Ops MCP for re8ch/qwen

Public URLs:
- Headlamp: https://headlamp.re8ch.com
- Grafana:  https://grafana.re8ch.com
- Registry: https://registry.re8ch.com

Authentication:
- HTTP API and MCP both require Authorization: Bearer <ops-token>
- You can also send X-Ops-Token: <ops-token>

HTTP API:
- GET  /healthz
- GET  /api/me
- GET  /api/resources?kind=pods
- GET  /api/resources?kind=deployments
- GET  /api/resources?kind=services
- GET  /api/resources?kind=nodes
- GET  /api/resources?kind=podmetrics
- GET  /api/kubeconfig
- GET  /api/registry/info
- GET  /api/grafana/links
- POST /api/restart {"deployment":"name"}
- GET  /api/admin/dex-users                    admin token required
- GET  /api/admin/dex-hash-instructions        admin token required
- POST /api/admin/ensure-tenant-access         admin token required
- POST /api/admin/create-dex-user              admin token required
- POST /api/admin/grant-user-namespace         admin token required

MCP endpoint:
- POST /mcp with JSON-RPC 2.0
- Supported methods: initialize, tools/list, tools/call

Safety boundary:
- Tenant namespace: qwen
- Normal token writes are limited to restarting deployments in qwen.
- Node access is read-only for topology and metrics.
- Admin token can reconcile Dex static users and tenant RBAC.