AI Agent Enforcement And Anti Bypass Model
CAVRA must be enforced at trusted engineering boundaries, not only inside an AI coding agent prompt or local wrapper. An agent can ignore local instructions if it has raw shell, Git, cloud, or API credentials. The production model is layered: CAVRA guides agents before action, and repository, CI, runner, package, and deployment controls reject work that lacks valid CAVRA evidence.
Defensible claim:
AI agents may choose whether to cooperate locally, but protected branches, required checks, governed runners, and deployment gates must reject unverified work that did not pass through CAVRA.
Non-defensible claim:
No agent can bypass CAVRA anywhere.
That is only true in a fully controlled environment where the agent has no direct credentials, no unrestricted shell, no unmanaged network path, no direct repository write access, and no ability to disable policy gates.
| Layer | Goal | CAVRA control |
|---|---|---|
| Agent adapter | Encourage pre-action evaluation | Claude Code/Codex/MCP wrappers call CAVRA before file, command, Git, and MCP actions. |
| Local runtime | Reduce accidental bypass | Go/Python runtime guard, daemon mode, command wrappers, policy packs, and evidence generation. |
| Git identity | Prevent anonymous automation | Transparent bot identities, .github/agents/ manifests, branch naming, signed commits where available. |
| Pull request | Block ungoverned changes | PR template, CAVRA attestation, required review, CODEOWNERS, docs and test evidence. |
| Branch protection | Enforce merge boundary | Required cavra-required-check, required reviews, stale review dismissal, no direct push, no force push, no bypass. |
| CI runner | Re-evaluate in trusted automation | Required workflow verifies policy, evidence, PR attestation, tests, and boundary rules. |
| Release/package | Prevent unverified artifacts | Signed release package, SBOM, provenance, release evidence, keyless attestations. |
| Deployment | Prevent unverified rollout | Environment protection, deployment approvals, rollout evidence, immutable evidence storage. |
- Require pull request before merge.
- Require at least one non-author review.
- Dismiss stale approvals when new commits are pushed.
- Require conversation resolution.
- Require CodeQL or equivalent security checks.
- Require cavra-required-check.
- Restrict who can push to protected branches.
- Disable force pushes and branch deletion.
- Enable "Do not allow bypassing the above settings" where available.
- Bind required status checks to the expected GitHub App or workflow source when supported.
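The settings above are only a merge boundary if someone verifies they are actually set. The checker below is an added example, not CAVRA's own code: it walks an exported branch-protection object and reports which of the bullets above it fails to satisfy. It assumes the JSON shape returned by the GitHub REST API `GET /repos/{owner}/{repo}/branches/{branch}/protection`; the sample object, the check name `cavra-required-check`, the security-check name `CodeQL`, and the app id `12345` are constructed or assumed for the example.

```python
"""Evaluate an exported GitHub branch-protection object against the
merge-boundary settings listed above.

Added example, not CAVRA's own code. The field names follow the GitHub REST
API branch-protection response; the sample below is constructed for the
example and represents a repo that still allows admin bypass and has no
required CAVRA check.
"""
import json

SAMPLE_PROTECTION = json.loads("""
{
  "required_status_checks": {
    "strict": true,
    "contexts": ["CodeQL"],
    "checks": [{"context": "CodeQL", "app_id": 57789}]
  },
  "enforce_admins": {"enabled": false},
  "required_pull_request_reviews": {
    "dismiss_stale_reviews": true,
    "require_code_owner_reviews": true,
    "required_approving_review_count": 1
  },
  "required_conversation_resolution": {"enabled": true},
  "allow_force_pushes": {"enabled": false},
  "allow_deletions": {"enabled": true},
  "restrictions": {"users": [], "teams": [{"slug": "release-managers"}], "apps": []}
}
""")

REQUIRED_CHECK = "cavra-required-check"   # check name taken from this page
SECURITY_CHECKS = ("CodeQL",)             # any one of these satisfies the rule


def _enabled(obj, key):
    """GitHub encodes most protection booleans as {"enabled": bool}; absent means off."""
    return bool((obj.get(key) or {}).get("enabled", False))


def evaluate_protection(protection, expected_app_id=None):
    """Return (rule, passed, detail) tuples, one per bullet in the list above."""
    findings = []
    reviews = protection.get("required_pull_request_reviews")
    findings.append(("pull request required", reviews is not None, "no review rule"))
    count = (reviews or {}).get("required_approving_review_count", 0)
    findings.append(("at least one non-author review", count >= 1, f"count={count}"))
    findings.append(("stale approvals dismissed",
                     bool((reviews or {}).get("dismiss_stale_reviews")), ""))
    findings.append(("conversation resolution",
                     _enabled(protection, "required_conversation_resolution"), ""))

    rsc = protection.get("required_status_checks") or {}
    contexts = set(rsc.get("contexts", []))
    findings.append(("security check required",
                     bool(contexts & set(SECURITY_CHECKS)), f"contexts={sorted(contexts)}"))
    findings.append((f"{REQUIRED_CHECK} required", REQUIRED_CHECK in contexts, ""))
    if expected_app_id is not None:
        # A required check that is not bound to a specific app can be satisfied
        # by any workflow that reports a status under the same name.
        bound = any(c.get("context") == REQUIRED_CHECK and c.get("app_id") == expected_app_id
                    for c in rsc.get("checks", []))
        findings.append((f"{REQUIRED_CHECK} bound to app {expected_app_id}", bound, ""))

    findings.append(("push restricted", protection.get("restrictions") is not None, ""))
    findings.append(("force pushes disabled", not _enabled(protection, "allow_force_pushes"), ""))
    findings.append(("branch deletion disabled", not _enabled(protection, "allow_deletions"), ""))
    findings.append(("admins cannot bypass", _enabled(protection, "enforce_admins"), ""))
    return findings


def failed_rules(protection, expected_app_id=None):
    """Names of the rules the exported protection does not satisfy."""
    return [rule for rule, ok, _ in evaluate_protection(protection, expected_app_id) if not ok]


if __name__ == "__main__":
    for rule, ok, detail in evaluate_protection(SAMPLE_PROTECTION, expected_app_id=12345):
        print(f"{'PASS' if ok else 'FAIL'}  {rule}  {detail}".rstrip())
```

Run against the constructed sample with `expected_app_id=12345`, the checker fails four rules: the CAVRA check is not required, it is not bound to the expected app, branch deletion is still allowed, and admins can bypass. The app-binding rule is the one most often skipped: without it, any workflow in the repository that reports a status named `cavra-required-check` satisfies the branch rule, which is exactly the bypass the agent manifests and governed runners are meant to prevent.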
| Bypass attempt | Expected result |
|---|---|
| Agent edits files without calling local CAVRA | PR fails because cavra-required-check cannot verify evidence. |
| Agent pushes directly to main | Branch protection rejects the push. |
| Agent opens PR without attestation | Required check fails. |
| Agent disables workflow or required check | Permission model blocks it; security monitoring alerts if an admin changes it. |
| Agent uses a personal access token | Token lacks protected-branch, ruleset, secret, and workflow-admin permissions. |
| Agent modifies CAVRA policy to allow itself | CODEOWNERS, required review, and policy-relaxation approval block merge. |
This is required for CAVRA to be credible as an enterprise AI-agent governance product.
Community Edition should provide required-check templates, agent manifests, PR attestation, evidence verification, public-safe policies, and protected-branch documentation.
Enterprise Edition should later add central agent registry enforcement, hosted policy decisions, organization-wide rollout, SIEM bypass alerts, managed runner enforcement, and SaaS dashboards for non-compliant repositories.
CAVRA includes an automated agent enforcement readiness report:

```
cavra agent enforcement-readiness --json
```

The API exposes the same report:

```
GET /agents/enforcement-readiness
```

Use `--settings agent-enforcement-settings.json` or `CAVRA_AGENT_ENFORCEMENT_SETTINGS` to include exported branch protection, required checks, and security checks. The report verifies required-check workflow coverage, agent manifests, PR template evidence language, CODEOWNERS, agentic-delivery policies, branch protection expectations, security checks, and risky workflow permission patterns.
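One of the report's categories, risky workflow permission patterns, is worth seeing concretely, because a required-check workflow with a write-all token is itself a bypass path: an agent-authored PR can make the trusted runner do the pushing. The scanner below is an added example, not CAVRA's own code or its actual rule set. It is a deliberately simple line-based scan (no YAML parser) over two constructed workflows, one risky and one hardened, and flags three patterns: `permissions: write-all`, a workflow with no explicit `permissions:` block at all, and a `pull_request_target` trigger that checks out the untrusted PR head. The finding codes and the sample workflows are invented for the example.

```python
"""Flag risky GitHub Actions permission patterns in a workflow file.

Added example, not CAVRA's own code. Line-based scan; it does not parse YAML,
so it only recognises the common spellings shown in the constructed samples.
"""
import re

# Constructed: a required-check workflow that runs untrusted PR code with a
# write-all token. pull_request_target runs in the base repo's context, so the
# secrets and GITHUB_TOKEN are the trusted ones even though the code is not.
RISKY_WORKFLOW = """
name: cavra-required-check
on:
  pull_request_target:
    types: [opened, synchronize]
permissions: write-all
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted head
      - run: cavra agent enforcement-readiness --json
"""

# Constructed: same check with a read-only token and the ordinary
# pull_request trigger, which gets a read-only token on forked PRs anyway.
HARDENED_WORKFLOW = """
name: cavra-required-check
on:
  pull_request:
permissions:
  contents: read
  pull-requests: read
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cavra agent enforcement-readiness --json
"""


def scan_workflow(text):
    """Return a sorted list of finding codes for the workflow text."""
    # Drop YAML comments so a commented-out line cannot trigger a finding.
    body = "\n".join(re.sub(r"#.*", "", line).rstrip() for line in text.splitlines())
    findings = set()

    # Top-level or job-level `permissions: write-all` grants every scope.
    if re.search(r"^\s*permissions:\s*write-all\s*$", body, re.M):
        findings.add("write-all-permissions")

    # No permissions block means the org or repo default applies, which may
    # still be read-write on older repositories.
    if not re.search(r"^\s*permissions:", body, re.M):
        findings.add("no-explicit-permissions")

    # pull_request_target plus checkout of the PR head runs untrusted code
    # with the base repository's token and secrets.
    if re.search(r"\bpull_request_target\b", body) and \
            re.search(r"github\.event\.pull_request\.head", body):
        findings.add("pull_request_target-checks-out-untrusted-head")

    return sorted(findings)


if __name__ == "__main__":
    print("risky   :", scan_workflow(RISKY_WORKFLOW))
    print("hardened:", scan_workflow(HARDENED_WORKFLOW))
```

The hardened workflow produces no findings; the risky one produces two. A real scanner would parse the YAML and inspect per-job `permissions:` maps and the `on:` block properly, but the three patterns are the ones that most directly turn a required check into a bypass.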
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?