Roadmap Status Audit And Next Batch
Status date: 2026-06-04.
This public-safe audit reconciles the current CAVRA roadmap after the private
trial launch closeout chain was completed through cavra-enterprise PR #111
and synchronized publicly in Huzefaaa2/cavra PR #211.
The public Community repository contains only roadmap, boundary, and product documentation. It does not contain Enterprise source code, customer records, customer health records, account records, finance records, billing data, license-service internals, artifact signing internals, production provisioning details, private policy packs, or runtime secrets.
The audit confirms these tracks are complete for the current public/private split:
- public open-core Community and Enterprise boundaries;
- public trial-to-pilot intake, licensing interface, and SaaS Control Plane contracts;
- private trial package readiness and gated trial distribution evidence;
- private trial license issuance, evaluator access, expiry, follow-up, conversion, closeout, renewal, commercialization, launch-readiness, production-observability, release-hardening, release-to-market, post-launch, release-retrospective, and final launch retrospective closeout evidence;
- public-safe sync pages through Trial-Final-Launch-Retrospective-Closeout-Sync.md;
- public tenant onboarding, entitlement, hosted policy registry, tenant-audit-store, billing/subscription, support handoff, SaaS operating automation, and customer operating closeout contracts;
- public Go enforcement parity, release packaging, runner authentication, evidence verification, rollback, recovery, reporting, and auditor export documentation;
- public sandbox, README, roadmap, and wiki-source documentation for the completed tracks.
These roadmap items were previously listed as remaining, but the audit now treats them as delivered for the current scope:
- hosted policy registry readiness and policy-pack catalog operation are documented publicly and backed by private readiness evidence;
- tenant audit-store health, retention posture, and export readiness are documented publicly and backed by private operating evidence;
- private SaaS operating automation for support, customer-success, finance, and commercial closeout has public contract documentation and private operating evidence through the current closeout chain;
- final launch retrospective closeout workflows are delivered in the private repository and publicly synchronized;
- final launch archive synchronization is covered by the private final launch retrospective closeout gate and public-safe sync page.
The project is not yet complete as a mature product. The next maturity themes are:
- production deployment guide validation across install, configuration, storage, backup, restore, CORS/API, and GitHub Pages portal checks is delivered in Production-Deployment-Guide-Validation.
- Go enforcement plane production-path hardening is delivered in Go-Enforcement-Production-Hardening with Unix-socket transport, gRPC boundary planning, air-gapped packaging, reproducibility, upgrade validation, performance smoke, and operational readiness evidence validation.
- Enterprise integration validation remains active for GitHub App/orchestrator production hardening, GitLab/Azure DevOps parity, SAML identity readiness, and SIEM/ITSM workflow evidence.
The first Community GA Control Hardening batch is delivered in public-safe Community code and documentation. It focuses on the public Community core rather than adding more private Enterprise evidence. The goal is to make the free public edition more trustworthy for adoption while preserving the open-core boundary.
Delivered sequence:
- Public policy signing key workflow.
  - Added documented Ed25519 key generation, signing, verification, and failure behavior for policy packs.
  - Keep private customer keys, signing services, HSM/KMS integrations, and Enterprise approval workflows out of the public repo.
- Golden decision snapshot suite.
  - Added stable snapshots for critical file, command, Git, MCP, and attestation decisions across bundled policy packs.
  - Ensure snapshots make regressions visible without including customer policy data.
- Runtime mode hardening.
  - Made audit-only, enforce, strict, and break-glass behavior explicit in CLI/API outputs and evidence examples.
  - Keep Enterprise approval-routing integrations private.
- Production deployment guide validation.
  - Updated the public Community deployment validation guide with policy signing, golden decision, and runtime mode release checks.
- Public docs/wiki sync.
  - Updated README, roadmap, wiki-source pages, and phase logs after the batch completes.
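The sign, verify, and fail-closed shape that the policy signing item above describes, as an added example in Go (the enforcement plane's language); it is not CAVRA's own code, and the PolicyPack type, the digest domain prefix, and the error names are assumptions:

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// PolicyPack is a constructed stand-in for a bundled pack: name, content, detached signature.
type PolicyPack struct {
	Name               string
	Content, Signature []byte
}

// Distinct failure modes so a loader's evidence can tell "unsigned" from "does not verify".
var ErrUnsigned = errors.New("policy pack has no signature")
var ErrBadSig = errors.New("policy pack signature does not verify")

// packDigest binds name and content so a signature cannot be moved to a renamed or edited pack.
func packDigest(name string, content []byte) []byte {
	h := sha256.New()
	h.Write([]byte("cavra-policy-pack\x00" + name + "\x00"))
	h.Write(content)
	return h.Sum(nil)
}

// SignPack attaches a detached Ed25519 signature made with the publisher's private key.
func SignPack(priv ed25519.PrivateKey, p *PolicyPack) {
	p.Signature = ed25519.Sign(priv, packDigest(p.Name, p.Content))
}

// VerifyPack is the load-time gate: fail closed on a missing or invalid signature, else return the hex digest as evidence.
func VerifyPack(pub ed25519.PublicKey, p PolicyPack) (string, error) {
	if len(p.Signature) == 0 {
		return "", ErrUnsigned
	}
	d := packDigest(p.Name, p.Content)
	if !ed25519.Verify(pub, d, p.Signature) {
		return "", ErrBadSig
	}
	return hex.EncodeToString(d), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	p := PolicyPack{Name: "baseline", Content: []byte("deny: rm -rf /\n")}
	SignPack(priv, &p)
	fmt.Println(VerifyPack(pub, p))
}
```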
This batch must not add:
- Enterprise source code;
- customer-specific policy packs;
- private signing keys or KMS identifiers;
- license-service implementation details;
- SaaS backend source;
- private approval-router integrations;
- paid policy pack implementation;
- customer evidence or customer deployment records.
Console closeout operator experience is documented at Console-Closeout-Operator-Experience and enforced by scripts/validate-console-closeout.py.
Community GA user-verifiable path is documented at Community-GA-User-Verifiable-Path and enforced by scripts/validate-community-ga-path.py.
Production deployment guide validation is documented at Production-Deployment-Guide-Validation and enforced by scripts/validate-production-deployment-guide.py.
Go enforcement production hardening is documented at Go-Enforcement-Production-Hardening and enforced by scripts/validate-go-production-hardening.py.
Enterprise integration validation is documented at Enterprise-Integration-Validation and enforced by scripts/validate-enterprise-integration-readiness.py.
Production readiness procurement closeout is documented at Production-Readiness-Procurement-Closeout and enforced by scripts/validate-production-readiness-procurement-closeout.py.
Merge the Community v1.0.0 metadata bump, create the community-v1.0.0 tag from main, build and upload final GitHub Release assets, then record final checksums, provenance, verifier defaults, and post-publication verification.