feat: Evotor + VK catalog sync, connections, and store/group filters

- Evotor catalog: background Celery task syncing stores/groups/products
  from Evotor API; UI pages with per-store and per-group sync toggles
- VK connection: manual token + group ID entry with inline test button
- Evotor connection: inline test button (calls /stores)
- VK catalog: background task syncing VK Market albums and products;
  separate catalog UI at /vk-catalog/albums
- SyncFilter extended to support entity_type=group with parent_entity_id
- Migration 0004: vk_cached_albums + vk_cached_products tables
- Beat schedule updated to run both refresh_catalog and refresh_vk_catalog
- README updated with new schema, routes, tasks, and config

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.env.example

@@ -0,0 +1,17 @@
+# Database
+DB_ROOT_PASSWORD=rootpassword
+DB_NAME=evosync
+DB_USER=evosync
+DB_PASSWORD=evosync
+
+# App
+SECRET_KEY=change-me-in-production
+BASE_URL=https://evosync.ru
+
+# Evotor
+EVOTOR_APP_ID=
+EVOTOR_WEBHOOK_SECRET=
+
+# Celery Flower
+FLOWER_USER=admin
+FLOWER_PASSWORD=changeme

.gitignore

@@ -13,3 +13,10 @@ run/test.log
 vk/whitelist
 logs/
 passwords.txt
+.env
+__pycache__/
+*.pyc
+certbot
+web-resources
+.coverage
+password|*

CHANGELOG.md

@@ -1,20 +0,0 @@
-# Changelog
-
-All notable changes to this project will be documented in this file.
-
-The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
-and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
-
-## [1.6.0] - 2025-06-15
-
-### Added
-- Initial changelog implementation
-- Version tracking system
-
-### Changed
-- Minor version bump from 1.5.2 to 1.6.0
-
-## [1.5.2] - Previous Release
-
-### Notes
-- Historical version before changelog implementation

Dockerfile.web

@@ -0,0 +1,16 @@
+FROM python:3.12-slim
+
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    PIP_NO_CACHE_DIR=1
+
+WORKDIR /app
+
+RUN apt-get update && apt-get install -y --no-install-recommends curl && rm -rf /var/lib/apt/lists/*
+
+COPY requirements.txt .
+RUN pip install --upgrade pip && pip install -r requirements.txt
+
+COPY . .
+
+CMD ["uvicorn", "web.main:app", "--host", "0.0.0.0", "--port", "8000"]

README.md

@@ -1,3 +1,226 @@
-# evo-sync
+# EvoSync
 
-evo-sync is a command-line synchronization tool that fetches product, group, and store data from the Evo platform and syncs it with VK (VKontakte).
+Web service for syncing a product catalog from Evotor POS → VK Market. Users connect their Evotor account and a VK community; products from the cash register then appear automatically in the VK store.
+
+---
+
+## Architecture
+
+```
+                        ┌─────────────────────────────────────────┐
+                        │              Docker Compose              │
+                        │                                         │
+  Browser / Evotor ─────►  web :8000  (FastAPI + Uvicorn)         │
+        :8080           │     │                                   │
+                        │     ├── MariaDB :3306  (primary DB)     │
+                        │     ├── Redis   :6379  (Celery broker)  │
+                        │     │                                   │
+                        │     ├── worker  (Celery worker)         │
+                        │     ├── beat    (Celery beat scheduler) │
+                        │     └── flower  :5555  (queue monitor)  │
+                        └─────────────────────────────────────────┘
+```
+
+### Services
+
+| Service  | Image / Dockerfile  | Purpose                                       | External port |
+|----------|---------------------|-----------------------------------------------|---------------|
+| `web`    | `Dockerfile.web`    | FastAPI app, runs Alembic migrations on start | 8080 → 8000   |
+| `worker` | `Dockerfile.web`    | Celery worker (sync, health, notifications…)  | —             |
+| `beat`   | `Dockerfile.web`    | Celery Beat — periodic task scheduler         | —             |
+| `flower` | `Dockerfile.web`    | Celery queue monitoring UI                    | 5555          |
+| `db`     | `mariadb:11.4`      | Primary relational database                   | —             |
+| `redis`  | `redis:7-alpine`    | Celery broker and result backend              | —             |
+
+### Stack
+
+- **Python 3.12**, FastAPI 0.115, Uvicorn
+- **SQLAlchemy 2** + Alembic, MariaDB (PyMySQL)
+- **Celery 5** + Redis — background tasks, periodic catalog sync
+- **Jinja2** — server-side HTML rendering (`web/templates/`)
+- **Pydantic Settings** — configuration from env vars / `.env`
+- bcrypt — password hashing
+- python-json-logger — structured JSON logs to stdout
+
+---
+
+## Database Schema
+
+| Table                 | Purpose                                                                              |
+|-----------------------|--------------------------------------------------------------------------------------|
+| `users`               | User accounts (roles: system / admin / user; statuses: pending / active / suspended) |
+| `evotor_connections`  | User ↔ Evotor link (access_token, api_token returned to Evotor webhooks)             |
+| `vk_connections`      | User ↔ VK link (user access token + VK community ID)                                 |
+| `sync_configs`        | Per-user sync settings                                                               |
+| `sync_filters`        | Store / group inclusion filters (entity_type: store / group)                         |
+| `cached_stores`       | Cached list of Evotor stores                                                         |
+| `cached_groups`       | Cached Evotor product groups                                                         |
+| `cached_products`     | Cached Evotor product catalog                                                        |
+| `vk_cached_albums`    | Cached VK Market albums (product groups)                                             |
+| `vk_cached_products`  | Cached VK Market products                                                            |
+| `roles`               | RBAC roles                                                                           |
+| `permissions`         | RBAC permissions                                                                     |
+| `role_permissions`    | M2M: role ↔ permission                                                               |
+| `user_roles`          | M2M: user ↔ role                                                                     |
+
+---
+
+## Background Tasks
+
+Periodic tasks run via **Celery Beat** and are executed by the **worker** service.
+
+| Task | Schedule | Description |
+|------|----------|-------------|
+| `web.tasks.catalog.refresh_catalog` | Every `CATALOG_REFRESH_INTERVAL_SECONDS` | Fetches stores, product groups, and products from the Evotor API for every connected user; upserts into `cached_stores`, `cached_groups`, `cached_products` |
+| `web.tasks.vk_catalog.refresh_vk_catalog` | Every `CATALOG_REFRESH_INTERVAL_SECONDS` | Fetches Market albums and products from VK API for every connected user; upserts into `vk_cached_albums`, `vk_cached_products` |
+
+**Evotor sync sequence per user:**
+1. `GET /stores` → upsert `cached_stores`
+2. For each store: `GET /stores/{id}/product-groups` → upsert `cached_groups`
+3. For each store: `GET /stores/{id}/products` → upsert `cached_products`
+
+**VK sync sequence per user:**
+1. `market.getAlbums` → upsert `vk_cached_albums`
+2. `market.get` (extended=1, paginated) → upsert `vk_cached_products` with album membership
+
+Per-user failures are logged and skipped — one broken token does not block other users.
+Evotor stores that return `402 Payment Required` (subscription limit) are silently skipped at debug log level.
+
+---
+
+## Routes
+
+### Connections
+
+| Method | Path                              | Description                              |
+|--------|-----------------------------------|------------------------------------------|
+| GET    | `/connections`                    | View Evotor and VK connection status     |
+| POST   | `/connections/evotor`             | Save / update Evotor API token manually  |
+| POST   | `/connections/evotor/disconnect`  | Remove Evotor connection                 |
+| POST   | `/connections/evotor/test`        | Test Evotor connection (JSON)            |
+| POST   | `/connections/vk`                 | Save / update VK token and group ID      |
+| POST   | `/connections/vk/disconnect`      | Remove VK connection                     |
+| POST   | `/connections/vk/test`            | Test VK connection (JSON)                |
+
+### Public / Authentication
+
+| Method   | Path               | Description                            |
+|----------|--------------------|----------------------------------------|
+| GET      | `/`                | Redirects to `/profile` or `/login`    |
+| GET      | `/health`          | Health check (JSON)                    |
+| GET/POST | `/register`        | User registration                      |
+| GET      | `/confirm-email`   | Email confirmation via token           |
+| GET      | `/resend-confirm`  | Resend confirmation email              |
+| GET/POST | `/login`           | Login                                  |
+| GET      | `/logout`          | Logout                                 |
+| GET/POST | `/forgot-password` | Request password reset                 |
+| GET/POST | `/reset-password`  | Reset password via token               |
+| GET/POST | `/invite`          | Complete registration via invite link  |
+
+### Profile (requires session)
+
+| Method   | Path                       | Description          |
+|----------|----------------------------|----------------------|
+| GET      | `/profile`                 | View profile         |
+| GET/POST | `/profile/edit`            | Edit profile         |
+| GET/POST | `/profile/change-password` | Change password      |
+| GET/POST | `/profile/delete`          | Delete account       |
+
+### Admin panel (`/admin`, roles: admin / system)
+
+| Method | Path                               | Description               |
+|--------|------------------------------------|---------------------------|
+| GET    | `/admin/users`                     | User list                 |
+| GET    | `/admin/users/{id}`                | User detail               |
+| POST   | `/admin/users/{id}/activate`       | Activate user             |
+| POST   | `/admin/users/{id}/suspend`        | Suspend user              |
+| POST   | `/admin/users/{id}/reset-password` | Reset user password       |
+| POST   | `/admin/users/{id}/send-invite`    | Send invite email         |
+| POST   | `/admin/users/{id}/edit`           | Edit user data            |
+| POST   | `/admin/users/{id}/delete`         | Delete user               |
+| GET    | `/admin/roles`                     | Roles and permissions     |
+| POST   | `/admin/roles/{id}/permissions`    | Update role permissions   |
+
+### Evotor Webhooks (Bearer `EVOTOR_WEBHOOK_SECRET`)
+
+| Method | Path           | Description                                               |
+|--------|----------------|-----------------------------------------------------------|
+| POST   | `/user/create` | Evotor creates/links a user; returns api_token            |
+| POST   | `/user/verify` | Evotor verifies user credentials; returns api_token       |
+| POST   | `/user/token`  | Evotor delivers its own access_token for a user           |
+
+### Evotor Catalog (requires session)
+
+| Method | Path                                              | Description                                |
+|--------|---------------------------------------------------|--------------------------------------------|
+| GET    | `/catalog`                                        | Redirects to `/catalog/stores`             |
+| GET    | `/catalog/stores`                                 | Evotor stores with per-store sync toggle   |
+| GET    | `/catalog/stores/{id}/groups`                     | Product groups with per-group sync toggle  |
+| GET    | `/catalog/stores/{id}/products`                   | Products (filterable by group)             |
+| POST   | `/catalog/stores/{id}/toggle`                     | Enable / disable store sync                |
+| POST   | `/catalog/stores/{id}/groups/{gid}/toggle`        | Enable / disable group sync                |
+
+### VK Catalog (requires session)
+
+| Method | Path                                  | Description                        |
+|--------|---------------------------------------|------------------------------------|
+| GET    | `/vk-catalog/albums`                  | VK Market albums (product groups)  |
+| GET    | `/vk-catalog/albums/{id}/products`    | Products in a VK album             |
+
+### API Docs
+
+| Path     | Description |
+|----------|-------------|
+| `/docs`  | Swagger UI  |
+| `/redoc` | ReDoc       |
+
+---
+
+## Configuration
+
+All settings are read from environment variables or a `.env` file:
+
+| Variable                           | Default                             | Description                           |
+|------------------------------------|-------------------------------------|---------------------------------------|
+| `DATABASE_URL`                     | `mysql+pymysql://…@db:3306/evosync` | MariaDB connection string             |
+| `REDIS_URL`                        | `redis://redis:6379/0`              | Redis connection string               |
+| `SECRET_KEY`                       | `change-me-in-production`           | Session signing key                   |
+| `BASE_URL`                         | `http://localhost:8000`             | Public URL of the service             |
+| `EVOTOR_APP_ID`                    | —                                   | Evotor application ID                 |
+| `EVOTOR_WEBHOOK_SECRET`            | —                                   | Bearer secret for webhook endpoints   |
+| `JIVOSITE_WIDGET_ID`               | —                                   | JivoSite widget ID                    |
+| `VK_DEFAULT_PHOTO_PATH`            | `/app/default_product.png`          | Fallback image path for VK products   |
+| `VK_API_VERSION`                   | `5.199`                             | VK API version                        |
+| `CATALOG_REFRESH_INTERVAL_SECONDS` | `3600`                              | Evotor + VK catalog sync interval (s) |
+| `INVITE_EXPIRE_HOURS`              | `48`                                | Invite link TTL in hours              |
+| `EMAIL_PROVIDER`                   | `console`                           | Email provider (console / smtp / …)   |
+| `SMS_PROVIDER`                     | `console`                           | SMS provider                          |
+| `FLOWER_USER` / `FLOWER_PASSWORD`  | `admin` / `changeme`                | Basic Auth credentials for Flower     |
+
+---
+
+## Running
+
+```bash
+cp .env.example .env   # fill in your values
+docker compose up -d --build
+```
+
+App is available at `http://localhost:8080`.  
+Flower (queue monitor) at `http://localhost:5555`.
+
+### Development
+
+```bash
+pip install -r requirements.txt
+alembic upgrade head
+uvicorn web.main:app --reload --port 8000
+```
+
+---
+
+## Tests
+
+```bash
+pytest --cov=web
+```

alembic.ini

@@ -0,0 +1,38 @@
+[alembic]
+script_location = web/migrations
+prepend_sys_path = .
+version_path_separator = os
+
+[loggers]
+keys = root,sqlalchemy,alembic
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = WARN
+handlers = console
+qualname =
+
+[logger_sqlalchemy]
+level = WARN
+handlers =
+qualname = sqlalchemy.engine
+
+[logger_alembic]
+level = INFO
+handlers =
+qualname = alembic
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = NOTSET
+formatter = generic
+
+[formatter_generic]
+format = %(levelname)-5.5s [%(name)s] %(message)s
+datefmt = %H:%M:%S

docker-compose.yml

@@ -0,0 +1,111 @@
+services:
+  db:
+    image: mariadb:11.4
+    restart: unless-stopped
+    environment:
+      MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASSWORD}
+      MYSQL_DATABASE: ${DB_NAME}
+      MYSQL_USER: ${DB_USER}
+      MYSQL_PASSWORD: ${DB_PASSWORD}
+    volumes:
+      - db_data:/var/lib/mysql
+    healthcheck:
+      test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
+      interval: 10s
+      timeout: 5s
+      retries: 10
+      start_period: 30s
+
+  redis:
+    image: redis:7-alpine
+    restart: unless-stopped
+    command: redis-server --save 60 1 --loglevel warning
+    volumes:
+      - redis_data:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 5s
+      timeout: 3s
+      retries: 5
+
+  web:
+    build:
+      context: .
+      dockerfile: Dockerfile.web
+    restart: unless-stopped
+    ports:
+      - "8080:8000"
+    environment:
+      DATABASE_URL: mysql+pymysql://${DB_USER}:${DB_PASSWORD}@db:3306/${DB_NAME}
+      REDIS_URL: redis://redis:6379/0
+      SECRET_KEY: ${SECRET_KEY:-change-me-in-production}
+      BASE_URL: ${BASE_URL:-https://evosync.ru}
+      EVOTOR_APP_ID: ${EVOTOR_APP_ID:-}
+      EVOTOR_WEBHOOK_SECRET: ${EVOTOR_WEBHOOK_SECRET:-}
+      JIVOSITE_WIDGET_ID: ${JIVOSITE_WIDGET_ID:-}
+      VK_DEFAULT_PHOTO_PATH: /app/default_product.png
+    volumes:
+      - ./5393364294319597854.png:/app/default_product.png:ro
+    depends_on:
+      db:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+    command: >
+      sh -c "alembic upgrade head && uvicorn web.main:app --host 0.0.0.0 --port 8000"
+
+  worker:
+    build:
+      context: .
+      dockerfile: Dockerfile.web
+    restart: unless-stopped
+    environment:
+      DATABASE_URL: mysql+pymysql://${DB_USER}:${DB_PASSWORD}@db:3306/${DB_NAME}
+      REDIS_URL: redis://redis:6379/0
+      SECRET_KEY: ${SECRET_KEY:-change-me-in-production}
+      EVOTOR_APP_ID: ${EVOTOR_APP_ID:-}
+      EVOTOR_WEBHOOK_SECRET: ${EVOTOR_WEBHOOK_SECRET:-}
+      VK_DEFAULT_PHOTO_PATH: /app/default_product.png
+    volumes:
+      - ./5393364294319597854.png:/app/default_product.png:ro
+    depends_on:
+      redis:
+        condition: service_healthy
+      db:
+        condition: service_healthy
+    command: celery -A web.tasks.celery_app worker --loglevel=info --concurrency=2 --queues=default,sync,health,notifications -E
+
+  beat:
+    build:
+      context: .
+      dockerfile: Dockerfile.web
+    restart: unless-stopped
+    environment:
+      DATABASE_URL: mysql+pymysql://${DB_USER}:${DB_PASSWORD}@db:3306/${DB_NAME}
+      REDIS_URL: redis://redis:6379/0
+      SECRET_KEY: ${SECRET_KEY:-change-me-in-production}
+      CATALOG_REFRESH_INTERVAL_SECONDS: ${CATALOG_REFRESH_INTERVAL_SECONDS:-3600}
+    depends_on:
+      redis:
+        condition: service_healthy
+      db:
+        condition: service_healthy
+    command: celery -A web.tasks.celery_app beat --loglevel=info --scheduler celery.beat:PersistentScheduler --schedule /tmp/celerybeat-schedule
+
+  flower:
+    build:
+      context: .
+      dockerfile: Dockerfile.web
+    restart: unless-stopped
+    ports:
+      - "5555:5555"
+    environment:
+      REDIS_URL: redis://redis:6379/0
+      FLOWER_BASIC_AUTH: ${FLOWER_USER:-admin}:${FLOWER_PASSWORD:-changeme}
+    depends_on:
+      - redis
+    command: celery -A web.tasks.celery_app flower --port=5555 --basic_auth=${FLOWER_USER:-admin}:${FLOWER_PASSWORD:-changeme}
+
+volumes:
+  db_data:
+  redis_data:

docker-entrypoint.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+set -e
+alembic upgrade head
+exec uvicorn web.main:app --host 0.0.0.0 --port 8000

docs/PLAN_evotor_user_lifecycle.md

@@ -0,0 +1,296 @@
+# Plan: Evotor User Lifecycle + RBAC + Admin Panel
+
+## Context
+
+Evotor (Russian POS ecosystem) sends webhook calls to register and verify users who buy the EvoSync app on their marketplace. Currently the web app has no webhook receivers for user lifecycle events, no role-based access control, and no admin panel. We need to:
+
+1. Receive Evotor user webhooks (`/user/create`, `/user/verify`, `/user/token`)
+2. Create users in `pending` status, link them to a local account, send an invite to set password
+3. Abstract email/SMS providers (no concrete provider chosen yet — console output for now)
+4. Add role-based access control (system / admin / user) with a full roles+permissions table structure
+5. Build an admin panel for user management
+6. Extend the user profile card with role/status/Evotor metadata
+
+**Target:** Python/FastAPI on current HEAD (`15a362c`). The v3 scaffold is minimal — `main.py` is a bare FastAPI app, `web/models/` is empty, `web/tasks/celery_app.py` is a stub.
+
+**Reference:** The Node.js commit `854c912` has all existing features (auth, profile, catalog, sync) — use it as the schema and UI reference for porting.
+
+---
+
+## Architecture Decisions
+
+- **Session:** Starlette `SessionMiddleware` (already a FastAPI dep) — `request.session["user_id"]` cookie, mirroring Node.js pattern. No extra package.
+- **RBAC:** `role` enum directly on `users` table (fast path in middleware) **plus** `roles` / `permissions` / `user_roles` / `role_permissions` tables for fine-grained, admin-configurable permissions.
+- **Evotor app token:** Store a random UUID token in `evotor_connections.api_token` (new column). No `itsdangerous` dependency needed. Return this token in webhook responses.
+- **`password_hash` nullable:** Users arriving via `/user/create` have no password yet; they set it via invite link. Migration must `ALTER COLUMN` to allow NULL.
+- **Notifications:** Celery tasks on a new `notifications` queue → abstract `EmailProvider`/`SMSProvider` → `ConsoleEmailProvider`/`ConsoleSMSProvider` by default.
+- **Migrations:** Three incremental migrations. 0002 creates the full schema (conditionally, since live DB may have Node.js tables). 0003 creates RBAC tables + seeds default roles/permissions. 0004 is optional seed for a system user.
+
+---
+
+## File Structure
+
+```
+web/
+├── main.py                          — add SessionMiddleware, Jinja2, static, router includes
+├── config.py                        — add INVITE_EXPIRE_HOURS, EMAIL_PROVIDER, SMS_PROVIDER
+├── database.py                      — add get_db() dependency (sync Session)
+├── templates_env.py                 — NEW: Jinja2Templates singleton with datefmt/price filters
+│
+├── models/
+│   ├── __init__.py                  — import all models (for Alembic autogenerate)
+│   ├── user.py                      — NEW: User, UserRoleEnum, UserStatusEnum
+│   ├── rbac.py                      — NEW: Role, Permission, role_permissions, UserRole
+│   └── connections.py               — NEW: EvotorConnection, VkConnection, SyncConfig, etc.
+│
+├── auth/
+│   ├── __init__.py
+│   ├── session.py                   — NEW: get_current_user() helper, session utils
+│   ├── password.py                  — NEW: hash_password(), verify_password() via passlib
+│   └── rbac.py                      — NEW: require_role(), require_permission() FastAPI deps
+│
+├── notifications/
+│   ├── __init__.py
+│   ├── base.py                      — NEW: abstract EmailProvider, SMSProvider
+│   ├── console.py                   — NEW: ConsoleEmailProvider, ConsoleSMSProvider
+│   ├── registry.py                  — NEW: get_email_provider(), get_sms_provider() factories
+│   └── tasks.py                     — NEW: send_email_task, send_sms_task Celery tasks
+│
+├── routes/
+│   ├── __init__.py
+│   ├── auth.py                      — NEW: register, login, logout, confirm-email
+│   ├── reset.py                     — NEW: forgot-password, reset-password
+│   ├── invite.py                    — NEW: GET/POST /invite (Evotor invite flow)
+│   ├── profile.py                   — NEW: /profile, /profile/edit, change-password, delete
+│   ├── connections.py               — NEW: /connections (port from Node.js)
+│   ├── evotor.py                    — NEW: /evotor UI + /evotor/token (port from Node.js)
+│   ├── evotor_webhooks.py           — NEW: POST /user/create, /user/verify, /user/token
+│   ├── vk.py                        — NEW: /vk + /vk/callback (port from Node.js)
+│   ├── catalog.py                   — NEW: /catalog (port from Node.js)
+│   ├── sync.py                      — NEW: /sync (port from Node.js)
+│   └── admin.py                     — NEW: /admin/* panel
+│
+├── tasks/
+│   ├── celery_app.py                — add notifications queue + route
+│   ├── sync.py                      — NEW: sync Celery tasks
+│   └── health.py                    — NEW: health-check tasks
+│
+├── templates/
+│   ├── base.html                    — port base.njk; nav shows Admin link if role=admin/system
+│   ├── login.html, register.html, confirm_email.html, email_confirmed.html
+│   ├── forgot_password.html, reset_password.html
+│   ├── invite.html                  — NEW: set-password form for invite flow
+│   ├── message.html, profile_view.html, profile_edit.html
+│   ├── profile_change_password.html, profile_delete.html
+│   ├── connections.html, connections_add.html
+│   ├── evotor.html, vk.html, vk_callback.html
+│   ├── catalog_stores.html, catalog_groups.html, catalog_products.html
+│   ├── sync.html
+│   └── admin/
+│       ├── users.html               — paginated user list with filters
+│       ├── user_detail.html         — user card + Evotor meta JSON + action buttons
+│       └── roles.html               — roles and permission assignment
+│
+├── static/
+│   └── style.css                    — port from 854c912:web/static/style.css
+│
+└── migrations/versions/
+    ├── 0001_initial.py              — exists (empty placeholder)
+    ├── 0002_users_and_connections.py — NEW: full schema + new user fields
+    ├── 0003_rbac_tables.py          — NEW: RBAC tables + seed roles/permissions
+    └── 0004_seed_system_user.py     — NEW (optional): seed system user from env vars
+```
+
+---
+
+## DB Schema Additions
+
+### `web/models/user.py`
+
+```python
+class UserRoleEnum(str, enum.Enum):
+    system = "system"
+    admin = "admin"
+    user = "user"
+
+class UserStatusEnum(str, enum.Enum):
+    pending = "pending"
+    active = "active"
+    suspended = "suspended"
+
+class User(Base):
+    __tablename__ = "users"
+    # existing fields (port from 854c912 schema.ts)
+    id, first_name, last_name, email, phone
+    password_hash = Column(String(255), nullable=True)   # nullable: invite flow
+    is_email_confirmed, email_confirm_token
+    password_reset_token, password_reset_expires
+    created_at, updated_at
+    # new fields
+    role     = Column(Enum(UserRoleEnum), default=UserRoleEnum.user, index=True)
+    status   = Column(Enum(UserStatusEnum), default=UserStatusEnum.pending, index=True)
+    evotor_user_id  = Column(String(255), unique=True, nullable=True)
+    evotor_meta     = Column(JSON, nullable=True)
+    invite_token    = Column(String(255), nullable=True)
+    invite_expires  = Column(DateTime, nullable=True)
+    phone_otp       = Column(String(10), nullable=True)
+    phone_otp_expires = Column(DateTime, nullable=True)
+```
+
+### `web/models/connections.py`
+
+Port all tables from `854c912:web/src/db/schema.ts` verbatim:
+`evotor_connections` (add `api_token varchar(255)` column for our app token), `vk_connections`, `sync_configs`, `sync_filters`, `cached_stores`, `cached_groups`, `cached_products`.
+
+### `web/models/rbac.py`
+
+```python
+class Role(Base):           # name: system/admin/user
+class Permission(Base):     # name: e.g. "admin.users.edit"
+role_permissions = Table(...)   # join table Role ↔ Permission
+class UserRole(Base):       # join table User ↔ Role (fine-grained assignment)
+```
+
+---
+
+## Route List
+
+### Evotor Webhooks (`web/routes/evotor_webhooks.py`)
+| Method | Path | Auth |
+|--------|------|------|
+| POST | `/user/create` | Bearer `EVOTOR_WEBHOOK_SECRET` |
+| POST | `/user/verify` | Bearer `EVOTOR_WEBHOOK_SECRET` |
+| POST | `/user/token`  | Bearer `EVOTOR_WEBHOOK_SECRET` |
+
+**`/user/create` flow:**
+1. Verify Bearer token (401 if wrong, skip check if secret is unset — dev mode)
+2. Parse `{userId, customField}` — attempt JSON parse of `customField`; extract `email`, `phone`, `first_name`, `last_name`
+3. Try to find existing user by email → phone → `evotor_user_id`
+4. If found: set `evotor_user_id`, update `evotor_meta`, set `status=active` if was pending
+5. If not found: create `User(status=pending, role=user, evotor_user_id=..., password_hash=None)`
+6. Generate `invite_token = secrets.token_urlsafe(32)`, `invite_expires = now + 48h`
+7. Dispatch `send_email_task.delay(email, "Приглашение в ЭвоСинк", html)` via Celery
+8. Generate a random `api_token = secrets.token_urlsafe(32)`, upsert into `evotor_connections`
+9. Return `{"userId": payload.userId, "token": api_token}`
+
+**`/user/verify` flow:**
+1. Verify Bearer; parse `{userId, username, password}`
+2. Find user by email OR phone (username field)
+3. Check: `password_hash` not None, status not suspended, `verify_password(password, hash)`
+4. Return `{"userId": user.evotor_user_id, "token": evotor_connection.api_token}`
+
+**`/user/token` flow:**
+1. Verify Bearer; parse `{userId, token}`
+2. Find user by `evotor_user_id`; upsert `evotor_connections.access_token = token`
+3. Return HTTP 200 `{}`
+
+### Admin Panel (`web/routes/admin.py`) — all require `Depends(require_role("admin", "system"))`
+| Method | Path |
+|--------|------|
+| GET    | `/admin/users` — paginated list with role/status/search filters |
+| GET    | `/admin/users/{id}` — user card, evotor_meta JSON display |
+| POST   | `/admin/users/{id}/activate` — set status=active |
+| POST   | `/admin/users/{id}/suspend`  — set status=suspended |
+| POST   | `/admin/users/{id}/reset-password` — generate token, dispatch email task |
+| POST   | `/admin/users/{id}/send-invite`    — regenerate invite_token, dispatch email task |
+| POST   | `/admin/users/{id}/edit`    — update name/email/phone/role |
+| POST   | `/admin/users/{id}/delete`  — hard delete (system only) |
+| GET    | `/admin/roles`              — role + permission list (system only) |
+| POST   | `/admin/roles/{id}/permissions` — set permissions for role |
+
+### User Profile (`web/routes/profile.py`)
+Extend existing profile card with: `role`, `status`, Evotor connection info, "Confirm email" action (if `is_email_confirmed=False`).
+
+### Auth/Invite (new)
+| Method | Path |
+|--------|------|
+| GET/POST | `/invite?token=...` — Evotor-invited user sets password + activates account |
+
+---
+
+## Notifications Layer
+
+```python
+# base.py
+class EmailProvider(ABC):
+    @abstractmethod
+    def send(self, to: str, subject: str, html_body: str) -> None: ...
+
+class SMSProvider(ABC):
+    @abstractmethod
+    def send(self, to: str, text: str) -> None: ...
+
+# console.py — prints formatted block to stdout (like Node.js "="*40 pattern)
+# registry.py — factory: EMAIL_PROVIDER env var selects implementation
+# tasks.py
+@celery_app.task(queue="notifications")
+def send_email_task(to, subject, html_body): get_email_provider().send(...)
+
+@celery_app.task(queue="notifications")
+def send_sms_task(to, text): get_sms_provider().send(...)
+```
+
+Add to docker-compose worker command: `--queues=default,sync,health,notifications`
+
+---
+
+## RBAC Middleware
+
+```python
+# auth/rbac.py
+def require_role(*roles):
+    def dep(request, db=Depends(get_db)):
+        user = get_current_user(request, db)
+        if user.role.value not in roles: raise HTTPException(403)
+        return user
+    return Depends(dep)
+
+def require_permission(permission_name):
+    def dep(request, db=Depends(get_db)):
+        user = get_current_user(request, db)
+        if user.role == UserRoleEnum.system: return user  # bypass
+        # walk user_roles → role_permissions → permissions
+        ...
+    return Depends(dep)
+```
+
+---
+
+## Migration Strategy
+
+**0002:** Full schema (conditionally — `IF NOT EXISTS` / `ADD COLUMN IF NOT EXISTS` for live DBs with Node.js tables). Includes `ALTER COLUMN password_hash` to nullable. Adds `api_token` to `evotor_connections`. Adds `role`, `status`, `evotor_user_id`, `evotor_meta`, `invite_token`, `invite_expires`, `phone_otp`, `phone_otp_expires` to `users`.
+
+**0003:** RBAC tables (`roles`, `permissions`, `role_permissions`, `user_roles`). Seeds three default Role rows and baseline permission set (`admin.users.view`, `admin.users.edit`, `admin.users.delete`, `admin.roles.manage`).
+
+**0004 (optional):** Seeds a system user from `SYSTEM_USER_EMAIL` / `SYSTEM_USER_PASSWORD` env vars.
+
+---
+
+## Order of Implementation
+
+1. **Models** — `user.py`, `connections.py`, `rbac.py`, `__init__.py`
+2. **Migrations** — 0002, 0003 (run `alembic upgrade head` to verify)
+3. **Auth foundation** — `auth/password.py`, `auth/session.py`, `templates_env.py`, update `main.py`
+4. **Core auth routes** — `routes/auth.py`, `routes/reset.py` + templates (`base.html`, login, register, etc.)
+5. **Notifications** — `notifications/` package + `tasks.py` + update `celery_app.py`
+6. **Invite flow** — `routes/invite.py` + `invite.html`
+7. **Evotor webhooks** — `routes/evotor_webhooks.py` (the most novel piece)
+8. **Profile + Connections** — port from Node.js `854c912`
+9. **RBAC middleware** — `auth/rbac.py`
+10. **Admin panel** — `routes/admin.py` + admin templates
+11. **Catalog + Sync** — port remaining routes and Celery tasks from Node.js
+
+---
+
+## Verification
+
+1. `alembic upgrade head` — all migrations run clean on a fresh DB
+2. `POST /user/create` with `curl` + Bearer token → check user created in DB, invite email printed to console
+3. `GET /invite?token=<token>` → set password → check `status=active`, `is_email_confirmed=True`
+4. `POST /login` with the set password → session created, redirect to `/profile`
+5. `POST /user/verify` with username+password → returns `{userId, token}`
+6. `POST /user/token` with `{userId, token}` → 200, evotor_connection updated
+7. Login as admin user, visit `/admin/users` — user list renders
+8. Admin activates/suspends a user — status changes in DB
+9. `POST /login` as suspended user → rejected
+10. `uvicorn web.main:app --reload` — no import errors, health check returns 200

nginx/nginx.conf

@@ -0,0 +1,36 @@
+upstream web {
+    server 127.0.0.1:8080;
+}
+
+server {
+    listen 80;
+    server_name evosync.ru www.evosync.ru;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name evosync.ru www.evosync.ru;
+
+    ssl_certificate /etc/letsencrypt/live/evosync.ru/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/evosync.ru/privkey.pem;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+
+    location / {
+        proxy_pass http://web;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}

pyproject.toml

@@ -0,0 +1,11 @@
+[tool.pytest.ini_options]
+asyncio_mode = "auto"
+testpaths = ["tests"]
+addopts = "--tb=short"
+
+[tool.coverage.run]
+source = ["web"]
+omit = ["web/migrations/*"]
+
+[tool.coverage.report]
+show_missing = true

requirements.txt

@@ -0,0 +1,20 @@
+fastapi==0.115.5
+uvicorn[standard]==0.32.1
+python-multipart==0.0.12
+jinja2==3.1.4
+sqlalchemy==2.0.36
+alembic==1.14.0
+pymysql==1.1.1
+itsdangerous>=2.1.0
+cryptography>=44.0.0
+bcrypt>=4.2.1
+pydantic-settings==2.6.1
+httpx==0.28.1
+celery[redis]==5.4.0
+redis==5.2.1
+flower==2.0.1
+python-json-logger==3.2.1
+pytest==8.3.4
+pytest-asyncio==0.24.0
+pytest-cov==6.0.0
+factory-boy==3.3.1

run/read_config.py

@@ -0,0 +1,65 @@
+#!/usr/bin/env python3
+"""
+Read sync configuration for a user from the database and output JSON.
+Usage: python run/read_config.py <user_id>
+
+Output JSON structure:
+{
+    "enabled": true,
+    "confirmed": true,
+    "filters": {
+        "stores": [{"id": "...", "name": "...", "mode": "include"}],
+        "groups": [{"id": "...", "name": "...", "mode": "include", "parent_store_id": "..."}],
+        "products": [{"id": "...", "name": "...", "mode": "exclude", "parent_group_id": "..."}]
+    }
+}
+"""
+import json
+import sys
+import os
+
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), ".."))
+
+from web.database import SessionLocal
+from web.models import SyncConfig, SyncFilter
+
+
+def read_config(user_id: int) -> dict:
+    db = SessionLocal()
+    try:
+        config = db.query(SyncConfig).filter(SyncConfig.user_id == user_id).first()
+        if not config:
+            return {"enabled": False, "confirmed": False, "filters": {"stores": [], "groups": [], "products": []}}
+
+        enabled = config.is_enabled
+        confirmed = config.confirmed_at is not None
+
+        stores = []
+        groups = []
+        products = []
+
+        for f in config.filters:
+            entry = {"id": f.entity_id, "name": f.entity_name, "mode": f.filter_mode}
+            if f.entity_type == "store":
+                stores.append(entry)
+            elif f.entity_type == "group":
+                stores.append({**entry, "parent_store_id": f.parent_entity_id})
+            elif f.entity_type == "product":
+                products.append({**entry, "parent_group_id": f.parent_entity_id})
+
+        return {
+            "enabled": enabled,
+            "confirmed": confirmed,
+            "filters": {"stores": stores, "groups": groups, "products": products},
+        }
+    finally:
+        db.close()
+
+
+if __name__ == "__main__":
+    if len(sys.argv) != 2:
+        print("Usage: read_config.py <user_id>", file=sys.stderr)
+        sys.exit(1)
+
+    user_id = int(sys.argv[1])
+    print(json.dumps(read_config(user_id), ensure_ascii=False, indent=2))

scripts/create_admin.py

@@ -0,0 +1,78 @@
+"""
+Create (or promote) an admin user with all permissions.
+
+Usage:
+    python -m scripts.create_admin --email admin@example.com --password secret
+    python -m scripts.create_admin --email admin@example.com --password secret --role system
+"""
+import argparse
+import sys
+
+from web.auth.password import hash_password
+from web.database import SessionLocal
+from web.models.rbac import Permission, Role, UserRole, role_permissions
+from web.models.user import User, UserRoleEnum, UserStatusEnum
+
+
+def main() -> None:
+    parser = argparse.ArgumentParser()
+    parser.add_argument("--email", required=True)
+    parser.add_argument("--password", required=True)
+    parser.add_argument("--first-name", default="Admin")
+    parser.add_argument("--last-name", default="")
+    parser.add_argument("--phone", default="")
+    parser.add_argument("--role", default="system", choices=["admin", "system"])
+    args = parser.parse_args()
+
+    db = SessionLocal()
+    try:
+        user = db.query(User).filter(User.email == args.email).first()
+        if user:
+            user.role = UserRoleEnum(args.role)
+            user.status = UserStatusEnum.active
+            user.is_email_confirmed = True
+            user.password_hash = hash_password(args.password)
+            print(f"Updated existing user: {args.email} → role={args.role}")
+        else:
+            user = User(
+                first_name=args.first_name,
+                last_name=args.last_name,
+                email=args.email,
+                phone=args.phone,
+                password_hash=hash_password(args.password),
+                role=UserRoleEnum(args.role),
+                status=UserStatusEnum.active,
+                is_email_confirmed=True,
+            )
+            db.add(user)
+            db.flush()
+            print(f"Created user: {args.email} role={args.role}")
+
+        # Assign all permissions via the system role
+        system_role = db.query(Role).filter(Role.name == args.role).first()
+        if system_role:
+            existing = db.query(UserRole).filter(
+                UserRole.user_id == user.id,
+                UserRole.role_id == system_role.id,
+            ).first()
+            if not existing:
+                db.add(UserRole(user_id=user.id, role_id=system_role.id))
+
+        db.commit()
+
+        # Report permissions this user now has
+        perms = (
+            db.query(Permission.name)
+            .join(role_permissions, Permission.id == role_permissions.c.permission_id)
+            .join(UserRole, UserRole.role_id == role_permissions.c.role_id)
+            .filter(UserRole.user_id == user.id)
+            .all()
+        )
+        print("Permissions:", [p.name for p in perms] or "(inherited via role)")
+
+    finally:
+        db.close()
+
+
+if __name__ == "__main__":
+    main()

scripts/evotor-get-token.sh

@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+# Obtain an Evotor developer access token via password grant (no browser required).
+# Uses dev.evotor.ru credentials (your Evotor developer account).
+#
+# Usage: ./scripts/evotor-get-token.sh
+
+set -euo pipefail
+
+# Load .env if present
+if [[ -f .env ]]; then
+    set -a; source .env; set +a
+fi
+
+EVOTOR_TOKEN_URL="https://dev.evotor.ru/oauth/token"
+
+# Prompt for credentials
+read -rp "Evotor developer login (email): " EVOTOR_LOGIN
+read -rsp "Evotor developer password: " EVOTOR_PASSWORD
+echo
+
+echo
+echo "A 2FA code will be sent to your email if this IP is not recognized."
+read -rp "2FA code (leave blank if not required): " EVOTOR_2FA
+
+# Build request body
+BODY="type=LOGIN&grant_type=password&client_id=Evo-UI&username=$(python3 -c "import urllib.parse,sys; print(urllib.parse.quote(sys.argv[1]))" "$EVOTOR_LOGIN")&password=$(python3 -c "import urllib.parse,sys; print(urllib.parse.quote(sys.argv[1]))" "$EVOTOR_PASSWORD")"
+
+EXTRA_HEADERS=()
+if [[ -n "$EVOTOR_2FA" ]]; then
+    EXTRA_HEADERS+=(-H "2fa_confirmation: $EVOTOR_2FA")
+fi
+
+echo
+echo "Requesting token..."
+RESPONSE=$(curl -s -X POST "$EVOTOR_TOKEN_URL" \
+    -H "Content-Type: application/x-www-form-urlencoded" \
+    "${EXTRA_HEADERS[@]}" \
+    -d "$BODY")
+
+echo
+echo "Response:"
+echo "$RESPONSE" | python3 -m json.tool 2>/dev/null || echo "$RESPONSE"
+
+ACCESS_TOKEN=$(echo "$RESPONSE" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('access_token',''))" 2>/dev/null || true)
+
+if [[ -z "$ACCESS_TOKEN" ]]; then
+    echo
+    echo "ERROR: No access_token in response." >&2
+    exit 1
+fi
+
+echo
+echo "Access token:"
+echo "$ACCESS_TOKEN"
+echo
+echo "To save this token to .env, add or update:"
+echo "  EVOTOR_ACCESS_TOKEN=$ACCESS_TOKEN"

scripts/init-letsencrypt.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+# Obtain TLS certificates from Let's Encrypt for evosync.ru
+# Run once on first deploy: sudo ./scripts/init-letsencrypt.sh
+# Requires nginx running on the host with acme-challenge location configured
+
+set -euo pipefail
+
+DOMAIN="evosync.ru"
+EMAIL="${LETSENCRYPT_EMAIL:-admin@evosync.ru}"
+CERTBOT_DIR="./certbot"
+ACME_DIR="/var/www/certbot"
+
+echo "==> Creating certbot directories..."
+mkdir -p "$CERTBOT_DIR/conf" "$CERTBOT_DIR/www"
+
+echo "==> Ensuring acme-challenge directory exists on host..."
+sudo mkdir -p "$ACME_DIR"
+sudo chmod 755 "$ACME_DIR"
+
+echo "==> Requesting certificate from Let's Encrypt..."
+sudo certbot certonly \
+    --webroot \
+    --webroot-path="$ACME_DIR" \
+    --email "$EMAIL" \
+    --agree-tos \
+    --no-eff-email \
+    -d "$DOMAIN" \
+    -d "www.$DOMAIN"
+
+echo "==> Copying certificates to project directory..."
+sudo cp "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" "$CERTBOT_DIR/conf/fullchain.pem"
+sudo cp "/etc/letsencrypt/live/$DOMAIN/privkey.pem" "$CERTBOT_DIR/conf/privkey.pem"
+sudo chown "$(whoami):$(whoami)" "$CERTBOT_DIR/conf"/*.pem
+
+echo "==> Done! TLS certificate installed for $DOMAIN"
+echo ""
+echo "Certificate files:"
+echo "  - $CERTBOT_DIR/conf/fullchain.pem"
+echo "  - $CERTBOT_DIR/conf/privkey.pem"
+echo ""
+echo "Configure nginx:"
+echo "  ssl_certificate $CERTBOT_DIR/conf/fullchain.pem;"
+echo "  ssl_certificate_key $CERTBOT_DIR/conf/privkey.pem;"
+echo ""
+echo "Set up auto-renewal with: sudo crontab -e"
+echo "Add: 0 3 * * * certbot renew --quiet && systemctl reload nginx"

scripts/release.sh

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+#
+# Release script: bump version, generate changelog, commit, and tag.
+#
+# Usage:
+#   ./scripts/release.sh <major|minor|patch>
+#   ./scripts/release.sh 2.0.0          # explicit version
+#
+set -euo pipefail
+
+VERSION_FILE="version"
+
+current_version=$(cat "$VERSION_FILE")
+echo "Current version: $current_version"
+
+IFS='.' read -r major minor patch <<< "$current_version"
+
+case "${1:-}" in
+    major) new_version="$((major + 1)).0.0" ;;
+    minor) new_version="${major}.$((minor + 1)).0" ;;
+    patch) new_version="${major}.${minor}.$((patch + 1))" ;;
+    "")
+        echo "Usage: $0 <major|minor|patch|VERSION>"
+        exit 1
+        ;;
+    *)
+        # Validate explicit semver
+        if [[ ! "$1" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            echo "Error: '$1' is not a valid semver (X.Y.Z)"
+            exit 1
+        fi
+        new_version="$1"
+        ;;
+esac
+
+echo "Bumping to: $new_version"
+
+# Update version file
+echo "$new_version" > "$VERSION_FILE"
+
+# Generate changelog
+git-cliff --tag "v${new_version}" --output CHANGELOG.md
+
+# Commit and tag
+git add "$VERSION_FILE" CHANGELOG.md
+git commit -m "chore(release): v${new_version}"
+git tag "v${new_version}"
+
+echo ""
+echo "Released v${new_version}"
+echo "Don't forget to push: git push && git push --tags"

tests/conftest.py

@@ -0,0 +1,103 @@
+import pytest
+import factory
+from httpx import ASGITransport, AsyncClient
+from sqlalchemy import create_engine
+from sqlalchemy.orm import sessionmaker
+
+import web.models  # noqa: F401 — ensure all tables are registered on Base.metadata
+from web.auth.password import hash_password
+from web.database import Base, get_db
+from web.main import app
+from web.models.user import User, UserRoleEnum, UserStatusEnum
+
+
+# ── Database fixtures ─────────────────────────────────────────────────────────
+
+@pytest.fixture(scope="session")
+def engine():
+    eng = create_engine(
+        "sqlite:///:memory:",
+        echo=False,
+        connect_args={"check_same_thread": False},
+    )
+    Base.metadata.create_all(eng)
+    yield eng
+    Base.metadata.drop_all(eng)
+
+
+@pytest.fixture
+def db_session(engine):
+    connection = engine.connect()
+    transaction = connection.begin()
+    Session = sessionmaker(bind=connection)
+    session = Session()
+    yield session
+    session.close()
+    transaction.rollback()
+    connection.close()
+
+
+@pytest.fixture
+def override_db(db_session):
+    """Override FastAPI's get_db dependency with the transactional test session."""
+    app.dependency_overrides[get_db] = lambda: db_session
+    yield db_session
+    app.dependency_overrides.clear()
+
+
+# ── HTTP client ───────────────────────────────────────────────────────────────
+
+@pytest.fixture
+async def client(override_db):
+    async with AsyncClient(
+        transport=ASGITransport(app=app),
+        base_url="http://test",
+    ) as c:
+        yield c
+
+
+# ── Factories ─────────────────────────────────────────────────────────────────
+
+class UserFactory(factory.alchemy.SQLAlchemyModelFactory):
+    class Meta:
+        model = User
+        sqlalchemy_session_persistence = "commit"
+
+    first_name = factory.Faker("first_name")
+    last_name = factory.Faker("last_name")
+    email = factory.Sequence(lambda n: f"user{n}@test.com")
+    phone = factory.Sequence(lambda n: f"+7900{n:07d}")
+    password_hash = factory.LazyFunction(lambda: hash_password("testpass123"))
+    status = UserStatusEnum.active
+    is_email_confirmed = True
+    role = UserRoleEnum.user
+
+
+@pytest.fixture
+def user_factory(db_session):
+    UserFactory._meta.sqlalchemy_session = db_session
+    return UserFactory
+
+
+@pytest.fixture
+def active_user(user_factory):
+    return user_factory.create()
+
+
+@pytest.fixture
+def admin_user(user_factory):
+    return user_factory.create(role=UserRoleEnum.admin)
+
+
+@pytest.fixture
+def system_user(user_factory):
+    return user_factory.create(role=UserRoleEnum.system)
+
+
+@pytest.fixture
+def pending_user(user_factory):
+    return user_factory.create(
+        status=UserStatusEnum.pending,
+        is_email_confirmed=False,
+        password_hash=None,
+    )

tests/test_auth_password.py

@@ -0,0 +1,26 @@
+from web.auth.password import hash_password, verify_password
+
+
+def test_hash_is_not_plaintext():
+    h = hash_password("secret123")
+    assert h != "secret123"
+    assert len(h) > 20
+
+
+def test_verify_correct_password():
+    h = hash_password("mysecret")
+    assert verify_password("mysecret", h) is True
+
+
+def test_verify_wrong_password():
+    h = hash_password("mysecret")
+    assert verify_password("wrongpassword", h) is False
+
+
+def test_two_hashes_differ():
+    # bcrypt uses random salt — same plaintext produces different hashes
+    h1 = hash_password("same")
+    h2 = hash_password("same")
+    assert h1 != h2
+    assert verify_password("same", h1)
+    assert verify_password("same", h2)

tests/test_health.py

@@ -0,0 +1,12 @@
+import pytest
+from httpx import ASGITransport, AsyncClient
+
+from web.main import app
+
+
+@pytest.mark.asyncio
+async def test_health_returns_ok():
+    async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as client:
+        resp = await client.get("/health")
+    assert resp.status_code == 200
+    assert resp.json() == {"status": "ok"}

tests/test_notifications.py

@@ -0,0 +1,47 @@
+import logging
+
+import pytest
+
+from web.notifications.console import ConsoleEmailProvider, ConsoleSMSProvider
+from web.notifications.registry import get_email_provider, get_sms_provider
+
+
+def test_console_email_logs(caplog):
+    provider = ConsoleEmailProvider()
+    with caplog.at_level(logging.INFO, logger="web.notifications.console"):
+        provider.send("user@example.com", "Тест", '<a href="http://example.com/link">click</a>')
+    assert "user@example.com" in caplog.text
+    assert "Тест" in caplog.text
+    assert "http://example.com/link" in caplog.text
+
+
+def test_console_sms_logs(caplog):
+    provider = ConsoleSMSProvider()
+    with caplog.at_level(logging.INFO, logger="web.notifications.console"):
+        provider.send("+79001234567", "Ваш код: 1234")
+    assert "+79001234567" in caplog.text
+    assert "Ваш код: 1234" in caplog.text
+
+
+def test_registry_returns_console_email(monkeypatch):
+    monkeypatch.setattr("web.notifications.registry.settings.EMAIL_PROVIDER", "console")
+    provider = get_email_provider()
+    assert isinstance(provider, ConsoleEmailProvider)
+
+
+def test_registry_returns_console_sms(monkeypatch):
+    monkeypatch.setattr("web.notifications.registry.settings.SMS_PROVIDER", "console")
+    provider = get_sms_provider()
+    assert isinstance(provider, ConsoleSMSProvider)
+
+
+def test_registry_unknown_email_provider_raises(monkeypatch):
+    monkeypatch.setattr("web.notifications.registry.settings.EMAIL_PROVIDER", "sendgrid")
+    with pytest.raises(ValueError, match="sendgrid"):
+        get_email_provider()
+
+
+def test_registry_unknown_sms_provider_raises(monkeypatch):
+    monkeypatch.setattr("web.notifications.registry.settings.SMS_PROVIDER", "twilio")
+    with pytest.raises(ValueError, match="twilio"):
+        get_sms_provider()

tests/test_routes_admin.py

@@ -0,0 +1,181 @@
+"""Integration tests for admin panel routes."""
+import pytest
+
+from web.models.user import User, UserRoleEnum, UserStatusEnum
+
+
+def _set_session(client, user_id: int):
+    """Inject a session cookie so the client appears logged in as user_id."""
+    client.cookies.set("session", "")  # will be overwritten by actual login
+    # We inject directly into the app's session via a helper request
+    # The simplest approach: use the login endpoint to set the real session cookie
+    return user_id
+
+
+async def _login(client, user):
+    """Log in as user via the /login endpoint to get a real session cookie."""
+    resp = await client.post("/login", data={
+        "email": user.email,
+        "password": "testpass123",
+    }, follow_redirects=False)
+    assert resp.status_code == 303, f"Login failed: {resp.text}"
+
+
+# ── Access control ────────────────────────────────────────────────────────────
+
+@pytest.mark.asyncio
+async def test_admin_users_requires_auth(client):
+    resp = await client.get("/admin/users", follow_redirects=False)
+    # Unauthenticated → redirect to login
+    assert resp.status_code in (302, 303, 307)
+
+
+@pytest.mark.asyncio
+async def test_admin_users_requires_admin_role(client, active_user):
+    await _login(client, active_user)
+    resp = await client.get("/admin/users", follow_redirects=False)
+    # Regular user → redirect (not admin)
+    assert resp.status_code in (302, 303, 307)
+
+
+@pytest.mark.asyncio
+async def test_admin_users_accessible_by_admin(client, admin_user):
+    await _login(client, admin_user)
+    resp = await client.get("/admin/users")
+    assert resp.status_code == 200
+    assert "Пользователи" in resp.text
+
+
+@pytest.mark.asyncio
+async def test_admin_users_accessible_by_system(client, system_user):
+    await _login(client, system_user)
+    resp = await client.get("/admin/users")
+    assert resp.status_code == 200
+
+
+# ── User list + filters ───────────────────────────────────────────────────────
+
+@pytest.mark.asyncio
+async def test_admin_users_shows_all_users(client, admin_user, user_factory):
+    extra = user_factory.create(email="findme@test.com")
+    await _login(client, admin_user)
+    resp = await client.get("/admin/users")
+    assert resp.status_code == 200
+    assert extra.email in resp.text
+
+
+@pytest.mark.asyncio
+async def test_admin_users_search_filter(client, admin_user, user_factory):
+    target = user_factory.create(email="searchable@test.com")
+    await _login(client, admin_user)
+    resp = await client.get("/admin/users?search=searchable")
+    assert resp.status_code == 200
+    assert target.email in resp.text
+
+
+# ── User detail ───────────────────────────────────────────────────────────────
+
+@pytest.mark.asyncio
+async def test_admin_user_detail(client, admin_user, active_user):
+    await _login(client, admin_user)
+    resp = await client.get(f"/admin/users/{active_user.id}")
+    assert resp.status_code == 200
+    assert active_user.email in resp.text
+
+
+@pytest.mark.asyncio
+async def test_admin_user_detail_not_found(client, admin_user):
+    await _login(client, admin_user)
+    resp = await client.get("/admin/users/99999", follow_redirects=False)
+    assert resp.status_code in (302, 303, 307)
+
+
+# ── Activate / suspend ────────────────────────────────────────────────────────
+
+@pytest.mark.asyncio
+async def test_admin_activate_user(client, admin_user, user_factory, override_db):
+    target = user_factory.create(status=UserStatusEnum.suspended)
+    await _login(client, admin_user)
+    resp = await client.post(f"/admin/users/{target.id}/activate", follow_redirects=False)
+    assert resp.status_code == 303
+    override_db.refresh(target)
+    assert target.status == UserStatusEnum.active
+
+
+@pytest.mark.asyncio
+async def test_admin_suspend_user(client, admin_user, active_user, override_db):
+    await _login(client, admin_user)
+    resp = await client.post(f"/admin/users/{active_user.id}/suspend", follow_redirects=False)
+    assert resp.status_code == 303
+    override_db.refresh(active_user)
+    assert active_user.status == UserStatusEnum.suspended
+
+
+# ── Delete (system only) ──────────────────────────────────────────────────────
+
+@pytest.mark.asyncio
+async def test_admin_delete_user_by_system(client, system_user, user_factory, override_db):
+    target = user_factory.create()
+    target_id = target.id
+    await _login(client, system_user)
+    resp = await client.post(f"/admin/users/{target_id}/delete", follow_redirects=False)
+    assert resp.status_code == 303
+    assert override_db.get(User, target_id) is None
+
+
+@pytest.mark.asyncio
+async def test_admin_delete_blocked_for_admin_role(client, admin_user, active_user, override_db):
+    target_id = active_user.id
+    await _login(client, admin_user)
+    resp = await client.post(f"/admin/users/{target_id}/delete", follow_redirects=False)
+    assert resp.status_code == 303
+    # Admin cannot delete — user still exists
+    assert override_db.get(User, target_id) is not None
+
+
+# ── Reset password / send invite ──────────────────────────────────────────────
+
+@pytest.mark.asyncio
+async def test_admin_reset_password_generates_token(client, admin_user, active_user, override_db):
+    from unittest.mock import patch
+    with patch("web.routes.admin.send_email_task") as mock_task:
+        await _login(client, admin_user)
+        resp = await client.post(
+            f"/admin/users/{active_user.id}/reset-password", follow_redirects=False
+        )
+    assert resp.status_code == 303
+    override_db.refresh(active_user)
+    assert active_user.password_reset_token is not None
+    mock_task.delay.assert_called_once()
+
+
+@pytest.mark.asyncio
+async def test_admin_send_invite(client, admin_user, active_user, override_db):
+    from unittest.mock import patch
+    with patch("web.routes.admin.send_email_task") as mock_task:
+        await _login(client, admin_user)
+        resp = await client.post(
+            f"/admin/users/{active_user.id}/send-invite", follow_redirects=False
+        )
+    assert resp.status_code == 303
+    override_db.refresh(active_user)
+    assert active_user.invite_token is not None
+    mock_task.delay.assert_called_once()
+
+
+# ── Roles page (system only) ──────────────────────────────────────────────────
+
+@pytest.mark.asyncio
+async def test_admin_roles_accessible_by_system(client, system_user):
+    await _login(client, system_user)
+    resp = await client.get("/admin/roles")
+    assert resp.status_code == 200
+    assert "Роли" in resp.text
+
+
+@pytest.mark.asyncio
+async def test_admin_roles_blocked_for_admin(client, admin_user):
+    await _login(client, admin_user)
+    resp = await client.get("/admin/roles", follow_redirects=False)
+    # Admin is redirected away from roles page
+    assert resp.status_code in (302, 303, 307)

tests/test_routes_auth.py

@@ -0,0 +1,182 @@
+"""Integration tests for auth routes (register / login / confirm-email / logout)."""
+import secrets
+from unittest.mock import patch
+
+import pytest
+
+from web.models.user import User, UserStatusEnum
+
+
+# ── /register ────────────────────────────────────────────────────────────────
+
+@pytest.mark.asyncio
+async def test_register_get(client):
+    resp = await client.get("/register")
+    assert resp.status_code == 200
+    assert "Регистрация" in resp.text
+
+
+@pytest.mark.asyncio
+@patch("web.routes.auth.send_email_task")
+async def test_register_creates_pending_user(mock_task, client, override_db):
+    resp = await client.post("/register", data={
+        "first_name": "Иван",
+        "last_name": "Иванов",
+        "email": "ivan@test.com",
+        "phone": "+79001234567",
+        "password": "password123",
+        "password_confirm": "password123",
+    })
+    assert resp.status_code == 200
+    assert "Подтвердите" in resp.text
+
+    user = override_db.query(User).filter(User.email == "ivan@test.com").first()
+    assert user is not None
+    assert user.status == UserStatusEnum.pending
+    assert user.is_email_confirmed is False
+    assert user.email_confirm_token is not None
+    mock_task.delay.assert_called_once()
+
+
+@pytest.mark.asyncio
+@patch("web.routes.auth.send_email_task")
+async def test_register_duplicate_email(mock_task, client, active_user):
+    resp = await client.post("/register", data={
+        "first_name": "X",
+        "last_name": "Y",
+        "email": active_user.email,
+        "phone": "+79999999999",
+        "password": "password123",
+        "password_confirm": "password123",
+    })
+    assert resp.status_code == 200
+    assert "уже существует" in resp.text
+    mock_task.delay.assert_not_called()
+
+
+@pytest.mark.asyncio
+async def test_register_password_mismatch(client):
+    resp = await client.post("/register", data={
+        "email": "new@test.com",
+        "phone": "+79000000001",
+        "password": "password123",
+        "password_confirm": "different",
+    })
+    assert resp.status_code == 200
+    assert "не совпадают" in resp.text
+
+
+@pytest.mark.asyncio
+async def test_register_short_password(client):
+    resp = await client.post("/register", data={
+        "email": "new@test.com",
+        "phone": "+79000000002",
+        "password": "short",
+        "password_confirm": "short",
+    })
+    assert resp.status_code == 200
+    assert "минимум 8" in resp.text
+
+
+# ── /confirm-email ────────────────────────────────────────────────────────────
+
+@pytest.mark.asyncio
+async def test_confirm_email_valid_token(client, override_db, user_factory):
+    token = secrets.token_urlsafe(32)
+    user = user_factory.create(
+        is_email_confirmed=False,
+        email_confirm_token=token,
+        status=UserStatusEnum.pending,
+    )
+    resp = await client.get(f"/confirm-email?token={token}")
+    assert resp.status_code == 200
+    assert "подтвержден" in resp.text.lower()
+
+    override_db.refresh(user)
+    assert user.is_email_confirmed is True
+    assert user.status == UserStatusEnum.active
+    assert user.email_confirm_token is None
+
+
+@pytest.mark.asyncio
+async def test_confirm_email_invalid_token(client):
+    resp = await client.get("/confirm-email?token=bogustoken")
+    assert resp.status_code == 200
+    assert "Ошибка" in resp.text
+
+
+@pytest.mark.asyncio
+async def test_confirm_email_missing_token(client):
+    resp = await client.get("/confirm-email")
+    assert resp.status_code == 200
+    assert "Ошибка" in resp.text
+
+
+# ── /login ────────────────────────────────────────────────────────────────────
+
+@pytest.mark.asyncio
+async def test_login_get(client):
+    resp = await client.get("/login")
+    assert resp.status_code == 200
+    assert "Вход" in resp.text
+
+
+@pytest.mark.asyncio
+async def test_login_success(client, active_user):
+    resp = await client.post("/login", data={
+        "email": active_user.email,
+        "password": "testpass123",
+    }, follow_redirects=False)
+    assert resp.status_code == 303
+    assert resp.headers["location"] == "/profile"
+
+
+@pytest.mark.asyncio
+async def test_login_wrong_password(client, active_user):
+    resp = await client.post("/login", data={
+        "email": active_user.email,
+        "password": "wrongpassword",
+    })
+    assert resp.status_code == 200
+    assert "Неверный" in resp.text
+
+
+@pytest.mark.asyncio
+async def test_login_unknown_email(client):
+    resp = await client.post("/login", data={
+        "email": "nobody@test.com",
+        "password": "testpass123",
+    })
+    assert resp.status_code == 200
+    assert "Неверный" in resp.text
+
+
+@pytest.mark.asyncio
+async def test_login_suspended_user(client, user_factory):
+    user = user_factory.create(status=UserStatusEnum.suspended)
+    resp = await client.post("/login", data={
+        "email": user.email,
+        "password": "testpass123",
+    })
+    assert resp.status_code == 200
+    assert "заблокирован" in resp.text.lower()
+
+
+@pytest.mark.asyncio
+async def test_login_unconfirmed_email(client, user_factory):
+    user = user_factory.create(is_email_confirmed=False, status=UserStatusEnum.pending)
+    resp = await client.post("/login", data={
+        "email": user.email,
+        "password": "testpass123",
+    })
+    assert resp.status_code == 200
+    assert "подтвердите" in resp.text.lower()
+
+
+# ── /logout ───────────────────────────────────────────────────────────────────
+
+@pytest.mark.asyncio
+async def test_logout_redirects(client):
+    resp = await client.get("/logout", follow_redirects=False)
+    assert resp.status_code == 303
+    assert resp.headers["location"] == "/login"

tests/test_routes_evotor_webhooks.py

@@ -0,0 +1,196 @@
+"""Integration tests for Evotor webhook endpoints."""
+import json
+from unittest.mock import patch
+
+import pytest
+
+from web.models.connections import EvotorConnection
+from web.models.user import User, UserStatusEnum
+
+
+WEBHOOK_SECRET = "test-secret-abc"
+
+
+def auth_headers(secret=WEBHOOK_SECRET):
+    return {"Authorization": f"Bearer {secret}"}
+
+
+# ── /user/create ──────────────────────────────────────────────────────────────
+
+@pytest.mark.asyncio
+@patch("web.routes.evotor_webhooks.send_email_task")
+async def test_user_create_new_user(mock_task, client, override_db, monkeypatch):
+    monkeypatch.setattr("web.routes.evotor_webhooks.settings.EVOTOR_WEBHOOK_SECRET", WEBHOOK_SECRET)
+    monkeypatch.setattr("web.routes.evotor_webhooks.settings.INVITE_EXPIRE_HOURS", 48)
+    monkeypatch.setattr("web.routes.evotor_webhooks.settings.BASE_URL", "http://test")
+
+    payload = {
+        "userId": "evo-001",
+        "customField": json.dumps({"email": "newuser@test.com", "phone": "+79001234501"}),
+    }
+    resp = await client.post("/user/create", json=payload, headers=auth_headers())
+    assert resp.status_code == 200
+    data = resp.json()
+    assert data["userId"] == "evo-001"
+    assert "token" in data
+    assert len(data["token"]) > 10
+
+    user = override_db.query(User).filter(User.evotor_user_id == "evo-001").first()
+    assert user is not None
+    assert user.status == UserStatusEnum.pending
+    assert user.invite_token is not None
+    assert user.password_hash is None
+
+    conn = override_db.query(EvotorConnection).filter(
+        EvotorConnection.evotor_user_id == "evo-001"
+    ).first()
+    assert conn is not None
+    assert conn.api_token == data["token"]
+
+    mock_task.delay.assert_called_once()
+
+
+@pytest.mark.asyncio
+@patch("web.routes.evotor_webhooks.send_email_task")
+async def test_user_create_links_existing_user_by_email(mock_task, client, override_db, user_factory, monkeypatch):
+    monkeypatch.setattr("web.routes.evotor_webhooks.settings.EVOTOR_WEBHOOK_SECRET", WEBHOOK_SECRET)
+    monkeypatch.setattr("web.routes.evotor_webhooks.settings.INVITE_EXPIRE_HOURS", 48)
+    monkeypatch.setattr("web.routes.evotor_webhooks.settings.BASE_URL", "http://test")
+
+    existing = user_factory.create(email="existing@test.com")
+    assert existing.evotor_user_id is None
+
+    payload = {
+        "userId": "evo-link-001",
+        "customField": json.dumps({"email": "existing@test.com"}),
+    }
+    resp = await client.post("/user/create", json=payload, headers=auth_headers())
+    assert resp.status_code == 200
+
+    override_db.refresh(existing)
+    assert existing.evotor_user_id == "evo-link-001"
+
+
+@pytest.mark.asyncio
+async def test_user_create_wrong_secret(client, monkeypatch):
+    monkeypatch.setattr("web.routes.evotor_webhooks.settings.EVOTOR_WEBHOOK_SECRET", WEBHOOK_SECRET)
+    resp = await client.post("/user/create", json={"userId": "x"}, headers={"Authorization": "Bearer wrong"})
+    assert resp.status_code == 401
+
+
+@pytest.mark.asyncio
+async def test_user_create_missing_user_id(client, monkeypatch):
+    monkeypatch.setattr("web.routes.evotor_webhooks.settings.EVOTOR_WEBHOOK_SECRET", "")
+    resp = await client.post("/user/create", json={"customField": "{}"})
+    assert resp.status_code == 400
+
+
+@pytest.mark.asyncio
+@patch("web.routes.evotor_webhooks.send_email_task")
+async def test_user_create_no_secret_dev_mode(mock_task, client, override_db, monkeypatch):
+    monkeypatch.setattr("web.routes.evotor_webhooks.settings.EVOTOR_WEBHOOK_SECRET", "")
+    monkeypatch.setattr("web.routes.evotor_webhooks.settings.INVITE_EXPIRE_HOURS", 48)
+    monkeypatch.setattr("web.routes.evotor_webhooks.settings.BASE_URL", "http://test")
+
+    resp = await client.post("/user/create", json={"userId": "evo-dev-001"})
+    assert resp.status_code == 200
+    assert resp.json()["userId"] == "evo-dev-001"
+
+
+# ── /user/verify ──────────────────────────────────────────────────────────────
+
+@pytest.mark.asyncio
+async def test_user_verify_success(client, override_db, user_factory, monkeypatch):
+    monkeypatch.setattr("web.routes.evotor_webhooks.settings.EVOTOR_WEBHOOK_SECRET", WEBHOOK_SECRET)
+    user = user_factory.create(evotor_user_id="evo-verify-001")
+    conn = EvotorConnection(
+        user_id=user.id,
+        evotor_user_id="evo-verify-001",
+        access_token="evotor-access-token",
+        api_token="my-api-token-xyz",
+    )
+    override_db.add(conn)
+    override_db.commit()
+
+    resp = await client.post("/user/verify", json={
+        "userId": "evo-verify-001",
+        "username": user.email,
+        "password": "testpass123",
+    }, headers=auth_headers())
+    assert resp.status_code == 200
+    data = resp.json()
+    assert data["userId"] == "evo-verify-001"
+    assert "token" in data
+
+
+@pytest.mark.asyncio
+async def test_user_verify_wrong_password(client, user_factory, monkeypatch):
+    monkeypatch.setattr("web.routes.evotor_webhooks.settings.EVOTOR_WEBHOOK_SECRET", WEBHOOK_SECRET)
+    user = user_factory.create()
+    resp = await client.post("/user/verify", json={
+        "userId": "x",
+        "username": user.email,
+        "password": "wrongpass",
+    }, headers=auth_headers())
+    assert resp.status_code == 401
+
+
+@pytest.mark.asyncio
+async def test_user_verify_suspended(client, user_factory, monkeypatch):
+    monkeypatch.setattr("web.routes.evotor_webhooks.settings.EVOTOR_WEBHOOK_SECRET", WEBHOOK_SECRET)
+    user = user_factory.create(status=UserStatusEnum.suspended)
+    resp = await client.post("/user/verify", json={
+        "userId": "x",
+        "username": user.email,
+        "password": "testpass123",
+    }, headers=auth_headers())
+    assert resp.status_code == 403
+
+
+@pytest.mark.asyncio
+async def test_user_verify_no_password_hash(client, user_factory, monkeypatch):
+    monkeypatch.setattr("web.routes.evotor_webhooks.settings.EVOTOR_WEBHOOK_SECRET", WEBHOOK_SECRET)
+    user = user_factory.create(password_hash=None)
+    resp = await client.post("/user/verify", json={
+        "userId": "x",
+        "username": user.email,
+        "password": "anything",
+    }, headers=auth_headers())
+    assert resp.status_code == 401
+
+
+# ── /user/token ───────────────────────────────────────────────────────────────
+
+@pytest.mark.asyncio
+async def test_user_token_updates_connection(client, override_db, user_factory, monkeypatch):
+    monkeypatch.setattr("web.routes.evotor_webhooks.settings.EVOTOR_WEBHOOK_SECRET", WEBHOOK_SECRET)
+    user = user_factory.create(evotor_user_id="evo-token-001")
+    old_conn = EvotorConnection(
+        user_id=user.id,
+        evotor_user_id="evo-token-001",
+        access_token="old-token",
+        api_token="api-tok",
+    )
+    override_db.add(old_conn)
+    override_db.commit()
+
+    resp = await client.post("/user/token", json={
+        "userId": "evo-token-001",
+        "token": "new-evotor-token-xyz",
+    }, headers=auth_headers())
+    assert resp.status_code == 200
+    assert resp.json() == {}
+
+    override_db.refresh(old_conn)
+    assert old_conn.access_token == "new-evotor-token-xyz"
+    assert old_conn.is_online is True
+
+
+@pytest.mark.asyncio
+async def test_user_token_unknown_user(client, monkeypatch):
+    monkeypatch.setattr("web.routes.evotor_webhooks.settings.EVOTOR_WEBHOOK_SECRET", WEBHOOK_SECRET)
+    resp = await client.post("/user/token", json={
+        "userId": "does-not-exist",
+        "token": "some-token",
+    }, headers=auth_headers())
+    assert resp.status_code == 404

tests/test_routes_invite.py

@@ -0,0 +1,95 @@
+"""Integration tests for the Evotor invite flow (/invite)."""
+import secrets
+from datetime import datetime, timezone, timedelta
+from unittest.mock import patch
+
+import pytest
+
+from web.models.user import User, UserStatusEnum
+
+
+@pytest.mark.asyncio
+async def test_invite_get_valid_token(client, override_db, user_factory):
+    token = secrets.token_urlsafe(32)
+    user = user_factory.create(
+        invite_token=token,
+        invite_expires=datetime.now(timezone.utc).replace(tzinfo=None) + timedelta(hours=48),
+        password_hash=None,
+        status=UserStatusEnum.pending,
+        is_email_confirmed=False,
+    )
+    resp = await client.get(f"/invite?token={token}")
+    assert resp.status_code == 200
+    assert "Завершение регистрации" in resp.text or "ЭВОСИНК" in resp.text
+
+
+@pytest.mark.asyncio
+async def test_invite_get_expired_token(client, user_factory):
+    token = secrets.token_urlsafe(32)
+    user_factory.create(
+        invite_token=token,
+        invite_expires=datetime.now(timezone.utc).replace(tzinfo=None) - timedelta(hours=1),
+        password_hash=None,
+        status=UserStatusEnum.pending,
+    )
+    resp = await client.get(f"/invite?token={token}")
+    assert resp.status_code == 200
+    assert "недействительна" in resp.text
+
+
+@pytest.mark.asyncio
+async def test_invite_get_bogus_token(client):
+    resp = await client.get("/invite?token=notexist")
+    assert resp.status_code == 200
+    assert "недействительна" in resp.text
+
+
+@pytest.mark.asyncio
+async def test_invite_post_activates_user(client, override_db, user_factory):
+    token = secrets.token_urlsafe(32)
+    user = user_factory.create(
+        email="invite@test.com",
+        phone="+79001119999",
+        invite_token=token,
+        invite_expires=datetime.now(timezone.utc).replace(tzinfo=None) + timedelta(hours=48),
+        password_hash=None,
+        status=UserStatusEnum.pending,
+        is_email_confirmed=False,
+    )
+    resp = await client.post(f"/invite?token={token}", data={
+        "first_name": "Петр",
+        "last_name": "Петров",
+        "email": "invite@test.com",
+        "phone": "+79001119999",
+        "password": "newpassword1",
+        "password_confirm": "newpassword1",
+    })
+    assert resp.status_code == 200
+    assert "активирован" in resp.text.lower()
+
+    override_db.refresh(user)
+    assert user.status == UserStatusEnum.active
+    assert user.is_email_confirmed is True
+    assert user.password_hash is not None
+    assert user.invite_token is None
+
+
+@pytest.mark.asyncio
+async def test_invite_post_password_mismatch(client, user_factory):
+    token = secrets.token_urlsafe(32)
+    user_factory.create(
+        invite_token=token,
+        invite_expires=datetime.now(timezone.utc).replace(tzinfo=None) + timedelta(hours=48),
+        password_hash=None,
+        status=UserStatusEnum.pending,
+    )
+    resp = await client.post(f"/invite?token={token}", data={
+        "first_name": "А",
+        "last_name": "Б",
+        "email": "x@test.com",
+        "phone": "+79001112233",
+        "password": "password123",
+        "password_confirm": "different",
+    })
+    assert resp.status_code == 200
+    assert "не совпадают" in resp.text

tests/test_webhook_parsing.py

@@ -0,0 +1,40 @@
+"""Unit tests for _parse_custom_fields — no DB or HTTP needed."""
+import json
+
+from web.routes.evotor_webhooks import _parse_custom_fields
+
+
+def test_none_returns_empty():
+    assert _parse_custom_fields(None) == {}
+
+
+def test_dict_passthrough():
+    d = {"email": "a@b.com", "phone": "+79001234567"}
+    assert _parse_custom_fields(d) == d
+
+
+def test_json_string_parsed():
+    raw = json.dumps({"email": "a@b.com", "firstName": "Иван"})
+    result = _parse_custom_fields(raw)
+    assert result["email"] == "a@b.com"
+    assert result["firstName"] == "Иван"
+
+
+def test_plain_string_returns_empty():
+    # A plain non-JSON string cannot be parsed into fields
+    assert _parse_custom_fields("just some text") == {}
+
+
+def test_json_array_returns_empty():
+    # A JSON array is not a dict — treat as unparseable
+    assert _parse_custom_fields("[1, 2, 3]") == {}
+
+
+def test_empty_string_returns_empty():
+    assert _parse_custom_fields("") == {}
+
+
+def test_nested_values_preserved():
+    raw = {"email": "x@y.com", "meta": {"key": "val"}}
+    result = _parse_custom_fields(raw)
+    assert result["meta"]["key"] == "val"

version

@@ -1 +0,0 @@
-1.7.2

web/auth/password.py

@@ -0,0 +1,12 @@
+import bcrypt
+
+
+def hash_password(plain: str) -> str:
+    return bcrypt.hashpw(plain.encode(), bcrypt.gensalt(rounds=12)).decode()
+
+
+def verify_password(plain: str, hashed: str) -> bool:
+    try:
+        return bcrypt.checkpw(plain.encode(), hashed.encode())
+    except Exception:
+        return False

web/auth/rbac.py

@@ -0,0 +1,35 @@
+from fastapi import Depends, HTTPException
+from sqlalchemy.orm import Session
+from starlette.requests import Request
+
+from web.auth.session import get_current_user
+from web.database import get_db
+from web.models.rbac import Permission, UserRole, role_permissions
+from web.models.user import User, UserRoleEnum
+
+
+def require_role(*roles: str):
+    def dep(request: Request, db: Session = Depends(get_db)) -> User:
+        user = get_current_user(request, db)
+        if user.role.value not in roles:
+            raise HTTPException(status_code=403, detail="Недостаточно прав")
+        return user
+    return Depends(dep)
+
+
+def require_permission(permission_name: str):
+    def dep(request: Request, db: Session = Depends(get_db)) -> User:
+        user = get_current_user(request, db)
+        if user.role == UserRoleEnum.system:
+            return user
+        has = (
+            db.query(Permission)
+            .join(role_permissions, Permission.id == role_permissions.c.permission_id)
+            .join(UserRole, UserRole.role_id == role_permissions.c.role_id)
+            .filter(UserRole.user_id == user.id, Permission.name == permission_name)
+            .first()
+        )
+        if not has:
+            raise HTTPException(status_code=403, detail="Недостаточно прав")
+        return user
+    return Depends(dep)

web/auth/session.py

@@ -0,0 +1,25 @@
+from fastapi import HTTPException
+from fastapi.responses import RedirectResponse
+from sqlalchemy.orm import Session
+from starlette.requests import Request
+
+from web.models.user import User, UserStatusEnum
+
+
+def get_session_user_id(request: Request) -> int | None:
+    return request.session.get("user_id")
+
+
+def get_current_user(request: Request, db: Session) -> User:
+    user_id = get_session_user_id(request)
+    if not user_id:
+        raise HTTPException(status_code=307, headers={"Location": "/login"})
+    user = db.get(User, user_id)
+    if not user or user.status == UserStatusEnum.suspended:
+        request.session.clear()
+        raise HTTPException(status_code=307, headers={"Location": "/login"})
+    return user
+
+
+def login_redirect() -> RedirectResponse:
+    return RedirectResponse("/login", status_code=303)

web/config.py

@@ -0,0 +1,36 @@
+from pydantic_settings import BaseSettings
+
+
+class Settings(BaseSettings):
+    DATABASE_URL: str = "mysql+pymysql://evosync:evosync@db:3306/evosync"
+    REDIS_URL: str = "redis://redis:6379/0"
+    SECRET_KEY: str = "change-me-in-production"
+    BASE_URL: str = "http://localhost:8000"
+    PASSWORD_RESET_EXPIRE_MINUTES: int = 60
+
+    EVOTOR_APP_ID: str = ""
+    EVOTOR_WEBHOOK_SECRET: str = ""
+
+    JIVOSITE_WIDGET_ID: str = ""
+    VK_DEFAULT_PHOTO_PATH: str = "/app/default_product.png"
+    VK_API_VERSION: str = "5.199"
+
+    CATALOG_REFRESH_INTERVAL_SECONDS: int = 3600
+    INVITE_EXPIRE_HOURS: int = 48
+    EMAIL_PROVIDER: str = "console"
+    SMS_PROVIDER: str = "console"
+    SYSTEM_USER_EMAIL: str = ""
+    SYSTEM_USER_PASSWORD: str = ""
+
+    FLOWER_USER: str = "admin"
+    FLOWER_PASSWORD: str = "changeme"
+
+    DB_ROOT_PASSWORD: str = ""
+    DB_NAME: str = ""
+    DB_USER: str = ""
+    DB_PASSWORD: str = ""
+
+    model_config = {"env_file": ".env", "case_sensitive": False, "extra": "ignore"}
+
+
+settings = Settings()

web/database.py

@@ -0,0 +1,24 @@
+from sqlalchemy import create_engine
+from sqlalchemy.orm import DeclarativeBase, sessionmaker
+
+from web.config import settings
+
+engine = create_engine(
+    settings.DATABASE_URL,
+    pool_pre_ping=True,
+    pool_recycle=3600,
+)
+
+SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
+
+
+class Base(DeclarativeBase):
+    pass
+
+
+def get_db():
+    db = SessionLocal()
+    try:
+        yield db
+    finally:
+        db.close()

web/main.py

@@ -0,0 +1,90 @@
+import logging
+
+from fastapi import FastAPI, Request
+from fastapi.responses import HTMLResponse
+from fastapi.staticfiles import StaticFiles
+from starlette.middleware.sessions import SessionMiddleware
+
+try:
+    from pythonjsonlogger import jsonlogger
+    handler = logging.StreamHandler()
+    handler.setFormatter(jsonlogger.JsonFormatter("%(asctime)s %(levelname)s %(name)s %(message)s"))
+    logging.root.addHandler(handler)
+except ImportError:
+    logging.basicConfig(level=logging.INFO)
+logging.root.setLevel(logging.INFO)
+
+from web.config import settings  # noqa: E402 — after logging setup
+from web.templates_env import templates  # noqa: E402
+
+app = FastAPI(title="ЭвоСинк")
+
+app.add_middleware(
+    SessionMiddleware,
+    secret_key=settings.SECRET_KEY,
+    max_age=86400 * 30,
+    https_only=False,
+)
+
+app.mount("/static", StaticFiles(directory="web/static"), name="static")
+
+# ── Routers ───────────────────────────────────────────────────────────────────
+from web.routes.auth import router as auth_router  # noqa: E402
+from web.routes.reset import router as reset_router  # noqa: E402
+from web.routes.invite import router as invite_router  # noqa: E402
+from web.routes.profile import router as profile_router  # noqa: E402
+from web.routes.evotor_webhooks import router as evotor_webhooks_router  # noqa: E402
+from web.routes.admin import router as admin_router  # noqa: E402
+from web.routes.catalog import router as catalog_router  # noqa: E402
+from web.routes.connections import router as connections_router  # noqa: E402
+from web.routes.vk_catalog import router as vk_catalog_router  # noqa: E402
+
+app.include_router(auth_router)
+app.include_router(reset_router)
+app.include_router(invite_router)
+app.include_router(profile_router)
+app.include_router(evotor_webhooks_router)
+app.include_router(admin_router)
+app.include_router(catalog_router)
+app.include_router(connections_router)
+app.include_router(vk_catalog_router)
+
+
+# ── Catalog redirect ─────────────────────────────────────────────────────────
+@app.get("/catalog")
+async def catalog_redirect():
+    from fastapi.responses import RedirectResponse
+    return RedirectResponse("/catalog/stores", 302)
+
+
+# ── Health ────────────────────────────────────────────────────────────────────
+@app.get("/health")
+async def health():
+    return {"status": "ok"}
+
+
+# ── Root redirect ─────────────────────────────────────────────────────────────
+@app.get("/")
+async def root(request: Request):
+    from fastapi.responses import RedirectResponse
+    user_id = request.session.get("user_id")
+    if user_id:
+        return RedirectResponse("/profile", 303)
+    return RedirectResponse("/login", 303)
+
+
+# ── 403 handler ───────────────────────────────────────────────────────────────
+from fastapi import HTTPException  # noqa: E402
+from fastapi.exception_handlers import http_exception_handler  # noqa: E402
+
+
+@app.exception_handler(403)
+async def forbidden_handler(request: Request, exc: HTTPException) -> HTMLResponse:
+    return templates.TemplateResponse(request, "message.html", {
+        "user": None,
+        "title": "Нет доступа",
+        "message": "У вас недостаточно прав для просмотра этой страницы.",
+        "link": "/profile",
+        "link_text": "В личный кабинет",
+        "jivosite_widget_id": settings.JIVOSITE_WIDGET_ID,
+    }, status_code=403)

web/migrations/env.py

@@ -0,0 +1,50 @@
+from logging.config import fileConfig
+
+from alembic import context
+from sqlalchemy import engine_from_config, pool
+
+from web.database import Base
+import web.models  # noqa: F401 — ensure all models are imported before autogenerate
+
+config = context.config
+
+if config.config_file_name is not None:
+    fileConfig(config.config_file_name)
+
+target_metadata = Base.metadata
+
+
+def run_migrations_offline() -> None:
+    url = config.get_main_option("sqlalchemy.url")
+    context.configure(
+        url=url,
+        target_metadata=target_metadata,
+        literal_binds=True,
+        dialect_opts={"paramstyle": "named"},
+    )
+    with context.begin_transaction():
+        context.run_migrations()
+
+
+def run_migrations_online() -> None:
+    from web.config import settings
+
+    configuration = config.get_section(config.config_ini_section, {})
+    configuration["sqlalchemy.url"] = settings.DATABASE_URL
+
+    connectable = engine_from_config(
+        configuration,
+        prefix="sqlalchemy.",
+        poolclass=pool.NullPool,
+    )
+
+    with connectable.connect() as connection:
+        context.configure(connection=connection, target_metadata=target_metadata)
+        with context.begin_transaction():
+            context.run_migrations()
+
+
+if context.is_offline_mode():
+    run_migrations_offline()
+else:
+    run_migrations_online()

web/migrations/script.py.mako

@@ -0,0 +1,25 @@
+"""${message}
+
+Revision ID: ${up_revision}
+Revises: ${down_revision | comma,n}
+Create Date: ${create_date}
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+${imports if imports else ""}
+
+revision: str = ${repr(up_revision)}
+down_revision: Union[str, None] = ${repr(down_revision)}
+branch_labels: Union[str, Sequence[str], None] = ${repr(branch_labels)}
+depends_on: Union[str, Sequence[str], None] = ${repr(depends_on)}
+
+
+def upgrade() -> None:
+    ${upgrades if upgrades else "pass"}
+
+
+def downgrade() -> None:
+    ${downgrades if downgrades else "pass"}

web/migrations/versions/0001_initial.py

@@ -0,0 +1,21 @@
+"""initial
+
+Revision ID: 0001
+Revises:
+Create Date: 2026-04-27
+
+"""
+from typing import Sequence, Union
+
+revision: str = "0001"
+down_revision: Union[str, None] = None
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    pass
+
+
+def downgrade() -> None:
+    pass

web/migrations/versions/0002_users_and_connections.py

@@ -0,0 +1,238 @@
+"""users and connections schema
+
+Revision ID: 0002
+Revises: 0001
+Create Date: 2026-04-28
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+revision: str = "0002"
+down_revision: Union[str, None] = "0001"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    conn = op.get_bind()
+
+    # ── users ────────────────────────────────────────────────────────────────
+    conn.execute(sa.text("""
+        CREATE TABLE IF NOT EXISTS users (
+            id              INT AUTO_INCREMENT PRIMARY KEY,
+            first_name      VARCHAR(100) NOT NULL,
+            last_name       VARCHAR(100) NOT NULL,
+            email           VARCHAR(255) NOT NULL,
+            phone           VARCHAR(20)  NOT NULL,
+            password_hash   VARCHAR(255) NULL,
+            is_email_confirmed BOOLEAN NOT NULL DEFAULT FALSE,
+            email_confirm_token VARCHAR(255) NULL,
+            password_reset_token VARCHAR(255) NULL,
+            password_reset_expires DATETIME NULL,
+            role   ENUM('system','admin','user') NOT NULL DEFAULT 'user',
+            status ENUM('pending','active','suspended') NOT NULL DEFAULT 'pending',
+            evotor_user_id  VARCHAR(255) NULL,
+            evotor_meta     JSON NULL,
+            invite_token    VARCHAR(255) NULL,
+            invite_expires  DATETIME NULL,
+            phone_otp       VARCHAR(10) NULL,
+            phone_otp_expires DATETIME NULL,
+            created_at      DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+            updated_at      DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
+            CONSTRAINT ix_users_email UNIQUE (email),
+            CONSTRAINT ix_users_phone UNIQUE (phone),
+            CONSTRAINT ix_users_evotor_user_id UNIQUE (evotor_user_id)
+        ) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci
+    """))
+
+    # Add new columns if migrating from the Node.js schema (which lacked them)
+    for col_sql in [
+        "ALTER TABLE users MODIFY COLUMN password_hash VARCHAR(255) NULL",
+        "ALTER TABLE users ADD COLUMN IF NOT EXISTS role ENUM('system','admin','user') NOT NULL DEFAULT 'user'",
+        "ALTER TABLE users ADD COLUMN IF NOT EXISTS status ENUM('pending','active','suspended') NOT NULL DEFAULT 'pending'",
+        "ALTER TABLE users ADD COLUMN IF NOT EXISTS evotor_user_id VARCHAR(255) NULL",
+        "ALTER TABLE users ADD COLUMN IF NOT EXISTS evotor_meta JSON NULL",
+        "ALTER TABLE users ADD COLUMN IF NOT EXISTS invite_token VARCHAR(255) NULL",
+        "ALTER TABLE users ADD COLUMN IF NOT EXISTS invite_expires DATETIME NULL",
+        "ALTER TABLE users ADD COLUMN IF NOT EXISTS phone_otp VARCHAR(10) NULL",
+        "ALTER TABLE users ADD COLUMN IF NOT EXISTS phone_otp_expires DATETIME NULL",
+    ]:
+        try:
+            conn.execute(sa.text(col_sql))
+        except Exception:
+            pass  # column/constraint already exists
+
+    # Add unique index on evotor_user_id if missing
+    try:
+        conn.execute(sa.text(
+            "ALTER TABLE users ADD CONSTRAINT ix_users_evotor_user_id UNIQUE (evotor_user_id)"
+        ))
+    except Exception:
+        pass
+
+    # Add role/status indexes if missing
+    for idx_sql in [
+        "CREATE INDEX IF NOT EXISTS ix_users_role ON users (role)",
+        "CREATE INDEX IF NOT EXISTS ix_users_status ON users (status)",
+    ]:
+        try:
+            conn.execute(sa.text(idx_sql))
+        except Exception:
+            pass
+
+    # ── evotor_connections ───────────────────────────────────────────────────
+    conn.execute(sa.text("""
+        CREATE TABLE IF NOT EXISTS evotor_connections (
+            id              INT AUTO_INCREMENT PRIMARY KEY,
+            user_id         INT NULL,
+            evotor_user_id  VARCHAR(255) NULL,
+            access_token    TEXT NOT NULL,
+            api_token       VARCHAR(255) NULL,
+            store_id        VARCHAR(255) NULL,
+            store_name      VARCHAR(255) NULL,
+            refresh_token   TEXT NULL,
+            token_expires_at DATETIME NULL,
+            is_online       BOOLEAN NOT NULL DEFAULT FALSE,
+            last_checked_at DATETIME NULL,
+            connected_at    DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+            updated_at      DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
+            CONSTRAINT ix_evotor_connections_user_id UNIQUE (user_id),
+            CONSTRAINT ix_evotor_connections_evotor_user_id UNIQUE (evotor_user_id),
+            FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+        ) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci
+    """))
+
+    try:
+        conn.execute(sa.text(
+            "ALTER TABLE evotor_connections ADD COLUMN IF NOT EXISTS api_token VARCHAR(255) NULL"
+        ))
+    except Exception:
+        pass
+
+    # ── vk_connections ───────────────────────────────────────────────────────
+    conn.execute(sa.text("""
+        CREATE TABLE IF NOT EXISTS vk_connections (
+            id              INT AUTO_INCREMENT PRIMARY KEY,
+            user_id         INT NOT NULL,
+            access_token    TEXT NOT NULL,
+            vk_user_id      VARCHAR(50) NULL,
+            first_name      VARCHAR(255) NULL,
+            last_name       VARCHAR(255) NULL,
+            is_online       BOOLEAN NOT NULL DEFAULT FALSE,
+            last_checked_at DATETIME NULL,
+            connected_at    DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+            updated_at      DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
+            CONSTRAINT ix_vk_connections_user_id UNIQUE (user_id),
+            FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+        ) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci
+    """))
+
+    # ── sync_configs ─────────────────────────────────────────────────────────
+    conn.execute(sa.text("""
+        CREATE TABLE IF NOT EXISTS sync_configs (
+            id          INT AUTO_INCREMENT PRIMARY KEY,
+            user_id     INT NOT NULL,
+            is_enabled  BOOLEAN NOT NULL DEFAULT FALSE,
+            confirmed_at DATETIME NULL,
+            created_at  DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+            updated_at  DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
+            CONSTRAINT ix_sync_configs_user_id UNIQUE (user_id),
+            FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+        ) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci
+    """))
+
+    # ── sync_filters ─────────────────────────────────────────────────────────
+    conn.execute(sa.text("""
+        CREATE TABLE IF NOT EXISTS sync_filters (
+            id              INT AUTO_INCREMENT PRIMARY KEY,
+            sync_config_id  INT NOT NULL,
+            entity_type     VARCHAR(20) NOT NULL,
+            entity_id       VARCHAR(255) NOT NULL,
+            entity_name     VARCHAR(255) NULL,
+            filter_mode     VARCHAR(10) NOT NULL,
+            parent_entity_id VARCHAR(255) NULL,
+            created_at      DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+            CONSTRAINT uq_sync_filters_config_type_entity UNIQUE (sync_config_id, entity_type, entity_id),
+            FOREIGN KEY (sync_config_id) REFERENCES sync_configs(id) ON DELETE CASCADE
+        ) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci
+    """))
+
+    # ── cached_stores ────────────────────────────────────────────────────────
+    conn.execute(sa.text("""
+        CREATE TABLE IF NOT EXISTS cached_stores (
+            id          INT AUTO_INCREMENT PRIMARY KEY,
+            user_id     INT NOT NULL,
+            evotor_id   VARCHAR(255) NOT NULL,
+            name        VARCHAR(255) NOT NULL,
+            address     VARCHAR(500) NULL,
+            fetched_at  DATETIME NOT NULL,
+            CONSTRAINT uq_cached_stores_user_evotor UNIQUE (user_id, evotor_id),
+            FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+        ) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci
+    """))
+    try:
+        conn.execute(sa.text("CREATE INDEX IF NOT EXISTS ix_cached_stores_user_id ON cached_stores (user_id)"))
+    except Exception:
+        pass
+
+    # ── cached_groups ────────────────────────────────────────────────────────
+    conn.execute(sa.text("""
+        CREATE TABLE IF NOT EXISTS cached_groups (
+            id              INT AUTO_INCREMENT PRIMARY KEY,
+            user_id         INT NOT NULL,
+            evotor_id       VARCHAR(255) NOT NULL,
+            store_evotor_id VARCHAR(255) NOT NULL,
+            name            VARCHAR(255) NOT NULL,
+            fetched_at      DATETIME NOT NULL,
+            CONSTRAINT uq_cached_groups_user_evotor UNIQUE (user_id, evotor_id),
+            FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+        ) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci
+    """))
+    try:
+        conn.execute(sa.text(
+            "CREATE INDEX IF NOT EXISTS ix_cached_groups_user_store ON cached_groups (user_id, store_evotor_id)"
+        ))
+    except Exception:
+        pass
+
+    # ── cached_products ──────────────────────────────────────────────────────
+    conn.execute(sa.text("""
+        CREATE TABLE IF NOT EXISTS cached_products (
+            id              INT AUTO_INCREMENT PRIMARY KEY,
+            user_id         INT NOT NULL,
+            evotor_id       VARCHAR(255) NOT NULL,
+            store_evotor_id VARCHAR(255) NOT NULL,
+            group_evotor_id VARCHAR(255) NULL,
+            name            VARCHAR(255) NOT NULL,
+            price           DECIMAL(12,2) NULL,
+            quantity        DECIMAL(12,3) NULL,
+            measure_name    VARCHAR(20) NULL,
+            article_number  VARCHAR(100) NULL,
+            allow_to_sell   BOOLEAN NULL,
+            fetched_at      DATETIME NOT NULL,
+            synced_at       DATETIME NULL,
+            CONSTRAINT uq_cached_products_user_evotor UNIQUE (user_id, evotor_id),
+            FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+        ) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci
+    """))
+    try:
+        conn.execute(sa.text(
+            "CREATE INDEX IF NOT EXISTS ix_cached_products_user_store_group "
+            "ON cached_products (user_id, store_evotor_id, group_evotor_id)"
+        ))
+    except Exception:
+        pass
+
+
+def downgrade() -> None:
+    conn = op.get_bind()
+    for table in [
+        "cached_products", "cached_groups", "cached_stores",
+        "sync_filters", "sync_configs",
+        "vk_connections", "evotor_connections",
+        "users",
+    ]:
+        conn.execute(sa.text(f"DROP TABLE IF EXISTS {table}"))

web/migrations/versions/0003_rbac_tables.py

@@ -0,0 +1,105 @@
+"""RBAC tables with default roles and permissions
+
+Revision ID: 0003
+Revises: 0002
+Create Date: 2026-04-28
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+revision: str = "0003"
+down_revision: Union[str, None] = "0002"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+DEFAULT_ROLES = [
+    ("system", "Системный администратор — полный доступ"),
+    ("admin",  "Администратор — управление пользователями"),
+    ("user",   "Обычный пользователь"),
+]
+
+DEFAULT_PERMISSIONS = [
+    ("admin.users.view",    "Просмотр списка пользователей"),
+    ("admin.users.edit",    "Редактирование пользователей"),
+    ("admin.users.delete",  "Удаление пользователей"),
+    ("admin.roles.manage",  "Управление ролями и правами"),
+]
+
+# system gets all permissions; admin gets view+edit
+ROLE_PERMISSION_MAP = {
+    "system": ["admin.users.view", "admin.users.edit", "admin.users.delete", "admin.roles.manage"],
+    "admin":  ["admin.users.view", "admin.users.edit"],
+    "user":   [],
+}
+
+
+def upgrade() -> None:
+    conn = op.get_bind()
+
+    conn.execute(sa.text("""
+        CREATE TABLE IF NOT EXISTS roles (
+            id          INT AUTO_INCREMENT PRIMARY KEY,
+            name        VARCHAR(50) NOT NULL,
+            description VARCHAR(255) NULL,
+            CONSTRAINT uq_roles_name UNIQUE (name)
+        ) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci
+    """))
+
+    conn.execute(sa.text("""
+        CREATE TABLE IF NOT EXISTS permissions (
+            id          INT AUTO_INCREMENT PRIMARY KEY,
+            name        VARCHAR(100) NOT NULL,
+            description VARCHAR(255) NULL,
+            CONSTRAINT uq_permissions_name UNIQUE (name)
+        ) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci
+    """))
+
+    conn.execute(sa.text("""
+        CREATE TABLE IF NOT EXISTS role_permissions (
+            role_id       INT NOT NULL,
+            permission_id INT NOT NULL,
+            PRIMARY KEY (role_id, permission_id),
+            FOREIGN KEY (role_id) REFERENCES roles(id) ON DELETE CASCADE,
+            FOREIGN KEY (permission_id) REFERENCES permissions(id) ON DELETE CASCADE
+        ) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci
+    """))
+
+    conn.execute(sa.text("""
+        CREATE TABLE IF NOT EXISTS user_roles (
+            user_id INT NOT NULL,
+            role_id INT NOT NULL,
+            PRIMARY KEY (user_id, role_id),
+            FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE,
+            FOREIGN KEY (role_id) REFERENCES roles(id) ON DELETE CASCADE
+        ) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci
+    """))
+
+    # Seed default roles
+    for name, description in DEFAULT_ROLES:
+        conn.execute(sa.text(
+            "INSERT IGNORE INTO roles (name, description) VALUES (:name, :desc)"
+        ), {"name": name, "desc": description})
+
+    # Seed default permissions
+    for name, description in DEFAULT_PERMISSIONS:
+        conn.execute(sa.text(
+            "INSERT IGNORE INTO permissions (name, description) VALUES (:name, :desc)"
+        ), {"name": name, "desc": description})
+
+    # Seed role_permissions
+    for role_name, perm_names in ROLE_PERMISSION_MAP.items():
+        for perm_name in perm_names:
+            conn.execute(sa.text("""
+                INSERT IGNORE INTO role_permissions (role_id, permission_id)
+                SELECT r.id, p.id FROM roles r, permissions p
+                WHERE r.name = :role AND p.name = :perm
+            """), {"role": role_name, "perm": perm_name})
+
+
+def downgrade() -> None:
+    conn = op.get_bind()
+    for table in ["user_roles", "role_permissions", "permissions", "roles"]:
+        conn.execute(sa.text(f"DROP TABLE IF EXISTS {table}"))

web/migrations/versions/0004_vk_catalog_tables.py

@@ -0,0 +1,56 @@
+"""VK catalog tables (albums + products)
+
+Revision ID: 0004
+Revises: 0003
+Create Date: 2026-05-01
+
+"""
+from typing import Sequence, Union
+
+import sqlalchemy as sa
+from alembic import op
+
+revision: str = "0004"
+down_revision: Union[str, None] = "0003"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    op.create_table(
+        "vk_cached_albums",
+        sa.Column("id", sa.Integer, primary_key=True, autoincrement=True),
+        sa.Column("user_id", sa.Integer, sa.ForeignKey("users.id", ondelete="CASCADE"), nullable=False),
+        sa.Column("vk_group_id", sa.String(50), nullable=False),
+        sa.Column("album_id", sa.String(50), nullable=False),
+        sa.Column("title", sa.String(255), nullable=False),
+        sa.Column("count", sa.Integer, nullable=True),
+        sa.Column("fetched_at", sa.DateTime, nullable=False),
+        sa.UniqueConstraint("user_id", "vk_group_id", "album_id", name="uq_vk_cached_albums"),
+    )
+    op.create_index("ix_vk_cached_albums_user_group", "vk_cached_albums", ["user_id", "vk_group_id"])
+
+    op.create_table(
+        "vk_cached_products",
+        sa.Column("id", sa.Integer, primary_key=True, autoincrement=True),
+        sa.Column("user_id", sa.Integer, sa.ForeignKey("users.id", ondelete="CASCADE"), nullable=False),
+        sa.Column("vk_group_id", sa.String(50), nullable=False),
+        sa.Column("vk_product_id", sa.String(50), nullable=False),
+        sa.Column("album_id", sa.String(50), nullable=True),
+        sa.Column("name", sa.String(255), nullable=False),
+        sa.Column("description", sa.Text, nullable=True),
+        sa.Column("price", sa.Numeric(12, 2), nullable=True),
+        sa.Column("availability", sa.Integer, nullable=True),
+        sa.Column("thumb_url", sa.String(1024), nullable=True),
+        sa.Column("fetched_at", sa.DateTime, nullable=False),
+        sa.UniqueConstraint("user_id", "vk_group_id", "vk_product_id", name="uq_vk_cached_products"),
+    )
+    op.create_index(
+        "ix_vk_cached_products_user_group_album",
+        "vk_cached_products", ["user_id", "vk_group_id", "album_id"],
+    )
+
+
+def downgrade() -> None:
+    op.drop_table("vk_cached_products")
+    op.drop_table("vk_cached_albums")

web/models/__init__.py

@@ -0,0 +1,11 @@
+from web.models.user import User, UserRoleEnum, UserStatusEnum  # noqa: F401
+from web.models.rbac import Role, Permission, role_permissions, UserRole  # noqa: F401
+from web.models.connections import (  # noqa: F401
+    EvotorConnection,
+    VkConnection,
+    SyncConfig,
+    SyncFilter,
+    CachedStore,
+    CachedGroup,
+    CachedProduct,
+)

web/models/connections.py

@@ -0,0 +1,174 @@
+from sqlalchemy import (
+    Boolean, Column, DateTime, ForeignKey, Index, Integer,
+    Numeric, String, Text, UniqueConstraint, func,
+)
+
+from web.database import Base
+
+
+class EvotorConnection(Base):
+    __tablename__ = "evotor_connections"
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    user_id = Column(Integer, ForeignKey("users.id", ondelete="CASCADE"), nullable=True)
+    evotor_user_id = Column(String(255), nullable=True)
+    access_token = Column(Text, nullable=False)
+    api_token = Column(String(255), nullable=True)  # token we return to Evotor in webhook responses
+    store_id = Column(String(255), nullable=True)
+    store_name = Column(String(255), nullable=True)
+    refresh_token = Column(Text, nullable=True)
+    token_expires_at = Column(DateTime, nullable=True)
+    is_online = Column(Boolean, nullable=False, default=False)
+    last_checked_at = Column(DateTime, nullable=True)
+    connected_at = Column(DateTime, nullable=False, server_default=func.now())
+    updated_at = Column(DateTime, nullable=False, server_default=func.now(), onupdate=func.now())
+
+    __table_args__ = (
+        UniqueConstraint("user_id", name="ix_evotor_connections_user_id"),
+        UniqueConstraint("evotor_user_id", name="ix_evotor_connections_evotor_user_id"),
+    )
+
+
+class VkConnection(Base):
+    __tablename__ = "vk_connections"
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    user_id = Column(Integer, ForeignKey("users.id", ondelete="CASCADE"), nullable=False)
+    access_token = Column(Text, nullable=False)
+    vk_user_id = Column(String(50), nullable=True)
+    first_name = Column(String(255), nullable=True)
+    last_name = Column(String(255), nullable=True)
+    is_online = Column(Boolean, nullable=False, default=False)
+    last_checked_at = Column(DateTime, nullable=True)
+    connected_at = Column(DateTime, nullable=False, server_default=func.now())
+    updated_at = Column(DateTime, nullable=False, server_default=func.now(), onupdate=func.now())
+
+    __table_args__ = (
+        UniqueConstraint("user_id", name="ix_vk_connections_user_id"),
+    )
+
+
+class SyncConfig(Base):
+    __tablename__ = "sync_configs"
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    user_id = Column(Integer, ForeignKey("users.id", ondelete="CASCADE"), nullable=False)
+    is_enabled = Column(Boolean, nullable=False, default=False)
+    confirmed_at = Column(DateTime, nullable=True)
+    created_at = Column(DateTime, nullable=False, server_default=func.now())
+    updated_at = Column(DateTime, nullable=False, server_default=func.now(), onupdate=func.now())
+
+    __table_args__ = (
+        UniqueConstraint("user_id", name="ix_sync_configs_user_id"),
+    )
+
+
+class SyncFilter(Base):
+    __tablename__ = "sync_filters"
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    sync_config_id = Column(Integer, ForeignKey("sync_configs.id", ondelete="CASCADE"), nullable=False)
+    entity_type = Column(String(20), nullable=False)
+    entity_id = Column(String(255), nullable=False)
+    entity_name = Column(String(255), nullable=True)
+    filter_mode = Column(String(10), nullable=False)
+    parent_entity_id = Column(String(255), nullable=True)
+    created_at = Column(DateTime, nullable=False, server_default=func.now())
+
+    __table_args__ = (
+        UniqueConstraint("sync_config_id", "entity_type", "entity_id",
+                         name="uq_sync_filters_config_type_entity"),
+    )
+
+
+class VkCachedAlbum(Base):
+    __tablename__ = "vk_cached_albums"
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    user_id = Column(Integer, ForeignKey("users.id", ondelete="CASCADE"), nullable=False)
+    vk_group_id = Column(String(50), nullable=False)
+    album_id = Column(String(50), nullable=False)
+    title = Column(String(255), nullable=False)
+    count = Column(Integer, nullable=True)
+    fetched_at = Column(DateTime, nullable=False)
+
+    __table_args__ = (
+        UniqueConstraint("user_id", "vk_group_id", "album_id", name="uq_vk_cached_albums"),
+        Index("ix_vk_cached_albums_user_group", "user_id", "vk_group_id"),
+    )
+
+
+class VkCachedProduct(Base):
+    __tablename__ = "vk_cached_products"
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    user_id = Column(Integer, ForeignKey("users.id", ondelete="CASCADE"), nullable=False)
+    vk_group_id = Column(String(50), nullable=False)
+    vk_product_id = Column(String(50), nullable=False)
+    album_id = Column(String(50), nullable=True)
+    name = Column(String(255), nullable=False)
+    description = Column(Text, nullable=True)
+    price = Column(Numeric(12, 2), nullable=True)
+    availability = Column(Integer, nullable=True)
+    thumb_url = Column(String(1024), nullable=True)
+    fetched_at = Column(DateTime, nullable=False)
+
+    __table_args__ = (
+        UniqueConstraint("user_id", "vk_group_id", "vk_product_id", name="uq_vk_cached_products"),
+        Index("ix_vk_cached_products_user_group_album", "user_id", "vk_group_id", "album_id"),
+    )
+
+
+class CachedStore(Base):
+    __tablename__ = "cached_stores"
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    user_id = Column(Integer, ForeignKey("users.id", ondelete="CASCADE"), nullable=False)
+    evotor_id = Column(String(255), nullable=False)
+    name = Column(String(255), nullable=False)
+    address = Column(String(500), nullable=True)
+    fetched_at = Column(DateTime, nullable=False)
+
+    __table_args__ = (
+        UniqueConstraint("user_id", "evotor_id", name="uq_cached_stores_user_evotor"),
+        Index("ix_cached_stores_user_id", "user_id"),
+    )
+
+
+class CachedGroup(Base):
+    __tablename__ = "cached_groups"
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    user_id = Column(Integer, ForeignKey("users.id", ondelete="CASCADE"), nullable=False)
+    evotor_id = Column(String(255), nullable=False)
+    store_evotor_id = Column(String(255), nullable=False)
+    name = Column(String(255), nullable=False)
+    fetched_at = Column(DateTime, nullable=False)
+
+    __table_args__ = (
+        UniqueConstraint("user_id", "evotor_id", name="uq_cached_groups_user_evotor"),
+        Index("ix_cached_groups_user_store", "user_id", "store_evotor_id"),
+    )
+
+
+class CachedProduct(Base):
+    __tablename__ = "cached_products"
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    user_id = Column(Integer, ForeignKey("users.id", ondelete="CASCADE"), nullable=False)
+    evotor_id = Column(String(255), nullable=False)
+    store_evotor_id = Column(String(255), nullable=False)
+    group_evotor_id = Column(String(255), nullable=True)
+    name = Column(String(255), nullable=False)
+    price = Column(Numeric(12, 2), nullable=True)
+    quantity = Column(Numeric(12, 3), nullable=True)
+    measure_name = Column(String(20), nullable=True)
+    article_number = Column(String(100), nullable=True)
+    allow_to_sell = Column(Boolean, nullable=True)
+    fetched_at = Column(DateTime, nullable=False)
+    synced_at = Column(DateTime, nullable=True)
+
+    __table_args__ = (
+        UniqueConstraint("user_id", "evotor_id", name="uq_cached_products_user_evotor"),
+        Index("ix_cached_products_user_store_group", "user_id", "store_evotor_id", "group_evotor_id"),
+    )

web/models/rbac.py

@@ -0,0 +1,34 @@
+from sqlalchemy import Column, ForeignKey, Integer, String, Table
+
+from web.database import Base
+
+
+role_permissions = Table(
+    "role_permissions",
+    Base.metadata,
+    Column("role_id", Integer, ForeignKey("roles.id", ondelete="CASCADE"), primary_key=True),
+    Column("permission_id", Integer, ForeignKey("permissions.id", ondelete="CASCADE"), primary_key=True),
+)
+
+
+class Role(Base):
+    __tablename__ = "roles"
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    name = Column(String(50), nullable=False, unique=True)
+    description = Column(String(255), nullable=True)
+
+
+class Permission(Base):
+    __tablename__ = "permissions"
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    name = Column(String(100), nullable=False, unique=True)
+    description = Column(String(255), nullable=True)
+
+
+class UserRole(Base):
+    __tablename__ = "user_roles"
+
+    user_id = Column(Integer, ForeignKey("users.id", ondelete="CASCADE"), primary_key=True)
+    role_id = Column(Integer, ForeignKey("roles.id", ondelete="CASCADE"), primary_key=True)

web/models/user.py

@@ -0,0 +1,50 @@
+import enum
+
+from sqlalchemy import Boolean, Column, DateTime, Enum, Index, Integer, JSON, String, UniqueConstraint, func
+
+from web.database import Base
+
+
+class UserRoleEnum(str, enum.Enum):
+    system = "system"
+    admin = "admin"
+    user = "user"
+
+
+class UserStatusEnum(str, enum.Enum):
+    pending = "pending"
+    active = "active"
+    suspended = "suspended"
+
+
+class User(Base):
+    __tablename__ = "users"
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    first_name = Column(String(100), nullable=False)
+    last_name = Column(String(100), nullable=False)
+    email = Column(String(255), nullable=False)
+    phone = Column(String(20), nullable=False)
+    password_hash = Column(String(255), nullable=True)
+    is_email_confirmed = Column(Boolean, nullable=False, default=False)
+    email_confirm_token = Column(String(255), nullable=True)
+    password_reset_token = Column(String(255), nullable=True)
+    password_reset_expires = Column(DateTime, nullable=True)
+    role = Column(Enum(UserRoleEnum), nullable=False, default=UserRoleEnum.user)
+    status = Column(Enum(UserStatusEnum), nullable=False, default=UserStatusEnum.pending)
+    evotor_user_id = Column(String(255), nullable=True)
+    evotor_meta = Column(JSON, nullable=True)
+    invite_token = Column(String(255), nullable=True)
+    invite_expires = Column(DateTime, nullable=True)
+    phone_otp = Column(String(10), nullable=True)
+    phone_otp_expires = Column(DateTime, nullable=True)
+    created_at = Column(DateTime, nullable=False, server_default=func.now())
+    updated_at = Column(DateTime, nullable=False, server_default=func.now(), onupdate=func.now())
+
+    __table_args__ = (
+        UniqueConstraint("email", name="ix_users_email"),
+        UniqueConstraint("phone", name="ix_users_phone"),
+        UniqueConstraint("evotor_user_id", name="ix_users_evotor_user_id"),
+        Index("ix_users_role", "role"),
+        Index("ix_users_status", "status"),
+    )

web/notifications/base.py

@@ -0,0 +1,11 @@
+from abc import ABC, abstractmethod
+
+
+class EmailProvider(ABC):
+    @abstractmethod
+    def send(self, to: str, subject: str, html_body: str) -> None: ...
+
+
+class SMSProvider(ABC):
+    @abstractmethod
+    def send(self, to: str, text: str) -> None: ...

web/notifications/console.py

@@ -0,0 +1,28 @@
+import logging
+import re
+
+from web.notifications.base import EmailProvider, SMSProvider
+
+logger = logging.getLogger(__name__)
+
+
+class ConsoleEmailProvider(EmailProvider):
+    def send(self, to: str, subject: str, html_body: str) -> None:
+        # Extract plain URLs from HTML for readability in dev logs
+        urls = re.findall(r'href=["\']([^"\']+)["\']', html_body)
+        logger.info("=" * 50)
+        logger.info("EMAIL")
+        logger.info("Кому:  %s", to)
+        logger.info("Тема:  %s", subject)
+        for url in urls:
+            logger.info("Ссылка: %s", url)
+        logger.info("=" * 50)
+
+
+class ConsoleSMSProvider(SMSProvider):
+    def send(self, to: str, text: str) -> None:
+        logger.info("=" * 50)
+        logger.info("SMS")
+        logger.info("Номер: %s", to)
+        logger.info("Текст: %s", text)
+        logger.info("=" * 50)

web/notifications/registry.py

@@ -0,0 +1,17 @@
+from web.config import settings
+from web.notifications.base import EmailProvider, SMSProvider
+from web.notifications.console import ConsoleEmailProvider, ConsoleSMSProvider
+
+
+def get_email_provider() -> EmailProvider:
+    provider = settings.EMAIL_PROVIDER
+    if provider == "console":
+        return ConsoleEmailProvider()
+    raise ValueError(f"Unknown EMAIL_PROVIDER: {provider!r}")
+
+
+def get_sms_provider() -> SMSProvider:
+    provider = settings.SMS_PROVIDER
+    if provider == "console":
+        return ConsoleSMSProvider()
+    raise ValueError(f"Unknown SMS_PROVIDER: {provider!r}")

web/notifications/tasks.py

@@ -0,0 +1,12 @@
+from web.tasks.celery_app import celery_app
+from web.notifications.registry import get_email_provider, get_sms_provider
+
+
+@celery_app.task(name="web.notifications.tasks.send_email_task", queue="notifications")
+def send_email_task(to: str, subject: str, html_body: str) -> None:
+    get_email_provider().send(to, subject, html_body)
+
+
+@celery_app.task(name="web.notifications.tasks.send_sms_task", queue="notifications")
+def send_sms_task(to: str, text: str) -> None:
+    get_sms_provider().send(to, text)

web/routes/admin.py

@@ -0,0 +1,271 @@
+import secrets
+from datetime import datetime, timezone, timedelta
+
+from fastapi import APIRouter, Depends, Request
+from fastapi.responses import HTMLResponse, RedirectResponse
+from sqlalchemy.orm import Session
+
+from web.auth.password import hash_password
+from web.auth.rbac import require_role
+from web.auth.session import get_current_user
+from web.config import settings
+from web.database import get_db
+from web.models.rbac import Permission, Role, UserRole, role_permissions
+from web.models.user import User, UserRoleEnum, UserStatusEnum
+from web.notifications.tasks import send_email_task
+from web.templates_env import templates
+
+router = APIRouter(prefix="/admin")
+
+PAGE_SIZE = 25
+
+
+def _render(request: Request, template: str, ctx: dict) -> HTMLResponse:
+    ctx["request"] = request
+    ctx.setdefault("jivosite_widget_id", settings.JIVOSITE_WIDGET_ID)
+    return templates.TemplateResponse(ctx.pop("request"), template, ctx)
+
+
+def _admin_user(request: Request, db: Session) -> User:
+    """Get current user and verify admin/system role."""
+    try:
+        user = get_current_user(request, db)
+    except Exception:
+        raise
+    if user.role not in (UserRoleEnum.admin, UserRoleEnum.system):
+        from fastapi import HTTPException
+        raise HTTPException(403, "Недостаточно прав")
+    return user
+
+
+# ── User list ─────────────────────────────────────────────────────────────────
+
+@router.get("/users")
+async def admin_users(request: Request, db: Session = Depends(get_db)):
+    try:
+        admin = _admin_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+
+    q = db.query(User)
+    search = request.query_params.get("search", "").strip()
+    status_filter = request.query_params.get("status", "")
+    role_filter = request.query_params.get("role", "")
+    page = max(1, int(request.query_params.get("page", 1)))
+
+    if search:
+        q = q.filter(
+            (User.first_name.ilike(f"%{search}%")) |
+            (User.last_name.ilike(f"%{search}%")) |
+            (User.email.ilike(f"%{search}%")) |
+            (User.phone.ilike(f"%{search}%"))
+        )
+    if status_filter:
+        try:
+            q = q.filter(User.status == UserStatusEnum(status_filter))
+        except ValueError:
+            pass
+    if role_filter:
+        try:
+            q = q.filter(User.role == UserRoleEnum(role_filter))
+        except ValueError:
+            pass
+
+    total = q.count()
+    users = q.order_by(User.created_at.desc()).offset((page - 1) * PAGE_SIZE).limit(PAGE_SIZE).all()
+    total_pages = max(1, (total + PAGE_SIZE - 1) // PAGE_SIZE)
+
+    return _render(request, "admin/users.html", {
+        "user": admin,
+        "users": users,
+        "search": search,
+        "status_filter": status_filter,
+        "role_filter": role_filter,
+        "page": page,
+        "total_pages": total_pages,
+        "total": total,
+    })
+
+
+# ── User detail ───────────────────────────────────────────────────────────────
+
+@router.get("/users/{user_id}")
+async def admin_user_detail(user_id: int, request: Request, db: Session = Depends(get_db)):
+    try:
+        admin = _admin_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+    target = db.get(User, user_id)
+    if not target:
+        return RedirectResponse("/admin/users", 303)
+    return _render(request, "admin/user_detail.html", {"user": admin, "target": target})
+
+
+# ── User actions ──────────────────────────────────────────────────────────────
+
+@router.post("/users/{user_id}/activate")
+async def admin_activate(user_id: int, request: Request, db: Session = Depends(get_db)):
+    try:
+        _admin_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+    user = db.get(User, user_id)
+    if user:
+        user.status = UserStatusEnum.active
+        db.commit()
+    return RedirectResponse(f"/admin/users/{user_id}", 303)
+
+
+@router.post("/users/{user_id}/suspend")
+async def admin_suspend(user_id: int, request: Request, db: Session = Depends(get_db)):
+    try:
+        _admin_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+    user = db.get(User, user_id)
+    if user:
+        user.status = UserStatusEnum.suspended
+        db.commit()
+    return RedirectResponse(f"/admin/users/{user_id}", 303)
+
+
+@router.post("/users/{user_id}/reset-password")
+async def admin_reset_password(user_id: int, request: Request, db: Session = Depends(get_db)):
+    try:
+        _admin_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+    user = db.get(User, user_id)
+    if user:
+        token = secrets.token_urlsafe(32)
+        user.password_reset_token = token
+        user.password_reset_expires = datetime.now(timezone.utc).replace(tzinfo=None) + timedelta(
+            minutes=settings.PASSWORD_RESET_EXPIRE_MINUTES
+        )
+        db.commit()
+        reset_url = f"{settings.BASE_URL}/reset-password?token={token}"
+        html = f'<p>Сброс пароля (запрошен администратором): <a href="{reset_url}">{reset_url}</a></p>'
+        send_email_task.delay(user.email, "Сброс пароля — ЭВОСИНК", html)
+    return RedirectResponse(f"/admin/users/{user_id}?success=reset_sent", 303)
+
+
+@router.post("/users/{user_id}/send-invite")
+async def admin_send_invite(user_id: int, request: Request, db: Session = Depends(get_db)):
+    try:
+        _admin_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+    user = db.get(User, user_id)
+    if user:
+        token = secrets.token_urlsafe(32)
+        user.invite_token = token
+        user.invite_expires = datetime.now(timezone.utc).replace(tzinfo=None) + timedelta(hours=settings.INVITE_EXPIRE_HOURS)
+        db.commit()
+        invite_url = f"{settings.BASE_URL}/invite?token={token}"
+        html = (
+            f"<p>Вам отправлено приглашение в ЭВОСИНК.</p>"
+            f'<p><a href="{invite_url}">{invite_url}</a></p>'
+            f"<p>Ссылка действительна {settings.INVITE_EXPIRE_HOURS} часов.</p>"
+        )
+        send_email_task.delay(user.email, "Приглашение в ЭВОСИНК", html)
+    return RedirectResponse(f"/admin/users/{user_id}?success=invite_sent", 303)
+
+
+@router.post("/users/{user_id}/edit")
+async def admin_edit_user(user_id: int, request: Request, db: Session = Depends(get_db)):
+    try:
+        admin = _admin_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+    user = db.get(User, user_id)
+    if not user:
+        return RedirectResponse("/admin/users", 303)
+
+    form = await request.form()
+    data = {k: str(v).strip() for k, v in form.items()}
+    errors = []
+
+    if not data.get("first_name"):
+        errors.append("Имя обязательно")
+    if not data.get("last_name"):
+        errors.append("Фамилия обязательна")
+
+    if errors:
+        return _render(request, "admin/user_detail.html", {
+            "user": admin, "target": user, "errors": errors,
+        })
+
+    user.first_name = data["first_name"]
+    user.last_name = data["last_name"]
+    if data.get("email"):
+        user.email = data["email"]
+    if data.get("phone"):
+        user.phone = data["phone"]
+    if data.get("role") and admin.role == UserRoleEnum.system:
+        try:
+            user.role = UserRoleEnum(data["role"])
+        except ValueError:
+            pass
+    db.commit()
+    return RedirectResponse(f"/admin/users/{user_id}?success=saved", 303)
+
+
+@router.post("/users/{user_id}/delete")
+async def admin_delete_user(user_id: int, request: Request, db: Session = Depends(get_db)):
+    try:
+        admin = _admin_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+    if admin.role != UserRoleEnum.system:
+        return RedirectResponse(f"/admin/users/{user_id}", 303)
+    user = db.get(User, user_id)
+    if user:
+        db.delete(user)
+        db.commit()
+    return RedirectResponse("/admin/users", 303)
+
+
+# ── Roles ─────────────────────────────────────────────────────────────────────
+
+@router.get("/roles")
+async def admin_roles(request: Request, db: Session = Depends(get_db)):
+    try:
+        admin = _admin_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+    if admin.role != UserRoleEnum.system:
+        return RedirectResponse("/admin/users", 303)
+    roles = db.query(Role).order_by(Role.id).all()
+    permissions = db.query(Permission).order_by(Permission.name).all()
+    role_perm_ids: dict[int, set[int]] = {}
+    for role in roles:
+        rows = db.execute(
+            role_permissions.select().where(role_permissions.c.role_id == role.id)
+        ).fetchall()
+        role_perm_ids[role.id] = {r.permission_id for r in rows}
+    return _render(request, "admin/roles.html", {
+        "user": admin, "roles": roles, "permissions": permissions,
+        "role_perm_ids": role_perm_ids,
+    })
+
+
+@router.post("/roles/{role_id}/permissions")
+async def admin_update_role_permissions(
+    role_id: int, request: Request, db: Session = Depends(get_db)
+):
+    try:
+        admin = _admin_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+    if admin.role != UserRoleEnum.system:
+        return RedirectResponse("/admin/roles", 303)
+
+    form = await request.form()
+    selected_ids = {int(v) for k, v in form.items() if k.startswith("perm_")}
+
+    # Remove all existing, re-insert selected
+    db.execute(role_permissions.delete().where(role_permissions.c.role_id == role_id))
+    for perm_id in selected_ids:
+        db.execute(role_permissions.insert().values(role_id=role_id, permission_id=perm_id))
+    db.commit()
+    return RedirectResponse("/admin/roles", 303)

web/routes/auth.py

@@ -0,0 +1,170 @@
+import secrets
+
+from fastapi import APIRouter, Depends, Request
+from fastapi.responses import HTMLResponse, RedirectResponse
+from sqlalchemy import or_
+from sqlalchemy.orm import Session
+
+from web.auth.password import hash_password, verify_password
+from web.auth.session import get_session_user_id
+from web.config import settings
+from web.database import get_db
+from web.models.user import User, UserStatusEnum
+from web.notifications.tasks import send_email_task
+from web.templates_env import templates
+
+router = APIRouter()
+
+
+def _render(request: Request, template: str, ctx: dict) -> HTMLResponse:
+    ctx["request"] = request
+    ctx.setdefault("jivosite_widget_id", settings.JIVOSITE_WIDGET_ID)
+    return templates.TemplateResponse(ctx.pop("request"), template, ctx)
+
+
+@router.get("/register")
+async def register_get(request: Request, db: Session = Depends(get_db)):
+    if get_session_user_id(request):
+        return RedirectResponse("/profile", 303)
+    return _render(request, "register.html", {"user": None})
+
+
+@router.post("/register")
+async def register_post(request: Request, db: Session = Depends(get_db)):
+    form = await request.form()
+    data = {k: str(v).strip() for k, v in form.items()}
+    errors = []
+
+    if not data.get("email"):
+        errors.append("Email обязателен")
+    if not data.get("phone"):
+        errors.append("Телефон обязателен")
+    if not data.get("password"):
+        errors.append("Пароль обязателен")
+    if len(data.get("password", "")) < 8:
+        errors.append("Пароль должен содержать минимум 8 символов")
+    if data.get("password") != data.get("password_confirm"):
+        errors.append("Пароли не совпадают")
+
+    if not errors:
+        existing = db.query(User).filter(
+            or_(User.email == data["email"], User.phone == data["phone"])
+        ).first()
+        if existing:
+            if existing.email == data["email"]:
+                errors.append("Пользователь с таким email уже существует")
+            else:
+                errors.append("Пользователь с таким телефоном уже существует")
+
+    if errors:
+        return _render(request, "register.html", {"user": None, "errors": errors, "form": data})
+
+    token = secrets.token_urlsafe(32)
+    user = User(
+        first_name=data.get("first_name", ""),
+        last_name=data.get("last_name", ""),
+        email=data["email"],
+        phone=data["phone"],
+        password_hash=await _hash(data["password"]),
+        email_confirm_token=token,
+        status=UserStatusEnum.pending,
+    )
+    db.add(user)
+    db.commit()
+
+    confirm_url = f"{settings.BASE_URL}/confirm-email?token={token}"
+    html = f'<p>Подтвердите email: <a href="{confirm_url}">{confirm_url}</a></p>'
+    send_email_task.delay(user.email, "Подтвердите ваш email — ЭВОСИНК", html)
+
+    return _render(request, "confirm_email.html", {"user": None})
+
+
+@router.get("/confirm-email")
+async def confirm_email(request: Request, db: Session = Depends(get_db)):
+    token = request.query_params.get("token")
+    if not token:
+        return _render(request, "message.html", {
+            "user": None, "title": "Ошибка", "message": "Неверная или устаревшая ссылка.",
+            "link": "/login", "link_text": "Войти",
+        })
+    user = db.query(User).filter(User.email_confirm_token == token).first()
+    if not user:
+        return _render(request, "message.html", {
+            "user": None, "title": "Ошибка", "message": "Неверная или устаревшая ссылка.",
+            "link": "/login", "link_text": "Войти",
+        })
+    user.is_email_confirmed = True
+    user.email_confirm_token = None
+    user.status = UserStatusEnum.active
+    db.commit()
+    return _render(request, "email_confirmed.html", {"user": None})
+
+
+@router.get("/resend-confirm")
+async def resend_confirm(request: Request, db: Session = Depends(get_db)):
+    user_id = get_session_user_id(request)
+    if not user_id:
+        return RedirectResponse("/login", 303)
+    user = db.get(User, user_id)
+    if not user or user.is_email_confirmed:
+        return RedirectResponse("/profile", 303)
+    token = secrets.token_urlsafe(32)
+    user.email_confirm_token = token
+    db.commit()
+    confirm_url = f"{settings.BASE_URL}/confirm-email?token={token}"
+    html = f'<p>Подтвердите email: <a href="{confirm_url}">{confirm_url}</a></p>'
+    send_email_task.delay(user.email, "Подтвердите ваш email — ЭВОСИНК", html)
+    return _render(request, "message.html", {
+        "user": user,
+        "title": "Письмо отправлено",
+        "message": "Проверьте почту и нажмите на ссылку для подтверждения.",
+        "link": "/profile", "link_text": "Назад",
+    })
+
+
+@router.get("/login")
+async def login_get(request: Request, db: Session = Depends(get_db)):
+    if get_session_user_id(request):
+        return RedirectResponse("/profile", 303)
+    return _render(request, "login.html", {"user": None})
+
+
+@router.post("/login")
+async def login_post(request: Request, db: Session = Depends(get_db)):
+    form = await request.form()
+    email = str(form.get("email", "")).strip()
+    password = str(form.get("password", ""))
+    errors = []
+
+    if not email:
+        errors.append("Email обязателен")
+    if not password:
+        errors.append("Пароль обязателен")
+
+    if not errors:
+        user = db.query(User).filter(User.email == email).first()
+        if not user or not user.password_hash or not verify_password(password, user.password_hash):
+            errors.append("Неверный email или пароль")
+        elif user.status == UserStatusEnum.suspended:
+            errors.append("Ваш аккаунт заблокирован. Обратитесь к администратору.")
+        elif not user.is_email_confirmed:
+            errors.append("Пожалуйста, подтвердите ваш email")
+
+    if errors:
+        return _render(request, "login.html", {
+            "user": None, "errors": errors, "form": {"email": email},
+        })
+
+    request.session["user_id"] = user.id
+    return RedirectResponse("/profile", 303)
+
+
+@router.get("/logout")
+async def logout(request: Request):
+    request.session.clear()
+    return RedirectResponse("/login", 303)
+
+
+async def _hash(plain: str) -> str:
+    import asyncio
+    return await asyncio.get_event_loop().run_in_executor(None, hash_password, plain)

web/routes/catalog.py

@@ -0,0 +1,252 @@
+from datetime import datetime, timezone
+
+from fastapi import APIRouter, Depends, Request
+from fastapi.responses import HTMLResponse, RedirectResponse
+from sqlalchemy.orm import Session
+
+from web.auth.session import get_current_user
+from web.config import settings
+from web.database import get_db
+from web.models.connections import CachedGroup, CachedProduct, CachedStore, SyncConfig, SyncFilter
+from web.templates_env import templates
+
+router = APIRouter()
+
+
+def _get_or_create_sync_config(db: Session, user_id: int) -> SyncConfig:
+    cfg = db.query(SyncConfig).filter_by(user_id=user_id).first()
+    if not cfg:
+        cfg = SyncConfig(user_id=user_id, is_enabled=True)
+        db.add(cfg)
+        db.flush()
+    return cfg
+
+
+def _enabled_store_ids(db: Session, user_id: int) -> set[str] | None:
+    """Return set of enabled store evotor_ids, or None if no filters set (all enabled)."""
+    cfg = db.query(SyncConfig).filter_by(user_id=user_id).first()
+    if not cfg:
+        return None
+    filters = db.query(SyncFilter).filter_by(
+        sync_config_id=cfg.id, entity_type="store", filter_mode="include"
+    ).all()
+    if not filters:
+        return None
+    return {f.entity_id for f in filters}
+
+
+def _enabled_group_ids(db: Session, user_id: int, store_evotor_id: str) -> set[str] | None:
+    """Return set of enabled group evotor_ids for a store, or None if all enabled."""
+    cfg = db.query(SyncConfig).filter_by(user_id=user_id).first()
+    if not cfg:
+        return None
+    filters = db.query(SyncFilter).filter_by(
+        sync_config_id=cfg.id, entity_type="group", filter_mode="include",
+        parent_entity_id=store_evotor_id,
+    ).all()
+    if not filters:
+        return None
+    return {f.entity_id for f in filters}
+
+
+def _render(request: Request, template: str, ctx: dict) -> HTMLResponse:
+    ctx["request"] = request
+    ctx.setdefault("jivosite_widget_id", settings.JIVOSITE_WIDGET_ID)
+    return templates.TemplateResponse(ctx.pop("request"), template, ctx)
+
+
+@router.get("/catalog/stores")
+async def catalog_stores(request: Request, db: Session = Depends(get_db)):
+    try:
+        user = get_current_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+
+    stores = (
+        db.query(CachedStore)
+        .filter(CachedStore.user_id == user.id)
+        .order_by(CachedStore.name)
+        .all()
+    )
+    enabled_ids = _enabled_store_ids(db, user.id)
+    return _render(request, "catalog/stores.html", {
+        "user": user,
+        "stores": stores,
+        "enabled_ids": enabled_ids,  # None = all enabled, set = explicit list
+        "refresh_interval": settings.CATALOG_REFRESH_INTERVAL_SECONDS,
+    })
+
+
+@router.get("/catalog/stores/{store_evotor_id}/groups")
+async def catalog_groups(store_evotor_id: str, request: Request, db: Session = Depends(get_db)):
+    try:
+        user = get_current_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+
+    store = (
+        db.query(CachedStore)
+        .filter(CachedStore.user_id == user.id, CachedStore.evotor_id == store_evotor_id)
+        .first()
+    )
+    if not store:
+        return RedirectResponse("/catalog/stores", 303)
+
+    groups = (
+        db.query(CachedGroup)
+        .filter(CachedGroup.user_id == user.id, CachedGroup.store_evotor_id == store_evotor_id)
+        .order_by(CachedGroup.name)
+        .all()
+    )
+    enabled_ids = _enabled_group_ids(db, user.id, store_evotor_id)
+    return _render(request, "catalog/groups.html", {
+        "user": user, "store": store, "groups": groups,
+        "enabled_ids": enabled_ids,
+    })
+
+
+@router.get("/catalog/stores/{store_evotor_id}/products")
+async def catalog_products(store_evotor_id: str, request: Request, db: Session = Depends(get_db)):
+    try:
+        user = get_current_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+
+    store = (
+        db.query(CachedStore)
+        .filter(CachedStore.user_id == user.id, CachedStore.evotor_id == store_evotor_id)
+        .first()
+    )
+    if not store:
+        return RedirectResponse("/catalog/stores", 303)
+
+    group_id = request.query_params.get("group")
+    q = db.query(CachedProduct).filter(
+        CachedProduct.user_id == user.id,
+        CachedProduct.store_evotor_id == store_evotor_id,
+    )
+    if group_id:
+        q = q.filter(CachedProduct.group_evotor_id == group_id)
+
+    products = q.order_by(CachedProduct.name).all()
+    groups = (
+        db.query(CachedGroup)
+        .filter(CachedGroup.user_id == user.id, CachedGroup.store_evotor_id == store_evotor_id)
+        .order_by(CachedGroup.name)
+        .all()
+    )
+    return _render(request, "catalog/products.html", {
+        "user": user,
+        "store": store,
+        "products": products,
+        "groups": groups,
+        "group_id": group_id,
+    })
+
+
+@router.post("/catalog/stores/{store_evotor_id}/toggle")
+async def catalog_store_toggle(store_evotor_id: str, request: Request, db: Session = Depends(get_db)):
+    try:
+        user = get_current_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+
+    cfg = _get_or_create_sync_config(db, user.id)
+
+    # If no filters exist yet, that means all stores are implicitly enabled.
+    # Toggling one store OFF means we create include-filters for all OTHER stores.
+    existing = db.query(SyncFilter).filter_by(
+        sync_config_id=cfg.id, entity_type="store", filter_mode="include"
+    ).all()
+    existing_ids = {f.entity_id for f in existing}
+
+    if store_evotor_id in existing_ids:
+        # Currently enabled → disable: remove its filter
+        db.query(SyncFilter).filter_by(
+            sync_config_id=cfg.id, entity_type="store",
+            entity_id=store_evotor_id, filter_mode="include",
+        ).delete()
+    else:
+        if not existing_ids:
+            # First toggle: seed include-filters for all OTHER stores
+            all_stores = db.query(CachedStore).filter_by(user_id=user.id).all()
+            now = datetime.now(timezone.utc).replace(tzinfo=None)
+            for s in all_stores:
+                if s.evotor_id == store_evotor_id:
+                    continue
+                db.add(SyncFilter(
+                    sync_config_id=cfg.id,
+                    entity_type="store",
+                    entity_id=s.evotor_id,
+                    entity_name=s.name,
+                    filter_mode="include",
+                    created_at=now,
+                ))
+        else:
+            # Re-enable: add its filter back
+            db.add(SyncFilter(
+                sync_config_id=cfg.id,
+                entity_type="store",
+                entity_id=store_evotor_id,
+                filter_mode="include",
+                created_at=datetime.now(timezone.utc).replace(tzinfo=None),
+            ))
+
+    db.commit()
+    return RedirectResponse("/catalog/stores", 303)
+
+
+@router.post("/catalog/stores/{store_evotor_id}/groups/{group_evotor_id}/toggle")
+async def catalog_group_toggle(
+    store_evotor_id: str, group_evotor_id: str,
+    request: Request, db: Session = Depends(get_db),
+):
+    try:
+        user = get_current_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+
+    cfg = _get_or_create_sync_config(db, user.id)
+
+    existing = db.query(SyncFilter).filter_by(
+        sync_config_id=cfg.id, entity_type="group", filter_mode="include",
+        parent_entity_id=store_evotor_id,
+    ).all()
+    existing_ids = {f.entity_id for f in existing}
+
+    if group_evotor_id in existing_ids:
+        db.query(SyncFilter).filter_by(
+            sync_config_id=cfg.id, entity_type="group",
+            entity_id=group_evotor_id, filter_mode="include",
+        ).delete()
+    else:
+        if not existing_ids:
+            # First toggle: seed include-filters for all OTHER groups in this store
+            all_groups = db.query(CachedGroup).filter_by(
+                user_id=user.id, store_evotor_id=store_evotor_id,
+            ).all()
+            now = datetime.now(timezone.utc).replace(tzinfo=None)
+            for g in all_groups:
+                if g.evotor_id == group_evotor_id:
+                    continue
+                db.add(SyncFilter(
+                    sync_config_id=cfg.id,
+                    entity_type="group",
+                    entity_id=g.evotor_id,
+                    entity_name=g.name,
+                    filter_mode="include",
+                    parent_entity_id=store_evotor_id,
+                    created_at=now,
+                ))
+        else:
+            db.add(SyncFilter(
+                sync_config_id=cfg.id,
+                entity_type="group",
+                entity_id=group_evotor_id,
+                filter_mode="include",
+                parent_entity_id=store_evotor_id,
+                created_at=datetime.now(timezone.utc).replace(tzinfo=None),
+            ))
+
+    db.commit()
+    return RedirectResponse(f"/catalog/stores/{store_evotor_id}/groups", 303)

web/routes/connections.py

@@ -0,0 +1,229 @@
+import secrets
+from datetime import datetime, timezone
+
+import httpx
+from fastapi import APIRouter, Depends, Request
+from fastapi.responses import HTMLResponse, JSONResponse, RedirectResponse
+from sqlalchemy.orm import Session
+
+from web.auth.session import get_current_user
+from web.config import settings
+from web.database import get_db
+from web.models.connections import EvotorConnection, VkConnection
+from web.templates_env import templates
+
+router = APIRouter()
+
+
+def _render(request: Request, template: str, ctx: dict) -> HTMLResponse:
+    ctx["request"] = request
+    ctx.setdefault("jivosite_widget_id", settings.JIVOSITE_WIDGET_ID)
+    return templates.TemplateResponse(ctx.pop("request"), template, ctx)
+
+
+def _now() -> datetime:
+    return datetime.now(timezone.utc).replace(tzinfo=None)
+
+
+@router.get("/connections")
+async def connections_get(request: Request, db: Session = Depends(get_db)):
+    try:
+        user = get_current_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+
+    evotor = db.query(EvotorConnection).filter_by(user_id=user.id).first()
+    vk = db.query(VkConnection).filter_by(user_id=user.id).first()
+    return _render(request, "connections.html", {"user": user, "evotor": evotor, "vk": vk})
+
+
+@router.post("/connections/evotor")
+async def connections_evotor_post(request: Request, db: Session = Depends(get_db)):
+    try:
+        user = get_current_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+
+    form = await request.form()
+    access_token = str(form.get("access_token", "")).strip()
+    evotor_user_id = str(form.get("evotor_user_id", "")).strip() or None
+
+    if not access_token:
+        evotor = db.query(EvotorConnection).filter_by(user_id=user.id).first()
+        return _render(request, "connections.html", {
+            "user": user,
+            "evotor": evotor,
+            "errors": ["API-токен обязателен"],
+        })
+
+    now = _now()
+    conn = db.query(EvotorConnection).filter_by(user_id=user.id).first()
+    if conn:
+        conn.access_token = access_token
+        if evotor_user_id:
+            conn.evotor_user_id = evotor_user_id
+        conn.updated_at = now
+    else:
+        conn = EvotorConnection(
+            user_id=user.id,
+            evotor_user_id=evotor_user_id,
+            access_token=access_token,
+            api_token=secrets.token_urlsafe(32),
+            connected_at=now,
+            updated_at=now,
+        )
+        db.add(conn)
+
+    if evotor_user_id and not user.evotor_user_id:
+        user.evotor_user_id = evotor_user_id
+
+    db.commit()
+    return RedirectResponse("/connections?success=1", 303)
+
+
+@router.post("/connections/evotor/disconnect")
+async def connections_evotor_disconnect(request: Request, db: Session = Depends(get_db)):
+    try:
+        user = get_current_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+
+    conn = db.query(EvotorConnection).filter_by(user_id=user.id).first()
+    if conn:
+        db.delete(conn)
+        db.commit()
+    return RedirectResponse("/connections", 303)
+
+
+@router.post("/connections/vk")
+async def connections_vk_post(request: Request, db: Session = Depends(get_db)):
+    try:
+        user = get_current_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+
+    form = await request.form()
+    access_token = str(form.get("access_token", "")).strip()
+    vk_group_id = str(form.get("vk_group_id", "")).strip() or None
+
+    if not access_token:
+        evotor = db.query(EvotorConnection).filter_by(user_id=user.id).first()
+        vk = db.query(VkConnection).filter_by(user_id=user.id).first()
+        return _render(request, "connections.html", {
+            "user": user,
+            "evotor": evotor,
+            "vk": vk,
+            "errors": ["Токен VK обязателен"],
+        })
+
+    now = _now()
+    conn = db.query(VkConnection).filter_by(user_id=user.id).first()
+    if conn:
+        conn.access_token = access_token
+        if vk_group_id:
+            conn.vk_user_id = vk_group_id
+        conn.updated_at = now
+    else:
+        conn = VkConnection(
+            user_id=user.id,
+            access_token=access_token,
+            vk_user_id=vk_group_id,
+            connected_at=now,
+            updated_at=now,
+        )
+        db.add(conn)
+
+    db.commit()
+    return RedirectResponse("/connections?success=1", 303)
+
+
+@router.post("/connections/vk/disconnect")
+async def connections_vk_disconnect(request: Request, db: Session = Depends(get_db)):
+    try:
+        user = get_current_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+
+    conn = db.query(VkConnection).filter_by(user_id=user.id).first()
+    if conn:
+        db.delete(conn)
+        db.commit()
+    return RedirectResponse("/connections", 303)
+
+
+@router.post("/connections/evotor/test")
+async def connections_evotor_test(request: Request, db: Session = Depends(get_db)):
+    try:
+        user = get_current_user(request, db)
+    except Exception:
+        return JSONResponse({"ok": False, "message": "Не авторизован"}, status_code=401)
+
+    conn = db.query(EvotorConnection).filter_by(user_id=user.id).first()
+    if not conn:
+        return JSONResponse({"ok": False, "message": "Подключение не настроено"})
+
+    try:
+        r = httpx.get(
+            "https://api.evotor.ru/stores",
+            headers={
+                "Authorization": f"Bearer {conn.access_token}",
+                "Accept": "application/vnd.evotor.v2+json",
+            },
+            timeout=10,
+        )
+        if r.status_code == 200:
+            data = r.json()
+            items = data.get("items", data) if isinstance(data, dict) else data
+            count = len(items) if isinstance(items, list) else "?"
+            return JSONResponse({"ok": True, "message": f"Успешно. Найдено магазинов: {count}"})
+        elif r.status_code == 401:
+            return JSONResponse({"ok": False, "message": "Токен недействителен (401)"})
+        else:
+            return JSONResponse({"ok": False, "message": f"Ошибка API: HTTP {r.status_code}"})
+    except httpx.TimeoutException:
+        return JSONResponse({"ok": False, "message": "Таймаут запроса к Эвотор"})
+    except Exception as e:
+        return JSONResponse({"ok": False, "message": f"Ошибка: {e}"})
+
+
+@router.post("/connections/vk/test")
+async def connections_vk_test(request: Request, db: Session = Depends(get_db)):
+    try:
+        user = get_current_user(request, db)
+    except Exception:
+        return JSONResponse({"ok": False, "message": "Не авторизован"}, status_code=401)
+
+    conn = db.query(VkConnection).filter_by(user_id=user.id).first()
+    if not conn:
+        return JSONResponse({"ok": False, "message": "Подключение не настроено"})
+
+    try:
+        params = {
+            "access_token": conn.access_token,
+            "v": settings.VK_API_VERSION,
+        }
+        if conn.vk_user_id:
+            params["group_ids"] = conn.vk_user_id
+
+        r = httpx.get(
+            "https://api.vk.com/method/groups.getById",
+            params=params,
+            timeout=10,
+        )
+        data = r.json()
+        if "error" in data:
+            code = data["error"].get("error_code")
+            msg = data["error"].get("error_msg", "Неизвестная ошибка")
+            return JSONResponse({"ok": False, "message": f"Ошибка VK API ({code}): {msg}"})
+
+        groups = data.get("response", {}).get("groups", [])
+        if groups:
+            name = groups[0].get("name", "—")
+            return JSONResponse({"ok": True, "message": f"Успешно. Сообщество: «{name}»"})
+        else:
+            return JSONResponse({"ok": True, "message": "Токен действителен. Укажите ID сообщества для полной проверки."})
+    except httpx.TimeoutException:
+        return JSONResponse({"ok": False, "message": "Таймаут запроса к VK"})
+    except Exception as e:
+        return JSONResponse({"ok": False, "message": f"Ошибка: {e}"})
+

web/routes/evotor_webhooks.py

@@ -0,0 +1,269 @@
+"""
+Evotor webhook endpoints.
+
+POST /user/create  — Evotor creates a new subscriber; we create/link a local user and return a token.
+POST /user/verify  — Evotor verifies credentials for a user trying to log in via the Evotor interface.
+POST /user/token   — Evotor sends us its own API token for the user.
+"""
+import json
+import logging
+import secrets
+from datetime import datetime, timezone, timedelta
+from typing import Any
+
+from fastapi import APIRouter, Depends, Request
+from fastapi.responses import JSONResponse
+from sqlalchemy import or_
+from sqlalchemy.orm import Session
+
+from web.auth.password import verify_password
+from web.config import settings
+from web.database import get_db
+from web.models.connections import EvotorConnection
+from web.models.user import User, UserRoleEnum, UserStatusEnum
+from web.notifications.tasks import send_email_task
+
+logger = logging.getLogger(__name__)
+router = APIRouter()
+
+EVOTOR_STORES_URL = "https://api.evotor.ru/stores"
+
+
+def _verify_secret(request: Request) -> bool:
+    secret = settings.EVOTOR_WEBHOOK_SECRET
+    if not secret:
+        return True  # dev mode: no secret configured
+    auth = request.headers.get("Authorization", "")
+    return auth == f"Bearer {secret}"
+
+
+def _parse_custom_fields(raw: Any) -> dict:
+    """Extract known fields from Evotor customField (may be JSON string or dict)."""
+    if raw is None:
+        return {}
+    if isinstance(raw, dict):
+        return raw
+    if isinstance(raw, str):
+        try:
+            parsed = json.loads(raw)
+            if isinstance(parsed, dict):
+                return parsed
+        except (json.JSONDecodeError, ValueError):
+            pass
+    return {}
+
+
+def _upsert_evotor_connection(
+    db: Session,
+    user_id: int | None,
+    evotor_user_id: str,
+    access_token: str | None = None,
+) -> str:
+    """Create or update an evotor_connections row; always regenerates api_token."""
+    api_token = secrets.token_urlsafe(32)
+    conn = db.query(EvotorConnection).filter(
+        EvotorConnection.evotor_user_id == evotor_user_id
+    ).first()
+    now = datetime.now(timezone.utc).replace(tzinfo=None)
+    if conn:
+        conn.api_token = api_token
+        if user_id is not None:
+            conn.user_id = user_id
+        if access_token:
+            conn.access_token = access_token
+        conn.updated_at = now
+    else:
+        conn = EvotorConnection(
+            user_id=user_id,
+            evotor_user_id=evotor_user_id,
+            access_token=access_token or "",
+            api_token=api_token,
+            connected_at=now,
+            updated_at=now,
+        )
+        db.add(conn)
+    db.flush()
+    return api_token
+
+
+@router.post("/user/create")
+async def user_create(request: Request, db: Session = Depends(get_db)):
+    if not _verify_secret(request):
+        return JSONResponse({"error": "Unauthorized"}, status_code=401)
+
+    try:
+        body = await request.json()
+    except Exception:
+        return JSONResponse({"error": "Invalid JSON"}, status_code=400)
+
+    evotor_user_id: str = body.get("userId", "")
+    if not evotor_user_id:
+        return JSONResponse({"error": "userId required"}, status_code=400)
+
+    custom = _parse_custom_fields(body.get("customField"))
+    email = (custom.get("email") or "").strip().lower() or None
+    phone = (custom.get("phone") or "").strip() or None
+    first_name = (custom.get("first_name") or custom.get("firstName") or "").strip() or None
+    last_name = (custom.get("last_name") or custom.get("lastName") or "").strip() or None
+
+    # Try to find existing user
+    user: User | None = None
+
+    # 1. By evotor_user_id
+    user = db.query(User).filter(User.evotor_user_id == evotor_user_id).first()
+
+    # 2. By email
+    if user is None and email:
+        user = db.query(User).filter(User.email == email).first()
+
+    # 3. By phone
+    if user is None and phone:
+        user = db.query(User).filter(User.phone == phone).first()
+
+    now = datetime.now(timezone.utc).replace(tzinfo=None)
+
+    if user:
+        # Link Evotor to existing user
+        user.evotor_user_id = evotor_user_id
+        user.evotor_meta = custom or body
+        if user.status == UserStatusEnum.pending:
+            user.status = UserStatusEnum.active
+        db.flush()
+    else:
+        # Create new pending user
+        user = User(
+            first_name=first_name or "",
+            last_name=last_name or "",
+            email=email or f"{evotor_user_id}@evotor.placeholder",
+            phone=phone or "",
+            password_hash=None,
+            role=UserRoleEnum.user,
+            status=UserStatusEnum.pending,
+            evotor_user_id=evotor_user_id,
+            evotor_meta=custom or body,
+            created_at=now,
+            updated_at=now,
+        )
+        db.add(user)
+        db.flush()  # get user.id
+
+    # Generate invite
+    invite_token = secrets.token_urlsafe(32)
+    user.invite_token = invite_token
+    user.invite_expires = now + timedelta(hours=settings.INVITE_EXPIRE_HOURS)
+
+    api_token = _upsert_evotor_connection(db, user.id, evotor_user_id)
+    db.commit()
+
+    # Send invite email if we have a real email address
+    if email:
+        invite_url = f"{settings.BASE_URL}/invite?token={invite_token}"
+        html = (
+            f"<p>Здравствуйте!</p>"
+            f"<p>Вам открыт доступ к ЭВОСИНК. Завершите регистрацию по ссылке:</p>"
+            f'<p><a href="{invite_url}">{invite_url}</a></p>'
+            f"<p>Ссылка действительна {settings.INVITE_EXPIRE_HOURS} часов.</p>"
+        )
+        send_email_task.delay(email, "Приглашение в ЭВОСИНК", html)
+    else:
+        logger.info("No email for evotor_user_id=%s, invite URL: %s/invite?token=%s",
+                    evotor_user_id, settings.BASE_URL, invite_token)
+
+    return JSONResponse({"userId": evotor_user_id, "token": api_token})
+
+
+@router.post("/user/verify")
+async def user_verify(request: Request, db: Session = Depends(get_db)):
+    if not _verify_secret(request):
+        return JSONResponse({"error": "Unauthorized"}, status_code=401)
+
+    try:
+        body = await request.json()
+    except Exception:
+        return JSONResponse({"error": "Invalid JSON"}, status_code=400)
+
+    evotor_user_id: str = body.get("userId", "")
+    username: str = body.get("username", "").strip()
+    password: str = body.get("password", "")
+
+    if not username or not password:
+        return JSONResponse({"error": "username and password required"}, status_code=400)
+
+    # username is email or phone
+    user = db.query(User).filter(
+        or_(User.email == username, User.phone == username)
+    ).first()
+
+    if not user or not user.password_hash:
+        return JSONResponse({"error": "Неверные данные"}, status_code=401)
+
+    if user.status == UserStatusEnum.suspended:
+        return JSONResponse({"error": "Аккаунт заблокирован"}, status_code=403)
+
+    if not verify_password(password, user.password_hash):
+        return JSONResponse({"error": "Неверные данные"}, status_code=401)
+
+    # Get or create connection to retrieve api_token
+    conn = db.query(EvotorConnection).filter(
+        EvotorConnection.evotor_user_id == (user.evotor_user_id or evotor_user_id)
+    ).first()
+    if not conn:
+        # Auto-link: create connection with Evotor userId from request
+        if evotor_user_id and not user.evotor_user_id:
+            user.evotor_user_id = evotor_user_id
+            db.flush()
+        api_token = _upsert_evotor_connection(db, user.id, evotor_user_id or (user.evotor_user_id or ""))
+        db.commit()
+    else:
+        api_token = conn.api_token or secrets.token_urlsafe(32)
+        if not conn.api_token:
+            conn.api_token = api_token
+            db.commit()
+
+    return JSONResponse({"userId": user.evotor_user_id or evotor_user_id, "token": api_token})
+
+
+@router.post("/user/token")
+async def user_token(request: Request, db: Session = Depends(get_db)):
+    if not _verify_secret(request):
+        return JSONResponse({"error": "Unauthorized"}, status_code=401)
+
+    try:
+        body = await request.json()
+    except Exception:
+        return JSONResponse({"error": "Invalid JSON"}, status_code=400)
+
+    evotor_user_id: str = body.get("userId", "")
+    evotor_token: str = body.get("token", "")
+
+    if not evotor_user_id or not evotor_token:
+        return JSONResponse({"error": "userId and token required"}, status_code=400)
+
+    user = db.query(User).filter(User.evotor_user_id == evotor_user_id).first()
+    if not user:
+        return JSONResponse({"error": "User not found"}, status_code=404)
+
+    conn = db.query(EvotorConnection).filter(
+        EvotorConnection.evotor_user_id == evotor_user_id
+    ).first()
+    now = datetime.now(timezone.utc).replace(tzinfo=None)
+    if conn:
+        conn.access_token = evotor_token
+        conn.is_online = True
+        conn.last_checked_at = now
+        conn.updated_at = now
+    else:
+        conn = EvotorConnection(
+            user_id=user.id,
+            evotor_user_id=evotor_user_id,
+            access_token=evotor_token,
+            api_token=secrets.token_urlsafe(32),
+            is_online=True,
+            last_checked_at=now,
+            connected_at=now,
+            updated_at=now,
+        )
+        db.add(conn)
+    db.commit()
+
+    return JSONResponse({})

web/routes/invite.py

@@ -0,0 +1,99 @@
+from datetime import datetime, timezone
+
+from fastapi import APIRouter, Depends, Request
+from fastapi.responses import HTMLResponse, RedirectResponse
+from sqlalchemy import or_
+from sqlalchemy.orm import Session
+
+from web.auth.password import hash_password
+from web.config import settings
+from web.database import get_db
+from web.models.user import User, UserStatusEnum
+from web.templates_env import templates
+
+router = APIRouter()
+
+
+def _render(request: Request, template: str, ctx: dict) -> HTMLResponse:
+    ctx["request"] = request
+    ctx.setdefault("jivosite_widget_id", settings.JIVOSITE_WIDGET_ID)
+    return templates.TemplateResponse(ctx.pop("request"), template, ctx)
+
+
+def _bad_token(request: Request) -> HTMLResponse:
+    return _render(request, "message.html", {
+        "user": None,
+        "title": "Ссылка недействительна",
+        "message": "Ссылка приглашения устарела или недействительна. Обратитесь к администратору.",
+        "link": "/login", "link_text": "Войти",
+    })
+
+
+@router.get("/invite")
+async def invite_get(request: Request, db: Session = Depends(get_db)):
+    token = request.query_params.get("token", "")
+    user = db.query(User).filter(User.invite_token == token).first()
+    if not user or not user.invite_expires or user.invite_expires < datetime.now(timezone.utc).replace(tzinfo=None):
+        return _bad_token(request)
+    return _render(request, "invite.html", {"user": None, "invite_user": user, "token": token})
+
+
+@router.post("/invite")
+async def invite_post(request: Request, db: Session = Depends(get_db)):
+    token = request.query_params.get("token", "")
+    invite_user = db.query(User).filter(User.invite_token == token).first()
+    if not invite_user or not invite_user.invite_expires or invite_user.invite_expires < datetime.now(timezone.utc).replace(tzinfo=None):
+        return _bad_token(request)
+
+    form = await request.form()
+    data = {k: str(v).strip() for k, v in form.items()}
+    errors = []
+
+    if not data.get("first_name"):
+        errors.append("Имя обязательно")
+    if not data.get("last_name"):
+        errors.append("Фамилия обязательна")
+    if not data.get("email"):
+        errors.append("Email обязателен")
+    if not data.get("phone"):
+        errors.append("Телефон обязателен")
+    if len(data.get("password", "")) < 8:
+        errors.append("Пароль должен содержать минимум 8 символов")
+    if data.get("password") != data.get("password_confirm"):
+        errors.append("Пароли не совпадают")
+
+    if not errors:
+        # Check uniqueness (excluding current invite_user)
+        dup = db.query(User).filter(
+            or_(User.email == data["email"], User.phone == data["phone"]),
+            User.id != invite_user.id,
+        ).first()
+        if dup:
+            if dup.email == data["email"]:
+                errors.append("Пользователь с таким email уже существует")
+            else:
+                errors.append("Пользователь с таким телефоном уже существует")
+
+    if errors:
+        return _render(request, "invite.html", {
+            "user": None, "invite_user": invite_user, "token": token,
+            "errors": errors, "form": data,
+        })
+
+    invite_user.first_name = data["first_name"]
+    invite_user.last_name = data["last_name"]
+    invite_user.email = data["email"]
+    invite_user.phone = data["phone"]
+    invite_user.password_hash = hash_password(data["password"])
+    invite_user.is_email_confirmed = True
+    invite_user.status = UserStatusEnum.active
+    invite_user.invite_token = None
+    invite_user.invite_expires = None
+    db.commit()
+
+    return _render(request, "message.html", {
+        "user": None,
+        "title": "Регистрация завершена!",
+        "message": "Ваш аккаунт активирован. Теперь вы можете войти.",
+        "link": "/login", "link_text": "Войти",
+    })

web/routes/profile.py

@@ -0,0 +1,143 @@
+from fastapi import APIRouter, Depends, Request
+from fastapi.responses import HTMLResponse, RedirectResponse
+from sqlalchemy import or_
+from sqlalchemy.orm import Session
+
+from web.auth.password import hash_password, verify_password
+from web.auth.session import get_current_user
+from web.config import settings
+from web.database import get_db
+from web.models.user import User
+from web.templates_env import templates
+
+router = APIRouter()
+
+
+def _render(request: Request, template: str, ctx: dict) -> HTMLResponse:
+    ctx["request"] = request
+    ctx.setdefault("jivosite_widget_id", settings.JIVOSITE_WIDGET_ID)
+    return templates.TemplateResponse(ctx.pop("request"), template, ctx)
+
+
+@router.get("/profile")
+async def profile_view(request: Request, db: Session = Depends(get_db)):
+    try:
+        user = get_current_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+    return _render(request, "profile_view.html", {"user": user})
+
+
+@router.get("/profile/edit")
+async def profile_edit_get(request: Request, db: Session = Depends(get_db)):
+    try:
+        user = get_current_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+    return _render(request, "profile_edit.html", {"user": user})
+
+
+@router.post("/profile/edit")
+async def profile_edit_post(request: Request, db: Session = Depends(get_db)):
+    try:
+        user = get_current_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+
+    form = await request.form()
+    data = {k: str(v).strip() for k, v in form.items()}
+    errors = []
+
+    if not data.get("first_name"):
+        errors.append("Имя обязательно")
+    if not data.get("last_name"):
+        errors.append("Фамилия обязательна")
+    if not data.get("phone"):
+        errors.append("Телефон обязателен")
+
+    if not errors:
+        dup = db.query(User).filter(
+            User.phone == data["phone"], User.id != user.id
+        ).first()
+        if dup:
+            errors.append("Пользователь с таким телефоном уже существует")
+
+    if errors:
+        return _render(request, "profile_edit.html", {"user": user, "errors": errors, "form": data})
+
+    user.first_name = data["first_name"]
+    user.last_name = data["last_name"]
+    user.phone = data["phone"]
+    db.commit()
+    return _render(request, "profile_edit.html", {
+        "user": user, "success": "Профиль обновлён",
+    })
+
+
+@router.get("/profile/change-password")
+async def change_pw_get(request: Request, db: Session = Depends(get_db)):
+    try:
+        user = get_current_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+    return _render(request, "profile_change_password.html", {"user": user})
+
+
+@router.post("/profile/change-password")
+async def change_pw_post(request: Request, db: Session = Depends(get_db)):
+    try:
+        user = get_current_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+
+    form = await request.form()
+    current = str(form.get("current_password", ""))
+    new_pw = str(form.get("password", ""))
+    confirm = str(form.get("password_confirm", ""))
+    errors = []
+
+    if not user.password_hash or not verify_password(current, user.password_hash):
+        errors.append("Неверный текущий пароль")
+    if len(new_pw) < 8:
+        errors.append("Новый пароль должен содержать минимум 8 символов")
+    if new_pw != confirm:
+        errors.append("Пароли не совпадают")
+
+    if errors:
+        return _render(request, "profile_change_password.html", {"user": user, "errors": errors})
+
+    user.password_hash = hash_password(new_pw)
+    db.commit()
+    return _render(request, "profile_change_password.html", {
+        "user": user, "success": "Пароль изменён",
+    })
+
+
+@router.get("/profile/delete")
+async def delete_get(request: Request, db: Session = Depends(get_db)):
+    try:
+        user = get_current_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+    return _render(request, "profile_delete.html", {"user": user})
+
+
+@router.post("/profile/delete")
+async def delete_post(request: Request, db: Session = Depends(get_db)):
+    try:
+        user = get_current_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+
+    form = await request.form()
+    password = str(form.get("password", ""))
+
+    if not user.password_hash or not verify_password(password, user.password_hash):
+        return _render(request, "profile_delete.html", {
+            "user": user, "errors": ["Неверный пароль"],
+        })
+
+    db.delete(user)
+    db.commit()
+    request.session.clear()
+    return RedirectResponse("/login", 303)

web/routes/reset.py

@@ -0,0 +1,101 @@
+import secrets
+from datetime import datetime, timezone, timedelta
+
+from fastapi import APIRouter, Depends, Request
+from fastapi.responses import HTMLResponse, RedirectResponse
+from sqlalchemy.orm import Session
+
+from web.auth.password import hash_password
+from web.config import settings
+from web.database import get_db
+from web.models.user import User
+from web.notifications.tasks import send_email_task
+from web.templates_env import templates
+
+router = APIRouter()
+
+
+def _render(request: Request, template: str, ctx: dict) -> HTMLResponse:
+    ctx["request"] = request
+    ctx.setdefault("jivosite_widget_id", settings.JIVOSITE_WIDGET_ID)
+    return templates.TemplateResponse(ctx.pop("request"), template, ctx)
+
+
+@router.get("/forgot-password")
+async def forgot_get(request: Request):
+    return _render(request, "forgot_password.html", {"user": None})
+
+
+@router.post("/forgot-password")
+async def forgot_post(request: Request, db: Session = Depends(get_db)):
+    form = await request.form()
+    email = str(form.get("email", "")).strip()
+    user = db.query(User).filter(User.email == email).first()
+    if user:
+        token = secrets.token_urlsafe(32)
+        user.password_reset_token = token
+        user.password_reset_expires = datetime.now(timezone.utc).replace(tzinfo=None) + timedelta(
+            minutes=settings.PASSWORD_RESET_EXPIRE_MINUTES
+        )
+        db.commit()
+        reset_url = f"{settings.BASE_URL}/reset-password?token={token}"
+        html = f'<p>Сброс пароля: <a href="{reset_url}">{reset_url}</a></p>'
+        send_email_task.delay(user.email, "Сброс пароля — ЭВОСИНК", html)
+    # Always show same message to prevent user enumeration
+    return _render(request, "message.html", {
+        "user": None,
+        "title": "Ссылка отправлена",
+        "message": "Если указанный email зарегистрирован, вы получите ссылку для сброса пароля.",
+        "link": "/login", "link_text": "Войти",
+    })
+
+
+@router.get("/reset-password")
+async def reset_get(request: Request, db: Session = Depends(get_db)):
+    token = request.query_params.get("token", "")
+    user = db.query(User).filter(User.password_reset_token == token).first()
+    if not user or not user.password_reset_expires or user.password_reset_expires < datetime.now(timezone.utc).replace(tzinfo=None):
+        return _render(request, "message.html", {
+            "user": None, "title": "Ссылка недействительна",
+            "message": "Ссылка для сброса пароля устарела или недействительна.",
+            "link": "/forgot-password", "link_text": "Запросить новую ссылку",
+        })
+    return _render(request, "reset_password.html", {"user": None, "token": token})
+
+
+@router.post("/reset-password")
+async def reset_post(request: Request, db: Session = Depends(get_db)):
+    token = request.query_params.get("token", "")
+    form = await request.form()
+    password = str(form.get("password", ""))
+    password_confirm = str(form.get("password_confirm", ""))
+    errors = []
+
+    user = db.query(User).filter(User.password_reset_token == token).first()
+    if not user or not user.password_reset_expires or user.password_reset_expires < datetime.now(timezone.utc).replace(tzinfo=None):
+        return _render(request, "message.html", {
+            "user": None, "title": "Ссылка недействительна",
+            "message": "Ссылка для сброса пароля устарела.",
+            "link": "/forgot-password", "link_text": "Запросить новую ссылку",
+        })
+
+    if len(password) < 8:
+        errors.append("Пароль должен содержать минимум 8 символов")
+    if password != password_confirm:
+        errors.append("Пароли не совпадают")
+
+    if errors:
+        return _render(request, "reset_password.html", {
+            "user": None, "token": token, "errors": errors,
+        })
+
+    user.password_hash = hash_password(password)
+    user.password_reset_token = None
+    user.password_reset_expires = None
+    db.commit()
+
+    return _render(request, "message.html", {
+        "user": None, "title": "Пароль изменён",
+        "message": "Ваш пароль успешно изменён.",
+        "link": "/login", "link_text": "Войти",
+    })

web/routes/vk_catalog.py

@@ -0,0 +1,63 @@
+from fastapi import APIRouter, Depends, Request
+from fastapi.responses import HTMLResponse, RedirectResponse
+from sqlalchemy.orm import Session
+
+from web.auth.session import get_current_user
+from web.config import settings
+from web.database import get_db
+from web.models.connections import VkCachedAlbum, VkCachedProduct, VkConnection
+from web.templates_env import templates
+
+router = APIRouter()
+
+
+def _render(request: Request, template: str, ctx: dict) -> HTMLResponse:
+    ctx["request"] = request
+    ctx.setdefault("jivosite_widget_id", settings.JIVOSITE_WIDGET_ID)
+    return templates.TemplateResponse(ctx.pop("request"), template, ctx)
+
+
+@router.get("/vk-catalog/albums")
+async def vk_catalog_albums(request: Request, db: Session = Depends(get_db)):
+    try:
+        user = get_current_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+
+    vk_conn = db.query(VkConnection).filter_by(user_id=user.id).first()
+    albums = (
+        db.query(VkCachedAlbum)
+        .filter(VkCachedAlbum.user_id == user.id)
+        .order_by(VkCachedAlbum.title)
+        .all()
+    )
+    return _render(request, "vk_catalog/albums.html", {
+        "user": user,
+        "albums": albums,
+        "vk_conn": vk_conn,
+        "refresh_interval": settings.CATALOG_REFRESH_INTERVAL_SECONDS,
+    })
+
+
+@router.get("/vk-catalog/albums/{album_id}/products")
+async def vk_catalog_products(album_id: str, request: Request, db: Session = Depends(get_db)):
+    try:
+        user = get_current_user(request, db)
+    except Exception:
+        return RedirectResponse("/login", 303)
+
+    album = db.query(VkCachedAlbum).filter_by(user_id=user.id, album_id=album_id).first()
+    if not album:
+        return RedirectResponse("/vk-catalog/albums", 303)
+
+    products = (
+        db.query(VkCachedProduct)
+        .filter(VkCachedProduct.user_id == user.id, VkCachedProduct.album_id == album_id)
+        .order_by(VkCachedProduct.name)
+        .all()
+    )
+    return _render(request, "vk_catalog/products.html", {
+        "user": user,
+        "album": album,
+        "products": products,
+    })

web/static/style.css

@@ -0,0 +1,431 @@
+/* Brand colors */
+:root {
+    --pico-primary: #F05023;
+    --pico-primary-hover: #d44420;
+    --pico-primary-focus: rgba(240, 80, 35, 0.25);
+    --pico-primary-inverse: #fff;
+    --brand-primary: #F05023;
+    --brand-secondary: #0986E2;
+    --brand-secondary-hover: #0770c0;
+}
+
+/* Header / nav */
+.site-header {
+    background: #fff;
+    border-bottom: 2px solid var(--brand-primary);
+    padding: 0;
+    margin-bottom: 0;
+}
+
+.site-header nav {
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+    padding-top: 0.75rem;
+    padding-bottom: 0.75rem;
+    gap: 1rem;
+}
+
+.site-header nav > ul {
+    margin: 0;
+    padding: 0;
+    list-style: none;
+    display: flex;
+    align-items: center;
+    gap: 0.25rem;
+}
+
+.brand-logo {
+    font-size: 1.3rem;
+    font-weight: 700;
+    color: var(--brand-primary) !important;
+    text-decoration: none;
+}
+
+.nav-links {
+    flex: 1;
+    justify-content: flex-end;
+}
+
+.nav-links a {
+    color: var(--pico-color);
+    text-decoration: none;
+    padding: 0.25rem 0.5rem;
+    border-radius: 4px;
+}
+
+.nav-links a:hover {
+    color: var(--brand-primary);
+}
+
+.nav-links a.secondary {
+    color: var(--pico-muted-color);
+}
+
+.mobile-menu {
+    display: none;
+}
+
+.mobile-menu summary {
+    padding: 0.25rem 0.5rem;
+    font-size: 1.25rem;
+}
+
+.mobile-menu > ul {
+    position: absolute;
+    right: 1rem;
+    background: var(--pico-background-color);
+    border: 1px solid var(--pico-border-color);
+    border-radius: var(--pico-border-radius);
+    padding: 0.5rem 0;
+    list-style: none;
+    margin: 0;
+    z-index: 100;
+    min-width: 180px;
+    box-shadow: 0 4px 12px rgba(0,0,0,0.1);
+}
+
+.mobile-menu > ul li a {
+    display: block;
+    padding: 0.5rem 1rem;
+    text-decoration: none;
+    color: var(--pico-color);
+}
+
+.mobile-menu > ul li a:hover {
+    background: var(--pico-muted-background-color);
+}
+
+@media (max-width: 768px) {
+    .nav-links { display: none; }
+    .mobile-menu { display: block; }
+}
+
+/* Page spacing */
+.py-4 {
+    padding-top: 1.5rem;
+    padding-bottom: 1.5rem;
+}
+
+/* Alerts */
+.alert {
+    border-radius: var(--pico-border-radius);
+    padding: 0.75rem 1rem;
+    margin-bottom: 1rem;
+}
+
+.alert p { margin: 0; }
+.alert p + p { margin-top: 0.25rem; }
+
+.alert-danger {
+    background: #fef2f2;
+    border: 1px solid #fecaca;
+    color: #b91c1c;
+}
+
+.alert-success {
+    background: #f0fdf4;
+    border: 1px solid #bbf7d0;
+    color: #15803d;
+}
+
+.alert-warning {
+    background: #fffbeb;
+    border: 1px solid #fde68a;
+    color: #b45309;
+}
+
+/* Cards (using <article>) */
+article.card {
+    margin: 0;
+    padding: 0;
+    overflow: hidden;
+}
+
+article.card > header {
+    padding: 0.75rem 1rem;
+    background: var(--pico-muted-background-color);
+    border-bottom: 1px solid var(--pico-border-color);
+    margin: 0;
+}
+
+article.card > header h1,
+article.card > header h2,
+article.card > header h5 {
+    margin: 0;
+    font-size: 1rem;
+    font-weight: 600;
+}
+
+article.card > .card-body {
+    padding: 1.25rem;
+}
+
+article.card > footer {
+    padding: 0.75rem 1rem;
+    background: var(--pico-muted-background-color);
+    border-top: 1px solid var(--pico-border-color);
+    margin: 0;
+}
+
+/* List groups */
+.list-group {
+    list-style: none;
+    padding: 0;
+    margin: 0;
+}
+
+.list-group-item {
+    padding: 0.6rem 1rem;
+    border-bottom: 1px solid var(--pico-border-color);
+    display: flex;
+    justify-content: space-between;
+    align-items: center;
+}
+
+.list-group-item:last-child { border-bottom: none; }
+
+/* Badges */
+.badge {
+    display: inline-flex;
+    align-items: center;
+    gap: 0.25rem;
+    padding: 0.2rem 0.5rem;
+    border-radius: 999px;
+    font-size: 0.75rem;
+    font-weight: 600;
+    line-height: 1;
+}
+
+.badge-success { background: #dcfce7; color: #15803d; }
+.badge-danger  { background: #fee2e2; color: #b91c1c; }
+.badge-warning { background: #fef3c7; color: #b45309; }
+.badge-secondary { background: var(--pico-muted-background-color); color: var(--pico-muted-color); }
+.badge-light { background: var(--pico-muted-background-color); color: var(--pico-muted-color); border: 1px solid var(--pico-border-color); }
+
+/* Buttons */
+button.secondary, a[role="button"].secondary {
+    --pico-background-color: var(--brand-secondary);
+    --pico-border-color: var(--brand-secondary);
+    --pico-color: #fff;
+}
+
+button.outline.danger, a[role="button"].outline.danger {
+    --pico-color: #dc2626;
+    --pico-border-color: #dc2626;
+}
+
+button.danger, a[role="button"].danger {
+    --pico-background-color: #dc2626;
+    --pico-border-color: #dc2626;
+    --pico-color: #fff;
+}
+
+button.sm, a[role="button"].sm {
+    padding: 0.25rem 0.6rem;
+    font-size: 0.875rem;
+}
+
+/* Layout helpers */
+.row {
+    display: flex;
+    flex-wrap: wrap;
+    gap: 1rem;
+}
+
+.col { flex: 1 1 0; }
+.col-auto { flex: 0 0 auto; }
+
+.col-sm-6 { flex: 0 0 calc(50% - 0.5rem); min-width: 200px; }
+.col-sm-10 { flex: 0 0 calc(83.33% - 0.5rem); }
+.col-md-6 { flex: 0 0 calc(50% - 0.5rem); }
+.col-md-7 { flex: 0 0 calc(58.33% - 0.5rem); }
+.col-lg-4 { flex: 0 0 calc(33.33% - 0.67rem); }
+.col-lg-5 { flex: 0 0 calc(41.67% - 0.5rem); }
+.col-lg-6 { flex: 0 0 calc(50% - 0.5rem); }
+.col-12 { flex: 0 0 100%; }
+.col-md-6-auto { flex: 0 0 calc(50% - 0.5rem); }
+
+@media (max-width: 768px) {
+    .col-sm-6, .col-md-6, .col-md-7, .col-lg-4, .col-lg-5, .col-lg-6, .col-md-6-auto { flex: 0 0 100%; }
+}
+
+.justify-center { justify-content: center; }
+.justify-between { justify-content: space-between; }
+.justify-end { justify-content: flex-end; }
+.align-center { align-items: center; }
+.flex-wrap { flex-wrap: wrap; }
+.flex-col { flex-direction: column; }
+.flex-1 { flex: 1; }
+.flex-fill { flex: 1 1 0; }
+
+.gap-1 { gap: 0.25rem; }
+.gap-2 { gap: 0.5rem; }
+.gap-3 { gap: 0.75rem; }
+
+.mt-2 { margin-top: 0.5rem; }
+.mt-3 { margin-top: 0.75rem; }
+.mt-4 { margin-top: 1.5rem; }
+.mt-5 { margin-top: 3rem; }
+.mb-0 { margin-bottom: 0; }
+.mb-1 { margin-bottom: 0.25rem; }
+.mb-2 { margin-bottom: 0.5rem; }
+.mb-3 { margin-bottom: 0.75rem; }
+.mb-4 { margin-bottom: 1.5rem; }
+.ms-auto { margin-left: auto; }
+.me-1 { margin-right: 0.25rem; }
+.me-2 { margin-right: 0.5rem; }
+.me-3 { margin-right: 0.75rem; }
+
+.d-flex { display: flex; }
+.d-grid { display: grid; }
+.d-none { display: none; }
+.d-block { display: block; }
+
+.text-center { text-align: center; }
+.text-end { text-align: right; }
+.text-muted { color: var(--pico-muted-color); }
+.small { font-size: 0.875rem; }
+.fs-1 { font-size: 2rem; }
+.fs-2 { font-size: 1.5rem; }
+.fs-5 { font-size: 1.15rem; }
+.fs-6 { font-size: 0.875rem; }
+
+.text-success { color: #15803d; }
+.text-danger  { color: #dc2626; }
+.text-warning { color: #b45309; }
+.text-primary { color: var(--brand-primary); }
+.text-secondary { color: var(--brand-secondary); }
+.text-white { color: #fff; }
+
+.bg-danger-header {
+    background: #dc2626;
+    color: #fff;
+}
+
+.font-monospace { font-family: monospace; }
+.w-100 { width: 100%; }
+.h-100 { height: 100%; }
+
+/* Table */
+.table-scroll {
+    overflow-x: auto;
+}
+
+table.align-middle td,
+table.align-middle th {
+    vertical-align: middle;
+}
+
+/* Breadcrumb */
+.breadcrumb {
+    display: flex;
+    align-items: center;
+    gap: 0.25rem;
+    list-style: none;
+    padding: 0;
+    margin: 0 0 1rem;
+    font-size: 0.9rem;
+    color: var(--pico-muted-color);
+}
+
+.breadcrumb-item + .breadcrumb-item::before {
+    content: "/";
+    margin-right: 0.25rem;
+    color: var(--pico-muted-color);
+}
+
+.breadcrumb-item.active { color: var(--pico-color); }
+
+/* Dropdown */
+.dropdown {
+    position: relative;
+    display: inline-block;
+}
+
+.dropdown-menu {
+    display: none;
+    position: absolute;
+    right: 0;
+    top: calc(100% + 4px);
+    background: var(--pico-background-color);
+    border: 1px solid var(--pico-border-color);
+    border-radius: var(--pico-border-radius);
+    box-shadow: 0 4px 12px rgba(0,0,0,0.12);
+    z-index: 200;
+    min-width: 220px;
+    padding: 0.25rem 0;
+    list-style: none;
+    margin: 0;
+}
+
+.dropdown.open .dropdown-menu { display: block; }
+
+.dropdown-item {
+    display: block;
+    width: 100%;
+    padding: 0.45rem 1rem;
+    background: none;
+    border: none;
+    text-align: left;
+    cursor: pointer;
+    color: var(--pico-color);
+    font-size: 0.9rem;
+    text-decoration: none;
+}
+
+.dropdown-item:hover {
+    background: var(--pico-muted-background-color);
+}
+
+.dropdown-item.muted { color: var(--pico-muted-color); }
+
+.dropdown-divider {
+    border: none;
+    border-top: 1px solid var(--pico-border-color);
+    margin: 0.25rem 0;
+}
+
+/* Spinner */
+.spinner {
+    display: inline-block;
+    width: 2rem;
+    height: 2rem;
+    border: 3px solid var(--pico-muted-background-color);
+    border-top-color: var(--brand-primary);
+    border-radius: 50%;
+    animation: spin 0.75s linear infinite;
+}
+
+@keyframes spin { to { transform: rotate(360deg); } }
+
+/* Input group */
+.input-group {
+    display: flex;
+    gap: 0;
+}
+
+.input-group input {
+    border-radius: var(--pico-border-radius) 0 0 var(--pico-border-radius);
+    margin: 0;
+    flex: 1;
+}
+
+.input-group button {
+    border-radius: 0 var(--pico-border-radius) var(--pico-border-radius) 0;
+    margin: 0;
+    white-space: nowrap;
+}
+
+/* Empty state */
+.empty-state {
+    text-align: center;
+    padding: 3rem 1rem;
+    color: var(--pico-muted-color);
+}
+
+.empty-state .empty-icon {
+    font-size: 3rem;
+    display: block;
+    margin-bottom: 0.75rem;
+}

web/tasks/catalog.py

@@ -0,0 +1,227 @@
+"""
+Periodic catalog sync: fetch stores / product-groups / products from Evotor
+for every connected user and upsert into cached_* tables.
+
+Beat schedule entry (set in celery_app.py):
+    refresh_catalog  — runs every CATALOG_REFRESH_INTERVAL_SECONDS seconds
+"""
+import logging
+from datetime import datetime, timezone
+
+import httpx
+from celery import shared_task
+
+from web.config import settings
+from web.database import SessionLocal
+from web.models.connections import CachedGroup, CachedProduct, CachedStore, EvotorConnection, SyncConfig, SyncFilter
+
+logger = logging.getLogger(__name__)
+
+EVO_API = "https://api.evotor.ru"
+
+
+def _headers(token: str) -> dict:
+    return {
+        "Authorization": f"Bearer {token}",
+        "Accept": "application/vnd.evotor.v2+json",
+        "Content-Type": "application/json",
+    }
+
+
+def _now() -> datetime:
+    return datetime.now(timezone.utc).replace(tzinfo=None)
+
+
+# ── per-user helpers ──────────────────────────────────────────────────────────
+
+def _fetch_stores(token: str) -> list[dict]:
+    r = httpx.get(f"{EVO_API}/stores", headers=_headers(token), timeout=15)
+    r.raise_for_status()
+    data = r.json()
+    return data.get("items", data) if isinstance(data, dict) else data
+
+
+def _fetch_groups(token: str, store_id: str) -> list[dict] | None:
+    """Returns None if the store is not accessible (402/403), list otherwise."""
+    r = httpx.get(
+        f"{EVO_API}/stores/{store_id}/product-groups",
+        headers=_headers(token), timeout=15,
+    )
+    if r.status_code in (402, 403):
+        return None
+    r.raise_for_status()
+    data = r.json()
+    return data.get("items", data) if isinstance(data, dict) else data
+
+
+def _fetch_products(token: str, store_id: str) -> list[dict] | None:
+    """Returns None if the store is not accessible (402/403), list otherwise."""
+    r = httpx.get(
+        f"{EVO_API}/stores/{store_id}/products",
+        headers=_headers(token), timeout=30,
+    )
+    if r.status_code in (402, 403):
+        return None
+    r.raise_for_status()
+    data = r.json()
+    return data.get("items", data) if isinstance(data, dict) else data
+
+
+def _sync_user(db, user_id: int, token: str) -> None:
+    now = _now()
+
+    # ── stores ────────────────────────────────────────────────────────────────
+    try:
+        stores = _fetch_stores(token)
+    except Exception as e:
+        logger.warning("user=%s fetch stores failed: %s", user_id, e)
+        return
+
+    store_ids = []
+    for s in stores:
+        evo_id = s.get("id") or s.get("uuid")
+        if not evo_id:
+            continue
+        store_ids.append(evo_id)
+        row = db.query(CachedStore).filter_by(user_id=user_id, evotor_id=evo_id).first()
+        if row:
+            row.name = s.get("name", "")
+            row.address = s.get("address", {}).get("str") if isinstance(s.get("address"), dict) else s.get("address")
+            row.fetched_at = now
+        else:
+            db.add(CachedStore(
+                user_id=user_id,
+                evotor_id=evo_id,
+                name=s.get("name", ""),
+                address=s.get("address", {}).get("str") if isinstance(s.get("address"), dict) else s.get("address"),
+                fetched_at=now,
+            ))
+
+    db.flush()
+
+    # ── apply store filter ────────────────────────────────────────────────────
+    cfg = db.query(SyncConfig).filter_by(user_id=user_id).first()
+    if cfg:
+        include_filters = db.query(SyncFilter).filter_by(
+            sync_config_id=cfg.id, entity_type="store", filter_mode="include"
+        ).all()
+        if include_filters:
+            allowed = {f.entity_id for f in include_filters}
+            store_ids = [s for s in store_ids if s in allowed]
+
+    # ── groups & products per store ───────────────────────────────────────────
+    for store_evo_id in store_ids:
+        # groups
+        try:
+            groups = _fetch_groups(token, store_evo_id)
+        except Exception as e:
+            logger.warning("user=%s store=%s fetch groups failed: %s", user_id, store_evo_id, e)
+            groups = []
+        if groups is None:
+            logger.debug("user=%s store=%s groups not available (402/403), skipping", user_id, store_evo_id)
+            continue
+
+        for g in groups:
+            evo_id = g.get("id") or g.get("uuid")
+            if not evo_id:
+                continue
+            row = db.query(CachedGroup).filter_by(user_id=user_id, evotor_id=evo_id).first()
+            if row:
+                row.name = g.get("name", "")
+                row.store_evotor_id = store_evo_id
+                row.fetched_at = now
+            else:
+                db.add(CachedGroup(
+                    user_id=user_id,
+                    evotor_id=evo_id,
+                    store_evotor_id=store_evo_id,
+                    name=g.get("name", ""),
+                    fetched_at=now,
+                ))
+
+        # products
+        try:
+            products = _fetch_products(token, store_evo_id)
+        except Exception as e:
+            logger.warning("user=%s store=%s fetch products failed: %s", user_id, store_evo_id, e)
+            products = []
+        if products is None:
+            logger.debug("user=%s store=%s products not available (402/403), skipping", user_id, store_evo_id)
+            products = []
+
+        for p in products:
+            evo_id = p.get("id") or p.get("uuid")
+            if not evo_id:
+                continue
+            price = p.get("price")
+            quantity = p.get("quantity")
+            row = db.query(CachedProduct).filter_by(user_id=user_id, evotor_id=evo_id).first()
+            if row:
+                row.store_evotor_id = store_evo_id
+                row.group_evotor_id = p.get("group") or p.get("parentUuid")
+                row.name = p.get("name", "")
+                row.price = float(price) if price is not None else None
+                row.quantity = float(quantity) if quantity is not None else None
+                row.measure_name = p.get("measureName") or p.get("measure_name")
+                row.article_number = p.get("code") or p.get("article_number")
+                row.allow_to_sell = p.get("allowToSell") if p.get("allowToSell") is not None else p.get("allow_to_sell")
+                row.fetched_at = now
+            else:
+                db.add(CachedProduct(
+                    user_id=user_id,
+                    evotor_id=evo_id,
+                    store_evotor_id=store_evo_id,
+                    group_evotor_id=p.get("group") or p.get("parentUuid"),
+                    name=p.get("name", ""),
+                    price=float(price) if price is not None else None,
+                    quantity=float(quantity) if quantity is not None else None,
+                    measure_name=p.get("measureName") or p.get("measure_name"),
+                    article_number=p.get("code") or p.get("article_number"),
+                    allow_to_sell=p.get("allowToSell") if p.get("allowToSell") is not None else p.get("allow_to_sell"),
+                    fetched_at=now,
+                ))
+
+    db.commit()
+    logger.info(
+        "user=%s catalog synced: %d stores, %d groups, %d products",
+        user_id,
+        len(stores),
+        sum(1 for _ in db.query(CachedGroup).filter_by(user_id=user_id)),
+        sum(1 for _ in db.query(CachedProduct).filter_by(user_id=user_id)),
+    )
+
+
+# ── Celery task ───────────────────────────────────────────────────────────────
+
+@shared_task(
+    name="web.tasks.catalog.refresh_catalog",
+    queue="default",
+    bind=True,
+    max_retries=2,
+    default_retry_delay=60,
+)
+def refresh_catalog(self) -> dict:
+    """Fetch and cache stores/groups/products for all connected Evotor users."""
+    db = SessionLocal()
+    results = {"ok": 0, "failed": 0}
+    try:
+        connections = (
+            db.query(EvotorConnection)
+            .filter(
+                EvotorConnection.user_id.isnot(None),
+                EvotorConnection.access_token.isnot(None),
+                EvotorConnection.access_token != "",
+            )
+            .all()
+        )
+        for conn in connections:
+            try:
+                _sync_user(db, conn.user_id, conn.access_token)
+                results["ok"] += 1
+            except Exception as exc:
+                logger.error("catalog sync failed for user=%s: %s", conn.user_id, exc)
+                results["failed"] += 1
+    finally:
+        db.close()
+    logger.info("refresh_catalog done: %s", results)
+    return results

web/tasks/celery_app.py

@@ -0,0 +1,37 @@
+from celery import Celery
+from celery.schedules import timedelta
+
+from web.config import settings
+
+celery_app = Celery("evosync", broker=settings.REDIS_URL, backend=settings.REDIS_URL)
+
+celery_app.conf.update(
+    task_serializer="json",
+    result_serializer="json",
+    accept_content=["json"],
+    timezone="Europe/Moscow",
+    enable_utc=True,
+    task_track_started=True,
+    task_acks_late=True,
+    worker_prefetch_multiplier=1,
+    broker_connection_retry_on_startup=True,
+    task_routes={
+        "web.tasks.sync.*": {"queue": "sync"},
+        "web.tasks.health.*": {"queue": "health"},
+        "web.tasks.catalog.*": {"queue": "default"},
+        "web.notifications.tasks.*": {"queue": "notifications"},
+    },
+    beat_schedule={
+        "refresh-catalog": {
+            "task": "web.tasks.catalog.refresh_catalog",
+            "schedule": timedelta(seconds=settings.CATALOG_REFRESH_INTERVAL_SECONDS),
+        },
+        "refresh-vk-catalog": {
+            "task": "web.tasks.vk_catalog.refresh_vk_catalog",
+            "schedule": timedelta(seconds=settings.CATALOG_REFRESH_INTERVAL_SECONDS),
+        },
+    },
+)
+
+# Register task modules so beat/worker can discover them
+celery_app.autodiscover_tasks(["web.tasks.catalog", "web.tasks.vk_catalog"])

web/tasks/vk_catalog.py

@@ -0,0 +1,167 @@
+"""
+Periodic VK catalog sync: fetch albums and products from VK Market
+for every connected user and upsert into vk_cached_* tables.
+"""
+import logging
+from datetime import datetime, timezone
+
+import httpx
+from celery import shared_task
+
+from web.config import settings
+from web.database import SessionLocal
+from web.models.connections import VkCachedAlbum, VkCachedProduct, VkConnection
+
+logger = logging.getLogger(__name__)
+
+VK_API = "https://api.vk.com/method"
+
+
+def _now() -> datetime:
+    return datetime.now(timezone.utc).replace(tzinfo=None)
+
+
+def _vk_get(method: str, params: dict, token: str) -> dict:
+    params = {**params, "access_token": token, "v": settings.VK_API_VERSION}
+    r = httpx.get(f"{VK_API}/{method}", params=params, timeout=20)
+    r.raise_for_status()
+    return r.json()
+
+
+def _sync_user(db, user_id: int, token: str, group_id: str) -> None:
+    now = _now()
+    owner_id = f"-{group_id}"
+
+    # ── albums ────────────────────────────────────────────────────────────────
+    try:
+        data = _vk_get("market.getAlbums", {"owner_id": owner_id, "count": 100}, token)
+    except Exception as e:
+        logger.warning("user=%s vk fetch albums failed: %s", user_id, e)
+        return
+
+    if "error" in data:
+        logger.warning("user=%s vk albums error: %s", user_id, data["error"])
+        return
+
+    albums = data.get("response", {}).get("items", [])
+    album_ids = []
+    for a in albums:
+        aid = str(a["id"])
+        album_ids.append(aid)
+        row = db.query(VkCachedAlbum).filter_by(user_id=user_id, vk_group_id=group_id, album_id=aid).first()
+        if row:
+            row.title = a.get("title", "")
+            row.count = a.get("count")
+            row.fetched_at = now
+        else:
+            db.add(VkCachedAlbum(
+                user_id=user_id,
+                vk_group_id=group_id,
+                album_id=aid,
+                title=a.get("title", ""),
+                count=a.get("count"),
+                fetched_at=now,
+            ))
+    db.flush()
+
+    # ── products (extended=1 gives albums_ids per product) ───────────────────
+    offset = 0
+    all_products = []
+    while True:
+        try:
+            data = _vk_get(
+                "market.get",
+                {"owner_id": owner_id, "count": 200, "offset": offset, "extended": 1},
+                token,
+            )
+        except Exception as e:
+            logger.warning("user=%s vk fetch products (extended) failed: %s", user_id, e)
+            break
+
+        if "error" in data:
+            logger.warning("user=%s vk products (extended) error: %s", user_id, data["error"])
+            break
+
+        items = data.get("response", {}).get("items", [])
+        all_products.extend(items)
+        if len(items) < 200:
+            break
+        offset += 200
+
+    for p in all_products:
+        pid = str(p["id"])
+        album_id = str(p["albums_ids"][0]) if p.get("albums_ids") else None
+        price_raw = p.get("price", {}).get("amount")
+        price = float(price_raw) / 100 if price_raw is not None else None
+        thumb = None
+        if p.get("thumb_photo"):
+            sizes = p["thumb_photo"].get("sizes", [])
+            if sizes:
+                thumb = sizes[-1].get("url")
+
+        row = db.query(VkCachedProduct).filter_by(
+            user_id=user_id, vk_group_id=group_id, vk_product_id=pid,
+        ).first()
+        if row:
+            row.album_id = album_id
+            row.name = p.get("title", "")
+            row.description = p.get("description")
+            row.price = price
+            row.availability = p.get("availability")
+            row.thumb_url = thumb
+            row.fetched_at = now
+        else:
+            db.add(VkCachedProduct(
+                user_id=user_id,
+                vk_group_id=group_id,
+                vk_product_id=pid,
+                album_id=album_id,
+                name=p.get("title", ""),
+                description=p.get("description"),
+                price=price,
+                availability=p.get("availability"),
+                thumb_url=thumb,
+                fetched_at=now,
+            ))
+
+    db.commit()
+    logger.info(
+        "user=%s vk catalog synced: group=%s albums=%d products=%d",
+        user_id, group_id, len(albums), len(all_products),
+    )
+
+
+@shared_task(
+    name="web.tasks.vk_catalog.refresh_vk_catalog",
+    queue="default",
+    bind=True,
+    max_retries=2,
+    default_retry_delay=60,
+)
+def refresh_vk_catalog(self) -> dict:
+    """Fetch and cache VK Market albums and products for all connected users."""
+    db = SessionLocal()
+    results = {"ok": 0, "failed": 0}
+    try:
+        connections = (
+            db.query(VkConnection)
+            .filter(
+                VkConnection.user_id.isnot(None),
+                VkConnection.access_token.isnot(None),
+                VkConnection.access_token != "",
+                VkConnection.vk_user_id.isnot(None),
+                VkConnection.vk_user_id != "",
+            )
+            .all()
+        )
+        for conn in connections:
+            try:
+                _sync_user(db, conn.user_id, conn.access_token, conn.vk_user_id)
+                results["ok"] += 1
+            except Exception as exc:
+                logger.error("vk catalog sync failed for user=%s: %s", conn.user_id, exc)
+                results["failed"] += 1
+    finally:
+        db.close()
+    logger.info("refresh_vk_catalog done: %s", results)
+    return results

web/templates/admin/roles.html

@@ -0,0 +1,40 @@
+{% extends "base.html" %}
+{% block title %}Роли и права — ЭВОСИНК{% endblock %}
+
+{% block content %}
+<nav class="breadcrumb">
+    <li class="breadcrumb-item"><a href="/admin/users">Пользователи</a></li>
+    <li class="breadcrumb-item active">Роли и права</li>
+</nav>
+
+<h1 style="font-size:1.3rem;" class="mb-3"><i class="bi bi-shield-lock me-2"></i>Роли и права</h1>
+
+{% for role in roles %}
+<article class="card mb-3">
+    <header>
+        <h2 style="font-size:1rem;">{{ role.name }}
+            <span class="text-muted small fw-normal">— {{ role.description or '' }}</span>
+        </h2>
+    </header>
+    <div class="card-body">
+        <form method="post" action="/admin/roles/{{ role.id }}/permissions">
+            <div class="row gap-2 flex-wrap">
+                {% for perm in permissions %}
+                <div class="col-auto">
+                    <label style="display:flex; align-items:center; gap:0.4rem; margin:0;">
+                        <input type="checkbox" name="perm_{{ perm.id }}" value="{{ perm.id }}"
+                               {% if perm.id in role_perm_ids[role.id] %}checked{% endif %}>
+                        {{ perm.name }}
+                        {% if perm.description %}
+                        <span class="text-muted small">({{ perm.description }})</span>
+                        {% endif %}
+                    </label>
+                </div>
+                {% endfor %}
+            </div>
+            <button type="submit" class="sm mt-3">Сохранить права для «{{ role.name }}»</button>
+        </form>
+    </div>
+</article>
+{% endfor %}
+{% endblock %}

web/templates/admin/user_detail.html

@@ -0,0 +1,147 @@
+{% extends "base.html" %}
+{% block title %}{{ target.first_name }} {{ target.last_name }} — Админ — ЭВОСИНК{% endblock %}
+
+{% block content %}
+<nav class="breadcrumb">
+    <li class="breadcrumb-item"><a href="/admin/users">Пользователи</a></li>
+    <li class="breadcrumb-item active">{{ target.first_name }} {{ target.last_name }}</li>
+</nav>
+
+{% if request.query_params.get('success') == 'reset_sent' %}
+<div class="alert alert-success mb-3"><p>Ссылка для сброса пароля отправлена.</p></div>
+{% elif request.query_params.get('success') == 'invite_sent' %}
+<div class="alert alert-success mb-3"><p>Приглашение отправлено.</p></div>
+{% elif request.query_params.get('success') == 'saved' %}
+<div class="alert alert-success mb-3"><p>Данные сохранены.</p></div>
+{% endif %}
+
+<div class="row gap-3 align-start">
+    <div class="col-lg-6">
+        <article class="card">
+            <header><h2>Профиль</h2></header>
+            <ul class="list-group">
+                <li class="list-group-item"><span class="text-muted small">ID</span><span>{{ target.id }}</span></li>
+                <li class="list-group-item"><span class="text-muted small">Имя</span><span>{{ target.first_name }} {{ target.last_name }}</span></li>
+                <li class="list-group-item"><span class="text-muted small">Email</span>
+                    <span>{{ target.email }}
+                        {% if target.is_email_confirmed %}
+                            <span class="badge badge-success ms-1">подтверждён</span>
+                        {% else %}
+                            <span class="badge badge-warning ms-1">не подтверждён</span>
+                        {% endif %}
+                    </span>
+                </li>
+                <li class="list-group-item"><span class="text-muted small">Телефон</span><span>{{ target.phone }}</span></li>
+                <li class="list-group-item"><span class="text-muted small">Роль</span>
+                    <span>
+                        {% if target.role == 'system' %}<span class="badge badge-danger">Системный</span>
+                        {% elif target.role == 'admin' %}<span class="badge badge-warning">Администратор</span>
+                        {% else %}<span class="badge badge-secondary">Пользователь</span>
+                        {% endif %}
+                    </span>
+                </li>
+                <li class="list-group-item"><span class="text-muted small">Статус</span>
+                    <span>
+                        {% if target.status == 'active' %}<span class="badge badge-success">Активен</span>
+                        {% elif target.status == 'pending' %}<span class="badge badge-warning">Ожидает</span>
+                        {% else %}<span class="badge badge-danger">Заблокирован</span>
+                        {% endif %}
+                    </span>
+                </li>
+                <li class="list-group-item"><span class="text-muted small">Регистрация</span><span>{{ target.created_at | datefmt }}</span></li>
+                {% if target.evotor_user_id %}
+                <li class="list-group-item"><span class="text-muted small">Эвотор ID</span><span class="font-monospace small">{{ target.evotor_user_id }}</span></li>
+                {% endif %}
+                {% if target.invite_token %}
+                <li class="list-group-item"><span class="text-muted small">Приглашение до</span><span>{{ target.invite_expires | datefmt }}</span></li>
+                {% endif %}
+            </ul>
+        </article>
+
+        {% if target.evotor_meta %}
+        <article class="card mt-3">
+            <header><h2>Данные Эвотор</h2></header>
+            <div class="card-body">
+                <pre class="font-monospace small" style="overflow-x:auto; white-space:pre-wrap; margin:0;">{{ target.evotor_meta | tojson(indent=2) }}</pre>
+            </div>
+        </article>
+        {% endif %}
+    </div>
+
+    <div class="col-lg-6">
+        <article class="card">
+            <header><h2>Действия</h2></header>
+            <div class="card-body d-grid gap-2">
+                {% if target.status != 'active' %}
+                <form method="post" action="/admin/users/{{ target.id }}/activate">
+                    <button type="submit" class="w-100">
+                        <i class="bi bi-check-circle me-1"></i>Активировать
+                    </button>
+                </form>
+                {% endif %}
+                {% if target.status != 'suspended' %}
+                <form method="post" action="/admin/users/{{ target.id }}/suspend">
+                    <button type="submit" class="w-100 outline danger">
+                        <i class="bi bi-slash-circle me-1"></i>Заблокировать
+                    </button>
+                </form>
+                {% endif %}
+                <form method="post" action="/admin/users/{{ target.id }}/reset-password">
+                    <button type="submit" class="w-100 outline secondary">
+                        <i class="bi bi-key me-1"></i>Сбросить пароль
+                    </button>
+                </form>
+                <form method="post" action="/admin/users/{{ target.id }}/send-invite">
+                    <button type="submit" class="w-100 outline secondary">
+                        <i class="bi bi-envelope me-1"></i>Отправить приглашение
+                    </button>
+                </form>
+                {% if user.role == 'system' and target.id != user.id %}
+                <form method="post" action="/admin/users/{{ target.id }}/delete"
+                      onsubmit="return confirm('Удалить пользователя {{ target.email }}? Это действие необратимо.')">
+                    <button type="submit" class="w-100 danger sm">
+                        <i class="bi bi-trash me-1"></i>Удалить
+                    </button>
+                </form>
+                {% endif %}
+            </div>
+        </article>
+
+        <article class="card mt-3">
+            <header><h2>Редактировать</h2></header>
+            <div class="card-body">
+                <form method="post" action="/admin/users/{{ target.id }}/edit">
+                    <div class="row gap-2 mb-2">
+                        <div class="col">
+                            <label for="first_name">Имя
+                                <input type="text" id="first_name" name="first_name" value="{{ target.first_name }}" required>
+                            </label>
+                        </div>
+                        <div class="col">
+                            <label for="last_name">Фамилия
+                                <input type="text" id="last_name" name="last_name" value="{{ target.last_name }}" required>
+                            </label>
+                        </div>
+                    </div>
+                    <label for="email">Email
+                        <input type="email" id="email" name="email" value="{{ target.email }}">
+                    </label>
+                    <label for="phone">Телефон
+                        <input type="tel" id="phone" name="phone" value="{{ target.phone }}">
+                    </label>
+                    {% if user.role == 'system' %}
+                    <label for="role">Роль
+                        <select id="role" name="role">
+                            <option value="user" {% if target.role == 'user' %}selected{% endif %}>Пользователь</option>
+                            <option value="admin" {% if target.role == 'admin' %}selected{% endif %}>Администратор</option>
+                            <option value="system" {% if target.role == 'system' %}selected{% endif %}>Системный</option>
+                        </select>
+                    </label>
+                    {% endif %}
+                    <button type="submit">Сохранить</button>
+                </form>
+            </div>
+        </article>
+    </div>
+</div>
+{% endblock %}

web/templates/admin/users.html

@@ -0,0 +1,118 @@
+{% extends "base.html" %}
+{% block title %}Пользователи — Администрирование — ЭВОСИНК{% endblock %}
+
+{% block content %}
+<div class="d-flex justify-between align-center mb-3">
+    <h1 style="font-size:1.3rem; margin:0;"><i class="bi bi-people me-2"></i>Пользователи</h1>
+    <span class="text-muted small">Всего: {{ total }}</span>
+</div>
+
+<article class="card mb-3">
+    <div class="card-body">
+        <form method="get" action="/admin/users" class="d-flex gap-2 flex-wrap align-center">
+            <input type="text" name="search" value="{{ search }}" placeholder="Поиск по имени, email, телефону" style="flex:1; min-width:200px; margin:0;">
+            <select name="status" style="width:auto; margin:0;">
+                <option value="">Все статусы</option>
+                <option value="pending" {% if status_filter == 'pending' %}selected{% endif %}>Ожидает</option>
+                <option value="active" {% if status_filter == 'active' %}selected{% endif %}>Активен</option>
+                <option value="suspended" {% if status_filter == 'suspended' %}selected{% endif %}>Заблокирован</option>
+            </select>
+            <select name="role" style="width:auto; margin:0;">
+                <option value="">Все роли</option>
+                <option value="user" {% if role_filter == 'user' %}selected{% endif %}>Пользователь</option>
+                <option value="admin" {% if role_filter == 'admin' %}selected{% endif %}>Администратор</option>
+                <option value="system" {% if role_filter == 'system' %}selected{% endif %}>Системный</option>
+            </select>
+            <button type="submit" class="sm">Найти</button>
+            {% if search or status_filter or role_filter %}
+            <a href="/admin/users" role="button" class="outline secondary sm">Сбросить</a>
+            {% endif %}
+        </form>
+    </div>
+</article>
+
+<article class="card">
+    <div class="table-scroll">
+        <table class="align-middle">
+            <thead>
+                <tr>
+                    <th>ID</th>
+                    <th>Имя</th>
+                    <th>Email</th>
+                    <th>Телефон</th>
+                    <th>Роль</th>
+                    <th>Статус</th>
+                    <th>Эвотор</th>
+                    <th>Регистрация</th>
+                    <th></th>
+                </tr>
+            </thead>
+            <tbody>
+                {% for u in users %}
+                <tr>
+                    <td class="text-muted small">{{ u.id }}</td>
+                    <td>{{ u.first_name }} {{ u.last_name }}</td>
+                    <td>
+                        {{ u.email }}
+                        {% if not u.is_email_confirmed %}
+                            <span class="badge badge-warning ms-1" title="Email не подтверждён"><i class="bi bi-exclamation-circle"></i></span>
+                        {% endif %}
+                    </td>
+                    <td>{{ u.phone }}</td>
+                    <td>
+                        {% if u.role == 'system' %}<span class="badge badge-danger">Системный</span>
+                        {% elif u.role == 'admin' %}<span class="badge badge-warning">Админ</span>
+                        {% else %}<span class="badge badge-secondary">Польз.</span>
+                        {% endif %}
+                    </td>
+                    <td>
+                        {% if u.status == 'active' %}<span class="badge badge-success">Активен</span>
+                        {% elif u.status == 'pending' %}<span class="badge badge-warning">Ожидает</span>
+                        {% else %}<span class="badge badge-danger">Заблок.</span>
+                        {% endif %}
+                    </td>
+                    <td>
+                        {% if u.evotor_user_id %}
+                            <i class="bi bi-check-circle text-success" title="{{ u.evotor_user_id }}"></i>
+                        {% else %}
+                            <span class="text-muted">—</span>
+                        {% endif %}
+                    </td>
+                    <td class="text-muted small">{{ u.created_at | datefmt }}</td>
+                    <td>
+                        <a href="/admin/users/{{ u.id }}" role="button" class="outline sm">
+                            <i class="bi bi-eye"></i>
+                        </a>
+                    </td>
+                </tr>
+                {% else %}
+                <tr>
+                    <td colspan="9" class="text-center text-muted py-4">Пользователи не найдены</td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+    </div>
+    {% if total_pages > 1 %}
+    <footer>
+        <div class="d-flex gap-2 justify-center align-center">
+            {% if page > 1 %}
+            <a href="?page={{ page - 1 }}&search={{ search }}&status={{ status_filter }}&role={{ role_filter }}" role="button" class="outline sm">«</a>
+            {% endif %}
+            <span class="text-muted small">Стр. {{ page }} из {{ total_pages }}</span>
+            {% if page < total_pages %}
+            <a href="?page={{ page + 1 }}&search={{ search }}&status={{ status_filter }}&role={{ role_filter }}" role="button" class="outline sm">»</a>
+            {% endif %}
+        </div>
+    </footer>
+    {% endif %}
+</article>
+
+{% if user.role == 'system' %}
+<div class="mt-3 text-end">
+    <a href="/admin/roles" role="button" class="outline secondary sm">
+        <i class="bi bi-shield-lock me-1"></i>Управление ролями
+    </a>
+</div>
+{% endif %}
+{% endblock %}

web/templates/base.html

@@ -0,0 +1,108 @@
+<!DOCTYPE html>
+<html lang="ru" data-theme="light">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>{% block title %}ЭВОСИНК{% endblock %}</title>
+    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@picocss/pico@2/css/pico.min.css">
+    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.11.3/font/bootstrap-icons.min.css">
+    <link rel="stylesheet" href="/static/style.css">
+</head>
+<body>
+    <header class="site-header">
+        <nav class="container">
+            <ul>
+                <li><a href="/" class="brand-logo">ЭВОСИНК</a></li>
+            </ul>
+            <ul class="nav-links">
+                {% if user %}
+                    <li><a href="/connections">Подключения</a></li>
+                    <li><a href="/catalog">Каталог Эвотор</a></li>
+                    <li><a href="/vk-catalog/albums">Каталог ВК</a></li>
+                    <li><a href="/sync">Синхронизация</a></li>
+                    {% if user.role in ('admin', 'system') %}
+                    <li><a href="/admin/users"><i class="bi bi-shield-lock"></i> Админ</a></li>
+                    {% endif %}
+                    <li><a href="/profile"><i class="bi bi-person-circle"></i> Личный кабинет</a></li>
+                    <li><a href="/logout" class="secondary">Выход</a></li>
+                {% else %}
+                    <li><a href="/login">Вход</a></li>
+                    <li><a href="/register">Регистрация</a></li>
+                {% endif %}
+            </ul>
+            {% if user %}
+            <details class="mobile-menu">
+                <summary role="button" class="outline secondary icon-btn"><i class="bi bi-list"></i></summary>
+                <ul>
+                    <li><a href="/connections">Подключения</a></li>
+                    <li><a href="/catalog">Каталог Эвотор</a></li>
+                    <li><a href="/vk-catalog/albums">Каталог ВК</a></li>
+                    <li><a href="/sync">Синхронизация</a></li>
+                    {% if user.role in ('admin', 'system') %}
+                    <li><a href="/admin/users">Админ</a></li>
+                    {% endif %}
+                    <li><a href="/profile">Личный кабинет</a></li>
+                    <li><a href="/logout">Выход</a></li>
+                </ul>
+            </details>
+            {% else %}
+            <details class="mobile-menu">
+                <summary role="button" class="outline secondary icon-btn"><i class="bi bi-list"></i></summary>
+                <ul>
+                    <li><a href="/login">Вход</a></li>
+                    <li><a href="/register">Регистрация</a></li>
+                </ul>
+            </details>
+            {% endif %}
+        </nav>
+    </header>
+
+    <main class="container py-4">
+        {% if errors %}
+        <div role="alert" class="alert alert-danger">
+            {% for error in errors %}
+                <p>{{ error }}</p>
+            {% endfor %}
+        </div>
+        {% endif %}
+
+        {% if success %}
+        <div role="alert" class="alert alert-success">
+            <p>{{ success }}</p>
+        </div>
+        {% endif %}
+
+        {% block content %}{% endblock %}
+    </main>
+
+    {% if jivosite_widget_id %}
+    <script src="//code.jivosite.com/widget/{{ jivosite_widget_id }}" async></script>
+    {% endif %}
+    <script src="https://cdn.jsdelivr.net/npm/inputmask@5.0.9/dist/inputmask.min.js"></script>
+    <script>
+        document.addEventListener('DOMContentLoaded', function() {
+            var phoneInputs = document.querySelectorAll('input[name="phone"]');
+            if (phoneInputs.length) {
+                Inputmask('+7 (999) 999-99-99', {
+                    placeholder: '_',
+                    showMaskOnHover: false,
+                    clearMaskOnLostFocus: false
+                }).mask(phoneInputs);
+            }
+        });
+    </script>
+    <script>
+        document.addEventListener('invalid', function(e) {
+            if (e.target.validity.valueMissing) {
+                e.target.setCustomValidity('Пожалуйста, заполните это поле');
+            } else if (e.target.validity.typeMismatch) {
+                e.target.setCustomValidity('Пожалуйста, введите корректное значение');
+            }
+        }, true);
+        document.addEventListener('input', function(e) {
+            if (e.target.required) e.target.setCustomValidity('');
+        }, true);
+    </script>
+    {% block scripts %}{% endblock %}
+</body>
+</html>

web/templates/catalog/groups.html

@@ -0,0 +1,69 @@
+{% extends "base.html" %}
+{% block title %}Группы — {{ store.name }} — ЭВОСИНК{% endblock %}
+
+{% block content %}
+<nav aria-label="breadcrumb" class="mb-3">
+    <ol class="breadcrumb">
+        <li><a href="/catalog/stores">Магазины</a></li>
+        <li>{{ store.name }}</li>
+        <li>Группы</li>
+    </ol>
+</nav>
+
+<div class="d-flex justify-between align-center mb-3">
+    <h1 style="font-size:1.3rem; margin:0;"><i class="bi bi-folder me-2"></i>Группы товаров — {{ store.name }}</h1>
+    <span class="text-muted small">Всего: {{ groups | length }}</span>
+</div>
+
+<article class="card">
+    {% if groups %}
+    <div class="table-scroll">
+        <table class="align-middle">
+            <thead>
+                <tr>
+                    <th>Синхронизация</th>
+                    <th>Название</th>
+                    <th>ID</th>
+                    <th>Обновлено</th>
+                    <th></th>
+                </tr>
+            </thead>
+            <tbody>
+                {% for g in groups %}
+                {% set is_enabled = (enabled_ids is none) or (g.evotor_id in enabled_ids) %}
+                <tr class="{% if not is_enabled %}text-muted{% endif %}">
+                    <td>
+                        <form method="post" action="/catalog/stores/{{ store.evotor_id }}/groups/{{ g.evotor_id }}/toggle" style="margin:0;">
+                            <button type="submit"
+                                class="outline sm {% if is_enabled %}success{% else %}secondary{% endif %}"
+                                title="{% if is_enabled %}Отключить синхронизацию{% else %}Включить синхронизацию{% endif %}"
+                                style="padding:0.2rem 0.6rem;">
+                                {% if is_enabled %}
+                                    <i class="bi bi-toggle-on"></i>
+                                {% else %}
+                                    <i class="bi bi-toggle-off"></i>
+                                {% endif %}
+                            </button>
+                        </form>
+                    </td>
+                    <td><i class="bi bi-folder2 me-1 text-muted"></i> <strong>{{ g.name }}</strong></td>
+                    <td class="text-muted small">{{ g.evotor_id }}</td>
+                    <td class="text-muted small">{{ g.fetched_at | datefmt }}</td>
+                    <td>
+                        <a href="/catalog/stores/{{ store.evotor_id }}/products?group={{ g.evotor_id }}" role="button" class="outline sm">
+                            <i class="bi bi-box-seam"></i> Товары
+                        </a>
+                    </td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+    </div>
+    {% else %}
+    <div class="text-center py-5 text-muted">
+        <i class="bi bi-folder" style="font-size:2rem;"></i>
+        <p class="mt-2">Группы для этого магазина ещё не загружены.</p>
+    </div>
+    {% endif %}
+</article>
+{% endblock %}

web/templates/catalog/products.html

@@ -0,0 +1,81 @@
+{% extends "base.html" %}
+{% block title %}Товары — {{ store.name }} — ЭВОСИНК{% endblock %}
+
+{% block content %}
+<nav aria-label="breadcrumb" class="mb-3">
+    <ol class="breadcrumb">
+        <li><a href="/catalog/stores">Магазины</a></li>
+        <li>{{ store.name }}</li>
+        <li>Товары</li>
+    </ol>
+</nav>
+
+<div class="d-flex justify-between align-center mb-3">
+    <h1 style="font-size:1.3rem; margin:0;"><i class="bi bi-box-seam me-2"></i>Товары — {{ store.name }}</h1>
+    <span class="text-muted small">Всего: {{ products | length }}</span>
+</div>
+
+{% if groups %}
+<article class="card mb-3">
+    <div class="card-body">
+        <form method="get" class="d-flex gap-2 align-center flex-wrap">
+            <select name="group" style="width:auto; margin:0;" onchange="this.form.submit()">
+                <option value="">Все группы</option>
+                {% for g in groups %}
+                <option value="{{ g.evotor_id }}" {% if group_id == g.evotor_id %}selected{% endif %}>{{ g.name }}</option>
+                {% endfor %}
+            </select>
+            {% if group_id %}
+            <a href="/catalog/stores/{{ store.evotor_id }}/products" role="button" class="outline secondary sm">Сбросить</a>
+            {% endif %}
+        </form>
+    </div>
+</article>
+{% endif %}
+
+<article class="card">
+    {% if products %}
+    <div class="table-scroll">
+        <table class="align-middle">
+            <thead>
+                <tr>
+                    <th>Название</th>
+                    <th>Артикул</th>
+                    <th>Цена</th>
+                    <th>Остаток</th>
+                    <th>Ед.</th>
+                    <th>Продаётся</th>
+                    <th>Обновлено</th>
+                </tr>
+            </thead>
+            <tbody>
+                {% for p in products %}
+                <tr>
+                    <td>{{ p.name }}</td>
+                    <td class="text-muted small">{{ p.article_number or '—' }}</td>
+                    <td>{% if p.price is not none %}{{ p.price | price }}{% else %}—{% endif %}</td>
+                    <td>{% if p.quantity is not none %}{{ p.quantity }}{% else %}—{% endif %}</td>
+                    <td class="text-muted small">{{ p.measure_name or '—' }}</td>
+                    <td>
+                        {% if p.allow_to_sell %}
+                            <i class="bi bi-check-circle text-success"></i>
+                        {% elif p.allow_to_sell == false %}
+                            <i class="bi bi-x-circle text-danger"></i>
+                        {% else %}
+                            <span class="text-muted">—</span>
+                        {% endif %}
+                    </td>
+                    <td class="text-muted small">{{ p.fetched_at | datefmt }}</td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+    </div>
+    {% else %}
+    <div class="text-center py-5 text-muted">
+        <i class="bi bi-box-seam" style="font-size:2rem;"></i>
+        <p class="mt-2">Товары не найдены.</p>
+    </div>
+    {% endif %}
+</article>
+{% endblock %}

web/templates/catalog/stores.html

@@ -0,0 +1,66 @@
+{% extends "base.html" %}
+{% block title %}Магазины — ЭВОСИНК{% endblock %}
+
+{% block content %}
+<div class="d-flex justify-between align-center mb-3">
+    <h1 style="font-size:1.3rem; margin:0;"><i class="bi bi-shop me-2"></i>Магазины Эвотор</h1>
+    <span class="text-muted small">Всего: {{ stores | length }}</span>
+</div>
+
+<article class="card">
+    {% if stores %}
+    <div class="table-scroll">
+        <table class="align-middle">
+            <thead>
+                <tr>
+                    <th>Синхронизация</th>
+                    <th>Название</th>
+                    <th>Адрес</th>
+                    <th>ID</th>
+                    <th>Обновлено</th>
+                    <th></th>
+                </tr>
+            </thead>
+            <tbody>
+                {% for s in stores %}
+                {% set is_enabled = (enabled_ids is none) or (s.evotor_id in enabled_ids) %}
+                <tr class="{% if not is_enabled %}text-muted{% endif %}">
+                    <td>
+                        <form method="post" action="/catalog/stores/{{ s.evotor_id }}/toggle" style="margin:0;">
+                            <button type="submit"
+                                class="outline sm {% if is_enabled %}success{% else %}secondary{% endif %}"
+                                title="{% if is_enabled %}Отключить синхронизацию{% else %}Включить синхронизацию{% endif %}"
+                                style="padding:0.2rem 0.6rem;">
+                                {% if is_enabled %}
+                                    <i class="bi bi-toggle-on"></i>
+                                {% else %}
+                                    <i class="bi bi-toggle-off"></i>
+                                {% endif %}
+                            </button>
+                        </form>
+                    </td>
+                    <td><strong>{{ s.name }}</strong></td>
+                    <td class="text-muted">{{ s.address or '—' }}</td>
+                    <td class="text-muted small">{{ s.evotor_id }}</td>
+                    <td class="text-muted small">{{ s.fetched_at | datefmt }}</td>
+                    <td>
+                        <a href="/catalog/stores/{{ s.evotor_id }}/products" role="button" class="outline sm" title="Товары">
+                            <i class="bi bi-box-seam"></i> Товары
+                        </a>
+                        <a href="/catalog/stores/{{ s.evotor_id }}/groups" role="button" class="outline secondary sm" title="Группы">
+                            <i class="bi bi-folder"></i> Группы
+                        </a>
+                    </td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+    </div>
+    {% else %}
+    <div class="text-center py-5 text-muted">
+        <i class="bi bi-shop" style="font-size:2rem;"></i>
+        <p class="mt-2">Магазины ещё не загружены.<br>Синхронизация выполняется каждые {{ refresh_interval }} сек. автоматически.</p>
+    </div>
+    {% endif %}
+</article>
+{% endblock %}

web/templates/confirm_email.html

@@ -0,0 +1,16 @@
+{% extends "base.html" %}
+{% block title %}Подтверждение email — ЭВОСИНК{% endblock %}
+
+{% block content %}
+<div class="row justify-center">
+    <div class="col-sm-10 col-md-6 col-lg-5">
+        <article class="card mt-5 text-center">
+            <div class="card-body" style="padding: 2.5rem;">
+                <i class="bi bi-envelope-check fs-1 text-primary mb-3 d-block"></i>
+                <h1 style="font-size:1.3rem;" class="mb-3">Подтвердите ваш email</h1>
+                <p class="text-muted">Проверьте почту и нажмите на ссылку для подтверждения.</p>
+            </div>
+        </article>
+    </div>
+</div>
+{% endblock %}

web/templates/connections.html

@@ -0,0 +1,209 @@
+{% extends "base.html" %}
+{% block title %}Подключения — ЭВОСИНК{% endblock %}
+
+{% block content %}
+<div class="row justify-center">
+    <div class="col-sm-10 col-md-8 col-lg-6">
+
+        <h1 style="font-size:1.3rem; margin-bottom:1.5rem;">
+            <i class="bi bi-plug me-2"></i>Подключения
+        </h1>
+
+        {% if request.query_params.get('success') %}
+        <div role="alert" class="alert alert-success mb-3">
+            <p>Подключение сохранено.</p>
+        </div>
+        {% endif %}
+
+        {# ── Evotor ── #}
+        <article class="card mb-4">
+            <header class="d-flex align-center justify-between">
+                <span><i class="bi bi-cpu me-2"></i><strong>Эвотор</strong></span>
+                {% if evotor %}
+                    <span class="badge badge-success"><i class="bi bi-check-circle me-1"></i>Подключено</span>
+                {% else %}
+                    <span class="badge badge-secondary">Не подключено</span>
+                {% endif %}
+            </header>
+
+            {% if evotor %}
+            <ul class="list-group mb-3">
+                <li class="list-group-item">
+                    <span class="text-muted small">Токен</span>
+                    <span class="font-monospace small">{{ evotor.access_token[:8] }}••••••••</span>
+                </li>
+                {% if evotor.evotor_user_id %}
+                <li class="list-group-item">
+                    <span class="text-muted small">Evotor User ID</span>
+                    <span class="font-monospace small">{{ evotor.evotor_user_id }}</span>
+                </li>
+                {% endif %}
+                <li class="list-group-item">
+                    <span class="text-muted small">Подключено</span>
+                    <span>{{ evotor.connected_at | datefmt }}</span>
+                </li>
+                <li class="list-group-item">
+                    <span class="text-muted small">Обновлено</span>
+                    <span>{{ evotor.updated_at | datefmt }}</span>
+                </li>
+            </ul>
+            {% endif %}
+
+            <div class="card-body">
+                <details {% if not evotor %}open{% endif %}>
+                    <summary>
+                        {% if evotor %}Обновить токен{% else %}Ввести API-токен{% endif %}
+                    </summary>
+                    <form method="post" action="/connections/evotor" class="mt-3">
+                        <label>
+                            API-токен Эвотор
+                            <input type="text" name="access_token"
+                                   placeholder="Вставьте токен из личного кабинета Эвотор"
+                                   value="{{ evotor.access_token if evotor else '' }}"
+                                   required autocomplete="off">
+                        </label>
+                        <label>
+                            Evotor User ID <span class="text-muted small">(необязательно)</span>
+                            <input type="text" name="evotor_user_id"
+                                   placeholder="Например: 01234567-89ab-cdef-0123-456789abcdef"
+                                   value="{{ evotor.evotor_user_id if evotor and evotor.evotor_user_id else '' }}"
+                                   autocomplete="off">
+                        </label>
+                        <button type="submit">
+                            <i class="bi bi-save me-1"></i>Сохранить
+                        </button>
+                    </form>
+                </details>
+
+                {% if evotor %}
+                <div class="d-flex gap-2 mt-3" style="flex-wrap:wrap; align-items:center;">
+                    <button type="button" class="outline sm" onclick="testConnection('evotor', this)">
+                        <i class="bi bi-wifi me-1"></i>Проверить соединение
+                    </button>
+                    <span id="evotor-test-result" class="small"></span>
+                </div>
+                <form method="post" action="/connections/evotor/disconnect"
+                      class="mt-2"
+                      onsubmit="return confirm('Отключить Эвотор? Кешированные данные каталога останутся.')">
+                    <button type="submit" class="outline danger sm">
+                        <i class="bi bi-plug me-1"></i>Отключить
+                    </button>
+                </form>
+                {% endif %}
+            </div>
+        </article>
+
+        {# ── VK ── #}
+        <article class="card mb-4">
+            <header class="d-flex align-center justify-between">
+                <span><i class="bi bi-badge-vr me-2"></i><strong>ВКонтакте (Маркет)</strong></span>
+                {% if vk %}
+                    <span class="badge badge-success"><i class="bi bi-check-circle me-1"></i>Подключено</span>
+                {% else %}
+                    <span class="badge badge-secondary">Не подключено</span>
+                {% endif %}
+            </header>
+
+            {% if vk %}
+            <ul class="list-group mb-3">
+                <li class="list-group-item">
+                    <span class="text-muted small">Токен</span>
+                    <span class="font-monospace small">{{ vk.access_token[:8] }}••••••••</span>
+                </li>
+                {% if vk.vk_user_id %}
+                <li class="list-group-item">
+                    <span class="text-muted small">ID сообщества</span>
+                    <span class="font-monospace small">{{ vk.vk_user_id }}</span>
+                </li>
+                {% endif %}
+                {% if vk.first_name or vk.last_name %}
+                <li class="list-group-item">
+                    <span class="text-muted small">Аккаунт</span>
+                    <span>{{ vk.first_name }} {{ vk.last_name }}</span>
+                </li>
+                {% endif %}
+                <li class="list-group-item">
+                    <span class="text-muted small">Подключено</span>
+                    <span>{{ vk.connected_at | datefmt }}</span>
+                </li>
+                <li class="list-group-item">
+                    <span class="text-muted small">Обновлено</span>
+                    <span>{{ vk.updated_at | datefmt }}</span>
+                </li>
+            </ul>
+            {% endif %}
+
+            <div class="card-body">
+                <details {% if not vk %}open{% endif %}>
+                    <summary>
+                        {% if vk %}Обновить подключение{% else %}Подключить ВКонтакте{% endif %}
+                    </summary>
+                    <p class="text-muted small mt-2">
+                        Укажите токен пользователя VK с правами <code>market,photos,groups</code>
+                        и ID сообщества, в котором включён Маркет.
+                    </p>
+                    <form method="post" action="/connections/vk" class="mt-2">
+                        <label>
+                            Токен доступа VK
+                            <input type="text" name="access_token"
+                                   placeholder="vk1.a.xxxxxxxxxxxxxxxx…"
+                                   value="{{ vk.access_token if vk else '' }}"
+                                   required autocomplete="off">
+                        </label>
+                        <label>
+                            ID сообщества ВКонтакте
+                            <input type="text" name="vk_group_id"
+                                   placeholder="Например: 229744980"
+                                   value="{{ vk.vk_user_id if vk and vk.vk_user_id else '' }}"
+                                   autocomplete="off">
+                            <small class="text-muted">Числовой ID группы/паблика с включённым Маркетом (без минуса)</small>
+                        </label>
+                        <button type="submit">
+                            <i class="bi bi-save me-1"></i>Сохранить
+                        </button>
+                    </form>
+                </details>
+
+                {% if vk %}
+                <div class="d-flex gap-2 mt-3" style="flex-wrap:wrap; align-items:center;">
+                    <button type="button" class="outline sm" onclick="testConnection('vk', this)">
+                        <i class="bi bi-wifi me-1"></i>Проверить соединение
+                    </button>
+                    <span id="vk-test-result" class="small"></span>
+                </div>
+                <form method="post" action="/connections/vk/disconnect"
+                      class="mt-2"
+                      onsubmit="return confirm('Отключить ВКонтакте?')">
+                    <button type="submit" class="outline danger sm">
+                        <i class="bi bi-plug me-1"></i>Отключить
+                    </button>
+                </form>
+                {% endif %}
+            </div>
+        </article>
+
+    </div>
+</div>
+{% endblock %}
+
+{% block scripts %}
+<script>
+async function testConnection(provider, btn) {
+    const resultEl = document.getElementById(provider + '-test-result');
+    btn.disabled = true;
+    resultEl.textContent = 'Проверяем…';
+    resultEl.style.color = '';
+    try {
+        const resp = await fetch('/connections/' + provider + '/test', {method: 'POST'});
+        const data = await resp.json();
+        resultEl.textContent = data.message;
+        resultEl.style.color = data.ok ? 'var(--pico-color-green-500, #2d8a4e)' : 'var(--pico-color-red-500, #c0392b)';
+    } catch (e) {
+        resultEl.textContent = 'Ошибка сети';
+        resultEl.style.color = 'var(--pico-color-red-500, #c0392b)';
+    } finally {
+        btn.disabled = false;
+    }
+}
+</script>
+{% endblock %}

web/templates/email_confirmed.html

@@ -0,0 +1,17 @@
+{% extends "base.html" %}
+{% block title %}Email подтвержден — ЭВОСИНК{% endblock %}
+
+{% block content %}
+<div class="row justify-center">
+    <div class="col-sm-10 col-md-6 col-lg-5">
+        <article class="card mt-5 text-center">
+            <div class="card-body" style="padding: 2.5rem;">
+                <i class="bi bi-check-circle fs-1 text-success mb-3 d-block"></i>
+                <h1 style="font-size:1.3rem;" class="mb-3">Email подтвержден!</h1>
+                <p class="text-muted">Ваш email успешно подтвержден. Теперь вы можете войти в систему.</p>
+                <a href="/login" role="button" class="mt-2">Войти</a>
+            </div>
+        </article>
+    </div>
+</div>
+{% endblock %}

web/templates/forgot_password.html

@@ -0,0 +1,24 @@
+{% extends "base.html" %}
+{% block title %}Забыли пароль — ЭВОСИНК{% endblock %}
+
+{% block content %}
+<div class="row justify-center">
+    <div class="col-sm-10 col-md-6 col-lg-5">
+        <article class="card mt-4">
+            <div class="card-body">
+                <h1 style="font-size:1.3rem;" class="mb-2">Забыли пароль?</h1>
+                <p class="text-muted small mb-4">Введите email, указанный при регистрации.</p>
+                <form method="post" action="/forgot-password">
+                    <label for="email">Email
+                        <input type="email" id="email" name="email" required>
+                    </label>
+                    <button type="submit" class="w-100">Отправить ссылку для сброса</button>
+                </form>
+                <div class="text-center small mt-3">
+                    <a href="/login">Вернуться ко входу</a>
+                </div>
+            </div>
+        </article>
+    </div>
+</div>
+{% endblock %}

web/templates/invite.html

@@ -0,0 +1,44 @@
+{% extends "base.html" %}
+{% block title %}Завершение регистрации — ЭВОСИНК{% endblock %}
+
+{% block content %}
+<div class="row justify-center">
+    <div class="col-sm-10 col-md-7 col-lg-6">
+        <article class="card mt-4">
+            <header>
+                <h1><i class="bi bi-person-plus me-2"></i>Добро пожаловать в ЭВОСИНК!</h1>
+            </header>
+            <div class="card-body">
+                <p class="text-muted mb-4">Ваш аккаунт был создан через Эвотор. Заполните данные профиля и задайте пароль для входа.</p>
+                <form method="post" action="/invite?token={{ token }}">
+                    <div class="row gap-2 mb-2">
+                        <div class="col">
+                            <label for="first_name">Имя <span class="text-danger">*</span>
+                                <input type="text" id="first_name" name="first_name" value="{{ form.first_name if form else (invite_user.first_name or '') }}" required>
+                            </label>
+                        </div>
+                        <div class="col">
+                            <label for="last_name">Фамилия <span class="text-danger">*</span>
+                                <input type="text" id="last_name" name="last_name" value="{{ form.last_name if form else (invite_user.last_name or '') }}" required>
+                            </label>
+                        </div>
+                    </div>
+                    <label for="email">Email <span class="text-danger">*</span>
+                        <input type="email" id="email" name="email" value="{{ form.email if form else (invite_user.email or '') }}" required>
+                    </label>
+                    <label for="phone">Телефон <span class="text-danger">*</span>
+                        <input type="tel" id="phone" name="phone" value="{{ form.phone if form else (invite_user.phone or '') }}" required>
+                    </label>
+                    <label for="password">Пароль <span class="text-danger">*</span>
+                        <input type="password" id="password" name="password" required minlength="8">
+                    </label>
+                    <label for="password_confirm">Подтверждение пароля <span class="text-danger">*</span>
+                        <input type="password" id="password_confirm" name="password_confirm" required>
+                    </label>
+                    <button type="submit" class="w-100">Завершить регистрацию</button>
+                </form>
+            </div>
+        </article>
+    </div>
+</div>
+{% endblock %}

web/templates/login.html

@@ -0,0 +1,27 @@
+{% extends "base.html" %}
+{% block title %}Вход — ЭВОСИНК{% endblock %}
+
+{% block content %}
+<div class="row justify-center">
+    <div class="col-sm-10 col-md-6 col-lg-5">
+        <article class="card mt-4">
+            <div class="card-body">
+                <h1 class="mb-4" style="font-size:1.3rem;">Вход</h1>
+                <form method="post" action="/login">
+                    <label for="email">Email
+                        <input type="email" id="email" name="email" value="{{ form.email if form else '' }}" required>
+                    </label>
+                    <label for="password">Пароль
+                        <input type="password" id="password" name="password" required>
+                    </label>
+                    <button type="submit" class="w-100">Войти</button>
+                </form>
+                <div class="text-center small mt-3">
+                    <a href="/forgot-password">Забыли пароль?</a><br>
+                    <a href="/register">Зарегистрироваться</a>
+                </div>
+            </div>
+        </article>
+    </div>
+</div>
+{% endblock %}

web/templates/message.html

@@ -0,0 +1,18 @@
+{% extends "base.html" %}
+{% block title %}{{ title }} — ЭВОСИНК{% endblock %}
+
+{% block content %}
+<div class="row justify-center">
+    <div class="col-sm-10 col-md-6 col-lg-5">
+        <article class="card mt-5 text-center">
+            <div class="card-body" style="padding: 2.5rem;">
+                <h1 style="font-size:1.3rem;" class="mb-3">{{ title }}</h1>
+                <p class="text-muted">{{ message }}</p>
+                {% if link %}
+                    <a href="{{ link }}" role="button" class="mt-2">{{ link_text }}</a>
+                {% endif %}
+            </div>
+        </article>
+    </div>
+</div>
+{% endblock %}

web/templates/profile_change_password.html

@@ -0,0 +1,31 @@
+{% extends "base.html" %}
+{% block title %}Изменить пароль — ЭВОСИНК{% endblock %}
+
+{% block content %}
+<div class="row justify-center">
+    <div class="col-sm-10 col-md-6 col-lg-5">
+        <article class="card mt-4">
+            <header>
+                <h1><i class="bi bi-key me-2"></i>Изменить пароль</h1>
+            </header>
+            <div class="card-body">
+                <form method="post" action="/profile/change-password">
+                    <label for="current_password">Текущий пароль
+                        <input type="password" id="current_password" name="current_password" required>
+                    </label>
+                    <label for="password">Новый пароль
+                        <input type="password" id="password" name="password" required>
+                    </label>
+                    <label for="password_confirm">Подтвердить пароль
+                        <input type="password" id="password_confirm" name="password_confirm" required>
+                    </label>
+                    <div class="d-flex gap-2">
+                        <button type="submit">Изменить пароль</button>
+                        <a href="/profile" role="button" class="outline secondary">Отмена</a>
+                    </div>
+                </form>
+            </div>
+        </article>
+    </div>
+</div>
+{% endblock %}

web/templates/profile_delete.html

@@ -0,0 +1,31 @@
+{% extends "base.html" %}
+{% block title %}Удалить аккаунт — ЭВОСИНК{% endblock %}
+
+{% block content %}
+<div class="row justify-center">
+    <div class="col-sm-10 col-md-6 col-lg-5">
+        <article class="card mt-4" style="border-color: #dc2626;">
+            <header class="bg-danger-header">
+                <h1><i class="bi bi-trash me-2"></i>Удалить аккаунт</h1>
+            </header>
+            <div class="card-body">
+                <div role="alert" class="alert alert-warning mb-3">
+                    <i class="bi bi-exclamation-triangle me-1"></i>
+                    <strong>Внимание!</strong> Это действие необратимо. Все ваши данные будут удалены.
+                </div>
+                <form method="post" action="/profile/delete">
+                    <label for="password">Введите пароль для подтверждения
+                        <input type="password" id="password" name="password" required>
+                    </label>
+                    <div class="d-flex gap-2">
+                        <button type="submit" class="danger">
+                            <i class="bi bi-trash me-1"></i>Удалить мой аккаунт
+                        </button>
+                        <a href="/profile" role="button" class="outline secondary">Отмена</a>
+                    </div>
+                </form>
+            </div>
+        </article>
+    </div>
+</div>
+{% endblock %}

web/templates/profile_edit.html

@@ -0,0 +1,43 @@
+{% extends "base.html" %}
+{% block title %}Редактировать профиль — ЭВОСИНК{% endblock %}
+
+{% block content %}
+<div class="row justify-center">
+    <div class="col-sm-10 col-md-7 col-lg-6">
+        <article class="card mt-4">
+            <header>
+                <h1><i class="bi bi-pencil me-2"></i>Редактировать профиль</h1>
+            </header>
+            <div class="card-body">
+                <form method="post" action="/profile/edit">
+                    <div class="row gap-2 mb-2">
+                        <div class="col">
+                            <label for="first_name">Имя
+                                <input type="text" id="first_name" name="first_name"
+                                       value="{{ form.first_name if form else user.first_name }}" required>
+                            </label>
+                        </div>
+                        <div class="col">
+                            <label for="last_name">Фамилия
+                                <input type="text" id="last_name" name="last_name"
+                                       value="{{ form.last_name if form else user.last_name }}" required>
+                            </label>
+                        </div>
+                    </div>
+                    <label>Email
+                        <input type="email" value="{{ user.email }}" disabled>
+                    </label>
+                    <label for="phone">Телефон
+                        <input type="tel" id="phone" name="phone"
+                               value="{{ form.phone if form else user.phone }}" required>
+                    </label>
+                    <div class="d-flex gap-2">
+                        <button type="submit">Сохранить</button>
+                        <a href="/profile" role="button" class="outline secondary">Отмена</a>
+                    </div>
+                </form>
+            </div>
+        </article>
+    </div>
+</div>
+{% endblock %}

web/templates/profile_view.html

@@ -0,0 +1,86 @@
+{% extends "base.html" %}
+{% block title %}Личный кабинет — ЭВОСИНК{% endblock %}
+
+{% block content %}
+<div class="row justify-center">
+    <div class="col-sm-10 col-md-7 col-lg-6">
+        <article class="card mt-4">
+            <header>
+                <h1><i class="bi bi-person-circle me-2"></i>Личный кабинет</h1>
+            </header>
+            <ul class="list-group">
+                <li class="list-group-item">
+                    <span class="text-muted small">Имя</span>
+                    <span>{{ user.first_name }}</span>
+                </li>
+                <li class="list-group-item">
+                    <span class="text-muted small">Фамилия</span>
+                    <span>{{ user.last_name }}</span>
+                </li>
+                <li class="list-group-item">
+                    <span class="text-muted small">Email</span>
+                    <span>
+                        {{ user.email }}
+                        {% if user.is_email_confirmed %}
+                            <span class="badge badge-success ms-1"><i class="bi bi-check-circle"></i> подтверждён</span>
+                        {% else %}
+                            <span class="badge badge-warning ms-1"><i class="bi bi-exclamation-circle"></i> не подтверждён</span>
+                        {% endif %}
+                    </span>
+                </li>
+                <li class="list-group-item">
+                    <span class="text-muted small">Телефон</span>
+                    <span>{{ user.phone }}</span>
+                </li>
+                <li class="list-group-item">
+                    <span class="text-muted small">Роль</span>
+                    <span>
+                        {% if user.role == 'system' %}<span class="badge badge-danger">Системный</span>
+                        {% elif user.role == 'admin' %}<span class="badge badge-warning">Администратор</span>
+                        {% else %}<span class="badge badge-secondary">Пользователь</span>
+                        {% endif %}
+                    </span>
+                </li>
+                <li class="list-group-item">
+                    <span class="text-muted small">Статус</span>
+                    <span>
+                        {% if user.status == 'active' %}<span class="badge badge-success">Активен</span>
+                        {% elif user.status == 'pending' %}<span class="badge badge-warning">Ожидает подтверждения</span>
+                        {% else %}<span class="badge badge-danger">Заблокирован</span>
+                        {% endif %}
+                    </span>
+                </li>
+                {% if user.evotor_user_id %}
+                <li class="list-group-item">
+                    <span class="text-muted small">Эвотор ID</span>
+                    <span class="font-monospace small">{{ user.evotor_user_id }}</span>
+                </li>
+                {% endif %}
+                <li class="list-group-item">
+                    <span class="text-muted small">Регистрация</span>
+                    <span>{{ user.created_at | datefmt }}</span>
+                </li>
+            </ul>
+            <div class="card-body d-grid gap-2">
+                <a href="/profile/edit" role="button">
+                    <i class="bi bi-pencil me-1"></i>Редактировать профиль
+                </a>
+                <a href="/profile/change-password" role="button" class="secondary">
+                    <i class="bi bi-key me-1"></i>Изменить пароль
+                </a>
+                {% if not user.is_email_confirmed %}
+                <a href="/resend-confirm" role="button" class="outline secondary">
+                    <i class="bi bi-envelope me-1"></i>Отправить письмо с подтверждением
+                </a>
+                {% endif %}
+                <a href="/logout" role="button" class="outline secondary">
+                    <i class="bi bi-box-arrow-right me-1"></i>Выход
+                </a>
+                <a href="/profile/delete" role="button" class="outline danger sm mt-2">
+                    <i class="bi bi-trash me-1"></i>Удалить аккаунт
+                </a>
+            </div>
+        </article>
+    </div>
+</div>
+{% endblock %}

web/templates/register.html

@@ -0,0 +1,44 @@
+{% extends "base.html" %}
+{% block title %}Регистрация — ЭВОСИНК{% endblock %}
+
+{% block content %}
+<div class="row justify-center">
+    <div class="col-sm-10 col-md-7 col-lg-6">
+        <article class="card mt-4">
+            <div class="card-body">
+                <h1 class="mb-4" style="font-size:1.3rem;">Регистрация</h1>
+                <form method="post" action="/register">
+                    <div class="row gap-2 mb-2">
+                        <div class="col">
+                            <label for="first_name">Имя
+                                <input type="text" id="first_name" name="first_name" value="{{ form.first_name if form else '' }}">
+                            </label>
+                        </div>
+                        <div class="col">
+                            <label for="last_name">Фамилия
+                                <input type="text" id="last_name" name="last_name" value="{{ form.last_name if form else '' }}">
+                            </label>
+                        </div>
+                    </div>
+                    <label for="email">Email <span class="text-danger">*</span>
+                        <input type="email" id="email" name="email" value="{{ form.email if form else '' }}" required>
+                    </label>
+                    <label for="phone">Телефон <span class="text-danger">*</span>
+                        <input type="tel" id="phone" name="phone" value="{{ form.phone if form else '' }}" required>
+                    </label>
+                    <label for="password">Пароль <span class="text-danger">*</span>
+                        <input type="password" id="password" name="password" required>
+                    </label>
+                    <label for="password_confirm">Подтверждение пароля <span class="text-danger">*</span>
+                        <input type="password" id="password_confirm" name="password_confirm" required>
+                    </label>
+                    <button type="submit" class="w-100">Зарегистрироваться</button>
+                </form>
+                <div class="text-center small mt-3">
+                    <a href="/login">Уже есть аккаунт? Войти</a>
+                </div>
+            </div>
+        </article>
+    </div>
+</div>
+{% endblock %}

web/templates/reset_password.html

@@ -0,0 +1,23 @@
+{% extends "base.html" %}
+{% block title %}Новый пароль — ЭВОСИНК{% endblock %}
+
+{% block content %}
+<div class="row justify-center">
+    <div class="col-sm-10 col-md-6 col-lg-5">
+        <article class="card mt-4">
+            <div class="card-body">
+                <h1 style="font-size:1.3rem;" class="mb-4">Новый пароль</h1>
+                <form method="post" action="/reset-password?token={{ token }}">
+                    <label for="password">Новый пароль
+                        <input type="password" id="password" name="password" required>
+                    </label>
+                    <label for="password_confirm">Подтверждение пароля
+                        <input type="password" id="password_confirm" name="password_confirm" required>
+                    </label>
+                    <button type="submit" class="w-100">Сменить пароль</button>
+                </form>
+            </div>
+        </article>
+    </div>
+</div>
+{% endblock %}

web/templates/vk_catalog/albums.html

@@ -0,0 +1,52 @@
+{% extends "base.html" %}
+{% block title %}Альбомы ВК — ЭВОСИНК{% endblock %}
+
+{% block content %}
+<div class="d-flex justify-between align-center mb-3">
+    <h1 style="font-size:1.3rem; margin:0;"><i class="bi bi-badge-vr me-2"></i>Каталог ВКонтакте — Альбомы</h1>
+    <span class="text-muted small">Всего: {{ albums | length }}</span>
+</div>
+
+<article class="card">
+    {% if not vk_conn %}
+    <div class="text-center py-5 text-muted">
+        <i class="bi bi-plug" style="font-size:2rem;"></i>
+        <p class="mt-2">ВКонтакте не подключён.<br><a href="/connections">Перейти к подключениям</a></p>
+    </div>
+    {% elif albums %}
+    <div class="table-scroll">
+        <table class="align-middle">
+            <thead>
+                <tr>
+                    <th>Название</th>
+                    <th>Товаров</th>
+                    <th>ID</th>
+                    <th>Обновлено</th>
+                    <th></th>
+                </tr>
+            </thead>
+            <tbody>
+                {% for a in albums %}
+                <tr>
+                    <td><i class="bi bi-collection me-1 text-muted"></i> <strong>{{ a.title }}</strong></td>
+                    <td class="text-muted">{{ a.count if a.count is not none else '—' }}</td>
+                    <td class="text-muted small">{{ a.album_id }}</td>
+                    <td class="text-muted small">{{ a.fetched_at | datefmt }}</td>
+                    <td>
+                        <a href="/vk-catalog/albums/{{ a.album_id }}/products" role="button" class="outline sm">
+                            <i class="bi bi-box-seam"></i> Товары
+                        </a>
+                    </td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+    </div>
+    {% else %}
+    <div class="text-center py-5 text-muted">
+        <i class="bi bi-collection" style="font-size:2rem;"></i>
+        <p class="mt-2">Альбомы ещё не загружены.<br>Синхронизация выполняется каждые {{ refresh_interval }} сек. автоматически.</p>
+    </div>
+    {% endif %}
+</article>
+{% endblock %}

web/templates/vk_catalog/products.html

@@ -0,0 +1,75 @@
+{% extends "base.html" %}
+{% block title %}Товары ВК — {{ album.title }} — ЭВОСИНК{% endblock %}
+
+{% block content %}
+<nav aria-label="breadcrumb" class="mb-3">
+    <ol class="breadcrumb">
+        <li><a href="/vk-catalog/albums">Альбомы ВК</a></li>
+        <li>{{ album.title }}</li>
+    </ol>
+</nav>
+
+<div class="d-flex justify-between align-center mb-3">
+    <h1 style="font-size:1.3rem; margin:0;"><i class="bi bi-box-seam me-2"></i>{{ album.title }}</h1>
+    <span class="text-muted small">Всего: {{ products | length }}</span>
+</div>
+
+<article class="card">
+    {% if products %}
+    <div class="table-scroll">
+        <table class="align-middle">
+            <thead>
+                <tr>
+                    <th></th>
+                    <th>Название</th>
+                    <th>Цена</th>
+                    <th>Статус</th>
+                    <th>ID</th>
+                    <th>Обновлено</th>
+                </tr>
+            </thead>
+            <tbody>
+                {% for p in products %}
+                <tr>
+                    <td style="width:48px;">
+                        {% if p.thumb_url %}
+                        <img src="{{ p.thumb_url }}" alt="" style="width:40px;height:40px;object-fit:cover;border-radius:4px;">
+                        {% else %}
+                        <span class="text-muted"><i class="bi bi-image" style="font-size:1.5rem;"></i></span>
+                        {% endif %}
+                    </td>
+                    <td>
+                        <strong>{{ p.name }}</strong>
+                        {% if p.description %}
+                        <br><span class="text-muted small">{{ p.description[:80] }}{% if p.description|length > 80 %}…{% endif %}</span>
+                        {% endif %}
+                    </td>
+                    <td class="text-muted">
+                        {% if p.price is not none %}{{ p.price | price }}{% else %}—{% endif %}
+                    </td>
+                    <td>
+                        {% if p.availability == 0 %}
+                        <span class="badge badge-success">В наличии</span>
+                        {% elif p.availability == 1 %}
+                        <span class="badge badge-secondary">Удалён</span>
+                        {% elif p.availability == 2 %}
+                        <span class="badge badge-warning">Недоступен</span>
+                        {% else %}
+                        <span class="text-muted small">—</span>
+                        {% endif %}
+                    </td>
+                    <td class="text-muted small">{{ p.vk_product_id }}</td>
+                    <td class="text-muted small">{{ p.fetched_at | datefmt }}</td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+    </div>
+    {% else %}
+    <div class="text-center py-5 text-muted">
+        <i class="bi bi-box-seam" style="font-size:2rem;"></i>
+        <p class="mt-2">Товары в этом альбоме не найдены.</p>
+    </div>
+    {% endif %}
+</article>
+{% endblock %}

web/templates_env.py

@@ -0,0 +1,21 @@
+from datetime import datetime
+
+from fastapi.templating import Jinja2Templates
+
+templates = Jinja2Templates(directory="web/templates")
+
+
+def _datefmt(value: datetime | None, fmt: str = "%d.%m.%Y %H:%M") -> str:
+    if value is None:
+        return "—"
+    return value.strftime(fmt)
+
+
+def _price(value) -> str:
+    if value is None:
+        return "—"
+    return f"{float(value):,.2f} ₽".replace(",", " ")
+
+
+templates.env.filters["datefmt"] = _datefmt
+templates.env.filters["price"] = _price