netapi: Decisions & Risks

1. Decision Log

| Date | Decision | Rationale | Decided By |
|---|---|---|---|
| 2025 (initial) | Language: Python | Richest network automation ecosystem (netmiko, ncclient, scrapli, ciscoisesdk). Fastest prototyping for validating patterns across vendors. | Evan Rosado |
| 2025 (initial) | Atomic Design architecture | Composability from primitives to workflows mirrors how network operations actually compose. Prevents the one-off script graveyard. | Evan Rosado |
| 2026-03-25 | Remove genie/pyats from parsing extra | Unfixed CVE in pyasn1 dependency creates transitive vulnerability. Security > convenience. | Evan Rosado |
| 2026-03-25 | Unified exception hierarchy | Bare except: clauses across vendor modules hid real errors. NetapiError base class enables single-catch patterns while preserving specificity. | Evan Rosado |
| 2026-03-25 | Apache-2.0 license | Permissive for commercial use. Consistent with Kubernetes, Docker ecosystem. Allows Kora (Go rewrite) to exist as separate commercial product. | Evan Rosado |
| 2026-03-25 | Keep netapi private, Kora public | netapi is the battle-tested proving ground. Kora is the clean-room public product. Private repo protects proprietary patterns while public repo builds community. | Evan Rosado |
| 2026-03-25 | dsec for credential management | No --password flags, no credentials in config files or shell history. All secrets loaded via dsource/gopass/Vault integration. | Evan Rosado |
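
The "Unified exception hierarchy" decision, sketched as an added example (not netapi's own code): a bare except turns an authentication failure, an outage and a code defect into the same None, while a NetapiError base class keeps them distinguishable under a single catch. Only the name NetapiError comes from this page; the subclasses, the fake vendor call and its failure modes are assumptions.

```python
# Added illustration. Only NetapiError is named on the page; the subclasses,
# the fake client and its failure modes are hypothetical.

class NetapiError(Exception):
    """Base class: one except clause catches every library-raised error."""

class NetapiAuthError(NetapiError):
    """Device or API rejected the credentials (hypothetical subclass)."""

class NetapiConnectionError(NetapiError):
    """Device unreachable or session dropped (hypothetical subclass)."""

def fake_vendor_call(mode):
    """Constructed stand-in for a vendor client call."""
    if mode == "auth":
        raise PermissionError("401 Unauthorized")
    if mode == "down":
        raise TimeoutError("connect timed out")
    if mode == "bug":
        return {"sessions": None}["sessions"]["count"]  # TypeError: a code defect
    return {"sessions": 3}

def get_sessions_bare(mode):
    """Before: bare except turns auth failures, outages and bugs into None."""
    try:
        return fake_vendor_call(mode)
    except:  # noqa: E722 - the pattern the decision removes
        return None

def get_sessions(mode):
    """After: translate expected failures, let programming errors propagate."""
    try:
        return fake_vendor_call(mode)
    except PermissionError as exc:  # checked first: it is an OSError subclass
        raise NetapiAuthError(f"authentication failed: {exc}") from exc
    except OSError as exc:  # TimeoutError and other transport errors
        raise NetapiConnectionError(f"device unreachable: {exc}") from exc

def classify(mode):
    """Caller side: single catch on the base class, specific type still visible."""
    try:
        get_sessions(mode)
        return "ok"
    except NetapiError as exc:
        return type(exc).__name__
```

With the bare except, a rejected credential is indistinguishable from "no sessions"; with the hierarchy, the TypeError from the defective path is not caught by NetapiError and surfaces to the caller.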

2. Risk Assessment

| Risk | Likelihood | Impact | Mitigation | Contingency |
|---|---|---|---|---|
| Test coverage stays at 1/10 — regressions ship silently | High | High | Phase 1 commercialization focuses entirely on pytest infrastructure. Block PyPI publish until 70% coverage. | Freeze feature development until tests exist for all ISE clients |
| Dependency CVEs in transitive packages | Medium | High | Dependabot enabled. Quarterly audit of all extras. genie/pyats already removed as precedent. | Pin vulnerable packages, document known CVEs, provide workarounds |
| netapi stays private too long — Kora never launches | Medium | High | Kora Phase 1 has hard deadline (June 2026). netapi patterns are already validated — porting is translation, not invention. | Ship netapi to PyPI as-is with ISE-only scope if Kora stalls |
| Python ecosystem loses relevance for network automation | Low | Medium | Go rewrite (Kora) hedges this bet. Atomic Design patterns are language-agnostic. | Accelerate Kora timeline, maintain netapi for existing users |
| Vendor API breaking changes (ISE, pfSense, WLC) | Medium | Medium | Version-pinned API clients. Integration test suite against lab instances. Change detection in CI. | Deprecate affected vendor module version, document migration path |
| Burnout — 18 vendors is too much surface area | High | High | ISE is the flagship. Other vendors are opportunistic. Do not chase feature parity across all 18. | Freeze vendor count. Deepen ISE/WLC/pfSense only. Community handles the rest via Kora plugins. |