feat(bootstrap): GH_TOKEN-based clone of Scrum4Me + scrum4me-mcp

Fixes the 'no GitHub credentials' deadlock observed in the first
NAS-Docker batch run (2 May 2026): scrum4me-mcp's `wait_for_job`
expects a local clone at `~/Projects/<repo-name>` (convention-fallback
in resolveRepoRoot) but the container had no credentials and no clone.
Agent asked the user how to proceed; turn closed without claim.

Changes:
- `.env.example`: GH_TOKEN (fine-grained PAT, repo+PR scope) and
  GH_PRECLONE_REPOS (comma-separated owner/name list, default covers
  Scrum4Me + scrum4me-mcp).
- `bin/repo-bootstrap.sh` (new): runs as agent-user; configures git
  credential-helper with HTTPS oauth2 token, then clones-or-fetches
  each entry in GH_PRECLONE_REPOS into ~/Projects/<name>. Idempotent.
- `bin/entrypoint.sh`: hooks repo-bootstrap before run-agent.sh.
- `Dockerfile`:
  - installs `gh` CLI (used for auto_pr `gh pr create`; reads GH_TOKEN
    from env directly).
  - pre-creates `~agent/Projects` and `~agent/.scrum4me-agent-worktrees`
    so directory-ownership is right from the first boot.
- `README.md`: 'Repo bootstrap (clone-on-start)' section + GH_TOKEN
  step in the deploy checklist; corrects the obsolete 'no push
  credentials' note (agent now pushes feature-branches, gh creates PRs).

Same token covers clone, push and PR-creation — one secret to rotate.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Dockerfile

@@ -12,10 +12,24 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
         ca-certificates curl git tini gosu jq xz-utils \
         build-essential python3 \
         tzdata logrotate \
+        gnupg \
     && ln -fs /usr/share/zoneinfo/$TZ /etc/localtime \
     && dpkg-reconfigure --frontend=noninteractive tzdata \
     && rm -rf /var/lib/apt/lists/*
 
+# ----- gh CLI ------------------------------------------------------------
+# Required for auto_pr (`gh pr create`) and authenticates via the GH_TOKEN
+# env-var that is also used by the git credential helper for HTTPS.
+RUN install -m 0755 -d /etc/apt/keyrings \
+    && curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
+       | gpg --dearmor -o /etc/apt/keyrings/githubcli-archive-keyring.gpg \
+    && chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg \
+    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
+       > /etc/apt/sources.list.d/github-cli.list \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends gh \
+    && rm -rf /var/lib/apt/lists/*
+
 # ----- node 22 LTS -------------------------------------------------------
 # Voor zowel Claude Code (de native installer heeft geen node nodig, maar
 # scrum4me-mcp draait op tsx) als de health-server.
@@ -56,6 +70,7 @@ ARG AGENT_GID=1000
 RUN groupadd -g ${AGENT_GID} agent \
     && useradd  -u ${AGENT_UID} -g ${AGENT_GID} -m -s /bin/bash agent \
     && mkdir -p /var/cache/repos /var/cache/npm /var/log/agent /var/run/agent \
+    && mkdir -p /home/agent/Projects /home/agent/.scrum4me-agent-worktrees \
     && chown -R agent:agent /var/cache /var/log/agent /var/run/agent /home/agent
 
 # ----- runner files ------------------------------------------------------