Console Security Boundary
Huzefaaa2 edited this page May 18, 2026 · 28 revisions
Phase 6 now reports the deployed console/API security boundary.
- Read-only `GET /console/security-boundary`.
- Read-only `GET /console/session` for signed bearer-token actor context.
- OIDC readiness from `CAVRA_APPROVAL_OIDC_CONFIG`.
- Repository RBAC readiness from `CAVRA_APPROVAL_RBAC_FILE`.
- CORS origin visibility from `CAVRA_CORS_ORIGINS`.
- Browser-visible console permission categories.
- Operator notes for production deployments.
```sh
curl http://127.0.0.1:8000/console/security-boundary
```

The sandbox console displays the same information in the Console Security Boundary panel.
The boundary endpoint reports whether the console/API topology is ready for signed OIDC actor tokens and repository RBAC on approval decisions, break-glass actions, and policy publish write-back. `GET /console/session` validates a bearer token and reports the actor context it carries. Production deployments should host the console behind enterprise identity and restrict CORS to the console's own origin.
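The readiness logic the boundary endpoint exposes, as an added example that is not CAVRA's own code: it reads the three environment variables the page names and returns readiness flags plus findings for a platform engineer to review before rollout. The JSON shape of the OIDC file, the comma-separated form of `CAVRA_CORS_ORIGINS`, the `https://` checks and the returned keys are all assumptions, not the project's actual format.

```python
import json
import tempfile
from pathlib import Path


def boundary_report(env: dict) -> dict:
    """Readiness flags and findings from the three variables the page names."""
    findings = []

    # OIDC: assumed JSON file with "issuer" and "audience" keys (format not given on the page).
    oidc_path = env.get("CAVRA_APPROVAL_OIDC_CONFIG")
    oidc_ready = False
    if oidc_path and Path(oidc_path).is_file():
        cfg = json.loads(Path(oidc_path).read_text())
        oidc_ready = str(cfg.get("issuer", "")).startswith("https://") and bool(cfg.get("audience"))
        if not oidc_ready:
            findings.append("OIDC config present but issuer is not https or audience is missing")
    else:
        findings.append("CAVRA_APPROVAL_OIDC_CONFIG unset: approvals run without signed actor tokens")

    # RBAC: the page only says a file is referenced, so file presence is the check.
    rbac_path = env.get("CAVRA_APPROVAL_RBAC_FILE")
    rbac_ready = bool(rbac_path) and Path(rbac_path).is_file()
    if not rbac_ready:
        findings.append("CAVRA_APPROVAL_RBAC_FILE unset: no repository RBAC on approval decisions")

    # CORS: assumed comma-separated list; an empty list, "*" or an http origin is not restricted.
    origins = [o.strip() for o in env.get("CAVRA_CORS_ORIGINS", "").split(",") if o.strip()]
    cors_restricted = bool(origins) and all(o.startswith("https://") for o in origins)
    if not cors_restricted:
        findings.append("CAVRA_CORS_ORIGINS empty, wildcard or non-https: restrict to the console origin")

    return {
        "oidc_ready": oidc_ready,
        "rbac_ready": rbac_ready,
        "cors_restricted": cors_restricted,
        "production_ready": oidc_ready and rbac_ready and cors_restricted,
        "findings": findings,
    }


def demo_production_env() -> dict:
    """Constructed production-style wiring: sample OIDC and RBAC files in a temp dir."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "oidc.json").write_text(json.dumps({"issuer": "https://login.example.com", "audience": "cavra"}))
    (tmp / "rbac.json").write_text(json.dumps({"approver": ["alice@example.com"]}))
    return boundary_report({"CAVRA_APPROVAL_OIDC_CONFIG": str(tmp / "oidc.json"),
                            "CAVRA_APPROVAL_RBAC_FILE": str(tmp / "rbac.json"),
                            "CAVRA_CORS_ORIGINS": "https://console.example.com"})
```

Calling `boundary_report({})` models the unwired sandbox and yields three findings; `demo_production_env()` shows the fully wired case with none.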
- As a platform engineer, I can confirm OIDC and RBAC wiring before production console rollout.
- As a security architect, I can separate static demo console behavior from production identity boundaries.
- As an auditor, I can inspect the control boundary for approval decisions.
The next recommended work is Go daemon evidence hooks and public sandbox URL validation after deployment from main.
Source repository: github.com/Huzefaaa2/cavra