docs(ПИЛОТ): снимок 19.06 — G1-G7 выкачены на боевой liderra.ru, метод/грабли/бэкапы

fix(G7-B): stray не-lpimp Bearer на sanctum-роуте → чистый 401 вместо 500 (нет таблицы PAT)
chore(G7-B): baseline Pest TestCall-ложноположительных для impersonation-тестов (0 продуктовых подавлений)
2026-06-19 19:29:33 +03:00 · 2026-06-19 17:35:53 +03:00 · 2026-06-19 17:25:28 +03:00 · 2026-06-19 17:09:59 +03:00 · 2026-06-19 17:04:48 +03:00 · 2026-06-19 16:51:21 +03:00
1103 changed files with 91539 additions and 22405 deletions
@@ -47,6 +47,16 @@ demo-*.jpeg
 # gitleaks
 gitleaks-report.json

+# ward (security-сканер) — отчёты в корне
+ward-report.*
+lychee-links-report.txt
+walk-*.png
+
+# ZAP active scan — сырые отчёты (анализ коммитится как .md, сырьё локально:
+# может содержать снимки ответов dev-приложения)
+docs/security/*-zap-active-scan.json
+docs/security/*-zap-active-scan.html
+
 # ── IDE / редакторы ─────────────────────────────────────────────────────────
 .vscode/*
 !.vscode/extensions.json
@@ -129,6 +139,7 @@ c--Users-*/
 # ── Временные файлы ─────────────────────────────────────────────────────────
 *.tmp
 *.bak
+.mcp.json.bak-*
 *.log
 tmp/
 .tmp/
@@ -202,3 +213,14 @@ ruflo-mcp-stderr.log
 .claude/commands/*
 !.claude/commands/security-review.md
 .claude/helpers/
+
+# ── Локальные бэкапы settings.json + эталон-снимки (M7 canon backups, local-only) ──
+.claude/arh settings/
+.claude/settings - *.json
+.claude/settings эталон*.json
+.claude/эталон/
+.claude/scheduled_tasks.lock
+/settings.json
+settings copy.json
+# Строчный Ctemp-дамп (CTemp* выше не ловит из-за регистра)
+Ctemp*
@@ -89,10 +89,17 @@ paths = [
  '''app/tests/.*\.php''',
  # Database seeders с демо-данными (admin@demo.local + +7916123XXXX демо-телефоны)
  '''app/database/seeders/.*\.php''',
+  # Database factories — генераторы тестовых фикстур (фейковые телефоны/ИНН,
+  # напр. TenantFactory::withRequisites +79150000000), не реальные ПДн. Та же
+  # категория, что seeders/tests.
+  '''app/database/factories/.*\.php''',
  # Audit-internal docs (findings/blocked/report/plan) — содержат демо-телефоны и
  # script-смешанные artifacts как finding'и для review (не реальные ПДн)
  '''docs/superpowers/audits/.*\.md''',
  '''docs/superpowers/plans/.*\.md''',
+  # Internal design specs — внутренние проектные доки с демо-данными (демо-телефоны
+  # в примерах, напр. spec про log-PII-scrubbing), не реальные ПДн. Как plans/audits.
+  '''docs/superpowers/specs/.*\.md''',
  # Mock-данные для UI-разводки фронтенда (фиктивные имена/телефоны)
  '''app/resources/js/composables/mockDeals\.ts''',
  # Vitest-тесты с assertion на mock-данные (mock-телефоны из mockDeals)
@@ -101,7 +108,10 @@ paths = [
  '''app/resources/js/views/settings/.*\.vue''',
  # Test fixtures for the observer PII filter — contains synthetic JWT / AWS /
  # Yandex tokens that the filter is supposed to redact. Not real secrets.
-  '''tools/observer-pii-filter\.test\.mjs'''
+  '''tools/observer-pii-filter\.test\.mjs''',
+  # Test fixture for the secret-scanner / read-path-deny (M5) — PEM-header marker +
+  # AWS EXAMPLE key, used to verify detection. Not a real key; file deleted in brain split.
+  '''tools/enforce-read-path-deny\.test\.mjs'''
 ]
 regexTarget = "match"
 regexes = [
@@ -54,8 +54,9 @@ exclude = [
  # Sample/примерные адреса
  "^https?://example\\.com",
  "^https?://example\\.org",
-  # Приватный репозиторий проекта (404 для анонимных запросов — это норма)
-  "^https?://github\\.com/CoralMinister/liderra",
+  # Покойный GitHub-аккаунт CoralMinister (suspended) — все ссылки на него мертвы:
+  # исторические compare/actions-runs в ПИЛОТ.md / handoffs / plans. Бэкап теперь Gitea.
+  "^https?://github\\.com/CoralMinister/",
  # web/v8/*.html — статические концепты, root-relative ссылки на будущие маршруты Vue
  "^/(login|register|legal|dashboard|deals|admin|reports|reminders|billing|impersonation|notifications)(/|$|\\?)",
  # Корневой `/` в концептах (логотип-якорь для будущей главной)
@@ -6,3 +6,4 @@ CLAUDE.md
 .claude/skills/ccpm/
 .claude/skills/data-scientist/
 .claude/skills/marketingskills/
+docs/superpowers/
@@ -54,6 +54,31 @@
      },
      "comment": "A3 integration-tooling #47 — OpenAPI MCP (ivo-toby/mcp-openapi-server, @ivotoby/openapi-mcp-server v1.14.0, MIT). Exposes Лидерра REST API endpoints (docs/api/openapi.yaml) as MCP tools. Config via env-vars API_BASE_URL + OPENAPI_SPEC_PATH (stdio transport default). READ scope: API discovery/introspection for Claude Code. Формализован в Tooling §4.22, PSR_v1 R10.1 блок 3, Pravila §13.2."
    },
+    "perplexity": {
+      "command": "npx",
+      "args": ["-y", "@perplexity-ai/mcp-server"],
+      "env": {
+        "PERPLEXITY_API_KEY": "${PERPLEXITY_API_KEY}",
+        "PERPLEXITY_BASE_URL": "https://api.aitunnel.ru/v1"
+      },
+      "comment": "research-tooling (Perplexity Pack) #87 — research-канал. Официальный @perplexity-ai/mcp-server (репо perplexityai/modelcontextprotocol), MIT, подписанная сборка. Tools: perplexity_search/ask/research/reason (sonar-*). ПЛАТНЫЙ API; ключ PERPLEXITY_API_KEY только в user env (не в репо). Вет ПРИНЯТ — docs/research/research-vet.md. Перенос plan-v13 2026-06-14 (owner waiver, Вариант 2)."
+    },
+    "exa": {
+      "command": "npx",
+      "args": ["-y", "exa-mcp-server"],
+      "env": {
+        "EXA_API_KEY": "${EXA_API_KEY}"
+      },
+      "comment": "research-tooling (Perplexity Pack) #88 — Exa нейро/семантический поиск. exa-mcp-server (репо exa-labs), MIT (license-поле npm пусто — см. вет). Tools: web_search_exa / web_fetch_exa (default). ПЛАТНЫЙ API; ключ EXA_API_KEY только в user env. Вет ПРИНЯТ — docs/research/research-vet.md."
+    },
+    "firecrawl": {
+      "command": "npx",
+      "args": ["-y", "firecrawl-mcp"],
+      "env": {
+        "FIRECRAWL_API_KEY": "${FIRECRAWL_API_KEY}"
+      },
+      "comment": "research-tooling (Perplexity Pack) #89 — Firecrawl глубокое чтение/обход. firecrawl-mcp (репо firecrawl/firecrawl-mcp-server), MIT, очень активен. Tools: scrape/crawl/extract + firecrawl_agent. ПЛАТНЫЙ API; ключ FIRECRAWL_API_KEY только в user env. Вет ПРИНЯТ — docs/research/research-vet.md."
+    },
    "_disabled_marketing_servers_note": "ОТКЛЮЧЕНЫ 2026-05-31 (владелец: «отрежь маркетинг»). Причина: их авто-генерируемые схемы (особенно wordstat — 128 tools из Яндекс.Директа) — главный подозреваемый в API 400 tools.110/113, ронявшем субагентов при bulk-load всех инструментов (subagent-driven-development). Серверы off-phase и без OAuth-токенов всё равно не стартовали. Полный конфиг — в git до этого коммита. Чтобы вернуть, восстановить три блока mcpServers: marketing-metrika (npx -y github:atomkraft/yandex-metrika-mcp; env YANDEX_OAUTH_TOKEN; READ-ONLY; Tooling §4.53), marketing-wordstat (npx -y github:SvechaPVL/yandex-mcp; env YANDEX_OAUTH_TOKEN; ТОЛЬКО Wordstat per IS9/MKT8; Tooling §4.54), marketing-telegram (npx -y github:chigwell/telegram-mcp; env TELEGRAM_API_ID/API_HASH/SESSION_STRING; выделенный аккаунт IS9; Tooling §4.51). См. docs/security/marketing-vet.md и docs/marketing/README.md.",
    "_comment_postiz_skeleton": "TODO: C1 marketing-tooling #81 — Postiz MCP (gitroomhq/postiz-app self-host + antoniolg/postiz-mcp). Активировать ПОСЛЕ: 1) развернуть Postiz self-hosted (git clone https://github.com/gitroomhq/postiz-app + docker-compose, AGPL-3.0: internal-only, no modifications); 2) провести vet лицензии antoniolg/postiz-mcp (NOT YET VERIFIED — см. docs/marketing/README.md Open vet notes); 3) подключить соцсети в Postiz UI. Будущий entry: \"marketing-postiz\": { \"command\": \"npx\", \"args\": [\"-y\", \"postiz-mcp\"], \"env\": { \"POSTIZ_API_URL\": \"${POSTIZ_API_URL}\", \"POSTIZ_API_KEY\": \"${POSTIZ_API_KEY}\" }, \"comment\": \"C1 #81 post-activation\" }. Tooling §4.52. docs/marketing/README.md."
  }
@@ -70,6 +70,8 @@ MAIL_USERNAME=null
 MAIL_PASSWORD=null
 MAIL_FROM_ADDRESS="hello@example.com"
 MAIL_FROM_NAME="${APP_NAME}"
+SUPPORT_EMAIL=support@liderra.app
+JIVO_WIDGET_ID=

 AWS_ACCESS_KEY_ID=
 AWS_SECRET_ACCESS_KEY=
@@ -0,0 +1,119 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Console\Commands\Pd;
+
+use App\Models\SystemSetting;
+use Carbon\CarbonImmutable;
+use Illuminate\Console\Command;
+use Illuminate\Database\Query\Builder;
+use Illuminate\Support\Facades\DB;
+
+/**
+ * F-P1 / 152-ФЗ ретеншен: анонимизирует ПДн soft-deleted сделок по истечении
+ * настраиваемого срока (спека 2026-06-17-fp1-deal-pii-retention-spec).
+ *
+ * Срок (дней) — в system_settings, ключ `pd_scrub_soft_deleted_deals_days`.
+ * Отсутствие ключа или значение < 1 → no-op (юридический срок не зашит в код,
+ * выставляется на проде). Паттерн безопасности идентичен PartitionsDropExpired.
+ *
+ * Значения анонимизации идентичны PdErasureService::eraseSubject. Работает
+ * cross-tenant через pgsql_supplier (BYPASSRLS). Идемпотентно: уже затёртые
+ * (phone = ANON_PHONE) исключаются из выборки.
+ */
+class ScrubSoftDeletedDealsCommand extends Command
+{
+    private const DB = 'pgsql_supplier';
+
+    private const SETTING_KEY = 'pd_scrub_soft_deleted_deals_days';
+
+    private const ANON_PHONE = '+7000XXXXXXX';
+
+    private const ANON_NAME = 'Удалено';
+
+    /** @var string */
+    protected $signature = 'pd:scrub-soft-deleted-deals
+                            {--dry-run : Показать число кандидатов, не анонимизировать}';
+
+    /** @var string */
+    protected $description = 'Анонимизирует ПДн (телефон/имя) soft-deleted сделок старше retention-срока (152-ФЗ, F-P1)';
+
+    public function handle(): int
+    {
+        $days = $this->resolveRetentionDays();
+
+        if ($days === null) {
+            $this->line('<fg=gray>skip</> retention не настроен (system_settings.'.self::SETTING_KEY.' отсутствует или < 1).');
+
+            return self::SUCCESS;
+        }
+
+        $cutoff = CarbonImmutable::now()->subDays($days);
+        $candidates = $this->candidateQuery($cutoff)->count();
+
+        if ($this->option('dry-run')) {
+            $this->line("<fg=yellow>[dry-run]</> кандидатов на анонимизацию: {$candidates} (deleted_at старше {$days} дн.)");
+
+            return self::SUCCESS;
+        }
+
+        if ($candidates === 0) {
+            $this->info("Кандидатов на анонимизацию нет (retention={$days} дн.).");
+
+            return self::SUCCESS;
+        }
+
+        $now = CarbonImmutable::now();
+
+        // Bulk-UPDATE атомарен одним SQL; лог — одна summary-запись. Явная
+        // транзакция не нужна и несовместима с shared-PDO в тестах
+        // (pgsql_supplier делит сессию с уже открытой транзакцией pgsql).
+        $this->candidateQuery($cutoff)->update([
+            'phone' => self::ANON_PHONE,
+            'contact_name' => self::ANON_NAME,
+            'phones' => null,
+            'updated_at' => $now,
+        ]);
+
+        // Системное действие: оба actor-поля NULL (допускается chk_pd_actor).
+        // log_hash заполняется триггером цепочки целостности.
+        DB::connection(self::DB)->table('pd_processing_log')->insert([
+            'tenant_id' => null,
+            'subject_type' => 'deal',
+            'subject_id' => null,
+            'action' => 'deleted',
+            'purpose' => '152-FZ retention scrub',
+            'actor_tenant_user_id' => null,
+            'actor_admin_user_id' => null,
+            'created_at' => $now,
+        ]);
+
+        $this->info("Анонимизировано сделок: {$candidates} (retention={$days} дн.).");
+
+        return self::SUCCESS;
+    }
+
+    /** Кандидаты: soft-deleted старше cutoff, ещё не анонимизированные. */
+    private function candidateQuery(CarbonImmutable $cutoff): Builder
+    {
+        return DB::connection(self::DB)->table('deals')
+            ->whereNotNull('deleted_at')
+            ->where('deleted_at', '<', $cutoff)
+            ->where('phone', '<>', self::ANON_PHONE);
+    }
+
+    /** Срок ретеншена из system_settings; null если ключа нет или значение < 1. */
+    private function resolveRetentionDays(): ?int
+    {
+        $setting = SystemSetting::find(self::SETTING_KEY);
+
+        if ($setting === null) {
+            return null;
+        }
+
+        $value = (int) $setting->value;
+
+        return $value >= 1 ? $value : null;
+    }
+}
@@ -6,6 +6,7 @@ namespace App\Console\Commands;

 use App\Support\RussianRegions;
 use Illuminate\Console\Command;
+use Illuminate\Database\Connection;
 use Illuminate\Support\Facades\DB;
 use OpenSpout\Reader\XLSX\Reader as XlsxReader;

@@ -100,7 +101,10 @@ class PhoneRangesImportCommand extends Command
            $rows = [];
            foreach ($files as $file) {
                foreach ($this->parseFile($file) as $rec) {
-                    $subjectCode = RussianRegions::nameToCode()[trim($rec['region'])] ?? null;
+                    $regionNormalized = RussianRegions::canonicalRegionName($rec['region']);
+                    $subjectCode = $regionNormalized === null
+                        ? null
+                        : (RussianRegions::nameToCode()[$regionNormalized] ?? null);
                    if ($subjectCode === null && trim($rec['region']) !== '') {
                        $unmatched[trim($rec['region'])] = true;
                    }
@@ -110,6 +114,7 @@ class PhoneRangesImportCommand extends Command
                        'to_num' => $rec['to_num'],
                        'operator' => $rec['operator'],
                        'region' => $rec['region'],
+                        'region_normalized' => $regionNormalized,
                        'subject_code' => $subjectCode,
                        'imported_at' => now(),
                        'import_id' => $importId,
@@ -118,7 +123,7 @@ class PhoneRangesImportCommand extends Command
            }

            // 5. Сборка staging.
-            $this->buildStaging($rows);
+            $this->buildStaging($rows, $importId);

            $unmatchedNote = $unmatched === []
                ? ''
@@ -131,7 +136,7 @@ class PhoneRangesImportCommand extends Command
                    'error' => trim('dry-run (swap не выполнен). '.$unmatchedNote),
                    'completed_at' => now(),
                ]);
-                $this->info('dry-run: '.count($rows)." строк в phone_ranges_staging, swap не выполнен.");
+                $this->info('dry-run: '.count($rows).' строк в phone_ranges_staging, swap не выполнен.');
                if ($unmatchedNote !== '') {
                    $this->warn($unmatchedNote);
                }
@@ -167,7 +172,7 @@ class PhoneRangesImportCommand extends Command
    }

    /**
-     * @return list<string>|null  Список файлов или null при ошибке валидации опций.
+     * @return list<string>|null Список файлов или null при ошибке валидации опций.
     */
    private function resolveFiles(): ?array
    {
@@ -290,7 +295,7 @@ class PhoneRangesImportCommand extends Command
     */
    private function parseXlsx(string $path): array
    {
-        $reader = new XlsxReader();
+        $reader = new XlsxReader;
        $reader->open($path);

        $out = [];
@@ -367,15 +372,27 @@ class PhoneRangesImportCommand extends Command
    /**
     * Собирает phone_ranges_staging (LIKE phone_ranges) и заливает строки.
     *
+     * id: НЕ копируем серийный default через INCLUDING DEFAULTS — он ссылается на
+     * исходную последовательность phone_ranges, которую atomic-swap уничтожает
+     * (DROP phone_ranges_old CASCADE) после первого импорта, оставляя staging.id
+     * без default (NOT NULL violation на повторном импорте). Вместо этого даём
+     * staging собственную последовательность с уникальным по import_id именем,
+     * OWNED BY колонкой id → она переезжает при RENAME и дропается вместе со
+     * старой таблицей (без коллизий имён и без утечки последовательностей).
+     *
     * @param  list<array<string, mixed>>  $rows
     */
-    private function buildStaging(array $rows): void
+    private function buildStaging(array $rows, int $importId): void
    {
        $c = DB::connection(self::DDL_CONNECTION);
        $this->elevate($c);

+        $seq = "phone_ranges_stg_seq_{$importId}";
        $c->statement('DROP TABLE IF EXISTS phone_ranges_staging CASCADE');
-        $c->statement('CREATE TABLE phone_ranges_staging (LIKE phone_ranges INCLUDING DEFAULTS INCLUDING CONSTRAINTS)');
+        $c->statement('CREATE TABLE phone_ranges_staging (LIKE phone_ranges INCLUDING CONSTRAINTS)');
+        $c->statement("CREATE SEQUENCE {$seq}");
+        $c->statement("ALTER TABLE phone_ranges_staging ALTER COLUMN id SET DEFAULT nextval('{$seq}')");
+        $c->statement("ALTER SEQUENCE {$seq} OWNED BY phone_ranges_staging.id");
        $c->statement('CREATE INDEX IF NOT EXISTS idx_phone_ranges_staging_lookup ON phone_ranges_staging (def_code, from_num, to_num)');

        foreach (array_chunk($rows, self::INSERT_CHUNK) as $chunk) {
@@ -414,7 +431,7 @@ class PhoneRangesImportCommand extends Command
     * SET ROLE crm_migrator для корректного ownership на проде; на dev/test роль
     * отсутствует → RESET и работаем как superuser (зеркало миграционного паттерна).
     */
-    private function elevate(\Illuminate\Database\Connection $c): void
+    private function elevate(Connection $c): void
    {
        try {
            $c->statement('SET ROLE crm_migrator');
@@ -1,110 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Console\Commands;
-
-use App\Models\Reminder;
-use App\Services\NotificationService;
-use Illuminate\Console\Command;
-use Illuminate\Support\Carbon;
-use Illuminate\Support\Facades\DB;
-
-/**
- * Cron-команда диспатча due-reminders.
- *
- * Идёт по `reminders` где `is_sent=false AND completed_at IS NULL AND
- * remind_at <= NOW()`. Для каждой строки:
- *   1) NotificationService::notifyReminder (email + inapp по prefs);
- *   2) UPDATE is_sent=true, sent_at=NOW().
- *
- * RLS: SET LOCAL app.current_tenant_id = reminder.tenant_id внутри
- * транзакции каждой обработки (по одному reminder в транзакции — иначе
- * нельзя переключить tenant между строками с разных tenant'ов).
- *
- * Запускается каждую минуту через Windows Task Scheduler / cron.
- * Идемпотентна: повторный вызов на отправленных ($is_sent=true) skipаются.
- *
- * --dry-run печатает плановых получателей без реальных INSERT'ов.
- *
- * Источник: db/schema.sql §17.5; ТЗ §6.6 / §18.5.
- */
-class RemindersDispatchDue extends Command
-{
-    /** @var string */
-    protected $signature = 'reminders:dispatch-due
-        {--dry-run : Не отправлять, только напечатать список плановых получателей}
-        {--limit=500 : Максимум reminders за один запуск}';
-
-    /** @var string */
-    protected $description = 'Диспатч due-reminders: email/inapp уведомления + is_sent=true (ТЗ §18.5)';
-
-    public function handle(NotificationService $service): int
-    {
-        $dryRun = (bool) $this->option('dry-run');
-        $limit = max(1, (int) $this->option('limit'));
-        $now = Carbon::now();
-
-        // Cross-tenant gather via BYPASSRLS connection — on prod crm_app_user cannot
-        // call current_setting('app.current_tenant_id') without a GUC set first.
-        // pgsql_supplier (crm_supplier_worker, BYPASSRLS) is the canonical pattern
-        // for SaaS-admin cron queries (precedent: IncidentsWatchFailures, Reset*).
-        $rows = DB::connection('pgsql_supplier')
-            ->table('reminders')
-            ->select(['id', 'tenant_id', 'deal_id', 'remind_at'])
-            ->where('is_sent', false)
-            ->whereNull('completed_at')
-            ->where('remind_at', '<=', $now)
-            ->orderBy('remind_at')
-            ->limit($limit)
-            ->get();
-
-        if ($rows->isEmpty()) {
-            $this->info('Нет due-reminders.');
-
-            return self::SUCCESS;
-        }
-
-        $sent = 0;
-        $failed = 0;
-
-        foreach ($rows as $row) {
-            if ($dryRun) {
-                $this->line(sprintf(
-                    '  would dispatch <fg=yellow>id=%d</> tenant=%d deal=%d remind_at=%s',
-                    $row->id,
-                    $row->tenant_id,
-                    $row->deal_id,
-                    $row->remind_at ?? '-',
-                ));
-
-                continue;
-            }
-
-            try {
-                DB::transaction(function () use ($row, $service): void {
-                    // SET LOCAL scopes GUC to this transaction — PgBouncer-safe.
-                    DB::statement('SET LOCAL app.current_tenant_id = '.(int) $row->tenant_id);
-                    // Fetch the full Eloquent model with tenant context active so
-                    // relations (user, etc.) work correctly inside NotificationService.
-                    $reminder = Reminder::query()->findOrFail((int) $row->id);
-                    $service->notifyReminder($reminder);
-                    $reminder->update([
-                        'is_sent' => true,
-                        'sent_at' => Carbon::now(),
-                    ]);
-                });
-                $sent++;
-                $this->info("  dispatched <fg=green>id={$row->id}</>");
-            } catch (\Throwable $e) {
-                $failed++;
-                $this->error("  failed <fg=red>id={$row->id}</>: {$e->getMessage()}");
-            }
-        }
-
-        $this->newLine();
-        $this->info("Done: {$sent} sent, {$failed} failed (limit={$limit}, dry-run=".($dryRun ? '1' : '0').').');
-
-        return self::SUCCESS;
-    }
-}
@@ -28,7 +28,7 @@ final class SnapshotBackfillCommand extends Command
        $weekdayBit = 1 << ($date->isoWeekday() - 1);

        $count = DB::connection('pgsql_supplier')->transaction(function () use ($dateStr, $weekdayBit) {
-            return DB::connection('pgsql_supplier')->insert(<<<SQL
+            return DB::connection('pgsql_supplier')->insert(<<<'SQL'
                INSERT INTO project_routing_snapshots (
                    snapshot_date, project_id, tenant_id,
                    daily_limit, delivery_days_mask, regions,
@@ -47,7 +47,7 @@ final class SnapshotRebuildCommand extends Command
            ->where('snapshot_date', $dateStr)
            ->delete();

-        $inserted = DB::connection('pgsql_supplier')->insert(<<<SQL
+        $inserted = DB::connection('pgsql_supplier')->insert(<<<'SQL'
            INSERT INTO project_routing_snapshots (
                snapshot_date, project_id, tenant_id,
                daily_limit, delivery_days_mask, regions,
@@ -7,8 +7,8 @@ namespace App\Http\Controllers\Api;
 use App\Http\Controllers\Concerns\WritesAuthLog;
 use App\Http\Controllers\Controller;
 use App\Http\Requests\Auth\LoginRequest;
-use App\Http\Requests\Auth\RegisterRequest;
 use App\Mail\SuspiciousLoginNotification;
+use App\Models\ImpersonationToken;
 use App\Models\Tenant;
 use App\Models\User;
 use App\Services\NotificationService;
@@ -131,46 +131,25 @@ class AuthController extends Controller
        ]);
    }

-    public function register(RegisterRequest $request): JsonResponse
-    {
-        // На MVP — attach нового user'а к первому tenant'у (для UI-разводки).
-        // Production: wizard с tenant_name + ИНН + создание Tenant + первый user owner-роли.
-        $tenant = Tenant::first();
-        if (! $tenant) {
-            return response()->json([
-                'message' => 'Tenants не настроены. Обратитесь к администратору.',
-            ], 503);
-        }
-
-        $user = User::create([
-            'tenant_id' => $tenant->id,
-            'email' => $request->string('email')->toString(),
-            'password_hash' => Hash::make($request->string('password')->toString()),
-            'first_name' => 'Новый',
-            'last_name' => 'Пользователь',
-            'is_active' => true,
-            'totp_enabled' => false,
-        ]);
-
-        Auth::login($user);
-        $request->session()->regenerate();
-
-        $this->logAuthEvent('register_success', $user->id, $user->tenant_id, $user->email, $request->ip(), $request->userAgent(), null);
-
-        return response()->json([
-            'user' => $this->userResource($user),
-            'requires_2fa' => false,
-        ], 201);
-    }
-
    public function me(Request $request): JsonResponse
    {
        /** @var User $user */
        $user = $request->user();
+        $resource = $this->userResource($user);

-        return response()->json([
-            'user' => $this->userResource($user),
-        ]);
+        $marker = $request->hasSession() ? $request->session()->get('impersonation') : null;
+        if ($marker !== null) {
+            $token = ImpersonationToken::on('pgsql_supplier')->find($marker['token_id']);
+            $tenant = $token?->tenant;
+            $resource['impersonation'] = [
+                'active' => true,
+                'tenant_name' => $tenant?->organization_name,
+                'started_at' => $marker['started_at'] ?? null,
+                'expires_at' => $token?->sessionExpiresAt()?->toIso8601String(),
+            ];
+        }
+
+        return response()->json(['user' => $resource]);
    }

    public function logout(Request $request): JsonResponse
@@ -13,6 +13,7 @@ use App\Models\User;
 use App\Repositories\PricingTierRepository;
 use App\Services\Billing\BalanceToLeadsConverter;
 use App\Services\Billing\BillingTopupService;
+use App\Services\Billing\RunwayCalculator;
 use Illuminate\Database\Eloquent\Collection;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
@@ -316,21 +317,8 @@ class BillingController extends Controller
     */
    private function runwayDays(Tenant $tenant, int $affordableLeads): ?int
    {
-        if ($affordableLeads <= 0) {
-            return 0;
-        }
-
-        $leadsLast30Days = (int) DB::table('lead_charges')
-            ->where('tenant_id', $tenant->id)
-            ->where('charged_at', '>=', now()->subDays(30))
-            ->count();
-
-        if ($leadsLast30Days <= 0) {
-            return null;
-        }
-
-        $avgPerDay = $leadsLast30Days / 30.0;
-
-        return max(0, (int) floor($affordableLeads / $avgPerDay));
+        // F3 (17.06.2026): единый источник расчёта — RunwayCalculator (общий с дашбордом),
+        // чтобы прогноз «хватит на дни» не расходился между биллингом и дашбордом.
+        return app(RunwayCalculator::class)->daysLeft((int) $tenant->id, $affordableLeads);
    }
 }
@@ -6,6 +6,10 @@ namespace App\Http\Controllers\Api;

 use App\Http\Controllers\Controller;
 use App\Models\Tenant;
+use App\Repositories\PricingTierRepository;
+use App\Services\Billing\BalanceToLeadsConverter;
+use App\Services\Billing\RunwayCalculator;
+use Carbon\Carbon;
 use Carbon\CarbonImmutable;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
@@ -103,13 +107,32 @@ class DashboardController extends Controller
                ->map(fn ($c) => (int) $c)
                ->toArray();

-            // --- runway ---
-            // runway опирается на приток за фиксированное 7-дневное окно,
-            // независимо от выбранного range (для today/30d $curLeads — не 7-дневный).
-            $leads7d = (clone $base())->whereBetween('received_at', [$now->subDays(7), $now])->count();
-            $avgDaily = $leads7d / 7.0;
-            $balanceLeads = (int) ($tenant->balance_leads ?? 0);
-            $runwayDays = $avgDaily > 0 ? (int) floor($balanceLeads / $avgDaily) : 0;
+            // --- runway (F3, 17.06.2026: единый источник с биллингом) ---
+            // Раньше дашборд считал от legacy `balance_leads` (после Billing v2 ≈0
+            // для рублёвых тенантов) → расходился с биллингом «0 дней ↔ N дней».
+            // Теперь — affordable leads от рублёвого баланса по тарифу
+            // (BalanceToLeadsConverter) + общий RunwayCalculator.
+            $activeTiers = app(PricingTierRepository::class)
+                ->activeAt(Carbon::now('Europe/Moscow'));
+            $conversion = app(BalanceToLeadsConverter::class)->convert(
+                (string) $tenant->balance_rub,
+                (int) ($tenant->delivered_in_month ?? 0),
+                $activeTiers,
+            );
+            $affordableLeads = (int) $conversion['leads'];
+            $runwayDays = app(RunwayCalculator::class)
+                ->daysLeft($tenantId, $affordableLeads) ?? 0;
+
+            // --- средняя стоимость лида (F5): среднее фактически списанных rub-сумм
+            // за окно периода. Только charge_source='rub' (у prepaid цена 0 по CHECK —
+            // иначе среднее занижается); источник тот же, что у карточки сделки (F2).
+            // null, если в окне нет rub-списаний (ничего ещё не списано).
+            $avgKopecks = DB::table('lead_charges')
+                ->where('tenant_id', $tenantId)
+                ->where('charge_source', 'rub')
+                ->whereBetween('charged_at', [$windowStart, $now])
+                ->avg('price_per_lead_kopecks');
+            $avgLeadCostRub = $avgKopecks !== null ? round((float) $avgKopecks / 100, 2) : null;

            return [
                'range' => $range,
@@ -119,10 +142,11 @@ class DashboardController extends Controller
                'balance' => [
                    'amount_rub' => (string) $tenant->balance_rub,
                    'runway_days' => $runwayDays,
-                    'runway_leads' => $balanceLeads,
+                    'runway_leads' => $affordableLeads,
                ],
                'activity' => ['points' => $points, 'labels' => $labels, 'max' => $axisMax],
                'funnel' => (object) $funnel,
+                'avg_lead_cost_rub' => $avgLeadCostRub,
            ];
        });

@@ -7,6 +7,7 @@ namespace App\Http\Controllers\Api;
 use App\Http\Controllers\Controller;
 use App\Models\ActivityLog;
 use App\Models\Deal;
+use App\Models\LeadCharge;
 use App\Models\Project;
 use App\Models\SupplierLeadCost;
 use App\Models\User;
@@ -102,13 +103,6 @@ class DealController extends Controller
            // whereNotNull('deleted_at') фильтрует только удалённые.
            $query = Deal::query()
                ->select('deals.*')
-                ->addSelect(['next_reminder_at' => DB::table('reminders')
-                    ->select('remind_at')
-                    ->whereColumn('reminders.deal_id', 'deals.id')
-                    ->whereNull('reminders.completed_at')
-                    ->orderBy('remind_at')
-                    ->limit(1),
-                ])
                ->where('tenant_id', $tenantId)
                ->with(['project:id,name,signal_type,signal_identifier,sms_keyword,sms_senders', 'manager:id,email,first_name,last_name']);

@@ -217,9 +211,6 @@ class DealController extends Controller
                'project_signal_identifier' => $d->project?->signal_identifier,
                'project_sms_keyword' => $d->project?->sms_keyword,
                'project_sms_senders' => $d->project?->sms_senders,
-                'next_reminder_at' => $d->next_reminder_at
-                    ? Carbon::parse($d->next_reminder_at)->toIso8601String()
-                    : null,
            ]),
            'limit' => $limit,
            'next_cursor' => $nextCursor,
@@ -246,7 +237,7 @@ class DealController extends Controller
    {
        $tenantId = (int) $request->user()->tenant_id;

-        [$deal, $events] = DB::transaction(function () use ($tenantId, $id) {
+        [$deal, $events, $charge] = DB::transaction(function () use ($tenantId, $id) {
            DB::statement('SET LOCAL app.current_tenant_id = '.$tenantId);

            $deal = Deal::query()
@@ -256,7 +247,7 @@ class DealController extends Controller
                ->first();

            if ($deal === null) {
-                return [null, []];
+                return [null, [], null];
            }

            $events = ActivityLog::query()
@@ -268,7 +259,14 @@ class DealController extends Controller
                ->limit(50)
                ->get();

-            return [$deal, $events];
+            // F2: реальная стоимость лида — снимок списания из lead_charges
+            // (rub-провенанс). Запрос в транзакции, где выставлен app.current_tenant_id.
+            $charge = LeadCharge::query()
+                ->where('tenant_id', $tenantId)
+                ->where('deal_id', $id)
+                ->first();
+
+            return [$deal, $events, $charge];
        });

        if ($deal === null) {
@@ -309,6 +307,8 @@ class DealController extends Controller
                'project_signal_identifier' => $deal->project?->signal_identifier,
                'project_sms_keyword' => $deal->project?->sms_keyword,
                'project_sms_senders' => $deal->project?->sms_senders,
+                // F2: стоимость лида = снимок rub-списания (копейки) или null (prepaid/не списано).
+                'cost_kopecks' => ($charge && $charge->charge_source === 'rub') ? $charge->price_per_lead_kopecks : null,
            ],
            'events' => $events->map(fn (ActivityLog $e) => [
                'id' => $e->id,
@@ -5,12 +5,19 @@ declare(strict_types=1);
 namespace App\Http\Controllers\Api;

 use App\Http\Controllers\Controller;
+use App\Mail\ImpersonationCodeMail;
+use App\Mail\ImpersonationEndedMail;
 use App\Models\ImpersonationToken;
 use App\Models\Tenant;
+use App\Models\User;
 use App\Services\Pd\ImpersonationAuditService;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Facades\Log;
+use Illuminate\Support\Facades\Mail;
+use Illuminate\Support\Str;

 /**
 * SaaS-admin impersonation flow (ТЗ §22.7 / Ю-1).
@@ -39,6 +46,8 @@ class ImpersonationController extends Controller

    private const MAX_FAILED_ATTEMPTS = 5;

+    private const SESSION_TTL_MINUTES = 60;
+
    /**
     * SaaS-admin — кросс-тенантная зона: запросы к impersonation_tokens / tenants
     * идут через BYPASSRLS-подключение pgsql_supplier (роль crm_supplier_worker).
@@ -134,7 +143,12 @@ class ImpersonationController extends Controller

        $audit->recordInit($token, adminId: $requestedBy, ip: $request->ip());

-        // TODO: отправить email на $tenant->contact_email с $plainCode.
+        try {
+            Mail::to((string) $tenant->contact_email)
+                ->queue(new ImpersonationCodeMail($plainCode, (string) $tenant->contact_email));
+        } catch (\Throwable $e) {
+            Log::warning('impersonation init: не удалось поставить письмо с кодом: '.$e->getMessage());
+        }
        $payload = [
            'token_id' => $token->id,
            'expires_at' => $token->expires_at->toIso8601String(),
@@ -190,10 +204,33 @@ class ImpersonationController extends Controller
            ], 422);
        }

-        // Success: mark used. Создание saas_admin_session с
-        // impersonating_token_id — отдельный коммит после saas-admin auth.
+        // Success: целевой пользователь тенанта = самый ранний активный.
+        $targetUser = User::on(self::DB_CONNECTION)
+            ->where('tenant_id', $token->tenant_id)
+            ->where('is_active', true)
+            ->orderBy('id')
+            ->first();
+
+        if ($targetUser === null) {
+            return response()->json(['message' => 'У тенанта нет активного пользователя для входа.'], 422);
+        }
+
+        // Машинный ключ для ИИ: lpimp_<id>_<secret>. Храним только хеш секрета.
+        $secret = Str::random(48);
+        $machineToken = 'lpimp_'.$token->id.'_'.$secret;
+
        $token->update([
            'used_at' => now(),
+            'session_token_hash' => Hash::make($secret),
+        ]);
+
+        // Путь человека: логиним браузер целевым пользователем + маркер impersonation в сессию.
+        Auth::login($targetUser);
+        $request->session()->put('impersonation', [
+            'token_id' => $token->id,
+            'tenant_id' => $token->tenant_id,
+            'target_user_id' => $targetUser->id,
+            'started_at' => now()->toIso8601String(),
        ]);

        $audit->recordVerify($token, adminId: (int) $token->requested_by, ip: $request->ip());
@@ -202,6 +239,8 @@ class ImpersonationController extends Controller
            'token_id' => $token->id,
            'tenant_id' => $token->tenant_id,
            'used_at' => $token->used_at->toIso8601String(),
+            'expires_at' => $token->sessionExpiresAt(self::SESSION_TTL_MINUTES)->toIso8601String(),
+            'machine_token' => $machineToken,
            'message' => 'Impersonation начат. Сессия активна 1 час.',
        ]);
    }
@@ -232,7 +271,12 @@ class ImpersonationController extends Controller

        $audit->recordEnd($token, adminId: (int) $token->requested_by, ip: $request->ip());

-        // TODO: уведомление клиенту по email о завершении (как и в init flow).
+        try {
+            Mail::to((string) $token->sent_to_email)
+                ->queue(new ImpersonationEndedMail((string) $token->sent_to_email));
+        } catch (\Throwable $e) {
+            Log::warning('impersonation end mail: '.$e->getMessage());
+        }

        return response()->json([
            'token_id' => $token->id,
@@ -240,4 +284,35 @@ class ImpersonationController extends Controller
            'message' => 'Impersonation завершён.',
        ]);
    }
+
+    /**
+     * POST /api/impersonation/leave — завершить свою impersonation-сессию из кабинета.
+     *
+     * Маркер `impersonation` из сессии НЕ удаляется здесь намеренно:
+     * ImpersonationContext (global web middleware) на следующем запросе
+     * обнаружит isSessionActive()=false и вернёт 401 явно, не доходя до auth:sanctum.
+     * Это обеспечивает корректный 401 как в реальном браузере, так и в тест-среде
+     * (где Auth::guard('web')->logout() может не повлиять на кэш sanctum-guard).
+     */
+    public function leave(Request $request, ImpersonationAuditService $audit): JsonResponse
+    {
+        $marker = $request->session()->get('impersonation');
+        if ($marker === null) {
+            return response()->json(['message' => 'Сессия impersonation не активна.'], 422);
+        }
+
+        $token = ImpersonationToken::on(self::DB_CONNECTION)->find($marker['token_id']);
+        if ($token !== null && $token->session_ended_at === null) {
+            $token->update(['session_ended_at' => now()]);
+            $audit->recordEnd($token, adminId: (int) $token->requested_by, ip: $request->ip());
+            try {
+                Mail::to((string) $token->sent_to_email)
+                    ->queue(new ImpersonationEndedMail((string) $token->sent_to_email));
+            } catch (\Throwable $e) {
+                Log::warning('impersonation leave mail: '.$e->getMessage());
+            }
+        }
+
+        return response()->json(['message' => 'Вы вышли из режима поддержки.']);
+    }
 }
@@ -15,6 +15,7 @@ use App\Models\Project;
 use App\Models\Tenant;
 use App\Services\Billing\BalancePreflightService;
 use App\Services\Project\ProjectService;
+use App\Services\Requisites\RequisitesService;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;

@@ -29,7 +30,10 @@ use Illuminate\Http\Request;
 */
 class ProjectController extends Controller
 {
-    public function __construct(private readonly ProjectService $projects) {}
+    public function __construct(
+        private readonly ProjectService $projects,
+        private readonly RequisitesService $requisites,
+    ) {}

    /** GET /api/projects */
    public function index(Request $request): JsonResponse
@@ -122,6 +126,13 @@ class ProjectController extends Controller
    {
        $validated = $request->validated();
        $tenant = $request->user()->tenant;
+
+        // G1/SP2: гейт первого проекта — нельзя создать первый проект без минимальных реквизитов.
+        if (Project::where('tenant_id', $tenant->id)->count() === 0
+            && ! $this->requisites->isLightComplete($tenant)) {
+            return response()->json(['error' => 'requisites_required'], 422);
+        }
+
        $forceSaveBlocked = (bool) ($validated['force_save_blocked'] ?? false);
        unset($validated['force_save_blocked']);

@@ -0,0 +1,121 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers\Api;
+
+use App\Http\Controllers\Concerns\WritesAuthLog;
+use App\Http\Controllers\Controller;
+use App\Http\Requests\Auth\ConfirmEmailRequest;
+use App\Http\Requests\Auth\RegisterRequest;
+use App\Http\Requests\Auth\ResendCodeRequest;
+use App\Models\User;
+use App\Services\Auth\RegistrationException;
+use App\Services\Auth\RegistrationService;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Support\Facades\Auth;
+
+/**
+ * Самозапись клиента (G1/SP1): register → confirm-email → (вход).
+ * Подтверждение почты 6-значным кодом; новый тенант создаётся в статусе
+ * pending_email_confirm, активируется и получает 300 ₽ при подтверждении.
+ */
+class RegistrationController extends Controller
+{
+    use WritesAuthLog;
+
+    public function register(RegisterRequest $request, RegistrationService $service): JsonResponse
+    {
+        try {
+            $result = $service->register(
+                $request->string('email')->toString(),
+                $request->string('password')->toString(),
+                $request->input('captcha_token'),
+                $request->ip(),
+            );
+        } catch (RegistrationException $e) {
+            return $this->registrationError($e);
+        }
+
+        $payload = [
+            'status' => $result['status'],
+            'email' => $result['user']->email,
+            'expires_at' => $result['verification']->expires_at->toIso8601String(),
+        ];
+        if ($result['dev_code'] !== null) {
+            $payload['_dev_plain_code'] = $result['dev_code'];
+        }
+
+        return response()->json($payload, 201);
+    }
+
+    public function confirmEmail(ConfirmEmailRequest $request, RegistrationService $service): JsonResponse
+    {
+        try {
+            $user = $service->confirm(
+                $request->string('email')->toString(),
+                $request->string('code')->toString(),
+            );
+        } catch (RegistrationException $e) {
+            $payload = ['message' => 'Код подтверждения недействителен.', 'reason' => $e->reason];
+            if ($e->attemptsRemaining !== null) {
+                $payload['attempts_remaining'] = $e->attemptsRemaining;
+            }
+
+            return response()->json($payload, 422);
+        }
+
+        Auth::login($user);
+        $request->session()->regenerate();
+        $this->logAuthEvent('register_success', $user->id, $user->tenant_id, $user->email, $request->ip(), $request->userAgent(), null);
+
+        return response()->json([
+            'user' => $this->userResource($user),
+            'requires_2fa' => false,
+        ]);
+    }
+
+    public function resendCode(ResendCodeRequest $request, RegistrationService $service): JsonResponse
+    {
+        $devCode = $service->resend($request->string('email')->toString());
+
+        $payload = ['message' => 'Если аккаунт ожидает подтверждения, мы отправили новый код на указанный email.'];
+        if ($devCode !== null) {
+            $payload['_dev_plain_code'] = $devCode;
+        }
+
+        return response()->json($payload);
+    }
+
+    private function registrationError(RegistrationException $e): JsonResponse
+    {
+        $map = [
+            'captcha_failed' => ['captcha_token', 'Проверка «я не робот» не пройдена.'],
+            'email_taken' => ['email', 'Аккаунт с таким email уже существует.'],
+        ];
+        [$field, $message] = $map[$e->reason] ?? ['email', 'Не удалось зарегистрировать аккаунт.'];
+
+        return response()->json([
+            'message' => $message,
+            'errors' => [$field => [$message]],
+        ], 422);
+    }
+
+    /** @return array<string, mixed> */
+    private function userResource(User $user): array
+    {
+        return [
+            'id' => $user->id,
+            'email' => $user->email,
+            'first_name' => $user->first_name,
+            'last_name' => $user->last_name,
+            'phone' => $user->phone,
+            'timezone' => $user->timezone,
+            'tenant_id' => $user->tenant_id,
+            'totp_enabled' => $user->totp_enabled,
+            'last_login_at' => $user->last_login_at,
+            'notification_preferences' => $user->notification_preferences,
+            'sound_enabled' => $user->sound_enabled,
+        ];
+    }
+}
@@ -1,303 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Http\Controllers\Api;
-
-use App\Http\Controllers\Controller;
-use App\Models\Reminder;
-use App\Models\User;
-use Illuminate\Http\JsonResponse;
-use Illuminate\Http\Request;
-use Illuminate\Support\Carbon;
-use Illuminate\Support\Facades\DB;
-
-/**
- * Reminders API (schema v8.10 §17.5). Все endpoint'ы под `auth:sanctum`.
- *
- * Фильтры filter= для GET /api/reminders:
- *   today      — completed_at IS NULL AND remind_at в (now-1d, now+1d)
- *   upcoming   — completed_at IS NULL AND remind_at > now+1d
- *   overdue    — completed_at IS NULL AND remind_at < now-1d
- *   completed  — completed_at IS NOT NULL
- *   active     — completed_at IS NULL (default)
- *
- * RLS: внутри транзакции SET LOCAL app.current_tenant_id = $user->tenant_id.
- * Защита от кражи: явный where('tenant_id', $user->tenant_id) поверх RLS.
- */
-class ReminderController extends Controller
-{
-    private const FILTERS = ['active', 'today', 'upcoming', 'overdue', 'completed'];
-
-    /**
-     * GET /api/reminders?filter=&deal_id=&limit=
-     */
-    public function index(Request $request): JsonResponse
-    {
-        $validated = $request->validate([
-            'filter' => 'nullable|string|in:'.implode(',', self::FILTERS),
-            'deal_id' => 'nullable|integer|min:1',
-            'limit' => 'nullable|integer|min:1|max:200',
-        ]);
-
-        /** @var User $user */
-        $user = $request->user();
-        $filter = $validated['filter'] ?? 'active';
-        $limit = (int) ($validated['limit'] ?? 100);
-
-        return DB::transaction(function () use ($user, $filter, $validated, $limit): JsonResponse {
-            DB::statement('SET LOCAL app.current_tenant_id = '.(int) $user->tenant_id);
-
-            $query = Reminder::query()
-                ->with('creator:id,email,first_name,last_name')
-                ->where('tenant_id', $user->tenant_id);
-
-            if (isset($validated['deal_id'])) {
-                $query->where('deal_id', (int) $validated['deal_id']);
-            }
-
-            $now = Carbon::now();
-            switch ($filter) {
-                case 'today':
-                    $query->whereNull('completed_at')
-                        ->whereBetween('remind_at', [$now->copy()->subDay(), $now->copy()->addDay()]);
-                    break;
-                case 'upcoming':
-                    $query->whereNull('completed_at')
-                        ->where('remind_at', '>', $now->copy()->addDay());
-                    break;
-                case 'overdue':
-                    $query->whereNull('completed_at')
-                        ->where('remind_at', '<', $now->copy()->subDay());
-                    break;
-                case 'completed':
-                    $query->whereNotNull('completed_at');
-                    break;
-                case 'active':
-                default:
-                    $query->whereNull('completed_at');
-                    break;
-            }
-
-            $items = $query->orderBy('remind_at')->limit($limit)->get();
-
-            // Counters для UI badges (today/upcoming/overdue) — отдельные SELECT'ы.
-            $base = Reminder::query()->where('tenant_id', $user->tenant_id);
-            $counts = [
-                'today' => (clone $base)->whereNull('completed_at')
-                    ->whereBetween('remind_at', [$now->copy()->subDay(), $now->copy()->addDay()])
-                    ->count(),
-                'upcoming' => (clone $base)->whereNull('completed_at')
-                    ->where('remind_at', '>', $now->copy()->addDay())
-                    ->count(),
-                'overdue' => (clone $base)->whereNull('completed_at')
-                    ->where('remind_at', '<', $now->copy()->subDay())
-                    ->count(),
-                'active' => (clone $base)->whereNull('completed_at')->count(),
-            ];
-
-            return response()->json([
-                'items' => $items->map(fn (Reminder $r) => $this->toResource($r))->all(),
-                'counts' => $counts,
-            ]);
-        });
-    }
-
-    /**
-     * POST /api/reminders {deal_id, text?, remind_at}.
-     */
-    public function store(Request $request): JsonResponse
-    {
-        $validated = $request->validate([
-            'deal_id' => 'required|integer|min:1',
-            'text' => 'nullable|string|max:255',
-            'remind_at' => 'required|date',
-            'assignee_id' => 'nullable|integer|min:1',
-        ]);
-
-        /** @var User $user */
-        $user = $request->user();
-
-        // Manager FK guard для assignee_id: должен принадлежать тому же tenant'у.
-        if (isset($validated['assignee_id'])) {
-            $exists = User::query()
-                ->where('id', $validated['assignee_id'])
-                ->where('tenant_id', $user->tenant_id)
-                ->whereNull('deleted_at')
-                ->where('is_active', true)
-                ->exists();
-            if (! $exists) {
-                return response()->json([
-                    'message' => 'Менеджер не найден в этом тенанте.',
-                    'errors' => ['assignee_id' => ['Не принадлежит вашему тенанту или не активен.']],
-                ], 422);
-            }
-        }
-
-        return DB::transaction(function () use ($user, $validated): JsonResponse {
-            DB::statement('SET LOCAL app.current_tenant_id = '.(int) $user->tenant_id);
-
-            $reminder = Reminder::create([
-                'tenant_id' => $user->tenant_id,
-                'deal_id' => (int) $validated['deal_id'],
-                'text' => $validated['text'] ?? null,
-                'remind_at' => Carbon::parse($validated['remind_at']),
-                'created_by' => $user->id,
-                'assignee_id' => $validated['assignee_id'] ?? null,
-                'is_sent' => false,
-            ]);
-
-            return response()->json([
-                'reminder' => $this->toResource($reminder->load('creator:id,email,first_name,last_name')),
-            ], 201);
-        });
-    }
-
-    /**
-     * PATCH /api/reminders/{id} {text?, remind_at?, assignee_id?}.
-     */
-    public function update(Request $request, int $id): JsonResponse
-    {
-        $validated = $request->validate([
-            'text' => 'nullable|string|max:255',
-            'remind_at' => 'nullable|date',
-            'assignee_id' => 'nullable|integer|min:1',
-        ]);
-
-        if (count($validated) === 0) {
-            return response()->json([
-                'message' => 'Передайте хотя бы одно поле.',
-                'errors' => ['_general' => ['Нужно хотя бы одно поле для обновления.']],
-            ], 422);
-        }
-
-        /** @var User $user */
-        $user = $request->user();
-
-        if (isset($validated['assignee_id'])) {
-            $exists = User::query()
-                ->where('id', $validated['assignee_id'])
-                ->where('tenant_id', $user->tenant_id)
-                ->whereNull('deleted_at')
-                ->where('is_active', true)
-                ->exists();
-            if (! $exists) {
-                return response()->json([
-                    'message' => 'Менеджер не найден.',
-                    'errors' => ['assignee_id' => ['Не принадлежит вашему тенанту или не активен.']],
-                ], 422);
-            }
-        }
-
-        return DB::transaction(function () use ($user, $id, $validated): JsonResponse {
-            DB::statement('SET LOCAL app.current_tenant_id = '.(int) $user->tenant_id);
-
-            $reminder = Reminder::query()
-                ->where('id', $id)
-                ->where('tenant_id', $user->tenant_id)
-                ->first();
-
-            if ($reminder === null) {
-                return response()->json(['message' => 'Напоминание не найдено.'], 404);
-            }
-
-            $update = [];
-            if (array_key_exists('text', $validated)) {
-                $update['text'] = $validated['text'];
-            }
-            if (isset($validated['remind_at'])) {
-                $update['remind_at'] = Carbon::parse($validated['remind_at']);
-                // При сдвиге remind_at сбрасываем is_sent, чтобы cron смог
-                // снова отправить уведомление к новому времени.
-                $update['is_sent'] = false;
-                $update['sent_at'] = null;
-            }
-            if (array_key_exists('assignee_id', $validated)) {
-                $update['assignee_id'] = $validated['assignee_id'];
-            }
-
-            $reminder->update($update);
-
-            return response()->json([
-                'reminder' => $this->toResource($reminder->fresh('creator')),
-            ]);
-        });
-    }
-
-    /**
-     * POST /api/reminders/{id}/complete — пометить выполненным.
-     * Идемпотентно: повторный вызов NO-OP.
-     */
-    public function complete(Request $request, int $id): JsonResponse
-    {
-        /** @var User $user */
-        $user = $request->user();
-
-        return DB::transaction(function () use ($user, $id): JsonResponse {
-            DB::statement('SET LOCAL app.current_tenant_id = '.(int) $user->tenant_id);
-
-            $reminder = Reminder::query()
-                ->where('id', $id)
-                ->where('tenant_id', $user->tenant_id)
-                ->first();
-
-            if ($reminder === null) {
-                return response()->json(['message' => 'Напоминание не найдено.'], 404);
-            }
-
-            if ($reminder->completed_at === null) {
-                $reminder->update(['completed_at' => Carbon::now()]);
-            }
-
-            return response()->json([
-                'reminder' => $this->toResource($reminder->fresh('creator')),
-            ]);
-        });
-    }
-
-    /**
-     * DELETE /api/reminders/{id}.
-     */
-    public function destroy(Request $request, int $id): JsonResponse
-    {
-        /** @var User $user */
-        $user = $request->user();
-
-        return DB::transaction(function () use ($user, $id): JsonResponse {
-            DB::statement('SET LOCAL app.current_tenant_id = '.(int) $user->tenant_id);
-
-            $deleted = Reminder::query()
-                ->where('id', $id)
-                ->where('tenant_id', $user->tenant_id)
-                ->delete();
-
-            if ($deleted === 0) {
-                return response()->json(['message' => 'Напоминание не найдено.'], 404);
-            }
-
-            return response()->json(['message' => 'Удалено.']);
-        });
-    }
-
-    /** @return array<string, mixed> */
-    private function toResource(Reminder $reminder): array
-    {
-        $creator = $reminder->creator;
-
-        return [
-            'id' => $reminder->id,
-            'deal_id' => $reminder->deal_id,
-            'text' => $reminder->text,
-            'remind_at' => $reminder->remind_at?->toIso8601String(),
-            'completed_at' => $reminder->completed_at?->toIso8601String(),
-            'is_sent' => $reminder->is_sent,
-            'sent_at' => $reminder->sent_at?->toIso8601String(),
-            'created_at' => $reminder->created_at?->toIso8601String(),
-            'created_by' => $reminder->created_by,
-            'assignee_id' => $reminder->assignee_id,
-            'creator_name' => $creator
-                ? trim(($creator->first_name ?? '').' '.($creator->last_name ?? '')) ?: $creator->email
-                : null,
-        ];
-    }
-}
@@ -44,9 +44,22 @@ class SupplierWebhookController extends Controller
    /** Audit-fix C2: per-IP rate-limit (DoS-guard), запросов в минуту. */
    private const RATE_LIMIT_PER_MINUTE = 600;

-    public function receive(Request $request, string $secret): JsonResponse
+    public function receive(Request $request, string $secret = ''): JsonResponse
    {
-        if (! $this->verifySecret($secret)) {
+        // Аутентификация (аддитивно): URL-секрет (backward-compat) ИЛИ HMAC-подпись
+        // тела (X-Webhook-Signature = hash_hmac sha256 от raw body на том же
+        // supplier_webhook_secret). HMAC позволяет поставщику не слать секрет в URL
+        // — тот течёт в access-логи (P2/E4). verifySecret('') всегда false.
+        $sig = (string) $request->header('X-Webhook-Signature', '');
+        $sig = str_starts_with($sig, 'sha256=') ? substr($sig, 7) : $sig;
+        $secretRow = DB::table('system_settings')->where('key', 'supplier_webhook_secret')->first();
+        $expectedSecret = $secretRow !== null ? (string) $secretRow->value : '';
+        $hmacValid = $sig !== ''
+            && $expectedSecret !== '__SET_ON_DEPLOY__'
+            && strlen($expectedSecret) >= 32
+            && hash_equals(hash_hmac('sha256', $request->getContent(), $expectedSecret), $sig);
+
+        if (! $this->verifySecret($secret) && ! $hmacValid) {
            $this->logSupplierWebhook($request, null, 'rejected_secret');

            return response()->json(['message' => 'Not found.'], 404);
@@ -0,0 +1,55 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers\Api;
+
+use App\Http\Controllers\Controller;
+use App\Mail\SupportRequestMail;
+use App\Models\SupportRequest;
+use App\Models\User;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Log;
+use Illuminate\Support\Facades\Mail;
+
+/**
+ * G7-A: приём клиентских заявок в техподдержку. Запись в БД — основной канал;
+ * письмо в поддержку — best-effort (сбой SMTP не валит запрос, паттерн G1 sendCode).
+ */
+class SupportRequestController extends Controller
+{
+    public function store(Request $request): JsonResponse
+    {
+        $validated = $request->validate([
+            'name' => 'required|string|max:255',
+            'contact' => 'required|string|max:255',
+            'message' => 'required|string|max:5000',
+        ]);
+
+        /** @var User $user */
+        $user = $request->user();
+
+        $supportRequest = DB::transaction(function () use ($user, $validated): SupportRequest {
+            DB::statement('SET LOCAL app.current_tenant_id = '.(int) $user->tenant_id);
+
+            return SupportRequest::create([
+                'tenant_id' => $user->tenant_id,
+                'user_id' => $user->id,
+                'name' => $validated['name'],
+                'contact' => $validated['contact'],
+                'message' => $validated['message'],
+            ]);
+        });
+
+        // Письмо — best-effort: заявка уже в БД, сбой почты не теряет её и не валит запрос.
+        try {
+            Mail::to(config('services.support.email'))->queue(new SupportRequestMail($supportRequest));
+        } catch (\Throwable $e) {
+            Log::warning('SupportRequestMail queue failed', ['id' => $supportRequest->id, 'error' => $e->getMessage()]);
+        }
+
+        return response()->json(['ok' => true], 201);
+    }
+}
@@ -0,0 +1,57 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers\Api;
+
+use App\Http\Controllers\Controller;
+use App\Http\Requests\LookupInnRequest;
+use App\Http\Requests\UpdateRequisitesRequest;
+use App\Http\Resources\RequisitesResource;
+use App\Models\TenantRequisites;
+use App\Services\DaData\PartyLookup;
+use App\Services\Requisites\RequisitesService;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+
+class TenantRequisitesController extends Controller
+{
+    public function __construct(
+        private readonly RequisitesService $service,
+        private readonly PartyLookup $party,
+    ) {}
+
+    /** GET /api/tenant/requisites */
+    public function show(Request $request): JsonResponse
+    {
+        $req = TenantRequisites::where('tenant_id', $request->user()->tenant_id)->first();
+
+        return response()->json(['data' => $req ? new RequisitesResource($req) : null]);
+    }
+
+    /** PUT /api/tenant/requisites */
+    public function update(UpdateRequisitesRequest $request): JsonResponse
+    {
+        $req = $this->service->upsert($request->user()->tenant, $request->validated());
+
+        return response()->json(['data' => new RequisitesResource($req)]);
+    }
+
+    /** POST /api/tenant/requisites/lookup-inn — мягкая подтяжка, ничего не сохраняет */
+    public function lookupInn(LookupInnRequest $request): JsonResponse
+    {
+        $res = $this->party->findByInn($request->validated()['inn']);
+        if ($res === null) {
+            return response()->json(['found' => false]);
+        }
+
+        return response()->json([
+            'found' => true,
+            'legal_name' => $res->legalName,
+            'kpp' => $res->kpp,
+            'ogrn' => $res->ogrn,
+            'legal_address' => $res->address,
+            'subject_type_hint' => $res->type === 'INDIVIDUAL' ? 'sole_proprietor' : 'legal_entity',
+        ]);
+    }
+}
@@ -0,0 +1,95 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers\Api\V1;
+
+use App\Http\Controllers\Controller;
+use App\Models\Deal;
+use Carbon\Carbon;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\DB;
+
+/**
+ * Публичный read-API сделок тенанта (G6). Аутентификация — middleware ApiKeyAuth
+ * (tenant_id в request->attributes['api_tenant_id']). Только сделки (deals), не
+ * supplier_leads.
+ */
+class DealsController extends Controller
+{
+    public function index(Request $request): JsonResponse
+    {
+        $tenantId = (int) $request->attributes->get('api_tenant_id');
+
+        $limit = max(1, min(500, (int) $request->query('limit', '100')));
+
+        $since = trim((string) $request->query('since', ''));
+        $sinceDt = null;
+        if ($since !== '') {
+            try {
+                $sinceDt = Carbon::parse($since);
+            } catch (\Throwable) {
+                return response()->json(['message' => 'Невалидный since.'], 422);
+            }
+        }
+
+        $cursorRaw = (string) $request->query('cursor', '');
+        $cursor = null;
+        if ($cursorRaw !== '') {
+            $decoded = base64_decode($cursorRaw, true);
+            $parsed = $decoded === false ? null : json_decode($decoded, true);
+            if (! is_array($parsed) || ! isset($parsed['r'], $parsed['i'])) {
+                return response()->json(['message' => 'Невалидный cursor.'], 422);
+            }
+            $cursor = ['r' => (string) $parsed['r'], 'i' => (int) $parsed['i']];
+        }
+
+        [$rows, $next] = DB::transaction(function () use ($tenantId, $limit, $sinceDt, $cursor) {
+            DB::statement('SET LOCAL app.current_tenant_id = '.$tenantId);
+
+            $query = Deal::query()
+                ->where('tenant_id', $tenantId)
+                ->with('project:id,name');
+
+            if ($sinceDt !== null) {
+                $query->where('received_at', '>=', $sinceDt);
+            }
+            if ($cursor !== null) {
+                $query->whereRaw('(received_at, id) < (?, ?)', [$cursor['r'], $cursor['i']]);
+            }
+
+            $rows = $query->orderByDesc('received_at')->orderByDesc('id')
+                ->limit($limit + 1)->get();
+
+            $hasNext = $rows->count() > $limit;
+            if ($hasNext) {
+                $rows = $rows->slice(0, $limit)->values();
+            }
+
+            $next = null;
+            if ($hasNext && $rows->isNotEmpty()) {
+                $last = $rows->last();
+                $next = base64_encode((string) json_encode([
+                    'r' => $last->received_at->toIso8601String(),
+                    'i' => $last->id,
+                ]));
+            }
+
+            return [$rows, $next];
+        });
+
+        return response()->json([
+            'data' => $rows->map(fn (Deal $d) => [
+                'id' => $d->id,
+                'received_at' => $d->received_at->toIso8601String(),
+                'phone' => $d->phone,
+                'contact_name' => $d->contact_name,
+                'city' => $d->city,
+                'status' => $d->status,
+                'project' => $d->project?->name,
+            ])->all(),
+            'next_cursor' => $next,
+        ]);
+    }
+}
@@ -127,15 +127,16 @@ class WebhookSettingsController extends Controller
            ], Response::HTTP_UNPROCESSABLE_ENTITY);
        }

-        // SSRF-гард: target_url задаёт админ тенанта; блокируем адреса во
-        // внутренней/зарезервированной сети (cloud-metadata 169.254.169.254,
-        // loopback, RFC1918), которые https://-валидация на сохранении не ловит.
-        $blockReason = WebhookUrlGuard::blockReason($sub->target_url);
-        if ($blockReason !== null) {
+        // SSRF-гард + DNS-rebind пиннинг: ОДИН резолв target_url даёт причину
+        // блокировки И безопасный IP. Блокируем адреса во внутренней/зарезервированной
+        // сети (cloud-metadata 169.254.169.254, loopback, RFC1918), которые
+        // https://-валидация на сохранении не ловит.
+        $delivery = WebhookUrlGuard::safeDeliveryIp($sub->target_url);
+        if ($delivery['blockReason'] !== null) {
            return response()->json([
                'ok' => false,
                'status' => null,
-                'message' => $blockReason,
+                'message' => $delivery['blockReason'],
            ], Response::HTTP_UNPROCESSABLE_ENTITY);
        }

@@ -145,9 +146,19 @@ class WebhookSettingsController extends Controller
            'message' => 'Тестовая доставка webhook от Лидерра.',
        ];

+        // DNS-rebind пиннинг: подключаемся к УЖЕ проверенному IP, не давая
+        // HTTP-клиенту резолвить хост повторно (TOCTOU). Host/SNI — исходный хост.
+        $httpOptions = [];
+        if ($delivery['ip'] !== null) {
+            $host = trim((string) parse_url($sub->target_url, PHP_URL_HOST), '[]');
+            $port = parse_url($sub->target_url, PHP_URL_PORT) ?? 443;
+            $httpOptions['curl'] = [CURLOPT_RESOLVE => ["{$host}:{$port}:{$delivery['ip']}"]];
+        }
+
        // Unsigned connectivity-проверка (HMAC-подписанная доставка — отдельный эпик).
        try {
-            $response = Http::timeout(10)
+            $response = Http::withOptions($httpOptions)
+                ->timeout(10)
                ->withHeaders(['X-Webhook-Event' => 'webhook.test'])
                ->post($sub->target_url, $testPayload);

@@ -0,0 +1,73 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Middleware;
+
+use App\Models\ApiKey;
+use Closure;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Hash;
+use Symfony\Component\HttpFoundation\Response;
+
+/**
+ * Аутентификация публичного API по ключу тенанта (G6).
+ *
+ * Ключ — `Authorization: Bearer lpkapi_...`. В БД лежит bcrypt key_hash + key_prefix
+ * (первые 10 символов). Ищем кандидатов по префиксу через pgsql_supplier (BYPASSRLS —
+ * публичный роут не ставит tenant-GUC, под RLS api_keys вернул бы пусто), затем
+ * Hash::check. Успех → tenant_id в request->attributes (api_tenant_id) + last_used.
+ */
+class ApiKeyAuth
+{
+    public function handle(Request $request, Closure $next): Response
+    {
+        $key = $this->bearer($request);
+        if ($key === null || $key === '') {
+            return response()->json(['message' => 'Требуется API-ключ.'], 401);
+        }
+
+        $prefix = substr($key, 0, 10);
+
+        $candidates = ApiKey::on('pgsql_supplier')
+            ->where('key_prefix', $prefix)
+            ->where('is_active', true)
+            ->where('expires_at', '>', now())
+            ->get();
+
+        $matched = null;
+        foreach ($candidates as $candidate) {
+            if (Hash::check($key, (string) $candidate->key_hash)) {
+                $matched = $candidate;
+                break;
+            }
+        }
+
+        if ($matched === null) {
+            return response()->json(['message' => 'Неверный или неактивный API-ключ.'], 401);
+        }
+
+        if (! in_array('read', (array) $matched->scopes, true)) {
+            return response()->json(['message' => 'Недостаточно прав ключа.'], 403);
+        }
+
+        ApiKey::on('pgsql_supplier')->whereKey($matched->getKey())->update([
+            'last_used_at' => now(),
+            'last_used_ip' => $request->ip(),
+        ]);
+
+        $request->attributes->set('api_tenant_id', (int) $matched->tenant_id);
+
+        return $next($request);
+    }
+
+    private function bearer(Request $request): ?string
+    {
+        $header = (string) $request->header('Authorization', '');
+        if (str_starts_with($header, 'Bearer ')) {
+            return trim(substr($header, 7));
+        }
+
+        return null;
+    }
+}
@@ -24,6 +24,9 @@ use Symfony\Component\HttpFoundation\Response;
 * admin_user_id для audit-trail по-прежнему резолвится трейтом
 * ResolvesAdminUserId (стаб super_admin) — это отдельная зона.
 *
+ * G7-B: пока активен impersonation (маркер сессии ИЛИ машинный ключ) —
+ * вход в saas-admin зону запрещён (запрет эскалации к другим тенантам).
+ *
 * TODO (после Б-1 + DO-4): заменить nginx-дверь на настоящий saas-admin
 * guard (Yandex 360 SSO-сессия + роль), вернуть проверку в это middleware.
 */
@@ -31,6 +34,14 @@ class EnsureSaasAdmin
 {
    public function handle(Request $request, Closure $next): Response
    {
+        // G7-B: пока активен impersonation (маркер сессии ИЛИ машинный ключ) —
+        // вход в saas-admin зону запрещён (запрет эскалации к другим тенантам).
+        $hasMarker = $request->hasSession() && $request->session()->has('impersonation');
+        $hasBearer = str_starts_with((string) $request->header('Authorization', ''), 'Bearer lpimp_');
+        if ($hasMarker || $hasBearer) {
+            abort(403, 'Во время сессии impersonation доступ в админ-зону запрещён.');
+        }
+
        return $next($request);
    }
 }
@@ -0,0 +1,59 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Middleware;
+
+use App\Mail\ImpersonationEndedMail;
+use App\Models\ImpersonationToken;
+use Closure;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Log;
+use Illuminate\Support\Facades\Mail;
+use Symfony\Component\HttpFoundation\Response;
+
+/**
+ * G7-B: на web-запросах с активным impersonation-маркером проверяет 60-мин
+ * лимит. Истёк (или токен уже неактивен) → завершает токен, шлёт письмо,
+ * разлогинивает, чистит маркер. No-op, если маркера нет.
+ */
+class ImpersonationContext
+{
+    public function handle(Request $request, Closure $next): Response
+    {
+        if (! $request->hasSession() || ! $request->session()->has('impersonation')) {
+            return $next($request);
+        }
+
+        $marker = $request->session()->get('impersonation');
+        $token = ImpersonationToken::on('pgsql_supplier')->find($marker['token_id'] ?? 0);
+
+        if ($token === null || ! $token->isSessionActive()) {
+            if ($token !== null && $token->session_ended_at === null) {
+                $token->update(['session_ended_at' => now()]);
+                try {
+                    Mail::to((string) $token->sent_to_email)
+                        ->queue(new ImpersonationEndedMail((string) $token->sent_to_email));
+                } catch (\Throwable $e) {
+                    Log::warning('impersonation expiry mail: '.$e->getMessage());
+                }
+            }
+            Auth::guard('web')->logout();
+            $request->session()->forget('impersonation');
+            $request->session()->invalidate();
+            $request->session()->regenerateToken();
+
+            // Завершаем текущий запрос немедленно — auth:sanctum уже мог
+            // резолвить user'а из сессии, поэтому не передаём $next, а
+            // возвращаем 401 явно, чтобы клиент знал о разрыве сессии.
+            if ($request->expectsJson()) {
+                return response()->json(['message' => 'Сессия impersonation истекла.'], 401);
+            }
+
+            return redirect('/login');
+        }
+
+        return $next($request);
+    }
+}
@@ -0,0 +1,32 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Auth;
+
+use Illuminate\Foundation\Http\FormRequest;
+
+/**
+ * Валидация POST /api/auth/confirm-email — подтверждение почты 6-значным кодом.
+ */
+class ConfirmEmailRequest extends FormRequest
+{
+    /** @return array<string, mixed> */
+    public function rules(): array
+    {
+        return [
+            'email' => ['required', 'string', 'email', 'max:255'],
+            'code' => ['required', 'string', 'regex:/^\d{6}$/'],
+        ];
+    }
+
+    /** @return array<string, string> */
+    public function messages(): array
+    {
+        return [
+            'email.required' => 'Укажите email.',
+            'code.required' => 'Укажите код из письма.',
+            'code.regex' => 'Код состоит из 6 цифр.',
+        ];
+    }
+}
@@ -18,14 +18,21 @@ class RegisterRequest extends FormRequest
 {
    use HasPasswordRules;

-    /** @return array<string, mixed> */
+    /**
+     * @return array<string, mixed>
+     *
+     * NB: уникальность email НЕ через DB-rule — её решает RegistrationService
+     * (активный email → 422 email_taken; неподтверждённый → перевыпуск кода).
+     * Капча проверяется на КАЖДОМ register-запросе (это независимый публичный POST).
+     */
    public function rules(): array
    {
        return [
-            'email' => ['required', 'string', 'email', 'max:255', Rule::unique('users', 'email')],
+            'email' => ['required', 'string', 'email', 'max:255'],
            'password' => $this->passwordRules(),
            'accept_offer' => ['required', 'accepted'],
            'accept_pdn' => ['required', 'accepted'],
+            'captcha_token' => ['required', 'string'],
        ];
    }

@@ -35,9 +42,9 @@ class RegisterRequest extends FormRequest
        return array_merge($this->passwordMessages(), [
            'email.required' => 'Укажите email.',
            'email.email' => 'Email указан некорректно.',
-            'email.unique' => 'Аккаунт с таким email уже существует.',
            'accept_offer.accepted' => 'Необходимо принять оферту.',
            'accept_pdn.accepted' => 'Необходимо согласие на обработку персональных данных.',
+            'captcha_token.required' => 'Подтвердите, что вы не робот.',
        ]);
    }
 }
@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Auth;
+
+use Illuminate\Foundation\Http\FormRequest;
+
+/**
+ * Валидация POST /api/auth/resend-code — повторная отправка кода подтверждения.
+ */
+class ResendCodeRequest extends FormRequest
+{
+    /** @return array<string, mixed> */
+    public function rules(): array
+    {
+        return [
+            'email' => ['required', 'string', 'email', 'max:255'],
+        ];
+    }
+
+    /** @return array<string, string> */
+    public function messages(): array
+    {
+        return [
+            'email.required' => 'Укажите email.',
+            'email.email' => 'Email указан некорректно.',
+        ];
+    }
+}
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests;
+
+use Illuminate\Foundation\Http\FormRequest;
+
+class LookupInnRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return $this->user() !== null;
+    }
+
+    /** @return array<string, mixed> */
+    public function rules(): array
+    {
+        return [
+            'inn' => ['required', 'string', 'regex:/^(\d{10}|\d{12})$/'],
+        ];
+    }
+}
@@ -0,0 +1,53 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests;
+
+use App\Support\InnValidator;
+use App\Support\PhoneNormalizer;
+use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;
+
+class UpdateRequisitesRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return $this->user() !== null;
+    }
+
+    /** @return array<string, mixed> */
+    public function rules(): array
+    {
+        $subjectType = (string) $this->input('subject_type');
+
+        return [
+            'subject_type' => ['required', Rule::in(['individual', 'sole_proprietor', 'legal_entity'])],
+            'contact_name' => ['required', 'string', 'max:255'],
+            'contact_phone' => ['required', 'string', function ($attr, $value, $fail) {
+                if (PhoneNormalizer::normalize((string) $value) === null) {
+                    $fail('Некорректный телефон.');
+                }
+            }],
+            'inn' => [
+                Rule::requiredIf(in_array($subjectType, ['legal_entity', 'sole_proprietor'], true)),
+                'nullable', 'string',
+                function ($attr, $value, $fail) use ($subjectType) {
+                    if (in_array($subjectType, ['legal_entity', 'sole_proprietor'], true)
+                        && is_string($value) && $value !== ''
+                        && ! InnValidator::isValid($value, $subjectType)) {
+                        $fail('Некорректный ИНН (контрольная цифра).');
+                    }
+                },
+            ],
+            'legal_name' => ['nullable', 'string', 'max:255'],
+            'kpp' => ['nullable', 'string', 'regex:/^\d{9}$/'],
+            'ogrn' => ['nullable', 'string', 'regex:/^(\d{13}|\d{15})$/'],
+            'legal_address' => ['nullable', 'string'],
+            'bank_name' => ['nullable', 'string', 'max:255'],
+            'bank_bik' => ['nullable', 'string', 'regex:/^\d{9}$/'],
+            'bank_account' => ['nullable', 'string', 'regex:/^\d{20}$/'],
+            'corr_account' => ['nullable', 'string', 'regex:/^\d{20}$/'],
+        ];
+    }
+}
@@ -0,0 +1,33 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Resources;
+
+use App\Models\TenantRequisites;
+use Illuminate\Http\Request;
+use Illuminate\Http\Resources\Json\JsonResource;
+
+/** @mixin TenantRequisites */
+class RequisitesResource extends JsonResource
+{
+    /** @return array<string, mixed> */
+    public function toArray(Request $request): array
+    {
+        return [
+            'subject_type' => $this->subject_type,
+            'contact_name' => $this->contact_name,
+            'contact_phone' => $this->contact_phone,
+            'inn' => $this->inn,
+            'legal_name' => $this->legal_name,
+            'kpp' => $this->kpp,
+            'ogrn' => $this->ogrn,
+            'legal_address' => $this->legal_address,
+            'bank_name' => $this->bank_name,
+            'bank_bik' => $this->bank_bik,
+            'bank_account' => $this->bank_account,
+            'corr_account' => $this->corr_account,
+            'requisites_completed_at' => $this->requisites_completed_at,
+        ];
+    }
+}
@@ -605,7 +605,7 @@ class RouteSupplierLeadJob implements ShouldQueue
    }

    /**
-     * @return list<int>  '{82,83}' → [82,83]; '{}'/'' → []
+     * @return list<int> '{82,83}' → [82,83]; '{}'/'' → []
     */
    private function parseSubjectCodes(string $regionsLiteral): array
    {
@@ -0,0 +1,58 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Jobs;
+
+use App\Models\Deal;
+use App\Models\Tenant;
+use App\Services\NotificationService;
+use Illuminate\Bus\Queueable;
+use Illuminate\Contracts\Queue\ShouldQueue;
+use Illuminate\Database\Eloquent\Collection as EloquentCollection;
+use Illuminate\Foundation\Bus\Dispatchable;
+use Illuminate\Queue\InteractsWithQueue;
+use Illuminate\Support\Facades\DB;
+
+/**
+ * G2-A: раз в 30 минут (routes/console.php) рассылает дайджест новых сделок.
+ * Окно — последние 30 минут по received_at. Идемпотентен (непересекающееся окно).
+ * Паттерн по-тенантного джоба — BalancePreflightSweepJob (SET LOCAL tenant).
+ */
+final class SendNewLeadsDigestJob implements ShouldQueue
+{
+    use Dispatchable;
+    use InteractsWithQueue;
+    use Queueable;
+
+    public function handle(NotificationService $notifier): void
+    {
+        Tenant::query()->whereNull('deleted_at')->chunkById(200, function (EloquentCollection $tenants) use ($notifier): void {
+            foreach ($tenants as $tenant) {
+                /** @var Tenant $tenant */
+                $this->digestForTenant($tenant, $notifier);
+            }
+        });
+    }
+
+    private function digestForTenant(Tenant $tenant, NotificationService $notifier): void
+    {
+        DB::transaction(function () use ($tenant, $notifier): void {
+            DB::statement('SET LOCAL app.current_tenant_id = '.(int) $tenant->id);
+
+            $deals = Deal::query()
+                ->where('tenant_id', $tenant->id)
+                ->where('received_at', '>', now()->subMinutes(30))
+                ->where('is_test', false)
+                ->whereNull('deleted_at')
+                ->orderBy('received_at')
+                ->get();
+
+            if ($deals->isEmpty()) {
+                return;
+            }
+
+            $notifier->notifyNewLeadsDigest($tenant, $deals);
+        });
+    }
+}
@@ -20,7 +20,7 @@ use Illuminate\Support\Facades\Log;
 */
 final class SnapshotProjectRoutingJob implements ShouldQueue
 {
-    use Dispatchable, Queueable, InteractsWithQueue, SerializesModels;
+    use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;

    public const DB_CONNECTION = 'pgsql_supplier'; // BYPASSRLS

@@ -38,10 +38,11 @@ final class SnapshotProjectRoutingJob implements ShouldQueue
            ->exists();
        if ($exists) {
            Log::info('snapshot.already_exists', ['date' => $snapshotDate]);
+
            return;
        }

-        $count = DB::connection(self::DB_CONNECTION)->insert(<<<SQL
+        $count = DB::connection(self::DB_CONNECTION)->insert(<<<'SQL'
            INSERT INTO project_routing_snapshots (
                snapshot_date, project_id, tenant_id,
                daily_limit, delivery_days_mask, regions,
@@ -6,9 +6,11 @@ namespace App\Jobs\Supplier;

 use App\Jobs\RouteSupplierLeadJob;
 use App\Mail\CsvDriftAlertMail;
+use App\Mail\TenantBusinessDriftAlertMail;
 use App\Models\SupplierLead;
 use App\Services\Supplier\SupplierCsvParser;
 use App\Services\Supplier\SupplierPortalClient;
+use Carbon\CarbonInterface;
 use Illuminate\Bus\Queueable;
 use Illuminate\Contracts\Cache\LockProvider;
 use Illuminate\Contracts\Mail\Mailer;
@@ -274,8 +276,8 @@ final class CsvReconcileJob implements ShouldQueue

    private function detectAndAlertBusinessDrift(
        Mailer $mailer,
-        \Carbon\CarbonInterface $windowStart,
-        \Carbon\CarbonInterface $windowEnd,
+        CarbonInterface $windowStart,
+        CarbonInterface $windowEnd,
    ): void {
        $from = $windowStart->toDateString();
        $to = $windowEnd->toDateString();
@@ -300,7 +302,7 @@ final class CsvReconcileJob implements ShouldQueue
            }

            $mailer->to((string) config('services.supplier.alert_email'))
-                ->send(new \App\Mail\TenantBusinessDriftAlertMail(
+                ->send(new TenantBusinessDriftAlertMail(
                    tenantId: (int) $row->tenant_id,
                    snapshotDate: (string) $row->snapshot_date,
                    expected: $expected,
@@ -0,0 +1,64 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Logging;
+
+use Monolog\LogRecord;
+use Monolog\Processor\ProcessorInterface;
+
+/**
+ * Monolog-процессор: маскирует ПДн в логах перед записью.
+ *
+ * Закрывает Medium go-live: laravel.log (LOG_LEVEL=debug) мог сохранить телефон/email
+ * открытым, если они попадут в текст исключения или контекст. Процессор ловит ВСЕ
+ * записи каналов, к которым подключён (см. App\Logging\ScrubPii + config/logging.php),
+ * централизованно — надёжнее правки отдельных вызовов Log::.
+ */
+final class PiiScrubbingProcessor implements ProcessorInterface
+{
+    /**
+     * Телефоны РФ: 11 цифр в формате 7XXXXXXXXXX / 8XXXXXXXXXX / +7XXXXXXXXXX.
+     * Lookbehind/lookahead не дают маскировать часть более длинной цифровой строки
+     * (например 14-значный технический id).
+     */
+    private const PHONE_PATTERN = '/(?<!\d)(?:\+?7|8)\d{10}(?!\d)/';
+
+    private const EMAIL_PATTERN = '/[\p{L}0-9._%+\-]+@[\p{L}0-9.\-]+\.\p{L}{2,}/u';
+
+    public function __invoke(LogRecord $record): LogRecord
+    {
+        return $record->with(
+            message: $this->scrub($record->message),
+            context: $this->scrubArray($record->context),
+            extra: $this->scrubArray($record->extra),
+        );
+    }
+
+    private function scrub(string $value): string
+    {
+        $value = preg_replace(self::PHONE_PATTERN, '[PHONE]', $value) ?? $value;
+
+        return preg_replace(self::EMAIL_PATTERN, '[EMAIL]', $value) ?? $value;
+    }
+
+    /**
+     * @param  array<array-key, mixed>  $data
+     * @return array<array-key, mixed>
+     */
+    private function scrubArray(array $data): array
+    {
+        $result = [];
+        foreach ($data as $key => $value) {
+            if (is_string($value)) {
+                $result[$key] = $this->scrub($value);
+            } elseif (is_array($value)) {
+                $result[$key] = $this->scrubArray($value);
+            } else {
+                $result[$key] = $value;
+            }
+        }
+
+        return $result;
+    }
+}
@@ -0,0 +1,25 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Logging;
+
+use Illuminate\Log\Logger;
+
+/**
+ * Tap для config/logging.php: вешает PiiScrubbingProcessor на канал.
+ *
+ * Использование: 'tap' => [\App\Logging\ScrubPii::class] в описании канала.
+ */
+final class ScrubPii
+{
+    public function __invoke(Logger $logger): void
+    {
+        // Illuminate\Log\Logger::getLogger() типизирован как PSR LoggerInterface,
+        // но фактически возвращает Monolog\Logger (у него есть pushProcessor).
+        $monolog = $logger->getLogger();
+        if ($monolog instanceof \Monolog\Logger) {
+            $monolog->pushProcessor(new PiiScrubbingProcessor);
+        }
+    }
+}
@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Mail;
+
+use Illuminate\Bus\Queueable;
+use Illuminate\Mail\Mailable;
+use Illuminate\Mail\Mailables\Content;
+use Illuminate\Mail\Mailables\Envelope;
+use Illuminate\Queue\SerializesModels;
+
+/**
+ * Письмо с 6-значным кодом подтверждения почты при самозаписи (G1/SP1).
+ */
+final class EmailVerificationCodeMail extends Mailable
+{
+    use Queueable;
+    use SerializesModels;
+
+    public function __construct(
+        public readonly string $code,
+        public readonly string $email,
+    ) {}
+
+    public function envelope(): Envelope
+    {
+        return new Envelope(
+            subject: 'Код подтверждения регистрации в Лидерре',
+            to: [$this->email],
+        );
+    }
+
+    public function content(): Content
+    {
+        return new Content(
+            view: 'emails.email_verification_code',
+            with: ['code' => $this->code],
+        );
+    }
+}
@@ -0,0 +1,36 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Mail;
+
+use Illuminate\Bus\Queueable;
+use Illuminate\Mail\Mailable;
+use Illuminate\Mail\Mailables\Content;
+use Illuminate\Mail\Mailables\Envelope;
+use Illuminate\Queue\SerializesModels;
+
+/** Код-согласие на вход поддержки в кабинет клиента (G7-B / Ю-1). */
+final class ImpersonationCodeMail extends Mailable
+{
+    use Queueable;
+    use SerializesModels;
+
+    public function __construct(
+        public readonly string $code,
+        public readonly string $email,
+    ) {}
+
+    public function envelope(): Envelope
+    {
+        return new Envelope(
+            subject: 'Код доступа: запрос входа поддержки в ваш кабинет',
+            to: [$this->email],
+        );
+    }
+
+    public function content(): Content
+    {
+        return new Content(view: 'emails.impersonation_code', with: ['code' => $this->code]);
+    }
+}
@@ -0,0 +1,36 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Mail;
+
+use Illuminate\Bus\Queueable;
+use Illuminate\Mail\Mailable;
+use Illuminate\Mail\Mailables\Content;
+use Illuminate\Mail\Mailables\Envelope;
+use Illuminate\Queue\SerializesModels;
+
+/** Уведомление о завершении сессии поддержки в кабинете клиента (G7-B / Ю-1). */
+final class ImpersonationEndedMail extends Mailable
+{
+    use Queueable;
+    use SerializesModels;
+
+    public function __construct(
+        public readonly string $email,
+        public readonly ?string $tenantName = null,
+    ) {}
+
+    public function envelope(): Envelope
+    {
+        return new Envelope(
+            subject: 'Сессия поддержки в вашем кабинете завершена',
+            to: [$this->email],
+        );
+    }
+
+    public function content(): Content
+    {
+        return new Content(view: 'emails.impersonation_ended', with: ['tenantName' => $this->tenantName]);
+    }
+}
@@ -0,0 +1,53 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Mail;
+
+use App\Models\Deal;
+use App\Models\Tenant;
+use App\Models\User;
+use Illuminate\Bus\Queueable;
+use Illuminate\Mail\Mailable;
+use Illuminate\Mail\Mailables\Content;
+use Illuminate\Mail\Mailables\Envelope;
+use Illuminate\Queue\SerializesModels;
+use Illuminate\Support\Collection;
+
+/**
+ * Письмо-сводка о новых сделках за окно (G2-A дайджест).
+ * Заменяет пер-лид NewLeadNotification как email-канал события new_lead.
+ *
+ * @property Collection<int, Deal> $deals
+ */
+class NewLeadsDigestMail extends Mailable
+{
+    use Queueable;
+    use SerializesModels;
+
+    public function __construct(
+        public User $user,
+        public Tenant $tenant,
+        public Collection $deals,
+    ) {}
+
+    public function envelope(): Envelope
+    {
+        return new Envelope(
+            subject: 'Лидерра. Новые сделки — '.$this->deals->count(),
+        );
+    }
+
+    public function content(): Content
+    {
+        return new Content(
+            view: 'emails.new_leads_digest',
+            with: [
+                'user' => $this->user,
+                'tenant' => $this->tenant,
+                'deals' => $this->deals,
+                'count' => $this->deals->count(),
+            ],
+        );
+    }
+}
@@ -1,54 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Mail;
-
-use App\Models\Reminder;
-use App\Models\User;
-use Illuminate\Bus\Queueable;
-use Illuminate\Mail\Mailable;
-use Illuminate\Mail\Mailables\Content;
-use Illuminate\Mail\Mailables\Envelope;
-use Illuminate\Queue\SerializesModels;
-
-/**
- * Email-уведомление о наступлении срока напоминания (ТЗ §18.5, событие reminder).
- *
- * Триггер: cron-команда `reminders:dispatch-due` находит rows с
- * `is_sent=false AND completed_at IS NULL AND remind_at <= NOW()`,
- * вызывает NotificationService::notifyReminder для каждой,
- * затем ставит `is_sent=true, sent_at=NOW()`.
- */
-class ReminderDueNotification extends Mailable
-{
-    use Queueable;
-    use SerializesModels;
-
-    public function __construct(
-        public User $recipient,
-        public Reminder $reminder,
-    ) {}
-
-    public function envelope(): Envelope
-    {
-        $shortText = $this->reminder->text
-            ? mb_substr($this->reminder->text, 0, 60)
-            : 'Срок касания клиента';
-
-        return new Envelope(
-            subject: "Лидерра. Напоминание — {$shortText}",
-        );
-    }
-
-    public function content(): Content
-    {
-        return new Content(
-            view: 'emails.reminder',
-            with: [
-                'recipient' => $this->recipient,
-                'reminder' => $this->reminder,
-            ],
-        );
-    }
-}
@@ -0,0 +1,38 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Mail;
+
+use App\Models\SupportRequest;
+use Illuminate\Bus\Queueable;
+use Illuminate\Mail\Mailable;
+use Illuminate\Mail\Mailables\Content;
+use Illuminate\Mail\Mailables\Envelope;
+use Illuminate\Queue\SerializesModels;
+
+/**
+ * Письмо в техподдержку о новой заявке клиента (G7-A). Адресат — config('services.support.email').
+ */
+class SupportRequestMail extends Mailable
+{
+    use Queueable;
+    use SerializesModels;
+
+    public function __construct(public SupportRequest $request) {}
+
+    public function envelope(): Envelope
+    {
+        return new Envelope(
+            subject: 'Лидерра. Заявка в поддержку #'.$this->request->id,
+        );
+    }
+
+    public function content(): Content
+    {
+        return new Content(
+            view: 'emails.support_request',
+            with: ['r' => $this->request],
+        );
+    }
+}
@@ -0,0 +1,71 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
+use Illuminate\Support\Carbon;
+
+/**
+ * Код подтверждения почты при самозаписи клиента (G1/SP1).
+ *
+ * 6-значный код, bcrypt-хеш в code_hash, plain уходит письмом. TTL 15 мин,
+ * 5 попыток. Механика зеркалит ImpersonationToken. Таблица RLS-изолирована
+ * (через user_id→users.tenant_id) — на публичном роуте читается/пишется через
+ * BYPASSRLS pgsql_supplier.
+ *
+ * @property int $id
+ * @property int $user_id
+ * @property string $email
+ * @property string $token
+ * @property string|null $code_hash
+ * @property int $failed_attempts
+ * @property Carbon $expires_at
+ * @property Carbon|null $verified_at
+ * @property Carbon $created_at
+ */
+class EmailVerification extends Model
+{
+    /** schema-таблица не имеет updated_at. */
+    public const UPDATED_AT = null;
+
+    protected $fillable = [
+        'user_id',
+        'email',
+        'token',
+        'code_hash',
+        'failed_attempts',
+        'expires_at',
+        'verified_at',
+    ];
+
+    protected function casts(): array
+    {
+        return [
+            'failed_attempts' => 'integer',
+            'expires_at' => 'datetime',
+            'verified_at' => 'datetime',
+            'created_at' => 'datetime',
+        ];
+    }
+
+    public function isExpired(): bool
+    {
+        return $this->expires_at->isPast();
+    }
+
+    public function isUsable(): bool
+    {
+        return $this->verified_at === null
+            && $this->failed_attempts < 5
+            && ! $this->isExpired();
+    }
+
+    /** @return BelongsTo<User, $this> */
+    public function user(): BelongsTo
+    {
+        return $this->belongsTo(User::class);
+    }
+}
@@ -32,6 +32,7 @@ use Illuminate\Support\Carbon;
 * @property int|null $second_approver_id
 * @property Carbon|null $second_approval_at
 * @property Carbon $created_at
+ * @property string|null $session_token_hash
 *
 * @mixin IdeHelperImpersonationToken
 */
@@ -54,6 +55,7 @@ class ImpersonationToken extends Model
        'invalidated_at',
        'second_approver_id',
        'second_approval_at',
+        'session_token_hash',
    ];

    protected function casts(): array
@@ -81,6 +83,20 @@ class ImpersonationToken extends Model
            && ! $this->isExpired();
    }

+    /** Сессия impersonation активна: код подтверждён, не завершена, не инвалидирована, в пределах TTL минут. */
+    public function isSessionActive(int $ttlMinutes = 60): bool
+    {
+        return $this->used_at !== null
+            && $this->session_ended_at === null
+            && $this->invalidated_at === null
+            && $this->used_at->copy()->addMinutes($ttlMinutes)->isFuture();
+    }
+
+    public function sessionExpiresAt(int $ttlMinutes = 60): ?Carbon
+    {
+        return $this->used_at?->copy()->addMinutes($ttlMinutes);
+    }
+
    /** @return BelongsTo<Tenant, $this> */
    public function tenant(): BelongsTo
    {
@@ -0,0 +1,42 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Models;
+
+use Illuminate\Database\QueryException;
+use Laravel\Sanctum\PersonalAccessToken as SanctumPersonalAccessToken;
+
+/**
+ * Расширение Sanctum PersonalAccessToken.
+ *
+ * Перехватывает Bearer-токены с префиксом «lpimp_» (машинные ключи
+ * impersonation-guard, G7-B) и возвращает null без обращения к БД.
+ * Это предотвращает crash при отсутствии таблицы personal_access_tokens
+ * (проект использует SPA cookie-auth, таблица не создаётся).
+ */
+class PersonalAccessToken extends SanctumPersonalAccessToken
+{
+    /**
+     * Find the token instance matching the given token.
+     *
+     * Returns null immediately for impersonation machine-key tokens so
+     * Sanctum does not attempt a DB lookup on personal_access_tokens.
+     */
+    public static function findToken($token): ?static
+    {
+        if (str_starts_with((string) $token, 'lpimp_')) {
+            return null;
+        }
+
+        // В проекте нет таблицы personal_access_tokens (SPA cookie-auth, Sanctum
+        // PAT не используются). Без этого try/catch любой иной Bearer на
+        // sanctum-роуте ронял бы запрос в 500 (Undefined table) вместо чистого
+        // 401. Гасим QueryException до null — guard вернёт 401.
+        try {
+            return parent::findToken($token);
+        } catch (QueryException) {
+            return null;
+        }
+    }
+}
@@ -1,88 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Models;
-
-use Database\Factories\ReminderFactory;
-use Illuminate\Database\Eloquent\Factories\HasFactory;
-use Illuminate\Database\Eloquent\Model;
-use Illuminate\Database\Eloquent\Relations\BelongsTo;
-
-/**
- * Напоминание на сделке (schema v8.10 §17.5).
- *
- * Tenant-aware модель с RLS. Композитные индексы:
- * - idx_reminders_due (remind_at) WHERE is_sent=FALSE AND completed_at IS NULL — cron;
- * - idx_reminders_deal (deal_id) — UI карточки сделки;
- * - idx_reminders_tenant_user_active — дашборд «today/last/future».
- *
- * deal_id БЕЗ FK (deals партиционирована, FK на partitioned-родительскую
- * таблицу не поддерживается без partition-key в составе).
- *
- * MVP: assignee_id всегда NULL — паритет с histories[].to оригинала. Поле
- * зарезервировано для Post-MVP (multi-assignee).
- *
- * @mixin IdeHelperReminder
- */
-class Reminder extends Model
-{
-    /** @use HasFactory<ReminderFactory> */
-    use HasFactory;
-
-    protected $fillable = [
-        'tenant_id',
-        'deal_id',
-        'text',
-        'remind_at',
-        'created_by',
-        'assignee_id',
-        'completed_at',
-        'is_sent',
-        'sent_at',
-    ];
-
-    protected function casts(): array
-    {
-        return [
-            'tenant_id' => 'integer',
-            'deal_id' => 'integer',
-            'created_by' => 'integer',
-            'assignee_id' => 'integer',
-            'is_sent' => 'boolean',
-            'remind_at' => 'datetime',
-            'completed_at' => 'datetime',
-            'sent_at' => 'datetime',
-            'created_at' => 'datetime',
-            'updated_at' => 'datetime',
-        ];
-    }
-
-    /** @return BelongsTo<Tenant, $this> */
-    public function tenant(): BelongsTo
-    {
-        return $this->belongsTo(Tenant::class);
-    }
-
-    /** @return BelongsTo<User, $this> */
-    public function creator(): BelongsTo
-    {
-        return $this->belongsTo(User::class, 'created_by');
-    }
-
-    /** @return BelongsTo<User, $this> */
-    public function assignee(): BelongsTo
-    {
-        return $this->belongsTo(User::class, 'assignee_id');
-    }
-
-    public function isCompleted(): bool
-    {
-        return $this->completed_at !== null;
-    }
-
-    public function isOverdue(): bool
-    {
-        return $this->completed_at === null && $this->remind_at < now();
-    }
-}
@@ -18,6 +18,14 @@ use Illuminate\Database\Eloquent\Relations\BelongsTo;
 *
 * Spec: docs/superpowers/specs/2026-05-10-supplier-integration-design.md §5.1
 *
+ * Поля резолва региона (lead-region) аннотированы явно — ide-helper:models
+ * не подхватил их в стаб IdeHelperSupplierLead:
+ *
+ * @property int|null $dadata_qc
+ * @property string|null $phone_operator
+ * @property string|null $region_source
+ * @property int|null $resolved_subject_code
+ *
 * @mixin IdeHelperSupplierLead
 */
 class SupplierLead extends Model
@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Support\Carbon;
+
+/**
+ * Заявка клиента в техподдержку (G7-A). RLS по tenant_id; created_at — DB default.
+ *
+ * @property int $id
+ * @property int $tenant_id
+ * @property int $user_id
+ * @property string $name
+ * @property string $contact
+ * @property string $message
+ * @property Carbon $created_at
+ */
+class SupportRequest extends Model
+{
+    protected $table = 'support_requests';
+
+    public $timestamps = false; // только created_at (DB DEFAULT now()), updated_at нет
+
+    protected $fillable = [
+        'tenant_id', 'user_id', 'name', 'contact', 'message',
+    ];
+
+    protected function casts(): array
+    {
+        return ['created_at' => 'datetime'];
+    }
+}
@@ -0,0 +1,59 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Support\Carbon;
+
+/**
+ * Реквизиты тенанта (G1/SP2). 1:1 с tenants. RLS по tenant_id.
+ *
+ * Свойства аннотированы явно: `ide-helper:models` пропускает эту модель при
+ * интроспекции (стаб IdeHelperTenantRequisites не генерируется), поэтому
+ *
+ * @property-аннотации заданы вручную по db/schema.sql (tenant_requisites).
+ *
+ * @property int $id
+ * @property int $tenant_id
+ * @property string $subject_type
+ * @property string $contact_name
+ * @property string $contact_phone
+ * @property string|null $inn
+ * @property string|null $legal_name
+ * @property string|null $kpp
+ * @property string|null $ogrn
+ * @property string|null $legal_address
+ * @property string|null $bank_name
+ * @property string|null $bank_bik
+ * @property string|null $bank_account
+ * @property string|null $corr_account
+ * @property array<string, mixed>|null $dadata_raw
+ * @property Carbon|null $dadata_synced_at
+ * @property Carbon|null $requisites_completed_at
+ * @property Carbon|null $created_at
+ * @property Carbon|null $updated_at
+ */
+class TenantRequisites extends Model
+{
+    protected $table = 'tenant_requisites';
+
+    protected $fillable = [
+        'tenant_id', 'subject_type', 'contact_name', 'contact_phone',
+        'inn', 'legal_name', 'kpp', 'ogrn', 'legal_address',
+        'bank_name', 'bank_bik', 'bank_account', 'corr_account',
+        'dadata_raw', 'dadata_synced_at', 'requisites_completed_at',
+    ];
+
+    protected function casts(): array
+    {
+        return [
+            'dadata_raw' => 'array',
+            'dadata_synced_at' => 'datetime',
+            'requisites_completed_at' => 'datetime',
+            'created_at' => 'datetime',
+            'updated_at' => 'datetime',
+        ];
+    }
+}
@@ -2,14 +2,28 @@

 namespace App\Providers;

+use App\Models\ImpersonationToken;
+use App\Models\PersonalAccessToken;
+use App\Models\User;
+use App\Services\Captcha\CaptchaVerifier;
+use App\Services\Captcha\NullCaptchaVerifier;
+use App\Services\DaData\DaDataPartyClient;
+use App\Services\DaData\NullPartyLookup;
+use App\Services\DaData\PartyLookup;
 use App\Services\Supplier\Channel\AjaxProjectChannel;
 use App\Services\Supplier\Channel\FailoverProjectChannel;
 use App\Services\Supplier\Channel\FormProjectChannel;
 use App\Services\Supplier\Channel\SupplierProjectChannel;
 use App\Services\Supplier\ProcessFactory;
 use App\Services\Supplier\SymfonyProcessFactory;
+use Illuminate\Cache\RateLimiting\Limit;
 use Illuminate\Contracts\Mail\Mailer;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Facades\RateLimiter;
 use Illuminate\Support\ServiceProvider;
+use Laravel\Sanctum\Sanctum;

 class AppServiceProvider extends ServiceProvider
 {
@@ -34,6 +48,22 @@ class AppServiceProvider extends ServiceProvider
                $app->make(Mailer::class),
            ),
        );
+
+        // Шов капчи самозаписи (G1/SP1). SP1 — Null-драйвер; реальный
+        // Yandex SmartCaptcha встанет сюда позже через match по драйверу.
+        $this->app->bind(
+            CaptchaVerifier::class,
+            NullCaptchaVerifier::class,
+        );
+
+        // Шов подтяжки организации по ИНН (G1/SP2). По флагу party_enabled —
+        // реальный DaData suggestions; иначе Null (dev/тесты не ходят в сеть).
+        $this->app->bind(
+            PartyLookup::class,
+            fn ($app) => config('services.dadata.party_enabled')
+                ? $app->make(DaDataPartyClient::class)
+                : $app->make(NullPartyLookup::class),
+        );
    }

    /**
@@ -41,6 +71,54 @@ class AppServiceProvider extends ServiceProvider
     */
    public function boot(): void
    {
-        //
+        // P1 go-live: per-IP route-throttle поверх прикладного per-credential
+        // rate-limit в auth-контроллерах. Именованные лимитеры изолируют счётчики
+        // login / 2fa / password. Применение — throttle:<name> в routes/web.php.
+        // 20/мин — стартовое значение (выше максимума тестовых циклов), снижать по
+        // боевому трафику. Runbook: docs/superpowers/runbooks/2026-06-17-auth-throttle-limits.md
+        foreach (['auth-login', 'auth-2fa', 'auth-password', 'auth-register'] as $limiterName) {
+            RateLimiter::for(
+                $limiterName,
+                fn (Request $request) => Limit::perMinute(20)->by($request->ip() ?: 'unknown'),
+            );
+        }
+
+        // G7-B: заменяем Sanctum PersonalAccessToken на расширение, которое
+        // возвращает null для lpimp_-токенов без запроса к personal_access_tokens.
+        // Проект использует SPA cookie-auth — таблица personal_access_tokens отсутствует.
+        Sanctum::usePersonalAccessTokenModel(PersonalAccessToken::class);
+
+        // G7-B: кастомный auth-guard «impersonation».
+        // По Bearer-токену вида lpimp_<id>_<secret> резолвит первого активного
+        // пользователя тенанта из impersonation_tokens.
+        // Запросы к БД идут через pgsql_supplier (BYPASSRLS), чтобы не упереться
+        // в RLS до SetTenantContext (middleware «tenant» применяется позже).
+        Auth::viaRequest('impersonation', function (Request $request) {
+            $header = (string) $request->header('Authorization', '');
+            if (! str_starts_with($header, 'Bearer lpimp_')) {
+                return null;
+            }
+            $raw = trim(substr($header, 7)); // lpimp_<id>_<secret>
+            $parts = explode('_', $raw, 3);
+            if (count($parts) !== 3 || $parts[0] !== 'lpimp' || ! ctype_digit($parts[1])) {
+                return null;
+            }
+            $idStr = $parts[1];
+            $secret = $parts[2];
+
+            $token = ImpersonationToken::on('pgsql_supplier')->find((int) $idStr);
+            if ($token === null || $token->session_token_hash === null || ! $token->isSessionActive()) {
+                return null;
+            }
+            if (! Hash::check($secret, (string) $token->session_token_hash)) {
+                return null;
+            }
+
+            return User::on('pgsql_supplier')
+                ->where('tenant_id', $token->tenant_id)
+                ->where('is_active', true)
+                ->orderBy('id')
+                ->first();
+        });
    }
 }
@@ -0,0 +1,21 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\Auth;
+
+use RuntimeException;
+
+/**
+ * Доменная ошибка самозаписи. reason — машинный код для ответа контроллера:
+ * email_taken | captcha_failed | not_found | expired | too_many_attempts | invalid_code.
+ */
+final class RegistrationException extends RuntimeException
+{
+    public function __construct(
+        public readonly string $reason,
+        public readonly ?int $attemptsRemaining = null,
+    ) {
+        parent::__construct($reason);
+    }
+}
@@ -0,0 +1,264 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\Auth;
+
+use App\Mail\EmailVerificationCodeMail;
+use App\Models\EmailVerification;
+use App\Models\Tenant;
+use App\Models\User;
+use App\Services\Captcha\CaptchaVerifier;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Facades\Log;
+use Illuminate\Support\Facades\Mail;
+use Illuminate\Support\Str;
+
+/**
+ * Оркестрация самозаписи (G1/SP1): register / confirm / resend.
+ *
+ * Все обращения к tenants/users/email_verifications — через BYPASSRLS-подключение
+ * pgsql_supplier: публичные роуты не выставляют app.current_tenant_id, и под RLS
+ * (роль crm_app_user) SELECT/INSERT по этим таблицам не прошёл бы.
+ *
+ * Гонка дублей: в схеме нет глобального UNIQUE(users.email) (только
+ * UNIQUE(tenant_id,email)), поэтому «проверка-потом-вставка» сериализуется
+ * advisory-локом по email внутри транзакции — два параллельных register на один
+ * новый email не создадут два тенанта (лок снимается на commit/rollback).
+ */
+class RegistrationService
+{
+    private const DB_CONNECTION = 'pgsql_supplier';
+
+    private const CODE_TTL_MINUTES = 15;
+
+    private const MAX_FAILED_ATTEMPTS = 5;
+
+    private const START_BALANCE_RUB = '300.00';
+
+    public function __construct(private readonly CaptchaVerifier $captcha) {}
+
+    /**
+     * @return array{status:string, user:User, verification:EmailVerification, dev_code:?string}
+     */
+    public function register(string $email, string $password, ?string $captchaToken, ?string $ip): array
+    {
+        if (! $this->captcha->verify($captchaToken, $ip)) {
+            throw new RegistrationException('captcha_failed');
+        }
+
+        $email = mb_strtolower(trim($email));
+        $conn = DB::connection(self::DB_CONNECTION);
+
+        // Сериализация одновременных регистраций одного email (TOCTOU-защита, см. docblock).
+        // Письмо отправляем ПОСЛЕ commit — не держим SMTP внутри транзакции.
+        $issued = $this->atomic(function () use ($conn, $email, $password) {
+            $conn->statement('SELECT pg_advisory_xact_lock(hashtext(?))', ['liderra:self-register:'.$email]);
+
+            $existing = User::on(self::DB_CONNECTION)->where('email', $email)->first();
+            if ($existing && $existing->is_active) {
+                throw new RegistrationException('email_taken');
+            }
+
+            $user = $existing ?: $this->createPendingTenantOwner($email, $password);
+
+            return $this->createCodeRecord($user);
+        });
+
+        $this->sendCode($issued['user']->email, $issued['plain']);
+
+        return [
+            'status' => 'pending_email_confirm',
+            'user' => $issued['user'],
+            'verification' => $issued['record'],
+            'dev_code' => $issued['dev_code'],
+        ];
+    }
+
+    public function confirm(string $email, string $code): User
+    {
+        $email = mb_strtolower(trim($email));
+        $user = User::on(self::DB_CONNECTION)->where('email', $email)->first();
+        if (! $user) {
+            throw new RegistrationException('not_found');
+        }
+
+        $record = EmailVerification::on(self::DB_CONNECTION)
+            ->where('user_id', $user->id)
+            ->whereNull('verified_at')
+            ->orderByDesc('id')
+            ->first();
+
+        if (! $record || ! $record->isUsable()) {
+            $reason = $record === null ? 'not_found'
+                : ($record->isExpired() ? 'expired' : 'too_many_attempts');
+            throw new RegistrationException($reason);
+        }
+
+        if (! Hash::check($code, (string) $record->code_hash)) {
+            // increment ВНЕ транзакции: счётчик должен пережить 422 (откат сбросил
+            // бы failed_attempts и сломал лимит 5 попыток).
+            $record->increment('failed_attempts');
+            throw new RegistrationException(
+                'invalid_code',
+                max(0, self::MAX_FAILED_ATTEMPTS - $record->failed_attempts),
+            );
+        }
+
+        // Успех — атомарно: пометка кода + активация владельца + статус/баланс тенанта.
+        $this->atomic(function () use ($record, $user): void {
+            $record->update(['verified_at' => now()]);
+            $user->update(['is_active' => true]);
+            Tenant::on(self::DB_CONNECTION)->where('id', $user->tenant_id)->update([
+                'status' => 'active',
+                'balance_rub' => self::START_BALANCE_RUB,
+            ]);
+        });
+
+        return $user->fresh();
+    }
+
+    /** @return ?string dev-код (только local/testing), иначе null. Anti-enumeration: тихо для active/missing. */
+    public function resend(string $email): ?string
+    {
+        $email = mb_strtolower(trim($email));
+        $conn = DB::connection(self::DB_CONNECTION);
+
+        $issued = $this->atomic(function () use ($conn, $email) {
+            $conn->statement('SELECT pg_advisory_xact_lock(hashtext(?))', ['liderra:self-register:'.$email]);
+
+            $user = User::on(self::DB_CONNECTION)->where('email', $email)->first();
+            if ($user && ! $user->is_active) {
+                return $this->createCodeRecord($user);
+            }
+
+            return null;
+        });
+
+        if ($issued === null) {
+            return null;
+        }
+
+        $this->sendCode($issued['user']->email, $issued['plain']);
+
+        return $issued['dev_code'];
+    }
+
+    /**
+     * Выполнить $work атомарно на pgsql_supplier.
+     *
+     * Прод-путь: соединение НЕ в транзакции → открываем свою (`transaction()`),
+     * advisory xact-lock держится до commit/rollback — корректная сериализация.
+     *
+     * Если PDO УЖЕ в транзакции (внешний caller обернул нас ИЛИ тест-харнес
+     * SharesSupplierPdo делит уже-открытый PDO под DatabaseTransactions) —
+     * участвуем в существующей транзакции без вложенного beginTransaction:
+     * pgsql_supplier-connection не отслеживает уровень внешней транзакции, и
+     * `transaction()` попытался бы `PDO::beginTransaction()` поверх открытой →
+     * «There is already an active transaction». Это nested-transaction-safety,
+     * не тест-специфичная ветка: повторный вызов внутри открытой транзакции
+     * корректно переиспользует её.
+     *
+     * @template T
+     *
+     * @param  callable():T  $work
+     * @return T
+     */
+    private function atomic(callable $work): mixed
+    {
+        $conn = DB::connection(self::DB_CONNECTION);
+
+        if ($conn->getPdo()->inTransaction()) {
+            return $work();
+        }
+
+        return $conn->transaction($work);
+    }
+
+    private function createPendingTenantOwner(string $email, string $password): User
+    {
+        $tenant = Tenant::on(self::DB_CONNECTION)->create([
+            'subdomain' => $this->generateSubdomain($email),
+            'organization_name' => $email,   // плейсхолдер; уточняется в SP2 (реквизиты)
+            'contact_email' => $email,
+            'balance_rub' => 0,
+            'is_trial' => true,
+        ]);
+        // tenants.status НЕ в $fillable модели Tenant (колонка DEFAULT 'active') —
+        // выставляем явно, минуя mass-assignment; иначе самозапись активировала бы
+        // тенанта до подтверждения почты (баг: tenant создавался 'active').
+        $tenant->status = 'pending_email_confirm';
+        $tenant->save();
+
+        return User::on(self::DB_CONNECTION)->create([
+            'tenant_id' => $tenant->id,
+            'email' => $email,
+            'password_hash' => Hash::make($password),
+            'first_name' => 'Новый',
+            'last_name' => 'клиент',
+            'is_active' => false,
+            'totp_enabled' => false,
+        ]);
+    }
+
+    /**
+     * @return array{user:User, record:EmailVerification, plain:string, dev_code:?string}
+     */
+    private function createCodeRecord(User $user): array
+    {
+        // Гасим прежние непогашенные коды этого пользователя (делаем неюзабельными).
+        EmailVerification::on(self::DB_CONNECTION)
+            ->where('user_id', $user->id)
+            ->whereNull('verified_at')
+            ->update(['failed_attempts' => self::MAX_FAILED_ATTEMPTS]);
+
+        $plain = (string) random_int(100_000, 999_999);
+
+        $record = EmailVerification::on(self::DB_CONNECTION)->create([
+            'user_id' => $user->id,
+            'email' => $user->email,
+            'token' => (string) Str::uuid(),
+            'code_hash' => Hash::make($plain),
+            'failed_attempts' => 0,
+            'expires_at' => now()->addMinutes(self::CODE_TTL_MINUTES),
+        ]);
+
+        return [
+            'user' => $user,
+            'record' => $record,
+            'plain' => $plain,
+            'dev_code' => app()->environment('local', 'testing') ? $plain : null,
+        ];
+    }
+
+    private function sendCode(string $email, string $plain): void
+    {
+        // Письмо ставим в очередь (не держим SMTP в HTTP-пути) и НЕ валим самозапись
+        // при сбое доставки: запись кода уже создана, клиент может «отправить повторно».
+        // Email в лог не пишем (ПДн §5.2) — только факт и текст ошибки.
+        try {
+            Mail::to($email)->queue(new EmailVerificationCodeMail($plain, $email));
+        } catch (\Throwable $e) {
+            Log::warning('register: не удалось поставить письмо с кодом в очередь: '.$e->getMessage());
+        }
+    }
+
+    private function generateSubdomain(string $email): string
+    {
+        $base = Str::of($email)->before('@')->lower()->replaceMatches('/[^a-z0-9]/', '')->value();
+        if ($base === '') {
+            $base = 'client';
+        }
+        $base = Str::limit($base, 50, '');
+
+        $candidate = $base;
+        $i = 0;
+        while (Tenant::on(self::DB_CONNECTION)->where('subdomain', $candidate)->exists()) {
+            $i++;
+            $candidate = $base.$i;
+        }
+
+        return Str::limit($candidate, 63, '');
+    }
+}
@@ -0,0 +1,46 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\Billing;
+
+use Illuminate\Support\Facades\DB;
+
+/**
+ * Единый расчёт «на сколько дней хватит affordable_leads» (F3, 17.06.2026).
+ *
+ * Единственный источник истины для прогноза runway — используется и биллингом
+ * (BillingController::wallet), и дашбордом (DashboardController::summary), чтобы
+ * исключить расхождение «0 дней (дашборд) ↔ N дней (биллинг)»: раньше дашборд
+ * считал от legacy `balance_leads`, а биллинг — от рублёвого affordable.
+ *
+ * Billing v2 Spec A: affordable_leads — выход BalanceToLeadsConverter (точная
+ * конверсия ₽ по ступеням), делённый на среднюю скорость списания за 30 дней
+ * (count(lead_charges)/30).
+ *
+ * - affordable_leads ≤ 0 → 0 (тенант не может купить ни одного лида).
+ * - leadsLast30Days = 0 → null (нет истории, не от чего считать).
+ * - иначе → floor(affordable_leads / (leadsLast30Days / 30)).
+ */
+class RunwayCalculator
+{
+    public function daysLeft(int $tenantId, int $affordableLeads): ?int
+    {
+        if ($affordableLeads <= 0) {
+            return 0;
+        }
+
+        $leadsLast30Days = (int) DB::table('lead_charges')
+            ->where('tenant_id', $tenantId)
+            ->where('charged_at', '>=', now()->subDays(30))
+            ->count();
+
+        if ($leadsLast30Days <= 0) {
+            return null;
+        }
+
+        $avgPerDay = $leadsLast30Days / 30.0;
+
+        return max(0, (int) floor($affordableLeads / $avgPerDay));
+    }
+}
@@ -0,0 +1,16 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\Captcha;
+
+/**
+ * Шов проверки капчи. SP1 — dev-драйвер NullCaptchaVerifier; реальный
+ * Yandex SmartCaptcha-драйвер подключается позже (SP3/ops) без изменения
+ * контроллера/сервиса — они зовут только этот интерфейс.
+ */
+interface CaptchaVerifier
+{
+    /** true — капча пройдена; false — отклонить регистрацию. */
+    public function verify(?string $token, ?string $ip = null): bool;
+}
@@ -0,0 +1,22 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\Captcha;
+
+/**
+ * Dev/test-драйвер: пустой токен — всегда провал; непустой — исход из конфига
+ * services.captcha.fake_passes (тест переключает на false, чтобы проверить
+ * ветку отклонения). На prod вместо него встанет Yandex SmartCaptcha-драйвер.
+ */
+final class NullCaptchaVerifier implements CaptchaVerifier
+{
+    public function verify(?string $token, ?string $ip = null): bool
+    {
+        if ($token === null || $token === '') {
+            return false;
+        }
+
+        return (bool) config('services.captcha.fake_passes', true);
+    }
+}
@@ -0,0 +1,76 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\DaData;
+
+use App\Services\DaData\Dto\PartyLookupResult;
+use Illuminate\Http\Client\ConnectionException;
+use Illuminate\Http\Client\Factory as HttpFactory;
+
+/**
+ * Suggestions findById/party — подтяжка организации по ИНН (бесплатный эндпоинт DaData).
+ * POST https://suggestions.dadata.ru/suggestions/api/4_1/rs/findById/party
+ *   Authorization: Token <api_key> ; body {"query":"<inn>"}
+ *
+ * Все ошибки (нет ключа / сеть / 4xx / 5xx / пустой ответ) → null (мягко, не бросаем).
+ */
+final class DaDataPartyClient implements PartyLookup
+{
+    private const URL = 'https://suggestions.dadata.ru/suggestions/api/4_1/rs/findById/party';
+
+    public function __construct(private readonly HttpFactory $http) {}
+
+    public function findByInn(string $inn): ?PartyLookupResult
+    {
+        $cfg = (array) config('services.dadata');
+        $apiKey = (string) ($cfg['api_key'] ?? '');
+        if ($apiKey === '') {
+            return null;
+        }
+        $timeoutSec = max(1, (int) round(((int) ($cfg['timeout_ms'] ?? 2000)) / 1000));
+
+        try {
+            $response = $this->http
+                ->asJson()
+                ->acceptJson()
+                ->timeout($timeoutSec)
+                ->withHeaders(['Authorization' => 'Token '.$apiKey])
+                ->post(self::URL, ['query' => $inn]);
+        } catch (ConnectionException) {
+            return null;
+        }
+
+        if (! $response->successful()) {
+            return null;
+        }
+
+        return $this->parse($response->json());
+    }
+
+    /** @param  mixed  $body */
+    private function parse($body): ?PartyLookupResult
+    {
+        $sug = (is_array($body) && isset($body['suggestions'][0]) && is_array($body['suggestions'][0]))
+            ? $body['suggestions'][0]
+            : null;
+        if ($sug === null) {
+            return null;
+        }
+
+        $data = is_array($sug['data'] ?? null) ? $sug['data'] : [];
+        $name = (string) ($sug['value'] ?? '');
+        if ($name === '') {
+            return null;
+        }
+
+        return new PartyLookupResult(
+            legalName: $name,
+            kpp: isset($data['kpp']) ? (string) $data['kpp'] : null,
+            ogrn: isset($data['ogrn']) ? (string) $data['ogrn'] : null,
+            address: isset($data['address']['value']) ? (string) $data['address']['value'] : null,
+            type: isset($data['type']) ? (string) $data['type'] : '',
+            raw: $sug,
+        );
+    }
+}
@@ -0,0 +1,18 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\DaData\Dto;
+
+final class PartyLookupResult
+{
+    /** @param  array<string,mixed>  $raw */
+    public function __construct(
+        public readonly string $legalName,
+        public readonly ?string $kpp,
+        public readonly ?string $ogrn,
+        public readonly ?string $address,
+        public readonly string $type,   // 'LEGAL' | 'INDIVIDUAL' | ''
+        public readonly array $raw,
+    ) {}
+}
@@ -0,0 +1,15 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\DaData;
+
+use App\Services\DaData\Dto\PartyLookupResult;
+
+final class NullPartyLookup implements PartyLookup
+{
+    public function findByInn(string $inn): ?PartyLookupResult
+    {
+        return null; // dev/тесты по умолчанию — «не найдено»
+    }
+}
@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\DaData;
+
+use App\Services\DaData\Dto\PartyLookupResult;
+
+interface PartyLookup
+{
+    public function findByInn(string $inn): ?PartyLookupResult;
+}
@@ -8,7 +8,6 @@ use App\Models\Deal;
 use App\Models\ImportLog;
 use App\Models\ImportUnknownStatus;
 use App\Models\Project;
-use App\Models\Reminder;
 use App\Services\MonthlyPartitionManager;
 use App\Services\Pd\PdAuditLogger;
 use Illuminate\Support\Facades\DB;
@@ -164,7 +163,6 @@ final class HistoricalImportService
                    'contact_name' => $row->contactName,
                    'comment' => $row->comment,
                ]);
-                $this->syncReminder($tenantId, $userId, $deal, $row);

                return false;
            }
@@ -188,8 +186,6 @@ final class HistoricalImportService
                'created_at' => now(),
            ]);

-            $this->syncReminder($tenantId, $userId, $deal, $row);
-
            $this->pdLog->record(
                action: 'created',
                subjectType: 'lead',
@@ -205,35 +201,6 @@ final class HistoricalImportService
        });
    }

-    /**
-     * Создаёт reminders-строку для непустого «Напоминание» (ТЗ §6.3 — поле
-     * deals.reminder_at удалено в v8.3, заменено таблицей reminders).
-     * Идемпотентно: не дублирует напоминание при повторном импорте.
-     */
-    private function syncReminder(int $tenantId, int $userId, Deal $deal, ParsedLeadRow $row): void
-    {
-        if ($row->reminderAt === null) {
-            return;
-        }
-
-        $exists = Reminder::query()
-            ->where('deal_id', $deal->id)
-            ->where('remind_at', $row->reminderAt)
-            ->exists();
-
-        if ($exists) {
-            return;
-        }
-
-        Reminder::create([
-            'tenant_id' => $tenantId,
-            'deal_id' => $deal->id,
-            'text' => 'Импортировано из crm.bp-gr.ru',
-            'remind_at' => $row->reminderAt,
-            'created_by' => $userId,
-        ]);
-    }
-
    /**
     * upsert import_unknown_statuses: инкремент occurrences, маппинг не трогаем.
     *
@@ -152,7 +152,7 @@ class LeadRegionResolver
    }

    /**
-     * @return array<string, mixed>  сырой ответ DaData с маскированным телефоном (§7.1)
+     * @return array<string, mixed> сырой ответ DaData с маскированным телефоном (§7.1)
     */
    private function maskResponse(DaDataPhoneResponse $response): array
    {
@@ -5,14 +5,12 @@ declare(strict_types=1);
 namespace App\Services;

 use App\Mail\InvoicePaidNotification;
-use App\Mail\NewLeadNotification;
-use App\Mail\ReminderDueNotification;
+use App\Mail\NewLeadsDigestMail;
 use App\Mail\TopupSuccessNotification;
 use App\Mail\ZeroBalancePausedMail;
 use App\Models\Deal;
 use App\Models\InAppNotification;
 use App\Models\Project;
-use App\Models\Reminder;
 use App\Models\Tenant;
 use App\Models\User;
 use Illuminate\Support\Collection;
@@ -27,7 +25,6 @@ use Throwable;
 * Матрица 8 событий × 3 каналов (inapp / push / email) хранится в
 * `users.notification_preferences` JSONB. По умолчанию (см. schema.sql:699):
 *   new_lead         {inapp:true, push:true, email:false}
- *   reminder         {inapp:true, push:true, email:true}
 *   low_balance      {email:true}
 *   zero_balance     {email:true}
 *   topup_success    {email:true}
@@ -44,8 +41,6 @@ class NotificationService
 {
    public const EVENT_NEW_LEAD = 'new_lead';

-    public const EVENT_REMINDER = 'reminder';
-
    public const EVENT_LOW_BALANCE = 'low_balance';

    public const EVENT_ZERO_BALANCE = 'zero_balance';
@@ -60,7 +55,6 @@ class NotificationService

    public const ALL_EVENTS = [
        self::EVENT_NEW_LEAD,
-        self::EVENT_REMINDER,
        self::EVENT_LOW_BALANCE,
        self::EVENT_ZERO_BALANCE,
        self::EVENT_TOPUP_SUCCESS,
@@ -90,11 +84,8 @@ class NotificationService
    {
        $projectName = $deal->project?->name ?? 'Без проекта';

-        // Канал email.
-        foreach ($this->recipientsForEvent($tenant, self::EVENT_NEW_LEAD, self::CHANNEL_EMAIL) as $user) {
-            $this->sendEmail($user, self::EVENT_NEW_LEAD, new NewLeadNotification($user, $deal, $tenant));
-        }
-
+        // Канал email события new_lead переведён на дайджест (SendNewLeadsDigestJob).
+        // Здесь — только in-app (колокольчик) на каждую сделку.
        // Канал inapp.
        $title = "Новый лид — {$projectName}";
        $body = $deal->contact_name ?: $deal->phone;
@@ -107,41 +98,14 @@ class NotificationService
    }

    /**
-     * Уведомление о наступлении срока напоминания. Получатели:
-     *   — assignee_id, если задан и активен;
-     *   — иначе created_by (создатель напоминания).
-     *
-     * Каналы: email + inapp по prefs пользователя. Триггер — Artisan
-     * команда `reminders:dispatch-due`.
+     * G2-A дайджест: одно письмо-сводка о новых сделках за окно — каждому
+     * активному пользователю тенанта с включённым new_lead.email. Заменяет
+     * пер-лид email-канал события new_lead.
     */
-    public function notifyReminder(Reminder $reminder): void
+    public function notifyNewLeadsDigest(Tenant $tenant, Collection $deals): void
    {
-        $recipientId = $reminder->assignee_id ?? $reminder->created_by;
-        $recipient = User::query()
-            ->where('id', $recipientId)
-            ->where('tenant_id', $reminder->tenant_id)
-            ->where('is_active', true)
-            ->whereNull('deleted_at')
-            ->first();
-
-        if ($recipient === null) {
-            // Получатель удалён/деактивирован — некому слать.
-            return;
-        }
-
-        $shortText = $reminder->text ? mb_substr($reminder->text, 0, 80) : 'Срок касания клиента';
-        $title = "Напоминание — {$shortText}";
-        $body = 'Сделка #'.$reminder->deal_id;
-
-        if ($this->prefEnabled($recipient, self::EVENT_REMINDER, self::CHANNEL_EMAIL)) {
-            $this->sendEmail($recipient, self::EVENT_REMINDER, new ReminderDueNotification($recipient, $reminder));
-        }
-
-        if ($this->prefEnabled($recipient, self::EVENT_REMINDER, self::CHANNEL_INAPP)) {
-            $this->notifyInApp($recipient, self::EVENT_REMINDER, $title, $body, [
-                'reminder_id' => $reminder->id,
-                'deal_id' => $reminder->deal_id,
-            ]);
+        foreach ($this->recipientsForEvent($tenant, self::EVENT_NEW_LEAD, self::CHANNEL_EMAIL) as $user) {
+            $this->sendEmail($user, self::EVENT_NEW_LEAD, new NewLeadsDigestMail($user, $tenant, $deals));
        }
    }

@@ -135,45 +135,56 @@ class PdErasureService
            $counts['leads'] = $leads->count();

            // ------------------------------------------------------------------
-            // 3. deals  (phone + contact_name)
-            //    Deals партиционированы — UPDATE без WHERE на партиции через
-            //    parent table работает начиная с PG 11+.
+            // 3. deals  (скалярный phone + JSONB phones — доп. телефоны субъекта)
+            //    Email в deals не хранится (нет колонки и нет JSONB-поля с email),
+            //    поэтому erasure только по email для сделок — корректный no-op:
+            //    сопоставлять нечего, counts['deals'] остаётся 0 (F-P1b, решение 2).
+            //    Сделки партиционированы — UPDATE по id на parent работает на PG 11+.
            // ------------------------------------------------------------------
-            $dealQuery = DB::connection(self::DB)->table('deals');
-            $dealQuery->where(function ($q) use ($email, $phone): void {
-                if ($phone !== null) {
-                    $q->orWhere('phone', $phone);
+            if ($phone !== null) {
+                $dealQuery = DB::connection(self::DB)->table('deals');
+                $dealQuery->where(function ($q) use ($phone): void {
+                    $q->where('phone', $phone)
+                        ->orWhereRaw('phones @> ?::jsonb', [json_encode([$phone])]);
+                });
+                if ($tenantId !== null) {
+                    $dealQuery->where('tenant_id', $tenantId);
                }
-                if ($email !== null) {
-                    // Дополнительно: UTM/phones JSONB может хранить email, но в
-                    // минимуме ищем только по phone. Email в deals не хранится
-                    // в отдельной колонке.
+
+                $deals = $dealQuery->get(['id', 'phone', 'phones']);
+
+                // Хирургическое удаление телефона субъекта из JSONB-массива доп.
+                // телефонов: остаются все элементы, не равные $phone; пустой
+                // результат -> NULL. COALESCE — NULL-безопасность; порядок
+                // со-контактов сохраняется (152-ФЗ: чужие телефоны не трогаем).
+                $phonesScrubExpr = '(SELECT JSONB_AGG(elem) '
+                    ."FROM JSONB_ARRAY_ELEMENTS(COALESCE(phones, '[]'::jsonb)) AS elem "
+                    .'WHERE elem <> TO_JSONB(?::text))';
+
+                foreach ($deals as $deal) {
+                    $dealId = (int) $deal->id;
+
+                    if ($deal->phone === $phone) {
+                        // Субъект — владелец сделки: анонимизируем скалярные ПДн
+                        // и хирургически чистим массив доп. телефонов.
+                        DB::connection(self::DB)->update(
+                            'UPDATE deals SET phone = ?, contact_name = ?, '
+                            ."phones = {$phonesScrubExpr}, updated_at = ? WHERE id = ?",
+                            ['+7000XXXXXXX', 'Удалено', $phone, $now, $dealId],
+                        );
+                    } else {
+                        // Субъект — лишь доп. телефон чужой сделки: скалярные
+                        // phone/contact_name владельца НЕ трогаем, чистим только массив.
+                        DB::connection(self::DB)->update(
+                            "UPDATE deals SET phones = {$phonesScrubExpr}, "
+                            .'updated_at = ? WHERE id = ?',
+                            [$phone, $now, $dealId],
+                        );
+                    }
                }
-            });
-            if ($tenantId !== null) {
-                $dealQuery->where('tenant_id', $tenantId);
+
+                $counts['deals'] = $deals->count();
            }
-            // Исключаем строки без совпадения по phone (когда phone=null — ничего не ищем)
-            if ($phone === null) {
-                // deals не имеет email-колонки, пропускаем
-                $dealQuery->whereRaw('FALSE');
-            }
-
-            $deals = $dealQuery->get(['id']);
-
-            foreach ($deals as $deal) {
-                $dealId = (int) $deal->id;
-
-                DB::connection(self::DB)->table('deals')
-                    ->where('id', $dealId)
-                    ->update([
-                        'phone' => '+7000XXXXXXX',
-                        'contact_name' => 'Удалено',
-                        'updated_at' => $now,
-                    ]);
-            }
-
-            $counts['deals'] = $deals->count();

            // ------------------------------------------------------------------
            // 4. Обновить pd_subject_requests если requestId передан
@@ -0,0 +1,46 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\Requisites;
+
+use App\Models\Tenant;
+use App\Models\TenantRequisites;
+use App\Support\PhoneNormalizer;
+
+final class RequisitesService
+{
+    /**
+     * @param  array<string,mixed>  $data  валидированный payload (телефон ещё в сыром виде)
+     */
+    public function upsert(Tenant $tenant, array $data): TenantRequisites
+    {
+        if (isset($data['contact_phone'])) {
+            $data['contact_phone'] = PhoneNormalizer::normalize((string) $data['contact_phone']);
+        }
+
+        $req = TenantRequisites::firstOrNew(['tenant_id' => $tenant->id]);
+        $req->fill($data);
+        $req->tenant_id = $tenant->id;
+        $req->requisites_completed_at = filled($req->bank_account) ? now() : null;
+        $req->save();
+
+        return $req;
+    }
+
+    public function isLightComplete(Tenant $tenant): bool
+    {
+        $r = TenantRequisites::where('tenant_id', $tenant->id)->first();
+        if ($r === null) {
+            return false;
+        }
+        if (blank($r->subject_type) || blank($r->contact_name) || blank($r->contact_phone)) {
+            return false;
+        }
+        if (in_array($r->subject_type, ['legal_entity', 'sole_proprietor'], true) && blank($r->inn)) {
+            return false;
+        }
+
+        return true;
+    }
+}
@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Support;
+
+final class InnValidator
+{
+    public static function isValid(string $inn, string $subjectType): bool
+    {
+        if ($subjectType === 'individual') {
+            return true; // физлицу ИНН не требуется (SP2)
+        }
+        if (! ctype_digit($inn)) {
+            return false;
+        }
+
+        return match ($subjectType) {
+            'legal_entity' => self::valid10($inn),
+            'sole_proprietor' => self::valid12($inn),
+            default => false,
+        };
+    }
+
+    private static function valid10(string $inn): bool
+    {
+        if (strlen($inn) !== 10) {
+            return false;
+        }
+
+        return self::checksum($inn, [2, 4, 10, 3, 5, 9, 4, 6, 8]) === (int) $inn[9];
+    }
+
+    private static function valid12(string $inn): bool
+    {
+        if (strlen($inn) !== 12) {
+            return false;
+        }
+
+        return self::checksum($inn, [7, 2, 4, 10, 3, 5, 9, 4, 6, 8]) === (int) $inn[10]
+            && self::checksum($inn, [3, 7, 2, 4, 10, 3, 5, 9, 4, 6, 8]) === (int) $inn[11];
+    }
+
+    /** @param  int[]  $weights */
+    private static function checksum(string $inn, array $weights): int
+    {
+        $sum = 0;
+        foreach ($weights as $i => $w) {
+            $sum += $w * (int) $inn[$i];
+        }
+
+        return ($sum % 11) % 10;
+    }
+}
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Support;
+
+final class PhoneNormalizer
+{
+    /**
+     * Нормализует российский номер к виду +7XXXXXXXXXX (12 символов) или null, если невалиден.
+     */
+    public static function normalize(string $raw): ?string
+    {
+        $digits = preg_replace('/\D+/', '', $raw) ?? '';
+
+        if (strlen($digits) === 11 && ($digits[0] === '8' || $digits[0] === '7')) {
+            $digits = '7'.substr($digits, 1);
+        } elseif (strlen($digits) === 10) {
+            $digits = '7'.$digits;
+        } else {
+            return null;
+        }
+
+        return '+'.$digits;
+    }
+}
@@ -114,9 +114,97 @@ final class RussianRegions
        89 => 'Ямало-Ненецкий автономный округ',
    ];

+    /**
+     * Алиасы нестандартных форм реестра Россвязи → каноничное имя субъекта.
+     * Города фед. значения приходят с префиксом «г. »; «Республика Удмуртская» —
+     * перевёрнутый порядок слов; «Кемеровская область - Кузбасс обл.» — спец-форма.
+     *
+     * @var array<string, string>
+     */
+    private const REGION_ALIASES = [
+        'г. Москва' => 'Москва',
+        'Город Москва' => 'Москва',
+        'г. Санкт-Петербург' => 'Санкт-Петербург',
+        'г. Санкт - Петербург' => 'Санкт-Петербург',
+        'г. Севастополь' => 'Севастополь',
+        'Республика Саха /Якутия/' => 'Республика Саха (Якутия)',
+        'Чувашская Республика - Чувашия' => 'Чувашская Республика',
+        'Кемеровская область - Кузбасс обл.' => 'Кемеровская область',
+        'Кемеровская область - Кузбасс область' => 'Кемеровская область',
+        'Кемеровская область - Кузбасс' => 'Кемеровская область',
+    ];
+
    /** @return array<string, int> name => code (обратный индекс) */
    public static function nameToCode(): array
    {
        return array_flip(self::CODE_TO_NAME);
    }
+
+    /**
+     * Нормализует строку региона реестра Россвязи в каноничное имя субъекта (или null).
+     *
+     * Реестр кодирует субъект как ПОСЛЕДНИЙ сегмент после «|»
+     * (напр. «г. Воскресенск|р-н Воскресенский|Московская обл.» → «Московская обл.»),
+     * с сокращением «обл.» вместо «область» и рядом нестандартных форм (см. REGION_ALIASES).
+     * Безнадёжные/неоднозначные строки («-», «Российская Федерация»,
+     * «Москва и Московская область», «г.о. Тольятти») → null.
+     */
+    public static function canonicalRegionName(string $raw): ?string
+    {
+        $segment = self::lastRegionSegment($raw);
+        if ($segment === '') {
+            return null;
+        }
+
+        // ХМАО приходит в множестве форм (em-dash/дефис, «Югра», « АО», капитализация) —
+        // ловим по двум устойчивым маркерам до общих правил.
+        if (mb_stripos($segment, 'Ханты') !== false && mb_stripos($segment, 'Мансийск') !== false) {
+            return 'Ханты-Мансийский автономный округ — Югра';
+        }
+
+        if (isset(self::REGION_ALIASES[$segment])) {
+            return self::REGION_ALIASES[$segment];
+        }
+
+        // «обл.» → «область»; « АО» → « автономный округ».
+        $name = (string) preg_replace('/\s*обл\.$/u', ' область', $segment);
+        $name = (string) preg_replace('/\s+АО$/u', ' автономный округ', $name);
+        // Дефис с пробелами → длинное тире (эталон: «Республика Северная Осетия — Алания»).
+        // Безопасно: ни одно каноническое имя не содержит дефис, окружённый пробелами
+        // (составные имена вроде «Кабардино-Балкарская» используют дефис без пробелов).
+        $name = str_replace(' - ', ' — ', $name);
+
+        if (isset(self::nameToCode()[$name])) {
+            return $name;
+        }
+
+        // Перевёрнутый порядок «Республика X» → «X Республика» (Удмуртская/Чеченская/
+        // Чувашская/Кабардино-Балкарская/Карачаево-Черкесская, Донецкая Народная/
+        // Луганская Народная). Республика-first каноны (Татарстан, Карелия…) уже
+        // отловлены прямым попаданием выше.
+        if (preg_match('/^Республика\s+(.+)$/u', $name, $m) === 1) {
+            $reordered = trim($m[1]).' Республика';
+            if (isset(self::nameToCode()[$reordered])) {
+                return $reordered;
+            }
+        }
+
+        return null;
+    }
+
+    /** Резолвит строку региона реестра Россвязи в subject_code (1..89) или null. */
+    public static function resolveSubjectCode(string $raw): ?int
+    {
+        $name = self::canonicalRegionName($raw);
+
+        return $name === null ? null : (self::nameToCode()[$name] ?? null);
+    }
+
+    /** Последний сегмент после «|» (субъект в формате Россвязи), trimmed. */
+    private static function lastRegionSegment(string $raw): string
+    {
+        $parts = explode('|', $raw);
+
+        return trim((string) end($parts));
+    }
 }
@@ -38,6 +38,34 @@ final class WebhookUrlGuard
        return null;
    }

+    /**
+     * Один резолв хоста для доставки: причина блокировки И безопасный IP для
+     * пиннинга соединения. Закрывает DNS-rebind TOCTOU — блок-решение и адрес
+     * подключения берутся из ОДНОГО резолва, а не из двух независимых (как было
+     * бы при blockReason + повторный резолв в HTTP-клиенте).
+     *
+     * @return array{ip: string|null, blockReason: string|null}
+     */
+    public static function safeDeliveryIp(string $url): array
+    {
+        $host = parse_url($url, PHP_URL_HOST);
+        if (! is_string($host) || $host === '') {
+            return ['ip' => null, 'blockReason' => 'Некорректный URL webhook.'];
+        }
+        $host = trim($host, '[]');
+
+        $ips = self::resolve($host);
+        foreach ($ips as $ip) {
+            if (! self::isPublicIp($ip)) {
+                return ['ip' => null, 'blockReason' => 'URL webhook ведёт во внутреннюю/зарезервированную сеть — запрещено.'];
+            }
+        }
+
+        // Все записи публичны (или хост не резолвится → ip=null, пиннинг не
+        // применяется, запрос упадёт сам — как и в blockReason).
+        return ['ip' => $ips[0] ?? null, 'blockReason' => null];
+    }
+
    /** @return list<string> Все IP, в которые разрешается хост (пусто, если не разрешается). */
    private static function resolve(string $host): array
    {
@@ -1,6 +1,8 @@
 <?php

+use App\Http\Middleware\ApiKeyAuth;
 use App\Http\Middleware\EnsureSaasAdmin;
+use App\Http\Middleware\ImpersonationContext;
 use App\Http\Middleware\SetTenantContext;
 use Illuminate\Database\QueryException;
 use Illuminate\Foundation\Application;
@@ -24,8 +26,20 @@ return Application::configure(basePath: dirname(__DIR__))
        $middleware->alias([
            'tenant' => SetTenantContext::class,
            'saas-admin' => EnsureSaasAdmin::class,
+            'apikey' => ApiKeyAuth::class,
        ]);

+        $middleware->web(append: [
+            ImpersonationContext::class,
+        ]);
+
+        // Защитные HTTP-заголовки (CSP, X-Frame-Options, X-Content-Type-Options,
+        // Referrer-Policy, HSTS, Permissions-Policy, COOP/CORP) ставит nginx —
+        // единый источник: /etc/nginx/sites-available/liderra (add_header ... always).
+        // App-уровневый middleware SecurityHeaders удалён 18.06.2026: он дублировал
+        // те же заголовки, и на проде add_header always + PHP-заголовок давали дубль
+        // в ответе. CSP в nginx — enforcing (был Report-Only в middleware).
+
        // Webhook receive endpoint (POST /api/webhook/{token}) не должен требовать
        // CSRF — запросы приходят от внешних CRM-систем без сессии браузера.
        // Авторизация — через webhook_token в URL + (на prod) HMAC.
@@ -42,6 +42,13 @@ return [
            'driver' => 'session',
            'provider' => 'users',
        ],
+
+        // G7-B: guard для машинных ключей impersonation (lpimp_<id>_<secret>).
+        // Driver «impersonation» регистрируется через Auth::viaRequest в AppServiceProvider::boot.
+        // Используется в паре с auth:sanctum,impersonation на рабочих группах кабинета.
+        'impersonation' => [
+            'driver' => 'impersonation',
+        ],
    ],

    /*
@@ -1,5 +1,7 @@
 <?php

+use App\Logging\PiiScrubbingProcessor;
+use App\Logging\ScrubPii;
 use Monolog\Handler\NullHandler;
 use Monolog\Handler\StreamHandler;
 use Monolog\Handler\SyslogUdpHandler;
@@ -63,6 +65,8 @@ return [
            'path' => storage_path('logs/laravel.log'),
            'level' => env('LOG_LEVEL', 'debug'),
            'replace_placeholders' => true,
+            // PII-scrubbing: маскирует телефоны/email в записях laravel.log.
+            'tap' => [ScrubPii::class],
        ],

        'daily' => [
@@ -71,6 +75,8 @@ return [
            'level' => env('LOG_LEVEL', 'debug'),
            'days' => env('LOG_DAILY_DAYS', 14),
            'replace_placeholders' => true,
+            // PII-scrubbing: маскирует телефоны/email в записях laravel.log.
+            'tap' => [ScrubPii::class],
        ],

        'slack' => [
@@ -80,6 +86,8 @@ return [
            'emoji' => env('LOG_SLACK_EMOJI', ':boom:'),
            'level' => env('LOG_LEVEL', 'critical'),
            'replace_placeholders' => true,
+            // PII-scrubbing: маскирует телефоны/email в сообщениях в Slack.
+            'tap' => [ScrubPii::class],
        ],

        'papertrail' => [
@@ -91,7 +99,8 @@ return [
                'port' => env('PAPERTRAIL_PORT'),
                'connectionString' => 'tls://'.env('PAPERTRAIL_URL').':'.env('PAPERTRAIL_PORT'),
            ],
-            'processors' => [PsrLogMessageProcessor::class],
+            // PII-scrubbing добавлен после PsrLogMessageProcessor.
+            'processors' => [PsrLogMessageProcessor::class, PiiScrubbingProcessor::class],
        ],

        'stderr' => [
@@ -102,7 +111,8 @@ return [
                'stream' => 'php://stderr',
            ],
            'formatter' => env('LOG_STDERR_FORMATTER'),
-            'processors' => [PsrLogMessageProcessor::class],
+            // PII-scrubbing добавлен после PsrLogMessageProcessor.
+            'processors' => [PsrLogMessageProcessor::class, PiiScrubbingProcessor::class],
        ],

        'syslog' => [
@@ -35,6 +35,14 @@ return [
        ],
    ],

+    // Капча самозаписи (G1/SP1). driver=null → NullCaptchaVerifier (dev/test).
+    // Реальный Yandex SmartCaptcha подключается позже (SP3/ops).
+    'captcha' => [
+        'driver' => env('CAPTCHA_DRIVER', 'null'),
+        'fake_passes' => filter_var(env('CAPTCHA_FAKE_PASSES', true), FILTER_VALIDATE_BOOL),
+        'yandex_server_key' => env('YANDEX_SMARTCAPTCHA_SERVER_KEY'),
+    ],
+
    'supplier' => [
        'login' => env('SUPPLIER_LOGIN'),
        'password' => env('SUPPLIER_PASSWORD'),
@@ -53,6 +61,17 @@ return [
        'call_cost_kopecks' => (int) env('DADATA_CALL_COST_KOPECKS', 60), // ≈0.60 ₽/вызов, откалибровать по тарифу
        'enabled' => filter_var(env('LEAD_REGION_RESOLVER_ENABLED', false), FILTER_VALIDATE_BOOL),
        'cache_ttl_days' => (int) env('PHONE_REGION_CACHE_TTL_DAYS', 30),
+        // G1/SP2: подтяжка организации по ИНН (suggestions findById/party). Тот же api_key
+        // (Token), secret не нужен. Default false → NullPartyLookup (dev/тесты не ходят в сеть).
+        'party_enabled' => filter_var(env('DADATA_PARTY_ENABLED', false), FILTER_VALIDATE_BOOL),
+    ],
+
+    // G7-A: клиентская «Помощь».
+    'support' => [
+        'email' => env('SUPPORT_EMAIL', 'support@liderra.app'),
+    ],
+    'jivosite' => [
+        'widget_id' => env('JIVO_WIDGET_ID'),
    ],

 ];
@@ -1,55 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace Database\Factories;
-
-use App\Models\Reminder;
-use App\Models\Tenant;
-use App\Models\User;
-use Illuminate\Database\Eloquent\Factories\Factory;
-use Illuminate\Support\Carbon;
-
-/**
- * @extends Factory<Reminder>
- */
-class ReminderFactory extends Factory
-{
-    public function definition(): array
-    {
-        // remind_at +1 час по умолчанию (in future, неотправлено).
-        // Тесты для overdue/completed-flow явно ставят remind_at и completed_at.
-        $tenant = Tenant::factory();
-
-        return [
-            'tenant_id' => $tenant,
-            'deal_id' => fake()->numberBetween(1, 999999),  // deal_id без FK
-            'text' => fake()->sentence(),
-            'remind_at' => Carbon::now()->addHour(),
-            'created_by' => User::factory()->state(fn (array $attrs, Reminder $r) => ['tenant_id' => $r->tenant_id]),
-            'assignee_id' => null,
-            'is_sent' => false,
-        ];
-    }
-
-    public function overdue(): static
-    {
-        return $this->state(['remind_at' => Carbon::now()->subHours(2)]);
-    }
-
-    public function completed(): static
-    {
-        return $this->state([
-            'completed_at' => Carbon::now()->subMinutes(10),
-            'remind_at' => Carbon::now()->subHour(),
-        ]);
-    }
-
-    public function sent(): static
-    {
-        return $this->state([
-            'is_sent' => true,
-            'sent_at' => Carbon::now()->subMinute(),
-        ]);
-    }
-}
@@ -5,6 +5,7 @@ declare(strict_types=1);
 namespace Database\Factories;

 use App\Models\Tenant;
+use App\Models\TenantRequisites;
 use Illuminate\Database\Eloquent\Factories\Factory;
 use Illuminate\Support\Str;

@@ -28,4 +29,20 @@ class TenantFactory extends Factory
            'api_key_limit' => 5,
        ];
    }
+
+    /**
+     * G1/SP2: тенант с заполненными лёгкими реквизитами — проходит гейт первого
+     * проекта. Используется тестами, которые создают проекты у нового тенанта.
+     */
+    public function withRequisites(): static
+    {
+        return $this->afterCreating(function (Tenant $tenant): void {
+            TenantRequisites::create([
+                'tenant_id' => $tenant->id,
+                'subject_type' => 'individual',
+                'contact_name' => 'Test Contact',
+                'contact_phone' => '+79150000000',
+            ]);
+        });
+    }
 }
@@ -36,8 +36,7 @@ class UserFactory extends Factory
            // строку после INSERT, поэтому колонки с DB-DEFAULT'ами видны как
            // null на свежесозданной модели — нужно явно задать здесь.
            'notification_preferences' => [
-                'new_lead' => ['inapp' => true, 'push' => true, 'email' => false],
-                'reminder' => ['inapp' => true, 'push' => true, 'email' => true],
+                'new_lead' => ['inapp' => true, 'push' => true, 'email' => true],
                'low_balance' => ['email' => true],
                'zero_balance' => ['email' => true],
                'topup_success' => ['email' => true],
@@ -4,8 +4,8 @@ declare(strict_types=1);

 use Illuminate\Database\Migrations\Migration;
 use Illuminate\Database\Schema\Blueprint;
-use Illuminate\Support\Facades\Schema;
 use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Schema;

 return new class extends Migration
 {
@@ -5,7 +5,8 @@ declare(strict_types=1);
 use Illuminate\Database\Migrations\Migration;
 use Illuminate\Support\Facades\DB;

-return new class extends Migration {
+return new class extends Migration
+{
    public function up(): void
    {
        // SET ROLE crm_migrator для прода (postgres superuser может SET ROLE).
@@ -13,15 +14,15 @@ return new class extends Migration {
        try {
            DB::statement('SET ROLE crm_migrator');
            $canCreate = DB::selectOne("SELECT has_schema_privilege('crm_migrator', 'public', 'CREATE') AS ok");
-            if (!$canCreate || !$canCreate->ok) {
+            if (! $canCreate || ! $canCreate->ok) {
                DB::statement('RESET ROLE');
            }
-        } catch (\Throwable) {
+        } catch (Throwable) {
            // На окружениях без роли — продолжаем как postgres superuser.
        }

        DB::unprepared(<<<'SQL'
-            CREATE TABLE project_routing_snapshots (
+            CREATE TABLE IF NOT EXISTS project_routing_snapshots (
                snapshot_date      DATE        NOT NULL,
                project_id         BIGINT      NOT NULL,
                tenant_id          BIGINT      NOT NULL,
@@ -41,12 +42,15 @@ return new class extends Migration {
                --     а snapshot должен пережить (хвост слепка ещё летит).
            ) PARTITION BY RANGE (snapshot_date);

-            CREATE INDEX project_routing_snapshots_tenant_date_idx
+            CREATE INDEX IF NOT EXISTS project_routing_snapshots_tenant_date_idx
                ON project_routing_snapshots (tenant_id, snapshot_date);
-            CREATE INDEX project_routing_snapshots_signal_idx
+            CREATE INDEX IF NOT EXISTS project_routing_snapshots_signal_idx
                ON project_routing_snapshots (snapshot_date, signal_type, lower(signal_identifier));

            ALTER TABLE project_routing_snapshots ENABLE ROW LEVEL SECURITY;
+            -- Idempotent: drop policy first так как PG не знает CREATE POLICY IF NOT EXISTS,
+            -- а migrate:fresh (schema.sql уже создал политику) иначе упадёт.
+            DROP POLICY IF EXISTS project_routing_snapshots_tenant_isolation ON project_routing_snapshots;
            CREATE POLICY project_routing_snapshots_tenant_isolation
                ON project_routing_snapshots
                USING (tenant_id = current_setting('app.current_tenant_id', true)::bigint);
@@ -55,10 +59,10 @@ return new class extends Migration {
            GRANT SELECT, INSERT, UPDATE, DELETE ON project_routing_snapshots TO crm_supplier_worker;

            -- Партиция для текущего месяца (создаётся также через partitions:create-months).
-            CREATE TABLE project_routing_snapshots_y2026_m05
+            CREATE TABLE IF NOT EXISTS project_routing_snapshots_y2026_m05
                PARTITION OF project_routing_snapshots
                FOR VALUES FROM ('2026-05-01') TO ('2026-06-01');
-            CREATE TABLE project_routing_snapshots_y2026_m06
+            CREATE TABLE IF NOT EXISTS project_routing_snapshots_y2026_m06
                PARTITION OF project_routing_snapshots
                FOR VALUES FROM ('2026-06-01') TO ('2026-07-01');
        SQL);
@@ -83,10 +87,10 @@ return new class extends Migration {
        try {
            DB::statement('SET ROLE crm_migrator');
            $canCreate = DB::selectOne("SELECT has_schema_privilege('crm_migrator', 'public', 'CREATE') AS ok");
-            if (!$canCreate || !$canCreate->ok) {
+            if (! $canCreate || ! $canCreate->ok) {
                DB::statement('RESET ROLE');
            }
-        } catch (\Throwable) {
+        } catch (Throwable) {
            // На окружениях без роли — продолжаем как postgres superuser.
        }
        DB::statement('DROP TABLE IF EXISTS project_routing_snapshots CASCADE');
@@ -5,7 +5,8 @@ declare(strict_types=1);
 use Illuminate\Database\Migrations\Migration;
 use Illuminate\Support\Facades\DB;

-return new class extends Migration {
+return new class extends Migration
+{
    public function up(): void
    {
        // SET ROLE crm_migrator на проде (postgres superuser может SET ROLE).
@@ -14,16 +15,16 @@ return new class extends Migration {
        try {
            DB::statement('SET ROLE crm_migrator');
            $canCreate = DB::selectOne("SELECT has_schema_privilege('crm_migrator', 'public', 'CREATE') AS ok");
-            if (!$canCreate || !$canCreate->ok) {
+            if (! $canCreate || ! $canCreate->ok) {
                DB::statement('RESET ROLE');
            }
-        } catch (\Throwable) {
+        } catch (Throwable) {
            // окружение без роли — продолжаем как superuser
        }

        DB::unprepared(<<<'SQL'
            -- 1. phone_ranges_imports (журнал импортов; на него FK из phone_ranges, создаём первым)
-            CREATE TABLE phone_ranges_imports (
+            CREATE TABLE IF NOT EXISTS phone_ranges_imports (
                id              BIGSERIAL PRIMARY KEY,
                imported_at     TIMESTAMPTZ NOT NULL DEFAULT NOW(),
                source_url      TEXT NOT NULL,
@@ -39,7 +40,7 @@ return new class extends Migration {
                'Журнал импортов реестра Россвязи (idempotency по checksum_sha256, atomic-swap откат).';

            -- 2. phone_ranges (реестр диапазонов Россвязи; SaaS-level, без RLS — публичные данные)
-            CREATE TABLE phone_ranges (
+            CREATE TABLE IF NOT EXISTS phone_ranges (
                id                BIGSERIAL PRIMARY KEY,
                def_code          SMALLINT NOT NULL,
                from_num          BIGINT NOT NULL,
@@ -54,14 +55,14 @@ return new class extends Migration {
                CONSTRAINT chk_phone_ranges_subject_code CHECK (subject_code IS NULL OR subject_code BETWEEN 1 AND 89),
                CONSTRAINT chk_phone_ranges_range_valid CHECK (from_num <= to_num)
            );
-            CREATE INDEX idx_phone_ranges_lookup ON phone_ranges (def_code, from_num, to_num);
+            CREATE INDEX IF NOT EXISTS idx_phone_ranges_lookup ON phone_ranges (def_code, from_num, to_num);
            COMMENT ON TABLE phone_ranges IS
                'Реестр диапазонов нумерации Россвязи (rossvyaz.gov.ru). Локальный fallback для LeadRegionResolver. Обновляется ежемесячным cron-импортом.';

            GRANT SELECT ON phone_ranges, phone_ranges_imports TO crm_app_user, crm_supplier_worker;

            -- 3. lead_region_resolution_log (SaaS-level, партиционирован по received_at, паттерн activity_log)
-            CREATE TABLE lead_region_resolution_log (
+            CREATE TABLE IF NOT EXISTS lead_region_resolution_log (
                id                       BIGSERIAL,
                supplier_lead_id         BIGINT NOT NULL,
                received_at              TIMESTAMPTZ NOT NULL,
@@ -88,8 +89,8 @@ return new class extends Migration {
                PRIMARY KEY (id, received_at)
            ) PARTITION BY RANGE (received_at);

-            CREATE INDEX idx_lrrl_lead_id ON lead_region_resolution_log (supplier_lead_id);
-            CREATE INDEX idx_lrrl_source ON lead_region_resolution_log (region_source, received_at);
+            CREATE INDEX IF NOT EXISTS idx_lrrl_lead_id ON lead_region_resolution_log (supplier_lead_id);
+            CREATE INDEX IF NOT EXISTS idx_lrrl_source ON lead_region_resolution_log (region_source, received_at);
            COMMENT ON TABLE lead_region_resolution_log IS
                'Аудит каждого резолва региона лида (источник, qc, оператор, шаг каскада). Партиции помесячно по received_at (MonthlyPartitionManager).';

@@ -97,26 +98,26 @@ return new class extends Migration {
            GRANT SELECT ON lead_region_resolution_log TO crm_app_user;

            -- Стартовые партиции (далее их подхватывает partitions:create-months после Task 1.2).
-            CREATE TABLE lead_region_resolution_log_y2026_m05
+            CREATE TABLE IF NOT EXISTS lead_region_resolution_log_y2026_m05
                PARTITION OF lead_region_resolution_log
                FOR VALUES FROM ('2026-05-01') TO ('2026-06-01');
-            CREATE TABLE lead_region_resolution_log_y2026_m06
+            CREATE TABLE IF NOT EXISTS lead_region_resolution_log_y2026_m06
                PARTITION OF lead_region_resolution_log
                FOR VALUES FROM ('2026-06-01') TO ('2026-07-01');

            -- 4. supplier_leads: +4 колонки (denormalized display + persistent idempotency для retry).
            ALTER TABLE supplier_leads
-                ADD COLUMN resolved_subject_code SMALLINT
+                ADD COLUMN IF NOT EXISTS resolved_subject_code SMALLINT
                    CHECK (resolved_subject_code IS NULL OR resolved_subject_code BETWEEN 1 AND 89),
-                ADD COLUMN region_source TEXT
+                ADD COLUMN IF NOT EXISTS region_source TEXT
                    CHECK (region_source IN ('dadata','rossvyaz','tag','unknown')),
-                ADD COLUMN dadata_qc SMALLINT,
-                ADD COLUMN phone_operator TEXT;
+                ADD COLUMN IF NOT EXISTS dadata_qc SMALLINT,
+                ADD COLUMN IF NOT EXISTS phone_operator TEXT;

            -- 5. deals: +2 колонки (UI-карточка + флаг подмены региона).
            ALTER TABLE deals
-                ADD COLUMN phone_operator TEXT,
-                ADD COLUMN region_substituted BOOLEAN NOT NULL DEFAULT FALSE;
+                ADD COLUMN IF NOT EXISTS phone_operator TEXT,
+                ADD COLUMN IF NOT EXISTS region_substituted BOOLEAN NOT NULL DEFAULT FALSE;
        SQL);

        // Регистрация retention для lead_region_resolution_log (system_settings, 12 месяцев ≈ 365 дней).
@@ -139,10 +140,10 @@ return new class extends Migration {
        try {
            DB::statement('SET ROLE crm_migrator');
            $canCreate = DB::selectOne("SELECT has_schema_privilege('crm_migrator', 'public', 'CREATE') AS ok");
-            if (!$canCreate || !$canCreate->ok) {
+            if (! $canCreate || ! $canCreate->ok) {
                DB::statement('RESET ROLE');
            }
-        } catch (\Throwable) {
+        } catch (Throwable) {
            // окружение без роли — продолжаем как superuser
        }

@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Support\Facades\DB;
+
+/**
+ * F-P1 (152-ФЗ ретеншен): частичный индекс по deals.deleted_at для дешёвой
+ * выборки soft-deleted сделок командой pd:scrub-soft-deleted-deals.
+ *
+ * Партиционированная deals — индекс на parent распространяется на все партиции.
+ * Частичный (WHERE deleted_at IS NOT NULL) — покрывает только удалённые строки
+ * (малое подмножество), не раздувает индекс для живых сделок.
+ */
+return new class extends Migration
+{
+    public function up(): void
+    {
+        DB::statement(
+            'CREATE INDEX IF NOT EXISTS deals_deleted_at_index '
+            .'ON deals (deleted_at) WHERE deleted_at IS NOT NULL'
+        );
+    }
+
+    public function down(): void
+    {
+        DB::statement('DROP INDEX IF EXISTS deals_deleted_at_index');
+    }
+};
@@ -0,0 +1,45 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Support\Facades\DB;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        // DDL через pgsql_supplier (урок Спека B — prod-роли + избегаем deadlock смешивания
+        // соединений). На dev pgsql_supplier = postgres superuser, на prod — crm_supplier_worker.
+        $supplier = DB::connection('pgsql_supplier');
+
+        $supplier->statement('ALTER TABLE email_verifications ADD COLUMN IF NOT EXISTS code_hash VARCHAR(255)');
+        $supplier->statement('ALTER TABLE email_verifications ADD COLUMN IF NOT EXISTS failed_attempts SMALLINT NOT NULL DEFAULT 0');
+
+        // tenants.status был VARCHAR(20), но CHECK допускает 'pending_email_confirm' (21 симв.) —
+        // латентный дефект: значение не влезало в колонку. Самозапись (G1/SP1) первой реально
+        // ставит этот статус, поэтому расширяем до VARCHAR(30). Идемпотентно (повторный ALTER TYPE — no-op).
+        $supplier->statement('ALTER TABLE tenants ALTER COLUMN status TYPE VARCHAR(30)');
+
+        // Самозапись пишет/читает email_verifications через BYPASSRLS-роль (нет tenant-GUC
+        // на публичном роуте). Гарантируем права на проде (на dev — superuser, no-op).
+        foreach (['crm_app_user', 'crm_supplier_worker', 'crm_migrator', 'crm_admin_user'] as $role) {
+            $supplier->statement(<<<SQL
+                DO \$\$
+                BEGIN
+                    IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '{$role}') THEN
+                        GRANT SELECT, INSERT, UPDATE ON email_verifications TO {$role};
+                    END IF;
+                END
+                \$\$
+            SQL);
+        }
+    }
+
+    public function down(): void
+    {
+        $supplier = DB::connection('pgsql_supplier');
+        $supplier->statement('ALTER TABLE email_verifications DROP COLUMN IF EXISTS failed_attempts');
+        $supplier->statement('ALTER TABLE email_verifications DROP COLUMN IF EXISTS code_hash');
+    }
+};
@@ -0,0 +1,72 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Support\Facades\DB;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        // DDL через pgsql_supplier (урок SP1: prod-роли + избегаем deadlock смешивания соединений).
+        // На dev/testing pgsql_supplier = postgres superuser, на prod — crm_supplier_worker.
+        $supplier = DB::connection('pgsql_supplier');
+
+        $supplier->unprepared(<<<'SQL'
+            CREATE TABLE IF NOT EXISTS tenant_requisites (
+                id                       BIGSERIAL PRIMARY KEY,
+                tenant_id                BIGINT NOT NULL UNIQUE REFERENCES tenants(id) ON DELETE CASCADE,
+                subject_type             VARCHAR(20) NOT NULL
+                                         CHECK (subject_type IN ('individual','sole_proprietor','legal_entity')),
+                contact_name             VARCHAR(255) NOT NULL,
+                contact_phone            VARCHAR(16)  NOT NULL,
+                inn                      VARCHAR(12),
+                legal_name               VARCHAR(255),
+                kpp                      VARCHAR(9),
+                ogrn                     VARCHAR(15),
+                legal_address            TEXT,
+                bank_name                VARCHAR(255),
+                bank_bik                 VARCHAR(9),
+                bank_account             VARCHAR(20),
+                corr_account             VARCHAR(20),
+                dadata_raw               JSONB,
+                dadata_synced_at         TIMESTAMPTZ,
+                requisites_completed_at  TIMESTAMPTZ,
+                created_at               TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+                updated_at               TIMESTAMPTZ
+            );
+
+            ALTER TABLE tenant_requisites ENABLE ROW LEVEL SECURITY;
+            -- migrate:fresh грузит schema.sql первой миграцией (где политика уже есть);
+            -- PostgreSQL не поддерживает CREATE POLICY IF NOT EXISTS → дроп-перед-создание.
+            DROP POLICY IF EXISTS tenant_requisites_tenant_isolation ON tenant_requisites;
+            CREATE POLICY tenant_requisites_tenant_isolation
+                ON tenant_requisites
+                USING (tenant_id = current_setting('app.current_tenant_id', true)::bigint)
+                WITH CHECK (tenant_id = current_setting('app.current_tenant_id', true)::bigint);
+        SQL);
+
+        // GRANT-ы под прод-роли (на dev — superuser, роли могут отсутствовать → guard по pg_roles).
+        foreach (['crm_app_user', 'crm_supplier_worker', 'crm_admin_user'] as $role) {
+            $grant = $role === 'crm_supplier_worker'
+                ? 'SELECT, INSERT, UPDATE, DELETE'
+                : 'SELECT, INSERT, UPDATE';
+            $supplier->statement(<<<SQL
+                DO \$\$
+                BEGIN
+                    IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '{$role}') THEN
+                        GRANT {$grant} ON tenant_requisites TO {$role};
+                        GRANT USAGE, SELECT ON SEQUENCE tenant_requisites_id_seq TO {$role};
+                    END IF;
+                END
+                \$\$
+            SQL);
+        }
+    }
+
+    public function down(): void
+    {
+        DB::connection('pgsql_supplier')->statement('DROP TABLE IF EXISTS tenant_requisites CASCADE');
+    }
+};
@@ -0,0 +1,66 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Support\Facades\DB;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        // DDL/data через pgsql_supplier (как add_code_fields_to_email_verifications):
+        // на dev = postgres superuser, на prod = crm_supplier_worker (BYPASSRLS) —
+        // UPDATE users под RLS проходит без tenant-GUC.
+        $supplier = DB::connection('pgsql_supplier');
+
+        $default = <<<'JSON'
+{
+  "new_lead":         {"inapp": true,  "push": true,  "email": true},
+  "reminder":         {"inapp": true,  "push": true,  "email": true},
+  "low_balance":      {"email": true},
+  "zero_balance":     {"email": true},
+  "topup_success":    {"email": true},
+  "invoice_paid":     {"email": true},
+  "new_device_login": {"email": true},
+  "marketing":        {"email": false}
+}
+JSON;
+
+        $supplier->statement(
+            "ALTER TABLE users ALTER COLUMN notification_preferences SET DEFAULT '".$default."'::jsonb"
+        );
+
+        // Дотяжка существующих: точечно (jsonb_set), только живые, только текущие false.
+        $supplier->statement(<<<'SQL'
+            UPDATE users
+               SET notification_preferences = jsonb_set(notification_preferences, '{new_lead,email}', 'true'::jsonb)
+             WHERE deleted_at IS NULL
+               AND notification_preferences #> '{new_lead,email}' = 'false'::jsonb
+            SQL);
+    }
+
+    public function down(): void
+    {
+        // Возвращаем только DEFAULT. Дотяжку назад НЕ откатываем: после флипа
+        // «исходный false» и выставленный нами «true» неразличимы — откат был бы догадкой.
+        $supplier = DB::connection('pgsql_supplier');
+
+        $old = <<<'JSON'
+{
+  "new_lead":         {"inapp": true,  "push": true,  "email": false},
+  "reminder":         {"inapp": true,  "push": true,  "email": true},
+  "low_balance":      {"email": true},
+  "zero_balance":     {"email": true},
+  "topup_success":    {"email": true},
+  "invoice_paid":     {"email": true},
+  "new_device_login": {"email": true},
+  "marketing":        {"email": false}
+}
+JSON;
+
+        $supplier->statement(
+            "ALTER TABLE users ALTER COLUMN notification_preferences SET DEFAULT '".$old."'::jsonb"
+        );
+    }
+};
@@ -0,0 +1,71 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        // G3: фича «Напоминания» удалена из продукта. RLS-политика и индексы
+        // (idx_reminders_*) уходят каскадом вместе с таблицей.
+        Schema::dropIfExists('reminders');
+    }
+
+    public function down(): void
+    {
+        DB::statement(<<<'SQL'
+        CREATE TABLE reminders (
+            id              BIGSERIAL PRIMARY KEY,
+            tenant_id       BIGINT NOT NULL REFERENCES tenants(id) ON DELETE CASCADE,
+            deal_id         BIGINT NOT NULL,                       -- БЕЗ FK (deals партиционирована)
+            text            VARCHAR(255),                          -- = note в оригинале, лимит 255
+            remind_at       TIMESTAMPTZ NOT NULL,
+            created_by      BIGINT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+                                                                   -- = histories[].from в оригинале
+            assignee_id     BIGINT REFERENCES users(id),           -- зарезервировано (= to, всегда NULL
+                                                                   -- в оригинале, наше расширение Post-MVP)
+            completed_at    TIMESTAMPTZ,                           -- NULL = активное; not NULL = выполнено
+                                                                   -- (наше расширение, в оригинале нет)
+            is_sent         BOOLEAN DEFAULT FALSE,                 -- для cron уведомлений
+            sent_at         TIMESTAMPTZ,
+            created_at      TIMESTAMPTZ DEFAULT NOW(),
+            updated_at      TIMESTAMPTZ
+        );
+        SQL);
+
+        DB::statement(<<<'SQL'
+        CREATE INDEX idx_reminders_due
+            ON reminders(remind_at)
+            WHERE is_sent = FALSE AND completed_at IS NULL;
+        SQL);
+
+        DB::statement(<<<'SQL'
+        CREATE INDEX idx_reminders_deal
+            ON reminders(deal_id);
+        SQL);
+
+        DB::statement(<<<'SQL'
+        CREATE INDEX idx_reminders_tenant_user_active
+            ON reminders(tenant_id, created_by, remind_at)
+            WHERE completed_at IS NULL;
+        SQL);
+
+        DB::statement(<<<'SQL'
+        CREATE INDEX idx_reminders_tenant_active
+            ON reminders(tenant_id, remind_at)
+            WHERE completed_at IS NULL;
+        SQL);
+
+        DB::statement(<<<'SQL'
+        ALTER TABLE reminders ENABLE ROW LEVEL SECURITY;
+        SQL);
+
+        DB::statement(<<<'SQL'
+        CREATE POLICY tenant_isolation ON reminders USING (tenant_id = current_setting('app.current_tenant_id')::bigint);
+        SQL);
+    }
+};
@@ -0,0 +1,51 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Support\Facades\DB;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        $supplier = DB::connection('pgsql_supplier');
+
+        $supplier->statement(<<<'SQL'
+            CREATE TABLE IF NOT EXISTS support_requests (
+                id         BIGSERIAL PRIMARY KEY,
+                tenant_id  BIGINT NOT NULL REFERENCES tenants(id) ON DELETE CASCADE,
+                user_id    BIGINT NOT NULL REFERENCES users(id),
+                name       VARCHAR(255) NOT NULL,
+                contact    VARCHAR(255) NOT NULL,
+                message    TEXT NOT NULL,
+                created_at TIMESTAMPTZ NOT NULL DEFAULT now()
+            )
+        SQL);
+        $supplier->statement('CREATE INDEX IF NOT EXISTS idx_support_requests_tenant ON support_requests (tenant_id, created_at DESC)');
+        $supplier->statement('ALTER TABLE support_requests ENABLE ROW LEVEL SECURITY');
+        // PG не поддерживает CREATE POLICY IF NOT EXISTS → дроп-перед-создание (идемпотентность к schema.sql).
+        $supplier->statement('DROP POLICY IF EXISTS support_requests_tenant_isolation ON support_requests');
+        $supplier->statement(<<<'SQL'
+            CREATE POLICY support_requests_tenant_isolation ON support_requests
+                USING (tenant_id = current_setting('app.current_tenant_id', true)::bigint)
+        SQL);
+        foreach (['crm_app_user', 'crm_supplier_worker'] as $role) {
+            $supplier->statement(<<<SQL
+                DO \$\$
+                BEGIN
+                    IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '{$role}') THEN
+                        GRANT SELECT, INSERT ON support_requests TO {$role};
+                        GRANT USAGE, SELECT ON SEQUENCE support_requests_id_seq TO {$role};
+                    END IF;
+                END
+                \$\$
+            SQL);
+        }
+    }
+
+    public function down(): void
+    {
+        DB::connection('pgsql_supplier')->statement('DROP TABLE IF EXISTS support_requests CASCADE');
+    }
+};
@@ -0,0 +1,19 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Support\Facades\DB;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        DB::statement('ALTER TABLE impersonation_tokens ADD COLUMN IF NOT EXISTS session_token_hash VARCHAR(255)');
+    }
+
+    public function down(): void
+    {
+        DB::statement('ALTER TABLE impersonation_tokens DROP COLUMN IF EXISTS session_token_hash');
+    }
+};
@@ -48,7 +48,6 @@ class DemoSeeder extends Seeder
                'email_verified_at' => now(),
                'notification_preferences' => [
                    'new_lead' => ['inapp' => true, 'push' => true, 'email' => false],
-                    'reminder' => ['inapp' => true, 'push' => true, 'email' => true],
                    'low_balance' => ['email' => true],
                    'zero_balance' => ['email' => true],
                    'topup_success' => ['email' => true],
@@ -1,5 +1,11 @@
 parameters:
 	ignoreErrors:
+		-
+			message: '#^Parameter \#1 \$array \(non\-empty\-list\<string\>\) of array_values is already a list, call has no effect\.$#'
+			identifier: arrayValues.list
+			count: 1
+			path: app/Console/Commands/PhoneRangesImportCommand.php
+
 		-
 			message: '#^Access to an undefined property App\\Models\\Tenant\:\:\$tariff_name\.$#'
 			identifier: property.notFound
@@ -42,12 +48,6 @@ parameters:
 			count: 1
 			path: app/Http/Controllers/Api/AdminTenantsController.php

-		-
-			message: '#^Access to an undefined property App\\Models\\Deal\:\:\$next_reminder_at\.$#'
-			identifier: property.notFound
-			count: 1
-			path: app/Http/Controllers/Api/DealController.php
-
 		-
 			message: '#^Using nullsafe method call on non\-nullable type Illuminate\\Support\\Carbon\. Use \-\> instead\.$#'
 			identifier: nullsafe.neverNull
@@ -72,12 +72,6 @@ parameters:
 			count: 1
 			path: app/Http/Controllers/Api/DealExportController.php

-		-
-			message: '#^Using nullsafe method call on non\-nullable type Illuminate\\Support\\Carbon\. Use \-\> instead\.$#'
-			identifier: nullsafe.neverNull
-			count: 1
-			path: app/Http/Controllers/Api/ReminderController.php
-
 		-
 			message: '#^Strict comparison using \!\=\= between int and null will always evaluate to true\.$#'
 			identifier: notIdentical.alwaysTrue
@@ -90,6 +84,18 @@ parameters:
 			count: 1
 			path: app/Http/Resources/ProjectResource.php

+		-
+			message: '#^Parameter \#1 \$array \(non\-empty\-list\<int\>\) of array_values is already a list, call has no effect\.$#'
+			identifier: arrayValues.list
+			count: 1
+			path: app/Jobs/RouteSupplierLeadJob.php
+
+		-
+			message: '#^Strict comparison using \!\=\= between App\\Models\\Project and null will always evaluate to true\.$#'
+			identifier: notIdentical.alwaysTrue
+			count: 1
+			path: app/Jobs/RouteSupplierLeadJob.php
+
 		-
 			message: '#^Parameter \#1 \$array \(non\-empty\-list\<int\>\) of array_values is already a list, call has no effect\.$#'
 			identifier: arrayValues.list
@@ -108,6 +114,18 @@ parameters:
 			count: 2
 			path: app/Mail/NewLeadNotification.php

+		-
+			message: '#^Call to function is_array\(\) with array\<mixed\> will always evaluate to true\.$#'
+			identifier: function.alreadyNarrowedType
+			count: 1
+			path: app/Services/LeadRegionResolver.php
+
+		-
+			message: '#^Access to an undefined property App\\Models\\Project\:\:\$snapshot_daily_limit\.$#'
+			identifier: property.notFound
+			count: 1
+			path: app/Services/LeadRouter.php
+
 		-
 			message: '#^Call to function is_array\(\) with array\<mixed\> will always evaluate to true\.$#'
 			identifier: function.alreadyNarrowedType
@@ -145,88 +163,10 @@ parameters:
 			path: app/Services/Supplier/Channel/AjaxProjectChannel.php

 		-
-			message: '#^Class NunoMaduro\\PhpInsights\\Domain\\Insights\\ForbiddenDefineFunctions not found\.$#'
-			identifier: class.notFound
+			message: '#^Offset non\-empty\-string on array\{\} on left side of \?\? does not exist\.$#'
+			identifier: nullCoalesce.offset
 			count: 1
-			path: config/insights.php
-
-		-
-			message: '#^Class NunoMaduro\\PhpInsights\\Domain\\Insights\\ForbiddenFinalClasses not found\.$#'
-			identifier: class.notFound
-			count: 1
-			path: config/insights.php
-
-		-
-			message: '#^Class NunoMaduro\\PhpInsights\\Domain\\Insights\\ForbiddenNormalClasses not found\.$#'
-			identifier: class.notFound
-			count: 1
-			path: config/insights.php
-
-		-
-			message: '#^Class NunoMaduro\\PhpInsights\\Domain\\Insights\\ForbiddenPrivateMethods not found\.$#'
-			identifier: class.notFound
-			count: 1
-			path: config/insights.php
-
-		-
-			message: '#^Class NunoMaduro\\PhpInsights\\Domain\\Insights\\ForbiddenTraits not found\.$#'
-			identifier: class.notFound
-			count: 1
-			path: config/insights.php
-
-		-
-			message: '#^Class NunoMaduro\\PhpInsights\\Domain\\Insights\\SyntaxCheck not found\.$#'
-			identifier: class.notFound
-			count: 1
-			path: config/insights.php
-
-		-
-			message: '#^Class NunoMaduro\\PhpInsights\\Domain\\Metrics\\Architecture\\Classes not found\.$#'
-			identifier: class.notFound
-			count: 1
-			path: config/insights.php
-
-		-
-			message: '#^Class SlevomatCodingStandard\\Sniffs\\Commenting\\UselessFunctionDocCommentSniff not found\.$#'
-			identifier: class.notFound
-			count: 1
-			path: config/insights.php
-
-		-
-			message: '#^Class SlevomatCodingStandard\\Sniffs\\Namespaces\\AlphabeticallySortedUsesSniff not found\.$#'
-			identifier: class.notFound
-			count: 1
-			path: config/insights.php
-
-		-
-			message: '#^Class SlevomatCodingStandard\\Sniffs\\TypeHints\\DeclareStrictTypesSniff not found\.$#'
-			identifier: class.notFound
-			count: 1
-			path: config/insights.php
-
-		-
-			message: '#^Class SlevomatCodingStandard\\Sniffs\\TypeHints\\DisallowMixedTypeHintSniff not found\.$#'
-			identifier: class.notFound
-			count: 1
-			path: config/insights.php
-
-		-
-			message: '#^Class SlevomatCodingStandard\\Sniffs\\TypeHints\\ParameterTypeHintSniff not found\.$#'
-			identifier: class.notFound
-			count: 1
-			path: config/insights.php
-
-		-
-			message: '#^Class SlevomatCodingStandard\\Sniffs\\TypeHints\\PropertyTypeHintSniff not found\.$#'
-			identifier: class.notFound
-			count: 1
-			path: config/insights.php
-
-		-
-			message: '#^Class SlevomatCodingStandard\\Sniffs\\TypeHints\\ReturnTypeHintSniff not found\.$#'
-			identifier: class.notFound
-			count: 1
-			path: config/insights.php
+			path: app/Support/DaDataRegionMap.php

 		-
 			message: '#^Return type \(array\<string, mixed\>\) of method Database\\Factories\\BalanceTransactionFactory\:\:definition\(\) should be compatible with return type \(array\<model property of App\\Models\\BalanceTransaction, mixed\>\) of method Illuminate\\Database\\Eloquent\\Factories\\Factory\<App\\Models\\BalanceTransaction\>\:\:definition\(\)$#'
@@ -240,12 +180,6 @@ parameters:
 			count: 1
 			path: database/factories/ProjectFactory.php

-		-
-			message: '#^Parameter \#1 \$state of method Illuminate\\Database\\Eloquent\\Factories\\Factory\<App\\Models\\User\>\:\:state\(\) expects array\<string, mixed\>\|\(callable\(array\<string, mixed\>, Illuminate\\Database\\Eloquent\\Model\|null\)\: array\<string, mixed\>\), Closure\(array, App\\Models\\Reminder\)\: array\{tenant_id\: int\} given\.$#'
-			identifier: argument.type
-			count: 1
-			path: database/factories/ReminderFactory.php
-
 		-
 			message: '#^Parameter \#1 \$state of method Illuminate\\Database\\Eloquent\\Factories\\Factory\<App\\Models\\User\>\:\:state\(\) expects array\<string, mixed\>\|\(callable\(array\<string, mixed\>, Illuminate\\Database\\Eloquent\\Model\|null\)\: array\<string, mixed\>\), Closure\(array, App\\Models\\ReportJob\)\: array\{tenant_id\: int\} given\.$#'
 			identifier: argument.type
@@ -276,12 +210,6 @@ parameters:
 			count: 1
 			path: routes/console.php

-		-
-			message: '#^Trait Tests\\Concerns\\SharesSupplierPdo is used zero times and is not analysed\.$#'
-			identifier: trait.unused
-			count: 1
-			path: tests/Concerns/SharesSupplierPdo.php
-
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
 			identifier: method.notFound
@@ -354,6 +282,54 @@ parameters:
 			count: 8
 			path: tests/Feature/Admin/AdminTenantBalanceUpdateTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:assertAuthenticatedAs\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Admin/ImpersonationDoorTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:getJson\(\)\.$#'
+			identifier: method.notFound
+			count: 4
+			path: tests/Feature/Admin/ImpersonationDoorTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:postJson\(\)\.$#'
+			identifier: method.notFound
+			count: 8
+			path: tests/Feature/Admin/ImpersonationDoorTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:travel\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Admin/ImpersonationDoorTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Admin/ImpersonationMachineTokenTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:withHeader\(\)\.$#'
+			identifier: method.notFound
+			count: 5
+			path: tests/Feature/Admin/ImpersonationMachineTokenTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\|Pest\\Support\\HigherOrderTapProxy\:\:flushSession\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Admin/ImpersonationMachineTokenTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\|Pest\\Support\\HigherOrderTapProxy\:\:postJson\(\)\.$#'
+			identifier: method.notFound
+			count: 2
+			path: tests/Feature/Admin/ImpersonationMachineTokenTest.php
+
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
 			identifier: method.notFound
@@ -528,6 +504,12 @@ parameters:
 			count: 15
 			path: tests/Feature/Api/ProjectBulkActionsTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:getJson\(\)\.$#'
+			identifier: method.notFound
+			count: 7
+			path: tests/Feature/Api/V1/PublicDealsApiTest.php
+
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
 			identifier: property.notFound
@@ -583,15 +565,15 @@ parameters:
 			path: tests/Feature/Audit/OperationalFullFlowTest.php

 		-
-			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:postJson\(\)\.$#'
-			identifier: method.notFound
-			count: 1
-			path: tests/Feature/Audit/OperationalFullFlowTest.php
+			message: '#^Access to an undefined property Pest\\Mixins\\Expectation\<string\|null\>\:\:\$not\.$#'
+			identifier: property.notFound
+			count: 2
+			path: tests/Feature/Audit/VerifyAuditChainsTest.php

 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
 			identifier: property.notFound
-			count: 9
+			count: 8
 			path: tests/Feature/Auth/AuthControllerTest.php

 		-
@@ -603,7 +585,7 @@ parameters:
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:postJson\(\)\.$#'
 			identifier: method.notFound
-			count: 14
+			count: 10
 			path: tests/Feature/Auth/AuthControllerTest.php

 		-
@@ -624,6 +606,12 @@ parameters:
 			count: 21
 			path: tests/Feature/Auth/AuthLogCoverageTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:postJson\(\)\.$#'
+			identifier: method.notFound
+			count: 2
+			path: tests/Feature/Auth/AuthRouteThrottleTest.php
+
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
 			identifier: property.notFound
@@ -720,6 +708,18 @@ parameters:
 			count: 5
 			path: tests/Feature/Auth/RecoveryCodeTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:getJson\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Auth/RegistrationTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:postJson\(\)\.$#'
+			identifier: method.notFound
+			count: 23
+			path: tests/Feature/Auth/RegistrationTest.php
+
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
 			identifier: property.notFound
@@ -1020,6 +1020,12 @@ parameters:
 			count: 4
 			path: tests/Feature/Console/CheckSupplierWebhookSecretCommandTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:artisan\(\)\.$#'
+			identifier: method.notFound
+			count: 4
+			path: tests/Feature/Console/DealsBackfillRegionCityCommandTest.php
+
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:artisan\(\)\.$#'
 			identifier: method.notFound
@@ -1032,6 +1038,18 @@ parameters:
 			count: 6
 			path: tests/Feature/Console/PartitionsDropExpiredTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:artisan\(\)\.$#'
+			identifier: method.notFound
+			count: 6
+			path: tests/Feature/Console/PhoneRangesImportCommandTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:artisan\(\)\.$#'
+			identifier: method.notFound
+			count: 2
+			path: tests/Feature/Console/PhoneRegionSmokeCommandTest.php
+
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:artisan\(\)\.$#'
 			identifier: method.notFound
@@ -1077,7 +1095,13 @@ parameters:
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:getJson\(\)\.$#'
 			identifier: method.notFound
-			count: 8
+			count: 10
+			path: tests/Feature/DashboardSummaryTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:seed\(\)\.$#'
+			identifier: method.notFound
+			count: 1
 			path: tests/Feature/DashboardSummaryTest.php

 		-
@@ -1299,13 +1323,13 @@ parameters:
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$project\.$#'
 			identifier: property.notFound
-			count: 6
+			count: 9
 			path: tests/Feature/DealShowTest.php

 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
 			identifier: property.notFound
-			count: 20
+			count: 27
 			path: tests/Feature/DealShowTest.php

 		-
@@ -1323,7 +1347,7 @@ parameters:
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:getJson\(\)\.$#'
 			identifier: method.notFound
-			count: 10
+			count: 13
 			path: tests/Feature/DealShowTest.php

 		-
@@ -1518,6 +1542,108 @@ parameters:
 			count: 1
 			path: tests/Feature/Http/Webhook/SupplierWebhookValidationFormatTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:call\(\)\.$#'
+			identifier: method.notFound
+			count: 3
+			path: tests/Feature/Http/Webhook/WebhookHardeningTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:postJson\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Http/Webhook/WebhookHardeningTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:artisan\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Imitation/ImitationSeedCommandTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:seed\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Imitation/LeadInjectorTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:seed\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Imitation/ScenarioA_WeightedLotteryTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:seed\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Imitation/ScenarioBC_RegionCascadeTest.php
+
+		-
+			message: '#^Using nullsafe property access "\?\-\>region_source" on left side of \?\? is unnecessary\. Use \-\> instead\.$#'
+			identifier: nullsafe.neverNull
+			count: 1
+			path: tests/Feature/Imitation/ScenarioBC_RegionCascadeTest.php
+
+		-
+			message: '#^Using nullsafe property access "\?\-\>routing_step" on left side of \?\? is unnecessary\. Use \-\> instead\.$#'
+			identifier: nullsafe.neverNull
+			count: 4
+			path: tests/Feature/Imitation/ScenarioBC_RegionCascadeTest.php
+
+		-
+			message: '#^Using nullsafe property access "\?\-\>subject_code_resolved" on left side of \?\? is unnecessary\. Use \-\> instead\.$#'
+			identifier: nullsafe.neverNull
+			count: 4
+			path: tests/Feature/Imitation/ScenarioBC_RegionCascadeTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:seed\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Imitation/ScenarioD_DeliveryDaysTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:seed\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Imitation/ScenarioEF_FreezeLimitTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:seed\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Imitation/ScenarioG3_OrphanLeadTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:postJson\(\)\.$#'
+			identifier: method.notFound
+			count: 4
+			path: tests/Feature/Imitation/ScenarioG5G6_SpecialLeadsTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:seed\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Imitation/ScenarioX1X3_SubstitutionJournalTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:seed\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Imitation/SnapshotForgeTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:postJson\(\)\.$#'
+			identifier: method.notFound
+			count: 6
+			path: tests/Feature/Imitation/TopologyMoneyIntakeTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:seed\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Imitation/TopologyMoneyIntakeTest.php
+
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$adminId\.$#'
 			identifier: property.notFound
@@ -1545,19 +1671,19 @@ parameters:
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$service\.$#'
 			identifier: property.notFound
-			count: 10
+			count: 9
 			path: tests/Feature/Import/HistoricalImportServiceTest.php

 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
 			identifier: property.notFound
-			count: 23
+			count: 21
 			path: tests/Feature/Import/HistoricalImportServiceTest.php

 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$user\.$#'
 			identifier: property.notFound
-			count: 20
+			count: 17
 			path: tests/Feature/Import/HistoricalImportServiceTest.php

 		-
@@ -1650,6 +1776,24 @@ parameters:
 			count: 1
 			path: tests/Feature/Integration/SupplierLeadFlowTest.php

+		-
+			message: '#^Access to an undefined property App\\Models\\Deal\:\:\$phone_operator\.$#'
+			identifier: property.notFound
+			count: 2
+			path: tests/Feature/Jobs/RouteSupplierLeadJobRegionResolutionTest.php
+
+		-
+			message: '#^Access to an undefined property App\\Models\\Deal\:\:\$region_substituted\.$#'
+			identifier: property.notFound
+			count: 2
+			path: tests/Feature/Jobs/RouteSupplierLeadJobRegionResolutionTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:seed\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Jobs/RouteSupplierLeadJobRegionResolutionTest.php
+
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:seed\(\)\.$#'
 			identifier: method.notFound
@@ -1770,6 +1914,12 @@ parameters:
 			count: 2
 			path: tests/Feature/Notifications/InAppNotificationApiTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:postJson\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Notifications/NewLeadEmailDefaultOnTest.php
+
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$partitionsBefore\.$#'
 			identifier: property.notFound
@@ -1956,6 +2106,12 @@ parameters:
 			count: 1
 			path: tests/Feature/Pd/ReportFileDeletePdLogTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:artisan\(\)\.$#'
+			identifier: method.notFound
+			count: 5
+			path: tests/Feature/Pd/ScrubSoftDeletedDealsCommandTest.php
+
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:mock\(\)\.$#'
 			identifier: method.notFound
@@ -2028,54 +2184,6 @@ parameters:
 			count: 4
 			path: tests/Feature/Projects/ProjectMutationsAuditTest.php

-		-
-			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
-			identifier: property.notFound
-			count: 21
-			path: tests/Feature/ReminderControllerTest.php
-
-		-
-			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$user\.$#'
-			identifier: property.notFound
-			count: 21
-			path: tests/Feature/ReminderControllerTest.php
-
-		-
-			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
-			identifier: method.notFound
-			count: 1
-			path: tests/Feature/ReminderControllerTest.php
-
-		-
-			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:deleteJson\(\)\.$#'
-			identifier: method.notFound
-			count: 2
-			path: tests/Feature/ReminderControllerTest.php
-
-		-
-			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:getJson\(\)\.$#'
-			identifier: method.notFound
-			count: 8
-			path: tests/Feature/ReminderControllerTest.php
-
-		-
-			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:patchJson\(\)\.$#'
-			identifier: method.notFound
-			count: 4
-			path: tests/Feature/ReminderControllerTest.php
-
-		-
-			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:postJson\(\)\.$#'
-			identifier: method.notFound
-			count: 8
-			path: tests/Feature/ReminderControllerTest.php
-
-		-
-			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:artisan\(\)\.$#'
-			identifier: method.notFound
-			count: 11
-			path: tests/Feature/RemindersDispatchDueTest.php
-
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
 			identifier: property.notFound
@@ -2202,6 +2310,54 @@ parameters:
 			count: 12
 			path: tests/Feature/Reports/SourcesSummaryProviderTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
+			identifier: method.notFound
+			count: 3
+			path: tests/Feature/Requisites/ProjectGateTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:postJson\(\)\.$#'
+			identifier: method.notFound
+			count: 4
+			path: tests/Feature/Requisites/ProjectGateTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
+			identifier: method.notFound
+			count: 5
+			path: tests/Feature/Requisites/RequisitesHttpTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:getJson\(\)\.$#'
+			identifier: method.notFound
+			count: 1
+			path: tests/Feature/Requisites/RequisitesHttpTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:putJson\(\)\.$#'
+			identifier: method.notFound
+			count: 4
+			path: tests/Feature/Requisites/RequisitesHttpTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$app\.$#'
+			identifier: property.notFound
+			count: 1
+			path: tests/Feature/Requisites/TenantRequisitesLookupTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:actingAs\(\)\.$#'
+			identifier: method.notFound
+			count: 2
+			path: tests/Feature/Requisites/TenantRequisitesLookupTest.php
+
+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:postJson\(\)\.$#'
+			identifier: method.notFound
+			count: 2
+			path: tests/Feature/Requisites/TenantRequisitesLookupTest.php
+
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$project1Id\.$#'
 			identifier: property.notFound
@@ -2268,6 +2424,18 @@ parameters:
 			count: 3
 			path: tests/Feature/Security/WebhookUrlChangeAuditTest.php

+		-
+			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:get\(\)\.$#'
+			identifier: method.notFound
+			count: 4
+			path: tests/Feature/SecurityHeadersTest.php
+
+		-
+			message: '#^Access to an undefined property App\\Models\\Project\:\:\$routing_step\.$#'
+			identifier: property.notFound
+			count: 6
+			path: tests/Feature/Services/LeadRouterCascadeTest.php
+
 		-
 			message: '#^Access to an undefined property App\\Models\\Project\:\:\$applies_from\.$#'
 			identifier: property.notFound
@@ -2484,6 +2652,18 @@ parameters:
 			count: 6
 			path: tests/Feature/Supplier/SyncSupplierProjectJobTest.php

+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
+			identifier: property.notFound
+			count: 3
+			path: tests/Feature/Support/SupportRequestControllerTest.php
+
+		-
+			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$user\.$#'
+			identifier: property.notFound
+			count: 5
+			path: tests/Feature/Support/SupportRequestControllerTest.php
+
 		-
 			message: '#^Access to an undefined property Pest\\Mixins\\Expectation\<mixed\>\:\:\$not\.$#'
 			identifier: property.notFound
@@ -38,6 +38,8 @@ export interface ImpersonationVerifyResponse {
    tenant_id: number;
    used_at: string;
    message: string;
+    machine_token: string;
+    expires_at: string;
 }

 export async function impersonationVerify(payload: ImpersonationVerifyPayload): Promise<ImpersonationVerifyResponse> {
@@ -351,10 +353,10 @@ export async function updateTenantStatus(
    reason: string,
 ): Promise<{ id: number; status: string }> {
    await ensureCsrfCookie();
-    const { data } = await apiClient.patch<{ id: number; status: string }>(
-        `/api/admin/billing/tenants/${id}/status`,
-        { status, reason },
-    );
+    const { data } = await apiClient.patch<{ id: number; status: string }>(`/api/admin/billing/tenants/${id}/status`, {
+        status,
+        reason,
+    });
    return data;
 }

@@ -567,9 +569,6 @@ export async function createPdSubjectRequest(payload: CreatePdRequestPayload): P
 export async function executePdErasure(id: number, adminUserId?: number): Promise<EraseSubjectResult> {
    await ensureCsrfCookie();
    const payload = adminUserId !== undefined ? { admin_user_id: adminUserId } : {};
-    const { data } = await apiClient.post<EraseSubjectResult>(
-        `/api/admin/pd-subject-requests/${id}/erase`,
-        payload,
-    );
+    const { data } = await apiClient.post<EraseSubjectResult>(`/api/admin/pd-subject-requests/${id}/erase`, payload);
    return data;
 }
@@ -32,6 +32,12 @@ export interface AuthUser {
    last_login_at: string | null;
    notification_preferences?: NotificationPreferences;
    sound_enabled?: boolean;
+    impersonation?: {
+        active: boolean;
+        tenant_name: string | null;
+        started_at: string | null;
+        expires_at: string | null;
+    };
 }

 export interface LoginPayload {
@@ -50,6 +56,24 @@ export interface RegisterPayload {
    password: string;
    accept_offer: boolean;
    accept_pdn: boolean;
+    captcha_token: string;
+}
+
+export interface RegisterResult {
+    status: string;
+    email: string;
+    expires_at: string;
+    _dev_plain_code?: string;
+}
+
+export interface ConfirmEmailPayload {
+    email: string;
+    code: string;
+}
+
+export interface ResendCodeResult {
+    message: string;
+    _dev_plain_code?: string;
 }

 export async function login(payload: LoginPayload): Promise<LoginResponse> {
@@ -58,9 +82,21 @@ export async function login(payload: LoginPayload): Promise<LoginResponse> {
    return data;
 }

-export async function register(payload: RegisterPayload): Promise<LoginResponse> {
+export async function register(payload: RegisterPayload): Promise<RegisterResult> {
    await ensureCsrfCookie();
-    const { data } = await apiClient.post<LoginResponse>('/api/auth/register', payload);
+    const { data } = await apiClient.post<RegisterResult>('/api/auth/register', payload);
+    return data;
+}
+
+export async function confirmEmail(payload: ConfirmEmailPayload): Promise<{ user: AuthUser }> {
+    await ensureCsrfCookie();
+    const { data } = await apiClient.post<{ user: AuthUser }>('/api/auth/confirm-email', payload);
+    return data;
+}
+
+export async function resendCode(email: string): Promise<ResendCodeResult> {
+    await ensureCsrfCookie();
+    const { data } = await apiClient.post<ResendCodeResult>('/api/auth/resend-code', { email });
    return data;
 }

@@ -74,6 +110,11 @@ export async function logout(): Promise<void> {
    await apiClient.post('/api/auth/logout');
 }

+export async function impersonationLeave(): Promise<void> {
+    await ensureCsrfCookie();
+    await apiClient.post('/api/impersonation/leave');
+}
+
 export async function verifyTwoFactor(code: string): Promise<LoginResponse> {
    await ensureCsrfCookie();
    const { data } = await apiClient.post<LoginResponse>('/api/auth/2fa/verify', { code });
@@ -16,6 +16,8 @@ export interface DashboardSummary {
    balance: { amount_rub: string; runway_days: number; runway_leads: number };
    activity: { points: number[]; labels: string[]; max: number };
    funnel: Record<string, number>;
+    /** Средняя стоимость лида (₽) за окно периода; null — если в окне нет rub-списаний. */
+    avg_lead_cost_rub: number | null;
 }

 export async function getDashboardSummary(tenantId: number, range: DashboardRange): Promise<DashboardSummary> {
@@ -164,11 +164,13 @@ export interface ApiDeal {
    received_at: string | null;
    comment: string | null;
    city: string | null;
+    // F2: стоимость лида в копейках (снимок rub-списания из lead_charges) или null
+    // (prepaid/не списано). Отдаётся deal-detail (show); в листинге может отсутствовать.
+    cost_kopecks?: number | null;
    project_signal_type: string | null;
    project_signal_identifier?: string | null;
    project_sms_keyword?: string | null;
    project_sms_senders?: string[] | null;
-    next_reminder_at: string | null;
 }

 export interface ApiDealEvent {
@@ -9,7 +9,6 @@ import { apiClient, ensureCsrfCookie } from './client';

 type NotificationEvent =
    | 'new_lead'
-    | 'reminder'
    | 'low_balance'
    | 'zero_balance'
    | 'topup_success'
@@ -1,89 +0,0 @@
-import { apiClient, ensureCsrfCookie } from './client';
-
-/**
- * Reminders API (schema v8.10 §17.5).
- *
- * Все endpoint'ы под Sanctum SPA auth.
- * Mutating-вызовы (POST/PATCH/DELETE) делают ensureCsrfCookie().
- */
-
-export type ReminderFilter = 'active' | 'today' | 'upcoming' | 'overdue' | 'completed';
-
-export interface ApiReminder {
-    id: number;
-    deal_id: number;
-    text: string | null;
-    remind_at: string | null;
-    completed_at: string | null;
-    is_sent: boolean;
-    sent_at: string | null;
-    created_at: string | null;
-    created_by: number;
-    assignee_id: number | null;
-    creator_name: string | null;
-}
-
-export interface ReminderCounts {
-    active: number;
-    today: number;
-    upcoming: number;
-    overdue: number;
-}
-
-export interface ListRemindersResponse {
-    items: ApiReminder[];
-    counts: ReminderCounts;
-}
-
-export interface ListRemindersParams {
-    filter?: ReminderFilter;
-    dealId?: number;
-    limit?: number;
-}
-
-export async function listReminders(params: ListRemindersParams = {}): Promise<ListRemindersResponse> {
-    const { data } = await apiClient.get<ListRemindersResponse>('/api/reminders', {
-        params: {
-            filter: params.filter,
-            deal_id: params.dealId,
-            limit: params.limit,
-        },
-    });
-    return data;
-}
-
-export interface CreateReminderPayload {
-    deal_id: number;
-    text?: string | null;
-    remind_at: string;
-    assignee_id?: number | null;
-}
-
-export async function createReminder(payload: CreateReminderPayload): Promise<ApiReminder> {
-    await ensureCsrfCookie();
-    const { data } = await apiClient.post<{ reminder: ApiReminder }>('/api/reminders', payload);
-    return data.reminder;
-}
-
-export interface UpdateReminderPayload {
-    text?: string | null;
-    remind_at?: string;
-    assignee_id?: number | null;
-}
-
-export async function updateReminder(id: number, payload: UpdateReminderPayload): Promise<ApiReminder> {
-    await ensureCsrfCookie();
-    const { data } = await apiClient.patch<{ reminder: ApiReminder }>(`/api/reminders/${id}`, payload);
-    return data.reminder;
-}
-
-export async function completeReminder(id: number): Promise<ApiReminder> {
-    await ensureCsrfCookie();
-    const { data } = await apiClient.post<{ reminder: ApiReminder }>(`/api/reminders/${id}/complete`);
-    return data.reminder;
-}
-
-export async function deleteReminder(id: number): Promise<void> {
-    await ensureCsrfCookie();
-    await apiClient.delete(`/api/reminders/${id}`);
-}
@@ -0,0 +1,48 @@
+import { apiClient, ensureCsrfCookie } from './client';
+
+/** Реквизиты тенанта. Совпадает с RequisitesResource (бэкенд SP2). */
+export interface Requisites {
+    subject_type: 'individual' | 'sole_proprietor' | 'legal_entity' | null;
+    contact_name: string | null;
+    contact_phone: string | null;
+    inn: string | null;
+    legal_name: string | null;
+    kpp: string | null;
+    ogrn: string | null;
+    legal_address: string | null;
+    bank_name: string | null;
+    bank_bik: string | null;
+    bank_account: string | null;
+    corr_account: string | null;
+    requisites_completed_at: string | null;
+}
+
+/** Ответ POST /lookup-inn (мягкая подтяжка по DaData). */
+export interface InnLookupResult {
+    found: boolean;
+    legal_name?: string;
+    kpp?: string;
+    ogrn?: string;
+    legal_address?: string;
+    subject_type_hint?: 'sole_proprietor' | 'legal_entity';
+}
+
+/** GET /api/tenant/requisites — null если ещё не заполнялись. */
+export async function getRequisites(): Promise<Requisites | null> {
+    const { data } = await apiClient.get('/api/tenant/requisites');
+    return data.data ?? null;
+}
+
+/** PUT /api/tenant/requisites — upsert, возвращает сохранённое. */
+export async function updateRequisites(payload: Partial<Requisites>): Promise<Requisites> {
+    await ensureCsrfCookie();
+    const { data } = await apiClient.put('/api/tenant/requisites', payload);
+    return data.data;
+}
+
+/** POST /api/tenant/requisites/lookup-inn — ничего не сохраняет. */
+export async function lookupInn(inn: string): Promise<InnLookupResult> {
+    await ensureCsrfCookie();
+    const { data } = await apiClient.post('/api/tenant/requisites/lookup-inn', { inn });
+    return data;
+}
@@ -0,0 +1,11 @@
+import { apiClient } from './client';
+
+export interface SupportRequestPayload {
+    name: string;
+    contact: string;
+    message: string;
+}
+
+export async function submitSupportRequest(payload: SupportRequestPayload): Promise<void> {
+    await apiClient.post('/api/support-requests', payload);
+}
--- a/Show More
+++ b/Show More