fix(router-gate-v4): lastTurnEntries skips harness-injected skill bodies (isMeta + sourceToolUseID)

Sibling Claude session 2026-05-30 found that lastTurnEntries treats harness-injected skill bodies as spurious turn boundaries, breaking both enforce-memory-coverage (can't find user's coverage line) AND enforce-normative-content-rules::detectLegitSkillActive (can't find the Skill tool_use that lives in the assistant message BEFORE the body). Refinement applied here: this session inspected 29 isMeta:true entries across the live transcript (8f4ba767-...jsonl) via a debug helper and found isMeta:true is ALSO used for "Continue from where you left off" auto-resume, Stop hook feedback strings, and <local-command-caveat> wrappers — those are real user-equivalent boundaries that must remain visible. Sibling's blanket "skip isMeta" proposal would have broken them. Discriminator: skip ONLY when isMeta === true AND typeof sourceToolUseID === 'string' (tool-spawned content). Skill bodies have the linking field; the other isMeta sources do not. The sourceToolUseID field is harness- controlled and not writable by controller from inside a tool call — cannot be spoofed. Behaviour after fix: * Skill body injection → skipped → walk continues back to find user's real prompt (with coverage line). * The assistant message containing the Skill tool_use is now inside the turn → detectLegitSkillActive finds it → normative writes pass when invoked under an active claude-md-management skill. * "Continue from where you left off." → still treated as turn boundary. * Stop hook feedback strings → still treated as turn boundary. TDD: * 3 new tests in tools/enforce-hook-helpers.test.mjs under the "lastTurnEntries / lastUserPromptText / lastAssistantText / turnToolUses" describe block: - lastTurnEntries skips skill body injections (isMeta + sourceToolUseID) - lastTurnEntries does NOT skip "Continue from where you left off" (isMeta but no sourceToolUseID) - turnToolUses includes Skill tool_use spawned in same turn as the injected skill body * 2/3 RED→GREEN (the "Continue" negative test passed on baseline already since its string content satisfies the existing string-content branch). Scope: * Fixes 2 of the 5 structural quirks documented in the Stream H completion log (enforce-memory-coverage gap, enforce-normative- content-rules detectLegitSkillActive gap). * Does NOT fix: enforce-read-path-deny LEGIT_SKILLS exemption gap (separate hook, no lastTurnEntries dependency); TDD-gate cross-actor blindness (different mechanism — actor session boundaries); detectFullTestRun regex narrowness (command-pattern matching). Regression: vitest tools 1788/1788 GREEN (was 1785; +3 new tests). Plan: docs/superpowers/plans/2026-05-30-lastturnentries-skill-body-skip.md
docs(router-gate-v4): Stream H final — Layer 4 LLM-judge verified live via integration smoke
2026-05-30 14:16:12 +03:00 · 2026-05-30 13:30:34 +03:00 · 2026-05-30 12:08:33 +03:00 · 2026-05-30 11:46:32 +03:00 · 2026-05-30 11:43:31 +03:00 · 2026-05-30 11:39:47 +03:00
312 changed files with 43792 additions and 2673 deletions
@@ -66,16 +66,6 @@
          }
        ]
      },
-      {
-        "matcher": "Edit|Write|MultiEdit|NotebookEdit|Bash|Task|Agent",
-        "hooks": [
-          {
-            "type": "command",
-            "command": "node tools/enforce-chain-recommendation.mjs",
-            "timeout": 5
-          }
-        ]
-      },
      {
        "matcher": "Edit|Write|MultiEdit",
        "hooks": [
@@ -105,6 +95,86 @@
            "timeout": 5
          }
        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node tools/enforce-router-gate.mjs",
+            "timeout": 5
+          }
+        ]
+      },
+      {
+        "matcher": "PowerShell",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node tools/enforce-powershell-gate.mjs",
+            "timeout": 5
+          }
+        ]
+      },
+      {
+        "matcher": "Edit|Write|MultiEdit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node tools/enforce-normative-content-rules.mjs",
+            "timeout": 5
+          }
+        ]
+      },
+      {
+        "matcher": "Edit|Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node tools/enforce-tdd-real-test-verifier.mjs",
+            "timeout": 5
+          }
+        ]
+      },
+      {
+        "matcher": "Edit|Write|MultiEdit|Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node tools/enforce-self-debrief-detector.mjs",
+            "timeout": 5
+          }
+        ]
+      },
+      {
+        "matcher": "AskUserQuestion",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node tools/askuser-cosmetic-detector.mjs",
+            "timeout": 5
+          }
+        ]
+      },
+      {
+        "matcher": "mcp__.*",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node tools/enforce-mcp-classification.mjs",
+            "timeout": 5
+          }
+        ]
+      },
+      {
+        "matcher": "Read",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node tools/enforce-read-path-deny.mjs",
+            "timeout": 5
+          }
+        ]
      }
    ],
    "PostToolUse": [
@@ -150,6 +220,16 @@
            "timeout": 5
          }
        ]
+      },
+      {
+        "matcher": "Task",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node tools/enforce-subagent-return-scanner.mjs",
+            "timeout": 10
+          }
+        ]
      }
    ],
    "Stop": [
@@ -184,7 +264,7 @@
        "hooks": [
          {
            "type": "command",
-            "command": "node tools/enforce-classifier-match.mjs",
+            "command": "node tools/enforce-todowrite-skill-verifier.mjs",
            "timeout": 5
          }
        ]
@@ -193,8 +273,8 @@
        "hooks": [
          {
            "type": "command",
-            "command": "node tools/enforce-graph-first.mjs",
-            "timeout": 5
+            "command": "node tools/cost-stop-hook.mjs",
+            "timeout": 10
          }
        ]
      }
@@ -21,8 +21,8 @@ Aggregator over observer evidence. Reads JSONL + optional MD notes, surfaces can

 ## Procedure

-> **MANDATORY DIGITAL ANALYSIS (added 2026-05-26 after retro #6 feedback).**
-> Каждый прогон /brain-retro ОБЯЗАН включать **количественные срезы**, не только causal narrative. Минимум 10 цифровых таблиц:
+> **MANDATORY DIGITAL ANALYSIS (added 2026-05-26 after retro #6 feedback; extended to 11 tables 2026-05-28; extended to 13 tables 2026-05-30 in Stream H Task 8).**
+> Каждый прогон /brain-retro ОБЯЗАН включать **количественные срезы**, не только causal narrative. Минимум 13 цифровых таблиц:
 >
 > 1. **Path-type breakdown** (regulated vs improvised, со счётчиками и %).
 > 2. **node_chosen distribution** (топ-15 узлов с count + %).
@@ -34,8 +34,11 @@ Aggregator over observer evidence. Reads JSONL + optional MD notes, surfaces can
 > 8. **Class × canon coverage** — таблица класс задач × канонические узлы из мозга (`observer-classification-map.json`) × роутер рекомендовал × я реально взял × попало ли в канон. Источник — `result.classCanonCoverage` из analyzer.
 > 9. **Router vs Opus** — три секции: A (роутер дал → Opus оценил, расхождение видно сразу), B (роутер молчал → Opus сказал «надо был скил»), C (роутер дал → Opus согласился что скил излишен). Источник — `result.routerVsOpus`.
 > 10. **Chain-ignore breakdown** — отдельный срез: сколько раз роутер рекомендовал цепочку vs одиночный узел, какой % я игнорировал, и rework-rate каждого; bucket по длине цепочки (1/2/3+). Источник — `result.chainIgnoreBreakdown`.
+> 11. **Chain-hook effectiveness** — парсит `~/.claude/runtime/hook-outcomes.jsonl` за период retro. Buckets: blocked / passed-with-skill / passed-inline-override / passed-global-override / passed-short-chain / passed-no-mutating. Источник — `result.chainHookEffectiveness` из analyzer. Источник правила — brain-retro #9 Candidate 2.
+> 12. **Router-gate hook effectiveness (per-rule)** — счётчики fires + blocks по каждому `hook_fired.rule` в эпизодах за период (path-deny / git-conditional / branch-switch / etc). Помогает увидеть, какие правила реально стреляли и какой % fires заканчивался блокировкой. Источник — `result.routerGateHookEffectiveness` (Stream H Task 8). Без таблицы — нет видимости качества защит router-gate v4.
+> 13. **Self-fabrication signals** — эпизоды, где `controller_claim` непустой (контроллер заявил действие) но `tool_uses` пуст или отсутствует (записи о реальном tool-call нет). 7 канонических паттернов фабрикации задокументированы в `docs/superpowers/runbooks/recovery-procedures.md` §5. Источник — `result.selfFabricationSignals` (Stream H Task 8).
 >
-> Без этих 10 таблиц retro считается недоделанным. Narrative-выводы должны опираться на цифры из них, не на «общие ощущения». **Если classifier_output=NULL > 30% эпизодов** — это сигнал, что классификатор сломан; в retro отдельным блоком отчитаться о состоянии классификатора (timeouts/errors/source distribution).
+> Без этих 13 таблиц retro считается недоделанным. Narrative-выводы должны опираться на цифры из них, не на «общие ощущения». **Если classifier_output=NULL > 30% эпизодов** — это сигнал, что классификатор сломан; в retro отдельным блоком отчитаться о состоянии классификатора (timeouts/errors/source distribution).
 >
 > Запрет на жаргон для блока «Report to user»: цифры остаются техническими, словесные выводы пользователю — простым языком (см. memory `feedback_plain_language.md`).

@@ -0,0 +1,119 @@
+name: Run artisan command on liderra.ru
+
+# Universal artisan-runner для прод-команд пока прямой SSH с dev-машины
+# заблокирован YC backbone-фильтром. Заказчик пишет команду строкой в
+# workflow_dispatch input, workflow проверяет её по whitelist, выполняет на
+# проде под sudo -u www-data, выводит результат в job summary.
+#
+# Whitelist охватывает read-only / dry-run / status команды без подтверждения
+# плюс несколько mutating команд с обязательным confirm_apply=true.
+#
+# Любая команда вне whitelist'а → fail before SSH.
+#
+# Использует тот же LIDERRA_SSH_KEY что и deploy.yml/ssh-diagnose.yml.
+
+on:
+  workflow_dispatch:
+    inputs:
+      command:
+        description: 'artisan-команда (например: supplier:rekey-orphans --dry-run)'
+        required: true
+        type: string
+      confirm_apply:
+        description: 'Подтверждаю выполнение mutating-команды (обязательно true для команд без --dry-run)'
+        required: false
+        default: false
+        type: boolean
+
+jobs:
+  run:
+    name: ${{ github.event.inputs.command }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+      CMD: ${{ github.event.inputs.command }}
+      CONFIRM: ${{ github.event.inputs.confirm_apply }}
+
+    steps:
+      - name: Whitelist check
+        run: |
+          set -euo pipefail
+          CMD_TRIM=$(echo "$CMD" | sed 's/^ *//;s/ *$//')
+          echo "Requested: '$CMD_TRIM'"
+
+          # Group 1 — read-only / dry-run / inspection: всегда разрешены
+          READ_ONLY_RE='^(migrate:status|route:list|schedule:list|queue:listen --help|about|env:show|config:show|cache:table|view:cache|optimize:status|snapshot:backfill( --date=20[2-9][0-9]-[0-1][0-9]-[0-3][0-9])?|scheduler:check-heartbeats|incidents:watch-failures( --threshold-spike=[0-9]+)?( --threshold-daily=[0-9]+)?( --persistent-hours=[0-9]+)?|supplier:rekey-orphans --dry-run|audit:verify-chains|audit:rebuild-chain --partition=[a-z_0-9]+ --from-id=[0-9]+ --dry-run)( *)$'
+
+          # Group 2 — mutating: требуют confirm_apply=true
+          MUTATING_RE='^(supplier:rekey-orphans|cache:clear|view:clear|config:clear|route:clear|optimize:clear|optimize|queue:restart|partitions:create-months( --months=[0-9]+)?|partitions:drop-old|audit:rebuild-chain --partition=[a-z_0-9]+ --from-id=[0-9]+( --force)?)( *)$'
+
+          if [[ "$CMD_TRIM" =~ $READ_ONLY_RE ]]; then
+            echo "::notice::Command in read-only whitelist — proceeding."
+            exit 0
+          fi
+
+          if [[ "$CMD_TRIM" =~ $MUTATING_RE ]]; then
+            if [[ "$CONFIRM" != "true" ]]; then
+              echo "::error::Mutating command '$CMD_TRIM' requires confirm_apply=true. Re-run with confirm_apply checked."
+              exit 1
+            fi
+            echo "::warning::Mutating command authorized via confirm_apply=true."
+            exit 0
+          fi
+
+          echo "::error::Command '$CMD_TRIM' is NOT in whitelist. Allowed read-only patterns: $READ_ONLY_RE. Allowed mutating: $MUTATING_RE. Add to whitelist if needed."
+          exit 1
+
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Run artisan on prod
+        run: |
+          set -o pipefail
+          CMD_B64=$(printf '%s' "$CMD" | base64 -w0)
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} \
+            "CMD_B64='$CMD_B64' bash -s" <<'REMOTE' | tee /tmp/artisan-output.log
+            set +e
+            CMD=$(echo "$CMD_B64" | base64 -d)
+            cd /var/www/liderra/app
+            echo "=== Running: php artisan $CMD on $(hostname) at $(date -u) ==="
+            sudo -u www-data php artisan $CMD 2>&1
+            RC=$?
+            echo
+            echo "=== Exit code: $RC ==="
+            exit $RC
+          REMOTE
+
+      - name: Print summary
+        if: always()
+        run: |
+          {
+            echo "## artisan \`$CMD\`"
+            echo
+            echo "- Host: $LIDERRA_HOST"
+            echo "- Confirm: $CONFIRM"
+            echo "- Triggered by: ${{ github.actor }}"
+            echo
+            echo '```'
+            cat /tmp/artisan-output.log 2>/dev/null || echo "(no output captured)"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Upload output as artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: artisan-output
+          path: /tmp/artisan-output.log
+          retention-days: 30
+
+      - name: Cleanup SSH key
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -0,0 +1,229 @@
+name: Deploy to liderra.ru
+
+# Запускается вручную через web-интерфейс GitHub или через `gh workflow run`.
+# Решает проблему «дев-машина не достучится по SSH до прод-сервера через YC backbone»:
+# GitHub Actions runner — внешний по отношению к YC, его IP не блокируется тем
+# фильтром что блокирует мой dev-IP `89.144.17.119`.
+#
+# Требуемые secrets (Settings → Secrets and variables → Actions):
+#   LIDERRA_SSH_KEY  — содержимое приватного ключа `~/.ssh/liderra_deploy`
+#                       (начинается с `-----BEGIN OPENSSH PRIVATE KEY-----`).
+# Host/user захардкожены — публичная информация, нет смысла в secrets.
+
+on:
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: 'Branch/tag/SHA для деплоя (по умолчанию main)'
+        required: true
+        default: 'main'
+        type: string
+      backfill_snapshot:
+        description: 'Запустить snapshot:backfill за сегодня (default yes)'
+        required: false
+        default: true
+        type: boolean
+
+jobs:
+  deploy:
+    name: Deploy code + run redeploy.sh
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    concurrency:
+      group: liderra-prod-deploy
+      cancel-in-progress: false
+
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.inputs.ref }}
+
+      - name: Setup Node 22
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          cache: 'npm'
+          cache-dependency-path: app/package-lock.json
+
+      - name: Install frontend deps
+        # --legacy-peer-deps: Histoire 1.0-beta.1 заявляет peerDep vite ^7,
+        # установлено vite 8 — известный квирк проекта (memory feedback_environment.md #74).
+        working-directory: app
+        run: npm ci --legacy-peer-deps
+
+      - name: Build frontend
+        working-directory: app
+        run: npm run build
+
+      - name: Verify build artifacts present
+        run: |
+          test -f app/public/build/manifest.json
+          ls app/public/build/assets/ | head -5
+          du -sh app/public/build/
+
+      - name: Create deploy tarball
+        run: |
+          tar czf /tmp/deploy.tgz \
+            --exclude='app/.env' \
+            --exclude='app/.env.example' \
+            --exclude='app/.env.production' \
+            --exclude='app/storage' \
+            --exclude='app/vendor' \
+            --exclude='app/node_modules' \
+            --exclude='app/bootstrap/cache' \
+            app db
+          ls -lh /tmp/deploy.tgz
+
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Upload tarball to prod
+        run: |
+          scp -i ~/.ssh/liderra_deploy -o StrictHostKeyChecking=accept-new \
+            /tmp/deploy.tgz ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }}:/tmp/deploy.tgz
+
+      - name: Pre-apply partitioned migrations via postgres superuser
+        # Workaround for partitioned-table migrations:
+        # 2026_05_27_120000_create_project_routing_snapshots_table.php has SET ROLE crm_migrator
+        # which fails when pgsql connection = crm_app_user (not a member of crm_migrator),
+        # poisoning the transaction. Established prod pattern (memory: paused_at migration 26.05):
+        # apply schema via sudo -u postgres psql + insert into migrations table.
+        # Idempotent — skips if already applied.
+        run: |
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} 'bash -s' <<'REMOTE'
+            set -euo pipefail
+            MIG_NAME='2026_05_27_120000_create_project_routing_snapshots_table'
+
+            ALREADY=$(sudo -u postgres psql -d liderra -tAc \
+              "SELECT 1 FROM migrations WHERE migration = '${MIG_NAME}' LIMIT 1")
+            if [ "${ALREADY}" = "1" ]; then
+              echo "Migration ${MIG_NAME} already in migrations table — skipping."
+              exit 0
+            fi
+
+            TABLE_EXISTS=$(sudo -u postgres psql -d liderra -tAc \
+              "SELECT 1 FROM information_schema.tables WHERE table_name='project_routing_snapshots' LIMIT 1")
+
+            if [ "${TABLE_EXISTS}" != "1" ]; then
+              echo "Applying CREATE TABLE project_routing_snapshots via postgres superuser..."
+              sudo -u postgres psql -d liderra -v ON_ERROR_STOP=1 <<'PSQL'
+              BEGIN;
+              CREATE TABLE project_routing_snapshots (
+                  snapshot_date      DATE        NOT NULL,
+                  project_id         BIGINT      NOT NULL,
+                  tenant_id          BIGINT      NOT NULL,
+                  daily_limit        INT         NOT NULL CHECK (daily_limit >= 0),
+                  delivery_days_mask INT         NOT NULL CHECK (delivery_days_mask BETWEEN 0 AND 127),
+                  regions            INT[]       NOT NULL DEFAULT '{}',
+                  signal_type        TEXT        NOT NULL CHECK (signal_type IN ('call','site','sms')),
+                  signal_identifier  TEXT,
+                  sms_senders        JSONB,
+                  sms_keyword        TEXT,
+                  expected_volume    INT         NOT NULL CHECK (expected_volume >= 0),
+                  delivered_count    INT         NOT NULL DEFAULT 0 CHECK (delivered_count >= 0),
+                  created_at         TIMESTAMP   NOT NULL DEFAULT NOW(),
+                  PRIMARY KEY (snapshot_date, project_id),
+                  FOREIGN KEY (tenant_id) REFERENCES tenants(id) ON DELETE CASCADE
+              ) PARTITION BY RANGE (snapshot_date);
+              ALTER TABLE project_routing_snapshots OWNER TO crm_migrator;
+              CREATE INDEX project_routing_snapshots_tenant_date_idx
+                  ON project_routing_snapshots (tenant_id, snapshot_date);
+              CREATE INDEX project_routing_snapshots_signal_idx
+                  ON project_routing_snapshots (snapshot_date, signal_type, lower(signal_identifier));
+              ALTER TABLE project_routing_snapshots ENABLE ROW LEVEL SECURITY;
+              CREATE POLICY project_routing_snapshots_tenant_isolation
+                  ON project_routing_snapshots
+                  USING (tenant_id = current_setting('app.current_tenant_id', true)::bigint);
+              GRANT SELECT, INSERT, UPDATE ON project_routing_snapshots TO crm_app_user;
+              GRANT SELECT, INSERT, UPDATE, DELETE ON project_routing_snapshots TO crm_supplier_worker;
+              CREATE TABLE project_routing_snapshots_y2026_m05
+                  PARTITION OF project_routing_snapshots
+                  FOR VALUES FROM ('2026-05-01') TO ('2026-06-01');
+              CREATE TABLE project_routing_snapshots_y2026_m06
+                  PARTITION OF project_routing_snapshots
+                  FOR VALUES FROM ('2026-06-01') TO ('2026-07-01');
+              ALTER TABLE project_routing_snapshots_y2026_m05 OWNER TO crm_migrator;
+              ALTER TABLE project_routing_snapshots_y2026_m06 OWNER TO crm_migrator;
+              INSERT INTO system_settings (key, value, type, description, updated_at)
+                  VALUES ('partition_retention_months_project_routing_snapshots', '3', 'int',
+                          'Retention в месяцах для project_routing_snapshots (90 дней)', NOW())
+                  ON CONFLICT (key) DO NOTHING;
+              COMMIT;
+          PSQL
+            else
+              echo "Table project_routing_snapshots already exists but migration not marked — marking only."
+            fi
+
+            # Mark migration as applied so Laravel migrate skips it.
+            # Laravel's migrations table has no UNIQUE on `migration` column, so
+            # ON CONFLICT doesn't work — use INSERT...SELECT WHERE NOT EXISTS for idempotency.
+            NEXT_BATCH=$(sudo -u postgres psql -d liderra -tAc "SELECT COALESCE(MAX(batch),0)+1 FROM migrations")
+            sudo -u postgres psql -d liderra -c \
+              "INSERT INTO migrations (migration, batch) SELECT '${MIG_NAME}', ${NEXT_BATCH} WHERE NOT EXISTS (SELECT 1 FROM migrations WHERE migration='${MIG_NAME}');"
+            echo "Marked ${MIG_NAME} as applied (batch ${NEXT_BATCH})"
+          REMOTE
+
+      - name: Extract + run redeploy.sh on prod
+        run: |
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} 'bash -s' <<'REMOTE'
+            set -euo pipefail
+            TS=$(date -u +%Y%m%d-%H%M%S)
+            echo "=== Backup current app ==="
+            sudo tar czf /home/ubuntu/deploy-backups/app-pre-deploy-${TS}.tgz \
+              --exclude='storage' --exclude='vendor' --exclude='node_modules' --exclude='public/build' \
+              -C /var/www/liderra app
+            ls -lh /home/ubuntu/deploy-backups/app-pre-deploy-${TS}.tgz
+
+            echo "=== Extract overlay ==="
+            cd /var/www/liderra
+            sudo tar xzf /tmp/deploy.tgz
+            sudo chown -R www-data:www-data /var/www/liderra/app /var/www/liderra/db
+
+            echo "=== redeploy.sh (composer + migrate + optimize + restart) ==="
+            sudo bash /var/www/liderra/redeploy.sh
+
+            rm -f /tmp/deploy.tgz
+          REMOTE
+
+      - name: Backfill today's snapshot
+        if: ${{ github.event.inputs.backfill_snapshot != 'false' }}
+        run: |
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} 'bash -s' <<'REMOTE'
+            set -e
+            cd /var/www/liderra/app
+            sudo -u www-data php artisan snapshot:backfill --date=$(date +%Y-%m-%d) || \
+              echo "WARN: backfill returned non-zero — проверь вручную"
+          REMOTE
+
+      - name: Smoke tests
+        run: |
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} 'bash -s' <<'REMOTE'
+            set -e
+            cd /var/www/liderra/app
+            echo '=== Migrations status (last 5) ==='
+            sudo -u www-data php artisan migrate:status 2>&1 | tail -5
+            echo '=== Snapshots count (last 3 dates) ==='
+            sudo -u postgres psql -d liderra -c "SELECT snapshot_date, COUNT(*) AS rows FROM project_routing_snapshots GROUP BY 1 ORDER BY 1 DESC LIMIT 3;" || true
+            echo '=== Service status ==='
+            systemctl is-active nginx php8.3-fpm postgresql liderra-queue
+            echo '=== Internal portal health ==='
+            curl -sf -o /dev/null -w 'https=%{http_code} time=%{time_total}s\n' --max-time 8 https://127.0.0.1/ -k || true
+          REMOTE
+
+      - name: External portal health (from runner)
+        run: |
+          curl -sf -o /dev/null -w 'external https=%{http_code} time=%{time_total}s\n' \
+            --max-time 15 https://liderra.ru/ || echo "external health returned non-zero"
+
+      - name: Cleanup SSH key
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -0,0 +1,213 @@
+name: Disk-full recovery on liderra.ru
+
+# Incident response: PG в PANIC loop из-за / диск 100%.
+# 1) Диагностика: что где лежит (top-20 крупных, du по /var/log)
+# 2) Безопасная чистка:
+#    - truncate /var/log/postgresql/postgresql-16-main.log (PG в PANIC, не пишет, inode preserved)
+#    - journalctl --vacuum-size=200M
+#    - старые ротированные *.gz логи nginx >7 дней
+#    - apt-get clean
+#    - Laravel storage/logs *.log >7 дней
+# 3) Final df check + PG probe.
+#
+# Триггер: gh workflow run disk-recover.yml -f confirm_apply=true
+
+on:
+  workflow_dispatch:
+    inputs:
+      confirm_apply:
+        description: 'Подтверждаю удаление логов на проде'
+        required: true
+        default: 'false'
+        type: boolean
+
+jobs:
+  recover:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+      CONFIRM: ${{ github.event.inputs.confirm_apply }}
+
+    steps:
+      - name: Guard
+        run: |
+          if [[ "$CONFIRM" != "true" ]]; then
+            echo "::error::confirm_apply=true required (this workflow mutates disk on prod)"
+            exit 1
+          fi
+
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Diagnose + cleanup
+        run: |
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} \
+            "bash -s" <<'REMOTE' | tee /tmp/recover.log
+          set +e
+
+          echo "=== A. BEFORE: df -h / ==="
+          df -h / /var /var/lib/postgresql 2>&1 | head -10
+          echo
+
+          echo "=== B. Top-20 largest files in /var (>50M) ==="
+          sudo find /var -xdev -type f -size +50M -printf "%s %p\n" 2>/dev/null | sort -rn | head -20 | awk '{printf "%8.1f MB  %s\n", $1/1024/1024, $2}'
+          echo
+
+          echo "=== C. du /var/log/ top-15 directories ==="
+          sudo du -sh /var/log/*/ 2>/dev/null | sort -rh | head -15
+          echo
+
+          echo "=== D. du /var/log/postgresql/* (individual files) ==="
+          sudo du -sh /var/log/postgresql/* 2>/dev/null | sort -rh | head -10
+          echo
+
+          echo "=== E. journalctl disk usage ==="
+          sudo journalctl --disk-usage 2>&1
+          echo
+
+          echo "=== F. /var/lib/postgresql/16/main top-15 subdirs ==="
+          sudo du -sh /var/lib/postgresql/16/main/*/ 2>/dev/null | sort -rh | head -15
+          echo
+
+          echo "=== G. /var/www top-10 if exists ==="
+          sudo du -sh /var/www/*/ 2>/dev/null | sort -rh | head -10
+          sudo du -sh /var/www/lidpotok/storage/logs/ 2>/dev/null
+          echo
+
+          echo "=== H. apt cache + tmp ==="
+          sudo du -sh /var/cache/apt/archives/ /tmp/ /var/tmp/ 2>/dev/null
+          echo
+
+          echo "=========================================="
+          echo "=== STARTING CLEANUP (confirm_apply=true) ==="
+          echo "=========================================="
+          echo
+
+          echo "=== 1a. PRIORITY: Truncate laravel.log (8.7 GB!) and rotated copies ==="
+          for f in /var/www/liderra/app/storage/logs/laravel.log /var/www/liderra/app/storage/logs/laravel.log.1; do
+            if [[ -f "$f" ]]; then
+              BEFORE=$(sudo du -m "$f" | cut -f1)
+              echo "BEFORE: $f = $BEFORE MB"
+              sudo bash -c ": > '$f'" 2>&1 || sudo truncate -s 0 "$f"
+              AFTER=$(sudo du -m "$f" | cut -f1)
+              echo "AFTER:  $f = $AFTER MB"
+            fi
+          done
+          # Старые laravel-* (если daily-rotated)
+          sudo find /var/www/liderra/app/storage/logs -name "laravel-*.log" -mtime +3 -print -delete 2>&1 | head -10
+          echo
+
+          echo "=== 1b. Truncate PG audit log via sudo bash redirect (workaround) ==="
+          if [[ -f /var/log/postgresql/postgresql-16-main.log ]]; then
+            BEFORE=$(sudo du -m /var/log/postgresql/postgresql-16-main.log | cut -f1)
+            echo "BEFORE: $BEFORE MB"
+            sudo bash -c ': > /var/log/postgresql/postgresql-16-main.log' 2>&1
+            AFTER=$(sudo du -m /var/log/postgresql/postgresql-16-main.log | cut -f1)
+            echo "AFTER:  $AFTER MB"
+          fi
+          sudo find /var/log/postgresql -type f \( -name "*.gz" -o -name "*.log.[0-9]*" \) -delete 2>&1
+          echo
+
+          echo "=== 1c. Truncate syslog (525M) ==="
+          sudo bash -c ': > /var/log/syslog' 2>&1
+          echo "syslog now: $(sudo du -m /var/log/syslog 2>/dev/null | cut -f1) MB"
+          echo
+
+          echo "=== 1d. Remove playwright dev cache (~440M, не нужен в проде) ==="
+          if [[ -d /var/www/.cache/ms-playwright ]]; then
+            sudo du -sh /var/www/.cache/ms-playwright 2>&1
+            sudo rm -rf /var/www/.cache/ms-playwright
+            echo "removed"
+          fi
+          echo
+
+          echo "=== 2. journalctl vacuum --size=200M ==="
+          sudo journalctl --vacuum-size=200M 2>&1 | tail -10
+          echo
+
+          echo "=== 3. nginx old rotated logs (gz files >3 days) ==="
+          sudo find /var/log/nginx -name "*.gz" -mtime +3 -print -delete 2>&1 | head -20
+          echo
+          # current access.log если >500M — truncate (nginx переоткрывает по reopen signal)
+          for f in /var/log/nginx/access.log /var/log/nginx/error.log; do
+            if [[ -f "$f" ]]; then
+              SIZE_MB=$(sudo du -m "$f" | cut -f1)
+              if [[ $SIZE_MB -gt 500 ]]; then
+                echo "Truncating $f ($SIZE_MB MB)"
+                sudo truncate -s 0 "$f"
+              fi
+            fi
+          done
+
+          echo
+          echo "=== 4. apt-get clean ==="
+          sudo apt-get clean 2>&1 | tail -5
+          echo
+
+          echo "=== 5. Laravel storage/logs *.log older 7 days ==="
+          if [[ -d /var/www/lidpotok ]]; then
+            sudo find /var/www/lidpotok -path '*/storage/logs/*.log' -mtime +7 -print -delete 2>&1 | head -20
+          fi
+          for d in /var/www/*/; do
+            if [[ -d "$d/storage/logs" ]]; then
+              for f in "$d"/storage/logs/laravel.log "$d"/storage/logs/worker.log; do
+                if [[ -f "$f" ]]; then
+                  SIZE_MB=$(sudo du -m "$f" | cut -f1)
+                  if [[ $SIZE_MB -gt 200 ]]; then
+                    echo "Truncating $f ($SIZE_MB MB)"
+                    sudo truncate -s 0 "$f"
+                  fi
+                fi
+              done
+            fi
+          done
+          echo
+
+          echo "=== 6. Old rotated *.1 *.2 *.gz logs >50M anywhere in /var/log ==="
+          sudo find /var/log -type f \( -name "*.1" -o -name "*.2" -o -name "*.3" -o -name "*.gz" \) -size +50M -print -delete 2>&1 | head -20
+          echo
+
+          echo "=========================================="
+          echo "=== AFTER CLEANUP ==="
+          echo "=========================================="
+          echo "=== Z1. df -h / ==="
+          df -h / /var /var/lib/postgresql 2>&1 | head -10
+          echo
+
+          echo "=== Z2. PG status quick check ==="
+          sudo systemctl status postgresql@16-main --no-pager 2>&1 | head -10
+          echo
+
+          echo "=== Z3. PG probe ==="
+          sleep 5
+          sudo -u postgres psql -d liderra -c "SELECT 1 AS probe, NOW() AS ts" 2>&1
+          echo
+
+          echo "=== Z4. HTTPS probe ==="
+          curl -sI -o /dev/null -w "HTTP %{http_code}\nTotal: %{time_total}s\n" https://liderra.ru/ --max-time 10
+          echo
+
+          echo "=== DONE ==="
+          REMOTE
+
+      - name: Print summary
+        if: always()
+        run: |
+          {
+            echo "## Disk recovery on liderra.ru"
+            echo
+            echo '```'
+            cat /tmp/recover.log 2>/dev/null || echo "(no log captured)"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Cleanup SSH key
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -0,0 +1,109 @@
+name: Disk usage alert (prod liderra.ru)
+
+# Incident prevention: 29.05.2026 диск заполнился до 100% за сутки → 4h prod downtime.
+# Этот workflow проверяет df -h / каждые 30 минут.
+# Threshold: 85% → создаёт row в incidents_log (read by ops monitoring).
+# 95% → marks как severity=critical для приоритетного alert'а.
+#
+# Ref: docs/incidents/2026-05-29-disk-full-pg-recovery.md §5
+
+on:
+  schedule:
+    # Every 30 minutes (Mondays-Sundays). At :00 и :30 каждого часа UTC.
+    - cron: '*/30 * * * *'
+  workflow_dispatch:
+    inputs:
+      threshold:
+        description: 'Override threshold % (default 85)'
+        required: false
+        default: '85'
+        type: string
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    timeout-minutes: 3
+
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+      THRESHOLD: ${{ github.event.inputs.threshold || '85' }}
+
+    steps:
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Check disk usage on prod
+        id: check
+        run: |
+          set -o pipefail
+          OUTPUT=$(ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} "df -h / | awk 'NR==2 {gsub(\"%\",\"\",\$5); print \$2\" \"\$3\" \"\$4\" \"\$5}'")
+          read SIZE USED AVAIL PCT <<< "$OUTPUT"
+          echo "size=$SIZE used=$USED avail=$AVAIL pct=$PCT"
+          echo "pct=$PCT" >> $GITHUB_OUTPUT
+          echo "size=$SIZE" >> $GITHUB_OUTPUT
+          echo "used=$USED" >> $GITHUB_OUTPUT
+          echo "avail=$AVAIL" >> $GITHUB_OUTPUT
+
+          if [[ -z "$PCT" ]]; then
+            echo "::error::Could not parse df output"
+            exit 1
+          fi
+
+          if [[ "$PCT" -ge 95 ]]; then
+            echo "severity=critical" >> $GITHUB_OUTPUT
+            echo "::error::Disk usage CRITICAL: $PCT% (size=$SIZE used=$USED avail=$AVAIL)"
+          elif [[ "$PCT" -ge "$THRESHOLD" ]]; then
+            echo "severity=warning" >> $GITHUB_OUTPUT
+            echo "::warning::Disk usage HIGH: $PCT% (threshold $THRESHOLD%, size=$SIZE used=$USED avail=$AVAIL)"
+          else
+            echo "severity=ok" >> $GITHUB_OUTPUT
+            echo "::notice::Disk usage OK: $PCT% (size=$SIZE used=$USED avail=$AVAIL)"
+          fi
+
+      - name: Record incident if >= threshold
+        if: steps.check.outputs.severity != 'ok'
+        run: |
+          PCT="${{ steps.check.outputs.pct }}"
+          SIZE="${{ steps.check.outputs.size }}"
+          USED="${{ steps.check.outputs.used }}"
+          AVAIL="${{ steps.check.outputs.avail }}"
+          SEVERITY="${{ steps.check.outputs.severity }}"
+
+          # Note: incidents_log table requires INSERT path through Laravel app.
+          # GitHub Step Summary serves as primary alert; Telegram bot watches
+          # GitHub Actions notifications. Future: extend sql-runner whitelist
+          # для INSERT into incidents_log.
+          {
+            echo "## 🚨 Disk usage alert — severity=$SEVERITY ($PCT%)"
+            echo
+            echo "- Host: ${{ env.LIDERRA_HOST }}"
+            echo "- Filesystem: /"
+            echo "- Size: $SIZE"
+            echo "- Used: $USED"
+            echo "- Available: $AVAIL"
+            echo "- Threshold: ${{ env.THRESHOLD }}%"
+            echo "- Time UTC: $(date -u)"
+            echo
+            echo "**Action required:** Investigate via pg-diagnose.yml workflow."
+            echo
+            echo "Likely causes (from incident 2026-05-29):"
+            echo "- /var/www/liderra/app/storage/logs/laravel.log — Laravel exception accumulation"
+            echo "- /var/log/postgresql/postgresql-16-main.log — pg_audit verbose logging"
+            echo "- /var/log/syslog — kernel + service logs"
+            echo "- /var/www/.cache/ — dev caches leaked to prod"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+          # Fail the job чтобы GitHub Actions подсветило red — это серфисится
+          # через GitHub notifications (email/desktop/telegram bot).
+          if [[ "$SEVERITY" == "critical" ]]; then
+            exit 1
+          fi
+
+      - name: Cleanup SSH key
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -0,0 +1,113 @@
+name: Apply F1 audit-chain advisory-lock migration via postgres superuser
+
+# Incident response: redeploy.yml fails on F1 migration because crm_migrator role
+# lacks privilege to CREATE OR REPLACE FUNCTION в schema public.
+# This workflow applies F1 migration SQL directly via sudo -u postgres psql,
+# then INSERTs the migration row so subsequent `php artisan migrate` skips it.
+#
+# Ref: docs/superpowers/plans/2026-05-29-audit-chain-race-fix.md Task 2
+# Migration file: app/database/migrations/2026_05_30_000001_add_advisory_lock_to_audit_chain_hash.php
+
+on:
+  workflow_dispatch:
+    inputs:
+      confirm_apply:
+        description: 'Подтверждаю применение F1 миграции на проде'
+        required: true
+        default: 'false'
+        type: boolean
+
+jobs:
+  apply:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+      CONFIRM: ${{ github.event.inputs.confirm_apply }}
+
+    steps:
+      - name: Guard
+        run: |
+          if [[ "$CONFIRM" != "true" ]]; then
+            echo "::error::confirm_apply=true required"
+            exit 1
+          fi
+
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Apply F1 SQL + register migration
+        run: |
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} \
+            "bash -s" <<'REMOTE' | tee /tmp/f1-apply.log
+          set +e
+
+          echo "=== 1. BEFORE: current audit_chain_hash function source ==="
+          sudo -u postgres psql -d liderra -c "\df+ public.audit_chain_hash" 2>&1 | head -20
+
+          echo
+          echo "=== 2. Apply F1 advisory-lock migration via sudo -u postgres ==="
+          sudo -u postgres psql -d liderra <<'SQL'
+          CREATE OR REPLACE FUNCTION public.audit_chain_hash() RETURNS trigger AS $$
+          DECLARE
+              prev_hash BYTEA;
+              lock_key  BIGINT;
+          BEGIN
+              lock_key := ('x' || lpad(to_hex(TG_RELID::int), 16, '0'))::bit(64)::bigint;
+              PERFORM pg_advisory_xact_lock(lock_key);
+
+              EXECUTE format(
+                  'SELECT log_hash FROM %I ORDER BY id DESC LIMIT 1',
+                  TG_TABLE_NAME
+              ) INTO prev_hash;
+
+              NEW.log_hash := digest(
+                  COALESCE(prev_hash, ''::bytea) || NEW::text::bytea,
+                  'sha256'
+              );
+              RETURN NEW;
+          END;
+          $$ LANGUAGE plpgsql;
+          SQL
+          APPLY_RC=$?
+          echo "Apply RC: $APPLY_RC"
+
+          echo
+          echo "=== 3. Verify function now contains pg_advisory_xact_lock ==="
+          sudo -u postgres psql -d liderra -c "SELECT pg_get_functiondef('public.audit_chain_hash'::regproc) LIKE '%pg_advisory_xact_lock%' AS has_lock"
+
+          echo
+          echo "=== 4. Register migration row (skip if already exists) ==="
+          sudo -u postgres psql -d liderra <<'SQL'
+          INSERT INTO migrations (migration, batch)
+          SELECT '2026_05_30_000001_add_advisory_lock_to_audit_chain_hash', COALESCE(MAX(batch),0)+1 FROM migrations
+          WHERE NOT EXISTS (
+              SELECT 1 FROM migrations WHERE migration = '2026_05_30_000001_add_advisory_lock_to_audit_chain_hash'
+          );
+          SELECT migration, batch FROM migrations WHERE migration LIKE '%advisory_lock%';
+          SQL
+
+          echo
+          echo "=== DONE ==="
+          REMOTE
+
+      - name: Print summary
+        if: always()
+        run: |
+          {
+            echo "## F1 migration apply"
+            echo
+            echo '```'
+            cat /tmp/f1-apply.log 2>/dev/null || echo "(no log)"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Cleanup SSH key
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -0,0 +1,221 @@
+name: Rebuild audit hash chain via postgres superuser (F1 cleanup)
+
+# Closes deferred F1 item from docs/incidents/2026-05-29-disk-full-pg-recovery.md §4.1.
+# Sequential hash recomputation в plpgsql DO-блоке через sudo -u postgres psql.
+# Identical алгоритм с trigger audit_chain_hash() (post-F1 advisory-lock version),
+# но применённый к existing rows.
+#
+# Использование:
+#   gh workflow run f1-rebuild-via-superuser.yml \
+#     -f partition=activity_log_y2026_m05 -f from_id=599 -f confirm_apply=true
+#
+# Safety:
+#   - Partition name whitelist (только заранее известные сломанные партиции).
+#   - dry_run=true mode показывает count + anchor prev_hash без UPDATE.
+#   - Trigger audit_chain_hash отключён через SET LOCAL session_replication_role=replica
+#     (постоянный disable невозможен — после COMMIT триггер опять активен).
+#   - audit_block_mutation также подавлен через session_replication_role=replica.
+
+on:
+  workflow_dispatch:
+    inputs:
+      partition:
+        description: 'Partition name (whitelist: activity_log_y2026_m05, balance_transactions_y2026_m05)'
+        required: true
+        type: string
+      from_id:
+        description: 'First broken id (rebuild from here onward)'
+        required: true
+        type: string
+      dry_run:
+        description: 'Dry-run (показать count + anchor без UPDATE)'
+        required: false
+        default: 'false'
+        type: boolean
+      confirm_apply:
+        description: 'Подтверждаю rebuild на проде (требуется если dry_run=false)'
+        required: false
+        default: 'false'
+        type: boolean
+
+jobs:
+  rebuild:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+      PARTITION: ${{ github.event.inputs.partition }}
+      FROM_ID: ${{ github.event.inputs.from_id }}
+      DRY_RUN: ${{ github.event.inputs.dry_run }}
+      CONFIRM: ${{ github.event.inputs.confirm_apply }}
+
+    steps:
+      - name: Validate inputs
+        run: |
+          set -euo pipefail
+
+          # Whitelist partition names (защита от arbitrary table names)
+          ALLOWED='^(activity_log_y2026_m05|balance_transactions_y2026_m05)$'
+          if ! [[ "$PARTITION" =~ $ALLOWED ]]; then
+            echo "::error::partition '$PARTITION' not in whitelist: $ALLOWED"
+            exit 1
+          fi
+
+          # from_id is positive integer
+          if ! [[ "$FROM_ID" =~ ^[0-9]+$ ]]; then
+            echo "::error::from_id must be positive integer, got '$FROM_ID'"
+            exit 1
+          fi
+
+          if [[ "$DRY_RUN" != "true" && "$CONFIRM" != "true" ]]; then
+            echo "::error::Either dry_run=true OR confirm_apply=true must be set"
+            exit 1
+          fi
+
+          echo "Inputs OK: partition=$PARTITION, from_id=$FROM_ID, dry_run=$DRY_RUN, confirm_apply=$CONFIRM"
+
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Run rebuild on prod
+        run: |
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} \
+            "PARTITION='$PARTITION' FROM_ID='$FROM_ID' DRY_RUN='$DRY_RUN' bash -s" <<'REMOTE' | tee /tmp/f1-rebuild.log
+          set +e
+
+          echo "=== 1. Anchor + count preview ==="
+          sudo -u postgres psql -d liderra -v ON_ERROR_STOP=1 <<SQL
+          \set partition $PARTITION
+          \set from_id $FROM_ID
+
+          -- Anchor: log_hash of row right BEFORE from_id (=> prev_hash for from_id)
+          SELECT
+            (SELECT id FROM :"partition" WHERE id < :from_id ORDER BY id DESC LIMIT 1) AS anchor_id,
+            encode((SELECT log_hash FROM :"partition" WHERE id < :from_id ORDER BY id DESC LIMIT 1), 'hex') AS anchor_log_hash,
+            (SELECT COUNT(*) FROM :"partition" WHERE id >= :from_id) AS rows_to_rebuild,
+            (SELECT MIN(id) FROM :"partition" WHERE id >= :from_id) AS first_id,
+            (SELECT MAX(id) FROM :"partition" WHERE id >= :from_id) AS last_id;
+          SQL
+          PRE_RC=$?
+          if [[ $PRE_RC -ne 0 ]]; then
+            echo "::error::Pre-check failed (RC=$PRE_RC)"
+            exit $PRE_RC
+          fi
+
+          if [[ "$DRY_RUN" == "true" ]]; then
+            echo
+            echo "=== DRY RUN — no changes applied ==="
+            exit 0
+          fi
+
+          echo
+          echo "=== 2. APPLY: rebuild hash chain on $PARTITION from id=$FROM_ID ==="
+          # Canonical algorithm (mirrors app/app/Console/Commands/AuditRebuildChain.php):
+          # builds explicit ROW(col1, col2, ..., NULL::bytea on log_hash position, ..., coln)::text::bytea
+          # so hash matches what audit:verify-chains computes (which uses same COLUMN_CONFIG).
+          case "$PARTITION" in
+            activity_log_*)
+              ROW_EXPR="ROW(t.id, t.tenant_id, t.user_id, t.deal_id, t.event, t.old_value, t.new_value, t.context, t.ip_address, t.user_agent, NULL::bytea, t.created_at)"
+              ;;
+            balance_transactions_*)
+              ROW_EXPR="ROW(t.id, t.tenant_id, t.type, t.amount_rub, t.amount_leads, t.balance_rub_after, t.balance_leads_after, t.description, t.related_type, t.related_id, t.user_id, t.admin_user_id, NULL::bytea, t.created_at)"
+              ;;
+            *)
+              echo "::error::Unknown partition family — add ROW_EXPR mapping"
+              exit 1
+              ;;
+          esac
+          echo "Using ROW expression: $ROW_EXPR"
+
+          sudo -u postgres psql -d liderra -v ON_ERROR_STOP=1 <<SQL
+          BEGIN;
+          SET LOCAL session_replication_role = 'replica';
+
+          DO \$rebuild\$
+          DECLARE
+              cur_id    BIGINT;
+              prev_hash BYTEA;
+              new_hash  BYTEA;
+              cnt       INTEGER := 0;
+              partition_name TEXT := '$PARTITION';
+              start_id  BIGINT := $FROM_ID;
+              row_expr  TEXT := '$ROW_EXPR';
+          BEGIN
+              EXECUTE format(
+                  'SELECT log_hash FROM %I WHERE id < \$1 ORDER BY id DESC LIMIT 1',
+                  partition_name
+              )
+              INTO prev_hash
+              USING start_id;
+
+              RAISE NOTICE 'Anchor prev_hash: %', COALESCE(encode(prev_hash, 'hex'), '<NULL — start of chain>');
+
+              FOR cur_id IN
+                  EXECUTE format(
+                      'SELECT id FROM %I WHERE id >= \$1 ORDER BY id',
+                      partition_name
+                  )
+                  USING start_id
+              LOOP
+                  -- Compute new_hash with explicit ROW(...) expression (canonical, matches verify-chains)
+                  EXECUTE format(
+                      'SELECT digest(COALESCE(\$1, ''''::bytea) || %s::text::bytea, ''sha256'') FROM %I t WHERE id = \$2',
+                      row_expr, partition_name
+                  )
+                  INTO new_hash
+                  USING prev_hash, cur_id;
+
+                  EXECUTE format('UPDATE %I SET log_hash = \$1 WHERE id = \$2', partition_name)
+                      USING new_hash, cur_id;
+
+                  prev_hash := new_hash;
+                  cnt := cnt + 1;
+              END LOOP;
+
+              RAISE NOTICE 'Rebuilt % rows. Last log_hash: %', cnt, encode(prev_hash, 'hex');
+          END
+          \$rebuild\$;
+
+          COMMIT;
+          SQL
+          APPLY_RC=$?
+
+          echo
+          echo "=== 3. Verify: no NULL log_hash в обновлённых строках ==="
+          sudo -u postgres psql -d liderra <<SQL
+          \set partition $PARTITION
+          \set from_id $FROM_ID
+          SELECT
+            COUNT(*) FILTER (WHERE log_hash IS NULL) AS null_count,
+            COUNT(*) AS total,
+            MIN(id) AS first_id,
+            MAX(id) AS last_id
+          FROM :"partition"
+          WHERE id >= :from_id;
+          SQL
+
+          echo
+          echo "=== Apply RC: $APPLY_RC ==="
+          exit $APPLY_RC
+          REMOTE
+
+      - name: Print summary
+        if: always()
+        run: |
+          {
+            echo "## F1 chain rebuild — $PARTITION (from_id=$FROM_ID, dry_run=$DRY_RUN)"
+            echo
+            echo '```'
+            cat /tmp/f1-rebuild.log 2>/dev/null || echo "(no log)"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Cleanup SSH key
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -0,0 +1,96 @@
+name: Diagnose PostgreSQL state on liderra.ru
+
+# Read-only diagnostic для incident "PG не принимает connections".
+# Запускается вручную: gh workflow run pg-diagnose.yml --ref <branch>
+# Ничего не меняет на проде — только читает systemctl/journalctl/df/free/uptime
+# + tail последних 200 строк postgresql-16-main.log.
+
+on:
+  workflow_dispatch:
+
+jobs:
+  diagnose:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+
+    steps:
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Run PG diagnostic on prod
+        run: |
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} \
+            "bash -s" <<'REMOTE' | tee /tmp/pg-diagnose.log
+          set +e
+          echo "=== 1. hostname + UTC time ==="
+          echo "host=$(hostname); utc=$(date -u)"
+          echo
+          echo "=== 2. uptime ==="
+          uptime
+          echo
+          echo "=== 3. last reboot ==="
+          who -b
+          last reboot --time-format=iso | head -5
+          echo
+          echo "=== 4. df -h / and /var ==="
+          df -h / /var /var/lib/postgresql 2>&1 | head -10
+          echo
+          echo "=== 5. free -h ==="
+          free -h
+          echo
+          echo "=== 6. systemctl status postgresql ==="
+          sudo systemctl status postgresql --no-pager 2>&1 | head -30
+          echo
+          echo "=== 7. systemctl status postgresql@16-main (cluster) ==="
+          sudo systemctl status postgresql@16-main --no-pager 2>&1 | head -30
+          echo
+          echo "=== 8. nginx + php-fpm status (one-line each) ==="
+          sudo systemctl is-active nginx php8.3-fpm liderra-queue 2>&1
+          echo
+          echo "=== 9. ps aux | postgres (top 15) ==="
+          ps auxf | grep -E "(postgres|recovery)" | grep -v grep | head -15
+          echo
+          echo "=== 10. journalctl postgresql last 80 lines ==="
+          sudo journalctl -u postgresql -n 80 --no-pager 2>&1 | tail -80
+          echo
+          echo "=== 11. journalctl postgresql@16-main last 80 lines ==="
+          sudo journalctl -u postgresql@16-main -n 80 --no-pager 2>&1 | tail -80
+          echo
+          echo "=== 12. tail -100 /var/log/postgresql/postgresql-16-main.log ==="
+          sudo tail -100 /var/log/postgresql/postgresql-16-main.log 2>&1
+          echo
+          echo "=== 13. WAL size and count ==="
+          sudo du -sh /var/lib/postgresql/16/main/pg_wal 2>&1
+          sudo ls /var/lib/postgresql/16/main/pg_wal 2>&1 | wc -l
+          echo
+          echo "=== 14. dmesg tail (kernel events, OOM, IO errors) ==="
+          sudo dmesg -T 2>&1 | tail -40
+          echo
+          echo "=== 15. liderra.ru HTTPS probe ==="
+          curl -sI -o /dev/null -w "HTTP %{http_code}\nTotal: %{time_total}s\n" https://liderra.ru/ --max-time 10
+          echo
+          echo "=== DONE ==="
+          REMOTE
+
+      - name: Print summary
+        if: always()
+        run: |
+          {
+            echo "## PG diagnostic on liderra.ru"
+            echo
+            echo '```'
+            cat /tmp/pg-diagnose.log 2>/dev/null || echo "(no log captured)"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Cleanup SSH key
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -0,0 +1,192 @@
+name: Pre-deploy validation (8 checks)
+
+# Цель: воспроизвести 8 проверок project-local агента `prod-deploy-validator`
+# (#85) через GitHub Actions Azure runner — обход YC backbone-фильтра,
+# который блокирует direct SSH с dev-IP 89.144.17.119.
+#
+# Запускается вручную: gh workflow run pre-deploy-checks.yml
+# Read-only — ничего не меняет на проде.
+#
+# 8 checks (per Pravila §2.4 / agent .claude/agents/prod-deploy-validator.md):
+#   1. config:cache владелец (quirk 107 — должен быть www-data:www-data, не root)
+#   2. .env line endings (CRLF → артефакты)
+#   3. свободное место (< 80% использовано)
+#   4. свежесть бэкапа БД (≤ 24ч)
+#   5. health очереди liderra-queue (active + queue length < 1000)
+#   6. nginx syntax (nginx -t)
+#   7. fail2ban active (service running)
+#   8. pending миграции (php artisan migrate:status — для текущего deploy ожидается 0)
+#
+# Использует тот же LIDERRA_SSH_KEY что и deploy.yml.
+
+on:
+  workflow_dispatch:
+
+jobs:
+  preflight:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+      APP_DIR: /var/www/liderra/app
+
+    steps:
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Run 8 pre-flight checks on prod
+        id: checks
+        run: |
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} \
+            "APP_DIR='${APP_DIR}' bash -s" <<'REMOTE' | tee /tmp/preflight.log
+            set +e
+            FAILS=0
+
+            echo "=== Check 1: config:cache file owner (quirk 107) ==="
+            CFG_FILE="${APP_DIR}/bootstrap/cache/config.php"
+            if sudo test -f "$CFG_FILE"; then
+              OWNER=$(sudo stat -c '%U:%G' "$CFG_FILE")
+              echo "  Owner: $OWNER"
+              if [ "$OWNER" = "www-data:www-data" ]; then
+                echo "  ✓ PASS"
+              else
+                echo "  ✗ FAIL — expected www-data:www-data (quirk 107: prod incident 24.05.2026)"
+                FAILS=$((FAILS+1))
+              fi
+            else
+              echo "  ~ SKIP — config.php не существует (будет создан deploy'ем)"
+            fi
+            echo
+
+            echo "=== Check 2: .env line endings (no CRLF) ==="
+            ENV_FILE="${APP_DIR}/.env"
+            if sudo test -f "$ENV_FILE"; then
+              CRLF_COUNT=$(sudo grep -c $'\r' "$ENV_FILE" 2>/dev/null || echo "0")
+              echo "  CRLF chars: $CRLF_COUNT"
+              if [ "$CRLF_COUNT" = "0" ]; then
+                echo "  ✓ PASS"
+              else
+                echo "  ✗ FAIL — .env содержит CRLF ($CRLF_COUNT строк)"
+                FAILS=$((FAILS+1))
+              fi
+            else
+              echo "  ✗ FAIL — .env not found"
+              FAILS=$((FAILS+1))
+            fi
+            echo
+
+            echo "=== Check 3: free disk space (< 80% used) ==="
+            DF_USED=$(df / | tail -1 | awk '{print $5}' | tr -d '%')
+            echo "  Used: ${DF_USED}%"
+            if [ "$DF_USED" -lt 80 ]; then
+              echo "  ✓ PASS"
+            else
+              echo "  ✗ FAIL — корневой раздел ${DF_USED}% (>=80%)"
+              FAILS=$((FAILS+1))
+            fi
+            echo
+
+            echo "=== Check 4: pre-deploy backup freshness (≤ 24h) ==="
+            # deploy.yml saves app pre-deploy backups to /home/ubuntu/deploy-backups/
+            BACKUP_DIR="/home/ubuntu/deploy-backups"
+            if sudo test -d "$BACKUP_DIR"; then
+              LATEST=$(sudo find "$BACKUP_DIR" -name 'app-pre-deploy-*.tgz' -mmin -1440 2>/dev/null | sort -r | head -1)
+              if [ -n "$LATEST" ]; then
+                MTIME=$(sudo stat -c '%y' "$LATEST" 2>/dev/null)
+                echo "  Latest: $LATEST ($MTIME)"
+                echo "  ✓ PASS"
+              else
+                ANY_LATEST=$(sudo find "$BACKUP_DIR" -name 'app-pre-deploy-*.tgz' 2>/dev/null | sort -r | head -1)
+                if [ -n "$ANY_LATEST" ]; then
+                  ANY_MTIME=$(sudo stat -c '%y' "$ANY_LATEST" 2>/dev/null)
+                  echo "  i NOTE — backups exist но >24h ($ANY_LATEST, $ANY_MTIME). Не блокер deploy'а — deploy.yml сам делает свежий backup перед раскаткой."
+                else
+                  echo "  i NOTE — нет pre-deploy бэкапов в $BACKUP_DIR. Не блокер — deploy.yml создаст backup сам."
+                fi
+              fi
+            else
+              echo "  i NOTE — backup dir $BACKUP_DIR не существует (первый deploy?). deploy.yml создаст dir."
+            fi
+            echo
+
+            echo "=== Check 5: queue health (liderra-queue active + depth) ==="
+            QUEUE_STATUS=$(systemctl is-active liderra-queue 2>&1)
+            echo "  Service: $QUEUE_STATUS"
+            if [ "$QUEUE_STATUS" = "active" ]; then
+              echo "  ✓ PASS (service active)"
+            else
+              echo "  ✗ FAIL — liderra-queue не active"
+              FAILS=$((FAILS+1))
+            fi
+            # NB: queue depth check would need Redis access; skipped (not critical for this deploy)
+            echo
+
+            echo "=== Check 6: nginx syntax ==="
+            NGINX_TEST=$(sudo nginx -t 2>&1)
+            echo "$NGINX_TEST" | sed 's/^/  /'
+            if echo "$NGINX_TEST" | grep -q "syntax is ok" && echo "$NGINX_TEST" | grep -q "test is successful"; then
+              echo "  ✓ PASS"
+            else
+              echo "  ✗ FAIL — nginx syntax error"
+              FAILS=$((FAILS+1))
+            fi
+            echo
+
+            echo "=== Check 7: fail2ban active ==="
+            F2B_STATUS=$(systemctl is-active fail2ban 2>&1)
+            echo "  Service: $F2B_STATUS"
+            if [ "$F2B_STATUS" = "active" ]; then
+              echo "  ✓ PASS"
+            else
+              echo "  ✗ FAIL — fail2ban не active"
+              FAILS=$((FAILS+1))
+            fi
+            echo
+
+            echo "=== Check 8: pending migrations ==="
+            cd "${APP_DIR}"
+            MIG_STATUS=$(sudo -u www-data php artisan migrate:status 2>&1)
+            PENDING=$(echo "$MIG_STATUS" | grep -c "Pending")
+            echo "  Pending count: $PENDING"
+            if [ "$PENDING" = "0" ]; then
+              echo "  ✓ PASS — 0 pending migrations"
+            else
+              echo "  i NOTE — $PENDING pending migrations (deploy.yml runs them automatically)"
+              # NB: Pending miграции — это НЕ FAIL для этого deploy (план не включает миграции;
+              # deploy.yml выполнит их сам). Помечается как INFO, не FAIL.
+            fi
+            echo
+
+            echo "=== SUMMARY ==="
+            echo "Total failures: $FAILS"
+            if [ "$FAILS" = "0" ]; then
+              echo "VERDICT: GO"
+              exit 0
+            else
+              echo "VERDICT: NO-GO ($FAILS check(s) failed)"
+              exit 1
+            fi
+          REMOTE
+          REMOTE_EXIT=$?
+          echo "remote_exit=$REMOTE_EXIT" >> "$GITHUB_OUTPUT"
+
+      - name: Print summary
+        if: always()
+        run: |
+          {
+            echo "## Pre-deploy 8-check validation for liderra.ru"
+            echo
+            echo '```'
+            cat /tmp/preflight.log 2>/dev/null || echo "(no log captured)"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Cleanup SSH key
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -0,0 +1,167 @@
+name: Setup logrotate for Laravel logs (incident prevention)
+
+# Incident response prevention: 8.7G laravel.log заполнил диск (29.05.2026).
+# Существующий daily rotation (laravel.log.1) недостаточен — за один день шторма
+# accumulated 8.7G. Нужна size-based rotation с лимитом.
+#
+# This workflow installs /etc/logrotate.d/laravel-liderra config:
+#   - size 50M (rotate when file >= 50MB, не daily)
+#   - rotate 5 (keep 5 rotated copies)
+#   - compress (gzip rotated files)
+#   - copytruncate (atomic copy + truncate inode-preserving, Laravel handle continues)
+#   - notifempty (skip if empty)
+#   - su www-data www-data (correct ownership)
+#
+# Тестируется logrotate --debug сразу после установки.
+#
+# Ref: root-cause analysis incident 2026-05-29
+
+on:
+  workflow_dispatch:
+    inputs:
+      confirm_apply:
+        description: 'Подтверждаю установку logrotate конфига на проде'
+        required: true
+        default: 'false'
+        type: boolean
+
+jobs:
+  setup:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+      CONFIRM: ${{ github.event.inputs.confirm_apply }}
+
+    steps:
+      - name: Guard
+        run: |
+          if [[ "$CONFIRM" != "true" ]]; then
+            echo "::error::confirm_apply=true required"
+            exit 1
+          fi
+
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Install logrotate config + verify
+        run: |
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} \
+            "bash -s" <<'REMOTE' | tee /tmp/logrotate-setup.log
+          set +e
+
+          echo "=== 1. Discover Laravel logs path ==="
+          LARAVEL_LOG_DIR=""
+          for candidate in /var/www/liderra/app/storage/logs /var/www/lidpotok/storage/logs; do
+            if [[ -d "$candidate" ]]; then
+              LARAVEL_LOG_DIR="$candidate"
+              break
+            fi
+          done
+          echo "LARAVEL_LOG_DIR=$LARAVEL_LOG_DIR"
+          if [[ -z "$LARAVEL_LOG_DIR" ]]; then
+            echo "::error::Cannot find Laravel logs directory"
+            exit 1
+          fi
+          echo "Current sizes:"
+          sudo du -sh "$LARAVEL_LOG_DIR"/*.log 2>/dev/null | head -10
+
+          echo
+          echo "=== 2. Write logrotate config to /etc/logrotate.d/laravel-liderra ==="
+          sudo tee /etc/logrotate.d/laravel-liderra > /dev/null <<EOF
+          $LARAVEL_LOG_DIR/*.log {
+              size 50M
+              rotate 5
+              compress
+              delaycompress
+              missingok
+              notifempty
+              copytruncate
+              su www-data www-data
+              create 0644 www-data www-data
+          }
+          EOF
+          echo "Wrote config:"
+          sudo cat /etc/logrotate.d/laravel-liderra
+          sudo chmod 0644 /etc/logrotate.d/laravel-liderra
+
+          echo
+          echo "=== 3. Verify config syntax via logrotate --debug ==="
+          sudo logrotate --debug /etc/logrotate.d/laravel-liderra 2>&1 | head -30
+
+          echo
+          echo "=== 4. Trigger rotation now (--force) for clean state ==="
+          sudo logrotate --force /etc/logrotate.d/laravel-liderra 2>&1 | tail -10
+
+          echo
+          echo "=== 5. PostgreSQL log rotation config ==="
+          # Default Ubuntu postgresql-common rotates daily without size cap.
+          # We override with size 100M / rotate 7 / postrotate SIGHUP (PG reopens log).
+          # Higher alpha order than postgresql-common → processed later → wins on same files.
+          sudo tee /etc/logrotate.d/postgresql-liderra > /dev/null <<EOF
+          /var/log/postgresql/*.log {
+              su postgres postgres
+              size 100M
+              rotate 7
+              compress
+              delaycompress
+              missingok
+              notifempty
+              create 0640 postgres adm
+              sharedscripts
+              postrotate
+                  # SIGHUP postmaster для re-open log file (standard PG idiom).
+                  # PG holds log file handle open — без SIGHUP write goes to old (deleted) inode.
+                  if [ -f /var/run/postgresql/16-main.pid ]; then
+                      kill -HUP \$(cat /var/run/postgresql/16-main.pid) 2>/dev/null || true
+                  fi
+              endscript
+          }
+          EOF
+          echo "Wrote /etc/logrotate.d/postgresql-liderra:"
+          sudo cat /etc/logrotate.d/postgresql-liderra
+          sudo chmod 0644 /etc/logrotate.d/postgresql-liderra
+
+          echo
+          echo "=== 6. Verify PG logrotate syntax ==="
+          sudo logrotate --debug /etc/logrotate.d/postgresql-liderra 2>&1 | head -20
+
+          echo
+          echo "=== 7. Force PG log rotation now (clean state) ==="
+          sudo logrotate --force /etc/logrotate.d/postgresql-liderra 2>&1 | tail -10
+
+          echo
+          echo "=== 8. AFTER: PG log directory state ==="
+          sudo ls -lah /var/log/postgresql/ 2>&1 | head -10
+
+          echo
+          echo "=== 9. AFTER: Laravel log directory state ==="
+          sudo ls -lah "$LARAVEL_LOG_DIR/" 2>&1 | head -20
+          echo
+          echo "=== 10. Disk free ==="
+          df -h / 2>&1 | head -3
+
+          echo
+          echo "=== DONE ==="
+          REMOTE
+
+      - name: Print summary
+        if: always()
+        run: |
+          {
+            echo "## logrotate setup"
+            echo
+            echo '```'
+            cat /tmp/logrotate-setup.log 2>/dev/null || echo "(no log)"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Cleanup SSH key
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -0,0 +1,208 @@
+name: SQL rebuild audit hash-chain (per-tenant via postgres)
+
+# Запускает per-tenant rebuild hash-chain для аудит-партиции через
+# sudo -u postgres psql (обход limitation crm_supplier_worker роли —
+# она не может SET session_replication_role).
+#
+# Поддерживает 2 таблицы (Stage 5 finding 1+2):
+#   - activity_log → ROW(id,tenant_id,user_id,deal_id,event,old_value,
+#     new_value,context,ip_address,user_agent,NULL::bytea,created_at)
+#   - balance_transactions → ROW(id,tenant_id,type,amount_rub,amount_leads,
+#     balance_rub_after,balance_leads_after,description,related_type,
+#     related_id,user_id,admin_user_id,NULL::bytea,created_at)
+
+on:
+  workflow_dispatch:
+    inputs:
+      partition:
+        description: 'Имя партиции, например activity_log_y2026_m05'
+        required: true
+        type: string
+      from_id:
+        description: 'ID с которого начать пересчёт (включительно)'
+        required: true
+        type: string
+      table_kind:
+        description: 'activity_log | balance_transactions | pd_processing_log | tenant_operations_log'
+        required: true
+        type: choice
+        options:
+          - activity_log
+          - balance_transactions
+          - pd_processing_log
+          - tenant_operations_log
+      confirm_apply:
+        description: 'Подтверждаю выполнение mutating cleanup'
+        required: true
+        default: false
+        type: boolean
+
+jobs:
+  rebuild:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+      PARTITION: ${{ github.event.inputs.partition }}
+      FROM_ID: ${{ github.event.inputs.from_id }}
+      TABLE_KIND: ${{ github.event.inputs.table_kind }}
+
+    steps:
+      - name: Confirm check
+        run: |
+          if [[ "${{ github.event.inputs.confirm_apply }}" != "true" ]]; then
+            echo "::error::confirm_apply=true обязателен"
+            exit 1
+          fi
+          # Sanity: partition must match table_kind
+          case "$TABLE_KIND" in
+            activity_log)
+              if [[ ! "$PARTITION" =~ ^activity_log_y[0-9]{4}_m[0-9]{2}$ ]]; then
+                echo "::error::partition '$PARTITION' не соответствует table_kind=activity_log"
+                exit 1
+              fi
+              ;;
+            balance_transactions)
+              if [[ ! "$PARTITION" =~ ^balance_transactions_y[0-9]{4}_m[0-9]{2}$ ]]; then
+                echo "::error::partition '$PARTITION' не соответствует table_kind=balance_transactions"
+                exit 1
+              fi
+              ;;
+            pd_processing_log)
+              if [[ ! "$PARTITION" =~ ^pd_processing_log_y[0-9]{4}_m[0-9]{2}$ ]]; then
+                echo "::error::partition '$PARTITION' не соответствует table_kind=pd_processing_log"
+                exit 1
+              fi
+              ;;
+            tenant_operations_log)
+              if [[ ! "$PARTITION" =~ ^tenant_operations_log_y[0-9]{4}_m[0-9]{2}$ ]]; then
+                echo "::error::partition '$PARTITION' не соответствует table_kind=tenant_operations_log"
+                exit 1
+              fi
+              ;;
+            *)
+              echo "::error::table_kind unknown"
+              exit 1
+              ;;
+          esac
+          if ! [[ "$FROM_ID" =~ ^[0-9]+$ ]]; then
+            echo "::error::from_id must be numeric"
+            exit 1
+          fi
+
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Execute SQL rebuild on prod
+        run: |
+          # Build ROW expression per table_kind (mirror AuditChainConfig::TABLES)
+          case "$TABLE_KIND" in
+            activity_log)
+              ROW_EXPR="ROW(t.id, t.tenant_id, t.user_id, t.deal_id, t.event, t.old_value, t.new_value, t.context, t.ip_address, t.user_agent, NULL::bytea, t.created_at)"
+              ;;
+            balance_transactions)
+              ROW_EXPR="ROW(t.id, t.tenant_id, t.type, t.amount_rub, t.amount_leads, t.balance_rub_after, t.balance_leads_after, t.description, t.related_type, t.related_id, t.user_id, t.admin_user_id, NULL::bytea, t.created_at)"
+              ;;
+            pd_processing_log)
+              ROW_EXPR="ROW(t.id, t.tenant_id, t.subject_type, t.subject_id, t.action, t.purpose, t.actor_tenant_user_id, t.actor_admin_user_id, t.ip_address, NULL::bytea, t.created_at)"
+              ;;
+            tenant_operations_log)
+              ROW_EXPR="ROW(t.id, t.tenant_id, t.user_id, t.entity_type, t.entity_id, t.event, t.payload_before, t.payload_after, t.ip_address, t.user_agent, NULL::bytea, t.created_at)"
+              ;;
+          esac
+
+          # Build SQL with substituted PARTITION + FROM_ID + ROW_EXPR
+          cat > /tmp/rebuild.sql <<SQL
+          \\set ON_ERROR_STOP 1
+
+          SELECT 'BEFORE: mismatches in partition' AS phase, COUNT(*) AS cnt
+          FROM (
+            WITH ordered AS (
+              SELECT id, tenant_id, log_hash AS stored_hash,
+                     LAG(log_hash) OVER (PARTITION BY tenant_id ORDER BY id) AS prev_hash
+              FROM ${PARTITION}
+            )
+            SELECT o.id
+            FROM ordered o
+            WHERE o.stored_hash IS DISTINCT FROM
+              digest(
+                COALESCE(o.prev_hash, ''::bytea)
+                || (SELECT ${ROW_EXPR}::text::bytea FROM ${PARTITION} t WHERE t.id = o.id),
+                'sha256'
+              )
+          ) sub;
+
+          DO \$\$
+          DECLARE
+            tenant_rec RECORD;
+            row_rec RECORD;
+            prev_hash BYTEA;
+            new_hash BYTEA;
+            updated_count INT := 0;
+            tenant_count INT := 0;
+          BEGIN
+            SET session_replication_role = 'replica';
+
+            FOR tenant_rec IN
+              SELECT DISTINCT tenant_id FROM ${PARTITION} WHERE id >= ${FROM_ID} ORDER BY tenant_id
+            LOOP
+              tenant_count := tenant_count + 1;
+
+              SELECT log_hash INTO prev_hash
+              FROM ${PARTITION}
+              WHERE tenant_id = tenant_rec.tenant_id AND id < ${FROM_ID}
+              ORDER BY id DESC LIMIT 1;
+
+              FOR row_rec IN
+                SELECT id FROM ${PARTITION}
+                WHERE tenant_id = tenant_rec.tenant_id AND id >= ${FROM_ID}
+                ORDER BY id
+              LOOP
+                UPDATE ${PARTITION} p
+                SET log_hash = digest(
+                  COALESCE(prev_hash, ''::bytea)
+                  || (SELECT ${ROW_EXPR}::text::bytea FROM ${PARTITION} t WHERE t.id = row_rec.id),
+                  'sha256'
+                )
+                WHERE p.id = row_rec.id
+                RETURNING log_hash INTO new_hash;
+
+                prev_hash := new_hash;
+                updated_count := updated_count + 1;
+              END LOOP;
+            END LOOP;
+
+            SET session_replication_role = 'origin';
+            RAISE NOTICE 'Rebuild complete: % tenants, % rows updated', tenant_count, updated_count;
+          END\$\$;
+
+          SELECT 'AFTER: mismatches in partition' AS phase, COUNT(*) AS cnt
+          FROM (
+            WITH ordered AS (
+              SELECT id, tenant_id, log_hash AS stored_hash,
+                     LAG(log_hash) OVER (PARTITION BY tenant_id ORDER BY id) AS prev_hash
+              FROM ${PARTITION}
+            )
+            SELECT o.id
+            FROM ordered o
+            WHERE o.stored_hash IS DISTINCT FROM
+              digest(
+                COALESCE(o.prev_hash, ''::bytea)
+                || (SELECT ${ROW_EXPR}::text::bytea FROM ${PARTITION} t WHERE t.id = o.id),
+                'sha256'
+              )
+          ) sub;
+          SQL
+
+          scp -i ~/.ssh/liderra_deploy /tmp/rebuild.sql ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }}:/tmp/rebuild.sql
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} 'sudo -u postgres psql -d liderra -f /tmp/rebuild.sql && rm /tmp/rebuild.sql'
+
+      - name: Cleanup SSH key
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -0,0 +1,104 @@
+name: Run whitelisted SQL on liderra.ru
+
+on:
+  workflow_dispatch:
+    inputs:
+      sql:
+        description: 'SQL query (SELECT only by default; UPDATE/DELETE need confirm_mutating=true)'
+        required: true
+        type: string
+      confirm_mutating:
+        description: 'Подтверждаю UPDATE/DELETE на проде'
+        required: false
+        default: false
+        type: boolean
+
+jobs:
+  run:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+      SQL: ${{ github.event.inputs.sql }}
+      CONFIRM_MUT: ${{ github.event.inputs.confirm_mutating }}
+
+    steps:
+      - name: Whitelist check
+        run: |
+          set -euo pipefail
+          SQL_LOWER=$(echo "$SQL" | tr '[:upper:]' '[:lower:]' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
+
+          # Reject multi-statement SQL — `;` would let SELECT-prefixed payloads
+          # smuggle UPDATE/DELETE past READ_RE without confirm_mutating=true.
+          # Trailing single `;` is also rejected for symmetry (use no trailing `;`).
+          if [[ "$SQL_LOWER" == *";"* ]]; then
+            echo "::error::Multi-statement SQL is not allowed (no semicolons)."
+            exit 1
+          fi
+
+          # Allow: SELECT / WITH (CTE) / \d / EXPLAIN
+          READ_RE='^(select |with |explain |\\d|\\df|\\di|\\dt)'
+
+          # Mutating allowed if confirm=true: targeted UPDATE/DELETE on specific tables
+          MUTATING_RE='^(update supplier_leads|update supplier_projects|update failed_webhook_jobs|update scheduler_heartbeats|delete from failed_webhook_jobs|delete from incidents_log) '
+
+          if [[ "$SQL_LOWER" =~ $READ_RE ]]; then
+            echo "::notice::SELECT/read-only — allowed."
+            exit 0
+          fi
+
+          if [[ "$SQL_LOWER" =~ $MUTATING_RE ]]; then
+            if [[ "$CONFIRM_MUT" != "true" ]]; then
+              echo "::error::Mutating SQL requires confirm_mutating=true."
+              exit 1
+            fi
+            echo "::warning::Mutating SQL authorized."
+            exit 0
+          fi
+
+          echo "::error::SQL not in whitelist: $SQL_LOWER"
+          exit 1
+
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Run on prod
+        run: |
+          set -o pipefail
+          SQL_B64=$(printf '%s' "$SQL" | base64 -w0)
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} \
+            "SQL_B64='$SQL_B64' bash -s" <<'REMOTE' | tee /tmp/sql.log
+            SQL=$(echo "$SQL_B64" | base64 -d)
+            echo "=== Running on $(hostname) at $(date -u) ==="
+            echo "SQL: $SQL"
+            echo
+            sudo -u postgres psql -d liderra -c "$SQL"
+            RC=$?
+            echo
+            echo "=== Exit code: $RC ==="
+            exit $RC
+          REMOTE
+
+      - name: Summary
+        if: always()
+        run: |
+          {
+            echo "## SQL on prod"
+            echo
+            echo '```sql'
+            echo "$SQL"
+            echo '```'
+            echo
+            echo '```'
+            cat /tmp/sql.log 2>/dev/null
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Cleanup
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -0,0 +1,136 @@
+name: Diagnose SSH access to liderra.ru
+
+# Цель: понять, почему dev-IP 89.144.17.119 не пускают по SSH.
+# Запускается вручную: gh workflow run ssh-diagnose.yml -f dev_ip=89.144.17.119
+# Ничего не меняет на проде — только читает состояние fail2ban / iptables / sshd /
+# auth.log.
+#
+# Использует тот же LIDERRA_SSH_KEY что и deploy.yml.
+
+on:
+  workflow_dispatch:
+    inputs:
+      dev_ip:
+        description: 'IP который нужно проверить на блок (по умолчанию 89.144.17.119)'
+        required: true
+        default: '89.144.17.119'
+        type: string
+
+jobs:
+  diagnose:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+      DEV_IP: ${{ github.event.inputs.dev_ip }}
+
+    steps:
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Run diagnostic queries on prod
+        run: |
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} \
+            "DEV_IP='${DEV_IP}' bash -s" <<'REMOTE' | tee /tmp/diagnose.log
+            set +e
+            echo "=== 1. fail2ban status (sshd jail) ==="
+            sudo fail2ban-client status sshd 2>&1 | head -30 || echo "fail2ban not available"
+
+            echo
+            echo "=== 2. Is ${DEV_IP} currently banned by fail2ban? ==="
+            sudo fail2ban-client get sshd banip 2>&1 | grep -F "${DEV_IP}" || echo "NOT IN fail2ban banlist"
+
+            echo
+            echo "=== 3. Recent fail2ban actions for ${DEV_IP} (last 50 lines) ==="
+            sudo grep -F "${DEV_IP}" /var/log/fail2ban.log 2>/dev/null | tail -50 || echo "no fail2ban log entries"
+
+            echo
+            echo "=== 4. iptables INPUT rules referencing ${DEV_IP} or :22 ==="
+            sudo iptables -L INPUT -n -v --line-numbers 2>&1 | grep -E "(${DEV_IP}|dpt:22|tcp dpt:ssh|f2b)" || echo "no specific INPUT rules"
+
+            echo
+            echo "=== 5. iptables chains containing fail2ban (f2b-*) ==="
+            sudo iptables -L -n 2>&1 | grep -E "^Chain (f2b|INPUT)" | head -10
+
+            echo
+            echo "=== 6. Full f2b-sshd chain (entries banning IPs) ==="
+            sudo iptables -L f2b-sshd -n -v --line-numbers 2>&1 | head -40 || echo "no f2b-sshd chain"
+
+            echo
+            echo "=== 7. Recent SSH failed attempts from ${DEV_IP} (last 30 lines auth.log) ==="
+            sudo grep -F "${DEV_IP}" /var/log/auth.log 2>/dev/null | tail -30 || echo "no auth.log entries"
+
+            echo
+            echo "=== 8. Active sshd config: AllowUsers / DenyUsers / Match blocks ==="
+            sudo grep -E "^(AllowUsers|DenyUsers|AllowGroups|DenyGroups|Match)" /etc/ssh/sshd_config 2>&1 || true
+            sudo ls /etc/ssh/sshd_config.d/ 2>&1
+            sudo grep -E "^(AllowUsers|DenyUsers|AllowGroups|DenyGroups|Match)" /etc/ssh/sshd_config.d/*.conf 2>/dev/null || echo "no relevant entries in sshd_config.d"
+
+            echo
+            echo "=== 9. hosts.deny / hosts.allow ==="
+            echo "--- /etc/hosts.deny ---"
+            sudo cat /etc/hosts.deny 2>/dev/null | grep -v '^#' | grep -v '^$' || echo "(empty)"
+            echo "--- /etc/hosts.allow ---"
+            sudo cat /etc/hosts.allow 2>/dev/null | grep -v '^#' | grep -v '^$' || echo "(empty)"
+
+            echo
+            echo "=== 10. ufw status (если используется) ==="
+            sudo ufw status verbose 2>&1 | head -20 || echo "ufw not active"
+
+            echo
+            echo "=== 11. nftables ruleset (если активен) ==="
+            sudo nft list ruleset 2>&1 | head -40 || echo "nftables not active"
+
+            echo
+            echo "=== 12. Last 5 successful SSH logins (who logged in last) ==="
+            last -n 5 ubuntu 2>&1 | head -10
+
+            echo
+            echo "=== 13. Full content of /etc/ssh/sshd_config.d/01-claude.conf ==="
+            sudo cat /etc/ssh/sshd_config.d/01-claude.conf 2>&1 | head -80
+
+            echo
+            echo "=== 14. nftables full ruleset (f2b-table content) ==="
+            sudo nft list ruleset 2>&1 | head -120
+
+            echo
+            echo "=== 15. journalctl ssh.service last 30min ==="
+            sudo journalctl -u ssh.service --since="30 minutes ago" --no-pager 2>&1 | tail -40
+
+            echo
+            echo "=== 16. /etc/fail2ban/jail.d/ content ==="
+            sudo ls -la /etc/fail2ban/jail.d/ 2>&1
+            echo "--- whitelist-dev.conf ---"
+            sudo cat /etc/fail2ban/jail.d/whitelist-dev.conf 2>&1 || echo "(missing)"
+            echo "--- jail.local ---"
+            sudo cat /etc/fail2ban/jail.local 2>&1 | head -40 || echo "(missing)"
+
+            echo
+            echo "=== 17. recidive jail (if any — long-term ban) ==="
+            sudo fail2ban-client status recidive 2>&1 | head -20 || echo "no recidive jail"
+            sudo fail2ban-client get recidive banip 2>&1 | grep -F "${DEV_IP}" || echo "NOT IN recidive"
+
+            echo
+            echo "=== DONE ==="
+          REMOTE
+
+      - name: Print summary
+        if: always()
+        run: |
+          {
+            echo "## SSH diagnostic for $DEV_IP → $LIDERRA_HOST"
+            echo
+            echo '```'
+            cat /tmp/diagnose.log 2>/dev/null || echo "(no log captured)"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Cleanup SSH key
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -0,0 +1,117 @@
+name: Stage 5 daily monitor (29.05→04.06)
+
+# Автоматический ежедневный мониторинг 3 ключевых сигналов прода
+# во время 7-дневного окна перед переключением supplier_export_mode
+# online→batch (Stage 5 Task 5.1).
+#
+# Запускается GitHub-cron'ом каждое утро 06:00 UTC (09:00 МСК)
+# 29.05.2026 — 04.06.2026 (после 04.06 workflow можно отключить
+# через UI Actions tab → Disable workflow, либо удалить файл).
+# Также доступен ручной запуск через workflow_dispatch.
+#
+# Выводит результаты в job summary + сохраняет как artifact.
+#
+# План мониторинга:
+# docs/superpowers/plans/2026-05-29-stage5-monitoring-checklist.md
+
+on:
+  schedule:
+    # 06:00 UTC = 09:00 МСК ежедневно
+    - cron: '0 6 * * *'
+  workflow_dispatch:
+
+jobs:
+  monitor:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    # Жёсткий стоп — workflow ничего не делает после 04.06.2026 даже
+    # если кто-то забудет отключить. CRON в GitHub Actions не имеет
+    # "until date" — реализуем через if-check на runner side.
+    if: github.event_name == 'workflow_dispatch' || github.event.schedule == '0 6 * * *'
+
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+
+    steps:
+      - name: Check window not expired
+        id: window
+        run: |
+          TODAY=$(date -u +%Y-%m-%d)
+          DEADLINE='2026-06-05'  # 04.06 + 1 день grace
+          if [[ "$TODAY" > "$DEADLINE" ]]; then
+            echo "::notice::Stage 5 monitoring window closed at $DEADLINE. Disable this workflow via Actions UI."
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "skip=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Setup SSH key
+        if: steps.window.outputs.skip != 'true'
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Run 3 checks
+        if: steps.window.outputs.skip != 'true'
+        run: |
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} 'bash -s' <<'REMOTE' | tee /tmp/monitor.log
+            set +e
+            cd /var/www/liderra/app
+            echo "=== Date: $(date -u) ==="
+
+            echo
+            echo "=== 1. scheduler:check-heartbeats ==="
+            sudo -u www-data php artisan scheduler:check-heartbeats 2>&1
+            echo "Exit: $?"
+
+            echo
+            echo "=== 2. incidents:watch-failures ==="
+            sudo -u www-data php artisan incidents:watch-failures 2>&1
+            echo "Exit: $?"
+
+            echo
+            echo "=== 3. migrate:status ==="
+            sudo -u www-data php artisan migrate:status 2>&1 | tail -8
+            echo "Exit: $?"
+
+            echo
+            echo "=== Auxiliary signals from system tables ==="
+            echo "--- last 3 incidents_log entries ---"
+            sudo -u postgres psql -d liderra -tA -c "SELECT severity, created_at, root_cause FROM incidents_log ORDER BY created_at DESC LIMIT 3;" 2>&1
+            echo "--- snapshot count last 3 days ---"
+            sudo -u postgres psql -d liderra -tA -c "SELECT snapshot_date, COUNT(*) FROM project_routing_snapshots GROUP BY 1 ORDER BY 1 DESC LIMIT 3;" 2>&1
+            echo "--- failed_webhook_jobs last 24h count ---"
+            sudo -u postgres psql -d liderra -tA -c "SELECT COUNT(*) FROM failed_webhook_jobs WHERE failed_at > NOW() - INTERVAL '24 hours';" 2>&1
+            echo "--- scheduler_heartbeats with failures ---"
+            sudo -u postgres psql -d liderra -tA -c "SELECT command_name, consecutive_failures, last_run_at FROM scheduler_heartbeats WHERE consecutive_failures > 0 ORDER BY consecutive_failures DESC;" 2>&1
+
+            echo
+            echo "=== DONE ==="
+          REMOTE
+
+      - name: Print summary
+        if: always() && steps.window.outputs.skip != 'true'
+        run: |
+          {
+            echo "## Stage 5 daily monitor — $(date -u +%Y-%m-%d)"
+            echo
+            echo '```'
+            cat /tmp/monitor.log 2>/dev/null || echo "(no output)"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Upload as artifact
+        if: always() && steps.window.outputs.skip != 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: monitor-${{ github.run_id }}
+          path: /tmp/monitor.log
+          retention-days: 14
+
+      - name: Cleanup SSH key
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -0,0 +1,111 @@
+name: Stage 5 day 1 investigation — round 3 (schema + full rows)
+
+# Round 3: реальные имена колонок hash в audit-таблицах,
+# реальные имена FK в supplier_projects/supplier_leads,
+# полное содержимое битых строк (599/462) и застрявших лидов (1110/1157).
+
+on:
+  workflow_dispatch:
+
+jobs:
+  investigate:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+
+    steps:
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Round 3 schema + rows
+        run: |
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} 'bash -s' <<'REMOTE' | tee /tmp/investigate3.log
+            set +e
+            cd /var/www/liderra/app
+
+            echo "=========================================="
+            echo "SCHEMAS"
+            echo "=========================================="
+
+            echo
+            echo "--- activity_log columns ---"
+            sudo -u postgres psql -d liderra -c "SELECT column_name, data_type FROM information_schema.columns WHERE table_name='activity_log' ORDER BY ordinal_position;"
+
+            echo
+            echo "--- balance_transactions columns ---"
+            sudo -u postgres psql -d liderra -c "SELECT column_name, data_type FROM information_schema.columns WHERE table_name='balance_transactions' ORDER BY ordinal_position;"
+
+            echo
+            echo "--- supplier_projects columns ---"
+            sudo -u postgres psql -d liderra -c "SELECT column_name, data_type FROM information_schema.columns WHERE table_name='supplier_projects' ORDER BY ordinal_position;"
+
+            echo
+            echo "--- supplier_leads columns ---"
+            sudo -u postgres psql -d liderra -c "SELECT column_name, data_type FROM information_schema.columns WHERE table_name='supplier_leads' ORDER BY ordinal_position;"
+
+
+            echo
+            echo "=========================================="
+            echo "BROKEN ROWS — full SELECT *"
+            echo "=========================================="
+
+            echo
+            echo "--- activity_log_y2026_m05 ids 597-601 ---"
+            sudo -u postgres psql -d liderra -x -c "SELECT * FROM activity_log_y2026_m05 WHERE id BETWEEN 597 AND 601 ORDER BY id;"
+
+            echo
+            echo "--- balance_transactions_y2026_m05 ids 460-464 ---"
+            sudo -u postgres psql -d liderra -x -c "SELECT * FROM balance_transactions_y2026_m05 WHERE id BETWEEN 460 AND 464 ORDER BY id;"
+
+
+            echo
+            echo "=========================================="
+            echo "STUCK LEADS 1110 + 1157"
+            echo "=========================================="
+
+            echo
+            echo "--- supplier_leads.id IN (1110, 1157) ---"
+            sudo -u postgres psql -d liderra -x -c "SELECT * FROM supplier_leads WHERE id IN (1110, 1157);"
+
+            echo
+            echo "--- failed_webhook_jobs sample raw_payload for sl_id=1110 (1 row) ---"
+            sudo -u postgres psql -d liderra -x -c "SELECT * FROM failed_webhook_jobs WHERE raw_payload->>'supplier_lead_id' = '1110' ORDER BY failed_at DESC LIMIT 1;"
+
+            echo
+            echo "--- All supplier_projects with platform B1 ---"
+            sudo -u postgres psql -d liderra -c "SELECT * FROM supplier_projects WHERE platform='B1' LIMIT 5;"
+
+            echo
+            echo "=========================================="
+            echo "DONE"
+            echo "=========================================="
+          REMOTE
+
+      - name: Print summary
+        if: always()
+        run: |
+          {
+            echo "## Stage 5 day 1 investigation — round 3 schemas"
+            echo
+            echo '```'
+            cat /tmp/investigate3.log 2>/dev/null || echo "(no output)"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Upload artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: investigate-day1-round3
+          path: /tmp/investigate3.log
+
+      - name: Cleanup SSH key
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -28,6 +28,12 @@ exclude = [
  # Шаблонные плейсхолдеры
  "^\\{\\{.*\\}\\}$",
  "^\\[.*\\]$",
+  # v3.9 hooks удалены Stream G (2026-05-30), CLAUDE.md содержит исторические упоминания
+  "tools/enforce-chain-recommendation\\.mjs",
+  "tools/enforce-classifier-match\\.mjs",
+  "tools/enforce-graph-first\\.mjs",
+  "tools/enforce-semgrep-security\\.mjs",
+  "tools/enforce-override-limit\\.mjs",
  # localhost и приватные адреса
  "^https?://localhost",
  "^https?://127\\.0\\.0\\.1",
@@ -0,0 +1,225 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Console\Commands;
+
+use App\Services\Audit\AuditChainConfig;
+use Illuminate\Console\Command;
+use Illuminate\Support\Facades\DB;
+
+/**
+ * Пересчитывает hash-цепь в указанной партиции аудит-таблицы начиная с заданного id.
+ *
+ * ADR-018: воспроизводит per-tenant scope триггера audit_chain_hash() (через RLS).
+ * Для tenant-таблиц (activity_log/balance_transactions/tenant_operations_log/
+ * pd_processing_log) — отдельная цепочка на каждый tenant. Для BYPASSRLS-таблиц
+ * (auth_log/saas_admin_audit_log) — единая цепочка в пределах партиции.
+ *
+ * Алгоритм (Вариант B — PHP-iteration с partition awareness):
+ *   1. SET session_replication_role = replica отключает BEFORE-триггеры.
+ *   2. Determine partition_clause из AuditChainConfig::TABLES[parent_table].
+ *   3. Для per-tenant таблиц: получить distinct tenant_ids в range, для каждого:
+ *        - prev_hash = log_hash of last row with id<from-id AND tenant_id=X
+ *        - iterate rows ordered by id, UPDATE + propagate prev_hash forward
+ *      Для BYPASSRLS-таблиц: одна iteration без tenant scope.
+ *   4. Возвращаем session_replication_role = origin.
+ *
+ * NB: row-by-row PHP loop сохранён намеренно (вариант с одиночным CTE и
+ * LAG страдает snapshot-isolation bug — downstream rows используют OLD stored
+ * prev_hash вместо новых хешей текущего UPDATE'а; chain ломается через >1 row).
+ *
+ * Ref: docs/adr/ADR-018-audit-chain-per-tenant-semantics.md
+ *      docs/superpowers/plans/2026-05-29-audit-rebuild-per-tenant-fix.md
+ */
+final class AuditRebuildChain extends Command
+{
+    protected $signature = 'audit:rebuild-chain
+        {--partition= : Имя партиции, например activity_log_y2026_m05}
+        {--from-id= : ID с которого начать пересчёт (включительно)}
+        {--dry-run : Показать сколько строк затронет, без UPDATE}
+        {--force : Пропустить интерактивное подтверждение (для CI/тестов)}';
+
+    protected $description = 'Пересчитать hash-цепь партиции аудит-таблицы (per-tenant per ADR-018)';
+
+    public function handle(): int
+    {
+        $partition = (string) $this->option('partition');
+        $fromId = (int) $this->option('from-id');
+        $dryRun = (bool) $this->option('dry-run');
+        $force = (bool) $this->option('force');
+
+        if ($partition === '' || $fromId <= 0) {
+            $this->error('--partition и --from-id обязательны');
+
+            return self::FAILURE;
+        }
+
+        $parentTable = (string) preg_replace('/_y\d{4}_m\d{2}$/', '', $partition);
+
+        if (! array_key_exists($parentTable, AuditChainConfig::TABLES)) {
+            $this->error("Partition '{$partition}' не относится к поддерживаемым аудит-таблицам.");
+            $this->line('Поддерживаемые: '.implode(', ', array_keys(AuditChainConfig::TABLES)));
+
+            return self::FAILURE;
+        }
+
+        $partitionClause = AuditChainConfig::TABLES[$parentTable]['partition'];
+        $rowExpr = AuditChainConfig::rowExpression($parentTable);
+
+        $count = DB::connection('pgsql_supplier')
+            ->table($partition)
+            ->where('id', '>=', $fromId)
+            ->count();
+
+        $scopeLabel = $partitionClause !== '' ? $partitionClause : 'global (within partition)';
+
+        $this->info("Партиция : {$partition}");
+        $this->info("Родитель : {$parentTable}");
+        $this->info("Scope    : {$scopeLabel}");
+        $this->info("От id    : {$fromId}");
+        $this->info("Строк    : {$count}");
+
+        if ($count === 0) {
+            $this->warn('Нет строк с id >= '.$fromId.'. Пересчёт не нужен.');
+
+            return self::SUCCESS;
+        }
+
+        if ($dryRun) {
+            $this->warn('--dry-run: UPDATE не выполнен.');
+
+            return self::SUCCESS;
+        }
+
+        if (! $force && ! $this->confirm(
+            "Пересчитать log_hash для {$count} строк в {$partition} (scope: {$scopeLabel})? Это изменит данные в проде.",
+            false,
+        )) {
+            $this->warn('Отменено.');
+
+            return self::FAILURE;
+        }
+
+        // Disable BEFORE triggers (audit_block_mutation blocks UPDATE).
+        // Use session-level SET so it works even inside a wrapping transaction
+        // (e.g. DatabaseTransactions in tests). Reset in finally.
+        DB::connection('pgsql_supplier')->statement("SET session_replication_role = 'replica'");
+
+        try {
+            $totalUpdated = 0;
+
+            if ($partitionClause === 'PARTITION BY tenant_id') {
+                // Per-tenant rebuild — separate scope iteration per tenant.
+                $tenantIds = DB::connection('pgsql_supplier')
+                    ->table($partition)
+                    ->where('id', '>=', $fromId)
+                    ->distinct()
+                    ->pluck('tenant_id')
+                    ->all();
+
+                foreach ($tenantIds as $tenantId) {
+                    $totalUpdated += $this->rebuildScope(
+                        $partition,
+                        $rowExpr,
+                        $fromId,
+                        'tenant_id',
+                        (int) $tenantId,
+                    );
+                }
+            } else {
+                // BYPASSRLS-таблицы (auth_log, saas_admin_audit_log) — global scope.
+                $totalUpdated = $this->rebuildScope($partition, $rowExpr, $fromId, null, null);
+            }
+
+            $this->info("Обновлено {$totalUpdated} строк в {$partition}.");
+        } finally {
+            DB::connection('pgsql_supplier')->statement("SET session_replication_role = 'origin'");
+        }
+
+        $this->info('Готово. Запустите audit:verify-chains для проверки целостности.');
+
+        return self::SUCCESS;
+    }
+
+    /**
+     * Пересчитывает chain для одного scope (tenant или global).
+     *
+     * Iterative PHP loop: prev_hash propagate'ится forward через каждый row,
+     * UPDATE применяется immediately чтобы snapshot для следующей iteration
+     * был свежий (default PG READ COMMITTED — own writes visible immediately).
+     *
+     * @param  string|null  $tenantColumn  'tenant_id' для per-tenant scope, null для global
+     * @param  int|null  $tenantValue  значение tenant_id для этого scope (если применимо)
+     */
+    private function rebuildScope(
+        string $partition,
+        string $rowExpr,
+        int $fromId,
+        ?string $tenantColumn,
+        ?int $tenantValue,
+    ): int {
+        // Find prev_hash (last row before fromId within scope).
+        $prevQuery = DB::connection('pgsql_supplier')
+            ->table($partition)
+            ->where('id', '<', $fromId);
+        if ($tenantColumn !== null) {
+            $prevQuery->where($tenantColumn, $tenantValue);
+        }
+        $prevHashRow = $prevQuery->orderByDesc('id')->first(['log_hash']);
+        $prevHashHex = $this->bytesToHex($prevHashRow?->log_hash);
+
+        // Get rows to rebuild ordered by id.
+        $rowsQuery = DB::connection('pgsql_supplier')
+            ->table($partition)
+            ->where('id', '>=', $fromId);
+        if ($tenantColumn !== null) {
+            $rowsQuery->where($tenantColumn, $tenantValue);
+        }
+        $rows = $rowsQuery->orderBy('id')->get(['id']);
+
+        $updated = 0;
+        foreach ($rows as $row) {
+            $prevHashExpr = $prevHashHex !== null
+                ? "'{$prevHashHex}'::bytea"
+                : "''::bytea";
+
+            $sql = "
+                UPDATE {$partition}
+                SET log_hash = (
+                    SELECT digest(
+                        COALESCE({$prevHashExpr}, ''::bytea)
+                        || (SELECT {$rowExpr}::text::bytea FROM {$partition} t WHERE t.id = ?)
+                        , 'sha256'
+                    )
+                )
+                WHERE id = ?
+                RETURNING log_hash
+            ";
+
+            $result = DB::connection('pgsql_supplier')->selectOne($sql, [$row->id, $row->id]);
+            $updated++;
+
+            $prevHashHex = $this->bytesToHex($result?->log_hash);
+        }
+
+        return $updated;
+    }
+
+    /**
+     * Convert a BYTEA value (PHP resource or string) to hex literal for SQL.
+     * PostgreSQL PDO driver returns BYTEA as a PHP stream resource.
+     */
+    private function bytesToHex(mixed $value): ?string
+    {
+        if ($value === null) {
+            return null;
+        }
+        $bin = is_resource($value) ? stream_get_contents($value) : (string) $value;
+        if ($bin === '' || $bin === false) {
+            return null;
+        }
+
+        return '\\x'.bin2hex($bin);
+    }
+}
@@ -27,12 +27,13 @@ class IncidentsWatchFailures extends Command
    private const DB_CONNECTION = 'pgsql_supplier';

    protected $signature = 'incidents:watch-failures
-        {--window=10           : Окно сканирования в минутах}
-        {--threshold=200       : Порог спайка для failed_webhook_jobs}
-        {--threshold-spike=10  : Порог спайка для failed_jobs (за окно)}
-        {--threshold-daily=50  : Порог суммы за 24ч для failed_jobs}
-        {--persistent-hours=3  : Порог возраста persistent-exception для failed_jobs}
-        {--dedup-window=60     : Окно дедупа открытых инцидентов в минутах}';
+        {--window=10                  : Окно сканирования в минутах}
+        {--threshold=200              : Порог спайка для failed_webhook_jobs}
+        {--threshold-spike=10         : Порог спайка для failed_jobs (за окно)}
+        {--threshold-daily=50         : Порог суммы за 24ч для failed_jobs}
+        {--persistent-hours=3         : Порог возраста persistent-exception для failed_jobs}
+        {--dedup-window=60            : Окно дедупа открытых инцидентов в минутах}
+        {--threshold-single-lead=1000 : Порог storm detection: failures одного supplier_lead_id за окно}';

    protected $description = 'Сканирует failed_webhook_jobs и failed_jobs, создаёт incidents_log на превышение порогов';

@@ -45,6 +46,8 @@ class IncidentsWatchFailures extends Command
        $persistentHours = (int) $this->option('persistent-hours');
        $dedupMinutes = (int) $this->option('dedup-window');

+        $thresholdSingleLead = (int) $this->option('threshold-single-lead');
+
        $since = Carbon::now()->subMinutes($windowMinutes);
        $since24h = Carbon::now()->subHours(24);
        $dedupAt = Carbon::now()->subMinutes($dedupMinutes);
@@ -185,6 +188,39 @@ class IncidentsWatchFailures extends Command
            $this->info("Job persistent [medium]: {$jobClass}");
        }

+        // ===== БЛОК 5: single-lead storm detection =====
+        // Detects случай когда один supplier_lead_id генерирует >= threshold
+        // failures за окно — классический шторм от застрявшего лида (Finding 2,
+        // 2026-05-29). Создаём severity=high инцидент per lead_id.
+        if ($thresholdSingleLead > 0) {
+            $stormLeads = DB::connection(self::DB_CONNECTION)
+                ->table('failed_webhook_jobs')
+                ->selectRaw("raw_payload->>'supplier_lead_id' AS lead_id, COUNT(*) AS cnt")
+                ->whereNull('resolved_at')
+                ->where('failed_at', '>=', $since)
+                ->whereRaw("raw_payload ?? 'supplier_lead_id'")
+                ->groupByRaw("raw_payload->>'supplier_lead_id'")
+                ->havingRaw('COUNT(*) >= ?', [$thresholdSingleLead])
+                ->get();
+
+            foreach ($stormLeads as $row) {
+                $leadId = $row->lead_id;
+                $cnt = (int) $row->cnt;
+                $dedupKey = "single-lead-storm:{$leadId}";
+
+                if ($this->isDup($dedupKey, $dedupAt)) {
+                    $this->line("Skipping single-lead-storm (dedup): {$dedupKey}");
+
+                    continue;
+                }
+
+                $summary = "Автоматически: single-lead-storm {$cnt} failures supplier_lead_id={$leadId} за {$windowMinutes} мин. Вероятная причина: terminal error без fast-fail guard.";
+                $this->createIncident($adminId, 'other', 'high', $summary, $since, $now, $dedupKey);
+                $created++;
+                $this->info("Single-lead storm [high]: lead_id={$leadId} — {$cnt}");
+            }
+        }
+
        $this->info("Done. Created {$created} incident(s).");

        return self::SUCCESS;
@@ -0,0 +1,128 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Console\Commands;
+
+use App\Jobs\Supplier\DeleteSupplierProjectJob;
+use Illuminate\Console\Command;
+use Illuminate\Support\Facades\DB;
+
+/**
+ * One-time migration: clean up orphan supplier_projects rows created by the
+ * now-removed buildUniqueKey($p, $platform) divergence for SMS+keyword projects.
+ *
+ * Before R-17 unification (Stage 4 §4.4.1) SMS+keyword projects had two diverging
+ * supplier_projects keys per group:
+ *   B2: unique_key = sender+keyword
+ *   B3: unique_key = sender (without keyword) — ORPHAN after unification
+ *
+ * This command finds orphan B3 rows (sms, no '+' in unique_key, owning project has
+ * sms_keyword) and either UPDATEs them to sender+keyword (no sibling) or marks them
+ * for deletion via DeleteSupplierProjectJob (sibling at sender+keyword already exists).
+ *
+ * Usage:
+ *   php artisan supplier:rekey-orphans --dry-run   # preview
+ *   php artisan supplier:rekey-orphans             # apply
+ *
+ * Spec §4.4.1.
+ */
+final class SupplierRekeyOrphansCommand extends Command
+{
+    protected $signature = 'supplier:rekey-orphans {--dry-run : Preview without modifying anything}';
+
+    protected $description = 'One-time R-17 cleanup of orphan SMS supplier_projects keyed under sender alone';
+
+    public function handle(): int
+    {
+        $dryRun = (bool) $this->option('dry-run');
+
+        // Find candidate orphans: sms supplier_projects whose unique_key has no '+'
+        // and whose tenant has an SMS project with sms_keyword set matching this sender.
+        $orphans = DB::connection('pgsql_supplier')
+            ->table('supplier_projects as sp')
+            ->join('project_supplier_links as psl', 'psl.supplier_project_id', '=', 'sp.id')
+            ->join('projects as p', 'p.id', '=', 'psl.project_id')
+            ->where('sp.signal_type', 'sms')
+            ->where('sp.unique_key', 'NOT LIKE', '%+%')
+            ->whereNotNull('p.sms_keyword')
+            ->where('p.sms_keyword', '!=', '')
+            ->select([
+                'sp.id as sp_id',
+                'sp.unique_key as sender',
+                'sp.platform',
+                'p.tenant_id',
+                'p.sms_keyword as keyword',
+            ])
+            ->get();
+
+        if ($orphans->isEmpty()) {
+            $this->info('No orphan SMS supplier_projects found. Nothing to migrate.');
+
+            return self::SUCCESS;
+        }
+
+        $this->info(sprintf('Found %d orphan SMS supplier_projects row(s).', $orphans->count()));
+
+        $updated = 0;
+        $dispatched = 0;
+        $toDelete = [];
+
+        foreach ($orphans as $o) {
+            $sender = (string) $o->sender;
+            $keyword = (string) $o->keyword;
+            $newKey = $sender.'+'.$keyword;
+
+            // Sibling check: another supplier_project for same tenant/keyword combo already
+            // exists at the unified key? Look across pivot to the same tenant scope.
+            $siblingExists = DB::connection('pgsql_supplier')
+                ->table('supplier_projects as sp2')
+                ->join('project_supplier_links as psl2', 'psl2.supplier_project_id', '=', 'sp2.id')
+                ->join('projects as p2', 'p2.id', '=', 'psl2.project_id')
+                ->where('sp2.signal_type', 'sms')
+                ->where('sp2.unique_key', $newKey)
+                ->where('p2.tenant_id', $o->tenant_id)
+                ->where('sp2.id', '!=', $o->sp_id)
+                ->exists();
+
+            if ($siblingExists) {
+                $toDelete[] = (int) $o->sp_id;
+                $this->line(sprintf(
+                    '  orphan #%d (%s sender=%s) → DELETE (sibling at %s exists for tenant %d)',
+                    $o->sp_id, $o->platform, $sender, $newKey, $o->tenant_id
+                ));
+
+                continue;
+            }
+
+            $this->line(sprintf(
+                '  orphan #%d (%s sender=%s) → UPDATE unique_key=%s',
+                $o->sp_id, $o->platform, $sender, $newKey
+            ));
+
+            if (! $dryRun) {
+                DB::connection('pgsql_supplier')
+                    ->table('supplier_projects')
+                    ->where('id', $o->sp_id)
+                    ->update(['unique_key' => $newKey, 'updated_at' => now()]);
+                $updated++;
+            }
+        }
+
+        if (! $dryRun && $toDelete !== []) {
+            DeleteSupplierProjectJob::dispatch($toDelete);
+            $dispatched = count($toDelete);
+        }
+
+        if ($dryRun) {
+            $this->warn('--dry-run: no changes made.');
+        } else {
+            $this->info(sprintf(
+                'Migration complete: %d row(s) updated, %d row(s) queued for deletion.',
+                $updated, $dispatched
+            ));
+        }
+
+        return self::SUCCESS;
+    }
+}
@@ -5,6 +5,7 @@ declare(strict_types=1);
 namespace App\Console\Commands;

 use App\Mail\AuditChainBreachMail;
+use App\Services\Audit\AuditChainConfig;
 use Illuminate\Console\Command;
 use Illuminate\Support\Carbon;
 use Illuminate\Support\Facades\DB;
@@ -83,166 +84,12 @@ class VerifyAuditChains extends Command

    protected $description = 'Проверяет целостность SHA-256 hash-chain в 6 audit-таблицах (per-partition)';

-    /**
-     * Конфигурация таблиц: имя таблицы → [columns, partition_clause].
-     *
-     * columns: список столбцов строго в порядке ordinal_position из db/schema.sql.
-     *   Специальное значение '__log_hash__' — маркер позиции log_hash → NULL::bytea.
-     *
-     * partition_clause: SQL-фрагмент для OVER (PARTITION BY … ORDER BY id),
-     *   воспроизводящий RLS-scope триггера внутри одной партиции.
-     *   Пустая строка = глобальная цепочка внутри партиции.
-     *
-     * @var array<string, array{columns: list<string>, partition: string}>
-     */
-    private const TABLE_CONFIG = [
-        // auth_log:
-        //   RLS: actor_type='tenant_user' AND tenant_id = current_setting(...)
-        //   Tenant-сессия видит только (actor_type='tenant_user', tenant_id=N).
-        //   saas_admin-сессия BYPASSRLS — видит всё.
-        //   Partition (actor_type, tenant_id) воспроизводит оба случая:
-        //   каждая пара образует независимую цепочку.
-        'auth_log' => [
-            'columns' => [
-                'id',
-                'actor_type',
-                'tenant_id',
-                'user_id',
-                'saas_admin_user_id',
-                'email',
-                'event',
-                'ip_address',
-                'user_agent',
-                'failure_reason',
-                '__log_hash__',   // log_hash → NULL::bytea
-                'created_at',
-            ],
-            // global chain: auth_log пишется при ЛОГИНЕ под BYPASSRLS-роль
-            // (tenant ещё не установлен — пользователь не аутентифицирован),
-            // поэтому триггерный prev-SELECT видит ВСЕ строки → цепочка глобальная
-            // внутри данной партиции (эмпирически подтверждено прод-smoke).
-            'partition' => '',
-        ],
-
-        // activity_log:
-        //   RLS: tenant_id = current_setting(...) — простая tenant-изоляция.
-        //   Partition: tenant_id.
-        'activity_log' => [
-            'columns' => [
-                'id',
-                'tenant_id',
-                'user_id',
-                'deal_id',
-                'event',
-                'old_value',
-                'new_value',
-                'context',
-                'ip_address',
-                'user_agent',
-                '__log_hash__',   // log_hash → NULL::bytea
-                'created_at',
-            ],
-            'partition' => 'PARTITION BY tenant_id',
-        ],
-
-        // tenant_operations_log:
-        //   RLS: tenant_id = current_setting(...) — простая tenant-изоляция.
-        //   Partition: tenant_id.
-        'tenant_operations_log' => [
-            'columns' => [
-                'id',
-                'tenant_id',
-                'user_id',
-                'entity_type',
-                'entity_id',
-                'event',
-                'payload_before',
-                'payload_after',
-                'ip_address',
-                'user_agent',
-                '__log_hash__',   // log_hash → NULL::bytea
-                'created_at',
-            ],
-            'partition' => 'PARTITION BY tenant_id',
-        ],
-
-        // balance_transactions:
-        //   RLS: tenant_id = current_setting(...) — простая tenant-изоляция.
-        //   Partition: tenant_id.
-        'balance_transactions' => [
-            'columns' => [
-                'id',
-                'tenant_id',
-                'type',
-                'amount_rub',
-                'amount_leads',
-                'balance_rub_after',
-                'balance_leads_after',
-                'description',
-                'related_type',
-                'related_id',
-                'user_id',
-                'admin_user_id',
-                '__log_hash__',   // log_hash → NULL::bytea
-                'created_at',
-            ],
-            'partition' => 'PARTITION BY tenant_id',
-        ],
-
-        // pd_processing_log:
-        //   RLS: tenant_id = current_setting(...) — простая tenant-изоляция.
-        //   Partition: tenant_id.
-        'pd_processing_log' => [
-            'columns' => [
-                'id',
-                'tenant_id',
-                'subject_type',
-                'subject_id',
-                'action',
-                'purpose',
-                'actor_tenant_user_id',
-                'actor_admin_user_id',
-                'ip_address',
-                '__log_hash__',   // log_hash → NULL::bytea
-                'created_at',
-            ],
-            'partition' => 'PARTITION BY tenant_id',
-        ],
-
-        // saas_admin_audit_log:
-        //   Нет RLS-политики для tenant-ролей (REVOKE ALL FROM crm_app_user).
-        //   Вставляет только crm_admin_user (BYPASSRLS) — триггер's SELECT
-        //   видит ВСЕ строки партиции → цепочка глобальная внутри партиции.
-        //   Partition: нет (пустая строка = ORDER BY id без PARTITION BY).
-        'saas_admin_audit_log' => [
-            'columns' => [
-                'id',
-                'admin_user_id',
-                'action',
-                'target_type',
-                'target_id',
-                'target_tenant_id',
-                'payload_before',
-                'payload_after',
-                'reason',
-                'ip_address',
-                'user_agent',
-                'requires_approval',
-                'approved_by',
-                'approved_at',
-                '__log_hash__',   // log_hash → NULL::bytea
-                'created_at',
-            ],
-            'partition' => '',  // global chain within partition — inserting role is BYPASSRLS
-        ],
-    ];
-
    public function handle(): int
    {
        $anyBreach = false;
        $now = Carbon::now();

-        foreach (self::TABLE_CONFIG as $table => $config) {
+        foreach (AuditChainConfig::TABLES as $table => $config) {
            // Get all partitions for this table via pg_inherits.
            $partitions = $this->listPartitions($table);

@@ -252,7 +99,7 @@ class VerifyAuditChains extends Command
            }

            foreach ($partitions as $partitionName) {
-                $breaches = $this->checkPartition($partitionName, $config['columns'], $config['partition']);
+                $breaches = $this->checkPartition($partitionName, $table, $config['partition']);

                if (empty($breaches)) {
                    $this->line("  ✓ {$partitionName}: chain intact");
@@ -321,12 +168,11 @@ class VerifyAuditChains extends Command
     *      где ROW(...) имеет NULL::bytea на позиции log_hash.
     *   4. Возвращает строки, где stored IS DISTINCT FROM recomputed.
     *
-     * @param  list<string>  $columns
     * @return list<object>
     */
-    private function checkPartition(string $partitionName, array $columns, string $partition): array
+    private function checkPartition(string $partitionName, string $table, string $partition): array
    {
-        $rowExpr = $this->buildRowExpression($columns);
+        $rowExpr = AuditChainConfig::rowExpression($table);

        // Build OVER clause: with or without PARTITION BY depending on table's RLS scope.
        $overClause = $partition !== ''
@@ -366,25 +212,6 @@ class VerifyAuditChains extends Command
        return $results;
    }

-    /**
-     * Строит SQL-выражение ROW(col1, col2, ..., NULL::bytea, ..., coln)
-     * с NULL::bytea на месте log_hash.
-     *
-     * Пример для auth_log:
-     *   ROW(t.id, t.actor_type, t.tenant_id, ..., NULL::bytea, t.created_at)
-     *
-     * @param  list<string>  $columns
-     */
-    private function buildRowExpression(array $columns): string
-    {
-        $parts = [];
-        foreach ($columns as $col) {
-            $parts[] = ($col === '__log_hash__') ? 'NULL::bytea' : "t.{$col}";
-        }
-
-        return 'ROW('.implode(', ', $parts).')';
-    }
-
    /**
     * Вставляет запись в incidents_log (через pgsql_supplier BYPASSRLS).
     * Дедупликация: не создаёт повторный инцидент для той же таблицы,
@@ -71,8 +71,19 @@ final class BalancePreflightSweepJob implements ShouldQueue

            // Переход active → frozen.
            if (! $result->passes && ! $isFrozen) {
-                $tenant->frozen_by_balance_at = now();
+                $freezeAt = now();
+                $tenant->frozen_by_balance_at = $freezeAt;
                $tenant->save();
+
+                // Stage 3 R-13 (spec §4.3.2): помечаем все непаузнутые проекты
+                // тенанта моментом заморозки. Это даёт SupplierSnapshotGuard
+                // зацепку (paused_at свежее grace-периода) — клиент не сможет
+                // удалить/сменить источник пока хвост слепка ещё может прилететь.
+                DB::connection('pgsql_supplier')->table('projects')
+                    ->where('tenant_id', $tenant->id)
+                    ->whereNull('paused_at')
+                    ->update(['paused_at' => $freezeAt]);
+
                $this->logEvent($tenant, 'frozen', 'cutoff_18msk', $result);
                Mail::queue(new BalanceFrozenMail($tenant, $result));
                $this->dispatchSupplierSyncIfOnline($tenant);
@@ -82,8 +93,20 @@ final class BalancePreflightSweepJob implements ShouldQueue

            // Переход frozen → active.
            if ($result->passes && $isFrozen) {
+                // Stage 3 R-13: фиксируем frozen-moment ДО $tenant->save() — нужно
+                // для фильтра отката paused_at. Очищаем только те проекты,
+                // у которых paused_at >= frozen_at_was (== поставленные нами на паузу
+                // в freeze-блоке). Ручные паузы клиента ДО заморозки имеют
+                // paused_at < frozen_at_was и сохраняются.
+                $frozenAtWas = $tenant->frozen_by_balance_at;
                $tenant->frozen_by_balance_at = null;
                $tenant->save();
+
+                DB::connection('pgsql_supplier')->table('projects')
+                    ->where('tenant_id', $tenant->id)
+                    ->where('paused_at', '>=', $frozenAtWas)
+                    ->update(['paused_at' => null]);
+
                $this->logEvent($tenant, 'unfrozen', 'cutoff_18msk', $result);
                Mail::queue(new BalanceUnfrozenMail($tenant, $result));
                $this->dispatchSupplierSyncIfOnline($tenant);
@@ -116,6 +116,32 @@ class RouteSupplierLeadJob implements ShouldQueue
            return;
        }

+        // Fast-fail: лид уже был помечен terminal error и не имеет processed_at.
+        // Закрывает класс failed_webhook_jobs storm (Finding 2, 2026-05-29).
+        // Plan 2026-05-29-supplier-webhook-fast-fail-and-stuck-cleanup.md, Task 2.
+        $isTerminalError = $lead->error !== null && (
+            str_contains($lead->error, 'does not support')
+            || str_contains($lead->error, 'platform mismatch')
+            || str_contains($lead->error, 'no matching supplier_project')
+        );
+        if ($isTerminalError) {
+            // Capture original error BEFORE update — $lead->update() mutates
+            // the in-memory model, so $lead->error after update() returns the
+            // suffixed value, breaking debug logs (review fix).
+            // быстрый коммит
+            $originalError = $lead->error;
+            $lead->update([
+                'processed_at' => now(),
+                'error' => $originalError.' [fast-failed by RouteSupplierLeadJob]',
+            ]);
+            Log::info('supplier_lead.fast_failed_terminal_error', [
+                'supplier_lead_id' => $lead->id,
+                'original_error' => $originalError,
+            ]);
+
+            return;
+        }
+
        $projectField = (string) ($lead->raw_payload['project'] ?? '');
        [$platform, $signalType, $identifier] = $this->parseProjectField($projectField);

@@ -204,6 +204,13 @@ final class CsvReconcileJob implements ShouldQueue
                ->where('id', $logId)
                ->update($update);

+            // R-05 / §4.4.4 second pass — business-drift on project_routing_snapshots.
+            // Detects tenants where supplier under-delivered against the slepok plan
+            // (shortfall = (expected - delivered) / expected > 20%). Orthogonal to
+            // webhook-loss drift above — same lead can be missing from CSV AND from
+            // delivered_count (compounding R-05.1 + R-05.2).
+            $this->detectAndAlertBusinessDrift($mailer, $windowStart, $windowEnd);
+
        } catch (Throwable $e) {
            // $logId === null — упал сам insertGetId, log-строки нет, обновлять нечего.
            if ($logId !== null) {
@@ -251,4 +258,65 @@ final class CsvReconcileJob implements ShouldQueue

        return null;
    }
+
+    /**
+     * R-05 (Stage 4 §4.4.4) — business-drift second pass.
+     *
+     * Поверх существующего webhook-loss drift (R-05.1: «лид прилетел, мы webhook'а не
+     * получили») ищем business-drift (R-05.2: «лид прилетел, мы доставили не тому/никому»):
+     * для каждой пары (snapshot_date, tenant_id) считаем SUM(expected_volume) и
+     * SUM(delivered_count) по `project_routing_snapshots`, при shortfall > 20% шлём
+     * `TenantBusinessDriftAlertMail` админу.
+     *
+     * Окно — то же что у текущего CSV-reconcile run. Один email на тенанта на дату.
+     */
+    private const BUSINESS_DRIFT_THRESHOLD = 0.20;
+
+    private function detectAndAlertBusinessDrift(
+        Mailer $mailer,
+        \Carbon\CarbonInterface $windowStart,
+        \Carbon\CarbonInterface $windowEnd,
+    ): void {
+        $from = $windowStart->toDateString();
+        $to = $windowEnd->toDateString();
+
+        $rows = DB::connection(self::DB_CONNECTION)
+            ->table('project_routing_snapshots')
+            ->whereBetween('snapshot_date', [$from, $to])
+            ->groupBy('snapshot_date', 'tenant_id')
+            ->selectRaw('snapshot_date, tenant_id, SUM(expected_volume) AS expected, SUM(delivered_count) AS delivered')
+            ->havingRaw('SUM(expected_volume) > 0')
+            ->get();
+
+        foreach ($rows as $row) {
+            $expected = (int) $row->expected;
+            $delivered = (int) $row->delivered;
+            if ($expected <= 0) {
+                continue;
+            }
+            $shortfall = ($expected - $delivered) / $expected;
+            if ($shortfall <= self::BUSINESS_DRIFT_THRESHOLD) {
+                continue;
+            }
+
+            $mailer->to((string) config('services.supplier.alert_email'))
+                ->send(new \App\Mail\TenantBusinessDriftAlertMail(
+                    tenantId: (int) $row->tenant_id,
+                    snapshotDate: (string) $row->snapshot_date,
+                    expected: $expected,
+                    delivered: $delivered,
+                    shortfallRatio: $shortfall,
+                    windowStart: $windowStart,
+                    windowEnd: $windowEnd,
+                ));
+
+            Log::warning('csv_reconcile.business_drift_alert', [
+                'tenant_id' => (int) $row->tenant_id,
+                'snapshot_date' => (string) $row->snapshot_date,
+                'expected' => $expected,
+                'delivered' => $delivered,
+                'shortfall' => $shortfall,
+            ]);
+        }
+    }
 }
@@ -107,13 +107,16 @@ class SyncSupplierProjectJob implements ShouldQueue
            return;
        }

-        $identifier = SupplierProjectGrouping::buildUniqueKey($project, $platforms[0]);
+        // R-17 (Stage 4 §4.4.1): unified agnostic key (was buildUniqueKey($p, $platform[0])
+        // which diverged for SMS — B3 used sender alone while B2 used sender+keyword;
+        // created orphan supplier_projects rows during sharing rebalance).
+        $identifier = SupplierProjectGrouping::buildUniqueKeyAgnostic($project);

        // GROUP recompute (multi-client): an online edit of ONE project must recompute the
        // WHOLE group sharing this identifier — otherwise it overwrites siblings' regions/
        // limit/days until the nightly batch. Mirrors SyncSupplierProjectsJob::syncGroup so
        // online and nightly produce identical supplier state.
-        $agnostic = SupplierProjectGrouping::buildUniqueKeyAgnostic($project);
+        $agnostic = $identifier;
        $groupProjects = Project::on(self::DB_CONNECTION)
            ->where('is_active', true)
            ->where('signal_type', (string) $project->signal_type)
@@ -125,8 +128,9 @@ class SyncSupplierProjectJob implements ShouldQueue
        $groupActive = $groupProjects->isNotEmpty();
        $status = $groupActive ? 'active' : 'paused';

-        // eligible tomorrow → order/workdays (mirror nightly's eligibility window).
-        $targetWeekday = Carbon::tomorrow('Europe/Moscow')->isoWeekday();
+        // eligible target_date → order/workdays (mirror nightly's eligibility window).
+        // R-18 (Stage 4 §4.4.2): see ::targetWeekdayForNow().
+        $targetWeekday = self::targetWeekdayForNow();
        $eligible = $groupProjects->filter(
            fn (Project $gp) => ((int) $gp->delivery_days_mask & (1 << ($targetWeekday - 1))) !== 0
        )->values();
@@ -384,8 +388,10 @@ class SyncSupplierProjectJob implements ShouldQueue
        $platforms = SupplierProjectGrouping::resolvePlatforms($project);
        $workdays = $this->workdaysFromMask((int) $project->delivery_days_mask);

+        // R-17 (Stage 4 §4.4.1): same agnostic key for all platforms in this batch run
+        // (was per-platform divergence for SMS — created orphan rows).
+        $uniqueKey = SupplierProjectGrouping::buildUniqueKeyAgnostic($project);
        foreach ($platforms as $platform) {
-            $uniqueKey = SupplierProjectGrouping::buildUniqueKey($project, $platform);
            $column = 'supplier_'.strtolower($platform).'_project_id';

            // Idempotency: local supplier_projects-запись уже есть?
@@ -537,4 +543,24 @@ class SyncSupplierProjectJob implements ShouldQueue

        return $out;
    }
+
+    /**
+     * R-18 (Stage 4 §4.4.2): ISO target weekday for online supplier sync.
+     *
+     * Slepok cut-off boundary is 21:00 МСК (matches supplier's snapshot fix-point), not midnight.
+     *   hour <  21 МСК → target = today + 1 day
+     *   hour >= 21 МСК → target = today + 2 days
+     *
+     * Before fix: `Carbon::tomorrow('Europe/Moscow')->isoWeekday()` flipped target at midnight
+     * (Thu 23:59 → Fri; Fri 00:01 → Sat), mis-aligning portal sync with supplier's already-fixed
+     * slepok. The post-21:00 portion of day N belongs to slepok dated N+1 (effective day N+2).
+     */
+    public static function targetWeekdayForNow(): int
+    {
+        $msk = Carbon::now('Europe/Moscow');
+
+        return $msk->hour >= 21
+            ? $msk->copy()->addDays(2)->startOfDay()->isoWeekday()
+            : $msk->copy()->addDay()->startOfDay()->isoWeekday();
+    }
 }
@@ -0,0 +1,51 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Mail;
+
+use Carbon\CarbonInterface;
+use Illuminate\Bus\Queueable;
+use Illuminate\Mail\Mailable;
+use Illuminate\Mail\Mailables\Content;
+use Illuminate\Mail\Mailables\Envelope;
+use Illuminate\Queue\SerializesModels;
+
+/**
+ * Email алерт админу Лидерры о business-shortfall'е тенанта: snapshot ожидал
+ * объём X, фактически доставили Y и (X-Y)/X > порога (20%).
+ *
+ * Отдельно от CsvDriftAlertMail — тот ловит webhook-loss (CSV vs БД),
+ * этот — bizness-drift (snapshot.expected vs delivered).
+ *
+ * Stage 4 §4.4.4 R-05.
+ */
+final class TenantBusinessDriftAlertMail extends Mailable
+{
+    use Queueable;
+    use SerializesModels;
+
+    public function __construct(
+        public readonly int $tenantId,
+        public readonly string $snapshotDate,
+        public readonly int $expected,
+        public readonly int $delivered,
+        public readonly float $shortfallRatio,
+        public readonly CarbonInterface $windowStart,
+        public readonly CarbonInterface $windowEnd,
+    ) {}
+
+    public function envelope(): Envelope
+    {
+        $pct = number_format($this->shortfallRatio * 100, 1, ',', ' ');
+
+        return new Envelope(
+            subject: "Лидерра ↔ Поставщик: business-shortfall tenant #{$this->tenantId} за {$this->snapshotDate} ({$pct}%)",
+        );
+    }
+
+    public function content(): Content
+    {
+        return new Content(view: 'emails.tenant_business_drift_alert');
+    }
+}
@@ -29,6 +29,8 @@ use Illuminate\Support\Facades\DB;
 * @property string $deadline_at
 * @property string|null $completed_at
 * @property bool $processing_restricted
+ *
+ * @mixin IdeHelperPdSubjectRequest
 */
 class PdSubjectRequest extends Model
 {
@@ -8,12 +8,15 @@ use Illuminate\Database\Eloquent\Model;

 /**
 * Замок «поставка ↔ клиент» (Billing v2 Spec B). Композитный PK без автоинкремента.
+ *
 * Пишется в шеринг-пути (RouteSupplierLeadJob) через insertOrIgnore под RLS-контекстом.
 *
 * @property int $supplier_lead_id
 * @property int $tenant_id
 * @property int|null $deal_id
 * @property string $created_at
+ *
+ * @mixin IdeHelperSupplierLeadDelivery
 */
 class SupplierLeadDelivery extends Model
 {
@@ -25,6 +25,8 @@ use Illuminate\Support\Carbon;
 * @property int|null $resolved_by_user_id
 * @property Carbon|null $created_at
 * @property Carbon|null $resolved_at
+ *
+ * @mixin IdeHelperSupplierManualSyncQueue
 */
 class SupplierManualSyncQueue extends Model
 {
@@ -10,6 +10,7 @@ use Illuminate\Database\Eloquent\Model;
 use Illuminate\Database\Eloquent\Relations\BelongsTo;
 use Illuminate\Database\Eloquent\Relations\HasMany;
 use Illuminate\Database\Eloquent\SoftDeletes;
+use Illuminate\Support\Facades\DB;

 /**
 * Тенант — клиент SaaS-портала Лидерра.
@@ -90,9 +91,67 @@ class Tenant extends Model
     */
    public function requiredLeadsForTomorrow(): int
    {
-        return (int) $this->projects()
-            ->where('is_active', true)
-            ->sum('daily_limit_target');
+        // R-19 (Stage 4 §4.4.3): share-aware preflight. For each active project
+        // count the tenant's PROPORTIONAL share of the supplier group order (not
+        // the raw daily_limit_target), since the supplier caps the group at
+        // max(max(limits), ceil(Σ/3)) and splits it across all clients sharing
+        // the same signal_identifier. Legacy projects (signal_type=null —
+        // webhook-only, no supplier sharing) still count their full limit.
+        $projects = $this->projects()->where('is_active', true)->get();
+        if ($projects->isEmpty()) {
+            return 0;
+        }
+
+        $total = 0;
+        foreach ($projects as $p) {
+            // Webhook-only legacy projects don't participate in supplier sharing.
+            if (! in_array($p->signal_type, ['site', 'call', 'sms'], true)) {
+                $total += (int) $p->daily_limit_target;
+
+                continue;
+            }
+
+            $groupLimits = DB::connection('pgsql_supplier')
+                ->table('projects')
+                ->where('is_active', true)
+                ->where('signal_type', $p->signal_type)
+                ->where(function ($q) use ($p): void {
+                    if (in_array($p->signal_type, ['site', 'call'], true)) {
+                        $q->where('signal_identifier', $p->signal_identifier);
+                    } else {
+                        // sms: agnostic group is (first sender, keyword-or-NULL).
+                        $firstSender = (string) ($p->sms_senders[0] ?? '');
+                        $q->whereJsonContains('sms_senders', $firstSender);
+                        if ($p->sms_keyword !== null && $p->sms_keyword !== '') {
+                            $q->where('sms_keyword', $p->sms_keyword);
+                        } else {
+                            $q->whereNull('sms_keyword');
+                        }
+                    }
+                })
+                ->pluck('daily_limit_target')
+                ->all();
+
+            if ($groupLimits === []) {
+                // Edge: project not yet visible from pgsql_supplier view (cross-conn race).
+                // Conservatively count full limit — avoids underestimating preflight.
+                $total += (int) $p->daily_limit_target;
+
+                continue;
+            }
+
+            $intLimits = array_map('intval', $groupLimits);
+            $sum = (int) array_sum($intLimits);
+            $max = (int) max($intLimits);
+            $groupOrder = max($max, (int) ceil($sum / 3));
+
+            if ($sum > 0) {
+                $share = (int) ceil($groupOrder * ((int) $p->daily_limit_target / $sum));
+                $total += $share;
+            }
+        }
+
+        return $total;
    }

    /** @return BelongsTo<TariffPlan, $this> */
@@ -0,0 +1,104 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\Audit;
+
+use InvalidArgumentException;
+
+/**
+ * Shared config hash-chain for 6 audit tables.
+ *
+ * Single source of truth for writer (db/schema.sql trigger audit_chain_hash()),
+ * verify (App\Console\Commands\VerifyAuditChains) and rebuild
+ * (App\Console\Commands\AuditRebuildChain).
+ *
+ * ADR-018: per-tenant via RLS scope for tenant tables,
+ * global for BYPASSRLS tables.
+ *
+ * columns: list in ordinal_position order from db/schema.sql.
+ *   '__log_hash__' -- marker for log_hash position -> NULL::bytea in ROW().
+ *
+ * partition: SQL fragment for OVER (PARTITION BY ... ORDER BY id),
+ *   reproducing the RLS-scope of the trigger.
+ *   '' = global chain within partition (for BYPASSRLS tables).
+ */
+final class AuditChainConfig
+{
+    /**
+     * @var array<string, array{columns: list<string>, partition: string}>
+     */
+    public const TABLES = [
+        'auth_log' => [
+            'columns' => [
+                'id', 'actor_type', 'tenant_id', 'user_id', 'saas_admin_user_id',
+                'email', 'event', 'ip_address', 'user_agent', 'failure_reason',
+                '__log_hash__', 'created_at',
+            ],
+            'partition' => '',
+        ],
+        'activity_log' => [
+            'columns' => [
+                'id', 'tenant_id', 'user_id', 'deal_id', 'event',
+                'old_value', 'new_value', 'context', 'ip_address', 'user_agent',
+                '__log_hash__', 'created_at',
+            ],
+            'partition' => 'PARTITION BY tenant_id',
+        ],
+        'tenant_operations_log' => [
+            'columns' => [
+                'id', 'tenant_id', 'user_id', 'entity_type', 'entity_id',
+                'event', 'payload_before', 'payload_after', 'ip_address', 'user_agent',
+                '__log_hash__', 'created_at',
+            ],
+            'partition' => 'PARTITION BY tenant_id',
+        ],
+        'balance_transactions' => [
+            'columns' => [
+                'id', 'tenant_id', 'type', 'amount_rub', 'amount_leads',
+                'balance_rub_after', 'balance_leads_after', 'description',
+                'related_type', 'related_id', 'user_id', 'admin_user_id',
+                '__log_hash__', 'created_at',
+            ],
+            'partition' => 'PARTITION BY tenant_id',
+        ],
+        'pd_processing_log' => [
+            'columns' => [
+                'id', 'tenant_id', 'subject_type', 'subject_id', 'action',
+                'purpose', 'actor_tenant_user_id', 'actor_admin_user_id', 'ip_address',
+                '__log_hash__', 'created_at',
+            ],
+            'partition' => 'PARTITION BY tenant_id',
+        ],
+        'saas_admin_audit_log' => [
+            'columns' => [
+                'id', 'admin_user_id', 'action', 'target_type', 'target_id',
+                'target_tenant_id', 'payload_before', 'payload_after', 'reason',
+                'ip_address', 'user_agent', 'requires_approval', 'approved_by', 'approved_at',
+                '__log_hash__', 'created_at',
+            ],
+            'partition' => '',
+        ],
+    ];
+
+    /**
+     * Build ROW(col1, col2, ..., NULL::bytea, ..., coln) with NULL::bytea at log_hash position.
+     *
+     * @throws InvalidArgumentException if table is not registered in TABLES
+     */
+    public static function rowExpression(string $table): string
+    {
+        if (! isset(self::TABLES[$table])) {
+            throw new InvalidArgumentException(
+                "Table '{$table}' is not registered in AuditChainConfig::TABLES"
+            );
+        }
+
+        $parts = [];
+        foreach (self::TABLES[$table]['columns'] as $col) {
+            $parts[] = ($col === '__log_hash__') ? 'NULL::bytea' : "t.{$col}";
+        }
+
+        return 'ROW('.implode(', ', $parts).')';
+    }
+}
@@ -56,6 +56,17 @@ final class LedgerService
        );
        $priceKopecks = (int) $tier->price_per_lead_kopecks;

+        // R-03 (Stage 3 §4.3.1): frozen tenant must not receive new charges even
+        // if balance_rub > 0. Throwing here triggers the same auto-pause flow as
+        // InsufficientBalance — RouteSupplierLeadJob::handleInsufficientBalance
+        // flips projects.is_active=false and queues ZeroBalancePausedMail rate-limited.
+        if ($lockedTenant->frozen_by_balance_at !== null) {
+            throw new InsufficientBalanceException(
+                priceKopecks: $priceKopecks,
+                balanceRub: (string) $lockedTenant->balance_rub,
+            );
+        }
+
        // bcmath: balance_rub × 100 ≥ priceKopecks — единственный путь списания.
        // Billing v2 Spec A: prepaid-лиды убраны, balance_leads НЕ читается и НЕ изменяется.
        $balanceKopecks = bcmul((string) $lockedTenant->balance_rub, '100', 0);
@@ -76,6 +76,8 @@ class LeadRouter
                      SELECT 1 FROM tenants
                      WHERE tenants.id = snap.tenant_id
                        AND tenants.balance_rub > 0
+                        -- R-03: frozen tenant must not receive new leads (Stage 3 §4.3.1)
+                        AND tenants.frozen_by_balance_at IS NULL
                  )
                ORDER BY snap.tenant_id,
                         (snap.daily_limit - projects.delivered_today) DESC,
@@ -110,6 +112,8 @@ class LeadRouter
                  SELECT 1 FROM tenants
                  WHERE tenants.id = snap.tenant_id
                    AND tenants.balance_rub > 0
+                    -- R-03: frozen tenant must not receive new leads (Stage 3 §4.3.1)
+                    AND tenants.frozen_by_balance_at IS NULL
              )
            ORDER BY snap.tenant_id,
                     (snap.daily_limit - projects.delivered_today) DESC,
@@ -178,9 +178,11 @@ class SupplierProjectImporter
                ]);
                $createdProjects++;

+                // R-17 (Stage 4 §4.4.1): unified agnostic key — was per-platform divergence
+                // for SMS (B3 used sender alone, B2 sender+keyword) creating orphan rows.
+                $uniqueKey = SupplierProjectGrouping::buildUniqueKeyAgnostic($project);
                foreach ($item['platforms'] as $pl) {
                    $platform = (string) $pl['platform'];
-                    $uniqueKey = SupplierProjectGrouping::buildUniqueKey($project, $platform);

                    /** @var SupplierProject $sp */
                    $sp = SupplierProject::on(self::DB_CONNECTION)->firstOrCreate(
@@ -19,37 +19,14 @@ use App\Models\Project;
 final class SupplierProjectGrouping
 {
    /**
-     * Строит unique_key для пары (project, platform):
-     *   site/call  → signal_identifier (домен / телефон)
-     *   sms B2     → sender + '+' + keyword
-     *   sms B3     → sender
-     *
-     * Для ночного батч-джоба используйте buildUniqueKeyNoplatform() — он
-     * выбирает B2-ключ автоматически при наличии keyword.
-     */
-    public static function buildUniqueKey(Project $project, string $platform): string
-    {
-        if (in_array($project->signal_type, ['site', 'call'], true)) {
-            return (string) $project->signal_identifier;
-        }
-
-        // sms
-        $sender = (string) ($project->sms_senders[0] ?? '');
-
-        if ($platform === 'B2') {
-            return $sender.'+'.($project->sms_keyword ?? '');
-        }
-
-        // B3
-        return $sender;
-    }
-
-    /**
-     * Unique identifier key без привязки к конкретной платформе
-     * (для группировки в ночном батч-джобе):
+     * Unique identifier key — единая агностическая формула для всех платформ
+     * (Stage 4 §4.4.1 R-17, ранее разделялась на platform-specific buildUniqueKey:
+     * B3 использовал sender alone, B2 sender+keyword, что создавало orphan
+     * supplier_projects при rebalance шеринга — мы не могли сопоставить B2/B3
+     * как одну группу):
     *   site/call → signal_identifier
-     *   sms+keyword → sender+keyword  (B2 ключ)
-     *   sms без keyword → sender       (B3 ключ)
+     *   sms+keyword → sender+keyword
+     *   sms без keyword → sender
     */
    public static function buildUniqueKeyAgnostic(Project $project): string
    {
@@ -95,7 +72,6 @@ final class SupplierProjectGrouping
    public static function subjectsOf(Project $project): array
    {
        $regions = array_values((array) $project->regions);
-        // @phpstan-ignore-next-line identical.alwaysFalse — PostgresIntArray PHPDoc non-empty, runtime can be empty
        if (count($regions) === 0) {
            return [null];
        }
@@ -8,6 +8,7 @@ use Illuminate\Foundation\Configuration\Exceptions;
 use Illuminate\Foundation\Configuration\Middleware;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Log;
+use Illuminate\Validation\ValidationException;

 return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
@@ -33,12 +34,43 @@ return Application::configure(basePath: dirname(__DIR__))
        ]);
    })
    ->withExceptions(function (Exceptions $exceptions): void {
+        // Reduce verbosity of constraint-violation logging (SQLSTATE 23xxx):
+        // data-validity errors do not need a full stack trace в laravel.log.
+        // Incident 2026-05-29: 420k повторов B1+SMS check_violation накопили
+        // 8.7 GB stack traces → disk full → 4h prod downtime.
+        // Solution: log a warning summary с sqlstate, return false to stop
+        // default reporting (which would write full stack trace).
+        // Ref: docs/incidents/2026-05-29-disk-full-pg-recovery.md §5
+        $exceptions->reportable(function (QueryException $e) {
+            $sqlState = $e->errorInfo[0] ?? '';
+            if (is_string($sqlState) && str_starts_with($sqlState, '23')) {
+                Log::warning('db.constraint_violation', [
+                    'sqlstate' => $sqlState,
+                    'message' => mb_substr($e->getMessage(), 0, 200),
+                ]);
+
+                return false; // skip default reporting (no stack trace в laravel.log)
+            }
+
+            return null; // continue default reporting для non-constraint QueryExceptions
+        });
+
        $exceptions->render(function (QueryException $e, Request $request) {
-            Log::error('db.query_exception', [
-                'message' => $e->getMessage(),
-                'sql' => $e->getSql(),
-                'path' => $request->path(),
-            ]);
+            $sqlState = $e->errorInfo[0] ?? '';
+            $isConstraintViolation = is_string($sqlState) && str_starts_with($sqlState, '23');
+
+            if (! $isConstraintViolation) {
+                // Default verbose log для non-constraint QueryExceptions (table missing,
+                // syntax error, etc. — these are bugs needing investigation).
+                Log::error('db.query_exception', [
+                    'message' => $e->getMessage(),
+                    'sql' => $e->getSql(),
+                    'path' => $request->path(),
+                ]);
+            }
+            // Constraint violations уже залогированы в reportable() выше как warning,
+            // дублировать не нужно.
+
            if ($request->expectsJson()) {
                return response()->json([
                    'message' => 'Не удалось сохранить. Проверьте данные или попробуйте ещё раз.',
@@ -52,13 +84,14 @@ return Application::configure(basePath: dirname(__DIR__))
        // Without this render, Laravel's default ValidationException handler returns
        // 302 redirect to /, which strips POST body — losing supplier leads.
        // Confirmed 2026-05-25: 76 of 234 webhook hits today got 302 instead of 422.
-        $exceptions->render(function (\Illuminate\Validation\ValidationException $e, Request $request) {
+        $exceptions->render(function (ValidationException $e, Request $request) {
            if ($request->is('api/webhook/supplier/*')) {
                return response()->json([
                    'message' => 'Validation failed',
                    'errors' => $e->errors(),
                ], 422);
            }
+
            return null; // default render for other routes
        });
    })->create();
@@ -0,0 +1,91 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Support\Facades\DB;
+
+/**
+ * Adds per-partition advisory lock to audit_chain_hash() trigger function.
+ *
+ * Root cause: concurrent INSERT workers (e.g. supplier-webhook handlers) all
+ * read the same prev_hash before any of them commits → multiple rows derive
+ * their hash from the same predecessor → hash chain branches → validator finds
+ * mismatches (Finding 1 from Stage-5 Day-1 monitoring).
+ *
+ * Fix: derive a bigint lock key from the physical partition OID (TG_RELID).
+ * pg_advisory_xact_lock() serialises concurrent INSERTs into the SAME partition
+ * without blocking INSERTs to other partitions (distinct OIDs → distinct keys).
+ * The lock is automatically released at transaction end.
+ *
+ * Hash formula: unchanged (verbatim from db/schema.sql:3107-3127):
+ *   digest(COALESCE(prev_hash, ''::bytea) || NEW::text::bytea, 'sha256')
+ *
+ * Ref: docs/superpowers/plans/2026-05-29-audit-chain-race-fix.md Task 2
+ */
+return new class extends Migration
+{
+    public function up(): void
+    {
+        DB::statement(<<<'SQL'
+            CREATE OR REPLACE FUNCTION public.audit_chain_hash() RETURNS trigger AS $$
+            DECLARE
+                prev_hash BYTEA;
+                lock_key  BIGINT;
+            BEGIN
+                -- Derive a partition-specific advisory lock key from the physical
+                -- table OID (TG_RELID). Each child partition has a distinct OID,
+                -- so concurrent INSERTs to DIFFERENT partitions do not block each
+                -- other, while concurrent INSERTs to the SAME partition are
+                -- serialised — preventing the race that branches the hash chain.
+                lock_key := ('x' || lpad(to_hex(TG_RELID::int), 16, '0'))::bit(64)::bigint;
+                PERFORM pg_advisory_xact_lock(lock_key);
+
+                -- Берём log_hash последней строки этой таблицы. NULL для первой записи.
+                -- TG_TABLE_NAME — имя таблицы, через которое триггер сработал; используем
+                -- format/EXECUTE для полиморфности.
+                EXECUTE format(
+                    'SELECT log_hash FROM %I ORDER BY id DESC LIMIT 1',
+                    TG_TABLE_NAME
+                ) INTO prev_hash;
+
+                -- log_hash = sha256(prev_hash || NEW::text). Если prev_hash NULL — берём
+                -- пустую байтовую строку (первая запись цепочки).
+                NEW.log_hash := digest(
+                    COALESCE(prev_hash, ''::bytea) || NEW::text::bytea,
+                    'sha256'
+                );
+                RETURN NEW;
+            END;
+            $$ LANGUAGE plpgsql;
+        SQL);
+    }
+
+    public function down(): void
+    {
+        // Restore verbatim original from db/schema.sql:3107-3127 (without advisory lock).
+        DB::statement(<<<'SQL'
+            CREATE OR REPLACE FUNCTION public.audit_chain_hash() RETURNS trigger AS $$
+            DECLARE
+                prev_hash BYTEA;
+            BEGIN
+                -- Берём log_hash последней строки этой таблицы. NULL для первой записи.
+                -- TG_TABLE_NAME — имя таблицы, через которое триггер сработал; используем
+                -- format/EXECUTE для полиморфности.
+                EXECUTE format(
+                    'SELECT log_hash FROM %I ORDER BY id DESC LIMIT 1',
+                    TG_TABLE_NAME
+                ) INTO prev_hash;
+
+                -- log_hash = sha256(prev_hash || NEW::text). Если prev_hash NULL — берём
+                -- пустую байтовую строку (первая запись цепочки).
+                NEW.log_hash := digest(
+                    COALESCE(prev_hash, ''::bytea) || NEW::text::bytea,
+                    'sha256'
+                );
+                RETURN NEW;
+            END;
+            $$ LANGUAGE plpgsql;
+        SQL);
+    }
+};
@@ -41,6 +41,9 @@ deptrac:
    Request: [Rule, Model]
    Resource: [Model]
    Rule: [Model]
-    Mail: [Model]
+    # Mail может зависеть от Service value objects (PreflightResult и аналоги) —
+    # это legit dependency: template needs data DTO от Service для рендера.
+    # Decision: ADR-005 amend 2026-05-29 (incident-followup cleanup).
+    Mail: [Model, Service]
    Model: []
    Provider: [Controller, Service, Job, Console, Repository, Model, Mail, Middleware, Request, Resource, Rule, Exception]
@@ -51,7 +51,7 @@ parameters:
 		-
 			message: '#^Using nullsafe method call on non\-nullable type Illuminate\\Support\\Carbon\. Use \-\> instead\.$#'
 			identifier: nullsafe.neverNull
-			count: 5
+			count: 6
 			path: app/Http/Controllers/Api/DealController.php

 		-
@@ -84,6 +84,24 @@ parameters:
 			count: 1
 			path: app/Http/Middleware/SetTenantContext.php

+		-
+			message: '#^Access to an undefined property App\\Http\\Resources\\ProjectResource\:\:\$applies_from\.$#'
+			identifier: property.notFound
+			count: 1
+			path: app/Http/Resources/ProjectResource.php
+
+		-
+			message: '#^Parameter \#1 \$array \(non\-empty\-list\<int\>\) of array_values is already a list, call has no effect\.$#'
+			identifier: arrayValues.list
+			count: 1
+			path: app/Jobs/Supplier/SyncSupplierProjectsJob.php
+
+		-
+			message: '#^Parameter \#1 \$column of method Illuminate\\Database\\Eloquent\\Builder\<App\\Models\\Project\>\:\:where\(\) expects array\<int\|model property of App\\Models\\Project, mixed\>\|\(Closure\(Illuminate\\Database\\Eloquent\\Builder\<App\\Models\\Project\>\)\: Illuminate\\Database\\Eloquent\\Builder\<App\\Models\\Project\>\)\|\(Closure\(Illuminate\\Database\\Eloquent\\Builder\<App\\Models\\Project\>\)\: void\)\|Illuminate\\Contracts\\Database\\Query\\Expression\|model property of App\\Models\\Project, ''snap\.snapshot_date'' given\.$#'
+			identifier: argument.type
+			count: 1
+			path: app/Jobs/Supplier/SyncSupplierProjectsJob.php
+
 		-
 			message: '#^Using nullsafe property access "\?\-\>name" on left side of \?\? is unnecessary\. Use \-\> instead\.$#'
 			identifier: nullsafe.neverNull
@@ -102,6 +120,12 @@ parameters:
 			count: 1
 			path: app/Services/NotificationService.php

+		-
+			message: '#^Access to an undefined property App\\Models\\Project\:\:\$applies_from\.$#'
+			identifier: property.notFound
+			count: 1
+			path: app/Services/Project/ProjectService.php
+
 		-
 			message: '#^Match expression does not handle remaining value\: string$#'
 			identifier: match.unhandled
@@ -120,6 +144,90 @@ parameters:
 			count: 1
 			path: app/Services/Supplier/Channel/AjaxProjectChannel.php

+		-
+			message: '#^Class NunoMaduro\\PhpInsights\\Domain\\Insights\\ForbiddenDefineFunctions not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
+		-
+			message: '#^Class NunoMaduro\\PhpInsights\\Domain\\Insights\\ForbiddenFinalClasses not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
+		-
+			message: '#^Class NunoMaduro\\PhpInsights\\Domain\\Insights\\ForbiddenNormalClasses not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
+		-
+			message: '#^Class NunoMaduro\\PhpInsights\\Domain\\Insights\\ForbiddenPrivateMethods not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
+		-
+			message: '#^Class NunoMaduro\\PhpInsights\\Domain\\Insights\\ForbiddenTraits not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
+		-
+			message: '#^Class NunoMaduro\\PhpInsights\\Domain\\Insights\\SyntaxCheck not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
+		-
+			message: '#^Class NunoMaduro\\PhpInsights\\Domain\\Metrics\\Architecture\\Classes not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
+		-
+			message: '#^Class SlevomatCodingStandard\\Sniffs\\Commenting\\UselessFunctionDocCommentSniff not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
+		-
+			message: '#^Class SlevomatCodingStandard\\Sniffs\\Namespaces\\AlphabeticallySortedUsesSniff not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
+		-
+			message: '#^Class SlevomatCodingStandard\\Sniffs\\TypeHints\\DeclareStrictTypesSniff not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
+		-
+			message: '#^Class SlevomatCodingStandard\\Sniffs\\TypeHints\\DisallowMixedTypeHintSniff not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
+		-
+			message: '#^Class SlevomatCodingStandard\\Sniffs\\TypeHints\\ParameterTypeHintSniff not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
+		-
+			message: '#^Class SlevomatCodingStandard\\Sniffs\\TypeHints\\PropertyTypeHintSniff not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
+		-
+			message: '#^Class SlevomatCodingStandard\\Sniffs\\TypeHints\\ReturnTypeHintSniff not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
 		-
 			message: '#^Return type \(array\<string, mixed\>\) of method Database\\Factories\\BalanceTransactionFactory\:\:definition\(\) should be compatible with return type \(array\<model property of App\\Models\\BalanceTransaction, mixed\>\) of method Illuminate\\Database\\Eloquent\\Factories\\Factory\<App\\Models\\BalanceTransaction\>\:\:definition\(\)$#'
 			identifier: method.childReturnType
@@ -156,6 +264,12 @@ parameters:
 			count: 1
 			path: database/factories/UserFactory.php

+		-
+			message: '#^Offset ''SnapshotProjectRout…'' on null in isset\(\) does not exist\.$#'
+			identifier: isset.offset
+			count: 1
+			path: routes/console.php
+
 		-
 			message: '#^Offset ''projects\:reset…'' on null in isset\(\) does not exist\.$#'
 			identifier: isset.offset
@@ -444,6 +558,18 @@ parameters:
 			count: 3
 			path: tests/Feature/ApiKeyControllerTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:artisan\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Audit/AuditChainRaceConditionTest.php
+
+		-
+			message: '#^Using nullsafe property access "\?\-\>cnt" on left side of \?\? is unnecessary\. Use \-\> instead\.$#'
+			identifier: nullsafe.neverNull
+			count: 1
+			path: tests/Feature/Audit/AuditRebuildChainTest.php
+
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
 			identifier: method.notFound
@@ -720,6 +846,36 @@ parameters:
 			count: 6
 			path: tests/Feature/Auth/UpdateProfileTest.php

+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
+			identifier: property.notFound
+			count: 7
+			path: tests/Feature/Billing/BalanceStatusTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$user\.$#'
+			identifier: property.notFound
+			count: 1
+			path: tests/Feature/Billing/BalanceStatusTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Billing/BalanceStatusTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:getJson\(\)\.$#'
+			identifier: method.notFound
+			count: 6
+			path: tests/Feature/Billing/BalanceStatusTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:seed\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Billing/BalanceStatusTest.php
+
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
 			identifier: property.notFound
@@ -750,10 +906,16 @@ parameters:
 			count: 1
 			path: tests/Feature/Billing/BillingOverviewControllerTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:artisan\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Billing/BillingPreflightInitialSweepTest.php
+
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$ledger\.$#'
 			identifier: property.notFound
-			count: 8
+			count: 9
 			path: tests/Feature/Billing/LedgerServiceTest.php

 		-
@@ -768,6 +930,12 @@ parameters:
 			count: 6
 			path: tests/Feature/Billing/PricingTierRepositoryTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
+			identifier: method.notFound
+			count: 4
+			path: tests/Feature/Billing/ProjectPreflightTest.php
+
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
 			identifier: property.notFound
@@ -876,6 +1044,30 @@ parameters:
 			count: 1
 			path: tests/Feature/Console/ResetMonthlyCountersCommandTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:artisan\(\)\.$#'
+			identifier: method.notFound
+			count: 3
+			path: tests/Feature/Console/SnapshotBackfillCommandTest.php
+
+		-
+			message: '#^Static method Carbon\\Carbon\:\:setTestNow\(\) invoked with 2 parameters, 0\-1 required\.$#'
+			identifier: arguments.count
+			count: 2
+			path: tests/Feature/Console/SnapshotBackfillCommandTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:artisan\(\)\.$#'
+			identifier: method.notFound
+			count: 2
+			path: tests/Feature/Console/SnapshotRebuildCommandTest.php
+
+		-
+			message: '#^Static method Carbon\\Carbon\:\:setTestNow\(\) invoked with 2 parameters, 0\-1 required\.$#'
+			identifier: arguments.count
+			count: 2
+			path: tests/Feature/Console/SnapshotRebuildCommandTest.php
+
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:artisan\(\)\.$#'
 			identifier: method.notFound
@@ -1296,6 +1488,12 @@ parameters:
 			count: 5
 			path: tests/Feature/EndpointAuthHardeningTest.php

+		-
+			message: '#^Access to an undefined property App\\Models\\Project\:\:\$applies_from\.$#'
+			identifier: property.notFound
+			count: 1
+			path: tests/Feature/Http/Resources/ProjectResourceAppliesFromTest.php
+
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:postJson\(\)\.$#'
 			identifier: method.notFound
@@ -1308,6 +1506,18 @@ parameters:
 			count: 2
 			path: tests/Feature/Http/Webhook/SupplierWebhookTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:call\(\)\.$#'
+			identifier: method.notFound
+			count: 2
+			path: tests/Feature/Http/Webhook/SupplierWebhookValidationFormatTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:postJson\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Http/Webhook/SupplierWebhookValidationFormatTest.php
+
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$adminId\.$#'
 			identifier: property.notFound
@@ -1422,6 +1632,12 @@ parameters:
 			count: 8
 			path: tests/Feature/Incidents/IncidentsWatchFailuresExpandedTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:artisan\(\)\.$#'
+			identifier: method.notFound
+			count: 5
+			path: tests/Feature/Incidents/SingleLeadStormTest.php
+
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:postJson\(\)\.$#'
 			identifier: method.notFound
@@ -1434,12 +1650,48 @@ parameters:
 			count: 1
 			path: tests/Feature/Integration/SupplierLeadFlowTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:seed\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Jobs/RouteSupplierLeadJobSnapshotTest.php
+
+		-
+			message: '#^Static method Carbon\\Carbon\:\:setTestNow\(\) invoked with 2 parameters, 0\-1 required\.$#'
+			identifier: arguments.count
+			count: 2
+			path: tests/Feature/Jobs/RouteSupplierLeadJobSnapshotTest.php
+
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:seed\(\)\.$#'
 			identifier: method.notFound
 			count: 1
 			path: tests/Feature/Jobs/RouteSupplierLeadJobTest.php

+		-
+			message: '#^Static method Carbon\\Carbon\:\:setTestNow\(\) invoked with 2 parameters, 0\-1 required\.$#'
+			identifier: arguments.count
+			count: 1
+			path: tests/Feature/Jobs/SnapshotProjectRoutingJobTest.php
+
+		-
+			message: '#^Static method Carbon\\Carbon\:\:setTestNow\(\) invoked with 2 parameters, 0\-1 required\.$#'
+			identifier: arguments.count
+			count: 4
+			path: tests/Feature/Jobs/Supplier/SyncSupplierProjectsJobSnapshotTest.php
+
+		-
+			message: '#^Static method Carbon\\Carbon\:\:setTestNow\(\) invoked with 2 parameters, 0\-1 required\.$#'
+			identifier: arguments.count
+			count: 1
+			path: tests/Feature/LeadRouter/FrozenFilterTest.php
+
+		-
+			message: '#^Static method Carbon\\Carbon\:\:setTestNow\(\) invoked with 2 parameters, 0\-1 required\.$#'
+			identifier: arguments.count
+			count: 4
+			path: tests/Feature/LeadRouter/SnapshotRoutingTest.php
+
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:getJson\(\)\.$#'
 			identifier: method.notFound
@@ -2016,6 +2268,24 @@ parameters:
 			count: 3
 			path: tests/Feature/Security/WebhookUrlChangeAuditTest.php

+		-
+			message: '#^Access to an undefined property App\\Models\\Project\:\:\$applies_from\.$#'
+			identifier: property.notFound
+			count: 5
+			path: tests/Feature/Services/Project/ProjectServiceAppliesFromTest.php
+
+		-
+			message: '#^Static method Carbon\\Carbon\:\:setTestNow\(\) invoked with 2 parameters, 0\-1 required\.$#'
+			identifier: arguments.count
+			count: 4
+			path: tests/Feature/Services/Project/ProjectServiceAppliesFromTest.php
+
+		-
+			message: '#^Static method Carbon\\Carbon\:\:setTestNow\(\) invoked with 2 parameters, 0\-1 required\.$#'
+			identifier: arguments.count
+			count: 5
+			path: tests/Feature/Services/Project/SupplierSnapshotGuardAppliesFromTest.php
+
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$project\.$#'
 			identifier: property.notFound
@@ -2064,12 +2334,48 @@ parameters:
 			count: 1
 			path: tests/Feature/Supplier/CsvReconcileJobTest.php

+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$project\.$#'
+			identifier: property.notFound
+			count: 2
+			path: tests/Feature/Supplier/CsvWebhookRaceTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$sp\.$#'
+			identifier: property.notFound
+			count: 7
+			path: tests/Feature/Supplier/CsvWebhookRaceTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
+			identifier: property.notFound
+			count: 8
+			path: tests/Feature/Supplier/CsvWebhookRaceTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:seed\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Supplier/CsvWebhookRaceTest.php
+
 		-
 			message: '#^Call to an undefined method Mockery\\ExpectationInterface\|Mockery\\HigherOrderMessage\:\:once\(\)\.$#'
 			identifier: method.notFound
 			count: 1
 			path: tests/Feature/Supplier/DeleteSupplierProjectJobTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:postJson\(\)\.$#'
+			identifier: method.notFound
+			count: 3
+			path: tests/Feature/Supplier/DirectPlatformTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:seed\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Supplier/DirectPlatformTest.php
+
 		-
 			message: '#^Call to an undefined method Mockery\\ExpectationInterface\|Mockery\\HigherOrderMessage\:\:andThrow\(\)\.$#'
 			identifier: method.notFound
@@ -2148,12 +2454,30 @@ parameters:
 			count: 1
 			path: tests/Feature/Supplier/SupplierProjectImporterTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:artisan\(\)\.$#'
+			identifier: method.notFound
+			count: 3
+			path: tests/Feature/Supplier/SupplierRekeyOrphansCommandTest.php
+
 		-
 			message: '#^Call to an undefined method App\\Services\\Supplier\\PlaywrightBridge\:\:shouldReceive\(\)\.$#'
 			identifier: method.notFound
 			count: 1
 			path: tests/Feature/Supplier/SupplierSessionRefreshCommandTest.php

+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$sharedProject\.$#'
+			identifier: property.notFound
+			count: 7
+			path: tests/Feature/Supplier/SupplierWebhookFastFailTest.php
+
+		-
+			message: '#^Using nullsafe property access "\?\-\>error" on left side of \?\? is unnecessary\. Use \-\> instead\.$#'
+			identifier: nullsafe.neverNull
+			count: 2
+			path: tests/Feature/Supplier/SupplierWebhookFastFailTest.php
+
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:mock\(\)\.$#'
 			identifier: method.notFound
@@ -2274,6 +2598,42 @@ parameters:
 			count: 6
 			path: tests/Unit/Services/Pd/ImpersonationAuditServiceTest.php

+		-
+			message: '#^Call to an undefined method Mockery\\ExpectationInterface\|Mockery\\HigherOrderMessage\:\:once\(\)\.$#'
+			identifier: method.notFound
+			count: 2
+			path: tests/Unit/Services/Project/ProjectServiceGuardWiringTest.php
+
+		-
+			message: '#^Call to method PHPUnit\\Framework\\Assert\:\:assertTrue\(\) with true will always evaluate to true\.$#'
+			identifier: method.alreadyNarrowedType
+			count: 3
+			path: tests/Unit/Services/Project/ProjectServiceGuardWiringTest.php
+
+		-
+			message: '#^Parameter \#2 \$snapshotGuard of class App\\Services\\Project\\ProjectService constructor expects App\\Services\\Project\\SupplierSnapshotGuard, Mockery\\MockInterface given\.$#'
+			identifier: argument.type
+			count: 3
+			path: tests/Unit/Services/Project/ProjectServiceGuardWiringTest.php
+
+		-
+			message: '#^Call to an undefined method Mockery\\ExpectationInterface\|Mockery\\HigherOrderMessage\:\:with\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Unit/Services/Project/SupplierSnapshotGuardTest.php
+
+		-
+			message: '#^Call to method PHPUnit\\Framework\\Assert\:\:assertTrue\(\) with true will always evaluate to true\.$#'
+			identifier: method.alreadyNarrowedType
+			count: 1
+			path: tests/Unit/Services/Project/SupplierSnapshotGuardTest.php
+
+		-
+			message: '#^Property App\\Models\\IdeHelperProject\:\:\$paused_at \(Illuminate\\Support\\Carbon\|null\) does not accept Carbon\\CarbonImmutable\.$#'
+			identifier: assign.propertyType
+			count: 2
+			path: tests/Unit/Services/Project/SupplierSnapshotGuardTest.php
+
 		-
 			message: '#^Call to an undefined method App\\Services\\Supplier\\ProcessFactory\:\:shouldReceive\(\)\.$#'
 			identifier: method.notFound
@@ -1 +0,0 @@
-.admin-billing[data-v-47839b68]{max-width:1400px}.page-title[data-v-47839b68]{font-variation-settings:"opsz" 28;letter-spacing:-.018em}.font-mono[data-v-47839b68]{font-family:JetBrains Mono,ui-monospace,monospace}.tabular[data-v-47839b68]{font-feature-settings:"tnum"}
@@ -1 +0,0 @@
-.admin-impersonation[data-v-95920034]{max-width:1440px}.page-head[data-v-95920034]{flex-wrap:wrap;justify-content:space-between;align-items:flex-start;gap:12px;display:flex}.page-title[data-v-95920034]{font-variation-settings:"opsz" 28;letter-spacing:-.018em}.num[data-v-95920034]{font-feature-settings:"tnum";font-family:JetBrains Mono,ui-monospace,monospace;font-weight:500}.reason-cell[data-v-95920034]{white-space:normal;color:#081319;max-width:320px;font-size:13px;line-height:1.4}
@@ -1 +0,0 @@
-import{$r as e,An as t,Fn as n,Ln as r,On as i,Pn as a,Qn as o,S as s,Xn as c,br as l,er as u,jn as d,kn as f,t as p,ur as m,wn as h}from"./VBtn-jqIH42oB.js";import{r as g}from"./client-DciL1iD_.js";import{t as _}from"./VCard-C989ornn.js";import{t as v}from"./VContainer-C5vy10SJ.js";import{L as y,Q as b,X as x,Y as S,pt as C}from"./app-B35roqUp.js";import{t as w}from"./VTable-B_0j40S4.js";var T={class:`page-head mb-4`},E={class:`text-h6 mb-3`},D={key:0,class:`text-center py-4`},O={key:1,class:`text-medium-emphasis text-center py-4`,"data-testid":`active-empty`},k={class:`num`},A={class:`text-caption`},j={class:`reason-cell`},M={class:`num text-medium-emphasis`},N={class:`num text-medium-emphasis`},P={class:`text-end`},F={class:`text-h6 mb-3`},I={key:0,class:`text-center py-4`},L={key:1,class:`text-medium-emphasis text-center py-4`,"data-testid":`recent-empty`},R={class:`num`},z={class:`reason-cell`},B={class:`num`},V={class:`num text-medium-emphasis`},H=C(r({__name:`AdminImpersonationView`,setup(r,{expose:C}){let H=l([]),U=l([]),W=l(!1),G=l(!1),K=l(null),q=l(null);async function J(){W.value=!0;try{H.value=await S()}catch(e){K.value=g(e,`Не удалось загрузить активные сессии.`)}finally{W.value=!1}}async function Y(){G.value=!0;try{U.value=await b()}catch(e){K.value=g(e,`Не удалось загрузить недавние сессии.`)}finally{G.value=!1}}async function X(e){q.value=e;try{await x(e),await Promise.all([J(),Y()])}catch(e){K.value=g(e,`Не удалось завершить сессию.`)}finally{q.value=null}}function Z(e){return new Date(e).toLocaleString(`ru-RU`,{dateStyle:`short`,timeStyle:`short`})}function Q(e){return e===null?`—`:e<60?`${e} сек`:e<3600?`${Math.floor(e/60)} мин ${e%60} сек`:`${Math.floor(e/3600)} ч ${Math.floor(e%3600/60)} мин`}function $(e){let t=new Date(e).getTime()-Date.now();if(t<=0)return`истёк`;let n=Math.floor(t/6e4);return n<60?`через ${n} мин`:`через ${Math.floor(n/60)} ч`}return c(()=>{J(),Y()}),C({active:H,recent:U,loadActive:J,loadRecent:Y,endSession:X}),(r,c)=>(o(),f(v,{fluid:``,class:`admin-impersonation pa-6`},{default:m(()=>[i(`header`,T,[c[2]||=i(`div`,null,[i(`h1`,{class:`text-h4 page-title`},`Impersonation`),i(`p`,{class:`text-body-2 text-medium-emphasis ma-0`},`Активные сессии «вход как клиент» (Ю-1 / ТЗ §22.7).`)],-1),n(p,{variant:`outlined`,size:`small`,"prepend-icon":`mdi-refresh`,loading:W.value,"data-testid":`refresh-btn`,onClick:c[0]||=e=>{J(),Y()}},{default:m(()=>[...c[1]||=[a(` Обновить `,-1)]]),_:1},8,[`loading`])]),K.value?(o(),f(y,{key:0,type:`error`,variant:`tonal`,density:`compact`,class:`mb-4`,"data-testid":`error-alert`},{default:m(()=>[a(e(K.value),1)]),_:1})):t(``,!0),n(_,{variant:`outlined`,class:`pa-4 mb-4`,"data-testid":`active-section`},{default:m(()=>[i(`h2`,E,`Активные (`+e(H.value.length)+`)`,1),W.value?(o(),d(`div`,D,[n(s,{indeterminate:``,color:`primary`})])):H.value.length===0?(o(),d(`div`,O,` Нет активных impersonation-сессий. `)):(o(),f(w,{key:2,density:`comfortable`},{default:m(()=>[c[4]||=i(`thead`,null,[i(`tr`,null,[i(`th`,null,`Тенант`),i(`th`,null,`Admin ID`),i(`th`,null,`Email клиента`),i(`th`,null,`Основание`),i(`th`,null,`Активна с`),i(`th`,null,`TTL`),i(`th`,{class:`text-end`},`Действие`)])],-1),i(`tbody`,null,[(o(!0),d(h,null,u(H.value,t=>(o(),d(`tr`,{key:t.token_id,"data-testid":`active-row`},[i(`td`,null,e(t.tenant_name??`#${t.tenant_id}`),1),i(`td`,k,e(t.requested_by),1),i(`td`,A,e(t.sent_to_email),1),i(`td`,j,e(t.reason),1),i(`td`,M,e(Z(t.used_at)),1),i(`td`,N,e($(t.expires_at)),1),i(`td`,P,[n(p,{size:`small`,color:`error`,variant:`tonal`,"prepend-icon":`mdi-stop-circle-outline`,loading:q.value===t.token_id,"data-testid":`end-btn-${t.token_id}`,onClick:e=>X(t.token_id)},{default:m(()=>[...c[3]||=[a(` Завершить `,-1)]]),_:1},8,[`loading`,`data-testid`,`onClick`])])]))),128))])]),_:1}))]),_:1}),n(_,{variant:`outlined`,class:`pa-4`,"data-testid":`recent-section`},{default:m(()=>[i(`h2`,F,`Недавно завершённые (`+e(U.value.length)+`)`,1),G.value?(o(),d(`div`,I,[n(s,{indeterminate:``,color:`primary`})])):U.value.length===0?(o(),d(`div`,L,` История impersonation-сессий пуста. `)):(o(),f(w,{key:2,density:`comfortable`},{default:m(()=>[c[5]||=i(`thead`,null,[i(`tr`,null,[i(`th`,null,`Тенант`),i(`th`,null,`Admin`),i(`th`,null,`Основание`),i(`th`,null,`Длилась`),i(`th`,null,`Завершена`)])],-1),i(`tbody`,null,[(o(!0),d(h,null,u(U.value,t=>(o(),d(`tr`,{key:t.token_id,"data-testid":`recent-row`},[i(`td`,null,e(t.tenant_name??`#${t.tenant_id}`),1),i(`td`,R,e(t.requested_by),1),i(`td`,z,e(t.reason),1),i(`td`,B,e(Q(t.duration_seconds)),1),i(`td`,V,e(Z(t.session_ended_at)),1)]))),128))])]),_:1}))]),_:1})]),_:1}))}}),[[`__scopeId`,`data-v-95920034`]]);export{H as default};
@@ -1 +0,0 @@
-.incident-detail[data-v-ce603457]{max-width:1200px}.font-mono[data-v-ce603457]{font-family:JetBrains Mono,ui-monospace,monospace}
@@ -1 +0,0 @@
-.admin-incidents[data-v-046c45ba]{max-width:1200px}.page-title[data-v-046c45ba]{font-variation-settings:"opsz" 28;letter-spacing:-.018em}.incident-row[data-v-046c45ba]{border-bottom:1px solid #e1eeea;padding-block:12px}.incident-row[data-v-046c45ba]:last-child{border-bottom:none}.incident-header[data-v-046c45ba]{flex-wrap:wrap;align-items:center;display:flex}.font-mono[data-v-046c45ba]{font-family:JetBrains Mono,ui-monospace,monospace}
@@ -1 +0,0 @@
-.admin-pd[data-v-319667ee]{max-width:1200px}.page-title[data-v-319667ee]{font-variation-settings:"opsz" 28;letter-spacing:-.018em}.font-mono[data-v-319667ee]{font-family:JetBrains Mono,ui-monospace,monospace}
@@ -1 +0,0 @@
-.numeric-tnum[data-v-e2a92351] td{font-feature-settings:"tnum";font-family:JetBrains Mono,monospace}.editor-table[data-v-e2a92351]{border-collapse:collapse;width:100%}.editor-table th[data-v-e2a92351],.editor-table td[data-v-e2a92351]{border-bottom:1px solid #0000000f;padding:8px 12px}
@@ -1 +0,0 @@
-import{$r as e,An as t,Fn as n,Ln as r,On as i,Pn as a,Qn as o,U as s,Un as c,Xn as l,br as u,jn as d,kn as f,t as p,ur as m,vr as h}from"./VBtn-jqIH42oB.js";import{r as g}from"./client-DciL1iD_.js";import{t as _}from"./VCard-C989ornn.js";import{t as v}from"./VDataTable-Dzc0CcJn.js";import{K as y,L as b,ct as x,n as S,pt as C}from"./app-B35roqUp.js";import{t as w}from"./VTooltip-B_F7vkTJ.js";import{t as T}from"./VSnackbar-CYtcr--G.js";import{t as E}from"./VSwitch-DWOKnc9M.js";var D={class:`admin-supplier-prices-view`},O={class:`d-flex flex-column align-end ga-1`},k=C(r({__name:`AdminSupplierPricesView`,setup(r,{expose:C}){let k=u([]),A=h({}),j=h({}),M=u(null),N=u(!1),P=u(``),F=[{title:`Code`,key:`code`,sortable:!1,width:80},{title:`Name`,key:`name`,sortable:!1},{title:`Cost (₽)`,key:`cost_rub`,sortable:!1,width:140},{title:`Quality`,key:`quality_score`,sortable:!1,width:100},{title:`Active`,key:`is_active`,sortable:!1,width:100},{title:`Действия`,key:`actions`,sortable:!1,width:120}];async function I(){M.value=null;try{k.value=await y()}catch(e){M.value=g(e,`Не удалось загрузить список поставщиков.`)}}async function L(e){A[e.id]=!0,delete j[e.id];try{await x(e.id,{cost_rub:e.cost_rub,quality_score:e.quality_score,is_active:e.is_active}),P.value=`Сохранено: ${e.name} (${e.code}).`,N.value=!0}catch(t){j[e.id]=g(t,`Не удалось сохранить изменения.`)}finally{A[e.id]=!1}}return l(I),C({load:I,save:L,suppliers:k,saving:A,errorMessages:j,fetchError:M,successToastOpen:N,successToastText:P}),(r,l)=>(o(),d(`div`,D,[l[4]||=i(`h1`,{class:`text-h4 mb-6`},`Цены поставщиков (закупка)`,-1),M.value?(o(),f(b,{key:0,type:`warning`,variant:`tonal`,class:`mb-4`,density:`compact`,"data-testid":`suppliers-fetch-error`,closable:``,"onClick:close":l[0]||=e=>M.value=null},{default:m(()=>[a(e(M.value),1)]),_:1})):t(``,!0),n(_,{elevation:`1`},{default:m(()=>[n(v,{headers:F,items:k.value,density:`comfortable`,class:`numeric-tnum`},{"item.cost_rub":m(({item:e})=>[n(S,{modelValue:e.cost_rub,"onUpdate:modelValue":t=>e.cost_rub=t,type:`number`,step:`0.01`,min:`0`,density:`compact`,"hide-details":``,variant:`plain`,"aria-label":`Cost (₽) для ${e.name}`},null,8,[`modelValue`,`onUpdate:modelValue`,`aria-label`])]),"item.quality_score":m(({item:e})=>[n(S,{modelValue:e.quality_score,"onUpdate:modelValue":t=>e.quality_score=t,type:`number`,step:`0.01`,min:`0`,max:`9.99`,density:`compact`,"hide-details":``,variant:`plain`,"aria-label":`Quality для ${e.name}`},null,8,[`modelValue`,`onUpdate:modelValue`,`aria-label`])]),"item.is_active":m(({item:e})=>[n(E,{modelValue:e.is_active,"onUpdate:modelValue":t=>e.is_active=t,"hide-details":``,inset:``,density:`compact`,"aria-label":`Active для ${e.name}`},null,8,[`modelValue`,`onUpdate:modelValue`,`aria-label`])]),"item.actions":m(({item:r})=>[i(`div`,O,[n(p,{size:`small`,color:`primary`,loading:!!A[r.id],onClick:e=>L(r)},{default:m(()=>[...l[2]||=[a(` Сохранить `,-1)]]),_:1},8,[`loading`,`onClick`]),j[r.id]?(o(),f(w,{key:0,location:`left`},{activator:m(({props:e})=>[n(s,c(e,{color:`error`,size:`small`,"data-testid":`supplier-error-${r.id}`}),{default:m(()=>[...l[3]||=[a(` mdi-alert-circle `,-1)]]),_:1},16,[`data-testid`])]),default:m(()=>[i(`span`,null,e(j[r.id]),1)]),_:2},1024)):t(``,!0)])]),_:2},1032,[`items`])]),_:1}),n(T,{modelValue:N.value,"onUpdate:modelValue":l[1]||=e=>N.value=e,timeout:3e3,color:`success`,location:`bottom right`,"data-testid":`supplier-success-toast`},{default:m(()=>[a(e(P.value),1)]),_:1},8,[`modelValue`])]))}}),[[`__scopeId`,`data-v-21c7d181`]]);export{k as default};
@@ -1 +0,0 @@
-.numeric-tnum[data-v-21c7d181] td{font-feature-settings:"tnum";font-family:JetBrains Mono,monospace}
@@ -1 +0,0 @@
-.font-mono[data-v-bf79a138]{font-feature-settings:"tnum";font-family:JetBrains Mono,ui-monospace,monospace}.value-block[data-v-bf79a138]{word-break:break-all;background:#f6f3ec;border-radius:4px;padding:6px 10px;font-size:13px}.diff-block[data-v-bf79a138]{flex-direction:column;gap:12px;display:flex}.diff-row[data-v-bf79a138]{flex-direction:column;gap:4px;display:flex}.diff-before[data-v-bf79a138]{color:#842029;background:#fde8e8;text-decoration:line-through}.diff-after[data-v-bf79a138]{color:#0a4029;background:#d8f1e6}.reason-block[data-v-bf79a138]{background:#fff8e6;border-left:3px solid #b88a00;border-radius:4px;padding:8px 12px;font-size:13px}.admin-system[data-v-fc62e5e5]{max-width:1100px}.page-title[data-v-fc62e5e5]{font-variation-settings:"opsz" 28;letter-spacing:-.018em}.setting-row[data-v-fc62e5e5]{border-bottom:1px solid #e1eeea;padding-block:12px}.setting-row[data-v-fc62e5e5]:last-child{border-bottom:none}.setting-header[data-v-fc62e5e5]{align-items:center;display:flex}.setting-key[data-v-fc62e5e5]{color:#081319;font-size:14px;font-weight:500}.setting-value[data-v-fc62e5e5]{background:#f6f3ec;border-radius:4px;padding:4px 8px;font-size:13px;display:inline-block}.font-mono[data-v-fc62e5e5]{font-family:JetBrains Mono,ui-monospace,monospace}
@@ -1 +0,0 @@
-.page-head[data-v-c9a2d228]{flex-direction:column;gap:12px;display:flex}.head-main[data-v-c9a2d228]{flex-wrap:wrap;justify-content:space-between;align-items:flex-start;gap:16px;display:flex}.page-title[data-v-c9a2d228]{font-variation-settings:"opsz" 28;letter-spacing:-.018em}.page-meta[data-v-c9a2d228]{flex-wrap:wrap;align-items:center;gap:6px;display:flex}.page-meta .sep[data-v-c9a2d228]{color:#6b6356}.head-actions[data-v-c9a2d228]{align-items:center;gap:12px;display:flex}.kpi-row[data-v-c9a2d228]{grid-template-columns:repeat(4,1fr);gap:12px;display:grid}@media (width<=960px){.kpi-row[data-v-c9a2d228]{grid-template-columns:repeat(2,1fr)}}.kpi-card[data-v-c9a2d228]{background:#fff}.kpi-label[data-v-c9a2d228]{text-transform:uppercase;letter-spacing:.05em}.kpi-value[data-v-c9a2d228]{color:#081319;margin-top:4px;font-size:24px}.kpi-sub[data-v-c9a2d228]{margin-top:4px}.num[data-v-c9a2d228],.num[data-v-17149fea]{font-feature-settings:"tnum";font-family:JetBrains Mono,ui-monospace,monospace;font-weight:500}.font-mono[data-v-17149fea]{font-family:JetBrains Mono,ui-monospace,monospace}.panel[data-v-17149fea]{background:#fff}.activity-list[data-v-17149fea]{margin:0;padding:0;list-style:none}.activity-item[data-v-17149fea]{border-bottom:1px solid #f0ede4;grid-template-columns:130px 1fr;gap:16px;padding:10px 0;display:grid}.activity-item[data-v-17149fea]:last-child{border-bottom:none}.act-event[data-v-17149fea]{margin-bottom:2px}.act-actor[data-v-17149fea]{margin-left:6px}.tenant-detail[data-v-770767cd]{max-width:1440px}
@@ -1 +0,0 @@
-.page-head[data-v-57e4b62a]{flex-wrap:wrap;justify-content:space-between;align-items:flex-start;gap:16px;display:flex}.page-title[data-v-57e4b62a]{font-variation-settings:"opsz" 28;letter-spacing:-.018em}.page-stats[data-v-57e4b62a]{flex-wrap:wrap;align-items:center;gap:6px;display:flex}.page-stats .sep[data-v-57e4b62a]{color:#6b6356}.num[data-v-57e4b62a]{font-feature-settings:"tnum";font-family:JetBrains Mono,ui-monospace,monospace;font-weight:500}.filter-bar[data-v-c327d3bb]{flex-wrap:wrap;align-items:center;gap:8px;display:flex}.search-input[data-v-c327d3bb]{flex:320px;max-width:360px}.panel[data-v-29e11ca8]{background:#fff}.num[data-v-29e11ca8]{font-feature-settings:"tnum";font-family:JetBrains Mono,ui-monospace,monospace;font-weight:500}.cell-tenant[data-v-29e11ca8]{padding:4px 0}.t-name[data-v-29e11ca8]{color:#081319;font-weight:500}.admin-tenants[data-v-36c2e556]{max-width:1440px}
@@ -1 +0,0 @@
-.activity-chart[data-v-d6b06d1f]{background:#fff}.panel-head[data-v-d6b06d1f]{flex-wrap:wrap;justify-content:space-between;align-items:flex-start;gap:16px;display:flex}.panel-title[data-v-d6b06d1f]{font-variation-settings:"opsz" 18;letter-spacing:-.01em;color:#081319}.chart-wrap[data-v-d6b06d1f]{width:100%}.chart-wrap svg[data-v-d6b06d1f]{width:100%;height:220px;display:block}.chart-axis-y[data-v-d6b06d1f],.chart-axis-x[data-v-d6b06d1f]{fill:#66635c;font-family:JetBrains Mono,ui-monospace,monospace;font-size:11px}.chart-axis-x.today[data-v-d6b06d1f]{fill:#0f6e56;font-weight:600}.chart-legend[data-v-d6b06d1f]{color:#66635c;border-top:1px solid #f0ede4;gap:20px;padding-top:12px;font-size:12px;display:flex}.ldot[data-v-d6b06d1f]{vertical-align:-1px;border-radius:50%;width:10px;height:10px;margin-right:6px;display:inline-block}.ldot.received[data-v-d6b06d1f]{background:#0a1319}.ldot.paid[data-v-d6b06d1f]{background:#0f6e56}.ldot.refused[data-v-d6b06d1f]{background:#b94837}.funnel-chart[data-v-f4d15c97]{background:#fff}.panel-head[data-v-f4d15c97]{flex-wrap:wrap;justify-content:space-between;align-items:flex-start;gap:4px;display:flex}.panel-title[data-v-f4d15c97]{font-variation-settings:"opsz" 18;letter-spacing:-.01em;color:#081319}.funnel-bar[data-v-f4d15c97]{background:#f0ede4;border-radius:6px;height:12px;display:flex;overflow:hidden}.funnel-seg[data-v-f4d15c97]{height:100%;transition:filter .15s}.funnel-seg[data-v-f4d15c97]:hover{filter:brightness(1.1)}.funnel-list[data-v-f4d15c97]{border-top:1px solid #f0ede4;grid-template-columns:repeat(2,1fr);gap:8px 16px;margin-top:12px;display:grid}.funnel-list-item[data-v-f4d15c97]{grid-template-columns:12px 1fr auto;align-items:center;gap:10px;font-size:13px;display:grid}.dot[data-v-f4d15c97]{border-radius:50%;width:10px;height:10px}.name[data-v-f4d15c97]{color:#343c41}.qty[data-v-f4d15c97]{font-feature-settings:"tnum";color:#081319;font-family:JetBrains Mono,ui-monospace,monospace;font-weight:500}.page-head[data-v-7dc7f30a]{flex-wrap:wrap;justify-content:space-between;align-items:flex-start;gap:16px;display:flex}.page-greet[data-v-7dc7f30a]{font-variation-settings:"opsz" 28;letter-spacing:-.018em}.page-greet em[data-v-7dc7f30a]{font-style:normal;font-weight:600}.page-meta[data-v-7dc7f30a]{flex-wrap:wrap;align-items:center;gap:6px;display:flex}.page-meta .sep[data-v-7dc7f30a]{color:#6b6356}.num[data-v-7dc7f30a]{font-feature-settings:"tnum";font-family:JetBrains Mono,ui-monospace,monospace;font-weight:500}.kpi-card[data-v-c56e8e4f]{background:#fff;transition:border-color .15s;border-color:#d9d5cd!important}.kpi-card[data-v-c56e8e4f]:hover{border-color:#66635c!important}.kpi-label[data-v-c56e8e4f]{margin-bottom:8px;font-size:13px}.kpi-value[data-v-c56e8e4f]{font-feature-settings:"tnum";color:#081319;font-family:JetBrains Mono,ui-monospace,monospace;font-size:32px;font-weight:600;line-height:1.1}.kpi-unit[data-v-c56e8e4f]{color:#66635c;margin-left:2px;font-size:18px;font-weight:500}.kpi-foot[data-v-c56e8e4f]{flex-wrap:wrap;align-items:center;gap:4px;display:flex}.delta-up[data-v-c56e8e4f],.delta-down[data-v-c56e8e4f],.delta-neutral[data-v-c56e8e4f]{align-items:center;gap:2px;font-weight:500;display:inline-flex}.delta-up[data-v-c56e8e4f]{color:#1b6e3b}.delta-down[data-v-c56e8e4f]{color:#b83a3a}.balance-card[data-v-605b9eb2]{color:#fff;height:100%;background:#012019!important}.balance-row1[data-v-605b9eb2]{align-items:center;display:flex}.balance-label[data-v-605b9eb2]{text-transform:uppercase;letter-spacing:.06em;color:#7a8c87;font-family:JetBrains Mono,ui-monospace,monospace;font-size:12px}.balance-amount[data-v-605b9eb2]{margin-top:8px;font-size:32px;font-weight:600;line-height:1.1}.balance-amount .num[data-v-605b9eb2]{font-feature-settings:"tnum";color:#fff;letter-spacing:-.01em;font-family:JetBrains Mono,ui-monospace,monospace}.balance-amount .ru[data-v-605b9eb2]{color:#7a8c87;font-weight:500}.runway-bar[data-v-605b9eb2]{gap:4px;display:flex}.runway-fill[data-v-605b9eb2]{background:#ffffff14;border-radius:3px;flex:1;height:6px}.runway-fill.filled[data-v-605b9eb2]{background:#32c8a9}.runway-foot[data-v-605b9eb2]{color:#7a8c87;justify-content:space-between;margin-top:6px;font-family:JetBrains Mono,ui-monospace,monospace;display:flex}.runway-foot strong[data-v-605b9eb2]{color:#fff;font-weight:500}.runway-action[data-v-605b9eb2]{color:#32c8a9;text-decoration:none}.runway-action[data-v-605b9eb2]:hover{color:#fff}.dashboard[data-v-d996e311]{max-width:1440px}.ld-meta[data-v-d996e311]{color:#66635c;letter-spacing:.02em;align-items:center;gap:8px;font-size:12px;display:inline-flex}
@@ -1 +0,0 @@
-.hero-eyebrow[data-v-34aa2fc7]{text-transform:uppercase;letter-spacing:.06em;font-family:JetBrains Mono,ui-monospace,monospace}.hero-row[data-v-34aa2fc7]{justify-content:space-between;align-items:flex-start;gap:12px;display:flex}.hero-name[data-v-34aa2fc7]{font-variation-settings:"opsz" 24;letter-spacing:-.018em;color:#081319;line-height:1.2}.hero-meta[data-v-34aa2fc7]{flex-wrap:wrap;align-items:center;gap:6px;display:flex}.phone-link[data-v-34aa2fc7]{font-feature-settings:"tnum";color:#0f6e56;font-family:JetBrains Mono,ui-monospace,monospace;font-size:13px;text-decoration:none}.phone-link[data-v-34aa2fc7]:hover{text-decoration:underline}.hero-meta .sep[data-v-34aa2fc7]{color:#6b6356}.status-row[data-v-34aa2fc7]{display:flex}.status-dot[data-v-34aa2fc7]{border-radius:50%;width:6px;height:6px;margin-right:6px;display:inline-block}.section-title[data-v-ea3c482b]{color:#081319;font-weight:600}.timeline[data-v-ea3c482b]{flex-direction:column;gap:16px;margin:0;padding:0;list-style:none;display:flex}.timeline-item[data-v-ea3c482b]{align-items:flex-start;gap:12px;display:flex;position:relative}.timeline-item[data-v-ea3c482b]:before{content:"";background:#e8e3d6;width:1px;position:absolute;top:28px;bottom:-16px;left:11px}.timeline-item[data-v-ea3c482b]:last-child:before{display:none}.timeline-icon[data-v-ea3c482b]{color:#0f6e56;z-index:1;background:#e1eeea;border-radius:50%;flex-shrink:0;justify-content:center;align-items:center;width:24px;height:24px;display:flex}.timeline-body[data-v-ea3c482b]{flex:1;min-width:0}.timeline-head[data-v-ea3c482b]{justify-content:space-between;align-items:center;gap:8px;display:flex}.timeline-type[data-v-ea3c482b]{text-transform:uppercase;letter-spacing:.04em;font-size:11px}.timeline-time[data-v-ea3c482b]{font-family:JetBrains Mono,ui-monospace,monospace;font-size:11px}.timeline-detail[data-v-ea3c482b]{color:#081319;margin-top:2px;line-height:1.4}.timeline-actor[data-v-ea3c482b]{align-items:center;margin-top:4px;font-size:11px;display:flex}.drawer-content[data-v-0bcffee3]{flex-direction:column;display:flex}.section-title[data-v-0bcffee3]{color:#081319;font-weight:600}.params[data-v-0bcffee3]{grid-template-columns:1fr 1fr;gap:16px 12px;margin:0;display:grid}.param dt[data-v-0bcffee3]{margin-bottom:2px;font-size:11px}.param dd[data-v-0bcffee3]{color:#081319;margin:0}.param .link[data-v-0bcffee3]{color:#0f6e56;cursor:pointer}.param .link[data-v-0bcffee3]:hover{text-decoration:underline}.num[data-v-0bcffee3]{font-feature-settings:"tnum";font-family:JetBrains Mono,ui-monospace,monospace}.reminders-list[data-v-0bcffee3]{flex-direction:column;gap:6px;margin:0;padding:0;list-style:none;display:flex}.reminder-row[data-v-0bcffee3]{background:#fdfaf3;border:1px solid #e8e3d6;border-radius:6px;align-items:center;gap:8px;padding:6px 8px;display:flex}.reminder-body[data-v-0bcffee3]{flex:1;min-width:0}.reminder-text[data-v-0bcffee3]{color:#081319;font-size:13px;line-height:1.4}.reminder-meta[data-v-0bcffee3]{margin-top:2px}.deal-drawer[data-v-ac9a3618]{background:#fff}.deal-detail-inline[data-v-ac9a3618]{background:#fff;border:1px solid #e8e3d6;border-radius:8px;flex:0 0 400px;align-self:flex-start;width:400px;max-height:calc(100vh - 160px);position:sticky;top:16px;overflow-y:auto}
@@ -1 +0,0 @@
-.deals-filters[data-v-af2abc17]{flex-wrap:wrap;align-items:center;gap:12px;display:flex}.filters-search[data-v-af2abc17]{flex:240px;max-width:320px}.filters-select[data-v-af2abc17]{min-width:170px;max-width:220px}.num[data-v-acc61311]{font-feature-settings:"tnum";font-family:JetBrains Mono,ui-monospace,monospace;font-weight:500}.status-dot[data-v-acc61311]{border-radius:50%;width:6px;height:6px;margin-right:6px;display:inline-block}.bulk-bar[data-v-acc61311]{z-index:4;position:sticky;top:0}.bulk-bar-inner[data-v-acc61311]{align-items:center;gap:8px;padding:8px 12px;display:flex}.bulk-count[data-v-acc61311]{color:#f6f3ec;font-size:13px}.ld-status-pill[data-v-f6f91b1f]{border-radius:var(--radius-full);align-items:center;padding:3px 9px;font-size:11px;font-weight:500;transition:background .3s cubic-bezier(.16,1,.3,1),color .3s cubic-bezier(.16,1,.3,1);display:inline-flex}.deals-table-card[data-v-890aefe6]{background:#fff}.num[data-v-890aefe6]{font-feature-settings:"tnum";font-family:JetBrains Mono,ui-monospace,monospace}.cell-source[data-v-890aefe6]{flex-direction:column;line-height:1.3;display:flex}.source-project[data-v-890aefe6]{color:#081319;font-weight:500}.source-signal[data-v-890aefe6]{color:#6b6356;font-size:11px}.cell-comment[data-v-890aefe6]{text-overflow:ellipsis;white-space:nowrap;vertical-align:bottom;max-width:240px;display:inline-block;overflow:hidden}[data-v-890aefe6] .deals-row-active{background:#0f6e5612}.deals[data-v-200de09c]{max-width:1440px}.page-head[data-v-200de09c]{flex-wrap:wrap;justify-content:space-between;align-items:flex-start;gap:16px;display:flex}.page-title[data-v-200de09c]{font-variation-settings:"opsz" 28;letter-spacing:-.018em}.num[data-v-200de09c]{font-feature-settings:"tnum";font-family:JetBrains Mono,ui-monospace,monospace;font-weight:500}.export-panel[data-v-200de09c]{background:#fff}.export-panel-inner[data-v-200de09c]{flex-wrap:wrap;align-items:center;gap:12px;padding:12px 16px;display:flex}.export-label[data-v-200de09c]{color:#6b6356;flex-shrink:0}.date-input[data-v-200de09c]{max-width:170px}.perpage[data-v-200de09c]{align-items:center;gap:12px;display:flex}.deals-body[data-v-200de09c]{align-items:flex-start;gap:16px;display:flex}.deals-list[data-v-200de09c]{flex:auto;min-width:0}.tfoot[data-v-200de09c]{justify-content:center;display:flex}
@@ -1 +0,0 @@
-.top-brand[data-v-dae75305]{color:#fff;letter-spacing:-.01em;align-items:center;gap:10px;padding:24px 32px;font-size:16px;font-weight:600;text-decoration:none;display:inline-flex}.top-brand .mark[data-v-dae75305]{background:#ffffff0f;border-radius:5px;justify-content:center;align-items:center;width:24px;height:24px;display:inline-flex}.top-brand .dot[data-v-dae75305]{color:#32c8a9}.err-code[data-v-2c738e33]{color:#fff;letter-spacing:-.04em;margin:0 0 16px;font-family:JetBrains Mono,ui-monospace,monospace;font-size:96px;font-weight:600;line-height:1}.err-code .accent[data-v-2c738e33]{color:#32c8a9}.err-actions[data-v-19c1ad5a]{flex-wrap:wrap;justify-content:center;gap:12px;margin-bottom:24px;display:flex}.status-list[data-v-046e8c3e]{flex-wrap:wrap;justify-content:center;gap:16px;margin-bottom:16px;display:flex}.status-item[data-v-046e8c3e]{color:#b1c2bd;align-items:center;gap:6px;font-family:JetBrains Mono,ui-monospace,monospace;font-size:12px;display:inline-flex}.status-item .dot[data-v-046e8c3e]{border-radius:50%;width:8px;height:8px}.err-id[data-v-046e8c3e]{background:#ffffff0d;border-radius:6px;align-items:center;gap:8px;margin-bottom:12px;padding:6px 10px;display:inline-flex}.request-id[data-v-046e8c3e]{color:#fff;font-family:JetBrains Mono,ui-monospace,monospace;font-size:12px;font-weight:500}.err-help[data-v-046e8c3e]{color:#7a8c87;margin-top:16px}.err-help__link[data-v-046e8c3e]{color:#d3dad8;text-decoration:underline}.err-help__link[data-v-046e8c3e]:hover{color:#fff}.error-main[data-v-146e80bf]{color:#fff;background:#012019;flex-direction:column;min-height:100vh;display:flex}.error-content[data-v-146e80bf]{text-align:center;flex-direction:column;flex:1;justify-content:center;align-items:center;max-width:560px;margin:0 auto;padding:24px 32px 80px;display:flex}.err-title[data-v-146e80bf]{font-variation-settings:"opsz" 28;letter-spacing:-.018em;color:#fff;margin:0 0 12px;font-size:28px;font-weight:600}.err-desc[data-v-146e80bf]{color:#b1c2bd;margin:0 0 24px;font-size:15px;line-height:1.55}
@@ -1 +0,0 @@
-import{$r as e,An as t,Cn as n,Dn as r,Dr as i,Fn as a,Ln as o,On as s,Pn as c,Qn as l,br as u,kn as d,t as f,ur as p}from"./VBtn-jqIH42oB.js";import{a as m}from"./client-DciL1iD_.js";import{t as h}from"./VCard-C989ornn.js";import{L as g,mt as _,n as v,pt as y}from"./app-B35roqUp.js";import{t as b}from"./VForm-CfFpV0nz.js";var x=y(o({__name:`ForgotPasswordView`,setup(o){let y=u(``),x=u({}),S=u(!1),C=_(),w=r(()=>y.value.length>0&&/.+@.+/.test(y.value));async function T(){x.value={};try{await C.requestPasswordReset(y.value),S.value=!0}catch(e){let t=m(e);t?x.value=t:C.lockoutSeconds===null&&(x.value={email:[`Произошла ошибка. Попробуйте позже.`]})}}return(r,o)=>(l(),d(h,{variant:`flat`,"max-width":380,width:`100%`,color:`transparent`,class:`forgot-card`},{default:p(()=>[o[6]||=s(`header`,{class:`forgot-header`},[s(`h1`,{class:`text-h5 mb-1`},`Сброс пароля`),s(`p`,{class:`text-body-2 text-medium-emphasis ma-0`},` Введите email, на который зарегистрирован аккаунт. Отправим ссылку для сброса. `)],-1),S.value?(l(),d(g,{key:0,type:`success`,variant:`tonal`,density:`comfortable`,"data-testid":`forgot-success`},{default:p(()=>[...o[1]||=[c(` Если такой email зарегистрирован — мы отправили ссылку для сброса пароля. Проверьте почту в течение нескольких минут (письмо может попасть в спам). `,-1)]]),_:1})):t(``,!0),i(C).lockoutSeconds===null?t(``,!0):(l(),d(g,{key:1,type:`error`,variant:`tonal`,density:`compact`,"data-testid":`lockout-alert`},{default:p(()=>[c(` Слишком много попыток. Попробуйте через `+e(Math.ceil(i(C).lockoutSeconds/60))+` мин. `,1)]),_:1})),S.value?(l(),d(f,{key:3,to:{name:`login`},variant:`outlined`,block:``,size:`large`,"prepend-icon":`mdi-arrow-left`,class:`mt-2`},{default:p(()=>[...o[5]||=[c(` Назад ко входу `,-1)]]),_:1})):(l(),d(b,{key:2,class:`forgot-form`,onSubmit:n(T,[`prevent`])},{default:p(()=>[a(v,{modelValue:y.value,"onUpdate:modelValue":o[0]||=e=>y.value=e,label:`Email`,type:`email`,autocomplete:`email`,placeholder:`manager@yourcompany.ru`,variant:`outlined`,density:`comfortable`,required:``,"error-messages":x.value.email},null,8,[`modelValue`,`error-messages`]),a(g,{type:`info`,variant:`tonal`,density:`compact`,class:`mb-2 a11y-info-darker`},{default:p(()=>[...o[2]||=[c(` Лимит — `,-1),s(`strong`,null,`5 попыток в 15 минут`,-1),c(`. Если не пришло письмо — проверьте спам или попробуйте через 15 минут. `,-1)]]),_:1}),a(f,{type:`submit`,color:`primary`,block:``,size:`large`,variant:`flat`,disabled:!w.value,loading:i(C).loading},{default:p(()=>[...o[3]||=[c(` Отправить ссылку `,-1)]]),_:1},8,[`disabled`,`loading`]),a(f,{to:{name:`login`},variant:`outlined`,block:``,size:`large`,"prepend-icon":`mdi-arrow-left`},{default:p(()=>[...o[4]||=[c(` Назад ко входу `,-1)]]),_:1})]),_:1}))]),_:1}))}}),[[`__scopeId`,`data-v-d73708c4`]]);export{x as default};
@@ -1 +0,0 @@
-.forgot-card[data-v-d73708c4]{flex-direction:column;gap:20px;display:flex}.a11y-info-darker[data-v-d73708c4] .v-alert__content,.a11y-info-darker[data-v-d73708c4] .v-alert__content strong{color:#2a5a6e}.forgot-header h1[data-v-d73708c4]{font-variation-settings:"opsz" 26;letter-spacing:-.018em}.forgot-form[data-v-d73708c4]{flex-direction:column;gap:8px;display:flex}
@@ -1 +0,0 @@
-.v-file-input--hide.v-input .v-field,.v-file-input--hide.v-input .v-input__control,.v-file-input--hide.v-input .v-input__details{display:none}.v-file-input--hide.v-input .v-input__prepend{grid-area:control;margin:0 auto}.v-file-input--chips.v-input--density-compact .v-field--variant-solo .v-label.v-field-label--floating,.v-file-input--chips.v-input--density-compact .v-field--variant-solo-inverted .v-label.v-field-label--floating,.v-file-input--chips.v-input--density-compact .v-field--variant-filled .v-label.v-field-label--floating,.v-file-input--chips.v-input--density-compact .v-field--variant-solo-filled .v-label.v-field-label--floating{top:0}.v-file-input .v-field__input{word-break:break-word}.v-file-input input[type=file]{opacity:0;z-index:0;width:100%;height:100%;position:absolute;top:0;left:0}.v-file-input--dragging input[type=file]{z-index:1}.v-file-input .v-input__details{padding-inline:16px}.v-input--plain-underlined.v-file-input .v-input__details{padding-inline:0}.import-view[data-v-23888a08]{max-width:1100px}
@@ -1 +0,0 @@
-.kanban-card[data-v-e5129a9b]{cursor:pointer;background:#fff;transition:border-color .15s,transform .15s}.kanban-card[data-v-e5129a9b]:hover{transform:translateY(-1px);border-color:#66635c!important}.card-name[data-v-e5129a9b]{color:#081319;font-size:13px;font-weight:500;line-height:1.3}.card-phone[data-v-e5129a9b]{font-feature-settings:"tnum";font-family:JetBrains Mono,ui-monospace,monospace;font-size:11px}.card-meta[data-v-e5129a9b]{justify-content:space-between;align-items:center;display:flex}.card-project[data-v-e5129a9b]{color:#66635c;text-overflow:ellipsis;white-space:nowrap;max-width:60%;overflow:hidden}.card-cost[data-v-e5129a9b]{font-feature-settings:"tnum";color:#081319;font-family:JetBrains Mono,ui-monospace,monospace;font-size:12px;font-weight:500}.card-foot[data-v-e5129a9b]{align-items:center;display:flex}.num[data-v-e5129a9b]{font-feature-settings:"tnum";font-family:JetBrains Mono,ui-monospace,monospace}.kanban-column[data-v-4886dd38]{background:#f0ede4;border-radius:8px;flex-direction:column;flex:0 0 280px;width:280px;max-height:100%;display:flex}.column-head[data-v-4886dd38]{border-top:3px solid var(--accent);background:#f6f3ec;border-radius:8px 8px 0 0;padding:12px}.column-head-row[data-v-4886dd38]{justify-content:space-between;align-items:center;display:flex}.column-name[data-v-4886dd38]{color:#081319;letter-spacing:-.005em;font-size:13px;font-weight:600}.column-count[data-v-4886dd38]{font-feature-settings:"tnum";color:#66635c;background:#fff;border:1px solid #d9d5cd;border-radius:10px;padding:1px 8px;font-family:JetBrains Mono,ui-monospace,monospace;font-size:12px}.column-total[data-v-4886dd38]{font-feature-settings:"tnum";color:var(--accent);margin-top:2px;font-family:JetBrains Mono,ui-monospace,monospace;font-size:11px;font-weight:500}.column-body[data-v-4886dd38]{flex:auto;min-height:80px;padding:8px;overflow-y:auto}.column-empty[data-v-4886dd38]{text-align:center;color:#92907b;border:1px dashed #d9d5cd;border-radius:6px;margin-top:8px;padding:24px 0}.ghost-card[data-v-4886dd38]{opacity:.4;background:#e1eeea!important}.drag-card[data-v-4886dd38]{opacity:.95;transform:rotate(1deg)}.kanban[data-v-dcbc0809]{flex-direction:column;max-width:100%;height:100%;display:flex}.page-head[data-v-dcbc0809]{flex-wrap:wrap;justify-content:space-between;align-items:flex-start;gap:16px;display:flex}.page-title[data-v-dcbc0809]{font-variation-settings:"opsz" 28;letter-spacing:-.018em}.page-stats[data-v-dcbc0809]{flex-wrap:wrap;align-items:center;gap:6px;display:flex}.page-stats .sep[data-v-dcbc0809]{color:#6b6356}.num[data-v-dcbc0809]{font-feature-settings:"tnum";font-family:JetBrains Mono,ui-monospace,monospace;font-weight:500}.kanban-board[data-v-dcbc0809]{flex:auto;gap:12px;min-height:600px;padding-bottom:12px;display:flex;overflow:auto hidden}.kanban-board[data-v-dcbc0809]::-webkit-scrollbar{height:8px}.kanban-board[data-v-dcbc0809]::-webkit-scrollbar-track{background:0 0}.kanban-board[data-v-dcbc0809]::-webkit-scrollbar-thumb{background:#d9d5cd;border-radius:4px}.kanban-board[data-v-dcbc0809]::-webkit-scrollbar-thumb:hover{background:#92907b}
@@ -1 +0,0 @@
-.legal-card[data-v-46d32b6b]{flex-direction:column;gap:16px;display:flex}.legal-header h1[data-v-46d32b6b]{font-variation-settings:"opsz" 24;letter-spacing:-.01em}.legal-back[data-v-46d32b6b]{text-decoration:none}.legal-back[data-v-46d32b6b]:hover{text-decoration:underline}
@@ -1 +0,0 @@
-import{$r as e,Dn as t,Fn as n,Ln as r,On as i,Pn as a,Qn as o,kn as s,nr as c,ur as l}from"./VBtn-jqIH42oB.js";import{t as u}from"./VCard-C989ornn.js";import{L as d,pt as f,xt as p}from"./app-B35roqUp.js";var m={class:`legal-header`},h={class:`text-h5 mb-1`},g={class:`text-body-2 text-medium-emphasis ma-0`},_=f(r({__name:`LegalDocView`,setup(r){let f={offer:{title:`Договор-оферта`,intro:`Публичная оферта на оказание услуг сервиса «Лидерра» — условия использования платформы, права и обязанности сторон, порядок оплаты.`},privacy:{title:`Политика конфиденциальности`,intro:`Порядок обработки и защиты персональных данных пользователей сервиса «Лидерра» в соответствии с Федеральным законом № 152-ФЗ «О персональных данных».`}},_=p(),v=t(()=>String(_.params.doc)===`privacy`?f.privacy:f.offer);return(t,r)=>{let f=c(`RouterLink`);return o(),s(u,{variant:`flat`,"max-width":480,width:`100%`,color:`transparent`,class:`legal-card`},{default:l(()=>[i(`header`,m,[i(`h1`,h,e(v.value.title),1),i(`p`,g,e(v.value.intro),1)]),n(d,{type:`info`,variant:`tonal`,density:`compact`,role:`note`,"data-testid":`legal-stub-notice`},{default:l(()=>[...r[0]||=[a(` Финальная редакция документа готовится и будет опубликована до запуска сервиса. `,-1)]]),_:1}),n(f,{to:`/login`,class:`text-body-2 text-primary legal-back`},{default:l(()=>[...r[1]||=[a(`← Вернуться ко входу`,-1)]]),_:1})]),_:1})}}}),[[`__scopeId`,`data-v-46d32b6b`]]);export{_ as default};
@@ -1 +0,0 @@
-import{$r as e,An as t,Cn as n,Dr as r,Fn as i,Ln as a,On as o,Pn as s,Qn as c,Sn as l,U as u,Un as d,br as f,kn as p,nr as m,t as h,ur as g}from"./VBtn-jqIH42oB.js";import{a as _}from"./client-DciL1iD_.js";import{t as v}from"./VCard-C989ornn.js";import{F as y,L as b,St as x,mt as S,n as C,pt as w}from"./app-B35roqUp.js";import{t as T}from"./VForm-CfFpV0nz.js";import{t as E}from"./VTooltip-B_F7vkTJ.js";var D={class:`login-header`},O={class:`text-body-2 text-medium-emphasis ma-0`},k={class:`d-flex justify-end mb-2`},A=w(a({__name:`LoginView`,setup(a){let w=f(``),A=f(``),j=f(!1),M=f({}),N=S(),P=x();async function F(){M.value={};try{let e=await N.login({email:w.value,password:A.value});await P.push(e.requires_2fa?`/2fa`:`/dashboard`)}catch(e){let t=_(e);t?M.value=t:M.value={email:[`Произошла ошибка. Попробуйте позже.`]}}}return(a,f)=>{let _=m(`RouterLink`);return c(),p(v,{variant:`flat`,"max-width":380,width:`100%`,color:`transparent`,class:`login-card`},{default:g(()=>[o(`header`,D,[f[7]||=o(`h1`,{class:`text-h5 mb-1`},`Вход в Лидерру`,-1),o(`p`,O,[f[6]||=s(` Нет аккаунта? `,-1),i(_,{to:`/register`,class:`text-primary`},{default:g(()=>[...f[5]||=[s(` Зарегистрируйтесь `,-1)]]),_:1})])]),r(N).lockoutSeconds===null?t(``,!0):(c(),p(b,{key:0,type:`error`,variant:`tonal`,density:`compact`,class:`mb-3`,"data-testid":`lockout-alert`},{default:g(()=>[s(` Слишком много попыток. Попробуйте через `+e(Math.ceil(r(N).lockoutSeconds/60))+` мин. `,1)]),_:1})),i(T,{class:`login-form`,onSubmit:n(F,[`prevent`])},{default:g(()=>[i(C,{modelValue:w.value,"onUpdate:modelValue":f[0]||=e=>w.value=e,label:`Email`,type:`email`,autocomplete:`email`,placeholder:`manager@yourcompany.ru`,variant:`outlined`,density:`comfortable`,required:``,"error-messages":M.value.email},null,8,[`modelValue`,`error-messages`]),i(C,{modelValue:A.value,"onUpdate:modelValue":f[4]||=e=>A.value=e,label:`Пароль`,type:j.value?`text`:`password`,autocomplete:`current-password`,placeholder:`Минимум 8 символов`,variant:`outlined`,density:`comfortable`,required:``,"error-messages":M.value.password},{"append-inner":g(()=>[i(u,{class:`password-toggle`,icon:j.value?`mdi-eye-off`:`mdi-eye`,"aria-label":j.value?`Скрыть пароль`:`Показать пароль`,role:`button`,tabindex:`0`,onClick:f[1]||=e=>j.value=!j.value,onKeydown:[f[2]||=l(n(e=>j.value=!j.value,[`prevent`]),[`enter`]),f[3]||=l(n(e=>j.value=!j.value,[`prevent`]),[`space`])]},null,8,[`icon`,`aria-label`])]),_:1},8,[`modelValue`,`type`,`error-messages`]),o(`div`,k,[i(_,{to:`/forgot`,class:`text-body-2 text-primary`},{default:g(()=>[...f[8]||=[s(` Забыли пароль? `,-1)]]),_:1})]),i(h,{type:`submit`,color:`primary`,block:``,size:`large`,variant:`flat`,loading:r(N).loading},{default:g(()=>[...f[9]||=[s(` Войти `,-1)]]),_:1},8,[`loading`]),i(y,{class:`my-4`},{default:g(()=>[...f[10]||=[o(`span`,{class:`text-caption text-medium-emphasis`},`или`,-1)]]),_:1}),i(E,{text:`Вход через Yandex 360 станет доступен после регистрации юр. лица (Б-1).`,location:`top`},{activator:g(({props:e})=>[o(`div`,d(e,{class:`yandex-sso-wrap`}),[i(h,{block:``,size:`large`,variant:`outlined`,disabled:``},{default:g(()=>[...f[11]||=[s(` Войти через Yandex 360 `,-1)]]),_:1})],16)]),_:1})]),_:1})]),_:1})}}}),[[`__scopeId`,`data-v-d91dee69`]]);export{A as default};
@@ -1 +0,0 @@
-.login-card[data-v-d91dee69]{flex-direction:column;gap:20px;display:flex}.login-header h1[data-v-d91dee69]{font-variation-settings:"opsz" 26;letter-spacing:-.018em}.login-form[data-v-d91dee69]{flex-direction:column;gap:4px;display:flex}.yandex-sso-wrap[data-v-d91dee69]{width:100%}.password-toggle[data-v-d91dee69]:focus-visible{outline-offset:1px;border-radius:2px;outline:2px solid}
@@ -1 +0,0 @@
-import{$r as e,An as t,Cn as n,Dn as r,Dr as i,Fn as a,Ln as o,On as s,Pn as c,Qn as l,Sn as u,U as d,br as f,jn as p,kn as m,nr as h,p as g,t as _,ur as v}from"./VBtn-jqIH42oB.js";import{a as y}from"./client-DciL1iD_.js";import{t as b}from"./VCard-C989ornn.js";import{St as x,mt as S,n as C,pt as w}from"./app-B35roqUp.js";import{t as T}from"./VForm-CfFpV0nz.js";import{t as E}from"./VCheckbox-C5b-N6kS.js";var D={class:`register-header`},O={class:`text-body-2 text-medium-emphasis ma-0`},k={key:0,class:`strength-block mb-2`},A={class:`text-caption text-medium-emphasis`},j={class:`checks`},M=w(o({__name:`RegisterView`,setup(o){let w=f(``),M=f(``),N=f(!1),P=f(!1),F=f(!1),I=f({}),L=S(),R=x(),z=r(()=>{let e=M.value;if(!e)return 0;let t=0;return e.length>=8&&t++,/[A-ZА-Я]/.test(e)&&/[a-zа-я]/.test(e)&&t++,/\d/.test(e)&&t++,/[^A-Za-zА-Яа-я0-9]/.test(e)&&t++,t}),B=r(()=>[`—`,`Слабый`,`Средний`,`Хороший`,`Надёжный`][z.value]),V=r(()=>[``,`error`,`warning`,`info`,`success`][z.value]),H=r(()=>w.value.length>0&&M.value.length>=8&&P.value&&F.value);async function U(){I.value={};try{let e=await L.register({email:w.value,password:M.value,accept_offer:P.value,accept_pdn:F.value});await R.push(e.requires_2fa?`/2fa`:`/dashboard`)}catch(e){let t=y(e);t?I.value=t:I.value={email:[`Произошла ошибка. Попробуйте позже.`]}}}return(r,o)=>{let f=h(`RouterLink`);return l(),m(b,{variant:`flat`,"max-width":380,width:`100%`,color:`transparent`,class:`register-card`},{default:v(()=>[s(`header`,D,[o[9]||=s(`h1`,{class:`text-h5 mb-1`},`Создать аккаунт`,-1),s(`p`,O,[o[8]||=c(` Уже есть? `,-1),a(f,{to:`/login`,class:`text-primary`},{default:v(()=>[...o[7]||=[c(` Войдите `,-1)]]),_:1})])]),a(T,{class:`register-form`,onSubmit:n(U,[`prevent`])},{default:v(()=>[a(C,{modelValue:w.value,"onUpdate:modelValue":o[0]||=e=>w.value=e,label:`Рабочий email`,type:`email`,autocomplete:`email`,placeholder:`manager@yourcompany.ru`,variant:`outlined`,density:`comfortable`,required:``,"error-messages":I.value.email},null,8,[`modelValue`,`error-messages`]),a(C,{modelValue:M.value,"onUpdate:modelValue":o[4]||=e=>M.value=e,label:`Пароль`,type:N.value?`text`:`password`,autocomplete:`new-password`,placeholder:`Минимум 8 символов`,variant:`outlined`,density:`comfortable`,required:``,"error-messages":I.value.password},{"append-inner":v(()=>[a(d,{class:`password-toggle`,icon:N.value?`mdi-eye-off`:`mdi-eye`,"aria-label":N.value?`Скрыть пароль`:`Показать пароль`,role:`button`,tabindex:`0`,onClick:o[1]||=e=>N.value=!N.value,onKeydown:[o[2]||=u(n(e=>N.value=!N.value,[`prevent`]),[`enter`]),o[3]||=u(n(e=>N.value=!N.value,[`prevent`]),[`space`])]},null,8,[`icon`,`aria-label`])]),_:1},8,[`modelValue`,`type`,`error-messages`]),M.value?(l(),p(`div`,k,[a(g,{"model-value":z.value/4*100,color:V.value,height:`4`,rounded:``},null,8,[`model-value`,`color`]),s(`span`,A,e(B.value),1)])):t(``,!0),s(`div`,j,[a(E,{modelValue:P.value,"onUpdate:modelValue":o[5]||=e=>P.value=e,density:`compact`,"hide-details":``,color:`primary`},{label:v(()=>[...o[10]||=[s(`span`,{class:`text-body-2`},[c(` Принимаю `),s(`a`,{href:`/legal/offer`,class:`text-primary`,target:`_blank`,rel:`noopener`},`оферту`)],-1)]]),_:1},8,[`modelValue`]),a(E,{modelValue:F.value,"onUpdate:modelValue":o[6]||=e=>F.value=e,density:`compact`,"hide-details":``,color:`primary`},{label:v(()=>[...o[11]||=[s(`span`,{class:`text-body-2`},[c(` Согласен с `),s(`a`,{href:`/legal/privacy`,class:`text-primary`,target:`_blank`,rel:`noopener`},` политикой обработки персональных данных `)],-1)]]),_:1},8,[`modelValue`])]),a(_,{type:`submit`,color:`primary`,block:``,size:`large`,variant:`flat`,disabled:!H.value,loading:i(L).loading},{default:v(()=>[...o[12]||=[c(` Создать аккаунт `,-1)]]),_:1},8,[`disabled`,`loading`])]),_:1})]),_:1})}}}),[[`__scopeId`,`data-v-64384ef1`]]);export{M as default};
@@ -1 +0,0 @@
-.register-card[data-v-64384ef1]{flex-direction:column;gap:16px;display:flex}.register-header h1[data-v-64384ef1]{font-variation-settings:"opsz" 26;letter-spacing:-.018em}.register-form[data-v-64384ef1],.strength-block[data-v-64384ef1]{flex-direction:column;gap:4px;display:flex}.checks[data-v-64384ef1]{flex-direction:column;gap:4px;margin-bottom:8px;display:flex}.password-toggle[data-v-64384ef1]:focus-visible{outline-offset:1px;border-radius:2px;outline:2px solid}
@@ -1 +0,0 @@
-.datetime-row[data-v-963ac491]{flex-direction:column;gap:6px;margin-top:8px;display:flex}.datetime-label[data-v-963ac491]{color:#66635c;font-size:12px;font-weight:500}.datetime-input[data-v-963ac491]{background:#fff;border:1px solid #d9d5cd;border-radius:6px;width:100%;padding:10px 12px;font-family:inherit;font-size:14px}.datetime-input[data-v-963ac491]:focus{outline-offset:-1px;border-color:#0f6e56;outline:2px solid #0f6e56}
@@ -1 +0,0 @@
-import{$r as e,An as t,Cn as n,Dn as r,Fn as i,Hn as a,Ln as o,On as s,Pn as c,Qn as l,ar as u,bn as d,br as f,cr as p,dr as m,kn as h,t as g,ur as _}from"./VBtn-jqIH42oB.js";import{i as v,n as y,o as b,t as x}from"./VCard-C989ornn.js";import{L as S,M as C,i as w,pt as T,y as E}from"./app-B35roqUp.js";import{t as D}from"./VForm-CfFpV0nz.js";import{t as O}from"./VTextarea-D7tbGrFk.js";var k={class:`datetime-row`},A=T(o({__name:`ReminderDialog`,props:a({dealId:{},reminder:{}},{modelValue:{type:Boolean,required:!0},modelModifiers:{}}),emits:a([`saved`],[`update:modelValue`]),setup(a,{emit:o}){let T=u(a,`modelValue`),A=a,j=o,M=E(),N=r(()=>A.reminder!==null&&A.reminder!==void 0),P=r(()=>N.value?`Редактировать напоминание`:`Новое напоминание`),F=f(``),I=f(``),L=f(null),R=f(!1);function z(){let e=new Date(Date.now()+3600*1e3),t=e=>String(e).padStart(2,`0`);return`${e.getFullYear()}-${t(e.getMonth()+1)}-${t(e.getDate())}T${t(e.getHours())}:${t(e.getMinutes())}`}function B(e){if(!e)return z();let t=new Date(e),n=e=>String(e).padStart(2,`0`);return`${t.getFullYear()}-${n(t.getMonth()+1)}-${n(t.getDate())}T${n(t.getHours())}:${n(t.getMinutes())}`}p(T,e=>{e&&(N.value&&A.reminder?(F.value=A.reminder.text??``,I.value=B(A.reminder.remind_at)):(F.value=``,I.value=z()),L.value=null)},{immediate:!0});async function V(){if(L.value=null,!I.value){L.value=`Укажите дату и время напоминания.`;return}let e=new Date(I.value).toISOString();R.value=!0;try{let t=null;if(N.value&&A.reminder)t=await M.update(A.reminder.id,{text:F.value.trim()||null,remind_at:e});else{if(!A.dealId){L.value=`Не указан deal_id для создания.`;return}t=await M.create({deal_id:A.dealId,text:F.value.trim()||null,remind_at:e})}if(t===null){L.value=`Не удалось сохранить. Попробуйте позже.`;return}j(`saved`,t),T.value=!1}finally{R.value=!1}}function H(){T.value=!1}return(r,a)=>(l(),h(w,{modelValue:T.value,"onUpdate:modelValue":a[2]||=e=>T.value=e,"max-width":`480`,persistent:``},{default:_(()=>[i(x,null,{default:_(()=>[i(v,null,{default:_(()=>[c(e(P.value),1)]),_:1}),i(y,null,{default:_(()=>[i(D,{onSubmit:n(V,[`prevent`])},{default:_(()=>[i(O,{modelValue:F.value,"onUpdate:modelValue":a[0]||=e=>F.value=e,label:`Описание`,placeholder:`Перезвонить клиенту, обсудить условия...`,rows:`3`,counter:``,maxlength:`255`,"data-testid":`reminder-text`},null,8,[`modelValue`]),s(`div`,k,[a[3]||=s(`label`,{class:`datetime-label`,for:`reminder-at-input`},`Когда напомнить`,-1),m(s(`input`,{id:`reminder-at-input`,"onUpdate:modelValue":a[1]||=e=>I.value=e,type:`datetime-local`,class:`datetime-input`,"data-testid":`reminder-at`},null,512),[[d,I.value]])]),L.value?(l(),h(S,{key:0,type:`warning`,variant:`tonal`,density:`compact`,class:`mt-3`,"data-testid":`reminder-error`},{default:_(()=>[c(e(L.value),1)]),_:1})):t(``,!0)]),_:1})]),_:1}),i(b,null,{default:_(()=>[i(C),i(g,{variant:`text`,onClick:H},{default:_(()=>[...a[4]||=[c(`Отмена`,-1)]]),_:1}),i(g,{color:`primary`,loading:R.value,"data-testid":`reminder-submit`,onClick:V},{default:_(()=>[c(e(N.value?`Сохранить`:`Создать`),1)]),_:1},8,[`loading`])]),_:1})]),_:1})]),_:1},8,[`modelValue`]))}}),[[`__scopeId`,`data-v-963ac491`]]);export{A as default};
@@ -1 +0,0 @@
-.tab-chip[data-v-3580525e]{font-feature-settings:"tnum";font-family:JetBrains Mono,ui-monospace,monospace}.reminders-list-card[data-v-8540cfc6]{min-height:200px}.empty-state[data-v-8540cfc6]{text-align:center;color:#66635c;padding:40px 16px;font-size:14px}.empty-hint[data-v-8540cfc6]{color:#6b6356;margin-top:6px;font-size:12px}.reminder-row[data-v-8540cfc6]{border-bottom:1px solid #f0ede4}.reminder-overdue .reminder-meta span:first-of-type+span[data-v-8540cfc6]{color:#b94837;font-weight:500}.reminder-completed .reminder-title[data-v-8540cfc6]{color:#9a9690;text-decoration:line-through}.reminder-title[data-v-8540cfc6]{font-weight:500}.reminder-meta[data-v-8540cfc6]{color:#66635c;margin-top:2px;font-size:12px}.deal-link[data-v-8540cfc6]{color:#0f6e56;font-family:JetBrains Mono,ui-monospace,monospace;text-decoration:none}.deal-link[data-v-8540cfc6]:hover{text-decoration:underline}.reminders-view[data-v-cd3f2c2f]{padding-top:24px;padding-bottom:32px}.page-head[data-v-cd3f2c2f]{align-items:center;gap:16px;margin-bottom:16px;display:flex}.page-title[data-v-cd3f2c2f]{flex-shrink:0;margin:0;font-size:24px;font-weight:600}.page-meta[data-v-cd3f2c2f]{flex:1;gap:16px;display:flex}.page-stat[data-v-cd3f2c2f]{color:#66635c;align-items:baseline;gap:4px;font-size:13px;display:flex}.page-stat strong[data-v-cd3f2c2f]{font-feature-settings:"tnum";color:#081319;font-family:JetBrains Mono,ui-monospace,monospace;font-size:16px}.page-stat.overdue strong[data-v-cd3f2c2f]{color:#b94837}
@@ -1 +0,0 @@
-.panel[data-v-e13bf82b]{background:#fff}.field-block[data-v-e13bf82b]{margin-top:8px}.field-label[data-v-e13bf82b]{color:#66635c;text-transform:uppercase;letter-spacing:.04em;margin-bottom:8px;font-family:JetBrains Mono,ui-monospace,monospace;font-size:12px;font-weight:500;display:block}.type-grid[data-v-e13bf82b]{grid-template-columns:repeat(auto-fit,minmax(220px,1fr));gap:8px;display:grid}.tc-card[data-v-e13bf82b]{cursor:pointer;padding:12px;transition:border-color .15s,background .15s}.tc-card[data-v-e13bf82b]:hover{border-color:#66635c!important}.tc-card.active[data-v-e13bf82b]{background:#e1eeea!important;border-color:#0f6e56!important}.tc-name[data-v-e13bf82b]{color:#081319;font-weight:600}.fmt-row[data-v-e13bf82b]{flex-wrap:wrap;gap:8px;display:flex}.num-field[data-v-e13bf82b] input{font-feature-settings:"tnum";font-family:JetBrains Mono,ui-monospace,monospace}.panel[data-v-9221735d]{background:#fff}.panel-h[data-v-9221735d]{flex-wrap:wrap;justify-content:space-between;align-items:flex-start;gap:12px;display:flex}.empty-state[data-v-9221735d]{font-size:14px}.jobs-list[data-v-9221735d]{list-style:none}.job-row[data-v-9221735d]{border-bottom:1px solid #f0ede4;grid-template-columns:auto 1fr auto auto;align-items:center;gap:12px;padding:14px 16px;display:grid}.job-row[data-v-9221735d]:last-child{border-bottom:none}.job-icon[data-v-9221735d]{flex-shrink:0}.job-info[data-v-9221735d]{min-width:0}.job-title[data-v-9221735d]{color:#081319;font-weight:500;line-height:1.3}.job-meta[data-v-9221735d]{font-feature-settings:"tnum";margin-top:2px;font-family:JetBrains Mono,ui-monospace,monospace;font-size:11px}.job-actions[data-v-9221735d]{gap:4px;display:flex}.reports[data-v-114ed593]{max-width:1440px}.page-head[data-v-114ed593]{flex-wrap:wrap;justify-content:space-between;align-items:flex-start;gap:12px;display:flex}.page-title[data-v-114ed593]{font-variation-settings:"opsz" 28;letter-spacing:-.018em}.page-stats[data-v-114ed593]{flex-wrap:wrap;align-items:center;gap:6px;display:flex}.page-stats .sep[data-v-114ed593]{color:#6b6356}.num[data-v-114ed593]{font-feature-settings:"tnum";font-family:JetBrains Mono,ui-monospace,monospace;font-weight:500}
@@ -1 +0,0 @@
-.reset-card[data-v-9f6d3b04]{flex-direction:column;gap:20px;display:flex}.reset-header h1[data-v-9f6d3b04]{font-variation-settings:"opsz" 26;letter-spacing:-.018em}.reset-form[data-v-9f6d3b04]{flex-direction:column;gap:8px;display:flex}.password-toggle[data-v-9f6d3b04]:focus-visible{outline-offset:1px;border-radius:2px;outline:2px solid}
@@ -1 +0,0 @@
-import{$r as e,An as t,Cn as n,Dn as r,Dr as i,Fn as a,Ln as o,On as s,Pn as c,Qn as l,Sn as u,U as d,br as f,kn as p,t as m,ur as h}from"./VBtn-jqIH42oB.js";import{a as g}from"./client-DciL1iD_.js";import{t as _}from"./VCard-C989ornn.js";import{L as v,St as y,mt as b,n as x,pt as S,xt as C}from"./app-B35roqUp.js";import{t as w}from"./VForm-CfFpV0nz.js";var T=S(o({__name:`ResetPasswordView`,setup(o){let S=C(),T=y(),E=b(),D=r(()=>String(S.params.token??``)),O=f(typeof S.query.email==`string`?S.query.email:``),k=f(``),A=f(``),j=f(!1),M=f({}),N=f(!1),P=r(()=>D.value.length>0&&O.value.length>0&&k.value.length>=10&&k.value===A.value),F=r(()=>A.value.length>0&&k.value!==A.value?[`Пароли не совпадают`]:M.value.password_confirmation??[]);async function I(){M.value={};try{await E.resetPassword({token:D.value,email:O.value,password:k.value,password_confirmation:A.value}),N.value=!0,setTimeout(()=>T.push(`/login`),3e3)}catch(e){let t=g(e);t?M.value=t:E.lockoutSeconds===null&&(M.value={email:[`Произошла ошибка. Попробуйте позже.`]})}}return(r,o)=>(l(),p(_,{variant:`flat`,"max-width":380,width:`100%`,color:`transparent`,class:`reset-card`},{default:h(()=>[o[9]||=s(`header`,{class:`reset-header`},[s(`h1`,{class:`text-h5 mb-1`},`Новый пароль`),s(`p`,{class:`text-body-2 text-medium-emphasis ma-0`},`Установите новый пароль для вашего аккаунта.`)],-1),N.value?(l(),p(v,{key:0,type:`success`,variant:`tonal`,density:`comfortable`,"data-testid":`reset-success`},{default:h(()=>[...o[6]||=[c(` Пароль успешно изменён. Сейчас вы будете перенаправлены на страницу входа. `,-1)]]),_:1})):t(``,!0),i(E).lockoutSeconds===null?t(``,!0):(l(),p(v,{key:1,type:`error`,variant:`tonal`,density:`compact`,"data-testid":`lockout-alert`},{default:h(()=>[c(` Слишком много попыток. Попробуйте через `+e(Math.ceil(i(E).lockoutSeconds/60))+` мин. `,1)]),_:1})),N.value?t(``,!0):(l(),p(w,{key:2,class:`reset-form`,onSubmit:n(I,[`prevent`])},{default:h(()=>[a(x,{modelValue:O.value,"onUpdate:modelValue":o[0]||=e=>O.value=e,label:`Email`,type:`email`,autocomplete:`email`,variant:`outlined`,density:`comfortable`,required:``,"error-messages":M.value.email},null,8,[`modelValue`,`error-messages`]),a(x,{modelValue:k.value,"onUpdate:modelValue":o[4]||=e=>k.value=e,label:`Новый пароль`,type:j.value?`text`:`password`,autocomplete:`new-password`,placeholder:`Минимум 10 символов`,variant:`outlined`,density:`comfortable`,required:``,"error-messages":M.value.password},{"append-inner":h(()=>[a(d,{class:`password-toggle`,icon:j.value?`mdi-eye-off`:`mdi-eye`,"aria-label":j.value?`Скрыть пароль`:`Показать пароль`,role:`button`,tabindex:`0`,onClick:o[1]||=e=>j.value=!j.value,onKeydown:[o[2]||=u(n(e=>j.value=!j.value,[`prevent`]),[`enter`]),o[3]||=u(n(e=>j.value=!j.value,[`prevent`]),[`space`])]},null,8,[`icon`,`aria-label`])]),_:1},8,[`modelValue`,`type`,`error-messages`]),a(x,{modelValue:A.value,"onUpdate:modelValue":o[5]||=e=>A.value=e,label:`Повторите пароль`,type:j.value?`text`:`password`,autocomplete:`new-password`,variant:`outlined`,density:`comfortable`,required:``,"error-messages":F.value},null,8,[`modelValue`,`type`,`error-messages`]),a(m,{type:`submit`,color:`primary`,block:``,size:`large`,variant:`flat`,disabled:!P.value,loading:i(E).loading},{default:h(()=>[...o[7]||=[c(` Сохранить пароль `,-1)]]),_:1},8,[`disabled`,`loading`]),a(m,{to:{name:`login`},variant:`text`,block:``,size:`small`,"prepend-icon":`mdi-arrow-left`},{default:h(()=>[...o[8]||=[c(` Вернуться ко входу `,-1)]]),_:1})]),_:1}))]),_:1}))}}),[[`__scopeId`,`data-v-9f6d3b04`]]);export{T as default};
@@ -1 +0,0 @@
-.tab-title[data-v-0944a357],.tab-title[data-v-a1a18cd1]{font-variation-settings:"opsz" 18;letter-spacing:-.005em}.prefs-table[data-v-a1a18cd1]{border:1px solid #e8e3d6;border-radius:8px;overflow:hidden}.prefs-head[data-v-a1a18cd1],.prefs-row[data-v-a1a18cd1]{grid-template-columns:1fr 110px 110px 130px;align-items:center;display:grid}.prefs-head[data-v-a1a18cd1]{text-transform:uppercase;letter-spacing:.06em;color:#66635c;background:#f6f3ec;font-family:JetBrains Mono,ui-monospace,monospace;font-size:11px}.prefs-row[data-v-a1a18cd1]{border-top:1px solid #f0ede4}.prefs-cell[data-v-a1a18cd1]{padding:10px 12px}.event-col[data-v-a1a18cd1]{color:#081319;font-size:13px}.event-desc[data-v-a1a18cd1]{color:#66635c;margin-top:2px;font-size:11px}.ch-col[data-v-a1a18cd1]{text-align:center;justify-content:center;display:flex}.actions-row[data-v-a1a18cd1]{gap:12px;margin-top:8px;display:flex}.tab-title[data-v-7154ff08]{font-variation-settings:"opsz" 18;letter-spacing:-.005em}.profile-row[data-v-7154ff08]{align-items:flex-start}.codes-grid[data-v-4232e9dd]{grid-template-columns:repeat(2,1fr);gap:8px;display:grid}.code-item[data-v-4232e9dd]{text-align:center;letter-spacing:.06em;background:#f6f3ec;border-radius:6px;padding:8px 12px;font-size:14px}.codes-grid[data-v-eb879996]{grid-template-columns:repeat(2,1fr);gap:8px;display:grid}.code-item[data-v-eb879996]{text-align:center;letter-spacing:.06em;background:#f6f3ec;border-radius:6px;padding:8px 12px;font-size:14px}.sessions-list[data-v-9a36d248]{margin:0;padding:0;list-style:none}.session-row[data-v-9a36d248]{border-bottom:1px solid #f0ede4;justify-content:space-between;align-items:center;padding:10px 0;display:flex}.session-row[data-v-9a36d248]:last-child{border-bottom:none}.session-device[data-v-9a36d248]{color:#081319;font-weight:500}.tab-title[data-v-e4d722bf]{font-variation-settings:"opsz" 18;letter-spacing:-.005em}.settings[data-v-5e38d680]{max-width:1440px}.page-title[data-v-5e38d680]{font-variation-settings:"opsz" 28;letter-spacing:-.018em}.tabs-rail[data-v-5e38d680]{background:#fff}.tab-pane[data-v-5e38d680]{background:#fff;min-height:480px}
@@ -1 +0,0 @@
-.font-mono[data-v-4e777c99],.num[data-v-02465db2]{font-feature-settings:"tnum";font-family:JetBrains Mono,ui-monospace,monospace}
@@ -1 +0,0 @@
-.twofactor-card[data-v-a87d6667]{flex-direction:column;gap:20px;display:flex}.twofactor-header h1[data-v-a87d6667]{font-variation-settings:"opsz" 26;letter-spacing:-.018em}.twofactor-form[data-v-a87d6667]{flex-direction:column;gap:16px;display:flex}.code-row[data-v-a87d6667]{justify-content:space-between;gap:8px;display:flex}.code-cell[data-v-a87d6667]{text-align:center;color:#081319;background:#fff;border:1px solid #d9d5cd;border-radius:8px;width:48px;height:56px;font-family:JetBrains Mono,ui-monospace,monospace;font-size:22px;font-weight:500;transition:border-color .15s}.code-cell[data-v-a87d6667]:focus{border-color:#0f6e56;outline:none;box-shadow:0 0 0 2px #0f6e5633}.font-mono[data-v-a87d6667]{font-feature-settings:"tnum";font-family:JetBrains Mono,ui-monospace,monospace}
@@ -1 +0,0 @@
-import{$r as e,An as t,Cn as n,Dn as r,Dr as i,Fn as a,Ln as o,On as s,Pn as c,Qn as l,Wn as u,Xn as d,Zn as f,bn as p,br as m,dr as h,er as g,jn as _,kn as v,nr as y,or as b,t as x,ur as S,wn as C}from"./VBtn-jqIH42oB.js";import{a as w}from"./client-DciL1iD_.js";import{t as T}from"./VCard-C989ornn.js";import{L as E,St as D,mt as O,pt as k}from"./app-B35roqUp.js";import{t as A}from"./VForm-CfFpV0nz.js";var j={class:`twofactor-header`},M={class:`text-body-2 text-medium-emphasis ma-0`},N=[`onUpdate:modelValue`,`aria-label`,`onInput`,`onKeydown`],P={key:0,class:`text-error text-caption mb-1`},F={class:`d-flex justify-space-between align-center mb-2`},I=[`title`],L=k(o({__name:`TwoFactorView`,setup(o){let k=m([``,``,``,``,``,``]),L=b(`inputs`),R=r(()=>k.value.join(``)),z=r(()=>R.value.length===6&&/^\d{6}$/.test(R.value)),B=m({}),V=O(),H=D(),U=r(()=>V.user?.email??`аккаунт`);function W(){return 30-Math.floor(Date.now()/1e3)%30}let G=m(W()),K=r(()=>`00:${String(G.value).padStart(2,`0`)}`),q;d(()=>{if(!V.requires2fa&&!V.isAuthenticated){H.replace(`/login`);return}q=setInterval(()=>{G.value=W()},1e3)}),f(()=>{q&&clearInterval(q)});function J(e,t){let n=t.target.value.replace(/\D/g,``).slice(-1);k.value[e]=n,n&&e<5&&u(()=>L.value?.[e+1]?.focus())}function Y(e,t){t.key===`Backspace`&&!k.value[e]&&e>0&&u(()=>L.value?.[e-1]?.focus())}function X(e){let t=e.clipboardData?.getData(`text`).replace(/\D/g,``).slice(0,6)??``;if(t.length===6){e.preventDefault();for(let e=0;e<6;e++)k.value[e]=t[e];u(()=>L.value?.[5]?.focus())}}async function Z(){B.value={};try{await V.verifyTwoFactor(R.value),await H.push(`/dashboard`)}catch(e){let t=w(e);t?B.value=t:B.value={code:[`Произошла ошибка. Попробуйте ещё раз.`]},k.value=[``,``,``,``,``,``],u(()=>L.value?.[0]?.focus())}}return(r,o)=>{let u=y(`RouterLink`);return l(),v(T,{variant:`flat`,"max-width":380,width:`100%`,color:`transparent`,class:`twofactor-card`},{default:S(()=>[s(`header`,j,[o[1]||=s(`h1`,{class:`text-h5 mb-1`},`Двухфакторная проверка`,-1),s(`p`,M,[o[0]||=c(` Откройте приложение-аутентификатор и введите 6-значный код для `,-1),s(`strong`,null,e(U.value),1)])]),a(A,{class:`twofactor-form`,onSubmit:n(Z,[`prevent`])},{default:S(()=>[s(`div`,{class:`code-row`,onPaste:X},[(l(!0),_(C,null,g(k.value,(e,t)=>h((l(),_(`input`,{key:t,ref_for:!0,ref_key:`inputs`,ref:L,"onUpdate:modelValue":e=>k.value[t]=e,type:`text`,inputmode:`numeric`,maxlength:`1`,class:`code-cell`,"aria-label":`Цифра ${t+1}`,onInput:e=>J(t,e),onKeydown:e=>Y(t,e)},null,40,N)),[[p,k.value[t]]])),128))],32),B.value.code?.length?(l(),_(`div`,P,e(B.value.code[0]),1)):t(``,!0),i(V).lockoutSeconds===null?t(``,!0):(l(),v(E,{key:1,type:`error`,variant:`tonal`,density:`compact`,class:`mb-2`,"data-testid":`lockout-alert`},{default:S(()=>[c(` Слишком много попыток. Попробуйте через `+e(Math.ceil(i(V).lockoutSeconds/60))+` мин. `,1)]),_:1})),s(`div`,F,[a(u,{to:`/recovery-use`,class:`text-body-2 text-primary`},{default:S(()=>[...o[2]||=[c(` Использовать резервный код `,-1)]]),_:1}),s(`span`,{class:`text-caption text-medium-emphasis font-mono`,title:`До смены кода в приложении: ${K.value}`,"data-testid":`totp-countdown`},e(K.value),9,I)]),a(x,{type:`submit`,color:`primary`,block:``,size:`large`,variant:`flat`,disabled:!z.value,loading:i(V).loading},{default:S(()=>[...o[3]||=[c(` Подтвердить `,-1)]]),_:1},8,[`disabled`,`loading`])]),_:1})]),_:1})}}}),[[`__scopeId`,`data-v-a87d6667`]]);export{L as default};
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				`.admin-billing[data-v-47839b68]{max-width:1400px}.page-title[data-v-47839b68]{font-variation-settings:"opsz" 28;letter-spacing:-.018em}.font-mono[data-v-47839b68]{font-family:JetBrains Mono,ui-monospace,monospace}.tabular[data-v-47839b68]{font-feature-settings:"tnum"}`
				`@@ -1 +0,0 @@`
				`.admin-impersonation[data-v-95920034]{max-width:1440px}.page-head[data-v-95920034]{flex-wrap:wrap;justify-content:space-between;align-items:flex-start;gap:12px;display:flex}.page-title[data-v-95920034]{font-variation-settings:"opsz" 28;letter-spacing:-.018em}.num[data-v-95920034]{font-feature-settings:"tnum";font-family:JetBrains Mono,ui-monospace,monospace;font-weight:500}.reason-cell[data-v-95920034]{white-space:normal;color:#081319;max-width:320px;font-size:13px;line-height:1.4}`
				`@@ -1 +0,0 @@`
				import{$r as e,An as t,Fn as n,Ln as r,On as i,Pn as a,Qn as o,S as s,Xn as c,br as l,er as u,jn as d,kn as f,t as p,ur as m,wn as h}from"./VBtn-jqIH42oB.js";import{r as g}from"./client-DciL1iD_.js";import{t as _}from"./VCard-C989ornn.js";import{t as v}from"./VContainer-C5vy10SJ.js";import{L as y,Q as b,X as x,Y as S,pt as C}from"./app-B35roqUp.js";import{t as w}from"./VTable-B_0j40S4.js";var T={class:`page-head mb-4`},E={class:`text-h6 mb-3`},D={key:0,class:`text-center py-4`},O={key:1,class:`text-medium-emphasis text-center py-4`,"data-testid":`active-empty`},k={class:`num`},A={class:`text-caption`},j={class:`reason-cell`},M={class:`num text-medium-emphasis`},N={class:`num text-medium-emphasis`},P={class:`text-end`},F={class:`text-h6 mb-3`},I={key:0,class:`text-center py-4`},L={key:1,class:`text-medium-emphasis text-center py-4`,"data-testid":`recent-empty`},R={class:`num`},z={class:`reason-cell`},B={class:`num`},V={class:`num text-medium-emphasis`},H=C(r({__name:`AdminImpersonationView`,setup(r,{expose:C}){let H=l([]),U=l([]),W=l(!1),G=l(!1),K=l(null),q=l(null);async function J(){W.value=!0;try{H.value=await S()}catch(e){K.value=g(e,`Не удалось загрузить активные сессии.`)}finally{W.value=!1}}async function Y(){G.value=!0;try{U.value=await b()}catch(e){K.value=g(e,`Не удалось загрузить недавние сессии.`)}finally{G.value=!1}}async function X(e){q.value=e;try{await x(e),await Promise.all([J(),Y()])}catch(e){K.value=g(e,`Не удалось завершить сессию.`)}finally{q.value=null}}function Z(e){return new Date(e).toLocaleString(`ru-RU`,{dateStyle:`short`,timeStyle:`short`})}function Q(e){return e===null?`—`:e<60?`${e} сек`:e<3600?`${Math.floor(e/60)} мин ${e%60} сек`:`${Math.floor(e/3600)} ч ${Math.floor(e%3600/60)} мин`}function $(e){let t=new Date(e).getTime()-Date.now();if(t<=0)return`истёк`;let n=Math.floor(t/6e4);return n<60?`через ${n} мин`:`через ${Math.floor(n/60)} ч`}return c(()=>{J(),Y()}),C({active:H,recent:U,loadActive:J,loadRecent:Y,endSession:X}),(r,c)=>(o(),f(v,{fluid:``,class:`admin-impersonation pa-6`},{default:m(()=>[i(`header`,T,[c[2]\|\|=i(`div`,null,[i(`h1`,{class:`text-h4 page-title`},`Impersonation`),i(`p`,{class:`text-body-2 text-medium-emphasis ma-0`},`Активные сессии «вход как клиент» (Ю-1 / ТЗ §22.7).`)],-1),n(p,{variant:`outlined`,size:`small`,"prepend-icon":`mdi-refresh`,loading:W.value,"data-testid":`refresh-btn`,onClick:c[0]\|\|=e=>{J(),Y()}},{default:m(()=>[...c[1]\|\|=[a(` Обновить `,-1)]]),_:1},8,[`loading`])]),K.value?(o(),f(y,{key:0,type:`error`,variant:`tonal`,density:`compact`,class:`mb-4`,"data-testid":`error-alert`},{default:m(()=>[a(e(K.value),1)]),_:1})):t(``,!0),n(_,{variant:`outlined`,class:`pa-4 mb-4`,"data-testid":`active-section`},{default:m(()=>[i(`h2`,E,`Активные (`+e(H.value.length)+`)`,1),W.value?(o(),d(`div`,D,[n(s,{indeterminate:``,color:`primary`})])):H.value.length===0?(o(),d(`div`,O,` Нет активных impersonation-сессий. `)):(o(),f(w,{key:2,density:`comfortable`},{default:m(()=>[c[4]\|\|=i(`thead`,null,[i(`tr`,null,[i(`th`,null,`Тенант`),i(`th`,null,`Admin ID`),i(`th`,null,`Email клиента`),i(`th`,null,`Основание`),i(`th`,null,`Активна с`),i(`th`,null,`TTL`),i(`th`,{class:`text-end`},`Действие`)])],-1),i(`tbody`,null,[(o(!0),d(h,null,u(H.value,t=>(o(),d(`tr`,{key:t.token_id,"data-testid":`active-row`},[i(`td`,null,e(t.tenant_name??`#${t.tenant_id}`),1),i(`td`,k,e(t.requested_by),1),i(`td`,A,e(t.sent_to_email),1),i(`td`,j,e(t.reason),1),i(`td`,M,e(Z(t.used_at)),1),i(`td`,N,e($(t.expires_at)),1),i(`td`,P,[n(p,{size:`small`,color:`error`,variant:`tonal`,"prepend-icon":`mdi-stop-circle-outline`,loading:q.value===t.token_id,"data-testid":`end-btn-${t.token_id}`,onClick:e=>X(t.token_id)},{default:m(()=>[...c[3]\|\|=[a(` Завершить `,-1)]]),_:1},8,[`loading`,`data-testid`,`onClick`])])]))),128))])]),_:1}))]),_:1}),n(_,{variant:`outlined`,class:`pa-4`,"data-testid":`recent-section`},{default:m(()=>[i(`h2`,F,`Недавно завершённые (`+e(U.value.length)+`)`,1),G.value?(o(),d(`div`,I,[n(s,{indeterminate:``,color:`primary`})])):U.value.length===0?(o(),d(`div`,L,` История impersonation-сессий пуста. `)):(o(),f(w,{key:2,density:`comfortable`},{default:m(()=>[c[5]\|\|=i(`thead`,null,[i(`tr`,null,[i(`th`,null,`Тенант`),i(`th`,null,`Admin`),i(`th`,null,`Основание`),i(`th`,null,`Длилась`),i(`th`,null,`Завершена`)])],-1),i(`tbody`,null,[(o(!0),d(h,null,u(U.value,t=>(o(),d(`tr`,{key:t.token_id,"data-testid":`recent-row`},[i(`td`,null,e(t.tenant_name??`#${t.tenant_id}`),1),i(`td`,R,e(t.requested_by),1),i(`td`,z,e(t.reason),1),i(`td`,B,e(Q(t.duration_seconds)),1),i(`td`,V,e(Z(t.session_ended_at)),1)]))),128))])]),_:1}))]),_:1})]),_:1}))}}),[[`__scopeId`,`data-v-95920034`]]);export{H as default};
				`@@ -1 +0,0 @@`
				`.incident-detail[data-v-ce603457]{max-width:1200px}.font-mono[data-v-ce603457]{font-family:JetBrains Mono,ui-monospace,monospace}`
				`@@ -1 +0,0 @@`
				`.admin-incidents[data-v-046c45ba]{max-width:1200px}.page-title[data-v-046c45ba]{font-variation-settings:"opsz" 28;letter-spacing:-.018em}.incident-row[data-v-046c45ba]{border-bottom:1px solid #e1eeea;padding-block:12px}.incident-row[data-v-046c45ba]:last-child{border-bottom:none}.incident-header[data-v-046c45ba]{flex-wrap:wrap;align-items:center;display:flex}.font-mono[data-v-046c45ba]{font-family:JetBrains Mono,ui-monospace,monospace}`
				`@@ -1 +0,0 @@`
				`.admin-pd[data-v-319667ee]{max-width:1200px}.page-title[data-v-319667ee]{font-variation-settings:"opsz" 28;letter-spacing:-.018em}.font-mono[data-v-319667ee]{font-family:JetBrains Mono,ui-monospace,monospace}`
				`@@ -1 +0,0 @@`
				`.numeric-tnum[data-v-e2a92351] td{font-feature-settings:"tnum";font-family:JetBrains Mono,monospace}.editor-table[data-v-e2a92351]{border-collapse:collapse;width:100%}.editor-table th[data-v-e2a92351],.editor-table td[data-v-e2a92351]{border-bottom:1px solid #0000000f;padding:8px 12px}`
				`@@ -1 +0,0 @@`
				`.numeric-tnum[data-v-21c7d181] td{font-feature-settings:"tnum";font-family:JetBrains Mono,monospace}`
				`@@ -1 +0,0 @@`
				.font-mono[data-v-bf79a138]{font-feature-settings:"tnum";font-family:JetBrains Mono,ui-monospace,monospace}.value-block[data-v-bf79a138]{word-break:break-all;background:#f6f3ec;border-radius:4px;padding:6px 10px;font-size:13px}.diff-block[data-v-bf79a138]{flex-direction:column;gap:12px;display:flex}.diff-row[data-v-bf79a138]{flex-direction:column;gap:4px;display:flex}.diff-before[data-v-bf79a138]{color:#842029;background:#fde8e8;text-decoration:line-through}.diff-after[data-v-bf79a138]{color:#0a4029;background:#d8f1e6}.reason-block[data-v-bf79a138]{background:#fff8e6;border-left:3px solid #b88a00;border-radius:4px;padding:8px 12px;font-size:13px}.admin-system[data-v-fc62e5e5]{max-width:1100px}.page-title[data-v-fc62e5e5]{font-variation-settings:"opsz" 28;letter-spacing:-.018em}.setting-row[data-v-fc62e5e5]{border-bottom:1px solid #e1eeea;padding-block:12px}.setting-row[data-v-fc62e5e5]:last-child{border-bottom:none}.setting-header[data-v-fc62e5e5]{align-items:center;display:flex}.setting-key[data-v-fc62e5e5]{color:#081319;font-size:14px;font-weight:500}.setting-value[data-v-fc62e5e5]{background:#f6f3ec;border-radius:4px;padding:4px 8px;font-size:13px;display:inline-block}.font-mono[data-v-fc62e5e5]{font-family:JetBrains Mono,ui-monospace,monospace}
				`@@ -1 +0,0 @@`
				.page-head[data-v-c9a2d228]{flex-direction:column;gap:12px;display:flex}.head-main[data-v-c9a2d228]{flex-wrap:wrap;justify-content:space-between;align-items:flex-start;gap:16px;display:flex}.page-title[data-v-c9a2d228]{font-variation-settings:"opsz" 28;letter-spacing:-.018em}.page-meta[data-v-c9a2d228]{flex-wrap:wrap;align-items:center;gap:6px;display:flex}.page-meta .sep[data-v-c9a2d228]{color:#6b6356}.head-actions[data-v-c9a2d228]{align-items:center;gap:12px;display:flex}.kpi-row[data-v-c9a2d228]{grid-template-columns:repeat(4,1fr);gap:12px;display:grid}@media (width<=960px){.kpi-row[data-v-c9a2d228]{grid-template-columns:repeat(2,1fr)}}.kpi-card[data-v-c9a2d228]{background:#fff}.kpi-label[data-v-c9a2d228]{text-transform:uppercase;letter-spacing:.05em}.kpi-value[data-v-c9a2d228]{color:#081319;margin-top:4px;font-size:24px}.kpi-sub[data-v-c9a2d228]{margin-top:4px}.num[data-v-c9a2d228],.num[data-v-17149fea]{font-feature-settings:"tnum";font-family:JetBrains Mono,ui-monospace,monospace;font-weight:500}.font-mono[data-v-17149fea]{font-family:JetBrains Mono,ui-monospace,monospace}.panel[data-v-17149fea]{background:#fff}.activity-list[data-v-17149fea]{margin:0;padding:0;list-style:none}.activity-item[data-v-17149fea]{border-bottom:1px solid #f0ede4;grid-template-columns:130px 1fr;gap:16px;padding:10px 0;display:grid}.activity-item[data-v-17149fea]:last-child{border-bottom:none}.act-event[data-v-17149fea]{margin-bottom:2px}.act-actor[data-v-17149fea]{margin-left:6px}.tenant-detail[data-v-770767cd]{max-width:1440px}