Stage 11: account linking & merge (email + Telegram Login Widget)

Link an email (confirm-code) or Telegram (web Login Widget) to the current
account; if the identity already has its own account, merge the two into the
one in use (the current account is primary, except a guest initiator whose
durable counterpart wins). The merge runs in one transaction
(internal/accountmerge): stats + hint wallet summed, paid_account ORed,
identities/games/chat/complaints transferred, friends/blocks de-duplicated,
the secondary kept as a merged_into tombstone so a shared finished game's
no-cascade FKs hold; a shared active game blocks the merge.

- migration 00009: accounts.paid_account, merged_into, merged_at (+ jetgen)
- internal/link orchestrator; session.RevokeAllForAccount on merge
- connector ValidateLoginWidget RPC + loginwidget HMAC validator
- edge ops link.email.request/confirm/merge, link.telegram.confirm/merge;
  supersedes the Stage 8 email.bind.* surface (request never reveals 'taken'
  before the code is verified, so a probe cannot enumerate addresses)
- UI Profile link section + irreversible-merge dialog; Telegram web sign-in
- focused regression tests (merge core, guest inversion, active-game refusal,
  finished-shared-game kept), gateway transcode + connector + UI codec/e2e
- docs: PLAN, ARCHITECTURE 3/4/9, FUNCTIONAL(+ru), module READMEs

platform/telegram/internal/connector/server.go

@@ -16,6 +16,7 @@ import (
 
 	telegramv1 "scrabble/pkg/proto/telegram/v1"
 	"scrabble/platform/telegram/internal/initdata"
+	"scrabble/platform/telegram/internal/loginwidget"
 	"scrabble/platform/telegram/internal/render"
 )
 
@@ -30,19 +31,21 @@ type Sender interface {
 // Server implements telegramv1.TelegramServer.
 type Server struct {
 	telegramv1.UnimplementedTelegramServer
-	validator initdata.Validator
-	sender    Sender
-	channelID int64
-	log       *zap.Logger
+	validator       initdata.Validator
+	widgetValidator loginwidget.Validator
+	sender          Sender
+	channelID       int64
+	log             *zap.Logger
 }
 
-// NewServer builds the gRPC service from a validator (for ValidateInitData), a
-// sender (the bot), and the configured game channel id (0 disables channel posts).
-func NewServer(validator initdata.Validator, sender Sender, channelID int64, log *zap.Logger) *Server {
+// NewServer builds the gRPC service from the Mini App initData validator, the Login
+// Widget validator (Stage 11), a sender (the bot), and the configured game channel
+// id (0 disables channel posts).
+func NewServer(validator initdata.Validator, widgetValidator loginwidget.Validator, sender Sender, channelID int64, log *zap.Logger) *Server {
 	if log == nil {
 		log = zap.NewNop()
 	}
-	return &Server{validator: validator, sender: sender, channelID: channelID, log: log}
+	return &Server{validator: validator, widgetValidator: widgetValidator, sender: sender, channelID: channelID, log: log}
 }
 
 // ValidateInitData verifies Mini App launch data and returns the user identity.
@@ -59,6 +62,20 @@ func (s *Server) ValidateInitData(ctx context.Context, req *telegramv1.ValidateI
 	}, nil
 }
 
+// ValidateLoginWidget verifies Login Widget authorization data and returns the user
+// identity, for attaching a Telegram identity to an existing account (Stage 11).
+func (s *Server) ValidateLoginWidget(ctx context.Context, req *telegramv1.ValidateLoginWidgetRequest) (*telegramv1.ValidateLoginWidgetResponse, error) {
+	u, err := s.widgetValidator.Validate(req.GetData())
+	if err != nil {
+		return nil, status.Error(codes.InvalidArgument, err.Error())
+	}
+	return &telegramv1.ValidateLoginWidgetResponse{
+		ExternalId: u.ExternalID,
+		Username:   u.Username,
+		FirstName:  u.FirstName,
+	}, nil
+}
+
 // Notify renders and delivers an out-of-app notification. It reports
 // delivered=false (without an error) for a kind that is not pushed out-of-app or a
 // delivery the bot could not complete (e.g. the user never started the bot), so the