feat(docker): add multi-stage secure Alpine image for stdio MCP

closes #4

CHANGES
- Add optimized Dockerfile with uv-based Alpine multi-stage build
- Implement .dockerignore for lean image builds
- Configure non-root user (appuser) for container security
- Set up stdio-specific environment variables and transport
- Update README.md with Docker usage and stdio transport focus
- Rename project to py_dep_man_companion in pyproject.toml
- Prepare workflows for Docker Hub publish automation

IMPACT
- Enables containerized deployment of MCP server
- Reduces image size through multi-stage Alpine build
- Enhances security with non-root execution
- Optimizes for stdio transport pattern (no HTTP endpoints)

TECHNICAL NOTES
- Uses ghcr.io/astral-sh/uv:python3.12-alpine base images
- Includes Rust toolchain for tantivy dependency compilation
- Implements build caching for faster rebuilds
- Stdio containers are ephemeral and client-initiated

Author: KemingHe

.dockerignore

@@ -0,0 +1,61 @@
+# Git
+.git
+.gitignore
+
+# Python
+__pycache__
+*.pyc
+*.pyo
+*.pyd
+.Python
+*.so
+.pytest_cache
+.coverage
+htmlcov
+.tox
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.log
+.mypy_cache
+.dmypy.json
+dmypy.json
+
+# Virtual environments
+venv/
+.venv/
+ENV/
+env/
+.env
+
+# IDEs
+.vscode
+.idea
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Documentation
+*.md
+docs/
+
+# Development files
+.editorconfig
+.pre-commit-config.yaml
+
+# Build artifacts
+build/
+dist/
+*.egg-info/
+
+# Lock files are now needed for uv sync --frozen
+# uv.lock
+
+# Docker
+.dockerignore
+docker-compose*.yml

.github/workflows/README.md

@@ -12,21 +12,22 @@ graph LR
     ORCHESTRATOR["🎯 Orchestrator<br/>auto-update.yml"]
     UPDATE_DOCS["📚 Documentation Sync<br/>auto-update-docs.yml"]
     UPDATE_INDEX["🔍 Search Index<br/>auto-update-index.yml"]
+    PUBLISH["🐳 Publish Image<br/>auto-update-publish.yml"]
 
     CRON_TRIGGER --> ORCHESTRATOR
     ORCHESTRATOR --> UPDATE_DOCS
     UPDATE_DOCS --> UPDATE_INDEX
+    UPDATE_INDEX --> PUBLISH
 ```
 
-**Security**: Pinned action hashes, signed commits, sequential execution
+**Security**: Pinned 3rd-party actions, signed commits, modular execution
 
 ## 🚀 Planned Extensions
 
-- **Workflows**: `auto-build-and-deploy.yml` (Docker)
 - **Managers**: pipenv, pdm, pixi
 - **Features**: Conditional updates, performance monitoring
 
 ## 🔧 Operations
 
-- **Testing**: `workflow_dispatch` on all workflows  
+- **Testing**: `workflow_dispatch` on `update-docs`, `update-index`, and `publish`
 - **Monitoring**: Check Tuesday runs for upstream changes

.github/workflows/auto-update-docs.yml

@@ -11,6 +11,7 @@ concurrency:
 jobs:
   update-docs:
     name: Update ${{ matrix.manager }} docs
+    if: github.repository == 'KemingHe/python-dependency-manager-companion-mcp-server'
     runs-on: ubuntu-latest
     permissions:
       contents: write

.github/workflows/auto-update-index.yml

@@ -7,6 +7,7 @@ on:
 jobs:
   update-index:
     name: Update Search Index
+    if: github.repository == 'KemingHe/python-dependency-manager-companion-mcp-server'
     runs-on: ubuntu-latest
     permissions:
       contents: write

.github/workflows/auto-update-publish.yml.example

@@ -0,0 +1,79 @@
+name: Publish Image to Docker Hub
+
+on:
+  workflow_call: {}
+  workflow_dispatch: {} # Manual trigger for testing
+
+env:
+  # Docker requires lowercase names for both images and cache references
+  IMAGE_NAME: py-dep-man-companion
+  REPO_NAME: ${{ vars.DOCKERHUB_USERNAME }}/py-dep-man-companion
+
+concurrency: ${{ github.workflow }}-${{ github.ref }}
+
+jobs:
+  build-and-push-image:
+    if: github.repository == 'KemingHe/python-dependency-manager-companion-mcp-server'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      attestations: write
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+
+      - name: Log in to Docker Hub
+        # Pinned 3rd party action to commit hash of release v3.3.0 on 08/15/2024 to prevent supply chain attacks
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_PAT }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        # Pinned 3rd party action to commit hash of release v5.5.1 on 01/23/2024 to prevent supply chain attacks
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
+        with:
+          images: ${{ env.REPO_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=schedule,pattern=weekly-{{date 'YYYYMMDD'}}
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      # Add support for more platforms, i.e. linux/arm64 (macOS M1/M2) with QEMU
+      - name: Set up QEMU
+        # Pinned 3rd party action to commit hash of release v3.2.0 on 08/15/2024 to prevent supply chain attacks
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
+
+      # Enable advanced build features like cache export
+      - name: Set up Docker Buildx
+        # Pinned 3rd party action to commit hash of release v3.6.1 on 08/15/2024 to prevent supply chain attacks
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db
+        
+      - name: Build and push Docker image
+        id: push
+        # Pinned 3rd party action to commit hash of release v6.7.0 on 08/15/2024 to prevent supply chain attacks
+        uses: docker/build-push-action@16ebe778df0e7752d2cfcbd924afdbbd89c1a755
+        with:
+          context: .
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            BUILD_DATE=${{ github.event.head_commit.timestamp }}
+            VCS_REF=${{ github.sha }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: index.docker.io/${{ env.REPO_NAME }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

.github/workflows/auto-update.yml

@@ -20,7 +20,11 @@ jobs:
       contents: write
     uses: ./.github/workflows/auto-update-index.yml
 
-  # build-deploy:
-  #   name: Build and Deploy
+  # publish:
+  #   name: Publish Image
   #   needs: update-index
-  #   uses: ./.github/workflows/auto-build-and-deploy.yml
+  #   permissions:
+  #     contents: read
+  #     attestations: write
+  #     id-token: write
+  #   uses: ./.github/workflows/auto-update-publish.yml

Dockerfile

@@ -0,0 +1,77 @@
+# Optimized uv-based Alpine Docker image for MCP stdio transport
+# - Uses uv pre-built images for faster dependency management
+# - Multi-stage build for minimal final image size
+# - Non-root user for security
+# - Includes Rust support for tantivy dependency
+# - Configured for stdio transport (no HTTP endpoints)
+
+# ==============================================================================
+# Stage 1: Dependencies builder
+# ==============================================================================
+FROM ghcr.io/astral-sh/uv:python3.12-alpine AS builder
+
+# Set environment variables for uv
+ENV UV_COMPILE_BYTECODE=1 \
+    UV_LINK_MODE=copy \
+    UV_PROJECT_ENVIRONMENT=/app/.venv
+
+# Install system dependencies required for building Python packages
+RUN apk add --no-cache \
+    build-base \
+    libffi-dev \
+    rust \
+    cargo
+
+# Set working directory
+WORKDIR /app
+
+# Copy dependency specification files
+COPY pyproject.toml ./
+COPY uv.lock ./
+
+# Create virtual environment and install dependencies
+RUN --mount=type=cache,target=/root/.cache/uv \
+    uv sync --frozen --no-install-project --no-dev
+
+# Copy application code and install project
+COPY . .
+RUN --mount=type=cache,target=/root/.cache/uv \
+    uv sync --frozen --no-dev
+
+# ==============================================================================
+# Stage 2: Runtime
+# ==============================================================================
+FROM ghcr.io/astral-sh/uv:python3.12-alpine AS runtime
+
+# Set environment variables for Python and stdio mode
+ENV PYTHONUNBUFFERED=1 \
+    PYTHONDONTWRITEBYTECODE=1 \
+    UV_PROJECT_ENVIRONMENT=/app/.venv \
+    PYTHONPATH="/app" \
+    TMPDIR="/tmp/app"
+
+# Install runtime dependencies for Rust extensions
+RUN apk add --no-cache libgcc
+
+# Create non-root user and directories
+RUN addgroup -g 1000 appuser \
+    && adduser -u 1000 -G appuser -D appuser \
+    && mkdir -p /tmp/app \
+    && chown -R appuser:appuser /tmp/app
+
+# Copy application and virtual environment from builder
+COPY --from=builder --chown=appuser:appuser /app /app
+
+# Switch to non-root user
+USER appuser
+
+# Set working directory
+WORKDIR /app
+
+# NOTE: No healthcheck for stdio MCP containers
+# Stdio containers are ephemeral and client-initiated - they start on-demand when
+# MCP clients connect, process requests via stdin/stdout, then exit when disconnected.
+# Traditional health checks don't apply to this usage pattern.
+
+# Start MCP server in stdio mode (default)
+CMD ["uv", "run", "--with", "fastmcp>=2.10.5", "--with", "tantivy>=0.24.0", "fastmcp", "run", "src/mcp_server.py"]

README.md

@@ -2,7 +2,7 @@
 
 > Updated on 2025-07-15 by @KemingHe
 
-Local MCP server providing unified search across Python dependency manager documentation.
+Local stdio MCP server providing unified search across Python dependency managers' latest and official documentation.
 
 ## 📋 Overview
 
@@ -18,7 +18,7 @@ docker pull keminghe/py-dep-man-companion:latest
 
 ### Step 2: Configure Your IDE
 
-Add to VSCode User Settings (JSON):
+Add to VSCode/Cursor `mcp.json`:
 
 ```json
 {
@@ -35,31 +35,35 @@ Add to VSCode User Settings (JSON):
 
 ### Step 3: Start Searching
 
-Query latest and unified documentation across all supported Python dependency managers directly from your AI assistant.
+Query latest and unified documentation across all supported Python dependency managers directly within your agentic chat.
 
 ## 📁 Project Structure
 
 ```plaintext
 python-dep-manager-companion-mcp-server/
-├── .github/workflows/        # Automation workflows (see workflows/README.md)
-├── docs/                     # Project documentation
+├── .github/workflows/            # Automation workflows
+│   ├── auto-update-docs.yml      # Weekly docs update
+│   ├── auto-update-index.yml     # Search index rebuild
+│   ├── auto-update-publish.yml   # Multi-arch Docker publish
+│   ├── auto-update.yml           # Combined automation
+│   └── README.md                 # Workflow documentation
 ├── src/
-│   ├── server.py             # FastMCP server implementation
-│   ├── index.py              # Tantivy search engine
-│   └── assets/               # Auto-updated documentation files
+│   ├── assets/               # Documentation source files
+│   │   ├── conda/            # conda docs  
+│   │   ├── pip/              # pip docs
+│   │   ├── poetry/           # poetry docs
+│   │   └── uv/               # uv docs
+│   ├── index/                # Pre-built search index
+│   ├── build_index.py        # Tantivy index builder
+│   └── mcp_server.py         # FastMCP stdio server
 ├── Dockerfile                # Container build configuration
-└── pyproject.toml            # Project dependencies and metadata
+├── pyproject.toml            # Project dependencies and metadata
+└── uv.lock                   # Locked dependencies
 ```
 
 ## 🛠️ Development
 
-**Transport Support**: Stdio (default) and HTTP modes following MCP standards.
-
-**Environment Variables**:
-
-- `TRANSPORT_MODE`: `stdio` or `http` (default: `stdio`)
-- `TRANSPORT_PORT`: HTTP server port (default: `8080`)
-- `TRANSPORT_HOST`: Host binding (default: `127.0.0.1`)
+**Transport**: Stdio only (MCP standard for local tools).
 
 **Local Development**:
 
@@ -69,8 +73,11 @@ git clone <repo-url>
 cd python-dep-manager-companion-mcp-server
 uv sync
 
-# Run server
-uv run python src/server.py stdio
+# Run server locally
+uv run --with fastmcp --with tantivy fastmcp run src/mcp_server.py
+
+# Build Docker image
+docker build -t py-dep-man-companion .
 ```
 
 **Roadmap**: Adding support for pipenv, pdm, pixi, and additional Python package managers.

pyproject.toml

@@ -1,12 +1,12 @@
 [project]
-name = "python-dep-manager-companion-mcp-server"
+name = "py_dep_man_companion"
 version = "0.1.0"
-description = "Local MCP server providing unified search across Python dependency manager documentation"
+description = "Local stdio MCP server providing unified search across Python dependency managers' latest and official documentation."
 readme = "README.md"
 license = {file = "LICENSE"}
 requires-python = ">=3.12"
-urls.repository = "https://github.com/KemingHe/python-dep-manager-companion-mcp-server"
-urls.issues = "https://github.com/KemingHe/python-dep-manager-companion-mcp-server/issues"
+urls.repository = "https://github.com/KemingHe/python-dependency-manager-companion-mcp-server"
+urls.issues = "https://github.com/KemingHe/python-dependency-manager-companion-mcp-server/issues"
 dependencies = [
     "fastmcp>=2.10.5",
     "tantivy>=0.24.0",

src/build_index.py

@@ -133,6 +133,7 @@ def build_index():
     if INDEX_DIR.exists():
         logger.info(f"Removing existing index at {INDEX_DIR}")
         import shutil
+
         shutil.rmtree(INDEX_DIR)
 
     # Create index directory