Pete

The Stack


Ithaca, NY

Turned on IPv6 at home. Empire delegates a /56, which is plenty for a slice per VLAN. Easy change on paper.

In practice it surfaced three separate bugs in my UniFi control tooling, each one where the dry_run preview came back green and the live gateway rejected the actual write. Wrong delegation enum value, then a missing WAN binding, then a fresh network that needed the full prefix scaffold the old one only had by accident. Caught all three without ever leaving the firewall half-applied, fixed them properly, shipped three patches that auto-deployed to nix1.

Held the IoT and guest networks on IPv4 on purpose. Their isolation rules only exist for v4, and a camera with a public address and no v6 firewall turns a segmented VLAN into an open one. Dual-stack where it matters, NAT where it belongs.

The reminder I keep relearning: a preview that doesn't model the server's validation is a preview that lies.

github.com/pete-builds/mcp-unifi ↗

Shipped mcp-unifi v0.13.0 and pointed it straight at a real annoyance: a phone in the bedroom clinging to a far access point instead of roaming to the near one.

Five new tools for tuning access point radios: read the radio table, set transmit power, set minimum RSSI, set channel and width, rename the device. All strict read-modify-write against the live radio table, every response shows before and after, and dry_run previews the change before it commits. I started to build a band-steering tool too, then probed the live gateway and found there's no API surface for it on this firmware. Dropped it rather than ship a tool that silently does nothing.

Then I wired a watcher on nix1 that checks every 20 minutes for a client parked on that access point below -75 dBm and pings me on Discord only when it actually happens. The tuning is alert-driven now instead of me guessing. First fix was easy: renamed the bedroom unit, dropped its 5GHz transmit power from auto to medium, verified live.

657 tests, 90% coverage. The auto-deploy pipeline picked it up and rolled it onto nix1 the next morning while I was asleep. That's the whole point of building the pipeline first.
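A sketch of the watcher's detection logic, added here as an illustration and not the code running on nix1: it scans a client table for stations associated to a named access point at or below the RSSI floor, and reports only transitions into and out of that state, so a 20-minute poll does not resend the same notification every pass. The client table, the MACs and the field names (mac, hostname, ap_name, rssi) are constructed for the example and are assumptions, not the UniFi client schema.

```python
"""Edge-triggered "stuck client" check (added example, not mcp-unifi code).
Field names and the sample polls below are constructed assumptions."""

RSSI_FLOOR_DBM = -75


def sticky_clients(clients, ap_name, floor_dbm=RSSI_FLOOR_DBM):
    """MACs associated to `ap_name` whose RSSI is at or below the floor."""
    return {
        c["mac"]
        for c in clients
        if c.get("ap_name") == ap_name
        and c.get("rssi") is not None
        and c["rssi"] <= floor_dbm
    }


class StickyWatcher:
    """Remembers which clients were already stuck at the previous poll."""

    def __init__(self, ap_name, floor_dbm=RSSI_FLOOR_DBM):
        self.ap_name = ap_name
        self.floor_dbm = floor_dbm
        self.active = set()  # MACs currently in the alert state

    def poll(self, clients):
        """One poller pass. Returns the notifications this pass should send;
        an empty list means the state did not change, so send nothing."""
        now = sticky_clients(clients, self.ap_name, self.floor_dbm)
        by_mac = {c["mac"]: c for c in clients}
        msgs = []
        for mac in sorted(now - self.active):  # newly stuck
            c = by_mac[mac]
            msgs.append(f"{c.get('hostname', mac)} stuck on {self.ap_name} at {c['rssi']} dBm")
        for mac in sorted(self.active - now):  # recovered or gone
            c = by_mac.get(mac)
            where = f"now on {c['ap_name']} at {c['rssi']} dBm" if c else "disconnected"
            msgs.append(f"{(c or {}).get('hostname', mac)} recovered, {where}")
        self.active = now
        return msgs


# Constructed sample polls: the phone parks on the far AP, stays there,
# then roams to the near one.
POLLS = [
    [{"mac": "aa:bb:cc:00:00:01", "hostname": "phone", "ap_name": "AP-Far", "rssi": -81},
     {"mac": "aa:bb:cc:00:00:02", "hostname": "laptop", "ap_name": "AP-Far", "rssi": -58}],
    [{"mac": "aa:bb:cc:00:00:01", "hostname": "phone", "ap_name": "AP-Far", "rssi": -79},
     {"mac": "aa:bb:cc:00:00:02", "hostname": "laptop", "ap_name": "AP-Far", "rssi": -60}],
    [{"mac": "aa:bb:cc:00:00:01", "hostname": "phone", "ap_name": "AP-Near", "rssi": -52},
     {"mac": "aa:bb:cc:00:00:02", "hostname": "laptop", "ap_name": "AP-Far", "rssi": -59}],
]


def run_demo(polls=POLLS, ap_name="AP-Far"):
    """Feed each poll to one watcher; returns the per-pass notification lists."""
    watcher = StickyWatcher(ap_name)
    return [watcher.poll(p) for p in polls]


if __name__ == "__main__":
    for i, msgs in enumerate(run_demo(), 1):
        print(f"pass {i}: {msgs or 'nothing to send'}")
```

Only the first and third passes produce a message; the second, where the phone is still parked at a similar RSSI, sends nothing. Keeping the previous set of stuck MACs is what turns a level check into an edge-triggered alert.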

github.com/pete-builds/mcp-unifi ↗

The 2 gig symmetric fiber is live. Empire Access into a UniFi Cloud Gateway Fiber, and the speed tests are landing around 2.1 Gbps down and 1.95 Gbps up with 10 to 15 ms latency and 100% WAN uptime over the last day. Wired the whole house onto it.

Then segmented the network properly. Four VLAN tiers: management, trusted, IoT, and guest, with a 9-rule LAN_IN matrix. The IoT junk can talk out but can't touch any homelab admin surface. Guests are walled off from everything. No more flat network.
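As an added illustration of both this segmentation and the earlier point about holding IoT and guest on IPv4 (this is example code, not the ruleset on the gateway): a first-match LAN_IN policy over the four tiers, evaluated per address family. The prefixes, the rule order and the 2001:db8::/56 slicing are constructed for the example. Tier membership is keyed on prefixes, so rules written against IPv4 prefixes simply never match an IPv6 source, and unmatched traffic falls through to the gateway default.

```python
"""First-match LAN_IN matrix evaluated per address family (added example).
All prefixes, rules and sample flows are constructed assumptions."""
from ipaddress import ip_address, ip_network

# Tier membership as the gateway sees it when isolation rules exist for v4 only.
TIERS_V4_ONLY = {
    "management": ["10.0.10.0/24"],
    "trusted":    ["10.0.20.0/24"],
    "iot":        ["10.0.30.0/24"],
    "guest":      ["10.0.40.0/24"],
}

# Same tiers with a /64 slice of a delegated /56 attached to each segment.
TIERS_DUAL_STACK = {
    "management": ["10.0.10.0/24", "2001:db8:0:10::/64"],
    "trusted":    ["10.0.20.0/24", "2001:db8:0:20::/64"],
    "iot":        ["10.0.30.0/24", "2001:db8:0:30::/64"],
    "guest":      ["10.0.40.0/24", "2001:db8:0:40::/64"],
}

# (source tier, destination scope, action); scope is a tier name, "any",
# "local" (any defined tier) or "wan" (anything outside the defined tiers).
RULES = [
    ("management", "any",   "allow"),
    ("trusted",    "any",   "allow"),
    ("iot",        "wan",   "allow"),   # IoT may talk out...
    ("iot",        "local", "drop"),    # ...but not to any other segment
    ("guest",      "wan",   "allow"),
    ("guest",      "local", "drop"),    # guests see nothing internal
]


def tier_of(addr, tiers):
    """Name of the tier whose prefix contains `addr`, or None if no prefix
    of the same address family matches (IPv6 never matches an IPv4 prefix)."""
    ip = ip_address(addr)
    for name, prefixes in tiers.items():
        if any(ip in ip_network(p) for p in prefixes):
            return name
    return None


def decide(src, dst, tiers, rules=RULES, default="allow"):
    """First matching rule wins; traffic no rule matches gets the default,
    which on a typical LAN_IN chain is allow."""
    s, d = tier_of(src, tiers), tier_of(dst, tiers)
    for rule_src, scope, action in rules:
        if rule_src != s:
            continue
        if (scope == "any" or scope == d
                or (scope == "wan" and d is None)
                or (scope == "local" and d is not None)):
            return action
    return default


# Constructed flows: an IoT camera reaching for a management host over v4 and v6.
CASES = [
    ("10.0.30.5", "10.0.10.2"),
    ("2001:db8:0:30::5", "2001:db8:0:10::2"),
]


def audit(tiers):
    """Decision for each constructed flow under the given tier definitions."""
    return {f"{s} -> {d}": decide(s, d, tiers) for s, d in CASES}


if __name__ == "__main__":
    print("v4-only rules:  ", audit(TIERS_V4_ONLY))
    print("dual-stack rules:", audit(TIERS_DUAL_STACK))
```

With v4-only tier definitions the IPv6 flow from the camera to the management host is allowed, because no tier claims the source and the chain falls through to the default. The same flow is dropped once each segment also carries its v6 slice, which is the scaffolding the post is deferring until the rules exist for both families.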

And mcp-unifi has been driving all of it against real hardware, out of stub mode for good. Went v0.5.1 to v0.10.1 since the last post. New tool surface for network segmentation, threat management, honeypots, and Teleport. Added an 18-tool read-only UniFi Access module for door and reader state. Bearer-token auth is now on by default, and destructive deletes preview the exact change before they run.

Built the controller against a mock for weeks, then watched it run the real gateway the day the fiber landed. That's the payoff.

github.com/pete-builds/mcp-unifi ↗

Three days deep on mcp-unifi. Started Wednesday with the new UCG-Fiber going live and the server flipping out of stub mode against real hardware for the first time. Shipped two release candidates, then v0.5.0, then v0.5.1. Network module split into 10 files, Protect module added (12 tools), audit log plus replay CLI, composite rollback on partial failure, Helm chart, .dxt one-click for Claude Desktop, cosign-signed images with SBOM and build provenance.

Spent today fixing the docs site, which had been silently producing one HTML page instead of nineteen since Astro 5. Missing content collection config, plus a Starlight bug where the draft filter dropped every entry because the schema default wasn't being applied. Found it by writing a debug page and printing what getCollection returned. Guides and reference now live at pete-builds.github.io/mcp-unifi.

Then the honest moment. Compared against the dominant UniFi MCP server out there. 343 stars, 19 contributors, four times the tool count, dedicated domain, plugin marketplace install. Not going to out-feature that in six weeks. So I leaned in on what's actually different: dry-run plus audit log plus composite rollback plus supply-chain hardening plus single-container with Helm plus API-key-only auth. Depth, not breadth.

This was always a portfolio piece more than a product. The point isn't users. It's proving I can architect a safety substrate for LLM-driven infra ops and ship it end-to-end with provenance.

pete-builds.github.io/mcp-unifi/ ↗

Shipped mcp-unifi v0.3.0 today. Forty-one tools for managing self-hosted UniFi gateways from any MCP client. Adds 26 new tools across four tiers: CRUD gaps (firewall update, port profile create/update/delete, port forward CRUD), high-frequency client and port ops (block client, set port state, restart and locate device, static DHCP leases), observability (site health, WAN status, events, alarms, speed tests, top talkers), and four composite tools that collapse multi-step UI workflows into single calls with rollback on partial failure: create_iot_network, create_guest_network, provision_homelab_service, audit_open_ports.
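An added example of the two safety properties these composite tools are built around, rollback on partial failure here and, from the IPv6 post above, a dry_run that is only as honest as the validation it runs through. This is illustration code, not mcp-unifi's own implementation: FakeGateway, its field names (ipv6_mode, ipv6_wan) and its mode enum are constructed stand-ins for a controller, not the UniFi API. The preview and the commit share one server-side validator, and a client-only structural preview is shown beside it for contrast.

```python
"""Composite create with shared-validator dry_run and rollback (added example).
FakeGateway and every field name in it are constructed assumptions."""


class GatewayError(Exception):
    """Raised when the (fake) controller rejects a write."""


class FakeGateway:
    # Hypothetical enum: the point is that only the server knows the list.
    IPV6_MODES = {"none", "prefix-delegation", "static"}

    def __init__(self):
        self.wans = {"wan1"}
        self.networks = {}

    def _validate(self, spec):
        """Server-side checks a client-only preview cannot see."""
        if spec["ipv6_mode"] not in self.IPV6_MODES:
            raise GatewayError(f"unknown ipv6_mode {spec['ipv6_mode']!r}")
        if spec["ipv6_mode"] == "prefix-delegation" and spec.get("ipv6_wan") not in self.wans:
            raise GatewayError("prefix-delegation requires a bound WAN")
        if spec["name"] in self.networks:
            raise GatewayError(f"network {spec['name']!r} already exists")

    def create_network(self, spec, dry_run=False):
        self._validate(spec)  # same path for preview and commit
        if dry_run:
            return {"would_create": spec["name"]}
        self.networks[spec["name"]] = dict(spec)
        return {"created": spec["name"]}

    def delete_network(self, name):
        self.networks.pop(name, None)


def local_preview(spec):
    """The kind of preview that lies: checks shape, not what the server accepts."""
    missing = {"name", "vlan", "ipv6_mode"} - set(spec)
    return {"ok": not missing, "missing": sorted(missing)}


def run_composite(gw, specs, dry_run=False):
    """Create each network in order. If the gateway rejects one, undo the
    ones already created (reverse order) and report where it failed."""
    applied, results = [], []
    try:
        for spec in specs:
            results.append(gw.create_network(spec, dry_run=dry_run))
            if not dry_run:
                applied.append(spec["name"])
    except GatewayError as exc:
        for name in reversed(applied):
            gw.delete_network(name)
        return {"ok": False, "error": str(exc),
                "rolled_back": applied[::-1], "partial": results}
    return {"ok": True, "results": results}


# Constructed inputs: the second spec uses a mode value the server does not know.
GOOD = {"name": "trusted", "vlan": 20, "ipv6_mode": "prefix-delegation", "ipv6_wan": "wan1"}
BAD = {"name": "iot", "vlan": 30, "ipv6_mode": "delegated"}


def demo():
    """Compare the two previews on BAD, then run the composite and roll back."""
    gw = FakeGateway()
    client_ok = local_preview(BAD)["ok"]          # green: all keys present
    try:
        gw.create_network(BAD, dry_run=True)
        server_ok = True
    except GatewayError:
        server_ok = False                          # the honest answer
    outcome = run_composite(gw, [GOOD, BAD])
    return {"client_preview_ok": client_ok, "server_preview_ok": server_ok,
            "composite_ok": outcome["ok"], "rolled_back": outcome["rolled_back"],
            "networks_left": sorted(gw.networks)}


if __name__ == "__main__":
    print(demo())
```

The local preview passes BAD because every required key is present; the gateway's own validator rejects it in dry_run for the same reason it would reject the live write. In the composite, "trusted" is created before "iot" fails, and the compensation loop removes it, so the gateway ends up exactly where it started rather than half-applied.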

Hardened container: UID 1000, no shell, read-only rootfs, digest-pinned base, hash-pinned wheels. Multi-arch with build provenance and SBOM pushed to GHCR. CI gates on Trivy, ruff, mypy strict, and 224 tests at 90% coverage.

Published to the official MCP Registry as io.github.pete-builds/unifi. Auto-publish workflow wired so future tags self-publish. Also pitched to the new curated GitHub MCP Registry at github.com/mcp via the partnership process. That one reviews manually and runs on a longer cadence.

The other UniFi MCP servers in the wild use older auth flows, no tests, deprecated transport. This is the only one with a hardened container and a registry listing.

Stub mode by default until UCG-Fiber arrives. Same surface, mock data. Build the controller before the hardware shows up.

github.com/pete-builds/mcp-unifi ↗