Go Enforcement Parity
The Go enforcement plane starts as a parity scaffold, not as a replacement for the Python runtime. Python remains authoritative for policy authoring, evidence, approvals, integrations, and production decisions until Go uses generated contracts, supports the full policy surface, and passes expanded golden tests.
- `go/cavra-runtime/go.mod` defines the Go module.
- `go/cavra-runtime/runtime/decision.go` evaluates critical file, command, Git, and MCP decisions.
- `go/cavra-runtime/cmd/cavra-runtime/main.go` reads a JSON request and writes a JSON decision.
- `go/cavra-runtime/testdata/parity_cases.json` captures shared critical decision cases.
- `go/cavra-runtime/testdata/compiled_policy.json` captures a compiled-policy loading fixture.
- `go/cavra-runtime/testdata/mcp_registry.json` captures registry-backed MCP trust decisions.
- `go/cavra-runtime/testdata/release_governance_records.json` captures release governance record decisions for approvals, delivery failures, endpoint publication, inventory freshness, reconciliation drift, SLA reports, and handoff status.
- `go/cavra-runtime/runtime/decision_test.go` verifies the Go evaluator against the shared fixture.
- `tests/test_go_runtime_parity.py` verifies the same fixture against the Python `RuntimeGuard` and compiles every bundled policy pack before checking representative Go CLI decisions.
- `go run ./cmd/cavra-runtime --policy compiled-policy.json` evaluates against normalized JSON from `cavra policy compile`.
- `go run ./cmd/cavra-runtime --registry mcp-registry.json` evaluates MCP calls with trust-registry decisions.
- `release_governance_record` requests verify pending, approved, denied, missing-approval, failed-delivery, and critical operational signal states without exposing private enterprise logic.
- `go/cavra-runtime/enforcement/v1` contains generated Go request, release-governance evidence, and response contracts from the enforcement protobuf.
- `go/cavra-runtime/testdata/release_governance_contracts.json` verifies typed release-governance contract payloads for approved, failed-delivery, and critical-signal records.
- Go decisions now emit runtime evidence metadata: decision ID, correlation ID, timestamp, and `evidence://...` references.
- `.github/workflows/go-release.yml` packages Go runtime binaries with checksums, SPDX SBOM metadata, signed installer metadata, managed endpoint deployment manifests, release channel manifests, managed workstation updater policy, signed release-channel promotion approvals, Jamf/Intune/Linux endpoint-management export bundles, channel publishing history metadata, endpoint export publication delivery, endpoint inventory ingestion, endpoint inventory freshness SLA reports, reconciliation automation from ingested inventory, managed endpoint reconciliation, endpoint drift dashboards, approval-bound endpoint drift remediation plans, approved remediation execution records, endpoint remediation handoff packages, endpoint remediation handoff status reconciliation, rollout evidence capture, rollout evidence verification and indexing, rollout evidence search filters and console/API views, governed rollout artifact retrieval, rollout artifact integrity status, promotion readiness indicators, signed promotion approval requests, approved promotion execution records, promotion execution search and audit drill-downs, rollback evidence links, approved rollback execution records, SIEM/ITSM promotion audit exports, connector delivery for promotion audit and rollback execution records, endpoint remediation escalation delivery actions, owner review workflows, recurrence policies, owner calendars, maintenance-window suppression, recurrence delivery batching, suppression audit exports, recurrence retry policies, owner digest notifications, suppression trend analytics, installer smoke validation, detached signatures, GitHub keyless OIDC attestations, offline trust bootstrap metadata, air-gapped zip verification, release-candidate upgrade validation, and release evidence.
- `.github/workflows/test.yml` includes a `go-runtime-parity` job.
- `.github/workflows/cavra-governance.yml` runs the Go parity suite inside the required governance check.
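As an added example (not code from the CAVRA repository), the following Go sketch shows what a fixture-driven parity check of this kind has to do: parse a compiled-policy JSON and a case fixture, evaluate each request through the mirrored sections (filesystem, commands, MCP trust registry), and report every case whose verdict diverges from the fixture. The request fields, the policy schema (`filesystem.deny_globs`, `commands.deny_prefixes`, `mcp` registry entries), the verdict names and the fixture layout are assumptions made for illustration; CAVRA's real contracts are generated from its enforcement protobuf and will differ. The policy and case JSON embedded at the bottom are constructed for this example and stand in for `compiled_policy.json` and `parity_cases.json`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// Request, MCPServer, CompiledPolicy and ParityCase are shapes assumed for this example, not CAVRA's generated contracts.
type Request struct {
	ActionType string `json:"action_type"`
	Target     string `json:"target,omitempty"`
	Server     string `json:"server,omitempty"`
	Tool       string `json:"tool,omitempty"`
}

type MCPServer struct {
	Trust string   `json:"trust"` // approved, pending or blocked
	Tools []string `json:"tools"` // empty means any tool is in scope
}

type CompiledPolicy struct { // the three sections the page says are mirrored
	Filesystem struct{ DenyGlobs []string `json:"deny_globs"` }       `json:"filesystem"`
	Commands   struct{ DenyPrefixes []string `json:"deny_prefixes"` } `json:"commands"`
	MCP        map[string]MCPServer                                  `json:"mcp"`
}

type ParityCase struct { // one fixture row: a request and the verdict both runtimes must return
	Name     string  `json:"name"`
	Request  Request `json:"request"`
	Expected string  `json:"expected_verdict"`
}

// Evaluate returns (verdict, reason) with verdict allow, deny or pending; anything unrecognised fails closed.
func Evaluate(p CompiledPolicy, r Request) (string, string) {
	switch r.ActionType {
	case "read_file", "write_file": // globs match the base name, so ".env.*" also catches dir/.env.local
		if g := first(p.Filesystem.DenyGlobs, func(g string) bool { ok, _ := path.Match(g, path.Base(r.Target)); return ok }); g != "" {
			return "deny", "filesystem.deny_globs: " + g
		}
	case "execute_command":
		if pre := first(p.Commands.DenyPrefixes, func(pre string) bool { return strings.HasPrefix(strings.TrimSpace(r.Target), pre) }); pre != "" {
			return "deny", "commands.deny_prefixes: " + pre
		}
	case "mcp_tool_call": // registry outcomes named on the page: approved, pending, blocked, tool-scope
		srv, ok := p.MCP[r.Server]
		switch {
		case !ok:
			return "deny", "mcp: server not in trust registry"
		case srv.Trust == "pending":
			return "pending", "mcp: server approval pending"
		case srv.Trust != "approved": // covers "blocked" and any unexpected state
			return "deny", "mcp: server trust state is " + srv.Trust
		case len(srv.Tools) > 0 && first(srv.Tools, func(t string) bool { return t == r.Tool }) == "":
			return "deny", "mcp: tool outside approved scope"
		}
	default:
		return "deny", "unknown action_type: " + r.ActionType
	}
	return "allow", "no matching deny rule"
}

func first(rules []string, match func(string) bool) string {
	for _, rule := range rules {
		if match(rule) {
			return rule
		}
	}
	return ""
}

// CheckParity evaluates every fixture case and returns one line per verdict mismatch, which is what a CI parity job fails on.
func CheckParity(policyJSON, casesJSON string) ([]string, error) {
	p, cases := CompiledPolicy{}, []ParityCase(nil)
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return nil, err
	}
	if err := json.Unmarshal([]byte(casesJSON), &cases); err != nil {
		return nil, err
	}
	var mismatches []string
	for _, c := range cases {
		if verdict, reason := Evaluate(p, c.Request); verdict != c.Expected {
			mismatches = append(mismatches, fmt.Sprintf("%s: want %s, got %s (%s)", c.Name, c.Expected, verdict, reason))
		}
	}
	return mismatches, nil
}

// Constructed fixtures standing in for compiled_policy.json and parity_cases.json.
const PolicyJSON = `{"filesystem":{"deny_globs":[".env",".env.*","*.pem"]},"commands":{"deny_prefixes":["terraform apply -auto-approve","rm -rf /"]},"mcp":{"github-mcp":{"trust":"approved","tools":["list_issues"]},"staging-mcp":{"trust":"pending"},"evil-mcp":{"trust":"blocked"}}}`
const CasesJSON = `[
 {"name":"env file","request":{"action_type":"read_file","target":"svc/config/.env.local"},"expected_verdict":"deny"},
 {"name":"readme","request":{"action_type":"read_file","target":"README.md"},"expected_verdict":"allow"},
 {"name":"auto-approve apply","request":{"action_type":"execute_command","target":"terraform apply -auto-approve"},"expected_verdict":"deny"},
 {"name":"tool in scope","request":{"action_type":"mcp_tool_call","server":"github-mcp","tool":"list_issues"},"expected_verdict":"allow"},
 {"name":"tool out of scope","request":{"action_type":"mcp_tool_call","server":"github-mcp","tool":"delete_repository"},"expected_verdict":"deny"},
 {"name":"pending server","request":{"action_type":"mcp_tool_call","server":"staging-mcp","tool":"ping"},"expected_verdict":"pending"}]`
```

`CheckParity(PolicyJSON, CasesJSON)` returning an empty slice means the Go verdicts match the fixture; the Python side would load the same two documents and assert the same verdicts, which is the property a parity job exists to protect. Note that only the verdict is compared, so the two runtimes may word their reasons differently without failing parity; if reason strings or evidence fields are part of the contract, the comparison has to cover them too. Allow cases belong in the fixture as much as deny cases, since a runtime that denies everything would otherwise pass.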
Run the Python-side parity expectations:

```bash
python3 -m pytest tests/test_go_runtime_parity.py -q
```

Run the Go runtime tests when the Go toolchain is installed:

```bash
cd go/cavra-runtime
go test ./...
```

Evaluate one request through the Go CLI:

```bash
echo '{"action_type":"execute_command","target":"terraform apply -auto-approve","policy_pack":"cavra-ai-agent-baseline"}' \
  | go run ./cmd/cavra-runtime
```

Evaluate with compiled policy JSON:

```bash
PYTHONPATH=src python3 -m cavra.cli policy compile --policy-pack cavra-ai-agent-baseline > /tmp/cavra-compiled-policy.json
echo '{"action_type":"read_file","target":".env"}' \
  | go run ./cmd/cavra-runtime --policy /tmp/cavra-compiled-policy.json
```

Evaluate MCP trust through the registry fixture:

```bash
echo '{"session_id":"registry-demo","action_type":"mcp_tool_call","server":"github-mcp","tool":"delete_repository","capability":"repository","policy_pack":"cavra-mcp-enterprise"}' \
  | go run ./cmd/cavra-runtime --registry testdata/mcp_registry.json
```

Evaluate release governance evidence:

```bash
echo '{"session_id":"release-demo","action_type":"release_governance_record","release_governance":{"metadata_kind":"rollout-promotion-execution","approval_state":"approved","approval_id":"apr_prod"}}' \
  | go run ./cmd/cavra-runtime
```

- As a CI owner, I can verify that a future low-latency runtime returns the same critical decisions as the authoritative Python runtime.
- As a platform engineer, I can inspect a small Go implementation before allowing it into runners or developer laptops.
- As an auditor, I can see that parity is tested before CAVRA claims a second enforcement backend.
- As a release manager, I can verify that promotion, rollback, endpoint remediation, endpoint publication, inventory freshness, reconciliation drift, and SLA evidence are evaluated consistently by the Go runtime.
Enterprises need fast local enforcement but cannot accept inconsistent policy decisions. This scaffold creates a controlled path to a Go runtime by making parity explicit, tested, and visible in the required governance check.
- The Go runtime supports compiled policy JSON for the currently mirrored sections: filesystem, commands, and MCP trust lists.
- Registry-backed MCP parity is implemented for approved, pending, blocked, tool-scope, and capability-scope decisions.
- Release governance record parity is intentionally bounded to public-safe metadata checks for approval state, delivery success, drift status, alert level, blocked counts, and SLA breach counts.
- The Go runtime exposes an initial Unix-socket daemon transport using the generated request and response types.
- Managed endpoint deployment manifests are available for packaged CI runner and developer workstation rollout metadata.
- Add Go runtime parity expansion and air-gapped single-binary reproducibility documentation.
- Add contract-level fixtures when new release governance metadata kinds are introduced.