Go Enforcement Parity
The Go enforcement plane starts as a parity scaffold, not as a replacement for the Python runtime. Python remains authoritative for policy authoring, evidence, approvals, integrations, and production decisions until Go uses generated contracts, supports the full policy surface, and passes expanded golden tests.
- `go/cavra-runtime/go.mod` defines the Go module.
- `go/cavra-runtime/runtime/decision.go` evaluates critical file, command, Git, and MCP decisions.
- `go/cavra-runtime/cmd/cavra-runtime/main.go` reads a JSON request and writes a JSON decision.
- `go/cavra-runtime/testdata/parity_cases.json` captures shared critical decision cases.
- `go/cavra-runtime/testdata/compiled_policy.json` captures a compiled-policy loading fixture.
- `go/cavra-runtime/testdata/mcp_registry.json` captures registry-backed MCP trust decisions.
- `go/cavra-runtime/runtime/decision_test.go` verifies the Go evaluator against the shared fixture.
- `tests/test_go_runtime_parity.py` verifies the same fixture against `PythonRuntimeGuard` and compiles every bundled policy pack before checking representative Go CLI decisions.
- `go run ./cmd/cavra-runtime --policy compiled-policy.json` evaluates against normalized JSON from `cavra policy compile`.
- `go run ./cmd/cavra-runtime --registry mcp-registry.json` evaluates MCP calls with trust-registry decisions.
- `go/cavra-runtime/enforcement/v1` contains generated Go request and response contracts from the enforcement protobuf.
- Go decisions now emit runtime evidence metadata: decision ID, correlation ID, timestamp, and `evidence://...` references.
- `.github/workflows/go-release.yml` packages Go runtime binaries with checksums, SPDX SBOM metadata, signed installer metadata, managed endpoint deployment manifests, release channel manifests, managed workstation updater policy, signed release-channel promotion approvals, Jamf/Intune/Linux endpoint-management export bundles, channel publishing history metadata, endpoint export publication delivery, endpoint inventory ingestion, endpoint inventory freshness SLA reports, reconciliation automation from ingested inventory, managed endpoint reconciliation, endpoint drift dashboards, approval-bound endpoint drift remediation plans, approved remediation execution records, endpoint remediation handoff packages, endpoint remediation handoff status reconciliation, rollout evidence capture, rollout evidence verification and indexing, rollout evidence search filters and console/API views, governed rollout artifact retrieval, rollout artifact integrity status, promotion readiness indicators, signed promotion approval requests, approved promotion execution records, promotion execution search and audit drill-downs, rollback evidence links, approved rollback execution records, SIEM/ITSM promotion audit exports, connector delivery for promotion audit and rollback execution records, endpoint remediation escalation delivery actions, owner review workflows, recurrence policies, owner calendars, maintenance-window suppression, recurrence delivery batching, suppression audit exports, recurrence retry policies, owner digest notifications, suppression trend analytics, installer smoke validation, detached signatures, GitHub keyless OIDC attestations, offline trust bootstrap metadata, air-gapped zip verification, release-candidate upgrade validation, and release evidence.
- `.github/workflows/test.yml` includes a `go-runtime-parity` job.
- `.github/workflows/cavra-governance.yml` runs the Go parity suite inside the required governance check.
Run the Python-side parity expectations:

```sh
python3 -m pytest tests/test_go_runtime_parity.py -q
```

Run the Go runtime tests when the Go toolchain is installed:

```sh
cd go/cavra-runtime
go test ./...
```

Evaluate one request through the Go CLI:

```sh
echo '{"action_type":"execute_command","target":"terraform apply -auto-approve","policy_pack":"cavra-ai-agent-baseline"}' \
  | go run ./cmd/cavra-runtime
```

Evaluate with compiled policy JSON:

```sh
PYTHONPATH=src python3 -m cavra.cli policy compile --policy-pack cavra-ai-agent-baseline > /tmp/cavra-compiled-policy.json
echo '{"action_type":"read_file","target":".env"}' \
  | go run ./cmd/cavra-runtime --policy /tmp/cavra-compiled-policy.json
```

Evaluate MCP trust through the registry fixture:

```sh
echo '{"session_id":"registry-demo","action_type":"mcp_tool_call","server":"github-mcp","tool":"delete_repository","capability":"repository","policy_pack":"cavra-mcp-enterprise"}' \
  | go run ./cmd/cavra-runtime --registry testdata/mcp_registry.json
```

- As a CI owner, I can verify that a future low-latency runtime returns the same critical decisions as the authoritative Python runtime.
- As a platform engineer, I can inspect a small Go implementation before allowing it into runners or developer laptops.
- As an auditor, I can see that parity is tested before CAVRA claims a second enforcement backend.
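The parity check that `tests/test_go_runtime_parity.py` performs, as an added example that is not CAVRA's own test code: a shared fixture is run through a reference backend and a candidate backend, and only the normative decision fields are compared, with the per-run evidence metadata the Go runtime emits stripped first. The fixture shape, the `decision` field name, the `VOLATILE_FIELDS` set and the `go_cli_backend` wrapper are assumptions.

```python
"""Added example, not CAVRA's own test code: run a shared fixture through two
enforcement backends and compare only the normative decision fields.
Fixture shape, backend callables and field names are assumptions."""
import json
import subprocess
from typing import Callable

# Per-run evidence metadata (decision ID, correlation ID, timestamp, evidence://
# references) changes on every evaluation, so a parity check must ignore it.
VOLATILE_FIELDS = {"decision_id", "correlation_id", "timestamp", "evidence"}

# Constructed fixture in the spirit of testdata/parity_cases.json (assumed shape).
PARITY_CASES = json.loads("""[
 {"name": "terraform-apply", "request": {"action_type": "execute_command",
  "target": "terraform apply -auto-approve", "policy_pack": "cavra-ai-agent-baseline"},
  "expected": "deny"},
 {"name": "dotenv-read", "request": {"action_type": "read_file", "target": ".env"},
  "expected": "deny"},
 {"name": "readme-read", "request": {"action_type": "read_file", "target": "README.md"},
  "expected": "allow"}
]""")

Backend = Callable[[dict], dict]  # JSON request in, JSON decision out


def normalize(decision: dict) -> dict:
    """Strip volatile evidence fields so two runs can be compared verbatim."""
    return {k: v for k, v in decision.items() if k not in VOLATILE_FIELDS}


def go_cli_backend(argv: list[str]) -> Backend:
    """Wrap the Go CLI (e.g. ['go', 'run', './cmd/cavra-runtime']) as a backend."""
    def run(request: dict) -> dict:
        proc = subprocess.run(argv, input=json.dumps(request), text=True,
                              capture_output=True, check=True)
        return json.loads(proc.stdout)
    return run


def check_parity(cases: list[dict], reference: Backend, candidate: Backend) -> dict[str, str]:
    """Map case name -> problem for every case where the candidate diverges from
    the reference, or where both agree but contradict the fixture's expectation."""
    problems: dict[str, str] = {}
    for case in cases:
        ref = normalize(reference(case["request"]))
        cand = normalize(candidate(case["request"]))
        if ref != cand:
            problems[case["name"]] = f"backend mismatch: {ref} vs {cand}"
        elif ref.get("decision") != case["expected"]:
            problems[case["name"]] = f"both backends drift from fixture: {ref}"
    return problems
```

An empty result means every fixture case produced the same decision from both backends and matched the expectation; the second branch catches the case where both backends agree but the fixture itself has gone stale.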
Enterprises need fast local enforcement but cannot accept inconsistent policy decisions. This scaffold creates a controlled path to a Go runtime by making parity explicit, tested, and visible in the required governance check.
- The Go runtime supports compiled policy JSON for the currently mirrored sections: filesystem, commands, and MCP trust lists.
- Registry-backed MCP parity is implemented for approved, pending, blocked, tool-scope, and capability-scope decisions.
- It exposes an initial Unix-socket daemon transport using the generated request and response types.
- Managed endpoint deployment manifests are available for packaged CI runner and developer workstation rollout metadata.
- Add recurrence automation health reporting for missed runs, failed jobs, stale metadata, and connector delivery failures across CLI, API, and Evidence Console views.
- Continue broadening approval-route parity as new policy packs are added.