Route all auth/login requests through proxy.php for cross-domain SPA ...

- Replace direct /auth/login with /proxy.php?path=/auth/login so the
  request reaches the PHP backend through proxy.php when the SPA runs
  on a different domain (panel.smarthome.arp vs 192.168.1.101).
- Pass full window.location.href as return_to so the OAuth callback
  redirects back to the panel domain, not the bare server IP.

Add Bearer token persistence for cross-domain SPA auth ...

- api/auth.js: persist access token in localStorage so it survives
  page reloads and works across domains (panel vs server IP).
- LoginPage.vue: on mount, check for access_token in URL query
  params (from OAuth callback) and initialize auth store.
- AuthController::callback(): append access_token + expires_in to
  the redirect URL so the SPA can capture it.

Add IP roaming reconciliation for active devices during network scan ...

- Extract reconcile_scan_results() into Devices model: updates device_ip
  and restores connection_status='active' when a known device is found on
  a different IP address.
- Refactor CronController to use the shared method.
- Also call reconcile_scan_results() in DevicesRESTAPIController::scanning__all()
  so manual scans from the UI update roaming device IPs.
- Add DevicesTest with coverage for IP update + lost device restore.
- Fix test bootstrap: remove non-existent SHServ\Sessions reference.

Set user-card-compact in drawer footer to full width

Close drawer on logout via backdrop click

Fix logout: session_start + destroy cookie + redirect to local /login instead of /auth/login

Make user card avatar/name clickable link to gnexus-auth profile

Remove border and padding from user-card-compact in drawer footer

Add GnUserCard drawer footer; fix proxy.php cookie forwarding and /auth/ whitelist

Fix auth session persistence: add credentials:include to fetch and session_start to auth flow ...

- http.js: add credentials: 'include' to fetch() so cookies are sent
  with every API request (fixes /auth/me returning 401 after callback)
- AuthControllerTrait::resolve_user(): ensure session_start() before
  reading
- AuthController::callback(): ensure session_start() before writing

- AuthService::handleCallback(): defer DB token persistence until
  local user ID is resolved; store temp token data in session
- UserResolver: fix lastInsertId() method name, remove avatarUrl()
  call (use profile array instead)

This fixes the loop where user was redirected back to /login after
successful OAuth callback because PHP session cookie was not sent
with the /auth/me request.

Fix E_WARNING in redirect: add exit after header() to prevent further output ...

Utils::redirect() now calls exit after sending Location header.
This stops script execution and prevents Fury framework from
attempting http_response_code() after headers have already been sent.

Fix .env resolution: fallback to parent dir if SHServ/.env missing GAUTH_* ...

- config.php: try SHServ/.env first, then fallback to server/.env
- This ensures AuthService can construct GAuthConfig with full credentials
  regardless of which .env file is present

Improve LoginPage design: centered card with brand, hint and clear auth button ...

- Replace GnEmptyState with custom centered login card
- Add brand icon, title and subtitle
- Make 'Sign in with gnexus-auth' button large and full-width
- Show session-check spinner while authStore.init() runs
- Rebuild production dist/

Add missing text_msgs aliases and dev proxy for auth endpoints ...

- text-msgs.php: add unauthenticated, permission_denied, invalid_callback,
  auth_failed, session_expired error messages
- vite.config.js: add /auth proxy to PHP backend for dev server

Phase 4.5: Conditional UI rendering by permissions ...

Add usePermission() guards across Vue client pages and components:

- DeviceTable: Reboot button only when devices.control
- ActionScriptsGrid: Run button only when scripts.run
- ScriptTable: Enable/Disable only when scripts.edit
- AreaTreePage: Create area only when areas.manage
- AreaDetailPage: Rename/Assign/Unassign/Remove only when areas.manage
- DeviceDetailPage: Edit/Assign/Reset only when devices.edit; ReSetup only when devices.setup; Reboot only when devices.control; Remove only when devices.delete; Firmware Update only when firmware.upload
- DevicesScanningPage: Add (setup) button only when devices.setup
- ScriptDetailPage: Run only when scripts.run; Assign/Unassign/Enable toggle only when scripts.edit
- ScriptsScopesPage: Enable/Disable only when scripts.edit
- FirmwaresListPage: Refresh Catalog only when firmware.upload

Fix ActionScriptsGrid.spec.js to seed auth store with scripts.run permission.

All 167 tests pass.

Phase 4: Vue client auth store, Bearer token injection, router guards, login page ...

Server:
- AuthControllerTrait now supports both session and Bearer token auth
  (resolves user from Authorization: Bearer header via shserv_sessions)

Vue client:
- Add api/auth.js module for access token management
- Inject Authorization: Bearer header in http.js
- Handle 401 in client.js: clear token + redirect to /auth/login
- New Pinia auth store (stores/auth.js): init, refreshToken, logout, hasPermission
- New usePermission composable
- Router guards: redirect unauthenticated to /login, permission-based route blocking
- New LoginPage.vue with gnexus-auth login button
- AppShell: conditional nav items by permission, user bar with logout
- main.js: initialize auth before mounting app
- MSW mocks: /auth/me, /auth/logout, /auth/refresh
- Fix AppShell.spec.js for Pinia + router setup

All 167 tests pass.

Phase 2: Protect Areas, Scripts, Firmware REST API endpoints with permission checks ...

- AreasRESTAPIController: areas.view / areas.manage / devices.control / devices.view / scripts.view
- ScriptsRESTAPIController: scripts.view / scripts.edit / scripts.run
- FirmwareRESTAPIController: firmware.view / firmware.upload
- AuthControllerTrait added to all three controllers

Phase 2: Protect DevicesRESTAPIController endpoints with permission checks ...

- Add AuthControllerTrait
- devices.scan: scanning__ready_to_setup, scanning__all
- devices.setup: setup_new_device, resetup_device
- devices.delete: remove_device
- devices.control: reboot_device, do_device_action
- devices.view: device_info, device, device_status, devices_list
- devices.edit: place_in_area, unassign_from_area, update_name, update_description, update_alias, reset_device

Update docs: guest is explicit authenticated role, no anonymous access

Add .env with real gnexus-auth Client credentials for dev

Phase 0: gnexus-auth integration infrastructure ...

- Add gnexus/auth-client via Composer vcs
- Thin PSR-18/17 cURL adapter (zero extra deps)
- SessionStateStore, SessionPkceStore, DbTokenStore
- AuthService wrapper: login URL, callback, logout, refresh, me
- UserResolver + PermissionResolver
- AuthController (login, callback, logout, me, refresh)
- WebhookController + WebhookRouter + event handlers
- AuthControllerTrait for endpoint protection
- Migration: 9 tables (users, roles, permissions, overrides, groups, members, group_perms, sessions, audit) + seed data
- Remove old Example_AuthController
- Add GAUTH_* env variables to config and .env.example

Fix text_msg call in remove_device: use FCONF instead of undefined app()-method

Fix ErrorHandler to catch Throwable (not just Exception) and safe null-check in remove_device

Move scan debug log to sys temp dir as well

Move scan lock file to sys temp dir to avoid prod permission issues

Allow deleting offline devices: make /reset best-effort, always remove from DB

Fix web proxy timeout 30s→120s to match scan duration

Increase scan batch size 8→32 to cut usleep overhead (~54s→37s)

Fix scan speed: use CURLOPT_*_MS for sub-second timeouts (was ~3s per IP on Linux)

Debug scan locking: add shutdown cleanup + connection_aborted checks + debug log