Vendor telegram webapp sdk and bump to 0.10.4 #87

Closed
RAprogramm wants to merge 1 commit into new_version from codex/update-telegram-webapp-sdk-dependency
Conversation

@RAprogramm
Owner

Summary

  • vendor the telegram-webapp-sdk crate and point the workspace at the local copy via a crates.io patch
  • update the vendored manifest to depend on the workspace masterror (optional) and bump masterror itself to 0.10.4
  • refresh the changelog and README to describe the dependency update and new version

Testing

  • cargo +nightly fmt --
  • cargo +1.90.0 build --all-targets
  • cargo +1.90.0 clippy -- -D warnings
  • cargo +1.90.0 test --all-targets
  • cargo +1.90.0 doc --no-deps
  • cargo deny check
  • cargo audit

https://chatgpt.com/codex/tasks/task_e_68ce7718599c832ba1fb793a384df2e6

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Codex Review: Here are some suggestions.

Comment on lines +47 to +49
let secret_key = Hash::hash(format!("WebAppData{}", bot_token).as_bytes());
let expected_hash = HMAC::mac(check_string.as_bytes(), secret_key);
let expected_hex = encode(expected_hash);

[P1] Derive Telegram secret key with HMAC not SHA256

The new verify_init_data_hash helper derives secret_key using Hash::hash(format!("WebAppData{}", bot_token).as_bytes()) before calling HMAC::mac on the data check string. According to Telegram’s WebApp verification rules, the secret key must be HMAC_SHA256(b"WebAppData", bot_token), not a plain SHA256 of the concatenated string. Because the intermediate key is wrong, the routine will return false for every valid init_data payload, making the helper unusable for legitimate verification flows.

Useful? React with 👍 / 👎.
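
Added example, not part of the pull request or the review and not the crate's own code: the initData check with the HMAC-based key derivation next to the SHA-256 derivation quoted above, written in Python so it runs on the standard library alone. The bot token, the payload fields and all function names are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

BOT_TOKEN = "123456:CONSTRUCTED-TOKEN-FOR-EXAMPLE"  # constructed, not a real token


def secret_key_correct(bot_token: str) -> bytes:
    # HMAC-SHA256 keyed with the constant "WebAppData"; the bot token is the message.
    return hmac.new(b"WebAppData", bot_token.encode(), hashlib.sha256).digest()


def secret_key_as_in_pr(bot_token: str) -> bytes:
    # Derivation flagged in the review: plain SHA-256 of "WebAppData" + token.
    return hashlib.sha256(f"WebAppData{bot_token}".encode()).digest()


def check_string(fields: dict) -> str:
    # Decoded key=value pairs (without "hash"), sorted by key, joined with "\n".
    return "\n".join(f"{k}={v}" for k, v in sorted(fields.items()))


def verify_init_data(init_data: str, bot_token: str, derive=secret_key_correct) -> bool:
    try:
        fields = dict(parse_qsl(init_data, keep_blank_values=True, strict_parsing=True))
    except ValueError:
        return False  # malformed query string
    supplied = fields.pop("hash", "")
    expected = hmac.new(derive(bot_token), check_string(fields).encode(),
                        hashlib.sha256).hexdigest()
    # Compare as bytes in constant time; non-ASCII input cannot raise here.
    return hmac.compare_digest(expected.encode(), supplied.encode())


def make_sample(bot_token: str) -> str:
    # Constructed payload, signed the way Telegram signs initData.
    fields = {"auth_date": "1700000000", "query_id": "AAEXAMPLE",
              "user": '{"id":42,"first_name":"Test"}'}
    digest = hmac.new(secret_key_correct(bot_token), check_string(fields).encode(),
                      hashlib.sha256).hexdigest()
    return urlencode({**fields, "hash": digest})


if __name__ == "__main__":
    sample = make_sample(BOT_TOKEN)
    print("correct derivation:", verify_init_data(sample, BOT_TOKEN))
    print("derivation from the PR:", verify_init_data(sample, BOT_TOKEN, secret_key_as_in_pr))
```

A production check would also reject payloads whose `auth_date` is older than an accepted window, since a valid signature alone does not stop replay of an old payload.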

@RAprogramm RAprogramm closed this Sep 20, 2025
@RAprogramm RAprogramm deleted the codex/update-telegram-webapp-sdk-dependency branch September 21, 2025 00:28