feat: free-tier credit system + Syttende Mai access for Google users

- FreeTier.php: credit check/deduct/reset engine with hourly rate limit
- bootstrap.php: dbnmDb() singleton, dbnToolsIsFreeTier(), credit gate helpers
- index.php: store tier=free|approved in session from SSO JWT
- All 7 API endpoints: credit gate (402/429) + X-Credits-Remaining header
- layout.php: credit meta tag, JS balance var, Syttende Mai banner (05-17 only)
- tools.js: credit badge in topbar, 402 modal, 429 toast, dbnUpdateCredits()
- barnevernet.js + deep-research.js: wire 402/429 handling for NDJSON streams
- tools.css: styles for credit badge, no-credits modal, rate-limit toast

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

assets/js/barnevernet.js

@@ -432,10 +432,19 @@
     }
 
     if (!response.ok || !response.body) {
-      setStatus(`Request failed (${response.status}).`, 'error');
+      if (response.status === 402 || response.status === 429) {
+        const d = await response.json().catch(() => ({}));
+        if (typeof window.dbnFreeTierError === 'function') window.dbnFreeTierError(response.status, d);
+      } else {
+        setStatus(`Request failed (${response.status}).`, 'error');
+      }
       els.runButton.disabled = false;
       return;
     }
+    const creditsRemaining = response.headers.get('X-Credits-Remaining');
+    if (creditsRemaining !== null && typeof window.dbnUpdateCredits === 'function') {
+      window.dbnUpdateCredits(parseInt(creditsRemaining, 10));
+    }
 
     const reader = response.body.getReader();
     const decoder = new TextDecoder('utf-8');