[EPIC][BUILD]: Frontend package management with npm

[crivetimihai]

📦 Epic: Frontend Package Management with npm

Goal

Adopt npm for managing frontend vendor dependencies (HTMX, Alpine.js, Chart.js, CodeMirror, etc.) to replace the current curl-based download-cdn-assets.sh script. This provides reproducible builds, lockfile integrity, vulnerability scanning, and a standard developer workflow.

Why Now?

The current air-gapped deployment workflow has several pain points:

1. Manual Version Management: Versions hardcoded in scripts/download-cdn-assets.sh (HTMX 1.9.10, Alpine 3.14.1, etc.)
2. No Lockfile: No package-lock.json means no integrity verification of downloaded assets
3. No Standard Workflow: Developers must run curl script manually or rely on CDN during development
4. Duplicate Version Tracking: Versions in shell script must match CDN URLs in Jinja templates
5. Limited Vulnerability Scanning: Retire.js configured but npm audit provides broader coverage
6. Container Build Complexity: Containerfile.lite uses curl instead of standard npm ci

Current Architecture

scripts/download-cdn-assets.sh
    ├── curl → Tailwind CDN
    ├── curl → unpkg (HTMX)
    ├── curl → cdnjs (CodeMirror, Font Awesome)
    └── curl → jsdelivr (Alpine.js, Chart.js)
    
    ↓ Downloads to
    
mcpgateway/static/vendor/
    ├── tailwindcss/
    ├── htmx/
    ├── codemirror/
    ├── alpinejs/
    ├── chartjs/
    └── fontawesome/

templates/admin.html
    └── {% if ui_airgapped %}
            <script src="/static/vendor/...">
        {% else %}
            <script src="https://cdn...">
        {% endif %}

Proposed Architecture

package.json
    ├── htmx.org: "1.9.10"
    ├── alpinejs: "3.14.1"
    ├── chart.js: "4.4.1"
    ├── codemirror: "5.65.18"
    ├── marked: "..."
    ├── dompurify: "..."
    └── @fortawesome/fontawesome-free: "6.4.0"

package-lock.json (integrity hashes)

npm ci / npm install
    ↓
    
node_modules/
    ↓
    
scripts/copy-vendor-assets.js
    ↓ Copies to
    
mcpgateway/static/vendor/ (same structure)

---

📖 User Stories

US-1: Developer - Standard npm Workflow for Frontend Dependencies

As a developer
I want to run npm install to get all frontend vendor dependencies
So that I have a standard, reproducible workflow for local development

Acceptance Criteria:

Scenario: Fresh clone and setup
  Given a developer clones the repository
  When they run "npm install"
  Then all vendor dependencies should be installed to node_modules/
  And no manual curl commands should be needed

Scenario: Copy vendor assets to static directory
  Given npm install has completed
  When the developer runs "make vendor"
  Then vendor files should be copied to mcpgateway/static/vendor/
  And the UI should load correctly with local assets

Scenario: One-command setup
  Given a developer runs "make install-dev"
  Then npm install should run automatically
  And vendor assets should be copied automatically

Technical Requirements:

• package.json declares all vendor dependencies with pinned versions
• package-lock.json committed with integrity hashes
• npm ci used in CI/container builds for reproducibility

US-2: Developer - Single Source of Truth for Versions

As a developer
I want vendor library versions defined in one place (package.json)
So that I don't have to update versions in multiple files

Acceptance Criteria:

Scenario: Version defined once
  Given all vendor libraries are in package.json
  When I need to check a library version
  Then I only need to look in package.json
  And download-cdn-assets.sh is deprecated

Scenario: Update a library version
  Given I want to update HTMX to a new version
  When I run "npm update htmx.org"
  And then run "make vendor"
  Then the new version should be copied to static/vendor/
  And no other files need manual updates

Technical Requirements:

• All vendor versions in package.json
• CDN URLs in templates removed or auto-generated from package versions
• download-cdn-assets.sh deprecated

US-3: Security Engineer - Vulnerability Scanning for Frontend Deps

As a security engineer
I want automated vulnerability scanning for frontend dependencies
So that I'm alerted to known CVEs in vendor libraries

Acceptance Criteria:

Scenario: CI runs npm audit
  Given the CI pipeline runs
  When the audit step executes
  Then "npm audit" should check for vulnerabilities
  And high/critical vulnerabilities should fail the build

Scenario: Local audit check
  Given a developer runs "make audit-js"
  Then npm audit should run
  And vulnerability report should be displayed

Technical Requirements:

• npm audit runs in CI pipeline
• CI fails on high/critical vulnerabilities
• make audit-js target runs npm audit
• Retire.js continues as additional scanner

US-4: DevOps Engineer - Reproducible Container Builds

As a DevOps engineer
I want container builds to use npm ci for vendor dependencies
So that builds are reproducible and use lockfile integrity

Acceptance Criteria:

Scenario: Container build uses npm ci
  Given Containerfile.lite is updated
  When the container builds
  Then "npm ci" should install exact versions from lockfile
  And no network calls to CDN should occur after npm ci
  And vendor files match local development

Scenario: Reproducible builds
  Given the same commit hash
  When two containers are built separately
  Then vendor files should be byte-for-byte identical

Technical Requirements:

• Containerfile.lite uses npm ci instead of curl script
• Build uses exact versions from lockfile
• Same vendor files in container and local dev

US-5: Developer - Easy Dependency Updates

As a developer
I want to update frontend dependencies using standard npm commands
So that I can easily upgrade libraries and test changes

Acceptance Criteria:

Scenario: Check for outdated packages
  When I run "npm outdated"
  Then I should see a list of packages with available updates

Scenario: Update a specific package
  Given chart.js has a new version available
  When I run "npm update chart.js"
  And run "make vendor"
  Then the new version should be available in static/vendor/

Technical Requirements:

• npm update workflow documented
• Changelog reviewed before major updates
• Playwright tests run after updates to catch regressions

---

🏗 Architecture

flowchart TD
    A[package.json] --> B[npm ci]
    B --> C[node_modules/]
    C --> D[copy-vendor-assets.js]
    D --> E[mcpgateway/static/vendor/]
    E --> F[admin.html templates]
    
    subgraph "CI Pipeline"
        G[npm ci] --> H[npm audit]
        H --> I[copy-vendor-assets.js]
        I --> J[Container image]
    end

Loading

---

📋 Implementation Tasks

Phase 1: Package Configuration

• Add vendor dependencies to package.json
  • htmx.org@1.9.10
  • alpinejs@3.14.1
  • chart.js@4.4.1
  • codemirror@5.65.18
  • marked@latest
  • dompurify@latest
  • @fortawesome/fontawesome-free@6.4.0
• Generate package-lock.json with npm install
• Commit lockfile to repository

Phase 2: Copy Script

• Create scripts/copy-vendor-assets.js
  • Copy from node_modules/ to mcpgateway/static/vendor/
  • Maintain existing directory structure
  • Handle Font Awesome webfonts and CSS path fix
  • Log copied files for verification
• Add make vendor target: npm ci && node scripts/copy-vendor-assets.js

Phase 3: Build Integration

• Update Makefile:
  • make install-dev includes npm ci and vendor copy
  • make vendor copies vendor assets
  • make audit-js runs npm audit
• Update Containerfile.lite:
  • Install Node.js in builder stage
  • Run npm ci instead of curl script
  • Run copy script
  • Remove download-cdn-assets.sh invocation

Phase 4: CI Integration

• Add npm ci to CI workflow
• Add npm audit step
• Cache node_modules/ for faster builds
• Verify vendor assets match expected checksums

Phase 5: Cleanup & Documentation

• Deprecate scripts/download-cdn-assets.sh
• Update docs/docs/development/building.md
• Update docs/docs/manage/ui-customization.md
• Update developer onboarding checklist
• Document upgrade workflow

---

⚙️ Configuration

package.json (new dependencies section)

{
  "name": "mcp-context-forge",
  "private": true,
  "dependencies": {
    "htmx.org": "1.9.10",
    "alpinejs": "3.14.1",
    "chart.js": "4.4.1",
    "codemirror": "5.65.18",
    "marked": "^12.0.0",
    "dompurify": "^3.0.0",
    "@fortawesome/fontawesome-free": "6.4.0"
  },
  "scripts": {
    "vendor": "node scripts/copy-vendor-assets.js",
    "audit": "npm audit"
  }
}

scripts/copy-vendor-assets.js (example)

const fs = require('fs');
const path = require('path');

const VENDOR_DIR = path.join(__dirname, '../mcpgateway/static/vendor');

const copies = [
  { src: 'node_modules/htmx.org/dist/htmx.min.js', dest: 'htmx/htmx.min.js' },
  { src: 'node_modules/alpinejs/dist/cdn.min.js', dest: 'alpinejs/alpine.min.js' },
  { src: 'node_modules/chart.js/dist/chart.umd.min.js', dest: 'chartjs/chart.umd.min.js' },
  // ... etc
];

copies.forEach(({ src, dest }) => {
  const destPath = path.join(VENDOR_DIR, dest);
  fs.mkdirSync(path.dirname(destPath), { recursive: true });
  fs.copyFileSync(src, destPath);
  console.log(`Copied: ${dest}`);
});

---

✅ Success Criteria

• npm install installs all vendor dependencies
• package-lock.json committed with integrity hashes
• make vendor copies assets to correct locations
• Admin UI loads correctly with npm-managed assets
• Container builds use npm ci (no curl to CDN)
• npm audit runs in CI and fails on high/critical CVEs
• download-cdn-assets.sh is deprecated
• Developer documentation updated

---

🏁 Definition of Done

• package.json with all vendor dependencies created
• package-lock.json generated and committed
• scripts/copy-vendor-assets.js implemented
• Makefile targets (vendor, audit-js) added
• Containerfile.lite updated to use npm ci
• CI workflow includes npm ci and audit
• Documentation updated
• download-cdn-assets.sh marked as deprecated
• All Playwright tests pass with npm-managed assets
• Code passes make verify
• PR reviewed and approved

---

🔗 Related Issues

• Related to frontend testing ([EPIC][TESTING]: Frontend testing and code quality #2270)
• Air-gapped deployment documentation