-
Notifications
You must be signed in to change notification settings - Fork 0
Community GA User Verifiable Path
This page ties the public CAVRA Community GA release into one operator-verifiable path. It connects Policy, Evidence, Console, Go Runtime readiness, and Release Verification so maintainers, auditors, platform teams, and CISOs can inspect the same release story from public artifacts.
Run the validator from the repository root:
python scripts/validate-community-ga-path.pyExpected success output:
CAVRA Community GA path validation passed.
| Area | Public Evidence | User-Verifiable Check |
|---|---|---|
| Policy |
docs/community-ga-release-checklist.md, docs/release-packets/community-ga-v0.1.0.json
|
Policy signing, policy validation, runtime modes, and golden decisions are required Community GA gates. |
| Evidence |
docs/release-packets/community-ga-v0.1.0.md, docs/release-verifications/community-v0.1.0-post-release-verification.md
|
Release packet and post-release verification show gate status, artifact checksums, install smoke, and public boundary status. |
| Console |
apps/sandbox-ui, docs/sandbox-portal-smoke-validation.md, docs/console-closeout-operator-experience.md
|
Portal smoke validation and console closeout validation prove public routes, operator journeys, and documentation links remain coherent. |
| Go Runtime |
docs/release-packets/community-ga-v0.1.0.json, docs/go-backend-promotion.md
|
Go runtime readiness is explicit. For Community GA v0.1.0, Go remains disabled/not promoted and Python remains authoritative. |
| Release Verification |
docs/releases/community-v0.1.0.md, docs/release-verifications/community-v0.1.0-post-release-verification.json, .github/workflows/verify-community-release.yml
|
Release notes, artifact verification, README/wiki navigation, and manual verification workflow are linked. |
-
Start with the current public release:
docs/releases/community-v0.1.0.md. -
Confirm the release packet:
docs/release-packets/community-ga-v0.1.0.json. -
Confirm post-release artifact verification:
docs/release-verifications/community-v0.1.0-post-release-verification.json. -
Run the public release validators:
python scripts/validate-release-packets.py python scripts/validate-maintenance-release-evidence.py python scripts/validate-community-release-note-freshness.py python scripts/validate-community-release-index.py python scripts/validate-community-release-readiness-dashboard.py python scripts/validate-sandbox-portal.py python scripts/validate-console-closeout.py python scripts/validate-community-ga-path.py scripts/validate-boundaries.sh . -
Confirm CI evidence in the public workflows:
.github/workflows/community-ci.yml,.github/workflows/security-scan.yml,.github/workflows/release-community.yml, and.github/workflows/cavra-governance.yml. -
Confirm GitHub Release artifacts exist at
https://github.com/Huzefaaa2/cavra/releases/tag/community-v0.1.0. -
Keep Go Runtime promoted only when readiness, promotion, rollback, rehearsal, and drill evidence are complete. Otherwise, treat disabled Go as the correct Community GA state.
This path is public Community Edition release evidence only. It does not expose Enterprise source code, private policy packs, SaaS backend implementation, license-service internals, customer evidence, private connector configuration, provider credentials, private signing keys, billing records, or private trial package paths.
- As a maintainer, I can verify the full Community GA story with one documented path before publishing release changes.
- As an auditor, I can trace Community GA from release notes to packet, verification evidence, console checks, and public boundary status.
- As a platform engineer, I can confirm policy, CI, console, and runtime readiness gates without needing private Enterprise repositories.
- As a CISO, I can see that Go Runtime promotion is explicit and not silently enabled without rollback and readiness evidence.
Regulated teams need proof that a release is not just tagged, but governed end to end. This GA path turns CAVRA Community release evidence into a public, repeatable audit trail that a buyer, maintainer, platform owner, or auditor can verify without private access.
Merge the Community v1.0.0 metadata bump, create the community-v1.0.0 tag from main, build and upload final GitHub Release assets, then record final checksums, provenance, verifier defaults, and post-publication verification.
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?
| Start | Build | Operate | Assure |
|---|---|---|---|
| Quick Start | CLI | Enterprise Guide | AISPM |
| Reader Paths | Policy Syntax | Deployments | Evidence |
| Community | GUI | Troubleshooting | Conclusion |
- Foreword And Reader Paths
- Why CAVRA Exists
- Runtime Authority Model
- Architecture
- Editions
- Install And Deploy
- Community Guide
- Enterprise Guide
- CLI Reference
- GUI And Sandbox
- AISPM Guide
- Policy And Evidence
- Operations And Integrations
- Labs And Use Cases
- Appendices And FAQ
- Policy Language Reference
- Troubleshooting Playbook
- Conclusion