CAVRA Developer Portal Smoke Validation
The sandbox portal smoke validator protects the public GitHub Pages experience as a user-facing product surface. It verifies that the static portal still contains the required routes, command palette, mobile navigation, architecture workbench, compliance filters, brand assets, and deployment workflow checks.
Run the validator from the repository root:
```
python scripts/validate-sandbox-portal.py
```
Expected success output:
```
CAVRA sandbox portal smoke validation passed.
```
- Required portal files and brand assets exist.
- Required routes are present: dashboard, AI Posture, architecture, policy engine, evidence, integrations, compliance, use cases, documentation, and roadmap.
- The command palette includes page, policy, integration, control, and use-case search content, plus AI Posture entries for agent observability, kill switch, evidence confidence, trace replay, approval lineage, behavior fingerprinting, policy context gaps, pre-action risk forecasts, intent-to-action drift, tool-chain risk graphing, agent blast-radius mapping, control coverage heatmap views, replay-to-policy draft and copy/download test fixture previews, replay-to-policy review workflow checks, replay-to-policy review packet export actions, replay-to-policy PR attachment guidance, replay-to-policy CI gate setup paths, readiness summary, rollout checklist export, audit packet export, and readiness export actions.
- Theme selectors remain available on desktop and mobile for Sentinel, Classic, Retro, and Executive dashboard themes.
- Mobile drawer and bottom navigation anchors remain available.
- Architecture nodes remain visible for GitHub, GitLab, IaC, Kubernetes, CAVRA, Policy Engine, Evidence Engine, Audit Trail, and cloud providers.
- AI Posture DOM anchors remain available for provenance, overview cards, agent coverage, findings, control coverage, near misses, timeline, trace replay drill-down, approval lineage, behavior fingerprinting, pre-action risk forecasts, intent-to-action drift, tool-chain risk graph, agent blast-radius map, control coverage heatmap, replay-to-policy draft, replay-to-policy review workflow, replay-to-policy review packet export, replay-to-policy PR attachment guidance, replay-to-policy CI gate setup, readiness summary, rollout checklist export, audit packet export, readiness export, replay-to-policy test fixture copy/download actions, payload, and fallback loading for `/aispm/posture`, `/aispm/trace-replay`, `/aispm/replay-to-policy-draft`, `/aispm/replay-to-policy-tests`, `/aispm/approval-lineage`, `/aispm/behavior-fingerprints`, `/aispm/policy-context-gaps`, `/aispm/pre-action-risk-forecasts`, `/aispm/intent-action-drift`, `/aispm/tool-chain-graph`, `/aispm/agent-blast-radius`, and `/aispm/control-coverage-heatmap`.
- Compliance filters still include NIST, SOC2, ISO27001, CIS, PCI DSS, and OWASP.
- The GitHub Pages workflow still smoke-tests the page, JavaScript, stylesheet, brand assets, C4 diagram, evidence JSON, Enterprise Trial portal link, and AISPM trial lab notebook readiness summary link.
- The Enterprise Trial page links to the AISPM trial lab notebook publication readiness Markdown, readiness JSON, and GitHub Wiki lab notebook.
- The Enterprise Trial page exposes a stable page-local TOC anchor for AISPM trial lab notebook readiness.
- The AI Posture page exposes an AISPM Enterprise Trial readiness checklist for lab notebook, access portal, operator approval, revocation/expiry, release evidence, and Enterprise automation boundary review.
- The readiness checklist can copy a Markdown summary and download `cavra-aispm-enterprise-trial-readiness-packet.json`.
- The AI Posture page shows the Enterprise Trial evaluator handoff covering trial portal, package reference, license boundary, lab notebook, support path, and revocation/expiry closeout.
- The AI Posture page shows the Enterprise Trial evaluation journey from request submission through operator approval, package pull, license validation, scenario execution, evidence review, and closeout verification.
- The AI Posture page shows AISPM Trial Closeout Evidence for license expiry, revocation, package access removal, blocked runtime validation, archived evidence, and evaluator feedback.
- The AI Posture page shows AISPM Trial Feedback Intake categories for setup friction, policy clarity, dashboard usefulness, report usefulness, integration gaps, procurement concerns, and go/no-go decision.
- The AI Posture page shows AISPM Trial Outcome Summary for readiness, evaluator handoff, journey coverage, closeout evidence, feedback coverage, and CSO/CISO go/no-go review.
- The AI Posture page can copy or download `cavra-aispm-trial-review-packet.json` as a public-safe trial review bundle.
- The AI Posture page shows AISPM Trial Review Packet Integrity for schema, generated timestamp, expected filename, public-safety boundary, excluded private fields, and Enterprise-only boundary signals.
- The AI Posture page shows AISPM Trial Procurement Readiness for legal, security, deployment, support, licensing, data handling, and pilot-scope buyer review.
- The AI Posture page shows AISPM Trial Pilot Scope Builder for target repositories, AI agents, required checks, policies, evidence owners, success criteria, and go/no-go date.
- The AI Posture page can copy or download `cavra-aispm-trial-pilot-scope-packet.json` as a public-safe pilot approval attachment.
- The AI Posture page shows AISPM Pilot Approval Checklist for owner assignment, repository selection, agent registration, required checks, policy selection, evidence owners, support path, and go/no-go acceptance.
- The AI Posture page can copy or download `cavra-aispm-pilot-approval-packet.json` as a public-safe production-pilot approval attachment.
- The AI Posture page shows AISPM Pilot Launch Readiness Summary for scope definition, approval readiness, report availability, evidence review, support confirmation, and CSO/CISO go/no-go readiness.
- The AI Posture page can copy or download `cavra-aispm-pilot-launch-decision-packet.json` as a public-safe launch decision record attachment.
- The AI Posture page shows Production Pilot Evidence Room for CSO/CISO, security, platform, procurement, auditor, and operator review catalogs.
- The AI Posture page can copy or download `cavra-aispm-pilot-evidence-room-packet.json` as a public-safe evidence room reviewer handoff artifact.
- The AI Posture page shows Evidence Room Reviewer Checklist for CSO/CISO, security, platform, procurement, auditor, and operator pre-pilot acceptance criteria.
- The AI Posture page can copy or download `cavra-aispm-evidence-reviewer-checklist-packet.json` as a public-safe launch reviewer checklist artifact.
- The AI Posture page shows Pilot Exception Register for unresolved risks, accepted exceptions, owners, status, expiry expectations, and Enterprise workflow boundaries.
- The AI Posture page can copy or download `cavra-aispm-pilot-exception-register-packet.json` as a public-safe exception register launch approval artifact.
- The AI Posture page shows Pilot Risk Acceptance Summary for open exceptions, accepted risks, monitored risks, accountable owners, launch-blocking items, and Enterprise-only signed risk acceptance.
- The AI Posture page can copy or download `cavra-aispm-pilot-risk-acceptance-packet.json` as a public-safe CSO/CISO risk acceptance launch approval artifact.
- The AI Posture page shows Pilot Launch Board Pack for launch decision, evidence room, risk acceptance, exception register, reviewer checklist, and executive report artifacts.
- The AI Posture page can copy or download `cavra-aispm-pilot-launch-board-pack-packet.json` as a public-safe board/CISO artifact index with freshness and integrity metadata.
- The AISPM launch artifact index is maintained at `docs/release-verifications/aispm-launch-board-pack-artifact-index.json` and validated by `scripts/validate-aispm-launch-artifacts.py`.
- Playwright visual smoke validation is available through `npm run validate:sandbox:visual`, implemented by `scripts/validate-sandbox-visual.mjs`. It captures public-safe desktop and mobile screenshots under `.cavra/visual-smoke/` and checks the dashboard, AISPM board-pack panel, report center panel, command palette, and theme readability.
- The visual smoke validation record is maintained at `docs/release-verifications/aispm-visual-smoke-validation.md` and `docs/release-verifications/aispm-visual-smoke-validation.json`.
- Visual freshness is enforced by `scripts/validate-aispm-visual-freshness.py`, which keeps the visual smoke record, board-pack artifact index, wiki navigation, package script, and GitHub workflow references synchronized.
- The AISPM launch readiness rollup is maintained at `docs/release-verifications/aispm-launch-readiness-rollup.md` and `docs/release-verifications/aispm-launch-readiness-rollup.json`, and is validated by `scripts/validate-aispm-launch-readiness.py`.
- Hosted GitHub Pages browser smoke is recorded at `docs/release-verifications/hosted-sandbox-pages-smoke-validation.md` and `docs/release-verifications/hosted-sandbox-pages-smoke-validation.json`, and is validated after deploy by `scripts/validate-hosted-sandbox-pages.mjs`.
- Hosted GitHub Pages deployment freshness is recorded at `docs/release-verifications/hosted-sandbox-deployment-freshness.md` and `docs/release-verifications/hosted-sandbox-deployment-freshness.json`, and is validated by `scripts/validate-hosted-sandbox-deployment-freshness.py` using the build sentinel `community-v1.0.0-aispm-release-evidence-index`.
- Hosted release operator status is recorded at `docs/release-verifications/hosted-sandbox-operator-release-status.md` and `docs/release-verifications/hosted-sandbox-operator-release-status.json`, validated by `scripts/validate-hosted-sandbox-operator-status.py`, and exported from the portal as `cavra-hosted-sandbox-operator-status-packet.json`.
- Hosted GitHub Pages post-deploy evidence is defined at `docs/release-verifications/hosted-sandbox-post-deploy-evidence.md` and `docs/release-verifications/hosted-sandbox-post-deploy-evidence.json`, generated by `scripts/generate-hosted-sandbox-deploy-evidence.py`, validated by `scripts/validate-hosted-sandbox-deploy-evidence.py`, and uploaded as `cavra-hosted-sandbox-post-deploy-evidence`.
- The AISPM Release Evidence Index is defined at `docs/release-verifications/aispm-release-evidence-index.md` and `docs/release-verifications/aispm-release-evidence-index.json`, validated by `scripts/validate-aispm-release-evidence-index.py`, and exported from the portal as `cavra-aispm-release-evidence-index-packet.json`.
- AISPM report catalog readiness is defined at `docs/release-verifications/aispm-report-catalog-readiness.md` and `docs/release-verifications/aispm-report-catalog-readiness.json`, validated by `scripts/validate-aispm-report-catalog-readiness.py`, and exported from the portal as `cavra-aispm-report-catalog-packet.json`.
- AISPM report delivery setup readiness is defined at `docs/release-verifications/aispm-report-delivery-setup-readiness.md` and `docs/release-verifications/aispm-report-delivery-setup-readiness.json`, validated by `scripts/validate-aispm-report-delivery-setup-readiness.py`, and exported from the portal as `cavra-aispm-report-delivery-setup-packet.json`.
- AISPM report operations readiness is defined at `docs/release-verifications/aispm-report-operations-readiness.md` and `docs/release-verifications/aispm-report-operations-readiness.json`, validated by `scripts/validate-aispm-report-operations-readiness.py`, and exported from the portal as `cavra-aispm-report-operations-readiness-packet.json`.
- AISPM report governance readiness is defined at `docs/release-verifications/aispm-report-governance-readiness.md` and `docs/release-verifications/aispm-report-governance-readiness.json`, validated by `scripts/validate-aispm-report-governance-readiness.py`, and exported from the portal as `cavra-aispm-report-governance-readiness-packet.json`.
- AISPM report assurance readiness is defined at `docs/release-verifications/aispm-report-assurance-readiness.md` and `docs/release-verifications/aispm-report-assurance-readiness.json`, validated by `scripts/validate-aispm-report-assurance-readiness.py`, and exported from the portal as `cavra-aispm-report-assurance-readiness-packet.json`.
- AISPM report response readiness is defined at `docs/release-verifications/aispm-report-response-readiness.md` and `docs/release-verifications/aispm-report-response-readiness.json`, validated by `scripts/validate-aispm-report-response-readiness.py`, and exported from the portal as `cavra-aispm-report-response-readiness-packet.json`.
- AISPM report trial operations readiness is defined at `docs/release-verifications/aispm-report-trial-operations-readiness.md` and `docs/release-verifications/aispm-report-trial-operations-readiness.json`, validated by `scripts/validate-aispm-report-trial-operations-readiness.py`, and exported from the portal as `cavra-aispm-report-trial-operations-readiness-packet.json`.
- AISPM pilot control readiness is defined at `docs/release-verifications/aispm-pilot-control-readiness.md` and `docs/release-verifications/aispm-pilot-control-readiness.json`, validated by `scripts/validate-aispm-pilot-control-readiness.py`, and exported from the portal as `cavra-aispm-pilot-control-readiness-packet.json`.
- AISPM v1.0 public release readiness is defined at `docs/release-verifications/aispm-v1.0-public-release-readiness.md` and `docs/release-verifications/aispm-v1.0-public-release-readiness.json`, validated by `scripts/validate-aispm-v100-public-release.py`, and supported by `docs/releases/community-v1.0.0-aispm.md` and `docs/aispm-v1.0-public-walkthrough.md`.
- AISPM final announcement readiness is defined at `docs/release-verifications/aispm-final-announcement-readiness.md` and `docs/release-verifications/aispm-final-announcement-readiness.json`, validated by `scripts/validate-aispm-final-announcement-readiness.py`, and exported from the portal as `cavra-aispm-final-announcement-readiness-packet.json`.
- The board pack freshness gate covers `cavra-aispm-pilot-launch-decision-packet.json`, `cavra-aispm-pilot-evidence-room-packet.json`, `cavra-aispm-pilot-risk-acceptance-packet.json`, `cavra-aispm-pilot-exception-register-packet.json`, `cavra-aispm-evidence-reviewer-checklist-packet.json`, `cavra-aispm-executive-risk-brief.md`, `cavra-aispm-board-kpi-pack.json`, and `cavra-aispm-soc2-audit-summary.md`.
- The command palette can find the AISPM trial lab notebook readiness summary, readiness JSON, and GitHub Wiki lab notebook from `Ctrl+K`.
- README and wiki navigation link to the portal documentation.
The validator is enforced by:
- `.github/workflows/community-ci.yml`
- `.github/workflows/security-scan.yml`
- `.github/workflows/release-community.yml`
- `.github/workflows/cavra-governance.yml`
- `.github/workflows/deploy-sandbox.yml`
This validator only checks public Community Edition portal contracts. It does not require Enterprise source code, private policy packs, SaaS backend logic, license-service internals, customer data, provider credentials, or private registry paths.
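The following is an added illustration of a public-contract check of this kind, not the project's `scripts/validate-sandbox-portal.py`. The required routes and compliance filters come from the checklist above; the route slugs and the `data-route` / `data-framework` attribute names are assumptions. It parses live elements instead of searching for substrings, so a filter that has been commented out is reported as missing.

```python
from html.parser import HTMLParser

# Contract values come from the checklist on this page; the slug spellings
# and the data-* attribute names are assumptions made for this example.
REQUIRED_ROUTES = {
    "dashboard", "ai-posture", "architecture", "policy-engine", "evidence",
    "integrations", "compliance", "use-cases", "documentation", "roadmap",
}
REQUIRED_FRAMEWORKS = {"NIST", "SOC2", "ISO27001", "CIS", "PCI DSS", "OWASP"}


class ContractCollector(HTMLParser):
    """Collects route and compliance-filter anchors from live elements only."""

    def __init__(self):
        super().__init__()
        self.routes = set()
        self.frameworks = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "data-route" and value:
                self.routes.add(value.strip().lower())
            elif name == "data-framework" and value:
                self.frameworks.add(value.strip())


def check_portal(html):
    """Return contract failures (routes first, then filters); empty means pass."""
    collector = ContractCollector()
    collector.feed(html)
    collector.close()
    failures = [f"missing route: {r}" for r in sorted(REQUIRED_ROUTES - collector.routes)]
    failures += [f"missing compliance filter: {f}"
                 for f in sorted(REQUIRED_FRAMEWORKS - collector.frameworks)]
    return failures


# Constructed sample pages (not the real portal markup).
SAMPLE_OK = "".join(f'<a data-route="{r}"></a>' for r in sorted(REQUIRED_ROUTES)) + \
    "".join(f'<button data-framework="{f}"></button>' for f in sorted(REQUIRED_FRAMEWORKS))
# Regression: roadmap link deleted, OWASP filter commented out. A substring
# search for "OWASP" would still succeed; attribute parsing does not.
SAMPLE_REGRESSED = (SAMPLE_OK
                    .replace('<a data-route="roadmap"></a>', "")
                    .replace('<button data-framework="OWASP"></button>',
                             '<!-- <button data-framework="OWASP"></button> -->'))

if __name__ == "__main__":
    problems = check_portal(SAMPLE_REGRESSED)
    print("\n".join(problems) or "portal contract check passed")
    raise SystemExit(1 if problems else 0)
```

The non-zero exit status on failure is what lets a CI workflow block a deployment on a missing route or filter.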
- As a CISO, I can trust that the public portal still explains CAVRA's control model clearly before a release.
- As an auditor, I can inspect a stable compliance and evidence navigation surface without needing private systems.
- As a platform engineer, I can catch broken route, asset, and workflow regressions before GitHub Pages deployment.
- As a buyer evaluating CAVRA, I can see a coherent public product experience with architecture, policies, integrations, compliance, and documentation in one place.
Enterprise AI governance tools are often evaluated through public demos before security teams grant deeper access. This validator keeps the public portal credible by ensuring the most important buyer, auditor, and operator surfaces do not silently regress.
Implement Community v1.0.0 release-candidate hardening packet from the completed Node 24 readiness baseline with signed artifacts, reproducible provenance verification, GA announcement checklist, and final operator evidence.
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?