feat(admin-console): Stage 1 — pipe + skeleton behind the gateway

Add the server-rendered operator console at /_gm, exposed publicly through
the gateway behind the existing admin_accounts Basic Auth.

Backend:
- new internal/adminconsole package (html/template Renderer, stateless HMAC
  CSRF signer, embedded stylesheet)
- /_gm route group reusing basicauth.Middleware(admin.Service) + a CSRF guard
  (per-operator token + same-origin check); dashboard landing page
- BACKEND_ADMIN_CONSOLE_CSRF_KEY config (per-process random fallback)

Gateway:
- new "admin" public route class (per-IP rate limit, body + GET/HEAD/POST
  method limits) classifying /_gm traffic
- reverse proxy to the backend /_gm surface, preserving Host and relaying the
  backend 401 Basic Auth challenge; 502 when the backend is unreachable
- GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_ADMIN_* config

dev-deploy:
- Caddy routes /_gm/* to the gateway
- bootstrap admin + stable CSRF key; enable Prometheus /metrics exporters on
  backend and gateway (forward-compat for a future Prometheus/Grafana stack)

Docs: ARCHITECTURE 14.1/16, FUNCTIONAL 10.2.1 (+ru mirror), backend and
gateway READMEs, new backend/docs/admin-console.md.

Tests: renderer + CSRF unit tests; backend router auth/render/asset/CSRF;
gateway classifier, proxy forwarding/Host/401/405/413/429/502.

gateway/internal/restapi/server.go

@@ -48,6 +48,10 @@ const (
 	// PublicRouteClassPublicMisc identifies public traffic that does not match a
 	// more specific class.
 	PublicRouteClassPublicMisc PublicRouteClass = "public_misc"
+
+	// PublicRouteClassAdmin identifies operator console traffic reverse-proxied
+	// to the backend under the `/_gm` prefix.
+	PublicRouteClassAdmin PublicRouteClass = "admin"
 )
 
 var configureGinModeOnce sync.Once
@@ -60,6 +64,7 @@ func (c PublicRouteClass) Normalized() PublicRouteClass {
 	case PublicRouteClassPublicAuth,
 		PublicRouteClassBrowserBootstrap,
 		PublicRouteClassBrowserAsset,
+		PublicRouteClassAdmin,
 		PublicRouteClassPublicMisc:
 		return c
 	default:
@@ -110,6 +115,14 @@ type ServerDependencies struct {
 	// Telemetry records low-cardinality edge metrics. When nil, metrics are
 	// disabled.
 	Telemetry *telemetry.Runtime
+
+	// AdminConsoleProxy, when non-nil, handles `/_gm` and `/_gm/*` by
+	// reverse-proxying to the backend operator console after the public
+	// anti-abuse layer (per-IP rate limit, body, and method checks for the
+	// admin route class) has run. Authentication is delegated to the
+	// backend's admin Basic Auth, whose 401 challenge passes straight back
+	// to the browser. When nil, the admin console surface is not mounted.
+	AdminConsoleProxy http.Handler
 }
 
 // Server owns the public unauthenticated REST listener exposed by the gateway.
@@ -229,6 +242,8 @@ type defaultPublicTrafficClassifier struct{}
 // later drive anti-abuse policy and rate limiting.
 func (defaultPublicTrafficClassifier) Classify(r *http.Request) PublicRouteClass {
 	switch {
+	case isAdminConsoleRequest(r):
+		return PublicRouteClassAdmin
 	case isPublicAuthRequest(r):
 		return PublicRouteClassPublicAuth
 	case isBrowserBootstrapRequest(r):
@@ -290,6 +305,12 @@ func newPublicHandlerWithConfig(cfg config.PublicHTTPConfig, deps ServerDependen
 	router.POST("/api/v1/public/auth/send-email-code", handleSendEmailCode(deps.AuthService, cfg.AuthUpstreamTimeout))
 	router.POST("/api/v1/public/auth/confirm-email-code", handleConfirmEmailCode(deps.AuthService, cfg.AuthUpstreamTimeout))
 
+	if deps.AdminConsoleProxy != nil {
+		adminConsole := gin.WrapH(deps.AdminConsoleProxy)
+		router.Any("/_gm", adminConsole)
+		router.Any("/_gm/*proxyPath", adminConsole)
+	}
+
 	router.NoMethod(func(c *gin.Context) {
 		allowMethods := allowedMethodsForPath(c.Request.URL.Path)
 		if allowMethods != "" {