Auditor Export Pack

What's inside the ZIP file you share with auditors.

See a Sample Pack

Download a sample auditor pack with realistic demo data. Includes evidence files, summaries, OCR examples, and the full folder structure.

The sample pack contains fictional data for demonstration only.

Overview

When you generate an export, EvidenceOps creates a structured ZIP file containing your evidence files, summaries, and metadata. This file is designed to give auditors everything they need for their review.

Folder Structure

audit-export-2024-q4.zip/
├── README.md               # Human-readable overview
├── SUMMARY.md              # Full index with stats and links
├── EXPORT_INFO.md          # Export metadata and verification instructions
├── SHA256SUMS.txt          # File integrity checksums (standard format)
├── verify.sh               # Verification script for Mac/Linux
├── verify.ps1              # Verification script for Windows
├── evidence/               # Evidence documentation (per-item folders)
│   ├── Access Review Q4/
│   │   ├── index.md        # Evidence details and links
│   │   ├── ai-summary.md   # AI analysis and claims
│   │   └── extracted-text.md
│   └── Vuln Scan October/
│       └── ...
├── requests/               # Request documentation (one file per request)
│   ├── CC6.1 Access Review.md
│   └── CC7.1 Vulnerability Management.md
├── files/                  # Original uploaded files
│   ├── access-review-q4.pdf
│   ├── vuln-scan-october.pdf
│   └── ...
└── _meta/                  # Machine-readable metadata (JSON)
    ├── manifest.json
    ├── evidence-index.json
    ├── readiness.json
    ├── export-manifest.json
    └── export-signature.txt

README.md

A human-readable markdown file with:

  • Workspace and audit cycle information
  • Quick navigation links to key files
  • Folder structure explanation
  • Instructions for navigating the export
  • Disclaimer about compliance determinations

Auditors typically open this first to understand what's included and how to navigate the pack.

SUMMARY.md

A comprehensive markdown index with:

  • Export metadata (ID, timestamp, worker version)
  • Audit readiness percentage and breakdown
  • Request completeness status (Complete, In Progress, Not Started)
  • Evidence status breakdown (Reviewed, Needs Review, Stale, Pending)
  • Quick stats (total requests, evidence counts, OCR usage)
  • Full evidence list with links to details, AI summaries, and files
  • Full requests list with status and evidence counts

This allows auditors to quickly scan all evidence and requests with direct links to details.

_meta Folder

Machine-readable JSON metadata for verification and integration:

manifest.json

Core export metadata and file listing:

{
  "schemaVersion": "1.0",
  "exportId": "exp_abc123",
  "generatedAt": "2024-10-15T14:30:00Z",
  "workerVersion": "a1b2c3d",
  "hierarchy": "human-readable-no-slugs",
  "workspace": { "id": "...", "name": "Acme Corp" },
  "auditCycle": { "id": "...", "name": "2024 Annual Audit", ... },
  "counts": { "requests": 45, "evidence": 38, ... },
  "files": [{ "path": "files/report.pdf", "sha256": "...", ... }]
}

evidence-index.json

Structured index of all evidence and request linkages:

{
  "evidence": [
    { "id": "...", "title": "Q4 Access Review", "folderName": "Access Review Q4",
      "hasFile": true, "hasAiSummary": true, "linkedRequestIds": [...] }
  ],
  "requests": [
    { "id": "...", "title": "CC6.1 Access Review", "status": "DONE",
      "linkedEvidenceIds": [...] }
  ]
}

readiness.json

Audit readiness breakdown for automated reporting:

{
  "summary": { "readinessPercentage": 87, "totalRequests": 45, "totalEvidence": 38 },
  "requestCompleteness": { "complete": 39, "partial": 4, "empty": 2 },
  "evidenceReadiness": { "ready": 32, "needsReview": 4, "stale": 2, "missingText": 0 }
}

export-manifest.json & export-signature.txt

Cryptographic integrity verification (when EXPORT_SIGNING_KEY is configured):

  • export-manifest.json: Complete file listing with paths, sizes, and SHA-256 hashes
  • export-signature.txt: HMAC-SHA256 signature over the canonical manifest

These files enable verification that the export has not been tampered with since generation.

evidence/ Folder

Contains one folder per evidence item with human-readable names (derived from the original filename or evidence title). Each folder includes:

  • index.md: Evidence metadata, AI analysis summary, and links to related requests
  • ai-summary.md: Full AI analysis including freshness assessment, key claims, missing elements, and suggested request matches (if AI summary exists)
  • extracted-text.md: Raw extracted text from the document (if text extraction succeeded)

The folder structure makes it easy to navigate evidence by name without needing to decode IDs.

requests/ Folder

Contains one markdown file per audit request, named using the request title. Each file includes:

  • Request status and metadata (framework tag, due date, owner)
  • Request description
  • Linked evidence list with direct links to evidence folders and files

files/ Folder

Contains the original uploaded files (PDFs, images, etc.) with their original filenames preserved. If two files have the same name, a short ID suffix is added to make them unique.

This folder contains the actual documents auditors will review.

Freshness and Readiness

Each evidence summary includes a freshness assessment:

  • likely_valid: Document appears current and relevant
  • possibly_stale: May need review (dates unclear)
  • likely_outdated: Document appears old or expired
  • unknown: Could not determine freshness

The SUMMARY.md includes freshness status so auditors can quickly identify evidence that may need attention.

Export Metadata

Every export includes metadata stamping for audit trail purposes:

  • Export ID: Unique identifier for this export
  • Generated At: ISO timestamp of generation
  • Worker Version: Git commit SHA that built the export
  • EXPORT_INFO.md: Human-readable summary with verification instructions

This metadata allows auditors to cross-reference the export with records in EvidenceOps and verify they have the correct version.

How Auditors Use This

A typical auditor workflow:

  1. Download the ZIP from the auditor portal
  2. Extract the ZIP and open README.md for orientation
  3. Review SUMMARY.md for the full evidence index
  4. Check requests/ folder for coverage mapping
  5. Open specific evidence files as needed
  6. Verify integrity using the included verification scripts

The structured format reduces back-and-forth questions and gives auditors confidence in the evidence package.

Integrity Verification

Each export includes cryptographic integrity verification to prove the contents have not been modified since generation.

Quick Verification

After extracting the ZIP, run the included verification script:

# Mac/Linux:
chmod +x verify.sh && ./verify.sh

# Windows PowerShell:
.\verify.ps1

# Manual verification (Mac/Linux):
shasum -a 256 -c SHA256SUMS.txt

All files should show OK. Any failures indicate modification.

What's Verified

  • SHA256SUMS.txt: Standard-format SHA-256 checksums for every file
  • export-manifest.json: Complete file listing with paths, sizes, and hashes
  • export-signature.txt: HMAC-SHA256 signature over the canonical manifest

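The signature is an HMAC-SHA256 over the canonical manifest, keyed with EXPORT_SIGNING_KEY, so only a party holding that key can produce a valid signature. Because HMAC is symmetric, checking the signature requires the same key. The manifest records the exact state of all files at generation time.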
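The chain described above (signature, then manifest, then files) can be checked end to end as in the following added example, which is not EvidenceOps code and not the contents of verify.sh. It assumes a canonical form of sorted keys with compact separators, a hex-encoded signature, and manifest entries with path, size and sha256 fields; the function names and the demo pack are constructed for illustration.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

# ASSUMPTION: the manifest cannot list itself or its own signature.
UNSIGNED = {"_meta/export-manifest.json", "_meta/export-signature.txt"}

def sign(manifest, key):
    # ASSUMPTION: "canonical" means sorted keys, compact separators, UTF-8.
    blob = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def verify_pack(root, key):
    """Check signature -> manifest -> files; return a sorted list of findings."""
    root = Path(root).resolve()
    manifest = json.loads((root / "_meta/export-manifest.json").read_text("utf-8"))
    sig = (root / "_meta/export-signature.txt").read_bytes().strip()
    # Constant-time compare; an unauthenticated manifest proves nothing, so stop.
    if not hmac.compare_digest(sign(manifest, key).encode(), sig):
        return ["signature: manifest does not match export-signature.txt"]
    findings, listed = [], set(UNSIGNED)
    for entry in manifest["files"]:  # ASSUMPTION: entries carry path, size, sha256
        rel = entry["path"]
        listed.add(rel)
        path = (root / rel).resolve()
        if root not in path.parents:
            findings.append(f"unsafe path: {rel}")  # escapes the extracted pack
        elif not path.is_file():
            findings.append(f"missing: {rel}")
        else:
            data = path.read_bytes()
            if len(data) != entry["size"] or hashlib.sha256(data).hexdigest() != entry["sha256"]:
                findings.append(f"modified: {rel}")
    for path in root.rglob("*"):  # files the manifest never vouched for
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in listed:
            findings.append(f"unlisted: {rel}")
    return sorted(findings)

def build_demo_pack(key):
    """Write a constructed pack (fictional data) to a temp dir; return its path."""
    root, body = Path(tempfile.mkdtemp()), b"constructed access review\n"
    manifest = {"files": [{"path": "files/access-review-q4.pdf", "size": len(body),
                           "sha256": hashlib.sha256(body).hexdigest()}]}
    for rel, data in (("files/access-review-q4.pdf", body),
                      ("_meta/export-manifest.json", json.dumps(manifest).encode()),
                      ("_meta/export-signature.txt", sign(manifest, key).encode())):
        (root / rel).parent.mkdir(exist_ok=True)
        (root / rel).write_bytes(data)
    return root
```

Unlike a bare checksum list, which can be regenerated alongside an edited file, an edit that is mirrored into the manifest still fails here because the manifest no longer matches the keyed signature.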
