CUTSHEET v0.1 SOON

Know what changed on your network.

Cutsheet watches your device configs, keeps a git-backed history, and turns every change into a risk-analyzed report a human can read. Built for the team that finds out about config changes the hard way.

Open source. Apache-2.0. Single binary. Read-only by design.

cutsheet :: change 0142 :: core-switch
$ change detected 02:47 UTC
commit 62a9a1f8
device core-switch (cisco-ios)

- permit tcp 198.18.0.0 0.0.0.255 any eq 22
+ permit tcp any any eq 22
- switchport trunk allowed vlan 10,20,30
+ switchport trunk allowed vlan all

HIGH RISK-001 ACL broadened to any/any on management port
  evidence: permit tcp any any eq 22
  recommend: restrict source to management subnet
MED RISK-002 Trunk now carries all VLANs
  evidence: switchport trunk allowed vlan all

reports: risk-analysis.md rollback-plan.md stakeholder-brief.md ...
notify : discord #netops

How it works

Collect. Commit. Explain.

01 / COLLECT

Read-only snapshots

Agentless SSH and API collectors pull running configs on a schedule. Credentials encrypted at rest. Nothing is ever written to your devices.

02 / COMMIT

Git-backed history

Every real change becomes a commit. Full history, blame, and diffs for every device, mirrorable anywhere git goes.

03 / EXPLAIN

Risk-analyzed reports

Deterministic analysis flags broadened ACLs, trunk changes, AAA edits, lost monitoring. Reports written for operators, reviewers, and the change board.
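
To make the "broadened ACL" check concrete, here is an added example (not Cutsheet's own code) of a deterministic, token-based comparison of permit entries between a before and an after config. The function names, the finding fields and the HIGH/MED severity rule are assumptions, and it handles only the `permit|deny PROTO SRC DST [eq PORT]` entry shape from the change 0142 sample above.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def take_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A' or 'A WILDCARD'."""
    head = tokens.pop(0)
    if head == "any":
        return ANY
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    if wildcard & (wildcard + 1):  # wildcard bits must be contiguous from the right
        raise ValueError("non-contiguous wildcard mask: not handled here")
    return ipaddress.ip_network(f"{head}/{32 - wildcard.bit_length()}", strict=False)

def parse_ace(line):
    """Tokenise 'permit|deny PROTO SRC DST [eq PORT]'; None for any other line."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        return None
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = take_addr(tokens), take_addr(tokens)
    port = tokens[1] if tokens[:1] == ["eq"] and len(tokens) > 1 else None
    return {"action": action, "key": (proto, dst, port), "src": src, "line": " ".join(line.split())}

def broadened_acl(before, after):
    """Findings for permit entries whose source set grew between two configs."""
    old = [a for a in map(parse_ace, before) if a and a["action"] == "permit"]
    findings = []
    for new in filter(None, map(parse_ace, after)):
        same = [o for o in old if o["key"] == new["key"]]
        if new["action"] != "permit" or any(o["src"].supernet_of(new["src"]) for o in same):
            continue  # not a permit, or those sources were already allowed
        narrower = [o for o in same if o["src"].subnet_of(new["src"])]
        if narrower:
            # Severity rule is an assumption: any/any is HIGH, other widening is MED.
            high = new["src"] == ANY and new["key"][1] == ANY
            findings.append({"severity": "HIGH" if high else "MED",
                             "evidence": new["line"], "was": narrower[0]["line"]})
    return findings

# Constructed sample, taken from the change 0142 excerpt on this page.
BEFORE = ["permit tcp 198.18.0.0 0.0.0.255 any eq 22", "switchport trunk allowed vlan 10,20,30"]
AFTER = ["permit tcp any any eq 22", "switchport trunk allowed vlan all"]

if __name__ == "__main__":
    for f in broadened_acl(BEFORE, AFTER):
        print(f["severity"], "ACL broadened:", f["evidence"], "(was:", f["was"] + ")")
```

Swapping the two inputs (a change that narrows the source) yields no finding, which is the quiet-on-safe-changes behaviour a check like this needs.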

What you get

Built like a tool, not a dashboard.

Severity findings

Routes, ACLs, VLANs, trunks, NAT, VPN, AAA, management plane, and monitoring changes ranked low to high with evidence lines.

Rollback plans

Every change ships with before-state facts and rollback guidance, plus a validation checklist for the maintenance window.

Stakeholder briefs

A plain-language impact summary your manager can read. Bring evidence to the CAB meeting instead of a screenshot of PuTTY.

Timeline UI

An embedded web UI with an org-wide change feed, device inventory, and full HTML reports. One binary, no app server.

Notifications

Severity-filtered webhooks and Discord alerts the moment a change lands. Quiet on no-ops, loud on any/any.

Offline diff CLI

The same analysis engine works standalone: feed it a before and after config, get the full report bundle. No server required.

Vendor support

Multi-vendor from day one.

Cisco IOS / IOS XE, Juniper Junos, Fortinet FortiOS, Palo Alto PAN-OS, Ubiquiti EdgeOS / EdgeSwitch, VyOS, UniFi Controller, Generic text configs

Deterministic parsers, not regex roulette. Auto-detection with vendor-exclusive structural tokens, and a generic fallback for everything else.

Cutsheet never pushes config.

Read-only collectors, full stop. No config push, no remediation scripts run against your gear, no "just let us fix it for you". Cutsheet observes and explains; your hands stay on the keyboard. That is a design decision, not a missing feature.

Quickstart

Fifteen minutes to a timeline.

$ docker compose up -d
$ docker compose exec cutsheet cutsheet token create --data-dir /data --name admin
token: cst_... (shown once)
$ cutsheet device add --id core-sw --collector ssh --vendor cisco-ios ...

# no hardware handy? seed a demo timeline:
$ cutsheet demo --data-dir ./data && cutsheet serve --data-dir ./data

v0.1 source and binaries land soon. Until then the build is happening in the open on GitHub.