Server-side WebSocket message rate limiting & size enforcement (#3424)

## Description:

* Adds ClientMsgRateLimiter — a per-client token-bucket rate limiter
that gates all incoming WebSocket messages. Returns "ok", "limit"
(drop), or "kick" based on the violation type.

* Intent messages are capped at 500 bytes each (they are stored in turn
history for the game duration, so oversized intents
accumulate in server RAM). Violations kick the client.

* Winner messages bypass the byte rate limit (they include stats for all
players and can be 100s of KB) but are strictly capped at one per client
— a second winner message kicks the client.

* All other messages go through the standard per-second (10/s) and
per-minute (150/min) rate limits. Violations drop the message; byte
budget exhaustion kicks the client.

* WebSocket maxPayload set to 2 MB on game workers.
Invalid (unparseable) messages now immediately kick the client rather
than being silently dropped.
Unit tests added for all rate limiting behaviors.

## Please complete the following:

- [x] I have added screenshots for all UI updates
- [x] I process any text displayed to the user through translateText()
and I've added it to the en.json file
- [x] I have added relevant tests to the test directory
- [x] I confirm I have thoroughly tested these changes and take full
responsibility for any bugs introduced

## Please put your Discord username so you can be contacted if a bug or
regression is found:

evan

src/server/ClientMsgRateLimiter.ts

@@ -0,0 +1,69 @@
+import { RateLimiter } from "limiter";
+import { ClientID } from "../core/Schemas";
+
+const INTENTS_PER_SECOND = 10;
+const INTENTS_PER_MINUTE = 150;
+const MAX_BYTES_PER_MINUTE = 25 * 1024; // 25KB/min per client
+const MAX_INTENT_BYTES = 500; // intents are stored in turns, keep them small
+export type RateLimitResult = "ok" | "limit" | "kick";
+
+interface ClientBucket {
+  perSecond: RateLimiter;
+  perMinute: RateLimiter;
+  bytesPerMinute: RateLimiter;
+  hasSentWinnerMsg: boolean;
+}
+
+export class ClientMsgRateLimiter {
+  private buckets = new Map<ClientID, ClientBucket>();
+
+  check(clientID: ClientID, type: string, bytes: number): RateLimitResult {
+    const bucket = this.getOrCreate(clientID);
+
+    // Winner message contains stats for all players and can be large (100s of KB).
+    // It bypasses the byte rate limit but is strictly limited to one per client.
+    if (type === "winner") {
+      if (bucket.hasSentWinnerMsg) return "kick";
+      bucket.hasSentWinnerMsg = true;
+      return "ok";
+    }
+
+    // Intents are stored in turn history for the duration of the game, so
+    // oversized intents would accumulate and fill up server RAM.
+    if (type === "intent" && bytes > MAX_INTENT_BYTES) return "kick";
+
+    if (!bucket.bytesPerMinute.tryRemoveTokens(bytes)) return "kick";
+
+    if (
+      !bucket.perSecond.tryRemoveTokens(1) ||
+      !bucket.perMinute.tryRemoveTokens(1)
+    )
+      return "limit";
+
+    return "ok";
+  }
+
+  private getOrCreate(clientID: ClientID): ClientBucket {
+    const existing = this.buckets.get(clientID);
+    if (existing) {
+      return existing;
+    }
+    const bucket = {
+      perSecond: new RateLimiter({
+        tokensPerInterval: INTENTS_PER_SECOND,
+        interval: "second",
+      }),
+      perMinute: new RateLimiter({
+        tokensPerInterval: INTENTS_PER_MINUTE,
+        interval: "minute",
+      }),
+      bytesPerMinute: new RateLimiter({
+        tokensPerInterval: MAX_BYTES_PER_MINUTE,
+        interval: "minute",
+      }),
+      hasSentWinnerMsg: false,
+    };
+    this.buckets.set(clientID, bucket);
+    return bucket;
+  }
+}