feat(t-paliad-155): real Claude SKILL.md + per-user tmux session

Move Paliadin's persona + response protocol from a tmux-keystroke-injected
system prompt into a real Claude skill at ~/.claude/skills/paliadin/SKILL.md
(repo source: scripts/skills/paliadin/SKILL.md, install script:
scripts/install-paliadin-skill). Claude's skill router auto-matches the
[PALIADIN:<uuid>] envelope on every turn, so the protocol contract
survives /clear, fresh sessions, and pane restarts — root-cause fix for
the post-/clear stuck-spinner that triggered this task.

Per-user tmux session keying: each Paliad user gets a session named
<prefix>-<userid8> (first 8 hex chars of UUID). One persistent session
per user, conversation history accumulates per visit, ResetSession kills
the session entirely. Health-check cache becomes per-session.

Service-side simplifications:
- paliadin_prompt.go (paliadinSystemPrompt) deleted; trailer parser stays
  in paliadin.go.
- paliadin_remote.go: ensureBootstrapped removed; healthGate takes a
  session arg + caches per-key; ResetSession derives session from UserID
  and shells out to 'reset <session>'.
- paliadin.go (LocalPaliadinService): per-user pane cache, ensurePane
  takes UserID, no more in-process system-prompt send.
- Paliadin interface: ResetSession now takes UserID.

Shim refactor (scripts/paliadin-shim):
- All verbs accept the tmux session as their first positional arg.
- 'bootstrap' verb removed (skill replaces it).
- 'reset' kills the named session via tmux kill-session.
- Session name validated against [A-Za-z0-9_.-]{1,64}.

Env var rename: PALIADIN_TMUX_SESSION -> PALIADIN_SESSION_PREFIX (semantic
shift from literal session name to per-user prefix); CLAUDE.md updated.

Tests cover per-session health caching, session-name derivation,
ResetSession kill-session shape, and health-cache eviction on reset.

cmd/server/main.go

@@ -189,9 +189,9 @@ func main() {
 			log.Printf("paliadin: remote mode → ssh %s@%s:%d (owner=%s)",
 				cfg.SSHUser, cfg.SSHHost, cfg.SSHPort, services.PaliadinOwnerEmail)
 		} else if _, err := exec.LookPath("tmux"); err == nil {
-			tmuxSession := os.Getenv("PALIADIN_TMUX_SESSION")
+			sessionPrefix := os.Getenv("PALIADIN_SESSION_PREFIX")
 			responseDir := os.Getenv("PALIADIN_RESPONSE_DIR")
-			svcBundle.Paliadin = services.NewLocalPaliadinService(pool, users, tmuxSession, responseDir)
+			svcBundle.Paliadin = services.NewLocalPaliadinService(pool, users, sessionPrefix, responseDir)
 			log.Printf("paliadin: local tmux mode (owner=%s)", services.PaliadinOwnerEmail)
 		} else {
 			svcBundle.Paliadin = services.NewDisabledPaliadinService(pool, users)
@@ -252,9 +252,10 @@ func main() {
 // (default 22022 — bypasses Tailscale SSH on :22, see design §4.5).
 func buildPaliadinRemoteConfig(host string) (services.RemotePaliadinConfig, error) {
 	cfg := services.RemotePaliadinConfig{
-		SSHHost: host,
-		SSHUser: cmpOr(os.Getenv("PALIADIN_REMOTE_USER"), "m"),
-		SSHPort: 22022,
+		SSHHost:       host,
+		SSHUser:       cmpOr(os.Getenv("PALIADIN_REMOTE_USER"), "m"),
+		SSHPort:       22022,
+		SessionPrefix: os.Getenv("PALIADIN_SESSION_PREFIX"),
 	}
 	if p := os.Getenv("PALIADIN_REMOTE_PORT"); p != "" {
 		n, err := strconv.Atoi(p)