Current Feature Inventory
Implemented modules: policy registry, policy authoring preview, approval-bound signed policy publishing, rollout change planning, runtime guard, session audit, command interceptor, PR attestation exporter, webhook exporter, connector execution hooks, connector delivery history dashboards, approval router, evidence hub, evidence artifact retrieval, CI/CD required-check templates, activity persistence, repository inventory, policy rollout persistence, integration inventory, persistent API operations, production deployment validation, Typer CLI, MCP server, FastAPI app, sandbox decision model, Go enforcement-plane parity scaffold, opt-in Go backend pilot, Go backend deployment readiness, Go backend promotion gate, Go backend rollback controls, Go backend rollback rehearsal evidence, Go backend rollback drill history, Go backend rollback drill scheduling and stale notification delivery, Go backend rollback drill notification acknowledgements and escalation plans, Go backend rollback drill owner routing, maintenance-window suppression, routing history filters, suppression trend summaries, authenticated drill acknowledgement controls, bulk drill acknowledgement workflows, acknowledgement audit packages, acknowledgement audit delivery routing, acknowledgement audit delivery health dashboards, acknowledgement audit delivery retry plans, scheduled acknowledgement audit delivery worker runs, worker health alerts, retry acknowledgements, retry execution approvals, connector recovery playbooks, approval-bound live retry execution records, connector recovery closure evidence, retry execution dashboards, recovery SLO reporting, closure trend analytics, recovery escalation notifications, recovery escalation acknowledgements, escalation delivery retry plans, recovery escalation retry workers, recovery escalation retry execution records, recovery escalation retry health reports, recovery retry health alert delivery, retry planning and retry worker execution, executive recovery 
reports, scheduled executive report runs, executive report delivery, executive report delivery retry plans, executive report delivery retry execution, executive delivery retry health reports, and executive retry health alert delivery and acknowledgements, final reporting closure dashboards, release-readiness summaries, operator runbook exports, readiness approval decisions, release record attachments, closure packet verifications, auditor exports, auditor export delivery routing, immutable archive references, auditor export retry planning, auditor export retry worker execution records, archive reference health checks, archive health alert delivery acknowledgements, final closeout delivery, retention review approvals, downloadable closeout artifact bundles, closeout retention health reports, retention health alert delivery, closeout delivery retry plans, closeout retry workers, closeout retry execution records, final closeout operator runbooks, final closeout release criteria, final closeout trial guidance, final closeout trial walkthrough, synthetic sample evidence package, sales-engineering demo script, interactive final closeout sandbox flow, downloadable final closeout sample evidence, release-criteria summary cards, final closeout production pilot intake worksheets, pilot readiness checklists, Enterprise/SaaS handoff plan, synthetic pilot intake template, Go enforcement contracts, typed release-governance evidence contract payloads, runner authentication contract payloads, typed release-governance daemon and CI runner examples, Go daemon transport, Go daemon client helper, signed runner authentication claims, CI-provider OIDC JWT runner verification, provider-native runner OIDC token acquisition for GitHub Actions, GitLab CI, and Azure Pipelines wrappers, runner/evidence key custody documentation, hash-chained HMAC-signed daemon evidence streams, daemon evidence verifier CLI support, signed CI runner bundle metadata, reusable release-governance runner wrappers, 
GitHub composite runner action, release governance record parity for approvals, delivery failures, endpoint publication, inventory freshness, reconciliation drift, SLA reports, and handoff status, release channel manifests, managed workstation updater policy, release-channel promotion approvals, endpoint-management export bundles, release channel publishing history views, governed endpoint export downloads, endpoint export publication delivery, endpoint inventory ingestion, endpoint inventory freshness SLA reporting, reconciliation automation from ingested inventory, managed endpoint deployment reconciliation, endpoint drift monitoring dashboards, approval-bound endpoint drift remediation plans, endpoint remediation handoff packages, endpoint remediation handoff status reconciliation, endpoint remediation SLA and executive reporting, endpoint remediation SLA notification delivery, notification routing policies, acknowledgement tracking, duplicate suppression windows, escalation ladders, owner-specific service-level objectives, recurrence retry policies, owner digest notifications, suppression trend analytics, Evidence Console recurrence operations filters and export drill-downs, Evidence Console drill notification acknowledgement and escalation drill-downs, scheduled recurrence automation worker runs, Evidence Console recurrence automation worker history, recurrence automation deployment templates, recurrence automation health reporting, recurrence automation health alert delivery and acknowledgements, hosted sandbox deployment workflow, CAVRA brand asset system, open-core edition boundaries, public-safe licensing placeholders, feature registry, and plugin runtime interfaces.
Agent enforcement readiness: agent enforcement-readiness inspects local CAVRA enforcement files and optional exported provider settings for required-check workflow coverage, evidence artifacts, agent manifests, PR templates, CODEOWNERS, branch protection, required checks, security checks, and risky workflow permission patterns.
Existing CLI commands: version, evaluate, agent start, agent exec, agent attest, agent enforcement-readiness, policy list, policy describe, policy validate, policy test, policy explain, policy compile, policy diff, policy sign, policy verify, policy simulate, policy dry-run, policy init, runtime go-pilot-readiness, runtime go-deployment-readiness, runtime go-promotion-readiness, runtime go-rollback-readiness, runtime go-rollback-rehearsal, runtime go-rollback-drills, runtime go-rollback-drill-schedule, runtime go-rollback-drill-notification-plan, runtime go-rollback-drill-notification-ack, runtime go-rollback-drill-escalation-plan, runtime go-pilot-evaluate, integration deliver, ops stores, ops backup, ops restore, ops retention-plan, init claude-code, demo before-the-agent-acts.
Policy engine hardening: policy validate uses JSON Schema, policy compile emits normalized output and accepts overlays, policy diff reports semantic added/removed/changed paths, policy sign emits signature metadata, policy verify detects digest tampering, and policy packs can inherit parent packs through metadata.inherits.
Evidence hub: evidence bundle creates manifest.json, evidence.json, pr-attestation.md, compliance-mapping.md, siem-event.json, and sandbox-run-summary.json; evidence verify validates checksums plus optional HMAC or Ed25519 signatures; trust-root bundles, offline trust-root distribution packages, retention artifacts, immutable storage plans, AWS S3 Object Lock and Azure Blob immutability deployment references, SQLite metadata indexing, PR attestation verification, and governed artifact retrieval are available. Go release packaging includes signed installer metadata, managed endpoint deployment manifests, release channel manifests, managed workstation updater policy, signed release-channel promotion approvals, Jamf/Intune/Linux endpoint-management export bundles, release channel promotion request indexing, endpoint export indexing, API and Evidence Console publishing history views, governed endpoint export downloads, checksum-enforced endpoint export integrity, endpoint export publication records, Jamf/Intune/Linux connector delivery, endpoint publication history dashboards, endpoint inventory ingestion for Jamf, Intune, Linux fleet, and EDR exports, endpoint inventory freshness SLA reports, reconciliation automation from ingested inventory, managed endpoint reconciliation, endpoint drift dashboards, approval-bound endpoint drift remediation requests, approved remediation execution records, endpoint remediation handoff packages, endpoint remediation handoff status reconciliation, SLA breach reporting, executive summaries, SLA notification delivery, routing plans, duplicate suppression, acknowledgement records, escalation ladders, owner-specific acknowledgement and resolution SLO state, escalation delivery actions, owner review records, recurrence policies, owner calendars, maintenance-window suppression, recurrence delivery batching, suppression audit exports, recurrence retry policies, owner digest notifications, and suppression trend analytics for ITSM, ChatOps, 
and private connector queues, managed rollout evidence capture, rollout evidence verification and indexing, rollout evidence search filters and console/API views, governed rollout artifact retrieval, rollout artifact integrity status, promotion readiness indicators, signed promotion approval requests, approved promotion execution records, promotion execution search and audit drill-downs, rollback evidence links, approved rollback execution records, SIEM/ITSM promotion audit exports, connector delivery for promotion audit and rollback execution records, persisted connector delivery history, alert dashboard summaries, installer smoke validation, SBOM, provenance, keyless attestations, release evidence, and air-gapped verification.
Approval router: approval create, list, approve, deny, expire, break-glass, route, migrate, export-notifications, provider-requests, and deliver support JSON or SQLite stores, repository routing files, local claims authorization, signed OIDC/JWKS validation, repository RBAC policies, Entra ID and Okta deployment references, provider payload exports, credential-free provider request specs, live provider delivery with redacted evidence, console break-glass creation, and approval audit detail views.
Existing API endpoints: /health, /version, /policies, /policy-packs, /policy-pack-catalog, /policy-packs/draft, /policy-packs/publish-plan, /policy-packs/publish-request, /policy-packs/publish, /policy-rollouts/change-plan, /policy-rollouts/apply-change, /deployment/production-readiness, /runtime/go-pilot/readiness, /runtime/go-pilot/deployment-readiness, /runtime/go-pilot/promotion-readiness, /runtime/go-pilot/rollback-readiness, /runtime/go-pilot/rollback-rehearsal, /runtime/go-pilot/rollback-drills, /runtime/go-pilot/evaluate, /decisions, /sessions, /agents, /repositories, /approvals, /evidence, /evidence/{session_id}/artifacts, /integrations, /integrations/{integration_id}/deliver, /mcp/servers, /mcp/trust, /risk/events, /compliance/mappings, and sandbox endpoints under /api/sandbox.
Activity persistence: POST /decisions evaluates and persists decisions, GET /decisions searches decisions by session, agent, repository, policy pack, outcome, severity, and action type, and GET /sessions searches session summaries. JSON and SQLite stores are supported through CAVRA_ACTIVITY_STORE and CAVRA_ACTIVITY_DB.
Repository inventory and policy rollout persistence: POST /repositories upserts repository scope, ownership, status, protected branch, required check, risk tier, and active policy metadata; GET /repositories searches by provider, owner, policy pack, status, and risk tier; POST /policy-rollouts upserts rollout mode, state, owner, version, coverage, and evidence references; and GET /policy-rollouts searches by repository, policy pack, state, mode, and owner. JSON and SQLite stores are supported through CAVRA_INVENTORY_STORE and CAVRA_INVENTORY_DB.
Policy rollout drill-downs: GET /policy-rollout-details/{rollout_id} joins rollout state with repository inventory, policy pack metadata, matching decision activity, integration inventory, and readiness checks. The console shows rollout detail from each policy rollout row.
Policy authoring and rollout changes: GET /policy-pack-catalog summarizes installed policy packs, POST /policy-packs/draft validates read-only policy drafts, POST /policy-packs/publish-plan previews approval-bound write-back, POST /policy-packs/publish-request creates a digest-bound approval request, POST /policy-packs/publish writes policy.yaml and signature metadata only after matching approval, POST /policy-rollouts/change-plan previews rollout transitions, and POST /policy-rollouts/apply-change persists rollout changes with verified actor context when OIDC or RBAC is configured.
Integration inventory persistence: POST /integrations upserts provider, category, owner, environment, auth mode, endpoint reference, status, health status, capability, repository scope, and evidence metadata; GET /integrations searches by provider, category, status, owner, environment, and health status. JSON and SQLite stores are supported through CAVRA_INTEGRATION_STORE and CAVRA_INTEGRATION_DB.
Connector execution hooks: POST /integrations/{integration_id}/deliver and cavra integration deliver send events through configured Splunk, Sentinel, Datadog, Slack, Teams, Jira, ServiceNow, or webhook connectors and return redacted delivery evidence. CAVRA_CONNECTOR_CONFIG points the API at connector configuration.
Persistent API operations: ops stores reports active JSON/SQLite persistence paths, ops backup writes checksum-backed JSON and SQLite backups, ops restore validates backup checksums before copying stores to a test or live path, and ops retention-plan exports JSON and Markdown retention controls. The API exposes read-only /operations/stores and /operations/retention-plan, and operations now include integration inventory stores.
Production deployment validation: GET /deployment/production-readiness checks OIDC, RBAC, CORS, evidence artifact root, policy catalog availability, persistent store presence, Go backend pilot readiness, Go CI runner/workstation deployment readiness, Go promotion readiness, Go rollback readiness, Go rollback rehearsal readiness, Go rollback drill history, and Go rollback drill scheduling. The console includes a Production Readiness panel with Go pilot, deployment, promotion, rollback, rehearsal, latest drill status, recovery target, next drill due date, notification routes, and evidence references.
CI/CD required-check templates: .github/workflows/cavra-governance.yml exposes cavra-required-check for branch protection, validates policy packs, runs lint/tests, generates and verifies evidence, verifies PR attestation, and uploads CI evidence artifacts. Reusable GitHub Actions, GitLab CI, and Azure Pipelines examples live under examples/.
Go enforcement-plane parity scaffold: go/cavra-runtime/ contains a Go module, runtime decision evaluator, CLI entrypoint, compiled-policy JSON loader, generated enforcement contract package, and shared parity fixture for critical file, command, Git, MCP, and release governance record decisions. Release governance parity now covers approval states, delivery failures, endpoint publication delivery, inventory freshness, reconciliation drift, SLA reports, and handoff status. The Go CLI supports --policy for normalized JSON generated by cavra policy compile. tests/test_go_runtime_parity.py, the go-runtime-parity CI job, and cavra-required-check exercise the parity contract.
Go enforcement contracts: scripts/generate_go_enforcement_contracts.py generates go/cavra-runtime/enforcement/v1/contracts.go from proto/cavra/enforcement/v1/enforcement.proto. The generated package provides EvaluateRequest, ReleaseGovernanceEvidence, DecisionResponse, and conversion helpers for daemon transport and runtime release-governance records.
Go daemon transport: go/cavra-runtime/daemon and go run ./cmd/cavra-runtime --serve --socket .cavra/cavra-runtime.sock provide the first Unix-socket transport for generated EvaluateRequest and DecisionResponse JSON payloads. daemon.NewClient(socket).Evaluate(request) and go run ./cmd/cavra-runtime --daemon --socket .cavra/cavra-runtime.sock provide a reusable client path. go run ./cmd/cavra-runtime --lifecycle start|status|stop provides PID-file-backed daemon lifecycle management. --evidence-log writes request/response JSONL evidence and appends go-daemon-evidence://... references to decision responses. examples/go-runtime/typed-release-governance/ plus GitHub Actions, GitLab CI, Azure Pipelines templates, examples/ci-runners/cavra-release-governance-runner.sh, and examples/github-actions/actions/cavra-release-governance-go-runtime/action.yml show release-governance gates using typed daemon requests. The Go release package now emits cavra-runtime.ci-runner-bundles.json and signs the reusable runner wrappers with the rest of the runtime release evidence.
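The inventory lists hash-chained HMAC-signed daemon evidence streams, and --evidence-log writes JSONL; the sketch below is an added example, not CAVRA's own code, showing how a verifier for such a stream detects edits, deletions, and tail truncation. The record fields (seq, prev, payload, mac), the all-zero genesis value, and every function name are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed 'prev' value for the first record


def record_mac(key, seq, prev, payload):
    """HMAC-SHA256 over canonical JSON of the fields the chain protects."""
    body = json.dumps({"seq": seq, "prev": prev, "payload": payload},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def head_mac(lines):
    """MAC of the last record; store it outside the log as the chain anchor."""
    return json.loads(lines[-1])["mac"] if lines else GENESIS


def append_record(lines, key, payload):
    """Append a signed JSONL record linked to the previous record's MAC."""
    prev = head_mac(lines)
    seq = len(lines)
    rec = {"seq": seq, "prev": prev, "payload": payload,
           "mac": record_mac(key, seq, prev, payload)}
    lines.append(json.dumps(rec, sort_keys=True))


def verify_stream(lines, key, expected_head=None):
    """Return (ok, reason) for a list of JSONL evidence lines."""
    prev = GENESIS
    for i, line in enumerate(lines):
        try:
            rec = json.loads(line)
            seq, link, payload, mac = (rec["seq"], rec["prev"],
                                       rec["payload"], rec["mac"])
        except (ValueError, KeyError, TypeError):
            return False, f"record {i}: malformed"
        if seq != i:
            return False, f"record {i}: sequence gap or reorder"
        if link != prev:
            return False, f"record {i}: broken chain link"
        want = record_mac(key, seq, link, payload)
        # Constant-time comparison of the claimed MAC against the recomputed one.
        if not hmac.compare_digest(str(mac).encode(), want.encode()):
            return False, f"record {i}: MAC mismatch"
        prev = want
    # Dropping records from the tail leaves a valid shorter chain, so the
    # verifier needs the head MAC (or a record count) from a separate channel.
    if expected_head is not None and prev != expected_head:
        return False, "head mismatch: stream truncated or replaced"
    return True, "ok"


def build_sample(key):
    """Constructed sample stream: three decision evidence records."""
    lines = []
    for action, decision in [("file_read", "allow"),
                             ("git_push_protected", "deny"),
                             ("shell_command", "allow")]:
        append_record(lines, key, {"action": action, "decision": decision})
    return lines


if __name__ == "__main__":
    key = b"constructed-demo-key"  # placeholder, not a real secret
    log = build_sample(key)
    head = head_mac(log)
    print(verify_stream(log, key, head))                 # intact stream

    edited = list(log)
    edited[1] = edited[1].replace('"deny"', '"allow"')   # in-place edit
    print(verify_stream(edited, key, head))
    print(verify_stream(log[:1] + log[2:], key, head))   # deleted record
    print(verify_stream(log[:2], key))                   # tail cut, no anchor
    print(verify_stream(log[:2], key, head))             # tail cut, anchored
```

A stream cut at the tail verifies cleanly unless the head MAC is kept somewhere the log writer cannot rewrite, which is why the verifier takes it as a separate input.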
Opt-in Go backend pilot: src/cavra/go_backend.py defaults to Python-only mode, supports disabled, shadow, enforce, and promoted, validates configured runtime and compiled policy paths, exposes CLI and API readiness reports, evaluates Python first, invokes Go only when enabled, and falls back to Python on runtime failure, timeout, missing readiness inputs, missing promotion evidence, missing rollback controls, missing rollback rehearsal evidence, missing rollback drill history, or parity mismatch.
Go backend deployment readiness: cavra runtime go-deployment-readiness, /runtime/go-pilot/deployment-readiness, and /deployment/production-readiness validate CI runner bundle metadata, endpoint deployment metadata, workstation release channels, and updater policy before Go backend promotion.
Go backend promotion gate: cavra runtime go-promotion-readiness, /runtime/go-pilot/promotion-readiness, and /deployment/production-readiness require runtime readiness, deployment readiness, approved audited parity evidence, and CAVRA_GO_PROMOTION_EVIDENCE before promoted mode selects Go as an optional backend.
Go backend rollback controls: cavra runtime go-rollback-readiness, /runtime/go-pilot/rollback-readiness, and /deployment/production-readiness require an approved CAVRA_GO_ROLLBACK_PLAN with target_mode=disabled, recovery steps, controls, and evidence references before promoted mode selects Go as an optional backend.
Go backend rollback rehearsal evidence: cavra runtime go-rollback-rehearsal, /runtime/go-pilot/rollback-rehearsal, and /deployment/production-readiness require CAVRA_GO_ROLLBACK_REHEARSAL_EVIDENCE, verified Python fallback restoration, recovery-time evidence, a runbook reference, and evidence refs before promoted mode selects Go as an optional backend. The Evidence Console surfaces rehearsal status, recovery target, and evidence references.
Go backend rollback drill history: cavra runtime go-rollback-drills, /runtime/go-pilot/rollback-drills, and /deployment/production-readiness require CAVRA_GO_ROLLBACK_DRILL_HISTORY, a fresh passing drill, disabled target mode, verified Python fallback restoration, recovery-time evidence, and evidence refs before promoted mode selects Go as an optional backend. The Evidence Console surfaces latest drill status, timestamp, and evidence references.
Go backend rollback drill scheduling: cavra runtime go-rollback-drill-schedule, cavra runtime go-rollback-drill-notification-plan, /runtime/go-pilot/rollback-drill-schedule, and /runtime/go-pilot/rollback-drill-notifications/deliver require CAVRA_GO_ROLLBACK_DRILL_SCHEDULE, active cadence metadata, owners, notification providers, and runbook references. Promoted mode selects Go only when the schedule is ready or due soon; stale schedules fall back to Python and can deliver redacted connector notification evidence.
Go backend rollback drill notification acknowledgements: runtime APIs now include acknowledgement audit delivery, recovery escalation, recovery retry health alert delivery, retry planning, retry worker execution, executive recovery reports, scheduled executive report delivery, executive delivery retry plans, executive delivery retry workers, executive delivery retry health reports, executive retry health alerts, final closeout retention health, final closeout retention alerts, final closeout delivery retry planning, final closeout retry workers, dashboard search, route history, and missed-notification escalation plans. They record public-safe acknowledgement metadata, dashboard outstanding routes, bulk route acknowledgements, delivery health dashboards, retry acknowledgements, retry recovery reports, recovery escalation delivery, recovery escalation retry execution records, recovery health alert retry execution records, executive report delivery retry execution, executive retry health alert acknowledgements, health metadata, final auditor export delivery metadata, immutable archive references, auditor export retry plans, auditor export retry worker execution records, archive reference health reports, archive health alert acknowledgements, closeout retention health reports, and closeout retry execution records, all without connector or archive secrets.
Go backend rollback drill routing: cavra runtime go-rollback-drill-notification-plan --routing-policy and /runtime/go-pilot/rollback-drill-notifications/deliver accept public-safe owner_routes, maintenance_windows, and owner_calendars to select per-owner providers, apply owner-specific acknowledgement SLOs, and suppress connector delivery during approved change freezes or owner unavailability.
Hosted sandbox deployment workflow: .github/workflows/deploy-sandbox.yml validates apps/sandbox-ui/sandbox.js, builds a static artifact from apps/sandbox-ui, includes SVG diagram assets, uploads a GitHub Pages artifact, opts JavaScript-based GitHub Actions into Node.js 24, and deploys only from main.
Brand assets: assets/brand/ contains CAVRA SVG logos, favicons, social thumbnails, and PNG exports for documentation, README, dashboard, and social preview usage. The sandbox console uses a top-left CAVRA wordmark, a larger top-right hero mark below the install CTA, and ships the brand assets in the Pages artifact.
Console security boundary and sessions: GET /console/security-boundary reports OIDC, repository RBAC, CORS, console permission categories, and operator notes for deployed console/API topologies. GET /console/session validates bearer-token OIDC context, returns actor identity, repository permissions, and console permission flags, and console approval or break-glass mutations require verified actor context when OIDC or RBAC is configured. Entra ID and Okta reference bundles live under examples/identity/.
Evidence artifact retrieval: GET /evidence/{session_id}/artifacts, GET /evidence/{session_id}/artifacts/{artifact_name}, and GET /evidence/{session_id}/artifact-bundle expose allowlisted bundle files for indexed sessions and allowlisted managed endpoint rollout evidence files when CAVRA_EVIDENCE_ARTIFACT_ROOT is configured. Rollout listings include checksum integrity and promotion readiness. The console shows artifact lists, bundle download links, rollout integrity, and readiness indicators from evidence rows.
Agent and MCP registry: registry agent-register, registry agent-list, registry profiles, registry mcp-register, registry mcp-list, registry mcp-check, registry mcp-classifications, and registry migrate support JSON/SQLite governed agent identities, MCP trust tiers, approved tools, capabilities, owner, approval state, last-seen metadata, predefined agent capability profiles, MCP tool classifications, console registry views, and registry-backed MCP runtime decisions.
Existing policy packs: CAVRA baseline, banking, PCI DSS, HIPAA, SOX, NIST SSDF, ISO 27001, EU AI Act, OWASP LLM/agentic, MCP enterprise, Kubernetes prod, Terraform/OpenTofu prod, cloud IAM, GitHub Enterprise, GitLab Enterprise.
Current controls: file reads, file writes, shell commands, Terraform/OpenTofu, Kubernetes, cloud IAM commands, Git protected branch push, MCP unknown server blocking, audit evidence, approval routing, claims-aware approval decisions, PR attestation, final rollback drill readiness bundles, externally signed archive manifests, release closeout summaries, closeout delivery, retention review approvals, downloadable closeout artifact bundles, closeout retention health reports, retention alert delivery, failed closeout delivery retry planning, final closeout operator guidance, final closeout release criteria, final closeout trial guidance, final closeout trial walkthrough, synthetic sample evidence package, sales-engineering demo script, interactive final closeout sandbox flow, downloadable sample evidence, release-criteria summary cards, production pilot intake worksheets, readiness checklists, Enterprise/SaaS handoff plan, synthetic pilot intake template, Evidence Console pilot readiness panel, pilot intake save API, pilot readiness scoring, public-safe private handoff plan contracts, private Enterprise MVP bootstrap for tenant-scoped pilot-intake execution, private SSO claim binding for Enterprise pilot authorization, private customer/SaaS KMS-style envelope encryption, private managed tenant database adapter contracts, private CRM/ITSM/GRC/customer-success/tenant-management handoff workers, private provider-native Salesforce/HubSpot/Jira/ServiceNow/Archer adapters, private immutable audit export and retention enforcement, private provider auth/rate-limit handling, private immutable object storage adapters, private archive health deployment recipes, private scheduled archive health workers, private archive alert delivery and dashboard persistence, private archive alert transport packages and dashboard API persistence, private managed archive dashboard storage with live alert transports, private archive alert deployment wiring, private archive alert deployment runbooks 
with Kubernetes/Helm examples and provider smoke-test guidance, private archive alert smoke-test execution jobs with post-delivery dashboard assertions, private archive alert smoke-test scheduling with evidence export and customer-facing deployment verification reports, private archive alert verification report delivery routing with customer-success handoff automation, private archive alert verification delivery health dashboards with retry planning, private archive alert verification retry workers with customer-success closure evidence, private archive alert verification retry health alerts with closure trend reporting, private archive alert verification retry alert routing with closure dashboard persistence, private archive alert verification retry alert acknowledgements with closure dashboard query filters, private archive alert verification acknowledgement trend reports with dashboard export packages, private archive alert verification dashboard export delivery routing with acknowledgement SLA summaries, private archive alert verification delivery SLA alert routing with export delivery health dashboards, private archive alert verification SLA alert delivery retry planning with export delivery health trend reports, private archive alert verification SLA alert retry worker execution with export delivery trend persistence, private archive alert verification SLA retry worker health reporting with export trend query filters, private archive alert verification SLA retry worker health alert routing with export trend summary packages, private archive alert verification SLA retry worker health alert acknowledgements with export summary delivery dashboards, private archive alert verification export summary delivery retry planning with acknowledgement trend reports, and private archive alert verification export summary retry worker execution with acknowledgement trend persistence.
Known gaps: Archive alert deployment runbooks, Kubernetes/Helm examples, and provider smoke-test commands remain private Enterprise/SaaS follow-up work.
Recent parity expansion: Go and Python now share high-risk command and cloud/IaC fixtures for Cloud IAM, Kubernetes production, Terraform/OpenTofu production, GitHub Enterprise, OWASP LLM agentic command injection, and transparent agentic delivery controls.
Refactor recommendations: typed policy models, JSON Schema validation in command path, persistent evidence store, policy inheritance resolver, expanded golden parity suite, generated enforcement contracts for the Go runtime, and promotion posture checks for Go pilot runner and workstation paths.
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?
| Start | Build | Operate | Assure |
|---|---|---|---|
| Quick Start | CLI | Enterprise Guide | AISPM |
| Reader Paths | Policy Syntax | Deployments | Evidence |
| Community | GUI | Troubleshooting | Conclusion |
- Foreword And Reader Paths
- Why CAVRA Exists
- Runtime Authority Model
- Architecture
- Editions
- Install And Deploy
- Community Guide
- Enterprise Guide
- CLI Reference
- GUI And Sandbox
- AISPM Guide
- Policy And Evidence
- Operations And Integrations
- Labs And Use Cases
- Appendices And FAQ
- Policy Language Reference
- Troubleshooting Playbook
- Conclusion