Harden fastmcp metadata parsing in proxy paths #3412

Merged: jlowin merged 1 commit into main from codex/fix-proxy-provider-crash-on-malformed-metadata on Mar 7, 2026
jlowin (Member) commented Mar 6, 2026

Motivation

  • Proxy component ingestion assumed meta["fastmcp"] (or legacy _fastmcp) is always a mapping, so a remote server returning a non-dict value could cause .get("tags") to raise and crash proxy listing/ingestion paths.
  • The change defends against malformed upstream metadata by treating non-dict fastmcp/_fastmcp values as absent, restoring the previous tolerant behavior and preventing a remote DoS vector.

Description

  • Make get_fastmcp_metadata(meta) defensive: it now returns the first namespace value that is a dict and otherwise returns {} so non-dict upstream values are ignored.
  • Add unit tests for the helper to verify valid fastmcp dict is returned, legacy _fastmcp is used when appropriate, and non-dict values are ignored.
  • Files changed: src/fastmcp/utilities/components.py (metadata parsing logic) and tests/utilities/test_components.py (new tests).

Example usage after the change:

meta = {"fastmcp": "not-a-dict", "_fastmcp": {"tags": ["legacy"]}}
metadata = get_fastmcp_metadata(meta)
tags = metadata.get("tags", [])  # safe, legacy tags preserved

Testing

  • Ran uv sync successfully to prepare the environment.
  • Ran the full test suite with uv run pytest -n auto, which surfaced unrelated existing failures/timeouts in this environment (several unrelated tests failed); these failures are not caused by this patch.
  • Ran focused tests covering the change with uv run pytest tests/utilities/test_components.py tests/server/providers/proxy/test_proxy_server.py -n auto, which completed successfully (the component/proxy tests passed).
  • Attempted uv run prek run --all-files but hook initialization failed due to external network access when fetching hooks (pre-commit mirror bootstrap error), so lint hooks were not executed in this environment.

Codex Task

🤖 Generated with GPT-5.2-Codex
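
An added sketch of the failure and the tolerant parsing that the description above outlines; it is not code from the fastmcp repository. `naive_metadata`, `tolerant_metadata`, `collect_tags` and the `UPSTREAM` sample are hypothetical names and constructed data, and the naive parser only stands in for the assumption that the namespace value is always a mapping.

```python
from __future__ import annotations

from typing import Any, Callable

NAMESPACES = ("fastmcp", "_fastmcp")  # current key first, then the legacy key


def naive_metadata(meta: dict[str, Any] | None) -> Any:
    """Assumes whatever sits under the namespace key is a mapping."""
    if not meta:
        return {}
    return meta.get("fastmcp") or meta.get("_fastmcp") or {}


def tolerant_metadata(meta: Any) -> dict[str, Any]:
    """Return the first namespace value that is a dict, otherwise {}."""
    if not isinstance(meta, dict):
        return {}
    for key in NAMESPACES:
        value = meta.get(key)
        if isinstance(value, dict):
            return value
    return {}


def collect_tags(metas: list[Any], parse: Callable[[Any], Any]) -> list[list[str]]:
    """Mimic a proxy listing loop: read the tags of every upstream component."""
    return [list(parse(m).get("tags", [])) for m in metas]


# Constructed upstream `meta` values; only the first one is well-formed.
UPSTREAM = [
    {"fastmcp": {"tags": ["ok"]}},
    {"fastmcp": "not-a-dict", "_fastmcp": {"tags": ["legacy"]}},
    {"fastmcp": ["tags"]},
    None,
]


def naive_listing_crashes() -> bool:
    """True when one malformed entry aborts the whole listing."""
    try:
        collect_tags(UPSTREAM, naive_metadata)
    except AttributeError:  # str has no .get()
        return True
    return False


if __name__ == "__main__":
    print("naive listing crashes:", naive_listing_crashes())
    print("tolerant tags:", collect_tags(UPSTREAM, tolerant_metadata))
```
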
marvin-context-protocol bot added the bug and server labels Mar 6, 2026

jlowin (Member, Author) commented Mar 7, 2026

Auto-reviewed and merging on behalf of @jlowin — CI is green (Windows OAuth proxy timeouts are pre-existing flaky tests).

jlowin merged commit 706b56d into main Mar 7, 2026
8 checks passed
jlowin deleted the codex/fix-proxy-provider-crash-on-malformed-metadata branch March 7, 2026 16:40
Labels: aardvark, bug, codex, server
