Textbook 07 Enterprise Edition User Guide
Enterprise Edition extends CAVRA from local governance into organization-wide agentic control. It is intended for platform security, application security, cloud security, release engineering, compliance, and executive reporting teams.
Enterprise operators manage:
- Tenant identity and isolation.
- SSO and RBAC.
- Private policy packs.
- Live connector credentials.
- Approval routing.
- Runtime workflow enforcement.
- Evidence storage and retention.
- AISPM live ingestion.
- Report delivery.
- Pilot and production readiness gates.
A production tenant needs:
- Tenant ID and display name.
- SSO provider configuration.
- RBAC role mappings.
- Repository and environment inventory.
- Policy pack assignment.
- Evidence store path or provider.
- Connector configuration.
- Report delivery recipients.
- Operating contacts and escalation routes.
See Tenant Onboarding Contract, Tenant Audit Store Operating Contract, and Entitlement Status Contract.
An Enterprise evaluation should not start with every possible feature. Start with one tenant, one repository, one high-risk workflow, one connector path, and one report recipient group.
- Create or select the evaluation tenant.
- Assign evaluator, security reviewer, operator, and report-recipient roles.
- Attach a policy pack to one repository or workflow.
- Run a governed agent workflow that attempts file, command, Git, and MCP activity.
- Route one approval and one denied action.
- Generate evidence and ingest it into AISPM.
- Deliver one report through the configured SMTP/provider path.
- Confirm the readiness packet has no blockers before expanding scope.
This keeps the evaluation measurable. The question is not "does the dashboard look complete?" The question is "did real runtime authority, evidence, report delivery, and tenant isolation work end to end?"
Enterprise Trial access starts at the public approved-access portal:
https://cavra-trial.mind-ops.cloud
The evaluator submits a business email, GitHub username, company role, and evaluation goal. A CAVRA trial operator reviews the request. Approved evaluators receive private package entitlement and one-time, time-limited license material through a controlled channel.
Use the trial license only inside the approved evaluation boundary:
- Store license material in the protected location described by the approval handoff.
- Configure private package access through the approved channel.
- Run the supplied license validation step before any Enterprise workflow.
- Keep evidence from the trial in the approved evidence room or evaluator archive.
- Close the evaluation by confirming license expiry or revocation, package access removal, feedback, blockers, and pilot decision.
Use CAVRA Trial Field Guide as the working handbook. The guide gives trial users a complete proof-of-value use case: pick one repository or workflow, govern one risky AI-agent action, route one approval, generate evidence, review AISPM/report output, and close out the trial cleanly.
Enterprise connectors can deliver or retrieve evidence, tickets, alerts, reports, and operating records. Typical connector families include:
- SIEM.
- ITSM.
- ChatOps.
- SMTP or report delivery provider.
- GitHub, GitLab, Azure DevOps, and CI/CD systems.
- Cloud and endpoint inventory systems.
- Private queues or internal webhooks.
Connector configuration must never place secrets in source control: read credentials from environment variables, a secret store, or deployment-level secret management, and make sure connector and provider logs do not echo them.
Enterprise report delivery normally requires:
- SMTP or report-provider host, port, TLS setting, and sender identity.
- Recipient policies for security, compliance, executive, and operator reports.
- Delivery audit event storage.
- Retry and escalation policy.
- Redaction policy for report content and provider logs.
- Evidence that at least one validation report was delivered successfully.
Treat report delivery as a production control. A generated report that never reaches the right reviewer is not operationally complete.
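The delivery path described above, as an added example that is not CAVRA's own code (the page does not name the product's language, so Python is assumed). It reads SMTP settings from environment variables rather than source control, refuses plaintext SMTP, redacts secret-looking strings from both the report body and the provider's error messages, retries a fixed number of times, escalates on final failure, and records one delivery audit event per report. The environment variable names, redaction patterns, audit fields and the `escalate` callback are this example's assumptions.

```python
import os
import re
import smtplib
import ssl
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.message import EmailMessage
from typing import Callable, List, Mapping, Optional

# Env-var names are assumptions for this example; CAVRA's real settings are not on the page.
REQUIRED_ENV = ("CAVRA_SMTP_HOST", "CAVRA_SMTP_USER", "CAVRA_SMTP_PASSWORD", "CAVRA_REPORT_SENDER")


def smtp_config_from_env(env: Mapping[str, str] = os.environ) -> dict:
    """Read SMTP settings from the environment so no credential lives in source control."""
    missing = [k for k in REQUIRED_ENV if not env.get(k)]
    if missing:
        raise RuntimeError(f"missing SMTP settings: {missing}")
    tls_mode = env.get("CAVRA_SMTP_TLS", "starttls").lower()
    if tls_mode not in ("starttls", "implicit"):
        raise RuntimeError("refusing plaintext SMTP; set CAVRA_SMTP_TLS to starttls or implicit")
    return {"host": env["CAVRA_SMTP_HOST"], "port": int(env.get("CAVRA_SMTP_PORT", "587")),
            "tls_mode": tls_mode, "user": env["CAVRA_SMTP_USER"],
            "password": env["CAVRA_SMTP_PASSWORD"], "sender": env["CAVRA_REPORT_SENDER"]}


# Assumed redaction rules: bearer tokens, key=value style secrets, GitHub-style PATs.
REDACT_PATTERNS = [
    (re.compile(r"(?i)(bearer\s+)[A-Za-z0-9._\-]+"), r"\1[REDACTED]"),
    (re.compile(r"(?i)(api[_-]?key|token|password)(\s*[:=]\s*)\S+"), r"\1\2[REDACTED]"),
    (re.compile(r"ghp_[A-Za-z0-9]{20,}"), "[REDACTED]"),
]


def redact(text: str) -> str:
    """Applied to report bodies and to provider error text before either is stored."""
    for pattern, repl in REDACT_PATTERNS:
        text = pattern.sub(repl, text)
    return text


@dataclass
class DeliveryAudit:
    """One audit event per report; the fields are this example's own."""
    report_id: str
    recipients: List[str]
    attempts: int = 0
    outcome: str = "pending"  # delivered | failed | escalated
    errors: List[str] = field(default_factory=list)
    timestamp: str = ""


Transport = Callable[[EmailMessage], None]


def smtp_transport(cfg: dict) -> Transport:
    """Production transport: certificate-verifying TLS, STARTTLS or implicit, then AUTH."""
    def send(msg: EmailMessage) -> None:
        ctx = ssl.create_default_context()
        if cfg["tls_mode"] == "implicit":
            with smtplib.SMTP_SSL(cfg["host"], cfg["port"], context=ctx) as s:
                s.login(cfg["user"], cfg["password"])
                s.send_message(msg)
        else:
            with smtplib.SMTP(cfg["host"], cfg["port"]) as s:
                s.starttls(context=ctx)
                s.login(cfg["user"], cfg["password"])
                s.send_message(msg)
    return send


def deliver_report(report_id: str, subject: str, body: str, sender: str, recipients: List[str],
                   transport: Transport, audit_log: List[DeliveryAudit], max_attempts: int = 3,
                   escalate: Optional[Callable[[DeliveryAudit], None]] = None) -> DeliveryAudit:
    """Deliver with retry; every outcome, including final failure, is recorded and returned."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(redact(body))
    audit = DeliveryAudit(report_id=report_id, recipients=list(recipients))
    for attempt in range(1, max_attempts + 1):
        audit.attempts = attempt
        try:
            transport(msg)
            audit.outcome = "delivered"
            break
        except Exception as exc:  # provider errors can echo credentials, so redact them too
            audit.errors.append(redact(f"attempt {attempt}: {exc}"))
    else:
        audit.outcome = "failed"
        if escalate is not None:
            escalate(audit)
            audit.outcome = "escalated"
    audit.timestamp = datetime.now(timezone.utc).isoformat()
    audit_log.append(audit)
    return audit
```

The transport is injected so the same retry, redaction and audit logic can be exercised against a fake in a test; `smtp_transport(smtp_config_from_env())` is what a production job would pass in.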
Before production, Enterprise users must run validators against real workflows:
- Live ingestion.
- Streaming.
- Connector delivery.
- Tenant isolation.
- SMTP or provider report delivery.
- Agent and tool workflows.
- Runtime control enforcement.
- AISPM production readiness gate.
The production completion condition is a final readiness packet that returns `ready_for_aispm_production: true` and lists no blockers.
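A tenant-isolation validator of the kind listed above, added here as an example and not taken from CAVRA (Python assumed; the class and field names are this example's own). It pairs a store whose reads check the caller's tenant before any lookup with a deliberately leaky variant, then drives every (actor tenant, target tenant, resource kind) combination across the four resource kinds the readiness table names, recording each verdict as a row of evidence a reviewer can trace.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The four resource kinds come from the readiness table; everything else is assumed.
RESOURCE_KINDS = ("evidence", "policy", "report", "connector")


@dataclass(frozen=True)
class Principal:
    subject: str
    tenant_id: str  # bound at SSO login, never taken from the request


class AccessDenied(Exception):
    pass


class TenantStore:
    """Every object is keyed by (tenant_id, kind, id). Reads compare tenants before any
    lookup, so a foreign tenant cannot even use the error to probe for existence."""

    def __init__(self) -> None:
        self._objects: Dict[Tuple[str, str, str], dict] = {}

    def put(self, actor: Principal, kind: str, obj_id: str, payload: dict) -> None:
        self._check_kind(kind)
        # The owning tenant is taken from the actor, so a caller cannot write into another tenant.
        self._objects[(actor.tenant_id, kind, obj_id)] = payload

    def get(self, actor: Principal, tenant_id: str, kind: str, obj_id: str) -> dict:
        self._check_kind(kind)
        if actor.tenant_id != tenant_id:
            raise AccessDenied(f"{actor.subject} ({actor.tenant_id}) -> {tenant_id}/{kind}/{obj_id}")
        if (tenant_id, kind, obj_id) not in self._objects:
            raise AccessDenied(f"{kind}/{obj_id} not found in {tenant_id}")
        return self._objects[(tenant_id, kind, obj_id)]

    @staticmethod
    def _check_kind(kind: str) -> None:
        if kind not in RESOURCE_KINDS:
            raise AccessDenied(f"unknown resource kind {kind!r}")


class LeakyStore(TenantStore):
    """Deliberately broken: trusts the tenant_id supplied in the request.
    Present only so the validator below has a failure to catch."""

    def get(self, actor: Principal, tenant_id: str, kind: str, obj_id: str) -> dict:
        return self._objects[(tenant_id, kind, obj_id)]


def validate_tenant_isolation(store: TenantStore, tenants: List[str]):
    """Seed one object per kind per tenant, then probe every (actor tenant, target tenant,
    kind) combination. Same-tenant reads must succeed; every cross-tenant read must be
    denied. Returns (passed, rows); rows is the evidence behind the verdict."""
    actors = {t: Principal(subject=f"probe@{t}", tenant_id=t) for t in tenants}
    for t, actor in actors.items():
        for kind in RESOURCE_KINDS:
            store.put(actor, kind, f"{kind}-1", {"owner": t})
    rows = []
    for src, actor in actors.items():
        for dst in tenants:
            for kind in RESOURCE_KINDS:
                try:
                    store.get(actor, dst, kind, f"{kind}-1")
                    outcome = "allowed"
                except AccessDenied:
                    outcome = "denied"
                expected = "allowed" if src == dst else "denied"
                rows.append({"actor_tenant": src, "target_tenant": dst, "kind": kind,
                             "outcome": outcome, "expected": expected, "ok": outcome == expected})
    return all(r["ok"] for r in rows), rows
```

Run the validator against the real Enterprise store rather than a fixture: a pass only counts as readiness evidence when the probes went through the same access path that live tenants use.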
Azure Enterprise deployment is operated from the private Huzefaaa2/cavra-enterprise repository. The workflow set deploys the Trial portal, Trial front door, Enterprise control plane, authenticated operator UI, connector jobs, and final AISPM production readiness gate.

The Azure architecture uses Container Apps or AKS, Static Web Apps or App Service, Azure Container Registry, Key Vault, Azure SQL or PostgreSQL, immutable Blob Storage, Service Bus or Event Grid, Front Door/WAF, Private Endpoints, Monitor, and Application Insights.

Use Azure Trial And Enterprise Deployment for the public-safe operator map. Production launch is not complete until the final private readiness packet returns `ready_for_aispm_production: true` with no blockers.
| Area | Ready signal |
|---|---|
| Tenant isolation | Cross-tenant evidence, policy, report, and connector access is denied. |
| SSO/RBAC | Role mappings match evaluator, reviewer, operator, and executive responsibilities. |
| Runtime workflow | Real agent/tool activity passes through CAVRA rather than only fixture payloads. |
| Connectors | Delivery succeeds or fails with auditable retry evidence. |
| AISPM | Findings, coverage, reports, and blockers are traceable to source evidence. |
| Report delivery | Validation report is delivered to approved recipients and recorded. |
| Production gate | Final readiness packet returns ready with no blockers. |
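How the final readiness packet and its gate might fit together, as an added example rather than CAVRA's own packet format: only the `ready_for_aispm_production` key and the notion of blockers come from the page; the area keys, the `source` and `evidence` fields, and the rest of the layout are assumptions (Python assumed). The ready flag is derived from the blocker list instead of being set by hand, fixture-only and unevidenced results become blockers, and the launch gate rejects a packet that claims ready while still listing blockers or while missing an area.

```python
import json
from datetime import datetime, timezone

# Area keys follow the readiness table above; their spelling is this example's assumption.
REQUIRED_AREAS = ("tenant_isolation", "sso_rbac", "runtime_workflow",
                  "connectors", "aispm", "report_delivery")


class GateError(Exception):
    pass


def build_readiness_packet(results: dict) -> dict:
    """results maps area -> {"passed": bool, "source": "live" | "fixture",
    "evidence": "<reference>", "detail": "..."}. A required area that is missing,
    fixture-only, unevidenced or failed becomes a blocker; the ready flag follows."""
    blockers = []
    for area in REQUIRED_AREAS:
        r = results.get(area)
        if r is None:
            blockers.append({"area": area, "reason": "validator not run"})
            continue
        if r.get("source") != "live":
            blockers.append({"area": area, "reason": "validated against fixture payloads only"})
        if not r.get("evidence"):
            blockers.append({"area": area, "reason": "verdict not traceable to source evidence"})
        if not r.get("passed"):
            blockers.append({"area": area, "reason": r.get("detail") or "validator failed"})
    return {
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "areas": dict(results),
        "blockers": blockers,
        "ready_for_aispm_production": len(blockers) == 0,
    }


def assert_production_ready(packet: dict) -> None:
    """Launch gate: raises unless the packet is flagged ready, lists no blockers and
    covers every required area. Ready-with-blockers is treated as an inconsistent
    (edited or truncated) packet, never as ready."""
    flag = packet.get("ready_for_aispm_production")
    blockers = packet.get("blockers", [])
    if flag is True and blockers:
        raise GateError("inconsistent packet: ready_for_aispm_production is true but blockers are listed")
    missing = [a for a in REQUIRED_AREAS if a not in packet.get("areas", {})]
    if missing:
        raise GateError(f"packet does not cover required areas: {missing}")
    if flag is not True:
        reasons = "; ".join(f"{b['area']}: {b['reason']}" for b in blockers) or "ready flag not true"
        raise GateError("not ready for production: " + reasons)


def is_production_ready(packet: dict) -> bool:
    """Boolean form of the gate for callers that only need a pass/fail."""
    try:
        assert_production_ready(packet)
        return True
    except GateError:
        return False


def load_packet(text: str) -> dict:
    """Parse a serialized packet (for example the file a CI job reads) and insist on an object."""
    packet = json.loads(text)
    if not isinstance(packet, dict):
        raise GateError("packet is not a JSON object")
    return packet


def sample_results(**overrides) -> dict:
    """Constructed sample input for this example: every area live, passed and evidenced."""
    base = {a: {"passed": True, "source": "live", "evidence": f"evidence://{a}/run-1"}
            for a in REQUIRED_AREAS}
    base.update(overrides)
    return base
```

The gate fails closed: a CI job that calls `assert_production_ready(load_packet(open(path).read()))` stops the launch on a missing file, malformed JSON, a missing area, any blocker, or a flag that was edited to `true` by hand.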
After launch, Enterprise teams should use recurring operating reviews:
- Weekly posture review.
- Open finding review.
- Approval and exception review.
- Report delivery audit.
- Tenant isolation audit.
- Connector health review.
- Security advisory drill.
- Production readiness archive closeout.
These reviews are described through the product contract pages and preserved historical records in Development And Testing Artifacts.
- Why is synthetic validation not enough for Enterprise production readiness?
- What must report delivery prove beyond packet generation?
- Which recurring review would catch stale evidence or connector drift?
Read CAVRA CLI Command Reference for command-level operation, then AISPM Guide for posture and reporting.
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?