Enabling vector-search tool as well as Authentication

Author: anshulkhantwal

.dockerignore

@@ -1,11 +1,44 @@
+### Runtime build context reduction
+### Runtime build context reduction
 dist
 node_modules
-.vscode
-.github
+
+### VCS / metadata
 .git
-# Environment variables
+.github
+.smithery
+
+### Tool / editor configs
+.vscode
+*.swp
+*.tmp
+*.DS_Store
+Thumbs.db
+
+### Logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+
+### Temp
+tmp
+**/tmp
+
+### Environment variables & secrets
 .env
+.env.*
+env.list
 
+### Tests & coverage (not needed in runtime image)
 tests
 coverage
-scripts
+scripts/accuracy
+**/test-data-dumps
+.vitest
+
+### Local certificates (copy explicitly if needed)
+certs
+
+### Misc local exports
+exports

Dockerfile

@@ -1,11 +1,87 @@
-FROM node:22-alpine
-ARG VERSION=latest
+###
+# Optimized multi-stage Dockerfile for mongodb-mcp-server
+#
+# Build args:
+#   NODE_VERSION       Node.js version (default 22-alpine)
+#   INSTALL_DEV        Keep dev dependencies (true|false, default: false)
+#   RUNTIME_IMAGE      Base runtime image (default: node:22-alpine)
+#
+# Typical build:
+#   docker build -t mongodb-mcp-server:local .
+#   docker build --build-arg INSTALL_DEV=true -t mongodb-mcp-server:dev .
+#
+# Runtime (stdio transport):
+#   docker run --rm -it mongodb-mcp-server:local --transport stdio
+#
+# Runtime (http transport):
+#   docker run --rm -p 3000:3000 mongodb-mcp-server:local --transport http --httpHost 0.0.0.0
+#   curl -s -X POST http://localhost:3000/mcp -H 'Content-Type: application/json' \
+#     -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{}}}'
+#
+# Optional HTTP auth (Azure Managed Identity):
+#   docker run --rm -p 3000:3000 \
+#     -e MDB_MCP_HTTP_AUTH_MODE=azure-managed-identity \
+#     -e MDB_MCP_AZURE_MANAGED_IDENTITY_TENANT_ID=<tenant-guid> \
+#     -e MDB_MCP_AZURE_MANAGED_IDENTITY_CLIENT_ID=<app-client-id> \
+#     mongodb-mcp-server:local --transport http --httpHost 0.0.0.0
+###
+
+# syntax=docker/dockerfile:1.7-labs
+
+ARG NODE_VERSION=22-alpine
+ARG RUNTIME_IMAGE=node:${NODE_VERSION}
+ARG INSTALL_DEV=false
+
+#############################################
+# Builder Stage
+#############################################
+FROM node:${NODE_VERSION} AS builder
+WORKDIR /app
+
+# Leverage Docker layer caching: copy only dependency manifests + tsconfigs first (needed by build scripts)
+COPY package.json package-lock.json* .npmrc* tsconfig*.json eslint.config.js vitest.config.ts ./
+
+# Install dependencies without running lifecycle scripts (avoid premature build via prepare)
+RUN --mount=type=cache,target=/root/.npm \
+	npm ci --ignore-scripts
+
+# Copy application sources
+COPY src ./src
+COPY scripts ./scripts
+
+# Now run the build explicitly (includes prepare sequence tasks)
+RUN npm run build
+
+# Optionally prune dev dependencies for slimmer runtime
+ARG INSTALL_DEV
+RUN if [ "${INSTALL_DEV}" != "true" ]; then npm prune --omit=dev; fi
+
+#############################################
+# Runtime Stage
+#############################################
+FROM ${RUNTIME_IMAGE} AS runtime
+ENV NODE_ENV=production \
+	MDB_MCP_LOGGERS=stderr,mcp
+
+# Create non-root user
 RUN addgroup -S mcp && adduser -S mcp -G mcp
-RUN npm install -g mongodb-mcp-server@${VERSION}
-USER mcp
 WORKDIR /home/mcp
-ENV MDB_MCP_LOGGERS=stderr,mcp
-ENTRYPOINT ["mongodb-mcp-server"]
-LABEL maintainer="MongoDB Inc <info@mongodb.com>"
-LABEL description="MongoDB MCP Server"
-LABEL version=${VERSION}
+
+# Copy only required artifacts (preserve ownership in a single layer)
+COPY --chown=mcp:mcp --from=builder /app/package*.json ./
+COPY --chown=mcp:mcp --from=builder /app/node_modules ./node_modules
+COPY --chown=mcp:mcp --from=builder /app/dist ./dist
+
+USER mcp
+
+# Expose default HTTP port (matches default config httpPort=3000)
+EXPOSE 3000
+
+LABEL maintainer="MongoDB Inc <info@mongodb.com>" \
+	  org.opencontainers.image.title="mongodb-mcp-server" \
+	  org.opencontainers.image.description="MongoDB MCP Server" \
+	  org.opencontainers.image.source="https://github.com/mongodb-js/mongodb-mcp-server"
+
+# Use exec form for clarity; default command may be overridden at runtime
+ENTRYPOINT ["node", "dist/index.js"]
+CMD ["--transport", "http"]

package-lock.json

@@ -35,12 +35,12 @@
     "start": "node dist/index.js --transport http --loggers stderr mcp",
     "start:stdio": "node dist/index.js --transport stdio --loggers stderr mcp",
     "prepare": "npm run build",
-    "build:clean": "rm -rf dist",
+    "build:clean": "rimraf dist",
     "build:update-package-version": "tsx scripts/updatePackageVersion.ts",
     "build:esm": "tsc --project tsconfig.esm.json",
     "build:cjs": "tsc --project tsconfig.cjs.json",
     "build:universal-package": "tsx scripts/createUniversalPackage.ts",
-    "build:chmod": "chmod +x dist/esm/index.js",
+  "build:chmod": "node -e \"try{if(process.platform!=='win32'){require('fs').chmodSync('dist/esm/index.js',0o755)}}catch(e){console.error(e);process.exit(1)}\"",
     "build": "npm run build:clean && npm run build:esm && npm run build:cjs && npm run build:universal-package && npm run build:chmod",
     "inspect": "npm run build && mcp-inspector -- dist/esm/index.js",
     "prettier": "prettier",
@@ -87,6 +87,7 @@
     "openapi-typescript": "^7.9.1",
     "prettier": "^3.6.2",
     "proper-lockfile": "^4.1.2",
+    "rimraf": "^5.0.10",
     "semver": "^7.7.2",
     "simple-git": "^3.28.0",
     "tsx": "^4.20.5",
@@ -104,6 +105,7 @@
     "@mongosh/service-provider-node-driver": "^3.17.0",
     "bson": "^6.10.4",
     "express": "^5.1.0",
+    "jose": "^5.9.6",
     "lru-cache": "^11.1.0",
     "mongodb-connection-string-url": "^3.0.2",
     "mongodb-log-writer": "^2.4.1",