fix: secure all Convex mutations against direct client access
Convert all mutations to internalMutation + secret-gated action wrappers. Route client-side calls through authenticated Next.js API routes instead of calling Convex directly. Caps exploitBonus, validates solvedProblemIds against session, prevents attempts-griefing, adds session rate limiting.

Co-authored-by: Cursor <cursoragent@cursor.com>
Caleb Peffer committed
5377824d97d5aa60ea718c2a8ac1dd7af2d03bff
Parent: ae16612