feat(moderation): add input moderation guard for the UI assistant

[albanm]

Add a per-message input-moderation guard for the UI-integrated assistant. Each new user message is classified by a configurable moderator model (falling back to the summarizer model) and out-of-scope / abusive / prompt-injection messages are blocked with a generic refusal before any assistant output is shown.

Why: protect the assistant from profanity, prompt-injection, persona-override, and out-of-scope abuse, without delaying the request — moderation runs concurrently with the assistant turn and only withholds the first visible byte until the verdict arrives.

What changed:

• api/src/moderation/{operations,service,router}.ts — new module: moderation prompt builder, tolerant verdict parser, model resolution (moderator → summarizer → skip), and a fail-open 1.5s-timeout service. GET returns the enabled flag, POST returns the verdict.
• api/types/settings/schema.js — new moderator model slot and a moderation settings block (enabled, refusalMessage).
• ui/src/composables/use-agent-chat.ts — parallel gate that buffers the stream until the verdict, blocks → refusal + drops the message from model context.
• ui/src/components/agent-chat/AgentChatDebugDialog.vue + session-recorder.ts — dedicated trace renderer; every decision (allow/skip/block) is recorded client-side.
• docs/architecture.md — new "Input Moderation Guard" section.
• Mock mock-moderator model variant + unit/api/e2e tests.
• Regenerated ui/src/components/vjsf/* and api/doc/settings/put-req/* (build-types output).

Regression risks:

• Auth/quota gap on the new endpoints (please confirm intentional). api/src/moderation/router.ts only calls reqSession — no assertCanUseModel / assertRoleQuota / checkQuota, unlike gateway/router.ts and summary/router.ts. Since reqSession permits anonymous sessions, any caller can POST /api/moderation/<any-owner>/<id> with arbitrary text and trigger that owner's configured model (consuming their provider API key/budget) with no quota accounting. GET also discloses any owner's moderation-enabled flag. Cheap per call, but ungated.
• Advisory, not a security boundary (by design, documented). A direct/anonymous gateway call bypasses moderation entirely.
• Enablement cached per chat mount — toggling moderation in settings only takes effect after a page reload.
• Block on a no-output turn is recorded but not enforced — the post-loop fallback in use-agent-chat.ts records the verdict but does not show the refusal if the stream produced no text-delta/tool-call. Edge case; a normal turn always streams something.
• Settings replaceOne now always writes a moderation field (defaulting to { enabled: false }); existing settings docs without it are unaffected on read via emptySettings/?? defaultModeration.