mechub

Sovereign network-security automation. Open-source tools for people who run firewalls — self-hosted, offline-capable, no mandatory SaaS. Deterministic engines decide, models explain, and a human approves.

early · seeking testers open source self-hosted github.com/fastrevmd-lab
01 · sovereign

Your network. Your data. Your call.

"Sovereign" is not a slogan here — it is a design constraint every mechub tool is built against.

constraint/01

Runs on your infrastructure

Self-hosted and offline-capable. Your device credentials, configs, and telemetry stay on hardware you control — nothing phones home, and there is no SaaS you must sign up for.

constraint/02

Open source, inspectable

MIT licensed. Read the code before you point it at a firewall — we would. Every repo is public from the first commit.

constraint/03

Deterministic where it matters

Where AI is used at all, it runs locally and only phrases and assists. Detection logic and device changes stay deterministic — an LLM never makes a safety-relevant decision on its own.

Deterministic decides. The model explains. A human approves.
02 · tools

Seven repos, all open

Everything below is early. It works in our lab against real gear; we need it to work in yours. Stats refresh live from GitHub when you're online.

foundation/rust

rustnetconf

Async NETCONF client library for Rust — YANG code generation, vendor profiles, connection pooling, and a Terraform-like CLI for declarative network config.

Rust MIT early · seeking testers
2 0 open issues updated jul 2026
foundation/rust

rustez

A Rust replacement for Juniper PyEZ — async-first Junos device automation built on rustnetconf.

Rust MIT early · seeking testers
1 0 open issues updated jul 2026
mcp/rust

rustjunosmcp

MCP server that lets AI agents operate Juniper Junos devices — built on rustez, exercised daily against a 24-device vSRX lab.

Rust MIT early · seeking testers
1 4 open issues updated jul 2026
tool/browser/LLM

firewall-intent-converter

Browser-based conversion of firewall and cloud configs — PAN-OS, FortiGate, Cisco ASA/FTD, Check Point, AWS/Azure/GCP, and more — into reviewable Juniper SRX output, with an LLM-guided greenfield mode. Always a migration draft requiring review — never production-ready.

JavaScript MIT early · seeking testers
1 2 open issues updated jul 2026
tool/browser

fwconfigsantizer

Strips private data — addresses, hostnames, secrets — out of a firewall configuration so it can be shared for help or review.

HTML MIT early · seeking testers
1 0 open issues updated jul 2026
tool/python

srxsync

Pushes one SRX's config — policies, objects, NAT — out to a fleet of others, so a golden device can drive the rest.

Python MIT early · seeking testers
0 0 open issues updated jul 2026
skills/LLM

fwskillsshare

Agent skills for firewall work — parsing, auditing, and converting configs across Cisco, Fortinet, Palo Alto, and Juniper. Works with Claude Code, Codex, and Hermes so far.

Skills MIT early · seeking testers
4 0 open issues updated jul 2026
03 · where we are

Honest about where this is

Proof ahead of claims. Here is exactly what these tools are today — and what they are not yet.

  • Built against real gear. Everything public here is developed and used in one real lab: a Proxmox cluster running a 24-device Juniper vSRX topology, exercised through real NETCONF sessions, real commits, and real multi-vendor configs.
  • Not yet battle-tested elsewhere. No mechub tool has been proven at someone else's site. That is precisely the help we are asking for — see below.
  • Interfaces may change. Until a 1.0, expect breaking changes; they'll be called out in release notes, not hidden.
  • The AI boundary is fixed. Deterministic code decides, models explain, a human approves. That rule does not change as the tools mature.
04 · roadmap

Where it's going

These are goals in active development — not promises. Scope and timing may change; when something ships, it ships on GitHub first and gets announced here.

2026 · shipped

The foundation went public

Seven repositories, MIT licensed — from the Rust NETCONF stack up through browser firewall tools and shared Claude skills. All listed above; all taking issues.

in development · not yet released

agentofcomply

Sovereign firewall compliance-drift auditor. Subscribes a firewall to best-practice and compliance frameworks (PCI DSS, CIS Controls), records a baseline, and warns when config drift pushes the device out of compliance — with the offending config and a suggested fix. Detection is deterministic; a local model only phrases explanations and fixes.

in development · not yet released

ModelMeshSec

Sovereign firewall operations assurance. The goal: every connected alert accounted for, every managed change validated before it runs. Earliest of the two — the design is public before the code is.

05 · help out

We need testers more than anything

The single most valuable thing you can do is run a tool against your own gear and tell us what happened — especially when the answer is "it broke".

help/01

Run one in your lab

Point a tool at your own devices or configs — a vSRX in EVE-NG or a spare box is plenty. Twenty minutes and a "didn't build on my distro" is genuinely useful signal.

help/02

File an issue

What you ran, what broke, device model and OS version, what you expected. Every card above links straight to that repo's issue tracker. Rough notes beat silence.

help/03

Star, watch, improve

Stars and watches tell us where to spend effort. PRs are welcome too — but right now, issues from real environments matter more than code.