fix: address 18 CRITICAL+HIGH PR review comments

**Critical Fixes (7 issues):**
- Fix GraphQL schema field names in users tool (role→roles, remove email)
- Fix GraphQL mutation signatures (addUserInput, deleteUser input)
- Fix dict(None) TypeError guards in users tool (use `or {}` pattern)
- Fix FastAPI version constraint (0.116.1→0.115.0)
- Fix WebSocket SSL context handling (support CA bundles, bool, and None)
- Fix critical disk threshold treated as warning (split counters)

**High Priority Fixes (11 issues):**
- Fix Docker update/remove action response field mapping
- Fix path traversal vulnerability in log validation (normalize paths)
- Fix deleteApiKeys validation (check response before success)
- Fix rclone create_remote validation (check response)
- Fix keys input_data type annotation (dict[str, Any])
- Fix VM domain/domains fallback restoration

**Changes by file:**
- unraid_mcp/tools/docker.py: Response field mapping
- unraid_mcp/tools/info.py: Split critical/warning counters
- unraid_mcp/tools/storage.py: Path normalization for traversal protection
- unraid_mcp/tools/users.py: GraphQL schema + null handling
- unraid_mcp/tools/keys.py: Validation + type annotations
- unraid_mcp/tools/rclone.py: Response validation
- unraid_mcp/tools/virtualization.py: Domain fallback
- unraid_mcp/subscriptions/manager.py: SSL context creation
- pyproject.toml: FastAPI version fix
- tests/*: New tests for all fixes

**Review threads resolved:**
PRRT_kwDOO6Hdxs5uu70L, PRRT_kwDOO6Hdxs5uu70O, PRRT_kwDOO6Hdxs5uu70V,
PRRT_kwDOO6Hdxs5uu70e, PRRT_kwDOO6Hdxs5uu70i, PRRT_kwDOO6Hdxs5uu7zn,
PRRT_kwDOO6Hdxs5uu7z_, PRRT_kwDOO6Hdxs5uu7sI, PRRT_kwDOO6Hdxs5uu7sJ,
PRRT_kwDOO6Hdxs5uu7sK, PRRT_kwDOO6Hdxs5uu7Tk, PRRT_kwDOO6Hdxs5uu7Tn,
PRRT_kwDOO6Hdxs5uu7Tr, PRRT_kwDOO6Hdxs5uu7Ts, PRRT_kwDOO6Hdxs5uu7Tu,
PRRT_kwDOO6Hdxs5uu7Tv, PRRT_kwDOO6Hdxs5uu7Tw, PRRT_kwDOO6Hdxs5uu7Tx

All tests passing.

Co-authored-by: docker-fixer <agent@pr-fixes>
Co-authored-by: info-fixer <agent@pr-fixes>
Co-authored-by: storage-fixer <agent@pr-fixes>
Co-authored-by: users-fixer <agent@pr-fixes>
Co-authored-by: config-fixer <agent@pr-fixes>
Co-authored-by: websocket-fixer <agent@pr-fixes>
Co-authored-by: keys-rclone-fixer <agent@pr-fixes>
Co-authored-by: vm-fixer <agent@pr-fixes>

skills/unraid/scripts/dashboard.sh

@@ -0,0 +1,214 @@
+#!/bin/bash
+# Complete Unraid Monitoring Dashboard (Multi-Server)
+# Gets system status, disk health, and resource usage for all configured servers
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd -P "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "$SCRIPT_DIR/../../.." && pwd)"
+source "$REPO_ROOT/lib/load-env.sh"
+
+QUERY_SCRIPT="$SCRIPT_DIR/unraid-query.sh"
+OUTPUT_FILE="$HOME/memory/bank/unraid-inventory.md"
+
+# Load credentials from .env for all servers
+load_env_file || exit 1
+for server in "TOOTIE" "SHART"; do
+    url_var="UNRAID_${server}_URL"
+    key_var="UNRAID_${server}_API_KEY"
+    name_var="UNRAID_${server}_NAME"
+    validate_env_vars "$url_var" "$key_var" || exit 1
+done
+
+# Ensure output directory exists
+mkdir -p "$(dirname "$OUTPUT_FILE")"
+
+# Start the report
+echo "# Unraid Fleet Dashboard" > "$OUTPUT_FILE"
+echo "Generated at: $(date)" >> "$OUTPUT_FILE"
+echo "" >> "$OUTPUT_FILE"
+
+# Function to process a single server
+process_server() {
+    local NAME="$1"
+    local URL="$2"
+    local API_KEY="$3"
+
+    echo "Querying server: $NAME..."
+    
+    export UNRAID_URL="$URL"
+    export UNRAID_API_KEY="$API_KEY"
+    export IGNORE_ERRORS="true"
+
+    QUERY='query Dashboard {
+      info {
+        time
+        cpu { model cores threads }
+        os { platform distro release arch }
+        system { manufacturer model version uuid }
+      }
+      metrics {
+        cpu { percentTotal }
+        memory { total used free percentTotal }
+      }
+      array {
+        state
+        capacity { kilobytes { total free used } }
+        disks { name device temp status fsSize fsFree fsUsed isSpinning numErrors }
+        caches { name device temp status fsSize fsFree fsUsed fsType type }
+        parityCheckStatus { status progress errors }
+      }
+      disks { id name device size status temp numErrors }
+      shares { name comment free }
+      docker {
+        containers { names image state status }
+      }
+      vms { domains { id name state } }
+      vars { timeZone regTy regTo }
+      notifications { id title subject description importance timestamp }
+      recentLog: logFile(path: \"syslog\", lines: 50) { content }
+      online
+      isSSOEnabled
+    }'
+
+    RESPONSE=$("$QUERY_SCRIPT" -q "$QUERY" -f json)
+    
+    # Debug output
+    echo "$RESPONSE" > "${NAME}_debug.json"
+    
+    # Check if response is valid JSON
+    if ! echo "$RESPONSE" | jq -e . >/dev/null 2>&1; then
+        echo "Error querying $NAME: Invalid response"
+        echo "Response saved to ${NAME}_debug.json"
+        echo "## Server: $NAME (⚠️ Error)" >> "$OUTPUT_FILE"
+        echo "Failed to retrieve data." >> "$OUTPUT_FILE"
+        return
+    fi
+
+    # Append to report
+    echo "## Server: $NAME" >> "$OUTPUT_FILE"
+    
+    # System Info
+    CPU_MODEL=$(echo "$RESPONSE" | jq -r '.data.info.cpu.model')
+    CPU_CORES=$(echo "$RESPONSE" | jq -r '.data.info.cpu.cores')
+    CPU_THREADS=$(echo "$RESPONSE" | jq -r '.data.info.cpu.threads')
+    OS_REL=$(echo "$RESPONSE" | jq -r '.data.info.os.release')
+    OS_ARCH=$(echo "$RESPONSE" | jq -r '.data.info.os.arch // "x64"')
+    SYS_MFG=$(echo "$RESPONSE" | jq -r '.data.info.system.manufacturer // "Unknown"')
+    SYS_MODEL=$(echo "$RESPONSE" | jq -r '.data.info.system.model // "Unknown"')
+    TIMEZONE=$(echo "$RESPONSE" | jq -r '.data.vars.timeZone // "N/A"')
+    LICENSE=$(echo "$RESPONSE" | jq -r '.data.vars.regTy // "Unknown"')
+    REG_TO=$(echo "$RESPONSE" | jq -r '.data.vars.regTo // "N/A"')
+    CPU_LOAD=$(echo "$RESPONSE" | jq -r '.data.metrics.cpu.percentTotal // 0')
+    TOTAL_MEM=$(echo "$RESPONSE" | jq -r '.data.metrics.memory.total // 0')
+    MEM_USED_PCT=$(echo "$RESPONSE" | jq -r '.data.metrics.memory.percentTotal // 0')
+    TOTAL_MEM_GB=$((TOTAL_MEM / 1024 / 1024 / 1024))
+    
+    echo "### System" >> "$OUTPUT_FILE"
+    echo "- **Hardware:** $SYS_MFG $SYS_MODEL" >> "$OUTPUT_FILE"
+    echo "- **OS:** Unraid $OS_REL ($OS_ARCH)" >> "$OUTPUT_FILE"
+    echo "- **License:** $LICENSE (Registered to: $REG_TO)" >> "$OUTPUT_FILE"
+    echo "- **Timezone:** $TIMEZONE" >> "$OUTPUT_FILE"
+    echo "- **CPU:** Model $CPU_MODEL ($CPU_CORES cores / $CPU_THREADS threads) - **${CPU_LOAD}% load**" >> "$OUTPUT_FILE"
+    echo "- **Memory:** ${TOTAL_MEM_GB}GB - **${MEM_USED_PCT}% used**" >> "$OUTPUT_FILE"
+    echo "" >> "$OUTPUT_FILE"
+
+    # Array capacity
+    ARRAY_TOTAL=$(echo "$RESPONSE" | jq -r '.data.array.capacity.kilobytes.total')
+    ARRAY_FREE=$(echo "$RESPONSE" | jq -r '.data.array.capacity.kilobytes.free')
+    ARRAY_USED=$(echo "$RESPONSE" | jq -r '.data.array.capacity.kilobytes.used')
+    
+    if [ "$ARRAY_TOTAL" != "null" ] && [ "$ARRAY_TOTAL" -gt 0 ]; then
+        ARRAY_TOTAL_GB=$((ARRAY_TOTAL / 1024 / 1024))
+        ARRAY_FREE_GB=$((ARRAY_FREE / 1024 / 1024))
+        ARRAY_USED_GB=$((ARRAY_USED / 1024 / 1024))
+        ARRAY_USED_PCT=$((ARRAY_USED * 100 / ARRAY_TOTAL))
+        echo "### Storage" >> "$OUTPUT_FILE"
+        echo "- **Array:** ${ARRAY_USED_GB}GB / ${ARRAY_TOTAL_GB}GB used (${ARRAY_USED_PCT}%)" >> "$OUTPUT_FILE"
+    fi
+
+    # Cache pools
+    echo "- **Cache Pools:**" >> "$OUTPUT_FILE"
+    echo "$RESPONSE" | jq -r '.data.array.caches[] | "  - \(.name) (\(.device)): \(.temp)°C - \(.status) - \(if .fsSize then "\((.fsUsed / 1024 / 1024 | floor))GB / \((.fsSize / 1024 / 1024 | floor))GB used" else "N/A" end)"' >> "$OUTPUT_FILE"
+    
+    # Docker
+    TOTAL_CONTAINERS=$(echo "$RESPONSE" | jq '[.data.docker.containers[]] | length')
+    RUNNING_CONTAINERS=$(echo "$RESPONSE" | jq '[.data.docker.containers[] | select(.state == "RUNNING")] | length')
+    
+    echo "" >> "$OUTPUT_FILE"
+    echo "### Workloads" >> "$OUTPUT_FILE"
+    echo "- **Docker:** ${TOTAL_CONTAINERS} containers (${RUNNING_CONTAINERS} running)" >> "$OUTPUT_FILE"
+    
+    # Unhealthy containers
+    UNHEALTHY=$(echo "$RESPONSE" | jq -r '.data.docker.containers[] | select(.status | test("unhealthy|restarting"; "i")) | "  - ⚠️  \(.names[0]): \(.status)"')
+    if [ -n "$UNHEALTHY" ]; then
+        echo "$UNHEALTHY" >> "$OUTPUT_FILE"
+    fi
+
+    # VMs
+    if [ "$(echo "$RESPONSE" | jq -r '.data.vms.domains')" != "null" ]; then
+        TOTAL_VMS=$(echo "$RESPONSE" | jq '[.data.vms.domains[]] | length')
+        RUNNING_VMS=$(echo "$RESPONSE" | jq '[.data.vms.domains[] | select(.state == "RUNNING")] | length')
+        echo "- **VMs:** ${TOTAL_VMS} VMs (${RUNNING_VMS} running)" >> "$OUTPUT_FILE"
+    else
+        echo "- **VMs:** Service disabled or no data" >> "$OUTPUT_FILE"
+    fi
+    
+    # Disk Health
+    echo "" >> "$OUTPUT_FILE"
+    echo "### Health" >> "$OUTPUT_FILE"
+    
+    HOT_DISKS=$(echo "$RESPONSE" | jq -r '.data.array.disks[] | select(.temp > 45) | "- ⚠️  \(.name): \(.temp)°C (HIGH)"')
+    DISK_ERRORS=$(echo "$RESPONSE" | jq -r '.data.array.disks[] | select(.numErrors > 0) | "- ❌ \(.name): \(.numErrors) errors"')
+    
+    if [ -z "$HOT_DISKS" ] && [ -z "$DISK_ERRORS" ]; then
+        echo "- ✅ All disks healthy" >> "$OUTPUT_FILE"
+    else
+        [ -n "$HOT_DISKS" ] && echo "$HOT_DISKS" >> "$OUTPUT_FILE"
+        [ -n "$DISK_ERRORS" ] && echo "$DISK_ERRORS" >> "$OUTPUT_FILE"
+    fi
+    
+    # Notifications (Alerts)
+    echo "" >> "$OUTPUT_FILE"
+    echo "### Notifications" >> "$OUTPUT_FILE"
+    
+    NOTIF_COUNT=$(echo "$RESPONSE" | jq '[.data.notifications[]] | length' 2>/dev/null || echo "0")
+    if [ "$NOTIF_COUNT" -gt 0 ] && [ "$NOTIF_COUNT" != "null" ]; then
+        # Show recent notifications (last 10)
+        ALERT_NOTIFS=$(echo "$RESPONSE" | jq -r '.data.notifications | sort_by(.timestamp) | reverse | .[0:10][] | "- [\(.importance // "info")] \(.title // .subject): \(.description // "No description") (\(.timestamp | split("T")[0]))"' 2>/dev/null)
+        if [ -n "$ALERT_NOTIFS" ]; then
+            echo "$ALERT_NOTIFS" >> "$OUTPUT_FILE"
+        else
+            echo "- ✅ No recent notifications" >> "$OUTPUT_FILE"
+        fi
+        
+        # Count by importance
+        ALERT_COUNT=$(echo "$RESPONSE" | jq '[.data.notifications[] | select(.importance == "alert" or .importance == "warning")] | length' 2>/dev/null || echo "0")
+        if [ "$ALERT_COUNT" -gt 0 ]; then
+            echo "" >> "$OUTPUT_FILE"
+            echo "**⚠️ $ALERT_COUNT alert/warning notifications**" >> "$OUTPUT_FILE"
+        fi
+    else
+        echo "- ✅ No notifications" >> "$OUTPUT_FILE"
+    fi
+    
+    echo "" >> "$OUTPUT_FILE"
+    echo "---" >> "$OUTPUT_FILE"
+    echo "" >> "$OUTPUT_FILE"
+}
+
+# Main loop - process each server from environment variables
+for server in "TOOTIE" "SHART"; do
+    name_var="UNRAID_${server}_NAME"
+    url_var="UNRAID_${server}_URL"
+    key_var="UNRAID_${server}_API_KEY"
+
+    NAME="${!name_var}"
+    URL="${!url_var}"
+    KEY="${!key_var}"
+
+    process_server "$NAME" "$URL" "$KEY"
+done
+
+echo "Dashboard saved to: $OUTPUT_FILE"
+cat "$OUTPUT_FILE"

skills/unraid/scripts/unraid-query.sh

@@ -0,0 +1,126 @@
+#!/bin/bash
+# Unraid GraphQL API Query Helper
+# Makes it easy to query the Unraid API from the command line
+
+set -e
+
+# Usage function
+usage() {
+    cat << EOF
+Usage: $0 [OPTIONS]
+
+Query the Unraid GraphQL API
+
+OPTIONS:
+    -u, --url URL          Unraid server URL (required)
+    -k, --key KEY          API key (required)
+    -q, --query QUERY      GraphQL query (required)
+    -f, --format FORMAT    Output format: json (default), raw, pretty
+    -h, --help             Show this help message
+
+ENVIRONMENT VARIABLES:
+    UNRAID_URL             Default Unraid server URL
+    UNRAID_API_KEY         Default API key
+
+EXAMPLES:
+    # Get system status
+    $0 -u https://unraid.local/graphql -k YOUR_KEY -q "{ online }"
+
+    # Use environment variables
+    export UNRAID_URL="https://unraid.local/graphql"
+    export UNRAID_API_KEY="your-api-key"
+    $0 -q "{ metrics { cpu { percentTotal } } }"
+
+    # Pretty print output
+    $0 -q "{ array { state } }" -f pretty
+
+EOF
+    exit 1
+}
+
+# Default values
+URL="${UNRAID_URL:-}"
+API_KEY="${UNRAID_API_KEY:-}"
+QUERY=""
+FORMAT="json"
+
+# Parse arguments
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        -u|--url)
+            URL="$2"
+            shift 2
+            ;;
+        -k|--key)
+            API_KEY="$2"
+            shift 2
+            ;;
+        -q|--query)
+            QUERY="$2"
+            shift 2
+            ;;
+        -f|--format)
+            FORMAT="$2"
+            shift 2
+            ;;
+        -h|--help)
+            usage
+            ;;
+        *)
+            echo "Unknown option: $1"
+            usage
+            ;;
+    esac
+done
+
+# Validate required arguments
+if [[ -z "$URL" ]]; then
+    echo "Error: Unraid URL is required (use -u or set UNRAID_URL)"
+    exit 1
+fi
+
+if [[ -z "$API_KEY" ]]; then
+    echo "Error: API key is required (use -k or set UNRAID_API_KEY)"
+    exit 1
+fi
+
+if [[ -z "$QUERY" ]]; then
+    echo "Error: GraphQL query is required (use -q)"
+    exit 1
+fi
+
+# Make the request
+RESPONSE=$(curl -skL -X POST "$URL" \
+    -H "Content-Type: application/json" \
+    -H "x-api-key: $API_KEY" \
+    -d "{\"query\":\"$QUERY\"}")
+
+# Check for errors
+if echo "$RESPONSE" | jq -e '.errors' > /dev/null 2>&1; then
+    # If we have data despite errors, and --ignore-errors is set, continue
+    if [[ "$IGNORE_ERRORS" == "true" ]] && echo "$RESPONSE" | jq -e '.data' > /dev/null 2>&1; then
+        echo "GraphQL Warning:" >&2
+        echo "$RESPONSE" | jq -r '.errors[0].message' >&2
+    else
+        echo "GraphQL Error:" >&2
+        echo "$RESPONSE" | jq -r '.errors[0].message' >&2
+        exit 1
+    fi
+fi
+
+# Output based on format
+case "$FORMAT" in
+    json)
+        echo "$RESPONSE"
+        ;;
+    raw)
+        echo "$RESPONSE" | jq -r '.data'
+        ;;
+    pretty)
+        echo "$RESPONSE" | jq '.'
+        ;;
+    *)
+        echo "Unknown format: $FORMAT" >&2
+        exit 1
+        ;;
+esac