Skip to content

Hosted Sandbox Deployment

Huzefaaa2 edited this page Jun 5, 2026 · 67 revisions

Hosted Sandbox Deployment

The hosted sandbox deployment workflow publishes the static CAVRA evidence console through GitHub Pages after merge to main.

Workflow

Workflow file: .github/workflows/deploy-sandbox.yml

The workflow:

  • Runs on manual dispatch and pushes to main that affect the sandbox, docs, or workflow file.
  • Validates apps/sandbox-ui/config.js and apps/sandbox-ui/sandbox.js with node --check.
  • Copies apps/sandbox-ui into a static public/ artifact.
  • Writes public/config.js from the optional CAVRA_PUBLIC_API_BASE_URL and CAVRA_PUBLIC_TRIAL_API_URL repository variables.
  • Packages the generated Before the Agent Acts sample evidence at evidence/before-the-agent-acts/evidence.json.
  • Packages the final closeout trial sample evidence at evidence/final-closeout-trial/sample-evidence-package.json.
  • Includes SVG diagrams from docs/diagrams.
  • Configures the already-enabled GitHub Pages site for GitHub Actions publishing.
  • Uploads a Pages artifact.
  • Deploys only when the workflow runs on refs/heads/main.
  • Opts JavaScript-based GitHub Actions into Node.js 24 to avoid the hosted-runner Node.js 20 deprecation path.
  • Runs a post-deploy smoke check against the public page, JavaScript, stylesheet, brand assets, C4 diagram asset, and downloadable evidence files.

How To Run

After the branch is merged to main, run:

gh workflow run deploy-sandbox.yml --repo Huzefaaa2/cavra --ref main

GitHub Pages is enabled for Actions publishing. The public sandbox URL is:

https://huzefaaa2.github.io/cavra/

User Stories

  • As a prospect, I can open the sandbox without cloud credentials or a local install.
  • As a CISO, I can see CAVRA decisions, evidence, and deployment readiness from a browser.
  • As a developer, I can copy the Claude Code MCP setup command from the same product surface.
  • As a platform evaluator, I can point the public sandbox at a deployed CAVRA API and run backend-generated policy decisions.
  • As a customer evaluator, I can select the final closeout trial scenario and download synthetic release-governance evidence.

Enterprise Challenge Solved

Security and platform buyers need a short, credible product walkthrough before design-partner workshops. The hosted sandbox makes CAVRA reviewable from a static URL while the same surface can call a deployed API for backend-generated scenario runs, persisted evidence metadata, and activity records.

Current Limits

  • Public URL validation requires the workflow to run from main.
  • The static sandbox uses built-in sample data when no API is configured.
  • The final closeout trial sample is synthetic and does not perform live Enterprise connector, archive, license, SSO, or RBAC enforcement.
  • Backend-driven sandbox runs require a reachable API URL and matching CAVRA_CORS_ORIGINS.
  • Public counters require the API activity store to retain sandbox session rows.

Next Recommended Work

  1. Add a final closeout production pilot intake package with repository, agent, CI/CD, connector, SSO/RBAC, retention, and Enterprise/SaaS handoff worksheets.

Clone this wiki locally