ci: install Trivy from official Docker image; normalize .gitignore to UTF-8

Trivy install keeps failing on the deploy workflow:

  - empty TAG: install.sh falls back to 'latest', but the
    'latest' GitHub release tag is no longer published.
  - pin v0.71.0: pin alone is not durable. The release got
    unpublished and install.sh now dies with
    'unable to find v0.71.0 - use latest'.

Switch to the official aquasec/trivy Docker image:

  - Docker Hub tags are content-addressed and rarely removed,
    so the pin is durable.
  - The image manifest ships linux/amd64, linux/arm64, linux/ppc64le
    and linux/s390x, so the same tag works on the GitHub-hosted
    runner and on the ARM64 Pi runner.
  - We just need docker pull + docker cp /usr/local/bin/trivy.
  - Pinned to 0.70.0 (April 2026) for reasonably current CVE data.

Also normalize .gitignore to plain UTF-8. The working copy had
been re-saved as UTF-16 LE by a Set-Content call without
-Encoding UTF8 (PowerShell 5.1 default on the local Windows box),
so git kept reporting 'Binary files differ' even though the rules
themselves were fine. Re-wrote through the editor to drop the
UTF-16 encoding and added rules for showcase-*.png, *.png.local,
and the test scratch dirs that keep creeping in.

.gitea/workflows/deploy.yml

@@ -6,7 +6,7 @@ on:
       - main 
 
 env:
-  VERSION: 3.9.1
+  VERSION: 3.9.2
 
 jobs:
   # ЧАСТЬ 1: Собираем образы и кладем в Gitea (чтобы делиться с ребятами)
@@ -72,7 +72,27 @@ jobs:
     steps:
       - name: Install Trivy
         run: |
-          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+          # Install Trivy from the official Docker image instead of the
+          # upstream install.sh. Rationale:
+          #   1. install.sh resolves the positional tag against the
+          #      GitHub releases API; when a release is unpublished or
+          #      yanked, the script fails with
+          #      `unable to find '<tag>' - use 'latest' or see ...`
+          #      even when the release once existed. We hit this with
+          #      v0.71.0.
+          #   2. Docker Hub tags are content-addressed and rarely
+          #      removed, so a pinned image tag is much more stable.
+          #   3. The image is multi-arch (linux/amd64, linux/arm64,
+          #      linux/ppc64le, linux/s390x) so the same tag works on
+          #      the GitHub-hosted runner and on the ARM64 Pi runner.
+          set -euo pipefail
+          TRIVY_VERSION="0.70.0"
+          docker pull --quiet "aquasec/trivy:${TRIVY_VERSION}"
+          docker create --name trivy-tmp "aquasec/trivy:${TRIVY_VERSION}"
+          docker cp trivy-tmp:/usr/local/bin/trivy /usr/local/bin/trivy
+          docker rm trivy-tmp >/dev/null
+          chmod +x /usr/local/bin/trivy
+          trivy --version
 
       - name: Scan Bot image
         run: |

.gitea/workflows/pr-checks.yml

@@ -47,7 +47,19 @@ jobs:
 
       - name: Install Trivy
         run: |
-          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+          # Install Trivy from the official Docker image instead of the
+          # upstream install.sh. Rationale (see deploy.yml for the long
+          # version): the GitHub release tag we pinned (v0.71.0) was
+          # unpublished, and install.sh fails hard on missing tags.
+          # Docker Hub images are content-addressed and rarely removed,
+          # and the multi-arch manifest covers linux/amd64 + linux/arm64.
+          set -euo pipefail
+          TRIVY_VERSION="0.70.0"
+          docker pull --quiet "aquasec/trivy:${TRIVY_VERSION}"
+          docker create --name trivy-tmp "aquasec/trivy:${TRIVY_VERSION}"
+          docker cp trivy-tmp:/usr/local/bin/trivy /usr/local/bin/trivy
+          docker rm trivy-tmp >/dev/null
+          chmod +x /usr/local/bin/trivy
           trivy --version
 
       - name: Trivy filesystem security scan

Directory.Build.props

@@ -1,6 +1,6 @@
 <Project>
   <PropertyGroup>
-    <Version>3.9.1</Version>
+    <Version>3.9.2</Version>
     <TargetFramework>net10.0</TargetFramework>
     <LangVersion>preview</LangVersion>
     <Nullable>enable</Nullable>

RELEASE_NOTES.md

@@ -1,4 +1,24 @@
-## 🐞 Patch 3.9.1 — Hotfix: Telegram-визард мёртв после 3.9.0
+## 🐞 Patch 3.9.2 — Hotfix: club-picker молча падал на шаге «Видимость» (3.9.1 неполный)
+
+В 3.9.1 был починен только `WizardDraftRepository` (самый частый путь). Тот же баг с `(CommandDefinition)`-оверлоадом Dapper остался в 4 клуб-пикерах / permission-локапах — Wizard доходил до шага «Видимость», и при выборе «Публичная в витрине клуба» / «Только для членов клуба» `PersistAndRenderAsync` дёргал `_messenger.GetOwnerClubsAsync` → `PlatformNotSupportedException` → `GameCreationWizard` глотал исключение → кнопка `ack` отправлялась с тостом «⚠️ Ошибка», но нового шага пользователь не видел. Privacy «не цеплялась».
+
+### 🩹 Что починено
+- `src/GmRelay.Bot/Features/Sessions/CreateSession/Wizard/TelegramWizardMessenger.cs::GetOwnerClubsAsync` — `new CommandDefinition(...)` → прямой `QueryAsync<WizardClubOption>(sql, params)`.
+- `src/GmRelay.DiscordBot/Features/Sessions/Wizard/DiscordWizardMessenger.cs::GetOwnerClubsAsync` — то же.
+- `src/GmRelay.DiscordBot/Features/Sessions/Wizard/DiscordWizardInteractionModule.cs::WizardClubLookup.LoadClubsAsync` — то же.
+- `src/GmRelay.DiscordBot/Features/Sessions/Wizard/DiscordPermissionLookup.cs::LoadManagerUserIdsAsync` — то же.
+- `src/GmRelay.DiscordBot/GmRelay.DiscordBot.csproj` — добавлен `<InterceptorsPreviewNamespaces>$(InterceptorsPreviewNamespaces);Dapper.AOT</InterceptorsPreviewNamespaces>` (раньше был только в Shared и Bot). Без этого `Dapper.AOT`-генератор не сканировал DiscordBot, и `new CommandDefinition`-вызовы в DiscordBot падали бы в рантайме даже после фикса сигнатур.
+- `src/GmRelay.DiscordBot/Program.cs` — добавлен `[module: Dapper.DapperAot]` (раньше только в Bot и Shared).
+- `Directory.Build.props` / `compose.yaml` / `.gitea/workflows/deploy.yml` / `NavMenu.razor` — бамп 3.9.1 → 3.9.2.
+- `tests/.../WizardDraftRepositoryAotShapeTests.cs` — расширены `ClubPickerAndPermissionLookups_ShouldNotUseCommandDefinition` на 4 inline-cases + опциональный `containingClass` для дизамбигуации одинаковых имён методов в DiscordWizardInteractionModule.
+
+### ⚠️ Известные ограничения
+- Web-проект не под NativeAOT (Blazor Server), там `Dapper.AOT` не подключён и используется обычный Dapper; регрессия его не касается.
+
+### 🧪 Тесты
+- 592/594 passed (2 pre-existing skipped), `dotnet format` clean, `dotnet build` 0 warnings/errors, AOT-генератор эмитит интерсепторы для всех 4 клуб-пикеров + `WizardDraftRepository` (всего 5 файлов: 4 в Bot/DiscordBot/DiscordBot + 1 в Shared).
+
+## 🐞 Patch 3.9.1 — Hotfix: Telegram-визард мёртв после 3.9.0
 
 Регрессия в `WizardDraftRepository` (NativeAOT). В Telegram **не реагировали кнопки** и **не создавались игры**, потому что Dapper.AOT 1.0.48 не генерирует интерсепторы для оверлоада `(CommandDefinition)` — рантайм падал в `CreateParamInfoGenerator` → `PlatformNotSupportedException` на каждом апдейте, `TelegramBotService` глотал исключение и апдейт терялся.
 

compose.yaml

@@ -49,7 +49,7 @@ services:
         crond -f
 
   bot:
-    image: git.codeanddice.ru/toutsu/gmrelay-bot:3.9.1
+    image: git.codeanddice.ru/toutsu/gmrelay-bot:3.9.2
     restart: always
     depends_on:
       db:
@@ -67,7 +67,7 @@ services:
       retries: 3
 
   discord:
-    image: git.codeanddice.ru/toutsu/gmrelay-discord-bot:3.9.1
+    image: git.codeanddice.ru/toutsu/gmrelay-discord-bot:3.9.2
     restart: always
     depends_on:
       db:
@@ -86,7 +86,7 @@ services:
       retries: 3
 
   web:
-    image: git.codeanddice.ru/toutsu/gmrelay-web:3.9.1
+    image: git.codeanddice.ru/toutsu/gmrelay-web:3.9.2
     restart: always
     depends_on:
       db:

src/GmRelay.Bot/Features/Sessions/CreateSession/Wizard/TelegramWizardMessenger.cs

@@ -82,6 +82,14 @@ public sealed class TelegramWizardMessenger(
         // and game_groups has no `club_id` FK). The picker therefore returns the
         // game_groups the owner manages as a GM (via group_managers), matching
         // the WizardClubOption contract (UUID id, name) used downstream.
+        //
+        // NativeAOT: Dapper.AOT 1.0.48 only generates interceptors for the
+        // (sql, object?) extension overload — not the (CommandDefinition) overload.
+        // The wizard reaches this method on the PickClub visibility step
+        // (issue #112 follow-up); using CommandDefinition here would fall back
+        // to Dapper.SqlMapper.CreateParamInfoGenerator, which uses Reflection.Emit
+        // and throws PlatformNotSupportedException on AOT. Same root cause as
+        // WizardDraftRepository.GetActiveAsync in v3.9.0, same fix pattern.
         const string sql = """
             SELECT g.id   AS ClubId,
                    g.name AS Name
@@ -95,10 +103,8 @@ public sealed class TelegramWizardMessenger(
             """;
         await using var connection = await dataSource.OpenConnectionAsync(ct);
         var rows = await connection.QueryAsync<WizardClubOption>(
-            new CommandDefinition(
-                sql,
-                new { Platform = "Telegram", ExternalId = ownerId },
-                cancellationToken: ct));
+            sql,
+            new { Platform = "Telegram", ExternalId = ownerId });
         return rows.AsList();
     }
 

src/GmRelay.DiscordBot/Features/Sessions/Wizard/DiscordPermissionLookup.cs

@@ -31,8 +31,10 @@ internal static class DiscordPermissionLookup
             """;
 
         await using var connection = await dataSource.OpenConnectionAsync(cancellationToken);
+        // NativeAOT: direct overload — see TelegramWizardMessenger.
         var rows = await connection.QueryAsync<ulong>(
-            new CommandDefinition(sql, new { GuildId = guildId.ToString() }, cancellationToken: cancellationToken));
+            sql,
+            new { GuildId = guildId.ToString() });
         return rows.ToList();
     }
 }

src/GmRelay.DiscordBot/Features/Sessions/Wizard/DiscordWizardInteractionModule.cs

@@ -537,11 +537,10 @@ internal static class WizardClubLookup
             ORDER BY g.name
             """;
         await using var conn = await dataSource.OpenConnectionAsync(ct);
+        // NativeAOT: direct overload — see TelegramWizardMessenger.
         var rows = await conn.QueryAsync<WizardClubOption>(
-            new CommandDefinition(
-                sql,
-                new { Platform = "Discord", OwnerId = ownerId },
-                cancellationToken: ct));
+            sql,
+            new { Platform = "Discord", OwnerId = ownerId });
         return rows.AsList();
     }
 }

src/GmRelay.DiscordBot/Features/Sessions/Wizard/DiscordWizardMessenger.cs

@@ -164,11 +164,11 @@ public sealed class DiscordWizardMessenger : IWizardMessenger
             ORDER BY g.name
             """;
         await using var conn = await _dataSource.OpenConnectionAsync(ct);
+        // NativeAOT: direct (sql, params) overload — see
+        // TelegramWizardMessenger.GetOwnerClubsAsync for why.
         var rows = await conn.QueryAsync<WizardClubOption>(
-            new CommandDefinition(
-                sql,
-                new { Platform = "Discord", ExternalId = ownerId },
-                cancellationToken: ct));
+            sql,
+            new { Platform = "Discord", ExternalId = ownerId });
         return rows.AsList();
     }
 

src/GmRelay.DiscordBot/GmRelay.DiscordBot.csproj

@@ -8,6 +8,7 @@
     <UserSecretsId>dotnet-GmRelay.DiscordBot-issue-26</UserSecretsId>
     <!-- DiscordBot uses vanilla Dapper in its own handlers; DAP005 requires AOT-enabled Dapper -->
     <NoWarn>$(NoWarn);DAP005</NoWarn>
+    <InterceptorsPreviewNamespaces>$(InterceptorsPreviewNamespaces);Dapper.AOT</InterceptorsPreviewNamespaces>
   </PropertyGroup>
 
   <ItemGroup>

src/GmRelay.DiscordBot/Program.cs

@@ -27,6 +27,8 @@ using NetCord.Services.ApplicationCommands;
 using NetCord.Services.ComponentInteractions;
 using Npgsql;
 
+[module: Dapper.DapperAot]
+
 var builder = Host.CreateApplicationBuilder(args);
 
 builder.AddServiceDefaults();

src/GmRelay.Web/Components/Layout/NavMenu.razor

@@ -82,7 +82,7 @@
                     </button>
                 </form>
 
-                <div class="nav-version">v3.9.1</div>
+                <div class="nav-version">v3.9.2</div>
             </div>
         </Authorized>
         <NotAuthorized>

tests/GmRelay.Bot.Tests/Features/Sessions/CreateSession/Wizard/WizardDraftRepositoryAotShapeTests.cs

@@ -28,7 +28,7 @@ public sealed class WizardDraftRepositoryAotShapeTests
             "Wizard",
             "WizardDraftRepository.cs"));
 
-        var getActive = ExtractMethodBody(source, "GetActiveAsync");
+        var getActive = ExtractMethodBody(source, "GetActiveAsync", "");
         Assert.DoesNotContain("new CommandDefinition", getActive, StringComparison.Ordinal);
     }
 
@@ -49,7 +49,29 @@ public sealed class WizardDraftRepositoryAotShapeTests
             "Wizard",
             "WizardDraftRepository.cs"));
 
-        var body = ExtractMethodBody(source, methodName);
+        var body = ExtractMethodBody(source, methodName, "");
+        Assert.DoesNotContain("new CommandDefinition", body, StringComparison.Ordinal);
+    }
+
+    /// <summary>
+    /// WizardDraftRepository was the only AOT-fatal site in v3.9.0, but the
+    /// same pattern (CommandDefinition on a Dapper extension that the AOT
+    /// generator cannot reach) is repeated in 4 club-picker / permission
+    /// lookups across Telegram and Discord messengers. v3.9.2 hotfix
+    /// converted them all to the direct (sql, params) overload. Lock the
+    /// regression so the next refactor doesn't reintroduce it.
+    /// </summary>
+    [Theory]
+    [InlineData("src/GmRelay.Bot/Features/Sessions/CreateSession/Wizard/TelegramWizardMessenger.cs", "GetOwnerClubsAsync", "")]
+    [InlineData("src/GmRelay.DiscordBot/Features/Sessions/Wizard/DiscordWizardMessenger.cs", "GetOwnerClubsAsync", "")]
+    [InlineData("src/GmRelay.DiscordBot/Features/Sessions/Wizard/DiscordWizardInteractionModule.cs", "LoadClubsAsync", "internal static class WizardClubLookup")]
+    [InlineData("src/GmRelay.DiscordBot/Features/Sessions/Wizard/DiscordPermissionLookup.cs", "LoadManagerUserIdsAsync", "")]
+    public void ClubPickerAndPermissionLookups_ShouldNotUseCommandDefinition(string relativePath, string methodName, string containingClass)
+    {
+        var repoRoot = FindRepositoryRoot();
+        var source = File.ReadAllText(Path.Combine(repoRoot, relativePath.Replace('/', Path.DirectorySeparatorChar)));
+
+        var body = ExtractMethodBody(source, methodName, containingClass);
         Assert.DoesNotContain("new CommandDefinition", body, StringComparison.Ordinal);
     }
 
@@ -82,9 +104,24 @@ public sealed class WizardDraftRepositoryAotShapeTests
         Assert.DoesNotContain("public DateTimeOffset ExpiresAt", source, StringComparison.Ordinal);
     }
 
-    private static string ExtractMethodBody(string source, string methodName)
+    private static string ExtractMethodBody(string source, string methodName, string containingClass)
     {
         var searchFrom = source.IndexOf(methodName, StringComparison.Ordinal);
+
+        // If a containing class is given (non-empty), narrow the search
+        // to the first occurrence AFTER the class declaration. This is
+        // needed when the same method name is used as a call site
+        // elsewhere in the file.
+        if (!string.IsNullOrEmpty(containingClass))
+        {
+            var classIdx = source.IndexOf(containingClass, StringComparison.Ordinal);
+            if (classIdx < 0)
+            {
+                throw new InvalidOperationException($"Could not locate class {containingClass} in source.");
+            }
+            searchFrom = source.IndexOf(methodName, classIdx, StringComparison.Ordinal);
+        }
+
         if (searchFrom < 0)
         {
             throw new InvalidOperationException($"Could not locate {methodName} in source.");
@@ -92,9 +129,11 @@ public sealed class WizardDraftRepositoryAotShapeTests
 
         // Accept any return type: `public async Task` (no result) or
         // `public async Task<int>` (with result). Search for the keyword
-        // "Task" right before the method name.
-        var idx = source.IndexOf("Task", searchFrom - 16, StringComparison.Ordinal);
-        if (idx < 0 || !source.Substring(idx, 4).StartsWith("Task", StringComparison.Ordinal))
+        // "Task" in a 60-char window before the method name so we also
+        // pick up `public static async Task<IReadOnlyList<ulong>>`.
+        var windowStart = Math.Max(0, searchFrom - 60);
+        var idx = source.IndexOf("Task", windowStart, StringComparison.Ordinal);
+        if (idx < 0 || idx >= searchFrom)
         {
             throw new InvalidOperationException($"Could not locate {methodName} declaration in source.");
         }

tests/GmRelay.Bot.Tests/Web/CampaignTemplatesNavigationTests.cs

@@ -15,7 +15,7 @@ public sealed class CampaignTemplatesNavigationTests
     public async Task NavMenu_ShouldExposeCurrentProjectVersion()
     {
         var navMenu = await File.ReadAllTextAsync(FindRepositoryFile("src/GmRelay.Web/Components/Layout/NavMenu.razor"));
-        Assert.Contains("v3.9.1", navMenu, StringComparison.Ordinal);
+        Assert.Contains("v3.9.2", navMenu, StringComparison.Ordinal);
     }
 
     [Fact]