fix(scripts): dépersonnaliser les 3 scripts SUPERVISOR — VPS_WATCH_ROOT + VPS_SERVICE_USER

- brain-watch-vps.sh : WATCH_ROOT hardcodé → ${VPS_WATCH_ROOT:-$HOME/brain-watch}
  + message d'erreur git clone lit BRAIN_GIT_URL depuis MYSECRETS
- install-brain-watch.sh : VPS_WATCH_ROOT + GITEA_BRAIN_URL → MYSECRETS/env
  + validation explicite si BRAIN_GIT_URL absent
- install-brain-bot.sh : WATCH_ROOT + User=tetardtek → VPS_WATCH_ROOT + VPS_SERVICE_USER
  + fallback whoami pour le service systemd

Aucun path ou URL owner hardcodé — tout passe par env ou MYSECRETS.

scripts/install-brain-bot.sh

@@ -25,7 +25,7 @@ set -euo pipefail
 # Configuration — à adapter si besoin
 # ---------------------------------------------------------------------------
 
-WATCH_ROOT="/home/tetardtek/brain-watch"
+WATCH_ROOT="${VPS_WATCH_ROOT:-$HOME/brain-watch}"
 MYSECRETS="$WATCH_ROOT/MYSECRETS"
 BOT_PORT=5001
 BOT_SCRIPT="$WATCH_ROOT/brain-bot.py"
@@ -94,7 +94,7 @@ After=network.target
 
 [Service]
 Type=simple
-User=tetardtek
+User=${VPS_SERVICE_USER:-$(whoami)}
 WorkingDirectory=${WATCH_ROOT}
 Environment=BRAIN_WATCH_ROOT=${WATCH_ROOT}
 Environment=BRAIN_BOT_PORT=${BOT_PORT}