rustnetconf
Async NETCONF client library for Rust — YANG code generation, vendor profiles, connection pooling, and a Terraform-like CLI for declarative network config.
Sovereign network-security automation. Open-source tools for people who run firewalls — self-hosted, offline-capable, no mandatory SaaS. Deterministic engines decide, models explain, and a human approves.
"Sovereign" is not a slogan here — it is a design constraint every mechub tool is built against.
Self-hosted and offline-capable. Your device credentials, configs, and telemetry stay on hardware you control — nothing phones home, and there is no SaaS you must sign up for.
MIT licensed. Read the code before you point it at a firewall — we would. Every repo is public from the first commit.
Where AI is used at all, it runs locally and only phrases and assists. Detection logic and device changes stay deterministic — an LLM never makes a safety-relevant decision on its own.
Deterministic decides. The model explains. A human approves.
Everything below is early. It works in our lab against real gear; we need it to work in yours. Stats refresh live from GitHub when you're online.
Async NETCONF client library for Rust — YANG code generation, vendor profiles, connection pooling, and a Terraform-like CLI for declarative network config.
A Rust replacement for Juniper PyEZ — async-first Junos device automation built on rustnetconf.
MCP server that lets AI agents operate Juniper Junos devices — built on rustez, exercised daily against a 24-device vSRX lab.
Browser-based conversion of firewall and cloud configs — PAN-OS, FortiGate, Cisco ASA/FTD, Check Point, AWS/Azure/GCP, and more — into reviewable Juniper SRX output, with an LLM-guided greenfield mode. Always a migration draft requiring review — never production-ready.
Strips private data — addresses, hostnames, secrets — out of a firewall configuration so it can be shared for help or review.
Pushes one SRX's config — policies, objects, NAT — out to a fleet of others, so a golden device can drive the rest.
Agent skills for firewall work — parsing, auditing, and converting configs across Cisco, Fortinet, Palo Alto, and Juniper. Works with Claude Code, Codex, and Hermes so far.
Proof ahead of claims. Here is exactly what these tools are today — and what they are not yet.
These are goals in active development — not promises. Scope and timing may change; when something ships, it ships on GitHub first and gets announced here.
Seven repositories, MIT licensed — from the Rust NETCONF stack up through browser firewall tools and shared Claude skills. All listed above; all taking issues.
Sovereign firewall compliance-drift auditor. Subscribes a firewall to best-practice and compliance frameworks (PCI DSS, CIS Controls), records a baseline, and warns when config drift pushes the device out of compliance — with the offending config and a suggested fix. Detection is deterministic; a local model only phrases explanations and fixes.
Sovereign firewall operations assurance. The goal: every connected alert accounted for, every managed change validated before it runs. Earliest of the two — the design is public before the code is.
The single most valuable thing you can do is run a tool against your own gear and tell us what happened — especially when the answer is "it broke".
Point a tool at your own devices or configs — a vSRX in EVE-NG or a spare box is plenty. Twenty minutes and a "didn't build on my distro" is genuinely useful signal.
What you ran, what broke, device model and OS version, what you expected. Every card above links straight to that repo's issue tracker. Rough notes beat silence.
Stars and watches tell us where to spend effort. PRs are welcome too — but right now, issues from real environments matter more than code.