feat: consolidate 26 tools into 10 tools with 90 actions

Refactor the entire tool layer to use the consolidated action pattern
(action: Literal[...] with QUERIES/MUTATIONS dicts). This reduces LLM
context from ~12k to ~5k tokens while adding ~60 new API capabilities.

New tools: unraid_info (19 actions), unraid_array (12), unraid_notifications (9),
unraid_users (8), unraid_keys (5). Rewritten: unraid_docker (15), unraid_vm (9),
unraid_storage (6), unraid_rclone (4), unraid_health (3).

Includes 129 tests across 10 test files, code review fixes for 16 issues
(severity ordering, PrefixedID regex, sensitive var redaction, etc.).

Removes tools/system.py (replaced by tools/info.py). Version bumped to 0.2.0.

unraid_mcp/tools/keys.py

@@ -0,0 +1,146 @@
+"""API key management.
+
+Provides the `unraid_keys` tool with 5 actions for listing, viewing,
+creating, updating, and deleting API keys.
+"""
+
+from typing import Any, Literal
+
+from fastmcp import FastMCP
+
+from ..config.logging import logger
+from ..core.client import make_graphql_request
+from ..core.exceptions import ToolError
+
+QUERIES: dict[str, str] = {
+    "list": """
+        query ListApiKeys {
+          apiKeys { id name roles permissions createdAt lastUsed }
+        }
+    """,
+    "get": """
+        query GetApiKey($id: PrefixedID!) {
+          apiKey(id: $id) { id name roles permissions createdAt lastUsed }
+        }
+    """,
+}
+
+MUTATIONS: dict[str, str] = {
+    "create": """
+        mutation CreateApiKey($input: CreateApiKeyInput!) {
+          createApiKey(input: $input) { id name key roles }
+        }
+    """,
+    "update": """
+        mutation UpdateApiKey($input: UpdateApiKeyInput!) {
+          updateApiKey(input: $input) { id name roles }
+        }
+    """,
+    "delete": """
+        mutation DeleteApiKeys($input: DeleteApiKeysInput!) {
+          deleteApiKeys(input: $input)
+        }
+    """,
+}
+
+DESTRUCTIVE_ACTIONS = {"delete"}
+
+KEY_ACTIONS = Literal[
+    "list", "get", "create", "update", "delete",
+]
+
+
+def register_keys_tool(mcp: FastMCP) -> None:
+    """Register the unraid_keys tool with the FastMCP instance."""
+
+    @mcp.tool()
+    async def unraid_keys(
+        action: KEY_ACTIONS,
+        confirm: bool = False,
+        key_id: str | None = None,
+        name: str | None = None,
+        roles: list[str] | None = None,
+        permissions: list[str] | None = None,
+    ) -> dict[str, Any]:
+        """Manage Unraid API keys.
+
+        Actions:
+          list - List all API keys
+          get - Get a specific API key (requires key_id)
+          create - Create a new API key (requires name; optional roles, permissions)
+          update - Update an API key (requires key_id; optional name, roles)
+          delete - Delete API keys (requires key_id, confirm=True)
+        """
+        all_actions = set(QUERIES) | set(MUTATIONS)
+        if action not in all_actions:
+            raise ToolError(f"Invalid action '{action}'. Must be one of: {sorted(all_actions)}")
+
+        if action in DESTRUCTIVE_ACTIONS and not confirm:
+            raise ToolError(f"Action '{action}' is destructive. Set confirm=True to proceed.")
+
+        try:
+            logger.info(f"Executing unraid_keys action={action}")
+
+            if action == "list":
+                data = await make_graphql_request(QUERIES["list"])
+                keys = data.get("apiKeys", [])
+                return {"keys": list(keys) if isinstance(keys, list) else []}
+
+            if action == "get":
+                if not key_id:
+                    raise ToolError("key_id is required for 'get' action")
+                data = await make_graphql_request(QUERIES["get"], {"id": key_id})
+                return dict(data.get("apiKey", {}))
+
+            if action == "create":
+                if not name:
+                    raise ToolError("name is required for 'create' action")
+                input_data: dict[str, Any] = {"name": name}
+                if roles:
+                    input_data["roles"] = roles
+                if permissions:
+                    input_data["permissions"] = permissions
+                data = await make_graphql_request(
+                    MUTATIONS["create"], {"input": input_data}
+                )
+                return {
+                    "success": True,
+                    "key": data.get("createApiKey", {}),
+                }
+
+            if action == "update":
+                if not key_id:
+                    raise ToolError("key_id is required for 'update' action")
+                input_data = {"id": key_id}
+                if name:
+                    input_data["name"] = name
+                if roles:
+                    input_data["roles"] = roles
+                data = await make_graphql_request(
+                    MUTATIONS["update"], {"input": input_data}
+                )
+                return {
+                    "success": True,
+                    "key": data.get("updateApiKey", {}),
+                }
+
+            if action == "delete":
+                if not key_id:
+                    raise ToolError("key_id is required for 'delete' action")
+                data = await make_graphql_request(
+                    MUTATIONS["delete"], {"input": {"ids": [key_id]}}
+                )
+                return {
+                    "success": True,
+                    "message": f"API key '{key_id}' deleted",
+                }
+
+            return {}
+
+        except ToolError:
+            raise
+        except Exception as e:
+            logger.error(f"Error in unraid_keys action={action}: {e}", exc_info=True)
+            raise ToolError(f"Failed to execute keys/{action}: {str(e)}") from e
+
+    logger.info("Keys tool registered successfully")