feat(admin-console): Stage 1 — pipe + skeleton behind the gateway

Add the server-rendered operator console at /_gm, exposed publicly through
the gateway behind the existing admin_accounts Basic Auth.

Backend:
- new internal/adminconsole package (html/template Renderer, stateless HMAC
  CSRF signer, embedded stylesheet)
- /_gm route group reusing basicauth.Middleware(admin.Service) + a CSRF guard
  (per-operator token + same-origin check); dashboard landing page
- BACKEND_ADMIN_CONSOLE_CSRF_KEY config (per-process random fallback)

Gateway:
- new "admin" public route class (per-IP rate limit, body + GET/HEAD/POST
  method limits) classifying /_gm traffic
- reverse proxy to the backend /_gm surface, preserving Host and relaying the
  backend 401 Basic Auth challenge; 502 when the backend is unreachable
- GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_ADMIN_* config

dev-deploy:
- Caddy routes /_gm/* to the gateway
- bootstrap admin + stable CSRF key; enable Prometheus /metrics exporters on
  backend and gateway (forward-compat for a future Prometheus/Grafana stack)

Docs: ARCHITECTURE 14.1/16, FUNCTIONAL 10.2.1 (+ru mirror), backend and
gateway READMEs, new backend/docs/admin-console.md.

Tests: renderer + CSRF unit tests; backend router auth/render/asset/CSRF;
gateway classifier, proxy forwarding/Host/401/405/413/429/502.

docs/ARCHITECTURE.md

@@ -581,6 +581,30 @@ directly.
   `/api/v1/admin/notifications/*`) reuse the per-domain logic of the
   module they target.
 
+### 14.1 Operator console (`/_gm`)
+
+`backend` also serves a server-rendered operator console under the `/_gm`
+route group — the human-facing surface for the admin operations otherwise
+exposed as JSON under `/api/v1/admin/*`. It reuses the `admin_accounts`
+Basic Auth verifier and renders pages with the standard library's
+`html/template` (navigation by path and query, Post/Redirect/Get on
+writes; no client framework or build step).
+
+Unlike the internal-only JSON admin API, the console is reachable from the
+public edge: Caddy routes `/_gm/*` to the gateway public listener, which
+classifies it as the `admin` anti-abuse class (per-IP rate limit, body and
+method limits) and reverse-proxies it to `backend`'s `/_gm` surface. The
+gateway preserves the inbound `Host` and relays the backend's 401 Basic
+Auth challenge unchanged, so the browser shows its native credential
+dialog. Authentication is enforced by `backend`; the gateway contributes
+only the edge anti-abuse layer.
+
+State-changing requests are guarded against CSRF by a stateless token
+(HMAC-SHA256 over the authenticated username, keyed by
+`BACKEND_ADMIN_CONSOLE_CSRF_KEY`; a per-process random key is used when the
+variable is unset) plus a same-origin `Origin`/`Referer` check. See
+`backend/docs/admin-console.md` for the console design.
+
 ## 15. Transport Security Model (gateway boundary)
 
 This section describes the secure exchange model between client and
@@ -823,7 +847,8 @@ business validation and authorisation.
 | Session revocation propagation                           | backend → gateway       | `session_invalidation` over the gRPC push stream flips the gateway-side cache entry to revoked and closes any active push stream. |
 | Authorisation, ownership, state transitions              | backend                 | `X-User-ID` is the sole identity input on the user surface.                                     |
 | Edge rate limiting                                       | gateway                 | Backend has no rate-limit responsibility in MVP.                                                |
-| Admin authentication                                     | backend                 | Basic Auth against `admin_accounts`.                                                            |
+| Admin authentication                                     | backend                 | Basic Auth against `admin_accounts`; the `/_gm` operator console reuses the same verifier.       |
+| Admin console CSRF                                        | backend                 | Stateless HMAC token (`BACKEND_ADMIN_CONSOLE_CSRF_KEY`) + same-origin `Origin`/`Referer` check on `/_gm` writes. |
 | Engine API authentication                                | network                 | Engine listens only on the trusted network; backend is the only caller.                         |
 
 ### Backend ↔ Gateway trust

docs/FUNCTIONAL.md

@@ -1162,6 +1162,22 @@ operator's password manager can match it across deployments.
 After the first deployment, the bootstrap password should be
 rotated through the admin surface.
 
+### 10.2.1 Operator console (`/_gm`)
+
+Administrators drive these operations either programmatically through
+the JSON admin API or through a server-rendered web console at `/_gm`.
+The console authenticates with the same Basic Auth credentials: opening
+any `/_gm` page prompts the browser's native credential dialog, and the
+operator stays signed in for the session. Navigation is by ordinary
+links and query parameters; every change is submitted as a form and
+answered with a redirect back to the affected page.
+
+The console is the only admin surface reachable from outside the trusted
+network. It is fronted by the gateway, so it inherits the same edge rate
+limiting and request limits as the public API, and it carries an
+anti-CSRF token on every change. The JSON admin API stays internal to
+the deployment.
+
 ### 10.3 Admin account management
 
 Existing admins can list other admins, create new ones, look up a

docs/FUNCTIONAL_ru.md

@@ -1197,6 +1197,23 @@ deployments.
 После первого деплоя bootstrap-пароль должен быть ротирован
 через admin-surface.
 
+### 10.2.1 Операторская консоль (`/_gm`)
+
+Администраторы выполняют эти операции либо программно через JSON
+admin-API, либо через серверно-рендеримую веб-консоль на `/_gm`.
+Консоль аутентифицируется теми же Basic Auth-учётными данными:
+открытие любой страницы `/_gm` вызывает нативный диалог браузера для
+ввода учётных данных, и оператор остаётся залогинен на время сессии.
+Навигация — обычными ссылками и query-параметрами; каждое изменение
+отправляется формой и завершается редиректом обратно на затронутую
+страницу.
+
+Консоль — единственная admin-поверхность, достижимая извне
+доверенной сети. Она проксируется через gateway, поэтому наследует те
+же edge-rate-limiting и лимиты запросов, что и публичный API, и несёт
+анти-CSRF-токен на каждом изменении. JSON admin-API остаётся
+внутренним для деплоя.
+
 ### 10.3 Управление admin-аккаунтами
 
 Существующие админы могут перечислять других админов, создавать