feat(leaderboard): opt-out support — server endpoint, client method, UI button

- Server: DELETE /api/leaderboard/opt-in sets leaderboard_opt_in=0,
  hiding the player without deleting their row (scores preserved for re-opt-in)
- SyncProvider trait: opt_out_leaderboard() default no-op method + blanket impl
- SolitaireServerClient: implements opt_out_leaderboard via DELETE request with JWT refresh
- Leaderboard UI: "Opt Out" button (dark red) alongside existing "Opt In" button
- Server integration test: opt-out hides, opt-in restores (round-trip verified)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

solitaire_server/src/leaderboard.rs

@@ -84,6 +84,25 @@ pub async fn get_leaderboard(
     Ok(Json(entries?))
 }
 
+/// `DELETE /api/leaderboard/opt-in` — opt out, hiding the player's entry.
+///
+/// Sets `leaderboard_opt_in = 0` on the user row so the entry no longer
+/// appears in `GET /api/leaderboard`. The leaderboard row itself is kept
+/// so scores are preserved if the player opts back in later.
+pub async fn opt_out(
+    State(pool): State<SqlitePool>,
+    user: AuthenticatedUser,
+) -> Result<Json<serde_json::Value>, AppError> {
+    sqlx::query!(
+        "UPDATE users SET leaderboard_opt_in = 0 WHERE id = ?",
+        user.user_id
+    )
+    .execute(&pool)
+    .await?;
+
+    Ok(Json(serde_json::json!({ "ok": true })))
+}
+
 /// `POST /api/leaderboard/opt-in` — opt in and upsert the player's entry.
 ///
 /// Sets `leaderboard_opt_in = 1` on the user row and creates/updates the

solitaire_server/src/lib.rs

@@ -44,6 +44,7 @@ fn build_router_inner(pool: SqlitePool, rate_limit: bool) -> Router {
         .route("/api/sync/push", post(sync::push))
         .route("/api/leaderboard", get(leaderboard::get_leaderboard))
         .route("/api/leaderboard/opt-in", post(leaderboard::opt_in))
+        .route("/api/leaderboard/opt-in", delete(leaderboard::opt_out))
         .route("/api/account", delete(auth::delete_account))
         .layer(axum_middleware::from_fn(middleware::require_auth));