devvm: personalize emo's cluster-health skill for ha-sofia

emo cares about ha-sofia + his Sofia smart-home devices (Tuya, the MPPT
ATS, the Барзини → Статус dashboard), and only about the cluster when it's
breaking those. Rewrite his vendored cluster-health into an ha-sofia-focused,
read-only variant:
- leads with ha-sofia's in-cluster dependency chain (tuya-bridge + the
  cloudflared/Traefik/DNS/TLS reachability path), all checkable read-only;
- fixes the script path to emo's own clone (/home/emo/code) — he can't read
  wizard's tree — and runs it --no-fix (he's cluster read-only);
- loads emo's own HA token (see below) so the ha-sofia checks (26-29, 45)
  actually run for him; documents the host-SSH/Vault checks that skip;
- triages: cluster FAIL/WARN matters only if on his chain; everything else is
  a one-line "admin's area"; escalate via /file-issue since he can't fix.

This snapshot copy is now an emo-specific variant, intentionally diverged
from the canonical 47-check admin skill — README updated to say "do not
re-sync from canonical".

Token: a dedicated long-lived HA token (client_name emo-cluster-health) was
minted on ha-sofia via the admin account and stored emo-readable at
/home/emo/.config/cluster-health/haos_token (600). It carries admin HA scope
(HA only mints tokens for the authenticating account); independently revocable.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

scripts/workstation/claude-skills/README.md

@@ -19,11 +19,14 @@ unpinned-CLI dependencies out of the hourly **root** reconcile.
 
 - `mattpocock/skills` (https://github.com/mattpocock/skills) — all except `find-skills`
 - `vercel-labs/skills` (https://github.com/vercel-labs/skills) — `find-skills`
-- **homelab-local** — `cluster-health` is vendored from this repo's own
-  `.claude/skills/cluster-health/` (the canonical copy, a project skill in the
-  infra clone). It is NOT in `~/.agents/skills/`, so the `cp -a` refresh below
-  does NOT update it — re-copy it explicitly when the canonical skill changes
-  (see Refreshing).
+- **homelab-local, emo-PERSONALIZED** — `cluster-health` here is an
+  **emo-specific variant**, not a copy of the canonical skill. It started as a
+  copy of this repo's `.claude/skills/cluster-health/` but was rewritten on
+  2026-06-26 to focus on ha-sofia + emo's Sofia devices (emo is the only entry
+  in `SKILL_USERS`, a read-only power-user). The canonical admin skill
+  (`.claude/skills/cluster-health/`) is the full 47-check version and is left
+  untouched. **Do NOT `cp -a` the canonical copy over this one** — that would
+  clobber the personalization. Maintain the two independently.
 
 ## Refreshing
 
@@ -33,10 +36,12 @@ Re-snapshot the upstream skills from a current install and commit the diff:
 cp -a ~/.agents/skills/. scripts/workstation/claude-skills/
 ```
 
-Re-sync the homelab-local skill(s) from their canonical in-repo copy:
+`cluster-health` is hand-maintained (emo variant) — it is **not** covered by the
+`cp -a` above and must **not** be overwritten from `.claude/skills/`. Edit it in
+place here when emo's needs change, then refresh his live copy (the provisioner's
+`install_skills()` is if-absent, so it won't update an existing `~/.agents/skills`
+copy — `cp` the new `SKILL.md` to `/home/emo/.agents/skills/cluster-health/` and
+`chown emo:emo`, or remove emo's copy and re-run the reconcile).
 
-```sh
-cp -a .claude/skills/cluster-health scripts/workstation/claude-skills/
-```
-
-Snapshot taken 2026-06-23 (upstream); `cluster-health` vendored 2026-06-26.
+Snapshot taken 2026-06-23 (upstream); `cluster-health` vendored 2026-06-26,
+personalized for emo 2026-06-26.