feat: self-observe — record bots that visit the API directly

Add selfObserve middleware that detects bot/scanner User-Agents (or
requests with no UA) hitting any endpoint except /health and /submit,
and logs them to the bots table as site_id='self', action='observed'.

Dashboard shows these with a cyan [LOCAL] badge and colours 'observed'
action in cyan to distinguish them from WordPress-reported blocks.
Geo-enrichment runs async on self-observed entries too.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

public/index.html

@@ -251,6 +251,10 @@ main {
 .feed-action { font-weight: bold; }
 .feed-action.blocked      { color: var(--red); }
 .feed-action.rate_limited { color: var(--amber); }
+.feed-action.observed     { color: var(--cyan2); }
+.feed-local { font-size: 9px; font-weight: 700; letter-spacing: .5px;
+              color: var(--bg); background: var(--cyan2); border-radius: 3px;
+              padding: 1px 5px; margin-left: 4px; vertical-align: middle; }
 .feed-reason { color: var(--dim); font-size: 10px; }
 .feed-geo    { color: var(--dim); font-size: 10px; }
 
@@ -661,6 +665,7 @@ function addRow(row) {
   el.className = 'feed-row';
   const f   = flag(row.country||'');
   const action = row.action||'blocked';
+  const isLocal = row.site_id === 'self';
   el.innerHTML = `
     <span class="feed-ts">${fmtTime(row.received_at)}</span>
     <span class="feed-ip">${esc(row.ip_masked||row.ip||'?')}</span>
@@ -668,6 +673,7 @@ function addRow(row) {
       ${f?`<span class="feed-geo">${f} ${esc(row.country||'')}</span><br>`:''}
       <span class="feed-bot">${esc(row.bot_type||'?')}</span>
       <span class="feed-action ${action}"> [${esc(action)}]</span>
+      ${isLocal?'<span class="feed-local">LOCAL</span>':''}
       <br><span class="feed-reason">${esc(row.reason||row.ua_family||'')}</span>
     </span>`;
   feedEl.prepend(el);