switch os truststore libraries

[joe-clickhouse]

This PR switches OS trust-store handling from pip-system-certs to truststore and inject at startup.

This is happening because pip-system-certs pulls in pip transitively. Some hardened Docker image scanners fail any image that contains pip because CVE-2018-20225 gets flagged even though it’s considered intended behavior. See issue #70.

We only used pip-system-certs to auto-enable system CA bundles; we don’t need pip for that.

This is achieved by:

1. removing pip-system-certs from dependencies and adding truststore>=0.10.
2. In mcp_clickhouse/__init__.py, call:

if os.getenv("MCP_CLICKHOUSE_TRUSTSTORE_DISABLE") != "1":
    try:
        import truststore
        truststore.inject_into_ssl()
    except Exception:
        pass  # fallback to default SSL behavior if unavailable

This keeps behavior the same as before, using OS trust store by default and silently falls back if injection isn’t possible. As a result, runtime images no longer include pip, reducing scanner friction and addressing #70’s concern.

Closes #70

[Copilot]

Pull Request Overview

This PR switches OS trust-store handling from pip-system-certs to truststore to eliminate the transitive dependency on pip, which causes Docker image scanner issues due to CVE-2018-20225 flagging.

• Replaces pip-system-certs dependency with truststore>=0.10
• Adds truststore injection at startup with fallback handling
• Updates documentation to reflect the new trust store behavior

Reviewed Changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 2 comments.

File	Description
pyproject.toml	Updates dependency from pip-system-certs to truststore
mcp_clickhouse/init.py	Adds truststore injection logic at module initialization
fastmcp.json	Updates FastMCP configuration dependencies
README.md	Documents new TLS certificate trust store behavior

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}