diff --git a/pyproject.toml b/pyproject.toml
index a5d2c3d80..364b9add0 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -54,6 +54,24 @@ mcp = "mcp.cli:app [cli]"
 [tool.uv]
 default-groups = ["dev", "docs"]
 required-version = ">=0.9.5"
+# PEP 517 build isolation fetches [build-system].requires (and transitives) at
+# floating-latest with no hash check on every fresh sync; uv does not lock them
+# (astral-sh/uv#5190). Pinning here narrows that to known-good versions. Covers
+# the workspace builds (hatchling + uv-dynamic-versioning) and the legacy
+# setuptools fallback used by the strict-no-cover git dep.
+build-constraint-dependencies = [
+    "hatchling==1.29.0",
+    "uv-dynamic-versioning==0.14.0",
+    "dunamai==1.26.1",
+    "jinja2==3.1.6",
+    "markupsafe==3.0.3",
+    "packaging==26.1",
+    "pathspec==1.0.4",
+    "pluggy==1.6.0",
+    "tomlkit==0.14.0",
+    "trove-classifiers==2026.1.14.14",
+    "setuptools==82.0.1",
+]
 
 [dependency-groups]
 dev = [
diff --git a/uv.lock b/uv.lock
index 705d014aa..b396898b6 100644
--- a/uv.lock
+++ b/uv.lock
@@ -28,6 +28,19 @@ members = [
     "mcp-sse-polling-demo",
     "mcp-structured-output-lowlevel",
 ]
+build-constraints = [
+    { name = "dunamai", specifier = "==1.26.1" },
+    { name = "hatchling", specifier = "==1.29.0" },
+    { name = "jinja2", specifier = "==3.1.6" },
+    { name = "markupsafe", specifier = "==3.0.3" },
+    { name = "packaging", specifier = "==26.1" },
+    { name = "pathspec", specifier = "==1.0.4" },
+    { name = "pluggy", specifier = "==1.6.0" },
+    { name = "setuptools", specifier = "==82.0.1" },
+    { name = "tomlkit", specifier = "==0.14.0" },
+    { name = "trove-classifiers", specifier = "==2026.1.14.14" },
+    { name = "uv-dynamic-versioning", specifier = "==0.14.0" },
+]
 
 [[package]]
 name = "annotated-types"