feat(auth): multi-provider account linking via member_accounts

New table member_accounts (provider, provider_id) → member_id.
One school_email can have multiple linked accounts:
  학교 이메일
  ├─ Google 계정 1
  ├─ Google 계정 2
  ├─ Notion (future)
  └─ Figma (future)

- Login: looks up member_accounts by (google, email) → member
- Register: creates member + google account link
- Duplicate check: google email + school_email both checked
- Migration 008: creates table + migrates existing emails to accounts
- UNIQUE(provider, provider_id) prevents duplicate account links

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: ImTotem

alembic/versions/008_member_accounts.py

@@ -0,0 +1,42 @@
+"""member_accounts for multi-provider auth
+
+Revision ID: 008
+Revises: 007
+"""
+
+import sqlalchemy as sa
+from alembic import op
+
+revision = "008"
+down_revision = "007"
+
+
+def upgrade() -> None:
+    op.create_table(
+        "member_accounts",
+        sa.Column("id", sa.String, primary_key=True),
+        sa.Column("member_id", sa.String, sa.ForeignKey("members.id")),
+        sa.Column("provider", sa.String, nullable=False),
+        sa.Column("provider_id", sa.String, nullable=False),
+        sa.Column("created_at", sa.String),
+    )
+    op.create_unique_constraint(
+        "uq_member_accounts_provider",
+        "member_accounts",
+        ["provider", "provider_id"],
+    )
+    op.execute("""
+        INSERT INTO member_accounts (id, member_id, provider, provider_id, created_at)
+        SELECT
+            'MA-' || id,
+            id,
+            'google',
+            email,
+            join_date
+        FROM members
+        WHERE email IS NOT NULL AND email != ''
+    """)
+
+
+def downgrade() -> None:
+    op.drop_table("member_accounts")

src/bcsd_api/auth/service.py

@@ -19,7 +19,7 @@ def login(
     google_token: str, settings: Settings, repo: PgMemberRepository,
 ) -> str:
     profile = google_auth.verify_token(google_token, settings.google_client_id)
-    member = repo.find_by_email(profile["email"])
+    member = repo.find_by_provider("google", profile["email"])
     if not member:
         raise Unauthorized("member not found, registration required")
     payload = {"sub": member["id"], "email": profile["email"]}
@@ -41,13 +41,16 @@ def register(
     settings: Settings, repo: PgMemberRepository, conn: Connection,
 ) -> tuple[str, str]:
     profile = google_auth.verify_token(google_token, settings.google_client_id)
-    _check_duplicate(profile["email"], school_email, repo)
+    _check_google(profile["email"], repo)
+    _check_school_email(school_email, repo)
     member_id = generate_id("M")
+    now = _now_kst()
     row = _build_row(
         member_id, name, profile["email"],
         department, student_id, school_email, phone, track, grade,
     )
     repo.create(row)
+    repo.add_account(generate_id("MA"), member_id, "google", profile["email"], now)
     routing = _resolve_routing(grade, conn)
     token = _issue_jwt({"sub": member_id, "email": profile["email"]}, settings)
     return token, routing
@@ -60,9 +63,12 @@ def _issue_jwt(payload: dict, settings: Settings) -> str:
     )
 
 
-def _check_duplicate(email: str, school_email: str, repo: PgMemberRepository) -> None:
-    if repo.find_by_email(email):
+def _check_google(email: str, repo: PgMemberRepository) -> None:
+    if repo.find_account("google", email):
         raise Conflict("이미 가입된 Google 계정입니다")
+
+
+def _check_school_email(school_email: str, repo: PgMemberRepository) -> None:
     if repo.find_by_school_email(school_email):
         raise Conflict("이미 가입된 학교 이메일입니다")
 

src/bcsd_api/member/pg_repository.py

@@ -1,7 +1,7 @@
 from sqlalchemy import Connection, insert, select, update
 
 from bcsd_api.repository import BaseRepository
-from bcsd_api.tables import members
+from bcsd_api.tables import member_accounts, members
 
 
 class PgMemberRepository(BaseRepository):
@@ -24,9 +24,41 @@ def find_by_school_email(self, school_email: str) -> dict | None:
             return None
         return row._asdict()
 
+    def find_by_provider(self, provider: str, provider_id: str) -> dict | None:
+        stmt = (
+            select(members)
+            .join(member_accounts, member_accounts.c.member_id == members.c.id)
+            .where(
+                member_accounts.c.provider == provider,
+                member_accounts.c.provider_id == provider_id,
+            )
+        )
+        row = self._conn.execute(stmt).first()
+        if not row:
+            return None
+        return row._asdict()
+
     def create(self, row: dict) -> None:
         self._conn.execute(insert(members).values(**row))
 
+    def add_account(self, account_id: str, member_id: str, provider: str, provider_id: str, created_at: str) -> None:
+        self._conn.execute(insert(member_accounts).values(
+            id=account_id, member_id=member_id,
+            provider=provider, provider_id=provider_id,
+            created_at=created_at,
+        ))
+
+    def find_account(self, provider: str, provider_id: str) -> dict | None:
+        row = self._conn.execute(
+            select(member_accounts).where(
+                member_accounts.c.provider == provider,
+                member_accounts.c.provider_id == provider_id,
+            ),
+        ).first()
+        if not row:
+            return None
+        return row._asdict()
+
     def update_status(self, member_id: str, status: str) -> None:
         self._conn.execute(
             update(members).where(members.c.id == member_id).values(status=status),

src/bcsd_api/tables.py

@@ -162,6 +162,15 @@
     Column("value", Text, nullable=False),
 )
 
+member_accounts = Table(
+    "member_accounts", metadata,
+    Column("id", String, primary_key=True),
+    Column("member_id", String, ForeignKey("members.id")),
+    Column("provider", String, nullable=False),
+    Column("provider_id", String, nullable=False),
+    Column("created_at", String),
+)
+
 app_settings = Table(
     "app_settings", metadata,
     Column("key", String, primary_key=True),