docs: observability stack + the single /_gm gate for Grafana/Mailpit

- ARCHITECTURE §17: the dev (production-mirror) collection stack
  (Prometheus / Loki / Tempo / promtail / node-exporter / cAdvisor) and
  the single /_gm Basic Auth gate fronting Grafana and the Mailpit UI.
- tools/dev-deploy/monitoring/README.md (new): services, what is
  collected, Grafana-behind-the-gate access, config delivery, tuning.
- tools/dev-deploy/README.md: an Observability section; the Mailpit UI
  under /_gm/mailpit/; Networking diagram and Files list updated.
- FUNCTIONAL §10.2.1 (+ ru mirror): the operator console nav links to
  Grafana and Mailpit under the same /_gm gate, one sign-in for all.

docs/ARCHITECTURE.md

@@ -888,6 +888,19 @@ addition.
 - Health probes are unauthenticated `GET /healthz` (process liveness) and
   `GET /readyz` (Postgres reachable, migrations applied, gRPC listener
   bound). Probes are excluded from anti-replay and rate limiting.
+- **Collection (dev, production mirror).** The long-lived dev environment
+  (`tools/dev-deploy/`) runs a full metrics + logs + traces stack on its
+  internal network with no host ports: Prometheus scrapes the backend
+  (`:9100`) and gateway (`:9191`) endpoints plus `node-exporter` and
+  cAdvisor; Tempo ingests OTLP traces from backend and gateway; Loki
+  stores container logs shipped by promtail (Docker service-discovery on
+  the `galaxy.stack=dev-deploy` label). Grafana (provisioned datasources
+  + dashboards) and the Mailpit capture UI are reached only through the
+  operator console's single `/_gm` Basic Auth gate (§14.1) — at
+  `/_gm/grafana/` and `/_gm/mailpit/` — so one password covers the
+  console and both UIs. Retention is tuned small (Prometheus 15d, Loki
+  7d, Tempo 3d). The same compose fragment is meant to back production.
+  See `tools/dev-deploy/monitoring/README.md`.
 
 ## 18. CI and Environments