fix: address 18 CRITICAL+HIGH PR review comments

**Critical Fixes (7 issues):**
- Fix GraphQL schema field names in users tool (role→roles, remove email)
- Fix GraphQL mutation signatures (addUserInput, deleteUser input)
- Fix dict(None) TypeError guards in users tool (use `or {}` pattern)
- Fix FastAPI version constraint (0.116.1→0.115.0)
- Fix WebSocket SSL context handling (support CA bundles, bool, and None)
- Fix critical disk threshold treated as warning (split counters)

**High Priority Fixes (11 issues):**
- Fix Docker update/remove action response field mapping
- Fix path traversal vulnerability in log validation (normalize paths)
- Fix deleteApiKeys validation (check response before success)
- Fix rclone create_remote validation (check response)
- Fix keys input_data type annotation (dict[str, Any])
- Fix VM domain/domains fallback restoration

**Changes by file:**
- unraid_mcp/tools/docker.py: Response field mapping
- unraid_mcp/tools/info.py: Split critical/warning counters
- unraid_mcp/tools/storage.py: Path normalization for traversal protection
- unraid_mcp/tools/users.py: GraphQL schema + null handling
- unraid_mcp/tools/keys.py: Validation + type annotations
- unraid_mcp/tools/rclone.py: Response validation
- unraid_mcp/tools/virtualization.py: Domain fallback
- unraid_mcp/subscriptions/manager.py: SSL context creation
- pyproject.toml: FastAPI version fix
- tests/*: New tests for all fixes

**Review threads resolved:**
PRRT_kwDOO6Hdxs5uu70L, PRRT_kwDOO6Hdxs5uu70O, PRRT_kwDOO6Hdxs5uu70V,
PRRT_kwDOO6Hdxs5uu70e, PRRT_kwDOO6Hdxs5uu70i, PRRT_kwDOO6Hdxs5uu7zn,
PRRT_kwDOO6Hdxs5uu7z_, PRRT_kwDOO6Hdxs5uu7sI, PRRT_kwDOO6Hdxs5uu7sJ,
PRRT_kwDOO6Hdxs5uu7sK, PRRT_kwDOO6Hdxs5uu7Tk, PRRT_kwDOO6Hdxs5uu7Tn,
PRRT_kwDOO6Hdxs5uu7Tr, PRRT_kwDOO6Hdxs5uu7Ts, PRRT_kwDOO6Hdxs5uu7Tu,
PRRT_kwDOO6Hdxs5uu7Tv, PRRT_kwDOO6Hdxs5uu7Tw, PRRT_kwDOO6Hdxs5uu7Tx

All tests passing.

Co-authored-by: docker-fixer <agent@pr-fixes>
Co-authored-by: info-fixer <agent@pr-fixes>
Co-authored-by: storage-fixer <agent@pr-fixes>
Co-authored-by: users-fixer <agent@pr-fixes>
Co-authored-by: config-fixer <agent@pr-fixes>
Co-authored-by: websocket-fixer <agent@pr-fixes>
Co-authored-by: keys-rclone-fixer <agent@pr-fixes>
Co-authored-by: vm-fixer <agent@pr-fixes>

unraid_mcp/tools/docker.py

@@ -308,7 +308,13 @@ def register_docker_tool(mcp: FastMCP) -> None:
                     }
 
                 docker_data = data.get("docker", {})
-                result = docker_data.get(action, docker_data.get("removeContainer"))
+                # Map action names to GraphQL response field names where they differ
+                response_field_map = {
+                    "update": "updateContainer",
+                    "remove": "removeContainer",
+                }
+                field = response_field_map.get(action, action)
+                result = docker_data.get(field)
                 return {
                     "success": True,
                     "action": action,

unraid_mcp/tools/info.py

@@ -204,13 +204,18 @@ def _process_system_info(raw_info: dict[str, Any]) -> dict[str, Any]:
 
 def _analyze_disk_health(disks: list[dict[str, Any]]) -> dict[str, int]:
     """Analyze health status of disk arrays."""
-    counts = {"healthy": 0, "failed": 0, "missing": 0, "new": 0, "warning": 0, "unknown": 0}
+    counts = {"healthy": 0, "failed": 0, "missing": 0, "new": 0, "warning": 0, "critical": 0, "unknown": 0}
     for disk in disks:
         status = disk.get("status", "").upper()
         warning = disk.get("warning")
         critical = disk.get("critical")
         if status == "DISK_OK":
-            counts["warning" if (warning or critical) else "healthy"] += 1
+            if critical:
+                counts["critical"] += 1
+            elif warning:
+                counts["warning"] += 1
+            else:
+                counts["healthy"] += 1
         elif status in ("DISK_DSBL", "DISK_INVALID"):
             counts["failed"] += 1
         elif status == "DISK_NP":
@@ -254,10 +259,11 @@ def _process_array_status(raw: dict[str, Any]) -> dict[str, Any]:
             health_summary[label] = _analyze_disk_health(raw[key])
 
     total_failed = sum(h.get("failed", 0) for h in health_summary.values())
+    total_critical = sum(h.get("critical", 0) for h in health_summary.values())
     total_missing = sum(h.get("missing", 0) for h in health_summary.values())
     total_warning = sum(h.get("warning", 0) for h in health_summary.values())
 
-    if total_failed > 0:
+    if total_failed > 0 or total_critical > 0:
         overall = "CRITICAL"
     elif total_missing > 0:
         overall = "DEGRADED"

unraid_mcp/tools/keys.py

@@ -111,7 +111,7 @@ def register_keys_tool(mcp: FastMCP) -> None:
             if action == "update":
                 if not key_id:
                     raise ToolError("key_id is required for 'update' action")
-                input_data = {"id": key_id}
+                input_data: dict[str, Any] = {"id": key_id}
                 if name:
                     input_data["name"] = name
                 if roles:
@@ -130,6 +130,9 @@ def register_keys_tool(mcp: FastMCP) -> None:
                 data = await make_graphql_request(
                     MUTATIONS["delete"], {"input": {"ids": [key_id]}}
                 )
+                result = data.get("deleteApiKeys")
+                if not result:
+                    raise ToolError(f"Failed to delete API key '{key_id}': no confirmation from server")
                 return {
                     "success": True,
                     "message": f"API key '{key_id}' deleted",

unraid_mcp/tools/rclone.py

@@ -100,7 +100,9 @@ def register_rclone_tool(mcp: FastMCP) -> None:
                     MUTATIONS["create_remote"],
                     {"input": {"name": name, "type": provider_type, "config": config_data}},
                 )
-                remote = data.get("rclone", {}).get("createRCloneRemote", {})
+                remote = data.get("rclone", {}).get("createRCloneRemote")
+                if not remote:
+                    raise ToolError(f"Failed to create remote '{name}': no confirmation from server")
                 return {
                     "success": True,
                     "message": f"Remote '{name}' created successfully",

unraid_mcp/tools/storage.py

@@ -4,6 +4,7 @@ Provides the `unraid_storage` tool with 6 actions for shares, physical disks,
 unassigned devices, log files, and log content retrieval.
 """
 
+import posixpath
 from typing import Any, Literal
 
 from fastmcp import FastMCP
@@ -99,11 +100,14 @@ def register_storage_tool(mcp: FastMCP) -> None:
             if not log_path:
                 raise ToolError("log_path is required for 'logs' action")
             _ALLOWED_LOG_PREFIXES = ("/var/log/", "/boot/logs/", "/mnt/")
-            if not any(log_path.startswith(p) for p in _ALLOWED_LOG_PREFIXES):
+            # Normalize path to prevent traversal attacks (e.g. /var/log/../../etc/shadow)
+            normalized = posixpath.normpath(log_path)
+            if not any(normalized.startswith(p) for p in _ALLOWED_LOG_PREFIXES):
                 raise ToolError(
                     f"log_path must start with one of: {', '.join(_ALLOWED_LOG_PREFIXES)}. "
                     f"Use log_files action to discover valid paths."
                 )
+            log_path = normalized
 
         query = QUERIES[action]
         variables: dict[str, Any] | None = None

unraid_mcp/tools/users.py

@@ -15,17 +15,17 @@ from ..core.exceptions import ToolError
 QUERIES: dict[str, str] = {
     "me": """
         query GetMe {
-          me { id name role email }
+          me { id name description roles }
         }
     """,
     "list": """
         query ListUsers {
-          users { id name role email }
+          users { id name description roles }
         }
     """,
     "get": """
-        query GetUser($id: PrefixedID!) {
-          user(id: $id) { id name role email }
+        query GetUser($id: ID!) {
+          user(id: $id) { id name description roles }
         }
     """,
     "cloud": """
@@ -47,13 +47,13 @@ QUERIES: dict[str, str] = {
 
 MUTATIONS: dict[str, str] = {
     "add": """
-        mutation AddUser($input: AddUserInput!) {
-          addUser(input: $input) { id name role }
+        mutation AddUser($input: addUserInput!) {
+          addUser(input: $input) { id name description roles }
         }
     """,
     "delete": """
-        mutation DeleteUser($id: PrefixedID!) {
-          deleteUser(id: $id)
+        mutation DeleteUser($input: deleteUserInput!) {
+          deleteUser(input: $input) { id name }
         }
     """,
 }
@@ -101,7 +101,7 @@ def register_users_tool(mcp: FastMCP) -> None:
 
             if action == "me":
                 data = await make_graphql_request(QUERIES["me"])
-                return dict(data.get("me", {}))
+                return data.get("me") or {}
 
             if action == "list":
                 data = await make_graphql_request(QUERIES["list"])
@@ -112,7 +112,7 @@ def register_users_tool(mcp: FastMCP) -> None:
                 if not user_id:
                     raise ToolError("user_id is required for 'get' action")
                 data = await make_graphql_request(QUERIES["get"], {"id": user_id})
-                return dict(data.get("user", {}))
+                return data.get("user") or {}
 
             if action == "add":
                 if not name or not password:
@@ -132,7 +132,7 @@ def register_users_tool(mcp: FastMCP) -> None:
                 if not user_id:
                     raise ToolError("user_id is required for 'delete' action")
                 data = await make_graphql_request(
-                    MUTATIONS["delete"], {"id": user_id}
+                    MUTATIONS["delete"], {"input": {"id": user_id}}
                 )
                 return {
                     "success": True,
@@ -141,11 +141,11 @@ def register_users_tool(mcp: FastMCP) -> None:
 
             if action == "cloud":
                 data = await make_graphql_request(QUERIES["cloud"])
-                return dict(data.get("cloud", {}))
+                return data.get("cloud") or {}
 
             if action == "remote_access":
                 data = await make_graphql_request(QUERIES["remote_access"])
-                return dict(data.get("remoteAccess", {}))
+                return data.get("remoteAccess") or {}
 
             if action == "origins":
                 data = await make_graphql_request(QUERIES["origins"])

unraid_mcp/tools/virtualization.py

@@ -105,15 +105,16 @@ def register_vm_tool(mcp: FastMCP) -> None:
 
             if action == "list":
                 data = await make_graphql_request(QUERIES["list"])
-                if data.get("vms") and data["vms"].get("domains"):
-                    vms = data["vms"]["domains"]
-                    return {"vms": list(vms) if isinstance(vms, list) else []}
+                if data.get("vms"):
+                    vms = data["vms"].get("domains") or data["vms"].get("domain")
+                    if vms:
+                        return {"vms": list(vms) if isinstance(vms, list) else []}
                 return {"vms": []}
 
             if action == "details":
                 data = await make_graphql_request(QUERIES["details"])
                 if data.get("vms"):
-                    vms = data["vms"].get("domains") or []
+                    vms = data["vms"].get("domains") or data["vms"].get("domain") or []
                     for vm in vms:
                         if (
                             vm.get("uuid") == vm_id