Fix dependency vulns and Dockerfile python version mismatch (#206)

* Fix high/critical dependency vulns and FastMCP init compatibility

* Add fastmcp.json to declare environment dependencies metadata

* fix(docker): match builder python version to pyatlan runtime

The switch to pyatlan base image in b8157d6 introduced two issues:

1. Builder stage used Python 3.12 while the pyatlan runtime image
   uses Python 3.11. Packages compiled against 3.12 (C extensions,
   bytecode) can fail on 3.11 at runtime.

2. The venv python symlink pointed to /usr/local/bin/python (builder
   path) which does not exist in the pyatlan runtime image where
   python lives at /usr/bin/python3. This caused the venv to be
   silently skipped, falling back to the system python without
   any of the installed dependencies (fastmcp, uvicorn, etc).

Changes:
- Builder image changed from python3.12 to python3.11
- Added symlink fixup after COPY to repoint venv python to
  the runtime's /usr/bin/python3

Author: fyzanshaik-atlan

modelcontextprotocol/Dockerfile

@@ -1,5 +1,5 @@
 # Use a Python image with uv pre-installed
-FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim AS builder
+FROM ghcr.io/astral-sh/uv:python3.11-bookworm-slim AS builder
 
 # Set environment variables for build
 ENV PYTHONDONTWRITEBYTECODE=1 \
@@ -22,6 +22,10 @@ WORKDIR /home/nonroot/app
 
 COPY --from=builder --chown=nonroot:nonroot /app /home/nonroot/app
 
+# Fix venv python symlink: builder has python at /usr/local/bin, runtime at /usr/bin
+RUN ln -sf /usr/bin/python3 /home/nonroot/app/.venv/bin/python && \
+    ln -sf /usr/bin/python3 /home/nonroot/app/.venv/bin/python3
+
 # Set the PATH to use the virtual environment
 ENV PATH="/home/nonroot/app/.venv/bin:$PATH"
 

modelcontextprotocol/fastmcp.json

@@ -0,0 +1,6 @@
+{
+  "entrypoint": "server.py",
+  "environment": {
+    "dependencies": ["pyatlan", "fastmcp"]
+  }
+}

modelcontextprotocol/pyproject.toml

@@ -16,14 +16,24 @@ classifiers = [
 ]
 
 dependencies = [
-    "fastmcp==2.13.2",
+    "fastmcp>=2.14.0",
     "pyatlan>=6.0.1",
     "uvicorn>=0.35.0"
 ]
 
 [project.scripts]
 atlan-mcp-server = "server:main"
 
+[tool.uv]
+constraint-dependencies = [
+    "authlib>=1.6.6",
+    "cryptography>=46.0.5",
+    "h11>=0.16.0",
+    "python-multipart>=0.0.22",
+    "starlette>=0.49.1",
+    "urllib3>=2.6.3",
+]
+
 [project.urls]
 "Homepage" = "https://github.com/atlanhq/agent-toolkit"
 "Documentation" = "https://ask.atlan.com/hc/en-us/articles/12525731740175-How-to-implement-the-Atlan-MCP-server"

modelcontextprotocol/server.py

@@ -32,7 +32,7 @@
 from settings import get_settings
 
 
-mcp = FastMCP("Atlan MCP Server", dependencies=["pyatlan", "fastmcp"])
+mcp = FastMCP("Atlan MCP Server")
 
 # Get restricted tools from environment variable or use default
 restricted_tools_env = os.getenv("RESTRICTED_TOOLS", "")