ui/phase-24: push events, turn-ready toast, single SubscribeEvents consumer

Wires the gateway's signed SubscribeEvents stream end-to-end:

- backend: emit game.turn.ready from lobby.OnRuntimeSnapshot on every
  current_turn advance, addressed to every active membership, push-only
  channel, idempotency key turn-ready:<game_id>:<turn>;
- ui: single EventStream singleton replaces revocation-watcher.ts and
  carries both per-event dispatch and revocation detection; toast
  primitive (store + host) lives in lib/; GameStateStore gains
  pendingTurn/markPendingTurn/advanceToPending and a persisted
  lastViewedTurn so a return after multiple turns surfaces the same
  "view now" affordance as a live push event;
- mandatory event-signature verification through ui/core
  (verifyPayloadHash + verifyEvent), full-jitter exponential backoff
  1s -> 30s on transient failure, signOut("revoked") on
  Unauthenticated or clean end-of-stream;
- catalog and migration accept the new kind; tests cover producer
  (testcontainers + capturing publisher), consumer (Vitest event
  stream, toast, game-state extensions), and a Playwright e2e
  delivering a signed frame to the live UI.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

ui/frontend/tests/e2e/fixtures/canon.ts

@@ -6,6 +6,7 @@
 // truth; this TS copy stays small enough to read against that test.
 
 const RESPONSE_DOMAIN_MARKER_V1 = "galaxy-response-v1";
+const EVENT_DOMAIN_MARKER_V1 = "galaxy-event-v1";
 
 export interface ResponseSigningFields {
 	protocolVersion: string;
@@ -15,6 +16,15 @@ export interface ResponseSigningFields {
 	payloadHash: Uint8Array;
 }
 
+export interface EventSigningFields {
+	eventType: string;
+	eventId: string;
+	timestampMs: bigint;
+	requestId: string;
+	traceId: string;
+	payloadHash: Uint8Array;
+}
+
 export function buildResponseSigningInput(
 	fields: ResponseSigningFields,
 ): Uint8Array {
@@ -28,6 +38,24 @@ export function buildResponseSigningInput(
 	return new Uint8Array(parts);
 }
 
+// `buildEventSigningInput` mirrors `ui/core/canon/event.go`
+// `BuildEventSigningInput`. The Go-side parity test
+// (`gateway/authn/parity_with_ui_core_test.go`) is the source of truth;
+// this TS copy stays close enough to that test to read against it.
+export function buildEventSigningInput(
+	fields: EventSigningFields,
+): Uint8Array {
+	const parts: number[] = [];
+	appendLengthPrefixedString(parts, EVENT_DOMAIN_MARKER_V1);
+	appendLengthPrefixedString(parts, fields.eventType);
+	appendLengthPrefixedString(parts, fields.eventId);
+	appendBigEndianUint64(parts, fields.timestampMs);
+	appendLengthPrefixedString(parts, fields.requestId);
+	appendLengthPrefixedString(parts, fields.traceId);
+	appendLengthPrefixedBytes(parts, fields.payloadHash);
+	return new Uint8Array(parts);
+}
+
 function appendLengthPrefixedString(dst: number[], value: string): void {
 	const bytes = new TextEncoder().encode(value);
 	appendLengthPrefixedBytes(dst, bytes);

ui/frontend/tests/e2e/fixtures/sign-event.ts

@@ -0,0 +1,94 @@
+// `forgeGatewayEventFrame` produces one Connect HTTP/1.1
+// server-streaming frame carrying a `GatewayEvent` signed with the
+// fixture private key. The Playwright `turn-ready.spec.ts` route
+// handler returns this body when the UI opens `SubscribeEvents` so
+// the production verification path (`core.verifyEvent`) accepts the
+// frame under the matching public key the dev server picks up via
+// `VITE_GATEWAY_RESPONSE_PUBLIC_KEY`.
+//
+// Connect HTTP/1.1 server-streaming framing per request:
+//   1 byte  flag    (0x00 = message)
+//   4 bytes length  (big-endian, payload size)
+//   N bytes payload (JSON-encoded GatewayEvent for the JSON codec)
+//
+// The route handler closes the response after one frame; the UI's
+// `events.svelte.ts` reconnect loop treats the abrupt end-of-body as
+// a transient error and backs off, which keeps the toast visible
+// long enough for the test to assert on it.
+
+import { create, toJsonString } from "@bufbuild/protobuf";
+import { webcrypto } from "node:crypto";
+import { GatewayEventSchema } from "../../../src/proto/galaxy/gateway/v1/edge_gateway_pb";
+import { buildEventSigningInput } from "./canon";
+import {
+	FIXTURE_PRIVATE_KEY_PKCS8_BASE64,
+	decodeBase64,
+} from "./gateway-key";
+
+export interface ForgedEventInput {
+	eventType: string;
+	eventId: string;
+	timestampMs: bigint;
+	requestId: string;
+	traceId: string;
+	payloadBytes: Uint8Array;
+}
+
+let cachedPrivateKey: CryptoKey | null = null;
+
+async function privateKey(): Promise<CryptoKey> {
+	if (cachedPrivateKey !== null) {
+		return cachedPrivateKey;
+	}
+	const pkcs8 = decodeBase64(FIXTURE_PRIVATE_KEY_PKCS8_BASE64);
+	cachedPrivateKey = await webcrypto.subtle.importKey(
+		"pkcs8",
+		pkcs8,
+		{ name: "Ed25519" },
+		false,
+		["sign"],
+	);
+	return cachedPrivateKey;
+}
+
+async function sha256(payload: Uint8Array): Promise<Uint8Array> {
+	const digest = await webcrypto.subtle.digest("SHA-256", payload);
+	return new Uint8Array(digest);
+}
+
+export async function forgeGatewayEventFrame(
+	input: ForgedEventInput,
+): Promise<Uint8Array> {
+	const payloadHash = await sha256(input.payloadBytes);
+	const canonical = buildEventSigningInput({
+		eventType: input.eventType,
+		eventId: input.eventId,
+		timestampMs: input.timestampMs,
+		requestId: input.requestId,
+		traceId: input.traceId,
+		payloadHash,
+	});
+	const signatureBuf = await webcrypto.subtle.sign(
+		{ name: "Ed25519" },
+		await privateKey(),
+		canonical,
+	);
+	const event = create(GatewayEventSchema, {
+		eventType: input.eventType,
+		eventId: input.eventId,
+		timestampMs: input.timestampMs,
+		payloadBytes: input.payloadBytes,
+		payloadHash,
+		signature: new Uint8Array(signatureBuf),
+		requestId: input.requestId,
+		traceId: input.traceId,
+	});
+	const body = new TextEncoder().encode(
+		toJsonString(GatewayEventSchema, event),
+	);
+	const frame = new Uint8Array(5 + body.length);
+	frame[0] = 0x00; // message frame
+	new DataView(frame.buffer).setUint32(1, body.length, false);
+	frame.set(body, 5);
+	return frame;
+}