Metadata-Version: 2.4
Name: netbox_rpki
Version: 0.2.3
Summary: NetBox plugin for BGP RPKI support.
Author-email: Mencken Davidson <mencken@gmail.com>
Maintainer-email: Mencken Davidson <mencken@gmail.com>
License: 
                                         Apache License
                                   Version 2.0, January 2004
                                http://www.apache.org/licenses/
        
           TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
        
           1. Definitions.
        
              "License" shall mean the terms and conditions for use, reproduction,
              and distribution as defined by Sections 1 through 9 of this document.
        
              "Licensor" shall mean the copyright owner or entity authorized by
              the copyright owner that is granting the License.
        
              "Legal Entity" shall mean the union of the acting entity and all
              other entities that control, are controlled by, or are under common
              control with that entity. For the purposes of this definition,
              "control" means (i) the power, direct or indirect, to cause the
              direction or management of such entity, whether by contract or
              otherwise, or (ii) ownership of fifty percent (50%) or more of the
              outstanding shares, or (iii) beneficial ownership of such entity.
        
              "You" (or "Your") shall mean an individual or Legal Entity
              exercising permissions granted by this License.
        
              "Source" form shall mean the preferred form for making modifications,
              including but not limited to software source code, documentation
              source, and configuration files.
        
              "Object" form shall mean any form resulting from mechanical
              transformation or translation of a Source form, including but
              not limited to compiled object code, generated documentation,
              and conversions to other media types.
        
              "Work" shall mean the work of authorship, whether in Source or
              Object form, made available under the License, as indicated by a
              copyright notice that is included in or attached to the work
              (an example is provided in the Appendix below).
        
              "Derivative Works" shall mean any work, whether in Source or Object
              form, that is based on (or derived from) the Work and for which the
              editorial revisions, annotations, elaborations, or other modifications
              represent, as a whole, an original work of authorship. For the purposes
              of this License, Derivative Works shall not include works that remain
              separable from, or merely link (or bind by name) to the interfaces of,
              the Work and Derivative Works thereof.
        
              "Contribution" shall mean any work of authorship, including
              the original version of the Work and any modifications or additions
              to that Work or Derivative Works thereof, that is intentionally
              submitted to Licensor for inclusion in the Work by the copyright owner
              or by an individual or Legal Entity authorized to submit on behalf of
              the copyright owner. For the purposes of this definition, "submitted"
              means any form of electronic, verbal, or written communication sent
              to the Licensor or its representatives, including but not limited to
              communication on electronic mailing lists, source code control systems,
              and issue tracking systems that are managed by, or on behalf of, the
              Licensor for the purpose of discussing and improving the Work, but
              excluding communication that is conspicuously marked or otherwise
              designated in writing by the copyright owner as "Not a Contribution."
        
              "Contributor" shall mean Licensor and any individual or Legal Entity
              on behalf of whom a Contribution has been received by Licensor and
              subsequently incorporated within the Work.
        
           2. Grant of Copyright License. Subject to the terms and conditions of
              this License, each Contributor hereby grants to You a perpetual,
              worldwide, non-exclusive, no-charge, royalty-free, irrevocable
              copyright license to reproduce, prepare Derivative Works of,
              publicly display, publicly perform, sublicense, and distribute the
              Work and such Derivative Works in Source or Object form.
        
           3. Grant of Patent License. Subject to the terms and conditions of
              this License, each Contributor hereby grants to You a perpetual,
              worldwide, non-exclusive, no-charge, royalty-free, irrevocable
              (except as stated in this section) patent license to make, have made,
              use, offer to sell, sell, import, and otherwise transfer the Work,
              where such license applies only to those patent claims licensable
              by such Contributor that are necessarily infringed by their
              Contribution(s) alone or by combination of their Contribution(s)
              with the Work to which such Contribution(s) was submitted. If You
              institute patent litigation against any entity (including a
              cross-claim or counterclaim in a lawsuit) alleging that the Work
              or a Contribution incorporated within the Work constitutes direct
              or contributory patent infringement, then any patent licenses
              granted to You under this License for that Work shall terminate
              as of the date such litigation is filed.
        
           4. Redistribution. You may reproduce and distribute copies of the
              Work or Derivative Works thereof in any medium, with or without
              modifications, and in Source or Object form, provided that You
              meet the following conditions:
        
              (a) You must give any other recipients of the Work or
                  Derivative Works a copy of this License; and
        
              (b) You must cause any modified files to carry prominent notices
                  stating that You changed the files; and
        
              (c) You must retain, in the Source form of any Derivative Works
                  that You distribute, all copyright, patent, trademark, and
                  attribution notices from the Source form of the Work,
                  excluding those notices that do not pertain to any part of
                  the Derivative Works; and
        
              (d) If the Work includes a "NOTICE" text file as part of its
                  distribution, then any Derivative Works that You distribute must
                  include a readable copy of the attribution notices contained
                  within such NOTICE file, excluding those notices that do not
                  pertain to any part of the Derivative Works, in at least one
                  of the following places: within a NOTICE text file distributed
                  as part of the Derivative Works; within the Source form or
                  documentation, if provided along with the Derivative Works; or,
                  within a display generated by the Derivative Works, if and
                  wherever such third-party notices normally appear. The contents
                  of the NOTICE file are for informational purposes only and
                  do not modify the License. You may add Your own attribution
                  notices within Derivative Works that You distribute, alongside
                  or as an addendum to the NOTICE text from the Work, provided
                  that such additional attribution notices cannot be construed
                  as modifying the License.
        
              You may add Your own copyright statement to Your modifications and
              may provide additional or different license terms and conditions
              for use, reproduction, or distribution of Your modifications, or
              for any such Derivative Works as a whole, provided Your use,
              reproduction, and distribution of the Work otherwise complies with
              the conditions stated in this License.
        
           5. Submission of Contributions. Unless You explicitly state otherwise,
              any Contribution intentionally submitted for inclusion in the Work
              by You to the Licensor shall be under the terms and conditions of
              this License, without any additional terms or conditions.
              Notwithstanding the above, nothing herein shall supersede or modify
              the terms of any separate license agreement you may have executed
              with Licensor regarding such Contributions.
        
           6. Trademarks. This License does not grant permission to use the trade
              names, trademarks, service marks, or product names of the Licensor,
              except as required for reasonable and customary use in describing the
              origin of the Work and reproducing the content of the NOTICE file.
        
           7. Disclaimer of Warranty. Unless required by applicable law or
              agreed to in writing, Licensor provides the Work (and each
              Contributor provides its Contributions) on an "AS IS" BASIS,
              WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
              implied, including, without limitation, any warranties or conditions
              of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
              PARTICULAR PURPOSE. You are solely responsible for determining the
              appropriateness of using or redistributing the Work and assume any
              risks associated with Your exercise of permissions under this License.
        
           8. Limitation of Liability. In no event and under no legal theory,
              whether in tort (including negligence), contract, or otherwise,
              unless required by applicable law (such as deliberate and grossly
              negligent acts) or agreed to in writing, shall any Contributor be
              liable to You for damages, including any direct, indirect, special,
              incidental, or consequential damages of any character arising as a
              result of this License or out of the use or inability to use the
              Work (including but not limited to damages for loss of goodwill,
              work stoppage, computer failure or malfunction, or any and all
              other commercial damages or losses), even if such Contributor
              has been advised of the possibility of such damages.
        
           9. Accepting Warranty or Additional Liability. While redistributing
              the Work or Derivative Works thereof, You may choose to offer,
              and charge a fee for, acceptance of support, warranty, indemnity,
              or other liability obligations and/or rights consistent with this
              License. However, in accepting such obligations, You may act only
              on Your own behalf and on Your sole responsibility, not on behalf
              of any other Contributor, and only if You agree to indemnify,
              defend, and hold each Contributor harmless for any liability
              incurred by, or claims asserted against, such Contributor by reason
              of your accepting any such warranty or additional liability.
        
           END OF TERMS AND CONDITIONS
        
Project-URL: Documentation, https://menckend.github.io/netbox_rpki/
Project-URL: Source, https://github.com/menckend/netbox_rpki
Project-URL: Tracker, https://github.com/menckend/netbox_rpki/issues
Keywords: netbox,plugin,bgp,rpki,roa
Classifier: Development Status :: 3 - Alpha
Classifier: Intended Audience :: Developers
Classifier: Natural Language :: English
Classifier: Programming Language :: Python :: 3 :: Only
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Programming Language :: Python :: 3.14
Requires-Python: >=3.12
Description-Content-Type: text/markdown
License-File: LICENSE
Provides-Extra: test
Requires-Dist: black==24.3.0; extra == "test"
Requires-Dist: flake8; extra == "test"
Requires-Dist: pre-commit==3.7.0; extra == "test"
Dynamic: license-file

# NetBox RPKI Plugin

Bring RPKI inventory, validation, routing intent, and hosted-provider workflows into NetBox 4.5.x.

`netbox_rpki` extends NetBox with a broad RPKI data model plus the operational workflows needed to ingest validator state, model publication intent, reconcile intent against published objects, and manage write-back to supported providers. The detailed reference documentation lives in the Sphinx site; this README is the top-level summary required to evaluate whether the plugin fits a deployment.

<img src="images/nb_rpki-icon-new.svg" alt="NetBox RPKI plugin icon" width="512">

* Free software: Apache-2.0
* [Documentation](https://menckend.github.io/netbox_rpki)
* [Repository](https://github.com/menckend/netbox_rpki)
* [Python Package](https://pypi.org/project/netbox_rpki/)

## Summary

The plugin is aimed at operators who want NetBox to hold both raw RPKI state and higher-level publication intent.

- Track native RPKI inventory such as certificates, ROAs, ASPAs, manifests, signed objects, repositories, and publication points
- Import external observations from validators and hosted providers
- Author ROA and ASPA intent, simulate changes, reconcile drift, and retain approval history
- Expose the same object families through the NetBox UI, REST API, GraphQL, tables, and navigation

## Compatibility

The plugin declares NetBox compatibility for the 4.5.x release line in `netbox-plugin.yaml`. Verification has been completed against real development installs of NetBox 4.5.0 and NetBox 4.5.7, covering plugin bootstrap, `manage.py check`, provider-sync, models, API, GraphQL, view, and navigation suites, browser smoke testing, and the full routing-intent and bulk-authoring workflow.

| NetBox | Python | Status | Notes |
| --- | --- | --- | --- |
| 4.5.0 | 3.12 | GA | Release-gated developer install verified end-to-end. |
| 4.5.7 | 3.12 | GA | Release-gated developer install verified end-to-end. |
| 4.5.x | 3.12 | Beta | Supported release line, but exact patch combinations other than the GA anchors are not release-gated. |
| 4.5.x | 3.13 - 3.14 | Best effort | Allowed for operator evaluation and covered by the compatibility contract tests, but not release-gated. |
| < 4.5 or >= 4.6 | any | Unsupported | Outside the plugin compatibility window. |
| 4.5.x | < 3.12 or > 3.14 | Unsupported | Outside the documented Python range. |

Non-GA combinations emit a `RuntimeWarning` during plugin startup so that unsupported and best-effort deployments are visible before operators proceed.

Operators can also run `manage.py diagnose_netbox_rpki --format text|json` after installation to verify plugin registration, migrations, Redis-backed job prerequisites, and integration wiring before troubleshooting workflow-specific failures.

Contributors who need a real hosted-provider integration path without RIR test credentials can use the documented public Krill testbed workflow in `LOCAL_DEV_SETUP.md`, including the `devrun/public-krill-testbed.sh` helper for the `live-provider` lane.

## Dependencies

| Component | Required for | Supported versions | Notes |
| --- | --- | --- | --- |
| NetBox | All plugin functionality | 4.5.0 to 4.5.99 | The certified support window currently targets the NetBox 4.5 release line. |
| Python | All plugin functionality | 3.12 to 3.14 | 3.12 is the release-gated version today. |
| PostgreSQL | NetBox runtime and tests | NetBox-supported versions for 4.5.x | Required by NetBox itself; the plugin does not replace this dependency. |
| Redis | NetBox runtime and tests | NetBox-supported versions for 4.5.x | Required by NetBox task and caching subsystems. |
| Routinator | Validator import workflows | Current API compatible `jsonext` endpoint or snapshot export | Optional unless validator-ingest features are used. |
| Krill | Hosted-provider sync and write-back workflows | API-compatible Krill deployments | Optional unless Krill-backed provider workflows are used. |
| ARIN RPKI API | Hosted-provider sync workflows | Current ARIN API behavior supported by the plugin | Optional unless ARIN-backed provider workflows are used. |
| IRRd-compatible service | IRR snapshot and coordination workflows | IRRd-compatible HTTP/WHOIS source | Optional unless IRR ingest and coordination workflows are used. |
| Node.js and Playwright | Browser E2E development workflow | Node 18+ and the Playwright version pinned in `package-lock.json` | Optional for plugin runtime; used only for browser smoke tests. |

## Installation

To add the plugin to a netbox-docker setup, see
[the general instructions for using netbox-docker with plugins](https://github.com/netbox-community/netbox-docker/wiki/Using-Netbox-Plugins).

Install using pip:

```bash
pip install netbox_rpki
```

or by adding it to your `local_requirements.txt` or `plugin_requirements.txt` (netbox-docker):

```text
netbox_rpki
```

Enable the plugin in `/opt/netbox/netbox/netbox/configuration.py`, or, if you use netbox-docker, in your `/configuration/plugins.py` file:

```python
PLUGINS = [
   'netbox_rpki',
]

PLUGINS_CONFIG = {
   'netbox_rpki': {
      'top_level_menu': False,
      'structured_logging': {
         'debug_subsystems': ['provider_sync', 'provider_write'],
      },
   },
}
```

Run `python manage.py migrate` from the NetBox project directory of your installation, then run `python manage.py check` to confirm the plugin loads cleanly.

`structured_logging.debug_subsystems` accepts subsystem names such as `provider_sync`, `provider_write`, `irr_sync`, `irr_write`, `external_validation`, `lifecycle_hooks`, and `jobs`. When enabled, those subsystems emit additional structured debug events with consistent redaction of credentials, bearer/basic auth headers, webhook signatures, and write payload bodies.
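As an added illustration of the redaction the debug subsystems are described as applying (example code written for this README, not the plugin's own logging implementation), the following filter masks credentials, bearer/basic auth headers, webhook signature headers and write payload bodies in a structured event before it is emitted. The key and header names it matches on are assumptions, and the sample event is constructed.

```python
"""Redaction of a structured debug event before it is logged.

Added example, not netbox_rpki's own code. Key names, header names and the
sample event are assumptions made for the illustration.
"""
import copy
import re

# Keys whose values are secrets wherever they appear (assumed names).
SECRET_KEYS = {"password", "token", "api_key", "secret", "client_secret"}
# Header names that carry credentials or request signatures (assumed names).
SENSITIVE_HEADERS = {
    "authorization", "proxy-authorization",
    "x-hub-signature-256", "x-webhook-signature",
}
# Keys whose values are request/response bodies sent to a provider (assumed).
BODY_KEYS = {"payload", "body", "request_body"}

_AUTH_SCHEME = re.compile(r"^(Bearer|Basic)\s+\S+", re.IGNORECASE)
REDACTED = "[REDACTED]"


def _redact_header(name: str, value: str) -> str:
    """Keep the auth scheme (useful when debugging) but drop the credential."""
    if name not in SENSITIVE_HEADERS:
        return value
    match = _AUTH_SCHEME.match(value)
    if match:
        return f"{match.group(1)} {REDACTED}"
    return REDACTED


def redact_event(event: dict) -> dict:
    """Return a deep copy of a structured event with sensitive data masked.

    Walks nested dicts and lists so secrets are caught at any depth, including
    inside a 'headers' mapping. Bodies are replaced by their byte length so the
    event still records that a payload was sent without storing its contents.
    """
    def walk(node, in_headers=False):
        if isinstance(node, dict):
            out = {}
            for key, value in node.items():
                lkey = str(key).lower()
                if in_headers and isinstance(value, str):
                    out[key] = _redact_header(lkey, value)
                elif lkey in SECRET_KEYS:
                    out[key] = REDACTED
                elif lkey in BODY_KEYS:
                    raw = value if isinstance(value, bytes) else str(value).encode()
                    out[key] = f"<{len(raw)} bytes redacted>"
                else:
                    out[key] = walk(value, in_headers=(lkey == "headers"))
            return out
        if isinstance(node, list):
            return [walk(item, in_headers) for item in node]
        return node

    return walk(copy.deepcopy(event))


# Constructed sample event resembling a provider_write debug record (not real data).
SAMPLE_EVENT = {
    "subsystem": "provider_write",
    "provider": "krill",
    "request": {
        "method": "POST",
        "url": "https://krill.example.test/api/v1/cas/example/routes",
        "headers": {
            "Authorization": "Bearer krill-token-CONSTRUCTED",
            "Content-Type": "application/json",
        },
        "body": '{"added":[{"asn":"AS64500","prefix":"192.0.2.0/24"}]}',
    },
    "account": {"name": "example-ca", "api_key": "CONSTRUCTED-KEY"},
}


if __name__ == "__main__":
    import json
    print(json.dumps(redact_event(SAMPLE_EVENT), indent=2))
```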

## Maintainer Engagement

Use GitHub issues for bug reports, feature requests, and documentation requests. The repo ships issue templates under `.github/ISSUE_TEMPLATE/` for those entry points.

## User Support

User support currently runs through the same public GitHub issue tracker used for bugs and documentation requests. There is no separate commercial support, discussion forum, or Slack channel maintained specifically for this plugin at this time.

## Features

Implements NetBox models, API endpoints, GraphQL types, tables, and UI views across the following functional areas:

**RPKI inventory** covers organizations, resource certificates, ROAs, ROA prefixes, certificate prefixes, and certificate ASNs. Resource certificates and ROAs carry optional links into the broader RPKI object hierarchy through trust-anchor, publication-point, and signed-object references.

**Repository and publication infrastructure** models the full RPKI signed-object and publication hierarchy: repositories, publication points, trust anchors, trust anchor locators, trust anchor keys, end-entity certificates, a generic signed-object type, CRLs, revoked certificate references, manifests, manifest entries, ASPAs, ASPA providers, RSCs, RSC file hashes, and BGPsec router certificates.

**External validator import** captures and retains normalized output from external RPKI validators. Validator instances, validation runs, object validation results, and validated ROA and ASPA payload records hold imported observations. The included Routinator adapter ingests `jsonext` output from either the live API or exported snapshot files.

**Routing intent** lets operators define and manage publication intent for ROAs and ASPAs. Routing intent profiles, rules, context groups, context criteria, and policy bundles express derivation policy. ROA intent overrides handle explicit per-prefix exceptions. Reusable templates, template rules, template bindings, and typed exceptions support scalable policy authoring across organizations. Bulk intent runs with per-scope results drive organization-scoped derivation, and the operations dashboard surfaces stale bindings, expiring exceptions, and recent bulk-run health.

**ROA and ASPA reconciliation** compares derived intent against published objects. Intent derivation runs, ROA intent rows, match records, reconciliation runs, intent results, and published results form the ROA reconciliation pipeline. A parallel family covers ASPA reconciliation. External management exceptions let operators record approved, time-bounded exceptions for prefixes or objects that remain intentionally managed outside the plugin, while keeping those results visible in reconciliation. All derivation and reconciliation run and result objects are read-only reporting surfaces.

**ROA lint** provides configurable quality analysis of locally recorded ROA inventory through lint runs, findings, acknowledgements, suppressions, and per-rule configurations.

**ROA and ASPA change planning and write-back** supports reviewed, approved, and rollback-capable publication of ROA and ASPA changes to hosted providers. ROA change plans, change plan items, approval records, provider write executions, and rollback bundles implement the ROA write-back workflow. A parallel ASPA change plan family covers ASPA write-back. ROA validation simulation runs and results let operators preview approval impact before committing.

**Hosted provider synchronization** imports and tracks publication state for Krill and ARIN accounts. Provider accounts, sync runs, snapshots, snapshot diffs, and diff items manage import lifecycle. Imported families include ROA authorizations, ASPAs, CA metadata, parent and child CA links, resource entitlements, publication points, signed objects, and certificate observations. Stable evidence summaries on imported objects support publication-linkage, authored-linkage, freshness, and family-level churn reporting without generating false diffs across unchanged snapshots. ARIN currently supports ROA synchronization only; the shared reporting contract preserves that capability boundary explicitly.

**IRR snapshot import** provides a read-only correlation substrate for validating plugin-managed RPKI intent against externally managed IRR/RPSL intent. IRR sources and retained snapshots hold normalized imported objects (`route`, `route6`, `route-set`, `as-set`, `aut-num`, `mntner`) from configured external IRR sources. Coordination runs and results compare RPKI-derived intent against observed IRR state. IRR change plans and write executions model planned corrections to external IRR records based on coordination findings. The included adapter targets IRRd-compatible sources; snapshot-file import is also supported.

**Delegated authorization** models operator posture for delegated RPKI entities. Delegated authorization entities, managed authorization relationships, authored CA relationships, authored AS-sets, and delegated publication workflows track delegated topology and publication state. Delegation workflows support API and web-UI approval, and detail views expose readiness, approval state, and authored-topology linkage summaries.

**BGP telemetry** captures imported MRT-derived route-visibility data through telemetry sources, telemetry runs, and BGP path observations. Each observation stores raw AS-path text, normalized ASN-sequence JSON, and a stable path hash for correlation and historical comparison against intent and reconciliation surfaces.

**Lifecycle health** provides a structured event substrate for tracking certificate and object lifecycle health through policies, hooks, and events.

### Models / DB tables

#### Core inventory models

#### Organization
   - Represents a customer or consumer of RIR RPKI services.
   - Fields include `org_id`, `name`, `ext_url`, and `parent_rir`.

#### Resource Certificate
   - Represents an RPKI resource certificate.
   - Tracks identity and lifecycle fields including `issuer`, `subject`, `serial`, `valid_from`, `valid_to`, `auto_renews`, `public_key`, `publication_url`, `ca_repository`, `self_hosted`, and `rpki_org`.
   - Links optionally to a trust anchor and a publication point.

#### Route Origination Authorization (ROA)
   - Represents an RPKI ROA authorizing origination of one or more prefixes by an ASN.
   - Tracks `origin_as`, validity dates, `auto_renews`, and the signing resource certificate.
   - Links optionally to a signed object record.

#### ROA Prefix
   - Represents the attestation relationship between a ROA and a prefix, including `max_length`.
   - Available through the plugin but not a top-level menu item.

#### Certificate Prefix
   - Represents the relationship between a resource certificate and a prefix.
   - Available through the plugin but not a top-level menu item.

#### Certificate ASN
   - Represents the relationship between a resource certificate and an ASN.
   - Available through the plugin but not a top-level menu item.

#### Repository and publication models

#### Repository
   - Represents an rsync, RRDP, or mixed repository endpoint.

#### Publication Point
   - Represents a publication location within a repository and tracks retrieval and validation state.

#### Trust and certificate hierarchy models

#### Trust Anchor
   - Represents a trust anchor and its rollover state.

#### Trust Anchor Locator
   - Stores TAL-style discovery information for a trust anchor.

#### Trust Anchor Key
   - Represents a published trust-anchor key object and its rollover relationships.

#### End-Entity Certificate
   - Represents the EE certificate used to sign individual RPKI signed objects.

#### Signed object and repository-integrity models

#### Signed Object
   - Generic record for published RPKI signed objects including ROAs, manifests, ASPAs, RSCs, and trust-anchor keys.
   - Tracks object type, publication metadata, manifest linkage, CMS metadata, validity, and validation state.

#### Certificate Revocation List
   - Represents a CRL issued by a resource certificate, linked to publication and manifest state.

#### Revoked Certificate
   - Represents an individual revoked certificate or EE certificate reference carried by a CRL.

#### Manifest
   - Represents an RPKI manifest object.

#### Manifest Entry
   - Represents an individual manifest member, with optional links to the referenced signed object, certificate, EE certificate, or CRL.

#### Additional signed-object families

#### ASPA
   - Represents an Autonomous System Provider Authorization object.

#### ASPA Provider
   - Represents a provider ASN authorized by an ASPA.

#### RSC
   - Represents an RPKI Signed Checklist object.

#### RSC File Hash
   - Represents an individual file-hash member of an RSC.

#### Router Certificate
   - Represents a BGPsec router certificate tied to an ASN, resource certificate, and publication point.

#### Validation and validated-payload models

#### Validator Instance
   - Represents an external RPKI validator and its current run state.

#### Validation Run
   - Represents one validation execution against repository content.

#### Object Validation Result
   - Stores validation outcome and disposition for an individual signed object.

#### Validated ROA Payload
   - Represents a validated prefix-origin payload imported from a validator run.

#### Validated ASPA Payload
   - Represents a validated customer-provider authorization payload imported from a validator run.

#### Routing intent authoring models

#### Routing Intent Profile
   - Defines routing-intent policy defaults, derivation trigger mode, and prefix or ASN selection behavior for an organization.

#### Routing Intent Rule
   - Represents an ordered rule used to include, exclude, or modify ROA or ASPA intent during derivation.

#### Routing Intent Context Group
   - Groups related context criteria for scoped rule evaluation.

#### Routing Intent Context Criterion
   - Represents an individual matching criterion within a context group.

#### Routing Intent Policy Bundle
   - Collects a set of profiles and their associated rules into a reusable policy bundle.

#### ROA Intent Override
   - Represents an explicit per-prefix or per-scope exception to derived ROA intent.

#### Routing Intent Template
   - Represents a reusable routing-intent template that can be bound to organizations to generate profiles and rules.

#### Routing Intent Template Rule
   - Represents an ordered rule within a routing intent template.

#### Routing Intent Template Binding
   - Represents the association between a template and a target organization, including binding state and generated profile references.

#### Routing Intent Exception
   - Represents a typed exception encountered during intent derivation, with configurable effect modes.

#### Bulk Intent Run
   - Represents an organization-scoped bulk derivation run, including trigger mode, target scope, and overall run health.

#### Bulk Intent Run Scope Result
   - Stores the per-scope result of a single organization within a bulk intent run.

#### ROA reconciliation models

#### Intent Derivation Run
   - Stores metadata for a derived-intent calculation run.
   - Read-only reporting surface.

#### ROA Intent
   - Represents a derived ROA intent row tied to a derivation run, profile, scope, and optional override.
   - Read-only reporting surface.

#### ROA Intent Match
   - Stores a candidate match between a derived intent row and a locally recorded ROA.
   - Read-only reporting surface.

#### ROA Reconciliation Run
   - Stores metadata for a reconciliation comparison between ROA intent and published ROA records.
   - Read-only reporting surface.

#### ROA Intent Result
   - Stores the intent-side reconciliation result for a derived ROA intent row.
   - Read-only reporting surface.

#### Published ROA Result
   - Stores the published-side reconciliation result for a recorded ROA.
   - Read-only reporting surface.

#### ASPA reconciliation models

#### ASPA Intent
   - Represents a derived ASPA intent row tied to a derivation run, profile, and scope.
   - Read-only reporting surface.

#### ASPA Intent Match
   - Stores a candidate match between a derived ASPA intent row and a locally recorded ASPA.
   - Read-only reporting surface.

#### ASPA Reconciliation Run
   - Stores metadata for a reconciliation comparison between ASPA intent and published ASPA records.
   - Read-only reporting surface.

#### ASPA Intent Result
   - Stores the intent-side reconciliation result for a derived ASPA intent row.
   - Read-only reporting surface.

#### Published ASPA Result
   - Stores the published-side reconciliation result for a recorded ASPA.
   - Read-only reporting surface.

#### ROA lint models

#### ROA Lint Run
   - Represents one execution of the ROA lint analysis against locally recorded ROA inventory.

#### ROA Lint Finding
   - Represents an individual quality finding produced during a lint run.

#### ROA Lint Acknowledgement
   - Records an operator acknowledgement of a lint finding.

#### ROA Lint Suppression
   - Represents a configured suppression rule that mutes specific lint finding types.

#### ROA Lint Rule Config
   - Stores per-rule configuration controlling lint severity and enablement.

#### External Management Exception
   - Records an approved external-management exception for a ROA prefix, ROA object, ASPA customer scope, or imported/local published object, including owner, reason, start, review, and end dates.

#### ROA change plan and write-back models

#### ROA Change Plan
   - Represents a set of planned ROA create, update, or delete operations against a hosted provider, including approval and execution state.

#### ROA Change Plan Item
   - Represents an individual ROA operation within a change plan.

#### Approval Record
   - Records an approval decision for a change plan, including approver identity and timestamp.

#### Provider Write Execution
   - Represents one execution of a change plan against the target hosted provider, including per-item outcomes.

#### ROA Change Plan Rollback Bundle
   - Stores the rollback state for a completed ROA change plan execution.

#### ASPA change plan and write-back models

#### ASPA Change Plan
   - Represents a set of planned ASPA create, update, or delete operations against a hosted provider, including approval and execution state.

#### ASPA Change Plan Item
   - Represents an individual ASPA operation within an ASPA change plan.

#### ASPA Change Plan Rollback Bundle
   - Stores the rollback state for a completed ASPA change plan execution.

#### ROA validation simulation models

#### ROA Validation Simulation Run
   - Represents a simulation run that evaluates how a set of planned ROA changes would affect RPKI validation outcomes for observed routes.

#### ROA Validation Simulation Result
   - Stores the per-route validation outcome and approval impact produced by a simulation run.
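
The validation outcome a simulation run produces is ordinary RFC 6811 route origin validation applied twice: once against the ROAs recorded today and once against the ROA set that would exist after the planned changes. The block below is an added example, not code from the netbox_rpki plugin or its simulation models; the `Roa`, `Route`, plan-item tuple shapes, and the sample prefixes, ASNs, and plan are constructed for illustration.

```python
"""Route origin validation (RFC 6811) before and after a planned set of ROA changes.

Added example, not code from the netbox_rpki plugin: the plugin's simulation
models store per-route outcomes, and this block shows the validation logic that
produces such outcomes, using constructed sample ROAs, routes, and plan items.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Roa:
    prefix: str        # covered prefix, e.g. "192.0.2.0/24"
    max_length: int    # longest announced prefix length the ROA authorizes
    asn: int           # authorized origin ASN (0 means "no origin authorized")


@dataclass(frozen=True)
class Route:
    prefix: str        # observed announced prefix
    origin_asn: int    # rightmost ASN of the observed AS path


# Plan item shapes (hypothetical, constructed for this example):
#   ("create", roa), ("delete", roa), ("update", old_roa, new_roa)
PlanItem = Tuple


def covers(roa: Roa, route_net) -> bool:
    """A ROA covers a route when the route prefix equals or is more specific than the ROA prefix."""
    roa_net = ipaddress.ip_network(roa.prefix)
    if roa_net.version != route_net.version:
        return False
    return route_net.subnet_of(roa_net)


def validate(route: Route, roas: Iterable[Roa]) -> str:
    """RFC 6811 origin validation state: "Valid", "Invalid", or "NotFound"."""
    route_net = ipaddress.ip_network(route.prefix)
    covering = [r for r in roas if covers(r, route_net)]
    if not covering:
        return "NotFound"
    for r in covering:
        # One matching covering ROA (same origin, length within maxLength) is enough.
        if r.asn == route.origin_asn and route_net.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"


def apply_plan(roas: Iterable[Roa], plan: Iterable[PlanItem]) -> frozenset:
    """Return the ROA set that would exist after every plan item is executed."""
    current = set(roas)
    for item in plan:
        op = item[0]
        if op == "create":
            current.add(item[1])
        elif op == "delete":
            current.discard(item[1])
        elif op == "update":
            current.discard(item[1])
            current.add(item[2])
        else:
            raise ValueError(f"unknown plan operation: {op!r}")
    return frozenset(current)


def simulate(routes: Iterable[Route], roas: Iterable[Roa], plan: Iterable[PlanItem]) -> List[dict]:
    """Per-route outcome before and after the plan, flagging Valid -> non-Valid regressions."""
    roas = list(roas)
    after = apply_plan(roas, plan)
    results = []
    for route in routes:
        before_state = validate(route, roas)
        after_state = validate(route, after)
        results.append({
            "route": route,
            "before": before_state,
            "after": after_state,
            # A route that is Valid today and would stop being Valid is the
            # kind of impact an approver needs to see before the plan executes.
            "regression": before_state == "Valid" and after_state != "Valid",
        })
    return results


# Constructed sample inventory: documentation prefixes and private-use ASNs.
SAMPLE_ROAS = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("2001:db8::/32", 48, 64496),
]
SAMPLE_ROUTES = [
    Route("192.0.2.0/24", 64496),      # Valid today
    Route("192.0.2.0/25", 64496),      # Invalid today: longer than maxLength 24
    Route("198.51.100.0/24", 64497),   # NotFound today: no covering ROA
    Route("2001:db8:1::/48", 64496),   # Valid today
]
SAMPLE_PLAN = [
    ("update", Roa("192.0.2.0/24", 24, 64496), Roa("192.0.2.0/24", 25, 64496)),
    ("create", Roa("198.51.100.0/24", 24, 64497)),
    ("delete", Roa("2001:db8::/32", 48, 64496)),
]

if __name__ == "__main__":
    for r in simulate(SAMPLE_ROUTES, SAMPLE_ROAS, SAMPLE_PLAN):
        flag = " REGRESSION" if r["regression"] else ""
        print(f"{r['route'].prefix} AS{r['route'].origin_asn}: {r['before']} -> {r['after']}{flag}")
```

With the sample data, the maxLength update and the new ROA turn two routes Valid, while deleting the IPv6 ROA drops a currently Valid route to NotFound; that last transition is the one flagged as a regression, which is the approval impact a simulation result is meant to surface before a change plan is executed.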

#### Provider account and sync models

#### RPKI Provider Account
   - Represents a Krill or ARIN hosted-provider account, including connection parameters, sync state, and capability metadata.

#### Provider Sync Run
   - Represents one import execution against a provider account.

#### Provider Snapshot
   - Represents the normalized state of a provider account's published objects at the time of a sync run, with family-level rollup summaries.

#### Provider Snapshot Diff
   - Represents the diff between two consecutive provider snapshots, with family-level churn summaries.

#### Provider Snapshot Diff Item
   - Represents an individual create, update, or delete change between two snapshots.

#### Imported provider inventory models

#### External Object Reference
   - Stores a stable external identity reference linking an imported object to its provider-assigned identifier.

#### Imported ROA Authorization
   - Represents an imported ROA authorization record from a hosted provider, including evidence summaries for publication linkage, authored linkage, and source ambiguity.

#### Imported ASPA
   - Represents an imported ASPA record from a hosted provider.

#### Imported ASPA Provider
   - Represents an individual provider ASN within an imported ASPA.

#### Imported CA Metadata
   - Represents imported metadata about a CA instance within a hosted provider account.

#### Imported Parent Link
   - Represents an imported parent CA relationship observed on a provider account.

#### Imported Child Link
   - Represents an imported child CA relationship observed on a provider account.

#### Imported Resource Entitlement
   - Represents an imported IP prefix or ASN resource entitlement associated with a CA within a provider account.

#### Imported Publication Point
   - Represents an imported publication point observation from a hosted provider, with evidence summaries for publication linkage and freshness.

#### Imported Signed Object
   - Represents an imported signed object observation from a hosted provider, with evidence summaries for manifest linkage and publication state.

#### Imported Certificate Observation
   - Represents an imported certificate observation associated with a CA within a provider account.

#### IRR import models

#### IRR Source
   - Represents a configured external IRR source used to import RPSL objects for RPKI intent correlation.

#### IRR Snapshot
   - Represents a retained snapshot of imported IRR data from a source, including import status and object counts by family.

#### Imported IRR Route Object
   - Represents an imported `route` or `route6` RPSL object from an IRR snapshot.

#### Imported IRR Route Set
   - Represents an imported `route-set` RPSL object from an IRR snapshot.

#### Imported IRR Route Set Member
   - Represents an individual member of an imported route set.

#### Imported IRR AS Set
   - Represents an imported `as-set` RPSL object from an IRR snapshot.

#### Imported IRR AS Set Member
   - Represents an individual ASN or nested set reference within an imported AS set.

#### Imported IRR Aut-Num
   - Represents an imported `aut-num` RPSL object from an IRR snapshot.

#### Imported IRR Maintainer
   - Represents an imported `mntner` RPSL object from an IRR snapshot.

#### IRR Coordination Run
   - Represents one execution of RPKI-vs-IRR coordination analysis, comparing plugin-managed RPKI intent against imported IRR data.

#### IRR Coordination Result
   - Stores the per-object comparison result from a coordination run.

#### IRR Change Plan
   - Represents a set of planned corrections to external IRR records based on coordination findings.

#### IRR Change Plan Item
   - Represents an individual IRR object operation within a change plan.

#### IRR Write Execution
   - Represents one execution of an IRR change plan against the target IRR source.

#### Delegated authorization models

#### Delegated Authorization Entity
   - Represents an operator or organization that holds delegated RPKI authority, including posture and readiness state.

#### Managed Authorization Relationship
   - Represents a managed authorization relationship between a delegating authority and a delegated entity, including role and approval state.

#### Delegated Publication Workflow
   - Represents a publication workflow initiated by a delegated entity, including approval state and authored object references.

#### Authored CA Relationship
   - Represents a modeled CA relationship between two entities in the plugin's delegated topology, including relationship type and status.

#### Authored AS Set
   - Represents an AS-set authored by a delegated entity, used for routing-intent and delegation scope purposes.

#### Authored AS Set Member
   - Represents an individual ASN or nested set reference within an authored AS set.

#### BGP telemetry models

#### Telemetry Source
   - Represents a configured source of MRT-derived BGP telemetry data.

#### Telemetry Run
   - Represents one import execution against a telemetry source.

#### BGP Path Observation
   - Represents an observed BGP path from an imported telemetry snapshot.
   - Stores raw AS-path text, normalized ASN-sequence JSON, and a stable path hash for correlation and historical comparison.
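
Storing a normalized sequence and a stable hash beside the raw path text is what lets two observations of the same path be matched across runs even when the raw text differs in whitespace, `AS` prefixes, or prepend counts. The block below is an added example, not the plugin's own code; the page does not state how the plugin normalizes paths, so the rules used here (strip `AS` prefixes, collapse consecutive prepends, represent an AS_SET as a sorted list, hash the canonical JSON with SHA-256) and the sample path strings are this example's assumptions.

```python
"""Normalize raw AS-path text into an ASN-sequence JSON document and a stable hash.

Added example, not code from the netbox_rpki plugin. The normalization rules
below are assumptions made for illustration, not the plugin's documented rules.
"""
import hashlib
import json
import re
from typing import List, Optional, Union

# An AS_SEQUENCE member is an int; an AS_SET is a sorted list of ints.
PathElement = Union[int, List[int]]

# A token is either a brace-delimited AS_SET or a run of non-whitespace.
_TOKEN = re.compile(r"\{[^}]*\}|\S+")


def _parse_asn(token: str) -> int:
    """Accept "64496" or "AS64496"; reject anything that is not a 32-bit ASN."""
    token = token.upper()
    if token.startswith("AS"):
        token = token[2:]
    if not token.isdigit():
        raise ValueError(f"not an ASN: {token!r}")
    asn = int(token)
    if asn > 0xFFFFFFFF:
        raise ValueError(f"ASN out of range: {asn}")
    return asn


def normalize_as_path(raw: str, collapse_prepends: bool = True) -> List[PathElement]:
    """Parse raw AS-path text into a list of ints (sequence) and sorted lists (AS_SET)."""
    elements: List[PathElement] = []
    for tok in _TOKEN.findall(raw.strip()):
        if tok.startswith("{"):
            members = sorted({_parse_asn(m) for m in re.split(r"[\s,]+", tok[1:-1].strip()) if m})
            if not members:
                raise ValueError("empty AS_SET")
            elements.append(members)
        else:
            asn = _parse_asn(tok)
            # Prepends (the same ASN repeated) do not change who originated or
            # transited the route, so by default they are collapsed to one entry.
            if collapse_prepends and elements and elements[-1] == asn:
                continue
            elements.append(asn)
    return elements


def path_json(elements: List[PathElement]) -> str:
    """Canonical JSON: compact separators, no whitespace, so equal paths serialize identically."""
    return json.dumps(elements, separators=(",", ":"))


def path_hash(elements: List[PathElement]) -> str:
    """Stable identifier for correlation across runs: SHA-256 of the canonical JSON."""
    return hashlib.sha256(path_json(elements).encode("ascii")).hexdigest()


def origin_asn(elements: List[PathElement]) -> Optional[int]:
    """The origin is the rightmost element; a trailing AS_SET gives no single origin."""
    if not elements or isinstance(elements[-1], list):
        return None
    return elements[-1]


def observe(raw: str) -> dict:
    """Build the three stored forms (raw text, normalized JSON, hash) plus the origin."""
    elements = normalize_as_path(raw)
    return {
        "raw": raw,
        "normalized": path_json(elements),
        "hash": path_hash(elements),
        "origin_asn": origin_asn(elements),
    }


# Constructed sample paths using private-use ASNs.
SAMPLE_PATHS = [
    "64496 64497 64497 64498",          # prepended once by AS64497
    "AS64496 AS64497 AS64498",          # same path written with AS prefixes
    "64496 64497 {64499,64498}",        # terminates in an AS_SET
]

if __name__ == "__main__":
    for raw in SAMPLE_PATHS:
        obs = observe(raw)
        print(f"{raw!r:36} -> {obs['normalized']} origin={obs['origin_asn']} hash={obs['hash'][:16]}...")
```

The first two sample strings hash to the same value, which is the property a correlation key needs; the AS_SET case yields no origin ASN, so a consumer that feeds origins into route origin validation must treat that observation separately rather than guessing a member of the set.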

#### Lifecycle health models

#### Lifecycle Health Policy
   - Defines a set of lifecycle health rules applied to a monitored RPKI object family.

#### Lifecycle Health Hook
   - Represents a configured hook within a lifecycle health policy that triggers on specific lifecycle events or conditions.

#### Lifecycle Health Event
   - Represents a recorded lifecycle health event produced by a hook evaluation.

## Screenshots

### RPKI Organizations/Certificates/Resources

![image](/images/rpki-org-detail.png)

![image](/images/rpki-cert-detail.png)

![image](/images/rpki-certasn-detail.png)

![image](/images/rpki-certprefix-detail.png)

### RPKI ROAs

![image](/images/rpki-roa-detail.png)

![image](/images/rpki-roaprefix-detail.png)

## Browser E2E Tests

The repo includes a minimal Playwright suite under `tests/e2e/` for real plugin Web UI CRUD coverage.

- It targets a running local NetBox dev instance, defaulting to `http://127.0.0.1:8000`
- It logs in as the local `admin` user created by `devrun/dev.sh start`
- It prepares only the core NetBox prerequisites the plugin forms depend on and cleans up prior E2E-marked plugin objects
- It does not require `dev.sh seed`, though seeded data remains compatible with the suite
- The recommended entry point in WSL is `cd devrun && ./dev.sh e2e`

See `tests/e2e/README.md` for setup, environment variables, and exact commands.
