Home
Welcome to the CAVRA Wiki. This wiki now opens as a technical textbook for CAVRA, Controlled Agentic Verification and Runtime Authority. It is written for developers, security engineers, platform owners, compliance teams, architects, and enterprise evaluators who need to understand what CAVRA is, how it works, how to run it, and how to operate it safely.
CAVRA exists for a simple reason: AI agents should not receive unchecked authority over code, cloud, data, identity, CI/CD, MCP tools, and production workflows. CAVRA gives organizations a runtime authority layer that evaluates agent actions before they happen, records evidence after they happen, and turns that evidence into AI Security Posture Management, or AISPM.
Read the book in order if you are new to CAVRA. Jump directly to the command, GUI, AISPM, or deployment chapters if you already know the product shape.
If you want to see CAVRA work before reading the full book, follow this short path:
- Install the Community Edition from the repository with `pip install -e .`.
- Run `cavra version` and `cavra policy list`.
- Run `cavra demo before-the-agent-acts` to see CAVRA block risky agent behavior.
- Run `cavra evaluate execute_command "terraform apply -auto-approve" --json` to evaluate a dangerous command directly.
- Run `cavra evidence bundle --output .cavra/evidence/latest` and `cavra evidence verify .cavra/evidence/latest` to prove the control path.
- Open the sandbox GUI and review the decision, evidence, and AISPM views.
The detailed walkthrough is in Install And Deploy CAVRA, Community Edition User Guide, and Use Cases, Labs, And Example Workflows.
| Reader | Read first | Outcome |
|---|---|---|
| First-time user | Chapters 0, 1, 5, 6, 13 | Install, run a demo, block a risky action, and verify evidence. |
| Developer | Chapters 5, 6, 8, 11 | Use the CLI, write policy, route approvals, and create evidence. |
| Security architect | Chapters 1, 2, 3, 11, 15, 16 | Understand the runtime authority model, policy language, governance controls, and troubleshooting. |
| Platform owner | Chapters 3, 5, 8, 12 | Integrate CAVRA into CI/CD, APIs, and operating workflows. |
| Enterprise evaluator | Chapters 4, 7, 10, 12, 13, 16 | Validate SSO/RBAC, connectors, tenant isolation, AISPM, report delivery, and blocker closeout. |
- Foreword, Preface, And Reader Paths
- Why CAVRA Exists
- The Runtime Authority Model
- Architecture And Open-Core Design
- Editions, Licensing, And Feature Boundaries
- Install And Deploy CAVRA
- Community Edition User Guide
- Enterprise Edition User Guide
- CAVRA CLI Command Reference
- CAVRA GUI And Sandbox Guide
- AISPM Guide
- Policies, Approvals, Evidence, And Attestations
- Operations, Integrations, And Deployment Patterns
- Use Cases, Labs, And Example Workflows
- Reference Appendices
- Policy Language Reference
- Troubleshooting And FAQ
- Conclusion: The Runtime Authority Revolution
| Topic | Diagram |
|---|---|
| Runtime authority | CAVRA runtime authority map |
| Architecture context | Architecture context |
| Runtime decision flow | Runtime flow |
| Editions | Edition map |
| CLI command families | Command map |
| AISPM posture loop | AISPM posture loop |
| Enterprise sequence | Enterprise sequence |
| Getting started journey | Getting started journey |
| Policy authoring journey | Policy authoring journey |
| Approval routing | Approval routing flow |
| Troubleshooting | Troubleshooting decision tree |
| Dynamic runtime loop | Animated runtime authority loop |
| Dynamic AISPM readiness | Animated AISPM readiness pulse |
The animated diagrams are SVG-native and are written to degrade into readable static diagrams when motion is disabled by browser, accessibility, or renderer settings. Every textbook image uses descriptive alt text in the surrounding Markdown.
Approved Enterprise evaluators start at the public trial portal:
The trial portal is the starting point for requesting operator-reviewed access, private package entitlement, and time-limited evaluator license material. After approval, use the CAVRA Trial Field Guide to run a complete proof-of-value scenario: choose one repository or workflow, govern one risky AI-agent action, route one approval, generate evidence, review AISPM, and close out the trial without leaving stale package or license access behind.
- CLI
- API
- Diagrams
- Edition Boundaries
- AI Agent Enforcement And Anti-Bypass Model
- Agent Registry And MCP Trust
- Approval Workflows
- Evidence Hub And Attestation
- Policy Engine Hardening
- AISPM Dashboard Roadmap
- AI Security Posture Dashboard Contract
- AISPM CSO Report Center
- AISPM Enterprise Live Ingestion
- CAVRA Trial Field Guide
- AISPM Trial Access And Operator Approval
- AISPM Trial Revocation, Expiry, And Closeout
- Enterprise Trial Availability
- Enterprise Trial Self-Service Access
Historical implementation notes, release packets, validation records, trial synchronization notes, rollback-drill records, closeout documents, and readiness artifacts are preserved in one archive:
The archive is intentionally separated from the textbook so new readers can learn CAVRA without walking through every development milestone.
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?
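The four questions above are the whole shape of a runtime authority gate: identify the actor, describe the change, match a policy, and leave verifiable evidence. The block below is an added, self-contained illustration of that pattern written for this page; it is not CAVRA's code, policy language, or evidence format. The `Action`, `Rule`, and `POLICY` names, the three sample rules, and the hash-chained evidence log are all assumptions made for the example. It gates the same `execute_command` / `terraform apply -auto-approve` case the quick path evaluates, falls back to human approval for anything the policy does not recognise, and shows that rewriting a past decision breaks chain verification.

```python
"""Toy runtime authority gate: evaluate an agent action before it runs, then
append a hash-chained evidence record that can be verified afterwards.
Illustrative only; not CAVRA's implementation, policy syntax or evidence format."""
import hashlib
import json
import re
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Action:
    actor: str   # who is acting: the agent identity
    tool: str    # which capability is invoked, e.g. execute_command
    target: str  # what will change: here, the command line


@dataclass(frozen=True)
class Rule:
    name: str
    tool: str
    pattern: str  # regex matched against Action.target
    effect: str   # "deny", "require_approval" or "allow"


# Constructed sample policy (assumption, not CAVRA's policy language).
# Rules are evaluated in order; the first match wins.
POLICY = [
    Rule("deny-unreviewed-infra-change", "execute_command",
         r"\bterraform\s+apply\b.*-auto-approve", "deny"),
    Rule("approve-force-push", "execute_command",
         r"\bgit\s+push\b.*(--force|-f)\b", "require_approval"),
    Rule("allow-read-only-terraform", "execute_command",
         r"\bterraform\s+(plan|validate)\b", "allow"),
]
# Unknown actions go to a human, never silently to the agent.
DEFAULT_EFFECT = "require_approval"


def evaluate(action: Action, policy=POLICY) -> dict:
    """Answer 'what policy applies' for one action before it executes."""
    for rule in policy:
        if rule.tool == action.tool and re.search(rule.pattern, action.target):
            return {"effect": rule.effect, "rule": rule.name}
    return {"effect": DEFAULT_EFFECT, "rule": "default"}


def _digest(prev_hash: str, body: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


def record_evidence(chain: list, action: Action, decision: dict) -> dict:
    """Append an evidence record that commits to its predecessor's hash."""
    prev_hash = chain[-1]["hash"] if chain else "0" * 64
    body = {"seq": len(chain), "action": asdict(action),
            "decision": decision, "prev": prev_hash}
    body["hash"] = _digest(prev_hash, {k: v for k, v in body.items()})
    chain.append(body)
    return body


def verify_chain(chain: list) -> bool:
    """Recompute every link; any edited or reordered record fails."""
    prev_hash = "0" * 64
    for seq, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if (rec["seq"] != seq or rec["prev"] != prev_hash
                or _digest(prev_hash, body) != rec["hash"]):
            return False
        prev_hash = rec["hash"]
    return True


def gate(chain: list, action: Action) -> str:
    """The full loop: decide first, record evidence, return the effect."""
    decision = evaluate(action)
    record_evidence(chain, action, decision)
    return decision["effect"]


def demo():
    """Run four constructed agent commands through the gate, then tamper."""
    chain = []
    effects = [gate(chain, Action("ci-agent", "execute_command", cmd)) for cmd in (
        "terraform plan",
        "terraform apply -auto-approve",
        "git push --force origin main",
        "rm -rf build/",
    )]
    ok_before = verify_chain(chain)
    tampered = json.loads(json.dumps(chain))           # deep copy
    tampered[1]["decision"]["effect"] = "allow"        # rewrite the deny after the fact
    return effects, ok_before, verify_chain(tampered)


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from this is the default: the gate never lets an unmatched action through on its own, and the evidence is only useful if it is tamper-evident, which is why the quick path pairs `cavra evidence bundle` with `cavra evidence verify`.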
| Start | Build | Operate | Assure |
|---|---|---|---|
| Quick Start | CLI | Enterprise Guide | AISPM |
| Reader Paths | Policy Syntax | Deployments | Evidence |
| Community | GUI | Troubleshooting | Conclusion |