[!] This project is provided as-is, without warranties or guarantees of any kind, and has not been validated in a production environment unless explicitly stated otherwise. You are solely responsible for evaluating, testing, securing, and operating it safely in your environment and for verifying compliance with any legal, regulatory, or contractual requirements. By using this project, you accept all risk, and the authors and contributors assume no liability for any loss, damage, outage, misuse, or other consequences arising from its use. [!]
ReadyCheck (readycheck) is a CLI for repeatable, audit-friendly connectivity
validation. It compares observed network behavior to declared intent
(allow or deny) and produces artifacts suitable for operations handoff,
change evidence, and baseline comparison.
Current release: 0.0.1
- YAML-driven source, destination, and check matrix.
- Checks:
tcp,tls,http,ssh,dns. - Normalized failure statuses for stable triage.
- Outputs:
results.json,results.csv,report.html,summary.txt. - Baseline comparison outputs:
diff.json,diff.html. - Optional CI/automation gate thresholds for policy mismatches and technical failures.
- No remote multi-probe orchestration in
0.0.1. - No generic UDP scanning beyond DNS-specific checks.
- No credentialed checks, login flows, or remote command execution.
- No certificate-policy validation beyond basic TLS handshake success.
- No guarantee that one probe host represents every real source path.
success: technical check result (trueorfalse).expected: policy intent (allowordeny).policy_pass: whether observed behavior matched intent.
success and policy outcome are intentionally separate:
- If
expected=allow, success is typically desired. - If
expected=deny, failure is typically desired.
- Python
3.11+ - Network authorization for every declared target
- A probe host whose routing and DNS path represent the source context you want to validate
- Each run is executed from one local probe host.
- The operator controls the YAML matrix and declares only approved targets.
- Timeout and retry values are tuned for the lab or network segment being tested.
- Create and activate a virtual environment.
python3 -m venv .venv
source .venv/bin/activate- Install ReadyCheck in editable mode with dev tooling.
python -m pip install -U pip
python -m pip install -e ".[dev]"- Copy the example matrix.
cp matrix.example.yaml matrix.yaml- Edit
matrix.yamlwith authorized hosts, ports, and expectations.
Run a standard validation:
python -m readycheck.cli run --spec matrix.yaml --output outFail the command if any policy assertion mismatches:
python -m readycheck.cli run \
--spec matrix.yaml \
--output out \
--fail-on-policy-failures 0Fail the command if more than one technical check fails:
python -m readycheck.cli run \
--spec matrix.yaml \
--output out \
--fail-on-check-failures 1Create a baseline:
python -m readycheck.cli run --spec matrix.yaml --output out_baselineCompare a later run to that baseline:
python -m readycheck.cli run \
--spec matrix.yaml \
--output out_current \
--baseline out_baseline/results.jsonDiff two existing result sets directly:
python -m readycheck.cli diff \
--baseline out_baseline/results.json \
--current out_current/results.json \
--output out_diffArtifacts are written to the selected output directory:
results.json: machine-readable source of truthresults.csv: spreadsheet-friendly exportreport.html: human-readable run reportsummary.txt: quick counters for tickets and CI commentsdiff.json: machine-readable change set when--baselineis useddiff.html: human-readable baseline comparison when--baselineis used
sourcesmust be a non-empty list.destinationsmust be a non-empty list withnameandhost.matrixmust be a non-empty list.- Each matrix row must reference known
sourceanddestination. - Each matrix row must include at least one check.
- Supported checks:
tcp,tls,http,ssh,dns.
Raw errors are mapped into:
timeoutrefusedunreachabletls_errorprotocol_errordns_errorunknown
This keeps reports and diffs stable across runtime environments.
Run the standard local gate:
./scripts/check.sh./scripts/check.sh delegates to the repo-level check.sh, which runs
formatting, linting, tests, configured security checks, and dependency audit
where tooling is available.
error: spec file does not exist: confirm--specpoints to the YAML file you intended to run.unknown sourceorunknown destination: thematrixsection does not match the names declared undersourcesordestinations.- Mostly
timeout: check routing, ACL state, resolver path, and timeout value. protocol_error: the target is reachable but did not behave like the expected protocol.readycheck gating failure: the run completed, but the configured failure threshold was exceeded.
- Live network validation against authorized hosts is still an operator-run step, not a fully automated integration test in this repo.
- The local gate can only prove code quality and local lab behavior, not real-world ACL correctness.
- HTML and JSON artifacts are deterministic, but network outcomes are still probe- and environment-dependent.
- ReadyCheck does not change remote systems; rollback is deleting or replacing
generated output directories such as
out/,out_baseline/, andout_diff/. - Keep prior
results.jsonartifacts when you need a stable baseline for comparison. - Treat matrix schema changes as compatibility changes and validate them with
./scripts/check.shbefore using them in CI or change evidence workflows.
- Operator guide: docs/OPERATORS_GUIDE.md
- WSL2 runbook: docs/WSL2_RUNBOOK.md
- Project spec: SPEC.md
- Current state snapshot: STATE.md
- Full disclaimer: DISCLAIMER.md
src/readycheck/cli.py: command orchestration (run,diff)src/readycheck/spec.py: matrix parsing, validation, and execution planningsrc/readycheck/checks/: protocol check implementationssrc/readycheck/classify.py: failure classificationsrc/readycheck/report/: JSON, CSV, HTML, and summary writerssrc/readycheck/diff.py: baseline comparison and severity scoringtests/: unit and light integration coverage
Use ReadyCheck only against systems and networks where you have explicit authorization. It is built for declared, targeted validation workflows and evidence collection, not exploration or broad scanning.