refactor(config): externalize rpcAccessProducts to config/rpc_products.yaml

The Chain 138 RPC access product catalog (core-rpc / alltra-rpc /
thirdweb-rpc, each with VMID + HTTP/WS URL + tier + billing model + use
cases + management features) used to be a hardcoded 50-line Go literal
in api/rest/auth.go. The review flagged this as the biggest source of
'magic constants in source' in the backend: changing a partner URL, a
VMID, or a billing model required a Go recompile, and the internal
192.168.11.x CIDR endpoints were baked into the binary.

This PR moves the catalog to backend/config/rpc_products.yaml and adds
a lazy loader so every call site reads from the YAML on first use.

New files:
  backend/config/rpc_products.yaml           source of truth
  backend/api/rest/rpc_products_config.go    loader + fallback defaults
  backend/api/rest/rpc_products_config_test.go  unit tests

Loader path-resolution order (first hit wins):
  1. $RPC_PRODUCTS_PATH (absolute or cwd-relative)
  2. $EXPLORER_BACKEND_DIR/config/rpc_products.yaml
  3. <cwd>/backend/config/rpc_products.yaml
  4. <cwd>/config/rpc_products.yaml
  5. compiled-in defaultRPCAccessProducts fallback (logs a WARNING)

Validation on load:
  - every product must have a non-empty slug,
  - every product must have a non-empty http_url,
  - slugs must be unique across the catalog.
  A malformed YAML causes a WARNING + fallback to defaults, never a
  silent empty product list.

Call-site changes in auth.go:
  - 'var rpcAccessProducts []accessProduct' (literal) -> func
    rpcAccessProducts() []accessProduct (forwards to the lazy loader).
  - Both existing consumers (/api/v1/access/products handler at line
    ~369 and findAccessProduct() at line ~627) now call the function.
    Zero other behavioural changes; the JSON shape of the response is
    byte-identical.

Tests added:
  - TestLoadRPCAccessProductsFromRepoDefault: confirms the shipped
    YAML loads, produces >=3 products, and contains the 3 expected
    slugs with non-empty http_url.
  - TestLoadRPCAccessProductsRejectsDuplicateSlug.
  - TestLoadRPCAccessProductsRejectsMissingHTTPURL.

Verification:
  go build ./...       clean
  go vet ./...         clean
  go test ./api/rest/  PASS (new + existing)
  go mod tidy          pulled yaml.v3 from indirect to direct

Advances completion criterion 7 (no magic constants): 'Chain 138
access products / VMIDs / provider URLs live in a YAML that operators
can change without a rebuild; internal CIDRs are no longer required
to be present in source.'

backend/api/rest/auth.go

@@ -141,49 +141,12 @@ type internalValidateAPIKeyRequest struct {
 	LastIP       string `json:"last_ip"`
 }
 
-var rpcAccessProducts = []accessProduct{
-	{
-		Slug:               "core-rpc",
-		Name:               "Core RPC",
-		Provider:           "besu-core",
-		VMID:               2101,
-		HTTPURL:            "https://rpc-http-prv.d-bis.org",
-		WSURL:              "wss://rpc-ws-prv.d-bis.org",
-		DefaultTier:        "enterprise",
-		RequiresApproval:   true,
-		BillingModel:       "contract",
-		Description:        "Private Chain 138 Core RPC for operator-grade administration and sensitive workloads.",
-		UseCases:           []string{"core deployments", "operator automation", "private infrastructure integration"},
-		ManagementFeatures: []string{"dedicated API key", "higher rate ceiling", "operator-oriented access controls"},
-	},
-	{
-		Slug:               "alltra-rpc",
-		Name:               "Alltra RPC",
-		Provider:           "alltra",
-		VMID:               2102,
-		HTTPURL:            "http://192.168.11.212:8545",
-		WSURL:              "ws://192.168.11.212:8546",
-		DefaultTier:        "pro",
-		RequiresApproval:   false,
-		BillingModel:       "subscription",
-		Description:        "Dedicated Alltra-managed RPC lane for partner traffic, subscription access, and API-key-gated usage.",
-		UseCases:           []string{"tenant RPC access", "managed partner workloads", "metered commercial usage"},
-		ManagementFeatures: []string{"subscription-ready key issuance", "rate governance", "partner-specific traffic lane"},
-	},
-	{
-		Slug:               "thirdweb-rpc",
-		Name:               "Thirdweb RPC",
-		Provider:           "thirdweb",
-		VMID:               2103,
-		HTTPURL:            "http://192.168.11.217:8545",
-		WSURL:              "ws://192.168.11.217:8546",
-		DefaultTier:        "pro",
-		RequiresApproval:   false,
-		BillingModel:       "subscription",
-		Description:        "Thirdweb-oriented Chain 138 RPC lane suitable for managed SaaS access and API-token paywalling.",
-		UseCases:           []string{"thirdweb integrations", "commercial API access", "managed dApp traffic"},
-		ManagementFeatures: []string{"API token issuance", "usage tiering", "future paywall/subscription hooks"},
-	},
+// rpcAccessProducts returns the Chain 138 RPC access catalog. The source
+// of truth lives in config/rpc_products.yaml (externalized in PR #7); this
+// function just forwards to the lazy loader so every call site stays a
+// drop-in replacement for the former package-level slice.
+func rpcAccessProducts() []accessProduct {
+	return rpcAccessProductCatalog()
 }
 
 func (s *Server) generateUserJWT(user *auth.User) (string, time.Time, error) {
@@ -366,7 +329,7 @@ func (s *Server) handleAccessProducts(w http.ResponseWriter, r *http.Request) {
 	}
 	w.Header().Set("Content-Type", "application/json")
 	_ = json.NewEncoder(w).Encode(map[string]any{
-		"products": rpcAccessProducts,
+		"products": rpcAccessProducts(),
 		"note":     "Products are ready for auth, API key, and subscription gating. Commercial billing integration can be layered on top of these access primitives.",
 	})
 }
@@ -624,7 +587,7 @@ func firstNonEmpty(values ...string) string {
 }
 
 func findAccessProduct(slug string) *accessProduct {
-	for _, product := range rpcAccessProducts {
+	for _, product := range rpcAccessProducts() {
 		if product.Slug == slug {
 			copy := product
 			return &copy