refactor(ansible): rename freecad_mcp env vars and rework deployment

- Drop `FREECAD_MCP_` prefix from env vars (use `FREECAD_*`)
- Update freecad_mcp port from 22032 to 22061
- Document that FreeCAD bridge is required for tool calls
- Replace kottos deployment with pallas deployment

ansible/freecad_mcp/README.md

@@ -1,8 +1,7 @@
 # FreeCAD Robust MCP Server — Ansible Deployment
 
 Deploys the [FreeCAD Robust MCP Server](https://pypi.org/project/freecad-robust-mcp/)
-to Caliban as a systemd service with HTTP transport, ready for MCP Switchboard
-consumption.
+to Caliban as a systemd service with HTTP transport.
 
 ## Architecture
 
@@ -12,8 +11,8 @@ consumption.
 │                                                 │
 │  ┌──────────────────────┐                       │
 │  │  freecad-mcp.service │                       │
-│  │  (streamable-http)   │◄─── :22032 ──────────┤◄── MCP Switchboard
-│  │  venv + PyPI package │                       │    (oberon.incus)
+│  │  (streamable-http)   │◄─── :22061  ──────────┤◄── MCP Client
+│  │  venv + PyPI package │                       │    
 │  └──────────────────────┘                       │
 │           │                                     │
 │           │ xmlrpc :9875                        │
@@ -25,6 +24,18 @@ consumption.
 └─────────────────────────────────────────────────┘
 ```
 
+## FreeCAD bridge required for tool calls
+
+The service starts and answers the MCP `initialize` handshake **without** FreeCAD
+running — the XML-RPC connection to FreeCAD is only attempted on the first CAD
+tool call (lazy connect). So a green Ansible healthcheck means "transport up",
+**not** "FreeCAD reachable".
+
+Actual CAD tool calls require FreeCAD running with the Robust MCP Bridge
+workbench started, listening on XML-RPC `localhost:9875`. Standing up that bridge
+(GUI or headless) on Caliban is a separate step from getting this service to
+boot.
+
 ## Prerequisites
 
 - Caliban host in Ansible inventory (already exists in Ouranos)
@@ -62,7 +73,7 @@ Add to `ansible/inventory/host_vars/caliban.incus.yml`:
 freecad_mcp_user: harper
 freecad_mcp_group: harper
 freecad_mcp_directory: /srv/freecad-mcp
-freecad_mcp_port: 22032
+freecad_mcp_port: 22061
 freecad_mcp_version: "0.5.0"
 ```
 
@@ -100,7 +111,7 @@ The playbook automatically validates the deployment by:
 You can also manually test:
 
 ```bash
-curl -X POST http://caliban.incus:22032/mcp \
+curl -X POST http://caliban.incus:22061/mcp \
   -H "Content-Type: application/json" \
   -d '{"jsonrpc":"2.0","method":"initialize","id":1,"params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"curl","version":"1.0.0"}}}'
 ```
@@ -126,5 +137,4 @@ The systemd service runs with hardened settings:
 | `PrivateTmp` | `true` | Isolated /tmp namespace |
 | `ReadWritePaths` | `/srv/freecad-mcp` | Only app directory is writable |
 
-This is significantly more hardened than the Kernos service (which needs
-broad filesystem access for shell commands).
+