Immutable Evidence Storage
Huzefaaa2 edited this page May 18, 2026 · 22 revisions
CAVRA now includes deployment references for immutable evidence archives.
- examples/immutable-storage/aws-s3-object-lock: S3 Object Lock deployment and upload scripts.
- examples/immutable-storage/azure-blob-immutability: Azure Blob immutability deployment and upload scripts.
Generate and verify CAVRA evidence:

```bash
cavra evidence bundle --output .cavra/evidence/latest --signer platform-security --retention-days 2555
cavra evidence verify .cavra/evidence/latest --trust-root .cavra/keys/evidence-trust-roots.json --key-id prod-evidence --minimum-retention-days 2555
cavra evidence storage-plan .cavra/evidence/latest --output .cavra/evidence/storage --retention-days 2555
```

Deploy AWS S3 Object Lock:

```bash
cd examples/immutable-storage/aws-s3-object-lock
cp variables.example.env .env
source .env
bash deploy.sh
bash upload-evidence.sh
```

Deploy Azure Blob immutability:

```bash
cd examples/immutable-storage/azure-blob-immutability
cp variables.example.env .env
source .env
bash deploy.sh
bash upload-evidence.sh
```

- Verify evidence before upload.
- Use session-scoped object prefixes.
- Keep upload roles separate from retention administration.
- Use AWS S3 Object Lock compliance mode only after records-management review.
- Lock Azure immutability policies only after retention requirements are approved.
- Store cloud upload output with the change record or audit request.
- As an auditor, I can confirm CAVRA evidence was retained in a WORM-capable store.
- As a platform engineer, I can deploy immutable storage without granting CAVRA broad cloud permissions.
- As a records manager, I can map CAVRA retention policy artifacts to cloud retention controls.
Immutable storage references connect CAVRA's signed evidence bundles to enterprise retention controls. This helps regulated teams prove that AI-agent governance evidence was preserved after review, release, incident response, or audit.
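
One way to check the "keep upload roles separate from retention administration" practice on AWS before a policy is attached to the upload role. This is an added example, not code from the CAVRA repository: the action list, sample policies, bucket name and prefix are assumptions constructed for illustration, and it assumes the bucket applies a default Object Lock retention so uploads need only `s3:PutObject`.

```python
import fnmatch

# Assumed set of S3 actions that alter or bypass retention (not from the CAVRA repo).
RETENTION_ADMIN_ACTIONS = [
    "s3:BypassGovernanceRetention",
    "s3:DeleteObjectVersion",
    "s3:PutBucketObjectLockConfiguration",
    "s3:PutBucketVersioning",
    "s3:PutLifecycleConfiguration",
    "s3:PutObjectLegalHold",
    "s3:PutObjectRetention",
]

def _as_list(value):
    # IAM allows a single string/object where a list is expected.
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def retention_admin_grants(policy):
    """Retention-admin actions that the policy's Allow statements could grant.

    Conservative: ignores Deny statements, Resource scoping and Conditions.
    """
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except the listed patterns
            excluded = _as_list(stmt["NotAction"])
            granted.update(a for a in RETENTION_ADMIN_ACTIONS if not _matches(a, excluded))
        else:
            allowed = _as_list(stmt.get("Action", []))
            granted.update(a for a in RETENTION_ADMIN_ACTIONS if _matches(a, allowed))
    return sorted(granted)

# Constructed sample policies; bucket name and prefix are placeholders.
UPLOAD_ROLE_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-evidence-bucket/sessions/*"}]}
UPLOAD_ROLE_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Put*", "s3:GetObject"],
     "Resource": "arn:aws:s3:::example-evidence-bucket/*"}]}

if __name__ == "__main__":
    for name, pol in [("scoped", UPLOAD_ROLE_SCOPED), ("broad", UPLOAD_ROLE_BROAD)]:
        print(name, retention_admin_grants(pol) or "no retention-admin actions")
```

An empty result means the Allow statements grant none of the listed actions; any non-empty result for the upload role is a reason to split the policy before deployment.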
Go daemon evidence hooks and public sandbox URL validation after deployment from main.
CAVRA Field Compass
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?
Textbook home: Before the Agent Acts
Development archive: development and testing artifacts
Source repository: github.com/Huzefaaa2/cavra