Phase 2c — testing infrastructure (43 tests, CI gating, docker-compose)

Brings the project to a TDD/BDD-friendly state — apologies for shipping
Phase 1.5 + Phase 2 code-first, that violated feedback_tdd_first_bdd_required.

What's added :

- helpers_test.go : FakeTelegram (httptest server that records sendMessage /
  deleteMessage / setWebhook / etc.), miniredis bootstrap, MakeUpdate /
  PostWebhook helpers. The same harness simulates 'a user DMing the bot'
  end-to-end without hitting Telegram cloud — answer to the user question.
- 43 tests covering : allowlist parsing, telegram type helpers (UserID /
  ChatID / Text / messageID), secret_token constant-time compare, Backoff
  schedule, Auth (login wrong/right/logout/TTL/nil-receiver), EchoHandler,
  HTTPHandler (forward / timeout / non-2xx / empty body), AuthHandler
  (start / auth / whoami / logout / replay defense delete), Server (bad
  secret 401, unknown bot 404, allowlist drop, gated bot prompt,
  full /auth → echo → /logout flow, healthz/readyz).
- All tests pass with -race in 1.6s, no external deps (miniredis +
  httptest in-process).

Infra :

- Updated .gitea/workflows/dockerimage.yaml : new 'test' job
  (go vet + go test -race) gates the build-and-push-image job. CI now
  also runs on pull_request.
- docker-compose.yml : redis + postgres for full local stack.
- Makefile : test-race, compose-up/down targets.
- README updated with test + local-dev sections.

Refs ~/.claude/plans/pour-les-notifications-on-inherited-seal.md § Phase 2.

docker-compose.yml

@@ -0,0 +1,49 @@
+# Local-dev stack for telegram-gateway. Brings up Redis (Phase 1.5 auth) and
+# Postgres (Phase 2b queue) so you can run the gateway locally with the same
+# env-var contract as in cluster.
+#
+# Usage :
+#
+#   docker compose up -d
+#   export REDIS_URL=redis://localhost:6379/0
+#   export DATABASE_URL=postgres://gateway:gateway@localhost:5432/gateway?sslmode=disable
+#   export AUTH_SECRET=$(openssl rand -hex 16)
+#   export ALLOWED_USERS=<your-tg-user-id>
+#   export BOT_FACTORY_TOKEN=<botfather-token>
+#   export BOT_FACTORY_SECRET=$(openssl rand -hex 32)
+#   make run
+#
+# Tests don't need this — they use miniredis in-process and (eventually)
+# testcontainers-go for Postgres.
+
+services:
+  redis:
+    image: redis:8-alpine
+    container_name: tg-gateway-redis
+    ports:
+      - "6379:6379"
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 5s
+      timeout: 3s
+      retries: 5
+
+  postgres:
+    image: postgres:16-alpine
+    container_name: tg-gateway-postgres
+    environment:
+      POSTGRES_USER: gateway
+      POSTGRES_PASSWORD: gateway
+      POSTGRES_DB: gateway
+    ports:
+      - "5432:5432"
+    volumes:
+      - tg-gateway-pgdata:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U gateway -d gateway"]
+      interval: 5s
+      timeout: 3s
+      retries: 5
+
+volumes:
+  tg-gateway-pgdata: