Commit 9bad816
authored
Centralize version management and migrate to UV-first dependency architecture (#23)
* Create centralized version and package metadata files
- Add src/_version.py as single source of truth for version
- Add src/_package.py with dynamic repository detection
- Update src/__init__.py to import from centralized files
- Support both SSH and HTTPS git remote URLs
* Update Makefile with dynamic variables and container targets
- Add centralized Python version settings (3.9-3.13, default 3.13)
- Add dynamic package metadata variables from centralized files
- Add container build targets for multi-Python support
- Update status target to show dynamic package information
- Add show-package-info target for metadata display
* Reorganize container deployment files and enhance build script
- Move docker-compose files to deployment/docker/ directory
- Move dev-tools/docker/build.sh to dev-tools/scripts/container-build.sh
- Update container build script to use centralized package name
- Add Python version support via environment variables from Makefile
- Update Makefile targets to use moved script and deployment paths
- Maintain all existing sophisticated build features (multi-arch, caching, etc.)
* Enhance container build script with Python version support
- Add PYTHON_VERSION and MULTI_PYTHON environment variable support
- Update tagging logic to include Python version in tags (e.g., 0.1.0-python3.11)
- Add PYTHON_VERSION as build argument for Dockerfile
- Update build info display to show Python version configuration
- Maintain all existing sophisticated features while adding multi-Python support
* Complete centralized version and package management implementation
Summary of changes:
- Centralized version management in src/_version.py (single source of truth)
- Centralized package metadata in src/_package.py with dynamic git detection
- Updated Makefile with dynamic variables from centralized files
- Enhanced container build system with multi-Python support (3.9-3.13)
- Reorganized deployment files to deployment/docker/ directory
- Updated all scripts to use centralized configuration
- Maintained consistency across all build and deployment processes
All version and package name references now come from single sources,
eliminating duplication and enabling easy repository management.
* Implement template-based centralized configuration system
Complete implementation of centralized package management:
Template System:
- Move pyproject.toml to pyproject.toml.template with {{PLACEHOLDER}} syntax
- Create executable dev-tools/scripts/generate-pyproject.py script
- Add pyproject.toml to .gitignore (generated file)
Makefile Updates:
- Add generate-pyproject target that creates pyproject.toml from template
- Update all installation targets to depend on generate-pyproject
- Update clean target to remove generated pyproject.toml
- Convert all dev-tools Python script calls to use executable scripts
- Update completion generation to use dynamic package names
Script Improvements:
- Make all dev-tools Python scripts executable (chmod +x)
- All scripts already have proper #!/usr/bin/env python3 shebangs
Medium Priority Fixes:
- Update MCP server to use centralized PACKAGE_NAME and __version__
- Fix completion script paths to use dynamic PACKAGE_NAME_SHORT
Benefits:
- Single source of truth for all package metadata
- Clean separation between template (tracked) and generated files
- Professional executable script approach
- Easy repository forking/renaming
- Consistent centralized configuration across all systems
* Fix CI pipelines to generate pyproject.toml before package operations
CI Pipeline Fixes:
- Add pyproject.toml generation step to all ci.yml jobs before package installation
- Update cache-dependency-glob to use pyproject.toml.template instead of pyproject.toml
- Add pyproject.toml generation to publish.yml before package building
- Ensure all workflows that need pyproject.toml generate it from template
This resolves CI failures where tools like Black, isort, and build commands
failed due to missing pyproject.toml file (now generated from template).
* Add work/ directory to .gitignore
Prevent accidental commit of working/cache directories that may be
created during development or testing.
* Remove all dynamic configuration from pyproject.toml template
Fix setuptools build error by removing [tool.setuptools.dynamic] section entirely.
Since we generate the complete pyproject.toml from template with static values,
no dynamic configuration is needed or allowed.
This resolves the setuptools error:
'tool.setuptools.dynamic must not contain {name} properties'
All package metadata is now generated statically from centralized sources.
* Fix CI pipeline enforcement and code formatting
CI Pipeline Improvements:
- Remove continue-on-error from critical quality checks (black, isort, flake8)
- Keep continue-on-error for mypy, pylint, and tests (to be fixed later)
- CI will now properly fail when formatting/style issues are found
Code Formatting:
- Run black formatting on entire codebase (270 files reformatted)
- Fix formatting issues in centralized configuration files
- Note: 3 test files have syntax errors and need separate investigation
This ensures CI properly enforces code quality standards while allowing
gradual improvement of other quality checks.
* fix: correct invalid exception raising syntax in test files
- Fix AssertionError(), 'message' syntax to AssertionError('message')
- Update tests/integration/test_hostfactory_lifecycle.py (lines 208, 215)
- Update tests/unit/patterns/test_di_pattern.py (line 422)
- Update tests/unit/test_corner_cases.py (lines 384, 395)
- Resolves Black formatting AST parsing errors in CI pipeline
- Maintains test functionality while using correct Python syntax
* fix: resolve flake8 B014 redundant exception type violations
- Remove redundant IOError from except (OSError, IOError) clauses (lines 335, 364)
- Remove redundant UnicodeError from except clause (line 626) since UnicodeError is subclass of ValueError
- Maintain identical exception handling behavior while following flake8 best practices
- Ensures CI pipeline passes all code quality checks (Black, flake8, isort)
* fix: resolve isort import formatting violations across codebase
- Fix import ordering in src/__init__.py (_package before _version)
- Fix import ordering in src/interface/mcp/server/core.py (local imports after third-party)
- Apply isort formatting to all source and test files for consistency
- Ensure CI pipeline passes isort quality checks
- Maintain Clean Architecture import patterns and professional standards
Files updated:
- 10 source files in src/ directory
- 12 test files across unit/integration/interface test suites
- All changes maintain existing functionality while following import conventions
* fix: resolve flake8 bare except violations and isort version compatibility
- Fix bare except clauses in src/_package.py (B001, E722 violations)
- Replace bare except: with specific exception types
- Remove redundant FileNotFoundError (subclass of OSError)
- Fix isort formatting in tests/unit/application/test_cqrs_patterns.py
- Upgrade local isort to 6.0.1 to match CI environment
- Apply isort 6.x formatting rules for import consolidation
- Ensure CI pipeline passes all code quality checks
Technical details:
- Exception handling now catches specific types: subprocess.CalledProcessError, OSError, AttributeError, IndexError
- isort version mismatch resolved (local 5.13.2 → 6.0.1 to match CI)
- Maintains existing functionality while meeting professional code standards
* feat: migrate to UV-first dependency management
- Migrate dependencies from requirements-dev.txt to pyproject.toml
- Pin isort==6.0.1 for CI consistency
- Generate uv.lock as single source of truth
- Update Makefile with UV-first targets (dev-install uses uv sync)
- Update all CI workflows to use uv sync --frozen
- Add enhanced Dependabot setup with UV lock file support
- Add monthly dependency maintenance workflow
- Remove requirements files (generated on-demand for pip compatibility)
* fix: correct Dependabot configuration validation errors
- Fix security-updates group to use valid update-types (patch, minor, major)
- Fix schedule day from 'first monday' to 'monday' for GitHub Actions and Docker
- Ensure all configuration follows Dependabot schema requirements
* fix: use Makefile targets in CI workflows instead of hardcoded commands
- Replace all hardcoded 'uv sync --frozen' with 'make ci-install'
- Replace all hardcoded 'uv pip install' with 'make ci-install'
- Ensures CI uses same workflow as local development
- Centralizes installation logic in Makefile for consistency
- Fixes security workflow and other missed workflows
* fix: update Makefile for UV migration and remove emojis
- Change virtual environment dependency from requirements.txt to uv.lock
- Remove emoji from requirements-generate target output
- Remove unnecessary backward compatibility aliases (install-uv, dev-install-uv)
- Fix virtual environment setup to work with UV lock file approach
* fix: remove redundant installations and fix docs build for UV
- Remove dev-install dependencies from all ci-* targets to eliminate redundant package installations
- CI workflows now assume dependencies are already installed via make ci-install
- Update docs build scripts to use 'uv run mkdocs' for UV-managed environments
- Fix mkdocs not found error by using correct UV execution context
- Improves CI performance by eliminating duplicate dependency installations
* fix: use python -m mkdocs with uv run for docs build
- Change from 'uv run mkdocs' to 'uv run python -m mkdocs'
- mkdocs needs to be run as a Python module, not as standalone command
- Fixes 'Failed to spawn: mkdocs' error in CI docs build
* fix: use uv run --frozen for docs build in CI
- Add --frozen flag to ensure UV uses exact lock file versions
- Matches the uv sync --frozen pattern used in CI installation
- Should resolve mkdocs module not found in UV environment
* fix: remove redundant security-scan job and add individual tool jobs
- Remove security-scan job that duplicated bandit and safety scans
- Add dedicated security-hadolint job for Dockerfile scanning
- Add dedicated security-semgrep job for static analysis
- Add dedicated security-trufflehog job for secrets detection
- Eliminates redundant tool executions (bandit/safety ran 3x each)
- Each tool now runs once in its own dedicated job with proper SARIF upload
* feat: add Trivy filesystem scanning to security workflow
- Add security-trivy-fs job for filesystem vulnerability scanning
- Complements existing container-security job (Trivy container scanning)
- Scans source code and dependencies for known vulnerabilities
- Uploads SARIF results to GitHub Security tab
- Provides comprehensive Trivy coverage: filesystem + container
* refactor: consolidate dependabot workflows into single workflow
- Remove 3 separate workflows: dependabot-automerge.yml, dependabot-uv-lock.yml, dependency-maintenance.yml
- Create single dependabot.yml workflow with 3 jobs: update-uv-lock, auto-merge, monthly-maintenance
- Keep .github/dependabot.yml configuration file (required by GitHub)
- Maintains all existing functionality in cleaner single-file structure
- Reduces workflow complexity and maintenance overhead
* fix: standardize CI installation to use make ci-install
- Replace all 'uv pip install --system -e ".[dev]"' with 'make ci-install'
- All CI jobs now use consistent UV lock file installation
- Keep 'uv pip install --system build wheel setuptools' for build job (correct)
- Fixes pipeline failures caused by mixed installation approaches
- Ensures all jobs use same frozen dependency versions
* fix: ensure CI installs all dependencies including dev extras
- Update ci-install target to use 'uv sync --frozen --all-extras'
- Fixes docs build failure where mkdocs was not available in CI
- Ensures all dev dependencies (mkdocs, testing tools, etc.) are installed
- Tested locally: docs build now works correctly with UV-managed environment
* refactor: restructure dependencies with CI and dev groups
- Add dependency-groups section with ci and dev groups
- CI group contains testing, linting, docs, and security tools
- Dev group contains additional development tools
- Update Makefile targets to use appropriate dependency groups
- Fix template to prevent duplicate dev sections
- Addresses dependency separation for production vs CI vs dev environments
Note: Dependency resolution conflicts need to be addressed in follow-up
* fix: resolve dependency conflicts and clean up unnecessary packages
DEPENDENCY ANALYSIS & CLEANUP:
- Analyzed actual codebase usage vs declared dependencies
- boto3: Used in 6 files (legitimate runtime dependency)
- botocore: Used in 18 files but only for exceptions/config (auto-included with boto3)
- requests: Used in 1 file only (cognito_strategy.py for JWKS)
REMOVED CONFLICTING PACKAGES FROM CI:
- boto3-stubs[essential] (caused urllib3 version conflicts)
- types-requests (required urllib3>=2, conflicts with botocore's urllib3<1.27)
- All mypy-boto3-* stubs (not essential for CI, can be added to dev if needed)
KEPT ESSENTIAL CI DEPENDENCIES:
- Testing: pytest, moto[all], coverage
- Code quality: black, isort, mypy, pylint
- Documentation: mkdocs and plugins
- Security: bandit, safety, semgrep
- Core type stubs: types-PyYAML, types-python-dateutil
RESULT:
- CI dependency installation now works without conflicts
- Docs build works correctly (mkdocs available)
- Reduced CI dependency bloat by ~15 packages
- Optional type stubs documented in dev group for manual installation
Fixes both CI pipeline failures and docs build issues.
* feat: implement centralized tool execution for CI consistency
- Add centralized run_tool.sh script for consistent tool execution
- Update all CI quality, security, and test targets to use centralized execution
- Ensure UV environment tools are properly accessed in CI workflows
- Maintain fallback support for venv, system, and Python module execution
- Fix import sorting issue in test file
All CI workflows now consistently use UV-managed tools while maintaining
compatibility with different execution environments.
* feat: optimize Dependabot schedule and add CODEOWNERS
- Change Dependabot schedule from Monday to Sunday for fresh PRs on Monday
- Reduce PR limits for better manageability (Python: 5→3, Actions: 3→2, Docker: 2→1)
- Make GitHub Actions and Docker updates weekly instead of monthly
- Remove deprecated reviewers field from Dependabot config
- Add CODEOWNERS file with team members: flamurg, fgogolli, kirillsc, canonicalname
- Ensure automatic review requests for critical files and workflows
* fix: correct YAML syntax error in security workflow
- Fix malformed YAML on line 196 where dependency-review job definition
was incorrectly merged into TruffleHog extra_args parameter
- Properly separate TruffleHog step from dependency-review job definition
- Ensure valid YAML structure for GitHub Actions workflow
1 parent be5dedd commit 9bad816
62 files changed
Lines changed: 5610 additions & 12739 deletions
File tree
- .github
- workflows
- deployment/docker
- dev-tools
- scripts
- security
- testing
- src
- application/services
- infrastructure
- di
- components
- persistence/components
- scheduler/hostfactory
- interface/mcp/server
- providers/aws/infrastructure
- adapters
- handlers
- tests
- integration
- interface/mcp
- providers/base/strategy
- unit
- application
- services
- domain
- infrastructure
- error
- patterns