test: close critical coverage gaps and harden PR review fixes

Critical bug fixes from PR review agents:
- client.py: eager asyncio.Lock init, Final[frozenset] for _SENSITIVE_KEYS,
  explicit 429 ToolError after retries exhausted, removed lazy _get_client_lock()
  and _RateLimiter._get_lock() patterns
- exceptions.py: use builtin TimeoutError (UP041), explicit handler before broad
  except so asyncio timeouts get descriptive messages
- docker.py: add update_all to DESTRUCTIVE_ACTIONS (was missing), remove dead
  _MUTATION_ACTIONS constant
- manager.py: _cap_log_content returns new dict (immutable), lock write to
  resource_data, clean dead task from active_subscriptions after loop exits
- diagnostics.py: fix inaccurate comment about semicolon injection guard
- health.py: narrow except ValueError in _safe_display_url, fix TODO comment

New test coverage (98 tests added, 529 → 598 passing):
- test_subscription_validation.py: 27 tests for _validate_subscription_query
  (security-critical allow-list, forbidden keyword guards, word-boundary test)
- test_subscription_manager.py: 12 tests for _cap_log_content
  (immutability, truncation, nesting, passthrough)
- test_client.py: +57 tests — _RateLimiter (token math, refill, sleep-on-empty),
  _QueryCache (TTL, invalidation, is_cacheable), 429 retry loop (1/2/3 failures)
- test_health.py: +10 tests for _safe_display_url (credential strip, port,
  path/query removal, malformed IPv6 → <unparseable>)
- test_notifications.py: +7 importance enum and field length validation tests
- test_rclone.py: +7 _validate_config_data security guard tests
- test_storage.py: +15 (tail_lines bounds, format_kb, safe_get)
- test_docker.py: update_all now requires confirm=True + new guard test
- test_destructive_guards.py: update audit to include update_all

Co-authored-by: Claude <noreply@anthropic.com>

unraid_mcp/core/exceptions.py

@@ -6,7 +6,7 @@ throughout the application, with proper integration to FastMCP's error system.
 
 import contextlib
 import logging
-from collections.abc import Generator
+from collections.abc import Iterator
 
 from fastmcp.exceptions import ToolError as FastMCPToolError
 
@@ -28,11 +28,12 @@ def tool_error_handler(
     tool_name: str,
     action: str,
     logger: logging.Logger,
-) -> Generator[None]:
+) -> Iterator[None]:
     """Context manager that standardizes tool error handling.
 
-    Re-raises ToolError as-is. Catches all other exceptions, logs them
-    with full traceback, and wraps them in ToolError with a descriptive message.
+    Re-raises ToolError as-is. Gives TimeoutError a descriptive message.
+    Catches all other exceptions, logs them with full traceback, and wraps them
+    in ToolError with a descriptive message.
 
     Args:
         tool_name: The tool name for error messages (e.g., "docker", "vm").
@@ -43,6 +44,14 @@ def tool_error_handler(
         yield
     except ToolError:
         raise
+    except TimeoutError as e:
+        logger.error(
+            f"Timeout in unraid_{tool_name} action={action}: request exceeded time limit",
+            exc_info=True,
+        )
+        raise ToolError(
+            f"Request timed out executing {tool_name}/{action}. The Unraid API did not respond in time."
+        ) from e
     except Exception as e:
         logger.error(f"Error in unraid_{tool_name} action={action}: {e}", exc_info=True)
         raise ToolError(f"Failed to execute {tool_name}/{action}: {e!s}") from e