feat: UNO-style table, social hub, cosmetics, speed mode, store IAB

Game table & play
- UNO-style restyle: suit-aware bolder cards (+xl size), pulsing playable glow,
  big "YOUR TURN" pill, active-seat ring, trick-win particle burst, round
  confetti, match coin-rain.
- Per-league turn time via turnMsForStake: 15s starter/AI, 10s pro, 7s expert;
  mirrored server-side in GameRoom.TurnMs.
- Speed (Blitz) mode for vs-AI/private: 5s turns, race to 5, ~halved pacing.
- Matchmaking waits ~15s (randomized 12-18s) then fills bots; elapsed timer + hint.

Rewards / gifts
- Richer post-match modal (floating coins, XP bar), celebration overlay reveals
  the unlocked sticker pack, boosted daily rewards (client+server synced),
  themed 7-day daily with special day-7.

Social
- Public profile modal (identity, stats, achievement board) from leaderboard /
  friends / discover / end-of-game roster; rate-limited add-friend (10/hour).
- Social hub: Friends / Discover (player search + suggestions) / Messages inbox.
- Profile gender (shown in finder/profile) + social links with public/friends/
  hidden visibility, enforced server-side.

Cosmetics
- Distinct card backs: per-design pattern families (stripes/argyle/grid/dots/
  rays/scales/crosshatch/royal/filigree/gem) + luxury motifs (lib/cardBack.ts),
  consistent on table/shop/profile; +Peacock/Rose-Gold backs.
- Purchasable titles (shop Titles section); title shown under the seat on the
  table and in discover/public profile.
- 10 new sticker packs (banter/kol-kol, Persian trends, court cards, moods).
- Persistent level+XP bar on Home and every inner screen.

Payments
- Buy-coins gateway opens in a new tab (no SPA dead-end) + focus refresh.
- Store IAB scaffolding: Cafe Bazaar deep-link purchase + redirect-token capture,
  Myket native-bridge contract, server-side IabService.Verify for both stores,
  config-driven via Iab__* env. POST /api/coins/iab/verify (JWT).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

server/src/Hokm.Server/Payments/IabService.cs

@@ -0,0 +1,121 @@
+using System.Net.Http.Json;
+using System.Text.Json;
+
+namespace Hokm.Server.Payments;
+
+/// <summary>
+/// Config for store in-app billing verification. Fill these from the Cafe Bazaar
+/// (pardakht) and Myket developer panels. Bound from the "Iab" config section /
+/// <c>Iab__*</c> env vars.
+/// </summary>
+public sealed class IabOptions
+{
+    /// <summary>Android package name registered in the store panels.</summary>
+    public string PackageName { get; set; } = "com.bargevasat.hokm";
+
+    // ── Cafe Bazaar (pardakht dev API, OAuth refresh-token flow) ──
+    public string BazaarClientId { get; set; } = "";
+    public string BazaarClientSecret { get; set; } = "";
+    public string BazaarRefreshToken { get; set; } = "";
+
+    // ── Myket (developer validation API) ──
+    public string MyketAccessToken { get; set; } = "";
+
+    /// <summary>
+    /// DEV ONLY. When true, purchases are credited WITHOUT remote verification
+    /// (use for local testing before you have store credentials). NEVER enable in
+    /// production — it lets a forged token mint coins.
+    /// </summary>
+    public bool AllowUnverified { get; set; } = false;
+}
+
+/// <summary>
+/// Verifies a store purchase token (Cafe Bazaar / Myket) server-to-server before
+/// coins are credited. Endpoints are config-driven; confirm the exact URLs against
+/// your store panel — the request/response shapes mirror Google Play's IAB API.
+/// </summary>
+public sealed class IabService
+{
+    private static readonly HttpClient Http = new();
+    private readonly IabOptions _opts;
+    private readonly ILogger<IabService> _log;
+
+    public IabService(IabOptions opts, ILogger<IabService> log)
+    {
+        _opts = opts;
+        _log = log;
+    }
+
+    public async Task<bool> Verify(string store, string productId, string token)
+    {
+        if (string.IsNullOrWhiteSpace(token)) return _opts.AllowUnverified;
+        store = (store ?? "").Trim().ToLowerInvariant();
+        try
+        {
+            return store switch
+            {
+                "bazaar" or "cafebazaar" => await VerifyBazaar(productId, token),
+                "myket" => await VerifyMyket(productId, token),
+                _ => _opts.AllowUnverified,
+            };
+        }
+        catch (Exception ex)
+        {
+            _log.LogWarning(ex, "IAB verify failed for store {Store} product {Product}", store, productId);
+            return _opts.AllowUnverified;
+        }
+    }
+
+    /// <summary>
+    /// Cafe Bazaar: exchange the refresh token for an access token, then validate
+    /// the in-app purchase. See https://pardakht.cafebazaar.ir/devapi/v2/.
+    /// </summary>
+    private async Task<bool> VerifyBazaar(string productId, string token)
+    {
+        if (string.IsNullOrWhiteSpace(_opts.BazaarRefreshToken)) return _opts.AllowUnverified;
+
+        // 1) refresh_token → access_token
+        var form = new FormUrlEncodedContent(new Dictionary<string, string>
+        {
+            ["grant_type"] = "refresh_token",
+            ["client_id"] = _opts.BazaarClientId,
+            ["client_secret"] = _opts.BazaarClientSecret,
+            ["refresh_token"] = _opts.BazaarRefreshToken,
+        });
+        var tokenResp = await Http.PostAsync("https://pardakht.cafebazaar.ir/devapi/v2/auth/token/", form);
+        if (!tokenResp.IsSuccessStatusCode) return false;
+        using var tokenDoc = JsonDocument.Parse(await tokenResp.Content.ReadAsStringAsync());
+        if (!tokenDoc.RootElement.TryGetProperty("access_token", out var at)) return false;
+        var access = at.GetString();
+
+        // 2) validate the purchase
+        var url = $"https://pardakht.cafebazaar.ir/devapi/v2/api/validate/{_opts.PackageName}/inapp/{Uri.EscapeDataString(productId)}/purchases/{Uri.EscapeDataString(token)}/?access_token={access}";
+        var vResp = await Http.GetAsync(url);
+        if (!vResp.IsSuccessStatusCode) return false;
+        using var vDoc = JsonDocument.Parse(await vResp.Content.ReadAsStringAsync());
+        // purchaseState: 0 = purchased (1 = refunded/cancelled). Absent ⇒ a 200 body
+        // is itself proof of a valid purchase.
+        if (vDoc.RootElement.TryGetProperty("purchaseState", out var ps) && ps.ValueKind == JsonValueKind.Number)
+            return ps.GetInt32() == 0;
+        return true;
+    }
+
+    /// <summary>
+    /// Myket: validate via the developer API (mirrors Google Play). The access
+    /// token comes from the Myket developer panel.
+    /// </summary>
+    private async Task<bool> VerifyMyket(string productId, string token)
+    {
+        if (string.IsNullOrWhiteSpace(_opts.MyketAccessToken)) return _opts.AllowUnverified;
+
+        var url = $"https://developer.myket.ir/api/applications/{_opts.PackageName}/purchases/products/{Uri.EscapeDataString(productId)}/tokens/{Uri.EscapeDataString(token)}";
+        using var req = new HttpRequestMessage(HttpMethod.Get, url);
+        req.Headers.Add("X-Access-Token", _opts.MyketAccessToken);
+        var resp = await Http.SendAsync(req);
+        if (!resp.IsSuccessStatusCode) return false;
+        using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
+        if (doc.RootElement.TryGetProperty("purchaseState", out var ps) && ps.ValueKind == JsonValueKind.Number)
+            return ps.GetInt32() == 0;
+        return true;
+    }
+}