feat: consolidate 26 tools into 10 tools with 90 actions

Refactor the entire tool layer to use the consolidated action pattern
(action: Literal[...] with QUERIES/MUTATIONS dicts). This reduces LLM
context from ~12k to ~5k tokens while adding ~60 new API capabilities.

New tools: unraid_info (19 actions), unraid_array (12), unraid_notifications (9),
unraid_users (8), unraid_keys (5). Rewritten: unraid_docker (15), unraid_vm (9),
unraid_storage (6), unraid_rclone (4), unraid_health (3).

Includes 129 tests across 10 test files, code review fixes for 16 issues
(severity ordering, PrefixedID regex, sensitive var redaction, etc.).

Removes tools/system.py (replaced by tools/info.py). Version bumped to 0.2.0.

unraid_mcp/tools/users.py

@@ -0,0 +1,163 @@
+"""User management.
+
+Provides the `unraid_users` tool with 8 actions for managing users,
+cloud access, remote access settings, and allowed origins.
+"""
+
+from typing import Any, Literal
+
+from fastmcp import FastMCP
+
+from ..config.logging import logger
+from ..core.client import make_graphql_request
+from ..core.exceptions import ToolError
+
+QUERIES: dict[str, str] = {
+    "me": """
+        query GetMe {
+          me { id name role email }
+        }
+    """,
+    "list": """
+        query ListUsers {
+          users { id name role email }
+        }
+    """,
+    "get": """
+        query GetUser($id: PrefixedID!) {
+          user(id: $id) { id name role email }
+        }
+    """,
+    "cloud": """
+        query GetCloud {
+          cloud { status apiKey error }
+        }
+    """,
+    "remote_access": """
+        query GetRemoteAccess {
+          remoteAccess { enabled url }
+        }
+    """,
+    "origins": """
+        query GetAllowedOrigins {
+          allowedOrigins
+        }
+    """,
+}
+
+MUTATIONS: dict[str, str] = {
+    "add": """
+        mutation AddUser($input: AddUserInput!) {
+          addUser(input: $input) { id name role }
+        }
+    """,
+    "delete": """
+        mutation DeleteUser($id: PrefixedID!) {
+          deleteUser(id: $id)
+        }
+    """,
+}
+
+DESTRUCTIVE_ACTIONS = {"delete"}
+
+USER_ACTIONS = Literal[
+    "me", "list", "get", "add", "delete", "cloud", "remote_access", "origins",
+]
+
+
+def register_users_tool(mcp: FastMCP) -> None:
+    """Register the unraid_users tool with the FastMCP instance."""
+
+    @mcp.tool()
+    async def unraid_users(
+        action: USER_ACTIONS,
+        confirm: bool = False,
+        user_id: str | None = None,
+        name: str | None = None,
+        password: str | None = None,
+        role: str | None = None,
+    ) -> dict[str, Any]:
+        """Manage Unraid users and access settings.
+
+        Actions:
+          me - Get current authenticated user info
+          list - List all users
+          get - Get a specific user (requires user_id)
+          add - Add a new user (requires name, password; optional role)
+          delete - Delete a user (requires user_id, confirm=True)
+          cloud - Get Unraid Connect cloud status
+          remote_access - Get remote access settings
+          origins - Get allowed origins
+        """
+        all_actions = set(QUERIES) | set(MUTATIONS)
+        if action not in all_actions:
+            raise ToolError(f"Invalid action '{action}'. Must be one of: {sorted(all_actions)}")
+
+        if action in DESTRUCTIVE_ACTIONS and not confirm:
+            raise ToolError(f"Action '{action}' is destructive. Set confirm=True to proceed.")
+
+        try:
+            logger.info(f"Executing unraid_users action={action}")
+
+            if action == "me":
+                data = await make_graphql_request(QUERIES["me"])
+                return dict(data.get("me", {}))
+
+            if action == "list":
+                data = await make_graphql_request(QUERIES["list"])
+                users = data.get("users", [])
+                return {"users": list(users) if isinstance(users, list) else []}
+
+            if action == "get":
+                if not user_id:
+                    raise ToolError("user_id is required for 'get' action")
+                data = await make_graphql_request(QUERIES["get"], {"id": user_id})
+                return dict(data.get("user", {}))
+
+            if action == "add":
+                if not name or not password:
+                    raise ToolError("add requires name and password")
+                input_data: dict[str, Any] = {"name": name, "password": password}
+                if role:
+                    input_data["role"] = role.upper()
+                data = await make_graphql_request(
+                    MUTATIONS["add"], {"input": input_data}
+                )
+                return {
+                    "success": True,
+                    "user": data.get("addUser", {}),
+                }
+
+            if action == "delete":
+                if not user_id:
+                    raise ToolError("user_id is required for 'delete' action")
+                data = await make_graphql_request(
+                    MUTATIONS["delete"], {"id": user_id}
+                )
+                return {
+                    "success": True,
+                    "message": f"User '{user_id}' deleted",
+                }
+
+            if action == "cloud":
+                data = await make_graphql_request(QUERIES["cloud"])
+                return dict(data.get("cloud", {}))
+
+            if action == "remote_access":
+                data = await make_graphql_request(QUERIES["remote_access"])
+                return dict(data.get("remoteAccess", {}))
+
+            if action == "origins":
+                data = await make_graphql_request(QUERIES["origins"])
+                origins = data.get("allowedOrigins", [])
+                return {"origins": list(origins) if isinstance(origins, list) else []}
+
+            return {}
+
+        except ToolError:
+            raise
+        except Exception as e:
+            logger.error(f"Error in unraid_users action={action}: {e}", exc_info=True)
+            raise ToolError(f"Failed to execute users/{action}: {str(e)}") from e
+
+    logger.info("Users tool registered successfully")