announcement · v2.0.2 · release notes

Cassian Gate v2 — a deterministic validation gate for network changes

Update: Use v2.0.2 or later. Versions v2.0.0 and v2.0.1 were published before the Apache 2.0 repository license file and package license metadata were added. v2.0.2 is the correctly licensed public release.

The hardest network failures are not the ones you missed in config review. They are the ones config review could not have caught.

A configuration can be internally consistent and still be operationally wrong. A failover path can look fine on paper and still converge incorrectly. A route policy can appear correct and still leak or suppress something under real protocol interaction. By the time monitoring tells you there is a problem, you are already in production.

That is the gap Cassian Gate is built to close.

Cassian Gate v2 is the first public release line. It is a deterministic, execution-backed validation gate for network changes. It sits between change proposed and change deployed. You declare a topology and the tests and scenarios you care about. Cassian Gate runs them in a controlled environment and returns a binary PASS or FAIL verdict with authoritative artifacts.

It is not a static config analysis tool. It is not a monitoring system. It is not an AI system deciding whether your change is safe. It is an execution-backed proof gate.

The problem

Network change review still depends heavily on some combination of config review, intent review, peer experience, maintenance-window caution, and post-change monitoring. All of these matter. None of them are the same as proving actual behavior before production.

Cassian Gate is built for the question those methods cannot fully answer:

Should this change proceed?

What Cassian Gate does

You give Cassian Gate a topology, the tests you want to run, and the scenarios you want to exercise (failovers, link outages, grey failures, policy changes). Cassian Gate then:

Builds the declared environment using containerlab.
Provisions it deterministically — interfaces, addressing, routing, convergence.
Runs the tests and scenarios you declared.
Records expected, observed, verdict, and evidence for each assertion.
Writes authoritative artifacts — results.json, topology.resolved.yaml, results.summary.txt.
Exits cleanly for CI with a binary PASS or FAIL.

The goal is not interesting simulation. It is explicit pre-deployment proof.

Example run

$ cassian test topologies/first-run-proof-minimal.yaml [lifecycle] resolve ok [lifecycle] generate ok [lifecycle] deploy ok (containerlab, 4 nodes) [lifecycle] provision ok (interfaces, addressing, BGP, convergence) [tests] ping h1 -> h2 PASS tcp h1 -> h2:8080 PASS invariant bgp_session_up r1<->r2 PASS invariant route_present 10.0.2.0/24 on r1 PASS [scenarios] primary-path-failover PASS link_down r1<->r2 wait_for bgp_session_up r1<->r3 converged ping h1 -> h2 PASS link_up r1<->r2 RESULT: PASS (4 tests, 1 scenario, 0 failures) exit 0

That output is a UI for humans. The authoritative artifact is results.json — machine-consumable, schema-versioned, and the only thing a CI job should trust for its verdict.

What it is

Execution-backed. Cassian Gate validates behavior by running the declared environment and checking what actually happens. Not config text analysis. Not intent graph reasoning.
Deterministic. Same topology, same commit, same verdict. The gate is reproducible from its own artifacts via cassian replay.
CI-safe. Clean-state execution, clean exit codes, authoritative artifacts. Drops into GitHub Actions or GitLab CI as a single job.
Narrow. Cassian Gate v2 validates FRR-based topologies. That means FRR as the routing NOS, plus host and firewall (nftables) nodes. SONiC support is in progress. Arista cEOS support is planned next.

What it is not

Cassian Gate does not give you a confidence score, a heuristic safety estimate, or an AI-generated guess. The gate either passes or it does not.

Cassian Gate does not auto-remediate, does not replace monitoring, does not run against live infrastructure, and does not claim feature-parity NOS simulation.

AI is advisory only — it can explain results or summarize evidence, but AI does not decide pass/fail, alter artifacts, or change execution meaning. That separation is not negotiable.

The narrowness is deliberate. Trust comes from explicit scope and deterministic behavior, not from overclaiming.

How to try it

Install:

pipx install cassian-gate

Run the proof kit:

git clone https://github.com/cassian-gate/cassian-gate.git
cd cassian-gate
cassian doctor
cassian test topologies/first-run-proof-minimal.yaml

First run pulls container images (about 500 MB) and may take several minutes. Subsequent runs complete in under a minute on the proof topologies.

To see the gate catch a real failure — a change that looks fine but breaks behavior:

cassian test topologies/first-run-proof-fail-catching.yaml

That topology is designed to reach a FAIL verdict and produce a clear artifact showing what was caught and why.

What's next

v2 is the foundation. The next work is visible and committed:

SONiC support — second NOS. In progress.
Arista cEOS support — planned next, with paid commercial delivery.
Deepening the FRR surface — additional invariants (OSPF, interface state, BGP policy), richer state capture, user-defined invariants.
Proof surface improvements — better invariant failure output, test tags, topology composition.

The expansion path is deliberate and documented. What the community shapes is the edges — which invariants matter most, where onboarding breaks, what proof recipes convert.

Try it and tell us what happened

If you try Cassian Gate, the most valuable thing you can do is tell us what happened — especially if something confused you, broke, or was missing.

Friction reports, missing invariants, topology authoring pain, and "the docs did not explain X" are all valuable. If you run Cassian Gate in CI against a real change and it catches something, that is the kind of signal that shapes what gets built next.