# Codesteward MCP Graph Server
# Multi-stage build — keeps the final image lean.
#
# Build targets:
# default (graph-all) — all 14 tree-sitter language grammars
# graph-core — TypeScript / JavaScript / Python / Java only
# base — no tree-sitter (query-only mode)
#
# Graph backend:
# The image supports both Neo4j and JanusGraph. Select at runtime via
# GRAPH_BACKEND=neo4j (default) or GRAPH_BACKEND=janusgraph.
#
# Taint analysis (optional):
# The codesteward-taint binary is bundled by default using the latest GitHub
# release. Pin a specific version with --build-arg TAINT_VERSION=<version>.
# Set --build-arg TAINT_VERSION=none to build without the binary.
#
# Usage:
# docker build -t codesteward-mcp . # latest taint
# docker build --build-arg TAINT_VERSION=0.1.0 -t codesteward-mcp . # pinned taint
# docker build --build-arg TAINT_VERSION=none -t codesteward-mcp . # no taint
#
# # Neo4j backend:
# docker run -p 3000:3000 \
# -e NEO4J_URI=bolt://neo4j:7687 \
# -e NEO4J_USER=neo4j \
# -e NEO4J_PASSWORD=secret \
# codesteward-mcp
#
# # JanusGraph backend:
# docker run -p 3000:3000 \
# -e GRAPH_BACKEND=janusgraph \
# -e JANUSGRAPH_URL=ws://janusgraph:8182/gremlin \
# codesteward-mcp
# Build-time knobs. These sit before the first FROM so PYTHON_VERSION can be
# interpolated into the FROM lines below; an ARG declared here is not visible
# inside a stage, which is why the taint-fetcher and builder stages redeclare
# TAINT_VERSION and INSTALL_EXTRA respectively.
ARG PYTHON_VERSION=3.12
ARG INSTALL_EXTRA=graph-all
ARG TAINT_VERSION=latest
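# ── taint-fetcher stage ───────────────────────────────────────────────────────
# Downloads the codesteward-taint binary from GitHub Releases.
#   TAINT_VERSION=latest → /releases/latest/download/ (default). Not
#                          reproducible: the artifact behind "latest" changes
#                          with every upstream release.
#   TAINT_VERSION=0.1.0  → /releases/download/v0.1.0/ (pinned)
#   TAINT_VERSION=none   → skipped; server starts without taint_analysis tool
#   TAINT_SHA256=<hex>   → optional (lowercase hex). When set, the build fails
#                          unless the downloaded binary matches this SHA-256.
#                          Pin TAINT_VERSION and TAINT_SHA256 together for an
#                          integrity-checked build; the digest is per
#                          architecture, so supply the one for the arch built.
FROM alpine:3.20 AS taint-fetcher
ARG TAINT_VERSION
ARG TAINT_SHA256=
# Set automatically by BuildKit (amd64 / arm64); the uname fallback below keeps
# the stage working if it is ever empty.
ARG TARGETARCH
SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
# hadolint ignore=DL3018
RUN apk add --no-cache curl \
 && mkdir -p /opt/taint \
 && if [ "${TAINT_VERSION}" != "none" ]; then \
      ARCH="${TARGETARCH:-$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')}" \
      && if [ "${TAINT_VERSION}" = "latest" ]; then \
           URL="https://github.com/bitkaio/codesteward-taint/releases/latest/download/codesteward-taint-linux-${ARCH}"; \
         else \
           URL="https://github.com/bitkaio/codesteward-taint/releases/download/v${TAINT_VERSION}/codesteward-taint-linux-${ARCH}"; \
         fi \
      && curl -fsSL "${URL}" -o /opt/taint/codesteward-taint \
      && if [ -n "${TAINT_SHA256}" ]; then \
           ACTUAL="$(sha256sum /opt/taint/codesteward-taint | cut -d' ' -f1)"; \
           [ "${ACTUAL}" = "${TAINT_SHA256}" ] \
             || { echo "codesteward-taint checksum mismatch: got ${ACTUAL}" >&2; exit 1; }; \
         fi \
      && chmod +x /opt/taint/codesteward-taint; \
    fi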
# ── builder stage ────────────────────────────────────────────────────────────
# Compiles the tree-sitter native extensions and installs the workspace
# packages under /install; the final stage copies that prefix over /usr/local.
FROM python:${PYTHON_VERSION}-slim AS builder
ARG INSTALL_EXTRA
WORKDIR /build
# Toolchain needed only to build the tree-sitter native extensions. Left
# unpinned (see the hadolint pragma); nothing from this stage ships.
# hadolint ignore=DL3008
RUN set -eu; \
    apt-get update; \
    apt-get install -y --no-install-recommends build-essential gcc; \
    rm -rf /var/lib/apt/lists/*
# Workspace manifest first, then the member packages.
COPY pyproject.toml ./
COPY packages/ ./packages/
# Both packages are workspace members, so pip resolves the codesteward-graph
# dependency from the local packages/ tree instead of PyPI. --prefix keeps the
# result under /install for a single COPY into the runtime image.
RUN pip install --no-cache-dir --prefix=/install "./packages/codesteward-graph[${INSTALL_EXTRA},janusgraph]" "./packages/codesteward-mcp"
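# ── final stage ──────────────────────────────────────────────────────────────
# Runtime image: python:slim plus the packages built above, run as a fixed
# non-root UID/GID so orchestrators can enforce runAsNonRoot.
# NOTE(review): the base is pinned by minor version only; for a reproducible
# production build pin it by digest (python:<version>-slim@sha256:<digest>).
FROM python:${PYTHON_VERSION}-slim
LABEL org.opencontainers.image.title="Codesteward MCP Graph Server"
LABEL org.opencontainers.image.description="Structural codebase graph server over MCP (HTTP+SSE / stdio)"
LABEL org.opencontainers.image.source="https://github.com/bitkaio/codesteward-mcp"
# Apply outstanding Debian security updates on top of the python:slim base.
# The upstream image is rebuilt on a slower cadence than Debian security
# advisories, so pick up any waiting patches (e.g. openssl) at image-build time.
# hadolint ignore=DL3008
RUN apt-get update \
 && apt-get upgrade -y --no-install-recommends \
 && rm -rf /var/lib/apt/lists/*
# Copy installed packages from builder. They stay root-owned, so the service
# user can read but not modify them.
COPY --from=builder /install /usr/local
# Non-root service account. The group is created explicitly so the numeric GID
# is fixed at 1001 rather than depending on useradd's defaults.
# NOTE(review): --no-create-home leaves HOME pointing at a directory that does
# not exist; confirm nothing the server runs writes under ~ (caches, configs).
RUN groupadd --gid 1001 codesteward \
 && useradd --uid 1001 --gid codesteward --no-create-home --shell /bin/false codesteward
# Install taint binary when present (absent when TAINT_VERSION=none).
RUN --mount=type=bind,from=taint-fetcher,source=/opt/taint,target=/opt/taint-src \
    [ ! -f /opt/taint-src/codesteward-taint ] || \
    install -m 0755 /opt/taint-src/codesteward-taint /usr/local/bin/codesteward-taint
# Workspace directory for build metadata: created and chowned as root, and
# populated before the VOLUME declaration so the ownership survives.
RUN mkdir -p /workspace && chown codesteward:codesteward /workspace
VOLUME ["/workspace"]
USER codesteward
# Runtime defaults. PORT is the single source of truth for the listening port;
# EXPOSE and the health check below follow it.
ENV TRANSPORT=sse \
    HOST=0.0.0.0 \
    PORT=3000 \
    WORKSPACE_BASE=/workspace \
    LOG_LEVEL=INFO
# Documentation only; the actual listener binds $PORT.
EXPOSE 3000
# TCP-level liveness probe against the SSE listener. Reads PORT from the
# environment so an overridden -e PORT=... does not leave the container
# permanently unhealthy. With --transport stdio there is no listener and this
# probe will report unhealthy; disable it (--no-healthcheck) in that mode.
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
    CMD python -c "import os, socket; s=socket.socket(); s.settimeout(3); s.connect(('localhost', int(os.environ.get('PORT', '3000')))); s.close()" \
    || exit 1
ENTRYPOINT ["codesteward-mcp"]
# Default arguments; override at `docker run` to change transport.
# NOTE(review): this duplicates ENV TRANSPORT=sse — confirm which one the
# server honours when they disagree.
CMD ["--transport", "sse"]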