-
Notifications
You must be signed in to change notification settings - Fork 0
AI Security Posture Dashboard Contract
CAVRA now exposes the first public-safe AI Security Posture Management dashboard contract for Community Edition. The current public implementation includes Phase A contract fields plus Phase B control coverage, near-miss visibility, public-safe trace replay packets, public-safe approval lineage, public-safe behavior fingerprints, public-safe policy context gaps, and public-safe pre-action risk forecasts, public-safe intent-to-action drift, and public-safe tool-chain risk graphing, public-safe agent blast-radius mapping, public-safe control coverage heatmap views, public-safe evidence confidence drilldowns, public-safe evidence freshness SLO panels, and deterministic public-safe executive risk narratives, and public-safe replay-to-policy draft authoring. It also includes a Community CSO Report Center and a public-safe Enterprise report delivery contract without exposing Enterprise rendering, scheduling, email delivery, tenant persistence, or license enforcement implementation.
Community Edition provides:
GET /aispm/dashboard/contractGET /aispm/dashboard/sampleGET /aispm/postureGET /aispm/agentsGET /aispm/findingsGET /aispm/timelineGET /aispm/control-coverageGET /aispm/control-coverage-heatmapGET /aispm/near-missesGET /aispm/trace-replay/{session_id}GET /aispm/approval-lineageGET /aispm/behavior-fingerprintsGET /aispm/policy-context-gapsGET /aispm/pre-action-risk-forecastsGET /aispm/intent-action-driftGET /aispm/tool-chain-graphGET /aispm/agent-blast-radiusGET /aispm/evidence-confidenceGET /aispm/evidence-freshnessGET /aispm/executive-risk-narrative- Browser-generated Community report downloads in the static
AI Postureroute GET /aispm/replay-to-policy-draftGET /aispm/replay-to-policy-tests
The public portal now includes an AI Posture route that renders the contract
with sample data by default and reads /aispm/posture when
window.CAVRA_API_BASE is configured. The route shows posture overview, agent
coverage, risk findings, control coverage, near misses, execution timeline, and
approval lineage, behavior fingerprinting, pre-action risk forecasts, and the
intent-to-action drift queue, tool-chain risk graph, agent blast-radius map, and
the raw public-safe payload. It also shows
policy context gaps for missing
environment, ownership, data, change-window, criticality, approval-route, or
trust-tier metadata.
It also includes an agent blast-radius map for observed repository, target,
tool, policy, approval, and control-surface reach per agent.
It includes a control coverage heatmap for enforced, approval-gated,
warning-only, observed, and unobserved control surfaces per agent/repository
path.
It also includes an evidence confidence drilldown for signed evidence,
activity evidence references, sample evidence, metadata-only facts, and missing
evidence.
It also includes an evidence freshness and retention SLO panel for stale
evidence, missing timestamps, retention gaps, and Enterprise archive-readiness
boundaries.
It also includes an executive risk narrative panel for CSO/CISO users that
summarizes Community-safe posture, top risks, evidence gaps, and recommended
actions.
It also includes a replay-to-policy draft panel for candidate controls derived
from observed replay decisions before reviewed policy changes are committed.
The same panel also shows replay-to-policy test fixture exports for expected
policy assertions before reviewed tests are added to CI.
The portal also offers a replay-to-policy review packet export that combines
the candidate policy draft, review-only test fixture, and reviewer checklist
into one public-safe JSON packet for PR attachment or auditor review.
The same view includes PR attachment guidance with exact packet, draft, and
fixture attachment paths plus copyable reviewer approval language, and a compact
CI gate panel plus readiness summary, rollout checklist export, audit packet export, and readiness export for GitHub Actions, GitLab CI, and Azure Pipelines setup paths.
Community trace replay reconstructs normalized decision steps, evidence references, risk classifications, and redaction status. It does not expose raw prompts, model reasoning, raw tool output, private customer context, or Enterprise replay retention logic.
Community approval lineage reconstructs "who approved what" from local approval records using approver groups, state, timestamps, decision linkage, and evidence references. Human actors are reduced to role labels; raw identity-provider claims, RBAC policy context, private routing rules, and connector payloads remain Enterprise-only.
Community behavior fingerprinting summarizes agent action profiles, decision profiles, observed repositories, control surfaces, risk signals, drift status, and evidence references. Raw prompts, reasoning traces, tool output, private customer context, and organization-specific behavior baselines remain Enterprise-only.
Community policy context gap detection identifies when local decision metadata is missing business context required for explainable governance. Private enrichment from CMDB, data catalogs, identity providers, cloud inventory, ticketing, and change calendars remains Enterprise-only.
Community pre-action risk forecasts project blast radius and likely impact from normalized local decision metadata. Private asset graphs, dependency graphs, identity blast radius, cloud inventory, runtime state, and prompt-intent context remain Enterprise-only.
Community intent-to-action drift compares declared intent metadata with observed action type, target summary, control surface, and policy outcome. Raw prompt intent extraction, reasoning analysis, conversation history, private ticket context, full tool payloads, and semantic intent models remain Enterprise-only.
Community tool-chain graphing maps agents, safe tool labels, redacted targets, policy packs, hotspots, and risk-scored execution edges from local decision metadata. Raw tool requests, tool results, connector spans, cross-system call graphs, private network targets, and Enterprise trace correlation remain Enterprise-only.
Community agent blast-radius mapping rolls normalized local activity into per-agent reach cards. It shows repositories, target classes, safe tool labels, policy packs, control surfaces, approval paths, top risks, recommended controls, and evidence references. Private asset graphs, identity permission graphs, cloud inventory, dependency graphs, secret names, and customer topology remain Enterprise-only.
Community control coverage heatmaps pivot normalized local decisions by agent, repository, and control surface. They show cell status, coverage score, action counts, evidence confidence, and recommended action. Private repository owner graphs, identity-provider claims, repository permission matrices, environment criticality, CMDB service mapping, and live organization baselines remain Enterprise-only.
Community evidence confidence drilldowns classify local decision and session evidence references as signed evidence, activity evidence references, sample evidence, metadata-only records, or missing evidence. Raw evidence payloads, private artifact contents, signature trust chains, external ticket payloads, customer data, and tenant evidence stores remain Enterprise-only.
Community evidence freshness SLOs classify local decision/session timestamps and public evidence-reference patterns only. Immutable archive probes, object-lock status, KMS key health, lifecycle policies, external archive metadata, and auditor export manifests remain Enterprise-only.
Community executive risk narratives generate deterministic, public-safe leadership summaries from local posture score, top risks, blocked and approval-gated decisions, and evidence freshness metrics. AI-assisted board summaries, private tenant trends, business owner and service criticality enrichment, customer impact analysis, scheduled executive brief delivery, and GRC/incident packet export remain Enterprise-only.
Community replay-to-policy draft authoring converts normalized block,
require-approval, warning, high, and critical decisions into a read-only policy
pack preview. It can suggest public-safe filesystem, command, Git, MCP,
approval, evidence, and compliance controls from local metadata only. It does
not write to policies/, publish policy packs, inspect raw prompts, inspect
model reasoning, read raw tool payloads, enrich from tickets or asset graphs,
simulate tenant history, or automate production write-back.
Community replay-to-policy test fixture export converts the same candidate controls into review-only JSON cases. Each case includes public-safe input metadata, expected decision metadata, evidence references, and validation notes. It does not run private simulation, generate tests from prompts or raw tool payloads, open pull requests, or write CI files.
Community replay-to-policy review packet export combines the policy draft, test fixture, checklist status, provenance, and redaction boundaries into a single review-only JSON packet. It is intended for PR attachment and auditor review only; it is not an automated approval, policy write-back, CI write-back, or production rollout action.
Community replay-to-policy review packet validation is available through
cavra aispm validate-review-packet <packet.json> and
POST /aispm/replay-to-policy-review-packet/validate. It verifies the
packaged schema, fixture case counts, review checklist totals, required human
approval, and review-only export metadata without approving or mutating any
policy files. Reusable GitHub Actions, GitLab CI, and Azure Pipelines gates are
available under examples/ for teams that want replay-derived policy and
fixture changes to require a valid review packet before merge.
Community CI gate readiness validation is available through
cavra aispm validate-ci-gate-readiness <readiness.json> --repo-root . and
POST /aispm/replay-to-policy-ci-gate-readiness/validate. It verifies the
packaged readiness schema, required check names, expected CI template paths,
review-packet linkage, and optional repository template files without writing
branch protection, connector configuration, or CI files.
The dashboard also exports a reviewer-ready Markdown rollout checklist that summarizes readiness status, validator commands, required checks, template paths, and manual branch-protection steps. It is documentation evidence only; automated branch-protection write-back remains Enterprise-only.
The same dashboard exports a public-safe rollout audit packet that bundles the readiness JSON, rollout checklist metadata, platform outcomes, evidence attachment names, and Enterprise boundary flags. It excludes raw prompts, model reasoning, customer context, and any live branch-protection mutation.
Community PR attachment guidance tells reviewers where to attach the review packet, where to commit the reviewed policy draft and fixture, and what approval wording to use. It remains advisory guidance only and does not submit, approve, or mutate pull requests.
These endpoints derive posture from local activity metadata or sample data. They do not expose private prompts, proprietary reasoning traces, Enterprise policy logic, customer data, license-server state, or SaaS tenant records.
Enterprise remains responsible for live authenticated multi-tenant posture, prompt/reasoning traces, private asset-graph forecasting, prompt-derived intent extraction, private workflow correlation, raw tool-call graphs, cross-system execution traces, full trace replay, private blast-radius enrichment, organization-wide heatmaps, immutable evidence validation, object-lock/KMS/archive lifecycle validation, AI-assisted executive narratives, replay-to-policy authoring from private prompts/reasoning/tool payloads/tickets/assets, private trend history, tenant benchmarks, Enterprise replay-to-policy test generation with tenant-history regression and approved CI write-back, organization controls, kill switch, runtime overrides, centralized retention, immutable audit exports, GRC/incident packet export, and compliance reporting.
The packaged dashboard schema is src/cavra/schemas/aispm-dashboard.schema.json.
The packaged Community trace replay schema is
src/cavra/schemas/aispm-trace-replay.schema.json, with a deterministic sample
packet at examples/aispm/community-trace-replay-sample.json.
The packaged Community approval lineage schema is
src/cavra/schemas/aispm-approval-lineage.schema.json, with a deterministic
sample packet at examples/aispm/community-approval-lineage-sample.json.
The packaged Community behavior fingerprint schema is
src/cavra/schemas/aispm-behavior-fingerprints.schema.json, with a
deterministic sample packet at
examples/aispm/community-behavior-fingerprints-sample.json.
The packaged Community policy context gap schema is
src/cavra/schemas/aispm-policy-context-gaps.schema.json, with a deterministic
sample packet at examples/aispm/community-policy-context-gaps-sample.json.
The packaged Community pre-action risk forecast schema is
src/cavra/schemas/aispm-pre-action-risk-forecasts.schema.json, with a
deterministic sample packet at
examples/aispm/community-pre-action-risk-forecasts-sample.json.
The packaged Community intent-to-action drift schema is
src/cavra/schemas/aispm-intent-action-drift.schema.json, with a
deterministic sample packet at
examples/aispm/community-intent-action-drift-sample.json.
The packaged Community tool-chain graph schema is
src/cavra/schemas/aispm-tool-chain-graph.schema.json, with a deterministic
sample packet at examples/aispm/community-tool-chain-graph-sample.json.
The packaged Community agent blast-radius schema is
src/cavra/schemas/aispm-agent-blast-radius.schema.json, with a deterministic
sample packet at examples/aispm/community-agent-blast-radius-sample.json.
The packaged Community control coverage heatmap schema is
src/cavra/schemas/aispm-control-coverage-heatmap.schema.json, with a
deterministic sample packet at
examples/aispm/community-control-coverage-heatmap-sample.json.
The packaged Community evidence confidence schema is
src/cavra/schemas/aispm-evidence-confidence.schema.json, with a deterministic
sample packet at examples/aispm/community-evidence-confidence-sample.json.
The packaged Community evidence freshness schema is
src/cavra/schemas/aispm-evidence-freshness.schema.json, with a deterministic
sample packet at examples/aispm/community-evidence-freshness-sample.json.
The packaged Community executive risk narrative schema is
src/cavra/schemas/aispm-executive-risk-narrative.schema.json, with a
deterministic sample packet at
examples/aispm/community-executive-risk-narrative-sample.json.
The packaged Community replay-to-policy draft schema is
src/cavra/schemas/aispm-replay-to-policy-draft.schema.json, with a
deterministic sample packet at
examples/aispm/community-replay-to-policy-draft-sample.json.
The packaged Community replay-to-policy test fixture schema is
src/cavra/schemas/aispm-replay-to-policy-tests.schema.json, with a
deterministic sample packet at
examples/aispm/community-replay-to-policy-tests-sample.json.
The packaged Community replay-to-policy review packet schema is
src/cavra/schemas/aispm-replay-to-policy-review-packet.schema.json, with a
deterministic sample packet at
examples/aispm/community-replay-to-policy-review-packet-sample.json.
The packaged Community replay-to-policy CI gate readiness schema is
src/cavra/schemas/aispm-replay-to-policy-ci-gate-readiness.schema.json, with
a deterministic sample packet at
examples/aispm/community-replay-to-policy-ci-gate-readiness-sample.json.
The packaged public Enterprise live ingestion envelope contract is
src/cavra/schemas/aispm-enterprise-live-ingestion-envelope.schema.json, with
a redacted public contract example at
examples/aispm/enterprise-live-ingestion-envelope-public-contract.example.json.
Collectors, tenant persistence, streaming transport, raw payload storage, and
license enforcement remain private Enterprise responsibilities.
The packaged AISPM report delivery contract is
src/cavra/schemas/aispm-report-delivery-contract.schema.json, with a
public-safe sample contract at
examples/aispm/enterprise-report-delivery-contract-public.example.json.
The packaged AISPM report setup wizard contract is
src/cavra/schemas/aispm-report-setup-wizard-contract.schema.json, with a
public-safe sample wizard contract at
examples/aispm/enterprise-report-setup-wizard-contract-public.example.json.
The packaged AISPM report delivery audit event contract is
src/cavra/schemas/aispm-report-delivery-audit-event.schema.json, with a
public-safe sample audit event at
examples/aispm/enterprise-report-delivery-audit-event-public.example.json.
The packaged AISPM report operations dashboard contract is
src/cavra/schemas/aispm-report-operations-dashboard.schema.json, with a
public-safe sample dashboard at
examples/aispm/enterprise-report-operations-dashboard-public.example.json.
The packaged AISPM report retention lifecycle contract is
src/cavra/schemas/aispm-report-retention-lifecycle.schema.json, with a
public-safe sample lifecycle packet at
examples/aispm/enterprise-report-retention-lifecycle-public.example.json.
The packaged AISPM report search and evidence retrieval contract is
src/cavra/schemas/aispm-report-search-retrieval.schema.json, with a
public-safe sample retrieval packet at
examples/aispm/enterprise-report-search-retrieval-public.example.json.
The packaged AISPM report export package manifest contract is
src/cavra/schemas/aispm-report-export-package-manifest.schema.json, with a
public-safe sample export package manifest at
examples/aispm/enterprise-report-export-package-manifest-public.example.json.
The packaged AISPM report schedule policy contract is
src/cavra/schemas/aispm-report-schedule-policy.schema.json, with a
public-safe sample schedule policy at
examples/aispm/enterprise-report-schedule-policy-public.example.json.
The packaged AISPM report recipient policy contract is
src/cavra/schemas/aispm-report-recipient-policy.schema.json, with a
public-safe sample recipient policy at
examples/aispm/enterprise-report-recipient-policy-public.example.json.
The packaged AISPM report approval decision contract is
src/cavra/schemas/aispm-report-approval-decision.schema.json, with a
public-safe sample approval decision at
examples/aispm/enterprise-report-approval-decision-public.example.json.
The packaged AISPM report exception lifecycle contract is
src/cavra/schemas/aispm-report-exception-lifecycle.schema.json, with a
public-safe sample exception lifecycle packet at
examples/aispm/enterprise-report-exception-lifecycle-public.example.json.
The packaged AISPM report evidence room contract is
src/cavra/schemas/aispm-report-evidence-room.schema.json, with a
public-safe sample evidence room packet at
examples/aispm/enterprise-report-evidence-room-public.example.json.
The packaged AISPM report evidence room access event contract is
src/cavra/schemas/aispm-report-evidence-room-access-event.schema.json, with a
public-safe sample access event at
examples/aispm/enterprise-report-evidence-room-access-event-public.example.json.
The packaged AISPM report incident packet contract is
src/cavra/schemas/aispm-report-incident-packet.schema.json, with a
public-safe sample incident packet at
examples/aispm/enterprise-report-incident-packet-public.example.json.
The packaged AISPM report incident closure contract is
src/cavra/schemas/aispm-report-incident-closure.schema.json, with a
public-safe sample incident closure at
examples/aispm/enterprise-report-incident-closure-public.example.json.
The packaged AISPM report KPI metrics contract is
src/cavra/schemas/aispm-report-kpi-metrics.schema.json, with a public-safe
aggregate KPI metrics sample at
examples/aispm/enterprise-report-kpi-metrics-public.example.json.
The packaged AISPM report alert escalation contract is
src/cavra/schemas/aispm-report-alert-escalation.schema.json, with a
public-safe alert escalation sample at
examples/aispm/enterprise-report-alert-escalation-public.example.json.
The packaged AISPM report alert operations dashboard contract is
src/cavra/schemas/aispm-report-alert-operations-dashboard.schema.json, with a
public-safe alert operations dashboard sample at
examples/aispm/enterprise-report-alert-operations-dashboard-public.example.json.
The packaged AISPM report alert drilldown contract is
src/cavra/schemas/aispm-report-alert-drilldown.schema.json, with a
public-safe alert drilldown sample at
examples/aispm/enterprise-report-alert-drilldown-public.example.json.
The packaged AISPM report alert remediation plan contract is
src/cavra/schemas/aispm-report-alert-remediation-plan.schema.json, with a
public-safe alert remediation plan sample at
examples/aispm/enterprise-report-alert-remediation-plan-public.example.json.
The packaged AISPM report alert remediation closure contract is
src/cavra/schemas/aispm-report-alert-remediation-closure.schema.json, with a
public-safe alert remediation closure sample at
examples/aispm/enterprise-report-alert-remediation-closure-public.example.json.
The packaged AISPM report remediation closure operations dashboard contract is
src/cavra/schemas/aispm-report-remediation-closure-operations-dashboard.schema.json,
with a public-safe remediation closure operations dashboard sample at
examples/aispm/enterprise-report-remediation-closure-operations-dashboard-public.example.json.
The packaged AISPM report remediation closure executive digest contract is
src/cavra/schemas/aispm-report-remediation-closure-executive-digest.schema.json,
with a public-safe remediation closure executive digest sample at
examples/aispm/enterprise-report-remediation-closure-executive-digest-public.example.json.
The packaged AISPM report remediation closure digest distribution contract is
src/cavra/schemas/aispm-report-remediation-closure-digest-distribution.schema.json,
with a public-safe remediation closure digest distribution sample at
examples/aispm/enterprise-report-remediation-closure-digest-distribution-public.example.json.
The packaged AISPM Report Center Enterprise Trial validation packet contract is
src/cavra/schemas/aispm-report-center-trial-validation-packet.schema.json,
with a public-safe trial validation packet sample at
examples/aispm/enterprise-report-center-trial-validation-packet-public.example.json.
The packaged AISPM Report Center trial operator dashboard readiness contract is
src/cavra/schemas/aispm-report-center-trial-operator-dashboard-readiness.schema.json,
with a public-safe trial operator dashboard readiness sample at
examples/aispm/enterprise-report-center-trial-operator-dashboard-readiness-public.example.json.
The packaged AISPM Report Center trial operator dashboard API/view-model
contract is
src/cavra/schemas/aispm-report-center-trial-operator-api-view-model.schema.json,
with a public-safe trial operator dashboard API/view-model sample at
examples/aispm/enterprise-report-center-trial-operator-api-view-model-public.example.json.
The packaged AISPM Report Center trial evaluator handoff packet contract is
src/cavra/schemas/aispm-report-center-trial-evaluator-handoff-packet.schema.json,
with a public-safe trial evaluator handoff packet sample at
examples/aispm/enterprise-report-center-trial-evaluator-handoff-packet-public.example.json.
The packaged AISPM Report Center trial revocation and expiry evidence contract
is
src/cavra/schemas/aispm-report-center-trial-revocation-expiry-evidence.schema.json,
with a public-safe trial revocation and expiry evidence sample at
examples/aispm/enterprise-report-center-trial-revocation-expiry-evidence-public.example.json.
The packaged AISPM Report Center trial lab notebook outline contract is
src/cavra/schemas/aispm-report-center-trial-lab-notebook-outline.schema.json,
with a public-safe trial lab notebook outline sample at
examples/aispm/enterprise-report-center-trial-lab-notebook-outline-public.example.json.
The packaged AISPM Report Center trial lab notebook publication readiness
contract is
src/cavra/schemas/aispm-report-center-trial-lab-notebook-publication-readiness.schema.json,
with a public-safe trial lab notebook publication readiness sample at
examples/aispm/enterprise-report-center-trial-lab-notebook-publication-readiness-public.example.json.
Renderer, scheduler, email delivery, tenant persistence, delivery audit
storage, and license enforcement remain private Enterprise responsibilities.
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?
| Start | Build | Operate | Assure |
|---|---|---|---|
| Quick Start | CLI | Enterprise Guide | AISPM |
| Reader Paths | Policy Syntax | Deployments | Evidence |
| Community | GUI | Troubleshooting | Conclusion |
- Foreword And Reader Paths
- Why CAVRA Exists
- Runtime Authority Model
- Architecture
- Editions
- Install And Deploy
- Community Guide
- Enterprise Guide
- CLI Reference
- GUI And Sandbox
- AISPM Guide
- Policy And Evidence
- Operations And Integrations
- Labs And Use Cases
- Appendices And FAQ
- Policy Language Reference
- Troubleshooting Playbook
- Conclusion