Enterprise Live Identity Validation

Huzefaaa2 edited this page Jul 3, 2026 · 1 revision

CAVRA R2.1 now includes a public-safe live identity validation packet for proving real IdP and SCIM evidence without publishing secrets.

Required Checks

| Check | Required proof |
| --- | --- |
| oidc_token_validation | Issuer, audience, expiry, not-before, JWKS key, and RS256 signature validation passed. |
| rbac_group_mapping | Enterprise groups map to CISO, security operator, platform security, model owner, auditor, and break-glass roles. |
| abac_runtime_scope | Tenant, workspace, repository, environment, model owner, and data classification attributes are present. |
| scim_group_sync | SCIM group and role synchronization completed. |
| scim_deprovisioning | Deprovisioning evidence meets the 60 minute SLA. |
| break_glass_audit | CAB role, reason, external reference, short TTL, and audit event are retained. |
| audit_evidence_retention | Public-safe identity evidence references are retained. |

Command

python3 scripts/validate_enterprise_live_identity_packet.py \
  --packet .cavra/identity/enterprise-live-identity-validation.json \
  --output dist/enterprise-live-identity-validation-result.json

The final packet must return:

{
  "ready_for_live_enterprise_identity": true,
  "status": "ready",
  "blocker_count": 0
}

The sample at examples/identity/enterprise-live-identity-validation.sample.json is shape-only and stays blocked until environment.validation_mode is set to live with real redacted evidence.
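The following is an added illustration of how a packet validator can evaluate the seven required checks and produce the ready/blocked result shape shown above. It is not CAVRA's own scripts/validate_enterprise_live_identity_packet.py, and the packet schema (the `checks` object, its field names, the `jwks_key_found`/`signature_valid` evidence flags) and the 4-hour ceiling used to judge a break-glass TTL as "short" are assumptions made for the example. The embedded packets are constructed, redacted sample evidence; note that the shape-only packet is blocked solely because `environment.validation_mode` is not `live`, exactly as the sample file is.

```python
import copy
import json
from datetime import datetime, timedelta, timezone

# Hypothetical packet schema for this example (an assumption, not CAVRA's real format).
REQUIRED_CHECKS = (
    "oidc_token_validation", "rbac_group_mapping", "abac_runtime_scope",
    "scim_group_sync", "scim_deprovisioning", "break_glass_audit",
    "audit_evidence_retention",
)
REQUIRED_ROLES = {"ciso", "security_operator", "platform_security",
                  "model_owner", "auditor", "break_glass"}
REQUIRED_ATTRIBUTES = {"tenant", "workspace", "repository", "environment",
                       "model_owner", "data_classification"}
DEPROVISIONING_SLA = timedelta(minutes=60)
MAX_BREAK_GLASS_TTL = timedelta(hours=4)  # "short TTL" threshold: an assumption


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_oidc(ev: dict, now: datetime) -> list:
    """Claim-level checks on redacted token evidence plus the recorded JWKS/RS256 outcome."""
    claims, problems = ev.get("claims", {}), []
    if claims.get("iss") != ev.get("expected_issuer"):
        problems.append("issuer mismatch")
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    if ev.get("expected_audience") not in aud:
        problems.append("audience mismatch")
    epoch = now.timestamp()
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= epoch:
        problems.append("token expired or exp missing")
    if claims.get("nbf", 0) > epoch:
        problems.append("token not yet valid")
    if not ev.get("jwks_key_found"):
        problems.append("kid not found in JWKS")
    if ev.get("alg") != "RS256" or not ev.get("signature_valid"):
        problems.append("RS256 signature not validated")
    return problems


def check_rbac(ev: dict, now: datetime) -> list:
    missing = REQUIRED_ROLES - set(ev.get("mapped_roles", []))
    return [f"unmapped roles: {sorted(missing)}"] if missing else []


def check_abac(ev: dict, now: datetime) -> list:
    present = {k for k, v in ev.get("attributes", {}).items() if v}
    missing = REQUIRED_ATTRIBUTES - present
    return [f"missing attributes: {sorted(missing)}"] if missing else []


def check_scim_sync(ev: dict, now: datetime) -> list:
    return [] if ev.get("completed") else ["SCIM group/role sync not completed"]


def check_deprovisioning(ev: dict, now: datetime) -> list:
    try:
        elapsed = _parse(ev["completed_at"]) - _parse(ev["requested_at"])
    except (KeyError, ValueError):
        return ["deprovisioning timestamps missing or malformed"]
    if timedelta(0) <= elapsed <= DEPROVISIONING_SLA:
        return []
    return [f"deprovisioning took {elapsed}, SLA is {DEPROVISIONING_SLA}"]


def check_break_glass(ev: dict, now: datetime) -> list:
    fields = ("cab_role", "reason", "external_reference", "audit_event_id")
    problems = [f"missing {f}" for f in fields if not ev.get(f)]
    ttl = ev.get("ttl_minutes")
    if not isinstance(ttl, (int, float)) or ttl <= 0 or timedelta(minutes=ttl) > MAX_BREAK_GLASS_TTL:
        problems.append("TTL missing or not short")
    return problems


def check_retention(ev: dict, now: datetime) -> list:
    return [] if ev.get("evidence_references") else ["no evidence references retained"]


CHECKS = {
    "oidc_token_validation": check_oidc, "rbac_group_mapping": check_rbac,
    "abac_runtime_scope": check_abac, "scim_group_sync": check_scim_sync,
    "scim_deprovisioning": check_deprovisioning, "break_glass_audit": check_break_glass,
    "audit_evidence_retention": check_retention,
}


def validate_packet(packet: dict, now: datetime = None) -> dict:
    """Return the result shape: ready flag, status, blocker_count, plus the blocker reasons."""
    now = now or datetime.now(timezone.utc)
    blockers = []
    if packet.get("environment", {}).get("validation_mode") != "live":
        blockers.append("environment.validation_mode is not 'live'")
    checks = packet.get("checks", {})
    for name in REQUIRED_CHECKS:
        if name not in checks:
            blockers.append(f"{name}: missing")
            continue
        blockers += [f"{name}: {p}" for p in CHECKS[name](checks[name], now)]
    return {"ready_for_live_enterprise_identity": not blockers,
            "status": "ready" if not blockers else "blocked",
            "blocker_count": len(blockers), "blockers": blockers}


# Constructed, redacted evidence; the clock is pinned so the example is deterministic.
FIXED_NOW = datetime(2026, 7, 3, 12, 0, tzinfo=timezone.utc)
_EPOCH = int(FIXED_NOW.timestamp())
LIVE_PACKET = {
    "environment": {"validation_mode": "live"},
    "checks": {
        "oidc_token_validation": {
            "expected_issuer": "https://idp.example.test/", "expected_audience": "cavra-gateway",
            "claims": {"iss": "https://idp.example.test/", "aud": ["cavra-gateway"], "sub": "REDACTED",
                       "exp": _EPOCH + 600, "nbf": _EPOCH - 60},
            "jwks_key_found": True, "alg": "RS256", "signature_valid": True},
        "rbac_group_mapping": {"mapped_roles": sorted(REQUIRED_ROLES)},
        "abac_runtime_scope": {"attributes": {a: "REDACTED" for a in REQUIRED_ATTRIBUTES}},
        "scim_group_sync": {"completed": True},
        "scim_deprovisioning": {"requested_at": "2026-07-03T11:00:00Z", "completed_at": "2026-07-03T11:45:00Z"},
        "break_glass_audit": {"cab_role": "REDACTED", "reason": "REDACTED", "external_reference": "CHG-REDACTED",
                              "ttl_minutes": 60, "audit_event_id": "EVT-REDACTED"},
        "audit_evidence_retention": {"evidence_references": ["evidence://REDACTED"]},
    },
}
SAMPLE_PACKET = copy.deepcopy(LIVE_PACKET)
SAMPLE_PACKET["environment"]["validation_mode"] = "sample"  # shape-only: stays blocked

if __name__ == "__main__":
    print(json.dumps(validate_packet(LIVE_PACKET, FIXED_NOW), indent=2))
    print(json.dumps(validate_packet(SAMPLE_PACKET, FIXED_NOW), indent=2))
```

Each check returns its own list of reasons, so the `blockers` field tells an operator which proof in the table is missing rather than only that the packet is blocked; the pinned `FIXED_NOW` exists only to make the expiry and SLA arithmetic reproducible, and a real run would pass the current UTC time.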

Detailed repo documentation: Enterprise Live Identity Validation.