Immutable Evidence Storage
CAVRA evidence bundles can be archived in immutable object stores after local verification. This release adds deployment references for AWS S3 Object Lock and Azure Blob Storage immutability.
- examples/immutable-storage/aws-s3-object-lock: S3 Object Lock bucket with versioning, KMS encryption, public-access blocking, TLS-only policy, default retention, and evidence upload script.
- examples/immutable-storage/azure-blob-immutability: Azure Blob Storage account and container with versioning, HTTPS-only access, public-access blocking, locked container immutability policy, optional legal hold tags, and evidence upload script.
Both references are designed as operator-owned deployment bundles. CAVRA produces evidence, retention policies, checksums, signatures, and storage plans; cloud operators own account permissions, key management, retention approval, and production lock decisions.
- Generate and sign a bundle.
- Verify bundle checksums and signatures against the approved trust root.
- Verify the bundle retention policy meets the enterprise minimum.
- Export the immutable storage plan.
- Upload the verified bundle into a session-scoped immutable prefix.
- Store cloud upload evidence with the change record or audit request.
```
cavra evidence bundle \
  --output .cavra/evidence/latest \
  --signer platform-security \
  --private-key .cavra/keys/evidence-private.pem \
  --retention-days 2555

cavra evidence verify .cavra/evidence/latest \
  --trust-root .cavra/keys/evidence-trust-roots.json \
  --key-id prod-evidence \
  --minimum-retention-days 2555

cavra evidence storage-plan .cavra/evidence/latest \
  --output .cavra/evidence/storage \
  --retention-days 2555
```

Use the AWS reference when your enterprise standardizes audit evidence in S3.
```
cd examples/immutable-storage/aws-s3-object-lock
cp variables.example.env .env
source .env
bash deploy.sh
bash upload-evidence.sh
```

Production controls:
- Create a new Object Lock-enabled bucket for CAVRA evidence.
- Use COMPLIANCE mode only after records-management review: a COMPLIANCE retention period cannot be shortened or removed by any principal, including the account root, until it expires. GOVERNANCE mode can be overridden by principals holding s3:BypassGovernanceRetention, so deny that permission to every role that is not a retention administrator.
- Require KMS encryption and restrict key administration.
- Deny non-TLS access.
- Keep CAVRA runtime roles separate from retention-administration roles.
- Upload evidence only after `cavra evidence verify` succeeds.
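The gate the workflow above describes (verify checksums and the retention minimum, then upload into a session-scoped prefix with a per-object Object Lock retention date), written out as an added example. This is not CAVRA's code and not the reference `upload-evidence.sh`; the bundle layout it assumes (a `manifest.json` whose `files` map relative paths to hex SHA-256 digests) is a labelled assumption, since this page does not describe the real bundle format. The S3 client is injected so the gate can be exercised offline against a fake; the keyword arguments passed to `put_object` are real boto3 parameters. Object Lock mode defaults to GOVERNANCE because the page reserves COMPLIANCE for after records-management review.

```python
"""Verify-then-upload gate for an evidence bundle into an S3 Object Lock bucket.
Added example, not CAVRA's own code. Assumed bundle layout: manifest.json with
{"files": {"relative/path": "<hex sha256>"}}; the real format is not on the page."""
import base64
import hashlib
import json
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_file(path: Path) -> bytes:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.digest()


def verify_manifest(bundle_dir: Path) -> dict:
    """Recompute every digest listed in manifest.json and refuse the whole bundle
    if any artifact is missing or altered. The manifest itself is added to the
    result so it is archived next to the artifacts it describes."""
    manifest_path = bundle_dir / "manifest.json"
    manifest = json.loads(manifest_path.read_text())
    digests = {}
    for rel, expected_hex in manifest["files"].items():
        p = bundle_dir / rel
        if not p.is_file():
            raise ValueError(f"missing artifact: {rel}")
        actual = sha256_file(p)
        if actual != bytes.fromhex(expected_hex):
            raise ValueError(f"checksum mismatch: {rel}")
        digests[rel] = actual
    digests["manifest.json"] = sha256_file(manifest_path)
    return digests


def retain_until(retention_days: int, minimum_days: int, now=None) -> datetime:
    """Object Lock wants an absolute date; refuse anything below the enterprise minimum."""
    if retention_days < minimum_days:
        raise ValueError(f"retention {retention_days}d is below minimum {minimum_days}d")
    now = now or datetime.now(timezone.utc)
    return now + timedelta(days=retention_days)


def upload_bundle(bundle_dir: Path, client, bucket: str, session_id: str,
                  kms_key_id: str, retention_days: int, minimum_days: int,
                  mode: str = "GOVERNANCE") -> list:
    """Gate first, then put each artifact under a prefix scoped to this session
    with KMS encryption, an integrity checksum and a per-object retention date."""
    digests = verify_manifest(bundle_dir)          # nothing is sent if this raises
    until = retain_until(retention_days, minimum_days)
    prefix = f"cavra/evidence/{session_id}"        # assumed prefix layout, never reused
    keys = []
    for rel, digest in digests.items():
        key = f"{prefix}/{rel}"
        client.put_object(
            Bucket=bucket, Key=key, Body=(bundle_dir / rel).read_bytes(),
            ServerSideEncryption="aws:kms", SSEKMSKeyId=kms_key_id,
            ChecksumSHA256=base64.b64encode(digest).decode(),
            ObjectLockMode=mode, ObjectLockRetainUntilDate=until,
        )
        keys.append(key)
    return keys


class FakeS3:
    """Records put_object calls so the gate runs offline (stands in for boto3)."""
    def __init__(self):
        self.calls = []

    def put_object(self, **kwargs):
        self.calls.append(kwargs)


def build_demo_bundle(bundle_dir: Path) -> None:
    """Constructed sample bundle: two artifacts plus a manifest of their digests."""
    files = {"evidence.json": b'{"session": "demo"}\n', "evidence.sig": b"sig-bytes\n"}
    for rel, data in files.items():
        (bundle_dir / rel).write_bytes(data)
    manifest = {"files": {rel: hashlib.sha256(d).hexdigest() for rel, d in files.items()}}
    (bundle_dir / "manifest.json").write_text(json.dumps(manifest))


def demo() -> dict:
    """Upload a clean bundle, then show that a post-signing edit is rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp)
        build_demo_bundle(bundle)
        client = FakeS3()
        keys = upload_bundle(bundle, client, "acme-cavra-evidence", "sess-0001",
                             "alias/cavra-evidence", 2555, 2555)
        (bundle / "evidence.json").write_bytes(b"{}")  # tamper after signing
        try:
            upload_bundle(bundle, FakeS3(), "acme-cavra-evidence", "sess-0002",
                          "alias/cavra-evidence", 2555, 2555)
            rejected = False
        except ValueError:
            rejected = True
    return {"keys": keys, "calls": client.calls, "tamper_rejected": rejected}
```

The retention date is computed once per upload and applied to every object, so the whole session's artifacts expire together; the role running this needs s3:PutObject and s3:PutObjectRetention on the evidence prefix and nothing that can shorten or bypass retention.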
Use the Azure reference when your enterprise standardizes audit evidence in Azure Storage.
```
cd examples/immutable-storage/azure-blob-immutability
cp variables.example.env .env
source .env
bash deploy.sh
bash upload-evidence.sh
```

Production controls:
- Use a dedicated storage account and container for CAVRA evidence.
- Enable blob versioning before locking the retention policy.
- Lock the immutability policy only after legal and records review: a locked time-based retention policy cannot be deleted, and its interval can only be extended, never shortened.
- Use optional legal hold tags for active investigations; a legal hold keeps a blob undeletable until the hold is explicitly cleared, regardless of the retention interval.
- Keep upload roles separate from storage-account owner roles.
- Upload evidence only after `cavra evidence verify` succeeds.
- As an auditor, I can confirm CAVRA evidence was retained in a WORM-capable store.
- As a platform engineer, I can deploy cloud-native immutable evidence storage without giving CAVRA broad cloud permissions.
- As a records manager, I can map CAVRA retention policy artifacts to storage-level retention controls.
- As a security engineer, I can separate evidence upload permissions from retention bypass or storage-administration permissions.
AI-agent governance evidence must remain trustworthy after a release, incident, or audit request. Immutable evidence storage references close the gap between CAVRA's signed bundle artifacts and enterprise WORM storage controls, making evidence retention operationally repeatable across AWS and Azure.
The next recommended work is production release-signing operations, key rotation, and emergency revocation evidence.
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?