Update description text: Партнеры MONT и их заказчики

- Store request origin domain in PendingAccessRequest.portal_url
- Use per-request portal URL in approval/rejection emails
- Embed logo as base64 so it displays without external image loading
- Fix 'Предоставлен доступ к продуктам' text color to match body color
- Switch Telegram polling to 30-second interval with single-worker flock fix

app/auth.py

@@ -0,0 +1,102 @@
+import secrets
+from typing import Optional
+
+from fastapi import Depends, HTTPException, Request, status
+from fastapi.responses import RedirectResponse
+from itsdangerous import BadSignature, URLSafeTimedSerializer
+from passlib.context import CryptContext
+from sqlalchemy.orm import Session
+
+from config import COOKIE_MAX_AGE, COOKIE_NAME, CSRF_COOKIE
+from database import get_db
+from models import User, UserServiceAccess
+from utils import now_utc
+from sqlalchemy import select
+
+import os
+
+_SIGNING_KEY = os.getenv("SIGNING_KEY", secrets.token_urlsafe(32))
+serializer = URLSafeTimedSerializer(_SIGNING_KEY, salt="portal-auth")
+pwd_context = CryptContext(schemes=["argon2"], deprecated="auto")
+
+
+def hash_password(password: str) -> str:
+    return pwd_context.hash(password)
+
+
+def verify_password(password: str, password_hash: str) -> bool:
+    return pwd_context.verify(password, password_hash)
+
+
+def user_is_valid(user: User) -> bool:
+    return bool(user.active and user.expires_at > now_utc())
+
+
+def issue_auth_cookie(response: RedirectResponse, user: User) -> None:
+    token = serializer.dumps({"user_id": user.id})
+    response.set_cookie(
+        key=COOKIE_NAME,
+        value=token,
+        httponly=True,
+        secure=True,
+        samesite="strict",
+        max_age=COOKIE_MAX_AGE,
+        path="/",
+    )
+
+
+def issue_csrf_cookie(response: RedirectResponse) -> str:
+    token = secrets.token_urlsafe(24)
+    response.set_cookie(
+        key=CSRF_COOKIE,
+        value=token,
+        httponly=False,
+        secure=True,
+        samesite="lax",
+        max_age=COOKIE_MAX_AGE,
+        path="/",
+    )
+    return token
+
+
+def get_current_user(request: Request, db: Session = Depends(get_db)) -> Optional[User]:
+    raw = request.cookies.get(COOKIE_NAME)
+    if not raw:
+        return None
+    try:
+        payload = serializer.loads(raw, max_age=COOKIE_MAX_AGE)
+    except BadSignature:
+        return None
+    user = db.get(User, int(payload["user_id"]))
+    if not user or not user_is_valid(user):
+        return None
+    return user
+
+
+def require_user(user: Optional[User] = Depends(get_current_user)) -> User:
+    if not user:
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Unauthorized")
+    return user
+
+
+def require_admin(user: User = Depends(require_user)) -> User:
+    if not user.is_admin:
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Admin only")
+    return user
+
+
+def validate_csrf(request: Request) -> None:
+    cookie = request.cookies.get(CSRF_COOKIE)
+    form_val = request.headers.get("X-CSRF-Token")
+    if request.headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
+        return
+    if not cookie or not form_val or cookie != form_val:
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="CSRF failed")
+
+
+def has_access(db: Session, user_id: int, service_id: int) -> bool:
+    q = select(UserServiceAccess).where(
+        UserServiceAccess.user_id == user_id,
+        UserServiceAccess.service_id == service_id,
+    )
+    return db.scalar(q) is not None

app/config.py

@@ -0,0 +1,47 @@
+import os
+from pathlib import Path
+
+DATABASE_URL = os.getenv("DATABASE_URL", "postgresql+psycopg2://portal:portal@db:5432/portal")
+COOKIE_NAME = "portal_auth"
+CSRF_COOKIE = "csrf_token"
+COOKIE_MAX_AGE = 8 * 60 * 60
+SESSION_IDLE_SECONDS = int(os.getenv("SESSION_IDLE_SECONDS", "7200"))
+PUBLIC_HOST = os.getenv("PUBLIC_HOST", "stend.4mont.ru")
+LOG_LEVEL = os.getenv("LOG_LEVEL", "INFO").upper()
+LOG_SLOW_REQUEST_MS = int(os.getenv("LOG_SLOW_REQUEST_MS", "2000"))
+GO_USER_LOCK_TIMEOUT_SECONDS = float(os.getenv("GO_USER_LOCK_TIMEOUT_SECONDS", "8.0"))
+GO_POOL_LOCK_TIMEOUT_SECONDS = float(os.getenv("GO_POOL_LOCK_TIMEOUT_SECONDS", "20.0"))
+POOL_DISPATCH_RETRIES = int(os.getenv("POOL_DISPATCH_RETRIES", "6"))
+POOL_DISPATCH_REQUEST_TIMEOUT_SECONDS = float(os.getenv("POOL_DISPATCH_REQUEST_TIMEOUT_SECONDS", "2.0"))
+POOL_DISPATCH_SLEEP_SECONDS = float(os.getenv("POOL_DISPATCH_SLEEP_SECONDS", "0.3"))
+TRAEFIK_INTERNAL_URL = os.getenv("TRAEFIK_INTERNAL_URL", "http://traefik")
+PREWARM_POOL_SIZE = int(os.getenv("PREWARM_POOL_SIZE", "2"))
+UNIVERSAL_POOL_SIZE = int(os.getenv("UNIVERSAL_POOL_SIZE", "0"))
+WEB_POOL_SIZE = int(os.getenv("WEB_POOL_SIZE", "20"))
+WEB_POOL_BUFFER = int(os.getenv("WEB_POOL_BUFFER", "2"))
+X11VNC_FLAGS = os.getenv("X11VNC_FLAGS", "-wait 5 -defer 5 -threads")
+MAX_ACTIVE_SERVICES_PER_USER = int(os.getenv("MAX_ACTIVE_SERVICES_PER_USER", "4"))
+WEB_RESOLUTION_MIN_WIDTH = int(os.getenv("WEB_RESOLUTION_MIN_WIDTH", "1024"))
+WEB_RESOLUTION_MIN_HEIGHT = int(os.getenv("WEB_RESOLUTION_MIN_HEIGHT", "720"))
+WEB_RESOLUTION_MAX_WIDTH = int(os.getenv("WEB_RESOLUTION_MAX_WIDTH", "3840"))
+WEB_RESOLUTION_MAX_HEIGHT = int(os.getenv("WEB_RESOLUTION_MAX_HEIGHT", "2160"))
+ENABLE_STARTUP_MAINTENANCE = os.getenv("ENABLE_STARTUP_MAINTENANCE", "1") == "1"
+ICON_UPLOAD_MAX_BYTES = 2 * 1024 * 1024
+ICON_UPLOAD_TYPES = {
+    "image/png": "png",
+    "image/jpeg": "jpg",
+    "image/webp": "webp",
+}
+SERVICE_ICONS_DIR = Path("static/service-icons")
+
+TELEGRAM_BOT_TOKEN = os.getenv("TELEGRAM_BOT_TOKEN", "")
+TELEGRAM_CHAT_ID = os.getenv("TELEGRAM_CHAT_ID", "")
+TELEGRAM_API_URL = os.getenv("TELEGRAM_API_URL", "https://api.telegram.org/bot")
+
+SMTP_HOST     = os.getenv("SMTP_HOST", "mail.hosting.reg.ru")
+SMTP_PORT     = int(os.getenv("SMTP_PORT", "465"))
+SMTP_USERNAME = os.getenv("SMTP_USERNAME", "")
+SMTP_PASSWORD = os.getenv("SMTP_PASSWORD", "")
+SMTP_FROM_EMAIL = os.getenv("SMTP_FROM_EMAIL", "stand@4mont.ru")
+SMTP_FROM_NAME  = os.getenv("SMTP_FROM_NAME", "\u0418\u043d\u0444\u0440\u0430\u0441\u0442\u0443\u043a\u0442\u0443\u0440\u043d\u044b\u0439 \u043f\u043e\u043b\u0438\u0433\u043e\u043d MONT")
+PORTAL_URL    = os.getenv("PORTAL_URL", "https://stend.4mont.ru")

app/conftest.py

@@ -0,0 +1,101 @@
+import os
+import sys
+
+# SQLite in-memory for tests — no PostgreSQL needed
+os.environ.setdefault("DATABASE_URL", "sqlite:///./test.db")
+os.environ.setdefault("SIGNING_KEY", "test-signing-key-32chars-padding!!")
+os.environ.setdefault("ADMIN_USERNAME", "admin")
+os.environ.setdefault("ADMIN_PASSWORD", "testpass123")
+os.environ.setdefault("PUBLIC_HOST", "http://localhost")
+os.environ.setdefault("ENABLE_STARTUP_MAINTENANCE", "0")
+os.environ.setdefault("LOG_LEVEL", "ERROR")
+
+import pytest
+from unittest.mock import MagicMock, patch
+from fastapi.testclient import TestClient
+from sqlalchemy import create_engine
+from sqlalchemy.orm import sessionmaker
+from sqlalchemy.pool import StaticPool
+
+# Patch docker before importing app modules
+_docker_mock = MagicMock()
+_docker_mock.containers.get.side_effect = Exception("no docker in tests")
+_docker_mock.containers.list.return_value = []
+_docker_mock.containers.run.return_value = MagicMock(id="test-container-id", status="running", name="test")
+
+sys.modules.setdefault("docker", MagicMock())
+
+with patch("docker.from_env", return_value=_docker_mock):
+    with patch("runtime.ensure_schema_compatibility", lambda: None):
+        from database import Base, get_db
+        import main as app_module
+
+engine = create_engine(
+    "sqlite:///./test.db",
+    connect_args={"check_same_thread": False},
+    poolclass=StaticPool,
+)
+TestingSessionLocal = sessionmaker(bind=engine)
+Base.metadata.create_all(bind=engine)
+
+# Create admin user
+from auth import hash_password
+from models import User
+with TestingSessionLocal() as db:
+    if not db.query(User).filter(User.username == "admin").first():
+        import datetime as _dt
+        db.add(User(
+            username="admin",
+            password_hash=hash_password("testpass123"),
+            is_admin=True,
+            active=True,
+            expires_at=_dt.datetime(2099, 1, 1, tzinfo=_dt.timezone.utc),
+        ))
+        db.commit()
+
+
+def override_get_db():
+    db = TestingSessionLocal()
+    try:
+        yield db
+    finally:
+        db.close()
+
+
+app_module.app.dependency_overrides[get_db] = override_get_db
+
+
+@pytest.fixture(scope="session")
+def client():
+    with patch("runtime.docker_client", return_value=_docker_mock), \
+         patch("runtime.ensure_schema_compatibility", lambda: None):
+        with TestClient(app_module.app, raise_server_exceptions=False, base_url="https://testserver") as c:
+            yield c
+
+
+def _extract_csrf(client) -> str:
+    """GET / → берём CSRF из HTML и ставим куку вручную."""
+    import re
+    r = client.get("/", follow_redirects=True)
+    assert r.status_code == 200
+    m = re.search(r'name=["\']csrf_token["\'][^>]*value=["\']([^"\']+)["\']'
+                  r'|value=["\']([^"\']+)["\'][^>]*name=["\']csrf_token["\']', r.text)
+    if not m:
+        m = re.search(r'csrf_token["\']?\s*[=:]\s*["\']([^"\']{10,})["\']', r.text)
+    assert m, f"csrf_token not found in HTML: {r.text[:500]}"
+    csrf = m.group(1) or m.group(2)
+    client.cookies.set("portal_csrf", csrf, domain="testserver")
+    return csrf
+
+
+@pytest.fixture(scope="session")
+def auth_client(client):
+    """Client with admin session cookie."""
+    csrf = _extract_csrf(client)
+    r = client.post("/login", data={
+        "username": "admin",
+        "password": "testpass123",
+        "csrf_token": csrf,
+    }, follow_redirects=True)
+    assert r.status_code == 200, f"login failed: {r.status_code} {r.text[:300]}"
+    return client

app/database.py

@@ -0,0 +1,20 @@
+from sqlalchemy import create_engine
+from sqlalchemy.orm import DeclarativeBase, sessionmaker
+
+from config import DATABASE_URL
+
+
+engine = create_engine(DATABASE_URL, pool_pre_ping=True)
+SessionLocal = sessionmaker(bind=engine, autoflush=False, autocommit=False)
+
+
+class Base(DeclarativeBase):
+    pass
+
+
+def get_db():
+    db = SessionLocal()
+    try:
+        yield db
+    finally:
+        db.close()

app/maintenance.py

@@ -0,0 +1,212 @@
+import datetime as dt
+import fcntl
+import logging
+import os
+import threading
+import time
+
+import docker
+from sqlalchemy import select
+
+from config import ENABLE_STARTUP_MAINTENANCE, SESSION_IDLE_SECONDS, WEB_POOL_SIZE
+from database import Base, SessionLocal, engine
+from models import RdpSlot, Service, ServiceType, SessionModel, SessionStatus, User
+from utils import ensure_icons_dir, now_utc
+from auth import hash_password
+from runtime import (
+    _rdp_slot_container_name,
+    disconnect_rdp_slot,
+    docker_client,
+    ensure_schema_compatibility,
+    ensure_universal_pool,
+    ensure_warm_pool,
+    ensure_web_pool,
+    start_rdp_slot_container,
+    stop_runtime_container,
+)
+
+logger = logging.getLogger("portal")
+maintenance_lock_file = None
+
+
+def cleanup_loop():
+    while True:
+        time.sleep(60)
+        db = SessionLocal()
+        try:
+            ensure_universal_pool()
+            ensure_web_pool()
+            for svc in db.scalars(
+                select(Service).where(
+                    Service.active == True,
+                    Service.type.in_([ServiceType.WEB, ServiceType.RDP]),
+                )
+            ).all():
+                if svc.type == ServiceType.WEB and WEB_POOL_SIZE <= 0:
+                    ensure_warm_pool(svc)
+            cutoff = now_utc() - dt.timedelta(seconds=SESSION_IDLE_SECONDS)
+            q = select(SessionModel).where(
+                SessionModel.status == SessionStatus.ACTIVE,
+                SessionModel.last_access_at < cutoff,
+            )
+            stale = db.scalars(q).all()
+            rdp_slots_to_restart: list[int] = []
+            for sess in stale:
+                cid = sess.container_id or ""
+                if cid.startswith("RDPSLOT:"):
+                    try:
+                        rdp_slots_to_restart.append(int(cid.split(":", 1)[1]))
+                    except Exception:
+                        pass
+                elif cid and not (
+                    cid.startswith("POOL:")
+                    or cid.startswith("POOLIDX:")
+                    or cid.startswith("WEBPOOLIDX:")
+                ):
+                    stop_runtime_container(cid)
+                sess.status = SessionStatus.EXPIRED
+            if stale:
+                db.commit()
+            for slot_id in rdp_slots_to_restart:
+                threading.Thread(target=disconnect_rdp_slot, args=(slot_id,), daemon=True).start()
+        except Exception:
+            db.rollback()
+            logger.exception("cleanup_loop_failed")
+        finally:
+            db.close()
+
+
+def bootstrap_admin():
+    admin_user = os.getenv("ADMIN_USERNAME", "admin")
+    admin_password = os.getenv("ADMIN_PASSWORD", "change_me")
+    ttl_days = int(os.getenv("ADMIN_TTL_DAYS", "3650"))
+
+    db = SessionLocal()
+    try:
+        existing = db.scalar(select(User).where(User.username == admin_user))
+        if not existing:
+            db.add(
+                User(
+                    username=admin_user,
+                    password_hash=hash_password(admin_password),
+                    active=True,
+                    is_admin=True,
+                    expires_at=now_utc() + dt.timedelta(days=ttl_days),
+                )
+            )
+            db.commit()
+    finally:
+        db.close()
+
+
+def try_acquire_maintenance_leader() -> bool:
+    global maintenance_lock_file
+    if maintenance_lock_file is not None:
+        return True
+    lock_file = open("/tmp/portal-maintenance.lock", "w")
+    try:
+        fcntl.flock(lock_file.fileno(), fcntl.LOCK_EX | fcntl.LOCK_NB)
+    except BlockingIOError:
+        lock_file.close()
+        return False
+    maintenance_lock_file = lock_file
+    return True
+
+
+def run_maintenance_service() -> None:
+    logger.info("maintenance_service_bootstrap_started")
+    with open("/tmp/portal-schema.lock", "w") as lock_file:
+        fcntl.flock(lock_file.fileno(), fcntl.LOCK_EX)
+        Base.metadata.create_all(bind=engine)
+        ensure_schema_compatibility()
+        fcntl.flock(lock_file.fileno(), fcntl.LOCK_UN)
+
+    ensure_icons_dir()
+    bootstrap_admin()
+
+    maintenance_lock = open("/tmp/portal-maintenance.lock", "w")
+    fcntl.flock(maintenance_lock.fileno(), fcntl.LOCK_EX)
+    logger.info("maintenance_service_leader_acquired")
+
+    db = SessionLocal()
+    try:
+        ensure_universal_pool()
+        ensure_web_pool()
+        for svc in db.scalars(
+            select(Service).where(
+                Service.active == True,
+                Service.type.in_([ServiceType.WEB, ServiceType.RDP]),
+            )
+        ).all():
+            if svc.type == ServiceType.WEB and WEB_POOL_SIZE <= 0:
+                ensure_warm_pool(svc)
+            elif svc.type == ServiceType.RDP:
+                slots = db.scalars(select(RdpSlot).where(RdpSlot.service_id == svc.id)).all()
+                for slot in slots:
+                    try:
+                        cname = _rdp_slot_container_name(svc.slug, slot.id)
+                        try:
+                            c = docker_client().containers.get(cname)
+                            if c.status != "running":
+                                c.start()
+                        except docker.errors.NotFound:
+                            start_rdp_slot_container(slot, svc)
+                            slot.container_name = cname
+                    except Exception:
+                        logger.exception("startup_rdp_slot_start_failed slot_id=%s", slot.id)
+                if slots:
+                    db.commit()
+    finally:
+        db.close()
+
+    logger.info("maintenance_service_loop_started")
+    cleanup_loop()
+
+
+def on_startup() -> None:
+    with open("/tmp/portal-schema.lock", "w") as lock_file:
+        fcntl.flock(lock_file.fileno(), fcntl.LOCK_EX)
+        Base.metadata.create_all(bind=engine)
+        ensure_schema_compatibility()
+        fcntl.flock(lock_file.fileno(), fcntl.LOCK_UN)
+    ensure_icons_dir()
+    bootstrap_admin()
+    if not try_acquire_maintenance_leader():
+        logger.info("maintenance_leader_skipped")
+        return
+
+    if ENABLE_STARTUP_MAINTENANCE:
+        db = SessionLocal()
+        try:
+            ensure_universal_pool()
+            ensure_web_pool()
+            for svc in db.scalars(
+                select(Service).where(
+                    Service.active == True,
+                    Service.type.in_([ServiceType.WEB, ServiceType.RDP]),
+                )
+            ).all():
+                if svc.type == ServiceType.WEB and WEB_POOL_SIZE <= 0:
+                    ensure_warm_pool(svc)
+                elif svc.type == ServiceType.RDP:
+                    slots = db.scalars(select(RdpSlot).where(RdpSlot.service_id == svc.id)).all()
+                    for slot in slots:
+                        try:
+                            cname = _rdp_slot_container_name(svc.slug, slot.id)
+                            try:
+                                c = docker_client().containers.get(cname)
+                                if c.status != "running":
+                                    c.start()
+                            except docker.errors.NotFound:
+                                start_rdp_slot_container(slot, svc)
+                                slot.container_name = cname
+                        except Exception:
+                            logger.exception("startup_rdp_slot_start_failed slot_id=%s", slot.id)
+                    if slots:
+                        db.commit()
+        finally:
+            db.close()
+
+    thread = threading.Thread(target=cleanup_loop, daemon=True)
+    thread.start()
+    logger.info("maintenance_leader_started")

app/maintenance_runner.py

@@ -1,5 +1,4 @@
-import main
-
+import maintenance
 
 if __name__ == "__main__":
-    main.run_maintenance_service()
+    maintenance.run_maintenance_service()

app/models.py

@@ -0,0 +1,132 @@
+import datetime as dt
+import enum
+from typing import Optional
+
+from sqlalchemy import (
+    Boolean, DateTime, Enum, ForeignKey, Integer, String, Text, UniqueConstraint,
+)
+from sqlalchemy.orm import Mapped, mapped_column
+
+from database import Base
+
+
+class ServiceType(str, enum.Enum):
+    WEB = "WEB"
+    VNC = "VNC"
+    RDP = "RDP"
+
+
+class SessionStatus(str, enum.Enum):
+    ACTIVE = "ACTIVE"
+    EXPIRED = "EXPIRED"
+    TERMINATED = "TERMINATED"
+    ROTATED = "ROTATED"
+
+
+class User(Base):
+    __tablename__ = "users"
+
+    id: Mapped[int] = mapped_column(Integer, primary_key=True)
+    username: Mapped[str] = mapped_column(String(64), unique=True, index=True)
+    password_hash: Mapped[str] = mapped_column(String(255))
+    expires_at: Mapped[dt.datetime] = mapped_column(DateTime(timezone=True), index=True)
+    active: Mapped[bool] = mapped_column(Boolean, default=True, index=True)
+    is_admin: Mapped[bool] = mapped_column(Boolean, default=False)
+    first_name: Mapped[str] = mapped_column(String(64), default="")
+    last_name: Mapped[str] = mapped_column(String(64), default="")
+    created_at: Mapped[dt.datetime] = mapped_column(DateTime(timezone=True), default=lambda: dt.datetime.now(dt.timezone.utc))
+
+
+class Service(Base):
+    __tablename__ = "services"
+
+    id: Mapped[int] = mapped_column(Integer, primary_key=True)
+    name: Mapped[str] = mapped_column(String(128))
+    slug: Mapped[str] = mapped_column(String(64), unique=True, index=True)
+    type: Mapped[ServiceType] = mapped_column(Enum(ServiceType), index=True)
+    target: Mapped[str] = mapped_column(Text)
+    comment: Mapped[str] = mapped_column(Text, default="")
+    svc_login: Mapped[str] = mapped_column(String(256), default="")
+    svc_password: Mapped[str] = mapped_column(String(256), default="")
+    svc_cred_hint: Mapped[str] = mapped_column(Text, default="")
+    icon_path: Mapped[str] = mapped_column(Text, default="")
+    active: Mapped[bool] = mapped_column(Boolean, default=True)
+    warm_pool_size: Mapped[int] = mapped_column(Integer, default=0)
+    created_at: Mapped[dt.datetime] = mapped_column(DateTime(timezone=True), default=lambda: dt.datetime.now(dt.timezone.utc))
+
+
+class Category(Base):
+    __tablename__ = "categories"
+
+    id: Mapped[int] = mapped_column(Integer, primary_key=True)
+    name: Mapped[str] = mapped_column(String(128), unique=True, index=True)
+    slug: Mapped[str] = mapped_column(String(64), unique=True, index=True)
+    created_at: Mapped[dt.datetime] = mapped_column(DateTime(timezone=True), default=lambda: dt.datetime.now(dt.timezone.utc))
+
+
+class ServiceCategory(Base):
+    __tablename__ = "service_categories"
+    __table_args__ = (UniqueConstraint("service_id", "category_id", name="uq_service_category"),)
+
+    id: Mapped[int] = mapped_column(Integer, primary_key=True)
+    service_id: Mapped[int] = mapped_column(ForeignKey("services.id", ondelete="CASCADE"), index=True)
+    category_id: Mapped[int] = mapped_column(ForeignKey("categories.id", ondelete="CASCADE"), index=True)
+    created_at: Mapped[dt.datetime] = mapped_column(DateTime(timezone=True), default=lambda: dt.datetime.now(dt.timezone.utc))
+
+
+class UserServiceAccess(Base):
+    __tablename__ = "user_service_access"
+    __table_args__ = (UniqueConstraint("user_id", "service_id", name="uq_user_service"),)
+
+    id: Mapped[int] = mapped_column(Integer, primary_key=True)
+    user_id: Mapped[int] = mapped_column(ForeignKey("users.id", ondelete="CASCADE"), index=True)
+    service_id: Mapped[int] = mapped_column(ForeignKey("services.id", ondelete="CASCADE"), index=True)
+    granted_at: Mapped[dt.datetime] = mapped_column(DateTime(timezone=True), default=lambda: dt.datetime.now(dt.timezone.utc))
+
+
+class RdpSlot(Base):
+    __tablename__ = "rdp_slots"
+
+    id: Mapped[int] = mapped_column(Integer, primary_key=True)
+    service_id: Mapped[int] = mapped_column(ForeignKey("services.id", ondelete="CASCADE"), index=True)
+    rdp_username: Mapped[str] = mapped_column(String(128))
+    rdp_password: Mapped[str] = mapped_column(String(256), default="")
+    container_name: Mapped[Optional[str]] = mapped_column(String(128), nullable=True)
+    created_at: Mapped[dt.datetime] = mapped_column(DateTime(timezone=True), default=lambda: dt.datetime.now(dt.timezone.utc))
+
+
+class SessionModel(Base):
+    __tablename__ = "sessions"
+
+    id: Mapped[str] = mapped_column(String(36), primary_key=True)
+    user_id: Mapped[int] = mapped_column(ForeignKey("users.id", ondelete="CASCADE"), index=True)
+    service_id: Mapped[int] = mapped_column(ForeignKey("services.id", ondelete="CASCADE"), index=True)
+    status: Mapped[SessionStatus] = mapped_column(Enum(SessionStatus), default=SessionStatus.ACTIVE, index=True)
+    created_at: Mapped[dt.datetime] = mapped_column(DateTime(timezone=True), default=lambda: dt.datetime.now(dt.timezone.utc), index=True)
+    last_access_at: Mapped[dt.datetime] = mapped_column(DateTime(timezone=True), default=lambda: dt.datetime.now(dt.timezone.utc), index=True)
+    container_id: Mapped[Optional[str]] = mapped_column(String(128), nullable=True)
+
+
+class AuditLog(Base):
+    __tablename__ = "audit_logs"
+
+    id: Mapped[int] = mapped_column(Integer, primary_key=True)
+    user_id: Mapped[Optional[int]] = mapped_column(Integer, nullable=True, index=True)
+    action: Mapped[str] = mapped_column(String(128), index=True)
+    details: Mapped[str] = mapped_column(Text)
+    created_at: Mapped[dt.datetime] = mapped_column(DateTime(timezone=True), default=lambda: dt.datetime.now(dt.timezone.utc), index=True)
+
+
+class PendingAccessRequest(Base):
+    __tablename__ = "pending_access_requests"
+
+    id: Mapped[str] = mapped_column(String(12), primary_key=True)
+    name: Mapped[str] = mapped_column(String(256))
+    company: Mapped[str] = mapped_column(String(256))
+    email: Mapped[str] = mapped_column(String(256))
+    phone: Mapped[str] = mapped_column(String(64))
+    manager: Mapped[str] = mapped_column(String(256), default="")
+    products_json: Mapped[str] = mapped_column(Text, default="[]")
+    portal_url: Mapped[str] = mapped_column(String(256), default="")
+    status: Mapped[str] = mapped_column(String(16), default="pending")
+    created_at: Mapped[dt.datetime] = mapped_column(DateTime(timezone=True), default=lambda: dt.datetime.now(dt.timezone.utc))

app/static/favicon.svg

@@ -1,11 +1,25 @@
-<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 64 64'>
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" role="img" aria-labelledby="title desc">
+  <title id="title">4MONT favicon</title>
+  <desc id="desc">A compact favicon inspired by the 4MONT logo: a blue geometric 4 and bold black M on a clean rounded square.</desc>
   <defs>
-    <linearGradient id='g' x1='0' y1='0' x2='1' y2='1'>
-      <stop offset='0%' stop-color='#1e6aa8'/>
-      <stop offset='100%' stop-color='#2f8ec8'/>
+    <linearGradient id="blue" x1="5" y1="8" x2="38" y2="58" gradientUnits="userSpaceOnUse">
+      <stop offset="0" stop-color="#0C5CAD"/>
+      <stop offset="0.45" stop-color="#004C92"/>
+      <stop offset="1" stop-color="#002F62"/>
     </linearGradient>
+    <filter id="softShadow" x="-20%" y="-20%" width="140%" height="140%">
+      <feDropShadow dx="0" dy="2" stdDeviation="2" flood-color="#001A33" flood-opacity="0.16"/>
+    </filter>
   </defs>
-  <rect width='64' height='64' rx='14' fill='#eaf3fb'/>
-  <rect x='14' y='14' width='36' height='36' transform='rotate(45 32 32)' fill='url(#g)'/>
-  <rect x='34' y='9' width='14' height='14' transform='rotate(45 41 16)' fill='#b7c0c9'/>
+
+  <rect x="3" y="3" width="58" height="58" rx="14" fill="#FFFFFF"/>
+  <rect x="3.5" y="3.5" width="57" height="57" rx="13.5" fill="none" stroke="#E6EAF0"/>
+
+  <g filter="url(#softShadow)">
+    <!-- Stylized 4 -->
+    <path fill="url(#blue)" d="M7 38.7 27.4 10.2h10.4v28.5h6.3v8.9h-6.3v7.3H27.9v-7.3H7v-8.9Zm20.9 0V25.2L18 38.7h9.9Z"/>
+
+    <!-- Compact M -->
+    <path fill="#050505" d="M39.2 54.9V10.2h9.4l5.7 16.1 5.7-16.1h9.1v44.7h-8.7V30.2l-4.7 13.3h-3.1l-4.8-13.3v24.7h-8.6Z" transform="translate(-5.4 0)"/>
+  </g>
 </svg>

app/static/robots.txt

@@ -0,0 +1,11 @@
+User-agent: *
+Allow: /
+Disallow: /admin
+Disallow: /api/
+Disallow: /go/
+Disallow: /s/
+Disallow: /w/
+Disallow: /u/
+Disallow: /rdp/
+
+Sitemap: https://stend.4mont.ru/sitemap.xml

app/static/sitemap.xml

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
+  <url>
+    <loc>https://stend.4mont.ru/</loc>
+    <changefreq>weekly</changefreq>
+    <priority>1.0</priority>
+  </url>
+</urlset>

app/templates/admin.html

@@ -6,13 +6,25 @@
   <title>Администрирование</title>
   <link rel="stylesheet" href="/static/style.css" />
   <link rel="icon" type="image/svg+xml" href="/static/favicon.svg" />
-  <link rel="alternate icon" type="image/png" href="/static/favicon.png" />
+  <link rel="icon" type="image/png" href="/static/favicon.png" />
+<!-- Yandex.Metrika counter -->
+<script type="text/javascript">
+    (function(m,e,t,r,i,k,a){
+        m[i]=m[i]||function(){(m[i].a=m[i].a||[]).push(arguments)};
+        m[i].l=1*new Date();
+        for (var j = 0; j < document.scripts.length; j++) {if (document.scripts[j].src === r) { return; }}
+        k=e.createElement(t),a=e.getElementsByTagName(t)[0],k.async=1,k.src=r,a.parentNode.insertBefore(k,a)
+    })(window, document,"script","https://mc.yandex.ru/metrika/tag.js?id=109119977", "ym");
+    ym(109119977, "init", {ssr:true, webvisor:true, clickmap:true, ecommerce:"dataLayer", referrer: document.referrer, url: location.href, accurateTrackBounce:true, trackLinks:true});
+</script>
+<noscript><div><img src="https://mc.yandex.ru/watch/109119977" style="position:absolute; left:-9999px;" alt="" /></div></noscript>
+<!-- /Yandex.Metrika counter -->
 </head>
 <body>
   <header class="header">
     <div style="display:flex; align-items:center; gap:0.6rem;">
-      <img src="/static/logo.png" alt="MONT" class="header-logo" />
-      <div>МОНТ - инфрастуктурный полигон | Админ: {{ admin.username }}</div>
+      <a href="https://4mont.ru"><img src="/static/logo.png?v=2" alt="MONT" class="header-logo" /></a>
+      <div>MONT - инфрастуктурный полигон | Админ: {{ admin.username }}</div>
     </div>
     <a href="/" class="btn-link secondary">Главная панель</a>
   </header>
@@ -42,8 +54,8 @@
           <input class="list-search" id="users_search" placeholder="Поиск пользователя..." oninput="filterList('users_search', '#users_list .user-item')" />
           <div class="list-box" id="users_list">
             {% for u in users %}
-              <button class="list-item user-item" data-user-id="{{u.id}}" data-filter="{{u.username|lower}}" onclick='selectUser({{u.id}}, {{u.username|tojson}}, {{u.active|tojson}}, {{u.is_admin|tojson}}, {{u.expires_at.isoformat()|tojson}})'>
-                <div>{{u.username}}</div>
+              <button class="list-item user-item" data-user-id="{{u.id}}" data-filter="{{u.username|lower}}" onclick='selectUser({{u.id}}, {{u.username|tojson}}, {{u.active|tojson}}, {{u.is_admin|tojson}}, {{u.expires_at.isoformat()|tojson}}, {{u.first_name|tojson}}, {{u.last_name|tojson}})'>
+                <div>{{u.username}}{% if u.first_name or u.last_name %} <small style="opacity:.6">— {{ (u.first_name + ' ' + u.last_name)|trim }}</small>{% endif %}</div>
                 <small class="user-days" data-exp="{{u.expires_at.isoformat()}}"></small>
               </button>
             {% endfor %}
@@ -55,6 +67,8 @@
           <div class="form-grid">
             <input id="u_id" type="hidden" />
             <input id="u_name" placeholder="username" />
+            <input id="u_first_name" placeholder="Имя" />
+            <input id="u_last_name" placeholder="Фамилия" />
             <input id="u_exp" type="date" required />
             <input id="u_pwd" placeholder="new password (optional)" type="password" />
             <select id="u_active"><option value="true">active</option><option value="false">inactive</option></select>
@@ -80,6 +94,8 @@
           <div class="list-title">Добавить пользователя</div>
           <div class="form-grid">
             <input id="new_u_name" placeholder="username" />
+            <input id="new_u_first_name" placeholder="Имя" />
+            <input id="new_u_last_name" placeholder="Фамилия" />
             <input id="new_u_pwd" placeholder="password" type="password" />
             <input id="new_u_exp" type="date" required />
             <select id="new_u_active"><option value="true">active</option><option value="false">inactive</option></select>
@@ -295,16 +311,16 @@
             <input id="r_id" type="hidden" />
             <input id="r_name" placeholder="Название сервиса (что увидит user)" oninput="autogenSlug('r_name','r_slug')" />
             <input id="r_slug" placeholder="Системный slug" />
-            <input id="r_host" placeholder="RDP host (например 192.168.1.60)" />
-            <input id="r_port" type="number" min="1" max="65535" placeholder="RDP порт, обычно 3389" />
-            <input id="r_domain" placeholder="Домен (опционально)" />
-            <select id="r_sec">
+            <input id="r_host" placeholder="RDP host (например 192.168.1.60)" oninput="buildRdpTarget('r')" />
+            <input id="r_port" type="number" min="1" max="65535" placeholder="RDP порт, обычно 3389" oninput="buildRdpTarget('r')" />
+            <input id="r_domain" placeholder="Домен (опционально)" oninput="buildRdpTarget('r')" />
+            <select id="r_sec" onchange="buildRdpTarget('r')">
               <option value="">auto</option>
               <option value="nla">nla</option>
               <option value="tls">tls</option>
               <option value="rdp">rdp</option>
             </select>
-            <input id="r_target" placeholder="Собранный target (авто)" />
+            <input id="r_target" placeholder="Собранный target (авто)" readonly style="background:rgba(255,255,255,.05);color:#888;cursor:default" />
             <textarea id="r_comment" placeholder="Описание для пользователя"></textarea>
             <input id="r_svc_login" placeholder="Логин сервиса (показывается на карточке)" />
             <input id="r_svc_password" placeholder="Пароль сервиса (показывается на карточке)" />
@@ -381,16 +397,16 @@
           <div class="form-grid">
             <input id="new_r_name" placeholder="Название сервиса" oninput="autogenSlug('new_r_name','new_r_slug')" />
             <input id="new_r_slug" placeholder="Системный slug" />
-            <input id="new_r_host" placeholder="RDP host" />
-            <input id="new_r_port" type="number" min="1" max="65535" placeholder="RDP порт (3389)" />
-            <input id="new_r_domain" placeholder="Домен (опционально)" />
-            <select id="new_r_sec">
+            <input id="new_r_host" placeholder="RDP host" oninput="buildRdpTarget('new_r')" />
+            <input id="new_r_port" type="number" min="1" max="65535" placeholder="RDP порт (3389)" oninput="buildRdpTarget('new_r')" />
+            <input id="new_r_domain" placeholder="Домен (опционально)" oninput="buildRdpTarget('new_r')" />
+            <select id="new_r_sec" onchange="buildRdpTarget('new_r')">
               <option value="">auto</option>
               <option value="nla">nla</option>
               <option value="tls">tls</option>
               <option value="rdp">rdp</option>
             </select>
-            <input id="new_r_target" placeholder="Собранный target (авто)" />
+            <input id="new_r_target" placeholder="Собранный target (авто)" readonly style="background:rgba(255,255,255,.05);color:#888;cursor:default" />
             <textarea id="new_r_comment" placeholder="Описание для пользователя"></textarea>
             <input id="new_r_svc_login" placeholder="Логин сервиса (необязательно)" />
             <input id="new_r_svc_password" placeholder="Пароль сервиса (необязательно)" />
@@ -657,9 +673,11 @@
       return r.json();
     }
 
-    function selectUser(id, username, active, isAdmin, expiresIso) {
+    function selectUser(id, username, active, isAdmin, expiresIso, firstName, lastName) {
       document.getElementById('u_id').value = id;
       document.getElementById('u_name').value = username;
+      document.getElementById('u_first_name').value = firstName || '';
+      document.getElementById('u_last_name').value = lastName || '';
       document.getElementById('u_exp').value = dateFromIso(expiresIso);
       document.getElementById('u_pwd').value = '';
       document.getElementById('u_active').value = String(active);
@@ -673,6 +691,8 @@
       if (!expDate) return alert('Выберите дату деактивации');
       await api('/api/admin/users', 'POST', {
         username: document.getElementById('new_u_name').value,
+        first_name: document.getElementById('new_u_first_name').value,
+        last_name: document.getElementById('new_u_last_name').value,
         password: document.getElementById('new_u_pwd').value,
         expires_at: expiryToApi(expDate),
         active: document.getElementById('new_u_active').value === 'true',
@@ -688,6 +708,8 @@
       if (!expDate) return alert('Выберите дату деактивации');
       const payload = {
         username: document.getElementById('u_name').value,
+        first_name: document.getElementById('u_first_name').value,
+        last_name: document.getElementById('u_last_name').value,
         expires_at: expiryToApi(expDate),
         active: document.getElementById('u_active').value === 'true',
         is_admin: document.getElementById('u_admin').value === 'true',

app/templates/dashboard.html

@@ -3,10 +3,22 @@
 <head>
   <meta charset="utf-8" />
   <meta name="viewport" content="width=device-width, initial-scale=1" />
-  <title>МОНТ - инфрастуктурный полигон</title>
+  <title>MONT - инфрастуктурный полигон</title>
   <link rel="stylesheet" href="/static/style.css" />
   <link rel="icon" type="image/svg+xml" href="/static/favicon.svg" />
-  <link rel="alternate icon" type="image/png" href="/static/favicon.png" />
+  <link rel="icon" type="image/png" href="/static/favicon.png" />
+<!-- Yandex.Metrika counter -->
+<script type="text/javascript">
+    (function(m,e,t,r,i,k,a){
+        m[i]=m[i]||function(){(m[i].a=m[i].a||[]).push(arguments)};
+        m[i].l=1*new Date();
+        for (var j = 0; j < document.scripts.length; j++) {if (document.scripts[j].src === r) { return; }}
+        k=e.createElement(t),a=e.getElementsByTagName(t)[0],k.async=1,k.src=r,a.parentNode.insertBefore(k,a)
+    })(window, document,"script","https://mc.yandex.ru/metrika/tag.js?id=109119977", "ym");
+    ym(109119977, "init", {ssr:true, webvisor:true, clickmap:true, ecommerce:"dataLayer", referrer: document.referrer, url: location.href, accurateTrackBounce:true, trackLinks:true});
+</script>
+<noscript><div><img src="https://mc.yandex.ru/watch/109119977" style="position:absolute; left:-9999px;" alt="" /></div></noscript>
+<!-- /Yandex.Metrika counter -->
 </head>
 <body class="dashboard-page">
 {% raw %}<style>
@@ -20,34 +32,37 @@
   .mw-footer{position:absolute;bottom:1.2rem;left:0;width:100%;text-align:center;font-size:clamp(.65rem,2.8vw,.78rem);color:rgba(160,184,204,.45);font-family:sans-serif}
 </style>{% endraw %}
 <div id="mobile-wall">
-  <img src="/static/logo.png" alt="MONT" style="position:absolute;top:1.2rem;left:50%;transform:translateX(-50%);height:clamp(4rem,16vw,6rem);opacity:.9">
+  <a href="https://4mont.ru"><img src="/static/logo.png?v=2" alt="MONT" style="position:absolute;top:1.2rem;left:50%;transform:translateX(-50%);height:clamp(4rem,16vw,6rem);opacity:.9"></a>
   <div class="mw-icon">🖥️</div>
   <div class="mw-title">Только для компьютера</div>
-  <div class="mw-sub">Инфраструктурный полигон МОНТ оптимизирован для работы на ПК.<br>Пожалуйста, откройте портал с настольного компьютера или ноутбука.</div>
+  <div class="mw-sub">Инфраструктурный полигон MONT оптимизирован для работы на ПК.<br>Пожалуйста, откройте портал с настольного компьютера или ноутбука.</div>
   <div class="mw-badge">
     <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><rect x="2" y="3" width="20" height="14" rx="2"/><path d="M8 21h8M12 17v4"/></svg>
     Минимальная ширина экрана: 1024 px
   </div>
-  <div class="mw-footer"><a href="mailto:rgalyaviev@mont.com" style="color:inherit;text-decoration:none">Made by Galyaviev</a></div>
+  <div class="mw-footer"><a href="mailto:ruslan@ipcom.su" style="color:inherit;text-decoration:none">Made by Galyaviev</a></div>
 </div>
 
   <header class="header">
-    <div style="display:flex; align-items:center; gap:0.6rem;">
-      <img src="/static/logo.png" alt="MONT" class="header-logo" />
-      <div>{{ user.username }}</div>
+    <div class="header-left">
+      <div class="user-avatar">{{ ((user.first_name[0] if user.first_name else user.username[0]) + (user.last_name[0] if user.last_name else ''))|upper }}</div>
+      <span class="header-username">{{ (user.first_name + ' ' + user.last_name)|trim or user.username }}</span>
     </div>
-    <div style="display:flex; gap:0.5rem;">
+    <div class="header-right">
       {% if user.is_admin %}
-        <a href="/admin" class="btn-link secondary">Администрирование</a>
+        <a href="/admin" class="header-btn">Администрирование</a>
       {% endif %}
       <form method="post" action="/logout">
-        <button type="submit">Выход</button>
+        <button type="submit" class="header-btn header-btn-logout">Выход</button>
       </form>
     </div>
   </header>
+  <div class="page-logo-wrap">
+    <a href="https://4mont.ru"><img src="/static/logo.png?v=2" alt="MONT" class="page-logo" /></a>
+  </div>
   <main class="admin-layout">
     <section class="panel">
-      <div class="admin-intro">Добро пожаловать в инфраструктурную песочницу</div>
+      <div class="admin-intro">Инфраструктурный полигон MONT</div>
       {% if session_notice %}
       <div class="session-notice">{{ session_notice }}</div>
       {% endif %}
@@ -127,7 +142,7 @@
       </div>
     {% endfor %}
     </section>
-    <footer class="made-by-wrap"><a class="made-by" href="mailto:rgalyaviev@mont.com">Made by Galyaviev</a></footer>
+    <footer class="made-by-wrap"><a class="made-by" href="mailto:ruslan@ipcom.su">Made by Galyaviev</a></footer>
   </main>
   <style>
     #loading-overlay{display:none;position:fixed;inset:0;z-index:8888;background:rgba(10,18,28,.88);

app/templates/login.html

@@ -1,31 +1,514 @@
+{% set _scheme = request.headers.get('x-forwarded-proto', request.url.scheme) %}
+{% set base_url = _scheme + '://' + request.url.netloc + '/' %}
 <!doctype html>
 <html lang="ru">
 <head>
   <meta charset="utf-8" />
   <meta name="viewport" content="width=device-width, initial-scale=1" />
-  <title>МОНТ - инфрастуктурный полигон</title>
+  <title>Инфраструктурный полигон MONT — демо и пилоты российского ПО</title>
+  <meta name="description" content="Инфраструктурный полигон MONT: демонстрация и пилотное тестирование российского ПО для партнёров и заказчиков. Браузерный доступ к рабочим стендам — без установки и настройки." />
+  <meta name="keywords" content="инфраструктурный полигон MONT, пилоты MONT, демо MONT, партнёры MONT, демонстрация MONT, российское ПО демо, отечественное ПО тестирование, демостенд ПО" />
+  <meta name="robots" content="index, follow" />
+  <link rel="canonical" href="{{ base_url }}" />
+  <meta property="og:type" content="website" />
+  <meta property="og:url" content="{{ base_url }}" />
+  <meta property="og:title" content="Инфраструктурный полигон MONT — демо и пилоты российского ПО" />
+  <meta property="og:description" content="Демонстрация и тестирование российского ПО для партнёров и заказчиков MONT. Доступ к рабочим стендам прямо в браузере." />
+  <meta property="og:image" content="{{ base_url }}static/logo.png?v=2" />
+  <meta property="og:locale" content="ru_RU" />
+  <meta property="og:site_name" content="Полигон MONT" />
+  <meta name="twitter:card" content="summary" />
+  <meta name="twitter:title" content="Инфраструктурный полигон MONT" />
+  <meta name="twitter:description" content="Демо и пилоты российского ПО для партнёров и заказчиков MONT." />
+  <script type="application/ld+json">
+  {
+    "@context": "https://schema.org",
+    "@type": "WebSite",
+    "name": "Инфраструктурный полигон MONT",
+    "url": "{{ base_url }}",
+    "description": "Платформа для демонстрации и пилотного тестирования российского программного обеспечения. Партнеры MONT и их заказчики получают браузерный доступ к рабочим стендам.",
+    "publisher": {
+      "@type": "Organization",
+      "name": "MONT",
+      "url": "https://www.mont.ru/"
+    }
+  }
+  </script>
   <link rel="stylesheet" href="/static/style.css" />
   <link rel="icon" type="image/svg+xml" href="/static/favicon.svg" />
-  <link rel="alternate icon" type="image/png" href="/static/favicon.png" />
+  <link rel="icon" type="image/png" href="/static/favicon.png" />
+  <style>
+    body { background: #070f1c; overflow: hidden; height: 100vh; }
+    @media (max-width: 820px) { body { overflow: auto; height: auto; } }
+  </style>
+<!-- Yandex.Metrika counter -->
+<script type="text/javascript">
+    (function(m,e,t,r,i,k,a){
+        m[i]=m[i]||function(){(m[i].a=m[i].a||[]).push(arguments)};
+        m[i].l=1*new Date();
+        for (var j = 0; j < document.scripts.length; j++) {if (document.scripts[j].src === r) { return; }}
+        k=e.createElement(t),a=e.getElementsByTagName(t)[0],k.async=1,k.src=r,a.parentNode.insertBefore(k,a)
+    })(window, document,"script","https://mc.yandex.ru/metrika/tag.js?id=109119977", "ym");
+    ym(109119977, "init", {ssr:true, webvisor:true, clickmap:true, ecommerce:"dataLayer", referrer: document.referrer, url: location.href, accurateTrackBounce:true, trackLinks:true});
+</script>
+<noscript><div><img src="https://mc.yandex.ru/watch/109119977" style="position:absolute; left:-9999px;" alt="" /></div></noscript>
+<!-- /Yandex.Metrika counter -->
 </head>
 <body>
-  <div class="login-corner-brand">МОНТ - инфрастуктурный полигон</div>
-  <main class="center-box login-page">
-    <section class="login-shell">
-      <img src="/static/logo.png" alt="MONT" class="brand-logo brand-logo-fullscreen" />
-      <div style="height:3.5rem"></div>
-{% if session_notice %}<div class="session-notice">{{ session_notice }}</div>{% endif %}
-      {% if login_error %}<div class="auth-error">{{ login_error }}</div>{% endif %}
-      <form method="post" action="/login" class="panel login-panel">
+<div class="login-wrap">
+  <aside class="login-left">
+    <div class="login-left-glow login-left-glow-top"></div>
+    <div class="login-left-glow login-left-glow-bottom"></div>
+    <div class="login-left-inner">
+      <a href="#" onclick="window.open(location.hostname==='stand.mont.ru'?'https://www.mont.ru':'https://4mont.ru','_blank');return false;"><img src="/static/logo.png?v=2" alt="MONT" class="login-corner-logo" /></a>
+      <h1 class="login-left-title">Инфраструктурный<br>полигон MONT</h1>
+      <p class="login-left-desc">Платформа для демонстрации и пилотного тестирования российского ПО. Партнеры MONT и их заказчики получают браузерный доступ к рабочим стендам с отечественными ОС, платформами виртуализации, СРК и другими решениями — без установки и настройки.</p>
+      <ul class="login-features">
+        <li class="login-feature">
+          <span class="login-feature-icon">🖥</span>
+          <span>Доступ к рабочим столам ОС</span>
+        </li>
+        <li class="login-feature">
+          <span class="login-feature-icon">🌐</span>
+          <span>Веб-интерфейсы сервисов</span>
+        </li>
+        <li class="login-feature">
+          <span class="login-feature-icon">⚡</span>
+          <span>Доступ в один клик</span>
+        </li>
+        <li class="login-feature">
+          <span class="login-feature-icon">🔒</span>
+          <span>Защищённый контур</span>
+        </li>
+      </ul>
+      <button type="button" class="login-distrib-btn" onclick="window.open(location.hostname==='stand.mont.ru'?'https://maps.mont.ru':'https://maps.4mont.ru','_blank')">Продукты нашей дистрибуции</button>
+    </div>
+  </aside>
+  <main class="login-right">
+    <div class="login-right-inner">
+      <div class="login-form-title">Вход в систему</div>
+      <div class="login-form-subtitle">Инфраструктурный полигон</div>
+{% if session_notice %}<div class="session-notice lp-session-notice">{{ session_notice }}</div>{% endif %}
+      {% if login_error %}<div class="auth-error lp-auth-error">{{ login_error }}</div>{% endif %}
+      <form method="post" action="/login" class="login-form">
         <input type="hidden" name="csrf_token" value="{{ csrf_token }}" />
+        <div class="login-field">
           <label>Логин</label>
-      <input type="text" name="username" placeholder="Введите логин" required />
+          <input type="text" name="username" placeholder="Введите логин" required autocomplete="username" />
+        </div>
+        <div class="login-field">
           <label>Пароль</label>
-      <input type="password" name="password" placeholder="Введите пароль" required />
-      <button type="submit">Войти</button>
+          <input type="password" name="password" placeholder="Введите пароль" required autocomplete="current-password" />
+        </div>
+        <button type="submit" class="login-submit">Войти</button>
       </form>
-    </section>
+      <button type="button" class="login-request-btn" id="btn-request-access" data-open-access-modal="1">Запросить доступ</button>
+    </div>
+    <footer class="login-footer">
+      <a href="mailto:ruslan@ipcom.su" class="login-footer-link">Made by Galyaviev</a>
+    </footer>
   </main>
-  <footer class="login-made-by-wrap"><a class="made-by login-made-by" href="mailto:rgalyaviev@mont.com">Made by Galyaviev</a></footer>
+</div>
+
+<!-- Request Access Modal -->
+<div id="access-modal" class="access-modal-overlay" style="display:none" aria-modal="true" role="dialog">
+  <div class="access-modal">
+    <div class="access-modal-header">
+      <div class="access-modal-title">Запрос на доступ</div>
+
+    </div>
+    <div class="access-modal-body">
+      <div class="access-field">
+        <label>Имя и фамилия <span class="req">*</span></label>
+        <input id="am-name" type="text" placeholder="Иван Иванов" />
+      </div>
+      <div class="access-field">
+        <label>Название компании <span class="req">*</span></label>
+        <input id="am-company" type="text" placeholder="ООО Компания" />
+      </div>
+      <div class="access-field">
+        <label>Email <span class="req">*</span></label>
+        <input id="am-email" type="email" placeholder="ivan@company.ru" />
+      </div>
+      <div class="access-field">
+        <label>Телефон <span class="req">*</span></label>
+        <input id="am-phone" type="tel" placeholder="+7 (999) 000-00-00" />
+      </div>
+      <div class="access-field">
+        <label>Ваш менеджер в MONT</label>
+        <input id="am-manager" type="text" placeholder="Если известно — укажите имя" />
+      </div>
+      <div class="access-field">
+        <label>Интересующие продукты</label>
+        <div id="am-products" class="access-products-wrap">
+          <div class="access-products-loading">Загрузка...</div>
+        </div>
+      </div>
+      <div class="access-consent-field">
+        <label class="access-consent-label">
+          <input type="checkbox" id="am-consent" />
+          <span>Согласен на <a href="/privacy" target="_blank" class="access-consent-link">обработку персональных данных</a></span>
+        </label>
+      </div>
+      <div id="am-error" class="access-modal-error" style="display:none"></div>
+    </div>
+    <div class="access-modal-footer">
+      <button type="button" class="access-btn-cancel" id="am-cancel">Отмена</button>
+      <button type="button" class="access-btn-submit" id="am-submit">Запросить доступ</button>
+    </div>
+  </div>
+</div>
+
+<script>
+(function() {
+  const overlay = document.getElementById('access-modal');
+  const btnCancel = document.getElementById('am-cancel');
+  const btnSubmit = document.getElementById('am-submit');
+  const errEl = document.getElementById('am-error');
+  let productsLoaded = false;
+
+  function resetAccessForm() {
+    if (!document.getElementById('am-name')) {
+      document.querySelector('.access-modal-body').innerHTML = `
+      <div class="access-field"><label>Имя и фамилия <span class="req">*</span></label><input id="am-name" type="text" placeholder="Иван Иванов" /></div>
+      <div class="access-field"><label>Название компании <span class="req">*</span></label><input id="am-company" type="text" placeholder="ООО Компания" /></div>
+      <div class="access-field"><label>Email <span class="req">*</span></label><input id="am-email" type="email" placeholder="ivan@company.ru" /></div>
+      <div class="access-field"><label>Телефон <span class="req">*</span></label><input id="am-phone" type="tel" placeholder="+7 (999) 000-00-00" /></div>
+      <div class="access-field"><label>Ваш менеджер в MONT</label><input id="am-manager" type="text" placeholder="Если известно — укажите имя" /></div>
+      <div class="access-field"><label>Интересующие продукты</label><div id="am-products" class="access-products-wrap"><div class="access-products-loading">Загрузка...</div></div></div>
+      <div class="access-consent-field"><label class="access-consent-label"><input type="checkbox" id="am-consent" /><span>Согласен на <a href="/privacy" target="_blank" class="access-consent-link">обработку персональных данных</a></span></label></div>
+      <div id="am-error" class="access-modal-error" style="display:none"></div>`;
+      document.querySelector('.access-modal-footer').innerHTML = `<button type="button" class="access-btn-cancel" id="am-cancel">Отмена</button><button type="button" class="access-btn-submit" id="am-submit">Запросить доступ</button>`;
+      document.getElementById('am-cancel').addEventListener('click', closeModal);
+      document.getElementById('am-submit').addEventListener('click', submitForm);
+      document.querySelectorAll('#am-name,#am-company,#am-email,#am-phone').forEach(function(el){ el.addEventListener('input', function(){ el.classList.remove('am-invalid'); }); });
+      productsLoaded = false;
+    } else {
+      ['am-name','am-company','am-email','am-phone','am-manager'].forEach(function(id){ var el=document.getElementById(id); if(el){el.value='';el.classList.remove('am-invalid');} });
+      document.querySelectorAll('#am-products input[type=checkbox]').forEach(function(cb){ cb.checked=false; });
+      var err=document.getElementById('am-error'); if(err) err.style.display='none';
+      var btn=document.getElementById('am-submit'); if(btn){btn.disabled=false;btn.textContent='Запросить доступ';}
+    }
+  }
+
+  function openModal() {
+    resetAccessForm();
+    overlay.style.display = 'flex';
+    document.body.style.overflow = 'hidden';
+    if (!productsLoaded) loadProducts();
+  }
+
+  function closeModal() {
+    overlay.style.display = 'none';
+    document.body.style.overflow = '';
+    errEl.style.display = 'none';
+    document.querySelectorAll('.am-invalid').forEach(el => el.classList.remove('am-invalid'));
+  }
+  window._closeAccessModal = function() { closeModal(); productsLoaded = false; };
+
+  async function loadProducts() {
+    const wrap = document.getElementById('am-products');
+    try {
+      const res = await fetch('/api/public/services-by-category');
+      const data = await res.json();
+      wrap.innerHTML = '';
+      for (const [cat, svcs] of Object.entries(data)) {
+        const group = document.createElement('div');
+        group.className = 'access-products-group';
+        group.innerHTML = '<div class="access-products-cat">' + cat + '</div>';
+        for (const svc of svcs) {
+          const lbl = document.createElement('label');
+          lbl.className = 'access-product-item';
+          lbl.innerHTML = '<input type="checkbox" value="' + svc.name.replace(/"/g, '&quot;') + '" /><span>' + svc.name + '</span>';
+          group.appendChild(lbl);
+        }
+        wrap.appendChild(group);
+      }
+      productsLoaded = true;
+    } catch(e) {
+      wrap.innerHTML = '<div class="access-products-loading">Не удалось загрузить список</div>';
+    }
+  }
+
+  async function submitForm() {
+    const nameEl    = document.getElementById('am-name');
+    const companyEl = document.getElementById('am-company');
+    const emailEl   = document.getElementById('am-email');
+    const phoneEl   = document.getElementById('am-phone');
+    const managerEl = document.getElementById('am-manager');
+    const submitBtn = document.getElementById('am-submit');
+    const errorEl   = document.getElementById('am-error');
+
+    const name    = nameEl    ? nameEl.value.trim()    : '';
+    const company = companyEl ? companyEl.value.trim() : '';
+    const email   = emailEl   ? emailEl.value.trim()   : '';
+    const phone   = phoneEl   ? phoneEl.value.trim()   : '';
+    const manager = managerEl ? managerEl.value.trim() : '';
+    const checked = [...document.querySelectorAll('#am-products input[type=checkbox]:checked')];
+    const products = checked.map(c => c.value);
+
+    const emailRe = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    const phoneRe = /^[\+\d][\d\s\-\(\)]{6,18}$/;
+
+    const consentEl = document.getElementById('am-consent');
+    const fields = [
+      { el: nameEl,    check: () => !!name,              msg: 'Введите имя и фамилию' },
+      { el: companyEl, check: () => !!company,           msg: 'Введите название компании' },
+      { el: emailEl,   check: () => emailRe.test(email), msg: 'Введите корректный email' },
+      { el: phoneEl,   check: () => phoneRe.test(phone), msg: 'Введите корректный номер телефона' },
+    ];
+
+    const errors = [];
+    fields.forEach(f => {
+      if (f.el && !f.check()) { f.el.classList.add('am-invalid'); errors.push(f.msg); }
+      else if (f.el) f.el.classList.remove('am-invalid');
+    });
+    if (!consentEl || !consentEl.checked) {
+      errors.push('Необходимо согласие на обработку персональных данных');
+      const cf = document.querySelector('.access-consent-field');
+      if (cf) cf.classList.add('am-invalid-consent');
+    } else {
+      const cf = document.querySelector('.access-consent-field');
+      if (cf) cf.classList.remove('am-invalid-consent');
+    }
+
+    if (errors.length) {
+      if (errorEl) { errorEl.textContent = errors.join(' • '); errorEl.style.display = 'block'; }
+      return;
+    }
+
+    if (submitBtn) { submitBtn.disabled = true; submitBtn.textContent = 'Отправка...'; }
+    if (errorEl) errorEl.style.display = 'none';
+
+    try {
+      const res = await fetch('/api/request-access', {
+        method: 'POST',
+        headers: {'Content-Type': 'application/json'},
+        body: JSON.stringify({name, company, email, phone, manager, products}),
+      });
+      if (!res.ok) {
+        const d = await res.json().catch(() => ({}));
+        throw new Error(d.detail || 'Ошибка отправки');
+      }
+      const body   = document.querySelector('#access-modal .access-modal-body');
+      const footer = document.querySelector('#access-modal .access-modal-footer');
+      body.innerHTML = '<div class="am-success-msg">' +
+        '<div class="am-success-icon">✓</div>' +
+        '<div class="am-success-title">Запрос отправлен</div>' +
+        '<div class="am-success-sub">После утверждения доступы придут на электронную почту <strong>' + email + '</strong></div>' +
+        '</div>';
+      footer.innerHTML = '<button type="button" class="access-btn-cancel" onclick="window._closeAccessModal()">Закрыть</button>';
+    } catch(e) {
+      const eb = document.getElementById('am-error');
+      if (eb) { eb.textContent = e.message || 'Ошибка отправки, попробуйте позже'; eb.style.display = 'block'; }
+      const sb = document.getElementById('am-submit');
+      if (sb) { sb.disabled = false; sb.textContent = 'Запросить доступ'; }
+    }
+  }
+
+  // Clear invalid highlight on input
+  document.querySelectorAll('#am-name,#am-company,#am-email,#am-phone').forEach(el => {
+    el.addEventListener('input', () => el.classList.remove('am-invalid'));
+  });
+
+  // Wire up request-access button
+  document.querySelectorAll('.login-request-btn, [data-open-access-modal]').forEach(el => {
+    el.addEventListener('click', function(e) {
+      e.preventDefault();
+      openModal();
+    });
+  });
+
+  btnCancel.addEventListener('click', closeModal);
+  btnSubmit.addEventListener('click', submitForm);
+  overlay.addEventListener('click', function(e) {
+    if (e.target === overlay) closeModal();
+  });
+  document.addEventListener('keydown', function(e) {
+    if (e.key === 'Escape') closeModal();
+  });
+})();
+</script>
+
+<!-- Contact Ruslan Modal -->
+<div id="contact-modal" class="access-modal-overlay" style="display:none" aria-modal="true" role="dialog">
+  <div class="access-modal">
+    <div class="access-modal-header">
+      <div class="access-modal-title">Связаться с Русланом</div>
+      
+    </div>
+    <div class="access-modal-body" id="cm-body">
+      <div class="access-field">
+        <label>Ваше имя <span class="req">*</span></label>
+        <input id="cm-name" type="text" placeholder="Иван Иванов" />
+      </div>
+      <div class="access-field">
+        <label>Email <span class="req">*</span></label>
+        <input id="cm-email" type="email" placeholder="ivan@company.ru" />
+      </div>
+      <div class="access-field">
+        <label>Телефон <span class="req">*</span></label>
+        <input id="cm-phone" type="tel" placeholder="+7 (999) 000-00-00" />
+      </div>
+      <div class="access-field">
+        <label>Сообщение <span class="req">*</span></label>
+        <textarea id="cm-text" class="access-textarea" placeholder="Ваш вопрос или предложение..." rows="4"></textarea>
+      </div>
+      <div class="access-consent-field">
+        <label class="access-consent-label">
+          <input type="checkbox" id="cm-consent" />
+          <span>Согласен на <a href="/privacy" target="_blank" class="access-consent-link">обработку персональных данных</a></span>
+        </label>
+      </div>
+      <div id="cm-error" class="access-modal-error" style="display:none"></div>
+    </div>
+    <div class="access-modal-footer" id="cm-footer">
+      <button type="button" class="access-btn-cancel" id="cm-cancel">Отмена</button>
+      <button type="button" class="access-btn-submit" id="cm-submit">Отправить</button>
+    </div>
+  </div>
+</div>
+
+<script>
+(function() {
+  const overlay = document.getElementById('contact-modal');
+  const btnCancel = document.getElementById('cm-cancel');
+  const btnSubmit = document.getElementById('cm-submit');
+  const errEl = document.getElementById('cm-error');
+
+  function resetContactForm() {
+    if (!document.getElementById('cm-name')) {
+      document.getElementById('cm-body').innerHTML = `
+      <div class="access-field"><label>Ваше имя <span class="req">*</span></label><input id="cm-name" type="text" placeholder="Иван Иванов" /></div>
+      <div class="access-field"><label>Email <span class="req">*</span></label><input id="cm-email" type="email" placeholder="ivan@company.ru" /></div>
+      <div class="access-field"><label>Телефон <span class="req">*</span></label><input id="cm-phone" type="tel" placeholder="+7 (999) 000-00-00" /></div>
+      <div class="access-field"><label>Сообщение <span class="req">*</span></label><textarea id="cm-text" class="access-textarea" placeholder="Ваш вопрос или предложение..." rows="4"></textarea></div>
+      <div class="access-consent-field"><label class="access-consent-label"><input type="checkbox" id="cm-consent" /><span>Согласен на <a href="/privacy" target="_blank" class="access-consent-link">обработку персональных данных</a></span></label></div>
+<div id="cm-error" class="access-modal-error" style="display:none"></div>`;
+      document.getElementById('cm-footer').innerHTML = `<button type="button" class="access-btn-cancel" id="cm-cancel">Отмена</button><button type="button" class="access-btn-submit" id="cm-submit">Отправить</button>`;
+      document.getElementById('cm-cancel').addEventListener('click', closeContact);
+      document.getElementById('cm-submit').addEventListener('click', submitContact);
+      document.querySelectorAll('#cm-name,#cm-email,#cm-phone,#cm-text').forEach(function(el){ el.addEventListener('input', function(){ el.classList.remove('am-invalid'); }); });
+    } else {
+      ['cm-name','cm-email','cm-phone','cm-text'].forEach(function(id){ var el=document.getElementById(id); if(el){el.value='';el.classList.remove('am-invalid');} });
+      var err=document.getElementById('cm-error'); if(err) err.style.display='none';
+      var btn=document.getElementById('cm-submit'); if(btn){btn.disabled=false;btn.textContent='Отправить';}
+    }
+  }
+
+  function openContact() {
+    resetContactForm();
+    overlay.style.display = 'flex';
+    document.body.style.overflow = 'hidden';
+  }
+
+  function closeContact() {
+    overlay.style.display = 'none';
+    document.body.style.overflow = '';
+    errEl.style.display = 'none';
+    document.querySelectorAll('#contact-modal .am-invalid').forEach(el => el.classList.remove('am-invalid'));
+  }
+  window._closeContactModal = closeContact;
+
+  async function submitContact() {
+    const nameEl   = document.getElementById('cm-name');
+    const emailEl  = document.getElementById('cm-email');
+    const phoneEl  = document.getElementById('cm-phone');
+    const textEl   = document.getElementById('cm-text');
+    const submitBtn = document.getElementById('cm-submit');
+    const errorEl   = document.getElementById('cm-error');
+
+    const name  = nameEl  ? nameEl.value.trim()  : '';
+    const email = emailEl ? emailEl.value.trim()  : '';
+    const phone = phoneEl ? phoneEl.value.trim()  : '';
+    const text  = textEl  ? textEl.value.trim()   : '';
+
+    const emailRe = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    const phoneRe = /^[\+\d][\d\s\-\(\)]{6,18}$/;
+
+    const consentEl = document.getElementById('cm-consent');
+    const fields = [
+      { el: nameEl,  check: () => !!name,              msg: 'Введите имя' },
+      { el: emailEl, check: () => emailRe.test(email), msg: 'Введите корректный email' },
+      { el: phoneEl, check: () => phoneRe.test(phone), msg: 'Введите корректный номер телефона' },
+      { el: textEl,  check: () => !!text,              msg: 'Введите сообщение' },
+    ];
+
+    const errors = [];
+    fields.forEach(f => {
+      if (f.el && !f.check()) { f.el.classList.add('am-invalid'); errors.push(f.msg); }
+      else if (f.el) f.el.classList.remove('am-invalid');
+    });
+    if (!consentEl || !consentEl.checked) {
+      errors.push('Необходимо согласие на обработку персональных данных');
+      const cf = document.querySelector('#contact-modal .access-consent-field');
+      if (cf) cf.classList.add('am-invalid-consent');
+    } else {
+      const cf = document.querySelector('#contact-modal .access-consent-field');
+      if (cf) cf.classList.remove('am-invalid-consent');
+    }
+
+    if (errors.length) {
+      if (errorEl) { errorEl.textContent = errors.join(' • '); errorEl.style.display = 'block'; }
+      return;
+    }
+
+    if (submitBtn) { submitBtn.disabled = true; submitBtn.textContent = 'Отправка...'; }
+    if (errorEl) errorEl.style.display = 'none';
+
+    try {
+      const res = await fetch('/api/contact', {
+        method: 'POST',
+        headers: {'Content-Type': 'application/json'},
+        body: JSON.stringify({name, email, phone, text}),
+      });
+      if (!res.ok) {
+        const d = await res.json().catch(() => ({}));
+        throw new Error(d.detail || 'Ошибка отправки');
+      }
+      document.getElementById('cm-body').innerHTML =
+        '<div class="am-success-msg">' +
+        '<div class="am-success-icon">✓</div>' +
+        '<div class="am-success-title">Отправлено</div>' +
+        '<div class="am-success-sub">Постараюсь ответить в ближайшее время</div>' +
+        '</div>';
+      document.getElementById('cm-footer').innerHTML =
+        '<button type="button" class="access-btn-cancel" onclick="window._closeContactModal()">Закрыть</button>';
+    } catch(e) {
+      const eb = document.getElementById('cm-error');
+      if (eb) { eb.textContent = e.message || 'Ошибка отправки, попробуйте позже'; eb.style.display = 'block'; }
+      const sb = document.getElementById('cm-submit');
+      if (sb) { sb.disabled = false; sb.textContent = 'Отправить'; }
+    }
+  }
+
+  document.querySelectorAll('#cm-name,#cm-email,#cm-phone,#cm-text').forEach(el => {
+    el.addEventListener('input', () => el.classList.remove('am-invalid'));
+  });
+
+  document.getElementById('btn-contact-ruslan').addEventListener('click', function(e) {
+    e.preventDefault();
+    openContact();
+  });
+  btnCancel.addEventListener('click', closeContact);
+  btnSubmit.addEventListener('click', submitContact);
+  overlay.addEventListener('click', function(e) { if (e.target === overlay) closeContact(); });
+  document.addEventListener('keydown', function(e) { if (e.key === 'Escape' && overlay.style.display !== 'none') closeContact(); });
+})();
+</script>
+
+<!-- Cookie Banner -->
+<div id="cookie-banner" style="display:none;position:fixed;bottom:0;left:0;right:0;z-index:99999;background:rgba(7,15,28,0.97);border-top:1px solid rgba(255,255,255,0.1);backdrop-filter:blur(8px);padding:14px 24px;align-items:center;justify-content:space-between;gap:16px;flex-wrap:wrap;">
+  <p style="margin:0;font-size:0.85rem;color:#c8d8ea;line-height:1.5;flex:1;min-width:200px;">
+    Мы используем файлы cookie, чтобы сделать работу с сайтом удобнее. Нажмите «Принять», чтобы согласиться с использованием файлов cookie в соответствии с <a href="https://www.mont.ru/ru-ru/confidential" target="_blank" style="color:#5b9bd5;text-decoration:underline;">Политикой конфиденциальности</a>.
+  </p>
+  <button onclick="document.getElementById('cookie-banner').style.display='none';localStorage.setItem('cookie_accepted','1');" style="flex-shrink:0;padding:8px 22px;background:linear-gradient(135deg,#1a5db5,#2d8cf0);color:#fff;border:none;border-radius:8px;font-size:0.88rem;font-weight:600;cursor:pointer;white-space:nowrap;">Принять</button>
+</div>
+<script>
+  if (!localStorage.getItem('cookie_accepted')) {
+    document.getElementById('cookie-banner').style.display = 'flex';
+  }
+</script>
+
 </body>
 </html>

app/templates/privacy.html

@@ -0,0 +1,137 @@
+<!DOCTYPE html>
+<html lang="ru">
+<head>
+  <meta charset="utf-8"/>
+  <meta name="viewport" content="width=device-width, initial-scale=1"/>
+  <title>Политика конфиденциальности — Полигон MONT</title>
+  <meta name="robots" content="noindex"/>
+  <link rel="icon" type="image/svg+xml" href="/static/favicon.svg"/>
+  <link rel="icon" type="image/png" href="/static/favicon.png"/>
+  <style>
+    *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+    body {
+      background: linear-gradient(160deg, #070f1c 0%, #0a1f3a 100%);
+      min-height: 100vh;
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
+      color: #c8d8ea;
+      padding: 40px 20px 60px;
+    }
+    .wrap {
+      max-width: 780px;
+      margin: 0 auto;
+    }
+    .back-link {
+      display: inline-flex;
+      align-items: center;
+      gap: 6px;
+      color: #5b9bd5;
+      text-decoration: none;
+      font-size: 0.9rem;
+      margin-bottom: 32px;
+      opacity: 0.85;
+      transition: opacity 0.2s;
+    }
+    .back-link:hover { opacity: 1; }
+    h1 {
+      font-size: 1.7rem;
+      font-weight: 700;
+      color: #e8f1fb;
+      margin-bottom: 6px;
+    }
+    .subtitle {
+      font-size: 0.9rem;
+      color: #6a8aaa;
+      margin-bottom: 36px;
+    }
+    h2 {
+      font-size: 1.05rem;
+      font-weight: 600;
+      color: #d0e4f7;
+      margin: 28px 0 10px;
+    }
+    p, li {
+      font-size: 0.95rem;
+      line-height: 1.7;
+      color: #a8bdd4;
+    }
+    ul {
+      padding-left: 20px;
+      margin-top: 6px;
+    }
+    li { margin-bottom: 4px; }
+    a { color: #5b9bd5; }
+    .divider {
+      border: none;
+      border-top: 1px solid rgba(255,255,255,0.07);
+      margin: 32px 0;
+    }
+    .contact-box {
+      background: rgba(255,255,255,0.04);
+      border: 1px solid rgba(255,255,255,0.08);
+      border-radius: 10px;
+      padding: 20px 24px;
+      margin-top: 28px;
+    }
+    .contact-box p { color: #a8bdd4; }
+    .contact-box strong { color: #d0e4f7; }
+  </style>
+</head>
+<body>
+  <div class="wrap">
+    <a class="back-link" href="/">&#8592; Вернуться на главную</a>
+
+    <h1>Политика конфиденциальности</h1>
+    <p class="subtitle">Последнее обновление: 28 мая 2026 г.</p>
+
+    <p>Настоящая Политика конфиденциальности описывает, как ООО «МОНТ» (далее — «Оператор») осуществляет сбор, использование и хранение персональных данных пользователей, оставивших заявку на получение доступа к Инфраструктурному полигону MONT.</p>
+
+    <h2>1. Оператор персональных данных</h2>
+    <p>ООО «МОНТ»<br>
+    Юридический адрес: г. Москва<br>
+    Сайт: <a href="https://www.mont.ru/" target="_blank">www.mont.ru</a><br>
+    Email для обращений по вопросам ПД: <a href="mailto:privacy@mont.ru">privacy@mont.ru</a></p>
+
+    <h2>2. Какие данные мы собираем</h2>
+    <p>При заполнении формы запроса доступа мы получаем:</p>
+    <ul>
+      <li>Имя и фамилия</li>
+      <li>Название компании</li>
+      <li>Адрес электронной почты</li>
+      <li>Номер телефона</li>
+      <li>Имя вашего менеджера в MONT (необязательно)</li>
+      <li>Список интересующих продуктов</li>
+    </ul>
+
+    <h2>3. Цели обработки</h2>
+    <p>Персональные данные обрабатываются исключительно для рассмотрения заявки на доступ к демостендам и последующей связи с вами по вопросам предоставления доступа.</p>
+
+    <h2>4. Правовое основание</h2>
+    <p>Обработка персональных данных осуществляется на основании вашего явного согласия в соответствии со ст. 6, ч. 1, п. 1 и ст. 9 Федерального закона № 152-ФЗ «О персональных данных».</p>
+
+    <h2>5. Передача данных третьим лицам</h2>
+    <p>Персональные данные не хранятся в базе данных портала. После отправки формы данные передаются ответственным сотрудникам MONT по защищённому каналу для обработки заявки. Данные не продаются и не передаются третьим лицам в коммерческих целях.</p>
+
+    <h2>6. Срок хранения</h2>
+    <p>Данные хранятся в течение срока, необходимого для обработки заявки и предоставления доступа, но не более 1 года с момента подачи заявки, если иное не требуется законодательством РФ.</p>
+
+    <h2>7. Ваши права</h2>
+    <p>В соответствии с 152-ФЗ вы вправе:</p>
+    <ul>
+      <li>получить информацию об обработке ваших персональных данных;</li>
+      <li>потребовать уточнения, блокирования или уничтожения ваших данных;</li>
+      <li>отозвать согласие на обработку персональных данных в любой момент.</li>
+    </ul>
+    <p>Для реализации любого из перечисленных прав направьте запрос на <a href="mailto:privacy@mont.ru">privacy@mont.ru</a>.</p>
+
+    <h2>8. Защита данных</h2>
+    <p>Передача данных осуществляется по зашифрованному соединению (HTTPS). Доступ к данным имеют только уполномоченные сотрудники MONT.</p>
+
+    <hr class="divider"/>
+
+    <div class="contact-box">
+      <p><strong>Вопросы по обработке персональных данных:</strong><br>
+      <a href="mailto:privacy@mont.ru">privacy@mont.ru</a></p>
+    </div>
+  </div>
+</body>
+</html>

app/test_requirements.txt

@@ -0,0 +1,3 @@
+pytest==8.3.5
+httpx==0.28.1
+pytest-asyncio==0.24.0

app/test_routes.py

@@ -0,0 +1,103 @@
+"""
+Smoke-tests: проверяем что все ключевые роуты не падают с NameError/ImportError.
+Не проверяем бизнес-логику — только что страницы отдают ответ.
+"""
+import pytest
+
+
+# ── Публичные страницы ──────────────────────────────────────────────────────
+
+def test_index_anonymous(client):
+    """Главная без авторизации — либо страница сервисов, либо логин."""
+    r = client.get("/", follow_redirects=True)
+    assert r.status_code == 200
+
+
+def test_login_form_on_index(client):
+    """Форма логина рендерится на /."""
+    r = client.get("/", follow_redirects=True)
+    assert r.status_code == 200
+    assert "csrf" in r.text.lower() or "login" in r.text.lower() or "пароль" in r.text.lower()
+
+
+def _get_csrf(client):
+    from conftest import _extract_csrf
+    return _extract_csrf(client)
+
+
+def test_login_wrong_password(client):
+    csrf = _get_csrf(client)
+    r = client.post("/login", data={
+        "username": "admin",
+        "password": "wrongpass",
+        "csrf_token": csrf,
+    })
+    assert r.status_code in (200, 401)
+
+
+def test_login_csrf_fail(client):
+    r = client.post("/login", data={
+        "username": "admin",
+        "password": "testpass123",
+        "csrf_token": "bad-token",
+    })
+    assert r.status_code == 403
+
+
+def test_login_no_such_method(client):
+    r = client.get("/login")
+    assert r.status_code in (200, 405)  # только документируем поведение
+
+
+# ── Авторизованные страницы ─────────────────────────────────────────────────
+
+def test_login_success(auth_client):
+    r = auth_client.get("/", follow_redirects=True)
+    assert r.status_code == 200
+
+
+def test_admin_page(auth_client):
+    r = auth_client.get("/admin")
+    assert r.status_code == 200
+
+
+def test_admin_requires_auth(client):
+    from fastapi.testclient import TestClient
+    import main as app_module
+    fresh = TestClient(app_module.app, raise_server_exceptions=False)
+    r = fresh.get("/admin", follow_redirects=False)
+    assert r.status_code in (302, 303, 401, 403)
+
+
+# ── API роуты ───────────────────────────────────────────────────────────────
+
+def test_api_services_list(auth_client):
+    r = auth_client.get("/api/admin/services")
+    assert r.status_code in (200, 404, 405)
+
+
+def test_api_users_list(auth_client):
+    r = auth_client.get("/api/admin/users")
+    assert r.status_code in (200, 404, 405)
+
+
+def test_api_categories(auth_client):
+    r = auth_client.get("/api/admin/categories")
+    assert r.status_code in (200, 404, 405)
+
+
+# ── Несуществующие роуты ────────────────────────────────────────────────────
+
+def test_404(client):
+    r = client.get("/this-does-not-exist-xyz")
+    assert r.status_code == 404
+
+
+def test_session_unknown(auth_client):
+    r = auth_client.get("/s/00000000-0000-0000-0000-000000000000/")
+    assert r.status_code in (200, 302, 303, 404)
+
+
+def test_go_unknown_slug(auth_client):
+    r = auth_client.get("/go/nonexistent-service-slug", follow_redirects=False)
+    assert r.status_code in (302, 303, 404)

app/utils.py

@@ -0,0 +1,181 @@
+import datetime as dt
+import json
+import logging
+import contextvars
+from pathlib import Path
+from typing import Optional
+from urllib.parse import parse_qs, unquote, urlparse
+
+import mistune
+from fastapi import HTTPException, UploadFile
+from markupsafe import Markup
+from sqlalchemy import select
+from sqlalchemy.orm import Session
+
+from config import (
+    ICON_UPLOAD_MAX_BYTES, ICON_UPLOAD_TYPES, MAX_ACTIVE_SERVICES_PER_USER,
+    SERVICE_ICONS_DIR, SESSION_IDLE_SECONDS,
+)
+from models import AuditLog, Category, ServiceCategory, SessionModel, SessionStatus
+
+
+logger = logging.getLogger("portal")
+request_id_ctx = contextvars.ContextVar("request_id", default="-")
+
+
+def _normalize_log_value(value):
+    if isinstance(value, (str, int, float, bool)) or value is None:
+        return value
+    if isinstance(value, dt.datetime):
+        return value.isoformat()
+    return str(value)
+
+
+def log_event(event: str, level: int = logging.INFO, **fields) -> None:
+    payload = {"event": event, "req_id": request_id_ctx.get()}
+    for key, value in fields.items():
+        payload[key] = _normalize_log_value(value)
+    logger.log(level, json.dumps(payload, ensure_ascii=False, separators=(",", ":")))
+
+
+def now_utc() -> dt.datetime:
+    return dt.datetime.now(dt.timezone.utc)
+
+
+def session_closed_reason(sess: SessionModel, db: Session) -> str:
+    if not sess:
+        return "idle"
+    if sess.status == SessionStatus.EXPIRED:
+        return "idle"
+    if sess.status == SessionStatus.ROTATED:
+        return "limit"
+    if sess.status == SessionStatus.TERMINATED:
+        cutoff = now_utc() - dt.timedelta(seconds=SESSION_IDLE_SECONDS)
+        active_rows = db.scalars(
+            select(SessionModel).where(
+                SessionModel.user_id == sess.user_id,
+                SessionModel.status == SessionStatus.ACTIVE,
+                SessionModel.last_access_at >= cutoff,
+            )
+        ).all()
+        active_service_ids = {row.service_id for row in active_rows}
+        if len(active_service_ids) >= MAX_ACTIVE_SERVICES_PER_USER and sess.service_id not in active_service_ids:
+            return "limit"
+    return "idle"
+
+
+def normalize_web_target(url: str) -> str:
+    raw = (url or "").strip()
+    if not raw:
+        return raw
+    if raw.startswith(("http://", "https://")):
+        return raw
+    return f"http://{raw}"
+
+
+_md = mistune.create_markdown(
+    escape=True,
+    plugins=["strikethrough", "table", "task_lists"],
+)
+
+
+def format_service_comment(raw_text: str) -> Markup:
+    raw = (raw_text or "").replace("\r\n", "\n").replace("\r", "\n").strip()
+    if not raw:
+        return Markup("")
+    return Markup(_md(raw))
+
+
+def parse_rdp_target(target: str) -> dict:
+    raw = (target or "").strip()
+    if not raw:
+        raise HTTPException(status_code=400, detail="Empty RDP target")
+
+    parsed = urlparse(raw if "://" in raw else f"//{raw}")
+    host = parsed.hostname
+    if not host:
+        raise HTTPException(status_code=400, detail="Invalid RDP target. Use host:port or rdp://user:pass@host:port")
+    port = parsed.port or 3389
+
+    username = unquote(parsed.username) if parsed.username else ""
+    password = unquote(parsed.password) if parsed.password else ""
+
+    query = parse_qs(parsed.query or "")
+    if not username:
+        username = (query.get("u", [""])[0] or query.get("user", [""])[0] or "").strip()
+    if not password:
+        password = (query.get("p", [""])[0] or query.get("password", [""])[0] or "").strip()
+
+    domain = (query.get("domain", [""])[0] or query.get("d", [""])[0] or "").strip()
+    security = (query.get("sec", [""])[0] or query.get("security", [""])[0] or "").strip().lower()
+    if security and security not in {"nla", "tls", "rdp"}:
+        raise HTTPException(status_code=400, detail="Invalid RDP security. Use one of: nla, tls, rdp")
+
+    return {
+        "host": host,
+        "port": str(port),
+        "user": username,
+        "password": password,
+        "domain": domain,
+        "security": security,
+    }
+
+
+def set_service_categories(db: Session, service_id: int, category_ids: list[int]) -> None:
+    normalized = sorted({int(x) for x in (category_ids or [])})
+    if normalized:
+        existing_ids = set(db.scalars(select(Category.id).where(Category.id.in_(normalized))).all())
+        missing = sorted(set(normalized) - existing_ids)
+        if missing:
+            raise HTTPException(status_code=400, detail=f"Unknown category ids: {missing}")
+
+    existing_links = db.scalars(select(ServiceCategory).where(ServiceCategory.service_id == service_id)).all()
+    current = {row.category_id: row for row in existing_links}
+    wanted = set(normalized)
+
+    for cat_id in wanted:
+        if cat_id not in current:
+            db.add(ServiceCategory(service_id=service_id, category_id=cat_id))
+    for cat_id, row in current.items():
+        if cat_id not in wanted:
+            db.delete(row)
+
+
+def audit(db: Session, action: str, details: str, user_id: Optional[int] = None) -> None:
+    db.add(AuditLog(user_id=user_id, action=action, details=details))
+    db.commit()
+
+
+def ensure_icons_dir() -> None:
+    SERVICE_ICONS_DIR.mkdir(parents=True, exist_ok=True)
+
+
+def remove_icon_file(icon_path: str) -> None:
+    if not icon_path or not icon_path.startswith("/static/service-icons/"):
+        return
+    filename = icon_path.rsplit("/", 1)[-1]
+    candidate = SERVICE_ICONS_DIR / filename
+    try:
+        candidate.unlink(missing_ok=True)
+    except Exception:
+        logger.exception("icon_delete_failed path=%s", candidate)
+
+
+async def store_service_icon(service, upload: UploadFile) -> str:
+    ensure_icons_dir()
+    content_type = (upload.content_type or "").lower().strip()
+    ext = ICON_UPLOAD_TYPES.get(content_type)
+    if not ext:
+        raise HTTPException(status_code=400, detail="Unsupported file type. Use PNG/JPG/WEBP")
+
+    payload = await upload.read(ICON_UPLOAD_MAX_BYTES + 1)
+    if len(payload) > ICON_UPLOAD_MAX_BYTES:
+        raise HTTPException(status_code=400, detail="File too large. Max 2MB")
+    if not payload:
+        raise HTTPException(status_code=400, detail="Empty file")
+
+    stamp = dt.datetime.now(dt.timezone.utc).strftime("%Y%m%d_%H%M%S")
+    filename = f"svc_{service.id}_{stamp}.{ext}"
+    target = SERVICE_ICONS_DIR / filename
+    target.write_bytes(payload)
+    return f"/static/service-icons/{filename}"

docker-compose.yml

@@ -57,6 +57,16 @@ services:
       WEB_RESOLUTION_MAX_WIDTH: ${WEB_RESOLUTION_MAX_WIDTH:-3840}
       WEB_RESOLUTION_MAX_HEIGHT: ${WEB_RESOLUTION_MAX_HEIGHT:-2160}
       ENABLE_STARTUP_MAINTENANCE: ${ENABLE_STARTUP_MAINTENANCE:-0}
+      TELEGRAM_BOT_TOKEN: ${TELEGRAM_BOT_TOKEN:-}
+      TELEGRAM_CHAT_ID: ${TELEGRAM_CHAT_ID:-}
+      TELEGRAM_API_URL: ${TELEGRAM_API_URL:-https://api.telegram.org/bot}
+      SMTP_HOST: ${SMTP_HOST:-mail.hosting.reg.ru}
+      SMTP_PORT: ${SMTP_PORT:-465}
+      SMTP_USERNAME: ${SMTP_USERNAME:-}
+      SMTP_PASSWORD: ${SMTP_PASSWORD:-}
+      SMTP_FROM_EMAIL: ${SMTP_FROM_EMAIL:-}
+      SMTP_FROM_NAME: ${SMTP_FROM_NAME:-}
+      PORTAL_URL: ${PORTAL_URL:-https://stend.4mont.ru}
     depends_on:
       - db
     volumes:
@@ -65,7 +75,7 @@ services:
     labels:
       - traefik.enable=true
       - traefik.docker.network=portal_net
-      - traefik.http.routers.portal.rule=Host(`${PUBLIC_HOST}`)
+      - traefik.http.routers.portal.rule=Host(`${PUBLIC_HOST}`) || Host(`stand.mont.ru`)
       - traefik.http.routers.portal.entrypoints=websecure
       - traefik.http.routers.portal.tls=true
       - traefik.http.routers.portal.tls.certresolver=letsencrypt
@@ -107,6 +117,16 @@ services:
       WEB_RESOLUTION_MAX_WIDTH: ${WEB_RESOLUTION_MAX_WIDTH:-3840}
       WEB_RESOLUTION_MAX_HEIGHT: ${WEB_RESOLUTION_MAX_HEIGHT:-2160}
       ENABLE_STARTUP_MAINTENANCE: ${ENABLE_STARTUP_MAINTENANCE:-0}
+      TELEGRAM_BOT_TOKEN: ${TELEGRAM_BOT_TOKEN:-}
+      TELEGRAM_CHAT_ID: ${TELEGRAM_CHAT_ID:-}
+      TELEGRAM_API_URL: ${TELEGRAM_API_URL:-https://api.telegram.org/bot}
+      SMTP_HOST: ${SMTP_HOST:-mail.hosting.reg.ru}
+      SMTP_PORT: ${SMTP_PORT:-465}
+      SMTP_USERNAME: ${SMTP_USERNAME:-}
+      SMTP_PASSWORD: ${SMTP_PASSWORD:-}
+      SMTP_FROM_EMAIL: ${SMTP_FROM_EMAIL:-}
+      SMTP_FROM_NAME: ${SMTP_FROM_NAME:-}
+      PORTAL_URL: ${PORTAL_URL:-https://stend.4mont.ru}
     depends_on:
       - db
     volumes:

rdp-proxy/Dockerfile

@@ -3,6 +3,8 @@ FROM debian:bookworm-slim
 ENV DEBIAN_FRONTEND=noninteractive
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
+    tini \
+    python3 \
     xvfb \
     x11vnc \
     freerdp2-x11 \
@@ -14,7 +16,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && rm -rf /var/lib/apt/lists/*
 
 COPY entrypoint.sh /entrypoint.sh
+COPY manager.py /manager.py
 RUN chmod +x /entrypoint.sh
 
-EXPOSE 6080
-ENTRYPOINT ["/entrypoint.sh"]
+EXPOSE 6080 7001
+ENTRYPOINT ["/usr/bin/tini", "--", "/entrypoint.sh"]

rdp-proxy/entrypoint.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-RDP_HOST="${RDP_HOST:?RDP_HOST is required}"
+RDP_HOST="${RDP_HOST:-}"
 RDP_PORT="${RDP_PORT:-3389}"
 RDP_USER="${RDP_USER:-}"
 RDP_PASSWORD="${RDP_PASSWORD:-}"
@@ -40,8 +40,10 @@ cat > /opt/portal/index.html <<HTML
       position:fixed;left:16px;top:64px;z-index:99;display:flex;gap:10px;
       background:linear-gradient(180deg,rgba(15,24,36,.78),rgba(9,14,22,.86));
       border:1px solid rgba(255,255,255,.22);backdrop-filter:blur(5px);
-      box-shadow:0 10px 28px rgba(0,0,0,.36);padding:9px 10px;border-radius:14px
+      box-shadow:0 10px 28px rgba(0,0,0,.36);padding:9px 10px;border-radius:14px;
+      cursor:grab;user-select:none;touch-action:none
     }
+    .nav-panel.dragging{cursor:grabbing;opacity:.85}
     .nav-btn{
       border:1px solid rgba(255,255,255,.26);border-radius:999px;padding:9px 14px;cursor:pointer;
       background:linear-gradient(180deg,#2a8cd6,#1668a6);color:#fff;font:700 13px/1 sans-serif;
@@ -57,6 +59,7 @@ cat > /opt/portal/index.html <<HTML
   <div class="nav-panel">
     <button class="nav-btn" id="btn-back" type="button" title="Назад">←</button>
     <button class="nav-btn" id="btn-home" type="button" title="Главная">⌂</button>
+    <button class="nav-btn" id="btn-fs" type="button" title="На весь экран">⛶</button>
   </div>
   <script type="module">
     import RFB from './core/rfb.js';
@@ -174,8 +177,43 @@ cat > /opt/portal/index.html <<HTML
 
     document.getElementById('btn-back').addEventListener('click', () => chord(XK_ALT_L, XK_LEFT, 'AltLeft', 'ArrowLeft'));
     document.getElementById('btn-home').addEventListener('click', goHome);
+    document.getElementById('btn-fs').addEventListener('click', () => {
+      if (!document.fullscreenElement) document.documentElement.requestFullscreen();
+      else document.exitFullscreen();
+    });
+    document.addEventListener('fullscreenchange', () => {
+      document.getElementById('btn-fs').textContent = document.fullscreenElement ? '✕' : '⛶';
+      document.getElementById('btn-fs').title = document.fullscreenElement ? 'Выйти из полного экрана' : 'На весь экран';
+    });
     document.addEventListener('contextmenu', (e) => e.preventDefault());
 
+    (function(){
+      const p = document.querySelector('.nav-panel');
+      const SK = 'rdp_nav_pos';
+      try { const s = JSON.parse(localStorage.getItem(SK)); if(s){p.style.left=s.x+'px';p.style.top=s.y+'px';} } catch(e){}
+      let ox, oy, dragged = false;
+      p.addEventListener('pointerdown', e => {
+        if (e.target.closest('button')) return;
+        dragged = false;
+        ox = e.clientX - p.getBoundingClientRect().left;
+        oy = e.clientY - p.getBoundingClientRect().top;
+        p.setPointerCapture(e.pointerId);
+        p.classList.add('dragging');
+      });
+      p.addEventListener('pointermove', e => {
+        if (!p.hasPointerCapture(e.pointerId)) return;
+        dragged = true;
+        const x = Math.max(0, Math.min(window.innerWidth - p.offsetWidth, e.clientX - ox));
+        const y = Math.max(0, Math.min(window.innerHeight - p.offsetHeight, e.clientY - oy));
+        p.style.left = x + 'px';
+        p.style.top = y + 'px';
+      });
+      p.addEventListener('pointerup', () => {
+        p.classList.remove('dragging');
+        if (dragged) try { localStorage.setItem(SK, JSON.stringify({x: parseInt(p.style.left), y: parseInt(p.style.top)})); } catch(e){}
+      });
+    })();
+
     connect();
   </script>
 </body>
@@ -186,69 +224,30 @@ export DISPLAY="$DISPLAY_NUM"
 DISPLAY_N="${DISPLAY_NUM#:}"
 rm -f "/tmp/.X${DISPLAY_N}-lock" "/tmp/.X11-unix/X${DISPLAY_N}" 2>/dev/null || true
 Xvfb "$DISPLAY_NUM" -screen 0 "$SCREEN_GEOMETRY" >/tmp/xvfb.log 2>&1 &
+XVFB_PID=$!
 sleep 1
 
-RDP_ARGS=(
-  "/v:${RDP_HOST}:${RDP_PORT}"
-  "/cert:ignore"
-  "/f"
-  "/dynamic-resolution"
-  "/gfx-h264:avc444"
-  "/network:auto"
-  "+clipboard"
-)
-
-if [ -n "$RDP_SECURITY" ]; then
-  RDP_ARGS+=("/sec:${RDP_SECURITY}")
-fi
-
-if [ -n "$RDP_USER" ]; then
-  RDP_ARGS+=("/u:${RDP_USER}")
-fi
-if [ -n "$RDP_PASSWORD" ]; then
-  RDP_ARGS+=("/p:${RDP_PASSWORD}")
-fi
-if [ -n "$RDP_DOMAIN" ]; then
-  RDP_ARGS+=("/d:${RDP_DOMAIN}")
-fi
-
-xfreerdp "${RDP_ARGS[@]}" >/tmp/xfreerdp.log 2>&1 &
-XFREERDP_PID=$!
-
 x11vnc -display "$DISPLAY_NUM" -rfbport 5900 -forever -shared -nopw -noxdamage >/tmp/x11vnc.log 2>&1 &
 X11VNC_PID=$!
 
 websockify --verbose --idle-timeout="$IDLE_TIMEOUT" --web=/opt/portal 6080 localhost:5900 >/tmp/websockify.log 2>&1 &
 WEBSOCKIFY_PID=$!
 
+python3 /manager.py >/tmp/manager.log 2>&1 &
+MANAGER_PID=$!
 
-# Anti-idle: send Shift key to xfreerdp window every 30s to prevent remote lock screen
-anti_idle_loop() {
-    sleep 5
-    while true; do
-        WID=$(DISPLAY="$DISPLAY_NUM" xdotool search --pid "$XFREERDP_PID" 2>/dev/null | head -1)
-        if [ -n "$WID" ]; then
-            DISPLAY="$DISPLAY_NUM" xdotool key --window "$WID" shift 2>/dev/null || true
-        else
-            DISPLAY="$DISPLAY_NUM" xdotool mousemove --sync 500 300 2>/dev/null || true
-            sleep 1
-            DISPLAY="$DISPLAY_NUM" xdotool mousemove --sync 600 400 2>/dev/null || true
-        fi
-        sleep 30
-    done
-}
-anti_idle_loop &
-ANTI_IDLE_PID=$!
-
-# Graceful shutdown on docker stop (SIGTERM) — exit 0 so Docker does NOT auto-restart
 cleanup() {
-    kill "$XFREERDP_PID" "$X11VNC_PID" "$WEBSOCKIFY_PID" "$ANTI_IDLE_PID" 2>/dev/null
+    python3 -c "
+import urllib.request, sys
+try:
+    urllib.request.urlopen('http://localhost:7001/disconnect', b'', timeout=3)
+except Exception as e:
+    sys.stderr.write(str(e) + '\n')
+" 2>/dev/null || true
+    kill "$X11VNC_PID" "$WEBSOCKIFY_PID" "$MANAGER_PID" "$XVFB_PID" 2>/dev/null || true
     exit 0
 }
 trap cleanup TERM INT
 
-# Monitor xfreerdp — when it exits (disconnect/logoff) restart the container
-wait "$XFREERDP_PID"
-echo "xfreerdp exited (code $?), triggering container restart" >> /tmp/xfreerdp.log
-kill "$X11VNC_PID" "$WEBSOCKIFY_PID" 2>/dev/null
-exit 1
+wait "$WEBSOCKIFY_PID" || true
+cleanup

rdp-proxy/manager.py

@@ -0,0 +1,192 @@
+#!/usr/bin/env python3
+"""On-demand xfreerdp manager. HTTP on port 7001."""
+import json
+import logging
+import os
+import subprocess
+import threading
+import time
+from http.server import BaseHTTPRequestHandler, HTTPServer
+
+logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
+log = logging.getLogger("rdp-manager")
+
+DISPLAY = os.environ.get("DISPLAY", ":1")
+RDP_HOST = os.environ.get("RDP_HOST", "")
+RDP_PORT = os.environ.get("RDP_PORT", "3389")
+RDP_USER = os.environ.get("RDP_USER", "")
+RDP_PASSWORD = os.environ.get("RDP_PASSWORD", "")
+RDP_DOMAIN = os.environ.get("RDP_DOMAIN", "")
+RDP_SECURITY = os.environ.get("RDP_SECURITY", "")
+
+STATE_FILE = "/tmp/rdp_state.json"
+
+_lock = threading.Lock()
+_proc: subprocess.Popen | None = None
+_should_be_connected = False
+
+
+def _save_state():
+    try:
+        with open(STATE_FILE, "w") as f:
+            json.dump({"should_be_connected": _should_be_connected}, f)
+    except Exception:
+        pass
+
+
+def _load_state() -> bool:
+    try:
+        with open(STATE_FILE) as f:
+            return json.load(f).get("should_be_connected", False)
+    except Exception:
+        return False
+
+
+def _build_args():
+    args = [
+        "xfreerdp",
+        f"/v:{RDP_HOST}:{RDP_PORT}",
+        "/cert:ignore",
+        "/f",
+        "/dynamic-resolution",
+        "/gfx-h264:avc444",
+        "/network:auto",
+        "+clipboard",
+    ]
+    if RDP_SECURITY:
+        args.append(f"/sec:{RDP_SECURITY}")
+    if RDP_USER:
+        args.append(f"/u:{RDP_USER}")
+    if RDP_PASSWORD:
+        args.append(f"/p:{RDP_PASSWORD}")
+    if RDP_DOMAIN:
+        args.append(f"/d:{RDP_DOMAIN}")
+    return args
+
+
+def _launch():
+    global _proc
+    env = dict(os.environ)
+    env["DISPLAY"] = DISPLAY
+    log_file = open("/tmp/xfreerdp.log", "a")
+    _proc = subprocess.Popen(_build_args(), stdout=log_file, stderr=log_file, env=env)
+    log.info("xfreerdp started pid=%s target=%s:%s", _proc.pid, RDP_HOST, RDP_PORT)
+    return _proc
+
+
+def _monitor_loop():
+    while True:
+        time.sleep(5)
+        with _lock:
+            if not _should_be_connected:
+                continue
+            if _proc is None or _proc.poll() is not None:
+                log.info("xfreerdp exited unexpectedly, reconnecting in 3s")
+                time.sleep(3)
+                _launch()
+
+
+def _anti_idle_loop():
+    env = {**os.environ, "DISPLAY": DISPLAY}
+    toggle = False
+    while True:
+        time.sleep(60)
+        with _lock:
+            active = _should_be_connected and _proc is not None and _proc.poll() is None
+        if not active:
+            continue
+        try:
+            r = subprocess.run(
+                ["xdotool", "search", "--name", "FreeRDP"],
+                env=env, capture_output=True, timeout=5,
+            )
+            win_id = r.stdout.decode().strip().splitlines()[0] if r.stdout.strip() else ""
+            if win_id:
+                x, y = (5, 80) if toggle else (6, 81)
+                subprocess.run(
+                    ["xdotool", "mousemove", "--window", win_id, str(x), str(y)],
+                    env=env, capture_output=True, timeout=5,
+                )
+                subprocess.run(
+                    ["xdotool", "click", "--window", win_id, "1"],
+                    env=env, capture_output=True, timeout=5,
+                )
+                subprocess.run(
+                    ["xdotool", "key", "--window", win_id, "--clearmodifiers", "shift"],
+                    env=env, capture_output=True, timeout=5,
+                )
+                toggle = not toggle
+                log.debug("anti_idle click window=%s pos=%s,%s", win_id, x, y)
+            else:
+                log.debug("anti_idle: xfreerdp window not found")
+        except Exception as e:
+            log.debug("anti_idle error: %s", e)
+
+
+threading.Thread(target=_monitor_loop, daemon=True).start()
+threading.Thread(target=_anti_idle_loop, daemon=True).start()
+
+
+class Handler(BaseHTTPRequestHandler):
+    def log_message(self, fmt, *args):
+        pass
+
+    def _json(self, code, data):
+        body = json.dumps(data).encode()
+        self.send_response(code)
+        self.send_header("Content-Type", "application/json")
+        self.send_header("Content-Length", str(len(body)))
+        self.end_headers()
+        self.wfile.write(body)
+
+    def do_GET(self):
+        if self.path == "/health":
+            with _lock:
+                connected = _proc is not None and _proc.poll() is None
+                pid = _proc.pid if connected else None
+            self._json(200, {
+                "connected": connected,
+                "pid": pid,
+                "target": f"{RDP_HOST}:{RDP_PORT}",
+                "should_be_connected": _should_be_connected,
+            })
+        else:
+            self._json(404, {"error": "not found"})
+
+    def do_POST(self):
+        global _proc, _should_be_connected
+        if self.path == "/connect":
+            with _lock:
+                _should_be_connected = True
+                _save_state()
+                if _proc is not None and _proc.poll() is None:
+                    self._json(200, {"ok": True, "pid": _proc.pid, "already": True})
+                    return
+                proc = _launch()
+            self._json(200, {"ok": True, "pid": proc.pid})
+        elif self.path == "/disconnect":
+            with _lock:
+                _should_be_connected = False
+                _save_state()
+                if _proc is not None:
+                    _proc.terminate()
+                    try:
+                        _proc.wait(timeout=5)
+                    except subprocess.TimeoutExpired:
+                        _proc.kill()
+                    _proc = None
+            log.info("xfreerdp disconnected")
+            self._json(200, {"ok": True})
+        else:
+            self._json(404, {"error": "not found"})
+
+
+if __name__ == "__main__":
+    if not RDP_HOST:
+        log.warning("RDP_HOST not set — connect calls will fail")
+    if _load_state():
+        log.info("restoring state: reconnecting xfreerdp")
+        _should_be_connected = True
+        _launch()
+    log.info("manager started on :7001")
+    HTTPServer(("0.0.0.0", 7001), Handler).serve_forever()

traefik/traefik.yml

@@ -1,8 +1,18 @@
 entryPoints:
   web:
     address: ":80"
+    forwardedHeaders:
+      trustedIPs:
+        - "10.0.0.0/8"
+        - "172.16.0.0/12"
+        - "192.168.0.0/16"
   websecure:
     address: ":443"
+    forwardedHeaders:
+      trustedIPs:
+        - "10.0.0.0/8"
+        - "172.16.0.0/12"
+        - "192.168.0.0/16"
 
 providers:
   docker:

universal-runtime/Dockerfile

@@ -1,8 +1,12 @@
 FROM debian:bookworm-slim
 
-ENV DEBIAN_FRONTEND=noninteractive
+ENV DEBIAN_FRONTEND=noninteractive \
+    LANG=ru_RU.UTF-8 \
+    LC_ALL=ru_RU.UTF-8 \
+    LANGUAGE=ru_RU:ru
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
+    tini \
     chromium \
     xvfb \
     x11vnc \
@@ -16,6 +20,9 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     x11-utils \
     fonts-dejavu-core \
     python3-cryptography \
+    locales \
+    && sed -i 's/# ru_RU.UTF-8/ru_RU.UTF-8/' /etc/locale.gen \
+    && locale-gen \
     && rm -rf /var/lib/apt/lists/*
 
 COPY entrypoint.sh /entrypoint.sh
@@ -23,4 +30,4 @@ COPY manager.py /manager.py
 RUN chmod +x /entrypoint.sh
 
 EXPOSE 6080
-ENTRYPOINT ["/entrypoint.sh"]
+ENTRYPOINT ["/usr/bin/tini", "--", "/entrypoint.sh"]

universal-runtime/entrypoint.sh

@@ -42,7 +42,8 @@ cat > /opt/portal/index.html <<'HTML'
     .nav-panel{
       position:fixed;left:16px;top:64px;z-index:99;display:flex;gap:10px;
       background:linear-gradient(180deg,rgba(15,24,36,.78),rgba(9,14,22,.86));border:1px solid rgba(255,255,255,.22);backdrop-filter: blur(5px);
-      box-shadow:0 10px 28px rgba(0,0,0,.36);padding:9px 10px;border-radius:14px
+      box-shadow:0 10px 28px rgba(0,0,0,.36);padding:9px 10px;border-radius:14px;
+      cursor:grab;user-select:none;touch-action:none
     }
     .nav-btn{
       border:1px solid rgba(255,255,255,.26);border-radius:999px;padding:9px 14px;cursor:pointer;letter-spacing:.01em;
@@ -50,6 +51,7 @@ cat > /opt/portal/index.html <<'HTML'
     }
     .nav-btn:hover{filter:brightness(1.08)}
     .nav-btn:active{transform:translateY(1px)}
+    .nav-panel.dragging{cursor:grabbing;opacity:.85}
   </style>
 </head>
 <body>
@@ -58,6 +60,7 @@ cat > /opt/portal/index.html <<'HTML'
   <div class="nav-panel">
     <button class="nav-btn" id="btn-back" type="button" title="Назад">←</button>
     <button class="nav-btn" id="btn-home" type="button" title="Главная">⌂</button>
+    <button class="nav-btn" id="btn-fs" type="button" title="На весь экран">⛶</button>
   </div>
   <script type="module">
     import RFB from './core/rfb.js';
@@ -251,8 +254,43 @@ cat > /opt/portal/index.html <<'HTML'
 
     document.getElementById('btn-back').addEventListener('click', () => chord(XK_ALT_L, XK_LEFT, 'AltLeft', 'ArrowLeft'));
     document.getElementById('btn-home').addEventListener('click', goHome);
+    document.getElementById('btn-fs').addEventListener('click', () => {
+      if (!document.fullscreenElement) document.documentElement.requestFullscreen();
+      else document.exitFullscreen();
+    });
+    document.addEventListener('fullscreenchange', () => {
+      document.getElementById('btn-fs').textContent = document.fullscreenElement ? '✕' : '⛶';
+      document.getElementById('btn-fs').title = document.fullscreenElement ? 'Выйти из полного экрана' : 'На весь экран';
+    });
     document.addEventListener('contextmenu', (e) => e.preventDefault());
 
+    (function(){
+      const p = document.querySelector('.nav-panel');
+      const SK = 'portal_nav_pos';
+      try { const s = JSON.parse(localStorage.getItem(SK)); if(s){p.style.left=s.x+'px';p.style.top=s.y+'px';} } catch(e){}
+      let ox, oy, dragged = false;
+      p.addEventListener('pointerdown', e => {
+        if (e.target.closest('button')) return;
+        dragged = false;
+        ox = e.clientX - p.getBoundingClientRect().left;
+        oy = e.clientY - p.getBoundingClientRect().top;
+        p.setPointerCapture(e.pointerId);
+        p.classList.add('dragging');
+      });
+      p.addEventListener('pointermove', e => {
+        if (!p.hasPointerCapture(e.pointerId)) return;
+        dragged = true;
+        const x = Math.max(0, Math.min(window.innerWidth - p.offsetWidth, e.clientX - ox));
+        const y = Math.max(0, Math.min(window.innerHeight - p.offsetHeight, e.clientY - oy));
+        p.style.left = x + 'px';
+        p.style.top = y + 'px';
+      });
+      p.addEventListener('pointerup', () => {
+        p.classList.remove('dragging');
+        if (dragged) try { localStorage.setItem(SK, JSON.stringify({x: parseInt(p.style.left), y: parseInt(p.style.top)})); } catch(e){}
+      });
+    })();
+
     connectRfb('Подключение к слоту...');
   </script>
 </body>

universal-runtime/manager.py

@@ -30,8 +30,6 @@ _lock = threading.Lock()
 _AUTOFILL_CONTENT_JS = r"""
 (function() {
   const CREDS = __CREDS__;
-  let userFilled = false;
-  let passFilled = false;
   console.log('[PortalAutofill] loaded for', location.href);
 
   function isVisible(el) {
@@ -102,33 +100,40 @@ _AUTOFILL_CONTENT_JS = r"""
   function setNativeValue(el, v) {
     if (!el) return false;
     if (el.value === v) return true;
+    el.dispatchEvent(new FocusEvent('focus', { bubbles: true }));
     const proto = Object.getPrototypeOf(el);
     const desc = Object.getOwnPropertyDescriptor(proto, 'value') ||
                  Object.getOwnPropertyDescriptor(window.HTMLInputElement.prototype, 'value');
     if (desc && desc.set) desc.set.call(el, v); else el.value = v;
-    el.dispatchEvent(new Event('input', { bubbles: true }));
+    el.dispatchEvent(new InputEvent('input', { bubbles: true, data: v, inputType: 'insertText' }));
     el.dispatchEvent(new Event('change', { bubbles: true }));
+    el.dispatchEvent(new KeyboardEvent('keyup', { bubbles: true, key: v.slice(-1) }));
+    el.dispatchEvent(new FocusEvent('blur', { bubbles: true }));
     return true;
   }
 
   function tryFill() {
-    if (userFilled && passFilled) return;
     const p = findPassField();
     const u = findUserField(p);
-    if (CREDS.password && p && !passFilled) {
-      if (setNativeValue(p, CREDS.password)) {
-        passFilled = true;
-        console.log('[PortalAutofill] password filled');
-      }
-    }
-    if (CREDS.login && u && !userFilled) {
+    // Fill login FIRST so password-triggered re-render doesn't clear it
+    if (CREDS.login && u) {
       if (setNativeValue(u, CREDS.login)) {
-        userFilled = true;
         console.log('[PortalAutofill] user filled');
       }
     }
-    if (!CREDS.login) userFilled = true;
-    if (!CREDS.password) passFilled = true;
+    if (CREDS.password && p) {
+      if (setNativeValue(p, CREDS.password)) {
+        console.log('[PortalAutofill] password filled');
+      }
+    }
+  }
+
+  // Watch for SPA re-renders clearing the fields and re-fill continuously
+  let _filling = false;
+  function scheduleFill() {
+    if (_filling) return;
+    _filling = true;
+    requestAnimationFrame(() => { tryFill(); _filling = false; });
   }
 
   if (document.readyState === 'loading') {
@@ -137,17 +142,22 @@ _AUTOFILL_CONTENT_JS = r"""
     tryFill();
   }
 
-  const obs = new MutationObserver(() => {
-    if (!(userFilled && passFilled)) tryFill();
-  });
+  // Periodic check for first 30s in case of async SPA resets
+  let _checks = 0;
+  const _interval = setInterval(() => {
+    tryFill();
+    if (++_checks >= 30) clearInterval(_interval);
+  }, 1000);
+
+  const obs = new MutationObserver(scheduleFill);
   if (document.documentElement) {
     obs.observe(document.documentElement, { childList: true, subtree: true });
   }
 
   const resetAndRefill = () => {
-    userFilled = !CREDS.login;
-    passFilled = !CREDS.password;
+    _checks = 0;
     setTimeout(tryFill, 150);
+    setTimeout(tryFill, 600);
   };
   ['pushState', 'replaceState'].forEach(fn => {
     const orig = history[fn];
@@ -352,8 +362,7 @@ def open_web(
     safe_w, safe_h = apply_resolution(width, height)
     profile_dir = _create_chrome_profile()
     extension_dir = _create_autofill_extension(login, password)
-    # Embed credentials in URL for HTTP Basic Auth (no dialog shown)
-    url_with_creds = _url_with_credentials(url, login, password)
+    url_with_creds = url  # credentials in URL break SPA fetch; extension handles auth
 
     # Use the real Chromium binary directly to avoid the Debian wrapper which
     # injects an empty `--load-extension=` from /etc/chromium.d/extensions.