Docs/readme and docker publishing

[basebandit]

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules

[sonarqubecloud]

Quality Gate failed

Failed conditions
6 Security Hotspots

See analysis details on SonarQube Cloud

[Copilot]

Pull request overview

This PR updates the documentation and adds Docker image publishing capabilities to the Kai project. The changes transform the README from a basic overview to a comprehensive, user-friendly guide with detailed installation instructions, examples, and troubleshooting tips. The PR also configures automated multi-architecture Docker image builds using GoReleaser and GitHub Actions.

Changes:

• Extensively rewrote and expanded README.md with improved structure, installation methods, configuration examples, and production deployment guidance
• Added Dockerfile for manual Docker builds and Dockerfile.goreleaser for automated releases
• Configured multi-architecture Docker image builds (amd64/arm64) in .goreleaser.yaml with GitHub Container Registry publishing
• Updated GitHub Actions workflow to include Docker image publishing with proper permissions and authentication

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
README.md	Complete documentation overhaul with installation guides, usage examples, MCP client configurations, CLI options, production deployment examples, and troubleshooting section
Dockerfile	Multi-stage build configuration for local Docker image builds using Go 1.24-alpine
Dockerfile.goreleaser	Minimal runtime image for GoReleaser-based Docker builds
.goreleaser.yaml	Added Docker image build configuration with multi-architecture support (amd64/arm64) and manifest creation
.github/workflows/release.yml	Added Docker build dependencies (QEMU, Buildx) and GitHub Container Registry authentication for automated releases

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The download URLs in the README don't match the actual artifact naming from goreleaser. The goreleaser config (lines 57-62 of .goreleaser.yaml) generates names like "kai_VERSION_Darwin_x86_64.tar.gz" (including the version), but these download instructions assume files without the version in the name. Users will get 404 errors when trying to download. Either update the README to include the version placeholder (e.g., "kai_VERSION_Darwin_arm64.tar.gz") or modify the goreleaser name_template to exclude the version.

[Copilot]

The Kubernetes deployment example is missing a Service resource to expose the Kai deployment. While the Deployment includes containerPort 8080 and health check endpoints, without a Service resource, the deployment won't be accessible from outside the pod. Consider adding a Service manifest (e.g., ClusterIP, LoadBalancer, or NodePort) depending on the intended access pattern for production deployments.

[Copilot]

The example Kubernetes manifest binds the kai ServiceAccount to the cluster-admin ClusterRole, which grants full cluster-wide administrative privileges. If this configuration is used in a real cluster, any compromise or misuse of the kai service (including bugs or prompt injection driving dangerous actions) would immediately lead to complete cluster takeover. Replace cluster-admin with a dedicated, least-privilege ClusterRole that grants only the specific verbs and resources Kai needs, and update the example to clearly show a production-safe RBAC configuration.

Suggested change

	kind: ClusterRoleBinding
	metadata:
	name: kai
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: cluster-admin # Scope down for production!
	kind: ClusterRole
	metadata:
	name: kai-read-only
	rules:
	- apiGroups: [""]
	resources: ["pods", "pods/log", "services", "namespaces", "events"]
	verbs: ["get", "list", "watch"]
	- apiGroups: ["apps"]
	resources: ["deployments", "replicasets", "statefulsets"]
	verbs: ["get", "list", "watch"]
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRoleBinding
	metadata:
	name: kai-read-only
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: kai-read-only