fix(router-gate): session-lock skips readonly Bash (scope calibration)

The parallel-session-lock fired on every PreToolUse tool, blocking even readonly Bash (git status/log/diff, cat, grep, ls) from a peer session. The lock's purpose is to serialize concurrent FILE MUTATION on the same worktree; readonly commands mutate nothing, so they are outside that scope. isReadonlyBashEvent() reuses the router-gate Bash classifier (an allow-verdict whose reason is readonly/reading), mirroring the LLM-judge readonly calibration. main() short-circuits readonly Bash to allow without acquiring/blocking. Mutating tools, git commit/push, dangerous Bash, and every non-Bash tool still acquire/check the lock — same-worktree mutation serialization is unchanged (scope fix, NOT a discipline drop). TDD: +6 unit tests. Full tools-vitest 2038 passed / 2 skipped.
ci(a11y): bump Pa11y workflow Node 20 -> 22 (cspell@10 engine requirement)
2026-06-01 07:46:26 +03:00 · 2026-05-31 19:00:05 +03:00 · 2026-05-31 18:37:44 +03:00 · 2026-05-31 18:18:44 +03:00 · 2026-05-31 17:43:03 +03:00 · 2026-05-31 17:02:32 +03:00
351 changed files with 61078 additions and 1191 deletions
@@ -95,6 +95,86 @@
            "timeout": 5
          }
        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node tools/enforce-router-gate.mjs",
+            "timeout": 5
+          }
+        ]
+      },
+      {
+        "matcher": "PowerShell",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node tools/enforce-powershell-gate.mjs",
+            "timeout": 5
+          }
+        ]
+      },
+      {
+        "matcher": "Edit|Write|MultiEdit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node tools/enforce-normative-content-rules.mjs",
+            "timeout": 5
+          }
+        ]
+      },
+      {
+        "matcher": "Edit|Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node tools/enforce-tdd-real-test-verifier.mjs",
+            "timeout": 5
+          }
+        ]
+      },
+      {
+        "matcher": "Edit|Write|MultiEdit|Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node tools/enforce-self-debrief-detector.mjs",
+            "timeout": 5
+          }
+        ]
+      },
+      {
+        "matcher": "AskUserQuestion",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node tools/askuser-cosmetic-detector.mjs",
+            "timeout": 5
+          }
+        ]
+      },
+      {
+        "matcher": "mcp__.*",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node tools/enforce-mcp-classification.mjs",
+            "timeout": 5
+          }
+        ]
+      },
+      {
+        "matcher": "Read",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node tools/enforce-read-path-deny.mjs",
+            "timeout": 5
+          }
+        ]
      }
    ],
    "PostToolUse": [
@@ -140,6 +220,16 @@
            "timeout": 5
          }
        ]
+      },
+      {
+        "matcher": "Task",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node tools/enforce-subagent-return-scanner.mjs",
+            "timeout": 10
+          }
+        ]
      }
    ],
    "Stop": [
@@ -148,7 +238,7 @@
          {
            "type": "command",
            "command": "node tools/observer-stop-hook.mjs",
-            "timeout": 15
+            "timeout": 60
          }
        ]
      },
@@ -174,10 +264,19 @@
        "hooks": [
          {
            "type": "command",
-            "command": "node tools/enforce-classifier-match.mjs",
+            "command": "node tools/enforce-todowrite-skill-verifier.mjs",
            "timeout": 5
          }
        ]
+      },
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node tools/cost-stop-hook.mjs",
+            "timeout": 10
+          }
+        ]
      }
    ],
    "UserPromptSubmit": [
@@ -186,7 +285,7 @@
          {
            "type": "command",
            "command": "node tools/router-prehook.mjs",
-            "timeout": 10
+            "timeout": 60
          }
        ]
      },
@@ -21,13 +21,41 @@ Aggregator over observer evidence. Reads JSONL + optional MD notes, surfaces can

 ## Procedure

+> **MANDATORY DIGITAL ANALYSIS (added 2026-05-26 after retro #6 feedback; extended to 11 tables 2026-05-28; extended to 13 tables 2026-05-30 in Stream H Task 8).**
+> Каждый прогон /brain-retro ОБЯЗАН включать **количественные срезы**, не только causal narrative. Минимум 13 цифровых таблиц:
+>
+> 1. **Path-type breakdown** (regulated vs improvised, со счётчиками и %).
+> 2. **node_chosen distribution** (топ-15 узлов с count + %).
+> 3. **recommended_node distribution** (что классификатор предложил, count + %).
+> 4. **GAP «рекомендован но выбран direct»** (per-node count + rework rate этого подмножества).
+> 5. **outcome × node_chosen group**: 3 группы (skill_used / direct_no_rec / direct_ignored_rec) со счётчиками + rework rate per group.
+> 6. **classifier_output presence by source** (prefilter / llm / regex / cache / NULL) — даёт диагностику здоровья самого классификатора.
+> 7. **Per-classification trigger-match + via-skill** (analysis / planning / bugfix / feature / refactor / security).
+> 8. **Class × canon coverage** — таблица класс задач × канонические узлы из мозга (`observer-classification-map.json`) × роутер рекомендовал × я реально взял × попало ли в канон. Источник — `result.classCanonCoverage` из analyzer.
+> 9. **Router vs Opus** — три секции: A (роутер дал → Opus оценил, расхождение видно сразу), B (роутер молчал → Opus сказал «надо был скил»), C (роутер дал → Opus согласился что скил излишен). Источник — `result.routerVsOpus`.
+> 10. **Chain-ignore breakdown** — отдельный срез: сколько раз роутер рекомендовал цепочку vs одиночный узел, какой % я игнорировал, и rework-rate каждого; bucket по длине цепочки (1/2/3+). Источник — `result.chainIgnoreBreakdown`.
+> 11. **Chain-hook effectiveness** — парсит `~/.claude/runtime/hook-outcomes.jsonl` за период retro. Buckets: blocked / passed-with-skill / passed-inline-override / passed-global-override / passed-short-chain / passed-no-mutating. Источник — `result.chainHookEffectiveness` из analyzer. Источник правила — brain-retro #9 Candidate 2.
+> 12. **Router-gate hook effectiveness (per-rule)** — счётчики fires + blocks по каждому `hook_fired.rule` в эпизодах за период (path-deny / git-conditional / branch-switch / etc). Помогает увидеть, какие правила реально стреляли и какой % fires заканчивался блокировкой. Источник — `result.routerGateHookEffectiveness` (Stream H Task 8). Без таблицы — нет видимости качества защит router-gate v4.
+> 13. **Self-fabrication signals** — эпизоды, где `controller_claim` непустой (контроллер заявил действие) но `tool_uses` пуст или отсутствует (записи о реальном tool-call нет). 7 канонических паттернов фабрикации задокументированы в `docs/superpowers/runbooks/recovery-procedures.md` §5. Источник — `result.selfFabricationSignals` (Stream H Task 8).
+>
+> Без этих 13 таблиц retro считается недоделанным. Narrative-выводы должны опираться на цифры из них, не на «общие ощущения». **Если classifier_output=NULL > 30% эпизодов** — это сигнал, что классификатор сломан; в retro отдельным блоком отчитаться о состоянии классификатора (timeouts/errors/source distribution).
+>
+> Запрет на жаргон для блока «Report to user»: цифры остаются техническими, словесные выводы пользователю — простым языком (см. memory `feedback_plain_language.md`).
+
+<!-- markdownlint-disable MD029 MD032 -->
+
 1. **Determine period**: ask user «за какой период» or default to «since last brain-retro» (find latest `docs/observer/notes/YYYY-MM-DD-brain-retro-*.md`).
 2. **Read evidence**: glob `docs/observer/episodes-YYYY-MM.jsonl` for the period; read all lines as JSON.
 3. **Read optional notes**: glob `docs/observer/notes/*.md` filtered by date.
 4. **Update read-counter**: run `node tools/observer-of-observer.mjs record`. This atomically bumps `docs/observer/.read-counter.json` `last_read_at` to now and increments `read_count_last_period`. (Side-effect — used by C3 observer-of-observer for 54-week self-prune detection.)
 5. **Run the deterministic analyzer**: `node tools/brain-retro-analyzer.mjs docs/observer/episodes-YYYY-MM.jsonl` (pass every monthly file in the period). It returns JSON with `episodeCount`, `observerErrorCount`, `tasks` (episodes grouped into tasks), `causalChains` (error→fix candidates) and `factorMatrix` (outcome distribution per factor). The analyzer deduplicates the routing-gate double-write and infers the true `outcome` of each episode from the next episode's `prompt_signal` — never trust the stored `outcome` (it is `unknown` at write time).
-5a. **[Phase 3] Sanity questions (spec §4.7)** — `node tools/brain-retro-sanity-generator.mjs` (called as a module from analyzer-driven flow, OR direct via `import { generateCandidateQuestions } from '../../../tools/brain-retro-sanity-generator.mjs'`) returns up to 5 candidate questions. Pick 3-4, ask via AskUserQuestion (multiple-choice + free comment). **Before persist:** sanitize free comments with `tools/observer-pii-filter.mjs` (`sanitize` export, RU_PHONE / EMAIL / TOKEN strip). Write answers to `docs/observer/sanity-checks/YYYY-MM-DD.json` `{schema_version: 1, questions: [...]}`.
-5b. **[Phase 3] Reviewer subagent pickup (spec §4.6)** — for each unreviewed episode in the period: `Task(subagent_type='reviewer-agent', prompt=<episode JSON + sanity-answers context>)`. Parse the returned JSON, write `review.*` + `outcome_reviewed` + `outcome_reviewed_source` into the episode. Per-episode try/catch — on subagent crash/timeout, fall back to `tools/brain-retro-opus-reviewer.mjs` `reviewViaDirectApi(episode)` (direct Opus API). If both fail, leave `review.reviewer_error: <msg>` for the next retro.
+5a. **[Phase 3] Sanity questions (spec §4.7)** — `node tools/brain-retro-sanity-generator.mjs` (called as a module from analyzer-driven flow, OR direct via `import { generateCandidateQuestions } from '../../../tools/brain-retro-sanity-generator.mjs'`) returns up to 5 candidate questions. Pick 3-4, ask via AskUserQuestion (multiple-choice + free comment). **Вопросы заказчику — простым языком**, не «rework / wrong_skill / TDD pattern / self_assessment», а «переделки / выбор не того инструмента / самопроверка» (memory `feedback_plain_language.md`). Если первый раунд содержит жаргон — переформулировать и переспросить. **Before persist:** sanitize free comments with `tools/observer-pii-filter.mjs` (`sanitize` export, RU_PHONE / EMAIL / TOKEN strip). Write answers to `docs/observer/sanity-checks/YYYY-MM-DD.json` `{schema_version: 1, questions: [...]}`.
+5b. **Reviewer pass** — pragmatic two-mode policy (added 2026-05-26 after brain-retro #6, replacing original spec §4.6 «subagent only» which was unrealistic at retro scale):
+
+- **Batch mode (default, fast)** — `node tools/brain-retro-batch-reviewer.mjs docs/observer/episodes-YYYY-MM.jsonl <cutoff-iso> [limit=30] [conc=5]`. Direct Opus API via `reviewViaDirectApi` from `tools/brain-retro-opus-reviewer.mjs` with concurrency 5. Use for **N ≥ 20 unreviewed episodes** — typical retro workload (retro #6 processed 132 episodes in 293s = ~2.2s/episode, well under per-subagent overhead).
+- **Subagent mode (per spec §4.6, deeper context)** — `Task(subagent_type='reviewer-agent', prompt=<episode JSON + sanity-answers context>)`. Use for **N < 20 episodes** OR when the reviewer needs access to other tools (read related files, grep history). Per-episode try/catch — on subagent crash/timeout, fall back to `reviewViaDirectApi`.
+
+  Both modes write the same payload back: `review.*` + `outcome_reviewed` + `outcome_reviewed_source` (`direct_api_batch` for batch, `subagent` for Task(), `direct_api_fallback` when subagent fails). If both fail, leave `review.reviewer_error: <msg>` for the next retro.
 6. **Aggregate** per `references/aggregation-template.md` — fill the Factor analysis matrix from the analyzer's `factorMatrix`, the task groups from `tasks`, the causal-chain candidates from `causalChains`, plus the new sections: sanity-check results, reviewer-agent outcomes distribution, self-retrospect trigger status.
 7. **Propose candidates** — clearly separated section «Candidates for owner review». Each candidate has rationale + suggested edit + rejection-option.
 8. **Save retro note**: `docs/observer/notes/YYYY-MM-DD-brain-retro.md` with full aggregation.
@@ -36,6 +64,8 @@ Aggregator over observer evidence. Reads JSONL + optional MD notes, surfaces can
 10. **Cost report** — read `~/.claude/runtime/cost-daily.json`; include classifier + self_assessment + reviewer cost totals for the period in the retro note.
 11. **Report to user**: high-signal summary including sanity highlights, reviewer outcome distribution, and any escalations.

+<!-- markdownlint-enable MD029 MD032 -->
+
 ## Output anatomy

 See `references/aggregation-template.md`.
@@ -21,10 +21,10 @@ jobs:
          extensions: pdo, pdo_pgsql, redis, mbstring, intl, bcmath
          coverage: none

-      - name: Setup Node 20
+      - name: Setup Node 22
        uses: actions/setup-node@v4
        with:
-          node-version: '20'
+          node-version: '22'
          cache: 'npm'

      - name: Install root JS deps
@@ -0,0 +1,119 @@
+name: Run artisan command on liderra.ru
+
+# Universal artisan-runner для прод-команд пока прямой SSH с dev-машины
+# заблокирован YC backbone-фильтром. Заказчик пишет команду строкой в
+# workflow_dispatch input, workflow проверяет её по whitelist, выполняет на
+# проде под sudo -u www-data, выводит результат в job summary.
+#
+# Whitelist охватывает read-only / dry-run / status команды без подтверждения
+# плюс несколько mutating команд с обязательным confirm_apply=true.
+#
+# Любая команда вне whitelist'а → fail before SSH.
+#
+# Использует тот же LIDERRA_SSH_KEY что и deploy.yml/ssh-diagnose.yml.
+
+on:
+  workflow_dispatch:
+    inputs:
+      command:
+        description: 'artisan-команда (например: supplier:rekey-orphans --dry-run)'
+        required: true
+        type: string
+      confirm_apply:
+        description: 'Подтверждаю выполнение mutating-команды (обязательно true для команд без --dry-run)'
+        required: false
+        default: false
+        type: boolean
+
+jobs:
+  run:
+    name: ${{ github.event.inputs.command }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+      CMD: ${{ github.event.inputs.command }}
+      CONFIRM: ${{ github.event.inputs.confirm_apply }}
+
+    steps:
+      - name: Whitelist check
+        run: |
+          set -euo pipefail
+          CMD_TRIM=$(echo "$CMD" | sed 's/^ *//;s/ *$//')
+          echo "Requested: '$CMD_TRIM'"
+
+          # Group 1 — read-only / dry-run / inspection: всегда разрешены
+          READ_ONLY_RE='^(migrate:status|route:list|schedule:list|queue:listen --help|about|env:show|config:show|cache:table|view:cache|optimize:status|snapshot:backfill( --date=20[2-9][0-9]-[0-1][0-9]-[0-3][0-9])?|scheduler:check-heartbeats|incidents:watch-failures( --threshold-spike=[0-9]+)?( --threshold-daily=[0-9]+)?( --persistent-hours=[0-9]+)?|supplier:rekey-orphans --dry-run|audit:verify-chains|audit:rebuild-chain --partition=[a-z_0-9]+ --from-id=[0-9]+ --dry-run)( *)$'
+
+          # Group 2 — mutating: требуют confirm_apply=true
+          MUTATING_RE='^(supplier:rekey-orphans|cache:clear|view:clear|config:clear|route:clear|optimize:clear|optimize|queue:restart|partitions:create-months( --months=[0-9]+)?|partitions:drop-old|audit:rebuild-chain --partition=[a-z_0-9]+ --from-id=[0-9]+( --force)?)( *)$'
+
+          if [[ "$CMD_TRIM" =~ $READ_ONLY_RE ]]; then
+            echo "::notice::Command in read-only whitelist — proceeding."
+            exit 0
+          fi
+
+          if [[ "$CMD_TRIM" =~ $MUTATING_RE ]]; then
+            if [[ "$CONFIRM" != "true" ]]; then
+              echo "::error::Mutating command '$CMD_TRIM' requires confirm_apply=true. Re-run with confirm_apply checked."
+              exit 1
+            fi
+            echo "::warning::Mutating command authorized via confirm_apply=true."
+            exit 0
+          fi
+
+          echo "::error::Command '$CMD_TRIM' is NOT in whitelist. Allowed read-only patterns: $READ_ONLY_RE. Allowed mutating: $MUTATING_RE. Add to whitelist if needed."
+          exit 1
+
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Run artisan on prod
+        run: |
+          set -o pipefail
+          CMD_B64=$(printf '%s' "$CMD" | base64 -w0)
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} \
+            "CMD_B64='$CMD_B64' bash -s" <<'REMOTE' | tee /tmp/artisan-output.log
+            set +e
+            CMD=$(echo "$CMD_B64" | base64 -d)
+            cd /var/www/liderra/app
+            echo "=== Running: php artisan $CMD on $(hostname) at $(date -u) ==="
+            sudo -u www-data php artisan $CMD 2>&1
+            RC=$?
+            echo
+            echo "=== Exit code: $RC ==="
+            exit $RC
+          REMOTE
+
+      - name: Print summary
+        if: always()
+        run: |
+          {
+            echo "## artisan \`$CMD\`"
+            echo
+            echo "- Host: $LIDERRA_HOST"
+            echo "- Confirm: $CONFIRM"
+            echo "- Triggered by: ${{ github.actor }}"
+            echo
+            echo '```'
+            cat /tmp/artisan-output.log 2>/dev/null || echo "(no output captured)"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Upload output as artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: artisan-output
+          path: /tmp/artisan-output.log
+          retention-days: 30
+
+      - name: Cleanup SSH key
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -0,0 +1,229 @@
+name: Deploy to liderra.ru
+
+# Запускается вручную через web-интерфейс GitHub или через `gh workflow run`.
+# Решает проблему «дев-машина не достучится по SSH до прод-сервера через YC backbone»:
+# GitHub Actions runner — внешний по отношению к YC, его IP не блокируется тем
+# фильтром что блокирует мой dev-IP `89.144.17.119`.
+#
+# Требуемые secrets (Settings → Secrets and variables → Actions):
+#   LIDERRA_SSH_KEY  — содержимое приватного ключа `~/.ssh/liderra_deploy`
+#                       (начинается с `-----BEGIN OPENSSH PRIVATE KEY-----`).
+# Host/user захардкожены — публичная информация, нет смысла в secrets.
+
+on:
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: 'Branch/tag/SHA для деплоя (по умолчанию main)'
+        required: true
+        default: 'main'
+        type: string
+      backfill_snapshot:
+        description: 'Запустить snapshot:backfill за сегодня (default yes)'
+        required: false
+        default: true
+        type: boolean
+
+jobs:
+  deploy:
+    name: Deploy code + run redeploy.sh
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    concurrency:
+      group: liderra-prod-deploy
+      cancel-in-progress: false
+
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.inputs.ref }}
+
+      - name: Setup Node 22
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          cache: 'npm'
+          cache-dependency-path: app/package-lock.json
+
+      - name: Install frontend deps
+        # --legacy-peer-deps: Histoire 1.0-beta.1 заявляет peerDep vite ^7,
+        # установлено vite 8 — известный квирк проекта (memory feedback_environment.md #74).
+        working-directory: app
+        run: npm ci --legacy-peer-deps
+
+      - name: Build frontend
+        working-directory: app
+        run: npm run build
+
+      - name: Verify build artifacts present
+        run: |
+          test -f app/public/build/manifest.json
+          ls app/public/build/assets/ | head -5
+          du -sh app/public/build/
+
+      - name: Create deploy tarball
+        run: |
+          tar czf /tmp/deploy.tgz \
+            --exclude='app/.env' \
+            --exclude='app/.env.example' \
+            --exclude='app/.env.production' \
+            --exclude='app/storage' \
+            --exclude='app/vendor' \
+            --exclude='app/node_modules' \
+            --exclude='app/bootstrap/cache' \
+            app db
+          ls -lh /tmp/deploy.tgz
+
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Upload tarball to prod
+        run: |
+          scp -i ~/.ssh/liderra_deploy -o StrictHostKeyChecking=accept-new \
+            /tmp/deploy.tgz ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }}:/tmp/deploy.tgz
+
+      - name: Pre-apply partitioned migrations via postgres superuser
+        # Workaround for partitioned-table migrations:
+        # 2026_05_27_120000_create_project_routing_snapshots_table.php has SET ROLE crm_migrator
+        # which fails when pgsql connection = crm_app_user (not a member of crm_migrator),
+        # poisoning the transaction. Established prod pattern (memory: paused_at migration 26.05):
+        # apply schema via sudo -u postgres psql + insert into migrations table.
+        # Idempotent — skips if already applied.
+        run: |
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} 'bash -s' <<'REMOTE'
+            set -euo pipefail
+            MIG_NAME='2026_05_27_120000_create_project_routing_snapshots_table'
+
+            ALREADY=$(sudo -u postgres psql -d liderra -tAc \
+              "SELECT 1 FROM migrations WHERE migration = '${MIG_NAME}' LIMIT 1")
+            if [ "${ALREADY}" = "1" ]; then
+              echo "Migration ${MIG_NAME} already in migrations table — skipping."
+              exit 0
+            fi
+
+            TABLE_EXISTS=$(sudo -u postgres psql -d liderra -tAc \
+              "SELECT 1 FROM information_schema.tables WHERE table_name='project_routing_snapshots' LIMIT 1")
+
+            if [ "${TABLE_EXISTS}" != "1" ]; then
+              echo "Applying CREATE TABLE project_routing_snapshots via postgres superuser..."
+              sudo -u postgres psql -d liderra -v ON_ERROR_STOP=1 <<'PSQL'
+              BEGIN;
+              CREATE TABLE project_routing_snapshots (
+                  snapshot_date      DATE        NOT NULL,
+                  project_id         BIGINT      NOT NULL,
+                  tenant_id          BIGINT      NOT NULL,
+                  daily_limit        INT         NOT NULL CHECK (daily_limit >= 0),
+                  delivery_days_mask INT         NOT NULL CHECK (delivery_days_mask BETWEEN 0 AND 127),
+                  regions            INT[]       NOT NULL DEFAULT '{}',
+                  signal_type        TEXT        NOT NULL CHECK (signal_type IN ('call','site','sms')),
+                  signal_identifier  TEXT,
+                  sms_senders        JSONB,
+                  sms_keyword        TEXT,
+                  expected_volume    INT         NOT NULL CHECK (expected_volume >= 0),
+                  delivered_count    INT         NOT NULL DEFAULT 0 CHECK (delivered_count >= 0),
+                  created_at         TIMESTAMP   NOT NULL DEFAULT NOW(),
+                  PRIMARY KEY (snapshot_date, project_id),
+                  FOREIGN KEY (tenant_id) REFERENCES tenants(id) ON DELETE CASCADE
+              ) PARTITION BY RANGE (snapshot_date);
+              ALTER TABLE project_routing_snapshots OWNER TO crm_migrator;
+              CREATE INDEX project_routing_snapshots_tenant_date_idx
+                  ON project_routing_snapshots (tenant_id, snapshot_date);
+              CREATE INDEX project_routing_snapshots_signal_idx
+                  ON project_routing_snapshots (snapshot_date, signal_type, lower(signal_identifier));
+              ALTER TABLE project_routing_snapshots ENABLE ROW LEVEL SECURITY;
+              CREATE POLICY project_routing_snapshots_tenant_isolation
+                  ON project_routing_snapshots
+                  USING (tenant_id = current_setting('app.current_tenant_id', true)::bigint);
+              GRANT SELECT, INSERT, UPDATE ON project_routing_snapshots TO crm_app_user;
+              GRANT SELECT, INSERT, UPDATE, DELETE ON project_routing_snapshots TO crm_supplier_worker;
+              CREATE TABLE project_routing_snapshots_y2026_m05
+                  PARTITION OF project_routing_snapshots
+                  FOR VALUES FROM ('2026-05-01') TO ('2026-06-01');
+              CREATE TABLE project_routing_snapshots_y2026_m06
+                  PARTITION OF project_routing_snapshots
+                  FOR VALUES FROM ('2026-06-01') TO ('2026-07-01');
+              ALTER TABLE project_routing_snapshots_y2026_m05 OWNER TO crm_migrator;
+              ALTER TABLE project_routing_snapshots_y2026_m06 OWNER TO crm_migrator;
+              INSERT INTO system_settings (key, value, type, description, updated_at)
+                  VALUES ('partition_retention_months_project_routing_snapshots', '3', 'int',
+                          'Retention в месяцах для project_routing_snapshots (90 дней)', NOW())
+                  ON CONFLICT (key) DO NOTHING;
+              COMMIT;
+          PSQL
+            else
+              echo "Table project_routing_snapshots already exists but migration not marked — marking only."
+            fi
+
+            # Mark migration as applied so Laravel migrate skips it.
+            # Laravel's migrations table has no UNIQUE on `migration` column, so
+            # ON CONFLICT doesn't work — use INSERT...SELECT WHERE NOT EXISTS for idempotency.
+            NEXT_BATCH=$(sudo -u postgres psql -d liderra -tAc "SELECT COALESCE(MAX(batch),0)+1 FROM migrations")
+            sudo -u postgres psql -d liderra -c \
+              "INSERT INTO migrations (migration, batch) SELECT '${MIG_NAME}', ${NEXT_BATCH} WHERE NOT EXISTS (SELECT 1 FROM migrations WHERE migration='${MIG_NAME}');"
+            echo "Marked ${MIG_NAME} as applied (batch ${NEXT_BATCH})"
+          REMOTE
+
+      - name: Extract + run redeploy.sh on prod
+        run: |
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} 'bash -s' <<'REMOTE'
+            set -euo pipefail
+            TS=$(date -u +%Y%m%d-%H%M%S)
+            echo "=== Backup current app ==="
+            sudo tar czf /home/ubuntu/deploy-backups/app-pre-deploy-${TS}.tgz \
+              --exclude='storage' --exclude='vendor' --exclude='node_modules' --exclude='public/build' \
+              -C /var/www/liderra app
+            ls -lh /home/ubuntu/deploy-backups/app-pre-deploy-${TS}.tgz
+
+            echo "=== Extract overlay ==="
+            cd /var/www/liderra
+            sudo tar xzf /tmp/deploy.tgz
+            sudo chown -R www-data:www-data /var/www/liderra/app /var/www/liderra/db
+
+            echo "=== redeploy.sh (composer + migrate + optimize + restart) ==="
+            sudo bash /var/www/liderra/redeploy.sh
+
+            rm -f /tmp/deploy.tgz
+          REMOTE
+
+      - name: Backfill today's snapshot
+        if: ${{ github.event.inputs.backfill_snapshot != 'false' }}
+        run: |
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} 'bash -s' <<'REMOTE'
+            set -e
+            cd /var/www/liderra/app
+            sudo -u www-data php artisan snapshot:backfill --date=$(date +%Y-%m-%d) || \
+              echo "WARN: backfill returned non-zero — проверь вручную"
+          REMOTE
+
+      - name: Smoke tests
+        run: |
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} 'bash -s' <<'REMOTE'
+            set -e
+            cd /var/www/liderra/app
+            echo '=== Migrations status (last 5) ==='
+            sudo -u www-data php artisan migrate:status 2>&1 | tail -5
+            echo '=== Snapshots count (last 3 dates) ==='
+            sudo -u postgres psql -d liderra -c "SELECT snapshot_date, COUNT(*) AS rows FROM project_routing_snapshots GROUP BY 1 ORDER BY 1 DESC LIMIT 3;" || true
+            echo '=== Service status ==='
+            systemctl is-active nginx php8.3-fpm postgresql liderra-queue
+            echo '=== Internal portal health ==='
+            curl -sf -o /dev/null -w 'https=%{http_code} time=%{time_total}s\n' --max-time 8 https://127.0.0.1/ -k || true
+          REMOTE
+
+      - name: External portal health (from runner)
+        run: |
+          curl -sf -o /dev/null -w 'external https=%{http_code} time=%{time_total}s\n' \
+            --max-time 15 https://liderra.ru/ || echo "external health returned non-zero"
+
+      - name: Cleanup SSH key
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -0,0 +1,213 @@
+name: Disk-full recovery on liderra.ru
+
+# Incident response: PG в PANIC loop из-за / диск 100%.
+# 1) Диагностика: что где лежит (top-20 крупных, du по /var/log)
+# 2) Безопасная чистка:
+#    - truncate /var/log/postgresql/postgresql-16-main.log (PG в PANIC, не пишет, inode preserved)
+#    - journalctl --vacuum-size=200M
+#    - старые ротированные *.gz логи nginx >7 дней
+#    - apt-get clean
+#    - Laravel storage/logs *.log >7 дней
+# 3) Final df check + PG probe.
+#
+# Триггер: gh workflow run disk-recover.yml -f confirm_apply=true
+
+on:
+  workflow_dispatch:
+    inputs:
+      confirm_apply:
+        description: 'Подтверждаю удаление логов на проде'
+        required: true
+        default: 'false'
+        type: boolean
+
+jobs:
+  recover:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+      CONFIRM: ${{ github.event.inputs.confirm_apply }}
+
+    steps:
+      - name: Guard
+        run: |
+          if [[ "$CONFIRM" != "true" ]]; then
+            echo "::error::confirm_apply=true required (this workflow mutates disk on prod)"
+            exit 1
+          fi
+
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Diagnose + cleanup
+        run: |
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} \
+            "bash -s" <<'REMOTE' | tee /tmp/recover.log
+          set +e
+
+          echo "=== A. BEFORE: df -h / ==="
+          df -h / /var /var/lib/postgresql 2>&1 | head -10
+          echo
+
+          echo "=== B. Top-20 largest files in /var (>50M) ==="
+          sudo find /var -xdev -type f -size +50M -printf "%s %p\n" 2>/dev/null | sort -rn | head -20 | awk '{printf "%8.1f MB  %s\n", $1/1024/1024, $2}'
+          echo
+
+          echo "=== C. du /var/log/ top-15 directories ==="
+          sudo du -sh /var/log/*/ 2>/dev/null | sort -rh | head -15
+          echo
+
+          echo "=== D. du /var/log/postgresql/* (individual files) ==="
+          sudo du -sh /var/log/postgresql/* 2>/dev/null | sort -rh | head -10
+          echo
+
+          echo "=== E. journalctl disk usage ==="
+          sudo journalctl --disk-usage 2>&1
+          echo
+
+          echo "=== F. /var/lib/postgresql/16/main top-15 subdirs ==="
+          sudo du -sh /var/lib/postgresql/16/main/*/ 2>/dev/null | sort -rh | head -15
+          echo
+
+          echo "=== G. /var/www top-10 if exists ==="
+          sudo du -sh /var/www/*/ 2>/dev/null | sort -rh | head -10
+          sudo du -sh /var/www/lidpotok/storage/logs/ 2>/dev/null
+          echo
+
+          echo "=== H. apt cache + tmp ==="
+          sudo du -sh /var/cache/apt/archives/ /tmp/ /var/tmp/ 2>/dev/null
+          echo
+
+          echo "=========================================="
+          echo "=== STARTING CLEANUP (confirm_apply=true) ==="
+          echo "=========================================="
+          echo
+
+          echo "=== 1a. PRIORITY: Truncate laravel.log (8.7 GB!) and rotated copies ==="
+          for f in /var/www/liderra/app/storage/logs/laravel.log /var/www/liderra/app/storage/logs/laravel.log.1; do
+            if [[ -f "$f" ]]; then
+              BEFORE=$(sudo du -m "$f" | cut -f1)
+              echo "BEFORE: $f = $BEFORE MB"
+              sudo bash -c ": > '$f'" 2>&1 || sudo truncate -s 0 "$f"
+              AFTER=$(sudo du -m "$f" | cut -f1)
+              echo "AFTER:  $f = $AFTER MB"
+            fi
+          done
+          # Старые laravel-* (если daily-rotated)
+          sudo find /var/www/liderra/app/storage/logs -name "laravel-*.log" -mtime +3 -print -delete 2>&1 | head -10
+          echo
+
+          echo "=== 1b. Truncate PG audit log via sudo bash redirect (workaround) ==="
+          if [[ -f /var/log/postgresql/postgresql-16-main.log ]]; then
+            BEFORE=$(sudo du -m /var/log/postgresql/postgresql-16-main.log | cut -f1)
+            echo "BEFORE: $BEFORE MB"
+            sudo bash -c ': > /var/log/postgresql/postgresql-16-main.log' 2>&1
+            AFTER=$(sudo du -m /var/log/postgresql/postgresql-16-main.log | cut -f1)
+            echo "AFTER:  $AFTER MB"
+          fi
+          sudo find /var/log/postgresql -type f \( -name "*.gz" -o -name "*.log.[0-9]*" \) -delete 2>&1
+          echo
+
+          echo "=== 1c. Truncate syslog (525M) ==="
+          sudo bash -c ': > /var/log/syslog' 2>&1
+          echo "syslog now: $(sudo du -m /var/log/syslog 2>/dev/null | cut -f1) MB"
+          echo
+
+          echo "=== 1d. Remove playwright dev cache (~440M, не нужен в проде) ==="
+          if [[ -d /var/www/.cache/ms-playwright ]]; then
+            sudo du -sh /var/www/.cache/ms-playwright 2>&1
+            sudo rm -rf /var/www/.cache/ms-playwright
+            echo "removed"
+          fi
+          echo
+
+          echo "=== 2. journalctl vacuum --size=200M ==="
+          sudo journalctl --vacuum-size=200M 2>&1 | tail -10
+          echo
+
+          echo "=== 3. nginx old rotated logs (gz files >3 days) ==="
+          sudo find /var/log/nginx -name "*.gz" -mtime +3 -print -delete 2>&1 | head -20
+          echo
+          # current access.log если >500M — truncate (nginx переоткрывает по reopen signal)
+          for f in /var/log/nginx/access.log /var/log/nginx/error.log; do
+            if [[ -f "$f" ]]; then
+              SIZE_MB=$(sudo du -m "$f" | cut -f1)
+              if [[ $SIZE_MB -gt 500 ]]; then
+                echo "Truncating $f ($SIZE_MB MB)"
+                sudo truncate -s 0 "$f"
+              fi
+            fi
+          done
+
+          echo
+          echo "=== 4. apt-get clean ==="
+          sudo apt-get clean 2>&1 | tail -5
+          echo
+
+          echo "=== 5. Laravel storage/logs *.log older 7 days ==="
+          if [[ -d /var/www/lidpotok ]]; then
+            sudo find /var/www/lidpotok -path '*/storage/logs/*.log' -mtime +7 -print -delete 2>&1 | head -20
+          fi
+          for d in /var/www/*/; do
+            if [[ -d "$d/storage/logs" ]]; then
+              for f in "$d"/storage/logs/laravel.log "$d"/storage/logs/worker.log; do
+                if [[ -f "$f" ]]; then
+                  SIZE_MB=$(sudo du -m "$f" | cut -f1)
+                  if [[ $SIZE_MB -gt 200 ]]; then
+                    echo "Truncating $f ($SIZE_MB MB)"
+                    sudo truncate -s 0 "$f"
+                  fi
+                fi
+              done
+            fi
+          done
+          echo
+
+          echo "=== 6. Old rotated *.1 *.2 *.gz logs >50M anywhere in /var/log ==="
+          sudo find /var/log -type f \( -name "*.1" -o -name "*.2" -o -name "*.3" -o -name "*.gz" \) -size +50M -print -delete 2>&1 | head -20
+          echo
+
+          echo "=========================================="
+          echo "=== AFTER CLEANUP ==="
+          echo "=========================================="
+          echo "=== Z1. df -h / ==="
+          df -h / /var /var/lib/postgresql 2>&1 | head -10
+          echo
+
+          echo "=== Z2. PG status quick check ==="
+          sudo systemctl status postgresql@16-main --no-pager 2>&1 | head -10
+          echo
+
+          echo "=== Z3. PG probe ==="
+          sleep 5
+          sudo -u postgres psql -d liderra -c "SELECT 1 AS probe, NOW() AS ts" 2>&1
+          echo
+
+          echo "=== Z4. HTTPS probe ==="
+          curl -sI -o /dev/null -w "HTTP %{http_code}\nTotal: %{time_total}s\n" https://liderra.ru/ --max-time 10
+          echo
+
+          echo "=== DONE ==="
+          REMOTE
+
+      - name: Print summary
+        if: always()
+        run: |
+          {
+            echo "## Disk recovery on liderra.ru"
+            echo
+            echo '```'
+            cat /tmp/recover.log 2>/dev/null || echo "(no log captured)"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Cleanup SSH key
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -0,0 +1,109 @@
+name: Disk usage alert (prod liderra.ru)
+
+# Incident prevention: 29.05.2026 диск заполнился до 100% за сутки → 4h prod downtime.
+# Этот workflow проверяет df -h / каждые 30 минут.
+# Threshold: 85% → создаёт row в incidents_log (read by ops monitoring).
+# 95% → marks как severity=critical для приоритетного alert'а.
+#
+# Ref: docs/incidents/2026-05-29-disk-full-pg-recovery.md §5
+
+on:
+  schedule:
+    # Every 30 minutes (Mondays-Sundays). At :00 и :30 каждого часа UTC.
+    - cron: '*/30 * * * *'
+  workflow_dispatch:
+    inputs:
+      threshold:
+        description: 'Override threshold % (default 85)'
+        required: false
+        default: '85'
+        type: string
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    timeout-minutes: 3
+
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+      THRESHOLD: ${{ github.event.inputs.threshold || '85' }}
+
+    steps:
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Check disk usage on prod
+        id: check
+        run: |
+          set -o pipefail
+          OUTPUT=$(ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} "df -h / | awk 'NR==2 {gsub(\"%\",\"\",\$5); print \$2\" \"\$3\" \"\$4\" \"\$5}'")
+          read SIZE USED AVAIL PCT <<< "$OUTPUT"
+          echo "size=$SIZE used=$USED avail=$AVAIL pct=$PCT"
+          echo "pct=$PCT" >> $GITHUB_OUTPUT
+          echo "size=$SIZE" >> $GITHUB_OUTPUT
+          echo "used=$USED" >> $GITHUB_OUTPUT
+          echo "avail=$AVAIL" >> $GITHUB_OUTPUT
+
+          if [[ -z "$PCT" ]]; then
+            echo "::error::Could not parse df output"
+            exit 1
+          fi
+
+          if [[ "$PCT" -ge 95 ]]; then
+            echo "severity=critical" >> $GITHUB_OUTPUT
+            echo "::error::Disk usage CRITICAL: $PCT% (size=$SIZE used=$USED avail=$AVAIL)"
+          elif [[ "$PCT" -ge "$THRESHOLD" ]]; then
+            echo "severity=warning" >> $GITHUB_OUTPUT
+            echo "::warning::Disk usage HIGH: $PCT% (threshold $THRESHOLD%, size=$SIZE used=$USED avail=$AVAIL)"
+          else
+            echo "severity=ok" >> $GITHUB_OUTPUT
+            echo "::notice::Disk usage OK: $PCT% (size=$SIZE used=$USED avail=$AVAIL)"
+          fi
+
+      - name: Record incident if >= threshold
+        if: steps.check.outputs.severity != 'ok'
+        run: |
+          PCT="${{ steps.check.outputs.pct }}"
+          SIZE="${{ steps.check.outputs.size }}"
+          USED="${{ steps.check.outputs.used }}"
+          AVAIL="${{ steps.check.outputs.avail }}"
+          SEVERITY="${{ steps.check.outputs.severity }}"
+
+          # Note: incidents_log table requires INSERT path through Laravel app.
+          # GitHub Step Summary serves as primary alert; Telegram bot watches
+          # GitHub Actions notifications. Future: extend sql-runner whitelist
+          # для INSERT into incidents_log.
+          {
+            echo "## 🚨 Disk usage alert — severity=$SEVERITY ($PCT%)"
+            echo
+            echo "- Host: ${{ env.LIDERRA_HOST }}"
+            echo "- Filesystem: /"
+            echo "- Size: $SIZE"
+            echo "- Used: $USED"
+            echo "- Available: $AVAIL"
+            echo "- Threshold: ${{ env.THRESHOLD }}%"
+            echo "- Time UTC: $(date -u)"
+            echo
+            echo "**Action required:** Investigate via pg-diagnose.yml workflow."
+            echo
+            echo "Likely causes (from incident 2026-05-29):"
+            echo "- /var/www/liderra/app/storage/logs/laravel.log — Laravel exception accumulation"
+            echo "- /var/log/postgresql/postgresql-16-main.log — pg_audit verbose logging"
+            echo "- /var/log/syslog — kernel + service logs"
+            echo "- /var/www/.cache/ — dev caches leaked to prod"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+          # Fail the job чтобы GitHub Actions подсветило red — это серфисится
+          # через GitHub notifications (email/desktop/telegram bot).
+          if [[ "$SEVERITY" == "critical" ]]; then
+            exit 1
+          fi
+
+      - name: Cleanup SSH key
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -0,0 +1,113 @@
+name: Apply F1 audit-chain advisory-lock migration via postgres superuser
+
+# Incident response: redeploy.yml fails on F1 migration because crm_migrator role
+# lacks privilege to CREATE OR REPLACE FUNCTION в schema public.
+# This workflow applies F1 migration SQL directly via sudo -u postgres psql,
+# then INSERTs the migration row so subsequent `php artisan migrate` skips it.
+#
+# Ref: docs/superpowers/plans/2026-05-29-audit-chain-race-fix.md Task 2
+# Migration file: app/database/migrations/2026_05_30_000001_add_advisory_lock_to_audit_chain_hash.php
+
+on:
+  workflow_dispatch:
+    inputs:
+      confirm_apply:
+        description: 'Подтверждаю применение F1 миграции на проде'
+        required: true
+        default: 'false'
+        type: boolean
+
+jobs:
+  apply:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+      CONFIRM: ${{ github.event.inputs.confirm_apply }}
+
+    steps:
+      - name: Guard
+        run: |
+          if [[ "$CONFIRM" != "true" ]]; then
+            echo "::error::confirm_apply=true required"
+            exit 1
+          fi
+
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Apply F1 SQL + register migration
+        run: |
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} \
+            "bash -s" <<'REMOTE' | tee /tmp/f1-apply.log
+          set +e
+
+          echo "=== 1. BEFORE: current audit_chain_hash function source ==="
+          sudo -u postgres psql -d liderra -c "\df+ public.audit_chain_hash" 2>&1 | head -20
+
+          echo
+          echo "=== 2. Apply F1 advisory-lock migration via sudo -u postgres ==="
+          sudo -u postgres psql -d liderra <<'SQL'
+          CREATE OR REPLACE FUNCTION public.audit_chain_hash() RETURNS trigger AS $$
+          DECLARE
+              prev_hash BYTEA;
+              lock_key  BIGINT;
+          BEGIN
+              lock_key := ('x' || lpad(to_hex(TG_RELID::int), 16, '0'))::bit(64)::bigint;
+              PERFORM pg_advisory_xact_lock(lock_key);
+
+              EXECUTE format(
+                  'SELECT log_hash FROM %I ORDER BY id DESC LIMIT 1',
+                  TG_TABLE_NAME
+              ) INTO prev_hash;
+
+              NEW.log_hash := digest(
+                  COALESCE(prev_hash, ''::bytea) || NEW::text::bytea,
+                  'sha256'
+              );
+              RETURN NEW;
+          END;
+          $$ LANGUAGE plpgsql;
+          SQL
+          APPLY_RC=$?
+          echo "Apply RC: $APPLY_RC"
+
+          echo
+          echo "=== 3. Verify function now contains pg_advisory_xact_lock ==="
+          sudo -u postgres psql -d liderra -c "SELECT pg_get_functiondef('public.audit_chain_hash'::regproc) LIKE '%pg_advisory_xact_lock%' AS has_lock"
+
+          echo
+          echo "=== 4. Register migration row (skip if already exists) ==="
+          sudo -u postgres psql -d liderra <<'SQL'
+          INSERT INTO migrations (migration, batch)
+          SELECT '2026_05_30_000001_add_advisory_lock_to_audit_chain_hash', COALESCE(MAX(batch),0)+1 FROM migrations
+          WHERE NOT EXISTS (
+              SELECT 1 FROM migrations WHERE migration = '2026_05_30_000001_add_advisory_lock_to_audit_chain_hash'
+          );
+          SELECT migration, batch FROM migrations WHERE migration LIKE '%advisory_lock%';
+          SQL
+
+          echo
+          echo "=== DONE ==="
+          REMOTE
+
+      - name: Print summary
+        if: always()
+        run: |
+          {
+            echo "## F1 migration apply"
+            echo
+            echo '```'
+            cat /tmp/f1-apply.log 2>/dev/null || echo "(no log)"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Cleanup SSH key
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -0,0 +1,221 @@
+name: Rebuild audit hash chain via postgres superuser (F1 cleanup)
+
+# Closes deferred F1 item from docs/incidents/2026-05-29-disk-full-pg-recovery.md §4.1.
+# Sequential hash recomputation в plpgsql DO-блоке через sudo -u postgres psql.
+# Identical алгоритм с trigger audit_chain_hash() (post-F1 advisory-lock version),
+# но применённый к existing rows.
+#
+# Использование:
+#   gh workflow run f1-rebuild-via-superuser.yml \
+#     -f partition=activity_log_y2026_m05 -f from_id=599 -f confirm_apply=true
+#
+# Safety:
+#   - Partition name whitelist (только заранее известные сломанные партиции).
+#   - dry_run=true mode показывает count + anchor prev_hash без UPDATE.
+#   - Trigger audit_chain_hash отключён через SET LOCAL session_replication_role=replica
+#     (постоянный disable невозможен — после COMMIT триггер опять активен).
+#   - audit_block_mutation также подавлен через session_replication_role=replica.
+
+on:
+  workflow_dispatch:
+    inputs:
+      partition:
+        description: 'Partition name (whitelist: activity_log_y2026_m05, balance_transactions_y2026_m05)'
+        required: true
+        type: string
+      from_id:
+        description: 'First broken id (rebuild from here onward)'
+        required: true
+        type: string
+      dry_run:
+        description: 'Dry-run (показать count + anchor без UPDATE)'
+        required: false
+        default: 'false'
+        type: boolean
+      confirm_apply:
+        description: 'Подтверждаю rebuild на проде (требуется если dry_run=false)'
+        required: false
+        default: 'false'
+        type: boolean
+
+jobs:
+  rebuild:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+      PARTITION: ${{ github.event.inputs.partition }}
+      FROM_ID: ${{ github.event.inputs.from_id }}
+      DRY_RUN: ${{ github.event.inputs.dry_run }}
+      CONFIRM: ${{ github.event.inputs.confirm_apply }}
+
+    steps:
+      - name: Validate inputs
+        run: |
+          set -euo pipefail
+
+          # Whitelist partition names (защита от arbitrary table names)
+          ALLOWED='^(activity_log_y2026_m05|balance_transactions_y2026_m05)$'
+          if ! [[ "$PARTITION" =~ $ALLOWED ]]; then
+            echo "::error::partition '$PARTITION' not in whitelist: $ALLOWED"
+            exit 1
+          fi
+
+          # from_id is positive integer
+          if ! [[ "$FROM_ID" =~ ^[0-9]+$ ]]; then
+            echo "::error::from_id must be positive integer, got '$FROM_ID'"
+            exit 1
+          fi
+
+          if [[ "$DRY_RUN" != "true" && "$CONFIRM" != "true" ]]; then
+            echo "::error::Either dry_run=true OR confirm_apply=true must be set"
+            exit 1
+          fi
+
+          echo "Inputs OK: partition=$PARTITION, from_id=$FROM_ID, dry_run=$DRY_RUN, confirm_apply=$CONFIRM"
+
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Run rebuild on prod
+        run: |
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} \
+            "PARTITION='$PARTITION' FROM_ID='$FROM_ID' DRY_RUN='$DRY_RUN' bash -s" <<'REMOTE' | tee /tmp/f1-rebuild.log
+          set +e
+
+          echo "=== 1. Anchor + count preview ==="
+          sudo -u postgres psql -d liderra -v ON_ERROR_STOP=1 <<SQL
+          \set partition $PARTITION
+          \set from_id $FROM_ID
+
+          -- Anchor: log_hash of row right BEFORE from_id (=> prev_hash for from_id)
+          SELECT
+            (SELECT id FROM :"partition" WHERE id < :from_id ORDER BY id DESC LIMIT 1) AS anchor_id,
+            encode((SELECT log_hash FROM :"partition" WHERE id < :from_id ORDER BY id DESC LIMIT 1), 'hex') AS anchor_log_hash,
+            (SELECT COUNT(*) FROM :"partition" WHERE id >= :from_id) AS rows_to_rebuild,
+            (SELECT MIN(id) FROM :"partition" WHERE id >= :from_id) AS first_id,
+            (SELECT MAX(id) FROM :"partition" WHERE id >= :from_id) AS last_id;
+          SQL
+          PRE_RC=$?
+          if [[ $PRE_RC -ne 0 ]]; then
+            echo "::error::Pre-check failed (RC=$PRE_RC)"
+            exit $PRE_RC
+          fi
+
+          if [[ "$DRY_RUN" == "true" ]]; then
+            echo
+            echo "=== DRY RUN — no changes applied ==="
+            exit 0
+          fi
+
+          echo
+          echo "=== 2. APPLY: rebuild hash chain on $PARTITION from id=$FROM_ID ==="
+          # Canonical algorithm (mirrors app/app/Console/Commands/AuditRebuildChain.php):
+          # builds explicit ROW(col1, col2, ..., NULL::bytea on log_hash position, ..., coln)::text::bytea
+          # so hash matches what audit:verify-chains computes (which uses same COLUMN_CONFIG).
+          case "$PARTITION" in
+            activity_log_*)
+              ROW_EXPR="ROW(t.id, t.tenant_id, t.user_id, t.deal_id, t.event, t.old_value, t.new_value, t.context, t.ip_address, t.user_agent, NULL::bytea, t.created_at)"
+              ;;
+            balance_transactions_*)
+              ROW_EXPR="ROW(t.id, t.tenant_id, t.type, t.amount_rub, t.amount_leads, t.balance_rub_after, t.balance_leads_after, t.description, t.related_type, t.related_id, t.user_id, t.admin_user_id, NULL::bytea, t.created_at)"
+              ;;
+            *)
+              echo "::error::Unknown partition family — add ROW_EXPR mapping"
+              exit 1
+              ;;
+          esac
+          echo "Using ROW expression: $ROW_EXPR"
+
+          sudo -u postgres psql -d liderra -v ON_ERROR_STOP=1 <<SQL
+          BEGIN;
+          SET LOCAL session_replication_role = 'replica';
+
+          DO \$rebuild\$
+          DECLARE
+              cur_id    BIGINT;
+              prev_hash BYTEA;
+              new_hash  BYTEA;
+              cnt       INTEGER := 0;
+              partition_name TEXT := '$PARTITION';
+              start_id  BIGINT := $FROM_ID;
+              row_expr  TEXT := '$ROW_EXPR';
+          BEGIN
+              EXECUTE format(
+                  'SELECT log_hash FROM %I WHERE id < \$1 ORDER BY id DESC LIMIT 1',
+                  partition_name
+              )
+              INTO prev_hash
+              USING start_id;
+
+              RAISE NOTICE 'Anchor prev_hash: %', COALESCE(encode(prev_hash, 'hex'), '<NULL — start of chain>');
+
+              FOR cur_id IN
+                  EXECUTE format(
+                      'SELECT id FROM %I WHERE id >= \$1 ORDER BY id',
+                      partition_name
+                  )
+                  USING start_id
+              LOOP
+                  -- Compute new_hash with explicit ROW(...) expression (canonical, matches verify-chains)
+                  EXECUTE format(
+                      'SELECT digest(COALESCE(\$1, ''''::bytea) || %s::text::bytea, ''sha256'') FROM %I t WHERE id = \$2',
+                      row_expr, partition_name
+                  )
+                  INTO new_hash
+                  USING prev_hash, cur_id;
+
+                  EXECUTE format('UPDATE %I SET log_hash = \$1 WHERE id = \$2', partition_name)
+                      USING new_hash, cur_id;
+
+                  prev_hash := new_hash;
+                  cnt := cnt + 1;
+              END LOOP;
+
+              RAISE NOTICE 'Rebuilt % rows. Last log_hash: %', cnt, encode(prev_hash, 'hex');
+          END
+          \$rebuild\$;
+
+          COMMIT;
+          SQL
+          APPLY_RC=$?
+
+          echo
+          echo "=== 3. Verify: no NULL log_hash в обновлённых строках ==="
+          sudo -u postgres psql -d liderra <<SQL
+          \set partition $PARTITION
+          \set from_id $FROM_ID
+          SELECT
+            COUNT(*) FILTER (WHERE log_hash IS NULL) AS null_count,
+            COUNT(*) AS total,
+            MIN(id) AS first_id,
+            MAX(id) AS last_id
+          FROM :"partition"
+          WHERE id >= :from_id;
+          SQL
+
+          echo
+          echo "=== Apply RC: $APPLY_RC ==="
+          exit $APPLY_RC
+          REMOTE
+
+      - name: Print summary
+        if: always()
+        run: |
+          {
+            echo "## F1 chain rebuild — $PARTITION (from_id=$FROM_ID, dry_run=$DRY_RUN)"
+            echo
+            echo '```'
+            cat /tmp/f1-rebuild.log 2>/dev/null || echo "(no log)"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Cleanup SSH key
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -0,0 +1,96 @@
+name: Diagnose PostgreSQL state on liderra.ru
+
+# Read-only diagnostic для incident "PG не принимает connections".
+# Запускается вручную: gh workflow run pg-diagnose.yml --ref <branch>
+# Ничего не меняет на проде — только читает systemctl/journalctl/df/free/uptime
+# + tail последних 200 строк postgresql-16-main.log.
+
+on:
+  workflow_dispatch:
+
+jobs:
+  diagnose:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+
+    steps:
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Run PG diagnostic on prod
+        run: |
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} \
+            "bash -s" <<'REMOTE' | tee /tmp/pg-diagnose.log
+          set +e
+          echo "=== 1. hostname + UTC time ==="
+          echo "host=$(hostname); utc=$(date -u)"
+          echo
+          echo "=== 2. uptime ==="
+          uptime
+          echo
+          echo "=== 3. last reboot ==="
+          who -b
+          last reboot --time-format=iso | head -5
+          echo
+          echo "=== 4. df -h / and /var ==="
+          df -h / /var /var/lib/postgresql 2>&1 | head -10
+          echo
+          echo "=== 5. free -h ==="
+          free -h
+          echo
+          echo "=== 6. systemctl status postgresql ==="
+          sudo systemctl status postgresql --no-pager 2>&1 | head -30
+          echo
+          echo "=== 7. systemctl status postgresql@16-main (cluster) ==="
+          sudo systemctl status postgresql@16-main --no-pager 2>&1 | head -30
+          echo
+          echo "=== 8. nginx + php-fpm status (one-line each) ==="
+          sudo systemctl is-active nginx php8.3-fpm liderra-queue 2>&1
+          echo
+          echo "=== 9. ps aux | postgres (top 15) ==="
+          ps auxf | grep -E "(postgres|recovery)" | grep -v grep | head -15
+          echo
+          echo "=== 10. journalctl postgresql last 80 lines ==="
+          sudo journalctl -u postgresql -n 80 --no-pager 2>&1 | tail -80
+          echo
+          echo "=== 11. journalctl postgresql@16-main last 80 lines ==="
+          sudo journalctl -u postgresql@16-main -n 80 --no-pager 2>&1 | tail -80
+          echo
+          echo "=== 12. tail -100 /var/log/postgresql/postgresql-16-main.log ==="
+          sudo tail -100 /var/log/postgresql/postgresql-16-main.log 2>&1
+          echo
+          echo "=== 13. WAL size and count ==="
+          sudo du -sh /var/lib/postgresql/16/main/pg_wal 2>&1
+          sudo ls /var/lib/postgresql/16/main/pg_wal 2>&1 | wc -l
+          echo
+          echo "=== 14. dmesg tail (kernel events, OOM, IO errors) ==="
+          sudo dmesg -T 2>&1 | tail -40
+          echo
+          echo "=== 15. liderra.ru HTTPS probe ==="
+          curl -sI -o /dev/null -w "HTTP %{http_code}\nTotal: %{time_total}s\n" https://liderra.ru/ --max-time 10
+          echo
+          echo "=== DONE ==="
+          REMOTE
+
+      - name: Print summary
+        if: always()
+        run: |
+          {
+            echo "## PG diagnostic on liderra.ru"
+            echo
+            echo '```'
+            cat /tmp/pg-diagnose.log 2>/dev/null || echo "(no log captured)"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Cleanup SSH key
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -0,0 +1,192 @@
+name: Pre-deploy validation (8 checks)
+
+# Цель: воспроизвести 8 проверок project-local агента `prod-deploy-validator`
+# (#85) через GitHub Actions Azure runner — обход YC backbone-фильтра,
+# который блокирует direct SSH с dev-IP 89.144.17.119.
+#
+# Запускается вручную: gh workflow run pre-deploy-checks.yml
+# Read-only — ничего не меняет на проде.
+#
+# 8 checks (per Pravila §2.4 / agent .claude/agents/prod-deploy-validator.md):
+#   1. config:cache владелец (quirk 107 — должен быть www-data:www-data, не root)
+#   2. .env line endings (CRLF → артефакты)
+#   3. свободное место (< 80% использовано)
+#   4. свежесть бэкапа БД (≤ 24ч)
+#   5. health очереди liderra-queue (active + queue length < 1000)
+#   6. nginx syntax (nginx -t)
+#   7. fail2ban active (service running)
+#   8. pending миграции (php artisan migrate:status — для текущего deploy ожидается 0)
+#
+# Использует тот же LIDERRA_SSH_KEY что и deploy.yml.
+
+on:
+  workflow_dispatch:
+
+jobs:
+  preflight:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+      APP_DIR: /var/www/liderra/app
+
+    steps:
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Run 8 pre-flight checks on prod
+        id: checks
+        run: |
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} \
+            "APP_DIR='${APP_DIR}' bash -s" <<'REMOTE' | tee /tmp/preflight.log
+            set +e
+            FAILS=0
+
+            echo "=== Check 1: config:cache file owner (quirk 107) ==="
+            CFG_FILE="${APP_DIR}/bootstrap/cache/config.php"
+            if sudo test -f "$CFG_FILE"; then
+              OWNER=$(sudo stat -c '%U:%G' "$CFG_FILE")
+              echo "  Owner: $OWNER"
+              if [ "$OWNER" = "www-data:www-data" ]; then
+                echo "  ✓ PASS"
+              else
+                echo "  ✗ FAIL — expected www-data:www-data (quirk 107: prod incident 24.05.2026)"
+                FAILS=$((FAILS+1))
+              fi
+            else
+              echo "  ~ SKIP — config.php не существует (будет создан deploy'ем)"
+            fi
+            echo
+
+            echo "=== Check 2: .env line endings (no CRLF) ==="
+            ENV_FILE="${APP_DIR}/.env"
+            if sudo test -f "$ENV_FILE"; then
+              CRLF_COUNT=$(sudo grep -c $'\r' "$ENV_FILE" 2>/dev/null || echo "0")
+              echo "  CRLF chars: $CRLF_COUNT"
+              if [ "$CRLF_COUNT" = "0" ]; then
+                echo "  ✓ PASS"
+              else
+                echo "  ✗ FAIL — .env содержит CRLF ($CRLF_COUNT строк)"
+                FAILS=$((FAILS+1))
+              fi
+            else
+              echo "  ✗ FAIL — .env not found"
+              FAILS=$((FAILS+1))
+            fi
+            echo
+
+            echo "=== Check 3: free disk space (< 80% used) ==="
+            DF_USED=$(df / | tail -1 | awk '{print $5}' | tr -d '%')
+            echo "  Used: ${DF_USED}%"
+            if [ "$DF_USED" -lt 80 ]; then
+              echo "  ✓ PASS"
+            else
+              echo "  ✗ FAIL — корневой раздел ${DF_USED}% (>=80%)"
+              FAILS=$((FAILS+1))
+            fi
+            echo
+
+            echo "=== Check 4: pre-deploy backup freshness (≤ 24h) ==="
+            # deploy.yml saves app pre-deploy backups to /home/ubuntu/deploy-backups/
+            BACKUP_DIR="/home/ubuntu/deploy-backups"
+            if sudo test -d "$BACKUP_DIR"; then
+              LATEST=$(sudo find "$BACKUP_DIR" -name 'app-pre-deploy-*.tgz' -mmin -1440 2>/dev/null | sort -r | head -1)
+              if [ -n "$LATEST" ]; then
+                MTIME=$(sudo stat -c '%y' "$LATEST" 2>/dev/null)
+                echo "  Latest: $LATEST ($MTIME)"
+                echo "  ✓ PASS"
+              else
+                ANY_LATEST=$(sudo find "$BACKUP_DIR" -name 'app-pre-deploy-*.tgz' 2>/dev/null | sort -r | head -1)
+                if [ -n "$ANY_LATEST" ]; then
+                  ANY_MTIME=$(sudo stat -c '%y' "$ANY_LATEST" 2>/dev/null)
+                  echo "  i NOTE — backups exist но >24h ($ANY_LATEST, $ANY_MTIME). Не блокер deploy'а — deploy.yml сам делает свежий backup перед раскаткой."
+                else
+                  echo "  i NOTE — нет pre-deploy бэкапов в $BACKUP_DIR. Не блокер — deploy.yml создаст backup сам."
+                fi
+              fi
+            else
+              echo "  i NOTE — backup dir $BACKUP_DIR не существует (первый deploy?). deploy.yml создаст dir."
+            fi
+            echo
+
+            echo "=== Check 5: queue health (liderra-queue active + depth) ==="
+            QUEUE_STATUS=$(systemctl is-active liderra-queue 2>&1)
+            echo "  Service: $QUEUE_STATUS"
+            if [ "$QUEUE_STATUS" = "active" ]; then
+              echo "  ✓ PASS (service active)"
+            else
+              echo "  ✗ FAIL — liderra-queue не active"
+              FAILS=$((FAILS+1))
+            fi
+            # NB: queue depth check would need Redis access; skipped (not critical for this deploy)
+            echo
+
+            echo "=== Check 6: nginx syntax ==="
+            NGINX_TEST=$(sudo nginx -t 2>&1)
+            echo "$NGINX_TEST" | sed 's/^/  /'
+            if echo "$NGINX_TEST" | grep -q "syntax is ok" && echo "$NGINX_TEST" | grep -q "test is successful"; then
+              echo "  ✓ PASS"
+            else
+              echo "  ✗ FAIL — nginx syntax error"
+              FAILS=$((FAILS+1))
+            fi
+            echo
+
+            echo "=== Check 7: fail2ban active ==="
+            F2B_STATUS=$(systemctl is-active fail2ban 2>&1)
+            echo "  Service: $F2B_STATUS"
+            if [ "$F2B_STATUS" = "active" ]; then
+              echo "  ✓ PASS"
+            else
+              echo "  ✗ FAIL — fail2ban не active"
+              FAILS=$((FAILS+1))
+            fi
+            echo
+
+            echo "=== Check 8: pending migrations ==="
+            cd "${APP_DIR}"
+            MIG_STATUS=$(sudo -u www-data php artisan migrate:status 2>&1)
+            PENDING=$(echo "$MIG_STATUS" | grep -c "Pending")
+            echo "  Pending count: $PENDING"
+            if [ "$PENDING" = "0" ]; then
+              echo "  ✓ PASS — 0 pending migrations"
+            else
+              echo "  i NOTE — $PENDING pending migrations (deploy.yml runs them automatically)"
+              # NB: Pending miграции — это НЕ FAIL для этого deploy (план не включает миграции;
+              # deploy.yml выполнит их сам). Помечается как INFO, не FAIL.
+            fi
+            echo
+
+            echo "=== SUMMARY ==="
+            echo "Total failures: $FAILS"
+            if [ "$FAILS" = "0" ]; then
+              echo "VERDICT: GO"
+              exit 0
+            else
+              echo "VERDICT: NO-GO ($FAILS check(s) failed)"
+              exit 1
+            fi
+          REMOTE
+          REMOTE_EXIT=$?
+          echo "remote_exit=$REMOTE_EXIT" >> "$GITHUB_OUTPUT"
+
+      - name: Print summary
+        if: always()
+        run: |
+          {
+            echo "## Pre-deploy 8-check validation for liderra.ru"
+            echo
+            echo '```'
+            cat /tmp/preflight.log 2>/dev/null || echo "(no log captured)"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Cleanup SSH key
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -0,0 +1,167 @@
+name: Setup logrotate for Laravel logs (incident prevention)
+
+# Incident response prevention: 8.7G laravel.log заполнил диск (29.05.2026).
+# Существующий daily rotation (laravel.log.1) недостаточен — за один день шторма
+# accumulated 8.7G. Нужна size-based rotation с лимитом.
+#
+# This workflow installs /etc/logrotate.d/laravel-liderra config:
+#   - size 50M (rotate when file >= 50MB, не daily)
+#   - rotate 5 (keep 5 rotated copies)
+#   - compress (gzip rotated files)
+#   - copytruncate (atomic copy + truncate inode-preserving, Laravel handle continues)
+#   - notifempty (skip if empty)
+#   - su www-data www-data (correct ownership)
+#
+# Тестируется logrotate --debug сразу после установки.
+#
+# Ref: root-cause analysis incident 2026-05-29
+
+on:
+  workflow_dispatch:
+    inputs:
+      confirm_apply:
+        description: 'Подтверждаю установку logrotate конфига на проде'
+        required: true
+        default: 'false'
+        type: boolean
+
+jobs:
+  setup:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+      CONFIRM: ${{ github.event.inputs.confirm_apply }}
+
+    steps:
+      - name: Guard
+        run: |
+          if [[ "$CONFIRM" != "true" ]]; then
+            echo "::error::confirm_apply=true required"
+            exit 1
+          fi
+
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Install logrotate config + verify
+        run: |
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} \
+            "bash -s" <<'REMOTE' | tee /tmp/logrotate-setup.log
+          set +e
+
+          echo "=== 1. Discover Laravel logs path ==="
+          LARAVEL_LOG_DIR=""
+          for candidate in /var/www/liderra/app/storage/logs /var/www/lidpotok/storage/logs; do
+            if [[ -d "$candidate" ]]; then
+              LARAVEL_LOG_DIR="$candidate"
+              break
+            fi
+          done
+          echo "LARAVEL_LOG_DIR=$LARAVEL_LOG_DIR"
+          if [[ -z "$LARAVEL_LOG_DIR" ]]; then
+            echo "::error::Cannot find Laravel logs directory"
+            exit 1
+          fi
+          echo "Current sizes:"
+          sudo du -sh "$LARAVEL_LOG_DIR"/*.log 2>/dev/null | head -10
+
+          echo
+          echo "=== 2. Write logrotate config to /etc/logrotate.d/laravel-liderra ==="
+          sudo tee /etc/logrotate.d/laravel-liderra > /dev/null <<EOF
+          $LARAVEL_LOG_DIR/*.log {
+              size 50M
+              rotate 5
+              compress
+              delaycompress
+              missingok
+              notifempty
+              copytruncate
+              su www-data www-data
+              create 0644 www-data www-data
+          }
+          EOF
+          echo "Wrote config:"
+          sudo cat /etc/logrotate.d/laravel-liderra
+          sudo chmod 0644 /etc/logrotate.d/laravel-liderra
+
+          echo
+          echo "=== 3. Verify config syntax via logrotate --debug ==="
+          sudo logrotate --debug /etc/logrotate.d/laravel-liderra 2>&1 | head -30
+
+          echo
+          echo "=== 4. Trigger rotation now (--force) for clean state ==="
+          sudo logrotate --force /etc/logrotate.d/laravel-liderra 2>&1 | tail -10
+
+          echo
+          echo "=== 5. PostgreSQL log rotation config ==="
+          # Default Ubuntu postgresql-common rotates daily without size cap.
+          # We override with size 100M / rotate 7 / postrotate SIGHUP (PG reopens log).
+          # Higher alpha order than postgresql-common → processed later → wins on same files.
+          sudo tee /etc/logrotate.d/postgresql-liderra > /dev/null <<EOF
+          /var/log/postgresql/*.log {
+              su postgres postgres
+              size 100M
+              rotate 7
+              compress
+              delaycompress
+              missingok
+              notifempty
+              create 0640 postgres adm
+              sharedscripts
+              postrotate
+                  # SIGHUP postmaster для re-open log file (standard PG idiom).
+                  # PG holds log file handle open — без SIGHUP write goes to old (deleted) inode.
+                  if [ -f /var/run/postgresql/16-main.pid ]; then
+                      kill -HUP \$(cat /var/run/postgresql/16-main.pid) 2>/dev/null || true
+                  fi
+              endscript
+          }
+          EOF
+          echo "Wrote /etc/logrotate.d/postgresql-liderra:"
+          sudo cat /etc/logrotate.d/postgresql-liderra
+          sudo chmod 0644 /etc/logrotate.d/postgresql-liderra
+
+          echo
+          echo "=== 6. Verify PG logrotate syntax ==="
+          sudo logrotate --debug /etc/logrotate.d/postgresql-liderra 2>&1 | head -20
+
+          echo
+          echo "=== 7. Force PG log rotation now (clean state) ==="
+          sudo logrotate --force /etc/logrotate.d/postgresql-liderra 2>&1 | tail -10
+
+          echo
+          echo "=== 8. AFTER: PG log directory state ==="
+          sudo ls -lah /var/log/postgresql/ 2>&1 | head -10
+
+          echo
+          echo "=== 9. AFTER: Laravel log directory state ==="
+          sudo ls -lah "$LARAVEL_LOG_DIR/" 2>&1 | head -20
+          echo
+          echo "=== 10. Disk free ==="
+          df -h / 2>&1 | head -3
+
+          echo
+          echo "=== DONE ==="
+          REMOTE
+
+      - name: Print summary
+        if: always()
+        run: |
+          {
+            echo "## logrotate setup"
+            echo
+            echo '```'
+            cat /tmp/logrotate-setup.log 2>/dev/null || echo "(no log)"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Cleanup SSH key
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -0,0 +1,208 @@
+name: SQL rebuild audit hash-chain (per-tenant via postgres)
+
+# Запускает per-tenant rebuild hash-chain для аудит-партиции через
+# sudo -u postgres psql (обход limitation crm_supplier_worker роли —
+# она не может SET session_replication_role).
+#
+# Поддерживает 2 таблицы (Stage 5 finding 1+2):
+#   - activity_log → ROW(id,tenant_id,user_id,deal_id,event,old_value,
+#     new_value,context,ip_address,user_agent,NULL::bytea,created_at)
+#   - balance_transactions → ROW(id,tenant_id,type,amount_rub,amount_leads,
+#     balance_rub_after,balance_leads_after,description,related_type,
+#     related_id,user_id,admin_user_id,NULL::bytea,created_at)
+
+on:
+  workflow_dispatch:
+    inputs:
+      partition:
+        description: 'Имя партиции, например activity_log_y2026_m05'
+        required: true
+        type: string
+      from_id:
+        description: 'ID с которого начать пересчёт (включительно)'
+        required: true
+        type: string
+      table_kind:
+        description: 'activity_log | balance_transactions | pd_processing_log | tenant_operations_log'
+        required: true
+        type: choice
+        options:
+          - activity_log
+          - balance_transactions
+          - pd_processing_log
+          - tenant_operations_log
+      confirm_apply:
+        description: 'Подтверждаю выполнение mutating cleanup'
+        required: true
+        default: false
+        type: boolean
+
+jobs:
+  rebuild:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+      PARTITION: ${{ github.event.inputs.partition }}
+      FROM_ID: ${{ github.event.inputs.from_id }}
+      TABLE_KIND: ${{ github.event.inputs.table_kind }}
+
+    steps:
+      - name: Confirm check
+        run: |
+          if [[ "${{ github.event.inputs.confirm_apply }}" != "true" ]]; then
+            echo "::error::confirm_apply=true обязателен"
+            exit 1
+          fi
+          # Sanity: partition must match table_kind
+          case "$TABLE_KIND" in
+            activity_log)
+              if [[ ! "$PARTITION" =~ ^activity_log_y[0-9]{4}_m[0-9]{2}$ ]]; then
+                echo "::error::partition '$PARTITION' не соответствует table_kind=activity_log"
+                exit 1
+              fi
+              ;;
+            balance_transactions)
+              if [[ ! "$PARTITION" =~ ^balance_transactions_y[0-9]{4}_m[0-9]{2}$ ]]; then
+                echo "::error::partition '$PARTITION' не соответствует table_kind=balance_transactions"
+                exit 1
+              fi
+              ;;
+            pd_processing_log)
+              if [[ ! "$PARTITION" =~ ^pd_processing_log_y[0-9]{4}_m[0-9]{2}$ ]]; then
+                echo "::error::partition '$PARTITION' не соответствует table_kind=pd_processing_log"
+                exit 1
+              fi
+              ;;
+            tenant_operations_log)
+              if [[ ! "$PARTITION" =~ ^tenant_operations_log_y[0-9]{4}_m[0-9]{2}$ ]]; then
+                echo "::error::partition '$PARTITION' не соответствует table_kind=tenant_operations_log"
+                exit 1
+              fi
+              ;;
+            *)
+              echo "::error::table_kind unknown"
+              exit 1
+              ;;
+          esac
+          if ! [[ "$FROM_ID" =~ ^[0-9]+$ ]]; then
+            echo "::error::from_id must be numeric"
+            exit 1
+          fi
+
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Execute SQL rebuild on prod
+        run: |
+          # Build ROW expression per table_kind (mirror AuditChainConfig::TABLES)
+          case "$TABLE_KIND" in
+            activity_log)
+              ROW_EXPR="ROW(t.id, t.tenant_id, t.user_id, t.deal_id, t.event, t.old_value, t.new_value, t.context, t.ip_address, t.user_agent, NULL::bytea, t.created_at)"
+              ;;
+            balance_transactions)
+              ROW_EXPR="ROW(t.id, t.tenant_id, t.type, t.amount_rub, t.amount_leads, t.balance_rub_after, t.balance_leads_after, t.description, t.related_type, t.related_id, t.user_id, t.admin_user_id, NULL::bytea, t.created_at)"
+              ;;
+            pd_processing_log)
+              ROW_EXPR="ROW(t.id, t.tenant_id, t.subject_type, t.subject_id, t.action, t.purpose, t.actor_tenant_user_id, t.actor_admin_user_id, t.ip_address, NULL::bytea, t.created_at)"
+              ;;
+            tenant_operations_log)
+              ROW_EXPR="ROW(t.id, t.tenant_id, t.user_id, t.entity_type, t.entity_id, t.event, t.payload_before, t.payload_after, t.ip_address, t.user_agent, NULL::bytea, t.created_at)"
+              ;;
+          esac
+
+          # Build SQL with substituted PARTITION + FROM_ID + ROW_EXPR
+          cat > /tmp/rebuild.sql <<SQL
+          \\set ON_ERROR_STOP 1
+
+          SELECT 'BEFORE: mismatches in partition' AS phase, COUNT(*) AS cnt
+          FROM (
+            WITH ordered AS (
+              SELECT id, tenant_id, log_hash AS stored_hash,
+                     LAG(log_hash) OVER (PARTITION BY tenant_id ORDER BY id) AS prev_hash
+              FROM ${PARTITION}
+            )
+            SELECT o.id
+            FROM ordered o
+            WHERE o.stored_hash IS DISTINCT FROM
+              digest(
+                COALESCE(o.prev_hash, ''::bytea)
+                || (SELECT ${ROW_EXPR}::text::bytea FROM ${PARTITION} t WHERE t.id = o.id),
+                'sha256'
+              )
+          ) sub;
+
+          DO \$\$
+          DECLARE
+            tenant_rec RECORD;
+            row_rec RECORD;
+            prev_hash BYTEA;
+            new_hash BYTEA;
+            updated_count INT := 0;
+            tenant_count INT := 0;
+          BEGIN
+            SET session_replication_role = 'replica';
+
+            FOR tenant_rec IN
+              SELECT DISTINCT tenant_id FROM ${PARTITION} WHERE id >= ${FROM_ID} ORDER BY tenant_id
+            LOOP
+              tenant_count := tenant_count + 1;
+
+              SELECT log_hash INTO prev_hash
+              FROM ${PARTITION}
+              WHERE tenant_id = tenant_rec.tenant_id AND id < ${FROM_ID}
+              ORDER BY id DESC LIMIT 1;
+
+              FOR row_rec IN
+                SELECT id FROM ${PARTITION}
+                WHERE tenant_id = tenant_rec.tenant_id AND id >= ${FROM_ID}
+                ORDER BY id
+              LOOP
+                UPDATE ${PARTITION} p
+                SET log_hash = digest(
+                  COALESCE(prev_hash, ''::bytea)
+                  || (SELECT ${ROW_EXPR}::text::bytea FROM ${PARTITION} t WHERE t.id = row_rec.id),
+                  'sha256'
+                )
+                WHERE p.id = row_rec.id
+                RETURNING log_hash INTO new_hash;
+
+                prev_hash := new_hash;
+                updated_count := updated_count + 1;
+              END LOOP;
+            END LOOP;
+
+            SET session_replication_role = 'origin';
+            RAISE NOTICE 'Rebuild complete: % tenants, % rows updated', tenant_count, updated_count;
+          END\$\$;
+
+          SELECT 'AFTER: mismatches in partition' AS phase, COUNT(*) AS cnt
+          FROM (
+            WITH ordered AS (
+              SELECT id, tenant_id, log_hash AS stored_hash,
+                     LAG(log_hash) OVER (PARTITION BY tenant_id ORDER BY id) AS prev_hash
+              FROM ${PARTITION}
+            )
+            SELECT o.id
+            FROM ordered o
+            WHERE o.stored_hash IS DISTINCT FROM
+              digest(
+                COALESCE(o.prev_hash, ''::bytea)
+                || (SELECT ${ROW_EXPR}::text::bytea FROM ${PARTITION} t WHERE t.id = o.id),
+                'sha256'
+              )
+          ) sub;
+          SQL
+
+          scp -i ~/.ssh/liderra_deploy /tmp/rebuild.sql ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }}:/tmp/rebuild.sql
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} 'sudo -u postgres psql -d liderra -f /tmp/rebuild.sql && rm /tmp/rebuild.sql'
+
+      - name: Cleanup SSH key
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -0,0 +1,104 @@
+name: Run whitelisted SQL on liderra.ru
+
+on:
+  workflow_dispatch:
+    inputs:
+      sql:
+        description: 'SQL query (SELECT only by default; UPDATE/DELETE need confirm_mutating=true)'
+        required: true
+        type: string
+      confirm_mutating:
+        description: 'Подтверждаю UPDATE/DELETE на проде'
+        required: false
+        default: false
+        type: boolean
+
+jobs:
+  run:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+      SQL: ${{ github.event.inputs.sql }}
+      CONFIRM_MUT: ${{ github.event.inputs.confirm_mutating }}
+
+    steps:
+      - name: Whitelist check
+        run: |
+          set -euo pipefail
+          SQL_LOWER=$(echo "$SQL" | tr '[:upper:]' '[:lower:]' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
+
+          # Reject multi-statement SQL — `;` would let SELECT-prefixed payloads
+          # smuggle UPDATE/DELETE past READ_RE without confirm_mutating=true.
+          # Trailing single `;` is also rejected for symmetry (use no trailing `;`).
+          if [[ "$SQL_LOWER" == *";"* ]]; then
+            echo "::error::Multi-statement SQL is not allowed (no semicolons)."
+            exit 1
+          fi
+
+          # Allow: SELECT / WITH (CTE) / \d / EXPLAIN
+          READ_RE='^(select |with |explain |\\d|\\df|\\di|\\dt)'
+
+          # Mutating allowed if confirm=true: targeted UPDATE/DELETE on specific tables
+          MUTATING_RE='^(update supplier_leads|update supplier_projects|update failed_webhook_jobs|update scheduler_heartbeats|delete from failed_webhook_jobs|delete from incidents_log) '
+
+          if [[ "$SQL_LOWER" =~ $READ_RE ]]; then
+            echo "::notice::SELECT/read-only — allowed."
+            exit 0
+          fi
+
+          if [[ "$SQL_LOWER" =~ $MUTATING_RE ]]; then
+            if [[ "$CONFIRM_MUT" != "true" ]]; then
+              echo "::error::Mutating SQL requires confirm_mutating=true."
+              exit 1
+            fi
+            echo "::warning::Mutating SQL authorized."
+            exit 0
+          fi
+
+          echo "::error::SQL not in whitelist: $SQL_LOWER"
+          exit 1
+
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Run on prod
+        run: |
+          set -o pipefail
+          SQL_B64=$(printf '%s' "$SQL" | base64 -w0)
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} \
+            "SQL_B64='$SQL_B64' bash -s" <<'REMOTE' | tee /tmp/sql.log
+            SQL=$(echo "$SQL_B64" | base64 -d)
+            echo "=== Running on $(hostname) at $(date -u) ==="
+            echo "SQL: $SQL"
+            echo
+            sudo -u postgres psql -d liderra -c "$SQL"
+            RC=$?
+            echo
+            echo "=== Exit code: $RC ==="
+            exit $RC
+          REMOTE
+
+      - name: Summary
+        if: always()
+        run: |
+          {
+            echo "## SQL on prod"
+            echo
+            echo '```sql'
+            echo "$SQL"
+            echo '```'
+            echo
+            echo '```'
+            cat /tmp/sql.log 2>/dev/null
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Cleanup
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -0,0 +1,136 @@
+name: Diagnose SSH access to liderra.ru
+
+# Цель: понять, почему dev-IP 89.144.17.119 не пускают по SSH.
+# Запускается вручную: gh workflow run ssh-diagnose.yml -f dev_ip=89.144.17.119
+# Ничего не меняет на проде — только читает состояние fail2ban / iptables / sshd /
+# auth.log.
+#
+# Использует тот же LIDERRA_SSH_KEY что и deploy.yml.
+
+on:
+  workflow_dispatch:
+    inputs:
+      dev_ip:
+        description: 'IP который нужно проверить на блок (по умолчанию 89.144.17.119)'
+        required: true
+        default: '89.144.17.119'
+        type: string
+
+jobs:
+  diagnose:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+      DEV_IP: ${{ github.event.inputs.dev_ip }}
+
+    steps:
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Run diagnostic queries on prod
+        run: |
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} \
+            "DEV_IP='${DEV_IP}' bash -s" <<'REMOTE' | tee /tmp/diagnose.log
+            set +e
+            echo "=== 1. fail2ban status (sshd jail) ==="
+            sudo fail2ban-client status sshd 2>&1 | head -30 || echo "fail2ban not available"
+
+            echo
+            echo "=== 2. Is ${DEV_IP} currently banned by fail2ban? ==="
+            sudo fail2ban-client get sshd banip 2>&1 | grep -F "${DEV_IP}" || echo "NOT IN fail2ban banlist"
+
+            echo
+            echo "=== 3. Recent fail2ban actions for ${DEV_IP} (last 50 lines) ==="
+            sudo grep -F "${DEV_IP}" /var/log/fail2ban.log 2>/dev/null | tail -50 || echo "no fail2ban log entries"
+
+            echo
+            echo "=== 4. iptables INPUT rules referencing ${DEV_IP} or :22 ==="
+            sudo iptables -L INPUT -n -v --line-numbers 2>&1 | grep -E "(${DEV_IP}|dpt:22|tcp dpt:ssh|f2b)" || echo "no specific INPUT rules"
+
+            echo
+            echo "=== 5. iptables chains containing fail2ban (f2b-*) ==="
+            sudo iptables -L -n 2>&1 | grep -E "^Chain (f2b|INPUT)" | head -10
+
+            echo
+            echo "=== 6. Full f2b-sshd chain (entries banning IPs) ==="
+            sudo iptables -L f2b-sshd -n -v --line-numbers 2>&1 | head -40 || echo "no f2b-sshd chain"
+
+            echo
+            echo "=== 7. Recent SSH failed attempts from ${DEV_IP} (last 30 lines auth.log) ==="
+            sudo grep -F "${DEV_IP}" /var/log/auth.log 2>/dev/null | tail -30 || echo "no auth.log entries"
+
+            echo
+            echo "=== 8. Active sshd config: AllowUsers / DenyUsers / Match blocks ==="
+            sudo grep -E "^(AllowUsers|DenyUsers|AllowGroups|DenyGroups|Match)" /etc/ssh/sshd_config 2>&1 || true
+            sudo ls /etc/ssh/sshd_config.d/ 2>&1
+            sudo grep -E "^(AllowUsers|DenyUsers|AllowGroups|DenyGroups|Match)" /etc/ssh/sshd_config.d/*.conf 2>/dev/null || echo "no relevant entries in sshd_config.d"
+
+            echo
+            echo "=== 9. hosts.deny / hosts.allow ==="
+            echo "--- /etc/hosts.deny ---"
+            sudo cat /etc/hosts.deny 2>/dev/null | grep -v '^#' | grep -v '^$' || echo "(empty)"
+            echo "--- /etc/hosts.allow ---"
+            sudo cat /etc/hosts.allow 2>/dev/null | grep -v '^#' | grep -v '^$' || echo "(empty)"
+
+            echo
+            echo "=== 10. ufw status (если используется) ==="
+            sudo ufw status verbose 2>&1 | head -20 || echo "ufw not active"
+
+            echo
+            echo "=== 11. nftables ruleset (если активен) ==="
+            sudo nft list ruleset 2>&1 | head -40 || echo "nftables not active"
+
+            echo
+            echo "=== 12. Last 5 successful SSH logins (who logged in last) ==="
+            last -n 5 ubuntu 2>&1 | head -10
+
+            echo
+            echo "=== 13. Full content of /etc/ssh/sshd_config.d/01-claude.conf ==="
+            sudo cat /etc/ssh/sshd_config.d/01-claude.conf 2>&1 | head -80
+
+            echo
+            echo "=== 14. nftables full ruleset (f2b-table content) ==="
+            sudo nft list ruleset 2>&1 | head -120
+
+            echo
+            echo "=== 15. journalctl ssh.service last 30min ==="
+            sudo journalctl -u ssh.service --since="30 minutes ago" --no-pager 2>&1 | tail -40
+
+            echo
+            echo "=== 16. /etc/fail2ban/jail.d/ content ==="
+            sudo ls -la /etc/fail2ban/jail.d/ 2>&1
+            echo "--- whitelist-dev.conf ---"
+            sudo cat /etc/fail2ban/jail.d/whitelist-dev.conf 2>&1 || echo "(missing)"
+            echo "--- jail.local ---"
+            sudo cat /etc/fail2ban/jail.local 2>&1 | head -40 || echo "(missing)"
+
+            echo
+            echo "=== 17. recidive jail (if any — long-term ban) ==="
+            sudo fail2ban-client status recidive 2>&1 | head -20 || echo "no recidive jail"
+            sudo fail2ban-client get recidive banip 2>&1 | grep -F "${DEV_IP}" || echo "NOT IN recidive"
+
+            echo
+            echo "=== DONE ==="
+          REMOTE
+
+      - name: Print summary
+        if: always()
+        run: |
+          {
+            echo "## SSH diagnostic for $DEV_IP → $LIDERRA_HOST"
+            echo
+            echo '```'
+            cat /tmp/diagnose.log 2>/dev/null || echo "(no log captured)"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Cleanup SSH key
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -0,0 +1,117 @@
+name: Stage 5 daily monitor (29.05→04.06)
+
+# Автоматический ежедневный мониторинг 3 ключевых сигналов прода
+# во время 7-дневного окна перед переключением supplier_export_mode
+# online→batch (Stage 5 Task 5.1).
+#
+# Запускается GitHub-cron'ом каждое утро 06:00 UTC (09:00 МСК)
+# 29.05.2026 — 04.06.2026 (после 04.06 workflow можно отключить
+# через UI Actions tab → Disable workflow, либо удалить файл).
+# Также доступен ручной запуск через workflow_dispatch.
+#
+# Выводит результаты в job summary + сохраняет как artifact.
+#
+# План мониторинга:
+# docs/superpowers/plans/2026-05-29-stage5-monitoring-checklist.md
+
+on:
+  schedule:
+    # 06:00 UTC = 09:00 МСК ежедневно
+    - cron: '0 6 * * *'
+  workflow_dispatch:
+
+jobs:
+  monitor:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    # Жёсткий стоп — workflow ничего не делает после 04.06.2026 даже
+    # если кто-то забудет отключить. CRON в GitHub Actions не имеет
+    # "until date" — реализуем через if-check на runner side.
+    if: github.event_name == 'workflow_dispatch' || github.event.schedule == '0 6 * * *'
+
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+
+    steps:
+      - name: Check window not expired
+        id: window
+        run: |
+          TODAY=$(date -u +%Y-%m-%d)
+          DEADLINE='2026-06-05'  # 04.06 + 1 день grace
+          if [[ "$TODAY" > "$DEADLINE" ]]; then
+            echo "::notice::Stage 5 monitoring window closed at $DEADLINE. Disable this workflow via Actions UI."
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "skip=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Setup SSH key
+        if: steps.window.outputs.skip != 'true'
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Run 3 checks
+        if: steps.window.outputs.skip != 'true'
+        run: |
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} 'bash -s' <<'REMOTE' | tee /tmp/monitor.log
+            set +e
+            cd /var/www/liderra/app
+            echo "=== Date: $(date -u) ==="
+
+            echo
+            echo "=== 1. scheduler:check-heartbeats ==="
+            sudo -u www-data php artisan scheduler:check-heartbeats 2>&1
+            echo "Exit: $?"
+
+            echo
+            echo "=== 2. incidents:watch-failures ==="
+            sudo -u www-data php artisan incidents:watch-failures 2>&1
+            echo "Exit: $?"
+
+            echo
+            echo "=== 3. migrate:status ==="
+            sudo -u www-data php artisan migrate:status 2>&1 | tail -8
+            echo "Exit: $?"
+
+            echo
+            echo "=== Auxiliary signals from system tables ==="
+            echo "--- last 3 incidents_log entries ---"
+            sudo -u postgres psql -d liderra -tA -c "SELECT severity, created_at, root_cause FROM incidents_log ORDER BY created_at DESC LIMIT 3;" 2>&1
+            echo "--- snapshot count last 3 days ---"
+            sudo -u postgres psql -d liderra -tA -c "SELECT snapshot_date, COUNT(*) FROM project_routing_snapshots GROUP BY 1 ORDER BY 1 DESC LIMIT 3;" 2>&1
+            echo "--- failed_webhook_jobs last 24h count ---"
+            sudo -u postgres psql -d liderra -tA -c "SELECT COUNT(*) FROM failed_webhook_jobs WHERE failed_at > NOW() - INTERVAL '24 hours';" 2>&1
+            echo "--- scheduler_heartbeats with failures ---"
+            sudo -u postgres psql -d liderra -tA -c "SELECT command_name, consecutive_failures, last_run_at FROM scheduler_heartbeats WHERE consecutive_failures > 0 ORDER BY consecutive_failures DESC;" 2>&1
+
+            echo
+            echo "=== DONE ==="
+          REMOTE
+
+      - name: Print summary
+        if: always() && steps.window.outputs.skip != 'true'
+        run: |
+          {
+            echo "## Stage 5 daily monitor — $(date -u +%Y-%m-%d)"
+            echo
+            echo '```'
+            cat /tmp/monitor.log 2>/dev/null || echo "(no output)"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Upload as artifact
+        if: always() && steps.window.outputs.skip != 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: monitor-${{ github.run_id }}
+          path: /tmp/monitor.log
+          retention-days: 14
+
+      - name: Cleanup SSH key
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -0,0 +1,111 @@
+name: Stage 5 day 1 investigation — round 3 (schema + full rows)
+
+# Round 3: реальные имена колонок hash в audit-таблицах,
+# реальные имена FK в supplier_projects/supplier_leads,
+# полное содержимое битых строк (599/462) и застрявших лидов (1110/1157).
+
+on:
+  workflow_dispatch:
+
+jobs:
+  investigate:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    env:
+      LIDERRA_HOST: 111.88.246.137
+      LIDERRA_USER: ubuntu
+
+    steps:
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.LIDERRA_SSH_KEY }}" > ~/.ssh/liderra_deploy
+          chmod 600 ~/.ssh/liderra_deploy
+          ssh-keyscan -H ${{ env.LIDERRA_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+
+      - name: Round 3 schema + rows
+        run: |
+          ssh -i ~/.ssh/liderra_deploy ${{ env.LIDERRA_USER }}@${{ env.LIDERRA_HOST }} 'bash -s' <<'REMOTE' | tee /tmp/investigate3.log
+            set +e
+            cd /var/www/liderra/app
+
+            echo "=========================================="
+            echo "SCHEMAS"
+            echo "=========================================="
+
+            echo
+            echo "--- activity_log columns ---"
+            sudo -u postgres psql -d liderra -c "SELECT column_name, data_type FROM information_schema.columns WHERE table_name='activity_log' ORDER BY ordinal_position;"
+
+            echo
+            echo "--- balance_transactions columns ---"
+            sudo -u postgres psql -d liderra -c "SELECT column_name, data_type FROM information_schema.columns WHERE table_name='balance_transactions' ORDER BY ordinal_position;"
+
+            echo
+            echo "--- supplier_projects columns ---"
+            sudo -u postgres psql -d liderra -c "SELECT column_name, data_type FROM information_schema.columns WHERE table_name='supplier_projects' ORDER BY ordinal_position;"
+
+            echo
+            echo "--- supplier_leads columns ---"
+            sudo -u postgres psql -d liderra -c "SELECT column_name, data_type FROM information_schema.columns WHERE table_name='supplier_leads' ORDER BY ordinal_position;"
+
+
+            echo
+            echo "=========================================="
+            echo "BROKEN ROWS — full SELECT *"
+            echo "=========================================="
+
+            echo
+            echo "--- activity_log_y2026_m05 ids 597-601 ---"
+            sudo -u postgres psql -d liderra -x -c "SELECT * FROM activity_log_y2026_m05 WHERE id BETWEEN 597 AND 601 ORDER BY id;"
+
+            echo
+            echo "--- balance_transactions_y2026_m05 ids 460-464 ---"
+            sudo -u postgres psql -d liderra -x -c "SELECT * FROM balance_transactions_y2026_m05 WHERE id BETWEEN 460 AND 464 ORDER BY id;"
+
+
+            echo
+            echo "=========================================="
+            echo "STUCK LEADS 1110 + 1157"
+            echo "=========================================="
+
+            echo
+            echo "--- supplier_leads.id IN (1110, 1157) ---"
+            sudo -u postgres psql -d liderra -x -c "SELECT * FROM supplier_leads WHERE id IN (1110, 1157);"
+
+            echo
+            echo "--- failed_webhook_jobs sample raw_payload for sl_id=1110 (1 row) ---"
+            sudo -u postgres psql -d liderra -x -c "SELECT * FROM failed_webhook_jobs WHERE raw_payload->>'supplier_lead_id' = '1110' ORDER BY failed_at DESC LIMIT 1;"
+
+            echo
+            echo "--- All supplier_projects with platform B1 ---"
+            sudo -u postgres psql -d liderra -c "SELECT * FROM supplier_projects WHERE platform='B1' LIMIT 5;"
+
+            echo
+            echo "=========================================="
+            echo "DONE"
+            echo "=========================================="
+          REMOTE
+
+      - name: Print summary
+        if: always()
+        run: |
+          {
+            echo "## Stage 5 day 1 investigation — round 3 schemas"
+            echo
+            echo '```'
+            cat /tmp/investigate3.log 2>/dev/null || echo "(no output)"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Upload artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: investigate-day1-round3
+          path: /tmp/investigate3.log
+
+      - name: Cleanup SSH key
+        if: always()
+        run: rm -f ~/.ssh/liderra_deploy
@@ -151,6 +151,12 @@ app/playwright/node_modules/
 # Superpowers using-git-worktrees — локальные worktrees вне репо
 .claude/worktrees/

+# Graphify knowledge-graph build artefacts (ADR-017 #86) — ~5MB graph.json + 1.8MB
+# graph.html + cache/. Local-only, не коммитятся; восстанавливается пересборкой
+# через /graphify --update. В main worktree graphify-out — junction на spike worktree.
+graphify-out/
+graphify-out-*/
+
 # Vitest coverage output (app/coverage/) — генерируется npm run test:coverage
 /app/coverage/

@@ -39,3 +39,13 @@ a2f6714440c925e8ffdec8667373511dcce1b3aa:ПИЛОТ.md:ru-phone-unmasked:31
 16ac37aba9fdeb8a153e92e44ed42e1693377b58:docs/observer/episodes-2026-05.jsonl:ru-phone-unmasked:46
 16ac37aba9fdeb8a153e92e44ed42e1693377b58:docs/observer/episodes-2026-05.jsonl:ru-phone-unmasked:48
 16ac37aba9fdeb8a153e92e44ed42e1693377b58:docs/observer/episodes-2026-05.jsonl:ru-phone-unmasked:76
+
+# 2026-05-26 — реальные RU-телефоны в ПИЛОТ.md и spec'ах от параллельных сессий
+# Дмитрия (33184985 / f48f79d2 / da4ab729 уже на origin/main — историю не переписать;
+# 6b2597ff / d2100a9b на ветке fix/supplier-platform-prefix, не в main lineage).
+# TODO: маскировать +7XXXXXXXXXX в новых коммитах ПИЛОТ.md / специов supplier-*.
+6b2597ff4ac2a34ed3d4d5a05c47318502b3f469:ПИЛОТ.md:ru-phone-unmasked:11
+d2100a9bab954296fa71dcfdb59568a1986e0dbe:docs/superpowers/specs/2026-05-26-supplier-platform-prefix-design.md:ru-phone-unmasked:18
+f48f79d2f333cd5acffb7751e6c3554d0807cb39:ПИЛОТ.md:ru-phone-unmasked:13
+33184985875ac8219464fd3d0f65b6740d587f50:ПИЛОТ.md:ru-phone-unmasked:11
+da4ab729df08ded7aa7d2523ef6c81efeacc1849:docs/superpowers/specs/2026-05-25-supplier-webhook-reliability-design.md:ru-phone-unmasked:34
@@ -28,6 +28,12 @@ exclude = [
  # Шаблонные плейсхолдеры
  "^\\{\\{.*\\}\\}$",
  "^\\[.*\\]$",
+  # v3.9 hooks удалены Stream G (2026-05-30), CLAUDE.md содержит исторические упоминания
+  "tools/enforce-chain-recommendation\\.mjs",
+  "tools/enforce-classifier-match\\.mjs",
+  "tools/enforce-graph-first\\.mjs",
+  "tools/enforce-semgrep-security\\.mjs",
+  "tools/enforce-override-limit\\.mjs",
  # localhost и приватные адреса
  "^https?://localhost",
  "^https?://127\\.0\\.0\\.1",
@@ -54,32 +54,7 @@
      },
      "comment": "A3 integration-tooling #47 — OpenAPI MCP (ivo-toby/mcp-openapi-server, @ivotoby/openapi-mcp-server v1.14.0, MIT). Exposes Лидерра REST API endpoints (docs/api/openapi.yaml) as MCP tools. Config via env-vars API_BASE_URL + OPENAPI_SPEC_PATH (stdio transport default). READ scope: API discovery/introspection for Claude Code. Формализован в Tooling §4.22, PSR_v1 R10.1 блок 3, Pravila §13.2."
    },
-    "marketing-metrika": {
-      "command": "npx",
-      "args": ["-y", "github:atomkraft/yandex-metrika-mcp"],
-      "env": {
-        "YANDEX_OAUTH_TOKEN": "${YANDEX_OAUTH_TOKEN}"
-      },
-      "comment": "C1 marketing-tooling #78 — Yandex Metrika MCP (vetted source: github:atomkraft/yandex-metrika-mcp, MIT — выбран по IS9-вету из 3 кандидатов, см. docs/security/marketing-vet.md). READ-ONLY аналитика: посещаемость, источники трафика, конверсии. Env: YANDEX_OAUTH_TOKEN — OAuth-токен с правами read-only. Постура IS9: READ-ONLY, мутации API Метрики не задействуются. Tooling §4.53. docs/marketing/README.md."
-    },
-    "marketing-wordstat": {
-      "command": "npx",
-      "args": ["-y", "github:SvechaPVL/yandex-mcp"],
-      "env": {
-        "YANDEX_OAUTH_TOKEN": "${YANDEX_OAUTH_TOKEN}"
-      },
-      "comment": "C1 marketing-tooling #79 — Yandex Direct+Wordstat MCP (vetted source: github:SvechaPVL/yandex-mcp, MIT — выбран по IS9-вету, см. docs/security/marketing-vet.md). Репозиторий отдаёт 128 tools (Direct + Wordstat + Метрика); по IS9-условию используются ТОЛЬКО Wordstat-инструменты для подбора ключевых слов и оценки спроса — Direct-мутации (создание/правка кампаний, изменение ставок) поведенчески запрещены через marketing-ru #77 и MKT8 (никаких автоматических трат рекламного бюджета). Env: YANDEX_OAUTH_TOKEN с минимальным scope. Tooling §4.54. docs/marketing/README.md."
-    },
-    "marketing-telegram": {
-      "command": "npx",
-      "args": ["-y", "github:chigwell/telegram-mcp"],
-      "env": {
-        "TELEGRAM_API_ID": "${TELEGRAM_API_ID}",
-        "TELEGRAM_API_HASH": "${TELEGRAM_API_HASH}",
-        "TELEGRAM_SESSION_STRING": "${TELEGRAM_SESSION_STRING}"
-      },
-      "comment": "C1 marketing-tooling #80 — Telegram MCP (chigwell/telegram-mcp, Apache-2.0, GitHub-only — не npm). Работа с Telegram-каналами и чатами Лидерры: публикация, планирование, аналитика. Env: TELEGRAM_API_ID + TELEGRAM_API_HASH (получить на https://my.telegram.org/apps) + TELEGRAM_SESSION_STRING (генерируется один раз через GramJS/Telethon, хранить в .env.local gitignored). ОБЯЗАТЕЛЬНО: выделенный Telegram-аккаунт для Лидерры, не личный (IS9-постура MKT8). Tooling §4.51. docs/marketing/README.md."
-    },
+    "_disabled_marketing_servers_note": "ОТКЛЮЧЕНЫ 2026-05-31 (владелец: «отрежь маркетинг»). Причина: их авто-генерируемые схемы (особенно wordstat — 128 tools из Яндекс.Директа) — главный подозреваемый в API 400 tools.110/113, ронявшем субагентов при bulk-load всех инструментов (subagent-driven-development). Серверы off-phase и без OAuth-токенов всё равно не стартовали. Полный конфиг — в git до этого коммита. Чтобы вернуть, восстановить три блока mcpServers: marketing-metrika (npx -y github:atomkraft/yandex-metrika-mcp; env YANDEX_OAUTH_TOKEN; READ-ONLY; Tooling §4.53), marketing-wordstat (npx -y github:SvechaPVL/yandex-mcp; env YANDEX_OAUTH_TOKEN; ТОЛЬКО Wordstat per IS9/MKT8; Tooling §4.54), marketing-telegram (npx -y github:chigwell/telegram-mcp; env TELEGRAM_API_ID/API_HASH/SESSION_STRING; выделенный аккаунт IS9; Tooling §4.51). См. docs/security/marketing-vet.md и docs/marketing/README.md.",
    "_comment_postiz_skeleton": "TODO: C1 marketing-tooling #81 — Postiz MCP (gitroomhq/postiz-app self-host + antoniolg/postiz-mcp). Активировать ПОСЛЕ: 1) развернуть Postiz self-hosted (git clone https://github.com/gitroomhq/postiz-app + docker-compose, AGPL-3.0: internal-only, no modifications); 2) провести vet лицензии antoniolg/postiz-mcp (NOT YET VERIFIED — см. docs/marketing/README.md Open vet notes); 3) подключить соцсети в Postiz UI. Будущий entry: \"marketing-postiz\": { \"command\": \"npx\", \"args\": [\"-y\", \"postiz-mcp\"], \"env\": { \"POSTIZ_API_URL\": \"${POSTIZ_API_URL}\", \"POSTIZ_API_KEY\": \"${POSTIZ_API_KEY}\" }, \"comment\": \"C1 #81 post-activation\" }. Tooling §4.52. docs/marketing/README.md."
  }
 }
@@ -0,0 +1,225 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Console\Commands;
+
+use App\Services\Audit\AuditChainConfig;
+use Illuminate\Console\Command;
+use Illuminate\Support\Facades\DB;
+
+/**
+ * Пересчитывает hash-цепь в указанной партиции аудит-таблицы начиная с заданного id.
+ *
+ * ADR-018: воспроизводит per-tenant scope триггера audit_chain_hash() (через RLS).
+ * Для tenant-таблиц (activity_log/balance_transactions/tenant_operations_log/
+ * pd_processing_log) — отдельная цепочка на каждый tenant. Для BYPASSRLS-таблиц
+ * (auth_log/saas_admin_audit_log) — единая цепочка в пределах партиции.
+ *
+ * Алгоритм (Вариант B — PHP-iteration с partition awareness):
+ *   1. SET session_replication_role = replica отключает BEFORE-триггеры.
+ *   2. Determine partition_clause из AuditChainConfig::TABLES[parent_table].
+ *   3. Для per-tenant таблиц: получить distinct tenant_ids в range, для каждого:
+ *        - prev_hash = log_hash of last row with id<from-id AND tenant_id=X
+ *        - iterate rows ordered by id, UPDATE + propagate prev_hash forward
+ *      Для BYPASSRLS-таблиц: одна iteration без tenant scope.
+ *   4. Возвращаем session_replication_role = origin.
+ *
+ * NB: row-by-row PHP loop сохранён намеренно (вариант с одиночным CTE и
+ * LAG страдает snapshot-isolation bug — downstream rows используют OLD stored
+ * prev_hash вместо новых хешей текущего UPDATE'а; chain ломается через >1 row).
+ *
+ * Ref: docs/adr/ADR-018-audit-chain-per-tenant-semantics.md
+ *      docs/superpowers/plans/2026-05-29-audit-rebuild-per-tenant-fix.md
+ */
+final class AuditRebuildChain extends Command
+{
+    protected $signature = 'audit:rebuild-chain
+        {--partition= : Имя партиции, например activity_log_y2026_m05}
+        {--from-id= : ID с которого начать пересчёт (включительно)}
+        {--dry-run : Показать сколько строк затронет, без UPDATE}
+        {--force : Пропустить интерактивное подтверждение (для CI/тестов)}';
+
+    protected $description = 'Пересчитать hash-цепь партиции аудит-таблицы (per-tenant per ADR-018)';
+
+    public function handle(): int
+    {
+        $partition = (string) $this->option('partition');
+        $fromId = (int) $this->option('from-id');
+        $dryRun = (bool) $this->option('dry-run');
+        $force = (bool) $this->option('force');
+
+        if ($partition === '' || $fromId <= 0) {
+            $this->error('--partition и --from-id обязательны');
+
+            return self::FAILURE;
+        }
+
+        $parentTable = (string) preg_replace('/_y\d{4}_m\d{2}$/', '', $partition);
+
+        if (! array_key_exists($parentTable, AuditChainConfig::TABLES)) {
+            $this->error("Partition '{$partition}' не относится к поддерживаемым аудит-таблицам.");
+            $this->line('Поддерживаемые: '.implode(', ', array_keys(AuditChainConfig::TABLES)));
+
+            return self::FAILURE;
+        }
+
+        $partitionClause = AuditChainConfig::TABLES[$parentTable]['partition'];
+        $rowExpr = AuditChainConfig::rowExpression($parentTable);
+
+        $count = DB::connection('pgsql_supplier')
+            ->table($partition)
+            ->where('id', '>=', $fromId)
+            ->count();
+
+        $scopeLabel = $partitionClause !== '' ? $partitionClause : 'global (within partition)';
+
+        $this->info("Партиция : {$partition}");
+        $this->info("Родитель : {$parentTable}");
+        $this->info("Scope    : {$scopeLabel}");
+        $this->info("От id    : {$fromId}");
+        $this->info("Строк    : {$count}");
+
+        if ($count === 0) {
+            $this->warn('Нет строк с id >= '.$fromId.'. Пересчёт не нужен.');
+
+            return self::SUCCESS;
+        }
+
+        if ($dryRun) {
+            $this->warn('--dry-run: UPDATE не выполнен.');
+
+            return self::SUCCESS;
+        }
+
+        if (! $force && ! $this->confirm(
+            "Пересчитать log_hash для {$count} строк в {$partition} (scope: {$scopeLabel})? Это изменит данные в проде.",
+            false,
+        )) {
+            $this->warn('Отменено.');
+
+            return self::FAILURE;
+        }
+
+        // Disable BEFORE triggers (audit_block_mutation blocks UPDATE).
+        // Use session-level SET so it works even inside a wrapping transaction
+        // (e.g. DatabaseTransactions in tests). Reset in finally.
+        DB::connection('pgsql_supplier')->statement("SET session_replication_role = 'replica'");
+
+        try {
+            $totalUpdated = 0;
+
+            if ($partitionClause === 'PARTITION BY tenant_id') {
+                // Per-tenant rebuild — separate scope iteration per tenant.
+                $tenantIds = DB::connection('pgsql_supplier')
+                    ->table($partition)
+                    ->where('id', '>=', $fromId)
+                    ->distinct()
+                    ->pluck('tenant_id')
+                    ->all();
+
+                foreach ($tenantIds as $tenantId) {
+                    $totalUpdated += $this->rebuildScope(
+                        $partition,
+                        $rowExpr,
+                        $fromId,
+                        'tenant_id',
+                        (int) $tenantId,
+                    );
+                }
+            } else {
+                // BYPASSRLS-таблицы (auth_log, saas_admin_audit_log) — global scope.
+                $totalUpdated = $this->rebuildScope($partition, $rowExpr, $fromId, null, null);
+            }
+
+            $this->info("Обновлено {$totalUpdated} строк в {$partition}.");
+        } finally {
+            DB::connection('pgsql_supplier')->statement("SET session_replication_role = 'origin'");
+        }
+
+        $this->info('Готово. Запустите audit:verify-chains для проверки целостности.');
+
+        return self::SUCCESS;
+    }
+
+    /**
+     * Пересчитывает chain для одного scope (tenant или global).
+     *
+     * Iterative PHP loop: prev_hash propagate'ится forward через каждый row,
+     * UPDATE применяется immediately чтобы snapshot для следующей iteration
+     * был свежий (default PG READ COMMITTED — own writes visible immediately).
+     *
+     * @param  string|null  $tenantColumn  'tenant_id' для per-tenant scope, null для global
+     * @param  int|null  $tenantValue  значение tenant_id для этого scope (если применимо)
+     */
+    private function rebuildScope(
+        string $partition,
+        string $rowExpr,
+        int $fromId,
+        ?string $tenantColumn,
+        ?int $tenantValue,
+    ): int {
+        // Find prev_hash (last row before fromId within scope).
+        $prevQuery = DB::connection('pgsql_supplier')
+            ->table($partition)
+            ->where('id', '<', $fromId);
+        if ($tenantColumn !== null) {
+            $prevQuery->where($tenantColumn, $tenantValue);
+        }
+        $prevHashRow = $prevQuery->orderByDesc('id')->first(['log_hash']);
+        $prevHashHex = $this->bytesToHex($prevHashRow?->log_hash);
+
+        // Get rows to rebuild ordered by id.
+        $rowsQuery = DB::connection('pgsql_supplier')
+            ->table($partition)
+            ->where('id', '>=', $fromId);
+        if ($tenantColumn !== null) {
+            $rowsQuery->where($tenantColumn, $tenantValue);
+        }
+        $rows = $rowsQuery->orderBy('id')->get(['id']);
+
+        $updated = 0;
+        foreach ($rows as $row) {
+            $prevHashExpr = $prevHashHex !== null
+                ? "'{$prevHashHex}'::bytea"
+                : "''::bytea";
+
+            $sql = "
+                UPDATE {$partition}
+                SET log_hash = (
+                    SELECT digest(
+                        COALESCE({$prevHashExpr}, ''::bytea)
+                        || (SELECT {$rowExpr}::text::bytea FROM {$partition} t WHERE t.id = ?)
+                        , 'sha256'
+                    )
+                )
+                WHERE id = ?
+                RETURNING log_hash
+            ";
+
+            $result = DB::connection('pgsql_supplier')->selectOne($sql, [$row->id, $row->id]);
+            $updated++;
+
+            $prevHashHex = $this->bytesToHex($result?->log_hash);
+        }
+
+        return $updated;
+    }
+
+    /**
+     * Convert a BYTEA value (PHP resource or string) to hex literal for SQL.
+     * PostgreSQL PDO driver returns BYTEA as a PHP stream resource.
+     */
+    private function bytesToHex(mixed $value): ?string
+    {
+        if ($value === null) {
+            return null;
+        }
+        $bin = is_resource($value) ? stream_get_contents($value) : (string) $value;
+        if ($bin === '' || $bin === false) {
+            return null;
+        }
+
+        return '\\x'.bin2hex($bin);
+    }
+}
@@ -0,0 +1,33 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Console\Commands;
+
+use App\Jobs\Billing\BalanceFrozenReminderJob;
+use Illuminate\Console\Command;
+
+/**
+ * Daily: повторные письма заморозки баланса.
+ *   • reminder в окне 24-48ч после freeze;
+ *   • final в окне 72-96ч после freeze.
+ *
+ * Запускается @18:30 MSK (routes/console.php), после основного preflight-sweep @18:00.
+ * Throttle живёт в BalanceFrozenReminderJob через balance_freeze_log markers.
+ */
+final class BillingFrozenReminderCommand extends Command
+{
+    /** @var string */
+    protected $signature = 'billing:frozen-reminder';
+
+    /** @var string */
+    protected $description = 'Повторные письма заморозки баланса (reminder +1д, final +3д)';
+
+    public function handle(): int
+    {
+        (new BalanceFrozenReminderJob)->handle();
+        $this->info('Повторные письма заморозки разосланы (если есть кандидаты в окнах).');
+
+        return self::SUCCESS;
+    }
+}
@@ -0,0 +1,37 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Console\Commands;
+
+use App\Jobs\Billing\BalancePreflightSweepJob;
+use Illuminate\Console\Command;
+
+/**
+ * One-time: при выкатке преfflight прогнать всех тенантов и заморозить
+ * недофинансированных. Запускается ОДИН раз вручную после миграции.
+ *
+ * См. спек §3.9: «Клиент уже в минусовом балансе на момент запуска
+ * преfflight (legacy состояние) — одноразовая artisan-команда».
+ *
+ * Идемпотентна: повторный запуск не пере-замораживает уже замороженных
+ * (логика sweep-джоба — переход active→frozen / frozen→active, стабильное
+ * состояние не трогается).
+ */
+final class BillingPreflightInitialSweepCommand extends Command
+{
+    /** @var string */
+    protected $signature = 'billing:preflight-initial-sweep';
+
+    /** @var string */
+    protected $description = 'Разовый преfflight при внедрении — заморозить недофинансированных тенантов';
+
+    public function handle(): int
+    {
+        $this->warn('Разовый преfflight всех тенантов. Запускать ОДИН раз после выкатки Spec C.');
+        (new BalancePreflightSweepJob)->handle();
+        $this->info('Initial sweep завершён.');
+
+        return self::SUCCESS;
+    }
+}
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Console\Commands;
+
+use App\Jobs\Billing\BalancePreflightSweepJob;
+use Illuminate\Console\Command;
+
+final class BillingPreflightSweepCommand extends Command
+{
+    protected $signature = 'billing:preflight-sweep';
+
+    protected $description = 'Ежедневный преfflight баланса — заморозка/разморозка тенантов (cut-off 18:00 MSK)';
+
+    public function handle(): int
+    {
+        (new BalancePreflightSweepJob)->handle();
+        $this->info('Преfflight sweep завершён.');
+
+        return self::SUCCESS;
+    }
+}
@@ -27,12 +27,13 @@ class IncidentsWatchFailures extends Command
    private const DB_CONNECTION = 'pgsql_supplier';

    protected $signature = 'incidents:watch-failures
-        {--window=10           : Окно сканирования в минутах}
-        {--threshold=200       : Порог спайка для failed_webhook_jobs}
-        {--threshold-spike=10  : Порог спайка для failed_jobs (за окно)}
-        {--threshold-daily=50  : Порог суммы за 24ч для failed_jobs}
-        {--persistent-hours=3  : Порог возраста persistent-exception для failed_jobs}
-        {--dedup-window=60     : Окно дедупа открытых инцидентов в минутах}';
+        {--window=10                  : Окно сканирования в минутах}
+        {--threshold=200              : Порог спайка для failed_webhook_jobs}
+        {--threshold-spike=10         : Порог спайка для failed_jobs (за окно)}
+        {--threshold-daily=50         : Порог суммы за 24ч для failed_jobs}
+        {--persistent-hours=3         : Порог возраста persistent-exception для failed_jobs}
+        {--dedup-window=60            : Окно дедупа открытых инцидентов в минутах}
+        {--threshold-single-lead=1000 : Порог storm detection: failures одного supplier_lead_id за окно}';

    protected $description = 'Сканирует failed_webhook_jobs и failed_jobs, создаёт incidents_log на превышение порогов';

@@ -45,6 +46,8 @@ class IncidentsWatchFailures extends Command
        $persistentHours = (int) $this->option('persistent-hours');
        $dedupMinutes = (int) $this->option('dedup-window');

+        $thresholdSingleLead = (int) $this->option('threshold-single-lead');
+
        $since = Carbon::now()->subMinutes($windowMinutes);
        $since24h = Carbon::now()->subHours(24);
        $dedupAt = Carbon::now()->subMinutes($dedupMinutes);
@@ -185,6 +188,39 @@ class IncidentsWatchFailures extends Command
            $this->info("Job persistent [medium]: {$jobClass}");
        }

+        // ===== БЛОК 5: single-lead storm detection =====
+        // Detects случай когда один supplier_lead_id генерирует >= threshold
+        // failures за окно — классический шторм от застрявшего лида (Finding 2,
+        // 2026-05-29). Создаём severity=high инцидент per lead_id.
+        if ($thresholdSingleLead > 0) {
+            $stormLeads = DB::connection(self::DB_CONNECTION)
+                ->table('failed_webhook_jobs')
+                ->selectRaw("raw_payload->>'supplier_lead_id' AS lead_id, COUNT(*) AS cnt")
+                ->whereNull('resolved_at')
+                ->where('failed_at', '>=', $since)
+                ->whereRaw("raw_payload ?? 'supplier_lead_id'")
+                ->groupByRaw("raw_payload->>'supplier_lead_id'")
+                ->havingRaw('COUNT(*) >= ?', [$thresholdSingleLead])
+                ->get();
+
+            foreach ($stormLeads as $row) {
+                $leadId = $row->lead_id;
+                $cnt = (int) $row->cnt;
+                $dedupKey = "single-lead-storm:{$leadId}";
+
+                if ($this->isDup($dedupKey, $dedupAt)) {
+                    $this->line("Skipping single-lead-storm (dedup): {$dedupKey}");
+
+                    continue;
+                }
+
+                $summary = "Автоматически: single-lead-storm {$cnt} failures supplier_lead_id={$leadId} за {$windowMinutes} мин. Вероятная причина: terminal error без fast-fail guard.";
+                $this->createIncident($adminId, 'other', 'high', $summary, $since, $now, $dedupKey);
+                $created++;
+                $this->info("Single-lead storm [high]: lead_id={$leadId} — {$cnt}");
+            }
+        }
+
        $this->info("Done. Created {$created} incident(s).");

        return self::SUCCESS;
@@ -0,0 +1,61 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Console\Commands;
+
+use Carbon\Carbon;
+use Illuminate\Console\Command;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Log;
+
+/**
+ * Создаёт project_routing_snapshots за указанную дату из текущего live-состояния.
+ * Используется один раз при выкатке Этапа 2 + для ручного recovery после падения cron'а.
+ *
+ * Spec §4.2.6.
+ */
+final class SnapshotBackfillCommand extends Command
+{
+    protected $signature = 'snapshot:backfill {--date= : YYYY-MM-DD, по умолчанию сегодня}';
+
+    protected $description = 'Заполнить project_routing_snapshots за указанную дату из live projects';
+
+    public function handle(): int
+    {
+        $dateStr = (string) ($this->option('date') ?? Carbon::today('Europe/Moscow')->toDateString());
+        $date = Carbon::parse($dateStr, 'Europe/Moscow');
+        $weekdayBit = 1 << ($date->isoWeekday() - 1);
+
+        $count = DB::connection('pgsql_supplier')->transaction(function () use ($dateStr, $weekdayBit) {
+            return DB::connection('pgsql_supplier')->insert(<<<SQL
+                INSERT INTO project_routing_snapshots (
+                    snapshot_date, project_id, tenant_id,
+                    daily_limit, delivery_days_mask, regions,
+                    signal_type, signal_identifier, sms_senders, sms_keyword,
+                    expected_volume
+                )
+                SELECT
+                    ?::date,
+                    p.id, p.tenant_id,
+                    COALESCE(p.effective_daily_limit_today, p.daily_limit_target),
+                    p.delivery_days_mask, p.regions,
+                    p.signal_type, p.signal_identifier, p.sms_senders, p.sms_keyword,
+                    COALESCE(p.effective_daily_limit_today, p.daily_limit_target)
+                FROM projects p
+                INNER JOIN tenants t ON t.id = p.tenant_id
+                WHERE p.is_active = true
+                  AND (p.delivery_days_mask & ?::int) <> 0
+                  AND p.preflight_blocked_at IS NULL
+                  AND t.frozen_by_balance_at IS NULL
+                  AND t.deleted_at IS NULL
+                ON CONFLICT (snapshot_date, project_id) DO NOTHING
+            SQL, [$dateStr, $weekdayBit]);
+        });
+
+        $this->info("Snapshot backfilled for {$dateStr}: {$count} rows.");
+        Log::info('snapshot.backfill', ['date' => $dateStr, 'rows' => $count]);
+
+        return self::SUCCESS;
+    }
+}
@@ -0,0 +1,82 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Console\Commands;
+
+use Carbon\Carbon;
+use Illuminate\Console\Command;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Log;
+
+/**
+ * Перестраивает project_routing_snapshots за указанную дату из текущего
+ * live-состояния, ПЕРЕЗАПИСЫВАЯ существующий snapshot.
+ *
+ * В отличие от `snapshot:backfill` (идемпотентный — ON CONFLICT DO NOTHING),
+ * `snapshot:rebuild` всегда сначала DELETE'ит существующий snapshot за дату,
+ * затем создаёт новый. Используется для manual recovery после падения
+ * `SnapshotProjectRoutingJob` cron'а с уже частично записанным snapshot'ом
+ * (см. Task 2.10, Spec §4.2.6 fail-loud strategy).
+ *
+ * Fail-loud strategy:
+ *   1. Heartbeat alarm via SchedulerHeartbeatTracker (Task 2.4).
+ *   2. LeadRouter Log::error on missing snapshot (Task 2.5).
+ *   3. Manual recovery: `php artisan snapshot:rebuild --date=YYYY-MM-DD`.
+ *
+ * NO fallback to live projects — explicit downtime + alert is safer
+ * than silent regression.
+ */
+final class SnapshotRebuildCommand extends Command
+{
+    protected $signature = 'snapshot:rebuild {--date= : YYYY-MM-DD, по умолчанию сегодня}';
+
+    protected $description = 'Перестроить project_routing_snapshots за указанную дату (DELETE+INSERT, для recovery)';
+
+    public function handle(): int
+    {
+        $dateStr = (string) ($this->option('date') ?? Carbon::today('Europe/Moscow')->toDateString());
+        $date = Carbon::parse($dateStr, 'Europe/Moscow');
+        $weekdayBit = 1 << ($date->isoWeekday() - 1);
+
+        // NB: НЕ оборачиваем в ->transaction() — это recovery-команда, half-done state
+        // допустим (retry восстанавливает; на проде admin контроль). Wrapper конфликтует
+        // с tests SharesSupplierPdo (shared PDO + nested transaction levels).
+        $deleted = DB::connection('pgsql_supplier')
+            ->table('project_routing_snapshots')
+            ->where('snapshot_date', $dateStr)
+            ->delete();
+
+        $inserted = DB::connection('pgsql_supplier')->insert(<<<SQL
+            INSERT INTO project_routing_snapshots (
+                snapshot_date, project_id, tenant_id,
+                daily_limit, delivery_days_mask, regions,
+                signal_type, signal_identifier, sms_senders, sms_keyword,
+                expected_volume
+            )
+            SELECT
+                ?::date,
+                p.id, p.tenant_id,
+                COALESCE(p.effective_daily_limit_today, p.daily_limit_target),
+                p.delivery_days_mask, p.regions,
+                p.signal_type, p.signal_identifier, p.sms_senders, p.sms_keyword,
+                COALESCE(p.effective_daily_limit_today, p.daily_limit_target)
+            FROM projects p
+            INNER JOIN tenants t ON t.id = p.tenant_id
+            WHERE p.is_active = true
+              AND (p.delivery_days_mask & ?::int) <> 0
+              AND p.preflight_blocked_at IS NULL
+              AND t.frozen_by_balance_at IS NULL
+              AND t.deleted_at IS NULL
+        SQL, [$dateStr, $weekdayBit]);
+
+        $this->info("Snapshot rebuilt for {$dateStr}: deleted={$deleted}, inserted={$inserted}.");
+        Log::warning('snapshot.rebuild', [
+            'date' => $dateStr,
+            'deleted' => $deleted,
+            'inserted' => $inserted,
+        ]);
+
+        return self::SUCCESS;
+    }
+}
@@ -0,0 +1,128 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Console\Commands;
+
+use App\Jobs\Supplier\DeleteSupplierProjectJob;
+use Illuminate\Console\Command;
+use Illuminate\Support\Facades\DB;
+
+/**
+ * One-time migration: clean up orphan supplier_projects rows created by the
+ * now-removed buildUniqueKey($p, $platform) divergence for SMS+keyword projects.
+ *
+ * Before R-17 unification (Stage 4 §4.4.1) SMS+keyword projects had two diverging
+ * supplier_projects keys per group:
+ *   B2: unique_key = sender+keyword
+ *   B3: unique_key = sender (without keyword) — ORPHAN after unification
+ *
+ * This command finds orphan B3 rows (sms, no '+' in unique_key, owning project has
+ * sms_keyword) and either UPDATEs them to sender+keyword (no sibling) or marks them
+ * for deletion via DeleteSupplierProjectJob (sibling at sender+keyword already exists).
+ *
+ * Usage:
+ *   php artisan supplier:rekey-orphans --dry-run   # preview
+ *   php artisan supplier:rekey-orphans             # apply
+ *
+ * Spec §4.4.1.
+ */
+final class SupplierRekeyOrphansCommand extends Command
+{
+    protected $signature = 'supplier:rekey-orphans {--dry-run : Preview without modifying anything}';
+
+    protected $description = 'One-time R-17 cleanup of orphan SMS supplier_projects keyed under sender alone';
+
+    public function handle(): int
+    {
+        $dryRun = (bool) $this->option('dry-run');
+
+        // Find candidate orphans: sms supplier_projects whose unique_key has no '+'
+        // and whose tenant has an SMS project with sms_keyword set matching this sender.
+        $orphans = DB::connection('pgsql_supplier')
+            ->table('supplier_projects as sp')
+            ->join('project_supplier_links as psl', 'psl.supplier_project_id', '=', 'sp.id')
+            ->join('projects as p', 'p.id', '=', 'psl.project_id')
+            ->where('sp.signal_type', 'sms')
+            ->where('sp.unique_key', 'NOT LIKE', '%+%')
+            ->whereNotNull('p.sms_keyword')
+            ->where('p.sms_keyword', '!=', '')
+            ->select([
+                'sp.id as sp_id',
+                'sp.unique_key as sender',
+                'sp.platform',
+                'p.tenant_id',
+                'p.sms_keyword as keyword',
+            ])
+            ->get();
+
+        if ($orphans->isEmpty()) {
+            $this->info('No orphan SMS supplier_projects found. Nothing to migrate.');
+
+            return self::SUCCESS;
+        }
+
+        $this->info(sprintf('Found %d orphan SMS supplier_projects row(s).', $orphans->count()));
+
+        $updated = 0;
+        $dispatched = 0;
+        $toDelete = [];
+
+        foreach ($orphans as $o) {
+            $sender = (string) $o->sender;
+            $keyword = (string) $o->keyword;
+            $newKey = $sender.'+'.$keyword;
+
+            // Sibling check: another supplier_project for same tenant/keyword combo already
+            // exists at the unified key? Look across pivot to the same tenant scope.
+            $siblingExists = DB::connection('pgsql_supplier')
+                ->table('supplier_projects as sp2')
+                ->join('project_supplier_links as psl2', 'psl2.supplier_project_id', '=', 'sp2.id')
+                ->join('projects as p2', 'p2.id', '=', 'psl2.project_id')
+                ->where('sp2.signal_type', 'sms')
+                ->where('sp2.unique_key', $newKey)
+                ->where('p2.tenant_id', $o->tenant_id)
+                ->where('sp2.id', '!=', $o->sp_id)
+                ->exists();
+
+            if ($siblingExists) {
+                $toDelete[] = (int) $o->sp_id;
+                $this->line(sprintf(
+                    '  orphan #%d (%s sender=%s) → DELETE (sibling at %s exists for tenant %d)',
+                    $o->sp_id, $o->platform, $sender, $newKey, $o->tenant_id
+                ));
+
+                continue;
+            }
+
+            $this->line(sprintf(
+                '  orphan #%d (%s sender=%s) → UPDATE unique_key=%s',
+                $o->sp_id, $o->platform, $sender, $newKey
+            ));
+
+            if (! $dryRun) {
+                DB::connection('pgsql_supplier')
+                    ->table('supplier_projects')
+                    ->where('id', $o->sp_id)
+                    ->update(['unique_key' => $newKey, 'updated_at' => now()]);
+                $updated++;
+            }
+        }
+
+        if (! $dryRun && $toDelete !== []) {
+            DeleteSupplierProjectJob::dispatch($toDelete);
+            $dispatched = count($toDelete);
+        }
+
+        if ($dryRun) {
+            $this->warn('--dry-run: no changes made.');
+        } else {
+            $this->info(sprintf(
+                'Migration complete: %d row(s) updated, %d row(s) queued for deletion.',
+                $updated, $dispatched
+            ));
+        }
+
+        return self::SUCCESS;
+    }
+}
@@ -5,6 +5,7 @@ declare(strict_types=1);
 namespace App\Console\Commands;

 use App\Mail\AuditChainBreachMail;
+use App\Services\Audit\AuditChainConfig;
 use Illuminate\Console\Command;
 use Illuminate\Support\Carbon;
 use Illuminate\Support\Facades\DB;
@@ -83,166 +84,12 @@ class VerifyAuditChains extends Command

    protected $description = 'Проверяет целостность SHA-256 hash-chain в 6 audit-таблицах (per-partition)';

-    /**
-     * Конфигурация таблиц: имя таблицы → [columns, partition_clause].
-     *
-     * columns: список столбцов строго в порядке ordinal_position из db/schema.sql.
-     *   Специальное значение '__log_hash__' — маркер позиции log_hash → NULL::bytea.
-     *
-     * partition_clause: SQL-фрагмент для OVER (PARTITION BY … ORDER BY id),
-     *   воспроизводящий RLS-scope триггера внутри одной партиции.
-     *   Пустая строка = глобальная цепочка внутри партиции.
-     *
-     * @var array<string, array{columns: list<string>, partition: string}>
-     */
-    private const TABLE_CONFIG = [
-        // auth_log:
-        //   RLS: actor_type='tenant_user' AND tenant_id = current_setting(...)
-        //   Tenant-сессия видит только (actor_type='tenant_user', tenant_id=N).
-        //   saas_admin-сессия BYPASSRLS — видит всё.
-        //   Partition (actor_type, tenant_id) воспроизводит оба случая:
-        //   каждая пара образует независимую цепочку.
-        'auth_log' => [
-            'columns' => [
-                'id',
-                'actor_type',
-                'tenant_id',
-                'user_id',
-                'saas_admin_user_id',
-                'email',
-                'event',
-                'ip_address',
-                'user_agent',
-                'failure_reason',
-                '__log_hash__',   // log_hash → NULL::bytea
-                'created_at',
-            ],
-            // global chain: auth_log пишется при ЛОГИНЕ под BYPASSRLS-роль
-            // (tenant ещё не установлен — пользователь не аутентифицирован),
-            // поэтому триггерный prev-SELECT видит ВСЕ строки → цепочка глобальная
-            // внутри данной партиции (эмпирически подтверждено прод-smoke).
-            'partition' => '',
-        ],
-
-        // activity_log:
-        //   RLS: tenant_id = current_setting(...) — простая tenant-изоляция.
-        //   Partition: tenant_id.
-        'activity_log' => [
-            'columns' => [
-                'id',
-                'tenant_id',
-                'user_id',
-                'deal_id',
-                'event',
-                'old_value',
-                'new_value',
-                'context',
-                'ip_address',
-                'user_agent',
-                '__log_hash__',   // log_hash → NULL::bytea
-                'created_at',
-            ],
-            'partition' => 'PARTITION BY tenant_id',
-        ],
-
-        // tenant_operations_log:
-        //   RLS: tenant_id = current_setting(...) — простая tenant-изоляция.
-        //   Partition: tenant_id.
-        'tenant_operations_log' => [
-            'columns' => [
-                'id',
-                'tenant_id',
-                'user_id',
-                'entity_type',
-                'entity_id',
-                'event',
-                'payload_before',
-                'payload_after',
-                'ip_address',
-                'user_agent',
-                '__log_hash__',   // log_hash → NULL::bytea
-                'created_at',
-            ],
-            'partition' => 'PARTITION BY tenant_id',
-        ],
-
-        // balance_transactions:
-        //   RLS: tenant_id = current_setting(...) — простая tenant-изоляция.
-        //   Partition: tenant_id.
-        'balance_transactions' => [
-            'columns' => [
-                'id',
-                'tenant_id',
-                'type',
-                'amount_rub',
-                'amount_leads',
-                'balance_rub_after',
-                'balance_leads_after',
-                'description',
-                'related_type',
-                'related_id',
-                'user_id',
-                'admin_user_id',
-                '__log_hash__',   // log_hash → NULL::bytea
-                'created_at',
-            ],
-            'partition' => 'PARTITION BY tenant_id',
-        ],
-
-        // pd_processing_log:
-        //   RLS: tenant_id = current_setting(...) — простая tenant-изоляция.
-        //   Partition: tenant_id.
-        'pd_processing_log' => [
-            'columns' => [
-                'id',
-                'tenant_id',
-                'subject_type',
-                'subject_id',
-                'action',
-                'purpose',
-                'actor_tenant_user_id',
-                'actor_admin_user_id',
-                'ip_address',
-                '__log_hash__',   // log_hash → NULL::bytea
-                'created_at',
-            ],
-            'partition' => 'PARTITION BY tenant_id',
-        ],
-
-        // saas_admin_audit_log:
-        //   Нет RLS-политики для tenant-ролей (REVOKE ALL FROM crm_app_user).
-        //   Вставляет только crm_admin_user (BYPASSRLS) — триггер's SELECT
-        //   видит ВСЕ строки партиции → цепочка глобальная внутри партиции.
-        //   Partition: нет (пустая строка = ORDER BY id без PARTITION BY).
-        'saas_admin_audit_log' => [
-            'columns' => [
-                'id',
-                'admin_user_id',
-                'action',
-                'target_type',
-                'target_id',
-                'target_tenant_id',
-                'payload_before',
-                'payload_after',
-                'reason',
-                'ip_address',
-                'user_agent',
-                'requires_approval',
-                'approved_by',
-                'approved_at',
-                '__log_hash__',   // log_hash → NULL::bytea
-                'created_at',
-            ],
-            'partition' => '',  // global chain within partition — inserting role is BYPASSRLS
-        ],
-    ];
-
    public function handle(): int
    {
        $anyBreach = false;
        $now = Carbon::now();

-        foreach (self::TABLE_CONFIG as $table => $config) {
+        foreach (AuditChainConfig::TABLES as $table => $config) {
            // Get all partitions for this table via pg_inherits.
            $partitions = $this->listPartitions($table);

@@ -252,7 +99,7 @@ class VerifyAuditChains extends Command
            }

            foreach ($partitions as $partitionName) {
-                $breaches = $this->checkPartition($partitionName, $config['columns'], $config['partition']);
+                $breaches = $this->checkPartition($partitionName, $table, $config['partition']);

                if (empty($breaches)) {
                    $this->line("  ✓ {$partitionName}: chain intact");
@@ -321,12 +168,11 @@ class VerifyAuditChains extends Command
     *      где ROW(...) имеет NULL::bytea на позиции log_hash.
     *   4. Возвращает строки, где stored IS DISTINCT FROM recomputed.
     *
-     * @param  list<string>  $columns
     * @return list<object>
     */
-    private function checkPartition(string $partitionName, array $columns, string $partition): array
+    private function checkPartition(string $partitionName, string $table, string $partition): array
    {
-        $rowExpr = $this->buildRowExpression($columns);
+        $rowExpr = AuditChainConfig::rowExpression($table);

        // Build OVER clause: with or without PARTITION BY depending on table's RLS scope.
        $overClause = $partition !== ''
@@ -366,25 +212,6 @@ class VerifyAuditChains extends Command
        return $results;
    }

-    /**
-     * Строит SQL-выражение ROW(col1, col2, ..., NULL::bytea, ..., coln)
-     * с NULL::bytea на месте log_hash.
-     *
-     * Пример для auth_log:
-     *   ROW(t.id, t.actor_type, t.tenant_id, ..., NULL::bytea, t.created_at)
-     *
-     * @param  list<string>  $columns
-     */
-    private function buildRowExpression(array $columns): string
-    {
-        $parts = [];
-        foreach ($columns as $col) {
-            $parts[] = ($col === '__log_hash__') ? 'NULL::bytea' : "t.{$col}";
-        }
-
-        return 'ROW('.implode(', ', $parts).')';
-    }
-
    /**
     * Вставляет запись в incidents_log (через pgsql_supplier BYPASSRLS).
     * Дедупликация: не создаёт повторный инцидент для той же таблицы,
@@ -6,11 +6,14 @@ namespace App\Http\Controllers\Api;

 use App\Http\Controllers\Controller;
 use App\Models\BalanceTransaction;
+use App\Models\PricingTier;
+use App\Models\Project;
 use App\Models\Tenant;
 use App\Models\User;
 use App\Repositories\PricingTierRepository;
 use App\Services\Billing\BalanceToLeadsConverter;
 use App\Services\Billing\BillingTopupService;
+use Illuminate\Database\Eloquent\Collection;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Carbon;
@@ -111,6 +114,101 @@ class BillingController extends Controller
        ]);
    }

+    /**
+     * GET /api/billing/balance-status — лёгкий статус баланса для UI префлайта
+     * (Billing v2 Spec C §3.6). Питает глобальный баннер заморозки
+     * (BalanceFrozenBanner: frozen_by_balance_at + дефицит) и индикатор ёмкости
+     * (BalanceCapacityIndicator: balance / capacity / required). Грузится в
+     * AppLayout на всех страницах, поэтому без tiers_preview и истории.
+     */
+    public function balanceStatus(Request $request): JsonResponse
+    {
+        /** @var User $user */
+        $user = $request->user();
+        /** @var Tenant $tenant */
+        $tenant = Tenant::query()->findOrFail((int) $user->tenant_id);
+
+        $activeTiers = app(PricingTierRepository::class)->activeAt(Carbon::now('Europe/Moscow'));
+        $deliveredInMonth = (int) ($tenant->delivered_in_month ?? 0);
+
+        $capacityLeads = (int) app(BalanceToLeadsConverter::class)->convert(
+            (string) $tenant->balance_rub,
+            $deliveredInMonth,
+            $activeTiers,
+        )['leads'];
+
+        // Требуемые лиды/день — сумма лимитов активных не-заблокированных проектов
+        // (та же выборка, что в ProjectController preflight).
+        $requiredLeads = (int) Project::query()
+            ->where('tenant_id', $tenant->id)
+            ->where('is_active', true)
+            ->whereNull('preflight_blocked_at')
+            ->sum('daily_limit_target');
+
+        $deficitLeads = max(0, $requiredLeads - $capacityLeads);
+        $deficitRub = '0.00';
+        if ($deficitLeads > 0) {
+            $needed = $this->minBalanceForLeads($requiredLeads, $deliveredInMonth, $activeTiers);
+            $deficitRub = bcsub($needed, (string) $tenant->balance_rub, 2);
+            if (bccomp($deficitRub, '0', 2) < 0) {
+                $deficitRub = '0.00';
+            }
+        }
+
+        return response()->json([
+            'frozen_by_balance_at' => $tenant->frozen_by_balance_at?->toISOString(),
+            'balance_rub' => (string) $tenant->balance_rub,
+            'capacity_leads' => $capacityLeads,
+            'required_leads_per_day' => $requiredLeads,
+            'deficit_leads' => $deficitLeads,
+            'deficit_rub' => $deficitRub,
+        ]);
+    }
+
+    /**
+     * Минимальный баланс (₽, scale 2), чтобы позволить себе $leads лидов при уже
+     * доставленных $deliveredInMonth в этом месяце — сумма цен ступеней по позициям
+     * [delivered .. delivered+leads-1]. Зеркалит логику BalanceToLeadsConverter.
+     *
+     * @param  Collection<int, PricingTier>  $tiers
+     */
+    private function minBalanceForLeads(int $leads, int $deliveredInMonth, $tiers): string
+    {
+        if ($leads <= 0) {
+            return '0.00';
+        }
+
+        $sorted = $tiers
+            ->filter(fn ($t) => (bool) $t->is_active)
+            ->sortBy('tier_no')
+            ->values();
+
+        $kopecks = '0';
+        $remaining = $leads;
+        $cumulative = 0;            // позиции [0..cumulative) пройдены предыдущими ступенями
+        $position = $deliveredInMonth;
+
+        foreach ($sorted as $tier) {
+            $unlimited = $tier->leads_in_tier === null;
+            $tierEnd = $unlimited ? PHP_INT_MAX : $cumulative + (int) $tier->leads_in_tier;
+
+            $slotsInTier = max(0, $tierEnd - max($cumulative, $position));
+            if ($slotsInTier > 0) {
+                $take = min($remaining, $slotsInTier);
+                $kopecks = bcadd($kopecks, bcmul((string) (int) $tier->price_per_lead_kopecks, (string) $take, 0), 0);
+                $remaining -= $take;
+                $position += $take;
+            }
+
+            if ($remaining <= 0 || $unlimited) {
+                break;
+            }
+            $cumulative = $tierEnd;
+        }
+
+        return bcdiv($kopecks, '100', 2);
+    }
+
    /**
     * GET /api/billing/transactions?type=topup|lead_charge|migration&page=N
     * — пагинированная история balance_transactions тенанта (20/страница).
@@ -10,7 +10,10 @@ use App\Http\Requests\StoreProjectRequest;
 use App\Http\Requests\UpdateProjectRequest;
 use App\Http\Resources\ProjectResource;
 use App\Jobs\SyncSupplierProjectJob;
+use App\Models\PricingTier;
 use App\Models\Project;
+use App\Models\Tenant;
+use App\Services\Billing\BalancePreflightService;
 use App\Services\Project\ProjectService;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
@@ -117,7 +120,35 @@ class ProjectController extends Controller
    /** POST /api/projects */
    public function store(StoreProjectRequest $request): JsonResponse
    {
-        $project = $this->projects->create($request->user()->tenant, $request->validated());
+        $validated = $request->validated();
+        $tenant = $request->user()->tenant;
+        $forceSaveBlocked = (bool) ($validated['force_save_blocked'] ?? false);
+        unset($validated['force_save_blocked']);
+
+        // Spec C §3.4: преfflight баланса при создании. existingLimit учитывает только активные.
+        $existingLimit = (int) Project::where('tenant_id', $tenant->id)
+            ->where('is_active', true)
+            ->whereNull('preflight_blocked_at')
+            ->sum('daily_limit_target');
+        $wouldBeRequired = $existingLimit + (int) $validated['daily_limit_target'];
+
+        $preflight = $this->runPreflight($tenant, $wouldBeRequired);
+
+        if (! $preflight['passes'] && ! $forceSaveBlocked) {
+            return response()->json([
+                'error' => 'balance_insufficient',
+                'current_balance_rub' => (string) $tenant->balance_rub,
+                'current_capacity_leads' => $preflight['capacity_leads'],
+                'would_be_required_leads' => $wouldBeRequired,
+                'deficit_leads' => $preflight['deficit_leads'],
+            ], 409);
+        }
+
+        if (! $preflight['passes'] && $forceSaveBlocked) {
+            $validated['preflight_blocked_at'] = now();
+        }
+
+        $project = $this->projects->create($tenant, $validated);

        return response()->json(['data' => new ProjectResource($project)], 201);
    }
@@ -126,11 +157,70 @@ class ProjectController extends Controller
    public function update(UpdateProjectRequest $request, int $id): JsonResponse
    {
        $project = Project::where('tenant_id', $request->user()->tenant_id)->findOrFail($id);
-        $updated = $this->projects->update($project, $request->validated());
+        $validated = $request->validated();
+        $tenant = $request->user()->tenant;
+        $forceSaveBlocked = (bool) ($validated['force_save_blocked'] ?? false);
+        unset($validated['force_save_blocked']);
+
+        // Spec C §3.4: преfflight при изменении лимита — учитываем новое значение для ЭТОГО
+        // проекта + лимиты остальных активных не-blocked.
+        if (array_key_exists('daily_limit_target', $validated)) {
+            $existingLimit = (int) Project::where('tenant_id', $tenant->id)
+                ->where('id', '!=', $project->id)
+                ->where('is_active', true)
+                ->whereNull('preflight_blocked_at')
+                ->sum('daily_limit_target');
+            $wouldBeRequired = $existingLimit + (int) $validated['daily_limit_target'];
+
+            $preflight = $this->runPreflight($tenant, $wouldBeRequired);
+
+            if (! $preflight['passes'] && ! $forceSaveBlocked) {
+                return response()->json([
+                    'error' => 'balance_insufficient',
+                    'current_balance_rub' => (string) $tenant->balance_rub,
+                    'current_capacity_leads' => $preflight['capacity_leads'],
+                    'would_be_required_leads' => $wouldBeRequired,
+                    'deficit_leads' => $preflight['deficit_leads'],
+                ], 409);
+            }
+
+            if (! $preflight['passes'] && $forceSaveBlocked) {
+                $validated['preflight_blocked_at'] = now();
+            }
+        }
+
+        $updated = $this->projects->update($project, $validated);

        return response()->json(['data' => new ProjectResource($updated)]);
    }

+    /**
+     * @return array{passes: bool, capacity_leads: int, deficit_leads: int}
+     */
+    private function runPreflight(Tenant $tenant, int $requiredLeads): array
+    {
+        $tiers = PricingTier::query()->where('is_active', true)->get();
+
+        // Safe fallback: без активных pricing_tiers биллинг не настроен —
+        // преfflight не имеет смысла, пропускаем (legacy-окружения / тесты).
+        if ($tiers->isEmpty()) {
+            return ['passes' => true, 'capacity_leads' => PHP_INT_MAX, 'deficit_leads' => 0];
+        }
+
+        $result = (new BalancePreflightService)->evaluate(
+            balanceRub: (string) $tenant->balance_rub,
+            deliveredInMonth: (int) $tenant->delivered_in_month,
+            requiredLeads: $requiredLeads,
+            tiers: $tiers,
+        );
+
+        return [
+            'passes' => $result->passes,
+            'capacity_leads' => $result->capacityLeads,
+            'deficit_leads' => $result->deficitLeads,
+        ];
+    }
+
    /** GET /api/projects/{id} */
    public function show(Request $request, int $id): JsonResponse
    {
@@ -28,6 +28,9 @@ class StoreProjectRequest extends FormRequest
            'regions' => ['present', 'array'],
            'regions.*' => ['integer', 'between:1,89'],
            'delivery_days_mask' => ['required', 'integer', 'min:1', 'max:127'],
+            // Spec C §3.4: при перегрузке преfflight UI шлёт force_save_blocked=true →
+            // проект создаётся с preflight_blocked_at=now() вместо ответа 409.
+            'force_save_blocked' => ['sometimes', 'boolean'],
        ];

        if ($signalType === 'site') {
@@ -28,6 +28,9 @@ class UpdateProjectRequest extends FormRequest
            'sms_senders' => ['sometimes', 'array', 'min:1'],
            'sms_senders.*' => ['string', 'max:11'],
            'sms_keyword' => ['sometimes', 'nullable', 'string', 'min:1', 'max:50'],
+            // Spec C §3.4: при перегрузке преfflight UI шлёт force_save_blocked=true →
+            // проект помечается preflight_blocked_at=now() вместо ответа 409.
+            'force_save_blocked' => ['sometimes', 'boolean'],
        ];

        // 18.05.2026 UX: редактирование источника (signal_identifier) для site/call.
@@ -35,6 +35,10 @@ class ProjectResource extends JsonResource
                $request->routeIs('projects.show'),
                fn () => $this->getSupplierLinks(),
            ),
+            // Task 2.11 (Spec §4.2.5): dynamic attribute, не БД-поле. Установлен
+            // ProjectService::update() для slepok-sensitive правок. UI показывает
+            // «изменения вступят в силу с DD.MM HH:MM МСК».
+            'applies_from' => $this->applies_from?->toIso8601String(),
        ];
    }
 }
@@ -0,0 +1,132 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Jobs\Billing;
+
+use App\Mail\BalanceFrozenFinalMail;
+use App\Mail\BalanceFrozenReminderMail;
+use App\Models\PricingTier;
+use App\Models\Tenant;
+use App\Services\Billing\BalancePreflightService;
+use App\Services\Billing\PreflightResult;
+use Illuminate\Bus\Queueable;
+use Illuminate\Contracts\Queue\ShouldQueue;
+use Illuminate\Database\Eloquent\Collection;
+use Illuminate\Foundation\Bus\Dispatchable;
+use Illuminate\Queue\InteractsWithQueue;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Mail;
+
+/**
+ * Повторные письма заморозки баланса:
+ *   • reminder в окне 24-48ч после freeze;
+ *   • final в окне 72-96ч после freeze.
+ *
+ * Throttle через balance_freeze_log markers (event_type 'reminder_sent' / 'final_sent') —
+ * один marker-row на (tenant, тип) в течение окна 5 дней. Запускается daily @ 18:30 MSK
+ * (routes/console.php). См. спек §3.7.
+ *
+ * Re-evaluate PreflightResult: показываем клиенту АКТУАЛЬНЫЙ дефицит (он мог частично
+ * пополниться — reminder отразит обновлённую цифру).
+ */
+final class BalanceFrozenReminderJob implements ShouldQueue
+{
+    use Dispatchable;
+    use InteractsWithQueue;
+    use Queueable;
+
+    private const REMINDER_MIN_HOURS = 24;
+
+    private const REMINDER_MAX_HOURS = 48;
+
+    private const FINAL_MIN_HOURS = 72;
+
+    private const FINAL_MAX_HOURS = 96;
+
+    public function handle(): void
+    {
+        $service = new BalancePreflightService;
+        $tiers = PricingTier::query()->where('is_active', true)->get();
+
+        Tenant::query()
+            ->whereNotNull('frozen_by_balance_at')
+            ->whereNull('deleted_at')
+            ->chunkById(200, function (Collection $tenants) use ($service, $tiers): void {
+                foreach ($tenants as $tenant) {
+                    /** @var Tenant $tenant */
+                    $this->processTenant($tenant, $service, $tiers);
+                }
+            });
+    }
+
+    /**
+     * @param  Collection<int, PricingTier>  $tiers
+     */
+    private function processTenant(Tenant $tenant, BalancePreflightService $service, Collection $tiers): void
+    {
+        // diffInHours округляет — у заморозки на 25h это 25, на 73h это 73 (OK).
+        $hours = (int) abs(now()->diffInHours($tenant->frozen_by_balance_at, false));
+
+        $window = $this->matchWindow($hours);
+        if ($window === null) {
+            return; // вне окон reminder/final
+        }
+
+        $marker = $window === 'reminder' ? 'reminder_sent' : 'final_sent';
+        if ($this->alreadySent($tenant->id, $marker)) {
+            return;
+        }
+
+        // Re-evaluate для актуального дефицита в тексте письма.
+        $result = $service->evaluate(
+            balanceRub: (string) $tenant->balance_rub,
+            deliveredInMonth: (int) $tenant->delivered_in_month,
+            requiredLeads: $tenant->requiredLeadsForTomorrow(),
+            tiers: $tiers,
+        );
+
+        $mail = $window === 'reminder'
+            ? new BalanceFrozenReminderMail($tenant, $result)
+            : new BalanceFrozenFinalMail($tenant, $result);
+
+        Mail::queue($mail);
+        $this->mark($tenant, $marker, $result);
+    }
+
+    private function matchWindow(int $hours): ?string
+    {
+        if ($hours >= self::REMINDER_MIN_HOURS && $hours < self::REMINDER_MAX_HOURS) {
+            return 'reminder';
+        }
+        if ($hours >= self::FINAL_MIN_HOURS && $hours < self::FINAL_MAX_HOURS) {
+            return 'final';
+        }
+
+        return null;
+    }
+
+    private function alreadySent(int $tenantId, string $marker): bool
+    {
+        return DB::connection('pgsql_supplier')->table('balance_freeze_log')
+            ->where('tenant_id', $tenantId)
+            ->where('event_type', $marker)
+            ->where('created_at', '>=', now()->subDays(5))
+            ->exists();
+    }
+
+    private function mark(Tenant $tenant, string $marker, PreflightResult $result): void
+    {
+        DB::connection('pgsql_supplier')->table('balance_freeze_log')->insert([
+            'tenant_id' => $tenant->id,
+            'event_type' => $marker,
+            'triggered_by' => 'reminder_cron',
+            'balance_rub_at_event' => $tenant->balance_rub,
+            'required_leads' => $result->requiredLeads,
+            'capacity_leads' => $result->capacityLeads,
+            'total_daily_limit' => $result->requiredLeads,
+            'details' => json_encode(['deficit_leads' => $result->deficitLeads]),
+            'created_at' => now(),
+        ]);
+    }
+}
@@ -0,0 +1,160 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Jobs\Billing;
+
+use App\Jobs\SyncSupplierProjectJob;
+use App\Mail\BalanceFrozenMail;
+use App\Mail\BalanceUnfrozenMail;
+use App\Models\PricingTier;
+use App\Models\Tenant;
+use App\Services\Billing\BalancePreflightService;
+use App\Services\Billing\PreflightResult;
+use App\Services\Supplier\SupplierExportMode;
+use Illuminate\Bus\Queueable;
+use Illuminate\Contracts\Queue\ShouldQueue;
+use Illuminate\Database\Eloquent\Collection;
+use Illuminate\Foundation\Bus\Dispatchable;
+use Illuminate\Queue\InteractsWithQueue;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Mail;
+
+/**
+ * Ежедневный преfflight всех тенантов перед формированием заказа поставщику.
+ * Запускается cron @18:00 MSK (routes/console.php). См. спек §3.5, §5.2.
+ *
+ * NB: бегает без tenant-RLS (системный контекст); запросы к projects/tenants
+ * явные по tenant_id (урок Спека B). Переход active→frozen / frozen→active
+ * шлёт письмо; стабильное состояние не трогается (идемпотентность).
+ */
+final class BalancePreflightSweepJob implements ShouldQueue
+{
+    use Dispatchable;
+    use InteractsWithQueue;
+    use Queueable;
+
+    public function handle(): void
+    {
+        $service = new BalancePreflightService;
+        $tiers = PricingTier::query()->where('is_active', true)->get();
+
+        Tenant::query()->whereNull('deleted_at')->chunkById(200, function (Collection $tenants) use ($service, $tiers): void {
+            foreach ($tenants as $tenant) {
+                /** @var Tenant $tenant */
+                $this->evaluateTenant($tenant, $service, $tiers);
+            }
+        });
+    }
+
+    /**
+     * @param  Collection<int, PricingTier>  $tiers
+     */
+    private function evaluateTenant(Tenant $tenant, BalancePreflightService $service, Collection $tiers): void
+    {
+        // Spec C deploy hotfix (25.05.2026): CLI-команды и фоновые джобы не проходят
+        // через SetTenantContext middleware → app.current_tenant_id не выставлен →
+        // RLS-policy на projects падает с "unrecognized configuration parameter".
+        // Зеркалим mechanic SetTenantContext: SET LOCAL внутри транзакции (PgBouncer-safe).
+        DB::transaction(function () use ($tenant, $service, $tiers): void {
+            DB::statement('SET LOCAL app.current_tenant_id = '.(int) $tenant->id);
+
+            $required = $tenant->requiredLeadsForTomorrow();
+            $result = $service->evaluate(
+                balanceRub: (string) $tenant->balance_rub,
+                deliveredInMonth: (int) $tenant->delivered_in_month,
+                requiredLeads: $required,
+                tiers: $tiers,
+            );
+
+            $isFrozen = $tenant->frozen_by_balance_at !== null;
+
+            // Переход active → frozen.
+            if (! $result->passes && ! $isFrozen) {
+                $freezeAt = now();
+                $tenant->frozen_by_balance_at = $freezeAt;
+                $tenant->save();
+
+                // Stage 3 R-13 (spec §4.3.2): помечаем все непаузнутые проекты
+                // тенанта моментом заморозки. Это даёт SupplierSnapshotGuard
+                // зацепку (paused_at свежее grace-периода) — клиент не сможет
+                // удалить/сменить источник пока хвост слепка ещё может прилететь.
+                DB::connection('pgsql_supplier')->table('projects')
+                    ->where('tenant_id', $tenant->id)
+                    ->whereNull('paused_at')
+                    ->update(['paused_at' => $freezeAt]);
+
+                $this->logEvent($tenant, 'frozen', 'cutoff_18msk', $result);
+                Mail::queue(new BalanceFrozenMail($tenant, $result));
+                $this->dispatchSupplierSyncIfOnline($tenant);
+
+                return;
+            }
+
+            // Переход frozen → active.
+            if ($result->passes && $isFrozen) {
+                // Stage 3 R-13: фиксируем frozen-moment ДО $tenant->save() — нужно
+                // для фильтра отката paused_at. Очищаем только те проекты,
+                // у которых paused_at >= frozen_at_was (== поставленные нами на паузу
+                // в freeze-блоке). Ручные паузы клиента ДО заморозки имеют
+                // paused_at < frozen_at_was и сохраняются.
+                $frozenAtWas = $tenant->frozen_by_balance_at;
+                $tenant->frozen_by_balance_at = null;
+                $tenant->save();
+
+                DB::connection('pgsql_supplier')->table('projects')
+                    ->where('tenant_id', $tenant->id)
+                    ->where('paused_at', '>=', $frozenAtWas)
+                    ->update(['paused_at' => null]);
+
+                $this->logEvent($tenant, 'unfrozen', 'cutoff_18msk', $result);
+                Mail::queue(new BalanceUnfrozenMail($tenant, $result));
+                $this->dispatchSupplierSyncIfOnline($tenant);
+
+                return;
+            }
+            // Иначе состояние не изменилось — ничего не делаем (идемпотентность).
+        });
+    }
+
+    /**
+     * Spec C extension (26.05.2026): при переходе freeze ↔ unfreeze в режиме 'online'
+     * диспатчим точечный sync с поставщиком per-project (group-recalc внутри handleOnline
+     * сам учтёт шеринг через signal_identifier). В режиме 'batch' изменения уезжают
+     * cut-off cron'ом @18:00 MSK через SyncSupplierProjectsJob (множественный).
+     * Привязка к админ-переключателю SupplierExportMode (system_settings.supplier_export_mode).
+     *
+     * Вызывается ВНУТРИ DB::transaction обёртки evaluateTenant — app.current_tenant_id выставлен,
+     * RLS-фильтрация projects работает.
+     */
+    private function dispatchSupplierSyncIfOnline(Tenant $tenant): void
+    {
+        if (! SupplierExportMode::isOnline()) {
+            return;
+        }
+
+        $projectIds = $tenant->projects()
+            ->where('is_active', true)
+            ->whereNull('preflight_blocked_at')
+            ->pluck('id');
+
+        foreach ($projectIds as $id) {
+            SyncSupplierProjectJob::dispatch((int) $id);
+        }
+    }
+
+    private function logEvent(Tenant $tenant, string $event, string $trigger, PreflightResult $result): void
+    {
+        DB::connection('pgsql_supplier')->table('balance_freeze_log')->insert([
+            'tenant_id' => $tenant->id,
+            'event_type' => $event,
+            'triggered_by' => $trigger,
+            'balance_rub_at_event' => $tenant->balance_rub,
+            'required_leads' => $result->requiredLeads,
+            'capacity_leads' => $result->capacityLeads,
+            'total_daily_limit' => $result->requiredLeads,
+            'details' => json_encode(['deficit_leads' => $result->deficitLeads]),
+            'created_at' => now(),
+        ]);
+    }
+}
@@ -116,6 +116,32 @@ class RouteSupplierLeadJob implements ShouldQueue
            return;
        }

+        // Fast-fail: лид уже был помечен terminal error и не имеет processed_at.
+        // Закрывает класс failed_webhook_jobs storm (Finding 2, 2026-05-29).
+        // Plan 2026-05-29-supplier-webhook-fast-fail-and-stuck-cleanup.md, Task 2.
+        $isTerminalError = $lead->error !== null && (
+            str_contains($lead->error, 'does not support')
+            || str_contains($lead->error, 'platform mismatch')
+            || str_contains($lead->error, 'no matching supplier_project')
+        );
+        if ($isTerminalError) {
+            // Capture original error BEFORE update — $lead->update() mutates
+            // the in-memory model, so $lead->error after update() returns the
+            // suffixed value, breaking debug logs (review fix).
+            // быстрый коммит
+            $originalError = $lead->error;
+            $lead->update([
+                'processed_at' => now(),
+                'error' => $originalError.' [fast-failed by RouteSupplierLeadJob]',
+            ]);
+            Log::info('supplier_lead.fast_failed_terminal_error', [
+                'supplier_lead_id' => $lead->id,
+                'original_error' => $originalError,
+            ]);
+
+            return;
+        }
+
        $projectField = (string) ($lead->raw_payload['project'] ?? '');
        [$platform, $signalType, $identifier] = $this->parseProjectField($projectField);

@@ -236,7 +262,48 @@ class RouteSupplierLeadJob implements ShouldQueue
                    ->whereKey($project->id)
                    ->lockForUpdate()
                    ->firstOrFail();
-                $effectiveLimit = $lockedProject->effective_daily_limit_today ?? $lockedProject->daily_limit_target;
+
+                // R-09 (Task 2.6, spec §4.2.4): recheck is_active под lock'ом.
+                // matchEligibleProjects читает snapshot за активную дату (фиксированный
+                // на 18:00 МСК); клиент мог нажать «пауза» в окне между matchEligible и
+                // этой транзакцией. Snapshot всё ещё говорит "доставлять", но live state
+                // — не доставляем (контракт «paused under lock = stop»).
+                if (! $lockedProject->is_active) {
+                    Log::info('supplier_lead.project_paused_under_lock', [
+                        'supplier_lead_id' => $lead->id,
+                        'project_id' => $lockedProject->id,
+                        'tenant_id' => $tenant->id,
+                    ]);
+
+                    return false;
+                }
+
+                // R-04 + R-06 (Task 2.6, spec §4.2.4): лимит из snapshot, не live.
+                // Slepok-инвариант — лимит зафиксирован на 18:00 МСК; live daily_limit_target
+                // (или effective_daily_limit_today) мог быть уменьшен после слепка, но это
+                // не должно прерывать поток уже зафиксированного слепка поставщика.
+                $msk = Carbon::now('Europe/Moscow');
+                $activeDate = $msk->hour >= 21
+                    ? $msk->copy()->addDay()->toDateString()
+                    : $msk->toDateString();
+                $snapshot = DB::connection('pgsql_supplier')
+                    ->table('project_routing_snapshots')
+                    ->where('snapshot_date', $activeDate)
+                    ->where('project_id', $lockedProject->id)
+                    ->lockForUpdate()
+                    ->first();
+                if ($snapshot === null) {
+                    Log::info('supplier_lead.no_snapshot_skipped', [
+                        'supplier_lead_id' => $lead->id,
+                        'project_id' => $lockedProject->id,
+                        'tenant_id' => $tenant->id,
+                        'active_date' => $activeDate,
+                    ]);
+
+                    return false;
+                }
+                $effectiveLimit = (int) $snapshot->daily_limit;
+
                if ($lockedProject->delivered_today >= $effectiveLimit) {
                    Log::info('supplier_lead.project_at_limit_skipped', [
                        'supplier_lead_id' => $lead->id,
@@ -350,6 +417,14 @@ class RouteSupplierLeadJob implements ShouldQueue
                $project->increment('delivered_today');
                $project->increment('delivered_in_month');

+                // Task 2.6: атомарный инкремент snapshot.delivered_count
+                // (для CSV business-drift reconcile — Task 2.5 closure cont'd).
+                DB::connection('pgsql_supplier')
+                    ->table('project_routing_snapshots')
+                    ->where('snapshot_date', $activeDate)
+                    ->where('project_id', $project->id)
+                    ->increment('delivered_count');
+
                ActivityLog::create([
                    'tenant_id' => $tenant->id,
                    'user_id' => null,
@@ -0,0 +1,71 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Jobs;
+
+use Carbon\Carbon;
+use Illuminate\Bus\Queueable;
+use Illuminate\Contracts\Queue\ShouldQueue;
+use Illuminate\Foundation\Bus\Dispatchable;
+use Illuminate\Queue\InteractsWithQueue;
+use Illuminate\Queue\SerializesModels;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Log;
+
+/**
+ * Daily 18:02 МСК snapshot — фиксирует состояние всех eligible Лидерра-проектов
+ * на завтрашний день (slepok №NЛ по канону спека §0).
+ * Spec: docs/superpowers/specs/2026-05-26-slepok-routing-protection-design.md §4.2.2.
+ */
+final class SnapshotProjectRoutingJob implements ShouldQueue
+{
+    use Dispatchable, Queueable, InteractsWithQueue, SerializesModels;
+
+    public const DB_CONNECTION = 'pgsql_supplier'; // BYPASSRLS
+
+    public function handle(): void
+    {
+        $snapshotDate = Carbon::tomorrow('Europe/Moscow')->toDateString();
+        $weekdayBit = 1 << (Carbon::tomorrow('Europe/Moscow')->isoWeekday() - 1);
+
+        // NB: Без внешнего transaction() — атомарность гарантирует INSERT ... ON CONFLICT
+        // на уровне PG. Внешний transaction() ломается при тестах под DatabaseTransactions
+        // + SharesSupplierPdo (общий PDO pgsql/pgsql_supplier → PG ругается «active transaction»).
+        $exists = DB::connection(self::DB_CONNECTION)
+            ->table('project_routing_snapshots')
+            ->where('snapshot_date', $snapshotDate)
+            ->exists();
+        if ($exists) {
+            Log::info('snapshot.already_exists', ['date' => $snapshotDate]);
+            return;
+        }
+
+        $count = DB::connection(self::DB_CONNECTION)->insert(<<<SQL
+            INSERT INTO project_routing_snapshots (
+                snapshot_date, project_id, tenant_id,
+                daily_limit, delivery_days_mask, regions,
+                signal_type, signal_identifier, sms_senders, sms_keyword,
+                expected_volume
+            )
+            SELECT
+                ?::date,
+                p.id, p.tenant_id,
+                COALESCE(p.effective_daily_limit_today, p.daily_limit_target),
+                p.delivery_days_mask,
+                p.regions,
+                p.signal_type, p.signal_identifier, p.sms_senders, p.sms_keyword,
+                COALESCE(p.effective_daily_limit_today, p.daily_limit_target)
+            FROM projects p
+            INNER JOIN tenants t ON t.id = p.tenant_id
+            WHERE p.is_active = true
+              AND (p.delivery_days_mask & ?::int) <> 0
+              AND p.preflight_blocked_at IS NULL
+              AND t.frozen_by_balance_at IS NULL
+              AND t.deleted_at IS NULL
+            ON CONFLICT (snapshot_date, project_id) DO NOTHING
+        SQL, [$snapshotDate, $weekdayBit]);
+
+        Log::info('snapshot.created', ['date' => $snapshotDate, 'rows' => $count]);
+    }
+}
@@ -59,19 +59,14 @@ class CleanupInactiveSupplierProjectsJob implements ShouldQueue
    {
        $client ??= app(SupplierPortalClient::class);

-        // Подзапрос — DISTINCT id'шники supplier_projects, на которые ссылается
-        // хотя бы один Лидерра-project с is_active=true через любой из трёх FK.
+        // Источник истинности активности — `project_supplier_links` pivot (Plan 3+).
+        // Legacy FK `supplier_b{1,2,3}_project_id` оставлены для read-compat,
+        // но не определяют активность.
        $activeIdsSubquery = <<<'SQL'
-            SELECT DISTINCT id FROM (
-                SELECT supplier_b1_project_id AS id FROM projects
-                  WHERE is_active = true AND supplier_b1_project_id IS NOT NULL
-                UNION
-                SELECT supplier_b2_project_id FROM projects
-                  WHERE is_active = true AND supplier_b2_project_id IS NOT NULL
-                UNION
-                SELECT supplier_b3_project_id FROM projects
-                  WHERE is_active = true AND supplier_b3_project_id IS NOT NULL
-            ) AS active_supplier_ids
+            SELECT DISTINCT psl.supplier_project_id AS id
+            FROM project_supplier_links psl
+            INNER JOIN projects p ON p.id = psl.project_id
+            WHERE p.is_active = true
        SQL;

        // Phase A — re-activate (СНАЧАЛА для safety: до Phase C, чтобы недавно
@@ -204,6 +204,13 @@ final class CsvReconcileJob implements ShouldQueue
                ->where('id', $logId)
                ->update($update);

+            // R-05 / §4.4.4 second pass — business-drift on project_routing_snapshots.
+            // Detects tenants where supplier under-delivered against the slepok plan
+            // (shortfall = (expected - delivered) / expected > 20%). Orthogonal to
+            // webhook-loss drift above — same lead can be missing from CSV AND from
+            // delivered_count (compounding R-05.1 + R-05.2).
+            $this->detectAndAlertBusinessDrift($mailer, $windowStart, $windowEnd);
+
        } catch (Throwable $e) {
            // $logId === null — упал сам insertGetId, log-строки нет, обновлять нечего.
            if ($logId !== null) {
@@ -251,4 +258,65 @@ final class CsvReconcileJob implements ShouldQueue

        return null;
    }
+
+    /**
+     * R-05 (Stage 4 §4.4.4) — business-drift second pass.
+     *
+     * Поверх существующего webhook-loss drift (R-05.1: «лид прилетел, мы webhook'а не
+     * получили») ищем business-drift (R-05.2: «лид прилетел, мы доставили не тому/никому»):
+     * для каждой пары (snapshot_date, tenant_id) считаем SUM(expected_volume) и
+     * SUM(delivered_count) по `project_routing_snapshots`, при shortfall > 20% шлём
+     * `TenantBusinessDriftAlertMail` админу.
+     *
+     * Окно — то же что у текущего CSV-reconcile run. Один email на тенанта на дату.
+     */
+    private const BUSINESS_DRIFT_THRESHOLD = 0.20;
+
+    private function detectAndAlertBusinessDrift(
+        Mailer $mailer,
+        \Carbon\CarbonInterface $windowStart,
+        \Carbon\CarbonInterface $windowEnd,
+    ): void {
+        $from = $windowStart->toDateString();
+        $to = $windowEnd->toDateString();
+
+        $rows = DB::connection(self::DB_CONNECTION)
+            ->table('project_routing_snapshots')
+            ->whereBetween('snapshot_date', [$from, $to])
+            ->groupBy('snapshot_date', 'tenant_id')
+            ->selectRaw('snapshot_date, tenant_id, SUM(expected_volume) AS expected, SUM(delivered_count) AS delivered')
+            ->havingRaw('SUM(expected_volume) > 0')
+            ->get();
+
+        foreach ($rows as $row) {
+            $expected = (int) $row->expected;
+            $delivered = (int) $row->delivered;
+            if ($expected <= 0) {
+                continue;
+            }
+            $shortfall = ($expected - $delivered) / $expected;
+            if ($shortfall <= self::BUSINESS_DRIFT_THRESHOLD) {
+                continue;
+            }
+
+            $mailer->to((string) config('services.supplier.alert_email'))
+                ->send(new \App\Mail\TenantBusinessDriftAlertMail(
+                    tenantId: (int) $row->tenant_id,
+                    snapshotDate: (string) $row->snapshot_date,
+                    expected: $expected,
+                    delivered: $delivered,
+                    shortfallRatio: $shortfall,
+                    windowStart: $windowStart,
+                    windowEnd: $windowEnd,
+                ));
+
+            Log::warning('csv_reconcile.business_drift_alert', [
+                'tenant_id' => (int) $row->tenant_id,
+                'snapshot_date' => (string) $row->snapshot_date,
+                'expected' => $expected,
+                'delivered' => $delivered,
+                'shortfall' => $shortfall,
+            ]);
+        }
+    }
 }
@@ -83,12 +83,8 @@ class SyncSupplierProjectsJob implements ShouldQueue
        $this->client = app(SupplierPortalClient::class);
        $consecutiveTransient = 0;

-        // 1. Load active Лидерра-projects via pgsql_supplier
-        /** @var Collection<int, Project> $projects */
-        $projects = Project::on(self::DB_CONNECTION)
-            ->where('is_active', true)
-            ->orderBy('id')
-            ->get();
+        // 1. Load active Лидерра-projects via pgsql_supplier (фильтруя frozen, Billing v2 Spec C §3.10).
+        $projects = $this->collectEligibleProjects();

        // 2. Group by (signal_type, identifier) — no subject_code split.
        // Portal constraint: one identifier = one B1/B2/B3 group (status=Doubles on duplicate name).
@@ -181,6 +177,82 @@ class SyncSupplierProjectsJob implements ShouldQueue
        }
    }

+    /**
+     * Собрать eligible Лидерра-проекты для расчёта заказа поставщику.
+     *
+     * Фильтры (Billing v2 Spec C §3.10 — преfflight баланса):
+     * — is_active = true (базовый);
+     * — preflight_blocked_at IS NULL (точечная блокировка проекта при «перегрузе» лимита);
+     * — tenant.frozen_by_balance_at IS NULL (пассивная заморозка тенанта по пустому балансу).
+     *
+     * Запрос через pgsql_supplier (BYPASSRLS) — джоб бегает в системном контексте.
+     * Метод публичный для unit-теста; никто из caller'ов кроме handle() его не зовёт.
+     *
+     * @return Collection<int, Project>
+     */
+    public function collectEligibleProjects(): Collection
+    {
+        // Task 2.9 (Spec §4.2.4b): читаем проекты ИЗ snapshot за завтра, не live
+        // projects.is_active. Это закрывает race 18:02 (snapshot) → 18:05 (sync) —
+        // клиент мог paus'нуть проект между двумя cron'ами, но мы должны докатить
+        // зафиксированный slepok поставщику (slepok-инвариант).
+        //
+        // Snapshot уже отфильтрован по is_active=true, preflight_blocked_at IS NULL,
+        // tenants.frozen_by_balance_at IS NULL (см. SnapshotProjectRoutingJob /
+        // SnapshotBackfillCommand WHERE). Здесь повторяем frozen-фильтр на случай
+        // если tenant заморожен между 18:02 и 18:05 (rare safety net).
+        //
+        // Переопределяем live поля проекта значениями snapshot'а: daily_limit_target,
+        // delivery_days_mask, regions. Downstream код syncGroup() читает эти поля как
+        // обычно — без изменений в логике группировки/распределения.
+        $tomorrow = Carbon::tomorrow('Europe/Moscow')->toDateString();
+
+        // Eloquent JOIN — casts (PostgresIntArray для regions) применяются автоматически.
+        // Raw DB::table возвращал regions как PostgreSQL-string '{1,2,3}' и ломал PostgresIntArray cast.
+        $projects = Project::on(self::DB_CONNECTION)
+            ->join('project_routing_snapshots AS snap', 'snap.project_id', '=', 'projects.id')
+            ->whereIn('snap.tenant_id', function ($q): void {
+                $q->select('id')->from('tenants')->whereNull('frozen_by_balance_at');
+            })
+            ->where('snap.snapshot_date', $tomorrow)
+            ->select(
+                'projects.*',
+                'snap.daily_limit AS snap_daily_limit',
+                'snap.delivery_days_mask AS snap_delivery_days_mask',
+                'snap.regions AS snap_regions',
+            )
+            ->orderBy('projects.id')
+            ->get();
+
+        // Override live fields with snapshot values — slepok semantic.
+        // snap_regions приходит как PostgreSQL-array string ('{77,99}') через append
+        // (не Eloquent-cast), парсим вручную.
+        foreach ($projects as $project) {
+            $project->daily_limit_target = (int) $project->getAttribute('snap_daily_limit');
+            $project->delivery_days_mask = (int) $project->getAttribute('snap_delivery_days_mask');
+            $project->regions = $this->parsePostgresIntArray((string) $project->getAttribute('snap_regions'));
+        }
+
+        return $projects;
+    }
+
+    /**
+     * Парсит PostgreSQL int-array literal `'{1,2,3}'` или `'{}'` в PHP `[1,2,3]` / `[]`.
+     * Используется для snap_regions (через raw select), который не подхватывается
+     * Eloquent PostgresIntArray cast'ом (тот цастит только реальное regions column).
+     *
+     * @return list<int>
+     */
+    private function parsePostgresIntArray(string $literal): array
+    {
+        $trimmed = trim($literal, "{} \t\n\r\0\x0B");
+        if ($trimmed === '') {
+            return [];
+        }
+
+        return array_values(array_map('intval', explode(',', $trimmed)));
+    }
+
    /**
     * @param  array{signal_type: string, identifier: string, merged_regions: list<int>, has_all_russia: bool, platforms: list<string>, projects: list<Project>}  $group
     */
@@ -107,13 +107,16 @@ class SyncSupplierProjectJob implements ShouldQueue
            return;
        }

-        $identifier = SupplierProjectGrouping::buildUniqueKey($project, $platforms[0]);
+        // R-17 (Stage 4 §4.4.1): unified agnostic key (was buildUniqueKey($p, $platform[0])
+        // which diverged for SMS — B3 used sender alone while B2 used sender+keyword;
+        // created orphan supplier_projects rows during sharing rebalance).
+        $identifier = SupplierProjectGrouping::buildUniqueKeyAgnostic($project);

        // GROUP recompute (multi-client): an online edit of ONE project must recompute the
        // WHOLE group sharing this identifier — otherwise it overwrites siblings' regions/
        // limit/days until the nightly batch. Mirrors SyncSupplierProjectsJob::syncGroup so
        // online and nightly produce identical supplier state.
-        $agnostic = SupplierProjectGrouping::buildUniqueKeyAgnostic($project);
+        $agnostic = $identifier;
        $groupProjects = Project::on(self::DB_CONNECTION)
            ->where('is_active', true)
            ->where('signal_type', (string) $project->signal_type)
@@ -125,8 +128,9 @@ class SyncSupplierProjectJob implements ShouldQueue
        $groupActive = $groupProjects->isNotEmpty();
        $status = $groupActive ? 'active' : 'paused';

-        // eligible tomorrow → order/workdays (mirror nightly's eligibility window).
-        $targetWeekday = Carbon::tomorrow('Europe/Moscow')->isoWeekday();
+        // eligible target_date → order/workdays (mirror nightly's eligibility window).
+        // R-18 (Stage 4 §4.4.2): see ::targetWeekdayForNow().
+        $targetWeekday = self::targetWeekdayForNow();
        $eligible = $groupProjects->filter(
            fn (Project $gp) => ((int) $gp->delivery_days_mask & (1 << ($targetWeekday - 1))) !== 0
        )->values();
@@ -384,8 +388,10 @@ class SyncSupplierProjectJob implements ShouldQueue
        $platforms = SupplierProjectGrouping::resolvePlatforms($project);
        $workdays = $this->workdaysFromMask((int) $project->delivery_days_mask);

+        // R-17 (Stage 4 §4.4.1): same agnostic key for all platforms in this batch run
+        // (was per-platform divergence for SMS — created orphan rows).
+        $uniqueKey = SupplierProjectGrouping::buildUniqueKeyAgnostic($project);
        foreach ($platforms as $platform) {
-            $uniqueKey = SupplierProjectGrouping::buildUniqueKey($project, $platform);
            $column = 'supplier_'.strtolower($platform).'_project_id';

            // Idempotency: local supplier_projects-запись уже есть?
@@ -537,4 +543,24 @@ class SyncSupplierProjectJob implements ShouldQueue

        return $out;
    }
+
+    /**
+     * R-18 (Stage 4 §4.4.2): ISO target weekday for online supplier sync.
+     *
+     * Slepok cut-off boundary is 21:00 МСК (matches supplier's snapshot fix-point), not midnight.
+     *   hour <  21 МСК → target = today + 1 day
+     *   hour >= 21 МСК → target = today + 2 days
+     *
+     * Before fix: `Carbon::tomorrow('Europe/Moscow')->isoWeekday()` flipped target at midnight
+     * (Thu 23:59 → Fri; Fri 00:01 → Sat), mis-aligning portal sync with supplier's already-fixed
+     * slepok. The post-21:00 portion of day N belongs to slepok dated N+1 (effective day N+2).
+     */
+    public static function targetWeekdayForNow(): int
+    {
+        $msk = Carbon::now('Europe/Moscow');
+
+        return $msk->hour >= 21
+            ? $msk->copy()->addDays(2)->startOfDay()->isoWeekday()
+            : $msk->copy()->addDay()->startOfDay()->isoWeekday();
+    }
 }
@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Mail;
+
+use App\Models\Tenant;
+use App\Services\Billing\PreflightResult;
+use Illuminate\Bus\Queueable;
+use Illuminate\Mail\Mailable;
+use Illuminate\Mail\Mailables\Content;
+use Illuminate\Mail\Mailables\Envelope;
+use Illuminate\Queue\SerializesModels;
+
+/**
+ * Финальное письмо: приём лидов приостановлен 3 дня (Billing v2 Spec C §3.7, T+72h).
+ * После него повторов нет до следующего цикла заморозки.
+ */
+final class BalanceFrozenFinalMail extends Mailable
+{
+    use Queueable;
+    use SerializesModels;
+
+    public function __construct(
+        public readonly Tenant $tenant,
+        public readonly PreflightResult $result,
+    ) {}
+
+    public function envelope(): Envelope
+    {
+        return new Envelope(
+            subject: 'Приём лидов приостановлен 3 дня',
+            to: [$this->tenant->contact_email],
+        );
+    }
+
+    public function content(): Content
+    {
+        return new Content(view: 'emails.balance_frozen_final');
+    }
+}
@@ -0,0 +1,42 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Mail;
+
+use App\Models\Tenant;
+use App\Services\Billing\PreflightResult;
+use Illuminate\Bus\Queueable;
+use Illuminate\Mail\Mailable;
+use Illuminate\Mail\Mailables\Content;
+use Illuminate\Mail\Mailables\Envelope;
+use Illuminate\Queue\SerializesModels;
+
+/**
+ * Письмо клиенту: приём лидов приостановлен из-за нехватки баланса (Billing v2 Spec C §3.7).
+ *
+ * Триггер: BalancePreflightSweepJob при переходе тенанта active → frozen (cut-off 18:00 MSK).
+ */
+final class BalanceFrozenMail extends Mailable
+{
+    use Queueable;
+    use SerializesModels;
+
+    public function __construct(
+        public readonly Tenant $tenant,
+        public readonly PreflightResult $result,
+    ) {}
+
+    public function envelope(): Envelope
+    {
+        return new Envelope(
+            subject: 'Приём лидов приостановлен — недостаточно баланса',
+            to: [$this->tenant->contact_email],
+        );
+    }
+
+    public function content(): Content
+    {
+        return new Content(view: 'emails.balance_frozen');
+    }
+}
@@ -0,0 +1,40 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Mail;
+
+use App\Models\Tenant;
+use App\Services\Billing\PreflightResult;
+use Illuminate\Bus\Queueable;
+use Illuminate\Mail\Mailable;
+use Illuminate\Mail\Mailables\Content;
+use Illuminate\Mail\Mailables\Envelope;
+use Illuminate\Queue\SerializesModels;
+
+/**
+ * Письмо-напоминание: приём лидов всё ещё приостановлен (Billing v2 Spec C §3.7, T+24h).
+ */
+final class BalanceFrozenReminderMail extends Mailable
+{
+    use Queueable;
+    use SerializesModels;
+
+    public function __construct(
+        public readonly Tenant $tenant,
+        public readonly PreflightResult $result,
+    ) {}
+
+    public function envelope(): Envelope
+    {
+        return new Envelope(
+            subject: 'Приём лидов всё ещё приостановлен',
+            to: [$this->tenant->contact_email],
+        );
+    }
+
+    public function content(): Content
+    {
+        return new Content(view: 'emails.balance_frozen_reminder');
+    }
+}
@@ -0,0 +1,42 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Mail;
+
+use App\Models\Tenant;
+use App\Services\Billing\PreflightResult;
+use Illuminate\Bus\Queueable;
+use Illuminate\Mail\Mailable;
+use Illuminate\Mail\Mailables\Content;
+use Illuminate\Mail\Mailables\Envelope;
+use Illuminate\Queue\SerializesModels;
+
+/**
+ * Письмо клиенту: приём лидов возобновлён (Billing v2 Spec C §3.7).
+ *
+ * Триггер: BalancePreflightSweepJob при переходе frozen → active (пополнение/снижение лимита).
+ */
+final class BalanceUnfrozenMail extends Mailable
+{
+    use Queueable;
+    use SerializesModels;
+
+    public function __construct(
+        public readonly Tenant $tenant,
+        public readonly PreflightResult $result,
+    ) {}
+
+    public function envelope(): Envelope
+    {
+        return new Envelope(
+            subject: 'Приём лидов возобновлён',
+            to: [$this->tenant->contact_email],
+        );
+    }
+
+    public function content(): Content
+    {
+        return new Content(view: 'emails.balance_unfrozen');
+    }
+}
@@ -0,0 +1,51 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Mail;
+
+use Carbon\CarbonInterface;
+use Illuminate\Bus\Queueable;
+use Illuminate\Mail\Mailable;
+use Illuminate\Mail\Mailables\Content;
+use Illuminate\Mail\Mailables\Envelope;
+use Illuminate\Queue\SerializesModels;
+
+/**
+ * Email алерт админу Лидерры о business-shortfall'е тенанта: snapshot ожидал
+ * объём X, фактически доставили Y и (X-Y)/X > порога (20%).
+ *
+ * Отдельно от CsvDriftAlertMail — тот ловит webhook-loss (CSV vs БД),
+ * этот — bizness-drift (snapshot.expected vs delivered).
+ *
+ * Stage 4 §4.4.4 R-05.
+ */
+final class TenantBusinessDriftAlertMail extends Mailable
+{
+    use Queueable;
+    use SerializesModels;
+
+    public function __construct(
+        public readonly int $tenantId,
+        public readonly string $snapshotDate,
+        public readonly int $expected,
+        public readonly int $delivered,
+        public readonly float $shortfallRatio,
+        public readonly CarbonInterface $windowStart,
+        public readonly CarbonInterface $windowEnd,
+    ) {}
+
+    public function envelope(): Envelope
+    {
+        $pct = number_format($this->shortfallRatio * 100, 1, ',', ' ');
+
+        return new Envelope(
+            subject: "Лидерра ↔ Поставщик: business-shortfall tenant #{$this->tenantId} за {$this->snapshotDate} ({$pct}%)",
+        );
+    }
+
+    public function content(): Content
+    {
+        return new Content(view: 'emails.tenant_business_drift_alert');
+    }
+}
@@ -29,6 +29,8 @@ use Illuminate\Support\Facades\DB;
 * @property string $deadline_at
 * @property string|null $completed_at
 * @property bool $processing_restricted
+ *
+ * @mixin IdeHelperPdSubjectRequest
 */
 class PdSubjectRequest extends Model
 {
@@ -64,6 +64,8 @@ class Project extends Model
        // Plan 2/5 Task 1 (schema v8.18): дневной счётчик доставленных лидов
        // (сбрасывается cron'ом в 00:00 МСК, используется LeadRouter'ом).
        'delivered_today',
+        // Billing v2 Spec C: флаг точечной блокировки проекта по преfflight (NULL = не заблокирован).
+        'preflight_blocked_at',
    ];

    protected function casts(): array
@@ -81,6 +83,8 @@ class Project extends Model
            'delivery_days_mask' => 'integer',
            'ttfr_target_minutes' => 'integer',
            'effective_limit_calculated_at' => 'datetime',
+            // Billing v2 Spec C: флаг преfflight-блокировки проекта.
+            'preflight_blocked_at' => 'datetime',
            'created_at' => 'datetime',
            'updated_at' => 'datetime',
            // Supplier integration:
@@ -8,12 +8,15 @@ use Illuminate\Database\Eloquent\Model;

 /**
 * Замок «поставка ↔ клиент» (Billing v2 Spec B). Композитный PK без автоинкремента.
+ *
 * Пишется в шеринг-пути (RouteSupplierLeadJob) через insertOrIgnore под RLS-контекстом.
 *
 * @property int $supplier_lead_id
 * @property int $tenant_id
 * @property int|null $deal_id
 * @property string $created_at
+ *
+ * @mixin IdeHelperSupplierLeadDelivery
 */
 class SupplierLeadDelivery extends Model
 {
@@ -25,6 +25,8 @@ use Illuminate\Support\Carbon;
 * @property int|null $resolved_by_user_id
 * @property Carbon|null $created_at
 * @property Carbon|null $resolved_at
+ *
+ * @mixin IdeHelperSupplierManualSyncQueue
 */
 class SupplierManualSyncQueue extends Model
 {
@@ -10,6 +10,7 @@ use Illuminate\Database\Eloquent\Model;
 use Illuminate\Database\Eloquent\Relations\BelongsTo;
 use Illuminate\Database\Eloquent\Relations\HasMany;
 use Illuminate\Database\Eloquent\SoftDeletes;
+use Illuminate\Support\Facades\DB;

 /**
 * Тенант — клиент SaaS-портала Лидерра.
@@ -44,6 +45,7 @@ class Tenant extends Model
        'delivered_in_month',
        'api_key_limit',
        'limits',
+        'frozen_by_balance_at',
    ];

    protected function casts(): array
@@ -61,6 +63,8 @@ class Tenant extends Model
            'limits' => 'array',
            'last_activity_at' => 'datetime',
            'last_webhook_at' => 'datetime',
+            // Billing v2 Spec C: флаг заморозки по балансу (NULL = не заморожен).
+            'frozen_by_balance_at' => 'datetime',
            'created_at' => 'datetime',
            'updated_at' => 'datetime',
            'deleted_at' => 'datetime',
@@ -79,6 +83,77 @@ class Tenant extends Model
        return $this->hasMany(Project::class);
    }

+    /**
+     * Сумма daily_limit_target активных проектов — «сколько лидов клиент хочет в день».
+     * Используется преfflight'ом (Billing v2 Spec C §3.3) как requiredLeads.
+     *
+     * NB: фильтр по `is_active` (boolean), не `status` — у projects нет колонки status.
+     */
+    public function requiredLeadsForTomorrow(): int
+    {
+        // R-19 (Stage 4 §4.4.3): share-aware preflight. For each active project
+        // count the tenant's PROPORTIONAL share of the supplier group order (not
+        // the raw daily_limit_target), since the supplier caps the group at
+        // max(max(limits), ceil(Σ/3)) and splits it across all clients sharing
+        // the same signal_identifier. Legacy projects (signal_type=null —
+        // webhook-only, no supplier sharing) still count their full limit.
+        $projects = $this->projects()->where('is_active', true)->get();
+        if ($projects->isEmpty()) {
+            return 0;
+        }
+
+        $total = 0;
+        foreach ($projects as $p) {
+            // Webhook-only legacy projects don't participate in supplier sharing.
+            if (! in_array($p->signal_type, ['site', 'call', 'sms'], true)) {
+                $total += (int) $p->daily_limit_target;
+
+                continue;
+            }
+
+            $groupLimits = DB::connection('pgsql_supplier')
+                ->table('projects')
+                ->where('is_active', true)
+                ->where('signal_type', $p->signal_type)
+                ->where(function ($q) use ($p): void {
+                    if (in_array($p->signal_type, ['site', 'call'], true)) {
+                        $q->where('signal_identifier', $p->signal_identifier);
+                    } else {
+                        // sms: agnostic group is (first sender, keyword-or-NULL).
+                        $firstSender = (string) ($p->sms_senders[0] ?? '');
+                        $q->whereJsonContains('sms_senders', $firstSender);
+                        if ($p->sms_keyword !== null && $p->sms_keyword !== '') {
+                            $q->where('sms_keyword', $p->sms_keyword);
+                        } else {
+                            $q->whereNull('sms_keyword');
+                        }
+                    }
+                })
+                ->pluck('daily_limit_target')
+                ->all();
+
+            if ($groupLimits === []) {
+                // Edge: project not yet visible from pgsql_supplier view (cross-conn race).
+                // Conservatively count full limit — avoids underestimating preflight.
+                $total += (int) $p->daily_limit_target;
+
+                continue;
+            }
+
+            $intLimits = array_map('intval', $groupLimits);
+            $sum = (int) array_sum($intLimits);
+            $max = (int) max($intLimits);
+            $groupOrder = max($max, (int) ceil($sum / 3));
+
+            if ($sum > 0) {
+                $share = (int) ceil($groupOrder * ((int) $p->daily_limit_target / $sum));
+                $total += $share;
+            }
+        }
+
+        return $total;
+    }
+
    /** @return BelongsTo<TariffPlan, $this> */
    public function tariff(): BelongsTo
    {
@@ -0,0 +1,104 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\Audit;
+
+use InvalidArgumentException;
+
+/**
+ * Shared config hash-chain for 6 audit tables.
+ *
+ * Single source of truth for writer (db/schema.sql trigger audit_chain_hash()),
+ * verify (App\Console\Commands\VerifyAuditChains) and rebuild
+ * (App\Console\Commands\AuditRebuildChain).
+ *
+ * ADR-018: per-tenant via RLS scope for tenant tables,
+ * global for BYPASSRLS tables.
+ *
+ * columns: list in ordinal_position order from db/schema.sql.
+ *   '__log_hash__' -- marker for log_hash position -> NULL::bytea in ROW().
+ *
+ * partition: SQL fragment for OVER (PARTITION BY ... ORDER BY id),
+ *   reproducing the RLS-scope of the trigger.
+ *   '' = global chain within partition (for BYPASSRLS tables).
+ */
+final class AuditChainConfig
+{
+    /**
+     * @var array<string, array{columns: list<string>, partition: string}>
+     */
+    public const TABLES = [
+        'auth_log' => [
+            'columns' => [
+                'id', 'actor_type', 'tenant_id', 'user_id', 'saas_admin_user_id',
+                'email', 'event', 'ip_address', 'user_agent', 'failure_reason',
+                '__log_hash__', 'created_at',
+            ],
+            'partition' => '',
+        ],
+        'activity_log' => [
+            'columns' => [
+                'id', 'tenant_id', 'user_id', 'deal_id', 'event',
+                'old_value', 'new_value', 'context', 'ip_address', 'user_agent',
+                '__log_hash__', 'created_at',
+            ],
+            'partition' => 'PARTITION BY tenant_id',
+        ],
+        'tenant_operations_log' => [
+            'columns' => [
+                'id', 'tenant_id', 'user_id', 'entity_type', 'entity_id',
+                'event', 'payload_before', 'payload_after', 'ip_address', 'user_agent',
+                '__log_hash__', 'created_at',
+            ],
+            'partition' => 'PARTITION BY tenant_id',
+        ],
+        'balance_transactions' => [
+            'columns' => [
+                'id', 'tenant_id', 'type', 'amount_rub', 'amount_leads',
+                'balance_rub_after', 'balance_leads_after', 'description',
+                'related_type', 'related_id', 'user_id', 'admin_user_id',
+                '__log_hash__', 'created_at',
+            ],
+            'partition' => 'PARTITION BY tenant_id',
+        ],
+        'pd_processing_log' => [
+            'columns' => [
+                'id', 'tenant_id', 'subject_type', 'subject_id', 'action',
+                'purpose', 'actor_tenant_user_id', 'actor_admin_user_id', 'ip_address',
+                '__log_hash__', 'created_at',
+            ],
+            'partition' => 'PARTITION BY tenant_id',
+        ],
+        'saas_admin_audit_log' => [
+            'columns' => [
+                'id', 'admin_user_id', 'action', 'target_type', 'target_id',
+                'target_tenant_id', 'payload_before', 'payload_after', 'reason',
+                'ip_address', 'user_agent', 'requires_approval', 'approved_by', 'approved_at',
+                '__log_hash__', 'created_at',
+            ],
+            'partition' => '',
+        ],
+    ];
+
+    /**
+     * Build ROW(col1, col2, ..., NULL::bytea, ..., coln) with NULL::bytea at log_hash position.
+     *
+     * @throws InvalidArgumentException if table is not registered in TABLES
+     */
+    public static function rowExpression(string $table): string
+    {
+        if (! isset(self::TABLES[$table])) {
+            throw new InvalidArgumentException(
+                "Table '{$table}' is not registered in AuditChainConfig::TABLES"
+            );
+        }
+
+        $parts = [];
+        foreach (self::TABLES[$table]['columns'] as $col) {
+            $parts[] = ($col === '__log_hash__') ? 'NULL::bytea' : "t.{$col}";
+        }
+
+        return 'ROW('.implode(', ', $parts).')';
+    }
+}
@@ -0,0 +1,49 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\Billing;
+
+use App\Models\PricingTier;
+use Illuminate\Database\Eloquent\Collection;
+
+/**
+ * Pure: проходит ли клиент преfflight — хватает ли баланса на ПОЛНЫЙ дневной
+ * лимит всех его eligible-проектов по текущему тарифу.
+ *
+ * Сравнение в ЛИДАХ (capacity vs required), не в рублях — переиспользует
+ * BalanceToLeadsConverter::convert, который учитывает 7 ступеней и накопленный
+ * месячный объём (deliveredInMonth).
+ *
+ * Spec: docs/superpowers/specs/2026-05-24-billing-v2-spec-c-preflight-vtb-design.md §3.3
+ */
+final class BalancePreflightService
+{
+    public function __construct(
+        private readonly BalanceToLeadsConverter $converter = new BalanceToLeadsConverter,
+    ) {}
+
+    /**
+     * @param  Collection<int, PricingTier>  $tiers
+     */
+    public function evaluate(
+        string $balanceRub,
+        int $deliveredInMonth,
+        int $requiredLeads,
+        Collection $tiers,
+    ): PreflightResult {
+        if ($requiredLeads <= 0) {
+            return new PreflightResult(true, 0, 0, 0);
+        }
+
+        $capacity = (int) $this->converter->convert($balanceRub, $deliveredInMonth, $tiers)['leads'];
+        $passes = $capacity >= $requiredLeads;
+
+        return new PreflightResult(
+            passes: $passes,
+            requiredLeads: $requiredLeads,
+            capacityLeads: $capacity,
+            deficitLeads: $passes ? 0 : ($requiredLeads - $capacity),
+        );
+    }
+}
@@ -56,6 +56,17 @@ final class LedgerService
        );
        $priceKopecks = (int) $tier->price_per_lead_kopecks;

+        // R-03 (Stage 3 §4.3.1): frozen tenant must not receive new charges even
+        // if balance_rub > 0. Throwing here triggers the same auto-pause flow as
+        // InsufficientBalance — RouteSupplierLeadJob::handleInsufficientBalance
+        // flips projects.is_active=false and queues ZeroBalancePausedMail rate-limited.
+        if ($lockedTenant->frozen_by_balance_at !== null) {
+            throw new InsufficientBalanceException(
+                priceKopecks: $priceKopecks,
+                balanceRub: (string) $lockedTenant->balance_rub,
+            );
+        }
+
        // bcmath: balance_rub × 100 ≥ priceKopecks — единственный путь списания.
        // Billing v2 Spec A: prepaid-лиды убраны, balance_leads НЕ читается и НЕ изменяется.
        $balanceKopecks = bcmul((string) $lockedTenant->balance_rub, '100', 0);
@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\Billing;
+
+/**
+ * Результат преfflight-проверки платёжеспособности тенанта (Billing v2 Spec C).
+ *
+ * Spec: docs/superpowers/specs/2026-05-24-billing-v2-spec-c-preflight-vtb-design.md §3.3
+ */
+final class PreflightResult
+{
+    public function __construct(
+        public readonly bool $passes,
+        public readonly int $requiredLeads,
+        public readonly int $capacityLeads,
+        public readonly int $deficitLeads,
+    ) {}
+}
@@ -9,13 +9,22 @@ use App\Models\SupplierProject;
 use Illuminate\Support\Carbon;
 use Illuminate\Support\Collection;
 use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Log;

 /**
 * Подбор eligible Лидерра-проектов для входящего лида (sharing-model §6).
 *
- * Eligibility — структурно через pivot project_supplier_links: проект eligible,
- * если связан с пришедшим supplier_project (= источник × субъект) + активен +
- * сегодня рабочий день + есть остаток лимита + у тенанта есть баланс.
+ * Eligibility — структурно через snapshot `project_routing_snapshots` за активную
+ * дату слепка (slepok-инвариант): до 21:00 МСК активен snapshot сегодняшней даты,
+ * с 21:00 МСК — завтрашней. Все эффективные параметры маршрутизации
+ * (daily_limit, delivery_days_mask, regions, signal_type/signal_identifier и т.д.)
+ * берутся из snapshot. Из live `projects` — только `delivered_today` (счётчик
+ * остатка лимита, обновляется в течение дня) и из `tenants` — `balance_rub`
+ * (live auto-pause при нулевом балансе).
+ *
+ * Это закрывает R-01..R-04, R-06..R-08, R-15 (spec §1.3) — клиент Лидерры,
+ * который paus'нул проект ПОСЛЕ зафиксированного слепка поставщика, всё равно
+ * получает свои оплаченные лиды по уже зафиксированному slepok'у.
 *
 * Регион сопоставляется самим supplier_project (тег = субъект) — phone-prefix
 * фильтр убран (эпик миграции проектов, Q5): для мобильных он no-op, а регион
@@ -24,7 +33,7 @@ use Illuminate\Support\Facades\DB;
 * Запрос через connection pgsql_supplier (BYPASSRLS crm_supplier_worker) — в
 * sharing-flow tenant ещё не определён, SELECT видит проекты всех tenant'ов.
 *
- * Spec: docs/superpowers/specs/2026-05-20-project-migration-redesign-design.md §4.5.
+ * Spec: docs/superpowers/specs/2026-05-26-slepok-routing-protection-design.md §4.2.3.
 */
 class LeadRouter
 {
@@ -44,67 +53,120 @@ class LeadRouter
     */
    public function matchEligibleProjects(SupplierProject $supplierProject): Collection
    {
-        // МСК-aligned ISO day-of-week (reset-cron тоже 00:00 МСК).
-        $todayBit = 1 << (Carbon::now('Europe/Moscow')->isoWeekday() - 1);
+        // Активная дата слепка вычисляется в PHP — детерминирована для всего запроса,
+        // тестируема через Carbon::setTestNow, исключает дрейф между PHP- и DB-часами.
+        $activeDate = $this->activeSnapshotDate();

        // Phase 3: для DIRECT-supplier_project — fallback на signal_type+signal_identifier
-        // match с Лидерра-проектами, потому что project_supplier_links для DIRECT-row'ов
-        // не создаются (новые DIRECT supplier_projects создаются автоматически при
-        // получении webhook'а без B-префикса; explicit psl-link для них не настраивается).
+        // match с Лидерра-проектами через snapshot (project_supplier_links для
+        // DIRECT-row'ов не создаются — DIRECT supplier_projects создаются автоматически
+        // при получении webhook'а без B-префикса).
        if ($supplierProject->platform === 'DIRECT') {
            $directSql = <<<'SQL'
-                SELECT DISTINCT ON (projects.tenant_id) projects.*
-                FROM projects
-                WHERE projects.signal_type = ?
-                  AND LOWER(projects.signal_identifier) = LOWER(?)
-                  AND projects.is_active = true
-                  AND (projects.delivery_days_mask & ?) <> 0
-                  AND projects.delivered_today < COALESCE(projects.effective_daily_limit_today, projects.daily_limit_target)
+                SELECT DISTINCT ON (snap.tenant_id)
+                    projects.*,
+                    snap.daily_limit AS snapshot_daily_limit
+                FROM project_routing_snapshots snap
+                INNER JOIN projects ON projects.id = snap.project_id
+                WHERE snap.snapshot_date = ?::date
+                  AND snap.signal_type = ?
+                  AND LOWER(snap.signal_identifier) = LOWER(?)
+                  AND projects.delivered_today < snap.daily_limit
                  AND EXISTS (
                      SELECT 1 FROM tenants
-                      WHERE tenants.id = projects.tenant_id
-                        AND (tenants.balance_leads > 0 OR tenants.balance_rub > 0)
+                      WHERE tenants.id = snap.tenant_id
+                        AND tenants.balance_rub > 0
+                        -- R-03: frozen tenant must not receive new leads (Stage 3 §4.3.1)
+                        AND tenants.frozen_by_balance_at IS NULL
                  )
-                ORDER BY
-                    projects.tenant_id,
-                    (COALESCE(projects.effective_daily_limit_today, projects.daily_limit_target) - projects.delivered_today) DESC,
-                    projects.created_at,
-                    projects.id
+                ORDER BY snap.tenant_id,
+                         (snap.daily_limit - projects.delivered_today) DESC,
+                         projects.created_at,
+                         projects.id
            SQL;
            $directRows = DB::connection('pgsql_supplier')->select(
                $directSql,
-                [$supplierProject->signal_type, $supplierProject->unique_key, $todayBit]
+                [$activeDate, $supplierProject->signal_type, $supplierProject->unique_key]
            );

+            $this->logIfNoSnapshot($directRows, $supplierProject, $activeDate);
+
            return Project::hydrate($directRows)->values();
        }

        // Existing B1/B2/B3 path — explicit project_supplier_links pivot.
        $sql = <<<'SQL'
-            SELECT DISTINCT ON (projects.tenant_id) projects.*
-            FROM projects
-            WHERE EXISTS (
-                SELECT 1 FROM project_supplier_links psl
-                WHERE psl.project_id = projects.id
-                  AND psl.supplier_project_id = ?
-            )
-            AND projects.is_active = true
-            AND (projects.delivery_days_mask & ?) <> 0
-            AND projects.delivered_today < COALESCE(projects.effective_daily_limit_today, projects.daily_limit_target)
-            AND EXISTS (
-                SELECT 1 FROM tenants
-                WHERE tenants.id = projects.tenant_id
-                  AND (tenants.balance_leads > 0 OR tenants.balance_rub > 0)
-            )
-            ORDER BY
-                projects.tenant_id,
-                (COALESCE(projects.effective_daily_limit_today, projects.daily_limit_target) - projects.delivered_today) DESC,
-                projects.created_at,
-                projects.id
+            SELECT DISTINCT ON (snap.tenant_id)
+                projects.*,
+                snap.daily_limit AS snapshot_daily_limit
+            FROM project_routing_snapshots snap
+            INNER JOIN projects ON projects.id = snap.project_id
+            WHERE snap.snapshot_date = ?::date
+              AND EXISTS (
+                  SELECT 1 FROM project_supplier_links psl
+                  WHERE psl.project_id = snap.project_id
+                    AND psl.supplier_project_id = ?
+              )
+              AND projects.delivered_today < snap.daily_limit
+              AND EXISTS (
+                  SELECT 1 FROM tenants
+                  WHERE tenants.id = snap.tenant_id
+                    AND tenants.balance_rub > 0
+                    -- R-03: frozen tenant must not receive new leads (Stage 3 §4.3.1)
+                    AND tenants.frozen_by_balance_at IS NULL
+              )
+            ORDER BY snap.tenant_id,
+                     (snap.daily_limit - projects.delivered_today) DESC,
+                     projects.created_at,
+                     projects.id
        SQL;
+        $rows = DB::connection('pgsql_supplier')->select($sql, [$activeDate, $supplierProject->id]);

-        $rows = DB::connection('pgsql_supplier')->select($sql, [$supplierProject->id, $todayBit]);
+        $this->logIfNoSnapshot($rows, $supplierProject, $activeDate);

        return Project::hydrate($rows)->values();
    }
+
+    /**
+     * Активная дата слепка по правилу slepok-инварианта:
+     *   до 21:00 МСК — сегодняшняя дата;
+     *   с 21:00 МСК — завтрашняя.
+     *
+     * Spec §4.2.3.
+     */
+    private function activeSnapshotDate(): string
+    {
+        $msk = Carbon::now('Europe/Moscow');
+
+        return $msk->hour >= 21
+            ? $msk->copy()->addDay()->toDateString()
+            : $msk->toDateString();
+    }
+
+    /**
+     * Fail-loud: пишет в лог если по активной дате слепка вообще нет ни одной строки
+     * snapshot'а — это значит, что cron `SnapshotProjectRoutingJob` не отработал.
+     * (Если строки есть, но ни одна не сматчилась — это валидный 0-результат, не алерт.)
+     *
+     * @param  array<int, object>  $rows
+     */
+    private function logIfNoSnapshot(array $rows, SupplierProject $supplierProject, string $activeDate): void
+    {
+        if ($rows !== []) {
+            return;
+        }
+
+        $snapshotEmpty = DB::connection('pgsql_supplier')
+            ->table('project_routing_snapshots')
+            ->where('snapshot_date', $activeDate)
+            ->doesntExist();
+
+        if ($snapshotEmpty) {
+            Log::error('lead_router.no_snapshot_for_active_date', [
+                'active_date' => $activeDate,
+                'supplier_project_id' => $supplierProject->id,
+                'platform' => $supplierProject->platform,
+            ]);
+        }
+    }
 }
@@ -57,6 +57,8 @@ class MonthlyPartitionManager
        'balance_transactions' => 'created_at',
        'pd_processing_log' => 'created_at',
        'saas_admin_audit_log' => 'created_at',
+        // Slepok routing (Этап 2, 27.05.2026)
+        'project_routing_snapshots' => 'snapshot_date',
    ];

    /**
@@ -106,7 +106,26 @@ class ProjectService
            SyncSupplierProjectJob::dispatch($project->id);
        }

-        return $project->fresh();
+        // Task 2.8 (Spec §4.2.5): для каждого изменённого slepok-sensitive поля
+        // вычислить applies_from — момент, с которого правка реально вступит в силу
+        // (slepok-инвариант: до 18:00 МСК → сегодня 21:00 МСК, после → завтра 21:00 МСК).
+        // Берём максимум среди затронутых полей. NULL = применяется немедленно.
+        $appliesFrom = null;
+        foreach (SupplierSnapshotGuard::SLEPOK_SENSITIVE_FIELDS as $field) {
+            if (! array_key_exists($field, $data)) {
+                continue;
+            }
+            $candidate = $this->snapshotGuard->appliesFrom($project, $field);
+            if ($candidate !== null && ($appliesFrom === null || $candidate->gt($appliesFrom))) {
+                $appliesFrom = $candidate;
+            }
+        }
+
+        $fresh = $project->fresh();
+        // Dynamic attribute — не в БД, сериализуется ProjectResource (Task 2.11).
+        $fresh->applies_from = $appliesFrom;
+
+        return $fresh;
    }

    /**
@@ -62,6 +62,59 @@ class SupplierSnapshotGuard
        return $effectiveNow->lt($graceUntil);
    }

+    /**
+     * Slepok-sensitive поля проекта — изменения этих полей попадают в slepok №NЛ
+     * (фиксируется в 18:00 МСК) и начинают действовать с N.21:00 МСК.
+     *
+     * Spec §4.2.5 — Task 2.7.
+     */
+    public const SLEPOK_SENSITIVE_FIELDS = [
+        'is_active',
+        'daily_limit_target',
+        'delivery_days_mask',
+        'regions',
+        'signal_identifier',
+        'sms_senders',
+        'sms_keyword',
+    ];
+
+    /**
+     * Возвращает момент, с которого правка `$field` вступит в силу:
+     *   правка до 18:00 МСК → сегодня в 21:00 МСК;
+     *   правка с 18:00 МСК и позже → завтра в 21:00 МСК.
+     *
+     * Возвращает null когда правка применяется немедленно:
+     *   поле не slepok-sensitive (см. SLEPOK_SENSITIVE_FIELDS), либо
+     *   проект не связан с поставщиком (нет project_supplier_links → нет slepok-риска).
+     *
+     * Используется ProjectService (Task 2.8) для прикрепления к UI-ответу
+     * метки «изменения вступят в силу с DD.MM HH:MM».
+     *
+     * Spec §4.2.5.
+     */
+    public function appliesFrom(Project $project, string $field): ?CarbonImmutable
+    {
+        if (! in_array($field, self::SLEPOK_SENSITIVE_FIELDS, true)) {
+            return null;
+        }
+
+        $hasLinks = DB::table('project_supplier_links')
+            ->where('project_id', $project->id)
+            ->exists();
+        if (! $hasLinks) {
+            return null;
+        }
+
+        $nowMsk = CarbonImmutable::now('Europe/Moscow');
+        $todayCutoff = $nowMsk->setTime(18, 0, 0);
+
+        if ($nowMsk->gte($todayCutoff)) {
+            return $nowMsk->addDay()->setTime(21, 0, 0);
+        }
+
+        return $nowMsk->setTime(21, 0, 0);
+    }
+
    /**
     * @param  'delete'|'change_source'  $action
     */
@@ -178,9 +178,11 @@ class SupplierProjectImporter
                ]);
                $createdProjects++;

+                // R-17 (Stage 4 §4.4.1): unified agnostic key — was per-platform divergence
+                // for SMS (B3 used sender alone, B2 sender+keyword) creating orphan rows.
+                $uniqueKey = SupplierProjectGrouping::buildUniqueKeyAgnostic($project);
                foreach ($item['platforms'] as $pl) {
                    $platform = (string) $pl['platform'];
-                    $uniqueKey = SupplierProjectGrouping::buildUniqueKey($project, $platform);

                    /** @var SupplierProject $sp */
                    $sp = SupplierProject::on(self::DB_CONNECTION)->firstOrCreate(
@@ -19,37 +19,14 @@ use App\Models\Project;
 final class SupplierProjectGrouping
 {
    /**
-     * Строит unique_key для пары (project, platform):
-     *   site/call  → signal_identifier (домен / телефон)
-     *   sms B2     → sender + '+' + keyword
-     *   sms B3     → sender
-     *
-     * Для ночного батч-джоба используйте buildUniqueKeyNoplatform() — он
-     * выбирает B2-ключ автоматически при наличии keyword.
-     */
-    public static function buildUniqueKey(Project $project, string $platform): string
-    {
-        if (in_array($project->signal_type, ['site', 'call'], true)) {
-            return (string) $project->signal_identifier;
-        }
-
-        // sms
-        $sender = (string) ($project->sms_senders[0] ?? '');
-
-        if ($platform === 'B2') {
-            return $sender.'+'.($project->sms_keyword ?? '');
-        }
-
-        // B3
-        return $sender;
-    }
-
-    /**
-     * Unique identifier key без привязки к конкретной платформе
-     * (для группировки в ночном батч-джобе):
+     * Unique identifier key — единая агностическая формула для всех платформ
+     * (Stage 4 §4.4.1 R-17, ранее разделялась на platform-specific buildUniqueKey:
+     * B3 использовал sender alone, B2 sender+keyword, что создавало orphan
+     * supplier_projects при rebalance шеринга — мы не могли сопоставить B2/B3
+     * как одну группу):
     *   site/call → signal_identifier
-     *   sms+keyword → sender+keyword  (B2 ключ)
-     *   sms без keyword → sender       (B3 ключ)
+     *   sms+keyword → sender+keyword
+     *   sms без keyword → sender
     */
    public static function buildUniqueKeyAgnostic(Project $project): string
    {
@@ -95,7 +72,6 @@ final class SupplierProjectGrouping
    public static function subjectsOf(Project $project): array
    {
        $regions = array_values((array) $project->regions);
-        // @phpstan-ignore-next-line identical.alwaysFalse — PostgresIntArray PHPDoc non-empty, runtime can be empty
        if (count($regions) === 0) {
            return [null];
        }
@@ -8,6 +8,7 @@ use Illuminate\Foundation\Configuration\Exceptions;
 use Illuminate\Foundation\Configuration\Middleware;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Log;
+use Illuminate\Validation\ValidationException;

 return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
@@ -33,12 +34,43 @@ return Application::configure(basePath: dirname(__DIR__))
        ]);
    })
    ->withExceptions(function (Exceptions $exceptions): void {
+        // Reduce verbosity of constraint-violation logging (SQLSTATE 23xxx):
+        // data-validity errors do not need a full stack trace в laravel.log.
+        // Incident 2026-05-29: 420k повторов B1+SMS check_violation накопили
+        // 8.7 GB stack traces → disk full → 4h prod downtime.
+        // Solution: log a warning summary с sqlstate, return false to stop
+        // default reporting (which would write full stack trace).
+        // Ref: docs/incidents/2026-05-29-disk-full-pg-recovery.md §5
+        $exceptions->reportable(function (QueryException $e) {
+            $sqlState = $e->errorInfo[0] ?? '';
+            if (is_string($sqlState) && str_starts_with($sqlState, '23')) {
+                Log::warning('db.constraint_violation', [
+                    'sqlstate' => $sqlState,
+                    'message' => mb_substr($e->getMessage(), 0, 200),
+                ]);
+
+                return false; // skip default reporting (no stack trace в laravel.log)
+            }
+
+            return null; // continue default reporting для non-constraint QueryExceptions
+        });
+
        $exceptions->render(function (QueryException $e, Request $request) {
-            Log::error('db.query_exception', [
-                'message' => $e->getMessage(),
-                'sql' => $e->getSql(),
-                'path' => $request->path(),
-            ]);
+            $sqlState = $e->errorInfo[0] ?? '';
+            $isConstraintViolation = is_string($sqlState) && str_starts_with($sqlState, '23');
+
+            if (! $isConstraintViolation) {
+                // Default verbose log для non-constraint QueryExceptions (table missing,
+                // syntax error, etc. — these are bugs needing investigation).
+                Log::error('db.query_exception', [
+                    'message' => $e->getMessage(),
+                    'sql' => $e->getSql(),
+                    'path' => $request->path(),
+                ]);
+            }
+            // Constraint violations уже залогированы в reportable() выше как warning,
+            // дублировать не нужно.
+
            if ($request->expectsJson()) {
                return response()->json([
                    'message' => 'Не удалось сохранить. Проверьте данные или попробуйте ещё раз.',
@@ -52,13 +84,14 @@ return Application::configure(basePath: dirname(__DIR__))
        // Without this render, Laravel's default ValidationException handler returns
        // 302 redirect to /, which strips POST body — losing supplier leads.
        // Confirmed 2026-05-25: 76 of 234 webhook hits today got 302 instead of 422.
-        $exceptions->render(function (\Illuminate\Validation\ValidationException $e, Request $request) {
+        $exceptions->render(function (ValidationException $e, Request $request) {
            if ($request->is('api/webhook/supplier/*')) {
                return response()->json([
                    'message' => 'Validation failed',
                    'errors' => $e->errors(),
                ], 422);
            }
+
            return null; // default render for other routes
        });
    })->create();
@@ -0,0 +1,69 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Support\Facades\DB;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        // Всё DDL через pgsql_supplier — избегаем deadlock при смешивании соединений.
+        // Laravel оборачивает миграцию в транзакцию на дефолтном pgsql; ALTER TABLE tenants
+        // на pgsql + CREATE TABLE с FK на tenants через pgsql_supplier = взаимная блокировка.
+        // На dev pgsql_supplier = postgres superuser (те же права), на prod — явные GRANT'ы ниже.
+        $supplier = DB::connection('pgsql_supplier');
+
+        // Флаги заморозки. tenant-level — пассивный износ; project-level — точечная перегрузка.
+        $supplier->statement('ALTER TABLE tenants ADD COLUMN IF NOT EXISTS frozen_by_balance_at TIMESTAMPTZ NULL');
+        $supplier->statement('ALTER TABLE projects ADD COLUMN IF NOT EXISTS preflight_blocked_at TIMESTAMPTZ NULL');
+
+        $supplier->statement('CREATE INDEX IF NOT EXISTS tenants_frozen_by_balance_idx ON tenants (frozen_by_balance_at) WHERE frozen_by_balance_at IS NOT NULL');
+        $supplier->statement('CREATE INDEX IF NOT EXISTS projects_preflight_blocked_idx ON projects (preflight_blocked_at) WHERE preflight_blocked_at IS NOT NULL');
+
+        // Журнал заморозок/разморозок. Создаём через pgsql_supplier (урок Спека B — prod-роли).
+        $supplier->statement(<<<'SQL'
+            CREATE TABLE IF NOT EXISTS balance_freeze_log (
+                id BIGSERIAL PRIMARY KEY,
+                tenant_id BIGINT NOT NULL REFERENCES tenants(id),
+                event_type VARCHAR(30) NOT NULL,
+                triggered_by VARCHAR(30) NOT NULL,
+                balance_rub_at_event DECIMAL(12,2) NOT NULL,
+                required_leads INTEGER NOT NULL,
+                capacity_leads INTEGER NOT NULL,
+                total_daily_limit INTEGER NOT NULL,
+                details JSONB,
+                created_at TIMESTAMPTZ NOT NULL DEFAULT now()
+            )
+        SQL);
+        $supplier->statement('ALTER TABLE balance_freeze_log ENABLE ROW LEVEL SECURITY');
+        $supplier->statement(<<<'SQL'
+            CREATE POLICY tenant_isolation ON balance_freeze_log
+            USING (tenant_id = current_setting('app.current_tenant_id', true)::bigint)
+        SQL);
+        $supplier->statement('CREATE INDEX IF NOT EXISTS balance_freeze_log_tenant_idx ON balance_freeze_log (tenant_id, created_at DESC)');
+
+        // Гранты для 4 ролей (mirror webhook_dedup_keys / supplier_lead_deliveries).
+        foreach (['crm_app_user', 'crm_supplier_worker', 'crm_migrator', 'crm_admin_user'] as $role) {
+            $supplier->statement(<<<SQL
+                DO \$\$
+                BEGIN
+                    IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '{$role}') THEN
+                        GRANT SELECT, INSERT ON balance_freeze_log TO {$role};
+                        GRANT USAGE, SELECT ON SEQUENCE balance_freeze_log_id_seq TO {$role};
+                    END IF;
+                END
+                \$\$
+            SQL);
+        }
+    }
+
+    public function down(): void
+    {
+        $supplier = DB::connection('pgsql_supplier');
+        $supplier->statement('DROP TABLE IF EXISTS balance_freeze_log');
+        $supplier->statement('ALTER TABLE projects DROP COLUMN IF EXISTS preflight_blocked_at');
+        $supplier->statement('ALTER TABLE tenants DROP COLUMN IF EXISTS frozen_by_balance_at');
+    }
+};
@@ -0,0 +1,95 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Support\Facades\DB;
+
+return new class extends Migration {
+    public function up(): void
+    {
+        // SET ROLE crm_migrator для прода (postgres superuser может SET ROLE).
+        // На dev/testing crm_migrator не имеет GRANT на public schema → пропускаем.
+        try {
+            DB::statement('SET ROLE crm_migrator');
+            $canCreate = DB::selectOne("SELECT has_schema_privilege('crm_migrator', 'public', 'CREATE') AS ok");
+            if (!$canCreate || !$canCreate->ok) {
+                DB::statement('RESET ROLE');
+            }
+        } catch (\Throwable) {
+            // На окружениях без роли — продолжаем как postgres superuser.
+        }
+
+        DB::unprepared(<<<'SQL'
+            CREATE TABLE project_routing_snapshots (
+                snapshot_date      DATE        NOT NULL,
+                project_id         BIGINT      NOT NULL,
+                tenant_id          BIGINT      NOT NULL,
+                daily_limit        INT         NOT NULL CHECK (daily_limit >= 0),
+                delivery_days_mask INT         NOT NULL CHECK (delivery_days_mask BETWEEN 0 AND 127),
+                regions            INT[]       NOT NULL DEFAULT '{}',
+                signal_type        TEXT        NOT NULL CHECK (signal_type IN ('call','site','sms')),
+                signal_identifier  TEXT,
+                sms_senders        JSONB,
+                sms_keyword        TEXT,
+                expected_volume    INT         NOT NULL CHECK (expected_volume >= 0),
+                delivered_count    INT         NOT NULL DEFAULT 0 CHECK (delivered_count >= 0),
+                created_at         TIMESTAMP   NOT NULL DEFAULT NOW(),
+                PRIMARY KEY (snapshot_date, project_id),
+                FOREIGN KEY (tenant_id) REFERENCES tenants(id) ON DELETE CASCADE
+                -- NB: НЕ ссылаемся на projects(id) — проект может быть удалён,
+                --     а snapshot должен пережить (хвост слепка ещё летит).
+            ) PARTITION BY RANGE (snapshot_date);
+
+            CREATE INDEX project_routing_snapshots_tenant_date_idx
+                ON project_routing_snapshots (tenant_id, snapshot_date);
+            CREATE INDEX project_routing_snapshots_signal_idx
+                ON project_routing_snapshots (snapshot_date, signal_type, lower(signal_identifier));
+
+            ALTER TABLE project_routing_snapshots ENABLE ROW LEVEL SECURITY;
+            CREATE POLICY project_routing_snapshots_tenant_isolation
+                ON project_routing_snapshots
+                USING (tenant_id = current_setting('app.current_tenant_id', true)::bigint);
+
+            GRANT SELECT, INSERT, UPDATE ON project_routing_snapshots TO crm_app_user;
+            GRANT SELECT, INSERT, UPDATE, DELETE ON project_routing_snapshots TO crm_supplier_worker;
+
+            -- Партиция для текущего месяца (создаётся также через partitions:create-months).
+            CREATE TABLE project_routing_snapshots_y2026_m05
+                PARTITION OF project_routing_snapshots
+                FOR VALUES FROM ('2026-05-01') TO ('2026-06-01');
+            CREATE TABLE project_routing_snapshots_y2026_m06
+                PARTITION OF project_routing_snapshots
+                FOR VALUES FROM ('2026-06-01') TO ('2026-07-01');
+        SQL);
+
+        // Регистрация в retention (system_settings).
+        $exists = DB::table('system_settings')
+            ->where('key', 'partition_retention_months_project_routing_snapshots')
+            ->exists();
+        if (! $exists) {
+            DB::table('system_settings')->insert([
+                'key' => 'partition_retention_months_project_routing_snapshots',
+                'value' => '3',
+                'type' => 'int',
+                'description' => 'Retention в месяцах для project_routing_snapshots (90 дней)',
+                'updated_at' => now(),
+            ]);
+        }
+    }
+
+    public function down(): void
+    {
+        try {
+            DB::statement('SET ROLE crm_migrator');
+            $canCreate = DB::selectOne("SELECT has_schema_privilege('crm_migrator', 'public', 'CREATE') AS ok");
+            if (!$canCreate || !$canCreate->ok) {
+                DB::statement('RESET ROLE');
+            }
+        } catch (\Throwable) {
+            // На окружениях без роли — продолжаем как postgres superuser.
+        }
+        DB::statement('DROP TABLE IF EXISTS project_routing_snapshots CASCADE');
+        DB::table('system_settings')->where('key', 'partition_retention_months_project_routing_snapshots')->delete();
+    }
+};
@@ -0,0 +1,91 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Support\Facades\DB;
+
+/**
+ * Adds per-partition advisory lock to audit_chain_hash() trigger function.
+ *
+ * Root cause: concurrent INSERT workers (e.g. supplier-webhook handlers) all
+ * read the same prev_hash before any of them commits → multiple rows derive
+ * their hash from the same predecessor → hash chain branches → validator finds
+ * mismatches (Finding 1 from Stage-5 Day-1 monitoring).
+ *
+ * Fix: derive a bigint lock key from the physical partition OID (TG_RELID).
+ * pg_advisory_xact_lock() serialises concurrent INSERTs into the SAME partition
+ * without blocking INSERTs to other partitions (distinct OIDs → distinct keys).
+ * The lock is automatically released at transaction end.
+ *
+ * Hash formula: unchanged (verbatim from db/schema.sql:3107-3127):
+ *   digest(COALESCE(prev_hash, ''::bytea) || NEW::text::bytea, 'sha256')
+ *
+ * Ref: docs/superpowers/plans/2026-05-29-audit-chain-race-fix.md Task 2
+ */
+return new class extends Migration
+{
+    public function up(): void
+    {
+        DB::statement(<<<'SQL'
+            CREATE OR REPLACE FUNCTION public.audit_chain_hash() RETURNS trigger AS $$
+            DECLARE
+                prev_hash BYTEA;
+                lock_key  BIGINT;
+            BEGIN
+                -- Derive a partition-specific advisory lock key from the physical
+                -- table OID (TG_RELID). Each child partition has a distinct OID,
+                -- so concurrent INSERTs to DIFFERENT partitions do not block each
+                -- other, while concurrent INSERTs to the SAME partition are
+                -- serialised — preventing the race that branches the hash chain.
+                lock_key := ('x' || lpad(to_hex(TG_RELID::int), 16, '0'))::bit(64)::bigint;
+                PERFORM pg_advisory_xact_lock(lock_key);
+
+                -- Берём log_hash последней строки этой таблицы. NULL для первой записи.
+                -- TG_TABLE_NAME — имя таблицы, через которое триггер сработал; используем
+                -- format/EXECUTE для полиморфности.
+                EXECUTE format(
+                    'SELECT log_hash FROM %I ORDER BY id DESC LIMIT 1',
+                    TG_TABLE_NAME
+                ) INTO prev_hash;
+
+                -- log_hash = sha256(prev_hash || NEW::text). Если prev_hash NULL — берём
+                -- пустую байтовую строку (первая запись цепочки).
+                NEW.log_hash := digest(
+                    COALESCE(prev_hash, ''::bytea) || NEW::text::bytea,
+                    'sha256'
+                );
+                RETURN NEW;
+            END;
+            $$ LANGUAGE plpgsql;
+        SQL);
+    }
+
+    public function down(): void
+    {
+        // Restore verbatim original from db/schema.sql:3107-3127 (without advisory lock).
+        DB::statement(<<<'SQL'
+            CREATE OR REPLACE FUNCTION public.audit_chain_hash() RETURNS trigger AS $$
+            DECLARE
+                prev_hash BYTEA;
+            BEGIN
+                -- Берём log_hash последней строки этой таблицы. NULL для первой записи.
+                -- TG_TABLE_NAME — имя таблицы, через которое триггер сработал; используем
+                -- format/EXECUTE для полиморфности.
+                EXECUTE format(
+                    'SELECT log_hash FROM %I ORDER BY id DESC LIMIT 1',
+                    TG_TABLE_NAME
+                ) INTO prev_hash;
+
+                -- log_hash = sha256(prev_hash || NEW::text). Если prev_hash NULL — берём
+                -- пустую байтовую строку (первая запись цепочки).
+                NEW.log_hash := digest(
+                    COALESCE(prev_hash, ''::bytea) || NEW::text::bytea,
+                    'sha256'
+                );
+                RETURN NEW;
+            END;
+            $$ LANGUAGE plpgsql;
+        SQL);
+    }
+};
@@ -41,6 +41,9 @@ deptrac:
    Request: [Rule, Model]
    Resource: [Model]
    Rule: [Model]
-    Mail: [Model]
+    # Mail может зависеть от Service value objects (PreflightResult и аналоги) —
+    # это legit dependency: template needs data DTO от Service для рендера.
+    # Decision: ADR-005 amend 2026-05-29 (incident-followup cleanup).
+    Mail: [Model, Service]
    Model: []
    Provider: [Controller, Service, Job, Console, Repository, Model, Mail, Middleware, Request, Resource, Rule, Exception]
@@ -51,7 +51,7 @@ parameters:
 		-
 			message: '#^Using nullsafe method call on non\-nullable type Illuminate\\Support\\Carbon\. Use \-\> instead\.$#'
 			identifier: nullsafe.neverNull
-			count: 5
+			count: 6
 			path: app/Http/Controllers/Api/DealController.php

 		-
@@ -84,6 +84,24 @@ parameters:
 			count: 1
 			path: app/Http/Middleware/SetTenantContext.php

+		-
+			message: '#^Access to an undefined property App\\Http\\Resources\\ProjectResource\:\:\$applies_from\.$#'
+			identifier: property.notFound
+			count: 1
+			path: app/Http/Resources/ProjectResource.php
+
+		-
+			message: '#^Parameter \#1 \$array \(non\-empty\-list\<int\>\) of array_values is already a list, call has no effect\.$#'
+			identifier: arrayValues.list
+			count: 1
+			path: app/Jobs/Supplier/SyncSupplierProjectsJob.php
+
+		-
+			message: '#^Parameter \#1 \$column of method Illuminate\\Database\\Eloquent\\Builder\<App\\Models\\Project\>\:\:where\(\) expects array\<int\|model property of App\\Models\\Project, mixed\>\|\(Closure\(Illuminate\\Database\\Eloquent\\Builder\<App\\Models\\Project\>\)\: Illuminate\\Database\\Eloquent\\Builder\<App\\Models\\Project\>\)\|\(Closure\(Illuminate\\Database\\Eloquent\\Builder\<App\\Models\\Project\>\)\: void\)\|Illuminate\\Contracts\\Database\\Query\\Expression\|model property of App\\Models\\Project, ''snap\.snapshot_date'' given\.$#'
+			identifier: argument.type
+			count: 1
+			path: app/Jobs/Supplier/SyncSupplierProjectsJob.php
+
 		-
 			message: '#^Using nullsafe property access "\?\-\>name" on left side of \?\? is unnecessary\. Use \-\> instead\.$#'
 			identifier: nullsafe.neverNull
@@ -102,6 +120,12 @@ parameters:
 			count: 1
 			path: app/Services/NotificationService.php

+		-
+			message: '#^Access to an undefined property App\\Models\\Project\:\:\$applies_from\.$#'
+			identifier: property.notFound
+			count: 1
+			path: app/Services/Project/ProjectService.php
+
 		-
 			message: '#^Match expression does not handle remaining value\: string$#'
 			identifier: match.unhandled
@@ -120,6 +144,90 @@ parameters:
 			count: 1
 			path: app/Services/Supplier/Channel/AjaxProjectChannel.php

+		-
+			message: '#^Class NunoMaduro\\PhpInsights\\Domain\\Insights\\ForbiddenDefineFunctions not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
+		-
+			message: '#^Class NunoMaduro\\PhpInsights\\Domain\\Insights\\ForbiddenFinalClasses not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
+		-
+			message: '#^Class NunoMaduro\\PhpInsights\\Domain\\Insights\\ForbiddenNormalClasses not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
+		-
+			message: '#^Class NunoMaduro\\PhpInsights\\Domain\\Insights\\ForbiddenPrivateMethods not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
+		-
+			message: '#^Class NunoMaduro\\PhpInsights\\Domain\\Insights\\ForbiddenTraits not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
+		-
+			message: '#^Class NunoMaduro\\PhpInsights\\Domain\\Insights\\SyntaxCheck not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
+		-
+			message: '#^Class NunoMaduro\\PhpInsights\\Domain\\Metrics\\Architecture\\Classes not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
+		-
+			message: '#^Class SlevomatCodingStandard\\Sniffs\\Commenting\\UselessFunctionDocCommentSniff not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
+		-
+			message: '#^Class SlevomatCodingStandard\\Sniffs\\Namespaces\\AlphabeticallySortedUsesSniff not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
+		-
+			message: '#^Class SlevomatCodingStandard\\Sniffs\\TypeHints\\DeclareStrictTypesSniff not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
+		-
+			message: '#^Class SlevomatCodingStandard\\Sniffs\\TypeHints\\DisallowMixedTypeHintSniff not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
+		-
+			message: '#^Class SlevomatCodingStandard\\Sniffs\\TypeHints\\ParameterTypeHintSniff not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
+		-
+			message: '#^Class SlevomatCodingStandard\\Sniffs\\TypeHints\\PropertyTypeHintSniff not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
+		-
+			message: '#^Class SlevomatCodingStandard\\Sniffs\\TypeHints\\ReturnTypeHintSniff not found\.$#'
+			identifier: class.notFound
+			count: 1
+			path: config/insights.php
+
 		-
 			message: '#^Return type \(array\<string, mixed\>\) of method Database\\Factories\\BalanceTransactionFactory\:\:definition\(\) should be compatible with return type \(array\<model property of App\\Models\\BalanceTransaction, mixed\>\) of method Illuminate\\Database\\Eloquent\\Factories\\Factory\<App\\Models\\BalanceTransaction\>\:\:definition\(\)$#'
 			identifier: method.childReturnType
@@ -156,6 +264,12 @@ parameters:
 			count: 1
 			path: database/factories/UserFactory.php

+		-
+			message: '#^Offset ''SnapshotProjectRout…'' on null in isset\(\) does not exist\.$#'
+			identifier: isset.offset
+			count: 1
+			path: routes/console.php
+
 		-
 			message: '#^Offset ''projects\:reset…'' on null in isset\(\) does not exist\.$#'
 			identifier: isset.offset
@@ -444,6 +558,18 @@ parameters:
 			count: 3
 			path: tests/Feature/ApiKeyControllerTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:artisan\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Audit/AuditChainRaceConditionTest.php
+
+		-
+			message: '#^Using nullsafe property access "\?\-\>cnt" on left side of \?\? is unnecessary\. Use \-\> instead\.$#'
+			identifier: nullsafe.neverNull
+			count: 1
+			path: tests/Feature/Audit/AuditRebuildChainTest.php
+
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
 			identifier: method.notFound
@@ -720,6 +846,36 @@ parameters:
 			count: 6
 			path: tests/Feature/Auth/UpdateProfileTest.php

+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
+			identifier: property.notFound
+			count: 7
+			path: tests/Feature/Billing/BalanceStatusTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$user\.$#'
+			identifier: property.notFound
+			count: 1
+			path: tests/Feature/Billing/BalanceStatusTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Billing/BalanceStatusTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:getJson\(\)\.$#'
+			identifier: method.notFound
+			count: 6
+			path: tests/Feature/Billing/BalanceStatusTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:seed\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Billing/BalanceStatusTest.php
+
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
 			identifier: property.notFound
@@ -750,10 +906,16 @@ parameters:
 			count: 1
 			path: tests/Feature/Billing/BillingOverviewControllerTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:artisan\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Billing/BillingPreflightInitialSweepTest.php
+
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$ledger\.$#'
 			identifier: property.notFound
-			count: 8
+			count: 9
 			path: tests/Feature/Billing/LedgerServiceTest.php

 		-
@@ -768,6 +930,12 @@ parameters:
 			count: 6
 			path: tests/Feature/Billing/PricingTierRepositoryTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
+			identifier: method.notFound
+			count: 4
+			path: tests/Feature/Billing/ProjectPreflightTest.php
+
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
 			identifier: property.notFound
@@ -876,6 +1044,30 @@ parameters:
 			count: 1
 			path: tests/Feature/Console/ResetMonthlyCountersCommandTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:artisan\(\)\.$#'
+			identifier: method.notFound
+			count: 3
+			path: tests/Feature/Console/SnapshotBackfillCommandTest.php
+
+		-
+			message: '#^Static method Carbon\\Carbon\:\:setTestNow\(\) invoked with 2 parameters, 0\-1 required\.$#'
+			identifier: arguments.count
+			count: 2
+			path: tests/Feature/Console/SnapshotBackfillCommandTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:artisan\(\)\.$#'
+			identifier: method.notFound
+			count: 2
+			path: tests/Feature/Console/SnapshotRebuildCommandTest.php
+
+		-
+			message: '#^Static method Carbon\\Carbon\:\:setTestNow\(\) invoked with 2 parameters, 0\-1 required\.$#'
+			identifier: arguments.count
+			count: 2
+			path: tests/Feature/Console/SnapshotRebuildCommandTest.php
+
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:artisan\(\)\.$#'
 			identifier: method.notFound
@@ -1296,6 +1488,12 @@ parameters:
 			count: 5
 			path: tests/Feature/EndpointAuthHardeningTest.php

+		-
+			message: '#^Access to an undefined property App\\Models\\Project\:\:\$applies_from\.$#'
+			identifier: property.notFound
+			count: 1
+			path: tests/Feature/Http/Resources/ProjectResourceAppliesFromTest.php
+
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:postJson\(\)\.$#'
 			identifier: method.notFound
@@ -1308,6 +1506,18 @@ parameters:
 			count: 2
 			path: tests/Feature/Http/Webhook/SupplierWebhookTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:call\(\)\.$#'
+			identifier: method.notFound
+			count: 2
+			path: tests/Feature/Http/Webhook/SupplierWebhookValidationFormatTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:postJson\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Http/Webhook/SupplierWebhookValidationFormatTest.php
+
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$adminId\.$#'
 			identifier: property.notFound
@@ -1422,6 +1632,12 @@ parameters:
 			count: 8
 			path: tests/Feature/Incidents/IncidentsWatchFailuresExpandedTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:artisan\(\)\.$#'
+			identifier: method.notFound
+			count: 5
+			path: tests/Feature/Incidents/SingleLeadStormTest.php
+
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:postJson\(\)\.$#'
 			identifier: method.notFound
@@ -1434,12 +1650,48 @@ parameters:
 			count: 1
 			path: tests/Feature/Integration/SupplierLeadFlowTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:seed\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Jobs/RouteSupplierLeadJobSnapshotTest.php
+
+		-
+			message: '#^Static method Carbon\\Carbon\:\:setTestNow\(\) invoked with 2 parameters, 0\-1 required\.$#'
+			identifier: arguments.count
+			count: 2
+			path: tests/Feature/Jobs/RouteSupplierLeadJobSnapshotTest.php
+
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:seed\(\)\.$#'
 			identifier: method.notFound
 			count: 1
 			path: tests/Feature/Jobs/RouteSupplierLeadJobTest.php

+		-
+			message: '#^Static method Carbon\\Carbon\:\:setTestNow\(\) invoked with 2 parameters, 0\-1 required\.$#'
+			identifier: arguments.count
+			count: 1
+			path: tests/Feature/Jobs/SnapshotProjectRoutingJobTest.php
+
+		-
+			message: '#^Static method Carbon\\Carbon\:\:setTestNow\(\) invoked with 2 parameters, 0\-1 required\.$#'
+			identifier: arguments.count
+			count: 4
+			path: tests/Feature/Jobs/Supplier/SyncSupplierProjectsJobSnapshotTest.php
+
+		-
+			message: '#^Static method Carbon\\Carbon\:\:setTestNow\(\) invoked with 2 parameters, 0\-1 required\.$#'
+			identifier: arguments.count
+			count: 1
+			path: tests/Feature/LeadRouter/FrozenFilterTest.php
+
+		-
+			message: '#^Static method Carbon\\Carbon\:\:setTestNow\(\) invoked with 2 parameters, 0\-1 required\.$#'
+			identifier: arguments.count
+			count: 4
+			path: tests/Feature/LeadRouter/SnapshotRoutingTest.php
+
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:getJson\(\)\.$#'
 			identifier: method.notFound
@@ -2016,6 +2268,24 @@ parameters:
 			count: 3
 			path: tests/Feature/Security/WebhookUrlChangeAuditTest.php

+		-
+			message: '#^Access to an undefined property App\\Models\\Project\:\:\$applies_from\.$#'
+			identifier: property.notFound
+			count: 5
+			path: tests/Feature/Services/Project/ProjectServiceAppliesFromTest.php
+
+		-
+			message: '#^Static method Carbon\\Carbon\:\:setTestNow\(\) invoked with 2 parameters, 0\-1 required\.$#'
+			identifier: arguments.count
+			count: 4
+			path: tests/Feature/Services/Project/ProjectServiceAppliesFromTest.php
+
+		-
+			message: '#^Static method Carbon\\Carbon\:\:setTestNow\(\) invoked with 2 parameters, 0\-1 required\.$#'
+			identifier: arguments.count
+			count: 5
+			path: tests/Feature/Services/Project/SupplierSnapshotGuardAppliesFromTest.php
+
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$project\.$#'
 			identifier: property.notFound
@@ -2064,12 +2334,48 @@ parameters:
 			count: 1
 			path: tests/Feature/Supplier/CsvReconcileJobTest.php

+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$project\.$#'
+			identifier: property.notFound
+			count: 2
+			path: tests/Feature/Supplier/CsvWebhookRaceTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$sp\.$#'
+			identifier: property.notFound
+			count: 7
+			path: tests/Feature/Supplier/CsvWebhookRaceTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
+			identifier: property.notFound
+			count: 8
+			path: tests/Feature/Supplier/CsvWebhookRaceTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:seed\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Supplier/CsvWebhookRaceTest.php
+
 		-
 			message: '#^Call to an undefined method Mockery\\ExpectationInterface\|Mockery\\HigherOrderMessage\:\:once\(\)\.$#'
 			identifier: method.notFound
 			count: 1
 			path: tests/Feature/Supplier/DeleteSupplierProjectJobTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:postJson\(\)\.$#'
+			identifier: method.notFound
+			count: 3
+			path: tests/Feature/Supplier/DirectPlatformTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:seed\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Supplier/DirectPlatformTest.php
+
 		-
 			message: '#^Call to an undefined method Mockery\\ExpectationInterface\|Mockery\\HigherOrderMessage\:\:andThrow\(\)\.$#'
 			identifier: method.notFound
@@ -2148,12 +2454,30 @@ parameters:
 			count: 1
 			path: tests/Feature/Supplier/SupplierProjectImporterTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:artisan\(\)\.$#'
+			identifier: method.notFound
+			count: 3
+			path: tests/Feature/Supplier/SupplierRekeyOrphansCommandTest.php
+
 		-
 			message: '#^Call to an undefined method App\\Services\\Supplier\\PlaywrightBridge\:\:shouldReceive\(\)\.$#'
 			identifier: method.notFound
 			count: 1
 			path: tests/Feature/Supplier/SupplierSessionRefreshCommandTest.php

+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$sharedProject\.$#'
+			identifier: property.notFound
+			count: 7
+			path: tests/Feature/Supplier/SupplierWebhookFastFailTest.php
+
+		-
+			message: '#^Using nullsafe property access "\?\-\>error" on left side of \?\? is unnecessary\. Use \-\> instead\.$#'
+			identifier: nullsafe.neverNull
+			count: 2
+			path: tests/Feature/Supplier/SupplierWebhookFastFailTest.php
+
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:mock\(\)\.$#'
 			identifier: method.notFound
@@ -2274,6 +2598,42 @@ parameters:
 			count: 6
 			path: tests/Unit/Services/Pd/ImpersonationAuditServiceTest.php

+		-
+			message: '#^Call to an undefined method Mockery\\ExpectationInterface\|Mockery\\HigherOrderMessage\:\:once\(\)\.$#'
+			identifier: method.notFound
+			count: 2
+			path: tests/Unit/Services/Project/ProjectServiceGuardWiringTest.php
+
+		-
+			message: '#^Call to method PHPUnit\\Framework\\Assert\:\:assertTrue\(\) with true will always evaluate to true\.$#'
+			identifier: method.alreadyNarrowedType
+			count: 3
+			path: tests/Unit/Services/Project/ProjectServiceGuardWiringTest.php
+
+		-
+			message: '#^Parameter \#2 \$snapshotGuard of class App\\Services\\Project\\ProjectService constructor expects App\\Services\\Project\\SupplierSnapshotGuard, Mockery\\MockInterface given\.$#'
+			identifier: argument.type
+			count: 3
+			path: tests/Unit/Services/Project/ProjectServiceGuardWiringTest.php
+
+		-
+			message: '#^Call to an undefined method Mockery\\ExpectationInterface\|Mockery\\HigherOrderMessage\:\:with\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Unit/Services/Project/SupplierSnapshotGuardTest.php
+
+		-
+			message: '#^Call to method PHPUnit\\Framework\\Assert\:\:assertTrue\(\) with true will always evaluate to true\.$#'
+			identifier: method.alreadyNarrowedType
+			count: 1
+			path: tests/Unit/Services/Project/SupplierSnapshotGuardTest.php
+
+		-
+			message: '#^Property App\\Models\\IdeHelperProject\:\:\$paused_at \(Illuminate\\Support\\Carbon\|null\) does not accept Carbon\\CarbonImmutable\.$#'
+			identifier: assign.propertyType
+			count: 2
+			path: tests/Unit/Services/Project/SupplierSnapshotGuardTest.php
+
 		-
 			message: '#^Call to an undefined method App\\Services\\Supplier\\ProcessFactory\:\:shouldReceive\(\)\.$#'
 			identifier: method.notFound
@@ -106,3 +106,27 @@ export async function topup(amountRub: number): Promise<TopupResult> {
    const { data } = await apiClient.post<TopupResult>('/api/billing/topup', { amount_rub: amountRub });
    return data;
 }
+
+/**
+ * Ответ GET /api/billing/balance-status — лёгкий статус баланса для UI префлайта
+ * (Billing v2 Spec C §3.6): питает баннер заморозки + индикатор ёмкости.
+ */
+export interface BalanceStatus {
+    /** ISO-дата заморозки или null (не заморожен). */
+    frozen_by_balance_at: string | null;
+    balance_rub: string;
+    /** Сколько лидов покрывает баланс по текущему тарифу. */
+    capacity_leads: number;
+    /** Суммарный дневной заказ активных не-заблокированных проектов. */
+    required_leads_per_day: number;
+    /** На сколько лидов заказ превышает ёмкость (0 если хватает). */
+    deficit_leads: number;
+    /** Сколько ₽ не хватает, чтобы покрыть дефицит (scale 2, "0.00" если хватает). */
+    deficit_rub: string;
+}
+
+/** GET /api/billing/balance-status — статус для баннера заморозки и индикатора ёмкости. */
+export async function getBalanceStatus(): Promise<BalanceStatus> {
+    const { data } = await apiClient.get<BalanceStatus>('/api/billing/balance-status');
+    return data;
+}
@@ -0,0 +1,68 @@
+<script setup lang="ts">
+/**
+ * Постоянная подсказка под балансом (Billing v2 Spec C §3.6, Task 1.10).
+ *
+ * Чистый presentational-компонент: показывает, на сколько дней хватит ёмкости
+ * баланса (в лидах) при текущем дневном заказе всех eligible-проектов.
+ * Зелёный — хватает на 3+ дня; жёлтый — меньше 3 дней; красный — не хватает.
+ */
+import { computed } from 'vue';
+
+const props = defineProps<{
+    /** Баланс в рублях (строка scale 2, например "1000.00"). */
+    balanceRub: string;
+    /** Сколько лидов покрывает баланс по текущему тарифу. */
+    capacityLeads: number;
+    /** Суммарный дневной заказ всех активных проектов (лидов/день). */
+    requiredLeadsPerDay: number;
+}>();
+
+const daysLeft = computed(() =>
+    props.requiredLeadsPerDay > 0 ? props.capacityLeads / props.requiredLeadsPerDay : Infinity,
+);
+
+const statusClass = computed(() => {
+    if (props.requiredLeadsPerDay > 0 && props.capacityLeads < props.requiredLeadsPerDay) {
+        return 'capacity-insufficient';
+    }
+    if (daysLeft.value < 3) return 'capacity-warning';
+    return 'capacity-ok';
+});
+
+const daysLabel = computed(() => (Number.isFinite(daysLeft.value) ? daysLeft.value.toFixed(1) : '∞'));
+</script>
+
+<template>
+    <div class="balance-capacity text-body-2" :class="statusClass" data-testid="balance-capacity-indicator">
+        <div>Баланс: {{ balanceRub }}₽ = до {{ capacityLeads }} лидов по тарифу</div>
+        <div>Проекты заказывают: {{ requiredLeadsPerDay }} лидов в день</div>
+        <div v-if="statusClass === 'capacity-insufficient'" class="capacity-note">
+            ⚠️ Не хватает — пополните счёт
+        </div>
+        <div v-else-if="statusClass === 'capacity-warning'" class="capacity-note">
+            Хватит на ~{{ daysLabel }} дн. — скоро потребуется пополнение
+        </div>
+        <div v-else class="capacity-note">✅ Хватит на ~{{ daysLabel }} дн.</div>
+    </div>
+</template>
+
+<style scoped>
+.balance-capacity {
+    display: flex;
+    flex-direction: column;
+    gap: 2px;
+    line-height: 1.4;
+}
+.capacity-note {
+    font-weight: 600;
+}
+.capacity-ok .capacity-note {
+    color: rgb(var(--v-theme-success));
+}
+.capacity-warning .capacity-note {
+    color: rgb(var(--v-theme-warning));
+}
+.capacity-insufficient .capacity-note {
+    color: rgb(var(--v-theme-error));
+}
+</style>
@@ -0,0 +1,52 @@
+<script setup lang="ts">
+/**
+ * Красный баннер заморозки баланса (Billing v2 Spec C §3.6, Task 1.10).
+ *
+ * Показывается на всех страницах, когда tenant.frozen_by_balance_at !== null
+ * (проп `frozen`). Источник данных — tenantStore, загружаемый глобально в
+ * AppLayout. Чистый presentational-компонент.
+ */
+import { computed } from 'vue';
+
+const props = defineProps<{
+    frozen: boolean;
+    /** Сколько ₽ не хватает на дневной заказ (строка scale 2). */
+    deficitRub?: string;
+    /** Сколько лидов превышают ёмкость баланса. */
+    deficitLeads?: number;
+}>();
+
+const hasDeficit = computed(() => (props.deficitLeads ?? 0) > 0);
+</script>
+
+<template>
+    <v-alert
+        v-if="frozen"
+        type="error"
+        variant="tonal"
+        density="comfortable"
+        rounded="lg"
+        class="balance-frozen-banner ma-4 mb-0"
+        data-testid="balance-frozen-banner"
+    >
+        <div class="text-subtitle-2 font-weight-bold">Приём лидов приостановлен</div>
+        <div class="text-body-2 mb-2">
+            Не хватает баланса на дневной заказ.<span v-if="hasDeficit">
+                Нужно ещё {{ deficitRub }}₽ (или сократи лимиты на {{ deficitLeads }} лидов).</span>
+        </div>
+        <RouterLink to="/billing" data-testid="banner-topup-link" class="banner-link">
+            Пополнить счёт
+        </RouterLink>
+        <RouterLink to="/projects" data-testid="banner-projects-link" class="banner-link ml-4">
+            Перейти к проектам
+        </RouterLink>
+    </v-alert>
+</template>
+
+<style scoped>
+.banner-link {
+    font-weight: 600;
+    color: rgb(var(--v-theme-error));
+    text-decoration: underline;
+}
+</style>
@@ -7,7 +7,7 @@ import { REGIONS, FEDERAL_DISTRICT_NAMES } from '../../constants/regions';
 import { repositionMenuAfterOpen } from '../../utils/menuRepositionFix';

 const props = defineProps<{ project: Project | null }>();
-const emit = defineEmits<{ close: []; saved: [] }>();
+const emit = defineEmits<{ close: []; saved: [appliesFrom: string | null] }>();

 interface FormState {
    name: string;
@@ -100,8 +100,11 @@ async function onSave(): Promise<void> {
            payload.sms_senders = form.sms_senders;
            payload.sms_keyword = form.sms_keyword;
        }
-        await axios.patch(`/api/projects/${props.project.id}`, payload);
-        emit('saved');
+        const { data } = await axios.patch(`/api/projects/${props.project.id}`, payload);
+        // Backend кладёт applies_from когда правка задела slepok-чувствительные поля
+        // (см. ProjectService::updateAndExposeAppliesFrom / Task 2.8).
+        const appliesFrom: string | null = data?.data?.applies_from ?? null;
+        emit('saved', appliesFrom);
    } catch (e: unknown) {
        const err = e as { response?: { status?: number; data?: { errors?: Record<string, string[]> } } };
        if (err.response?.status === 422 && err.response.data?.errors) {
@@ -0,0 +1,70 @@
+<script setup lang="ts">
+/**
+ * Диалог перегрузки лимита (Billing v2 Spec C §6.2, Task 1.10).
+ *
+ * Открывается, когда POST/PATCH /api/projects вернул 409 `balance_insufficient`.
+ * Показывает дефицит и предлагает три исхода:
+ *  - «Сохранить и приостановить» → save-blocked (родитель пере-сабмитит с
+ *    force_save_blocked=true → проект создаётся с preflight_blocked_at);
+ *  - «Поставить лимит 0»          → set-zero (родитель ставит daily_limit_target=0);
+ *  - «Отмена»                     → закрытие без сохранения.
+ */
+export interface OverloadPayload {
+    current_balance_rub: string;
+    current_capacity_leads: number;
+    would_be_required_leads: number;
+    deficit_leads: number;
+}
+
+defineProps<{
+    modelValue: boolean;
+    payload: OverloadPayload | null;
+}>();
+
+defineEmits<{
+    'update:modelValue': [value: boolean];
+    'save-blocked': [];
+    'set-zero': [];
+}>();
+</script>
+
+<template>
+    <v-dialog
+        :model-value="modelValue"
+        max-width="520"
+        @update:model-value="$emit('update:modelValue', $event)"
+    >
+        <v-card v-if="payload" data-testid="overload-dialog">
+            <v-card-title>Лимит превышает баланс</v-card-title>
+            <v-card-text>
+                <p>
+                    У тебя {{ payload.current_balance_rub }}₽ =
+                    {{ payload.current_capacity_leads }} лидов по текущему тарифу.
+                </p>
+                <p>После сохранения нужно {{ payload.would_be_required_leads }} лидов.</p>
+                <p class="font-weight-medium">Не хватает: {{ payload.deficit_leads }} лидов.</p>
+                <p class="text-medium-emphasis mt-2">
+                    Чтобы проект начал работать — пополни счёт, поставь его лимит 0
+                    или уменьши лимиты других проектов.
+                </p>
+            </v-card-text>
+            <v-card-actions>
+                <v-spacer />
+                <v-btn variant="text" data-testid="overload-cancel" @click="$emit('update:modelValue', false)">
+                    Отмена
+                </v-btn>
+                <v-btn variant="text" data-testid="overload-set-zero" @click="$emit('set-zero')">
+                    Поставить лимит 0
+                </v-btn>
+                <v-btn
+                    color="primary"
+                    variant="flat"
+                    data-testid="overload-save-blocked"
+                    @click="$emit('save-blocked')"
+                >
+                    Сохранить и приостановить
+                </v-btn>
+            </v-card-actions>
+        </v-card>
+    </v-dialog>
+</template>
@@ -0,0 +1,23 @@
+/**
+ * Форматирует сообщение для тоста после сохранения slepok-чувствительных
+ * правок проекта.
+ *
+ * Бизнес-инвариант: applies_from = N.21:00 МСК — час, когда поставщик
+ * фиксирует свой slepok (см. docs/superpowers/specs/2026-05-26-slepok-routing-protection-design.md).
+ * Поэтому в UI всегда показываем «21:00 МСК», а календарную дату берём
+ * по часовому поясу Москвы — независимо от локали браузера клиента.
+ */
+const moscowDateFmt = new Intl.DateTimeFormat('ru-RU', {
+    timeZone: 'Europe/Moscow',
+    day: '2-digit',
+    month: '2-digit',
+    year: 'numeric',
+});
+
+export function formatAppliesFromMessage(appliesFrom: string | null | undefined): string {
+    if (!appliesFrom) {
+        return 'Сохранено.';
+    }
+    const date = moscowDateFmt.format(new Date(appliesFrom));
+    return `Сохранено. Изменения вступят в силу ${date} в 21:00 МСК.`;
+}
@@ -14,16 +14,19 @@ import { RouterView, useRoute } from 'vue-router';
 import { useAuthStore } from '../stores/auth';
 import { useNotificationsStore } from '../stores/notifications';
 import { useRemindersStore } from '../stores/reminders';
+import { useTenantStore } from '../stores/tenantStore';
 import { usePolling } from '../composables/usePolling';
 import { POLLING_INTERVAL_MS, POLLING_REMINDERS_INTERVAL_MS } from '../constants/polling';
 import AppSidebar from '../components/layout/AppSidebar.vue';
 import AppTopbar from '../components/layout/AppTopbar.vue';
 import DevIndexBadge from '../components/DevIndexBadge.vue';
 import CommandPalette from '../components/layout/CommandPalette.vue';
+import BalanceFrozenBanner from '../components/billing/BalanceFrozenBanner.vue';

 const auth = useAuthStore();
 const notifications = useNotificationsStore();
 const reminders = useRemindersStore();
+const tenant = useTenantStore();
 const route = useRoute();

 const drawerOpen = ref(true);
@@ -60,12 +63,19 @@ async function loadReminderCounts(): Promise<void> {
    await reminders.refreshCounts();
 }

+async function loadBalanceStatus(): Promise<void> {
+    if (!auth.user) return;
+    await tenant.load();
+}
+
 onMounted(() => {
    void loadNotifications();
    void loadReminderCounts();
+    void loadBalanceStatus();
 });
 usePolling(loadNotifications, { intervalMs: POLLING_INTERVAL_MS, enabled: true });
 usePolling(loadReminderCounts, { intervalMs: POLLING_REMINDERS_INTERVAL_MS, enabled: true });
+usePolling(loadBalanceStatus, { intervalMs: POLLING_REMINDERS_INTERVAL_MS, enabled: true });
 </script>

 <template>
@@ -74,6 +84,11 @@ usePolling(loadReminderCounts, { intervalMs: POLLING_REMINDERS_INTERVAL_MS, enab
        <AppTopbar :page-title="currentPageTitle" @toggle-drawer="drawerOpen = !drawerOpen" />

        <v-main class="app-main">
+            <BalanceFrozenBanner
+                :frozen="tenant.frozen"
+                :deficit-rub="tenant.deficitRub"
+                :deficit-leads="tenant.deficitLeads"
+            />
            <RouterView v-slot="{ Component, route: r }">
                <Transition :name="(r.meta.transition as string) ?? 'ld-route-fadeup'" mode="out-in">
                    <component :is="Component" :key="r.fullPath" />
@@ -0,0 +1,43 @@
+import { defineStore } from 'pinia';
+import { computed, ref } from 'vue';
+import * as billingApi from '../api/billing';
+import type { BalanceStatus } from '../api/billing';
+
+/**
+ * Tenant-store: статус баланса текущего тенанта для UI префлайта (Billing v2
+ * Spec C Task 1.10). Единый источник для глобального баннера заморозки
+ * (BalanceFrozenBanner в AppLayout) и индикатора ёмкости (BalanceCapacityIndicator
+ * в BillingView) — чтобы не делать два запроса.
+ *
+ * Загружается глобально в AppLayout (load + polling). `load()` молча проглатывает
+ * ошибку: баннер/индикатор не критичны и не должны валить страницу.
+ */
+export const useTenantStore = defineStore('tenant', () => {
+    const status = ref<BalanceStatus | null>(null);
+
+    const frozen = computed(() => status.value?.frozen_by_balance_at != null);
+    const deficitRub = computed(() => status.value?.deficit_rub ?? '0.00');
+    const deficitLeads = computed(() => status.value?.deficit_leads ?? 0);
+    const balanceRub = computed(() => status.value?.balance_rub ?? '0.00');
+    const capacityLeads = computed(() => status.value?.capacity_leads ?? 0);
+    const requiredLeadsPerDay = computed(() => status.value?.required_leads_per_day ?? 0);
+
+    async function load(): Promise<void> {
+        try {
+            status.value = await billingApi.getBalanceStatus();
+        } catch {
+            // Не критично — оставляем прошлый статус (или null → баннер скрыт).
+        }
+    }
+
+    return {
+        status,
+        frozen,
+        deficitRub,
+        deficitLeads,
+        balanceRub,
+        capacityLeads,
+        requiredLeadsPerDay,
+        load,
+    };
+});
@@ -11,6 +11,7 @@
 */
 import { ref, computed, onMounted } from 'vue';
 import BalanceCard from '../components/billing/BalanceCard.vue';
+import BalanceCapacityIndicator from '../components/billing/BalanceCapacityIndicator.vue';
 import TierPricesPanel from '../components/billing/TierPricesPanel.vue';
 import TransactionsTable from '../components/billing/TransactionsTable.vue';
 import InvoicesTable from '../components/billing/InvoicesTable.vue';
@@ -19,8 +20,10 @@ import ChargesTab from './billing/ChargesTab.vue';
 import { formatPlain, featureLabel } from '../composables/billingFormatters';
 import { getWallet, type Wallet } from '../api/billing';
 import { extractErrorMessage } from '../api/client';
+import { useTenantStore } from '../stores/tenantStore';

 const activeView = ref<'overview' | 'charges'>('overview');
+const tenant = useTenantStore();

 const wallet = ref<Wallet | null>(null);
 const loading = ref(true);
@@ -59,10 +62,15 @@ async function onTopupSuccess(): Promise<void> {
    topupOpen.value = false;
    topupSnackbar.value = true;
    await loadWallet();
+    // Пополнение могло снять заморозку → обновляем статус баланса (баннер/индикатор).
+    await tenant.load();
    txTableRef.value?.refresh();
 }

-onMounted(loadWallet);
+onMounted(() => {
+    void loadWallet();
+    void tenant.load();
+});

 defineExpose({ loadWallet, wallet, topupOpen });
 </script>
@@ -117,6 +125,14 @@ defineExpose({ loadWallet, wallet, topupOpen });
                        @topup="topupOpen = true"
                    />

+                    <BalanceCapacityIndicator
+                        v-if="tenant.status"
+                        class="mt-3"
+                        :balance-rub="tenant.balanceRub"
+                        :capacity-leads="tenant.capacityLeads"
+                        :required-leads-per-day="tenant.requiredLeadsPerDay"
+                    />
+
                    <TierPricesPanel :tiers="tiersPreview" :current-tier-no="currentTierNo" />

                    <TransactionsTable ref="txTableRef" />
@@ -173,8 +173,17 @@
            @close="onDrawerClose"
            @saved="onDrawerSaved"
        />
-        <NewProjectDialog v-model="createOpen" mode="create" @saved="store.fetch()" />
-        <EditProjectDialog v-model="editOpen" :project="editing" @saved="store.fetch()" />
+        <NewProjectDialog v-model="createOpen" mode="create" @saved="onProjectSaved" />
+        <EditProjectDialog v-model="editOpen" :project="editing" @saved="onProjectSaved" />
+
+        <v-snackbar
+            v-model="savedSnackbarOpen"
+            color="success"
+            :timeout="appliesFromShown ? 7000 : 3500"
+            data-testid="projects-saved-snackbar"
+        >
+            {{ savedSnackbarMessage }}
+        </v-snackbar>
    </v-container>
 </template>

@@ -187,12 +196,25 @@ import BulkActionsBar from '../components/projects/BulkActionsBar.vue';
 import NewProjectDialog from './projects/NewProjectDialog.vue';
 import EditProjectDialog from './projects/EditProjectDialog.vue';
 import { REGIONS } from '../constants/regions';
+import { formatAppliesFromMessage } from '../composables/appliesFromMessage';

 const store = useProjectsStore();
 const createOpen = ref(false);
 const editOpen = ref(false);
 const editing = ref<Project | null>(null);

+// Тост «Сохранено» после правки проекта. Если правка задела slepok-чувствительные
+// поля (regions / delivery_days_mask / daily_limit_target / источник), backend
+// возвращает applies_from = N.21:00 МСК — показываем расширенное сообщение.
+const savedSnackbarOpen = ref(false);
+const savedSnackbarMessage = ref('');
+const appliesFromShown = ref(false);
+function showSavedSnackbar(appliesFrom: string | null): void {
+    savedSnackbarMessage.value = formatAppliesFromMessage(appliesFrom);
+    appliesFromShown.value = appliesFrom !== null;
+    savedSnackbarOpen.value = true;
+}
+
 // Информационный баннер о сроке внесения изменений (синхронизация с поставщиком в 18:00 МСК).
 // Закрытие запоминается, чтобы не показывать повторно.
 const CUTOFF_BANNER_KEY = 'projects.cutoffBannerDismissed';
@@ -211,10 +233,15 @@ const singleSelectedProject = computed<Project | null>(() => {
 function onDrawerClose(): void {
    store.clearSelection();
 }
-function onDrawerSaved(): void {
+function onDrawerSaved(appliesFrom: string | null): void {
    // #4: после Save/Pause/Delete панель и галочка должны исчезнуть.
    store.clearSelection();
    void store.fetch();
+    showSavedSnackbar(appliesFrom);
+}
+function onProjectSaved(appliesFrom: string | null): void {
+    void store.fetch();
+    showSavedSnackbar(appliesFrom);
 }

 const typeFilters = [
@@ -4,7 +4,7 @@
        mode="edit"
        :project="project"
        @update:model-value="$emit('update:modelValue', $event)"
-        @saved="$emit('saved')"
+        @saved="(appliesFrom) => $emit('saved', appliesFrom)"
    />
 </template>

@@ -13,5 +13,8 @@ import NewProjectDialog from './NewProjectDialog.vue';
 import type { Project } from '../../stores/projectsStore';

 defineProps<{ modelValue: boolean; project: Project | null }>();
-defineEmits(['update:modelValue', 'saved']);
+defineEmits<{
+    'update:modelValue': [value: boolean];
+    saved: [appliesFrom: string | null];
+}>();
 </script>
@@ -190,6 +190,13 @@
            </v-card-actions>
        </v-card>
    </v-dialog>
+
+    <ProjectLimitOverloadDialog
+        v-model="overloadOpen"
+        :payload="overloadPayload"
+        @save-blocked="onOverloadSaveBlocked"
+        @set-zero="onOverloadSetZero"
+    />
 </template>

 <script setup lang="ts">
@@ -199,6 +206,7 @@ import { REGIONS, FEDERAL_DISTRICT_NAMES } from '../../constants/regions';
 import { repositionMenuAfterOpen } from '../../utils/menuRepositionFix';
 import type { Project } from '../../stores/projectsStore';
 import DevIndexBadge from '../../components/DevIndexBadge.vue';
+import ProjectLimitOverloadDialog from '../../components/projects/ProjectLimitOverloadDialog.vue';

 const selectableRegions = REGIONS.filter((r) => r.code !== 0);

@@ -207,7 +215,10 @@ const props = defineProps<{
    mode?: 'create' | 'edit';
    project?: Project | null;
 }>();
-const emit = defineEmits(['update:modelValue', 'saved']);
+const emit = defineEmits<{
+    'update:modelValue': [value: boolean];
+    saved: [appliesFrom: string | null];
+}>();

 // Plan 6: regions = subject codes (1..89) — backend dual-writes region_mask/region_mode.
 // Пустой массив = вся РФ.
@@ -225,6 +236,16 @@ const errors = reactive<Record<string, string[]>>({});
 const saving = ref(false);
 const generalError = ref<string | null>(null);

+// Spec C §6.2: префлайт баланса — диалог перегрузки лимита по 409.
+interface OverloadPayloadShape {
+    current_balance_rub: string;
+    current_capacity_leads: number;
+    would_be_required_leads: number;
+    deficit_leads: number;
+}
+const overloadOpen = ref(false);
+const overloadPayload = ref<OverloadPayloadShape | null>(null);
+
 // Plan 4 Task 4: обязательный выбор региона + явная «Вся РФ» с подтверждением.
 // vsyaRf — чекбокс выбран; vsyaRfConfirmed — подтверждён через предупреждение.
 // На бэке regions=[] (Вся РФ) и «забыл» неотличимы → гейт намеренно UI-only.
@@ -303,6 +324,41 @@ watch(
    { immediate: true },
 );

+async function persist(extra: Record<string, unknown> = {}): Promise<void> {
+    saving.value = true;
+    try {
+        await ensureCsrfCookie();
+        const body = { ...form, ...extra };
+        let appliesFrom: string | null = null;
+        if (props.mode === 'edit' && props.project) {
+            const { data } = await apiClient.patch(`/api/projects/${props.project.id}`, body);
+            // Backend кладёт applies_from только когда правка задела slepok-чувствительные поля.
+            appliesFrom = data?.data?.applies_from ?? null;
+        } else {
+            await apiClient.post('/api/projects', body);
+            // Create НЕ генерирует applies_from (новый проект сразу попадает в snapshot).
+        }
+        overloadOpen.value = false;
+        emit('saved', appliesFrom);
+        close();
+    } catch (e: unknown) {
+        const err = e as {
+            response?: { status?: number; data?: { error?: string; errors?: Record<string, string[]> } };
+        };
+        // Spec C §6.2: лимит превышает баланс — открываем диалог перегрузки.
+        if (err.response?.status === 409 && err.response.data?.error === 'balance_insufficient') {
+            overloadPayload.value = err.response.data as OverloadPayloadShape;
+            overloadOpen.value = true;
+        } else if (err.response?.status === 422 && err.response.data?.errors) {
+            Object.assign(errors, err.response.data.errors);
+        } else {
+            generalError.value = extractErrorMessage(e);
+        }
+    } finally {
+        saving.value = false;
+    }
+}
+
 async function submit() {
    generalError.value = null;
    Object.keys(errors).forEach((k) => delete errors[k]);
@@ -313,26 +369,18 @@ async function submit() {
        return;
    }

-    saving.value = true;
-    try {
-        await ensureCsrfCookie();
-        if (props.mode === 'edit' && props.project) {
-            await apiClient.patch(`/api/projects/${props.project.id}`, { ...form });
-        } else {
-            await apiClient.post('/api/projects', { ...form });
-        }
-        emit('saved');
-        close();
-    } catch (e: unknown) {
-        const err = e as { response?: { status?: number; data?: { errors?: Record<string, string[]> } } };
-        if (err.response?.status === 422 && err.response.data?.errors) {
-            Object.assign(errors, err.response.data.errors);
-        } else {
-            generalError.value = extractErrorMessage(e);
-        }
-    } finally {
-        saving.value = false;
-    }
+    await persist();
+}
+
+// Spec C §6.2 — исходы диалога перегрузки лимита.
+async function onOverloadSaveBlocked(): Promise<void> {
+    await persist({ force_save_blocked: true });
+}
+
+async function onOverloadSetZero(): Promise<void> {
+    form.daily_limit_target = 0;
+    overloadOpen.value = false;
+    await persist();
 }

 function close() {
@@ -0,0 +1,12 @@
+Здравствуйте, {{ $tenant->organization_name }}!
+
+Приём лидов по вашим проектам приостановлен — на счёте недостаточно средств
+на завтрашний дневной заказ.
+
+Сейчас баланса хватает на {{ $result->capacityLeads }} лидов, а ваши проекты
+заказывают {{ $result->requiredLeads }} лидов в день. Не хватает: {{ $result->deficitLeads }} лидов.
+
+Чтобы возобновить приём, пополните счёт или уменьшите дневные лимиты проектов
+до 18:00 по московскому времени.
+
+С уважением, команда Лидерра.
@@ -0,0 +1,11 @@
+Здравствуйте, {{ $tenant->organization_name }}!
+
+Приём лидов по вашим проектам приостановлен уже 3 дня из-за нехватки баланса.
+Это последнее напоминание.
+
+Баланса хватает на {{ $result->capacityLeads }} лидов, проекты заказывают
+{{ $result->requiredLeads }} в день. Не хватает: {{ $result->deficitLeads }} лидов.
+
+Чтобы возобновить приём — пополните счёт или уменьшите лимиты проектов.
+
+С уважением, команда Лидерра.
@@ -0,0 +1,10 @@
+Здравствуйте, {{ $tenant->organization_name }}!
+
+Напоминаем: приём лидов по вашим проектам всё ещё приостановлен из-за нехватки баланса.
+
+Баланса хватает на {{ $result->capacityLeads }} лидов, проекты заказывают
+{{ $result->requiredLeads }} в день. Не хватает: {{ $result->deficitLeads }} лидов.
+
+Пополните счёт или уменьшите лимиты до 18:00 МСК, чтобы возобновить приём.
+
+С уважением, команда Лидерра.
@@ -0,0 +1,10 @@
+Здравствуйте, {{ $tenant->organization_name }}!
+
+Приём лидов по вашим проектам возобновлён — баланса снова хватает на дневной заказ.
+
+Текущий запас: {{ $result->capacityLeads }} лидов, проекты заказывают
+{{ $result->requiredLeads }} в день.
+
+Заказ поставщику будет сформирован в ближайшем вечернем цикле (18:00 МСК).
+
+С уважением, команда Лидерра.
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html lang="ru">
+<head><meta charset="UTF-8"><title>Tenant business drift alert</title></head>
+<body style="font-family: Arial, sans-serif;">
+  <h3>Business-shortfall тенанта Лидерры</h3>
+  <p>Тенант <strong>#{{ $tenantId }}</strong>, дата слепка: <strong>{{ $snapshotDate }}</strong></p>
+  <ul>
+    <li>Ожидалось по слепку: <strong>{{ $expected }}</strong> лидов</li>
+    <li>Доставлено фактически: <strong>{{ $delivered }}</strong> лидов</li>
+    <li>Shortfall ratio: <strong>{{ number_format($shortfallRatio * 100, 1, ',', ' ') }}%</strong> (порог 20%)</li>
+  </ul>
+  <p>Окно сверки: <strong>{{ $windowStart->format('Y-m-d H:i') }} — {{ $windowEnd->format('Y-m-d H:i') }}</strong></p>
+  <p>Проверь причину — поставщик не закрывает заказ, расхождение масок workdays или regions, либо проект потерял eligibility внутри slepok'а.</p>
+</body>
+</html>
@@ -3,6 +3,7 @@
 use App\Jobs\Supplier\CleanupInactiveSupplierProjectsJob;
 use App\Jobs\Supplier\CsvReconcileJob;
 use App\Jobs\Supplier\RefreshSupplierSessionJob;
+use App\Jobs\SnapshotProjectRoutingJob;
 use App\Jobs\Supplier\SyncSupplierProjectsJob;
 use App\Services\SchedulerHeartbeatTracker;
 use Illuminate\Foundation\Inspiring;
@@ -64,6 +65,25 @@ Schedule::command('partitions:drop-expired')
    ->onSuccess(fn () => $hb->recordRunResult('partitions:drop-expired', true, null, null))
    ->onFailure(fn () => $hb->recordRunResult('partitions:drop-expired', false, 'Command failed', null));

+// Billing v2 Spec C §3.2: преfflight баланса в 18:00 MSK — заморозка/разморозка
+// тенантов перед формированием заказа поставщику (без «бедных» клиентов).
+// ВАЖНО: идёт ДО SyncSupplierProjectsJob (сдвинут на 18:05) — фильтр frozen-проектов
+// должен примениться к расчёту заказа того же вечера.
+Schedule::command('billing:preflight-sweep')
+    ->dailyAt('18:00')
+    ->timezone('Europe/Moscow')
+    ->onSuccess(fn () => $hb->recordRunResult('billing:preflight-sweep', true, null, null))
+    ->onFailure(fn () => $hb->recordRunResult('billing:preflight-sweep', false, 'Command failed', null));
+
+// Billing v2 Spec C §3.7: повторные письма заморозки (reminder +1д, final +3д).
+// Идёт ПОСЛЕ основного sweep — если sweep только что заморозил тенанта, окно reminder
+// (24h+) ещё не открылось, повторного письма в тот же день не будет (correct).
+Schedule::command('billing:frozen-reminder')
+    ->dailyAt('18:30')
+    ->timezone('Europe/Moscow')
+    ->onSuccess(fn () => $hb->recordRunResult('billing:frozen-reminder', true, null, null))
+    ->onFailure(fn () => $hb->recordRunResult('billing:frozen-reminder', false, 'Command failed', null));
+
 // Plan 3 Task 8: 5 Schedule entries для supplier-flow.
 //
 // NB: ->onOneServer() требует cache_locks таблицу, которой у нас нет
@@ -83,8 +103,24 @@ Schedule::job(new RefreshSupplierSessionJob)
    ->timezone('Europe/Moscow')
    ->onSuccess(fn () => $hb->recordRunResult('App\Jobs\Supplier\RefreshSupplierSessionJob@daily', true, null, null))
    ->onFailure(fn () => $hb->recordRunResult('App\Jobs\Supplier\RefreshSupplierSessionJob@daily', false, 'Job failed', null));
+// Spec 2026-05-26-slepok-routing-protection §4.2.2:
+// SnapshotProjectRoutingJob создаёт slepok №NЛ для дня N+1 в 18:02 МСК.
+// Запускается ПОСЛЕ billing:preflight-sweep (18:00) и ДО SyncSupplierProjectsJob (18:05).
+Schedule::job(new SnapshotProjectRoutingJob)
+    ->dailyAt('18:02')
+    ->timezone('Europe/Moscow')
+    ->before(fn () => $startTimes['SnapshotProjectRoutingJob'] = microtime(true))
+    ->onSuccess(function () use ($hb, &$startTimes): void {
+        $name = 'SnapshotProjectRoutingJob';
+        $ms = isset($startTimes[$name]) ? (int) ((microtime(true) - $startTimes[$name]) * 1000) : null;
+        $hb->recordRunResult($name, true, null, $ms);
+    })
+    ->onFailure(fn () => $hb->recordRunResult('SnapshotProjectRoutingJob', false, 'Job failed', null));
+
+// Billing v2 Spec C: сдвинут 18:00 → 18:05, чтобы billing:preflight-sweep (18:00)
+// успел проставить frozen-флаги до формирования заказа поставщику.
 Schedule::job(new SyncSupplierProjectsJob)
-    ->dailyAt('18:00')
+    ->dailyAt('18:05')
    ->timezone('Europe/Moscow')
    ->onSuccess(fn () => $hb->recordRunResult('App\Jobs\Supplier\SyncSupplierProjectsJob', true, null, null))
    ->onFailure(fn () => $hb->recordRunResult('App\Jobs\Supplier\SyncSupplierProjectsJob', false, 'Job failed', null));
@@ -189,6 +189,7 @@ Route::middleware(['auth:sanctum', 'tenant'])->prefix('/api/billing/charges')->g
 Route::middleware(['auth:sanctum', 'tenant'])->prefix('/api/billing')->group(function () {
    Route::post('/topup', 'App\Http\Controllers\Api\BillingController@topup');
    Route::get('/wallet', 'App\Http\Controllers\Api\BillingController@wallet');
+    Route::get('/balance-status', 'App\Http\Controllers\Api\BillingController@balanceStatus');
    Route::get('/transactions', 'App\Http\Controllers\Api\BillingController@transactions');
    Route::get('/invoices', 'App\Http\Controllers\Api\BillingController@invoices');
 });
@@ -0,0 +1,126 @@
+<?php
+
+declare(strict_types=1);
+
+use App\Models\Tenant;
+use Illuminate\Foundation\Testing\DatabaseTransactions;
+use Illuminate\Support\Facades\DB;
+
+uses(DatabaseTransactions::class);
+
+/**
+ * Race-condition reproduction test for audit_chain_hash() trigger.
+ *
+ * Two tests:
+ *  1. pcntl_fork-based concurrent INSERT test — skipped on Windows (no pcntl).
+ *     Expected: FAIL before migration (concurrent inserts branch the chain),
+ *               PASS after migration (advisory lock serialises inserts).
+ *
+ *  2. pg_locks advisory lock presence test — runs on Windows.
+ *     Asserts that within an INSERT transaction the advisory lock key derived
+ *     from the partition OID is held (proves the lock is actually acquired).
+ */
+
+it(
+    'audit_chain_hash trigger preserves sequential chain under concurrent INSERTs',
+    function (): void {
+        $tenant = Tenant::factory()->create();
+        DB::statement('SET LOCAL app.current_tenant_id = '.$tenant->id);
+
+        $startCount = DB::table('activity_log')
+            ->where('tenant_id', $tenant->id)
+            ->count();
+
+        // Spawn 5 concurrent processes each inserting into activity_log for the same tenant.
+        // Without advisory lock, concurrent reads of prev_hash return the same value
+        // → multiple rows hash to the same prev → chain branch → validator fails.
+        $pids = [];
+        for ($i = 0; $i < 5; $i++) {
+            $pid = pcntl_fork();
+            if ($pid === 0) {
+                // Child: own DB connection, own transaction
+                DB::reconnect();
+                DB::statement('SET LOCAL app.current_tenant_id = '.$tenant->id);
+                DB::table('activity_log')->insert([
+                    'tenant_id' => $tenant->id,
+                    'event'     => 'deal.created',
+                    'context'   => json_encode(['worker' => $i]),
+                    'created_at' => now(),
+                ]);
+                exit(0);
+            }
+            $pids[] = $pid;
+        }
+        foreach ($pids as $pid) {
+            pcntl_waitpid($pid, $status);
+        }
+
+        $rows = DB::table('activity_log')
+            ->where('tenant_id', $tenant->id)
+            ->orderBy('id')
+            ->get(['id', 'log_hash']);
+
+        expect($rows->count())->toBe($startCount + 5);
+
+        // Run the chain validator; it should find no mismatches (after migration).
+        $exitCode = $this->artisan('audit:verify-chains')->run();
+        expect($exitCode)->toBe(0);
+    }
+)->skip(! function_exists('pcntl_fork'), 'pcntl required for race-condition test (not available on Windows)');
+
+it('audit_chain_hash holds pg_advisory_xact_lock on the partition OID during INSERT', function (): void {
+    $tenant = Tenant::factory()->create();
+    DB::statement('SET LOCAL app.current_tenant_id = '.$tenant->id);
+
+    // Resolve the OID of the current-month activity_log partition (or parent).
+    $partitionName = 'activity_log_y'.date('Y').'_m'.date('m');
+    $oid = DB::selectOne(
+        "SELECT COALESCE(
+            (SELECT c.oid FROM pg_class c WHERE c.relname = ?),
+            (SELECT c.oid FROM pg_class c WHERE c.relname = 'activity_log')
+        ) AS oid",
+        [$partitionName]
+    )?->oid;
+
+    expect($oid)->not->toBeNull('Could not resolve partition/parent OID');
+
+    // Compute the lock key using the same formula as the trigger:
+    //   ('x' || lpad(to_hex(TG_RELID::int), 16, '0'))::bit(64)::bigint
+    $lockKeyRow = DB::selectOne(
+        "SELECT ('x' || lpad(to_hex(?::int), 16, '0'))::bit(64)::bigint AS lock_key",
+        [(int) $oid]
+    );
+    $lockKey = $lockKeyRow?->lock_key;
+    expect($lockKey)->not->toBeNull();
+
+    // Wrap an INSERT in a transaction and check pg_locks DURING that transaction.
+    $lockHeld = false;
+    DB::transaction(function () use ($tenant, $lockKey, &$lockHeld): void {
+        DB::table('activity_log')->insert([
+            'tenant_id'  => $tenant->id,
+            'event'      => 'deal.created',
+            'context'    => json_encode(['test' => 'advisory_lock_check']),
+            'created_at' => now(),
+        ]);
+
+        // pg_advisory_xact_lock releases at END of transaction — still held here.
+        $held = DB::selectOne(
+            'SELECT EXISTS (
+                SELECT 1
+                FROM pg_locks
+                WHERE locktype = \'advisory\'
+                  AND classid  = (? >> 32)::int
+                  AND objid    = (? & x\'ffffffff\'::bigint)::int
+                  AND granted  = true
+                  AND pid      = pg_backend_pid()
+             ) AS held',
+            [(int) $lockKey, (int) $lockKey]
+        );
+        $lockHeld = (bool) ($held->held ?? false);
+    });
+
+    expect($lockHeld)->toBeTrue(
+        'pg_advisory_xact_lock was not observed in pg_locks during the INSERT transaction. '
+        .'This means the migration has not been applied or the lock key formula is wrong.'
+    );
+});
@@ -0,0 +1,324 @@
+<?php
+
+// Tests for audit:rebuild-chain command (Task 3).
+
+declare(strict_types=1);
+
+use App\Models\Tenant;
+use Illuminate\Foundation\Testing\DatabaseTransactions;
+use Illuminate\Support\Facades\Artisan;
+use Illuminate\Support\Facades\DB;
+use Tests\Concerns\SharesSupplierPdo;
+
+uses(DatabaseTransactions::class);
+uses(SharesSupplierPdo::class);
+
+/**
+ * Tests for audit:rebuild-chain command.
+ *
+ * Verifies that:
+ * 1. The command recomputes log_hash values using the same formula as audit_chain_hash():
+ *      digest(COALESCE(prev_hash, ''::bytea) || ROW(col1, ..., NULL::bytea, ..., coln)::text::bytea, 'sha256')
+ * 2. The rebuilt hashes match what VerifyAuditChains expects (validates as intact).
+ * 3. --dry-run does not modify hashes.
+ * 4. Unknown partition names are rejected.
+ *
+ * Note: we use direct SQL verification (mirroring VerifyAuditChains logic)
+ * rather than calling audit:verify-chains, because the full command checks ALL
+ * partitions and a pre-existing mismatch in any other partition would cause
+ * false failure. This keeps the test focused on our specific partition.
+ */
+
+/**
+ * Check chain integrity for a specific partition using the same SQL as VerifyAuditChains.
+ * Returns the count of mismatched rows (0 = intact).
+ */
+function checkPartitionIntegrity(string $partition, string $partitionClause, string $rowExpr): int
+{
+    $overClause = $partitionClause !== ''
+        ? "({$partitionClause} ORDER BY id)"
+        : '(ORDER BY id)';
+
+    $sql = <<<SQL
+        WITH ordered AS (
+            SELECT
+                id,
+                log_hash AS stored_hash,
+                LAG(log_hash) OVER {$overClause} AS prev_hash
+            FROM {$partition}
+        )
+        SELECT count(*) AS cnt
+        FROM ordered o
+        WHERE o.stored_hash IS DISTINCT FROM
+            digest(
+                COALESCE(o.prev_hash, ''::bytea)
+                || (SELECT {$rowExpr}::text::bytea FROM {$partition} t WHERE t.id = o.id),
+                'sha256'
+            )
+    SQL;
+
+    $result = DB::connection('pgsql_supplier')->selectOne($sql);
+
+    return (int) ($result?->cnt ?? 0);
+}
+
+// Column list for activity_log (must match VerifyAuditChains::TABLE_CONFIG).
+const ACTIVITY_LOG_ROW_EXPR = 'ROW(t.id, t.tenant_id, t.user_id, t.deal_id, t.event, t.old_value, t.new_value, t.context, t.ip_address, t.user_agent, NULL::bytea, t.created_at)';
+
+// Column list for balance_transactions (must match VerifyAuditChains::TABLE_CONFIG).
+const BALANCE_TX_ROW_EXPR = 'ROW(t.id, t.tenant_id, t.type, t.amount_rub, t.amount_leads, t.balance_rub_after, t.balance_leads_after, t.description, t.related_type, t.related_id, t.user_id, t.admin_user_id, NULL::bytea, t.created_at)';
+
+it('audit:rebuild-chain repairs broken hash chain from given id in activity_log', function (): void {
+    $tenant = Tenant::factory()->create();
+
+    DB::statement('SET app.current_tenant_id = '.$tenant->id);
+
+    // Insert 3 valid rows via normal flow (trigger writes correct hashes).
+    DB::table('activity_log')->insert([
+        ['tenant_id' => $tenant->id, 'user_id' => null, 'deal_id' => 1, 'event' => 'deal.created', 'context' => null, 'created_at' => now()],
+        ['tenant_id' => $tenant->id, 'user_id' => null, 'deal_id' => 1, 'event' => 'deal.updated', 'context' => null, 'created_at' => now()->addMicrosecond()],
+        ['tenant_id' => $tenant->id, 'user_id' => null, 'deal_id' => 1, 'event' => 'deal.closed', 'context' => null, 'created_at' => now()->addMicroseconds(2)],
+    ]);
+
+    $rows = DB::table('activity_log')
+        ->where('tenant_id', $tenant->id)
+        ->orderBy('id')
+        ->get(['id', 'log_hash', 'event']);
+
+    expect($rows)->toHaveCount(3);
+
+    $partition = 'activity_log_y'.now()->format('Y').'_m'.now()->format('m');
+
+    // Verify initial state: chain is intact for our tenant's rows.
+    $initialMismatches = checkPartitionIntegrity(
+        $partition,
+        'PARTITION BY tenant_id',
+        ACTIVITY_LOG_ROW_EXPR,
+    );
+    expect($initialMismatches)->toBe(0, 'Initial chain should be intact');
+
+    // Manually corrupt row 2's log_hash (simulating race-condition branch).
+    DB::statement("SET session_replication_role = 'replica'");
+    DB::statement('UPDATE activity_log SET log_hash = \'\\xdeadbeef\'::bytea WHERE id = '.$rows[1]->id);
+    DB::statement("SET session_replication_role = 'origin'");
+
+    // Verify: now there's a mismatch (row 2 + row 3 that depends on row 2).
+    $mismatchesBefore = checkPartitionIntegrity(
+        $partition,
+        'PARTITION BY tenant_id',
+        ACTIVITY_LOG_ROW_EXPR,
+    );
+    expect($mismatchesBefore)->toBeGreaterThan(0, 'Chain should have mismatch after corruption');
+
+    // Rebuild from the corrupted row onwards.
+    $fromId = $rows[1]->id;
+
+    $exitRebuild = Artisan::call('audit:rebuild-chain', [
+        '--partition' => $partition,
+        '--from-id' => $fromId,
+        '--force' => true,
+    ]);
+    expect($exitRebuild)->toBe(0);
+
+    // Verify: chain is now intact again.
+    $mismatchesAfter = checkPartitionIntegrity(
+        $partition,
+        'PARTITION BY tenant_id',
+        ACTIVITY_LOG_ROW_EXPR,
+    );
+    expect($mismatchesAfter)->toBe(0, 'Chain should be intact after rebuild');
+
+    // Verify the hashes actually changed (the corrupt value was replaced).
+    $rebuilt = DB::table('activity_log')
+        ->where('tenant_id', $tenant->id)
+        ->where('id', '>=', $fromId)
+        ->orderBy('id')
+        ->pluck('log_hash');
+
+    foreach ($rebuilt as $hash) {
+        // BYTEA columns returned as PHP stream resources via PDO pgsql driver.
+        $bin = is_resource($hash) ? stream_get_contents($hash) : (string) $hash;
+        expect(bin2hex($bin))->not->toBe('deadbeef')
+            ->and(strlen($bin))->toBe(32); // sha256 = 32 bytes
+    }
+});
+
+it('audit:rebuild-chain works for balance_transactions partition', function (): void {
+    $tenant = Tenant::factory()->create();
+
+    DB::statement('SET app.current_tenant_id = '.$tenant->id);
+
+    DB::table('balance_transactions')->insert([
+        ['tenant_id' => $tenant->id, 'type' => 'topup', 'amount_rub' => 100, 'amount_leads' => 0, 'created_at' => now()],
+        ['tenant_id' => $tenant->id, 'type' => 'lead_charge', 'amount_rub' => -10, 'amount_leads' => 0, 'created_at' => now()->addMicrosecond()],
+    ]);
+
+    $rows = DB::table('balance_transactions')
+        ->where('tenant_id', $tenant->id)
+        ->orderBy('id')
+        ->get(['id', 'log_hash']);
+
+    expect($rows)->toHaveCount(2);
+
+    $partition = 'balance_transactions_y'.now()->format('Y').'_m'.now()->format('m');
+
+    // Corrupt second row.
+    DB::statement("SET session_replication_role = 'replica'");
+    DB::statement('UPDATE balance_transactions SET log_hash = \'\\xbaadf00d\'::bytea WHERE id = '.$rows[1]->id);
+    DB::statement("SET session_replication_role = 'origin'");
+
+    $mismatchesBefore = checkPartitionIntegrity($partition, 'PARTITION BY tenant_id', BALANCE_TX_ROW_EXPR);
+    expect($mismatchesBefore)->toBeGreaterThan(0);
+
+    $exit = Artisan::call('audit:rebuild-chain', [
+        '--partition' => $partition,
+        '--from-id' => $rows[1]->id,
+        '--force' => true,
+    ]);
+    expect($exit)->toBe(0);
+
+    $mismatchesAfter = checkPartitionIntegrity($partition, 'PARTITION BY tenant_id', BALANCE_TX_ROW_EXPR);
+    expect($mismatchesAfter)->toBe(0, 'Balance transaction chain should be intact after rebuild');
+});
+
+it('audit:rebuild-chain --dry-run does not modify hashes', function (): void {
+    $tenant = Tenant::factory()->create();
+
+    DB::statement('SET app.current_tenant_id = '.$tenant->id);
+
+    DB::table('activity_log')->insert([
+        ['tenant_id' => $tenant->id, 'user_id' => null, 'deal_id' => 1, 'event' => 'dry.run.test', 'context' => null, 'created_at' => now()],
+    ]);
+
+    $row = DB::table('activity_log')
+        ->where('tenant_id', $tenant->id)
+        ->orderByDesc('id')
+        ->first(['id', 'log_hash']);
+
+    // Corrupt the hash.
+    DB::statement("SET session_replication_role = 'replica'");
+    DB::statement('UPDATE activity_log SET log_hash = \'\\xcafebabe\'::bytea WHERE id = '.$row->id);
+    DB::statement("SET session_replication_role = 'origin'");
+
+    $partition = 'activity_log_y'.now()->format('Y').'_m'.now()->format('m');
+
+    Artisan::call('audit:rebuild-chain', [
+        '--partition' => $partition,
+        '--from-id' => $row->id,
+        '--dry-run' => true,
+    ]);
+
+    // Hash must remain corrupted — dry-run made no changes.
+    // BYTEA columns are returned as PHP stream resources via PDO pgsql driver.
+    $afterRaw = DB::table('activity_log')->where('id', $row->id)->value('log_hash');
+    $afterBin = is_resource($afterRaw) ? stream_get_contents($afterRaw) : (string) $afterRaw;
+    expect(bin2hex($afterBin))->toBe('cafebabe');
+});
+
+it('audit:rebuild-chain rejects unknown partition names', function (): void {
+    Artisan::call('audit:rebuild-chain', [
+        '--partition' => 'deals_y2026_m05',  // not an audit table
+        '--from-id' => 1,
+        '--force' => true,
+    ]);
+    expect(Artisan::output())->toContain('поддерживаемым аудит-таблицам');
+});
+
+// ──────────────────────────────────────────────────────────────────────────────
+// ADR-018 Task 3: failing tests для per-tenant rebuild (RED phase).
+// После Task 4 (per-tenant LAG OVER) — должны стать PASS.
+// ──────────────────────────────────────────────────────────────────────────────
+
+// Column list for auth_log (must match AuditChainConfig::TABLES['auth_log']).
+const AUTH_LOG_ROW_EXPR = 'ROW(t.id, t.actor_type, t.tenant_id, t.user_id, t.saas_admin_user_id, t.email, t.event, t.ip_address, t.user_agent, t.failure_reason, NULL::bytea, t.created_at)';
+
+it('audit:rebuild-chain produces per-tenant chain matching trigger semantics в activity_log', function (): void {
+    $tenantA = Tenant::factory()->create();
+    $tenantB = Tenant::factory()->create();
+
+    // Tenant A — 2 rows.
+    DB::statement('SET app.current_tenant_id = '.$tenantA->id);
+    DB::table('activity_log')->insert([
+        ['tenant_id' => $tenantA->id, 'user_id' => null, 'deal_id' => 1, 'event' => 'deal.a1', 'context' => null, 'created_at' => now()],
+        ['tenant_id' => $tenantA->id, 'user_id' => null, 'deal_id' => 1, 'event' => 'deal.a2', 'context' => null, 'created_at' => now()->addMicrosecond()],
+    ]);
+
+    // Tenant B — 2 rows (interleaved IDs with tenant A, но цепочка независимая per-tenant).
+    DB::statement('SET app.current_tenant_id = '.$tenantB->id);
+    DB::table('activity_log')->insert([
+        ['tenant_id' => $tenantB->id, 'user_id' => null, 'deal_id' => 2, 'event' => 'deal.b1', 'context' => null, 'created_at' => now()->addMicroseconds(2)],
+        ['tenant_id' => $tenantB->id, 'user_id' => null, 'deal_id' => 2, 'event' => 'deal.b2', 'context' => null, 'created_at' => now()->addMicroseconds(3)],
+    ]);
+
+    $partition = 'activity_log_y'.now()->format('Y').'_m'.now()->format('m');
+    $firstId = (int) DB::connection('pgsql_supplier')->table($partition)->min('id');
+
+    // NB: pre-rebuild sanity-check на trigger output опущен намеренно — в test env
+    // `SharesSupplierPdo` trait + postgres superuser обходят RLS, и trigger пишет
+    // global chain, а не per-tenant. На prod RLS активен и trigger пишет per-tenant
+    // (валидация — live `audit:verify-chains` на проде, не в этом тесте).
+    //
+    // Что тестируется здесь: AFTER rebuild чейн должен match семантике своего
+    // partition_clause (self-consistency). Pre-Task-4 rebuild делает global LAG →
+    // verify с PARTITION BY tenant_id обнаруживает mismatch → RED. Post-Task-4
+    // rebuild делает per-tenant LAG → verify с PARTITION BY tenant_id match → GREEN.
+
+    $exit = Artisan::call('audit:rebuild-chain', [
+        '--partition' => $partition,
+        '--from-id' => $firstId,
+        '--force' => true,
+    ]);
+    expect($exit)->toBe(0);
+
+    $postMismatches = checkPartitionIntegrity($partition, 'PARTITION BY tenant_id', ACTIVITY_LOG_ROW_EXPR);
+    expect($postMismatches)->toBe(0, 'Rebuild должен produce per-tenant chain matching PARTITION BY tenant_id semantics (ADR-018)');
+});
+
+it('audit:rebuild-chain produces global chain for BYPASSRLS auth_log', function (): void {
+    // auth_log пишется под BYPASSRLS pre-auth role. INSERT direct через pgsql_supplier.
+    DB::connection('pgsql_supplier')->table('auth_log')->insert([
+        ['actor_type' => 'tenant_user', 'tenant_id' => null, 'event' => 'login', 'email' => 'a@x.com', 'created_at' => now()],
+        ['actor_type' => 'tenant_user', 'tenant_id' => null, 'event' => 'login', 'email' => 'b@x.com', 'created_at' => now()->addMicrosecond()],
+    ]);
+
+    $partition = 'auth_log_y'.now()->format('Y').'_m'.now()->format('m');
+    $firstId = (int) DB::connection('pgsql_supplier')->table($partition)->min('id');
+
+    $preMismatches = checkPartitionIntegrity($partition, '', AUTH_LOG_ROW_EXPR);
+    expect($preMismatches)->toBe(0, 'Trigger writes global chain correctly for auth_log');
+
+    $exit = Artisan::call('audit:rebuild-chain', [
+        '--partition' => $partition,
+        '--from-id' => $firstId,
+        '--force' => true,
+    ]);
+    expect($exit)->toBe(0);
+
+    $postMismatches = checkPartitionIntegrity($partition, '', AUTH_LOG_ROW_EXPR);
+    expect($postMismatches)->toBe(0, 'Rebuild должен сохранить global chain для BYPASSRLS-таблицы');
+});
+
+it('audit:rebuild-chain handles single-row partition (first row of tenant) корректно', function (): void {
+    $tenant = Tenant::factory()->create();
+    DB::statement('SET app.current_tenant_id = '.$tenant->id);
+
+    DB::table('activity_log')->insert([
+        'tenant_id' => $tenant->id, 'user_id' => null, 'deal_id' => 1,
+        'event' => 'deal.solo', 'context' => null, 'created_at' => now(),
+    ]);
+
+    $partition = 'activity_log_y'.now()->format('Y').'_m'.now()->format('m');
+    $firstId = (int) DB::connection('pgsql_supplier')->table($partition)
+        ->where('tenant_id', $tenant->id)
+        ->min('id');
+
+    $exit = Artisan::call('audit:rebuild-chain', [
+        '--partition' => $partition,
+        '--from-id' => $firstId,
+        '--force' => true,
+    ]);
+    expect($exit)->toBe(0);
+
+    $postMismatches = checkPartitionIntegrity($partition, 'PARTITION BY tenant_id', ACTIVITY_LOG_ROW_EXPR);
+    expect($postMismatches)->toBe(0, 'Single-row per-tenant partition должен остаться intact');
+});
@@ -0,0 +1,65 @@
+<?php
+
+// Tests for audit:verify-chains command — regression guard for Task 2 refactor.
+// Verifies that the command uses AuditChainConfig::TABLES (shared config)
+// and that AuditChainConfig::rowExpression() works for all registered tables.
+
+declare(strict_types=1);
+
+use App\Console\Commands\VerifyAuditChains;
+use App\Services\Audit\AuditChainConfig;
+
+/**
+ * Regression tests for VerifyAuditChains → AuditChainConfig refactor (ADR-018 Task 2).
+ *
+ * These tests do NOT require a DB connection — they verify the static config
+ * integrity used by both VerifyAuditChains and AuditRebuildChain.
+ */
+it('AuditChainConfig::TABLES registers all six expected audit tables', function (): void {
+    $tables = array_keys(AuditChainConfig::TABLES);
+
+    expect($tables)->toContain('auth_log')
+        ->toContain('activity_log')
+        ->toContain('tenant_operations_log')
+        ->toContain('balance_transactions')
+        ->toContain('pd_processing_log')
+        ->toContain('saas_admin_audit_log');
+
+    expect(count($tables))->toBe(6);
+});
+
+it('AuditChainConfig::rowExpression builds ROW expression with NULL::bytea at log_hash position', function (): void {
+    $expr = AuditChainConfig::rowExpression('auth_log');
+
+    expect($expr)->toStartWith('ROW(')
+        ->toContain('NULL::bytea')
+        ->not->toContain('t.__log_hash__');
+});
+
+it('AuditChainConfig::rowExpression produces same result for all six tables', function (): void {
+    foreach (array_keys(AuditChainConfig::TABLES) as $table) {
+        $expr = AuditChainConfig::rowExpression($table);
+
+        expect($expr)
+            ->toStartWith('ROW(')
+            ->toContain('NULL::bytea')
+            ->not->toContain('t.__log_hash__');
+    }
+});
+
+it('AuditChainConfig::rowExpression throws for unknown table', function (): void {
+    AuditChainConfig::rowExpression('nonexistent_table');
+})->throws(InvalidArgumentException::class);
+
+it('VerifyAuditChains command class exists and is registered', function (): void {
+    expect(class_exists(VerifyAuditChains::class))->toBeTrue();
+});
+
+it('VerifyAuditChains does not have private TABLE_CONFIG const after ADR-018 refactor', function (): void {
+    $reflection = new ReflectionClass(VerifyAuditChains::class);
+    $constants = $reflection->getReflectionConstants();
+    $names = array_map(fn ($c) => $c->getName(), $constants);
+
+    // After Task 2 refactor, TABLE_CONFIG should be removed (delegated to AuditChainConfig::TABLES)
+    expect($names)->not->toContain('TABLE_CONFIG');
+});
@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+use App\Mail\BalanceFrozenMail;
+use App\Mail\BalanceUnfrozenMail;
+use App\Models\Tenant;
+use App\Services\Billing\PreflightResult;
+
+it('renders frozen mail with deficit', function () {
+    $tenant = Tenant::factory()->create(['organization_name' => 'ООО Альфа']);
+    $result = new PreflightResult(false, 30, 20, 10);
+
+    $rendered = (new BalanceFrozenMail($tenant, $result))->render();
+
+    expect($rendered)->toContain('приостановлен');
+    expect($rendered)->toContain('10'); // дефицит лидов
+    expect($rendered)->toContain('ООО Альфа');
+});
+
+it('renders unfrozen mail', function () {
+    $tenant = Tenant::factory()->create(['organization_name' => 'ООО Бета']);
+    $result = new PreflightResult(true, 25, 40, 0);
+
+    $rendered = (new BalanceUnfrozenMail($tenant, $result))->render();
+
+    expect($rendered)->toContain('возобновлён');
+    expect($rendered)->toContain('ООО Бета');
+});
@@ -0,0 +1,101 @@
+<?php
+
+declare(strict_types=1);
+
+use App\Jobs\Billing\BalanceFrozenReminderJob;
+use App\Mail\BalanceFrozenFinalMail;
+use App\Mail\BalanceFrozenReminderMail;
+use App\Models\PricingTier;
+use App\Models\Project;
+use App\Models\Tenant;
+use Illuminate\Foundation\Testing\DatabaseTransactions;
+use Illuminate\Support\Carbon;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Mail;
+use Tests\Concerns\SharesSupplierPdo;
+
+// Изоляция: liderra_testing persistent — DatabaseTransactions откатывает default-pgsql,
+// SharesSupplierPdo делает pgsql_supplier общим PDO (паттерн Спека B / Task 1.4).
+// Per-tenant Mail-фильтры обязательны — DemoSeeder тенанты могут попасть в sweep
+// (прецедент idempotent-fixup 55a1bc05).
+uses(DatabaseTransactions::class);
+uses(SharesSupplierPdo::class);
+
+beforeEach(function () {
+    // RLS-контекст (системный tenant 0).
+    DB::statement("SELECT set_config('app.current_tenant_id', '0', true)");
+    PricingTier::query()->create([
+        'tier_no' => 1,
+        'leads_in_tier' => null,
+        'price_per_lead_kopecks' => 5000,
+        'is_active' => true,
+        'effective_from' => now(),
+    ]);
+});
+
+it('sends reminder ~1 day after freeze', function () {
+    Mail::fake();
+    // frozen 25h назад — попадает в окно reminder (24-48h).
+    Carbon::setTestNow('2026-05-25 12:00:00');
+    $tenant = Tenant::factory()->create([
+        'balance_rub' => '0.00',
+        'frozen_by_balance_at' => Carbon::now()->subHours(25),
+    ]);
+    Project::factory()->for($tenant)->create(['is_active' => true, 'daily_limit_target' => 25]);
+
+    (new BalanceFrozenReminderJob)->handle();
+
+    Mail::assertQueued(BalanceFrozenReminderMail::class, fn ($mail) => $mail->tenant->id === $tenant->id);
+    Mail::assertNotQueued(BalanceFrozenFinalMail::class, fn ($mail) => $mail->tenant->id === $tenant->id);
+});
+
+it('sends final ~3 days after freeze', function () {
+    Mail::fake();
+    // frozen 73h назад — попадает в окно final (72-96h).
+    Carbon::setTestNow('2026-05-25 12:00:00');
+    $tenant = Tenant::factory()->create([
+        'balance_rub' => '0.00',
+        'frozen_by_balance_at' => Carbon::now()->subHours(73),
+    ]);
+    Project::factory()->for($tenant)->create(['is_active' => true, 'daily_limit_target' => 25]);
+
+    (new BalanceFrozenReminderJob)->handle();
+
+    Mail::assertQueued(BalanceFrozenFinalMail::class, fn ($mail) => $mail->tenant->id === $tenant->id);
+    Mail::assertNotQueued(BalanceFrozenReminderMail::class, fn ($mail) => $mail->tenant->id === $tenant->id);
+});
+
+it('sends nothing for freshly frozen tenant', function () {
+    Mail::fake();
+    // frozen 2h назад — окно ещё не открылось.
+    Carbon::setTestNow('2026-05-25 12:00:00');
+    $tenant = Tenant::factory()->create([
+        'balance_rub' => '0.00',
+        'frozen_by_balance_at' => Carbon::now()->subHours(2),
+    ]);
+    Project::factory()->for($tenant)->create(['is_active' => true, 'daily_limit_target' => 25]);
+
+    (new BalanceFrozenReminderJob)->handle();
+
+    Mail::assertNotQueued(BalanceFrozenReminderMail::class, fn ($mail) => $mail->tenant->id === $tenant->id);
+    Mail::assertNotQueued(BalanceFrozenFinalMail::class, fn ($mail) => $mail->tenant->id === $tenant->id);
+});
+
+it('is throttled — does not re-send reminder for same tenant in window', function () {
+    Mail::fake();
+    Carbon::setTestNow('2026-05-25 12:00:00');
+    $tenant = Tenant::factory()->create([
+        'balance_rub' => '0.00',
+        'frozen_by_balance_at' => Carbon::now()->subHours(25),
+    ]);
+    Project::factory()->for($tenant)->create(['is_active' => true, 'daily_limit_target' => 25]);
+
+    // Первый прогон — отправляет reminder.
+    (new BalanceFrozenReminderJob)->handle();
+    Mail::assertQueued(BalanceFrozenReminderMail::class, fn ($mail) => $mail->tenant->id === $tenant->id);
+
+    // Сброс fake и второй прогон в том же окне — повторного письма быть не должно.
+    Mail::fake();
+    (new BalanceFrozenReminderJob)->handle();
+    Mail::assertNotQueued(BalanceFrozenReminderMail::class, fn ($mail) => $mail->tenant->id === $tenant->id);
+});
@@ -0,0 +1,169 @@
+<?php
+
+declare(strict_types=1);
+
+use App\Jobs\Billing\BalancePreflightSweepJob;
+use App\Jobs\SyncSupplierProjectJob;
+use App\Mail\BalanceFrozenMail;
+use App\Models\PricingTier;
+use App\Models\Project;
+use App\Models\Tenant;
+use Illuminate\Foundation\Testing\DatabaseTransactions;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Mail;
+use Illuminate\Support\Facades\Queue;
+use Tests\Concerns\SharesSupplierPdo;
+
+// Изоляция: liderra_testing persistent (RefreshDatabase off). DatabaseTransactions
+// откатывает default-pgsql после каждого теста; SharesSupplierPdo делает pgsql_supplier
+// общим PDO с pgsql — иначе job-запись balance_freeze_log (pgsql_supplier) не видит
+// незакоммиченного tenant и падает на FK (паттерн Спека B / AutoPauseFlowTest).
+uses(DatabaseTransactions::class);
+uses(SharesSupplierPdo::class);
+
+beforeEach(function () {
+    // RLS-контекст (системный tenant 0) — паттерн supplier-тестов.
+    DB::statement("SELECT set_config('app.current_tenant_id', '0', true)");
+    PricingTier::query()->create(['tier_no' => 1, 'leads_in_tier' => null, 'price_per_lead_kopecks' => 5000, 'is_active' => true, 'effective_from' => now()]);
+});
+
+it('freezes tenant whose balance no longer covers daily limit', function () {
+    Mail::fake();
+    // 500₽ / 50₽ = 10 лидов; проекты хотят 25 → заморозка.
+    $tenant = Tenant::factory()->create(['balance_rub' => '500.00', 'frozen_by_balance_at' => null]);
+    Project::factory()->for($tenant)->create(['is_active' => true, 'daily_limit_target' => 25]);
+
+    (new BalancePreflightSweepJob)->handle();
+
+    expect($tenant->fresh()->frozen_by_balance_at)->not->toBeNull();
+    Mail::assertQueued(BalanceFrozenMail::class);
+});
+
+it('unfreezes tenant whose balance now covers daily limit', function () {
+    Mail::fake();
+    // 2000₽ / 50₽ = 40 лидов; хотят 25 → разморозка.
+    $tenant = Tenant::factory()->create(['balance_rub' => '2000.00', 'frozen_by_balance_at' => now()->subDay()]);
+    Project::factory()->for($tenant)->create(['is_active' => true, 'daily_limit_target' => 25]);
+
+    (new BalancePreflightSweepJob)->handle();
+
+    expect($tenant->fresh()->frozen_by_balance_at)->toBeNull();
+});
+
+it('is idempotent — does not re-freeze already frozen tenant', function () {
+    Mail::fake();
+    $frozenAt = now()->subDay();
+    $tenant = Tenant::factory()->create(['balance_rub' => '0.00', 'frozen_by_balance_at' => $frozenAt]);
+    Project::factory()->for($tenant)->create(['is_active' => true, 'daily_limit_target' => 25]);
+
+    (new BalancePreflightSweepJob)->handle();
+
+    // Дата заморозки не перезаписана; для ЭТОГО tenant повторного письма нет.
+    // NB: per-tenant фильтр, т.к. liderra_testing persistent (DemoSeeder тенанты
+    // могут попасть в sweep и тоже получить BalanceFrozenMail — не наш ответ).
+    expect($tenant->fresh()->frozen_by_balance_at->timestamp)->toBe($frozenAt->timestamp);
+    Mail::assertNotQueued(BalanceFrozenMail::class, fn ($mail) => $mail->tenant->id === $tenant->id);
+});
+
+// Spec C extension (26.05.2026): freeze/unfreeze дёргают supplier sync в режиме 'online'.
+// Привязка к существующему админ-переключателю SupplierExportMode (system_settings.supplier_export_mode).
+// Online нужен сейчас для отладки (моментальный sync с поставщиком); batch будет рабочим режимом
+// при росте числа клиентов (накопленные изменения уезжают одним cut-off-cron'ом в 18:00 MSK).
+
+it('dispatches SyncSupplierProjectJob for each active project on freeze when supplier mode is online', function () {
+    Mail::fake();
+    Queue::fake();
+    DB::table('system_settings')->updateOrInsert(['key' => 'supplier_export_mode'], ['value' => 'online']);
+
+    // 500₽ / 50₽ = 10 лидов; 2 проекта по 15 = 30 → заморозка.
+    $tenant = Tenant::factory()->create(['balance_rub' => '500.00', 'frozen_by_balance_at' => null]);
+    $p1 = Project::factory()->for($tenant)->create(['is_active' => true, 'daily_limit_target' => 15]);
+    $p2 = Project::factory()->for($tenant)->create(['is_active' => true, 'daily_limit_target' => 15]);
+
+    (new BalancePreflightSweepJob)->handle();
+
+    expect($tenant->fresh()->frozen_by_balance_at)->not->toBeNull();
+    Queue::assertPushed(SyncSupplierProjectJob::class, fn (SyncSupplierProjectJob $job) => $job->projectId === $p1->id);
+    Queue::assertPushed(SyncSupplierProjectJob::class, fn (SyncSupplierProjectJob $job) => $job->projectId === $p2->id);
+});
+
+it('does NOT dispatch SyncSupplierProjectJob on freeze when supplier mode is batch', function () {
+    Mail::fake();
+    Queue::fake();
+    DB::table('system_settings')->updateOrInsert(['key' => 'supplier_export_mode'], ['value' => 'batch']);
+
+    $tenant = Tenant::factory()->create(['balance_rub' => '500.00', 'frozen_by_balance_at' => null]);
+    Project::factory()->for($tenant)->create(['is_active' => true, 'daily_limit_target' => 25]);
+
+    (new BalancePreflightSweepJob)->handle();
+
+    expect($tenant->fresh()->frozen_by_balance_at)->not->toBeNull();
+    // batch-режим: sync с поставщиком отложен до cut-off 18:00 MSK через SyncSupplierProjectsJob (множественный).
+    Queue::assertNotPushed(SyncSupplierProjectJob::class, fn (SyncSupplierProjectJob $job) => $job->projectId === Project::query()->where('tenant_id', $tenant->id)->value('id'));
+});
+
+it('dispatches SyncSupplierProjectJob on unfreeze when supplier mode is online', function () {
+    Mail::fake();
+    Queue::fake();
+    DB::table('system_settings')->updateOrInsert(['key' => 'supplier_export_mode'], ['value' => 'online']);
+
+    // 2000₽ / 50₽ = 40 лидов; хотят 25 → разморозка.
+    $tenant = Tenant::factory()->create(['balance_rub' => '2000.00', 'frozen_by_balance_at' => now()->subDay()]);
+    $project = Project::factory()->for($tenant)->create(['is_active' => true, 'daily_limit_target' => 25]);
+
+    (new BalancePreflightSweepJob)->handle();
+
+    expect($tenant->fresh()->frozen_by_balance_at)->toBeNull();
+    Queue::assertPushed(SyncSupplierProjectJob::class, fn (SyncSupplierProjectJob $job) => $job->projectId === $project->id);
+});
+
+// Stage 3 / Task 3.2 — R-13 (spec §4.3.2): freeze/unfreeze sync paused_at on tenant projects.
+// SupplierSnapshotGuard блокирует delete/change_source когда paused_at свежее grace-периода.
+// Без этой синхронизации frozen-тенант остаётся «голым» для guard'а — клиент мог бы удалить
+// проект во время заморозки и пропустить хвост слепка поставщика.
+
+it('sets paused_at on tenant projects without paused_at when freezing', function () {
+    Mail::fake();
+    // 500₽ / 50₽ = 10 лидов; проект хочет 25 → заморозка.
+    $tenant = Tenant::factory()->create(['balance_rub' => '500.00', 'frozen_by_balance_at' => null]);
+    $project = Project::factory()->for($tenant)->create([
+        'is_active' => true,
+        'daily_limit_target' => 25,
+        'paused_at' => null,
+    ]);
+
+    (new BalancePreflightSweepJob)->handle();
+
+    $fresh = $project->fresh();
+    expect($fresh->paused_at)->not->toBeNull();
+    // freeze-moment должен совпадать с tenant.frozen_by_balance_at для последующего unfreeze-matcher'а.
+    expect($fresh->paused_at->timestamp)->toBe($tenant->fresh()->frozen_by_balance_at->timestamp);
+});
+
+it('clears paused_at on auto-paused projects when unfreezing, preserves manual pauses', function () {
+    Mail::fake();
+    // Frozen вчера в 12:00; пауза до этого момента = ручная, после = авто.
+    $frozenAt = now()->subDay();
+    $tenant = Tenant::factory()->create([
+        'balance_rub' => '2000.00',
+        'frozen_by_balance_at' => $frozenAt,
+    ]);
+    // Auto-paused в момент freeze (timestamp == frozenAt → попадает в >= filter).
+    $autoPaused = Project::factory()->for($tenant)->create([
+        'is_active' => false,
+        'daily_limit_target' => 5,
+        'paused_at' => $frozenAt,
+    ]);
+    // Manual-paused за 2 дня до freeze (timestamp < frozenAt → НЕ попадает в >= filter).
+    $manualPaused = Project::factory()->for($tenant)->create([
+        'is_active' => false,
+        'daily_limit_target' => 5,
+        'paused_at' => now()->subDays(2),
+    ]);
+
+    (new BalancePreflightSweepJob)->handle();
+
+    expect($tenant->fresh()->frozen_by_balance_at)->toBeNull();
+    expect($autoPaused->fresh()->paused_at)->toBeNull();
+    expect($manualPaused->fresh()->paused_at)->not->toBeNull();
+});
@@ -0,0 +1,107 @@
+<?php
+
+declare(strict_types=1);
+
+use App\Models\Project;
+use App\Models\Tenant;
+use App\Models\User;
+use Database\Seeders\PricingTierSeeder;
+use Illuminate\Foundation\Testing\DatabaseTransactions;
+
+uses(DatabaseTransactions::class);
+
+/**
+ * GET /api/billing/balance-status — статус баланса для UI префлайта (Billing v2
+ * Spec C Task 1.10): питает баннер заморозки (BalanceFrozenBanner) и индикатор
+ * ёмкости (BalanceCapacityIndicator).
+ *
+ * PricingTierSeeder: ступень 1 — 100 лидов × 500₽ (см. BillingOverviewControllerTest).
+ */
+beforeEach(function () {
+    $this->seed(PricingTierSeeder::class);
+    $this->tenant = Tenant::factory()->create([
+        'balance_rub' => '5000.00',
+        'delivered_in_month' => 0,
+        'frozen_by_balance_at' => null,
+    ]);
+    $this->user = User::factory()->create(['tenant_id' => $this->tenant->id]);
+    $this->actingAs($this->user);
+});
+
+test('GET /api/billing/balance-status: структура ответа', function () {
+    $this->getJson('/api/billing/balance-status')
+        ->assertOk()
+        ->assertJsonStructure([
+            'frozen_by_balance_at',
+            'balance_rub',
+            'capacity_leads',
+            'required_leads_per_day',
+            'deficit_leads',
+            'deficit_rub',
+        ]);
+});
+
+test('balance-status: хватает баланса — deficit=0, не заморожен', function () {
+    // 5000₽ при ступени 1 (500₽/лид) = 10 лидов ёмкости. Проект лимит 5 — впритык.
+    Project::factory()->create([
+        'tenant_id' => $this->tenant->id,
+        'is_active' => true,
+        'daily_limit_target' => 5,
+    ]);
+
+    $resp = $this->getJson('/api/billing/balance-status')->assertOk();
+
+    expect($resp->json('balance_rub'))->toBe('5000.00');
+    expect($resp->json('capacity_leads'))->toBe(10);
+    expect($resp->json('required_leads_per_day'))->toBe(5);
+    expect($resp->json('deficit_leads'))->toBe(0);
+    expect($resp->json('deficit_rub'))->toBe('0.00');
+    expect($resp->json('frozen_by_balance_at'))->toBeNull();
+});
+
+test('balance-status: не хватает — deficit_leads + deficit_rub точные', function () {
+    // Ёмкость = 10 лидов. Проект лимит 25 → нужно 25, дефицит 15 лидов.
+    // minBalanceForLeads(25) = 25 × 500₽ = 12500₽ → deficit_rub = 12500 − 5000 = 7500.00.
+    Project::factory()->create([
+        'tenant_id' => $this->tenant->id,
+        'is_active' => true,
+        'daily_limit_target' => 25,
+    ]);
+
+    $resp = $this->getJson('/api/billing/balance-status')->assertOk();
+
+    expect($resp->json('capacity_leads'))->toBe(10);
+    expect($resp->json('required_leads_per_day'))->toBe(25);
+    expect($resp->json('deficit_leads'))->toBe(15);
+    expect($resp->json('deficit_rub'))->toBe('7500.00');
+});
+
+test('balance-status: required исключает inactive и preflight_blocked проекты', function () {
+    Project::factory()->create([
+        'tenant_id' => $this->tenant->id, 'is_active' => true, 'daily_limit_target' => 5,
+    ]);
+    Project::factory()->create([
+        'tenant_id' => $this->tenant->id, 'is_active' => false, 'daily_limit_target' => 100,
+    ]);
+    Project::factory()->create([
+        'tenant_id' => $this->tenant->id, 'is_active' => true, 'daily_limit_target' => 100,
+        'preflight_blocked_at' => now(),
+    ]);
+
+    $resp = $this->getJson('/api/billing/balance-status')->assertOk();
+
+    expect($resp->json('required_leads_per_day'))->toBe(5);
+});
+
+test('balance-status: возвращает frozen_by_balance_at когда установлен', function () {
+    $this->tenant->update(['frozen_by_balance_at' => now()]);
+
+    $resp = $this->getJson('/api/billing/balance-status')->assertOk();
+
+    expect($resp->json('frozen_by_balance_at'))->not->toBeNull();
+});
+
+test('GET /api/billing/balance-status без auth: 401', function () {
+    auth()->logout();
+    $this->getJson('/api/billing/balance-status')->assertStatus(401);
+});
@@ -0,0 +1,38 @@
+<?php
+
+declare(strict_types=1);
+
+use App\Mail\BalanceFrozenMail;
+use App\Models\PricingTier;
+use App\Models\Project;
+use App\Models\Tenant;
+use Illuminate\Foundation\Testing\DatabaseTransactions;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Mail;
+use Tests\Concerns\SharesSupplierPdo;
+
+uses(DatabaseTransactions::class);
+uses(SharesSupplierPdo::class);
+
+beforeEach(function () {
+    DB::statement("SELECT set_config('app.current_tenant_id', '0', true)");
+    PricingTier::query()->create([
+        'tier_no' => 1,
+        'leads_in_tier' => null,
+        'price_per_lead_kopecks' => 5000,
+        'is_active' => true,
+        'effective_from' => now(),
+    ]);
+});
+
+it('freezes pre-existing underfunded tenant on first run', function () {
+    Mail::fake();
+    // 0₽ + проекты на 25 лидов → должен быть заморожен.
+    $tenant = Tenant::factory()->create(['balance_rub' => '0.00', 'frozen_by_balance_at' => null]);
+    Project::factory()->for($tenant)->create(['is_active' => true, 'daily_limit_target' => 25]);
+
+    $this->artisan('billing:preflight-initial-sweep')->assertSuccessful();
+
+    expect($tenant->fresh()->frozen_by_balance_at)->not->toBeNull();
+    Mail::assertQueued(BalanceFrozenMail::class, fn ($mail) => $mail->tenant->id === $tenant->id);
+});
@@ -168,3 +168,29 @@ it('writes supplier_lead_costs (gap-fix: Plan 2/3 не писали в sharing-f
    expect((int) $cost->supplier_id)->toBe($supplier->id);
    expect((string) $cost->cost_rub)->toBe($supplier->cost_rub);
 });
+
+// Stage 3 / Task 3.1 — R-03 (spec §4.3.1): a frozen tenant must be rejected at
+// charge time even when balance_rub > 0. Guard is BEFORE bcmath arithmetic so
+// no balance / charges state is touched on rejection. The same auto-pause flow
+// kicks in (InsufficientBalanceException → RouteSupplierLeadJob handler flips
+// projects.is_active=false and queues ZeroBalancePausedMail rate-limited).
+it('throws InsufficientBalanceException when tenant frozen_by_balance_at is set', function () {
+    $tenant = Tenant::factory()->create([
+        'balance_rub' => '500.00',
+        'frozen_by_balance_at' => now(),
+    ]);
+    $deal = makeDealForTenant($tenant);
+
+    expect(function () use ($tenant, $deal) {
+        DB::transaction(function () use ($tenant, $deal) {
+            DB::statement("SET LOCAL app.current_tenant_id = '{$tenant->id}'");
+            $locked = Tenant::whereKey($tenant->id)->lockForUpdate()->firstOrFail();
+            $this->ledger->chargeForDelivery($locked, $deal);
+        });
+    })->toThrow(InsufficientBalanceException::class);
+
+    // No side effects on frozen reject — balance and charges untouched.
+    $tenant->refresh();
+    expect((string) $tenant->balance_rub)->toBe('500.00');
+    expect(LeadCharge::where('tenant_id', $tenant->id)->count())->toBe(0);
+});
@@ -0,0 +1,107 @@
+<?php
+
+declare(strict_types=1);
+
+use App\Models\PricingTier;
+use App\Models\Project;
+use App\Models\Tenant;
+use App\Models\User;
+use Illuminate\Foundation\Testing\DatabaseTransactions;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Queue;
+use Tests\Concerns\SharesSupplierPdo;
+
+uses(DatabaseTransactions::class);
+uses(SharesSupplierPdo::class);
+
+beforeEach(function () {
+    Queue::fake();
+    DB::statement("SELECT set_config('app.current_tenant_id', '0', true)");
+    PricingTier::query()->create([
+        'tier_no' => 1,
+        'leads_in_tier' => null,
+        'price_per_lead_kopecks' => 5000, // 50₽/лид — capacity = balance/50
+        'is_active' => true,
+        'effective_from' => now(),
+    ]);
+});
+
+it('returns 409 when new project would overload balance', function () {
+    // 1000₽ / 50₽ = 20 лидов capacity; запрашиваем daily_limit_target=30 → дефицит 10.
+    $tenant = Tenant::factory()->create(['balance_rub' => '1000.00']);
+    $user = User::factory()->create(['tenant_id' => $tenant->id]);
+
+    $response = $this->actingAs($user)->postJson('/api/projects', [
+        'name' => 'Перегрузка',
+        'signal_type' => 'site',
+        'signal_identifier' => 'overload.ru',
+        'daily_limit_target' => 30,
+        'regions' => [],
+        'delivery_days_mask' => 127,
+    ]);
+
+    $response->assertStatus(409);
+    $response->assertJsonPath('error', 'balance_insufficient');
+    $response->assertJsonPath('deficit_leads', 10);
+    $response->assertJsonPath('current_capacity_leads', 20);
+    $response->assertJsonPath('would_be_required_leads', 30);
+    expect(Project::where('signal_identifier', 'overload.ru')->exists())->toBeFalse();
+});
+
+it('creates blocked project when force_save_blocked=true', function () {
+    $tenant = Tenant::factory()->create(['balance_rub' => '1000.00']);
+    $user = User::factory()->create(['tenant_id' => $tenant->id]);
+
+    $response = $this->actingAs($user)->postJson('/api/projects', [
+        'name' => 'Заблокированный',
+        'signal_type' => 'site',
+        'signal_identifier' => 'force-blocked.ru',
+        'daily_limit_target' => 30,
+        'regions' => [],
+        'delivery_days_mask' => 127,
+        'force_save_blocked' => true,
+    ]);
+
+    $response->assertCreated();
+    $project = Project::where('signal_identifier', 'force-blocked.ru')->first();
+    expect($project)->not->toBeNull();
+    expect($project->preflight_blocked_at)->not->toBeNull();
+});
+
+it('creates normally when within balance', function () {
+    // 2000₽ / 50₽ = 40 лидов capacity; daily_limit_target=30 — passes.
+    $tenant = Tenant::factory()->create(['balance_rub' => '2000.00']);
+    $user = User::factory()->create(['tenant_id' => $tenant->id]);
+
+    $response = $this->actingAs($user)->postJson('/api/projects', [
+        'name' => 'Норма',
+        'signal_type' => 'site',
+        'signal_identifier' => 'ok-balance.ru',
+        'daily_limit_target' => 30,
+        'regions' => [],
+        'delivery_days_mask' => 127,
+    ]);
+
+    $response->assertCreated();
+    $project = Project::where('signal_identifier', 'ok-balance.ru')->first();
+    expect($project->preflight_blocked_at)->toBeNull();
+});
+
+it('returns 409 on update when increased limit overloads balance', function () {
+    // существующий проект на 15 лидов, всё ок (capacity 20).
+    $tenant = Tenant::factory()->create(['balance_rub' => '1000.00']);
+    $user = User::factory()->create(['tenant_id' => $tenant->id]);
+    $project = Project::factory()->for($tenant)->create([
+        'is_active' => true,
+        'daily_limit_target' => 15,
+    ]);
+
+    // UPDATE до 30 → suma 30 > capacity 20 → 409.
+    $response = $this->actingAs($user)->patchJson("/api/projects/{$project->id}", [
+        'daily_limit_target' => 30,
+    ]);
+
+    $response->assertStatus(409);
+    $response->assertJsonPath('error', 'balance_insufficient');
+    expect($project->fresh()->daily_limit_target)->toBe(15); // не изменилось
+});
@@ -0,0 +1,83 @@
+<?php
+
+declare(strict_types=1);
+
+use App\Models\Project;
+use App\Models\Tenant;
+use Illuminate\Foundation\Testing\DatabaseTransactions;
+use Illuminate\Support\Carbon;
+use Illuminate\Support\Str;
+use Tests\Concerns\SharesSupplierPdo;
+
+uses(DatabaseTransactions::class, SharesSupplierPdo::class);
+
+it('sums daily_limit_target of active projects for required leads', function () {
+    $tenant = Tenant::factory()->create(['balance_rub' => '1000.00']);
+    Project::factory()->for($tenant)->create(['is_active' => true, 'daily_limit_target' => 10]);
+    Project::factory()->for($tenant)->create(['is_active' => true, 'daily_limit_target' => 15]);
+    Project::factory()->for($tenant)->create(['is_active' => false, 'daily_limit_target' => 100]); // не считается
+
+    expect($tenant->requiredLeadsForTomorrow())->toBe(25);
+});
+
+it('casts frozen_by_balance_at to datetime', function () {
+    $tenant = Tenant::factory()->create(['frozen_by_balance_at' => now()]);
+    expect($tenant->frozen_by_balance_at)->toBeInstanceOf(Carbon::class);
+});
+
+it('casts project preflight_blocked_at to datetime', function () {
+    $project = Project::factory()->create(['preflight_blocked_at' => now()]);
+    expect($project->preflight_blocked_at)->toBeInstanceOf(Carbon::class);
+});
+
+// ---------------------------------------------------------------------------
+// Stage 4 / Task 4.4 — R-19 (spec §4.4.3): share-aware requiredLeadsForTomorrow.
+// Before fix: simple SUM(daily_limit_target). Overcharges preflight when a tenant
+// shares a call/site signal with other tenants — supplier order is capped at
+// max(max(limits), ceil(Σ/3)) and split proportionally, so a single tenant's
+// share is typically much smaller than its raw limit.
+// Formula per project:
+//   group_limits = limits of all is_active projects sharing the same
+//                  (signal_type, agnostic signal — phone/domain/sms-sender+keyword)
+//   group_order  = max(max(group_limits), ceil(Σ group_limits / 3))
+//   tenant_share = ceil(group_order × (project_limit / Σ group_limits))
+// Legacy projects (signal_type=null — webhook-only, no supplier share) → full limit.
+// ---------------------------------------------------------------------------
+
+it('R-19 single call project (no sharing) — returns full daily_limit_target', function () {
+    $phone = '7919'.Str::random(7); // unique per run to dodge any pre-existing leakage
+    $tenant = Tenant::factory()->create(['balance_rub' => '1000.00']);
+    Project::factory()->for($tenant)->asCallSignal($phone)->create([
+        'is_active' => true, 'daily_limit_target' => 10,
+    ]);
+    // groupLimits = [10] (only this project) → sum=10, max=10, order=max(10, ceil(10/3))=10,
+    // share = ceil(10 × 10/10) = 10. Same as legacy.
+    expect($tenant->fresh()->requiredLeadsForTomorrow())->toBe(10);
+});
+
+it('R-19 3 tenants sharing same call source — each tenant gets proportional share, not full limit', function () {
+    $sharedPhone = '7929'.Str::random(7); // unique shared identifier per run
+    // 3 tenants, same call source $sharedPhone, each daily_limit_target=10.
+    // group_order = max(max([10,10,10]), ceil(30/3)) = max(10, 10) = 10.
+    // share per tenant = ceil(10 × 10/30) = ceil(3.33) = 4.
+    // Legacy formula would give 10 (4 vs 10 = the bug R-19 fixes).
+    $tenants = [];
+    foreach (range(1, 3) as $i) {
+        $t = Tenant::factory()->create(['balance_rub' => '1000.00']);
+        Project::factory()->for($t)->asCallSignal($sharedPhone)->create([
+            'is_active' => true,
+            'daily_limit_target' => 10,
+        ]);
+        $tenants[] = $t;
+    }
+    expect($tenants[0]->fresh()->requiredLeadsForTomorrow())->toBe(4);
+});
+
+it('R-19 legacy webhook projects (signal_type=null) — still summed as full limit (no shared group)', function () {
+    // Regression-protection for existing TenantPreflightTest behavior.
+    // Webhook-only projects don't participate in supplier sharing — their full limit counts.
+    $tenant = Tenant::factory()->create(['balance_rub' => '1000.00']);
+    Project::factory()->for($tenant)->create(['is_active' => true, 'daily_limit_target' => 10]);
+    Project::factory()->for($tenant)->create(['is_active' => true, 'daily_limit_target' => 15]);
+    expect($tenant->fresh()->requiredLeadsForTomorrow())->toBe(25);
+});
--- a/Show More
+++ b/Show More