Why do you need two applications? In my opinion, you only have 1 application, namely the REST api.

The backoffice client as you refer to, can then consume the REST api. I am very much against two seperate applications talking to the same database; for me 1 database = 1 application, which is responsible for maintaining the data integrity, and should validate all permissions and restrictions.

If you create two completely seperate applications, which one is responsible for what? It makes no sense to me.

I agree with you. I will propose this change.

Yes, in practice you choose one repository to do your migrations.

We've more than 3 code repositories accessing the same database; only one has the proper migration information (the others usually have shallow copies or similar for unit test).