feat(mcp): HTTP+Bearer CRA-MCP-Server für den Repo-Scanner + Finding-Adapter

Register-Flow für compliance-scanner-agent (anderes Team, Rust): deren MCP-Client
(McpServerConfig) erwartet Streamable HTTP + Bearer — unser MCP war stdio/ohne Auth.
- server.py auf FastMCP umgestellt: Tools cra_assess_findings + cra_list_requirements,
  Dual-Transport (stdio default; Streamable HTTP wenn MCP_PORT gesetzt), Bearer-Gate
  via CRA_MCP_TOKEN.
- ScannerFinding.from_dict tolerant für ihr Finding-Schema (_id/fingerprint,
  scan_type→category, cvss_score→cvss, file_path→location, severity info→low).
- Eigenständiger docker-compose-Dienst bp-compliance-mcp (Port 8099, pure/kein DB,
  isoliert von der Haupt-API) + Hetzner-amd64-Override.
- Tests: test_cra_scanner_adapter, test_mcp_server (Bearer-Gate + Tool-Registry).

Pull-Flow (wir holen ihre Findings über ihren MCP) + öffentliches nginx-Routing
folgen separat (brauchen ihren Endpoint/Token).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

docker-compose.yml

@@ -144,6 +144,31 @@ services:
     networks:
       - breakpilot-network
 
+  # MCP server for the external repo-scanner (compliance-scanner-agent).
+  # Standalone: exposes cra_assess_findings over Streamable HTTP + Bearer.
+  # Pure/deterministic (no DB/core) — isolated from the main API on purpose.
+  mcp-compliance:
+    build:
+      args:
+        BUILD_SHA: ${BUILD_SHA:-unknown}
+      context: ./backend-compliance
+      dockerfile: Dockerfile
+    container_name: bp-compliance-mcp
+    platform: linux/arm64
+    command: ["python", "-m", "compliance.mcp.server"]
+    expose:
+      - "8099"
+    ports:
+      - "8099:8099"
+    environment:
+      MCP_PORT: 8099
+      CRA_MCP_TOKEN: ${CRA_MCP_TOKEN:-}
+    healthcheck:
+      disable: true
+    restart: unless-stopped
+    networks:
+      - breakpilot-network
+
   # =========================================================
   # SDK SERVICES
   # =========================================================