Harden posture/borg audit scripts (robustness + coverage)

Working-tree improvements to the audit scripts (authored locally, not by me;
reviewed for correctness + bash -n clean before commit):

- compose-runtime-drift: prefer `docker compose config` for the expected image
  with a raw-parse fallback; raw parser now resolves YAML anchors (*alias) so
  anchor-based composes (e.g. dawarich) no longer mis-report drift.
- komodo-stack-hygiene: treat an unreachable Komodo API as critical and exit 3
  so the Healthchecks EXIT trap sends /fail (the monitor itself is down, not
  "all green"); git fetch before hash-drift compare; clearer "cannot compare"
  message; pin in-container km host to localhost:9120.
- cert-token-check: expand monitored cert domains to the full set incl.
  hc.kaleschke.info.
- gitea-bundle-mirror: skip empty repos without refs instead of failing.
- unraid-user-scripts.md: document SEND_NTFY/NTFY_TOPIC for the daily report.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

ops/borg-ui/scripts/gitea-bundle-mirror.sh

@@ -87,13 +87,20 @@ main() {
       continue
     fi
 
+    rel="${repo#$SOURCE_ROOT/}"
+    if ! git --git-dir="$repo" show-ref --quiet; then
+      skipped=$((skipped + 1))
+      printf 'SKIP\t%s\tempty repository without refs\n' "$rel" >> "$details"
+      printf '%s\t%s\t%s\t%s\n' "$total" "$bundled" "$skipped" "$failed" > "$run_tmp/counts"
+      continue
+    fi
+
     target="$(bundle_target_for_repo "$repo")"
     target_dir="$(dirname "$target")"
     tmp="$run_tmp/$(basename "$target").tmp"
     target_tmp="$target_dir/.$(basename "$target").tmp"
     mkdir -p "$target_dir"
 
-    rel="${repo#$SOURCE_ROOT/}"
     log "Bundling $rel"
 
     if git --git-dir="$repo" bundle create "$tmp" --all >/dev/null 2>&1 &&