diff --git a/CHANGELOG.md b/CHANGELOG.md
index 19963ba..8ceaa85 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,79 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.11.0] — 2026-06-02
+
+### Added
+- **Faithful rendering for every form-spec `widget.kind` (#664).** The
+  form-spec wire declares 23 `widget.kind` values; the change form previously
+  mapped only 5 and let the rest silently fall back to the control implied by
+  `FieldType` — so `hidden` rendered as a *visible, editable* input,
+  `split-datetime` collapsed to one control, and the multi-selects / `file`
+  had no faithful path. `adaptFormSpec` now maps **all 23** explicitly (an
+  exhaustive `Record<WidgetKind, …>` so a new kind is a compile error), and
+  `FieldInput` gained branches for `hidden` (real hidden input),
+  `split-datetime` (date + time), `select-date` (date input),
+  `checkbox-multiple` / `select-multiple` (checkbox bank / `<select multiple>`),
+  `autocomplete` / `autocomplete-multiple`, and `file` (limited control + a
+  legacy-admin note; upload itself still tracked by #241). Any future kind
+  with no rich renderer maps to an explicit, operator-visible
+  `unsupported_widget` tracked fallback — never a silent wrong control.
+  `adaptFormSpec.test.ts` now asserts every enum member maps to something
+  sensible.
+- **System checks for misconfiguration (#667).** A new
+  `django_admin_react/checks.py` registers a `manage.py check` validator that
+  surfaces, with actionable hints: `django_admin_rest_api` missing from
+  `INSTALLED_APPS` (Error), an unimportable `ADMIN_SITE` dotted path (Error),
+  unknown `DJANGO_ADMIN_REACT` keys (Error, at startup instead of a lazy
+  `ValueError`), an `API_URL_PREFIX` that requires the consumer to mount the
+  REST API themselves (Warning), and a missing built SPA bundle / Vite
+  manifest (Warning).
+
+### Changed
+- **`list_display_links` is now honoured (#666).** The changelist wire emits
+  `list_display_links` (rest-api); the SPA links exactly the configured
+  column(s) to the change page — and links *none* (rows inert) when the admin
+  sets `list_display_links = None`. Previously the SPA hard-pinned the link to
+  the first column. A pre-1.6.0 backend (no field on the wire) keeps the
+  legacy first-column behaviour.
+- **Raised the `django-admin-rest-api` floor to `^1.6.0` (#664).** 1.6.0 adds
+  `prepopulated_fields` + autocomplete hints to the form-spec wire (already
+  consumed for the add form via #245/#629; the autocomplete hint now drives
+  the `autocomplete` widget kind).
+- **README parity table corrected (#668).** `raw_id_fields`, `radio_fields`,
+  and `filter_horizontal` / `filter_vertical` flip to ✅ (they ship today —
+  pk-input + lookup, radio bank, and the `ShuttleSelect` two-pane widget).
+  The stale "does NOT carry through" entries for those hooks were removed, and
+  a new section documents the genuine gaps: `empty_value_display` (hard-coded
+  `—`), custom `AdminSite.each_context` extra keys, and `list_select_related`.
+
+### Security
+- **Validated + sandboxed the legacy-admin iframe (#665).** `legacy_url` from
+  the form-spec `legacy-iframe` fallback is now validated before it reaches
+  the `<iframe src>` / `<a href>` sinks: only a same-origin `http(s)` URL is
+  framed/linked; a `javascript:` / `data:` / `blob:` scheme or an off-origin
+  target renders an inert error card instead (mirroring the
+  `action-redirect.ts` discipline every other navigational sink in the SPA
+  follows). The iframe now carries
+  `sandbox="allow-forms allow-scripts allow-same-origin"` (defence in depth —
+  drops `allow-top-navigation` / `allow-popups` / `allow-modals`).
+  `SECURITY.md` §QSEC-03 gained `frame-src 'self'` and documents the
+  X-Frame-Options ↔ legacy-iframe interaction.
+
+### Performance
+- **Route-level code-splitting + show-all row windowing (#670).** `LoginPage`
+  and `CreatePage` are now `React.lazy`-loaded at the route boundary (out of
+  the first-paint main chunk). The "Show all N" (`?all`) list path applies
+  native row windowing (`content-visibility: auto`) so off-screen rows skip
+  layout/paint while staying in the DOM for find-in-page / a11y.
+
+### Fixed
+- **i18n: routed untranslated strings through `t()` (#669).** `FieldInput`'s
+  `Lookup ↗` / lookup aria-label, the `— select —` / `(none)` placeholders,
+  and the time / array / range / FK placeholders, plus `App.tsx`'s "Page not
+  found.", now go through the catalog; the new keys (and the #664 / #665
+  operator notes) were added to the es / fr / pt catalogs.
+
 ## [1.10.1] — 2026-06-02
 
 ### Fixed
diff --git a/README.md b/README.md
index 1add217..5f28842 100644
--- a/README.md
+++ b/README.md
@@ -618,8 +618,9 @@ all share the v1 wire contract. Per-feature live status below.
 | `list_editable` + bulk PATCH                           | ✅                                                              |
 | `actions` — batch + detail (signature-classified)      | ✅                                                              |
 | `autocomplete_fields`                                  | ✅                                                              |
-| `raw_id_fields` (pk text input + lookup popup)         | 🟡 [#626](https://github.com/MartinCastroAlvarez/django-admin-react/issues/626) (API emits the hint; SPA still renders autocomplete) |
-| `radio_fields` (inline radio buttons vs `<select>`)    | 🟡 [#626](https://github.com/MartinCastroAlvarez/django-admin-react/issues/626) (API emits the hint; SPA still renders dropdown) |
+| `raw_id_fields` (pk text input + lookup popup)         | ✅                                                              |
+| `radio_fields` (inline radio buttons vs `<select>`)    | ✅                                                              |
+| `filter_horizontal` / `filter_vertical` (M2M shuttle)  | ✅                                                              |
 | `ManyToManyField` read + write                         | ✅                                                              |
 | `inlines` (TabularInline / StackedInline) — read + write | ✅                                                            |
 | `FileField` / `ImageField` — read                      | ✅                                                              |
@@ -648,14 +649,13 @@ issues link the work to close each gap.
 |---|---|---|
 | `change_form_template` / `add_form_template` overrides | **Embedded in an iframe** (since 1.9.0, #659): the change/add form-spec endpoint returns a `legacy-iframe` pointer and the SPA embeds the legacy admin page inside the SPA shell (breadcrumb / sidebar / toolbar stay SPA-rendered). Port the form to documented ModelAdmin hooks at your own pace. | [#624](https://github.com/MartinCastroAlvarez/django-admin-react/issues/624) |
 | `change_list_template` / `change_password_template` / `object_history_template` overrides | Silently ignored — those surfaces render entirely from the JSON wire. | [#624](https://github.com/MartinCastroAlvarez/django-admin-react/issues/624) |
-| `formfield_overrides = {Field: {"widget": CustomWidget}}` | Custom widget invisible — the SPA picks its own control from the field's `type`. No React-side widget-registration API yet. | [#625](https://github.com/MartinCastroAlvarez/django-admin-react/issues/625) |
-| `raw_id_fields` | Falls back to the autocomplete picker (same as `autocomplete_fields`). Defeats the purpose for FKs with 10M+ rows where autocomplete `get_search_results` is too expensive. | [#626](https://github.com/MartinCastroAlvarez/django-admin-react/issues/626) |
-| `radio_fields = {"status": admin.HORIZONTAL}` | Renders a `<select>` (default choice control) instead of inline radio buttons. | [#626](https://github.com/MartinCastroAlvarez/django-admin-react/issues/626) |
-| `filter_horizontal` / `filter_vertical` (M2M shuttle widget) | Renders the generic multi-select checkbox list, not Django's two-pane shuttle. Switch the field to `autocomplete_fields` for a workable SPA UX. | [#627](https://github.com/MartinCastroAlvarez/django-admin-react/issues/627) |
+| `formfield_overrides = {Field: {"widget": CustomWidget}}` | Custom widget rendered via the React widget-registration API (`registerFieldWidget`, #625) when the consumer registers a renderer for the widget class; otherwise falls back to the default control + an operator-visible "not registered" note. | [#625](https://github.com/MartinCastroAlvarez/django-admin-react/issues/625) |
+| `empty_value_display` | **Hard-coded to `—`.** A per-`ModelAdmin` / per-field `empty_value_display` override is **not** surfaced — the SPA renders the literal em-dash for every empty value, regardless of the consumer's chosen placeholder. | [#629](https://github.com/MartinCastroAlvarez/django-admin-react/issues/629) |
+| Custom `AdminSite.each_context(request)` extra keys | Not surfaced. Only a fixed set of site attributes (`site_header` / `site_title` / `site_logo` / `site_primary_color`) reaches the SPA; any extra keys a consumer adds in a custom `each_context` are dropped. | [#629](https://github.com/MartinCastroAlvarez/django-admin-react/issues/629) |
+| `list_select_related` | A backend query-optimisation concern, applied server-side by the REST API's queryset; it changes query efficiency, **not** the wire shape, so it is intentionally invisible to the SPA (no client-visible effect to surface). | [#629](https://github.com/MartinCastroAlvarez/django-admin-react/issues/629) |
 | `GenericForeignKey` / `GenericInlineModelAdmin` | Support gap — verify per-model before relying on the SPA. | [#628](https://github.com/MartinCastroAlvarez/django-admin-react/issues/628) |
-| `LANGUAGE_CODE` / `gettext` / `Accept-Language` | The SPA chrome stays English; translated `verbose_name` / `help_text` / `@admin.action(description=_("..."))` are not surfaced per-request. | [#630](https://github.com/MartinCastroAlvarez/django-admin-react/issues/630) |
+| `LANGUAGE_CODE` / `gettext` / `Accept-Language` | SPA chrome strings translate via the bundled catalogs (es / fr / pt; #630); translated `verbose_name` / `help_text` / `@admin.action(description=_("..."))` flow through when `LocaleMiddleware` is installed. | [#630](https://github.com/MartinCastroAlvarez/django-admin-react/issues/630) |
 | `ModelAdmin.get_urls()` custom views | Opens as a popout (`<a target="_blank">`) into the Django-rendered HTML page — no SPA chrome, no breadcrumb. The link IS surfaced; the UX is just outside the SPA. | [#623](https://github.com/MartinCastroAlvarez/django-admin-react/issues/623) |
-| Django 4.2 LTS support | Not yet — the package pins `django >= 5.0,<7.0`. | [#622](https://github.com/MartinCastroAlvarez/django-admin-react/issues/622) |
 
 If your admin relies on any "silently ignored" hook above, the
 typical workaround is to keep that model on the legacy
diff --git a/SECURITY.md b/SECURITY.md
index e893d3c..3c68372 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -275,6 +275,7 @@ Content-Security-Policy:
   connect-src 'self';                 # the API is same-origin
   manifest-src 'self';
   worker-src 'self';                  # the PWA service worker
+  frame-src 'self';                   # legacy-admin iframe fallback (#659) — same-origin only
   frame-ancestors 'none';             # clickjacking (with X_FRAME_OPTIONS)
   base-uri 'self';
   form-action 'self';
@@ -291,6 +292,26 @@ Caveats — **validate before enforcing**:
   `style` attributes at runtime; it is far lower-risk than allowing
   inline scripts. Drop it if you verify your build needs no inline
   styles.
+- `frame-src 'self'` and the **X-Frame-Options interaction** — the SPA's
+  legacy-admin fallback (#659) embeds the legacy admin change/add page in
+  a **same-origin** `<iframe>` when a `ModelAdmin` overrides
+  `change_form_template` / `add_form_template`. `frame-src 'self'` is the
+  explicit allowlist for that frame: it both **permits** the intended
+  same-origin embed and **blocks** an off-origin `legacy_url` (defence in
+  depth — the SPA also validates the URL client-side as same-origin
+  http(s) and sandboxes the iframe with `allow-forms allow-scripts
+  allow-same-origin`). Two interaction notes:
+  - **`X_FRAME_OPTIONS = "DENY"` will break the iframe** if it is applied
+    to the legacy admin's *own* responses, because the legacy admin page
+    is what gets framed. If you use the legacy-iframe fallback, scope
+    `X-Frame-Options` (and any `frame-ancestors`) so the legacy admin
+    permits same-origin framing — e.g. set `X_FRAME_OPTIONS = "SAMEORIGIN"`
+    for the legacy admin responses, or omit the header on that mount.
+    `frame-ancestors 'none'` on the *SPA shell* is fine — it controls who
+    may frame the SPA, not what the SPA may frame.
+  - If you do **not** use a custom `change_form_template` (the SPA renders
+    every form from the JSON form-spec), no iframe is ever created and you
+    can drop `frame-src` and keep `X_FRAME_OPTIONS = "DENY"` everywhere.
 - This policy assumes the package is mounted on its own path under your
   domain. If you already ship a project-wide CSP, **merge** these
   directives rather than replacing your policy.
diff --git a/django_admin_react/apps.py b/django_admin_react/apps.py
index c1beea7..82e3416 100644
--- a/django_admin_react/apps.py
+++ b/django_admin_react/apps.py
@@ -6,6 +6,7 @@
 """
 
 from django.apps import AppConfig
+from django.core.checks import register
 
 
 class DjangoAdminReactConfig(AppConfig):
@@ -25,3 +26,15 @@ class DjangoAdminReactConfig(AppConfig):
     label = "django_admin_react"
     verbose_name = "Django Admin React"
     default_auto_field = "django.db.models.BigAutoField"
+
+    def ready(self) -> None:
+        """Register the package's system checks at app-load (#667).
+
+        Importing + registering here (not at module import time) keeps the
+        checks tied to the app registry being ready, matching Django's
+        documented pattern. The import is local so adding the app has no
+        eager import cost beyond the AppConfig itself.
+        """
+        from django_admin_react.checks import check_django_admin_react
+
+        register(check_django_admin_react)
diff --git a/django_admin_react/checks.py b/django_admin_react/checks.py
new file mode 100644
index 0000000..43dd7bb
--- /dev/null
+++ b/django_admin_react/checks.py
@@ -0,0 +1,161 @@
+"""System checks for django_admin_react (#667).
+
+Registered against ``django.core.checks`` so common misconfigurations
+surface at ``manage.py check`` (and on every ``runserver`` boot) with an
+actionable hint — instead of a lazy ``ValueError`` on first settings
+access, a runtime 500, or a silent template fallback.
+
+What we validate:
+
+- ``django_admin_rest_api`` is installed (the package implements no API of
+  its own — every JSON endpoint lives in that sibling package).
+- ``DJANGO_ADMIN_REACT["ADMIN_SITE"]`` (dotted path) actually imports.
+- ``DJANGO_ADMIN_REACT`` has no unknown keys (the same guard ``conf._load``
+  enforces lazily — surfaced here at startup as a clean check error).
+- ``API_URL_PREFIX`` mounting is coherent: when it is set, the package
+  skips its inline ``api/v1/`` include, so the consumer must mount
+  ``django_admin_rest_api.urls`` themselves — a Warning reminds them.
+- The built SPA bundle / Vite manifest exists (a Warning, not an Error —
+  the package serves a friendly "not built" shell, and the manifest is
+  absent in a source checkout / before ``pnpm build``).
+
+Severities follow Django's convention: an ``Error`` blocks (the package
+cannot work); a ``Warning`` is a likely-misconfiguration heads-up that
+does not hard-block.
+"""
+
+from __future__ import annotations
+
+from typing import Any
+
+from django.core.checks import Error
+from django.core.checks import Warning as CheckWarning
+
+# Stable check IDs (Django convention ``<app_label>.E/W###``) so a consumer
+# can silence a specific one via ``SILENCED_SYSTEM_CHECKS`` if they must.
+ID_REST_API_MISSING = "django_admin_react.E001"
+ID_ADMIN_SITE_IMPORT = "django_admin_react.E002"
+ID_UNKNOWN_SETTINGS = "django_admin_react.E003"
+ID_API_PREFIX_MOUNT = "django_admin_react.W001"
+ID_BUNDLE_MISSING = "django_admin_react.W002"
+
+
+def check_django_admin_react(app_configs: Any, **kwargs: Any) -> list[Any]:
+    """Run every package configuration check.
+
+    Registered as a single callable (rather than many) so the import
+    surface stays small and the ordering is explicit. ``app_configs`` /
+    ``kwargs`` are the Django check-framework signature; unused here
+    because the checks are global to the package, not per-app.
+    """
+    errors: list[Any] = []
+    errors.extend(_check_rest_api_installed())
+    errors.extend(_check_admin_site_imports())
+    errors.extend(_check_settings_keys())
+    errors.extend(_check_api_prefix_coherence())
+    errors.extend(_check_bundle_built())
+    return errors
+
+
+def _check_rest_api_installed() -> list[Any]:
+    from django.apps import apps as django_apps
+
+    if django_apps.is_installed("django_admin_rest_api"):
+        return []
+    return [
+        Error(
+            "'django_admin_rest_api' is not in INSTALLED_APPS.",
+            hint=(
+                "django-admin-react is a React SPA over django-admin-rest-api "
+                "and implements no API of its own. Add 'django_admin_rest_api' "
+                "to INSTALLED_APPS (it ships as a dependency)."
+            ),
+            id=ID_REST_API_MISSING,
+        )
+    ]
+
+
+def _check_admin_site_imports() -> list[Any]:
+    from django.utils.module_loading import import_string
+
+    from django_admin_react import conf as dar_conf
+
+    dotted = dar_conf.ADMIN_SITE
+    try:
+        import_string(dotted)
+    except ImportError as exc:
+        return [
+            Error(
+                f"DJANGO_ADMIN_REACT['ADMIN_SITE'] = {dotted!r} could not be imported " f"({exc}).",
+                hint=(
+                    "Point ADMIN_SITE at the dotted path of your AdminSite "
+                    "instance (e.g. 'myproject.admin.site' or the default "
+                    "'django.contrib.admin.site')."
+                ),
+                id=ID_ADMIN_SITE_IMPORT,
+            )
+        ]
+    return []
+
+
+def _check_settings_keys() -> list[Any]:
+    from django.conf import settings as django_settings
+
+    from django_admin_react.conf import DEFAULTS
+
+    overrides = getattr(django_settings, "DJANGO_ADMIN_REACT", {}) or {}
+    unknown = sorted(set(overrides) - set(DEFAULTS))
+    if not unknown:
+        return []
+    return [
+        Error(
+            "Unknown DJANGO_ADMIN_REACT key(s): " + ", ".join(unknown) + ".",
+            hint=("Remove the typo'd key(s). Valid keys are: " + ", ".join(sorted(DEFAULTS)) + "."),
+            id=ID_UNKNOWN_SETTINGS,
+        )
+    ]
+
+
+def _check_api_prefix_coherence() -> list[Any]:
+    from django_admin_react import conf as dar_conf
+
+    prefix = dar_conf.API_URL_PREFIX
+    if prefix is None:
+        # Inline mount is active; the package mounts the API itself. Nothing
+        # the consumer must do.
+        return []
+    # The override is set, so `django_admin_react.urls` skips the inline
+    # `api/v1/` include — the consumer MUST mount the REST API themselves at
+    # that prefix or every SPA data call 404s.
+    return [
+        CheckWarning(
+            f"DJANGO_ADMIN_REACT['API_URL_PREFIX'] = {prefix!r} is set, so this "
+            "package does NOT mount the REST API inline.",
+            hint=(
+                "Mount the sibling API yourself at that prefix, e.g.\n"
+                f"    path({prefix!r}, include('django_admin_rest_api.api.urls'))\n"
+                "or unset API_URL_PREFIX to use the package's inline 'api/v1/' mount."
+            ),
+            id=ID_API_PREFIX_MOUNT,
+        )
+    ]
+
+
+def _check_bundle_built() -> list[Any]:
+    # Imported lazily so the check module has no import-time dependency on
+    # the view layer.
+    from django_admin_react.views import _MANIFEST_PATH
+
+    if _MANIFEST_PATH.is_file():
+        return []
+    return [
+        CheckWarning(
+            "The built SPA bundle / Vite manifest was not found at " f"{_MANIFEST_PATH}.",
+            hint=(
+                "Install the published wheel (which ships the built bundle), or "
+                "build the frontend from source with 'pnpm --dir frontend build'. "
+                "Until then the SPA shell renders a 'not built yet' page."
+            ),
+            id=ID_BUNDLE_MISSING,
+        )
+    ]
diff --git a/frontend/apps/web/src/App.tsx b/frontend/apps/web/src/App.tsx
index 6963631..cea41d5 100644
--- a/frontend/apps/web/src/App.tsx
+++ b/frontend/apps/web/src/App.tsx
@@ -1,16 +1,35 @@
+import { Suspense, lazy } from 'react';
 import { Route, Routes, useParams } from 'react-router-dom';
 
 import { ApiError, useRegistry } from '@dar/data';
+import { t } from '@dar/ui';
 
 import { ErrorBoundary } from './ErrorBoundary';
 import { Layout } from './Layout';
 import { HomePage } from './pages/HomePage';
 import { ListPage } from './pages/ListPage';
 import { DetailPage } from './pages/DetailPage';
-import { LoginPage } from './pages/LoginPage';
-import { CreatePage } from './pages/CreatePage';
 import { ToastProvider } from './toast';
 
+// Route-level code-splitting (#670): the login + create pages aren't on the
+// first authenticated paint — login only renders when the session is dead,
+// and create only after the operator clicks "+ Add". Lazy-loading them keeps
+// their code out of the main chunk. (Home / List / Detail stay eager: one of
+// them is the very first paint on every load, so splitting them would only
+// add a Suspense flash.)
+const LoginPage = lazy(() =>
+  import('./pages/LoginPage').then((m) => ({ default: m.LoginPage })),
+);
+const CreatePage = lazy(() =>
+  import('./pages/CreatePage').then((m) => ({ default: m.CreatePage })),
+);
+
+// Shared fallback for a lazy route chunk still in flight — a small, layout-
+// neutral hint rather than a blank frame.
+function RouteFallback() {
+  return <div className="p-6 text-sm text-gray-500">{t('Loading…')}</div>;
+}
+
 // Remount ListPage when the model changes so per-model state (selection,
 // retained "keep previous data" rows) resets cleanly on a model switch —
 // while filter / page / search changes within a model keep the same
@@ -34,7 +53,11 @@ export function App() {
   // registry can't keep a dead session looking alive.
   const { error, refresh } = registry;
   if (error instanceof ApiError && (error.status === 401 || error.status === 403)) {
-    return <LoginPage onSuccess={refresh} />;
+    return (
+      <Suspense fallback={<RouteFallback />}>
+        <LoginPage onSuccess={refresh} />
+      </Suspense>
+    );
   }
 
   return (
@@ -49,7 +72,14 @@ export function App() {
             {/* Literal `add` is ranked above the `:pk` route by React
               Router, so /app/model/add opens the create form, not a
               detail with pk="add". */}
-            <Route path=":appLabel/:modelName/add" element={<CreatePage />} />
+            <Route
+              path=":appLabel/:modelName/add"
+              element={
+                <Suspense fallback={<RouteFallback />}>
+                  <CreatePage />
+                </Suspense>
+              }
+            />
             <Route path=":appLabel/:modelName/:pk" element={<DetailPage />} />
             {/* Django-admin URL aliases (#601). When the SPA is mounted
                 at the legacy admin's prefix (after a /admin/ ↔ /admin-old/
@@ -75,7 +105,7 @@ export function App() {
             <Route path=":appLabel/:modelName/:pk/delete" element={<DetailPage />} />
             <Route
               path="*"
-              element={<div className="p-6 text-sm text-gray-500">Page not found.</div>}
+              element={<div className="p-6 text-sm text-gray-500">{t('Page not found.')}</div>}
             />
           </Routes>
         </ErrorBoundary>
diff --git a/frontend/apps/web/src/legacy-url.test.ts b/frontend/apps/web/src/legacy-url.test.ts
new file mode 100644
index 0000000..460203b
--- /dev/null
+++ b/frontend/apps/web/src/legacy-url.test.ts
@@ -0,0 +1,37 @@
+import { describe, expect, it } from 'vitest';
+
+import { safeLegacyUrl } from './legacy-url';
+
+const ORIGIN = 'https://admin.example.com';
+
+describe('safeLegacyUrl (#665)', () => {
+  it('accepts a same-origin relative legacy-admin path and returns an absolute same-origin URL', () => {
+    expect(safeLegacyUrl({ url: '/admin/auth/group/1/change/', currentOrigin: ORIGIN })).toBe(
+      'https://admin.example.com/admin/auth/group/1/change/',
+    );
+  });
+
+  it('accepts an absolute same-origin http(s) URL', () => {
+    expect(
+      safeLegacyUrl({ url: 'https://admin.example.com/admin/x/', currentOrigin: ORIGIN }),
+    ).toBe('https://admin.example.com/admin/x/');
+  });
+
+  it('rejects a javascript: URL (anchor-click code execution)', () => {
+    expect(safeLegacyUrl({ url: "javascript:alert(1)", currentOrigin: ORIGIN })).toBeNull();
+  });
+
+  it('rejects data: and blob: schemes', () => {
+    expect(safeLegacyUrl({ url: 'data:text/html,<h1>x', currentOrigin: ORIGIN })).toBeNull();
+    expect(safeLegacyUrl({ url: 'blob:https://admin.example.com/abc', currentOrigin: ORIGIN })).toBeNull();
+  });
+
+  it('rejects an off-origin http(s) URL (phishing surface inside admin chrome)', () => {
+    expect(safeLegacyUrl({ url: 'https://attacker.example/', currentOrigin: ORIGIN })).toBeNull();
+    expect(safeLegacyUrl({ url: '//attacker.example/x', currentOrigin: ORIGIN })).toBeNull();
+  });
+
+  it('rejects an unparseable URL', () => {
+    expect(safeLegacyUrl({ url: 'http://[::bad', currentOrigin: ORIGIN })).toBeNull();
+  });
+});
diff --git a/frontend/apps/web/src/legacy-url.ts b/frontend/apps/web/src/legacy-url.ts
new file mode 100644
index 0000000..dd5ee41
--- /dev/null
+++ b/frontend/apps/web/src/legacy-url.ts
@@ -0,0 +1,53 @@
+// Legacy-iframe URL validation (#665).
+//
+// The form-spec endpoint can return `{renderer: "legacy-iframe", legacy_url}`
+// to embed the legacy admin change/add page inside the SPA shell (#659). That
+// URL flows into both an `<iframe src>` and an `<a href target=_blank>`, so it
+// reaches two navigational sinks. The SPA *should* be able to trust the API,
+// but every other navigational sink in this codebase validates before using a
+// server-supplied URL (`action-redirect.ts` parses + origin/mount-checks the
+// action redirect; `views.py` percent-encodes `next`). This is the one
+// server-emitted URL that previously reached `src`/`href` unchecked — a
+// compromised, buggy, or request-influenced backend could emit a
+// `javascript:` URL (executes from the anchor on click) or an off-origin
+// `http://attacker/` URL (renders attacker content inside the authenticated
+// admin chrome — a high-fidelity phishing surface). We close that with the
+// same parse-and-validate discipline used elsewhere.
+//
+// The legacy admin lives on the SAME origin as the SPA (under its own admin
+// prefix, NOT the SPA mount), so the rule is: parse against the current
+// origin, require an `http:`/`https:` scheme, and require the parsed origin to
+// equal the current origin. Anything else (a non-http(s) scheme like
+// `javascript:`/`data:`/`blob:`, or a cross-origin target) is rejected and the
+// caller renders an inert error card instead of framing/linking it.
+
+export interface ValidateLegacyUrlArgs {
+  url: string;
+  /** Current page origin. Defaults to `window.location.origin`; the test
+   *  injects a known value (jsdom's origin is fixed). */
+  currentOrigin?: string;
+}
+
+/**
+ * Return a safe, same-origin http(s) URL string, or `null` when the URL is
+ * unparseable, uses a non-http(s) scheme, or points off-origin.
+ *
+ * Returning the *re-serialised* parsed URL (not the raw input) means the value
+ * handed to `src`/`href` is exactly what passed validation — no room for a
+ * parser-differential between the check and the sink.
+ */
+export function safeLegacyUrl(args: ValidateLegacyUrlArgs): string | null {
+  const origin = args.currentOrigin ?? window.location.origin;
+  let parsed: URL;
+  try {
+    parsed = new URL(args.url, origin);
+  } catch {
+    return null;
+  }
+  // Reject `javascript:` / `data:` / `blob:` / `mailto:` etc. outright — only
+  // real navigable web schemes are allowed in an iframe/anchor here.
+  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
+  // The legacy admin is same-origin; an off-origin target is never legitimate.
+  if (parsed.origin !== origin) return null;
+  return parsed.href;
+}
diff --git a/frontend/apps/web/src/pages/ListPage.tsx b/frontend/apps/web/src/pages/ListPage.tsx
index 93f2eb6..3d5e2dd 100644
--- a/frontend/apps/web/src/pages/ListPage.tsx
+++ b/frontend/apps/web/src/pages/ListPage.tsx
@@ -423,6 +423,19 @@ export function ListPage() {
   // live here was retired in v1.3.0 along with the HTML5-DnD modal
   // it served (#586).
 
+  // list_display_links (#666): the ModelAdmin chooses which column(s) link
+  // to the change page. The backend emits the resolved set (defaulting to
+  // the first column); an empty array means `list_display_links = None` —
+  // no column links and the rows are not clickable. When the field is
+  // ABSENT (a pre-1.6.0 backend), fall back to the legacy behaviour of
+  // linking the first non-pk column, so older deployments are unaffected.
+  const displayLinks = data.list_display_links;
+  const firstNonPkName = orderedDescriptors.find((c) => !isPkCol(c.name))?.name;
+  const isLinkColumn = (name: string): boolean => {
+    if (displayLinks === undefined) return name === firstNonPkName; // legacy fallback
+    return displayLinks.includes(name);
+  };
+
   const columns = orderedDescriptors
     // The pk column is never hidden, even if a stale preference lists it.
     .filter((c) => isPkCol(c.name) || !hiddenCols.has(c.name))
@@ -431,6 +444,7 @@ export function ListPage() {
       header: c.label,
       sortable: c.sortable,
       noTruncate: isPkCol(c.name),
+      isLink: isLinkColumn(c.name),
       // Frozen / sticky columns (#586): pk is implicitly always
       // locked + sticky; the user-locked set adds more. The Table
       // primitive measures pixel offsets after layout and writes
@@ -804,6 +818,10 @@ export function ListPage() {
             loading={loading}
             columnWidths={colWidths}
             onColumnResize={resizeColumn}
+            // Native row windowing on the "Show all N" path (#670): up to
+            // list_max_show_all (200) rows render at once; off-screen rows
+            // skip layout/paint via content-visibility.
+            virtualizeRows={showAll}
           />
         </Card>
       )}
diff --git a/frontend/apps/web/src/pages/detail/ChangeForm.test.tsx b/frontend/apps/web/src/pages/detail/ChangeForm.test.tsx
index 77725c2..a01e849 100644
--- a/frontend/apps/web/src/pages/detail/ChangeForm.test.tsx
+++ b/frontend/apps/web/src/pages/detail/ChangeForm.test.tsx
@@ -63,6 +63,31 @@ describe('ChangeForm (#659)', () => {
     const iframe = screen.getByTitle('Legacy admin form') as HTMLIFrameElement;
     expect(iframe).toBeInTheDocument();
     expect(iframe.src).toContain('/admin/auth/group/1/change/');
+    // #665: the iframe is sandboxed with an explicit allowlist (no
+    // allow-top-navigation / allow-popups / allow-modals).
+    expect(iframe.getAttribute('sandbox')).toBe('allow-forms allow-scripts allow-same-origin');
+  });
+
+  it('rejects a javascript: legacy_url and renders an inert error card (no iframe) (#665)', () => {
+    specState = {
+      data: { renderer: 'legacy-iframe', legacy_url: 'javascript:fetch("/admin/")' },
+      loading: false,
+      error: null,
+    };
+    renderChangeForm();
+    expect(screen.queryByTitle('Legacy admin form')).not.toBeInTheDocument();
+    expect(screen.getByText(/can’t be displayed/i)).toBeInTheDocument();
+  });
+
+  it('rejects an off-origin legacy_url and renders the error card (#665)', () => {
+    specState = {
+      data: { renderer: 'legacy-iframe', legacy_url: 'https://attacker.example/admin/' },
+      loading: false,
+      error: null,
+    };
+    renderChangeForm();
+    expect(screen.queryByTitle('Legacy admin form')).not.toBeInTheDocument();
+    expect(screen.getByText(/can’t be displayed/i)).toBeInTheDocument();
   });
 
   it('renders the form-spec fields (request-aware get_form / fieldsets) via EditForm', () => {
diff --git a/frontend/apps/web/src/pages/detail/LegacyIframe.tsx b/frontend/apps/web/src/pages/detail/LegacyIframe.tsx
index 308b947..7fdaacf 100644
--- a/frontend/apps/web/src/pages/detail/LegacyIframe.tsx
+++ b/frontend/apps/web/src/pages/detail/LegacyIframe.tsx
@@ -12,12 +12,35 @@ import { ExternalLink } from 'lucide-react';
 
 import { Button, Card, t } from '@dar/ui';
 
+import { safeLegacyUrl } from '../../legacy-url';
+
 export interface LegacyIframeProps {
   url: string;
   onCancel: () => void;
 }
 
 export function LegacyIframe({ url, onCancel }: LegacyIframeProps) {
+  // Validate the server-supplied `legacy_url` before it reaches the iframe
+  // `src` / anchor `href` (#665): same-origin + http(s) only. A
+  // `javascript:` / `data:` URL or an off-origin target is rejected and we
+  // render an inert error card instead — never frame/link an unvalidated URL.
+  const safe = safeLegacyUrl({ url });
+
+  if (safe === null) {
+    return (
+      <Card>
+        <div className="space-y-3">
+          <p className="text-sm text-red-700">
+            {t('This form can’t be displayed: its address is invalid or points off-site.')}
+          </p>
+          <Button type="button" variant="ghost" onClick={onCancel}>
+            {t('Cancel')}
+          </Button>
+        </div>
+      </Card>
+    );
+  }
+
   return (
     <Card>
       <div className="space-y-3">
@@ -27,7 +50,7 @@ export function LegacyIframe({ url, onCancel }: LegacyIframeProps) {
           </p>
           <div className="flex shrink-0 items-center gap-2">
             <a
-              href={url}
+              href={safe}
               target="_blank"
               rel="noopener noreferrer"
               className="inline-flex items-center gap-1.5 rounded-md border border-gray-300 bg-white px-3 py-1.5 text-sm font-medium text-gray-700 hover:bg-gray-50 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-blue-500"
@@ -40,8 +63,14 @@ export function LegacyIframe({ url, onCancel }: LegacyIframeProps) {
           </div>
         </div>
         <iframe
-          src={url}
+          src={safe}
           title={t('Legacy admin form')}
+          // Defence-in-depth (#665): the legacy admin needs forms + scripts +
+          // same-origin cookies to function, but this explicit allowlist drops
+          // the unsafe-by-default capabilities — `allow-top-navigation`,
+          // `allow-popups`, `allow-modals` — so a framed page can't break out
+          // of the admin chrome even if `legacy_url` were ever subverted.
+          sandbox="allow-forms allow-scripts allow-same-origin"
           className="h-[70vh] w-full rounded border border-gray-200 bg-white"
         />
       </div>
diff --git a/frontend/apps/web/src/pages/detail/adaptFormSpec.test.ts b/frontend/apps/web/src/pages/detail/adaptFormSpec.test.ts
index 7fb2586..a71e379 100644
--- a/frontend/apps/web/src/pages/detail/adaptFormSpec.test.ts
+++ b/frontend/apps/web/src/pages/detail/adaptFormSpec.test.ts
@@ -1,6 +1,12 @@
 import { describe, expect, it } from 'vitest';
 
-import type { DetailResponse, FormSpecField, FormSpecResponse } from '@dar/data';
+import type {
+  DetailResponse,
+  FormSpecField,
+  FormSpecResponse,
+  WidgetHint,
+  WidgetKind,
+} from '@dar/data';
 
 import { detailFromFormSpec, formSpecFieldToDescriptor } from './adaptFormSpec';
 
@@ -26,12 +32,94 @@ describe('formSpecFieldToDescriptor (#659)', () => {
     expect(formSpecFieldToDescriptor(fsField({ widget: { kind: 'shuttle', attrs: {} } })).widget).toBe('shuttle_h');
   });
 
-  it('leaves widget undefined for kinds the FieldType already implies (select/date/autocomplete/…)', () => {
+  it('leaves widget undefined for kinds the FieldType already implies (select/date/…)', () => {
     expect(formSpecFieldToDescriptor(fsField({ widget: { kind: 'select', attrs: {} } })).widget).toBeUndefined();
     expect(formSpecFieldToDescriptor(fsField({ widget: { kind: 'date', attrs: {} } })).widget).toBeUndefined();
-    expect(
-      formSpecFieldToDescriptor(fsField({ widget: { kind: 'autocomplete', attrs: {} } })).widget,
-    ).toBeUndefined();
+    expect(formSpecFieldToDescriptor(fsField({ widget: { kind: 'text', attrs: {} } })).widget).toBeUndefined();
+    expect(formSpecFieldToDescriptor(fsField({ widget: { kind: 'number', attrs: {} } })).widget).toBeUndefined();
+  });
+
+  it('maps the kinds that need a control FieldType would NOT pick (#664)', () => {
+    const hintFor = (kind: WidgetKind): WidgetHint | undefined =>
+      formSpecFieldToDescriptor(fsField({ widget: { kind, attrs: {} } })).widget;
+    expect(hintFor('hidden')).toBe('hidden');
+    expect(hintFor('split-datetime')).toBe('split_datetime');
+    expect(hintFor('select-date')).toBe('select_date');
+    expect(hintFor('checkbox-multiple')).toBe('checkbox_multiple');
+    expect(hintFor('select-multiple')).toBe('select_multiple');
+    expect(hintFor('autocomplete')).toBe('autocomplete');
+    expect(hintFor('autocomplete-multiple')).toBe('autocomplete_multiple');
+    expect(hintFor('file')).toBe('file');
+  });
+
+  it('maps EVERY declared WidgetKind to something sensible — no silent no-op (#664)', () => {
+    // The full closed enum from the contract. If a kind is added to the
+    // wire without a mapping, this list (and the exhaustive `KIND_TO_HINT`
+    // record) must be updated — keeping the SPA honest about every kind.
+    const ALL_KINDS: WidgetKind[] = [
+      'text',
+      'textarea',
+      'number',
+      'email',
+      'url',
+      'password',
+      'hidden',
+      'checkbox',
+      'checkbox-multiple',
+      'select',
+      'select-multiple',
+      'radio',
+      'date',
+      'datetime',
+      'time',
+      'split-datetime',
+      'select-date',
+      'file',
+      'autocomplete',
+      'autocomplete-multiple',
+      'raw-id',
+      'shuttle',
+      'custom',
+    ];
+    // Kinds whose FieldType-derived control is already faithful → no hint.
+    const NO_HINT = new Set<WidgetKind>([
+      'text',
+      'textarea',
+      'number',
+      'email',
+      'url',
+      'checkbox',
+      'select',
+      'date',
+      'datetime',
+      'time',
+    ]);
+    const VALID_HINTS = new Set<WidgetHint>([
+      'radio',
+      'raw_id',
+      'password',
+      'shuttle_h',
+      'shuttle_v',
+      'custom',
+      'hidden',
+      'split_datetime',
+      'select_date',
+      'checkbox_multiple',
+      'select_multiple',
+      'autocomplete',
+      'autocomplete_multiple',
+      'file',
+      'unsupported_widget',
+    ]);
+    for (const kind of ALL_KINDS) {
+      const hint = formSpecFieldToDescriptor(fsField({ widget: { kind, attrs: {} } })).widget;
+      if (NO_HINT.has(kind)) {
+        expect(hint, `${kind} should defer to FieldType`).toBeUndefined();
+      } else {
+        expect(hint, `${kind} must map to a real WidgetHint`).toBeDefined();
+        expect(VALID_HINTS.has(hint as WidgetHint), `${kind} → ${hint}`).toBe(true);
+      }
+    }
   });
 
   it('passes the custom widget_class through so the SPA can dispatch a registered renderer', () => {
diff --git a/frontend/apps/web/src/pages/detail/adaptFormSpec.ts b/frontend/apps/web/src/pages/detail/adaptFormSpec.ts
index e4dcdfd..49a70d7 100644
--- a/frontend/apps/web/src/pages/detail/adaptFormSpec.ts
+++ b/frontend/apps/web/src/pages/detail/adaptFormSpec.ts
@@ -18,12 +18,34 @@ import type {
   WidgetHint,
 } from '@dar/data';
 
-// The closed `widget.kind` enum → the SPA's existing `WidgetHint` controls.
-// Kinds with no dedicated hint (select, checkbox, date, file, autocomplete,
-// …) return undefined: FieldInput then renders the control implied by
-// `FieldType`, which already covers them (a select for `choice`, an
-// AutocompleteInput for an FK with a `to` target, etc.).
-const KIND_TO_HINT: Partial<Record<WidgetKind, WidgetHint>> = {
+// The closed `widget.kind` enum → the SPA's `WidgetHint` controls (#664).
+//
+// EVERY one of the 23 declared `WidgetKind` values is mapped explicitly so
+// no kind silently degrades to a wrong control:
+//   • `undefined` — the control `FieldType` already implies is faithful
+//     (e.g. `text` → text input, `select` → <select>, `date` → date input,
+//     `datetime` → datetime-local, `time` → time input, `checkbox` →
+//     boolean checkbox, `number` → number input, `email`/`url` → typed
+//     inputs). Listed here on purpose so adding a kind is a compile error
+//     until it's classified (the test asserts the record is exhaustive).
+//   • a real hint — a kind that needs a control `FieldType` would NOT pick
+//     (hidden, split-datetime, the multi-selects, autocomplete, file, …).
+// There is no implicit fallback: an unmapped kind would be a `undefined`
+// type error, and a kind we can't render faithfully maps to the explicit,
+// operator-visible `unsupported_widget` tracked fallback in FieldInput.
+const KIND_TO_HINT: Record<WidgetKind, WidgetHint | undefined> = {
+  // Kinds whose FieldType-derived control is already faithful.
+  text: undefined,
+  textarea: undefined,
+  number: undefined,
+  email: undefined,
+  url: undefined,
+  checkbox: undefined,
+  select: undefined,
+  date: undefined,
+  datetime: undefined,
+  time: undefined,
+  // Security / parity hints that were already wired.
   password: 'password',
   radio: 'radio',
   'raw-id': 'raw_id',
@@ -32,6 +54,15 @@ const KIND_TO_HINT: Partial<Record<WidgetKind, WidgetHint>> = {
   // ShuttleSelect supports both and the difference is purely visual).
   shuttle: 'shuttle_h',
   custom: 'custom',
+  // Kinds that need a control FieldType alone would render WRONGLY (#664).
+  hidden: 'hidden',
+  'split-datetime': 'split_datetime',
+  'select-date': 'select_date',
+  'checkbox-multiple': 'checkbox_multiple',
+  'select-multiple': 'select_multiple',
+  autocomplete: 'autocomplete',
+  'autocomplete-multiple': 'autocomplete_multiple',
+  file: 'file',
 };
 
 function maxLengthFrom(field: FormSpecField): number | undefined {
diff --git a/frontend/packages/api/src/contract.ts b/frontend/packages/api/src/contract.ts
index 5e7c966..b6a41b1 100644
--- a/frontend/packages/api/src/contract.ts
+++ b/frontend/packages/api/src/contract.ts
@@ -48,6 +48,21 @@ export type FieldType =
  * widget via `registerFieldWidget(widget_class, …)` (#625); falls back
  * to the default control + an "open in legacy admin" note when no
  * registration matches.
+ *
+ * The remaining hints map the form-spec `widget.kind` values that need a
+ * different control than `FieldType` alone implies (#664):
+ * `hidden` (render a real hidden input, never a visible field);
+ * `split_datetime` (`SplitDateTimeWidget` — two controls: date + time);
+ * `select_date` (`SelectDateWidget` — month / day / year selects);
+ * `checkbox_multiple` (a checkbox bank) / `select_multiple` (a native
+ * `<select multiple>`) for non-relational multi-value choice fields;
+ * `autocomplete` / `autocomplete_multiple` (`autocomplete_fields` typeahead);
+ * `file` (a file input — upload itself is tracked under #241, so this is a
+ * deliberately limited control with an operator note);
+ * `unsupported_widget` is the explicit tracked-fallback for any kind with
+ * no faithful control yet — it renders the default control plus a visible
+ * operator note (mirroring the `custom`-unregistered branch) so a gap is
+ * never a silent wrong control.
  */
 export type WidgetHint =
   | 'radio'
@@ -55,7 +70,16 @@ export type WidgetHint =
   | 'password'
   | 'shuttle_h'
   | 'shuttle_v'
-  | 'custom';
+  | 'custom'
+  | 'hidden'
+  | 'split_datetime'
+  | 'select_date'
+  | 'checkbox_multiple'
+  | 'select_multiple'
+  | 'autocomplete'
+  | 'autocomplete_multiple'
+  | 'file'
+  | 'unsupported_widget';
 
 export interface Permissions {
   view: boolean;
@@ -405,6 +429,17 @@ export interface ListResponse {
   pk_field: string;
   permissions: Permissions;
   columns: ColumnDescriptor[];
+  /**
+   * `ModelAdmin.list_display_links` (#251 / #666): the column name(s) whose
+   * cell links to the change page. The backend resolves
+   * `get_list_display_links` (which defaults to the first column) and emits
+   * the result; an empty array means `list_display_links = None` — *no*
+   * column links and the rows are not clickable. Only string column names
+   * round-trip (callable `list_display` entries are dropped backend-side).
+   * Optional for back-compat with a pre-1.6.0 backend: when absent the SPA
+   * falls back to linking the first non-pk column (legacy behaviour).
+   */
+  list_display_links?: string[];
   search_fields: string[];
   /** `ModelAdmin.search_help_text` — shown under the search box (#445).
    *  Empty string when unset. */
@@ -720,6 +755,15 @@ export interface FormSpecResponse {
   /** Dotted path of the resolved `Form` class — changes when a
    *  request-aware `get_form` switched form by querystring/user. */
   variant: string;
+  /**
+   * `ModelAdmin.prepopulated_fields` as `{target: [sources]}` (#245 / #664).
+   * Emitted by the form-spec endpoint only on the ADD form (rest-api 1.6.0+),
+   * matching Django's slugify-on-keystroke behaviour for a *new* object. The
+   * SPA slugifies the target from its sources as the user types, until the
+   * target is hand-edited. Restricted backend-side to rendered, non-readonly
+   * targets. Optional/absent on the change form and on a pre-1.6.0 backend.
+   */
+  prepopulated_fields?: Record<string, string[]>;
 }
 
 /** Escape hatch: embed the legacy admin change/add page in an iframe. */
diff --git a/frontend/packages/form/src/FieldInput.tsx b/frontend/packages/form/src/FieldInput.tsx
index 0845162..07c8801 100644
--- a/frontend/packages/form/src/FieldInput.tsx
+++ b/frontend/packages/form/src/FieldInput.tsx
@@ -147,9 +147,9 @@ export function FieldInput({ name, field, value, error, onChange }: FieldInputPr
             target="_blank"
             rel="noopener noreferrer"
             className="shrink-0 rounded border border-gray-300 px-2 py-1 text-xs text-gray-700 hover:bg-gray-50"
-            aria-label="Look up related object in a new tab"
+            aria-label={t('Look up related object in a new tab')}
           >
-            Lookup ↗
+            {t('Lookup ↗')}
           </a>
         )}
       </div>
@@ -183,6 +183,213 @@ export function FieldInput({ name, field, value, error, onChange }: FieldInputPr
         })}
       </div>
     );
+  } else if (field.widget === 'hidden') {
+    // SplitDateTimeWidget's hidden member, a HiddenInput-routed field, or
+    // any field the admin meant to keep out of sight (#664). Django renders
+    // these as <input type=hidden> — a VISIBLE editable text box would be
+    // both wrong and a minor info-leak (the operator sees/edits a field the
+    // admin hid). We mirror Django: a real hidden input that still posts its
+    // value, with no label row.
+    return (
+      <input
+        id={id}
+        type="hidden"
+        value={value == null ? '' : String(value)}
+        onChange={(e) => onChange(e.target.value)}
+      />
+    );
+  } else if (field.widget === 'split_datetime') {
+    // SplitDateTimeWidget (#664): two controls — a date and a time — not a
+    // single datetime-local, preserving Django's two-field semantics. The
+    // wire value is an ISO 8601 string; we split it on `T` for the controls
+    // and rejoin so the posted value stays the shape Django parses.
+    const s = value == null ? '' : String(value);
+    const datePart = s.slice(0, 10);
+    const timePart = s.length > 11 ? s.slice(11, 19) : '';
+    const join = (d: string, tm: string): WriteValue => {
+      if (d === '' && tm === '') return null;
+      return tm === '' ? d : `${d}T${tm}`;
+    };
+    control = (
+      <div className="flex items-center gap-2">
+        <input
+          id={id}
+          type="date"
+          value={datePart}
+          aria-label={`${field.label} ${t('date')}`}
+          onChange={(e) => onChange(join(e.target.value, timePart))}
+          className={base}
+        />
+        <input
+          type="time"
+          step="1"
+          value={timePart}
+          aria-label={`${field.label} ${t('time')}`}
+          onChange={(e) => onChange(join(datePart, e.target.value))}
+          className={base}
+        />
+      </div>
+    );
+  } else if (field.widget === 'select_date') {
+    // SelectDateWidget (#664): a single <input type=date> is the faithful,
+    // accessible control for the same ISO value Django's three month/day/year
+    // selects produce — no semantics are lost (the user still picks a whole
+    // date) and it round-trips identically. We keep the date input rather
+    // than rebuild three coupled <select>s.
+    control = (
+      <input
+        id={id}
+        type="date"
+        value={value == null ? '' : String(value)}
+        onChange={(e) => onChange(e.target.value === '' ? null : e.target.value)}
+        className={base}
+      />
+    );
+  } else if (
+    (field.widget === 'checkbox_multiple' || field.widget === 'select_multiple') &&
+    field.choices &&
+    field.choices.length > 0
+  ) {
+    // CheckboxSelectMultiple / SelectMultiple for a NON-relational multi-value
+    // choice field (#664) — e.g. a forms.MultipleChoiceField, or a
+    // ChoiceField the admin forced to a multi widget. (M2M keeps its own
+    // branch below.) `checkbox_multiple` renders a checkbox bank; the
+    // `select_multiple` value of the hint renders a native <select multiple>.
+    // Both produce a string[] of the selected values, which the backend
+    // accepts the same way it does an M2M pk list.
+    const selectedSet = new Set((Array.isArray(value) ? value : []).map(String));
+    if (field.widget === 'select_multiple') {
+      control = (
+        <select
+          id={id}
+          multiple
+          value={Array.from(selectedSet)}
+          onChange={(e) =>
+            onChange(Array.from(e.target.selectedOptions).map((o) => o.value))
+          }
+          className={`${base} h-auto min-h-[6rem]`}
+        >
+          {field.choices.map((c) => (
+            <option key={String(c.value)} value={String(c.value)}>
+              {c.label}
+            </option>
+          ))}
+        </select>
+      );
+    } else {
+      control = (
+        <div className="max-h-48 space-y-1 overflow-y-auto rounded border border-gray-300 p-2">
+          {field.choices.map((c) => {
+            const key = String(c.value);
+            return (
+              <label key={key} className="flex items-center gap-2 text-sm">
+                <Checkbox
+                  checked={selectedSet.has(key)}
+                  onChange={(e) => {
+                    const next = new Set(selectedSet);
+                    if (e.target.checked) next.add(key);
+                    else next.delete(key);
+                    onChange(Array.from(next));
+                  }}
+                />
+                {c.label}
+              </label>
+            );
+          })}
+        </div>
+      );
+    }
+  } else if (field.widget === 'autocomplete' && field.type === 'foreignkey' && field.to) {
+    // autocomplete_fields FK (#664): the admin opted into the typeahead
+    // picker. Render the same AutocompleteInput the FK branch uses when the
+    // target is large; here the hint makes the choice explicit even when the
+    // target set is small enough that the backend could have inlined choices.
+    const envelopeLabel =
+      field.value && typeof field.value === 'object' && 'label' in field.value
+        ? (field.value as { label: string }).label
+        : undefined;
+    control = (
+      <AutocompleteInput
+        to={field.to}
+        value={value}
+        initialLabel={envelopeLabel}
+        invalid={Boolean(error?.length)}
+        onChange={onChange}
+      />
+    );
+  } else if (field.widget === 'autocomplete_multiple' && field.choices && field.choices.length > 0) {
+    // autocomplete_fields M2M with inlined choices (#664): render the
+    // checkbox multi-select (same control as the M2M-with-choices branch),
+    // which is faithful when the target set is inlined. A true async M2M
+    // typeahead picker for a large target is a tracked follow-up (#240); that
+    // case falls through to `unsupported_widget` below via the explicit note.
+    const selectedSet = new Set((Array.isArray(value) ? value : []).map(String));
+    control = (
+      <div className="max-h-48 space-y-1 overflow-y-auto rounded border border-gray-300 p-2">
+        {field.choices.map((c) => {
+          const key = String(c.value);
+          return (
+            <label key={key} className="flex items-center gap-2 text-sm">
+              <Checkbox
+                checked={selectedSet.has(key)}
+                onChange={(e) => {
+                  const next = new Set(selectedSet);
+                  if (e.target.checked) next.add(key);
+                  else next.delete(key);
+                  onChange(Array.from(next));
+                }}
+              />
+              {c.label}
+            </label>
+          );
+        })}
+      </div>
+    );
+  } else if (field.widget === 'file') {
+    // FileInput / ClearableFileInput (#664). Binary upload through the JSON
+    // wire is tracked separately (#241), so this is a deliberately limited
+    // control: a real <input type=file> that posts the chosen file name
+    // (so the field is at least visible and selectable) plus a visible note
+    // that the upload itself opens in the legacy admin. Never a silent
+    // wrong control.
+    control = (
+      <div className="space-y-1">
+        <input
+          id={id}
+          type="file"
+          onChange={(e) => onChange(e.target.files?.[0]?.name ?? null)}
+          className={base}
+        />
+        {field.value ? (
+          <p className="text-xs text-gray-500">
+            {t('Current file:')}{' '}
+            <FieldValueView value={field.value} type={field.type} />
+          </p>
+        ) : null}
+        <p className="text-xs text-amber-700">
+          {t('File upload is not supported in the SPA yet; use the legacy admin to change the file.')}
+        </p>
+      </div>
+    );
+  } else if (field.widget === 'unsupported_widget') {
+    // Explicit tracked fallback (#664): a widget.kind the SPA cannot render
+    // faithfully yet. Mirror the unregistered-custom branch — a usable
+    // default text input PLUS a visible operator note — so the gap is never
+    // a silent wrong control.
+    control = (
+      <div className="space-y-1">
+        <input
+          id={id}
+          type="text"
+          value={value == null ? '' : String(value)}
+          onChange={(e) => onChange(e.target.value)}
+          className={base}
+        />
+        <p className="text-xs text-amber-700">
+          {t('This field uses a widget the SPA cannot render yet; edit it in the legacy admin if it looks wrong.')}
+        </p>
+      </div>
+    );
   } else if (field.type === 'boolean') {
     control = (
       <Checkbox id={id} checked={value === true} onChange={(e) => onChange(e.target.checked)} />
@@ -350,7 +557,7 @@ export function FieldInput({ name, field, value, error, onChange }: FieldInputPr
         id={id}
         type="text"
         value={value == null ? '' : String(value)}
-        placeholder="HH:MM:SS"
+        placeholder={t('HH:MM:SS')}
         onChange={(e) => onChange(e.target.value)}
         className={base}
       />
@@ -367,7 +574,7 @@ export function FieldInput({ name, field, value, error, onChange }: FieldInputPr
         id={id}
         type="text"
         value={value == null ? '' : String(value)}
-        placeholder="comma,separated,values"
+        placeholder={t('comma,separated,values')}
         onChange={(e) => onChange(e.target.value)}
         className={base}
       />
@@ -392,7 +599,7 @@ export function FieldInput({ name, field, value, error, onChange }: FieldInputPr
           id={id}
           type="text"
           value={pair[0]}
-          placeholder="lower"
+          placeholder={t('lower')}
           aria-label={`${field.label} lower bound`}
           onChange={(e) => onChange([e.target.value, pair[1]])}
           className={base}
@@ -403,7 +610,7 @@ export function FieldInput({ name, field, value, error, onChange }: FieldInputPr
         <input
           type="text"
           value={pair[1]}
-          placeholder="upper"
+          placeholder={t('upper')}
           aria-label={`${field.label} upper bound`}
           onChange={(e) => onChange([pair[0], e.target.value])}
           className={base}
@@ -471,7 +678,7 @@ function ForeignKeyControl({ field, value, error, id, base, onChange }: ForeignK
         onChange={(e) => onChange(e.target.value === '' ? null : e.target.value)}
         className={base}
       >
-        <option value="">{field.required ? '— select —' : '(none)'}</option>
+        <option value="">{field.required ? t('— select —') : t('(none)')}</option>
         {withAdded.map((c) => (
           <option key={String(c.value)} value={String(c.value)}>
             {c.label}
@@ -506,7 +713,7 @@ function ForeignKeyControl({ field, value, error, id, base, onChange }: ForeignK
         type="text"
         defaultValue={bare == null ? '' : String(bare)}
         onChange={(e) => onChange(e.target.value === '' ? null : e.target.value)}
-        placeholder="related object id"
+        placeholder={t('related object id')}
         className={base}
       />
     );
diff --git a/frontend/packages/ui/src/RecordCardList.tsx b/frontend/packages/ui/src/RecordCardList.tsx
index e5994b0..066a2e4 100644
--- a/frontend/packages/ui/src/RecordCardList.tsx
+++ b/frontend/packages/ui/src/RecordCardList.tsx
@@ -60,6 +60,17 @@ export function RecordCardList<Row>({
   // First column = identity → title; the rest become the label/value body.
   const [titleCol, ...detailCols] = columns;
 
+  // list_display_links (#666): when the caller explicitly links NO column
+  // (`list_display_links = None` → every column carries `isLink: false`),
+  // the title is plain text and the card is not tappable — matching the
+  // desktop `<Table>`. Otherwise behaviour is unchanged: the card is
+  // tappable when `onRowClick` is set, and the title is an anchor when
+  // `rowHref` is set (the legacy default of "first column = identity link").
+  const anyExplicitLink = columns.some((c) => c.isLink !== undefined);
+  const linksDisabled = anyExplicitLink && !columns.some((c) => c.isLink);
+  const titleLinks = !linksDisabled;
+  const cardNav = linksDisabled ? undefined : onRowClick;
+
   if (loading) {
     return (
       <ul className="space-y-2" aria-busy="true">
@@ -87,23 +98,23 @@ export function RecordCardList<Row>({
           <li
             key={key}
             onClick={
-              onRowClick
+              cardNav
                 ? (e) => {
                     // A modified click (Cmd/Ctrl/Shift/Alt) is the browser's
                     // open-in-new-tab gesture — let the title anchor handle
                     // it; don't also navigate in-app.
                     if (e.metaKey || e.ctrlKey || e.shiftKey || e.altKey) return;
-                    onRowClick(row);
+                    cardNav(row);
                   }
                 : undefined
             }
             className={`rounded-lg border bg-white p-4 ${
               isSelected ? 'border-primary' : 'border-gray-300'
-            } ${onRowClick ? 'cursor-pointer hover:bg-gray-50' : ''}`}
+            } ${cardNav ? 'cursor-pointer hover:bg-gray-50' : ''}`}
           >
             <div className="flex items-start justify-between gap-3">
               <div className="min-w-0 flex-1 font-medium text-gray-900">
-                {rowHref && titleCol ? (
+                {titleLinks && titleCol && rowHref ? (
                   // Real anchor so native open-in-new-tab works; a plain
                   // left-click is intercepted for in-app nav (#253).
                   <a
@@ -113,7 +124,7 @@ export function RecordCardList<Row>({
                       if (e.metaKey || e.ctrlKey || e.shiftKey || e.altKey) return;
                       e.preventDefault();
                       e.stopPropagation();
-                      onRowClick?.(row);
+                      cardNav?.(row);
                     }}
                   >
                     {title}
diff --git a/frontend/packages/ui/src/Table.test.tsx b/frontend/packages/ui/src/Table.test.tsx
index 2ab63c0..51b9e30 100644
--- a/frontend/packages/ui/src/Table.test.tsx
+++ b/frontend/packages/ui/src/Table.test.tsx
@@ -139,4 +139,56 @@ describe('Table', () => {
     expect(th.getAttribute('tabindex')).toBeNull();
     expect(th.getAttribute('aria-sort')).toBeNull();
   });
+
+  describe('list_display_links (#666)', () => {
+    const linkRows: Row[] = [{ id: 1, name: 'Alice' }];
+
+    it('links the column(s) flagged isLink, not the first column, when isLink is set explicitly', () => {
+      const cols: TableColumn<Row>[] = [
+        { key: 'id', header: 'ID', isLink: false, render: (r) => `#${r.id}` },
+        { key: 'name', header: 'Name', isLink: true, render: (r) => r.name },
+      ];
+      render(
+        <Table columns={cols} rows={linkRows} rowKey={(r) => r.id} rowHref={(r) => `/x/${r.id}`} />,
+      );
+      // The `name` cell is the link; the `id` cell is plain text.
+      const nameLink = screen.getByText('Alice').closest('a');
+      expect(nameLink).not.toBeNull();
+      expect(nameLink?.getAttribute('href')).toBe('/x/1');
+      expect(screen.getByText('#1').closest('a')).toBeNull();
+    });
+
+    it('renders NO cell links and an inert row when no column is a link (list_display_links = None)', () => {
+      const onRowClick = vi.fn();
+      const cols: TableColumn<Row>[] = [
+        { key: 'id', header: 'ID', isLink: false, render: (r) => `#${r.id}` },
+        { key: 'name', header: 'Name', isLink: false, render: (r) => r.name },
+      ];
+      const { container } = render(
+        <Table
+          columns={cols}
+          rows={linkRows}
+          rowKey={(r) => r.id}
+          rowHref={(r) => `/x/${r.id}`}
+          onRowClick={onRowClick}
+        />,
+      );
+      expect(container.querySelector('tbody a')).toBeNull();
+      // Row is not clickable when nothing links.
+      fireEvent.click(screen.getByText('Alice'));
+      expect(onRowClick).not.toHaveBeenCalled();
+      expect((container.querySelector('tbody tr') as HTMLElement).className).not.toContain(
+        'cursor-pointer',
+      );
+    });
+
+    it('falls back to linking the first column when no column declares isLink (legacy / pre-1.6.0)', () => {
+      render(
+        <Table columns={columns} rows={linkRows} rowKey={(r) => r.id} rowHref={(r) => `/x/${r.id}`} />,
+      );
+      // `columns` here is [id, name] with no isLink → first column links.
+      expect(screen.getByText('1').closest('a')).not.toBeNull();
+      expect(screen.getByText('Alice').closest('a')).toBeNull();
+    });
+  });
 });
diff --git a/frontend/packages/ui/src/Table.tsx b/frontend/packages/ui/src/Table.tsx
index 1ce5d58..3e631d0 100644
--- a/frontend/packages/ui/src/Table.tsx
+++ b/frontend/packages/ui/src/Table.tsx
@@ -41,6 +41,17 @@ export interface TableColumn<Row> {
    * scrolling content (#586 — column-lock / frozen-cols feature).
    */
   sticky?: boolean;
+  /**
+   * Render this column's cell as a link to the row's detail/change page
+   * (the `rowHref` target). Mirrors Django's `list_display_links` (#666):
+   * the ModelAdmin chooses which column(s) link, not the SPA. When NO
+   * column sets this, the table renders no cell links and rows are not
+   * clickable (matching `list_display_links = None`). Falls back to a
+   * sensible default (the first non-selection column) only when the caller
+   * leaves every column's `isLink` unset AND `rowHref` is provided — see
+   * the Table body for the back-compat path.
+   */
+  isLink?: boolean;
 }
 
 export interface TableProps<Row> {
@@ -97,8 +108,27 @@ export interface TableProps<Row> {
    * table keeps roughly its prior height.
    */
   skeletonRows?: number;
+  /**
+   * Row virtualization for very long lists (#670 — the `?all` "Show all N"
+   * path renders up to `list_max_show_all`, 200 by default, rows at once).
+   * When set, each body row gets `content-visibility: auto` +
+   * `contain-intrinsic-size`, so the browser skips layout/paint for
+   * off-screen rows (native windowing) while keeping them in the DOM for
+   * Ctrl-F / a11y / native scroll. Cheaper and far less fragile than a
+   * JS windowing library given the sticky-column offset measurement this
+   * primitive already does. Off (undefined) for normal paginated lists,
+   * which are short enough that the optimisation isn't worth the
+   * intrinsic-size estimate.
+   */
+  virtualizeRows?: boolean;
 }
 
+// Estimated row height for `contain-intrinsic-size` when virtualizing
+// (#670). Only an estimate — it sets the placeholder size for an
+// off-screen, not-yet-laid-out row so the scrollbar stays proportional;
+// the real height is used once the row scrolls into view.
+const ESTIMATED_ROW_HEIGHT_PX = 41;
+
 const ALIGN_CLASSES = {
   left: 'text-left',
   right: 'text-right',
@@ -123,6 +153,7 @@ export function Table<Row>({
   skeletonRows,
   columnWidths,
   onColumnResize,
+  virtualizeRows = false,
 }: TableProps<Row>) {
   // Hooks must run unconditionally and in stable order on every
   // render — the empty-state early-return below has to come AFTER
@@ -189,6 +220,26 @@ export function Table<Row>({
   const hasWidths = columnWidths != null && Object.keys(columnWidths).length > 0;
   const resizable = onColumnResize != null;
 
+  // list_display_links (#666): which columns render their cell as a link to
+  // `rowHref(row)`. The caller (ListPage) sets `isLink` per the wire's
+  // `list_display_links`. Back-compat: when NO column declares `isLink` at
+  // all, fall back to linking the first column (the historic behaviour) so
+  // existing callers that don't pass the flag keep their links. When the
+  // caller DOES set `isLink` on some column(s), we honour exactly those —
+  // and when it explicitly sets none-to-true (e.g. `list_display_links =
+  // None`), no cell links and the rows are not clickable.
+  const anyExplicitLink = columns.some((c) => c.isLink !== undefined);
+  const isLinkCol = (col: TableColumn<Row>, index: number): boolean => {
+    if (!rowHref) return false;
+    if (anyExplicitLink) return col.isLink === true;
+    return index === 0; // legacy default
+  };
+  // When the caller explicitly links NO column (`list_display_links = None`
+  // → every column carries `isLink: false`), the rows are inert. Otherwise
+  // behaviour is unchanged: the row is clickable when `onRowClick` is set.
+  const linksDisabled = anyExplicitLink && !columns.some((c) => c.isLink === true);
+  const rowClickActive = linksDisabled ? undefined : onRowClick;
+
   // Helpers to build the sticky `<th>` / `<td>` style + className.
   // `style.left` is set so the browser knows where to pin during
   // horizontal scroll; the cell needs a background colour so content
@@ -371,13 +422,24 @@ export function Table<Row>({
                 return (
                   <tr
                     key={key}
-                    onClick={onRowClick ? () => onRowClick(row) : undefined}
+                    onClick={rowClickActive ? () => rowClickActive(row) : undefined}
                     // `data-selected` propagates the checkbox state to
                     // both the row's bg AND the frozen-cells' bg via
                     // the `--dar-row-bg` custom property (apps/web/
                     // src/index.css #613).
                     data-selected={isSelected ? 'true' : undefined}
-                    className={onRowClick ? 'cursor-pointer hover:bg-gray-50' : ''}
+                    // Native row windowing on the show-all path (#670): skip
+                    // layout/paint for off-screen rows, keeping them in the
+                    // DOM for find-in-page / a11y / native scroll.
+                    style={
+                      virtualizeRows
+                        ? {
+                            contentVisibility: 'auto',
+                            containIntrinsicSize: `auto ${ESTIMATED_ROW_HEIGHT_PX}px`,
+                          }
+                        : undefined
+                    }
+                    className={rowClickActive ? 'cursor-pointer hover:bg-gray-50' : ''}
                   >
                     {selectable && (
                       <td
@@ -414,10 +476,12 @@ export function Table<Row>({
                                 : 'max-w-[16rem] truncate'
                           }
                         >
-                          {ci === 0 && rowHref ? (
-                            // Real anchor on the first cell so the browser's
-                            // native open-in-new-tab works (#253); a plain
-                            // left-click is intercepted for in-app nav.
+                          {isLinkCol(col, ci) && rowHref ? (
+                            // Real anchor on each list_display_links column so
+                            // the browser's native open-in-new-tab works
+                            // (#253); a plain left-click is intercepted for
+                            // in-app nav. Which column(s) link is the
+                            // ModelAdmin's choice (#666).
                             <a
                               href={rowHref(row)}
                               className="text-inherit no-underline hover:underline"
diff --git a/frontend/packages/ui/src/i18n/es.json b/frontend/packages/ui/src/i18n/es.json
index 4d295e8..fcc3bdc 100644
--- a/frontend/packages/ui/src/i18n/es.json
+++ b/frontend/packages/ui/src/i18n/es.json
@@ -48,5 +48,19 @@
   "This page requires JavaScript.": "Esta página requiere JavaScript.",
   "This form is rendered by the legacy admin (custom change_form_template).": "Este formulario lo renderiza el admin clásico (change_form_template personalizado).",
   "Open in new tab": "Abrir en una pestaña nueva",
-  "Legacy admin form": "Formulario del admin clásico"
+  "Legacy admin form": "Formulario del admin clásico",
+  "— select —": "— seleccionar —",
+  "(none)": "(ninguno)",
+  "date": "fecha",
+  "time": "hora",
+  "HH:MM:SS": "HH:MM:SS",
+  "comma,separated,values": "valores,separados,por,comas",
+  "lower": "mínimo",
+  "upper": "máximo",
+  "related object id": "id del objeto relacionado",
+  "Current file:": "Archivo actual:",
+  "File upload is not supported in the SPA yet; use the legacy admin to change the file.": "La subida de archivos aún no se admite en la SPA; usa el admin clásico para cambiar el archivo.",
+  "This field uses a widget the SPA cannot render yet; edit it in the legacy admin if it looks wrong.": "Este campo usa un widget que la SPA aún no puede renderizar; edítalo en el admin clásico si se ve mal.",
+  "Page not found.": "Página no encontrada.",
+  "This form can’t be displayed: its address is invalid or points off-site.": "Este formulario no se puede mostrar: su dirección no es válida o apunta fuera del sitio."
 }
diff --git a/frontend/packages/ui/src/i18n/fr.json b/frontend/packages/ui/src/i18n/fr.json
index 3afd83d..5dce710 100644
--- a/frontend/packages/ui/src/i18n/fr.json
+++ b/frontend/packages/ui/src/i18n/fr.json
@@ -48,5 +48,19 @@
   "This page requires JavaScript.": "Cette page nécessite JavaScript.",
   "This form is rendered by the legacy admin (custom change_form_template).": "Ce formulaire est rendu par l’admin classique (change_form_template personnalisé).",
   "Open in new tab": "Ouvrir dans un nouvel onglet",
-  "Legacy admin form": "Formulaire de l’admin classique"
+  "Legacy admin form": "Formulaire de l’admin classique",
+  "— select —": "— sélectionner —",
+  "(none)": "(aucun)",
+  "date": "date",
+  "time": "heure",
+  "HH:MM:SS": "HH:MM:SS",
+  "comma,separated,values": "valeurs,séparées,par,virgules",
+  "lower": "minimum",
+  "upper": "maximum",
+  "related object id": "id de l'objet associé",
+  "Current file:": "Fichier actuel :",
+  "File upload is not supported in the SPA yet; use the legacy admin to change the file.": "L'envoi de fichiers n'est pas encore pris en charge dans la SPA ; utilisez l'admin classique pour changer le fichier.",
+  "This field uses a widget the SPA cannot render yet; edit it in the legacy admin if it looks wrong.": "Ce champ utilise un widget que la SPA ne peut pas encore afficher ; modifiez-le dans l'admin classique s'il s'affiche mal.",
+  "Page not found.": "Page introuvable.",
+  "This form can’t be displayed: its address is invalid or points off-site.": "Ce formulaire ne peut pas être affiché : son adresse est invalide ou pointe hors du site."
 }
diff --git a/frontend/packages/ui/src/i18n/pt.json b/frontend/packages/ui/src/i18n/pt.json
index 62fc02f..dcfb7a4 100644
--- a/frontend/packages/ui/src/i18n/pt.json
+++ b/frontend/packages/ui/src/i18n/pt.json
@@ -48,5 +48,19 @@
   "This page requires JavaScript.": "Esta página requer JavaScript.",
   "This form is rendered by the legacy admin (custom change_form_template).": "Este formulário é renderizado pelo admin clássico (change_form_template personalizado).",
   "Open in new tab": "Abrir em nova aba",
-  "Legacy admin form": "Formulário do admin clássico"
+  "Legacy admin form": "Formulário do admin clássico",
+  "— select —": "— selecionar —",
+  "(none)": "(nenhum)",
+  "date": "data",
+  "time": "hora",
+  "HH:MM:SS": "HH:MM:SS",
+  "comma,separated,values": "valores,separados,por,vírgulas",
+  "lower": "mínimo",
+  "upper": "máximo",
+  "related object id": "id do objeto relacionado",
+  "Current file:": "Arquivo atual:",
+  "File upload is not supported in the SPA yet; use the legacy admin to change the file.": "O envio de arquivos ainda não é suportado na SPA; use o admin clássico para alterar o arquivo.",
+  "This field uses a widget the SPA cannot render yet; edit it in the legacy admin if it looks wrong.": "Este campo usa um widget que a SPA ainda não consegue renderizar; edite-o no admin clássico se parecer errado.",
+  "Page not found.": "Página não encontrada.",
+  "This form can’t be displayed: its address is invalid or points off-site.": "Este formulário não pode ser exibido: seu endereço é inválido ou aponta para fora do site."
 }
diff --git a/pyproject.toml b/pyproject.toml
index 2ab7141..c38a5ee 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "django-admin-react"
-version = "1.10.1"
+version = "1.11.0"
 description = "A drop-in React single-page admin for Django, driven entirely by ModelAdmin."
 authors = ["django-admin-react contributors"]
 license = "MIT"
diff --git a/tests/test_checks.py b/tests/test_checks.py
new file mode 100644
index 0000000..028820b
--- /dev/null
+++ b/tests/test_checks.py
@@ -0,0 +1,117 @@
+"""System-check tests (#667).
+
+Exercise every branch of ``django_admin_react.checks`` — the happy path
+(no findings with the test project's correct config) and each failure
+mode via ``override_settings`` / monkeypatching, asserting the right
+check ID and that the message carries an actionable hint.
+"""
+
+from __future__ import annotations
+
+import pytest
+from django.test import override_settings
+
+from django_admin_react import checks as dar_checks
+
+
+def _ids(findings: list) -> set[str]:
+    return {f.id for f in findings}
+
+
+def test_all_checks_pass_with_the_test_project_config() -> None:
+    # The test project installs django_admin_rest_api, a valid ADMIN_SITE,
+    # no unknown keys, the inline API mount, and a built manifest is present
+    # in the package's static dir — so the only finding we tolerate is the
+    # bundle-missing warning when running from a source checkout.
+    findings = dar_checks.check_django_admin_react(None)
+    blocking = [f for f in findings if f.id != dar_checks.ID_BUNDLE_MISSING]
+    assert blocking == [], blocking
+
+
+@override_settings(DJANGO_ADMIN_REACT={"NOPE_TYPO": 1})
+def test_unknown_settings_key_is_an_error_with_hint() -> None:
+    findings = dar_checks._check_settings_keys()
+    assert _ids(findings) == {dar_checks.ID_UNKNOWN_SETTINGS}
+    assert "NOPE_TYPO" in findings[0].msg
+    assert findings[0].hint
+
+
+def test_bad_admin_site_dotted_path_is_an_error() -> None:
+    # ADMIN_SITE is read off the cached conf module; reload it under the
+    # override so the bad value takes effect.
+    import importlib
+
+    from django_admin_react import conf as dar_conf
+
+    with override_settings(DJANGO_ADMIN_REACT={"ADMIN_SITE": "does.not.exist.site"}):
+        importlib.reload(dar_conf)
+        try:
+            findings = dar_checks._check_admin_site_imports()
+        finally:
+            # Restore the cached conf for the rest of the suite.
+            importlib.reload(dar_conf)
+    assert _ids(findings) == {dar_checks.ID_ADMIN_SITE_IMPORT}
+    assert findings[0].hint
+
+
+def test_api_prefix_set_emits_a_mount_warning() -> None:
+    import importlib
+
+    from django_admin_react import conf as dar_conf
+
+    with override_settings(DJANGO_ADMIN_REACT={"API_URL_PREFIX": "/api/api/v1/"}):
+        importlib.reload(dar_conf)
+        try:
+            findings = dar_checks._check_api_prefix_coherence()
+        finally:
+            importlib.reload(dar_conf)
+    assert _ids(findings) == {dar_checks.ID_API_PREFIX_MOUNT}
+    assert "/api/api/v1/" in findings[0].msg
+    assert findings[0].hint
+
+
+def test_api_prefix_unset_emits_no_warning() -> None:
+    # Default test config leaves API_URL_PREFIX unset → inline mount → quiet.
+    assert dar_checks._check_api_prefix_coherence() == []
+
+
+def test_rest_api_missing_is_an_error(monkeypatch: pytest.MonkeyPatch) -> None:
+    from django.apps import apps as django_apps
+
+    real_is_installed = django_apps.is_installed
+
+    def fake_is_installed(label: str) -> bool:
+        if label == "django_admin_rest_api":
+            return False
+        return real_is_installed(label)
+
+    monkeypatch.setattr(django_apps, "is_installed", fake_is_installed)
+    findings = dar_checks._check_rest_api_installed()
+    assert _ids(findings) == {dar_checks.ID_REST_API_MISSING}
+    assert "INSTALLED_APPS" in findings[0].hint
+
+
+def test_bundle_missing_is_a_warning(monkeypatch: pytest.MonkeyPatch, tmp_path) -> None:
+    from django_admin_react import views
+
+    # Point the manifest path at a file that doesn't exist.
+    monkeypatch.setattr(views, "_MANIFEST_PATH", tmp_path / "missing-manifest.json")
+    findings = dar_checks._check_bundle_built()
+    assert _ids(findings) == {dar_checks.ID_BUNDLE_MISSING}
+    assert findings[0].hint
+
+
+def test_bundle_present_emits_no_warning(monkeypatch: pytest.MonkeyPatch, tmp_path) -> None:
+    from django_admin_react import views
+
+    manifest = tmp_path / "manifest.json"
+    manifest.write_text("{}", encoding="utf-8")
+    monkeypatch.setattr(views, "_MANIFEST_PATH", manifest)
+    assert dar_checks._check_bundle_built() == []
+
+
+def test_check_is_registered_with_django() -> None:
+    from django.core.checks import registry
+
+    registered = {c for c in registry.registry.get_checks()}
+    assert dar_checks.check_django_admin_react in registered
diff --git a/tests/test_project/settings.py b/tests/test_project/settings.py
index 8545df6..3a3e738 100644
--- a/tests/test_project/settings.py
+++ b/tests/test_project/settings.py
@@ -24,6 +24,9 @@
     # invisible on every legacy admin page). Documented in the
     # README's "Experience-toggle strip" section.
     "django_admin_react",
+    # The sibling REST API package — django_admin_react is a thin SPA layer
+    # over it, and the package's system check (#667) expects it installed.
+    "django_admin_rest_api",
     "django.contrib.admin",
     "django.contrib.auth",
     "django.contrib.contenttypes",