| 2026-06-04 |
Rollback of user authorization and the migration system
- Removed auth guard from EventsHandlers (API is open again)
- Removed check_api_auth / api_auth_guard from App.php
- Removed Sessions.php and session instantiation
- Removed the migration system (Migration.php, MigrationsManager.php)
- Removed the create_sessions_table and fix_sessions_status migration files
- Reverted console.php to its previous state (CLI migrate commands removed)
- Removed the AppAuthGuardTest.php test
- Dropped the sessions and migrations tables from the DB
User login is planned for later; until then the API works without Bearer/cookie auth.
Eugene Sukhodolskiy
committed
1 day ago
|
| 2026-06-03 |
Rewrote the offline detection mechanism: last_contact-based instead of TCP ping + retry for the scanner
CronController::status_update_scanning():
- Devices are marked lost on last_contact timeout (device_offline_threshold, default 300s)
- TCP ping fallback removed; it no longer yields false active statuses
- The scanner is now needed only to recover lost devices and update the IP on roaming
- Added createDeviceScanner() for testability
DeviceScanner:
- BATCH_SIZE 32 -> 8 (fewer collisions on WiFi)
- Timeout 1s -> 2s
- 200 ms pause between batches
- Retry with 500 ms backoff for failed IPs
EventsController::new_event():
- Restores connection_status = active on an incoming event
DevicesRESTAPIController::device_status():
- No longer marks lost on a temporary network failure
Config:
- Added device_offline_threshold (env DEVICE_OFFLINE_THRESHOLD)
Tests: 6 new CronController tests, 145 tests/345 assertions, all green
Eugene Sukhodolskiy
committed
2 days ago
|

Phase 7: Separate ControlScripts from server core + CLI isolation + manifest
- Moved server/ControlScripts/ → automation/ in repo root.
Updated composer.json autoload classmap (../automation/).
Common.php keeps correct sync-map.json path via __DIR__.
- Removed RequiredControlScriptsScope; 'app:online' handler moved
directly into EventsHandlers.php as core system behaviour.
- Replaced scandir() with scopes-manifest.json in App::control_scripts_init().
New scopes require explicit manifest entry; no auto-discovery.
- Removed /api/v1/scripts/scopes/update route and scope_update() method.
Remote scope editing via API is no longer available.
- Added ControlScripts::run_regular_script(alias) — unified entry point
with state check and try/catch.
- CronController::run_regular_cron_scripts() now runs each script via
CLI process (php console.php run-regular-script <alias>).
Added 'run-regular-script' command to console.php.
- Updated tests:
+ CronControllerTest — verifies CLI dispatch and disabled skip.
+ ControlScriptsRegularTest — tests run_regular_script():
missing alias, disabled state, exception catch, success path.
Server: 141 tests, 339 assertions — all pass.
Client: 167 tests — all pass.
Eugene Sukhodolskiy
committed
2 days ago
|

Fix Model layer & API robustness batch (7 items)
- Entity::update() now checks rowCount; returns false when no rows affected.
- Entity::update() preserves modified_fields on PDOException (try/catch).
- Device::set_device_token() caches auth() call instead of 3 repeated invocations.
- User::__construct() removed eager profile query; profile() now lazy-loads via get_pet_instance().
- alias_is_uniq() in Areas and Devices models accepts optional exclude_id to skip self on update.
- Controllers updated to pass entity id to alias_is_uniq() so updating alias to current value succeeds.
- CronController::run_regular_cron_scripts() wraps each script in try/catch; logs failure and continues.
- App::api_auth_guard() replaced exit() with return false; EventsHandlers stops routing on auth rejection.
- Tests added: EntityCrud (missing-record + preserved-fields), UserEntity (lazy-loading),
CronController (failure-continuation), AppAuthGuard (structured 401 output),
Areas/Devices validation (same-alias update allowed).
- Test bootstrap: added logs_enable/logs_folder to FCONF to suppress PHP warnings in Cron tests.
All 136 server tests pass, 334 assertions.
All 167 Vue client tests pass.
Eugene Sukhodolskiy
committed
2 days ago
|
Fix 10 critical/high issues from Phase 6-7 audit
- Entity::select_from_db() throws on missing record (fatal error fix)
- Scripts::select_scripts_by_aliases_types() early return on empty array (SQL syntax fix)
- ThinBuilder WHERE operator whitelist (SQL injection prevention)
- validate_identifier() rejects numeric start (SQL correctness)
- Remove escape_string_in_arr() dead code (security hygiene)
- MetaManager::create_or_update() wrapped in transaction (race condition)
- Scripts::remove_scope() deletes DB before file (consistency)
- IN clause guards against non-array values (PHP 8 TypeError fix)
- Short where syntax supports IN operator (correctness)
- DeviceAuth::kill() clears Device auth cache (stale data fix)
Eugene Sukhodolskiy
committed
2 days ago
|
Fix critical issues: router method enforcement, cron localhost guard, rate limiter file-based, entity update_at optional, device race condition, area remove transaction, control scripts static flush
Eugene Sukhodolskiy
committed
2 days ago
|
Add high-complexity PHPUnit tests: retry/backoff, auth guard, transactions, happy-paths, script state
- Refactor Base.php: extract executeCurl/getCurlInfo for mockability
- Refactor App.php: split api_auth_guard into check_api_auth (testable) + guard wrapper
- Refactor Devices.php: add optional ?Base DI to connect_new_device
- Update TestApp.php: add control_scripts_instances for script tests
- Update bootstrap.php: define PHPUNIT_TEST to skip new App() autoload side-effect
New test files:
- DeviceAPIBaseRetryTest (7 tests) — retry/backoff with mock cURL
- AppAuthGuardTest (7 tests) — auth + rate limiter without exit
- DevicesModelTransactionTest (4 tests) — happy path, rollback, mode checks
- AreasControllerHappyPathTest (7 tests) — full area CRUD success flows
- ScriptsModelStateTest (8 tests) — scope list, script state, enable/disable
Total: 113 tests, 285 assertions — all passing.
Eugene Sukhodolskiy
committed
2 days ago
|
Add medium-complexity PHPUnit tests: Area recursion, controller validation
- AreaRecursionTest (10 tests): recursive traversal, depth limit ≤10,
remove() cascade, inner devices/scripts lookup, parent_area()
- AreasRESTAPIControllerValidationTest (10 tests): new_area, update_alias,
remove_area, place_in_area, update_display_name validation
- DevicesRESTAPIControllerValidationTest (12 tests): setup_new_device,
do_device_action, update_alias, devices_list, place_in_area validation
- ScriptsRESTAPIControllerValidationTest (10 tests): run_action_script,
set_*_state, place_in_area validation
- Fix Controller::validate_positive_int_ids() return type: ?array → ?string
- Add DevTools to TestApp/bootstrap for Model instantiation
- Expand bootstrap.php text_msgs with controller error aliases
- Update server-audit.md coverage table: 80 tests, 202 assertions
Eugene Sukhodolskiy
committed
2 days ago
|
Add PHPUnit coverage: Entity CRUD, Area placing, Sessions, Utils
- EntityCrudTest: 6 tests covering update, get, remove, id, to_array
- AreaPlacingTest: 2 tests for place_in_area and place_in_area_id
- SessionsTest: 4 tests for create, get_by_token, close, status
- UtilsTest: 7 tests for response_error/success, table_row_is_exists,
generate_token, dayname_translate, fast_ping_tcp
- TestApp helper + bootstrap init with SQLite :memory: for app() dependencies
- Update server-audit.md: 36 total tests, expand coverage roadmap
Eugene Sukhodolskiy
committed
2 days ago
|
Add PHPUnit test suite: ThinBuilder, RateLimiter, PasswordHash (17 tests, all passing)
Eugene Sukhodolskiy
committed
2 days ago
|