Go Daemon Transport

Huzefaaa2 edited this page May 21, 2026 · 16 revisions

CAVRA now includes the first local daemon transport for the Go enforcement plane.

What Was Added

  • go/cavra-runtime/daemon package.
  • Unix-socket server mode through go run ./cmd/cavra-runtime --serve.
  • One JSON EvaluateRequest per connection.
  • One JSON DecisionResponse returned per connection.
  • Reusable Go daemon.Client helper for Unix-socket requests.
  • CLI --daemon client mode for one-shot EvaluateRequest calls.
  • Daemon lifecycle helper with --lifecycle start, status, and stop.
  • PID-file tracking, readiness probing, and graceful signal cleanup for local daemon processes.
  • Request/response evidence hooks through --evidence-log.
  • JSONL evidence records with cavra.go-daemon.evidence.v1 schema and go-daemon-evidence://... references.
  • Runtime evaluator that can use either the built-in scaffold policy or compiled policy JSON loaded through --policy.
  • Typed release-governance daemon request examples under examples/go-runtime/typed-release-governance/.
  • CI runner examples for GitHub Actions, GitLab CI, and Azure Pipelines that send typed release_governance payloads through the daemon.
  • Packaged CI runner wrappers under examples/ci-runners/ plus a reusable GitHub composite action under examples/github-actions/actions/cavra-release-governance-go-runtime/.
  • Signed release-package metadata in cavra-runtime.ci-runner-bundles.json that binds runner wrappers to verified Go runtime binaries and CI deployment targets.
  • Go tests for contract request handling, client calls, lifecycle status, evidence recording, and compiled-policy-backed daemon evaluation.

How To Use

Start the daemon:

cd go/cavra-runtime
go run ./cmd/cavra-runtime --serve --socket .cavra/cavra-runtime.sock --policy testdata/compiled_policy.json

Send a contract-shaped request:

printf '{"action_type":"read_file","target":"config/prod.secret"}\n' \
  | nc -U .cavra/cavra-runtime.sock

Or use the CAVRA Go client mode:

printf '{"action_type":"execute_command","target":"terraform plan","requested_operation":"terraform plan"}\n' \
  | go run ./cmd/cavra-runtime --daemon --socket .cavra/cavra-runtime.sock

Manage the daemon lifecycle:

go run ./cmd/cavra-runtime --lifecycle start --socket .cavra/cavra-runtime.sock --policy testdata/compiled_policy.json
go run ./cmd/cavra-runtime --lifecycle status --socket .cavra/cavra-runtime.sock
go run ./cmd/cavra-runtime --lifecycle stop --socket .cavra/cavra-runtime.sock

Write daemon evidence records:

go run ./cmd/cavra-runtime --serve --socket .cavra/cavra-runtime.sock --evidence-log .cavra/go-daemon/evidence.jsonl
printf '{"action_type":"execute_command","target":"terraform plan","requested_operation":"terraform plan"}\n' \
  | go run ./cmd/cavra-runtime --daemon --socket .cavra/cavra-runtime.sock

The daemon returns a DecisionResponse JSON object matching the generated contract package under go/cavra-runtime/enforcement/v1. When evidence logging is enabled, the response includes a go-daemon-evidence://... reference and the JSONL record contains both the request and response.

Evaluate a typed release-governance request:

go run ./cmd/cavra-runtime --lifecycle start \
  --socket .cavra/cavra-runtime.sock \
  --evidence-log .cavra/go-daemon/release-governance-evidence.jsonl

go run ./cmd/cavra-runtime --daemon \
  --socket .cavra/cavra-runtime.sock \
  --input ../../examples/go-runtime/typed-release-governance/approved-promotion.json

go run ./cmd/cavra-runtime --lifecycle stop --socket .cavra/cavra-runtime.sock

Runner templates are available at:

  • examples/github-actions/cavra-release-governance-go-runtime.yml
  • examples/github-actions/actions/cavra-release-governance-go-runtime/action.yml
  • examples/gitlab-ci/cavra-release-governance-go-runtime.gitlab-ci.yml
  • examples/azure-pipelines/cavra-release-governance-go-runtime.azure-pipelines.yml

Signed Go runtime release packages now also include:

  • cavra-runtime.ci-runner-bundles.json
  • ci-runners/cavra-release-governance-runner.sh
  • ci-runners/github-action/action.yml

Verify the release package first, install the referenced runtime binary, then use the shell wrapper or composite action to execute a typed release-governance daemon check and publish .cavra/go-daemon/ as CI evidence.

User Stories

  • As a developer, I can run a local enforcement daemon without starting the Python API.
  • As a developer, I can start, inspect, and stop the daemon without hand-managing socket and PID files.
  • As a CI owner, I can connect runner-side tooling to a stable socket protocol.
  • As a CI owner, I can reuse a signed release-governance runner wrapper instead of rebuilding CAVRA from source in each pipeline.
  • As a platform engineer, I can call the daemon through a typed Go helper instead of hand-rolled socket code.
  • As a release manager, I can gate promotion or rollback workflows on typed release-governance evidence without relying on ad hoc JSON maps.
  • As an auditor, I can trace daemon decisions to a request/response evidence record.
  • As an enterprise architect, I can evaluate a path toward a lightweight air-gapped enforcement binary.

Enterprise Challenge Solved

Daemon transport moves the Go runtime from a CLI-only prototype toward an embeddable local enforcement service. This reduces latency and avoids shelling out for every guarded action while preserving the same contract and policy evidence path.

Current Limits

  • The daemon handles one request per connection.
  • There is no authentication layer or signed streaming evidence writer yet.
  • Expanded production hardening is still needed for runner authentication and signed streaming evidence.

Next Recommended Work

  1. Add runner authentication for signed runtime daemon checks.
  2. Add signed streaming evidence for long-lived daemon sessions.