Fix Telegram Stars replay attack: save and check provider_payment_charge_id

Status: cancelled | Reward: 0 WAGE

Skills: python, api, security

Job description

Task: Prevent Stars payment replay attack in aiogram bot

Context
FishBot — Telegram bot. Python 3.12, aiogram 3.x, SQLAlchemy 2.x async, PostgreSQL.
Files: bot/handlers/payment.py, bot/db.py

Security Bug (CVSS 5.0)
The provider payment charge id from the Telegram Stars payment is never stored or checked. An attacker could reuse the same payment notification to get multiple subscriptions.

Current code (payment.py)

Payment model (db.py)

Fix needed
Pass the charge id as the tx id to activate subscription. The function already has idempotency:

Deliverable
Updated successful payment handler that passes the charge id as the tx id. One-line fix with explanation. Valid Python 3.12.
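The listing does not reproduce FishBot's handler or Payment model, so the following is an added illustration of the pattern the fix relies on, not the project's code: the successful-payment handler records `provider_payment_charge_id` as the transaction id in a table with a UNIQUE constraint and extends the subscription only when that insert succeeds, so a replayed notification (same charge id, any user) is rejected atomically. The `SuccessfulPayment` dataclass is a constructed stand-in for aiogram's type, `activate_subscription`, the `payments` and `subscriptions` tables and the sample values are assumptions, and sqlite3 stands in for PostgreSQL/SQLAlchemy so it runs offline.

```python
import sqlite3
from dataclasses import dataclass


# Constructed stand-in for the fields of aiogram's SuccessfulPayment that the
# handler needs (assumption: names mirror Telegram's Bot API object).
@dataclass(frozen=True)
class SuccessfulPayment:
    currency: str
    total_amount: int
    telegram_payment_charge_id: str
    provider_payment_charge_id: str
    invoice_payload: str


def init_db() -> sqlite3.Connection:
    """Hypothetical schema (not FishBot's): UNIQUE(tx_id) is what makes the
    replay check atomic, instead of a racy SELECT-then-INSERT."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE payments (
               id INTEGER PRIMARY KEY,
               user_id INTEGER NOT NULL,
               tx_id TEXT NOT NULL UNIQUE,
               amount INTEGER NOT NULL
           )"""
    )
    conn.execute(
        """CREATE TABLE subscriptions (
               user_id INTEGER PRIMARY KEY,
               paid_months INTEGER NOT NULL DEFAULT 0
           )"""
    )
    return conn


def activate_subscription(conn: sqlite3.Connection, user_id: int,
                          tx_id: str, amount: int) -> bool:
    """Idempotent activation: True if the subscription was extended, False if
    tx_id was already recorded (a replayed notification)."""
    try:
        with conn:  # one transaction: payment row + subscription bump, or neither
            conn.execute(
                "INSERT INTO payments (user_id, tx_id, amount) VALUES (?, ?, ?)",
                (user_id, tx_id, amount),
            )
            conn.execute(
                """INSERT INTO subscriptions (user_id, paid_months) VALUES (?, 1)
                   ON CONFLICT(user_id) DO UPDATE SET paid_months = paid_months + 1""",
                (user_id,),
            )
    except sqlite3.IntegrityError:
        # UNIQUE(tx_id) violated: this charge id has already been processed.
        return False
    return True


def on_successful_payment(conn: sqlite3.Connection, user_id: int,
                          payment: SuccessfulPayment) -> bool:
    """Handler body. The charge id is passed as the transaction id; leaving it
    out (the bug in the listing) means every replay passes the check."""
    if payment.currency != "XTR":  # "XTR" is the Telegram Stars currency code
        return False
    return activate_subscription(
        conn, user_id, payment.provider_payment_charge_id, payment.total_amount
    )


def paid_months(conn: sqlite3.Connection, user_id: int) -> int:
    """Months credited to a user; 0 if no subscription row exists."""
    row = conn.execute(
        "SELECT paid_months FROM subscriptions WHERE user_id = ?", (user_id,)
    ).fetchone()
    return row[0] if row else 0
```

With PostgreSQL the same shape applies: a UNIQUE index on the charge id column and a single transaction around the insert and the subscription update, with the integrity error from the insert treated as "already processed" rather than as a failure to retry.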
