feat(skill): add /add-caldav-tool

[cfis]

Type of Change

• Feature skill - adds a channel or integration (source code changes + SKILL.md)
• Utility skill - adds a standalone tool (code files in `.claude/skills//`, no source changes)
• Operational/container skill - adds a workflow or agent skill (SKILL.md only, no source changes)
• Fix - bug fix or security fix to source code
• Simplification - reduces or simplifies source code
• Documentation - docs, README, or CONTRIBUTING changes only

Description

What. A generic CalDAV calendar skill for Nextcloud, Fastmail, iCloud, Radicale, and anything else that speaks CalDAV with HTTP Basic auth. Mirrors `/add-gcal-tool`'s OneCLI stub-credential pattern, applied to Basic auth instead of OAuth Bearer.

Why. Google Calendar deprecated CalDAV Basic auth in 2024, so `/add-gcal-tool` only covers Google. There's no upstream path for everyone else self-hosting Nextcloud or using Fastmail / iCloud calendars. CalDAV's Authorization header is exactly the shape OneCLI's `--header-name Authorization --value-format 'Basic {value}'` rule is designed to inject — so the same no-raw-creds-in-container invariant from CHANGELOG 2.0.0 applies cleanly.

How it works.

• Skill installs the `caldav-mcp` npm package (MIT, by dominik1001) into the agent container via the standard Dockerfile ARG + `pnpm install -g` block.
• Container env carries `CALDAV_BASE_URL` / `CALDAV_USERNAME` / `CALDAV_PASSWORD=onecli-managed`. The MCP server builds `Authorization: Basic <base64(user:onecli-managed)>` and sends it to the CalDAV host.
• OneCLI gateway intercepts the request, matches on host pattern, and replaces the Authorization header with the real Basic value from its vault.
• Simpler than `/add-gcal-tool` — no on-disk stub file because `caldav-mcp` is env-var-only, so no `additionalMounts` entry either.
• Phase 3 wiring uses `pnpm run ncl groups config add-mcp-server` (DB-backed); no `TOOL_ALLOWLIST` edit since `claude.ts` auto-derives `mcp__caldav__*` from `mcpServers`.

Tools surfaced as `mcp__caldav__`: `list-calendars`, `list-events`, `create-event` (with RRULE), `update-event`, `delete-event`. Free/busy and search are not in the package — the agent substitutes by widening the `list-events` window.

How it was tested. Live end-to-end against Nextcloud:

1. Generated a Nextcloud app password.
2. Registered the OneCLI secret with `--host-pattern nextcloud.savagexi.com --header-name Authorization --value-format 'Basic {value}'`.
3. Edited Dockerfile per Phase 2; `./container/build.sh`.
4. `pnpm run ncl groups config add-mcp-server --id --name caldav --command caldav-mcp --args '[]' --env '{...}'`.
5. `pnpm run build && systemctl --user restart nanoclaw`; killed running containers.
6. Asked the agent "list my calendars" — got 6 calendars back from Nextcloud with names, URLs, and ctags. OneCLI did the header swap; agent saw the response cleanly.

Usage. `/add-caldav-tool` walks the operator through:

• Phase 1: generate app password, register the OneCLI secret, verify agent secret-mode.
• Phase 2: pin `CALDAV_MCP_VERSION`, add the install line, rebuild image.
• Phase 3: `ncl groups config add-mcp-server` per target group.
• Phase 4: build + restart + kill stale containers.
• Phase 5: smoke test + diagnostic checklist (401, ENOTFOUND, discovery failure, missing tools).

For Skills

• SKILL.md contains instructions, not inline code (code goes in separate files)
• SKILL.md is under 500 lines (256)
• I tested this skill on a fresh clone