feat: add Telegram integration with forum topic support and creator tracking

Adds full Telegram ZIP ingestion pipeline: TDLib worker service scans source
channels for archive files, deduplicates by content hash, extracts metadata,
uploads to archive channel, and indexes in Postgres. Forum supergroups are
scanned per-topic with topic names used as creator. Filename-based creator
extraction (e.g. "Mammoth Factory - 2026-01.zip") serves as fallback.

Includes admin UI for managing accounts/channels, simplified account setup
(API credentials via env vars), auth code/password submission dialog,
package browser with creator column, and live ingestion activity tracking.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/lib/telegram/api-auth.ts

@@ -0,0 +1,45 @@
+import { auth } from "@/lib/auth";
+import { NextResponse } from "next/server";
+
+/**
+ * Authenticate an API request. Checks:
+ * 1. X-API-Key header against TELEGRAM_API_KEY env var
+ * 2. NextAuth session
+ *
+ * Returns null if authenticated, or a NextResponse error if not.
+ */
+export async function authenticateApiRequest(
+  request: Request,
+  requireAdmin = false
+): Promise<{ error: NextResponse } | { userId: string; role: string }> {
+  // Check API key first
+  const apiKey = request.headers.get("X-API-Key");
+  const envKey = process.env.TELEGRAM_API_KEY;
+
+  if (apiKey && envKey && apiKey === envKey) {
+    // API key auth — treated as admin
+    return { userId: "api-key", role: "ADMIN" };
+  }
+
+  // Fall back to session auth
+  const session = await auth();
+  if (!session?.user?.id) {
+    return {
+      error: NextResponse.json(
+        { error: "Unauthorized" },
+        { status: 401 }
+      ),
+    };
+  }
+
+  if (requireAdmin && session.user.role !== "ADMIN") {
+    return {
+      error: NextResponse.json(
+        { error: "Forbidden: admin role required" },
+        { status: 403 }
+      ),
+    };
+  }
+
+  return { userId: session.user.id, role: session.user.role };
+}