Open /compliance/evidence-export. Pick a date window (90 days back is the default; quick-range presets cover 30d / 90d / 12mo / YTD), add an optional label ("Q1 2026 SOC 2 visit", "FRCP discovery — Smith v. Acme"), tick the sections you want, click Generate. The browser downloads a single PDF.
What's in it:
- **Cover page** — tenant name, plan, window, generated-by + generated-at, live document count, tombstoned (recoverable) count, documents under active hold, active hold count, tenant id. - **Audit-chain integrity** (live) — walks the SHA-256 hash chain from genesis to the chain tip and reports PASS/FAIL with the first-mismatch detail (event id, stream, expected vs actual hash) when broken. Use this as the auditor-facing proof that the audit log hasn't been edited. - **Legal holds** — every hold (active + released) with matter ref, status, opened/released dates. Up to 200 rows. - **Retention classes** — every defined class with code, name, retention-for-years, disposition mode, and active/archived status. - **Member roster** — every workspace member with role and join date, plus a role-distribution summary line ("owner 1 · admin 3 · member 12"). - **Event-type summary** — total event count in the window + the top 40 event types with raw counts and share-of-traffic percentages. Reads like a "what happened in this period" dashboard. - **Recent events** (off by default) — the most recent 200 events in the window as a table with timestamp, type, actor, and stream id. Useful for FRCP discovery exhibits where individual events matter; expensive on the page count, hence the default-off.
## Hash-stamping
Each generated packet emits `compliance.evidence-packet-generated` to the tenant stream with the SHA-256 of the PDF bytes on the payload. The same hash also rides in the X-Kodori-Packet-Hash response header. An auditor reviewing your chain later can verify that the PDF you produce matches the hash on the chain — proof the bytes weren't tampered with after generation.
## Permissions
Owner / admin only. The packet leaks tenant hold matters + member list + event vocabulary by design, so the bar matches /compliance and /audit.
## When to use which compliance surface
- /compliance — the live one-page snapshot, daily-ops view - /compliance/reports — point-in-time CSV exports for working papers (retention disposal, hold log, audit-chain CSV, DSAR fulfillment, SOC 2 evidence map) - /compliance/evidence-export — single bundled PDF an auditor takes home, hash-chained and signed