Stage 16: deploy infra & test contour

- backend + gateway multi-stage distroless Dockerfiles; the gateway embeds and
  serves the SPA at / and /telegram/ via go:embed (committed dist placeholder,
  real build baked in by the image's node stage)
- deploy/docker-compose.yml: backend + gateway + Postgres + Telegram connector
  (VPN sidecar) + OTel Collector + Prometheus (15d) + Tempo (72h) + Grafana,
  fronted by a caddy owning a single /_gm Basic-Auth (admin console + Grafana
  subpath); inter-service on a private network, only caddy on the edge network
- new metrics: backend accounts_created_total{kind} (robots excluded) and an
  in-memory gateway active_users{window=24h,7d} gauge
- CI: single .gitea/workflows/ci.yaml (unit/integration/ui + a gated test-contour
  deploy) on the new feature/* -> development -> master branch model; the old
  go-unit/integration/ui-test workflows are folded in; the connector-scoped
  compose is retired (superseded by deploy/)
- docs: ARCHITECTURE §11/§12/§13, root + gateway READMEs, CLAUDE.md branching,
  PLAN.md (stage 16 done + refinements + Stage 17 forward-notes)

platform/telegram/deploy/docker-compose.yml

@@ -1,62 +0,0 @@
-# Deploy descriptor for the Telegram connector (the platform side-service).
-#
-# Networking mirrors the sibling ../15-puzzle/deploy/docker-compose.yml:
-#   - The `vpn` sidecar (developer/amneziawg-sidecar) holds the tunnel and provides
-#     the netns shared by `app` (network_mode: "service:vpn"). All of the
-#     connector's egress to api.telegram.org therefore leaves through the tunnel.
-#   - `vpn` is the one attached to the external `edge` network, with the alias
-#     `telegram`, so the other services reach the connector's gRPC port at
-#     `telegram:9091` inside the shared netns. The connector needs NO public
-#     ingress — it long-polls Telegram and only answers internal gRPC.
-#
-# The connector joins the same `edge` network as `backend` and `gateway` (the full
-# service set rolled out together on a dev-environment deploy). The gateway calls it
-# with GATEWAY_CONNECTOR_ADDR=telegram:9091; the backend admin surface (Stage 10)
-# will use the same address. The single public ingress for the host reverse proxy
-# (caddy) is the gateway's HTTP port, which also serves the Mini App under /telegram/
-# (ARCHITECTURE.md §13). The full multi-service compose lands with Stage 12; this is
-# the connector-scoped descriptor.
-name: scrabble-telegram
-
-services:
-  vpn:
-    container_name: scrabble-telegram-vpn
-    image: docker.iliadenisov.ru/developer/amneziawg-sidecar:latest
-    restart: unless-stopped
-    privileged: true
-    environment:
-      AWG_CONF: ${AWG_CONF:?set AWG_CONF}
-    networks:
-      edge:
-        aliases:
-          - telegram
-
-  app:
-    container_name: scrabble-telegram
-    image: scrabble-telegram:latest
-    build:
-      # Build from the repository root so go.work, pkg/ and platform/telegram/ are
-      # all in the Docker context (see platform/telegram/Dockerfile).
-      context: ../../..
-      dockerfile: platform/telegram/Dockerfile
-    restart: unless-stopped
-    depends_on:
-      - vpn
-    network_mode: "service:vpn"
-    environment:
-      # The bot tokens live ONLY in this container (ARCHITECTURE.md §12). One bot per
-      # service language (en/ru); at least one token is required (the connector
-      # validates this at boot — compose cannot express "one of").
-      TELEGRAM_BOT_TOKEN_EN: ${TELEGRAM_BOT_TOKEN_EN:-}
-      TELEGRAM_BOT_TOKEN_RU: ${TELEGRAM_BOT_TOKEN_RU:-}
-      TELEGRAM_GAME_CHANNEL_ID_EN: ${TELEGRAM_GAME_CHANNEL_ID_EN:-}
-      TELEGRAM_GAME_CHANNEL_ID_RU: ${TELEGRAM_GAME_CHANNEL_ID_RU:-}
-      TELEGRAM_MINIAPP_URL: ${TELEGRAM_MINIAPP_URL:?set TELEGRAM_MINIAPP_URL}
-      TELEGRAM_GRPC_ADDR: ${TELEGRAM_GRPC_ADDR:-:9091}
-      # Set to true when deploying into Telegram's test environment.
-      TELEGRAM_TEST_ENV: ${TELEGRAM_TEST_ENV:-false}
-      TELEGRAM_API_BASE_URL: ${TELEGRAM_API_BASE_URL:-}
-
-networks:
-  edge:
-    external: true