izteamslots 1.5.5 → 1.6.1

package/CHANGELOG.md

@@ -1,3 +1,17 @@
+## [1.6.1](https://github.com/izzzzzi/izTeamSlots/compare/v1.6.0...v1.6.1) (2026-03-07)
+
+
+### Bug Fixes
+
+* **ci:** install python deps before unit tests ([5c57d2a](https://github.com/izzzzzi/izTeamSlots/commit/5c57d2a5c9f22ed667d9cbdedacb69c465d136ba))
+
+# [1.6.0](https://github.com/izzzzzi/izTeamSlots/compare/v1.5.5...v1.6.0) (2026-03-06)
+
+
+### Features
+
+* **auth:** disable automatic admin login ([930313f](https://github.com/izzzzzi/izTeamSlots/commit/930313f6ef2f06674cc9da6e8d45061dc8c89a93))
+
 ## [1.5.5](https://github.com/izzzzzi/izTeamSlots/compare/v1.5.4...v1.5.5) (2026-03-06)
 
 

package/CONTRIBUTING.md

@@ -42,19 +42,30 @@ izTeamSlots/
 └── .github/workflows/ # CI/CD
 ```
 
-## Линтеры
+## Проверки и тесты
 
 Перед коммитом убедитесь что код проходит проверки:
 
 ```bash
-# Python — ruff
-ruff check backend/
+# Python — lint + unit tests
+ruff check backend tests
+python -m unittest discover -s tests -p 'test_*.py'
 
-# TypeScript — tsc
-npm run typecheck:ui
+# TypeScript — typecheck + unit tests
+npm --prefix ui run typecheck
+npm --prefix ui run test
 ```
 
-CI автоматически запускает оба линтера на каждый push и PR.
+CI автоматически запускает эти проверки на каждый PR.
+
+## Требование по тестам
+
+- Любая новая функциональность или заметное изменение логики должно сопровождаться тестами.
+- Минимум: покрывайте тот слой, который можно проверить локально без браузерного e2e.
+- Для Python-логики добавляйте `unittest`-тесты в `tests/`.
+- Для чистой TypeScript-логики добавляйте тесты в `ui/tests/`.
+- Если изменение нельзя адекватно покрыть unit-тестом, это нужно явно отметить в описании PR.
+- PR без тестов для новой логики может быть отклонён.
 
 ## Conventional Commits
 
@@ -100,8 +111,9 @@ chore: update seleniumbase to 4.33
 
 1. Один PR — одно логическое изменение.
 2. Следуйте Conventional Commits.
-3. Убедитесь что `ruff check` и `tsc --noEmit` проходят.
-4. Обновите документацию если изменение затрагивает пользовательское поведение.
+3. Добавьте или обновите тесты, если меняется логика приложения.
+4. Убедитесь что lint, unit tests и typecheck проходят локально.
+5. Обновите документацию если изменение затрагивает пользовательское поведение.
 
 ### Новый почтовый провайдер
 

package/backend/rpc_server.py

@@ -155,6 +155,19 @@ class RPCServer:
             )
             return make_success_response(req.request_id, {"job_id": job_id})
 
+        if m == "workspace.sync_preview":
+            admin_email = self._as_str_param(p, "admin_email")
+            result = self.facade.preview_workspace_sync(admin_email)
+            return make_success_response(req.request_id, result)
+
+        if m == "job.sync_workspace":
+            admin_email = self._as_str_param(p, "admin_email")
+            job_id = self._run_job(
+                f"Синхронизация WS: {admin_email}",
+                lambda ctx: self.facade.sync_workspace(admin_email, ctx.log),
+            )
+            return make_success_response(req.request_id, {"job_id": job_id})
+
         if m == "job.open_admin_browser":
             email = self._as_str_param(p, "email")
             job_id = self._run_job(

package/backend/slot_orchestrator.py

@@ -173,25 +173,7 @@ class SlotManager:
         self._finalize_admin_login(page, session, manual_web_flow=True)
 
     def login_admin(self) -> None:
-        """Логин админа через OAuth PKCE — получаем все токены (access, id, refresh)."""
-        if not self._admin:
-            raise RuntimeError(f"Админ {self.admin_email} не найден в AccountStore")
-
-        mailbox = Mailbox(email=self._admin.email, password=self._admin.password)
-        profile_dir = self.store.get_admin_profile_dir(self._admin)
-        mail = self._get_admin_mail()
-
-        self._log("Логин админа (OAuth PKCE)...")
-        page, session = oauth_login(
-            email=self._admin.email,
-            password=self._admin.password,
-            mail_client=mail,
-            mailbox=mailbox,
-            profile_dir=profile_dir,
-            log=self._log,
-            headless=self._headless,
-        )
-        self._finalize_admin_login(page, session)
+        raise RuntimeError("Авто-вход админа временно отключён. Используйте ручной вход через браузер.")
 
     def login_admin_manual(self) -> None:
         """Ручной логин админа в браузере с последующим автоматическим сохранением токенов."""
@@ -328,6 +310,106 @@ class SlotManager:
         api = self._get_api(page)
         return api.get_members()
 
+    def _build_workspace_sync_plan(
+        self,
+        members: list[dict[str, Any]],
+        pending_invites: list[dict[str, Any]],
+    ) -> dict[str, Any]:
+        local_emails = {w.email.strip().lower() for w in self._get_workers() if w.email}
+        admin_email = (self.admin_email or "").strip().lower()
+
+        extra_members: list[dict[str, str]] = []
+        extra_invites: list[dict[str, str]] = []
+        skipped: list[dict[str, str]] = []
+
+        for member in members:
+            email = str(member.get("email") or "").strip()
+            if not email:
+                continue
+            email_key = email.lower()
+            role = str(member.get("role") or "")
+
+            if email_key == admin_email:
+                skipped.append({"type": "member", "email": email, "reason": "self"})
+                continue
+            if role and role != "standard-user":
+                skipped.append({"type": "member", "email": email, "reason": f"role:{role}"})
+                continue
+            if email_key in local_emails:
+                continue
+
+            extra_members.append(
+                {
+                    "email": email,
+                    "id": str(member.get("id") or ""),
+                    "role": role or "standard-user",
+                }
+            )
+
+        for invite in pending_invites:
+            email = str(invite.get("email") or invite.get("email_address") or "").strip()
+            if not email:
+                continue
+            email_key = email.lower()
+            if email_key == admin_email:
+                skipped.append({"type": "invite", "email": email, "reason": "self"})
+                continue
+            if email_key in local_emails:
+                continue
+
+            extra_invites.append({"email": email})
+
+        return {
+            "admin_email": self.admin_email,
+            "workspace_id": self.account_id,
+            "local_workers_total": len(local_emails),
+            "members_total": len(members),
+            "pending_invites_total": len(pending_invites),
+            "extra_members": extra_members,
+            "extra_invites": extra_invites,
+            "skipped": skipped,
+            "removed_members": [],
+            "removed_invites": [],
+        }
+
+    def sync_workspace(self, *, dry_run: bool = True) -> dict[str, Any]:
+        page = self._ensure_admin_page()
+        api = self._get_api(page)
+
+        members = api.get_members()
+        pending_invites = api.get_pending_invites()
+        result = self._build_workspace_sync_plan(members, pending_invites)
+        result["dry_run"] = dry_run
+
+        if dry_run:
+            self._log(f"WS preview: лишних участников {len(result['extra_members'])}, лишних инвайтов {len(result['extra_invites'])}")
+            return result
+
+        for member in result["extra_members"]:
+            member_id = member.get("id")
+            email = member.get("email", "")
+            if not member_id:
+                self._log(f"[предупреждение] Пропускаю участника без id: {email}")
+                continue
+            api.delete_member(member_id)
+            result["removed_members"].append(email)
+            self._log(f"Удалён участник WS: {email}")
+
+        for invite in result["extra_invites"]:
+            email = invite.get("email", "")
+            if not email:
+                continue
+            api.delete_invite(email)
+            result["removed_invites"].append(email)
+            self._log(f"Удалён инвайт WS: {email}")
+
+        self._log(
+            "WS синхронизирован: "
+            f"участников удалено {len(result['removed_members'])}, "
+            f"инвайтов удалено {len(result['removed_invites'])}"
+        )
+        return result
+
     def register_slot(self, worker: WorkerAccount, invite_url: str) -> None:
         """Зарегистрировать приглашённый аккаунт через инвайт-ссылку."""
         mailbox = self._mailboxes.get(worker.email)

package/backend/ui_facade.py

@@ -201,10 +201,7 @@ class UIFacade:
         self.manager = manager
 
     def login_admin(self, email: str, log: LogFunc) -> None:
-        manager = SlotManager(store=self.store, admin_email=email, log=log)
-        self._replace_manager(manager)
-        manager.login_admin()
-        self.sync_codex_files()
+        raise RuntimeError("Авто-вход админа временно отключён. Используйте ручной вход через браузер.")
 
     def login_admin_manual(self, email: str, log: LogFunc) -> None:
         manager = SlotManager(store=self.store, admin_email=email, log=log)
@@ -212,6 +209,18 @@ class UIFacade:
         manager.login_admin_manual()
         self.sync_codex_files()
 
+    def preview_workspace_sync(self, admin_email: str) -> dict[str, Any]:
+        manager = SlotManager(store=self.store, admin_email=admin_email, log=lambda _msg: None, headless=True)
+        try:
+            return manager.sync_workspace(dry_run=True)
+        finally:
+            manager.close()
+
+    def sync_workspace(self, admin_email: str, log: LogFunc) -> dict[str, Any]:
+        manager = SlotManager(store=self.store, admin_email=admin_email, log=log, headless=False)
+        self._replace_manager(manager)
+        return manager.sync_workspace(dry_run=False)
+
     def run_slots_pipeline(
         self,
         admin_email: str,
@@ -307,4 +316,3 @@ class UIFacade:
         log(f"Готово: {ok}/{total}")
         self.sync_codex_files()
         return {"ok": ok, "total": total}
-

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "izteamslots",
-  "version": "1.5.5",
+  "version": "1.6.1",
   "description": "ChatGPT Team slot management — automated invite, register, OAuth login & codex token pipeline",
   "bin": {
     "izteamslots": "bin/izteamslots.mjs"

package/tests/test_account_store.py

@@ -0,0 +1,86 @@
+from __future__ import annotations
+
+import json
+import tempfile
+import unittest
+from pathlib import Path
+
+from backend.account_store import AccountStore
+
+
+class TestAccountStore(unittest.TestCase):
+    def setUp(self) -> None:
+        self.temp_dir = tempfile.TemporaryDirectory()
+        self.base_dir = Path(self.temp_dir.name) / "accounts"
+        self.store = AccountStore(self.base_dir)
+
+    def tearDown(self) -> None:
+        self.temp_dir.cleanup()
+
+    def test_admin_crud_roundtrip(self) -> None:
+        admin = self.store.add_admin("admin@example.com", "pw")
+        admin.access_token = "token"
+        admin.workspace_id = "ws-1"
+        admin.account_id = "acc-1"
+        admin.workspaces = [{"workspace_id": "ws-1"}]
+        admin.last_login = "2026-03-07T00:00:00Z"
+        self.store.update_admin(admin)
+
+        loaded = self.store.get_admin("admin@example.com")
+
+        self.assertIsNotNone(loaded)
+        assert loaded is not None
+        self.assertEqual(loaded.access_token, "token")
+        self.assertEqual(loaded.workspace_id, "ws-1")
+        self.assertEqual(loaded.account_id, "acc-1")
+        self.assertEqual(loaded.workspaces, [{"workspace_id": "ws-1"}])
+        self.assertEqual(loaded.last_login, "2026-03-07T00:00:00Z")
+
+        self.store.delete_admin("admin@example.com")
+        self.assertIsNone(self.store.get_admin("admin@example.com"))
+
+    def test_worker_crud_roundtrip(self) -> None:
+        worker = self.store.add_worker("slot@example.com", "pw", "admin@example.com")
+        worker.status = "registered"
+        worker.openai_password = "openai-pw"
+        worker.access_token = "token"
+        worker.workspace_id = "ws-1"
+        self.store.update_worker(worker)
+
+        loaded = self.store.get_worker("slot@example.com")
+
+        self.assertIsNotNone(loaded)
+        assert loaded is not None
+        self.assertEqual(loaded.status, "registered")
+        self.assertEqual(loaded.openai_password, "openai-pw")
+        self.assertEqual(loaded.access_token, "token")
+        self.assertEqual(loaded.workspace_id, "ws-1")
+        self.assertEqual(loaded.admin_email, "admin@example.com")
+
+        self.store.delete_worker("slot@example.com")
+        self.assertIsNone(self.store.get_worker("slot@example.com"))
+
+    def test_doctor_rebuilds_broken_worker_index(self) -> None:
+        worker = self.store.add_worker("slot@example.com", "pw", "admin@example.com")
+        worker_dir = self.store.worker_dir / worker.id
+        index_path = self.store.worker_dir / "index.json"
+        index_path.write_text("{broken", encoding="utf-8")
+
+        fixes = self.store.doctor()
+
+        rebuilt = json.loads(index_path.read_text(encoding="utf-8"))
+        self.assertIn("slot@example.com", rebuilt)
+        self.assertTrue(any("index.json был повреждён" in fix for fix in fixes))
+        self.assertTrue(worker_dir.exists())
+
+    def test_doctor_recreates_missing_meta(self) -> None:
+        worker = self.store.add_worker("slot@example.com", "pw", "admin@example.com")
+        meta_path = self.store.worker_dir / worker.id / "meta.json"
+        meta_path.unlink()
+
+        fixes = self.store.doctor()
+
+        rebuilt = json.loads(meta_path.read_text(encoding="utf-8"))
+        self.assertEqual(rebuilt["email"], "slot@example.com")
+        self.assertEqual(rebuilt["status"], "created")
+        self.assertTrue(any("meta.json отсутствовал" in fix for fix in fixes))

package/tests/test_dto.py

@@ -0,0 +1,43 @@
+from __future__ import annotations
+
+import unittest
+
+from backend.account_store import AdminAccount, WorkerAccount
+from backend.dto import AdminRow, AppStateDTO, WorkerRow
+
+
+class TestDTO(unittest.TestCase):
+    def test_admin_row_statuses(self) -> None:
+        account = AdminAccount(id="1", email="admin@example.com", password="pw")
+        self.assertEqual(AdminRow.from_account(account).status_label, "Не настроен")
+        self.assertEqual(AdminRow.from_account(account, has_browser_profile=True).status_label, "Нужен вход")
+
+        account.access_token = "token"
+        self.assertEqual(AdminRow.from_account(account).status_label, "Есть токен")
+        self.assertEqual(AdminRow.from_account(account, has_browser_profile=True).status_label, "Готов")
+
+    def test_worker_row_statuses(self) -> None:
+        account = WorkerAccount(id="1", email="slot@example.com", password="pw", admin_email="admin@example.com")
+        self.assertEqual(WorkerRow.from_account(account).status_label, "Создан")
+
+        account.status = "invited"
+        self.assertEqual(WorkerRow.from_account(account).status_label, "Инвайт отправлен")
+
+        account.status = "registered"
+        self.assertEqual(WorkerRow.from_account(account).status_label, "Зарегистрирован")
+
+        account.access_token = "token"
+        self.assertEqual(WorkerRow.from_account(account, has_browser_profile=True).status_label, "Готов")
+
+    def test_app_state_to_dict(self) -> None:
+        dto = AppStateDTO(
+            admins=[AdminRow.from_account(AdminAccount(id="1", email="admin@example.com", password="pw"))],
+            workers=[WorkerRow.from_account(WorkerAccount(id="2", email="slot@example.com", password="pw"))],
+        )
+
+        result = dto.to_dict()
+
+        self.assertIn("admins", result)
+        self.assertIn("workers", result)
+        self.assertEqual(result["admins"][0]["email"], "admin@example.com")
+        self.assertEqual(result["workers"][0]["email"], "slot@example.com")

package/tests/test_jobs.py

@@ -0,0 +1,76 @@
+from __future__ import annotations
+
+import threading
+import time
+import unittest
+from typing import Any
+from uuid import uuid4
+
+from backend import DATA_ROOT
+from backend.file_logger import FileLogger
+from backend.jobs import JobManager
+
+
+class TestJobManager(unittest.TestCase):
+    def setUp(self) -> None:
+        self.events: list[tuple[str, dict[str, Any]]] = []
+        self.logs_root = DATA_ROOT / "downloaded_files" / f"test-logs-{uuid4().hex}"
+        self.logger = FileLogger(self.logs_root)
+
+    def tearDown(self) -> None:
+        if self.logs_root.exists():
+            for child in sorted(self.logs_root.rglob("*"), reverse=True):
+                if child.is_file():
+                    child.unlink()
+                elif child.is_dir():
+                    child.rmdir()
+
+    def emit(self, event: str, data: dict[str, Any]) -> None:
+        self.events.append((event, data))
+
+    def test_successful_job_emits_started_progress_done(self) -> None:
+        manager = JobManager(self.emit, file_logger=self.logger)
+
+        def handler(ctx):
+            ctx.log("hello")
+            ctx.progress(1, 2, "step")
+            return {"ok": True}
+
+        job_id = manager.start("test job", handler)
+        manager.wait_all()
+
+        event_names = [name for name, _ in self.events]
+        self.assertEqual(job_id, self.events[0][1]["job_id"])
+        self.assertIn("job.started", event_names)
+        self.assertIn("job.log", event_names)
+        self.assertIn("job.progress", event_names)
+        self.assertIn("job.done", event_names)
+
+    def test_failed_job_emits_error(self) -> None:
+        manager = JobManager(self.emit, file_logger=self.logger)
+
+        def handler(_ctx):
+            raise RuntimeError("boom")
+
+        manager.start("failing job", handler)
+        manager.wait_all()
+
+        last_event, payload = self.events[-1]
+        self.assertEqual(last_event, "job.error")
+        self.assertEqual(payload["error"], "boom")
+
+    def test_cannot_start_second_job_while_busy(self) -> None:
+        manager = JobManager(self.emit, file_logger=self.logger)
+        release = threading.Event()
+
+        def handler(_ctx):
+            release.wait(timeout=2)
+            time.sleep(0.05)
+
+        manager.start("long job", handler)
+        try:
+            with self.assertRaises(RuntimeError):
+                manager.start("second job", handler)
+        finally:
+            release.set()
+            manager.wait_all()

package/tests/test_rpc_protocol.py

@@ -0,0 +1,33 @@
+from __future__ import annotations
+
+import unittest
+
+from backend.rpc_protocol import RPCError, make_error_response, make_event, make_success_response, parse_request
+
+
+class TestRPCProtocol(unittest.TestCase):
+    def test_parse_request_success(self) -> None:
+        req = parse_request('{"id":"1","method":"ping","params":{"x":1}}')
+        self.assertEqual(req.request_id, "1")
+        self.assertEqual(req.method, "ping")
+        self.assertEqual(req.params, {"x": 1})
+
+    def test_parse_request_rejects_invalid_payloads(self) -> None:
+        with self.assertRaises(RPCError) as bad_json:
+            parse_request("{")
+        self.assertEqual(bad_json.exception.code, -32700)
+
+        with self.assertRaises(RPCError) as bad_id:
+            parse_request('{"id":"","method":"ping"}')
+        self.assertEqual(bad_id.exception.code, -32600)
+
+        with self.assertRaises(RPCError) as bad_params:
+            parse_request('{"id":"1","method":"ping","params":[]}')
+        self.assertEqual(bad_params.exception.code, -32602)
+
+    def test_response_helpers(self) -> None:
+        err = RPCError(-1, "boom", {"detail": "x"})
+
+        self.assertEqual(make_success_response("1", {"ok": True})["ok"], True)
+        self.assertEqual(make_error_response("1", err)["error"]["message"], "boom")
+        self.assertEqual(make_event("job.done", {"id": "1"})["type"], "event")

package/tests/test_slot_orchestrator.py

@@ -0,0 +1,115 @@
+from __future__ import annotations
+
+import tempfile
+import unittest
+from pathlib import Path
+from typing import Any
+
+from backend.account_store import AccountStore
+from backend.slot_orchestrator import SlotManager
+
+
+class FakeWorkspaceAPI:
+    def __init__(self, members: list[dict[str, Any]], invites: list[dict[str, Any]]) -> None:
+        self._members = members
+        self._invites = invites
+        self.deleted_members: list[str] = []
+        self.deleted_invites: list[str] = []
+
+    def get_members(self) -> list[dict[str, Any]]:
+        return list(self._members)
+
+    def get_pending_invites(self) -> list[dict[str, Any]]:
+        return list(self._invites)
+
+    def delete_member(self, user_id: str) -> dict[str, Any]:
+        self.deleted_members.append(user_id)
+        return {"ok": True}
+
+    def delete_invite(self, email: str) -> dict[str, Any]:
+        self.deleted_invites.append(email)
+        return {"ok": True}
+
+
+class TestSlotManagerWorkspaceSync(unittest.TestCase):
+    def setUp(self) -> None:
+        self.temp_dir = tempfile.TemporaryDirectory()
+        self.store = AccountStore(Path(self.temp_dir.name) / "accounts")
+        admin = self.store.add_admin("owner@example.com", "secret")
+        admin.access_token = "token"
+        admin.account_id = "acc-123"
+        admin.workspace_id = "acc-123"
+        self.store.update_admin(admin)
+        self.store.add_worker("slot1@example.com", "pw", "owner@example.com")
+        self.store.add_worker("slot2@example.com", "pw", "owner@example.com")
+
+    def tearDown(self) -> None:
+        self.temp_dir.cleanup()
+
+    def make_manager(self) -> SlotManager:
+        return SlotManager(store=self.store, admin_email="owner@example.com", log=lambda _msg: None, headless=True)
+
+    def test_build_workspace_sync_plan_filters_local_and_protected_entries(self) -> None:
+        manager = self.make_manager()
+        members = [
+            {"id": "owner-id", "email": "owner@example.com", "role": "account-owner"},
+            {"id": "slot-id", "email": "slot1@example.com", "role": "standard-user"},
+            {"id": "extra-id", "email": "extra@example.com", "role": "standard-user"},
+            {"id": "admin-id", "email": "admin2@example.com", "role": "workspace-admin"},
+        ]
+        invites = [
+            {"email": "slot2@example.com"},
+            {"email": "invite@example.com"},
+            {"email_address": "owner@example.com"},
+        ]
+
+        plan = manager._build_workspace_sync_plan(members, invites)
+
+        self.assertEqual([item["email"] for item in plan["extra_members"]], ["extra@example.com"])
+        self.assertEqual([item["email"] for item in plan["extra_invites"]], ["invite@example.com"])
+        self.assertEqual(
+            sorted((item["email"], item["reason"]) for item in plan["skipped"]),
+            [
+                ("admin2@example.com", "role:workspace-admin"),
+                ("owner@example.com", "self"),
+                ("owner@example.com", "self"),
+            ],
+        )
+
+    def test_sync_workspace_dry_run_does_not_delete_anything(self) -> None:
+        manager = self.make_manager()
+        api = FakeWorkspaceAPI(
+            members=[{"id": "extra-id", "email": "extra@example.com", "role": "standard-user"}],
+            invites=[{"email": "invite@example.com"}],
+        )
+        manager._ensure_admin_page = lambda: object()  # type: ignore[method-assign]
+        manager._get_api = lambda _page: api  # type: ignore[method-assign]
+
+        result = manager.sync_workspace(dry_run=True)
+
+        self.assertTrue(result["dry_run"])
+        self.assertEqual([item["email"] for item in result["extra_members"]], ["extra@example.com"])
+        self.assertEqual([item["email"] for item in result["extra_invites"]], ["invite@example.com"])
+        self.assertEqual(api.deleted_members, [])
+        self.assertEqual(api.deleted_invites, [])
+
+    def test_sync_workspace_apply_deletes_extra_members_and_invites(self) -> None:
+        manager = self.make_manager()
+        api = FakeWorkspaceAPI(
+            members=[{"id": "extra-id", "email": "extra@example.com", "role": "standard-user"}],
+            invites=[{"email": "invite@example.com"}],
+        )
+        manager._ensure_admin_page = lambda: object()  # type: ignore[method-assign]
+        manager._get_api = lambda _page: api  # type: ignore[method-assign]
+
+        result = manager.sync_workspace(dry_run=False)
+
+        self.assertFalse(result["dry_run"])
+        self.assertEqual(result["removed_members"], ["extra@example.com"])
+        self.assertEqual(result["removed_invites"], ["invite@example.com"])
+        self.assertEqual(api.deleted_members, ["extra-id"])
+        self.assertEqual(api.deleted_invites, ["invite@example.com"])
+
+
+if __name__ == "__main__":
+    unittest.main()

package/ui/package.json

@@ -5,7 +5,8 @@
   "type": "module",
   "scripts": {
     "start": "bun run src/main.ts",
-    "typecheck": "tsc --noEmit"
+    "typecheck": "tsc --noEmit",
+    "test": "bun test tests"
   },
   "dependencies": {
     "@opentui/core": "^0.1.86"

package/ui/src/menus/mainMenus.ts

@@ -14,6 +14,7 @@ export function getMenuOptions(menuName: MenuName, state: AppState): MenuOption[
     return [
       { id: "adm_add", label: "Добавить админа", hint: "Новый админ", description: "Добавить админа и выбрать способ входа." },
       { id: "adm_relogin", label: "Перелогинить", hint: "Обновить доступ", description: "Перелогинить выбранного админа." },
+      { id: "adm_sync_ws", label: "Синхронизировать WS", hint: "Удалить лишних", description: "Сверить workspace с локальными слотами и удалить лишние записи." },
       { id: "adm_open", label: "Открыть браузер", hint: "Открыть профиль", description: "Открыть браузерный профиль админа." },
       { id: "adm_delete", label: "Удалить", hint: "Удалить данные", description: "Удалить админа и его локальные файлы.", destructive: true },
     ]

package/ui/src/menus/types.ts

@@ -59,6 +59,12 @@ export interface MenuContext {
   admin_email?: string
   target?: string
   confirm_action?: string
+  sync_preview?: {
+    admin_email: string
+    extra_members: string[]
+    extra_invites: string[]
+    skipped: string[]
+  }
 }
 
 export interface DashboardData {

package/ui/src/screens/MainScreen.ts

@@ -13,6 +13,12 @@ const EMPTY_STATE: AppState = {
 }
 
 type RpcJobResult = { job_id: string }
+type WorkspaceSyncPreview = {
+  admin_email: string
+  extra_members: Array<{ email?: string }>
+  extra_invites: Array<{ email?: string }>
+  skipped: Array<{ email?: string; reason?: string; type?: string }>
+}
 
 type PromptOption = {
   label: string
@@ -147,6 +153,7 @@ function getMenuOptionDescription(option: MenuOption | undefined): string {
 
   if (optionId === "adm_add") return "Добавить нового админа."
   if (optionId === "adm_relogin") return "Перелогинить админа."
+  if (optionId === "adm_sync_ws") return "Сверить workspace с локальными слотами и удалить лишнее."
   if (optionId === "adm_open") return "Открыть профиль админа."
   if (optionId === "adm_delete") return "Удалить админа."
 
@@ -1090,6 +1097,30 @@ export class MainScreen {
     }
 
     if (this.menuName === "confirm") {
+      const preview = this.menuCtx.sync_preview
+      if (preview) {
+        const lines = [
+          `Админ: ${preview.admin_email}`,
+          `Лишних участников: ${preview.extra_members.length}`,
+          `Лишних инвайтов: ${preview.extra_invites.length}`,
+        ]
+        if (preview.extra_members.length > 0) {
+          lines.push(`Members: ${preview.extra_members.slice(0, 4).join(", ")}`)
+          if (preview.extra_members.length > 4) {
+            lines.push(`Ещё участников: ${preview.extra_members.length - 4}`)
+          }
+        }
+        if (preview.extra_invites.length > 0) {
+          lines.push(`Invites: ${preview.extra_invites.slice(0, 4).join(", ")}`)
+          if (preview.extra_invites.length > 4) {
+            lines.push(`Ещё инвайтов: ${preview.extra_invites.length - 4}`)
+          }
+        }
+        if (preview.skipped.length > 0) {
+          lines.push(`Пропущено защищённых: ${preview.skipped.length}`)
+        }
+        return lines
+      }
       return [
         `Действие: ${this.menuCtx.confirm_action ?? "подтверждение"}`,
         `Объект: ${this.menuCtx.target ?? "не выбран"}`,
@@ -1166,9 +1197,14 @@ export class MainScreen {
 
   private async promptLoginMode(): Promise<"auto" | "manual" | null> {
     const value = await this.promptSelect("Режим входа", [
-      { value: "auto", label: "Авто", hint: "Логин по данным из TUI." },
+      { value: "auto", label: "Авто", hint: "Временно недоступно." },
       { value: "manual", label: "Вручную", hint: "Логин вручную в браузере." },
     ])
+    if (value === "auto") {
+      this.pushLog("Авто-вход админа временно отключён. Используйте ручной режим.")
+      this.render()
+      return null
+    }
     if (value === "auto" || value === "manual") return value
     return null
   }
@@ -1232,6 +1268,10 @@ export class MainScreen {
         this.goToPicker("pick_admin", "admins", "relogin_admin", "Выберите админа")
         return
       }
+      if (optionId === "adm_sync_ws") {
+        this.goToPicker("pick_admin", "admins", "sync_workspace", "Выберите админа для синхронизации WS")
+        return
+      }
       if (optionId === "adm_open") {
         this.goToPicker("pick_admin", "admins", "open_admin", "Открыть браузер админа")
         return
@@ -1302,6 +1342,61 @@ export class MainScreen {
         await this.startJob("job.open_admin_browser", { email })
         return
       }
+      if (action === "sync_workspace") {
+        let preview: WorkspaceSyncPreview
+        try {
+          preview = await this.rpc.request<WorkspaceSyncPreview>("workspace.sync_preview", { admin_email: email })
+          this.backendOnline = true
+        } catch (error) {
+          this.pushLog(`Ошибка preview WS: ${String(error)}`)
+          this.render()
+          return
+        }
+
+        const extraMembers = preview.extra_members
+          .map((item) => item.email?.trim())
+          .filter((item): item is string => Boolean(item))
+        const extraInvites = preview.extra_invites
+          .map((item) => item.email?.trim())
+          .filter((item): item is string => Boolean(item))
+        const skipped = preview.skipped
+          .map((item) => {
+            const emailPart = item.email?.trim() || "?"
+            const reasonPart = item.reason ? ` (${item.reason})` : ""
+            return `${emailPart}${reasonPart}`
+          })
+          .filter((item): item is string => Boolean(item))
+
+        if (extraMembers.length === 0 && extraInvites.length === 0) {
+          this.pushLog(`WS уже синхронизирован: ${email}`)
+          if (skipped.length > 0) {
+            this.pushLog(`Пропущено защищённых записей: ${skipped.length}`)
+          }
+          this.menuName = parent
+          this.menuCtx = {}
+          await this.refreshState()
+          return
+        }
+
+        this.menuName = "confirm"
+        this.menuCtx = {
+          parent,
+          action: "sync_workspace",
+          admin_email: email,
+          confirm_action: "Синхронизация WS",
+          title: `Синхронизация WS: ${email}`,
+          target: `${email} • members ${extraMembers.length} • invites ${extraInvites.length}`,
+          sync_preview: {
+            admin_email: email,
+            extra_members: extraMembers,
+            extra_invites: extraInvites,
+            skipped,
+          },
+        }
+        this.selectedIndex = 1
+        this.render()
+        return
+      }
       if (action === "delete_admin") {
         this.goToConfirm(parent, "delete_admin", "Удаление админа", email)
         return
@@ -1367,6 +1462,14 @@ export class MainScreen {
             await this.rpc.request("worker.delete", { email: target })
             this.pushLog(`Удалён слот: ${target}`)
           }
+          if (action === "sync_workspace") {
+            const adminEmail = this.menuCtx.admin_email
+            if (!adminEmail) throw new Error("admin_email не задан")
+            await this.startJob("job.sync_workspace", { admin_email: adminEmail })
+            this.menuName = parent
+            this.menuCtx = {}
+            return
+          }
         } catch (error) {
           this.pushLog(`Ошибка: ${String(error)}`)
         }

package/ui/tests/mainMenus.test.ts

@@ -0,0 +1,71 @@
+import test from "node:test"
+import assert from "node:assert/strict"
+
+import { getDashboard, getMenuOptions, getTable } from "../src/menus/mainMenus"
+import type { AppState } from "../src/menus/types"
+
+const state: AppState = {
+  admins: [
+    {
+      email: "admin@example.com",
+      has_access_token: true,
+      has_browser_profile: true,
+      workspace_id: "ws-1",
+      workspace_count: 2,
+      created_at: "2026-03-07T00:00:00Z",
+      last_login: "2026-03-07T01:00:00Z",
+      status_label: "Готов",
+    },
+  ],
+  workers: [
+    {
+      email: "slot1@example.com",
+      status: "registered",
+      has_access_token: true,
+      has_browser_profile: true,
+      workspace_id: "ws-1",
+      admin_email: "admin@example.com",
+      has_openai_password: true,
+      created_at: "2026-03-07T00:00:00Z",
+      status_label: "Готов",
+    },
+    {
+      email: "slot2@example.com",
+      status: "invited",
+      has_access_token: false,
+      has_browser_profile: false,
+      workspace_id: "ws-1",
+      admin_email: "other@example.com",
+      has_openai_password: false,
+      created_at: "2026-03-07T00:00:00Z",
+      status_label: "Инвайт отправлен",
+    },
+  ],
+}
+
+test("admin menu exposes workspace sync action", () => {
+  const options = getMenuOptions("admins", state)
+  const syncOption = options.find((option) => option.id === "adm_sync_ws")
+
+  assert.ok(syncOption)
+  assert.equal(syncOption?.label, "Синхронизировать WS")
+})
+
+test("dashboard counts ready and invited entities", () => {
+  const dashboard = getDashboard(state)
+
+  assert.equal(dashboard.admins_total, 1)
+  assert.equal(dashboard.admins_ready, 1)
+  assert.equal(dashboard.workers_total, 2)
+  assert.equal(dashboard.workers_ready, 1)
+  assert.equal(dashboard.workers_invited, 1)
+  assert.equal(dashboard.workers_with_password, 1)
+})
+
+test("worker table respects admin filter", () => {
+  const table = getTable("slots", state, { admin_email: "admin@example.com" })
+
+  assert.deepEqual(table.headers, ["Email", "Состояние", "Доступ", "Админ", "Пароль"])
+  assert.equal(table.rows.length, 1)
+  assert.equal(table.rows[0][0], "slot1@example.com")
+})