A source-backed collection for operators running AI services on infrastructure they control: local model runtime, CPU and GPU inference, model gateway, self-hosted MCP access, retrieval storage, model API packaging, container rebuilds, and image security checks.
Self-hosted AI endpoints can execute expensive inference, tool calls, retrieval, uploads, and container rebuilds; require authentication, rate limits, resource limits, and audit logs before network exposure., Model runtimes and OpenAI-compatible gateways can be swapped into agent stacks quickly, so verify route policy, model capability, tool-call handling, and fallback behavior before production use., Container rebuild and image scan hooks can read Docker state, pull images, start builds, and fail workflows; pin versions, bound permissions, and keep rollback commands tested., Local or self-hosted models do not provide a safety layer by themselves; prompts, outputs, embeddings, tool inputs, and generated code still need abuse, correctness, and data-handling review.
Privacy notes
Self-hosting reduces third-party model-provider exposure, but prompts, files, embeddings, retrieved documents, model outputs, logs, traces, and admin actions can still persist on operator infrastructure., Gateways, MCP servers, retrieval databases, model API servers, Docker logs, scanner reports, and backup jobs can duplicate sensitive data across disks, containers, volumes, and observability systems., Pulling models, images, packages, vulnerability data, or provider fallbacks can disclose model names, image names, IP addresses, repository names, and timing metadata to external services.
Author
MkDev11
Submitted by
MkDev11
Claim status
unclaimed
Last verified
2026-06-04
Decision playbook
Review trust signals before you adopt
Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.
Compare context
Selected
0
Current score
78
Baseline
—
Delta
No baseline selected
No major trust-signal divergence detected in the current selection.
Source and provenance checks
Complete
Confirm ownership and provenance before trusting install instructions.
Source link availableRequired
Open the canonical repository and verify ownership.
Done
Source provenance statusRequired
Marked as source-backed.
Done
Metadata reviewed
Registry metadata indicates a reviewed listing.
Done
Safety and privacy checks
Complete
Validate risk disclosures before installation or API wiring.
Safety notes presentRequired
Review the listed safety guidance before running commands.
Done
Privacy notes presentRequired
Review data handling notes before connecting accounts or secrets.
Done
Trust level risk gateRequired
Trust level does not block evaluation.
Done
Package and install checks
Needs review
Check package metadata and artifact integrity signals.
Install payload available
Install or copy payload is available for review.
Done
Package verification flag
No package verification flag provided.
Pending
Checksum metadata
No checksum provided for downloaded artifact.
Pending
Compare-driven decision checks
Needs review
Use compare context to validate trade-offs before adoption.
Compare tray has multiple entries
Add at least one more entry to compare trust differences.
4 safety and 3 privacy notes across 6 risk areas. Review closely: permissions & scopes, network access, third-party handling.
6 areas
SafetyNetwork accessSelf-hosted AI endpoints can execute expensive inference, tool calls, retrieval, uploads, and container rebuilds; require authentication, rate limits, resource limits, and audit logs before network exposure.
SafetyExecution & processesModel runtimes and OpenAI-compatible gateways can be swapped into agent stacks quickly, so verify route policy, model capability, tool-call handling, and fallback behavior before production use.
SafetyPermissions & scopesContainer rebuild and image scan hooks can read Docker state, pull images, start builds, and fail workflows; pin versions, bound permissions, and keep rollback commands tested.
SafetyGeneralLocal or self-hosted models do not provide a safety layer by themselves; prompts, outputs, embeddings, tool inputs, and generated code still need abuse, correctness, and data-handling review.
PrivacyPermissions & scopesSelf-hosting reduces third-party model-provider exposure, but prompts, files, embeddings, retrieved documents, model outputs, logs, traces, and admin actions can still persist on operator infrastructure.
PrivacyLocal filesGateways, MCP servers, retrieval databases, model API servers, Docker logs, scanner reports, and backup jobs can duplicate sensitive data across disks, containers, volumes, and observability systems.
PrivacyThird-party handlingPulling models, images, packages, vulnerability data, or provider fallbacks can disclose model names, image names, IP addresses, repository names, and timing metadata to external services.
Safety notes
Self-hosted AI endpoints can execute expensive inference, tool calls, retrieval, uploads, and container rebuilds; require authentication, rate limits, resource limits, and audit logs before network exposure.
Model runtimes and OpenAI-compatible gateways can be swapped into agent stacks quickly, so verify route policy, model capability, tool-call handling, and fallback behavior before production use.
Container rebuild and image scan hooks can read Docker state, pull images, start builds, and fail workflows; pin versions, bound permissions, and keep rollback commands tested.
Local or self-hosted models do not provide a safety layer by themselves; prompts, outputs, embeddings, tool inputs, and generated code still need abuse, correctness, and data-handling review.
Privacy notes
Self-hosting reduces third-party model-provider exposure, but prompts, files, embeddings, retrieved documents, model outputs, logs, traces, and admin actions can still persist on operator infrastructure.
Gateways, MCP servers, retrieval databases, model API servers, Docker logs, scanner reports, and backup jobs can duplicate sensitive data across disks, containers, volumes, and observability systems.
Pulling models, images, packages, vulnerability data, or provider fallbacks can disclose model names, image names, IP addresses, repository names, and timing metadata to external services.
Prerequisites
A host or small cluster with enough CPU, RAM, disk, and optional GPU/VRAM for the selected local or open model workloads.
A private network, firewall, TLS/auth plan, and operator-owned secrets store before exposing model, MCP, retrieval, or app endpoints.
Model license, weight source, quantization, context-length, embedding, and safety-policy decisions for the workloads you intend to run.
Container runtime and registry policy for Docker Compose services, rebuild triggers, image scanning, log retention, backups, and rollback.
Clear boundaries for what stays self-hosted and what may still call external model providers, registries, package indexes, or telemetry endpoints.
## What this collection sets up
This collection is for the operator side of a self-hosted AI stack. It starts
with the local-first architecture, then separates responsibilities into model
runtime selection, OpenAI-compatible routing, self-hosted MCP access, retrieval
storage, model API packaging, container rebuilds, and image security checks.
The goal is not to make every workload fully offline. It is to make data paths,
runtime choices, network exposure, credentials, logs, and rebuild behavior
visible before agents or users depend on the stack.
## Layers
### 1. Architecture and model runtime
- **local-first-ai-dev-stack** frames what stays on owned infrastructure and
what may still call an external orchestrator or provider.
- **ollama** is the simplest local model runner for developer machines,
delegation tasks, and offline fallback.
- **llama-cpp** covers lightweight GGUF-based inference for CPU, edge, and
memory-constrained hosts.
- **vllm** covers higher-throughput GPU serving with OpenAI-compatible APIs,
batching, structured outputs, and tool-calling support.
### 2. Gateway, tools, and retrieval
- **litellm** puts a model gateway in front of local and external providers so
operators can manage routes, virtual keys, spending, and fallbacks.
- **mcp-supergateway-hub** exposes a fleet of stdio MCP servers over HTTP for
private-network access from approved clients.
- **chroma** stores documents, embeddings, metadata, and retrieval indexes for
local or self-hosted RAG and memory workflows.
- **bentoml** packages model inference code into model APIs and deployable
service artifacts when the stack needs a production API surface.
### 3. Container operations
- **docker-container-auto-rebuild** helps rebuild affected containers after
source or configuration changes.
- **docker-image-security-scanner** checks container images before they become
part of the self-hosted AI environment.
## Suggested order
Start by writing the local-first boundary and choosing the runtime for each
workload: Ollama for simple local use, llama.cpp for compact GGUF serving, and
vLLM for GPU-backed throughput. Add LiteLLM only after route and credential
rules are clear. Bring up MCP Supergateway Hub and Chroma on a private network,
then package production inference services with BentoML. Finish by adding
container rebuild and image scanning hooks so stack changes are repeatable and
reviewed.
## Operator checklist
- [ ] {"task": "Boundary is written", "description": "Operators know which prompts, tools, models, embeddings, logs, and fallbacks are allowed to leave owned infrastructure"}
- [ ] {"task": "Runtime fits hardware", "description": "CPU, RAM, GPU, VRAM, disk, context length, and concurrency match the selected model runtimes"}
- [ ] {"task": "Endpoints are private", "description": "Model, MCP, retrieval, and API services have authentication, TLS or private-network controls, and rate limits"}
- [ ] {"task": "Credentials are scoped", "description": "Model gateway keys, registry tokens, provider fallbacks, and MCP secrets are rotated and least-privilege"}
- [ ] {"task": "Containers are reviewable", "description": "Rebuilds, image scans, logs, and rollbacks are part of the normal operator workflow"}
- [ ] {"task": "Retention is explicit", "description": "Prompts, outputs, embeddings, traces, scanner reports, and backups have an owner and deletion policy"}
## Source and references
- Ollama documentation: https://docs.ollama.com/
- llama.cpp documentation: https://github.com/ggml-org/llama.cpp/tree/master/docs
- vLLM documentation: https://docs.vllm.ai/en/stable/
- LiteLLM documentation: https://docs.litellm.ai/docs/
- Model Context Protocol documentation: https://modelcontextprotocol.io/docs/getting-started/intro
- MCP Supergateway Hub repository: https://github.com/dpdanpittman/mcp-supergateway-hub
- Chroma documentation: https://docs.trychroma.com/docs/overview/introduction
- BentoML documentation: https://docs.bentoml.com/en/latest/
- Docker Compose documentation: https://docs.docker.com/compose/
- Trivy documentation: https://aquasecurity.github.io/trivy/
## Duplicate check
Checked existing collections, guides, tools, skills, hooks, open PRs, closed
PRs, and issue history for `self-hosted-ai-operator-stack`, self-hosted AI
operator, local-first AI stack, Ollama, llama.cpp, vLLM, LiteLLM, MCP
Supergateway Hub, Chroma, BentoML, Docker rebuild hooks, and image security
scanning. `local-first-ai-dev-stack` is a guide for one local-first developer
architecture. `agent-operator-growth-master-pack` is a broad product-operator
bundle covering review, release, growth, and automation. This collection is
narrower and operational: it bundles the runtime, gateway, MCP, retrieval, model
API, rebuild, and scan entries needed to run self-hosted AI services.
## Disclosure
Editorial collection. No paid placement or affiliate link is used.
About this resource
What this collection sets up
This collection is for the operator side of a self-hosted AI stack. It starts
with the local-first architecture, then separates responsibilities into model
runtime selection, OpenAI-compatible routing, self-hosted MCP access, retrieval
storage, model API packaging, container rebuilds, and image security checks.
The goal is not to make every workload fully offline. It is to make data paths,
runtime choices, network exposure, credentials, logs, and rebuild behavior
visible before agents or users depend on the stack.
Layers
1. Architecture and model runtime
local-first-ai-dev-stack frames what stays on owned infrastructure and
what may still call an external orchestrator or provider.
ollama is the simplest local model runner for developer machines,
delegation tasks, and offline fallback.
llama-cpp covers lightweight GGUF-based inference for CPU, edge, and
memory-constrained hosts.
vllm covers higher-throughput GPU serving with OpenAI-compatible APIs,
batching, structured outputs, and tool-calling support.
2. Gateway, tools, and retrieval
litellm puts a model gateway in front of local and external providers so
operators can manage routes, virtual keys, spending, and fallbacks.
mcp-supergateway-hub exposes a fleet of stdio MCP servers over HTTP for
private-network access from approved clients.
chroma stores documents, embeddings, metadata, and retrieval indexes for
local or self-hosted RAG and memory workflows.
bentoml packages model inference code into model APIs and deployable
service artifacts when the stack needs a production API surface.
3. Container operations
docker-container-auto-rebuild helps rebuild affected containers after
source or configuration changes.
docker-image-security-scanner checks container images before they become
part of the self-hosted AI environment.
Suggested order
Start by writing the local-first boundary and choosing the runtime for each
workload: Ollama for simple local use, llama.cpp for compact GGUF serving, and
vLLM for GPU-backed throughput. Add LiteLLM only after route and credential
rules are clear. Bring up MCP Supergateway Hub and Chroma on a private network,
then package production inference services with BentoML. Finish by adding
container rebuild and image scanning hooks so stack changes are repeatable and
reviewed.
Operator checklist
{"task": "Boundary is written", "description": "Operators know which prompts, tools, models, embeddings, logs, and fallbacks are allowed to leave owned infrastructure"}
{"task": "Runtime fits hardware", "description": "CPU, RAM, GPU, VRAM, disk, context length, and concurrency match the selected model runtimes"}
{"task": "Endpoints are private", "description": "Model, MCP, retrieval, and API services have authentication, TLS or private-network controls, and rate limits"}
{"task": "Credentials are scoped", "description": "Model gateway keys, registry tokens, provider fallbacks, and MCP secrets are rotated and least-privilege"}
{"task": "Containers are reviewable", "description": "Rebuilds, image scans, logs, and rollbacks are part of the normal operator workflow"}
{"task": "Retention is explicit", "description": "Prompts, outputs, embeddings, traces, scanner reports, and backups have an owner and deletion policy"}
Checked existing collections, guides, tools, skills, hooks, open PRs, closed
PRs, and issue history for self-hosted-ai-operator-stack, self-hosted AI
operator, local-first AI stack, Ollama, llama.cpp, vLLM, LiteLLM, MCP
Supergateway Hub, Chroma, BentoML, Docker rebuild hooks, and image security
scanning. local-first-ai-dev-stack is a guide for one local-first developer
architecture. agent-operator-growth-master-pack is a broad product-operator
bundle covering review, release, growth, and automation. This collection is
narrower and operational: it bundles the runtime, gateway, MCP, retrieval, model
API, rebuild, and scan entries needed to run self-hosted AI services.
Disclosure
Editorial collection. No paid placement or affiliate link is used.
Show that Self-Hosted AI Operator Stack is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/collections/self-hosted-ai-operator-stack)
How it compares
Self-Hosted AI Operator Stack side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
1 trust signal differ across this comparison (Submitter).
A source-backed collection for operators running AI services on infrastructure they control: local model runtime, CPU and GPU inference, model gateway, self-hosted MCP access, retrieval storage, model API packaging, container rebuilds, and image security checks.
Run the parts of your AI dev workflow that touch your code and data — tools, memory, and auxiliary models — on infrastructure you control, while still using Claude as the orchestrator. A practical architecture for a self-hosted, privacy-first developer stack.
✓Self-hosted AI endpoints can execute expensive inference, tool calls, retrieval, uploads, and container rebuilds; require authentication, rate limits, resource limits, and audit logs before network exposure.
Model runtimes and OpenAI-compatible gateways can be swapped into agent stacks quickly, so verify route policy, model capability, tool-call handling, and fallback behavior before production use.
Container rebuild and image scan hooks can read Docker state, pull images, start builds, and fail workflows; pin versions, bound permissions, and keep rollback commands tested.
Local or self-hosted models do not provide a safety layer by themselves; prompts, outputs, embeddings, tool inputs, and generated code still need abuse, correctness, and data-handling review.
✓Downloaded models can be large and may carry their own license, usage, and safety constraints; review model cards before use.
Ollama exposes a local service and REST API, so bind addresses, firewall rules, and shared-machine access should be configured intentionally.
Generated outputs from local models still need review before they are applied to code, documentation, or operational decisions.
✓Exposing MCP servers over HTTP makes their tools reachable on the network — run them on a trusted/private network or behind authentication, never a public interface.
Self-hosted services are yours to patch and secure; a local model runtime executes code/tools on your machine, so only run models and servers you trust.
✓llama.cpp runs model inference, but it does not make model outputs factual, policy-compliant, safe to execute, or appropriate for automated account, code, data, or infrastructure actions.
llama-server exposes a local web UI and OpenAI-compatible HTTP endpoints; do not bind it to shared networks or public interfaces without authentication, TLS, firewalling, quotas, and monitoring.
GGUF files, LoRA adapters, tokenizer configuration, chat templates, multimodal projectors, and model metadata should be reviewed for provenance, license, task fit, and prompt-format compatibility.
Grammars and JSON constraints can improve output shape, but they do not prove semantic correctness, authorization, data validity, or downstream action safety.
Local inference can still consume substantial CPU, GPU, memory, disk, and power; set context length, thread count, batch size, GPU offload, concurrency, and cache settings intentionally.
Small local models often underperform frontier models on coding, reasoning, tool use, and safety-sensitive tasks; evaluate behavior before substituting them into Claude-adjacent workflows.
Privacy notes
✓Self-hosting reduces third-party model-provider exposure, but prompts, files, embeddings, retrieved documents, model outputs, logs, traces, and admin actions can still persist on operator infrastructure.
Gateways, MCP servers, retrieval databases, model API servers, Docker logs, scanner reports, and backup jobs can duplicate sensitive data across disks, containers, volumes, and observability systems.
Pulling models, images, packages, vulnerability data, or provider fallbacks can disclose model names, image names, IP addresses, repository names, and timing metadata to external services.
✓Local prompts and responses can stay on the machine when using local models, but they may appear in client logs, shell history, or application telemetry around the integration.
Any remote model source, community integration, or connected chat/workflow client may add its own data handling behavior.
Do not assume local execution removes the need to protect secrets or sensitive repository context from prompts and logs.
✓The point of the stack is data locality — prompts, tool I/O, and memory stay on infrastructure you control instead of scattered across SaaS.
Caveat: if Claude Code is the orchestrator, its prompts still go to Anthropic's model. For full data locality, run a local model loop (Ollama + an MCP-capable client) and accept the smaller-model tradeoffs.
The memory knowledge-graph persists on local disk — secure and back it up like any other sensitive store.
✓llama.cpp can keep prompts, chat messages, retrieved context, embeddings, reranking inputs, generated outputs, grammar-constrained outputs, and multimodal inputs on local infrastructure when configured locally.
Local-first operation reduces third-party model-provider exposure, but prompts and outputs can still appear in terminal history, server logs, web UI state, reverse proxies, monitoring, crash reports, caches, and saved transcripts.
GGUF model files, adapters, tokenizer files, and Hugging Face cache entries can reveal model choices, licensed assets, private fine-tunes, or internal evaluation targets.
Exposed OpenAI-compatible endpoints can receive sensitive data from clients that assume a cloud provider-style security boundary; document who operates the server and where request data is retained.
Prompt caches, KV caches, embedding stores, reranking inputs, and downstream app logs need retention, access-control, deletion, and backup policies even when inference happens locally.
Prerequisites
A host or small cluster with enough CPU, RAM, disk, and optional GPU/VRAM for the selected local or open model workloads.
A private network, firewall, TLS/auth plan, and operator-owned secrets store before exposing model, MCP, retrieval, or app endpoints.
Model license, weight source, quantization, context-length, embedding, and safety-policy decisions for the workloads you intend to run.
Container runtime and registry policy for Docker Compose services, rebuild triggers, image scanning, log retention, backups, and rollback.
A supported macOS, Windows, Linux, or Docker environment with enough CPU, memory, disk, and optional GPU capacity for the selected model.
Locally downloaded models from the Ollama library or imported model files you are allowed to use.
A reviewed integration path before connecting Ollama to Claude Code, Codex, OpenCode, or other agent clients.
A machine with enough RAM/VRAM for local models (16GB+ for small quantized models; a GPU helps for larger ones).
Node.js 18+ and Python 3.10+ (with uv) to run the common MCP servers.
Claude Code or another MCP client as the orchestrator.
Optional: Docker or a small Kubernetes setup to host a server fleet, and a private network (e.g., Tailscale) to reach it from other machines.
Compatible local machine, container, or server environment with enough CPU, RAM, GPU, VRAM, storage, drivers, and backend support for the target model and quantization level.
Approved GGUF model files, model licenses, tokenizer/chat-template expectations, LoRA adapters, multimodal files, and any Hugging Face credentials or mirror configuration needed to fetch models.
Build, package, or binary distribution path reviewed for the target backend, such as Metal, CUDA, HIP, Vulkan, SYCL, BLAS, CPU-only, or Docker.
Network, authentication, TLS, API-key, firewall, and rate-limit plan before exposing `llama-server`, its web UI, or OpenAI-compatible endpoints beyond a trusted local machine.