Autonomous netops,
signed at every step.
A deterministic safety harness with a multi-agent reasoning layer on top. Every change is planned, approved with a signed quorum, executed against real devices, and recorded in a tamper-evident evidence chain. The LLM never writes to the network.
# try it in 60 seconds — no Python setup, no venv
$ docker run --rm -p 8080:8080 ghcr.io/cubby-network/platform:latest
✓ cubby.network listening on http://localhost:8080
✓ chain.tip advanced · evidence verifiedThree paths
Pick the one that matches your goal. Same platform — different on-ramps.
All three install the same platform. The difference is how much of the build chain you take on. Python 3.10+ for pipx and source paths; Docker has no Python prerequisite.
Docker
Zero Python setup, zero venv, zero C-extension build failures. Service boots on port 8080. Best for evaluation and the first 30 minutes.
# pull + run
$ docker run --rm -p 8080:8080 \
ghcr.io/cubby-network/platform:latest
# exec the CLI inside the container
$ docker exec -it <id> cubby smokeImage is published on every release tag. Pin to a specific version (e.g. :0.2.0-beta.1) for production.
pipx
Isolated venv, the cubby CLI on your PATH. Best for daily operators with an existing Python toolchain (Nornir, NAPALM, Ansible).
# pipx puts cubby on PATH
$ pipx install cubby-network
# sanity-check what's wired
$ cubby smoke
$ cubby configPlain pip install cubby-network works too if you'd rather use a venv you already manage.
From source
Editable install. Best for plugin authors, anyone writing a new vendor adapter, and contributors who want to land PRs.
# clone + editable install
$ git clone [email protected]:cubby-network/platform.git
$ cd platform
$ python3 -m venv .venv && . .venv/bin/activate
$ pip install -e ".[api,agents,dev]"See CONTRIBUTING and the quickstart for the lab walkthrough.
Why this exists
Network changes still break networks.
Three failure modes show up in every postmortem. Cubby is designed backwards from them.
Approval is a ticket, not a signature.
"Approved by lead@" in a CMDB free-text field doesn't survive audit. A reviewer can't prove what plan they actually agreed to. A plan-swap between approval and execution goes undetected.
Evidence is a manual export.
Pre/post snapshots live in an operator's screen buffer, not in a signed record. When a change caused an outage last Tuesday, you're reconstructing from memory.
Copilots drift toward executing.
Every LLM-for-networks product crosses a line where the model starts making decisions the network should only take from a signed operator. That's not a safety boundary — that's how incidents begin.
Cubby's answer: the LLM proposes; the deterministic core decides. Every approval is cryptographically bound to the canonical plan hash. Every stage writes a signed evidence bundle, chained to the previous. The safety boundary is protocol-level — write tools are refused at registration, not at runtime.
A co-worker, not an assistant
The rituals of a network engineer, encoded.
Cubby owns the parts of network operations that don't require physical hands on a device. It snapshots before it plans, validates before it signs, signs before it executes, and verifies before it closes. Nothing about the network changes without a paper trail.
Typed change workflows
Access-port VLAN, firewall rule, drift remediation, capacity forecast, incident triage. Each workflow pack declares its own required assertions, allowed verbs, and rollback plan.
CAB-signed approvals
Medium- and high-risk changes require a quorum of cryptographically signed approvals bound to the canonical plan hash. Swapping the plan after sign-off fails verification.
Signed evidence chain
Every workflow stage writes a signed bundle (HMAC-SHA256 default, Ed25519 in production). prev_sha256 links bundles into a tamper-evident chain.
Read-only agent boundary
LLM-backed agents call only read-only tools from their per-role allow-list, gated by a SafetyGate that scans for prompt injection. Write tools are refused at registration.
Seven real vendor adapters
Cisco IOS-XE and NX-OS, Arista EOS, JunOS, PAN-OS, Fortinet, Nokia SR Linux. Shared transport layer (Scrapli SSH, SSH-exec, gNMI) so adding a vendor is a contract, not a fork.
Fail-closed by default
Policy denial, validation failure, plan-hash mismatch, signature invalidity — every failure mode short-circuits into a FAILED workflow. Nothing silently degrades.
The eight states
Every change follows the same path.
The workflow state machine is a strict DAG. Each state has a narrow allow-list of legal next states; illegal transitions raise. Every transition is logged, signed, and chained.
What the harness promises
Six promises. Non-negotiable.
Every commit runs the test suite and the security audit that prove these. Production refuses to boot if any of them is unverifiable.
The LLM never writes to the network.
The tool registry refuses write tools at registration time. Every config change routes through the deterministic workflow with signed approvals.
Every medium/high-risk change has a signed quorum.
SignedApproval envelopes bind to the canonical plan hash. A rejector quorum symmetric to approvals is required to kill a change — no single veto.
Every workflow bundle is signed and chain-linked.
chain.tip advances on every write. Chain breaks are reportable. Legacy-key and chain-reset paths are explicit, never implicit.
Every tool call goes through SafetyGate.
Per-agent allow-lists, injection scanning with Unicode normalization (catches zero-width evasions), and a rewrite contract that cannot expand the privilege surface.
Every web fetch is provenance-tagged.
Research writes back to the wiki with URL, fetched_at, provider, and confidence. Poisoned hits are dropped by the injection scanner before they land.
Production refuses simulated plugins.
NETOPS_ENV=production flips the registry to strict mode. Any attempt to register a simulated plugin raises SimulationLeakError before the first request.
Start here
Pick your path.
Every doc page is generated from the canonical Markdown in the repo. If you find something out of date, the source link on each page opens the original on GitHub.
Quickstart →
Clone the repo, boot a free Nokia SR Linux lab, and push your first signed change end-to-end.
Pilot beta →
The supervised lab-beta deployment path: posture, pilot wizard, evidence-chain verification, escape hatches.
Operator guide →
Environment-variable matrix, demo-vs-production posture, real adapter wiring, the "before a second human drives this" checklist.
Rollback runbook →
How to recover when a change leaves the network in a bad state. Self-rollback, stuck workflows, evidence-chain recovery.
Security policy →
Threat model, disclosure process, signing-key custody, and what we explicitly do not protect against (yet).
Contributing →
Branching model, DCO sign-off, the hard rules every PR must follow before it lands on main.
Stop writing change tickets. Start signing them.
Cubby is open source, Apache-2.0, and runs on a laptop. Pull the image, point it at a lab, and watch a change pass through eight signed states in under a minute.