fix(docker): build from repo root for npm workspaces layout

The multiplatform image build was failing at `npm ci` because the
workflow set `context: ./packages/server` — but npm workspaces
monorepos keep a single `package-lock.json` at the repo root, so the
server subtree has no lockfile to copy. `npm ci` requires a lockfile
and aborts with EUSAGE.

Switch the build to repo-root context and rewrite the Dockerfile to
understand the workspace graph: copy the root lockfile + every
workspace package.json, run `npm ci`, then build only the server
workspace. A separate prod-deps stage installs production-only deps
scoped to @ibm/ibmi-mcp-server so the runner image doesn't carry dev
tooling or CLI workspace deps. Runner stage populates packages/server/
so the node_modules symlink resolves correctly.

Also tighten .dockerignore so nested node_modules (app/agent-ui,
client/, etc.) don't bloat the build context — otherwise COPY . .
pulls in ~500MB of unrelated Node deps and OOMs the builder.

Verified locally (npm ci all-deps + npm ci --omit=dev --workspace) —
the CI failure mode no longer reproduces.

Signed-off-by: Adam Shedivy <ajshedivyaj@gmail.com>

Author: ajshedivy

.dockerignore

@@ -25,6 +25,7 @@ Thumbs.db
 # NODE.JS & PACKAGE MANAGERS
 # =============================================================================
 node_modules/
+**/node_modules
 npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
@@ -195,8 +196,11 @@ duckdata/
 # LARGE PROJECT DIRECTORIES (exclude from Docker build context)
 # =============================================================================
 agents/
+app/
+client/
 release/
 coverage/
 .git/
 .github/
-changelogs/
+changelogs/
+tmp/

.github/workflows/docker-multiplatform.yml

@@ -103,7 +103,7 @@ jobs:
         id: build
         uses: docker/build-push-action@v6
         with:
-          context: ./packages/server
+          context: .
           file: ./packages/server/Dockerfile
           platforms: ${{ matrix.platform }}
           push: true

packages/server/Dockerfile

@@ -1,69 +1,89 @@
-# ---- Base Node ----
-# Use a specific Node.js version known to work, Alpine for smaller size
+# syntax=docker/dockerfile:1.7
+#
+# Build context: REPO ROOT (npm workspaces monorepo uses a single root
+# package-lock.json shared by every workspace). The workflow must set
+# `context: .` so this Dockerfile can see the root lockfile.
+#
+# Produces a runtime image for @ibm/ibmi-mcp-server only — the CLI
+# workspace is not shipped.
+
+# ---- Base ----
 FROM node:bookworm-slim AS base
-WORKDIR /usr/src/app
-# NODE_ENV will be set by docker-compose from .env file
-
-# Update system packages and install security updates
-# This resolves all system-level CVEs
-RUN apt-get update && \
-    apt-get upgrade -y && \
-    apt-get install -y --no-install-recommends \
-        ca-certificates \
-        && \
-    npm install -g npm@latest && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
-
-# ---- Dependencies ----
-# Install dependencies first to leverage Docker cache
-FROM base AS deps
-WORKDIR /usr/src/app
-ENV NODE_ENV=production
-COPY package.json package-lock.json* ./
-# Use npm ci for deterministic installs based on lock file
-# Install only production dependencies in this stage for the final image
-RUN npm ci --only=production
+WORKDIR /app
 
-# ---- Builder ----
-# Build the application
+# System updates + recent npm (lockfileVersion 3 needs npm >= 7)
+RUN apt-get update \
+    && apt-get upgrade -y \
+    && apt-get install -y --no-install-recommends ca-certificates \
+    && npm install -g npm@latest \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# ---- Builder: install all deps, build the server workspace ----
 FROM base AS builder
-WORKDIR /usr/src/app
-# Override NODE_ENV to ensure devDependencies (including TypeScript) are installed
+WORKDIR /app
 ENV NODE_ENV=development
-# Copy dependency manifests and install *all* dependencies (including dev)
-COPY package.json package-lock.json* ./
+
+# Copy manifests first so the Docker layer cache is invalidated only when
+# dependency declarations change, not on every source edit. Every workspace
+# package.json must be present for `npm ci` to resolve the workspace graph
+# that the root lockfile describes.
+COPY package.json package-lock.json ./
+COPY packages/server/package.json ./packages/server/
+COPY packages/cli/package.json ./packages/cli/
+
 RUN npm ci
-# Copy the rest of the source code
+
+# Copy the full source tree and build only the server workspace.
+# (.dockerignore keeps node_modules/, dist/, .git/, .github/, .claude/,
+# agents/, and .env files out of the build context.)
 COPY . .
-# Build the TypeScript project
-RUN npm run build
+
+RUN npm run build -w @ibm/ibmi-mcp-server
+
+# ---- Production dependencies only ----
+# Separate stage so the runtime image carries only what the server needs
+# to execute — no TypeScript, no test frameworks, no CLI workspace deps.
+FROM base AS prod-deps
+WORKDIR /app
+ENV NODE_ENV=production
+
+COPY package.json package-lock.json ./
+COPY packages/server/package.json ./packages/server/
+COPY packages/cli/package.json ./packages/cli/
+
+# --workspace=@ibm/ibmi-mcp-server + --include-workspace-root installs
+# exactly the production deps the server needs plus anything hoisted to
+# the root. The CLI workspace's deps are skipped.
+RUN npm ci --omit=dev \
+      --workspace=@ibm/ibmi-mcp-server \
+      --include-workspace-root
 
 # ---- Runner ----
-# Final stage with all dependencies and built code
 FROM base AS runner
-WORKDIR /usr/src/app
-# Copy ALL node_modules from the 'builder' stage (includes dev dependencies)
-COPY --from=builder /usr/src/app/node_modules ./node_modules
-# Copy built application from the 'builder' stage
-COPY --from=builder /usr/src/app/dist ./dist
-# Copy package.json (needed for potential runtime info, like version)
-COPY package.json .
-
-# Create a non-root user and switch to it
-RUN groupadd -r appgroup && useradd -r -g appgroup appuser
-
-# Change ownership of app directory to appuser and create npm cache directory
-RUN chown -R appuser:appgroup /usr/src/app && \
-    mkdir -p /home/appuser/.npm && \
-    chown -R appuser:appgroup /home/appuser/.npm
+WORKDIR /app
+
+# node_modules carries a symlink `@ibm/ibmi-mcp-server -> ../packages/server`.
+# Copying node_modules from prod-deps preserves the symlink; populating
+# packages/server/ from the builder makes the symlink resolve to the
+# actual built dist output.
+COPY --from=prod-deps /app/node_modules ./node_modules
+COPY --from=builder /app/package.json ./package.json
+COPY --from=builder /app/packages/server/package.json ./packages/server/package.json
+COPY --from=builder /app/packages/server/dist ./packages/server/dist
+
+# Non-root user + npm cache dir
+RUN groupadd -r appgroup \
+    && useradd -r -g appgroup appuser \
+    && chown -R appuser:appgroup /app \
+    && mkdir -p /home/appuser/.npm \
+    && chown -R appuser:appgroup /home/appuser/.npm
 
 USER appuser
 
-# Expose port if the application runs a server (adjust if needed)
 ENV MCP_TRANSPORT_TYPE=http
 EXPOSE 3010
 
-# Command to run the application
-# This will execute the binary defined in package.json
-CMD ["npx", "ibmi-mcp-server"]
+# Run node directly on the built entry rather than via `npx` — avoids
+# any bin-resolution surprises and gives a cleaner PID 1.
+CMD ["node", "packages/server/dist/index.js"]