R3: backend rate-limit observability — ratewatch, auto-flag, admin throttled view
- accounts.flagged_high_rate_at baked into the R1 baseline (no prod data; the contour schema is wiped after merge); jet regenerated — the regen also picks up the previously missing game_drafts/game_hidden models.
- account.Store: FlagHighRate (set-once), ClearHighRateFlag, the flag in GetByID/ListUsers and a ListFlaggedHighRate review queue.
- New internal/ratewatch: ingests the gateway rejection reports, keeps a bounded in-memory episode window for the console and applies the conservative auto-flag (1000 rejected / 10 min, BACKEND_HIGHRATE_FLAG_*).
- POST /api/v1/internal/ratelimit/report (network-trusted, like sessions/resolve).
- Admin console: Throttled page (episodes + flagged accounts), a high-rate badge in the user list, the marker + operator clear action on the user card.
- Tests: ratewatch unit suite, report-route handler test, renderer cases, integration coverage for the store round-trip and the console flow.
@@ -35,6 +35,10 @@ CREATE TABLE accounts (
|
||||
merged_into uuid REFERENCES accounts (account_id) ON DELETE SET NULL,
|
||||
merged_at timestamptz,
|
||||
service_language text CHECK (service_language IN ('en', 'ru')),
|
||||
-- Soft, reversible "suspected high-rate" marker (R3): set once when the gateway
|
||||
-- reports sustained rate-limiter rejections past the threshold; an operator
|
||||
-- clears it in the admin console. Never an automatic ban.
|
||||
flagged_high_rate_at timestamptz,
|
||||
CONSTRAINT accounts_preferred_language_chk CHECK (preferred_language IN ('en', 'ru')),
|
||||
CONSTRAINT accounts_hint_balance_chk CHECK (hint_balance >= 0)
|
||||
);
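Review bot: The "set once" property in the comment above `flagged_high_rate_at timestamptz,` is not enforced by anything in this hunk, so it rests entirely on the write path. Please confirm that FlagHighRate only writes when the column is still NULL (for example a `WHERE flagged_high_rate_at IS NULL` guard on the UPDATE), otherwise repeated gateway reports would move the timestamp and the operator loses the time of first detection. Two smaller points: the hunk adds no index for the new column, so if ListFlaggedHighRate filters on `flagged_high_rate_at IS NOT NULL`, a partial index on that predicate would keep the review queue from scanning the whole accounts table; and the comment says "past the threshold" without saying where the threshold is configured, so a pointer to the BACKEND_HIGHRATE_FLAG_* settings named in the commit message would help the next reader of the schema.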