Decouple spam assessment from Akismet

Create a separate service that calls Akismet and also allows us to specify specific spam-detection logic not just for the content of the spam.

The eventual aim is for this service to take into account other factors - metadata specific to our system such as whether the user is a member of the project. This is a first iteration that does exactly what our current system does, but with a separate SpamVerdict service that tells the SpamActionService what action to take, rather than that logic being scattered.

This MR does the following:

• Add needs_recaptcha to flags on a spammable object. So we can decouple things that are spammy looking and things that for some other reason may need a recaptcha.
• Only shows the recaptcha dialogue if a spammable has been marked with needs_recaptcha, not spam. This means the API can be more decisive about what to do with a request based on many factors, not just "content looks spammy"
• Separates concerns
  • the Spammable object mutates the flags (spam, needs_recaptcha), and validates based on those flags
  • the SpamActionService acts as the intermediary between the SpamVerdictService and the spammable object itself, actioning the result of the SpamVerdictService and making the appropriate checks
  • the SpamVerdictService is given minimal information at present (as this refactor maintains current functionality), but will be given more information to make a clearer decision in the next iteration.

Follow-on issues:

• #212213 (closed)
• #214738 (closed)
• #214739 (closed)
• #214740 (closed)

Next iteration, the SpamVerdictService will be moved to an external API.

This MR is not meant to modify behaviour in any significant way.

Related to https://gitlab.com/gitlab-org/gitlab/issues/118613