Stage 6: gateway edge (Connect/FlatBuffers over h2c, platform/email/guest auth, sessions, rate-limit, admin passthrough, live push bridge)

New public ingress and the first network edge. Framework + a vertical slice of
operations end-to-end; remaining ops reuse the same transcode pattern in Stage 7.

Contracts (new module scrabble/pkg):
- push.proto (backend->gateway gRPC server-stream) + scrabble.fbs (FlatBuffers
  edge payloads), committed generated Go; buf/flatc Makefiles (dev-time codegen).

Backend:
- REST handlers on the /api/v1 groups: internal session endpoints
  (telegram/guest/email login -> mint, resolve, revoke) and the user slice
  (profile, submit_play, state, lobby enqueue/poll, chat).
- internal/notify in-process Publisher hub + internal/pushgrpc gRPC server
  (BACKEND_GRPC_ADDR) streaming your_turn/opponent_moved/chat/nudge/match_found;
  emission in game.commit, social, matchmaker.
- migration 00005 accounts.is_guest; guests are durable rows excluded from stats;
  ProvisionGuest; email-as-login (RequestLoginCode/LoginWithCode).

Gateway (new module scrabble/gateway):
- Connect Gateway service over h2c (Execute + Subscribe), FlatBuffers<->JSON
  transcode registry, Telegram initData HMAC validator (seam), session cache,
  token-bucket rate limiter (3 classes), push fan-out hub, backend REST + push
  gRPC client, admin Basic-Auth reverse proxy.

go.work: use ./pkg, ./gateway + replace scrabble/pkg. CI: gateway/**, pkg/**
path filters; unit build/vet/test span all three modules. Docs (PLAN,
ARCHITECTURE, FUNCTIONAL+ru, TESTING, READMEs) updated; gateway/pkg unit tests +
guest/email-login integration tests.

gateway/internal/ratelimit/ratelimit.go

@@ -0,0 +1,87 @@
+// Package ratelimit is the gateway's in-memory anti-abuse limiter: a token
+// bucket per key (golang.org/x/time/rate). The connect edge keys the public
+// class per client IP, the authenticated class per user id, and a stricter
+// sub-limit guards the email-code path; the admin proxy keys per IP. Buckets are
+// swept lazily so an idle key does not leak memory.
+package ratelimit
+
+import (
+	"sync"
+	"time"
+
+	"golang.org/x/time/rate"
+)
+
+// Policy is a token-bucket rate and burst.
+type Policy struct {
+	Limit rate.Limit
+	Burst int
+}
+
+// PerMinute builds a Policy allowing perMinute events per minute with the given
+// burst.
+func PerMinute(perMinute, burst int) Policy {
+	return Policy{Limit: rate.Limit(float64(perMinute) / 60.0), Burst: burst}
+}
+
+// Per builds a Policy allowing events per window with the given burst.
+func Per(events int, window time.Duration, burst int) Policy {
+	return Policy{Limit: rate.Limit(float64(events) / window.Seconds()), Burst: burst}
+}
+
+// staleAfter is how long an unused bucket is retained before the lazy sweep
+// discards it; sweepInterval bounds how often the sweep runs.
+const (
+	staleAfter    = 10 * time.Minute
+	sweepInterval = time.Minute
+)
+
+// Limiter holds the per-key token buckets.
+type Limiter struct {
+	now func() time.Time
+
+	mu        sync.Mutex
+	buckets   map[string]*bucket
+	lastSweep time.Time
+}
+
+type bucket struct {
+	lim  *rate.Limiter
+	seen time.Time
+}
+
+// New constructs an empty Limiter.
+func New() *Limiter {
+	now := func() time.Time { return time.Now() }
+	return &Limiter{now: now, buckets: make(map[string]*bucket), lastSweep: now()}
+}
+
+// Allow reports whether one event under key is permitted by policy, consuming a
+// token when it is.
+func (l *Limiter) Allow(key string, p Policy) bool {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+	now := l.now()
+	l.sweepLocked(now)
+	b, ok := l.buckets[key]
+	if !ok {
+		b = &bucket{lim: rate.NewLimiter(p.Limit, p.Burst)}
+		l.buckets[key] = b
+	}
+	b.seen = now
+	return b.lim.Allow()
+}
+
+// sweepLocked discards buckets unused for staleAfter, at most once per
+// sweepInterval. The caller holds l.mu.
+func (l *Limiter) sweepLocked(now time.Time) {
+	if now.Sub(l.lastSweep) < sweepInterval {
+		return
+	}
+	l.lastSweep = now
+	for k, b := range l.buckets {
+		if now.Sub(b.seen) > staleAfter {
+			delete(l.buckets, k)
+		}
+	}
+}