fix: per-persona session/file isolation + onboarding route order

- session_store: store sessions under home/{user}/persona/{name}/session_data/
  instead of the shared cortex/data/sessions/ bucket
- chat endpoints: add user/persona query params to /sessions, /history/*,
  /sessions/*, /note so they resolve the correct persona context
- files router: add user/persona query params to /files and /files/{name}
  so the file browser loads the right persona's files
- app.js: pass user/persona on all session, history, and file fetches;
  move _fileParams to top-level scope so it is available everywhere
- onboarding: fix FastAPI route ordering — register /persona before /{token}
  so the literal path wins and does not get captured as a token value
- ui.py: read Emoji field from IDENTITY.md and inject into CORTEX_CONFIG
  so the header icon reflects each persona's chosen emoji
- .gitignore: exclude home/**/session_data/ (runtime state)
- migrate scott/inara sessions from cortex/data/sessions/ to session_data/

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

cortex/routers/chat.py

@@ -1,6 +1,6 @@
 import asyncio
 import json
-from fastapi import APIRouter, HTTPException
+from fastapi import APIRouter, HTTPException, Query
 from fastapi.responses import StreamingResponse
 from pydantic import BaseModel
 from context_loader import load_context
@@ -143,18 +143,41 @@ async def set_backend(req: BackendRequest) -> dict:
     return {"primary": settings.primary_backend, "fallback": other}
 
 
+def _set_ctx(user: str, persona: str) -> None:
+    """Validate and set persona context from query params. Raises HTTPException on bad input."""
+    try:
+        u, p = validate_persona(user, persona)
+        set_context(u, p)
+    except ValueError as e:
+        raise HTTPException(status_code=404, detail=str(e))
+
+
 @router.get("/history/{session_id}")
-async def get_history(session_id: str) -> dict:
+async def get_history(
+    session_id: str,
+    user: str = Query("scott"),
+    persona: str = Query("inara"),
+) -> dict:
+    _set_ctx(user, persona)
     return {"session_id": session_id, "messages": load_session(session_id)}
 
 
 @router.get("/sessions")
-async def list_sessions() -> dict:
+async def list_sessions(
+    user: str = Query("scott"),
+    persona: str = Query("inara"),
+) -> dict:
+    _set_ctx(user, persona)
     return {"sessions": list_all()}
 
 
 @router.delete("/sessions/{session_id}")
-async def delete_session_endpoint(session_id: str) -> dict:
+async def delete_session_endpoint(
+    session_id: str,
+    user: str = Query("scott"),
+    persona: str = Query("inara"),
+) -> dict:
+    _set_ctx(user, persona)
     found = delete_session(session_id)
     if not found:
         raise HTTPException(status_code=404, detail=f"Session {session_id} not found")
@@ -162,8 +185,14 @@ async def delete_session_endpoint(session_id: str) -> dict:
 
 
 @router.put("/history/{session_id}")
-async def replace_history(session_id: str, req: HistoryUpdate) -> dict:
+async def replace_history(
+    session_id: str,
+    req: HistoryUpdate,
+    user: str = Query("scott"),
+    persona: str = Query("inara"),
+) -> dict:
     """Replace the full message list for a session (used by edit/delete UI)."""
+    _set_ctx(user, persona)
     save_session(session_id, req.messages)
     return {"ok": True, "session_id": session_id}
 
@@ -193,8 +222,13 @@ async def sse_events() -> StreamingResponse:
 
 
 @router.post("/note")
-async def add_note(req: NoteRequest) -> dict:
+async def add_note(
+    req: NoteRequest,
+    user: str = Query("scott"),
+    persona: str = Query("inara"),
+) -> dict:
     """Inject a public note into session history so the LLM sees it next turn."""
+    _set_ctx(user, persona)
     history = load_session(req.session_id)
     history.append({"role": "user", "content": f"[NOTE] {req.note}"})
     save_session(req.session_id, history)