v0.2.0-beta.1 · Apache-2.0 · Python 3.9+

Autonomous network operations,
signed at every step.

A deterministic safety harness with a multi-agent reasoning layer on top. Every change is planned, approved with a signed quorum, executed against real devices, and recorded in a tamper-evident evidence chain. The LLM never acts on the network directly.

Get started Read the source Operator guide 
# clone and run the smoke test in ~30 seconds
$ git clone [email protected]:aethon-network/platform.git cubby
$ cd cubby && python3 -m venv .venv && source .venv/bin/activate
$ pip install -e ".[api,agents,dev]"
$ cubby smoke
✓ cubby.network — smoke test PASSED

What it is

A co-worker, not an assistant.

Cubby stands in for the part of a network engineering team that doesn't require physical hands on a device. It owns the rituals: snapshot before it plans, validate before it signs, sign before it executes, verify before it closes. Nothing about the network changes without a paper trail.

Typed change workflows

Access-port VLAN, firewall rule, drift remediation, capacity forecast, incident triage. Each workflow pack declares its own required assertions, allowed verbs, and rollback plan.

CAB-signed approvals

Medium- and high-risk changes require a quorum of cryptographically signed approvals bound to the canonical plan hash. Swapping the plan after sign-off fails verification.

Signed evidence chain

Every workflow stage writes a signed bundle (HMAC-SHA256 default, Ed25519 in production). prev_sha256 links bundles into a tamper-evident chain. verify-chain is a first-class command.

Read-only agent boundary

LLM-backed agents call only read-only tools from their per-role allow-list, gated by a SafetyGate that also scans for prompt injection in arguments. Write tools are refused at registration.

Seven real vendor adapters

Cisco IOS-XE and NX-OS, Arista EOS, JunOS, PAN-OS, Fortinet, Nokia SR Linux. All compose a shared transport layer (Scrapli SSH, SSH-exec, gNMI) so adding a vendor is a contract, not a fork.

Fail-closed by default

Policy denial, validation failure, plan-hash mismatch, signature invalidity — every failure mode short-circuits into a FAILED workflow. Nothing silently degrades; nothing side-effects through a half-open gate.

How it works

Every change follows the same path.

The workflow state machine is a strict DAG. Each state has a narrow allow-list of legal next states; illegal transitions raise. Every transition is logged, signed, and chained.

01
Normalize
Intent → typed request
02
Policy
Roles, verbs, window
03
Validate
Config-lint, Batfish, lab
04
Approve
CAB quorum, signed
05
Precheck
Live-device readiness
06
Canary
Scoped execution
07
Verify
Adapter re-poll
08
Close
Sign + chain

On any failure: ROLLBACK_PENDING → ROLLED_BACK → CLOSED, with the full forward + rollback plan signed as evidence either way.

Invariants

What the harness promises.

These are non-negotiable. Every commit runs the test suite and the security audit that prove them.

The LLM never writes to the network. The tool registry refuses write tools at registration time. Every config change routes through the deterministic workflow with signed approvals.
Every medium/high-risk change has a signed quorum. SignedApproval envelopes bind to the canonical plan hash. A rejector quorum symmetric to the approval quorum is required to kill a change — no single veto.
Every workflow bundle is signed and chain-linked. chain.tip advances on every write. Chain breaks are reportable. Legacy-key and chain-reset paths are explicit, never implicit.
Every tool call goes through the SafetyGate. Per-agent allow-lists, injection scanning on arguments (with Unicode normalisation to catch zero-width evasions), and a rewrite contract that cannot expand the privilege surface.
Every web fetch is provenance-tagged. Research writes back to the wiki with URL, fetched_at, provider, and confidence. Poisoned hits are dropped by the injection scanner before they land in the knowledge store.
Production boot fails fast on simulated adapters. NETOPS_ENV=production flips the plugin registry to strict mode. Any attempt to register a simulated plugin raises SimulationLeakError before the first request.
867
Tests passing
28
Audit findings closed
7
Vendor adapters
8
Incident-loop agents

Start here

Pick your path.

Quickstart →

Clone the repo, boot a free Nokia SR Linux lab, and push your first signed change end-to-end in about 30 minutes.

QUICKSTART · 151 lines

Operator guide →

The full environment-variable matrix, demo-vs-production posture, real adapter wiring, and the "before a second human drives this" checklist.

OPERATOR_GUIDE · deep-dive

Rollback runbook →

How to recover when a change leaves the network in a bad state. Self-rollback, stuck workflows, false-success, evidence-chain recovery.

ROLLBACK · incident path

Security policy →

Threat model, disclosure process, signing-key custody, and what we explicitly do not protect against (yet).

SECURITY · threat model