Hosted Sandbox Deployment

Huzefaaa2 edited this page May 21, 2026 · 67 revisions

The hosted sandbox deployment workflow publishes the static CAVRA evidence console through GitHub Pages after merge to main.

Workflow

Workflow file: .github/workflows/deploy-sandbox.yml

The workflow:

  • Runs on manual dispatch and pushes to main that affect the sandbox, docs, or workflow file.
  • Validates apps/sandbox-ui/config.js and apps/sandbox-ui/sandbox.js with node --check.
  • Copies apps/sandbox-ui into a static public/ artifact.
  • Writes public/config.js from the optional CAVRA_PUBLIC_API_BASE_URL repository variable.
  • Packages the generated Before the Agent Acts sample evidence at evidence/before-the-agent-acts/evidence.json.
  • Includes SVG diagrams from docs/diagrams.
  • Configures the already-enabled GitHub Pages site for GitHub Actions publishing.
  • Uploads a Pages artifact.
  • Deploys only when the workflow runs on refs/heads/main.
  • Opts JavaScript-based GitHub Actions into Node.js 24 to avoid the hosted-runner Node.js 20 deprecation path.
  • Runs a post-deploy smoke check against the public page, JavaScript, stylesheet, brand assets, C4 diagram asset, and downloadable evidence file.

How To Run

After the branch is merged to main, run:

gh workflow run deploy-sandbox.yml --repo Huzefaaa2/cavra --ref main

GitHub Pages is enabled for Actions publishing. The public sandbox URL is:

https://huzefaaa2.github.io/cavra/

User Stories

  • As a prospect, I can open the sandbox without cloud credentials or a local install.
  • As a CISO, I can see CAVRA decisions, evidence, and deployment readiness from a browser.
  • As a developer, I can copy the Claude Code MCP setup command from the same product surface.
  • As a platform evaluator, I can point the public sandbox at a deployed CAVRA API and run backend-generated policy decisions.

Enterprise Challenge Solved

Security and platform buyers need a short, credible product walkthrough before design-partner workshops. The hosted sandbox makes CAVRA reviewable from a static URL while the same surface can call a deployed API for backend-generated scenario runs, persisted evidence metadata, and activity records.

Current Limits

  • Public URL validation requires the workflow to run from main.
  • The static sandbox uses built-in sample data when no API is configured.
  • Backend-driven sandbox runs require a reachable API URL and matching CAVRA_CORS_ORIGINS.
  • Public counters require the API activity store to retain sandbox session rows.
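
Added example, not code from the CAVRA repository: one way to validate the optional CAVRA_PUBLIC_API_BASE_URL value before it is written into the publicly served config.js, and to pre-check the Pages origin against CAVRA_CORS_ORIGINS. The global name window.CAVRA_CONFIG, the apiBaseUrl key, and the comma-separated list format are assumptions.

```javascript
// Added example: build-time rendering of public/config.js plus a CORS pre-check.
// Assumptions (not from the CAVRA repo): the global name window.CAVRA_CONFIG,
// the apiBaseUrl key, and a comma-separated CAVRA_CORS_ORIGINS value.

// Validate the repository variable and return the text of config.js.
function renderConfig(rawBaseUrl) {
  const value = (rawBaseUrl || "").trim();
  if (value === "") {
    // The variable is optional: an empty value keeps the built-in sample data.
    return "window.CAVRA_CONFIG = " + JSON.stringify({ apiBaseUrl: "" }) + ";\n";
  }
  let url;
  try {
    url = new URL(value);
  } catch {
    throw new Error("CAVRA_PUBLIC_API_BASE_URL is not an absolute URL");
  }
  if (url.protocol !== "https:") {
    throw new Error("API base URL must use https");
  }
  if (url.username || url.password || url.search || url.hash) {
    throw new Error("API base URL must not carry credentials, query, or fragment");
  }
  // Emit the parsed, normalized form through JSON.stringify, never the raw string,
  // so the variable cannot break out of the string literal in the served script.
  const apiBaseUrl = url.origin + url.pathname.replace(/\/+$/, "");
  return "window.CAVRA_CONFIG = " + JSON.stringify({ apiBaseUrl }) + ";\n";
}

// True when the page's origin (scheme + host + port, no path) is allow-listed.
// The browser sends the Origin header without a path or trailing slash, so the
// comparison is an exact string match against each trimmed entry.
function originAllowed(pageUrl, corsOrigins) {
  const origin = new URL(pageUrl).origin;
  return (corsOrigins || "")
    .split(",")
    .map((entry) => entry.trim())
    .includes(origin);
}
```

For the public sandbox URL above, the origin to allow-list is https://huzefaaa2.github.io; an entry that includes the /cavra/ path does not match.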

Next Recommended Work

  1. Add remaining high-risk command and cloud/IaC decision parity cases that are still Python-only.
