R3: backend rate-limit observability — ratewatch, auto-flag, admin throttled view

- accounts.flagged_high_rate_at baked into the R1 baseline (no prod data; the
  contour schema is wiped after merge); jet regenerated — the regen also picks
  up the previously missing game_drafts/game_hidden models.
- account.Store: FlagHighRate (set-once), ClearHighRateFlag, the flag in
  GetByID/ListUsers and a ListFlaggedHighRate review queue.
- New internal/ratewatch: ingests the gateway rejection reports, keeps a
  bounded in-memory episode window for the console and applies the
  conservative auto-flag (1000 rejected / 10 min, BACKEND_HIGHRATE_FLAG_*).
- POST /api/v1/internal/ratelimit/report (network-trusted, like
  sessions/resolve).
- Admin console: Throttled page (episodes + flagged accounts), a high-rate
  badge in the user list, the marker + operator clear action on the user card.
- Tests: ratewatch unit suite, report-route handler test, renderer cases,
  integration coverage for the store round-trip and the console flow.

backend/internal/inttest/account_test.go

@@ -6,6 +6,7 @@ import (
 	"context"
 	"errors"
 	"testing"
+	"time"
 
 	"github.com/google/uuid"
 
@@ -195,6 +196,62 @@ func TestServiceLanguageRoundTrip(t *testing.T) {
 	}
 }
 
+// TestHighRateFlagRoundTrip covers the R3 soft high-rate marker: a fresh account
+// is unflagged, FlagHighRate stamps it exactly once (a second sustained episode
+// never moves the timestamp), ClearHighRateFlag reverses it, and a re-flag after
+// the operator clear takes a fresh timestamp.
+func TestHighRateFlagRoundTrip(t *testing.T) {
+	ctx := context.Background()
+	store := account.NewStore(testDB)
+	acc, err := store.ProvisionTelegram(ctx, "tg-"+uuid.NewString(), "en", "", "Player")
+	if err != nil {
+		t.Fatalf("provision telegram: %v", err)
+	}
+	if !acc.FlaggedHighRateAt.IsZero() {
+		t.Fatalf("fresh FlaggedHighRateAt = %v, want zero", acc.FlaggedHighRateAt)
+	}
+
+	first := time.Date(2026, 6, 1, 12, 0, 0, 0, time.UTC)
+	set, err := store.FlagHighRate(ctx, acc.ID, first)
+	if err != nil {
+		t.Fatalf("flag: %v", err)
+	}
+	if !set {
+		t.Fatal("first FlagHighRate reported not set")
+	}
+	if set, err = store.FlagHighRate(ctx, acc.ID, first.Add(time.Hour)); err != nil {
+		t.Fatalf("re-flag: %v", err)
+	} else if set {
+		t.Fatal("second FlagHighRate must not overwrite the marker")
+	}
+	got, err := store.GetByID(ctx, acc.ID)
+	if err != nil {
+		t.Fatalf("get by id: %v", err)
+	}
+	if !got.FlaggedHighRateAt.Equal(first) {
+		t.Errorf("FlaggedHighRateAt = %v, want %v", got.FlaggedHighRateAt, first)
+	}
+
+	if err := store.ClearHighRateFlag(ctx, acc.ID); err != nil {
+		t.Fatalf("clear: %v", err)
+	}
+	if got, err = store.GetByID(ctx, acc.ID); err != nil {
+		t.Fatalf("get by id: %v", err)
+	} else if !got.FlaggedHighRateAt.IsZero() {
+		t.Errorf("cleared FlaggedHighRateAt = %v, want zero", got.FlaggedHighRateAt)
+	}
+
+	second := first.Add(24 * time.Hour)
+	if set, err = store.FlagHighRate(ctx, acc.ID, second); err != nil || !set {
+		t.Fatalf("re-flag after clear = (%v, %v), want (true, nil)", set, err)
+	}
+	if got, err = store.GetByID(ctx, acc.ID); err != nil {
+		t.Fatalf("get by id: %v", err)
+	} else if !got.FlaggedHighRateAt.Equal(second) {
+		t.Errorf("re-flagged FlaggedHighRateAt = %v, want %v", got.FlaggedHighRateAt, second)
+	}
+}
+
 // TestIdentityExternalID covers the reverse identity lookup the push-target route
 // uses: it returns the external_id for the matching kind and ErrNotFound otherwise,
 // including for a guest that carries no identity.