Add Cloudflare and Loki MCP server integrations

Features:
- Cloudflare Code Mode MCP: Exposes entire Cloudflare API (2,500+ endpoints)
  via remote MCP server at https://mcp.cloudflare.com/mcp
  * Two tools: search() to query OpenAPI spec, execute() to run JS code
  * Uses npx mcp-remote as stdio bridge
  * Auth via CLOUDFLARE_API_TOKEN as Bearer header

- Loki MCP Server: Log querying and analysis via Loki HTTP API
  * Query logs with LogQL syntax
  * Real-time log streaming support
  * Label introspection and metrics queries
  * Configurable via LOKI_URL environment variable

Technical changes:
- Created mcp_servers/cloudflare/ with config and connection logic
- Created mcp_servers/loki/ with HTTP client and MCP tool wrappers
- Added promtail-config-optimized.yaml for syslog ingestion config
- Updated .env.example with Cloudflare and Loki configuration templates

Both integrations:
- Use environment variables for configuration (no hardcoded credentials)
- Include feature flags (CLOUDFLARE_MCP_ENABLED, LOKI_MCP_ENABLED)
- Follow existing MCP server patterns for consistency

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

promtail-config-optimized.yaml

@@ -0,0 +1,85 @@
+server:
+  http_listen_port: 9080
+  grpc_listen_port: 0
+
+positions:
+  filename: /tmp/positions.yaml
+
+clients:
+  - url: http://loki:3100/loki/api/v1/push
+
+scrape_configs:
+  - job_name: syslog_ingest
+    syslog:
+      listen_address: 0.0.0.0:1514
+      listen_protocol: tcp
+      idle_timeout: 60s
+      label_structured_data: yes
+      labels:
+        job: "syslog_combined"
+    relabel_configs:
+      - source_labels: ['__syslog_message_hostname']
+        target_label: 'host'
+
+    # ============================================================
+    # SYSLOG NOISE FILTERS
+    # Estimated ~80-85% volume reduction from Dream Router
+    # Applied: 2026-02-23
+    # ============================================================
+    pipeline_stages:
+      # --- HIGH VOLUME DROPS (~60-70% of all logs) ---
+
+      # mDNS multicast (IPv4) - Apple/Chromecast/IoT discovery
+      # Fires across EVERY VLAN (br0, br2, br5, br10, br11, br12)
+      - drop:
+          expression: 'DST=224\.0\.0\.251'
+          drop_counter_reason: "mdns_ipv4_multicast"
+
+      # mDNS multicast (IPv6)
+      - drop:
+          expression: 'DST=ff02::fb'
+          drop_counter_reason: "mdns_ipv6_multicast"
+
+      # mDNS port catch-all (anything remaining on port 5353)
+      - drop:
+          expression: 'DPT=5353'
+          drop_counter_reason: "mdns_port_5353"
+
+      # --- MEDIUM VOLUME DROPS (~15-20%) ---
+
+      # mca-ctrl / stahtd daemon noise - fires every 2-3 seconds
+      - drop:
+          expression: 'no input for event'
+          drop_counter_reason: "mca_ctrl_stahtd_noise"
+
+      # --- LOW VOLUME DROPS (~3-5%) ---
+
+      # UniFi device discovery broadcasts
+      - drop:
+          expression: 'DPT=10001'
+          drop_counter_reason: "unifi_discovery"
+
+      # hostapd WiFi AP check systemd spam (~every 30s)
+      - drop:
+          expression: 'hostapd-global-check'
+          drop_counter_reason: "hostapd_check_spam"
+
+      # Duplicate DNAT entries for port forwards (keeps the WAN_IN Allow line)
+      - drop:
+          expression: 'PortForward.*DNAT'
+          drop_counter_reason: "duplicate_dnat"
+
+      # Internal ICMP gateway pings - devices checking if gateway alive
+      - drop:
+          expression: 'PROTO=ICMP.*DST=192\.168\.'
+          drop_counter_reason: "internal_icmp_pings"
+
+      # ============================================================
+      # WHAT WE KEEP:
+      # - [WAN_LOCAL]Block  → real attack attempts (security value)
+      # - [WAN_IN]Allow     → legit inbound traffic log
+      # - Daemon errors/warnings
+      # - DHCP/DNS logs
+      # - mcad interval changes (rare, informational)
+      # - Everything from serviceslab (Proxmox host)
+      # ============================================================