
build: pin PEP 517 build dependencies#2547

Open
maxisbey wants to merge 1 commit into main from build-constraint-deps

Conversation


@maxisbey maxisbey commented May 6, 2026

uv does not lock [build-system].requires or its transitives (astral-sh/uv#5190). On every fresh uv sync, the build-isolation step for the workspace packages resolves hatchling, uv-dynamic-versioning, and ~8 transitives at floating-latest with no hash check. The strict-no-cover git dep additionally pulls latest setuptools via the legacy fallback.

This pins those packages via [tool.uv].build-constraint-dependencies so the build environment is reproducible across machines and CI. uv records the constraints in uv.lock's [manifest] section but does not add them to the resolution graph.

Motivation and Context

Reproducible builds — without this, two fresh syncs on different days can use different build-backend versions.

How Has This Been Tested?

uv sync --frozen --reinstall-package mcp -v shows the build-isolation resolver now selecting the pinned versions. uv lock --check is a no-op.

Breaking Changes

None.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update / build configuration

Checklist

  • I have read the CONTRIBUTING document.
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

If/when strict-no-cover moves from a git dep to a PyPI release, the setuptools pin can be dropped.

uv does not lock [build-system].requires or its transitives (astral-sh/uv#5190),
so every fresh sync resolves hatchling, uv-dynamic-versioning, setuptools and
their deps at floating-latest with no hash check. Pinning them via
[tool.uv].build-constraint-dependencies makes the build environment
reproducible across machines and CI runs.

Versions chosen are the current latest of each. setuptools is included for the
legacy build of the strict-no-cover git dep.
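As an added illustration (not code from the mcp project or from this PR), the following check reports which `[build-system].requires` entries have no exact `==` pin in `[tool.uv].build-constraint-dependencies`. The embedded pyproject.toml, its package list and its versions are constructed placeholders, not the pins this PR adds; the check covers only the direct build requirements, since the transitives the PR also pins cannot be discovered from pyproject.toml alone.

```python
"""Report PEP 517 build requirements that lack an exact pin in
[tool.uv].build-constraint-dependencies.

Added example, not code from the mcp project or this PR. The sample
pyproject.toml below is constructed; its versions are placeholders.
"""
import re

try:
    import tomllib  # standard library on Python 3.11+
except ModuleNotFoundError:  # Python 3.10: fall back to the tomli backport
    import tomli as tomllib  # type: ignore[no-redef]

# Constructed sample. The second constraint deliberately uses a range rather
# than an exact pin so the check has something to report.
SAMPLE_PYPROJECT = """
[build-system]
requires = ["hatchling", "uv-dynamic-versioning"]
build-backend = "hatchling.build"

[tool.uv]
build-constraint-dependencies = [
    "hatchling==0.0.0",                              # placeholder version
    "uv-dynamic-versioning>=0.1",                    # range, not exact -> flagged
    "setuptools==0.0.0; python_version < '3.11'",    # marker is tolerated
]
"""

# PEP 508 project-name pattern (name must start and end alphanumerically)
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")


def requirement_name(spec: str) -> str:
    """Return the project name at the start of a requirement string."""
    match = _NAME_RE.match(spec)
    if match is None:
        raise ValueError(f"cannot parse requirement: {spec!r}")
    return match.group(1)


def canonical_name(name: str) -> str:
    """PEP 503 normalisation: 'UV_Dynamic.Versioning' -> 'uv-dynamic-versioning'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def is_exact_pin(spec: str) -> bool:
    """True if the requirement carries an '==' or '===' clause without a wildcard."""
    body = spec.split(";", 1)[0]                # drop the environment marker
    body = re.sub(r"\[[^\]]*\]", "", body).strip()  # drop extras like [foo]
    specifiers = body[len(requirement_name(body)):]
    for clause in specifiers.split(","):
        clause = clause.strip()
        # '==1.0.*' is a prefix match, not a pin; '~=', '>=' etc. are ranges
        if clause.startswith("==") and not clause.endswith("*"):
            return True
    return False


def unpinned_build_requirements(pyproject_text: str) -> list[str]:
    """Names from [build-system].requires with no exact build constraint."""
    data = tomllib.loads(pyproject_text)
    requires = data.get("build-system", {}).get("requires", [])
    constraints = (
        data.get("tool", {}).get("uv", {}).get("build-constraint-dependencies", [])
    )
    exact = {
        canonical_name(requirement_name(c)) for c in constraints if is_exact_pin(c)
    }
    return [
        requirement_name(r)
        for r in requires
        if canonical_name(requirement_name(r)) not in exact
    ]


if __name__ == "__main__":
    for name in unpinned_build_requirements(SAMPLE_PYPROJECT):
        print(f"build requirement without exact pin: {name}")
```

Run against a real pyproject.toml by reading the file into `unpinned_build_requirements`; an empty result means every direct build backend named in `[build-system].requires` is held to one version during build isolation.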
@maxisbey maxisbey marked this pull request as ready for review May 6, 2026 17:10
@maxisbey maxisbey requested a review from Kludex May 6, 2026 17:10

claude (bot) left a comment


LGTM — additive build-env constraints, strictly improves reproducibility; the inline note about wheel/tomli is a non-blocking nit.

Extended reasoning...

Overview

This PR adds a [tool.uv].build-constraint-dependencies list to pyproject.toml pinning 11 packages (hatchling, uv-dynamic-versioning, their transitives, and setuptools) that uv otherwise resolves at floating-latest inside PEP 517 build-isolation environments. The uv.lock change is the auto-generated [manifest].build-constraints mirror of the same list. No source code, runtime dependencies, or test configuration is touched.

Security risks

None. Build constraints only narrow which versions uv may select for already-required build backends; they cannot introduce new packages into the resolution. All pinned packages are well-known PyPI projects already implicitly fetched today. If anything, pinning reduces supply-chain exposure by removing the floating-latest fetch.

Level of scrutiny

Low. This is a purely additive tooling/config change with a clear, well-documented rationale (astral-sh/uv#5190). The worst plausible failure mode — a stale pin breaking uv sync after a future toolchain bump — would surface immediately and loudly in CI, and is trivially fixed by bumping the pin. The change is self-contained to two files and has no effect on the published wheel or runtime behavior.

Other factors

  • The one finding (missing wheel pin for examples/snippets and tomli for the py3.10 lane) is a minor coverage gap, not a regression: those two packages float today and will continue to float, while 11 others stop floating. The PR remains a strict improvement.
  • No CODEOWNERS file in the repo; no prior reviewer comments or outstanding discussion on the PR.
  • Author verified locally with uv sync --frozen --reinstall-package mcp -v and uv lock --check.
