Fix: bridge page идентична Navi, gnexus-ui-kit стили

Fix: bridge page строго в стиле gnexus-ui-kit, без закруглений ...

- Цвета взяты из реального kit.css: #16161e page, #1f2335 card, #c0caf5 primary,
  #a9b1d6 text-medium, #787c99 muted
- Карточка: .card с border 2px solid #c0caf5, без border-radius
- Заголовок: .card-title bg #c0caf5 color #16161e uppercase bold
- Кнопка: .btn-primary color #c0caf5 border 2px solid #c0caf5,
  hover bg #c0caf5 color #16161e — строго как в kit.css
- Убраны все border-radius и закругления

Fix: стилизованная bridge page для Android OAuth (адаптировано из navi-1) ...

- Адаптирована вёрстка bridge page из navi-1 под shserv gnexus-ui-kit стиль
- Цвета: --page #0f172a, --accent #12b7f5, --text-light #f1f5f9 и т.д.
- Логотип-галочка в rounded box, border-left accent, uppercase заголовок
- Fallback кнопка с hover-эффектом, spinner во время редиректа
- intent:// URL остаётся без изменений, работает на полном Chrome

Fix: OAuth mobile flow + desktop auth + storage abstraction ...

- Desktop: initAccessToken() теперь вызывается всегда, не только в native
  (исправлен бесконечный цикл логина на десктопе)
- Server: returnTo читается из сессии ДО handleCallback(), пока state живой
  (исправлено: OAuth после авторизации не возвращал на mobile-bridge)
- Storage abstraction: единый адаптер storage.js (Preferences / localStorage)
- Navigation abstraction: единый navigation.js (redirectToOAuth, getOAuthReturnTo)
- AuthController::mobileBridge() — bridge page с intent:// deep link
- Android: custom MainActivity с Theme override, статус бар opaque
- Android: AndroidManifest intent-filter для shserv://auth/callback
- .gitignore: добавлен server/.env, удалён из tracking

Feat: мобильная авторизация через OAuth bridge page + CapacitorHttp ...

- Добавлен серверный endpoint /auth/mobile-bridge:
  - После OAuth callback берёт токен из сессии (refreshAccessToken)
  - Рендерит HTML-страницу, которая редиректит WebView обратно в приложение
  - Редирект: https://localhost/#/mobile-auth?token=TOKEN&expires_in=EXPIRES

- Добавлена Vue-страница /mobile-auth:
  - Ловит токен из URL query params
  - Сохраняет в localStorage через setAccessToken()
  - Инициализирует authStore и редиректит на dashboard

- Все auth-редиректы в мобильном приложении исправлены:
  - 401 в API → /#/login (вместо прямого OAuth на сервере)
  - Logout → /#/login
  - LoginPage/AppShell login → /auth/login?return_to=/auth/mobile-bridge

- Включён CapacitorHttp в capacitor.config.json:
  - Нативный HTTP стек обходит CORS, никаких серверных заголовков не нужно

- Обновлён server/dist/ (production bundle)

Translate all error messages to English, add missing aliases

P1: Add structured business-logic logging across PHP server (auth, devices, scripts, areas, events)

Fix P0 review issues: dedup exception logs, SqlQueryLogger stack, chmod once, json_encode guard, RequestLogger guard

P0: super-verbose server logging — JSONL, levels, request/SQL/error/device HTTP logs

Fix PermissionResolver: fallback for missing/empty tables; add seed migration for roles and permissions

Fix production auth: disable IP/UA binding (breaks reverse-proxy), add /api/v1/auth/* aliases, prepare PHP-FPM reload

Phase 4 cleanup & polish: param migration seeds, gnexus-ui-kit LoginPage styles, single .env ...

- Replace raw string interpolation in migration with $tb->prepare() + execute()

- Remove all var(--color-*) from LoginPage.vue in favor of gnexus-ui-kit utility classes

- Unify .env: single server/.env, remove server/SHServ/.env override, update config.php

- Update auth-fix-plan.md: mark Phase 4 tasks complete

Phase 3 infrastructure hardening: IP/UA binding, nginx getallheaders fallback, auth rate limiting, permission cache

Phase 2 session stability: refresh queue, Bearer fallback, proactive refresh

Phase 1 auth security hotfixes: cookie-based session, bearer checks, router guard sync ...

- Remove access_token from OAuth callback URL (token leak fix)
- Add sanitizeReturnTo() to prevent open redirect on login/callback
- Add Bearer token expiration check in resolve_user_by_bearer()
- Add user status check in load_user_by_id() (block inactive/banned)
- Cache authStore.init() promise to prevent race condition
- Await auth init in router beforeEach guard
- Remove URL token parsing from main.js and LoginPage
- Remove hasTokenInUrl workaround from client.js 401 handler

Fix OAuth callback URL: insert access_token query string BEFORE hash fragment so Vue can read it via window.location.search

Fix AppController and EventsHandlers to use __DIR__ instead of app()->root_folder() for prod compatibility

Integrate Vue webclient into server: serve SPA from /, remove proxy.php, update auth redirects

Fix UserResolver: use ThinBuilder::insert() return value ...

ThinBuilder::insert() already returns lastInsertId().
Calling lastInsertId() as a separate method does not exist.

Add Bearer token persistence for cross-domain SPA auth ...

- api/auth.js: persist access token in localStorage so it survives
  page reloads and works across domains (panel vs server IP).
- LoginPage.vue: on mount, check for access_token in URL query
  params (from OAuth callback) and initialize auth store.
- AuthController::callback(): append access_token + expires_in to
  the redirect URL so the SPA can capture it.

Add IP roaming reconciliation for active devices during network scan ...

- Extract reconcile_scan_results() into Devices model: updates device_ip
  and restores connection_status='active' when a known device is found on
  a different IP address.
- Refactor CronController to use the shared method.
- Also call reconcile_scan_results() in DevicesRESTAPIController::scanning__all()
  so manual scans from the UI update roaming device IPs.
- Add DevicesTest with coverage for IP update + lost device restore.
- Fix test bootstrap: remove non-existent SHServ\Sessions reference.

Fix logout: session_start + destroy cookie + redirect to local /login instead of /auth/login

Make user card avatar/name clickable link to gnexus-auth profile

Add GnUserCard drawer footer; fix proxy.php cookie forwarding and /auth/ whitelist

Fix auth session persistence: add credentials:include to fetch and session_start to auth flow ...

- http.js: add credentials: 'include' to fetch() so cookies are sent
  with every API request (fixes /auth/me returning 401 after callback)
- AuthControllerTrait::resolve_user(): ensure session_start() before
  reading
- AuthController::callback(): ensure session_start() before writing

- AuthService::handleCallback(): defer DB token persistence until
  local user ID is resolved; store temp token data in session
- UserResolver: fix lastInsertId() method name, remove avatarUrl()
  call (use profile array instead)

This fixes the loop where user was redirected back to /login after
successful OAuth callback because PHP session cookie was not sent
with the /auth/me request.

Fix E_WARNING in redirect: add exit after header() to prevent further output ...

Utils::redirect() now calls exit after sending Location header.
This stops script execution and prevents Fury framework from
attempting http_response_code() after headers have already been sent.

Fix .env resolution: fallback to parent dir if SHServ/.env missing GAUTH_* ...

- config.php: try SHServ/.env first, then fallback to server/.env
- This ensures AuthService can construct GAuthConfig with full credentials
  regardless of which .env file is present

Add missing text_msgs aliases and dev proxy for auth endpoints ...

- text-msgs.php: add unauthenticated, permission_denied, invalid_callback,
  auth_failed, session_expired error messages
- vite.config.js: add /auth proxy to PHP backend for dev server

Phase 4: Vue client auth store, Bearer token injection, router guards, login page ...

Server:
- AuthControllerTrait now supports both session and Bearer token auth
  (resolves user from Authorization: Bearer header via shserv_sessions)

Vue client:
- Add api/auth.js module for access token management
- Inject Authorization: Bearer header in http.js
- Handle 401 in client.js: clear token + redirect to /auth/login
- New Pinia auth store (stores/auth.js): init, refreshToken, logout, hasPermission
- New usePermission composable
- Router guards: redirect unauthenticated to /login, permission-based route blocking
- New LoginPage.vue with gnexus-auth login button
- AppShell: conditional nav items by permission, user bar with logout
- main.js: initialize auth before mounting app
- MSW mocks: /auth/me, /auth/logout, /auth/refresh
- Fix AppShell.spec.js for Pinia + router setup

All 167 tests pass.

Phase 2: Protect Areas, Scripts, Firmware REST API endpoints with permission checks ...

- AreasRESTAPIController: areas.view / areas.manage / devices.control / devices.view / scripts.view
- ScriptsRESTAPIController: scripts.view / scripts.edit / scripts.run
- FirmwareRESTAPIController: firmware.view / firmware.upload
- AuthControllerTrait added to all three controllers