-
Notifications
You must be signed in to change notification settings - Fork 0
Enterprise KMS HSM Evidence Custody
Huzefaaa2 edited this page Jul 4, 2026
·
1 revision
CAVRA R3.1 defines a public-safe KMS/HSM evidence signing, key rotation, custody policy, revocation, and independent verifier readiness contract for Enterprise and Managed deployments.
| Component | Purpose |
|---|---|
build_enterprise_evidence_custody_contract |
Defines supported signing providers, algorithms, custody boundaries, rotation cadence, and verifier commands. |
validate_enterprise_evidence_custody_packet |
Validates sample or live KMS/HSM custody evidence packets. |
scripts/validate_enterprise_evidence_custody.py |
CLI validator for public sample packets and private live packets. |
examples/evidence/enterprise-evidence-custody.sample.json |
Public-safe packet showing the expected evidence shape. |
examples/evidence/enterprise-evidence-custody.live.sanitized.example.json |
Sanitized live-mode example that passes --require-live without exposing real customer infrastructure. |
.github/workflows/enterprise-evidence-custody.yml |
CI workflow for sample validation and manual strict live validation. |
tests/test_evidence_custody.py |
Contract, sample, live-mode, blocker, and workflow tests. |
- External KMS, HSM, Vault Transit, or PKCS#11 signing provider.
- Non-exportable private signing keys.
- Dual-control custody and separation of duties.
- Rotation cadence of 90 days or less.
- Rotation overlap of at least 7 days.
- Retired keys retained for historical verification.
- Emergency revocation drill evidence.
- Public trust-root distribution for independent verifiers.
- Offline evidence bundle and PR attestation verification.
Public/sample validation:
python3 scripts/validate_enterprise_evidence_custody.py \
--packet examples/evidence/enterprise-evidence-custody.sample.json \
--output dist/test/enterprise-evidence-custody-sample.jsonPrivate live validation:
python3 scripts/validate_enterprise_evidence_custody.py \
--packet .cavra/enterprise/enterprise-evidence-custody-live.json \
--require-live \
--output dist/enterprise/enterprise-evidence-custody-result.jsonSanitized live-mode template validation:
python3 scripts/validate_enterprise_evidence_custody.py \
--packet examples/evidence/enterprise-evidence-custody.live.sanitized.example.json \
--require-liveR3.1 is production-complete only when the live packet returns ready_for_enterprise_live_evidence_custody: true, blocker_count: 0, and warning_count: 0.
Detailed repo document: Enterprise KMS/HSM Evidence Custody.
CAVRA Field Compass
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?
| Start | Build | Operate | Assure |
|---|---|---|---|
| Quick Start | CLI | Enterprise Guide | AISPM |
| Reader Paths | Policy Syntax | Deployments | Evidence |
| Community | GUI | Troubleshooting | Conclusion |
Textbook home: Before the Agent Acts |
Development archive: development and testing artifacts |
Source repository: github.com/Huzefaaa2/cavra
- Foreword And Reader Paths
- Why CAVRA Exists
- Runtime Authority Model
- Architecture
- Editions
- Install And Deploy
- Community Guide
- Enterprise Guide
- CLI Reference
- GUI And Sandbox
- AISPM Guide
- Policy And Evidence
- Operations And Integrations
- Labs And Use Cases
- Appendices And FAQ
- Policy Language Reference
- Troubleshooting Playbook
- Technology Stack
- Unified Enterprise Roadmap
- Conclusion
- Development And Testing Archive
- Unified Enterprise Roadmap
- CLI
- API
- CAVRA Trial Field Guide
- AISPM Enterprise Live Ingestion
- Enterprise HA/DR Readiness
- Enterprise HA/DR Azure Map
- Enterprise KMS/HSM Evidence Custody
- Enterprise Immutable Audit Log
- Enterprise Compliance Mapping Packs
- Enterprise Reporting Exports
- Connector SDK And Certification