Поддержка Docker: контейнеризация и управление roots

- Dockerfile с multi-stage сборкой (eclipse-temurin:25-jdk/jre-alpine)
- GitHub Actions workflow для автоматической публикации в ghcr.io
- Переменная NTS_DOCKER_ROOTS для явного указания корневых директорий
- Клиентские roots переопределяются в Docker-режиме (пути хоста недоступны внутри контейнера)
- docker-compose.yml для локальной разработки
- Обновлённая документация README (EN/RU)

Граничные случаи NTS_DOCKER_ROOTS:
- Пустое значение → fallback к PROJECT_ROOT или CWD
- Множественные пути через двоеточие
- Пути с пробелами
- Пустые элементы (trailing separators) игнорируются

Author: Nefrols

.dockerignore

@@ -0,0 +1,38 @@
+# =============================================================================
+# Docker ignore file for NTS MCP FileSystem Server
+# =============================================================================
+
+# Git
+.git/
+.gitignore
+
+# IDE
+.idea/
+.vscode/
+*.iml
+
+# Build artifacts (we rebuild in Docker)
+build/
+app/build/
+.gradle/
+**/bin/
+**/out/
+
+# Documentation (not needed in image)
+docs/
+*.md
+!README.md
+
+# OS files
+.DS_Store
+Thumbs.db
+
+# Logs and temp files
+*.log
+*.tmp
+.nts/
+
+# Docker files (no recursion needed)
+Dockerfile
+docker-compose*.yml
+.dockerignore

.github/workflows/docker-publish.yml

@@ -0,0 +1,107 @@
+# =============================================================================
+# GitHub Actions: Build and publish Docker image to GitHub Container Registry
+# =============================================================================
+# Triggers:
+#   - On release: builds and tags with version (v1.2.3 -> 1.2.3, latest)
+#   - On push to main: builds and tags as 'edge' (development version)
+#
+# Images are published to: ghcr.io/nefrols/nts-mcp-fs
+# =============================================================================
+
+name: Docker Build & Publish
+
+on:
+  release:
+    types: [published]
+  push:
+    branches: [main]
+    paths:
+      - 'app/**'
+      - 'gradle/**'
+      - 'Dockerfile'
+      - '.github/workflows/docker-publish.yml'
+  workflow_dispatch:  # Manual trigger
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: nefrols/nts-mcp-fs
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+
+    steps:
+      # ----------------------------------------------------------------------
+      # Setup
+      # ----------------------------------------------------------------------
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU (for multi-platform builds)
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      # ----------------------------------------------------------------------
+      # Authentication
+      # ----------------------------------------------------------------------
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # ----------------------------------------------------------------------
+      # Metadata (tags and labels)
+      # ----------------------------------------------------------------------
+      - name: Extract metadata for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            # For releases: v1.2.3 -> 1.2.3, 1.2, 1, latest
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            # For main branch pushes: edge
+            type=edge,branch=main
+            # Always include commit SHA for traceability
+            type=sha,prefix=
+          labels: |
+            org.opencontainers.image.title=NTS MCP FileSystem Server
+            org.opencontainers.image.description=Transactional File System server for Model Context Protocol
+            org.opencontainers.image.vendor=Nefrols
+
+      # ----------------------------------------------------------------------
+      # Build and Push
+      # ----------------------------------------------------------------------
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      # ----------------------------------------------------------------------
+      # Attestation (provenance)
+      # ----------------------------------------------------------------------
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

Dockerfile

@@ -0,0 +1,106 @@
+# =============================================================================
+# NTS MCP FileSystem Server - Docker Image
+# =============================================================================
+# Multi-stage build for optimized image size
+#
+# IMPORTANT: Docker Mode and Roots
+# --------------------------------
+# In Docker, the server cannot access host filesystem paths directly.
+# You MUST explicitly mount directories and specify them via NTS_DOCKER_ROOTS.
+# These roots will OVERRIDE any roots sent by the MCP client.
+#
+# Usage Examples:
+#
+#   Single project:
+#     docker run -i --rm \
+#       -v /home/user/myproject:/mnt/project \
+#       -e NTS_DOCKER_ROOTS=/mnt/project \
+#       nts-mcp-fs
+#
+#   Multiple projects:
+#     docker run -i --rm \
+#       -v /home/user/project1:/mnt/p1 \
+#       -v /home/user/project2:/mnt/p2 \
+#       -e NTS_DOCKER_ROOTS=/mnt/p1:/mnt/p2 \
+#       nts-mcp-fs
+#
+# For MCP clients (Claude Desktop, Cursor), configure:
+#   {
+#     "command": "docker",
+#     "args": [
+#       "run", "-i", "--rm",
+#       "-v", "/home/user/project:/mnt/project",
+#       "-e", "NTS_DOCKER_ROOTS=/mnt/project",
+#       "nts-mcp-fs"
+#     ]
+#   }
+#
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# Stage 1: Build
+# -----------------------------------------------------------------------------
+FROM eclipse-temurin:25-jdk AS builder
+
+WORKDIR /build
+
+# Copy Gradle wrapper and build files first (for layer caching)
+COPY gradlew gradlew.bat ./
+COPY gradle/ gradle/
+COPY settings.gradle.kts ./
+COPY app/build.gradle.kts app/
+
+# Download dependencies (cached layer)
+RUN chmod +x gradlew && ./gradlew dependencies --no-daemon || true
+
+# Copy source code
+COPY app/src/ app/src/
+
+# Build fat JAR
+RUN ./gradlew shadowJar --no-daemon
+
+# -----------------------------------------------------------------------------
+# Stage 2: Runtime
+# -----------------------------------------------------------------------------
+FROM eclipse-temurin:25-jre-alpine
+
+LABEL org.opencontainers.image.title="NTS MCP FileSystem Server"
+LABEL org.opencontainers.image.description="Transactional File System server for Model Context Protocol"
+LABEL org.opencontainers.image.source="https://github.com/Nefrols/nts-mcp-fs"
+LABEL org.opencontainers.image.licenses="Apache-2.0"
+
+# Create non-root user for security
+RUN addgroup -g 1000 nts && \
+    adduser -u 1000 -G nts -s /bin/sh -D nts
+
+WORKDIR /app
+
+# Copy JAR from builder
+COPY --from=builder /build/app/build/libs/app-all.jar /app/nts-mcp-fs.jar
+
+# Create default mount point
+RUN mkdir -p /mnt && chown nts:nts /mnt
+
+# Switch to non-root user
+USER nts
+
+# Environment variables:
+#   NTS_DOCKER_ROOTS - Colon-separated list of root paths inside container.
+#                      These OVERRIDE client-provided roots (required for Docker).
+#                      Must match your -v volume mount points.
+#                      Example: /mnt/project1:/mnt/project2
+#
+#   JAVA_OPTS        - JVM options (default: ZGC with 512MB heap)
+#   MCP_DEBUG        - Set to "true" for debug logging to stderr
+#   MCP_LOG_FILE     - Path to log file for debugging
+
+# ZGC is generational by default in Java 25+
+ENV JAVA_OPTS="-XX:+UseZGC -Xmx512m"
+
+# Health check (optional, for orchestrators)
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+    CMD pgrep -f "nts-mcp-fs.jar" || exit 1
+
+# MCP servers communicate via stdio, so we need interactive mode
+# The entrypoint uses exec to properly handle signals
+ENTRYPOINT ["sh", "-c", "exec java $JAVA_OPTS -jar /app/nts-mcp-fs.jar"]