build out morpheus-docs MCP stack, mirroring hvm-docs through Phases 1-13

Initial scaffold: the docs-mcp-template clone with all the
HVM-validated stack ported across, customized for Morpheus
Enterprise (PRODUCT_NAME=morpheus, server name morpheus-docs).

Bundles (live-discovered 2026-05-22; 1710 cataloged pages total):
* morpheus_user_manual_8_1_0  sd00007510en_us  568 pages (Feb 2026)
* morpheus_user_manual_8_1_1  sd00007621en_us  569 pages (Mar 2026)
* morpheus_user_manual_8_1_2  sd00007732en_us  569 pages (Apr 2026)
* morpheus_release_notes_8_1_0  sd00007496en_us  single-doc
* morpheus_release_notes_8_1_1  sd00007610en_us  single-doc
* morpheus_release_notes_8_1_2  sd00007733en_us  single-doc
* morpheus_quickspecs            a50009231enw     html-file (live
  curl_cffi against www.hpe.com; all 12+ Enterprise SKUs captured —
  S6E64..S6E73AAE for new/renewal/upgrade × 1/3/5-yr terms, plus
  services SKUs HA124A1#V38/V39 and H46SBA1).

No Deployment Guide or Qualification Matrix on HPE Support for
Morpheus Enterprise specifically — the only QM (sd00006551en_us)
covers HVM clusters managed by Morpheus and lives in hvm-docs.

Stack carried forward from hvm-docs:
* rag/{index,chunk,embeddings,bm25}.py — including the
  MAX_CHARS=4000 chunk-cap fix for table-dense content
* docs_mcp/{server,usage}.py — 11 MCP tools, BM25-default search,
  cross-encoder rerank, hybrid behind HYBRID_SEARCH=true,
  morpheus_api_lessons (renamed from hvm_api_lessons), env-gated
  submit_doc_bug
* docs_mcp/api_lessons.md — Morpheus-specific scaffold covering
  licensing model, HVM elevation path, REST vs Plugin API, with
  TODO markers for sections to flesh out from real ops experience
* scrape/{runner,quickspecs,changelog,bundles}.py — TOC + single-doc
  + html-file modes, curl_cffi Chrome120 for www.hpe.com edge bypass
* eval/{retrievers,run_eval}.py + queries.jsonl scaffold (4 placeholder
  queries; populate after first scrape)
* scripts/{rerank_server,usage_report,registry_gc}.py
* .gitea/workflows/{refresh,image-only}.yml — same Gitea Actions
  setup zerto-docs uses (push LAN, pull public-URL, GPU Ollama pool)
* deploy/docker-compose.yml — morpheus-docs-mcp service definition,
  shared jina-rerank sidecar, Watchtower-labeled
* Dockerfile, requirements.txt, requirements-rerank.txt

Verified locally: scrape produced 1599 .md pages (some TOC entries
are parent-only and yield no body), 6353 chunks all under the 4 KB
cap, MCP server boots and lists 11 tools cleanly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-05-22 15:26:24 -04:00
parent 43728320bf
commit fa448f94e1
22 changed files with 2822 additions and 247 deletions
+65 -44
View File
@@ -14,21 +14,17 @@ on:
workflow_dispatch:
env:
REGISTRY_PUSH: <lan-host>:<port>
REGISTRY_PULL: <public-registry-hostname>
# Image name derives from the actual repo at runtime, so a clone
# doesn't need to find/replace anything. e.g. justin/my-product-docs.
# github.* context is Gitea Actions' inherited GitHub-Actions namespace
# — values come from the Gitea server, not github.com.
# PUSH goes to the LAN endpoint (HTTP) to bypass Cloudflare's 100 MB
# body cap. PULL uses the public hostname (HTTPS). Same Gitea registry.
REGISTRY_PUSH: 192.168.0.2:1234
REGISTRY_PULL: git.jpaul.io
IMAGE: ${{ github.repository_owner }}/${{ github.event.repository.name }}
OLLAMA_URL: http://<gpu-host>:11434
# Two GPU-pinned Ollama containers on the Gitea host — same infra
# zerto-docs uses. :11435 = Titan X, :11436 = 1080 Ti. Indexer
# round-robins per batch.
OLLAMA_URLS: http://192.168.0.2:11435,http://192.168.0.2:11436
EMBED_MODEL: nomic-embed-text
# PRODUCT_NAME defaults to the repo name so a clone works without
# editing. Override here if you want a different identifier (e.g.
# repo "my-product-docs" → PRODUCT_NAME "myproduct"). Used as the
# Chroma collection name, BM25 db filename, and MCP server name —
# see docs_mcp/server.py.
PRODUCT_NAME: ${{ github.event.repository.name }}
PRODUCT_NAME: morpheus
jobs:
build:
@@ -39,8 +35,7 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
with:
# Full history (not shallow) so the digest-history step can
# walk git log up to --history-days back.
# Full history so digest-history can walk git log.
fetch-depth: 0
- name: Set up Python
@@ -54,9 +49,8 @@ jobs:
python -m pip install -q -r requirements.txt
- name: Refresh digest history
# Cheap (a few seconds); doesn't touch corpus content.
# Without this step, a code-only deploy would ship an
# increasingly-stale digest history relative to git.
# Cheap (few seconds). Without this step, a code-only deploy
# would ship an increasingly-stale digest history.
run: |
mkdir -p corpus/.digest
python -m scrape.changelog \
@@ -71,42 +65,69 @@ jobs:
- name: Rebuild indexes from existing corpus
run: python -m rag.index --rebuild
- name: Log in to registry (LAN endpoint)
run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login "${REGISTRY_PUSH}" -u "${{ github.repository_owner }}" --password-stdin
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
# LAN registry is HTTP only.
config-inline: |
[registry."192.168.0.2:1234"]
http = true
insecure = true
- name: Build & push image
- name: Configure registry credentials for buildx
env:
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
REGISTRY_USER: ${{ github.actor }}
run: |
SHA_TAG=$(echo "$GITHUB_SHA" | cut -c1-12)
DATE_TAG=$(date -u +%Y.%m.%d)
docker build \
-t "${REGISTRY_PUSH}/${IMAGE}:latest" \
-t "${REGISTRY_PUSH}/${IMAGE}:${SHA_TAG}" \
-t "${REGISTRY_PUSH}/${IMAGE}:${DATE_TAG}" \
.
docker push "${REGISTRY_PUSH}/${IMAGE}:latest"
docker push "${REGISTRY_PUSH}/${IMAGE}:${SHA_TAG}"
docker push "${REGISTRY_PUSH}/${IMAGE}:${DATE_TAG}"
mkdir -p ~/.docker
AUTH=$(printf '%s:%s' "$REGISTRY_USER" "$REGISTRY_TOKEN" | base64 -w0)
cat > ~/.docker/config.json <<EOF
{
"auths": {
"192.168.0.2:1234": {
"auth": "$AUTH"
}
}
}
EOF
- name: Compute tags
id: meta
uses: docker/metadata-action@v5
with:
images: 192.168.0.2:1234/${{ github.repository_owner }}/${{ github.event.repository.name }}
tags: |
type=raw,value=latest
type=sha,prefix=,format=short
type=raw,value={{date 'YYYY.MM.DD'}}
labels: |
org.opencontainers.image.source=https://git.jpaul.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
org.opencontainers.image.url=https://git.jpaul.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
- name: Build & push (amd64)
uses: docker/build-push-action@v6
with:
context: .
platforms: linux/amd64
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
- name: Link container package to this repo
# Gitea container packages are owned by a USER, not a repo —
# they don't auto-appear under the repo's Packages tab.
# This API call creates the association. One-time-effective:
# re-running returns 400 once linked, which we swallow.
# Endpoint requires Gitea 1.21+.
env:
GITEA_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
run: |
OWNER="${{ github.repository_owner }}"
PKG="${{ github.event.repository.name }}"
BODY=$(mktemp)
CODE=$(curl -sS -o "$BODY" -w "%{http_code}" -X POST \
code=$(curl -s -o /tmp/link.out -w "%{http_code}" -X POST \
-H "Authorization: token ${GITEA_TOKEN}" \
"https://${REGISTRY_PULL}/api/v1/packages/${OWNER}/container/${PKG}/-/link/${PKG}")
echo "link http=$CODE body=$(cat "$BODY")"
case "$CODE" in
201) echo "linked package to ${OWNER}/${PKG}" ;;
400) echo "already linked (re-link returns 400) — ok" ;;
*) echo "unexpected status $CODE"; exit 1 ;;
"https://git.jpaul.io/api/v1/packages/${OWNER}/container/${PKG}/-/link/${PKG}")
echo "link ${OWNER}/container/${PKG} -> ${PKG}: HTTP ${code}"
body=$(cat /tmp/link.out)
case "$code" in
201) echo "OK — newly linked" ;;
400|409) echo "OK — already linked: ${body}" ;;
*) echo "unexpected: ${body}"; exit 1 ;;
esac
- name: Prune old container versions
+92 -52
View File
@@ -19,27 +19,25 @@ on:
default: false
env:
# If your registry sits behind Cloudflare with its 100 MB body cap,
# use a LAN endpoint for pushes (bypasses CF) and the public hostname
# for pulls (response bodies aren't capped).
REGISTRY_PUSH: <lan-host>:<port>
REGISTRY_PULL: <public-registry-hostname>
# Image name derives from the actual repo at runtime, so a clone
# doesn't need to find/replace anything. e.g. justin/my-product-docs.
# github.* context is Gitea Actions' inherited GitHub-Actions namespace
# — values come from the Gitea server, not github.com.
# PUSH goes to the LAN endpoint (HTTP) to bypass Cloudflare Tunnel's
# 100 MB body cap. PULL uses the public hostname (HTTPS). Same Gitea
# registry either way — package lands under the same owner/repo.
REGISTRY_PUSH: 192.168.0.2:1234
REGISTRY_PULL: git.jpaul.io
# Image name derives from the repo at runtime — clones don't need to
# edit this. github.* is the Gitea-Actions inherited namespace.
IMAGE: ${{ github.repository_owner }}/${{ github.event.repository.name }}
# Embedder. One URL per GPU; the indexer round-robins.
OLLAMA_URL: http://<gpu-host>:11434
# Two GPU-pinned Ollama containers on the Gitea host — same infra
# zerto-docs uses (deploy/ollama-rag.docker-compose.yml over there).
# :11435 owns the Titan X, :11436 owns the 1080 Ti; the indexer
# round-robins per batch so both cards run in parallel. The host's
# primary Ollama on :11434 is left alone for OpenWebUI etc.
OLLAMA_URLS: http://192.168.0.2:11435,http://192.168.0.2:11436
EMBED_MODEL: nomic-embed-text
# PRODUCT_NAME defaults to the repo name so a clone works without
# editing. Override here if you want a different identifier (e.g.
# repo "my-product-docs" → PRODUCT_NAME "myproduct"). Used as the
# Chroma collection name, BM25 db filename, and MCP server name —
# see docs_mcp/server.py.
PRODUCT_NAME: ${{ github.event.repository.name }}
PRODUCT_NAME: morpheus
jobs:
refresh:
@@ -50,10 +48,12 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
with:
# Full history — required for the digest-history step to
# walk git log. Default fetch-depth: 1 silently produces a
# 0-byte history file.
# Full history — required for digest-history. Default depth 1
# silently produces a 0-byte history file.
fetch-depth: 0
# Set the credentials Gitea injects so we can push corpus
# commits back. Persist them across the run.
token: ${{ secrets.GITEA_TOKEN }}
- name: Set up Python
uses: actions/setup-python@v5
@@ -89,8 +89,8 @@ jobs:
- name: Commit corpus changes (if any)
id: commit
run: |
git config user.name "<product>-docs-refresh"
git config user.email "actions@<your-domain>"
git config user.name "hvm-docs-refresh"
git config user.email "actions@jpaul.io"
git add bundles.json corpus
if git diff --cached --quiet; then
echo "no corpus changes — skipping reindex and image build"
@@ -132,49 +132,89 @@ jobs:
if: steps.commit.outputs.changed == 'true' || inputs.force_build == true
run: python -m rag.index --rebuild
# ---- Build & push image ------------------------------------
- name: Log in to registry (LAN endpoint)
# ---- Build & push image (LAN endpoint, buildx) -------------
- name: Set up Docker Buildx
if: steps.commit.outputs.changed == 'true' || inputs.force_build == true
run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login "${REGISTRY_PUSH}" -u "${{ github.repository_owner }}" --password-stdin
uses: docker/setup-buildx-action@v3
with:
# LAN registry is HTTP only. Buildkit needs an explicit
# insecure-registry config or it tries to upgrade to HTTPS.
config-inline: |
[registry."192.168.0.2:1234"]
http = true
insecure = true
- name: Build & push image
- name: Configure registry credentials for buildx
# Can't use docker/login-action against the LAN endpoint —
# the host docker daemon errors on HTTP-vs-HTTPS. Buildx reads
# ~/.docker/config.json directly, so write the auth ourselves.
if: steps.commit.outputs.changed == 'true' || inputs.force_build == true
# Runner shell is /bin/sh — use cut instead of ${VAR::N}.
# Three tags: :latest (Watchtower target), :<sha12>
# (rollback pin), :<YYYY.MM.DD> (human-readable).
env:
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
REGISTRY_USER: ${{ github.actor }}
run: |
SHA_TAG=$(echo "$GITHUB_SHA" | cut -c1-12)
DATE_TAG=$(date -u +%Y.%m.%d)
docker build \
-t "${REGISTRY_PUSH}/${IMAGE}:latest" \
-t "${REGISTRY_PUSH}/${IMAGE}:${SHA_TAG}" \
-t "${REGISTRY_PUSH}/${IMAGE}:${DATE_TAG}" \
.
docker push "${REGISTRY_PUSH}/${IMAGE}:latest"
docker push "${REGISTRY_PUSH}/${IMAGE}:${SHA_TAG}"
docker push "${REGISTRY_PUSH}/${IMAGE}:${DATE_TAG}"
mkdir -p ~/.docker
AUTH=$(printf '%s:%s' "$REGISTRY_USER" "$REGISTRY_TOKEN" | base64 -w0)
cat > ~/.docker/config.json <<EOF
{
"auths": {
"192.168.0.2:1234": {
"auth": "$AUTH"
}
}
}
EOF
- name: Compute tags
id: meta
if: steps.commit.outputs.changed == 'true' || inputs.force_build == true
uses: docker/metadata-action@v5
with:
# Tag with the LAN hostname so the push goes over LAN.
# docker-compose on the deploy host pulls via git.jpaul.io.
images: 192.168.0.2:1234/${{ github.repository_owner }}/${{ github.event.repository.name }}
tags: |
type=raw,value=latest
type=sha,prefix=,format=short
type=schedule,pattern={{date 'YYYY.MM.DD'}}
type=raw,value={{date 'YYYY.MM.DD'}}
# Override auto-derived labels with the PUBLIC URL so Gitea
# can auto-link the package back to this repo.
labels: |
org.opencontainers.image.source=https://git.jpaul.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
org.opencontainers.image.url=https://git.jpaul.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
- name: Build & push (amd64)
if: steps.commit.outputs.changed == 'true' || inputs.force_build == true
uses: docker/build-push-action@v6
with:
context: .
platforms: linux/amd64
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
- name: Link container package to this repo
# Gitea container packages are owned by a USER, not a repo
# they don't auto-appear under the repo's Packages tab.
# This API call creates the association. One-time-effective:
# re-running returns 400 once linked, which we swallow.
# Endpoint requires Gitea 1.21+.
# Idempotent linkage so the package shows under the repo's
# Packages tab. Gitea's auto-link from the source label is
# unreliable in this setup (the runner reports an internal
# server URL), so we link explicitly. 201 = newly linked,
# 400 = already linked (treated as success).
if: steps.commit.outputs.changed == 'true' || inputs.force_build == true
env:
GITEA_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
run: |
OWNER="${{ github.repository_owner }}"
PKG="${{ github.event.repository.name }}"
BODY=$(mktemp)
CODE=$(curl -sS -o "$BODY" -w "%{http_code}" -X POST \
code=$(curl -s -o /tmp/link.out -w "%{http_code}" -X POST \
-H "Authorization: token ${GITEA_TOKEN}" \
"https://${REGISTRY_PULL}/api/v1/packages/${OWNER}/container/${PKG}/-/link/${PKG}")
echo "link http=$CODE body=$(cat "$BODY")"
case "$CODE" in
201) echo "linked package to ${OWNER}/${PKG}" ;;
400) echo "already linked (re-link returns 400) — ok" ;;
*) echo "unexpected status $CODE"; exit 1 ;;
"https://git.jpaul.io/api/v1/packages/${OWNER}/container/${PKG}/-/link/${PKG}")
echo "link ${OWNER}/container/${PKG} -> ${PKG}: HTTP ${code}"
body=$(cat /tmp/link.out)
case "$code" in
201) echo "OK — newly linked" ;;
400|409) echo "OK — already linked: ${body}" ;;
*) echo "unexpected: ${body}"; exit 1 ;;
esac
# ---- Registry GC -------------------------------------------