Self-Hosted

Runs entirely on your infrastructure. On-premises, air-gapped, or hybrid. Your data never leaves your network unless you explicitly configure it to.

Air-Gap Ready

Core operations require zero internet connectivity. No telemetry, no phone-home, no cloud APIs. Fully operational offline with local LLM processing.

API-Key Auth

No OAuth middlemen. No third-party identity providers. Direct API key authentication on every endpoint. You control who accesses what.

Full Audit Trail

Every mutation logged with actor, timestamp, and reason. Immutable audit log. Export to your SIEM. Compliance-ready by design.

TECHNICAL ARCHITECTURE

Built for environments that don't trust clouds.

Open stack. No vendor lock-in. Inspectable source.

PRESENTATION

  • Nginx gateway
  • REST API (55+ endpoints)
  • MCP server (10 tools)

SERVICE

  • Canister Core (FastAPI)
  • Canister Retrieve (two-lane)
  • Embedding workers
  • Entity extraction

DATA

  • PostgreSQL 16 + pgvector
  • Redis 7 (event bus)
  • Knowledge graph (Memgraph)
  • Vector store (Qdrant)

DEPLOYMENT

  • Docker Compose
  • 10 containers
  • ~14.5 GB RAM
  • Mac Mini / rack server

Network Requirements

  • Ingress: None required (polling architecture)
  • Egress: None required for core operations
  • Optional: Internet for cloud LLM APIs (or use local models)
  • Ports: 8000 (API), 10002 (MCP), 5432 (DB), 7687 (graph)

Processing Pipeline

  • Ingestion: 500+ messages/minute throughput
  • Embedding: 100+ memories/minute (batch)
  • Search: < 500ms p99 (hybrid vector + BM25 + graph)
  • Quality gate: A-MAC scoring on every incoming item

OPERATIONAL CAPABILITIES

What Kanister does in the field.

01

Multi-Source Intelligence Ingestion

Automatically captures from encrypted messaging (Telegram, Signal, WhatsApp), email (Gmail, Exchange), radio transcripts, field reports, and document uploads. Configurable per-source sync intervals.

Telegram Signal Gmail Exchange Files API
02

Entity & Relationship Extraction

Auto-extracts people, organizations, locations, dates, amounts, and operational terms. Builds and maintains a knowledge graph linking every interaction. Fuzzy matching handles aliases and code names.

Auto-extraction, Knowledge graph, Alias resolution
03

Semantic Retrieval

Natural language queries across all sources. "What did the convoy commander report about route security last week?" — instant results with source, timestamp, and confidence. Hybrid vector + full-text + graph search.

< 500ms, Natural language, Cross-source
04

Contradiction & Anomaly Detection

Flags when new information conflicts with existing knowledge. Detects changes in reported facts, timeline inconsistencies, and contradictory statements across sources.

Conflict detection, Timeline analysis, Alert queue
05

Agent-Native Access (MCP)

AI agents query and store memories via MCP protocol. 10 agent tools covering search, capture, entity management, session tracking, and proactive context. Works with Claude, custom agents, and automated workflows.

MCP protocol, 10 agent tools, REST API
06

Automated Quality Gate

A-MAC scoring (Accuracy, Mission-relevance, Actionability, Completeness) on every incoming item. Rejects noise, surfaces signal. Human oversight for edge cases.

A-MAC scoring, Noise rejection, Human oversight

SECURITY & COMPLIANCE

Designed for zero-trust environments.

Data Sovereignty

All data stays on your hardware. PostgreSQL, Redis, and graph database run locally. No cloud sync. No third-party analytics. Export and delete on your terms.

  • No cloud dependencies for core
  • Encrypted at rest (AES-256)
  • No telemetry or phone-home

Access Control

API key authentication on every endpoint. No OAuth, no SSO middlemen, no third-party identity providers. Direct key management under your control.

  • API key on every endpoint
  • Webhook HMAC-SHA256 verification
  • Rate limiting per key

Audit & Observability

Every mutation logged with actor, timestamp, and reason. Prometheus metrics endpoint. Health checks on all services. Immutable audit log exportable to SIEM.

  • Immutable audit trail
  • /metrics (Prometheus format)
  • /health on all services

Deployment

Docker Compose with 10 containers. Runs on commodity hardware (Mac Mini / rack server). ~14.5 GB RAM total. No special hardware or GPU required for core operations.

  • Docker Compose (inspectable)
  • Open-source stack (PostgreSQL, Redis)
  • Automated daily backups (verified)

DEPLOYMENT SCENARIOS

Adapts to your environment.

FORWARD OPERATING BASE

Air-Gapped

Fully operational with zero internet connectivity. Local LLM for entity extraction. All data stays on local hardware. Portable via ruggedized server.

HEADQUARTERS

On-Premises

Standard deployment on your network. Optional cloud LLM APIs for enhanced processing. Full audit trail and access control. Integrates with existing SIEM.

MULTI-SITE

Distributed

Multiple Kanister instances with sync capability. Each site operates independently. Federated search across deployments. Centralized audit aggregation.