Initial commit: Alfred Proxy with OAuth, TTS, and FCM push notifications

- Environment-based configuration (no hardcoded secrets)
- OAuth authentication via Authentik
- ElevenLabs TTS integration via SAG CLI
- FCM push notification support
- User preferences sync system
- Multi-user support with per-user context files
- No internal IPs or service accounts in tracked files

QUICKSTART.md

@@ -0,0 +1,174 @@
+# Alfred Proxy Quick Start
+
+## Your Configuration
+
+### Backend Details for HAProxy
+
+**Add to HAProxy backend:**
+```
+Server IP: 192.168.1.169
+Server Port: 18790
+```
+
+**Full HAProxy backend config:**
+```haproxy
+backend alfred_mobile_proxy-backend
+    mode http
+    option forwardfor
+    
+    http-request add-header X-CLIENT-IP %[var(txn.real_ip)]
+    http-request set-header X-Real-IP %[var(txn.real_ip)]
+    http-request set-header X-Forwarded-For %[var(txn.real_ip)]
+    http-request set-header X-Forwarded-Proto https if { ssl_fc }
+    
+    timeout tunnel 1h
+    timeout client 1h
+    timeout server 1h
+    
+    server alfred_proxy 192.168.1.169:18790 check
+```
+
+### URLs
+
+- **Mobile app connects to:** `wss://alfred-app.dnspegasus.net`
+- **OAuth authentication:** `https://auth.dnspegasus.net`
+- **Web browser redirect:** `https://alfred.dnspegasus.net`
+
+### DNS
+
+Your wildcard DNS (`*.dnspegasus.net`) should already resolve `alfred-app.dnspegasus.net` to HAProxy.
+
+Test: `nslookup alfred-app.dnspegasus.net`
+
+### Android App Configuration
+
+```kotlin
+// OAuthConfig.kt
+object OAuthConfig {
+    const val AUTHENTIK_URL = "https://auth.dnspegasus.net"
+    const val CLIENT_ID = "QeSNaZPqZUz5pPClZMA2bakSsddkStiEhqbE4QZR"
+    const val REDIRECT_URI = "alfredmobile://oauth/callback"
+    const val SCOPE = "openid profile email"
+    
+    const val AUTHORIZATION_ENDPOINT = "$AUTHENTIK_URL/application/o/authorize/"
+    const val TOKEN_ENDPOINT = "$AUTHENTIK_URL/application/o/token/"
+    const val USERINFO_ENDPOINT = "$AUTHENTIK_URL/application/o/userinfo/"
+}
+
+// AlfredConfig.kt
+object AlfredConfig {
+    const val GATEWAY_URL = "wss://alfred-app.dnspegasus.net"
+}
+```
+
+### Start the Proxy
+
+```bash
+cd ~/.openclaw/workspace/alfred-proxy
+
+# 1. Create .env
+cat > .env << 'EOF'
+PROXY_PORT=18790
+OPENCLAW_URL=ws://127.0.0.1:18789
+OPENCLAW_TOKEN=9b87d15fee3922ecfbe77b0ea1744851757cda618beceeba
+AUTHENTIK_URL=https://auth.dnspegasus.net
+AUTHENTIK_CLIENT_ID=QeSNaZPqZUz5pPClZMA2bakSsddkStiEhqbE4QZR
+REQUIRE_AUTH=true
+EOF
+
+# 2. Install and start
+npm install
+npm run dev
+
+# 3. Test health
+curl http://localhost:18790/health
+```
+
+### HAProxy Configuration
+
+See `haproxy-alfred-app.cfg` for complete config.
+
+**Key points:**
+- Frontend ACL: `alfred-app.dnspegasus.net`
+- WebSocket connections → `alfred_mobile_proxy-backend`
+- Browser visits → Redirect to main web UI
+- Backend server: `192.168.1.169:18790`
+
+### Network Diagram
+
+```
+Android App
+    ↓
+    wss://alfred-app.dnspegasus.net (OAuth token in Authorization header)
+    ↓
+HAProxy (192.168.1.20:443)
+    ↓
+Alfred Proxy (192.168.1.169:18790)
+    - Validates OAuth token with Authentik
+    - Injects OpenClaw gateway token
+    ↓
+OpenClaw (127.0.0.1:18789)
+    ↓
+Alfred AI assistant
+```
+
+### Testing Flow
+
+1. **Test proxy locally:**
+   ```bash
+   curl http://localhost:18790/health
+   ```
+
+2. **Test from HAProxy server:**
+   ```bash
+   curl http://192.168.1.169:18790/health
+   ```
+
+3. **Test DNS:**
+   ```bash
+   nslookup alfred-app.dnspegasus.net
+   ```
+
+4. **Test redirect (browser):**
+   ```bash
+   curl -I https://alfred-app.dnspegasus.net
+   # Should redirect to alfred.dnspegasus.net
+   ```
+
+5. **Test WebSocket (with OAuth token):**
+   ```bash
+   # Get token from Authentik first, then:
+   wscat -c "wss://alfred-app.dnspegasus.net" \
+     -H "Authorization: Bearer YOUR_TOKEN"
+   ```
+
+### Troubleshooting
+
+**Can't reach proxy from HAProxy:**
+```bash
+# Test direct connection
+curl http://192.168.1.169:18790/health
+
+# Check Windows firewall
+# PowerShell (Admin):
+New-NetFirewallRule -DisplayName "Alfred Proxy" `
+  -Direction Inbound -LocalPort 18790 -Protocol TCP -Action Allow
+```
+
+**WebSocket upgrade fails:**
+- Check HAProxy ACL matches `alfred-app.dnspegasus.net`
+- Verify WebSocket headers are present
+- Check proxy logs: `journalctl --user -u alfred-proxy.service -f`
+
+**Invalid token:**
+- Verify Client ID in proxy `.env` matches Authentik
+- Test token: `curl -H "Authorization: Bearer TOKEN" https://auth.dnspegasus.net/application/o/userinfo/`
+
+### Next Steps
+
+1. ✅ Start proxy locally
+2. ✅ Configure HAProxy with correct backend
+3. ✅ Test DNS resolves
+4. ✅ Test redirect in browser
+5. ✅ Implement OAuth in Android app
+6. ✅ Test end-to-end flow