Stage 6: gateway edge (Connect/FlatBuffers over h2c, platform/email/guest auth, sessions, rate-limit, admin passthrough, live push bridge)

New public ingress and the first network edge. Framework + a vertical slice of
operations end-to-end; remaining ops reuse the same transcode pattern in Stage 7.

Contracts (new module scrabble/pkg):
- push.proto (backend->gateway gRPC server-stream) + scrabble.fbs (FlatBuffers
  edge payloads), committed generated Go; buf/flatc Makefiles (dev-time codegen).

Backend:
- REST handlers on the /api/v1 groups: internal session endpoints
  (telegram/guest/email login -> mint, resolve, revoke) and the user slice
  (profile, submit_play, state, lobby enqueue/poll, chat).
- internal/notify in-process Publisher hub + internal/pushgrpc gRPC server
  (BACKEND_GRPC_ADDR) streaming your_turn/opponent_moved/chat/nudge/match_found;
  emission in game.commit, social, matchmaker.
- migration 00005 accounts.is_guest; guests are durable rows excluded from stats;
  ProvisionGuest; email-as-login (RequestLoginCode/LoginWithCode).

Gateway (new module scrabble/gateway):
- Connect Gateway service over h2c (Execute + Subscribe), FlatBuffers<->JSON
  transcode registry, Telegram initData HMAC validator (seam), session cache,
  token-bucket rate limiter (3 classes), push fan-out hub, backend REST + push
  gRPC client, admin Basic-Auth reverse proxy.

go.work: use ./pkg, ./gateway + replace scrabble/pkg. CI: gateway/**, pkg/**
path filters; unit build/vet/test span all three modules. Docs (PLAN,
ARCHITECTURE, FUNCTIONAL+ru, TESTING, READMEs) updated; gateway/pkg unit tests +
guest/email-login integration tests.

gateway/internal/admin/admin_test.go

@@ -0,0 +1,73 @@
+package admin_test
+
+import (
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"scrabble/gateway/internal/admin"
+)
+
+func newAdmin(t *testing.T) (*httptest.Server, func()) {
+	t.Helper()
+	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/api/v1/admin/ping" {
+			t.Errorf("backend path = %q, want /api/v1/admin/ping", r.URL.Path)
+		}
+		_, _ = w.Write([]byte("pong"))
+	}))
+	proxy, err := admin.NewProxy(backend.URL, "ops", "secret", nil)
+	if err != nil {
+		t.Fatalf("new proxy: %v", err)
+	}
+	front := httptest.NewServer(proxy)
+	return front, func() { front.Close(); backend.Close() }
+}
+
+func TestAdminRejectsMissingCredentials(t *testing.T) {
+	front, cleanup := newAdmin(t)
+	defer cleanup()
+
+	resp, err := http.Get(front.URL + "/admin/ping")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() { _ = resp.Body.Close() }()
+	if resp.StatusCode != http.StatusUnauthorized {
+		t.Fatalf("status = %d, want 401", resp.StatusCode)
+	}
+}
+
+func TestAdminProxiesWithCredentials(t *testing.T) {
+	front, cleanup := newAdmin(t)
+	defer cleanup()
+
+	req, _ := http.NewRequest(http.MethodGet, front.URL+"/admin/ping", nil)
+	req.SetBasicAuth("ops", "secret")
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() { _ = resp.Body.Close() }()
+	body, _ := io.ReadAll(resp.Body)
+	if resp.StatusCode != http.StatusOK || string(body) != "pong" {
+		t.Fatalf("status = %d body = %q, want 200 pong", resp.StatusCode, body)
+	}
+}
+
+func TestAdminRejectsWrongPassword(t *testing.T) {
+	front, cleanup := newAdmin(t)
+	defer cleanup()
+
+	req, _ := http.NewRequest(http.MethodGet, front.URL+"/admin/ping", nil)
+	req.SetBasicAuth("ops", "wrong")
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() { _ = resp.Body.Close() }()
+	if resp.StatusCode != http.StatusUnauthorized {
+		t.Fatalf("status = %d, want 401", resp.StatusCode)
+	}
+}