)",
+            "— (căutare eșuată sau blocată)",
+            "— (consulta fallida o bloqueada)",
+        ),
+        "devices.bitlocker" => (
+            "BitLocker recovery key (system drive)",
+            "BitLocker-Wiederherstellungsschlüssel (Systemlaufwerk)",
+            "Clé de récupération BitLocker (disque système)",
+            "Cheie de recuperare BitLocker (unitate de sistem)",
+            "Clave de recuperación BitLocker (unidad del sistema)",
+        ),
+        "devices.bitlocker_unavailable" => (
+            "— (not reported; non-Pro SKU, not encrypted, or no admin rights)",
+            "— (nicht gemeldet; keine Pro-Edition, nicht verschlüsselt oder keine Admin-Rechte)",
+            "— (non signalé ; édition non Pro, non chiffré, ou pas de droits admin)",
+            "— (neraportat; ediție non-Pro, necriptat sau fără drepturi de admin)",
+            "— (no reportado; edición no Pro, sin cifrar o sin permisos de administrador)",
+        ),
+        "devices.no_device_with_id" => (
+            "No device with peer ID",
+            "Kein Gerät mit Peer-ID",
+            "Aucun appareil avec l'ID de pair",
+            "Niciun dispozitiv cu ID-ul peer",
+            "Ningún dispositivo con el ID de par",
+        ),
+        "devices.in_dashboard" => (
+            "in the dashboard.",
+            "im Dashboard.",
+            "dans le tableau de bord.",
+            "în panou.",
+            "en el panel.",
+        ),
+        "devices.devices_count" => (
+            "{0} device(s).",
+            "{0} Gerät(e).",
+            "{0} appareil(s).",
+            "{0} dispozitiv(e).",
+            "{0} dispositivo(s).",
+        ),
+
+        // ---- groups ----
+        "groups.heading" => (
+            "Device groups",
+            "Gerätegruppen",
+            "Groupes d'appareils",
+            "Grupuri de dispozitive",
+            "Grupos de dispositivos",
+        ),
+        "groups.create_heading" => (
+            "Create group",
+            "Gruppe erstellen",
+            "Créer un groupe",
+            "Creează grup",
+            "Crear grupo",
+        ),
+        "groups.group_name" => (
+            "group name",
+            "Gruppenname",
+            "nom du groupe",
+            "nume grup",
+            "nombre del grupo",
+        ),
+        "groups.name_required" => (
+            "Name required",
+            "Name erforderlich",
+            "Nom requis",
+            "Nume necesar",
+            "Se requiere el nombre",
+        ),
+        "groups.created" => (
+            "Group '{0}' created.",
+            "Gruppe „{0}\" erstellt.",
+            "Groupe « {0} » créé.",
+            "Grupul „{0}\" creat.",
+            "Grupo «{0}» creado.",
+        ),
+        "groups.deleted" => (
+            "Group deleted.",
+            "Gruppe gelöscht.",
+            "Groupe supprimé.",
+            "Grup șters.",
+            "Grupo eliminado.",
+        ),
+        "groups.no_groups" => (
+            "No device groups yet.",
+            "Noch keine Gerätegruppen.",
+            "Aucun groupe d'appareils.",
+            "Nu există încă grupuri.",
+            "Aún no hay grupos de dispositivos.",
+        ),
+        "groups.delete_group" => (
+            "Delete group",
+            "Gruppe löschen",
+            "Supprimer le groupe",
+            "Șterge grup",
+            "Eliminar grupo",
+        ),
+        "groups.confirm_delete" => (
+            "Delete group {0}? Members aren't deleted; just unassigned.",
+            "Gruppe {0} löschen? Mitglieder werden nicht gelöscht, nur die Zuordnung wird entfernt.",
+            "Supprimer le groupe {0} ? Les membres ne sont pas supprimés, seulement désassignés.",
+            "Ștergeți grupul {0}? Membrii nu sunt șterși, doar dezasignați.",
+            "¿Eliminar el grupo {0}? Los miembros no se eliminan; solo se desasignan.",
+        ),
+        "groups.users" => (
+            "Users",
+            "Benutzer",
+            "Utilisateurs",
+            "Utilizatori",
+            "Usuarios",
+        ),
+        "groups.no_user_members" => (
+            "No user members yet.",
+            "Noch keine Benutzer als Mitglieder.",
+            "Aucun utilisateur membre.",
+            "Niciun utilizator membru.",
+            "Aún no hay usuarios miembros.",
+        ),
+        "groups.add_user" => (
+            "Add user",
+            "Benutzer hinzufügen",
+            "Ajouter utilisateur",
+            "Adaugă utilizator",
+            "Añadir usuario",
+        ),
+        "groups.devices_section" => (
+            "Devices",
+            "Geräte",
+            "Appareils",
+            "Dispozitive",
+            "Dispositivos",
+        ),
+        "groups.no_peer_members" => (
+            "No devices added directly. (Devices owned by user members above are also visible to them.)",
+            "Keine Geräte direkt hinzugefügt. (Geräte der oben genannten Benutzer-Mitglieder sind ebenfalls sichtbar.)",
+            "Aucun appareil ajouté directement. (Les appareils possédés par les membres ci-dessus leur sont aussi visibles.)",
+            "Nu există dispozitive adăugate direct. (Dispozitivele deținute de membrii de mai sus sunt vizibile pentru aceștia.)",
+            "No se añadieron dispositivos directamente. (Los dispositivos de los miembros anteriores también son visibles para ellos.)",
+        ),
+        "groups.unowned" => (
+            "unowned",
+            "ohne Besitzer",
+            "sans propriétaire",
+            "fără proprietar",
+            "sin propietario",
+        ),
+        "groups.owner_label" => (
+            "owner: {0}",
+            "Besitzer: {0}",
+            "propriétaire : {0}",
+            "proprietar: {0}",
+            "propietario: {0}",
+        ),
+        "groups.add_device" => (
+            "Add device",
+            "Gerät hinzufügen",
+            "Ajouter appareil",
+            "Adaugă dispozitiv",
+            "Añadir dispositivo",
+        ),
+        "groups.peer_id_placeholder" => (
+            "Device ID (e.g. 123456789)",
+            "Geräte-ID (z. B. 123456789)",
+            "ID d'appareil (ex. 123456789)",
+            "ID dispozitiv (ex. 123456789)",
+            "ID de dispositivo (p. ej. 123456789)",
+        ),
+        "groups.peer_id_required" => (
+            "Device ID required",
+            "Geräte-ID erforderlich",
+            "ID d'appareil requis",
+            "ID dispozitiv necesar",
+            "Se requiere el ID del dispositivo",
+        ),
+        "groups.no_device_yet" => (
+            "No device '{0}' has reported in yet.",
+            "Es hat sich noch kein Gerät „{0}\" gemeldet.",
+            "Aucun appareil « {0} » ne s'est encore manifesté.",
+            "Niciun dispozitiv „{0}\" nu s-a raportat încă.",
+            "Ningún dispositivo «{0}» se ha reportado aún.",
+        ),
+
+        // ---- strategies ----
+        "strategies.heading" => (
+            "Strategies",
+            "Strategien",
+            "Stratégies",
+            "Strategii",
+            "Estrategias",
+        ),
+        "strategies.tagline" => (
+            "Pushed to clients via heartbeat. Use SQL to assign — strategy_assignments(strategy_id, user_id|device_group_id|peer_id, priority).",
+            "Wird Clients per Heartbeat zugestellt. Zur Zuweisung SQL verwenden — strategy_assignments(strategy_id, user_id|device_group_id|peer_id, priority).",
+            "Distribué aux clients via heartbeat. Utilisez SQL pour assigner — strategy_assignments(strategy_id, user_id|device_group_id|peer_id, priority).",
+            "Trimis clienților prin heartbeat. Folosiți SQL pentru atribuire — strategy_assignments(strategy_id, user_id|device_group_id|peer_id, priority).",
+            "Se envía a los clientes por heartbeat. Usa SQL para asignar — strategy_assignments(strategy_id, user_id|device_group_id|peer_id, priority).",
+        ),
+        "strategies.create_heading" => (
+            "Create strategy",
+            "Strategie erstellen",
+            "Créer une stratégie",
+            "Creează strategie",
+            "Crear estrategia",
+        ),
+        "strategies.name_unique" => (
+            "name (unique)",
+            "Name (eindeutig)",
+            "nom (unique)",
+            "nume (unic)",
+            "nombre (único)",
+        ),
+        "strategies.json_obj_required" => (
+            "config_options must be a JSON object",
+            "config_options muss ein JSON-Objekt sein",
+            "config_options doit être un objet JSON",
+            "config_options trebuie să fie un obiect JSON",
+            "config_options debe ser un objeto JSON",
+        ),
+        "strategies.invalid_json" => (
+            "invalid JSON: {0}",
+            "ungültiges JSON: {0}",
+            "JSON invalide : {0}",
+            "JSON invalid: {0}",
+            "JSON inválido: {0}",
+        ),
+        "strategies.created" => (
+            "Strategy '{0}' created.",
+            "Strategie „{0}\" erstellt.",
+            "Stratégie « {0} » créée.",
+            "Strategie „{0}\" creată.",
+            "Estrategia «{0}» creada.",
+        ),
+        "strategies.updated" => (
+            "Strategy updated.",
+            "Strategie aktualisiert.",
+            "Stratégie mise à jour.",
+            "Strategie actualizată.",
+            "Estrategia actualizada.",
+        ),
+        "strategies.deleted" => (
+            "Strategy deleted.",
+            "Strategie gelöscht.",
+            "Stratégie supprimée.",
+            "Strategie ștearsă.",
+            "Estrategia eliminada.",
+        ),
+        "strategies.no_strategies" => (
+            "No strategies yet.",
+            "Noch keine Strategien.",
+            "Aucune stratégie.",
+            "Nu există încă strategii.",
+            "Aún no hay estrategias.",
+        ),
+        "strategies.config_label" => (
+            "config_options (JSON object)",
+            "config_options (JSON-Objekt)",
+            "config_options (objet JSON)",
+            "config_options (obiect JSON)",
+            "config_options (objeto JSON)",
+        ),
+        "strategies.confirm_delete" => (
+            "Delete strategy {0}? Assignments will be cleaned up too.",
+            "Strategie {0} löschen? Zuweisungen werden ebenfalls bereinigt.",
+            "Supprimer la stratégie {0} ? Les affectations seront également nettoyées.",
+            "Ștergeți strategia {0}? Atribuirile vor fi curățate de asemenea.",
+            "¿Eliminar la estrategia {0}? También se limpiarán las asignaciones.",
+        ),
+        "strategies.id_modified" => (
+            "id={0}, modified_at={1}",
+            "id={0}, modified_at={1}",
+            "id={0}, modified_at={1}",
+            "id={0}, modified_at={1}",
+            "id={0}, modified_at={1}",
+        ),
+
+        // ---- address books ----
+        "ab.heading" => (
+            "Address books",
+            "Adressbücher",
+            "Carnets d'adresses",
+            "Agende",
+            "Libretas de direcciones",
+        ),
+        "ab.tagline" => (
+            "Personal books are owned by users and managed from their desktop client. Shared books are server-side: create one here, share it with users / rules, and the client picks it up on its next AB sync.",
+            "Persönliche Adressbücher gehören Benutzern und werden im Desktop-Client verwaltet. Geteilte Adressbücher sind serverseitig: Erstellen Sie hier eines, teilen Sie es mit Benutzern/Regeln, und der Client übernimmt es bei der nächsten AB-Synchronisierung.",
+            "Les carnets personnels appartiennent aux utilisateurs et sont gérés depuis leur client de bureau. Les carnets partagés sont côté serveur : créez-en un ici, partagez-le avec des utilisateurs / règles, et le client le récupère à la prochaine synchronisation.",
+            "Agendele personale aparțin utilizatorilor și sunt gestionate din clientul desktop. Agendele partajate sunt pe server: creați una aici, partajați-o cu utilizatori / reguli, iar clientul o preia la următoarea sincronizare.",
+            "Las libretas personales son de los usuarios y se gestionan desde su cliente de escritorio. Las libretas compartidas están en el servidor: crea una aquí, compártela con usuarios/reglas, y el cliente la recogerá en su próxima sincronización.",
+        ),
+        "ab.new_shared" => (
+            "New shared book",
+            "Neues geteiltes Adressbuch",
+            "Nouveau carnet partagé",
+            "Agendă partajată nouă",
+            "Nueva libreta compartida",
+        ),
+        "ab.name_required" => (
+            "Name is required.",
+            "Name ist erforderlich.",
+            "Le nom est requis.",
+            "Numele este obligatoriu.",
+            "El nombre es obligatorio.",
+        ),
+        "ab.created" => (
+            "Shared address book '{0}' created.",
+            "Geteiltes Adressbuch „{0}\" erstellt.",
+            "Carnet partagé « {0} » créé.",
+            "Agenda partajată „{0}\" creată.",
+            "Libreta compartida «{0}» creada.",
+        ),
+        "ab.exists" => (
+            "An address book with that name already exists.",
+            "Ein Adressbuch mit diesem Namen existiert bereits.",
+            "Un carnet avec ce nom existe déjà.",
+            "Există deja o agendă cu acest nume.",
+            "Ya existe una libreta con ese nombre.",
+        ),
+        "ab.create_failed" => (
+            "Create failed: {0}",
+            "Erstellen fehlgeschlagen: {0}",
+            "Échec de la création : {0}",
+            "Creare eșuată: {0}",
+            "Error al crear: {0}",
+        ),
+        "ab.deleted" => ("Deleted.", "Gelöscht.", "Supprimé.", "Șters.", "Eliminado."),
+        "ab.not_found" => (
+            "Address book not found.",
+            "Adressbuch nicht gefunden.",
+            "Carnet d'adresses introuvable.",
+            "Agenda nu a fost găsită.",
+            "Libreta de direcciones no encontrada.",
+        ),
+        "ab.no_books" => (
+            "No address books exist yet.",
+            "Es existieren noch keine Adressbücher.",
+            "Aucun carnet n'existe encore.",
+            "Nu există încă agende.",
+            "Aún no existen libretas de direcciones.",
+        ),
+        "ab.col_owner" => (
+            "Owner",
+            "Besitzer",
+            "Propriétaire",
+            "Proprietar",
+            "Propietario",
+        ),
+        "ab.col_kind" => ("Kind", "Art", "Type", "Tip", "Tipo"),
+        "ab.col_name" => ("Name", "Name", "Nom", "Nume", "Nombre"),
+        "ab.col_peers" => ("Peers", "Peers", "Pairs", "Peers", "Pares"),
+        "ab.col_guid" => ("GUID", "GUID", "GUID", "GUID", "GUID"),
+        "ab.col_created" => ("Created", "Erstellt", "Créé", "Creat", "Creado"),
+        "ab.kind_personal" => (
+            "personal",
+            "persönlich",
+            "personnel",
+            "personal",
+            "personal",
+        ),
+        "ab.kind_shared" => ("shared", "geteilt", "partagé", "partajat", "compartida"),
+        "ab.manage_shares" => (
+            "Manage shares",
+            "Freigaben verwalten",
+            "Gérer les partages",
+            "Gestionează partajări",
+            "Gestionar compartidos",
+        ),
+        "ab.delete_book" => (
+            "Delete book",
+            "Adressbuch löschen",
+            "Supprimer le carnet",
+            "Șterge agenda",
+            "Eliminar libreta",
+        ),
+        "ab.confirm_delete_shared" => (
+            "Delete shared book '{0}'? Peers, tags, and shares will be removed.",
+            "Geteiltes Adressbuch „{0}\" löschen? Peers, Tags und Freigaben werden entfernt.",
+            "Supprimer le carnet partagé « {0} » ? Les pairs, étiquettes et partages seront retirés.",
+            "Ștergeți agenda partajată „{0}\"? Peer-urile, etichetele și partajările vor fi eliminate.",
+            "¿Eliminar la libreta compartida «{0}»? Se eliminarán pares, etiquetas y compartidos.",
+        ),
+        "ab.confirm_delete_personal" => (
+            "Delete {0}'s personal book? This wipes all peers and tags on the server. If {0}'s desktop client is still signed in, it will recreate an empty personal book on its next sync (~30 s).",
+            "Persönliches Adressbuch von {0} löschen? Damit werden alle Peers und Tags auf dem Server gelöscht. Wenn der Desktop-Client von {0} noch angemeldet ist, wird beim nächsten Sync (~30 s) ein leeres persönliches Adressbuch erstellt.",
+            "Supprimer le carnet personnel de {0} ? Cela efface tous les pairs et étiquettes sur le serveur. Si le client de bureau de {0} est encore connecté, il recréera un carnet personnel vide à la prochaine synchronisation (~30 s).",
+            "Ștergeți agenda personală a lui {0}? Aceasta șterge toți peer-ii și etichetele de pe server. Dacă clientul desktop al lui {0} este încă conectat, va recrea o agendă personală goală la următoarea sincronizare (~30 s).",
+            "¿Eliminar la libreta personal de {0}? Esto borra todos los pares y etiquetas en el servidor. Si el cliente de escritorio de {0} sigue conectado, recreará una libreta personal vacía en la próxima sincronización (~30 s).",
+        ),
+        "ab.manage_heading" => (
+            "Manage shares",
+            "Freigaben verwalten",
+            "Gérer les partages",
+            "Gestionează partajări",
+            "Gestionar compartidos",
+        ),
+        "ab.add_or_update" => (
+            "Add or update a share",
+            "Freigabe hinzufügen oder aktualisieren",
+            "Ajouter ou mettre à jour un partage",
+            "Adaugă sau actualizează o partajare",
+            "Añadir o actualizar un compartido",
+        ),
+        "ab.user_label" => (
+            "User",
+            "Benutzer",
+            "Utilisateur",
+            "Utilizator",
+            "Usuario",
+        ),
+        "ab.no_users" => (
+            "No users defined",
+            "Keine Benutzer definiert",
+            "Aucun utilisateur défini",
+            "Niciun utilizator definit",
+            "Sin usuarios definidos",
+        ),
+        "ab.existing_will_update" => (
+            " (existing — will update rule)",
+            " (existiert — Regel wird aktualisiert)",
+            " (existant — la règle sera mise à jour)",
+            " (existent — regula va fi actualizată)",
+            " (existente — se actualizará la regla)",
+        ),
+        "ab.rule" => ("Rule", "Regel", "Règle", "Regulă", "Regla"),
+        "ab.rule_read" => ("Read", "Lesen", "Lecture", "Citire", "Lectura"),
+        "ab.rule_read_write" => (
+            "Read + write",
+            "Lesen + Schreiben",
+            "Lecture + écriture",
+            "Citire + scriere",
+            "Lectura + escritura",
+        ),
+        "ab.rule_full" => (
+            "Full",
+            "Vollständig",
+            "Complet",
+            "Complet",
+            "Completo",
+        ),
+        "ab.invalid_rule" => (
+            "Invalid rule.",
+            "Ungültige Regel.",
+            "Règle invalide.",
+            "Regulă invalidă.",
+            "Regla inválida.",
+        ),
+        "ab.share_saved" => (
+            "Share saved.",
+            "Freigabe gespeichert.",
+            "Partage enregistré.",
+            "Partajare salvată.",
+            "Compartido guardado.",
+        ),
+        "ab.share_removed" => (
+            "Share removed.",
+            "Freigabe entfernt.",
+            "Partage supprimé.",
+            "Partajare eliminată.",
+            "Compartido eliminado.",
+        ),
+        "ab.current_shares" => (
+            "Current shares ({0})",
+            "Aktuelle Freigaben ({0})",
+            "Partages actuels ({0})",
+            "Partajări curente ({0})",
+            "Compartidos actuales ({0})",
+        ),
+        "ab.no_shares" => (
+            "No shares yet. The book is invisible to non-owners until you add at least one user share.",
+            "Noch keine Freigaben. Das Adressbuch ist für Nicht-Besitzer unsichtbar, bis mindestens eine Benutzer-Freigabe hinzugefügt wird.",
+            "Aucun partage. Le carnet est invisible pour les non-propriétaires jusqu'à ce qu'au moins un partage utilisateur soit ajouté.",
+            "Nu există partajări. Agenda este invizibilă pentru cei care nu sunt proprietari până când adăugați cel puțin o partajare către un utilizator.",
+            "Aún no hay compartidos. La libreta es invisible para los no propietarios hasta que añadas al menos un compartido con un usuario.",
+        ),
+        "ab.confirm_remove" => (
+            "Remove {0}'s access?",
+            "Zugriff von {0} entfernen?",
+            "Retirer l'accès de {0} ?",
+            "Eliminați accesul lui {0}?",
+            "¿Quitar el acceso de {0}?",
+        ),
+        "ab.personal_managed_at_client" => (
+            "Personal address books are managed from the desktop client.",
+            "Persönliche Adressbücher werden im Desktop-Client verwaltet.",
+            "Les carnets d'adresses personnels sont gérés depuis le client de bureau.",
+            "Agendele personale sunt gestionate din clientul desktop.",
+            "Las libretas personales se gestionan desde el cliente de escritorio.",
+        ),
+
+        // ---- audit ----
+        "audit.heading" => (
+            "Audit log",
+            "Audit-Protokoll",
+            "Journal d'audit",
+            "Jurnal de audit",
+            "Registro de auditoría",
+        ),
+        "audit.latest" => (
+            "Latest {0} rows.",
+            "Letzte {0} Einträge.",
+            "Dernières {0} lignes.",
+            "Ultimele {0} rânduri.",
+            "Últimas {0} filas.",
+        ),
+        "audit.tab_conn" => (
+            "Connections",
+            "Verbindungen",
+            "Connexions",
+            "Conexiuni",
+            "Conexiones",
+        ),
+        "audit.tab_file" => (
+            "File transfers",
+            "Dateiübertragungen",
+            "Transferts de fichiers",
+            "Transferuri de fișiere",
+            "Transferencias de archivos",
+        ),
+        "audit.tab_alarm" => ("Alarms", "Alarme", "Alarmes", "Alarme", "Alarmas"),
+        "audit.col_when" => ("When", "Wann", "Quand", "Când", "Cuándo"),
+        "audit.col_peer" => ("Peer", "Peer", "Pair", "Peer", "Par"),
+        "audit.col_conn_session" => (
+            "Conn / Session",
+            "Verb. / Sitzung",
+            "Conn / Session",
+            "Conn / Sesiune",
+            "Conn / Sesión",
+        ),
+        "audit.col_ip" => ("IP", "IP", "IP", "IP", "IP"),
+        "audit.col_action" => ("Action", "Aktion", "Action", "Acțiune", "Acción"),
+        "audit.col_note" => ("Note", "Notiz", "Note", "Notă", "Nota"),
+        "audit.col_direction" => (
+            "Direction",
+            "Richtung",
+            "Direction",
+            "Direcție",
+            "Dirección",
+        ),
+        "audit.col_path" => ("Path", "Pfad", "Chemin", "Cale", "Ruta"),
+        "audit.col_remote" => ("Remote", "Remote", "Distant", "Remote", "Remoto"),
+        "audit.col_type" => ("Type", "Typ", "Type", "Tip", "Tipo"),
+        "audit.col_info" => ("Info", "Info", "Info", "Info", "Info"),
+        "audit.no_conn" => (
+            "No connection audit rows yet.",
+            "Noch keine Verbindungs-Audit-Einträge.",
+            "Aucune ligne d'audit de connexion.",
+            "Nu există încă rânduri de audit pentru conexiuni.",
+            "Aún no hay filas de auditoría de conexiones.",
+        ),
+        "audit.no_file" => (
+            "No file-transfer audit rows yet.",
+            "Noch keine Dateiübertragungs-Audit-Einträge.",
+            "Aucune ligne d'audit de transfert de fichiers.",
+            "Nu există încă rânduri de audit pentru transferuri.",
+            "Aún no hay filas de auditoría de transferencias de archivos.",
+        ),
+        "audit.no_alarm" => (
+            "No alarm audit rows yet.",
+            "Noch keine Alarm-Audit-Einträge.",
+            "Aucune ligne d'audit d'alarme.",
+            "Nu există încă rânduri de audit pentru alarme.",
+            "Aún no hay filas de auditoría de alarmas.",
+        ),
+        "audit.dir_to_remote" => (
+            "→ remote",
+            "→ remote",
+            "→ distant",
+            "→ remote",
+            "→ remoto",
+        ),
+        "audit.dir_from_remote" => (
+            "← remote",
+            "← remote",
+            "← distant",
+            "← remote",
+            "← remoto",
+        ),
+
+        // ---- profile ----
+        "profile.heading" => ("Profile", "Profil", "Profil", "Profil", "Perfil"),
+        "profile.signed_in_as" => (
+            "Signed in as",
+            "Angemeldet als",
+            "Connecté en tant que",
+            "Conectat ca",
+            "Conectado como",
+        ),
+        "profile.info_heading" => (
+            "Profile info",
+            "Profilinformationen",
+            "Informations du profil",
+            "Informații profil",
+            "Información del perfil",
+        ),
+        "profile.display_name" => (
+            "Display name",
+            "Anzeigename",
+            "Nom affiché",
+            "Nume afișat",
+            "Nombre visible",
+        ),
+        "profile.email" => ("Email", "E-Mail", "E-mail", "Email", "Correo"),
+        "profile.profile_updated" => (
+            "Profile updated.",
+            "Profil aktualisiert.",
+            "Profil mis à jour.",
+            "Profil actualizat.",
+            "Perfil actualizado.",
+        ),
+        "profile.password_heading" => (
+            "Change password",
+            "Passwort ändern",
+            "Changer le mot de passe",
+            "Schimbă parola",
+            "Cambiar contraseña",
+        ),
+        "profile.password_oidc" => (
+            "Password",
+            "Passwort",
+            "Mot de passe",
+            "Parolă",
+            "Contraseña",
+        ),
+        "profile.password_oidc_msg" => (
+            "Your account signs in via your organisation's identity provider — there's no local password to change here.",
+            "Ihr Konto meldet sich über den Identitätsanbieter Ihrer Organisation an — hier gibt es kein lokales Passwort zum Ändern.",
+            "Votre compte se connecte via le fournisseur d'identité de votre organisation — il n'y a pas de mot de passe local à changer ici.",
+            "Contul dvs. se autentifică prin furnizorul de identitate al organizației dvs. — nu există o parolă locală de schimbat aici.",
+            "Tu cuenta inicia sesión a través del proveedor de identidad de tu organización — no hay una contraseña local que cambiar aquí.",
+        ),
+        "profile.current_password" => (
+            "current password",
+            "aktuelles Passwort",
+            "mot de passe actuel",
+            "parola curentă",
+            "contraseña actual",
+        ),
+        "profile.new_password" => (
+            "new password",
+            "neues Passwort",
+            "nouveau mot de passe",
+            "parolă nouă",
+            "nueva contraseña",
+        ),
+        "profile.confirm_new" => (
+            "confirm new",
+            "neues bestätigen",
+            "confirmer",
+            "confirmă",
+            "confirmar nueva",
+        ),
+        "profile.update_password" => (
+            "Update password",
+            "Passwort aktualisieren",
+            "Mettre à jour le mot de passe",
+            "Actualizează parola",
+            "Actualizar contraseña",
+        ),
+        "profile.password_updated" => (
+            "Password updated.",
+            "Passwort aktualisiert.",
+            "Mot de passe mis à jour.",
+            "Parolă actualizată.",
+            "Contraseña actualizada.",
+        ),
+        "profile.password_oidc_change" => (
+            "Your account signs in via the identity provider — change the password there.",
+            "Ihr Konto meldet sich über den Identitätsanbieter an — ändern Sie das Passwort dort.",
+            "Votre compte se connecte via le fournisseur d'identité — changez le mot de passe là-bas.",
+            "Contul dvs. se autentifică prin furnizorul de identitate — schimbați parola acolo.",
+            "Tu cuenta inicia sesión a través del proveedor de identidad — cambia la contraseña ahí.",
+        ),
+        "profile.password_min" => (
+            "New password must be at least 4 characters.",
+            "Das neue Passwort muss mindestens 4 Zeichen lang sein.",
+            "Le nouveau mot de passe doit contenir au moins 4 caractères.",
+            "Parola nouă trebuie să aibă cel puțin 4 caractere.",
+            "La nueva contraseña debe tener al menos 4 caracteres.",
+        ),
+        "profile.password_mismatch" => (
+            "New password and confirmation don't match.",
+            "Neues Passwort und Bestätigung stimmen nicht überein.",
+            "Le nouveau mot de passe et la confirmation ne correspondent pas.",
+            "Parola nouă și confirmarea nu se potrivesc.",
+            "La nueva contraseña y la confirmación no coinciden.",
+        ),
+        "profile.current_incorrect" => (
+            "Current password is incorrect.",
+            "Aktuelles Passwort ist falsch.",
+            "Le mot de passe actuel est incorrect.",
+            "Parola curentă este incorectă.",
+            "La contraseña actual es incorrecta.",
+        ),
+        "profile.tfa" => (
+            "Two-factor authentication",
+            "Zwei-Faktor-Authentifizierung",
+            "Authentification à deux facteurs",
+            "Autentificare în doi pași",
+            "Autenticación en dos pasos",
+        ),
+        "profile.tfa_oidc_msg" => (
+            "MFA is managed by your identity provider — local TOTP isn't used for OIDC sign-ins.",
+            "MFA wird von Ihrem Identitätsanbieter verwaltet — lokales TOTP wird für OIDC-Anmeldungen nicht verwendet.",
+            "La MFA est gérée par votre fournisseur d'identité — le TOTP local n'est pas utilisé pour les connexions OIDC.",
+            "MFA este gestionată de furnizorul de identitate — TOTP local nu este folosit pentru autentificările OIDC.",
+            "La MFA la gestiona tu proveedor de identidad — el TOTP local no se usa en los inicios de sesión OIDC.",
+        ),
+        "profile.tfa_enrolled_msg" => (
+            "Sign-ins require a 6-digit code from your authenticator.",
+            "Anmeldungen erfordern einen 6-stelligen Code aus Ihrer Authenticator-App.",
+            "Les connexions nécessitent un code à 6 chiffres de votre authentificateur.",
+            "Autentificările necesită un cod din 6 cifre din aplicația de autentificare.",
+            "Los inicios de sesión requieren un código de 6 dígitos de tu autenticador.",
+        ),
+        "profile.tfa_disable" => (
+            "Disable TOTP",
+            "TOTP deaktivieren",
+            "Désactiver TOTP",
+            "Dezactivează TOTP",
+            "Deshabilitar TOTP",
+        ),
+        "profile.tfa_confirm_remove" => (
+            "Remove TOTP from your account?",
+            "TOTP aus Ihrem Konto entfernen?",
+            "Supprimer TOTP de votre compte ?",
+            "Eliminați TOTP din contul dvs.?",
+            "¿Quitar TOTP de tu cuenta?",
+        ),
+        "profile.tfa_intro" => (
+            "Add a TOTP authenticator (1Password, Authy, Google Authenticator, etc.) so sign-ins also require a 6-digit code.",
+            "Fügen Sie einen TOTP-Authenticator hinzu (1Password, Authy, Google Authenticator usw.), damit Anmeldungen zusätzlich einen 6-stelligen Code erfordern.",
+            "Ajoutez un authentificateur TOTP (1Password, Authy, Google Authenticator, etc.) pour que les connexions nécessitent aussi un code à 6 chiffres.",
+            "Adăugați un autentificator TOTP (1Password, Authy, Google Authenticator etc.) pentru ca autentificările să necesite și un cod din 6 cifre.",
+            "Añade un autenticador TOTP (1Password, Authy, Google Authenticator, etc.) para que los inicios de sesión también requieran un código de 6 dígitos.",
+        ),
+        "profile.tfa_enroll" => (
+            "Enroll TOTP",
+            "TOTP registrieren",
+            "Activer TOTP",
+            "Activează TOTP",
+            "Activar TOTP",
+        ),
+        "profile.tfa_already" => (
+            "You already have TOTP enrolled. Disable it first if you want to re-enroll.",
+            "Sie haben TOTP bereits registriert. Deaktivieren Sie es zuerst, wenn Sie es erneut registrieren möchten.",
+            "TOTP est déjà activé. Désactivez-le d'abord pour le réactiver.",
+            "TOTP este deja activat. Dezactivați-l mai întâi dacă doriți să îl reactivați.",
+            "Ya tienes TOTP activado. Desactívalo primero si quieres volver a activarlo.",
+        ),
+        "profile.tfa_confirm_heading" => (
+            "Confirm TOTP enrollment",
+            "TOTP-Registrierung bestätigen",
+            "Confirmer l'activation TOTP",
+            "Confirmă activarea TOTP",
+            "Confirmar activación TOTP",
+        ),
+        "profile.tfa_confirm_intro" => (
+            "Scan the QR code with your authenticator app, then enter the 6-digit code it shows to confirm. Nothing is enrolled until you submit a valid code.",
+            "Scannen Sie den QR-Code mit Ihrer Authenticator-App und geben Sie dann den 6-stelligen Code zur Bestätigung ein. Es wird nichts gespeichert, bis Sie einen gültigen Code übermitteln.",
+            "Scannez le QR code avec votre application d'authentification, puis saisissez le code à 6 chiffres pour confirmer. Rien n'est activé tant que vous n'avez pas soumis un code valide.",
+            "Scanați codul QR cu aplicația dvs. de autentificare, apoi introduceți codul din 6 cifre pentru a confirma. Nimic nu este activat până nu trimiteți un cod valid.",
+            "Escanea el código QR con tu aplicación de autenticación, luego introduce el código de 6 dígitos para confirmar. Nada queda activado hasta que envíes un código válido.",
+        ),
+        "profile.tfa_secret_manual" => (
+            "Secret (manual entry):",
+            "Geheimnis (manuelle Eingabe):",
+            "Secret (saisie manuelle) :",
+            "Secret (introducere manuală):",
+            "Secreto (introducción manual):",
+        ),
+        "profile.tfa_missing_secret" => (
+            "Missing secret in confirm form.",
+            "Geheimnis im Bestätigungsformular fehlt.",
+            "Secret manquant dans le formulaire de confirmation.",
+            "Lipsește secretul din formularul de confirmare.",
+            "Falta el secreto en el formulario de confirmación.",
+        ),
+        "profile.tfa_bad_code" => (
+            "Code didn't match. Try again — make sure the time on the authenticator device is in sync.",
+            "Code stimmt nicht. Versuchen Sie es erneut — stellen Sie sicher, dass die Uhrzeit auf dem Authenticator-Gerät synchronisiert ist.",
+            "Le code ne correspond pas. Réessayez — assurez-vous que l'heure de l'appareil d'authentification est synchronisée.",
+            "Codul nu se potrivește. Încercați din nou — asigurați-vă că ora de pe dispozitivul de autentificare este sincronizată.",
+            "El código no coincide. Inténtalo de nuevo — asegúrate de que la hora del dispositivo de autenticación esté sincronizada.",
+        ),
+        "profile.tfa_enrolled" => (
+            "TOTP enrolled. Future sign-ins will require a 6-digit code.",
+            "TOTP registriert. Zukünftige Anmeldungen erfordern einen 6-stelligen Code.",
+            "TOTP activé. Les connexions futures nécessiteront un code à 6 chiffres.",
+            "TOTP activat. Autentificările viitoare vor necesita un cod din 6 cifre.",
+            "TOTP activado. Los próximos inicios de sesión requerirán un código de 6 dígitos.",
+        ),
+        "profile.tfa_current_pw_incorrect" => (
+            "Current password is incorrect — TOTP not removed.",
+            "Aktuelles Passwort ist falsch — TOTP wurde nicht entfernt.",
+            "Le mot de passe actuel est incorrect — TOTP non supprimé.",
+            "Parola curentă este incorectă — TOTP nu a fost eliminat.",
+            "La contraseña actual es incorrecta — TOTP no se eliminó.",
+        ),
+        "profile.tfa_removed" => (
+            "TOTP removed.",
+            "TOTP entfernt.",
+            "TOTP supprimé.",
+            "TOTP eliminat.",
+            "TOTP eliminado.",
+        ),
+
+        // ---- deploy ----
+        "deploy.heading" => (
+            "Deploy",
+            "Bereitstellen",
+            "Déployer",
+            "Implementare",
+            "Implementación",
+        ),
+        "deploy.intro" => (
+            "Generate a config blob the stock client accepts via <code>rustdesk --config &lt;blob&gt;</code>, or the equivalent renamed-installer filename. The public key below is read from <code>id_ed25519.pub</code> on the server; override if you bootstrapped a custom keypair.",
+            "Erzeugen Sie ein Konfig-Blob, das der Standard-Client per <code>rustdesk --config &lt;blob&gt;</code> akzeptiert, oder den entsprechenden umbenannten Installer-Dateinamen. Der öffentliche Schlüssel unten wird aus <code>id_ed25519.pub</code> auf dem Server gelesen; überschreiben Sie ihn bei einem benutzerdefinierten Schlüsselpaar.",
+            "Générez un blob de configuration que le client standard accepte via <code>rustdesk --config &lt;blob&gt;</code>, ou le nom d'installeur renommé équivalent. La clé publique ci-dessous est lue depuis <code>id_ed25519.pub</code> sur le serveur ; remplacez-la si vous avez initialisé une paire de clés personnalisée.",
+            "Generați un blob de configurare pe care clientul standard îl acceptă prin <code>rustdesk --config &lt;blob&gt;</code>, sau numele de fișier echivalent al instalatorului redenumit. Cheia publică de mai jos este citită din <code>id_ed25519.pub</code> de pe server; suprascrieți dacă ați inițializat o pereche de chei personalizată.",
+            "Genera un blob de configuración que el cliente estándar acepta vía <code>rustdesk --config &lt;blob&gt;</code>, o el nombre de archivo equivalente del instalador renombrado. La clave pública de abajo se lee de <code>id_ed25519.pub</code> en el servidor; sobrescríbela si inicializaste un par de claves personalizado.",
+        ),
+        "deploy.host_label" => (
+            "Rendezvous host (required)",
+            "Rendezvous-Host (erforderlich)",
+            "Hôte rendezvous (requis)",
+            "Gazdă rendezvous (obligatoriu)",
+            "Host rendezvous (obligatorio)",
+        ),
+        "deploy.host_hint" => (
+            "The hostname or IP clients reach hbbs at (TCP/UDP 21116).",
+            "Der Hostname oder die IP, über die Clients hbbs erreichen (TCP/UDP 21116).",
+            "Le nom d'hôte ou l'IP par laquelle les clients atteignent hbbs (TCP/UDP 21116).",
+            "Numele de gazdă sau IP-ul prin care clienții ajung la hbbs (TCP/UDP 21116).",
+            "El nombre de host o la IP por la que los clientes llegan a hbbs (TCP/UDP 21116).",
+        ),
+        "deploy.api_label" => (
+            "API URL (optional)",
+            "API-URL (optional)",
+            "URL API (optionnel)",
+            "URL API (opțional)",
+            "URL de la API (opcional)",
+        ),
+        "deploy.api_hint" => (
+            "Full URL of this admin/login API. Defaults to <code>https://&lt;host&gt;</code>; edit if your API runs on a different scheme/port. Leave blank to disable login on the client.",
+            "Vollständige URL dieser Admin-/Login-API. Standard ist <code>https://&lt;host&gt;</code>; bearbeiten Sie sie, wenn Ihre API auf einem anderen Schema/Port läuft. Lassen Sie das Feld leer, um die Anmeldung im Client zu deaktivieren.",
+            "URL complète de cette API admin/login. Par défaut <code>https://&lt;host&gt;</code> ; modifiez si votre API fonctionne sur un autre schéma/port. Laissez vide pour désactiver la connexion sur le client.",
+            "URL-ul complet al acestei API admin/login. Implicit <code>https://&lt;host&gt;</code>; editați dacă API-ul rulează pe un alt protocol/port. Lăsați gol pentru a dezactiva autentificarea pe client.",
+            "URL completa de esta API admin/login. Por defecto <code>https://&lt;host&gt;</code>; edítala si tu API funciona en otro esquema/puerto. Déjala en blanco para desactivar el inicio de sesión en el cliente.",
+        ),
+        "deploy.relay_label" => (
+            "Relay host (optional)",
+            "Relay-Host (optional)",
+            "Hôte relais (optionnel)",
+            "Gazdă relay (opțional)",
+            "Host relay (opcional)",
+        ),
+        "deploy.relay_hint" => (
+            "Only set if hbbr runs on a separate host; otherwise leave blank.",
+            "Nur ausfüllen, wenn hbbr auf einem separaten Host läuft; ansonsten leer lassen.",
+            "À renseigner uniquement si hbbr fonctionne sur un hôte séparé ; sinon laisser vide.",
+            "Setați doar dacă hbbr rulează pe o gazdă separată; altfel lăsați gol.",
+            "Establece esto solo si hbbr se ejecuta en un host distinto; en caso contrario, déjalo en blanco.",
+        ),
+        "deploy.key_label" => (
+            "Public key",
+            "Öffentlicher Schlüssel",
+            "Clé publique",
+            "Cheie publică",
+            "Clave pública",
+        ),
+        "deploy.key_hint" => (
+            "Base64 contents of <code>id_ed25519.pub</code>.",
+            "Base64-Inhalt von <code>id_ed25519.pub</code>.",
+            "Contenu base64 de <code>id_ed25519.pub</code>.",
+            "Conținut base64 al <code>id_ed25519.pub</code>.",
+            "Contenido en base64 de <code>id_ed25519.pub</code>.",
+        ),
+        "deploy.generate" => (
+            "Generate",
+            "Generieren",
+            "Générer",
+            "Generează",
+            "Generar",
+        ),
+        "deploy.host_required" => (
+            "Host is required.",
+            "Host ist erforderlich.",
+            "L'hôte est requis.",
+            "Gazda este obligatorie.",
+            "El host es obligatorio.",
+        ),
+        "deploy.artifact_heading" => (
+            "Deployment artifact",
+            "Bereitstellungs-Artefakt",
+            "Artefact de déploiement",
+            "Artefact de implementare",
+            "Artefacto de implementación",
+        ),
+        "deploy.artifact_intro" => (
+            "Pick whichever path fits your rollout. All three produce the same client config.",
+            "Wählen Sie den Weg, der zu Ihrem Rollout passt. Alle drei erzeugen die gleiche Client-Konfiguration.",
+            "Choisissez le chemin qui correspond à votre déploiement. Les trois produisent la même configuration client.",
+            "Alegeți calea care se potrivește implementării. Toate trei produc aceeași configurație de client.",
+            "Elige la opción que mejor se ajuste a tu despliegue. Las tres producen la misma configuración del cliente.",
+        ),
+        "deploy.cmd_a_label" => (
+            "A. Post-install command (Windows, Administrator)",
+            "A. Befehl nach Installation (Windows, Administrator)",
+            "A. Commande post-installation (Windows, administrateur)",
+            "A. Comandă post-instalare (Windows, administrator)",
+            "A. Comando post-instalación (Windows, administrador)",
+        ),
+        "deploy.cmd_a_hint" => (
+            "Requires the client to be installed and running as admin. Equivalent on macOS/Linux: <code class=\"text-slate-300\">{0}</code>.",
+            "Erfordert, dass der Client installiert ist und als Administrator läuft. Entsprechend auf macOS/Linux: <code class=\"text-slate-300\">{0}</code>.",
+            "Nécessite que le client soit installé et exécuté en tant qu'admin. Équivalent sur macOS/Linux : <code class=\"text-slate-300\">{0}</code>.",
+            "Necesită ca clientul să fie instalat și rulat ca administrator. Echivalent pe macOS/Linux: <code class=\"text-slate-300\">{0}</code>.",
+            "Requiere que el cliente esté instalado y ejecutándose como administrador. Equivalente en macOS/Linux: <code class=\"text-slate-300\">{0}</code>.",
+        ),
+        "deploy.cmd_b_label" => (
+            "B. Renamed installer (drop-in)",
+            "B. Umbenannter Installer (Drop-in)",
+            "B. Installeur renommé (drop-in)",
+            "B. Instalator redenumit (drop-in)",
+            "B. Instalador renombrado (drop-in)",
+        ),
+        "deploy.cmd_b_hint" => (
+            "Rename the official RustDesk installer to this exact name and run it; the client reads its own filename on first launch and writes the config into the registry.",
+            "Benennen Sie den offiziellen RustDesk-Installer genau in diesen Namen um und führen Sie ihn aus; der Client liest beim ersten Start seinen eigenen Dateinamen und schreibt die Konfiguration in die Registry.",
+            "Renommez l'installeur officiel RustDesk avec exactement ce nom et lancez-le ; le client lit son propre nom de fichier au premier lancement et écrit la configuration dans le registre.",
+            "Redenumiți instalatorul oficial RustDesk exact la acest nume și rulați-l; clientul citește propriul nume de fișier la prima lansare și scrie configurația în registru.",
+            "Renombra el instalador oficial de RustDesk exactamente con este nombre y ejecútalo; el cliente lee su propio nombre de archivo en el primer arranque y escribe la configuración en el registro.",
+        ),
+        "deploy.cmd_c_label" => (
+            "C. HelloAgent (Windows, MDM one-liner)",
+            "C. HelloAgent (Windows, MDM-Einzeiler)",
+            "C. HelloAgent (Windows, ligne unique MDM)",
+            "C. HelloAgent (Windows, comandă unică MDM)",
+            "C. HelloAgent (Windows, comando único MDM)",
+        ),
+        "deploy.cmd_c_hint" => (
+            "Headless agent — registers the Windows service and imports this config in a single command. Run elevated.",
+            "Headless-Agent — registriert den Windows-Dienst und importiert diese Konfiguration in einem einzigen Befehl. Mit erhöhten Rechten ausführen.",
+            "Agent sans interface — enregistre le service Windows et importe cette configuration en une seule commande. Exécuter en mode élevé.",
+            "Agent fără interfață — înregistrează serviciul Windows și importă această configurație într-o singură comandă. Rulați cu privilegii ridicate.",
+            "Agente sin interfaz — registra el servicio de Windows e importa esta configuración en un solo comando. Ejecútalo con privilegios elevados.",
+        ),
+        "deploy.raw_blob" => (
+            "Raw blob",
+            "Rohes Blob",
+            "Blob brut",
+            "Blob brut",
+            "Blob sin procesar",
+        ),
+
+        // unknown key — return a stable placeholder so callers see something
+        // they can grep for. We can't return `key` itself since the function
+        // signature promises a `'static` borrow.
+        _ => return "<missing translation>",
+    };
+    match lang {
+        Lang::En => en,
+        Lang::De => de,
+        Lang::Fr => fr,
+        Lang::Ro => ro,
+        Lang::Es => es,
+    }
+}
+
+/// One-arg formatted lookup. Replaces `{0}` in the template.
+pub fn tf1(lang: Lang, key: &str, a: &str) -> String {
+    t(lang, key).replace("{0}", a)
+}
+
+/// Two-arg formatted lookup. Replaces `{0}` and `{1}` in the template.
+pub fn tf2(lang: Lang, key: &str, a: &str, b: &str) -> String {
+    t(lang, key).replace("{0}", a).replace("{1}", b)
+}
diff --git a/src/api/admin/me.rs b/src/api/admin/me.rs
index 25b5b87..2893322 100644
--- a/src/api/admin/me.rs
+++ b/src/api/admin/me.rs
@@ -3,14 +3,16 @@
 //! the cookie isn't valid, the AuthedUser extractor 401s and the page-level
 //! HTMX response handler bounces back to the login form.
 
+use crate::api::admin::i18n::{t, Lang};
 use crate::api::error::ApiError;
 use crate::api::middleware::AuthedUser;
 use axum::response::Html;
 
-pub async fn me(user: AuthedUser) -> Result<Html<String>, ApiError> {
+pub async fn me(user: AuthedUser, lang: Lang) -> Result<Html<String>, ApiError> {
     Ok(Html(format!(
-        "Signed in as <span class=\"text-slate-300\">{}</span>",
-        html_escape(&user.name)
+        "{label} <span class=\"text-slate-300\">{name}</span>",
+        label = t(lang, "nav.signed_in_as"),
+        name = html_escape(&user.name),
     )))
 }
 
diff --git a/src/api/admin/mod.rs b/src/api/admin/mod.rs
index fd06cfc..0468262 100644
--- a/src/api/admin/mod.rs
+++ b/src/api/admin/mod.rs
@@ -16,16 +16,19 @@
 //!   /admin/pages/*           GET fragments (one per page)
 
 pub mod auth;
+pub mod i18n;
 pub mod me;
 pub mod oidc_login;
 pub mod pages;
 
-use axum::http::{header, HeaderValue, StatusCode};
+use axum::http::{header, HeaderMap, HeaderValue, StatusCode};
 use axum::response::{Html, IntoResponse, Response};
 use axum::routing::{get, post};
 use axum::Router;
 use std::sync::Arc;
 
+use crate::api::admin::i18n::{lang_from_headers, t, Lang};
+
 /// Files embedded into the binary. Paths are relative to this source file
 /// per `include_str!`. Adding a new HTML asset = one new entry here.
 const INDEX_HTML: &str = include_str!("../../../admin_ui/index.html");
@@ -218,16 +221,105 @@ pub fn build(state: Arc<crate::api::state::AppState>) -> Option<Router> {
     Some(r)
 }
 
-async fn serve_index() -> Response {
-    html_response(INDEX_HTML)
+async fn serve_index(headers: HeaderMap) -> Response {
+    let lang = lang_from_headers(&headers);
+    html_response_owned(render_index(lang))
 }
 
-async fn serve_login() -> Response {
-    html_response(LOGIN_HTML)
+async fn serve_login(headers: HeaderMap) -> Response {
+    let lang = lang_from_headers(&headers);
+    html_response_owned(render_login(lang))
 }
 
-fn html_response(body: &'static str) -> Response {
-    // We hand back `Html<&'static str>` so axum sets `text/html` for us.
+/// Apply i18n placeholders to the embedded `index.html` template.
+fn render_index(lang: Lang) -> String {
+    let body = INDEX_HTML
+        .replace("{{LANG_CODE}}", lang.code())
+        .replace("{{T_APP_TITLE}}", t(lang, "shell.app_title"))
+        .replace("{{T_NAV_USERS}}", t(lang, "nav.users"))
+        .replace("{{T_NAV_DEVICES}}", t(lang, "nav.devices"))
+        .replace("{{T_NAV_GROUPS}}", t(lang, "nav.groups"))
+        .replace("{{T_NAV_STRATEGIES}}", t(lang, "nav.strategies"))
+        .replace("{{T_NAV_AB}}", t(lang, "nav.address_books"))
+        .replace("{{T_NAV_AUDIT}}", t(lang, "nav.audit"))
+        .replace("{{T_NAV_DEPLOY}}", t(lang, "nav.deploy"))
+        .replace("{{T_NAV_PROFILE}}", t(lang, "nav.profile"))
+        .replace("{{T_NAV_SIGNOUT}}", t(lang, "nav.signout"))
+        .replace("{{T_LANGUAGE}}", t(lang, "common.language"))
+        .replace("{{T_LOADING}}", t(lang, "common.loading"));
+    apply_lang_selected(body, lang)
+}
+
+/// Apply i18n placeholders to the embedded `login.html` template.
+fn render_login(lang: Lang) -> String {
+    let body = LOGIN_HTML
+        .replace("{{LANG_CODE}}", lang.code())
+        .replace("{{T_TITLE}}", t(lang, "login.title"))
+        .replace("{{T_SUBTITLE}}", t(lang, "login.subtitle"))
+        .replace("{{T_USERNAME}}", t(lang, "login.username"))
+        .replace("{{T_PASSWORD}}", t(lang, "login.password"))
+        .replace("{{T_TOTP_LABEL}}", t(lang, "login.totp_label"))
+        .replace("{{T_SIGNIN}}", t(lang, "login.signin"))
+        .replace("{{T_OR}}", t(lang, "login.or"))
+        .replace("{{T_LANGUAGE}}", t(lang, "common.language"))
+        .replace(
+            "{{T_SIGNIN_WITH_JSON}}",
+            &json_string(t(lang, "login.signin_with")),
+        );
+    apply_lang_selected(body, lang)
+}
+
+/// Inject `selected` into the matching `<option>` for the active language and
+/// blank out the others. Both templates use the same `{{LANG_SEL_XX}}` markers.
+fn apply_lang_selected(body: String, lang: Lang) -> String {
+    let mut sel_en = "";
+    let mut sel_de = "";
+    let mut sel_fr = "";
+    let mut sel_ro = "";
+    let mut sel_es = "";
+    match lang {
+        Lang::En => sel_en = " selected",
+        Lang::De => sel_de = " selected",
+        Lang::Fr => sel_fr = " selected",
+        Lang::Ro => sel_ro = " selected",
+        Lang::Es => sel_es = " selected",
+    }
+    body.replace("{{LANG_SEL_EN}}", sel_en)
+        .replace("{{LANG_SEL_DE}}", sel_de)
+        .replace("{{LANG_SEL_FR}}", sel_fr)
+        .replace("{{LANG_SEL_RO}}", sel_ro)
+        .replace("{{LANG_SEL_ES}}", sel_es)
+}
+
+/// JSON-encode a string so it can be embedded inside a `<script>` block as a
+/// JS string literal. We only need to escape `"`, `\`, and the control chars
+/// that show up in our translations — none of them realistically contain
+/// newlines or `</script>`, but escape them defensively anyway.
+fn json_string(s: &str) -> String {
+    let mut out = String::with_capacity(s.len() + 2);
+    out.push('"');
+    for c in s.chars() {
+        match c {
+            '"' => out.push_str("\\\""),
+            '\\' => out.push_str("\\\\"),
+            '\n' => out.push_str("\\n"),
+            '\r' => out.push_str("\\r"),
+            '\t' => out.push_str("\\t"),
+            '<' => out.push_str("\\u003c"),
+            '>' => out.push_str("\\u003e"),
+            '&' => out.push_str("\\u0026"),
+            c if (c as u32) < 0x20 => {
+                use std::fmt::Write as _;
+                let _ = write!(out, "\\u{:04x}", c as u32);
+            }
+            c => out.push(c),
+        }
+    }
+    out.push('"');
+    out
+}
+
+fn html_response_owned(body: String) -> Response {
     // Cache-Control: no-cache so the operator sees fresh HTML after a
     // server upgrade without having to bump asset URLs.
     let mut resp = Html(body).into_response();
diff --git a/src/api/admin/pages/address_books.rs b/src/api/admin/pages/address_books.rs
index 64843d4..9f93449 100644
--- a/src/api/admin/pages/address_books.rs
+++ b/src/api/admin/pages/address_books.rs
@@ -6,6 +6,7 @@
 //! up via `/api/ab/shared/profiles` on the next AB sync (~30 s).
 
 use super::shared::{fmt_unix, html_escape, notice_html, require_admin};
+use crate::api::admin::i18n::{t, tf1, Lang};
 use crate::api::error::ApiError;
 use crate::api::middleware::AuthedUser;
 use crate::api::state::AppState;
@@ -18,9 +19,10 @@ use std::sync::Arc;
 pub async fn index(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
-    Ok(Html(render_index(&state, None).await?))
+    Ok(Html(render_index(&state, lang, None).await?))
 }
 
 #[derive(Debug, Deserialize)]
@@ -31,35 +33,39 @@ pub struct CreateForm {
 pub async fn create(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
     Form(f): Form<CreateForm>,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
     let name = f.name.trim();
     if name.is_empty() {
-        return Ok(Html(render_index(&state, Some(("error", "Name is required."))).await?));
+        return Ok(Html(
+            render_index(&state, lang, Some(("error", t(lang, "ab.name_required")))).await?,
+        ));
     }
     let res = state.db.ab_create_shared(admin.user_id, name).await;
     let notice = match res {
-        Ok(_) => Some(("ok", format!("Shared address book '{}' created.", name))),
+        Ok(_) => Some(("ok", tf1(lang, "ab.created", name))),
         Err(e) => {
             // The unique index trips when the same admin creates two books
             // with the same name. Surface that cleanly instead of leaking
             // the raw SQL error.
             let msg = if e.to_string().to_lowercase().contains("unique") {
-                "An address book with that name already exists.".to_string()
+                t(lang, "ab.exists").to_string()
             } else {
-                format!("Create failed: {}", e)
+                tf1(lang, "ab.create_failed", &e.to_string())
             };
             Some(("error", msg))
         }
     };
     let n = notice.as_ref().map(|(k, m)| (*k, m.as_str()));
-    Ok(Html(render_index(&state, n).await?))
+    Ok(Html(render_index(&state, lang, n).await?))
 }
 
 pub async fn delete(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
     Path(guid): Path<String>,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
@@ -69,20 +75,21 @@ pub async fn delete(
         .await
         .map_err(|e| ApiError::Internal(e.to_string()))?;
     let notice = if ok {
-        ("ok", "Deleted.")
+        ("ok", t(lang, "ab.deleted"))
     } else {
-        ("error", "Address book not found.")
+        ("error", t(lang, "ab.not_found"))
     };
-    Ok(Html(render_index(&state, Some(notice)).await?))
+    Ok(Html(render_index(&state, lang, Some(notice)).await?))
 }
 
 pub async fn manage(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
     Path(guid): Path<String>,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
-    Ok(Html(render_manage(&state, &guid, None).await?))
+    Ok(Html(render_manage(&state, lang, &guid, None).await?))
 }
 
 #[derive(Debug, Deserialize)]
@@ -94,24 +101,30 @@ pub struct ShareForm {
 pub async fn share_add(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
     Path(guid): Path<String>,
     Form(f): Form<ShareForm>,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
     if !(1..=3).contains(&f.rule) {
-        return Ok(Html(render_manage(&state, &guid, Some(("error", "Invalid rule."))).await?));
+        return Ok(Html(
+            render_manage(&state, lang, &guid, Some(("error", t(lang, "ab.invalid_rule")))).await?,
+        ));
     }
     state
         .db
         .ab_share_set(&guid, f.user_id, f.rule)
         .await
         .map_err(|e| ApiError::Internal(e.to_string()))?;
-    Ok(Html(render_manage(&state, &guid, Some(("ok", "Share saved."))).await?))
+    Ok(Html(
+        render_manage(&state, lang, &guid, Some(("ok", t(lang, "ab.share_saved")))).await?,
+    ))
 }
 
 pub async fn share_remove(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
     Path((guid, user_id)): Path<(String, i64)>,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
@@ -120,13 +133,16 @@ pub async fn share_remove(
         .ab_share_remove(&guid, user_id)
         .await
         .map_err(|e| ApiError::Internal(e.to_string()))?;
-    Ok(Html(render_manage(&state, &guid, Some(("ok", "Share removed."))).await?))
+    Ok(Html(
+        render_manage(&state, lang, &guid, Some(("ok", t(lang, "ab.share_removed")))).await?,
+    ))
 }
 
 // ---------- rendering ----------
 
 async fn render_index(
     state: &Arc<AppState>,
+    lang: Lang,
     notice: Option<(&str, &str)>,
 ) -> Result<String, ApiError> {
     let books = state
@@ -140,8 +156,8 @@ async fn render_index(
         s,
         r##"<div id="ab-region" class="space-y-6">
   <header>
-    <h2 class="text-lg font-semibold">Address books</h2>
-    <p class="text-xs text-slate-500 mt-1">Personal books are owned by users and managed from their desktop client. Shared books are server-side: create one here, share it with users / rules, and the client picks it up on its next AB sync.</p>
+    <h2 class="text-lg font-semibold">{heading}</h2>
+    <p class="text-xs text-slate-500 mt-1">{tagline}</p>
   </header>
 
   {notice_html}
@@ -152,41 +168,63 @@ async fn render_index(
     hx-target="#ab-region" hx-swap="outerHTML"
   >
     <div class="flex-1">
-      <label class="block text-xs font-medium text-slate-400 mb-1" for="ab-name">New shared book</label>
+      <label class="block text-xs font-medium text-slate-400 mb-1" for="ab-name">{new_shared}</label>
       <input id="ab-name" name="name" type="text" required
         placeholder="Engineering laptops"
         class="w-full bg-slate-800 border border-slate-700 rounded px-3 py-2 text-sm focus:outline-none focus:border-sky-500" />
     </div>
     <button type="submit"
       class="bg-sky-600 hover:bg-sky-500 text-white text-sm font-medium rounded px-4 py-2 transition">
-      Create
+      {create}
     </button>
   </form>
-"##
+"##,
+        heading = t(lang, "ab.heading"),
+        tagline = t(lang, "ab.tagline"),
+        new_shared = t(lang, "ab.new_shared"),
+        create = t(lang, "common.create"),
     );
     if books.is_empty() {
-        s.push_str(r##"<p class="text-slate-500 text-sm">No address books exist yet.</p></div>"##);
+        let _ = write!(
+            s,
+            r##"<p class="text-slate-500 text-sm">{}</p></div>"##,
+            t(lang, "ab.no_books"),
+        );
         return Ok(s);
     }
-    s.push_str(
+    let _ = write!(
+        s,
         r##"<div class="rounded-md border border-slate-800 bg-slate-900">
   <table class="w-full text-sm">
     <thead class="text-xs uppercase text-slate-500 bg-slate-950"><tr>
-      <th class="text-left font-medium px-3 py-2">Owner</th>
-      <th class="text-left font-medium px-3 py-2">Kind</th>
-      <th class="text-left font-medium px-3 py-2">Name</th>
-      <th class="text-left font-medium px-3 py-2">Peers</th>
-      <th class="text-left font-medium px-3 py-2">GUID</th>
-      <th class="text-left font-medium px-3 py-2">Created</th>
-      <th class="text-right font-medium px-3 py-2 w-1">Actions</th>
+      <th class="text-left font-medium px-3 py-2">{c_owner}</th>
+      <th class="text-left font-medium px-3 py-2">{c_kind}</th>
+      <th class="text-left font-medium px-3 py-2">{c_name}</th>
+      <th class="text-left font-medium px-3 py-2">{c_peers}</th>
+      <th class="text-left font-medium px-3 py-2">{c_guid}</th>
+      <th class="text-left font-medium px-3 py-2">{c_created}</th>
+      <th class="text-right font-medium px-3 py-2 w-1">{c_actions}</th>
     </tr></thead>
     <tbody class="divide-y divide-slate-800">"##,
+        c_owner = t(lang, "ab.col_owner"),
+        c_kind = t(lang, "ab.col_kind"),
+        c_name = t(lang, "ab.col_name"),
+        c_peers = t(lang, "ab.col_peers"),
+        c_guid = t(lang, "ab.col_guid"),
+        c_created = t(lang, "ab.col_created"),
+        c_actions = t(lang, "common.actions"),
     );
     for b in &books {
         let kind_pill = match b.kind {
-            0 => r#"<span class="text-xs px-1.5 py-0.5 rounded bg-slate-800 border border-slate-700 text-slate-300">personal</span>"#,
-            1 => r#"<span class="text-xs px-1.5 py-0.5 rounded bg-violet-900/40 border border-violet-700/50 text-violet-300">shared</span>"#,
-            _ => "",
+            0 => format!(
+                r#"<span class="text-xs px-1.5 py-0.5 rounded bg-slate-800 border border-slate-700 text-slate-300">{}</span>"#,
+                t(lang, "ab.kind_personal"),
+            ),
+            1 => format!(
+                r#"<span class="text-xs px-1.5 py-0.5 rounded bg-violet-900/40 border border-violet-700/50 text-violet-300">{}</span>"#,
+                t(lang, "ab.kind_shared"),
+            ),
+            _ => String::new(),
         };
         // Both kinds get a delete action. Shared books additionally get
         // "Manage shares". Personal books carry an extra warning in the
@@ -201,19 +239,21 @@ async fn render_index(
         <button class="w-full text-left px-2 py-1 text-xs hover:bg-slate-800 rounded"
           hx-get="/admin/pages/address-books/{guid}/manage"
           hx-target="#ab-region" hx-swap="outerHTML">
-          Manage shares
+          {manage}
         </button>
         <hr class="border-slate-700 my-1" />
         <button class="w-full text-left px-2 py-1 text-xs text-rose-300 hover:bg-rose-900/40 rounded"
           hx-post="/admin/pages/address-books/{guid}/delete"
           hx-target="#ab-region" hx-swap="outerHTML"
-          hx-confirm="Delete shared book '{name}'? Peers, tags, and shares will be removed.">
-          Delete book
+          hx-confirm="{confirm}">
+          {delete}
         </button>
       </div>
     </details>"##,
                 guid = html_escape(&b.guid),
-                name = html_escape(&b.name)
+                manage = t(lang, "ab.manage_shares"),
+                confirm = html_escape(&tf1(lang, "ab.confirm_delete_shared", &b.name)),
+                delete = t(lang, "ab.delete_book"),
             )
         } else {
             format!(
@@ -223,13 +263,14 @@ async fn render_index(
         <button class="w-full text-left px-2 py-1 text-xs text-rose-300 hover:bg-rose-900/40 rounded"
           hx-post="/admin/pages/address-books/{guid}/delete"
           hx-target="#ab-region" hx-swap="outerHTML"
-          hx-confirm="Delete {owner}'s personal book? This wipes all peers and tags on the server. If {owner}'s desktop client is still signed in, it will recreate an empty personal book on its next sync (~30 s).">
-          Delete book
+          hx-confirm="{confirm}">
+          {delete}
         </button>
       </div>
     </details>"##,
                 guid = html_escape(&b.guid),
-                owner = html_escape(&b.owner_username)
+                confirm = html_escape(&tf1(lang, "ab.confirm_delete_personal", &b.owner_username)),
+                delete = t(lang, "ab.delete_book"),
             )
         };
         let _ = write!(
@@ -258,6 +299,7 @@ async fn render_index(
 
 async fn render_manage(
     state: &Arc<AppState>,
+    lang: Lang,
     guid: &str,
     notice: Option<(&str, &str)>,
 ) -> Result<String, ApiError> {
@@ -269,13 +311,13 @@ async fn render_manage(
     let Some((_owner_id, kind)) = owner_kind else {
         return Ok(format!(
             r##"<div id="ab-region">{notice}</div>"##,
-            notice = notice_html("error", "Address book not found."),
+            notice = notice_html("error", t(lang, "ab.not_found")),
         ));
     };
     if kind != 1 {
         return Ok(format!(
             r##"<div id="ab-region">{notice}</div>"##,
-            notice = notice_html("error", "Personal address books are managed from the desktop client."),
+            notice = notice_html("error", t(lang, "ab.personal_managed_at_client")),
         ));
     }
     let shares = state
@@ -298,38 +340,47 @@ async fn render_manage(
         r##"<div id="ab-region" class="space-y-6">
   <header class="flex items-center justify-between">
     <div>
-      <h2 class="text-lg font-semibold">Manage shares</h2>
+      <h2 class="text-lg font-semibold">{heading}</h2>
       <p class="text-xs text-slate-500 mt-1 font-mono">{guid}</p>
     </div>
     <button
       class="text-xs text-slate-300 hover:text-slate-100 px-2 py-1 rounded border border-slate-700 hover:border-slate-500"
       hx-get="/admin/pages/address-books"
       hx-target="#ab-region" hx-swap="outerHTML">
-      ← Back
+      {back}
     </button>
   </header>
 
   {notice_html}
 
   <section class="rounded-md border border-slate-800 bg-slate-900 p-4 space-y-3">
-    <h3 class="text-sm font-semibold text-slate-200">Add or update a share</h3>
+    <h3 class="text-sm font-semibold text-slate-200">{add_or_update}</h3>
     <form
       class="flex flex-wrap items-end gap-2"
       hx-post="/admin/pages/address-books/{guid}/shares/add"
       hx-target="#ab-region" hx-swap="outerHTML"
     >
       <div class="flex-1 min-w-[200px]">
-        <label class="block text-xs font-medium text-slate-400 mb-1" for="share-user">User</label>
+        <label class="block text-xs font-medium text-slate-400 mb-1" for="share-user">{user_label}</label>
         <select id="share-user" name="user_id" required
           class="w-full bg-slate-800 border border-slate-700 rounded px-3 py-2 text-sm focus:outline-none focus:border-sky-500">"##,
+        heading = t(lang, "ab.manage_heading"),
+        back = t(lang, "ab.back"),
+        add_or_update = t(lang, "ab.add_or_update"),
+        user_label = t(lang, "ab.user_label"),
         guid = html_escape(guid),
         notice_html = notice_html,
     );
     if users.is_empty() {
-        s.push_str(r#"<option disabled>No users defined</option>"#);
+        let _ = write!(
+            s,
+            r#"<option disabled>{}</option>"#,
+            t(lang, "ab.no_users"),
+        );
     }
+    let already_text = t(lang, "ab.existing_will_update");
     for u in &users {
-        let already = if already_shared.contains(&u.id) { " (existing — will update rule)" } else { "" };
+        let already = if already_shared.contains(&u.id) { already_text } else { "" };
         let _ = write!(
             s,
             r#"<option value="{id}">{name}{already}</option>"#,
@@ -343,46 +394,58 @@ async fn render_manage(
         r##"</select>
       </div>
       <div>
-        <label class="block text-xs font-medium text-slate-400 mb-1" for="share-rule">Rule</label>
+        <label class="block text-xs font-medium text-slate-400 mb-1" for="share-rule">{rule}</label>
         <select id="share-rule" name="rule"
           class="bg-slate-800 border border-slate-700 rounded px-3 py-2 text-sm focus:outline-none focus:border-sky-500">
-          <option value="1">Read</option>
-          <option value="2" selected>Read + write</option>
-          <option value="3">Full</option>
+          <option value="1">{r_read}</option>
+          <option value="2" selected>{r_rw}</option>
+          <option value="3">{r_full}</option>
         </select>
       </div>
       <button type="submit"
         class="bg-sky-600 hover:bg-sky-500 text-white text-sm font-medium rounded px-4 py-2 transition">
-        Save
+        {save}
       </button>
     </form>
   </section>
 
   <section class="rounded-md border border-slate-800 bg-slate-900">
     <header class="px-4 py-2 text-xs uppercase text-slate-500 border-b border-slate-800">
-      Current shares ({n})
+      {current_shares}
     </header>
 "##,
-        n = shares.len()
+        rule = t(lang, "ab.rule"),
+        r_read = t(lang, "ab.rule_read"),
+        r_rw = t(lang, "ab.rule_read_write"),
+        r_full = t(lang, "ab.rule_full"),
+        save = t(lang, "common.save"),
+        current_shares = tf1(lang, "ab.current_shares", &shares.len().to_string()),
     );
     if shares.is_empty() {
-        s.push_str(r##"<p class="px-4 py-3 text-slate-500 text-sm">No shares yet. The book is invisible to non-owners until you add at least one user share.</p></section></div>"##);
+        let _ = write!(
+            s,
+            r##"<p class="px-4 py-3 text-slate-500 text-sm">{}</p></section></div>"##,
+            t(lang, "ab.no_shares"),
+        );
         return Ok(s);
     }
-    s.push_str(
+    let _ = write!(
+        s,
         r##"<table class="w-full text-sm">
       <thead class="text-xs uppercase text-slate-500 bg-slate-950"><tr>
-        <th class="text-left font-medium px-3 py-2">User</th>
-        <th class="text-left font-medium px-3 py-2">Rule</th>
+        <th class="text-left font-medium px-3 py-2">{user_l}</th>
+        <th class="text-left font-medium px-3 py-2">{rule_l}</th>
         <th class="text-right font-medium px-3 py-2 w-1"></th>
       </tr></thead>
       <tbody class="divide-y divide-slate-800">"##,
+        user_l = t(lang, "ab.user_label"),
+        rule_l = t(lang, "ab.rule"),
     );
     for sh in &shares {
         let rule = match sh.rule {
-            1 => "Read",
-            2 => "Read + write",
-            3 => "Full",
+            1 => t(lang, "ab.rule_read"),
+            2 => t(lang, "ab.rule_read_write"),
+            3 => t(lang, "ab.rule_full"),
             _ => "?",
         };
         let _ = write!(
@@ -394,8 +457,8 @@ async fn render_manage(
     <button class="text-xs text-rose-300 hover:text-rose-200 px-2 py-1 rounded hover:bg-rose-900/40"
       hx-post="/admin/pages/address-books/{guid}/shares/{uid}/remove"
       hx-target="#ab-region" hx-swap="outerHTML"
-      hx-confirm="Remove {user}'s access?">
-      Remove
+      hx-confirm="{confirm}">
+      {remove}
     </button>
   </td>
 </tr>"##,
@@ -403,6 +466,8 @@ async fn render_manage(
             rule = rule,
             guid = html_escape(guid),
             uid = sh.user_id,
+            confirm = html_escape(&tf1(lang, "ab.confirm_remove", &sh.username)),
+            remove = t(lang, "common.remove"),
         );
     }
     s.push_str("</tbody></table></section></div>");
diff --git a/src/api/admin/pages/audit.rs b/src/api/admin/pages/audit.rs
index eb67a9b..7f817d1 100644
--- a/src/api/admin/pages/audit.rs
+++ b/src/api/admin/pages/audit.rs
@@ -3,6 +3,7 @@
 //! a follow-up if the operator outgrows this view.
 
 use super::shared::{fmt_unix, html_escape, require_admin};
+use crate::api::admin::i18n::{t, tf1, Lang};
 use crate::api::error::ApiError;
 use crate::api::middleware::AuthedUser;
 use crate::api::state::AppState;
@@ -23,14 +24,15 @@ pub struct TabQuery {
 pub async fn index(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
     Query(q): Query<TabQuery>,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
     let tab = q.tab.as_deref().unwrap_or("conn");
     let body = match tab {
-        "file" => render_file(&state).await?,
-        "alarm" => render_alarm(&state).await?,
-        _ => render_conn(&state).await?,
+        "file" => render_file(&state, lang).await?,
+        "alarm" => render_alarm(&state, lang).await?,
+        _ => render_conn(&state, lang).await?,
     };
     let pill = |id: &str, label: &str| {
         let active = id == tab;
@@ -49,42 +51,50 @@ pub async fn index(
     Ok(Html(format!(
         r##"<div class="space-y-4">
   <header class="flex items-center justify-between">
-    <h2 class="text-lg font-semibold">Audit log</h2>
-    <p class="text-xs text-slate-500">Latest {n} rows.</p>
+    <h2 class="text-lg font-semibold">{heading}</h2>
+    <p class="text-xs text-slate-500">{latest}</p>
   </header>
   <div class="flex gap-2 text-xs">{pill_conn}{pill_file}{pill_alarm}</div>
   {body}
 </div>"##,
-        n = PAGE_SIZE,
-        pill_conn = pill("conn", "Connections"),
-        pill_file = pill("file", "File transfers"),
-        pill_alarm = pill("alarm", "Alarms"),
+        heading = t(lang, "audit.heading"),
+        latest = tf1(lang, "audit.latest", &PAGE_SIZE.to_string()),
+        pill_conn = pill("conn", t(lang, "audit.tab_conn")),
+        pill_file = pill("file", t(lang, "audit.tab_file")),
+        pill_alarm = pill("alarm", t(lang, "audit.tab_alarm")),
         body = body,
     )))
 }
 
-async fn render_conn(state: &Arc<AppState>) -> Result<String, ApiError> {
+async fn render_conn(state: &Arc<AppState>, lang: Lang) -> Result<String, ApiError> {
     let rows = state
         .db
         .audit_conn_list(PAGE_SIZE)
         .await
         .map_err(|e| ApiError::Internal(e.to_string()))?;
     if rows.is_empty() {
-        return Ok(empty_table("No connection audit rows yet."));
+        return Ok(empty_table(t(lang, "audit.no_conn")));
     }
     let mut s = String::new();
-    s.push_str(
+    let _ = write!(
+        s,
         r##"<div class="rounded-md border border-slate-800 bg-slate-900 overflow-hidden">
   <table class="w-full text-sm">
     <thead class="text-xs uppercase text-slate-500 bg-slate-950"><tr>
-      <th class="text-left font-medium px-3 py-2">When</th>
-      <th class="text-left font-medium px-3 py-2">Peer</th>
-      <th class="text-left font-medium px-3 py-2">Conn / Session</th>
-      <th class="text-left font-medium px-3 py-2">IP</th>
-      <th class="text-left font-medium px-3 py-2">Action</th>
-      <th class="text-left font-medium px-3 py-2">Note</th>
+      <th class="text-left font-medium px-3 py-2">{c_when}</th>
+      <th class="text-left font-medium px-3 py-2">{c_peer}</th>
+      <th class="text-left font-medium px-3 py-2">{c_conn}</th>
+      <th class="text-left font-medium px-3 py-2">{c_ip}</th>
+      <th class="text-left font-medium px-3 py-2">{c_action}</th>
+      <th class="text-left font-medium px-3 py-2">{c_note}</th>
     </tr></thead>
     <tbody class="divide-y divide-slate-800">"##,
+        c_when = t(lang, "audit.col_when"),
+        c_peer = t(lang, "audit.col_peer"),
+        c_conn = t(lang, "audit.col_conn_session"),
+        c_ip = t(lang, "audit.col_ip"),
+        c_action = t(lang, "audit.col_action"),
+        c_note = t(lang, "audit.col_note"),
     );
     for r in &rows {
         let _ = write!(
@@ -110,32 +120,38 @@ async fn render_conn(state: &Arc<AppState>) -> Result<String, ApiError> {
     Ok(s)
 }
 
-async fn render_file(state: &Arc<AppState>) -> Result<String, ApiError> {
+async fn render_file(state: &Arc<AppState>, lang: Lang) -> Result<String, ApiError> {
     let rows = state
         .db
         .audit_file_list(PAGE_SIZE)
         .await
         .map_err(|e| ApiError::Internal(e.to_string()))?;
     if rows.is_empty() {
-        return Ok(empty_table("No file-transfer audit rows yet."));
+        return Ok(empty_table(t(lang, "audit.no_file")));
     }
     let mut s = String::new();
-    s.push_str(
+    let _ = write!(
+        s,
         r##"<div class="rounded-md border border-slate-800 bg-slate-900 overflow-hidden">
   <table class="w-full text-sm">
     <thead class="text-xs uppercase text-slate-500 bg-slate-950"><tr>
-      <th class="text-left font-medium px-3 py-2">When</th>
-      <th class="text-left font-medium px-3 py-2">Peer</th>
-      <th class="text-left font-medium px-3 py-2">Direction</th>
-      <th class="text-left font-medium px-3 py-2">Path</th>
-      <th class="text-left font-medium px-3 py-2">Remote</th>
+      <th class="text-left font-medium px-3 py-2">{c_when}</th>
+      <th class="text-left font-medium px-3 py-2">{c_peer}</th>
+      <th class="text-left font-medium px-3 py-2">{c_dir}</th>
+      <th class="text-left font-medium px-3 py-2">{c_path}</th>
+      <th class="text-left font-medium px-3 py-2">{c_remote}</th>
     </tr></thead>
     <tbody class="divide-y divide-slate-800">"##,
+        c_when = t(lang, "audit.col_when"),
+        c_peer = t(lang, "audit.col_peer"),
+        c_dir = t(lang, "audit.col_direction"),
+        c_path = t(lang, "audit.col_path"),
+        c_remote = t(lang, "audit.col_remote"),
     );
     for r in &rows {
         let dir = match r.direction {
-            0 => "→ remote",
-            1 => "← remote",
+            0 => t(lang, "audit.dir_to_remote"),
+            1 => t(lang, "audit.dir_from_remote"),
             _ => "?",
         };
         let _ = write!(
@@ -158,26 +174,31 @@ async fn render_file(state: &Arc<AppState>) -> Result<String, ApiError> {
     Ok(s)
 }
 
-async fn render_alarm(state: &Arc<AppState>) -> Result<String, ApiError> {
+async fn render_alarm(state: &Arc<AppState>, lang: Lang) -> Result<String, ApiError> {
     let rows = state
         .db
         .audit_alarm_list(PAGE_SIZE)
         .await
         .map_err(|e| ApiError::Internal(e.to_string()))?;
     if rows.is_empty() {
-        return Ok(empty_table("No alarm audit rows yet."));
+        return Ok(empty_table(t(lang, "audit.no_alarm")));
     }
     let mut s = String::new();
-    s.push_str(
+    let _ = write!(
+        s,
         r##"<div class="rounded-md border border-slate-800 bg-slate-900 overflow-hidden">
   <table class="w-full text-sm">
     <thead class="text-xs uppercase text-slate-500 bg-slate-950"><tr>
-      <th class="text-left font-medium px-3 py-2">When</th>
-      <th class="text-left font-medium px-3 py-2">Peer</th>
-      <th class="text-left font-medium px-3 py-2">Type</th>
-      <th class="text-left font-medium px-3 py-2">Info</th>
+      <th class="text-left font-medium px-3 py-2">{c_when}</th>
+      <th class="text-left font-medium px-3 py-2">{c_peer}</th>
+      <th class="text-left font-medium px-3 py-2">{c_type}</th>
+      <th class="text-left font-medium px-3 py-2">{c_info}</th>
     </tr></thead>
     <tbody class="divide-y divide-slate-800">"##,
+        c_when = t(lang, "audit.col_when"),
+        c_peer = t(lang, "audit.col_peer"),
+        c_type = t(lang, "audit.col_type"),
+        c_info = t(lang, "audit.col_info"),
     );
     for r in &rows {
         let typ = match r.typ {
diff --git a/src/api/admin/pages/deploy.rs b/src/api/admin/pages/deploy.rs
index e206bd1..6111039 100644
--- a/src/api/admin/pages/deploy.rs
+++ b/src/api/admin/pages/deploy.rs
@@ -6,6 +6,7 @@
 //! signature verification, so we don't need the Pro private key.
 
 use super::shared::{html_escape, require_admin};
+use crate::api::admin::i18n::{t, tf1, Lang};
 use crate::api::error::ApiError;
 use crate::api::middleware::AuthedUser;
 use axum::extract::Form;
@@ -14,7 +15,11 @@ use axum::response::Html;
 use serde::Deserialize;
 use serde_json::json;
 
-pub async fn index(admin: AuthedUser, headers: HeaderMap) -> Result<Html<String>, ApiError> {
+pub async fn index(
+    admin: AuthedUser,
+    lang: Lang,
+    headers: HeaderMap,
+) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
     let pubkey = read_pubkey();
     // Best-effort prefill: the Host the admin's browser is currently
@@ -35,6 +40,7 @@ pub async fn index(admin: AuthedUser, headers: HeaderMap) -> Result<Html<String>
         (format!("https://{}", host_default), host_default.clone())
     };
     Ok(Html(render_form(
+        lang,
         &pubkey,
         &host_default,
         &api_default,
@@ -71,22 +77,25 @@ pub struct DeployForm {
 
 pub async fn generate(
     admin: AuthedUser,
+    lang: Lang,
     Form(f): Form<DeployForm>,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
     if f.host.trim().is_empty() {
         return Ok(Html(render_form(
+            lang,
             &f.key,
             &f.host,
             &f.api,
             &f.relay,
             "",
-            Some(("error", "Host is required.")),
+            Some(("error", t(lang, "deploy.host_required"))),
         )));
     }
     let blob = encode_blob(&f.host, &f.key, &f.api, &f.relay);
-    let result = render_result(&f.host, &f.key, &f.api, &f.relay, &blob);
+    let result = render_result(lang, &f.host, &f.key, &f.api, &f.relay, &blob);
     Ok(Html(render_form(
+        lang,
         &f.key,
         &f.host,
         &f.api,
@@ -125,6 +134,7 @@ fn encode_blob(host: &str, key: &str, api: &str, relay: &str) -> String {
 }
 
 fn render_form(
+    lang: Lang,
     key: &str,
     host: &str,
     api: &str,
@@ -139,8 +149,8 @@ fn render_form(
     format!(
         r##"<div class="space-y-6">
   <header>
-    <h2 class="text-lg font-semibold">Deploy</h2>
-    <p class="text-xs text-slate-500 mt-1">Generate a config blob the stock client accepts via <code>rustdesk --config &lt;blob&gt;</code>, or the equivalent renamed-installer filename. The public key below is read from <code>id_ed25519.pub</code> on the server; override if you bootstrapped a custom keypair.</p>
+    <h2 class="text-lg font-semibold">{heading}</h2>
+    <p class="text-xs text-slate-500 mt-1">{intro}</p>
   </header>
 
   {notice_html}
@@ -152,7 +162,7 @@ fn render_form(
     hx-swap="innerHTML"
   >
     <div>
-      <label class="block text-xs font-medium text-slate-400 mb-1" for="host">Rendezvous host (required)</label>
+      <label class="block text-xs font-medium text-slate-400 mb-1" for="host">{host_label}</label>
       <input id="host" name="host" type="text" required value="{host}"
         placeholder="rustdesk.example.com or 203.0.113.10"
         oninput="
@@ -164,42 +174,53 @@ fn render_form(
           api.placeholder = h ? 'https://' + h : 'https://rustdesk.example.com';
         "
         class="w-full bg-slate-800 border border-slate-700 rounded px-3 py-2 text-sm focus:outline-none focus:border-sky-500" />
-      <p class="text-xs text-slate-500 mt-1">The hostname or IP clients reach hbbs at (TCP/UDP 21116).</p>
+      <p class="text-xs text-slate-500 mt-1">{host_hint}</p>
     </div>
 
     <div>
-      <label class="block text-xs font-medium text-slate-400 mb-1" for="api">API URL (optional)</label>
+      <label class="block text-xs font-medium text-slate-400 mb-1" for="api">{api_label}</label>
       <input id="api" name="api" type="text" value="{api}"
         placeholder="https://rustdesk.example.com"
         oninput="this.dataset.derived = '0';"
         class="w-full bg-slate-800 border border-slate-700 rounded px-3 py-2 text-sm focus:outline-none focus:border-sky-500" />
-      <p class="text-xs text-slate-500 mt-1">Full URL of this admin/login API. Defaults to <code>https://&lt;host&gt;</code>; edit if your API runs on a different scheme/port. Leave blank to disable login on the client.</p>
+      <p class="text-xs text-slate-500 mt-1">{api_hint}</p>
     </div>
 
     <div>
-      <label class="block text-xs font-medium text-slate-400 mb-1" for="relay">Relay host (optional)</label>
+      <label class="block text-xs font-medium text-slate-400 mb-1" for="relay">{relay_label}</label>
       <input id="relay" name="relay" type="text" value="{relay}"
         placeholder="rustdesk.example.com"
         oninput="this.dataset.derived = '0';"
         class="w-full bg-slate-800 border border-slate-700 rounded px-3 py-2 text-sm focus:outline-none focus:border-sky-500" />
-      <p class="text-xs text-slate-500 mt-1">Only set if hbbr runs on a separate host; otherwise leave blank.</p>
+      <p class="text-xs text-slate-500 mt-1">{relay_hint}</p>
     </div>
 
     <div>
-      <label class="block text-xs font-medium text-slate-400 mb-1" for="key">Public key</label>
+      <label class="block text-xs font-medium text-slate-400 mb-1" for="key">{key_label}</label>
       <textarea id="key" name="key" rows="2"
         class="w-full bg-slate-800 border border-slate-700 rounded px-3 py-2 text-xs font-mono focus:outline-none focus:border-sky-500">{key}</textarea>
-      <p class="text-xs text-slate-500 mt-1">Base64 contents of <code>id_ed25519.pub</code>.</p>
+      <p class="text-xs text-slate-500 mt-1">{key_hint}</p>
     </div>
 
     <button type="submit"
       class="bg-sky-600 hover:bg-sky-500 text-white text-sm font-medium rounded px-4 py-2 transition">
-      Generate
+      {generate}
     </button>
   </form>
 
   {result_html}
 </div>"##,
+        heading = t(lang, "deploy.heading"),
+        intro = t(lang, "deploy.intro"),
+        host_label = t(lang, "deploy.host_label"),
+        host_hint = t(lang, "deploy.host_hint"),
+        api_label = t(lang, "deploy.api_label"),
+        api_hint = t(lang, "deploy.api_hint"),
+        relay_label = t(lang, "deploy.relay_label"),
+        relay_hint = t(lang, "deploy.relay_hint"),
+        key_label = t(lang, "deploy.key_label"),
+        key_hint = t(lang, "deploy.key_hint"),
+        generate = t(lang, "deploy.generate"),
         host = html_escape(host),
         api = html_escape(api),
         relay = html_escape(relay),
@@ -209,7 +230,7 @@ fn render_form(
     )
 }
 
-fn render_result(host: &str, key: &str, api: &str, relay: &str, blob: &str) -> String {
+fn render_result(lang: Lang, host: &str, key: &str, api: &str, relay: &str, blob: &str) -> String {
     // Build the rename-the-installer alternative. Windows filenames disallow
     // `:` and `/`, which the API URL is full of (`http://host:21114`). The
     // client falls back to `http://<host>:21114` when `api` is empty
@@ -258,36 +279,44 @@ fn render_result(host: &str, key: &str, api: &str, relay: &str, blob: &str) -> S
     format!(
         r##"<section class="space-y-4 bg-slate-900 border border-slate-800 rounded-lg p-4">
   <header>
-    <h3 class="text-sm font-semibold text-slate-200">Deployment artifact</h3>
-    <p class="text-xs text-slate-500 mt-1">Pick whichever path fits your rollout. All three produce the same client config.</p>
+    <h3 class="text-sm font-semibold text-slate-200">{artifact_heading}</h3>
+    <p class="text-xs text-slate-500 mt-1">{artifact_intro}</p>
   </header>
 
   <div>
-    <label class="block text-xs font-medium text-slate-400 mb-1">A. Post-install command (Windows, Administrator)</label>
+    <label class="block text-xs font-medium text-slate-400 mb-1">{a_label}</label>
     <pre class="text-xs bg-slate-950 border border-slate-800 rounded p-2 overflow-x-auto select-all whitespace-pre-wrap break-all">{cmd_win}</pre>
-    <p class="text-xs text-slate-500 mt-1">Requires the client to be installed and running as admin. Equivalent on macOS/Linux: <code class="text-slate-300">{cmd_unix}</code>.</p>
+    <p class="text-xs text-slate-500 mt-1">{a_hint}</p>
   </div>
 
   <div>
-    <label class="block text-xs font-medium text-slate-400 mb-1">B. Renamed installer (drop-in)</label>
+    <label class="block text-xs font-medium text-slate-400 mb-1">{b_label}</label>
     <pre class="text-xs bg-slate-950 border border-slate-800 rounded p-2 overflow-x-auto select-all whitespace-pre-wrap break-all">{renamed}</pre>
-    <p class="text-xs text-slate-500 mt-1">Rename the official RustDesk installer to this exact name and run it; the client reads its own filename on first launch and writes the config into the registry.</p>
+    <p class="text-xs text-slate-500 mt-1">{b_hint}</p>
     {renamed_note}
   </div>
 
   <div>
-    <label class="block text-xs font-medium text-slate-400 mb-1">C. HelloAgent (Windows, MDM one-liner)</label>
+    <label class="block text-xs font-medium text-slate-400 mb-1">{c_label}</label>
     <pre class="text-xs bg-slate-950 border border-slate-800 rounded p-2 overflow-x-auto select-all whitespace-pre-wrap break-all">{cmd_hello}</pre>
-    <p class="text-xs text-slate-500 mt-1">Headless agent — registers the Windows service and imports this config in a single command. Run elevated.</p>
+    <p class="text-xs text-slate-500 mt-1">{c_hint}</p>
   </div>
 
   <details class="text-xs text-slate-400">
-    <summary class="cursor-pointer text-slate-300 select-none">Raw blob</summary>
+    <summary class="cursor-pointer text-slate-300 select-none">{raw_blob}</summary>
     <pre class="mt-2 bg-slate-950 border border-slate-800 rounded p-2 overflow-x-auto select-all whitespace-pre-wrap break-all">{blob}</pre>
   </details>
 </section>"##,
+        artifact_heading = t(lang, "deploy.artifact_heading"),
+        artifact_intro = t(lang, "deploy.artifact_intro"),
+        a_label = t(lang, "deploy.cmd_a_label"),
+        a_hint = tf1(lang, "deploy.cmd_a_hint", &html_escape(&cmd_unix)),
+        b_label = t(lang, "deploy.cmd_b_label"),
+        b_hint = t(lang, "deploy.cmd_b_hint"),
+        c_label = t(lang, "deploy.cmd_c_label"),
+        c_hint = t(lang, "deploy.cmd_c_hint"),
+        raw_blob = t(lang, "deploy.raw_blob"),
         cmd_win = html_escape(&cmd_win),
-        cmd_unix = html_escape(&cmd_unix),
         cmd_hello = html_escape(&cmd_hello),
         renamed = html_escape(&renamed),
         renamed_note = renamed_note,
diff --git a/src/api/admin/pages/devices.rs b/src/api/admin/pages/devices.rs
index de1299b..a5d5656 100644
--- a/src/api/admin/pages/devices.rs
+++ b/src/api/admin/pages/devices.rs
@@ -2,6 +2,7 @@
 //! force-disconnect (queues a `heartbeat_commands` row consumed on the
 //! peer's next /api/heartbeat tick) and force-sysinfo refresh.
 
+use crate::api::admin::i18n::{t, tf1, tf2, Lang};
 use crate::api::error::ApiError;
 use crate::api::middleware::AuthedUser;
 use crate::api::state::AppState;
@@ -21,25 +22,30 @@ const ONLINE_THRESHOLD_SECS: i64 = 45;
 pub async fn index(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
-    let table = render_table(&state).await?;
+    let table = render_table(&state, lang).await?;
     Ok(Html(format!(
         r##"<div class="space-y-6">
   <header class="flex items-center justify-between">
-    <h2 class="text-lg font-semibold">Devices</h2>
-    <p class="text-xs text-slate-500">Force-disconnect / force-sysinfo are delivered on the peer's next heartbeat tick (~15 s).</p>
+    <h2 class="text-lg font-semibold">{heading}</h2>
+    <p class="text-xs text-slate-500">{tagline}</p>
   </header>
   <section id="devices-region">
     {table}
   </section>
-</div>"##
+</div>"##,
+        heading = t(lang, "devices.heading"),
+        tagline = t(lang, "devices.tagline"),
+        table = table,
     )))
 }
 
 pub async fn force_disconnect(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
     Path(peer_id): Path<String>,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
@@ -55,8 +61,9 @@ pub async fn force_disconnect(
         .map_err(|e| ApiError::Internal(e.to_string()))?;
     notice_then_table(
         &state,
+        lang,
         "ok",
-        &format!("Queued disconnect for {} (conns={})", peer_id, conns),
+        &tf2(lang, "devices.queued_disconnect", &peer_id, &conns),
     )
     .await
 }
@@ -64,6 +71,7 @@ pub async fn force_disconnect(
 pub async fn force_sysinfo(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
     Path(peer_id): Path<String>,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
@@ -74,8 +82,9 @@ pub async fn force_sysinfo(
         .map_err(|e| ApiError::Internal(e.to_string()))?;
     notice_then_table(
         &state,
+        lang,
         "ok",
-        &format!("Queued sysinfo refresh for {}", peer_id),
+        &tf1(lang, "devices.queued_sysinfo", &peer_id),
     )
     .await
 }
@@ -83,6 +92,7 @@ pub async fn force_sysinfo(
 pub async fn delete(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
     Path(peer_id): Path<String>,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
@@ -92,11 +102,11 @@ pub async fn delete(
         .await
         .map_err(|e| ApiError::Internal(e.to_string()))?;
     let msg = if ok {
-        format!("Deleted device {}.", peer_id)
+        tf1(lang, "devices.deleted", &peer_id)
     } else {
-        "Device already gone.".to_string()
+        t(lang, "devices.already_gone").to_string()
     };
-    notice_then_table(&state, if ok { "ok" } else { "error" }, &msg).await
+    notice_then_table(&state, lang, if ok { "ok" } else { "error" }, &msg).await
 }
 
 /// Per-device detail page: hardware / OS inventory reported by hello-agent
@@ -107,6 +117,7 @@ pub async fn delete(
 pub async fn detail(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
     Path(peer_id): Path<String>,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
@@ -116,15 +127,17 @@ pub async fn detail(
         .await
         .map_err(|e| ApiError::Internal(e.to_string()))?;
     let html = match row {
-        Some(d) => render_detail(&d),
+        Some(d) => render_detail(lang, &d),
         None => format!(
             r##"<div class="space-y-4">
   {back}
   <div class="rounded border border-rose-700/50 bg-rose-900/30 p-3 text-sm text-rose-300">
-    No device with peer ID <code class="font-mono">{id}</code> in the dashboard.
+    {no_device} <code class="font-mono">{id}</code> {in_dashboard}
   </div>
 </div>"##,
-            back = back_button(),
+            back = back_button(lang),
+            no_device = t(lang, "devices.no_device_with_id"),
+            in_dashboard = t(lang, "devices.in_dashboard"),
             id = html_escape(&peer_id),
         ),
     };
@@ -150,7 +163,7 @@ fn online_state(last_heartbeat_at: &str, now: chrono::DateTime<chrono::Utc>) ->
     }
 }
 
-async fn render_table(state: &Arc<AppState>) -> Result<String, ApiError> {
+async fn render_table(state: &Arc<AppState>, lang: Lang) -> Result<String, ApiError> {
     let (total, devices) = state
         .db
         .devices_list_all(0, PAGE_SIZE)
@@ -167,39 +180,57 @@ async fn render_table(state: &Arc<AppState>) -> Result<String, ApiError> {
 <table class="w-full text-sm">
   <thead class="text-xs uppercase text-slate-500 bg-slate-950">
     <tr>
-      <th class="text-left font-medium px-3 py-2">Peer ID</th>
-      <th class="text-left font-medium px-3 py-2">Owner</th>
-      <th class="text-left font-medium px-3 py-2">Hostname</th>
-      <th class="text-left font-medium px-3 py-2">User</th>
-      <th class="text-left font-medium px-3 py-2">Unattended pwd</th>
-      <th class="text-left font-medium px-3 py-2">OS</th>
-      <th class="text-left font-medium px-3 py-2">Version</th>
-      <th class="text-left font-medium px-3 py-2">Last heartbeat</th>
-      <th class="text-left font-medium px-3 py-2">Conns</th>
-      <th class="text-right font-medium px-3 py-2 w-1">Actions</th>
+      <th class="text-left font-medium px-3 py-2">{c_peer}</th>
+      <th class="text-left font-medium px-3 py-2">{c_owner}</th>
+      <th class="text-left font-medium px-3 py-2">{c_host}</th>
+      <th class="text-left font-medium px-3 py-2">{c_user}</th>
+      <th class="text-left font-medium px-3 py-2">{c_pwd}</th>
+      <th class="text-left font-medium px-3 py-2">{c_os}</th>
+      <th class="text-left font-medium px-3 py-2">{c_ver}</th>
+      <th class="text-left font-medium px-3 py-2">{c_last}</th>
+      <th class="text-left font-medium px-3 py-2">{c_conns}</th>
+      <th class="text-right font-medium px-3 py-2 w-1">{c_actions}</th>
     </tr>
   </thead>
-  <tbody class="divide-y divide-slate-800">"##
+  <tbody class="divide-y divide-slate-800">"##,
+        c_peer = t(lang, "devices.col_peer_id"),
+        c_owner = t(lang, "devices.col_owner"),
+        c_host = t(lang, "devices.col_hostname"),
+        c_user = t(lang, "devices.col_user"),
+        c_pwd = t(lang, "devices.col_unattended_pwd"),
+        c_os = t(lang, "devices.col_os"),
+        c_ver = t(lang, "devices.col_version"),
+        c_last = t(lang, "devices.col_last_heartbeat"),
+        c_conns = t(lang, "devices.col_conns"),
+        c_actions = t(lang, "common.actions"),
     );
     if devices.is_empty() {
-        s.push_str(
-            r##"<tr><td colspan="10" class="px-3 py-4 text-slate-500 text-center text-xs">No devices have heartbeated yet.</td></tr>"##,
+        let _ = write!(
+            s,
+            r##"<tr><td colspan="10" class="px-3 py-4 text-slate-500 text-center text-xs">{}</td></tr>"##,
+            t(lang, "devices.no_devices"),
         );
     }
     for d in &devices {
-        render_device_row(&mut s, d, now);
+        render_device_row(&mut s, lang, d, now);
     }
     let _ = write!(
         s,
         r##"</tbody>
 </table>
-<div class="px-3 py-2 text-xs text-slate-500 border-t border-slate-800">{total} device(s).</div>
-</div>"##
+<div class="px-3 py-2 text-xs text-slate-500 border-t border-slate-800">{count}</div>
+</div>"##,
+        count = tf1(lang, "devices.devices_count", &total.to_string()),
     );
     Ok(s)
 }
 
-fn render_device_row(s: &mut String, d: &DashboardDeviceRow, now: chrono::DateTime<chrono::Utc>) {
+fn render_device_row(
+    s: &mut String,
+    lang: Lang,
+    d: &DashboardDeviceRow,
+    now: chrono::DateTime<chrono::Utc>,
+) {
     let parsed: serde_json::Value =
         serde_json::from_str(&d.sysinfo_payload).unwrap_or(serde_json::Value::Null);
     let pick = |k: &str| -> String {
@@ -246,14 +277,14 @@ fn render_device_row(s: &mut String, d: &DashboardDeviceRow, now: chrono::DateTi
     let (dot_class, tooltip) = if is_online {
         (
             "bg-emerald-400",
-            format!("Online — last heartbeat {}s ago", age_secs),
+            tf1(lang, "devices.online", &age_secs.to_string()),
         )
     } else if age_secs == i64::MAX {
-        ("bg-slate-500", "No heartbeat recorded".to_string())
+        ("bg-slate-500", t(lang, "devices.no_heartbeat").to_string())
     } else {
         (
             "bg-rose-500",
-            format!("Offline — last heartbeat {} ago", fmt_age(age_secs)),
+            tf1(lang, "devices.offline", &fmt_age(age_secs)),
         )
     };
     // Per-boot unattended-access password reported by hello-agent. Visible
@@ -304,31 +335,31 @@ fn render_device_row(s: &mut String, d: &DashboardDeviceRow, now: chrono::DateTi
       <div class="absolute right-2 mt-1 z-10 w-56 bg-slate-900 border border-slate-700 rounded shadow-lg p-2 space-y-1 text-left">
         <a class="block w-full text-left px-2 py-1 text-xs text-sky-300 hover:bg-sky-900/40 rounded"
           href="/admin/connect/{id}" target="_blank" rel="noopener">
-          Connect (web client)
+          {connect_web}
         </a>
         <button class="w-full text-left px-2 py-1 text-xs hover:bg-slate-800 rounded"
           hx-get="/admin/pages/devices/{id}/detail"
           hx-target="#devices-region" hx-swap="innerHTML">
-          Details &amp; inventory
+          {details}
         </button>
         <hr class="border-slate-700 my-1" />
         <button class="w-full text-left px-2 py-1 text-xs hover:bg-slate-800 rounded"
           hx-post="/admin/pages/devices/{id}/disconnect"
           hx-target="#devices-region" hx-swap="innerHTML"
-          hx-confirm="Disconnect all active sessions on {id}?">
-          Force disconnect
+          hx-confirm="{confirm_disc}">
+          {force_disc}
         </button>
         <button class="w-full text-left px-2 py-1 text-xs hover:bg-slate-800 rounded"
           hx-post="/admin/pages/devices/{id}/sysinfo-refresh"
           hx-target="#devices-region" hx-swap="innerHTML">
-          Force sysinfo refresh
+          {force_sysinfo}
         </button>
         <hr class="border-slate-700 my-1" />
         <button class="w-full text-left px-2 py-1 text-xs text-rose-300 hover:bg-rose-900/40 rounded"
           hx-post="/admin/pages/devices/{id}/delete"
           hx-target="#devices-region" hx-swap="innerHTML"
-          hx-confirm="Delete {id}? This removes the dashboard row and the rendezvous identity. Audit logs and recordings are kept.">
-          Delete device
+          hx-confirm="{confirm_delete}">
+          {delete_device}
         </button>
       </div>
     </details>
@@ -347,7 +378,14 @@ fn render_device_row(s: &mut String, d: &DashboardDeviceRow, now: chrono::DateTi
         os = html_escape(&os),
         ver = html_escape(&version_label),
         last = html_escape(&d.last_heartbeat_at),
-        n = conn_count
+        n = conn_count,
+        connect_web = t(lang, "devices.connect_web"),
+        details = t(lang, "devices.details"),
+        confirm_disc = html_escape(&tf1(lang, "devices.confirm_disconnect", &d.id)),
+        force_disc = t(lang, "devices.force_disconnect"),
+        force_sysinfo = t(lang, "devices.force_sysinfo"),
+        confirm_delete = html_escape(&tf1(lang, "devices.confirm_delete", &d.id)),
+        delete_device = t(lang, "devices.delete_device"),
     );
 }
 
@@ -361,19 +399,22 @@ fn render_device_row(s: &mut String, d: &DashboardDeviceRow, now: chrono::DateTi
 pub async fn list_fragment(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
-    Ok(Html(render_table(&state).await?))
+    Ok(Html(render_table(&state, lang).await?))
 }
 
 /// "Back to devices" — refetches the devices table fragment via HTMX
 /// and swaps it back into `#devices-region`. Used by the detail page.
-fn back_button() -> String {
-    r##"<button class="text-xs text-sky-300 hover:text-sky-200"
+fn back_button(lang: Lang) -> String {
+    format!(
+        r##"<button class="text-xs text-sky-300 hover:text-sky-200"
   hx-get="/admin/pages/devices/list-fragment"
   hx-target="#devices-region"
-  hx-swap="innerHTML">&larr; Back to devices</button>"##
-        .to_string()
+  hx-swap="innerHTML">{label}</button>"##,
+        label = t(lang, "devices.back"),
+    )
 }
 
 /// Pretty-print a JSON value for the inventory table cells. Strings are
@@ -391,7 +432,7 @@ fn fmt_inv_value(v: Option<&serde_json::Value>) -> String {
     }
 }
 
-fn render_detail(d: &DashboardDeviceRow) -> String {
+fn render_detail(lang: Lang, d: &DashboardDeviceRow) -> String {
     let parsed: serde_json::Value =
         serde_json::from_str(&d.sysinfo_payload).unwrap_or(serde_json::Value::Null);
     let pick = |k: &str| -> String {
@@ -426,20 +467,29 @@ fn render_detail(d: &DashboardDeviceRow) -> String {
     let header = format!(
         r##"<div class="rounded-md border border-slate-800 bg-slate-900 p-4">
   <div class="flex items-baseline justify-between">
-    <h2 class="text-lg font-semibold">Device <code class="font-mono text-sky-300">{id}</code></h2>
+    <h2 class="text-lg font-semibold">{device_label} <code class="font-mono text-sky-300">{id}</code></h2>
     <span class="text-xs text-slate-500">UUID <code class="font-mono">{uuid}</code></span>
   </div>
   <dl class="mt-3 grid grid-cols-2 gap-x-6 gap-y-1 text-sm md:grid-cols-3">
-    <div><dt class="text-xs text-slate-500">Hostname</dt><dd class="text-slate-200">{host}</dd></div>
-    <div><dt class="text-xs text-slate-500">Owner</dt><dd class="text-slate-200">{owner}</dd></div>
-    <div><dt class="text-xs text-slate-500">Active user</dt><dd class="text-slate-200">{user}</dd></div>
-    <div><dt class="text-xs text-slate-500">Agent</dt><dd class="text-slate-200">{ident}</dd></div>
-    <div><dt class="text-xs text-slate-500">OS (runtime)</dt><dd class="text-slate-200">{os_rt}</dd></div>
-    <div><dt class="text-xs text-slate-500">Last heartbeat</dt><dd class="text-slate-200">{last}</dd></div>
-    <div><dt class="text-xs text-slate-500">CPU (runtime)</dt><dd class="text-slate-200">{cpu_rt}</dd></div>
-    <div><dt class="text-xs text-slate-500">Memory (runtime)</dt><dd class="text-slate-200">{mem_rt}</dd></div>
+    <div><dt class="text-xs text-slate-500">{l_host}</dt><dd class="text-slate-200">{host}</dd></div>
+    <div><dt class="text-xs text-slate-500">{l_owner}</dt><dd class="text-slate-200">{owner}</dd></div>
+    <div><dt class="text-xs text-slate-500">{l_user}</dt><dd class="text-slate-200">{user}</dd></div>
+    <div><dt class="text-xs text-slate-500">{l_agent}</dt><dd class="text-slate-200">{ident}</dd></div>
+    <div><dt class="text-xs text-slate-500">{l_os_rt}</dt><dd class="text-slate-200">{os_rt}</dd></div>
+    <div><dt class="text-xs text-slate-500">{l_last}</dt><dd class="text-slate-200">{last}</dd></div>
+    <div><dt class="text-xs text-slate-500">{l_cpu_rt}</dt><dd class="text-slate-200">{cpu_rt}</dd></div>
+    <div><dt class="text-xs text-slate-500">{l_mem_rt}</dt><dd class="text-slate-200">{mem_rt}</dd></div>
   </dl>
 </div>"##,
+        device_label = t(lang, "devices.device_label"),
+        l_host = t(lang, "devices.col_hostname"),
+        l_owner = t(lang, "devices.col_owner"),
+        l_user = t(lang, "devices.detail_active_user"),
+        l_agent = t(lang, "devices.detail_agent"),
+        l_os_rt = t(lang, "devices.detail_os_runtime"),
+        l_last = t(lang, "devices.col_last_heartbeat"),
+        l_cpu_rt = t(lang, "devices.detail_cpu_runtime"),
+        l_mem_rt = t(lang, "devices.detail_memory_runtime"),
         id = html_escape(&d.id),
         uuid = html_escape(&d.uuid),
         host = html_escape(if hostname.is_empty() { "—" } else { &hostname }),
@@ -463,22 +513,24 @@ fn render_detail(d: &DashboardDeviceRow) -> String {
     // hello-agent's main.rs; absence means vanilla rustdesk.
     let inventory_section = if agent_name == "HelloAgent" {
         match parsed.get("inventory") {
-            Some(inv) if inv.is_object() => render_inventory_table(inv),
+            Some(inv) if inv.is_object() => render_inventory_table(lang, inv),
             _ => format!(
                 r##"<div class="rounded-md border border-amber-700/50 bg-amber-900/20 p-3 text-sm text-amber-300">
-  Inventory data not yet reported. The agent collects it on startup and
-  uploads on the next sysinfo cycle (≤120 s).
-</div>"##
+  {msg}
+</div>"##,
+                msg = t(lang, "devices.inventory_pending"),
             ),
         }
     } else {
         format!(
             r##"<div class="rounded-md border border-slate-700 bg-slate-900 p-3 text-sm text-slate-400">
-  Inventory data is only reported by HelloAgent. This device is running
-  <span class="text-slate-200">{ident}</span>; the standard RustDesk client
-  does not collect hardware or BitLocker inventory.
+  {msg}
 </div>"##,
-            ident = html_escape(&identity_label),
+            msg = tf1(
+                lang,
+                "devices.inventory_unsupported",
+                &format!("<span class=\"text-slate-200\">{}</span>", html_escape(&identity_label))
+            ),
         )
     };
 
@@ -486,19 +538,21 @@ fn render_detail(d: &DashboardDeviceRow) -> String {
         r##"<div class="space-y-4">
   <div class="flex items-center justify-between">
     {back}
-    <div class="text-xs text-slate-500">Detail view</div>
+    <div class="text-xs text-slate-500">{detail_view}</div>
   </div>
   {header}
-  <h3 class="text-sm font-semibold text-slate-300 mt-4">Inventory</h3>
+  <h3 class="text-sm font-semibold text-slate-300 mt-4">{inventory}</h3>
   {inv}
 </div>"##,
-        back = back_button(),
+        back = back_button(lang),
+        detail_view = t(lang, "devices.detail_view"),
+        inventory = t(lang, "devices.inventory"),
         header = header,
         inv = inventory_section,
     )
 }
 
-fn render_inventory_table(inv: &serde_json::Value) -> String {
+fn render_inventory_table(lang: Lang, inv: &serde_json::Value) -> String {
     let row = |label: &str, key: &str| {
         format!(
             r##"<tr class="border-b border-slate-800">
@@ -513,8 +567,12 @@ fn render_inventory_table(inv: &serde_json::Value) -> String {
     // Disks need their own renderer — they're an array of objects.
     let disks_html = match inv.get("disks") {
         Some(serde_json::Value::Array(arr)) if !arr.is_empty() => {
-            let mut s = String::from(
-                r##"<table class="w-full text-xs"><thead><tr class="text-slate-500"><th class="text-left font-medium px-2 py-1">Name</th><th class="text-left font-medium px-2 py-1">Model</th><th class="text-right font-medium px-2 py-1">Size (GB)</th><th class="text-left font-medium px-2 py-1">Media</th></tr></thead><tbody>"##,
+            let mut s = format!(
+                r##"<table class="w-full text-xs"><thead><tr class="text-slate-500"><th class="text-left font-medium px-2 py-1">{c_name}</th><th class="text-left font-medium px-2 py-1">{c_model}</th><th class="text-right font-medium px-2 py-1">{c_size}</th><th class="text-left font-medium px-2 py-1">{c_media}</th></tr></thead><tbody>"##,
+                c_name = t(lang, "devices.disk_name"),
+                c_model = t(lang, "devices.disk_model"),
+                c_size = t(lang, "devices.disk_size"),
+                c_media = t(lang, "devices.disk_media"),
             );
             for disk in arr {
                 let name = fmt_inv_value(disk.get("name"));
@@ -540,7 +598,10 @@ fn render_inventory_table(inv: &serde_json::Value) -> String {
         .and_then(|v| v.as_str())
         .unwrap_or("");
     let bl_html = if bl_key_raw.is_empty() {
-        r##"<span class="text-slate-500">— (not reported; non-Pro SKU, not encrypted, or no admin rights)</span>"##.to_string()
+        format!(
+            r##"<span class="text-slate-500">{}</span>"##,
+            t(lang, "devices.bitlocker_unavailable"),
+        )
     } else {
         format!(
             r##"<code class="block font-mono text-xs text-amber-300 bg-slate-950 px-2 py-1 rounded border border-slate-800 select-all break-all">{}</code>"##,
@@ -548,14 +609,17 @@ fn render_inventory_table(inv: &serde_json::Value) -> String {
         )
     };
 
-    let nics_html = render_nics(inv.get("network_interfaces"));
-    let wifi_html = render_wifi(inv.get("wifi_current"), inv.get("wifi_nearby"));
+    let nics_html = render_nics(lang, inv.get("network_interfaces"));
+    let wifi_html = render_wifi(lang, inv.get("wifi_current"), inv.get("wifi_nearby"));
     let public_ip_raw = inv
         .get("public_ip")
         .and_then(|v| v.as_str())
         .unwrap_or("");
     let public_ip_html = if public_ip_raw.is_empty() {
-        r##"<span class="text-slate-500">— (lookup failed or blocked)</span>"##.to_string()
+        format!(
+            r##"<span class="text-slate-500">{}</span>"##,
+            t(lang, "devices.public_ip_failed"),
+        )
     } else {
         format!(
             r##"<code class="font-mono text-xs text-sky-300 bg-slate-950 px-2 py-1 rounded border border-slate-800 select-all">{}</code>"##,
@@ -583,40 +647,44 @@ fn render_inventory_table(inv: &serde_json::Value) -> String {
     </table>
   </div>
   <div>
-    <h4 class="text-xs uppercase text-slate-500 mb-1">Disks</h4>
+    <h4 class="text-xs uppercase text-slate-500 mb-1">{l_disks}</h4>
     <div class="rounded-md border border-slate-800 bg-slate-900 overflow-hidden p-2">
       {disks}
     </div>
   </div>
   <div>
-    <h4 class="text-xs uppercase text-slate-500 mb-1">Network interfaces</h4>
+    <h4 class="text-xs uppercase text-slate-500 mb-1">{l_nics}</h4>
     {nics}
   </div>
   {wifi}
   <div>
-    <h4 class="text-xs uppercase text-slate-500 mb-1">Public IP (egress, last lookup)</h4>
+    <h4 class="text-xs uppercase text-slate-500 mb-1">{l_pip}</h4>
     {public_ip}
   </div>
   <div>
-    <h4 class="text-xs uppercase text-slate-500 mb-1">BitLocker recovery key (system drive)</h4>
+    <h4 class="text-xs uppercase text-slate-500 mb-1">{l_bl}</h4>
     {bl}
   </div>
 </div>"##,
-        sn = row("Serial number", "serial_number"),
-        mfr = row("Manufacturer", "manufacturer"),
-        model = row("Model", "model"),
-        dom = row("Windows domain", "domain"),
-        os_d = row("OS distribution", "os_distro"),
-        os_r = row("OS release", "os_release"),
-        cpu_m = row("CPU model", "cpu_model"),
-        cpu_s = row("CPU speed (GHz)", "cpu_speed_ghz"),
-        cpu_pc = row("CPU physical cores", "cpu_cores_physical"),
-        cpu_lc = row("CPU logical cores", "cpu_cores_logical"),
-        ram = row("RAM (GB)", "ram_gb"),
+        sn = row(t(lang, "devices.serial_number"), "serial_number"),
+        mfr = row(t(lang, "devices.manufacturer"), "manufacturer"),
+        model = row(t(lang, "devices.model"), "model"),
+        dom = row(t(lang, "devices.windows_domain"), "domain"),
+        os_d = row(t(lang, "devices.os_distro"), "os_distro"),
+        os_r = row(t(lang, "devices.os_release"), "os_release"),
+        cpu_m = row(t(lang, "devices.cpu_model"), "cpu_model"),
+        cpu_s = row(t(lang, "devices.cpu_speed"), "cpu_speed_ghz"),
+        cpu_pc = row(t(lang, "devices.cpu_phys_cores"), "cpu_cores_physical"),
+        cpu_lc = row(t(lang, "devices.cpu_logical_cores"), "cpu_cores_logical"),
+        ram = row(t(lang, "devices.ram_gb"), "ram_gb"),
         disks = disks_html,
         nics = nics_html,
         wifi = wifi_html,
         public_ip = public_ip_html,
+        l_disks = t(lang, "devices.disks"),
+        l_nics = t(lang, "devices.network_interfaces"),
+        l_pip = t(lang, "devices.public_ip"),
+        l_bl = t(lang, "devices.bitlocker"),
         bl = bl_html,
     )
 }
@@ -624,15 +692,18 @@ fn render_inventory_table(inv: &serde_json::Value) -> String {
 /// Render the network-interfaces array as a table (one row per NIC).
 /// Wi-Fi NICs get a small badge so the operator can spot them at a glance
 /// next to the Wi-Fi-current section. Empty input → dash.
-fn render_nics(nics: Option<&serde_json::Value>) -> String {
+fn render_nics(lang: Lang, nics: Option<&serde_json::Value>) -> String {
     let arr = match nics {
         Some(serde_json::Value::Array(a)) if !a.is_empty() => a,
         _ => {
             return r##"<div class="rounded-md border border-slate-800 bg-slate-900 p-2"><span class="text-slate-500">—</span></div>"##.to_string();
         }
     };
-    let mut s = String::from(
-        r##"<div class="rounded-md border border-slate-800 bg-slate-900 overflow-hidden p-2"><table class="w-full text-xs"><thead><tr class="text-slate-500"><th class="text-left font-medium px-2 py-1">Name</th><th class="text-left font-medium px-2 py-1">Description</th><th class="text-left font-medium px-2 py-1">MAC</th><th class="text-left font-medium px-2 py-1">Status</th><th class="text-left font-medium px-2 py-1">IPv4</th><th class="text-left font-medium px-2 py-1">IPv6</th><th class="text-right font-medium px-2 py-1">Mbps</th></tr></thead><tbody>"##,
+    let mut s = format!(
+        r##"<div class="rounded-md border border-slate-800 bg-slate-900 overflow-hidden p-2"><table class="w-full text-xs"><thead><tr class="text-slate-500"><th class="text-left font-medium px-2 py-1">{c_name}</th><th class="text-left font-medium px-2 py-1">{c_desc}</th><th class="text-left font-medium px-2 py-1">MAC</th><th class="text-left font-medium px-2 py-1">{c_status}</th><th class="text-left font-medium px-2 py-1">IPv4</th><th class="text-left font-medium px-2 py-1">IPv6</th><th class="text-right font-medium px-2 py-1">Mbps</th></tr></thead><tbody>"##,
+        c_name = t(lang, "devices.disk_name"),
+        c_desc = t(lang, "devices.nic_description"),
+        c_status = t(lang, "devices.nic_status"),
     );
     for nic in arr {
         let name = fmt_inv_value(nic.get("name"));
@@ -687,6 +758,7 @@ fn render_ip_list(v: Option<&serde_json::Value>) -> String {
 /// Returns an empty string when neither is present, so the surrounding
 /// detail page can omit the heading entirely.
 fn render_wifi(
+    lang: Lang,
     current: Option<&serde_json::Value>,
     nearby: Option<&serde_json::Value>,
 ) -> String {
@@ -726,10 +798,10 @@ fn render_wifi(
   <dl class="grid grid-cols-2 gap-x-6 gap-y-1 text-xs md:grid-cols-3">
     <div><dt class="text-slate-500">SSID</dt><dd class="text-slate-200 font-mono">{ssid}</dd></div>
     <div><dt class="text-slate-500">BSSID</dt><dd class="text-slate-300 font-mono">{bssid}</dd></div>
-    <div><dt class="text-slate-500">Signal</dt><dd class="text-slate-200">{sig}</dd></div>
-    <div><dt class="text-slate-500">Authentication</dt><dd class="text-slate-300">{auth}</dd></div>
-    <div><dt class="text-slate-500">Cipher</dt><dd class="text-slate-300">{cipher}</dd></div>
-    <div><dt class="text-slate-500">Rate</dt><dd class="text-slate-300">{rate}</dd></div>
+    <div><dt class="text-slate-500">{l_signal}</dt><dd class="text-slate-200">{sig}</dd></div>
+    <div><dt class="text-slate-500">{l_auth}</dt><dd class="text-slate-300">{auth}</dd></div>
+    <div><dt class="text-slate-500">{l_cipher}</dt><dd class="text-slate-300">{cipher}</dd></div>
+    <div><dt class="text-slate-500">{l_rate}</dt><dd class="text-slate-300">{rate}</dd></div>
   </dl>
 </div>"##,
             ssid = fmt_inv_value(c.get("ssid")),
@@ -738,18 +810,28 @@ fn render_wifi(
             auth = fmt_inv_value(c.get("auth")),
             cipher = fmt_inv_value(c.get("cipher")),
             rate = rate_mbps,
+            l_signal = t(lang, "devices.wifi_signal"),
+            l_auth = t(lang, "devices.wifi_auth"),
+            l_cipher = t(lang, "devices.wifi_cipher"),
+            l_rate = t(lang, "devices.wifi_rate"),
         )
     } else {
-        r##"<div class="rounded-md border border-slate-800 bg-slate-900 p-3 text-xs text-slate-500">Not connected to a Wi-Fi network.</div>"##.to_string()
+        format!(
+            r##"<div class="rounded-md border border-slate-800 bg-slate-900 p-3 text-xs text-slate-500">{}</div>"##,
+            t(lang, "devices.wifi_not_connected"),
+        )
     };
 
     let nearby_html = if let Some(arr) = nearby_arr {
-        let mut s = String::from(
+        let mut s = format!(
             r##"<details class="rounded-md border border-slate-800 bg-slate-900">
-  <summary class="cursor-pointer px-3 py-2 text-xs text-slate-400 hover:text-slate-200 select-none">Nearby SSIDs ({n})</summary>
-  <div class="p-2"><table class="w-full text-xs"><thead><tr class="text-slate-500"><th class="text-left font-medium px-2 py-1">SSID</th><th class="text-left font-medium px-2 py-1">Authentication</th><th class="text-left font-medium px-2 py-1">Cipher</th><th class="text-right font-medium px-2 py-1">Signal</th></tr></thead><tbody>"##,
+  <summary class="cursor-pointer px-3 py-2 text-xs text-slate-400 hover:text-slate-200 select-none">{nearby_label}</summary>
+  <div class="p-2"><table class="w-full text-xs"><thead><tr class="text-slate-500"><th class="text-left font-medium px-2 py-1">SSID</th><th class="text-left font-medium px-2 py-1">{l_auth}</th><th class="text-left font-medium px-2 py-1">{l_cipher}</th><th class="text-right font-medium px-2 py-1">{l_signal}</th></tr></thead><tbody>"##,
+            nearby_label = tf1(lang, "devices.wifi_nearby", &arr.len().to_string()),
+            l_auth = t(lang, "devices.wifi_auth"),
+            l_cipher = t(lang, "devices.wifi_cipher"),
+            l_signal = t(lang, "devices.wifi_signal"),
         );
-        s = s.replace("{n}", &arr.len().to_string());
         for net in arr {
             let _ = write!(
                 &mut s,
@@ -768,10 +850,11 @@ fn render_wifi(
 
     format!(
         r##"<div>
-  <h4 class="text-xs uppercase text-slate-500 mb-1">Wi-Fi (current connection)</h4>
+  <h4 class="text-xs uppercase text-slate-500 mb-1">{wifi_current}</h4>
   {current}
   {nearby}
 </div>"##,
+        wifi_current = t(lang, "devices.wifi_current"),
         current = current_html,
         nearby = if nearby_html.is_empty() {
             String::new()
@@ -798,11 +881,12 @@ fn fmt_age(secs: i64) -> String {
 
 async fn notice_then_table(
     state: &Arc<AppState>,
+    lang: Lang,
     kind: &str,
     msg: &str,
 ) -> Result<Html<String>, ApiError> {
     let mut html = notice_html(kind, msg);
-    html.push_str(&render_table(state).await?);
+    html.push_str(&render_table(state, lang).await?);
     Ok(Html(html))
 }
 
diff --git a/src/api/admin/pages/groups.rs b/src/api/admin/pages/groups.rs
index 0c726c4..a65e0f5 100644
--- a/src/api/admin/pages/groups.rs
+++ b/src/api/admin/pages/groups.rs
@@ -3,6 +3,7 @@
 //! the canonical place to manage who can see whose devices.
 
 use super::shared::{html_escape, notice_html, require_admin};
+use crate::api::admin::i18n::{t, tf1, Lang};
 use crate::api::error::ApiError;
 use crate::api::middleware::AuthedUser;
 use crate::api::state::AppState;
@@ -15,9 +16,10 @@ use std::sync::Arc;
 pub async fn index(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
-    Ok(Html(render_full(&state).await?))
+    Ok(Html(render_full(&state, lang).await?))
 }
 
 #[derive(Debug, Deserialize)]
@@ -28,23 +30,25 @@ pub struct CreateForm {
 pub async fn create(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
     Form(form): Form<CreateForm>,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
     if form.name.trim().is_empty() {
-        return notice_then(&state, "error", "Name required").await;
+        return notice_then(&state, lang, "error", t(lang, "groups.name_required")).await;
     }
     state
         .db
         .device_group_create(form.name.trim())
         .await
         .map_err(|e| ApiError::Internal(e.to_string()))?;
-    notice_then(&state, "ok", &format!("Group '{}' created.", form.name)).await
+    notice_then(&state, lang, "ok", &tf1(lang, "groups.created", &form.name)).await
 }
 
 pub async fn delete(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
     Path(id): Path<i64>,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
@@ -55,8 +59,9 @@ pub async fn delete(
         .map_err(|e| ApiError::Internal(e.to_string()))?;
     notice_then(
         &state,
+        lang,
         if ok { "ok" } else { "error" },
-        if ok { "Group deleted." } else { "Already gone." },
+        if ok { t(lang, "groups.deleted") } else { t(lang, "common.already_gone") },
     )
     .await
 }
@@ -69,6 +74,7 @@ pub struct MemberForm {
 pub async fn add_member(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
     Path(id): Path<i64>,
     Form(form): Form<MemberForm>,
 ) -> Result<Html<String>, ApiError> {
@@ -78,12 +84,13 @@ pub async fn add_member(
         .device_group_add_member(id, form.user_id)
         .await
         .map_err(|e| ApiError::Internal(e.to_string()))?;
-    Ok(Html(render_full(&state).await?))
+    Ok(Html(render_full(&state, lang).await?))
 }
 
 pub async fn remove_member(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
     Path((id, user_id)): Path<(i64, i64)>,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
@@ -92,7 +99,7 @@ pub async fn remove_member(
         .device_group_remove_member(id, user_id)
         .await
         .map_err(|e| ApiError::Internal(e.to_string()))?;
-    Ok(Html(render_full(&state).await?))
+    Ok(Html(render_full(&state, lang).await?))
 }
 
 #[derive(Debug, Deserialize)]
@@ -103,13 +110,14 @@ pub struct PeerForm {
 pub async fn add_peer(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
     Path(id): Path<i64>,
     Form(form): Form<PeerForm>,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
     let peer_id = form.peer_id.trim();
     if peer_id.is_empty() {
-        return notice_then(&state, "error", "Device ID required").await;
+        return notice_then(&state, lang, "error", t(lang, "groups.peer_id_required")).await;
     }
     let exists = state
         .db
@@ -119,8 +127,9 @@ pub async fn add_peer(
     if !exists {
         return notice_then(
             &state,
+            lang,
             "error",
-            &format!("No device '{}' has reported in yet.", peer_id),
+            &tf1(lang, "groups.no_device_yet", peer_id),
         )
         .await;
     }
@@ -129,12 +138,13 @@ pub async fn add_peer(
         .device_group_add_peer(id, peer_id)
         .await
         .map_err(|e| ApiError::Internal(e.to_string()))?;
-    Ok(Html(render_full(&state).await?))
+    Ok(Html(render_full(&state, lang).await?))
 }
 
 pub async fn remove_peer(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
     Path((id, peer_id)): Path<(i64, String)>,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
@@ -143,7 +153,7 @@ pub async fn remove_peer(
         .device_group_remove_peer(id, &peer_id)
         .await
         .map_err(|e| ApiError::Internal(e.to_string()))?;
-    Ok(Html(render_full(&state).await?))
+    Ok(Html(render_full(&state, lang).await?))
 }
 
 // ---------- rendering ----------
@@ -169,15 +179,16 @@ fn url_encode(s: &str) -> String {
 
 async fn notice_then(
     state: &Arc<AppState>,
+    lang: Lang,
     kind: &str,
     msg: &str,
 ) -> Result<Html<String>, ApiError> {
     let mut html = notice_html(kind, msg);
-    html.push_str(&render_full(state).await?);
+    html.push_str(&render_full(state, lang).await?);
     Ok(Html(html))
 }
 
-async fn render_full(state: &Arc<AppState>) -> Result<String, ApiError> {
+async fn render_full(state: &Arc<AppState>, lang: Lang) -> Result<String, ApiError> {
     let groups = state
         .db
         .device_groups_list_all()
@@ -190,22 +201,29 @@ async fn render_full(state: &Arc<AppState>) -> Result<String, ApiError> {
         .map_err(|e| ApiError::Internal(e.to_string()))?;
 
     let mut s = String::new();
-    s.push_str(
+    let _ = write!(
+        s,
         r##"<div id="groups-region" class="space-y-6">
-  <header><h2 class="text-lg font-semibold">Device groups</h2></header>
+  <header><h2 class="text-lg font-semibold">{heading}</h2></header>
   <section class="rounded-md border border-slate-800 bg-slate-900 p-4">
-    <h3 class="text-sm font-semibold text-slate-300 mb-3">Create group</h3>
+    <h3 class="text-sm font-semibold text-slate-300 mb-3">{create_heading}</h3>
     <form class="flex gap-2 text-sm" hx-post="/admin/pages/groups/create" hx-target="#groups-region" hx-swap="outerHTML">
-      <input name="name" placeholder="group name" required class="flex-1 bg-slate-800 border border-slate-700 rounded px-2 py-1.5"/>
-      <button class="bg-sky-600 hover:bg-sky-500 rounded px-3 py-1.5 font-medium text-white">Create</button>
+      <input name="name" placeholder="{ph}" required class="flex-1 bg-slate-800 border border-slate-700 rounded px-2 py-1.5"/>
+      <button class="bg-sky-600 hover:bg-sky-500 rounded px-3 py-1.5 font-medium text-white">{create}</button>
     </form>
   </section>
 "##,
+        heading = t(lang, "groups.heading"),
+        create_heading = t(lang, "groups.create_heading"),
+        ph = t(lang, "groups.group_name"),
+        create = t(lang, "common.create"),
     );
 
     if groups.is_empty() {
-        s.push_str(
-            r##"<p class="text-slate-500 text-sm">No device groups yet.</p>"##,
+        let _ = write!(
+            s,
+            r##"<p class="text-slate-500 text-sm">{}</p>"##,
+            t(lang, "groups.no_groups"),
         );
     }
     for g in &groups {
@@ -226,18 +244,23 @@ async fn render_full(state: &Arc<AppState>) -> Result<String, ApiError> {
     <h3 class="font-semibold">{name}</h3>
     <button class="text-xs text-rose-400 hover:text-rose-300"
       hx-post="/admin/pages/groups/{id}/delete"
-      hx-confirm="Delete group {name}? Members aren't deleted; just unassigned."
-      hx-target="#groups-region" hx-swap="outerHTML">Delete group</button>
+      hx-confirm="{confirm}"
+      hx-target="#groups-region" hx-swap="outerHTML">{delete_group}</button>
   </header>
   <div>
-    <h4 class="text-xs font-semibold text-slate-400 uppercase tracking-wide mb-1">Users</h4>
+    <h4 class="text-xs font-semibold text-slate-400 uppercase tracking-wide mb-1">{users}</h4>
     <ul class="text-sm divide-y divide-slate-800">"##,
             id = g.id,
-            name = html_escape(&g.name)
+            name = html_escape(&g.name),
+            confirm = html_escape(&tf1(lang, "groups.confirm_delete", &g.name)),
+            delete_group = t(lang, "groups.delete_group"),
+            users = t(lang, "groups.users"),
         );
         if members.is_empty() {
-            s.push_str(
-                r##"<li class="py-2 text-slate-500 text-xs">No user members yet.</li>"##,
+            let _ = write!(
+                s,
+                r##"<li class="py-2 text-slate-500 text-xs">{}</li>"##,
+                t(lang, "groups.no_user_members"),
             );
         }
         for u in &members {
@@ -247,11 +270,12 @@ async fn render_full(state: &Arc<AppState>) -> Result<String, ApiError> {
   <span class="text-slate-200">{username}</span>
   <button class="text-xs text-slate-400 hover:text-rose-300"
     hx-post="/admin/pages/groups/{gid}/members/{uid}/remove"
-    hx-target="#groups-region" hx-swap="outerHTML">Remove</button>
+    hx-target="#groups-region" hx-swap="outerHTML">{remove}</button>
 </li>"##,
                 username = html_escape(&u.username),
                 gid = g.id,
-                uid = u.id
+                uid = u.id,
+                remove = t(lang, "common.remove"),
             );
         }
         s.push_str("</ul>");
@@ -278,10 +302,12 @@ async fn render_full(state: &Arc<AppState>) -> Result<String, ApiError> {
                     username = html_escape(&u.username)
                 );
             }
-            s.push_str(
+            let _ = write!(
+                s,
                 r##"</select>
-  <button class="bg-sky-700 hover:bg-sky-600 rounded px-3 py-1.5 text-xs">Add user</button>
+  <button class="bg-sky-700 hover:bg-sky-600 rounded px-3 py-1.5 text-xs">{add_user}</button>
 </form>"##,
+                add_user = t(lang, "groups.add_user"),
             );
         }
         s.push_str("</div>");
@@ -290,21 +316,27 @@ async fn render_full(state: &Arc<AppState>) -> Result<String, ApiError> {
         let _ = write!(
             s,
             r##"<div>
-    <h4 class="text-xs font-semibold text-slate-400 uppercase tracking-wide mb-1">Devices</h4>
-    <ul class="text-sm divide-y divide-slate-800">"##
+    <h4 class="text-xs font-semibold text-slate-400 uppercase tracking-wide mb-1">{devices}</h4>
+    <ul class="text-sm divide-y divide-slate-800">"##,
+            devices = t(lang, "groups.devices_section"),
         );
         if peer_members.is_empty() {
-            s.push_str(
-                r##"<li class="py-2 text-slate-500 text-xs">No devices added directly. (Devices owned by user members above are also visible to them.)</li>"##,
+            let _ = write!(
+                s,
+                r##"<li class="py-2 text-slate-500 text-xs">{}</li>"##,
+                t(lang, "groups.no_peer_members"),
             );
         }
         for (peer_id, owner) in &peer_members {
             let owner_label = if owner.is_empty() {
-                String::from(r##"<span class="text-slate-500">unowned</span>"##)
+                format!(
+                    r##"<span class="text-slate-500">{}</span>"##,
+                    t(lang, "groups.unowned"),
+                )
             } else {
                 format!(
-                    r##"<span class="text-slate-500">owner: {}</span>"##,
-                    html_escape(owner)
+                    r##"<span class="text-slate-500">{}</span>"##,
+                    html_escape(&tf1(lang, "groups.owner_label", owner)),
                 )
             };
             let _ = write!(
@@ -315,13 +347,14 @@ async fn render_full(state: &Arc<AppState>) -> Result<String, ApiError> {
     {owner_label}
     <button class="text-slate-400 hover:text-rose-300"
       hx-post="/admin/pages/groups/{gid}/peers/{pid_url}/remove"
-      hx-target="#groups-region" hx-swap="outerHTML">Remove</button>
+      hx-target="#groups-region" hx-swap="outerHTML">{remove}</button>
   </span>
 </li>"##,
                 pid = html_escape(peer_id),
                 pid_url = url_encode(peer_id),
                 gid = g.id,
                 owner_label = owner_label,
+                remove = t(lang, "common.remove"),
             );
         }
         s.push_str("</ul>");
@@ -330,11 +363,13 @@ async fn render_full(state: &Arc<AppState>) -> Result<String, ApiError> {
             r##"<form class="flex gap-2 text-sm pt-2 border-t border-slate-800"
   hx-post="/admin/pages/groups/{id}/peers/add"
   hx-target="#groups-region" hx-swap="outerHTML">
-  <input name="peer_id" placeholder="Device ID (e.g. 123456789)" required
+  <input name="peer_id" placeholder="{ph}" required
     class="flex-1 bg-slate-800 border border-slate-700 rounded px-2 py-1.5 font-mono"/>
-  <button class="bg-sky-700 hover:bg-sky-600 rounded px-3 py-1.5 text-xs">Add device</button>
+  <button class="bg-sky-700 hover:bg-sky-600 rounded px-3 py-1.5 text-xs">{add_device}</button>
 </form></div>"##,
-            id = g.id
+            id = g.id,
+            ph = t(lang, "groups.peer_id_placeholder"),
+            add_device = t(lang, "groups.add_device"),
         );
 
         s.push_str("</section>");
diff --git a/src/api/admin/pages/profile.rs b/src/api/admin/pages/profile.rs
index a6a33b0..04c7f8e 100644
--- a/src/api/admin/pages/profile.rs
+++ b/src/api/admin/pages/profile.rs
@@ -16,6 +16,7 @@
 //! is written to `user_totp_secrets`. This means a half-finished enroll
 //! (user closes the tab) leaves no garbage state.
 
+use crate::api::admin::i18n::{t, Lang};
 use crate::api::error::ApiError;
 use crate::api::middleware::AuthedUser;
 use crate::api::state::AppState;
@@ -32,8 +33,9 @@ use totp_rs::Secret;
 pub async fn index(
     Extension(state): Extension<Arc<AppState>>,
     user: AuthedUser,
+    lang: Lang,
 ) -> Result<Html<String>, ApiError> {
-    Ok(Html(render_full_page(&state, &user, None).await?))
+    Ok(Html(render_full_page(&state, lang, &user, None).await?))
 }
 
 // ---------- update profile info ----------
@@ -49,6 +51,7 @@ pub struct InfoForm {
 pub async fn update_info(
     Extension(state): Extension<Arc<AppState>>,
     user: AuthedUser,
+    lang: Lang,
     Form(form): Form<InfoForm>,
 ) -> Result<Html<String>, ApiError> {
     state
@@ -62,7 +65,13 @@ pub async fn update_info(
         .await
         .map_err(|e| ApiError::Internal(e.to_string()))?;
     Ok(Html(
-        render_full_page(&state, &user, Some(("ok", "Profile updated."))).await?,
+        render_full_page(
+            &state,
+            lang,
+            &user,
+            Some(("ok", t(lang, "profile.profile_updated"))),
+        )
+        .await?,
     ))
 }
 
@@ -78,6 +87,7 @@ pub struct PasswordForm {
 pub async fn change_password(
     Extension(state): Extension<Arc<AppState>>,
     user: AuthedUser,
+    lang: Lang,
     Form(form): Form<PasswordForm>,
 ) -> Result<Html<String>, ApiError> {
     let row = state
@@ -90,11 +100,9 @@ pub async fn change_password(
         return Ok(Html(
             render_full_page(
                 &state,
+                lang,
                 &user,
-                Some((
-                    "error",
-                    "Your account signs in via the identity provider — change the password there.",
-                )),
+                Some(("error", t(lang, "profile.password_oidc_change"))),
             )
             .await?,
         ));
@@ -103,8 +111,9 @@ pub async fn change_password(
         return Ok(Html(
             render_full_page(
                 &state,
+                lang,
                 &user,
-                Some(("error", "New password must be at least 4 characters.")),
+                Some(("error", t(lang, "profile.password_min"))),
             )
             .await?,
         ));
@@ -113,8 +122,9 @@ pub async fn change_password(
         return Ok(Html(
             render_full_page(
                 &state,
+                lang,
                 &user,
-                Some(("error", "New password and confirmation don't match.")),
+                Some(("error", t(lang, "profile.password_mismatch"))),
             )
             .await?,
         ));
@@ -126,8 +136,9 @@ pub async fn change_password(
         return Ok(Html(
             render_full_page(
                 &state,
+                lang,
                 &user,
-                Some(("error", "Current password is incorrect.")),
+                Some(("error", t(lang, "profile.current_incorrect"))),
             )
             .await?,
         ));
@@ -141,7 +152,13 @@ pub async fn change_password(
         .await
         .map_err(|e| ApiError::Internal(e.to_string()))?;
     Ok(Html(
-        render_full_page(&state, &user, Some(("ok", "Password updated."))).await?,
+        render_full_page(
+            &state,
+            lang,
+            &user,
+            Some(("ok", t(lang, "profile.password_updated"))),
+        )
+        .await?,
     ))
 }
 
@@ -153,6 +170,7 @@ pub async fn change_password(
 pub async fn totp_start(
     Extension(state): Extension<Arc<AppState>>,
     user: AuthedUser,
+    lang: Lang,
 ) -> Result<Html<String>, ApiError> {
     // Reject if the user already has TOTP — they should remove it first.
     let already = state
@@ -164,8 +182,9 @@ pub async fn totp_start(
         return Ok(Html(
             render_full_page(
                 &state,
+                lang,
                 &user,
-                Some(("error", "You already have TOTP enrolled. Disable it first if you want to re-enroll.")),
+                Some(("error", t(lang, "profile.tfa_already"))),
             )
             .await?,
         ));
@@ -185,6 +204,7 @@ pub async fn totp_start(
 
     Ok(Html(render_totp_enroll_panel(
         &state,
+        lang,
         &user,
         &secret_b32,
         &qr_svg,
@@ -204,6 +224,7 @@ pub struct TotpConfirmForm {
 pub async fn totp_confirm(
     Extension(state): Extension<Arc<AppState>>,
     user: AuthedUser,
+    lang: Lang,
     Form(form): Form<TotpConfirmForm>,
 ) -> Result<Html<String>, ApiError> {
     let code = form.code.trim();
@@ -212,8 +233,9 @@ pub async fn totp_confirm(
         return Ok(Html(
             render_full_page(
                 &state,
+                lang,
                 &user,
-                Some(("error", "Missing secret in confirm form.")),
+                Some(("error", t(lang, "profile.tfa_missing_secret"))),
             )
             .await?,
         ));
@@ -236,10 +258,11 @@ pub async fn totp_confirm(
         return Ok(Html(
             render_totp_enroll_panel(
                 &state,
+                lang,
                 &user,
                 secret,
                 &qr_svg,
-                Some(("error", "Code didn't match. Try again — make sure the time on the authenticator device is in sync.")),
+                Some(("error", t(lang, "profile.tfa_bad_code"))),
             )
             .await?,
         ));
@@ -252,8 +275,9 @@ pub async fn totp_confirm(
     Ok(Html(
         render_full_page(
             &state,
+            lang,
             &user,
-            Some(("ok", "TOTP enrolled. Future sign-ins will require a 6-digit code.")),
+            Some(("ok", t(lang, "profile.tfa_enrolled"))),
         )
         .await?,
     ))
@@ -269,6 +293,7 @@ pub struct TotpRemoveForm {
 pub async fn totp_remove(
     Extension(state): Extension<Arc<AppState>>,
     user: AuthedUser,
+    lang: Lang,
     Form(form): Form<TotpRemoveForm>,
 ) -> Result<Html<String>, ApiError> {
     let row = state
@@ -284,8 +309,9 @@ pub async fn totp_remove(
         return Ok(Html(
             render_full_page(
                 &state,
+                lang,
                 &user,
-                Some(("error", "Current password is incorrect — TOTP not removed.")),
+                Some(("error", t(lang, "profile.tfa_current_pw_incorrect"))),
             )
             .await?,
         ));
@@ -296,7 +322,13 @@ pub async fn totp_remove(
         .await
         .map_err(|e| ApiError::Internal(e.to_string()))?;
     Ok(Html(
-        render_full_page(&state, &user, Some(("ok", "TOTP removed."))).await?,
+        render_full_page(
+            &state,
+            lang,
+            &user,
+            Some(("ok", t(lang, "profile.tfa_removed"))),
+        )
+        .await?,
     ))
 }
 
@@ -304,10 +336,11 @@ pub async fn totp_remove(
 
 async fn render_full_page(
     state: &Arc<AppState>,
+    lang: Lang,
     user: &AuthedUser,
     notice: Option<(&str, &str)>,
 ) -> Result<String, ApiError> {
-    render_full_page_with_totp_override(state, user, notice, None).await
+    render_full_page_with_totp_override(state, lang, user, notice, None).await
 }
 
 /// `totp_panel_override = Some(html)` swaps in a custom TOTP block —
@@ -316,6 +349,7 @@ async fn render_full_page(
 /// stay visible above it.
 async fn render_full_page_with_totp_override(
     state: &Arc<AppState>,
+    lang: Lang,
     user: &AuthedUser,
     notice: Option<(&str, &str)>,
     totp_panel_override: Option<String>,
@@ -339,16 +373,20 @@ async fn render_full_page_with_totp_override(
     // local TOTP both moot. Replace those sections with a short note.
     let oidc_linked = row.is_oidc_linked();
     let password_section = if oidc_linked {
-        r##"<section class="rounded-md border border-slate-800 bg-slate-900 p-4">
-  <h3 class="text-sm font-semibold text-slate-300 mb-2">Password</h3>
+        format!(
+            r##"<section class="rounded-md border border-slate-800 bg-slate-900 p-4">
+  <h3 class="text-sm font-semibold text-slate-300 mb-2">{heading}</h3>
   <p class="text-sm text-slate-400">
-    Your account signs in via your organisation's identity provider — there's no local password to change here.
+    {msg}
   </p>
-</section>"##
-            .to_string()
+</section>"##,
+            heading = t(lang, "profile.password_oidc"),
+            msg = t(lang, "profile.password_oidc_msg"),
+        )
     } else {
-        r##"<section class="rounded-md border border-slate-800 bg-slate-900 p-4">
-  <h3 class="text-sm font-semibold text-slate-300 mb-3">Change password</h3>
+        format!(
+            r##"<section class="rounded-md border border-slate-800 bg-slate-900 p-4">
+  <h3 class="text-sm font-semibold text-slate-300 mb-3">{heading}</h3>
   <form
     class="grid grid-cols-1 sm:grid-cols-3 gap-3 text-sm"
     hx-post="/admin/pages/profile/change-password"
@@ -356,69 +394,89 @@ async fn render_full_page_with_totp_override(
     hx-swap="innerHTML"
     hx-on::after-request="if (event.detail.successful) this.reset()"
   >
-    <input name="current_password" type="password" required placeholder="current password" class="bg-slate-800 border border-slate-700 rounded px-2 py-1.5"/>
-    <input name="new_password" type="password" required minlength="4" placeholder="new password" class="bg-slate-800 border border-slate-700 rounded px-2 py-1.5"/>
-    <input name="confirm_password" type="password" required minlength="4" placeholder="confirm new" class="bg-slate-800 border border-slate-700 rounded px-2 py-1.5"/>
-    <button type="submit" class="sm:col-span-3 justify-self-start bg-sky-600 hover:bg-sky-500 rounded px-3 py-1.5 text-white text-sm">Update password</button>
+    <input name="current_password" type="password" required placeholder="{cur}" class="bg-slate-800 border border-slate-700 rounded px-2 py-1.5"/>
+    <input name="new_password" type="password" required minlength="4" placeholder="{new}" class="bg-slate-800 border border-slate-700 rounded px-2 py-1.5"/>
+    <input name="confirm_password" type="password" required minlength="4" placeholder="{conf}" class="bg-slate-800 border border-slate-700 rounded px-2 py-1.5"/>
+    <button type="submit" class="sm:col-span-3 justify-self-start bg-sky-600 hover:bg-sky-500 rounded px-3 py-1.5 text-white text-sm">{btn}</button>
   </form>
-</section>"##.to_string()
+</section>"##,
+            heading = t(lang, "profile.password_heading"),
+            cur = t(lang, "profile.current_password"),
+            new = t(lang, "profile.new_password"),
+            conf = t(lang, "profile.confirm_new"),
+            btn = t(lang, "profile.update_password"),
+        )
     };
 
     let totp_section = if let Some(panel) = totp_panel_override {
         panel
     } else if oidc_linked {
-        r##"<section class="rounded-md border border-slate-800 bg-slate-900 p-4">
-  <h3 class="text-sm font-semibold text-slate-300 mb-2">Two-factor authentication</h3>
+        format!(
+            r##"<section class="rounded-md border border-slate-800 bg-slate-900 p-4">
+  <h3 class="text-sm font-semibold text-slate-300 mb-2">{heading}</h3>
   <p class="text-sm text-slate-400">
-    MFA is managed by your identity provider — local TOTP isn't used for OIDC sign-ins.
+    {msg}
   </p>
-</section>"##
-            .to_string()
+</section>"##,
+            heading = t(lang, "profile.tfa"),
+            msg = t(lang, "profile.tfa_oidc_msg"),
+        )
     } else if has_totp {
         format!(
             r##"<section class="rounded-md border border-slate-800 bg-slate-900 p-4">
-  <h3 class="text-sm font-semibold text-slate-300 mb-2">Two-factor authentication</h3>
+  <h3 class="text-sm font-semibold text-slate-300 mb-2">{heading}</h3>
   <div class="flex items-center gap-3 mb-3">
-    <span class="inline-flex px-1.5 py-0.5 rounded bg-violet-900/50 border border-violet-700/50 text-violet-300 text-xs">enrolled</span>
-    <span class="text-xs text-slate-400">Sign-ins require a 6-digit code from your authenticator.</span>
+    <span class="inline-flex px-1.5 py-0.5 rounded bg-violet-900/50 border border-violet-700/50 text-violet-300 text-xs">{enrolled}</span>
+    <span class="text-xs text-slate-400">{tfa_msg}</span>
   </div>
   <form
     class="flex gap-2 items-center text-sm"
     hx-post="/admin/pages/profile/totp/remove"
     hx-target="#main"
     hx-swap="innerHTML"
-    hx-confirm="Remove TOTP from your account?"
+    hx-confirm="{confirm}"
   >
-    <input name="current_password" type="password" required placeholder="current password" class="bg-slate-800 border border-slate-700 rounded px-2 py-1.5 flex-1 max-w-xs"/>
-    <button class="bg-rose-700 hover:bg-rose-600 rounded px-3 py-1.5 text-white text-xs">Disable TOTP</button>
+    <input name="current_password" type="password" required placeholder="{cur}" class="bg-slate-800 border border-slate-700 rounded px-2 py-1.5 flex-1 max-w-xs"/>
+    <button class="bg-rose-700 hover:bg-rose-600 rounded px-3 py-1.5 text-white text-xs">{btn}</button>
   </form>
-</section>"##
+</section>"##,
+            heading = t(lang, "profile.tfa"),
+            enrolled = t(lang, "users.totp_enrolled"),
+            tfa_msg = t(lang, "profile.tfa_enrolled_msg"),
+            confirm = t(lang, "profile.tfa_confirm_remove"),
+            cur = t(lang, "profile.current_password"),
+            btn = t(lang, "profile.tfa_disable"),
         )
     } else {
-        r##"<section class="rounded-md border border-slate-800 bg-slate-900 p-4">
-  <h3 class="text-sm font-semibold text-slate-300 mb-2">Two-factor authentication</h3>
+        format!(
+            r##"<section class="rounded-md border border-slate-800 bg-slate-900 p-4">
+  <h3 class="text-sm font-semibold text-slate-300 mb-2">{heading}</h3>
   <p class="text-sm text-slate-400 mb-3">
-    Add a TOTP authenticator (1Password, Authy, Google Authenticator, etc.) so sign-ins also require a 6-digit code.
+    {intro}
   </p>
   <button
     class="bg-sky-600 hover:bg-sky-500 rounded px-3 py-1.5 text-white text-sm"
     hx-post="/admin/pages/profile/totp/start"
     hx-target="#main"
     hx-swap="innerHTML"
-  >Enroll TOTP</button>
-</section>"##.to_string()
+  >{btn}</button>
+</section>"##,
+            heading = t(lang, "profile.tfa"),
+            intro = t(lang, "profile.tfa_intro"),
+            btn = t(lang, "profile.tfa_enroll"),
+        )
     };
 
     Ok(format!(
         r##"<div class="space-y-6 max-w-3xl">
   <header>
-    <h2 class="text-lg font-semibold">Profile</h2>
-    <p class="text-xs text-slate-500 mt-0.5">Signed in as <span class="text-slate-300">{username}</span></p>
+    <h2 class="text-lg font-semibold">{heading}</h2>
+    <p class="text-xs text-slate-500 mt-0.5">{signed_in_as} <span class="text-slate-300">{username}</span></p>
   </header>
   {notice}
 
   <section class="rounded-md border border-slate-800 bg-slate-900 p-4">
-    <h3 class="text-sm font-semibold text-slate-300 mb-3">Profile info</h3>
+    <h3 class="text-sm font-semibold text-slate-300 mb-3">{info_heading}</h3>
     <form
       class="grid grid-cols-1 sm:grid-cols-2 gap-3 text-sm"
       hx-post="/admin/pages/profile/update-info"
@@ -426,14 +484,14 @@ async fn render_full_page_with_totp_override(
       hx-swap="innerHTML"
     >
       <label class="block">
-        <span class="text-xs text-slate-400">Display name</span>
+        <span class="text-xs text-slate-400">{display_name_l}</span>
         <input name="display_name" value="{display_name}" class="mt-1 w-full bg-slate-800 border border-slate-700 rounded px-2 py-1.5"/>
       </label>
       <label class="block">
-        <span class="text-xs text-slate-400">Email</span>
+        <span class="text-xs text-slate-400">{email_l}</span>
         <input name="email" type="email" value="{email}" class="mt-1 w-full bg-slate-800 border border-slate-700 rounded px-2 py-1.5"/>
       </label>
-      <button type="submit" class="sm:col-span-2 justify-self-start bg-sky-600 hover:bg-sky-500 rounded px-3 py-1.5 text-white text-sm">Save</button>
+      <button type="submit" class="sm:col-span-2 justify-self-start bg-sky-600 hover:bg-sky-500 rounded px-3 py-1.5 text-white text-sm">{save}</button>
     </form>
   </section>
 
@@ -441,6 +499,12 @@ async fn render_full_page_with_totp_override(
 
   {totp_section}
 </div>"##,
+        heading = t(lang, "profile.heading"),
+        signed_in_as = t(lang, "profile.signed_in_as"),
+        info_heading = t(lang, "profile.info_heading"),
+        display_name_l = t(lang, "profile.display_name"),
+        email_l = t(lang, "profile.email"),
+        save = t(lang, "common.save"),
         username = html_escape(&user.name),
         display_name = html_escape(&row.display_name),
         email = html_escape(&row.email),
@@ -452,6 +516,7 @@ async fn render_full_page_with_totp_override(
 
 async fn render_totp_enroll_panel(
     state: &Arc<AppState>,
+    lang: Lang,
     user: &AuthedUser,
     secret_b32: &str,
     qr_svg: &str,
@@ -459,16 +524,15 @@ async fn render_totp_enroll_panel(
 ) -> Result<String, ApiError> {
     let panel = format!(
         r##"<section class="rounded-md border border-sky-700/60 bg-sky-900/20 p-4">
-  <h3 class="text-sm font-semibold text-sky-200 mb-2">Confirm TOTP enrollment</h3>
+  <h3 class="text-sm font-semibold text-sky-200 mb-2">{heading}</h3>
   <p class="text-xs text-sky-200/80 mb-3">
-    Scan the QR code with your authenticator app, then enter the 6-digit code it shows to confirm.
-    Nothing is enrolled until you submit a valid code.
+    {intro}
   </p>
   <div class="flex flex-col sm:flex-row gap-4 items-start">
     <div class="bg-white p-2 rounded inline-block">{qr}</div>
     <div class="flex-1 space-y-2 text-sm">
       <div>
-        <span class="text-xs text-slate-400">Secret (manual entry):</span>
+        <span class="text-xs text-slate-400">{secret_label}</span>
         <code class="block mt-1 break-all text-emerald-200 bg-slate-950 px-2 py-1.5 rounded text-xs">{secret}</code>
       </div>
       <form
@@ -489,15 +553,19 @@ async fn render_totp_enroll_panel(
           placeholder="123456"
           class="bg-slate-800 border border-slate-700 rounded px-2 py-1.5 w-32 font-mono tracking-widest"
         />
-        <button type="submit" class="bg-sky-600 hover:bg-sky-500 rounded px-3 py-1.5 text-white text-sm">Confirm</button>
+        <button type="submit" class="bg-sky-600 hover:bg-sky-500 rounded px-3 py-1.5 text-white text-sm">{confirm}</button>
       </form>
     </div>
   </div>
 </section>"##,
+        heading = t(lang, "profile.tfa_confirm_heading"),
+        intro = t(lang, "profile.tfa_confirm_intro"),
+        secret_label = t(lang, "profile.tfa_secret_manual"),
+        confirm = t(lang, "common.confirm"),
         qr = qr_svg,
         secret = html_escape(secret_b32),
     );
-    render_full_page_with_totp_override(state, user, notice, Some(panel)).await
+    render_full_page_with_totp_override(state, lang, user, notice, Some(panel)).await
 }
 
 fn render_qr_svg(payload: &str) -> String {
diff --git a/src/api/admin/pages/strategies.rs b/src/api/admin/pages/strategies.rs
index 4f2f130..0cf6e34 100644
--- a/src/api/admin/pages/strategies.rs
+++ b/src/api/admin/pages/strategies.rs
@@ -3,6 +3,7 @@
 //! full assignment matrix UI is a follow-up.
 
 use super::shared::{html_escape, notice_html, require_admin};
+use crate::api::admin::i18n::{t, tf1, tf2, Lang};
 use crate::api::error::ApiError;
 use crate::api::middleware::AuthedUser;
 use crate::api::state::AppState;
@@ -15,9 +16,10 @@ use std::sync::Arc;
 pub async fn index(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
-    Ok(Html(render_full(&state).await?))
+    Ok(Html(render_full(&state, lang).await?))
 }
 
 #[derive(Debug, Deserialize)]
@@ -30,11 +32,12 @@ pub struct CreateForm {
 pub async fn create(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
     Form(form): Form<CreateForm>,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
     if form.name.trim().is_empty() {
-        return notice_then(&state, "error", "Name required").await;
+        return notice_then(&state, lang, "error", t(lang, "groups.name_required")).await;
     }
     let cfg = if form.config_options_json.trim().is_empty() {
         "{}".to_string()
@@ -44,9 +47,17 @@ pub async fn create(
         match serde_json::from_str::<serde_json::Value>(&form.config_options_json) {
             Ok(v) if v.is_object() => form.config_options_json.clone(),
             Ok(_) => {
-                return notice_then(&state, "error", "config_options must be a JSON object").await
+                return notice_then(&state, lang, "error", t(lang, "strategies.json_obj_required")).await
+            }
+            Err(e) => {
+                return notice_then(
+                    &state,
+                    lang,
+                    "error",
+                    &tf1(lang, "strategies.invalid_json", &e.to_string()),
+                )
+                .await
             }
-            Err(e) => return notice_then(&state, "error", &format!("invalid JSON: {}", e)).await,
         }
     };
     state
@@ -56,8 +67,9 @@ pub async fn create(
         .map_err(|e| ApiError::Internal(e.to_string()))?;
     notice_then(
         &state,
+        lang,
         "ok",
-        &format!("Strategy '{}' created.", form.name),
+        &tf1(lang, "strategies.created", &form.name),
     )
     .await
 }
@@ -70,6 +82,7 @@ pub struct UpdateForm {
 pub async fn update(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
     Path(id): Path<i64>,
     Form(form): Form<UpdateForm>,
 ) -> Result<Html<String>, ApiError> {
@@ -77,7 +90,7 @@ pub async fn update(
     let cfg = match serde_json::from_str::<serde_json::Value>(&form.config_options_json) {
         Ok(v) if v.is_object() => form.config_options_json.clone(),
         _ => {
-            return notice_then(&state, "error", "config_options must be a JSON object").await
+            return notice_then(&state, lang, "error", t(lang, "strategies.json_obj_required")).await
         }
     };
     state
@@ -85,12 +98,13 @@ pub async fn update(
         .strategy_update_config(id, &cfg)
         .await
         .map_err(|e| ApiError::Internal(e.to_string()))?;
-    notice_then(&state, "ok", "Strategy updated.").await
+    notice_then(&state, lang, "ok", t(lang, "strategies.updated")).await
 }
 
 pub async fn delete(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
     Path(id): Path<i64>,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
@@ -101,8 +115,9 @@ pub async fn delete(
         .map_err(|e| ApiError::Internal(e.to_string()))?;
     notice_then(
         &state,
+        lang,
         if ok { "ok" } else { "error" },
-        if ok { "Strategy deleted." } else { "Already gone." },
+        if ok { t(lang, "strategies.deleted") } else { t(lang, "common.already_gone") },
     )
     .await
 }
@@ -111,40 +126,51 @@ pub async fn delete(
 
 async fn notice_then(
     state: &Arc<AppState>,
+    lang: Lang,
     kind: &str,
     msg: &str,
 ) -> Result<Html<String>, ApiError> {
     let mut html = notice_html(kind, msg);
-    html.push_str(&render_full(state).await?);
+    html.push_str(&render_full(state, lang).await?);
     Ok(Html(html))
 }
 
-async fn render_full(state: &Arc<AppState>) -> Result<String, ApiError> {
+async fn render_full(state: &Arc<AppState>, lang: Lang) -> Result<String, ApiError> {
     let strategies = state
         .db
         .strategies_list_all()
         .await
         .map_err(|e| ApiError::Internal(e.to_string()))?;
     let mut s = String::new();
-    s.push_str(
+    let _ = write!(
+        s,
         r##"<div id="strategies-region" class="space-y-6">
   <header>
-    <h2 class="text-lg font-semibold">Strategies</h2>
-    <p class="text-xs text-slate-500 mt-1">Pushed to clients via heartbeat. Use SQL to assign — strategy_assignments(strategy_id, user_id|device_group_id|peer_id, priority).</p>
+    <h2 class="text-lg font-semibold">{heading}</h2>
+    <p class="text-xs text-slate-500 mt-1">{tagline}</p>
   </header>
   <section class="rounded-md border border-slate-800 bg-slate-900 p-4">
-    <h3 class="text-sm font-semibold text-slate-300 mb-3">Create strategy</h3>
+    <h3 class="text-sm font-semibold text-slate-300 mb-3">{create_heading}</h3>
     <form class="space-y-2 text-sm" hx-post="/admin/pages/strategies/create" hx-target="#strategies-region" hx-swap="outerHTML">
-      <input name="name" placeholder="name (unique)" required class="w-full bg-slate-800 border border-slate-700 rounded px-2 py-1.5"/>
-      <textarea name="config_options_json" rows="3" placeholder='{"enable-udp": "N", "whitelist": ""}'
+      <input name="name" placeholder="{ph}" required class="w-full bg-slate-800 border border-slate-700 rounded px-2 py-1.5"/>
+      <textarea name="config_options_json" rows="3" placeholder='{{"enable-udp": "N", "whitelist": ""}}'
         class="w-full bg-slate-800 border border-slate-700 rounded px-2 py-1.5 font-mono text-xs"></textarea>
-      <button class="bg-sky-600 hover:bg-sky-500 rounded px-3 py-1.5 font-medium text-white">Create</button>
+      <button class="bg-sky-600 hover:bg-sky-500 rounded px-3 py-1.5 font-medium text-white">{create}</button>
     </form>
   </section>
 "##,
+        heading = t(lang, "strategies.heading"),
+        tagline = t(lang, "strategies.tagline"),
+        create_heading = t(lang, "strategies.create_heading"),
+        ph = t(lang, "strategies.name_unique"),
+        create = t(lang, "common.create"),
     );
     if strategies.is_empty() {
-        s.push_str(r##"<p class="text-slate-500 text-sm">No strategies yet.</p>"##);
+        let _ = write!(
+            s,
+            r##"<p class="text-slate-500 text-sm">{}</p>"##,
+            t(lang, "strategies.no_strategies"),
+        );
     }
     for str_ in &strategies {
         let _ = write!(
@@ -153,26 +179,30 @@ async fn render_full(state: &Arc<AppState>) -> Result<String, ApiError> {
   <header class="flex items-center justify-between">
     <div>
       <h3 class="font-semibold">{name}</h3>
-      <p class="text-xs text-slate-500">id={id}, modified_at={mod_at}</p>
+      <p class="text-xs text-slate-500">{meta}</p>
     </div>
     <button class="text-xs text-rose-400 hover:text-rose-300"
       hx-post="/admin/pages/strategies/{id}/delete"
-      hx-confirm="Delete strategy {name}? Assignments will be cleaned up too."
-      hx-target="#strategies-region" hx-swap="outerHTML">Delete</button>
+      hx-confirm="{confirm}"
+      hx-target="#strategies-region" hx-swap="outerHTML">{delete}</button>
   </header>
   <form class="space-y-2 text-sm"
     hx-post="/admin/pages/strategies/{id}/update"
     hx-target="#strategies-region" hx-swap="outerHTML">
-    <label class="block text-xs text-slate-400">config_options (JSON object)</label>
+    <label class="block text-xs text-slate-400">{cfg_label}</label>
     <textarea name="config_options_json" rows="4"
       class="w-full bg-slate-800 border border-slate-700 rounded px-2 py-1.5 font-mono text-xs">{cfg}</textarea>
-    <button class="bg-sky-700 hover:bg-sky-600 rounded px-3 py-1.5 text-xs">Save</button>
+    <button class="bg-sky-700 hover:bg-sky-600 rounded px-3 py-1.5 text-xs">{save}</button>
   </form>
 </section>"##,
             id = str_.id,
             name = html_escape(&str_.name),
-            mod_at = str_.modified_at,
+            meta = tf2(lang, "strategies.id_modified", &str_.id.to_string(), &str_.modified_at.to_string()),
             cfg = html_escape(&str_.config_options_json),
+            confirm = html_escape(&tf1(lang, "strategies.confirm_delete", &str_.name)),
+            delete = t(lang, "common.delete"),
+            cfg_label = t(lang, "strategies.config_label"),
+            save = t(lang, "common.save"),
         );
     }
     s.push_str("</div>");
diff --git a/src/api/admin/pages/users.rs b/src/api/admin/pages/users.rs
index 97f996b..5c29968 100644
--- a/src/api/admin/pages/users.rs
+++ b/src/api/admin/pages/users.rs
@@ -1,6 +1,7 @@
 //! Users page — list / create / set-password / toggle-admin / toggle-status
 //! / TOTP enroll-unenroll / delete.
 
+use crate::api::admin::i18n::{t, tf1, Lang};
 use crate::api::error::ApiError;
 use crate::api::middleware::AuthedUser;
 use crate::api::state::AppState;
@@ -20,9 +21,10 @@ const PAGE_SIZE: i64 = 50;
 pub async fn index(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
-    Ok(Html(render_full_page(&state).await?))
+    Ok(Html(render_full_page(&state, lang).await?))
 }
 
 // ---------- create ----------
@@ -43,19 +45,15 @@ pub struct CreateForm {
 pub async fn create(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
     Form(form): Form<CreateForm>,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
     if form.username.trim().is_empty() {
-        return notice_then_table(&state, "error", "Username required").await;
+        return notice_then_table(&state, lang, "error", t(lang, "users.username_required")).await;
     }
     if form.password.len() < 4 {
-        return notice_then_table(
-            &state,
-            "error",
-            "Password must be at least 4 characters",
-        )
-        .await;
+        return notice_then_table(&state, lang, "error", t(lang, "users.password_min")).await;
     }
     let hash = hash_password(form.password)
         .await
@@ -73,7 +71,7 @@ pub async fn create(
     if !form.email.trim().is_empty() {
         let _ = set_email_inline(&state, id, form.email.trim()).await;
     }
-    notice_then_table(&state, "ok", &format!("Created user '{}'.", form.username)).await
+    notice_then_table(&state, lang, "ok", &tf1(lang, "users.created", &form.username)).await
 }
 
 async fn set_email_inline(
@@ -101,6 +99,7 @@ pub struct UpdateInfoForm {
 pub async fn update_info(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
     Path(id): Path<i64>,
     Form(form): Form<UpdateInfoForm>,
 ) -> Result<Html<String>, ApiError> {
@@ -115,7 +114,7 @@ pub async fn update_info(
         .raw_update_user_email(id, form.email.trim())
         .await
         .map_err(|e| ApiError::Internal(e.to_string()))?;
-    notice_then_table(&state, "ok", "Profile updated.").await
+    notice_then_table(&state, lang, "ok", t(lang, "users.profile_updated")).await
 }
 
 #[derive(Debug, Deserialize)]
@@ -126,6 +125,7 @@ pub struct PasswordResetForm {
 pub async fn reset_password(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
     Path(id): Path<i64>,
     Form(form): Form<PasswordResetForm>,
 ) -> Result<Html<String>, ApiError> {
@@ -141,20 +141,10 @@ pub async fn reset_password(
         .map_err(|e| ApiError::Internal(e.to_string()))?
         .ok_or(ApiError::NotFound)?;
     if target.is_oidc_linked() {
-        return notice_then_table(
-            &state,
-            "error",
-            "This account is linked to OIDC — set the password at the identity provider instead.",
-        )
-        .await;
+        return notice_then_table(&state, lang, "error", t(lang, "users.oidc_password_disabled")).await;
     }
     if form.password.len() < 4 {
-        return notice_then_table(
-            &state,
-            "error",
-            "Password must be at least 4 characters",
-        )
-        .await;
+        return notice_then_table(&state, lang, "error", t(lang, "users.password_min")).await;
     }
     let hash = hash_password(form.password)
         .await
@@ -166,8 +156,9 @@ pub async fn reset_password(
         .map_err(|e| ApiError::Internal(e.to_string()))?;
     notice_then_table(
         &state,
+        lang,
         if ok { "ok" } else { "error" },
-        if ok { "Password updated." } else { "User not found." },
+        if ok { t(lang, "users.password_updated") } else { t(lang, "users.user_not_found") },
     )
     .await
 }
@@ -175,16 +166,12 @@ pub async fn reset_password(
 pub async fn toggle_admin(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
     Path(id): Path<i64>,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
     if id == admin.user_id {
-        return notice_then_table(
-            &state,
-            "error",
-            "You can't revoke your own admin flag here. Edit another admin's row instead.",
-        )
-        .await;
+        return notice_then_table(&state, lang, "error", t(lang, "users.cant_revoke_self")).await;
     }
     let user = state
         .db
@@ -197,22 +184,18 @@ pub async fn toggle_admin(
         .user_set_admin(id, !user.is_admin)
         .await
         .map_err(|e| ApiError::Internal(e.to_string()))?;
-    Ok(Html(render_table(&state).await?))
+    Ok(Html(render_table(&state, lang).await?))
 }
 
 pub async fn toggle_status(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
     Path(id): Path<i64>,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
     if id == admin.user_id {
-        return notice_then_table(
-            &state,
-            "error",
-            "You can't disable your own account from here.",
-        )
-        .await;
+        return notice_then_table(&state, lang, "error", t(lang, "users.cant_disable_self")).await;
     }
     let user = state
         .db
@@ -226,22 +209,18 @@ pub async fn toggle_status(
         .user_set_status(id, new_status)
         .await
         .map_err(|e| ApiError::Internal(e.to_string()))?;
-    Ok(Html(render_table(&state).await?))
+    Ok(Html(render_table(&state, lang).await?))
 }
 
 pub async fn delete(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
     Path(id): Path<i64>,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
     if id == admin.user_id {
-        return notice_then_table(
-            &state,
-            "error",
-            "You can't delete the account you're signed in with.",
-        )
-        .await;
+        return notice_then_table(&state, lang, "error", t(lang, "users.cant_delete_self")).await;
     }
     let ok = state
         .db
@@ -250,8 +229,9 @@ pub async fn delete(
         .map_err(|e| ApiError::Internal(e.to_string()))?;
     notice_then_table(
         &state,
+        lang,
         if ok { "ok" } else { "error" },
-        if ok { "User deleted." } else { "Already gone." },
+        if ok { t(lang, "users.user_deleted") } else { t(lang, "common.already_gone") },
     )
     .await
 }
@@ -261,6 +241,7 @@ pub async fn delete(
 pub async fn totp_enroll(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
     Path(id): Path<i64>,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
@@ -286,26 +267,30 @@ pub async fn totp_enroll(
     );
     let mut html = format!(
         r##"<div class="rounded border border-emerald-700/50 bg-emerald-900/30 p-4 mb-4 text-sm">
-  <div class="font-semibold text-emerald-300 mb-1">TOTP enrolled for {user}</div>
+  <div class="font-semibold text-emerald-300 mb-1">{enrolled_for}</div>
   <div class="space-y-1">
-    <div><span class="text-slate-400">Secret (base32):</span> <code class="text-emerald-200">{secret}</code></div>
-    <div><span class="text-slate-400">otpauth URL:</span> <code class="text-emerald-200 break-all">{otpauth}</code></div>
+    <div><span class="text-slate-400">{secret_label}</span> <code class="text-emerald-200">{secret}</code></div>
+    <div><span class="text-slate-400">{url_label}</span> <code class="text-emerald-200 break-all">{otpauth}</code></div>
     <div class="text-xs text-slate-400 pt-1">
-      Show this once to the user (or scan the URL as a QR code) — it isn't displayed again.
+      {hint}
     </div>
   </div>
 </div>"##,
-        user = html_escape(&user.username),
+        enrolled_for = html_escape(&tf1(lang, "users.totp_enrolled_for", &user.username)),
+        secret_label = t(lang, "users.secret_b32"),
+        url_label = t(lang, "users.otpauth_url"),
         secret = html_escape(&secret_b32),
         otpauth = html_escape(&otpauth),
+        hint = t(lang, "users.otpauth_hint"),
     );
-    html.push_str(&render_table(&state).await?);
+    html.push_str(&render_table(&state, lang).await?);
     Ok(Html(html))
 }
 
 pub async fn totp_unenroll(
     Extension(state): Extension<Arc<AppState>>,
     admin: AuthedUser,
+    lang: Lang,
     Path(id): Path<i64>,
 ) -> Result<Html<String>, ApiError> {
     require_admin(&admin)?;
@@ -316,8 +301,9 @@ pub async fn totp_unenroll(
         .map_err(|e| ApiError::Internal(e.to_string()))?;
     notice_then_table(
         &state,
+        lang,
         if removed { "ok" } else { "error" },
-        if removed { "TOTP removed." } else { "User had no TOTP." },
+        if removed { t(lang, "users.totp_removed") } else { t(lang, "users.no_totp") },
     )
     .await
 }
@@ -326,24 +312,25 @@ pub async fn totp_unenroll(
 
 async fn notice_then_table(
     state: &Arc<AppState>,
+    lang: Lang,
     kind: &str,
     msg: &str,
 ) -> Result<Html<String>, ApiError> {
     let mut html = notice_html(kind, msg);
-    html.push_str(&render_table(state).await?);
+    html.push_str(&render_table(state, lang).await?);
     Ok(Html(html))
 }
 
-async fn render_full_page(state: &Arc<AppState>) -> Result<String, ApiError> {
-    let table = render_table(state).await?;
+async fn render_full_page(state: &Arc<AppState>, lang: Lang) -> Result<String, ApiError> {
+    let table = render_table(state, lang).await?;
     Ok(format!(
         r##"<div class="space-y-6">
   <header class="flex items-center justify-between">
-    <h2 class="text-lg font-semibold">Users</h2>
+    <h2 class="text-lg font-semibold">{heading}</h2>
   </header>
 
   <section class="rounded-md border border-slate-800 bg-slate-900 p-4">
-    <h3 class="text-sm font-semibold text-slate-300 mb-3">Create user</h3>
+    <h3 class="text-sm font-semibold text-slate-300 mb-3">{create_heading}</h3>
     <form
       class="grid grid-cols-1 sm:grid-cols-6 gap-3 text-sm"
       hx-post="/admin/pages/users/create"
@@ -351,23 +338,32 @@ async fn render_full_page(state: &Arc<AppState>) -> Result<String, ApiError> {
       hx-swap="innerHTML"
       hx-on::after-request="if (event.detail.successful) this.reset()"
     >
-      <input name="username" placeholder="username" required class="bg-slate-800 border border-slate-700 rounded px-2 py-1.5"/>
-      <input name="display_name" placeholder="display name" class="bg-slate-800 border border-slate-700 rounded px-2 py-1.5"/>
-      <input name="email" type="email" placeholder="email (optional)" class="bg-slate-800 border border-slate-700 rounded px-2 py-1.5 col-span-2"/>
-      <input name="password" type="password" placeholder="password" required class="bg-slate-800 border border-slate-700 rounded px-2 py-1.5"/>
-      <label class="flex items-center gap-2 text-slate-400 px-2"><input type="checkbox" name="is_admin"> admin</label>
-      <button type="submit" class="sm:col-span-6 bg-sky-600 hover:bg-sky-500 rounded px-3 py-1.5 font-medium text-white">Create</button>
+      <input name="username" placeholder="{username}" required class="bg-slate-800 border border-slate-700 rounded px-2 py-1.5"/>
+      <input name="display_name" placeholder="{display_name}" class="bg-slate-800 border border-slate-700 rounded px-2 py-1.5"/>
+      <input name="email" type="email" placeholder="{email}" class="bg-slate-800 border border-slate-700 rounded px-2 py-1.5 col-span-2"/>
+      <input name="password" type="password" placeholder="{password}" required class="bg-slate-800 border border-slate-700 rounded px-2 py-1.5"/>
+      <label class="flex items-center gap-2 text-slate-400 px-2"><input type="checkbox" name="is_admin"> {admin}</label>
+      <button type="submit" class="sm:col-span-6 bg-sky-600 hover:bg-sky-500 rounded px-3 py-1.5 font-medium text-white">{create}</button>
     </form>
   </section>
 
   <section id="users-region">
     {table}
   </section>
-</div>"##
+</div>"##,
+        heading = t(lang, "users.heading"),
+        create_heading = t(lang, "users.create_heading"),
+        username = t(lang, "users.username"),
+        display_name = t(lang, "users.display_name"),
+        email = t(lang, "users.email_optional"),
+        password = t(lang, "users.password"),
+        admin = t(lang, "users.admin_label"),
+        create = t(lang, "common.create"),
+        table = table,
     ))
 }
 
-async fn render_table(state: &Arc<AppState>) -> Result<String, ApiError> {
+async fn render_table(state: &Arc<AppState>, lang: Lang) -> Result<String, ApiError> {
     let (_total, users) = state
         .db
         .users_list_all(0, PAGE_SIZE)
@@ -391,26 +387,36 @@ async fn render_table(state: &Arc<AppState>) -> Result<String, ApiError> {
     // No `overflow-hidden` on the table wrapper: the per-row action menu is
     // an absolutely-positioned `<details>` popover inside a <td>, and the
     // wrapper's clipping was hiding the bottom half of the menu.
-    s.push_str(
+    let _ = write!(
+        s,
         r##"<div class="rounded-md border border-slate-800 bg-slate-900">
 <table class="w-full text-sm">
   <thead class="text-xs uppercase text-slate-500 bg-slate-950">
     <tr>
-      <th class="text-left font-medium px-3 py-2">Username</th>
-      <th class="text-left font-medium px-3 py-2">Display name</th>
-      <th class="text-left font-medium px-3 py-2">Email</th>
-      <th class="text-left font-medium px-3 py-2">Status</th>
-      <th class="text-left font-medium px-3 py-2">Admin</th>
-      <th class="text-left font-medium px-3 py-2">TOTP</th>
-      <th class="text-left font-medium px-3 py-2">Last seen</th>
-      <th class="text-right font-medium px-3 py-2 w-1">Actions</th>
+      <th class="text-left font-medium px-3 py-2">{c_username}</th>
+      <th class="text-left font-medium px-3 py-2">{c_display_name}</th>
+      <th class="text-left font-medium px-3 py-2">{c_email}</th>
+      <th class="text-left font-medium px-3 py-2">{c_status}</th>
+      <th class="text-left font-medium px-3 py-2">{c_admin}</th>
+      <th class="text-left font-medium px-3 py-2">{c_totp}</th>
+      <th class="text-left font-medium px-3 py-2">{c_last_seen}</th>
+      <th class="text-right font-medium px-3 py-2 w-1">{c_actions}</th>
     </tr>
   </thead>
   <tbody class="divide-y divide-slate-800">"##,
+        c_username = t(lang, "users.col_username"),
+        c_display_name = t(lang, "users.col_display_name"),
+        c_email = t(lang, "users.col_email"),
+        c_status = t(lang, "users.col_status"),
+        c_admin = t(lang, "users.col_admin"),
+        c_totp = t(lang, "users.col_totp"),
+        c_last_seen = t(lang, "users.col_last_seen"),
+        c_actions = t(lang, "common.actions"),
     );
     for u in &users {
         render_user_row(
             &mut s,
+            lang,
             u,
             *totp.get(&u.id).unwrap_or(&false),
             last_seen.get(&u.id).map(String::as_str),
@@ -420,50 +426,75 @@ async fn render_table(state: &Arc<AppState>) -> Result<String, ApiError> {
     Ok(s)
 }
 
-fn render_user_row(s: &mut String, u: &UserRow, has_totp: bool, last_seen: Option<&str>) {
+fn render_user_row(
+    s: &mut String,
+    lang: Lang,
+    u: &UserRow,
+    has_totp: bool,
+    last_seen: Option<&str>,
+) {
     let status_badge = match u.status {
-        1 => r#"<span class="inline-flex px-1.5 py-0.5 rounded bg-emerald-900/50 border border-emerald-700/50 text-emerald-300 text-xs">active</span>"#,
-        0 => r#"<span class="inline-flex px-1.5 py-0.5 rounded bg-slate-800 border border-slate-700 text-slate-400 text-xs">disabled</span>"#,
-        -1 => r#"<span class="inline-flex px-1.5 py-0.5 rounded bg-amber-900/50 border border-amber-700/50 text-amber-300 text-xs">unverified</span>"#,
-        _ => "",
+        1 => format!(
+            r#"<span class="inline-flex px-1.5 py-0.5 rounded bg-emerald-900/50 border border-emerald-700/50 text-emerald-300 text-xs">{}</span>"#,
+            t(lang, "users.status_active")
+        ),
+        0 => format!(
+            r#"<span class="inline-flex px-1.5 py-0.5 rounded bg-slate-800 border border-slate-700 text-slate-400 text-xs">{}</span>"#,
+            t(lang, "users.status_disabled")
+        ),
+        -1 => format!(
+            r#"<span class="inline-flex px-1.5 py-0.5 rounded bg-amber-900/50 border border-amber-700/50 text-amber-300 text-xs">{}</span>"#,
+            t(lang, "users.status_unverified")
+        ),
+        _ => String::new(),
     };
     let admin_badge = if u.is_admin {
-        r#"<span class="inline-flex px-1.5 py-0.5 rounded bg-sky-900/50 border border-sky-700/50 text-sky-300 text-xs">admin</span>"#
+        format!(
+            r#"<span class="inline-flex px-1.5 py-0.5 rounded bg-sky-900/50 border border-sky-700/50 text-sky-300 text-xs">{}</span>"#,
+            t(lang, "users.admin_label"),
+        )
     } else {
-        ""
+        String::new()
     };
     // The TOTP column doubles as an "auth path" indicator: OIDC-linked
     // users get an "OIDC" badge (their MFA lives at the IdP — local
     // TOTP is moot), and OIDC takes precedence over local TOTP if both
     // somehow exist.
     let totp_badge = if u.is_oidc_linked() {
-        r#"<span class="inline-flex px-1.5 py-0.5 rounded bg-cyan-900/50 border border-cyan-700/50 text-cyan-300 text-xs">OIDC</span>"#
+        r#"<span class="inline-flex px-1.5 py-0.5 rounded bg-cyan-900/50 border border-cyan-700/50 text-cyan-300 text-xs">OIDC</span>"#.to_string()
     } else if has_totp {
-        r#"<span class="inline-flex px-1.5 py-0.5 rounded bg-violet-900/50 border border-violet-700/50 text-violet-300 text-xs">enrolled</span>"#
+        format!(
+            r#"<span class="inline-flex px-1.5 py-0.5 rounded bg-violet-900/50 border border-violet-700/50 text-violet-300 text-xs">{}</span>"#,
+            t(lang, "users.totp_enrolled")
+        )
     } else {
-        ""
+        String::new()
     };
     let oidc_linked = u.is_oidc_linked();
     // OIDC-linked users sign in via the IdP — adding a local password
     // would let them bypass the IdP (and any MFA enforced there). Show
     // a note instead of the password-reset form for these accounts.
     let password_form = if oidc_linked {
-        r##"<div class="px-2 py-1.5 text-xs text-slate-500 italic border border-slate-800 rounded">
-          Linked to OIDC — password sign-in is disabled.
-        </div>"##
-            .to_string()
+        format!(
+            r##"<div class="px-2 py-1.5 text-xs text-slate-500 italic border border-slate-800 rounded">
+          {msg}
+        </div>"##,
+            msg = t(lang, "users.oidc_disabled"),
+        )
     } else {
         format!(
             r##"<form class="flex gap-1" hx-post="/admin/pages/users/{id}/password-reset" hx-target="#users-region" hx-swap="innerHTML">
-          <input name="password" type="password" required minlength="4" placeholder="new password" class="flex-1 bg-slate-800 border border-slate-700 rounded px-2 py-1 text-xs"/>
-          <button class="bg-sky-700 hover:bg-sky-600 rounded px-2 py-1 text-xs">Set</button>
+          <input name="password" type="password" required minlength="4" placeholder="{ph}" class="flex-1 bg-slate-800 border border-slate-700 rounded px-2 py-1 text-xs"/>
+          <button class="bg-sky-700 hover:bg-sky-600 rounded px-2 py-1 text-xs">{set}</button>
         </form>"##,
             id = u.id,
+            ph = t(lang, "users.new_password"),
+            set = t(lang, "users.password_set"),
         )
     };
     let (last_seen_rel, last_seen_abs) = match last_seen {
         Some(ts) => (relative_ts(ts), html_escape(ts)),
-        None => ("never".to_string(), String::new()),
+        None => (t(lang, "common.never").to_string(), String::new()),
     };
     // TOTP enrollment is self-service (the user does it on their
     // profile page so they can scan the QR + verify a code before
@@ -473,11 +504,12 @@ fn render_user_row(s: &mut String, u: &UserRow, has_totp: bool, last_seen: Optio
         format!(
             r##"<button class="w-full text-left px-2 py-1 text-xs hover:bg-slate-800 rounded"
           hx-post="/admin/pages/users/{id}/totp-unenroll" hx-target="#users-region" hx-swap="innerHTML"
-          hx-confirm="Disable TOTP for {username}? They'll be able to sign in without a 6-digit code until they re-enroll.">
-          Disable TOTP
+          hx-confirm="{confirm}">
+          {label}
         </button>"##,
             id = u.id,
-            username = html_escape(&u.username),
+            confirm = html_escape_attr(&tf1(lang, "users.confirm_disable_totp", &u.username)),
+            label = t(lang, "users.disable_totp"),
         )
     } else {
         String::new()
@@ -497,9 +529,9 @@ fn render_user_row(s: &mut String, u: &UserRow, has_totp: bool, last_seen: Optio
       <summary class="cursor-pointer list-none text-xs text-slate-400 hover:text-slate-200 select-none">···</summary>
       <div class="absolute right-2 mt-1 z-10 w-64 bg-slate-900 border border-slate-700 rounded shadow-lg p-2 space-y-1 text-left">
         <form class="space-y-1" hx-post="/admin/pages/users/{id}/update-info" hx-target="#users-region" hx-swap="innerHTML">
-          <input name="display_name" value="{display_name}" placeholder="display name" class="w-full bg-slate-800 border border-slate-700 rounded px-2 py-1 text-xs"/>
-          <input name="email" type="email" value="{email}" placeholder="email" class="w-full bg-slate-800 border border-slate-700 rounded px-2 py-1 text-xs"/>
-          <button class="w-full bg-sky-700 hover:bg-sky-600 rounded px-2 py-1 text-xs">Save profile</button>
+          <input name="display_name" value="{display_name}" placeholder="{ph_dn}" class="w-full bg-slate-800 border border-slate-700 rounded px-2 py-1 text-xs"/>
+          <input name="email" type="email" value="{email}" placeholder="{ph_email}" class="w-full bg-slate-800 border border-slate-700 rounded px-2 py-1 text-xs"/>
+          <button class="w-full bg-sky-700 hover:bg-sky-600 rounded px-2 py-1 text-xs">{save_profile}</button>
         </form>
         {password_form}
         <button class="w-full text-left px-2 py-1 text-xs hover:bg-slate-800 rounded"
@@ -513,9 +545,9 @@ fn render_user_row(s: &mut String, u: &UserRow, has_totp: bool, last_seen: Optio
         {totp_button}
         <button class="w-full text-left px-2 py-1 text-xs text-rose-300 hover:bg-rose-900/30 rounded"
           hx-post="/admin/pages/users/{id}/delete"
-          hx-confirm="Delete user {username}? This cascades into their tokens, group memberships and AB shares."
+          hx-confirm="{confirm_delete}"
           hx-target="#users-region" hx-swap="innerHTML">
-          Delete user
+          {delete_user}
         </button>
       </div>
     </details>
@@ -528,15 +560,32 @@ fn render_user_row(s: &mut String, u: &UserRow, has_totp: bool, last_seen: Optio
         status = status_badge,
         admin = admin_badge,
         totp = totp_badge,
-        admin_label = if u.is_admin { "Revoke admin" } else { "Grant admin" },
-        status_label = if u.status == 1 { "Disable user" } else { "Enable user" },
+        ph_dn = t(lang, "users.display_name"),
+        ph_email = t(lang, "users.col_email"),
+        save_profile = t(lang, "users.save_profile"),
+        admin_label = if u.is_admin {
+            t(lang, "users.revoke_admin")
+        } else {
+            t(lang, "users.grant_admin")
+        },
+        status_label = if u.status == 1 {
+            t(lang, "users.disable_user")
+        } else {
+            t(lang, "users.enable_user")
+        },
         totp_button = totp_button,
         last_seen_rel = last_seen_rel,
         last_seen_abs = last_seen_abs,
         password_form = password_form,
+        confirm_delete = html_escape_attr(&tf1(lang, "users.confirm_delete", &u.username)),
+        delete_user = t(lang, "users.delete_user"),
     );
 }
 
+fn html_escape_attr(s: &str) -> String {
+    html_escape(s)
+}
+
 /// Format a SQLite `current_timestamp` string ("YYYY-MM-DD HH:MM:SS",
 /// always UTC) as a relative time-ago label. Renders short forms — "5m
 /// ago", "3h ago", "2d ago" — for the at-a-glance column; the absolute