feat(messaging): friend-gated direct messages

[danjdewhurst]

Summary

Implements the Direct Friend Messaging follow-up from FOLLOW_UPS.md.

Design choice (the follow-up asked to define it): persisted friend-to-friend direct messages, not ephemeral room whispers — room chat already covers same-room talk, so DMs add private, cross-room, offline-capable messaging. Privacy: only mutual friends can message each other or read history.

Protocol

• dm.send client message ({ toUserId, text }) and dm.message server message ({ id, fromUserId, toUserId, text, sentAt }). Text is sanitized + length-bounded by the schema.

Server

• DirectMessageService gates every send and history read on a mutual-friendship check (FriendStore.areFriends), persists to a new direct_messages table (migration 0009, with a no-self CHECK and conversation indexes).
• The WS handler publishes dm.message to the recipient's and sender's per-user topic (user:<id>) for realtime delivery to every open tab; each socket subscribes to its user topic on open.
• Sends are rate-limited via a new dm token bucket. GET /friends/:id/messages returns friend-gated, bounded, oldest-first history.

Client

• A "Message" action on each friend opens a DirectMessagePanel — history loaded over HTTP, live messages appended over the socket, own vs. incoming alignment, styled to match the app.
• Game routes dm.message to onDirectMessage and exposes sendDirectMessage.

Test plan

• bun run lint ✅ · bun run typecheck ✅
• bun test ✅ 272 pass / 1 skip · bun run coverage:check ✅ 91.6% (critical dirs ≥81%)
• RUN_DB_TESTS=1 (real Postgres) ✅ 277 pass incl. a DM-store integration test (round-trip + bidirectional conversation + the no-self CHECK)
• Two-user browser test (Playwright): A befriends B → A messages B → A's panel shows it → B opens the conversation and loads the persisted message → A sends again → B receives it live, aligned as incoming. A stranger's dm.send is rejected with NOT_FRIENDS.

🤖 Generated with Claude Code