feat(doctor): add fn doctor CLI + 14 functions for system management

Adds `fn doctor` read-only diagnostic command with subcommands artefacts,
services, sync, uses-functions, unused, and --json flag for agents.
Each subcommand wraps a registry function in functions/infra/.

New functions:
- artefact_doctor, services_status, pc_locations_drift,
  audit_uses_functions, find_unused_functions (Go diagnostics)
- backup_sqlite_db, rotate_backups, wait_for_http, wait_for_port,
  port_kill, tail_journal, pre_commit_hook_install (bash utilities)
- notify_telegram (Go HTTP)
- backup_all pipeline (tag launcher)

Plus prior session leftovers (scan_secrets_in_dirty, append_diary_entry,
git utilities, http_session_cookie_middleware, compile/full-git pipelines).

Fixes pc_locations_drift filepath.Join bug with absolute dir_path.
Documents fn doctor in CLAUDE.md, .claude/rules/fn_doctor.md (rule 23),
docs/architecture.md, CHANGELOG.md (2026-05-07), and diary entry.

First fn doctor uses-functions run found drift in 7/12 apps (deuda
para sincronizar app.md con imports reales).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

bash/functions/cybersecurity/scan_secrets_in_dirty.md

@@ -0,0 +1,56 @@
+---
+name: scan_secrets_in_dirty
+kind: function
+lang: bash
+domain: cybersecurity
+version: "1.0.0"
+purity: impure
+signature: "scan_secrets_in_dirty(repo_dir: string) -> stdout: matched paths"
+description: "Para un repo git, lista archivos modificados/nuevos cuyo nombre matchee patron de secret. Patrones: .env, credentials, .key, .pem, id_rsa, secret, token*.txt. Stdout vacio si no hay matches. Exit 0 siempre que el repo exista."
+tags: [git, secrets, security, scan, credentials, cybersecurity]
+uses_functions: []
+uses_types: []
+returns: []
+returns_optional: false
+error_type: "error_go_core"
+imports: []
+params:
+  - name: repo_dir
+    desc: "path al repo git a escanear; default '.'"
+output: "paths sospechosos por stdout (uno por linea), vacio si todo limpio; exit 1 solo si repo_dir no es un repo git"
+tested: false
+tests: []
+test_file_path: ""
+file_path: "bash/functions/cybersecurity/scan_secrets_in_dirty.sh"
+---
+
+## Ejemplo
+
+```bash
+source bash/functions/cybersecurity/scan_secrets_in_dirty.sh
+
+# Escanear repo actual
+matches=$(scan_secrets_in_dirty .)
+if [[ -n "$matches" ]]; then
+    echo "ABORTAR: archivos sospechosos detectados:"
+    echo "$matches"
+    exit 1
+fi
+
+# Escanear repo especifico
+scan_secrets_in_dirty /home/lucas/fn_registry
+```
+
+## Patrones detectados
+
+- `.env`, `.env.local`, `.env.production`, etc.
+- `*credentials*`
+- `*.key`
+- `*.pem`
+- `id_rsa*`
+- `*secret*`
+- `*token*.txt`
+
+## Notas
+
+Usa `git status --porcelain` para listar solo archivos del working tree (modificados, nuevos, staged). No escanea el contenido del archivo, solo el nombre. Las claves GPG cifradas (`.gpg`) no se detectan intencionalmente — son opacas. Exit 0 siempre que el directorio sea un repo git valido, incluso si no hay matches.

bash/functions/cybersecurity/scan_secrets_in_dirty.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+# scan_secrets_in_dirty — Para un repo git, lista archivos modificados/nuevos
+# cuyo nombre matchee patron de secret. Stdout vacio si no hay matches.
+# Exit 0 siempre que el repo exista (el caller decide si abortar).
+
+scan_secrets_in_dirty() {
+    local repo_dir="${1:-.}"
+
+    if [[ ! -d "$repo_dir/.git" ]]; then
+        echo "scan_secrets_in_dirty: '$repo_dir' no es un repo git" >&2
+        return 1
+    fi
+
+    # Listar archivos modificados o nuevos (excluyendo borrados)
+    # y filtrar por patron de secret en el nombre del archivo
+    git -C "$repo_dir" status --porcelain \
+        | awk '{print $NF}' \
+        | grep -E '(^|/)(\.env(\..*)?$|.*credentials.*|.*\.key$|.*\.pem$|id_rsa.*|.*secret.*|.*token.*\.txt$)' \
+        || true
+}
+
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+    scan_secrets_in_dirty "$@"
+fi