Evidence Artifact Retrieval
CAVRA exposes read-only evidence bundle artifacts for indexed sessions when CAVRA_EVIDENCE_ARTIFACT_ROOT is configured.
- GET /evidence/{session_id}/artifacts
- GET /evidence/{session_id}/artifacts/{artifact_name}
- GET /evidence/{session_id}/artifact-bundle
The artifact root contains one directory per evidence session. The session must exist in metadata before files are served. The API only serves known evidence bundle filenames such as manifest.json, evidence.json, pr-attestation.md, compliance-mapping.md, siem-event.json, sandbox-run-summary.json, and retention-policy.json.
Downloads include x-cavra-artifact-sha256 for audit logging and client-side verification.
- No arbitrary server-side paths.
- Disabled unless CAVRA_EVIDENCE_ARTIFACT_ROOT is set.
- Metadata record required.
- Allowlisted artifact names only.
- Path traversal rejected.
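
One way a resolver could enforce the controls listed above before serving a file, as an added example that is not CAVRA's own code. The function names, error strings, the in-memory `indexed_sessions` set standing in for the metadata store, and the treatment of x-cavra-artifact-sha256 as a response header are assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Added illustration, not CAVRA code; names and error strings are assumptions.
# Filenames the page names as known evidence bundle artifacts.
ALLOWED_ARTIFACTS = frozenset({
    "manifest.json", "evidence.json", "pr-attestation.md", "compliance-mapping.md",
    "siem-event.json", "sandbox-run-summary.json", "retention-policy.json"})

class ArtifactDenied(Exception):
    """A request failed one of the retrieval controls."""

def resolve_artifact(session_id, artifact_name, indexed_sessions, environ=os.environ):
    """Return (path, headers) for a permitted artifact or raise ArtifactDenied."""
    root_value = environ.get("CAVRA_EVIDENCE_ARTIFACT_ROOT")
    if not root_value:  # disabled unless the root is configured
        raise ArtifactDenied("artifact retrieval disabled")
    if session_id not in indexed_sessions:  # metadata record required
        raise ArtifactDenied("no metadata record for session")
    if artifact_name not in ALLOWED_ARTIFACTS:  # exact-match allowlist
        raise ArtifactDenied("artifact name not allowlisted")
    root = Path(root_value).resolve()
    # Resolve '..' and symlinks, then require exactly root/<session>/<artifact>.
    session_dir = (root / session_id).resolve()
    if session_dir.parent != root:
        raise ArtifactDenied("session path escapes artifact root")
    path = (session_dir / artifact_name).resolve()
    if path.parent != session_dir or not path.is_file():
        raise ArtifactDenied("artifact missing or outside session directory")
    return path, {"x-cavra-artifact-sha256": hashlib.sha256(path.read_bytes()).hexdigest()}

def check(*args):
    """Return the digest header value, or 'denied: <reason>'."""
    try:
        return resolve_artifact(*args)[1]["x-cavra-artifact-sha256"]
    except ArtifactDenied as exc:
        return f"denied: {exc}"

def demo():
    """Constructed requests against a constructed one-session artifact root."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "sess-001").mkdir()
        (Path(tmp) / "sess-001" / "manifest.json").write_bytes(b'{"constructed": true}')
        env, indexed = {"CAVRA_EVIDENCE_ARTIFACT_ROOT": tmp}, {"sess-001", ".."}
        requests = [("sess-001", "manifest.json"), ("sess-001", "notes.txt"),
                    ("sess-001", "../sess-001/manifest.json"), ("..", "manifest.json")]
        return {r: check(*r, indexed, env) for r in requests}
```

The constructed `..` entry in `indexed` shows that the containment check still holds when a malformed session id has reached the metadata index. A client can recompute SHA-256 over the downloaded bytes and compare it with the returned digest.
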
- As an auditor, I can download a full CAVRA evidence bundle for a session.
- As a reviewer, I can retrieve the PR attestation directly from the console.
- As a platform engineer, I can expose evidence from a controlled root without granting broad filesystem access.
Artifact retrieval connects metadata search to audit-ready evidence. Teams can find a session, inspect risk, download the attestation or bundle, and attach it to change records, incident reviews, or compliance requests.
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?