Keys never leave your machine
Evidence Pack schema — versioned, signed, assessor-ready.
The JSON export your auditor receives from Trust Operations Console. Same shape as the public sample — verify offline without uploading source code.
Schema
ssx360.evidence-pack.v1
One artifact shape for sample download, simulator output, and live Team+ export.
ssx360.evidence-pack.v1 · Ed25519 detached signature · Offline verifiable
Machine readers: plain JSON at /samples/evidence-pack-sample.json · sibling .sig file ships beside the sample. · Compliance mappings
Glossary
Field reference
Assessor landing page — every top-level key explained below.
Top-level fields
- schema: Version string — currently ssx360.evidence-pack.v1
- issued_at: ISO-8601 UTC timestamp when the pack was generated
- account: Redacted org identity: email hash, plan, entitlement state
- summary: Aggregate counts: repos, events, signed/unsigned/blocked/review
- events[]: Commit ledger rows: repo, branch, commit SHA, actor, policy result
- policy_templates[]: Active preset rules evaluated at gate time
- compliance_mappings[]: Procurement language mapped to DORA, PCI DSS v4.0.1, FS AI RMF, SSDF, and EU AI Act readiness
- signature: Detached Ed25519 signature over canonical JSON bytes
Assessor
Verify offline
No account required — paste JSON at /verify or use the CLI.
bash · verify
matrixscroll verify --envelope path/to/envelope.json
# Or paste JSON at https://ssx360.com/verify
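What "detached Ed25519 signature over canonical JSON bytes" in the signature field implies for an offline check, as an added example in Node.js (not SSX360's or matrixscroll's own code). The page does not specify the canonicalization rule or signature encoding, so the example assumes recursively sorted keys with no whitespace, the signature field excluded from the signed bytes, and base64 encoding; the key pair, pack contents and nested key names are constructed for the demo.

```javascript
// Added example: detached Ed25519 signature over canonical JSON (Node.js, no dependencies).
// ASSUMPTION: canonical form = keys sorted recursively, no whitespace, UTF-8, with the
// top-level "signature" field excluded; signature is base64. The page defines neither.
const crypto = require('node:crypto');

// Serialise with sorted object keys so key order cannot change the signed bytes.
function canonicalize(value) {
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  if (value !== null && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

// Bytes covered by the signature: the whole pack minus its own signature field.
function signedBytes(pack) {
  const { signature, ...body } = pack;
  return Buffer.from(canonicalize(body), 'utf8');
}

function signPack(pack, privateKey) {
  // Algorithm argument is null because Ed25519 does its own hashing.
  const sig = crypto.sign(null, signedBytes(pack), privateKey);
  return { ...pack, signature: sig.toString('base64') };
}

// True only for the expected schema version and a valid signature from publicKey.
function verifyPack(pack, publicKey) {
  if (pack.schema !== 'ssx360.evidence-pack.v1') return false;
  if (typeof pack.signature !== 'string') return false;
  const sig = Buffer.from(pack.signature, 'base64');
  if (sig.length !== 64) return false; // Ed25519 signatures are always 64 bytes
  return crypto.verify(null, signedBytes(pack), publicKey, sig);
}

// Constructed sample: this key pair and pack exist only for the example.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const samplePack = signPack({
  schema: 'ssx360.evidence-pack.v1',
  issued_at: '2025-01-01T00:00:00Z',
  summary: { signed: 1, unsigned: 0 }, // nested key names are hypothetical
  events: [{ repo: 'example/repo', policy_result: 'signed' }],
}, privateKey);

console.log('valid pack verifies:', verifyPack(samplePack, publicKey));
```

Reordering keys leaves the result unchanged, while editing any field, substituting a different public key or truncating the signature makes verifyPack return false.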