Mcaster1StackSmith
DevSecOps container and infrastructure management platform. Docker, Podman, and Kubernetes in one pane. Built on the Celenite Stack — a compiled C++ daemon with PHP web admin, REST API, and Qt6 desktop. Single binary. Sub-100 MB container. No SaaS lock-in.
What It Replaces
One platform that consolidates the tooling teams currently glue together.
| Capability | StackSmith | Docker Desktop | Portainer | Rancher |
|---|---|---|---|---|
| Container management (Docker + Podman) | Yes | Yes | Yes | Yes |
| Kubernetes multi-cluster | Yes (9-tab dashboard) | Single cluster | Yes | Yes |
| Encrypted credential vault | AES-256-GCM | No | Limited | External |
| Multi-registry (ECR/ACR/Harbor/Quay/GHCR/DockerHub) | Yes | DockerHub focus | Yes | Yes |
| Alert rules + SMS/email | Built-in | No | No | Webhooks only |
| SOC2-ready audit trail | HMAC-chained | No | Basic | Basic |
| nginx + KVM management | Integrated | No | No | No |
| Container size | < 100 MB | ~500 MB | ~150 MB | > 500 MB |
| Licensing | Self-host, no SaaS | Paid for > 250 emp | CE / BE tiers | Open / SUSE |
Architecture — The Celenite Stack
A compiled C++ daemon owns HTTP/TLS termination, threading, and business logic. PHP renders the admin. Qt6 desktop talks the same REST API.
Capabilities
Everything the platform team needs, on one daemon.
Container Lifecycle
Full Docker + Podman management: list, start, stop, restart, remove, logs, inspect, stats. Image browser with tags, sizes, and history. Volume and network management included.
Kubernetes Multi-Cluster
9-tab dashboard: Overview, Nodes, Workloads, Services, Storage, Config, Helm, Events, Networking. Live API with 30s auto-refresh, plus scale, restart, cordon, drain, and pod-delete actions.
Encrypted Credential Vault
AES-256-GCM-encrypted storage for registry credentials, SSH keys, cloud API tokens, kubeconfig files, and TLS material. Argon2id-hashed user passwords. Vault unlock is workflow-gated.
Registry Hub
One pane for AWS ECR, Azure ACR, DockerHub, Harbor, GitHub Container Registry, GitLab Container Registry, and Quay. Browse repositories, pull tags, push images.
Alerting
Rule engine on container, pod, and node state. Email + SMS via the Mcaster1MailCaster integration. Webhook hooks for Slack, PagerDuty, or Mcaster1Chatter.
Helm Chart Repository
MinIO-backed chart repo with push/pull, version history, one-click cluster install, and YAML values editor. Rollback and upgrade flows handled inline.
Web SSH
Browser xterm.js SSH with AD/LDAP, PAM, or internal-auth. Multi-tab sessions. Per-cluster kubectl shells with namespace context preserved across reconnects.
SOC2-Ready Audit
Every privileged action logged with HMAC-chained integrity. Admin / Operator / Viewer RBAC. Per-user activity exports for compliance review.
nginx & KVM
Template-based nginx vhost generation with dry-run validation. KVM VM lifecycle (planned): template provisioning, noVNC console, snapshot/clone/resize, golden-image library.
Agent Fleet
Public-cloud and in-cluster agents heartbeat back to StackSmith every 60s with host stats, container state, and Kubernetes cluster telemetry. Already running on 5 production OVH hosts.
Multi-Auth
Active Directory / LDAP, local PAM, or StackSmith-internal users, toggleable in stacksmith.yaml. SSO-ready via Keycloak federation.
Package Manager Hooks
Homebrew, Chocolatey, and apt integration for host-level tooling installs from the same interface that manages your containers.
Technical Specifications
Engineering details for evaluators.
| Specification | Detail |
|---|---|
| Architecture | Celenite Stack: C++17 daemon + PHP 8.4 FPM + Qt6 desktop |
| Daemon Language | C++17 with hardware-aware thread pool, lock-free queues |
| Web Admin | PHP 8.4, FastCGI over Unix domain socket |
| Desktop Client | Qt6 (macOS, Windows, Linux) consuming REST API |
| Base OS (container) | Debian Trixie, multi-stage Docker build |
| Container Footprint | < 100 MB image, ~150 MB resident |
| Database | MariaDB 11, 19+ tables |
| Vault Cipher | AES-256-GCM with Argon2id-derived key |
| TLS | TLS 1.3 (self-signed for dev, Let's Encrypt or commercial for prod) |
| Ports | 9580 (web + API), 9581 (API-only), 13307 (MariaDB, debug) |
| Authentication | Internal (bcrypt), AD/LDAP (SSSD), local PAM; toggleable |
| Audit Log | HMAC-chained, append-only, per-record signatures |
| Repository | github.com/davestj/Mcaster1StackSmith |
Who It's For
Three target users we built StackSmith for.
Solo Operators & Small Teams
You can't afford Docker Desktop's per-seat license. Portainer is fine until you need multi-cluster K8s or a credential vault. StackSmith is one binary that does the whole job, self-hosted.
Mid-Market DevSecOps Teams
You need SOC2-grade audit and RBAC, but Rancher is overkill and locks you into SUSE. StackSmith ships compliance features as defaults, runs on any host, and never phones home.
Air-Gapped & Regulated
No SaaS dependency. Single binary. Multi-stage Docker build < 100 MB. Runs in disconnected environments, on-prem, or on isolated K8s clusters where cloud-native UI gateways aren't an option.
Part of the Mcaster1 Ecosystem
StackSmith is the platform companion to the broadcast suite. The C++ Celenite Stack core is shared with Mcaster1DSPEncoder, Mcaster1DNAS, and Mcaster1Webmail. The web admin pattern is shared across all server-side Mcaster1 products. Same compile flags, same audit-log format, same vault primitive.