-
Notifications
You must be signed in to change notification settings - Fork 0
Hosted Sandbox Deployment
Huzefaaa2 edited this page May 20, 2026
·
67 revisions
The hosted sandbox deployment workflow publishes the static CAVRA evidence console through GitHub Pages after merge to main.
Workflow file: .github/workflows/deploy-sandbox.yml
The workflow:
- Runs on manual dispatch and pushes to
mainthat affect the sandbox, docs, or workflow file. - Validates
apps/sandbox-ui/config.jsandapps/sandbox-ui/sandbox.jswithnode --check. - Copies
apps/sandbox-uiinto a staticpublic/artifact. - Writes
public/config.jsfrom the optionalCAVRA_PUBLIC_API_BASE_URLrepository variable. - Packages the generated Before the Agent Acts sample evidence at
evidence/before-the-agent-acts/evidence.json. - Includes SVG diagrams from
docs/diagrams. - Configures the already-enabled GitHub Pages site for GitHub Actions publishing.
- Uploads a Pages artifact.
- Deploys only when the workflow runs on
refs/heads/main. - Runs a post-deploy smoke check against the public page, JavaScript, stylesheet, brand assets, C4 diagram asset, and downloadable evidence file.
After the branch is merged to main, run:
gh workflow run deploy-sandbox.yml --repo Huzefaaa2/cavra --ref mainGitHub Pages is enabled for Actions publishing. The public sandbox URL is:
https://huzefaaa2.github.io/cavra/
- As a prospect, I can open the sandbox without cloud credentials or a local install.
- As a CISO, I can see CAVRA decisions, evidence, and deployment readiness from a browser.
- As a developer, I can copy the Claude Code MCP setup command from the same product surface.
- As a platform evaluator, I can point the public sandbox at a deployed CAVRA API and run backend-generated policy decisions.
Security and platform buyers need a short, credible product walkthrough before design-partner workshops. The hosted sandbox makes CAVRA reviewable from a static URL while the same surface can call a deployed API for backend-generated scenario runs, persisted evidence metadata, and activity records.
- Public URL validation requires the workflow to run from
main. - The static sandbox uses built-in sample data when no API is configured.
- Backend-driven sandbox runs require a reachable API URL and matching
CAVRA_CORS_ORIGINS. - Public counters require the API activity store to retain sandbox session rows.
- Add recurrence automation health reporting for missed runs, failed jobs, stale metadata, and connector delivery failures across CLI, API, and Evidence Console views.
CAVRA Field Compass
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?
| Start | Build | Operate | Assure |
|---|---|---|---|
| Quick Start | CLI | Enterprise Guide | AISPM |
| Reader Paths | Policy Syntax | Deployments | Evidence |
| Community | GUI | Troubleshooting | Conclusion |
Textbook home: Before the Agent Acts |
Development archive: development and testing artifacts |
Source repository: github.com/Huzefaaa2/cavra
- Foreword And Reader Paths
- Why CAVRA Exists
- Runtime Authority Model
- Architecture
- Editions
- Install And Deploy
- Community Guide
- Enterprise Guide
- CLI Reference
- GUI And Sandbox
- AISPM Guide
- Policy And Evidence
- Operations And Integrations
- Labs And Use Cases
- Appendices And FAQ
- Policy Language Reference
- Troubleshooting Playbook
- Conclusion