Repository Policy Rollout
Phase 6 now persists repository scope and policy rollout status for the CAVRA console and API.
CAVRA tracks governed repositories and the policies applied to them through JSON or SQLite stores. This gives platform, security, and audit teams a durable view of which repositories are active, who owns them, which policy pack is assigned, how risky the repository is, and whether the rollout is planned, active, paused, or retired.
Repository inventory:
- `GET /repositories`
- `POST /repositories`
- `GET /repositories/{repository_id}`
Policy rollout:
- `GET /policy-rollouts`
- `POST /policy-rollouts`
- `GET /policy-rollouts/{rollout_id}`
- `GET /policy-rollout-details/{rollout_id}`
Supported repository filters are provider, owner, policy_pack, status, and risk_tier.
Supported rollout filters are repository, policy_pack, state, mode, and owner.
Default JSON store:

```text
.cavra/api/inventory.json
```

Override the JSON location:

```shell
export CAVRA_INVENTORY_STORE=.cavra/api/inventory.json
```

Use SQLite:

```shell
export CAVRA_INVENTORY_DB=.cavra/api/inventory.db
cavra evidence migrate --sqlite .cavra/api/inventory.db
```

The migration `005_repository_policy_rollout.sql` creates `inventory_repositories` and `inventory_policy_rollouts` with indexes for the common console and API filters.
The sandbox console now includes repository and rollout views. It can run with bundled sample data or use the API when /console/config exposes the repositories and policy_rollouts endpoints.
Operators can filter repositories by owner, policy pack, and risk tier. They can filter rollout records by state and mode to find active enforcement, planned rollouts, paused policy deployments, or break-glass exceptions. The rollout detail view joins rollout state with repository ownership, policy pack metadata, matching decision activity, integration readiness, and rollout readiness checks.
Rollout changes can now be previewed through POST /policy-rollouts/change-plan and applied through POST /policy-rollouts/apply-change. Plans show before/after state, changed fields, risk level, approval requirement, and operator notes. The console includes a Policy Authoring and Rollout Changes section for draft policy preview and rollout transition workflows.
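The shape of a change plan described above, as an added illustration rather than CAVRA's own code: the field names, the risk rules (enforcement or break-glass is high risk, pausing or retiring an active rollout is medium), the approval threshold and the sample record are all assumptions made for this example.

```python
STATES = {"planned", "active", "paused", "retired"}
MODES = {"audit-only", "enforcement", "break-glass"}
MUTABLE = {"state", "mode", "policy_pack", "owner"}  # assumed editable fields


def build_change_plan(current: dict, changes: dict, note: str = "") -> dict:
    """Preview a rollout transition; rejects bad input before any apply step."""
    unknown = set(changes) - MUTABLE
    if unknown:
        raise ValueError(f"fields not allowed in a change plan: {sorted(unknown)}")
    after = {**current, **changes}
    if after["state"] not in STATES or after["mode"] not in MODES:
        raise ValueError(f"invalid state/mode: {after['state']!r}/{after['mode']!r}")
    # Only fields whose value actually differs count as changed.
    changed = sorted(k for k in changes if current.get(k) != after[k])
    # Assumed risk rules: switching on enforcement or a break-glass exception is
    # high risk; pausing or retiring an active rollout is medium; anything else low.
    if "mode" in changed and after["mode"] in {"enforcement", "break-glass"}:
        risk = "high"
    elif current["state"] == "active" and after["state"] in {"paused", "retired"}:
        risk = "medium"
    else:
        risk = "low"
    return {
        "rollout_id": current["rollout_id"],
        "before": {k: current[k] for k in changed},
        "after": {k: after[k] for k in changed},
        "changed_fields": changed,
        "risk_level": risk,
        "approval_required": risk != "low",  # assumed: above-low risk needs sign-off
        "operator_notes": note,
    }


# Constructed sample rollout record, not real inventory data.
SAMPLE_ROLLOUT = {
    "rollout_id": "ro-0001",
    "repository": "acme/payments-api",
    "policy_pack": "baseline-v1",
    "state": "active",
    "mode": "audit-only",
    "owner": "platform-team",
}

if __name__ == "__main__":
    import json
    plan = build_change_plan(SAMPLE_ROLLOUT, {"mode": "enforcement"}, "phase 6 go-live")
    print(json.dumps(plan, indent=2))
```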
- As a CISO, I can see which repositories are governed and which policy pack protects each one.
- As a platform engineer, I can track rollout state before moving repositories from audit-only to enforcement.
- As an auditor, I can connect repository policy coverage to evidence references and decision records.
Enterprises adopting AI coding agents need a central answer to: which repositories are governed, who owns them, what policy mode is active, and where the audit evidence is stored. Repository inventory and policy rollout persistence turn CAVRA from isolated runtime checks into an operational control plane that can support rollout governance, audit readiness, and phased adoption.
The next recommended step is provider-native OIDC token acquisition helpers and production key custody documentation.