CAVRA Trial Field Guide
The CAVRA Trial Field Guide is the public-safe operating handbook for approved Community and Enterprise Trial evaluators. It walks trial users through CAVRA from first contact to closeout without exposing Enterprise source code, license material, private package credentials, customer data, raw prompts, or private policy-pack implementation details.
Use this guide with the public Community portal, the approved Enterprise Trial request flow, and the validation packets linked from the release evidence index.
| Role | Primary Question | Field Guide Path |
|---|---|---|
| Developer | Will CAVRA govern agent actions before they change code or tools? | Labs 1, 3, and 4 |
| Platform engineer | Can we wire CAVRA into repositories, CI, and runtime control points? | Labs 2, 3, 6, and 7 |
| Security engineer | Can we see risky agent actions, violations, and control coverage? | Labs 3, 4, 5, and 7 |
| Auditor | Can we prove what happened, who approved it, and what evidence exists? | Labs 4, 5, 6, and 8 |
| CSO/CISO | Is the AI-agent security posture understandable and board-reviewable? | Labs 4, 5, 7, and 8 |

| Lab | Name | Outcome | Primary Surface |
|---|---|---|---|
| 1 | Product orientation | Understand Community, Enterprise Trial, SaaS, and private-source boundaries. | Public docs and portal |
| 2 | Trial access request | Understand approved-access signup, operator review, package access, and license validation. | Trial portal |
| 3 | Governed agent action | Review allow, warn, block, approval, and attestation decisions. | Community dashboard |
| 4 | AISPM posture review | Inspect risk, agent coverage, timelines, evidence confidence, and control coverage. | AI Posture |
| 5 | CSO report center | Download Community reports and understand Enterprise delivery, audit, and retention controls. | Report Center |
| 6 | Operator readiness | Review release gates, trial handoff, runtime controls, and package-readiness boundaries. | Readiness packets |
| 7 | Pilot evidence room | Review pilot launch, exception, risk, board-pack, deployment, report-delivery, and runtime-workflow evidence. | Evidence packets |
| 8 | Trial closeout | Understand revocation, expiry, package access removal, blocked runtime validation, and feedback capture. | Closeout pages |

The dashboard introduces the product, shows public-safe controls, and links to Community documentation, trial access, demo flows, and release evidence.

The AISPM posture view uses sample or local data in Community and live, authenticated, tenant-scoped data in Enterprise.

The CSO Report Center gives executives and auditors a central place to download public-safe reports. Enterprise expands this with signed exports, email delivery, retention, evidence rooms, and audit trails.

The board-pack view groups launch decision, evidence room, risk acceptance, exceptions, reviewer checklist, and report artifacts into one executive review surface.
- Open https://huzefaaa2.github.io/cavra/#dashboard.
- Confirm that the product is CAVRA: Controlled Agentic Verification & Runtime Authority.
- Review the open-core boundary: Community source is public; Enterprise source, license service, SaaS backend, private policy packs, and private trial package implementation remain private.
- Open the documentation links for AISPM Dashboard Roadmap, AI Security Posture Dashboard Contract, and Enterprise Trial Availability.
Checkpoint: checkpoint-product-surfaces
Expected result: the evaluator can explain Community, Enterprise Trial, SaaS, and private-source boundaries.
- Open https://cavra-trial.mind-ops.cloud.
- Submit a trial request with business contact details.
- Confirm the request is recorded as pending approval.
- Review Trial Access And Operator Approval to understand operator approval, package access, and license issuance.
Checkpoint: checkpoint-trial-request
Expected result: the evaluator understands why Enterprise Trial access is approved and gated instead of anonymous.
- Open the public dashboard and run the sample agent scenario.
- Inspect the generated decision: allow, warn, block, require approval, or allow with attestation.
- Download the public-safe evidence JSON.
- Confirm the evidence identifies what the agent attempted, what CAVRA decided, why, and which evidence references support the decision.
Checkpoint: checkpoint-agent-decision
Expected result: the evaluator can see how CAVRA governs an AI-agent action before relying on after-the-fact review.
- Open AI Posture.
- Review live activity sample data, risk queue, execution timeline, approval lineage, control coverage heatmap, evidence confidence, and evidence freshness panels.
- Confirm each tile clearly indicates public-safe sample/local provenance.
- Review the executive risk narrative and near-miss queue.
Checkpoint: checkpoint-aispm-posture
Expected result: CSO/CISO, security, and platform teams can inspect AI-agent posture without raw prompt or private payload exposure in Community.
- Open the report center inside the AI Posture route.
- Download Community-safe executive, audit, control coverage, evidence freshness, and agent-risk reports.
- Review AISPM CSO Report Center for the Enterprise expansion: PDF, XLSX, DOCX, HTML, signed JSON, JSONL, GRC packages, scheduled email delivery, retry evidence, retention, and evidence-room access events.
Checkpoint: checkpoint-report-center
Expected result: executives and auditors can identify which reports exist in Community and which delivery/governance capabilities require Enterprise.
- Review the Enterprise Trial readiness public summary: docs/release-verifications/aispm-enterprise-trial-readiness-public-summary.json.
- Confirm the public-safe gates are ready: runtime binding, alert transport, release dashboard publication, trial field guide, operator audit archive, runtime-control closeout, systems-of-record attachment, and announcement closeout.
- Review the release evidence index for validator paths and packet names.
Checkpoint: checkpoint-operator-readiness
Expected result: evaluators can see the readiness trail without seeing private operator records or package credentials.
- Review the public-safe pilot evidence room packet.
- Confirm it references launch decision, reviewer checklist, exception register, risk acceptance, board pack, deployment runtime validation, report-delivery validation, and runtime-workflow validation.
- Confirm the private implementation owns signed acceptance, board minutes, private ACLs, customer data, and authenticated evidence-room access logs.
Checkpoint: checkpoint-pilot-evidence-room
Expected result: CSO/CISO and auditors can understand the pilot evidence room without receiving customer-private evidence.
- Review Trial Revocation, Expiry, And Closeout.
- Confirm closeout expectations: license expiry or revocation, package access removal, blocked runtime validation, archived evidence packet, evaluator feedback, and commercial/pilot handoff decision.
Checkpoint: checkpoint-revocation-expiry
Expected result: the evaluator understands how trial access is ended or converted without leaving stale package or license access behind.
| Checkpoint | Expected Evidence |
|---|---|
| Product surfaces | Public dashboard and open-core docs reviewed. |
| Trial request | Approved-access flow understood. |
| Agent decision | Public-safe decision evidence downloaded. |
| AISPM posture | Risk, coverage, timeline, and freshness panels reviewed. |
| Report center | Community downloads and Enterprise delivery boundary understood. |
| Operator readiness | Public-safe readiness summary reviewed. |
| Pilot evidence room | Required artifact families identified. |
| Revocation and expiry | Closeout and blocked-access expectations understood. |
Do not publish or attach Enterprise source code, license keys, package tokens, private container URLs, SMTP credentials, signing keys, private policy-pack implementation details, customer records, evaluator identities, operator identities, IP addresses, raw prompts, model reasoning, raw tool output, provider responses, private evidence room ACLs, signed download URLs, or tenant-specific findings in this public guide.
Use public-safe summaries, screenshots, diagrams, packet names, hashes, and status fields only.
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?