Community v1.0.0 Release Candidate Publication
This packet prepares the public Community v1.0.0 release-candidate publication from the completed Node 24 readiness baseline, the stabilization plan, and the release-candidate hardening packet.
Community v1.0.0 RC1 can be published only after the maintainer can produce a tagged public source state, release notes, signed artifact verification, provenance evidence, and announcement-ready documentation without exposing Enterprise source code, private signing keys, private policy packs, private registry credentials, or customer material.
| Field | Value |
|---|---|
| Candidate | CAVRA Community v1.0.0 RC1 |
| Tag | community-v1.0.0-rc.1 |
| Package version | 1.0.0rc1 |
| Release state | dry-run-publication-ready |
| Planned GitHub Release | https://github.com/Huzefaaa2/cavra/releases/tag/community-v1.0.0-rc.1 |
| Release notes draft | docs/releases/community-v1.0.0-rc.1.md |
| Publication readiness verification | docs/release-verifications/community-v1.0.0-rc.1-publication-readiness.md |
| Publication packet | docs/release-verifications/community-v1.0.0-release-candidate-publication.json |
| Validator | scripts/validate-community-v100-rc-publication.py |
| Gate | Status | Evidence |
|---|---|---|
| Node 24 readiness baseline | Ready | Community CI, release, security, governance, and verification workflows use Node 24-ready action versions. |
| Release notes | Ready | `docs/releases/community-v1.0.0-rc.1.md` describes the RC scope, dry-run state, and verification path. |
| Signed artifact verification | Pending real artifacts | Final SHA-256 checksums, detached signatures, and keyless attestation links must be recorded after artifacts exist. |
| Provenance evidence | Pending real artifacts | Final SBOM and SLSA provenance references must be recorded after the release workflow produces artifacts. |
| Announcement readiness | Ready | README, wiki navigation, release index, release dashboard, and release notes point to the RC1 dry-run record. |
| Public boundary | Ready | `bash scripts/validate-boundaries.sh .` remains mandatory before publishing the RC. |
- Create the `community-v1.0.0-rc.1` tag from merged `main`.
- Run the Community release workflow and attach only public Community artifacts.
- Record SHA-256 checksums for every attached artifact.
- Attach detached signatures or keyless attestation evidence for every artifact.
- Attach SBOM and SLSA provenance evidence when produced by the workflow.
- Run `scripts/verify-community-release-artifacts.py --tag community-v1.0.0-rc.1`.
- Replace the dry-run readiness packet with post-publication verification.
- Confirm `README.md`, `docs/community-release-index.md`, `docs/community-release-readiness-dashboard.md`, and `docs/wiki/Home.md` all point to the published RC.
- Run `scripts/validate-community-v100-rc-publication.py`.
- Run `scripts/validate-boundaries.sh .`.
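A local pre-flight check for the checksum and signature steps in the list above, as an added example that is not CAVRA's `scripts/verify-community-release-artifacts.py`. The `SHA256SUMS` manifest name, the `.sig` and `.intoto.jsonl` evidence suffixes, and the function names are assumptions; the check confirms that evidence files are present and that recorded digests match, not that signatures are cryptographically valid.

```python
import hashlib
from pathlib import Path

# Assumed layout (not CAVRA's): all artifacts in one directory, a SHA256SUMS
# manifest in sha256sum format, and evidence stored beside each artifact as
# <artifact>.sig (detached signature) or <artifact>.intoto.jsonl (attestation).
MANIFEST = "SHA256SUMS"
EVIDENCE_SUFFIXES = (".sig", ".intoto.jsonl")


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large artifacts are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text: str) -> dict[str, str]:
    """Parse 'HEX  NAME' lines (sha256sum format) into {name: hex}."""
    recorded = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        hexdigest, _, name = line.partition(" ")
        recorded[name.strip().lstrip("*")] = hexdigest.lower()
    return recorded


def audit_release_dir(release_dir: Path) -> list[str]:
    """Return findings; an empty list means every artifact passed both gates."""
    findings = []
    manifest_path = release_dir / MANIFEST
    recorded = parse_manifest(manifest_path.read_text()) if manifest_path.exists() else {}
    names = {p.name for p in release_dir.iterdir() if p.is_file()}
    artifacts = sorted(n for n in names if n != MANIFEST and not n.endswith(EVIDENCE_SUFFIXES))
    for name in artifacts:
        if name not in recorded:
            findings.append(f"{name}: no SHA-256 recorded")
        elif recorded[name] != sha256_file(release_dir / name):
            findings.append(f"{name}: SHA-256 mismatch")
        if not any(name + suffix in names for suffix in EVIDENCE_SUFFIXES):
            findings.append(f"{name}: no signature or attestation")
    # A manifest entry with no attached file means the record and the release diverge.
    for name in sorted(set(recorded) - set(artifacts)):
        findings.append(f"{name}: listed in manifest but not attached")
    return findings
```
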
- RC1 release notes draft exists.
- RC1 publication readiness verification exists.
- README links RC1 release notes, readiness verification, and publication packet.
- Wiki navigation links RC1 release notes, verification, and publication preparation.
- Release index and readiness dashboard include RC1 as a dry-run record.
- Publication validator runs in Community CI, security scan, release, and governance workflows.
- GitHub Release exists for `community-v1.0.0-rc.1`.
- Published artifacts include SHA-256 checksums.
- Published artifacts include detached signatures or keyless attestation evidence.
- Published artifacts include SBOM and SLSA provenance references when generated.
- Clean install smoke records `cavra 1.0.0rc1`.
- As a developer, I can inspect the RC1 release notes before the release is published and understand which verification steps will become mandatory.
- As a platform engineer, I can see exactly where checksums, signatures, and provenance must be recorded before testing RC1 internally.
- As a CISO, I can confirm the RC announcement path is gated on public boundary validation and does not depend on private Enterprise implementation.
- As an auditor, I can trace the RC1 dry-run record to the future tagged release, verification packet, README links, and wiki navigation.
Decision: approve RC1 publication preparation as a dry-run release record.
The actual Community v1.0.0 RC1 release must still be published from merged `main`, and final artifact checksums, signature verification, provenance evidence, release links, and post-publication verification must be recorded after artifacts exist.
This publication preparation covers public Community release-candidate documentation only. It does not include Enterprise source code, private policy packs, SaaS backend implementation, license-service internals, private signing keys, private registry credentials, customer templates, or customer records.
Publish Community v1.0.0 release-candidate artifacts from the completed Node 24 readiness baseline and record signed artifact checksums, provenance, GitHub Release links, and post-publication verification evidence.