fix: address 18 CRITICAL+HIGH PR review comments

**Critical Fixes (7 issues):**
- Fix GraphQL schema field names in users tool (role→roles, remove email)
- Fix GraphQL mutation signatures (addUserInput, deleteUser input)
- Fix dict(None) TypeError guards in users tool (use `or {}` pattern)
- Fix FastAPI version constraint (0.116.1→0.115.0)
- Fix WebSocket SSL context handling (support CA bundles, bool, and None)
- Fix critical disk threshold treated as warning (split counters)

**High Priority Fixes (11 issues):**
- Fix Docker update/remove action response field mapping
- Fix path traversal vulnerability in log validation (normalize paths)
- Fix deleteApiKeys validation (check response before success)
- Fix rclone create_remote validation (check response)
- Fix keys input_data type annotation (dict[str, Any])
- Fix VM domain/domains fallback restoration

**Changes by file:**
- unraid_mcp/tools/docker.py: Response field mapping
- unraid_mcp/tools/info.py: Split critical/warning counters
- unraid_mcp/tools/storage.py: Path normalization for traversal protection
- unraid_mcp/tools/users.py: GraphQL schema + null handling
- unraid_mcp/tools/keys.py: Validation + type annotations
- unraid_mcp/tools/rclone.py: Response validation
- unraid_mcp/tools/virtualization.py: Domain fallback
- unraid_mcp/subscriptions/manager.py: SSL context creation
- pyproject.toml: FastAPI version fix
- tests/*: New tests for all fixes

**Review threads resolved:**
PRRT_kwDOO6Hdxs5uu70L, PRRT_kwDOO6Hdxs5uu70O, PRRT_kwDOO6Hdxs5uu70V,
PRRT_kwDOO6Hdxs5uu70e, PRRT_kwDOO6Hdxs5uu70i, PRRT_kwDOO6Hdxs5uu7zn,
PRRT_kwDOO6Hdxs5uu7z_, PRRT_kwDOO6Hdxs5uu7sI, PRRT_kwDOO6Hdxs5uu7sJ,
PRRT_kwDOO6Hdxs5uu7sK, PRRT_kwDOO6Hdxs5uu7Tk, PRRT_kwDOO6Hdxs5uu7Tn,
PRRT_kwDOO6Hdxs5uu7Tr, PRRT_kwDOO6Hdxs5uu7Ts, PRRT_kwDOO6Hdxs5uu7Tu,
PRRT_kwDOO6Hdxs5uu7Tv, PRRT_kwDOO6Hdxs5uu7Tw, PRRT_kwDOO6Hdxs5uu7Tx

All tests passing.

Co-authored-by: docker-fixer <agent@pr-fixes>
Co-authored-by: info-fixer <agent@pr-fixes>
Co-authored-by: storage-fixer <agent@pr-fixes>
Co-authored-by: users-fixer <agent@pr-fixes>
Co-authored-by: config-fixer <agent@pr-fixes>
Co-authored-by: websocket-fixer <agent@pr-fixes>
Co-authored-by: keys-rclone-fixer <agent@pr-fixes>
Co-authored-by: vm-fixer <agent@pr-fixes>

unraid_mcp/tools/users.py

@@ -15,17 +15,17 @@ from ..core.exceptions import ToolError
 QUERIES: dict[str, str] = {
     "me": """
         query GetMe {
-          me { id name role email }
+          me { id name description roles }
         }
     """,
     "list": """
         query ListUsers {
-          users { id name role email }
+          users { id name description roles }
         }
     """,
     "get": """
-        query GetUser($id: PrefixedID!) {
-          user(id: $id) { id name role email }
+        query GetUser($id: ID!) {
+          user(id: $id) { id name description roles }
         }
     """,
     "cloud": """
@@ -47,13 +47,13 @@ QUERIES: dict[str, str] = {
 
 MUTATIONS: dict[str, str] = {
     "add": """
-        mutation AddUser($input: AddUserInput!) {
-          addUser(input: $input) { id name role }
+        mutation AddUser($input: addUserInput!) {
+          addUser(input: $input) { id name description roles }
         }
     """,
     "delete": """
-        mutation DeleteUser($id: PrefixedID!) {
-          deleteUser(id: $id)
+        mutation DeleteUser($input: deleteUserInput!) {
+          deleteUser(input: $input) { id name }
         }
     """,
 }
@@ -101,7 +101,7 @@ def register_users_tool(mcp: FastMCP) -> None:
 
             if action == "me":
                 data = await make_graphql_request(QUERIES["me"])
-                return dict(data.get("me", {}))
+                return data.get("me") or {}
 
             if action == "list":
                 data = await make_graphql_request(QUERIES["list"])
@@ -112,7 +112,7 @@ def register_users_tool(mcp: FastMCP) -> None:
                 if not user_id:
                     raise ToolError("user_id is required for 'get' action")
                 data = await make_graphql_request(QUERIES["get"], {"id": user_id})
-                return dict(data.get("user", {}))
+                return data.get("user") or {}
 
             if action == "add":
                 if not name or not password:
@@ -132,7 +132,7 @@ def register_users_tool(mcp: FastMCP) -> None:
                 if not user_id:
                     raise ToolError("user_id is required for 'delete' action")
                 data = await make_graphql_request(
-                    MUTATIONS["delete"], {"id": user_id}
+                    MUTATIONS["delete"], {"input": {"id": user_id}}
                 )
                 return {
                     "success": True,
@@ -141,11 +141,11 @@ def register_users_tool(mcp: FastMCP) -> None:
 
             if action == "cloud":
                 data = await make_graphql_request(QUERIES["cloud"])
-                return dict(data.get("cloud", {}))
+                return data.get("cloud") or {}
 
             if action == "remote_access":
                 data = await make_graphql_request(QUERIES["remote_access"])
-                return dict(data.get("remoteAccess", {}))
+                return data.get("remoteAccess") or {}
 
             if action == "origins":
                 data = await make_graphql_request(QUERIES["origins"])