Evidence Packet
An evidence packet is a self-contained, independently verifiable compliance artifact. It contains everything an auditor needs to confirm that the assessment happened, what it found, and that it can be reproduced.
Generating a packet
stave bundle audit \
--framework hipaa \
--period Q1-2026 \
--history ./assessments/ \
--out ./evidence/
Required inputs:
--framework— compliance framework (hipaa,soc2,fedramp,pci_dss)--period— period shorthand (Q1-2026) or explicit range (--from 2026-01-01 --to 2026-03-31)--history— directory of assessment JSON files fromstave apply --format json--out— output directory (created if not exists)
Optional:
--exempt— path to acknowledgments YAML (includes exemption register in the packet)--dry-run— show what would be collected without writing
Packet contents
evidence/
├── manifest.sha256 # SHA-256 of every file in the packet
├── assessment-results/ # All assessment JSON files for the period
│ ├── 2026-01-15.json
│ ├── 2026-02-01.json
│ └── ...
├── executive-report.json # Summary: finding counts, trends, risk posture
├── continuity-attestation/ # Evidence of continuous monitoring (no gaps)
├── remediation-trend.json # Finding open/close over the period
└── exemption-register.json # Active and expired exemptions during the period
Re-derivability
The evidence packet is independently verifiable:
- An auditor with the original snapshots and the same Stave version can re-run every assessment and get byte-identical findings
- The manifest provides integrity — any modification to any file in the packet is detectable
- The catalog version is recorded — the auditor knows exactly which controls were evaluated
This means the assessor does not need to be trusted. The auditor can verify the assessment themselves.
Verifying a packet
stave bundle audit --path ./evidence/ --verify
Verification checks:
- Manifest integrity (SHA-256 of each file matches)
- Period coverage (no gaps in the assessment cadence)
- Catalog version consistency across assessments
- Exemption register matches the acknowledgments file
What an auditor receives
The evidence packet crosses the practitioner → CISO gap without requiring tool knowledge. An auditor sees:
- What was evaluated — catalog version, control count, resource scope
- What was found — finding counts by severity, trend over time
- What was accepted — exemption register with rationale and expiry
- That it's reproducible — manifest + catalog version = re-derivable
- That monitoring was continuous — no gaps in the assessment cadence
The auditor does not need to install Stave, understand the control YAML format, or have cloud credentials. The packet is the deliverable.