White Paper
AI coding agents are moving from suggestion to execution. They can inspect repositories, modify code, invoke tools, run shell commands, create branches, push commits, open pull requests, use MCP servers, and touch infrastructure. Traditional controls are often too late because they evaluate after code has changed or after a pull request exists.
CAVRA, Controlled Agentic Verification & Runtime Authority, is a runtime governance and authority layer for AI coding agents. Before the agent acts, CAVRA decides.
Enterprises need a decision point between AI coding agents and meaningful engineering actions. CAVRA evaluates what an agent wants to read, write, execute, connect to, approve, merge, or change before execution. It returns a decision, records evidence, and routes risky actions to human approval when required.
Control surfaces CAVRA evaluates include:
- File reads and writes.
- Shell commands.
- Git operations.
- MCP tool calls.
- Terraform/OpenTofu.
- Kubernetes.
- AWS, Azure, and GCP CLI operations.
- CI/CD workflows.
- PR attestation.
- Evidence generation.
- Approval routing.
Terraform/OpenTofu is one supported control surface, not the product boundary.
CAVRA decisions are one of:
- allow
- block
- require_approval
- warn
- audit_only
- allow_with_attestation
Each decision includes agent identity, actor, action type, target, requested operation, policy pack, policy ID, rule ID, severity, reason, evidence references, approver group, timestamp, and correlation ID.
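To make the decision model concrete, the following is an added illustration of a pre-execution gate, not CAVRA's own code: it takes a requested action, matches it against an ordered rule list, and returns a record carrying the fields listed above. The action type names, policy pack and policy ID, rule IDs, approver groups, MCP trust list and evidence reference scheme are all constructed placeholders for the example.

```python
"""Added illustration of a pre-execution decision gate; not CAVRA's own code. Policy
pack, policy ID, rule IDs, approver groups and the MCP trust list are placeholders."""
from __future__ import annotations

import re
import uuid
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable

# The six decision outcomes named in the white paper.
ALLOW, BLOCK, REQUIRE_APPROVAL, WARN, AUDIT_ONLY, ALLOW_WITH_ATTESTATION = (
    "allow", "block", "require_approval", "warn", "audit_only", "allow_with_attestation")
POLICY_PACK, POLICY_ID = "example-baseline", "example-baseline/v1"  # constructed
TRUSTED_MCP_SERVERS = {"mcp://github", "mcp://filesystem"}          # constructed

@dataclass(frozen=True)
class ActionRequest:
    """What the agent wants to do, captured before anything executes."""
    agent_id: str     # agent identity
    actor: str        # human or service account the agent runs as
    action_type: str  # file.read | file.write | shell.exec | git.push | git.pr | mcp.call
    target: str       # path, branch, MCP server URI, ...
    operation: str    # concrete operation, e.g. the shell command line

@dataclass(frozen=True)
class Rule:
    rule_id: str
    decision: str
    severity: str
    reason: str
    matches: Callable[[ActionRequest], bool]
    approver_group: str | None = None  # used only with require_approval

@dataclass
class DecisionRecord:
    """One record per evaluated request, carrying the fields listed above."""
    decision: str
    agent_id: str
    actor: str
    action_type: str
    target: str
    operation: str
    policy_pack: str
    policy_id: str
    rule_id: str
    severity: str
    reason: str
    evidence_refs: list[str]
    approver_group: str | None
    timestamp: str
    correlation_id: str

# Constructed example rules, evaluated in order; the first match wins.
RULES: list[Rule] = [
    Rule("secrets-read", BLOCK, "critical", "secret material must not be read by agents",
         lambda r: r.action_type == "file.read"
         and re.search(r"(^|/)(\.env|[^/]*\.pem|id_rsa)$", r.target) is not None),
    Rule("workspace-read", ALLOW, "low", "ordinary workspace reads are permitted",
         lambda r: r.action_type == "file.read"),
    Rule("shell-destructive", BLOCK, "critical", "destructive or pipe-to-shell command",
         lambda r: r.action_type == "shell.exec"
         and re.search(r"\brm\s+-rf\b|\bcurl\b.*\|\s*(ba)?sh\b", r.operation) is not None),
    Rule("infra-apply", REQUIRE_APPROVAL, "high", "infrastructure change needs a human approver",
         lambda r: r.action_type == "shell.exec"
         and re.search(r"\b(terraform|tofu)\s+apply\b", r.operation) is not None,
         approver_group="platform-oncall"),
    Rule("protected-branch-push", REQUIRE_APPROVAL, "high", "direct push to a protected branch",
         lambda r: r.action_type == "git.push"
         and re.fullmatch(r"main|master|release/.*", r.target) is not None,
         approver_group="release-managers"),
    Rule("mcp-untrusted", WARN, "medium", "MCP server is not in the trust registry",
         lambda r: r.action_type == "mcp.call" and r.target not in TRUSTED_MCP_SERVERS),
    Rule("pr-attestation", ALLOW_WITH_ATTESTATION, "low", "pull requests must carry an attestation",
         lambda r: r.action_type == "git.pr"),
]
DEFAULT_RULE = Rule("default-audit", AUDIT_ONLY, "low", "no rule matched; recorded for audit",
                    lambda r: True)

def evaluate(req: ActionRequest, correlation_id: str | None = None) -> DecisionRecord:
    """Decide before execution: the first matching rule wins, otherwise audit_only."""
    cid = correlation_id or str(uuid.uuid4())
    rule = next((r for r in RULES if r.matches(req)), DEFAULT_RULE)
    return DecisionRecord(
        decision=rule.decision, agent_id=req.agent_id, actor=req.actor,
        action_type=req.action_type, target=req.target, operation=req.operation,
        policy_pack=POLICY_PACK, policy_id=POLICY_ID, rule_id=rule.rule_id,
        severity=rule.severity, reason=rule.reason,
        evidence_refs=[f"evidence://{POLICY_PACK}/{cid}"],  # constructed reference scheme
        approver_group=rule.approver_group if rule.decision == REQUIRE_APPROVAL else None,
        timestamp=datetime.now(timezone.utc).isoformat(),
        correlation_id=cid,
    )

def may_execute_now(record: DecisionRecord) -> bool:
    """Only these outcomes let the agent proceed without waiting on a human."""
    return record.decision in {ALLOW, WARN, AUDIT_ONLY, ALLOW_WITH_ATTESTATION}
```

Calling `evaluate(ActionRequest("agent-01", "alice", "git.push", "main", "push"))` yields a `require_approval` record routed to the `release-managers` group, while a push to a feature branch falls through to `audit_only`; `may_execute_now` is the point where an enforcement hook would either let the tool call through or park it until an approver responds. Ordering matters: the secrets rule sits before the general workspace-read rule so that a broad allow never shadows a narrow block.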
CAVRA uses a dual-plane architecture.
Management plane:
- Python CLI.
- Policy registry.
- Evidence hub.
- Approval router.
- Agent Registry and MCP Trust Registry with JSON/SQLite persistence.
- Activity persistence for sessions and decisions.
- Repository inventory and policy rollout persistence.
- Persistent API backup, restore, and retention operations.
- FastAPI backend.
- Claude Code and MCP adapters.
- Compliance packs.
- Integrations.
Enforcement plane:
- Current Python runtime guard.
- Future Go runtime backend.
- Unix-socket or gRPC interface.
- Local daemon and CI runner mode.
- Air-gapped single-binary deployment.
CAVRA solves:
- Secret exposure.
- Unsafe infrastructure changes.
- Direct protected-branch push.
- Dangerous shell command execution.
- MCP tool sprawl.
- Audit gaps.
- Identity ambiguity.
- Approval bypass.
- Excessive agency.
- Prompt-injection-induced tool misuse.
CAVRA maps AI-agent runtime controls to banking, PCI DSS, HIPAA, SOX, NIST SSDF, ISO 27001, EU AI Act, and OWASP LLM/agentic risk requirements.
CAVRA should become the default governance layer for Claude Code users:

```bash
claude mcp add cavra -- cavra-mcp-server
```

The strategy is simple: make safe adoption easier than ungoverned adoption.
The path to production readiness is:
- Productization foundation.
- Policy engine hardening. This phase is complete and adds schema validation, inheritance, semantic diff, compile output, and policy signature metadata.
- Evidence hub and attestation. This phase is near complete and includes signed evidence, SIEM exports, retention, trust roots, metadata search, and console evidence views.
- Approval router. This phase is complete for the current production-readiness slice and includes approval routing, OIDC/JWKS, repository RBAC, provider delivery, break-glass, and audit views.
- Agent Registry and MCP Trust Registry. This phase is complete for the current production-readiness slice and includes JSON/SQLite registry persistence, agent profiles, MCP capability classification, console views, and registry-backed runtime decisions.
- Console and persistent API. This phase has started with durable sessions, decisions, repository inventory, policy rollout persistence, persistent API backup/restore/retention operations, console Activity Explorer views, and repository/rollout console views. Integrations inventory, policy-pack drill-downs, OIDC-ready console boundaries, and hosted attestation retrieval are next.
- Go enforcement plane.
- Enterprise integrations.
- Public sandbox and growth loop.
- Production readiness and release.
CAVRA is not a prompt filter or static scanner. It is the enterprise runtime authority layer for autonomous engineering.
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?
| Start | Build | Operate | Assure |
|---|---|---|---|
| Quick Start | CLI | Enterprise Guide | AISPM |
| Reader Paths | Policy Syntax | Deployments | Evidence |
| Community | GUI | Troubleshooting | Conclusion |
- Foreword And Reader Paths
- Why CAVRA Exists
- Runtime Authority Model
- Architecture
- Editions
- Install And Deploy
- Community Guide
- Enterprise Guide
- CLI Reference
- GUI And Sandbox
- AISPM Guide
- Policy And Evidence
- Operations And Integrations
- Labs And Use Cases
- Appendices And FAQ
- Policy Language Reference
- Troubleshooting Playbook
- Conclusion