Go Enforcement Parity
The Go enforcement plane starts as a parity scaffold, not as a replacement for the Python runtime. Python remains authoritative for policy authoring, evidence, approvals, integrations, and production decisions until Go uses generated contracts, supports the full policy surface, and passes expanded golden tests.
- `go/cavra-runtime/go.mod` defines the Go module.
- `go/cavra-runtime/runtime/decision.go` evaluates critical file, command, Git, and MCP decisions.
- `go/cavra-runtime/cmd/cavra-runtime/main.go` reads a JSON request and writes a JSON decision.
- `go/cavra-runtime/testdata/parity_cases.json` captures shared critical decision cases.
- `go/cavra-runtime/testdata/compiled_policy.json` captures a compiled-policy loading fixture.
- `go/cavra-runtime/testdata/mcp_registry.json` captures registry-backed MCP trust decisions.
- `go/cavra-runtime/testdata/release_governance_records.json` captures release governance record decisions for approvals, delivery failures, endpoint publication, inventory freshness, reconciliation drift, SLA reports, handoff status, rollout evidence verification, and rollout artifact integrity.
- `go/cavra-runtime/runtime/decision_test.go` verifies the Go evaluator against the shared fixture.
- `tests/test_go_runtime_parity.py` verifies the same runtime and release-governance fixtures against `PythonRuntimeGuard` and compiles every bundled policy pack before checking representative Go CLI decisions.
- `go run ./cmd/cavra-runtime --policy compiled-policy.json` evaluates against normalized JSON from `cavra policy compile`.
- `go run ./cmd/cavra-runtime --registry mcp-registry.json` evaluates MCP calls with trust-registry decisions.
- Built-in Go policy parity now covers high-risk Cloud IAM, Kubernetes production, Terraform/OpenTofu production, GitHub Enterprise, OWASP LLM agentic command-injection, and transparent agentic delivery command controls.
- `release_governance_record` requests verify pending, approved, denied, missing-approval, failed-delivery, and critical operational signal states without exposing private enterprise logic.
- `go/cavra-runtime/enforcement/v1` contains generated Go request, release-governance evidence, and response contracts from the enforcement protobuf.
- `go/cavra-runtime/testdata/release_governance_contracts.json` verifies typed release-governance contract payloads for approved, failed-delivery, critical-signal, rollout evidence verification, rollout artifact integrity, promotion audit export, and rollback audit export records.
- Go decisions now emit runtime evidence metadata: decision ID, correlation ID, timestamp, and `evidence://...` references.
- `.github/workflows/go-release.yml` packages Go runtime binaries with checksums, SPDX SBOM metadata, signed installer metadata, reproducibility manifests, release signing operations metadata, managed endpoint deployment manifests, release channel manifests, managed workstation updater policy, signed release-channel promotion approvals, Jamf/Intune/Linux endpoint-management export bundles, channel publishing history metadata, endpoint export publication delivery, endpoint inventory ingestion, endpoint inventory freshness SLA reports, reconciliation automation from ingested inventory, managed endpoint reconciliation, endpoint drift dashboards, approval-bound endpoint drift remediation plans, approved remediation execution records, endpoint remediation handoff packages, endpoint remediation handoff status reconciliation, rollout evidence capture, rollout evidence verification and indexing, rollout evidence search filters and console/API views, governed rollout artifact retrieval, rollout artifact integrity status, promotion readiness indicators, signed promotion approval requests, approved promotion execution records, promotion execution search and audit drill-downs, rollback evidence links, approved rollback execution records, SIEM/ITSM promotion audit exports, connector delivery for promotion audit and rollback execution records, endpoint remediation escalation delivery actions, owner review workflows, recurrence policies, owner calendars, maintenance-window suppression, recurrence delivery batching, suppression audit exports, recurrence retry policies, owner digest notifications, suppression trend analytics, installer smoke validation, detached signatures, GitHub keyless OIDC attestations, offline trust bootstrap metadata, air-gapped zip verification, release-candidate upgrade validation, and release evidence.
- `src/cavra/go_backend.py` exposes an opt-in backend pilot that evaluates Python first, runs Go only when enabled, compares `decision`, `rule_id`, and `severity`, and falls back to Python on runtime failure, timeout, missing readiness inputs, or mismatch.
- `cavra runtime go-pilot-readiness`, `cavra runtime go-pilot-evaluate`, `/runtime/go-pilot/readiness`, and `/runtime/go-pilot/evaluate` expose pilot readiness and evaluation evidence for operators.
- `cavra runtime go-deployment-readiness` and `/runtime/go-pilot/deployment-readiness` validate Go backend CI runner and workstation rollout metadata.
- `cavra runtime go-promotion-readiness` and `/runtime/go-pilot/promotion-readiness` require approved audited parity evidence before `promoted` mode selects Go as an optional backend.
- `cavra runtime go-rollback-readiness` and `/runtime/go-pilot/rollback-readiness` require an approved rollback plan before `promoted` mode selects Go as an optional backend.
- `cavra runtime go-rollback-rehearsal` and `/runtime/go-pilot/rollback-rehearsal` require public-safe rollback rehearsal evidence before `promoted` mode selects Go as an optional backend.
- `cavra runtime go-rollback-drills` and `/runtime/go-pilot/rollback-drills` require fresh public-safe operational drill history before `promoted` mode selects Go as an optional backend.
- `/deployment/production-readiness` and the Evidence Console Production Readiness panel now surface Go backend pilot, deployment, promotion, rollback, rehearsal, and drill history status.
- `.github/workflows/test.yml` includes a `go-runtime-parity` job.
- `.github/workflows/cavra-governance.yml` runs the Go parity suite inside the required governance check.
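The evaluator and fixture flow described above (a JSON request in, a decision with evidence metadata out, checked against shared golden cases), as an added Go example. It is not the project's `decision.go`, `decision_test.go` or `parity_cases.json`: the request and decision field names, the rule identifiers, the `evidence://decisions/...` reference format and the fixture contents are assumptions constructed for this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"strings"
	"time"
)

// Request mirrors the JSON piped into the CLI examples on this page (field set assumed from them).
type Request struct {
	SessionID  string `json:"session_id,omitempty"`
	ActionType string `json:"action_type"`
	Target     string `json:"target,omitempty"`
}

// Decision carries the three fields the pilot compares plus the evidence metadata Go emits (names assumed).
type Decision struct {
	Decision      string `json:"decision"`
	RuleID        string `json:"rule_id"`
	Severity      string `json:"severity"`
	DecisionID    string `json:"decision_id,omitempty"`
	CorrelationID string `json:"correlation_id,omitempty"`
	Timestamp     string `json:"timestamp,omitempty"`
	Evidence      string `json:"evidence,omitempty"`
}

// rule is one built-in check; first match wins, so rule order is part of what a fixture pins down.
type rule struct {
	id, severity, outcome string
	match                 func(Request) bool
}

var builtinRules = []rule{
	{"fs.critical-file-read", "critical", "block", func(r Request) bool {
		t := r.Target
		return r.ActionType == "read_file" && (t == ".env" || strings.HasSuffix(t, "/.env") || strings.HasSuffix(t, ".pem"))
	}},
	{"cmd.terraform-auto-approve", "high", "block", func(r Request) bool {
		return r.ActionType == "execute_command" &&
			strings.Contains(r.Target, "terraform apply") && strings.Contains(r.Target, "-auto-approve")
	}},
}

// Evaluate applies the first matching rule (default allow) and stamps evidence metadata.
func Evaluate(r Request, correlationID string, now time.Time) Decision {
	d := Decision{Decision: "allow", RuleID: "default.allow", Severity: "info"}
	for _, rl := range builtinRules {
		if rl.match(r) {
			d.Decision, d.RuleID, d.Severity = rl.outcome, rl.id, rl.severity
			break
		}
	}
	d.DecisionID, d.CorrelationID = randomID(), correlationID
	d.Timestamp = now.UTC().Format(time.RFC3339)
	d.Evidence = "evidence://decisions/" + d.DecisionID
	return d
}

func randomID() string {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a runtime that cannot mint evidence IDs must not decide silently
	}
	return hex.EncodeToString(b)
}

// parityCase is one golden-fixture entry; Expect reuses Decision but only decision/rule_id/severity are compared.
type parityCase struct {
	Name    string   `json:"name"`
	Request Request  `json:"request"`
	Expect  Decision `json:"expect"`
}

// CheckParity evaluates every fixture case; an empty result means full agreement.
func CheckParity(fixture []byte) ([]string, error) {
	var cases []parityCase
	if err := json.Unmarshal(fixture, &cases); err != nil {
		return nil, err
	}
	key := func(d Decision) string { return d.Decision + "/" + d.RuleID + "/" + d.Severity }
	var mismatches []string
	for _, c := range cases {
		if got := Evaluate(c.Request, "parity", time.Unix(0, 0)); key(got) != key(c.Expect) {
			mismatches = append(mismatches, c.Name+": want "+key(c.Expect)+", got "+key(got))
		}
	}
	return mismatches, nil
}

// SampleFixture is a constructed stand-in for testdata/parity_cases.json.
const SampleFixture = `[
 {"name":"env-read","request":{"action_type":"read_file","target":"config/.env"},
  "expect":{"decision":"block","rule_id":"fs.critical-file-read","severity":"critical"}},
 {"name":"tf-auto-approve","request":{"action_type":"execute_command","target":"terraform apply -auto-approve"},
  "expect":{"decision":"block","rule_id":"cmd.terraform-auto-approve","severity":"high"}},
 {"name":"readme","request":{"action_type":"read_file","target":"README.md"},
  "expect":{"decision":"allow","rule_id":"default.allow","severity":"info"}}
]`
```

Running `CheckParity` over the fixture is the Go-side half of the parity check; the Python side produces the expected fields from the authoritative runtime. Two choices the fixture has to pin are first-match rule ordering and the default-allow outcome: a reordering that changes which rule fires is still a `rule_id` mismatch even when the final decision is unchanged, which is exactly the kind of drift the three-field comparison is meant to catch.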
Run the Python-side parity expectations:

```sh
python3 -m pytest tests/test_go_runtime_parity.py -q
```

Run the Go runtime tests when the Go toolchain is installed:

```sh
cd go/cavra-runtime
go test ./...
```

Evaluate one request through the Go CLI:

```sh
echo '{"action_type":"execute_command","target":"terraform apply -auto-approve","policy_pack":"cavra-ai-agent-baseline"}' \
| go run ./cmd/cavra-runtime
```

Evaluate with compiled policy JSON:

```sh
PYTHONPATH=src python3 -m cavra.cli policy compile --policy-pack cavra-ai-agent-baseline > /tmp/cavra-compiled-policy.json
echo '{"action_type":"read_file","target":".env"}' \
| go run ./cmd/cavra-runtime --policy /tmp/cavra-compiled-policy.json
```

Evaluate MCP trust through the registry fixture:

```sh
echo '{"session_id":"registry-demo","action_type":"mcp_tool_call","server":"github-mcp","tool":"delete_repository","capability":"repository","policy_pack":"cavra-mcp-enterprise"}' \
| go run ./cmd/cavra-runtime --registry testdata/mcp_registry.json
```

Evaluate release governance evidence:

```sh
echo '{"session_id":"release-demo","action_type":"release_governance_record","release_governance":{"metadata_kind":"rollout-promotion-execution","approval_state":"approved","approval_id":"apr_prod"}}' \
| go run ./cmd/cavra-runtime
```

- As a CI owner, I can verify that a future low-latency runtime returns the same critical decisions as the authoritative Python runtime.
- As a platform engineer, I can inspect a small Go implementation before allowing it into runners or developer laptops.
- As an auditor, I can see that parity is tested before CAVRA claims a second enforcement backend.
- As a release manager, I can verify that promotion, rollback, endpoint remediation, endpoint publication, inventory freshness, reconciliation drift, SLA, rollout evidence, artifact integrity, and rollout audit export evidence are evaluated consistently by the Go runtime.
- As a cloud platform owner, I can verify that IAM, Kubernetes, Terraform/OpenTofu, GitHub, and command-injection decisions match Python before Go is allowed in runner paths.
Enterprises need fast local enforcement but cannot accept inconsistent policy decisions. This scaffold creates a controlled path to a Go runtime by making parity explicit, tested, and visible in the required governance check.
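The backend pilot's selection rule (Python first, Go only when enabled, compare `decision`, `rule_id` and `severity`, fall back on runtime failure, timeout, missing readiness inputs or mismatch), as an added Go sketch of that logic. It is not the project's `src/cavra/go_backend.py`; the `Pilot`, `PilotRequest`, `Outcome` and `GoEvaluator` names and the reason strings are assumptions, and the Go runtime call is abstracted behind a function type so a stub can stand in for the subprocess or daemon socket.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Outcome holds the three fields the page says the pilot compares.
type Outcome struct {
	Decision string
	RuleID   string
	Severity string
}

// PilotRequest is the minimal request this sketch forwards to the Go runtime (shape assumed).
type PilotRequest struct {
	ActionType string
	Target     string
}

// GoEvaluator stands in for invoking the Go runtime (a subprocess or daemon socket in practice).
type GoEvaluator func(ctx context.Context, req PilotRequest) (Outcome, error)

// PilotResult records which backend's answer was used and why, so the choice is auditable.
type PilotResult struct {
	Chosen   Outcome
	Backend  string // "python" or "go"
	Reason   string
	GoResult *Outcome // set whenever Go answered, so mismatches can be reviewed
}

// Pilot is the opt-in configuration; Ready reflects the readiness inputs the page gates on.
type Pilot struct {
	Enabled bool
	Ready   bool
	Timeout time.Duration
	Go      GoEvaluator
}

// Decide takes the Python outcome (always evaluated first and authoritative),
// consults Go only when enabled and ready, and falls back to Python on runtime
// failure, timeout, missing readiness inputs, or any mismatch in the compared fields.
func (p Pilot) Decide(python Outcome, req PilotRequest) PilotResult {
	fallback := func(reason string, goOut *Outcome) PilotResult {
		return PilotResult{Chosen: python, Backend: "python", Reason: reason, GoResult: goOut}
	}
	if !p.Enabled {
		return fallback("go backend disabled", nil)
	}
	if !p.Ready || p.Go == nil || p.Timeout <= 0 {
		return fallback("missing readiness inputs", nil)
	}
	ctx, cancel := context.WithTimeout(context.Background(), p.Timeout)
	defer cancel()
	goOut, err := p.Go(ctx, req)
	switch {
	case errors.Is(err, context.DeadlineExceeded):
		return fallback("go runtime timeout", nil)
	case err != nil:
		return fallback(fmt.Sprintf("go runtime failure: %v", err), nil)
	case goOut != python:
		return fallback(fmt.Sprintf("parity mismatch: python=%+v go=%+v", python, goOut), &goOut)
	}
	return PilotResult{Chosen: goOut, Backend: "go", Reason: "parity confirmed", GoResult: &goOut}
}

// main runs one constructed request through a stub Go evaluator that disagrees with Python.
func main() {
	python := Outcome{Decision: "block", RuleID: "fs.critical-file-read", Severity: "critical"}
	stub := func(ctx context.Context, r PilotRequest) (Outcome, error) {
		return Outcome{Decision: "allow", RuleID: "default.allow", Severity: "info"}, nil
	}
	res := Pilot{Enabled: true, Ready: true, Timeout: time.Second, Go: stub}.
		Decide(python, PilotRequest{ActionType: "read_file", Target: ".env"})
	fmt.Printf("backend=%s reason=%s chosen=%+v\n", res.Backend, res.Reason, res.Chosen)
}
```

Keeping `GoResult` on the result even when Python wins is what makes a mismatch reviewable rather than silently absorbed; the pilot readiness and evaluation evidence endpoints listed above are where a deployment would surface that record. The timeout is bounded by a context so a hung Go runtime can never hold up the authoritative decision.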
- The Go runtime supports compiled policy JSON for the currently mirrored sections: filesystem, commands, and MCP trust lists.
- Built-in high-risk command parity is now covered for Cloud IAM, Kubernetes production, Terraform/OpenTofu production, GitHub Enterprise, OWASP LLM agentic command injection, and transparent agentic delivery governance packs.
- Registry-backed MCP parity is implemented for approved, pending, blocked, tool-scope, and capability-scope decisions.
- Release governance record parity is intentionally bounded to public-safe metadata checks for approval state, delivery success, drift status, alert level, blocked counts, SLA breach counts, rollout verification status, artifact integrity status, and rollout audit export status.
- The Go runtime exposes an initial Unix-socket daemon transport using the generated request and response types.
- Managed endpoint deployment manifests are available for packaged CI runner and developer workstation rollout metadata.
- Promote Go to an optional backend only after audited parity and deployment tests pass.