-
Notifications
You must be signed in to change notification settings - Fork 0
Immutable Evidence Storage
Huzefaaa2 edited this page May 21, 2026
·
22 revisions
CAVRA now includes deployment references for immutable evidence archives.
-
examples/immutable-storage/aws-s3-object-lock: S3 Object Lock deployment and upload scripts. -
examples/immutable-storage/azure-blob-immutability: Azure Blob immutability deployment and upload scripts.
Generate and verify CAVRA evidence:
cavra evidence bundle --output .cavra/evidence/latest --signer platform-security --retention-days 2555
cavra evidence verify .cavra/evidence/latest --trust-root .cavra/keys/evidence-trust-roots.json --key-id prod-evidence --minimum-retention-days 2555
cavra evidence storage-plan .cavra/evidence/latest --output .cavra/evidence/storage --retention-days 2555Deploy AWS S3 Object Lock:
cd examples/immutable-storage/aws-s3-object-lock
cp variables.example.env .env
source .env
bash deploy.sh
bash upload-evidence.shDeploy Azure Blob immutability:
cd examples/immutable-storage/azure-blob-immutability
cp variables.example.env .env
source .env
bash deploy.sh
bash upload-evidence.sh- Verify evidence before upload.
- Use session-scoped object prefixes.
- Keep upload roles separate from retention administration.
- Use AWS S3 Object Lock compliance mode only after records-management review.
- Lock Azure immutability policies only after retention requirements are approved.
- Store cloud upload output with the change record or audit request.
- As an auditor, I can confirm CAVRA evidence was retained in a WORM-capable store.
- As a platform engineer, I can deploy immutable storage without granting CAVRA broad cloud permissions.
- As a records manager, I can map CAVRA retention policy artifacts to cloud retention controls.
Immutable storage references connect CAVRA's signed evidence bundles to enterprise retention controls. This helps regulated teams prove that AI-agent governance evidence was preserved after review, release, incident response, or audit.
continued release-governance record parity as new evidence metadata kinds are added.
CAVRA Field Compass
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?
| Start | Build | Operate | Assure |
|---|---|---|---|
| Quick Start | CLI | Enterprise Guide | AISPM |
| Reader Paths | Policy Syntax | Deployments | Evidence |
| Community | GUI | Troubleshooting | Conclusion |
Textbook home: Before the Agent Acts |
Development archive: development and testing artifacts |
Source repository: github.com/Huzefaaa2/cavra
- Foreword And Reader Paths
- Why CAVRA Exists
- Runtime Authority Model
- Architecture
- Editions
- Install And Deploy
- Community Guide
- Enterprise Guide
- CLI Reference
- GUI And Sandbox
- AISPM Guide
- Policy And Evidence
- Operations And Integrations
- Labs And Use Cases
- Appendices And FAQ
- Policy Language Reference
- Troubleshooting Playbook
- Conclusion