CLI
Primary commands: cavra version, cavra evaluate, cavra agent start, cavra agent exec, cavra agent attest, cavra policy list, cavra policy validate, cavra policy test, cavra policy explain, cavra policy sign, cavra policy verify, cavra approval create, cavra approval list, cavra approval approve, cavra approval deny, cavra approval expire, cavra approval break-glass, cavra approval route, cavra approval migrate, cavra approval export-notifications, cavra approval provider-requests, cavra approval deliver, cavra integration deliver, cavra registry agent-register, cavra registry agent-list, cavra registry profiles, cavra registry mcp-register, cavra registry mcp-list, cavra registry mcp-check, cavra registry mcp-classifications, cavra registry migrate, cavra ops stores, cavra ops backup, cavra ops restore, cavra ops retention-plan, cavra evidence generate-keypair, cavra evidence trust-root, cavra evidence trust-bundle, cavra evidence trust-distribution, cavra evidence bundle, cavra evidence verify, cavra evidence siem-event, cavra evidence export-siem, cavra evidence retention-policy, cavra evidence storage-plan, cavra evidence verify-attestation, cavra evidence migrate, cavra evidence index, cavra evidence search, cavra release verify-go-package, cavra release verify-airgap-bundle, cavra release validate-upgrade, cavra release smoke-installers, cavra release channel-manifest, cavra release updater-policy, cavra release request-channel-promotion, cavra release export-endpoint-management, cavra release deliver-endpoint-export, cavra release reconcile-endpoint-deployment, cavra release ingest-endpoint-inventory, cavra release endpoint-inventory-history, cavra release endpoint-inventory-dashboard, cavra release endpoint-inventory-freshness, cavra release endpoint-inventory-freshness-history, cavra release endpoint-inventory-freshness-dashboard, cavra release automate-endpoint-reconciliation, cavra release endpoint-reconciliation-automation-history, cavra release 
endpoint-reconciliation-automation-dashboard, cavra release request-endpoint-remediation, cavra release execute-endpoint-remediation, cavra release endpoint-remediation-history, cavra release endpoint-remediation-dashboard, cavra release export-endpoint-remediation-handoff, cavra release record-endpoint-remediation-handoff-status, cavra release endpoint-remediation-handoff-history, cavra release endpoint-remediation-handoff-dashboard, cavra release endpoint-remediation-handoff-status-history, cavra release endpoint-remediation-handoff-status-dashboard, cavra release endpoint-remediation-sla-report, cavra release deliver-endpoint-remediation-sla, cavra release ack-endpoint-remediation-sla, cavra release endpoint-remediation-sla-notification-history, cavra release endpoint-remediation-sla-notification-dashboard, cavra release endpoint-remediation-sla-escalation-plan, cavra release deliver-endpoint-remediation-sla-escalation, cavra release review-endpoint-remediation-sla-escalation, cavra release endpoint-remediation-sla-escalation-action-history, cavra release endpoint-remediation-sla-escalation-action-dashboard, cavra release endpoint-remediation-sla-escalation-recurrence-plan, cavra release deliver-endpoint-remediation-sla-escalation-recurrence, cavra release export-endpoint-remediation-sla-escalation-suppression-audit, cavra release endpoint-remediation-sla-escalation-recurrence-retry-plan, cavra release deliver-endpoint-remediation-sla-escalation-owner-digest, cavra release endpoint-remediation-sla-escalation-suppression-trends, cavra release endpoint-remediation-sla-escalation-recurrence-history, cavra release endpoint-remediation-sla-escalation-recurrence-dashboard, cavra release endpoint-remediation-sla-escalation-history, cavra release endpoint-remediation-sla-escalation-dashboard, cavra release endpoint-remediation-sla-history, cavra release endpoint-remediation-sla-dashboard, cavra release endpoint-publication-history, cavra release 
endpoint-publication-dashboard, cavra release endpoint-reconciliation-history, cavra release endpoint-reconciliation-dashboard, cavra release capture-rollout, cavra release verify-rollout, cavra release request-rollout-promotion, cavra release execute-rollout-promotion, cavra release execute-rollout-rollback, cavra release export-promotion-audit, cavra release deliver-promotion-audit, cavra release deliver-rollback-execution, cavra release connector-delivery-history, cavra release connector-delivery-dashboard, cavra init claude-code, and cavra demo before-the-agent-acts.
Approval examples:
cavra evaluate write_file iam/admin-role.tf --json > /tmp/cavra-decision.json
cavra approval migrate --sqlite .cavra/approvals.db
cavra approval create /tmp/cavra-decision.json --requested-by developer
cavra approval create /tmp/cavra-decision.json --sqlite .cavra/approvals.db --routing-file .cavra/approval-routing.json --requested-by developer
cavra approval route /tmp/cavra-decision.json
cavra approval route /tmp/cavra-decision.json --routing-file .cavra/approval-routing.json
cavra approval list --state pending
cavra approval approve apr_123 --actor platform-security --reason "Scoped IAM change reviewed" --external-ref CHG-123
cavra approval approve apr_123 --actor iam@example.com --actor-claims /tmp/oidc-claims.json --reason "Scoped IAM change reviewed"
cavra approval approve apr_123 --actor iam@example.com --actor-token /tmp/oidc.jwt --oidc-config .cavra/approval-oidc.json --rbac-file .cavra/approval-rbac.yaml --reason "Signed identity verified"
cavra approval deny apr_123 --actor platform-security --reason "Missing rollback plan"
cavra approval expire apr_123
cavra approval break-glass /tmp/cavra-decision.json --actor incident-commander --reason "Production recovery" --external-ref INC-777
cavra approval export-notifications apr_123 --output .cavra/approvals/notifications
cavra approval provider-requests apr_123 --provider jira --output .cavra/approvals/provider-requests
cavra approval deliver apr_123 --config .cavra/approval-providers.yaml --provider jira --retries 2 --timeout-seconds 10 --output .cavra/approvals/deliveries
Evidence integration examples:
cavra evidence bundle --output .cavra/evidence/latest --key "$CAVRA_EVIDENCE_SIGNING_KEY"
cavra evidence generate-keypair --private-key .cavra/keys/evidence-private.pem --public-key .cavra/keys/evidence-public.pem
cavra evidence trust-root .cavra/keys/evidence-public.pem --output .cavra/keys/evidence-trust-root.json --key-id prod-evidence
cavra evidence trust-bundle .cavra/keys/evidence-trust-root.json --output .cavra/keys/evidence-trust-roots.json
cavra evidence trust-distribution .cavra/keys/evidence-trust-root.json --output .cavra/keys/trust-root-distribution --distribution-id prod-trust-roots-2026-q2 --channel source-control --channel offline-media
cavra evidence verify .cavra/evidence/latest --trust-root .cavra/keys/evidence-trust-roots.json --key-id prod-evidence --minimum-retention-days 2555
cavra evidence export-siem .cavra/evidence/latest --output .cavra/evidence/siem
cavra evidence retention-policy .cavra/evidence/latest --output .cavra/evidence/retention --retention-days 2555
cavra evidence storage-plan .cavra/evidence/latest --output .cavra/evidence/storage --retention-days 2555
cavra evidence verify-attestation .cavra/evidence/latest --output .cavra/evidence/attestation
cavra evidence migrate --sqlite .cavra/evidence/metadata.db
cavra evidence index .cavra/evidence/latest --sqlite .cavra/evidence/metadata.db
cavra evidence search --sqlite .cavra/evidence/metadata.db --min-blocked 1 --limit 25
cavra evidence search --sqlite .cavra/evidence/metadata.db --metadata-kind managed-endpoint-rollout --rollout-status staged --environment production --deployment-target github-actions-linux-amd64-runner
cavra release verify-airgap-bundle go/cavra-runtime/dist/cavra-go-runtime-v0.1.0.zip
cavra release validate-upgrade go/cavra-runtime/dist/go-runtime-v0.1.0 go/cavra-runtime/dist/go-runtime-v0.2.0-rc.1
cavra release smoke-installers go/cavra-runtime/dist/go-runtime-v0.2.0-rc.1 --json
cavra release channel-manifest go/cavra-runtime/dist/go-runtime-v0.2.0-rc.1 --channel stable --json
cavra release updater-policy go/cavra-runtime/dist/go-runtime-v0.2.0-rc.1 --json
cavra release request-channel-promotion go/cavra-runtime/dist/go-runtime-v0.2.0-rc.1 --channel stable --approval-store .cavra/api/approvals.json --metadata-json .cavra/evidence/metadata.json --json
cavra release export-endpoint-management go/cavra-runtime/dist/go-runtime-v0.2.0-rc.1 --channel stable --provider all --promotion-request .cavra/release/channel-promotion/release-channel-promotion-request.json --metadata-json .cavra/evidence/metadata.json --json
cavra release deliver-endpoint-export .cavra/release/endpoint-management-export/endpoint-management-export-manifest.json --config .cavra/connectors.json --provider jamf --metadata-json .cavra/evidence/metadata.json --json
cavra release ingest-endpoint-inventory .cavra/release/jamf-inventory.json --provider jamf --channel stable --metadata-json .cavra/evidence/metadata.json --json
cavra release endpoint-inventory-history --metadata-json .cavra/evidence/metadata.json --provider jamf
cavra release endpoint-inventory-dashboard --metadata-json .cavra/evidence/metadata.json
cavra release endpoint-inventory-freshness --metadata-json .cavra/evidence/metadata.json --max-age-hours 24 --critical-age-hours 48 --json
cavra release endpoint-inventory-freshness-history --metadata-json .cavra/evidence/metadata.json --alert-level critical
cavra release endpoint-inventory-freshness-dashboard --metadata-json .cavra/evidence/metadata.json
cavra release reconcile-endpoint-deployment go/cavra-runtime/dist/go-runtime-v0.2.0-rc.1 .cavra/release/endpoint-inventory/endpoint-inventory.json --metadata-json .cavra/evidence/metadata.json --json
cavra release automate-endpoint-reconciliation go/cavra-runtime/dist/go-runtime-v0.2.0-rc.1 .cavra/release/endpoint-inventory/endpoint-inventory-ingestion.json --approval-store .cavra/api/approvals.json --metadata-json .cavra/evidence/metadata.json --json
cavra release capture-rollout go/cavra-runtime/dist/go-runtime-v0.2.0-rc.1 --deployment-id github-actions-linux-amd64-runner --change-record CHG-123 --json
cavra release verify-rollout .cavra/release/rollout --metadata-json .cavra/evidence/metadata.json --sqlite .cavra/evidence/metadata.db --json
cavra release request-rollout-promotion .cavra/release/rollout --target-ring production --approval-store .cavra/api/approvals.json --json
cavra release execute-rollout-promotion .cavra/release/rollout-promotion/rollout-promotion-approval-request.json --approval-store .cavra/api/approvals.json --metadata-json .cavra/evidence/metadata.json --json
cavra release export-promotion-audit .cavra/release/rollout-promotion-execution/rollout-promotion-execution.json --provider all --json
cavra release execute-rollout-rollback .cavra/release/rollout-promotion-execution/rollout-promotion-execution.json --approval-store .cavra/api/approvals.json --approval-id apr_rollback_prod --metadata-json .cavra/evidence/metadata.json --json
cavra release deliver-promotion-audit .cavra/release/rollout-promotion-execution/rollout-promotion-execution.json --config .cavra/connectors.json --provider webhook --retries 1 --metadata-json .cavra/evidence/metadata.json --json
cavra release deliver-rollback-execution .cavra/release/rollout-rollback-execution/rollout-rollback-execution.json --config .cavra/connectors.json --provider webhook --retries 1 --metadata-json .cavra/evidence/metadata.json --json
cavra release connector-delivery-history --metadata-json .cavra/evidence/metadata.json --provider webhook --no-success
cavra release connector-delivery-dashboard --metadata-json .cavra/evidence/metadata.json
cavra release endpoint-publication-history --metadata-json .cavra/evidence/metadata.json --provider jamf --no-success
cavra release endpoint-publication-dashboard --metadata-json .cavra/evidence/metadata.json
cavra release endpoint-reconciliation-history --metadata-json .cavra/evidence/metadata.json --drift-status drift_detected
cavra release endpoint-reconciliation-dashboard --metadata-json .cavra/evidence/metadata.json
cavra release endpoint-reconciliation-automation-history --metadata-json .cavra/evidence/metadata.json --approval-state pending
cavra release endpoint-reconciliation-automation-dashboard --metadata-json .cavra/evidence/metadata.json
cavra release request-endpoint-remediation .cavra/release/endpoint-reconciliation/managed-endpoint-reconciliation.json --approval-store .cavra/api/approvals.json --metadata-json .cavra/evidence/metadata.json --json
cavra release execute-endpoint-remediation .cavra/release/endpoint-remediation/endpoint-remediation-request.json --approval-store .cavra/api/approvals.json --metadata-json .cavra/evidence/metadata.json --json
cavra release endpoint-remediation-history --metadata-json .cavra/evidence/metadata.json
cavra release endpoint-remediation-dashboard --metadata-json .cavra/evidence/metadata.json
cavra release export-endpoint-remediation-handoff .cavra/release/endpoint-remediation/endpoint-remediation-request.json --provider jira --provider private_queue --metadata-json .cavra/evidence/metadata.json --json
cavra release deliver-endpoint-remediation-sla .cavra/release/endpoint-remediation-sla/endpoint-remediation-sla-report.json --config .cavra/connectors.json --routing-policy .cavra/sla-notification-policy.json --provider all --metadata-json .cavra/evidence/metadata.json --json
cavra release ack-endpoint-remediation-sla ersla_123 --provider slack --acknowledged-by release-manager --metadata-json .cavra/evidence/metadata.json --json
cavra release endpoint-remediation-sla-notification-history --metadata-json .cavra/evidence/metadata.json --provider slack
cavra release endpoint-remediation-sla-notification-dashboard --metadata-json .cavra/evidence/metadata.json
cavra release endpoint-remediation-sla-escalation-plan --slo-policy .cavra/sla-escalation-policy.json --metadata-json .cavra/evidence/metadata.json --json
cavra release deliver-endpoint-remediation-sla-escalation .cavra/release/endpoint-remediation-sla-escalation-plan.json --config .cavra/connectors.json --provider all --metadata-json .cavra/evidence/metadata.json --json
cavra release review-endpoint-remediation-sla-escalation erslaesc_123 --report-id ersla_123 --provider slack --owner release-governance --reviewed-by release-manager --review-state escalated --metadata-json .cavra/evidence/metadata.json --json
cavra release endpoint-remediation-sla-escalation-action-history --metadata-json .cavra/evidence/metadata.json
cavra release endpoint-remediation-sla-escalation-action-dashboard --metadata-json .cavra/evidence/metadata.json
cavra release endpoint-remediation-sla-escalation-recurrence-plan --recurrence-policy .cavra/sla-escalation-recurrence-policy.json --metadata-json .cavra/evidence/metadata.json --json
cavra release deliver-endpoint-remediation-sla-escalation-recurrence .cavra/release/endpoint-remediation-sla-escalation-recurrence-plan.json --config .cavra/connectors.json --provider all --metadata-json .cavra/evidence/metadata.json --json
cavra release export-endpoint-remediation-sla-escalation-suppression-audit .cavra/release/endpoint-remediation-sla-escalation-recurrence-plan.json --metadata-json .cavra/evidence/metadata.json --json
cavra release endpoint-remediation-sla-escalation-recurrence-retry-plan --metadata-json .cavra/evidence/metadata.json --json
cavra release deliver-endpoint-remediation-sla-escalation-owner-digest .cavra/release/endpoint-remediation-sla-escalation-recurrence-plan.json --retry-plan .cavra/release/endpoint-remediation-sla-escalation-recurrence-retry-plan.json --config .cavra/connectors.json --provider all --metadata-json .cavra/evidence/metadata.json --json
cavra release endpoint-remediation-sla-escalation-suppression-trends --metadata-json .cavra/evidence/metadata.json --json
cavra release endpoint-remediation-sla-escalation-recurrence-history --metadata-json .cavra/evidence/metadata.json --action suppress
cavra release endpoint-remediation-sla-escalation-recurrence-dashboard --metadata-json .cavra/evidence/metadata.json
cavra release endpoint-remediation-sla-escalation-history --metadata-json .cavra/evidence/metadata.json --active-only
cavra release endpoint-remediation-sla-escalation-dashboard --metadata-json .cavra/evidence/metadata.json
cavra release endpoint-remediation-handoff-history --metadata-json .cavra/evidence/metadata.json --provider private_queue
cavra release endpoint-remediation-handoff-dashboard --metadata-json .cavra/evidence/metadata.json
cavra release record-endpoint-remediation-handoff-status .cavra/release/endpoint-remediation-handoff/endpoint-remediation-handoff.json --provider private_queue --status completed --external-ref queue-job-123 --metadata-json .cavra/evidence/metadata.json --json
cavra release endpoint-remediation-handoff-status-history --metadata-json .cavra/evidence/metadata.json --provider private_queue
cavra release endpoint-remediation-handoff-status-dashboard --metadata-json .cavra/evidence/metadata.json
cavra release endpoint-remediation-sla-report --metadata-json .cavra/evidence/metadata.json --index-metadata-json .cavra/evidence/metadata.json --warning-hours 24 --critical-hours 48 --json
cavra release endpoint-remediation-sla-history --metadata-json .cavra/evidence/metadata.json --alert-level critical
cavra release endpoint-remediation-sla-dashboard --metadata-json .cavra/evidence/metadata.json
cavra evidence search --sqlite .cavra/evidence/metadata.db --metadata-kind rollout-promotion-execution --rollout-status promoted --target-ring production --approval-state approved --promotion-execution-status executed --deployment-target github-actions-linux-amd64-runner
cavra evidence search --sqlite .cavra/evidence/metadata.db --metadata-kind rollout-rollback-execution --rollback-execution-status executed --approval-state approved
cavra evidence verify-attestation exits with a nonzero status when pr-attestation.md is missing or does not match the bundle evidence, so CI/CD systems can use it as a required merge check.
Connector delivery example:
cavra integration deliver .cavra/evidence/latest/siem-event.json --config .cavra/connectors.json --provider splunk
Registry examples:
cavra registry agent-register codex-agent --vendor OpenAI --capability code_edit --repository payments/api --owner "Platform AI"
cavra registry agent-register claude-code --vendor Anthropic --capability mcp_tool_call --sqlite .cavra/registry.db
cavra registry agent-list --owner "Platform AI"
cavra registry profiles
cavra registry mcp-register github-mcp --trust-tier approved --approval-state approved --capability repository --tool create_pull_request --owner "Developer Platform"
cavra registry mcp-register filesystem-mcp --trust-tier approved --approval-state approved --capability filesystem --tool read_file --sqlite .cavra/registry.db
cavra registry mcp-list --trust-tier approved
cavra registry mcp-check github-mcp create_pull_request --capability repository
cavra registry mcp-classifications --capability cloud
cavra registry migrate --sqlite .cavra/registry.db
cavra ops stores
cavra ops backup --output .cavra/backups/$(date +%Y%m%d)
cavra ops restore .cavra/backups/20260518/manifest.json --target-dir /tmp/cavra-restore-test
cavra ops retention-plan --output .cavra/operations/retention --retention-days 2555 --legal-hold
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?