Debmatic Mcp
@claymore666
# debmatic-mcp
Overview
What is Debmatic Mcp?
Debmatic Mcp connects to any HomeMatic CCU (debmatic, CCU3, or OpenCCU) via its built-in JSON-RPC API and exposes devices, rooms, programs, and system variables as MCP tools. It works directly on your local network — no addons, no XML-API, no cloud required.
How to use Debmatic Mcp?
Install via npx ccu-mcp --stdio or run a Docker container with environment variables CCU_HOST and CCU_PASSWORD. Configure your MCP client (e.g., Claude Code) by adding a debmatic server entry in .mcp.json — either as a stdio subprocess or an HTTP server. The HTTP mode uses a bearer token generated on first startup.
Key features of Debmatic Mcp
- Connects directly to any HomeMatic CCU via its JSON-RPC API
- Exposes devices, rooms, programs, and system variables as MCP tools
- Supports stdio (subprocess) and HTTP (standalone) transports
- Bearer token authentication with rotation, TTL, and grace period
- TLS support with cert pinning, CA trust, or system verification
- CORS and DNS-rebinding protection for secure HTTP access
Use cases of Debmatic Mcp
- Ask an AI assistant for room temperatures, open windows, or low‑battery devices
- Set heating to a specific temperature or rename devices with consistent naming
- Find which room a window sensor belongs to or list devices with stale data
- Read gas meter readings or detect naming inconsistencies across channels
FAQ from Debmatic Mcp
What are the prerequisites?
A running HomeMatic CCU (debmatic, CCU3, or OpenCCU) reachable on your network, the CCU’s admin username and password, and Node.js 22+ (for stdio mode) or Docker.
How do I get the auth token for HTTP mode?
Run docker exec ccu-mcp grep MCP_AUTH_TOKEN /data/.env — the token is the part after =. The server generates it on first startup and saves it to the container’s data volume.
Does it work with HTTPS? How do I handle self‑signed certificates?
Yes. Set CCU_HTTPS=true and optionally CCU_PORT=443. The server accepts self‑signed certificates by default — you can pin the certificate fingerprint via CCU_TLS_FINGERPRINT, trust a CA file via CCU_CA_CERT, or enable system trust with CCU_TLS_VERIFY=true.
How can I protect against brute‑force attacks?
Use fail2ban. The server logs every rejected request as a structured JSON line to stderr, making it easy to parse. Ready‑to‑use fail2ban filter and jail configuration are provided in the fail2ban/ directory.
What transport options are available?
Stdio (the server runs as a subprocess of the MCP client) and HTTP (a standalone Docker container that clients connect to over the network). Both are fully supported.