feat(go-services): tracker WS servers (/ws/position + /ws/live) + robust shadow

Completes the Go tracker as a cutover-ready drop-in:
- wslive.go: browser broadcast hub with per-client subscribe filters (nil=all),
  request_dungeon_map replies, and command routing; auth = internal-trust or
  session cookie. The ingestor broadcasts every handled event to it.
- wsposition.go: plugin ingest server with X-Plugin-Secret/SHARED_SECRET auth
  (constant-time, fails closed, legacy fallback), register -> plugin_conns, and
  dispatch into the shared Ingestor. Plugin registry for backend->plugin commands.
- main.go: statusRecorder.Unwrap() so coder/websocket can hijack through the
  logging middleware (WS handshakes failed without it); /ws/ bypasses HTTP auth.

Shadow consumer robustness (the harness was being evicted under the full
firehose): decouple socket read from processing — the read loop only copies raw
frames to a queue; a worker unmarshals + dispatches. JSON parsing in the read
loop was slowing it enough that Python's broadcast send errored and evicted us
(Read then blocked forever). Added a 25s read-deadline watchdog to self-heal.

Validated live: shadow /live online = 73 = production; telemetry sustained ~12/s,
0 drops, no eviction; and the shadow's /ws/live re-broadcast stream is IDENTICAL
to production's (TOTAL 2150=2150, every event type exact).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Erik 2026-06-24 11:15:05 +02:00
parent 7350b00341
commit 27757636e4
7 changed files with 418 additions and 34 deletions

@ -110,6 +110,8 @@ services:
READ_ONLY: "false" # owns its DB; creates schema on boot
INVENTORY_SERVICE_URL: "http://inventory-service:8000"
SECRET_KEY: "${SECRET_KEY}"
SHARED_SECRET: "${SHARED_SECRET}" # /ws/position plugin auth (cutover-ready)
SHARED_SECRET_LEGACY: "${SHARED_SECRET_LEGACY:-}"
# Replay the Python /ws/live firehose into the ingest handlers (shadow).
SHADOW_INGEST_WS: "ws://dereth-tracker:8765/ws/live"
LOG_LEVEL: "INFO"
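
Review bot: SHARED_SECRET: "${SHARED_SECRET}" has no required-variable guard, so when the variable is unset Compose substitutes an empty string and the /ws/position auth then depends entirely on the server rejecting an empty secret. Consider "${SHARED_SECRET:?SHARED_SECRET must be set}" so the stack refuses to start instead. On the next line, SHARED_SECRET_LEGACY: "${SHARED_SECRET_LEGACY:-}" deliberately defaults to empty; that is fine only if the server treats an empty legacy value as "fallback disabled" and never compares it against an empty or missing X-Plugin-Secret header, so a comment on that line stating this would help.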