kin: KIN-BIZ-006 Проверить промпт sysadmin.md на поддержку сценария env_scan

2026-03-16 19:26:51 +02:00 · 2026-03-16 19:26:51 +02:00 · a58578bb9d
commit a58578bb9d
parent 531275e4ce
14 changed files with 1619 additions and 13 deletions
--- a/agents/prompts/sysadmin.md
+++ b/agents/prompts/sysadmin.md
@ -36,6 +36,8 @@ Run these commands one by one. Analyze each result before proceeding:
 6. `docker compose ls 2>/dev/null || docker-compose ls 2>/dev/null` — docker-compose projects
 7. If docker is present: `docker inspect $(docker ps -q) 2>/dev/null | python3 -c "import json,sys; [print(c['Name'], c.get('HostConfig',{}).get('Binds',[])) for c in json.load(sys.stdin)]" 2>/dev/null` — volume mounts
 8. For each key config found — read with `ssh ... "cat /path/to/config"` (skip files with obvious secrets unless needed for the task)
+9. `find /opt /home /root /srv -maxdepth 4 -name '.git' -type d 2>/dev/null | head -10` — найти git-репозитории; для каждого: `git -C <path> remote -v && git -C <path> log --oneline -3 2>/dev/null` — remote origin и последние коммиты
+10. `ls -la ~/.ssh/ 2>/dev/null && cat ~/.ssh/authorized_keys 2>/dev/null` — список установленных SSH-ключей. Не читать приватные ключи (id_rsa, id_ed25519 без .pub)

 ## Rules

@ -90,6 +92,13 @@ Return ONLY valid JSON (no markdown, no explanation):
      "owner_role": "sysadmin"
    }
  ],
+  "git_repos": [
+    {"path": "/opt/myapp", "remote": "git@github.com:org/myapp.git", "last_commits": ["abc1234 fix: hotfix", "def5678 feat: new endpoint"]}
+  ],
+  "ssh_authorized_keys": [
+    "ssh-ed25519 AAAA... user@host",
+    "ssh-rsa AAAA... deploy-key"
+  ],
  "files_read": ["/etc/nginx/nginx.conf"],
  "commands_run": ["uname -a", "docker ps"],
  "notes": "Any important caveats, things to investigate further, or follow-up tasks needed"
--- a/core/chat_intent.py
+++ b/core/chat_intent.py
@ -0,0 +1,48 @@
+"""Kin — chat intent classifier (heuristic, no LLM).
+
+classify_intent(text) → 'task_request' | 'status_query' | 'question'
+"""
+
+import re
+from typing import Literal
+
+_STATUS_PATTERNS = [
+    r'что сейчас',
+    r'в работе',
+    r'\bстатус\b',
+    r'список задач',
+    r'покажи задачи',
+    r'покажи список',
+    r'какие задачи',
+    r'что идёт',
+    r'что делается',
+    r'что висит',
+]
+
+_QUESTION_STARTS = (
+    'почему', 'зачем', 'как ', 'что такое', 'что значит',
+    'объясни', 'расскажи', 'что делает', 'как работает',
+    'в чём', 'когда', 'кто',
+)
+
+
+def classify_intent(text: str) -> Literal['task_request', 'status_query', 'question']:
+    """Classify user message intent.
+
+    Returns:
+      'status_query' — user is asking about current project status/tasks
+      'question'     — user is asking a question (no action implied)
+      'task_request' — everything else; default: create a task and run pipeline
+    """
+    lower = text.lower().strip()
+
+    for pattern in _STATUS_PATTERNS:
+        if re.search(pattern, lower):
+            return 'status_query'
+
+    if lower.endswith('?'):
+        for word in _QUESTION_STARTS:
+            if lower.startswith(word):
+                return 'question'
+
+    return 'task_request'
--- a/core/db.py
+++ b/core/db.py
@ -224,6 +224,24 @@ CREATE TABLE IF NOT EXISTS support_bot_config (
    escalation_keywords JSON
 );

+-- Среды развёртывания проекта (prod/dev серверы)
+CREATE TABLE IF NOT EXISTS project_environments (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    project_id TEXT NOT NULL REFERENCES projects(id),
+    name TEXT NOT NULL,
+    host TEXT NOT NULL,
+    port INTEGER DEFAULT 22,
+    username TEXT NOT NULL,
+    auth_type TEXT NOT NULL DEFAULT 'password',
+    auth_value TEXT,
+    is_installed INTEGER NOT NULL DEFAULT 0,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+    updated_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+    UNIQUE(project_id, name)
+);
+
+CREATE INDEX IF NOT EXISTS idx_environments_project ON project_environments(project_id);
+
 -- Индексы
 CREATE INDEX IF NOT EXISTS idx_tasks_project_status ON tasks(project_id, status);
 CREATE INDEX IF NOT EXISTS idx_decisions_project ON decisions(project_id);
@ -232,6 +250,19 @@ CREATE INDEX IF NOT EXISTS idx_agent_logs_project ON agent_logs(project_id, crea
 CREATE INDEX IF NOT EXISTS idx_agent_logs_cost ON agent_logs(project_id, cost_usd);
 CREATE INDEX IF NOT EXISTS idx_tickets_project ON support_tickets(project_id, status);
 CREATE INDEX IF NOT EXISTS idx_tickets_client ON support_tickets(client_id);
+
+-- Чат-сообщения (KIN-OBS-012)
+CREATE TABLE IF NOT EXISTS chat_messages (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    project_id TEXT NOT NULL REFERENCES projects(id),
+    role TEXT NOT NULL,
+    content TEXT NOT NULL,
+    message_type TEXT DEFAULT 'text',
+    task_id TEXT REFERENCES tasks(id),
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+);
+
+CREATE INDEX IF NOT EXISTS idx_chat_messages_project ON chat_messages(project_id, created_at);
 """


@ -333,6 +364,26 @@ def _migrate(conn: sqlite3.Connection):
    existing_tables = {r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'"
    ).fetchall()}
+    if "project_environments" not in existing_tables:
+        conn.executescript("""
+            CREATE TABLE IF NOT EXISTS project_environments (
+                id INTEGER PRIMARY KEY AUTOINCREMENT,
+                project_id TEXT NOT NULL REFERENCES projects(id),
+                name TEXT NOT NULL,
+                host TEXT NOT NULL,
+                port INTEGER DEFAULT 22,
+                username TEXT NOT NULL,
+                auth_type TEXT NOT NULL DEFAULT 'password',
+                auth_value TEXT,
+                is_installed INTEGER NOT NULL DEFAULT 0,
+                created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+                updated_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+                UNIQUE(project_id, name)
+            );
+            CREATE INDEX IF NOT EXISTS idx_environments_project ON project_environments(project_id);
+        """)
+        conn.commit()
+
    if "project_phases" not in existing_tables:
        conn.executescript("""
            CREATE TABLE IF NOT EXISTS project_phases (
@ -441,6 +492,21 @@ def _migrate(conn: sqlite3.Connection):
            PRAGMA foreign_keys=ON;
        """)

+    if "chat_messages" not in existing_tables:
+        conn.executescript("""
+            CREATE TABLE IF NOT EXISTS chat_messages (
+                id INTEGER PRIMARY KEY AUTOINCREMENT,
+                project_id TEXT NOT NULL REFERENCES projects(id),
+                role TEXT NOT NULL,
+                content TEXT NOT NULL,
+                message_type TEXT DEFAULT 'text',
+                task_id TEXT REFERENCES tasks(id),
+                created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+            );
+            CREATE INDEX IF NOT EXISTS idx_chat_messages_project ON chat_messages(project_id, created_at);
+        """)
+        conn.commit()
+
    # Rename legacy 'auto' → 'auto_complete' (KIN-063)
    conn.execute(
        "UPDATE projects SET execution_mode = 'auto_complete' WHERE execution_mode = 'auto'"
--- a/core/models.py
+++ b/core/models.py
@ -3,7 +3,9 @@ Kin — data access functions for all tables.
 Pure functions: (conn, params) → dict | list[dict]. No ORM, no classes.
 """

+import base64
 import json
+import os
 import sqlite3
 from datetime import datetime
 from typing import Any
@ -102,7 +104,8 @@ def get_project(conn: sqlite3.Connection, id: str) -> dict | None:
 def delete_project(conn: sqlite3.Connection, id: str) -> None:
    """Delete a project and all its related data (modules, decisions, tasks, phases)."""
    # Delete tables that have FK references to tasks BEFORE deleting tasks
-    for table in ("modules", "agent_logs", "decisions", "pipelines", "project_phases", "tasks"):
+    # project_environments must come before tasks (FK on project_id)
+    for table in ("modules", "agent_logs", "decisions", "pipelines", "project_phases", "project_environments", "chat_messages", "tasks"):
        conn.execute(f"DELETE FROM {table} WHERE project_id = ?", (id,))
    conn.execute("DELETE FROM projects WHERE id = ?", (id,))
    conn.commit()
@ -700,3 +703,187 @@ def update_phase(conn: sqlite3.Connection, phase_id: int, **fields) -> dict:
    conn.execute(f"UPDATE project_phases SET {sets} WHERE id = ?", vals)
    conn.commit()
    return get_phase(conn, phase_id)
+
+
+# ---------------------------------------------------------------------------
+# Project Environments (KIN-087)
+# ---------------------------------------------------------------------------
+
+def _get_fernet():
+    """Get Fernet instance using KIN_SECRET_KEY env var.
+
+    Raises RuntimeError if KIN_SECRET_KEY is not set.
+    """
+    key = os.environ.get("KIN_SECRET_KEY")
+    if not key:
+        raise RuntimeError(
+            "KIN_SECRET_KEY environment variable is not set. "
+            "Generate with: python -c \"from cryptography.fernet import Fernet; "
+            "print(Fernet.generate_key().decode())\""
+        )
+    from cryptography.fernet import Fernet
+    return Fernet(key.encode())
+
+
+def _encrypt_auth(value: str) -> str:
+    """Encrypt auth_value using Fernet (AES-128-CBC + HMAC-SHA256)."""
+    return _get_fernet().encrypt(value.encode()).decode()
+
+
+def _decrypt_auth(
+    stored: str,
+    conn: sqlite3.Connection | None = None,
+    env_id: int | None = None,
+) -> str:
+    """Decrypt auth_value. Handles migration from legacy base64 obfuscation.
+
+    If stored value uses the old b64: prefix, decodes it and re-encrypts
+    in the DB (re-encrypt on read) if conn and env_id are provided.
+    """
+    if not stored:
+        return stored
+    from cryptography.fernet import InvalidToken
+    try:
+        return _get_fernet().decrypt(stored.encode()).decode()
+    except (InvalidToken, Exception):
+        # Legacy b64: format — migrate on read
+        if stored.startswith("b64:"):
+            plaintext = base64.b64decode(stored[4:]).decode()
+            if conn is not None and env_id is not None:
+                new_encrypted = _encrypt_auth(plaintext)
+                conn.execute(
+                    "UPDATE project_environments SET auth_value = ? WHERE id = ?",
+                    (new_encrypted, env_id),
+                )
+                conn.commit()
+            return plaintext
+        return stored
+
+
+def create_environment(
+    conn: sqlite3.Connection,
+    project_id: str,
+    name: str,
+    host: str,
+    username: str,
+    port: int = 22,
+    auth_type: str = "password",
+    auth_value: str | None = None,
+    is_installed: bool = False,
+) -> dict:
+    """Create a project environment. auth_value stored Fernet-encrypted; returned as None."""
+    obfuscated = _encrypt_auth(auth_value) if auth_value else None
+    cur = conn.execute(
+        """INSERT INTO project_environments
+           (project_id, name, host, port, username, auth_type, auth_value, is_installed)
+           VALUES (?, ?, ?, ?, ?, ?, ?, ?)""",
+        (project_id, name, host, port, username, auth_type, obfuscated, int(is_installed)),
+    )
+    conn.commit()
+    row = conn.execute(
+        "SELECT * FROM project_environments WHERE id = ?", (cur.lastrowid,)
+    ).fetchone()
+    result = _row_to_dict(row)
+    result["auth_value"] = None  # never expose in API responses
+    return result
+
+
+def get_environment(conn: sqlite3.Connection, env_id: int) -> dict | None:
+    """Get environment by id including raw obfuscated auth_value (for internal use)."""
+    row = conn.execute(
+        "SELECT * FROM project_environments WHERE id = ?", (env_id,)
+    ).fetchone()
+    return _row_to_dict(row)
+
+
+def list_environments(conn: sqlite3.Connection, project_id: str) -> list[dict]:
+    """List all environments for a project. auth_value is always None in response."""
+    rows = conn.execute(
+        "SELECT * FROM project_environments WHERE project_id = ? ORDER BY created_at",
+        (project_id,),
+    ).fetchall()
+    result = _rows_to_list(rows)
+    for env in result:
+        env["auth_value"] = None
+    return result
+
+
+def update_environment(conn: sqlite3.Connection, env_id: int, **fields) -> dict:
+    """Update environment fields. Auto-sets updated_at. Returns record with auth_value=None."""
+    if not fields:
+        result = get_environment(conn, env_id)
+        if result:
+            result["auth_value"] = None
+        return result
+    if "auth_value" in fields and fields["auth_value"]:
+        fields["auth_value"] = _encrypt_auth(fields["auth_value"])
+    elif "auth_value" in fields:
+        del fields["auth_value"]  # empty/None = don't update auth_value
+    fields["updated_at"] = datetime.now().isoformat()
+    sets = ", ".join(f"{k} = ?" for k in fields)
+    vals = list(fields.values()) + [env_id]
+    conn.execute(f"UPDATE project_environments SET {sets} WHERE id = ?", vals)
+    conn.commit()
+    result = get_environment(conn, env_id)
+    if result:
+        result["auth_value"] = None
+    return result
+
+
+def delete_environment(conn: sqlite3.Connection, env_id: int) -> bool:
+    """Delete environment by id. Returns True if deleted, False if not found."""
+    cur = conn.execute(
+        "DELETE FROM project_environments WHERE id = ?", (env_id,)
+    )
+    conn.commit()
+    return cur.rowcount > 0
+
+
+# ---------------------------------------------------------------------------
+# Chat Messages (KIN-OBS-012)
+# ---------------------------------------------------------------------------
+
+def add_chat_message(
+    conn: sqlite3.Connection,
+    project_id: str,
+    role: str,
+    content: str,
+    message_type: str = "text",
+    task_id: str | None = None,
+) -> dict:
+    """Add a chat message and return it as dict.
+
+    role: 'user' | 'assistant' | 'system'
+    message_type: 'text' | 'task_created' | 'error'
+    task_id: set for message_type='task_created' to link to the created task.
+    """
+    cur = conn.execute(
+        """INSERT INTO chat_messages (project_id, role, content, message_type, task_id)
+           VALUES (?, ?, ?, ?, ?)""",
+        (project_id, role, content, message_type, task_id),
+    )
+    conn.commit()
+    row = conn.execute(
+        "SELECT * FROM chat_messages WHERE id = ?", (cur.lastrowid,)
+    ).fetchone()
+    return _row_to_dict(row)
+
+
+def get_chat_messages(
+    conn: sqlite3.Connection,
+    project_id: str,
+    limit: int = 50,
+    before_id: int | None = None,
+) -> list[dict]:
+    """Get chat messages for a project in chronological order (oldest first).
+
+    before_id: pagination cursor — return messages with id < before_id.
+    """
+    query = "SELECT * FROM chat_messages WHERE project_id = ?"
+    params: list = [project_id]
+    if before_id is not None:
+        query += " AND id < ?"
+        params.append(before_id)
+    query += " ORDER BY created_at ASC, id ASC LIMIT ?"
+    params.append(limit)
+    return _rows_to_list(conn.execute(query, params).fetchall())
--- a/pyproject.toml
+++ b/pyproject.toml
@ -7,7 +7,7 @@ name = "kin"
 version = "0.1.0"
 description = "Multi-agent project orchestrator"
 requires-python = ">=3.11"
-dependencies = ["click>=8.0", "fastapi>=0.110", "uvicorn>=0.29"]
+dependencies = ["click>=8.0", "fastapi>=0.110", "uvicorn>=0.29", "cryptography>=41.0"]

 [project.scripts]
 kin = "cli.main:cli"
--- a/tests/conftest.py
+++ b/tests/conftest.py
@ -4,6 +4,13 @@ import pytest
 from unittest.mock import patch


+@pytest.fixture(autouse=True)
+def _set_kin_secret_key(monkeypatch):
+    """Set KIN_SECRET_KEY for all tests (required by _encrypt_auth/_decrypt_auth)."""
+    from cryptography.fernet import Fernet
+    monkeypatch.setenv("KIN_SECRET_KEY", Fernet.generate_key().decode())
+
+
@pytest.fixture(autouse=True)
 def _mock_check_claude_auth():
    """Авто-мок agents.runner.check_claude_auth для всех тестов.
--- a/tests/test_api.py
+++ b/tests/test_api.py
@ -1713,4 +1713,412 @@ def test_delete_project_ok(client):
 def test_delete_project_not_found(client):
    r = client.delete("/api/projects/99999")
    assert r.status_code == 404
-    assert "tasks_count" in data
+
+
+# ---------------------------------------------------------------------------
+# Environments (KIN-087)
+# ---------------------------------------------------------------------------
+
+def test_create_environment(client):
+    r = client.post("/api/projects/p1/environments", json={
+        "name": "prod",
+        "host": "10.0.0.1",
+        "username": "pelmen",
+        "port": 22,
+        "auth_type": "password",
+        "auth_value": "s3cr3t",
+        "is_installed": False,
+    })
+    assert r.status_code == 201
+    data = r.json()
+    assert data["name"] == "prod"
+    assert data["host"] == "10.0.0.1"
+    assert data["username"] == "pelmen"
+    # auth_value must be hidden in responses
+    assert data.get("auth_value") is None
+    assert "scan_task_id" not in data
+
+
+def test_create_environment_project_not_found(client):
+    r = client.post("/api/projects/nope/environments", json={
+        "name": "prod",
+        "host": "10.0.0.1",
+        "username": "root",
+    })
+    assert r.status_code == 404
+
+
+def test_create_environment_invalid_auth_type(client):
+    r = client.post("/api/projects/p1/environments", json={
+        "name": "prod",
+        "host": "10.0.0.1",
+        "username": "root",
+        "auth_type": "oauth",
+    })
+    assert r.status_code == 422
+
+
+def test_create_environment_invalid_port(client):
+    r = client.post("/api/projects/p1/environments", json={
+        "name": "prod",
+        "host": "10.0.0.1",
+        "username": "root",
+        "port": 99999,
+    })
+    assert r.status_code == 422
+
+
+def test_create_environment_triggers_scan_when_installed(client):
+    """is_installed=True на POST должен создать задачу sysadmin и вернуть scan_task_id."""
+    with patch("subprocess.Popen") as mock_popen:
+        mock_popen.return_value = MagicMock(pid=12345)
+        r = client.post("/api/projects/p1/environments", json={
+            "name": "prod",
+            "host": "10.0.0.2",
+            "username": "pelmen",
+            "is_installed": True,
+        })
+    assert r.status_code == 201
+    data = r.json()
+    assert "scan_task_id" in data
+    task_id = data["scan_task_id"]
+    # Verify the task exists with sysadmin role
+    from core.db import init_db
+    from core import models as m
+    conn = init_db(api_module.DB_PATH)
+    task = m.get_task(conn, task_id)
+    conn.close()
+    assert task is not None
+    assert task["assigned_role"] == "sysadmin"
+    assert task["category"] == "INFRA"
+
+
+def test_list_environments(client):
+    client.post("/api/projects/p1/environments", json={
+        "name": "dev", "host": "10.0.0.10", "username": "dev",
+    })
+    client.post("/api/projects/p1/environments", json={
+        "name": "prod", "host": "10.0.0.11", "username": "prod",
+    })
+    r = client.get("/api/projects/p1/environments")
+    assert r.status_code == 200
+    data = r.json()
+    assert len(data) == 2
+    names = {e["name"] for e in data}
+    assert names == {"dev", "prod"}
+
+
+def test_list_environments_project_not_found(client):
+    r = client.get("/api/projects/nope/environments")
+    assert r.status_code == 404
+
+
+def test_patch_environment(client):
+    r = client.post("/api/projects/p1/environments", json={
+        "name": "dev", "host": "10.0.0.20", "username": "root",
+    })
+    env_id = r.json()["id"]
+
+    r = client.patch(f"/api/projects/p1/environments/{env_id}", json={
+        "host": "10.0.0.99",
+    })
+    assert r.status_code == 200
+    assert r.json()["host"] == "10.0.0.99"
+
+
+def test_patch_environment_triggers_scan_on_false_to_true(client):
+    """PATCH is_installed false→true должен запустить скан."""
+    r = client.post("/api/projects/p1/environments", json={
+        "name": "staging", "host": "10.0.0.30", "username": "root", "is_installed": False,
+    })
+    env_id = r.json()["id"]
+
+    with patch("subprocess.Popen") as mock_popen:
+        mock_popen.return_value = MagicMock(pid=22222)
+        r = client.patch(f"/api/projects/p1/environments/{env_id}", json={
+            "is_installed": True,
+        })
+    assert r.status_code == 200
+    assert "scan_task_id" in r.json()
+
+
+def test_patch_environment_no_duplicate_scan(client):
+    """Повторный PATCH is_installed=True (true→true) не создаёт новую задачу."""
+    with patch("subprocess.Popen") as mock_popen:
+        mock_popen.return_value = MagicMock(pid=33333)
+        r = client.post("/api/projects/p1/environments", json={
+            "name": "prod2", "host": "10.0.0.40", "username": "root", "is_installed": True,
+        })
+    first_task_id = r.json().get("scan_task_id")
+    assert first_task_id is not None
+    env_id = r.json()["id"]
+
+    # Second PATCH with host change — was_installed=True, so no scan triggered
+    with patch("subprocess.Popen") as mock_popen2:
+        mock_popen2.return_value = MagicMock(pid=44444)
+        r2 = client.patch(f"/api/projects/p1/environments/{env_id}", json={
+            "host": "10.0.0.41",
+        })
+    assert r2.status_code == 200
+    assert "scan_task_id" not in r2.json()
+
+
+def test_patch_environment_nothing_to_update(client):
+    r = client.post("/api/projects/p1/environments", json={
+        "name": "dev", "host": "10.0.0.50", "username": "root",
+    })
+    env_id = r.json()["id"]
+    r = client.patch(f"/api/projects/p1/environments/{env_id}", json={})
+    assert r.status_code == 400
+
+
+def test_patch_environment_not_found(client):
+    r = client.patch("/api/projects/p1/environments/99999", json={"host": "1.2.3.4"})
+    assert r.status_code == 404
+
+
+def test_delete_environment(client):
+    r = client.post("/api/projects/p1/environments", json={
+        "name": "dev", "host": "10.0.0.60", "username": "root",
+    })
+    env_id = r.json()["id"]
+
+    r = client.delete(f"/api/projects/p1/environments/{env_id}")
+    assert r.status_code == 204
+
+    # Verify gone
+    r = client.get("/api/projects/p1/environments")
+    ids = [e["id"] for e in r.json()]
+    assert env_id not in ids
+
+
+def test_delete_environment_not_found(client):
+    r = client.delete("/api/projects/p1/environments/99999")
+    assert r.status_code == 404
+
+
+def test_scan_environment(client):
+    r = client.post("/api/projects/p1/environments", json={
+        "name": "prod", "host": "10.0.0.70", "username": "root",
+    })
+    env_id = r.json()["id"]
+
+    with patch("subprocess.Popen") as mock_popen:
+        mock_popen.return_value = MagicMock(pid=55555)
+        r = client.post(f"/api/projects/p1/environments/{env_id}/scan")
+    assert r.status_code == 202
+    data = r.json()
+    assert data["status"] == "started"
+    assert "task_id" in data
+
+
+def test_scan_environment_not_found(client):
+    r = client.post("/api/projects/p1/environments/99999/scan")
+    assert r.status_code == 404
+
+
+# ---------------------------------------------------------------------------
+# Environments (KIN-087) — дополнительные тесты по acceptance criteria
+# ---------------------------------------------------------------------------
+
+def test_list_environments_auth_value_hidden():
+    """GET /environments не должен возвращать auth_value (AC: маскировка)."""
+    import web.api as api_module2
+    from pathlib import Path
+    import tempfile
+    with tempfile.TemporaryDirectory() as tmp:
+        db_path = Path(tmp) / "t.db"
+        api_module2.DB_PATH = db_path
+        from web.api import app
+        from fastapi.testclient import TestClient
+        c = TestClient(app)
+        c.post("/api/projects", json={"id": "p2", "name": "P2", "path": "/p2"})
+        c.post("/api/projects/p2/environments", json={
+            "name": "prod", "host": "1.2.3.4", "username": "root",
+            "auth_type": "password", "auth_value": "supersecret",
+        })
+        r = c.get("/api/projects/p2/environments")
+        assert r.status_code == 200
+        for env in r.json():
+            assert env.get("auth_value") is None
+
+
+def test_patch_environment_auth_value_hidden(client):
+    """PATCH /environments/{id} не должен возвращать auth_value в ответе (AC: маскировка)."""
+    r = client.post("/api/projects/p1/environments", json={
+        "name": "masked", "host": "5.5.5.5", "username": "user",
+        "auth_value": "topsecret",
+    })
+    env_id = r.json()["id"]
+    r = client.patch(f"/api/projects/p1/environments/{env_id}", json={"host": "6.6.6.6"})
+    assert r.status_code == 200
+    assert r.json().get("auth_value") is None
+
+
+def test_is_installed_flag_persisted(client):
+    """is_installed=True сохраняется и возвращается в GET-списке (AC: чекбокс работает)."""
+    with patch("subprocess.Popen") as mock_popen:
+        mock_popen.return_value = MagicMock(pid=99001)
+        r = client.post("/api/projects/p1/environments", json={
+            "name": "installed_prod", "host": "7.7.7.7", "username": "admin",
+            "is_installed": True,
+        })
+    assert r.status_code == 201
+    env_id = r.json()["id"]
+
+    r = client.get("/api/projects/p1/environments")
+    envs = {e["id"]: e for e in r.json()}
+    assert bool(envs[env_id]["is_installed"]) is True
+
+
+def test_is_installed_false_not_installed(client):
+    """is_installed=False по умолчанию сохраняется корректно."""
+    r = client.post("/api/projects/p1/environments", json={
+        "name": "notinstalled", "host": "8.8.8.8", "username": "ops",
+        "is_installed": False,
+    })
+    assert r.status_code == 201
+    env_id = r.json()["id"]
+
+    r = client.get("/api/projects/p1/environments")
+    envs = {e["id"]: e for e in r.json()}
+    assert not bool(envs[env_id]["is_installed"])
+
+
+def test_sysadmin_scan_task_has_escalation_in_brief(client):
+    """Задача sysadmin должна содержать инструкцию об эскалации при нехватке данных (AC#4)."""
+    with patch("subprocess.Popen") as mock_popen:
+        mock_popen.return_value = MagicMock(pid=99002)
+        r = client.post("/api/projects/p1/environments", json={
+            "name": "esc_test", "host": "9.9.9.9", "username": "deploy",
+            "is_installed": True,
+        })
+    task_id = r.json()["scan_task_id"]
+
+    from core.db import init_db
+    from core import models as m
+    conn = init_db(api_module.DB_PATH)
+    task = m.get_task(conn, task_id)
+    conn.close()
+
+    brief = task["brief"]
+    assert isinstance(brief, dict), "brief must be a dict"
+    text = brief.get("text", "")
+    assert "эскалация" in text.lower(), (
+        "Sysadmin task brief must mention escalation to user when data is insufficient"
+    )
+
+
+def test_create_environment_key_auth_type(client):
+    """auth_type='key' должен быть принят и сохранён (AC: ключ SSH)."""
+    r = client.post("/api/projects/p1/environments", json={
+        "name": "ssh_key_env", "host": "10.10.10.10", "username": "git",
+        "auth_type": "key", "auth_value": "-----BEGIN OPENSSH PRIVATE KEY-----",
+    })
+    assert r.status_code == 201
+    data = r.json()
+    assert data["auth_type"] == "key"
+    assert data.get("auth_value") is None
+
+
+def test_create_environment_duplicate_name_conflict(client):
+    """Повторное создание среды с тем же именем в проекте → 409 Conflict."""
+    client.post("/api/projects/p1/environments", json={
+        "name": "unique_env", "host": "11.11.11.11", "username": "root",
+    })
+    r = client.post("/api/projects/p1/environments", json={
+        "name": "unique_env", "host": "22.22.22.22", "username": "root",
+    })
+    assert r.status_code == 409
+
+
+def test_patch_environment_empty_auth_value_preserves_stored(client):
+    """PATCH с пустым auth_value не стирает сохранённый credential (AC: безопасность)."""
+    r = client.post("/api/projects/p1/environments", json={
+        "name": "cred_safe", "host": "33.33.33.33", "username": "ops",
+        "auth_value": "original_password",
+    })
+    env_id = r.json()["id"]
+
+    # Patch без auth_value — credential должен сохраниться
+    r = client.patch(f"/api/projects/p1/environments/{env_id}", json={"host": "44.44.44.44"})
+    assert r.status_code == 200
+
+    # Читаем raw запись из БД (get_environment возвращает obfuscated auth_value)
+    from core.db import init_db
+    from core import models as m
+    conn = init_db(api_module.DB_PATH)
+    raw = m.get_environment(conn, env_id)
+    conn.close()
+
+    assert raw["auth_value"] is not None, "Stored credential must be preserved after PATCH without auth_value"
+    decrypted = m._decrypt_auth(raw["auth_value"])
+    assert decrypted == "original_password", "Stored credential must be decryptable and match original"
+
+
+# ---------------------------------------------------------------------------
+# KIN-088 — POST /run возвращает 409 если задача уже in_progress
+# ---------------------------------------------------------------------------
+
+def test_run_returns_409_when_task_already_in_progress(client):
+    """KIN-088: повторный POST /run для задачи со статусом in_progress → 409 с task_already_running."""
+    from core.db import init_db
+    from core import models as m
+    conn = init_db(api_module.DB_PATH)
+    m.update_task(conn, "P1-001", status="in_progress")
+    conn.close()
+
+    r = client.post("/api/tasks/P1-001/run")
+    assert r.status_code == 409
+    assert r.json()["error"] == "task_already_running"
+
+
+def test_run_409_error_key_is_task_already_running(client):
+    """KIN-088: тело ответа 409 содержит ключ error='task_already_running'."""
+    from core.db import init_db
+    from core import models as m
+    conn = init_db(api_module.DB_PATH)
+    m.update_task(conn, "P1-001", status="in_progress")
+    conn.close()
+
+    r = client.post("/api/tasks/P1-001/run")
+    body = r.json()
+    assert "error" in body
+    assert body["error"] == "task_already_running"
+
+
+def test_run_second_call_does_not_change_status(client):
+    """KIN-088: при повторном /run задача остаётся in_progress, статус не сбрасывается."""
+    from core.db import init_db
+    from core import models as m
+    conn = init_db(api_module.DB_PATH)
+    m.update_task(conn, "P1-001", status="in_progress")
+    conn.close()
+
+    client.post("/api/tasks/P1-001/run")  # второй вызов — должен вернуть 409
+
+    r = client.get("/api/tasks/P1-001")
+    assert r.json()["status"] == "in_progress"
+
+
+def test_run_pending_task_still_returns_202(client):
+    """KIN-088: задача со статусом pending запускается без ошибки — 202."""
+    r = client.post("/api/tasks/P1-001/run")
+    assert r.status_code == 202
+
+
+def test_run_kin085_parallel_different_tasks_not_blocked(client):
+    """KIN-085: /run для разных задач независимы — in_progress одной не блокирует другую."""
+    # Создаём вторую задачу
+    client.post("/api/tasks", json={"project_id": "p1", "title": "Second task"})
+
+    # Ставим первую задачу в in_progress
+    from core.db import init_db
+    from core import models as m
+    conn = init_db(api_module.DB_PATH)
+    m.update_task(conn, "P1-001", status="in_progress")
+    conn.close()
+
+    # Запуск второй задачи должен быть успешным
+    r = client.post("/api/tasks/P1-002/run")
+    assert r.status_code == 202
--- a/web/api.py
+++ b/web/api.py
@ -815,6 +815,9 @@ def run_task(task_id: str):
    if not t:
        conn.close()
        raise HTTPException(404, f"Task '{task_id}' not found")
+    if t.get("status") == "in_progress":
+        conn.close()
+        return JSONResponse({"error": "task_already_running"}, status_code=409)
    # Set task to in_progress immediately so UI updates
    models.update_task(conn, task_id, status="in_progress")
    conn.close()
@ -1017,6 +1020,259 @@ def bootstrap(body: BootstrapRequest):
    }


+# ---------------------------------------------------------------------------
+# Environments (KIN-087)
+# ---------------------------------------------------------------------------
+
+VALID_AUTH_TYPES = {"password", "key"}
+
+
+class EnvironmentCreate(BaseModel):
+    name: str
+    host: str
+    port: int = 22
+    username: str
+    auth_type: str = "password"
+    auth_value: str | None = None
+    is_installed: bool = False
+
+    @model_validator(mode="after")
+    def validate_env_fields(self) -> "EnvironmentCreate":
+        if not self.name.strip():
+            raise ValueError("name must not be empty")
+        if not self.host.strip():
+            raise ValueError("host must not be empty")
+        if not self.username.strip():
+            raise ValueError("username must not be empty")
+        if self.auth_type not in VALID_AUTH_TYPES:
+            raise ValueError(f"auth_type must be one of: {', '.join(VALID_AUTH_TYPES)}")
+        if not (1 <= self.port <= 65535):
+            raise ValueError("port must be between 1 and 65535")
+        return self
+
+
+class EnvironmentPatch(BaseModel):
+    name: str | None = None
+    host: str | None = None
+    port: int | None = None
+    username: str | None = None
+    auth_type: str | None = None
+    auth_value: str | None = None
+    is_installed: bool | None = None
+
+
+def _trigger_sysadmin_scan(conn, project_id: str, env: dict) -> str:
+    """Create a sysadmin env-scan task and launch it in background.
+
+    env must be the raw record from get_environment() (contains obfuscated auth_value).
+    Guard: skips if an active sysadmin task for this environment already exists.
+    Returns task_id of the created (or existing) task.
+    """
+    env_id = env["id"]
+    existing = conn.execute(
+        """SELECT id FROM tasks
+           WHERE project_id = ? AND assigned_role = 'sysadmin'
+             AND status NOT IN ('done', 'cancelled')
+             AND brief LIKE ?""",
+        (project_id, f'%"env_id": {env_id}%'),
+    ).fetchone()
+    if existing:
+        return existing["id"]
+
+    task_id = models.next_task_id(conn, project_id, category="INFRA")
+    brief = {
+        "type": "env_scan",
+        "env_id": env_id,
+        "host": env["host"],
+        "port": env["port"],
+        "username": env["username"],
+        "auth_type": env["auth_type"],
+        # auth_value is Fernet-encrypted. Stored in tasks.brief — treat as sensitive.
+        # Decrypt with _decrypt_auth() from core/models.py.
+        "auth_value_b64": env.get("auth_value"),
+        "text": (
+            f"Провести полный аудит среды '{env['name']}' на сервере {env['host']}.\n\n"
+            f"Подключение: {env['username']}@{env['host']}:{env['port']} (auth_type={env['auth_type']}).\n\n"
+            "Задачи:\n"
+            "1. Проверить git config (user, remote, текущую ветку)\n"
+            "2. Установленный стек (python/node/java версии, package managers)\n"
+            "3. Переменные окружения (.env файлы, systemd EnvironmentFile)\n"
+            "4. Nginx/caddy конфиги (виртуальные хосты, SSL)\n"
+            "5. Systemd/supervisor сервисы проекта\n"
+            "6. SSH-ключи (authorized_keys, known_hosts)\n"
+            "7. Если чего-то не хватает для подключения или аудита — эскалация к человеку."
+        ),
+    }
+    models.create_task(
+        conn, task_id, project_id,
+        title=f"[{env['name']}] Env scan: {env['host']}",
+        assigned_role="sysadmin",
+        category="INFRA",
+        brief=brief,
+    )
+    models.update_task(conn, task_id, status="in_progress")
+
+    kin_root = Path(__file__).parent.parent
+    cmd = [sys.executable, "-m", "cli.main", "--db", str(DB_PATH), "run", task_id]
+    cmd.append("--allow-write")
+    import os as _os
+    env_vars = _os.environ.copy()
+    env_vars["KIN_NONINTERACTIVE"] = "1"
+    try:
+        subprocess.Popen(
+            cmd,
+            cwd=str(kin_root),
+            stdout=subprocess.DEVNULL,
+            stderr=subprocess.DEVNULL,
+            stdin=subprocess.DEVNULL,
+            env=env_vars,
+        )
+    except Exception as e:
+        _logger.warning("Failed to start sysadmin scan for %s: %s", task_id, e)
+
+    return task_id
+
+
+@app.get("/api/projects/{project_id}/environments")
+def list_environments(project_id: str):
+    conn = get_conn()
+    p = models.get_project(conn, project_id)
+    if not p:
+        conn.close()
+        raise HTTPException(404, f"Project '{project_id}' not found")
+    envs = models.list_environments(conn, project_id)
+    conn.close()
+    return envs
+
+
+@app.post("/api/projects/{project_id}/environments", status_code=201)
+def create_environment(project_id: str, body: EnvironmentCreate):
+    conn = get_conn()
+    p = models.get_project(conn, project_id)
+    if not p:
+        conn.close()
+        raise HTTPException(404, f"Project '{project_id}' not found")
+    try:
+        env = models.create_environment(
+            conn, project_id,
+            name=body.name,
+            host=body.host,
+            port=body.port,
+            username=body.username,
+            auth_type=body.auth_type,
+            auth_value=body.auth_value,
+            is_installed=body.is_installed,
+        )
+    except Exception as e:
+        conn.close()
+        if "UNIQUE constraint" in str(e):
+            raise HTTPException(409, f"Environment '{body.name}' already exists for this project")
+        raise HTTPException(500, str(e))
+    scan_task_id = None
+    if body.is_installed:
+        raw_env = models.get_environment(conn, env["id"])
+        scan_task_id = _trigger_sysadmin_scan(conn, project_id, raw_env)
+    conn.close()
+    result = {**env}
+    if scan_task_id:
+        result["scan_task_id"] = scan_task_id
+    return JSONResponse(result, status_code=201)
+
+
+@app.patch("/api/projects/{project_id}/environments/{env_id}")
+def patch_environment(project_id: str, env_id: int, body: EnvironmentPatch):
+    all_none = all(v is None for v in [
+        body.name, body.host, body.port, body.username,
+        body.auth_type, body.auth_value, body.is_installed,
+    ])
+    if all_none:
+        raise HTTPException(400, "Nothing to update.")
+    if body.auth_type is not None and body.auth_type not in VALID_AUTH_TYPES:
+        raise HTTPException(400, f"auth_type must be one of: {', '.join(VALID_AUTH_TYPES)}")
+    if body.port is not None and not (1 <= body.port <= 65535):
+        raise HTTPException(400, "port must be between 1 and 65535")
+    if body.name is not None and not body.name.strip():
+        raise HTTPException(400, "name must not be empty")
+    if body.username is not None and not body.username.strip():
+        raise HTTPException(400, "username must not be empty")
+    if body.host is not None and not body.host.strip():
+        raise HTTPException(400, "host must not be empty")
+
+    conn = get_conn()
+    p = models.get_project(conn, project_id)
+    if not p:
+        conn.close()
+        raise HTTPException(404, f"Project '{project_id}' not found")
+    existing = models.get_environment(conn, env_id)
+    if not existing or existing.get("project_id") != project_id:
+        conn.close()
+        raise HTTPException(404, f"Environment #{env_id} not found")
+
+    was_installed = bool(existing.get("is_installed"))
+
+    fields = {}
+    if body.name is not None:
+        fields["name"] = body.name
+    if body.host is not None:
+        fields["host"] = body.host
+    if body.port is not None:
+        fields["port"] = body.port
+    if body.username is not None:
+        fields["username"] = body.username
+    if body.auth_type is not None:
+        fields["auth_type"] = body.auth_type
+    if body.auth_value:  # only update if non-empty (empty = don't change stored cred)
+        fields["auth_value"] = body.auth_value
+    if body.is_installed is not None:
+        fields["is_installed"] = int(body.is_installed)
+
+    updated = models.update_environment(conn, env_id, **fields)
+
+    scan_task_id = None
+    if body.is_installed is True and not was_installed:
+        raw_env = models.get_environment(conn, env_id)
+        scan_task_id = _trigger_sysadmin_scan(conn, project_id, raw_env)
+
+    conn.close()
+    result = {**updated}
+    if scan_task_id:
+        result["scan_task_id"] = scan_task_id
+    return result
+
+
+@app.delete("/api/projects/{project_id}/environments/{env_id}", status_code=204)
+def delete_environment(project_id: str, env_id: int):
+    conn = get_conn()
+    p = models.get_project(conn, project_id)
+    if not p:
+        conn.close()
+        raise HTTPException(404, f"Project '{project_id}' not found")
+    existing = models.get_environment(conn, env_id)
+    if not existing or existing.get("project_id") != project_id:
+        conn.close()
+        raise HTTPException(404, f"Environment #{env_id} not found")
+    models.delete_environment(conn, env_id)
+    conn.close()
+    return Response(status_code=204)
+
+
+@app.post("/api/projects/{project_id}/environments/{env_id}/scan", status_code=202)
+def scan_environment(project_id: str, env_id: int):
+    """Manually re-trigger sysadmin env scan for an environment."""
+    conn = get_conn()
+    p = models.get_project(conn, project_id)
+    if not p:
+        conn.close()
+        raise HTTPException(404, f"Project '{project_id}' not found")
+    raw_env = models.get_environment(conn, env_id)
+    if not raw_env or raw_env.get("project_id") != project_id:
+        conn.close()
+        raise HTTPException(404, f"Environment #{env_id} not found")
+    task_id = _trigger_sysadmin_scan(conn, project_id, raw_env)
+    conn.close()
+    return JSONResponse({"status": "started", "task_id": task_id}, status_code=202)
+
+
 # ---------------------------------------------------------------------------
 # Notifications (escalations from blocked agents)
 # ---------------------------------------------------------------------------
@ -1055,6 +1311,142 @@ def get_notifications(project_id: str | None = None):
    return notifications


+# ---------------------------------------------------------------------------
+# Chat (KIN-OBS-012)
+# ---------------------------------------------------------------------------
+
+class ChatMessageIn(BaseModel):
+    content: str
+
+
+@app.get("/api/projects/{project_id}/chat")
+def get_chat_history(
+    project_id: str,
+    limit: int = Query(50, ge=1, le=200),
+    before_id: int | None = None,
+):
+    """Return chat history for a project. Enriches task_created messages with task_stub."""
+    conn = get_conn()
+    p = models.get_project(conn, project_id)
+    if not p:
+        conn.close()
+        raise HTTPException(404, f"Project '{project_id}' not found")
+    messages = models.get_chat_messages(conn, project_id, limit=limit, before_id=before_id)
+    for msg in messages:
+        if msg.get("message_type") == "task_created" and msg.get("task_id"):
+            task = models.get_task(conn, msg["task_id"])
+            if task:
+                msg["task_stub"] = {
+                    "id": task["id"],
+                    "title": task["title"],
+                    "status": task["status"],
+                }
+    conn.close()
+    return messages
+
+
+@app.post("/api/projects/{project_id}/chat")
+def send_chat_message(project_id: str, body: ChatMessageIn):
+    """Process a user message: classify intent, create task or answer, return both messages."""
+    from core.chat_intent import classify_intent
+
+    if not body.content.strip():
+        raise HTTPException(400, "content must not be empty")
+
+    conn = get_conn()
+    p = models.get_project(conn, project_id)
+    if not p:
+        conn.close()
+        raise HTTPException(404, f"Project '{project_id}' not found")
+
+    # 1. Save user message
+    user_msg = models.add_chat_message(conn, project_id, "user", body.content)
+
+    # 2. Classify intent
+    intent = classify_intent(body.content)
+
+    task = None
+
+    if intent == "task_request":
+        # 3a. Create task (category OBS) and run pipeline in background
+        task_id = models.next_task_id(conn, project_id, category="OBS")
+        title = body.content[:120].strip()
+        t = models.create_task(
+            conn, task_id, project_id, title,
+            brief={"text": body.content, "source": "chat"},
+            category="OBS",
+        )
+        task = t
+
+        import os as _os
+        env_vars = _os.environ.copy()
+        env_vars["KIN_NONINTERACTIVE"] = "1"
+        kin_root = Path(__file__).parent.parent
+        try:
+            subprocess.Popen(
+                [sys.executable, "-m", "cli.main", "--db", str(DB_PATH),
+                 "run", task_id, "--allow-write"],
+                cwd=str(kin_root),
+                stdout=subprocess.DEVNULL,
+                stderr=subprocess.DEVNULL,
+                stdin=subprocess.DEVNULL,
+                env=env_vars,
+            )
+        except Exception as e:
+            _logger.warning("Failed to start pipeline for chat task %s: %s", task_id, e)
+
+        assistant_content = f"Создал задачу {task_id}: {title}"
+        assistant_msg = models.add_chat_message(
+            conn, project_id, "assistant", assistant_content,
+            message_type="task_created", task_id=task_id,
+        )
+        assistant_msg["task_stub"] = {
+            "id": t["id"],
+            "title": t["title"],
+            "status": t["status"],
+        }
+
+    elif intent == "status_query":
+        # 3b. Return current task status summary
+        in_progress = models.list_tasks(conn, project_id=project_id, status="in_progress")
+        pending = models.list_tasks(conn, project_id=project_id, status="pending")
+        review = models.list_tasks(conn, project_id=project_id, status="review")
+
+        parts = []
+        if in_progress:
+            parts.append("В работе ({}):\n{}".format(
+                len(in_progress),
+                "\n".join(f"  • {t['id']} — {t['title'][:60]}" for t in in_progress[:5]),
+            ))
+        if review:
+            parts.append("На ревью ({}):\n{}".format(
+                len(review),
+                "\n".join(f"  • {t['id']} — {t['title'][:60]}" for t in review[:5]),
+            ))
+        if pending:
+            parts.append("Ожидает ({}):\n{}".format(
+                len(pending),
+                "\n".join(f"  • {t['id']} — {t['title'][:60]}" for t in pending[:5]),
+            ))
+
+        content = "\n\n".join(parts) if parts else "Нет активных задач."
+        assistant_msg = models.add_chat_message(conn, project_id, "assistant", content)
+
+    else:  # question
+        assistant_msg = models.add_chat_message(
+            conn, project_id, "assistant",
+            "Я пока не умею отвечать на вопросы напрямую. "
+            "Если хотите — опишите задачу, я создам её и запущу агентов.",
+        )
+
+    conn.close()
+    return {
+        "user_message": user_msg,
+        "assistant_message": assistant_msg,
+        "task": task,
+    }
+
+
 # ---------------------------------------------------------------------------
 # SPA static files (AFTER all /api/ routes)
 # ---------------------------------------------------------------------------
--- a/web/frontend/src/api.ts
+++ b/web/frontend/src/api.ts
@ -226,6 +226,19 @@ export interface AuditResult {
  error?: string
 }

+export interface ProjectEnvironment {
+  id: number
+  project_id: string
+  name: string
+  host: string
+  port: number
+  username: string
+  auth_type: string
+  is_installed: number
+  created_at: string
+  updated_at: string
+}
+
 export interface EscalationNotification {
  task_id: string
  project_id: string
@ -236,6 +249,26 @@ export interface EscalationNotification {
  telegram_sent: boolean
 }

+export interface ChatMessage {
+  id: number
+  project_id: string
+  role: 'user' | 'assistant'
+  content: string
+  message_type: string
+  task_id: string | null
+  created_at: string
+  task_stub?: {
+    id: string
+    title: string
+    status: string
+  } | null
+}
+
+export interface ChatSendResult {
+  user_message: ChatMessage
+  assistant_message: ChatMessage
+}
+
 export const api = {
  projects: () => get<Project[]>('/projects'),
  project: (id: string) => get<ProjectDetail>(`/projects/${id}`),
@ -291,4 +324,18 @@ export const api = {
    post<{ phase: Phase; new_task: Task }>(`/phases/${phaseId}/revise`, { comment }),
  startPhase: (projectId: string) =>
    post<{ status: string; phase_id: number; task_id: string }>(`/projects/${projectId}/phases/start`, {}),
+  environments: (projectId: string) =>
+    get<ProjectEnvironment[]>(`/projects/${projectId}/environments`),
+  createEnvironment: (projectId: string, data: { name: string; host: string; port?: number; username: string; auth_type?: string; auth_value?: string; is_installed?: boolean }) =>
+    post<ProjectEnvironment & { scan_task_id?: string }>(`/projects/${projectId}/environments`, data),
+  updateEnvironment: (projectId: string, envId: number, data: { name?: string; host?: string; port?: number; username?: string; auth_type?: string; auth_value?: string; is_installed?: boolean }) =>
+    patch<ProjectEnvironment & { scan_task_id?: string }>(`/projects/${projectId}/environments/${envId}`, data),
+  deleteEnvironment: (projectId: string, envId: number) =>
+    del<void>(`/projects/${projectId}/environments/${envId}`),
+  scanEnvironment: (projectId: string, envId: number) =>
+    post<{ status: string; task_id: string }>(`/projects/${projectId}/environments/${envId}/scan`, {}),
+  chatHistory: (projectId: string, limit = 50) =>
+    get<ChatMessage[]>(`/projects/${projectId}/chat?limit=${limit}`),
+  sendChatMessage: (projectId: string, content: string) =>
+    post<ChatSendResult>(`/projects/${projectId}/chat`, { content }),
 }
--- a/web/frontend/src/main.ts
+++ b/web/frontend/src/main.ts
@ -6,6 +6,7 @@ import Dashboard from './views/Dashboard.vue'
 import ProjectView from './views/ProjectView.vue'
 import TaskDetail from './views/TaskDetail.vue'
 import SettingsView from './views/SettingsView.vue'
+import ChatView from './views/ChatView.vue'

 const router = createRouter({
  history: createWebHistory(),
@ -14,6 +15,7 @@ const router = createRouter({
    { path: '/project/:id', component: ProjectView, props: true },
    { path: '/task/:id', component: TaskDetail, props: true },
    { path: '/settings', component: SettingsView },
+    { path: '/chat/:projectId', component: ChatView, props: true },
  ],
 })

--- a/web/frontend/src/views/ChatView.vue
+++ b/web/frontend/src/views/ChatView.vue
@ -0,0 +1,215 @@
+<script setup lang="ts">
+import { ref, watch, nextTick, onUnmounted } from 'vue'
+import { useRouter } from 'vue-router'
+import { api, ApiError, type ChatMessage } from '../api'
+import Badge from '../components/Badge.vue'
+
+const props = defineProps<{ projectId: string }>()
+const router = useRouter()
+
+const messages = ref<ChatMessage[]>([])
+const input = ref('')
+const sending = ref(false)
+const loading = ref(true)
+const error = ref('')
+const projectName = ref('')
+const messagesEl = ref<HTMLElement | null>(null)
+
+let pollTimer: ReturnType<typeof setInterval> | null = null
+
+function stopPoll() {
+  if (pollTimer) {
+    clearInterval(pollTimer)
+    pollTimer = null
+  }
+}
+
+function hasRunningTasks(msgs: ChatMessage[]) {
+  return msgs.some(
+    m => m.task_stub?.status === 'in_progress' || m.task_stub?.status === 'pending'
+  )
+}
+
+function checkAndPoll() {
+  stopPoll()
+  if (!hasRunningTasks(messages.value)) return
+  pollTimer = setInterval(async () => {
+    try {
+      const updated = await api.chatHistory(props.projectId)
+      messages.value = updated
+      if (!hasRunningTasks(updated)) stopPoll()
+    } catch {}
+  }, 3000)
+}
+
+async function load() {
+  stopPoll()
+  loading.value = true
+  error.value = ''
+  try {
+    const [msgs, project] = await Promise.all([
+      api.chatHistory(props.projectId),
+      api.project(props.projectId),
+    ])
+    messages.value = msgs
+    projectName.value = project.name
+  } catch (e: any) {
+    if (e instanceof ApiError && e.message.includes('not found')) {
+      router.push('/')
+      return
+    }
+    error.value = e.message
+  } finally {
+    loading.value = false
+  }
+  await nextTick()
+  scrollToBottom()
+  checkAndPoll()
+}
+
+watch(() => props.projectId, () => {
+  messages.value = []
+  input.value = ''
+  error.value = ''
+  projectName.value = ''
+  loading.value = true
+  load()
+}, { immediate: true })
+
+onUnmounted(stopPoll)
+
+async function send() {
+  const text = input.value.trim()
+  if (!text || sending.value) return
+  sending.value = true
+  error.value = ''
+  try {
+    const result = await api.sendChatMessage(props.projectId, text)
+    input.value = ''
+    messages.value.push(result.user_message, result.assistant_message)
+    await nextTick()
+    scrollToBottom()
+    checkAndPoll()
+  } catch (e: any) {
+    error.value = e.message
+  } finally {
+    sending.value = false
+  }
+}
+
+function onKeydown(e: KeyboardEvent) {
+  if (e.key === 'Enter' && !e.shiftKey) {
+    e.preventDefault()
+    send()
+  }
+}
+
+function scrollToBottom() {
+  if (messagesEl.value) {
+    messagesEl.value.scrollTop = messagesEl.value.scrollHeight
+  }
+}
+
+function taskStatusColor(status: string): string {
+  const map: Record<string, string> = {
+    done: 'green',
+    in_progress: 'blue',
+    review: 'yellow',
+    blocked: 'red',
+    pending: 'gray',
+    cancelled: 'gray',
+  }
+  return map[status] ?? 'gray'
+}
+
+function formatTime(dt: string) {
+  return new Date(dt).toLocaleTimeString('ru-RU', { hour: '2-digit', minute: '2-digit' })
+}
+</script>
+
+<template>
+  <div class="flex flex-col h-[calc(100vh-112px)]">
+    <!-- Header -->
+    <div class="flex items-center gap-3 pb-4 border-b border-gray-800">
+      <router-link
+        :to="`/project/${projectId}`"
+        class="text-gray-400 hover:text-gray-200 text-sm no-underline"
+      >← Проект</router-link>
+      <span class="text-gray-600">|</span>
+      <h1 class="text-base font-semibold text-gray-100">
+        {{ projectName || projectId }}
+      </h1>
+      <span class="text-xs text-gray-500 ml-1">— чат</span>
+    </div>
+
+    <!-- Error -->
+    <div v-if="error" class="mt-3 text-sm text-red-400 bg-red-900/20 border border-red-800 rounded px-3 py-2">
+      {{ error }}
+    </div>
+
+    <!-- Loading -->
+    <div v-if="loading" class="flex-1 flex items-center justify-center">
+      <span class="text-gray-500 text-sm">Загрузка...</span>
+    </div>
+
+    <!-- Messages -->
+    <div
+      v-else
+      ref="messagesEl"
+      class="flex-1 overflow-y-auto py-4 flex flex-col gap-3 min-h-0"
+    >
+      <div v-if="messages.length === 0" class="text-center text-gray-500 text-sm mt-8">
+        Опишите задачу или спросите о статусе проекта
+      </div>
+
+      <div
+        v-for="msg in messages"
+        :key="msg.id"
+        class="flex"
+        :class="msg.role === 'user' ? 'justify-end' : 'justify-start'"
+      >
+        <div
+          class="max-w-[70%] rounded-2xl px-4 py-2.5"
+          :class="msg.role === 'user'
+            ? 'bg-indigo-900/60 border border-indigo-700/50 text-gray-100 rounded-br-sm'
+            : 'bg-gray-800/70 border border-gray-700/50 text-gray-200 rounded-bl-sm'"
+        >
+          <p class="text-sm whitespace-pre-wrap break-words">{{ msg.content }}</p>
+
+          <!-- Task stub for task_created messages -->
+          <div
+            v-if="msg.message_type === 'task_created' && msg.task_stub"
+            class="mt-2 pt-2 border-t border-gray-700/40 flex items-center gap-2"
+          >
+            <router-link
+              :to="`/task/${msg.task_stub.id}`"
+              class="text-xs text-indigo-400 hover:text-indigo-300 no-underline font-mono"
+            >{{ msg.task_stub.id }}</router-link>
+            <Badge :color="taskStatusColor(msg.task_stub.status)" :text="msg.task_stub.status" />
+          </div>
+
+          <p class="text-xs mt-1.5 text-gray-500">{{ formatTime(msg.created_at) }}</p>
+        </div>
+      </div>
+    </div>
+
+    <!-- Input -->
+    <div class="pt-3 border-t border-gray-800 flex gap-2 items-end">
+      <textarea
+        v-model="input"
+        :disabled="sending || loading"
+        placeholder="Опишите задачу или вопрос... (Enter — отправить, Shift+Enter — перенос)"
+        rows="2"
+        class="flex-1 bg-gray-800/60 border border-gray-700 rounded-xl px-4 py-2.5 text-sm text-gray-100 placeholder-gray-500 resize-none focus:outline-none focus:border-indigo-600 disabled:opacity-50"
+        @keydown="onKeydown"
+      />
+      <button
+        :disabled="sending || loading || !input.trim()"
+        class="px-4 py-2.5 bg-indigo-600 hover:bg-indigo-500 disabled:opacity-40 disabled:cursor-not-allowed text-white text-sm rounded-xl font-medium transition-colors"
+        @click="send"
+      >
+        {{ sending ? '...' : 'Отправить' }}
+      </button>
+    </div>
+  </div>
+</template>
--- a/web/frontend/src/views/ProjectView.vue
+++ b/web/frontend/src/views/ProjectView.vue
@ -1,7 +1,7 @@
 <script setup lang="ts">
 import { ref, onMounted, onUnmounted, computed, watch } from 'vue'
 import { useRoute, useRouter } from 'vue-router'
-import { api, ApiError, type ProjectDetail, type AuditResult, type Phase, type Task } from '../api'
+import { api, ApiError, type ProjectDetail, type AuditResult, type Phase, type Task, type ProjectEnvironment } from '../api'
 import Badge from '../components/Badge.vue'
 import Modal from '../components/Modal.vue'

@ -12,7 +12,7 @@ const router = useRouter()
 const project = ref<ProjectDetail | null>(null)
 const loading = ref(true)
 const error = ref('')
-const activeTab = ref<'tasks' | 'phases' | 'decisions' | 'modules' | 'kanban'>('tasks')
+const activeTab = ref<'tasks' | 'phases' | 'decisions' | 'modules' | 'kanban' | 'environments'>('tasks')

 // Phases
 const phases = ref<Phase[]>([])
@ -246,6 +246,83 @@ async function applyAudit() {
  }
 }

+// Environments
+const environments = ref<ProjectEnvironment[]>([])
+const envsLoading = ref(false)
+const envsError = ref('')
+const showEnvModal = ref(false)
+const editingEnv = ref<ProjectEnvironment | null>(null)
+const envForm = ref({ name: 'prod', host: '', port: 22, username: '', auth_type: 'password', auth_value: '', is_installed: false })
+const envFormError = ref('')
+const envSaving = ref(false)
+const scanTaskId = ref<string | null>(null)
+const showScanBanner = ref(false)
+
+async function loadEnvironments() {
+  envsLoading.value = true
+  envsError.value = ''
+  try {
+    environments.value = await api.environments(props.id)
+  } catch (e: any) {
+    envsError.value = e.message
+  } finally {
+    envsLoading.value = false
+  }
+}
+
+function openEnvModal(env?: ProjectEnvironment) {
+  editingEnv.value = env || null
+  if (env) {
+    envForm.value = { name: env.name, host: env.host, port: env.port, username: env.username, auth_type: env.auth_type, auth_value: '', is_installed: !!env.is_installed }
+  } else {
+    envForm.value = { name: 'prod', host: '', port: 22, username: '', auth_type: 'password', auth_value: '', is_installed: false }
+  }
+  envFormError.value = ''
+  showEnvModal.value = true
+}
+
+async function submitEnv() {
+  envFormError.value = ''
+  envSaving.value = true
+  try {
+    const payload = {
+      name: envForm.value.name,
+      host: envForm.value.host,
+      port: envForm.value.port,
+      username: envForm.value.username,
+      auth_type: envForm.value.auth_type,
+      auth_value: envForm.value.auth_value || undefined,
+      is_installed: envForm.value.is_installed,
+    }
+    let res: ProjectEnvironment & { scan_task_id?: string }
+    if (editingEnv.value) {
+      res = await api.updateEnvironment(props.id, editingEnv.value.id, payload)
+    } else {
+      res = await api.createEnvironment(props.id, payload)
+    }
+    showEnvModal.value = false
+    await loadEnvironments()
+    if (res.scan_task_id) {
+      scanTaskId.value = res.scan_task_id
+      showScanBanner.value = true
+    }
+  } catch (e: any) {
+    envFormError.value = e.message
+  } finally {
+    envSaving.value = false
+  }
+}
+
+async function deleteEnv(envId: number) {
+  if (!confirm('Удалить среду?')) return
+  try {
+    await api.deleteEnvironment(props.id, envId)
+    await loadEnvironments()
+  } catch (e: any) {
+    envsError.value = e.message
+  }
+}
+
 // Add task modal
 const TASK_CATEGORIES = ['SEC', 'UI', 'API', 'INFRA', 'BIZ', 'DB', 'ARCH', 'TEST', 'PERF', 'DOCS', 'FIX', 'OBS']
 const CATEGORY_COLORS: Record<string, string> = {
@ -280,6 +357,9 @@ watch(selectedStatuses, (val) => {

 watch(() => props.id, () => {
  taskSearch.value = ''
+  environments.value = []
+  showScanBanner.value = false
+  scanTaskId.value = null
 })

 onMounted(async () => {
@ -287,6 +367,7 @@ onMounted(async () => {
  loadMode()
  loadAutocommit()
  await loadPhases()
+  await loadEnvironments()
 })

 onUnmounted(() => {
@ -384,16 +465,25 @@ async function addTask() {
  }
 }

+const runningTaskId = ref<string | null>(null)
+
 async function runTask(taskId: string, event: Event) {
  event.preventDefault()
  event.stopPropagation()
  if (!confirm(`Run pipeline for ${taskId}?`)) return
+  runningTaskId.value = taskId
  try {
    await api.runTask(taskId)
    await load()
    if (activeTab.value === 'kanban') checkAndPollKanban()
  } catch (e: any) {
-    error.value = e.message
+    if (e instanceof ApiError && e.code === 'task_already_running') {
+      error.value = 'Pipeline уже запущен'
+    } else {
+      error.value = e.message
+    }
+  } finally {
+    runningTaskId.value = null
  }
 }

@ -518,6 +608,8 @@ async function addDecision() {
    <div class="mb-6">
      <div class="flex items-center gap-2 mb-1">
        <router-link to="/" class="text-gray-600 hover:text-gray-400 text-sm no-underline">&larr; back</router-link>
+        <span class="text-gray-700">|</span>
+        <router-link :to="`/chat/${project.id}`" class="text-indigo-500 hover:text-indigo-400 text-sm no-underline">Чат</router-link>
      </div>
      <div class="flex items-center gap-3 mb-2">
        <h1 class="text-xl font-bold text-gray-100">{{ project.id }}</h1>
@ -545,18 +637,19 @@ async function addDecision() {

    <!-- Tabs -->
    <div class="flex gap-1 mb-4 border-b border-gray-800">
-      <button v-for="tab in (['tasks', 'phases', 'decisions', 'modules', 'kanban'] as const)" :key="tab"
+      <button v-for="tab in (['tasks', 'phases', 'decisions', 'modules', 'kanban', 'environments'] as const)" :key="tab"
        @click="activeTab = tab"
        class="px-4 py-2 text-sm border-b-2 transition-colors"
        :class="activeTab === tab
          ? 'text-gray-200 border-blue-500'
          : 'text-gray-500 border-transparent hover:text-gray-300'">
-        {{ tab === 'kanban' ? 'Kanban' : tab.charAt(0).toUpperCase() + tab.slice(1) }}
+        {{ tab === 'kanban' ? 'Kanban' : tab === 'environments' ? 'Среды' : tab.charAt(0).toUpperCase() + tab.slice(1) }}
        <span class="text-xs text-gray-600 ml-1">
          {{ tab === 'tasks' ? project.tasks.length
           : tab === 'phases' ? phases.length
           : tab === 'decisions' ? project.decisions.length
           : tab === 'modules' ? project.modules.length
+           : tab === 'environments' ? environments.length
           : project.tasks.length }}
        </span>
      </button>
@ -697,8 +790,12 @@ async function addDecision() {
            </select>
            <button v-if="t.status === 'pending'"
              @click="runTask(t.id, $event)"
-              class="px-2 py-0.5 bg-blue-900/40 text-blue-400 border border-blue-800 rounded hover:bg-blue-900 text-[10px]"
-              title="Run pipeline">&#9654;</button>
+              :disabled="runningTaskId === t.id"
+              class="px-2 py-0.5 bg-blue-900/40 text-blue-400 border border-blue-800 rounded hover:bg-blue-900 text-[10px] disabled:opacity-50"
+              title="Run pipeline">
+              <span v-if="runningTaskId === t.id" class="inline-block w-2 h-2 border border-blue-400 border-t-transparent rounded-full animate-spin"></span>
+              <span v-else>&#9654;</span>
+            </button>
            <span v-if="t.status === 'in_progress'"
              class="inline-block w-2 h-2 bg-blue-500 rounded-full animate-pulse" title="Running"></span>
          </div>
@ -939,6 +1036,61 @@ async function addDecision() {
      </div>
    </div>

+    <!-- Environments Tab -->
+    <div v-if="activeTab === 'environments'">
+      <!-- Scan started banner -->
+      <div v-if="showScanBanner" class="mb-4 px-4 py-3 border border-blue-700 bg-blue-950/30 rounded flex items-start justify-between gap-2">
+        <div>
+          <p class="text-sm font-semibold text-blue-300">&#128269; Запускаем сканирование среды...</p>
+          <p class="text-xs text-blue-200/70 mt-1">Создана задача сисадмина:
+            <router-link v-if="scanTaskId" :to="`/task/${scanTaskId}`" class="text-blue-400 hover:text-blue-300 no-underline">{{ scanTaskId }}</router-link>
+          </p>
+          <p class="text-xs text-gray-500 mt-1">Агент опишет среду, установленное ПО и настроенный git. При нехватке данных — эскалация к вам.</p>
+        </div>
+        <button @click="showScanBanner = false" class="text-gray-600 hover:text-gray-400 bg-transparent border-none cursor-pointer text-xs shrink-0">✕</button>
+      </div>
+
+      <div class="flex items-center justify-between mb-3">
+        <span class="text-xs text-gray-500">Серверные окружения проекта</span>
+        <button @click="openEnvModal()"
+          class="px-3 py-1 text-xs bg-gray-800 text-gray-300 border border-gray-700 rounded hover:bg-gray-700">
+          + Среда
+        </button>
+      </div>
+
+      <p v-if="envsLoading" class="text-gray-500 text-sm">Загрузка...</p>
+      <p v-else-if="envsError" class="text-red-400 text-sm">{{ envsError }}</p>
+      <div v-else-if="environments.length === 0" class="text-gray-600 text-sm">Нет сред. Добавьте сервер для развёртывания.</div>
+      <div v-else class="space-y-2">
+        <div v-for="env in environments" :key="env.id"
+          class="px-4 py-3 border border-gray-800 rounded hover:border-gray-700">
+          <div class="flex items-center justify-between">
+            <div class="flex items-center gap-2">
+              <span class="text-sm font-medium text-gray-200">{{ env.name }}</span>
+              <span class="px-1.5 py-0.5 text-[10px] rounded border"
+                :class="env.is_installed ? 'bg-green-900/30 text-green-400 border-green-800' : 'bg-gray-800 text-gray-500 border-gray-700'">
+                {{ env.is_installed ? '&#x2713; установлен' : 'не установлен' }}
+              </span>
+              <span class="px-1.5 py-0.5 text-[10px] bg-gray-800 text-gray-500 border border-gray-700 rounded">{{ env.auth_type }}</span>
+            </div>
+            <div class="flex items-center gap-2">
+              <button @click="openEnvModal(env)" title="Редактировать"
+                class="px-2 py-0.5 text-xs bg-gray-800 text-gray-400 border border-gray-700 rounded hover:bg-gray-700 hover:text-gray-200">
+                ✎
+              </button>
+              <button @click="deleteEnv(env.id)" title="Удалить"
+                class="px-2 py-0.5 text-xs bg-gray-800 text-red-500 border border-gray-700 rounded hover:bg-red-950/30 hover:border-red-800">
+                ✕
+              </button>
+            </div>
+          </div>
+          <div class="mt-1 text-xs text-gray-500 flex gap-3 flex-wrap">
+            <span><span class="text-gray-600">host:</span> <span class="text-orange-400">{{ env.username }}@{{ env.host }}:{{ env.port }}</span></span>
+          </div>
+        </div>
+      </div>
+    </div>
+
    <!-- Add Task Modal -->
    <Modal v-if="showAddTask" title="Add Task" @close="showAddTask = false">
      <form @submit.prevent="addTask" class="space-y-3">
@ -1000,6 +1152,72 @@ async function addDecision() {
      </form>
    </Modal>

+    <!-- Environment Modal -->
+    <Modal v-if="showEnvModal" :title="editingEnv ? 'Редактировать среду' : 'Добавить среду'" @close="showEnvModal = false">
+      <form @submit.prevent="submitEnv" class="space-y-3">
+        <div>
+          <label class="block text-xs text-gray-500 mb-1">Название</label>
+          <select v-model="envForm.name"
+            class="w-full bg-gray-800 border border-gray-700 rounded px-3 py-2 text-sm text-gray-300">
+            <option value="prod">prod</option>
+            <option value="dev">dev</option>
+            <option value="staging">staging</option>
+          </select>
+        </div>
+        <div class="flex gap-2">
+          <div class="flex-1">
+            <label class="block text-xs text-gray-500 mb-1">Host (IP или домен)</label>
+            <input v-model="envForm.host" placeholder="10.0.0.1" required
+              class="w-full bg-gray-800 border border-gray-700 rounded px-3 py-2 text-sm text-gray-200 placeholder-gray-600" />
+          </div>
+          <div class="w-24">
+            <label class="block text-xs text-gray-500 mb-1">Port</label>
+            <input v-model.number="envForm.port" type="number" min="1" max="65535"
+              class="w-full bg-gray-800 border border-gray-700 rounded px-3 py-2 text-sm text-gray-200" />
+          </div>
+        </div>
+        <div>
+          <label class="block text-xs text-gray-500 mb-1">Login</label>
+          <input v-model="envForm.username" placeholder="root" required
+            class="w-full bg-gray-800 border border-gray-700 rounded px-3 py-2 text-sm text-gray-200 placeholder-gray-600" />
+        </div>
+        <div>
+          <label class="block text-xs text-gray-500 mb-2">Тип авторизации</label>
+          <div class="flex gap-4">
+            <label class="flex items-center gap-1.5 text-sm text-gray-300 cursor-pointer">
+              <input type="radio" v-model="envForm.auth_type" value="password" class="accent-blue-500" />
+              Пароль
+            </label>
+            <label class="flex items-center gap-1.5 text-sm text-gray-300 cursor-pointer">
+              <input type="radio" v-model="envForm.auth_type" value="key" class="accent-blue-500" />
+              SSH ключ
+            </label>
+          </div>
+        </div>
+        <div>
+          <label class="block text-xs text-gray-500 mb-1">{{ envForm.auth_type === 'key' ? 'SSH ключ (private key)' : 'Пароль' }}</label>
+          <textarea v-if="envForm.auth_type === 'key'" v-model="envForm.auth_value" rows="4"
+            placeholder="-----BEGIN OPENSSH PRIVATE KEY-----&#10;..."
+            class="w-full bg-gray-800 border border-gray-700 rounded px-3 py-2 text-xs text-gray-200 placeholder-gray-600 resize-y font-mono"></textarea>
+          <input v-else v-model="envForm.auth_value" type="password"
+            :placeholder="editingEnv ? 'Оставьте пустым, чтобы не менять' : 'Пароль'"
+            class="w-full bg-gray-800 border border-gray-700 rounded px-3 py-2 text-sm text-gray-200 placeholder-gray-600" />
+        </div>
+        <label class="flex items-center gap-2 cursor-pointer select-none">
+          <input type="checkbox" v-model="envForm.is_installed" class="accent-blue-500" />
+          <span class="text-sm text-gray-300">&#9745; Проект уже установлен на сервере</span>
+        </label>
+        <div v-if="envForm.is_installed" class="px-3 py-2 border border-blue-800 bg-blue-950/20 rounded text-xs text-blue-300">
+          После сохранения будет запущен агент-сисадмин для сканирования среды.
+        </div>
+        <p v-if="envFormError" class="text-red-400 text-xs">{{ envFormError }}</p>
+        <button type="submit" :disabled="envSaving"
+          class="w-full py-2 bg-blue-900/50 text-blue-400 border border-blue-800 rounded text-sm hover:bg-blue-900 disabled:opacity-50">
+          {{ envSaving ? 'Сохраняем...' : editingEnv ? 'Сохранить' : 'Добавить' }}
+        </button>
+      </form>
+    </Modal>
+
    <!-- Audit Modal -->
    <Modal v-if="showAuditModal && auditResult" title="Backlog Audit Results" @close="showAuditModal = false">
      <div v-if="!auditResult.success" class="text-red-400 text-sm">
--- a/web/frontend/src/views/SettingsView.vue
+++ b/web/frontend/src/views/SettingsView.vue
@ -141,6 +141,7 @@ async function runSync(projectId: string) {
          <div v-for="err in syncResults[project.id]!.errors" :key="err" class="text-red-400">{{ err }}</div>
        </div>
      </div>
+
    </div>
  </div>
 </template>
--- a/web/frontend/src/views/TaskDetail.vue
+++ b/web/frontend/src/views/TaskDetail.vue
@ -15,6 +15,7 @@ const error = ref('')
 const claudeLoginError = ref(false)
 const selectedStep = ref<PipelineStep | null>(null)
 const polling = ref(false)
+const pipelineStarting = ref(false)
 let pollTimer: ReturnType<typeof setInterval> | null = null

 // Approve modal
@ -208,6 +209,7 @@ async function revise() {

 async function runPipeline() {
  claudeLoginError.value = false
+  pipelineStarting.value = true
  try {
    await api.runTask(props.id)
    startPolling()
@ -215,9 +217,13 @@ async function runPipeline() {
  } catch (e: any) {
    if (e instanceof ApiError && e.code === 'claude_auth_required') {
      claudeLoginError.value = true
+    } else if (e instanceof ApiError && e.code === 'task_already_running') {
+      error.value = 'Pipeline уже запущен'
    } else {
      error.value = e.message
    }
+  } finally {
+    pipelineStarting.value = false
  }
 }

@ -506,10 +512,10 @@ async function saveEdit() {
      </button>
      <button v-if="task.status === 'pending' || task.status === 'blocked'"
        @click="runPipeline"
-        :disabled="polling"
+        :disabled="polling || pipelineStarting"
        class="px-4 py-2 text-sm bg-blue-900/50 text-blue-400 border border-blue-800 rounded hover:bg-blue-900 disabled:opacity-50">
-        <span v-if="polling" class="inline-block w-3 h-3 border-2 border-blue-400 border-t-transparent rounded-full animate-spin mr-1"></span>
-        {{ polling ? 'Pipeline running...' : '&#9654; Run Pipeline' }}
+        <span v-if="polling || pipelineStarting" class="inline-block w-3 h-3 border-2 border-blue-400 border-t-transparent rounded-full animate-spin mr-1"></span>
+        {{ (polling || pipelineStarting) ? 'Pipeline running...' : '&#9654; Run Pipeline' }}
      </button>
      <button v-if="isManualEscalation && task.status !== 'done' && task.status !== 'cancelled'"
        @click="resolveManually"