feat(it-ops): LAN bootstrap for read API, NPM proxy, Cloudflare DNS

- bootstrap-sankofa-it-read-api-lan.sh: rsync /opt/proxmox, systemd + env file,
  repo .env keys, portal CT 7801 merge, weekly export timer; tolerate export exit 2
- upsert-it-read-api-proxy-host.sh, add-it-api-sankofa-dns.sh
- systemd example uses EnvironmentFile; docs, spec, AGENTS, read API README

Made-with: Cursor

config/systemd/sankofa-it-read-api.service.example

@@ -12,10 +12,13 @@ After=network.target
 Type=simple
 User=root
 WorkingDirectory=/opt/proxmox
-Environment=IT_READ_API_HOST=127.0.0.1
-Environment=IT_READ_API_PORT=8787
+# Production pattern (see scripts/deployment/bootstrap-sankofa-it-read-api-lan.sh):
+EnvironmentFile=-/etc/sankofa-it-read-api.env
+# Or inline (dev):
+# Environment=IT_READ_API_HOST=127.0.0.1
+# Environment=IT_READ_API_PORT=8787
 # Environment=IT_READ_API_KEY=change-me
-# Optional browser CORS (prefer portal /api/it/* proxy): Environment=IT_READ_API_CORS_ORIGINS=https://portal.sankofa.nexus
+# Optional: IT_READ_API_CORS_ORIGINS=https://portal.sankofa.nexus
 ExecStart=/usr/bin/python3 /opt/proxmox/services/sankofa-it-read-api/server.py
 Restart=on-failure
 RestartSec=5