Production Roadmap
The CAVRA roadmap is priority-based, not calendar-based.
Status: complete in PR #1.
Delivered CAVRA identity, CLI, MCP server, Claude Code setup, policy packs, runtime decisions, FastAPI app contract, sandbox, Docker validation, enterprise docs, and CAVRA diagrams.
Status: complete.
Implemented strict policy schema validation, policy inheritance, signature metadata, policy tests, semantic policy diff, and stable compiled policy output.
Status: near complete with governed artifact retrieval and production deployment validation delivered.
Implemented evidence bundle manifests, checksums, HMAC and Ed25519 signatures, trust-root bundles, PR attestation output and verification, SIEM export payloads, compliance reports, retention controls, immutable storage reference exporters, SQLite and JSON evidence metadata search, governed artifact retrieval APIs, API persistence, console API wiring, and idempotent migration automation.
Status: complete for the current production-readiness slice.
Implemented approval request JSON and SQLite persistence, API and CLI approval queue, approve/deny/expire lifecycle state, break-glass override evidence, default routing policies, repository-specific routing files, local claims-based approval authorization, signed OIDC/JWKS validation, repository RBAC policy files, reference notification payloads, credential-free provider request specs, secret-backed live provider delivery with redacted evidence, console approval queue actions, console break-glass creation, approval audit detail views, and approval outcome linkage into evidence and PR attestations.
Next: Go enforcement plane parity scaffold and hosted sandbox deployment workflow.
Status: complete for the current production-readiness slice.
Implemented JSON/SQLite governed agent identities, MCP server trust tiers, owner/capability/approval-state metadata, API and CLI access, default-deny unknown server mode, predefined profiles for Claude Code, Codex, Copilot, Cursor, Gemini CLI, and AWS Q Developer, MCP tool classification for filesystem, shell, network, database, SaaS, cloud, and repository capabilities, console registry views, and registry-backed MCP runtime decisions.
Next: Go enforcement plane parity scaffold and hosted sandbox deployment workflow.
Status: started.
Implemented JSON and SQLite activity persistence for sessions and decisions, API filters for session, agent, repository, policy pack, outcome, severity, and action type, repository inventory and policy rollout JSON/SQLite persistence, repository and rollout API filters, policy rollout detail API and console drill-downs, policy-pack authoring previews, rollout change planning/apply workflows, production deployment validation, integration inventory JSON/SQLite persistence, integration API filters, evidence artifact retrieval and console download views, persistent API store status, backup, restore, retention-plan operations, read-only operations API endpoints, read-only console security boundary reporting, authenticated console session validation, RBAC-enforced console mutations, console Activity Explorer views, and console repository/rollout/integration views.
Next: Go enforcement plane parity scaffold and hosted sandbox deployment workflow.
Implement Go runtime backend, generated protobuf clients, local daemon, CI runner mode, parity tests, and air-gapped binary.
Started with a GitHub required check, reusable GitHub Actions templates, GitLab CI and Azure Pipelines enforcement examples, evidence verification in branch protection, CI evidence artifact upload, approval-bound signed policy publishing, live SIEM/ITSM/ChatOps connector execution hooks, AWS/Azure immutable evidence storage references, and Entra/Okta OIDC-RBAC deployment references.
Next: Go enforcement plane parity scaffold and hosted sandbox deployment workflow.
Deploy a public "Before the Agent Acts" sandbox with real policy decisions and downloadable evidence.
Implement SBOM, signed releases, vulnerability disclosure, security scans, dependency audit, backup/restore docs, upgrade docs, performance tests, and procurement readiness.
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?