feat(api): J1 — auth:sanctum+tenant middleware на /api/deals*

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.claude/agents/rls-reviewer.md

@@ -7,6 +7,7 @@ description: |
   (crm_app_user, crm_app_admin, crm_supplier_worker BYPASSRLS,
   crm_readonly, crm_migrator). Reports orphan policies, missing tenant_id
   columns, inconsistent GRANTs, missing CHANGELOG entries.
+  For manually checking a single named table before commit - use the /rls-check skill.
 tools: Read, Grep, Glob, Bash
 ---
 
@@ -35,6 +36,23 @@ SaaS-level таблицы (e.g., `supplier_csv_reconcile_log`, `system_settings`
 
 Каждое schema change требует записи в `db/CHANGELOG_schema.md` (CLAUDE.md §5 п.8).
 
+## Граница со скилом /rls-check
+
+`rls-reviewer` (этот агент) и скил `/rls-check`
+(`.claude/skills/rls-check/SKILL.md`) оба проверяют RLS. Правило выбора:
+
+- Есть diff / ветка / PR с изменениями БД, набор таблиц заранее не известен →
+  **этот агент**.
+- Знаешь имя одной конкретной таблицы, проверка вручную перед коммитом →
+  **скил `/rls-check <table>`**.
+
+Этот агент прогоняет **7 статических пунктов** чеклиста. Живой дымовой тест
+(`pest --filter RlsSmokeTest`) намеренно **не входит** в агентский чеклист:
+запуск Pest в ревью-субагенте медленный и задевает гонки `--parallel`
+(квирки 72/77, см. `.claude/agents/pest-parallel-debugger.md`). Живой дымовой
+тест — 8-я строка скила `/rls-check`. 7 пунктов агента === первые 7 строк
+вывода скила (общее статическое ядро).
+
 ## Workflow
 
 1. Read target migration файл OR `db/schema.sql` diff (use `git diff HEAD~1 -- db/schema.sql` или указанные изменения).
@@ -77,6 +95,8 @@ Pass: <N>/7
 - General SQL style (squawk handles).
 - Business logic review (other agents).
 - Performance review (separate concern).
+- Проверка одной названной таблицы вручную перед коммитом + живой дымовой
+  тест — сценарий скила `/rls-check`, не агента.
 
 ## Verification protocol
 

.claude/settings.json

@@ -37,6 +37,24 @@
     ]
   },
   "hooks": {
+    "UserPromptSubmit": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node \"C:/моя/проекты/портал crm/Документация/tools/ruflo-recall-hook.mjs\""
+          }
+        ]
+      },
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node \"C:/моя/проекты/портал crm/Документация/tools/ruflo-queen-hook.mjs\""
+          }
+        ]
+      }
+    ],
     "PreToolUse": [
       {
         "matcher": "Edit|Write",

.claude/skills/regression/SKILL.md

@@ -0,0 +1,75 @@
+---
+name: regression
+description: |
+  Run the project regression sweep and report a canonical status line + GREEN/RED/RED-INCOMPLETE verdict.
+  Two tiers: `quick` (lint/format/type-check — seconds) and `full` (everything incl.
+  Pest --parallel, Larastan, Vitest, Vite build, lychee, gitleaks — minutes).
+  Claude auto-runs only `quick` (e.g. during verification-before-completion);
+  `full` runs only on explicit `/regression full` or with user confirmation.
+---
+
+# Regression — канонический регрессионный свод
+
+## Когда использовать
+
+Перед закрытием задачи/спринта (`full`) или для быстрого фидбэка по ходу работы
+(`quick`). Скилл инкапсулирует ~12 команд свода, разбросанных по `package.json`,
+`app/package.json`, `app/composer.json` и `lefthook.yml`, в один вызов с
+детерминированной канонической строкой и машинным вердиктом.
+
+Invoke via `/regression [quick|full]` (без аргумента → `full`).
+
+## Workflow
+
+1. Определить уровень из аргумента: `quick`, `full`, либо `full` по умолчанию.
+2. Запустить через Bash из корня репозитория:
+
+   ```bash
+   node .claude/skills/regression/run.mjs <tier>
+   ```
+
+3. Показать пользователю полный вывод скрипта (таблица + каноническая строка +
+   вердикт + вывод упавших проверок).
+4. Интерпретировать вердикт:
+   - `GREEN` — свод чист, exit-код 0.
+   - `RED` — перечислены упавшие проверки, exit-код 1; полный вывод каждой —
+     после вердикта.
+   - `RED-INCOMPLETE` — проверка не прогналась (нет бинаря), exit-код 1; свод
+     неполон, зелёным признать нельзя. Если одновременно есть упавшие проверки,
+     они тоже перечислены в строке вердикта.
+
+## Уровни
+
+- **`quick`** (6 проверок, секунды): Pint, ESLint, Prettier, vue-tsc,
+  markdownlint, cspell.
+- **`full`** (12 проверок, минуты): всё из `quick` + Larastan, Pest `--parallel`,
+  Vitest, Vite build, lychee, gitleaks.
+
+## Правила инвокации (self-restraint)
+
+- Claude **авто-запускает только `quick`** — в том числе в рамках
+  `superpowers:verification-before-completion` перед claim «готово» / «passed» /
+  «closed».
+- `full` Claude **сам не запускает** — только по явному `/regression full` от
+  пользователя ИЛИ запросив подтверждение («запускаю полный свод, ~5–10 мин — ок?»).
+- Скилл **не правит `CLAUDE.md`** — он только печатает каноническую строку в
+  stdout; вставка строки в `CLAUDE.md` — отдельно, через канал
+  `claude-md-management` (`CLAUDE.md` §5 п.10).
+
+## Caveats
+
+- **Pest `--parallel` flake (квирки 72/73/77).** Если Pest показал 1–3 ошибки,
+  похожие на Redis-race / cumulative-state / unique-key-collision, — перепрогнать
+  `full` один раз ИЛИ свериться с агентом `pest-parallel-debugger` до объявления
+  реального RED.
+- **ruflo daemon (квирк 93).** Перед baseline-критичным `full` рассмотреть
+  `pm2 stop ruflo-daemon` — worker-jitter усиливает Pest-flake.
+- gitleaks и lychee: на Windows берутся из `bin\*.exe`, на Linux/Mac CI — из
+  `PATH`. Отсутствие бинаря → `[⚠] SKIPPED` + вердикт `RED-INCOMPLETE`.
+
+## Не использовать когда
+
+- Нужна одна конкретная проверка — запусти её npm/composer-скрипт напрямую
+  (быстрее, чем весь свод).
+- Pa11y и Semgrep SAST — это CI-tier, в свод намеренно не входят (см. дизайн-спек
+  `docs/superpowers/specs/2026-05-16-regression-skill-design.md` §5).

.claude/skills/regression/run.mjs

@@ -0,0 +1,258 @@
+#!/usr/bin/env node
+// .claude/skills/regression/run.mjs
+// Regression sweep orchestrator for the /regression skill.
+// Design: docs/superpowers/specs/2026-05-16-regression-skill-design.md
+import { spawnSync } from 'node:child_process';
+import { existsSync } from 'node:fs';
+import path from 'node:path';
+import { fileURLToPath, pathToFileURL } from 'node:url';
+import process from 'node:process';
+
+// ── pure: platform binary resolution ───────────────────────────────
+export function resolveBinary(name, platform = process.platform) {
+  return platform === 'win32' ? `bin\\${name}.exe` : name;
+}
+
+// ── pure: output header line ───────────────────────────────────────
+export function buildHeader(tier) {
+  const head = `─ /regression ${tier} `;
+  return head + '─'.repeat(Math.max(3, 48 - head.length));
+}
+
+// ── pure: exit-code token ──────────────────────────────────────────
+export function parseExit(label, code) {
+  return `${label} ${code}`;
+}
+
+// ── pure: test-count parsers ───────────────────────────────────────
+export function parsePest(stdout) {
+  // pest --parallel emits a single JSON line: {"tool":"pest","result":...,"tests":N,"passed":N,"skipped":N,...}
+  const jsonMatch = stdout.match(/\{"tool"\s*:\s*"pest"[^}]+\}/);
+  if (jsonMatch) {
+    try {
+      const j = JSON.parse(jsonMatch[0]);
+      const passed = Number(j.passed ?? 0);
+      const skipped = Number(j.skipped ?? 0);
+      const total = Number(j.tests ?? passed + skipped);
+      const failed = total - passed - skipped;
+      return `Pest ${total}/${passed}/${skipped}sk/${Math.max(0, failed)}`;
+    } catch { /* fall through to regex */ }
+  }
+  const passed = Number(stdout.match(/(\d+)\s+passed/)?.[1] ?? 0);
+  const skipped = Number(stdout.match(/(\d+)\s+skipped/)?.[1] ?? 0);
+  const failed = Number(stdout.match(/(\d+)\s+failed/)?.[1] ?? 0);
+  return `Pest ${passed + skipped + failed}/${passed}/${skipped}sk/${failed}`;
+}
+
+export function parseVitest(stdout) {
+  const filesLine = stdout.match(/^.*Test Files.+$/m)?.[0] ?? '';
+  const files = Number(filesLine.match(/(\d+)\s+passed/)?.[1] ?? 0);
+  const line = stdout.match(/^\s*Tests\s+.+$/m)?.[0] ?? '';
+  const passed = Number(line.match(/(\d+)\s+passed/)?.[1] ?? 0);
+  const skipped = Number(line.match(/(\d+)\s+skipped/)?.[1] ?? 0);
+  const failed = Number(line.match(/(\d+)\s+failed/)?.[1] ?? 0);
+  return `Vitest ${files}f/${passed}/${skipped}sk/${failed}`;
+}
+
+// ── pure: content parsers ──────────────────────────────────────────
+export function parseViteBuild(stdout) {
+  const m = stdout.match(/built in ([\d.]+)\s*s/i);
+  return `Vite build ${m ? m[1] : '?'}s`;
+}
+
+export function parseLarastan(stdout) {
+  const m = stdout.match(/Found (\d+) error/i);
+  return `Larastan ${m ? m[1] : 0}`;
+}
+
+export function parseGitleaks(stdout, code) {
+  const commits = stdout.match(/(\d+)\s+commits?\s+scanned/i)?.[1] ?? '?';
+  const leaks = code === 0
+    ? '0'
+    : (stdout.match(/(\d+)\s+leaks?\s+found/i)?.[1]
+       ?? stdout.match(/leaks?\s+found:?\s*(\d+)/i)?.[1]
+       ?? '≥1');
+  return `gitleaks ${leaks}/${commits}`;
+}
+
+export function parseLychee(stdout) {
+  const ok = stdout.match(/(\d+)\s+OK/)?.[1] ?? '?';
+  const errors = stdout.match(/(\d+)\s+Errors?/i)?.[1] ?? '0';
+  return `lychee ${ok}/${errors}`;
+}
+
+// ── pure: verdict ──────────────────────────────────────────────────
+export function computeVerdict(results) {
+  const skipped = results.filter((r) => r.skipped).map((r) => r.label);
+  const failed = results
+    .filter((r) => !r.skipped && r.code !== 0)
+    .map((r) => r.label);
+  if (skipped.length) return { verdict: 'RED-INCOMPLETE', exitCode: 1, failed, skipped };
+  if (failed.length) return { verdict: 'RED', exitCode: 1, failed, skipped };
+  return { verdict: 'GREEN', exitCode: 0, failed, skipped };
+}
+
+// ── pure: output formatting ────────────────────────────────────────
+export function buildCanonicalLine(results) {
+  return results.map((r) => r.token).join(' / ');
+}
+
+export function formatRow(r) {
+  const mark = r.skipped ? '⚠' : r.code === 0 ? '✅' : '❌';
+  const label = r.label.padEnd(14);
+  const status = r.skipped
+    ? 'SKIPPED — binary not found'
+    : `${r.code}   ${(r.ms / 1000).toFixed(1)}s`;
+  return `[${mark}] ${label}${status}`;
+}
+
+export function verdictLine(v, total) {
+  if (v.verdict === 'GREEN') {
+    return `🟢 GREEN — все ${total} проверок passed`;
+  }
+  if (v.verdict === 'RED-INCOMPLETE') {
+    const tail = v.failed.length ? `; провал: ${v.failed.join(', ')}` : '';
+    return `🟠 RED-INCOMPLETE — не прогналось: ${v.skipped.join(', ')}${tail}`;
+  }
+  return `🔴 RED — ${v.failed.length}/${total} failed: ${v.failed.join(', ')}`;
+}
+
+// ── data: checks registry ──────────────────────────────────────────
+// Script-based checks carry `cmd`; binary-based checks carry `bin` + `argv`.
+// `parse(combinedOutput, exitCode)` → canonical token. `cwd`: '.' = repo root,
+// 'app' = the Laravel app. Execution order: quick checks first, then heavy.
+export const CHECKS = [
+  {
+    id: 'pint', label: 'Pint', tiers: ['quick', 'full'], cwd: 'app',
+    cmd: 'composer pint:test', parse: (_o, c) => parseExit('Pint', c),
+  },
+  {
+    id: 'eslint', label: 'ESLint', tiers: ['quick', 'full'], cwd: 'app',
+    cmd: 'npm run lint:vue', parse: (_o, c) => parseExit('ESLint', c),
+  },
+  {
+    id: 'prettier', label: 'Prettier', tiers: ['quick', 'full'], cwd: 'app',
+    cmd: 'npm run format:check', parse: (_o, c) => parseExit('Prettier', c),
+  },
+  {
+    id: 'vue-tsc', label: 'vue-tsc', tiers: ['quick', 'full'], cwd: 'app',
+    cmd: 'npm run type-check', parse: (_o, c) => parseExit('vue-tsc', c),
+  },
+  {
+    id: 'markdownlint', label: 'markdownlint', tiers: ['quick', 'full'], cwd: '.',
+    cmd: 'npm run lint:md', parse: (_o, c) => parseExit('markdownlint', c),
+  },
+  {
+    id: 'cspell', label: 'cspell', tiers: ['quick', 'full'], cwd: '.',
+    cmd: 'npm run spell', parse: (_o, c) => parseExit('cspell', c),
+  },
+  {
+    id: 'larastan', label: 'Larastan', tiers: ['full'], cwd: 'app',
+    cmd: 'composer stan', parse: (o) => parseLarastan(o),
+  },
+  {
+    id: 'pest', label: 'Pest', tiers: ['full'], cwd: 'app',
+    cmd: 'composer test:parallel', parse: (o) => parsePest(o),
+  },
+  {
+    id: 'vitest', label: 'Vitest', tiers: ['full'], cwd: 'app',
+    cmd: 'npm run test:vue', parse: (o) => parseVitest(o),
+  },
+  {
+    id: 'vite-build', label: 'Vite build', tiers: ['full'], cwd: 'app',
+    cmd: 'npm run build', parse: (o) => parseViteBuild(o),
+  },
+  {
+    id: 'lychee', label: 'lychee', tiers: ['full'], cwd: '.',
+    bin: 'lychee',
+    argv: ['--config', '.lychee.toml', 'docs/**/*.md', 'db/**/*.md', '*.md'],
+    parse: (o) => parseLychee(o),
+  },
+  {
+    id: 'gitleaks', label: 'gitleaks', tiers: ['full'], cwd: '.',
+    bin: 'gitleaks',
+    argv: ['detect', '--source', '.', '--no-banner', '--config', '.gitleaks.toml', '--redact'],
+    parse: (o, c) => parseGitleaks(o, c),
+  },
+];
+
+// ── I/O: run one check ─────────────────────────────────────────────
+function runCheck(check, repoRoot) {
+  const cwd = check.cwd === '.' ? repoRoot : path.join(repoRoot, check.cwd);
+  const start = Date.now();
+  const skippedResult = (reason) => ({
+    id: check.id, label: check.label, skipped: true, code: null,
+    ms: Date.now() - start, token: `${check.label} SKIPPED`, stdout: '', stderr: reason,
+  });
+
+  let command;
+  if (check.bin) {
+    const bin = resolveBinary(check.bin);
+    // bin/ executables: existsSync pre-check on Windows (the project ships
+    // bin\gitleaks.exe / bin\lychee.exe; on POSIX they come from PATH).
+    if (process.platform === 'win32' && !existsSync(path.join(repoRoot, bin))) {
+      return skippedResult(`${bin} not found`);
+    }
+    command = [bin, ...check.argv].join(' ');
+  } else {
+    command = check.cmd;
+  }
+
+  const res = spawnSync(command, {
+    cwd, shell: true, encoding: 'utf8', maxBuffer: 64 * 1024 * 1024,
+  });
+  const ms = Date.now() - start;
+  // ENOENT (POSIX missing binary), POSIX shell exit 127 ("command not found"),
+  // or the Windows cmd.exe "is not recognized" message → SKIPPED.
+  const notFound = (res.error && res.error.code === 'ENOENT')
+    || res.status === 127
+    || /is not recognized as an internal or external command/i.test(res.stderr ?? '');
+  if (notFound) {
+    return skippedResult(`command not found: ${command}`);
+  }
+  const stdout = res.stdout ?? '';
+  const stderr = res.stderr ?? '';
+  const code = res.status ?? 1;
+  const token = check.parse(`${stdout}\n${stderr}`, code);
+  return { id: check.id, label: check.label, skipped: false, code, ms, token, stdout, stderr };
+}
+
+// ── orchestrator ───────────────────────────────────────────────────
+export function main(argv) {
+  const tier = argv[0] ?? 'full';
+  if (tier !== 'quick' && tier !== 'full') {
+    process.stderr.write(
+      `regression: unknown argument "${tier}". Usage: run.mjs [quick|full]\n`,
+    );
+    process.exitCode = 2;
+    return;
+  }
+  const repoRoot = fileURLToPath(new URL('../../../', import.meta.url));
+  const checks = CHECKS.filter((c) => c.tiers.includes(tier));
+
+  process.stdout.write(`${buildHeader(tier)}\n`);
+  const results = [];
+  for (const check of checks) {
+    const r = runCheck(check, repoRoot);
+    results.push(r);
+    process.stdout.write(`${formatRow(r)}\n`);
+  }
+  process.stdout.write(`${'─'.repeat(48)}\n`);
+  process.stdout.write(`Canonical: ${buildCanonicalLine(results)}\n`);
+
+  const v = computeVerdict(results);
+  process.stdout.write(`VERDICT: ${verdictLine(v, results.length)}\n`);
+
+  // Full output of failed checks, so failures are visible with file:line.
+  for (const r of results) {
+    if (!r.skipped && r.code !== 0) {
+      process.stdout.write(`\n── ${r.label} output ──\n${r.stdout}\n${r.stderr}\n`);
+    }
+  }
+  process.exitCode = v.exitCode;
+}
+
+// Run main only when executed directly (not when imported by run.test.mjs).
+if (import.meta.url === pathToFileURL(process.argv[1] ?? '').href) {
+  main(process.argv.slice(2));
+}

.claude/skills/regression/run.test.mjs

@@ -0,0 +1,213 @@
+import test from 'node:test';
+import assert from 'node:assert/strict';
+import { execFileSync } from 'node:child_process';
+import { fileURLToPath } from 'node:url';
+import process from 'node:process';
+import {
+  resolveBinary, buildHeader, parseExit,
+  parsePest, parseVitest,
+  parseViteBuild, parseLarastan, parseGitleaks, parseLychee,
+  computeVerdict,
+  buildCanonicalLine, formatRow, verdictLine,
+  CHECKS,
+} from './run.mjs';
+
+test('resolveBinary: win32 → bin\\<name>.exe', () => {
+  assert.equal(resolveBinary('gitleaks', 'win32'), 'bin\\gitleaks.exe');
+});
+test('resolveBinary: non-win32 → bare name on PATH', () => {
+  assert.equal(resolveBinary('lychee', 'linux'), 'lychee');
+  assert.equal(resolveBinary('lychee', 'darwin'), 'lychee');
+});
+
+test('buildHeader: starts with the tier banner', () => {
+  assert.ok(buildHeader('quick').startsWith('─ /regression quick '));
+  assert.ok(buildHeader('full').startsWith('─ /regression full '));
+});
+test('buildHeader: is padded with dashes', () => {
+  assert.ok(buildHeader('full').length >= 30);
+});
+
+test('parseExit: builds "<label> <code>" token', () => {
+  assert.equal(parseExit('Pint', 0), 'Pint 0');
+  assert.equal(parseExit('ESLint', 1), 'ESLint 1');
+});
+
+test('parsePest: passed + skipped, no failures → total derived', () => {
+  const out = '  Tests:    3 skipped, 739 passed (2104 assertions)\n  Duration: 71.23s';
+  assert.equal(parsePest(out), 'Pest 742/739/3sk/0');
+});
+test('parsePest: with failures', () => {
+  const out = '  Tests:    2 failed, 1 skipped, 736 passed (2090 assertions)';
+  assert.equal(parsePest(out), 'Pest 739/736/1sk/2');
+});
+test('parsePest: passed only → zeros for skipped/failed', () => {
+  assert.equal(parsePest('  Tests:    19 passed (44 assertions)'), 'Pest 19/19/0sk/0');
+});
+test('parsePest: JSON format (pest --parallel) passed + skipped', () => {
+  const out = '{"tool":"pest","result":"passed","tests":793,"passed":790,"assertions":2391,"duration_ms":32200,"skipped":3}';
+  assert.equal(parsePest(out), 'Pest 793/790/3sk/0');
+});
+test('parsePest: JSON format with failures', () => {
+  const out = '{"tool":"pest","result":"failed","tests":793,"passed":788,"assertions":2380,"duration_ms":31000,"skipped":3}';
+  assert.equal(parsePest(out), 'Pest 793/788/3sk/2');
+});
+test('parsePest: JSON format no skipped', () => {
+  const out = '{"tool":"pest","result":"passed","tests":19,"passed":19,"assertions":44,"duration_ms":1711}';
+  assert.equal(parsePest(out), 'Pest 19/19/0sk/0');
+});
+
+test('parseVitest: files + passed + skipped', () => {
+  const out = ' Test Files  92 passed (92)\n      Tests  774 passed | 3 skipped (777)\n   Duration  12.6s';
+  assert.equal(parseVitest(out), 'Vitest 92f/774/3sk/0');
+});
+test('parseVitest: with failures, does not confuse "Test Files" with "Tests"', () => {
+  const out = ' Test Files  2 failed | 90 passed (92)\n      Tests  5 failed | 769 passed (774)';
+  assert.equal(parseVitest(out), 'Vitest 90f/769/0sk/5');
+});
+
+test('parseViteBuild: extracts build time', () => {
+  assert.equal(parseViteBuild('✓ 312 modules transformed.\n✓ built in 2.03s'), 'Vite build 2.03s');
+});
+test('parseViteBuild: no match → "?"', () => {
+  assert.equal(parseViteBuild('build crashed'), 'Vite build ?s');
+});
+
+test('parseLarastan: clean → 0', () => {
+  assert.equal(parseLarastan(' [OK] No errors'), 'Larastan 0');
+});
+test('parseLarastan: counts errors', () => {
+  assert.equal(parseLarastan(' [ERROR] Found 2 errors'), 'Larastan 2');
+});
+
+test('parseGitleaks: clean → 0 leaks', () => {
+  const out = 'INF 442 commits scanned.\nINF no leaks found';
+  assert.equal(parseGitleaks(out, 0), 'gitleaks 0/442');
+});
+test('parseGitleaks: leaks found (non-zero exit)', () => {
+  const out = 'INF 442 commits scanned.\nWRN 3 leaks found';
+  assert.equal(parseGitleaks(out, 1), 'gitleaks 3/442');
+});
+
+test('parseLychee: OK + errors', () => {
+  const out = '🔍 325 Total (in 9s)\n✅ 325 OK\n🚫 0 Errors';
+  assert.equal(parseLychee(out), 'lychee 325/0');
+});
+test('parseLychee: with broken links', () => {
+  const out = '🔍 327 Total\n✅ 325 OK\n🚫 2 Errors';
+  assert.equal(parseLychee(out), 'lychee 325/2');
+});
+
+test('computeVerdict: all exit 0 → GREEN, exit code 0', () => {
+  const v = computeVerdict([
+    { label: 'Pint', code: 0, skipped: false },
+    { label: 'ESLint', code: 0, skipped: false },
+  ]);
+  assert.equal(v.verdict, 'GREEN');
+  assert.equal(v.exitCode, 0);
+  assert.deepEqual(v.failed, []);
+});
+test('computeVerdict: one non-zero exit → RED, exit code 1', () => {
+  const v = computeVerdict([
+    { label: 'Pint', code: 0, skipped: false },
+    { label: 'Larastan', code: 1, skipped: false },
+  ]);
+  assert.equal(v.verdict, 'RED');
+  assert.equal(v.exitCode, 1);
+  assert.deepEqual(v.failed, ['Larastan']);
+});
+test('computeVerdict: a skipped check → RED-INCOMPLETE', () => {
+  const v = computeVerdict([
+    { label: 'Pint', code: 0, skipped: false },
+    { label: 'gitleaks', code: null, skipped: true },
+  ]);
+  assert.equal(v.verdict, 'RED-INCOMPLETE');
+  assert.equal(v.exitCode, 1);
+  assert.deepEqual(v.skipped, ['gitleaks']);
+});
+test('computeVerdict: skipped takes precedence over a failure', () => {
+  const v = computeVerdict([
+    { label: 'Larastan', code: 1, skipped: false },
+    { label: 'lychee', code: null, skipped: true },
+  ]);
+  assert.equal(v.verdict, 'RED-INCOMPLETE');
+  assert.deepEqual(v.failed, ['Larastan']);
+  assert.deepEqual(v.skipped, ['lychee']);
+});
+
+test('buildCanonicalLine: joins tokens in result order with " / "', () => {
+  const results = [
+    { token: 'Pint 0' }, { token: 'ESLint 0' }, { token: 'Pest 742/739/3sk/0' },
+  ];
+  assert.equal(buildCanonicalLine(results), 'Pint 0 / ESLint 0 / Pest 742/739/3sk/0');
+});
+
+test('formatRow: passed check → ✅ mark, label, code, time', () => {
+  const row = formatRow({ label: 'Pint', code: 0, ms: 1800, skipped: false });
+  assert.ok(row.startsWith('[✅] Pint'));
+  assert.ok(row.includes('1.8s'));
+});
+test('formatRow: failed check → ❌ mark', () => {
+  assert.ok(formatRow({ label: 'Larastan', code: 1, ms: 8400, skipped: false }).startsWith('[❌] Larastan'));
+});
+test('formatRow: skipped check → ⚠ mark + SKIPPED', () => {
+  const row = formatRow({ label: 'gitleaks', code: null, ms: 0, skipped: true });
+  assert.ok(row.startsWith('[⚠] gitleaks'));
+  assert.ok(row.includes('SKIPPED'));
+});
+
+test('verdictLine: GREEN', () => {
+  const line = verdictLine({ verdict: 'GREEN', failed: [], skipped: [] }, 12);
+  assert.ok(line.includes('🟢 GREEN'));
+  assert.ok(line.includes('12'));
+});
+test('verdictLine: RED lists failed checks', () => {
+  const line = verdictLine({ verdict: 'RED', failed: ['Larastan'], skipped: [] }, 12);
+  assert.ok(line.includes('🔴 RED'));
+  assert.ok(line.includes('Larastan'));
+});
+test('verdictLine: RED-INCOMPLETE lists skipped checks', () => {
+  const line = verdictLine({ verdict: 'RED-INCOMPLETE', failed: [], skipped: ['gitleaks'] }, 12);
+  assert.ok(line.includes('🟠 RED-INCOMPLETE'));
+  assert.ok(line.includes('gitleaks'));
+});
+
+test('CHECKS: quick tier has exactly 6 checks', () => {
+  assert.equal(CHECKS.filter((c) => c.tiers.includes('quick')).length, 6);
+});
+test('CHECKS: full tier has exactly 12 checks', () => {
+  assert.equal(CHECKS.filter((c) => c.tiers.includes('full')).length, 12);
+});
+test('CHECKS: quick is a strict subset of full', () => {
+  const full = new Set(CHECKS.filter((c) => c.tiers.includes('full')).map((c) => c.id));
+  for (const c of CHECKS.filter((c) => c.tiers.includes('quick'))) {
+    assert.ok(full.has(c.id), `${c.id} in quick must also be in full`);
+  }
+});
+test('CHECKS: every check has id, label, cwd, parse, and a command source', () => {
+  for (const c of CHECKS) {
+    assert.ok(c.id && c.label && c.cwd, `${c.id}: id/label/cwd`);
+    assert.equal(typeof c.parse, 'function', `${c.id}: parse is a function`);
+    assert.ok(c.cmd || (c.bin && Array.isArray(c.argv)), `${c.id}: has cmd or bin+argv`);
+  }
+});
+test('CHECKS: ids are unique', () => {
+  assert.equal(new Set(CHECKS.map((c) => c.id)).size, CHECKS.length);
+});
+
+const RUN = fileURLToPath(new URL('./run.mjs', import.meta.url));
+
+test('main: unknown argument → exit code 2 + error on stderr', () => {
+  try {
+    execFileSync(process.execPath, [RUN, 'bogus'], { encoding: 'utf8', stdio: 'pipe' });
+    assert.fail('expected non-zero exit');
+  } catch (err) {
+    assert.equal(err.status, 2);
+    assert.match(String(err.stderr), /unknown argument/i);
+  }
+});
+test('main: importing run.mjs does not auto-run the sweep', () => {
+  // If the import.meta guard were broken, importing run.mjs at the top of this
+  // file would have spawned a full sweep. Reaching this assertion proves it did not.
+  assert.ok(true);
+});

.claude/skills/rls-check/SKILL.md

@@ -5,6 +5,7 @@ description: |
   Use when adding a new table, adding/removing tenant_id column, or modifying
   RLS policies. Walks through 7-step checklist (tenant_id, ENABLE RLS, 2+ policies,
   5-role GRANTs, db/CHANGELOG_schema.md entry, squawk, smoke test).
+  For reviewing a diff, branch, or PR with DB changes - use the rls-reviewer agent.
 disable-model-invocation: true
 ---
 
@@ -16,6 +17,28 @@ disable-model-invocation: true
 
 Invoke via `/rls-check <table_name>`.
 
+## Граница с агентом rls-reviewer
+
+`rls-check` (этот скил) и `rls-reviewer` (агент, `.claude/agents/rls-reviewer.md`)
+оба проверяют RLS, но в разных ситуациях. Правило выбора:
+
+- Знаешь имя одной конкретной таблицы, проверка вручную перед коммитом →
+  **`/rls-check <table>`** (этот скил).
+- Есть diff / ветка / PR с изменениями БД, набор таблиц заранее не известен →
+  **агент `rls-reviewer`**.
+
+Скил работает в основном контексте по одной названной таблице и прогоняет
+**8 строк вывода** — 7 статических пунктов + живой дымовой тест
+(`pest --filter RlsSmokeTest`, шаг 7). Агент работает в отдельном контексте
+субагента, разбирает diff/миграцию/PR и прогоняет только **7 статических**
+строк — дымовой тест намеренно не запускает.
+
+Первые 7 строк вывода у обоих — общее статическое ядро (tenant_id, ENABLE RLS,
+SELECT/ALL политики, GRANT'ы 5 ролей, CHANGELOG, squawk). Это не дублирование:
+ядро проверок одно, сценарии вызова разные. Дымовой тест — только в скиле:
+запуск Pest в ревью-субагенте медленный и задевает гонки `--parallel`
+(квирки 72/77, см. `.claude/agents/pest-parallel-debugger.md`).
+
 ## Checklist
 
 1. **tenant_id column.** Grep `db/schema.sql` для `CREATE TABLE <name>`. Verify:
@@ -94,3 +117,5 @@ Or failure listing: `[❌] tenant_id column missing — db/schema.sql:NNNN`.
 
 - Modifying existing well-RLS'd table без новых columns — overhead.
 - Tables explicitly outside RLS (e.g., Laravel `migrations`, `cache` — internal).
+- Проверяешь не одну названную таблицу, а diff/ветку/PR с изменениями БД —
+  это сценарий агента `rls-reviewer`, не скила.

.gitignore

@@ -145,3 +145,45 @@ app/playwright/node_modules/
 
 # Vitest coverage output (app/coverage/) — генерируется npm run test:coverage
 /app/coverage/
+
+# ── Ruflo big-bang integration (2026-05-15) ──────────────────────────────────
+# ruflo runtime scaffolding и local-only routing config
+.claude-flow/
+CLAUDE.local.md
+# ruflo runtime state (created on activation 2026-05-15: memory DB + RuVector bridge)
+.swarm/
+ruvector.db
+# CLAUDE.md / .claude/ backups перед npx ruflo init --force (плановые artifacts Task 2.1)
+CLAUDE.md.pre-ruflo.bak
+.claude.pre-ruflo.bak/
+# ruflo install/dry-run logs (transient)
+ruflo-init.log
+ruflo-init-dryrun.log
+ruflo-mcp-stdout.log
+ruflo-mcp-stderr.log
+# ruflo init --force regen'ит 23 subdirs из upstream IPFS-registry — auto-regenerable, не tracking
+.claude/agents/analysis/
+.claude/agents/architecture/
+.claude/agents/browser/
+.claude/agents/consensus/
+.claude/agents/core/
+.claude/agents/custom/
+.claude/agents/data/
+.claude/agents/development/
+.claude/agents/devops/
+.claude/agents/documentation/
+.claude/agents/flow-nexus/
+.claude/agents/github/
+.claude/agents/goal/
+.claude/agents/optimization/
+.claude/agents/payments/
+.claude/agents/sona/
+.claude/agents/sparc/
+.claude/agents/specialized/
+.claude/agents/sublinear/
+.claude/agents/swarm/
+.claude/agents/templates/
+.claude/agents/testing/
+.claude/agents/v3/
+.claude/commands/
+.claude/helpers/

.mcp.json

@@ -37,6 +37,11 @@
       "command": "npx",
       "args": ["-y", "@modelcontextprotocol/server-redis", "redis://localhost:6379"],
       "comment": "Off-phase tool — Redis MCP для Memurai (Windows service, Redis 7-совместимый, localhost:6379). Pending формализация в Tooling §3.3 #35 — sync нормативки отдельным планом. Package: @modelcontextprotocol/server-redis@2025.4.25 — DEPRECATED по статусу npm («Package no longer supported»), но Anthropic source, простой протокол, рабочий. Post-MVP migration на community alternative (e.g., @easy-mcps/redis-mcp-server@1.0.8 или @wenit/redis-mcp-server@1.0.3) когда подтвердим trust. READ-ONLY use — отладка очередей, кэша, Pest --parallel race (memory quirk 72). НЕ для prod (нет prod). Если в будущем prod Redis с auth — отдельный entry redis-prod с url через env var."
+    },
+    "ruflo": {
+      "command": "npx",
+      "args": ["-y", "ruflo@latest", "mcp", "start"],
+      "comment": "Off-phase orchestration MCP — exposes ~210 ruflo tools (Core/Intelligence/Agents/Memory/DevTools). Package: ruflo v3.7.0-alpha.38+ MIT (npm `ruflo`, repo ruvnet/claude-flow legacy after rename Jan-2026; plugin namespace @claude-flow/*). Plugin discovery via IPFS (CID QmeXmAdbWVvT84GfDXPD2Vg1HWhiTW2VdZfRLhkS96KkX2) — Pinata+Cloudflare gateways flaky 2026-05-15, only ipfs.io reliable. stdio mode (no port-conflict). Big-bang integration per spec/plan 2026-05-15-ruflo-integration-design.md (commit a68a0a0+). Pending формализация в Tooling §4.10 — Phase 3 Task 3.4."
     }
   }
 }

app/app/Casts/PostgresIntArray.php

@@ -1,82 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Casts;
-
-use Illuminate\Contracts\Database\Eloquent\CastsAttributes;
-use Illuminate\Database\Eloquent\Model;
-
-/**
- * Eloquent cast for PostgreSQL native INT[] columns.
- *
- * Laravel stock 'array' cast uses json_encode/json_decode and sends `[1,2,3]`
- * (JSON), which Postgres rejects on INT[] columns (expects `{1,2,3}` array
- * literal). This cast:
- *
- *  - get(): parses Postgres array literal `{1,2,3}` (or empty `{}`) into PHP
- *           int array.
- *  - set(): serializes PHP array `[1,2,3]` into Postgres literal `{1,2,3}`.
- *
- * Used for projects.regions INT[] (Plan 6).
- *
- * @implements CastsAttributes<list<int>, list<int>|null>
- */
-class PostgresIntArray implements CastsAttributes
-{
-    /**
-     * @param  array<string, mixed>  $attributes
-     * @return list<int>
-     */
-    public function get(Model $model, string $key, mixed $value, array $attributes): array
-    {
-        if ($value === null || $value === '' || $value === '{}') {
-            return [];
-        }
-
-        // PG returns literal like "{1,2,3}".
-        if (is_string($value)) {
-            $trimmed = trim($value, '{}');
-
-            if ($trimmed === '') {
-                return [];
-            }
-
-            return array_map('intval', explode(',', $trimmed));
-        }
-
-        // Defensive: if driver already gave array.
-        if (is_array($value)) {
-            return array_values(array_map('intval', $value));
-        }
-
-        return [];
-    }
-
-    /**
-     * @param  array<string, mixed>  $attributes
-     */
-    public function set(Model $model, string $key, mixed $value, array $attributes): ?string
-    {
-        if ($value === null) {
-            return null;
-        }
-
-        // Defensive: interface phpdoc says list<int>|null, but $value is mixed at PHP level;
-        // protect against runtime misuse (e.g., string passed mistakenly).
-        // @phpstan-ignore function.alreadyNarrowedType
-        if (! is_array($value)) {
-            throw new \InvalidArgumentException(
-                "PostgresIntArray cast expects array for key '{$key}', got ".gettype($value)
-            );
-        }
-
-        if ($value === []) {
-            return '{}';
-        }
-
-        $ints = array_map('intval', $value);
-
-        return '{'.implode(',', $ints).'}';
-    }
-}

app/app/Http/Controllers/Api/AdminBillingController.php

@@ -4,7 +4,10 @@ declare(strict_types=1);
 
 namespace App\Http\Controllers\Api;
 
+use App\Http\Controllers\Concerns\ResolvesAdminUserId;
 use App\Http\Controllers\Controller;
+use App\Models\BalanceTransaction;
+use App\Models\SaasAdminAuditLog;
 use Carbon\CarbonImmutable;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
@@ -19,6 +22,183 @@ use Illuminate\Support\Facades\DB;
  */
 class AdminBillingController extends Controller
 {
+    use ResolvesAdminUserId;
+
+    /** GET /api/admin/billing/tariff-plans — список планов для диалога смены тарифа. */
+    public function tariffPlans(): JsonResponse
+    {
+        $plans = DB::table('tariff_plans')
+            ->select(['id', 'name', 'price_monthly'])
+            ->orderBy('price_monthly')
+            ->get()
+            ->map(fn ($p) => [
+                'id' => (int) $p->id,
+                'name' => $p->name,
+                'price_monthly' => (string) $p->price_monthly,
+            ]);
+
+        return response()->json(['plans' => $plans]);
+    }
+
+    /** PATCH /api/admin/billing/tenants/{id}/status — приостановить/разблокировать тенанта. */
+    public function updateStatus(Request $request, int $id): JsonResponse
+    {
+        $validated = $request->validate([
+            'status' => ['required', 'in:active,suspended'],
+            'reason' => ['required', 'string', 'min:10', 'max:1000'],
+        ]);
+
+        $tenant = $this->findActiveTenant($id);
+        $adminUserId = $this->resolveAdminUserId($request, 'system-billing@liderra.local', 'System Billing Bot');
+
+        DB::transaction(function () use ($tenant, $validated, $adminUserId, $request): void {
+            // tenants / saas_admin_audit_log не под RLS — SET LOCAL не нужен (ср. refund()).
+            DB::table('tenants')->where('id', $tenant->id)->update([
+                'status' => $validated['status'],
+                'updated_at' => now(),
+            ]);
+
+            SaasAdminAuditLog::create([
+                'admin_user_id' => $adminUserId,
+                'action' => $validated['status'] === 'suspended' ? 'tenant.suspend' : 'tenant.activate',
+                'target_type' => 'tenant',
+                'target_id' => $tenant->id,
+                'target_tenant_id' => $tenant->id,
+                'payload_before' => ['status' => $tenant->status],
+                'payload_after' => ['status' => $validated['status']],
+                'reason' => $validated['reason'],
+                'ip_address' => $request->ip() ?? '127.0.0.1',
+                'user_agent' => $request->userAgent(),
+            ]);
+        });
+
+        return response()->json(['id' => $tenant->id, 'status' => $validated['status']]);
+    }
+
+    /** POST /api/admin/billing/tenants/{id}/refund — возврат средств: списание с баланса + ledger-запись. */
+    public function refund(Request $request, int $id): JsonResponse
+    {
+        $validated = $request->validate([
+            'amount_rub' => ['required', 'numeric', 'gt:0'],
+            'reason' => ['required', 'string', 'min:10', 'max:1000'],
+        ]);
+
+        $this->findActiveTenant($id); // ранний 404; авторитетный баланс перечитывается под локом ниже
+        $amount = number_format((float) $validated['amount_rub'], 2, '.', '');
+        $adminUserId = $this->resolveAdminUserId($request, 'system-billing@liderra.local', 'System Billing Bot');
+
+        /** @var array{transaction_id:int, balance_rub:string} $result */
+        $result = DB::transaction(function () use ($id, $amount, $validated, $adminUserId, $request): array {
+            DB::statement('SET LOCAL app.current_tenant_id = '.$id);
+
+            // Баланс — money-колонка: перечитываем под row-lock внутри транзакции,
+            // защита от lost-update (конвенция LedgerService — lockForUpdate на tenants).
+            $tenant = DB::table('tenants')->where('id', $id)->whereNull('deleted_at')
+                ->lockForUpdate()->first();
+            if ($tenant === null) {
+                abort(404, 'tenant not found');
+            }
+
+            $balance = (string) $tenant->balance_rub;
+            if (bccomp($amount, $balance, 2) === 1) {
+                abort(422, 'refund amount exceeds tenant balance');
+            }
+            $newBalance = bcsub($balance, $amount, 2);
+
+            DB::table('tenants')->where('id', $id)->update([
+                'balance_rub' => $newBalance,
+                'updated_at' => now(),
+            ]);
+
+            $tx = BalanceTransaction::create([
+                'tenant_id' => $id,
+                'type' => BalanceTransaction::TYPE_REFUND,
+                'amount_rub' => '-'.$amount,
+                'amount_leads' => 0,
+                'balance_rub_after' => $newBalance,
+                'description' => $validated['reason'],
+                'admin_user_id' => $adminUserId,
+                'created_at' => now(),
+            ]);
+
+            SaasAdminAuditLog::create([
+                'admin_user_id' => $adminUserId,
+                'action' => 'tenant.refund',
+                'target_type' => 'tenant',
+                'target_id' => $id,
+                'target_tenant_id' => $id,
+                'payload_before' => ['balance_rub' => $balance],
+                'payload_after' => ['balance_rub' => $newBalance, 'amount_rub' => $amount, 'transaction_id' => $tx->id],
+                'reason' => $validated['reason'],
+                'ip_address' => $request->ip() ?? '127.0.0.1',
+                'user_agent' => $request->userAgent(),
+            ]);
+
+            return ['transaction_id' => (int) $tx->id, 'balance_rub' => $newBalance];
+        });
+
+        return response()->json([
+            'id' => $id,
+            'balance_rub' => $result['balance_rub'],
+            'transaction_id' => $result['transaction_id'],
+        ]);
+    }
+
+    /** PATCH /api/admin/billing/tenants/{id}/tariff — сменить тарифный план тенанта. */
+    public function changeTariff(Request $request, int $id): JsonResponse
+    {
+        $validated = $request->validate([
+            'tariff_id' => ['required', 'integer', 'exists:tariff_plans,id'],
+            'reason' => ['required', 'string', 'min:10', 'max:1000'],
+        ]);
+
+        $tenant = $this->findActiveTenant($id);
+        $tariff = DB::table('tariff_plans')->where('id', $validated['tariff_id'])->first();
+        $adminUserId = $this->resolveAdminUserId($request, 'system-billing@liderra.local', 'System Billing Bot');
+
+        DB::transaction(function () use ($tenant, $tariff, $validated, $adminUserId, $request): void {
+            // tenants / saas_admin_audit_log не под RLS — SET LOCAL не нужен (ср. refund()).
+            DB::table('tenants')->where('id', $tenant->id)->update([
+                'current_tariff_id' => $tariff->id,
+                'updated_at' => now(),
+            ]);
+
+            SaasAdminAuditLog::create([
+                'admin_user_id' => $adminUserId,
+                'action' => 'tenant.change_tariff',
+                'target_type' => 'tenant',
+                'target_id' => $tenant->id,
+                'target_tenant_id' => $tenant->id,
+                'payload_before' => ['current_tariff_id' => $tenant->current_tariff_id],
+                'payload_after' => ['current_tariff_id' => (int) $tariff->id],
+                'reason' => $validated['reason'],
+                'ip_address' => $request->ip() ?? '127.0.0.1',
+                'user_agent' => $request->userAgent(),
+            ]);
+        });
+
+        return response()->json([
+            'id' => $tenant->id,
+            'tariff_id' => (int) $tariff->id,
+            'tariff_name' => $tariff->name,
+        ]);
+    }
+
+    /**
+     * Возвращает не-удалённого тенанта либо abort(404).
+     *
+     * @return object{id:int,status:string,balance_rub:string,current_tariff_id:int|null}
+     */
+    private function findActiveTenant(int $id): object
+    {
+        $tenant = DB::table('tenants')->where('id', $id)->whereNull('deleted_at')->first();
+        if ($tenant === null) {
+            abort(404, 'tenant not found');
+        }
+
+        return $tenant;
+    }
+
     /** GET /api/admin/billing?search= */
     public function index(Request $request): JsonResponse
     {

app/app/Http/Controllers/Api/AdminIncidentsController.php

@@ -4,7 +4,9 @@ declare(strict_types=1);
 
 namespace App\Http\Controllers\Api;
 
+use App\Http\Controllers\Concerns\ResolvesAdminUserId;
 use App\Http\Controllers\Controller;
+use App\Models\SaasAdminAuditLog;
 use Carbon\CarbonImmutable;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
@@ -21,6 +23,8 @@ use Illuminate\Support\Facades\DB;
  */
 class AdminIncidentsController extends Controller
 {
+    use ResolvesAdminUserId;
+
     /** GET /api/admin/incidents?type=&severity=&unresolved_only=&limit=&offset= */
     public function index(Request $request): JsonResponse
     {
@@ -83,6 +87,116 @@ class AdminIncidentsController extends Controller
         ]);
     }
 
+    /** POST /api/admin/incidents/{id}/rkn-notify — зафиксировать уведомление РКН (G6, 152-ФЗ). */
+    public function notifyRkn(Request $request, int $id): JsonResponse
+    {
+        $row = DB::table('incidents_log')->where('id', $id)->first();
+        if ($row === null) {
+            abort(404, 'incident not found');
+        }
+        if ($row->type !== 'data_breach') {
+            abort(422, 'РКН-уведомление применимо только к инцидентам типа data_breach');
+        }
+        if ($row->rkn_notified_at !== null) {
+            abort(409, 'РКН уже уведомлён по этому инциденту');
+        }
+
+        $adminUserId = $this->resolveAdminUserId($request, 'system-incidents@liderra.local', 'System Incidents Bot');
+
+        DB::transaction(function () use ($row, $adminUserId, $request): void {
+            DB::table('incidents_log')->where('id', $row->id)->update([
+                'rkn_notified_at' => now(),
+                'updated_at' => now(),
+            ]);
+
+            SaasAdminAuditLog::create([
+                'admin_user_id' => $adminUserId,
+                'action' => 'incident.rkn_notify',
+                'target_type' => 'incident',
+                'target_id' => $row->id,
+                'payload_before' => ['rkn_notified_at' => null],
+                'payload_after' => ['rkn_notified_at' => now()->toIso8601String()],
+                'reason' => 'Роскомнадзор уведомлён об утечке ПДн через админ-интерфейс (152-ФЗ).',
+                'ip_address' => $request->ip() ?? '127.0.0.1',
+                'user_agent' => $request->userAgent(),
+            ]);
+        });
+
+        return $this->show($id);
+    }
+
+    /** GET /api/admin/incidents/{id} — полная карточка инцидента (drill-down G5). */
+    public function show(int $id): JsonResponse
+    {
+        $row = DB::table('incidents_log')->where('id', $id)->first();
+        if ($row === null) {
+            abort(404, 'incident not found');
+        }
+
+        $tenantIds = is_array($row->affected_tenant_ids)
+            ? $row->affected_tenant_ids
+            : ($row->affected_tenant_ids !== null ? $this->parsePgArrayValues((string) $row->affected_tenant_ids) : []);
+
+        $tenants = $tenantIds === []
+            ? collect()
+            : DB::table('tenants')->whereIn('id', $tenantIds)
+                ->select(['id', 'organization_name'])->get();
+
+        $admins = DB::table('saas_admin_users')
+            ->whereIn('id', array_filter([$row->created_by_admin_id, $row->closed_by_admin_id]))
+            ->pluck('full_name', 'id');
+
+        return response()->json([
+            'incident' => [
+                'id' => (int) $row->id,
+                'incident_id' => $this->formatIncidentId($row),
+                'type' => $row->type,
+                'severity' => $row->severity,
+                'summary' => $row->summary,
+                'root_cause' => $row->root_cause,
+                'postmortem_url' => $row->postmortem_url,
+                'started_at' => CarbonImmutable::parse($row->started_at)->toIso8601String(),
+                'detected_at' => CarbonImmutable::parse($row->detected_at)->toIso8601String(),
+                'resolved_at' => $row->resolved_at !== null
+                    ? CarbonImmutable::parse($row->resolved_at)->toIso8601String() : null,
+                'status' => $this->deriveStatus($row),
+                'affected_tenants' => $tenants->map(fn ($t) => [
+                    'id' => (int) $t->id,
+                    'organization_name' => $t->organization_name,
+                ])->values(),
+                'affected_users_count' => $row->affected_users_count !== null ? (int) $row->affected_users_count : null,
+                'notification_sent_at' => $row->notification_sent_at !== null
+                    ? CarbonImmutable::parse($row->notification_sent_at)->toIso8601String() : null,
+                'rkn_notified' => $row->rkn_notified_at !== null,
+                'rkn_notified_at' => $row->rkn_notified_at !== null
+                    ? CarbonImmutable::parse($row->rkn_notified_at)->toIso8601String() : null,
+                'rkn_deadline_at' => $row->type === 'data_breach' && $row->rkn_notified_at === null
+                    ? CarbonImmutable::parse($row->detected_at)->addHours(24)->toIso8601String() : null,
+                'created_by_admin' => $admins->get($row->created_by_admin_id),
+                'closed_by_admin' => $row->closed_by_admin_id !== null ? $admins->get($row->closed_by_admin_id) : null,
+                'created_at' => $row->created_at !== null
+                    ? CarbonImmutable::parse($row->created_at)->toIso8601String() : null,
+                'updated_at' => $row->updated_at !== null
+                    ? CarbonImmutable::parse($row->updated_at)->toIso8601String() : null,
+            ],
+        ]);
+    }
+
+    /**
+     * PG-array literal '{1,2,3}' → массив int.
+     *
+     * @return list<int>
+     */
+    private function parsePgArrayValues(string $literal): array
+    {
+        $trimmed = trim($literal, '{}');
+        if ($trimmed === '') {
+            return [];
+        }
+
+        return array_map('intval', explode(',', $trimmed));
+    }
+
     /** Уникальный человеко-читаемый ID: INC-YYYY-MMDD-NNNN, NNNN = id padded. */
     private function formatIncidentId(object $row): string
     {

app/app/Http/Controllers/Api/ApiKeyController.php

@@ -0,0 +1,73 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers\Api;
+
+use App\Http\Controllers\Controller;
+use App\Models\ApiKey;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Str;
+use Symfony\Component\HttpFoundation\Response;
+
+/**
+ * API-ключи тенанта (audit D2/D3/J5). Endpoints под auth:sanctum + tenant.
+ *
+ * Полный ключ показывается ОДИН раз — в ответе regenerate(). В БД хранится
+ * только bcrypt key_hash + key_prefix (первые 10 символов для UI). У тенанта
+ * поддерживается один активный ключ: regenerate деактивирует прежние.
+ */
+class ApiKeyController extends Controller
+{
+    private const KEY_PREFIX = 'lpkapi_';
+
+    public function index(Request $request): JsonResponse
+    {
+        $tenantId = (int) $request->user()->tenant_id;
+
+        // Defense-in-depth: явный where даже при RLS — в тестах PG superuser BYPASSRLS.
+        $keys = ApiKey::query()
+            ->where('tenant_id', $tenantId)
+            ->where('is_active', true)
+            ->where('expires_at', '>', now())
+            ->orderByDesc('created_at')
+            ->get(['id', 'name', 'key_prefix', 'last_used_at', 'expires_at', 'created_at']);
+
+        return response()->json(['data' => $keys]);
+    }
+
+    public function regenerate(Request $request): JsonResponse
+    {
+        $tenantId = (int) $request->user()->tenant_id;
+        $userId = (int) $request->user()->id;
+
+        // Один активный ключ на тенанта — прежние деактивируются.
+        ApiKey::query()
+            ->where('tenant_id', $tenantId)
+            ->where('is_active', true)
+            ->update(['is_active' => false]);
+
+        $plainKey = self::KEY_PREFIX.Str::random(48);
+
+        $key = ApiKey::query()->create([
+            'tenant_id' => $tenantId,
+            'user_id' => $userId,
+            'name' => 'API-ключ',
+            'key_hash' => Hash::make($plainKey),
+            'key_prefix' => substr($plainKey, 0, 10),
+            'scopes' => ['read'],
+            'expires_at' => now()->addYear(),
+            'is_active' => true,
+            'created_at' => now(),
+        ]);
+
+        return response()->json([
+            'id' => $key->id,
+            'name' => $key->name,
+            'key' => $plainKey,
+            'key_prefix' => $key->key_prefix,
+        ], Response::HTTP_CREATED);
+    }
+}

app/app/Http/Controllers/Api/AuthController.php

@@ -228,6 +228,31 @@ class AuthController extends Controller
         ]);
     }
 
+    /**
+     * PATCH /api/auth/me — обновление профиля текущего пользователя
+     * (имя, фамилия, телефон, тайм-зона). Email менять нельзя (через support).
+     *
+     * Audit J6/D1 (ProfileTab). Зеркалит updateNotificationPreferences:
+     * та же группа auth:sanctum, тот же inline-validate, тот же userResource.
+     */
+    public function updateProfile(Request $request): JsonResponse
+    {
+        $validated = $request->validate([
+            'first_name' => ['required', 'string', 'max:255'],
+            'last_name' => ['required', 'string', 'max:255'],
+            'phone' => ['nullable', 'string', 'max:20'],
+            'timezone' => ['required', 'timezone'],
+        ]);
+
+        /** @var User $user */
+        $user = $request->user();
+        $user->update($validated);
+
+        return response()->json([
+            'user' => $this->userResource($user->fresh()),
+        ]);
+    }
+
     /**
      * Ключ throttle для login: email|ip — защищает email от брутфорса даже
      * за NAT'ом, и IP от перебора емейлов с одного источника.
@@ -333,6 +358,8 @@ class AuthController extends Controller
             'email' => $user->email,
             'first_name' => $user->first_name,
             'last_name' => $user->last_name,
+            'phone' => $user->phone,
+            'timezone' => $user->timezone,
             'tenant_id' => $user->tenant_id,
             'totp_enabled' => $user->totp_enabled,
             'last_login_at' => $user->last_login_at,

app/app/Http/Controllers/Api/BillingController.php

@@ -0,0 +1,186 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers\Api;
+
+use App\Http\Controllers\Controller;
+use App\Models\BalanceTransaction;
+use App\Models\Tenant;
+use App\Models\User;
+use App\Services\Billing\BillingTopupService;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\DB;
+
+/**
+ * Биллинг тенанта — кошелёк, транзакции, счета, пополнение (audit E1/E3).
+ *
+ * Все эндпоинты под middleware [auth:sanctum, tenant] (RLS-контекст).
+ * Отдельно от TenantChargesController (lead_charges ledger) и
+ * AdminBillingController (SaaS-уровневые агрегаты).
+ *
+ * E1: POST /api/billing/topup — MVP-stub пополнения (без платёжного шлюза).
+ * E3: GET wallet/transactions/invoices — данные для BillingView Overview.
+ */
+class BillingController extends Controller
+{
+    public function __construct(
+        private readonly BillingTopupService $topupService,
+    ) {}
+
+    /**
+     * POST /api/billing/topup — пополнить рублёвый баланс.
+     *
+     * MVP-stub: кредитует баланс немедленно (без ЮKassa — реальная оплата
+     * post-Б-1). Записывает append-only строку balance_transactions(topup).
+     */
+    public function topup(Request $request): JsonResponse
+    {
+        $validated = $request->validate([
+            'amount_rub' => ['required', 'numeric', 'min:100', 'max:1000000', 'decimal:0,2'],
+        ]);
+
+        /** @var User $user */
+        $user = $request->user();
+
+        // Нормализуем в DECIMAL-строку scale 2 для bcmath (НЕ float).
+        $amountRub = bcadd((string) $validated['amount_rub'], '0', 2);
+
+        $tx = $this->topupService->topup((int) $user->tenant_id, $amountRub, (int) $user->id);
+
+        return response()->json([
+            'transaction' => [
+                'id' => $tx->id,
+                'type' => $tx->type,
+                'amount_rub' => $tx->amount_rub,
+                'balance_rub_after' => $tx->balance_rub_after,
+                'created_at' => $tx->created_at,
+            ],
+            'balance_rub' => $tx->balance_rub_after,
+        ], 201);
+    }
+
+    /**
+     * GET /api/billing/wallet — балансы тенанта + текущий тариф + runway.
+     */
+    public function wallet(Request $request): JsonResponse
+    {
+        /** @var User $user */
+        $user = $request->user();
+        /** @var Tenant $tenant */
+        $tenant = Tenant::query()->with('tariff')->findOrFail((int) $user->tenant_id);
+
+        return response()->json([
+            'balance_rub' => $tenant->balance_rub,
+            'balance_leads' => $tenant->balance_leads,
+            'runway_days' => $this->runwayDays($tenant),
+            'tariff' => $tenant->tariff === null ? null : [
+                'code' => $tenant->tariff->code,
+                'name' => $tenant->tariff->name,
+                'price_monthly' => $tenant->tariff->price_monthly,
+                'billing_model' => $tenant->tariff->billing_model,
+                'features' => $tenant->tariff->features ?? [],
+            ],
+        ]);
+    }
+
+    /**
+     * GET /api/billing/transactions?type=topup|lead_charge|refund&page=N
+     * — пагинированная история balance_transactions тенанта (20/страница).
+     */
+    public function transactions(Request $request): JsonResponse
+    {
+        /** @var User $user */
+        $user = $request->user();
+        $tenantId = (int) $user->tenant_id;
+
+        // Явный tenant_id фильтр — defense-in-depth поверх RLS (тесты идут
+        // под superuser BYPASSRLS; паттерн TenantChargesController).
+        $query = BalanceTransaction::query()
+            ->where('tenant_id', $tenantId)
+            ->orderBy('created_at', 'desc')
+            ->orderBy('id', 'desc');
+
+        $type = $request->query('type');
+        if (is_string($type) && in_array($type, ['topup', 'lead_charge', 'refund'], true)) {
+            $query->where('type', $type);
+        }
+
+        $page = $query->paginate(20);
+
+        return response()->json([
+            'data' => array_map(static fn (BalanceTransaction $tx): array => [
+                'id' => $tx->id,
+                'code' => 'TX-'.$tx->id,
+                'type' => $tx->type,
+                'description' => $tx->description,
+                'amount_rub' => $tx->amount_rub,
+                'amount_leads' => $tx->amount_leads,
+                'balance_rub_after' => $tx->balance_rub_after,
+                'created_at' => $tx->created_at,
+            ], $page->items()),
+            'meta' => [
+                'current_page' => $page->currentPage(),
+                'last_page' => $page->lastPage(),
+                'total' => $page->total(),
+                'per_page' => $page->perPage(),
+            ],
+        ]);
+    }
+
+    /**
+     * GET /api/billing/invoices — счета тенанта (saas_invoices).
+     *
+     * Real-but-empty на MVP: saas_invoices.legal_entity_id NOT NULL требует
+     * зарегистрированного юр-лица (блокируется Б-1). Read-only выборка через
+     * DB::table — без Eloquent-модели (паттерн AdminBillingController).
+     */
+    public function invoices(Request $request): JsonResponse
+    {
+        /** @var User $user */
+        $user = $request->user();
+        $tenantId = (int) $user->tenant_id;
+
+        $rows = DB::table('saas_invoices')
+            ->where('tenant_id', $tenantId)
+            ->orderBy('issued_at', 'desc')
+            ->get(['id', 'invoice_number', 'amount_total', 'status', 'issued_at', 'pdf_path']);
+
+        return response()->json([
+            'data' => $rows->map(static fn (\stdClass $r): array => [
+                'id' => $r->id,
+                'invoice_number' => $r->invoice_number,
+                'amount_total' => $r->amount_total,
+                'status' => $r->status,
+                'issued_at' => $r->issued_at,
+                'has_pdf' => $r->pdf_path !== null,
+            ])->all(),
+        ]);
+    }
+
+    /**
+     * Прогноз «на сколько дней хватит баланса» — оценочный UX-показатель.
+     *
+     * = balance_rub / (рублёвые списания за 30 дней / 30). NULL, если списаний
+     * не было. Float здесь допустим: грубая оценка для шапки, НЕ мутация
+     * баланса (мутации баланса — строго bcmath, см. BillingTopupService).
+     * Отрицательный баланс → 0 (тенант уже в минусе, runway не может быть < 0).
+     */
+    private function runwayDays(Tenant $tenant): ?int
+    {
+        $spent = abs((float) DB::table('balance_transactions')
+            ->where('tenant_id', $tenant->id)
+            ->where('type', BalanceTransaction::TYPE_LEAD_CHARGE)
+            ->where('created_at', '>=', now()->subDays(30))
+            ->sum('amount_rub'));
+
+        if ($spent <= 0.0) {
+            return null;
+        }
+
+        $perDay = $spent / 30.0;
+
+        return max(0, (int) floor((float) $tenant->balance_rub / $perDay));
+    }
+}

app/app/Http/Controllers/Api/DashboardController.php

@@ -0,0 +1,147 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers\Api;
+
+use App\Http\Controllers\Controller;
+use App\Models\Tenant;
+use Carbon\CarbonImmutable;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\DB;
+
+/**
+ * Дашборд — агрегат для DashboardView (audit C1/J3).
+ *
+ * GET /api/dashboard/summary?tenant_id={id}&range=today|7d|30d
+ *
+ * На MVP без auth-middleware (tenant_id параметром, как DealController).
+ * Production: middleware('auth:sanctum','tenant') → tenant_id из user.
+ *
+ * Все агрегаты — tenant-scoped, deleted_at IS NULL, is_test=false.
+ * RLS-обёртка SET LOCAL app.current_tenant_id (PgBouncer-safe), как DealController.
+ */
+class DashboardController extends Controller
+{
+    private const RU_WEEKDAYS = ['вс', 'пн', 'вт', 'ср', 'чт', 'пт', 'сб'];
+
+    public function summary(Request $request): JsonResponse
+    {
+        $tenantId = (int) $request->query('tenant_id', '0');
+        if ($tenantId < 1) {
+            return response()->json(['message' => 'Параметр tenant_id обязателен.'], 422);
+        }
+
+        $tenant = Tenant::find($tenantId);
+        if ($tenant === null) {
+            return response()->json(['message' => 'Тенант не найден.'], 404);
+        }
+
+        $range = in_array($request->query('range'), ['today', '7d', '30d'], true)
+            ? (string) $request->query('range')
+            : '7d';
+
+        // MSK: activity-бакеты и range-границы должны совпадать с SQL
+        // `AT TIME ZONE 'Europe/Moscow'`. config('app.timezone') = UTC.
+        $now = CarbonImmutable::now('Europe/Moscow');
+        [$windowStart, $prevStart] = match ($range) {
+            'today' => [$now->startOfDay(), $now->startOfDay()->subDay()],
+            '30d' => [$now->subDays(30), $now->subDays(60)],
+            default => [$now->subDays(7), $now->subDays(14)],
+        };
+
+        $data = DB::transaction(function () use ($tenantId, $tenant, $now, $range, $windowStart, $prevStart) {
+            DB::statement('SET LOCAL app.current_tenant_id = '.$tenantId);
+
+            $base = fn () => DB::table('deals')
+                ->where('tenant_id', $tenantId)
+                ->whereNull('deleted_at')
+                ->where('is_test', false);
+
+            // --- leads received: текущее + предыдущее окно ---
+            $curLeads = (clone $base())->whereBetween('received_at', [$windowStart, $now])->count();
+            $prevLeads = (clone $base())->whereBetween('received_at', [$prevStart, $windowStart])->count();
+
+            // --- conversion: % статуса 'paid' в окне ---
+            $curPaid = (clone $base())->where('status', 'paid')
+                ->whereBetween('received_at', [$windowStart, $now])->count();
+            $prevPaid = (clone $base())->where('status', 'paid')
+                ->whereBetween('received_at', [$prevStart, $windowStart])->count();
+            $curConv = $curLeads > 0 ? round($curPaid / $curLeads * 100, 1) : 0.0;
+            $prevConv = $prevLeads > 0 ? round($prevPaid / $prevLeads * 100, 1) : 0.0;
+
+            // --- active projects ---
+            $activeProjects = DB::table('projects')
+                ->where('tenant_id', $tenantId)
+                ->whereNull('archived_at')
+                ->where('is_active', true)
+                ->count();
+            $maxProjects = (int) (($tenant->limits['max_projects'] ?? 0));
+
+            // --- activity: 7 daily-бакетов по received_at (MSK) ---
+            $activityStart = $now->subDays(6)->startOfDay();
+            $byDay = (clone $base())
+                ->where('received_at', '>=', $activityStart)
+                ->selectRaw("to_char((received_at AT TIME ZONE 'Europe/Moscow')::date, 'YYYY-MM-DD') AS d, COUNT(*) AS c")
+                ->groupBy('d')
+                ->pluck('c', 'd');
+            $points = [];
+            $labels = [];
+            for ($i = 6; $i >= 0; $i--) {
+                $day = $now->subDays($i);
+                $key = $day->format('Y-m-d');
+                $points[] = (int) ($byDay[$key] ?? 0);
+                $labels[] = $i === 0 ? 'сегодня' : self::RU_WEEKDAYS[(int) $day->format('w')];
+            }
+            $maxPoint = max(0, ...$points);
+            $axisMax = max(10, (int) (ceil($maxPoint / 10) * 10));
+
+            // --- funnel: текущий снимок по статусам ---
+            $funnel = (clone $base())
+                ->selectRaw('status, COUNT(*) AS c')
+                ->groupBy('status')
+                ->pluck('c', 'status')
+                ->map(fn ($c) => (int) $c)
+                ->toArray();
+
+            // --- runway ---
+            // runway опирается на приток за фиксированное 7-дневное окно,
+            // независимо от выбранного range (для today/30d $curLeads — не 7-дневный).
+            $leads7d = (clone $base())->whereBetween('received_at', [$now->subDays(7), $now])->count();
+            $avgDaily = $leads7d / 7.0;
+            $balanceLeads = (int) ($tenant->balance_leads ?? 0);
+            $runwayDays = $avgDaily > 0 ? (int) floor($balanceLeads / $avgDaily) : 0;
+
+            return [
+                'range' => $range,
+                'leads_received' => self::deltaBlock($curLeads, $prevLeads, 'delta_pct', self::pctDelta($curLeads, $prevLeads)),
+                'conversion' => self::deltaBlock($curConv, $prevConv, 'delta_pp', round($curConv - $prevConv, 1)),
+                'active_projects' => ['active' => $activeProjects, 'limit' => $maxProjects],
+                'balance' => [
+                    'amount_rub' => (string) $tenant->balance_rub,
+                    'runway_days' => $runwayDays,
+                    'runway_leads' => $balanceLeads,
+                ],
+                'activity' => ['points' => $points, 'labels' => $labels, 'max' => $axisMax],
+                'funnel' => (object) $funnel,
+            ];
+        });
+
+        return response()->json($data);
+    }
+
+    /** Процентная дельта current vs previous; 0.0 если previous=0. */
+    private static function pctDelta(float $cur, float $prev): float
+    {
+        return $prev > 0 ? round(($cur - $prev) / $prev * 100, 1) : 0.0;
+    }
+
+    /** Блок {value, <deltaKey>, delta_dir}. */
+    private static function deltaBlock(float $value, float $prev, string $deltaKey, float $delta): array
+    {
+        $dir = $value > $prev ? 'up' : ($value < $prev ? 'down' : 'neutral');
+
+        return ['value' => $value, $deltaKey => $delta, 'delta_dir' => $dir];
+    }
+}

app/app/Http/Controllers/Api/DealBulkActionController.php

@@ -7,7 +7,6 @@ namespace App\Http\Controllers\Api;
 use App\Http\Controllers\Controller;
 use App\Models\ActivityLog;
 use App\Models\Deal;
-use App\Models\Tenant;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\DB;
@@ -20,6 +19,8 @@ use Illuminate\Support\Facades\DB;
  * bulk + export + helpers). Этот класс отвечает только за многоразовые
  * массовые операции; single-resource действия остаются в DealController.
  *
+ * J1 (Sprint 3F): auth:sanctum+tenant, tenant_id из auth()->user().
+ *
  * O-perf-01: N+1 устранён.
  *
  *   transition: сначала SELECT всех сделок tenant'а из ids, чтобы отфильтровать
@@ -41,23 +42,19 @@ class DealBulkActionController extends Controller
     /**
      * POST /api/deals/transition — bulk status-update.
      *
-     * Body: {tenant_id, ids: [int...], status: slug}.
+     * Body: {ids: [int...], status: slug}.
      * Response: {updated, requested, status} (updated = реально изменённых,
      * без NO-OP).
      */
     public function transition(Request $request): JsonResponse
     {
         $validated = $request->validate([
-            'tenant_id' => 'required|integer|min:1',
             'ids' => 'required|array|min:1|max:1000',
             'ids.*' => 'integer|min:1',
             'status' => 'required|string|max:50',
         ]);
 
-        $tenant = Tenant::find($validated['tenant_id']);
-        if ($tenant === null) {
-            return response()->json(['message' => 'Тенант не найден.'], 404);
-        }
+        $tenantId = (int) $request->user()->tenant_id;
 
         $statusExists = DB::table('lead_statuses')->where('slug', $validated['status'])->exists();
         if (! $statusExists) {
@@ -67,14 +64,14 @@ class DealBulkActionController extends Controller
             ], 422);
         }
 
-        $updated = DB::transaction(function () use ($validated, $tenant) {
-            DB::statement('SET LOCAL app.current_tenant_id = '.$tenant->id);
+        $updated = DB::transaction(function () use ($validated, $tenantId) {
+            DB::statement('SET LOCAL app.current_tenant_id = '.$tenantId);
 
             // Фаза 1: SELECT — нужны id и предыдущий status для каждой строки,
             // чтобы (а) отфильтровать NO-OP и (б) сохранить prev в context.from.
             // Defense-in-depth where(tenant_id) — защита от кросс-tenant id.
             $rows = Deal::query()
-                ->where('tenant_id', $tenant->id)
+                ->where('tenant_id', $tenantId)
                 ->whereIn('id', $validated['ids'])
                 ->get(['id', 'status']);
 
@@ -88,7 +85,7 @@ class DealBulkActionController extends Controller
 
             // Фаза 2: bulk-UPDATE 1 запросом вместо N.
             Deal::query()
-                ->where('tenant_id', $tenant->id)
+                ->where('tenant_id', $tenantId)
                 ->whereIn('id', $changedIds)
                 ->update([
                     'status' => $validated['status'],
@@ -100,7 +97,7 @@ class DealBulkActionController extends Controller
             // массив сериализуем в JSON руками, остальные scalar-поля передаём
             // напрямую. Триггер audit_chain_hash() заполнит log_hash на уровне БД.
             $logRows = $changed->map(fn (Deal $d) => [
-                'tenant_id' => $tenant->id,
+                'tenant_id' => $tenantId,
                 'user_id' => null,
                 'deal_id' => $d->id,
                 'event' => ActivityLog::EVENT_DEAL_STATUS_CHANGED,
@@ -127,7 +124,7 @@ class DealBulkActionController extends Controller
     /**
      * DELETE /api/deals — bulk soft-delete.
      *
-     * Body: {tenant_id, ids: [int...]}.
+     * Body: {ids: [int...]}.
      * Response: {deleted, requested}.
      *
      * Soft-delete сохраняется (см. документацию в DealController.destroy на
@@ -137,23 +134,19 @@ class DealBulkActionController extends Controller
     public function destroy(Request $request): JsonResponse
     {
         $validated = $request->validate([
-            'tenant_id' => 'required|integer|min:1',
             'ids' => 'required|array|min:1|max:1000',
             'ids.*' => 'integer|min:1',
         ]);
 
-        $tenant = Tenant::find($validated['tenant_id']);
-        if ($tenant === null) {
-            return response()->json(['message' => 'Тенант не найден.'], 404);
-        }
+        $tenantId = (int) $request->user()->tenant_id;
 
-        $deleted = DB::transaction(function () use ($validated, $tenant) {
-            DB::statement('SET LOCAL app.current_tenant_id = '.$tenant->id);
+        $deleted = DB::transaction(function () use ($validated, $tenantId) {
+            DB::statement('SET LOCAL app.current_tenant_id = '.$tenantId);
 
             // SELECT id'шников живых сделок tenant'а из ids — для bulk-INSERT
             // в activity_log по списку реально удаляемых (NO-OP idempotency).
             $targetIds = Deal::query()
-                ->where('tenant_id', $tenant->id)
+                ->where('tenant_id', $tenantId)
                 ->whereIn('id', $validated['ids'])
                 ->whereNull('deleted_at')
                 ->pluck('id')
@@ -166,7 +159,7 @@ class DealBulkActionController extends Controller
             $now = now();
 
             Deal::query()
-                ->where('tenant_id', $tenant->id)
+                ->where('tenant_id', $tenantId)
                 ->whereIn('id', $targetIds)
                 ->whereNull('deleted_at')
                 ->update([
@@ -175,7 +168,7 @@ class DealBulkActionController extends Controller
                 ]);
 
             $logRows = array_map(fn (int $id) => [
-                'tenant_id' => $tenant->id,
+                'tenant_id' => $tenantId,
                 'user_id' => null,
                 'deal_id' => $id,
                 'event' => ActivityLog::EVENT_DEAL_DELETED,
@@ -197,30 +190,26 @@ class DealBulkActionController extends Controller
     /**
      * POST /api/deals/restore — bulk restore soft-deleted.
      *
-     * Body: {tenant_id, ids: [int...]}.
+     * Body: {ids: [int...]}.
      * Response: {restored, requested}.
      */
     public function restore(Request $request): JsonResponse
     {
         $validated = $request->validate([
-            'tenant_id' => 'required|integer|min:1',
             'ids' => 'required|array|min:1|max:1000',
             'ids.*' => 'integer|min:1',
         ]);
 
-        $tenant = Tenant::find($validated['tenant_id']);
-        if ($tenant === null) {
-            return response()->json(['message' => 'Тенант не найден.'], 404);
-        }
+        $tenantId = (int) $request->user()->tenant_id;
 
-        $restored = DB::transaction(function () use ($validated, $tenant) {
-            DB::statement('SET LOCAL app.current_tenant_id = '.$tenant->id);
+        $restored = DB::transaction(function () use ($validated, $tenantId) {
+            DB::statement('SET LOCAL app.current_tenant_id = '.$tenantId);
 
             // withTrashed обходит SoftDeletes global scope; whereNotNull —
             // NO-OP idempotency для уже живых.
             $targetIds = Deal::query()
                 ->withTrashed()
-                ->where('tenant_id', $tenant->id)
+                ->where('tenant_id', $tenantId)
                 ->whereIn('id', $validated['ids'])
                 ->whereNotNull('deleted_at')
                 ->pluck('id')
@@ -234,7 +223,7 @@ class DealBulkActionController extends Controller
 
             Deal::query()
                 ->withTrashed()
-                ->where('tenant_id', $tenant->id)
+                ->where('tenant_id', $tenantId)
                 ->whereIn('id', $targetIds)
                 ->whereNotNull('deleted_at')
                 ->update([
@@ -243,7 +232,7 @@ class DealBulkActionController extends Controller
                 ]);
 
             $logRows = array_map(fn (int $id) => [
-                'tenant_id' => $tenant->id,
+                'tenant_id' => $tenantId,
                 'user_id' => null,
                 'deal_id' => $id,
                 'event' => ActivityLog::EVENT_DEAL_RESTORED,

app/app/Http/Controllers/Api/DealController.php

@@ -9,7 +9,6 @@ use App\Models\ActivityLog;
 use App\Models\Deal;
 use App\Models\Project;
 use App\Models\SupplierLeadCost;
-use App\Models\Tenant;
 use App\Models\User;
 use App\Services\SupplierResolver;
 use Illuminate\Http\JsonResponse;
@@ -27,9 +26,7 @@ use Illuminate\Support\Facades\DB;
  * `WebhookReceiveController` + `ProcessWebhookJob` (асинхронно через очередь
  * с advisory lock + dedup). Этот controller — для ручных action'ов из UI.
  *
- * На MVP без auth-middleware (multi-tenant контекст резолвится по
- * `tenant_id` параметру). Production: middleware('auth:sanctum')+'tenant'
- * → tenant_id из request()->user()->tenant_id; user ID для manager/audit.
+ * J1 (Sprint 3F): auth:sanctum+tenant, tenant_id из auth()->user().
  *
  * Manual-create отличается от webhook'а:
  *   - source_crm_id = NULL (не из webhook).
@@ -42,7 +39,7 @@ use Illuminate\Support\Facades\DB;
 class DealController extends Controller
 {
     /**
-     * GET /api/deals?tenant_id={id}&status_in[]=...&project_id=...&manager_id=...&search=...&limit=...&offset=...
+     * GET /api/deals?status_in[]=...&project_id=...&manager_id=...&search=...&limit=...&offset=...
      *
      * Список сделок tenant'а с relations (project.name, manager.first/last/email).
      * Используется в `DealsView`/`KanbanView` вместо MOCK_DEALS.
@@ -53,20 +50,10 @@ class DealController extends Controller
      * (received_at, id)).
      *
      * RLS: SET LOCAL app.current_tenant_id внутри транзакции (PgBouncer-safe).
-     * Чужие сделки отфильтрует политика, даже если клиент подсунет чужой
-     * tenant_id (без auth — на MVP, на prod — middleware).
      */
     public function index(Request $request): JsonResponse
     {
-        $tenantId = (int) $request->query('tenant_id', '0');
-        if ($tenantId < 1) {
-            return response()->json(['message' => 'Параметр tenant_id обязателен.'], 422);
-        }
-
-        $tenant = Tenant::find($tenantId);
-        if ($tenant === null) {
-            return response()->json(['message' => 'Тенант не найден.'], 404);
-        }
+        $tenantId = (int) $request->user()->tenant_id;
 
         $statuses = (array) $request->query('status_in', []);
         $projectId = $request->query('project_id') !== null ? (int) $request->query('project_id') : null;
@@ -203,7 +190,7 @@ class DealController extends Controller
     }
 
     /**
-     * GET /api/deals/{id}?tenant_id={id} — детали сделки + recent activity events.
+     * GET /api/deals/{id} — детали сделки + recent activity events.
      *
      * Используется в DealDetailDrawer (правая панель). Возвращает deal с
      * relations + до 50 последних activity_log событий по этой сделке.
@@ -213,15 +200,7 @@ class DealController extends Controller
      */
     public function show(Request $request, int $id): JsonResponse
     {
-        $tenantId = (int) $request->query('tenant_id', '0');
-        if ($tenantId < 1) {
-            return response()->json(['message' => 'Параметр tenant_id обязателен.'], 422);
-        }
-
-        $tenant = Tenant::find($tenantId);
-        if ($tenant === null) {
-            return response()->json(['message' => 'Тенант не найден.'], 404);
-        }
+        $tenantId = (int) $request->user()->tenant_id;
 
         [$deal, $events] = DB::transaction(function () use ($tenantId, $id) {
             DB::statement('SET LOCAL app.current_tenant_id = '.$tenantId);
@@ -291,7 +270,7 @@ class DealController extends Controller
     /**
      * PATCH /api/deals/{id} — частичное редактирование сделки из DealDetailDrawer.
      *
-     * Body (все поля optional, должно быть хотя бы одно): {tenant_id, comment?,
+     * Body (все поля optional, должно быть хотя бы одно): {comment?,
      * manager_id?, status?}.
      *
      * Каждое изменение пишется в ActivityLog с правильным event-type:
@@ -309,16 +288,12 @@ class DealController extends Controller
     public function update(Request $request, int $id): JsonResponse
     {
         $validated = $request->validate([
-            'tenant_id' => 'required|integer|min:1',
             'comment' => 'nullable|string|max:5000',
             'manager_id' => 'nullable|integer|min:1',
             'status' => 'nullable|string|max:50',
         ]);
 
-        $tenant = Tenant::find($validated['tenant_id']);
-        if ($tenant === null) {
-            return response()->json(['message' => 'Тенант не найден.'], 404);
-        }
+        $tenantId = (int) $request->user()->tenant_id;
 
         // Validate status slug если передан.
         if (array_key_exists('status', $validated) && $validated['status'] !== null) {
@@ -335,7 +310,7 @@ class DealController extends Controller
         if (array_key_exists('manager_id', $validated) && $validated['manager_id'] !== null) {
             $managerExists = User::query()
                 ->where('id', $validated['manager_id'])
-                ->where('tenant_id', $tenant->id)
+                ->where('tenant_id', $tenantId)
                 ->whereNull('deleted_at')
                 ->where('is_active', true)
                 ->exists();
@@ -347,11 +322,11 @@ class DealController extends Controller
             }
         }
 
-        $deal = DB::transaction(function () use ($validated, $tenant, $id) {
-            DB::statement('SET LOCAL app.current_tenant_id = '.$tenant->id);
+        $deal = DB::transaction(function () use ($validated, $tenantId, $id) {
+            DB::statement('SET LOCAL app.current_tenant_id = '.$tenantId);
 
             $deal = Deal::query()
-                ->where('tenant_id', $tenant->id)
+                ->where('tenant_id', $tenantId)
                 ->where('id', $id)
                 ->first();
 
@@ -363,7 +338,7 @@ class DealController extends Controller
             if (array_key_exists('comment', $validated) && $deal->comment !== $validated['comment']) {
                 $deal->comment = $validated['comment'];
                 ActivityLog::create([
-                    'tenant_id' => $tenant->id,
+                    'tenant_id' => $tenantId,
                     'user_id' => null,
                     'deal_id' => $deal->id,
                     'event' => 'deal.commented',
@@ -376,7 +351,7 @@ class DealController extends Controller
                 $deal->manager_id = $validated['manager_id'];
                 $deal->assigned_at = $validated['manager_id'] !== null ? now() : null;
                 ActivityLog::create([
-                    'tenant_id' => $tenant->id,
+                    'tenant_id' => $tenantId,
                     'user_id' => null,
                     'deal_id' => $deal->id,
                     'event' => ActivityLog::EVENT_DEAL_ASSIGNED,
@@ -388,7 +363,7 @@ class DealController extends Controller
                 $previousStatus = $deal->status;
                 $deal->status = $validated['status'];
                 ActivityLog::create([
-                    'tenant_id' => $tenant->id,
+                    'tenant_id' => $tenantId,
                     'user_id' => null,
                     'deal_id' => $deal->id,
                     'event' => ActivityLog::EVENT_DEAL_STATUS_CHANGED,
@@ -425,7 +400,6 @@ class DealController extends Controller
     public function store(Request $request): JsonResponse
     {
         $validated = $request->validate([
-            'tenant_id' => 'required|integer|min:1',
             'project_name' => 'required|string|max:255',
             'phone' => 'required|string|max:20',
             'contact_name' => 'nullable|string|max:255',
@@ -434,17 +408,14 @@ class DealController extends Controller
             'comment' => 'nullable|string|max:5000',
         ]);
 
-        $tenant = Tenant::find($validated['tenant_id']);
-        if ($tenant === null) {
-            return response()->json(['message' => 'Тенант не найден.'], 404);
-        }
+        $tenantId = (int) $request->user()->tenant_id;
 
         // Manager FK guard: если manager_id передан, он должен принадлежать
         // этому tenant'у. Иначе можно назначить чужого менеджера на свою сделку.
         if (isset($validated['manager_id'])) {
             $managerExists = User::query()
                 ->where('id', $validated['manager_id'])
-                ->where('tenant_id', $tenant->id)
+                ->where('tenant_id', $tenantId)
                 ->whereNull('deleted_at')
                 ->where('is_active', true)
                 ->exists();
@@ -459,16 +430,16 @@ class DealController extends Controller
         $statusSlug = $validated['status'] ?? 'new';
 
         // Транзакция + RLS: SET LOCAL внутри (PgBouncer-safe).
-        $deal = DB::transaction(function () use ($validated, $tenant, $statusSlug) {
-            DB::statement('SET LOCAL app.current_tenant_id = '.$tenant->id);
+        $deal = DB::transaction(function () use ($validated, $tenantId, $statusSlug) {
+            DB::statement('SET LOCAL app.current_tenant_id = '.$tenantId);
 
             $project = Project::firstOrCreate(
-                ['tenant_id' => $tenant->id, 'name' => $validated['project_name']],
+                ['tenant_id' => $tenantId, 'name' => $validated['project_name']],
                 ['type' => 'manual'],
             );
 
             $deal = Deal::create([
-                'tenant_id' => $tenant->id,
+                'tenant_id' => $tenantId,
                 'source_crm_id' => null, // manual
                 'project_id' => $project->id,
                 'phone' => $validated['phone'],
@@ -499,7 +470,7 @@ class DealController extends Controller
             }
 
             ActivityLog::create([
-                'tenant_id' => $tenant->id,
+                'tenant_id' => $tenantId,
                 'user_id' => null, // на prod — request()->user()->id
                 'deal_id' => $deal->id,
                 'event' => ActivityLog::EVENT_DEAL_CREATED,

app/app/Http/Controllers/Api/DealExportController.php

@@ -6,7 +6,6 @@ namespace App\Http\Controllers\Api;
 
 use App\Http\Controllers\Controller;
 use App\Models\Deal;
-use App\Models\Tenant;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\DB;
 use OpenSpout\Common\Entity\Row;
@@ -21,13 +20,15 @@ use Symfony\Component\HttpFoundation\StreamedResponse;
  *
  * Извлечено из DealController (Sprint 3 Phase A, audit O-refactor-01).
  *
+ * J1 (Sprint 3F): auth:sanctum+tenant, tenant_id из auth()->user().
+ *
  * O-perf-05: streaming устраняет memory pressure. PhpSpreadsheet строил
  * полный объект .xlsx в памяти (для 10K сделок ≈ 100+ MB). OpenSpout пишет
  * в php://output постранично через Writer + Row::fromValues и chunkById(500)
  * по сделкам — пик памяти O(1) от размера экспорта.
  *
  * API контракт сохранён:
- *   POST /api/deals/export {tenant_id, ids[], format?: csv|xlsx}
+ *   POST /api/deals/export {ids[], format?: csv|xlsx}
  *   Headers Content-Type / Content-Disposition без изменений.
  *   CSV: UTF-8 + BOM + ;-разделитель (Excel-friendly RU-локаль).
  *   XLSX: bold-header + auto-size columns.
@@ -43,16 +44,12 @@ class DealExportController extends Controller
     public function export(Request $request): StreamedResponse
     {
         $validated = $request->validate([
-            'tenant_id' => 'required|integer|min:1',
             'ids' => 'required|array|min:1|max:10000',
             'ids.*' => 'integer|min:1',
             'format' => 'nullable|string|in:csv,xlsx',
         ]);
 
-        $tenant = Tenant::find($validated['tenant_id']);
-        if ($tenant === null) {
-            abort(404, 'Тенант не найден.');
-        }
+        $tenantId = (int) $request->user()->tenant_id;
 
         $format = $validated['format'] ?? 'csv';
         $filename = 'deals_export_'.now()->format('Y-m-d').'.'.$format;
@@ -67,13 +64,13 @@ class DealExportController extends Controller
                 'Content-Disposition' => 'attachment; filename="'.$filename.'"',
             ];
 
-        return new StreamedResponse(function () use ($validated, $tenant, $format) {
+        return new StreamedResponse(function () use ($validated, $tenantId, $format) {
             // RLS-контекст должен быть установлен внутри транзакции на момент
             // фактического SELECT. StreamedResponse callback вызывается уже
             // после Laravel-response pipeline'а, поэтому открываем транзакцию
             // прямо здесь.
-            DB::transaction(function () use ($validated, $tenant, $format) {
-                DB::statement('SET LOCAL app.current_tenant_id = '.$tenant->id);
+            DB::transaction(function () use ($validated, $tenantId, $format) {
+                DB::statement('SET LOCAL app.current_tenant_id = '.$tenantId);
 
                 $writer = $this->openWriter($format);
                 $writer->openToFile('php://output');
@@ -93,7 +90,7 @@ class DealExportController extends Controller
                 // chunkById(500) — keyset-friendly; в нашем DealsView это
                 // редкий тяжёлый action, экспортировать могут до 10K id.
                 Deal::query()
-                    ->where('tenant_id', $tenant->id)
+                    ->where('tenant_id', $tenantId)
                     ->whereIn('id', $validated['ids'])
                     ->orderBy('id')
                     ->chunkById(500, function ($deals) use ($writer) {

app/app/Http/Controllers/Api/ImpersonationController.php

@@ -123,15 +123,21 @@ class ImpersonationController extends Controller
         ]);
 
         // TODO: отправить email на $tenant->contact_email с $plainCode.
-        // На MVP возвращаем code в response для тестов / dev (на prod НЕ должно
-        // возвращаться никогда — токен только в email клиента).
-        return response()->json([
+        $payload = [
             'token_id' => $token->id,
             'expires_at' => $token->expires_at->toIso8601String(),
             'sent_to_email' => $token->sent_to_email,
-            // dev-only field — на prod исчезает после интеграции с MailService.
-            '_dev_plain_code' => $plainCode,
-        ]);
+        ];
+
+        // Audit-fix A2: plain-код возвращается в API-ответе ТОЛЬКО на dev/testing
+        // (для тестов и локальной разработки). На prod код уходит исключительно
+        // в email клиента — env-guard исключает захват impersonation-сессии
+        // через чтение ответа init.
+        if (app()->environment('local', 'testing')) {
+            $payload['_dev_plain_code'] = $plainCode;
+        }
+
+        return response()->json($payload);
     }
 
     /** POST /api/admin/impersonation/verify */

app/app/Http/Controllers/Api/ReportJobController.php

@@ -13,7 +13,9 @@ use Illuminate\Http\Request;
 use Illuminate\Support\Carbon;
 use Illuminate\Support\Facades\DB;
 use Illuminate\Support\Facades\Storage;
+use Illuminate\Support\Facades\URL;
 use Illuminate\Validation\Rule;
+use Symfony\Component\HttpFoundation\Response;
 
 /**
  * Reports API (schema §13.5). Все endpoint'ы под `auth:sanctum`.
@@ -340,6 +342,68 @@ class ReportJobController extends Controller
         });
     }
 
+    /**
+     * GET /api/reports/jobs/{id}/file?tenant=&expires=&signature= — скачать
+     * готовый файл отчёта (F2, OPEN-И-20).
+     *
+     * Под `signed`-middleware (не auth:sanctum): подпись URL = capability-token.
+     * `tenant` в подписи нужен для RLS-контекста (нет авторизованного user'а).
+     * Подпись покрывает все query-параметры — `tenant`/`id` подделать нельзя.
+     */
+    public function download(Request $request, int $id): Response
+    {
+        $tenantId = (int) $request->query('tenant', '0');
+
+        return DB::transaction(function () use ($id, $tenantId): Response {
+            DB::statement('SET LOCAL app.current_tenant_id = '.$tenantId);
+
+            $job = ReportJob::query()
+                ->where('id', $id)
+                ->where('tenant_id', $tenantId)
+                ->first();
+
+            if ($job === null) {
+                return response()->json(['message' => 'Отчёт не найден.'], 404);
+            }
+
+            if ($job->status !== ReportJob::STATUS_DONE
+                || $job->file_path === null
+                || ($job->expires_at !== null && $job->expires_at->isPast())) {
+                return response()->json(['message' => 'Файл отчёта недоступен или истёк.'], 410);
+            }
+
+            if (! Storage::disk('local')->exists($job->file_path)) {
+                return response()->json(['message' => 'Файл отчёта не найден в хранилище.'], 404);
+            }
+
+            $extension = pathinfo($job->file_path, PATHINFO_EXTENSION);
+
+            return Storage::disk('local')->download(
+                $job->file_path,
+                sprintf('report-%d.%s', $job->id, $extension)
+            );
+        });
+    }
+
+    /**
+     * Signed URL (24 ч) на скачивание файла. NULL для не-готовых job'ов или
+     * после истечения retention (file_path обнулён cron'ом reports:cleanup-expired).
+     */
+    private function downloadUrl(ReportJob $job): ?string
+    {
+        if ($job->status !== ReportJob::STATUS_DONE
+            || $job->file_path === null
+            || ($job->expires_at !== null && $job->expires_at->isPast())) {
+            return null;
+        }
+
+        return URL::temporarySignedRoute(
+            'reports.download',
+            Carbon::now()->addHours(24),
+            ['id' => $job->id, 'tenant' => $job->tenant_id],
+        );
+    }
+
     /** @return array<string, mixed> */
     private function toResource(ReportJob $job): array
     {
@@ -358,6 +422,7 @@ class ReportJobController extends Controller
             'is_expired' => $job->expires_at !== null && $job->expires_at->isPast(),
             'retry_count' => (int) ($job->parameters['retry_count'] ?? 0),
             'retry_max' => self::RETRY_MAX_ATTEMPTS,
+            'download_url' => $this->downloadUrl($job),
         ];
     }
 }

app/app/Http/Controllers/Api/SupplierWebhookController.php

@@ -10,6 +10,7 @@ use App\Models\SupplierLead;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\RateLimiter;
 use Symfony\Component\HttpFoundation\IpUtils;
 
 /**
@@ -40,6 +41,9 @@ use Symfony\Component\HttpFoundation\IpUtils;
  */
 class SupplierWebhookController extends Controller
 {
+    /** Audit-fix C2: per-IP rate-limit (DoS-guard), запросов в минуту. */
+    private const RATE_LIMIT_PER_MINUTE = 600;
+
     public function receive(Request $request, string $secret): JsonResponse
     {
         if (! $this->verifySecret($secret)) {
@@ -50,6 +54,20 @@ class SupplierWebhookController extends Controller
             return response()->json(['message' => 'Not found.'], 404);
         }
 
+        // Audit-fix C2: per-IP rate-limit. Endpoint secret-gated, но защищаем
+        // от flood даже с валидным secret (DoS-guard). Лимит с запасом для
+        // легитимного stream'а лидов от crm.bp-gr.ru.
+        $rateKey = 'supplier-webhook:'.($request->ip() ?? 'unknown');
+        if (RateLimiter::tooManyAttempts($rateKey, self::RATE_LIMIT_PER_MINUTE)) {
+            $retryAfter = RateLimiter::availableIn($rateKey);
+
+            return response()->json([
+                'message' => 'Превышен лимит запросов.',
+                'retry_after' => $retryAfter,
+            ], 429)->header('Retry-After', (string) $retryAfter);
+        }
+        RateLimiter::hit($rateKey, 60);
+
         // Plan 2.6 fix #iii: timestamp partition guard. Партиции deals месячные
         // (deals_2026_MM); time за пределами текущего месяца → INSERT CRASH
         // "no partition of relation deals found for row" в RouteSupplierLeadJob.

app/app/Http/Controllers/Api/WebhookReceiveController.php

@@ -117,17 +117,19 @@ class WebhookReceiveController extends Controller
     }
 
     /**
-     * HMAC-обязательность. Если ключ отсутствует в БД — default false
-     * (backward-compat для существующих интеграций).
+     * HMAC-обязательность. Audit-fix B3: если ключ отсутствует в БД — default
+     * TRUE (HMAC обязателен по умолчанию). Отключить можно только явной
+     * установкой webhook_hmac_required=false. Неизвестное значение → fail-secure
+     * (HMAC требуется).
      */
     private function isHmacRequired(): bool
     {
         $setting = SystemSetting::find('webhook_hmac_required');
         if ($setting === null) {
-            return false;
+            return true;
         }
 
-        return in_array($setting->value, ['true', '1'], true);
+        return ! in_array($setting->value, ['false', '0'], true);
     }
 
     /**

app/app/Http/Controllers/Api/WebhookSettingsController.php

@@ -0,0 +1,137 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers\Api;
+
+use App\Http\Controllers\Controller;
+use App\Models\OutboundWebhookSubscription;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Facades\Http;
+use Illuminate\Support\Str;
+use Symfony\Component\HttpFoundation\Response;
+
+/**
+ * Настройки исходящего webhook'а тенанта (audit D4/D5/J5).
+ * Endpoints под auth:sanctum + tenant.
+ *
+ * Одна подписка-ряд на тенанта. Секрет генерируется при создании и
+ * показывается ОДИН раз (в БД — bcrypt secret_hash + secret_prefix).
+ *
+ * test(): MVP делает unsigned connectivity-проверку (реальный POST на
+ * target_url, отчёт по HTTP-статусу). HMAC-подписанная доставка событий —
+ * отдельный пост-MVP эпик (outbound-pipeline пока не построен).
+ */
+class WebhookSettingsController extends Controller
+{
+    private const SECRET_PREFIX = 'whsec_';
+
+    /** @var list<string> События по умолчанию для новой подписки. */
+    private const DEFAULT_EVENTS = ['deal.created', 'deal.status_changed'];
+
+    public function show(Request $request): JsonResponse
+    {
+        $sub = $this->currentSubscription($request);
+
+        if ($sub === null) {
+            return response()->json(['data' => null]);
+        }
+
+        return response()->json(['data' => [
+            'target_url' => $sub->target_url,
+            'secret_prefix' => $sub->secret_prefix,
+            'events' => $sub->events,
+            'is_active' => $sub->is_active,
+        ]]);
+    }
+
+    public function update(Request $request): JsonResponse
+    {
+        $validated = $request->validate([
+            'target_url' => ['required', 'string', 'url', 'max:2048', 'starts_with:https://'],
+        ]);
+
+        $sub = $this->currentSubscription($request);
+        $plainSecret = null;
+
+        if ($sub === null) {
+            $plainSecret = self::SECRET_PREFIX.Str::random(40);
+            $sub = OutboundWebhookSubscription::query()->create([
+                'tenant_id' => (int) $request->user()->tenant_id,
+                'user_id' => (int) $request->user()->id,
+                'name' => 'Webhook',
+                'target_url' => $validated['target_url'],
+                'secret_hash' => Hash::make($plainSecret),
+                'secret_prefix' => substr($plainSecret, 0, 10),
+                'events' => self::DEFAULT_EVENTS,
+                'is_active' => true,
+            ]);
+        } else {
+            $sub->update(['target_url' => $validated['target_url']]);
+        }
+
+        $payload = [
+            'target_url' => $sub->target_url,
+            'secret_prefix' => $sub->secret_prefix,
+            'events' => $sub->events,
+            'is_active' => $sub->is_active,
+        ];
+        if ($plainSecret !== null) {
+            $payload['secret'] = $plainSecret;
+        }
+
+        return response()->json(['data' => $payload]);
+    }
+
+    public function test(Request $request): JsonResponse
+    {
+        $sub = $this->currentSubscription($request);
+
+        if ($sub === null) {
+            return response()->json([
+                'message' => 'Сначала сохраните URL webhook.',
+            ], Response::HTTP_UNPROCESSABLE_ENTITY);
+        }
+
+        $testPayload = [
+            'event' => 'webhook.test',
+            'sent_at' => now()->toIso8601String(),
+            'message' => 'Тестовая доставка webhook от Лидерра.',
+        ];
+
+        // MVP: unsigned connectivity-проверка. SSRF-харднинг (блок приватных
+        // IP) — пост-MVP security-review; URL уже ограничен https:// валидацией.
+        try {
+            $response = Http::timeout(10)
+                ->withHeaders(['X-Webhook-Event' => 'webhook.test'])
+                ->post($sub->target_url, $testPayload);
+
+            return response()->json([
+                'ok' => $response->successful(),
+                'status' => $response->status(),
+                'message' => $response->successful()
+                    ? "Тестовый запрос доставлен (HTTP {$response->status()})."
+                    : "Endpoint ответил HTTP {$response->status()}.",
+            ]);
+        } catch (\Throwable $e) {
+            return response()->json([
+                'ok' => false,
+                'status' => null,
+                'message' => 'Не удалось доставить тестовый запрос: '.$e->getMessage(),
+            ]);
+        }
+    }
+
+    private function currentSubscription(Request $request): ?OutboundWebhookSubscription
+    {
+        $tenantId = (int) $request->user()->tenant_id;
+
+        // Defense-in-depth: явный where даже при RLS — в тестах PG superuser BYPASSRLS.
+        return OutboundWebhookSubscription::query()
+            ->where('tenant_id', $tenantId)
+            ->orderByDesc('id')
+            ->first();
+    }
+}

app/app/Http/Controllers/Concerns/ResolvesAdminUserId.php

@@ -0,0 +1,47 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers\Concerns;
+
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\DB;
+
+/**
+ * Резолв saas_admin_users.id для audit-trail на MVP (saas-admin SSO ⏸ Б-1).
+ *
+ * Берёт admin_user_id из request-параметра; при отсутствии валидного —
+ * создаёт/переиспользует системный стаб-аккаунт (не loginable, is_active=false),
+ * чтобы соблюсти NOT NULL + FK на saas_admin_users в saas_admin_audit_log.
+ *
+ * Паттерн ранее дублировался в AdminPricingTiersController /
+ * AdminSystemSettingsController; новый код использует этот трейт.
+ */
+trait ResolvesAdminUserId
+{
+    protected function resolveAdminUserId(Request $request, string $stubEmail, string $stubName): int
+    {
+        $requested = $request->input('admin_user_id');
+        if (is_int($requested) || (is_string($requested) && ctype_digit($requested))) {
+            $existing = DB::table('saas_admin_users')->where('id', (int) $requested)->value('id');
+            if ($existing !== null) {
+                return (int) $existing;
+            }
+        }
+
+        $existingId = DB::table('saas_admin_users')->where('email', $stubEmail)->value('id');
+        if ($existingId !== null) {
+            return (int) $existingId;
+        }
+
+        return (int) DB::table('saas_admin_users')->insertGetId([
+            'email' => $stubEmail,
+            'full_name' => $stubName,
+            'password_hash' => '$2y$04$system-stub-not-loginable',
+            'role' => 'super_admin',
+            'is_active' => false,
+            'sso_provider' => 'local',
+            'is_break_glass' => false,
+        ]);
+    }
+}

app/app/Http/Middleware/EnsureSaasAdmin.php

@@ -0,0 +1,38 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+/**
+ * Гейт SaaS-admin зоны (/api/admin/*) — audit-находка J2.
+ *
+ * СТАБ (Sprint 3F): полноценная авторизация saas-admin требует Yandex 360
+ * SSO-входа, который гейтится Б-1 (регистрация ООО) + DO-4. До их закрытия
+ * реального механизма аутентификации нет.
+ *
+ * Поведение стаба:
+ *   - dev / testing (local, testing) → пропускаем. Admin-панель работает на
+ *     dev; admin_user_id передаётся параметром (трейт ResolvesAdminUserId).
+ *   - прочие окружения (production / staging) → fail-closed 503: зона
+ *     закрыта до подключения реального SSO. Явный 503 лучше, чем тихо
+ *     открытый /api/admin/* в проде.
+ *
+ * TODO (после Б-1 + DO-4): заменить на проверку Yandex 360 SSO-сессии
+ * saas-admin (отдельный guard) + роль (compliance и т.п. где требуется).
+ */
+class EnsureSaasAdmin
+{
+    public function handle(Request $request, Closure $next): Response
+    {
+        if (! app()->environment('local', 'testing')) {
+            abort(503, 'SaaS-admin авторизация не настроена (ожидает Б-1 + DO-4).');
+        }
+
+        return $next($request);
+    }
+}

app/app/Http/Middleware/SetTenantContext.php

@@ -66,7 +66,10 @@ class SetTenantContext
             }
         }
 
-        if ($request->hasHeader('X-Tenant-Id')) {
+        // Audit-fix A3: X-Tenant-Id принимается ТОЛЬКО на dev/testing. На prod
+        // заголовок игнорируется — иначе на любом роуте с `tenant`, но без
+        // auth-middleware возможен спуфинг тенанта произвольным значением.
+        if (app()->environment('local', 'testing') && $request->hasHeader('X-Tenant-Id')) {
             $headerValue = $request->header('X-Tenant-Id');
             if (is_string($headerValue) && ctype_digit($headerValue)) {
                 return (int) $headerValue;

app/app/Http/Requests/StoreProjectRequest.php

@@ -22,11 +22,8 @@ class StoreProjectRequest extends FormRequest
             'name' => ['required', 'string', 'max:255'],
             'signal_type' => ['required', Rule::in(['site', 'call', 'sms'])],
             'daily_limit_target' => ['required', 'integer', 'min:1', 'max:10000'],
-            // Plan 6: subject-level regions[] заменил region_mask/region_mode на API-уровне.
-            // Empty array = "вся РФ" (паритет с legacy region_mask=255 + region_mode='include').
-            // present = поле должно быть в payload (даже если []), enforces explicit choice.
-            'regions' => ['present', 'array'],
-            'regions.*' => ['integer', 'between:1,89'],
+            'region_mask' => ['required', 'integer', 'min:0'],
+            'region_mode' => ['required', Rule::in(['include', 'exclude'])],
             'delivery_days_mask' => ['required', 'integer', 'min:1', 'max:127'],
         ];
 

app/app/Http/Requests/UpdateProjectRequest.php

@@ -5,6 +5,7 @@ declare(strict_types=1);
 namespace App\Http\Requests;
 
 use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;
 
 class UpdateProjectRequest extends FormRequest
 {
@@ -19,10 +20,8 @@ class UpdateProjectRequest extends FormRequest
         return [
             'name' => ['sometimes', 'string', 'max:255'],
             'daily_limit_target' => ['sometimes', 'integer', 'min:1', 'max:10000'],
-            // Plan 6: subject-level regions[] заменил region_mask/region_mode на API-уровне.
-            // sometimes = поле omit-able (preserves prior DB value), массив + each 1..89.
-            'regions' => ['sometimes', 'array'],
-            'regions.*' => ['integer', 'between:1,89'],
+            'region_mask' => ['sometimes', 'integer', 'min:0'],
+            'region_mode' => ['sometimes', Rule::in(['include', 'exclude'])],
             'delivery_days_mask' => ['sometimes', 'integer', 'min:1', 'max:127'],
             'sms_senders' => ['sometimes', 'array', 'min:1'],
             'sms_senders.*' => ['string', 'max:11'],

app/app/Jobs/Supplier/SyncSupplierProjectsJob.php

@@ -207,7 +207,7 @@ class SyncSupplierProjectsJob implements ShouldQueue
      * Маппинг:
      *   daily_limit  ← daily_limit_target
      *   workdays     ← биты delivery_days_mask (bit 0=Пн, …, bit 6=Вс) → ISO 1..7
-     *   regions      ← projects.regions INT[] (subject codes 1..89) direct copy
+     *   regions      ← биты region_mask (bit 0=Центральный, …, bit 7=Дальневосточный) → 1..8
      *
      * @param  EloquentCollection<int, Project>  $projects
      * @return Collection<int, stdClass>
@@ -219,11 +219,12 @@ class SyncSupplierProjectsJob implements ShouldQueue
             $obj->daily_limit = (int) $p->daily_limit_target;
             $obj->workdays = $this->bitmaskToList((int) $p->delivery_days_mask, 7);
 
-            // Plan 6: projects.regions[] напрямую копируется в supplier_projects.current_regions.
-            // Empty array = "вся РФ" (паритет с supplier API semantics).
-            // Legacy region_mask/region_mode игнорируются — они dual-write для PhonePrefixService,
-            // outbound к supplier использует только regions[]. Cleanup в Plan 6.5.
-            $obj->regions = array_values((array) $p->regions);
+            // region_mask=255 (все 8 ФО, default) — catch-all семантика → пустой массив
+            // у supplier ("без региональных ограничений"). Иначе — список выставленных битов.
+            $regionMask = (int) $p->region_mask;
+            $obj->regions = $regionMask === 255
+                ? []
+                : $this->bitmaskToList($regionMask, 8);
 
             return $obj;
         })->values();

app/app/Models/ApiKey.php

@@ -0,0 +1,66 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Models;
+
+use Database\Factories\ApiKeyFactory;
+use Illuminate\Database\Eloquent\Factories\HasFactory;
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
+
+/**
+ * API-ключ тенанта (таблица api_keys). Tenant-aware, RLS на уровне БД.
+ *
+ * key_hash — bcrypt-хэш; оригинал ключа показывается ОДИН раз при генерации
+ * (ApiKeyController::regenerate). key_prefix (10 символов) — для отображения
+ * в UI. Таблица имеет только created_at (без updated_at).
+ *
+ * @mixin IdeHelperApiKey
+ */
+class ApiKey extends Model
+{
+    /** @use HasFactory<ApiKeyFactory> */
+    use HasFactory;
+
+    public $timestamps = false;
+
+    protected $fillable = [
+        'tenant_id',
+        'user_id',
+        'name',
+        'key_hash',
+        'key_prefix',
+        'scopes',
+        'last_used_at',
+        'last_used_ip',
+        'expires_at',
+        'is_active',
+        'created_at',
+    ];
+
+    protected $hidden = ['key_hash'];
+
+    protected function casts(): array
+    {
+        return [
+            'scopes' => 'array',
+            'is_active' => 'boolean',
+            'last_used_at' => 'datetime',
+            'expires_at' => 'datetime',
+            'created_at' => 'datetime',
+        ];
+    }
+
+    /** @return BelongsTo<Tenant, $this> */
+    public function tenant(): BelongsTo
+    {
+        return $this->belongsTo(Tenant::class);
+    }
+
+    /** @return BelongsTo<User, $this> */
+    public function user(): BelongsTo
+    {
+        return $this->belongsTo(User::class);
+    }
+}

app/app/Models/BalanceTransaction.php

@@ -4,6 +4,8 @@ declare(strict_types=1);
 
 namespace App\Models;
 
+use Database\Factories\BalanceTransactionFactory;
+use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Database\Eloquent\Relations\BelongsTo;
 
@@ -19,6 +21,9 @@ use Illuminate\Database\Eloquent\Relations\BelongsTo;
  */
 class BalanceTransaction extends Model
 {
+    /** @use HasFactory<BalanceTransactionFactory> */
+    use HasFactory;
+
     public const TYPE_TRIAL_BONUS = 'trial_bonus';
 
     public const TYPE_TOPUP = 'topup';

app/app/Models/OutboundWebhookSubscription.php

@@ -0,0 +1,72 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Models;
+
+use Database\Factories\OutboundWebhookSubscriptionFactory;
+use Illuminate\Database\Eloquent\Factories\HasFactory;
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
+
+/**
+ * Исходящая webhook-подписка тенанта (таблица outbound_webhook_subscriptions).
+ *
+ * Tenant-aware, RLS на уровне БД.
+ *
+ * secret_hash — bcrypt-хэш; оригинал секрета показывается ОДИН раз при
+ * создании. events — JSONB-массив, CHECK требует ≥1 элемента.
+ *
+ * NB: outbound-доставка событий (подписанные webhook'и) — пост-MVP; пока
+ * подписка хранит URL + секрет, а WebhookSettingsController::test делает
+ * unsigned connectivity-проверку.
+ *
+ * @mixin IdeHelperOutboundWebhookSubscription
+ */
+class OutboundWebhookSubscription extends Model
+{
+    /** @use HasFactory<OutboundWebhookSubscriptionFactory> */
+    use HasFactory;
+
+    protected $fillable = [
+        'tenant_id',
+        'user_id',
+        'name',
+        'target_url',
+        'secret_hash',
+        'secret_prefix',
+        'events',
+        'custom_headers',
+        'is_active',
+        'paused_at',
+    ];
+
+    protected $hidden = ['secret_hash'];
+
+    protected function casts(): array
+    {
+        return [
+            'events' => 'array',
+            'custom_headers' => 'array',
+            'is_active' => 'boolean',
+            'consecutive_failures' => 'integer',
+            'paused_at' => 'datetime',
+            'last_delivery_at' => 'datetime',
+            'last_failure_at' => 'datetime',
+            'created_at' => 'datetime',
+            'updated_at' => 'datetime',
+        ];
+    }
+
+    /** @return BelongsTo<Tenant, $this> */
+    public function tenant(): BelongsTo
+    {
+        return $this->belongsTo(Tenant::class);
+    }
+
+    /** @return BelongsTo<User, $this> */
+    public function user(): BelongsTo
+    {
+        return $this->belongsTo(User::class);
+    }
+}

app/app/Models/Project.php

@@ -4,7 +4,6 @@ declare(strict_types=1);
 
 namespace App\Models;
 
-use App\Casts\PostgresIntArray;
 use Carbon\CarbonInterface;
 use Database\Factories\ProjectFactory;
 use Illuminate\Database\Eloquent\Builder;
@@ -46,9 +45,6 @@ class Project extends Model
         'effective_limit_calculated_at',
         'region_mask',
         'region_mode',
-        // Plan 6 (schema v8.20): Subject-level regions array (89 codes из resources/js/constants/regions.ts).
-        // Источник истины с Plan 6+; region_mask/region_mode — DEPRECATED (Plan 6.5 cleanup).
-        'regions',
         'delivery_days_mask',
         'assignment_strategy',
         'ttfr_target_minutes',
@@ -73,10 +69,6 @@ class Project extends Model
             'daily_limit_target' => 'integer',
             'effective_daily_limit_today' => 'integer',
             'region_mask' => 'integer',
-            // Plan 6: Subject-level regions array (89 codes). Используется кастомный
-            // PostgresIntArray cast — Laravel stock 'array' посылает JSON `[1,2,3]`,
-            // что Postgres отвергает на INT[] (ожидает literal `{1,2,3}`).
-            'regions' => PostgresIntArray::class,
             'delivery_days_mask' => 'integer',
             'ttfr_target_minutes' => 'integer',
             'effective_limit_calculated_at' => 'datetime',

app/app/Models/TariffPlan.php

@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Model;
+
+/**
+ * Тарифный план SaaS-портала (каталог tariff_plans).
+ *
+ * Сидится из db/schema.sql (4 стартовых плана: start/basic/pro/enterprise).
+ * Read-mostly: редактируется только админкой SaaS. Tenant ссылается через
+ * tenants.current_tariff_id (см. Tenant::tariff()).
+ *
+ * Источник: db/schema.sql §20.2.1, table `tariff_plans`.
+ *
+ * @mixin IdeHelperTariffPlan
+ */
+class TariffPlan extends Model
+{
+    protected $fillable = [
+        'code',
+        'name',
+        'description',
+        'billing_model',
+        'price_per_lead',
+        'price_monthly',
+        'included_leads',
+        'limits',
+        'features',
+        'trial_bonus_leads',
+        'is_active',
+        'is_public',
+        'sort_order',
+    ];
+
+    protected function casts(): array
+    {
+        return [
+            'price_per_lead' => 'decimal:2',
+            'price_monthly' => 'decimal:2',
+            'included_leads' => 'integer',
+            'limits' => 'array',
+            'features' => 'array',
+            'trial_bonus_leads' => 'integer',
+            'is_active' => 'boolean',
+            'is_public' => 'boolean',
+            'sort_order' => 'integer',
+            'created_at' => 'datetime',
+            'updated_at' => 'datetime',
+        ];
+    }
+}

app/app/Models/Tenant.php

@@ -7,6 +7,7 @@ namespace App\Models;
 use Database\Factories\TenantFactory;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
 use Illuminate\Database\Eloquent\Relations\HasMany;
 use Illuminate\Database\Eloquent\SoftDeletes;
 
@@ -80,4 +81,10 @@ class Tenant extends Model
     {
         return $this->hasMany(Project::class);
     }
+
+    /** @return BelongsTo<TariffPlan, $this> */
+    public function tariff(): BelongsTo
+    {
+        return $this->belongsTo(TariffPlan::class, 'current_tariff_id');
+    }
 }

app/app/Services/Billing/BillingTopupService.php

@@ -0,0 +1,63 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\Billing;
+
+use App\Models\BalanceTransaction;
+use App\Models\Tenant;
+
+/**
+ * Сервис пополнения рублёвого баланса тенанта (audit E1).
+ *
+ * MVP-stub: кредитует tenants.balance_rub немедленно и пишет строку
+ * balance_transactions(type='topup'). Реальная оплата через платёжный
+ * шлюз — post-Б-1 (требует реквизитов ООО), здесь НЕ интегрирована.
+ *
+ * Контракт: вызывается ВНУТРИ транзакции (middleware `tenant` оборачивает
+ * HTTP-запрос в DB-транзакцию). lockForUpdate на строке tenant защищает от
+ * lost-update при конкурентных topup/charge.
+ *
+ * balance_transactions защищена hash-chain триггером (BEFORE INSERT
+ * audit_chain_hash) — log_hash заполняется автоматически. UPDATE/DELETE
+ * на таблице запрещены триггером audit_block_mutation, поэтому каждое
+ * пополнение — отдельная append-only строка; существующие не меняются.
+ */
+final class BillingTopupService
+{
+    /**
+     * Пополнить рублёвый баланс тенанта.
+     *
+     * @param  int  $tenantId  ID тенанта.
+     * @param  string  $amountRub  Сумма пополнения, DECIMAL-строка («100.00»).
+     * @param  int|null  $userId  Кто инициировал (NULL — системное).
+     * @return BalanceTransaction Созданная append-only строка ledger'а.
+     */
+    public function topup(int $tenantId, string $amountRub, ?int $userId): BalanceTransaction
+    {
+        /** @var Tenant $tenant */
+        $tenant = Tenant::query()->lockForUpdate()->findOrFail($tenantId);
+
+        // bcadd — DECIMAL-точность, НЕ PHP float (паттерн LedgerService).
+        $newBalanceRub = bcadd((string) $tenant->balance_rub, $amountRub, 2);
+
+        // Eloquent decimal:2 cast сохраняет bcmath-строку без потери точности
+        // при save() (в отличие от decrement(), который требует float|int —
+        // именно поэтому LedgerService использует raw DB::table()->update();
+        // здесь же присваивание уже посчитанной строки через модель безопасно).
+        $tenant->balance_rub = $newBalanceRub;
+        $tenant->save();
+
+        return BalanceTransaction::create([
+            'tenant_id' => $tenant->id,
+            'type' => BalanceTransaction::TYPE_TOPUP,
+            'amount_rub' => $amountRub,
+            'amount_leads' => 0,
+            'balance_rub_after' => $newBalanceRub,
+            'balance_leads_after' => (int) $tenant->balance_leads,
+            'description' => 'Пополнение баланса',
+            'user_id' => $userId,
+            'created_at' => now(),
+        ]);
+    }
+}

app/app/Services/Project/ProjectService.php

@@ -191,11 +191,6 @@ class ProjectService
 
         $data['tenant_id'] = $tenant->id;
         $data['is_active'] = true;
-        $data['regions'] = $data['regions'] ?? [];
-        // Plan 6 dual-write: regions[] источник истины; region_mask/mode — legacy для
-        // PhonePrefixService / LeadRouter, удаляются в Plan 6.5 после переключения читателей.
-        $data['region_mask'] = 255;
-        $data['region_mode'] = 'include';
         $project = Project::create($data);
 
         SyncSupplierProjectJob::dispatch($project->id);

app/app/Services/Reports/Providers/BillingSummaryProvider.php

@@ -0,0 +1,69 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\Reports\Providers;
+
+use App\Models\ReportJob;
+use Illuminate\Support\Carbon;
+use Illuminate\Support\Facades\DB;
+
+/**
+ * billing_summary — агрегат balance_transactions по типу операции (audit F1).
+ *
+ * Группировка по balance_transactions.type; count + SUM(amount_rub). Тип
+ * операции переводится в человекочитаемую метку. parameters: date_from,
+ * date_to (Y-m-d) — фильтр по created_at.
+ *
+ * RLS-обёртка SET LOCAL app.current_tenant_id (balance_transactions имеет RLS
+ * tenant_isolation) + явный where('tenant_id') — паттерн BillingController.
+ */
+class BillingSummaryProvider implements ReportDataProvider
+{
+    /** Канон-типы balance_transactions.type → RU-метка (schema §7.6 CHECK). */
+    private const TYPE_LABELS = [
+        'trial_bonus' => 'Стартовый бонус',
+        'topup' => 'Пополнение',
+        'lead_charge' => 'Списание за лиды',
+        'refund' => 'Возврат',
+        'manual_adjustment' => 'Ручная корректировка',
+        'historical_import' => 'Импорт истории',
+        'chargeback_writedown' => 'Chargeback — списание в долг',
+        'chargeback_repayment' => 'Chargeback — погашение долга',
+    ];
+
+    public function headers(): array
+    {
+        return ['Тип операции', 'Количество', 'Сумма (₽)'];
+    }
+
+    public function rows(ReportJob $job): array
+    {
+        $params = $job->parameters ?? [];
+        $dateFrom = Carbon::parse($params['date_from'])->startOfDay();
+        $dateTo = Carbon::parse($params['date_to'])->endOfDay();
+
+        return DB::transaction(function () use ($job, $dateFrom, $dateTo): array {
+            DB::statement('SET LOCAL app.current_tenant_id = '.(int) $job->tenant_id);
+
+            $rows = DB::table('balance_transactions')
+                ->where('tenant_id', $job->tenant_id)
+                ->whereBetween('created_at', [$dateFrom, $dateTo])
+                ->groupBy('type')
+                ->orderBy('type')
+                ->selectRaw('type, COUNT(*) AS cnt, COALESCE(SUM(amount_rub), 0) AS sum_rub')
+                ->get();
+
+            return $rows->map(function ($row): array {
+                $label = self::TYPE_LABELS[$row->type] ?? (string) $row->type;
+
+                return [$label, (int) $row->cnt, (string) $row->sum_rub];
+            })->all();
+        });
+    }
+
+    public function slug(): string
+    {
+        return 'billing';
+    }
+}

app/app/Services/Reports/Providers/ManagersSummaryProvider.php

@@ -0,0 +1,76 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\Reports\Providers;
+
+use App\Models\ReportJob;
+use Illuminate\Support\Carbon;
+use Illuminate\Support\Facades\DB;
+
+/**
+ * managers_summary — агрегат сделок по менеджерам за период (audit F1).
+ *
+ * Группировка по deals.manager_id; неназначенные (manager_id IS NULL) сводятся
+ * в строку «Не назначен». «Оплачено» = status='paid' (won-статус воронки, как
+ * в DashboardController). Конверсия = paid / total * 100, округление до 0.1.
+ *
+ * parameters: date_from, date_to (Y-m-d). Исключаются soft-deleted
+ * (deleted_at IS NULL) и тестовые (is_test=false) сделки. RLS-обёртка
+ * SET LOCAL app.current_tenant_id — паттерн DealsExportProvider.
+ */
+class ManagersSummaryProvider implements ReportDataProvider
+{
+    public function headers(): array
+    {
+        return ['Менеджер', 'Всего сделок', 'Оплачено', 'Конверсия (%)'];
+    }
+
+    public function rows(ReportJob $job): array
+    {
+        $params = $job->parameters ?? [];
+        $dateFrom = Carbon::parse($params['date_from'])->startOfDay();
+        $dateTo = Carbon::parse($params['date_to'])->endOfDay();
+
+        return DB::transaction(function () use ($job, $dateFrom, $dateTo): array {
+            DB::statement('SET LOCAL app.current_tenant_id = '.(int) $job->tenant_id);
+
+            $rows = DB::table('deals')
+                ->leftJoin('users', 'deals.manager_id', '=', 'users.id')
+                ->where('deals.tenant_id', $job->tenant_id)
+                ->whereNull('deals.deleted_at')
+                ->where('deals.is_test', false)
+                ->whereBetween('deals.received_at', [$dateFrom, $dateTo])
+                ->groupBy('deals.manager_id', 'users.first_name', 'users.last_name', 'users.email')
+                ->orderByRaw('COUNT(*) DESC')
+                ->orderBy('deals.manager_id')
+                ->selectRaw(
+                    "deals.manager_id,
+                     users.first_name, users.last_name, users.email,
+                     COUNT(*) AS total,
+                     COUNT(*) FILTER (WHERE deals.status = 'paid') AS paid"
+                )
+                ->get();
+
+            return $rows->map(function ($row): array {
+                $name = trim(($row->first_name ?? '').' '.($row->last_name ?? ''));
+                if ($name === '') {
+                    $name = (string) ($row->email ?? '');
+                }
+                if ($name === '') {
+                    $name = 'Не назначен';
+                }
+                $total = (int) $row->total;
+                $paid = (int) $row->paid;
+                $conversion = $total > 0 ? round($paid / $total * 100, 1) : 0.0;
+
+                return [$name, $total, $paid, $conversion];
+            })->all();
+        });
+    }
+
+    public function slug(): string
+    {
+        return 'managers';
+    }
+}

app/app/Services/Reports/Providers/SourcesSummaryProvider.php

@@ -0,0 +1,69 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\Reports\Providers;
+
+use App\Models\ReportJob;
+use Illuminate\Support\Carbon;
+use Illuminate\Support\Facades\DB;
+
+/**
+ * sources_summary — агрегат сделок по источнику (utm_source) за период (audit F1).
+ *
+ * Группировка по deals.utm_source; сделки без метки (NULL/пусто) сводятся в
+ * строку «Прямые / без метки». «Оплачено» = status='paid'. Конверсия =
+ * paid / total * 100, округление до 0.1.
+ *
+ * parameters: date_from, date_to (Y-m-d). Исключаются soft-deleted и тестовые
+ * сделки. RLS-обёртка SET LOCAL app.current_tenant_id — паттерн DealsExportProvider.
+ */
+class SourcesSummaryProvider implements ReportDataProvider
+{
+    public function headers(): array
+    {
+        return ['Источник', 'Всего сделок', 'Оплачено', 'Конверсия (%)'];
+    }
+
+    public function rows(ReportJob $job): array
+    {
+        $params = $job->parameters ?? [];
+        $dateFrom = Carbon::parse($params['date_from'])->startOfDay();
+        $dateTo = Carbon::parse($params['date_to'])->endOfDay();
+
+        return DB::transaction(function () use ($job, $dateFrom, $dateTo): array {
+            DB::statement('SET LOCAL app.current_tenant_id = '.(int) $job->tenant_id);
+
+            $rows = DB::table('deals')
+                ->where('tenant_id', $job->tenant_id)
+                ->whereNull('deleted_at')
+                ->where('is_test', false)
+                ->whereBetween('received_at', [$dateFrom, $dateTo])
+                ->groupBy('utm_source')
+                ->orderByRaw('COUNT(*) DESC')
+                ->orderBy('utm_source')
+                ->selectRaw(
+                    "utm_source,
+                     COUNT(*) AS total,
+                     COUNT(*) FILTER (WHERE status = 'paid') AS paid"
+                )
+                ->get();
+
+            return $rows->map(function ($row): array {
+                $source = $row->utm_source !== null && trim((string) $row->utm_source) !== ''
+                    ? (string) $row->utm_source
+                    : 'Прямые / без метки';
+                $total = (int) $row->total;
+                $paid = (int) $row->paid;
+                $conversion = $total > 0 ? round($paid / $total * 100, 1) : 0.0;
+
+                return [$source, $total, $paid, $conversion];
+            })->all();
+        });
+    }
+
+    public function slug(): string
+    {
+        return 'sources';
+    }
+}

app/app/Services/Reports/ReportGeneratorRegistry.php

@@ -10,23 +10,28 @@ use App\Services\Reports\Formatters\JsonFormatter;
 use App\Services\Reports\Formatters\PdfStubFormatter;
 use App\Services\Reports\Formatters\ReportFormatter;
 use App\Services\Reports\Formatters\XlsxFormatter;
+use App\Services\Reports\Providers\BillingSummaryProvider;
 use App\Services\Reports\Providers\DealsExportProvider;
+use App\Services\Reports\Providers\ManagersSummaryProvider;
 use App\Services\Reports\Providers\ReportDataProvider;
+use App\Services\Reports\Providers\SourcesSummaryProvider;
 use InvalidArgumentException;
 
 /**
  * Резолвит ReportDataProvider по `type` и ReportFormatter по `format`.
  *
- * Этап 2 (текущий): 1 provider × 4 formatter = 4 комбинации
- *   (deals_export × csv|xlsx|json|pdf-stub).
- *
- * Этап 2b расширит до 4 × 4 = 16 (managers_summary, sources_summary,
- * billing_summary). Для PDF на MVP — stub, fallback'ит в RuntimeException.
+ * 4 provider'а (deals_export, managers_summary, sources_summary,
+ * billing_summary) × 4 formatter'а (csv, xlsx, json, pdf). PDF на MVP —
+ * stub: PdfStubFormatter кидает RuntimeException → GenerateReportJob
+ * ловит → failed-job (intended, Post-MVP).
  */
 class ReportGeneratorRegistry
 {
     public function __construct(
         private readonly DealsExportProvider $dealsExport,
+        private readonly ManagersSummaryProvider $managersSummary,
+        private readonly SourcesSummaryProvider $sourcesSummary,
+        private readonly BillingSummaryProvider $billingSummary,
         private readonly CsvFormatter $csv,
         private readonly XlsxFormatter $xlsx,
         private readonly JsonFormatter $json,
@@ -37,6 +42,9 @@ class ReportGeneratorRegistry
     {
         return match ($type) {
             'deals_export' => $this->dealsExport,
+            'managers_summary' => $this->managersSummary,
+            'sources_summary' => $this->sourcesSummary,
+            'billing_summary' => $this->billingSummary,
             default => throw new InvalidArgumentException("Тип отчёта не реализован: {$type}"),
         };
     }
@@ -54,18 +62,10 @@ class ReportGeneratorRegistry
 
     public function isSupported(string $type, string $format): bool
     {
-        if (! in_array($type, ReportJob::TYPES, true) || ! in_array($format, ReportJob::FORMATS, true)) {
-            return false;
-        }
-
-        // Этап 2: только deals_export (этап 2b добавит остальные).
-        $supportedTypes = ['deals_export'];
-        if (! in_array($type, $supportedTypes, true)) {
-            return false;
-        }
-
-        // PDF — stub: validates, но генерация даёт failed-job (intended).
-        // Считаем «поддерживается» — пусть GenerateReportJob сам catch'ит RuntimeException.
-        return true;
+        // Все 4 типа ReportJob::TYPES реализованы (F1, 2026-05-16).
+        // PDF валидируется, но PdfStubFormatter кидает RuntimeException →
+        // GenerateReportJob ловит → failed-job (intended, Post-MVP).
+        return in_array($type, ReportJob::TYPES, true)
+            && in_array($format, ReportJob::FORMATS, true);
     }
 }

app/bootstrap/app.php

@@ -1,5 +1,6 @@
 <?php
 
+use App\Http\Middleware\EnsureSaasAdmin;
 use App\Http\Middleware\SetTenantContext;
 use Illuminate\Foundation\Application;
 use Illuminate\Foundation\Configuration\Exceptions;
@@ -18,6 +19,7 @@ return Application::configure(basePath: dirname(__DIR__))
 
         $middleware->alias([
             'tenant' => SetTenantContext::class,
+            'saas-admin' => EnsureSaasAdmin::class,
         ]);
 
         // Webhook receive endpoint (POST /api/webhook/{token}) не должен требовать

app/database/factories/ApiKeyFactory.php

@@ -0,0 +1,36 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Database\Factories;
+
+use App\Models\ApiKey;
+use App\Models\Tenant;
+use App\Models\User;
+use Illuminate\Database\Eloquent\Factories\Factory;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Str;
+
+/**
+ * @extends Factory<ApiKey>
+ */
+class ApiKeyFactory extends Factory
+{
+    protected $model = ApiKey::class;
+
+    public function definition(): array
+    {
+        return [
+            'tenant_id' => Tenant::factory(),
+            'user_id' => User::factory(),
+            'name' => 'API-ключ',
+            'key_hash' => Hash::make(Str::random(48)),
+            'key_prefix' => 'lpkapi_'.Str::lower(Str::random(3)),
+            'scopes' => ['read'],
+            'last_used_at' => null,
+            'expires_at' => now()->addYear(),
+            'is_active' => true,
+            'created_at' => now(),
+        ];
+    }
+}

app/database/factories/BalanceTransactionFactory.php

@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Database\Factories;
+
+use App\Models\BalanceTransaction;
+use App\Models\Tenant;
+use Illuminate\Database\Eloquent\Factories\Factory;
+
+/**
+ * @extends Factory<BalanceTransaction>
+ */
+class BalanceTransactionFactory extends Factory
+{
+    protected $model = BalanceTransaction::class;
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function definition(): array
+    {
+        return [
+            'tenant_id' => Tenant::factory(),
+            'type' => BalanceTransaction::TYPE_TOPUP,
+            'amount_rub' => '100.00',
+            'amount_leads' => 0,
+            'balance_rub_after' => '100.00',
+            'balance_leads_after' => 0,
+            'description' => 'Тестовая транзакция',
+            'created_at' => now(),
+        ];
+    }
+}

app/database/factories/OutboundWebhookSubscriptionFactory.php

@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Database\Factories;
+
+use App\Models\OutboundWebhookSubscription;
+use App\Models\Tenant;
+use App\Models\User;
+use Illuminate\Database\Eloquent\Factories\Factory;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Str;
+
+/**
+ * @extends Factory<OutboundWebhookSubscription>
+ */
+class OutboundWebhookSubscriptionFactory extends Factory
+{
+    protected $model = OutboundWebhookSubscription::class;
+
+    public function definition(): array
+    {
+        return [
+            'tenant_id' => Tenant::factory(),
+            'user_id' => User::factory(),
+            'name' => 'Webhook',
+            'target_url' => 'https://'.fake()->domainName().'/webhook',
+            'secret_hash' => Hash::make('whsec_'.Str::random(40)),
+            'secret_prefix' => 'whsec_'.Str::lower(Str::random(4)),
+            'events' => ['deal.created', 'deal.status_changed'],
+            'is_active' => true,
+        ];
+    }
+}

app/phpstan-baseline.neon

@@ -1,25 +1,5 @@
 parameters:
 	ignoreErrors:
-		# Plan 6 (v8.20): Project::$regions INT[] cast via PostgresIntArray; ide-helper
-		# regen pending (will resolve after next `php artisan ide-helper:models -W`).
-		-
-			message: '#^Access to an undefined property App\\Models\\Project\:\:\$regions\.$#'
-			identifier: property.notFound
-			count: 1
-			path: tests/Feature/Plan5/Projects/ProjectsStoreTest.php
-
-		-
-			message: '#^Access to an undefined property App\\Models\\Project\:\:\$regions\.$#'
-			identifier: property.notFound
-			count: 2
-			path: tests/Feature/Plan5/Projects/ProjectsUpdateTest.php
-
-		-
-			message: '#^Access to an undefined property App\\Models\\Project\:\:\$regions\.$#'
-			identifier: property.notFound
-			count: 1
-			path: app/Jobs/Supplier/SyncSupplierProjectsJob.php
-
 		-
 			message: '#^Expression on left side of \?\? is not nullable\.$#'
 			identifier: nullCoalesce.expr
@@ -98,12 +78,6 @@ parameters:
 			count: 1
 			path: app/Http/Middleware/SetTenantContext.php
 
-		-
-			message: '#^Access to an undefined property App\\Models\\Project\:\:\$archived_at\.$#'
-			identifier: property.notFound
-			count: 1
-			path: app/Http/Resources/ProjectResource.php
-
 		-
 			message: '#^Using nullsafe property access "\?\-\>name" on left side of \?\? is unnecessary\. Use \-\> instead\.$#'
 			identifier: nullsafe.neverNull
@@ -122,18 +96,18 @@ parameters:
 			count: 1
 			path: app/Services/NotificationService.php
 
-		-
-			message: '#^Access to an undefined property App\\Models\\Project\:\:\$archived_at\.$#'
-			identifier: property.notFound
-			count: 1
-			path: app/Services/Project/ProjectService.php
-
 		-
 			message: '#^Match expression does not handle remaining value\: string$#'
 			identifier: match.unhandled
 			count: 1
 			path: app/Services/Project/ProjectService.php
 
+		-
+			message: '#^Return type \(array\<string, mixed\>\) of method Database\\Factories\\BalanceTransactionFactory\:\:definition\(\) should be compatible with return type \(array\<model property of App\\Models\\BalanceTransaction, mixed\>\) of method Illuminate\\Database\\Eloquent\\Factories\\Factory\<App\\Models\\BalanceTransaction\>\:\:definition\(\)$#'
+			identifier: method.childReturnType
+			count: 1
+			path: database/factories/BalanceTransactionFactory.php
+
 		-
 			message: '#^Return type \(array\<string, mixed\>\) of method Database\\Factories\\ProjectFactory\:\:definition\(\) should be compatible with return type \(array\<model property of App\\Models\\Project, mixed\>\) of method Illuminate\\Database\\Eloquent\\Factories\\Factory\<App\\Models\\Project\>\:\:definition\(\)$#'
 			identifier: method.childReturnType
@@ -206,12 +180,54 @@ parameters:
 			count: 3
 			path: tests/Feature/Admin/AdminSuppliersControllerTest.php
 
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:getJson\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/AdminBillingActionsTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:patchJson\(\)\.$#'
+			identifier: method.notFound
+			count: 7
+			path: tests/Feature/AdminBillingActionsTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:postJson\(\)\.$#'
+			identifier: method.notFound
+			count: 3
+			path: tests/Feature/AdminBillingActionsTest.php
+
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:getJson\(\)\.$#'
 			identifier: method.notFound
 			count: 10
 			path: tests/Feature/AdminBillingIndexTest.php
 
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$adminId\.$#'
+			identifier: property.notFound
+			count: 4
+			path: tests/Feature/AdminIncidentRknNotifyTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:postJson\(\)\.$#'
+			identifier: method.notFound
+			count: 4
+			path: tests/Feature/AdminIncidentRknNotifyTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$adminId\.$#'
+			identifier: property.notFound
+			count: 5
+			path: tests/Feature/AdminIncidentShowTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:getJson\(\)\.$#'
+			identifier: method.notFound
+			count: 5
+			path: tests/Feature/AdminIncidentShowTest.php
+
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$adminId\.$#'
 			identifier: property.notFound
@@ -272,6 +288,36 @@ parameters:
 			count: 14
 			path: tests/Feature/Api/ProjectBulkActionsTest.php
 
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
+			identifier: property.notFound
+			count: 7
+			path: tests/Feature/ApiKeyControllerTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$user\.$#'
+			identifier: property.notFound
+			count: 5
+			path: tests/Feature/ApiKeyControllerTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/ApiKeyControllerTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:getJson\(\)\.$#'
+			identifier: method.notFound
+			count: 4
+			path: tests/Feature/ApiKeyControllerTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:postJson\(\)\.$#'
+			identifier: method.notFound
+			count: 3
+			path: tests/Feature/ApiKeyControllerTest.php
+
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
 			identifier: property.notFound
@@ -483,16 +529,58 @@ parameters:
 			path: tests/Feature/Auth/TwoFactorTest.php
 
 		-
-			message: '#^Access to an undefined property App\\Models\\LeadCharge\:\:\$charge_source\.$#'
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
 			identifier: property.notFound
-			count: 2
-			path: tests/Feature/Billing/LedgerServiceTest.php
+			count: 1
+			path: tests/Feature/Auth/UpdateProfileTest.php
 
 		-
-			message: '#^Access to an undefined property App\\Models\\Tenant\:\:\$delivered_in_month\.$#'
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$user\.$#'
 			identifier: property.notFound
-			count: 3
-			path: tests/Feature/Billing/LedgerServiceTest.php
+			count: 4
+			path: tests/Feature/Auth/UpdateProfileTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Auth/UpdateProfileTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:getJson\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Auth/UpdateProfileTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:patchJson\(\)\.$#'
+			identifier: method.notFound
+			count: 6
+			path: tests/Feature/Auth/UpdateProfileTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
+			identifier: property.notFound
+			count: 12
+			path: tests/Feature/Billing/BillingOverviewControllerTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$user\.$#'
+			identifier: property.notFound
+			count: 1
+			path: tests/Feature/Billing/BillingOverviewControllerTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Billing/BillingOverviewControllerTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:getJson\(\)\.$#'
+			identifier: method.notFound
+			count: 18
+			path: tests/Feature/Billing/BillingOverviewControllerTest.php
 
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$ledger\.$#'
@@ -548,6 +636,36 @@ parameters:
 			count: 1
 			path: tests/Feature/Billing/TenantChargesControllerTest.php
 
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
+			identifier: property.notFound
+			count: 5
+			path: tests/Feature/Billing/TopupControllerTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$user\.$#'
+			identifier: property.notFound
+			count: 2
+			path: tests/Feature/Billing/TopupControllerTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Billing/TopupControllerTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:assertDatabaseHas\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Billing/TopupControllerTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:postJson\(\)\.$#'
+			identifier: method.notFound
+			count: 8
+			path: tests/Feature/Billing/TopupControllerTest.php
+
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:artisan\(\)\.$#'
 			identifier: method.notFound
@@ -560,22 +678,34 @@ parameters:
 			count: 2
 			path: tests/Feature/Console/ResetDeliveredTodayCommandTest.php
 
-		-
-			message: '#^Access to an undefined property App\\Models\\Tenant\:\:\$delivered_in_month\.$#'
-			identifier: property.notFound
-			count: 3
-			path: tests/Feature/Console/ResetMonthlyCountersCommandTest.php
-
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:artisan\(\)\.$#'
 			identifier: method.notFound
 			count: 1
 			path: tests/Feature/Console/ResetMonthlyCountersCommandTest.php
 
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:getJson\(\)\.$#'
+			identifier: method.notFound
+			count: 9
+			path: tests/Feature/DashboardSummaryTest.php
+
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
 			identifier: property.notFound
-			count: 37
+			count: 15
+			path: tests/Feature/DealCreateTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$user\.$#'
+			identifier: property.notFound
+			count: 1
+			path: tests/Feature/DealCreateTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
+			identifier: method.notFound
+			count: 1
 			path: tests/Feature/DealCreateTest.php
 
 		-
@@ -599,7 +729,19 @@ parameters:
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
 			identifier: property.notFound
-			count: 20
+			count: 11
+			path: tests/Feature/DealDestroyTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$user\.$#'
+			identifier: property.notFound
+			count: 1
+			path: tests/Feature/DealDestroyTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
+			identifier: method.notFound
+			count: 1
 			path: tests/Feature/DealDestroyTest.php
 
 		-
@@ -641,13 +783,25 @@ parameters:
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
 			identifier: property.notFound
-			count: 50
+			count: 30
+			path: tests/Feature/DealIndexTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$user\.$#'
+			identifier: property.notFound
+			count: 1
+			path: tests/Feature/DealIndexTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
+			identifier: method.notFound
+			count: 1
 			path: tests/Feature/DealIndexTest.php
 
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:getJson\(\)\.$#'
 			identifier: method.notFound
-			count: 22
+			count: 21
 			path: tests/Feature/DealIndexTest.php
 
 		-
@@ -665,7 +819,19 @@ parameters:
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
 			identifier: property.notFound
-			count: 18
+			count: 9
+			path: tests/Feature/DealRestoreTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$user\.$#'
+			identifier: property.notFound
+			count: 1
+			path: tests/Feature/DealRestoreTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
+			identifier: method.notFound
+			count: 1
 			path: tests/Feature/DealRestoreTest.php
 
 		-
@@ -701,19 +867,31 @@ parameters:
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$project\.$#'
 			identifier: property.notFound
-			count: 7
+			count: 6
 			path: tests/Feature/DealShowTest.php
 
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
 			identifier: property.notFound
-			count: 20
+			count: 13
+			path: tests/Feature/DealShowTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$user\.$#'
+			identifier: property.notFound
+			count: 1
+			path: tests/Feature/DealShowTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
+			identifier: method.notFound
+			count: 1
 			path: tests/Feature/DealShowTest.php
 
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:getJson\(\)\.$#'
 			identifier: method.notFound
-			count: 8
+			count: 7
 			path: tests/Feature/DealShowTest.php
 
 		-
@@ -731,7 +909,19 @@ parameters:
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
 			identifier: property.notFound
-			count: 12
+			count: 7
+			path: tests/Feature/DealTransitionTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$user\.$#'
+			identifier: property.notFound
+			count: 1
+			path: tests/Feature/DealTransitionTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
+			identifier: method.notFound
+			count: 1
 			path: tests/Feature/DealTransitionTest.php
 
 		-
@@ -755,19 +945,31 @@ parameters:
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$project\.$#'
 			identifier: property.notFound
-			count: 10
+			count: 9
 			path: tests/Feature/DealUpdateTest.php
 
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
 			identifier: property.notFound
-			count: 24
+			count: 15
+			path: tests/Feature/DealUpdateTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$user\.$#'
+			identifier: property.notFound
+			count: 1
+			path: tests/Feature/DealUpdateTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
+			identifier: method.notFound
+			count: 1
 			path: tests/Feature/DealUpdateTest.php
 
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:patchJson\(\)\.$#'
 			identifier: method.notFound
-			count: 10
+			count: 9
 			path: tests/Feature/DealUpdateTest.php
 
 		-
@@ -836,6 +1038,12 @@ parameters:
 			count: 16
 			path: tests/Feature/LookupsTest.php
 
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
+			identifier: method.notFound
+			count: 3
+			path: tests/Feature/LookupsTest.php
+
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:getJson\(\)\.$#'
 			identifier: method.notFound
@@ -902,12 +1110,6 @@ parameters:
 			count: 6
 			path: tests/Feature/Plan5/Jobs/SyncSupplierProjectJobTest.php
 
-		-
-			message: '#^Access to an undefined property App\\Models\\Project\:\:\$archived_at\.$#'
-			identifier: property.notFound
-			count: 2
-			path: tests/Feature/Plan5/Projects/ProjectsActionsTest.php
-
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
 			identifier: method.notFound
@@ -923,13 +1125,13 @@ parameters:
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
 			identifier: method.notFound
-			count: 12
+			count: 9
 			path: tests/Feature/Plan5/Projects/ProjectsStoreTest.php
 
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
 			identifier: method.notFound
-			count: 8
+			count: 6
 			path: tests/Feature/Plan5/Projects/ProjectsUpdateTest.php
 
 		-
@@ -983,7 +1185,49 @@ parameters:
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
 			identifier: property.notFound
-			count: 25
+			count: 9
+			path: tests/Feature/Reports/BillingSummaryProviderTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$project\.$#'
+			identifier: property.notFound
+			count: 8
+			path: tests/Feature/Reports/ManagersSummaryProviderTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
+			identifier: property.notFound
+			count: 14
+			path: tests/Feature/Reports/ManagersSummaryProviderTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
+			identifier: property.notFound
+			count: 20
+			path: tests/Feature/Reports/ReportDownloadTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$user\.$#'
+			identifier: property.notFound
+			count: 14
+			path: tests/Feature/Reports/ReportDownloadTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
+			identifier: method.notFound
+			count: 3
+			path: tests/Feature/Reports/ReportDownloadTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:get\(\)\.$#'
+			identifier: method.notFound
+			count: 8
+			path: tests/Feature/Reports/ReportDownloadTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
+			identifier: property.notFound
+			count: 31
 			path: tests/Feature/Reports/ReportJobControllerTest.php
 
 		-
@@ -1007,7 +1251,7 @@ parameters:
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:postJson\(\)\.$#'
 			identifier: method.notFound
-			count: 12
+			count: 14
 			path: tests/Feature/Reports/ReportJobControllerTest.php
 
 		-
@@ -1052,6 +1296,18 @@ parameters:
 			count: 12
 			path: tests/Feature/Reports/ReportLifecycleTest.php
 
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$project\.$#'
+			identifier: property.notFound
+			count: 8
+			path: tests/Feature/Reports/SourcesSummaryProviderTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
+			identifier: property.notFound
+			count: 12
+			path: tests/Feature/Reports/SourcesSummaryProviderTest.php
+
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$project1Id\.$#'
 			identifier: property.notFound
@@ -1076,6 +1332,18 @@ parameters:
 			count: 5
 			path: tests/Feature/RlsSmokeTest.php
 
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$app\.$#'
+			identifier: property.notFound
+			count: 1
+			path: tests/Feature/SaasAdminMiddlewareTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:getJson\(\)\.$#'
+			identifier: method.notFound
+			count: 2
+			path: tests/Feature/SaasAdminMiddlewareTest.php
+
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$project\.$#'
 			identifier: property.notFound
@@ -1136,18 +1404,6 @@ parameters:
 			count: 7
 			path: tests/Feature/Supplier/RetryFailedSupplierJobsCommandTest.php
 
-		-
-			message: '#^Access to an undefined property App\\Models\\LeadCharge\:\:\$charge_source\.$#'
-			identifier: property.notFound
-			count: 2
-			path: tests/Feature/Supplier/RouteSupplierLeadJobBillingTest.php
-
-		-
-			message: '#^Access to an undefined property App\\Models\\Tenant\:\:\$delivered_in_month\.$#'
-			identifier: property.notFound
-			count: 2
-			path: tests/Feature/Supplier/RouteSupplierLeadJobBillingTest.php
-
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:seed\(\)\.$#'
 			identifier: method.notFound
@@ -1178,6 +1434,48 @@ parameters:
 			count: 14
 			path: tests/Feature/WebhookReceiveTest.php
 
+		-
+			message: '#^Access to an undefined property Pest\\Mixins\\Expectation\<mixed\>\:\:\$not\.$#'
+			identifier: property.notFound
+			count: 1
+			path: tests/Feature/WebhookSettingsControllerTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
+			identifier: property.notFound
+			count: 7
+			path: tests/Feature/WebhookSettingsControllerTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$user\.$#'
+			identifier: property.notFound
+			count: 5
+			path: tests/Feature/WebhookSettingsControllerTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/WebhookSettingsControllerTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:getJson\(\)\.$#'
+			identifier: method.notFound
+			count: 4
+			path: tests/Feature/WebhookSettingsControllerTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:postJson\(\)\.$#'
+			identifier: method.notFound
+			count: 3
+			path: tests/Feature/WebhookSettingsControllerTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:putJson\(\)\.$#'
+			identifier: method.notFound
+			count: 3
+			path: tests/Feature/WebhookSettingsControllerTest.php
+
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$resolver\.$#'
 			identifier: property.notFound

app/resources/js/api/admin.ts

@@ -331,3 +331,100 @@ export async function updateSystemSetting(
     );
     return data;
 }
+
+// === SaaS-admin → Биллинг: row-actions (Sprint 3D G4) ===
+
+export interface AdminTariffPlan {
+    id: number;
+    name: string;
+    price_monthly: string;
+}
+
+export async function listAdminTariffPlans(): Promise<AdminTariffPlan[]> {
+    const { data } = await apiClient.get<{ plans: AdminTariffPlan[] }>('/api/admin/billing/tariff-plans');
+    return data.plans;
+}
+
+export async function updateTenantStatus(
+    id: number,
+    status: 'active' | 'suspended',
+    reason: string,
+): Promise<{ id: number; status: string }> {
+    await ensureCsrfCookie();
+    const { data } = await apiClient.patch<{ id: number; status: string }>(
+        `/api/admin/billing/tenants/${id}/status`,
+        { status, reason },
+    );
+    return data;
+}
+
+export async function refundTenant(
+    id: number,
+    amountRub: number,
+    reason: string,
+): Promise<{ id: number; balance_rub: string; transaction_id: number }> {
+    await ensureCsrfCookie();
+    const { data } = await apiClient.post<{ id: number; balance_rub: string; transaction_id: number }>(
+        `/api/admin/billing/tenants/${id}/refund`,
+        { amount_rub: amountRub, reason },
+    );
+    return data;
+}
+
+export async function changeTenantTariff(
+    id: number,
+    tariffId: number,
+    reason: string,
+): Promise<{ id: number; tariff_id: number; tariff_name: string }> {
+    await ensureCsrfCookie();
+    const { data } = await apiClient.patch<{ id: number; tariff_id: number; tariff_name: string }>(
+        `/api/admin/billing/tenants/${id}/tariff`,
+        { tariff_id: tariffId, reason },
+    );
+    return data;
+}
+
+// === SaaS-admin → Инциденты: detail-view + РКН-notify (Sprint 3D G5/G6) ===
+
+export interface ApiIncidentAffectedTenant {
+    id: number;
+    organization_name: string;
+}
+
+export interface ApiAdminIncidentDetail {
+    id: number;
+    incident_id: string;
+    type: string;
+    severity: 'low' | 'medium' | 'high' | 'critical';
+    summary: string;
+    root_cause: string | null;
+    postmortem_url: string | null;
+    started_at: string;
+    detected_at: string;
+    resolved_at: string | null;
+    status: 'open' | 'investigating' | 'resolved';
+    affected_tenants: ApiIncidentAffectedTenant[];
+    affected_users_count: number | null;
+    notification_sent_at: string | null;
+    rkn_notified: boolean;
+    rkn_notified_at: string | null;
+    rkn_deadline_at: string | null;
+    created_by_admin: string | null;
+    closed_by_admin: string | null;
+    created_at: string | null;
+    updated_at: string | null;
+}
+
+export async function getAdminIncidentDetail(id: number): Promise<ApiAdminIncidentDetail> {
+    const { data } = await apiClient.get<{ incident: ApiAdminIncidentDetail }>(`/api/admin/incidents/${id}`);
+    return data.incident;
+}
+
+export async function notifyIncidentRkn(id: number): Promise<ApiAdminIncidentDetail> {
+    await ensureCsrfCookie();
+    const { data } = await apiClient.post<{ incident: ApiAdminIncidentDetail }>(
+        `/api/admin/incidents/${id}/rkn-notify`,
+        {},
+    );
+    return data.incident;
+}

app/resources/js/api/apiKeys.ts

@@ -0,0 +1,32 @@
+import { apiClient, ensureCsrfCookie } from './client';
+
+/**
+ * API-ключи тенанта (audit D2/D3). Backend: ApiKeyController.
+ * Полный ключ доступен только в ответе regenerateApiKey().
+ */
+export interface ApiKeyInfo {
+    id: number;
+    name: string;
+    key_prefix: string;
+    last_used_at: string | null;
+    expires_at: string | null;
+    created_at: string | null;
+}
+
+export interface RegeneratedApiKey {
+    id: number;
+    name: string;
+    key: string;
+    key_prefix: string;
+}
+
+export async function listApiKeys(): Promise<ApiKeyInfo[]> {
+    const { data } = await apiClient.get<{ data: ApiKeyInfo[] }>('/api/api-keys');
+    return data.data;
+}
+
+export async function regenerateApiKey(): Promise<RegeneratedApiKey> {
+    await ensureCsrfCookie();
+    const { data } = await apiClient.post<RegeneratedApiKey>('/api/api-keys/regenerate');
+    return data;
+}

app/resources/js/api/auth.ts

@@ -25,6 +25,8 @@ export interface AuthUser {
     email: string;
     first_name: string | null;
     last_name: string | null;
+    phone?: string | null;
+    timezone?: string | null;
     tenant_id: number;
     totp_enabled: boolean;
     last_login_at: string | null;
@@ -151,3 +153,16 @@ export async function updateNotificationPreferences(payload: UpdateNotificationP
     const { data } = await apiClient.patch<{ user: AuthUser }>('/api/auth/me/notification-preferences', payload);
     return data.user;
 }
+
+export interface UpdateProfilePayload {
+    first_name: string;
+    last_name: string;
+    phone: string | null;
+    timezone: string;
+}
+
+export async function updateProfile(payload: UpdateProfilePayload): Promise<AuthUser> {
+    await ensureCsrfCookie();
+    const { data } = await apiClient.patch<{ user: AuthUser }>('/api/auth/me', payload);
+    return data.user;
+}

app/resources/js/api/billing.ts

@@ -0,0 +1,90 @@
+import { apiClient, ensureCsrfCookie } from './client';
+
+/**
+ * API-модуль биллинга (Sprint 2 Plan C).
+ *
+ * Эндпоинты под [auth:sanctum, tenant]: GET wallet/transactions/invoices
+ * (E3), POST topup (E1 — добавляется в Task 5). GET'ы не требуют CSRF-cookie.
+ */
+
+/** Тариф в составе ответа GET /api/billing/wallet. */
+export interface WalletTariff {
+    code: string;
+    name: string;
+    price_monthly: string | null;
+    billing_model: string;
+    features: string[];
+}
+
+/** Ответ GET /api/billing/wallet — кошелёк тенанта. */
+export interface Wallet {
+    balance_rub: string;
+    balance_leads: number;
+    runway_days: number | null;
+    tariff: WalletTariff | null;
+}
+
+/** GET /api/billing/wallet — балансы + текущий тариф + runway. */
+export async function getWallet(): Promise<Wallet> {
+    const { data } = await apiClient.get<Wallet>('/api/billing/wallet');
+    return data;
+}
+
+/** Строка истории транзакций (GET /api/billing/transactions). */
+export interface BillingTransaction {
+    id: number;
+    code: string;
+    type: string;
+    description: string | null;
+    amount_rub: string;
+    amount_leads: number;
+    balance_rub_after: string | null;
+    created_at: string;
+}
+
+/** Пагинированный ответ GET /api/billing/transactions. */
+export interface TransactionsPage {
+    data: BillingTransaction[];
+    meta: { current_page: number; last_page: number; total: number; per_page: number };
+}
+
+/** Счёт тенанта (GET /api/billing/invoices). */
+export interface BillingInvoice {
+    id: number;
+    invoice_number: string;
+    amount_total: string;
+    status: string;
+    issued_at: string;
+    has_pdf: boolean;
+}
+
+/** GET /api/billing/transactions — пагинированная история транзакций. */
+export async function getTransactions(params: { page?: number; type?: string }): Promise<TransactionsPage> {
+    const { data } = await apiClient.get<TransactionsPage>('/api/billing/transactions', { params });
+    return data;
+}
+
+/** GET /api/billing/invoices — счета тенанта (real-but-empty до Б-1). */
+export async function getInvoices(): Promise<{ data: BillingInvoice[] }> {
+    const { data } = await apiClient.get<{ data: BillingInvoice[] }>('/api/billing/invoices');
+    return data;
+}
+
+/** Результат POST /api/billing/topup. */
+export interface TopupResult {
+    transaction: {
+        id: number;
+        type: string;
+        amount_rub: string;
+        balance_rub_after: string | null;
+        created_at: string;
+    };
+    balance_rub: string;
+}
+
+/** POST /api/billing/topup — пополнить рублёвый баланс (MVP-stub). */
+export async function topup(amountRub: number): Promise<TopupResult> {
+    await ensureCsrfCookie();
+    const { data } = await apiClient.post<TopupResult>('/api/billing/topup', { amount_rub: amountRub });
+    return data;
+}

app/resources/js/api/dashboard.ts

@@ -0,0 +1,26 @@
+import { apiClient } from './client';
+
+/**
+ * API-клиент дашборда (audit C1/J3). Эндпоинт GET /api/dashboard/summary.
+ * На MVP без auth — tenant_id параметром (на prod возьмётся из middleware).
+ */
+
+export type DeltaDir = 'up' | 'down' | 'neutral';
+export type DashboardRange = 'today' | '7d' | '30d';
+
+export interface DashboardSummary {
+    range: string;
+    leads_received: { value: number; delta_pct: number; delta_dir: DeltaDir };
+    conversion: { value: number; delta_pp: number; delta_dir: DeltaDir };
+    active_projects: { active: number; limit: number };
+    balance: { amount_rub: string; runway_days: number; runway_leads: number };
+    activity: { points: number[]; labels: string[]; max: number };
+    funnel: Record<string, number>;
+}
+
+export async function getDashboardSummary(tenantId: number, range: DashboardRange): Promise<DashboardSummary> {
+    const { data } = await apiClient.get<DashboardSummary>('/api/dashboard/summary', {
+        params: { tenant_id: tenantId, range },
+    });
+    return data;
+}

app/resources/js/api/reports.ts

@@ -32,6 +32,7 @@ export interface ApiReportJob {
     parameters: ApiReportParameters;
     status: ApiReportStatus;
     file_path: string | null;
+    download_url: string | null;
     file_size: number | null;
     generation_seconds: number | null;
     error_message: string | null;

app/resources/js/api/webhooks.ts

@@ -0,0 +1,40 @@
+import { apiClient, ensureCsrfCookie } from './client';
+
+/**
+ * Настройки исходящего webhook'а тенанта (audit D4/D5). Backend:
+ * WebhookSettingsController. Полный secret доступен только в ответе
+ * saveWebhookSettings() при первом создании подписки.
+ */
+export interface WebhookSettings {
+    target_url: string;
+    secret_prefix: string;
+    events: string[];
+    is_active: boolean;
+}
+
+export interface SavedWebhookSettings extends WebhookSettings {
+    secret?: string;
+}
+
+export interface WebhookTestResult {
+    ok: boolean;
+    status: number | null;
+    message: string;
+}
+
+export async function getWebhookSettings(): Promise<WebhookSettings | null> {
+    const { data } = await apiClient.get<{ data: WebhookSettings | null }>('/api/tenants/me/webhook-settings');
+    return data.data;
+}
+
+export async function saveWebhookSettings(payload: { target_url: string }): Promise<SavedWebhookSettings> {
+    await ensureCsrfCookie();
+    const { data } = await apiClient.put<{ data: SavedWebhookSettings }>('/api/tenants/me/webhook-settings', payload);
+    return data.data;
+}
+
+export async function testWebhook(): Promise<WebhookTestResult> {
+    await ensureCsrfCookie();
+    const { data } = await apiClient.post<WebhookTestResult>('/api/webhooks/test');
+    return data;
+}

app/resources/js/components/AppShell.vue

@@ -2,7 +2,7 @@
 /**
  * Корневой shell приложения. Мапит meta.layout текущего route'а на layout-компонент.
  *
- * meta.layout = 'auth' → AuthLayout (двухпанельный для login/register/2fa/forgot/recovery).
+ * meta.layout = 'auth' → AuthLayout (двухпанельный для login/register/2fa/forgot/recovery-use).
  * meta.layout = 'error' → RouterView напрямую (ErrorView сам предоставляет v-app + теало-нуар bg).
  * meta.layout не задан или 'app' → AppLayout (sidebar + topbar для авторизованных страниц).
  *

app/resources/js/components/admin/ImpersonationBanner.vue

@@ -0,0 +1,84 @@
+<script setup lang="ts">
+/**
+ * Глобальный индикатор активных impersonation-сессий (audit B5 / Ю-1).
+ *
+ * Размещён в AdminLayout над <RouterView> — виден на всех /admin/* страницах.
+ * На MVP saas-admin auth нет и реального переключения сессии нет, поэтому
+ * показываем счётчик ВСЕХ активных сессий (impersonationActive() =
+ * used_at != null AND session_ended_at == null). Polling 30 c — сессия может
+ * стартовать/завершиться, пока админ остаётся в админке (AdminLayout
+ * persistent, перемонтируется только <RouterView>).
+ *
+ * Если активных сессий 0 — компонент не рендерит ничего.
+ */
+import { computed, onMounted, ref } from 'vue';
+import { impersonationActive, type ImpersonationActiveSession } from '../../api/admin';
+import { usePolling } from '../../composables/usePolling';
+
+const sessions = ref<ImpersonationActiveSession[]>([]);
+
+async function load(): Promise<void> {
+    try {
+        sessions.value = await impersonationActive();
+    } catch {
+        // Баннер не критичен — ошибку детально покажет AdminImpersonationView.
+        // Сохраняем прежнее значение sessions, не падаем.
+    }
+}
+
+const count = computed(() => sessions.value.length);
+
+const label = computed(() => {
+    if (count.value === 1) {
+        const s = sessions.value[0];
+        return `Активна impersonation-сессия: ${s.tenant_name ?? `тенант #${s.tenant_id}`}`;
+    }
+    return `Активны impersonation-сессии: ${count.value}`;
+});
+
+onMounted(load);
+usePolling(load, { intervalMs: 30_000 });
+
+defineExpose({ sessions, load });
+</script>
+
+<template>
+    <div v-if="count > 0" class="impersonation-banner" role="status" data-testid="impersonation-banner">
+        <v-icon size="16" class="impersonation-banner__icon">mdi-account-switch</v-icon>
+        <span class="impersonation-banner__label">{{ label }}</span>
+        <RouterLink
+            to="/admin/impersonation"
+            class="impersonation-banner__link"
+            data-testid="impersonation-banner-link"
+        >
+            Открыть
+        </RouterLink>
+    </div>
+</template>
+
+<style scoped>
+.impersonation-banner {
+    display: flex;
+    align-items: center;
+    gap: 8px;
+    background: #fff4e0;
+    border-bottom: 1px solid #f0d8a8;
+    color: #8a5a00;
+    font-size: 13px;
+    padding: 8px 24px;
+}
+.impersonation-banner__icon {
+    color: #b87400;
+}
+.impersonation-banner__label {
+    flex: 1;
+}
+.impersonation-banner__link {
+    color: #0f6e56;
+    font-weight: 600;
+    text-decoration: none;
+}
+.impersonation-banner__link:hover {
+    text-decoration: underline;
+}
+</style>

app/resources/js/components/billing/BalanceCard.vue

@@ -1,15 +1,27 @@
 <script setup lang="ts">
 /**
- * BalanceCard — 3 wallet-cards в одной строке: Кошелёк ₽ (primary, dark) +
- * Баланс лидов + Тариф. Sprint 4 Phase B/2 — split BillingView (audit O-refactor-04 хвост).
+ * BalanceCard — 3 wallet-cards в одной строке: Кошелёк ₽ (dark) +
+ * Баланс лидов + Тариф. Данные — из GET /api/billing/wallet (E3).
+ * tariff* допускают null (тенант без назначенного тарифа — trial).
  */
-defineProps<{
+import { computed } from 'vue';
+
+const props = defineProps<{
     walletRub: number;
     leadsBalance: number;
-    tariffName: string;
-    tariffPrice: number;
+    tariffName: string | null;
+    tariffPrice: string | null;
     tariffFeatures: string[];
 }>();
+
+defineEmits<{ topup: [] }>();
+
+const walletText = computed(() => new Intl.NumberFormat('ru-RU').format(props.walletRub));
+
+const tariffPriceText = computed(() => {
+    if (props.tariffPrice === null) return 'по запросу';
+    return new Intl.NumberFormat('ru-RU').format(Number(props.tariffPrice)) + ' ₽/мес';
+});
 </script>
 
 <template>
@@ -21,12 +33,19 @@ defineProps<{
                     <v-chip size="x-small" color="primary" variant="elevated">LIVE</v-chip>
                 </div>
                 <div class="wallet-amount mt-2">
-                    <span class="num">{{ new Intl.NumberFormat('ru-RU').format(walletRub) }}</span>
+                    <span class="num">{{ walletText }}</span>
                     <span class="ru">&nbsp;₽</span>
                 </div>
                 <div class="wallet-foot mt-3">мин. пополнение <strong>100 ₽</strong> · округление вниз ₽→лиды</div>
                 <div class="wallet-actions mt-3">
-                    <v-btn color="primary" variant="flat" prepend-icon="mdi-plus" size="small">Пополнить</v-btn>
+                    <v-btn
+                        color="primary"
+                        variant="flat"
+                        prepend-icon="mdi-plus"
+                        size="small"
+                        @click="$emit('topup')"
+                        >Пополнить</v-btn
+                    >
                     <v-btn variant="outlined" prepend-icon="mdi-autorenew" size="small"> Автопополнение </v-btn>
                 </div>
             </v-card>
@@ -41,22 +60,24 @@ defineProps<{
                     <span class="num">{{ leadsBalance }}</span>
                     <span class="ru-text">&nbsp;лидов</span>
                 </div>
-                <div class="wallet-foot mt-3">средняя цена <strong>50 ₽/лид</strong> · потрачено за месяц 412</div>
             </v-card>
         </v-col>
 
         <v-col cols="12" md="4">
             <v-card variant="outlined" class="wallet-card pa-4 d-flex flex-column">
                 <span class="wallet-label">Тариф</span>
-                <div class="tariff-name mt-1">
-                    {{ tariffName }}
-                    <span class="tariff-price">· {{ tariffPrice }} ₽/мес</span>
-                </div>
-                <ul class="tariff-feats mt-3">
-                    <li v-for="f in tariffFeatures" :key="f">
-                        <v-icon size="14" color="success" class="mr-1">mdi-check</v-icon>{{ f }}
-                    </li>
-                </ul>
+                <template v-if="tariffName">
+                    <div class="tariff-name mt-1">
+                        {{ tariffName }}
+                        <span class="tariff-price">· {{ tariffPriceText }}</span>
+                    </div>
+                    <ul v-if="tariffFeatures.length" class="tariff-feats mt-3">
+                        <li v-for="f in tariffFeatures" :key="f">
+                            <v-icon size="14" color="success" class="mr-1">mdi-check</v-icon>{{ f }}
+                        </li>
+                    </ul>
+                </template>
+                <div v-else class="tariff-empty mt-2">Тариф не выбран</div>
                 <v-btn variant="outlined" size="small" class="mt-auto">Сменить тариф →</v-btn>
             </v-card>
         </v-col>
@@ -137,6 +158,10 @@ defineProps<{
     font-weight: 500;
     margin-left: 4px;
 }
+.tariff-empty {
+    color: #66635c;
+    font-size: 14px;
+}
 .tariff-feats {
     list-style: none;
     padding: 0;

app/resources/js/components/billing/InvoicesTable.vue

@@ -1,29 +1,84 @@
 <script setup lang="ts">
 /**
- * InvoicesTable — список счетов и УПД (PDF / 1С 8.3 XML).
- * Sprint 4 Phase B/2 — split BillingView.
+ * InvoicesTable — список счетов тенанта. Данные — GET /api/billing/invoices
+ * (E3). Real-but-empty до Б-1: на MVP saas_invoices пуста (нужно
+ * зарегистрированное юр-лицо), компонент показывает empty-state.
  */
-import { MOCK_INVOICES } from '../../composables/mockBilling';
-import { formatIcon, formatLabel, formatPlain } from '../../composables/billingFormatters';
+import { ref, onMounted } from 'vue';
+import { getInvoices, type BillingInvoice } from '../../api/billing';
+import { formatPlain } from '../../composables/billingFormatters';
+
+const invoices = ref<BillingInvoice[]>([]);
+const loading = ref(true);
+const loadError = ref<string | null>(null);
+
+const STATUS_LABELS: Record<string, string> = {
+    draft: 'Черновик',
+    issued: 'Выставлен',
+    paid: 'Оплачен',
+    overdue: 'Просрочен',
+    cancelled: 'Отменён',
+};
+
+function statusLabel(status: string): string {
+    return STATUS_LABELS[status] ?? status;
+}
+
+function formatDate(iso: string): string {
+    return new Date(iso).toLocaleDateString('ru-RU', { timeZone: 'Europe/Moscow' });
+}
+
+async function load(): Promise<void> {
+    loading.value = true;
+    loadError.value = null;
+    try {
+        invoices.value = (await getInvoices()).data;
+    } catch {
+        loadError.value = 'Не удалось загрузить счета.';
+    } finally {
+        loading.value = false;
+    }
+}
+
+onMounted(load);
+
+defineExpose({ load, invoices });
 </script>
 
 <template>
     <v-card variant="outlined" class="mt-4 panel">
         <div class="panel-h pa-4">
-            <h2 class="text-h6 panel-title ma-0">Счета и УПД</h2>
-            <v-btn variant="outlined" size="small" prepend-icon="mdi-download">Реестр XLSX</v-btn>
+            <h2 class="text-h6 panel-title ma-0">Счета</h2>
         </div>
         <v-divider />
-        <ul class="invoices-list pa-2 ma-0">
-            <li v-for="inv in MOCK_INVOICES" :key="inv.id" class="inv-row">
-                <span class="inv-when num">{{ inv.when }}</span>
+
+        <div v-if="loading" class="py-8 d-flex justify-center">
+            <v-progress-circular indeterminate color="primary" size="28" />
+        </div>
+
+        <v-alert v-else-if="loadError" type="error" variant="tonal" density="compact" class="ma-4" role="alert">
+            {{ loadError }}
+        </v-alert>
+
+        <div v-else-if="invoices.length === 0" class="empty pa-8 text-center text-medium-emphasis">
+            Счета появятся после первой оплаты.
+        </div>
+
+        <ul v-else class="invoices-list pa-2 ma-0">
+            <li v-for="inv in invoices" :key="inv.id" class="inv-row">
+                <span class="inv-when num">{{ formatDate(inv.issued_at) }}</span>
                 <span class="inv-name">
-                    {{ inv.title }}
-                    <span class="sub">{{ inv.sub }}</span>
+                    {{ inv.invoice_number }}
+                    <span class="sub">{{ statusLabel(inv.status) }}</span>
                 </span>
-                <span class="inv-amount num">{{ formatPlain(inv.amountRub) }}</span>
-                <v-btn variant="text" size="small" :prepend-icon="formatIcon(inv.format)">
-                    {{ formatLabel(inv.format) }}
+                <span class="inv-amount num">{{ formatPlain(Number(inv.amount_total)) }}</span>
+                <v-btn
+                    variant="text"
+                    size="small"
+                    prepend-icon="mdi-file-pdf-box"
+                    :disabled="!inv.has_pdf"
+                >
+                    PDF
                 </v-btn>
             </li>
         </ul>
@@ -52,6 +107,10 @@ import { formatIcon, formatLabel, formatPlain } from '../../composables/billingF
     letter-spacing: -0.01em;
 }
 
+.empty {
+    font-size: 14px;
+}
+
 .invoices-list {
     list-style: none;
     padding: 0;

app/resources/js/components/billing/TopupDialog.vue

@@ -0,0 +1,125 @@
+<script setup lang="ts">
+/**
+ * TopupDialog — диалог пополнения рублёвого баланса (audit E1).
+ *
+ * MVP-stub: POST /api/billing/topup кредитует баланс немедленно (без
+ * платёжного шлюза — реальная оплата post-Б-1). При успехе эмитит
+ * `success` с новым балансом и закрывается.
+ */
+import { ref, computed, watch } from 'vue';
+import { topup } from '../../api/billing';
+import { extractErrorMessage, extractValidationErrors } from '../../api/client';
+
+const model = defineModel<boolean>({ required: true });
+const emit = defineEmits<{ success: [balanceRub: string] }>();
+
+const PRESETS = [1000, 5000, 10000, 25000];
+
+const amount = ref<number | null>(null);
+const submitting = ref(false);
+const errorMsg = ref<string | null>(null);
+
+const amountError = computed<string | null>(() => {
+    if (amount.value === null || !Number.isFinite(amount.value)) return null;
+    if (amount.value < 100) return 'Минимум 100 ₽';
+    if (amount.value > 1000000) return 'Максимум 1 000 000 ₽';
+    return null;
+});
+
+const canSubmit = computed(
+    () => Number.isFinite(amount.value) && amountError.value === null && !submitting.value,
+);
+
+// Сброс состояния при каждом открытии диалога (паттерн ReminderDialog/
+// NewDealDialog) — нет префилла прошлой суммы и нет всплытия устаревшей ошибки.
+watch(model, (open) => {
+    if (open) {
+        amount.value = null;
+        errorMsg.value = null;
+    }
+});
+
+function setPreset(value: number): void {
+    amount.value = value;
+}
+
+async function submit(): Promise<void> {
+    if (!canSubmit.value || amount.value === null) return;
+    submitting.value = true;
+    errorMsg.value = null;
+    try {
+        const res = await topup(amount.value);
+        emit('success', res.balance_rub);
+        model.value = false;
+        amount.value = null;
+    } catch (e) {
+        const validation = extractValidationErrors(e);
+        errorMsg.value = validation?.amount_rub?.[0] ?? extractErrorMessage(e);
+    } finally {
+        submitting.value = false;
+    }
+}
+
+function close(): void {
+    if (submitting.value) return;
+    model.value = false;
+    errorMsg.value = null;
+}
+
+defineExpose({ amount, submit, canSubmit, errorMsg });
+</script>
+
+<template>
+    <v-dialog v-model="model" max-width="460">
+        <v-card>
+            <v-card-title class="text-h6">Пополнить баланс</v-card-title>
+            <v-card-text>
+                <v-text-field
+                    v-model.number="amount"
+                    type="number"
+                    label="Сумма пополнения"
+                    suffix="₽"
+                    density="comfortable"
+                    :error-messages="amountError ?? undefined"
+                    autofocus
+                />
+
+                <div class="presets mb-2">
+                    <v-chip
+                        v-for="p in PRESETS"
+                        :key="p"
+                        size="small"
+                        variant="outlined"
+                        @click="setPreset(p)"
+                    >
+                        {{ new Intl.NumberFormat('ru-RU').format(p) }} ₽
+                    </v-chip>
+                </div>
+
+                <v-alert type="info" variant="tonal" density="compact" class="mt-2">
+                    Платёжный шлюз подключается после регистрации юр. лица — на текущем этапе баланс
+                    пополняется сразу.
+                </v-alert>
+
+                <v-alert v-if="errorMsg" type="error" variant="tonal" density="compact" class="mt-3" role="alert">
+                    {{ errorMsg }}
+                </v-alert>
+            </v-card-text>
+            <v-card-actions>
+                <v-spacer />
+                <v-btn variant="text" :disabled="submitting" @click="close">Отмена</v-btn>
+                <v-btn color="primary" variant="flat" :loading="submitting" :disabled="!canSubmit" @click="submit">
+                    Пополнить
+                </v-btn>
+            </v-card-actions>
+        </v-card>
+    </v-dialog>
+</template>
+
+<style scoped>
+.presets {
+    display: flex;
+    flex-wrap: wrap;
+    gap: 8px;
+}
+</style>

app/resources/js/components/billing/TransactionsTable.vue

@@ -1,63 +1,155 @@
 <script setup lang="ts">
 /**
- * TransactionsTable — VDataTable истории транзакций с табами фильтрации
- * (Все / Пополнения / Списания / Возвраты). Sprint 4 Phase B/2 — split BillingView.
+ * TransactionsTable — server-driven история транзакций с табами
+ * (Все / Пополнения / Списания / Возвраты). Данные — GET
+ * /api/billing/transactions (E3). Паттерн self-fetching из ChargesTab.
  */
-import { computed, ref } from 'vue';
-import { BILLING_TABS, MOCK_TRANSACTIONS, type BillingTransaction } from '../../composables/mockBilling';
-import { formatCost, statusChipColor, statusLabel, txAmountClass } from '../../composables/billingFormatters';
+import { ref, onMounted } from 'vue';
+import { getTransactions, type BillingTransaction } from '../../api/billing';
+import { formatCost, txAmountClass } from '../../composables/billingFormatters';
 
-const activeTab = ref<(typeof BILLING_TABS)[number]['id']>('all');
+interface Tab {
+    id: string;
+    label: string;
+    type: string | null;
+}
 
-const filteredTransactions = computed<BillingTransaction[]>(() => {
-    const tab = BILLING_TABS.find((t) => t.id === activeTab.value);
-    const types = tab?.types;
-    if (!types) return MOCK_TRANSACTIONS;
-    return MOCK_TRANSACTIONS.filter((tx) => types.includes(tx.type));
-});
+const TABS: Tab[] = [
+    { id: 'all', label: 'Все', type: null },
+    { id: 'topup', label: 'Пополнения', type: 'topup' },
+    { id: 'lead_charge', label: 'Списания', type: 'lead_charge' },
+    { id: 'refund', label: 'Возвраты', type: 'refund' },
+];
+
+const activeTab = ref<string>('all');
+const rows = ref<BillingTransaction[]>([]);
+const total = ref(0);
+const loading = ref(false);
+const loadError = ref<string | null>(null);
+const page = ref(1);
+
+const headers = [
+    { title: 'Дата', key: 'created_at', sortable: false },
+    { title: 'Операция', key: 'description', sortable: false },
+    { title: 'ID', key: 'code', sortable: false, width: 120 },
+    { title: 'Сумма', key: 'amount_rub', align: 'end' as const, sortable: false, width: 140 },
+];
+
+function formatWhen(iso: string): string {
+    return new Date(iso).toLocaleString('ru-RU', {
+        timeZone: 'Europe/Moscow',
+        day: '2-digit',
+        month: '2-digit',
+        hour: '2-digit',
+        minute: '2-digit',
+    });
+}
+
+/** Числовое значение движения: рубли приоритетно, иначе лиды. */
+function txAmountValue(tx: BillingTransaction): number {
+    const rub = Number(tx.amount_rub);
+    return rub !== 0 ? rub : tx.amount_leads;
+}
+
+/** Текст суммы: «+ 5 000 ₽» / «− 1 лид.» / «0 ₽». */
+function txAmountText(tx: BillingTransaction): string {
+    const rub = Number(tx.amount_rub);
+    if (rub !== 0) return formatCost(rub);
+    if (tx.amount_leads !== 0) {
+        const sign = tx.amount_leads > 0 ? '+ ' : '− ';
+        return sign + Math.abs(tx.amount_leads) + ' лид.';
+    }
+    return '0 ₽';
+}
+
+async function load(): Promise<void> {
+    loading.value = true;
+    loadError.value = null;
+    try {
+        const tab = TABS.find((t) => t.id === activeTab.value);
+        const params: { page: number; type?: string } = { page: page.value };
+        if (tab?.type) params.type = tab.type;
+        const res = await getTransactions(params);
+        rows.value = res.data;
+        total.value = res.meta.total;
+    } catch {
+        loadError.value = 'Не удалось загрузить транзакции.';
+        rows.value = [];
+        total.value = 0;
+    } finally {
+        loading.value = false;
+    }
+}
+
+async function changeTab(id: string): Promise<void> {
+    activeTab.value = id;
+    page.value = 1;
+    await load();
+}
+
+async function loadOptions(opts: { page: number }): Promise<void> {
+    page.value = opts.page;
+    await load();
+}
+
+async function refresh(): Promise<void> {
+    page.value = 1;
+    await load();
+}
+
+onMounted(load);
+
+defineExpose({ load, refresh, changeTab, activeTab, total, rows });
 </script>
 
 <template>
     <v-card variant="outlined" class="mt-4 panel">
         <div class="panel-h pa-4">
             <h2 class="text-h6 panel-title ma-0">История транзакций</h2>
-            <v-btn-toggle v-model="activeTab" mandatory color="primary" density="comfortable" variant="text">
-                <v-btn v-for="tab in BILLING_TABS" :key="tab.id" :value="tab.id" size="small">
+            <v-btn-toggle
+                :model-value="activeTab"
+                mandatory
+                color="primary"
+                density="comfortable"
+                variant="text"
+            >
+                <v-btn
+                    v-for="tab in TABS"
+                    :key="tab.id"
+                    :value="tab.id"
+                    size="small"
+                    @click="changeTab(tab.id)"
+                >
                     {{ tab.label }}
                 </v-btn>
             </v-btn-toggle>
         </div>
 
-        <v-data-table
-            :items="filteredTransactions"
-            :headers="[
-                { title: 'Дата', key: 'when', sortable: false },
-                { title: 'Операция', key: 'description', sortable: false },
-                { title: 'ID', key: 'code', sortable: false },
-                { title: 'Статус', key: 'status', sortable: false },
-                { title: 'Сумма', key: 'amount', align: 'end', sortable: false },
-            ]"
-            items-per-page="-1"
-            hide-default-footer
+        <v-alert v-if="loadError" type="error" variant="tonal" density="compact" class="mx-4 mb-4" role="alert">
+            {{ loadError }}
+        </v-alert>
+
+        <v-data-table-server
+            :headers="headers"
+            :items="rows"
+            :items-length="total"
+            :loading="loading"
+            :items-per-page="20"
             density="comfortable"
+            @update:options="loadOptions"
         >
-            <template #[`item.when`]="{ item }">
-                <span class="tx-when num">{{ item.when }}</span>
+            <template #[`item.created_at`]="{ item }">
+                <span class="tx-when num">{{ formatWhen(item.created_at) }}</span>
             </template>
             <template #[`item.code`]="{ item }">
                 <span class="tx-id">#{{ item.code }}</span>
             </template>
-            <template #[`item.status`]="{ item }">
-                <v-chip size="small" variant="tonal" :color="statusChipColor(item.status)">
-                    {{ statusLabel(item.status) }}
-                </v-chip>
-            </template>
-            <template #[`item.amount`]="{ item }">
-                <span class="num" :class="txAmountClass(item)">
-                    {{ item.status === 'rejected' ? '— 0 ₽' : formatCost(item.amount) }}
+            <template #[`item.amount_rub`]="{ item }">
+                <span class="num" :class="txAmountClass(txAmountValue(item))">
+                    {{ txAmountText(item) }}
                 </span>
             </template>
-        </v-data-table>
+        </v-data-table-server>
     </v-card>
 </template>
 

app/resources/js/components/layout/AppTopbar.vue

@@ -56,8 +56,8 @@ function formatRelative(iso: string | null): string {
 async function handleNotificationClick(id: number, dealId: number | null): Promise<void> {
     await notifications.markRead(id);
     if (dealId !== null) {
-        // На MVP — push на DealsView (deep-link на конкретный drawer — отдельный коммит).
-        await router.push('/deals');
+        // Audit F3: deep-link на конкретный drawer через ?openId=.
+        await router.push({ path: '/deals', query: { openId: dealId } });
     }
 }
 

app/resources/js/components/projects/BulkActionsBar.vue

@@ -55,6 +55,19 @@
             :count="store.selectedIds.size"
             @apply="(p) => runBulk({ action: 'update_limit', ...p })"
         />
+
+        <v-snackbar
+            v-model="skipToastOpen"
+            :timeout="6000"
+            color="warning"
+            location="bottom right"
+            data-testid="bulk-skip-toast"
+        >
+            {{ skipToastText }}
+            <template #actions>
+                <v-btn variant="text" @click="skipToastOpen = false">Закрыть</v-btn>
+            </template>
+        </v-snackbar>
     </v-card>
 </template>
 
@@ -72,6 +85,10 @@ const regionsOpen = ref(false);
 const daysOpen = ref(false);
 const limitOpen = ref(false);
 
+// Sprint 1 C5: window.alert → v-snackbar (non-blocking, accessible, не breaks браузерный automation).
+const skipToastOpen = ref(false);
+const skipToastText = ref('');
+
 const messages: Record<string, string> = {
     pause: 'Приостановить выбранные проекты?',
     resume: 'Возобновить выбранные проекты?',
@@ -87,13 +104,12 @@ async function confirmAndRun(action: 'pause' | 'resume' | 'archive') {
 async function runBulk(payload: Parameters<typeof store.bulkUpdate>[0]) {
     const result = await store.bulkUpdate(payload);
     if (result.skipped.length > 0) {
-        window.alert(
-            `Применено: ${result.updated}. Пропущено: ${result.skipped.length} (конфликт с уже доставленными лидами).`,
-        );
+        skipToastText.value = `Применено: ${result.updated}. Пропущено: ${result.skipped.length} (конфликт с уже доставленными лидами).`;
+        skipToastOpen.value = true;
     }
 }
 
-defineExpose({ regionsOpen, daysOpen, limitOpen });
+defineExpose({ regionsOpen, daysOpen, limitOpen, skipToastOpen, skipToastText, runBulk });
 </script>
 
 <style scoped>

app/resources/js/components/projects/ProjectDetailsDrawer.vue

@@ -3,7 +3,7 @@ import { ref, reactive, computed, onMounted, onBeforeUnmount, watch } from 'vue'
 import axios from 'axios';
 import type { Project } from '../../stores/projectsStore';
 import { useProjectsStore } from '../../stores/projectsStore';
-import { REGIONS, FEDERAL_DISTRICT_NAMES } from '../../constants/regions';
+import { REGIONS } from '../../constants/regions';
 
 const props = defineProps<{ project: Project | null }>();
 const emit = defineEmits<{ close: []; saved: [] }>();
@@ -11,7 +11,8 @@ const emit = defineEmits<{ close: []; saved: [] }>();
 interface FormState {
     name: string;
     daily_limit_target: number;
-    regions: number[];
+    region_mask: number;
+    region_mode: 'include' | 'exclude';
     delivery_days_mask: number;
     sms_senders: string[];
     sms_keyword: string;
@@ -20,31 +21,48 @@ interface FormState {
 const form = reactive<FormState>({
     name: '',
     daily_limit_target: 50,
-    regions: [],
+    region_mask: 0,
+    region_mode: 'include',
     delivery_days_mask: 127,
     sms_senders: [],
     sms_keyword: '',
 });
 
+const selectedRegions = ref<number[]>([]);
 const selectableRegions = REGIONS.filter((r) => r.code !== 0);
 
+function maskToCodes(mask: number): number[] {
+    const codes: number[] = [];
+    for (let i = 1; i <= 31; i++) if (mask & (1 << i)) codes.push(i);
+    return codes;
+}
+
 function reseedFromProject(p: Project | null): void {
     if (!p) return;
     form.name = p.name;
     form.daily_limit_target = p.daily_limit_target;
-    form.regions = Array.isArray(p.regions) ? [...p.regions] : [];
+    form.region_mask = p.region_mask ?? 0;
+    form.region_mode = (p.region_mode ?? 'include') as 'include' | 'exclude';
     form.delivery_days_mask = p.delivery_days_mask ?? 127;
     form.sms_senders = p.sms_senders ?? [];
     form.sms_keyword = p.sms_keyword ?? '';
+    selectedRegions.value = maskToCodes(form.region_mask);
 }
 reseedFromProject(props.project);
 
-watch(
-    () => props.project?.id,
-    () => {
-        reseedFromProject(props.project);
-    },
-);
+watch(() => props.project?.id, () => {
+    reseedFromProject(props.project);
+});
+
+watch(selectedRegions, (codes) => {
+    if (codes.length === 0) {
+        form.region_mask = 0;
+        form.region_mode = 'include';
+    } else {
+        form.region_mask = codes.reduce((acc, c) => (c >= 1 && c <= 31 ? acc | (1 << c) : acc), 0);
+        form.region_mode = 'exclude';
+    }
+});
 
 const saving = ref(false);
 const errors = reactive<Record<string, string[]>>({});
@@ -58,9 +76,7 @@ async function onPause(): Promise<void> {
 
 async function onDelete(): Promise<void> {
     if (!props.project) return;
-    const ok = window.confirm(
-        'Архивировать проект? Действие необратимо в Plan 5 (восстановление потребует ручного запроса).',
-    );
+    const ok = window.confirm('Архивировать проект? Действие необратимо в Plan 5 (восстановление потребует ручного запроса).');
     if (!ok) return;
     await store.archive(props.project.id);
     emit('close');
@@ -74,7 +90,8 @@ async function onSave(): Promise<void> {
         const payload: Record<string, unknown> = {
             name: form.name,
             daily_limit_target: form.daily_limit_target,
-            regions: form.regions,
+            region_mask: form.region_mask,
+            region_mode: form.region_mode,
             delivery_days_mask: form.delivery_days_mask,
         };
         if (props.project.signal_type === 'sms') {
@@ -105,7 +122,7 @@ const activeDays = computed<boolean[]>(() => {
 });
 
 function toggleDay(i: number): void {
-    form.delivery_days_mask ^= 1 << i;
+    form.delivery_days_mask ^= (1 << i);
 }
 
 const dayLabels = ['Пн', 'Вт', 'Ср', 'Чт', 'Пт', 'Сб', 'Вс'];
@@ -142,7 +159,7 @@ const dayLabels = ['Пн', 'Вт', 'Ср', 'Чт', 'Пт', 'Сб', 'Вс'];
                 <div class="pdd-field">
                     <span class="pdd-label">Регионы (пусто = вся РФ)</span>
                     <v-autocomplete
-                        v-model="form.regions"
+                        v-model="selectedRegions"
                         :items="selectableRegions"
                         item-title="name"
                         item-value="code"
@@ -152,15 +169,7 @@ const dayLabels = ['Пн', 'Вт', 'Ср', 'Чт', 'Пт', 'Сб', 'Вс'];
                         density="comfortable"
                         hide-details
                         data-testid="pdd-regions"
-                    >
-                        <template #item="{ props: itemProps, item }">
-                            <v-list-item v-bind="itemProps">
-                                <template #subtitle>
-                                    {{ FEDERAL_DISTRICT_NAMES[item.raw.federalDistrict] || '' }}
-                                </template>
-                            </v-list-item>
-                        </template>
-                    </v-autocomplete>
+                    />
                 </div>
 
                 <div class="pdd-field">
@@ -188,12 +197,13 @@ const dayLabels = ['Пн', 'Вт', 'Ср', 'Чт', 'Пт', 'Сб', 'Вс'];
                     <button class="pdd-btn pdd-btn-error" data-testid="pdd-delete" @click="onDelete">🗄 Удалить</button>
                 </div>
                 <div class="pdd-foot-right">
-                    <button class="pdd-btn pdd-btn-text" data-testid="pdd-cancel" @click="$emit('close')">
-                        Отмена
-                    </button>
-                    <button class="pdd-btn pdd-btn-primary" data-testid="pdd-save" :disabled="saving" @click="onSave">
-                        Сохранить
-                    </button>
+                    <button class="pdd-btn pdd-btn-text" data-testid="pdd-cancel" @click="$emit('close')">Отмена</button>
+                    <button
+                        class="pdd-btn pdd-btn-primary"
+                        data-testid="pdd-save"
+                        :disabled="saving"
+                        @click="onSave"
+                    >Сохранить</button>
                 </div>
             </footer>
         </div>
@@ -202,123 +212,34 @@ const dayLabels = ['Пн', 'Вт', 'Ср', 'Чт', 'Пт', 'Сб', 'Вс'];
 
 <style scoped>
 .project-details-drawer {
-    position: fixed;
-    top: 0;
-    right: 0;
-    bottom: 0;
+    position: fixed; top: 0; right: 0; bottom: 0;
     width: 480px;
     background: var(--liderra-surface, #ffffff);
     border-left: 1px solid var(--liderra-line, #e6e2d6);
     box-shadow: -4px 0 16px rgba(0, 0, 0, 0.06);
     transform: translateX(100%);
     transition: transform 240ms cubic-bezier(0.16, 1, 0.3, 1);
-    display: flex;
-    flex-direction: column;
+    display: flex; flex-direction: column;
     z-index: 5;
 }
-.project-details-drawer.open {
-    transform: translateX(0);
-}
-.pdd-content {
-    display: flex;
-    flex-direction: column;
-    height: 100%;
-}
-.pdd-head {
-    display: flex;
-    justify-content: space-between;
-    align-items: center;
-    padding: 16px 20px;
-    border-bottom: 1px solid var(--liderra-line, #e6e2d6);
-}
-.pdd-title {
-    font-weight: 600;
-    font-size: 16px;
-}
-.pdd-close {
-    background: none;
-    border: 0;
-    cursor: pointer;
-    font-size: 18px;
-    padding: 4px;
-}
-.pdd-body {
-    padding: 16px 20px;
-    display: flex;
-    flex-direction: column;
-    gap: 14px;
-    flex: 1;
-    overflow-y: auto;
-}
-.pdd-field {
-    display: flex;
-    flex-direction: column;
-    gap: 4px;
-}
-.pdd-label {
-    font-size: 12px;
-    color: #6b6f72;
-}
-.pdd-input {
-    padding: 8px 10px;
-    border: 1px solid var(--liderra-line, #e6e2d6);
-    border-radius: 6px;
-    font: inherit;
-}
-.pdd-days {
-    display: flex;
-    gap: 4px;
-}
-.pdd-day {
-    padding: 6px 10px;
-    border: 1px solid var(--liderra-line, #e6e2d6);
-    background: #ffffff;
-    border-radius: 4px;
-    cursor: pointer;
-    font: inherit;
-}
-.pdd-day.active {
-    background: #0f6e56;
-    color: #ffffff;
-    border-color: #0f6e56;
-}
-.pdd-foot {
-    display: flex;
-    justify-content: space-between;
-    padding: 12px 20px;
-    border-top: 1px solid var(--liderra-line, #e6e2d6);
-}
-.pdd-foot-left,
-.pdd-foot-right {
-    display: flex;
-    gap: 8px;
-}
-.pdd-btn {
-    padding: 6px 14px;
-    border: 0;
-    border-radius: 6px;
-    cursor: pointer;
-    font: inherit;
-}
-.pdd-btn-text {
-    background: transparent;
-    color: #081319;
-}
-.pdd-btn-primary {
-    background: #0f6e56;
-    color: #ffffff;
-}
-.pdd-btn-warning {
-    background: #f59e0b;
-    color: #ffffff;
-}
-.pdd-btn-error {
-    background: #dc2626;
-    color: #ffffff;
-}
-.pdd-error {
-    color: #dc2626;
-    font-size: 12px;
-    margin-top: 4px;
-}
+.project-details-drawer.open { transform: translateX(0); }
+.pdd-content { display: flex; flex-direction: column; height: 100%; }
+.pdd-head { display: flex; justify-content: space-between; align-items: center; padding: 16px 20px; border-bottom: 1px solid var(--liderra-line, #e6e2d6); }
+.pdd-title { font-weight: 600; font-size: 16px; }
+.pdd-close { background: none; border: 0; cursor: pointer; font-size: 18px; padding: 4px; }
+.pdd-body { padding: 16px 20px; display: flex; flex-direction: column; gap: 14px; flex: 1; overflow-y: auto; }
+.pdd-field { display: flex; flex-direction: column; gap: 4px; }
+.pdd-label { font-size: 12px; color: #6b6f72; }
+.pdd-input { padding: 8px 10px; border: 1px solid var(--liderra-line, #e6e2d6); border-radius: 6px; font: inherit; }
+.pdd-days { display: flex; gap: 4px; }
+.pdd-day { padding: 6px 10px; border: 1px solid var(--liderra-line, #e6e2d6); background: #ffffff; border-radius: 4px; cursor: pointer; font: inherit; }
+.pdd-day.active { background: #0f6e56; color: #ffffff; border-color: #0f6e56; }
+.pdd-foot { display: flex; justify-content: space-between; padding: 12px 20px; border-top: 1px solid var(--liderra-line, #e6e2d6); }
+.pdd-foot-left, .pdd-foot-right { display: flex; gap: 8px; }
+.pdd-btn { padding: 6px 14px; border: 0; border-radius: 6px; cursor: pointer; font: inherit; }
+.pdd-btn-text { background: transparent; color: #081319; }
+.pdd-btn-primary { background: #0f6e56; color: #ffffff; }
+.pdd-btn-warning { background: #f59e0b; color: #ffffff; }
+.pdd-btn-error { background: #dc2626; color: #ffffff; }
+.pdd-error { color: #dc2626; font-size: 12px; margin-top: 4px; }
 </style>

app/resources/js/components/reports/ReportJobsList.vue

@@ -98,7 +98,8 @@ function canRetry(job: ReportJob): boolean {
                 </v-chip>
                 <div class="job-actions">
                     <v-btn
-                        v-if="job.status === 'done'"
+                        v-if="job.status === 'done' && job.downloadUrl"
+                        :href="job.downloadUrl"
                         icon="mdi-download"
                         variant="text"
                         size="small"

app/resources/js/composables/billingFormatters.ts

@@ -1,9 +1,11 @@
 /**
- * Форматтеры для биллинга. Экспортируются для использования в нескольких
- * sub-components BillingView (BalanceCard, TransactionsTable, InvoicesTable).
- * Sprint 4 Phase B/2 — split BillingView.
+ * Форматтеры биллинга — BillingView + TransactionsTable + InvoicesTable.
+ *
+ * Sprint 2 Plan C: status/format-функции (statusChipColor/statusLabel/
+ * formatLabel/formatIcon) удалены — real-API транзакции не имеют статуса
+ * (append-only ledger), счета — отдельный формат. txAmountClass
+ * перетипизирован под знак суммы.
  */
-import type { BillingTransaction, InvoiceFormat, TxStatus } from './mockBilling';
 
 /** «5000» → «5 000 ₽» (без знака). */
 export function formatPlain(cost: number): string {
@@ -16,36 +18,25 @@ export function formatCost(cost: number): string {
     return sign + new Intl.NumberFormat('ru-RU').format(Math.abs(cost)) + ' ₽';
 }
 
-/** CSS-класс для суммы транзакции по статусу/знаку. */
-export function txAmountClass(tx: BillingTransaction): string {
-    if (tx.status === 'rejected') return 'tx-amount-neutral';
-    if (tx.amount > 0) return 'tx-amount-up';
-    if (tx.amount < 0) return 'tx-amount-down';
+/** CSS-класс суммы транзакции по знаку. */
+export function txAmountClass(amount: number): string {
+    if (amount > 0) return 'tx-amount-up';
+    if (amount < 0) return 'tx-amount-down';
     return 'tx-amount-neutral';
 }
 
-/** Vuetify-цвет чипа статуса транзакции. */
-export function statusChipColor(status: TxStatus): string {
-    if (status === 'pending') return 'warning';
-    if (status === 'completed') return 'success';
-    return 'error';
-}
+/** Человекочитаемые лейблы для feature-слагов tariff_plans.features. */
+export const FEATURE_LABELS: Record<string, string> = {
+    webhook: 'Webhook',
+    kanban: 'Канбан',
+    basic_analytics: 'Базовая аналитика',
+    advanced_analytics: 'Расширенная аналитика',
+    api: 'API',
+    '2fa': 'Двухфакторная аутентификация',
+    custom_domain: 'Свой домен',
+};
 
-/** Локализованный лейбл статуса транзакции. */
-export function statusLabel(status: TxStatus): string {
-    if (status === 'pending') return 'В обработке';
-    if (status === 'completed') return 'Проведён';
-    return 'Отклонено';
-}
-
-/** Лейбл формата файла счёта/УПД (PDF / 1С 8.3 XML). */
-export function formatLabel(format: InvoiceFormat): string {
-    if (format === 'pdf') return 'PDF';
-    return '1С 8.3 XML';
-}
-
-/** Иконка формата файла счёта/УПД. */
-export function formatIcon(format: InvoiceFormat): string {
-    if (format === 'pdf') return 'mdi-file-pdf-box';
-    return 'mdi-xml';
+/** Лейбл feature-слага; неизвестный слаг возвращается как есть. */
+export function featureLabel(slug: string): string {
+    return FEATURE_LABELS[slug] ?? slug;
 }

app/resources/js/composables/mockBilling.ts

@@ -1,167 +1,16 @@
 /**
- * Mock-данные для BillingView. Заменятся на API-fetch:
- *   GET /api/billing/wallet     — баланс ₽ + леды + tariff.
- *   GET /api/billing/transactions?type={all|topup|charge|refund} — `balance_transactions`.
- *   GET /api/billing/invoices   — `invoices` table (счета + УПД).
+ * Мок платежа «в обработке» для pending-баннера BillingView.
  *
- * Mock-структуры соответствуют схеме v8.7:
- * - balance_transactions (§4.4): type ∈ {topup, lead_charge, refund, tariff_charge, manager_addon}.
- * - invoices (§4.5): type ∈ {invoice, upd}, format ∈ {pdf, xml_1c83}.
+ * Кошелёк / транзакции / счета подключены к real API (api/billing.ts) в
+ * Sprint 2 Plan C (E3). Pending-баннер — отдельный эпик E4 (Sprint 5);
+ * до его реализации остаётся mock.
  */
-
-type TxType = 'topup' | 'lead_charge' | 'refund' | 'tariff_charge';
-export type TxStatus = 'pending' | 'completed' | 'rejected';
-
-export interface BillingTransaction {
-    id: number;
-    code: string; // 'TX-89421'
-    when: string; // '07.05 · 14:21'
-    type: TxType;
-    description: string;
-    status: TxStatus;
-    amount: number; // signed (+ topup/refund, − charge)
-}
-
-export const MOCK_TRANSACTIONS: BillingTransaction[] = [
-    {
-        id: 89421,
-        code: 'TX-89421',
-        when: '07.05 · 14:21',
-        type: 'topup',
-        description: 'Пополнение через ЮKassa',
-        status: 'pending',
-        amount: 5000,
-    },
-    {
-        id: 89384,
-        code: 'TX-89384',
-        when: '07.05 · 11:14',
-        type: 'lead_charge',
-        description: 'Списание · 3 лида проект «Окна Москва»',
-        status: 'completed',
-        amount: -6600,
-    },
-    {
-        id: 89370,
-        code: 'TX-89370',
-        when: '07.05 · 09:48',
-        type: 'refund',
-        description: 'Возврат лида #1018 · дубликат',
-        status: 'completed',
-        amount: 2200,
-    },
-    {
-        id: 89312,
-        code: 'TX-89312',
-        when: '06.05 · 22:06',
-        type: 'topup',
-        description: 'Пополнение через ЮKassa',
-        status: 'completed',
-        amount: 10000,
-    },
-    {
-        id: 89286,
-        code: 'TX-89286',
-        when: '06.05 · 18:32',
-        type: 'lead_charge',
-        description: 'Списание · 5 лидов проект «Натяжные потолки»',
-        status: 'completed',
-        amount: -9250,
-    },
-    {
-        id: 89108,
-        code: 'TX-89108',
-        when: '05.05 · 12:00',
-        type: 'tariff_charge',
-        description: 'Списание абонентской платы тарифа «Команда»',
-        status: 'completed',
-        amount: -990,
-    },
-    {
-        id: 88937,
-        code: 'TX-88937',
-        when: '04.05 · 16:42',
-        type: 'topup',
-        description: 'Попытка пополнения через банковский перевод',
-        status: 'rejected',
-        amount: 0,
-    },
-    {
-        id: 88714,
-        code: 'TX-88714',
-        when: '03.05 · 09:18',
-        type: 'refund',
-        description: 'Возврат лида #998 · спам',
-        status: 'completed',
-        amount: 1850,
-    },
-];
-
-export interface BillingTab {
-    id: 'all' | 'topup' | 'lead_charge' | 'refund';
-    label: string;
-    types: TxType[] | null;
-}
-
-export const BILLING_TABS: BillingTab[] = [
-    { id: 'all', label: 'Все', types: null },
-    { id: 'topup', label: 'Пополнения', types: ['topup'] },
-    { id: 'lead_charge', label: 'Списания', types: ['lead_charge', 'tariff_charge'] },
-    { id: 'refund', label: 'Возвраты', types: ['refund'] },
-];
-
-export type InvoiceFormat = 'pdf' | 'xml_1c83';
-
-export interface Invoice {
-    id: number;
-    when: string; // '07.05.2026'
-    title: string; // 'Счёт № 2026-0512'
-    sub: string; // 'Тариф «Команда» · май 2026'
-    amountRub: number;
-    format: InvoiceFormat;
-}
-
-export const MOCK_INVOICES: Invoice[] = [
-    {
-        id: 1,
-        when: '07.05.2026',
-        title: 'Счёт № 2026-0512',
-        sub: 'Тариф «Команда» · май 2026',
-        amountRub: 990,
-        format: 'pdf',
-    },
-    {
-        id: 2,
-        when: '06.05.2026',
-        title: 'УПД № УПД-2026-0492',
-        sub: 'Списания за апрель · 18 лидов',
-        amountRub: 29850,
-        format: 'xml_1c83',
-    },
-    {
-        id: 3,
-        when: '05.05.2026',
-        title: 'УПД № УПД-2026-0488',
-        sub: 'Списания за март · 24 лида',
-        amountRub: 38100,
-        format: 'xml_1c83',
-    },
-    {
-        id: 4,
-        when: '01.04.2026',
-        title: 'Счёт № 2026-0498',
-        sub: 'Тариф «Команда» · апрель 2026',
-        amountRub: 990,
-        format: 'pdf',
-    },
-];
-
 export interface PendingPayment {
     code: string;
     amount: number;
-    method: string; // 'ЮKassa'
-    startedAt: string; // '14:21'
-    autoCancelAt: string; // '14:51'
+    method: string;
+    startedAt: string;
+    autoCancelAt: string;
     timeoutMinutes: number;
 }
 

app/resources/js/composables/mockReports.ts

@@ -45,4 +45,5 @@ export interface ReportJob {
     progress: number | null; // 0..100 для running
     attempt: number; // 1..3
     error: string | null;
+    downloadUrl: string | null; // signed URL (24ч) скачивания готового файла; null для не-готовых
 }

app/resources/js/composables/reportsMapper.ts

@@ -43,6 +43,7 @@ export function mapApiReportJob(api: ApiReportJob, now: Date = new Date()): Repo
         progress: api.status === 'processing' ? 50 : null,
         attempt: api.retry_count + 1,
         error: api.error_message,
+        downloadUrl: api.download_url,
     };
 }
 

app/resources/js/constants/regions.ts

@@ -1,119 +1,42 @@
 export interface Region {
-    code: number;            // 1..89, sequential по конституционному порядку (Art. 65)
-    name: string;            // официальное название субъекта
-    federalDistrict: number; // 1..8 (см. FEDERAL_DISTRICT_NAMES)
+    code: number;
+    name: string;
 }
 
-// Конституционный порядок (ст. 65 Конституции РФ, ред. 2022):
-// 24 республики (1..24) → 9 краёв (25..33) → 48 областей (34..81) →
-// 3 города фед.знач. (82..84) → 1 АО Еврейская (85) → 4 АО (86..89).
-// Sentinel code:0 = "Вся РФ" (UI hint, в БД хранится как regions=[]).
+// MVP: 31 региона (коды 1..31) ограничены 32-bit region_mask из Plan 5 Task 9.
+// Sentinel code:0 = «Вся РФ» (включает все регионы, эквивалент пустой маски).
+// Имена — официальные субъекты РФ по конституционному порядку нумерации.
 export const REGIONS: Region[] = [
-    { code: 0,  name: 'Вся РФ',                                federalDistrict: 0 },
-    // 24 республики
-    { code: 1,  name: 'Республика Адыгея',                     federalDistrict: 3 },
-    { code: 2,  name: 'Республика Алтай',                      federalDistrict: 7 },
-    { code: 3,  name: 'Республика Башкортостан',               federalDistrict: 5 },
-    { code: 4,  name: 'Республика Бурятия',                    federalDistrict: 8 },
-    { code: 5,  name: 'Республика Дагестан',                   federalDistrict: 4 },
-    { code: 6,  name: 'Донецкая Народная Республика',          federalDistrict: 3 },
-    { code: 7,  name: 'Республика Ингушетия',                  federalDistrict: 4 },
-    { code: 8,  name: 'Кабардино-Балкарская Республика',       federalDistrict: 4 },
-    { code: 9,  name: 'Республика Калмыкия',                   federalDistrict: 3 },
-    { code: 10, name: 'Карачаево-Черкесская Республика',       federalDistrict: 4 },
-    { code: 11, name: 'Республика Карелия',                    federalDistrict: 2 },
-    { code: 12, name: 'Республика Коми',                       federalDistrict: 2 },
-    { code: 13, name: 'Республика Крым',                       federalDistrict: 3 },
-    { code: 14, name: 'Луганская Народная Республика',         federalDistrict: 3 },
-    { code: 15, name: 'Республика Марий Эл',                   federalDistrict: 5 },
-    { code: 16, name: 'Республика Мордовия',                   federalDistrict: 5 },
-    { code: 17, name: 'Республика Саха (Якутия)',              federalDistrict: 8 },
-    { code: 18, name: 'Республика Северная Осетия — Алания',   federalDistrict: 4 },
-    { code: 19, name: 'Республика Татарстан',                  federalDistrict: 5 },
-    { code: 20, name: 'Республика Тыва',                       federalDistrict: 7 },
-    { code: 21, name: 'Удмуртская Республика',                 federalDistrict: 5 },
-    { code: 22, name: 'Республика Хакасия',                    federalDistrict: 7 },
-    { code: 23, name: 'Чеченская Республика',                  federalDistrict: 4 },
-    { code: 24, name: 'Чувашская Республика',                  federalDistrict: 5 },
-    // 9 краёв
-    { code: 25, name: 'Алтайский край',                        federalDistrict: 7 },
-    { code: 26, name: 'Забайкальский край',                    federalDistrict: 8 },
-    { code: 27, name: 'Камчатский край',                       federalDistrict: 8 },
-    { code: 28, name: 'Краснодарский край',                    federalDistrict: 3 },
-    { code: 29, name: 'Красноярский край',                     federalDistrict: 7 },
-    { code: 30, name: 'Пермский край',                         federalDistrict: 5 },
-    { code: 31, name: 'Приморский край',                       federalDistrict: 8 },
-    { code: 32, name: 'Ставропольский край',                   federalDistrict: 4 },
-    { code: 33, name: 'Хабаровский край',                      federalDistrict: 8 },
-    // 48 областей
-    { code: 34, name: 'Амурская область',                      federalDistrict: 8 },
-    { code: 35, name: 'Архангельская область',                 federalDistrict: 2 },
-    { code: 36, name: 'Астраханская область',                  federalDistrict: 3 },
-    { code: 37, name: 'Белгородская область',                  federalDistrict: 1 },
-    { code: 38, name: 'Брянская область',                      federalDistrict: 1 },
-    { code: 39, name: 'Владимирская область',                  federalDistrict: 1 },
-    { code: 40, name: 'Волгоградская область',                 federalDistrict: 3 },
-    { code: 41, name: 'Вологодская область',                   federalDistrict: 2 },
-    { code: 42, name: 'Воронежская область',                   federalDistrict: 1 },
-    { code: 43, name: 'Запорожская область',                   federalDistrict: 3 },
-    { code: 44, name: 'Ивановская область',                    federalDistrict: 1 },
-    { code: 45, name: 'Иркутская область',                     federalDistrict: 7 },
-    { code: 46, name: 'Калининградская область',               federalDistrict: 2 },
-    { code: 47, name: 'Калужская область',                     federalDistrict: 1 },
-    { code: 48, name: 'Кемеровская область',                   federalDistrict: 7 },
-    { code: 49, name: 'Кировская область',                     federalDistrict: 5 },
-    { code: 50, name: 'Костромская область',                   federalDistrict: 1 },
-    { code: 51, name: 'Курганская область',                    federalDistrict: 6 },
-    { code: 52, name: 'Курская область',                       federalDistrict: 1 },
-    { code: 53, name: 'Ленинградская область',                 federalDistrict: 2 },
-    { code: 54, name: 'Липецкая область',                      federalDistrict: 1 },
-    { code: 55, name: 'Магаданская область',                   federalDistrict: 8 },
-    { code: 56, name: 'Московская область',                    federalDistrict: 1 },
-    { code: 57, name: 'Мурманская область',                    federalDistrict: 2 },
-    { code: 58, name: 'Нижегородская область',                 federalDistrict: 5 },
-    { code: 59, name: 'Новгородская область',                  federalDistrict: 2 },
-    { code: 60, name: 'Новосибирская область',                 federalDistrict: 7 },
-    { code: 61, name: 'Омская область',                        federalDistrict: 7 },
-    { code: 62, name: 'Оренбургская область',                  federalDistrict: 5 },
-    { code: 63, name: 'Орловская область',                     federalDistrict: 1 },
-    { code: 64, name: 'Пензенская область',                    federalDistrict: 5 },
-    { code: 65, name: 'Псковская область',                     federalDistrict: 2 },
-    { code: 66, name: 'Ростовская область',                    federalDistrict: 3 },
-    { code: 67, name: 'Рязанская область',                     federalDistrict: 1 },
-    { code: 68, name: 'Самарская область',                     federalDistrict: 5 },
-    { code: 69, name: 'Саратовская область',                   federalDistrict: 5 },
-    { code: 70, name: 'Сахалинская область',                   federalDistrict: 8 },
-    { code: 71, name: 'Свердловская область',                  federalDistrict: 6 },
-    { code: 72, name: 'Смоленская область',                    federalDistrict: 1 },
-    { code: 73, name: 'Тамбовская область',                    federalDistrict: 1 },
-    { code: 74, name: 'Тверская область',                      federalDistrict: 1 },
-    { code: 75, name: 'Томская область',                       federalDistrict: 7 },
-    { code: 76, name: 'Тульская область',                      federalDistrict: 1 },
-    { code: 77, name: 'Тюменская область',                     federalDistrict: 6 },
-    { code: 78, name: 'Ульяновская область',                   federalDistrict: 5 },
-    { code: 79, name: 'Херсонская область',                    federalDistrict: 3 },
-    { code: 80, name: 'Челябинская область',                   federalDistrict: 6 },
-    { code: 81, name: 'Ярославская область',                   federalDistrict: 1 },
-    // 3 города федерального значения
-    { code: 82, name: 'Москва',                                federalDistrict: 1 },
-    { code: 83, name: 'Санкт-Петербург',                       federalDistrict: 2 },
-    { code: 84, name: 'Севастополь',                           federalDistrict: 3 },
-    // 1 автономная область
-    { code: 85, name: 'Еврейская автономная область',          federalDistrict: 8 },
-    // 4 автономных округа
-    { code: 86, name: 'Ненецкий автономный округ',             federalDistrict: 2 },
-    { code: 87, name: 'Ханты-Мансийский автономный округ — Югра', federalDistrict: 6 },
-    { code: 88, name: 'Чукотский автономный округ',            federalDistrict: 8 },
-    { code: 89, name: 'Ямало-Ненецкий автономный округ',       federalDistrict: 6 },
+    { code: 0, name: 'Вся РФ' },
+    { code: 1, name: 'Республика Адыгея' },
+    { code: 2, name: 'Республика Башкортостан' },
+    { code: 3, name: 'Республика Бурятия' },
+    { code: 4, name: 'Республика Алтай' },
+    { code: 5, name: 'Республика Дагестан' },
+    { code: 6, name: 'Республика Ингушетия' },
+    { code: 7, name: 'Кабардино-Балкарская Республика' },
+    { code: 8, name: 'Республика Калмыкия' },
+    { code: 9, name: 'Карачаево-Черкесская Республика' },
+    { code: 10, name: 'Республика Карелия' },
+    { code: 11, name: 'Республика Коми' },
+    { code: 12, name: 'Республика Марий Эл' },
+    { code: 13, name: 'Республика Мордовия' },
+    { code: 14, name: 'Республика Саха (Якутия)' },
+    { code: 15, name: 'Республика Северная Осетия — Алания' },
+    { code: 16, name: 'Республика Татарстан' },
+    { code: 17, name: 'Республика Тыва' },
+    { code: 18, name: 'Удмуртская Республика' },
+    { code: 19, name: 'Республика Хакасия' },
+    { code: 20, name: 'Чеченская Республика' },
+    { code: 21, name: 'Чувашская Республика' },
+    { code: 22, name: 'Алтайский край' },
+    { code: 23, name: 'Краснодарский край' },
+    { code: 24, name: 'Красноярский край' },
+    { code: 25, name: 'Приморский край' },
+    { code: 26, name: 'Ставропольский край' },
+    { code: 27, name: 'Хабаровский край' },
+    { code: 28, name: 'Амурская область' },
+    { code: 29, name: 'Архангельская область' },
+    { code: 30, name: 'Астраханская область' },
+    { code: 31, name: 'Белгородская область' },
 ];
-
-export const FEDERAL_DISTRICT_NAMES: Record<number, string> = {
-    1: 'Центральный',
-    2: 'Северо-Западный',
-    3: 'Южный',
-    4: 'Северо-Кавказский',
-    5: 'Приволжский',
-    6: 'Уральский',
-    7: 'Сибирский',
-    8: 'Дальневосточный',
-};

app/resources/js/histoire.setup.ts

@@ -12,7 +12,6 @@ export const setupVue3 = defineSetupVue3(({ app }) => {
             { path: '/register', component: { template: '<div />' } },
             { path: '/forgot', component: { template: '<div />' } },
             { path: '/2fa', component: { template: '<div />' } },
-            { path: '/recovery', component: { template: '<div />' } },
             { path: '/recovery-use', component: { template: '<div />' } },
             { path: '/dashboard', component: { template: '<div />' } },
             { path: '/deals', component: { template: '<div />' } },

app/resources/js/layouts/AdminLayout.vue

@@ -1,6 +1,6 @@
 <script setup lang="ts">
 /**
- * Layout админки SaaS — отдельный sidebar с пометкой ADMIN, 4 nav-пункта,
+ * Layout админки SaaS — отдельный sidebar с пометкой ADMIN, 7 nav-пунктов,
  * без user-chip как в обычной AppLayout.
  *
  * Источник дизайна: liderra_v8_handoff/concepts/v8_admin.html.
@@ -8,7 +8,6 @@
  *
  * Не входит в этот коммит:
  * - Auth-guard на /admin/* — должен проверять `super_admin` role + 2FA.
- * - Impersonation banner (когда admin вошёл «как клиент» — Ю-1: 15 мин / 5 попыток).
  * - Audit-log записей для всех action'ов admin (по schema v8.7 §10
  *   `saas_admin_audit_log`).
  */
@@ -16,6 +15,7 @@ import { useAuthStore } from '../stores/auth';
 import { computed } from 'vue';
 import { RouterView, useRoute, useRouter } from 'vue-router';
 import DevIndexBadge from '../components/DevIndexBadge.vue';
+import ImpersonationBanner from '../components/admin/ImpersonationBanner.vue';
 
 interface NavItem {
     title: string;
@@ -27,6 +27,8 @@ interface NavItem {
 const navItems: NavItem[] = [
     { title: 'Тенанты', icon: 'mdi-account-group-outline', to: '/admin/tenants', count: 142 },
     { title: 'Биллинг', icon: 'mdi-credit-card-outline', to: '/admin/billing' },
+    { title: 'Тарифная сетка', icon: 'mdi-tag-arrow-right', to: '/admin/pricing-tiers' },
+    { title: 'Цены поставщиков', icon: 'mdi-currency-rub', to: '/admin/supplier-prices' },
     { title: 'Инциденты', icon: 'mdi-alert-outline', to: '/admin/incidents', count: 3 },
     { title: 'Impersonation', icon: 'mdi-account-switch', to: '/admin/impersonation' },
     { title: 'Система', icon: 'mdi-cog-outline', to: '/admin/system' },
@@ -129,6 +131,7 @@ const currentPageTitle = computed(() => {
         </v-app-bar>
 
         <v-main class="admin-main">
+            <ImpersonationBanner />
             <RouterView />
         </v-main>
         <DevIndexBadge :index="route.meta.devIndex" :label="route.meta.devLabel" />

app/resources/js/layouts/AuthLayout.vue

@@ -1,6 +1,6 @@
 <script setup lang="ts">
 /**
- * Двухпанельный layout для экранов аутентификации (login/register/2fa/forgot/recovery).
+ * Двухпанельный layout для экранов аутентификации (login/register/2fa/forgot/recovery-use).
  *
  * Источник дизайна: liderra_v8_handoff/concepts/v8_login.html (CSS .layout grid 1fr 1fr,
  * .brand-pane слева тёмный теало-нуар + radial-gradient'ы, .form-pane справа warm ivory).
@@ -44,8 +44,8 @@ const route = useRoute();
                         </p>
                         <div class="bp-foot">
                             <span>v8 · Forest</span>
-                            <a href="/legal/offer">Оферта</a>
-                            <a href="/legal/privacy">Политика</a>
+                            <RouterLink to="/legal/offer">Оферта</RouterLink>
+                            <RouterLink to="/legal/privacy">Политика</RouterLink>
                         </div>
                     </div>
                 </v-col>

app/resources/js/router/index.ts

@@ -58,18 +58,18 @@ const routes: RouteRecordRaw[] = [
         component: () => import('../views/auth/ForgotPasswordView.vue'),
         meta: { layout: 'auth', title: 'Сброс пароля', guestOnly: true, devIndex: 4, devLabel: 'Forgot password' },
     },
-    {
-        path: '/recovery',
-        name: 'recovery',
-        component: () => import('../views/auth/RecoveryCodesView.vue'),
-        meta: { layout: 'auth', title: 'Резервные коды', devIndex: 6, devLabel: 'Recovery codes' },
-    },
     {
         path: '/recovery-use',
         name: 'recovery-use',
         component: () => import('../views/auth/UseRecoveryCodeView.vue'),
         meta: { layout: 'auth', title: 'Вход по резервному коду', devIndex: 7, devLabel: 'Use recovery' },
     },
+    {
+        path: '/legal/:doc(offer|privacy)',
+        name: 'legal',
+        component: () => import('../views/legal/LegalDocView.vue'),
+        meta: { layout: 'auth', title: 'Правовые документы' },
+    },
     {
         path: '/reset/:token',
         name: 'reset-password',
@@ -210,6 +210,12 @@ const routes: RouteRecordRaw[] = [
         component: () => import('../views/admin/AdminIncidentsView.vue'),
         meta: { layout: 'admin', title: 'Инциденты', requiresAuth: true, devIndex: 24, devLabel: 'Admin Incidents' },
     },
+    {
+        path: '/admin/incidents/:id',
+        name: 'admin-incident-detail',
+        component: () => import('../views/admin/AdminIncidentDetailView.vue'),
+        meta: { layout: 'admin', title: 'Инцидент', requiresAuth: true },
+    },
     {
         path: '/admin/system',
         name: 'admin-system',

app/resources/js/stores/projectsStore.ts

@@ -16,7 +16,6 @@ export interface Project {
     archived_at: string | null;
     region_mask?: number;
     region_mode?: string;
-    regions?: number[]; // Plan 6 — subject codes 1..89; пустой массив = вся РФ
     delivery_days_mask?: number;
     sync_status: 'ok' | 'pending' | 'failed';
     last_synced_at?: string | null;

app/resources/js/views/BillingView.vue

@@ -1,47 +1,69 @@
 <script setup lang="ts">
 /**
  * Биллинг и тарифы — финансовый экран. Кошелёк ₽, баланс лидов,
- * текущий тариф, история транзакций и счета/УПД.
+ * текущий тариф, история транзакций и счета.
  *
- * Источник дизайна: liderra_v8_handoff/concepts/v8_billing.html.
- * MVP: page-head + pending banner + 3 wallet-cards (BalanceCard) +
- * transactions table с табами (TransactionsTable) + invoices list (InvoicesTable).
- * Mock-данные из composables/mockBilling.ts.
+ * Sprint 2 Plan C (E3): Overview-таб подвязан на real API
+ * (GET /api/billing/wallet → BalanceCard + шапка; TransactionsTable и
+ * InvoicesTable тянут данные сами). Списания — ChargesTab (Plan 4).
  *
- * Sprint 4 Phase B/2 — split на shell + 3 sub-components (audit O-refactor-04 хвост).
- *
- * Plan 4 Task 11 — добавлен top-level v-tabs split:
- *   - "Обзор" — существующий контент (mock-balance, transactions, invoices).
- *   - "Списания" — ChargesTab, real backend ledger (GET /api/billing/charges).
- *
- * Не входит в MVP:
- * - TopupDialog (диалог настройки автопополнения через ЮKassa).
- * - Tariff change wizard (диалог смены тарифа с расчётом разницы).
- * - Tariff comparison table (4 тарифа: Solo/Команда/Бизнес/Корпоративный).
- * - Refund-request dialog (заявка на возврат).
- *
- * Backend (отдельный коммит):
- * - GET /api/billing/wallet — балансы.
- * - GET /api/billing/transactions?type=...&page=... — пагинация.
- * - POST /api/billing/topup → ЮKassa-checkout.
- * - GET /api/billing/invoices/{id}/file — PDF/XML download.
+ * Pending-баннер остаётся mock (MOCK_PENDING) — это отдельный эпик E4
+ * (Sprint 5). TopupDialog «Пополнить баланс» — Task 5 (E1).
  */
-import { ref } from 'vue';
+import { ref, computed, onMounted } from 'vue';
 import BalanceCard from '../components/billing/BalanceCard.vue';
 import TransactionsTable from '../components/billing/TransactionsTable.vue';
 import InvoicesTable from '../components/billing/InvoicesTable.vue';
+import TopupDialog from '../components/billing/TopupDialog.vue';
 import ChargesTab from './billing/ChargesTab.vue';
 import { MOCK_PENDING } from '../composables/mockBilling';
-import { formatPlain } from '../composables/billingFormatters';
-
-const walletRub = 14250;
-const leadsBalance = 285;
-const runwayDays = 4;
-const tariffName = 'Команда';
-const tariffPrice = 990;
-const tariffFeatures = ['до 10 проектов', '4 менеджера + расширение', 'Канбан, Webhook, API'];
+import { formatPlain, featureLabel } from '../composables/billingFormatters';
+import { getWallet, type Wallet } from '../api/billing';
+import { extractErrorMessage } from '../api/client';
 
 const activeView = ref<'overview' | 'charges'>('overview');
+
+const wallet = ref<Wallet | null>(null);
+const loading = ref(true);
+const loadError = ref<string | null>(null);
+const topupOpen = ref(false);
+const topupSnackbar = ref(false);
+const txTableRef = ref<InstanceType<typeof TransactionsTable> | null>(null);
+
+const walletRub = computed(() => Number(wallet.value?.balance_rub ?? 0));
+const leadsBalance = computed(() => wallet.value?.balance_leads ?? 0);
+const runwayDays = computed(() => wallet.value?.runway_days ?? null);
+const tariffName = computed(() => wallet.value?.tariff?.name ?? null);
+const tariffPrice = computed(() => wallet.value?.tariff?.price_monthly ?? null);
+const tariffFeatures = computed<string[]>(() => (wallet.value?.tariff?.features ?? []).map(featureLabel));
+
+async function loadWallet(): Promise<void> {
+    loading.value = true;
+    loadError.value = null;
+    try {
+        wallet.value = await getWallet();
+    } catch (e) {
+        // Сброс устаревших данных: при неудачном повторе не оставляем
+        // прошлый успешный wallet в памяти (защита от ложного рендера).
+        wallet.value = null;
+        loadError.value = extractErrorMessage(e, 'Не удалось загрузить данные биллинга.');
+    } finally {
+        loading.value = false;
+    }
+}
+
+async function onTopupSuccess(): Promise<void> {
+    // success-событие несёт новый баланс, но мы намеренно перезапрашиваем
+    // кошелёк (loadWallet) — единый источник истины надёжнее точечного патча.
+    topupOpen.value = false;
+    topupSnackbar.value = true;
+    await loadWallet();
+    txTableRef.value?.refresh();
+}
+
+onMounted(loadWallet);
+
+defineExpose({ loadWallet, wallet, topupOpen });
 </script>
 
 <template>
@@ -49,7 +71,7 @@ const activeView = ref<'overview' | 'charges'>('overview');
         <header class="page-head">
             <div>
                 <h1 class="text-h4 mb-2 page-title">Биллинг и тарифы</h1>
-                <div class="page-stats text-body-2 text-medium-emphasis">
+                <div v-if="wallet" class="page-stats text-body-2 text-medium-emphasis">
                     <span
                         ><span class="num text-primary">{{ formatPlain(walletRub) }}</span> кошелёк</span
                     >
@@ -57,13 +79,17 @@ const activeView = ref<'overview' | 'charges'>('overview');
                     <span
                         ><span class="num">{{ leadsBalance }}</span> лидов запас</span
                     >
-                    <span class="sep">·</span>
-                    <span
-                        >хватит на <span class="num">{{ runwayDays }} дня</span></span
-                    >
+                    <template v-if="runwayDays !== null">
+                        <span class="sep">·</span>
+                        <span
+                            >хватит на <span class="num">{{ runwayDays }}</span> дн.</span
+                        >
+                    </template>
                 </div>
             </div>
-            <v-btn color="primary" variant="flat" prepend-icon="mdi-plus">Пополнить баланс</v-btn>
+            <v-btn color="primary" variant="flat" prepend-icon="mdi-plus" @click="topupOpen = true"
+                >Пополнить баланс</v-btn
+            >
         </header>
 
         <v-tabs v-model="activeView" color="primary" class="mt-4">
@@ -73,30 +99,56 @@ const activeView = ref<'overview' | 'charges'>('overview');
 
         <v-tabs-window v-model="activeView">
             <v-tabs-window-item value="overview">
-                <v-alert v-if="MOCK_PENDING" type="info" variant="tonal" density="compact" class="mt-4" role="status">
-                    <strong>1 платёж в обработке</strong> — {{ formatPlain(MOCK_PENDING.amount) }} от
-                    {{ MOCK_PENDING.method }}, начат {{ MOCK_PENDING.startedAt }}. Авто-восстановление в
-                    {{ MOCK_PENDING.autoCancelAt }} ({{ MOCK_PENDING.timeoutMinutes }} мин). Кнопки «Отменить» нет — это
-                    техническое решение.
+                <div v-if="loading" class="py-12 d-flex justify-center">
+                    <v-progress-circular indeterminate color="primary" />
+                </div>
+
+                <v-alert v-else-if="loadError" type="error" variant="tonal" class="mt-4" role="alert">
+                    {{ loadError }}
+                    <template #append>
+                        <v-btn size="small" variant="text" @click="loadWallet">Повторить</v-btn>
+                    </template>
                 </v-alert>
 
-                <BalanceCard
-                    :wallet-rub="walletRub"
-                    :leads-balance="leadsBalance"
-                    :tariff-name="tariffName"
-                    :tariff-price="tariffPrice"
-                    :tariff-features="tariffFeatures"
-                />
+                <template v-else-if="wallet">
+                    <v-alert
+                        v-if="MOCK_PENDING"
+                        type="info"
+                        variant="tonal"
+                        density="compact"
+                        class="mt-4"
+                        role="status"
+                    >
+                        <strong>1 платёж в обработке</strong> — {{ formatPlain(MOCK_PENDING.amount) }} от
+                        {{ MOCK_PENDING.method }}, начат {{ MOCK_PENDING.startedAt }}. Авто-восстановление в
+                        {{ MOCK_PENDING.autoCancelAt }} ({{ MOCK_PENDING.timeoutMinutes }} мин).
+                    </v-alert>
 
-                <TransactionsTable />
+                    <BalanceCard
+                        :wallet-rub="walletRub"
+                        :leads-balance="leadsBalance"
+                        :tariff-name="tariffName"
+                        :tariff-price="tariffPrice"
+                        :tariff-features="tariffFeatures"
+                        @topup="topupOpen = true"
+                    />
 
-                <InvoicesTable />
+                    <TransactionsTable ref="txTableRef" />
+
+                    <InvoicesTable />
+                </template>
             </v-tabs-window-item>
 
             <v-tabs-window-item value="charges">
                 <ChargesTab />
             </v-tabs-window-item>
         </v-tabs-window>
+
+        <TopupDialog v-model="topupOpen" @success="onTopupSuccess" />
+
+        <v-snackbar v-model="topupSnackbar" color="success" :timeout="4000">
+            Баланс пополнен.
+        </v-snackbar>
     </v-container>
 </template>
 
@@ -123,7 +175,7 @@ const activeView = ref<'overview' | 'charges'>('overview');
     align-items: center;
 }
 .page-stats .sep {
-    /* WCAG2AA 4.5:1 fix (was #92907b → 2.92:1 on ivory; #6b6356 → 5.33:1). */
+    /* WCAG2AA 4.5:1: #6b6356 → 5.33:1 on ivory. */
     color: #6b6356;
 }
 

app/resources/js/views/DashboardView.vue

@@ -1,67 +1,103 @@
 <script setup lang="ts">
 /**
- * Дашборд — стартовая страница для авторизованных пользователей.
- *
- * Источник дизайна: liderra_v8_handoff/concepts/v8_dashboard.html.
- * MVP: page-head + 4 KPI-cards (получено лидов / конверсия / активные проекты /
- * баланс). Графики (Активность по дням, Воронка из 14 статусов).
- *
- * Все числа сейчас mock'и — TODO: GET /api/dashboard/summary с tenant-context'ом
- * по middleware SetTenantContext (фаза backend).
- *
- * Sprint 4 Phase B/3 — split на DashboardPageHead + DashboardKpiRow +
- * DashboardBalance (audit O-refactor-04 закрытие). State (range, kpis, balance)
- * остаётся в parent ради единого mock-data flow и future API-fetch'а.
- *
- * Примечание: «recent deals list» в Phase B/3 plan'е — на текущем дашборде нет
- * (есть только charts row); если будет добавлено в будущем — выносится в
- * DashboardRecentDeals.vue по аналогии.
+ * Дашборд — стартовая страница. Audit C1/J3: KPI/баланс/активность/воронка
+ * грузятся из GET /api/dashboard/summary; при ошибке — fallback на mock,
+ * чтобы UI оставался работоспособным (dev / отсутствие backend).
  */
-import { ref } from 'vue';
+import { ref, watch } from 'vue';
 import ActivityChart from '../components/charts/ActivityChart.vue';
 import FunnelChart from '../components/charts/FunnelChart.vue';
 import DashboardPageHead from '../components/dashboard/DashboardPageHead.vue';
 import DashboardKpiRow, { type Kpi } from '../components/dashboard/DashboardKpiRow.vue';
 import DashboardBalance, { type Balance } from '../components/dashboard/DashboardBalance.vue';
+import { getDashboardSummary, type DashboardRange, type DashboardSummary } from '../api/dashboard';
+import { useAuthStore } from '../stores/auth';
 
-const range = ref<'today' | '7d' | '30d' | 'custom'>('7d');
+const auth = useAuthStore();
+const range = ref<DashboardRange | 'custom'>('7d');
 
-const kpis: Kpi[] = [
-    {
-        label: 'Получено лидов',
-        value: '247',
-        delta: { dir: 'up', text: '12.3%' },
-        sub: 'vs предыдущие 7 дней',
-    },
-    {
-        label: 'Конверсия в оплату',
-        value: '18.4',
-        unit: '%',
-        delta: { dir: 'up', text: '2.1pp' },
-        sub: 'vs предыдущие 7 дней',
-    },
-    {
-        label: 'Активные проекты',
-        value: '8',
-        unit: '/ 10',
-        delta: { dir: 'neutral', text: '2 свободно' },
-        sub: 'тариф «Команда»',
-    },
+// runwayMax — display-константа полосы (7 сегментов), не из API.
+const RUNWAY_MAX = 7;
+
+// Mock-fallback — UI работоспособен без backend (dev / 500 / нет auth).
+const MOCK_KPIS: Kpi[] = [
+    { label: 'Получено лидов', value: '247', delta: { dir: 'up', text: '12.3%' }, sub: 'vs предыдущий период' },
+    { label: 'Конверсия в оплату', value: '18.4', unit: '%', delta: { dir: 'up', text: '2.1pp' }, sub: 'vs предыдущий период' },
+    { label: 'Активные проекты', value: '8', unit: '/ 10', delta: { dir: 'neutral', text: '' }, sub: 'лимит тарифа' },
 ];
+const MOCK_BALANCE: Balance = { amount: '14 250', runwayDays: 4, runwayMax: RUNWAY_MAX, runwayLeads: 285 };
 
-const balance: Balance = {
-    amount: '14 250',
-    runwayDays: 4,
-    runwayMax: 7,
-    runwayLeads: 285,
-};
+const kpis = ref<Kpi[]>(MOCK_KPIS);
+const balance = ref<Balance>(MOCK_BALANCE);
+const activityPoints = ref<number[]>([16, 31, 27, 47, 39, 56, 50]);
+const activityLabels = ref<string[]>(['пн', 'вт', 'ср', 'чт', 'пт', 'сб', 'сегодня']);
+const activityMax = ref(60);
+const funnelCounts = ref<Record<string, number> | undefined>(undefined);
+const fetchError = ref(false);
+
+/** Форматирует число с пробелами-разделителями тысяч ('14250.00' → '14 250'). */
+function formatRub(raw: string): string {
+    const n = parseFloat(raw);
+    if (!Number.isFinite(n)) return '0';
+    const int = Math.round(n).toString();
+    return int.replace(/\B(?=(\d{3})+(?!\d))/g, ' ');
+}
+
+function applySummary(s: DashboardSummary): void {
+    kpis.value = [
+        {
+            label: 'Получено лидов',
+            value: String(s.leads_received.value),
+            delta: { dir: s.leads_received.delta_dir, text: `${s.leads_received.delta_pct}%` },
+            sub: 'vs предыдущий период',
+        },
+        {
+            label: 'Конверсия в оплату',
+            value: String(s.conversion.value),
+            unit: '%',
+            delta: { dir: s.conversion.delta_dir, text: `${s.conversion.delta_pp}pp` },
+            sub: 'vs предыдущий период',
+        },
+        {
+            label: 'Активные проекты',
+            value: String(s.active_projects.active),
+            unit: `/ ${s.active_projects.limit}`,
+            delta: { dir: 'neutral', text: '' },
+            sub: 'лимит тарифа',
+        },
+    ];
+    balance.value = {
+        amount: formatRub(s.balance.amount_rub),
+        runwayDays: Math.min(s.balance.runway_days, RUNWAY_MAX),
+        runwayMax: RUNWAY_MAX,
+        runwayLeads: s.balance.runway_leads,
+    };
+    activityPoints.value = s.activity.points;
+    activityLabels.value = s.activity.labels;
+    activityMax.value = s.activity.max;
+    funnelCounts.value = s.funnel;
+}
+
+async function load(): Promise<void> {
+    const tenantId = auth.user?.tenant_id;
+    if (!tenantId || range.value === 'custom') return;
+    try {
+        applySummary(await getDashboardSummary(tenantId, range.value as DashboardRange));
+        fetchError.value = false;
+    } catch {
+        fetchError.value = true; // оставляем последнее значение / mock
+    }
+}
+
+watch(range, load);
+load();
 </script>
 
 <template>
     <v-container fluid class="dashboard pa-6">
         <DashboardPageHead v-model="range" />
 
-        <div class="ld-meta mt-2">
+        <div v-show="!fetchError" class="ld-meta mt-2">
             <span class="ld-pulse" aria-hidden="true"></span>
             <span>Live · обновлено только что</span>
         </div>
@@ -71,12 +107,23 @@ const balance: Balance = {
             <DashboardBalance :balance="balance" />
         </v-row>
 
+        <v-alert
+            v-if="fetchError"
+            type="warning"
+            variant="tonal"
+            density="compact"
+            class="mt-3"
+            data-testid="dashboard-fetch-error"
+        >
+            Не удалось обновить данные дашборда — показаны последние известные значения.
+        </v-alert>
+
         <v-row class="charts-row mt-4">
             <v-col cols="12" md="7">
-                <ActivityChart />
+                <ActivityChart :points="activityPoints" :labels="activityLabels" :max="activityMax" />
             </v-col>
             <v-col cols="12" md="5">
-                <FunnelChart />
+                <FunnelChart :counts="funnelCounts" />
             </v-col>
         </v-row>
     </v-container>

app/resources/js/views/DealsView.vue

@@ -13,7 +13,8 @@
  *
  * Источник статусов — composables/leadStatuses.ts (snapshot из db/schema.sql:2130).
  */
-import { computed, defineAsyncComponent, onMounted, reactive, ref } from 'vue';
+import { computed, defineAsyncComponent, onMounted, reactive, ref, watch } from 'vue';
+import { useRoute } from 'vue-router';
 import { DEALS_TABS, MOCK_DEALS, type MockDeal } from '../composables/mockDeals';
 import { mapApiDeal } from '../composables/dealsApiMapper';
 import { usePolling } from '../composables/usePolling';
@@ -37,13 +38,64 @@ import { buildCsvString, triggerBlobDownload, triggerCsvDownload } from '../comp
 // Task 15: density-toggle composable (persists в localStorage, влияет на row height).
 const { rowHeight } = useDensity();
 
-// Task 15: stub-обработчики redesign-filter-chip'ов. На I1 — popover'ы Проект/Менеджер
-// не реализованы; chiprow служит quiet-luxury визуальной заменой для status-summary'ов.
-// Не ломает существующие VSelect'ы в DealsFilters — те остаются как полноценный filter UI.
+// Sprint 1 C2: popovers для Проект/Менеджер chip'ов. Draft-state накапливает
+// выбор внутри v-menu; копируется из filterProjects/filterManagers при открытии
+// (watch на menu open=true); переносится обратно в filterProjects/Managers на
+// «Применить» button. Status chip — read-only (P2 backlog Sprint 5).
+const projectMenuOpen = ref(false);
+const managerMenuOpen = ref(false);
+const projectMenuDraft = ref<string[]>([]);
+const managerMenuDraft = ref<string[]>([]);
+
+// При открытии меню — копируем текущий filter в draft (snapshot-on-open).
+// При закрытии без apply — draft остаётся, но не влияет на filterProjects
+// (apply нужен явно).
+watch(projectMenuOpen, (isOpen) => {
+    if (isOpen) projectMenuDraft.value = [...filterProjects.value];
+});
+watch(managerMenuOpen, (isOpen) => {
+    if (isOpen) managerMenuDraft.value = [...filterManagers.value];
+});
+
 function onRedesignFilterClick(name: string): void {
-    console.log(`[redesign filterbar] ${name} clicked — popover TBD`);
+    // Status chip — read-only summary (P2 backlog Sprint 5).
+    // Project/Manager managed by v-menu activator (no manual click handler needed).
+    if (name === 'Статус') {
+        // no-op — placeholder для будущей реализации
+    }
 }
 
+function applyProjectFilter(): void {
+    filterProjects.value = [...projectMenuDraft.value];
+    projectMenuOpen.value = false;
+}
+
+function applyManagerFilter(): void {
+    filterManagers.value = [...managerMenuDraft.value];
+    managerMenuOpen.value = false;
+}
+
+function clearProjectDraft(): void {
+    projectMenuDraft.value = [];
+}
+
+function clearManagerDraft(): void {
+    managerMenuDraft.value = [];
+}
+
+function toggleProjectDraft(proj: string): void {
+    projectMenuDraft.value = projectMenuDraft.value.includes(proj)
+        ? projectMenuDraft.value.filter((p) => p !== proj)
+        : [...projectMenuDraft.value, proj];
+}
+
+function toggleManagerDraft(name: string): void {
+    managerMenuDraft.value = managerMenuDraft.value.includes(name)
+        ? managerMenuDraft.value.filter((m) => m !== name)
+        : [...managerMenuDraft.value, name];
+}
+
+const route = useRoute();
 const auth = useAuthStore();
 const leadStatusesStore = useLeadStatusesStore();
 
@@ -115,11 +167,17 @@ async function applyBulkRestoreFromTrash() {
     deleteToastOpen.value = true;
 }
 
-onMounted(() => {
+onMounted(async () => {
     void leadStatusesStore.load();
-    void loadDeals();
+    await loadDeals();
+    openDealFromQuery();
 });
 
+watch(
+    () => route.query.openId,
+    () => openDealFromQuery(),
+);
+
 // Polling — каждые 30 сек авто-refresh dealsState. Pause при скрытой вкладке.
 // Включается только при наличии auth.user (без auth listDeals = no-op anyway).
 usePolling(loadDeals);
@@ -168,6 +226,16 @@ function openDeal(deal: MockDeal) {
     drawerOpen.value = true;
 }
 
+/** Audit C8/F3: deep-link — открыть drawer сделки по ?openId= из URL. */
+function openDealFromQuery(): void {
+    const raw = route.query.openId;
+    const id = Number(Array.isArray(raw) ? raw[0] : raw);
+    if (!Number.isInteger(id) || id <= 0) return;
+    if (selectedDeal.value?.id === id) return;
+    const deal = dealsState.find((d) => d.id === id);
+    if (deal) openDeal(deal);
+}
+
 async function applyBulkStatus(slug: MockDeal['statusSlug']) {
     const ids = [...selected.value];
     statusMenuOpen.value = false;
@@ -350,6 +418,18 @@ defineExpose({
     trashMode,
     toggleTrashMode,
     applyBulkRestoreFromTrash,
+    projectMenuOpen,
+    managerMenuOpen,
+    projectMenuDraft,
+    managerMenuDraft,
+    applyProjectFilter,
+    applyManagerFilter,
+    clearProjectDraft,
+    clearManagerDraft,
+    toggleProjectDraft,
+    toggleManagerDraft,
+    drawerOpen,
+    selectedDeal,
 });
 
 const leadStatuses = computed(() => leadStatusesStore.statuses);
@@ -463,10 +543,9 @@ const waitingPay = computed(() => dealsState.filter((d) => d.statusSlug === 'wai
             @clear-filters="clearFilters"
         />
 
-        <!-- Task 15: redesign-filterbar (quiet luxury chiprow + density toggle).
-             Минимальный набор: 3 FilterChip-ярлыка (Статус/Проект/Менеджер) + DensityToggle справа.
-             Клики на I1 — stub'ы (popover'ы — TBD); полноценные multi-select'ы остаются в DealsFilters выше.
-             Status-legend ниже визуализирует пул цветов StatusPill'ов воронки. -->
+        <!-- Sprint 1 C2: redesign-filterbar с popover'ами для Проект/Менеджер.
+             Status chip остаётся read-only (P2 backlog Sprint 5).
+             Полноценные multi-select'ы в DealsFilters выше сохранены. -->
         <div v-if="!trashMode" class="ld-filterbar mt-3">
             <div class="ld-filterbar__chips">
                 <FilterChip
@@ -475,18 +554,99 @@ const waitingPay = computed(() => dealsState.filter((d) => d.statusSlug === 'wai
                     :active="false"
                     @click="onRedesignFilterClick('Статус')"
                 />
-                <FilterChip
-                    label="Проект"
-                    :count="filterProjects.length"
-                    :active="filterProjects.length > 0"
-                    @click="onRedesignFilterClick('Проект')"
-                />
-                <FilterChip
-                    label="Менеджер"
-                    :count="filterManagers.length"
-                    :active="filterManagers.length > 0"
-                    @click="onRedesignFilterClick('Менеджер')"
-                />
+                <v-menu v-model="projectMenuOpen" :close-on-content-click="false" location="bottom start">
+                    <template #activator="{ props: activatorProps }">
+                        <span v-bind="activatorProps">
+                            <FilterChip
+                                label="Проект"
+                                :count="filterProjects.length"
+                                :active="filterProjects.length > 0"
+                            />
+                        </span>
+                    </template>
+                    <v-card min-width="260" max-width="320" data-testid="project-menu-card">
+                        <v-card-text class="pa-2">
+                            <v-list density="compact" class="pa-0">
+                                <v-list-item v-if="availableProjects.length === 0" class="text-medium-emphasis">
+                                    <v-list-item-title>Нет проектов в текущем списке</v-list-item-title>
+                                </v-list-item>
+                                <v-list-item
+                                    v-for="proj in availableProjects"
+                                    :key="proj"
+                                    class="py-1"
+                                    @click="toggleProjectDraft(proj)"
+                                >
+                                    <template #prepend>
+                                        <v-checkbox-btn :model-value="projectMenuDraft.includes(proj)" />
+                                    </template>
+                                    <v-list-item-title>{{ proj }}</v-list-item-title>
+                                </v-list-item>
+                            </v-list>
+                        </v-card-text>
+                        <v-card-actions class="px-3 pb-2">
+                            <v-btn variant="text" size="small" data-testid="project-menu-clear" @click="clearProjectDraft">
+                                Очистить
+                            </v-btn>
+                            <v-spacer />
+                            <v-btn
+                                color="primary"
+                                variant="flat"
+                                size="small"
+                                data-testid="project-menu-apply"
+                                @click="applyProjectFilter"
+                            >
+                                Применить
+                            </v-btn>
+                        </v-card-actions>
+                    </v-card>
+                </v-menu>
+                <v-menu v-model="managerMenuOpen" :close-on-content-click="false" location="bottom start">
+                    <template #activator="{ props: activatorProps }">
+                        <span v-bind="activatorProps">
+                            <FilterChip
+                                label="Менеджер"
+                                :count="filterManagers.length"
+                                :active="filterManagers.length > 0"
+                            />
+                        </span>
+                    </template>
+                    <v-card min-width="260" max-width="320" data-testid="manager-menu-card">
+                        <v-card-text class="pa-2">
+                            <v-list density="compact" class="pa-0">
+                                <v-list-item v-if="availableManagers.length === 0" class="text-medium-emphasis">
+                                    <v-list-item-title>Нет менеджеров в текущем списке</v-list-item-title>
+                                </v-list-item>
+                                <v-list-item
+                                    v-for="mgr in availableManagers"
+                                    :key="mgr.name"
+                                    class="py-1"
+                                    @click="toggleManagerDraft(mgr.name)"
+                                >
+                                    <template #prepend>
+                                        <v-checkbox-btn :model-value="managerMenuDraft.includes(mgr.name)" />
+                                    </template>
+                                    <v-list-item-title>{{ mgr.name }}</v-list-item-title>
+                                    <v-list-item-subtitle class="text-caption">{{ mgr.initials }}</v-list-item-subtitle>
+                                </v-list-item>
+                            </v-list>
+                        </v-card-text>
+                        <v-card-actions class="px-3 pb-2">
+                            <v-btn variant="text" size="small" data-testid="manager-menu-clear" @click="clearManagerDraft">
+                                Очистить
+                            </v-btn>
+                            <v-spacer />
+                            <v-btn
+                                color="primary"
+                                variant="flat"
+                                size="small"
+                                data-testid="manager-menu-apply"
+                                @click="applyManagerFilter"
+                            >
+                                Применить
+                            </v-btn>
+                        </v-card-actions>
+                    </v-card>
+                </v-menu>
             </div>
             <DensityToggle class="ld-filterbar__density" />
         </div>

app/resources/js/views/KanbanView.vue

@@ -5,13 +5,16 @@
  * Источник дизайна: liderra_v8_handoff/concepts/v8_kanban.html.
  * DnD реализован через vuedraggable@4 (обёртка SortableJS) — карточки можно
  * перетаскивать между колонками. При drop:
- *   - событие 'added' в целевой колонке → меняем `statusSlug` сделки.
+ *   - событие 'added' в целевой колонке → optimistic update statusSlug +
+ *     POST /api/deals/transition (через dealsApi). На failure — revert:
+ *     карточка возвращается в исходную колонку + toast «Не удалось переместить».
+ *     Без auth.user.tenant_id — local-only mode (API не зовётся).
  *   - событие 'removed' в исходной колонке → ничего не делаем (обработано в added).
  *   - событие 'moved' внутри одной колонки → только смена порядка (statusSlug
  *     не меняется; на API будущем — PATCH /api/deals/{id} {sort_order}).
  *
  * Не входит в этот коммит:
- * - PATCH /api/deals/{id} {status_slug} при drop — backend.
+ * - PATCH /api/deals/{id} {sort_order} при moved (intra-column reorder) — backend.
  * - Filters (Проект/Менеджер) — общий filter-bar с DealsView.
  * - DealDetailDrawer на click по карточке (event @open-deal).
  */
@@ -50,14 +53,44 @@ const dealsByStatus = reactive<Record<string, MockDeal[]>>(
     }, {}),
 );
 
-function onColumnChange(targetSlug: MockDeal['statusSlug'], event: DraggableChangeEvent) {
-    if (event.added) {
-        // Карточка переехала в эту колонку → синхронизируем statusSlug.
-        // На production будет POST /api/deals/{id}/transition с проверкой allowed-переходов.
-        event.added.element.statusSlug = targetSlug;
+async function onColumnChange(targetSlug: MockDeal['statusSlug'], event: DraggableChangeEvent) {
+    if (!event.added) {
+        // 'removed' и 'moved' — vuedraggable мутирует array; reactive triggers re-render.
+        return;
+    }
+
+    const dealItem = event.added.element;
+    const previousSlug = dealItem.statusSlug;
+
+    // Optimistic: меняем статус в local state сразу (UX отвечает мгновенно).
+    dealItem.statusSlug = targetSlug;
+
+    // Без auth — local-only mode (dev/demo без tenant context). API не зовём.
+    if (!auth.user?.tenant_id) return;
+
+    try {
+        await dealsApi.transitionDeals({
+            tenant_id: auth.user.tenant_id,
+            ids: [dealItem.id],
+            status: targetSlug,
+        });
+        // success — статус уже применён, тостить не нужно.
+    } catch {
+        // Revert на исходный статус + переместить карточку обратно в исходную колонку.
+        dealItem.statusSlug = previousSlug;
+        // Найдём целевую колонку и удалим из неё карточку, потом вернём в исходную.
+        const targetCol = dealsByStatus[targetSlug];
+        if (targetCol) {
+            const idx = targetCol.findIndex((d) => d.id === dealItem.id);
+            if (idx >= 0) targetCol.splice(idx, 1);
+        }
+        const sourceCol = dealsByStatus[previousSlug];
+        if (sourceCol && !sourceCol.find((d) => d.id === dealItem.id)) {
+            sourceCol.push(dealItem);
+        }
+        transitionToastText.value = `Не удалось переместить сделку #${dealItem.id} — восстановлен исходный статус.`;
+        transitionToastOpen.value = true;
     }
-    // 'removed' и 'moved' — обрабатываются автоматически через v-model
-    // (vuedraggable мутирует array; reactive triggers re-render).
 }
 
 const drawerOpen = ref(false);
@@ -80,6 +113,10 @@ const fetchError = ref(false);
 
 const newDealOpen = ref(false);
 
+// Sprint 1 C4: revert-on-fail toast при DnD-fail.
+const transitionToastOpen = ref(false);
+const transitionToastText = ref('');
+
 function onDealCreated(deal: MockDeal) {
     if (!dealsByStatus[deal.statusSlug]) dealsByStatus[deal.statusSlug] = [];
     dealsByStatus[deal.statusSlug].unshift(deal);
@@ -113,7 +150,17 @@ onMounted(() => {
 
 usePolling(loadDeals);
 
-defineExpose({ dealsByStatus, totalDeals, newDealOpen, onDealCreated, fetchError, loadDeals });
+defineExpose({
+    dealsByStatus,
+    totalDeals,
+    newDealOpen,
+    onDealCreated,
+    fetchError,
+    loadDeals,
+    onColumnChange,
+    transitionToastOpen,
+    transitionToastText,
+});
 </script>
 
 <template>
@@ -176,6 +223,16 @@ defineExpose({ dealsByStatus, totalDeals, newDealOpen, onDealCreated, fetchError
         <DealDetailDrawer v-model:open="drawerOpen" :deal="selectedDeal" :tenant-id="auth.user?.tenant_id" />
 
         <NewDealDialog v-model="newDealOpen" :tenant-id="auth.user?.tenant_id" @created="onDealCreated" />
+
+        <v-snackbar
+            v-model="transitionToastOpen"
+            :timeout="4000"
+            color="warning"
+            location="bottom right"
+            data-testid="kanban-transition-toast"
+        >
+            {{ transitionToastText }}
+        </v-snackbar>
     </v-container>
 </template>
 

app/resources/js/views/RemindersView.vue

@@ -68,8 +68,8 @@ async function executeComplete(id: number): Promise<void> {
 }
 
 async function openDeal(dealId: number): Promise<void> {
-    void dealId; // на MVP — без deep-link на конкретный drawer.
-    await router.push('/deals');
+    // Audit C8: deep-link на конкретный drawer через ?openId=.
+    await router.push({ path: '/deals', query: { openId: dealId } });
 }
 </script>
 

app/resources/js/views/admin/AdminBillingView.vue

@@ -12,6 +12,8 @@ import { ADMIN_BILLING_SUMMARY as MOCK_SUMMARY, ADMIN_BILLING_TENANTS } from '..
 import { computed, onMounted, reactive, ref } from 'vue';
 import { usePolling } from '../../composables/usePolling';
 import * as adminApi from '../../api/admin';
+import type { AdminTariffPlan } from '../../api/admin';
+import { extractErrorMessage } from '../../api/client';
 
 const search = ref('');
 
@@ -95,7 +97,92 @@ async function loadBilling() {
 onMounted(loadBilling);
 usePolling(loadBilling);
 
-defineExpose({ rowsState, summary, loading, fetchError, loadBilling });
+// === Row-actions state (Sprint 3D G4) ===
+
+const actionDialog = ref<null | 'status' | 'refund' | 'tariff'>(null);
+const actionRow = ref<BillingRow | null>(null);
+const actionReason = ref('');
+const actionAmount = ref<number | null>(null);
+const actionTariffId = ref<number | null>(null);
+const actionLoading = ref(false);
+const actionError = ref('');
+const tariffPlans = ref<AdminTariffPlan[]>([]);
+
+async function openAction(type: 'status' | 'refund' | 'tariff', row: BillingRow) {
+    actionDialog.value = type;
+    actionRow.value = row;
+    actionReason.value = '';
+    actionAmount.value = null;
+    actionTariffId.value = null;
+    actionError.value = '';
+
+    if (type === 'tariff') {
+        try {
+            tariffPlans.value = await adminApi.listAdminTariffPlans();
+        } catch (e) {
+            actionError.value = extractErrorMessage(e);
+        }
+    }
+}
+
+async function confirmAction() {
+    // Validate
+    if (actionReason.value.trim().length < 10) {
+        actionError.value = 'Укажите основание (минимум 10 символов).';
+        return;
+    }
+    if (actionDialog.value === 'refund' && (actionAmount.value === null || !Number.isFinite(actionAmount.value) || actionAmount.value <= 0)) {
+        actionError.value = 'Укажите сумму возврата больше нуля.';
+        return;
+    }
+    if (actionDialog.value === 'refund' && actionAmount.value! > actionRow.value!.balance_rub) {
+        actionError.value = 'Сумма возврата превышает баланс тенанта.';
+        return;
+    }
+    if (actionDialog.value === 'tariff' && actionTariffId.value === null) {
+        actionError.value = 'Выберите тарифный план.';
+        return;
+    }
+
+    const row = actionRow.value!;
+    actionLoading.value = true;
+    actionError.value = '';
+
+    try {
+        if (actionDialog.value === 'status') {
+            const newStatus = row.status === 'suspended' ? 'active' : 'suspended';
+            await adminApi.updateTenantStatus(row.id, newStatus, actionReason.value.trim());
+        } else if (actionDialog.value === 'refund') {
+            await adminApi.refundTenant(row.id, actionAmount.value!, actionReason.value.trim());
+        } else if (actionDialog.value === 'tariff') {
+            await adminApi.changeTenantTariff(row.id, actionTariffId.value!, actionReason.value.trim());
+        }
+        await loadBilling();
+        actionDialog.value = null;
+    } catch (e) {
+        actionError.value = extractErrorMessage(e);
+    } finally {
+        actionLoading.value = false;
+    }
+}
+
+defineExpose({
+    rowsState,
+    summary,
+    loading,
+    fetchError,
+    loadBilling,
+    actionDialog,
+    actionRow,
+    actionReason,
+    actionAmount,
+    actionTariffId,
+    actionError,
+    actionLoading,
+    tariffPlans,
+    openAction,
+    confirmAction,
+});
 
 const headers = [
     { title: 'Тенант', key: 'name', sortable: true },
@@ -105,6 +192,7 @@ const headers = [
     { title: 'Списания за мес', key: 'monthly_charges_rub', sortable: true, align: 'end' as const },
     { title: 'MRR', key: 'mrr_rub', sortable: true, align: 'end' as const },
     { title: 'Статус', key: 'status', sortable: true },
+    { title: '', key: 'actions', sortable: false, align: 'end' as const },
 ];
 
 const filteredRows = computed(() => {
@@ -257,8 +345,189 @@ function tariffLabel(t: string): string {
                         {{ statusInfo(item.status).label }}
                     </v-chip>
                 </template>
+                <template #[`item.actions`]="{ item }">
+                    <v-menu>
+                        <template #activator="{ props }">
+                            <v-btn
+                                v-bind="props"
+                                icon="mdi-dots-vertical"
+                                :data-testid="`row-actions-${item.id}`"
+                                variant="text"
+                                size="small"
+                                aria-label="Действия с тенантом"
+                            />
+                        </template>
+                        <v-list density="compact">
+                            <v-list-item
+                                :title="item.status === 'suspended' ? 'Разблокировать' : 'Приостановить'"
+                                prepend-icon="mdi-account-cancel"
+                                @click="openAction('status', item)"
+                            />
+                            <v-list-item
+                                title="Возврат средств"
+                                prepend-icon="mdi-cash-refund"
+                                @click="openAction('refund', item)"
+                            />
+                            <v-list-item
+                                title="Сменить тариф"
+                                prepend-icon="mdi-swap-horizontal"
+                                @click="openAction('tariff', item)"
+                            />
+                        </v-list>
+                    </v-menu>
+                </template>
             </v-data-table>
         </v-card>
+
+        <!-- Dialog: suspend / activate -->
+        <v-dialog :model-value="actionDialog === 'status'" max-width="480" @update:model-value="actionDialog = null">
+            <v-card>
+                <v-card-title>
+                    {{ actionRow?.status === 'suspended' ? 'Разблокировать тенанта' : 'Приостановить тенанта' }}
+                </v-card-title>
+                <v-card-text>
+                    <p class="mb-3 text-body-2">
+                        Тенант: <strong>{{ actionRow?.name }}</strong>
+                    </p>
+                    <v-alert
+                        v-if="actionError"
+                        type="error"
+                        variant="tonal"
+                        density="compact"
+                        class="mb-3"
+                        data-testid="action-error"
+                    >
+                        {{ actionError }}
+                    </v-alert>
+                    <v-textarea
+                        v-model="actionReason"
+                        label="Основание"
+                        placeholder="Минимум 10 символов"
+                        rows="3"
+                        variant="outlined"
+                        density="compact"
+                        data-testid="action-reason"
+                    />
+                </v-card-text>
+                <v-card-actions class="justify-end">
+                    <v-btn variant="text" @click="actionDialog = null">Отмена</v-btn>
+                    <v-btn
+                        :loading="actionLoading"
+                        color="primary"
+                        variant="flat"
+                        @click="confirmAction"
+                    >
+                        Подтвердить
+                    </v-btn>
+                </v-card-actions>
+            </v-card>
+        </v-dialog>
+
+        <!-- Dialog: refund -->
+        <v-dialog :model-value="actionDialog === 'refund'" max-width="480" @update:model-value="actionDialog = null">
+            <v-card>
+                <v-card-title>Возврат средств</v-card-title>
+                <v-card-text>
+                    <p class="mb-3 text-body-2">
+                        Тенант: <strong>{{ actionRow?.name }}</strong>
+                    </p>
+                    <v-alert
+                        v-if="actionError"
+                        type="error"
+                        variant="tonal"
+                        density="compact"
+                        class="mb-3"
+                        data-testid="action-error"
+                    >
+                        {{ actionError }}
+                    </v-alert>
+                    <v-text-field
+                        v-model.number="actionAmount"
+                        type="number"
+                        label="Сумма возврата, ₽"
+                        :hint="actionRow ? `доступно к возврату: ${formatRub(actionRow.balance_rub)}` : ''"
+                        persistent-hint
+                        variant="outlined"
+                        density="compact"
+                        class="mb-3"
+                        data-testid="refund-amount"
+                    />
+                    <v-textarea
+                        v-model="actionReason"
+                        label="Основание"
+                        placeholder="Минимум 10 символов"
+                        rows="3"
+                        variant="outlined"
+                        density="compact"
+                        data-testid="action-reason"
+                    />
+                </v-card-text>
+                <v-card-actions class="justify-end">
+                    <v-btn variant="text" @click="actionDialog = null">Отмена</v-btn>
+                    <v-btn
+                        :loading="actionLoading"
+                        color="primary"
+                        variant="flat"
+                        @click="confirmAction"
+                    >
+                        Выполнить возврат
+                    </v-btn>
+                </v-card-actions>
+            </v-card>
+        </v-dialog>
+
+        <!-- Dialog: change tariff -->
+        <v-dialog :model-value="actionDialog === 'tariff'" max-width="480" @update:model-value="actionDialog = null">
+            <v-card>
+                <v-card-title>Сменить тариф</v-card-title>
+                <v-card-text>
+                    <p class="mb-3 text-body-2">
+                        Тенант: <strong>{{ actionRow?.name }}</strong>
+                    </p>
+                    <v-alert
+                        v-if="actionError"
+                        type="error"
+                        variant="tonal"
+                        density="compact"
+                        class="mb-3"
+                        data-testid="action-error"
+                    >
+                        {{ actionError }}
+                    </v-alert>
+                    <v-select
+                        v-model="actionTariffId"
+                        :items="tariffPlans"
+                        item-title="name"
+                        item-value="id"
+                        label="Тарифный план"
+                        variant="outlined"
+                        density="compact"
+                        class="mb-3"
+                        data-testid="tariff-select"
+                    />
+                    <v-textarea
+                        v-model="actionReason"
+                        label="Основание"
+                        placeholder="Минимум 10 символов"
+                        rows="3"
+                        variant="outlined"
+                        density="compact"
+                        data-testid="action-reason"
+                    />
+                </v-card-text>
+                <v-card-actions class="justify-end">
+                    <v-btn variant="text" @click="actionDialog = null">Отмена</v-btn>
+                    <v-btn
+                        :loading="actionLoading"
+                        color="primary"
+                        variant="flat"
+                        @click="confirmAction"
+                    >
+                        Сменить тариф
+                    </v-btn>
+                </v-card-actions>
+            </v-card>
+        </v-dialog>
     </v-container>
 </template>
 

app/resources/js/views/admin/AdminIncidentDetailView.vue

@@ -0,0 +1,299 @@
+<script setup lang="ts">
+/**
+ * Карточка инцидента (drill-down из AdminIncidentsView).
+ *
+ * Sprint 3D G5/G6: детальный просмотр инцидента + кнопка «Уведомить РКН»
+ * (152-ФЗ — обязательное уведомление РКН для data_breach за 24ч).
+ *
+ * Маршрут: /admin/incidents/:id
+ */
+import { computed, onMounted, ref, watch } from 'vue';
+import { useRoute, useRouter } from 'vue-router';
+import { getAdminIncidentDetail, notifyIncidentRkn } from '../../api/admin';
+import type { ApiAdminIncidentDetail } from '../../api/admin';
+import { extractErrorMessage } from '../../api/client';
+
+const route = useRoute();
+const router = useRouter();
+
+const id = computed(() => Number(route.params.id));
+
+const incident = ref<ApiAdminIncidentDetail | null>(null);
+const loading = ref(false);
+const notFound = ref(false);
+const fetchError = ref<string | null>(null);
+const rknError = ref('');
+const rknLoading = ref(false);
+const rknDialog = ref(false);
+
+async function loadIncident(): Promise<void> {
+    loading.value = true;
+    fetchError.value = null;
+    notFound.value = false;
+    try {
+        incident.value = await getAdminIncidentDetail(id.value);
+    } catch (e: unknown) {
+        const status = (e as { response?: { status?: number } })?.response?.status;
+        if (status === 404) {
+            notFound.value = true;
+            incident.value = null;
+        } else {
+            fetchError.value = extractErrorMessage(e);
+        }
+    } finally {
+        loading.value = false;
+    }
+}
+
+onMounted(() => void loadIncident());
+watch(id, () => void loadIncident());
+
+async function confirmRkn(): Promise<void> {
+    rknLoading.value = true;
+    rknError.value = '';
+    try {
+        incident.value = await notifyIncidentRkn(id.value);
+        rknDialog.value = false;
+    } catch (e: unknown) {
+        rknError.value = extractErrorMessage(e);
+        // dialog stays open so error is visible
+    } finally {
+        rknLoading.value = false;
+    }
+}
+
+function goBack(): void {
+    void router.push({ name: 'admin-incidents' });
+}
+
+// Helpers (copied from AdminIncidentsView for self-containment)
+const statusMap: Record<string, { label: string; color: string }> = {
+    open: { label: 'Открыт', color: 'error' },
+    investigating: { label: 'Расследуется', color: 'warning' },
+    resolved: { label: 'Решён', color: 'info' },
+    closed: { label: 'Закрыт', color: 'success' },
+};
+function statusInfo(s: string) {
+    return statusMap[s] ?? { label: s, color: 'default' };
+}
+
+const severityMap: Record<string, { label: string; color: string }> = {
+    critical: { label: 'Critical', color: 'error' },
+    high: { label: 'High', color: 'warning' },
+    medium: { label: 'Medium', color: 'info' },
+    low: { label: 'Low', color: 'success' },
+};
+function severityInfo(s: string) {
+    return severityMap[s] ?? { label: s, color: 'default' };
+}
+
+function formatDate(iso: string | null): string {
+    if (!iso) return '—';
+    return new Date(iso).toLocaleString('ru-RU', {
+        day: '2-digit',
+        month: '2-digit',
+        year: 'numeric',
+        hour: '2-digit',
+        minute: '2-digit',
+    });
+}
+
+defineExpose({
+    incident,
+    loading,
+    notFound,
+    fetchError,
+    rknError,
+    rknLoading,
+    rknDialog,
+    loadIncident,
+    confirmRkn,
+});
+</script>
+
+<template>
+    <!-- Loading -->
+    <v-container v-if="loading" fluid class="pa-6" data-testid="incident-loading">
+        <v-progress-circular indeterminate color="primary" />
+        <span class="ml-3 text-medium-emphasis">Загрузка…</span>
+    </v-container>
+
+    <!-- Not found -->
+    <v-container v-else-if="notFound" fluid class="pa-6" data-testid="incident-not-found">
+        <v-alert type="error" variant="tonal" class="mb-4">
+            Инцидент <strong>#{{ id }}</strong> не найден.
+        </v-alert>
+        <v-btn variant="outlined" prepend-icon="mdi-arrow-left" @click="goBack">К списку инцидентов</v-btn>
+    </v-container>
+
+    <!-- Fetch error -->
+    <v-container v-else-if="fetchError" fluid class="pa-6" data-testid="incident-fetch-error">
+        <v-alert type="warning" variant="tonal" class="mb-4">
+            Не удалось загрузить инцидент: {{ fetchError }}
+        </v-alert>
+        <div class="d-flex ga-2">
+            <v-btn variant="outlined" prepend-icon="mdi-refresh" @click="loadIncident">Повторить</v-btn>
+            <v-btn variant="text" prepend-icon="mdi-arrow-left" @click="goBack">К списку</v-btn>
+        </div>
+    </v-container>
+
+    <!-- Content -->
+    <v-container v-else-if="incident" fluid class="incident-detail pa-6">
+        <!-- Header -->
+        <header class="d-flex justify-space-between align-start mb-4 flex-wrap ga-2">
+            <div>
+                <div class="d-flex align-center ga-2 mb-1">
+                    <span class="font-mono text-caption text-medium-emphasis">{{ incident.incident_id }}</span>
+                    <v-chip :color="severityInfo(incident.severity).color" size="x-small" variant="tonal">
+                        {{ severityInfo(incident.severity).label }}
+                    </v-chip>
+                    <v-chip :color="statusInfo(incident.status).color" size="x-small" variant="tonal">
+                        {{ statusInfo(incident.status).label }}
+                    </v-chip>
+                </div>
+                <h1 class="text-h5 font-weight-medium">{{ incident.summary }}</h1>
+            </div>
+            <v-btn variant="outlined" prepend-icon="mdi-arrow-left" @click="goBack">Назад</v-btn>
+        </header>
+
+        <v-row>
+            <!-- Main details -->
+            <v-col cols="12" md="8">
+                <v-card variant="outlined" class="pa-4 mb-4">
+                    <h2 class="text-h6 mb-3">Детали инцидента</h2>
+
+                    <div v-if="incident.root_cause" class="mb-3">
+                        <div class="text-caption text-medium-emphasis">Корневая причина</div>
+                        <div>{{ incident.root_cause }}</div>
+                    </div>
+
+                    <div v-if="incident.postmortem_url" class="mb-3">
+                        <div class="text-caption text-medium-emphasis">Postmortem</div>
+                        <a :href="incident.postmortem_url" target="_blank" rel="noopener">
+                            {{ incident.postmortem_url }}
+                        </a>
+                    </div>
+
+                    <v-divider class="my-3" />
+
+                    <v-row dense>
+                        <v-col cols="6">
+                            <div class="text-caption text-medium-emphasis">Начался</div>
+                            <div>{{ formatDate(incident.started_at) }}</div>
+                        </v-col>
+                        <v-col cols="6">
+                            <div class="text-caption text-medium-emphasis">Обнаружен</div>
+                            <div>{{ formatDate(incident.detected_at) }}</div>
+                        </v-col>
+                        <v-col cols="6" class="mt-2">
+                            <div class="text-caption text-medium-emphasis">Решён</div>
+                            <div>{{ formatDate(incident.resolved_at) }}</div>
+                        </v-col>
+                        <v-col v-if="incident.affected_users_count !== null" cols="6" class="mt-2">
+                            <div class="text-caption text-medium-emphasis">Затронуто пользователей</div>
+                            <div>{{ incident.affected_users_count }}</div>
+                        </v-col>
+                    </v-row>
+                </v-card>
+
+                <!-- Affected tenants -->
+                <v-card variant="outlined" class="pa-4 mb-4">
+                    <h2 class="text-h6 mb-3">Затронутые тенанты ({{ incident.affected_tenants.length }})</h2>
+                    <div v-if="incident.affected_tenants.length === 0" class="text-medium-emphasis text-body-2">
+                        Нет данных
+                    </div>
+                    <v-list v-else density="compact">
+                        <v-list-item
+                            v-for="t in incident.affected_tenants"
+                            :key="t.id"
+                            :title="t.organization_name"
+                            :subtitle="`ID: ${t.id}`"
+                        />
+                    </v-list>
+                </v-card>
+            </v-col>
+
+            <!-- РКН section -->
+            <v-col cols="12" md="4">
+                <v-card v-if="incident.type === 'data_breach'" variant="outlined" class="pa-4 mb-4">
+                    <h2 class="text-h6 mb-3">Уведомление РКН (152-ФЗ)</h2>
+
+                    <div v-if="incident.rkn_notified">
+                        <v-icon color="success" class="mr-1">mdi-check-circle</v-icon>
+                        РКН уведомлён {{ formatDate(incident.rkn_notified_at) }}
+                    </div>
+
+                    <template v-else>
+                        <div v-if="incident.rkn_deadline_at" class="mb-3">
+                            <div class="text-caption text-medium-emphasis">Дедлайн</div>
+                            <div class="text-error font-weight-medium">{{ formatDate(incident.rkn_deadline_at) }}</div>
+                        </div>
+
+                        <v-btn
+                            data-testid="rkn-notify-btn"
+                            color="error"
+                            :loading="rknLoading"
+                            block
+                            @click="rknDialog = true"
+                        >
+                            Уведомить РКН
+                        </v-btn>
+                    </template>
+
+                    <v-alert
+                        v-if="rknError"
+                        type="error"
+                        variant="tonal"
+                        density="compact"
+                        class="mt-3"
+                        data-testid="rkn-error"
+                    >
+                        {{ rknError }}
+                    </v-alert>
+                </v-card>
+
+                <!-- Admin meta -->
+                <v-card variant="outlined" class="pa-4">
+                    <h2 class="text-h6 mb-3">Служебная информация</h2>
+                    <div v-if="incident.created_by_admin" class="mb-2">
+                        <div class="text-caption text-medium-emphasis">Создал</div>
+                        <div>{{ incident.created_by_admin }}</div>
+                    </div>
+                    <div v-if="incident.closed_by_admin" class="mb-2">
+                        <div class="text-caption text-medium-emphasis">Закрыл</div>
+                        <div>{{ incident.closed_by_admin }}</div>
+                    </div>
+                    <div v-if="incident.created_at">
+                        <div class="text-caption text-medium-emphasis">Создан</div>
+                        <div>{{ formatDate(incident.created_at) }}</div>
+                    </div>
+                </v-card>
+            </v-col>
+        </v-row>
+
+        <!-- РКН confirm dialog -->
+        <v-dialog v-model="rknDialog" max-width="480">
+            <v-card>
+                <v-card-title class="text-h6">Подтверждение уведомления РКН</v-card-title>
+                <v-card-text>
+                    Это юридически значимое действие. После подтверждения будет зафиксировано время уведомления
+                    регулятора (152-ФЗ). Продолжить?
+                </v-card-text>
+                <v-card-actions>
+                    <v-spacer />
+                    <v-btn variant="text" @click="rknDialog = false">Отмена</v-btn>
+                    <v-btn color="error" :loading="rknLoading" @click="confirmRkn">Подтвердить</v-btn>
+                </v-card-actions>
+            </v-card>
+        </v-dialog>
+    </v-container>
+</template>
+
+<style scoped>
+.incident-detail {
+    max-width: 1200px;
+}
+.font-mono {
+    font-family: 'JetBrains Mono', ui-monospace, monospace;
+}
+</style>

app/resources/js/views/admin/AdminIncidentsView.vue

@@ -11,6 +11,7 @@
  */
 import { ADMIN_INCIDENTS } from '../../composables/mockAdmin';
 import { computed, onMounted, reactive, ref } from 'vue';
+import { useRouter } from 'vue-router';
 import { usePolling } from '../../composables/usePolling';
 import * as adminApi from '../../api/admin';
 
@@ -29,6 +30,8 @@ interface IncidentRow {
     rkn_deadline_at: string | null;
 }
 
+const router = useRouter();
+
 const filterStatus = ref<string>('all');
 
 const statusMap: Record<string, { label: string; color: string }> = {
@@ -210,7 +213,14 @@ function formatDate(iso: string): string {
             </div>
 
             <v-list lines="three" class="incidents-list">
-                <v-list-item v-for="row in filteredRows" :key="row.id" class="incident-row">
+                <v-list-item
+                    v-for="row in filteredRows"
+                    :key="row.id"
+                    class="incident-row"
+                    :data-testid="`incident-row-${row.id}`"
+                    style="cursor: pointer"
+                    @click="router.push({ name: 'admin-incident-detail', params: { id: row.id } })"
+                >
                     <div class="incident-header">
                         <span class="font-mono text-caption text-medium-emphasis">{{ row.incident_id }}</span>
                         <v-chip :color="severityInfo(row.severity).color" size="x-small" variant="tonal" class="ml-2">

app/resources/js/views/admin/AdminPricingTiersView.vue

@@ -2,6 +2,19 @@
     <div class="admin-pricing-tiers-view">
         <h1 class="text-h4 mb-6">Тарифная сетка</h1>
 
+        <v-alert
+            v-if="errorMessage"
+            type="error"
+            variant="tonal"
+            class="mb-4"
+            density="compact"
+            data-testid="pricing-error-alert"
+            closable
+            @click:close="errorMessage = null"
+        >
+            {{ errorMessage }}
+        </v-alert>
+
         <v-card class="mb-6" elevation="1">
             <v-card-title>
                 Текущая активная сетка
@@ -88,21 +101,31 @@
                 </v-card-actions>
             </v-card>
         </v-dialog>
+
+        <v-snackbar
+            v-model="successToastOpen"
+            :timeout="4000"
+            color="success"
+            location="bottom right"
+            data-testid="pricing-success-toast"
+        >
+            {{ successMessage }}
+        </v-snackbar>
     </div>
 </template>
 
 <script setup lang="ts">
 import { ref, computed, onMounted } from 'vue';
 import axios from 'axios';
+import { extractErrorMessage } from '../../api/client';
 
 /**
- * SaaS-admin → Тарифная сетка (Plan 4 Task 9).
+ * SaaS-admin → Тарифная сетка (Plan 4 Task 9, Sprint 1 G1 error handling).
  *
  * Backend: AdminPricingTiersController (GET/POST/DELETE).
  * Палитра Forest + JetBrains Mono для tnum-цифр.
  *
- * defineExpose ниже — для Vitest unit-тестов (`load`/`submit`/`confirmDelete`/
- * `editorOpen`/`active`/`scheduled`/`editor`). На прод-сборку это не влияет.
+ * defineExpose ниже — для Vitest unit-тестов.
  */
 
 interface Tier {
@@ -122,6 +145,11 @@ const scheduled = ref<Record<string, Tier[]>>({});
 const editorOpen = ref(false);
 const saving = ref(false);
 
+// Sprint 1 G1: error/success state для UI feedback.
+const errorMessage = ref<string | null>(null);
+const successMessage = ref<string | null>(null);
+const successToastOpen = ref(false);
+
 const defaultEditor: EditorRow[] = [
     { tier_no: 1, leads_in_tier: 100, price_rub: '500.00' },
     { tier_no: 2, leads_in_tier: 200, price_rub: '450.00' },
@@ -149,17 +177,28 @@ const nextMonthStart = computed(() => {
 const hasScheduled = computed(() => Object.keys(scheduled.value).length > 0);
 
 async function load(): Promise<void> {
-    const { data } = await axios.get('/api/admin/pricing-tiers');
-    active.value = data.data.active;
-    scheduled.value = data.data.scheduled || {};
+    try {
+        const { data } = await axios.get('/api/admin/pricing-tiers');
+        active.value = data.data.active;
+        scheduled.value = data.data.scheduled || {};
+    } catch (err) {
+        errorMessage.value = extractErrorMessage(err, 'Не удалось загрузить тарифную сетку.');
+    }
 }
 
 async function submit(): Promise<void> {
     saving.value = true;
+    errorMessage.value = null;
+    successMessage.value = null;
     try {
         await axios.post('/api/admin/pricing-tiers', { tiers: editor.value });
         editorOpen.value = false;
+        successMessage.value = `Сохранено: новая сетка вступит в силу с ${nextMonthStart.value}.`;
+        successToastOpen.value = true;
         await load();
+    } catch (err) {
+        errorMessage.value = extractErrorMessage(err, 'Не удалось сохранить тарифную сетку.');
+        // Диалог остаётся открытым — пользователь может исправить и повторить.
     } finally {
         saving.value = false;
     }
@@ -169,13 +208,33 @@ async function confirmDelete(effectiveFrom: string): Promise<void> {
     if (!window.confirm(`Удалить запланированный набор с ${effectiveFrom}?`)) {
         return;
     }
-    await axios.delete(`/api/admin/pricing-tiers/scheduled/${effectiveFrom}`);
-    await load();
+    errorMessage.value = null;
+    successMessage.value = null;
+    try {
+        await axios.delete(`/api/admin/pricing-tiers/scheduled/${effectiveFrom}`);
+        successMessage.value = `Удалено: запланированный набор с ${effectiveFrom}.`;
+        successToastOpen.value = true;
+        await load();
+    } catch (err) {
+        errorMessage.value = extractErrorMessage(err, 'Не удалось удалить запланированный набор.');
+    }
 }
 
 onMounted(load);
 
-defineExpose({ load, submit, confirmDelete, editorOpen, active, scheduled, editor });
+defineExpose({
+    load,
+    submit,
+    confirmDelete,
+    editorOpen,
+    active,
+    scheduled,
+    editor,
+    errorMessage,
+    successMessage,
+    successToastOpen,
+    saving,
+});
 </script>
 
 <style scoped>

app/resources/js/views/admin/AdminSupplierPricesView.vue

@@ -1,6 +1,20 @@
 <template>
     <div class="admin-supplier-prices-view">
         <h1 class="text-h4 mb-6">Цены поставщиков (закупка)</h1>
+
+        <v-alert
+            v-if="fetchError"
+            type="warning"
+            variant="tonal"
+            class="mb-4"
+            density="compact"
+            data-testid="suppliers-fetch-error"
+            closable
+            @click:close="fetchError = null"
+        >
+            {{ fetchError }}
+        </v-alert>
+
         <v-card elevation="1">
             <v-data-table :headers="headers" :items="suppliers" density="comfortable" class="numeric-tnum">
                 <template #[`item.cost_rub`]="{ item }">
@@ -38,27 +52,52 @@
                     />
                 </template>
                 <template #[`item.actions`]="{ item }">
-                    <v-btn size="small" color="primary" :loading="!!saving[item.id]" @click="save(item)">
-                        Сохранить
-                    </v-btn>
+                    <div class="d-flex flex-column align-end ga-1">
+                        <v-btn size="small" color="primary" :loading="!!saving[item.id]" @click="save(item)">
+                            Сохранить
+                        </v-btn>
+                        <v-tooltip v-if="errorMessages[item.id]" location="left">
+                            <template #activator="{ props: tooltipProps }">
+                                <v-icon
+                                    v-bind="tooltipProps"
+                                    color="error"
+                                    size="small"
+                                    :data-testid="`supplier-error-${item.id}`"
+                                >
+                                    mdi-alert-circle
+                                </v-icon>
+                            </template>
+                            <span>{{ errorMessages[item.id] }}</span>
+                        </v-tooltip>
+                    </div>
                 </template>
             </v-data-table>
         </v-card>
+
+        <v-snackbar
+            v-model="successToastOpen"
+            :timeout="3000"
+            color="success"
+            location="bottom right"
+            data-testid="supplier-success-toast"
+        >
+            {{ successToastText }}
+        </v-snackbar>
     </div>
 </template>
 
 <script setup lang="ts">
 import { ref, onMounted, reactive } from 'vue';
 import axios from 'axios';
+import { extractErrorMessage } from '../../api/client';
 
 /**
- * SaaS-admin → Цены поставщиков (Plan 4 Task 10).
+ * SaaS-admin → Цены поставщиков (Plan 4 Task 10, Sprint 1 G2 error handling).
  *
  * Backend: AdminSuppliersController (GET/PATCH).
  * Палитра Forest + JetBrains Mono для tnum-цифр.
  *
- * defineExpose ниже — для Vitest unit-тестов (`load`/`save`/`suppliers`/
- * `saving`). На прод-сборку это не влияет.
+ * defineExpose ниже — для Vitest unit-тестов.
  */
 
 interface SupplierRow {
@@ -72,6 +111,10 @@ interface SupplierRow {
 
 const suppliers = ref<SupplierRow[]>([]);
 const saving = reactive<Record<number, boolean>>({});
+const errorMessages = reactive<Record<number, string>>({});
+const fetchError = ref<string | null>(null);
+const successToastOpen = ref(false);
+const successToastText = ref('');
 
 const headers = [
     { title: 'Code', key: 'code', sortable: false, width: 80 },
@@ -83,18 +126,28 @@ const headers = [
 ];
 
 async function load(): Promise<void> {
-    const { data } = await axios.get('/api/admin/suppliers');
-    suppliers.value = data.data;
+    fetchError.value = null;
+    try {
+        const { data } = await axios.get('/api/admin/suppliers');
+        suppliers.value = data.data;
+    } catch (err) {
+        fetchError.value = extractErrorMessage(err, 'Не удалось загрузить список поставщиков.');
+    }
 }
 
 async function save(s: SupplierRow): Promise<void> {
     saving[s.id] = true;
+    delete errorMessages[s.id]; // очистить предыдущую ошибку перед retry
     try {
         await axios.patch(`/api/admin/suppliers/${s.id}`, {
             cost_rub: s.cost_rub,
             quality_score: s.quality_score,
             is_active: s.is_active,
         });
+        successToastText.value = `Сохранено: ${s.name} (${s.code}).`;
+        successToastOpen.value = true;
+    } catch (err) {
+        errorMessages[s.id] = extractErrorMessage(err, 'Не удалось сохранить изменения.');
     } finally {
         saving[s.id] = false;
     }
@@ -102,7 +155,7 @@ async function save(s: SupplierRow): Promise<void> {
 
 onMounted(load);
 
-defineExpose({ load, save, suppliers, saving });
+defineExpose({ load, save, suppliers, saving, errorMessages, fetchError, successToastOpen, successToastText });
 </script>
 
 <style scoped>

app/resources/js/views/auth/RecoveryCodesView.story.vue

@@ -1,24 +0,0 @@
-<script setup lang="ts">
-import RecoveryCodesView from './RecoveryCodesView.vue';
-</script>
-
-<template>
-    <Story title="Auth / RecoveryCodesView" :layout="{ type: 'single', iframe: true }">
-        <Variant title="default">
-            <v-app>
-                <v-main class="story-form-pane">
-                    <v-container class="d-flex justify-center align-center fill-height">
-                        <RecoveryCodesView />
-                    </v-container>
-                </v-main>
-            </v-app>
-        </Variant>
-    </Story>
-</template>
-
-<style scoped>
-.story-form-pane {
-    background: #f6f3ec;
-    min-height: 100vh;
-}
-</style>

app/resources/js/views/auth/RecoveryCodesView.vue

@@ -1,113 +0,0 @@
-<script setup lang="ts">
-/**
- * Экран резервных кодов (RecoveryCodesView).
- *
- * Источник дизайна: liderra_v8_handoff/concepts/v8_login.html секция #form-recovery.
- * Источник логики: ТЗ v8.5 §1.6 / Прил. Г.4.2 — 8 одноразовых 8-символьных кодов;
- * после использования код в БД удаляется (recovery_codes table); генерируются один
- * раз при включении 2FA, посмотреть повторно нельзя — только перегенерация.
- *
- * MVP: коды-заглушки. Реальные коды будут с backend через POST /2fa/recovery-codes.
- */
-import { ref } from 'vue';
-
-// TODO(phase2): получать из API после step1 настройки 2FA.
-const codes = ref([
-    'A4FX-91KZ',
-    '9MRT-2P3D',
-    'QH7B-XK4N',
-    '5VLW-T8RY',
-    'B2ZJ-N6FP',
-    'D3WK-Q9MX',
-    '7YHC-8GVB',
-    'RP4S-K1NA',
-]);
-
-function downloadTxt() {
-    const blob = new Blob([codes.value.join('\n') + '\n'], { type: 'text/plain;charset=utf-8' });
-    const url = URL.createObjectURL(blob);
-    const a = document.createElement('a');
-    a.href = url;
-    a.download = 'liderra-recovery-codes.txt';
-    document.body.appendChild(a);
-    a.click();
-    document.body.removeChild(a);
-    URL.revokeObjectURL(url);
-}
-
-async function copyAll() {
-    try {
-        await navigator.clipboard.writeText(codes.value.join('\n'));
-    } catch {
-        // Fallback на legacy execCommand добавим только если будут жалобы — у нас HTTPS-only.
-    }
-}
-
-function handleContinue() {
-    // TODO(phase2): редирект на /dashboard.
-}
-</script>
-
-<template>
-    <v-card variant="flat" :max-width="420" width="100%" color="transparent" class="recovery-card">
-        <header class="recovery-header">
-            <h1 class="text-h5 mb-1">Резервные коды</h1>
-            <p class="text-body-2 text-medium-emphasis ma-0">
-                Сохраните эти 8 одноразовых кодов в безопасном месте. Каждый можно использовать только раз вместо 2FA.
-            </p>
-        </header>
-
-        <div class="codes-grid">
-            <span v-for="code in codes" :key="code" class="code-item">{{ code }}</span>
-        </div>
-
-        <v-alert type="warning" variant="tonal" density="compact">
-            <strong>После закрытия страницы коды нельзя посмотреть снова</strong>. Скачайте файл или сделайте скриншот.
-        </v-alert>
-
-        <div class="d-flex ga-2">
-            <v-btn variant="outlined" prepend-icon="mdi-download" @click="downloadTxt"> Скачать .txt </v-btn>
-            <v-btn variant="outlined" prepend-icon="mdi-content-copy" @click="copyAll"> Копировать </v-btn>
-        </div>
-
-        <v-btn color="primary" block size="large" variant="flat" @click="handleContinue"> Понятно — продолжить </v-btn>
-    </v-card>
-</template>
-
-<style scoped>
-.recovery-card {
-    display: flex;
-    flex-direction: column;
-    gap: 16px;
-}
-
-.recovery-header h1 {
-    font-variation-settings: 'opsz' 26;
-    letter-spacing: -0.018em;
-}
-
-.codes-grid {
-    display: grid;
-    grid-template-columns: 1fr 1fr;
-    gap: 8px;
-}
-
-.code-item {
-    font-family: 'JetBrains Mono', ui-monospace, monospace;
-    font-size: 14px;
-    font-weight: 500;
-    padding: 10px 12px;
-    background: #fff;
-    border: 1px solid #d9d5cd;
-    border-radius: 6px;
-    text-align: center;
-    letter-spacing: 0.04em;
-}
-
-/* WCAG2AA contrast fix for Vuetify warning tonal variant (2.03:1 → ≥4.5:1).
-   Pa11y baseline 2026-05-14 — see docs/audit-baseline-pa11y.md. */
-.recovery-card :deep(.v-alert--variant-tonal.bg-warning .v-alert__content),
-.recovery-card :deep(.v-alert--variant-tonal.text-warning .v-alert__content) {
-    color: #0a0700;
-}
-</style>

app/resources/js/views/legal/LegalDocView.vue

@@ -0,0 +1,68 @@
+<script setup lang="ts">
+/**
+ * Правовые документы — заглушки оферты и политики конфиденциальности.
+ *
+ * Audit A7: ссылки /legal/offer и /legal/privacy в подвале AuthLayout вели
+ * на 404 (catch-all). Финальные тексты документов требуют юридической
+ * редактуры (реестр K3 / блокер Б-1) — до этого страницы показывают честную
+ * заглушку «документ готовится», а не фейк-текст (юридический риск).
+ *
+ * Один view на оба документа (DRY): контент выбирается по route.params.doc.
+ * Маршрут /legal/:doc(offer|privacy) — иные значения отсекает regex-constraint,
+ * уходя в catch-all 404.
+ */
+import { computed } from 'vue';
+import { useRoute } from 'vue-router';
+
+interface LegalDoc {
+    title: string;
+    intro: string;
+}
+
+const DOCS: Record<'offer' | 'privacy', LegalDoc> = {
+    offer: {
+        title: 'Договор-оферта',
+        intro: 'Публичная оферта на оказание услуг сервиса «Лидерра» — условия использования платформы, права и обязанности сторон, порядок оплаты.',
+    },
+    privacy: {
+        title: 'Политика конфиденциальности',
+        intro: 'Порядок обработки и защиты персональных данных пользователей сервиса «Лидерра» в соответствии с Федеральным законом № 152-ФЗ «О персональных данных».',
+    },
+};
+
+const route = useRoute();
+const doc = computed<LegalDoc>(() => (String(route.params.doc) === 'privacy' ? DOCS.privacy : DOCS.offer));
+</script>
+
+<template>
+    <v-card variant="flat" :max-width="480" width="100%" color="transparent" class="legal-card">
+        <header class="legal-header">
+            <h1 class="text-h5 mb-1">{{ doc.title }}</h1>
+            <p class="text-body-2 text-medium-emphasis ma-0">{{ doc.intro }}</p>
+        </header>
+
+        <v-alert type="info" variant="tonal" density="compact" role="note" data-testid="legal-stub-notice">
+            Финальная редакция документа готовится и будет опубликована до запуска сервиса.
+        </v-alert>
+
+        <RouterLink to="/login" class="text-body-2 text-primary legal-back">← Вернуться ко входу</RouterLink>
+    </v-card>
+</template>
+
+<style scoped>
+.legal-card {
+    display: flex;
+    flex-direction: column;
+    gap: 16px;
+}
+.legal-header h1 {
+    font-variation-settings: 'opsz' 24;
+    letter-spacing: -0.01em;
+}
+.legal-back {
+    text-decoration: none;
+}
+.legal-back:hover {
+    text-decoration: underline;
+}
+</style>

app/resources/js/views/projects/NewProjectDialog.vue

@@ -76,34 +76,12 @@
                     :error-messages="errors.daily_limit_target"
                 />
 
-                <v-autocomplete
-                    v-model="form.regions"
-                    :items="selectableRegions"
-                    item-title="name"
-                    item-value="code"
-                    label="Регионы (пусто = вся РФ)"
-                    multiple
-                    chips
-                    clearable
-                    density="comfortable"
-                    class="ld-input-quiet"
-                    data-testid="regions-autocomplete"
-                >
-                    <template #item="{ props: itemProps, item }">
-                        <v-list-item v-bind="itemProps">
-                            <template #subtitle>
-                                {{ FEDERAL_DISTRICT_NAMES[item.raw.federalDistrict] || '' }}
-                            </template>
-                        </v-list-item>
-                    </template>
-                </v-autocomplete>
-
                 <v-alert
                     v-if="generalError"
                     type="error"
                     variant="tonal"
                     density="compact"
-                    class="mt-3"
+                    class="mb-3"
                     closable
                     @click:close="generalError = null"
                 >
@@ -136,12 +114,9 @@
 <script setup lang="ts">
 import { ref, reactive, watch } from 'vue';
 import { apiClient, ensureCsrfCookie, extractErrorMessage } from '../../api/client';
-import { REGIONS, FEDERAL_DISTRICT_NAMES } from '../../constants/regions';
 import type { Project } from '../../stores/projectsStore';
 import DevIndexBadge from '../../components/DevIndexBadge.vue';
 
-const selectableRegions = REGIONS.filter((r) => r.code !== 0);
-
 const props = defineProps<{
     modelValue: boolean;
     mode?: 'create' | 'edit';
@@ -149,8 +124,9 @@ const props = defineProps<{
 }>();
 const emit = defineEmits(['update:modelValue', 'saved']);
 
-// Plan 6: regions = subject codes (1..89) — backend dual-writes region_mask/region_mode.
-// Пустой массив = вся РФ.
+// region_mask=255 = все 8 ФО (schema default, см. db/schema.sql §projects).
+// PDD regions UI отключён до закрытия Plan 6 — конфликт с 8-битной ФО-маской
+// в PhonePrefixService.php (1 phone prefix ↔ 1 ФО, не субъект).
 const form = reactive({
     name: '',
     signal_type: 'site' as 'site' | 'call' | 'sms',
@@ -158,7 +134,8 @@ const form = reactive({
     sms_senders: [] as string[],
     sms_keyword: '',
     daily_limit_target: 50,
-    regions: [] as number[],
+    region_mask: 255,
+    region_mode: 'include' as 'include' | 'exclude',
     delivery_days_mask: 127,
 });
 const errors = reactive<Record<string, string[]>>({});
@@ -182,7 +159,6 @@ watch(
         if (open) generalError.value = null;
         if (open && props.mode === 'edit' && props.project) {
             Object.assign(form, props.project);
-            form.regions = Array.isArray(props.project.regions) ? [...props.project.regions] : [];
             const days: number[] = [];
             for (let i = 0; i < 7; i++) if (form.delivery_days_mask & (1 << i)) days.push(i);
             selectedDays.value = days;
@@ -194,7 +170,8 @@ watch(
                 sms_senders: [],
                 sms_keyword: '',
                 daily_limit_target: 50,
-                regions: [],
+                region_mask: 255,
+                region_mode: 'include',
                 delivery_days_mask: 127,
             });
             selectedDays.value = [0, 1, 2, 3, 4, 5, 6];

app/resources/js/views/settings/ApiTab.vue

@@ -1,18 +1,150 @@
 <script setup lang="ts">
 /**
- * Settings → API и Webhook. Token + endpoint URL + signing secret + история webhook-вызовов.
- * Источник дизайна: liderra_v8_handoff/concepts/v8_settings.html секция #api.
+ * Settings → API и Webhook (audit D2/D3/D4/D5 + J5).
  *
- * Реальная логика по ТЗ §5/§5.5 + schema v8.7 webhook_dedup_keys (CTO-17 addendum).
- * Token + secret НЕ показываются в открытом виде после генерации (single-time view).
+ * API-ключ: GET /api/api-keys показывает key_prefix; «Копировать» — clipboard
+ *   + toast; «Перегенерировать» — POST /api/api-keys/regenerate, полный ключ
+ *   показывается ОДИН раз (затем доступен только префикс).
+ * Webhook: GET/PUT /api/tenants/me/webhook-settings (target_url + secret_prefix),
+ *   «Тестовый webhook» — POST /api/webhooks/test (реальный unsigned POST).
+ *
+ * Полный ключ и полный секрет показываются один раз — в БД только bcrypt-хэши.
+ * Подписанная outbound-доставка событий — пост-MVP.
  */
-import { ref } from 'vue';
+import { onMounted, ref } from 'vue';
+import { listApiKeys, regenerateApiKey } from '../../api/apiKeys';
+import { getWebhookSettings, saveWebhookSettings, testWebhook } from '../../api/webhooks';
+import { extractErrorMessage } from '../../api/client';
 
-const apiToken = ref('lpkapi_7g8h********************************2klm');
-const webhookUrl = ref('https://crm.example.ru/api/webhook/leads');
-const signingSecret = ref('whsec_********************************************');
+// --- API-ключ ---
+const apiKeyExists = ref(false);
+const apiTokenDisplay = ref('');
+const fullKeyShown = ref(false);
 const tokenVisible = ref(false);
+const apiKeyError = ref<string | null>(null);
+const regenDialogOpen = ref(false);
+const regenerating = ref(false);
+
+// --- Webhook ---
+const webhookUrl = ref('');
+const secretDisplay = ref('');
+const fullSecretShown = ref(false);
 const secretVisible = ref(false);
+const webhookError = ref<string | null>(null);
+const webhookSuccess = ref<string | null>(null);
+const savingWebhook = ref(false);
+const testingWebhook = ref(false);
+
+// --- общий toast (D2 copy + D5 test) ---
+const toastOpen = ref(false);
+const toastText = ref('');
+const toastColor = ref<'success' | 'error'>('success');
+
+function showToast(text: string, color: 'success' | 'error' = 'success'): void {
+    toastText.value = text;
+    toastColor.value = color;
+    toastOpen.value = true;
+}
+
+async function loadApiKey(): Promise<void> {
+    apiKeyError.value = null;
+    try {
+        const keys = await listApiKeys();
+        const active = keys[0];
+        if (active) {
+            apiKeyExists.value = true;
+            apiTokenDisplay.value = active.key_prefix;
+            fullKeyShown.value = false;
+        } else {
+            apiKeyExists.value = false;
+            apiTokenDisplay.value = '';
+        }
+    } catch (err) {
+        apiKeyError.value = extractErrorMessage(err, 'Не удалось загрузить API-ключ.');
+    }
+}
+
+async function loadWebhook(): Promise<void> {
+    webhookError.value = null;
+    try {
+        const settings = await getWebhookSettings();
+        if (settings) {
+            webhookUrl.value = settings.target_url;
+            secretDisplay.value = settings.secret_prefix;
+            fullSecretShown.value = false;
+        }
+    } catch (err) {
+        webhookError.value = extractErrorMessage(err, 'Не удалось загрузить настройки webhook.');
+    }
+}
+
+onMounted(() => {
+    void loadApiKey();
+    void loadWebhook();
+});
+
+async function copyToken(): Promise<void> {
+    if (apiTokenDisplay.value === '') return;
+    try {
+        await navigator.clipboard.writeText(apiTokenDisplay.value);
+        showToast('Скопировано в буфер обмена.', 'success');
+    } catch {
+        showToast('Не удалось скопировать — выделите и скопируйте вручную.', 'error');
+    }
+}
+
+async function confirmRegenerate(): Promise<void> {
+    regenerating.value = true;
+    apiKeyError.value = null;
+    try {
+        const result = await regenerateApiKey();
+        apiTokenDisplay.value = result.key;
+        fullKeyShown.value = true;
+        apiKeyExists.value = true;
+        tokenVisible.value = true;
+        regenDialogOpen.value = false;
+    } catch (err) {
+        apiKeyError.value = extractErrorMessage(err, 'Не удалось перегенерировать ключ.');
+        regenDialogOpen.value = false;
+    } finally {
+        regenerating.value = false;
+    }
+}
+
+async function saveWebhook(): Promise<void> {
+    if (savingWebhook.value) return;
+    savingWebhook.value = true;
+    webhookError.value = null;
+    webhookSuccess.value = null;
+    try {
+        const result = await saveWebhookSettings({ target_url: webhookUrl.value });
+        if (result.secret) {
+            secretDisplay.value = result.secret;
+            fullSecretShown.value = true;
+            secretVisible.value = true;
+        } else {
+            secretDisplay.value = result.secret_prefix;
+        }
+        webhookSuccess.value = 'Настройки webhook сохранены.';
+    } catch (err) {
+        webhookError.value = extractErrorMessage(err, 'Не удалось сохранить webhook.');
+    } finally {
+        savingWebhook.value = false;
+    }
+}
+
+async function runWebhookTest(): Promise<void> {
+    if (testingWebhook.value) return;
+    testingWebhook.value = true;
+    try {
+        const result = await testWebhook();
+        showToast(result.message, result.ok ? 'success' : 'error');
+    } catch (err) {
+        showToast(extractErrorMessage(err, 'Не удалось отправить тестовый запрос.'), 'error');
+    } finally {
+        testingWebhook.value = false;
+    }
+}
 </script>
 
 <template>
@@ -25,18 +157,60 @@ const secretVisible = ref(false);
                 Используется для подписи запросов в публичный API CRM. После регенерации старый ключ перестаёт работать
                 немедленно.
             </p>
+
+            <v-alert
+                v-if="apiKeyError"
+                type="warning"
+                variant="tonal"
+                density="compact"
+                class="mb-3"
+                closable
+                data-testid="api-key-error"
+                @click:close="apiKeyError = null"
+            >
+                {{ apiKeyError }}
+            </v-alert>
+            <v-alert
+                v-if="fullKeyShown"
+                type="warning"
+                variant="tonal"
+                density="compact"
+                class="mb-3"
+                data-testid="api-key-once-notice"
+            >
+                Новый ключ показывается <strong>один раз</strong>. Скопируйте и сохраните его сейчас.
+            </v-alert>
+
             <v-text-field
-                :model-value="apiToken"
+                :model-value="apiTokenDisplay"
                 :type="tokenVisible ? 'text' : 'password'"
+                :placeholder="apiKeyExists ? '' : 'Ключ ещё не создан — нажмите «Перегенерировать»'"
                 readonly
                 variant="outlined"
                 density="comfortable"
+                data-testid="api-key-field"
                 :append-inner-icon="tokenVisible ? 'mdi-eye-off' : 'mdi-eye'"
                 @click:append-inner="tokenVisible = !tokenVisible"
             />
             <div class="d-flex ga-2 mt-2">
-                <v-btn variant="outlined" size="small" prepend-icon="mdi-content-copy">Копировать</v-btn>
-                <v-btn variant="outlined" size="small" color="warning" prepend-icon="mdi-refresh">
+                <v-btn
+                    variant="outlined"
+                    size="small"
+                    prepend-icon="mdi-content-copy"
+                    :disabled="!apiTokenDisplay"
+                    data-testid="api-key-copy-btn"
+                    @click="copyToken"
+                >
+                    Копировать
+                </v-btn>
+                <v-btn
+                    variant="outlined"
+                    size="small"
+                    color="warning"
+                    prepend-icon="mdi-refresh"
+                    data-testid="api-key-regen-btn"
+                    @click="regenDialogOpen = true"
+                >
                     Перегенерировать
                 </v-btn>
             </div>
@@ -48,22 +222,117 @@ const secretVisible = ref(false);
                 URL источника лидов отправляет POST с подписью HMAC-SHA256. Дедуп по
                 <code>(tenant_id, source_crm_id)</code> в окне 24 ч (антифрод по phone — §10.8.1).
             </p>
-            <v-text-field v-model="webhookUrl" label="Endpoint URL" variant="outlined" density="comfortable" />
+
+            <v-alert
+                v-if="webhookError"
+                type="warning"
+                variant="tonal"
+                density="compact"
+                class="mb-3"
+                closable
+                data-testid="webhook-error"
+                @click:close="webhookError = null"
+            >
+                {{ webhookError }}
+            </v-alert>
+            <v-alert
+                v-if="webhookSuccess"
+                type="success"
+                variant="tonal"
+                density="compact"
+                class="mb-3"
+                closable
+                data-testid="webhook-success"
+                @click:close="webhookSuccess = null"
+            >
+                {{ webhookSuccess }}
+            </v-alert>
+            <v-alert
+                v-if="fullSecretShown"
+                type="warning"
+                variant="tonal"
+                density="compact"
+                class="mb-3"
+                data-testid="webhook-secret-once-notice"
+            >
+                Signing secret показывается <strong>один раз</strong>. Сохраните его в настройках вашего приёмника.
+            </v-alert>
+
             <v-text-field
-                :model-value="signingSecret"
+                v-model="webhookUrl"
+                label="Endpoint URL"
+                placeholder="https://..."
+                variant="outlined"
+                density="comfortable"
+                data-testid="webhook-url-field"
+            />
+            <v-text-field
+                :model-value="secretDisplay"
                 :type="secretVisible ? 'text' : 'password'"
                 label="Signing secret (HMAC)"
+                :placeholder="secretDisplay ? '' : 'Появится после первого сохранения URL'"
                 readonly
                 variant="outlined"
                 density="comfortable"
+                data-testid="webhook-secret-field"
                 :append-inner-icon="secretVisible ? 'mdi-eye-off' : 'mdi-eye'"
                 @click:append-inner="secretVisible = !secretVisible"
             />
             <div class="d-flex ga-2 mt-2">
-                <v-btn color="primary" variant="flat" size="small">Сохранить</v-btn>
-                <v-btn variant="outlined" size="small" prepend-icon="mdi-test-tube"> Тестовый webhook </v-btn>
+                <v-btn
+                    color="primary"
+                    variant="flat"
+                    size="small"
+                    :loading="savingWebhook"
+                    data-testid="webhook-save-btn"
+                    @click="saveWebhook"
+                >
+                    Сохранить
+                </v-btn>
+                <v-btn
+                    variant="outlined"
+                    size="small"
+                    prepend-icon="mdi-test-tube"
+                    :loading="testingWebhook"
+                    data-testid="webhook-test-btn"
+                    @click="runWebhookTest"
+                >
+                    Тестовый webhook
+                </v-btn>
             </div>
         </v-card>
+
+        <v-dialog v-model="regenDialogOpen" :max-width="440" data-testid="regen-dialog">
+            <v-card>
+                <v-card-title>Перегенерация API-ключа</v-card-title>
+                <v-card-text>
+                    Текущий ключ перестанет работать немедленно. Все интеграции с ним нужно будет обновить. Продолжить?
+                </v-card-text>
+                <v-card-actions>
+                    <v-spacer />
+                    <v-btn variant="text" :disabled="regenerating" @click="regenDialogOpen = false">Отмена</v-btn>
+                    <v-btn
+                        color="warning"
+                        variant="flat"
+                        :loading="regenerating"
+                        data-testid="regen-confirm-btn"
+                        @click="confirmRegenerate"
+                    >
+                        Перегенерировать
+                    </v-btn>
+                </v-card-actions>
+            </v-card>
+        </v-dialog>
+
+        <v-snackbar
+            v-model="toastOpen"
+            :timeout="4000"
+            :color="toastColor"
+            location="bottom right"
+            data-testid="api-tab-toast"
+        >
+            {{ toastText }}
+        </v-snackbar>
     </div>
 </template>
 

app/resources/js/views/settings/ProfileTab.vue

@@ -1,38 +1,129 @@
 <script setup lang="ts">
 /**
- * Settings → Профиль. Данные текущего user'а: имя, email, телефон, тайм-зона.
- * Источник дизайна: liderra_v8_handoff/concepts/v8_settings.html секция #profile.
+ * Settings → Профиль. Имя, фамилия, телефон, тайм-зона текущего пользователя
+ * из auth-store; сохранение через PATCH /api/auth/me (audit D1 / J6).
  *
- * MVP: form-fields без save (TODO: PATCH /api/me).
+ * Источник дизайна: liderra_v8_handoff/concepts/v8_settings.html секция #profile.
+ * Email — read-only (меняется через support). Поле «Роль» убрано: в таблице
+ * users нет колонки роли (было декоративной mock-заглушкой). Кнопка смены
+ * аватара пока без обработчика — загрузка аватара вне scope audit D1.
  */
-import { ref } from 'vue';
+import { computed, ref } from 'vue';
+import { useAuthStore } from '../../stores/auth';
+import { updateProfile } from '../../api/auth';
+import { extractErrorMessage } from '../../api/client';
 
-const fullName = ref('Иван Петров');
-const email = ref('ivan.petrov@example.ru');
-const phone = ref('+7 (916) 871-23-45');
-const timezone = ref('Europe/Moscow');
-const role = ref('Владелец');
+const auth = useAuthStore();
+
+// auth.user гарантированно не null здесь: router beforeEach дожидается
+// fetchMe() до навигации на requiresAuth-маршруты (см. router/index.ts).
+// Поэтому watch-ресинк (как в NotificationsTab) не нужен.
+const firstName = ref(auth.user?.first_name ?? '');
+const lastName = ref(auth.user?.last_name ?? '');
+const phone = ref(auth.user?.phone ?? '');
+const timezone = ref(auth.user?.timezone ?? 'Europe/Moscow');
+const email = computed(() => auth.user?.email ?? '');
+
+const initials = computed(() => {
+    const f = (auth.user?.first_name ?? '').charAt(0);
+    const l = (auth.user?.last_name ?? '').charAt(0);
+    return (f + l).toUpperCase() || '—';
+});
+
+const saving = ref(false);
+const saveSuccess = ref(false);
+const saveError = ref<string | null>(null);
+
+function resetForm(): void {
+    firstName.value = auth.user?.first_name ?? '';
+    lastName.value = auth.user?.last_name ?? '';
+    phone.value = auth.user?.phone ?? '';
+    timezone.value = auth.user?.timezone ?? 'Europe/Moscow';
+    saveSuccess.value = false;
+    saveError.value = null;
+}
+
+async function save(): Promise<void> {
+    if (saving.value) return;
+    saving.value = true;
+    saveSuccess.value = false;
+    saveError.value = null;
+    try {
+        const updated = await updateProfile({
+            first_name: firstName.value,
+            last_name: lastName.value,
+            phone: phone.value.trim() === '' ? null : phone.value.trim(),
+            timezone: timezone.value,
+        });
+        auth.user = { ...auth.user!, ...updated };
+        saveSuccess.value = true;
+    } catch (err) {
+        saveError.value = extractErrorMessage(err, 'Не удалось сохранить профиль.');
+    } finally {
+        saving.value = false;
+    }
+}
 </script>
 
 <template>
     <div class="tab-content">
         <h2 class="tab-title text-h6 mb-4">Профиль</h2>
 
+        <v-alert
+            v-if="saveSuccess"
+            type="success"
+            variant="tonal"
+            density="compact"
+            class="mb-3"
+            closable
+            data-testid="profile-save-success"
+            @click:close="saveSuccess = false"
+        >
+            Профиль сохранён.
+        </v-alert>
+        <v-alert
+            v-if="saveError"
+            type="warning"
+            variant="tonal"
+            density="compact"
+            class="mb-3"
+            closable
+            data-testid="profile-save-error"
+            @click:close="saveError = null"
+        >
+            {{ saveError }}
+        </v-alert>
+
         <v-row class="profile-row">
             <v-col cols="auto">
                 <v-avatar size="80" color="primary">
-                    <span class="text-h5">ИП</span>
+                    <span class="text-h5">{{ initials }}</span>
                 </v-avatar>
                 <v-btn variant="text" size="small" class="mt-2" prepend-icon="mdi-camera"> Сменить </v-btn>
             </v-col>
             <v-col>
                 <v-row dense>
                     <v-col cols="12" md="6">
-                        <v-text-field v-model="fullName" label="Полное имя" variant="outlined" density="comfortable" />
+                        <v-text-field
+                            v-model="firstName"
+                            label="Имя"
+                            variant="outlined"
+                            density="comfortable"
+                            data-testid="profile-first-name"
+                        />
                     </v-col>
                     <v-col cols="12" md="6">
                         <v-text-field
-                            v-model="email"
+                            v-model="lastName"
+                            label="Фамилия"
+                            variant="outlined"
+                            density="comfortable"
+                            data-testid="profile-last-name"
+                        />
+                    </v-col>
+                    <v-col cols="12" md="6">
+                        <v-text-field
+                            :model-value="email"
                             label="Email"
                             type="email"
                             variant="outlined"
@@ -43,7 +134,13 @@ const role = ref('Владелец');
                         />
                     </v-col>
                     <v-col cols="12" md="6">
-                        <v-text-field v-model="phone" label="Телефон" variant="outlined" density="comfortable" />
+                        <v-text-field
+                            v-model="phone"
+                            label="Телефон"
+                            variant="outlined"
+                            density="comfortable"
+                            data-testid="profile-phone"
+                        />
                     </v-col>
                     <v-col cols="12" md="6">
                         <v-text-field
@@ -53,16 +150,24 @@ const role = ref('Владелец');
                             density="comfortable"
                             persistent-hint
                             hint="Используется в логах и напоминаниях"
+                            data-testid="profile-timezone"
                         />
                     </v-col>
-                    <v-col cols="12" md="6">
-                        <v-text-field v-model="role" label="Роль" variant="outlined" density="comfortable" disabled />
-                    </v-col>
                 </v-row>
 
                 <div class="d-flex ga-2 mt-4">
-                    <v-btn color="primary" variant="flat">Сохранить</v-btn>
-                    <v-btn variant="text">Отмена</v-btn>
+                    <v-btn
+                        color="primary"
+                        variant="flat"
+                        :loading="saving"
+                        data-testid="profile-save-btn"
+                        @click="save"
+                    >
+                        Сохранить
+                    </v-btn>
+                    <v-btn variant="text" :disabled="saving" data-testid="profile-cancel-btn" @click="resetForm">
+                        Отмена
+                    </v-btn>
                 </div>
             </v-col>
         </v-row>

app/routes/web.php

@@ -35,6 +35,7 @@ Route::prefix('/api/auth')->group(function () {
     Route::post('/reset-password', 'App\Http\Controllers\Api\PasswordResetController@resetPassword');
     Route::middleware('auth:sanctum')->group(function () {
         Route::get('/me', 'App\Http\Controllers\Api\AuthController@me');
+        Route::patch('/me', 'App\Http\Controllers\Api\AuthController@updateProfile');
         Route::post('/logout', 'App\Http\Controllers\Api\AuthController@logout');
         Route::patch('/me/notification-preferences', 'App\Http\Controllers\Api\AuthController@updateNotificationPreferences');
     });
@@ -70,52 +71,82 @@ Route::middleware(['auth:sanctum', 'tenant'])->prefix('/api/reports/jobs')->grou
     Route::delete('/{id}', 'App\Http\Controllers\Api\ReportJobController@destroy')->where('id', '[0-9]+');
 });
 
-// SaaS-admin impersonation flow (Ю-1). На MVP без middleware (saas-admin auth
-// не реализован), production: middleware('auth:saas-admin') + role('compliance' if needed).
-Route::prefix('/api/admin/impersonation')->group(function () {
-    Route::get('/active', 'App\Http\Controllers\Api\ImpersonationController@active');
-    Route::get('/recent', 'App\Http\Controllers\Api\ImpersonationController@recent');
-    Route::post('/init', 'App\Http\Controllers\Api\ImpersonationController@init');
-    Route::post('/verify', 'App\Http\Controllers\Api\ImpersonationController@verify');
-    Route::post('/end', 'App\Http\Controllers\Api\ImpersonationController@end');
+// F2 (audit): скачивание готового файла отчёта по signed URL (24 ч, OPEN-И-20).
+// НЕ под auth:sanctum — подпись URL = capability-token (генерируется только
+// в ReportJobController::toResource() для отчётов своего тенанта).
+Route::get('/api/reports/jobs/{id}/file', 'App\Http\Controllers\Api\ReportJobController@download')
+    ->where('id', '[0-9]+')
+    ->name('reports.download')
+    ->middleware('signed');
+
+// J2 (Sprint 3F): стаб-гейт SaaS-admin зоны. EnsureSaasAdmin — dev/testing
+// пропускает, production fail-closed 503. Реальный Yandex 360 SSO — TODO под
+// Б-1+DO-4. admin_user_id внутри контроллеров (трейт ResolvesAdminUserId)
+// стаб не меняет — это отдельная зона ответственности.
+Route::middleware('saas-admin')->group(function () {
+    // SaaS-admin impersonation flow (Ю-1). На MVP без middleware (saas-admin auth
+    // не реализован), production: middleware('auth:saas-admin') + role('compliance' if needed).
+    Route::prefix('/api/admin/impersonation')->group(function () {
+        Route::get('/active', 'App\Http\Controllers\Api\ImpersonationController@active');
+        Route::get('/recent', 'App\Http\Controllers\Api\ImpersonationController@recent');
+        Route::post('/init', 'App\Http\Controllers\Api\ImpersonationController@init');
+        Route::post('/verify', 'App\Http\Controllers\Api\ImpersonationController@verify');
+        Route::post('/end', 'App\Http\Controllers\Api\ImpersonationController@end');
+    });
+
+    // SaaS-admin → Тенанты: lookup + детали для AdminTenantsView/AdminTenantDetailView.
+    Route::get('/api/admin/tenants', 'App\Http\Controllers\Api\AdminTenantsController@index');
+    Route::get('/api/admin/tenants/{subdomain}', 'App\Http\Controllers\Api\AdminTenantsController@show')
+        ->where('subdomain', '[a-z0-9_-]+');
+
+    // SaaS-admin → Биллинг: aggregates пополнений/списаний за текущий месяц.
+    Route::get('/api/admin/billing', 'App\Http\Controllers\Api\AdminBillingController@index');
+
+    // Sprint 3D (G4): SaaS-admin billing row-actions — приостановка/возврат/смена тарифа.
+    Route::get('/api/admin/billing/tariff-plans', 'App\Http\Controllers\Api\AdminBillingController@tariffPlans');
+    Route::patch('/api/admin/billing/tenants/{id}/status', 'App\Http\Controllers\Api\AdminBillingController@updateStatus')
+        ->where('id', '[0-9]+');
+    Route::post('/api/admin/billing/tenants/{id}/refund', 'App\Http\Controllers\Api\AdminBillingController@refund')
+        ->where('id', '[0-9]+');
+    Route::patch('/api/admin/billing/tenants/{id}/tariff', 'App\Http\Controllers\Api\AdminBillingController@changeTariff')
+        ->where('id', '[0-9]+');
+
+    // SaaS-admin → Инциденты: чтение incidents_log для AdminIncidentsView.
+    Route::get('/api/admin/incidents', 'App\Http\Controllers\Api\AdminIncidentsController@index');
+
+    // Sprint 3D (G5): SaaS-admin incident detail-view drill-down.
+    Route::get('/api/admin/incidents/{id}', 'App\Http\Controllers\Api\AdminIncidentsController@show')
+        ->where('id', '[0-9]+');
+
+    // Sprint 3D (G6): РКН-notify endpoint (152-ФЗ).
+    Route::post('/api/admin/incidents/{id}/rkn-notify', 'App\Http\Controllers\Api\AdminIncidentsController@notifyRkn')
+        ->where('id', '[0-9]+');
+
+    // SaaS-admin → Система: edit-flow для system_settings + audit-log (4-eyes-pattern).
+    // На MVP без auth-middleware (admin_user_id параметром); production: middleware('auth:saas-admin').
+    Route::prefix('/api/admin/system-settings')->group(function () {
+        Route::get('/', 'App\Http\Controllers\Api\AdminSystemSettingsController@index');
+        Route::put('/{key}', 'App\Http\Controllers\Api\AdminSystemSettingsController@update')->where('key', '[a-z0-9_\.]+');
+    });
+
+    // Plan 4: SaaS-admin pricing-tiers editor.
+    // CRUD для 7-ступенчатого тарифа. effective_from auto-computed = 1-е число
+    // следующего месяца (МСК). Audit-trail в saas_admin_audit_log.
+    Route::prefix('/api/admin/pricing-tiers')->group(function () {
+        Route::get('/', 'App\Http\Controllers\Api\AdminPricingTiersController@index');
+        Route::post('/', 'App\Http\Controllers\Api\AdminPricingTiersController@store');
+        Route::delete('/scheduled/{effective_from}',
+            'App\Http\Controllers\Api\AdminPricingTiersController@deleteScheduled')
+            ->where('effective_from', '\d{4}-\d{2}-\d{2}');
+    });
+
+    // Plan 4 Task 10: SaaS-admin supplier prices editor.
+    // CRUD для B1/B2/B3 закупочных цен. Audit-trail в saas_admin_audit_log.
+    Route::get('/api/admin/suppliers', 'App\Http\Controllers\Api\AdminSuppliersController@index');
+    Route::patch('/api/admin/suppliers/{id}', 'App\Http\Controllers\Api\AdminSuppliersController@update')
+        ->where('id', '[0-9]+');
 });
 
-// SaaS-admin → Тенанты: lookup + детали для AdminTenantsView/AdminTenantDetailView.
-// Без auth (saas-admin SSO ⏸ Б-1).
-Route::get('/api/admin/tenants', 'App\Http\Controllers\Api\AdminTenantsController@index');
-Route::get('/api/admin/tenants/{subdomain}', 'App\Http\Controllers\Api\AdminTenantsController@show')
-    ->where('subdomain', '[a-z0-9_-]+');
-
-// SaaS-admin → Биллинг: aggregates пополнений/списаний за текущий месяц.
-Route::get('/api/admin/billing', 'App\Http\Controllers\Api\AdminBillingController@index');
-
-// SaaS-admin → Инциденты: чтение incidents_log для AdminIncidentsView.
-Route::get('/api/admin/incidents', 'App\Http\Controllers\Api\AdminIncidentsController@index');
-
-// SaaS-admin → Система: edit-flow для system_settings + audit-log (4-eyes-pattern).
-// На MVP без auth-middleware (admin_user_id параметром); production: middleware('auth:saas-admin').
-Route::prefix('/api/admin/system-settings')->group(function () {
-    Route::get('/', 'App\Http\Controllers\Api\AdminSystemSettingsController@index');
-    Route::put('/{key}', 'App\Http\Controllers\Api\AdminSystemSettingsController@update')->where('key', '[a-z0-9_\.]+');
-});
-
-// Plan 4: SaaS-admin pricing-tiers editor.
-// CRUD для 7-ступенчатого тарифа. effective_from auto-computed = 1-е число
-// следующего месяца (МСК). Audit-trail в saas_admin_audit_log.
-Route::prefix('/api/admin/pricing-tiers')->group(function () {
-    Route::get('/', 'App\Http\Controllers\Api\AdminPricingTiersController@index');
-    Route::post('/', 'App\Http\Controllers\Api\AdminPricingTiersController@store');
-    Route::delete('/scheduled/{effective_from}',
-        'App\Http\Controllers\Api\AdminPricingTiersController@deleteScheduled')
-        ->where('effective_from', '\d{4}-\d{2}-\d{2}');
-});
-
-// Plan 4 Task 10: SaaS-admin supplier prices editor.
-// CRUD для B1/B2/B3 закупочных цен. Audit-trail в saas_admin_audit_log.
-Route::get('/api/admin/suppliers', 'App\Http\Controllers\Api\AdminSuppliersController@index');
-Route::patch('/api/admin/suppliers/{id}', 'App\Http\Controllers\Api\AdminSuppliersController@update')
-    ->where('id', '[0-9]+');
-
 // Plan 4 Task 11: tenant charges ledger (read-only + CSV export).
 // RLS изоляция через SetTenantContext (auth:sanctum + tenant) — текущий tenant
 // видит только свои lead_charges. Pagination 20/page, фильтры period/source.
@@ -124,21 +155,49 @@ Route::middleware(['auth:sanctum', 'tenant'])->prefix('/api/billing/charges')->g
     Route::post('/export', 'App\Http\Controllers\Api\TenantChargesController@export');
 });
 
-// Сделки — manual create через UI (NewDealDialog). На prod: middleware
-// 'auth:sanctum' + 'tenant', tenant_id берётся из user'а. На MVP — параметром.
+// Биллинг тенанта: пополнение/кошелёк/транзакции/счета (audit E1/E3).
+// RLS на balance_transactions / saas_invoices требует tenant middleware.
+Route::middleware(['auth:sanctum', 'tenant'])->prefix('/api/billing')->group(function () {
+    Route::post('/topup', 'App\Http\Controllers\Api\BillingController@topup');
+    Route::get('/wallet', 'App\Http\Controllers\Api\BillingController@wallet');
+    Route::get('/transactions', 'App\Http\Controllers\Api\BillingController@transactions');
+    Route::get('/invoices', 'App\Http\Controllers\Api\BillingController@invoices');
+});
+
+// API-ключи тенанта (audit D2/D3/J5). RLS на api_keys требует tenant middleware.
+Route::middleware(['auth:sanctum', 'tenant'])->prefix('/api/api-keys')->group(function () {
+    Route::get('/', 'App\Http\Controllers\Api\ApiKeyController@index');
+    Route::post('/regenerate', 'App\Http\Controllers\Api\ApiKeyController@regenerate');
+});
+
+// Настройки исходящего webhook'а тенанта (audit D4/D5/J5).
+Route::middleware(['auth:sanctum', 'tenant'])->group(function () {
+    Route::get('/api/tenants/me/webhook-settings', 'App\Http\Controllers\Api\WebhookSettingsController@show');
+    Route::put('/api/tenants/me/webhook-settings', 'App\Http\Controllers\Api\WebhookSettingsController@update');
+    Route::post('/api/webhooks/test', 'App\Http\Controllers\Api\WebhookSettingsController@test');
+});
+
+// Дашборд — агрегат KPI/баланса/активности/воронки (audit J3). На MVP без
+// auth-middleware (tenant_id параметром); production: middleware('auth:sanctum','tenant').
+Route::get('/api/dashboard/summary', 'App\Http\Controllers\Api\DashboardController@summary');
+
+// Сделки — single-resource CRUD + bulk + export. J1 (Sprint 3F, audit):
+// auth:sanctum + tenant. tenant_id берётся из auth()->user()->tenant_id
+// (SetTenantContext), НЕ из параметра запроса — закрывает кросс-tenant утечку.
 //
-// Sprint 3 Phase A (audit O-refactor-01): single-resource CRUD остаётся в
-// DealController, bulk-операции (transition/destroy/restore) — в
-// DealBulkActionController, export — в DealExportController. URL и shape
-// payload'ов сохранены, только controller@method обновлён.
-Route::get('/api/deals', 'App\Http\Controllers\Api\DealController@index');
-Route::get('/api/deals/{id}', 'App\Http\Controllers\Api\DealController@show')->where('id', '[0-9]+');
-Route::post('/api/deals', 'App\Http\Controllers\Api\DealController@store');
-Route::post('/api/deals/export', 'App\Http\Controllers\Api\DealExportController@export');
-Route::post('/api/deals/transition', 'App\Http\Controllers\Api\DealBulkActionController@transition');
-Route::patch('/api/deals/{id}', 'App\Http\Controllers\Api\DealController@update')->where('id', '[0-9]+');
-Route::delete('/api/deals', 'App\Http\Controllers\Api\DealBulkActionController@destroy');
-Route::post('/api/deals/restore', 'App\Http\Controllers\Api\DealBulkActionController@restore');
+// Sprint 3 Phase A (audit O-refactor-01): single-resource CRUD в
+// DealController, bulk (transition/destroy/restore) — в
+// DealBulkActionController, export — в DealExportController.
+Route::middleware(['auth:sanctum', 'tenant'])->group(function () {
+    Route::get('/api/deals', 'App\Http\Controllers\Api\DealController@index');
+    Route::get('/api/deals/{id}', 'App\Http\Controllers\Api\DealController@show')->where('id', '[0-9]+');
+    Route::post('/api/deals', 'App\Http\Controllers\Api\DealController@store');
+    Route::post('/api/deals/export', 'App\Http\Controllers\Api\DealExportController@export');
+    Route::post('/api/deals/transition', 'App\Http\Controllers\Api\DealBulkActionController@transition');
+    Route::patch('/api/deals/{id}', 'App\Http\Controllers\Api\DealController@update')->where('id', '[0-9]+');
+    Route::delete('/api/deals', 'App\Http\Controllers\Api\DealBulkActionController@destroy');
+    Route::post('/api/deals/restore', 'App\Http\Controllers\Api\DealBulkActionController@restore');
+});
 
 // Lookup endpoints — заполняют v-select'ы (NewDealDialog, smart-filters).
 Route::get('/api/managers', 'App\Http\Controllers\Api\ManagerController@index');
@@ -194,8 +253,9 @@ Route::view('/register', 'welcome');
 Route::view('/forgot', 'welcome');
 Route::view('/reset', 'welcome'); // SPA-router рендерит ResetPasswordView для /reset/{token}
 Route::view('/2fa', 'welcome');
-Route::view('/recovery', 'welcome');
 Route::view('/recovery-use', 'welcome');
+Route::view('/legal/offer', 'welcome');
+Route::view('/legal/privacy', 'welcome');
 Route::view('/dashboard', 'welcome');
 Route::view('/deals', 'welcome');
 Route::view('/kanban', 'welcome');

app/tests/Feature/AdminBillingActionsTest.php

@@ -0,0 +1,134 @@
+<?php
+
+declare(strict_types=1);
+
+use App\Models\BalanceTransaction;
+use Illuminate\Foundation\Testing\DatabaseTransactions;
+use Illuminate\Support\Facades\DB;
+
+uses(DatabaseTransactions::class);
+
+function makeBillingTenant(array $overrides = []): int
+{
+    return (int) DB::table('tenants')->insertGetId(array_merge([
+        'subdomain' => 'bt-'.bin2hex(random_bytes(4)),
+        'organization_name' => 'Billing Test Co',
+        'contact_email' => 'bt-'.bin2hex(random_bytes(3)).'@test.local',
+        'webhook_token' => bin2hex(random_bytes(16)),
+        'status' => 'active',
+        'balance_rub' => '5000.00',
+        'is_trial' => false,
+        'created_at' => now(),
+    ], $overrides));
+}
+
+function makeTariffPlan(array $overrides = []): int
+{
+    return (int) DB::table('tariff_plans')->insertGetId(array_merge([
+        'code' => 'test-'.bin2hex(random_bytes(4)),
+        'name' => 'Test Plan',
+        'billing_model' => 'monthly',
+        'price_monthly' => '999.00',
+        'created_at' => now(),
+    ], $overrides));
+}
+
+test('GET tariff-plans возвращает список планов', function () {
+    $planId = makeTariffPlan(['name' => 'Visible Plan', 'price_monthly' => '1500.00']);
+    $r = $this->getJson('/api/admin/billing/tariff-plans');
+    $r->assertOk();
+    $plans = $r->json('plans');
+    expect($plans)->toBeArray();
+    $found = collect($plans)->first(fn ($p) => $p['id'] === $planId);
+    expect($found)->not->toBeNull();
+    expect($found['id'])->toBeInt();
+    expect($found['name'])->toBeString();
+    expect($found['price_monthly'])->toBeString();
+});
+
+test('PATCH status suspended меняет статус + пишет audit-log', function () {
+    $id = makeBillingTenant(['status' => 'active']);
+    $r = $this->patchJson("/api/admin/billing/tenants/{$id}/status", [
+        'status' => 'suspended',
+        'reason' => 'Просрочка оплаты более 30 дней.',
+    ]);
+    $r->assertOk();
+    expect($r->json('status'))->toBe('suspended');
+    expect(DB::table('tenants')->where('id', $id)->value('status'))->toBe('suspended');
+    expect(DB::table('saas_admin_audit_log')->where('action', 'tenant.suspend')->where('target_id', $id)->exists())->toBeTrue();
+});
+
+test('PATCH status active разблокирует', function () {
+    $id = makeBillingTenant(['status' => 'suspended']);
+    $this->patchJson("/api/admin/billing/tenants/{$id}/status", [
+        'status' => 'active', 'reason' => 'Оплата получена, блокировка снята.',
+    ])->assertOk();
+    expect(DB::table('tenants')->where('id', $id)->value('status'))->toBe('active');
+});
+
+test('PATCH status reason короче 10 символов → 422', function () {
+    $id = makeBillingTenant();
+    $this->patchJson("/api/admin/billing/tenants/{$id}/status", ['status' => 'suspended', 'reason' => 'мало'])
+        ->assertStatus(422);
+});
+
+test('PATCH status несуществующий тенант → 404', function () {
+    $this->patchJson('/api/admin/billing/tenants/99999999/status', [
+        'status' => 'suspended', 'reason' => 'Любое основание длиной более десяти.',
+    ])->assertStatus(404);
+});
+
+test('PATCH status soft-deleted тенант → 404', function () {
+    $id = makeBillingTenant(['deleted_at' => now()]);
+    $this->patchJson("/api/admin/billing/tenants/{$id}/status", [
+        'status' => 'suspended', 'reason' => 'Любое основание длиной более десяти.',
+    ])->assertStatus(404);
+});
+
+test('POST refund списывает с баланса + создаёт balance_transactions refund', function () {
+    $id = makeBillingTenant(['balance_rub' => '5000.00']);
+    $r = $this->postJson("/api/admin/billing/tenants/{$id}/refund", [
+        'amount_rub' => 1500, 'reason' => 'Возврат по обращению клиента №42.',
+    ]);
+    $r->assertOk();
+    expect($r->json('balance_rub'))->toBe('3500.00');
+    expect(DB::table('tenants')->where('id', $id)->value('balance_rub'))->toBe('3500.00');
+    $tx = BalanceTransaction::where('tenant_id', $id)->where('type', 'refund')->first();
+    expect($tx)->not->toBeNull();
+    expect((string) $tx->amount_rub)->toBe('-1500.00');
+    expect((string) $tx->balance_rub_after)->toBe('3500.00');
+    expect(DB::table('saas_admin_audit_log')->where('action', 'tenant.refund')->where('target_id', $id)->exists())->toBeTrue();
+});
+
+test('POST refund больше баланса → 422, баланс не меняется', function () {
+    $id = makeBillingTenant(['balance_rub' => '1000.00']);
+    $this->postJson("/api/admin/billing/tenants/{$id}/refund", [
+        'amount_rub' => 5000, 'reason' => 'Возврат по обращению клиента №7.',
+    ])->assertStatus(422);
+    expect(DB::table('tenants')->where('id', $id)->value('balance_rub'))->toBe('1000.00');
+    expect(BalanceTransaction::where('tenant_id', $id)->count())->toBe(0);
+});
+
+test('POST refund неположительная сумма → 422', function () {
+    $id = makeBillingTenant();
+    $this->postJson("/api/admin/billing/tenants/{$id}/refund", ['amount_rub' => 0, 'reason' => 'Основание длиннее десяти символов.'])
+        ->assertStatus(422);
+});
+
+test('PATCH tariff меняет current_tariff_id + audit-log', function () {
+    $id = makeBillingTenant();
+    $tariffId = makeTariffPlan(['name' => 'Corp Plan', 'price_monthly' => '2500.00']);
+    $r = $this->patchJson("/api/admin/billing/tenants/{$id}/tariff", [
+        'tariff_id' => $tariffId, 'reason' => 'Переход на тариф по договорённости с клиентом.',
+    ]);
+    $r->assertOk();
+    expect((int) DB::table('tenants')->where('id', $id)->value('current_tariff_id'))->toBe($tariffId);
+    expect(DB::table('saas_admin_audit_log')->where('action', 'tenant.change_tariff')->where('target_id', $id)->exists())->toBeTrue();
+});
+
+test('PATCH tariff несуществующий tariff_id → 422', function () {
+    $id = makeBillingTenant();
+    $this->patchJson("/api/admin/billing/tenants/{$id}/tariff", [
+        'tariff_id' => 88888888, 'reason' => 'Основание длиннее десяти символов.',
+    ])->assertStatus(422);
+});

app/tests/Feature/AdminIncidentRknNotifyTest.php

@@ -0,0 +1,61 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Foundation\Testing\DatabaseTransactions;
+use Illuminate\Support\Facades\DB;
+
+uses(DatabaseTransactions::class);
+
+beforeEach(function () {
+    DB::table('incidents_log')->delete();
+    $this->adminId = (int) DB::table('saas_admin_users')->insertGetId([
+        'email' => 'rkn-'.bin2hex(random_bytes(3)).'@test',
+        'full_name' => 'RKN Admin',
+        'password_hash' => bcrypt('test1234'),
+        'is_active' => true,
+        'role' => 'support',
+        'created_at' => now(),
+    ]);
+});
+
+function makeRknIncident(int $adminId, array $overrides = []): int
+{
+    $started = $overrides['started_at'] ?? now()->subHours(2);
+
+    return (int) DB::table('incidents_log')->insertGetId(array_merge([
+        'type' => 'data_breach',
+        'severity' => 'critical',
+        'started_at' => $started,
+        'detected_at' => $started,
+        'summary' => 'PDN leak test',
+        'created_by_admin_id' => $adminId,
+        'created_at' => now(),
+    ], $overrides));
+}
+
+test('POST rkn-notify проставляет rkn_notified_at + audit-log', function () {
+    $id = makeRknIncident($this->adminId);
+    $r = $this->postJson("/api/admin/incidents/{$id}/rkn-notify");
+    $r->assertOk();
+    expect($r->json('incident.rkn_notified'))->toBeTrue();
+    expect($r->json('incident.rkn_notified_at'))->toBeString();
+    expect(DB::table('incidents_log')->where('id', $id)->value('rkn_notified_at'))->not->toBeNull();
+    expect(DB::table('saas_admin_audit_log')->where('action', 'incident.rkn_notify')->where('target_id', $id)->exists())
+        ->toBeTrue();
+});
+
+test('POST rkn-notify несуществующий инцидент → 404', function () {
+    $this->postJson('/api/admin/incidents/99999999/rkn-notify')->assertStatus(404);
+});
+
+test('POST rkn-notify не data_breach → 422', function () {
+    $id = makeRknIncident($this->adminId, ['type' => 'service_outage']);
+    $this->postJson("/api/admin/incidents/{$id}/rkn-notify")->assertStatus(422);
+    expect(DB::table('incidents_log')->where('id', $id)->value('rkn_notified_at'))->toBeNull();
+});
+
+test('POST rkn-notify повторно → 409', function () {
+    $id = makeRknIncident($this->adminId, ['rkn_notified_at' => now()->subHour()]);
+    $this->postJson("/api/admin/incidents/{$id}/rkn-notify")->assertStatus(409);
+});

app/tests/Feature/AdminIncidentShowTest.php

@@ -0,0 +1,79 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Foundation\Testing\DatabaseTransactions;
+use Illuminate\Support\Facades\DB;
+
+uses(DatabaseTransactions::class);
+
+beforeEach(function () {
+    DB::table('incidents_log')->delete();
+    $this->adminId = (int) DB::table('saas_admin_users')->insertGetId([
+        'email' => 'inc-'.bin2hex(random_bytes(3)).'@test',
+        'full_name' => 'Incident Admin',
+        'password_hash' => bcrypt('test1234'),
+        'is_active' => true,
+        'role' => 'support',
+        'created_at' => now(),
+    ]);
+});
+
+function makeShowIncident(int $adminId, array $overrides = []): int
+{
+    $started = $overrides['started_at'] ?? now()->subHours(3);
+    $detected = $overrides['detected_at'] ?? $started;
+
+    return (int) DB::table('incidents_log')->insertGetId(array_merge([
+        'type' => 'service_outage',
+        'severity' => 'high',
+        'started_at' => $started,
+        'detected_at' => $detected,
+        'resolved_at' => null,
+        'summary' => 'Show test incident',
+        'created_by_admin_id' => $adminId,
+        'created_at' => now(),
+    ], $overrides));
+}
+
+test('GET /api/admin/incidents/{id} 200 + полная карточка', function () {
+    $id = makeShowIncident($this->adminId, ['summary' => 'API 502 burst', 'severity' => 'critical']);
+    $r = $this->getJson("/api/admin/incidents/{$id}");
+    $r->assertOk();
+    expect($r->json('incident.id'))->toBe($id);
+    expect($r->json('incident.summary'))->toBe('API 502 burst');
+    expect($r->json('incident.severity'))->toBe('critical');
+    expect($r->json('incident.incident_id'))->toMatch('/^INC-\d{4}-\d{4}-\d{4}$/');
+    expect($r->json('incident.status'))->toBe('investigating');
+    expect($r->json('incident.created_by_admin'))->toBe('Incident Admin');
+});
+
+test('GET /api/admin/incidents/{id} несуществующий → 404', function () {
+    $this->getJson('/api/admin/incidents/99999999')->assertStatus(404);
+});
+
+test('GET /api/admin/incidents/{id} data_breach без rkn_notified_at → rkn_deadline_at +24ч', function () {
+    $id = makeShowIncident($this->adminId, ['type' => 'data_breach', 'detected_at' => now()->subHour()]);
+    $r = $this->getJson("/api/admin/incidents/{$id}");
+    expect($r->json('incident.rkn_notified'))->toBeFalse();
+    expect($r->json('incident.rkn_deadline_at'))->toBeString();
+});
+
+test('GET /api/admin/incidents/{id} разрешает имена affected_tenants', function () {
+    $tenantId = (int) DB::table('tenants')->insertGetId([
+        'subdomain' => 'inc-'.bin2hex(random_bytes(4)),
+        'organization_name' => 'Affected Org',
+        'contact_email' => 'a@test.local',
+        'webhook_token' => bin2hex(random_bytes(16)),
+        'created_at' => now(),
+    ]);
+    $id = makeShowIncident($this->adminId, ['affected_tenant_ids' => '{'.$tenantId.'}']);
+    $r = $this->getJson("/api/admin/incidents/{$id}");
+    expect($r->json('incident.affected_tenants'))->toHaveCount(1);
+    expect($r->json('incident.affected_tenants.0.organization_name'))->toBe('Affected Org');
+});
+
+test('GET /api/admin/incidents/{id} resolved инцидент → status resolved', function () {
+    $id = makeShowIncident($this->adminId, ['resolved_at' => now()]);
+    expect($this->getJson("/api/admin/incidents/{$id}")->json('incident.status'))->toBe('resolved');
+});

app/tests/Feature/ApiKeyControllerTest.php

@@ -0,0 +1,97 @@
+<?php
+
+declare(strict_types=1);
+
+use App\Models\ApiKey;
+use App\Models\Tenant;
+use App\Models\User;
+use Illuminate\Foundation\Testing\DatabaseTransactions;
+use Illuminate\Support\Facades\Hash;
+
+uses(DatabaseTransactions::class);
+
+beforeEach(function () {
+    $this->tenant = Tenant::factory()->create();
+    $this->user = User::factory()->create(['tenant_id' => $this->tenant->id]);
+    $this->actingAs($this->user);
+});
+
+test('GET /api/api-keys возвращает активные ключи тенанта', function () {
+    ApiKey::factory()->create(['tenant_id' => $this->tenant->id, 'user_id' => $this->user->id]);
+
+    $response = $this->getJson('/api/api-keys');
+
+    $response->assertOk();
+    expect($response->json('data'))->toHaveCount(1);
+    expect($response->json('data.0'))->toHaveKeys(['id', 'name', 'key_prefix', 'last_used_at', 'created_at']);
+    expect($response->json('data.0'))->not->toHaveKey('key_hash');
+});
+
+test('GET /api/api-keys без auth: 401', function () {
+    auth()->logout();
+    $this->getJson('/api/api-keys')->assertStatus(401);
+});
+
+test('GET /api/api-keys изолирован по тенанту', function () {
+    $otherTenant = Tenant::factory()->create();
+    $otherUser = User::factory()->create(['tenant_id' => $otherTenant->id]);
+    ApiKey::factory()->create(['tenant_id' => $otherTenant->id, 'user_id' => $otherUser->id]);
+
+    $response = $this->getJson('/api/api-keys');
+
+    $response->assertOk();
+    expect($response->json('data'))->toHaveCount(0);
+});
+
+test('GET /api/api-keys не возвращает истёкшие ключи', function () {
+    ApiKey::factory()->create([
+        'tenant_id' => $this->tenant->id,
+        'user_id' => $this->user->id,
+        'is_active' => true,
+        'expires_at' => now()->subDay(),
+    ]);
+    ApiKey::factory()->create([
+        'tenant_id' => $this->tenant->id,
+        'user_id' => $this->user->id,
+        'is_active' => true,
+        'expires_at' => now()->addYear(),
+    ]);
+
+    $response = $this->getJson('/api/api-keys');
+
+    $response->assertOk();
+    expect($response->json('data'))->toHaveCount(1);
+});
+
+test('POST /api/api-keys/regenerate создаёт ключ и возвращает plaintext один раз', function () {
+    $response = $this->postJson('/api/api-keys/regenerate');
+
+    $response->assertStatus(201);
+    expect($response->json('key'))->toStartWith('lpkapi_');
+    expect($response->json('key_prefix'))->toBe(substr($response->json('key'), 0, 10));
+    expect($response->json())->toHaveKeys(['id', 'name', 'key', 'key_prefix']);
+
+    $row = ApiKey::query()->where('tenant_id', $this->tenant->id)->where('is_active', true)->first();
+    expect($row)->not->toBeNull();
+    expect($row->key_hash)->not->toBe($response->json('key'));
+    expect(Hash::check($response->json('key'), $row->key_hash))->toBeTrue();
+});
+
+test('POST /api/api-keys/regenerate деактивирует предыдущий активный ключ', function () {
+    $old = ApiKey::factory()->create([
+        'tenant_id' => $this->tenant->id,
+        'user_id' => $this->user->id,
+        'is_active' => true,
+    ]);
+
+    $this->postJson('/api/api-keys/regenerate')->assertStatus(201);
+
+    $old->refresh();
+    expect($old->is_active)->toBeFalse();
+    expect(ApiKey::query()->where('tenant_id', $this->tenant->id)->where('is_active', true)->count())->toBe(1);
+});
+
+test('POST /api/api-keys/regenerate без auth: 401', function () {
+    auth()->logout();
+    $this->postJson('/api/api-keys/regenerate')->assertStatus(401);
+});

app/tests/Feature/Auth/UpdateProfileTest.php

@@ -0,0 +1,89 @@
+<?php
+
+declare(strict_types=1);
+
+use App\Models\Tenant;
+use App\Models\User;
+use Illuminate\Foundation\Testing\DatabaseTransactions;
+
+uses(DatabaseTransactions::class);
+
+beforeEach(function () {
+    $this->tenant = Tenant::factory()->create();
+    $this->user = User::factory()->create([
+        'tenant_id' => $this->tenant->id,
+        'first_name' => 'Новый',
+        'last_name' => 'Пользователь',
+        'phone' => null,
+        'timezone' => 'Europe/Moscow',
+    ]);
+    $this->actingAs($this->user);
+});
+
+test('PATCH /api/auth/me обновляет профиль и возвращает user', function () {
+    $response = $this->patchJson('/api/auth/me', [
+        'first_name' => 'Иван',
+        'last_name' => 'Петров',
+        'phone' => '+7 916 000-00-00',
+        'timezone' => 'Asia/Yekaterinburg',
+    ]);
+
+    $response->assertOk();
+    expect($response->json('user.first_name'))->toBe('Иван');
+    expect($response->json('user.last_name'))->toBe('Петров');
+    expect($response->json('user.phone'))->toBe('+7 916 000-00-00');
+    expect($response->json('user.timezone'))->toBe('Asia/Yekaterinburg');
+
+    $this->user->refresh();
+    expect($this->user->first_name)->toBe('Иван');
+    expect($this->user->timezone)->toBe('Asia/Yekaterinburg');
+});
+
+test('PATCH /api/auth/me без auth: 401', function () {
+    auth()->logout();
+    $this->patchJson('/api/auth/me', [
+        'first_name' => 'Иван',
+        'last_name' => 'Петров',
+        'timezone' => 'Europe/Moscow',
+    ])->assertStatus(401);
+});
+
+test('PATCH /api/auth/me: 422 при пустом first_name', function () {
+    $this->patchJson('/api/auth/me', [
+        'first_name' => '',
+        'last_name' => 'Петров',
+        'timezone' => 'Europe/Moscow',
+    ])->assertStatus(422)->assertJsonValidationErrorFor('first_name');
+});
+
+test('PATCH /api/auth/me: 422 при пустом last_name', function () {
+    $this->patchJson('/api/auth/me', [
+        'first_name' => 'Иван',
+        'last_name' => '',
+        'timezone' => 'Europe/Moscow',
+    ])->assertStatus(422)->assertJsonValidationErrorFor('last_name');
+});
+
+test('PATCH /api/auth/me: 422 при невалидной timezone', function () {
+    $this->patchJson('/api/auth/me', [
+        'first_name' => 'Иван',
+        'last_name' => 'Петров',
+        'timezone' => 'Mars/Olympus',
+    ])->assertStatus(422)->assertJsonValidationErrorFor('timezone');
+});
+
+test('PATCH /api/auth/me: phone опционален (nullable)', function () {
+    $response = $this->patchJson('/api/auth/me', [
+        'first_name' => 'Иван',
+        'last_name' => 'Петров',
+        'timezone' => 'Europe/Moscow',
+    ]);
+    $response->assertOk();
+    expect($response->json('user.phone'))->toBeNull();
+});
+
+test('GET /api/auth/me возвращает phone и timezone', function () {
+    $response = $this->getJson('/api/auth/me');
+    $response->assertOk();
+    expect($response->json('user'))->toHaveKeys(['phone', 'timezone']);
+});

app/tests/Feature/Billing/BillingOverviewControllerTest.php

@@ -0,0 +1,181 @@
+<?php
+
+declare(strict_types=1);
+
+use App\Models\BalanceTransaction;
+use App\Models\Tenant;
+use App\Models\User;
+use Illuminate\Foundation\Testing\DatabaseTransactions;
+use Illuminate\Support\Facades\DB;
+
+uses(DatabaseTransactions::class);
+
+beforeEach(function () {
+    $this->tenant = Tenant::factory()->create([
+        'balance_rub' => '14250.00',
+        'balance_leads' => 285,
+    ]);
+    $this->user = User::factory()->create(['tenant_id' => $this->tenant->id]);
+    $this->actingAs($this->user);
+});
+
+// ---- wallet ----
+
+test('GET /api/billing/wallet возвращает баланс тенанта', function () {
+    $this->getJson('/api/billing/wallet')
+        ->assertOk()
+        ->assertJsonPath('balance_rub', '14250.00')
+        ->assertJsonPath('balance_leads', 285);
+});
+
+test('GET /api/billing/wallet возвращает тариф, если он назначен', function () {
+    $tariffId = DB::table('tariff_plans')->where('code', 'pro')->value('id');
+    $this->tenant->update(['current_tariff_id' => $tariffId]);
+
+    $response = $this->getJson('/api/billing/wallet');
+
+    $response->assertOk()
+        ->assertJsonPath('tariff.code', 'pro')
+        ->assertJsonPath('tariff.name', 'Про');
+    expect($response->json('tariff.features'))->toBeArray();
+});
+
+test('GET /api/billing/wallet возвращает tariff=null без назначенного тарифа', function () {
+    $this->getJson('/api/billing/wallet')
+        ->assertOk()
+        ->assertJsonPath('tariff', null);
+});
+
+test('GET /api/billing/wallet: runway_days = null без списаний', function () {
+    $this->getJson('/api/billing/wallet')
+        ->assertOk()
+        ->assertJsonPath('runway_days', null);
+});
+
+test('GET /api/billing/wallet: runway_days рассчитан при наличии списаний', function () {
+    BalanceTransaction::factory()->create([
+        'tenant_id' => $this->tenant->id,
+        'type' => 'lead_charge',
+        'amount_rub' => '-3000.00',
+        'created_at' => now()->subDays(10),
+    ]);
+
+    // 3000 ₽ / 30 дн = 100 ₽/день; баланс 14250 → floor(142.5) = 142.
+    expect($this->getJson('/api/billing/wallet')->json('runway_days'))->toBe(142);
+});
+
+test('GET /api/billing/wallet: runway_days = 0 при отрицательном балансе', function () {
+    $this->tenant->update(['balance_rub' => '-500.00']);
+    BalanceTransaction::factory()->create([
+        'tenant_id' => $this->tenant->id,
+        'type' => 'lead_charge',
+        'amount_rub' => '-3000.00',
+        'created_at' => now()->subDays(10),
+    ]);
+
+    // Баланс уже отрицательный → runway не может быть отрицательным, клампится в 0.
+    expect($this->getJson('/api/billing/wallet')->json('runway_days'))->toBe(0);
+});
+
+test('GET /api/billing/wallet без auth: 401', function () {
+    auth()->logout();
+    $this->getJson('/api/billing/wallet')->assertStatus(401);
+});
+
+// ---- transactions ----
+
+test('GET /api/billing/transactions возвращает транзакции тенанта', function () {
+    BalanceTransaction::factory()->count(3)->create(['tenant_id' => $this->tenant->id]);
+
+    $response = $this->getJson('/api/billing/transactions');
+
+    $response->assertOk();
+    expect($response->json('data'))->toHaveCount(3);
+    expect($response->json('meta.total'))->toBe(3);
+    expect($response->json('data.0'))->toHaveKeys(['id', 'code', 'type', 'amount_rub', 'created_at']);
+});
+
+test('GET /api/billing/transactions изолирован по тенанту', function () {
+    BalanceTransaction::factory()->create(['tenant_id' => $this->tenant->id]);
+    $other = Tenant::factory()->create();
+    BalanceTransaction::factory()->create(['tenant_id' => $other->id]);
+
+    expect($this->getJson('/api/billing/transactions')->json('data'))->toHaveCount(1);
+});
+
+test('GET /api/billing/transactions фильтрует по type', function () {
+    BalanceTransaction::factory()->create(['tenant_id' => $this->tenant->id, 'type' => 'topup']);
+    BalanceTransaction::factory()->create(['tenant_id' => $this->tenant->id, 'type' => 'lead_charge', 'amount_rub' => '-50.00']);
+    BalanceTransaction::factory()->create(['tenant_id' => $this->tenant->id, 'type' => 'refund', 'amount_rub' => '10.00']);
+
+    $this->getJson('/api/billing/transactions?type=topup')
+        ->assertJsonCount(1, 'data')->assertJsonPath('data.0.type', 'topup');
+    $this->getJson('/api/billing/transactions?type=lead_charge')
+        ->assertJsonCount(1, 'data')->assertJsonPath('data.0.type', 'lead_charge');
+    $this->getJson('/api/billing/transactions?type=refund')
+        ->assertJsonCount(1, 'data')->assertJsonPath('data.0.type', 'refund');
+});
+
+test('GET /api/billing/transactions: пагинация 20/страница', function () {
+    BalanceTransaction::factory()->count(25)->create(['tenant_id' => $this->tenant->id]);
+
+    expect($this->getJson('/api/billing/transactions?page=1')->json('data'))->toHaveCount(20);
+    expect($this->getJson('/api/billing/transactions?page=2')->json('data'))->toHaveCount(5);
+});
+
+test('GET /api/billing/transactions без auth: 401', function () {
+    auth()->logout();
+    $this->getJson('/api/billing/transactions')->assertStatus(401);
+});
+
+// ---- invoices ----
+
+test('GET /api/billing/invoices возвращает пустой список без счетов', function () {
+    $this->getJson('/api/billing/invoices')
+        ->assertOk()
+        ->assertJsonCount(0, 'data');
+});
+
+test('GET /api/billing/invoices возвращает счета тенанта и изолирует чужие', function () {
+    $leId = DB::table('legal_entities')->insertGetId([
+        'code' => 'ooo_test_'.uniqid(),
+        'name' => 'ООО Тест',
+        'legal_form' => 'OOO',
+        'inn' => '7700000000',
+        'created_at' => now(),
+    ]);
+    DB::table('saas_invoices')->insert([
+        'tenant_id' => $this->tenant->id,
+        'legal_entity_id' => $leId,
+        'invoice_number' => 'СЧ-2026-00001',
+        'payer_type' => 'legal',
+        'amount_net' => '990.00',
+        'amount_total' => '990.00',
+        'status' => 'issued',
+        'issued_at' => now(),
+        'expires_at' => now()->addDays(5),
+    ]);
+    $other = Tenant::factory()->create();
+    DB::table('saas_invoices')->insert([
+        'tenant_id' => $other->id,
+        'legal_entity_id' => $leId,
+        'invoice_number' => 'СЧ-2026-00002',
+        'payer_type' => 'legal',
+        'amount_net' => '500.00',
+        'amount_total' => '500.00',
+        'status' => 'issued',
+        'issued_at' => now(),
+        'expires_at' => now()->addDays(5),
+    ]);
+
+    $response = $this->getJson('/api/billing/invoices');
+
+    $response->assertOk();
+    expect($response->json('data'))->toHaveCount(1);
+    expect($response->json('data.0.invoice_number'))->toBe('СЧ-2026-00001');
+});
+
+test('GET /api/billing/invoices без auth: 401', function () {
+    auth()->logout();
+    $this->getJson('/api/billing/invoices')->assertStatus(401);
+});

app/tests/Feature/Billing/BillingTopupServiceTest.php

@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+use App\Models\Tenant;
+use App\Models\User;
+use App\Services\Billing\BillingTopupService;
+use Illuminate\Foundation\Testing\DatabaseTransactions;
+use Illuminate\Support\Facades\DB;
+
+uses(DatabaseTransactions::class);
+
+test('topup кредитует balance_rub и пишет append-only строку topup', function () {
+    $tenant = Tenant::factory()->create(['balance_rub' => '500.00', 'balance_leads' => 7]);
+
+    $tx = app(BillingTopupService::class)->topup($tenant->id, '250.00', null);
+
+    expect($tx->type)->toBe('topup')
+        ->and($tx->amount_rub)->toBe('250.00')
+        ->and($tx->amount_leads)->toBe(0)
+        ->and($tx->balance_rub_after)->toBe('750.00')
+        ->and($tx->balance_leads_after)->toBe(7);
+
+    expect((string) $tenant->fresh()->balance_rub)->toBe('750.00');
+});
+
+test('topup использует bcmath — нет float-дрейфа на 0.1 + 0.2', function () {
+    $tenant = Tenant::factory()->create(['balance_rub' => '0.10']);
+
+    app(BillingTopupService::class)->topup($tenant->id, '0.20', null);
+
+    expect((string) $tenant->fresh()->balance_rub)->toBe('0.30');
+});
+
+test('topup фиксирует user_id инициатора', function () {
+    $tenant = Tenant::factory()->create(['balance_rub' => '0.00']);
+    $user = User::factory()->create(['tenant_id' => $tenant->id]);
+
+    $tx = app(BillingTopupService::class)->topup($tenant->id, '100.00', $user->id);
+
+    expect($tx->user_id)->toBe($user->id);
+});
+
+test('topup-строка получает log_hash через append-only hash-chain триггер', function () {
+    $tenant = Tenant::factory()->create(['balance_rub' => '0.00']);
+
+    $tx = app(BillingTopupService::class)->topup($tenant->id, '100.00', null);
+
+    $hasHash = DB::table('balance_transactions')
+        ->where('id', $tx->id)
+        ->whereNotNull('log_hash')
+        ->exists();
+    expect($hasHash)->toBeTrue();
+});

app/tests/Feature/Billing/TopupControllerTest.php

@@ -0,0 +1,79 @@
+<?php
+
+declare(strict_types=1);
+
+use App\Models\Tenant;
+use App\Models\User;
+use Illuminate\Foundation\Testing\DatabaseTransactions;
+
+uses(DatabaseTransactions::class);
+
+beforeEach(function () {
+    $this->tenant = Tenant::factory()->create(['balance_rub' => '500.00', 'balance_leads' => 12]);
+    $this->user = User::factory()->create(['tenant_id' => $this->tenant->id]);
+    $this->actingAs($this->user);
+});
+
+test('POST /api/billing/topup кредитует баланс и возвращает 201', function () {
+    $response = $this->postJson('/api/billing/topup', ['amount_rub' => 250]);
+
+    $response->assertStatus(201)
+        ->assertJsonPath('balance_rub', '750.00')
+        ->assertJsonPath('transaction.type', 'topup')
+        ->assertJsonPath('transaction.amount_rub', '250.00');
+
+    expect((string) $this->tenant->fresh()->balance_rub)->toBe('750.00');
+});
+
+test('POST /api/billing/topup пишет строку balance_transactions с user_id', function () {
+    $this->postJson('/api/billing/topup', ['amount_rub' => 100])->assertStatus(201);
+
+    $this->assertDatabaseHas('balance_transactions', [
+        'tenant_id' => $this->tenant->id,
+        'user_id' => $this->user->id,
+        'type' => 'topup',
+        'amount_rub' => '100.00',
+        'balance_rub_after' => '600.00',
+    ]);
+});
+
+test('POST /api/billing/topup использует bcmath-точность', function () {
+    $this->tenant->update(['balance_rub' => '0.10']);
+
+    $this->postJson('/api/billing/topup', ['amount_rub' => 100.20])->assertStatus(201);
+
+    expect((string) $this->tenant->fresh()->balance_rub)->toBe('100.30');
+});
+
+test('POST /api/billing/topup не затрагивает баланс чужого тенанта', function () {
+    $otherTenant = Tenant::factory()->create(['balance_rub' => '777.00']);
+
+    $this->postJson('/api/billing/topup', ['amount_rub' => 100])->assertStatus(201);
+
+    // Топап эндпоинт не принимает tenant_id — резолвит из auth-пользователя;
+    // баланс чужого тенанта неприкосновенен (defense-in-depth, паттерн проекта).
+    expect((string) $otherTenant->fresh()->balance_rub)->toBe('777.00');
+});
+
+test('POST /api/billing/topup отклоняет сумму ниже минимума 100 ₽', function () {
+    $this->postJson('/api/billing/topup', ['amount_rub' => 50])
+        ->assertStatus(422)
+        ->assertJsonValidationErrors('amount_rub');
+});
+
+test('POST /api/billing/topup отклоняет отсутствующую сумму', function () {
+    $this->postJson('/api/billing/topup', [])
+        ->assertStatus(422)
+        ->assertJsonValidationErrors('amount_rub');
+});
+
+test('POST /api/billing/topup отклоняет более 2 знаков после запятой', function () {
+    $this->postJson('/api/billing/topup', ['amount_rub' => 100.123])
+        ->assertStatus(422)
+        ->assertJsonValidationErrors('amount_rub');
+});
+
+test('POST /api/billing/topup без auth: 401', function () {
+    auth()->logout();
+    $this->postJson('/api/billing/topup', ['amount_rub' => 100])->assertStatus(401);
+});

app/tests/Feature/DashboardSummaryTest.php

@@ -0,0 +1,140 @@
+<?php
+
+declare(strict_types=1);
+
+use App\Models\Deal;
+use App\Models\Project;
+use App\Models\Tenant;
+use Carbon\Carbon;
+use Carbon\CarbonImmutable;
+use Illuminate\Foundation\Testing\DatabaseTransactions;
+
+uses(DatabaseTransactions::class);
+
+/**
+ * Вспомогательная функция: создать сделку с заданными параметрами.
+ *
+ * Фабрика Deal::factory() по умолчанию: received_at = now() (текущий месяц,
+ * партиция deals_2026_05 существует). is_test = false, deleted_at = null.
+ * Для тестовых дат subDays(1..6) — всё в мае 2026, партиция есть.
+ */
+function makeDashboardDeal(
+    Tenant $tenant,
+    Project $project,
+    string $status,
+    Carbon|CarbonImmutable $receivedAt,
+    ?Carbon $deletedAt = null,
+    bool $isTest = false,
+): Deal {
+    return Deal::factory()->create([
+        'tenant_id' => $tenant->id,
+        'project_id' => $project->id,
+        'status' => $status,
+        'received_at' => $receivedAt,
+        'deleted_at' => $deletedAt,
+        'is_test' => $isTest,
+    ]);
+}
+
+it('422 без tenant_id', function () {
+    $this->getJson('/api/dashboard/summary')->assertStatus(422);
+});
+
+it('404 для несуществующего тенанта', function () {
+    $this->getJson('/api/dashboard/summary?tenant_id=999999')->assertStatus(404);
+});
+
+it('возвращает структуру summary с range по умолчанию 7d', function () {
+    $tenant = Tenant::factory()->create([
+        'limits' => ['max_projects' => 10],
+        'balance_rub' => '14250.00',
+        'balance_leads' => 285,
+    ]);
+    $this->getJson("/api/dashboard/summary?tenant_id={$tenant->id}")
+        ->assertOk()
+        ->assertJsonPath('range', '7d')
+        ->assertJsonPath('balance.amount_rub', '14250.00')
+        ->assertJsonStructure([
+            'range',
+            'leads_received' => ['value', 'delta_pct', 'delta_dir'],
+            'conversion' => ['value', 'delta_pp', 'delta_dir'],
+            'active_projects' => ['active', 'limit'],
+            'balance' => ['amount_rub', 'runway_days', 'runway_leads'],
+            'activity' => ['points', 'labels', 'max'],
+            'funnel',
+        ]);
+});
+
+it('leads_received считает только сделки окна, без deleted и is_test', function () {
+    $tenant = Tenant::factory()->create();
+    $project = Project::factory()->create(['tenant_id' => $tenant->id]);
+    // 3 живые сделки в окне 7d + 1 deleted + 1 is_test + 1 вне окна (8 дней назад)
+    makeDashboardDeal($tenant, $project, 'new', now()->subDays(1));
+    makeDashboardDeal($tenant, $project, 'new', now()->subDays(2));
+    makeDashboardDeal($tenant, $project, 'paid', now()->subDays(3));
+    makeDashboardDeal($tenant, $project, 'new', now()->subDays(1), deletedAt: now());
+    makeDashboardDeal($tenant, $project, 'new', now()->subDays(1), isTest: true);
+    makeDashboardDeal($tenant, $project, 'new', now()->subDays(8));
+
+    $this->getJson("/api/dashboard/summary?tenant_id={$tenant->id}&range=7d")
+        ->assertOk()
+        ->assertJsonPath('leads_received.value', 3);
+});
+
+it('conversion = доля статуса paid в окне', function () {
+    $tenant = Tenant::factory()->create();
+    $project = Project::factory()->create(['tenant_id' => $tenant->id]);
+    makeDashboardDeal($tenant, $project, 'paid', now()->subDays(1));
+    makeDashboardDeal($tenant, $project, 'new', now()->subDays(1));
+    makeDashboardDeal($tenant, $project, 'new', now()->subDays(1));
+    makeDashboardDeal($tenant, $project, 'new', now()->subDays(1));
+    // 1 paid из 4 → 25.0%; PHP json_encode кодирует 25.0 как 25 (без дроби)
+    $this->getJson("/api/dashboard/summary?tenant_id={$tenant->id}")
+        ->assertOk()
+        ->assertJsonPath('conversion.value', 25);
+});
+
+it('active_projects считает archived_at IS NULL AND is_active=true + limit из limits', function () {
+    $tenant = Tenant::factory()->create(['limits' => ['max_projects' => 10]]);
+    Project::factory()->create(['tenant_id' => $tenant->id, 'archived_at' => null, 'is_active' => true]);
+    Project::factory()->create(['tenant_id' => $tenant->id, 'archived_at' => null, 'is_active' => true]);
+    Project::factory()->create(['tenant_id' => $tenant->id, 'archived_at' => now(), 'is_active' => true]);
+    Project::factory()->create(['tenant_id' => $tenant->id, 'archived_at' => null, 'is_active' => false]);
+    $this->getJson("/api/dashboard/summary?tenant_id={$tenant->id}")
+        ->assertOk()
+        ->assertJsonPath('active_projects.active', 2)
+        ->assertJsonPath('active_projects.limit', 10);
+});
+
+it('funnel группирует живые сделки по статусу', function () {
+    $tenant = Tenant::factory()->create();
+    $project = Project::factory()->create(['tenant_id' => $tenant->id]);
+    makeDashboardDeal($tenant, $project, 'new', now()->subDays(1));
+    makeDashboardDeal($tenant, $project, 'new', now()->subDays(1));
+    makeDashboardDeal($tenant, $project, 'paid', now()->subDays(1));
+    $this->getJson("/api/dashboard/summary?tenant_id={$tenant->id}")
+        ->assertOk()
+        ->assertJsonPath('funnel.new', 2)
+        ->assertJsonPath('funnel.paid', 1);
+});
+
+it('activity возвращает 7 точек и 7 меток', function () {
+    $tenant = Tenant::factory()->create();
+    $this->getJson("/api/dashboard/summary?tenant_id={$tenant->id}")
+        ->assertOk()
+        ->assertJsonCount(7, 'activity.points')
+        ->assertJsonCount(7, 'activity.labels');
+});
+
+it('runway_days использует фикс. 7д-окно независимо от range', function () {
+    // balance_leads = 70; 7 сделок за последние 7 дней → avgDaily=1 → runway=70.
+    // Баг: range=today → $curLeads=1 → avgDaily=1/7≈0.143 → runway≈490 (неверно).
+    $tenant = Tenant::factory()->create(['balance_leads' => 70]);
+    $project = Project::factory()->create(['tenant_id' => $tenant->id]);
+    for ($i = 0; $i <= 6; $i++) {
+        makeDashboardDeal($tenant, $project, 'new', now()->subDays($i));
+    }
+    $this->getJson("/api/dashboard/summary?tenant_id={$tenant->id}&range=today")
+        ->assertOk()
+        ->assertJsonPath('balance.runway_days', 70);
+});