35 Commits

Author SHA1 Message Date
shop 980b31df06 release: v1.2.0 — catalog, order email, SEO, admin CSV
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 14:58:11 +03:00
shop e81bd79607 fix: shop.service 203/EXEC — bash, +x on scripts, remove CRLF
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 14:50:12 +03:00
shop 7cb61d4242 fix: www-data permissions after git pull and npm install
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 14:48:33 +03:00
shop db6ab9a701 fix: compare with origin via merge-base (diverged branches)
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 14:46:36 +03:00
shop c5e8653b30 release: v1.0.1 — captcha, Yandex block, Git fixes in the admin panel
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 14:43:59 +03:00
shop 9025677fd8 feat: Google/Cloudflare captcha, block Yandex SmartCaptcha
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 14:41:45 +03:00
shop f9f0446c12 docs: sudoers hints on the update page
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 14:35:33 +03:00
shop 4c37f4ac1a fix: git in the admin panel — ls-remote and pull as the repository owner
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 14:35:15 +03:00
shop d4166ec62a fix: git safe.directory for the admin panel (dubious ownership)
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 14:32:43 +03:00
shop af2901152d release: v1.0.0 — changelog and documentation after v0.20
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 14:28:32 +03:00
shop 69dfd2a93a feat: update from Git in the admin panel (/admin/system)
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 14:26:11 +03:00
shop d4dd1fb587 fix: include paths for icons in EJS (Internal Server Error)
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 14:17:59 +03:00
shop 0c2cee410f ui: icons and clear display of discounted prices
SVG icons in the header and buttons, struck-through old price and emphasis on the discounted price in the catalog, cart and product card.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 14:14:38 +03:00
shop 9b688b2af4 feat: product discounts and promo-code editing in the admin panel
Discounted price and promotion end date on a product; shown in the catalog and cart. Improved promo-code UI with editing.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 14:08:03 +03:00
shop db4bc9bfe1 feat: interactive installer install.sh (Docker / Ubuntu, admin, DB)
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 13:57:54 +03:00
shop dedef454c8 docs: updating in Troubleshooting — SHOP_ROOT + server-update
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 13:49:47 +03:00
shop 42a1ca312f docs: recommended update via SHOP_ROOT and server-update.sh
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 13:49:32 +03:00
shop ed9850c96f docs: one registered administrator (ADMIN_EMAIL)
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 13:41:16 +03:00
shop e2a7c79245 feat: back-in-stock notification subscription
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 13:38:03 +03:00
shop 561fbd22e0 docs: Server-Operations — universal deployment not tied to a domain
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 13:34:25 +03:00
shop d31a63829c fix: free port 3000 before starting shop.service
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 13:31:56 +03:00
shop f13ec7f29a fix: shop.service — wait-postgres, diagnostics, .env permissions
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 13:28:46 +03:00
shop b44419aebd feat: install-shop-service.sh for installing the systemd unit
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 13:25:57 +03:00
shop da77b1f8da fix: git-sync for detached HEAD, shop-root requires .git
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 13:24:06 +03:00
shop b7c8d2ed80 fix: quick deployment — PGDG, /opt/shop/shop10, no placeholder URL
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 13:23:00 +03:00
shop 42177555ac fix: server-update finds the repo root (incl. /opt/shop/shop10)
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 13:14:06 +03:00
shop e71bfa35dc feat: passkey in profile and login, admin-panel button in the account
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 12:58:00 +03:00
shop 711110c03b docs: remove SQLite mentions — the project is PostgreSQL only
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 12:51:07 +03:00
shop a6e6cc9943 chore: release v0.20.0 — admin panel, profile, cookies, reservations, email
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 11:41:32 +03:00
shop ade031b0e7 feat: product reservations and password reset by email
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 11:38:52 +03:00
shop bda73e1662 feat: cookie consent — blocks login and registration
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 11:32:08 +03:00
shop 14e0e875f1 feat: profile — view, change name, email and password
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 11:29:30 +03:00
shop f24f35d0fc feat: customer/admin roles, admin panel, admin@site.com
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 11:19:01 +03:00
shop 58c789d5f8 chore: push-wiki — authorization by token or login
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 09:52:33 +03:00
shop b9e6060610 docs: wiki — installation with Docker and without Docker (v0.10.0)
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 09:47:47 +03:00
109 changed files with 7517 additions and 265 deletions
+7 -3
@@ -1,5 +1,6 @@
# Скопируйте: cp .env.docker.example .env # Docker: лучше запустить интерактивный установщик:
# Используется docker compose (переменные подставляются в compose) # bash scripts/install.sh
# Или вручную: cp .env.docker.example .env
POSTGRES_USER=shop POSTGRES_USER=shop
POSTGRES_PASSWORD=shop POSTGRES_PASSWORD=shop
@@ -9,4 +10,7 @@ APP_PORT=3000
SESSION_SECRET=change-me-to-a-long-random-string SESSION_SECRET=change-me-to-a-long-random-string
TRUST_PROXY=0 TRUST_PROXY=0
# С профилем proxy (Caddy): TRUST_PROXY=1 ADMIN_EMAIL=admin@site.com
ADMIN_PASSWORD=admin
ADMIN_NAME=Администратор
SITE_URL=http://localhost:3000
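Review bot: `ADMIN_PASSWORD=admin` in this example env is a working default credential: anyone who does `cp .env.docker.example .env` as the comment at the top of the file suggests and brings the stack up gets an admin account with password `admin` (the README hunk further down says the password is applied when the account is first created). Use a `change-me` placeholder the way `SESSION_SECRET` does on the line above and have the installer or the app refuse the placeholder. Separately, the hint `# С профилем proxy (Caddy): TRUST_PROXY=1` was removed in this hunk with no replacement, while the docker-compose hunk below still defaults `TRUST_PROXY` to `0`; restore the hint, otherwise the proxy profile runs with the wrong setting.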
+37
@@ -4,6 +4,43 @@ NODE_ENV=production
TRUST_PROXY=1 TRUST_PROXY=1
SESSION_SECRET=change-me-to-a-long-random-string SESSION_SECRET=change-me-to-a-long-random-string
# Единственный администратор (зарегистрированный пользователь с этим email)
# При регистрации через сайт все получают роль customer; admin — только этот аккаунт
ADMIN_EMAIL=admin@site.com
ADMIN_PASSWORD=admin
ADMIN_NAME=Администратор
# URL сайта (ссылки в письмах, WebAuthn origin)
SITE_URL=http://localhost:3000
# Капча: google (reCAPTCHA) или cloudflare (Turnstile). yandex — заблокирован
CAPTCHA_PROVIDER=google
# CAPTCHA_ENABLED=0
RECAPTCHA_SITE_KEY=
RECAPTCHA_SECRET_KEY=
# TURNSTILE_SITE_KEY=
# TURNSTILE_SECRET_KEY=
# Passkey (WebAuthn) — по умолчанию hostname из SITE_URL
# WEBAUTHN_RP_ID=shop.example.com
# WEBAUTHN_RP_NAME=Shop
# WEBAUTHN_ORIGIN=https://shop.example.com,http://localhost:3000
# SMTP — сброс пароля и уведомления о брони
SMTP_HOST=smtp.example.com
SMTP_PORT=587
SMTP_SECURE=false
SMTP_USER=
SMTP_PASS=
SMTP_FROM=shop@example.com
# Обновление из админки (/admin/system)
# SHOP_ROOT=/opt/shop/shop10
# ADMIN_UPDATE_ENABLED=1
# ADMIN_UPDATE_USE_SUDO=1
# SHOP_GIT_USER=root
# SHOP_SERVICE_USER=www-data
# PostgreSQL 17 (одна строка или отдельные переменные) # PostgreSQL 17 (одна строка или отдельные переменные)
DATABASE_URL=postgresql://shop:shop@127.0.0.1:5432/shop DATABASE_URL=postgresql://shop:shop@127.0.0.1:5432/shop
# PGHOST=127.0.0.1 # PGHOST=127.0.0.1
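Review bot: the admin-update example at the bottom of this hunk (`# ADMIN_UPDATE_USE_SUDO=1` / `# SHOP_GIT_USER=root`) documents running the web-triggered `git pull` and `npm install` as root, which turns an admin session cookie, or write access to the git remote, into root code execution on the host; recommend a dedicated unprivileged deploy user that owns the checkout and show that user in the comment instead of root. Two smaller points in the same hunk: `ADMIN_PASSWORD=admin` ships a real default credential that the README says is applied when the admin account is first created, so use a `change-me` placeholder like `SESSION_SECRET` does; and the `WEBAUTHN_ORIGIN` example lists `http://localhost:3000` next to the production origin, which (assuming that list is the set of accepted origins) should not appear in a production-oriented example.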
+29
@@ -0,0 +1,29 @@
## 0.20.0
Расширенный релиз: роли, админка, профиль, cookies, бронирование, email.
### Новое
- **Роли:** клиент (`customer`) и администратор (`admin`), вход `admin@site.com`
- **Админ-панель:** заказы, пользователи, товары, бронирования
- **Профиль:** просмотр, смена имени, email и пароля
- **Cookies:** согласие обязательно для входа и регистрации
- **Бронирование товаров** (48 ч) + письмо на email
- **Сброс пароля** по ссылке из письма (SMTP)
- **Wiki:** инструкции Docker и без Docker
### Настройка email (.env)
```env
SITE_URL=https://ваш-сайт
SMTP_HOST=...
SMTP_FROM=...
```
### Установка
```bash
git checkout v0.20.0
npm install --omit=dev
# или docker compose up -d --build
```
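Review bot: the `### Установка` block goes straight from `git checkout v0.20.0` to `npm install --omit=dev` and says nothing about the database, yet this release adds a `role` column, a `reservations` table and a `password_reset_tokens` table (the SQL files at the end of this diff); say whether the app applies those migrations at start-up or the operator must run them before restarting. The `### Настройка email` block should also mention `SMTP_USER`/`SMTP_PASS`, which `.env.example` lists and which any authenticated relay needs.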
+42
@@ -0,0 +1,42 @@
## 1.0.0
Стабильный релиз **1.0** — всё новое после **v0.20.0**.
### Магазин
- Промокоды (%, фикс. сумма), баллы лояльности, таймер акции в корзине
- Акционная цена на товаре: старая цена зачёркнута, новая цена и % скидки
- Подписка «сообщить о поступлении» + email при появлении на складе
### Вход и админ
- Passkey (WebAuthn) в профиле и на странице входа
- Один админ — только `ADMIN_EMAIL` в `.env`
- Админка: цены/скидки на товарах, промокоды, **обновление с Git** (`/admin/system`)
- Иконки и улучшенное отображение цен
### Сервер
- `scripts/install.sh` — интерактивная установка
- `SHOP_ROOT`, `server-update.sh`, `git-sync.sh`, systemd-скрипты
- Wiki: Server-Operations, Troubleshooting
### Обновление с 0.20
```bash
export SHOP_ROOT=/opt/shop/shop10 # ваш каталог
git fetch origin && git checkout main && git pull
bash "$SHOP_ROOT/scripts/server-update.sh"
```
Или после настройки sudo: **Админ → Обновление →** ввести `update`.
### Новые переменные (.env)
```env
SHOP_ROOT=/opt/shop
ADMIN_EMAIL=admin@site.com
# Обновление из админки (опционально):
ADMIN_UPDATE_ENABLED=1
ADMIN_UPDATE_USE_SUDO=1
```
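Review bot: the `### Обновление с 0.20` block runs `git fetch origin && git checkout main && git pull` before any `cd`, so the git commands run in whatever directory the operator happens to be in, while the next line addresses the script through the absolute `$SHOP_ROOT` path; add `cd "$SHOP_ROOT"` first (the 1.0.0 release notes later in this diff do). The `.env` example then shows `SHOP_ROOT=/opt/shop` although the block above exported `/opt/shop/shop10`; pick one path for the whole file.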
+28
@@ -0,0 +1,28 @@
## 1.0.1
Патч после **v1.0.0**.
### Новое
- Капча **Google reCAPTCHA** или **Cloudflare Turnstile** (вход, регистрация, сброс пароля)
- **Яндекс SmartCaptcha** заблокирован — японский сервис недоступен по решению администратора
### Исправления
- Обновление из админки: `safe.directory`, `git ls-remote`, pull от владельца `.git`
### Настройка (.env)
```env
CAPTCHA_PROVIDER=google
RECAPTCHA_SITE_KEY=...
RECAPTCHA_SECRET_KEY=...
# или cloudflare: TURNSTILE_SITE_KEY / TURNSTILE_SECRET_KEY
```
### Обновление
```bash
export SHOP_ROOT=/opt/shop/shop10
git pull && bash "$SHOP_ROOT/scripts/server-update.sh"
```
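Review bot: same missing `cd` as in the 1.0.0 notes: `git pull && bash "$SHOP_ROOT/scripts/server-update.sh"` pulls in the current directory, not in `$SHOP_ROOT`, so add `cd "$SHOP_ROOT" &&` in front. Separately, the Yandex SmartCaptcha line calls it a `японский сервис`, which reads as a wrong word; the CHANGELOG entry for the same change in this diff just says `сообщение администратора на формах`, so align the wording.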
+31
@@ -0,0 +1,31 @@
# v1.2.0
**Дата:** 2026-05-16
## Каталог
- Сортировка: название, цена, новинки
- Фильтр «только со скидкой» и показ товаров без остатка
- Бейдж низкого остатка и блок «Вы недавно смотрели»
## Заказы
- Email-подтверждение заказа (нужен `SMTP_*` и `SITE_URL`)
- Вкладка «Заказы» в `/account`
## Прочее
- `robots.txt`, `sitemap.xml`
- Защита от перебора на login/register
- Админ: фильтр заказов, экспорт CSV
## Обновление
```bash
cd /opt/shop/shop10 # или ваш SHOP_ROOT
git pull
bash scripts/server-update.sh
# или: npm install --omit=dev && systemctl restart shop
```
Переменные для писем и sitemap: `SITE_URL`, `SMTP_HOST`, `SMTP_FROM`.
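Review bot: `**Дата:** 2026-05-16` predates the 1.0.1 release (2026-05-17 in the CHANGELOG hunk below) and the commit that creates this file (2026-05-17 14:58), so the date is wrong; fix it before tagging. The `## Обновление` block also offers `npm install --omit=dev && systemctl restart shop` as an equivalent of `server-update.sh`, but the commit `fix: права www-data после git pull и npm install` in this range indicates the script does a permissions fix that the manual path skips; either say so or drop the shortcut.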
+114
@@ -1,5 +1,119 @@
# Changelog # Changelog
## [1.2.0] — 2026-05-16
Улучшения каталога, уведомлений и админки.
### Каталог и UX
- **Сортировка:** по названию, цене (↑/↓), дате добавления
- **Фильтры:** только товары со скидкой; показ позиций «нет в наличии»
- **Бейдж «Осталось N»** при остатке ≤ 5
- **Недавно просмотренные** товары на главной (сессия, до 8 позиций)
- **Meta description** на странице товара
### Заказы и почта
- **Письмо после оформления** заказа (SMTP или лог в консоль)
- Вкладка **«Заказы»** в личном кабинете
### SEO и безопасность
- **`/robots.txt`** и **`/sitemap.xml`**
- Заголовки **X-Content-Type-Options**, **X-Frame-Options**, **Referrer-Policy**
- **Rate limit** на вход и регистрацию (429 при превышении)
### Админка
- **Фильтр заказов** по статусу
- **Экспорт заказов в CSV**
[1.2.0]: https://git.evilfox.cc/test/shop10/releases/tag/v1.2.0
## [1.0.1] — 2026-05-17
Патч после **v1.0.0**: капча, доработка обновления из админки.
### Безопасность
- **Капча:** Google reCAPTCHA или Cloudflare Turnstile на входе, регистрации и сбросе пароля
- **Яндекс SmartCaptcha заблокирован** — сообщение администратора на формах; попытки отправки отклоняются
### Админка и сервер
- **Обновление с Git** (`/admin/system`): исправлены `safe.directory`, проверка через `git ls-remote` без прав на `.git`, pull от владельца репозитория
- Подсказки по `SHOP_GIT_USER`, sudoers в интерфейсе
[1.0.1]: https://git.evilfox.cc/test/shop10/releases/tag/v1.0.1
## [1.0.0] — 2026-05-17
Первый мажорный релиз после **v0.20.0**: безопасность, лояльность, акции на товары, удобная установка и обновление с сервера.
### Безопасность и вход
- **Passkey (WebAuthn):** привязка в профиле, вход без пароля
- **Один администратор:** только email из `ADMIN_EMAIL`; остальные регистрируются как `customer`
- Документация только под **PostgreSQL 17** (SQLite убран из описаний)
### Магазин и маркетинг
- **Промокоды:** процент или фиксированная скидка, мин. сумма, лимит использований, таймер до конца акции в корзине
- **Баллы лояльности:** списание при оплате, начисление с заказа
- **Цена со скидкой на товар:** `sale_price_cents`, дата окончания акции; в каталоге — зачёркнутая старая цена и бейдж
- **Уведомление о поступлении:** подписка при нулевом остатке, email при пополнении склада
### Админ-панель
- Товары: цена, цена со скидкой, срок акции, остаток
- Промокоды: создание и редактирование
- **Обновление с Git:** `/admin/system``git pull`, `npm install`, перезапуск `shop` (с подтверждением)
- Улучшенный UI: SVG-иконки, наглядные цены со скидкой
### Установка и эксплуатация
- Интерактивный **`scripts/install.sh`** (Docker или Ubuntu, админ, БД, SMTP)
- **`SHOP_ROOT`**, **`git-sync.sh`**, **`server-update.sh`** — обновление без detached HEAD
- **`install-shop-service.sh`**, **`wait-postgres.sh`**, освобождение порта 3000
- Wiki: [Server-Operations](wiki/Server-Operations.md), универсальное развёртывание
### Исправления
- Пути `include` иконок в EJS (Internal Server Error после UI-обновления)
- Быстрое развёртывание Ubuntu: PGDG PostgreSQL 17, корректный каталог репозитория
[1.0.0]: https://git.evilfox.cc/test/shop10/releases/tag/v1.0.0
## [0.20.0] — 2026-05-17
### Роли и администрирование
- Роли `customer` и `admin`, админ-панель `/admin`
- Администратор по умолчанию: `admin@site.com` (создаётся при старте)
- Управление заказами, пользователями, товарами, бронированиями
### Личный кабинет
- Просмотр профиля, смена имени, email (с подтверждением пароля), пароля
### Cookies
- Баннер согласия; без принятия недоступны вход, регистрация, кабинет, оформление заказа
- Политика: `/cookies/policy`
### Бронирование и почта
- Бронирование товара на 48 часов, уведомление на email
- Сброс пароля: `/forgot-password`, ссылка в письме (nodemailer + SMTP)
- Переменные: `SITE_URL`, `SMTP_*`
### Документация
- Wiki: установка Docker и без Docker
- Скрипт `scripts/publish-gitea-release.sh`
[0.20.0]: https://git.evilfox.cc/test/shop10/releases/tag/v0.20.0
## [0.10.0] — 2026-05-17 ## [0.10.0] — 2026-05-17
Первый стабильный релиз с PostgreSQL 17. Два способа развёртывания: **Docker Compose** и **без Docker** (Ubuntu + systemd). Первый стабильный релиз с PostgreSQL 17. Два способа развёртывания: **Docker Compose** и **без Docker** (Ubuntu + systemd).
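Review bot: the `[1.2.0] — 2026-05-16` entry sits above `[1.0.1] — 2026-05-17` yet carries an earlier date, so the history reads out of order; correct the date. Two things the 1.2.0 security bullets should state: the rate limit on login and registration, if it is keyed on client IP, only works behind Caddy when `TRUST_PROXY=1` (otherwise every visitor shares the proxy address and one user's 429 locks everyone out), and the header list (`X-Content-Type-Options`, `X-Frame-Options`, `Referrer-Policy`) says nothing about `Strict-Transport-Security`, which should either be added or explicitly delegated to Caddy.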
+88 -104
@@ -1,17 +1,23 @@
# Shop # Shop
**v0.10.0** — интернет-магазин на **Node.js** и **PostgreSQL 17**. **v1.2.0** — интернет-магазин на **Node.js** и **PostgreSQL 17**.
Два способа установки: [Docker Compose](#docker-compose-рекомендуется-для-теста) | [без Docker (Ubuntu)](#postgresql-17-без-docker) Два способа установки: [Docker Compose](#docker-compose-рекомендуется-для-теста) | [без Docker (Ubuntu)](#postgresql-17-без-docker)
Подробности релиза: [CHANGELOG.md](CHANGELOG.md) · [docs/RELEASE-0.10.md](docs/RELEASE-0.10.md) Подробности релиза: [CHANGELOG.md](CHANGELOG.md) · [docs/RELEASE-1.0.1.md](docs/RELEASE-1.0.1.md) · [1.0.0](docs/RELEASE-1.0.md)
**Сервер (установка, обновление, ошибки):** [wiki/Server-Operations.md](wiki/Server-Operations.md) · [wiki/Troubleshooting.md](wiki/Troubleshooting.md)
## Возможности ## Возможности
- Каталог товаров с категориями и поиском - Каталог товаров с категориями и поиском
- Корзина и оформление заказа - Корзина и оформление заказа
- Регистрация и вход пользователей - Регистрация, вход (пароль или passkey), сброс пароля по email
- История заказов в личном кабинете - Личный кабинет: профиль, бронирования
- Роли: клиент (`customer`) и **один** администратор (`admin`) — аккаунт из `ADMIN_EMAIL` в `.env`
- Согласие на cookies
- Подписка «сообщить о поступлении», если товара нет в наличии
- Лояльность (баллы), промокоды со скидкой и таймером до конца акции
## Требования ## Требования
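Review bot: the `Подробности релиза` links in this hunk point at `docs/RELEASE-1.0.1.md` and `docs/RELEASE-1.0.md`, but the heading one line above now says **v1.2.0** and this diff adds a v1.2.0 release note; link that file here. The feature list also drops `История заказов в личном кабинете`, although the 1.2.0 changelog in this diff adds an «Заказы» tab to `/account`; keep the bullet.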
@@ -96,7 +102,7 @@ apt install -y postgresql-17 postgresql-client-17
Пользователь и база `shop`: Пользователь и база `shop`:
```bash ```bash
cd /opt/shop cd "$SHOP_ROOT"
bash scripts/setup-postgres-ubuntu.sh bash scripts/setup-postgres-ubuntu.sh
``` ```
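Review bot: `cd "$SHOP_ROOT"` replaces `cd /opt/shop`, but nothing in this section shows `SHOP_ROOT` being set; with the variable unset, `cd ""` either stays in the current directory (bash) or fails, and because the lines are not joined with `&&`, `setup-postgres-ubuntu.sh` runs from wherever the operator is. Guard it with `: "${SHOP_ROOT:?set SHOP_ROOT to the checkout path}"` or repeat the `export SHOP_ROOT=...` line here.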
@@ -106,36 +112,46 @@ bash scripts/setup-postgres-ubuntu.sh
--- ---
## Быстрый развёртывание на Ubuntu ## Интерактивный установщик
Задаёт вопросы: **Docker или Ubuntu**, данные **администратора**, **PostgreSQL**, URL сайта, опционально SMTP.
```bash ```bash
# 1. Система + Node.js 20 cd /path/to/shop
apt update bash scripts/install.sh
apt install -y git curl
curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
apt install -y nodejs
# 2. PostgreSQL 17
apt install -y postgresql-17 postgresql-client-17
# 3. Код
cd /opt
git clone <URL_РЕПОЗИТОРИЯ> shop
cd shop
# 4. БД
bash scripts/setup-postgres-ubuntu.sh
# 5. Окружение
cp .env.example .env
sed -i "s/change-me-to-a-long-random-string/$(openssl rand -hex 32)/" .env
# Проверьте DATABASE_URL в .env
# 6. Приложение
npm install --omit=dev
npm start
``` ```
Нативная установка на сервере — от root: `sudo bash scripts/install.sh`.
---
## Быстрый развёртывание на Ubuntu
Подставьте **URL своего репозитория** и каталог клона `SHOP_ROOT` (часто `/opt/shop`):
```bash
export SHOP_ROOT=/opt/shop
export SHOP_GIT_URL='https://ваш-forge/пользователь/shop.git'
apt update && apt install -y git curl
git clone "$SHOP_GIT_URL" "$SHOP_ROOT"
cd "$SHOP_ROOT"
sudo SHOP_INSTALL_DIR="$SHOP_ROOT" SHOP_GIT_URL="$SHOP_GIT_URL" bash scripts/quick-deploy-ubuntu.sh
```
**Обновление** (сайт уже работает) — **лучше так** (из любого каталога):
```bash
export SHOP_ROOT=/opt/shop/shop10
bash "$SHOP_ROOT/scripts/server-update.sh"
```
`SHOP_ROOT` — путь к клону с `package.json` (у вас может быть `/opt/shop` вместо `/opt/shop/shop10`).
Не копируйте в shell шаблоны вроде `<URL_РЕПОЗИТОРИЯ>` — это подсказки в тексте, не команды.
Подробно: **[wiki/Server-Operations.md](wiki/Server-Operations.md)** (PostgreSQL PGDG, git, systemd, порт 3000).
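Review bot: the removed quick-deploy block had `sed -i "s/change-me-to-a-long-random-string/$(openssl rand -hex 32)/" .env`, which was the only place in the README that generated a real `SESSION_SECRET`; the new text leaves that to `scripts/install.sh` and `quick-deploy-ubuntu.sh` without saying they do it, so either state that the installer generates the secret or keep the line in the manual path. Minor: the section says `SHOP_ROOT` is `часто /opt/shop`, exports `/opt/shop` in the first block and `/opt/shop/shop10` in the update block a few lines later; one example path would avoid the confusion that the last paragraph then has to explain.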
Проверка: Проверка:
```bash ```bash
@@ -159,28 +175,31 @@ DATABASE_URL=postgresql://shop:shop@127.0.0.1:5432/shop
| `DATABASE_URL` | Строка подключения PostgreSQL | | `DATABASE_URL` | Строка подключения PostgreSQL |
| `PGHOST`, `PGPORT`, `PGUSER`, `PGPASSWORD`, `PGDATABASE` | Альтернатива `DATABASE_URL` | | `PGHOST`, `PGPORT`, `PGUSER`, `PGPASSWORD`, `PGDATABASE` | Альтернатива `DATABASE_URL` |
| `HOST` | `127.0.0.1` в production (доступ через Caddy) | | `HOST` | `127.0.0.1` в production (доступ через Caddy) |
| `ADMIN_EMAIL` | Email **единственного** администратора (создаётся/обновляется при старте) |
| `ADMIN_PASSWORD` | Пароль администратора (только при первом создании аккаунта) |
| `ADMIN_NAME` | Имя администратора |
### Роли и администратор
- Через **регистрацию** на сайте все пользователи получают роль **клиент** (`customer`).
- **Один** зарегистрированный пользователь — **администратор**: аккаунт с email из `ADMIN_EMAIL` (по умолчанию `admin@site.com`). При старте приложения он создаётся, если ещё нет, или ему назначается роль `admin`.
- Админ-панель: `/admin` (кнопка в шапке и в личном кабинете — только у администратора).
- Сменить администратора: укажите другой email в `ADMIN_EMAIL` и перезапустите shop (прежние admin-аккаунты станут клиентами).
--- ---
## Запуск как служба (systemd) ## Запуск как служба (systemd)
```bash ```bash
cp /opt/shop/deploy/shop.service /etc/systemd/system/shop.service cd "$SHOP_ROOT"
cp .env.example .env # при первой установке — SESSION_SECRET, DATABASE_URL
cd /opt/shop sudo bash scripts/install-shop-service.sh
cp .env.example .env # при первой установке
# Заполните SESSION_SECRET и DATABASE_URL
npm install --omit=dev
# Не делайте chown -R www-data на весь /opt/shop (ломает git pull)
systemctl daemon-reload
systemctl enable shop
systemctl start shop
journalctl -u shop -f journalctl -u shop -f
``` ```
`EnvironmentFile=/opt/shop/.env` должен содержать `DATABASE_URL`. Не делайте `chown -R www-data` на весь каталог репозитория (ломает `git pull`).
`EnvironmentFile` в unit должен указывать на `$SHOP_ROOT/.env` с `DATABASE_URL`.
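Review bot: `ADMIN_PASSWORD` is documented as used only when the account is first created, so an operator who starts the service once with the example value `admin` and then edits `.env` keeps a default admin password for good; say the value must be set before the first start, and have the app refuse to create the admin when the password equals the example placeholder. The `Сменить администратора` bullet also means that whoever can edit `.env` and restart the service can silently demote the current admin and promote any registered email; that is fine for a single-operator host but worth stating next to the update-from-admin feature, which hands `.env`-adjacent privileges to the web admin.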
--- ---
@@ -199,18 +218,23 @@ journalctl -u shop -n 5 --no-pager
## Обновление на сервере (git pull) ## Обновление на сервере (git pull)
См. **[wiki/Server-Operations.md](wiki/Server-Operations.md)**.
**Рекомендуемый способ** (надёжнее, чем вручную `cd` и `git pull`):
```bash ```bash
cd /opt/shop export SHOP_ROOT=/opt/shop/shop10
git config --global --add safe.directory /opt/shop bash "$SHOP_ROOT/scripts/server-update.sh"
bash scripts/server-update.sh
``` ```
`WorkingDirectory` в `deploy/shop.service` должен совпадать с `$SHOP_ROOT`.
Скрипт: `git pull``npm install` → проверка PostgreSQL → `restart shop``curl /health``reload caddy`. Скрипт: `git pull``npm install` → проверка PostgreSQL → `restart shop``curl /health``reload caddy`.
Вручную: Вручную:
```bash ```bash
cd /opt/shop cd "$SHOP_ROOT"
git pull git pull
npm install --omit=dev npm install --omit=dev
systemctl restart shop systemctl restart shop
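Review bot: the `Вручную` fallback runs `git pull` and `npm install --omit=dev` as the shell user (root in the rest of the README) and then restarts a service that runs as `www-data`; the commit `fix: права www-data после git pull и npm install` in this range shows that ownership of freshly written files has to be corrected afterwards, and the script flow listed above (`git pull → npm install → проверка PostgreSQL → restart shop → curl /health → reload caddy`) is what the manual block is supposed to mirror. Add the permissions step to the manual block or point readers at `server-update.sh` only.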
@@ -220,50 +244,6 @@ systemctl reload caddy
--- ---
## Переход с SQLite на PostgreSQL 17
Если сервер уже работал на старой версии (файлы `data/*.db`):
```bash
# 1. PostgreSQL
apt install -y postgresql-17 postgresql-client-17
systemctl start postgresql
# 2. Код
cd /opt/shop
git config --global --add safe.directory /opt/shop
git pull
# 3. База shop
bash scripts/setup-postgres-ubuntu.sh
# 4. .env — обязательно DATABASE_URL
cp -n .env.example .env
nano .env
# DATABASE_URL=postgresql://shop:shop@127.0.0.1:5432/shop
# HOST=127.0.0.1
# NODE_ENV=production
# TRUST_PROXY=1
# 5. Зависимости и перезапуск
npm install --omit=dev
systemctl restart shop
# 6. Проверка
curl -s http://127.0.0.1:3000/health
systemctl reload caddy
```
Каталог `data/` больше не используется. Демо-товары появятся при пустой таблице `products`. Аккаунты и заказы из SQLite не переносятся — нужна повторная регистрация или ручной импорт.
Проверка PostgreSQL:
```bash
psql "postgresql://shop:shop@127.0.0.1:5432/shop" -c '\dt'
```
---
## Caddy — SSL и reverse proxy ## Caddy — SSL и reverse proxy
**Перед Caddy:** `curl http://127.0.0.1:3000/health` → OK. **Перед Caddy:** `curl http://127.0.0.1:3000/health` → OK.
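Review bot: deleting the SQLite-to-PostgreSQL section also removes the only warning that accounts and orders from `data/*.db` are not migrated and the `psql ... '\dt'` verification; since the wiki hunk below drops its pointer to this section as well, leave a one-line notice for installs still on SQLite (for example, upgrade through the last version that documented the migration) so they do not lose data silently.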
@@ -306,19 +286,17 @@ shop.example.com {
**Быстрое исправление (одной командой):** **Быстрое исправление (одной командой):**
```bash ```bash
cd /opt/shop bash "$SHOP_ROOT/scripts/fix-db-connection.sh"
git pull
bash scripts/fix-db-connection.sh
``` ```
**Вручную:** **Вручную:**
```bash ```bash
apt install -y postgresql-17 postgresql-client-17 cd "$SHOP_ROOT"
sudo bash scripts/install-postgresql-ubuntu.sh
systemctl enable --now postgresql systemctl enable --now postgresql
pg_isready -h 127.0.0.1 -p 5432 pg_isready -h 127.0.0.1 -p 5432
cd /opt/shop
bash scripts/setup-postgres-ubuntu.sh bash scripts/setup-postgres-ubuntu.sh
nano .env # DATABASE_URL=postgresql://shop:shop@127.0.0.1:5432/shop nano .env # DATABASE_URL=postgresql://shop:shop@127.0.0.1:5432/shop
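Review bot: the `Вручную` block mixes privilege levels: `sudo bash scripts/install-postgresql-ubuntu.sh` carries `sudo`, but the following `systemctl enable --now postgresql` and `bash scripts/setup-postgres-ubuntu.sh` lines need root too and have no prefix. State that the block runs as root or prefix every line consistently. Also `nano .env # DATABASE_URL=postgresql://shop:shop@...` still shows the default database password; tell the reader to change it rather than copy it.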
@@ -331,7 +309,7 @@ curl -s http://127.0.0.1:3000/health
### HTTP 502 ### HTTP 502
```bash ```bash
bash /opt/shop/scripts/diagnose-502.sh bash "$SHOP_ROOT/scripts/diagnose-502.sh"
journalctl -u shop -n 50 --no-pager journalctl -u shop -n 50 --no-pager
``` ```
@@ -374,28 +352,34 @@ caddy/Caddyfile.docker.example
deploy/shop.service deploy/shop.service
scripts/ scripts/
setup-postgres-ubuntu.sh setup-postgres-ubuntu.sh
install.sh
install-postgresql-ubuntu.sh
quick-deploy-ubuntu.sh
fix-db-connection.sh fix-db-connection.sh
diagnose-502.sh diagnose-502.sh
server-update.sh server-update.sh
src/ src/
``` ```
## Релиз 0.10.0 ## Релиз 1.0.1
```bash ```bash
git clone <URL_РЕПОЗИТОРИЯ> shop git clone <URL-вашего-репозитория> /opt/shop
cd shop cd /opt/shop
git checkout v0.10.0 git checkout v1.0.1
``` ```
| Способ | Команда | | Способ | Команда |
|--------|---------| |--------|---------|
| Интерактивно | `bash scripts/install.sh` |
| Docker | `docker compose up -d --build` | | Docker | `docker compose up -d --build` |
| Без Docker | `bash scripts/setup-postgres-ubuntu.sh``systemctl start shop` | | Без Docker | `bash scripts/setup-postgres-ubuntu.sh``systemctl start shop` |
Обновление с **0.20**: `bash "$SHOP_ROOT/scripts/server-update.sh"` или **Админ → Обновление**.
## Репозиторий ## Репозиторий
```bash ```bash
git clone <URL_РЕПОЗИТОРИЯ> shop git clone <URL-вашего-репозитория> /opt/shop
cd shop cd /opt/shop
``` ```
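Review bot: the section heading was bumped to `## Релиз 1.0.1` and checks out `v1.0.1`, but the README now announces **v1.2.0** and `package.json` in this diff is `1.2.0`, so a reader following this section installs the previous release; update the heading and the tag. The file listing also omits `git-sync.sh`, `install-shop-service.sh` and `wait-postgres.sh`, which the systemd unit and the changelog in this diff reference.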
+7 -4
@@ -1,7 +1,7 @@
[Unit] [Unit]
Description=Shop Node.js Description=Shop Node.js
After=network.target postgresql.service After=network.target
Wants=postgresql.service Wants=network-online.target
[Service] [Service]
Type=simple Type=simple
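Review bot: `Wants=network-online.target` has no ordering effect unless `After=network-online.target` is set as well, and `After=` still names `network.target`; with `After=postgresql.service` removed, start-up ordering now rests entirely on the `wait-postgres.sh` poll in the next hunk. Either add `After=network-online.target` or drop the `Wants=` line, and consider keeping `After=postgresql.service` for hosts where PostgreSQL is local (it is harmless when that unit does not exist).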
@@ -9,12 +9,15 @@ User=www-data
Group=www-data Group=www-data
WorkingDirectory=/opt/shop WorkingDirectory=/opt/shop
EnvironmentFile=/opt/shop/.env EnvironmentFile=/opt/shop/.env
# Дождаться PostgreSQL (запуск от root, +) ExecStartPre=+/bin/bash /opt/shop/scripts/wait-postgres.sh
ExecStartPre=+/bin/bash -c 'for i in $(seq 1 60); do pg_isready -h 127.0.0.1 -p 5432 -q && exit 0; sleep 1; done; echo "PostgreSQL не отвечает на 127.0.0.1:5432"; exit 1'
ExecStart=/usr/bin/node src/server.js ExecStart=/usr/bin/node src/server.js
Restart=on-failure Restart=on-failure
RestartSec=5 RestartSec=5
# Логи в journal
StandardOutput=journal
StandardError=journal
UMask=0022 UMask=0022
[Install] [Install]
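Review bot: `ExecStartPre=+/bin/bash /opt/shop/scripts/wait-postgres.sh` runs as root (the `+` prefix) a script that lives inside the git checkout the `www-data` service user runs from; the commit `fix: права www-data после git pull и npm install` in this range and the update-from-admin feature mean that tree is written by non-root processes, so anyone who can push to the remote or write `scripts/` gets root at the next restart. Keep `wait-postgres.sh` root-owned and not writable by `www-data`, or run it without `+` (`pg_isready` needs no root, as the removed inline loop shows). Also `WorkingDirectory` and `EnvironmentFile` stay hard-coded to `/opt/shop` while the README says the checkout may be `/opt/shop/shop10`; `install-shop-service.sh` should be rewriting these paths, and the unit should say so.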
+2 -1
@@ -23,6 +23,8 @@ services:
build: . build: .
container_name: shop-app container_name: shop-app
restart: unless-stopped restart: unless-stopped
env_file:
- .env
depends_on: depends_on:
postgres: postgres:
condition: service_healthy condition: service_healthy
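Review bot: `env_file: - .env` hands the whole `.env` to the app container, including `POSTGRES_PASSWORD`, `SMTP_PASS` and `ADMIN_PASSWORD`; that is acceptable for this app, but note that keys under `environment:` in the next hunk take precedence, so a `DATABASE_URL=...@127.0.0.1:5432/...` copied from `.env.example` into `.env` is silently overridden by the compose-built URL instead of producing an error. A one-line comment here would save someone debugging a "wrong" `.env` value.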
@@ -31,7 +33,6 @@ services:
HOST: 0.0.0.0 HOST: 0.0.0.0
PORT: 3000 PORT: 3000
TRUST_PROXY: ${TRUST_PROXY:-0} TRUST_PROXY: ${TRUST_PROXY:-0}
SESSION_SECRET: ${SESSION_SECRET:-change-me-in-docker-compose-env}
DATABASE_URL: postgresql://${POSTGRES_USER:-shop}:${POSTGRES_PASSWORD:-shop}@postgres:5432/${POSTGRES_DB:-shop} DATABASE_URL: postgresql://${POSTGRES_USER:-shop}:${POSTGRES_PASSWORD:-shop}@postgres:5432/${POSTGRES_DB:-shop}
ports: ports:
- '${APP_PORT:-3000}:3000' - '${APP_PORT:-3000}:3000'
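Review bot: removing `SESSION_SECRET: ${SESSION_SECRET:-change-me-in-docker-compose-env}` means that when `.env` lacks the variable the container now starts with `SESSION_SECRET` unset instead of with a bad placeholder; confirm the app refuses to start on an empty secret rather than signing session cookies with an empty key. `TRUST_PROXY` still defaults to `0` here, so the `--profile proxy` Caddy path depends on the `TRUST_PROXY=1` hint that this diff removed from `.env.docker.example`.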
+2 -3
@@ -5,7 +5,7 @@
## Вариант A — Docker Compose ## Вариант A — Docker Compose
```bash ```bash
git clone <URL_РЕПОЗИТОРИЯ> shop && cd shop git clone https://git.evilfox.cc/test/shop10.git /opt/shop/shop10 && cd /opt/shop/shop10
git checkout v0.10.0 git checkout v0.10.0
cp .env.docker.example .env cp .env.docker.example .env
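Review bot: the placeholder `<URL_РЕПОЗИТОРИЯ>` is replaced with the concrete `https://git.evilfox.cc/test/shop10.git`, while the next line still checks out `v0.10.0`, which no longer matches the `v1.2.0` this diff ships; either leave the URL generic (the README hunk above tells readers not to paste placeholders, so a clearly marked example URL is fine) or update the tag together with it.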
@@ -27,7 +27,7 @@ docker compose --profile proxy up -d --build
## Вариант B — без Docker (Ubuntu) ## Вариант B — без Docker (Ubuntu)
```bash ```bash
git clone <URL_РЕПОЗИТОРИЯ> shop && cd shop git clone https://git.evilfox.cc/test/shop10.git /opt/shop/shop10 && cd /opt/shop/shop10
git checkout v0.10.0 git checkout v0.10.0
apt install -y git curl apt install -y git curl
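Review bot: ordering bug in the unchanged context of this hunk: `git clone ...` on the first line runs before `apt install -y git curl` two lines later, so on a fresh Ubuntu host the clone fails because git is not installed yet; move the `apt install` above the clone (the README quick-deploy hunk above has it in the right order).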
@@ -50,7 +50,6 @@ Caddy на хосте — см. `README.md`, раздел «Caddy».
## Обновление с более ранних версий ## Обновление с более ранних версий
- С **SQLite**: раздел «Переход с SQLite на PostgreSQL 17» в README
- С **0.10-beta**: `git pull`, `npm install`, `systemctl restart shop` - С **0.10-beta**: `git pull`, `npm install`, `systemctl restart shop`
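Review bot: with the SQLite bullet removed, the only remaining upgrade line (`git pull`, `npm install`, `systemctl restart shop` from 0.10-beta) says nothing about the schema changes this diff introduces (`role`, `reservations`, `password_reset_tokens`); state how those migrations get applied during that upgrade.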
## Тег и Release в Gitea ## Тег и Release в Gitea
+58
@@ -0,0 +1,58 @@
# Релиз 0.20.0
## Что нового относительно 0.10.0
| Функция | Описание |
|---------|----------|
| Админ-панель | `/admin` — статистика, заказы, пользователи, товары, брони |
| Роли | `customer`, `admin` |
| Профиль | `/account` — имя, email, пароль |
| Cookies | Баннер согласия, блок входа без принятия |
| Бронирование | Кнопка на товаре, вкладка в кабинете |
| Сброс пароля | `/forgot-password` → письмо → новый пароль |
## Быстрый старт
### Docker
```bash
git checkout v0.20.0
cp .env.docker.example .env
# SESSION_SECRET, при необходимости SMTP и SITE_URL
docker compose up -d --build
```
### Ubuntu
```bash
git checkout v0.20.0
bash scripts/setup-postgres-ubuntu.sh
cp .env.example .env
npm install --omit=dev
systemctl restart shop
```
## Администратор по умолчанию
- Email: `admin@site.com`
- Пароль: `admin` (смените в production)
## SMTP (письма)
Обязательно для production-сброса пароля. Без SMTP ссылка выводится в лог сервера.
```env
SITE_URL=https://shop.example.com
SMTP_HOST=smtp.example.com
SMTP_PORT=587
SMTP_USER=...
SMTP_PASS=...
SMTP_FROM=shop@example.com
```
## Gitea Release
```bash
export GITEA_TOKEN=...
bash scripts/publish-gitea-release.sh 0.20.0
```
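Review bot: the `### Ubuntu` quick start copies `.env.example` and restarts the service with no step to edit it, so the service comes up with the example `SESSION_SECRET` and the `admin`/`admin` account this same file lists under `Администратор по умолчанию`; add the editing step the Docker block has, and say the admin password must be set before the first start (the README hunk above says it is only applied at account creation). Printing the password-reset link to the server log when SMTP is unset is fine for development but should be labelled dev-only, since anyone who can read `journalctl` can take over accounts with it.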
+24
@@ -0,0 +1,24 @@
# Релиз 1.0.1
Патч после [1.0.0](RELEASE-1.0.md): капча (Google / Cloudflare), блокировка Яндекс SmartCaptcha, исправления Git-обновления в админке.
## Что нового
| Изменение | Описание |
|-----------|----------|
| Капча | Google reCAPTCHA или Cloudflare Turnstile |
| Яндекс | SmartCaptcha заблокирован, предупреждение на формах |
| `/admin/system` | `safe.directory`, `ls-remote`, pull от владельца репозитория |
## Обновление с 1.0.0
```bash
export SHOP_ROOT=/opt/shop/shop10
cd "$SHOP_ROOT"
git fetch origin && git checkout v1.0.1
bash "$SHOP_ROOT/scripts/server-update.sh"
```
Добавьте в `.env` ключи капчи (см. `.env.example`) и перезапустите `shop`.
Полный список: [CHANGELOG.md](../CHANGELOG.md)
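Review bot: `git fetch origin && git checkout v1.0.1` leaves the checkout in detached HEAD, and the next line runs `server-update.sh`, which per the README hunk above starts with `git pull`; the commit `fix: git-sync для detached HEAD` in this range shows that case needed special handling. Either check out `main` and pull, or say explicitly that `git-sync.sh` handles the tag checkout before `server-update.sh` is run.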
+51
@@ -0,0 +1,51 @@
# Релиз 1.0.0
Мажорный релиз после **v0.20.0**. Кратко: passkey, лояльность и промокоды, акционные цены, уведомления о поступлении, обновление из админки, установщик `install.sh`.
## Что нового после 0.20
| Область | Изменения |
|---------|-----------|
| Вход | Passkey (WebAuthn), один админ (`ADMIN_EMAIL`) |
| Цены | Скидка на товар, промокоды, баллы лояльности |
| Склад | Подписка на email при поступлении товара |
| Админка | Цены/скидки, промокоды, **/admin/system** — обновление с Git |
| UI | Иконки, зачёркнутая старая цена, бейдж «−N%» |
| Deploy | `install.sh`, `SHOP_ROOT`, `git-sync`, wiki Server-Operations |
## Быстрый старт
### Новая установка
```bash
git clone <URL-репозитория> /opt/shop
cd /opt/shop
git checkout v1.0.0
bash scripts/install.sh
```
### Обновление с v0.20.0
```bash
export SHOP_ROOT=/opt/shop # или /opt/shop/shop10
cd "$SHOP_ROOT"
git fetch origin && git checkout main && git pull origin main
bash "$SHOP_ROOT/scripts/server-update.sh"
```
## Админ: обновление без SSH
1. В `.env`: `SHOP_ROOT`, `ADMIN_UPDATE_ENABLED=1`
2. Sudoers для `www-data` на `scripts/admin-web-update.sh` (см. `/admin/system`)
3. Админ → **Обновление** → проверить Git → ввести `update`
## Тег и Release в Gitea
```bash
git tag -a v1.0.0 -m "Release 1.0.0"
git push origin v1.0.0
export GITEA_TOKEN=...
bash scripts/publish-gitea-release.sh 1.0.0
```
Полный список: [CHANGELOG.md](../CHANGELOG.md)
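Review bot: step 2 of `Админ: обновление без SSH` grants `www-data` a sudoers rule for `scripts/admin-web-update.sh`, a file inside the checkout that `git pull` rewrites on every update; that makes the rule equivalent to root for anyone who can push to the remote, for any holder of an admin session, and for `www-data` itself if the README's warning against `chown -R www-data` is ignored. Install the script to a root-owned path outside the repo (or pin it in sudoers with a `sha256:` command digest), and have the update script verify what it fetched (a signed tag, or at least `ls-remote` against a pinned ref) before it runs `npm install`.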
+5 -2
@@ -1,6 +1,6 @@
{ {
"name": "shop", "name": "shop",
"version": "0.10.0", "version": "1.2.0",
"description": "Интернет-магазин на Node.js с PostgreSQL 17", "description": "Интернет-магазин на Node.js с PostgreSQL 17",
"main": "src/server.js", "main": "src/server.js",
"scripts": { "scripts": {
@@ -13,10 +13,13 @@
}, },
"dependencies": { "dependencies": {
"bcryptjs": "^2.4.3", "bcryptjs": "^2.4.3",
"cookie-parser": "^1.4.7",
"connect-pg-simple": "^10.0.0", "connect-pg-simple": "^10.0.0",
"ejs": "^3.1.10", "ejs": "^3.1.10",
"express": "^4.21.2", "express": "^4.21.2",
"express-session": "^1.18.1", "express-session": "^1.18.1",
"pg": "^8.13.1" "nodemailer": "^6.9.16",
"pg": "^8.13.1",
"@simplewebauthn/server": "^13.1.1"
} }
} }
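Review bot: three new runtime dependencies (`cookie-parser`, `nodemailer`, `@simplewebauthn/server`) are added with caret ranges, no `package-lock.json` change appears in the part of the diff shown here, and every install snippet in the docs uses `npm install --omit=dev` rather than `npm ci --omit=dev`; commit the lockfile and switch the docs to `npm ci` so production installs are reproducible and resolve to audited versions. Style: `cookie-parser` is inserted above `connect-pg-simple`, breaking the alphabetical order the list otherwise keeps.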
+4
@@ -5,9 +5,13 @@ CREATE TABLE IF NOT EXISTS users (
email TEXT NOT NULL UNIQUE, email TEXT NOT NULL UNIQUE,
password_hash TEXT NOT NULL, password_hash TEXT NOT NULL,
name TEXT NOT NULL, name TEXT NOT NULL,
role TEXT NOT NULL DEFAULT 'customer'
CHECK (role IN ('customer', 'admin')),
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW() created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
); );
CREATE INDEX IF NOT EXISTS idx_users_role ON users(role);
CREATE TABLE IF NOT EXISTS categories ( CREATE TABLE IF NOT EXISTS categories (
id SERIAL PRIMARY KEY, id SERIAL PRIMARY KEY,
slug TEXT NOT NULL UNIQUE, slug TEXT NOT NULL UNIQUE,
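Review bot: `idx_users_role` indexes a two-value column, so the planner will rarely choose it for `role = 'customer'` and it costs a write on every insert; if the purpose is to find the admin quickly, a partial index `CREATE INDEX ... ON users(role) WHERE role = 'admin'` is both smaller and selective. The inline CHECK is the right place to enforce the closed role set; PostgreSQL names it `users_role_check`, which matches the name the migration below tests for, so the two paths converge.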
+14
@@ -0,0 +1,14 @@
-- Роли пользователей (миграция для существующих БД)
ALTER TABLE users ADD COLUMN IF NOT EXISTS role TEXT NOT NULL DEFAULT 'customer';
DO $$
BEGIN
IF NOT EXISTS (
SELECT 1 FROM pg_constraint WHERE conname = 'users_role_check'
) THEN
ALTER TABLE users ADD CONSTRAINT users_role_check
CHECK (role IN ('customer', 'admin'));
END IF;
END $$;
CREATE INDEX IF NOT EXISTS idx_users_role ON users(role);
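Review bot: the existence test `SELECT 1 FROM pg_constraint WHERE conname = 'users_role_check'` is not scoped to a table, so a constraint of that name on any other table in any schema makes the DO block skip the `ADD CONSTRAINT` and the migration reports success without enforcing the role set; add `AND conrelid = 'users'::regclass`. Also worth a comment: `ADD COLUMN ... DEFAULT 'customer'` turns every pre-existing account, including the current admin, into a customer, so the step that promotes `ADMIN_EMAIL` after this migration must be documented or the admin is locked out of the new `/admin` pages.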
+28
@@ -0,0 +1,28 @@
-- Бронирование товаров
CREATE TABLE IF NOT EXISTS reservations (
id SERIAL PRIMARY KEY,
user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
product_id INTEGER NOT NULL REFERENCES products(id) ON DELETE CASCADE,
quantity INTEGER NOT NULL CHECK (quantity > 0),
status TEXT NOT NULL DEFAULT 'active'
CHECK (status IN ('active', 'fulfilled', 'cancelled', 'expired')),
expires_at TIMESTAMPTZ NOT NULL DEFAULT (NOW() + INTERVAL '48 hours'),
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_reservations_user ON reservations(user_id);
CREATE INDEX IF NOT EXISTS idx_reservations_product ON reservations(product_id);
CREATE INDEX IF NOT EXISTS idx_reservations_status ON reservations(status);
-- Сброс пароля
CREATE TABLE IF NOT EXISTS password_reset_tokens (
id SERIAL PRIMARY KEY,
user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
token_hash TEXT NOT NULL,
expires_at TIMESTAMPTZ NOT NULL,
used_at TIMESTAMPTZ,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_password_reset_user ON password_reset_tokens(user_id);
CREATE INDEX IF NOT EXISTS idx_password_reset_expires ON password_reset_tokens(expires_at);
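Review bot: `password_reset_tokens.token_hash` has neither an index nor a UNIQUE constraint, yet the only lookup possible at reset time is by that hash, so every reset is a sequential scan and two rows with the same hash (a replayed or duplicated token) are silently permitted; make it `token_hash TEXT NOT NULL UNIQUE`. Storing the hash rather than the raw token is the right choice. On the reservations side there is no index on `expires_at`, so whatever job flips `active` rows to `expired` scans the whole table; a partial index `ON reservations(expires_at) WHERE status = 'active'` covers exactly that sweep.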
+17
@@ -0,0 +1,17 @@
-- Passkey (WebAuthn) — опциональный вход вместо пароля
ALTER TABLE users ADD COLUMN IF NOT EXISTS passkey_enabled BOOLEAN NOT NULL DEFAULT false;
CREATE TABLE IF NOT EXISTS webauthn_credentials (
id SERIAL PRIMARY KEY,
user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
credential_id TEXT NOT NULL UNIQUE,
public_key BYTEA NOT NULL,
counter BIGINT NOT NULL DEFAULT 0,
device_type VARCHAR(32),
backed_up BOOLEAN NOT NULL DEFAULT false,
transports TEXT,
label TEXT NOT NULL DEFAULT 'Passkey',
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_webauthn_credentials_user_id ON webauthn_credentials(user_id);
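Review bot: nothing ties `users.passkey_enabled` to the rows in `webauthn_credentials`, so the flag can be true with zero registered credentials (an account that can no longer sign in) or false with credentials present; either the login path must use `EXISTS (SELECT 1 FROM webauthn_credentials WHERE user_id = ...)` as the source of truth, or the flag must be updated in the same transaction as every insert and delete. `counter BIGINT` exists for clone detection, which only works if verification rejects an assertion whose counter is not greater than the stored one (when either is non-zero) and writes the new value back; state that in the comment so the application side is not forgotten. `credential_id TEXT ... UNIQUE` needs one canonical encoding (base64url) on both registration and login, otherwise the UNIQUE constraint will not catch a re-registered key.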
+14
@@ -0,0 +1,14 @@
-- Подписка «сообщить о поступлении»
CREATE TABLE IF NOT EXISTS product_stock_alerts (
id SERIAL PRIMARY KEY,
product_id INTEGER NOT NULL REFERENCES products(id) ON DELETE CASCADE,
email TEXT NOT NULL,
user_id INTEGER REFERENCES users(id) ON DELETE SET NULL,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
notified_at TIMESTAMPTZ,
UNIQUE (product_id, email)
);
CREATE INDEX IF NOT EXISTS idx_stock_alerts_product_pending
ON product_stock_alerts (product_id)
WHERE notified_at IS NULL;
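Review bot: `UNIQUE (product_id, email)` compares bytes, so `User@example.com` and `user@example.com` are two subscriptions and the dedup is bypassed by changing case; store a normalized (lower-cased) address or build the unique index on `(product_id, lower(email))`. The table also accepts any address with no confirmation step (`notified_at` is the only state), which lets anyone enroll a third party's mailbox for every product and have the shop send unsolicited mail on every restock; add a confirmation token/`confirmed_at`, rate-limit enrolment by source, and prune rows that were notified long ago.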
+28
@@ -0,0 +1,28 @@
-- Лояльность и промокоды
ALTER TABLE users ADD COLUMN IF NOT EXISTS loyalty_points INTEGER NOT NULL DEFAULT 0
CHECK (loyalty_points >= 0);
CREATE TABLE IF NOT EXISTS promo_codes (
id SERIAL PRIMARY KEY,
code TEXT NOT NULL UNIQUE,
description TEXT NOT NULL DEFAULT '',
discount_type TEXT NOT NULL CHECK (discount_type IN ('percent', 'fixed')),
discount_value INTEGER NOT NULL CHECK (discount_value > 0),
starts_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
expires_at TIMESTAMPTZ NOT NULL,
min_order_cents INTEGER NOT NULL DEFAULT 0 CHECK (min_order_cents >= 0),
max_uses INTEGER CHECK (max_uses IS NULL OR max_uses > 0),
use_count INTEGER NOT NULL DEFAULT 0 CHECK (use_count >= 0),
active BOOLEAN NOT NULL DEFAULT true,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_promo_codes_active ON promo_codes (active, expires_at);
ALTER TABLE orders ADD COLUMN IF NOT EXISTS subtotal_cents INTEGER;
ALTER TABLE orders ADD COLUMN IF NOT EXISTS discount_cents INTEGER NOT NULL DEFAULT 0;
ALTER TABLE orders ADD COLUMN IF NOT EXISTS promo_code_id INTEGER REFERENCES promo_codes(id);
ALTER TABLE orders ADD COLUMN IF NOT EXISTS loyalty_points_used INTEGER NOT NULL DEFAULT 0;
ALTER TABLE orders ADD COLUMN IF NOT EXISTS loyalty_points_earned INTEGER NOT NULL DEFAULT 0;
UPDATE orders SET subtotal_cents = total_cents WHERE subtotal_cents IS NULL;
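Review bot: `discount_value` is only checked for `> 0`; with `discount_type = 'percent'` a value of 150 is accepted and produces a negative total, so add `CHECK (discount_type <> 'percent' OR discount_value <= 100)`. `use_count` and `max_uses` are unrelated columns with no `CHECK (max_uses IS NULL OR use_count <= max_uses)`, and redemption counting races under concurrent checkouts unless the increment is a single `UPDATE promo_codes SET use_count = use_count + 1 WHERE id = $1 AND (max_uses IS NULL OR use_count < max_uses)` whose affected-row count is checked. On `orders`, `discount_cents` and `loyalty_points_used` have no lower bound and nothing caps `discount_cents` at `subtotal_cents`; after the backfill `subtotal_cents` stays nullable, so finish with `ALTER TABLE orders ALTER COLUMN subtotal_cents SET NOT NULL` to lock in the invariant.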
+4
@@ -0,0 +1,4 @@
-- Цена со скидкой на товар (акция)
ALTER TABLE products ADD COLUMN IF NOT EXISTS sale_price_cents INTEGER
CHECK (sale_price_cents IS NULL OR sale_price_cents >= 0);
ALTER TABLE products ADD COLUMN IF NOT EXISTS sale_ends_at TIMESTAMPTZ;
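Review bot: `sale_price_cents >= 0` allows a sale price of zero, i.e. a free product, and nothing relates the sale price to the regular price or requires `sale_ends_at` when a sale price is set; if the admin form is the only guard, a typo makes an item free or "discounted" above list price. Tighten to `> 0` unless zero is intended, and either add a check against the regular price column in this migration or document that the application enforces it.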
+93
@@ -0,0 +1,93 @@
#!/bin/bash
# Обновление кода из админки (git pull + npm + перезапуск shop)
# Запуск: bash scripts/admin-web-update.sh
# С www-data: ADMIN_UPDATE_USE_SUDO=1 + sudoers NOPASSWD на этот скрипт
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=shop-root.sh
source "$SCRIPT_DIR/shop-root.sh"
PORT="${PORT:-3000}"
REPO_OWNER="${SHOP_GIT_USER:-$(stat -c '%U' "$SHOP_ROOT/.git" 2>/dev/null || stat -c '%U' "$SHOP_ROOT" 2>/dev/null || echo root)}"
SHOP_SERVICE_USER="${SHOP_SERVICE_USER:-www-data}"
ensure_git_safe() {
local user="$1"
if [ -z "$user" ]; then return; fi
if [ "$(id -u)" -eq 0 ]; then
sudo -u "$user" git config --global --add safe.directory "$SHOP_ROOT" 2>/dev/null || true
else
git config --global --add safe.directory "$SHOP_ROOT" 2>/dev/null || true
fi
}
run_as_owner() {
local cmd="$1"
if [ "$(id -u)" -eq 0 ] && [ "$(whoami)" != "$REPO_OWNER" ]; then
sudo -u "$REPO_OWNER" env SHOP_ROOT="$SHOP_ROOT" bash -c "cd \"$SHOP_ROOT\" && $cmd"
else
bash -c "cd \"$SHOP_ROOT\" && $cmd"
fi
}
ensure_git_safe "$REPO_OWNER"
ensure_git_safe "$(whoami)"
echo "=== Обновление Shop (админка) ==="
echo "Каталог: $SHOP_ROOT"
echo "Git от пользователя: $REPO_OWNER (текущий: $(whoami))"
if [ ! -d .git ]; then
echo "Ошибка: нет .git в $SHOP_ROOT"
exit 1
fi
echo ""
echo "Текущая версия:"
run_as_owner "git log -1 --oneline"
echo ""
echo "--- git sync ---"
run_as_owner "bash scripts/git-sync.sh"
echo ""
echo "--- npm install ---"
if [ "$(id -u)" -eq 0 ]; then
npm install --omit=dev
else
run_as_owner "npm install --omit=dev"
fi
echo ""
echo "--- права для службы shop ($SHOP_SERVICE_USER) ---"
if [ "$(id -u)" -eq 0 ]; then
bash "$SCRIPT_DIR/fix-shop-permissions.sh"
else
echo "WARN: запустите от root: sudo bash scripts/fix-shop-permissions.sh"
fi
echo ""
echo "Новая версия:"
run_as_owner "git log -1 --oneline"
echo ""
echo "--- перезапуск shop ---"
if command -v systemctl >/dev/null 2>&1 && systemctl cat shop.service >/dev/null 2>&1; then
if systemctl restart shop; then
sleep 2
if curl -sf "http://127.0.0.1:${PORT}/health" >/dev/null; then
echo "OK: служба shop перезапущена, /health отвечает"
else
echo "WARN: shop перезапущен, но /health не ответил — journalctl -u shop -n 40"
fi
else
echo "WARN: systemctl restart shop не удался. Выполните от root: systemctl restart shop"
exit 1
fi
else
echo "INFO: служба shop не найдена — перезапустите Node вручную"
fi
echo ""
echo "Готово."
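Review bot: this script is the documented NOPASSWD sudo target for `www-data`, and `fix-shop-permissions.sh` in the same commit makes `www-data` the owner of `$SHOP_ROOT` including `scripts/`, so the service account can rewrite the very file root executes through sudo: any code-execution bug in the web process becomes root with no second exploit. The same applies to anyone who can push to `origin/main`, because `git-sync.sh` pulls and the root branch then runs `npm install --omit=dev`, executing dependency lifecycle scripts as root. Keep the sudo target outside the repository (a root-owned `/usr/local/sbin/shop-web-update`, mode 0755), do git and npm as an unprivileged deploy user with `npm ci --omit=dev --ignore-scripts`, and leave root only `fix-shop-permissions.sh` and `systemctl restart shop`. Separately, `if [ ! -d .git ]` and the root-branch `npm install` run in whatever directory the caller was in; unless `shop-root.sh` does `cd "$SHOP_ROOT"` (not shown in this diff), add an explicit `cd "$SHOP_ROOT"` right after sourcing it.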
+7 -5
@@ -2,7 +2,9 @@
# Диагностика HTTP 502 (Caddy не достучался до Node / БД) # Диагностика HTTP 502 (Caddy не достучался до Node / БД)
set -e set -e
echo "=== Shop / Caddy 502 diagnostic ===" source "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/shop-root.sh" 2>/dev/null || SHOP_ROOT=/opt/shop
echo "=== Shop / Caddy 502 diagnostic ($SHOP_ROOT) ==="
echo echo
echo "1. PostgreSQL" echo "1. PostgreSQL"
@@ -40,11 +42,11 @@ fi
echo echo
echo "6. .env" echo "6. .env"
if [ -f /opt/shop/.env ]; then if [ -f "$SHOP_ROOT/.env" ]; then
grep -E '^(DATABASE_URL|HOST|PORT)=' /opt/shop/.env 2>/dev/null | sed 's/=.*/=***/' || true grep -E '^(DATABASE_URL|HOST|PORT)=' "$SHOP_ROOT/.env" 2>/dev/null | sed 's/=.*/=***/' || true
grep -E '^DATABASE_URL=' /opt/shop/.env || echo " DATABASE_URL не задан" grep -E '^DATABASE_URL=' "$SHOP_ROOT/.env" || echo " DATABASE_URL не задан"
else else
echo " /opt/shop/.env не найден" echo " $SHOP_ROOT/.env не найден"
fi fi
echo echo
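Review bot: the hunk masks `DATABASE_URL` with `sed 's/=.*/=***/'` and then on the very next line prints it unmasked (`grep -E '^DATABASE_URL=' "$SHOP_ROOT/.env" || echo ...`), so the database password lands in the terminal and in any diagnostic output that gets pasted into a ticket; keep only the masked grep and test presence with `grep -q`.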
+47
@@ -0,0 +1,47 @@
#!/bin/bash
# Диагностика службы shop
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "$SCRIPT_DIR/shop-root.sh"
echo "=== Диагностика shop.service ==="
echo "SHOP_ROOT=$SHOP_ROOT"
echo
echo "1. Unit"
systemctl cat shop.service 2>/dev/null | head -25 || echo " shop.service не найден"
echo
echo "2. PostgreSQL"
systemctl is-active postgresql 2>/dev/null || systemctl is-active 'postgresql@*' 2>/dev/null || echo " postgresql: не active"
pg_isready -q 2>/dev/null && echo " pg_isready (socket): OK" || echo " pg_isready (socket): FAIL"
pg_isready -h 127.0.0.1 -p 5432 -q 2>/dev/null && echo " pg_isready 127.0.0.1: OK" || echo " pg_isready 127.0.0.1: FAIL"
echo
echo "3. .env"
if [ -f "$SHOP_ROOT/.env" ]; then
ls -la "$SHOP_ROOT/.env"
grep -E '^(DATABASE_URL|HOST|PORT|NODE_ENV)=' "$SHOP_ROOT/.env" | sed 's/=.*/=***/' || true
else
echo " .env не найден"
fi
echo
echo "4. Порт 3000"
ss -tlnp | grep ':3000' || echo " порт 3000 свободен"
echo
echo "5. www-data доступ"
sudo -u www-data test -r "$SHOP_ROOT/package.json" && echo " package.json: OK" || echo " package.json: FAIL"
sudo -u www-data test -x "$SHOP_ROOT" && echo " каталог: OK" || echo " каталог: FAIL"
echo
echo "6. Тест Node (5 сек)"
set +e
timeout 8 sudo -u www-data bash -c "cd '$SHOP_ROOT' && set -a && source .env 2>/dev/null && set +a && node src/server.js" 2>&1 | head -20
set -e
echo
echo "7. journalctl shop"
journalctl -u shop -n 30 --no-pager 2>/dev/null || true
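Review bot: step 6 starts a second instance of the application as `www-data` with the production `.env` exported wholesale (`set -a && source .env`) for 8 seconds (the heading says 5); when `shop.service` is running this fails with EADDRINUSE and proves nothing, and when it is not running the diagnostic itself briefly serves the shop on the real port. Guard it with `systemctl is-active --quiet shop && echo "skip: service running"` and run the probe with an unused `PORT`. Step 4 hardcodes `:3000` although `.env` (grepped one step earlier) may set a different `PORT`; read it from the file.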
+13 -12
@@ -2,29 +2,30 @@
# Быстрое исправление ECONNREFUSED 127.0.0.1:5432 # Быстрое исправление ECONNREFUSED 127.0.0.1:5432
set -euo pipefail set -euo pipefail
cd /opt/shop 2>/dev/null || cd "$(dirname "$0")/.." SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "$SCRIPT_DIR/shop-root.sh"
echo "=== Исправление подключения к PostgreSQL ===" echo "=== Исправление подключения к PostgreSQL ($SHOP_ROOT) ==="
if ! dpkg -l | grep -q postgresql; then if ! command -v psql >/dev/null; then
echo "Установка PostgreSQL 17..." bash "$SCRIPT_DIR/install-postgresql-ubuntu.sh"
apt update
apt install -y postgresql-17 postgresql-client-17 || {
echo "Если пакет не найден — см. README (репозиторий PGDG)"
exit 1
}
fi fi
bash scripts/setup-postgres-ubuntu.sh bash "$SCRIPT_DIR/setup-postgres-ubuntu.sh"
if [ -f .env ] && ! grep -q '^DATABASE_URL=' .env; then if [ -f .env ] && ! grep -q '^DATABASE_URL=' .env; then
echo "DATABASE_URL=postgresql://shop:shop@127.0.0.1:5432/shop" >> .env echo 'DATABASE_URL=postgresql://shop:shop@127.0.0.1:5432/shop' >> .env
echo "Добавлен DATABASE_URL в .env" echo "Добавлен DATABASE_URL в .env"
fi fi
if [ -f deploy/shop.service ]; then
cp -f deploy/shop.service /etc/systemd/system/shop.service cp -f deploy/shop.service /etc/systemd/system/shop.service
sed -i "s|WorkingDirectory=.*|WorkingDirectory=${SHOP_ROOT}|" /etc/systemd/system/shop.service
sed -i "s|EnvironmentFile=.*|EnvironmentFile=${SHOP_ROOT}/.env|" /etc/systemd/system/shop.service
systemctl daemon-reload systemctl daemon-reload
systemctl restart shop fi
systemctl restart shop 2>/dev/null || true
sleep 2 sleep 2
if curl -sf http://127.0.0.1:3000/health; then if curl -sf http://127.0.0.1:3000/health; then
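Review bot: when `DATABASE_URL` is missing this appends `postgresql://shop:shop@127.0.0.1:5432/shop` to the production `.env`, hardcoding the default password `shop` that `setup-postgres-ubuntu.sh` also defaults to; a server "fixed" this way keeps a guessable database credential. Take the password from the environment or generate it, and refuse the literal default when `NODE_ENV=production`. The relative `.env` and `deploy/shop.service` now depend on the current directory being `$SHOP_ROOT` because the explicit `cd /opt/shop` was removed; keep an explicit `cd "$SHOP_ROOT"` unless `shop-root.sh` guarantees it. The `sed -i "s|WorkingDirectory=.*|WorkingDirectory=${SHOP_ROOT}|"` substitutions inject the path unescaped, so a path containing `|` or `&` corrupts the unit.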
+52
@@ -0,0 +1,52 @@
#!/bin/bash
# Права на каталог магазина для пользователя systemd (www-data)
# sudo bash "$SHOP_ROOT/scripts/fix-shop-permissions.sh"
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=shop-root.sh
source "$SCRIPT_DIR/shop-root.sh"
SHOP_SERVICE_USER="${SHOP_SERVICE_USER:-www-data}"
if [ "$(id -u)" -ne 0 ]; then
echo "Запустите от root: sudo bash $0"
exit 1
fi
if ! id "$SHOP_SERVICE_USER" &>/dev/null; then
echo "Ошибка: пользователь $SHOP_SERVICE_USER не найден"
exit 1
fi
echo "=== Права Shop: $SHOP_ROOT$SHOP_SERVICE_USER ==="
# CRLF из Windows → 203/EXEC в systemd
if [ -d "$SHOP_ROOT/scripts" ]; then
find "$SHOP_ROOT/scripts" -name '*.sh' -type f -exec sed -i 's/\r$//' {} +
fi
chown -R "$SHOP_SERVICE_USER:$SHOP_SERVICE_USER" "$SHOP_ROOT"
# Исполняемые скрипты (wait-postgres.sh для ExecStartPre)
if [ -d "$SHOP_ROOT/scripts" ]; then
chmod +x "$SHOP_ROOT"/scripts/*.sh 2>/dev/null || true
fi
# npm cache/logs для www-data
for dir in /var/www/.npm /var/www/.cache; do
mkdir -p "$dir"
chown -R "$SHOP_SERVICE_USER:$SHOP_SERVICE_USER" "$dir"
done
if [ -f "$SHOP_ROOT/.env" ]; then
chmod 640 "$SHOP_ROOT/.env"
chown "$SHOP_SERVICE_USER:$SHOP_SERVICE_USER" "$SHOP_ROOT/.env"
fi
# Родительские каталоги — traverse для www-data
chmod o+x /opt /opt/shop 2>/dev/null || true
echo "OK: владелец $SHOP_SERVICE_USER, скрипты +x"
echo "Проверка unit: grep ExecStartPre /etc/systemd/system/shop.service"
echo " sudo systemctl daemon-reload && sudo systemctl restart shop"
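Review bot: `chown -R "$SHOP_SERVICE_USER:$SHOP_SERVICE_USER" "$SHOP_ROOT"` gives the service account write access to all application code, including `scripts/wait-postgres.sh`, which `install-shop-service.sh` wires as `ExecStartPre=+...` (the `+` runs it as root), and `scripts/admin-web-update.sh`, the sudo target; a compromised Node process edits either file and gets root at the next restart or update. Least privilege here is a root- or deploy-user-owned tree that `www-data` can only read (`chown -R root:www-data`, `chmod -R g-w,o-rwx`), with only directories that must be writable (uploads, logs, the npm cache under `/var/www`) owned by `www-data`, and `.env` as `root:www-data` 0640 so the process can read but not rewrite its own secrets. Two smaller points: `chmod o+x /opt /opt/shop` hardcodes `/opt/shop` instead of walking the parents of `$SHOP_ROOT`, and the banner `"$SHOP_ROOT$SHOP_SERVICE_USER"` is missing a separator.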
+31
@@ -0,0 +1,31 @@
#!/bin/bash
# Освободить порт 3000 (ручной npm start / старый процесс)
set -euo pipefail
PORT="${1:-3000}"
if ! command -v ss >/dev/null; then
echo "ss не найден"
exit 0
fi
if ! ss -tlnp | grep -q ":${PORT} "; then
echo "Порт ${PORT} свободен"
exit 0
fi
echo "Порт ${PORT} занят:"
ss -tlnp | grep ":${PORT} " || true
if command -v fuser >/dev/null; then
echo "Останавливаем процессы на ${PORT}/tcp..."
fuser -k "${PORT}/tcp" 2>/dev/null || true
sleep 2
fi
if ss -tlnp | grep -q ":${PORT} "; then
echo "Порт ${PORT} всё ещё занят — остановите процесс вручную"
exit 1
fi
echo "Порт ${PORT} свободен"
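Review bot: `fuser -k "${PORT}/tcp"` sends SIGKILL by default to whatever owns the port without checking that it is a stray `node`; on a shared host that can take down an unrelated service listening on whatever number was passed as `$1`. Inspect the owner first (`ss -tlnp` already prints `users:(("node",pid=...))`), restrict the kill to that process, and try `fuser -k -TERM` before escalating to SIGKILL.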
+38
@@ -0,0 +1,38 @@
#!/bin/bash
# Синхронизация с origin/main (исправляет detached HEAD)
set -euo pipefail
source "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/shop-root.sh"
if [ ! -d .git ]; then
echo "Ошибка: в $SHOP_ROOT нет .git — нужен полный clone:"
echo " git clone <URL-репозитория> /opt/shop"
exit 1
fi
git config --global --add safe.directory "$SHOP_ROOT" 2>/dev/null || true
echo "=== git sync: $SHOP_ROOT ==="
git fetch origin
if git symbolic-ref -q HEAD >/dev/null 2>&1; then
BRANCH=$(git branch --show-current)
echo "Текущая ветка: ${BRANCH:-?}"
else
echo "Состояние: detached HEAD ($(git rev-parse --short HEAD))"
BRANCH=""
fi
if [ "$BRANCH" != "main" ]; then
if git show-ref --verify --quiet refs/remotes/origin/main; then
git checkout -B main origin/main
elif git show-ref --verify --quiet refs/heads/main; then
git checkout main
else
echo "Ветка main не найдена на origin"
exit 1
fi
fi
git pull origin main
echo "OK: $(git log -1 --oneline)"
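Review bot: `git pull origin main` is a merge, so when the server's `main` has diverged (a local hotfix, or rewritten history on origin) the deploy user either creates a merge commit on the server or the script stops halfway with a dirty tree; `git pull --ff-only origin main` fails cleanly and makes the divergence visible, which is what a deploy should do. After `git checkout -B main origin/main` the tree is already at `origin/main`, so the subsequent pull is a no-op on that path. Nothing verifies what is fetched (no signed tag or commit check), so whoever can write to `origin/main` controls the server; at minimum deploy the release tag the notes reference, or verify a signature before checking out.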
+59
@@ -0,0 +1,59 @@
#!/bin/bash
# Установка PostgreSQL 17 (PGDG) или postgresql из Ubuntu
# sudo bash scripts/install-postgresql-ubuntu.sh
set -euo pipefail
if command -v psql >/dev/null; then
echo "PostgreSQL уже установлен: $(psql --version | head -1)"
systemctl enable postgresql 2>/dev/null || true
systemctl start postgresql 2>/dev/null || true
exit 0
fi
echo "=== Установка PostgreSQL ==="
apt update
apt install -y curl ca-certificates gnupg lsb-release
if [ ! -f /etc/os-release ]; then
echo "Ошибка: не найден /etc/os-release"
exit 1
fi
# shellcheck source=/dev/null
. /etc/os-release
CODENAME="${VERSION_CODENAME:-}"
if [ -z "$CODENAME" ]; then
echo "Ошибка: не удалось определить VERSION_CODENAME (Ubuntu/Debian?)"
exit 1
fi
install -d /usr/share/postgresql-common/pgdg
curl -fsSL https://www.postgresql.org/media/keys/ACCC4CF8.asc \
-o /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc
echo "deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.asc] https://apt.postgresql.org/pub/repos/apt ${CODENAME}-pgdg main" \
> /etc/apt/sources.list.d/pgdg.list
apt update
if apt install -y postgresql-17 postgresql-client-17; then
echo "Установлен PostgreSQL 17 (PGDG)"
else
echo "Пакет postgresql-17 недоступен — устанавливаем postgresql из репозитория Ubuntu..."
apt install -y postgresql postgresql-contrib
fi
systemctl enable postgresql
systemctl start postgresql
for i in $(seq 1 30); do
if pg_isready -h 127.0.0.1 -p 5432 -q 2>/dev/null; then
echo "pg_isready: OK"
psql --version | head -1
exit 0
fi
sleep 1
done
echo "PostgreSQL установлен, но не отвечает на 127.0.0.1:5432"
echo " journalctl -u postgresql -n 30 --no-pager"
exit 1
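Review bot: `gnupg` and `lsb-release` are installed but never used (the script reads `/etc/os-release` and references the ASCII-armored key via `signed-by`), so drop them from the `apt install` line. The readiness loop probes only `127.0.0.1:5432`; a server that listens on the socket alone waits the full 30 s and exits 1 despite being healthy, so also accept `pg_isready -q` without `-h`, as `diagnose-shop-service.sh` does.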
+108
@@ -0,0 +1,108 @@
#!/bin/bash
# Установка systemd-службы shop (после git clone и .env)
# sudo bash scripts/install-shop-service.sh
set -euo pipefail
if [ "$(id -u)" -ne 0 ]; then
echo "Запустите от root: sudo bash scripts/install-shop-service.sh"
exit 1
fi
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "$SCRIPT_DIR/shop-root.sh"
echo "=== Установка службы shop ==="
echo "Каталог: $SHOP_ROOT"
if [ ! -f "$SHOP_ROOT/package.json" ]; then
echo "Ошибка: нет package.json в $SHOP_ROOT"
exit 1
fi
# .env в родительском каталоге (если переносили клон)
PARENT_ENV="$(dirname "$SHOP_ROOT")/.env"
if [ ! -f "$SHOP_ROOT/.env" ] && [ -f "$PARENT_ENV" ]; then
cp "$PARENT_ENV" "$SHOP_ROOT/.env"
echo "Скопирован .env из $(dirname "$SHOP_ROOT")"
fi
if [ ! -f "$SHOP_ROOT/.env" ]; then
if [ -f "$SHOP_ROOT/.env.example" ]; then
cp "$SHOP_ROOT/.env.example" "$SHOP_ROOT/.env"
if command -v openssl >/dev/null; then
sed -i "s/change-me-to-a-long-random-string/$(openssl rand -hex 32)/" "$SHOP_ROOT/.env"
fi
echo "Создан .env — проверьте DATABASE_URL"
else
echo "Ошибка: нет .env"
exit 1
fi
fi
if ! grep -q '^DATABASE_URL=' "$SHOP_ROOT/.env"; then
echo "Добавляю DATABASE_URL по умолчанию..."
echo 'DATABASE_URL=postgresql://shop:shop@127.0.0.1:5432/shop' >> "$SHOP_ROOT/.env"
fi
NODE_BIN=$(command -v node)
echo "Node: $NODE_BIN ($($NODE_BIN -v))"
chmod +x "$SHOP_ROOT/scripts/wait-postgres.sh" 2>/dev/null || true
if command -v pg_isready >/dev/null; then
bash "$SCRIPT_DIR/install-postgresql-ubuntu.sh" 2>/dev/null || true
systemctl enable postgresql 2>/dev/null || true
systemctl start postgresql 2>/dev/null || true
bash "$SCRIPT_DIR/setup-postgres-ubuntu.sh" 2>/dev/null || true
fi
npm install --omit=dev --prefix "$SHOP_ROOT"
bash "$SCRIPT_DIR/fix-shop-permissions.sh"
cp -f "$SHOP_ROOT/deploy/shop.service" /etc/systemd/system/shop.service
sed -i "s|WorkingDirectory=.*|WorkingDirectory=${SHOP_ROOT}|" /etc/systemd/system/shop.service
sed -i "s|EnvironmentFile=.*|EnvironmentFile=${SHOP_ROOT}/.env|" /etc/systemd/system/shop.service
sed -i "s|ExecStartPre=.*|ExecStartPre=+/bin/bash ${SHOP_ROOT}/scripts/wait-postgres.sh|" /etc/systemd/system/shop.service
sed -i "s|ExecStart=.*|ExecStart=${NODE_BIN} src/server.js|" /etc/systemd/system/shop.service
if ! sudo -u www-data test -r "$SHOP_ROOT/package.json"; then
echo "Ошибка: www-data не читает $SHOP_ROOT"
ls -la "$SHOP_ROOT" | head -5
exit 1
fi
systemctl daemon-reload
systemctl enable shop
systemctl stop shop 2>/dev/null || true
bash "$SCRIPT_DIR/free-port-3000.sh" 3000
echo "Запуск shop..."
if ! systemctl restart shop; then
echo ""
echo "=== Ошибка запуска — лог ==="
journalctl -u shop -n 40 --no-pager
echo ""
bash "$SCRIPT_DIR/diagnose-shop-service.sh" || true
exit 1
fi
sleep 3
if ! systemctl is-active --quiet shop; then
echo "shop.service не в состоянии active"
journalctl -u shop -n 40 --no-pager
exit 1
fi
if curl -sf http://127.0.0.1:3000/health; then
echo ""
echo "OK — служба shop запущена (systemd active)"
systemctl status shop --no-pager | head -15
systemctl reload caddy 2>/dev/null || true
else
echo "health не отвечает"
journalctl -u shop -n 40 --no-pager
exit 1
fi
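Review bot: `ExecStartPre=+/bin/bash ${SHOP_ROOT}/scripts/wait-postgres.sh` runs a script from the application tree as root (the `+` prefix), and `fix-shop-permissions.sh`, called a few lines earlier, hands that tree to `www-data`; code execution in the Node process therefore becomes root at the next restart by editing `wait-postgres.sh`. Drop the `+` (waiting for PostgreSQL needs network access, not root) or move the script to a root-owned path. `npm install --omit=dev --prefix "$SHOP_ROOT"` as root executes dependency `postinstall` scripts with root privileges; prefer `npm ci --omit=dev --ignore-scripts` run as the deploy user. The four `sed -i` rewrites inject `${SHOP_ROOT}` and `${NODE_BIN}` unescaped, so a path containing `|` or `&` corrupts the unit. The default `DATABASE_URL` with password `shop` is appended silently; print a warning that it must be changed.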
+257
@@ -0,0 +1,257 @@
#!/bin/bash
# Интерактивный установщик Shop
# bash scripts/install.sh
# sudo bash scripts/install.sh (нативная установка на Ubuntu)
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
# --- ввод ---
read_default() {
local prompt="$1"
local default="$2"
local value
if [ -n "$default" ]; then
read -rp "$prompt [$default]: " value
echo "${value:-$default}"
else
read -rp "$prompt: " value
echo "$value"
fi
}
read_secret() {
local prompt="$1"
local value
read -rsp "$prompt" value
echo ""
echo "$value"
}
read_secret_confirm() {
local prompt="$1"
local a b
while true; do
a=$(read_secret "$prompt")
b=$(read_secret "Повторите: ")
if [ "$a" = "$b" ]; then
echo "$a"
return
fi
echo "Пароли не совпадают. Попробуйте снова."
done
}
gen_secret() {
if command -v openssl >/dev/null; then
openssl rand -hex 32
else
head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
fi
}
# Безопасная запись значения в .env (одинарные кавычки)
env_quote() {
printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}
email_ok() {
[[ "$1" =~ ^[^\s@]+@[^\s@]+\.[^\s@]+$ ]]
}
# --- главная ---
clear 2>/dev/null || true
echo "============================================"
echo " Shop — интерактивная установка"
echo "============================================"
echo ""
# Каталог установки
if [ -f "$REPO_ROOT/package.json" ]; then
INSTALL_DIR=$(read_default "Каталог установки" "$REPO_ROOT")
else
INSTALL_DIR=$(read_default "Каталог установки" "/opt/shop")
if [ ! -f "$INSTALL_DIR/package.json" ]; then
GIT_URL=$(read_default "URL git-репозитория" "")
if [ -z "$GIT_URL" ]; then
echo "Ошибка: укажите URL репозитория или запустите установщик из клона."
exit 1
fi
echo "Клонирование $GIT_URL -> $INSTALL_DIR ..."
mkdir -p "$(dirname "$INSTALL_DIR")"
git clone "$GIT_URL" "$INSTALL_DIR"
fi
fi
cd "$INSTALL_DIR"
export SHOP_ROOT="$INSTALL_DIR"
# Режим
echo ""
echo "Способ установки:"
echo " 1) Docker Compose (PostgreSQL + приложение в контейнерах)"
echo " 2) Без Docker (Ubuntu: Node.js + PostgreSQL + systemd)"
echo ""
MODE=$(read_default "Выберите [1/2]" "1")
# Администратор
echo ""
echo "--- Администратор магазина (единственный admin) ---"
ADMIN_EMAIL=$(read_default "Email администратора" "admin@site.com")
while ! email_ok "$ADMIN_EMAIL"; do
echo "Некорректный email."
ADMIN_EMAIL=$(read_default "Email администратора" "admin@site.com")
done
ADMIN_NAME=$(read_default "Имя администратора" "Администратор")
ADMIN_PASSWORD=$(read_secret_confirm "Пароль администратора: ")
# База данных
echo ""
echo "--- PostgreSQL ---"
PG_USER=$(read_default "Пользователь БД" "shop")
PG_PASS=$(read_secret_confirm "Пароль БД: ")
PG_DB=$(read_default "Имя базы данных" "shop")
if [ "$MODE" = "1" ]; then
PG_HOST="postgres"
PG_PORT="5432"
APP_PORT=$(read_default "Порт сайта на хосте" "3000")
TRUST_PROXY="0"
echo ""
read -rp "Включить Caddy (HTTPS, порты 80/443)? [y/N]: " USE_CADDY
if [[ "${USE_CADDY,,}" == "y" || "${USE_CADDY,,}" == "yes" ]]; then
TRUST_PROXY="1"
USE_CADDY=1
else
USE_CADDY=0
fi
else
PG_HOST=$(read_default "Хост PostgreSQL" "127.0.0.1")
PG_PORT=$(read_default "Порт PostgreSQL" "5432")
APP_PORT="3000"
TRUST_PROXY=$(read_default "За reverse proxy (Caddy)? TRUST_PROXY [1/0]" "1")
USE_CADDY=0
fi
# Сайт и секрет
echo ""
echo "--- Прочие настройки ---"
if [ "$MODE" = "1" ] && [ "$USE_CADDY" = "1" ]; then
SITE_DEFAULT="https://shop.example.com"
else
SITE_DEFAULT="http://localhost:${APP_PORT}"
fi
SITE_URL=$(read_default "URL сайта (SITE_URL)" "$SITE_DEFAULT")
SESSION_SECRET=$(read_default "SESSION_SECRET (Enter = сгенерировать)" "")
SESSION_SECRET=${SESSION_SECRET:-$(gen_secret)}
echo ""
read -rp "Настроить SMTP для писем? [y/N]: " SET_SMTP
SMTP_BLOCK=""
if [[ "${SET_SMTP,,}" == "y" || "${SET_SMTP,,}" == "yes" ]]; then
SMTP_HOST=$(read_default "SMTP_HOST" "smtp.example.com")
SMTP_PORT=$(read_default "SMTP_PORT" "587")
SMTP_USER=$(read_default "SMTP_USER" "")
SMTP_PASS=$(read_secret "SMTP_PASS: ")
SMTP_FROM=$(read_default "SMTP_FROM" "shop@example.com")
SMTP_BLOCK="# SMTP
SMTP_HOST=${SMTP_HOST}
SMTP_PORT=${SMTP_PORT}
SMTP_SECURE=false
SMTP_USER=${SMTP_USER}
SMTP_PASS=${SMTP_PASS}
SMTP_FROM=${SMTP_FROM}
"
fi
DATABASE_URL="postgresql://${PG_USER}:${PG_PASS}@${PG_HOST}:${PG_PORT}/${PG_DB}"
# --- запись .env ---
ENV_FILE="$INSTALL_DIR/.env"
APP_HOST=$([ "$MODE" = "1" ] && echo "0.0.0.0" || echo "127.0.0.1")
{
echo "# Создано scripts/install.sh $(date -Iseconds)"
echo ""
echo "PORT=${APP_PORT}"
echo "HOST=${APP_HOST}"
echo "NODE_ENV=production"
echo "TRUST_PROXY=${TRUST_PROXY}"
echo "SESSION_SECRET=$(env_quote "$SESSION_SECRET")"
echo ""
echo "ADMIN_EMAIL=$(env_quote "$ADMIN_EMAIL")"
echo "ADMIN_PASSWORD=$(env_quote "$ADMIN_PASSWORD")"
echo "ADMIN_NAME=$(env_quote "$ADMIN_NAME")"
echo ""
echo "SITE_URL=$(env_quote "$SITE_URL")"
echo ""
if [ -n "$SMTP_BLOCK" ]; then
echo "$SMTP_BLOCK"
fi
echo "# PostgreSQL"
echo "POSTGRES_USER=$(env_quote "$PG_USER")"
echo "POSTGRES_PASSWORD=$(env_quote "$PG_PASS")"
echo "POSTGRES_DB=$(env_quote "$PG_DB")"
echo "DATABASE_URL=$(env_quote "$DATABASE_URL")"
echo "PGHOST=$(env_quote "$PG_HOST")"
echo "PGPORT=${PG_PORT}"
echo "PGUSER=$(env_quote "$PG_USER")"
echo "PGPASSWORD=$(env_quote "$PG_PASS")"
echo "PGDATABASE=$(env_quote "$PG_DB")"
} > "$ENV_FILE"
chmod 600 "$ENV_FILE" 2>/dev/null || true
echo ""
echo "Сохранено: $ENV_FILE"
# --- установка ---
echo ""
if [ "$MODE" = "1" ]; then
echo "=== Установка через Docker ==="
if ! command -v docker >/dev/null; then
echo "Ошибка: Docker не установлен. Установите Docker и повторите."
exit 1
fi
if ! docker compose version >/dev/null 2>&1; then
echo "Ошибка: нужен Docker Compose v2 (docker compose)."
exit 1
fi
COMPOSE_CMD=(docker compose)
if [ "$USE_CADDY" = "1" ]; then
echo "Запуск: postgres + app + caddy ..."
"${COMPOSE_CMD[@]}" --profile proxy up -d --build
else
echo "Запуск: postgres + app ..."
"${COMPOSE_CMD[@]}" up -d --build
fi
echo "Ожидание health..."
sleep 5
curl -sf "http://127.0.0.1:${APP_PORT}/health" && echo "" || echo "Проверьте: docker compose logs app"
else
echo "=== Установка без Docker (Ubuntu) ==="
if [ "$(id -u)" -ne 0 ]; then
echo "Запустите с root: sudo bash scripts/install.sh"
exit 1
fi
bash "$SCRIPT_DIR/install-postgresql-ubuntu.sh"
export DB_USER="$PG_USER" DB_PASS="$PG_PASS" DB_NAME="$PG_DB"
bash "$SCRIPT_DIR/setup-postgres-ubuntu.sh"
npm install --omit=dev
bash "$SCRIPT_DIR/install-shop-service.sh"
fi
echo ""
echo "============================================"
echo " Установка завершена"
echo "============================================"
echo " Каталог: $INSTALL_DIR"
echo " Сайт: $SITE_URL"
echo " Админ: $ADMIN_EMAIL"
if [ "$MODE" = "1" ]; then
echo " Порт: $APP_PORT"
echo " Логи: docker compose -f $INSTALL_DIR/docker-compose.yml logs -f"
else
echo " Служба: systemctl status shop"
echo " Health: curl http://127.0.0.1:3000/health"
fi
echo " Обновление: bash $INSTALL_DIR/scripts/server-update.sh"
echo "============================================"
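Review bot: `email_ok` uses `[^\s@]`, and inside a POSIX bracket expression `\s` is not a whitespace class but the literal characters backslash and `s` (bash additionally strips the backslash as a quote), so the regex rejects every address containing the letter s, including the offered default `admin@site.com`, and the prompt loops forever; use `[^[:space:]@]`. Three more problems with the generated `.env`: `read_secret_confirm` accepts an empty password (two empty strings compare equal), so the single admin can be created with no password; `PG_PASS` is interpolated into `DATABASE_URL` without URL-encoding, so a password containing `@`, `/`, `#` or `%` yields a connection string that does not parse; and `SMTP_PASS=${SMTP_PASS}` is written unquoted inside `SMTP_BLOCK` while every other secret goes through `env_quote`. Also, `chmod 600 "$ENV_FILE"` is undone later in the non-Docker path by `fix-shop-permissions.sh`, which makes `www-data` the owner of the file.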
+67
@@ -0,0 +1,67 @@
#!/bin/bash
# Публикация wiki/ в Gitea Wiki
#
# Способ 1 — токен (рекомендуется):
# export GITEA_TOKEN=ваш_токен
#
# Способ 2 — логин и пароль (не передавайте в чат, только в терминале):
# export GITEA_USER=логин
# export GITEA_PASSWORD=пароль
#
# bash scripts/push-wiki.sh
set -euo pipefail
GITEA_WIKI_URL="${GITEA_WIKI_URL:-https://git.evilfox.cc/test/shop10.wiki.git}"
REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
WIKI_SRC="${REPO_ROOT}/wiki"
TMPDIR="${TMPDIR:-/tmp}/shop-wiki-$$"
if [ ! -d "$WIKI_SRC" ]; then
echo "Нет каталога wiki/"
exit 1
fi
if [ -z "${GITEA_TOKEN:-}" ] && { [ -z "${GITEA_USER:-}" ] || [ -z "${GITEA_PASSWORD:-}" ]; }; then
echo "Задайте GITEA_TOKEN или пару GITEA_USER + GITEA_PASSWORD"
exit 1
fi
cleanup() { rm -rf "$TMPDIR"; }
trap cleanup EXIT
HOST_PATH="${GITEA_WIKI_URL#https://}"
HOST_PATH="${HOST_PATH#http://}"
if [ -n "${GITEA_TOKEN:-}" ]; then
CLONE_URL="https://${GITEA_TOKEN}@${HOST_PATH}"
else
# URL-encode не делаем — пароль без спецсимволов; иначе используйте токен
CLONE_URL="https://${GITEA_USER}:${GITEA_PASSWORD}@${HOST_PATH}"
fi
mkdir -p "$TMPDIR"
cd "$TMPDIR"
if git clone "$CLONE_URL" . 2>/dev/null; then
echo "Wiki репозиторий склонирован."
else
echo "Инициализация нового wiki репозитория..."
git init -b main
git remote add origin "$CLONE_URL"
fi
rsync -a --delete "${WIKI_SRC}/" ./
git add -A
if git diff --staged --quiet 2>/dev/null; then
echo "Wiki без изменений."
exit 0
fi
git config user.email "wiki@shop.local"
git config user.name "Shop Wiki"
git commit -m "docs: установка Docker и без Docker (v0.10.0)"
git push -u origin main
echo ""
echo "Готово: https://git.evilfox.cc/test/shop10/wiki"
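Review bot: the token is embedded in the clone URL (`CLONE_URL="https://${GITEA_TOKEN}@${HOST_PATH}"`), which stores it in `.git/config` of the temporary clone, shows it in `ps` output for the duration of the clone and push, and prints it in any git error message; the clone's stderr is discarded but the `git push -u origin main` is not. Supply the credential through a helper instead (`GIT_ASKPASS`, or `git -c credential.helper=...` that echoes `password=$GITEA_TOKEN`) and keep the URL clean. `TMPDIR="${TMPDIR:-/tmp}/shop-wiki-$$"` overrides the standard `TMPDIR` variable for every child process and uses a predictable name; use `mktemp -d`. The commit message is hardcoded to `(v0.10.0)` and will be wrong for every future run.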
+79
@@ -0,0 +1,79 @@
#!/bin/bash
# Быстрое развёртывание / обновление на Ubuntu (без Docker)
# sudo bash scripts/quick-deploy-ubuntu.sh
#
# Каталог: SHOP_INSTALL_DIR (по умолчанию /opt/shop)
# URL репозитория: SHOP_GIT_URL (обязателен при первом clone)
set -euo pipefail
INSTALL_DIR="${SHOP_INSTALL_DIR:-/opt/shop}"
GIT_URL="${SHOP_GIT_URL:-}"
if [ "$(id -u)" -ne 0 ]; then
echo "Запустите от root: sudo bash scripts/quick-deploy-ubuntu.sh"
exit 1
fi
echo "=== Shop: быстрое развёртывание ==="
echo "Каталог: $INSTALL_DIR"
if ! command -v node >/dev/null; then
echo "Установка Node.js 20..."
apt update
apt install -y git curl ca-certificates
curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
apt install -y nodejs
fi
if [ ! -f "$INSTALL_DIR/package.json" ]; then
if [ -z "$GIT_URL" ]; then
echo "Задайте URL репозитория:"
echo " export SHOP_GIT_URL='https://ваш-forge/user/shop.git'"
echo " sudo SHOP_GIT_URL=\"\$SHOP_GIT_URL\" bash scripts/quick-deploy-ubuntu.sh"
exit 1
fi
echo "Клонирование: $GIT_URL -> $INSTALL_DIR"
mkdir -p "$(dirname "$INSTALL_DIR")"
git clone "$GIT_URL" "$INSTALL_DIR"
fi
export SHOP_ROOT="$INSTALL_DIR"
cd "$INSTALL_DIR"
git config --global --add safe.directory "$INSTALL_DIR" 2>/dev/null || true
git pull
bash scripts/install-postgresql-ubuntu.sh
bash scripts/setup-postgres-ubuntu.sh
if [ ! -f .env ]; then
cp .env.example .env
if command -v openssl >/dev/null; then
SECRET=$(openssl rand -hex 32)
sed -i "s/change-me-to-a-long-random-string/${SECRET}/" .env
fi
if ! grep -q '^DATABASE_URL=' .env; then
echo 'DATABASE_URL=postgresql://shop:shop@127.0.0.1:5432/shop' >> .env
fi
echo "Создан .env — проверьте SITE_URL и SMTP"
fi
npm install --omit=dev
if [ -f deploy/shop.service ]; then
cp -f deploy/shop.service /etc/systemd/system/shop.service
# Подставить фактический путь в unit
sed -i "s|WorkingDirectory=.*|WorkingDirectory=${INSTALL_DIR}|" /etc/systemd/system/shop.service
sed -i "s|EnvironmentFile=.*|EnvironmentFile=${INSTALL_DIR}/.env|" /etc/systemd/system/shop.service
systemctl daemon-reload
systemctl enable shop 2>/dev/null || true
systemctl restart shop
sleep 2
curl -sf http://127.0.0.1:3000/health && echo && echo "OK — shop запущен (systemd)"
systemctl reload caddy 2>/dev/null || true
else
echo "deploy/shop.service не найден — запустите: npm start"
fi
echo ""
echo "Обновления в будущем:"
echo " bash ${INSTALL_DIR}/scripts/server-update.sh"
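Review bot: `curl -fsSL https://deb.nodesource.com/setup_20.x | bash -` runs an unpinned remote script as root with no checksum or signature check, the weakest link in an otherwise apt-based install; download it first and verify it, or add the NodeSource apt repository with a `signed-by` key the way `install-postgresql-ubuntu.sh` already does for PGDG. The `DATABASE_URL` default with password `shop` is appended silently here as well, and the bare `git pull` has the same merge-on-divergence problem noted for `git-sync.sh`; call that script instead of duplicating the logic.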
+41 -12
@@ -1,13 +1,32 @@
#!/bin/bash #!/bin/bash
# Обновление на сервере (запускать от root в /opt/shop) # Обновление на сервере: git pull, npm, restart shop
# bash "$SHOP_ROOT/scripts/server-update.sh"
set -euo pipefail set -euo pipefail
cd /opt/shop SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=shop-root.sh
source "$SCRIPT_DIR/shop-root.sh"
git config --global --add safe.directory /opt/shop 2>/dev/null || true echo "=== Shop update: $SHOP_ROOT ==="
git pull
if [ ! -d .git ]; then
echo "Ошибка: $SHOP_ROOT не git-репозиторий (нет .git)."
echo "Если нет .git — клонируйте заново:"
echo " export SHOP_GIT_URL='<URL-репозитория>'"
echo " mv \"$SHOP_ROOT\" \"\${SHOP_ROOT}.bak\""
echo " git clone \"\$SHOP_GIT_URL\" \"$SHOP_ROOT\""
exit 1
fi
bash "$SCRIPT_DIR/git-sync.sh"
if [ "$(id -u)" -eq 0 ]; then
npm install --omit=dev npm install --omit=dev
bash "$SCRIPT_DIR/fix-shop-permissions.sh"
else
npm install --omit=dev
echo "ВНИМАНИЕ: для прав www-data выполните: sudo bash $SCRIPT_DIR/fix-shop-permissions.sh"
fi
if [ -f .env ] && ! grep -q '^DATABASE_URL=' .env; then if [ -f .env ] && ! grep -q '^DATABASE_URL=' .env; then
echo "ВНИМАНИЕ: добавьте DATABASE_URL в .env (см. .env.example)" echo "ВНИМАНИЕ: добавьте DATABASE_URL в .env (см. .env.example)"
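Review bot: both branches of the `id -u` test run `npm install --omit=dev`, so the only difference is the permissions step; hoist the install above the `if`. As root, `npm install` runs dependency lifecycle scripts with root privileges and, with no lockfile in this commit, re-resolves versions on every update; `npm ci --omit=dev --ignore-scripts` run as the repository owner (the script already distinguishes root from a normal user) is the safer shape, with root limited to `fix-shop-permissions.sh` and the restart.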
@@ -21,15 +40,25 @@ if command -v pg_isready >/dev/null; then
} }
fi fi
if systemctl is-active --quiet shop 2>/dev/null; then if [ -f /etc/systemd/system/shop.service ]; then
systemctl daemon-reload
bash "$SCRIPT_DIR/free-port-3000.sh" 3000 2>/dev/null || true
systemctl restart shop systemctl restart shop
sleep 1 sleep 2
curl -sf http://127.0.0.1:3000/health && echo || { if curl -sf http://127.0.0.1:3000/health; then
echo "shop не отвечает — смотрите: journalctl -u shop -n 30" echo ""
exit 1
}
systemctl reload caddy 2>/dev/null || true
echo "OK" echo "OK"
systemctl reload caddy 2>/dev/null || true
else else
echo "Служба shop не установлена. См. deploy/shop.service в README." echo "shop не отвечает — journalctl -u shop -n 30"
exit 1
fi
elif [ "$(id -u)" -eq 0 ]; then
echo "Служба shop не установлена — устанавливаем..."
bash "$SCRIPT_DIR/install-shop-service.sh"
else
echo "Служба shop не установлена. Выполните от root:"
echo " sudo bash $SHOP_ROOT/scripts/install-shop-service.sh"
echo "WorkingDirectory: $SHOP_ROOT"
exit 1
fi fi
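Review bot: the `sleep 2` before `curl -sf http://127.0.0.1:3000/health` is a fixed guess; the app runs `initSchema` against PostgreSQL on start, so on a slow host the script exits 1 with the journalctl hint while the service comes up a second later, and on a fast host it waits for nothing. Poll the health URL in a bounded loop, the way wait-for-postgres.sh polls `pg_isready`. Also, `free-port-3000.sh 3000` (not in this diff) is run with its errors discarded just before `systemctl restart shop`; make sure it only terminates the previous shop process rather than any listener on that port, since with `2>/dev/null || true` a mistake there would be invisible.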
+8 -6
@@ -1,16 +1,18 @@
#!/bin/bash #!/bin/bash
# PostgreSQL 17 на Ubuntu — установка службы, пользователь и БД shop # PostgreSQL — пользователь и БД shop (после install-postgresql-ubuntu.sh)
# Запуск: sudo bash scripts/setup-postgres-ubuntu.sh # sudo bash scripts/setup-postgres-ubuntu.sh
set -euo pipefail set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
SHOP_ROOT="${SHOP_ROOT:-$(cd "$SCRIPT_DIR/.." && pwd)}"
DB_USER="${DB_USER:-shop}" DB_USER="${DB_USER:-shop}"
DB_PASS="${DB_PASS:-shop}" DB_PASS="${DB_PASS:-shop}"
DB_NAME="${DB_NAME:-shop}" DB_NAME="${DB_NAME:-shop}"
if ! command -v psql >/dev/null; then if ! command -v psql >/dev/null; then
echo "PostgreSQL не установлен." echo "PostgreSQL не установлен. Запустите:"
echo " apt install -y postgresql-17 postgresql-client-17" echo " sudo bash $SCRIPT_DIR/install-postgresql-ubuntu.sh"
echo " systemctl enable --now postgresql"
exit 1 exit 1
fi fi
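Review bot: `DB_PASS="${DB_PASS:-shop}"` still defaults the database password to the user name, and now that this script is one step of a scripted provisioning flow, every install that does not export DB_PASS ends up with `shop:shop` on 127.0.0.1:5432. Generate a random value when the variable is unset, for example `DB_PASS="${DB_PASS:-$(openssl rand -hex 16)}"`, so a weak default never reaches a production host; a local-only listener does not make a guessable password harmless when other services share the machine.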
@@ -52,7 +54,7 @@ EOF
echo "" echo ""
echo "PostgreSQL готов." echo "PostgreSQL готов."
echo "Добавьте в /opt/shop/.env:" echo "Добавьте в ${SHOP_ROOT}/.env:"
echo "DATABASE_URL=postgresql://${DB_USER}:${DB_PASS}@127.0.0.1:5432/${DB_NAME}" echo "DATABASE_URL=postgresql://${DB_USER}:${DB_PASS}@127.0.0.1:5432/${DB_NAME}"
echo "" echo ""
echo "Проверка: psql \"postgresql://${DB_USER}:${DB_PASS}@127.0.0.1:5432/${DB_NAME}\" -c 'SELECT 1'" echo "Проверка: psql \"postgresql://${DB_USER}:${DB_PASS}@127.0.0.1:5432/${DB_NAME}\" -c 'SELECT 1'"
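Review bot: the two final `echo` lines print the complete `DATABASE_URL`, password included, to stdout, where it lands in terminal scrollback and in any captured install log. Print the URL with the password masked, or append the line directly to `${SHOP_ROOT}/.env` with mode 600 and tell the user where it was written; the `psql` check line can then reference the `.env` value instead of repeating the secret.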
+38
@@ -0,0 +1,38 @@
#!/bin/bash
# Каталог репозитория (package.json + по возможности .git)
# Переопределение: SHOP_ROOT=/opt/shop/shop10
_resolve_shop_root() {
local d
for d in \
"${SHOP_ROOT:-}" \
"$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)" \
"/opt/shop" \
"/opt/shop/app"; do
[ -z "$d" ] && continue
[ -f "${d}/package.json" ] && [ -d "${d}/.git" ] && SHOP_ROOT="$d" && return 0
done
for d in \
"${SHOP_ROOT:-}" \
"$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)" \
"/opt/shop" \
"/opt/shop/app"; do
[ -z "$d" ] && continue
[ -f "${d}/package.json" ] && SHOP_ROOT="$d" && return 0
done
return 1
}
if ! _resolve_shop_root; then
echo "Ошибка: не найден каталог Shop (нет package.json)."
echo " export SHOP_ROOT=/opt/shop # каталог с package.json"
echo " git clone <URL-репозитория> \"\$SHOP_ROOT\""
echo " SHOP_ROOT=\$SHOP_ROOT bash scripts/server-update.sh"
exit 1
fi
export SHOP_ROOT
cd "$SHOP_ROOT"
if [ -d "$SHOP_ROOT/.git" ]; then
git config --global --add safe.directory "$SHOP_ROOT" 2>/dev/null || true
fi
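Review bot: `git config --global --add safe.directory "$SHOP_ROOT"` runs every time this file is sourced, and `--add` appends rather than sets, so the global gitconfig of whichever user runs the scripts gains one duplicate entry per run; guard it with `git config --global --get-all safe.directory | grep -qxF "$SHOP_ROOT" ||`. Because the environment's `SHOP_ROOT` is tried before the on-disk candidates, the path written into `safe.directory` is caller-controlled; that is fine for a root shell, but if the admin-panel deploy path ever sources this file, its environment should be fixed there rather than inherited. The two candidate loops differ only in the `[ -d "${d}/.git" ]` test; one loop with a require-git flag would remove the duplicated list.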
+13
@@ -0,0 +1,13 @@
#!/bin/bash
# Ожидание PostgreSQL (сокет или TCP 127.0.0.1:5432)
for i in $(seq 1 45); do
if pg_isready -q 2>/dev/null; then
exit 0
fi
if pg_isready -h 127.0.0.1 -p 5432 -q 2>/dev/null; then
exit 0
fi
sleep 1
done
echo "PostgreSQL недоступен (проверьте: systemctl status postgresql)"
exit 1
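Review bot: there is no `command -v pg_isready` check, so on a host without the client tools both calls fail immediately, the loop burns the full 45 seconds, and the final message blames PostgreSQL instead of the missing binary; test for the command first and exit with a distinct message. The loop variable `i` is unused (`for _ in $(seq 1 45)` says so explicitly), and this file lacks the `set -euo pipefail` line that the other scripts in this commit use.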
+11 -4
@@ -1,4 +1,5 @@
const { query } = require('./db'); const { query } = require('./db');
const { getEffectivePriceCents, isSaleActive } = require('./utils/productPrice');
function getCart(req) { function getCart(req) {
if (!req.session.cart) { if (!req.session.cart) {
@@ -22,11 +23,17 @@ async function cartItems(cart) {
); );
return products return products
.map((p) => ({ .map((p) => {
const effective = getEffectivePriceCents(p);
const qty = cart[p.id] || 0;
return {
...p, ...p,
quantity: cart[p.id] || 0, quantity: qty,
line_total: (cart[p.id] || 0) * p.price_cents, effective_price_cents: effective,
})) on_sale: isSaleActive(p),
line_total: qty * effective,
};
})
.filter((p) => p.quantity > 0); .filter((p) => p.quantity > 0);
} }
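Review bot: `effective` and `on_sale` are computed with `isSaleActive(p)` at the moment the cart is rendered, so a sale that ends between viewing the cart and submitting the order leaves `line_total` stale; the checkout path should recompute totals from `getEffectivePriceCents` at order-creation time rather than reusing these values, otherwise the price shown is the price charged even after `sale_ends_at` has passed.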
+11
@@ -0,0 +1,11 @@
const ROLES = {
CUSTOMER: 'customer',
ADMIN: 'admin',
};
const ROLE_LABELS = {
customer: 'Клиент',
admin: 'Администратор',
};
module.exports = { ROLES, ROLE_LABELS };
+5 -2
@@ -26,10 +26,13 @@ async function query(text, params) {
} }
async function initSchema() { async function initSchema() {
const schemaPath = path.join(__dirname, '..', 'postgres', 'init', '01_schema.sql'); const initDir = path.join(__dirname, '..', 'postgres', 'init');
const sql = fs.readFileSync(schemaPath, 'utf8'); const files = fs.readdirSync(initDir).filter((f) => f.endsWith('.sql')).sort();
for (const file of files) {
const sql = fs.readFileSync(path.join(initDir, file), 'utf8');
await pool.query(sql); await pool.query(sql);
} }
}
async function checkConnection() { async function checkConnection() {
await pool.query('SELECT 1'); await pool.query('SELECT 1');
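Review bot: `readdirSync(initDir).filter(...).sort()` orders names as strings, so a future `10_x.sql` would run before `2_x.sql`; either state the zero-padded `NN_` prefix convention in a comment or sort numerically on the prefix. Every file is executed on every start, so all of them must be idempotent (`CREATE ... IF NOT EXISTS`, guarded `ALTER`s), and a failure in file N leaves files 1..N-1 applied with no record of it; running the loop inside one transaction, or logging which file failed, would make a half-applied schema visible.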
+19 -2
@@ -1,5 +1,6 @@
const { query } = require('../db'); const { query } = require('../db');
const { asyncHandler } = require('../utils/asyncHandler'); const { asyncHandler } = require('../utils/asyncHandler');
const { ROLES } = require('../constants/roles');
function requireAuth(req, res, next) { function requireAuth(req, res, next) {
if (!req.session.userId) { if (!req.session.userId) {
@@ -9,17 +10,33 @@ function requireAuth(req, res, next) {
next(); next();
} }
function requireAdmin(req, res, next) {
if (!req.session.userId) {
const nextUrl = encodeURIComponent(req.originalUrl);
return res.redirect(`/login?next=${nextUrl}`);
}
if (res.locals.user?.role !== ROLES.ADMIN) {
return res.status(403).render('error', {
title: 'Доступ запрещён',
message: 'Недостаточно прав. Требуется роль администратора.',
code: 403,
});
}
next();
}
const loadUser = asyncHandler(async (req, res, next) => { const loadUser = asyncHandler(async (req, res, next) => {
if (req.session.userId) { if (req.session.userId) {
const { rows } = await query( const { rows } = await query(
'SELECT id, email, name FROM users WHERE id = $1', 'SELECT id, email, name, role FROM users WHERE id = $1',
[req.session.userId] [req.session.userId]
); );
res.locals.user = rows[0] || null; res.locals.user = rows[0] || null;
} else { } else {
res.locals.user = null; res.locals.user = null;
} }
res.locals.isAdmin = res.locals.user?.role === ROLES.ADMIN;
next(); next();
}); });
module.exports = { requireAuth, loadUser }; module.exports = { requireAuth, requireAdmin, loadUser };
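Review bot: `requireAdmin` reads `res.locals.user?.role`, which only `loadUser` populates, so it is correct only when `loadUser` is mounted before the admin router; with the wrong order every admin request gets a 403 (failing closed, which is the safe direction) rather than an error, so the dependency is easy to miss. Either document the ordering requirement next to `module.exports` or have `requireAdmin` query the role itself. Since the role is re-read from the database on each request, a revoked admin loses access on the next request, which is the desired behaviour and worth a one-line comment.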
+25
@@ -0,0 +1,25 @@
const {
getCaptchaConfig,
YANDEX_BLOCKED_MSG,
isYandexCaptchaAttempt,
} = require('../services/captcha');
function loadCaptchaLocals(req, res, next) {
res.locals.captcha = getCaptchaConfig();
res.locals.yandexCaptchaBlockedMsg = YANDEX_BLOCKED_MSG;
next();
}
/** Блокировка попыток отправить Яндекс-капчу */
function rejectYandexCaptcha(req, res, next) {
if (req.method === 'POST' && isYandexCaptchaAttempt(req)) {
return res.status(403).render('error', {
title: 'Доступ запрещён',
message: YANDEX_BLOCKED_MSG,
code: 403,
});
}
next();
}
module.exports = { loadCaptchaLocals, rejectYandexCaptcha };
+48
@@ -0,0 +1,48 @@
const CONSENT_COOKIE = 'cookie_consent';
const CONSENT_VALUE = 'accepted';
const CONSENT_MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000;
function hasCookieConsent(req) {
return req.cookies?.[CONSENT_COOKIE] === CONSENT_VALUE;
}
function loadCookieConsent(req, res, next) {
res.locals.cookieConsent = hasCookieConsent(req);
res.locals.returnTo = req.originalUrl;
next();
}
function requireCookieConsent(req, res, next) {
if (hasCookieConsent(req)) {
return next();
}
if (req.method === 'GET') {
return res.status(403).render('cookies-required', {
title: 'Согласие на cookies',
returnTo: req.originalUrl,
});
}
return res.redirect(
'/?error=' + encodeURIComponent('Примите согласие на использование cookies')
);
}
function setConsentCookie(res, isProduction) {
res.cookie(CONSENT_COOKIE, CONSENT_VALUE, {
maxAge: CONSENT_MAX_AGE_MS,
httpOnly: true,
sameSite: 'lax',
secure: isProduction,
path: '/',
});
}
module.exports = {
CONSENT_COOKIE,
hasCookieConsent,
loadCookieConsent,
requireCookieConsent,
setConsentCookie,
};
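Review bot: `res.locals.returnTo = req.originalUrl` is handed to the `cookies-required` view as the post-consent destination; whichever handler calls `setConsentCookie` and then redirects to `returnTo` must verify the value is a same-site path (starts with `/`, not `//`, no scheme) before redirecting, because a submitted form field is attacker-controllable and this is the usual open-redirect shape. That handler is not in this hunk, so the check may already exist; if it does, a comment here pointing to it would help the next reader.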
+25
@@ -0,0 +1,25 @@
const buckets = new Map();
function rateLimit({ windowMs = 15 * 60 * 1000, max = 20, keyPrefix = '' }) {
return (req, res, next) => {
const ip = req.ip || req.socket?.remoteAddress || 'unknown';
const key = `${keyPrefix}:${ip}`;
const now = Date.now();
let entry = buckets.get(key);
if (!entry || now > entry.resetAt) {
entry = { count: 0, resetAt: now + windowMs };
buckets.set(key, entry);
}
entry.count += 1;
if (entry.count > max) {
return res.status(429).render('error', {
title: 'Слишком много запросов',
message: 'Подождите несколько минут и попробуйте снова.',
code: 429,
});
}
next();
};
}
module.exports = { rateLimit };
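Review bot: `buckets` only ever grows: an entry is replaced once `resetAt` passes but never deleted, so every distinct `req.ip` seen since process start stays in the Map for the life of the process; add a periodic sweep of expired entries or cap the Map size. Second, the deploy scripts put the app behind Caddy, so `req.ip` is 127.0.0.1 for every client unless `app.set('trust proxy', ...)` is configured, which would make all users share one bucket and be throttled together after `max` requests; conversely, a too-permissive trust-proxy setting lets a client pick its own bucket via X-Forwarded-For. Send a `Retry-After` header with the 429 so clients know the window.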
+9
@@ -0,0 +1,9 @@
function securityHeaders(_req, res, next) {
res.setHeader('X-Content-Type-Options', 'nosniff');
res.setHeader('X-Frame-Options', 'SAMEORIGIN');
res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
res.setHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
next();
}
module.exports = { securityHeaders };
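Review bot: the header set has no `Content-Security-Policy` and no `Strict-Transport-Security`; HSTS can be left to Caddy if it terminates TLS, but CSP belongs with the app because it depends on the templates, and since the countdown and passkey scripts in this commit are external files a `script-src 'self'` baseline looks feasible. `X-Frame-Options: SAMEORIGIN` is fine; a `frame-ancestors` directive in the CSP would cover the same case for modern browsers.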
+870 -11
File diff suppressed because it is too large
+112
@@ -0,0 +1,112 @@
/**
* WebAuthn (passkey) требуется современный браузер с parseCreationOptionsFromJSON / toJSON.
*/
(function () {
function supportsPasskey() {
return (
window.PublicKeyCredential &&
typeof PublicKeyCredential.parseCreationOptionsFromJSON === 'function' &&
typeof PublicKeyCredential.parseRequestOptionsFromJSON === 'function'
);
}
function showError(el, message) {
if (!el) return;
el.textContent = message;
el.hidden = false;
}
function hideError(el) {
if (el) el.hidden = true;
}
async function postJson(url, body) {
const res = await fetch(url, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
credentials: 'same-origin',
body: JSON.stringify(body),
});
const data = await res.json().catch(() => ({}));
if (!res.ok) {
throw new Error(data.error || 'Ошибка запроса');
}
return data;
}
async function registerPasskey(passwordInput, errorEl, btn) {
if (!supportsPasskey()) {
showError(errorEl, 'Браузер не поддерживает passkey. Обновите браузер или используйте Chrome, Edge, Safari.');
return;
}
const password = passwordInput?.value;
if (!password) {
showError(errorEl, 'Введите текущий пароль для подтверждения');
return;
}
hideError(errorEl);
if (btn) btn.disabled = true;
try {
const options = await postJson('/webauthn/register/options', {
current_password: password,
});
const credential = await navigator.credentials.create({
publicKey: PublicKeyCredential.parseCreationOptionsFromJSON(options),
});
const result = await postJson('/webauthn/register/verify', credential.toJSON());
if (result.redirect) {
window.location.href = result.redirect;
} else {
window.location.reload();
}
} catch (err) {
showError(errorEl, err.message || 'Не удалось привязать passkey');
} finally {
if (btn) btn.disabled = false;
}
}
async function loginWithPasskey(emailInput, nextInput, errorEl, btn) {
if (!supportsPasskey()) {
showError(errorEl, 'Браузер не поддерживает passkey');
return;
}
const email = (emailInput?.value || '').trim();
if (!email) {
showError(errorEl, 'Сначала укажите email');
emailInput?.focus();
return;
}
hideError(errorEl);
if (btn) btn.disabled = true;
try {
const options = await postJson('/webauthn/login/options', { email });
const credential = await navigator.credentials.get({
publicKey: PublicKeyCredential.parseRequestOptionsFromJSON(options),
});
const result = await postJson('/webauthn/login/verify', {
...credential.toJSON(),
next: nextInput?.value || '/',
});
window.location.href = result.redirect || '/';
} catch (err) {
showError(errorEl, err.message || 'Не удалось войти по passkey');
} finally {
if (btn) btn.disabled = false;
}
}
window.ShopPasskey = {
supportsPasskey,
registerPasskey,
loginWithPasskey,
};
})();
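Review bot: `/webauthn/login/options` is called with nothing but an email before any authentication, so its response (options versus an error) must not reveal whether that email has passkeys or the endpoint becomes a user-enumeration oracle; for unknown emails the server should still return a challenge with an empty or constant allowCredentials list. `postJson` carries no CSRF token and relies on `Content-Type: application/json` plus same-origin credentials, which is acceptable only if the server rejects non-JSON bodies on these routes. The `next` value forwarded to `/webauthn/login/verify` must be validated server-side as a local path before `result.redirect` is followed on the `window.location.href` line.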
+34
@@ -0,0 +1,34 @@
(function () {
function pad(n) {
return String(n).padStart(2, '0');
}
function formatRemaining(ms) {
if (ms <= 0) return 'акция завершена';
const s = Math.floor(ms / 1000);
const d = Math.floor(s / 86400);
const h = Math.floor((s % 86400) / 3600);
const m = Math.floor((s % 3600) / 60);
const sec = s % 60;
if (d > 0) return `${d} д ${pad(h)}:${pad(m)}:${pad(sec)}`;
return `${pad(h)}:${pad(m)}:${pad(sec)}`;
}
document.querySelectorAll('.promo-countdown[data-expires]').forEach((el) => {
const expires = new Date(el.dataset.expires).getTime();
const timer = el.querySelector('.promo-countdown__timer');
if (!timer || Number.isNaN(expires)) return;
function tick() {
const left = expires - Date.now();
timer.textContent = formatRemaining(left);
if (left <= 0) timer.classList.add('promo-countdown__timer--ended');
}
tick();
const id = setInterval(tick, 1000);
if (typeof window !== 'undefined') {
window.addEventListener('beforeunload', () => clearInterval(id));
}
});
})();
+248
@@ -0,0 +1,248 @@
const express = require('express');
const bcrypt = require('bcryptjs');
const { query, formatPrice } = require('../db');
const { getCart, cartCount } = require('../cart');
const { requireAuth } = require('../middleware/auth');
const { requireCookieConsent } = require('../middleware/cookieConsent');
const { ROLES, ROLE_LABELS } = require('../constants/roles');
const { asyncHandler } = require('../utils/asyncHandler');
const { expireOldReservations } = require('../services/reservations');
const webauthn = require('../services/webauthn');
const router = express.Router();
router.use(requireCookieConsent);
router.use((req, res, next) => {
const cart = getCart(req);
res.locals.cartCount = cartCount(cart);
res.locals.formatPrice = formatPrice;
next();
});
async function loadAccountUser(userId) {
const { rows } = await query(
'SELECT id, email, name, role, created_at, passkey_enabled, loyalty_points FROM users WHERE id = $1',
[userId]
);
return rows[0];
}
async function verifyPassword(userId, password) {
const { rows } = await query('SELECT password_hash FROM users WHERE id = $1', [
userId,
]);
if (!rows[0]) return false;
return bcrypt.compareSync(password || '', rows[0].password_hash);
}
function accountRender(res, options) {
const {
user,
orderCount,
reservations,
error,
success,
activeTab,
formatPrice,
passkeys,
isAdmin,
recentOrders,
} = options;
res.render('account/index', {
title: 'Личный кабинет',
user,
orderCount,
recentOrders: recentOrders || [],
reservations: reservations || [],
passkeys: passkeys || [],
isAdmin: Boolean(isAdmin),
roleLabels: ROLE_LABELS,
formatPrice: formatPrice || res.locals.formatPrice,
error: error || null,
success: success || null,
activeTab: activeTab || 'profile',
});
}
router.get(
'/',
requireAuth,
asyncHandler(async (req, res) => {
await expireOldReservations();
const user = await loadAccountUser(req.session.userId);
const countResult = await query(
'SELECT COUNT(*)::int AS n FROM orders WHERE user_id = $1',
[user.id]
);
const { rows: reservations } = await query(
`SELECT r.*, p.name AS product_name, p.slug AS product_slug, p.price_cents, p.image_url
FROM reservations r
JOIN products p ON p.id = r.product_id
WHERE r.user_id = $1
ORDER BY r.created_at DESC`,
[user.id]
);
const passkeys = await webauthn.getCredentialsForUser(user.id);
const { rows: recentOrders } = await query(
`SELECT id, status, total_cents, created_at
FROM orders WHERE user_id = $1
ORDER BY created_at DESC LIMIT 10`,
[user.id]
);
accountRender(res, {
user,
orderCount: countResult.rows[0].n,
recentOrders,
reservations,
passkeys,
isAdmin: user.role === ROLES.ADMIN,
formatPrice,
success: req.query.success ? decodeURIComponent(String(req.query.success)) : null,
error: req.query.error ? decodeURIComponent(String(req.query.error)) : null,
activeTab: req.query.tab || 'profile',
});
})
);
router.post(
'/profile',
requireAuth,
asyncHandler(async (req, res) => {
const name = (req.body.name || '').trim();
if (!name) {
return res.redirect('/account?tab=profile&error=' + encodeURIComponent('Укажите имя'));
}
await query('UPDATE users SET name = $1 WHERE id = $2', [name, req.session.userId]);
res.redirect('/account?tab=profile&success=' + encodeURIComponent('Имя обновлено'));
})
);
router.post(
'/email',
requireAuth,
asyncHandler(async (req, res) => {
const newEmail = (req.body.email || '').trim().toLowerCase();
const { current_password } = req.body;
if (!newEmail) {
return res.redirect(
'/account?tab=email&error=' + encodeURIComponent('Укажите новый email')
);
}
const emailRe = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
if (!emailRe.test(newEmail)) {
return res.redirect(
'/account?tab=email&error=' + encodeURIComponent('Некорректный email')
);
}
const user = await loadAccountUser(req.session.userId);
if (newEmail === user.email) {
return res.redirect(
'/account?tab=email&error=' + encodeURIComponent('Это уже ваш текущий email')
);
}
if (!(await verifyPassword(req.session.userId, current_password))) {
return res.redirect(
'/account?tab=email&error=' + encodeURIComponent('Неверный текущий пароль')
);
}
try {
await query('UPDATE users SET email = $1 WHERE id = $2', [
newEmail,
req.session.userId,
]);
res.redirect('/account?tab=email&success=' + encodeURIComponent('Email изменён'));
} catch (err) {
if (err.code === '23505') {
return res.redirect(
'/account?tab=email&error=' + encodeURIComponent('Этот email уже занят')
);
}
throw err;
}
})
);
router.post(
'/password',
requireAuth,
asyncHandler(async (req, res) => {
const { current_password, password, password2 } = req.body;
if (!(await verifyPassword(req.session.userId, current_password))) {
return res.redirect(
'/account?tab=password&error=' + encodeURIComponent('Неверный текущий пароль')
);
}
if (!password || password.length < 6) {
return res.redirect(
'/account?tab=password&error=' +
encodeURIComponent('Новый пароль не менее 6 символов')
);
}
if (password !== password2) {
return res.redirect(
'/account?tab=password&error=' + encodeURIComponent('Пароли не совпадают')
);
}
const hash = bcrypt.hashSync(password, 10);
await query('UPDATE users SET password_hash = $1 WHERE id = $2', [
hash,
req.session.userId,
]);
res.redirect('/account?tab=password&success=' + encodeURIComponent('Пароль изменён'));
})
);
router.post(
'/passkey/disable',
requireAuth,
asyncHandler(async (req, res) => {
const { current_password } = req.body;
if (!(await verifyPassword(req.session.userId, current_password))) {
return res.redirect(
'/account?tab=passkey&error=' + encodeURIComponent('Неверный пароль')
);
}
await webauthn.disablePasskeys(req.session.userId);
res.redirect(
'/account?tab=passkey&success=' + encodeURIComponent('Вход по passkey отключён')
);
})
);
router.post(
'/passkey/credentials/:id/delete',
requireAuth,
asyncHandler(async (req, res) => {
const { current_password } = req.body;
if (!(await verifyPassword(req.session.userId, current_password))) {
return res.redirect(
'/account?tab=passkey&error=' + encodeURIComponent('Неверный пароль')
);
}
const credId = parseInt(req.params.id, 10);
if (!Number.isFinite(credId)) {
return res.redirect('/account?tab=passkey&error=' + encodeURIComponent('Некорректный ключ'));
}
const ok = await webauthn.deleteCredential(req.session.userId, credId);
if (!ok) {
return res.redirect('/account?tab=passkey&error=' + encodeURIComponent('Ключ не найден'));
}
res.redirect('/account?tab=passkey&success=' + encodeURIComponent('Passkey удалён'));
})
);
module.exports = router;
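Review bot: `bcrypt.compareSync` in `verifyPassword` and `bcrypt.hashSync(password, 10)` in `/password` block the event loop for tens of milliseconds per call; these handlers are already wrapped in `asyncHandler`, so switch to the promise-returning `bcrypt.compare`/`bcrypt.hash`. Neither `/password` nor `/email` regenerates the session id or invalidates the user's other sessions after the change, so a session captured earlier stays valid after a password change; call `req.session.regenerate` there and, if the session store supports it, drop the user's remaining sessions. The `password.length < 6` floor is below the 8 characters generally recommended, and the `/email` route switches the account to an address whose ownership was never confirmed; a confirmation link to the new address before the `UPDATE users SET email` would close that gap.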
+459
@@ -0,0 +1,459 @@
const express = require('express');
const { query, formatPrice } = require('../db');
const { requireAdmin } = require('../middleware/auth');
const { asyncHandler } = require('../utils/asyncHandler');
const { ROLE_LABELS } = require('../constants/roles');
const { notifyIfBackInStock } = require('../services/stock-alerts');
const gitDeploy = require('../services/git-deploy');
const router = express.Router();
router.use(requireAdmin);
router.get(
'/',
asyncHandler(async (req, res) => {
const [users, products, orders, revenue] = await Promise.all([
query('SELECT COUNT(*)::int AS n FROM users'),
query('SELECT COUNT(*)::int AS n FROM products'),
query('SELECT COUNT(*)::int AS n FROM orders'),
query(
`SELECT COALESCE(SUM(total_cents), 0)::int AS total FROM orders WHERE status != 'cancelled'`
),
]);
const { rows: recentOrders } = await query(
`SELECT o.id, o.status, o.total_cents, o.created_at, o.customer_name, u.email AS user_email
FROM orders o
JOIN users u ON u.id = o.user_id
ORDER BY o.created_at DESC
LIMIT 10`
);
res.render('admin/dashboard', {
title: 'Админ-панель',
stats: {
users: users.rows[0].n,
products: products.rows[0].n,
orders: orders.rows[0].n,
revenue: revenue.rows[0].total,
},
recentOrders,
formatPrice,
});
})
);
router.get(
'/users',
asyncHandler(async (req, res) => {
const { rows: users } = await query(
`SELECT id, email, name, role, created_at FROM users ORDER BY created_at DESC`
);
res.render('admin/users', {
title: 'Пользователи',
users,
roleLabels: ROLE_LABELS,
});
})
);
router.get(
'/orders',
asyncHandler(async (req, res) => {
const statusFilter = req.query.status || '';
const allowed = ['pending', 'paid', 'shipped', 'cancelled'];
let sql = `
SELECT o.id, o.status, o.total_cents, o.created_at, o.customer_name, o.customer_email,
u.email AS account_email
FROM orders o
JOIN users u ON u.id = o.user_id
`;
const params = [];
if (statusFilter && allowed.includes(statusFilter)) {
sql += ' WHERE o.status = $1';
params.push(statusFilter);
}
sql += ' ORDER BY o.created_at DESC';
const { rows: orders } = await query(sql, params);
res.render('admin/orders', {
title: 'Заказы',
orders,
formatPrice,
statusFilter,
});
})
);
router.get(
'/orders/export.csv',
asyncHandler(async (req, res) => {
const { rows } = await query(
`SELECT o.id, o.status, o.total_cents, o.created_at,
o.customer_name, o.customer_email, o.customer_phone, o.address
FROM orders o
ORDER BY o.created_at DESC`
);
const esc = (v) => `"${String(v ?? '').replace(/"/g, '""')}"`;
const lines = [
'id;status;total_rub;customer;email;phone;address;created_at',
...rows.map((o) =>
[
o.id,
o.status,
(o.total_cents / 100).toFixed(2),
esc(o.customer_name),
esc(o.customer_email),
esc(o.customer_phone),
esc(o.address),
new Date(o.created_at).toISOString(),
].join(';')
),
];
res.setHeader('Content-Type', 'text/csv; charset=utf-8');
res.setHeader('Content-Disposition', 'attachment; filename="orders.csv"');
res.send('\uFEFF' + lines.join('\n'));
})
);
router.post(
'/orders/:id/status',
asyncHandler(async (req, res) => {
const { status } = req.body;
const allowed = ['pending', 'paid', 'shipped', 'cancelled'];
if (!allowed.includes(status)) {
return res.redirect('/admin/orders');
}
await query('UPDATE orders SET status = $1 WHERE id = $2', [status, req.params.id]);
res.redirect('/admin/orders');
})
);
router.get(
'/products',
asyncHandler(async (req, res) => {
const { rows: products } = await query(
`SELECT p.*, c.name AS category_name,
(SELECT COUNT(*)::int FROM product_stock_alerts a
WHERE a.product_id = p.id AND a.notified_at IS NULL) AS alert_count
FROM products p
LEFT JOIN categories c ON c.id = p.category_id
ORDER BY p.id`
);
const productPrice = require('../utils/productPrice');
res.render('admin/products', {
title: 'Товары',
products,
formatPrice,
isSaleActive: productPrice.isSaleActive,
effectivePrice: productPrice.getEffectivePriceCents,
salePercent: productPrice.salePercent,
stockUpdated: req.query.stock_updated === '1',
notified: req.query.notified ? parseInt(req.query.notified, 10) : 0,
pricingUpdated: req.query.pricing_updated === '1',
pricingError: req.query.pricing_error
? decodeURIComponent(String(req.query.pricing_error))
: null,
});
})
);
router.post(
'/products/:id/stock',
asyncHandler(async (req, res) => {
const productId = parseInt(req.params.id, 10);
const stock = parseInt(req.body.stock, 10);
if (!Number.isFinite(productId) || !Number.isFinite(stock) || stock < 0) {
return res.redirect('/admin/products');
}
const { rows } = await query('SELECT stock FROM products WHERE id = $1', [productId]);
const oldStock = rows[0]?.stock ?? 0;
await query('UPDATE products SET stock = $1 WHERE id = $2', [stock, productId]);
let notified = 0;
if (oldStock <= 0 && stock > 0) {
const result = await notifyIfBackInStock(productId);
notified = result.sent;
}
const qs = new URLSearchParams({ stock_updated: '1' });
if (notified > 0) qs.set('notified', String(notified));
res.redirect(`/admin/products?${qs}`);
})
);
router.post(
'/products/:id/pricing',
asyncHandler(async (req, res) => {
const productId = parseInt(req.params.id, 10);
const priceRub = parseFloat(String(req.body.price_rub || '').replace(',', '.'));
const saleRubRaw = String(req.body.sale_price_rub ?? '').trim();
const clearSale = req.body.clear_sale === '1';
if (clearSale) {
const price_cents = Number.isFinite(priceRub) ? Math.round(priceRub * 100) : null;
if (!Number.isFinite(productId) || price_cents == null || price_cents < 0) {
return res.redirect('/admin/products?pricing_error=' + encodeURIComponent('Некорректная цена'));
}
await query(
`UPDATE products SET price_cents = $1, sale_price_cents = NULL, sale_ends_at = NULL WHERE id = $2`,
[price_cents, productId]
);
return res.redirect('/admin/products?pricing_updated=1');
}
if (!Number.isFinite(productId) || !Number.isFinite(priceRub) || priceRub < 0) {
return res.redirect('/admin/products?pricing_error=' + encodeURIComponent('Некорректная цена'));
}
const { rows: existingRows } = await query(
'SELECT sale_price_cents, sale_ends_at FROM products WHERE id = $1',
[productId]
);
const existing = existingRows[0] || {};
const price_cents = Math.round(priceRub * 100);
let sale_price_cents = existing.sale_price_cents ?? null;
let sale_ends_at = existing.sale_ends_at ?? null;
if (saleRubRaw !== '') {
const saleRub = parseFloat(saleRubRaw.replace(',', '.'));
if (!Number.isFinite(saleRub) || saleRub < 0) {
return res.redirect(
'/admin/products?pricing_error=' + encodeURIComponent('Некорректная цена со скидкой')
);
}
sale_price_cents = Math.round(saleRub * 100);
if (sale_price_cents >= price_cents) {
return res.redirect(
'/admin/products?pricing_error=' +
encodeURIComponent('Цена со скидкой должна быть ниже обычной')
);
}
} else if (!('sale_ends_at' in req.body)) {
sale_price_cents = null;
sale_ends_at = null;
}
if ('sale_ends_at' in req.body) {
sale_ends_at = req.body.sale_ends_at
? new Date(req.body.sale_ends_at).toISOString()
: null;
}
await query(
`UPDATE products SET price_cents = $1, sale_price_cents = $2, sale_ends_at = $3 WHERE id = $4`,
[price_cents, sale_price_cents, sale_ends_at, productId]
);
res.redirect('/admin/products?pricing_updated=1');
})
);
router.post(
'/promo-codes/:id/update',
asyncHandler(async (req, res) => {
const id = parseInt(req.params.id, 10);
const description = (req.body.description || '').trim();
const discount_type = req.body.discount_type === 'fixed' ? 'fixed' : 'percent';
const discount_value = parseInt(req.body.discount_value, 10);
const min_order_cents = Math.max(0, parseInt(req.body.min_order_rub, 10) || 0) * 100;
const max_uses =
req.body.max_uses === '' || req.body.max_uses == null
? null
: parseInt(req.body.max_uses, 10);
const { rows: promoRows } = await query('SELECT expires_at FROM promo_codes WHERE id = $1', [
id,
]);
let expires_at = promoRows[0]?.expires_at;
if (req.body.valid_days) {
const days = Math.max(1, parseInt(req.body.valid_days, 10) || 7);
const expires = new Date();
expires.setDate(expires.getDate() + days);
expires_at = expires.toISOString();
}
const value =
discount_type === 'percent'
? Math.min(100, discount_value)
: discount_value * 100;
await query(
`UPDATE promo_codes SET
description = $1, discount_type = $2, discount_value = $3,
expires_at = $4, min_order_cents = $5, max_uses = $6
WHERE id = $7`,
[description, discount_type, value, expires_at, min_order_cents, max_uses, id]
);
res.redirect('/admin/promo-codes?updated=1');
})
);
router.get(
'/reservations',
asyncHandler(async (req, res) => {
const { expireOldReservations } = require('../services/reservations');
await expireOldReservations();
const { rows: reservations } = await query(
`SELECT r.*, p.name AS product_name, u.email AS user_email, u.name AS user_name
FROM reservations r
JOIN products p ON p.id = r.product_id
JOIN users u ON u.id = r.user_id
ORDER BY r.created_at DESC`
);
res.render('admin/reservations', {
title: 'Бронирования',
reservations,
formatPrice,
});
})
);
router.post(
'/reservations/:id/status',
asyncHandler(async (req, res) => {
const { status } = req.body;
const allowed = ['active', 'fulfilled', 'cancelled', 'expired'];
if (!allowed.includes(status)) {
return res.redirect('/admin/reservations');
}
await query('UPDATE reservations SET status = $1 WHERE id = $2', [
status,
req.params.id,
]);
res.redirect('/admin/reservations');
})
);
router.get(
'/promo-codes',
asyncHandler(async (req, res) => {
const { rows: promos } = await query(
`SELECT * FROM promo_codes ORDER BY created_at DESC`
);
res.render('admin/promo-codes', {
title: 'Промокоды',
promos,
formatPrice,
created: req.query.created === '1',
updated: req.query.updated === '1',
});
})
);
router.post(
'/promo-codes',
asyncHandler(async (req, res) => {
const code = (req.body.code || '').trim().toUpperCase();
const description = (req.body.description || '').trim();
const discount_type = req.body.discount_type === 'fixed' ? 'fixed' : 'percent';
const discount_value = parseInt(req.body.discount_value, 10);
const days = Math.max(1, parseInt(req.body.valid_days, 10) || 30);
const min_order_cents = Math.max(0, parseInt(req.body.min_order_rub, 10) || 0) * 100;
const max_uses = req.body.max_uses ? parseInt(req.body.max_uses, 10) : null;
if (!code || !discount_value) {
return res.redirect('/admin/promo-codes?error=1');
}
const expires = new Date();
expires.setDate(expires.getDate() + days);
const value =
discount_type === 'percent'
? Math.min(100, discount_value)
: discount_value * 100;
await query(
`INSERT INTO promo_codes (code, description, discount_type, discount_value, expires_at, min_order_cents, max_uses)
VALUES ($1, $2, $3, $4, $5, $6, $7)`,
[code, description, discount_type, value, expires.toISOString(), min_order_cents, max_uses]
);
res.redirect('/admin/promo-codes?created=1');
})
);
router.post(
'/promo-codes/:id/toggle',
asyncHandler(async (req, res) => {
await query(
`UPDATE promo_codes SET active = NOT active WHERE id = $1`,
[req.params.id]
);
res.redirect('/admin/promo-codes');
})
);
router.get(
'/system',
asyncHandler(async (req, res) => {
const fetchRemote =
req.query.checked === '1' || req.query.done === '1' || req.query.failed === '1';
let updateLog = null;
let updateOk = false;
let updateFail = false;
let updateCode = null;
if (req.query.done === '1' || req.query.failed === '1') {
updateLog = req.session.adminUpdateLog || null;
updateOk = req.session.adminUpdateOk === true;
updateFail = req.session.adminUpdateOk === false;
updateCode = req.session.adminUpdateCode ?? null;
delete req.session.adminUpdateLog;
delete req.session.adminUpdateOk;
delete req.session.adminUpdateCode;
}
const git = await gitDeploy.getGitInfo({ fetchRemote: !!fetchRemote });
res.render('admin/system', {
title: 'Обновление',
git,
updateLog,
updateOk,
updateFail,
updateCode,
confirmError: req.query.error === 'confirm',
disabledError: req.query.error === 'disabled',
});
})
);
router.post(
'/system/check',
asyncHandler(async (req, res) => {
res.redirect('/admin/system?checked=1');
})
);
router.post(
'/system/update',
asyncHandler(async (req, res) => {
if (!gitDeploy.isUpdateEnabled()) {
return res.redirect('/admin/system?error=disabled');
}
const confirm = (req.body.confirm || '').trim().toLowerCase();
if (confirm !== 'update') {
return res.redirect('/admin/system?error=confirm');
}
const result = await gitDeploy.runDeployUpdate();
req.session.adminUpdateLog = result.output;
req.session.adminUpdateOk = result.ok;
req.session.adminUpdateCode = result.code;
if (result.ok) {
return res.redirect('/admin/system?done=1');
}
return res.redirect('/admin/system?failed=1');
})
);
module.exports = router;
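Review bot: none of the state-changing admin POSTs in this region (`/promo-codes/:id/toggle`, `/system/check`, `/system/update`) carries a CSRF check that is visible here; the only guard on `/system/update` is the body field `confirm === 'update'`, and a cross-origin form can submit that field exactly as the admin's own form does, so unless a CSRF middleware is mounted on the admin router elsewhere, `gitDeploy.runDeployUpdate()` is reachable from a forged request made by a logged-in admin's browser. A synchronizer token (or at minimum `SameSite` on the session cookie plus an Origin/Sec-Fetch-Site check) should gate these routes, and `/system/check` could simply be a GET with `checked=1` since it only redirects. Smaller point in the promo-code handler: `req.body.max_uses ? parseInt(req.body.max_uses, 10) : null` yields `NaN` for non-numeric input and that is what gets bound to `$7`; reject it with `Number.isInteger`, the way `days` and `min_order_cents` already fall back via `|| 30` / `|| 0`.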
+36 -27
View File
@@ -3,9 +3,14 @@ const bcrypt = require('bcryptjs');
const { query, formatPrice } = require('../db'); const { query, formatPrice } = require('../db');
const { getCart, cartCount } = require('../cart'); const { getCart, cartCount } = require('../cart');
const { requireAuth } = require('../middleware/auth'); const { requireAuth } = require('../middleware/auth');
const { requireCookieConsent } = require('../middleware/cookieConsent');
const { ROLES } = require('../constants/roles');
const { asyncHandler } = require('../utils/asyncHandler'); const { asyncHandler } = require('../utils/asyncHandler');
const { verifyCaptcha } = require('../services/captcha');
const { rateLimit } = require('../middleware/rateLimit');
const router = express.Router(); const router = express.Router();
const authRateLimit = rateLimit({ windowMs: 15 * 60 * 1000, max: 30, keyPrefix: 'auth' });
router.use((req, res, next) => { router.use((req, res, next) => {
const cart = getCart(req); const cart = getCart(req);
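Review bot: `authRateLimit` (`max: 30` per 15 minutes, `keyPrefix: 'auth'`) is shared by `/register` and `/login`, and what the limiter keys on (IP, session, or the submitted email) is not visible in this diff; if it is per-IP only, guessing against a single account spread across many source addresses is not slowed at all, so a second per-account counter with backoff is worth adding. Document the key dimension next to the definition so the next reader does not have to open `middleware/rateLimit` to know what `max: 30` means.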
@@ -14,17 +19,28 @@ router.use((req, res, next) => {
next(); next();
}); });
router.get('/register', (req, res) => { router.get('/register', requireCookieConsent, (req, res) => {
if (req.session.userId) return res.redirect('/account'); if (req.session.userId) return res.redirect('/account');
res.render('register', { title: 'Регистрация', error: null, values: {} }); res.render('register', { title: 'Регистрация', error: null, values: {} });
}); });
router.post( router.post(
'/register', '/register',
requireCookieConsent,
authRateLimit,
asyncHandler(async (req, res) => { asyncHandler(async (req, res) => {
const { name, email, password, password2 } = req.body; const { name, email, password, password2 } = req.body;
const values = { name, email }; const values = { name, email };
const captchaCheck = await verifyCaptcha(req);
if (!captchaCheck.ok) {
return res.status(400).render('register', {
title: 'Регистрация',
error: captchaCheck.error,
values,
});
}
if (!name?.trim() || !email?.trim() || !password) { if (!name?.trim() || !email?.trim() || !password) {
return res.status(400).render('register', { return res.status(400).render('register', {
title: 'Регистрация', title: 'Регистрация',
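Review bot: `verifyCaptcha(req)` runs before the cheap `!name?.trim() || !email?.trim() || !password` checks, so every submission with missing fields still costs a round-trip to the captcha provider and consumes the user's solved token, forcing a re-solve; validate the fields first and call the verifier last to keep the anti-automation benefit without the wasted provider call. Middleware order `requireCookieConsent, authRateLimit` also means requests without the consent cookie are rejected before the limiter counts them, which is acceptable only because the consent response is a cheap redirect.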
@@ -50,8 +66,9 @@ router.post(
const hash = bcrypt.hashSync(password, 10); const hash = bcrypt.hashSync(password, 10);
try { try {
const { rows } = await query( const { rows } = await query(
'INSERT INTO users (email, password_hash, name) VALUES ($1, $2, $3) RETURNING id', `INSERT INTO users (email, password_hash, name, role)
[email.trim().toLowerCase(), hash, name.trim()] VALUES ($1, $2, $3, $4) RETURNING id`,
[email.trim().toLowerCase(), hash, name.trim(), ROLES.CUSTOMER]
); );
req.session.userId = rows[0].id; req.session.userId = rows[0].id;
res.redirect('/'); res.redirect('/');
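Review bot: `req.session.userId = rows[0].id` (context line) writes the new identity into whatever session the client already had; call `req.session.regenerate()` before assigning so that a session id issued to the browser before registration cannot be carried into the authenticated session (session fixation). Binding `role` to the constant `ROLES.CUSTOMER` instead of anything from `req.body` is the right call and worth keeping that way.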
@@ -68,7 +85,7 @@ router.post(
}) })
); );
router.get('/login', (req, res) => { router.get('/login', requireCookieConsent, (req, res) => {
if (req.session.userId) return res.redirect('/account'); if (req.session.userId) return res.redirect('/account');
res.render('login', { res.render('login', {
title: 'Вход', title: 'Вход',
@@ -80,11 +97,23 @@ router.get('/login', (req, res) => {
router.post( router.post(
'/login', '/login',
requireCookieConsent,
authRateLimit,
asyncHandler(async (req, res) => { asyncHandler(async (req, res) => {
const { email, password } = req.body; const { email, password } = req.body;
const next = req.body.next || '/'; const next = req.body.next || '/';
const values = { email }; const values = { email };
const captchaCheck = await verifyCaptcha(req);
if (!captchaCheck.ok) {
return res.status(400).render('login', {
title: 'Вход',
error: captchaCheck.error,
next,
values,
});
}
const { rows } = await query('SELECT * FROM users WHERE email = $1', [ const { rows } = await query('SELECT * FROM users WHERE email = $1', [
(email || '').trim().toLowerCase(), (email || '').trim().toLowerCase(),
]); ]);
@@ -100,6 +129,9 @@ router.post(
} }
req.session.userId = user.id; req.session.userId = user.id;
if (user.role === ROLES.ADMIN && (next === '/' || next === '/account')) {
return res.redirect('/admin');
}
res.redirect(next.startsWith('/') ? next : '/'); res.redirect(next.startsWith('/') ? next : '/');
}) })
); );
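Review bot: `res.redirect(next.startsWith('/') ? next : '/')` (context line) still accepts protocol-relative values: `//host/path` passes `startsWith('/')` and browsers resolve it against the current scheme to another host, so the post-login redirect is an open redirect. The cookies router in this same change rejects `//` explicitly; the same test (or resolving with `new URL(next, siteOrigin)` and redirecting only when `url.origin` matches) belongs here, and the admin short-circuit above it does not cover the general case. `req.session.userId = user.id` should likewise be preceded by `req.session.regenerate()`.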
@@ -110,27 +142,4 @@ router.post('/logout', (req, res) => {
}); });
}); });
router.get(
'/account',
requireAuth,
asyncHandler(async (req, res) => {
const { rows } = await query(
'SELECT id, email, name, created_at FROM users WHERE id = $1',
[req.session.userId]
);
const user = rows[0];
const countResult = await query(
'SELECT COUNT(*)::int AS n FROM orders WHERE user_id = $1',
[user.id]
);
res.render('account', {
title: 'Личный кабинет',
user,
orderCount: countResult.rows[0].n,
});
})
);
module.exports = router; module.exports = router;
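Review bot: the `/account` handler removed here was guarded by `requireAuth` and scoped its `users` and `orders` queries to `req.session.userId`; confirm that the router now serving `/account` (not part of this diff) keeps both the guard and the scoping, since a missed move leaves the path unmounted and a sloppy move is the classic way an authorization check gets lost.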
+24
View File
@@ -0,0 +1,24 @@
const express = require('express');
const { setConsentCookie } = require('../middleware/cookieConsent');
const router = express.Router();
const isProduction = process.env.NODE_ENV === 'production';
router.get('/policy', (req, res) => {
res.render('cookies-policy', {
title: 'Политика cookies',
cookieConsent: res.locals.cookieConsent,
});
});
router.post('/accept', (req, res) => {
setConsentCookie(res, isProduction);
const returnTo = req.body.return_to || req.query.return_to || '/';
const safe =
typeof returnTo === 'string' && returnTo.startsWith('/') && !returnTo.startsWith('//')
? returnTo
: '/';
res.redirect(safe);
});
module.exports = router;
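Review bot: the `return_to` check rejects `//` but not backslashes; browsers normalise `\` to `/` in http(s) URLs, so `/\host` satisfies `startsWith('/') && !startsWith('//')` and is then resolved as `//host`. Reject `\\` too, or resolve with `new URL(returnTo, siteOrigin)` and redirect only when `url.origin` equals the site's own origin. The same helper could be shared with the auth router's `next` handling, which currently has no `//` check at all.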
+164
View File
@@ -0,0 +1,164 @@
const express = require('express');
const bcrypt = require('bcryptjs');
const { query, formatPrice } = require('../db');
const { getCart, cartCount } = require('../cart');
const { requireAuth } = require('../middleware/auth');
const { requireCookieConsent } = require('../middleware/cookieConsent');
const { ROLES } = require('../constants/roles');
const { asyncHandler } = require('../utils/asyncHandler');
const webauthn = require('../services/webauthn');
const router = express.Router();
router.use((req, res, next) => {
const cart = getCart(req);
res.locals.cartCount = cartCount(cart);
res.locals.formatPrice = formatPrice;
next();
});
async function verifyPasswordById(userId, password) {
const { rows } = await query('SELECT password_hash FROM users WHERE id = $1', [
userId,
]);
if (!rows[0]) return false;
return bcrypt.compareSync(password || '', rows[0].password_hash);
}
async function loadUserById(userId) {
const { rows } = await query(
'SELECT id, email, name, role, passkey_enabled FROM users WHERE id = $1',
[userId]
);
return rows[0];
}
function saveChallenge(req, challenge, extra = {}) {
req.session.webauthnChallenge = challenge;
Object.assign(req.session, extra);
}
function clearChallenge(req) {
delete req.session.webauthnChallenge;
delete req.session.webauthnLoginUserId;
}
function adminRedirect(user, next) {
if (user.role === ROLES.ADMIN && (next === '/' || next === '/account')) {
return '/admin';
}
return next.startsWith('/') ? next : '/';
}
// --- Регистрация passkey (в профиле, нужен вход) ---
router.post(
'/register/options',
requireCookieConsent,
requireAuth,
asyncHandler(async (req, res) => {
const { current_password } = req.body || {};
if (!(await verifyPasswordById(req.session.userId, current_password))) {
return res.status(401).json({ error: 'Неверный пароль' });
}
const user = await loadUserById(req.session.userId);
if (!user) return res.status(404).json({ error: 'Пользователь не найден' });
webauthn.assertOrigin(req);
const options = await webauthn.generateRegisterOptions(user);
saveChallenge(req, options.challenge);
res.json(options);
})
);
router.post(
'/register/verify',
requireCookieConsent,
requireAuth,
asyncHandler(async (req, res) => {
const expectedChallenge = req.session.webauthnChallenge;
if (!expectedChallenge) {
return res.status(400).json({ error: 'Сессия истекла, повторите привязку' });
}
const user = await loadUserById(req.session.userId);
if (!user) return res.status(404).json({ error: 'Пользователь не найден' });
const origin = webauthn.assertOrigin(req);
const result = await webauthn.verifyRegister(
user,
req.body,
expectedChallenge,
origin
);
clearChallenge(req);
if (!result.verified) {
return res.status(400).json({ error: 'Не удалось подтвердить passkey' });
}
res.json({ ok: true, redirect: '/account?tab=passkey&success=' + encodeURIComponent('Passkey привязан') });
})
);
// --- Вход по passkey ---
router.post(
'/login/options',
requireCookieConsent,
asyncHandler(async (req, res) => {
const email = (req.body?.email || '').trim().toLowerCase();
if (!email) {
return res.status(400).json({ error: 'Укажите email' });
}
const { user, options } = await webauthn.generateLoginOptions(email);
if (!user || !options) {
return res.status(404).json({
error: 'Passkey не настроен для этого аккаунта',
});
}
webauthn.assertOrigin(req);
saveChallenge(req, options.challenge, { webauthnLoginUserId: user.id });
res.json(options);
})
);
router.post(
'/login/verify',
requireCookieConsent,
asyncHandler(async (req, res) => {
const expectedChallenge = req.session.webauthnChallenge;
const userId = req.session.webauthnLoginUserId;
if (!expectedChallenge || !userId) {
return res.status(400).json({ error: 'Сессия истекла, начните вход заново' });
}
const user = await loadUserById(userId);
if (!user || !user.passkey_enabled) {
clearChallenge(req);
return res.status(400).json({ error: 'Вход по passkey недоступен' });
}
const origin = webauthn.assertOrigin(req);
const result = await webauthn.verifyLogin(
user,
req.body,
expectedChallenge,
origin
);
clearChallenge(req);
if (!result.verified) {
return res.status(401).json({ error: 'Не удалось войти по passkey' });
}
req.session.userId = user.id;
const next = req.body?.next || '/';
res.json({ ok: true, redirect: adminRedirect(user, next) });
})
);
module.exports = router;
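Review bot: in `/login/verify` and `/register/verify` the challenge is cleared only after `webauthn.verifyLogin` / `verifyRegister` return; if either throws (malformed `req.body`, `assertOrigin` rejecting the origin), `asyncHandler` forwards the error and `req.session.webauthnChallenge` survives, so the same challenge can be presented again. Read the challenge, delete it from the session, then verify, so each challenge is single-use regardless of outcome. Related: `/login/options` and `/login/verify` have no rate limiter while the password login does; `adminRedirect` accepts `//host` through `next.startsWith('/')`; and `req.session.userId = user.id` should follow a `req.session.regenerate()`. The `current_password` re-check before issuing registration options is good practice and should stay.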
+187
View File
@@ -0,0 +1,187 @@
const express = require('express');
const crypto = require('crypto');
const bcrypt = require('bcryptjs');
const { query } = require('../db');
const { getCart, cartCount } = require('../cart');
const { formatPrice } = require('../db');
const { requireCookieConsent } = require('../middleware/cookieConsent');
const { asyncHandler } = require('../utils/asyncHandler');
const { verifyCaptcha } = require('../services/captcha');
const { sendPasswordResetEmail, siteUrl } = require('../services/mail');
const router = express.Router();
const TOKEN_TTL_MS = 60 * 60 * 1000;
router.use((req, res, next) => {
res.locals.cartCount = cartCount(getCart(req));
res.locals.formatPrice = formatPrice;
next();
});
function hashToken(token) {
return crypto.createHash('sha256').update(token).digest('hex');
}
router.get('/forgot-password', requireCookieConsent, (req, res) => {
res.render('auth/forgot-password', {
title: 'Сброс пароля',
error: null,
success: null,
values: {},
});
});
router.post(
'/forgot-password',
requireCookieConsent,
asyncHandler(async (req, res) => {
const email = (req.body.email || '').trim().toLowerCase();
const values = { email };
const genericSuccess =
'Если аккаунт с таким email существует, мы отправили ссылку для сброса пароля.';
const captchaCheck = await verifyCaptcha(req);
if (!captchaCheck.ok) {
return res.status(400).render('auth/forgot-password', {
title: 'Сброс пароля',
error: captchaCheck.error,
success: null,
values,
});
}
if (!email) {
return res.status(400).render('auth/forgot-password', {
title: 'Сброс пароля',
error: 'Укажите email',
success: null,
values,
});
}
const { rows } = await query('SELECT id, email FROM users WHERE email = $1', [email]);
if (rows[0]) {
const token = crypto.randomBytes(32).toString('hex');
const tokenHash = hashToken(token);
const expiresAt = new Date(Date.now() + TOKEN_TTL_MS);
await query(
`UPDATE password_reset_tokens SET used_at = NOW()
WHERE user_id = $1 AND used_at IS NULL`,
[rows[0].id]
);
await query(
`INSERT INTO password_reset_tokens (user_id, token_hash, expires_at)
VALUES ($1, $2, $3)`,
[rows[0].id, tokenHash, expiresAt]
);
const resetLink = `${siteUrl()}/reset-password?token=${token}`;
try {
await sendPasswordResetEmail(rows[0].email, resetLink);
} catch (err) {
console.error('Ошибка отправки email:', err.message);
return res.status(500).render('auth/forgot-password', {
title: 'Сброс пароля',
error: 'Не удалось отправить письмо. Проверьте настройки SMTP.',
success: null,
values,
});
}
}
res.render('auth/forgot-password', {
title: 'Сброс пароля',
error: null,
success: genericSuccess,
values: {},
});
})
);
router.get(
'/reset-password',
requireCookieConsent,
asyncHandler(async (req, res) => {
const token = req.query.token || '';
if (!token) {
return res.redirect('/forgot-password');
}
const valid = await findValidToken(token);
if (!valid) {
return res.render('auth/reset-password', {
title: 'Новый пароль',
error: 'Ссылка недействительна или устарела. Запросите сброс снова.',
token: null,
});
}
res.render('auth/reset-password', {
title: 'Новый пароль',
error: null,
token,
});
})
);
router.post(
'/reset-password',
requireCookieConsent,
asyncHandler(async (req, res) => {
const { token, password, password2 } = req.body;
if (!token) {
return res.redirect('/forgot-password');
}
if (!password || password.length < 6) {
return res.render('auth/reset-password', {
title: 'Новый пароль',
error: 'Пароль не менее 6 символов',
token,
});
}
if (password !== password2) {
return res.render('auth/reset-password', {
title: 'Новый пароль',
error: 'Пароли не совпадают',
token,
});
}
const row = await findValidToken(token);
if (!row) {
return res.render('auth/reset-password', {
title: 'Новый пароль',
error: 'Ссылка недействительна или устарела',
token: null,
});
}
const hash = bcrypt.hashSync(password, 10);
await query('UPDATE users SET password_hash = $1 WHERE id = $2', [hash, row.user_id]);
await query(
`UPDATE password_reset_tokens SET used_at = NOW() WHERE id = $1`,
[row.id]
);
res.render('auth/reset-password-done', { title: 'Пароль изменён' });
})
);
async function findValidToken(token) {
const tokenHash = hashToken(token);
const { rows } = await query(
`SELECT id, user_id FROM password_reset_tokens
WHERE token_hash = $1 AND used_at IS NULL AND expires_at > NOW()
ORDER BY created_at DESC LIMIT 1`,
[tokenHash]
);
return rows[0] || null;
}
module.exports = router;
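Review bot: despite `genericSuccess`, the `forgot-password` response still differs for existing and unknown accounts in two observable ways: the SMTP-failure branch (`status(500)` with 'Не удалось отправить письмо') is only reachable when `rows[0]` exists, and the two token queries plus the awaited `sendPasswordResetEmail` add latency only for existing accounts. Log the SMTP error and still render `genericSuccess`, and move the send off the request path (queue or fire-and-forget with `.catch`) so timing is uniform. Also, after `UPDATE users SET password_hash`, every existing session for that user keeps working; a reset should invalidate other sessions (a session-version column checked by `requireAuth`, or deleting that user's rows from the session store). The token handling itself (random 32 bytes, SHA-256 at rest, 1-hour TTL, single use, older tokens voided on re-request) is sound; the 6-character minimum in `/reset-password` is below the 8 characters NIST SP 800-63B recommends for user-chosen passwords.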
+86
View File
@@ -0,0 +1,86 @@
const express = require('express');
const { formatPrice } = require('../db');
const { getCart, cartCount, cartItems } = require('../cart');
const { requireCookieConsent } = require('../middleware/cookieConsent');
const { asyncHandler } = require('../utils/asyncHandler');
const promoService = require('../services/promo');
const loyaltyService = require('../services/loyalty');
const { buildCartPricing } = require('../services/pricing');
const router = express.Router();
router.use(requireCookieConsent);
router.use((req, res, next) => {
res.locals.cartCount = cartCount(getCart(req));
res.locals.formatPrice = formatPrice;
next();
});
function cartRedirect(msg, type = 'error') {
const param = type === 'success' ? 'promo_ok' : 'promo_error';
return `/cart?${param}=${encodeURIComponent(msg)}`;
}
router.post(
'/cart/promo',
asyncHandler(async (req, res) => {
const cart = getCart(req);
const items = await cartItems(cart);
if (!items.length) {
return res.redirect(cartRedirect('Корзина пуста'));
}
const subtotal = items.reduce((s, i) => s + i.line_total, 0);
const promo = await promoService.findPromoByCode(req.body.code);
const check = promoService.validatePromo(promo, subtotal);
if (!check.ok) {
delete req.session.appliedPromoCode;
return res.redirect(cartRedirect(check.error));
}
req.session.appliedPromoCode = promo.code;
res.redirect(cartRedirect(`Промокод ${promo.code} применён`, 'success'));
})
);
router.post('/cart/promo/remove', (req, res) => {
delete req.session.appliedPromoCode;
res.redirect(cartRedirect('Промокод удалён', 'success'));
});
router.post(
'/cart/loyalty',
asyncHandler(async (req, res) => {
if (!req.session.userId) {
return res.redirect('/login?next=/cart');
}
const cart = getCart(req);
const items = await cartItems(cart);
if (!items.length) {
return res.redirect(cartRedirect('Корзина пуста'));
}
const pricing = await buildCartPricing(items, req.session, req.session.userId);
const maxPoints = loyaltyService.pointsForDiscount(
Math.max(0, pricing.subtotal - pricing.promoDiscount)
);
const balance = pricing.loyaltyBalance;
if (req.body.use_all === '1') {
req.session.loyaltyPointsToUse = Math.min(balance, maxPoints);
} else {
const pts = Math.max(0, parseInt(req.body.points, 10) || 0);
req.session.loyaltyPointsToUse = Math.min(pts, balance, maxPoints);
}
res.redirect(cartRedirect('Баллы лояльности применены', 'success'));
})
);
router.post('/cart/loyalty/remove', (req, res) => {
delete req.session.loyaltyPointsToUse;
res.redirect(cartRedirect('Списание баллов отменено', 'success'));
});
module.exports = router;
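Review bot: `/cart/promo` has no rate limit, so promo codes can be guessed at request speed; the limiter used for login belongs here as well, keyed per session or IP. `promoService.findPromoByCode(req.body.code)` also receives whatever the body parser produced (undefined, an array, an object), so coerce with `String(req.body.code || '').trim()` before the lookup. The loyalty handler's clamping (`Math.max(0, ...)` then `Math.min(pts, balance, maxPoints)`) is correct; `req.session.loyaltyPointsToUse` remains only a hint and checkout must re-check the balance inside the order transaction.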
+95
View File
@@ -0,0 +1,95 @@
const express = require('express');
const { query, formatPrice } = require('../db');
const { getCart, cartCount } = require('../cart');
const { requireAuth } = require('../middleware/auth');
const { requireCookieConsent } = require('../middleware/cookieConsent');
const { asyncHandler } = require('../utils/asyncHandler');
const { sendReservationEmail } = require('../services/mail');
const router = express.Router();
router.use(requireCookieConsent);
router.use(requireAuth);
router.use((req, res, next) => {
res.locals.cartCount = cartCount(getCart(req));
res.locals.formatPrice = formatPrice;
next();
});
router.post(
'/',
asyncHandler(async (req, res) => {
const productId = parseInt(req.body.product_id, 10);
const quantity = Math.max(1, parseInt(req.body.quantity, 10) || 1);
const slug = req.body.slug || '';
const { rows: products } = await query(
'SELECT id, name, stock FROM products WHERE id = $1',
[productId]
);
const product = products[0];
if (!product) {
return res.redirect('/');
}
if (product.stock < quantity) {
return res.redirect(
`/product/${slug}?error=${encodeURIComponent('Недостаточно товара на складе')}`
);
}
const { rows: existing } = await query(
`SELECT id FROM reservations
WHERE user_id = $1 AND product_id = $2 AND status = 'active'`,
[req.session.userId, productId]
);
if (existing[0]) {
return res.redirect(
`/product/${slug}?error=${encodeURIComponent('У вас уже есть активная бронь этого товара')}`
);
}
const { rows: inserted } = await query(
`INSERT INTO reservations (user_id, product_id, quantity, status, expires_at)
VALUES ($1, $2, $3, 'active', NOW() + INTERVAL '48 hours')
RETURNING id, expires_at`,
[req.session.userId, productId, quantity]
);
const { rows: userRows } = await query('SELECT email FROM users WHERE id = $1', [
req.session.userId,
]);
try {
await sendReservationEmail(
userRows[0].email,
product.name,
quantity,
inserted[0].expires_at
);
} catch (err) {
console.error('Ошибка email бронирования:', err.message);
}
res.redirect(
`/product/${slug}?reserved=1`
);
})
);
router.post(
'/:id/cancel',
asyncHandler(async (req, res) => {
await query(
`UPDATE reservations SET status = 'cancelled'
WHERE id = $1 AND user_id = $2 AND status = 'active'`,
[req.params.id, req.session.userId]
);
res.redirect('/account?tab=reservations&success=' + encodeURIComponent('Бронь отменена'));
})
);
module.exports = router;
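Review bot: the stock check (`product.stock < quantity`) and the duplicate-reservation check are plain reads followed by an INSERT with no transaction or lock, so two concurrent POSTs from the same user pass both checks and create two active reservations, and reservations across users can exceed `stock`, which this handler never decrements. Add a partial unique index on `(user_id, product_id) WHERE status = 'active'` and run the select-then-insert in a transaction with `SELECT ... FOR UPDATE` on the product row (or reserve by conditionally decrementing stock). Smaller: `productId` is `NaN` for non-numeric input and reaches the query unvalidated, and `slug` for the redirect is trusted from `req.body` instead of being read from the product row already fetched.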
+49
View File
@@ -0,0 +1,49 @@
const express = require('express');
const { query } = require('../db');
const { siteUrl } = require('../services/mail');
const { asyncHandler } = require('../utils/asyncHandler');
const router = express.Router();
router.get('/robots.txt', (_req, res) => {
const base = siteUrl();
res.type('text/plain').send(
`User-agent: *\nAllow: /\nDisallow: /admin\nDisallow: /account\nSitemap: ${base}/sitemap.xml\n`
);
});
router.get(
'/sitemap.xml',
asyncHandler(async (_req, res) => {
const base = siteUrl();
const { rows: products } = await query(
`SELECT slug, created_at FROM products ORDER BY id`
);
const urls = [
{ loc: `${base}/`, priority: '1.0' },
{ loc: `${base}/cart`, priority: '0.5' },
];
for (const p of products) {
urls.push({
loc: `${base}/product/${p.slug}`,
lastmod: new Date(p.created_at).toISOString().slice(0, 10),
priority: '0.8',
});
}
const xml = `<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
${urls
.map(
(u) => ` <url>
<loc>${u.loc}</loc>
${u.lastmod ? `<lastmod>${u.lastmod}</lastmod>` : ''}
<priority>${u.priority}</priority>
</url>`
)
.join('\n')}
</urlset>`;
res.type('application/xml').send(xml);
})
);
module.exports = router;
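Review bot: `u.loc` is interpolated into the sitemap XML without escaping; a product `slug` containing `&`, `<` or `"` produces malformed XML, and since slugs are admin-supplied the sitemap content is under admin control. Escape `&`, `<`, `>`, `"` and `'` in `loc` (or restrict slugs to `[a-z0-9-]` when they are written). `lastmod` from `created_at` never changes after creation; an update timestamp would be more accurate if the products table has one.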
+177 -13
View File
@@ -2,7 +2,14 @@ const express = require('express');
const { query, pool, formatPrice } = require('../db'); const { query, pool, formatPrice } = require('../db');
const { getCart, cartCount, cartItems, cartTotal } = require('../cart'); const { getCart, cartCount, cartItems, cartTotal } = require('../cart');
const { requireAuth } = require('../middleware/auth'); const { requireAuth } = require('../middleware/auth');
const { requireCookieConsent } = require('../middleware/cookieConsent');
const { asyncHandler } = require('../utils/asyncHandler'); const { asyncHandler } = require('../utils/asyncHandler');
const { buildCartPricing } = require('../services/pricing');
const productPrice = require('../utils/productPrice');
const promoService = require('../services/promo');
const loyaltyService = require('../services/loyalty');
const recentlyViewed = require('../services/recentlyViewed');
const { sendOrderConfirmationEmail } = require('../services/mail');
const router = express.Router(); const router = express.Router();
@@ -14,24 +21,42 @@ function enrichLocals(req, res) {
router.use((req, res, next) => { router.use((req, res, next) => {
enrichLocals(req, res); enrichLocals(req, res);
res.locals.isSaleActive = productPrice.isSaleActive;
res.locals.effectivePrice = productPrice.getEffectivePriceCents;
res.locals.salePercent = productPrice.salePercent;
next(); next();
}); });
const EFFECTIVE_PRICE_SQL = `CASE
WHEN p.sale_price_cents IS NOT NULL
AND p.sale_price_cents < p.price_cents
AND (p.sale_ends_at IS NULL OR p.sale_ends_at > NOW())
THEN p.sale_price_cents
ELSE p.price_cents
END`;
router.get( router.get(
'/', '/',
asyncHandler(async (req, res) => { asyncHandler(async (req, res) => {
const category = req.query.category || ''; const category = req.query.category || '';
const q = (req.query.q || '').trim(); const q = (req.query.q || '').trim();
const sort = req.query.sort || 'name';
const saleOnly = req.query.sale === '1';
const showAll = req.query.all === '1';
let sql = ` let sql = `
SELECT p.*, c.name AS category_name, c.slug AS category_slug SELECT p.*, c.name AS category_name, c.slug AS category_slug,
(${EFFECTIVE_PRICE_SQL}) AS catalog_price_cents
FROM products p FROM products p
LEFT JOIN categories c ON c.id = p.category_id LEFT JOIN categories c ON c.id = p.category_id
WHERE p.stock > 0 WHERE 1=1
`; `;
const params = []; const params = [];
let n = 1; let n = 1;
if (!showAll) {
sql += ' AND p.stock > 0';
}
if (category) { if (category) {
sql += ` AND c.slug = $${n++}`; sql += ` AND c.slug = $${n++}`;
params.push(category); params.push(category);
@@ -41,10 +66,23 @@ router.get(
params.push(`%${q}%`); params.push(`%${q}%`);
n++; n++;
} }
sql += ' ORDER BY p.name'; if (saleOnly) {
sql += ` AND p.sale_price_cents IS NOT NULL
AND p.sale_price_cents < p.price_cents
AND (p.sale_ends_at IS NULL OR p.sale_ends_at > NOW())`;
}
const orderMap = {
name: 'p.name ASC',
price_asc: 'catalog_price_cents ASC, p.name ASC',
price_desc: 'catalog_price_cents DESC, p.name ASC',
newest: 'p.created_at DESC',
};
sql += ` ORDER BY ${orderMap[sort] || orderMap.name}`;
const { rows: products } = await query(sql, params); const { rows: products } = await query(sql, params);
const { rows: categories } = await query('SELECT * FROM categories ORDER BY name'); const { rows: categories } = await query('SELECT * FROM categories ORDER BY name');
const recentProducts = await recentlyViewed.loadProducts(query, req.session);
res.render('home', { res.render('home', {
title: 'Каталог', title: 'Каталог',
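Review bot: `orderMap[sort] || orderMap.name` looks up a caller-chosen key on a plain object, so `?sort=constructor` or `?sort=toString` resolves to an inherited function whose source text is then interpolated into the `ORDER BY` clause; the outcome is a SQL syntax error (a 500 for the caller) rather than injection, because the interpolated text is fixed, but it is avoidable: use `Object.hasOwn(orderMap, sort) ? orderMap[sort] : orderMap.name`, or build `orderMap` with `Object.create(null)` or a `Map`. The `saleOnly` clause duplicates the sale window from `EFFECTIVE_PRICE_SQL`; extracting that predicate into one constant keeps the two from drifting.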
@@ -52,6 +90,10 @@ router.get(
categories, categories,
activeCategory: category, activeCategory: category,
searchQuery: q, searchQuery: q,
sort,
saleOnly,
showAll,
recentProducts,
}); });
}) })
); );
@@ -76,7 +118,56 @@ router.get(
}); });
} }
res.render('product', { title: product.name, product }); recentlyViewed.pushProduct(req.session, product.id);
let userReservation = null;
if (req.session.userId) {
const { rows: resRows } = await query(
`SELECT id, quantity, expires_at FROM reservations
WHERE user_id = $1 AND product_id = $2 AND status = 'active'`,
[req.session.userId, product.id]
);
userReservation = resRows[0] || null;
}
const errorMsg = req.query.error ? decodeURIComponent(String(req.query.error)) : null;
const reserved = req.query.reserved === '1';
const notifySuccess = req.query.notify_success
? decodeURIComponent(String(req.query.notify_success))
: null;
const notifyError = req.query.notify_error
? decodeURIComponent(String(req.query.notify_error))
: null;
let stockAlertSubscribed = false;
let notifyEmail = res.locals.user?.email || '';
if (product.stock <= 0) {
const stockAlerts = require('../services/stock-alerts');
if (notifyEmail) {
stockAlertSubscribed = await stockAlerts.isSubscribed(
product.id,
notifyEmail,
req.session.userId
);
}
}
const metaDescription =
(product.description || product.name).replace(/\s+/g, ' ').trim().slice(0, 160) ||
product.name;
res.render('product', {
title: product.name,
metaDescription,
product,
userReservation,
error: errorMsg,
reserved,
notifySuccess,
notifyError,
stockAlertSubscribed,
notifyEmail,
});
}) })
); );
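Review bot: `decodeURIComponent(String(req.query.error))` (and the `notify_*` variants) decodes a value Express has already decoded; a second pass throws `URIError` on any `%` sequence that is not valid UTF-8, which `asyncHandler` turns into a 500, and it also unwraps a double-encoded payload before the value reaches the template, so safety then rests entirely on EJS escaping in the product view. Drop the decode and pass the string through. Style: `require('../services/stock-alerts')` inside the handler should be a top-level import like the other services.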
@@ -85,14 +176,21 @@ router.get(
asyncHandler(async (req, res) => { asyncHandler(async (req, res) => {
const cart = getCart(req); const cart = getCart(req);
const items = await cartItems(cart); const items = await cartItems(cart);
const total = cartTotal(items); const pricing = await buildCartPricing(items, req.session, req.session.userId);
const errorMsg = req.query.error ? decodeURIComponent(String(req.query.error)) : null; const errorMsg = req.query.error ? decodeURIComponent(String(req.query.error)) : null;
const promoOk = req.query.promo_ok ? decodeURIComponent(String(req.query.promo_ok)) : null;
const promoErr = req.query.promo_error
? decodeURIComponent(String(req.query.promo_error))
: null;
res.render('cart', { res.render('cart', {
title: 'Корзина', title: 'Корзина',
items, items,
total, pricing,
total: pricing.total,
error: errorMsg, error: errorMsg,
promoOk,
promoErr,
}); });
}) })
); );
@@ -155,6 +253,7 @@ router.post('/cart/remove/:id', (req, res) => {
router.get( router.get(
'/checkout', '/checkout',
requireCookieConsent,
requireAuth, requireAuth,
asyncHandler(async (req, res) => { asyncHandler(async (req, res) => {
const cart = getCart(req); const cart = getCart(req);
@@ -163,10 +262,13 @@ router.get(
return res.redirect('/cart'); return res.redirect('/cart');
} }
const pricing = await buildCartPricing(items, req.session, req.session.userId);
res.render('checkout', { res.render('checkout', {
title: 'Оформление заказа', title: 'Оформление заказа',
items, items,
total: cartTotal(items), pricing,
total: pricing.total,
error: null, error: null,
}); });
}) })
@@ -174,6 +276,7 @@ router.get(
router.post( router.post(
'/checkout', '/checkout',
requireCookieConsent,
requireAuth, requireAuth,
asyncHandler(async (req, res) => { asyncHandler(async (req, res) => {
const cart = getCart(req); const cart = getCart(req);
@@ -182,17 +285,19 @@ router.post(
return res.redirect('/cart'); return res.redirect('/cart');
} }
const pricing = await buildCartPricing(items, req.session, req.session.userId);
const { name, email, phone, address } = req.body; const { name, email, phone, address } = req.body;
if (!name?.trim() || !email?.trim() || !address?.trim()) { if (!name?.trim() || !email?.trim() || !address?.trim()) {
return res.status(400).render('checkout', { return res.status(400).render('checkout', {
title: 'Оформление заказа', title: 'Оформление заказа',
items, items,
total: cartTotal(items), pricing,
total: pricing.total,
error: 'Заполните имя, email и адрес доставки', error: 'Заполните имя, email и адрес доставки',
}); });
} }
const total = cartTotal(items);
const client = await pool.connect(); const client = await pool.connect();
try { try {
@@ -208,13 +313,40 @@ router.post(
} }
} }
let promoId = null;
if (pricing.promo) {
const promoRow = await promoService.findPromoByCode(pricing.promo.code);
const check = promoService.validatePromo(
promoRow,
pricing.subtotal
);
if (!check.ok) throw new Error(check.error);
promoId = promoRow.id;
}
if (pricing.loyaltyPointsUsed > 0) {
const bal = await loyaltyService.getBalance(req.session.userId);
if (bal < pricing.loyaltyPointsUsed) {
throw new Error('Недостаточно баллов лояльности');
}
}
const orderResult = await client.query( const orderResult = await client.query(
`INSERT INTO orders (user_id, status, total_cents, customer_name, customer_email, customer_phone, address) `INSERT INTO orders (
VALUES ($1, 'pending', $2, $3, $4, $5, $6) user_id, status, subtotal_cents, discount_cents, total_cents,
promo_code_id, loyalty_points_used, loyalty_points_earned,
customer_name, customer_email, customer_phone, address
)
VALUES ($1, 'pending', $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)
RETURNING id`, RETURNING id`,
[ [
req.session.userId, req.session.userId,
total, pricing.subtotal,
pricing.promoDiscount + pricing.loyaltyDiscount,
pricing.total,
promoId,
pricing.loyaltyPointsUsed,
pricing.pointsEarned,
name.trim(), name.trim(),
email.trim(), email.trim(),
(phone || '').trim(), (phone || '').trim(),
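Review bot: the promo and loyalty re-validation inside the transaction goes through `promoService.findPromoByCode` and `loyaltyService.getBalance`, neither of which is handed `client`, so those reads run on the shared pool outside the transaction and take no lock; two concurrent checkouts both see a still-valid promo (or the same points balance) and both proceed. Pass `client` to both and read with `SELECT ... FOR UPDATE`, or make the later increment/deduction conditional in a single UPDATE whose `rowCount` is checked. Throwing `new Error(check.error)` inside the `try` does reach the `ROLLBACK` below, which is right; the message shown to the customer for that case is not visible here.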
@@ -223,11 +355,24 @@ router.post(
); );
const orderId = orderResult.rows[0].id; const orderId = orderResult.rows[0].id;
if (promoId) {
await promoService.incrementPromoUse(promoId, client);
}
if (pricing.loyaltyPointsUsed > 0 || pricing.pointsEarned > 0) {
await loyaltyService.applyLoyaltyOnOrder(
client,
req.session.userId,
pricing.loyaltyPointsUsed,
pricing.pointsEarned
);
}
for (const item of items) { for (const item of items) {
await client.query( await client.query(
`INSERT INTO order_items (order_id, product_id, quantity, price_cents) `INSERT INTO order_items (order_id, product_id, quantity, price_cents)
VALUES ($1, $2, $3, $4)`, VALUES ($1, $2, $3, $4)`,
[orderId, item.id, item.quantity, item.price_cents] [orderId, item.id, item.quantity, item.effective_price_cents ?? item.price_cents]
); );
await client.query('UPDATE products SET stock = stock - $1 WHERE id = $2', [ await client.query('UPDATE products SET stock = stock - $1 WHERE id = $2', [
item.quantity, item.quantity,
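Review bot: `UPDATE products SET stock = stock - $1 WHERE id = $2` (context line) has no `AND stock >= $1` and its `rowCount` is not checked, so under concurrent checkouts, or with active reservations from the new reservations router that never decrement stock, the column can go negative; make the decrement conditional and throw when `rowCount === 0` so the transaction rolls back. `incrementPromoUse(promoId, client)` and `applyLoyaltyOnOrder(client, ...)` correctly run on the transaction client. Storing `effective_price_cents ?? price_cents` in `order_items` matches the catalogue's effective-price logic; confirm `cartItems` applies the same `sale_ends_at` window as `EFFECTIVE_PRICE_SQL`.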
@@ -237,6 +382,23 @@ router.post(
await client.query('COMMIT'); await client.query('COMMIT');
req.session.cart = {}; req.session.cart = {};
delete req.session.appliedPromoCode;
delete req.session.loyaltyPointsToUse;
const emailItems = items.map((item) => ({
name: item.name,
quantity: item.quantity,
lineFormatted: formatPrice(
(item.effective_price_cents ?? item.price_cents) * item.quantity
),
}));
sendOrderConfirmationEmail(
email.trim(),
orderId,
formatPrice(pricing.total),
emailItems
).catch((err) => console.error('order email:', err.message));
res.redirect(`/orders/${orderId}?success=1`); res.redirect(`/orders/${orderId}?success=1`);
} catch (err) { } catch (err) {
await client.query('ROLLBACK'); await client.query('ROLLBACK');
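Review bot: `sendOrderConfirmationEmail(...).catch(...)` is fired after `COMMIT` and not awaited, which is the right placement: a mail failure must not roll back the order. Two things to confirm in the mail service (not in this diff): `item.name` and the customer-supplied `email.trim()` are HTML-escaped if the template is HTML, and the recipient is the address typed at checkout rather than the account's email, so a typo sends order details to a third party; validating `email` with the same regex the stock-alert router uses, or copying the account address, would limit that.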
@@ -249,6 +411,7 @@ router.post(
router.get( router.get(
'/orders', '/orders',
requireCookieConsent,
requireAuth, requireAuth,
asyncHandler(async (req, res) => { asyncHandler(async (req, res) => {
const { rows: orders } = await query( const { rows: orders } = await query(
@@ -264,6 +427,7 @@ router.get(
router.get( router.get(
'/orders/:id', '/orders/:id',
requireCookieConsent,
requireAuth, requireAuth,
asyncHandler(async (req, res) => { asyncHandler(async (req, res) => {
const { rows } = await query( const { rows } = await query(
+75
@@ -0,0 +1,75 @@
const express = require('express');
const { query, formatPrice } = require('../db');
const { getCart, cartCount } = require('../cart');
const { requireCookieConsent } = require('../middleware/cookieConsent');
const { asyncHandler } = require('../utils/asyncHandler');
const stockAlerts = require('../services/stock-alerts');
const router = express.Router();
router.use((req, res, next) => {
const cart = getCart(req);
res.locals.cartCount = cartCount(cart);
res.locals.formatPrice = formatPrice;
next();
});
const emailRe = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
router.post(
'/product/:slug/notify-stock',
requireCookieConsent,
asyncHandler(async (req, res) => {
const slug = req.params.slug;
const { rows } = await query('SELECT id, name, stock FROM products WHERE slug = $1', [
slug,
]);
const product = rows[0];
if (!product) {
return res.status(404).render('error', {
title: 'Не найдено',
message: 'Товар не найден',
code: 404,
});
}
if (product.stock > 0) {
return res.redirect(
`/product/${slug}?notify_error=${encodeURIComponent('Товар уже в наличии')}`
);
}
let email = (req.body.email || '').trim().toLowerCase();
if (req.session.userId) {
const { rows: users } = await query('SELECT email FROM users WHERE id = $1', [
req.session.userId,
]);
if (users[0]) email = users[0].email;
}
if (!email || !emailRe.test(email)) {
return res.redirect(
`/product/${slug}?notify_error=${encodeURIComponent('Укажите корректный email')}`
);
}
if (await stockAlerts.isSubscribed(product.id, email, req.session.userId)) {
return res.redirect(
`/product/${slug}?notify_success=${encodeURIComponent('Вы уже подписаны — сообщим на почту')}`
);
}
await stockAlerts.subscribe({
productId: product.id,
email,
userId: req.session.userId || null,
});
res.redirect(
`/product/${slug}?notify_success=${encodeURIComponent('Когда товар появится, отправим письмо на ' + email)}`
);
})
);
module.exports = router;
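Review bot: `POST /product/:slug/notify-stock` lets an anonymous client subscribe any e-mail address with no confirmation, captcha or rate limit, and services/stock-alerts.js later mails that address when stock returns; this change already ships `verifyCaptcha` in middleware/captcha, so call it here for requests without `req.session.userId`, and consider a confirmation link (double opt-in) before an address is stored. The `notify_error` / `notify_success` text is echoed back through the query string; make sure the product template renders it escaped.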
+38
@@ -0,0 +1,38 @@
const bcrypt = require('bcryptjs');
const { query } = require('./db');
const { ROLES } = require('./constants/roles');
async function seedAdmin() {
const email = (process.env.ADMIN_EMAIL || 'admin@site.com').trim().toLowerCase();
const password = process.env.ADMIN_PASSWORD || 'admin';
const name = process.env.ADMIN_NAME || 'Администратор';
// Только один администратор — пользователь с ADMIN_EMAIL (остальные customer)
const { rowCount: demoted } = await query(
`UPDATE users SET role = $1 WHERE role = $2 AND email != $3`,
[ROLES.CUSTOMER, ROLES.ADMIN, email]
);
if (demoted > 0) {
console.log('Снята роль admin у', demoted, 'пользоват(елей) — админ только:', email);
}
const { rows } = await query('SELECT id, role FROM users WHERE email = $1', [email]);
if (!rows[0]) {
const hash = bcrypt.hashSync(password, 10);
await query(
`INSERT INTO users (email, password_hash, name, role)
VALUES ($1, $2, $3, $4)`,
[email, hash, name, ROLES.ADMIN]
);
console.log('Создан администратор (единственный):', email);
return;
}
if (rows[0].role !== ROLES.ADMIN) {
await query('UPDATE users SET role = $1 WHERE id = $2', [ROLES.ADMIN, rows[0].id]);
console.log('Назначен единственный администратор:', email);
}
}
module.exports = { seedAdmin };
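Review bot: when `ADMIN_PASSWORD` is unset the administrator is created with the password `admin` (and the address `admin@site.com`), which ships default credentials to every deployment that forgot the variable; refuse to seed (throw) or generate a random password and print it once instead of falling back to `'admin'`. The `if (!rows[0])` branch also never rotates the hash when the variable changes later, so document that the seed applies only on first creation.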
+20
@@ -0,0 +1,20 @@
const { query } = require('./db');
async function seedPromoCodes() {
const { rows } = await query('SELECT COUNT(*)::int AS n FROM promo_codes');
if (rows[0].n > 0) return;
const expires = new Date();
expires.setDate(expires.getDate() + 30);
await query(
`INSERT INTO promo_codes (code, description, discount_type, discount_value, expires_at, min_order_cents)
VALUES
('WELCOME10', 'Скидка 10% новым покупателям', 'percent', 10, $1, 0),
('SALE500', 'Скидка 500 ₽ от 3000 ₽', 'fixed', 50000, $1, 300000)`,
[expires.toISOString()]
);
console.log('Демо-промокоды: WELCOME10, SALE500');
}
module.exports = { seedPromoCodes };
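Review bot: `seedPromoCodes()` inserts `WELCOME10` and `SALE500` whenever `promo_codes` is empty, which includes a fresh production database; gate the demo data on `NODE_ENV !== 'production'` or an explicit env flag, since both codes grant a real 10% / 500 ₽ discount once live.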
-1
@@ -3,7 +3,6 @@ const { query } = require('./db');
async function runSeed() { async function runSeed() {
const { rows } = await query('SELECT COUNT(*)::int AS n FROM products'); const { rows } = await query('SELECT COUNT(*)::int AS n FROM products');
if (rows[0].n > 0) { if (rows[0].n > 0) {
console.log('База уже содержит товары, пропуск seed.');
return; return;
} }
+42
@@ -1,14 +1,29 @@
const path = require('path'); const path = require('path');
const express = require('express'); const express = require('express');
const cookieParser = require('cookie-parser');
const session = require('express-session'); const session = require('express-session');
const pgSession = require('connect-pg-simple')(session); const pgSession = require('connect-pg-simple')(session);
const { pool, initSchema, checkConnection } = require('./db'); const { pool, initSchema, checkConnection } = require('./db');
const { runSeed } = require('./seed'); const { runSeed } = require('./seed');
const { seedAdmin } = require('./seed-admin');
const { seedPromoCodes } = require('./seed-promo');
const { loadUser } = require('./middleware/auth'); const { loadUser } = require('./middleware/auth');
const { loadCookieConsent } = require('./middleware/cookieConsent');
const { loadCaptchaLocals, rejectYandexCaptcha } = require('./middleware/captcha');
const healthRoutes = require('./routes/health'); const healthRoutes = require('./routes/health');
const shopRoutes = require('./routes/shop'); const shopRoutes = require('./routes/shop');
const authRoutes = require('./routes/auth'); const authRoutes = require('./routes/auth');
const accountRoutes = require('./routes/account');
const adminRoutes = require('./routes/admin');
const cookiesRoutes = require('./routes/cookies');
const passwordResetRoutes = require('./routes/password-reset');
const reservationsRoutes = require('./routes/reservations');
const passkeyRoutes = require('./routes/passkey');
const stockAlertsRoutes = require('./routes/stock-alerts');
const promoRoutes = require('./routes/promo');
const seoRoutes = require('./routes/seo');
const { securityHeaders } = require('./middleware/securityHeaders');
const PORT = process.env.PORT || 3000; const PORT = process.env.PORT || 3000;
const HOST = process.env.HOST || '0.0.0.0'; const HOST = process.env.HOST || '0.0.0.0';
@@ -18,6 +33,8 @@ async function start() {
await checkConnection(); await checkConnection();
await initSchema(); await initSchema();
await runSeed(); await runSeed();
await seedAdmin();
await seedPromoCodes();
const app = express(); const app = express();
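Review bot: `seedAdmin()` runs on every start and, per seed-admin.js in this change, demotes every admin whose e-mail differs from `ADMIN_EMAIL`, so an admin promoted through the admin UI loses the role at the next restart; either document this as the intended single-admin model or only demote when `ADMIN_EMAIL` has changed.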
@@ -29,8 +46,12 @@ async function start() {
app.set('views', path.join(__dirname, 'views')); app.set('views', path.join(__dirname, 'views'));
app.use(healthRoutes); app.use(healthRoutes);
app.use(securityHeaders);
app.use(seoRoutes);
app.use(express.static(path.join(__dirname, 'public'))); app.use(express.static(path.join(__dirname, 'public')));
app.use(express.urlencoded({ extended: true })); app.use(express.urlencoded({ extended: true }));
app.use(express.json({ limit: '64kb' }));
app.use(cookieParser());
app.use( app.use(
session({ session({
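Review bot: `app.use(securityHeaders)` is registered after `app.use(healthRoutes)`, so the health endpoint is served without the security headers; move it above `healthRoutes`. `express.json` gets a `64kb` limit while `express.urlencoded` keeps the library default; set an explicit limit on both for consistency.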
@@ -51,9 +72,20 @@ async function start() {
}) })
); );
app.use(loadCookieConsent);
app.use(loadCaptchaLocals);
app.use(rejectYandexCaptcha);
app.use(loadUser); app.use(loadUser);
app.use('/cookies', cookiesRoutes);
app.use('/', passwordResetRoutes);
app.use('/reservations', reservationsRoutes);
app.use('/', stockAlertsRoutes);
app.use('/', promoRoutes);
app.use('/', shopRoutes); app.use('/', shopRoutes);
app.use('/', authRoutes); app.use('/', authRoutes);
app.use('/webauthn', passkeyRoutes);
app.use('/account', accountRoutes);
app.use('/admin', adminRoutes);
app.use((req, res) => { app.use((req, res) => {
res.status(404).render('error', { res.status(404).render('error', {
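Review bot: five routers are mounted on `/` (`passwordResetRoutes`, `stockAlertsRoutes`, `promoRoutes`, `shopRoutes`, `authRoutes`), so which handler wins for an overlapping path depends purely on registration order; give each its own prefix or add a short comment stating the intended precedence.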
@@ -77,7 +109,13 @@ async function start() {
}); });
server.on('error', (err) => { server.on('error', (err) => {
if (err.code === 'EADDRINUSE') {
console.error(
`Порт ${PORT} уже занят (часто старый «npm start»). Выполните: bash scripts/free-port-3000.sh`
);
} else {
console.error('Не удалось запустить сервер:', err.message); console.error('Не удалось запустить сервер:', err.message);
}
process.exit(1); process.exit(1);
}); });
} }
@@ -88,8 +126,12 @@ start().catch((err) => {
console.error(' systemctl start postgresql'); console.error(' systemctl start postgresql');
console.error(' bash scripts/setup-postgres-ubuntu.sh'); console.error(' bash scripts/setup-postgres-ubuntu.sh');
console.error(' Проверьте DATABASE_URL в .env'); console.error(' Проверьте DATABASE_URL в .env');
} else if (err.code === 'MODULE_NOT_FOUND') {
console.error('Не найден модуль:', err.message);
console.error(' cd', path.join(__dirname, '..'), '&& npm install --omit=dev');
} else { } else {
console.error('Ошибка запуска:', err.message); console.error('Ошибка запуска:', err.message);
if (err.stack) console.error(err.stack);
} }
process.exit(1); process.exit(1);
}); });
+129
@@ -0,0 +1,129 @@
const YANDEX_BLOCKED_MSG =
'Яндекс SmartCaptcha (японский сервис) заблокирован администратором сайта. Используйте проверку Google или Cloudflare.';
function clientIp(req) {
return (
req.headers['x-forwarded-for']?.split(',')[0]?.trim() ||
req.socket?.remoteAddress ||
''
);
}
function isYandexCaptchaAttempt(req) {
const b = req.body || {};
return Boolean(
b['smart-token'] ||
b.smartcaptcha ||
b.yandex_captcha ||
b['yandex-token'] ||
(typeof b.captcha_provider === 'string' && b.captcha_provider.toLowerCase() === 'yandex')
);
}
function getCaptchaConfig() {
const raw = (process.env.CAPTCHA_PROVIDER || 'google').toLowerCase().trim();
if (raw === 'yandex' || raw === 'yandex-smartcaptcha') {
return {
enabled: true,
provider: 'yandex',
blocked: true,
siteKey: null,
};
}
if (process.env.CAPTCHA_ENABLED === '0') {
return { enabled: false, provider: null, blocked: false, siteKey: null };
}
if (raw === 'cloudflare' || raw === 'turnstile') {
const siteKey = process.env.TURNSTILE_SITE_KEY || '';
const secret = process.env.TURNSTILE_SECRET_KEY || '';
if (!siteKey || !secret) {
return { enabled: false, provider: 'cloudflare', blocked: false, siteKey: null };
}
return { enabled: true, provider: 'cloudflare', blocked: false, siteKey };
}
const siteKey = process.env.RECAPTCHA_SITE_KEY || '';
const secret = process.env.RECAPTCHA_SECRET_KEY || '';
if (!siteKey || !secret) {
return { enabled: false, provider: 'google', blocked: false, siteKey: null };
}
return { enabled: true, provider: 'google', blocked: false, siteKey };
}
async function verifyGoogle(token, secret, ip) {
const params = new URLSearchParams({ secret, response: token });
if (ip) params.set('remoteip', ip);
const res = await fetch('https://www.google.com/recaptcha/api/siteverify', {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: params.toString(),
});
const data = await res.json();
return Boolean(data.success);
}
async function verifyTurnstile(token, secret, ip) {
const params = new URLSearchParams({ secret, response: token });
if (ip) params.set('remoteip', ip);
const res = await fetch('https://challenges.cloudflare.com/turnstile/v0/siteverify', {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: params.toString(),
});
const data = await res.json();
return Boolean(data.success);
}
async function verifyCaptcha(req) {
if (isYandexCaptchaAttempt(req)) {
return { ok: false, error: YANDEX_BLOCKED_MSG };
}
const config = getCaptchaConfig();
if (config.blocked) {
return { ok: false, error: YANDEX_BLOCKED_MSG };
}
if (!config.enabled) {
return { ok: true };
}
const ip = clientIp(req);
const secret =
config.provider === 'cloudflare'
? process.env.TURNSTILE_SECRET_KEY
: process.env.RECAPTCHA_SECRET_KEY;
const token =
config.provider === 'cloudflare'
? req.body?.['cf-turnstile-response']
: req.body?.['g-recaptcha-response'];
if (!token) {
return { ok: false, error: 'Подтвердите, что вы не робот (капча)' };
}
let valid = false;
if (config.provider === 'cloudflare') {
valid = await verifyTurnstile(token, secret, ip);
} else {
valid = await verifyGoogle(token, secret, ip);
}
if (!valid) {
return { ok: false, error: 'Проверка капчи не пройдена. Попробуйте снова.' };
}
return { ok: true };
}
module.exports = {
YANDEX_BLOCKED_MSG,
getCaptchaConfig,
verifyCaptcha,
isYandexCaptchaAttempt,
};
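Review bot: missing `RECAPTCHA_*` / `TURNSTILE_*` keys make `getCaptchaConfig()` return `enabled: false`, after which `verifyCaptcha()` answers `{ ok: true }`, so a deployment that mistypes one variable silently runs with no captcha at all; log a warning at startup (or fail in production) when the selected provider has no keys. In `verifyGoogle` / `verifyTurnstile` there is no `res.ok` check and no timeout on `fetch`, so a provider outage surfaces as an unhandled exception in the route; catch it, return `{ ok: false, error }`, and pass `signal: AbortSignal.timeout(...)`. `clientIp()` trusts `x-forwarded-for` from any client; it only feeds the `remoteip` hint, but gate it on Express `trust proxy`. Finally, `YANDEX_BLOCKED_MSG` calls SmartCaptcha a Japanese service ("японский сервис"); Yandex is a Russian company, so fix the wording.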
+300
@@ -0,0 +1,300 @@
const { execFile, spawn } = require('child_process');
const fs = require('fs');
const path = require('path');
const { promisify } = require('util');
const execFileAsync = promisify(execFile);
function resolveShopRoot() {
const candidates = [
process.env.SHOP_ROOT,
path.resolve(__dirname, '../..'),
'/opt/shop',
].filter(Boolean);
for (const dir of candidates) {
const resolved = path.resolve(dir);
if (fs.existsSync(path.join(resolved, 'package.json'))) {
return resolved;
}
}
return null;
}
function isUpdateEnabled() {
if (process.env.ADMIN_UPDATE_ENABLED === '0') return false;
const root = resolveShopRoot();
if (!root) return false;
if (!fs.existsSync(path.join(root, '.git'))) return false;
if (process.platform === 'win32') return false;
return fs.existsSync(path.join(root, 'scripts', 'admin-web-update.sh'));
}
function gitEnv(root) {
const resolved = path.resolve(root);
return {
...process.env,
GIT_TERMINAL_PROMPT: '0',
GIT_CONFIG_COUNT: '1',
GIT_CONFIG_KEY_0: 'safe.directory',
GIT_CONFIG_VALUE_0: resolved,
};
}
async function getRepoOwner(root) {
if (process.env.SHOP_GIT_USER) {
return process.env.SHOP_GIT_USER.trim();
}
if (process.platform === 'win32') return null;
const gitPath = path.join(root, '.git');
try {
const target = fs.statSync(gitPath).isDirectory() ? gitPath : root;
const { stdout } = await execFileAsync('stat', ['-c', '%U', target], { timeout: 5000 });
const user = stdout.trim();
return user || null;
} catch {
return null;
}
}
async function ensureSafeDirectory(root, user) {
const resolved = path.resolve(root);
const targets = [{ home: process.env.HOME || '/var/www' }];
if (user) {
try {
const { stdout } = await execFileAsync('getent', ['passwd', user], { timeout: 5000 });
const home = stdout.split(':')[5];
if (home) targets.push({ home });
} catch {
/* ignore */
}
}
for (const { home } of targets) {
try {
await execFileAsync('git', ['config', '--global', '--add', 'safe.directory', resolved], {
timeout: 15000,
env: { ...process.env, HOME: home },
});
} catch {
/* ignore */
}
}
}
async function execGit(args, cwd, runAs) {
const root = path.resolve(cwd);
const gitArgs = ['-c', `safe.directory=${root}`, ...args];
const opts = {
cwd: root,
maxBuffer: 1024 * 1024,
timeout: 120000,
env: gitEnv(root),
};
if (runAs && process.env.ADMIN_UPDATE_USE_SUDO === '1') {
const { stdout, stderr } = await execFileAsync('sudo', ['-n', '-u', runAs, 'git', ...gitArgs], opts);
return `${stdout}${stderr}`.trim();
}
const { stdout, stderr } = await execFileAsync('git', gitArgs, opts);
return `${stdout}${stderr}`.trim();
}
async function gitCmd(args, cwd, { needsWrite = false } = {}) {
const root = path.resolve(cwd);
const owner = await getRepoOwner(root);
try {
return await execGit(args, root, null);
} catch (err) {
const msg = err.message || '';
const denied = /permission denied|EACCES|FETCH_HEAD/i.test(msg);
if ((needsWrite || denied) && owner) {
await ensureSafeDirectory(root, owner);
return execGit(args, root, owner);
}
throw err;
}
}
/**
* Сравнение с origin/main через ls-remote + merge-base (без fetch, без записи в .git).
*/
async function getRemoteSyncStatus(root) {
const localHead = (await gitCmd(['rev-parse', 'HEAD'], root)).split('\n')[0].trim();
const remoteOut = await gitCmd(['ls-remote', 'origin', 'refs/heads/main'], root);
const remoteSha = remoteOut.split(/\s+/)[0]?.trim();
if (!remoteSha) {
throw new Error('Не найден refs/heads/main на origin');
}
const remoteShort = (
await gitCmd(['rev-parse', '--short', remoteSha], root)
).split('\n')[0].trim();
if (remoteSha === localHead) {
return { behind: 0, ahead: 0, diverged: false, remoteShort, remoteSha };
}
let mergeBase;
try {
mergeBase = (await gitCmd(['merge-base', localHead, remoteSha], root)).split('\n')[0].trim();
} catch {
throw new Error(
'Не удалось сравнить с origin/main (нет общего предка). Выполните на сервере: git fetch && git reset --hard origin/main'
);
}
if (!mergeBase) {
throw new Error('Нет общего предка с origin/main');
}
let behind = 0;
let ahead = 0;
if (mergeBase !== remoteSha) {
const behindStr = await gitCmd(['rev-list', '--count', `${mergeBase}..${remoteSha}`], root);
behind = parseInt(behindStr, 10) || 0;
}
if (mergeBase !== localHead) {
const aheadStr = await gitCmd(['rev-list', '--count', `${mergeBase}..${localHead}`], root);
ahead = parseInt(aheadStr, 10) || 0;
}
return {
behind,
ahead,
diverged: behind > 0 && ahead > 0,
remoteShort,
remoteSha,
};
}
async function getGitInfo({ fetchRemote = false } = {}) {
const root = resolveShopRoot();
const pkg = root ? JSON.parse(fs.readFileSync(path.join(root, 'package.json'), 'utf8')) : null;
const repoOwner = root ? await getRepoOwner(root) : null;
if (!root || !fs.existsSync(path.join(root, '.git'))) {
return {
available: false,
packageVersion: pkg?.version || null,
shopRoot: root,
reason: 'Каталог не является git-репозиторием. Задайте SHOP_ROOT в .env.',
};
}
const info = {
available: true,
shopRoot: root,
repoOwner,
packageVersion: pkg?.version || null,
branch: null,
commit: null,
commitShort: null,
commitSubject: null,
commitDate: null,
dirty: false,
dirtyHint: null,
behind: null,
ahead: null,
diverged: false,
remoteShort: null,
updateEnabled: isUpdateEnabled(),
platform: process.platform,
};
try {
await ensureSafeDirectory(root, repoOwner);
info.branch = await gitCmd(['branch', '--show-current'], root);
if (!info.branch) {
info.branch = '(detached)';
info.commitShort = await gitCmd(['rev-parse', '--short', 'HEAD'], root);
}
info.commit = await gitCmd(['rev-parse', 'HEAD'], root);
info.commitShort = info.commitShort || (await gitCmd(['rev-parse', '--short', 'HEAD'], root));
info.commitSubject = await gitCmd(['log', '-1', '--pretty=%s'], root);
info.commitDate = await gitCmd(['log', '-1', '--pretty=%ci'], root);
try {
const status = await gitCmd(['status', '--porcelain'], root);
info.dirty = status.length > 0;
if (info.dirty) {
info.dirtyHint =
'На сервере есть локальные изменения. Обновление может их перезаписать; при ошибке выполните git stash или git reset --hard с машины администратора.';
}
} catch {
info.dirty = null;
info.dirtyHint = 'Не удалось прочитать статус (права на .git).';
}
} catch (err) {
info.available = false;
info.reason = err.message;
return info;
}
if (fetchRemote) {
try {
const sync = await getRemoteSyncStatus(root);
info.behind = sync.behind;
info.ahead = sync.ahead;
info.diverged = sync.diverged;
info.remoteShort = sync.remoteShort;
} catch (err) {
info.fetchError = err.message;
if (repoOwner) {
info.fetchError += ` Владелец репозитория: ${repoOwner}. Задайте SHOP_GIT_USER=${repoOwner} и ADMIN_UPDATE_USE_SUDO=1 в .env.`;
}
}
}
return info;
}
function runDeployUpdate() {
const root = resolveShopRoot();
const scriptPath = path.join(root, 'scripts', 'admin-web-update.sh');
return new Promise((resolve) => {
const useSudo = process.env.ADMIN_UPDATE_USE_SUDO === '1';
const cmd = useSudo ? 'sudo' : 'bash';
const args = useSudo ? ['-n', scriptPath] : [scriptPath];
const child = spawn(cmd, args, {
cwd: root,
env: { ...gitEnv(root), SHOP_ROOT: root },
timeout: 300000,
});
let output = '';
child.stdout.on('data', (chunk) => {
output += chunk.toString();
});
child.stderr.on('data', (chunk) => {
output += chunk.toString();
});
child.on('error', (err) => {
resolve({
ok: false,
code: -1,
output: `${output}\n${err.message}`.trim(),
});
});
child.on('close', (code) => {
resolve({
ok: code === 0,
code: code ?? 1,
output: output.trim() || '(нет вывода)',
});
});
});
}
module.exports = {
resolveShopRoot,
isUpdateEnabled,
getGitInfo,
runDeployUpdate,
getRepoOwner,
};
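Review bot: `getRemoteSyncStatus()` cannot work in the case it exists for. The doc comment promises a comparison without fetch, but `merge-base localHead remoteSha` needs `remoteSha` as a local object; when origin is ahead that commit is not in the local repository, `merge-base` throws, and the catch reports "нет общего предка" and tells the operator to `git reset --hard`. Either fetch into a remote-tracking ref first (which does write to `.git`) or accept that without a fetch only the equality check `remoteSha === localHead` is reliable. Separately, `runDeployUpdate()` runs `sudo -n <root>/scripts/admin-web-update.sh`, a file pulled from origin/main by the very update it performs, so whoever can push to that branch can run arbitrary code as root on the server; point the sudoers entry at a copy of the script outside the checkout that `www-data` cannot write, and note that `resolveShopRoot()` may return `null`, which makes `path.join(root, ...)` throw before the Promise is created.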
+48
@@ -0,0 +1,48 @@
const { query } = require('../db');
/** Баллов за каждые 100 ₽ subtotal после скидок */
const EARN_PER_100_RUB = 10;
/** 1 балл = 1 копейка скидки */
const POINT_VALUE_CENTS = 1;
async function getBalance(userId) {
const { rows } = await query('SELECT loyalty_points FROM users WHERE id = $1', [
userId,
]);
return rows[0]?.loyalty_points ?? 0;
}
function calcEarnedPoints(payableCents) {
if (payableCents <= 0) return 0;
return Math.floor((payableCents / 10000) * EARN_PER_100_RUB);
}
function calcLoyaltyDiscountCents(pointsToUse, balance, maxCents) {
const use = Math.min(
Math.max(0, parseInt(pointsToUse, 10) || 0),
balance,
maxCents
);
return use * POINT_VALUE_CENTS;
}
function pointsForDiscount(discountCents) {
return Math.floor(discountCents / POINT_VALUE_CENTS);
}
async function applyLoyaltyOnOrder(client, userId, pointsUsed, pointsEarned) {
await client.query(
`UPDATE users SET loyalty_points = loyalty_points - $1 + $2 WHERE id = $3`,
[pointsUsed, pointsEarned, userId]
);
}
module.exports = {
EARN_PER_100_RUB,
POINT_VALUE_CENTS,
getBalance,
calcEarnedPoints,
calcLoyaltyDiscountCents,
pointsForDiscount,
applyLoyaltyOnOrder,
};
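Review bot: `applyLoyaltyOnOrder()` subtracts `pointsUsed` unconditionally; add `AND loyalty_points >= $1` to the UPDATE and have the caller check `rowCount`, so a stale balance cannot drive `loyalty_points` below zero. `calcLoyaltyDiscountCents()` already clamps to `balance` on the read side, but that balance is fetched before the checkout transaction starts.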
+112
@@ -0,0 +1,112 @@
const nodemailer = require('nodemailer');
let transporter = null;
function isConfigured() {
return Boolean(process.env.SMTP_HOST && process.env.SMTP_FROM);
}
function getTransporter() {
if (!isConfigured()) return null;
if (!transporter) {
transporter = nodemailer.createTransport({
host: process.env.SMTP_HOST,
port: parseInt(process.env.SMTP_PORT || '587', 10),
secure: process.env.SMTP_SECURE === 'true',
auth:
process.env.SMTP_USER && process.env.SMTP_PASS
? { user: process.env.SMTP_USER, pass: process.env.SMTP_PASS }
: undefined,
});
}
return transporter;
}
function siteUrl() {
return (process.env.SITE_URL || 'http://localhost:3000').replace(/\/$/, '');
}
async function sendMail({ to, subject, text, html }) {
const from = process.env.SMTP_FROM || 'shop@localhost';
const payload = { from, to, subject, text, html: html || text };
const transport = getTransporter();
if (!transport) {
console.log('--- Email (SMTP не настроен) ---');
console.log('To:', to);
console.log('Subject:', subject);
console.log(text);
console.log('--------------------------------');
return { logged: true };
}
await transport.sendMail(payload);
return { sent: true };
}
async function sendPasswordResetEmail(to, resetLink) {
const subject = 'Сброс пароля — Shop';
const text = `Вы запросили сброс пароля.\n\nПерейдите по ссылке (действует 1 час):\n${resetLink}\n\nЕсли это были не вы, проигнорируйте письмо.`;
const html = `
<p>Вы запросили сброс пароля в магазине Shop.</p>
<p><a href="${resetLink}">Сбросить пароль</a></p>
<p>Ссылка действует <strong>1 час</strong>.</p>
<p style="color:#666">Если вы не запрашивали сброс, просто удалите это письмо.</p>
`;
return sendMail({ to, subject, text, html });
}
async function sendReservationEmail(to, productName, quantity, expiresAt) {
const subject = `Бронирование: ${productName}`;
const exp = new Date(expiresAt).toLocaleString('ru-RU');
const text = `Товар «${productName}» забронирован (${quantity} шт.) до ${exp}.\n\n${siteUrl()}/account?tab=reservations`;
const html = `
<p>Вы забронировали <strong>${productName}</strong> ${quantity} шт.</p>
<p>Бронь активна до: <strong>${exp}</strong></p>
<p><a href="${siteUrl()}/account?tab=reservations">Мои бронирования</a></p>
`;
return sendMail({ to, subject, text, html });
}
async function sendOrderConfirmationEmail(to, orderId, totalFormatted, items) {
const orderUrl = `${siteUrl()}/orders/${orderId}`;
const subject = `Заказ #${orderId} оформлен — Shop`;
const lines = items
.map((i) => `${i.name} × ${i.quantity}${i.lineFormatted}`)
.join('\n');
const text = `Спасибо за заказ #${orderId}!\n\n${lines}\n\nИтого: ${totalFormatted}\n\nСтатус: ${orderUrl}`;
const htmlItems = items
.map(
(i) =>
`<li>${i.name} × ${i.quantity} — <strong>${i.lineFormatted}</strong></li>`
)
.join('');
const html = `
<p>Спасибо за покупку! Заказ <strong>#${orderId}</strong> принят.</p>
<ul>${htmlItems}</ul>
<p><strong>Итого: ${totalFormatted}</strong></p>
<p><a href="${orderUrl}">Открыть заказ в личном кабинете</a></p>
`;
return sendMail({ to, subject, text, html });
}
async function sendStockAvailableEmail(to, productName, productUrl) {
const subject = `Снова в наличии: ${productName}`;
const text = `Товар «${productName}» снова в наличии.\n\nПерейти: ${productUrl}`;
const html = `
<p>Товар <strong>${productName}</strong> снова в наличии.</p>
<p><a href="${productUrl}">Открыть товар в магазине</a></p>
<p style="color:#666">Вы получили это письмо, потому что подписались на уведомление о поступлении.</p>
`;
return sendMail({ to, subject, text, html });
}
module.exports = {
isConfigured,
sendMail,
sendPasswordResetEmail,
sendReservationEmail,
sendStockAvailableEmail,
sendOrderConfirmationEmail,
siteUrl,
};
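Review bot: in `sendOrderConfirmationEmail` the plain-text line `${i.name} × ${i.quantity}${i.lineFormatted}` has no separator before the price (the HTML variant uses ` — `), so quantity and amount run together in the text part. Every template also interpolates `productName`, `i.name`, `totalFormatted` and the URLs straight into HTML; add an `escapeHtml()` for values that originate from the product catalog so a `<` in a product name cannot inject markup into customer mail.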
+66
@@ -0,0 +1,66 @@
const promoService = require('./promo');
const loyaltyService = require('./loyalty');
async function buildCartPricing(items, session, userId) {
const subtotal = items.reduce((s, i) => s + i.line_total, 0);
let promo = null;
let promoDiscount = 0;
let promoError = null;
if (session.appliedPromoCode) {
promo = await promoService.findPromoByCode(session.appliedPromoCode);
const check = promoService.validatePromo(promo, subtotal);
if (!check.ok) {
promoError = check.error;
promo = null;
delete session.appliedPromoCode;
} else {
promoDiscount = promoService.calcPromoDiscountCents(promo, subtotal);
}
}
const afterPromo = Math.max(0, subtotal - promoDiscount);
let loyaltyBalance = 0;
let loyaltyDiscount = 0;
let loyaltyPointsUsed = 0;
if (userId) {
loyaltyBalance = await loyaltyService.getBalance(userId);
const requested = session.loyaltyPointsToUse ?? 0;
loyaltyDiscount = loyaltyService.calcLoyaltyDiscountCents(
requested,
loyaltyBalance,
afterPromo
);
loyaltyPointsUsed = loyaltyService.pointsForDiscount(loyaltyDiscount);
}
const total = Math.max(0, afterPromo - loyaltyDiscount);
const pointsEarned =
userId && total > 0 ? loyaltyService.calcEarnedPoints(total) : 0;
return {
subtotal,
promoDiscount,
loyaltyDiscount,
loyaltyPointsUsed,
loyaltyPointsUsedDisplay: loyaltyPointsUsed,
loyaltyBalance,
pointsEarned,
total,
promo: promo
? {
code: promo.code,
description: promo.description,
discount_type: promo.discount_type,
discount_value: promo.discount_value,
expires_at: promo.expires_at,
}
: null,
promoError,
};
}
module.exports = { buildCartPricing };
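Review bot: `buildCartPricing()` mutates the session (`delete session.appliedPromoCode`) while computing prices, so any read-only render of the cart silently drops an expired or exhausted promo and the user sees `promoError` only once; return the error and leave it to the route to decide whether to clear the code.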
+62
@@ -0,0 +1,62 @@
const { query } = require('../db');
function normalizeCode(code) {
return String(code || '')
.trim()
.toUpperCase()
.replace(/\s+/g, '');
}
async function findPromoByCode(code) {
const normalized = normalizeCode(code);
if (!normalized) return null;
const { rows } = await query(
`SELECT * FROM promo_codes WHERE UPPER(code) = $1 AND active = true`,
[normalized]
);
return rows[0] || null;
}
function validatePromo(promo, subtotalCents) {
if (!promo) return { ok: false, error: 'Промокод не найден' };
const now = new Date();
if (new Date(promo.starts_at) > now) {
return { ok: false, error: 'Промокод ещё не действует' };
}
if (new Date(promo.expires_at) <= now) {
return { ok: false, error: 'Срок действия промокода истёк' };
}
if (promo.max_uses != null && promo.use_count >= promo.max_uses) {
return { ok: false, error: 'Лимит использований промокода исчерпан' };
}
if (subtotalCents < promo.min_order_cents) {
const min = (promo.min_order_cents / 100).toFixed(0);
return { ok: false, error: `Минимальная сумма заказа ${min}` };
}
return { ok: true };
}
function calcPromoDiscountCents(promo, subtotalCents) {
if (!promo) return 0;
if (promo.discount_type === 'percent') {
const pct = Math.min(100, Math.max(1, promo.discount_value));
return Math.floor((subtotalCents * pct) / 100);
}
return Math.min(subtotalCents, promo.discount_value);
}
async function incrementPromoUse(promoId, client) {
const q = client ? client.query.bind(client) : query;
await q('UPDATE promo_codes SET use_count = use_count + 1 WHERE id = $1', [promoId]);
}
module.exports = {
normalizeCode,
findPromoByCode,
validatePromo,
calcPromoDiscountCents,
incrementPromoUse,
};
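Review bot: `Math.max(1, promo.discount_value)` in `calcPromoDiscountCents` turns a mis-entered `percent` value of 0 into a 1% discount and silently caps values above 100; validate the value when the promo is created and treat out-of-range rows as invalid in `validatePromo` instead of clamping at checkout. The message `Минимальная сумма заказа ${min}` prints a bare number; append the currency (`${min} ₽`) as the seed descriptions do.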
+33
@@ -0,0 +1,33 @@
const MAX = 8;
function getList(session) {
if (!session.recentlyViewed || !Array.isArray(session.recentlyViewed)) {
session.recentlyViewed = [];
}
return session.recentlyViewed;
}
function pushProduct(session, productId) {
const id = parseInt(productId, 10);
if (!id) return;
const list = getList(session).filter((x) => x !== id);
list.unshift(id);
session.recentlyViewed = list.slice(0, MAX);
}
async function loadProducts(query, session) {
const ids = getList(session);
if (!ids.length) return [];
const placeholders = ids.map((_, i) => `$${i + 1}`).join(',');
const { rows } = await query(
`SELECT p.*, c.name AS category_name, c.slug AS category_slug
FROM products p
LEFT JOIN categories c ON c.id = p.category_id
WHERE p.id IN (${placeholders})`,
ids
);
const byId = new Map(rows.map((p) => [p.id, p]));
return ids.map((id) => byId.get(id)).filter(Boolean);
}
module.exports = { pushProduct, loadProducts, MAX };
+10
@@ -0,0 +1,10 @@
const { query } = require('../db');
async function expireOldReservations() {
await query(
`UPDATE reservations SET status = 'expired'
WHERE status = 'active' AND expires_at < NOW()`
);
}
module.exports = { expireOldReservations };
+74
@@ -0,0 +1,74 @@
const { query } = require('../db');
const { sendStockAvailableEmail, siteUrl } = require('./mail');
async function isSubscribed(productId, email, userId) {
const normalized = email.trim().toLowerCase();
const params = [productId, normalized];
let sql = `SELECT 1 FROM product_stock_alerts
WHERE product_id = $1 AND notified_at IS NULL
AND (email = $2`;
if (userId) {
sql += ' OR user_id = $3';
params.push(userId);
}
sql += ')';
const { rows } = await query(sql, params);
return rows.length > 0;
}
async function subscribe({ productId, email, userId }) {
const normalized = email.trim().toLowerCase();
await query(
`INSERT INTO product_stock_alerts (product_id, email, user_id)
VALUES ($1, $2, $3)
ON CONFLICT (product_id, email) DO UPDATE SET
user_id = COALESCE(EXCLUDED.user_id, product_stock_alerts.user_id),
notified_at = NULL,
created_at = CASE
WHEN product_stock_alerts.notified_at IS NOT NULL THEN NOW()
ELSE product_stock_alerts.created_at
END`,
[productId, normalized, userId || null]
);
}
async function notifyIfBackInStock(productId) {
const { rows: products } = await query(
'SELECT id, slug, name, stock FROM products WHERE id = $1',
[productId]
);
const product = products[0];
if (!product || product.stock <= 0) return { sent: 0 };
const { rows: alerts } = await query(
`SELECT id, email FROM product_stock_alerts
WHERE product_id = $1 AND notified_at IS NULL`,
[productId]
);
if (!alerts.length) return { sent: 0 };
const productUrl = `${siteUrl()}/product/${product.slug}`;
let sent = 0;
for (const alert of alerts) {
try {
await sendStockAvailableEmail(alert.email, product.name, productUrl);
await query(
'UPDATE product_stock_alerts SET notified_at = NOW() WHERE id = $1',
[alert.id]
);
sent++;
} catch (err) {
console.error('stock alert email failed:', alert.email, err.message);
}
}
return { sent };
}
module.exports = {
isSubscribed,
subscribe,
notifyIfBackInStock,
};
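Review bot: `notifyIfBackInStock()` selects all pending alerts, then sends and marks each one in turn; two overlapping calls (two stock updates in quick succession) both read the same pending rows and send duplicate e-mails. Claim each row first with `UPDATE product_stock_alerts SET notified_at = NOW() WHERE id = $1 AND notified_at IS NULL RETURNING id` and send only when a row came back (resetting `notified_at` on send failure); that also stops the sequential `await` loop from being the only thing throttling a large subscriber list.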
+242
@@ -0,0 +1,242 @@
const crypto = require('crypto');
const {
generateRegistrationOptions,
verifyRegistrationResponse,
generateAuthenticationOptions,
verifyAuthenticationResponse,
} = require('@simplewebauthn/server');
const { isoBase64URL } = require('@simplewebauthn/server/helpers');
const { query } = require('../db');
function getRpId() {
if (process.env.WEBAUTHN_RP_ID) {
return process.env.WEBAUTHN_RP_ID.trim();
}
const site = process.env.SITE_URL || 'http://localhost:3000';
try {
return new URL(site).hostname;
} catch {
return 'localhost';
}
}
function getRpName() {
return process.env.WEBAUTHN_RP_NAME || 'Shop';
}
function getOrigins() {
const list = [];
if (process.env.SITE_URL) list.push(process.env.SITE_URL.replace(/\/$/, ''));
if (process.env.WEBAUTHN_ORIGIN) {
process.env.WEBAUTHN_ORIGIN.split(',').forEach((o) => {
const t = o.trim().replace(/\/$/, '');
if (t) list.push(t);
});
}
if (!list.length) list.push('http://localhost:3000');
const expanded = [...list];
for (const o of list) {
if (o.includes('localhost')) {
expanded.push(o.replace('localhost', '127.0.0.1'));
}
}
return [...new Set(expanded)];
}
function getOriginFromRequest(req) {
const proto = req.get('x-forwarded-proto') || req.protocol;
const host = req.get('x-forwarded-host') || req.get('host');
return `${proto}://${host}`.replace(/\/$/, '');
}
function assertOrigin(req) {
const origin = getOriginFromRequest(req);
const allowed = getOrigins();
if (!allowed.includes(origin)) {
const err = new Error('Недопустимый origin для WebAuthn');
err.status = 400;
throw err;
}
return origin;
}
function userIdToBuffer(userId) {
const buf = Buffer.alloc(8);
buf.writeBigUInt64BE(BigInt(userId), 0);
return new Uint8Array(buf);
}
async function getCredentialsForUser(userId) {
const { rows } = await query(
`SELECT id, credential_id, public_key, counter, device_type, backed_up, transports, label, created_at
FROM webauthn_credentials WHERE user_id = $1 ORDER BY created_at`,
[userId]
);
return rows;
}
function rowToAuthenticator(row) {
return {
id: row.credential_id,
publicKey: row.public_key,
counter: Number(row.counter),
transports: row.transports ? row.transports.split(',') : undefined,
};
}
async function generateRegisterOptions(user, excludeIds = []) {
const credentials = await getCredentialsForUser(user.id);
return generateRegistrationOptions({
rpName: getRpName(),
rpID: getRpId(),
userName: user.email,
userDisplayName: user.name,
userID: userIdToBuffer(user.id),
attestationType: 'none',
excludeCredentials: credentials.map((c) => ({
id: c.credential_id,
transports: c.transports ? c.transports.split(',') : undefined,
})),
authenticatorSelection: {
residentKey: 'preferred',
userVerification: 'preferred',
},
});
}
async function verifyRegister(user, response, expectedChallenge, expectedOrigin) {
const verification = await verifyRegistrationResponse({
response,
expectedChallenge,
expectedOrigin,
expectedRPID: getRpId(),
requireUserVerification: false,
});
if (!verification.verified || !verification.registrationInfo) {
return { verified: false };
}
const { credential, credentialDeviceType, credentialBackedUp } =
verification.registrationInfo;
const credentialId =
typeof credential.id === 'string'
? credential.id
: isoBase64URL.fromBuffer(credential.id);
const label =
credentialDeviceType === 'singleDevice' ? 'Это устройство' : 'Passkey';
await query(
`INSERT INTO webauthn_credentials
(user_id, credential_id, public_key, counter, device_type, backed_up, transports, label)
VALUES ($1, $2, $3, $4, $5, $6, $7, $8)`,
[
user.id,
credentialId,
Buffer.from(credential.publicKey),
credential.counter,
credentialDeviceType,
credentialBackedUp,
credential.transports?.join(',') || null,
label,
]
);
await query('UPDATE users SET passkey_enabled = true WHERE id = $1', [user.id]);
return { verified: true };
}
async function generateLoginOptions(email) {
const { rows } = await query(
`SELECT id, email, name, passkey_enabled FROM users WHERE email = $1`,
[email.trim().toLowerCase()]
);
const user = rows[0];
if (!user || !user.passkey_enabled) {
return { user: null, options: null };
}
const credentials = await getCredentialsForUser(user.id);
if (!credentials.length) {
return { user: null, options: null };
}
const options = await generateAuthenticationOptions({
rpID: getRpId(),
allowCredentials: credentials.map((c) => ({
id: c.credential_id,
transports: c.transports ? c.transports.split(',') : undefined,
})),
userVerification: 'preferred',
});
return { user, options };
}
async function verifyLogin(user, response, expectedChallenge, expectedOrigin) {
const credentialId = response.id;
const { rows } = await query(
`SELECT * FROM webauthn_credentials WHERE user_id = $1 AND credential_id = $2`,
[user.id, credentialId]
);
const row = rows[0];
if (!row) {
return { verified: false };
}
const verification = await verifyAuthenticationResponse({
response,
expectedChallenge,
expectedOrigin,
expectedRPID: getRpId(),
credential: rowToAuthenticator(row),
requireUserVerification: false,
});
if (!verification.verified) {
return { verified: false };
}
const { newCounter } = verification.authenticationInfo;
await query('UPDATE webauthn_credentials SET counter = $1 WHERE id = $2', [
newCounter,
row.id,
]);
return { verified: true };
}
async function disablePasskeys(userId) {
await query('DELETE FROM webauthn_credentials WHERE user_id = $1', [userId]);
await query('UPDATE users SET passkey_enabled = false WHERE id = $1', [userId]);
}
async function deleteCredential(userId, credentialDbId) {
const { rowCount } = await query(
'DELETE FROM webauthn_credentials WHERE id = $1 AND user_id = $2',
[credentialDbId, userId]
);
const remaining = await query(
'SELECT COUNT(*)::int AS n FROM webauthn_credentials WHERE user_id = $1',
[userId]
);
if (remaining.rows[0].n === 0) {
await query('UPDATE users SET passkey_enabled = false WHERE id = $1', [userId]);
}
return rowCount > 0;
}
module.exports = {
getRpId,
getOrigins,
assertOrigin,
getCredentialsForUser,
generateRegisterOptions,
verifyRegister,
generateLoginOptions,
verifyLogin,
disablePasskeys,
deleteCredential,
};
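Review bot: `getOriginFromRequest` reads `x-forwarded-proto` and `x-forwarded-host` straight from the request, so whoever can set those headers (any client when the app is not behind a proxy that overwrites them) chooses which entry of `getOrigins()` becomes `expectedOrigin` in `verifyRegister` and `verifyLogin`, and the localhost/127.0.0.1 expansion widens that list in development. Simpler and safer: pass the whole `getOrigins()` array as `expectedOrigin` (the library accepts a string or an array), rely on Express's `trust proxy` setting for `req.protocol`/`req.hostname`, and drop `assertOrigin`. Both verify functions take `expectedChallenge` as a plain argument, so it is worth confirming outside this hunk that the challenge is stored server-side per session and invalidated after one `verify*` call. `disablePasskeys` and `deleteCredential` each run two statements without a transaction; wrap them so `users.passkey_enabled` cannot drift from the actual credential rows.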
+19
View File
@@ -0,0 +1,19 @@
function isSaleActive(product) {
if (product.sale_price_cents == null) return false;
if (product.sale_price_cents >= product.price_cents) return false;
if (product.sale_ends_at && new Date(product.sale_ends_at) <= new Date()) return false;
return true;
}
function getEffectivePriceCents(product) {
return isSaleActive(product) ? product.sale_price_cents : product.price_cents;
}
function salePercent(product) {
if (!isSaleActive(product) || !product.price_cents) return 0;
return Math.round(
((product.price_cents - product.sale_price_cents) / product.price_cents) * 100
);
}
module.exports = { isSaleActive, getEffectivePriceCents, salePercent };
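Review bot: `isSaleActive` treats any `sale_price_cents` below `price_cents` as an active sale, including `0` and negative values, so `getEffectivePriceCents` returns a zero or negative price if the admin form or handler lets such a value through (the pricing form on this page uses `min="0"`); add `product.sale_price_cents > 0` here and reject it in the handler as well. A `sale_ends_at` value that does not parse makes `new Date(...) <= new Date()` evaluate to `false`, which silently keeps the sale open; treat an invalid date (`Number.isNaN(date.getTime())`) as expired instead.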
-15
View File
@@ -1,15 +0,0 @@
<%- include('partials/layout-start') %>
<div class="account">
<h1>Личный кабинет</h1>
<div class="card account-card">
<p><strong><%= user.name %></strong></p>
<p class="muted"><%= user.email %></p>
<p class="muted">С нами с <%= new Date(user.created_at).toLocaleDateString('ru-RU') %></p>
<div class="account-actions">
<a href="/orders" class="btn btn--primary">Мои заказы (<%= orderCount %>)</a>
</div>
</div>
</div>
<%- include('partials/layout-end') %>
+232
View File
@@ -0,0 +1,232 @@
<%- include('../partials/layout-start') %>
<div class="account">
<h1>Личный кабинет</h1>
<% if (success) { %><p class="alert alert--success"><%= success %></p><% } %>
<% if (error) { %><p class="alert alert--error"><%= error %></p><% } %>
<nav class="account-tabs" aria-label="Разделы профиля">
<a href="/account?tab=profile" class="account-tabs__link <%= activeTab === 'profile' ? 'account-tabs__link--active' : '' %>">Профиль</a>
<a href="/account?tab=email" class="account-tabs__link <%= activeTab === 'email' ? 'account-tabs__link--active' : '' %>">Смена email</a>
<a href="/account?tab=password" class="account-tabs__link <%= activeTab === 'password' ? 'account-tabs__link--active' : '' %>">Смена пароля</a>
<a href="/account?tab=passkey" class="account-tabs__link <%= activeTab === 'passkey' ? 'account-tabs__link--active' : '' %>">Passkey</a>
<a href="/account?tab=reservations" class="account-tabs__link <%= activeTab === 'reservations' ? 'account-tabs__link--active' : '' %>">Бронирования</a>
<a href="/account?tab=orders" class="account-tabs__link <%= activeTab === 'orders' ? 'account-tabs__link--active' : '' %>">Заказы</a>
</nav>
<% if (activeTab === 'profile') { %>
<div class="account-grid">
<section class="card account-section">
<h2>Мой профиль</h2>
<dl class="profile-dl">
<dt>ID</dt>
<dd><%= user.id %></dd>
<dt>Email</dt>
<dd><%= user.email %></dd>
<dt>Роль</dt>
<dd><span class="role-badge role-badge--<%= user.role %>"><%= roleLabels[user.role] || user.role %></span></dd>
<dt>Регистрация</dt>
<dd><%= new Date(user.created_at).toLocaleString('ru-RU') %></dd>
<dt>Заказов</dt>
<dd><%= orderCount %></dd>
<dt>Баллы лояльности</dt>
<dd><strong><%= user.loyalty_points || 0 %></strong> <span class="muted">(1 балл = 1 коп. скидки)</span></dd>
</dl>
<div class="account-actions">
<a href="/orders" class="btn btn--primary">Мои заказы</a>
<% if (isAdmin) { %>
<a href="/admin" class="btn btn--admin">Админ-панель</a>
<% } %>
</div>
</section>
<section class="card account-section">
<h2>Изменить имя</h2>
<form action="/account/profile" method="post" class="form">
<label class="label">
Имя
<input type="text" name="name" class="input" required value="<%= user.name %>" autocomplete="name">
</label>
<button type="submit" class="btn btn--primary">Сохранить</button>
</form>
</section>
</div>
<% } %>
<% if (activeTab === 'email') { %>
<section class="card account-section account-section--narrow">
<h2>Смена email</h2>
<p class="muted">Текущий email: <strong><%= user.email %></strong></p>
<form action="/account/email" method="post" class="form">
<label class="label">
Новый email
<input type="email" name="email" class="input" required autocomplete="email">
</label>
<label class="label">
Текущий пароль (подтверждение)
<input type="password" name="current_password" class="input" required autocomplete="current-password">
</label>
<button type="submit" class="btn btn--primary">Изменить email</button>
</form>
</section>
<% } %>
<% if (activeTab === 'orders') { %>
<section class="card account-section">
<h2>Последние заказы</h2>
<% if (!recentOrders.length) { %>
<p class="muted">Заказов пока нет. <a href="/">Перейти в каталог</a></p>
<% } else { %>
<table class="cart-table">
<thead>
<tr>
<th>№</th>
<th>Дата</th>
<th>Статус</th>
<th>Сумма</th>
<th></th>
</tr>
</thead>
<tbody>
<% const statusLabels = { pending: 'Ожидает', paid: 'Оплачен', shipped: 'Отправлен', cancelled: 'Отменён' }; %>
<% recentOrders.forEach(o => { %>
<tr>
<td>#<%= o.id %></td>
<td><%= new Date(o.created_at).toLocaleString('ru-RU') %></td>
<td><span class="status status--<%= o.status %>"><%= statusLabels[o.status] || o.status %></span></td>
<td><%= formatPrice(o.total_cents) %></td>
<td><a href="/orders/<%= o.id %>">Подробнее</a></td>
</tr>
<% }) %>
</tbody>
</table>
<p class="account-actions"><a href="/orders" class="btn btn--ghost">Все заказы</a></p>
<% } %>
</section>
<% } %>
<% if (activeTab === 'reservations') { %>
<section class="card account-section">
<h2>Мои бронирования</h2>
<% if (!reservations.length) { %>
<p class="muted">Активных броней нет.</p>
<% } else { %>
<table class="cart-table">
<thead>
<tr>
<th>Товар</th>
<th>Кол-во</th>
<th>Статус</th>
<th>До</th>
<th></th>
</tr>
</thead>
<tbody>
<% const resStatus = { active: 'Активна', fulfilled: 'Выполнена', cancelled: 'Отменена', expired: 'Истекла' }; %>
<% reservations.forEach(r => { %>
<tr>
<td><a href="/product/<%= r.product_slug %>"><%= r.product_name %></a></td>
<td><%= r.quantity %></td>
<td><span class="status status--<%= r.status === 'active' ? 'pending' : r.status %>"><%= resStatus[r.status] || r.status %></span></td>
<td><%= r.status === 'active' ? new Date(r.expires_at).toLocaleString('ru-RU') : '—' %></td>
<td>
<% if (r.status === 'active') { %>
<form action="/reservations/<%= r.id %>/cancel" method="post" class="inline-form">
<button type="submit" class="btn btn--ghost btn--sm">Отменить</button>
</form>
<% } %>
</td>
</tr>
<% }) %>
</tbody>
</table>
<% } %>
</section>
<% } %>
<% if (activeTab === 'passkey') { %>
<section class="card account-section account-section--narrow">
<h2>Вход по passkey</h2>
<p class="muted">
Passkey — вход по отпечатку, Face ID или PIN устройства. Пароль остаётся доступен.
Включение необязательно: привяжите ключ, когда будете готовы.
</p>
<% if (user.passkey_enabled) { %>
<p class="alert alert--success" style="margin-bottom:1rem">Passkey включён</p>
<% } else { %>
<p class="muted" style="margin-bottom:1rem">Passkey не настроен</p>
<% } %>
<% if (passkeys.length) { %>
<ul class="passkey-list">
<% passkeys.forEach(pk => { %>
<li class="passkey-list__item">
<span><strong><%= pk.label %></strong> · с <%= new Date(pk.created_at).toLocaleDateString('ru-RU') %></span>
<form action="/account/passkey/credentials/<%= pk.id %>/delete" method="post" class="inline-form">
<input type="password" name="current_password" class="input input--sm" placeholder="Пароль" required autocomplete="current-password" aria-label="Пароль для удаления">
<button type="submit" class="btn btn--ghost btn--sm">Удалить</button>
</form>
</li>
<% }) %>
</ul>
<% } %>
<div class="passkey-actions">
<p id="passkey-register-error" class="alert alert--error" hidden></p>
<label class="label">
Текущий пароль (для привязки нового ключа)
<input type="password" id="passkey-register-password" class="input" autocomplete="current-password">
</label>
<button type="button" id="passkey-register-btn" class="btn btn--primary">Привязать passkey</button>
</div>
<% if (user.passkey_enabled) { %>
<hr class="divider">
<h3>Отключить passkey</h3>
<p class="muted">Все привязанные ключи будут удалены. Вход только по паролю.</p>
<form action="/account/passkey/disable" method="post" class="form">
<label class="label">
Текущий пароль
<input type="password" name="current_password" class="input" required autocomplete="current-password">
</label>
<button type="submit" class="btn btn--ghost">Отключить passkey</button>
</form>
<% } %>
</section>
<script src="/js/passkey.js"></script>
<script>
document.getElementById('passkey-register-btn')?.addEventListener('click', function () {
ShopPasskey.registerPasskey(
document.getElementById('passkey-register-password'),
document.getElementById('passkey-register-error'),
this
);
});
</script>
<% } %>
<% if (activeTab === 'password') { %>
<section class="card account-section account-section--narrow">
<h2>Смена пароля</h2>
<form action="/account/password" method="post" class="form">
<label class="label">
Текущий пароль
<input type="password" name="current_password" class="input" required autocomplete="current-password">
</label>
<label class="label">
Новый пароль
<input type="password" name="password" class="input" required minlength="6" autocomplete="new-password">
</label>
<label class="label">
Повторите новый пароль
<input type="password" name="password2" class="input" required minlength="6" autocomplete="new-password">
</label>
<button type="submit" class="btn btn--primary">Изменить пароль</button>
</form>
</section>
<% } %>
</div>
<%- include('../partials/layout-end') %>
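Review bot: none of the state-changing forms in this template (`/account/profile`, `/account/email`, `/account/password`, `/account/passkey/disable`, `/account/passkey/credentials/:id/delete`, `/reservations/:id/cancel`) carries a CSRF token field; if the app uses a CSRF middleware that expects a hidden input, add it to each form, otherwise document that the session cookie is `SameSite=Lax`/`Strict` and that this is the intended protection. The password form accepts `minlength="6"`; align it with the server-side rule (8 is the usual floor). Requiring `current_password` on the email change and on credential deletion is the right call.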
+62
View File
@@ -0,0 +1,62 @@
<%- include('../partials/layout-start') %>
<div class="admin-header">
<h1>Админ-панель</h1>
<%- include('../partials/admin-nav', { adminNav: 'dashboard' }) %>
</div>
<section class="card" style="margin-bottom:1.5rem">
<h2 style="margin-top:0">Обновление с Git</h2>
<p class="muted">Подтянуть новую версию и перезапустить магазин без SSH.</p>
<a href="/admin/system" class="btn btn--primary">Перейти к обновлению →</a>
</section>
<div class="stats-grid">
<div class="stat-card">
<span class="stat-card__label">Пользователи</span>
<strong class="stat-card__value"><%= stats.users %></strong>
</div>
<div class="stat-card">
<span class="stat-card__label">Товары</span>
<strong class="stat-card__value"><%= stats.products %></strong>
</div>
<div class="stat-card">
<span class="stat-card__label">Заказы</span>
<strong class="stat-card__value"><%= stats.orders %></strong>
</div>
<div class="stat-card">
<span class="stat-card__label">Выручка</span>
<strong class="stat-card__value"><%= formatPrice(stats.revenue) %></strong>
</div>
</div>
<h2>Последние заказы</h2>
<% if (!recentOrders.length) { %>
<p class="muted">Заказов пока нет.</p>
<% } else { %>
<table class="cart-table">
<thead>
<tr>
<th>№</th>
<th>Клиент</th>
<th>Статус</th>
<th>Сумма</th>
<th>Дата</th>
</tr>
</thead>
<tbody>
<% const statusLabels = { pending: 'Ожидает', paid: 'Оплачен', shipped: 'Отправлен', cancelled: 'Отменён' }; %>
<% recentOrders.forEach(o => { %>
<tr>
<td>#<%= o.id %></td>
<td><%= o.customer_name %><br><span class="muted"><%= o.user_email %></span></td>
<td><span class="status status--<%= o.status %>"><%= statusLabels[o.status] || o.status %></span></td>
<td><%= formatPrice(o.total_cents) %></td>
<td><%= new Date(o.created_at).toLocaleString('ru-RU') %></td>
</tr>
<% }) %>
</tbody>
</table>
<% } %>
<%- include('../partials/layout-end') %>
+61
View File
@@ -0,0 +1,61 @@
<%- include('../partials/layout-start') %>
<% const statusLabels = { pending: 'Ожидает', paid: 'Оплачен', shipped: 'Отправлен', cancelled: 'Отменён' }; %>
<div class="admin-header">
<h1>Заказы</h1>
<div class="admin-header__actions">
<a href="/admin/orders/export.csv" class="btn btn--ghost btn--sm">Экспорт CSV</a>
<%- include('../partials/admin-nav', { adminNav: 'orders' }) %>
</div>
</div>
<form class="catalog-toolbar" method="get" action="/admin/orders">
<label class="catalog-toolbar__field">
<span class="catalog-toolbar__label">Статус</span>
<select name="status" class="input input--sm" onchange="this.form.submit()">
<option value="">Все</option>
<% ['pending','paid','shipped','cancelled'].forEach(s => { %>
<option value="<%= s %>" <%= statusFilter === s ? 'selected' : '' %>><%= statusLabels[s] %></option>
<% }) %>
</select>
</label>
</form>
<table class="cart-table">
<thead>
<tr>
<th>№</th>
<th>Клиент</th>
<th>Статус</th>
<th>Сумма</th>
<th>Дата</th>
<th>Действие</th>
</tr>
</thead>
<tbody>
<% orders.forEach(o => { %>
<tr>
<td>#<%= o.id %></td>
<td>
<%= o.customer_name %><br>
<span class="muted"><%= o.customer_email %></span>
</td>
<td><span class="status status--<%= o.status %>"><%= statusLabels[o.status] || o.status %></span></td>
<td><%= formatPrice(o.total_cents) %></td>
<td><%= new Date(o.created_at).toLocaleString('ru-RU') %></td>
<td>
<form method="post" action="/admin/orders/<%= o.id %>/status" class="inline-form admin-status-form">
<select name="status" class="input input--sm">
<% ['pending','paid','shipped','cancelled'].forEach(s => { %>
<option value="<%= s %>" <%= o.status === s ? 'selected' : '' %>><%= statusLabels[s] %></option>
<% }) %>
</select>
<button type="submit" class="btn btn--ghost btn--sm">OK</button>
</form>
</td>
</tr>
<% }) %>
</tbody>
</table>
<%- include('../partials/layout-end') %>
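Review bot: the status select (`['pending','paid','shipped','cancelled']`) lets an admin move an order from any state to any other, including `cancelled` to `paid` or `shipped` back to `pending`; make sure `/admin/orders/:id/status` validates the allowed transitions instead of accepting whatever value is posted. This template reads `o.customer_email` while the dashboard template reads `o.user_email`; unify the column alias in the two queries so neither page renders an empty cell.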
+89
View File
@@ -0,0 +1,89 @@
<%- include('../partials/layout-start') %>
<div class="admin-header">
<h1>Товары — цены и скидки</h1>
<%- include('../partials/admin-nav', { adminNav: 'products' }) %>
</div>
<% if (stockUpdated) { %>
<p class="alert alert--success">
Остаток обновлён.<% if (notified > 0) { %> Уведомления о поступлении: <%= notified %>.<% } %>
</p>
<% } %>
<% if (pricingUpdated) { %><p class="alert alert--success">Цены обновлены</p><% } %>
<% if (pricingError) { %><p class="alert alert--error"><%= pricingError %></p><% } %>
<p class="muted admin-hint">Укажите обычную цену и цену со скидкой (₽). Пустая скидка или «Сбросить» — без акции. Для акции можно задать дату окончания.</p>
<table class="cart-table admin-products-table">
<thead>
<tr>
<th>Товар</th>
<th>Цена / скидка (₽)</th>
<th>Акция до</th>
<th>Остаток</th>
<th></th>
</tr>
</thead>
<tbody>
<% products.forEach(p => { %>
<% const onSale = isSaleActive(p); %>
<% const eff = effectivePrice(p); %>
<tr>
<td>
<strong><%= p.name %></strong><br>
<span class="muted"><%= p.category_name || '—' %></span>
<% if (onSale) { %>
<br><span class="badge badge--sale"><%= salePercent(p) %>% на сайте</span>
<% } %>
</td>
<td>
<form action="/admin/products/<%= p.id %>/pricing" method="post" class="admin-pricing-form">
<label class="label label--inline">
Цена
<input type="number" name="price_rub" class="input input--sm" min="0" step="0.01" required
value="<%= (p.price_cents / 100).toFixed(2) %>">
</label>
<label class="label label--inline">
Со скидкой
<input type="number" name="sale_price_rub" class="input input--sm" min="0" step="0.01" placeholder="—"
value="<%= p.sale_price_cents != null ? (p.sale_price_cents / 100).toFixed(2) : '' %>">
</label>
<button type="submit" class="btn btn--primary btn--sm">Сохранить</button>
</form>
<% if (onSale) { %>
<p class="muted" style="margin:0.35rem 0 0">На сайте: <strong><%= formatPrice(eff) %></strong> вместо <%= formatPrice(p.price_cents) %></p>
<% } %>
</td>
<td>
<form action="/admin/products/<%= p.id %>/pricing" method="post" class="admin-pricing-form admin-pricing-form--ends">
<input type="hidden" name="price_rub" value="<%= (p.price_cents / 100).toFixed(2) %>">
<input type="hidden" name="sale_price_rub" value="<%= p.sale_price_cents != null ? (p.sale_price_cents / 100).toFixed(2) : '' %>">
<input type="datetime-local" name="sale_ends_at" class="input input--sm"
value="<%= p.sale_ends_at ? new Date(p.sale_ends_at).toISOString().slice(0, 16) : '' %>">
<button type="submit" class="btn btn--ghost btn--sm">OK</button>
<% if (p.sale_price_cents != null) { %>
<button type="submit" formaction="/admin/products/<%= p.id %>/pricing" name="clear_sale" value="1" class="btn btn--ghost btn--sm">Сбросить скидку</button>
<% } %>
</form>
<% if (onSale && p.sale_ends_at) { %>
<div class="promo-countdown" data-expires="<%= p.sale_ends_at %>" style="margin-top:0.35rem">
<span class="promo-countdown__timer">—</span>
</div>
<% } %>
</td>
<td>
<form action="/admin/products/<%= p.id %>/stock" method="post" class="inline-form admin-stock-form">
<input type="number" name="stock" class="input input--sm" min="0" value="<%= p.stock %>">
<button type="submit" class="btn btn--ghost btn--sm">OK</button>
</form>
</td>
<td><a href="/product/<%= p.slug %>">На сайте</a></td>
</tr>
<% }) %>
</tbody>
</table>
<script src="/js/promo-countdown.js"></script>
<%- include('../partials/layout-end') %>
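Review bot: the `sale_ends_at` input is prefilled with `toISOString().slice(0, 16)`, which is UTC, but `datetime-local` is interpreted in the browser's local zone, so every round trip through this form shifts the deadline by the UTC offset; format the value in the zone the server expects (or keep the ISO string in a hidden field and only use the input for edits). `sale_price_rub` allows `0` (`min="0"`), which the pricing helpers treat as an active sale at zero price; use `min="0.01"` and reject it server-side. The `formaction` on the «Сбросить скидку» button equals the form's own action and can be dropped.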
+107
View File
@@ -0,0 +1,107 @@
<%- include('../partials/layout-start') %>
<div class="admin-header">
<h1>Промокоды и скидки</h1>
<%- include('../partials/admin-nav', { adminNav: 'promo' }) %>
</div>
<% if (created) { %><p class="alert alert--success">Промокод создан</p><% } %>
<% if (updated) { %><p class="alert alert--success">Промокод обновлён</p><% } %>
<section class="card account-section--narrow" style="margin-bottom:1.5rem">
<h2>Новый промокод</h2>
<form action="/admin/promo-codes" method="post" class="form form--grid">
<label class="label">Код <input type="text" name="code" class="input" required placeholder="SUMMER20"></label>
<label class="label">Описание <input type="text" name="description" class="input" placeholder="Летняя скидка"></label>
<label class="label">Тип скидки
<select name="discount_type" class="input" id="promo-type-new">
<option value="percent">Процент (%)</option>
<option value="fixed">Фиксированная сумма (₽)</option>
</select>
</label>
<label class="label">
<span id="promo-value-label-new">Размер скидки (%)</span>
<input type="number" name="discount_value" class="input" min="1" required placeholder="10">
</label>
<label class="label">Действует (дней с сегодня) <input type="number" name="valid_days" class="input" value="30" min="1"></label>
<label class="label">Мин. сумма заказа (₽) <input type="number" name="min_order_rub" class="input" value="0" min="0" step="1"></label>
<label class="label">Лимит использований <input type="number" name="max_uses" class="input" min="1" placeholder="без лимита"></label>
<button type="submit" class="btn btn--primary">Создать</button>
</form>
</section>
<table class="cart-table">
<thead>
<tr>
<th>Код</th>
<th>Настройки скидки</th>
<th>Срок / лимит</th>
<th>Использовано</th>
<th></th>
</tr>
</thead>
<tbody>
<% promos.forEach(p => { %>
<tr>
<td><strong><%= p.code %></strong></td>
<td>
<form action="/admin/promo-codes/<%= p.id %>/update" method="post" class="admin-promo-form">
<input type="text" name="description" class="input input--sm" value="<%= p.description || '' %>" placeholder="Описание">
<select name="discount_type" class="input input--sm promo-type-select">
<option value="percent"<%= p.discount_type === 'percent' ? ' selected' : '' %>>%</option>
<option value="fixed"<%= p.discount_type === 'fixed' ? ' selected' : '' %>>₽</option>
</select>
<input type="number" name="discount_value" class="input input--sm" min="1" required
value="<%= p.discount_type === 'percent' ? p.discount_value : (p.discount_value / 100) %>"
title="<%= p.discount_type === 'percent' ? 'Процент' : 'Рубли' %>">
<label class="label label--inline muted">мин. заказ ₽
<input type="number" name="min_order_rub" class="input input--sm" min="0"
value="<%= Math.round(p.min_order_cents / 100) %>">
</label>
<button type="submit" class="btn btn--ghost btn--sm">Сохранить</button>
</form>
</td>
<td>
<form action="/admin/promo-codes/<%= p.id %>/update" method="post" class="admin-promo-form">
<input type="hidden" name="description" value="<%= p.description || '' %>">
<input type="hidden" name="discount_type" value="<%= p.discount_type %>">
<input type="hidden" name="discount_value" value="<%= p.discount_type === 'percent' ? p.discount_value : (p.discount_value / 100) %>">
<input type="hidden" name="min_order_rub" value="<%= Math.round(p.min_order_cents / 100) %>">
<label class="label label--inline">ещё дней
<input type="number" name="valid_days" class="input input--sm" value="7" min="1">
</label>
<label class="label label--inline">лимит
<input type="number" name="max_uses" class="input input--sm" min="1"
value="<%= p.max_uses || '' %>" placeholder="∞">
</label>
<button type="submit" class="btn btn--ghost btn--sm">Продлить</button>
<p class="muted" style="margin:0.25rem 0 0;font-size:0.85rem">до <%= new Date(p.expires_at).toLocaleString('ru-RU') %></p>
</form>
</td>
<td><%= p.use_count %><% if (p.max_uses) { %> / <%= p.max_uses %><% } %></td>
<td>
<span class="badge<%= p.active ? '' : ' badge--muted' %>"><%= p.active ? 'Активен' : 'Выкл.' %></span>
<form action="/admin/promo-codes/<%= p.id %>/toggle" method="post" style="margin-top:0.35rem">
<button type="submit" class="btn btn--ghost btn--sm"><%= p.active ? 'Выключить' : 'Включить' %></button>
</form>
</td>
</tr>
<% }) %>
</tbody>
</table>
<script>
function bindPromoType(selectId, labelId) {
const sel = document.getElementById(selectId);
const lab = document.getElementById(labelId);
if (!sel || !lab) return;
const sync = () => {
lab.textContent = sel.value === 'fixed' ? 'Скидка (₽)' : 'Размер скидки (%)';
};
sel.addEventListener('change', sync);
sync();
}
bindPromoType('promo-type-new', 'promo-value-label-new');
</script>
<%- include('../partials/layout-end') %>
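Review bot: `discount_value` has `min="1"` but no upper bound, so a `percent` code of 150 passes the form; add `max="100"` for the percent type and validate in `/admin/promo-codes`, since a percentage above 100 yields a negative order total. The same input carries rubles for `fixed` and a percentage for `percent`, and the template divides the stored value by 100 only for `fixed`, so the update handler must convert according to `discount_type` in the same request; a mismatch silently changes the discount by a factor of 100. `bindPromoType` is wired only to the create form; the per-row `.promo-type-select` elements have no label to sync, so the class is currently unused.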
+46
View File
@@ -0,0 +1,46 @@
<%- include('../partials/layout-start') %>
<div class="admin-header">
<h1>Бронирования</h1>
<%- include('../partials/admin-nav', { adminNav: 'reservations' }) %>
</div>
<% const resStatus = { active: 'Активна', fulfilled: 'Выполнена', cancelled: 'Отменена', expired: 'Истекла' }; %>
<table class="cart-table">
<thead>
<tr>
<th>№</th>
<th>Клиент</th>
<th>Товар</th>
<th>Кол-во</th>
<th>Статус</th>
<th>До</th>
<th>Действие</th>
</tr>
</thead>
<tbody>
<% reservations.forEach(r => { %>
<tr>
<td>#<%= r.id %></td>
<td><%= r.user_name %><br><span class="muted"><%= r.user_email %></span></td>
<td><%= r.product_name %></td>
<td><%= r.quantity %></td>
<td><span class="status status--<%= r.status === 'active' ? 'pending' : r.status %>"><%= resStatus[r.status] || r.status %></span></td>
<td><%= r.status === 'active' ? new Date(r.expires_at).toLocaleString('ru-RU') : '—' %></td>
<td>
<form method="post" action="/admin/reservations/<%= r.id %>/status" class="admin-status-form">
<select name="status" class="input input--sm">
<% ['active','fulfilled','cancelled','expired'].forEach(s => { %>
<option value="<%= s %>" <%= r.status === s ? 'selected' : '' %>><%= resStatus[s] %></option>
<% }) %>
</select>
<button type="submit" class="btn btn--ghost btn--sm">OK</button>
</form>
</td>
</tr>
<% }) %>
</tbody>
</table>
<%- include('../partials/layout-end') %>
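Review bot: the status select lets an admin set a `cancelled` or `expired` reservation back to `active`; if an active reservation holds stock, `/admin/reservations/:id/status` must re-check availability on that transition and refresh `expires_at`, otherwise the row shows an already-past date in the «До» column.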
+131
View File
@@ -0,0 +1,131 @@
<%- include('../partials/layout-start') %>
<div class="admin-header">
<h1>Обновление с Git</h1>
<%- include('../partials/admin-nav', { adminNav: 'system' }) %>
</div>
<% if (updateOk) { %>
<p class="alert alert--success">Обновление выполнено успешно. Если сайт не открывается — подождите 10–20 сек и обновите страницу.</p>
<% } %>
<% if (updateFail) { %>
<p class="alert alert--error">Обновление завершилось с ошибкой (код <%= updateCode %>).</p>
<% } %>
<% if (confirmError) { %>
<p class="alert alert--error">Введите <strong>update</strong> для подтверждения.</p>
<% } %>
<% if (disabledError) { %>
<p class="alert alert--warn">Обновление из админки отключено на этом сервере.</p>
<% } %>
<section class="card admin-system">
<h2>Текущая версия</h2>
<% if (!git.available) { %>
<p class="alert alert--warn"><%= git.reason || 'Git недоступен' %></p>
<% } else { %>
<dl class="profile-dl admin-system__meta">
<dt>Версия приложения</dt>
<dd><strong>v<%= git.packageVersion || '?' %></strong></dd>
<dt>Каталог</dt>
<dd><code class="admin-system__path"><%= git.shopRoot %></code></dd>
<% if (git.repoOwner) { %>
<dt>Владелец .git</dt>
<dd><code><%= git.repoOwner %></code> <span class="muted">(git pull выполняется от этого пользователя)</span></dd>
<% } %>
<dt>Ветка</dt>
<dd><%= git.branch %></dd>
<dt>Коммит</dt>
<dd>
<code><%= git.commitShort %></code>
— <%= git.commitSubject %>
<span class="muted">(<%= git.commitDate %>)</span>
</dd>
<% if (git.dirty) { %>
<dt>Состояние</dt>
<dd>
<span class="badge badge--warn">Есть незакоммиченные изменения</span>
<% if (git.dirtyHint) { %><p class="muted" style="margin:0.35rem 0 0;font-size:0.85rem"><%= git.dirtyHint %></p><% } %>
</dd>
<% } %>
<% if (git.behind != null) { %>
<dt>На origin/main</dt>
<dd>
<% if (git.remoteShort) { %>
<span class="muted">Удалённо: <code><%= git.remoteShort %></code></span><br>
<% } %>
<% if (git.diverged) { %>
<span class="badge badge--warn">Истории разошлись</span>
<span class="badge badge--sale">Можно подтянуть: <%= git.behind %> комм.</span>
<span class="muted">Локально впереди на <%= git.ahead %> комм.</span>
<p class="muted" style="margin:0.35rem 0 0;font-size:0.85rem">Обновление из админки сделает <code>git pull</code> (как на origin). Локальные коммиты могут быть сброшены.</p>
<% } else if (git.behind > 0) { %>
<span class="badge badge--sale">Доступно обновлений: <%= git.behind %></span>
<% } else if (git.ahead > 0) { %>
<span class="badge badge--warn">Локально впереди origin на <%= git.ahead %> комм.</span>
<% } else { %>
<span class="badge">Актуально</span>
<% } %>
</dd>
<% } %>
<% if (git.fetchError) { %>
<dt>origin</dt>
<dd class="muted">Не удалось проверить: <%= git.fetchError %></dd>
<% } %>
</dl>
<% } %>
<div class="admin-system__actions">
<form action="/admin/system/check" method="post" class="inline-form">
<button type="submit" class="btn btn--ghost">
<%- include('../partials/icon', { name: 'refresh', iconSize: 18 }) %>
Проверить на Git
</button>
</form>
</div>
<% if (git.updateEnabled) { %>
<hr class="admin-system__hr">
<h2>Обновить сейчас</h2>
<p class="muted admin-hint">
Выполняется <code>git pull</code>, <code>npm install</code> и перезапуск службы <code>shop</code>.
Страница может оборваться на несколько секунд — это нормально.
</p>
<form action="/admin/system/update" method="post" class="form admin-system__form" onsubmit="return confirm('Обновить код с Git и перезапустить магазин?');">
<label class="label">
Подтверждение: введите <strong>update</strong>
<input type="text" name="confirm" class="input" required autocomplete="off" placeholder="update">
</label>
<button type="submit" class="btn btn--primary btn--lg">
<%- include('../partials/icon', { name: 'download', iconSize: 20 }) %>
Обновить с Git
</button>
</form>
<% } else if (git.available) { %>
<p class="alert alert--warn">
Обновление из админки отключено (Windows, нет .git или <code>ADMIN_UPDATE_ENABLED=0</code>).
На сервере: <code>bash "$SHOP_ROOT/scripts/server-update.sh"</code>
</p>
<% } %>
</section>
<% if (updateLog) { %>
<section class="card admin-system__log">
<h2>Журнал обновления</h2>
<pre class="admin-system__pre"><%= updateLog %></pre>
</section>
<% } %>
<section class="card admin-system__help muted">
<h2>Настройка сервера</h2>
<p>В <code>.env</code>:</p>
<pre class="admin-system__pre">SHOP_ROOT=<%= git.shopRoot || '/opt/shop/shop10' %>
ADMIN_UPDATE_ENABLED=1
ADMIN_UPDATE_USE_SUDO=1
SHOP_GIT_USER=<%= git.repoOwner || 'root' %></pre>
<p>Sudoers для <code>www-data</code> (от root):</p>
<pre class="admin-system__pre">www-data ALL=(root) NOPASSWD: <%= git.shopRoot || '/opt/shop/shop10' %>/scripts/admin-web-update.sh
www-data ALL=(<%= git.repoOwner || 'root' %>) NOPASSWD: /usr/bin/git</pre>
<p class="muted">«Проверить на Git» — через <code>ls-remote</code> (без записи в .git). Pull — от владельца каталога.</p>
</section>
<%- include('../partials/layout-end') %>
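Review bot: the sudoers hint at the end of the hunk (`www-data ALL=(root) NOPASSWD: <shopRoot>/scripts/admin-web-update.sh` and `www-data ALL=(<owner>) NOPASSWD: /usr/bin/git`) grants more than the feature needs. The root-run script lives inside the tree that `git pull` rewrites, so whoever can write to the checkout or to origin decides what runs as root; and an unrestricted `/usr/bin/git` rule lets the web user run any git subcommand with any arguments as the repository owner. Suggest installing the update script outside the repository as a root-owned, non-writable copy (for example under /usr/local/sbin) and pointing sudoers at that path, and narrowing the git rule to the exact invocations this page describes (`git -C <shopRoot> ls-remote origin` and `git -C <shopRoot> pull`) via a `Cmnd_Alias`. Separately, the form posting to `/admin/system/update` carries only the typed `confirm` field and no CSRF token; unless a global CSRF middleware or a strict SameSite session cookie covers it, a code pull plus service restart is reachable by a cross-site POST.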
+38
@@ -0,0 +1,38 @@
<%- include('../partials/layout-start') %>
<div class="admin-header">
<h1>Пользователи</h1>
<%- include('../partials/admin-nav', { adminNav: 'users' }) %>
</div>
<p class="muted admin-hint">
Один администратор — зарегистрированный пользователь с email из <code>ADMIN_EMAIL</code> в <code>.env</code>.
Остальные при регистрации получают роль «Клиент».
</p>
<table class="cart-table">
<thead>
<tr>
<th>ID</th>
<th>Имя</th>
<th>Email</th>
<th>Роль</th>
<th>Регистрация</th>
</tr>
</thead>
<tbody>
<% users.forEach(u => { %>
<tr>
<td><%= u.id %></td>
<td><%= u.name %></td>
<td><%= u.email %></td>
<td>
<span class="role-badge role-badge--<%= u.role %>"><%= roleLabels[u.role] || u.role %></span>
</td>
<td><%= new Date(u.created_at).toLocaleString('ru-RU') %></td>
</tr>
<% }) %>
</tbody>
</table>
<%- include('../partials/layout-end') %>
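Review bot: `new Date(u.created_at).toLocaleString('ru-RU')` in the table body renders `Invalid Date` for a null or non-ISO `created_at` and formats in the server's time zone, so two admins on differently configured hosts see different timestamps; guard the missing value and pass an explicit `timeZone` option. The page lists every account's email address and the template itself has no access check (as expected), so confirm that `/admin/users` sits behind the same admin guard as the other admin routes.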
+19
@@ -0,0 +1,19 @@
<%- include('../partials/layout-start') %>
<div class="auth">
<form action="/forgot-password" method="post" class="form card">
<h1>Сброс пароля</h1>
<% if (error) { %><p class="alert alert--error"><%= error %></p><% } %>
<% if (success) { %><p class="alert alert--success"><%= success %></p><% } %>
<p class="muted">Укажите email аккаунта — отправим ссылку для нового пароля.</p>
<label class="label">
Email
<input type="email" name="email" class="input" required value="<%= values.email || '' %>" autocomplete="email">
</label>
<%- include('../partials/captcha-widget') %>
<button type="submit" class="btn btn--primary btn--block">Отправить ссылку</button>
<p class="form-footer"><a href="/login">← Вход</a></p>
</form>
</div>
<%- include('../partials/layout-end') %>
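Review bot: the form renders both an `error` and a `success` alert; whatever the controller puts in them must not differ depending on whether the email is registered, otherwise the page becomes an account-existence oracle despite the captcha. Render the same neutral success text for known and unknown addresses, and rate-limit the handler per address and per IP, since the captcha only raises the cost of automation and does not replace the limit.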
+11
@@ -0,0 +1,11 @@
<%- include('../partials/layout-start') %>
<div class="auth">
<div class="card form">
<h1>Пароль изменён</h1>
<p class="alert alert--success">Теперь можно войти с новым паролем.</p>
<a href="/login" class="btn btn--primary btn--block">Войти</a>
</div>
</div>
<%- include('../partials/layout-end') %>
+28
@@ -0,0 +1,28 @@
<%- include('../partials/layout-start') %>
<div class="auth">
<% if (token) { %>
<form action="/reset-password" method="post" class="form card">
<h1>Новый пароль</h1>
<% if (error) { %><p class="alert alert--error"><%= error %></p><% } %>
<input type="hidden" name="token" value="<%= token %>">
<label class="label">
Новый пароль
<input type="password" name="password" class="input" required minlength="6" autocomplete="new-password">
</label>
<label class="label">
Повторите пароль
<input type="password" name="password2" class="input" required minlength="6" autocomplete="new-password">
</label>
<button type="submit" class="btn btn--primary btn--block">Сохранить пароль</button>
</form>
<% } else { %>
<div class="card form">
<h1>Ссылка недействительна</h1>
<% if (error) { %><p class="alert alert--error"><%= error %></p><% } %>
<a href="/forgot-password" class="btn btn--primary">Запросить снова</a>
</div>
<% } %>
</div>
<%- include('../partials/layout-end') %>
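Review bot: `minlength="6"` on both password inputs is client-side only and a low floor; the `/reset-password` handler must enforce its own length rule and check that `password` and `password2` match, because the template ships no script that compares them. The hidden `token` input is escaped correctly, but if the token reaches this page through the URL, note that the shared layout loads fonts from fonts.googleapis.com, so the full URL including the token goes out in the Referer header unless a `Referrer-Policy` (for example `no-referrer` or `strict-origin-when-cross-origin`) is set; make the token single-use and short-lived on the server as well.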
+77 -6
@@ -3,6 +3,8 @@
<h1>Корзина</h1> <h1>Корзина</h1>
<% if (error) { %><p class="alert alert--error"><%= error %></p><% } %> <% if (error) { %><p class="alert alert--error"><%= error %></p><% } %>
<% if (promoOk) { %><p class="alert alert--success"><%= promoOk %></p><% } %>
<% if (promoErr) { %><p class="alert alert--error"><%= promoErr %></p><% } %>
<% if (!items.length) { %> <% if (!items.length) { %>
<p class="empty">Корзина пуста. <a href="/">Перейти в каталог</a></p> <p class="empty">Корзина пуста. <a href="/">Перейти в каталог</a></p>
@@ -27,28 +29,97 @@
<% } %> <% } %>
<a href="/product/<%= item.slug %>"><%= item.name %></a> <a href="/product/<%= item.slug %>"><%= item.name %></a>
</td> </td>
<td><%= formatPrice(item.price_cents) %></td> <td class="cart-table__price">
<%- include('partials/product-price', {
product: item,
forceOnSale: item.on_sale,
forceEffective: item.effective_price_cents,
priceSize: 'sm'
}) %>
</td>
<td> <td>
<input type="number" name="items[<%= item.id %>]" value="<%= item.quantity %>" min="0" max="<%= item.stock %>" class="input input--qty"> <input type="number" name="items[<%= item.id %>]" value="<%= item.quantity %>" min="0" max="<%= item.stock %>" class="input input--qty">
</td> </td>
<td><%= formatPrice(item.line_total) %></td> <td><%= formatPrice(item.line_total) %></td>
<td> <td>
<button type="submit" formaction="/cart/remove/<%= item.id %>" formmethod="post" class="btn btn--ghost btn--sm" title="Удалить">×</button> <button type="submit" formaction="/cart/remove/<%= item.id %>" formmethod="post" class="btn btn--ghost btn--sm btn--icon" title="Удалить" aria-label="Удалить">
<%- include('partials/icon', { name: 'trash', iconSize: 16 }) %>
</button>
</td> </td>
</tr> </tr>
<% }) %> <% }) %>
</tbody> </tbody>
</table> </table>
<div class="cart-actions">
<button type="submit" class="btn btn--ghost">Обновить</button> <div class="cart-sidebar">
<p class="cart-total">Итого: <strong><%= formatPrice(total) %></strong></p> <section class="card promo-box">
<h2 class="promo-box__title">Промокод</h2>
<% if (pricing.promo) { %>
<p class="promo-box__applied">
<strong><%= pricing.promo.code %></strong>
<% if (pricing.promo.description) { %> — <%= pricing.promo.description %><% } %>
</p>
<p class="promo-box__discount">Скидка: <%= formatPrice(pricing.promoDiscount) %></p>
<div class="promo-countdown" data-expires="<%= pricing.promo.expires_at %>">
<span class="promo-countdown__label">До конца акции:</span>
<span class="promo-countdown__timer">—</span>
</div>
<form action="/cart/promo/remove" method="post" class="inline-form">
<button type="submit" class="btn btn--ghost btn--sm">Убрать промокод</button>
</form>
<% } else { %>
<form action="/cart/promo" method="post" class="promo-box__form">
<input type="text" name="code" class="input" placeholder="WELCOME10" required autocomplete="off">
<button type="submit" class="btn btn--primary">Применить</button>
</form>
<% } %>
</section>
<% if (user) { %> <% if (user) { %>
<a href="/checkout" class="btn btn--primary btn--lg">Оформить заказ</a> <section class="card promo-box">
<h2 class="promo-box__title">Баллы лояльности</h2>
<p class="muted">На счёте: <strong><%= pricing.loyaltyBalance %></strong> баллов (1 балл = 1 коп.)</p>
<% if (pricing.pointsEarned > 0) { %>
<p class="muted">За этот заказ начислим: +<%= pricing.pointsEarned %> баллов</p>
<% } %>
<% if (pricing.loyaltyDiscount > 0) { %>
<p class="promo-box__discount">Списано: <%= formatPrice(pricing.loyaltyDiscount) %> (<%= pricing.loyaltyPointsUsed %> баллов)</p>
<form action="/cart/loyalty/remove" method="post">
<button type="submit" class="btn btn--ghost btn--sm">Отменить списание</button>
</form>
<% } else if (pricing.loyaltyBalance > 0) { %>
<form action="/cart/loyalty" method="post" class="promo-box__form">
<button type="submit" name="use_all" value="1" class="btn btn--ghost">Списать все доступные</button>
</form>
<% } %>
</section>
<% } %>
<section class="card cart-summary">
<dl class="cart-summary__dl">
<dt>Товары</dt>
<dd><%= formatPrice(pricing.subtotal) %></dd>
<% if (pricing.promoDiscount > 0) { %>
<dt>Промокод</dt>
<dd class="cart-summary__discount"><%= formatPrice(pricing.promoDiscount) %></dd>
<% } %>
<% if (pricing.loyaltyDiscount > 0) { %>
<dt>Лояльность</dt>
<dd class="cart-summary__discount"><%= formatPrice(pricing.loyaltyDiscount) %></dd>
<% } %>
<dt class="cart-summary__total-label">К оплате</dt>
<dd class="cart-summary__total"><%= formatPrice(pricing.total) %></dd>
</dl>
<% if (user) { %>
<a href="/checkout" class="btn btn--primary btn--lg btn--block">Оформить заказ</a>
<% } else { %> <% } else { %>
<p class="hint"><a href="/login?next=/checkout">Войдите</a>, чтобы оформить заказ.</p> <p class="hint"><a href="/login?next=/checkout">Войдите</a>, чтобы оформить заказ.</p>
<% } %> <% } %>
</section>
</div> </div>
</form> </form>
<% } %> <% } %>
<script src="/js/promo-countdown.js"></script>
<%- include('partials/layout-end') %> <%- include('partials/layout-end') %>
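Review bot: the new sidebar nests `<form action="/cart/promo" ...>`, `/cart/promo/remove`, `/cart/loyalty` and `/cart/loyalty/remove` inside the outer cart form, which is still closed by the `</form>` just before `<% } %>`. Nested forms are invalid HTML: browsers drop the inner `<form>` start tags, the first inner `</form>` ends the outer form, and "Применить" / "Списать все доступные" then submit to the outer form's action with the `code` field attached. Either close the outer form right after `</table>` (the old "Обновить" submit button, which the right side also removes, belongs there so quantity edits can still be sent) and put `cart-sidebar` after it, or keep one form and give the inner buttons `formaction`/`formmethod` as the remove button already does. None of these state-changing POSTs carries a CSRF token field in this hunk.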
+29 -1
@@ -36,8 +36,36 @@
</li> </li>
<% }) %> <% }) %>
</ul> </ul>
<p class="checkout-total">Итого: <strong><%= formatPrice(total) %></strong></p> <% if (pricing.promo) { %>
<p class="checkout-promo">
Промокод <strong><%= pricing.promo.code %></strong>
<span class="promo-countdown" data-expires="<%= pricing.promo.expires_at %>">
(<span class="promo-countdown__timer">—</span>)
</span>
</p>
<% } %>
<dl class="cart-summary__dl">
<dt>Товары</dt>
<dd><%= formatPrice(pricing.subtotal) %></dd>
<% if (pricing.promoDiscount > 0) { %>
<dt>Скидка по промокоду</dt>
<dd class="cart-summary__discount"><%= formatPrice(pricing.promoDiscount) %></dd>
<% } %>
<% if (pricing.loyaltyDiscount > 0) { %>
<dt>Баллы лояльности</dt>
<dd class="cart-summary__discount"><%= formatPrice(pricing.loyaltyDiscount) %></dd>
<% } %>
<% if (pricing.pointsEarned > 0) { %>
<dt>Начислим баллов</dt>
<dd>+<%= pricing.pointsEarned %></dd>
<% } %>
<dt class="cart-summary__total-label">К оплате</dt>
<dd class="cart-summary__total"><%= formatPrice(pricing.total) %></dd>
</dl>
<p class="muted"><a href="/cart">Изменить корзину или промокод</a></p>
</aside> </aside>
</div> </div>
<script src="/js/promo-countdown.js"></script>
<%- include('partials/layout-end') %> <%- include('partials/layout-end') %>
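Review bot: the summary block (`pricing.subtotal`, `pricing.promoDiscount`, `pricing.loyaltyDiscount`, `pricing.pointsEarned`, `pricing.total`) and the `promo-countdown` timer are display only; the `/checkout` POST handler must recompute the totals from the cart and re-validate `promo.expires_at`, any usage limits and the loyalty balance at order time rather than trusting what was rendered here, because the countdown reaching zero in the browser changes nothing on the server. `data-expires="<%= pricing.promo.expires_at %>"` is escaped correctly; emit it as an ISO 8601 timestamp with an explicit zone so `promo-countdown.js` does not interpret it in the visitor's local zone.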
+24
@@ -0,0 +1,24 @@
<%- include('partials/layout-start') %>
<article class="legal-page card">
<h1>Политика использования cookies</h1>
<h2>Что такое cookies</h2>
<p>Cookies — небольшие файлы, которые сайт сохраняет в браузере для корректной работы сервиса.</p>
<h2>Какие cookies мы используем</h2>
<ul>
<li><strong>cookie_consent</strong> — запоминает ваш выбор (принятие политики), срок до 1 года.</li>
<li><strong>connect.sid</strong> — сессия: корзина, вход в аккаунт, безопасность. Удаляется после выхода или по истечении срока.</li>
</ul>
<h2>Без согласия</h2>
<p>Вы можете просматривать каталог. Вход, регистрация и личный кабинет недоступны до нажатия «Принимаю».</p>
<h2>Управление</h2>
<p>Вы можете удалить cookies в настройках браузера. После этого потребуется снова принять политику и войти в аккаунт.</p>
<p><a href="/">← На главную</a></p>
</article>
<%- include('partials/layout-end') %>
+15
@@ -0,0 +1,15 @@
<%- include('partials/layout-start', { returnTo: returnTo }) %>
<div class="cookies-required">
<h1>Согласие на cookies</h1>
<p>Для этой страницы (вход, регистрация, личный кабинет) необходимо принять использование cookies.</p>
<p class="muted">Мы сохраняем только технические cookies для сессии и безопасности.</p>
<form action="/cookies/accept" method="post" class="cookie-banner__actions" style="margin-top:1rem">
<input type="hidden" name="return_to" value="<%= returnTo %>">
<button type="submit" class="btn btn--primary btn--lg">Принимаю cookies</button>
<a href="/" class="btn btn--ghost">На главную</a>
</form>
<p style="margin-top:1rem"><a href="/cookies/policy">Политика cookies</a></p>
</div>
<%- include('partials/layout-end') %>
+78 -6
@@ -1,26 +1,91 @@
<%- include('partials/layout-start') %> <%- include('partials/layout-start') %>
<%
function catalogHref(extra) {
const p = new URLSearchParams();
if (searchQuery) p.set('q', searchQuery);
if (saleOnly) p.set('sale', '1');
if (showAll) p.set('all', '1');
if (sort && sort !== 'name') p.set('sort', sort);
if (extra && extra.category) p.set('category', extra.category);
const s = p.toString();
return s ? '/?' + s : '/';
}
%>
<section class="hero"> <section class="hero">
<h1>Каталог товаров</h1> <h1>Каталог товаров</h1>
<p>Доставка по России. Оплата при получении.</p> <p class="hero__lead">Доставка по России · Оплата при получении · Акции со скидкой в каталоге</p>
</section> </section>
<% if (categories.length) { %> <% if (categories.length) { %>
<nav class="categories" aria-label="Категории"> <nav class="categories" aria-label="Категории">
<a href="/" class="chip <%= !activeCategory ? 'chip--active' : '' %>">Все</a> <a href="<%= catalogHref() %>" class="chip <%= !activeCategory ? 'chip--active' : '' %>">Все</a>
<% categories.forEach(c => { %> <% categories.forEach(c => { %>
<a href="/?category=<%= c.slug %>" class="chip <%= activeCategory === c.slug ? 'chip--active' : '' %>"><%= c.name %></a> <a href="<%= catalogHref({ category: c.slug }) %>" class="chip <%= activeCategory === c.slug ? 'chip--active' : '' %>"><%= c.name %></a>
<% }) %> <% }) %>
</nav> </nav>
<% } %> <% } %>
<form class="catalog-toolbar" method="get" action="/">
<% if (searchQuery) { %><input type="hidden" name="q" value="<%= searchQuery %>"><% } %>
<% if (activeCategory) { %><input type="hidden" name="category" value="<%= activeCategory %>"><% } %>
<label class="catalog-toolbar__field">
<span class="catalog-toolbar__label">Сортировка</span>
<select name="sort" class="input input--sm" onchange="this.form.submit()">
<option value="name" <%= sort === 'name' ? 'selected' : '' %>>По названию</option>
<option value="price_asc" <%= sort === 'price_asc' ? 'selected' : '' %>>Цена ↑</option>
<option value="price_desc" <%= sort === 'price_desc' ? 'selected' : '' %>>Цена ↓</option>
<option value="newest" <%= sort === 'newest' ? 'selected' : '' %>>Сначала новые</option>
</select>
</label>
<label class="catalog-toolbar__check">
<input type="checkbox" name="sale" value="1" <%= saleOnly ? 'checked' : '' %> onchange="this.form.submit()">
Только со скидкой
</label>
<label class="catalog-toolbar__check">
<input type="checkbox" name="all" value="1" <%= showAll ? 'checked' : '' %> onchange="this.form.submit()">
Показать нет в наличии
</label>
</form>
<% if (recentProducts && recentProducts.length) { %>
<section class="recently-viewed">
<h2 class="recently-viewed__title">Вы недавно смотрели</h2>
<div class="recently-viewed__grid">
<% recentProducts.forEach(p => { %>
<a href="/product/<%= p.slug %>" class="recently-viewed__card card">
<% if (p.image_url) { %>
<img src="<%= p.image_url %>" alt="" class="recently-viewed__img" loading="lazy">
<% } %>
<span class="recently-viewed__name"><%= p.name %></span>
</a>
<% }) %>
</div>
</section>
<% } %>
<% if (!products.length) { %> <% if (!products.length) { %>
<p class="empty">Товары не найдены. Попробуйте другой запрос.</p> <p class="empty">Товары не найдены. Попробуйте другой запрос.</p>
<% } else { %> <% } else { %>
<div class="grid"> <div class="grid">
<% products.forEach(p => { %> <% products.forEach(p => { %>
<article class="card"> <% const onSale = isSaleActive(p); %>
<% const outOfStock = p.stock <= 0; %>
<% const lowStock = !outOfStock && p.stock <= 5; %>
<article class="card<%= onSale ? ' card--sale' : '' %><%= outOfStock ? ' card--out-of-stock' : '' %>">
<a href="/product/<%= p.slug %>" class="card__image-wrap"> <a href="/product/<%= p.slug %>" class="card__image-wrap">
<% if (onSale) { %>
<span class="card__sale-ribbon" aria-hidden="true">
<%- include('partials/icon', { name: 'tag', iconSize: 14 }) %>
<%= salePercent(p) %>%
</span>
<% } %>
<% if (lowStock) { %>
<span class="card__stock-badge">Осталось <%= p.stock %></span>
<% } %>
<% if (outOfStock) { %>
<span class="card__stock-badge card__stock-badge--out">Нет в наличии</span>
<% } %>
<% if (p.image_url) { %> <% if (p.image_url) { %>
<img src="<%= p.image_url %>" alt="<%= p.name %>" class="card__image" loading="lazy"> <img src="<%= p.image_url %>" alt="<%= p.name %>" class="card__image" loading="lazy">
<% } else { %> <% } else { %>
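Review bot: `q`, `sale`, `all` and `sort` are passed straight through `catalogHref` and the hidden inputs, which is fine for the HTML (`URLSearchParams` encodes and `<%= %>` escapes), but `sort` also drives an `ORDER BY` in the controller; the four `<option>` values (`name`, `price_asc`, `price_desc`, `newest`) should map to fixed SQL fragments there and anything else be rejected, never interpolated. The `onchange="this.form.submit()"` attributes on the select and both checkboxes are inline handlers that a `script-src` CSP without `'unsafe-inline'` will block; move them to an external script and keep a plain submit button for visitors without JavaScript.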
@@ -32,12 +97,19 @@
<span class="card__category"><%= p.category_name %></span> <span class="card__category"><%= p.category_name %></span>
<% } %> <% } %>
<h2 class="card__title"><a href="/product/<%= p.slug %>"><%= p.name %></a></h2> <h2 class="card__title"><a href="/product/<%= p.slug %>"><%= p.name %></a></h2>
<p class="card__price"><%= formatPrice(p.price_cents) %></p> <%- include('partials/product-price', { product: p, priceSize: 'md' }) %>
<% if (!outOfStock) { %>
<form action="/cart/add" method="post" class="card__form"> <form action="/cart/add" method="post" class="card__form">
<input type="hidden" name="product_id" value="<%= p.id %>"> <input type="hidden" name="product_id" value="<%= p.id %>">
<input type="hidden" name="redirect" value="/cart"> <input type="hidden" name="redirect" value="/cart">
<button type="submit" class="btn btn--primary btn--block">В корзину</button> <button type="submit" class="btn btn--primary btn--block">
<%- include('partials/icon', { name: 'cart', iconSize: 18 }) %>
В корзину
</button>
</form> </form>
<% } else { %>
<a href="/product/<%= p.slug %>" class="btn btn--ghost btn--block">Подробнее</a>
<% } %>
</div> </div>
</article> </article>
<% }) %> <% }) %>
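Review bot: hiding the add-to-cart form in the `<% if (!outOfStock) { %>` branch is presentation only; `/cart/add` must check stock for the posted `product_id` itself, just as the `max="<%= item.stock %>"` on the cart quantity input elsewhere in this diff is only a client-side hint. The hidden `redirect` input (`value="/cart"`) is another post-action redirect target that the handler should restrict to a relative path.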
+28 -5
@@ -4,18 +4,41 @@
<form action="/login" method="post" class="form card"> <form action="/login" method="post" class="form card">
<h1>Вход</h1> <h1>Вход</h1>
<% if (error) { %><p class="alert alert--error"><%= error %></p><% } %> <% if (error) { %><p class="alert alert--error"><%= error %></p><% } %>
<input type="hidden" name="next" value="<%= next %>"> <input type="hidden" name="next" id="login-next" value="<%= next %>">
<label class="label"> <label class="label">
Email Email
<input type="email" name="email" class="input" required value="<%= values.email || '' %>"> <input type="email" name="email" id="login-email" class="input" required value="<%= values.email || '' %>">
</label> </label>
<label class="label"> <label class="label">
Пароль Пароль
<input type="password" name="password" class="input" required> <input type="password" name="password" class="input" required autocomplete="current-password">
</label> </label>
<button type="submit" class="btn btn--primary btn--block">Войти</button> <%- include('partials/captcha-widget') %>
<p class="form-footer">Нет аккаунта? <a href="/register">Регистрация</a></p> <button type="submit" class="btn btn--primary btn--block">Войти по паролю</button>
<p class="form-footer">
<a href="/forgot-password">Забыли пароль?</a><br>
Нет аккаунта? <a href="/register">Регистрация</a>
</p>
</form> </form>
<div class="card passkey-login">
<h2 class="passkey-login__title">Или passkey</h2>
<p class="muted passkey-login__hint">Если в профиле включён passkey — войдите без пароля (нужен тот же email).</p>
<p id="passkey-login-error" class="alert alert--error" hidden></p>
<button type="button" id="passkey-login-btn" class="btn btn--ghost btn--block">Войти с passkey</button>
</div>
</div> </div>
<script src="/js/passkey.js"></script>
<script>
document.getElementById('passkey-login-btn')?.addEventListener('click', function () {
ShopPasskey.loginWithPasskey(
document.getElementById('login-email'),
document.getElementById('login-next'),
document.getElementById('passkey-login-error'),
this
);
});
</script>
<%- include('partials/layout-end') %> <%- include('partials/layout-end') %>
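Review bot: `next` (hidden `#login-next`) is fed to both the password POST and `ShopPasskey.loginWithPasskey`, so both server paths need the same same-origin relative-path check before redirecting after login. The inline `<script>` block at the end of the hunk needs `'unsafe-inline'` or a nonce under CSP, and `document.getElementById('passkey-login-btn')?.addEventListener` fails silently on browsers without optional chaining; moving the handler into `/js/passkey.js` removes both issues. Since the hint says the same email is required, the passkey endpoint should answer identically for an email without a registered passkey and for an unknown email, otherwise it becomes an enumeration channel.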
+13 -1
@@ -22,7 +22,19 @@
</li> </li>
<% }) %> <% }) %>
</ul> </ul>
<p class="checkout-total">Итого: <strong><%= formatPrice(order.total_cents) %></strong></p> <% const subtotal = order.subtotal_cents != null ? order.subtotal_cents : order.total_cents; %>
<% if (order.discount_cents > 0) { %>
<dl class="cart-summary__dl">
<dt>Товары</dt>
<dd><%= formatPrice(subtotal) %></dd>
<dt>Скидка</dt>
<dd class="cart-summary__discount"><%= formatPrice(order.discount_cents) %></dd>
</dl>
<% } %>
<% if (order.loyalty_points_earned > 0) { %>
<p class="muted">Начислено баллов лояльности: +<%= order.loyalty_points_earned %></p>
<% } %>
<p class="checkout-total">К оплате: <strong><%= formatPrice(order.total_cents) %></strong></p>
</div> </div>
<p><a href="/orders" class="link-back">← Все заказы</a></p> <p><a href="/orders" class="link-back">← Все заказы</a></p>
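Review bot: the fallback `subtotal = order.subtotal_cents != null ? order.subtotal_cents : order.total_cents` is inconsistent for older orders that have `discount_cents > 0` but no stored subtotal: the block then shows Товары equal to К оплате while also listing a discount. Use `order.total_cents + order.discount_cents` in the fallback, or skip the breakdown when `subtotal_cents` is null, so the three numbers add up.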
+16
@@ -0,0 +1,16 @@
<%
const nav = typeof adminNav !== 'undefined' ? adminNav : '';
function navClass(id) {
return 'admin-nav__link' + (nav === id ? ' admin-nav__link--active' : '');
}
%>
<nav class="admin-nav">
<a href="/admin" class="<%= navClass('dashboard') %>">Обзор</a>
<a href="/admin/orders" class="<%= navClass('orders') %>">Заказы</a>
<a href="/admin/users" class="<%= navClass('users') %>">Пользователи</a>
<a href="/admin/products" class="<%= navClass('products') %>">Товары</a>
<a href="/admin/promo-codes" class="<%= navClass('promo') %>">Промокоды</a>
<a href="/admin/reservations" class="<%= navClass('reservations') %>">Бронирования</a>
<a href="/admin/system" class="<%= navClass('system') %>">Обновление</a>
<a href="/" class="admin-nav__link">В магазин</a>
</nav>
+23
@@ -0,0 +1,23 @@
<aside class="captcha-block" aria-label="Защита от ботов">
<p class="captcha-block__yandex-notice">
<%- include('icon', { name: 'shield', iconSize: 14 }) %>
<%= yandexCaptchaBlockedMsg %>
</p>
<% if (captcha && captcha.blocked) { %>
<p class="alert alert--error">Капча недоступна: выбран заблокированный провайдер. В .env укажите <code>CAPTCHA_PROVIDER=google</code> или <code>cloudflare</code>.</p>
<% } else if (captcha && captcha.enabled) { %>
<div class="captcha-widget">
<% if (captcha.provider === 'cloudflare') { %>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
<div class="cf-turnstile" data-sitekey="<%= captcha.siteKey %>" data-theme="dark"></div>
<% } else { %>
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<div class="g-recaptcha" data-sitekey="<%= captcha.siteKey %>" data-theme="dark"></div>
<% } %>
</div>
<p class="muted captcha-block__provider">
<% if (captcha.provider === 'cloudflare') { %>Проверка: Cloudflare Turnstile<% } else { %>Проверка: Google reCAPTCHA<% } %>
</p>
<% } %>
</aside>
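Review bot: the `captcha.blocked` branch shows unauthenticated visitors a message that names `.env` and `CAPTCHA_PROVIDER=google` / `cloudflare`; that is operator guidance and belongs in the server log and the admin page, with users getting a generic "проверка временно недоступна" text. When `captcha.enabled` is true the form handlers must fail closed: if the widget did not load (script blocked, provider down) no token is posted, and the server should reject the submission rather than skip verification. `siteKey` is public and escaping it with `<%= %>` is correct; the two provider scripts need CSP allowlist entries for `challenges.cloudflare.com` and `www.google.com` / `www.gstatic.com`.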
+18
@@ -0,0 +1,18 @@
<% if (!cookieConsent) { %>
<div class="cookie-banner" role="dialog" aria-labelledby="cookie-banner-title" aria-live="polite">
<div class="cookie-banner__inner container">
<div class="cookie-banner__text">
<p id="cookie-banner-title"><strong>Мы используем cookies</strong></p>
<p class="muted">
Для входа, регистрации и личного кабинета нужны технические cookies (сессия).
Продолжая без согласия, каталог доступен; авторизация и регистрация — нет.
<a href="/cookies/policy">Подробнее</a>
</p>
</div>
<form action="/cookies/accept" method="post" class="cookie-banner__actions">
<input type="hidden" name="return_to" value="<%= typeof returnTo !== 'undefined' ? returnTo : '/' %>">
<button type="submit" class="btn btn--primary">Принимаю</button>
</form>
</div>
</div>
<% } %>
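Review bot: `return_to` here defaults to `'/'` when `returnTo` is undefined, which is the right fallback, but any non-default value still originates from the request and `/cookies/accept` must validate it as a same-origin relative path before redirecting. The banner combines `role="dialog"` with `aria-live="polite"`; since it is non-modal and cannot be dismissed without accepting, `role="region"` with an `aria-label` describes it more accurately and avoids screen readers announcing a dialog.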
+29
@@ -0,0 +1,29 @@
<%
const sz = typeof iconSize !== 'undefined' ? iconSize : 20;
const cls = 'icon' + (typeof iconClass !== 'undefined' ? ' ' + iconClass : '');
%>
<% if (name === 'cart') { %>
<svg class="<%= cls %>" width="<%= sz %>" height="<%= sz %>" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="9" cy="21" r="1"/><circle cx="20" cy="21" r="1"/><path d="M1 1h4l2.68 13.39a2 2 0 0 0 2 1.61h9.72a2 2 0 0 0 2-1.61L23 6H6"/></svg>
<% } else if (name === 'search') { %>
<svg class="<%= cls %>" width="<%= sz %>" height="<%= sz %>" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="11" cy="11" r="8"/><path d="m21 21-4.3-4.3"/></svg>
<% } else if (name === 'tag') { %>
<svg class="<%= cls %>" width="<%= sz %>" height="<%= sz %>" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M20.59 13.41l-7.17 7.17a2 2 0 0 1-2.83 0L2 12V2h10l8.59 8.59a2 2 0 0 1 0 2.82z"/><line x1="7" y1="7" x2="7.01" y2="7"/></svg>
<% } else if (name === 'user') { %>
<svg class="<%= cls %>" width="<%= sz %>" height="<%= sz %>" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M20 21v-2a4 4 0 0 0-4-4H8a4 4 0 0 0-4 4v2"/><circle cx="12" cy="7" r="4"/></svg>
<% } else if (name === 'shield') { %>
<svg class="<%= cls %>" width="<%= sz %>" height="<%= sz %>" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M12 22s8-4 8-10V5l-8-3-8 3v7c0 6 8 10 8 10z"/></svg>
<% } else if (name === 'plus') { %>
<svg class="<%= cls %>" width="<%= sz %>" height="<%= sz %>" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M12 5v14M5 12h14"/></svg>
<% } else if (name === 'trash') { %>
<svg class="<%= cls %>" width="<%= sz %>" height="<%= sz %>" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M3 6h18M19 6v14a2 2 0 0 1-2 2H7a2 2 0 0 1-2-2V6m3 0V4a2 2 0 0 1 2-2h4a2 2 0 0 1 2 2v2"/></svg>
<% } else if (name === 'clock') { %>
<svg class="<%= cls %>" width="<%= sz %>" height="<%= sz %>" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="12" cy="12" r="10"/><polyline points="12 6 12 12 16 14"/></svg>
<% } else if (name === 'arrow-left') { %>
<svg class="<%= cls %>" width="<%= sz %>" height="<%= sz %>" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="m12 19-7-7 7-7M19 12H5"/></svg>
<% } else if (name === 'refresh') { %>
<svg class="<%= cls %>" width="<%= sz %>" height="<%= sz %>" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M21 12a9 9 0 1 1-2.64-6.36"/><path d="M21 3v6h-6"/></svg>
<% } else if (name === 'download') { %>
<svg class="<%= cls %>" width="<%= sz %>" height="<%= sz %>" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M21 15v4a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2v-4"/><polyline points="7 10 12 15 17 10"/><line x1="12" y1="15" x2="12" y2="3"/></svg>
<% } else if (name === 'package') { %>
<svg class="<%= cls %>" width="<%= sz %>" height="<%= sz %>" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M16.5 9.4 7.55 4.24M21 16V8a2 2 0 0 0-1-1.73l-7-4a2 2 0 0 0-2 0l-7 4A2 2 0 0 0 3 8v8a2 2 0 0 0 1 1.73l7 4a2 2 0 0 0 2 0l7-4A2 2 0 0 0 21 16z"/><polyline points="3.27 6.96 12 12.01 20.73 6.96"/><line x1="12" y1="22.08" x2="12" y2="12"/></svg>
<% } %>
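Review bot: an unrecognised `name` falls through the `if / else if` chain and renders nothing, so a typo in an include silently yields an empty icon; the cart remove button elsewhere in this diff is icon-only (`trash` include plus `aria-label="Удалить"`), so such a slip would leave a blank button. Add a final `<% } else { %>` branch that emits a visible fallback or throws in development. `sz` and `cls` are interpolated with `<%= %>`, so a bad `iconSize` cannot break out of the attribute, but a non-numeric value produces an invalid `width`; coerce it with `Number(iconSize) || 20`.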
+6 -1
@@ -1,8 +1,13 @@
</main> </main>
<footer class="footer"> <footer class="footer">
<div class="container"> <div class="container">
<p>&copy; <%= new Date().getFullYear() %> Shop — локальный интернет-магазин на Node.js + SQLite</p> <p>&copy; <%= new Date().getFullYear() %> Shop ·
<a href="/orders">Заказы</a> ·
<a href="/sitemap.xml">Карта сайта</a> ·
<a href="/cookies/policy">Cookies</a>
</p>
</div> </div>
</footer> </footer>
<%- include('cookie-banner') %>
</body> </body>
</html> </html>
+30 -7
@@ -4,6 +4,9 @@
<meta charset="UTF-8"> <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1">
<title><%= title %> — Shop</title> <title><%= title %> — Shop</title>
<% if (typeof metaDescription !== 'undefined' && metaDescription) { %>
<meta name="description" content="<%= metaDescription %>">
<% } %>
<link rel="preconnect" href="https://fonts.googleapis.com"> <link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin> <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link href="https://fonts.googleapis.com/css2?family=DM+Sans:ital,opsz,wght@0,9..40,400;0,9..40,500;0,9..40,600;0,9..40,700;1,9..40,400&display=swap" rel="stylesheet"> <link href="https://fonts.googleapis.com/css2?family=DM+Sans:ital,opsz,wght@0,9..40,400;0,9..40,500;0,9..40,600;0,9..40,700;1,9..40,400&display=swap" rel="stylesheet">
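Review bot: the new `metaDescription` tag is escaped correctly. The unchanged preconnect and stylesheet lines fetch DM Sans from fonts.googleapis.com on every page, including the password-reset page added in this diff, so a `Referrer-Policy` header or meta tag should be set here to keep URLs out of the Referer sent to the font host; self-hosting the font removes the third-party request altogether.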
@@ -12,24 +15,44 @@
<body> <body>
<header class="header"> <header class="header">
<div class="container header__inner"> <div class="container header__inner">
<a href="/" class="logo">Shop</a> <a href="/" class="logo">
<%- include('icon', { name: 'package', iconSize: 22, iconClass: 'logo__icon' }) %>
Shop
</a>
<form class="search" action="/" method="get"> <form class="search" action="/" method="get">
<span class="search__icon" aria-hidden="true"><%- include('icon', { name: 'search', iconSize: 18 }) %></span>
<input type="search" name="q" placeholder="Поиск товаров…" value="<%= typeof searchQuery !== 'undefined' ? searchQuery : '' %>" aria-label="Поиск"> <input type="search" name="q" placeholder="Поиск товаров…" value="<%= typeof searchQuery !== 'undefined' ? searchQuery : '' %>" aria-label="Поиск">
<button type="submit" class="btn btn--ghost">Найти</button> <button type="submit" class="btn btn--ghost btn--icon-text">Найти</button>
</form> </form>
<nav class="nav"> <nav class="nav">
<a href="/cart" class="nav__link nav__cart"> <a href="/cart" class="nav__link nav__cart nav__link--icon">
Корзина <%- include('icon', { name: 'cart', iconSize: 18 }) %>
<span>Корзина</span>
<% if (cartCount > 0) { %><span class="badge"><%= cartCount %></span><% } %> <% if (cartCount > 0) { %><span class="badge"><%= cartCount %></span><% } %>
</a> </a>
<% if (user) { %> <% if (user) { %>
<a href="/account" class="nav__link"><%= user.name %></a> <% if (typeof isAdmin !== 'undefined' && isAdmin) { %>
<a href="/admin" class="nav__link nav__link--icon nav__admin">
<%- include('icon', { name: 'shield', iconSize: 18 }) %>
<span>Админ</span>
</a>
<% } %>
<a href="/account" class="nav__link nav__link--icon">
<%- include('icon', { name: 'user', iconSize: 18 }) %>
<span><%= user.name %></span>
</a>
<form action="/logout" method="post" class="inline-form"> <form action="/logout" method="post" class="inline-form">
<button type="submit" class="btn btn--ghost btn--sm">Выйти</button> <button type="submit" class="btn btn--ghost btn--sm">Выйти</button>
</form> </form>
<% } else { %> <% } else if (cookieConsent) { %>
<a href="/login" class="nav__link">Вход</a> <a href="/login" class="nav__link nav__link--icon">
<%- include('icon', { name: 'user', iconSize: 18 }) %>
<span>Вход</span>
</a>
<a href="/register" class="btn btn--primary btn--sm">Регистрация</a> <a href="/register" class="btn btn--primary btn--sm">Регистрация</a>
<% } else { %>
<span class="nav__link nav__link--disabled" title="Примите cookies">Вход</span>
<span class="nav__link nav__link--disabled" title="Примите cookies">Регистрация</span>
<% } %> <% } %>
</nav> </nav>
</div> </div>
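Review bot: the `else if (cookieConsent)` branch only swaps the login and registration links for disabled spans, and the `isAdmin` guard only hides the Админ link; `/login`, `/register` and `/admin` must enforce consent and role themselves (the cookies-required page suggests the consent check exists). The `typeof isAdmin !== 'undefined'` guard is needed because EJS throws on undeclared locals; setting `isAdmin: false` in `res.locals` by default would let it go. The logout `<form action="/logout" method="post">` carries no CSRF token field; a cross-site POST can log users out, which is a nuisance rather than a compromise, but the same token the other forms need fixes it.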

Some files were not shown because too many files have changed in this diff.