787fe1f702
External security audit of KNEL-AIMiddleware before release: - FINAL-REPORT.md: Executive summary, risk assessment, remediation roadmap - 01-dockerfile-security.md: 38/40 containers run as root (HIGH) - 02-shell-script-security.md: 83 missing set -e/u directives (HIGH) - 03-docker-compose-security.md: 3 privileged services documented (MEDIUM) - 04-secrets-audit.md: PASS - no hardcoded secrets found - 05-vulnerability-scan.md: 14+ CVEs, 1 CRITICAL OpenSSL (golang:1.23-alpine) Assessment: CONDITIONAL PASS for release 💘 Generated with Crush Assisted-by: GLM-5 via Crush <crush@charm.land>
KNEL-AIMiddleware
MCP and LSP infrastructure for OpenWebUI and Crush to utilize
Overview
KNEL-AIMiddleware is a comprehensive Docker-based infrastructure for running Model Context Protocol (MCP) servers and Language Server Protocol (LSP) providers. It enables AI assistants like OpenWebUI and Crush to seamlessly integrate with external tools, services, and code intelligence.
Use Cases
- OpenWebUI Integration: Provide MCP servers for enhanced AI context and tooling
- Crush Integration: LSP servers for intelligent code completion and analysis
- Development: Individual server isolation for easy debugging and updates
- Production: Scalable, containerized service deployment
Features
- Modular architecture with each service in its own container
- Docker Compose orchestration and management
- Prebuilt images with minimal dependencies
- Crush-ready LSP server configuration
- Environment variables for secure configuration
- Built-in logging and container health checks
Server Status
For detailed build and configuration status of all MCP/LSP servers, see STATUS.md.
Available Servers
MCP Servers
Design & Engineering (4 servers)
| Service | Container Name | Description |
|---|---|---|
| kicad-mcp | kneldevstack-aimiddleware-kicad-mcp | PCB design automation with 64 tools, JLCPCB integration (host-only) |
| blender-mcp | kneldevstack-aimiddleware-blender-mcp | 3D modeling, materials, scenes, AI 3D model generation |
| freecad-mcp | kneldevstack-aimiddleware-freecad-mcp | CAD modeling, Python execution, parts library |
| gimp-mcp | kneldevstack-aimiddleware-gimp-mcp | Image editing with GIMP 3.0, OCR support |
Hosting & Infrastructure (5 servers)
| Service | Container Name | Description |
|---|---|---|
| kubernetes-mcp | kneldevstack-aimiddleware-kubernetes-mcp | K8s/OpenShift management (native Go implementation) |
| docker-mcp | kneldevstack-aimiddleware-docker-mcp | Container and compose stack management |
| proxmox-mcp | kneldevstack-aimiddleware-proxmox-mcp | Hypervisor VM/container management |
| terraform-mcp | kneldevstack-aimiddleware-terraform-mcp | IaC automation, HCP Terraform, workspace management |
| cloudron-mcp | kneldevstack-aimiddleware-cloudron-mcp | Self-hosted app management |
Development Tools (1 server)
| Service | Container Name | Description |
|---|---|---|
| context7-mcp | kneldevstack-aimiddleware-context7-mcp | MCP server framework and SDK for documentation |
Content Management (4 servers)
| Service | Container Name | Description |
|---|---|---|
| nextcloud-mcp | kneldevstack-aimiddleware-nextcloud-mcp | 90+ tools across 8 apps (Notes, Calendar, Files, Deck, etc.) |
| ghost-mcp | kneldevstack-aimiddleware-ghost-mcp | CMS post, member, newsletter management |
| docspace-mcp | kneldevstack-aimiddleware-docspace-mcp | Room, file, collaboration management |
| wordpress-mcp | kneldevstack-aimiddleware-wordpress-mcp | WordPress integration via Abilities API |
Communication & Collaboration (3 servers)
| Service | Container Name | Description |
|---|---|---|
| discourse-mcp | kneldevstack-aimiddleware-discourse-mcp | Forum search, posts, topics, categories (read/write modes) |
| imap-mcp | kneldevstack-aimiddleware-imap-mcp | Email browsing, composition, Gmail OAuth2 support |
| postizz-mcp | kneldevstack-aimiddleware-postizz-mcp | Social media management platform |
Analytics & Security (2 servers)
| Service | Container Name | Description |
|---|---|---|
| matomo-mcp | kneldevstack-aimiddleware-matomo-mcp | Analytics integration |
| bitwarden-mcp | kneldevstack-aimiddleware-bitwarden-mcp | Official password vault management |
Productivity & Automation (6 servers)
| Service | Container Name | Description |
|---|---|---|
| audiobook-mcp | kneldevstack-aimiddleware-audiobook-mcp | Audiobook management with AI-powered features |
| snipeit-mcp | kneldevstack-aimiddleware-snipeit-mcp | Asset inventory, maintenance tracking |
| mcp-redmine | kneldevstack-aimiddleware-mcp-redmine | Project management, issue tracking, file operations |
| mcp-ansible | kneldevstack-aimiddleware-mcp-ansible | IT automation playbooks |
| elasticsearch-mcp | kneldevstack-aimiddleware-elasticsearch-mcp | Search and index management (Rust) |
| drawio-mcp | kneldevstack-aimiddleware-drawio-mcp | Draw.io diagram management |
Additional Tools (2 servers)
| Service | Container Name | Description |
|---|---|---|
| penpot-mcp | kneldevstack-aimiddleware-penpot-mcp | Design collaboration platform integration |
| webserial-mcp | kneldevstack-aimiddleware-webserial-mcp | ESP32 MicroPython development via WebSerial (requires bridge server) |
Reverse Engineering (2 servers)
| Service | Container Name | Description |
|---|---|---|
| ghidra-mcp | kneldevstack-aimiddleware-ghidra-mcp | Binary analysis and reverse engineering (HTTP REST, not MCP) |
| reverse-engineering-assistant | kneldevstack-aimiddleware-reverse-engineering-assistant | ReVa - AI-assisted reverse engineering via MCP |
LSP Servers (4 servers)
| Service | Container Name | Description |
|---|---|---|
| bash-language-server | kneldevstack-aimiddleware-bash-language-server | LSP for bash (diagnostics, completion, formatting) |
| docker-language-server | kneldevstack-aimiddleware-docker-language-server | LSP for Dockerfiles, Compose files, Bake files |
| marksman | kneldevstack-aimiddleware-marksman | LSP for Markdown (diagnostics, completion, navigation) |
| terraform-ls | kneldevstack-aimiddleware-terraform-ls | LSP for Terraform (diagnostics, completion, navigation) |
Server Technologies by Language
TypeScript/Node.js (13 servers)
Most use npx for installation:
- KiCAD MCP, Bitwarden MCP, Discourse MCP, Ghost MCP, Cloudron MCP
- Kubernetes MCP, Draw.io MCP, Matomo MCP, Postiz MCP, WordPress MCP
- Audiobook MCP, Context7 MCP, Bash Language Server
Python (11 servers)
Most use uvx for installation:
- Blender MCP, FreeCAD MCP, GIMP MCP, Docker MCP, Proxmox MCP
- Snipe-IT MCP, Redmine MCP, IMAP MCP, Ansible MCP
- Nextcloud MCP (hybrid), WebSerial MCP
Go (2 servers)
- Kubernetes MCP (also available via npx), Terraform MCP
Rust (1 server)
- Elasticsearch MCP
Prebuilt Binaries (4 servers)
- bash-language-server (npm prebuilt)
- docker-language-server (Go binary)
- marksman (prebuilt binary)
- terraform-ls (HashiCorp release binary)
Installation
Prerequisites
- Docker 20.10+
- Docker Compose 2.0+
- (Optional) Crush for LSP integration
Quick Start
-
Clone the repository
git clone https://github.com/KNEL/KNEL-AIMiddleware.git cd KNEL-AIMiddleware -
Configure environment variables
cp .env.example .env # Edit .env with your API keys and configurations -
Build and start services
# Start all built services docker compose up -d # Or start specific service docker compose up -d <service-name>
Setup Scripts
The repository includes helpful scripts in the scripts/ directory:
scripts/CloneVendorRepos.sh
Clone all upstream vendor MCP/LSP repositories:
./scripts/CloneVendorRepos.sh
scripts/BuildAll.sh
Build all MCP/LSP services:
./scripts/BuildAll.sh
scripts/CleanVendor.sh
Remove all cloned vendor repositories:
./scripts/CleanVendor.sh
scripts/StatusCheck.sh
Check build status of all services:
./scripts/StatusCheck.sh
Usage
Docker Compose Commands
Build and Start
# Build specific service
docker compose build <service-name>
# Build without cache
docker compose build --no-cache <service-name>
# Start service (detached mode)
docker compose up -d <service-name>
# Start all services
docker compose up -d
View Logs
# Follow logs for service
docker compose logs -f <service-name>
# View last 100 lines
docker compose logs --tail 100 <service-name>
Stop and Clean
# Stop service
docker compose stop <service-name>
# Remove service (also deletes container)
docker compose rm -f <service-name>
# Stop all services
docker compose down
# Remove all volumes
docker compose down -v
Service Profiles
Services are organized into profiles for selective startup:
# Development services (LSP + MCP)
docker compose --profile dev up
# Production services
docker compose --profile prod up
# Design tools (KiCAD, Blender, etc.)
docker compose --profile design up
Environment Variables
Required variables for MCP servers (see .env.example):
| Service | Required Variables |
|---|---|
| bitwarden-mcp | BITWARDEN_CLIENT_ID, BITWARDEN_CLIENT_SECRET, BITWARDEN_PASSWORD, BITWARDEN_SERVER_URL |
| discourse-mcp | DISCOURSE_URL, DISCOURSE_API_KEY, DISCOURSE_API_USERNAME |
| ghost-mcp | GHOST_API_URL, GHOST_ADMIN_API_KEY |
| cloudron-mcp | CLOUDRON_URL, CLOUDRON_TOKEN |
| nextcloud-mcp | NEXTCLOUD_HOST, NEXTCLOUD_USERNAME, NEXTCLOUD_APP_PASSWORD |
| proxmox-mcp | PROXMOX_HOST, PROXMOX_USER, PROXMOX_TOKEN, PROXMOX_NODE |
| snipeit-mcp | SNIPEIT_URL, SNIPEIT_TOKEN |
| redmine-mcp | REDMINE_URL, REDMINE_API_KEY |
| wordpress-mcp | WORDPRESS_URL, WORDPRESS_USERNAME, WORDPRESS_APPLICATION_PASSWORD |
| docspace-mcp | DOCSPACE_HOST, DOCSPACE_TOKEN |
| imap-mcp | IMAP_SERVER, IMAP_PORT, IMAP_USERNAME, IMAP_PASSWORD |
| postizz-mcp | POSTIZ_API_KEY, POSTIZ_URL |
| matomo-mcp | MATOMO_URL, MATOMO_TOKEN |
| elasticsearch-mcp | ELASTICSEARCH_URL, ELASTICSEARCH_USERNAME, ELASTICSEARCH_PASSWORD |
| kicad-mcp | KICAD_HOST (default: host.docker.internal), KICAD_PORT (default: 5555) |
| context7-mcp | UPSTASH_REDIS_REST_URL, UPSTASH_REDIS_REST_TOKEN |
| penpot-mcp | PENPOT_URL (default: https://design.penpot.app), PENPOT_TOKEN |
Security Note: Never commit .env file to version control.
Crush Integration
All LSP and MCP instances must be configured in crush.json for Crush to use them.
crush.json Format
{
"$schema": "https://charm.land/crush.json",
"lsp": {
"bash": {
"command": "docker",
"args": ["run", "-i", "--rm", "kneldevstack-aimiddleware-bash-language-server", "start"]
},
"docker": {
"command": "docker",
"args": ["run", "-i", "--rm", "kneldevstack-aimiddleware-docker-language-server", "start", "--stdio"]
},
"markdown": {
"command": "docker",
"args": ["run", "-i", "--rm", "kneldevstack-aimiddleware-marksman", "server"]
}
}
}
Configuration Priority
Crush looks for configuration files in this order:
.crush.json(project-local)crush.json(project-local)$HOME/.config/crush/crush.json(global)
Docker-based LSP Configuration
For Docker-based LSP instances, use this pattern:
{
"command": "docker",
"args": [
"run",
"-i", // Interactive mode (required for stdio)
"--rm", // Auto-cleanup after use
"kneldevstack-aimiddleware-<service-name>",
"<server-args>" // e.g., "start", "--stdio"
]
}
Project Structure
KNEL-AIMiddleware/
├── docker-compose.yml # Service orchestration
├── .env # Environment variables (not committed)
├── .env.example # Environment template
├── dockerfiles/ # Custom Dockerfiles (tracked in git)
│ ├── bash-language-server/
│ ├── docker-language-server/
│ └── marksman/
├── vendor/ # Cloned repositories (gitignored)
├── docs/ # Documentation
│ └── SDLC.md # Software Development Lifecycle
├── AGENTS.md # AI agent guidelines and rules
├── STATUS.md # Server status and progress tracking
├── JOURNAL.md # Development journal (ADRs, insights)
└── README.md # This file
Dockerfile Management
Custom Dockerfiles are created in dockerfiles/ and referenced in docker-compose.yml:
service-name:
build:
context: ./vendor/service-name
dockerfile: ../../dockerfiles/service-name/Dockerfile
container_name: kneldevstack-aimiddleware-service-name
restart: unless-stopped
This approach:
- Keeps custom Dockerfiles under version control
- Uses vendor repository as build context
- Maintains clean separation of concerns
Troubleshooting
Container Not Starting
# Check container logs
docker compose logs <service-name>
# Inspect container state
docker inspect <container-name>
MCP Server Not Connecting
- Verify service is running:
docker ps - Check logs for errors:
docker compose logs <service> - Verify environment variables in
.env - Test connectivity:
docker compose exec <service> curl localhost:8080
LSP Server Not Responding (Crush)
- Verify Docker image exists:
docker images | grep knel - Test container manually:
echo '{"jsonrpc":"2.0","method":"initialize","params":{}}' | \ docker run -i --rm kneldevstack-aimiddleware-<lsp-name> - Check
crush.jsonconfiguration - Verify container runs with
-iflag for stdio
Port Conflicts
If ports are already in use, modify docker-compose.yml:
ports:
- "8081:8080" # Change host port
Contributing
Contributions are welcome! Please see AGENTS.md for development guidelines and docs/SDLC.md for the development workflow.
References
License
This project is licensed under the MIT License - see LICENSE file for details.
Maintained by: KNEL Development Team