Fix: OAuth mobile flow + desktop auth + storage abstraction ...

- Desktop: initAccessToken() теперь вызывается всегда, не только в native
  (исправлен бесконечный цикл логина на десктопе)
- Server: returnTo читается из сессии ДО handleCallback(), пока state живой
  (исправлено: OAuth после авторизации не возвращал на mobile-bridge)
- Storage abstraction: единый адаптер storage.js (Preferences / localStorage)
- Navigation abstraction: единый navigation.js (redirectToOAuth, getOAuthReturnTo)
- AuthController::mobileBridge() — bridge page с intent:// deep link
- Android: custom MainActivity с Theme override, статус бар opaque
- Android: AndroidManifest intent-filter для shserv://auth/callback
- .gitignore: добавлен server/.env, удалён из tracking

Feat: мобильная авторизация через OAuth bridge page + CapacitorHttp ...

- Добавлен серверный endpoint /auth/mobile-bridge:
  - После OAuth callback берёт токен из сессии (refreshAccessToken)
  - Рендерит HTML-страницу, которая редиректит WebView обратно в приложение
  - Редирект: https://localhost/#/mobile-auth?token=TOKEN&expires_in=EXPIRES

- Добавлена Vue-страница /mobile-auth:
  - Ловит токен из URL query params
  - Сохраняет в localStorage через setAccessToken()
  - Инициализирует authStore и редиректит на dashboard

- Все auth-редиректы в мобильном приложении исправлены:
  - 401 в API → /#/login (вместо прямого OAuth на сервере)
  - Logout → /#/login
  - LoginPage/AppShell login → /auth/login?return_to=/auth/mobile-bridge

- Включён CapacitorHttp в capacitor.config.json:
  - Нативный HTTP стек обходит CORS, никаких серверных заголовков не нужно

- Обновлён server/dist/ (production bundle)

Translate all error messages to English, add missing aliases

P1: Add structured business-logic logging across PHP server (auth, devices, scripts, areas, events)

Fix P0 review issues: dedup exception logs, SqlQueryLogger stack, chmod once, json_encode guard, RequestLogger guard

P0: super-verbose server logging — JSONL, levels, request/SQL/error/device HTTP logs

Fix PermissionResolver: fallback for missing/empty tables; add seed migration for roles and permissions

Fix production auth: disable IP/UA binding (breaks reverse-proxy), add /api/v1/auth/* aliases, prepare PHP-FPM reload

Phase 4 cleanup & polish: param migration seeds, gnexus-ui-kit LoginPage styles, single .env ...

- Replace raw string interpolation in migration with $tb->prepare() + execute()

- Remove all var(--color-*) from LoginPage.vue in favor of gnexus-ui-kit utility classes

- Unify .env: single server/.env, remove server/SHServ/.env override, update config.php

- Update auth-fix-plan.md: mark Phase 4 tasks complete

Phase 3 infrastructure hardening: IP/UA binding, nginx getallheaders fallback, auth rate limiting, permission cache

Phase 2 session stability: refresh queue, Bearer fallback, proactive refresh

Phase 1 auth security hotfixes: cookie-based session, bearer checks, router guard sync ...

- Remove access_token from OAuth callback URL (token leak fix)
- Add sanitizeReturnTo() to prevent open redirect on login/callback
- Add Bearer token expiration check in resolve_user_by_bearer()
- Add user status check in load_user_by_id() (block inactive/banned)
- Cache authStore.init() promise to prevent race condition
- Await auth init in router beforeEach guard
- Remove URL token parsing from main.js and LoginPage
- Remove hasTokenInUrl workaround from client.js 401 handler

Fix OAuth callback URL: insert access_token query string BEFORE hash fragment so Vue can read it via window.location.search

Fix AppController and EventsHandlers to use __DIR__ instead of app()->root_folder() for prod compatibility

Integrate Vue webclient into server: serve SPA from /, remove proxy.php, update auth redirects

Fix UserResolver: use ThinBuilder::insert() return value ...

ThinBuilder::insert() already returns lastInsertId().
Calling lastInsertId() as a separate method does not exist.

Add Bearer token persistence for cross-domain SPA auth ...

- api/auth.js: persist access token in localStorage so it survives
  page reloads and works across domains (panel vs server IP).
- LoginPage.vue: on mount, check for access_token in URL query
  params (from OAuth callback) and initialize auth store.
- AuthController::callback(): append access_token + expires_in to
  the redirect URL so the SPA can capture it.

Add IP roaming reconciliation for active devices during network scan ...

- Extract reconcile_scan_results() into Devices model: updates device_ip
  and restores connection_status='active' when a known device is found on
  a different IP address.
- Refactor CronController to use the shared method.
- Also call reconcile_scan_results() in DevicesRESTAPIController::scanning__all()
  so manual scans from the UI update roaming device IPs.
- Add DevicesTest with coverage for IP update + lost device restore.
- Fix test bootstrap: remove non-existent SHServ\Sessions reference.

Fix logout: session_start + destroy cookie + redirect to local /login instead of /auth/login

Make user card avatar/name clickable link to gnexus-auth profile

Add GnUserCard drawer footer; fix proxy.php cookie forwarding and /auth/ whitelist

Fix auth session persistence: add credentials:include to fetch and session_start to auth flow ...

- http.js: add credentials: 'include' to fetch() so cookies are sent
  with every API request (fixes /auth/me returning 401 after callback)
- AuthControllerTrait::resolve_user(): ensure session_start() before
  reading
- AuthController::callback(): ensure session_start() before writing

- AuthService::handleCallback(): defer DB token persistence until
  local user ID is resolved; store temp token data in session
- UserResolver: fix lastInsertId() method name, remove avatarUrl()
  call (use profile array instead)

This fixes the loop where user was redirected back to /login after
successful OAuth callback because PHP session cookie was not sent
with the /auth/me request.

Fix E_WARNING in redirect: add exit after header() to prevent further output ...

Utils::redirect() now calls exit after sending Location header.
This stops script execution and prevents Fury framework from
attempting http_response_code() after headers have already been sent.

Fix .env resolution: fallback to parent dir if SHServ/.env missing GAUTH_* ...

- config.php: try SHServ/.env first, then fallback to server/.env
- This ensures AuthService can construct GAuthConfig with full credentials
  regardless of which .env file is present

Add missing text_msgs aliases and dev proxy for auth endpoints ...

- text-msgs.php: add unauthenticated, permission_denied, invalid_callback,
  auth_failed, session_expired error messages
- vite.config.js: add /auth proxy to PHP backend for dev server

Phase 4: Vue client auth store, Bearer token injection, router guards, login page ...

Server:
- AuthControllerTrait now supports both session and Bearer token auth
  (resolves user from Authorization: Bearer header via shserv_sessions)

Vue client:
- Add api/auth.js module for access token management
- Inject Authorization: Bearer header in http.js
- Handle 401 in client.js: clear token + redirect to /auth/login
- New Pinia auth store (stores/auth.js): init, refreshToken, logout, hasPermission
- New usePermission composable
- Router guards: redirect unauthenticated to /login, permission-based route blocking
- New LoginPage.vue with gnexus-auth login button
- AppShell: conditional nav items by permission, user bar with logout
- main.js: initialize auth before mounting app
- MSW mocks: /auth/me, /auth/logout, /auth/refresh
- Fix AppShell.spec.js for Pinia + router setup

All 167 tests pass.

Phase 2: Protect Areas, Scripts, Firmware REST API endpoints with permission checks ...

- AreasRESTAPIController: areas.view / areas.manage / devices.control / devices.view / scripts.view
- ScriptsRESTAPIController: scripts.view / scripts.edit / scripts.run
- FirmwareRESTAPIController: firmware.view / firmware.upload
- AuthControllerTrait added to all three controllers

Phase 2: Protect DevicesRESTAPIController endpoints with permission checks ...

- Add AuthControllerTrait
- devices.scan: scanning__ready_to_setup, scanning__all
- devices.setup: setup_new_device, resetup_device
- devices.delete: remove_device
- devices.control: reboot_device, do_device_action
- devices.view: device_info, device, device_status, devices_list
- devices.edit: place_in_area, unassign_from_area, update_name, update_description, update_alias, reset_device

Phase 0: gnexus-auth integration infrastructure ...

- Add gnexus/auth-client via Composer vcs
- Thin PSR-18/17 cURL adapter (zero extra deps)
- SessionStateStore, SessionPkceStore, DbTokenStore
- AuthService wrapper: login URL, callback, logout, refresh, me
- UserResolver + PermissionResolver
- AuthController (login, callback, logout, me, refresh)
- WebhookController + WebhookRouter + event handlers
- AuthControllerTrait for endpoint protection
- Migration: 9 tables (users, roles, permissions, overrides, groups, members, group_perms, sessions, audit) + seed data
- Remove old Example_AuthController
- Add GAUTH_* env variables to config and .env.example

Fix text_msg call in remove_device: use FCONF instead of undefined app()-method