Enterprise Compliance Mapping Packs
CAVRA Enterprise compliance mapping packs convert runtime evidence and AISPM findings into clause-level control mappings for auditor, CISO, board, and customer-success workflows.
R3.3 adds a public-safe contract for five required framework packs:
- NIST AI RMF 1.0
- ISO/IEC 42001
- OWASP LLM/GenAI
- NIST SSDF SP 800-218
- EU AI Act
The public repository includes representative clause mappings and deterministic finding-to-clause tests. Customer-specific control narratives, legal interpretations, and live evidence rooms remain deployment-specific Enterprise operating evidence.
- Built-in clause-level pack registry in `src/cavra/compliance_packs.py`.
- Deterministic mapping from AISPM/runtime finding tags to framework clauses.
- JSON mapping report builder for auditor and AISPM report center use.
- Readiness packet validator for sample and live Enterprise evidence.
- GitHub Actions workflow for sample and strict live validation.
- Sample findings and sanitized live readiness packet.
Sample contract validation:

```shell
python3 scripts/validate_enterprise_compliance_packs.py \
  --packet examples/compliance/enterprise-compliance-packs.sample.json \
  --output dist/test/enterprise-compliance-packs-sample.json
```

Live sanitized validation:

```shell
python3 scripts/validate_enterprise_compliance_packs.py \
  --packet examples/compliance/enterprise-compliance-packs.live.sanitized.example.json \
  --require-live \
  --output dist/test/enterprise-compliance-packs-live-sanitized.json
```

Finding-to-clause mapping report:

```shell
python3 scripts/validate_enterprise_compliance_packs.py \
  --findings examples/compliance/sample-findings.json \
  --output dist/test/enterprise-compliance-mapping-report.json
```

Built-in registry export:

```shell
python3 scripts/validate_enterprise_compliance_packs.py \
  --registry \
  --output dist/test/enterprise-compliance-pack-registry.json
```

For `ready_for_enterprise_live_compliance_mapping: true`, the live packet must prove:
- The pack registry is approved, versioned, clause-level, and owned.
- All five required frameworks are present.
- Finding-to-clause mapping is enabled and deterministic.
- Mapping taxonomy and report schema are versioned.
- At least 25 clauses are covered with required framework-level tests.
- Coverage is at least 90 percent.
- JSON, Markdown, CSV, and AISPM report outputs are supported.
- Auditor trace, evidence bundle linking, and AISPM report linking are enabled.
- Compliance owner, pack review, exception register, auditor handoff, and latest validation evidence references are present.
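As an added illustration, not code from the CAVRA repository: a small Python model of the deterministic finding-to-clause mapping and of the readiness gates listed above. The registry contents, clause ids, packet field names and the coverage formula (tested clauses divided by registry clauses) are assumptions made for the example.

```python
from collections import defaultdict

REQUIRED_FRAMEWORKS = {"NIST AI RMF 1.0", "ISO/IEC 42001", "OWASP LLM/GenAI",
                       "NIST SSDF SP 800-218", "EU AI Act"}
MIN_CLAUSES, MIN_COVERAGE = 25, 0.90   # thresholds quoted from the readiness criteria

# Constructed sample registry: finding tag -> (framework, clause id) pairs.
# Clause ids are illustrative placeholders, not a reviewed legal mapping.
REGISTRY = {
    "prompt-injection": [("OWASP LLM/GenAI", "LLM01"), ("NIST AI RMF 1.0", "MEASURE-2.7")],
    "missing-human-approval": [("ISO/IEC 42001", "A.9.2"), ("EU AI Act", "Art-14")],
    "unsigned-artifact": [("NIST SSDF SP 800-218", "PS.2.1")],
}

def map_findings(findings, registry=REGISTRY):
    """Map finding tags to clauses. Unknown tags are reported, never silently dropped,
    and every list is sorted so two runs over the same input serialize identically."""
    hits, unmapped = defaultdict(set), set()
    for finding in findings:
        for tag in finding["tags"]:
            for framework, clause in registry.get(tag, ()):
                hits[(framework, clause)].add(finding["id"])
            if tag not in registry:
                unmapped.add((finding["id"], tag))
    return {
        "mappings": [{"framework": fw, "clause": cl, "findings": sorted(ids)}
                     for (fw, cl), ids in sorted(hits.items())],
        "unmapped": sorted(unmapped),
    }

def readiness(packet):
    """Evaluate the live-readiness gates on a packet dict (field names are assumed).
    Returns (ready, failed_gates) so a CI job can fail on any unmet gate."""
    failed = []
    missing = REQUIRED_FRAMEWORKS - set(packet["frameworks"])
    if missing:
        failed.append("missing frameworks: " + ", ".join(sorted(missing)))
    if not packet["mapping_deterministic"]:
        failed.append("mapping not deterministic")
    if packet["clauses_tested"] < MIN_CLAUSES:
        failed.append(f"only {packet['clauses_tested']} tested clauses (< {MIN_CLAUSES})")
    total = packet["clauses_total"]
    coverage = packet["clauses_tested"] / total if total else 0.0  # empty registry never passes
    if coverage < MIN_COVERAGE:
        failed.append(f"coverage {coverage:.0%} < {MIN_COVERAGE:.0%}")
    return (not failed, failed)

# Constructed sample input (not the repository's examples/compliance files).
SAMPLE_FINDINGS = [
    {"id": "F-1", "tags": ["prompt-injection", "missing-human-approval"]},
    {"id": "F-2", "tags": ["unsigned-artifact", "unknown-tag"]},
]
```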
The public CAVRA repository ships the contract, schema, sample packs, tests, and public-safe readiness evidence. Production Enterprise deployments must attach their own legal review, customer control mappings, evidence room references, approved exception register, and auditor handoff evidence.
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?