Repository Policy Rollout
Huzefaaa2 edited this page May 21, 2026
·
30 revisions
Phase 6 now includes durable repository scope and policy rollout visibility.
- JSON and SQLite persistence for governed repositories.
- JSON and SQLite persistence for policy rollout records.
- API filters for owner, policy pack, status, risk tier, rollout state, rollout mode, and repository.
- Console views for repository inventory, rollout progress, and rollout detail.
- Rollout change planning and apply workflows.
- Evidence references so rollout records can point back to CAVRA decisions, bundles, or attestations.
Configure JSON persistence:

```bash
export CAVRA_INVENTORY_STORE=.cavra/api/inventory.json
```

Configure SQLite persistence:

```bash
export CAVRA_INVENTORY_DB=.cavra/api/inventory.db
cavra evidence migrate --sqlite .cavra/api/inventory.db
```

Create or update repository inventory:

```bash
curl -X POST http://127.0.0.1:8000/repositories \
  -H 'content-type: application/json' \
  -d '{"repository":"payments/api","owner":"payments-platform","policy_pack":"cavra-banking-baseline","risk_tier":"regulated","status":"active"}'
```

Create or update policy rollout state:

```bash
curl -X POST http://127.0.0.1:8000/policy-rollouts \
  -H 'content-type: application/json' \
  -d '{"repository":"payments/api","policy_pack":"cavra-banking-baseline","mode":"strict","state":"active","coverage_percent":100}'
```

Preview and apply rollout changes:

```bash
curl -X POST http://127.0.0.1:8000/policy-rollouts/change-plan \
  -H 'content-type: application/json' \
  -d '{"rollout_id":"payments-api-banking","repository":"payments/api","policy_pack":"cavra-banking-baseline","mode":"strict","state":"active","coverage_percent":100}'
```

- As a CISO, I can see which repositories are protected by which policy pack.
- As a platform engineer, I can track rollout mode before moving teams from audit-only to enforcement.
- As an auditor, I can map policy coverage to evidence references and persisted decision records.
Large enterprises cannot govern AI coding agents repository by repository through spreadsheets. CAVRA now provides an API-backed inventory and rollout view so repository coverage, ownership, risk, and enforcement mode can be inspected centrally.
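The kind of central check this inventory makes possible, as an added example that is not CAVRA's own code: it joins repository records with rollout records and lists regulated repositories that are not yet under full strict enforcement. Field names are taken from the request bodies above; the sample records, the `audit-only` and `standard` values, and the `coverage_gaps` helper are assumptions made for illustration.

```python
# Added example, not CAVRA code. Records are constructed samples shaped like
# the POST bodies on this page; "audit-only" and "standard" are assumed values.
PACK = "cavra-banking-baseline"
REPOSITORIES = [
    {"repository": "payments/api", "owner": "payments-platform",
     "policy_pack": PACK, "risk_tier": "regulated", "status": "active"},
    {"repository": "payments/ledger", "owner": "payments-platform",
     "policy_pack": PACK, "risk_tier": "regulated", "status": "active"},
    {"repository": "payments/batch", "owner": "payments-platform",
     "policy_pack": PACK, "risk_tier": "regulated", "status": "active"},
    {"repository": "payments/gateway", "owner": "payments-platform",
     "policy_pack": PACK, "risk_tier": "regulated", "status": "active"},
    {"repository": "web/docs", "owner": "docs-team",
     "policy_pack": PACK, "risk_tier": "standard", "status": "active"},
]
ROLLOUTS = [
    {"repository": "payments/api", "policy_pack": PACK,
     "mode": "strict", "state": "active", "coverage_percent": 100},
    {"repository": "payments/ledger", "policy_pack": PACK,
     "mode": "audit-only", "state": "active", "coverage_percent": 100},
    {"repository": "payments/gateway", "policy_pack": PACK,
     "mode": "strict", "state": "active", "coverage_percent": 60},
]

def coverage_gaps(repositories, rollouts, tier="regulated"):
    """Return (repository, reason) for active repos in `tier` not fully enforced."""
    # A rollout only counts if it is for the policy pack the inventory assigns.
    by_key = {(r["repository"], r["policy_pack"]): r for r in rollouts}
    gaps = []
    for repo in repositories:
        if repo.get("status") != "active" or repo.get("risk_tier") != tier:
            continue
        rollout = by_key.get((repo["repository"], repo["policy_pack"]))
        if rollout is None:
            reason = "no rollout record for assigned policy pack"
        elif rollout.get("state") != "active":
            reason = f"rollout state is {rollout.get('state')!r}"
        elif rollout.get("mode") != "strict":
            reason = f"mode is {rollout.get('mode')!r}, not 'strict'"
        elif rollout.get("coverage_percent", 0) < 100:
            reason = f"coverage is {rollout.get('coverage_percent', 0)}%"
        else:
            continue
        gaps.append((repo["repository"], reason))
    return gaps

if __name__ == "__main__":
    for name, why in coverage_gaps(REPOSITORIES, ROLLOUTS):
        print(f"{name}: {why}")
```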
The next recommended work is continued release-governance record parity as new evidence metadata kinds are added.
CAVRA Field Compass
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?
Textbook home: Before the Agent Acts
Development archive: development and testing artifacts
Source repository: github.com/Huzefaaa2/cavra