feat(admin-console): Stage 5 — operators (admin accounts)

Add the operator-management page over *admin.Service (no new business logic).

- GET/POST /_gm/operators                       list + create operator
- POST     /_gm/operators/{user}/disable|enable  toggle access
- POST     /_gm/operators/{user}/reset-password  set a new password

Console depends on an OperatorAdmin interface (satisfied by *admin.Service) so
the page renders in tests without a database. Create POST is mounted on the
collection path; per-row disable/enable/reset are guarded by the CSRF middleware
and redirect back. Passwords are never logged.

Tests: list render, create (+ username/password assertions), username-taken
conflict, disable/enable, reset (+ password assertion), missing-password 400,
bad-CSRF 403, and unavailable 503.

Docs: backend/docs/admin-console.md page inventory extended.

backend/internal/server/handlers_admin_console.go

@@ -32,6 +32,7 @@ type AdminConsoleHandlers struct {
 	games          GameAdmin
 	runtime        RuntimeAdmin
 	engineVersions EngineVersionAdmin
+	operators      OperatorAdmin
 	logger         *zap.Logger
 }
 
@@ -49,6 +50,7 @@ type AdminConsoleDeps struct {
 	Games          GameAdmin
 	Runtime        RuntimeAdmin
 	EngineVersions EngineVersionAdmin
+	Operators      OperatorAdmin
 	Logger         *zap.Logger
 }
 
@@ -89,6 +91,7 @@ func NewAdminConsoleHandlers(deps AdminConsoleDeps) *AdminConsoleHandlers {
 		games:          deps.Games,
 		runtime:        deps.Runtime,
 		engineVersions: deps.EngineVersions,
+		operators:      deps.Operators,
 		logger:         logger.Named("http.admin.console"),
 	}
 }