-
Notifications
You must be signed in to change notification settings - Fork 0
High Risk Command Cloud IaC Parity
CAVRA now includes shared Python and Go parity coverage for the high-risk command and cloud/IaC decisions that enterprises expect to be enforced consistently before a Go enforcement plane is promoted beyond a scaffold.
The shared fixture go/cavra-runtime/testdata/parity_cases.json now proves parity for:
- Cloud IAM mutation blocking through
cavra-cloud-iam. - Cloud IAM read-only inspection allowance through
cavra-cloud-iam. - Kubernetes production apply/delete blocking through
cavra-kubernetes-prod. - Kubernetes read-only diff/get/describe allowance through
cavra-kubernetes-prod. - Terraform and OpenTofu destructive operation blocking through
cavra-terraform-prod. - Terraform and OpenTofu plan/read-only operation allowance through
cavra-terraform-prod. - GitHub force-push and admin-merge blocking through
cavra-github-enterprise. - OWASP LLM agentic command-injection patterns such as
curl | shblocking throughcavra-owasp-llm-agentic. - Transparent delivery agent repository-setting mutation blocking through
cavra-agentic-delivery. - Transparent delivery agent test command allowance through
cavra-agentic-delivery.
The Go runtime built-in policy subset now mirrors the public-safe high-risk command portions of these bundled policy packs:
cavra-cloud-iamcavra-kubernetes-prodcavra-terraform-prodcavra-github-enterprisecavra-owasp-llm-agenticcavra-agentic-delivery
Python remains authoritative. The Go runtime only gains parity where the shared fixture and tests prove the same decision, rule ID, severity, approver group, and evidence metadata behavior.
Run the Python fixture verification:
python3 -m pytest tests/test_go_runtime_parity.py -qRun the Go runtime tests:
cd go/cavra-runtime
go test ./...Run one high-risk decision through Go:
echo '{"action_type":"execute_command","target":"aws iam attach-role-policy --role-name prod-admin --policy-arn arn:aws:iam::aws:policy/AdministratorAccess","policy_pack":"cavra-cloud-iam"}' \
| go run ./cmd/cavra-runtimeExpected result:
{
"decision": "block",
"rule_id": "commands.block",
"severity": "high"
}- As a platform engineer, I can trust the Go runtime to block the same high-risk cloud IAM mutations that Python blocks.
- As a Kubernetes owner, I can prove production apply/delete commands are not allowed through a second enforcement backend without parity evidence.
- As an IaC owner, I can verify Terraform and OpenTofu destructive operations are consistently blocked while plan/read-only commands remain usable.
- As a security reviewer, I can verify force-push, admin merge, and command-injection protections before enabling Go in CI runners.
Enterprises cannot adopt a low-latency enforcement runtime if it behaves differently from the authoritative policy plane. This parity slice turns high-risk cloud, Kubernetes, IaC, GitHub, and command-injection cases into shared test evidence, reducing the risk of inconsistent enforcement during rollout.
The next recommended implementation step is to add acknowledgement audit delivery history filters and delivery health dashboards.
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?
| Start | Build | Operate | Assure |
|---|---|---|---|
| Quick Start | CLI | Enterprise Guide | AISPM |
| Reader Paths | Policy Syntax | Deployments | Evidence |
| Community | GUI | Troubleshooting | Conclusion |
- Foreword And Reader Paths
- Why CAVRA Exists
- Runtime Authority Model
- Architecture
- Editions
- Install And Deploy
- Community Guide
- Enterprise Guide
- CLI Reference
- GUI And Sandbox
- AISPM Guide
- Policy And Evidence
- Operations And Integrations
- Labs And Use Cases
- Appendices And FAQ
- Policy Language Reference
- Troubleshooting Playbook
- Technology Stack
- Unified Enterprise Roadmap
- Conclusion