Settings: add dedicated DAV/Pushover tabs, fix CalDAV/CardDAV bugs

- Add admin DAV tab (rename from CalDAV/CardDAV) and Pushover tab
  - Add per-user Pushover tab (User Key only; App Token stays admin-managed)
  - Remove system-wide CalDAV/CardDAV fallback — per-user config only
  - Rewrite contacts_tool.py using httpx directly (caldav 2.x dropped AddressBook)
  - Fix CardDAV REPORT/PROPFIND using SOGo URL pattern
  - Fix CalDAV/CardDAV test endpoints (POST method, URL scheme normalization)
  - Fix Show Password button — API now returns actual credential values
  - Convert Credentials tab to generic key-value store; dedicated keys
    (CalDAV, Pushover, trusted_proxy) excluded via _DEDICATED_CRED_KEYS

server/tools/pushover_tool.py

@@ -72,13 +72,26 @@ class PushoverTool(BaseTool):
             # If we got here, it was approved.
             pass
 
-        # Load credentials
+        # Load credentials — per-user key first, then system fallback
         try:
             app_token = await credential_store.require("pushover_app_token")
-            user_key  = await credential_store.require("pushover_user_key")
         except RuntimeError as e:
             return ToolResult(success=False, error=str(e))
 
+        user_key: str | None = None
+        try:
+            from ..context_vars import current_user as _cu
+            u = _cu.get()
+            if u:
+                from ..database import user_settings_store as _us
+                user_key = await _us.get(u.id, "pushover_user_key")
+        except Exception:
+            pass
+        if not user_key:
+            user_key = await credential_store.get("pushover_user_key")
+        if not user_key:
+            return ToolResult(success=False, error="Pushover user key not configured. Set it in Settings → Pushover.")
+
         payload: dict = {
             "token": app_token,
             "user": user_key,