phase 7+: i18n primitive + login language picker + autocomplete-off

Adds a minimal Svelte 5 i18n primitive (`src/lib/i18n/`) backing the
login form, the layout blocker page, and the lobby placeholder.
SUPPORTED_LOCALES drives both the picker and the runtime lookup;
adding a language is a two-step change inside `src/lib/i18n/`.

Login form gains a globe-icon language dropdown (English / Русский
in their native names), defaulting to navigator.languages with `en`
as the fallback. Switching the locale re-renders the form in place;
on submit, the locale rides in the JSON body of `send-email-code`
because Safari/WebKit silently drops JS-set Accept-Language. Gateway
gains a body `locale` field that takes priority over the request
header for preferred-language resolution.

Email and code inputs disable browser autofill / suggestions
(`autocomplete=off` + `autocorrect=off` + `autocapitalize=off` +
`spellcheck=false`) so Keychain / address-book pickers and
remembered-value dropdowns no longer fire on focus.

Cross-cuts:
- backend & gateway openapi: clarify that body `locale` is honored.
- docs/FUNCTIONAL{,_ru}.md §1.2: document body-vs-header priority.
- gateway tests: body `locale` overrides Accept-Language; blank
  body `locale` falls back to header.
- new ui/docs/i18n.md; cross-links from auth-flow.md and ui/README.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

gateway/internal/restapi/public_auth.go

@@ -56,9 +56,16 @@ type SendEmailCodeInput struct {
 	// code challenge.
 	Email string `json:"email"`
 
-	// PreferredLanguage stores the canonical BCP 47 language tag derived from
-	// the public Accept-Language header for upstream auth-mail localization and
-	// create-only user registration context.
+	// Locale is the optional BCP 47 language tag the caller wants the
+	// auth-mail in. The body field is the canonical channel because Safari
+	// silently drops JS-set Accept-Language headers; when set, it overrides
+	// the request Accept-Language for preferred-language resolution.
+	Locale string `json:"locale,omitempty"`
+
+	// PreferredLanguage stores the canonical BCP 47 language tag derived
+	// from Locale (preferred) or the Accept-Language header (fallback) for
+	// upstream auth-mail localization and create-only user registration
+	// context.
 	PreferredLanguage string `json:"-"`
 }
 
@@ -209,7 +216,15 @@ func handleSendEmailCode(authService AuthServiceClient, timeout time.Duration) g
 			abortInvalidRequest(c, err.Error())
 			return
 		}
-		input.PreferredLanguage = resolvePreferredLanguage(c.Request.Header.Get("Accept-Language"))
+		// Body locale wins over the request header so Safari clients,
+		// which cannot set Accept-Language from JavaScript, can still
+		// pick a non-system mail language. Empty / malformed values
+		// fall through resolvePreferredLanguage to the default.
+		if strings.TrimSpace(input.Locale) != "" {
+			input.PreferredLanguage = resolvePreferredLanguage(input.Locale)
+		} else {
+			input.PreferredLanguage = resolvePreferredLanguage(c.Request.Header.Get("Accept-Language"))
+		}
 
 		callCtx, cancel := context.WithTimeout(c.Request.Context(), timeout)
 		defer cancel()

gateway/internal/restapi/public_auth_test.go

@@ -52,6 +52,64 @@ func TestSendEmailCodeHandlerSuccess(t *testing.T) {
 	assert.Equal(t, PublicRouteClassPublicAuth, authService.sendEmailCodeRouteClass)
 }
 
+func TestSendEmailCodeHandlerBodyLocaleOverridesHeader(t *testing.T) {
+	t.Parallel()
+
+	authService := &recordingAuthServiceClient{
+		sendEmailCodeResult: SendEmailCodeResult{
+			ChallengeID: "challenge-456",
+		},
+	}
+	handler := newPublicHandler(ServerDependencies{AuthService: authService})
+
+	req := httptest.NewRequest(
+		http.MethodPost,
+		"/api/v1/public/auth/send-email-code",
+		strings.NewReader(`{"email":"pilot@example.com","locale":"ru"}`),
+	)
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Accept-Language", "fr-FR")
+	recorder := httptest.NewRecorder()
+
+	handler.ServeHTTP(recorder, req)
+
+	assert.Equal(t, http.StatusOK, recorder.Code)
+	assert.Equal(t, SendEmailCodeInput{
+		Email:             "pilot@example.com",
+		Locale:             "ru",
+		PreferredLanguage: "ru",
+	}, authService.sendEmailCodeInput)
+}
+
+func TestSendEmailCodeHandlerEmptyBodyLocaleFallsBackToHeader(t *testing.T) {
+	t.Parallel()
+
+	authService := &recordingAuthServiceClient{
+		sendEmailCodeResult: SendEmailCodeResult{
+			ChallengeID: "challenge-789",
+		},
+	}
+	handler := newPublicHandler(ServerDependencies{AuthService: authService})
+
+	req := httptest.NewRequest(
+		http.MethodPost,
+		"/api/v1/public/auth/send-email-code",
+		strings.NewReader(`{"email":"pilot@example.com","locale":"   "}`),
+	)
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Accept-Language", "ru-RU")
+	recorder := httptest.NewRecorder()
+
+	handler.ServeHTTP(recorder, req)
+
+	assert.Equal(t, http.StatusOK, recorder.Code)
+	assert.Equal(t, SendEmailCodeInput{
+		Email:             "pilot@example.com",
+		Locale:             "   ",
+		PreferredLanguage: "ru-RU",
+	}, authService.sendEmailCodeInput)
+}
+
 func TestConfirmEmailCodeHandlerSuccess(t *testing.T) {
 	t.Parallel()
 

gateway/openapi.yaml

@@ -134,10 +134,12 @@ paths:
         that must later be confirmed through
         `POST /api/v1/public/auth/confirm-email-code`.
 
-        The JSON body stays unchanged. Callers may additionally supply the
-        standard `Accept-Language` header so the gateway can derive the
-        auth-mail locale and first-login preferred-language candidate. Missing
-        or unsupported values fall back to `en`.
+        Callers select the auth-mail locale through the optional
+        `locale` field on the JSON body, which takes priority over the
+        request `Accept-Language` header. The body field is the canonical
+        channel because Safari silently drops JS-set `Accept-Language`
+        headers; non-Safari clients can still rely on the header alone.
+        Missing or unsupported values fall back to `en`.
 
         This route is unauthenticated and classified as `public_auth`.
         Public REST anti-abuse applies a per-IP bucket derived from
@@ -302,6 +304,16 @@ components:
           type: string
           description: Single client e-mail address that should receive the login code.
           format: email
+        locale:
+          type: string
+          description: |
+            Optional BCP 47 language tag the caller prefers for the
+            delivered code. The body field is the canonical channel
+            because Safari silently drops JS-set Accept-Language
+            headers; when set, it overrides the request
+            `Accept-Language` for preferred-language resolution.
+            Empty / malformed values fall back to the header, which
+            in turn falls back to `en`.
     SendEmailCodeResponse:
       type: object
       additionalProperties: false