feat: tool risk policy UI + wiring through all orchestrators

- New /settings/tools page: max_risk selector (low/medium/high) + per-tool
  override dropdowns (Default / Force include / Force exclude) for all 58 tools
  grouped by category with color-coded risk badges; JS updates Auto status live
- get_tools_for_role() + get_openai_tools_for_role() now accept max_risk,
  whitelist, blacklist; _apply_risk_policy() handles the filtering logic
- get_risk_policy() helper in auth_utils reads from tool_policy.json
- Risk policy wired through orchestrator.py, openai_orchestrator.py,
  orchestrator_engine.py, nextcloud_talk.py, homeassistant.py
- Tools nav link added to settings.html and notifications.html
- CLAUDE.md and ARCH__SYSTEM.md updated: tool count 50→58, risk system docs,
  tool access control three-layer model documented

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Scott Idem
2026-05-11 22:45:04 -04:00
parent c9c1ca7de6
commit 69ec2f667d
15 changed files with 584 additions and 27 deletions


@@ -205,7 +205,13 @@ Cortex is a no-black-box system. Docs must match reality — at all times.
1. Implement the tool function in `cortex/tools/<domain>.py`
- Must be `async def`; use `asyncio.to_thread` for blocking calls
- Return a plain string result
2. Add a `FunctionDeclaration` and register it in `cortex/tools/__init__.py`
2. Add a `FunctionDeclaration` and register it in `cortex/tools/__init__.py`:
- Import the callable
- Add to `TOOL_CATEGORIES` (pick an existing category or create one)
- Add to `_CALLABLES`
- Add a `TOOL_RISK` rating (low/medium/high)
- Add to `TOOL_ROLES` if admin-only; add to `CONFIRM_REQUIRED` if destructive
- Add module to `_ALL_DECLARATIONS`
3. Syntax check: `python3 -m py_compile cortex/tools/<domain>.py`
4. Restart Cortex
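Review bot: the new checklist bullet "Add a `TOOL_RISK` rating (low/medium/high)" does not say what `_apply_risk_policy()` does with a tool that has no entry in `TOOL_RISK`. The doc should state whether an unrated tool is treated as high risk (excluded until rated) or as low risk (always included), because the second choice means a forgotten rating silently bypasses the `max_risk` threshold for every user. Suggest extending that bullet with the actual default, e.g. "Tools missing from `TOOL_RISK` are treated as high", and extending step 3 so the check also confirms every `_CALLABLES` entry has a rating, in the same spirit as the "Docs must match reality" rule in the hunk header.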
@@ -269,14 +275,21 @@ Cortex is running and stable. All channels are live:
Active users: scott (inara), holly (tina), brian (wintermute)
**50 orchestrator tools:** web_search, http_fetch, web_read, http_post,
file_read/list/write/session_read/session_search, shell_exec, claude_allow_dir,
**58 orchestrator tools** across 15 domain modules:
web_search/http_fetch/web_read/http_post,
project_file_read/list + file_stat/grep/syntax_check (project-scoped),
file_read/list/write/session_read/session_search (system-scoped, admin),
shell_exec/claude_allow_dir,
cortex_restart/logs/status/update,
task_list/create/update/complete, cron_list/add/remove/toggle,
reminders_add/list/remove/clear, scratch_read/write/append/clear,
web_push, email_send, nc_talk_send, nc_talk_history,
ae_journal_list/search/entries_list/entry_read/entry_create/entry_update/entry_disable/entry_append/entry_prepend,
ae_task_list, agent_notes_read/write/append/clear, spawn_agent.
web_push/email_send/nc_talk_send/nc_talk_history,
ae_journal_list/search/entries_list/entry_read/create/update/disable/append/prepend,
ae_task_list, agent_notes_read/write/append/clear, spawn_agent,
ha_get_state/ha_get_states/ha_call_service.
Each tool has a `TOOL_RISK` rating (low/medium/high). Configure access at `/settings/tools`
(max_risk threshold + per-tool whitelist/blacklist). Risk policy stored in `home/{user}/tool_policy.json`.
See `documentation/TODO__Agents.md` for the active task list.
See `documentation/ROADMAP.md` for phases and what's next.
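Review bot: the sentence "Configure access at `/settings/tools` (max_risk threshold + per-tool whitelist/blacklist)" leaves the precedence between the controls unstated: a reader cannot tell whether a per-tool whitelist ("Force include") entry can re-enable a tool that `max_risk` excludes, whether it can override `TOOL_ROLES` admin gating or `CONFIRM_REQUIRED` from the earlier hunk, or whether the blacklist always wins. Since the policy is read from `home/{user}/tool_policy.json`, the doc should also say who may write that file; if a user's own home directory is writable by that user, a non-admin could raise their own `max_risk` or whitelist an admin-only tool. Suggest one sentence after "Risk policy stored in `home/{user}/tool_policy.json`." giving the evaluation order `_apply_risk_policy()` actually implements (for example blacklist, then role gating, then whitelist, then max_risk) and stating that the file is admin-managed if that is the case.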