Alpha Apache 2.0 CI on every PR

Mosquitto Control Manager

The operations layer Mosquitto deserves.

MCM is an open source control plane for Eclipse Mosquitto. Modern web UI, REST and WebSocket API, realtime broker observability, RBAC, audit trail, HTTPS — without replacing Mosquitto as the broker.

View on GitHub OpenAPI spec Roadmap

What MCM is

Operations, not a broker rewrite.

Mosquitto is lightweight, reliable, and widely adopted at the edge. But day-to-day operation usually means hand-editing config files, ACLs, password files, and stitching dashboards together. MCM fills that gap with a clean control plane: a Go binary plus a React dashboard backed by a single SQLite database.

MCM never tries to replace Mosquitto. It connects to your existing broker as a client, configures it where appropriate, and gives operators visibility, auditability, and least-privilege access without asking them to change MQTT engines.

Stack

  • Go 1.24
  • net/http + slog
  • SQLite (pure Go)
  • paho MQTT
  • Prometheus
  • OpenAPI 3.1
  • React 19 + Vite 8
  • Tailwind 4

One static Go binary. Pure-Go SQLite driver, so cross-compiling to Linux amd64/arm64, macOS arm64, and Windows works out of the box on every PR.

What works today

A complete first cut, in alpha.

The MVP scope is feature-complete and MCM is in a hardening phase. Every item below is shipped, tested, and exercised on every pull request.

Backend

Auth, RBAC, lockouts

JWT login, bcrypt hashing, four roles (viewer < auditor < operator < admin), and per-IP/per-username 429 lockouts.

ACL & schema management

Mosquitto ACL rules with wildcard validation, plus JSON Schema validators bound to MQTT topic filters.

Realtime broker stream

Eclipse paho.mqtt.golang client with keepalive and auto-reconnect, fanned out over an authenticated WebSocket.

Audit & security trail

Every admin action and security event persisted in SQLite, surfaced through dedicated read-only APIs.

Observability

Structured slog with request IDs, Prometheus /metrics with bounded labels, starter Grafana dashboard.

HTTPS / mTLS

Optional TLS listener with configurable minimum version and optional client certificate verification.

Frontend

Real login

Token-backed sign-in form against /api/v1/auth/login with restored-session flow.

Live dashboard

Broker status, traffic widgets, topic explorer, realtime log feed.

Audit & security panels

Browse persisted admin and security events with consistent token handling.

Operations

Single binary CLI

mcm server / doctor / status / config / backup / version — cross-compiled on every PR.

OpenAPI 3.1 contract

Every endpoint described, linted in CI, ready for client generation.

Docker Compose dev stack

Local Mosquitto broker for development and quick trials.

Quick start

Three commands to a local control plane.

  1. 01
    Clone git clone https://github.com/fgjcarlos/mcm.git && cd mcm
  2. 02
    Start the broker docker compose up -d
  3. 03
    Run MCM go run ./cmd/mcm server --config ./mcm.yaml

Need TLS, mTLS, or Prometheus scraping? Each is covered in the README.