Merge pull request #99: fix(discord): cast COUNT to int for slash command list query

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitea/workflows/deploy.yml

@@ -6,7 +6,7 @@ on:
       - main 
 
 env:
-  VERSION: 2.8.0
+  VERSION: 3.0.6
 
 jobs:
   # ЧАСТЬ 1: Собираем образы и кладем в Gitea (чтобы делиться с ребятами)

Directory.Build.props

@@ -1,6 +1,6 @@
 <Project>
   <PropertyGroup>
-    <Version>2.8.0</Version>
+    <Version>3.0.6</Version>
     <TargetFramework>net10.0</TargetFramework>
     <LangVersion>preview</LangVersion>
     <Nullable>enable</Nullable>

README.md

@@ -85,8 +85,10 @@ TELEGRAM_BOT_TOKEN=ваш_токен_здесь
 # Токен Discord application bot
 DISCORD_BOT_TOKEN=ваш_discord_токен_здесь
 
-# Client ID Discord application (используется для slash-команд)
-DISCORD_BOT_CLIENT_ID=ваш_discord_client_id_здесь
+# Discord OAuth (для Web Dashboard)
+DISCORD_CLIENT_ID=ваш_discord_client_id_здесь
+DISCORD_CLIENT_SECRET=ваш_discord_client_secret_здесь
+DISCORD_REDIRECT_URI=https://your-domain.example/auth/discord/callback
 
 # Имя бота без @ (для Telegram Login Widget)
 TELEGRAM_BOT_USERNAME=ваше_имя_бота_здесь
@@ -119,7 +121,7 @@ docker compose up -d
 1. Напишите боту `/start`.
 2. Создайте группу через `/newgroup`.
 3. Откройте Mini App или Web Dashboard для расширенного управления.
-4. Для Discord пригласите application bot на сервер с правами `bot` и `applications.commands`. Скопируйте `DISCORD_BOT_TOKEN` и `DISCORD_BOT_CLIENT_ID` в `.env`.
+4. Для Discord пригласите application bot на сервер с правами `bot` и `applications.commands`. Скопируйте `DISCORD_BOT_TOKEN` в `.env`; `DISCORD_CLIENT_ID`, `DISCORD_CLIENT_SECRET` и `DISCORD_REDIRECT_URI` нужны только для входа в Web Dashboard через Discord.
 5. Перезапустите Docker Compose (`docker compose up -d`), а затем в Discord создайте сессию через `/newsession` или опубликуйте расписание через `/listsessions`; игроки записываются и выходят кнопками в опубликованном сообщении.
 
 ## 💾 Backup и восстановление

compose.yaml

@@ -49,7 +49,7 @@ services:
         crond -f
 
   bot:
-    image: git.codeanddice.ru/toutsu/gmrelay-bot:2.8.0
+    image: git.codeanddice.ru/toutsu/gmrelay-bot:3.0.6
     restart: always
     depends_on:
       db:
@@ -67,7 +67,7 @@ services:
       retries: 3
 
   discord:
-    image: git.codeanddice.ru/toutsu/gmrelay-discord-bot:2.8.0
+    image: git.codeanddice.ru/toutsu/gmrelay-discord-bot:3.0.6
     restart: always
     depends_on:
       db:
@@ -84,7 +84,7 @@ services:
       retries: 3
 
   web:
-    image: git.codeanddice.ru/toutsu/gmrelay-web:2.8.0
+    image: git.codeanddice.ru/toutsu/gmrelay-web:3.0.6
     restart: always
     depends_on:
       db:

src/GmRelay.Bot/Migrations/V020__player_identity_links.sql

@@ -0,0 +1,37 @@
+-- =============================================================
+-- V020: Player identity linking for unified multi-platform accounts
+-- =============================================================
+-- Scope: Allow linking multiple platform identities (Telegram, Discord)
+-- to a single "primary" player account. All group/session permissions
+-- resolve through the effective (primary) player id.
+-- =============================================================
+
+-- player_links: secondary player → primary player (1:1 on secondary)
+CREATE TABLE player_links (
+    id                    UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    primary_player_id     UUID NOT NULL REFERENCES players(id) ON DELETE CASCADE,
+    secondary_player_id   UUID NOT NULL UNIQUE REFERENCES players(id) ON DELETE CASCADE,
+    linked_at             TIMESTAMPTZ NOT NULL DEFAULT now(),
+    linked_by_player_id   UUID REFERENCES players(id) ON DELETE SET NULL,
+    -- Prevent self-linking at the DB level
+    CONSTRAINT no_self_link CHECK (primary_player_id <> secondary_player_id)
+);
+
+CREATE INDEX ix_player_links_primary_player_id
+    ON player_links(primary_player_id);
+
+-- identity_audit_log: security-sensitive link/unlink actions
+CREATE TABLE identity_audit_log (
+    id                      UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    player_id               UUID NOT NULL REFERENCES players(id) ON DELETE CASCADE,
+    action                  VARCHAR(50) NOT NULL,   -- 'link', 'unlink', 'link_attempt_conflict'
+    target_platform         VARCHAR(50),
+    target_external_user_id VARCHAR(255),
+    performed_at            TIMESTAMPTZ NOT NULL DEFAULT now(),
+    performed_by_player_id  UUID REFERENCES players(id) ON DELETE SET NULL
+);
+
+CREATE INDEX ix_identity_audit_log_player_id
+    ON identity_audit_log(player_id);
+CREATE INDEX ix_identity_audit_log_performed_at
+    ON identity_audit_log(performed_at DESC);

src/GmRelay.Bot/Migrations/V021__add_avatar_url.sql

@@ -0,0 +1,8 @@
+-- =============================================================
+-- V021: Add avatar_url column to players table
+-- =============================================================
+-- Scope: Support storing avatar URLs for Discord and other platforms.
+-- =============================================================
+
+ALTER TABLE players
+    ADD COLUMN avatar_url VARCHAR(500);

src/GmRelay.Bot/Migrations/V022__fix_discord_telegram_links.sql

@@ -0,0 +1,16 @@
+-- =============================================================
+-- V022: Fix incorrectly oriented player_links for Discord↔Telegram
+-- =============================================================
+-- Scope: Reverse player_links where Discord was incorrectly made primary
+-- and Telegram secondary. Telegram (with historical group/session data)
+-- must always be the primary account.
+-- =============================================================
+
+UPDATE player_links pl
+SET primary_player_id   = pl.secondary_player_id,
+    secondary_player_id = pl.primary_player_id
+FROM players p1, players p2
+WHERE pl.primary_player_id = p1.id
+  AND pl.secondary_player_id = p2.id
+  AND p1.platform = 'Discord'
+  AND p2.platform = 'Telegram';

src/GmRelay.DiscordBot/Features/Sessions/DiscordListSessionsCommand.cs

@@ -3,7 +3,6 @@ using NetCord.Services.ApplicationCommands;
 
 namespace GmRelay.DiscordBot.Features.Sessions;
 
-[SlashCommand("listsessions", "Show upcoming game sessions in this server")]
 public class DiscordListSessionsCommand : ApplicationCommandModule<SlashCommandContext>
 {
     private readonly DiscordListSessionsHandler _handler;
@@ -13,9 +12,10 @@ public class DiscordListSessionsCommand : ApplicationCommandModule<SlashCommandC
         _handler = handler;
     }
 
+    [SlashCommand("listsessions", "Show upcoming game sessions in this server")]
     public async Task ExecuteAsync()
     {
-        var guildId = Context.Guild?.Id.ToString()
+        var guildId = Context.Interaction.GuildId?.ToString()
             ?? throw new InvalidOperationException("This command can only be used in a guild.");
         var channelId = Context.Channel.Id.ToString();
 

src/GmRelay.DiscordBot/Features/Sessions/DiscordListSessionsHandler.cs

@@ -21,8 +21,8 @@ public sealed class DiscordListSessionsHandler(NpgsqlDataSource dataSource)
         var sessions = await connection.QueryAsync<DiscordSessionListItemDto>(
             @"SELECT s.id as Id, s.title as Title, s.scheduled_at as ScheduledAt, s.status as Status,
                      s.max_players as MaxPlayers,
-                     COUNT(sp.id) FILTER (WHERE sp.is_gm = false AND sp.registration_status = @Active) as PlayerCount,
-                     COUNT(sp.id) FILTER (WHERE sp.is_gm = false AND sp.registration_status = @Waitlisted) as WaitlistCount
+                     COUNT(sp.id) FILTER (WHERE sp.is_gm = false AND sp.registration_status = @Active)::int as PlayerCount,
+                     COUNT(sp.id) FILTER (WHERE sp.is_gm = false AND sp.registration_status = @Waitlisted)::int as WaitlistCount
               FROM sessions s
               JOIN game_groups g ON s.group_id = g.id
               LEFT JOIN session_participants sp ON s.id = sp.session_id

src/GmRelay.DiscordBot/Features/Sessions/DiscordNewSessionCommand.cs

@@ -4,7 +4,6 @@ using NetCord.Services.ApplicationCommands;
 
 namespace GmRelay.DiscordBot.Features.Sessions;
 
-[SlashCommand("newsession", "Create a new game session")]
 public class DiscordNewSessionCommand : ApplicationCommandModule<SlashCommandContext>
 {
     private readonly DiscordNewSessionHandler _handler;
@@ -16,14 +15,17 @@ public class DiscordNewSessionCommand : ApplicationCommandModule<SlashCommandCon
         _logger = logger;
     }
 
+    [SlashCommand("newsession", "Create a new game session")]
     public async Task ExecuteAsync(
         [SlashCommandParameter(Name = "title", Description = "Game title")] string title,
         [SlashCommandParameter(Name = "time", Description = "Session time (YYYY-MM-DD HH:mm or DD.MM.YYYY HH:mm)")] string time,
         [SlashCommandParameter(Name = "seats", Description = "Maximum number of players")] long? seats = null,
         [SlashCommandParameter(Name = "link", Description = "Join link")] string? link = null)
     {
-        var guild = Context.Guild
+        var guildId = Context.Interaction.GuildId
             ?? throw new InvalidOperationException("This command can only be used in a guild.");
+        var guild = await Context.Client.Rest.GetGuildAsync(guildId);
+        var member = await Context.Client.Rest.GetGuildUserAsync(guildId, Context.User.Id);
 
         var timeResult = DiscordNewSessionHandler.ParseTimeInput(time);
         if (!timeResult.IsSuccess)
@@ -33,7 +35,7 @@ public class DiscordNewSessionCommand : ApplicationCommandModule<SlashCommandCon
             return;
         }
 
-        var resolvedPermissions = GetResolvedPermissions(guild, Context.User.Id);
+        var resolvedPermissions = GetResolvedPermissions(guild, member);
 
         try
         {
@@ -70,18 +72,17 @@ public class DiscordNewSessionCommand : ApplicationCommandModule<SlashCommandCon
         }
     }
 
-    private static ulong GetResolvedPermissions(NetCord.Gateway.Guild guild, ulong userId)
+    private static ulong GetResolvedPermissions(NetCord.Rest.RestGuild guild, NetCord.GuildUser member)
     {
-        if (!guild.Users.TryGetValue(userId, out var guildUser))
+        if (member is null)
             return 0;
 
         ulong resolved = 0;
-        foreach (var roleId in guildUser.RoleIds)
+        foreach (var roleId in member.RoleIds)
         {
             if (guild.Roles.TryGetValue(roleId, out var role))
                 resolved |= (ulong)role.Permissions;
         }
-
         return resolved;
     }
 }

src/GmRelay.DiscordBot/Features/Sessions/DiscordRescheduleCommand.cs

@@ -3,7 +3,6 @@ namespace GmRelay.DiscordBot.Features.Sessions;
 using NetCord.Rest;
 using NetCord.Services.ApplicationCommands;
 
-[SlashCommand("reschedule", "Initiate reschedule voting for a session")]
 public class DiscordRescheduleCommand : ApplicationCommandModule<SlashCommandContext>
 {
     private readonly DiscordRescheduleHandler _handler;
@@ -15,6 +14,7 @@ public class DiscordRescheduleCommand : ApplicationCommandModule<SlashCommandCon
         _logger = logger;
     }
 
+    [SlashCommand("reschedule", "Initiate reschedule voting for a session")]
     public async Task ExecuteAsync(
         [SlashCommandParameter(Name = "session", Description = "Session ID to reschedule")] string sessionIdText,
         [SlashCommandParameter(Name = "option1", Description = "First time option (YYYY-MM-DD HH:mm)")] string option1,
@@ -22,8 +22,10 @@ public class DiscordRescheduleCommand : ApplicationCommandModule<SlashCommandCon
         [SlashCommandParameter(Name = "option3", Description = "Third time option (optional)")] string? option3 = null,
         [SlashCommandParameter(Name = "deadline", Description = "Voting deadline (YYYY-MM-DD HH:mm)")] string deadline = "")
     {
-        var guild = Context.Guild
+        var guildId = Context.Interaction.GuildId
             ?? throw new InvalidOperationException("This command can only be used in a guild.");
+        var guild = await Context.Client.Rest.GetGuildAsync(guildId);
+        var member = await Context.Client.Rest.GetGuildUserAsync(guildId, Context.User.Id);
 
         if (!Guid.TryParse(sessionIdText, out var sessionId))
         {
@@ -64,7 +66,7 @@ public class DiscordRescheduleCommand : ApplicationCommandModule<SlashCommandCon
             return;
         }
 
-        var resolvedPermissions = GetResolvedPermissions(guild, Context.User.Id);
+        var resolvedPermissions = GetResolvedPermissions(guild, member);
 
         try
         {
@@ -102,12 +104,13 @@ public class DiscordRescheduleCommand : ApplicationCommandModule<SlashCommandCon
         }
     }
 
-    private static ulong GetResolvedPermissions(NetCord.Gateway.Guild guild, ulong userId)
+    private static ulong GetResolvedPermissions(NetCord.Rest.RestGuild guild, NetCord.GuildUser member)
     {
-        if (!guild.Users.TryGetValue(userId, out var guildUser))
+        if (member is null)
             return 0;
+
         ulong resolved = 0;
-        foreach (var roleId in guildUser.RoleIds)
+        foreach (var roleId in member.RoleIds)
         {
             if (guild.Roles.TryGetValue(roleId, out var role))
                 resolved |= (ulong)role.Permissions;

src/GmRelay.DiscordBot/Features/Sessions/DiscordSessionInteractionModule.cs

@@ -168,7 +168,7 @@ public sealed class DiscordSessionInteractionModule(
 
     private DiscordSessionInteractionInput CreateInput(Guid sessionId)
     {
-        var guild = Context.Guild
+        var guildId = Context.Interaction.GuildId?.ToString(CultureInfo.InvariantCulture)
             ?? throw new InvalidOperationException("Session buttons can only be used in a guild.");
         var message = Context.Interaction.Message
             ?? throw new InvalidOperationException("Session button interaction must include a message.");
@@ -176,7 +176,7 @@ public sealed class DiscordSessionInteractionModule(
         return new DiscordSessionInteractionInput(
             SessionId: sessionId,
             InteractionId: Context.Interaction.Id.ToString(System.Globalization.CultureInfo.InvariantCulture),
-            GuildId: guild.Id.ToString(CultureInfo.InvariantCulture),
+            GuildId: guildId,
             ChannelId: Context.Channel.Id.ToString(CultureInfo.InvariantCulture),
             MessageId: message.Id.ToString(CultureInfo.InvariantCulture),
             UserId: Context.User.Id,

src/GmRelay.DiscordBot/Program.cs

@@ -18,8 +18,10 @@ using Microsoft.Extensions.DependencyInjection;
 using NetCord;
 using NetCord.Gateway;
 using NetCord.Hosting.Gateway;
+using NetCord.Hosting.Services;
 using NetCord.Hosting.Services.ApplicationCommands;
 using NetCord.Hosting.Services.ComponentInteractions;
+using NetCord.Services.ApplicationCommands;
 using NetCord.Services.ComponentInteractions;
 using Npgsql;
 
@@ -82,12 +84,13 @@ builder.Services
         options.Token = discordOptions.Token;
         options.Intents = GatewayIntents.Guilds;
     })
-    .AddApplicationCommands()
+    .AddApplicationCommands<SlashCommandInteraction, SlashCommandContext>()
     .AddComponentInteractions<ButtonInteraction, ButtonInteractionContext>()
     .AddGatewayHandlers(typeof(Program).Assembly);
 
 var host = builder.Build();
 
 host.AddSlashCommand("ping", "Checks whether GM-Relay Discord is online.", () => "Pong!");
+host.AddModules(typeof(Program).Assembly);
 
 await host.RunAsync();

src/GmRelay.Web/Components/Layout/NavMenu.razor

@@ -34,6 +34,13 @@
                     </svg>
                     Шаблоны
                 </NavLink>
+                <NavLink class="nav-item" href="profile" @onclick="CloseMenu">
+                    <svg class="nav-icon" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+                        <path d="M20 21v-2a4 4 0 0 0-4-4H8a4 4 0 0 0-4 4v2"/>
+                        <circle cx="12" cy="7" r="4"/>
+                    </svg>
+                    Профиль
+                </NavLink>
             </div>
 
             <div class="nav-footer">
@@ -66,7 +73,7 @@
                     </button>
                 </form>
 
-                <div class="nav-version">v2.8.0</div>
+                <div class="nav-version">v3.0.6</div>
             </div>
         </Authorized>
         <NotAuthorized>

src/GmRelay.Web/Components/Pages/Profile.razor

@@ -0,0 +1,191 @@
+@page "/profile"
+@using Microsoft.AspNetCore.Authorization
+@using Microsoft.AspNetCore.Components.Authorization
+@using Microsoft.Extensions.Configuration
+@attribute [Authorize]
+@inject ISessionStore SessionStore
+@inject IConfiguration Configuration
+@inject NavigationManager Navigation
+
+<PageTitle>Профиль — GM-Relay</PageTitle>
+
+<div class="profile-container">
+    <h1 class="page-title">Профиль</h1>
+
+    @if (identities is null)
+    {
+        <p class="loading-text">Загрузка...</p>
+    }
+    else if (identities.Count == 0)
+    {
+        <div class="profile-card">
+            <p>Связанные аккаунты не найдены.</p>
+        </div>
+    }
+    else
+    {
+        <div class="profile-card">
+            <h2 class="section-title">Связанные аккаунты</h2>
+            <ul class="identity-list">
+                @foreach (var id in identities)
+                {
+                    <li class="identity-item">
+                        <div class="identity-info">
+                            <span class="identity-platform">@id.Platform</span>
+                            <span class="identity-name">@id.DisplayName</span>
+                        </div>
+                        @if (id.Platform != currentPlatform || id.ExternalUserId != currentExternalUserId)
+                        {
+                            <button class="btn btn-secondary btn-small"
+                                    @onclick="() => Unlink(id.Platform, id.ExternalUserId)"
+                                    disabled="@isUnlinking">
+                                Отвязать
+                            </button>
+                        }
+                        else
+                        {
+                            <span class="identity-badge">Текущий</span>
+                        }
+                    </li>
+                }
+            </ul>
+        </div>
+    }
+
+    <div class="profile-card">
+        <h2 class="section-title">Добавить аккаунт</h2>
+        @if (!HasLinkedPlatform("Discord"))
+        {
+            <a href="/auth/discord" class="btn btn-primary">
+                Привязать Discord
+            </a>
+        }
+        else
+        {
+            <p class="muted-text">Discord уже привязан.</p>
+        }
+
+        @if (currentPlatform == "Discord" && !HasLinkedPlatform("Telegram"))
+        {
+            var botUsername = Configuration["Telegram__BotUsername"] ?? Configuration["Telegram:BotUsername"];
+            if (!string.IsNullOrWhiteSpace(botUsername))
+            {
+                var authUrl = new Uri(new Uri(Navigation.BaseUri), "auth/telegram").ToString();
+                var widgetHtml = $"<script async src=\"https://telegram.org/js/telegram-widget.js?22\" data-telegram-login=\"{botUsername}\" data-size=\"large\" data-auth-url=\"{authUrl}\" data-request-access=\"write\"></script>";
+                <div class="telegram-widget-wrapper">
+                    @((MarkupString)widgetHtml)
+                </div>
+            }
+        }
+    </div>
+
+    @if (!string.IsNullOrWhiteSpace(errorMessage))
+    {
+        <div class="alert alert-error">@errorMessage</div>
+    }
+
+    @if (!string.IsNullOrWhiteSpace(successMessage))
+    {
+        <div class="alert alert-success">@successMessage</div>
+    }
+</div>
+
+@code {
+    private List<LinkedIdentity>? identities;
+    private string? currentPlatform;
+    private string? currentExternalUserId;
+    private bool isUnlinking;
+    private string? errorMessage;
+    private string? successMessage;
+
+    [CascadingParameter]
+    private Task<AuthenticationState>? AuthenticationStateTask { get; set; }
+
+    [SupplyParameterFromQuery]
+    public string? Linked { get; set; }
+
+    [SupplyParameterFromQuery(Name = "link_error")]
+    public string? LinkError { get; set; }
+
+    protected override async Task OnInitializedAsync()
+    {
+        if (AuthenticationStateTask is not null)
+        {
+            var authState = await AuthenticationStateTask;
+            var user = authState.User;
+            if (user.TryGetPlatformIdentity(out var plat, out var extId))
+            {
+                currentPlatform = plat;
+                currentExternalUserId = extId;
+            }
+        }
+
+        if (!string.IsNullOrWhiteSpace(Linked))
+        {
+            successMessage = $"{Linked} аккаунт успешно привязан!";
+        }
+
+        if (!string.IsNullOrWhiteSpace(LinkError))
+        {
+            errorMessage = $"Ошибка привязки: {Uri.UnescapeDataString(LinkError)}";
+        }
+
+        await LoadIdentities();
+    }
+
+    private async Task LoadIdentities()
+    {
+        try
+        {
+            if (currentPlatform is not null && currentExternalUserId is not null)
+            {
+                identities = await SessionStore.GetLinkedIdentitiesAsync(currentPlatform, currentExternalUserId);
+            }
+            else
+            {
+                identities = [];
+            }
+        }
+        catch (Exception ex)
+        {
+            errorMessage = $"Не удалось загрузить аккаунты: {ex.Message}";
+        }
+    }
+
+    private bool HasLinkedPlatform(string platform)
+    {
+        return identities?.Any(i => i.Platform == platform) ?? false;
+    }
+
+    private async Task Unlink(string platform, string externalUserId)
+    {
+        isUnlinking = true;
+        errorMessage = null;
+        successMessage = null;
+
+        try
+        {
+            if (currentPlatform is null || currentExternalUserId is null)
+            {
+                errorMessage = "Не удалось определить текущего пользователя.";
+                return;
+            }
+
+            await SessionStore.UnlinkIdentityAsync(currentPlatform, currentExternalUserId, platform, externalUserId);
+            successMessage = $"{platform} аккаунт отвязан.";
+            await LoadIdentities();
+        }
+        catch (InvalidOperationException ex)
+        {
+            errorMessage = $"Ошибка отвязки: {ex.Message}";
+        }
+        catch (Exception ex)
+        {
+            errorMessage = $"Ошибка отвязки: {ex.Message}";
+        }
+        finally
+        {
+            isUnlinking = false;
+        }
+    }
+}

src/GmRelay.Web/Program.cs

@@ -39,6 +39,7 @@ builder.AddNpgsqlDataSource("gmrelaydb");
 builder.Services.AddSingleton<TelegramAuthService>();
 builder.Services.Configure<DiscordOAuthOptions>(builder.Configuration.GetSection("Discord"));
 builder.Services.AddSingleton<DiscordAuthService>();
+builder.Services.AddSingleton<DiscordOAuthStateStore>();
 builder.Services.AddSingleton<ISessionStore, SessionService>();
 builder.Services.AddScoped<AuthorizedSessionService>();
 builder.Services.AddScoped<CalendarSubscriptionService>();
@@ -60,7 +61,7 @@ builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationSc
         options.AccessDeniedPath = "/access-denied";
         options.Cookie.HttpOnly = true;
         options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
-        options.Cookie.SameSite = SameSiteMode.Strict;
+        options.Cookie.SameSite = SameSiteMode.Lax;
         options.ExpireTimeSpan = TimeSpan.FromDays(7);
         options.SlidingExpiration = true;
     });
@@ -122,19 +123,39 @@ app.MapHealthChecks("/alive", new HealthCheckOptions
 });
 
 // Endpoint to handle Telegram Login callback
-app.MapGet("/auth/telegram", async (HttpContext context, TelegramAuthService authService) =>
+app.MapGet("/auth/telegram", async (HttpContext context, TelegramAuthService authService, ISessionStore sessionStore) =>
 {
-    if (authService.Verify(context.Request.Query, out var telegramId, out var name))
+    if (!authService.Verify(context.Request.Query, out var telegramId, out var name))
+        return Results.Redirect("/login?error=auth_failed");
+
+    await sessionStore.UpsertPlayerAsync("Telegram", telegramId.ToString(System.Globalization.CultureInfo.InvariantCulture), name, null);
+
+    // If already authenticated via another platform, link instead of replacing session
+    if (context.User.Identity?.IsAuthenticated == true
+        && context.User.TryGetPlatformIdentity(out var currentPlatform, out var currentExternalUserId)
+        && currentPlatform != "Telegram")
     {
-        var authProperties = new AuthenticationProperties { IsPersistent = true };
-        await context.SignInAsync(
-            CookieAuthenticationDefaults.AuthenticationScheme,
-            CreateTelegramPrincipal(telegramId, name),
-            authProperties);
-        return Results.Redirect("/");
+        try
+        {
+            // Always make Telegram the primary (it has the historical data/groups)
+            await sessionStore.LinkIdentityAsync(
+                "Telegram", telegramId.ToString(System.Globalization.CultureInfo.InvariantCulture),
+                currentPlatform, currentExternalUserId,
+                name);
+            return Results.Redirect("/profile?linked=telegram");
+        }
+        catch (InvalidOperationException ex)
+        {
+            return Results.Redirect($"/profile?link_error={Uri.EscapeDataString(ex.Message)}");
+        }
     }
 
-    return Results.Redirect("/login?error=auth_failed");
+    var authProperties = new AuthenticationProperties { IsPersistent = true };
+    await context.SignInAsync(
+        CookieAuthenticationDefaults.AuthenticationScheme,
+        CreateTelegramPrincipal(telegramId, name),
+        authProperties);
+    return Results.Redirect("/");
 });
 
 app.MapPost("/auth/telegram-webapp", async (
@@ -185,16 +206,9 @@ app.MapPost("/auth/logout", async (HttpContext context) =>
 });
 
 // Discord OAuth endpoints
-app.MapGet("/auth/discord", (HttpContext context, DiscordAuthService discordAuth) =>
+app.MapGet("/auth/discord", (DiscordAuthService discordAuth, DiscordOAuthStateStore stateStore) =>
 {
-    var state = Guid.NewGuid().ToString("N");
-    context.Response.Cookies.Append("__DiscordOAuthState", state, new CookieOptions
-    {
-        HttpOnly = true,
-        Secure = true,
-        SameSite = SameSiteMode.Strict,
-        MaxAge = TimeSpan.FromMinutes(5)
-    });
+    var state = stateStore.CreateState();
     var url = discordAuth.BuildAuthorizeUrl(state);
     return Results.Redirect(url);
 });
@@ -202,19 +216,15 @@ app.MapGet("/auth/discord", (HttpContext context, DiscordAuthService discordAuth
 app.MapGet("/auth/discord/callback", async (
     HttpContext context,
     DiscordAuthService discordAuth,
+    DiscordOAuthStateStore stateStore,
     ISessionStore sessionStore) =>
 {
     var code = context.Request.Query["code"].ToString();
     var state = context.Request.Query["state"].ToString();
-    var storedState = context.Request.Cookies["__DiscordOAuthState"];
-
-    context.Response.Cookies.Delete("__DiscordOAuthState");
 
     if (string.IsNullOrWhiteSpace(code) ||
         string.IsNullOrWhiteSpace(state) ||
-        !CryptographicOperations.FixedTimeEquals(
-            System.Text.Encoding.UTF8.GetBytes(state),
-            System.Text.Encoding.UTF8.GetBytes(storedState ?? string.Empty)))
+        !stateStore.ValidateAndRemove(state))
     {
         return Results.Redirect("/login?error=auth_failed");
     }
@@ -225,6 +235,25 @@ app.MapGet("/auth/discord/callback", async (
 
     await sessionStore.UpsertDiscordUserAsync(user.Id, user.DisplayName, user.AvatarUrl);
 
+    // If already authenticated via another platform, link instead of replacing session
+    if (context.User.Identity?.IsAuthenticated == true
+        && context.User.TryGetPlatformIdentity(out var currentPlatform, out var currentExternalUserId)
+        && currentPlatform != "Discord")
+    {
+        try
+        {
+            await sessionStore.LinkIdentityAsync(
+                currentPlatform, currentExternalUserId,
+                "Discord", user.Id,
+                user.DisplayName);
+            return Results.Redirect("/profile?linked=discord");
+        }
+        catch (InvalidOperationException ex)
+        {
+            return Results.Redirect($"/profile?link_error={Uri.EscapeDataString(ex.Message)}");
+        }
+    }
+
     var authProperties = new AuthenticationProperties { IsPersistent = true };
     await context.SignInAsync(
         CookieAuthenticationDefaults.AuthenticationScheme,
@@ -234,6 +263,38 @@ app.MapGet("/auth/discord/callback", async (
     return Results.Redirect("/");
 });
 
+// Identity linking API endpoints
+app.MapGet("/api/me/identities", async (
+    HttpContext context,
+    ISessionStore sessionStore) =>
+{
+    if (!context.User.TryGetPlatformIdentity(out var platform, out var externalUserId))
+        return Results.Unauthorized();
+
+    var identities = await sessionStore.GetLinkedIdentitiesAsync(platform, externalUserId);
+    return Results.Ok(identities);
+}).RequireAuthorization();
+
+app.MapDelete("/api/me/identities/{targetPlatform}/{targetExternalUserId}", async (
+    HttpContext context,
+    ISessionStore sessionStore,
+    string targetPlatform,
+    string targetExternalUserId) =>
+{
+    if (!context.User.TryGetPlatformIdentity(out var platform, out var externalUserId))
+        return Results.Unauthorized();
+
+    try
+    {
+        await sessionStore.UnlinkIdentityAsync(platform, externalUserId, targetPlatform, targetExternalUserId);
+        return Results.NoContent();
+    }
+    catch (InvalidOperationException ex)
+    {
+        return Results.BadRequest(new { error = ex.Message });
+    }
+}).RequireAuthorization();
+
 // Public calendar subscription endpoint (no auth required)
 app.MapGet("/calendar/{token}.ics", async (
     string token,

src/GmRelay.Web/Services/DiscordAuthService.cs

@@ -5,7 +5,7 @@ using System.Text.Json.Serialization;
 
 namespace GmRelay.Web.Services;
 
-public sealed class DiscordAuthService(IHttpClientFactory httpClientFactory, IConfiguration configuration)
+public sealed class DiscordAuthService(IHttpClientFactory httpClientFactory, IConfiguration configuration, ILogger<DiscordAuthService> logger)
 {
     private readonly DiscordOAuthOptions _options = configuration.GetSection("Discord").Get<DiscordOAuthOptions>() ?? new DiscordOAuthOptions();
 
@@ -40,10 +40,14 @@ public sealed class DiscordAuthService(IHttpClientFactory httpClientFactory, ICo
         });
 
         var response = await client.PostAsync("https://discord.com/api/oauth2/token", content);
-        if (!response.IsSuccessStatusCode)
-            return null;
-
         var json = await response.Content.ReadAsStringAsync();
+        if (!response.IsSuccessStatusCode)
+        {
+            logger.LogError("Discord token exchange failed: {StatusCode} {Body}. client_id={ClientId}, redirect_uri={RedirectUri}",
+                (int)response.StatusCode, json, _options.ClientId, _options.RedirectUri);
+            return null;
+        }
+
         return JsonSerializer.Deserialize<DiscordTokenResponse>(json);
     }
 

src/GmRelay.Web/Services/DiscordOAuthStateStore.cs

@@ -0,0 +1,32 @@
+namespace GmRelay.Web.Services;
+
+public sealed class DiscordOAuthStateStore(ILogger<DiscordOAuthStateStore> logger)
+{
+    private readonly System.Collections.Concurrent.ConcurrentDictionary<string, DateTime> _states = new();
+
+    public string CreateState()
+    {
+        var state = Guid.NewGuid().ToString("N");
+        _states[state] = DateTime.UtcNow.AddMinutes(5);
+        logger.LogDebug("Discord OAuth state created: {State}", state);
+        return state;
+    }
+
+    public bool ValidateAndRemove(string state)
+    {
+        if (!_states.TryRemove(state, out var expiresAt))
+        {
+            logger.LogWarning("Discord OAuth state not found or already used: {State}", state);
+            return false;
+        }
+
+        if (DateTime.UtcNow > expiresAt)
+        {
+            logger.LogWarning("Discord OAuth state expired: {State}", state);
+            return false;
+        }
+
+        logger.LogDebug("Discord OAuth state validated: {State}", state);
+        return true;
+    }
+}

src/GmRelay.Web/Services/ISessionStore.cs

@@ -53,4 +53,19 @@ public interface ISessionStore
     Task LogSessionChangeAsync(Guid sessionId, string actorExternalUserId, string actorName, string changeType, string? oldValue, string? newValue);
     Task<List<SessionAuditLogEntry>> GetSessionHistoryAsync(Guid sessionId);
     Task UpsertDiscordUserAsync(string discordId, string displayName, string? avatarUrl);
+
+    // --- Identity linking (issue #35) ---
+    Task<Guid?> ResolveEffectivePlayerIdAsync(string platform, string externalUserId);
+    Task<List<LinkedIdentity>> GetLinkedIdentitiesAsync(string platform, string externalUserId);
+    Task LinkIdentityAsync(string currentPlatform, string currentExternalUserId, string targetPlatform, string targetExternalUserId, string? currentName);
+    Task UnlinkIdentityAsync(string currentPlatform, string currentExternalUserId, string targetPlatform, string targetExternalUserId);
+    Task UpsertPlayerAsync(string platform, string externalUserId, string displayName, string? avatarUrl);
 }
+
+public sealed record LinkedIdentity(
+    string Platform,
+    string ExternalUserId,
+    string DisplayName,
+    string? ExternalUsername,
+    string? AvatarUrl,
+    DateTime LinkedAt);

src/GmRelay.Web/Services/SessionService.cs

@@ -104,6 +104,10 @@ public sealed class SessionService(
     public async Task<List<WebGameGroup>> GetGroupsForUserAsync(string platform, string externalUserId)
     {
         await using var conn = await dataSource.OpenConnectionAsync();
+        var effectiveId = await _ResolveEffectivePlayerIdAsync(conn, platform, externalUserId);
+        if (effectiveId is null)
+            return [];
+
         return (await conn.QueryAsync<WebGameGroup>(
             """
             SELECT g.id,
@@ -113,13 +117,11 @@ public sealed class SessionService(
                    g.platform AS Platform,
                    gm.role AS ManagerRole
             FROM group_managers gm
-            JOIN players p ON p.id = gm.player_id
             JOIN game_groups g ON g.id = gm.group_id
-            WHERE p.platform = @Platform
-              AND p.external_user_id = @ExternalUserId
+            WHERE gm.player_id = @PlayerId
             ORDER BY g.name
             """,
-            new { Platform = platform, ExternalUserId = externalUserId })).ToList();
+            new { PlayerId = effectiveId.Value })).ToList();
     }
 
     public async Task<WebGameGroup?> GetGroupAsync(Guid groupId)
@@ -142,36 +144,40 @@ public sealed class SessionService(
     public async Task<bool> IsGroupManagerAsync(Guid groupId, string platform, string externalUserId)
     {
         await using var conn = await dataSource.OpenConnectionAsync();
+        var effectiveId = await _ResolveEffectivePlayerIdAsync(conn, platform, externalUserId);
+        if (effectiveId is null)
+            return false;
+
         return await conn.ExecuteScalarAsync<bool>(
             """
             SELECT EXISTS (
                 SELECT 1
-                FROM group_managers gm
-                JOIN players p ON p.id = gm.player_id
-                WHERE gm.group_id = @GroupId
-                  AND p.platform = @Platform
-                  AND p.external_user_id = @ExternalUserId
+                FROM group_managers
+                WHERE group_id = @GroupId
+                  AND player_id = @PlayerId
             )
             """,
-            new { GroupId = groupId, Platform = platform, ExternalUserId = externalUserId });
+            new { GroupId = groupId, PlayerId = effectiveId.Value });
     }
 
     public async Task<bool> IsGroupOwnerAsync(Guid groupId, string platform, string externalUserId)
     {
         await using var conn = await dataSource.OpenConnectionAsync();
+        var effectiveId = await _ResolveEffectivePlayerIdAsync(conn, platform, externalUserId);
+        if (effectiveId is null)
+            return false;
+
         return await conn.ExecuteScalarAsync<bool>(
             """
             SELECT EXISTS (
                 SELECT 1
-                FROM group_managers gm
-                JOIN players p ON p.id = gm.player_id
-                WHERE gm.group_id = @GroupId
-                  AND p.platform = @Platform
-                  AND p.external_user_id = @ExternalUserId
-                  AND gm.role = @OwnerRole
+                FROM group_managers
+                WHERE group_id = @GroupId
+                  AND player_id = @PlayerId
+                  AND role = @OwnerRole
             )
             """,
-            new { GroupId = groupId, Platform = platform, ExternalUserId = externalUserId, OwnerRole = GroupManagerRoleExtensions.OwnerValue });
+            new { GroupId = groupId, PlayerId = effectiveId.Value, OwnerRole = GroupManagerRoleExtensions.OwnerValue });
     }
 
     public async Task<List<WebGroupManager>> GetGroupManagersAsync(Guid groupId)
@@ -255,22 +261,6 @@ public sealed class SessionService(
         return entries.ToList();
     }
 
-    public async Task UpsertDiscordUserAsync(string discordId, string displayName, string? avatarUrl)
-    {
-        await using var conn = await dataSource.OpenConnectionAsync();
-        await conn.ExecuteAsync(
-            """
-            INSERT INTO players (display_name, platform, external_user_id, external_username)
-            VALUES (@DisplayName, 'Discord', @DiscordId, @DisplayName)
-            ON CONFLICT (platform, external_user_id)
-            WHERE platform IS NOT NULL AND external_user_id IS NOT NULL
-            DO UPDATE
-            SET display_name = EXCLUDED.display_name,
-                external_username = EXCLUDED.external_username
-            """,
-            new { DisplayName = displayName, DiscordId = discordId });
-    }
-
     public async Task AddGroupCoGmAsync(
         Guid groupId,
         string ownerPlatform, string ownerExternalUserId,
@@ -280,35 +270,16 @@ public sealed class SessionService(
         await using var conn = await dataSource.OpenConnectionAsync();
         await using var transaction = await conn.BeginTransactionAsync();
 
-        await conn.ExecuteAsync(
-            """
-            INSERT INTO players (display_name, telegram_username, platform, external_user_id, external_username)
-            VALUES (@DisplayName, @ExternalUsername, @Platform, @ExternalUserId, @ExternalUsername)
-            ON CONFLICT (platform, external_user_id)
-            WHERE platform IS NOT NULL AND external_user_id IS NOT NULL
-            DO UPDATE
-            SET display_name = EXCLUDED.display_name,
-                external_username = EXCLUDED.external_username
-            """,
-            new
-            {
-                DisplayName = displayName,
-                ExternalUsername = externalUsername,
-                Platform = coGmPlatform,
-                ExternalUserId = coGmExternalUserId
-            },
-            transaction);
+        var ownerPlayerId = await _ResolveEffectivePlayerIdAsync(conn, ownerPlatform, ownerExternalUserId);
+        if (ownerPlayerId is null)
+            throw new InvalidOperationException("Owner player not found.");
+
+        var coGmPlayerId = await _UpsertPlayerAndGetIdAsync(conn, coGmPlatform, coGmExternalUserId, displayName, externalUsername, transaction);
 
         await conn.ExecuteAsync(
             """
             INSERT INTO group_managers (group_id, player_id, role, added_by_player_id)
-            SELECT @GroupId,
-                   co_gm.id,
-                   @CoGmRole,
-                   owner_player.id
-            FROM players co_gm
-            LEFT JOIN players owner_player ON owner_player.platform = @OwnerPlatform AND owner_player.external_user_id = @OwnerExternalUserId
-            WHERE co_gm.platform = @CoGmPlatform AND co_gm.external_user_id = @CoGmExternalUserId
+            VALUES (@GroupId, @CoGmPlayerId, @CoGmRole, @OwnerPlayerId)
             ON CONFLICT (group_id, player_id) DO UPDATE
             SET role = CASE
                     WHEN group_managers.role = @OwnerRole THEN group_managers.role
@@ -319,10 +290,8 @@ public sealed class SessionService(
             new
             {
                 GroupId = groupId,
-                OwnerPlatform = ownerPlatform,
-                OwnerExternalUserId = ownerExternalUserId,
-                CoGmPlatform = coGmPlatform,
-                CoGmExternalUserId = coGmExternalUserId,
+                OwnerPlayerId = ownerPlayerId.Value,
+                CoGmPlayerId = coGmPlayerId,
                 OwnerRole = GroupManagerRoleExtensions.OwnerValue,
                 CoGmRole = GroupManagerRoleExtensions.CoGmValue
             },
@@ -334,21 +303,21 @@ public sealed class SessionService(
     public async Task RemoveGroupCoGmAsync(Guid groupId, string coGmPlatform, string coGmExternalUserId)
     {
         await using var conn = await dataSource.OpenConnectionAsync();
+        var coGmPlayerId = await _ResolveEffectivePlayerIdAsync(conn, coGmPlatform, coGmExternalUserId);
+        if (coGmPlayerId is null)
+            return;
+
         await conn.ExecuteAsync(
             """
-            DELETE FROM group_managers gm
-            USING players p
-            WHERE gm.player_id = p.id
-              AND gm.group_id = @GroupId
-              AND p.platform = @Platform
-              AND p.external_user_id = @ExternalUserId
-              AND gm.role = @CoGmRole
+            DELETE FROM group_managers
+            WHERE group_id = @GroupId
+              AND player_id = @PlayerId
+              AND role = @CoGmRole
             """,
             new
             {
                 GroupId = groupId,
-                Platform = coGmPlatform,
-                ExternalUserId = coGmExternalUserId,
+                PlayerId = coGmPlayerId.Value,
                 CoGmRole = GroupManagerRoleExtensions.CoGmValue
             });
     }
@@ -1371,4 +1340,258 @@ public sealed class SessionService(
             new { BatchId = batchId, GroupId = groupId },
             transaction);
     }
+
+    // --- Identity linking (issue #35) ---
+
+    public async Task<Guid?> ResolveEffectivePlayerIdAsync(string platform, string externalUserId)
+    {
+        await using var conn = await dataSource.OpenConnectionAsync();
+        return await _ResolveEffectivePlayerIdAsync(conn, platform, externalUserId);
+    }
+
+    public async Task<List<LinkedIdentity>> GetLinkedIdentitiesAsync(string platform, string externalUserId)
+    {
+        await using var conn = await dataSource.OpenConnectionAsync();
+
+        var effectiveId = await _ResolveEffectivePlayerIdAsync(conn, platform, externalUserId);
+        if (effectiveId is null)
+            return [];
+
+        return (await conn.QueryAsync<LinkedIdentity>(
+            """
+            SELECT p.platform AS Platform,
+                   p.external_user_id AS ExternalUserId,
+                   p.display_name AS DisplayName,
+                   p.external_username AS ExternalUsername,
+                   p.avatar_url AS AvatarUrl,
+                   COALESCE(pl.linked_at, p.created_at) AS LinkedAt
+            FROM players p
+            LEFT JOIN player_links pl ON pl.secondary_player_id = p.id
+            WHERE pl.primary_player_id = @EffectiveId
+               OR p.id = @EffectiveId
+            ORDER BY CASE WHEN p.id = @EffectiveId THEN 0 ELSE 1 END,
+                     p.platform
+            """,
+            new { EffectiveId = effectiveId.Value })).ToList();
+    }
+
+    public async Task LinkIdentityAsync(
+        string currentPlatform, string currentExternalUserId,
+        string targetPlatform, string targetExternalUserId,
+        string? currentName)
+    {
+        if (currentPlatform == targetPlatform && currentExternalUserId == targetExternalUserId)
+            throw new InvalidOperationException("Cannot link an identity to itself.");
+
+        await using var conn = await dataSource.OpenConnectionAsync();
+        await using var transaction = await conn.BeginTransactionAsync();
+
+        // Resolve current player (must exist — they are logged in)
+        var currentPlayerId = await _ResolvePlayerIdAsync(conn, currentPlatform, currentExternalUserId);
+        if (currentPlayerId is null)
+            throw new InvalidOperationException("Current player not found.");
+
+        // Upsert target player so it exists
+        var targetDisplayName = currentName ?? $"{targetPlatform} {targetExternalUserId}";
+        var targetPlayerId = await _UpsertPlayerAndGetIdAsync(conn, targetPlatform, targetExternalUserId, targetDisplayName, null, transaction);
+
+        // Check if target is already a primary of another link chain (conflict)
+        var targetIsPrimary = await conn.ExecuteScalarAsync<bool>(
+            """
+            SELECT EXISTS (
+                SELECT 1 FROM player_links WHERE primary_player_id = @TargetPlayerId
+            )
+            """,
+            new { TargetPlayerId = targetPlayerId }, transaction);
+
+        if (targetIsPrimary)
+        {
+            await _LogIdentityAuditAsync(conn, currentPlayerId.Value, "link_attempt_conflict",
+                targetPlatform, targetExternalUserId, currentPlayerId.Value, transaction);
+            await transaction.CommitAsync();
+            throw new InvalidOperationException("Target identity is already the primary account of another linked set.");
+        }
+
+        // Check if current is already a secondary (then their primary becomes the effective primary)
+        var currentPrimaryId = await conn.QuerySingleOrDefaultAsync<Guid?>(
+            """
+            SELECT primary_player_id
+            FROM player_links
+            WHERE secondary_player_id = @CurrentPlayerId
+            """,
+            new { CurrentPlayerId = currentPlayerId.Value }, transaction);
+
+        var effectiveCurrentPrimary = currentPrimaryId ?? currentPlayerId.Value;
+
+        // Check if target is already linked to someone else as secondary
+        var existingLink = await conn.QuerySingleOrDefaultAsync<Guid?>(
+            """
+            SELECT primary_player_id
+            FROM player_links
+            WHERE secondary_player_id = @TargetPlayerId
+            """,
+            new { TargetPlayerId = targetPlayerId }, transaction);
+
+        if (existingLink is not null && existingLink.Value != effectiveCurrentPrimary)
+        {
+            await _LogIdentityAuditAsync(conn, effectiveCurrentPrimary, "link_attempt_conflict",
+                targetPlatform, targetExternalUserId, currentPlayerId.Value, transaction);
+            await transaction.CommitAsync();
+            throw new InvalidOperationException("Target identity is already linked to another account.");
+        }
+
+        var effectivePrimary = currentPrimaryId ?? currentPlayerId.Value;
+
+        // Check if already linked
+        var alreadyLinked = await conn.ExecuteScalarAsync<bool>(
+            """
+            SELECT EXISTS (
+                SELECT 1 FROM player_links
+                WHERE primary_player_id = @EffectivePrimary AND secondary_player_id = @TargetPlayerId
+            )
+            """,
+            new { EffectivePrimary = effectivePrimary, TargetPlayerId = targetPlayerId }, transaction);
+
+        if (alreadyLinked)
+        {
+            await transaction.CommitAsync();
+            return; // Already linked, idempotent
+        }
+
+        await conn.ExecuteAsync(
+            """
+            INSERT INTO player_links (primary_player_id, secondary_player_id, linked_by_player_id)
+            VALUES (@PrimaryPlayerId, @SecondaryPlayerId, @LinkedByPlayerId)
+            """,
+            new
+            {
+                PrimaryPlayerId = effectivePrimary,
+                SecondaryPlayerId = targetPlayerId,
+                LinkedByPlayerId = currentPlayerId.Value
+            },
+            transaction);
+
+        await _LogIdentityAuditAsync(conn, effectivePrimary, "link",
+            targetPlatform, targetExternalUserId, currentPlayerId.Value, transaction);
+
+        await transaction.CommitAsync();
+    }
+
+    public async Task UnlinkIdentityAsync(
+        string currentPlatform, string currentExternalUserId,
+        string targetPlatform, string targetExternalUserId)
+    {
+        if (currentPlatform == targetPlatform && currentExternalUserId == targetExternalUserId)
+            throw new InvalidOperationException("Cannot unlink your own primary identity from itself.");
+
+        await using var conn = await dataSource.OpenConnectionAsync();
+        await using var transaction = await conn.BeginTransactionAsync();
+
+        var currentPlayerId = await _ResolvePlayerIdAsync(conn, currentPlatform, currentExternalUserId);
+        if (currentPlayerId is null)
+            throw new InvalidOperationException("Current player not found.");
+
+        var targetPlayerId = await _ResolvePlayerIdAsync(conn, targetPlatform, targetExternalUserId);
+        if (targetPlayerId is null)
+            throw new InvalidOperationException("Target identity not found.");
+
+        var effectivePrimary = await _ResolveEffectivePlayerIdAsync(conn, currentPlatform, currentExternalUserId);
+        if (effectivePrimary is null)
+            throw new InvalidOperationException("Effective primary not found.");
+
+        // Only the primary account owner (or the linked identity itself) can unlink
+        var rows = await conn.ExecuteAsync(
+            """
+            DELETE FROM player_links
+            WHERE primary_player_id = @EffectivePrimary
+              AND secondary_player_id = @TargetPlayerId
+            """,
+            new { EffectivePrimary = effectivePrimary.Value, TargetPlayerId = targetPlayerId.Value },
+            transaction);
+
+        if (rows == 0)
+        {
+            await transaction.RollbackAsync();
+            throw new InvalidOperationException("Identity is not linked to your account.");
+        }
+
+        await _LogIdentityAuditAsync(conn, effectivePrimary.Value, "unlink",
+            targetPlatform, targetExternalUserId, currentPlayerId.Value, transaction);
+
+        await transaction.CommitAsync();
+    }
+
+    public async Task UpsertPlayerAsync(string platform, string externalUserId, string displayName, string? avatarUrl)
+    {
+        await using var conn = await dataSource.OpenConnectionAsync();
+        await _UpsertPlayerAndGetIdAsync(conn, platform, externalUserId, displayName, avatarUrl, null);
+    }
+
+    public async Task UpsertDiscordUserAsync(string discordId, string displayName, string? avatarUrl)
+    {
+        await using var conn = await dataSource.OpenConnectionAsync();
+        await _UpsertPlayerAndGetIdAsync(conn, "Discord", discordId, displayName, avatarUrl, null);
+    }
+
+    // --- Private helpers ---
+
+    private static async Task<Guid?> _ResolvePlayerIdAsync(NpgsqlConnection conn, string platform, string externalUserId)
+    {
+        return await conn.QuerySingleOrDefaultAsync<Guid?>(
+            """
+            SELECT id FROM players
+            WHERE platform = @Platform AND external_user_id = @ExternalUserId
+            """,
+            new { Platform = platform, ExternalUserId = externalUserId });
+    }
+
+    private static async Task<Guid?> _ResolveEffectivePlayerIdAsync(NpgsqlConnection conn, string platform, string externalUserId)
+    {
+        var playerId = await _ResolvePlayerIdAsync(conn, platform, externalUserId);
+        if (playerId is null)
+            return null;
+
+        var primaryId = await conn.QuerySingleOrDefaultAsync<Guid?>(
+            """
+            SELECT primary_player_id FROM player_links
+            WHERE secondary_player_id = @PlayerId
+            """,
+            new { PlayerId = playerId.Value });
+
+        return primaryId ?? playerId;
+    }
+
+    private static async Task<Guid> _UpsertPlayerAndGetIdAsync(
+        NpgsqlConnection conn, string platform, string externalUserId,
+        string displayName, string? avatarUrl, NpgsqlTransaction? transaction)
+    {
+        return await conn.QuerySingleAsync<Guid>(
+            """
+            INSERT INTO players (display_name, platform, external_user_id, external_username, avatar_url)
+            VALUES (@DisplayName, @Platform, @ExternalUserId, @DisplayName, @AvatarUrl)
+            ON CONFLICT (platform, external_user_id)
+            WHERE platform IS NOT NULL AND external_user_id IS NOT NULL
+            DO UPDATE
+            SET display_name = EXCLUDED.display_name,
+                external_username = EXCLUDED.external_username,
+                avatar_url = COALESCE(EXCLUDED.avatar_url, players.avatar_url)
+            RETURNING id
+            """,
+            new { DisplayName = displayName, Platform = platform, ExternalUserId = externalUserId, AvatarUrl = avatarUrl },
+            transaction);
+    }
+
+    private static async Task _LogIdentityAuditAsync(
+        NpgsqlConnection conn, Guid playerId, string action,
+        string? targetPlatform, string? targetExternalUserId,
+        Guid? performedByPlayerId, NpgsqlTransaction? transaction)
+    {
+        await conn.ExecuteAsync(
+            """
+            INSERT INTO identity_audit_log (player_id, action, target_platform, target_external_user_id, performed_by_player_id)
+            VALUES (@PlayerId, @Action, @TargetPlatform, @TargetExternalUserId, @PerformedByPlayerId)
+            """,
+            new { PlayerId = playerId, Action = action, TargetPlatform = targetPlatform, TargetExternalUserId = targetExternalUserId, PerformedByPlayerId = performedByPlayerId },
+            transaction);
+    }
 }

tests/GmRelay.Bot.Tests/Discord/DiscordProjectStructureTests.cs

@@ -61,7 +61,7 @@ public sealed class DiscordProjectStructureTests
         var prChecks = File.ReadAllText(Path.Combine(repoRoot, ".gitea", "workflows", "pr-checks.yml"));
         var deploy = File.ReadAllText(Path.Combine(repoRoot, ".gitea", "workflows", "deploy.yml"));
 
-        Assert.Contains("gmrelay-discord-bot:2.8.0", compose);
+        Assert.Contains("gmrelay-discord-bot:3.0.6", compose);
         Assert.Contains("Discord__Token=${DISCORD_BOT_TOKEN:?Set DISCORD_BOT_TOKEN in .env}", compose);
         Assert.Contains("src/GmRelay.DiscordBot/Dockerfile", deploy);
         Assert.Contains("DISCORD_BOT_TOKEN", deploy);
@@ -75,13 +75,13 @@ public sealed class DiscordProjectStructureTests
     {
         var repoRoot = GetRepoRoot();
 
-        Assert.Contains("<Version>2.8.0</Version>", File.ReadAllText(Path.Combine(repoRoot, "Directory.Build.props")));
-        Assert.Contains("VERSION: 2.8.0", File.ReadAllText(Path.Combine(repoRoot, ".gitea", "workflows", "deploy.yml")));
-        Assert.Contains("gmrelay-bot:2.8.0", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
-        Assert.Contains("gmrelay-web:2.8.0", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
-        Assert.Contains("gmrelay-discord-bot:2.8.0", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
+        Assert.Contains("<Version>3.0.6</Version>", File.ReadAllText(Path.Combine(repoRoot, "Directory.Build.props")));
+        Assert.Contains("VERSION: 3.0.6", File.ReadAllText(Path.Combine(repoRoot, ".gitea", "workflows", "deploy.yml")));
+        Assert.Contains("gmrelay-bot:3.0.6", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
+        Assert.Contains("gmrelay-web:3.0.6", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
+        Assert.Contains("gmrelay-discord-bot:3.0.6", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
         Assert.Contains(
-            "v2.8.0",
+            "v3.0.6",
             File.ReadAllText(Path.Combine(repoRoot, "src", "GmRelay.Web", "Components", "Layout", "NavMenu.razor")));
     }
 
@@ -94,6 +94,16 @@ public sealed class DiscordProjectStructureTests
         Assert.Contains("DISCORD_BOT_TOKEN", envExample);
     }
 
+    [Fact]
+    public void Readme_ShouldNotAskForUnusedDiscordBotClientId()
+    {
+        var repoRoot = GetRepoRoot();
+        var readme = File.ReadAllText(Path.Combine(repoRoot, "README.md"));
+
+        Assert.DoesNotContain("DISCORD_BOT_CLIENT_ID", readme);
+        Assert.Contains("DISCORD_CLIENT_ID", readme);
+    }
+
     [Fact]
     public void Compose_ShouldIncludeDiscordHealthcheck()
     {

tests/GmRelay.Bot.Tests/Discord/DiscordStartupTests.cs

@@ -1,5 +1,8 @@
 using System;
 using System.IO;
+using System.Reflection;
+using GmRelay.DiscordBot.Features.Sessions;
+using NetCord.Services.ApplicationCommands;
 
 namespace GmRelay.Bot.Tests.Discord;
 
@@ -47,6 +50,41 @@ public sealed class DiscordStartupTests
         Assert.Contains(".AddComponentInteractions", program);
         Assert.Contains(".AddGatewayHandlers", program);
         Assert.Contains("AddSlashCommand", program);
+        Assert.Contains("AddModules(typeof(Program).Assembly)", program);
+    }
+
+    [Theory]
+    [InlineData(typeof(DiscordNewSessionCommand), "newsession")]
+    [InlineData(typeof(DiscordListSessionsCommand), "listsessions")]
+    [InlineData(typeof(DiscordRescheduleCommand), "reschedule")]
+    public void DiscordSessionSlashCommands_ShouldBeDeclaredOnModuleMethods(Type moduleType, string commandName)
+    {
+        var executeMethod = moduleType.GetMethod("ExecuteAsync", BindingFlags.Instance | BindingFlags.Public);
+
+        Assert.NotNull(executeMethod);
+
+        var methodAttribute = Assert.Single(executeMethod.GetCustomAttributes<SlashCommandAttribute>(inherit: false));
+        var nameProperty = typeof(SlashCommandAttribute).GetProperty("Name")
+            ?? throw new InvalidOperationException("SlashCommandAttribute should expose command name.");
+
+        Assert.Equal(commandName, nameProperty.GetValue(methodAttribute));
+        Assert.Empty(moduleType.GetCustomAttributes<SlashCommandAttribute>(inherit: false));
+    }
+
+    [Fact]
+    public void DiscordSessionSlashCommands_ShouldBeDiscoverableByNetCordService()
+    {
+        var service = new ApplicationCommandService<SlashCommandContext>();
+
+        service.AddModules(typeof(DiscordNewSessionCommand).Assembly);
+
+        var commandNames = service.GetCommands()
+            .Select(command => command.Name)
+            .ToArray();
+
+        Assert.Contains("newsession", commandNames);
+        Assert.Contains("listsessions", commandNames);
+        Assert.Contains("reschedule", commandNames);
     }
 
     [Fact]

tests/GmRelay.Bot.Tests/Web/AuthorizedSessionServiceTests.cs

@@ -1121,6 +1121,21 @@ public sealed class AuthorizedSessionServiceTests
         public Task UpsertDiscordUserAsync(string discordId, string displayName, string? avatarUrl) =>
             Task.CompletedTask;
 
+        public Task<Guid?> ResolveEffectivePlayerIdAsync(string platform, string externalUserId) =>
+            Task.FromResult<Guid?>(Guid.NewGuid());
+
+        public Task<List<LinkedIdentity>> GetLinkedIdentitiesAsync(string platform, string externalUserId) =>
+            Task.FromResult(new List<LinkedIdentity>());
+
+        public Task LinkIdentityAsync(string currentPlatform, string currentExternalUserId, string targetPlatform, string targetExternalUserId, string? currentName) =>
+            Task.CompletedTask;
+
+        public Task UnlinkIdentityAsync(string currentPlatform, string currentExternalUserId, string targetPlatform, string targetExternalUserId) =>
+            Task.CompletedTask;
+
+        public Task UpsertPlayerAsync(string platform, string externalUserId, string displayName, string? avatarUrl) =>
+            Task.CompletedTask;
+
         private bool IsManager(Guid groupId, long telegramId) =>
             IsOwner(groupId, telegramId) ||
             managers.Any(manager => manager.GroupId == groupId && manager.TelegramId == telegramId);

tests/GmRelay.Bot.Tests/Web/CookieAuthOptionsTests.cs

@@ -0,0 +1,34 @@
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
+
+namespace GmRelay.Bot.Tests.Web;
+
+public sealed class CookieAuthOptionsTests
+{
+    [Fact]
+    public void CookieAuthOptions_ShouldUseLaxSameSite_ToAllowOAuthCallback()
+    {
+        // Arrange
+        var services = new ServiceCollection();
+        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
+            .AddCookie(options =>
+            {
+                options.Cookie.HttpOnly = true;
+                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
+                options.Cookie.SameSite = SameSiteMode.Lax;
+                options.ExpireTimeSpan = TimeSpan.FromDays(7);
+                options.SlidingExpiration = true;
+            });
+
+        var provider = services.BuildServiceProvider();
+        var optionsMonitor = provider.GetRequiredService<IOptionsMonitor<CookieAuthenticationOptions>>();
+        var options = optionsMonitor.Get(CookieAuthenticationDefaults.AuthenticationScheme);
+
+        // Assert
+        Assert.Equal(SameSiteMode.Lax, options.Cookie.SameSite);
+        Assert.True(options.Cookie.HttpOnly);
+        Assert.Equal(CookieSecurePolicy.Always, options.Cookie.SecurePolicy);
+    }
+}

tests/GmRelay.Bot.Tests/Web/DiscordAuthServiceTests.cs

@@ -3,6 +3,7 @@ using System.Text.Json;
 using GmRelay.Web;
 using GmRelay.Web.Services;
 using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Logging.Abstractions;
 
 namespace GmRelay.Bot.Tests.Web;
 
@@ -20,7 +21,7 @@ public class DiscordAuthServiceTests
             })
             .Build();
 
-        var service = new DiscordAuthService(new TestHttpClientFactory(), config);
+        var service = new DiscordAuthService(new TestHttpClientFactory(), config, NullLogger<DiscordAuthService>.Instance);
         var url = service.BuildAuthorizeUrl("state123");
 
         Assert.Contains("client_id=12345", url);
@@ -33,7 +34,7 @@ public class DiscordAuthServiceTests
     public void BuildAuthorizeUrl_WithMissingConfig_ThrowsInvalidOperationException()
     {
         var config = new ConfigurationBuilder().Build();
-        var service = new DiscordAuthService(new TestHttpClientFactory(), config);
+        var service = new DiscordAuthService(new TestHttpClientFactory(), config, NullLogger<DiscordAuthService>.Instance);
 
         Assert.Throws<InvalidOperationException>(() => service.BuildAuthorizeUrl("state"));
     }
@@ -74,7 +75,7 @@ public class DiscordAuthServiceTests
             .Build();
 
         var factory = new TestHttpClientFactory(handler);
-        var service = new DiscordAuthService(factory, config);
+        var service = new DiscordAuthService(factory, config, NullLogger<DiscordAuthService>.Instance);
 
         var result = await service.ExchangeCodeAsync("valid_code");
 
@@ -102,7 +103,7 @@ public class DiscordAuthServiceTests
             .Build();
 
         var factory = new TestHttpClientFactory(handler);
-        var service = new DiscordAuthService(factory, config);
+        var service = new DiscordAuthService(factory, config, NullLogger<DiscordAuthService>.Instance);
 
         var result = await service.ExchangeCodeAsync("invalid_code");