Policy Engine Hardening
Huzefaaa2 edited this page Jun 3, 2026 · 2 revisions
Phase 2 is complete.
CAVRA policy behavior is now stricter and more reviewable:
- JSON Schema validation for policy packs.
- Policy inheritance with `metadata.inherits`.
- Normalized policy compilation.
- Semantic policy diff output.
- Ed25519 policy signing key generation.
- Policy signature metadata with Ed25519 and backward-compatible HMAC modes.
- Policy verification with digest, public-key fingerprint, and signature mismatch detection.
```bash
cavra policy validate policies/cavra-ai-agent-baseline
cavra policy compile --policy-pack cavra-ai-agent-baseline
cavra policy diff policies/cavra-ai-agent-baseline policies/cavra-banking-baseline
cavra policy keygen --output .cavra/policy-signing --key-id community-ga-policy-key
cavra policy sign policies/cavra-ai-agent-baseline/policy.yaml --signer platform-security --private-key .cavra/policy-signing/community-ga-policy-key.private.pem --key-id community-ga-policy-key
cavra policy verify policies/cavra-ai-agent-baseline/policy.yaml --public-key .cavra/policy-signing/community-ga-policy-key.public.pem
```

Policy hardening gives platform and security teams a defensible policy lifecycle. Policies can be validated before rollout, compiled for review, compared semantically, inherited by repository-specific overlays, and verified against tampering after approval.
- As a platform engineer, I can validate all policy packs before rollout.
- As a CISO, I can prove which policy version governed a repository.
- As an auditor, I can compare policy changes by control path.
- As a repository owner, I can inherit enterprise policy while adding stricter local controls.
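The sketch below is an added example, not CAVRA's implementation: it shows how inheritance through `metadata.inherits`, normalized compilation, a tamper-evident digest, and a diff keyed by control path fit together. The pack contents, the `controls` layout, and all function names are assumptions made for illustration.

```python
import hashlib
import json

PACKS = {  # constructed sample packs; only metadata.inherits comes from the page
    "enterprise-baseline": {
        "metadata": {"name": "enterprise-baseline"},
        "controls": {"shell": {"mode": "review"}, "network": {"egress": "allowlist"}},
    },
    "repo-overlay": {
        "metadata": {"name": "repo-overlay", "inherits": "enterprise-baseline"},
        "controls": {"shell": {"mode": "deny"}},
    },
}

def merge(base, overlay):
    """Deep-merge overlay onto base without mutating either; overlay leaves win."""
    out = dict(base)
    for key, value in overlay.items():
        both = isinstance(value, dict) and isinstance(out.get(key), dict)
        out[key] = merge(out[key], value) if both else value
    return out

def compile_pack(name, packs, seen=()):
    """Resolve metadata.inherits recursively; an inheritance cycle is an error."""
    if name in seen:
        raise ValueError("inheritance cycle: " + " -> ".join(seen + (name,)))
    parent = packs[name].get("metadata", {}).get("inherits")
    if parent is None:
        return packs[name]
    return merge(compile_pack(parent, packs, seen + (name,)), packs[name])

def digest(policy):
    """SHA-256 over canonical JSON, so key order and whitespace do not matter."""
    canonical = json.dumps(policy, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def flatten(node, prefix=""):
    """Map every leaf value to its dotted control path."""
    if not isinstance(node, dict):
        return {prefix: node}
    flat = {}
    for key, value in node.items():
        flat.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    return flat

def semantic_diff(old, new):
    """Return {control_path: (old, new)} for every path whose value differs."""
    a, b = flatten(old), flatten(new)
    return {p: (a.get(p), b.get(p)) for p in sorted({**a, **b}) if a.get(p) != b.get(p)}
```

Comparing the digest of the compiled pack at approval time with the digest at enforcement time detects content changes regardless of formatting, and `semantic_diff` reports what changed as control paths rather than as text lines.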
Phase 3: Evidence Hub and Attestation.
Source repository: github.com/Huzefaaa2/cavra