Merge feature/permissions-hardening: RBAC hardening + B-lite + P0 UX

Phase A (security): permission registry, audit log on perm/feature changes,

token_version bump on permission changes.

B-lite: requireFeature middleware blocks API on disabled global flags.

P0 UX: search, modified-dot, confirm on critical perms, badge wording.

Conflict resolution: admin.js monolith was restructured into

frontend/js/admin/sections/* by feature/admin-redesign merge. P0 UX

edits (originally in monolith) were manually ported to:

- sections/permissions.js — modDot, confirm gate, filterPermissions

- sections/users.js — 'Инд.' → 'Индивидуально' badge in user-perms modal

admin.html search input + dot CSS auto-merged cleanly.

frontend/admin.html

@@ -257,6 +257,12 @@
     .perm-toggle input:checked ~ .perm-track { background: var(--green, #06d6a0); }
     .perm-toggle input:checked ~ .perm-thumb { transform: translateX(20px); }
     .perm-toggle input:focus-visible ~ .perm-track { outline: 2px solid var(--violet); }
+    /* dot shown when a role-level perm differs from its registry default */
+    .perm-modified-dot {
+      display: inline-block; width: 8px; height: 8px; border-radius: 50%;
+      background: var(--amber, #FFB347); flex-shrink: 0;
+      vertical-align: middle; margin-left: 6px;
+    }
 
     /* toolbar */
     .t-toolbar { display: flex; gap: 12px; align-items: center; flex-wrap: wrap; margin-bottom: 24px; }
@@ -1219,6 +1225,12 @@
         <p style="color:var(--muted);font-size:13px;margin:4px 0 0">Настройте, что могут делать учителя и ученики. Администраторы имеют все права всегда.</p>
       </div>
 
+      <div class="perm-search-wrap" style="margin: 16px 0 20px">
+        <input type="search" id="perm-search-input" placeholder="Поиск по правам..."
+          style="width:100%;max-width:420px;padding:9px 14px;border:1.5px solid var(--border);border-radius:10px;font-family:inherit;font-size:0.9rem"
+          oninput="filterPermissions(this.value)">
+      </div>
+
       <div class="perm-role-block">
         <div class="perm-role-title">
           <span class="badge badge-warn" style="font-size:13px;padding:4px 12px">Учитель</span>
@@ -1559,10 +1571,11 @@
   <div class="q-modal" id="up-modal" onclick="if(event.target===this)closeUserPermsModal()">
     <div class="q-modal-box" style="max-width:520px">
       <div class="q-modal-title" id="up-modal-title">Права пользователя</div>
-      <p style="font-size:12.5px;color:var(--muted);margin:-8px 0 16px">Индивидуальные настройки переопределяют права роли для этого учителя.</p>
+      <p style="font-size:12.5px;color:var(--muted);margin:-8px 0 16px">Индивидуальные настройки переопределяют права роли для этого пользователя.</p>
       <div id="up-modal-list" style="display:flex;flex-direction:column;gap:8px;max-height:420px;overflow-y:auto;padding-right:4px"></div>
       <div style="display:flex;justify-content:space-between;align-items:center;margin-top:20px;gap:12px">
-        <button class="btn-del-q" onclick="doResetAllUserPerms()" id="up-modal-reset-btn">
+        <button class="btn-del-q" onclick="doResetAllUserPerms()" id="up-modal-reset-btn"
+          title="Удалить индивидуальные настройки — пользователь будет иметь права как у его роли">
           <i data-lucide="rotate-ccw" style="width:13px;height:13px;vertical-align:-2px"></i> Сбросить всё по умолчанию
         </button>
         <button class="btn-close" onclick="closeUserPermsModal()">Закрыть</button>

frontend/js/admin/sections/permissions.js

@@ -23,10 +23,14 @@
       const defs = definitions.filter(d => d.role === role);
       container.innerHTML = defs.map(def => {
         const enabled = permissions[role]?.[def.key] ?? def.default;
+        const isModified = (enabled ? 1 : 0) !== def.default;
+        const modDot = isModified
+          ? `<span class="perm-modified-dot" title="Отличается от значения по умолчанию"></span>`
+          : '';
         return `
           <div class="perm-card${enabled ? ' enabled' : ''}" id="perm-card-${role}-${def.key.replace('.','_')}">
             <div class="perm-info">
-              <div class="perm-label">${esc(def.label)}</div>
+              <div class="perm-label">${esc(def.label)}${modDot}</div>
               <div class="perm-desc">${esc(def.desc)}</div>
             </div>
             <label class="perm-toggle" title="${enabled ? 'Выключить' : 'Включить'}">
@@ -41,6 +45,17 @@
   }
 
   async function togglePermission(role, key, enabled, checkbox) {
+    if (!enabled) {
+      const def = (_permData.definitions || []).find(d => d.role === role && d.key === key);
+      if (def && def.requireConfirmOff) {
+        const roleLabel = role === 'teacher' ? 'Учитель' : 'Ученик';
+        const ok = await LS.confirm(
+          `Выключение «${def.label}» затронет всех пользователей роли «${roleLabel}». Они потеряют доступ. Продолжить?`,
+          { title: 'Подтвердите выключение права', confirmText: 'Выключить' }
+        );
+        if (!ok) { checkbox.checked = true; return; }
+      }
+    }
     checkbox.disabled = true;
     try {
       await LS.setPermission(role, key, enabled);
@@ -49,6 +64,8 @@
       const safeKey = key.replace('.', '_');
       const card = document.getElementById(`perm-card-${role}-${safeKey}`);
       if (card) card.classList.toggle('enabled', enabled);
+      // Re-render to refresh the modified-dot indicator across all cards.
+      renderPermissions();
       LS.toast(enabled ? 'Право включено' : 'Право отключено', 'success');
     } catch(e) {
       checkbox.checked = !enabled;
@@ -58,7 +75,25 @@
     }
   }
 
+  function filterPermissions(query) {
+    const q = (query || '').trim().toLowerCase();
+    ['teacher', 'student'].forEach(role => {
+      const block = document.querySelector(`#perm-${role}`)?.closest('.perm-role-block');
+      const cards = document.querySelectorAll(`#perm-${role} .perm-card`);
+      let visibleCount = 0;
+      cards.forEach(card => {
+        const label = (card.querySelector('.perm-label')?.textContent || '').toLowerCase();
+        const desc  = (card.querySelector('.perm-desc')?.textContent  || '').toLowerCase();
+        const show  = !q || label.includes(q) || desc.includes(q);
+        card.style.display = show ? '' : 'none';
+        if (show) visibleCount++;
+      });
+      if (block) block.style.display = visibleCount === 0 ? 'none' : '';
+    });
+  }
+
   window.togglePermission = togglePermission;
+  window.filterPermissions = filterPermissions;
 
   window.AdminSections = window.AdminSections || {};
   window.AdminSections.permissions = {

frontend/js/admin/sections/users.js

@@ -362,7 +362,7 @@
       const hasOverride = p.userVal !== undefined;
       const checked = p.effective;
       const badge = hasOverride
-        ? `<span style="font-size:10px;padding:2px 7px;border-radius:var(--r-pill);background:rgba(155,93,229,0.12);color:var(--violet);font-weight:700">Инд.</span>`
+        ? `<span style="font-size:11px;padding:2px 5px;border-radius:var(--r-pill);background:rgba(155,93,229,0.12);color:var(--violet);font-weight:700">Индивидуально</span>`
         : `<span style="font-size:10px;padding:2px 7px;border-radius:var(--r-pill);background:rgba(136,152,170,0.12);color:var(--text-3);font-weight:700">По роли</span>`;
       const resetBtn = hasOverride
         ? `<button style="background:none;border:none;cursor:pointer;color:var(--text-3);padding:3px 6px;border-radius:6px;font-size:11px;font-weight:700;transition:color .2s"