Community v1.0.0 Release Candidate Hardening
This packet hardens the public Community v1.0.0 release-candidate path after the completed Node 24 readiness baseline and the Community v1.0.0 stabilization plan.
Community v1.0.0 can move toward a public release candidate only when the release operator can prove artifact integrity, provenance, announcement readiness, final operator evidence, and public open-core boundaries without using Enterprise source code or private signing material.
| Workstream | RC Evidence | Exit Condition |
|---|---|---|
| Signed artifacts | Release artifact list, SHA-256 manifest, detached signature references, and keyless attestation references | Every RC artifact is either signed or explicitly blocked before publication. |
| Reproducible provenance verification | Build source commit, workflow run, SBOM reference, SLSA provenance reference, and verifier command output | A maintainer can verify the RC from tagged public source and recorded build inputs. |
| GA announcement checklist | README links, release notes draft, wiki navigation, release index, dashboard state, and announcement copy review | Public users can understand install, verification, support boundary, and next action. |
| Final operator evidence | Release verification runbook, Evidence Console path, boundary validation, CI checks, and release decision | Operators, auditors, platform teams, and CISOs can follow one coherent RC evidence chain. |
| Public boundary | Boundary validation output, Enterprise-folder warning, and trial-distribution documentation | No Enterprise source, private policy pack, customer material, private key, license-service secret, or private registry credential is public. |
- docs/community-v1.0.0-release-candidate-hardening.md
- docs/release-verifications/community-v1.0.0-release-candidate-hardening.json
- docs/releases/community-v1.0.0.md (before RC publication)
- docs/release-verifications/community-v1.0.0-maintenance-verification.md
- docs/release-verifications/community-v1.0.0-post-release-verification.md
- docs/community-release-index.md
- docs/community-release-readiness-dashboard.md
- docs/community-release-verification-runbook.md
- .github/workflows/verify-community-release.yml
- scripts/verify-community-release-artifacts.py
- scripts/validate-community-v100-rc-hardening.py
| Gate | Status | Owner | Evidence |
|---|---|---|---|
| Node 24 readiness baseline | Ready | release-agent | Community CI, release, governance, and security workflows use Node 24-ready action versions. |
| Signed artifacts | Planned for RC publication | release-agent | Final checksums, detached signatures, and attestation links are recorded after artifacts exist. |
| Reproducible provenance verification | Planned for RC publication | release-agent | SLSA provenance, SBOM metadata, and rebuild inputs are recorded with the tagged RC. |
| GA announcement checklist | Ready for RC draft | docs-agent | README, wiki navigation, release index, and readiness dashboard have public RC links. |
| Final operator evidence | Ready for RC draft | architect-agent | Verification runbook, Evidence Console path, release dashboard, and CI validators are wired. |
| Public boundary | Ready | security-agent | `scripts/validate-boundaries.sh .` remains the public boundary gate before RC publication. |
- Build the Community RC from a tagged public source commit.
- Attach Community source distribution and wheel artifacts only.
- Record SHA-256 checksums for every attached artifact.
- Attach detached signatures or keyless attestation evidence for every artifact.
- Attach SBOM and SLSA provenance references when generated by the release workflow.
- Run `scripts/verify-community-release-artifacts.py` against the RC tag.
- Run `scripts/validate-community-v100-rc-hardening.py`.
- Run `scripts/validate-boundaries.sh .`.
- Confirm README, release notes, release index, dashboard, and wiki navigation all reference the same RC.
- Confirm the Evidence Console and release verification runbook describe the same operator path.
- Confirm no Enterprise source code, private signing key, license-service secret, private registry token, private policy pack, or customer material is present.
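The checks behind the "signed artifacts" exit condition (every attached artifact has a recorded SHA-256 checksum and a detached signature or attestation, and nothing is published that is not in the manifest) can be expressed as a small gate. The block below is an added example, not the project's own `scripts/verify-community-release-artifacts.py`, whose behaviour this page does not describe. It assumes a `sha256sum`-style manifest, artifact names ending in `.tar.gz` or `.whl`, and signature or attestation sidecars named `<artifact>.sig`, `<artifact>.sigstore.json` or `<artifact>.intoto.jsonl`; the artifact names and file contents in `demo()` are constructed for the demonstration.

```python
"""Hypothetical RC artifact gate (added example; not CAVRA's own verifier)."""
import hashlib
import tempfile
from pathlib import Path

# Assumed naming conventions for this example, not taken from the project.
ARTIFACT_SUFFIXES = (".tar.gz", ".whl")
SIGNATURE_SUFFIXES = (".sig", ".sigstore.json", ".intoto.jsonl")
HEX = set("0123456789abcdef")


def parse_manifest(text):
    """Parse `sha256sum` output ('<64 hex>  <name>' or '<64 hex> *<name>') into {name: digest}.

    Malformed or duplicate lines are rejected rather than skipped: a manifest that
    cannot be parsed unambiguously must not pass the gate.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or len(parts[0]) != 64 or not set(parts[0].lower()) <= HEX:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' = binary mode marker
        if name in entries:
            raise ValueError(f"duplicate manifest entry: {name}")
        entries[name] = digest
    return entries


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large sdists do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_release_dir(release_dir, manifest_text):
    """Return (ok, findings) for a directory of RC artifacts.

    Every artifact must be listed in the manifest with a matching digest and must
    have a signature/attestation sidecar; manifest entries with no file are also
    reported, so a manifest cannot silently promise an artifact that is absent.
    """
    release_dir = Path(release_dir)
    manifest = parse_manifest(manifest_text)
    findings = []
    artifacts = sorted(p for p in release_dir.iterdir() if p.name.endswith(ARTIFACT_SUFFIXES))
    if not artifacts:
        findings.append("no release artifacts found")
    for art in artifacts:
        expected = manifest.get(art.name)
        if expected is None:
            findings.append(f"{art.name}: not listed in SHA-256 manifest")
        elif sha256_file(art) != expected:
            findings.append(f"{art.name}: checksum mismatch")
        if not any((release_dir / (art.name + s)).exists() for s in SIGNATURE_SUFFIXES):
            findings.append(f"{art.name}: no detached signature or attestation sidecar")
    for name in manifest:
        if not (release_dir / name).exists():
            findings.append(f"{name}: listed in manifest but missing from release directory")
    return (not findings, findings)


def demo():
    """Constructed sample: one fully covered wheel, one sdist tampered after the
    manifest was written and left without a signature sidecar."""
    d = Path(tempfile.mkdtemp(prefix="rc-gate-"))
    good = d / "cavra_community-1.0.0rc1-py3-none-any.whl"  # constructed name
    bad = d / "cavra_community-1.0.0rc1.tar.gz"  # constructed name
    good.write_bytes(b"constructed wheel bytes\n")
    bad.write_bytes(b"constructed sdist bytes\n")
    (d / (good.name + ".sig")).write_bytes(b"constructed signature placeholder")
    manifest = f"{sha256_file(good)}  {good.name}\n{sha256_file(bad)}  {bad.name}\n"
    bad.write_bytes(b"tampered after manifest was written\n")  # simulate post-manifest change
    return check_release_dir(d, manifest)


if __name__ == "__main__":
    ok, findings = demo()
    print("PASS" if ok else "BLOCK")
    for f in findings:
        print(" -", f)
```

The sidecar check only proves that signature material was attached, not that it verifies: the real gate must additionally run the signature or attestation verifier (for example `cosign verify-blob` or `gh attestation verify`) against the expected signer identity and the recorded build source commit, and treat any artifact that fails as blocked rather than published.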
- As a developer, I can install the Community release candidate and verify the package version, checksum, and public release notes before adoption.
- As a platform engineer, I can validate signatures, provenance, and the release verifier output before adding CAVRA to CI runner images.
- As a CISO, I can review a single public RC evidence packet before approving CAVRA for broader AI-agent governance pilots.
- As an auditor, I can confirm that Community artifacts were built from public source and that Enterprise-only code was not included.
The Community v1.0.0 RC path is ready for publication preparation, but no RC has been tagged yet. Final artifact checksums, signatures, provenance, and post-release verification can only be recorded after the maintainer publishes the actual RC artifacts.
This packet is public Community release-candidate hardening only. It does not include Enterprise source code, private policy packs, private trial packages, license-service internals, SaaS backend implementation, private signing keys, private registry credentials, private customer templates, or customer records.
Prepare Community v1.0.0 release-candidate publication from the completed Node 24 readiness baseline with signed artifact verification, provenance evidence, release notes, and announcement readiness.
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?