feat: add node-runner base image for npm-based MCP servers

STDIO servers with packageName (e.g. @leval/mcp-grafana) need a Node.js container that runs `npx -y <package>`. Previously, packageName was used as a Docker image reference causing "invalid reference format" errors. - Add Dockerfile.node-runner: minimal node:20-alpine with npx entrypoint - Update instance.service.ts: detect npm-based servers and use node-runner image with npx command instead of treating packageName as image name - Fix NanoCPUs: only set when explicitly provided (kernel CFS not available on all hosts) - Add mcp-servers network with explicit name for container isolation - Configure MCPD_NODE_RUNNER_IMAGE and MCPD_MCP_NETWORK env vars Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Merge pull request 'fix: error handling and --force flag for create commands' (#10 ) from fix/create-error-handling into main
2026-02-22 23:41:16 +00:00 · 2026-02-22 23:06:52 +00:00 · 2026-02-22 23:06:33 +00:00 · 2026-02-22 22:50:10 +00:00
7 changed files with 216 additions and 27 deletions
--- a/deploy/Dockerfile.node-runner
+++ b/deploy/Dockerfile.node-runner
@@ -0,0 +1,12 @@
 # Base container for npm-based MCP servers (STDIO transport).
 # mcpd uses this image to run `npx -y <packageName>` when a server
 # has packageName but no dockerImage.
 FROM node:20-alpine
 WORKDIR /mcp
 # Pre-warm npx cache directory
 RUN mkdir -p /root/.npm
 # Default entrypoint — overridden by mcpd via container command
 ENTRYPOINT ["npx", "-y"]
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@@ -30,6 +30,8 @@ services:
      MCPD_PORT: "3100"
      MCPD_HOST: "0.0.0.0"
      MCPD_LOG_LEVEL: info
      MCPD_NODE_RUNNER_IMAGE: mcpctl-node-runner:latest
      MCPD_MCP_NETWORK: mcp-servers
    depends_on:
      postgres:
        condition: service_healthy
@@ -48,6 +50,16 @@ services:
      retries: 3
      start_period: 10s
  # Base image for npm-based MCP servers (built once, used by mcpd)
  node-runner:
    build:
      context: ..
      dockerfile: deploy/Dockerfile.node-runner
    image: mcpctl-node-runner:latest
    profiles:
      - build
    entrypoint: ["echo", "Image built successfully"]
  postgres-test:
    image: postgres:16-alpine
    container_name: mcpctl-postgres-test
@@ -71,8 +83,11 @@ networks:
  mcpctl:
    driver: bridge
  mcp-servers:
    name: mcp-servers
    driver: bridge
-    internal: true
+    # Not internal — MCP servers need outbound access to reach external APIs
    # (e.g., Grafana, Home Assistant). Isolation is enforced by not binding
    # host ports on MCP server containers; only mcpd can reach them.
 volumes:
  mcpctl-pgdata:
--- a/src/cli/src/commands/create.ts
+++ b/src/cli/src/commands/create.ts
@@ -1,5 +1,5 @@
 import { Command } from 'commander';
-import type { ApiClient } from '../api-client.js';
+import { type ApiClient, ApiError } from '../api-client.js';
 export interface CreateCommandDeps {
  client: ApiClient;
  log: (...args: unknown[]) => void;
@@ -72,6 +72,7 @@ export function createCreateCommand(deps: CreateCommandDeps): Command {
    .option('--replicas <count>', 'Number of replicas')
    .option('--env <entry>', 'Env var: KEY=value (inline) or KEY=secretRef:SECRET:KEY (secret ref, repeat for multiple)', collect, [])
    .option('--from-template <name>', 'Create from template (name or name:version)')
    .option('--force', 'Update if already exists')
    .action(async (name: string, opts) => {
      let base: Record<string, unknown> = {};
@@ -92,9 +93,12 @@ export function createCreateCommand(deps: CreateCommandDeps): Command {
          if (!template) throw new Error(`Template '${tplName}' not found`);
        }
-        // Copy template fields as base (strip template-only fields)
+        // Copy template fields as base (strip template-only, internal, and null fields)
-        const { id: _id, createdAt: _c, updatedAt: _u, ...tplFields } = template;
+        const { id: _id, createdAt: _c, updatedAt: _u, version: _v, name: _n, ...tplFields } = template;
-        base = { ...tplFields };
+        base = {};
        for (const [k, v] of Object.entries(tplFields)) {
          if (v !== null && v !== undefined) base[k] = v;
        }
        // Convert template env (description/required) to server env (name/value/valueFrom)
        const tplEnv = template.env as Array<{ name: string; description?: string; required?: boolean; defaultValue?: string }> | undefined;
@@ -144,8 +148,20 @@ export function createCreateCommand(deps: CreateCommandDeps): Command {
        if (!body.replicas) body.replicas = 1;
      }
-      const server = await client.post<{ id: string; name: string }>('/api/v1/servers', body);
+      try {
-      log(`server '${server.name}' created (id: ${server.id})`);
+        const server = await client.post<{ id: string; name: string }>('/api/v1/servers', body);
        log(`server '${server.name}' created (id: ${server.id})`);
      } catch (err) {
        if (err instanceof ApiError && err.status === 409 && opts.force) {
          const existing = (await client.get<Array<{ id: string; name: string }>>('/api/v1/servers')).find((s) => s.name === name);
          if (!existing) throw err;
          const { name: _n, ...updateBody } = body;
          await client.put(`/api/v1/servers/${existing.id}`, updateBody);
          log(`server '${name}' updated (id: ${existing.id})`);
        } else {
          throw err;
        }
      }
    });
  // --- create secret ---
@@ -153,13 +169,25 @@ export function createCreateCommand(deps: CreateCommandDeps): Command {
    .description('Create a secret')
    .argument('<name>', 'Secret name (lowercase, hyphens allowed)')
    .option('--data <entry>', 'Secret data KEY=value (repeat for multiple)', collect, [])
    .option('--force', 'Update if already exists')
    .action(async (name: string, opts) => {
      const data = parseEnvEntries(opts.data);
-      const secret = await client.post<{ id: string; name: string }>('/api/v1/secrets', {
+      try {
-        name,
+        const secret = await client.post<{ id: string; name: string }>('/api/v1/secrets', {
-        data,
+          name,
-      });
+          data,
-      log(`secret '${secret.name}' created (id: ${secret.id})`);
+        });
        log(`secret '${secret.name}' created (id: ${secret.id})`);
      } catch (err) {
        if (err instanceof ApiError && err.status === 409 && opts.force) {
          const existing = (await client.get<Array<{ id: string; name: string }>>('/api/v1/secrets')).find((s) => s.name === name);
          if (!existing) throw err;
          await client.put(`/api/v1/secrets/${existing.id}`, { data });
          log(`secret '${name}' updated (id: ${existing.id})`);
        } else {
          throw err;
        }
      }
    });
  // --- create project ---
@@ -167,12 +195,24 @@ export function createCreateCommand(deps: CreateCommandDeps): Command {
    .description('Create a project')
    .argument('<name>', 'Project name')
    .option('-d, --description <text>', 'Project description', '')
    .option('--force', 'Update if already exists')
    .action(async (name: string, opts) => {
-      const project = await client.post<{ id: string; name: string }>('/api/v1/projects', {
+      try {
-        name,
+        const project = await client.post<{ id: string; name: string }>('/api/v1/projects', {
-        description: opts.description,
+          name,
-      });
+          description: opts.description,
-      log(`project '${project.name}' created (id: ${project.id})`);
+        });
        log(`project '${project.name}' created (id: ${project.id})`);
      } catch (err) {
        if (err instanceof ApiError && err.status === 409 && opts.force) {
          const existing = (await client.get<Array<{ id: string; name: string }>>('/api/v1/projects')).find((p) => p.name === name);
          if (!existing) throw err;
          await client.put(`/api/v1/projects/${existing.id}`, { description: opts.description });
          log(`project '${name}' updated (id: ${existing.id})`);
        } else {
          throw err;
        }
      }
    });
  return cmd;
--- a/src/cli/src/index.ts
+++ b/src/cli/src/index.ts
@@ -14,7 +14,7 @@ import { createClaudeCommand } from './commands/claude.js';
 import { createProjectCommand } from './commands/project.js';
 import { createBackupCommand, createRestoreCommand } from './commands/backup.js';
 import { createLoginCommand, createLogoutCommand } from './commands/auth.js';
-import { ApiClient } from './api-client.js';
+import { ApiClient, ApiError } from './api-client.js';
 import { loadConfig } from './config/index.js';
 import { loadCredentials } from './auth/index.js';
 import { resolveNameOrId } from './commands/shared.js';
@@ -143,5 +143,21 @@ const isDirectRun =
  import.meta.url === `file://${process.argv[1]}`;
 if (isDirectRun) {
-  createProgram().parseAsync(process.argv);
+  createProgram().parseAsync(process.argv).catch((err: unknown) => {
    if (err instanceof ApiError) {
      let msg: string;
      try {
        const parsed = JSON.parse(err.body) as { error?: string; message?: string };
        msg = parsed.error ?? parsed.message ?? err.body;
      } catch {
        msg = err.body;
      }
      console.error(`Error: ${msg}`);
    } else if (err instanceof Error) {
      console.error(`Error: ${err.message}`);
    } else {
      console.error(`Error: ${String(err)}`);
    }
    process.exit(1);
  });
 }
--- a/src/cli/tests/commands/create.test.ts
+++ b/src/cli/tests/commands/create.test.ts
@@ -1,6 +1,6 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest';
 import { createCreateCommand } from '../../src/commands/create.js';
-import type { ApiClient } from '../../src/api-client.js';
+import { type ApiClient, ApiError } from '../../src/api-client.js';
 function mockClient(): ApiClient {
  return {
@@ -73,6 +73,59 @@ describe('create command', () => {
        transport: 'STDIO',
      }));
    });
    it('strips null values from template when using --from-template', async () => {
      vi.mocked(client.get).mockResolvedValueOnce([{
        id: 'tpl-1',
        name: 'grafana',
        version: '1.0.0',
        description: 'Grafana MCP',
        packageName: '@leval/mcp-grafana',
        dockerImage: null,
        transport: 'STDIO',
        repositoryUrl: 'https://github.com/test',
        externalUrl: null,
        command: null,
        containerPort: null,
        replicas: 1,
        env: [{ name: 'TOKEN', required: true, description: 'A token' }],
        healthCheck: { tool: 'test', arguments: {} },
        createdAt: '2025-01-01',
        updatedAt: '2025-01-01',
      }] as never);
      const cmd = createCreateCommand({ client, log });
      await cmd.parseAsync([
        'server', 'my-grafana', '--from-template=grafana',
        '--env', 'TOKEN=secretRef:creds:TOKEN',
      ], { from: 'user' });
      const call = vi.mocked(client.post).mock.calls[0]![1] as Record<string, unknown>;
      // null fields from template should NOT be in the body
      expect(call).not.toHaveProperty('dockerImage');
      expect(call).not.toHaveProperty('externalUrl');
      expect(call).not.toHaveProperty('command');
      expect(call).not.toHaveProperty('containerPort');
      // non-null fields should be present
      expect(call.packageName).toBe('@leval/mcp-grafana');
      expect(call.healthCheck).toEqual({ tool: 'test', arguments: {} });
      expect(call.templateName).toBe('grafana');
    });
    it('throws on 409 without --force', async () => {
      vi.mocked(client.post).mockRejectedValueOnce(new ApiError(409, '{"error":"Server already exists: my-server"}'));
      const cmd = createCreateCommand({ client, log });
      await expect(cmd.parseAsync(['server', 'my-server'], { from: 'user' })).rejects.toThrow('API error 409');
    });
    it('updates existing server on 409 with --force', async () => {
      vi.mocked(client.post).mockRejectedValueOnce(new ApiError(409, '{"error":"Server already exists"}'));
      vi.mocked(client.get).mockResolvedValueOnce([{ id: 'srv-1', name: 'my-server' }] as never);
      const cmd = createCreateCommand({ client, log });
      await cmd.parseAsync(['server', 'my-server', '--force'], { from: 'user' });
      expect(client.put).toHaveBeenCalledWith('/api/v1/servers/srv-1', expect.objectContaining({
        transport: 'STDIO',
      }));
      expect(output.join('\n')).toContain("server 'my-server' updated");
    });
  });
  describe('create secret', () => {
@@ -98,6 +151,21 @@ describe('create command', () => {
        data: {},
      });
    });
    it('throws on 409 without --force', async () => {
      vi.mocked(client.post).mockRejectedValueOnce(new ApiError(409, '{"error":"Secret already exists: my-creds"}'));
      const cmd = createCreateCommand({ client, log });
      await expect(cmd.parseAsync(['secret', 'my-creds', '--data', 'KEY=val'], { from: 'user' })).rejects.toThrow('API error 409');
    });
    it('updates existing secret on 409 with --force', async () => {
      vi.mocked(client.post).mockRejectedValueOnce(new ApiError(409, '{"error":"Secret already exists"}'));
      vi.mocked(client.get).mockResolvedValueOnce([{ id: 'sec-1', name: 'my-creds' }] as never);
      const cmd = createCreateCommand({ client, log });
      await cmd.parseAsync(['secret', 'my-creds', '--data', 'KEY=val', '--force'], { from: 'user' });
      expect(client.put).toHaveBeenCalledWith('/api/v1/secrets/sec-1', { data: { KEY: 'val' } });
      expect(output.join('\n')).toContain("secret 'my-creds' updated");
    });
  });
  describe('create project', () => {
@@ -119,5 +187,14 @@ describe('create command', () => {
        description: '',
      });
    });
    it('updates existing project on 409 with --force', async () => {
      vi.mocked(client.post).mockRejectedValueOnce(new ApiError(409, '{"error":"Project already exists"}'));
      vi.mocked(client.get).mockResolvedValueOnce([{ id: 'proj-1', name: 'my-proj' }] as never);
      const cmd = createCreateCommand({ client, log });
      await cmd.parseAsync(['project', 'my-proj', '-d', 'updated', '--force'], { from: 'user' });
      expect(client.put).toHaveBeenCalledWith('/api/v1/projects/proj-1', { description: 'updated' });
      expect(output.join('\n')).toContain("project 'my-proj' updated");
    });
  });
 });
--- a/src/mcpd/src/services/docker/container-manager.ts
+++ b/src/mcpd/src/services/docker/container-manager.ts
@@ -5,7 +5,7 @@ import type {
  ContainerInfo,
  ContainerLogs,
 } from '../orchestrator.js';
-import { DEFAULT_MEMORY_LIMIT, DEFAULT_NANO_CPUS } from '../orchestrator.js';
+import { DEFAULT_MEMORY_LIMIT } from '../orchestrator.js';
 const MCPCTL_LABEL = 'mcpctl.managed';
@@ -54,7 +54,7 @@ export class DockerContainerManager implements McpOrchestrator {
  async createContainer(spec: ContainerSpec): Promise<ContainerInfo> {
    const memoryLimit = spec.memoryLimit ?? DEFAULT_MEMORY_LIMIT;
-    const nanoCpus = spec.nanoCpus ?? DEFAULT_NANO_CPUS;
+    const nanoCpus = spec.nanoCpus;
    const portBindings: Record<string, Array<{ HostPort: string }>> = {};
    const exposedPorts: Record<string, Record<string, never>> = {};
@@ -83,7 +83,7 @@ export class DockerContainerManager implements McpOrchestrator {
      HostConfig: {
        PortBindings: portBindings,
        Memory: memoryLimit,
-        NanoCpus: nanoCpus,
+        ...(nanoCpus ? { NanoCpus: nanoCpus } : {}),
        NetworkMode: spec.network ?? 'bridge',
      },
    };
--- a/src/mcpd/src/services/instance.service.ts
+++ b/src/mcpd/src/services/instance.service.ts
@@ -4,6 +4,12 @@ import type { McpOrchestrator, ContainerSpec, ContainerInfo } from './orchestrat
 import { NotFoundError } from './mcp-server.service.js';
 import { resolveServerEnv } from './env-resolver.js';
 /** Default image for npm-based MCP servers (STDIO with packageName, no dockerImage). */
 const DEFAULT_NODE_RUNNER_IMAGE = process.env['MCPD_NODE_RUNNER_IMAGE'] ?? 'mcpctl-node-runner:latest';
 /** Network for MCP server containers (matches docker-compose mcp-servers network). */
 const MCP_SERVERS_NETWORK = process.env['MCPD_MCP_NETWORK'] ?? 'mcp-servers';
 export class InvalidStateError extends Error {
  readonly statusCode = 409;
  constructor(message: string) {
@@ -139,7 +145,23 @@ export class InstanceService {
      });
    }
-    const image = server.dockerImage ?? server.packageName ?? server.name;
+    // Determine image + command based on server config:
    // 1. Explicit dockerImage → use as-is
    // 2. packageName (npm) → use node-runner image + npx command
    // 3. Fallback → server name (legacy)
    let image: string;
    let npmCommand: string[] | undefined;
    if (server.dockerImage) {
      image = server.dockerImage;
    } else if (server.packageName) {
      image = DEFAULT_NODE_RUNNER_IMAGE;
      // Build npx command: entrypoint is ["npx", "-y"], so CMD = [packageName, ...args]
      const serverCommand = server.command as string[] | null;
      npmCommand = [server.packageName, ...(serverCommand ?? [])];
    } else {
      image = server.name;
    }
    let instance = await this.instanceRepo.create({
      serverId,
@@ -151,6 +173,7 @@ export class InstanceService {
        image,
        name: `mcpctl-${server.name}-${instance.id}`,
        hostPort: null,
        network: MCP_SERVERS_NETWORK,
        labels: {
          'mcpctl.server-id': serverId,
          'mcpctl.instance-id': instance.id,
@@ -159,9 +182,15 @@ export class InstanceService {
      if (server.transport === 'SSE' || server.transport === 'STREAMABLE_HTTP') {
        spec.containerPort = server.containerPort ?? 3000;
      }
-      const command = server.command as string[] | null;
+      // npm-based servers: command = [packageName, ...args] (entrypoint handles npx -y)
-      if (command) {
+      // Docker-image servers: use explicit command if provided
-        spec.command = command;
+      if (npmCommand) {
        spec.command = npmCommand;
      } else {
        const command = server.command as string[] | null;
        if (command) {
          spec.command = command;
        }
      }
      // Resolve env vars from inline values and secret refs
Author	SHA1	Message	Date
Michal	a2cda38850	feat: add node-runner base image for npm-based MCP servers Some checks failed CI / lint (pull_request) Has been cancelled Details CI / typecheck (pull_request) Has been cancelled Details CI / test (pull_request) Has been cancelled Details CI / build (pull_request) Has been cancelled Details CI / package (pull_request) Has been cancelled Details STDIO servers with packageName (e.g. @leval/mcp-grafana) need a Node.js container that runs `npx -y <package>`. Previously, packageName was used as a Docker image reference causing "invalid reference format" errors. - Add Dockerfile.node-runner: minimal node:20-alpine with npx entrypoint - Update instance.service.ts: detect npm-based servers and use node-runner image with npx command instead of treating packageName as image name - Fix NanoCPUs: only set when explicitly provided (kernel CFS not available on all hosts) - Add mcp-servers network with explicit name for container isolation - Configure MCPD_NODE_RUNNER_IMAGE and MCPD_MCP_NETWORK env vars Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-22 23:41:16 +00:00
michal	081e90de0f	Merge pull request 'fix: error handling and --force flag for create commands' (#10 ) from fix/create-error-handling into main Some checks are pending CI / lint (push) Waiting to run Details CI / typecheck (push) Waiting to run Details CI / test (push) Waiting to run Details CI / build (push) Blocked by required conditions Details CI / package (push) Blocked by required conditions Details	2026-02-22 23:06:52 +00:00
Michal	4e3d896ef6	fix: proper error handling and --force flag for create commands Some checks failed CI / lint (pull_request) Has been cancelled Details CI / typecheck (pull_request) Has been cancelled Details CI / test (pull_request) Has been cancelled Details CI / build (pull_request) Has been cancelled Details CI / package (pull_request) Has been cancelled Details - Add global error handler: clean messages instead of stack traces - Add --force flag to create server/secret/project: updates on 409 conflict - Strip null values and template-only fields from --from-template payload - Add tests: 409 handling, --force update, null-stripping from templates Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-22 23:06:33 +00:00
michal	0823e965bf	Merge pull request 'feat: MCP healthcheck probes + new templates' (#9 ) from feat/healthcheck-probes into main Some checks are pending CI / lint (push) Waiting to run Details CI / typecheck (push) Waiting to run Details CI / test (push) Waiting to run Details CI / build (push) Blocked by required conditions Details CI / package (push) Blocked by required conditions Details	2026-02-22 22:50:10 +00:00