Hosted Sandbox Deployment
Huzefaaa2 edited this page May 20, 2026 · 67 revisions
The hosted sandbox deployment workflow publishes the static CAVRA evidence console through GitHub Pages after merge to main.
Workflow file: `.github/workflows/deploy-sandbox.yml`
The workflow:
- Runs on manual dispatch and pushes to `main` that affect the sandbox, docs, or workflow file.
- Validates `apps/sandbox-ui/config.js` and `apps/sandbox-ui/sandbox.js` with `node --check`.
- Copies `apps/sandbox-ui` into a static `public/` artifact.
- Writes `public/config.js` from the optional `CAVRA_PUBLIC_API_BASE_URL` repository variable.
- Packages the generated Before the Agent Acts sample evidence at `evidence/before-the-agent-acts/evidence.json`.
- Includes SVG diagrams from `docs/diagrams`.
- Configures the already-enabled GitHub Pages site for GitHub Actions publishing.
- Uploads a Pages artifact.
- Deploys only when the workflow runs on `refs/heads/main`.
- Runs a post-deploy smoke check against the public page, JavaScript, stylesheet, brand assets, C4 diagram asset, and downloadable evidence file.
After the branch is merged to main, run:

```bash
gh workflow run deploy-sandbox.yml --repo Huzefaaa2/cavra --ref main
```

GitHub Pages is enabled for Actions publishing. The public sandbox URL is:
https://huzefaaa2.github.io/cavra/
- As a prospect, I can open the sandbox without cloud credentials or a local install.
- As a CISO, I can see CAVRA decisions, evidence, and deployment readiness from a browser.
- As a developer, I can copy the Claude Code MCP setup command from the same product surface.
- As a platform evaluator, I can point the public sandbox at a deployed CAVRA API and run backend-generated policy decisions.
Security and platform buyers need a short, credible product walkthrough before design-partner workshops. The hosted sandbox makes CAVRA reviewable from a static URL while the same surface can call a deployed API for backend-generated scenario runs, persisted evidence metadata, and activity records.
- Public URL validation requires the workflow to run from `main`.
- The static sandbox uses built-in sample data when no API is configured.
- Backend-driven sandbox runs require a reachable API URL and matching `CAVRA_CORS_ORIGINS`.
- Public counters require the API activity store to retain sandbox session rows.
- Add recurrence plan-driven escalation delivery batching and suppression audit exports.
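
The following is an added example, not code from the CAVRA repository. It sketches a check that could run before `public/config.js` is written from `CAVRA_PUBLIC_API_BASE_URL`, and shows why `CAVRA_CORS_ORIGINS` has to list the Pages origin rather than the full sandbox URL. The `window.CAVRA_SANDBOX_CONFIG` global, the function names, and the comma-separated format assumed for `CAVRA_CORS_ORIGINS` are assumptions.

```javascript
// Added example; names below are hypothetical, not taken from the CAVRA code base.
const SANDBOX_URL = "https://huzefaaa2.github.io/cavra/"; // public URL from this page

// Build the text of public/config.js from the optional repository variable.
// The value is published to every visitor, so it is validated and then emitted
// through JSON.stringify instead of being pasted into the script as raw text.
function renderConfig(apiBaseUrl) {
  if (!apiBaseUrl) {
    // Variable unset: the static sandbox uses its built-in sample data.
    return `window.CAVRA_SANDBOX_CONFIG = ${JSON.stringify({ apiBaseUrl: null })};\n`;
  }
  const url = new URL(apiBaseUrl); // throws TypeError on malformed input
  if (url.protocol !== "https:") {
    throw new Error("API base URL must use https (the page is served over https)");
  }
  if (url.username || url.password) {
    throw new Error("API base URL must not embed credentials");
  }
  if (url.search || url.hash) {
    throw new Error("API base URL must not carry a query string or fragment");
  }
  // Normalise: origin plus path without trailing slashes.
  const clean = url.origin + url.pathname.replace(/\/+$/, "");
  return `window.CAVRA_SANDBOX_CONFIG = ${JSON.stringify({ apiBaseUrl: clean })};\n`;
}

// Browsers send Origin as scheme://host[:port] with no path, so the entry that
// must appear in CAVRA_CORS_ORIGINS is the Pages origin, not the /cavra/ URL.
function corsAllowsSandbox(corsOrigins, sandboxUrl = SANDBOX_URL) {
  const origin = new URL(sandboxUrl).origin;
  const allowed = String(corsOrigins || "")
    .split(",") // assumption: comma-separated list
    .map((entry) => entry.trim())
    .filter(Boolean);
  return allowed.includes(origin);
}

// Constructed sample values, not real CAVRA endpoints.
console.log(renderConfig("https://api.example.test/v1/"));
console.log(corsAllowsSandbox("https://huzefaaa2.github.io"));        // origin form
console.log(corsAllowsSandbox("https://huzefaaa2.github.io/cavra/")); // URL form
```
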
CAVRA Field Compass
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?
Textbook home: Before the Agent Acts |
Development archive: development and testing artifacts |
Source repository: github.com/Huzefaaa2/cavra