i18n: Audit and fix hardcoded strings - use translation keys consistently

[kevalyq]

Summary

Many API response messages and error strings are hardcoded in English instead of using Laravel's __() translation helper. This prevents proper internationalization and is inconsistent with our translation.io integration.

Problem

During code review, the following hardcoded strings were identified:

API Controllers (without __() wrapper)

AuthController.php:

• 'Logged out successfully.'
• 'Token revoked successfully.'
• 'All tokens revoked successfully.'
• 'Password reset email sent if account exists'
• 'Invalid or expired reset token' (4 occurrences)
• 'Password has been reset successfully'

OrganizationalUnitController.php:

• "Cannot delete: {$childCount} child unit(s) exist"
• 'Delete or move child units first'

RoleManagementController.php:

• 'Cannot delete role while assigned to users'

PermissionManagementController.php:

• 'Cannot delete permission while assigned to roles'

UserPermissionController.php:

• 'Permissions assigned successfully'
• 'User does not have this permission directly assigned'
• 'Permission revoked successfully'

SecretController.php:

• 'Invalid or missing tenant_id.'

RoleController.php:

• 'Role already assigned to user'

Contrast: Proper Usage (examples to follow)

Some controllers already use translations correctly:

// OrganizationalScopeController.php
'message' => __('Scope not found')

// CheckOrganizationalScope.php middleware
return $this->unauthorizedResponse(__('Authentication required'));
return $this->notFoundResponse(__('Organizational unit not found'));

Expected Behavior

All user-facing strings should use Laravel's translation helper:

// Before (wrong)
'message' => 'Cannot delete role while assigned to users'

// After (correct)
'message' => __('Cannot delete role while assigned to users')

Technical Notes

Translation.io Compatibility

We use translation.io for managing translations. The implementation must be compatible with their Laravel integration:

1. Use Laravel's __() helper function consistently
2. Translation keys should be the English source text (not abstract keys like error.role.delete_assigned)
3. Translation.io will automatically sync new strings from the codebase
4. Existing translations in lang/de.json etc. will be matched

Scope

This issue covers:

• API (SecPal/api): Audit all Controllers, Middleware, Services for hardcoded strings
• Frontend (SecPal/frontend): Separate audit needed - uses Lingui with t() macro

Acceptance Criteria

1. All user-facing messages in API use __() helper
2. German translations added to lang/de.json for all new keys
3. PHPStan and tests pass
4. No functional changes - only i18n wrapping

Labels

• i18n
• tech-debt
• good first issue

Related

• Translation.io Laravel docs: https://translation.io/laravel/usage
• Laravel Localization: https://laravel.com/docs/localization

[github-actions]

✅ This issue has been added to the SecPal Feature Roadmap with status: 💡 Ideas

New idea - needs discussion and evaluation

Status Flow:
💡 Ideas → 💬 Discussion → 📥 Backlog → 📋 Planned → 🚧 In Progress → 👀 In Review → ✅ Done

Note: Ideas that won't be implemented should be moved to 🚫 Won't Do with a reason.