P2E: add anti-abuse and Sybil controls #95

@ilyar

Source PRD: tasks/prd-full-play-to-earn.md
Parent epic: #86
PRD section: US-009

Description

Reward farming, collusion, fake accounts, and scripted matches must not auto-convert into payouts.

Acceptance Criteria

  • Add abuse signals for repeated account pairs, abnormal win/loss patterns, match duration anomalies, device/account clustering where available, payment/refund anomalies, and high-volume automation.
  • Reward claims can be held for review when risk score exceeds a threshold.
  • Admin can mark a reward as rejected or claimable with an audit reason.
  • The system never auto-pays rewards under active abuse review.
  • Abuse logic is explainable enough for support, without exposing exact thresholds to users.
  • Tests cover repeated pair farming, self-match attempts, rapid forfeits, and duplicate device/account signals where feasible.

Constraints

  • Keep current paid PvP settlement as entry fee, not player-funded prize pool.
  • Do not make Season Points redeemable or refundable.
  • Keep payout/compliance/provider secrets backend-only.
  • Treat this as deferred future-phase work until mechanics/self-host production readiness is stable.

Notes

Do not expose exact risk thresholds to users or public bug reports.
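
One way the acceptance criteria above could fit together, as an added sketch that is not code from this repository: signals feed a score, a score over the threshold holds the claim, only an admin decision with an audit reason releases or rejects it, and payout refuses anything not claimable. The signal names, weights, threshold, per-signal cut-offs and function names are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed weights and threshold (assumptions); real values stay backend-only.
WEIGHTS = {"repeated_pair": 40, "self_match": 60, "rapid_forfeit": 30, "shared_device": 35}
HOLD_THRESHOLD = 50
PUBLIC_REASON = "Your reward is under review. Support will follow up if needed."

def abuse_signals(player, matches, devices):
    """Names of the signals that fire for `player`.
    matches: dicts with a, b, duration_s, forfeit; devices: account -> device id."""
    mine = [m for m in matches if player in (m["a"], m["b"])]
    signals = set()
    pairs = Counter(frozenset((m["a"], m["b"])) for m in mine)
    if any(len(p) == 2 and n >= 5 for p, n in pairs.items()):
        signals.add("repeated_pair")          # same two accounts over and over
    if any(m["a"] == m["b"] for m in mine):
        signals.add("self_match")
    if sum(1 for m in mine if m["forfeit"] and m["duration_s"] < 10) >= 3:
        signals.add("rapid_forfeit")
    dev = devices.get(player)
    if dev and sum(1 for d in devices.values() if d == dev) > 1:
        signals.add("shared_device")          # only where device data exists
    return signals

@dataclass
class RewardClaim:
    player: str
    status: str = "pending"   # pending | held | claimable | rejected | paid
    audit: list = field(default_factory=list)

def evaluate(claim, matches, devices):
    """Score the claim; return only the threshold-free message shown to the user."""
    signals = abuse_signals(claim.player, matches, devices)
    score = sum(WEIGHTS[s] for s in signals)
    claim.status = "held" if score > HOLD_THRESHOLD else "claimable"
    claim.audit.append(("system", claim.status, sorted(signals)))  # for support
    return PUBLIC_REASON if claim.status == "held" else None

def admin_decide(claim, admin, decision, reason):
    if claim.status != "held" or decision not in ("claimable", "rejected"):
        raise ValueError("invalid decision for this claim")
    if not reason.strip():
        raise ValueError("audit reason required")
    claim.status = decision
    claim.audit.append((admin, decision, reason))

def pay(claim):
    if claim.status != "claimable":   # held or rejected claims are never auto-paid
        raise PermissionError("claim is not claimable")
    claim.status = "paid"
```

The audit list keeps the fired signal names for support, while the user only ever sees `PUBLIC_REASON`.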

Labels

  • area: backend (Server-side services, APIs, reducers, and data mutations)
  • domain: gameplay (Core match mechanics, rules, energy, rounds, and player flow)
  • domain: operations (Runbooks, observability, incident handling, migration, and support flows)
  • domain: security (Auth, secrets, trust boundaries, permissions, and abuse resistance)
  • priority: critical (Must be done first, blocks other work)
  • status: deferred (Deferred until the current active milestone is stable)
  • type: feature (New capability or product improvement)