Initial commit: Alfred Proxy with OAuth, TTS, and FCM push notifications

- Environment-based configuration (no hardcoded secrets)
- OAuth authentication via Authentik
- ElevenLabs TTS integration via SAG CLI
- FCM push notification support
- User preferences sync system
- Multi-user support with per-user context files
- No internal IPs or service accounts in tracked files

alfred-proxy.service

@@ -0,0 +1,33 @@
+[Unit]
+Description=Alfred Authentication Proxy
+Documentation=file:///home/jknapp/.openclaw/workspace/alfred-proxy/README.md
+After=network.target openclaw-gateway.service
+Wants=openclaw-gateway.service
+
+[Service]
+Type=simple
+WorkingDirectory=/home/jknapp/.openclaw/workspace/alfred-proxy
+ExecStart=/home/jknapp/.nvm/versions/node/v24.13.0/bin/node server.js
+Restart=always
+RestartSec=10
+StandardOutput=journal
+StandardError=journal
+
+# Environment (override with ~/.config/systemd/user/alfred-proxy.service.d/override.conf)
+Environment="NODE_ENV=production"
+Environment="PROXY_PORT=18790"
+Environment="OPENCLAW_URL=ws://127.0.0.1:18789"
+Environment="OPENCLAW_TOKEN=9b87d15fee3922ecfbe77b0ea1744851757cda618beceeba"
+Environment="AUTHENTIK_URL=https://auth.dnspegasus.net"
+Environment="AUTHENTIK_CLIENT_ID="
+Environment="REQUIRE_AUTH=true"
+
+# Security hardening
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=read-only
+ReadWritePaths=/home/jknapp/.openclaw/workspace/alfred-proxy
+
+[Install]
+WantedBy=default.target