Connector Execution Hooks

Huzefaaa2 edited this page May 19, 2026 · 4 revisions

CAVRA now supports live connector execution hooks for SIEM, ChatOps, ITSM, generic webhooks, and endpoint-management publication delivery.

Supported Providers

  • SIEM: Splunk HEC, Microsoft Sentinel or Log Analytics ingestion endpoints, Datadog Logs, generic webhook.
  • ChatOps: Slack incoming webhooks, Microsoft Teams incoming webhooks.
  • ITSM: Jira issue API, ServiceNow change request API.
  • Endpoint management: Jamf, Microsoft Intune, and Linux fleet delivery endpoints for governed runtime export publication.

Configuration

Use examples/connectors/cavra-connectors.example.json as a starting point. Production deployments should store secrets in environment variables and reference them with token_env, api_key_env, authorization_env, or url_env.

export CAVRA_CONNECTOR_CONFIG=.cavra/connectors.json
export SPLUNK_HEC_URL=https://splunk.example/services/collector
export SPLUNK_HEC_TOKEN=...

Credential-bearing headers are redacted in delivery evidence. URLs with query strings are also redacted.
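
The sketch below is an added example, not CAVRA's own code: it checks before a delivery that every `*_env` reference in a connector config resolves to a set environment variable, and shows one way to redact headers and URLs before they are written to delivery evidence. The config nesting, the header list, the `[REDACTED]` marker, and the stripping of URL userinfo are assumptions.

```python
import os
from urllib.parse import urlsplit, urlunsplit

REDACTED = "[REDACTED]"  # assumed marker, not necessarily the one CAVRA writes
# Assumed set of credential-bearing header names (compared lower-case).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "x-api-key",
                     "dd-api-key", "cookie"}
# Constructed config: the nesting is hypothetical, the *_env keys are the page's.
SAMPLE_CONFIG = {"connectors": [
    {"provider": "splunk", "url_env": "SPLUNK_HEC_URL",
     "token_env": "SPLUNK_HEC_TOKEN"},
]}

def missing_env_refs(config, environ=None):
    """Return the env var names referenced by *_env keys that are unset or empty."""
    environ = os.environ if environ is None else environ
    missing = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key.endswith("_env") and isinstance(value, str):
                    if not environ.get(value):
                        missing.add(value)  # record the name, never the value
                else:
                    walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(config)
    return sorted(missing)

def redact_headers(headers):
    """Keep header names for audit, replace credential-bearing values."""
    return {name: (REDACTED if name.lower() in SENSITIVE_HEADERS else value)
            for name, value in headers.items()}

def redact_url(url):
    """Strip userinfo and fragment, and mask any query string (may carry tokens)."""
    parts = urlsplit(url)
    netloc = parts.netloc.rpartition("@")[2]  # drop "user:password@" if present
    query = REDACTED if parts.query else ""
    return urlunsplit((parts.scheme, netloc, parts.path, query, ""))

if __name__ == "__main__":
    print(missing_env_refs(SAMPLE_CONFIG))
    print(redact_url("https://hooks.example/in?token=constructed"))
```

Running the env check in CI or at service start surfaces a missing secret by name without ever printing a secret value.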

API Delivery

Register an integration record:

curl -X POST http://127.0.0.1:8000/integrations \
  -H 'content-type: application/json' \
  -d '{"integration_id":"splunk","provider":"splunk","category":"siem","status":"active","health_status":"healthy"}'

Deliver an event through that integration:

curl -X POST http://127.0.0.1:8000/integrations/splunk/deliver \
  -H 'content-type: application/json' \
  -d '{"event":{"event_type":"cavra.evidence_bundle","session_id":"demo-session","decision_count":7,"blocked_count":4,"approval_required_count":1,"max_severity":"high"},"retries":1}'

The response uses cavra.connector.delivery.v1 and records provider, success, status code, attempt count, redacted request metadata, and errors.

Release governance records can use the same connector path:

curl -X POST http://127.0.0.1:8000/promotion-executions/rpe_prod/audit-export/deliver \
  -H 'content-type: application/json' \
  -d '{"provider":"webhook","retries":1}'

curl -X POST http://127.0.0.1:8000/rollback-executions/rre_prod/deliver \
  -H 'content-type: application/json' \
  -d '{"provider":"webhook","retries":1}'

curl -X POST http://127.0.0.1:8000/endpoint-management-exports/eme_stable/publish \
  -H 'content-type: application/json' \
  -d '{"provider":"jamf","retries":1}'

Release governance API deliveries are indexed as metadata_kind=release-connector-delivery in the active evidence metadata store. Review delivery history and alert summaries:

curl 'http://127.0.0.1:8000/release-connector-deliveries?provider=webhook&success=false'
curl http://127.0.0.1:8000/release-connector-deliveries/dashboard
curl 'http://127.0.0.1:8000/endpoint-management-publications?provider=jamf&success=false'
curl http://127.0.0.1:8000/endpoint-management-publications/dashboard

CLI Delivery

cavra integration deliver .cavra/evidence/latest/siem-event.json \
  --config .cavra/connectors.json \
  --provider splunk \
  --output .cavra/integrations/deliveries

cavra release deliver-promotion-audit .cavra/release/rollout-promotion-execution/rollout-promotion-execution.json \
  --config .cavra/connectors.json \
  --provider webhook \
  --retries 1 \
  --metadata-json .cavra/evidence/metadata.json

cavra release deliver-rollback-execution .cavra/release/rollout-rollback-execution/rollout-rollback-execution.json \
  --config .cavra/connectors.json \
  --provider webhook \
  --retries 1 \
  --metadata-json .cavra/evidence/metadata.json

cavra release deliver-endpoint-export .cavra/release/endpoint-management-export/endpoint-management-export-manifest.json \
  --config .cavra/connectors.json \
  --provider jamf \
  --retries 1 \
  --metadata-json .cavra/evidence/metadata.json

cavra release connector-delivery-history --metadata-json .cavra/evidence/metadata.json --provider webhook --no-success
cavra release connector-delivery-dashboard --metadata-json .cavra/evidence/metadata.json
cavra release endpoint-publication-history --metadata-json .cavra/evidence/metadata.json --provider jamf --no-success
cavra release endpoint-publication-dashboard --metadata-json .cavra/evidence/metadata.json

User Stories

  • As a SOC analyst, I can receive CAVRA evidence events in SIEM without manually uploading JSON.
  • As a platform engineer, I can send governance notifications to Slack or Teams with redacted delivery evidence.
  • As a change manager, I can create Jira or ServiceNow records from CAVRA events.
  • As a release manager, I can route promotion audit and rollback execution events with retry evidence.
  • As a release manager, I can review persisted release connector delivery history by provider, event, and success state.
  • As an endpoint engineer, I can see whether a Jamf, Intune, or Linux export was actually delivered after it was generated.
  • As a SOC analyst, I can see dashboard alerts when release governance delivery fails.
  • As an auditor, I can inspect delivery evidence without seeing connector secrets.

Enterprise Value

Connector execution hooks move CAVRA from generated payloads to operational delivery. Teams can route AI-agent governance evidence into existing SOC, ChatOps, and change-management systems while preserving redacted audit trails.
