Textbook 06 Community Edition User Guide
Community Edition is the public, local-first way to learn and use CAVRA. It is suitable for demonstrations, repository-level governance, policy authoring, evidence experiments, and public-safe AISPM exploration.
Community users can:
- Evaluate proposed file, command, Git, or tool actions.
- Use starter policy packs.
- List, validate, test, explain, sign, and verify policies.
- Create and process approval records.
- Generate evidence bundles.
- Verify evidence and PR attestations.
- Register agents and MCP servers.
- Run the sandbox GUI.
- Explore public-safe AISPM posture and report center views.
Run:
```bash
cavra evaluate write_file iam/admin-role.tf --json
```

Review the output. The important fields are the action, resource, decision, reasons, policy references, and evidence expectations. If the action requires approval, create an approval request:

```bash
cavra approval create /tmp/cavra-decision.json --requested-by developer
```

Approve or deny it:

```bash
cavra approval approve apr_123 --actor platform-security --reason "Scoped IAM change reviewed"
cavra approval deny apr_123 --actor platform-security --reason "Missing rollback plan"
```

Goal: stop an agent from bypassing pull request review.
```bash
cavra evaluate git_operation origin/main --json
```

Expected behavior: the starter policy blocks direct push to protected branches. In a CI/CD path, the same control should become a required check that verifies CAVRA evidence before merge.

Next, route normal work through a pull request and evidence path:

```bash
cavra evidence bundle --output .cavra/evidence/pr-123
cavra evidence verify .cavra/evidence/pr-123
```

Use this tutorial when you want a developer to understand the simplest CAVRA rule: agents can help, but they should not bypass the protected delivery path.
Goal: separate safe command exploration from dangerous execution.
```bash
cavra evaluate execute_command "terraform plan" --json
cavra evaluate execute_command "terraform apply -auto-approve" --json
cavra evaluate execute_command "kubectl delete namespace production" --json
```

Expected behavior: low-risk planning commands are allowed or recorded, while destructive or auto-approved production commands are blocked or routed for approval, depending on the policy pack.
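As an added example that is not CAVRA's own engine, policy format or field names (all of which are hypothetical here), a miniature model of the command-risk rule above, with a rollout mode and the kind of policy tests a reviewer runs before a pack is signed and trusted:

```python
import fnmatch
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    pattern: str   # shell-style glob over the full command line (hypothetical format)
    decision: str  # "allow", "require_approval" or "block"
    reason: str

# Constructed rules mirroring the tutorial: planning is allowed, auto-approved applies
# need a human, deleting a production namespace is blocked. First match wins, so the
# most specific rules come first; anything unmatched fails closed to approval.
STARTER_RULES = [
    Rule("kubectl delete namespace production*", "block", "destructive production change"),
    Rule("terraform apply*-auto-approve*", "require_approval", "apply without plan review"),
    Rule("terraform plan*", "allow", "read-only planning"),
]
DEFAULT = Rule("*", "require_approval", "no matching rule; fail closed")

def evaluate(command: str, rules=STARTER_RULES, mode: str = "enforce") -> dict:
    """Return a decision record for one command. In 'monitor' rollout mode nothing
    is blocked: the would-be decision is recorded so a pack can be observed on real
    traffic before enforcement is switched on."""
    rule = next((r for r in rules if fnmatch.fnmatchcase(command, r.pattern)), DEFAULT)
    record = {"action": "execute_command", "resource": command,
              "decision": rule.decision, "reasons": [rule.reason], "mode": mode}
    if mode == "monitor" and rule.decision != "allow":
        record["would_be"] = rule.decision
        record["decision"] = "allow"
    return record

# Policy tests: expectations a reviewer checks before the pack is signed and trusted.
POLICY_TESTS = {
    "terraform plan": "allow",
    "terraform apply -auto-approve": "require_approval",
    "kubectl delete namespace production": "block",
    "rm -rf /": "require_approval",  # unknown commands must fail closed
}

def run_policy_tests(rules=STARTER_RULES) -> list:
    """Return (command, expected, actual) for every failing expectation; [] is a pass."""
    return [(cmd, want, got) for cmd, want in POLICY_TESTS.items()
            if (got := evaluate(cmd, rules)["decision"]) != want]

if __name__ == "__main__":
    failures = run_policy_tests()
    print("policy tests:", "PASS" if not failures else failures)
    print(evaluate("kubectl delete namespace production", mode="monitor"))
```

Dropping the production rule from the pack makes `run_policy_tests` report the mismatch, which is the check that should gate `cavra policy sign`.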
Goal: prove that policy, approval, and evidence are connected.
```bash
cavra evidence generate-keypair
cavra evidence trust-root .cavra/keys/evidence-ed25519-public.pem --key-id local-evidence-key
cavra evidence bundle --output .cavra/evidence/compliance-demo --classification regulated-sdlc --private-key .cavra/keys/evidence-ed25519-private.pem --key-id local-evidence-key
cavra evidence verify .cavra/evidence/compliance-demo --trust-root .cavra/keys/evidence-trust-root.json
```

The bundle can feed CI/CD checks, local review, SIEM export experiments, and AISPM posture samples.
Community policy work normally follows this path:
```bash
cavra policy list
cavra policy validate
cavra policy test
cavra policy explain
cavra policy sign
cavra policy verify
```

Policies should be treated like code. They need review, tests, signing, and clear rollout modes.
Start by copying or initializing a starter policy:
```bash
cavra policy init --destination .cavra/policy.yaml
cavra policy validate .cavra/policy.yaml
cavra policy test --policy-pack cavra-ai-agent-baseline
```

Then explain decisions before changing enforcement:

```bash
cavra policy explain execute_command "terraform apply -auto-approve"
cavra policy explain write_file iam/admin-role.tf
```

Evidence allows users and automation systems to prove that a decision occurred and that the expected enforcement path was used.
```bash
cavra evidence generate-keypair --private-key .cavra/keys/evidence-private.pem --public-key .cavra/keys/evidence-public.pem
cavra evidence bundle --output .cavra/evidence/latest --key "$CAVRA_EVIDENCE_SIGNING_KEY"
cavra evidence verify .cavra/evidence/latest --trust-root .cavra/keys/evidence-trust-roots.json
cavra evidence verify-attestation .cavra/evidence/latest
```

The sandbox is the fastest way to understand CAVRA visually:
- Open the Dashboard.
- Run the "Before the Agent Acts" scenario.
- Review decisions and blocked actions.
- Open Evidence.
- Open AI Posture.
- Export public-safe report or readiness packets.

Community Edition intentionally avoids storing private enterprise tenant data, live production connector credentials, or paid enterprise source. When you need SSO, RBAC, tenant isolation, private policy packs, live production connectors, production report delivery, and live AISPM ingestion, move to the Enterprise evaluation path.
- Which Community workflow proves a risky change was evaluated before it happened?
- Why should policy tests be run before a policy pack is trusted?
- Which Enterprise requirements are intentionally outside Community Edition?
Read Enterprise Edition User Guide if you need organization-wide controls, or CAVRA CLI Command Reference if you want deeper command coverage first.
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?