refactor(game): lock-free storage, remove /command, flatten engine wrapper

Three-stage refactor of the game-engine plumbing (game logic untouched):

Stage 1 — lock-free persistence + admin serialisation. Remove the file
lock from repo/fs (the .lock file, the Read/Write-vs-*Safe duality and the
dead ReadSafe polling) and replace the two-step rename with a single atomic
rename so concurrent reads are torn-free without a lock. Serialise the
state-mutating admin writers (init/turn/banish) with one shared router
LimitMiddleware, rewritten to block on the request context instead of a
racy shared 100ms timer.

Stage 2 — remove the obsolete immediate-command path end to end. Players
submit through PUT /api/v1/order; the legacy PUT /api/v1/command path is
deleted across game (route, handler, 24 command factories, Ctrl), backend
(Commands handler/route, engineclient.ExecuteCommands), gateway (dispatch +
executeUserGamesCommand + routing entry), the FlatBuffers/model contract
(UserGamesCommand[Response]) and transcoder, plus every affected
OpenAPI/README/FUNCTIONAL/ARCHITECTURE doc. The integration proxy test is
converted to the order path.

Stage 3 — flatten the REST->engine wrapper. Replace the executor adapter,
the controller package functions and RepoController with one concrete
controller.Service; drop the single-implementation Repo and Storage
interfaces (repo.Repo / fs.FS are now concrete). Handlers depend on a thin
handler.Engine seam and own the domain->REST projection; storage is
resolved once at startup instead of per request.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

game/README.md

@@ -47,7 +47,6 @@ described below. Endpoints split into two route classes:
 | Admin (GM-only) | `GET /api/v1/admin/status` | `Game Master` | Read the full game state. |
 | Admin (GM-only) | `PUT /api/v1/admin/turn` | `Game Master` | Generate the next turn. |
 | Admin (GM-only) | `POST /api/v1/admin/race/banish` | `Game Master` | Deactivate a race after a permanent platform removal. |
-| Player | `PUT /api/v1/command` | `Game Master` (forwarded from `Edge Gateway`) | Execute a batch of player commands. |
 | Player | `PUT /api/v1/order` | `Game Master` | Validate and store a batch of player orders. |
 | Player | `GET /api/v1/order` | `Game Master` | Fetch the previously stored player order for a turn. |
 | Player | `GET /api/v1/report` | `Game Master` | Fetch the per-player turn report. |
@@ -166,19 +165,17 @@ Alternatives considered and rejected:
 
 `game/internal/router/handler/handler.go` exports `ResolveStoragePath`,
 which returns the engine storage path from the env-var pair above and
-an error when neither is set. `cmd/http/main.go` calls it before
-constructing the router, prints the error to stderr, and exits non-zero.
-The existing `initConfig` closure also calls `ResolveStoragePath` to
-populate `controller.Param.StoragePath` at request time; the error there
-is dropped because `main` already validated the environment at startup.
+an error when neither is set. `cmd/http/main.go` calls it once at
+startup, prints the error to stderr and exits non-zero on failure, then
+builds the engine service (`controller.NewService(path)`) and hands it
+to `router.NewRouter`.
 
-This keeps the public router surface (`router.NewRouter`) unchanged —
-the env binding is satisfied by one helper plus a startup check, with
-no API ripple. Moving env reading entirely into `main` and changing
-`NewRouter` / `NewDefaultExecutor` to accept an explicit path was
-rejected: it churns multiple call sites for no functional gain. The
-current shape leaves the configurer closure ready for future
-config-injection refactors without forcing one now.
+Storage is resolved exactly once, at construction, rather than per
+request: the `Service` holds the file-backed repo for the process
+lifetime and `router.NewRouter` takes the `handler.Engine` it routes
+to (in production, the `Service`). This keeps the env binding in one
+place — a startup helper plus the `main` check — and leaves the
+handlers free of configuration concerns.
 
 ## Build