feat(platform): add new services, tools, tests and crews modules

New router intelligence modules (26 files): alert_ingest/store, audit_store,
architecture_pressure, backlog_generator/store, cost_analyzer, data_governance,
dependency_scanner, drift_analyzer, incident_* (5 files), llm_enrichment,
platform_priority_digest, provider_budget, release_check_runner, risk_* (6 files),
signature_state_store, sofiia_auto_router, tool_governance

New services:
- sofiia-console: Dockerfile, adapters/, monitor/nodes/ops/voice modules, launchd, react static
- memory-service: integration_endpoints, integrations, voice_endpoints, static UI
- aurora-service: full app suite (analysis, job_store, orchestrator, reporting, schemas, subagents)
- sofiia-supervisor: new supervisor service
- aistalk-bridge-lite: Telegram bridge lite
- calendar-service: CalDAV calendar service with reminders
- mlx-stt-service / mlx-tts-service: Apple Silicon speech services
- binance-bot-monitor: market monitor service
- node-worker: STT/TTS memory providers

New tools (9): agent_email, browser_tool, contract_tool, observability_tool,
oncall_tool, pr_reviewer_tool, repo_tool, safe_code_executor, secure_vault

New crews: agromatrix_crew (10 modules: depth_classifier, doc_facts, doc_focus,
farm_state, light_reply, llm_factory, memory_manager, proactivity, reflection_engine,
session_context, style_adapter, telemetry)

Tests: 85+ test files for all new modules
Made-with: Cursor

services/calendar-service/docs/calendar-sovereign.md

@@ -0,0 +1,154 @@
+# Calendar Sovereignty - Self-Hosted Calendar Infrastructure
+
+## Philosophy
+
+DAARION follows the principle of **digital sovereignty** - owning and controlling our communication infrastructure. Calendar is no exception.
+
+## Current Stack
+
+### Radicale + Caddy (Self-Hosted)
+
+```
+┌─────────────────────────────────────────────────────────┐
+│                    DAARION Network                      │
+│                                                         │
+│   ┌─────────────┐      ┌─────────────┐                 │
+│   │   Caddy     │──────│   Radicale  │                 │
+│   │ (TLS/Proxy) │      │   (CalDAV)  │                 │
+│   └─────────────┘      └─────────────┘                 │
+│        │                     │                         │
+│        │               ┌──────┴──────┐                  │
+│        │               │             │                  │
+│   ┌────▼────┐    ┌────▼────┐  ┌────▼────┐             │
+│   │ iOS     │    │ Android │  │  Sofiia │             │
+│   │ Calendar│    │ Calendar│  │  Agent  │             │
+│   └─────────┘    └─────────┘  └─────────┘             │
+│                                                         │
+└─────────────────────────────────────────────────────────┘
+```
+
+### Why Self-Hosted?
+
+1. **Data Ownership** - Your calendar data stays on your servers
+2. **No Vendor Lock-in** - Not dependent on Google/Apple/Microsoft
+3. **Privacy** - No third parties reading your schedule
+4. **Cost** - Free open-source software
+5. **Control** - Full control over access, backups, retention
+
+## Radicale Configuration
+
+### Features
+- CalDAV protocol support (RFC 4791)
+- CardDAV for contacts (optional)
+- HTTP Basic Auth
+- Server-side encryption (optional)
+- Web interface for users
+
+### Endpoints
+- Base URL: `https://caldav.daarion.space`
+- Web Interface: `http://localhost:5232` (local only)
+
+### User Management
+
+Users are created automatically on first login. No admin panel needed.
+
+```bash
+# Access Radicale container
+docker exec -it daarion-radicale /bin/sh
+
+# View logs
+docker logs daarion-radicale
+```
+
+## Client Configuration
+
+### iOS
+1. Settings → Calendar → Accounts → Add Account
+2. Select "CalDAV"
+3. Server: `caldav.daarion.space`
+4. Username/Password: Your credentials
+
+### Android (DAVDroid)
+1. Install DAVdroid from F-Droid
+2. Add Account → CalDAV
+3. Server URL: `https://caldav.daarion.space`
+
+### macOS
+1. Calendar → Preferences → Accounts
+2. Add Account → CalDAV
+3. Server: `https://caldav.daarion.space`
+
+### Thunderbird
+1. Calendar → New Calendar
+2. On the Network → CalDAV
+3. Location: `https://caldav.daarion.space/username/`
+
+## Security
+
+### Network Isolation
+- Radicale listens only on internal Docker network
+- Caddy handles all external traffic
+- TLS 1.3 enforced by Caddy
+
+### Authentication
+- HTTP Basic Auth (username/password)
+- Each user has isolated calendar space (`/username/`)
+- Credentials stored in Radicale config
+
+### Firewall Rules
+Only allow:
+- Port 443 (HTTPS) - public
+- Port 5232 - internal only (localhost)
+
+## Backup & Recovery
+
+### Backup Script
+```bash
+#!/bin/bash
+# backup-calendar.sh
+docker cp daarion-radicale:/data /backup/calendar-data
+tar -czf calendar-backup-$(date +%Y%m%d).tar.gz /backup/calendar-data
+```
+
+### Restore
+```bash
+docker cp /backup/calendar-data/. daarion-radicale:/data/
+docker restart daarion-radicale
+```
+
+## Monitoring
+
+### Health Checks
+- Radicale: `docker inspect --format='{{.State.Health.Status}}' daarion-radicale`
+- Caddy: `curl -f http://localhost:8080/health || exit 1`
+
+### Metrics
+- Calendar Service: `GET /metrics`
+- Account count, pending reminders
+
+## Troubleshooting
+
+### Common Issues
+
+#### "Cannot connect to CalDAV server"
+1. Check Caddy is running: `docker ps | grep caddy`
+2. Check DNS: `nslookup caldav.daarion.space`
+3. Check TLS: `curl -vI https://caldav.daarion.space`
+
+#### "Authentication failed"
+1. Check credentials in Radicale container
+2. Verify user exists: `ls /data/`
+3. Check Caddy logs: `docker logs daarion-caldav-proxy`
+
+#### "Calendar not syncing"
+1. Force refresh on client
+2. Check network connectivity
+3. Verify SSL certificate: `openssl s_client -connect caldav.daarion.space:443`
+
+## Future Enhancements
+
+1. **Radicale Cluster** - Multiple Radicale instances with load balancing
+2. **Two-Factor Auth** - Add TOTP to CalDAV authentication
+3. **Encryption at Rest** - Encrypt calendar data on disk
+4. **Audit Logging** - Track all calendar access
+5. **Multiple Providers** - Add Google Calendar, iCloud as backup

services/calendar-service/docs/calendar-tool.md

@@ -0,0 +1,176 @@
+# Calendar Tool - Documentation
+
+## Overview
+
+Calendar Tool provides unified calendar management for Sofiia agent via CalDAV protocol. Currently supports Radicale server, extensible to Google Calendar, iCloud, etc.
+
+## Architecture
+
+```
+┌─────────────┐     CalDAV      ┌─────────────┐
+│   Sofiia    │ ──────────────► │   Radicale  │
+│   Agent     │ ◄──────────────  │   Server    │
+└─────────────┘                 └─────────────┘
+       │
+       ▼
+┌─────────────────────────┐
+│   Calendar Service     │
+│   (FastAPI)            │
+├─────────────────────────┤
+│ • /v1/calendar/*       │
+│ • /v1/tools/calendar   │
+│ • Reminder Worker      │
+└─────────────────────────┘
+```
+
+## Configuration
+
+### Environment Variables
+
+```bash
+# Radicale Server URL
+RADICALE_URL=https://caldav.daarion.space
+
+# Database
+DATABASE_URL=sqlite:///./calendar.db
+```
+
+## API Endpoints
+
+### Connection Management
+
+#### Connect Radicale Account
+```bash
+POST /v1/calendar/connect/radicale
+{
+  "workspace_id": "ws1",
+  "user_id": "user1", 
+  "username": "calendar_user",
+  "password": "secure_password"
+}
+```
+
+#### List Accounts
+```bash
+GET /v1/calendar/accounts?workspace_id=ws1&user_id=user1
+```
+
+### Calendar Operations
+
+#### List Calendars
+```bash
+GET /v1/calendar/calendars?account_id=acc_1
+```
+
+#### List Events
+```bash
+GET /v1/calendar/events?account_id=acc_1&time_min=2024-01-01&time_max=2024-12-31
+```
+
+#### Create Event
+```bash
+POST /v1/calendar/events?account_id=acc_1
+{
+  "title": "Meeting with Team",
+  "start": "2024-01-15T10:00:00",
+  "end": "2024-01-15T11:00:00",
+  "timezone": "Europe/Kiev",
+  "location": "Conference Room A",
+  "description": "Weekly sync",
+  "attendees": ["team@example.com"]
+}
+```
+
+#### Update Event
+```bash
+PATCH /v1/calendar/events/{uid}?account_id=acc_1
+{
+  "title": "Updated Title",
+  "description": "New description"
+}
+```
+
+#### Delete Event
+```bash
+DELETE /v1/calendar/events/{uid}?account_id=acc_1
+```
+
+### Reminders
+
+#### Set Reminder
+```bash
+POST /v1/calendar/reminders?account_id=acc_1
+{
+  "event_uid": "evt-123",
+  "remind_at": "2024-01-15T09:00:00",
+  "channel": "inapp"  # inapp, telegram, email
+}
+```
+
+## Unified Tool Endpoint
+
+For Sofiia agent, use the unified `/v1/tools/calendar` endpoint:
+
+```bash
+POST /v1/tools/calendar
+{
+  "action": "create_event",
+  "workspace_id": "ws1",
+  "user_id": "user1",
+  "account_id": "acc_1",
+  "params": {
+    "title": "Doctor Appointment",
+    "start": "2024-02-01T14:00:00",
+    "end": "2024-02-01T14:30:00",
+    "timezone": "Europe/Kiev"
+  }
+}
+```
+
+### Available Actions
+
+| Action | Description | Required Params |
+|--------|-------------|-----------------|
+| `connect` | Connect Radicale account | `username`, `password` |
+| `list_calendars` | List calendars | `account_id` |
+| `list_events` | List events | `account_id`, `calendar_id` (optional) |
+| `get_event` | Get single event | `account_id`, `uid` |
+| `create_event` | Create event | `account_id`, `title`, `start`, `end` |
+| `update_event` | Update event | `account_id`, `uid` |
+| `delete_event` | Delete event | `account_id`, `uid` |
+| `set_reminder` | Set reminder | `account_id`, `event_uid`, `remind_at` |
+
+## Deployment
+
+### Docker Compose
+
+```bash
+cd ops
+docker-compose -f docker-compose.calendar.yml up -d
+```
+
+This starts:
+- Radicale CalDAV server on port 5232
+- Caddy reverse proxy with TLS on port 8443
+
+### Local Development
+
+```bash
+cd services/calendar-service
+pip install -r requirements.txt
+uvicorn main:app --reload --port 8001
+```
+
+## Testing
+
+```bash
+cd services/calendar-service
+pytest tests/ -v
+```
+
+## Security Notes
+
+- Passwords are stored in plaintext (in production, use encryption)
+- Caddy handles TLS termination
+- Radicale uses HTTP Basic Auth
+- No external API dependencies (self-hosted)