feat: add comprehensive framework features and deployment improvements

Major additions:
- Storage abstraction layer with filesystem and in-memory implementations
- Gitea API integration with MCP tools for repository management
- Console dialog mode with interactive command execution
- WireGuard VPN DNS fix implementation and documentation
- HTTP client streaming response support
- Router generic result type
- Parameter type validator for framework core

Framework enhancements:
- Console command registry improvements
- Console dialog components
- Method signature analyzer updates
- Route mapper refinements
- MCP server and tool mapper updates
- Queue job chain and dependency commands
- Discovery tokenizer improvements

Infrastructure:
- Deployment architecture documentation
- Ansible playbook updates for WireGuard client regeneration
- Production environment configuration updates
- Docker Compose local configuration updates
- Remove obsolete docker-compose.yml (replaced by environment-specific configs)

Documentation:
- PERMISSIONS.md for access control guidelines
- WireGuard DNS fix implementation details
- Console dialog mode usage guide
- Deployment architecture overview

Testing:
- Multi-purpose attribute tests
- Gitea Actions integration tests (typed and untyped)

docs/deployment/WIREGUARD-DNS-FIX-IMPLEMENTED.md

@@ -0,0 +1,283 @@
+# WireGuard DNS Fix - Implementation Status
+
+**Status**: ✅ Phase 1 COMPLETED - DNS Configuration Added
+**Datum**: 2025-01-29
+**Implementiert**: DNS-Konfiguration in Ansible Variables
+
+## Was wurde geändert?
+
+### 1. Ansible Group Variables Update
+
+**Datei**: `deployment/ansible/group_vars/production.yml`
+
+**Änderung**:
+```yaml
+# WireGuard DNS Configuration
+# DNS server for VPN clients (points to VPN server IP)
+# This ensures internal services are resolved to VPN IPs
+wireguard_dns_servers:
+  - "{{ wireguard_server_ip_default }}"
+```
+
+**Effekt**:
+- Template `wireguard-client.conf.j2` wird jetzt `DNS = 10.8.0.1` in Client-Configs generieren
+- Die `{% if wireguard_dns_servers | length > 0 %}` Bedingung im Template wird jetzt TRUE
+- Alle neu generierten Client-Configs enthalten DNS-Konfiguration
+
+## Wie funktioniert es?
+
+### Template Logic (bereits vorhanden)
+```jinja2
+{% if wireguard_dns_servers | length > 0 %}
+# DNS servers provided via Ansible (optional)
+DNS = {{ wireguard_dns_servers | join(', ') }}
+{% endif %}
+```
+
+### Generated Client Config (nach Regenerierung)
+```ini
+[Interface]
+PrivateKey = <client_private_key>
+Address = 10.8.0.7/24
+DNS = 10.8.0.1    # ← JETZT ENTHALTEN!
+
+[Peer]
+PublicKey = <server_public_key>
+Endpoint = michaelschiemer.de:51820
+AllowedIPs = 10.8.0.0/24
+PersistentKeepalive = 25
+```
+
+## Erwartetes Verhalten
+
+### DNS Resolution (Windows Client)
+```powershell
+# Nach Import der neuen Config:
+Get-DnsClientServerAddress | Where-Object {$_.InterfaceAlias -like "*WireGuard*"}
+
+# Expected Output:
+InterfaceAlias       : WireGuard Tunnel wg0
+ServerAddresses      : {10.8.0.1}    # ← VPN DNS Server
+```
+
+### Service Resolution
+```powershell
+Resolve-DnsName grafana.michaelschiemer.de
+
+# Expected Output:
+Name                  Type  TTL   Section    IPAddress
+----                  ----  ---   -------    ---------
+grafana.michaelschiemer.de  A  300  Answer     10.8.0.1    # ← VPN IP statt Public IP!
+```
+
+### HTTP Traffic Routing
+```bash
+# Traefik Access Log (Server-Side):
+# VORHER (ohne DNS):
+89.246.96.244 - - [Date] "GET /grafana HTTP/2.0" 404
+      ↑ Public IP (FALSCH)
+
+# NACHHER (mit DNS):
+10.8.0.5 - - [Date] "GET /grafana HTTP/2.0" 200
+    ↑ VPN IP (KORREKT)
+```
+
+## Nächste Schritte (PENDING)
+
+### Phase 2: Client Config Regenerierung
+
+**Für Windows Client "mikepc"**:
+```bash
+cd ~/dev/michaelschiemer/deployment/ansible
+
+ansible-playbook -i inventory/production.yml \
+  playbooks/regenerate-wireguard-client.yml \
+  -e "client_name=mikepc" \
+  -e "client_ip=10.8.0.5"
+```
+
+**Output**:
+- Backup: `mikepc.conf.backup-<timestamp>`
+- Neue Config: `deployment/ansible/wireguard-clients/mikepc.conf`
+- QR Code: `deployment/ansible/wireguard-clients/mikepc.png`
+
+### Phase 3: Docker Container Test (OPTIONAL)
+
+Teste VPN-Funktionalität in isolierter Umgebung:
+```bash
+ansible-playbook -i inventory/production.yml \
+  playbooks/test-wireguard-docker-container.yml \
+  -e "client_name=mikepc"
+```
+
+**Verifizierung**:
+```bash
+# Ping Test
+docker exec wireguard-test-mikepc ping -c 4 10.8.0.1
+
+# DNS Test
+docker exec wireguard-test-mikepc nslookup grafana.michaelschiemer.de 10.8.0.1
+
+# HTTP Test
+docker exec wireguard-test-mikepc curl -v https://grafana.michaelschiemer.de
+```
+
+### Phase 4: Windows Client Import
+
+1. **WireGuard Application öffnen**
+2. **Tunnel "wg0" deaktivieren** (falls aktiv)
+3. **Tunnel "wg0" löschen** (alte Config entfernen)
+4. **Neue Config importieren**:
+   - "Add Tunnel" → "Import from file"
+   - Datei: `deployment/ansible/wireguard-clients/mikepc.conf`
+5. **Tunnel "wg0" aktivieren**
+
+### Phase 5: Verification (Windows)
+
+**DNS Check**:
+```powershell
+Get-DnsClientServerAddress | Where-Object {$_.InterfaceAlias -like "*WireGuard*"}
+# Expected: ServerAddresses = {10.8.0.1}
+
+Resolve-DnsName grafana.michaelschiemer.de
+# Expected: IPAddress = 10.8.0.1
+```
+
+**Browser Test**:
+```
+https://grafana.michaelschiemer.de
+Expected: Grafana Dashboard OHNE 404 Error
+```
+
+**Server-Side Verification**:
+```bash
+# Traefik Access Log
+ssh deploy@michaelschiemer.de
+docker logs traefik --tail 50 | grep grafana
+
+# Expected:
+# 10.8.0.5 - - [Date] "GET /grafana HTTP/2.0" 200
+#     ↑ VPN IP statt Public IP!
+```
+
+## Troubleshooting
+
+### Problem: DNS Still Not Working
+
+**Check 1: Verify Config Contains DNS Line**
+```powershell
+Get-Content "C:\Path\To\mikepc.conf" | Select-String -Pattern "DNS"
+
+# Expected:
+DNS = 10.8.0.1
+```
+
+**Check 2: Verify Windows Uses VPN DNS**
+```powershell
+Get-DnsClientServerAddress | Format-Table InterfaceAlias, ServerAddresses
+
+# WireGuard Interface should show 10.8.0.1
+```
+
+**Check 3: Flush DNS Cache**
+```powershell
+ipconfig /flushdns
+Clear-DnsClientCache
+```
+
+### Problem: VPN Connects But Still Uses Public IP
+
+**Check 1: Verify Routes**
+```powershell
+Get-NetRoute | Where-Object {$_.DestinationPrefix -eq "10.8.0.0/24"}
+
+# Should exist with WireGuard interface
+```
+
+**Check 2: Test DNS Resolution**
+```powershell
+Resolve-DnsName grafana.michaelschiemer.de -Server 10.8.0.1
+
+# Direct query to VPN DNS should work
+```
+
+### Problem: Cannot Reach grafana.michaelschiemer.de
+
+**Check 1: CoreDNS on Server**
+```bash
+ssh deploy@michaelschiemer.de
+docker ps | grep coredns
+docker logs coredns
+```
+
+**Check 2: Traefik Configuration**
+```bash
+docker logs traefik | grep grafana
+# Check for middleware configuration
+```
+
+## Rollback Plan
+
+Falls Probleme auftreten:
+
+### Rollback Client Config
+```bash
+# Restore backup on server
+ssh deploy@michaelschiemer.de
+cd /etc/wireguard/clients
+cp mikepc.conf.backup-<timestamp> mikepc.conf
+
+# Re-import on Windows
+```
+
+### Rollback Ansible Variables
+```bash
+git diff deployment/ansible/group_vars/production.yml
+git checkout deployment/ansible/group_vars/production.yml
+```
+
+## Success Criteria
+
+✅ **DNS Configuration Added**: Ansible variables updated
+⏳ **Client Config Regenerated**: PENDING
+⏳ **Windows Client Import**: PENDING
+⏳ **DNS Resolution Working**: PENDING
+⏳ **HTTP/HTTPS via VPN**: PENDING
+⏳ **Traefik Shows VPN IP**: PENDING
+
+## Alternative Options (If DNS Fix Fails)
+
+### Option B: Full Tunnel VPN
+```yaml
+# AllowedIPs = 0.0.0.0/0 statt 10.8.0.0/24
+# Routes ALL traffic through VPN
+```
+
+### Option C: Alternative VPN Software
+- OpenVPN (bewährt, stabil)
+- Tailscale (managed, einfach)
+- ZeroTier (mesh network)
+
+## Referenzen
+
+- **Implementation Plan**: `WIREGUARD-IMPLEMENTATION-PLAN.md`
+- **Original Analysis**: `WIREGUARD-WINDOWS-ROUTING-FINAL-ANALYSIS.md`
+- **DNS Solution**: `WIREGUARD-WINDOWS-DNS-FIX.md`
+- **Template**: `deployment/ansible/templates/wireguard-client.conf.j2`
+- **Variables**: `deployment/ansible/group_vars/production.yml`
+
+## Notes
+
+**Warum DNS-Konfiguration fehlt**:
+- Template hatte bereits Unterstützung via `{% if wireguard_dns_servers | length > 0 %}`
+- Variable `wireguard_dns_servers` fehlte in group_vars
+- Jetzt gesetzt auf `["{{ wireguard_server_ip_default }}"]` → `["10.8.0.1"]`
+
+**Erwarteter Effekt**:
+- Alle neuen Client-Configs enthalten `DNS = 10.8.0.1`
+- Windows nutzt VPN-DNS für Namensauflösung
+- Interne Services (grafana.michaelschiemer.de) werden zu VPN-IP (10.8.0.1) aufgelöst
+- HTTP/HTTPS Traffic geht über VPN statt Public Interface
+
+**Nächster kritischer Schritt**:
+Client Config für "mikepc" regenerieren und auf Windows importieren