test: sync version assertions to 3.0.4

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
fix(discord): use correct slash command context type in AddApplicationCommands
2026-05-25 17:08:01 +03:00 · 2026-05-25 17:05:51 +03:00 · 2026-05-25 16:37:15 +03:00 · 2026-05-25 16:27:29 +03:00 · 2026-05-25 16:04:42 +03:00 · 2026-05-25 15:49:36 +03:00
21 changed files with 809 additions and 120 deletions
@@ -6,7 +6,7 @@ on:
      - main 

 env:
-  VERSION: 2.8.1
+  VERSION: 3.0.4

 jobs:
  # ЧАСТЬ 1: Собираем образы и кладем в Gitea (чтобы делиться с ребятами)
@@ -1,6 +1,6 @@
 <Project>
  <PropertyGroup>
-    <Version>2.8.1</Version>
+    <Version>3.0.4</Version>
    <TargetFramework>net10.0</TargetFramework>
    <LangVersion>preview</LangVersion>
    <Nullable>enable</Nullable>
@@ -85,8 +85,10 @@ TELEGRAM_BOT_TOKEN=ваш_токен_здесь
 # Токен Discord application bot
 DISCORD_BOT_TOKEN=ваш_discord_токен_здесь

-# Client ID Discord application (используется для slash-команд)
-DISCORD_BOT_CLIENT_ID=ваш_discord_client_id_здесь
+# Discord OAuth (для Web Dashboard)
+DISCORD_CLIENT_ID=ваш_discord_client_id_здесь
+DISCORD_CLIENT_SECRET=ваш_discord_client_secret_здесь
+DISCORD_REDIRECT_URI=https://your-domain.example/auth/discord/callback

 # Имя бота без @ (для Telegram Login Widget)
 TELEGRAM_BOT_USERNAME=ваше_имя_бота_здесь
@@ -119,7 +121,7 @@ docker compose up -d
 1. Напишите боту `/start`.
 2. Создайте группу через `/newgroup`.
 3. Откройте Mini App или Web Dashboard для расширенного управления.
-4. Для Discord пригласите application bot на сервер с правами `bot` и `applications.commands`. Скопируйте `DISCORD_BOT_TOKEN` и `DISCORD_BOT_CLIENT_ID` в `.env`.
+4. Для Discord пригласите application bot на сервер с правами `bot` и `applications.commands`. Скопируйте `DISCORD_BOT_TOKEN` в `.env`; `DISCORD_CLIENT_ID`, `DISCORD_CLIENT_SECRET` и `DISCORD_REDIRECT_URI` нужны только для входа в Web Dashboard через Discord.
 5. Перезапустите Docker Compose (`docker compose up -d`), а затем в Discord создайте сессию через `/newsession` или опубликуйте расписание через `/listsessions`; игроки записываются и выходят кнопками в опубликованном сообщении.

 ## 💾 Backup и восстановление
@@ -49,7 +49,7 @@ services:
        crond -f

  bot:
-    image: git.codeanddice.ru/toutsu/gmrelay-bot:2.8.1
+    image: git.codeanddice.ru/toutsu/gmrelay-bot:3.0.4
    restart: always
    depends_on:
      db:
@@ -67,7 +67,7 @@ services:
      retries: 3

  discord:
-    image: git.codeanddice.ru/toutsu/gmrelay-discord-bot:2.8.1
+    image: git.codeanddice.ru/toutsu/gmrelay-discord-bot:3.0.4
    restart: always
    depends_on:
      db:
@@ -84,7 +84,7 @@ services:
      retries: 3

  web:
-    image: git.codeanddice.ru/toutsu/gmrelay-web:2.8.1
+    image: git.codeanddice.ru/toutsu/gmrelay-web:3.0.4
    restart: always
    depends_on:
      db:
@@ -0,0 +1,37 @@
+-- =============================================================
+-- V020: Player identity linking for unified multi-platform accounts
+-- =============================================================
+-- Scope: Allow linking multiple platform identities (Telegram, Discord)
+-- to a single "primary" player account. All group/session permissions
+-- resolve through the effective (primary) player id.
+-- =============================================================
+
+-- player_links: secondary player → primary player (1:1 on secondary)
+CREATE TABLE player_links (
+    id                    UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    primary_player_id     UUID NOT NULL REFERENCES players(id) ON DELETE CASCADE,
+    secondary_player_id   UUID NOT NULL UNIQUE REFERENCES players(id) ON DELETE CASCADE,
+    linked_at             TIMESTAMPTZ NOT NULL DEFAULT now(),
+    linked_by_player_id   UUID REFERENCES players(id) ON DELETE SET NULL,
+    -- Prevent self-linking at the DB level
+    CONSTRAINT no_self_link CHECK (primary_player_id <> secondary_player_id)
+);
+
+CREATE INDEX ix_player_links_primary_player_id
+    ON player_links(primary_player_id);
+
+-- identity_audit_log: security-sensitive link/unlink actions
+CREATE TABLE identity_audit_log (
+    id                      UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    player_id               UUID NOT NULL REFERENCES players(id) ON DELETE CASCADE,
+    action                  VARCHAR(50) NOT NULL,   -- 'link', 'unlink', 'link_attempt_conflict'
+    target_platform         VARCHAR(50),
+    target_external_user_id VARCHAR(255),
+    performed_at            TIMESTAMPTZ NOT NULL DEFAULT now(),
+    performed_by_player_id  UUID REFERENCES players(id) ON DELETE SET NULL
+);
+
+CREATE INDEX ix_identity_audit_log_player_id
+    ON identity_audit_log(player_id);
+CREATE INDEX ix_identity_audit_log_performed_at
+    ON identity_audit_log(performed_at DESC);
@@ -0,0 +1,8 @@
+-- =============================================================
+-- V021: Add avatar_url column to players table
+-- =============================================================
+-- Scope: Support storing avatar URLs for Discord and other platforms.
+-- =============================================================
+
+ALTER TABLE players
+    ADD COLUMN avatar_url VARCHAR(500);
@@ -0,0 +1,16 @@
+-- =============================================================
+-- V022: Fix incorrectly oriented player_links for Discord↔Telegram
+-- =============================================================
+-- Scope: Reverse player_links where Discord was incorrectly made primary
+-- and Telegram secondary. Telegram (with historical group/session data)
+-- must always be the primary account.
+-- =============================================================
+
+UPDATE player_links pl
+SET primary_player_id   = pl.secondary_player_id,
+    secondary_player_id = pl.primary_player_id
+FROM players p1, players p2
+WHERE pl.primary_player_id = p1.id
+  AND pl.secondary_player_id = p2.id
+  AND p1.platform = 'Discord'
+  AND p2.platform = 'Telegram';
@@ -3,7 +3,6 @@ using NetCord.Services.ApplicationCommands;

 namespace GmRelay.DiscordBot.Features.Sessions;

-[SlashCommand("listsessions", "Show upcoming game sessions in this server")]
 public class DiscordListSessionsCommand : ApplicationCommandModule<SlashCommandContext>
 {
    private readonly DiscordListSessionsHandler _handler;
@@ -13,6 +12,7 @@ public class DiscordListSessionsCommand : ApplicationCommandModule<SlashCommandC
        _handler = handler;
    }

+    [SlashCommand("listsessions", "Show upcoming game sessions in this server")]
    public async Task ExecuteAsync()
    {
        var guildId = Context.Guild?.Id.ToString()
@@ -4,7 +4,6 @@ using NetCord.Services.ApplicationCommands;

 namespace GmRelay.DiscordBot.Features.Sessions;

-[SlashCommand("newsession", "Create a new game session")]
 public class DiscordNewSessionCommand : ApplicationCommandModule<SlashCommandContext>
 {
    private readonly DiscordNewSessionHandler _handler;
@@ -16,6 +15,7 @@ public class DiscordNewSessionCommand : ApplicationCommandModule<SlashCommandCon
        _logger = logger;
    }

+    [SlashCommand("newsession", "Create a new game session")]
    public async Task ExecuteAsync(
        [SlashCommandParameter(Name = "title", Description = "Game title")] string title,
        [SlashCommandParameter(Name = "time", Description = "Session time (YYYY-MM-DD HH:mm or DD.MM.YYYY HH:mm)")] string time,
@@ -3,7 +3,6 @@ namespace GmRelay.DiscordBot.Features.Sessions;
 using NetCord.Rest;
 using NetCord.Services.ApplicationCommands;

-[SlashCommand("reschedule", "Initiate reschedule voting for a session")]
 public class DiscordRescheduleCommand : ApplicationCommandModule<SlashCommandContext>
 {
    private readonly DiscordRescheduleHandler _handler;
@@ -15,6 +14,7 @@ public class DiscordRescheduleCommand : ApplicationCommandModule<SlashCommandCon
        _logger = logger;
    }

+    [SlashCommand("reschedule", "Initiate reschedule voting for a session")]
    public async Task ExecuteAsync(
        [SlashCommandParameter(Name = "session", Description = "Session ID to reschedule")] string sessionIdText,
        [SlashCommandParameter(Name = "option1", Description = "First time option (YYYY-MM-DD HH:mm)")] string option1,
@@ -18,8 +18,10 @@ using Microsoft.Extensions.DependencyInjection;
 using NetCord;
 using NetCord.Gateway;
 using NetCord.Hosting.Gateway;
+using NetCord.Hosting.Services;
 using NetCord.Hosting.Services.ApplicationCommands;
 using NetCord.Hosting.Services.ComponentInteractions;
+using NetCord.Services.ApplicationCommands;
 using NetCord.Services.ComponentInteractions;
 using Npgsql;

@@ -82,12 +84,13 @@ builder.Services
        options.Token = discordOptions.Token;
        options.Intents = GatewayIntents.Guilds;
    })
-    .AddApplicationCommands()
+    .AddApplicationCommands<SlashCommandInteraction, SlashCommandContext>()
    .AddComponentInteractions<ButtonInteraction, ButtonInteractionContext>()
    .AddGatewayHandlers(typeof(Program).Assembly);

 var host = builder.Build();

 host.AddSlashCommand("ping", "Checks whether GM-Relay Discord is online.", () => "Pong!");
+host.AddModules(typeof(Program).Assembly);

 await host.RunAsync();
@@ -34,6 +34,13 @@
                    </svg>
                    Шаблоны
                </NavLink>
+                <NavLink class="nav-item" href="profile" @onclick="CloseMenu">
+                    <svg class="nav-icon" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+                        <path d="M20 21v-2a4 4 0 0 0-4-4H8a4 4 0 0 0-4 4v2"/>
+                        <circle cx="12" cy="7" r="4"/>
+                    </svg>
+                    Профиль
+                </NavLink>
            </div>

            <div class="nav-footer">
@@ -66,7 +73,7 @@
                    </button>
                </form>

-                <div class="nav-version">v2.8.1</div>
+                <div class="nav-version">v3.0.4</div>
            </div>
        </Authorized>
        <NotAuthorized>
@@ -0,0 +1,191 @@
+@page "/profile"
+@using Microsoft.AspNetCore.Authorization
+@using Microsoft.AspNetCore.Components.Authorization
+@using Microsoft.Extensions.Configuration
+@attribute [Authorize]
+@inject ISessionStore SessionStore
+@inject IConfiguration Configuration
+@inject NavigationManager Navigation
+
+<PageTitle>Профиль — GM-Relay</PageTitle>
+
+<div class="profile-container">
+    <h1 class="page-title">Профиль</h1>
+
+    @if (identities is null)
+    {
+        <p class="loading-text">Загрузка...</p>
+    }
+    else if (identities.Count == 0)
+    {
+        <div class="profile-card">
+            <p>Связанные аккаунты не найдены.</p>
+        </div>
+    }
+    else
+    {
+        <div class="profile-card">
+            <h2 class="section-title">Связанные аккаунты</h2>
+            <ul class="identity-list">
+                @foreach (var id in identities)
+                {
+                    <li class="identity-item">
+                        <div class="identity-info">
+                            <span class="identity-platform">@id.Platform</span>
+                            <span class="identity-name">@id.DisplayName</span>
+                        </div>
+                        @if (id.Platform != currentPlatform || id.ExternalUserId != currentExternalUserId)
+                        {
+                            <button class="btn btn-secondary btn-small"
+                                    @onclick="() => Unlink(id.Platform, id.ExternalUserId)"
+                                    disabled="@isUnlinking">
+                                Отвязать
+                            </button>
+                        }
+                        else
+                        {
+                            <span class="identity-badge">Текущий</span>
+                        }
+                    </li>
+                }
+            </ul>
+        </div>
+    }
+
+    <div class="profile-card">
+        <h2 class="section-title">Добавить аккаунт</h2>
+        @if (!HasLinkedPlatform("Discord"))
+        {
+            <a href="/auth/discord" class="btn btn-primary">
+                Привязать Discord
+            </a>
+        }
+        else
+        {
+            <p class="muted-text">Discord уже привязан.</p>
+        }
+
+        @if (currentPlatform == "Discord" && !HasLinkedPlatform("Telegram"))
+        {
+            var botUsername = Configuration["Telegram__BotUsername"] ?? Configuration["Telegram:BotUsername"];
+            if (!string.IsNullOrWhiteSpace(botUsername))
+            {
+                var authUrl = new Uri(new Uri(Navigation.BaseUri), "auth/telegram").ToString();
+                var widgetHtml = $"<script async src=\"https://telegram.org/js/telegram-widget.js?22\" data-telegram-login=\"{botUsername}\" data-size=\"large\" data-auth-url=\"{authUrl}\" data-request-access=\"write\"></script>";
+                <div class="telegram-widget-wrapper">
+                    @((MarkupString)widgetHtml)
+                </div>
+            }
+        }
+    </div>
+
+    @if (!string.IsNullOrWhiteSpace(errorMessage))
+    {
+        <div class="alert alert-error">@errorMessage</div>
+    }
+
+    @if (!string.IsNullOrWhiteSpace(successMessage))
+    {
+        <div class="alert alert-success">@successMessage</div>
+    }
+</div>
+
+@code {
+    private List<LinkedIdentity>? identities;
+    private string? currentPlatform;
+    private string? currentExternalUserId;
+    private bool isUnlinking;
+    private string? errorMessage;
+    private string? successMessage;
+
+    [CascadingParameter]
+    private Task<AuthenticationState>? AuthenticationStateTask { get; set; }
+
+    [SupplyParameterFromQuery]
+    public string? Linked { get; set; }
+
+    [SupplyParameterFromQuery(Name = "link_error")]
+    public string? LinkError { get; set; }
+
+    protected override async Task OnInitializedAsync()
+    {
+        if (AuthenticationStateTask is not null)
+        {
+            var authState = await AuthenticationStateTask;
+            var user = authState.User;
+            if (user.TryGetPlatformIdentity(out var plat, out var extId))
+            {
+                currentPlatform = plat;
+                currentExternalUserId = extId;
+            }
+        }
+
+        if (!string.IsNullOrWhiteSpace(Linked))
+        {
+            successMessage = $"{Linked} аккаунт успешно привязан!";
+        }
+
+        if (!string.IsNullOrWhiteSpace(LinkError))
+        {
+            errorMessage = $"Ошибка привязки: {Uri.UnescapeDataString(LinkError)}";
+        }
+
+        await LoadIdentities();
+    }
+
+    private async Task LoadIdentities()
+    {
+        try
+        {
+            if (currentPlatform is not null && currentExternalUserId is not null)
+            {
+                identities = await SessionStore.GetLinkedIdentitiesAsync(currentPlatform, currentExternalUserId);
+            }
+            else
+            {
+                identities = [];
+            }
+        }
+        catch (Exception ex)
+        {
+            errorMessage = $"Не удалось загрузить аккаунты: {ex.Message}";
+        }
+    }
+
+    private bool HasLinkedPlatform(string platform)
+    {
+        return identities?.Any(i => i.Platform == platform) ?? false;
+    }
+
+    private async Task Unlink(string platform, string externalUserId)
+    {
+        isUnlinking = true;
+        errorMessage = null;
+        successMessage = null;
+
+        try
+        {
+            if (currentPlatform is null || currentExternalUserId is null)
+            {
+                errorMessage = "Не удалось определить текущего пользователя.";
+                return;
+            }
+
+            await SessionStore.UnlinkIdentityAsync(currentPlatform, currentExternalUserId, platform, externalUserId);
+            successMessage = $"{platform} аккаунт отвязан.";
+            await LoadIdentities();
+        }
+        catch (InvalidOperationException ex)
+        {
+            errorMessage = $"Ошибка отвязки: {ex.Message}";
+        }
+        catch (Exception ex)
+        {
+            errorMessage = $"Ошибка отвязки: {ex.Message}";
+        }
+        finally
+        {
+            isUnlinking = false;
+        }
+    }
+}
@@ -39,6 +39,7 @@ builder.AddNpgsqlDataSource("gmrelaydb");
 builder.Services.AddSingleton<TelegramAuthService>();
 builder.Services.Configure<DiscordOAuthOptions>(builder.Configuration.GetSection("Discord"));
 builder.Services.AddSingleton<DiscordAuthService>();
+builder.Services.AddSingleton<DiscordOAuthStateStore>();
 builder.Services.AddSingleton<ISessionStore, SessionService>();
 builder.Services.AddScoped<AuthorizedSessionService>();
 builder.Services.AddScoped<CalendarSubscriptionService>();
@@ -60,7 +61,7 @@ builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationSc
        options.AccessDeniedPath = "/access-denied";
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
-        options.Cookie.SameSite = SameSiteMode.Strict;
+        options.Cookie.SameSite = SameSiteMode.Lax;
        options.ExpireTimeSpan = TimeSpan.FromDays(7);
        options.SlidingExpiration = true;
    });
@@ -122,19 +123,39 @@ app.MapHealthChecks("/alive", new HealthCheckOptions
 });

 // Endpoint to handle Telegram Login callback
-app.MapGet("/auth/telegram", async (HttpContext context, TelegramAuthService authService) =>
+app.MapGet("/auth/telegram", async (HttpContext context, TelegramAuthService authService, ISessionStore sessionStore) =>
 {
-    if (authService.Verify(context.Request.Query, out var telegramId, out var name))
+    if (!authService.Verify(context.Request.Query, out var telegramId, out var name))
+        return Results.Redirect("/login?error=auth_failed");
+
+    await sessionStore.UpsertPlayerAsync("Telegram", telegramId.ToString(System.Globalization.CultureInfo.InvariantCulture), name, null);
+
+    // If already authenticated via another platform, link instead of replacing session
+    if (context.User.Identity?.IsAuthenticated == true
+        && context.User.TryGetPlatformIdentity(out var currentPlatform, out var currentExternalUserId)
+        && currentPlatform != "Telegram")
    {
-        var authProperties = new AuthenticationProperties { IsPersistent = true };
-        await context.SignInAsync(
-            CookieAuthenticationDefaults.AuthenticationScheme,
-            CreateTelegramPrincipal(telegramId, name),
-            authProperties);
-        return Results.Redirect("/");
+        try
+        {
+            // Always make Telegram the primary (it has the historical data/groups)
+            await sessionStore.LinkIdentityAsync(
+                "Telegram", telegramId.ToString(System.Globalization.CultureInfo.InvariantCulture),
+                currentPlatform, currentExternalUserId,
+                name);
+            return Results.Redirect("/profile?linked=telegram");
+        }
+        catch (InvalidOperationException ex)
+        {
+            return Results.Redirect($"/profile?link_error={Uri.EscapeDataString(ex.Message)}");
+        }
    }

-    return Results.Redirect("/login?error=auth_failed");
+    var authProperties = new AuthenticationProperties { IsPersistent = true };
+    await context.SignInAsync(
+        CookieAuthenticationDefaults.AuthenticationScheme,
+        CreateTelegramPrincipal(telegramId, name),
+        authProperties);
+    return Results.Redirect("/");
 });

 app.MapPost("/auth/telegram-webapp", async (
@@ -185,16 +206,9 @@ app.MapPost("/auth/logout", async (HttpContext context) =>
 });

 // Discord OAuth endpoints
-app.MapGet("/auth/discord", (HttpContext context, DiscordAuthService discordAuth) =>
+app.MapGet("/auth/discord", (DiscordAuthService discordAuth, DiscordOAuthStateStore stateStore) =>
 {
-    var state = Guid.NewGuid().ToString("N");
-    context.Response.Cookies.Append("__DiscordOAuthState", state, new CookieOptions
-    {
-        HttpOnly = true,
-        Secure = true,
-        SameSite = SameSiteMode.None,
-        MaxAge = TimeSpan.FromMinutes(5)
-    });
+    var state = stateStore.CreateState();
    var url = discordAuth.BuildAuthorizeUrl(state);
    return Results.Redirect(url);
 });
@@ -202,23 +216,16 @@ app.MapGet("/auth/discord", (HttpContext context, DiscordAuthService discordAuth
 app.MapGet("/auth/discord/callback", async (
    HttpContext context,
    DiscordAuthService discordAuth,
-    ISessionStore sessionStore,
-    ILogger<Program> logger) =>
+    DiscordOAuthStateStore stateStore,
+    ISessionStore sessionStore) =>
 {
    var code = context.Request.Query["code"].ToString();
    var state = context.Request.Query["state"].ToString();
-    var storedState = context.Request.Cookies["__DiscordOAuthState"];
-
-    context.Response.Cookies.Delete("__DiscordOAuthState");

    if (string.IsNullOrWhiteSpace(code) ||
        string.IsNullOrWhiteSpace(state) ||
-        !CryptographicOperations.FixedTimeEquals(
-            System.Text.Encoding.UTF8.GetBytes(state),
-            System.Text.Encoding.UTF8.GetBytes(storedState ?? string.Empty)))
+        !stateStore.ValidateAndRemove(state))
    {
-        logger.LogWarning("Discord OAuth CSRF validation failed. code_present={CodePresent}, state_present={StatePresent}, stored_state_present={StoredStatePresent}",
-            !string.IsNullOrWhiteSpace(code), !string.IsNullOrWhiteSpace(state), !string.IsNullOrWhiteSpace(storedState));
        return Results.Redirect("/login?error=auth_failed");
    }

@@ -228,6 +235,25 @@ app.MapGet("/auth/discord/callback", async (

    await sessionStore.UpsertDiscordUserAsync(user.Id, user.DisplayName, user.AvatarUrl);

+    // If already authenticated via another platform, link instead of replacing session
+    if (context.User.Identity?.IsAuthenticated == true
+        && context.User.TryGetPlatformIdentity(out var currentPlatform, out var currentExternalUserId)
+        && currentPlatform != "Discord")
+    {
+        try
+        {
+            await sessionStore.LinkIdentityAsync(
+                currentPlatform, currentExternalUserId,
+                "Discord", user.Id,
+                user.DisplayName);
+            return Results.Redirect("/profile?linked=discord");
+        }
+        catch (InvalidOperationException ex)
+        {
+            return Results.Redirect($"/profile?link_error={Uri.EscapeDataString(ex.Message)}");
+        }
+    }
+
    var authProperties = new AuthenticationProperties { IsPersistent = true };
    await context.SignInAsync(
        CookieAuthenticationDefaults.AuthenticationScheme,
@@ -237,6 +263,38 @@ app.MapGet("/auth/discord/callback", async (
    return Results.Redirect("/");
 });

+// Identity linking API endpoints
+app.MapGet("/api/me/identities", async (
+    HttpContext context,
+    ISessionStore sessionStore) =>
+{
+    if (!context.User.TryGetPlatformIdentity(out var platform, out var externalUserId))
+        return Results.Unauthorized();
+
+    var identities = await sessionStore.GetLinkedIdentitiesAsync(platform, externalUserId);
+    return Results.Ok(identities);
+}).RequireAuthorization();
+
+app.MapDelete("/api/me/identities/{targetPlatform}/{targetExternalUserId}", async (
+    HttpContext context,
+    ISessionStore sessionStore,
+    string targetPlatform,
+    string targetExternalUserId) =>
+{
+    if (!context.User.TryGetPlatformIdentity(out var platform, out var externalUserId))
+        return Results.Unauthorized();
+
+    try
+    {
+        await sessionStore.UnlinkIdentityAsync(platform, externalUserId, targetPlatform, targetExternalUserId);
+        return Results.NoContent();
+    }
+    catch (InvalidOperationException ex)
+    {
+        return Results.BadRequest(new { error = ex.Message });
+    }
+}).RequireAuthorization();
+
 // Public calendar subscription endpoint (no auth required)
 app.MapGet("/calendar/{token}.ics", async (
    string token,
@@ -0,0 +1,32 @@
+namespace GmRelay.Web.Services;
+
+public sealed class DiscordOAuthStateStore(ILogger<DiscordOAuthStateStore> logger)
+{
+    private readonly System.Collections.Concurrent.ConcurrentDictionary<string, DateTime> _states = new();
+
+    public string CreateState()
+    {
+        var state = Guid.NewGuid().ToString("N");
+        _states[state] = DateTime.UtcNow.AddMinutes(5);
+        logger.LogDebug("Discord OAuth state created: {State}", state);
+        return state;
+    }
+
+    public bool ValidateAndRemove(string state)
+    {
+        if (!_states.TryRemove(state, out var expiresAt))
+        {
+            logger.LogWarning("Discord OAuth state not found or already used: {State}", state);
+            return false;
+        }
+
+        if (DateTime.UtcNow > expiresAt)
+        {
+            logger.LogWarning("Discord OAuth state expired: {State}", state);
+            return false;
+        }
+
+        logger.LogDebug("Discord OAuth state validated: {State}", state);
+        return true;
+    }
+}
@@ -53,4 +53,19 @@ public interface ISessionStore
    Task LogSessionChangeAsync(Guid sessionId, string actorExternalUserId, string actorName, string changeType, string? oldValue, string? newValue);
    Task<List<SessionAuditLogEntry>> GetSessionHistoryAsync(Guid sessionId);
    Task UpsertDiscordUserAsync(string discordId, string displayName, string? avatarUrl);
+
+    // --- Identity linking (issue #35) ---
+    Task<Guid?> ResolveEffectivePlayerIdAsync(string platform, string externalUserId);
+    Task<List<LinkedIdentity>> GetLinkedIdentitiesAsync(string platform, string externalUserId);
+    Task LinkIdentityAsync(string currentPlatform, string currentExternalUserId, string targetPlatform, string targetExternalUserId, string? currentName);
+    Task UnlinkIdentityAsync(string currentPlatform, string currentExternalUserId, string targetPlatform, string targetExternalUserId);
+    Task UpsertPlayerAsync(string platform, string externalUserId, string displayName, string? avatarUrl);
 }
+
+public sealed record LinkedIdentity(
+    string Platform,
+    string ExternalUserId,
+    string DisplayName,
+    string? ExternalUsername,
+    string? AvatarUrl,
+    DateTime LinkedAt);
@@ -104,6 +104,10 @@ public sealed class SessionService(
    public async Task<List<WebGameGroup>> GetGroupsForUserAsync(string platform, string externalUserId)
    {
        await using var conn = await dataSource.OpenConnectionAsync();
+        var effectiveId = await _ResolveEffectivePlayerIdAsync(conn, platform, externalUserId);
+        if (effectiveId is null)
+            return [];
+
        return (await conn.QueryAsync<WebGameGroup>(
            """
            SELECT g.id,
@@ -113,13 +117,11 @@ public sealed class SessionService(
                   g.platform AS Platform,
                   gm.role AS ManagerRole
            FROM group_managers gm
-            JOIN players p ON p.id = gm.player_id
            JOIN game_groups g ON g.id = gm.group_id
-            WHERE p.platform = @Platform
-              AND p.external_user_id = @ExternalUserId
+            WHERE gm.player_id = @PlayerId
            ORDER BY g.name
            """,
-            new { Platform = platform, ExternalUserId = externalUserId })).ToList();
+            new { PlayerId = effectiveId.Value })).ToList();
    }

    public async Task<WebGameGroup?> GetGroupAsync(Guid groupId)
@@ -142,36 +144,40 @@ public sealed class SessionService(
    public async Task<bool> IsGroupManagerAsync(Guid groupId, string platform, string externalUserId)
    {
        await using var conn = await dataSource.OpenConnectionAsync();
+        var effectiveId = await _ResolveEffectivePlayerIdAsync(conn, platform, externalUserId);
+        if (effectiveId is null)
+            return false;
+
        return await conn.ExecuteScalarAsync<bool>(
            """
            SELECT EXISTS (
                SELECT 1
-                FROM group_managers gm
-                JOIN players p ON p.id = gm.player_id
-                WHERE gm.group_id = @GroupId
-                  AND p.platform = @Platform
-                  AND p.external_user_id = @ExternalUserId
+                FROM group_managers
+                WHERE group_id = @GroupId
+                  AND player_id = @PlayerId
            )
            """,
-            new { GroupId = groupId, Platform = platform, ExternalUserId = externalUserId });
+            new { GroupId = groupId, PlayerId = effectiveId.Value });
    }

    public async Task<bool> IsGroupOwnerAsync(Guid groupId, string platform, string externalUserId)
    {
        await using var conn = await dataSource.OpenConnectionAsync();
+        var effectiveId = await _ResolveEffectivePlayerIdAsync(conn, platform, externalUserId);
+        if (effectiveId is null)
+            return false;
+
        return await conn.ExecuteScalarAsync<bool>(
            """
            SELECT EXISTS (
                SELECT 1
-                FROM group_managers gm
-                JOIN players p ON p.id = gm.player_id
-                WHERE gm.group_id = @GroupId
-                  AND p.platform = @Platform
-                  AND p.external_user_id = @ExternalUserId
-                  AND gm.role = @OwnerRole
+                FROM group_managers
+                WHERE group_id = @GroupId
+                  AND player_id = @PlayerId
+                  AND role = @OwnerRole
            )
            """,
-            new { GroupId = groupId, Platform = platform, ExternalUserId = externalUserId, OwnerRole = GroupManagerRoleExtensions.OwnerValue });
+            new { GroupId = groupId, PlayerId = effectiveId.Value, OwnerRole = GroupManagerRoleExtensions.OwnerValue });
    }

    public async Task<List<WebGroupManager>> GetGroupManagersAsync(Guid groupId)
@@ -255,22 +261,6 @@ public sealed class SessionService(
        return entries.ToList();
    }

-    public async Task UpsertDiscordUserAsync(string discordId, string displayName, string? avatarUrl)
-    {
-        await using var conn = await dataSource.OpenConnectionAsync();
-        await conn.ExecuteAsync(
-            """
-            INSERT INTO players (display_name, platform, external_user_id, external_username)
-            VALUES (@DisplayName, 'Discord', @DiscordId, @DisplayName)
-            ON CONFLICT (platform, external_user_id)
-            WHERE platform IS NOT NULL AND external_user_id IS NOT NULL
-            DO UPDATE
-            SET display_name = EXCLUDED.display_name,
-                external_username = EXCLUDED.external_username
-            """,
-            new { DisplayName = displayName, DiscordId = discordId });
-    }
-
    public async Task AddGroupCoGmAsync(
        Guid groupId,
        string ownerPlatform, string ownerExternalUserId,
@@ -280,35 +270,16 @@ public sealed class SessionService(
        await using var conn = await dataSource.OpenConnectionAsync();
        await using var transaction = await conn.BeginTransactionAsync();

-        await conn.ExecuteAsync(
-            """
-            INSERT INTO players (display_name, telegram_username, platform, external_user_id, external_username)
-            VALUES (@DisplayName, @ExternalUsername, @Platform, @ExternalUserId, @ExternalUsername)
-            ON CONFLICT (platform, external_user_id)
-            WHERE platform IS NOT NULL AND external_user_id IS NOT NULL
-            DO UPDATE
-            SET display_name = EXCLUDED.display_name,
-                external_username = EXCLUDED.external_username
-            """,
-            new
-            {
-                DisplayName = displayName,
-                ExternalUsername = externalUsername,
-                Platform = coGmPlatform,
-                ExternalUserId = coGmExternalUserId
-            },
-            transaction);
+        var ownerPlayerId = await _ResolveEffectivePlayerIdAsync(conn, ownerPlatform, ownerExternalUserId);
+        if (ownerPlayerId is null)
+            throw new InvalidOperationException("Owner player not found.");
+
+        var coGmPlayerId = await _UpsertPlayerAndGetIdAsync(conn, coGmPlatform, coGmExternalUserId, displayName, externalUsername, transaction);

        await conn.ExecuteAsync(
            """
            INSERT INTO group_managers (group_id, player_id, role, added_by_player_id)
-            SELECT @GroupId,
-                   co_gm.id,
-                   @CoGmRole,
-                   owner_player.id
-            FROM players co_gm
-            LEFT JOIN players owner_player ON owner_player.platform = @OwnerPlatform AND owner_player.external_user_id = @OwnerExternalUserId
-            WHERE co_gm.platform = @CoGmPlatform AND co_gm.external_user_id = @CoGmExternalUserId
+            VALUES (@GroupId, @CoGmPlayerId, @CoGmRole, @OwnerPlayerId)
            ON CONFLICT (group_id, player_id) DO UPDATE
            SET role = CASE
                    WHEN group_managers.role = @OwnerRole THEN group_managers.role
@@ -319,10 +290,8 @@ public sealed class SessionService(
            new
            {
                GroupId = groupId,
-                OwnerPlatform = ownerPlatform,
-                OwnerExternalUserId = ownerExternalUserId,
-                CoGmPlatform = coGmPlatform,
-                CoGmExternalUserId = coGmExternalUserId,
+                OwnerPlayerId = ownerPlayerId.Value,
+                CoGmPlayerId = coGmPlayerId,
                OwnerRole = GroupManagerRoleExtensions.OwnerValue,
                CoGmRole = GroupManagerRoleExtensions.CoGmValue
            },
@@ -334,21 +303,21 @@ public sealed class SessionService(
    public async Task RemoveGroupCoGmAsync(Guid groupId, string coGmPlatform, string coGmExternalUserId)
    {
        await using var conn = await dataSource.OpenConnectionAsync();
+        var coGmPlayerId = await _ResolveEffectivePlayerIdAsync(conn, coGmPlatform, coGmExternalUserId);
+        if (coGmPlayerId is null)
+            return;
+
        await conn.ExecuteAsync(
            """
-            DELETE FROM group_managers gm
-            USING players p
-            WHERE gm.player_id = p.id
-              AND gm.group_id = @GroupId
-              AND p.platform = @Platform
-              AND p.external_user_id = @ExternalUserId
-              AND gm.role = @CoGmRole
+            DELETE FROM group_managers
+            WHERE group_id = @GroupId
+              AND player_id = @PlayerId
+              AND role = @CoGmRole
            """,
            new
            {
                GroupId = groupId,
-                Platform = coGmPlatform,
-                ExternalUserId = coGmExternalUserId,
+                PlayerId = coGmPlayerId.Value,
                CoGmRole = GroupManagerRoleExtensions.CoGmValue
            });
    }
@@ -1371,4 +1340,258 @@ public sealed class SessionService(
            new { BatchId = batchId, GroupId = groupId },
            transaction);
    }
+
+    // --- Identity linking (issue #35) ---
+
+    public async Task<Guid?> ResolveEffectivePlayerIdAsync(string platform, string externalUserId)
+    {
+        await using var conn = await dataSource.OpenConnectionAsync();
+        return await _ResolveEffectivePlayerIdAsync(conn, platform, externalUserId);
+    }
+
+    public async Task<List<LinkedIdentity>> GetLinkedIdentitiesAsync(string platform, string externalUserId)
+    {
+        await using var conn = await dataSource.OpenConnectionAsync();
+
+        var effectiveId = await _ResolveEffectivePlayerIdAsync(conn, platform, externalUserId);
+        if (effectiveId is null)
+            return [];
+
+        return (await conn.QueryAsync<LinkedIdentity>(
+            """
+            SELECT p.platform AS Platform,
+                   p.external_user_id AS ExternalUserId,
+                   p.display_name AS DisplayName,
+                   p.external_username AS ExternalUsername,
+                   p.avatar_url AS AvatarUrl,
+                   COALESCE(pl.linked_at, p.created_at) AS LinkedAt
+            FROM players p
+            LEFT JOIN player_links pl ON pl.secondary_player_id = p.id
+            WHERE pl.primary_player_id = @EffectiveId
+               OR p.id = @EffectiveId
+            ORDER BY CASE WHEN p.id = @EffectiveId THEN 0 ELSE 1 END,
+                     p.platform
+            """,
+            new { EffectiveId = effectiveId.Value })).ToList();
+    }
+
+    public async Task LinkIdentityAsync(
+        string currentPlatform, string currentExternalUserId,
+        string targetPlatform, string targetExternalUserId,
+        string? currentName)
+    {
+        if (currentPlatform == targetPlatform && currentExternalUserId == targetExternalUserId)
+            throw new InvalidOperationException("Cannot link an identity to itself.");
+
+        await using var conn = await dataSource.OpenConnectionAsync();
+        await using var transaction = await conn.BeginTransactionAsync();
+
+        // Resolve current player (must exist — they are logged in)
+        var currentPlayerId = await _ResolvePlayerIdAsync(conn, currentPlatform, currentExternalUserId);
+        if (currentPlayerId is null)
+            throw new InvalidOperationException("Current player not found.");
+
+        // Upsert target player so it exists
+        var targetDisplayName = currentName ?? $"{targetPlatform} {targetExternalUserId}";
+        var targetPlayerId = await _UpsertPlayerAndGetIdAsync(conn, targetPlatform, targetExternalUserId, targetDisplayName, null, transaction);
+
+        // Check if target is already a primary of another link chain (conflict)
+        var targetIsPrimary = await conn.ExecuteScalarAsync<bool>(
+            """
+            SELECT EXISTS (
+                SELECT 1 FROM player_links WHERE primary_player_id = @TargetPlayerId
+            )
+            """,
+            new { TargetPlayerId = targetPlayerId }, transaction);
+
+        if (targetIsPrimary)
+        {
+            await _LogIdentityAuditAsync(conn, currentPlayerId.Value, "link_attempt_conflict",
+                targetPlatform, targetExternalUserId, currentPlayerId.Value, transaction);
+            await transaction.CommitAsync();
+            throw new InvalidOperationException("Target identity is already the primary account of another linked set.");
+        }
+
+        // Check if current is already a secondary (then their primary becomes the effective primary)
+        var currentPrimaryId = await conn.QuerySingleOrDefaultAsync<Guid?>(
+            """
+            SELECT primary_player_id
+            FROM player_links
+            WHERE secondary_player_id = @CurrentPlayerId
+            """,
+            new { CurrentPlayerId = currentPlayerId.Value }, transaction);
+
+        var effectiveCurrentPrimary = currentPrimaryId ?? currentPlayerId.Value;
+
+        // Check if target is already linked to someone else as secondary
+        var existingLink = await conn.QuerySingleOrDefaultAsync<Guid?>(
+            """
+            SELECT primary_player_id
+            FROM player_links
+            WHERE secondary_player_id = @TargetPlayerId
+            """,
+            new { TargetPlayerId = targetPlayerId }, transaction);
+
+        if (existingLink is not null && existingLink.Value != effectiveCurrentPrimary)
+        {
+            await _LogIdentityAuditAsync(conn, effectiveCurrentPrimary, "link_attempt_conflict",
+                targetPlatform, targetExternalUserId, currentPlayerId.Value, transaction);
+            await transaction.CommitAsync();
+            throw new InvalidOperationException("Target identity is already linked to another account.");
+        }
+
+        var effectivePrimary = currentPrimaryId ?? currentPlayerId.Value;
+
+        // Check if already linked
+        var alreadyLinked = await conn.ExecuteScalarAsync<bool>(
+            """
+            SELECT EXISTS (
+                SELECT 1 FROM player_links
+                WHERE primary_player_id = @EffectivePrimary AND secondary_player_id = @TargetPlayerId
+            )
+            """,
+            new { EffectivePrimary = effectivePrimary, TargetPlayerId = targetPlayerId }, transaction);
+
+        if (alreadyLinked)
+        {
+            await transaction.CommitAsync();
+            return; // Already linked, idempotent
+        }
+
+        await conn.ExecuteAsync(
+            """
+            INSERT INTO player_links (primary_player_id, secondary_player_id, linked_by_player_id)
+            VALUES (@PrimaryPlayerId, @SecondaryPlayerId, @LinkedByPlayerId)
+            """,
+            new
+            {
+                PrimaryPlayerId = effectivePrimary,
+                SecondaryPlayerId = targetPlayerId,
+                LinkedByPlayerId = currentPlayerId.Value
+            },
+            transaction);
+
+        await _LogIdentityAuditAsync(conn, effectivePrimary, "link",
+            targetPlatform, targetExternalUserId, currentPlayerId.Value, transaction);
+
+        await transaction.CommitAsync();
+    }
+
+    public async Task UnlinkIdentityAsync(
+        string currentPlatform, string currentExternalUserId,
+        string targetPlatform, string targetExternalUserId)
+    {
+        if (currentPlatform == targetPlatform && currentExternalUserId == targetExternalUserId)
+            throw new InvalidOperationException("Cannot unlink your own primary identity from itself.");
+
+        await using var conn = await dataSource.OpenConnectionAsync();
+        await using var transaction = await conn.BeginTransactionAsync();
+
+        var currentPlayerId = await _ResolvePlayerIdAsync(conn, currentPlatform, currentExternalUserId);
+        if (currentPlayerId is null)
+            throw new InvalidOperationException("Current player not found.");
+
+        var targetPlayerId = await _ResolvePlayerIdAsync(conn, targetPlatform, targetExternalUserId);
+        if (targetPlayerId is null)
+            throw new InvalidOperationException("Target identity not found.");
+
+        var effectivePrimary = await _ResolveEffectivePlayerIdAsync(conn, currentPlatform, currentExternalUserId);
+        if (effectivePrimary is null)
+            throw new InvalidOperationException("Effective primary not found.");
+
+        // Only the primary account owner (or the linked identity itself) can unlink
+        var rows = await conn.ExecuteAsync(
+            """
+            DELETE FROM player_links
+            WHERE primary_player_id = @EffectivePrimary
+              AND secondary_player_id = @TargetPlayerId
+            """,
+            new { EffectivePrimary = effectivePrimary.Value, TargetPlayerId = targetPlayerId.Value },
+            transaction);
+
+        if (rows == 0)
+        {
+            await transaction.RollbackAsync();
+            throw new InvalidOperationException("Identity is not linked to your account.");
+        }
+
+        await _LogIdentityAuditAsync(conn, effectivePrimary.Value, "unlink",
+            targetPlatform, targetExternalUserId, currentPlayerId.Value, transaction);
+
+        await transaction.CommitAsync();
+    }
+
+    public async Task UpsertPlayerAsync(string platform, string externalUserId, string displayName, string? avatarUrl)
+    {
+        await using var conn = await dataSource.OpenConnectionAsync();
+        await _UpsertPlayerAndGetIdAsync(conn, platform, externalUserId, displayName, avatarUrl, null);
+    }
+
+    public async Task UpsertDiscordUserAsync(string discordId, string displayName, string? avatarUrl)
+    {
+        await using var conn = await dataSource.OpenConnectionAsync();
+        await _UpsertPlayerAndGetIdAsync(conn, "Discord", discordId, displayName, avatarUrl, null);
+    }
+
+    // --- Private helpers ---
+
+    private static async Task<Guid?> _ResolvePlayerIdAsync(NpgsqlConnection conn, string platform, string externalUserId)
+    {
+        return await conn.QuerySingleOrDefaultAsync<Guid?>(
+            """
+            SELECT id FROM players
+            WHERE platform = @Platform AND external_user_id = @ExternalUserId
+            """,
+            new { Platform = platform, ExternalUserId = externalUserId });
+    }
+
+    private static async Task<Guid?> _ResolveEffectivePlayerIdAsync(NpgsqlConnection conn, string platform, string externalUserId)
+    {
+        var playerId = await _ResolvePlayerIdAsync(conn, platform, externalUserId);
+        if (playerId is null)
+            return null;
+
+        var primaryId = await conn.QuerySingleOrDefaultAsync<Guid?>(
+            """
+            SELECT primary_player_id FROM player_links
+            WHERE secondary_player_id = @PlayerId
+            """,
+            new { PlayerId = playerId.Value });
+
+        return primaryId ?? playerId;
+    }
+
+    private static async Task<Guid> _UpsertPlayerAndGetIdAsync(
+        NpgsqlConnection conn, string platform, string externalUserId,
+        string displayName, string? avatarUrl, NpgsqlTransaction? transaction)
+    {
+        return await conn.QuerySingleAsync<Guid>(
+            """
+            INSERT INTO players (display_name, platform, external_user_id, external_username, avatar_url)
+            VALUES (@DisplayName, @Platform, @ExternalUserId, @DisplayName, @AvatarUrl)
+            ON CONFLICT (platform, external_user_id)
+            WHERE platform IS NOT NULL AND external_user_id IS NOT NULL
+            DO UPDATE
+            SET display_name = EXCLUDED.display_name,
+                external_username = EXCLUDED.external_username,
+                avatar_url = COALESCE(EXCLUDED.avatar_url, players.avatar_url)
+            RETURNING id
+            """,
+            new { DisplayName = displayName, Platform = platform, ExternalUserId = externalUserId, AvatarUrl = avatarUrl },
+            transaction);
+    }
+
+    private static async Task _LogIdentityAuditAsync(
+        NpgsqlConnection conn, Guid playerId, string action,
+        string? targetPlatform, string? targetExternalUserId,
+        Guid? performedByPlayerId, NpgsqlTransaction? transaction)
+    {
+        await conn.ExecuteAsync(
+            """
+            INSERT INTO identity_audit_log (player_id, action, target_platform, target_external_user_id, performed_by_player_id)
+            VALUES (@PlayerId, @Action, @TargetPlatform, @TargetExternalUserId, @PerformedByPlayerId)
+            """,
+            new { PlayerId = playerId, Action = action, TargetPlatform = targetPlatform, TargetExternalUserId = targetExternalUserId, PerformedByPlayerId = performedByPlayerId },
+            transaction);
+    }
 }
@@ -61,7 +61,7 @@ public sealed class DiscordProjectStructureTests
        var prChecks = File.ReadAllText(Path.Combine(repoRoot, ".gitea", "workflows", "pr-checks.yml"));
        var deploy = File.ReadAllText(Path.Combine(repoRoot, ".gitea", "workflows", "deploy.yml"));

-        Assert.Contains("gmrelay-discord-bot:2.8.1", compose);
+        Assert.Contains("gmrelay-discord-bot:3.0.4", compose);
        Assert.Contains("Discord__Token=${DISCORD_BOT_TOKEN:?Set DISCORD_BOT_TOKEN in .env}", compose);
        Assert.Contains("src/GmRelay.DiscordBot/Dockerfile", deploy);
        Assert.Contains("DISCORD_BOT_TOKEN", deploy);
@@ -75,13 +75,13 @@ public sealed class DiscordProjectStructureTests
    {
        var repoRoot = GetRepoRoot();

-        Assert.Contains("<Version>2.8.1</Version>", File.ReadAllText(Path.Combine(repoRoot, "Directory.Build.props")));
-        Assert.Contains("VERSION: 2.8.1", File.ReadAllText(Path.Combine(repoRoot, ".gitea", "workflows", "deploy.yml")));
-        Assert.Contains("gmrelay-bot:2.8.1", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
-        Assert.Contains("gmrelay-web:2.8.1", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
-        Assert.Contains("gmrelay-discord-bot:2.8.1", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
+        Assert.Contains("<Version>3.0.4</Version>", File.ReadAllText(Path.Combine(repoRoot, "Directory.Build.props")));
+        Assert.Contains("VERSION: 3.0.4", File.ReadAllText(Path.Combine(repoRoot, ".gitea", "workflows", "deploy.yml")));
+        Assert.Contains("gmrelay-bot:3.0.4", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
+        Assert.Contains("gmrelay-web:3.0.4", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
+        Assert.Contains("gmrelay-discord-bot:3.0.4", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
        Assert.Contains(
-            "v2.8.1",
+            "v3.0.4",
            File.ReadAllText(Path.Combine(repoRoot, "src", "GmRelay.Web", "Components", "Layout", "NavMenu.razor")));
    }

@@ -94,6 +94,16 @@ public sealed class DiscordProjectStructureTests
        Assert.Contains("DISCORD_BOT_TOKEN", envExample);
    }

+    [Fact]
+    public void Readme_ShouldNotAskForUnusedDiscordBotClientId()
+    {
+        var repoRoot = GetRepoRoot();
+        var readme = File.ReadAllText(Path.Combine(repoRoot, "README.md"));
+
+        Assert.DoesNotContain("DISCORD_BOT_CLIENT_ID", readme);
+        Assert.Contains("DISCORD_CLIENT_ID", readme);
+    }
+
    [Fact]
    public void Compose_ShouldIncludeDiscordHealthcheck()
    {
@@ -1,5 +1,8 @@
 using System;
 using System.IO;
+using System.Reflection;
+using GmRelay.DiscordBot.Features.Sessions;
+using NetCord.Services.ApplicationCommands;

 namespace GmRelay.Bot.Tests.Discord;

@@ -47,6 +50,41 @@ public sealed class DiscordStartupTests
        Assert.Contains(".AddComponentInteractions", program);
        Assert.Contains(".AddGatewayHandlers", program);
        Assert.Contains("AddSlashCommand", program);
+        Assert.Contains("AddModules(typeof(Program).Assembly)", program);
+    }
+
+    [Theory]
+    [InlineData(typeof(DiscordNewSessionCommand), "newsession")]
+    [InlineData(typeof(DiscordListSessionsCommand), "listsessions")]
+    [InlineData(typeof(DiscordRescheduleCommand), "reschedule")]
+    public void DiscordSessionSlashCommands_ShouldBeDeclaredOnModuleMethods(Type moduleType, string commandName)
+    {
+        var executeMethod = moduleType.GetMethod("ExecuteAsync", BindingFlags.Instance | BindingFlags.Public);
+
+        Assert.NotNull(executeMethod);
+
+        var methodAttribute = Assert.Single(executeMethod.GetCustomAttributes<SlashCommandAttribute>(inherit: false));
+        var nameProperty = typeof(SlashCommandAttribute).GetProperty("Name")
+            ?? throw new InvalidOperationException("SlashCommandAttribute should expose command name.");
+
+        Assert.Equal(commandName, nameProperty.GetValue(methodAttribute));
+        Assert.Empty(moduleType.GetCustomAttributes<SlashCommandAttribute>(inherit: false));
+    }
+
+    [Fact]
+    public void DiscordSessionSlashCommands_ShouldBeDiscoverableByNetCordService()
+    {
+        var service = new ApplicationCommandService<SlashCommandContext>();
+
+        service.AddModules(typeof(DiscordNewSessionCommand).Assembly);
+
+        var commandNames = service.GetCommands()
+            .Select(command => command.Name)
+            .ToArray();
+
+        Assert.Contains("newsession", commandNames);
+        Assert.Contains("listsessions", commandNames);
+        Assert.Contains("reschedule", commandNames);
    }

    [Fact]
@@ -1121,6 +1121,21 @@ public sealed class AuthorizedSessionServiceTests
        public Task UpsertDiscordUserAsync(string discordId, string displayName, string? avatarUrl) =>
            Task.CompletedTask;

+        public Task<Guid?> ResolveEffectivePlayerIdAsync(string platform, string externalUserId) =>
+            Task.FromResult<Guid?>(Guid.NewGuid());
+
+        public Task<List<LinkedIdentity>> GetLinkedIdentitiesAsync(string platform, string externalUserId) =>
+            Task.FromResult(new List<LinkedIdentity>());
+
+        public Task LinkIdentityAsync(string currentPlatform, string currentExternalUserId, string targetPlatform, string targetExternalUserId, string? currentName) =>
+            Task.CompletedTask;
+
+        public Task UnlinkIdentityAsync(string currentPlatform, string currentExternalUserId, string targetPlatform, string targetExternalUserId) =>
+            Task.CompletedTask;
+
+        public Task UpsertPlayerAsync(string platform, string externalUserId, string displayName, string? avatarUrl) =>
+            Task.CompletedTask;
+
        private bool IsManager(Guid groupId, long telegramId) =>
            IsOwner(groupId, telegramId) ||
            managers.Any(manager => manager.GroupId == groupId && manager.TelegramId == telegramId);
@@ -0,0 +1,34 @@
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
+
+namespace GmRelay.Bot.Tests.Web;
+
+public sealed class CookieAuthOptionsTests
+{
+    [Fact]
+    public void CookieAuthOptions_ShouldUseLaxSameSite_ToAllowOAuthCallback()
+    {
+        // Arrange
+        var services = new ServiceCollection();
+        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
+            .AddCookie(options =>
+            {
+                options.Cookie.HttpOnly = true;
+                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
+                options.Cookie.SameSite = SameSiteMode.Lax;
+                options.ExpireTimeSpan = TimeSpan.FromDays(7);
+                options.SlidingExpiration = true;
+            });
+
+        var provider = services.BuildServiceProvider();
+        var optionsMonitor = provider.GetRequiredService<IOptionsMonitor<CookieAuthenticationOptions>>();
+        var options = optionsMonitor.Get(CookieAuthenticationDefaults.AuthenticationScheme);
+
+        // Assert
+        Assert.Equal(SameSiteMode.Lax, options.Cookie.SameSite);
+        Assert.True(options.Cookie.HttpOnly);
+        Assert.Equal(CookieSecurePolicy.Always, options.Cookie.SecurePolicy);
+    }
+}
Author	SHA1	Message	Date
Toutsu	9bd5fe75c9	test: sync version assertions to 3.0.4 PR Checks / test-and-build (pull_request) Successful in 8m35s Details Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 17:08:01 +03:00
Toutsu	d931da37ec	fix(discord): use correct slash command context type in AddApplicationCommands PR Checks / test-and-build (pull_request) Failing after 8m7s Details The default AddApplicationCommands() registers ApplicationCommandService<ApplicationCommandContext>, but our modules inherit ApplicationCommandModule<SlashCommandContext>. Because SlashCommandContext does not inherit from ApplicationCommandContext in NetCord, AddModules(typeof(Program).Assembly) failed to discover the modules, so /newsession, /listsessions, /reschedule were never published to Discord. Only /ping worked because it uses the minimal API route. Fix: specify AddApplicationCommands<SlashCommandInteraction, SlashCommandContext>() so the service matches the module context type, allowing module discovery to succeed. Bump version to 3.0.4. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 17:05:51 +03:00
Toutsu	9375fa45b2	Merge pull request #96 : fix(discord): declare slash commands on module methods Deploy Telegram Bot / build-and-push (push) Successful in 4m47s Details Deploy Telegram Bot / scan-images (push) Successful in 2m9s Details Deploy Telegram Bot / deploy (push) Successful in 27s Details	2026-05-25 16:37:15 +03:00
Toutsu	0b45aee96d	fix(discord): declare slash commands on module methods PR Checks / test-and-build (pull_request) Successful in 8m26s Details	2026-05-25 16:27:29 +03:00
Toutsu	80e346d6b5	Merge pull request #95 : fix(discord): register slash command modules Deploy Telegram Bot / build-and-push (push) Successful in 4m53s Details Deploy Telegram Bot / scan-images (push) Successful in 2m12s Details Deploy Telegram Bot / deploy (push) Successful in 27s Details	2026-05-25 16:04:42 +03:00
Toutsu	eff0128d29	fix(discord): register slash command modules PR Checks / test-and-build (pull_request) Successful in 8m27s Details Register NetCord application command modules after the host is built so module-based commands are published alongside the minimal /ping command. Update README Discord env guidance to avoid the unused DISCORD_BOT_CLIENT_ID variable. Bump version to 3.0.2.	2026-05-25 15:49:36 +03:00
Toutsu	8214e052af	bump: version 3.0.1 Deploy Telegram Bot / build-and-push (push) Successful in 4m55s Details Deploy Telegram Bot / scan-images (push) Successful in 2m2s Details Deploy Telegram Bot / deploy (push) Successful in 28s Details Synchronize version across all files: - Directory.Build.props → 3.0.1 - compose.yaml → gmrelay-bot/web/discord-bot:3.0.1 - deploy.yml → VERSION: 3.0.1 - NavMenu.razor → v3.0.1 - DiscordProjectStructureTests → 3.0.1 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 15:34:25 +03:00
Toutsu	2a233b2b1e	fix: ensure Telegram is always primary in identity links Deploy Telegram Bot / build-and-push (push) Successful in 5m6s Details Deploy Telegram Bot / scan-images (push) Successful in 1m59s Details Deploy Telegram Bot / deploy (push) Successful in 29s Details When a Discord user linked Telegram via the Telegram Login Widget, LinkIdentityAsync incorrectly made Discord primary and Telegram secondary. This broke access to all Telegram groups/sessions because ResolveEffectivePlayerIdAsync returned the (empty) Discord primary. - In /auth/telegram callback, swap LinkIdentityAsync args so Telegram is always treated as the current (primary) account. - Add V022 migration to reverse any existing incorrectly-oriented player_links where Discord is primary and Telegram is secondary. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 15:19:08 +03:00
Toutsu	5e3028e470	fix: SameSite=Lax for auth cookie + bidirectional identity linking Deploy Telegram Bot / build-and-push (push) Successful in 4m45s Details Deploy Telegram Bot / scan-images (push) Successful in 2m7s Details Deploy Telegram Bot / deploy (push) Successful in 28s Details - Change cookie auth SameSite from Strict to Lax so Discord OAuth callback can see existing Telegram auth session and perform linking instead of creating a new standalone Discord session (root cause of broken linking). - Add linking logic to /auth/telegram endpoint for Discord→Telegram linking. - Add Telegram Login Widget in Profile.razor for Discord users. - Add CookieAuthOptionsTests to verify Lax SameSite configuration. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 14:58:25 +03:00
Toutsu	63193310f2	hotfix: fix Blazor circuit crash on Discord link + add missing avatar_url column Deploy Telegram Bot / build-and-push (push) Successful in 4m53s Details Deploy Telegram Bot / scan-images (push) Successful in 1m47s Details Deploy Telegram Bot / deploy (push) Successful in 28s Details - Replace @onclick button with plain <a href="/auth/discord"> to avoid circuit disconnect from forceLoad navigation during event handlers. - Add query param handling (?linked, ?link_error) in Profile.razor for Discord callback feedback. - Add V021 migration: ALTER TABLE players ADD COLUMN avatar_url. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 14:39:24 +03:00
Toutsu	af37f3a8ec	fix: Profile.razor use ISessionStore directly + forceLoad for Discord link Deploy Telegram Bot / build-and-push (push) Successful in 4m38s Details Deploy Telegram Bot / scan-images (push) Successful in 1m41s Details Deploy Telegram Bot / deploy (push) Successful in 26s Details - Replace HttpClient API calls with direct ISessionStore DI to avoid 302 redirect from missing auth cookie in Blazor Server interactive mode - Use NavigationManager.NavigateTo with forceLoad=true for Discord OAuth to bypass Blazor circuit navigation and trigger full HTTP request Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 14:20:26 +03:00
Toutsu	66228cf106	Merge pull request #93 : feat: unify Telegram and Discord accounts via identity linking Deploy Telegram Bot / build-and-push (push) Successful in 5m6s Details Deploy Telegram Bot / scan-images (push) Successful in 1m48s Details Deploy Telegram Bot / deploy (push) Successful in 26s Details	2026-05-25 14:07:33 +03:00
Toutsu	9c59240f48	fix: connection leak in UpsertDiscordUserAsync + false conflict in LinkIdentityAsync PR Checks / test-and-build (pull_request) Successful in 7m25s Details - UpsertDiscordUserAsync: restore await using on opened connection - LinkIdentityAsync: compute effectiveCurrentPrimary before existingLink check to prevent false conflict when current user is a secondary identity Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 13:59:41 +03:00
Toutsu	baa25f2e1e	feat: unify Telegram and Discord accounts via identity linking PR Checks / test-and-build (pull_request) Successful in 7m6s Details - Add V020 migration: player_links + identity_audit_log tables - Add ISessionStore methods: ResolveEffectivePlayerId, LinkIdentity, UnlinkIdentity, GetLinkedIdentities - Update SessionService to resolve effective player id for all permission checks - Add /auth/discord/callback linking flow when already authenticated - Add /api/me/identities GET/DELETE endpoints - Add Profile.razor page for managing linked accounts - Update NavMenu with profile link and v3.0.0 badge - Bump version to 3.0.0 across all files Bump version → 3.0.0 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 13:51:10 +03:00
Toutsu	7a2ed808c4	fix: replace cookie-based Discord OAuth CSRF with server-side state store Deploy Telegram Bot / build-and-push (push) Successful in 4m19s Details Deploy Telegram Bot / scan-images (push) Successful in 1m24s Details Deploy Telegram Bot / deploy (push) Successful in 11s Details - Replace __DiscordOAuthState cookie (blocked by third-party cookie policies) with in-memory DiscordOAuthStateStore singleton - State is created server-side and validated on callback, eliminating cross-site cookie transmission issues entirely - Removed CryptographicOperations dependency from Program.cs Bump version → 2.8.1 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 13:18:23 +03:00
Toutsu	dd0828a63d	Merge pull request #92 : fix Discord OAuth CSRF cookie SameSite Deploy Telegram Bot / build-and-push (push) Successful in 4m18s Details Deploy Telegram Bot / scan-images (push) Successful in 1m28s Details Deploy Telegram Bot / deploy (push) Successful in 34s Details	2026-05-25 13:08:31 +03:00
Toutsu	e1fac04775	Merge pull request #92 : fix: add Discord OAuth token exchange logging for production diagnostics Deploy Telegram Bot / build-and-push (push) Successful in 4m17s Details Deploy Telegram Bot / scan-images (push) Successful in 1m24s Details Deploy Telegram Bot / deploy (push) Successful in 23s Details	2026-05-25 12:47:19 +03:00