feat: multi-persona support (single Cortex, multiple users)

- Add cortex/persona.py: ContextVar-based per-request routing with
  path traversal protection and persona validation
- Migrate inara/ → personas/inara/ (git history preserved via git mv)
- config.py: add personas_root(), inara_path() delegates to personas/inara
- All 14 settings.inara_path() call sites replaced with persona_path()
- ChatRequest + OrchestrateRequest: add persona field (default: "inara")
  with validation at request entry before any processing
- memory_distiller: add optional persona param for future per-persona distill
- cron_runner/tools/cron: stamp persona on jobs, prefix APScheduler IDs
  (persona:job_id) to prevent collisions across personas
- scheduler: _load_user_crons() iterates all personas at startup

Adding a new persona: create personas/<name>/ with IDENTITY.md + SOUL.md.
Auth: handled at nginx level (inject X-Cortex-Persona header per subdomain).
Future: persona maps to Aether account_id_random for full integration.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

cortex/routers/files.py

@@ -4,7 +4,7 @@ Only whitelisted filenames are accessible — no path traversal possible.
 """
 from fastapi import APIRouter, HTTPException
 from pydantic import BaseModel
-from config import settings
+from persona import persona_path
 
 router = APIRouter()
 
@@ -25,12 +25,12 @@ ALLOWED = {
 def _path(filename: str):
     if filename not in ALLOWED:
         raise HTTPException(status_code=404, detail=f"File not found: {filename}")
-    return settings.inara_path() / filename
+    return persona_path() / filename
 
 
 @router.get("/files")
 async def list_files() -> dict:
-    inara_dir = settings.inara_path()
+    inara_dir = persona_path()
     files = []
     for name in sorted(ALLOWED):
         p = inara_dir / name