Compliance Time Capsule — exporting your audit-ready snapshot
For: all
Tier: pro+
Time: ~5 min
Why you'd do this
Compliance evidence has to leave the platform sometimes — for a regulator submission, a board pack, an internal annual archive, or a lawyer review. The Time Capsule is the canonical export format: a single zip containing the latest scan, every attached evidence file, all completed Human Gate PDFs, the Declaration of Conformity, and a manifest with SHA-256 hashes — verifiable as untampered, self-contained, and dated.
Before you start
- Pro+ tier (the export action is gated; free / starter sees the button render an upgrade prompt)
- At least one synced scan with completed evidence / Human Gates (otherwise the export contains a near-empty manifest)
- Storage space — typical export is 5-50 MB, large repos with many PDFs can hit 200-500 MB
Step 1
Two entry points:
Per-repo Export — top-right of any repo's overview page. Exports just that repo's state.
Cross-repo Export — /dashboard/reports (sidebar → Reports). Pick which repos to include via checkbox; export bundles all selected into one zip with a cross-repo manifest.
The button shows tier state inline: an emerald "Pro" badge if you can export, an amber lock + tier name if you can't.

What you'll see: Reports page with the per-repo and cross-repo export controls. Generation typically takes 5-30 seconds depending on evidence volume.
Step 2
The exported zip's structure:
compliancelint-YYYY-MM-DD-<repo-name>.zip
├── manifest.json — top-level index + SHA-256 of every file
├── scan/
│   ├── scan.json — full scan envelope (all findings)
│   └── compliance-profile.json — account snapshot at export time
├── evidence/
│   └── <finding-id>/ — one folder per finding with evidence
│       ├── <file-1>.pdf
│       └── ...
├── human-gates/
│   ├── art09.pdf — Risk Management System submission
│   ├── art14.pdf — Human Oversight Design
│   └── ...
├── doc.pdf — Declaration of Conformity (Annex V)
├── tech-doc.pdf — Technical Documentation cover (Annex IV §1)
└── README.md — what's inside, how to verify hashes
Every PDF is independently openable; the zip is a convenience wrapper, not a proprietary format.
Step 3
Past exports are listed under /dashboard/reports → Past exports tab. Tier determines retention:
| Tier | Past exports kept |
|---|---|
| Free | 7 days |
| Starter | 30 days |
| Pro | 12 months |
| Business | 36 months |
Each export entry shows the timestamp, repo(s) covered, total finding count, total evidence count, and a download button. Older entries are pruned by a daily job; download anything you need to keep BEFORE the cutoff.
The exported zip itself is yours forever — retention only applies to the dashboard's copy / regenerate-on-demand. If you've downloaded the zip locally it's not affected by retention.
Step 4
The manifest.json at the top of the zip contains:
- Export timestamp (ISO-8601 UTC)
- Scanner version + obligation set hash
- Every file path + SHA-256 hash
- Account fingerprint (so a regulator can verify the export came from a specific organisation's account, not someone else's)
To verify integrity locally:
$ shasum -a 256 evidence/<finding-id>/<file>.pdf
<hash> evidence/<finding-id>/<file>.pdf
$ jq '.files["evidence/<finding-id>/<file>.pdf"]' manifest.json
<same hash>
If the hashes don't match, the file was modified after export — the manifest is your proof that the regulator received exactly what was generated, not a re-edited version.
Step 5
Recommended export cadence:
Quarterly — minimum for any production system. Captures the compliance state at known intervals; useful for board reporting and audit trail continuity.
Pre-release — every time you push a release that touches AI components. Pins the compliance evidence to a specific release artifact.
Pre-regulator-submission — anchors the snapshot you submit; future scans don't change what the regulator was given.
Pre-tier-downgrade — downgrade may prune older scans from the dashboard; export FIRST so the historical evidence isn't lost. (The export retention is tier-based but the LOCAL zip is yours forever.)
Future: scheduled auto-export (Business+, planned 2026 Q2). Until then, run manually on a calendar reminder.
What can go wrong
- Export job stays "in progress" for more than 5 minutes — Large evidence volumes (>200 MB) take longer. The progress indicator updates every 10s. If it really hangs (no update for 2+ minutes), refresh the Reports page — the server-side job is tracked separately, refresh re-attaches the UI without canceling. Persistent hangs > 10 min: open a support ticket including the export job id from the URL.
- Downloaded zip won't extract / shows corruption — Network truncation during download. Re-download from the Past exports list (the same export can be re-downloaded as long as it's within the tier retention window). If multiple re-downloads are all corrupt, check your browser's download settings (some block a .zip with PDFs inside as "suspicious"). Curl as a fallback: the Past exports list shows each entry's API URL.
- Manifest hashes don't match the file contents — Either the file was modified after export, OR the file was extracted with line-ending normalisation (some Windows zip tools convert LF → CRLF in TXT/MD files). Re-extract with a tool that preserves bytes (e.g. unzip -K on macOS / Linux, 7-Zip with the "keep file modification" option on Windows). If hashes still don't match, the export itself is suspect — regenerate from Reports.
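An added example, not part of the product or its README: a Python check that walks an extracted capsule and compares every file with manifest.json, covering the Step 4 verification and the hash-mismatch case above, and telling a line-ending rewrite apart from a real content change. It assumes `.files` is a flat path-to-SHA-256 object, as the jq query implies; the function names and the sample files built in `demo()` are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_capsule(root) -> dict:
    """Return {relative_path: status} for an extracted Time Capsule."""
    base = Path(root).resolve()
    # Assumption: .files is a flat {path: sha256-hex} object, as the jq query implies.
    expected = json.loads((base / "manifest.json").read_bytes())["files"]
    results = {}
    for rel, want in expected.items():
        target = (base / rel).resolve()
        if not target.is_relative_to(base) or not target.is_file():
            results[rel] = "missing"  # absent, or the path escapes the capsule
        elif sha256_hex(data := target.read_bytes()) == want.lower():
            results[rel] = "ok"
        elif sha256_hex(data.replace(b"\r\n", b"\n")) == want.lower():
            results[rel] = "crlf-converted"  # extraction rewrote line endings
        else:
            results[rel] = "mismatch"  # content differs from what was exported
    for path in base.rglob("*"):
        rel = path.relative_to(base).as_posix()
        if path.is_file() and rel != "manifest.json" and rel not in expected:
            results[rel] = "unlisted"  # on disk but not covered by the manifest
    return results


def demo() -> dict:  # constructed capsule with one fault of each kind
    good = {"README.md": b"how to verify\n", "doc.pdf": b"%PDF-1.7 doc",
            "tech-doc.pdf": b"%PDF-1.7 cover", "scan/scan.json": b"{}"}
    on_disk = {"README.md": b"how to verify\r\n",   # CRLF rewrite on extract
               "doc.pdf": b"%PDF-1.7 edited",        # modified after export
               "tech-doc.pdf": b"%PDF-1.7 cover",    # untouched
               "extra.pdf": b"added later"}          # scan/scan.json is absent
    with tempfile.TemporaryDirectory() as tmp:
        manifest = {"files": {p: sha256_hex(b) for p, b in good.items()}}
        Path(tmp, "manifest.json").write_text(json.dumps(manifest))
        for name, data in on_disk.items():
            Path(tmp, name).write_bytes(data)
        return verify_capsule(tmp)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A `crlf-converted` result points at the extraction tool rather than the export, so re-extracting is enough; `mismatch`, `missing` or `unlisted` means the folder no longer matches what was generated.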
Last updated: 2026-04-30