One inventory and topology context feeds automation, drift, RCA, and packet investigation.
Network as Code
Netcode Shell — governed SSH.
The daily workspace for network engineers: direct SSH when you need speed, guarded SSH when you need governance, and evidence for every session.
Automation, diagnostics, and approvals in one workflow.
Use this screen to see what is ready to plan, what is blocked by verification, which Rez incidents have draft fixes, and which changes are waiting for human approval.
Region 3 edge remediation: 7 sites, 42 devices, rollback generated, canary ready.
INC-2048 Rez RCA found missing outbound NAT evidence for the scoped flow.
Next: review generated commands, approve canary, apply, then verify live state.
SSH/API credentials stay on the Windows or Linux runner next to the network.
Rez can collect evidence and propose remediation, but it cannot apply configuration.
Writes require plan, policy gates, canary, approval, apply, and verification.
Every device write is gated by a plan, validation, and proof.
Engineers declare the result; the platform builds the artifacts.
Each change ends with commands, evidence, Git history, and rollback.
Use Git, YAML, templates, and Rez through guided workflows.
Get ready
Git, source of truth, read access, and a safe test target — verified before any change.
CheckingBring devices under management
Point at an IP, read its live state, review the record, save it to source of truth.
CheckingMake a safe change
Declare the outcome, branch it, see exact commands, prove it, apply, verify, push for review.
WaitingTroubleshoot / Investigate
Run read-only Rez checks, compare expected vs live, attach evidence to the change.
Not checkedProve it
One evidence package with request, intent, branch, commands, proof, investigation, rollback.
WaitingSetup Wizard — run this once
Connect the pieces Netcode needs before daily SSH work: Git, source of truth, runner reachability, and proof mode. After these gates are green, most engineers should live in Shell.
Required before you can start a change
Git connected
Can changes be reviewed and audited?
Checking.
Source of truth
Does the platform know your network?
Checking.
How your changes will be proven (informational — these never block planning)
Device reachability
Can the platform read your devices?
Checking.
Verification and drift read live device state. If the platform cannot read, you are blind after an apply.
Proof mode
Where do changes get proven before they matter?
Checking.
Runner mode — device actions run on your runner
The control plane queues changes; an on-prem runner next to your devices executes them and returns signed evidence. The browser and control plane never touch devices.
Run this on the machine next to your devices (single-use token, shown once):
Advanced: platform configuration
Control the options this UI uses
Configuration has not been loaded yet.
Full configuration JSON
Edit change cards, field labels, defaults, vendor choices, gates, paths, and audit settings.
Inventory
Bring devices under management: discover them live with Rez, or import them from NetBox — the de-facto network source of truth.
Import devices from NetBox
Read-only. Set the URL and API token, test, then sync devices into inventory. Local YAML stays the default.
No discovery run yet.
Discovery is read-only. It collects device state and creates an import candidate; it does not change device config.
Desired State
Pick the outcome first. The platform builds the right YAML, template, validation, plan, and apply gates for that intent type.
Add VLAN
Choose a change type and fill in the outcome. YAML remains visible as an artifact, not as the primary workflow.
Create a plan to see the YAML intent.
Plan
Preview the exact impact — forward and rollback — before the lab switch sees anything.
Create a desired state first.
No commands generated yet.
No rollback plan yet.
Validate
Policy checks must pass for every intent. Lab dry-run is available only for intent types with an Arista write adapter.
Create a plan first.
Run dry-run after validation is reviewed.
Apply + Verify
Apply stays locked until the selected intent type supports lab writes, policy validation passes, and dry-run proof exists.
No device command has been committed.
Send for review
Commit every artifact of this change to its branch, then push it so your team can review before merge.
Commit and push to produce a review-ready summary.
Fleet rollout — canary, then batches, halt on first failure
One change, many devices. Every device gets its own change record with the full safety spine (plan, policy gate, dry-run proof, apply, verify) — the rollout only sequences the waves. A failure anywhere stops everything that has not started.
No rollout planned yet.
Plan a rollout to see the canary and batch waves before anything touches a device.
Fleet drift
Live state vs the committed baseline for every device in the source of truth — the out-of-band change finder. Runs on the on-prem runner; the sweep is recorded as an evidence report.
Troubleshoot / Investigate
Read-only checks use Rez SSH/API adapters to collect live evidence. Use them before a change, after a change, or during an incident. If a change is active, the result is attached to that change record.
No investigation run yet.
Pick a device and check type. The result will show the live evidence and whether it matches what you expected.
Read-only evidence will appear here.
Create a plan, then check drift for that intent.
Evidence — the change record
One readable package per change: request, plan, safety, lab proof, apply proof, verification, Git record, rollback. Attach it to a ticket.
Pick a change to see its full record.
Advanced: raw artifacts
No artifacts yet. Start with Setup or Desired State.