feat(admin-console): Stage 1 — pipe + skeleton behind the gateway

Add the server-rendered operator console at /_gm, exposed publicly through
the gateway behind the existing admin_accounts Basic Auth.

Backend:
- new internal/adminconsole package (html/template Renderer, stateless HMAC
  CSRF signer, embedded stylesheet)
- /_gm route group reusing basicauth.Middleware(admin.Service) + a CSRF guard
  (per-operator token + same-origin check); dashboard landing page
- BACKEND_ADMIN_CONSOLE_CSRF_KEY config (per-process random fallback)

Gateway:
- new "admin" public route class (per-IP rate limit, body + GET/HEAD/POST
  method limits) classifying /_gm traffic
- reverse proxy to the backend /_gm surface, preserving Host and relaying the
  backend 401 Basic Auth challenge; 502 when the backend is unreachable
- GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_ADMIN_* config

dev-deploy:
- Caddy routes /_gm/* to the gateway
- bootstrap admin + stable CSRF key; enable Prometheus /metrics exporters on
  backend and gateway (forward-compat for a future Prometheus/Grafana stack)

Docs: ARCHITECTURE 14.1/16, FUNCTIONAL 10.2.1 (+ru mirror), backend and
gateway READMEs, new backend/docs/admin-console.md.

Tests: renderer + CSRF unit tests; backend router auth/render/asset/CSRF;
gateway classifier, proxy forwarding/Host/401/405/413/429/502.

tools/dev-deploy/docker-compose.yml

@@ -109,7 +109,18 @@ services:
       BACKEND_MAIL_WORKER_INTERVAL: 500ms
       BACKEND_NOTIFICATION_WORKER_INTERVAL: 500ms
       BACKEND_OTEL_TRACES_EXPORTER: none
-      BACKEND_OTEL_METRICS_EXPORTER: none
+      # Prometheus metrics are enabled in dev so the `/metrics` scrape
+      # endpoint is live and stable ahead of standing up a Prometheus +
+      # Grafana stack on the internal network. The listener stays internal
+      # (not mapped to the host); nothing scrapes it yet.
+      BACKEND_OTEL_METRICS_EXPORTER: prometheus
+      BACKEND_OTEL_PROMETHEUS_LISTEN_ADDR: ":9100"
+      # Operator console (`/_gm`): Basic Auth bootstrap account plus the
+      # stateless CSRF key. Dev-only non-secrets, overridable via `.env`; a
+      # stable CSRF key keeps console forms valid across redeploys.
+      BACKEND_ADMIN_BOOTSTRAP_USER: ${BACKEND_ADMIN_BOOTSTRAP_USER:-gm}
+      BACKEND_ADMIN_BOOTSTRAP_PASSWORD: ${BACKEND_ADMIN_BOOTSTRAP_PASSWORD:-gm-dev-password}
+      BACKEND_ADMIN_CONSOLE_CSRF_KEY: ${BACKEND_ADMIN_CONSOLE_CSRF_KEY:-dev-admin-console-csrf-key}
       # Long-lived dev environment always opts into the fixed-code
       # override so a returning developer can sign in with `123456`
       # even after the matching browser session was cleared (the real
@@ -180,6 +191,10 @@ services:
       GATEWAY_LOG_LEVEL: info
       GATEWAY_PUBLIC_HTTP_ADDR: ":8080"
       GATEWAY_AUTHENTICATED_GRPC_ADDR: ":9090"
+      # Private admin listener exposes the Prometheus `/metrics` endpoint on
+      # the internal network — live and stable for a future scrape, not
+      # mapped to the host.
+      GATEWAY_ADMIN_HTTP_ADDR: ":9191"
       GATEWAY_BACKEND_HTTP_URL: "http://galaxy-backend:8080"
       GATEWAY_BACKEND_GRPC_PUSH_URL: "galaxy-backend:8081"
       GATEWAY_BACKEND_GATEWAY_CLIENT_ID: dev-gateway-1
@@ -208,6 +223,9 @@ services:
       GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_PUBLIC_MISC_RATE_LIMIT_BURST: "1000"
       GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_BROWSER_BOOTSTRAP_MAX_BODY_BYTES: "65536"
       GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_BROWSER_ASSET_MAX_BODY_BYTES: "65536"
+      GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_ADMIN_MAX_BODY_BYTES: "131072"
+      GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_ADMIN_RATE_LIMIT_REQUESTS: "10000"
+      GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_ADMIN_RATE_LIMIT_BURST: "1000"
       GATEWAY_AUTHENTICATED_GRPC_ANTI_ABUSE_IP_RATE_LIMIT_REQUESTS: "10000"
       GATEWAY_AUTHENTICATED_GRPC_ANTI_ABUSE_IP_RATE_LIMIT_BURST: "1000"
       GATEWAY_AUTHENTICATED_GRPC_ANTI_ABUSE_SESSION_RATE_LIMIT_REQUESTS: "10000"