feat(acl): redesign ACL with conversation scope selector (#297)

Backend
- New subject kinds: all / channel_identity / channel_type
- Source scope fields on bot_acl_rules: source_channel,
  source_conversation_type, source_conversation_id, source_thread_id
- Fix source_scope_check constraint: resolve source_channel server-side
  (channel_type → subject_channel_type; channel_identity → DB lookup)
- Add GET /bots/:id/acl/channel-types/:type/conversations to list
  observed conversations by platform type
- ListObservedConversations: include private/DM chats, normalise
  conversation_type; COALESCE(name, handle) for display name
- enrichConversationAvatar: persist entry.Name → conversation_name
  (keeps Telegram group titles current on every message)
- Unify Priority type to int32 across Go types to match DB INTEGER;
  remove all int/int32 casts in service layer
- Fix duplicate nil guard in Evaluate; drop dead SourceScope.Channel field
- Migration 0048_acl_redesign

Frontend
- Drag-and-drop rule priority reordering (SortableJS/useSortable);
  fix reorder: compute new order from oldIndex/newIndex directly,
  not from the array (which useSortable syncs after onEnd)
- Conversation scope selector: searchable popover backed by observed
  conversations (by identity or platform type); collapsible manual-ID fallback
- Display: name as primary label, stable channel·type·id always shown
  as subtitle for verification
- bot-terminal: accessibility fix on close-tab button (keyboard events)
- i18n: drag-to-reorder, conversation source, manual IDs (en/zh)

Tests: update fakeChatACL to Evaluate interface; fix SourceScope literals.
SDK/spec regenerated.

db/migrations/0048_acl_redesign.down.sql

@@ -0,0 +1,57 @@
+-- 0044_acl_redesign
+-- Rollback: restore old bot_acl_rules schema and remove bots.acl_default_effect.
+
+DO $$
+BEGIN
+  IF EXISTS (
+    SELECT 1 FROM bot_acl_rules
+    WHERE subject_kind IN ('all', 'channel_type')
+  ) THEN
+    RAISE EXCEPTION 'cannot rollback 0044_acl_redesign while "all" or "channel_type" ACL rules exist';
+  END IF;
+END $$;
+
+-- Restore user_id column
+ALTER TABLE bot_acl_rules
+  ADD COLUMN IF NOT EXISTS user_id UUID REFERENCES users(id) ON DELETE CASCADE;
+
+CREATE INDEX IF NOT EXISTS idx_bot_acl_rules_user_id ON bot_acl_rules(user_id);
+
+-- Drop new columns
+ALTER TABLE bot_acl_rules
+  DROP COLUMN IF EXISTS priority,
+  DROP COLUMN IF EXISTS enabled,
+  DROP COLUMN IF EXISTS description,
+  DROP COLUMN IF EXISTS subject_channel_type;
+
+DROP INDEX IF EXISTS idx_bot_acl_rules_bot_priority;
+
+-- Drop new constraints
+ALTER TABLE bot_acl_rules
+  DROP CONSTRAINT IF EXISTS bot_acl_rules_subject_kind_check,
+  DROP CONSTRAINT IF EXISTS bot_acl_rules_subject_value_check,
+  DROP CONSTRAINT IF EXISTS bot_acl_rules_unique_channel_identity;
+
+-- Restore old constraints
+ALTER TABLE bot_acl_rules
+  ADD CONSTRAINT bot_acl_rules_subject_kind_check CHECK (subject_kind IN ('guest_all', 'user', 'channel_identity')),
+  ADD CONSTRAINT bot_acl_rules_subject_value_check CHECK (
+    (subject_kind = 'guest_all' AND user_id IS NULL AND channel_identity_id IS NULL) OR
+    (subject_kind = 'user' AND user_id IS NOT NULL AND channel_identity_id IS NULL) OR
+    (subject_kind = 'channel_identity' AND user_id IS NULL AND channel_identity_id IS NOT NULL)
+  ),
+  ADD CONSTRAINT bot_acl_rules_unique_user UNIQUE NULLS NOT DISTINCT (
+    bot_id, action, effect, subject_kind, user_id,
+    source_channel, source_conversation_type, source_conversation_id, source_thread_id
+  ),
+  ADD CONSTRAINT bot_acl_rules_unique_channel_identity UNIQUE NULLS NOT DISTINCT (
+    bot_id, action, effect, subject_kind, channel_identity_id,
+    source_channel, source_conversation_type, source_conversation_id, source_thread_id
+  );
+
+-- Remove acl_default_effect from bots
+ALTER TABLE bots
+  DROP CONSTRAINT IF EXISTS bots_acl_default_effect_check;
+
+ALTER TABLE bots
+  DROP COLUMN IF EXISTS acl_default_effect;