multi-tenant phase 3: per-user Home Assistant + enrolled services

- tools/home_assistant.py: remove hardcoded URL/token; read from per-user
  config injected via set_ha_config() at invocation time; return helpful
  enrollment prompt when HA not configured
- main.py: inject HA config from user_profile.services at startup; add
  manage_service tool (enroll/remove/list) that persists to DynamoDB;
  show enrolled services in user context; add USERS_TABLE_NAME env var
- agent-runner/handler.py: pass services dict from DDB user record in
  user_profile payload; initialize services={} for new users
- cdk/lib/agent-claw-stack.ts: grant usersTable read/write to runtime1Role
  so manage_service tool can update user records
- agentclaw/agentcore/agentcore.json: add USERS_TABLE_NAME env var

agentclaw/agentcore/agentcore.json

@@ -17,7 +17,8 @@
       "networkMode": "PUBLIC",
       "protocol": "HTTP",
       "environmentVariables": {
-        "OAUTH_START_URL": "https://sptejrymri.execute-api.us-east-1.amazonaws.com/oauth/start"
+        "OAUTH_START_URL": "https://sptejrymri.execute-api.us-east-1.amazonaws.com/oauth/start",
+        "USERS_TABLE_NAME": "agent-claw-users"
       }
     }
   ],