phase2(lookups+integrity): GET /api/managers+projects + manager FK guard + SupplierLeadCost для manual

3 интеграционных доработки после backend-completion v1.57.

(1) GET /api/managers + /api/projects + manager FK guard:
- ManagerController::index — active users тенанта (is_active+deleted_at IS NULL).
  Формат {id, email, first_name, last_name, name, initials} с
  formatName/formatInitials helpers (fallback на email).
- ProjectController::index — active projects (is_active=true).
- Оба endpoint'а: tenant_id query-param, 422 без, 404 unknown, RLS-обёртка.
- DealController::store FK guard: manager_id должен принадлежать tenant'у +
  is_active. Иначе 422 (закрывает security-gap чужого менеджера).
- Pest +8 в LookupsTest.

(2) Replace MOCK_MANAGERS / MOCK_PROJECTS на API в NewDealDialog:
- projectOptions/managerOptions ref'ы с MOCK fallback.
- loadLookups через Promise.all([listProjects, listManagers]) на open
  диалога с tenantId.
- managerIdByName Map name→id для submit'а.
- Silent fallback на mock при network-error.
- Vitest +2.

(3) SupplierLeadCost для manual-leads:
- В DealController::store после Deal::create — resolveSupplierId (копия
  логики ProcessWebhookJob: project_suppliers JOIN suppliers + ORDER BY
  sort_order). Если supplier найден — SupplierLeadCost с snapshot cost_rub
  + supplier_lead_id=NULL (manual: нет внешнего id).
- Manual по-прежнему НЕ списывает баланс (Ю-2 reseller-модель — charge
  только при webhook'е); cost-аналитика всё равно нужна.
- Pest +2.
- TODO: рефактор resolveSupplierId в App\Services\SupplierResolver чтобы
  Job + Controller разделяли логику.

Старый тест manager_id=42 переписан под FK guard через User::factory.

PHPStan baseline регенерирован (+28 ignored Pest TestCall warnings).

Регресс: lint+type-check+format ✅; vitest 247/247 за 16.32 сек (+2);
vite build 951 ms; Pint+PHPStan passed; Pest 166/166 за 22.11 сек
(+10 от 156, 699 assertions). Реестр v1.57→v1.58, CLAUDE.md v1.48→v1.49.

Production TODO остаточные:
- resolveSupplierId → SupplierResolver service.
- XLSX-export через PhpSpreadsheet.
- GET /api/deals для replace MOCK_DEALS в DealsView/KanbanView.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

app/app/Http/Controllers/Api/ProjectController.php

@@ -0,0 +1,52 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers\Api;
+
+use App\Http\Controllers\Controller;
+use App\Models\Project;
+use App\Models\Tenant;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\DB;
+
+/**
+ * Проекты tenant'а — для NewDealDialog dropdown'а и DealsView/Smart-filters.
+ *
+ * На MVP: tenant_id параметром. На prod: middleware('auth:sanctum')+'tenant'.
+ */
+class ProjectController extends Controller
+{
+    /** GET /api/projects?tenant_id={id} */
+    public function index(Request $request): JsonResponse
+    {
+        $tenantId = (int) $request->query('tenant_id', '0');
+        if ($tenantId < 1) {
+            return response()->json(['message' => 'Параметр tenant_id обязателен.'], 422);
+        }
+
+        $tenant = Tenant::find($tenantId);
+        if ($tenant === null) {
+            return response()->json(['message' => 'Тенант не найден.'], 404);
+        }
+
+        $projects = DB::transaction(function () use ($tenantId) {
+            DB::statement('SET LOCAL app.current_tenant_id = '.$tenantId);
+
+            return Project::query()
+                ->where('is_active', true)
+                ->orderBy('name')
+                ->get(['id', 'name', 'tag', 'type']);
+        });
+
+        return response()->json([
+            'projects' => $projects->map(fn (Project $p) => [
+                'id' => $p->id,
+                'name' => $p->name,
+                'tag' => $p->tag,
+                'type' => $p->type,
+            ]),
+        ]);
+    }
+}