Cassian Gate

A deterministic validation gate for network changes

Runs your proposed change in a controlled environment, asserts real network behavior, and returns PASS or FAIL — with auditable artifacts you can attach to a PR or CI job.

Example run

$ cassian test topologies/first-run-proof-minimal.yaml [lifecycle] resolve ok [lifecycle] generate ok [lifecycle] deploy ok (containerlab, 4 nodes) [lifecycle] provision ok (interfaces, addressing, BGP, convergence) [tests] ping h1 -> h2 PASS tcp h1 -> h2:8080 PASS invariant bgp_session_up r1<->r2 PASS invariant route_present 10.0.2.0/24 on r1 PASS [scenarios] primary-path-failover PASS link_down r1<->r2 wait_for bgp_session_up r1<->r3 converged ping h1 -> h2 PASS link_up r1<->r2 [artifacts] artifacts/2026-04-24_1142/results.json artifacts/2026-04-24_1142/topology.resolved.yaml artifacts/2026-04-24_1142/results.summary.txt RESULT: PASS (4 tests, 1 scenario, 0 failures) exit 0

Every run writes results.json. That file is the authoritative artifact — not the terminal output.

Install

pipx install cassian-gate

Try it

git clone https://github.com/cassian-gate/cassian-gate.git
cd cassian-gate
cassian doctor
cassian test topologies/first-run-proof-minimal.yaml

First run pulls container images (about 500 MB) and may take several minutes. Subsequent runs complete in under a minute on the proof topologies.

To see the gate catch a real failure: cassian test topologies/first-run-proof-fail-catching.yaml

What it does

Behavior, not config text. Boots your topology, runs your change, asserts what actually happens — BGP sessions, route propagation, policy, reachability, failover.
Deterministic verdicts. Binary PASS/FAIL. Clean exit codes. No risk scores, no "probably fine," no AI deciding whether your change is safe.
CI-safe by design. Clean-state execution. Authoritative artifacts. Drops into GitHub Actions or GitLab CI as a single job.
Catches real failures. Route leaks, policy misconfigs, failover bugs, convergence issues, grey failures like packet loss and latency.

Scope — v2

Cassian Gate v2 validates FRR-based topologies. SONiC support is in progress. Arista cEOS support is planned next. The engine is runtime-agnostic by design, but supported NOS today means FRR plus host and firewall nodes.

Cassian Gate does not auto-remediate, does not replace monitoring, does not run against live infrastructure, and does not use AI for pass/fail decisions. AI is advisory only.

Links

Announcement post → GitHub repo → Documentation → v2.0.2 release → Discussions → Quickstart →