Built to be extended
Write plugins with a typed SDK, distribute them through a signed marketplace, and bring AI into your operations (beta) with multi-provider LLM support and a governance model that keeps credentials and PII from leaving your environment.
Get started in 30 seconds
Install the SDK
Scaffold a plugin
Plugin System & SDK
Extend FreeSDN with two-tier extensibility: native first-party modules (full trust) and SDK plugins (permission-declared, SDK-bounded, super_admin install only). The Plugin SDK gives developers typed interfaces, testing utilities, and CLI tools. Install from PyPI with pip install freesdn-sdk.
Trusted-Author Model
The plugin loader applies load-time import hygiene and permission checks. It is not a security sandbox in the OS/container sense. Plugins are cooperative: they are expected to be authored by trusted parties (super_admin installs only). SDK interfaces, SSRF-locked HTTP, and permission gates provide the safety guardrails.
Full SDK Interfaces
Typed interfaces for devices, alerts, events, settings, and HTTP. Your plugin gets a PluginContext with DeviceSDK, AlertSDK, EventSDK, PluginSettingsSDK, and an SSRF-protected HTTP client (blocks internal IPs, private ranges, cloud metadata endpoints).
Manifest Validation
Every plugin declares a plugin.yaml manifest with ID, version, permissions, dependencies, event subscriptions, and settings schema. Validated at install time and at development time via the SDK CLI.
Event-Driven Architecture
Subscribe to any event pattern (device.status.changed, alert.created, etc.) with priority routing. Plugins can emit their own events. Full correlation and causation ID tracing across the event chain.
Ed25519-Signed Marketplace
Package plugins as versioned ZIPs. Marketplace catalog entries are Ed25519-signed by the publisher; unsigned packages are refused by default. SHA-256 verified at install. Per-organization plugin enablement. Super_admin install only.
Developer CLI
freesdn-sdk init, validate, package, and check commands. Scaffold a plugin in seconds, validate your manifest, build a distributable ZIP, and check for import hygiene issues before deploying.
Write a plugin in minutes
Subclass FreeSDNPlugin, implement lifecycle hooks, and use the typed SDK context to interact with devices, alerts, events, and settings. Permissions you declare in the manifest are the ceiling for what the platform will allow.
DeviceSDKQuery and manage devices across all adapters
list, get, get_ports, update
AlertSDKCreate alerts, resolve incidents, manage severity
list, create, resolve, update
EventSDKPublish and subscribe to domain events
emit, subscribe
PluginSettingsSDKPer-plugin configuration and encrypted secrets
get, set, get_secret, set_secret
PluginHTTPClientSSRF-protected HTTP client with timeout limits
get, post, put, delete, patch
Runtime Limits
Hard limits enforced by the FreeSDN runtime to prevent resource abuse.
50
Triggers per plugin
50
Actions per plugin
20
AI tools per plugin
50
Python dependencies
50 MB
Max ZIP size
60s
HTTP timeout
Fabric: universal app-interconnect
The Fabric layer (GET /api/v1/fabric/catalog) publishes a single tier-tagged catalog of operations, events, and AI-tool projections from both native modules and SDK plugins. Operators author Connections (event → step chain) that wire any app to any other without custom code. Three built-in sinks (notify / log / webhook), inbound org-key ingestion, outbound webhook, and a community n8n node (n8n-nodes-freesdn). Writes always ride the staged dual-gate.
LLM Integration & Governance BETA
Bring AI into your network operations with built-in governance. Three cloud and self-hosted providers, 11 platform tools, an agentic loop, and a 3-layer governance model that keeps credentials and PII from reaching the cloud. AI is off by default and must be explicitly enabled.
Supported Providers
| Provider | Models | Status |
|---|---|---|
| OpenAI | GPT-4o, GPT-4o-mini, and others | Ready |
| Anthropic | Claude Sonnet, Haiku, and others | Ready |
| Ollama | Llama 3, Mistral, Qwen (self-hosted) | Ready |
Global Kill-Switch (default OFF)
AI is disabled by default at the platform level. Administrators must explicitly enable it. No AI calls leave the platform until a super_admin opts in, preventing accidental cloud exposure.
Per-Org Policy
Each organization has its own AI policy: DISABLED, LOCAL_ONLY (Ollama only, no cloud), or CLOUD_APPROVED. Orgs cannot exceed the platform-level policy ceiling.
PII Redaction Before Cloud
Sensitive values are stripped from context before any prompt reaches a cloud provider. Device credentials, secrets, and personal data are redacted so they never leave your environment in plain text.
11 Built-in Tools & Agentic Loop
The assistant ships 11 platform tools (device queries, alert management, config review, diagnostics, and more). An agentic loop (up to 5 iterations) lets the model chain tool calls to complete multi-step tasks. Plugins can register up to 20 additional AI tools each.
Built-in Use Cases
Network Diagnostics
Ask AI to analyze device health, explain port errors, and suggest fixes based on real-time telemetry data.
Alert Triage
AI summarizes alert clusters, identifies root causes, and recommends remediation steps across device types.
Configuration Review
Submit config changes for AI review before deployment. Catch VLAN mismatches, routing loops, and security gaps.
Natural Language Queries
Ask questions in plain English: 'Which switches have high CPU?' or 'Show me all offline cameras at Site 3'.
Cooperative trusted-author model
The plugin loader applies load-time import hygiene and permission checks. It isnot an OS-level or container-level security sandbox. Plugins are expected to be authored by trusted parties; super_admin installation is required. Guardrails include: SDK-only interfaces, SSRF-locked HTTP, a confused-deputy permission check (plugin runs with plugin∩caller permissions), hash-pinned dependencies, and an Ed25519-signed marketplace catalog that refuses unsigned packages by default.
SDK
Typed Interfaces Only
Plugins access devices, alerts, events, and settings exclusively through typed SDK interfaces
SSRF
Protected HTTP
HTTP client blocks internal IPs, private ranges, and cloud metadata endpoints
Ed25519
Signed Catalog
Marketplace catalog is publisher-signed; unsigned packages refused by default
∩
Confused-Deputy Guard
Plugin executes with the intersection of plugin permissions and calling-user permissions
Free as in freedom
FreeSDN is fully open-source under the AGPLv3 (AGPL-3.0-only) license. No artificial limitations, no "community edition" crippling, no surprise licensing changes.
AGPL-3.0 Licensed
No vendor lock-in, no per-device fees, no phone-home telemetry. Fork it, extend it, build services on top of it. The source is yours.
No Per-Device Fees
Monitor a small lab or a large fleet. FreeSDN charges nothing per device. Compare that to commercial per-device licensing.
Self-Hosted
By default, your credentials and data stay on your own infrastructure. No cloud dependency, no SaaS outage risk, fully air-gappable.
Community-Driven
Built by network engineers for network engineers. Feature requests, bug reports, and pull requests are all welcome.
Ready to take control of your network?
Join the community managing their multi-vendor infrastructure with a single, open-source platform.
See it running in your browser
Explore the full FreeSDN dashboard with realistic sample data, no signup, no backend. Then install it in minutes.