v2.1  ·  release notes  ·  docs

Cassian Gate

A deterministic validation gate for network changes

Runs your proposed change in a controlled environment, asserts real network behavior, and returns PASS or FAIL — with auditable artifacts you can attach to a PR or CI job.

New — v2.1 is out: actionable failure output, user-defined invariants, +2 BGP invariants. What's new →

Example run

$ cassian test topologies/first-run-proof-minimal.yaml MODE: GATE | AUTHORITATIVE: YES | CLEAN-STATE: YES | DESTROY: YES | LIFECYCLE: RESOLVE>GENERATE>DEPLOY>PROVISION>TEST>COLLECT>DESTROY NOTICE: This run may require sudo for container networking. ──────────────────────────────────────── Cassian Gate Result ──────────────────────────────────────── Lab: first-run-proof-minimal Authority: GATE (authoritative) Mode: gate (clean-state topology) Prereqs executed: 0 Declared tests executed: 1 Scenarios executed: 0 Execution: full lifecycle through test (collect+destroy still executed) RESULT: PASS Tests: - PASS h1_tcp_8443_to_h2_pass TOTAL: 1 PASS: 1 FAIL: 0 SKIP: 0 EXIT: 0 ✅ Declared tests PASS (1 checks) ✅ TEST PASS: containers running + checks OK Lab: first-run-proof-minimal Action: destroy runtime RESULT: DESTROYED OK first-run-proof-minimal: destroyed Lab lifecycle: DESTROYED Artifacts: labs/clab-first-run-proof-minimal/ - topology.resolved.yaml (generated execution model used for execution; non-authoritative) - results.json (authoritative verdict artifact) - results.summary.txt (human-readable summary only; non-authoritative)

Every run writes results.json. That file is the authoritative artifact — not the terminal output.

Run from a clone of the repository (see Try it below) — topologies/ ships in the repo, not the pipx wheel.

Install

pipx install cassian-gate

Try it

git clone https://github.com/cassian-gate/cassian-gate.git
cd cassian-gate
cassian doctor
cassian test topologies/first-run-proof-minimal.yaml

First run pulls container images (about 500 MB) and may take several minutes. Subsequent runs complete in under a minute on the proof topologies.

To see the gate catch a real failure: cassian test topologies/first-run-proof-fail-catching.yaml

What it does

Latest release — v2.1

Full write-up: What's new in v2.1 →

Scope — v2

Cassian Gate v2 validates FRR-based topologies — FRR plus host and firewall nodes. The engine is runtime-agnostic by design; SONiC is the next NOS (Phase 2), scoped by a strategic reassessment before it begins.

Cassian Gate does not auto-remediate, does not replace monitoring, does not run against live infrastructure, and does not use AI for pass/fail decisions. AI is advisory only.

Links