[ci skip] Refactor knowledge: CLAUDE.md 881→190 lines, extract reference data

CLAUDE.md changes:
- Extract service catalog + Cloudflare domains → .claude/reference/service-catalog.md
- Extract Proxmox VMs, hardware, network → .claude/reference/proxmox-inventory.md
- Extract GitHub/Drone API patterns → .claude/reference/github-drone-api.md
- Extract Authentik state snapshot → .claude/reference/authentik-state.md
- Remove Init Container pattern (duplicates setup-project skill)
- Remove Poison Fountain service notes (duplicates Anti-AI section)
- Consolidate Authentik section (link to skills + reference)
- Remove resource limit tables (kept tier definitions inline)

Skill merges (37→32):
- helm-release-force-rerender + helm-stuck-release-recovery → helm-release-troubleshooting
- containerd-multi-registry-pull-through-cache + k8s-docker-registry-cache-bypass → k8s-container-image-caching
- (traefik merges in previous commits)

.claude/reference/authentik-state.md

@@ -0,0 +1,50 @@
+# Authentik Current State
+
+> Snapshot of applications, groups, users, and flows. Use `authentik` skill for management tasks.
+
+## Applications (9)
+| Application | Provider Type | Auth Flow |
+|-------------|--------------|-----------|
+| Cloudflare Access | OAuth2/OIDC | explicit consent |
+| Domain wide catch all | Proxy (forward auth) | implicit consent |
+| Grafana | OAuth2/OIDC | implicit consent |
+| Headscale | OAuth2/OIDC | explicit consent |
+| Immich | OAuth2/OIDC | explicit consent |
+| Kubernetes | OAuth2/OIDC (public) | implicit consent |
+| linkwarden | OAuth2/OIDC | explicit consent |
+| Matrix | OAuth2/OIDC | implicit consent |
+| wrongmove | OAuth2/OIDC | implicit consent |
+
+## Groups (9)
+| Group | Parent | Superuser | Purpose |
+|-------|--------|-----------|---------|
+| Allow Login Users | — | No | Parent group for login-permitted users |
+| authentik Admins | — | Yes | Full admin access |
+| authentik Read-only | — | No | Read-only access (has role) |
+| Headscale Users | Allow Login Users | No | VPN access |
+| Home Server Admins | Allow Login Users | No | Server admin access |
+| Wrongmove Users | Allow Login Users | No | Real-estate app access |
+| kubernetes-admins | — | No | K8s cluster-admin RBAC |
+| kubernetes-power-users | — | No | K8s power-user RBAC |
+| kubernetes-namespace-owners | — | No | K8s namespace-owner RBAC |
+
+## Users (7 real)
+| Username | Name | Type | Groups |
+|----------|------|------|--------|
+| akadmin | authentik Default Admin | internal | authentik Admins, Home Server Admins, Headscale Users |
+| vbarzin@gmail.com | Viktor Barzin | internal | authentik Admins, Home Server Admins, Wrongmove Users, Headscale Users |
+| emil.barzin@gmail.com | Emil Barzin | internal | Home Server Admins, Headscale Users |
+| ancaelena98@gmail.com | Anca Milea | external | Wrongmove Users, Headscale Users |
+| vabbit81@gmail.com | GHEORGHE Milea | external | Headscale Users |
+| valentinakolevabarzina@gmail.com | Валентина Колева-Барзина | internal | Headscale Users |
+| anca.r.cristian10@gmail.com | — | internal | Wrongmove Users |
+| kadir.tugan@gmail.com | Kadir | internal | Wrongmove Users |
+
+## Login Sources
+- **Google** (OAuth) — user matching by identifier
+- **GitHub** (OAuth) — user matching by email_link
+- **Facebook** (OAuth) — user matching by email_link
+
+## Authorization Flows
+- **Explicit consent** (`default-provider-authorization-explicit-consent`): Shows consent screen
+- **Implicit consent** (`default-provider-authorization-implicit-consent`): Auto-redirects