White Paper
AI coding agents are moving from suggestion to execution. They can inspect repositories, modify code, invoke tools, run shell commands, create branches, push commits, open pull requests, use MCP servers, and touch infrastructure. Traditional controls are often too late because they evaluate after code has changed or after a pull request exists.
CAVRA, Controlled Agentic Verification & Runtime Authority, is a runtime governance and authority layer for AI coding agents. Before the agent acts, CAVRA decides.
The current implementation also establishes the controlled path to low-latency enforcement. Python remains authoritative, while a bounded Go scaffold verifies critical decision parity in CI before any future promotion to local daemon, CI runner, or air-gapped binary enforcement.
Enterprises need a decision point between AI coding agents and meaningful engineering actions. CAVRA evaluates what an agent wants to read, write, execute, connect to, approve, merge, or change before execution. It returns a decision, records evidence, and routes risky actions to human approval when required. Governed action types include:
- File reads and writes.
- Shell commands.
- Git operations.
- MCP tool calls.
- Infrastructure-as-code tools.
- Kubernetes.
- AWS, Azure, and GCP CLI operations.
- CI/CD workflows.
- PR attestation.
- Evidence generation.
- Approval routing.
CAVRA decisions are:
- `allow`
- `block`
- `require_approval`
- `warn`
- `audit_only`
- `allow_with_attestation`
Each decision includes agent identity, actor, action type, target, requested operation, policy pack, policy ID, rule ID, severity, reason, evidence references, approver group, timestamp, and correlation ID.
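The following is an added illustration, not CAVRA's own code, of the two mechanisms described above: a pre-action authority check that returns one of the six decision values together with the record fields listed (agent identity, actor, action type, target, requested operation, policy pack, policy ID, rule ID, severity, reason, evidence references, approver group, timestamp, correlation ID), and a parity check of the kind the Go scaffold is said to run in CI, where a second engine must reproduce the authoritative engine's decision and rule ID for a fixture set. The policy pack, rule IDs, regex patterns, agent names and fixture requests are all constructed for this example and do not correspond to CAVRA's policy language.

```python
"""Added example (not CAVRA's code): minimal runtime authority decision plus parity fixtures."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Callable, List, Optional
import hashlib
import json
import re
import uuid

DECISIONS = ("allow", "block", "require_approval", "warn", "audit_only", "allow_with_attestation")


@dataclass
class ActionRequest:
    agent_id: str
    actor: str
    action_type: str   # constructed vocabulary: "file_read", "shell", "git", "mcp_tool"
    target: str        # path, command line, "push:<branch>", or "<server>/<tool>"
    operation: str     # what the agent said it wanted to do


@dataclass
class Rule:
    rule_id: str
    action_type: str
    pattern: str       # regex applied to ActionRequest.target
    decision: str
    severity: str
    reason: str
    approver_group: Optional[str] = None


# Hypothetical policy pack; identifiers are constructed for this example.
POLICY_PACK = "example-baseline"
POLICY_ID = "pol-example-001"
RULES = [
    Rule("r-secrets-read", "file_read", r"(^|/)\.env$|id_rsa$", "block", "critical", "secret material must not be read by agents"),
    Rule("r-protected-push", "git", r"^push:(main|release/.*)$", "require_approval", "high", "direct push to protected branch", "release-managers"),
    Rule("r-destructive-shell", "shell", r"\brm\s+-rf\b|\bmkfs\b", "block", "critical", "destructive shell command"),
    Rule("r-iac-apply", "shell", r"^terraform\s+apply\b", "require_approval", "high", "infrastructure change", "platform-oncall"),
    Rule("r-test-shell", "shell", r"^(pytest|go test)\b", "allow_with_attestation", "info", "test run attested in evidence"),
    Rule("r-untrusted-mcp", "mcp_tool", r"^untrusted/", "block", "high", "MCP server not in trust registry"),
    Rule("r-mcp-audit", "mcp_tool", r".*", "audit_only", "low", "trusted MCP call recorded for audit"),
]


@dataclass
class Decision:
    decision: str
    agent_id: str
    actor: str
    action_type: str
    target: str
    requested_operation: str
    policy_pack: str
    policy_id: str
    rule_id: str
    severity: str
    reason: str
    evidence_refs: List[str]
    approver_group: Optional[str]
    timestamp: str
    correlation_id: str


def evaluate(req: ActionRequest, rules=RULES, correlation_id: Optional[str] = None) -> Decision:
    """First matching rule for the action type wins; no match falls through to allow."""
    matched = next((r for r in rules if r.action_type == req.action_type and re.search(r.pattern, req.target)), None)
    if matched is None:
        matched = Rule("r-default-allow", req.action_type, ".*", "allow", "info", "no policy rule matched")
    assert matched.decision in DECISIONS
    # Evidence reference: hash of the canonical request so the record can be tied to what was asked.
    digest = hashlib.sha256(json.dumps(asdict(req), sort_keys=True).encode()).hexdigest()
    return Decision(
        decision=matched.decision, agent_id=req.agent_id, actor=req.actor,
        action_type=req.action_type, target=req.target, requested_operation=req.operation,
        policy_pack=POLICY_PACK, policy_id=POLICY_ID, rule_id=matched.rule_id,
        severity=matched.severity, reason=matched.reason, evidence_refs=[f"sha256:{digest}"],
        approver_group=matched.approver_group,
        timestamp=datetime.now(timezone.utc).isoformat(),
        correlation_id=correlation_id or str(uuid.uuid4()),
    )


# Constructed parity fixtures: (request, expected decision, expected rule id).
PARITY_FIXTURES = [
    ({"agent_id": "agent-1", "actor": "dev@example", "action_type": "git", "target": "push:main", "operation": "git push origin main"}, "require_approval", "r-protected-push"),
    ({"agent_id": "agent-1", "actor": "dev@example", "action_type": "shell", "target": "rm -rf /", "operation": "clean workspace"}, "block", "r-destructive-shell"),
    ({"agent_id": "agent-1", "actor": "dev@example", "action_type": "mcp_tool", "target": "github/create_pr", "operation": "open PR"}, "audit_only", "r-mcp-audit"),
    ({"agent_id": "agent-1", "actor": "dev@example", "action_type": "file_read", "target": "src/app.py", "operation": "read source"}, "allow", "r-default-allow"),
]


def check_parity(engine: Callable[[ActionRequest], Decision], fixtures=PARITY_FIXTURES) -> List[str]:
    """Run a candidate engine over the fixtures; an empty list means it agrees with the expected decisions."""
    mismatches = []
    for raw, want_decision, want_rule in fixtures:
        got = engine(ActionRequest(**raw))
        if (got.decision, got.rule_id) != (want_decision, want_rule):
            mismatches.append(f"{raw['target']}: got {got.decision}/{got.rule_id}, want {want_decision}/{want_rule}")
    return mismatches


if __name__ == "__main__":
    print(json.dumps(asdict(evaluate(ActionRequest("agent-1", "dev@example", "shell", "terraform apply", "apply infra"))), indent=2))
    print("parity mismatches:", check_parity(evaluate))
```

Rule order matters: the catch-all `r-mcp-audit` sits after the trust-registry rule, so an untrusted server is blocked before the audit rule can see it. The parity check takes any callable with the same signature, which is how a second implementation in another language would be exercised against the same fixture file in CI.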
CAVRA uses a dual-plane architecture.
Management plane:
- Python CLI.
- Policy registry.
- Evidence hub.
- Approval router.
- Agent Registry and MCP Trust Registry with JSON/SQLite persistence.
- Activity persistence for sessions and decisions.
- Repository inventory and policy rollout persistence.
- Integration inventory persistence.
- Persistent API backup, restore, and retention operations.
- Policy rollout drill-downs and read-only console security boundary reporting.
- FastAPI backend.
- Claude Code and MCP adapters.
- Compliance packs.
- Integrations.
Enforcement plane:
- Current Python runtime guard.
- Scaffolded Go runtime backend with shared parity fixtures and compiled-policy loading.
- Future Unix-socket or gRPC interface.
- Future local daemon and CI runner mode.
- Future air-gapped single-binary deployment.
CAVRA solves:
- Secret exposure.
- Unsafe infrastructure changes.
- Direct protected-branch push.
- Dangerous shell command execution.
- MCP tool sprawl.
- Audit gaps.
- Identity ambiguity.
- Approval bypass.
- Excessive agency.
- Prompt-injection-induced tool misuse.
CAVRA maps AI-agent runtime controls to banking, PCI DSS, HIPAA, SOX, NIST SSDF, ISO 27001, EU AI Act, and OWASP LLM/agentic risk requirements.
CAVRA should become the default governance layer for Claude Code users:
```shell
claude mcp add cavra -- cavra-mcp-server
```

The strategy is simple: make safe adoption easier than ungoverned adoption.
The path to production readiness is:
- Productization foundation.
- Policy engine hardening. This phase is complete and adds schema validation, inheritance, semantic diff, compile output, and policy signature metadata.
- Evidence hub and attestation. This phase is near complete and includes signed evidence, SIEM exports, retention, trust roots, metadata search, governed artifact retrieval, and console evidence views.
- Approval router. This phase is complete for the current production-readiness slice and includes approval routing, OIDC/JWKS, repository RBAC, provider delivery, break-glass, and audit views.
- Agent Registry and MCP Trust Registry. This phase is complete for the current production-readiness slice and includes JSON/SQLite registry persistence, agent profiles, MCP capability classification, console views, and registry-backed runtime decisions.
- Console and persistent API. This phase has started with durable sessions, decisions, repository inventory, policy rollout persistence, policy authoring previews, rollout change workflows, production deployment validation, integration inventory persistence, evidence artifact retrieval, persistent API backup/restore/retention operations, policy rollout drill-downs, read-only console security boundary reporting, authenticated console sessions, RBAC-enforced console mutations, console Activity Explorer views, and repository/rollout/integration console views.
- Go enforcement plane.
- Enterprise integrations. This phase has started with GitHub required-check templates, GitLab and Azure DevOps CI/CD enforcement examples, evidence verification in branch protection, CI evidence artifact upload, approval-bound signed policy publishing, live SIEM/ITSM/ChatOps connector execution hooks, AWS/Azure immutable evidence storage references, and Entra/Okta OIDC-RBAC deployment references.
- Public sandbox and growth loop.
- Production readiness and release.
CAVRA is not a prompt filter or static scanner. It is the enterprise runtime authority layer for autonomous engineering.
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?
| Start | Build | Operate | Assure |
|---|---|---|---|
| Quick Start | CLI | Enterprise Guide | AISPM |
| Reader Paths | Policy Syntax | Deployments | Evidence |
| Community | GUI | Troubleshooting | Conclusion |
- Foreword And Reader Paths
- Why CAVRA Exists
- Runtime Authority Model
- Architecture
- Editions
- Install And Deploy
- Community Guide
- Enterprise Guide
- CLI Reference
- GUI And Sandbox
- AISPM Guide
- Policy And Evidence
- Operations And Integrations
- Labs And Use Cases
- Appendices And FAQ
- Policy Language Reference
- Troubleshooting Playbook
- Technology Stack
- Conclusion