> ## Documentation Index
> Fetch the complete documentation index at: https://docs.roboticks.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Evidence Packs

> A per-release, tamper-evident bundle that pins every requirement, test result, MCAP, log, coverage report, SBOM, and static-analysis finding the auditor needs.

# Evidence Packs

An **evidence pack** is the single artefact Roboticks produces for a release that an external auditor, internal QA gate, or certification body ingests. It pins every input that fed the verification run and every output that came out, in formats the certified toolchain already understands.

<Info>
  Generate one per release; archive for a decade or more. The pack is the contractual receipt that — on the day you shipped that commit set — every safety, functional, and performance requirement had a passing test behind it.
</Info>

## What is inside

A pack is a structured directory tree rendered into three deliverable formats. Every pack contains:

| Artefact                       | Source                                                                    | Why it is there                                                                                                            |
| ------------------------------ | ------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------- |
| **Requirements snapshot**      | Immutable copy of every pinned requirement at the moment of release       | The auditor needs the exact text you verified against, not the latest                                                      |
| **Traceability matrix subset** | The requirement × test grid for this release only                         | Proves coverage and surfaces any acknowledged gap                                                                          |
| **JUnit XMLs**                 | Every test run that fed the release, with `roboticks.confirms` properties | The raw verification evidence                                                                                              |
| **MCAP references**            | Signed URLs into the hot or Glacier S3 path                               | The bag files the tests recorded, retained per the [archive policy](/evidence/archive)                                     |
| **Logs**                       | stdout/stderr, runner logs, ROS2 node logs                                | Failure forensics; required by many functional-safety standards                                                            |
| **Coverage report**            | gcov / lcov for C++, coverage.py for Python                               | Mandatory under most functional-safety regimes for SIL or ASIL items                                                       |
| **SBOM**                       | SPDX 2.3 or CycloneDX 1.5                                                 | Required by EU Cyber Resilience Act; auditor cross-checks for known-vulnerable components                                  |
| **Static-analysis findings**   | SARIF 2.1.0 from your scanner stack                                       | clang-tidy, cppcheck, Bandit, Semgrep, plus any [BYO connector](/integrations/overview) output (LDRA, Polyspace, Coverity) |
| **Screenshots and clips**      | Optional. From sim runs                                                   | Visual evidence reviewers find disproportionately persuasive                                                               |
| **Manifest**                   | `evidence_pack.manifest.json`                                             | The [machine-readable index](/evidence/manifest) tying it all together                                                     |

## Three formats, one source of truth

The same pack renders three ways. The format you hand over depends on what the recipient ingests.

| Format    | What it is                                                                                | Tier                   |
| --------- | ----------------------------------------------------------------------------------------- | ---------------------- |
| **PDF**   | Audit-ready, paginated, with table-of-contents, requirement-by-requirement evidence pages | Free, Team, Enterprise |
| **ZIP**   | Every raw file, the manifest, and a `README.md` describing the layout                     | Free, Team, Enterprise |
| **ReqIF** | Round-trippable into Polarion, Jama, codeBeamer, DOORS                                    | Team, Enterprise       |

ReqIF is the soft paywall that unlocks at Team — it is the format the compliance buyer needs to put the pack back into their requirements-management system. See [Formats](/evidence/formats) for a deep dive.

## Storage and retention

Packs land in S3 at `s3://{bucket}/evidence-packs/{release_id_or_set_hash}.zip`. They live in S3 standard for 90 days, then transition to S3 Glacier Deep Archive, where they remain for the **10-year minimum** the EU Product Liability Directive expects. The retention floor is configurable up to 25 years for industries with longer tails (medical devices, rail).

See [Archive lifecycle](/evidence/archive) for the cost model and retrieval timing.

## Tamper-evident hash chain

Every pack stores the SHA-256 hash of the previous pack for the same project and signs the combined manifest with an Ed25519 key Roboticks holds in AWS KMS. The chain is verifiable years later with `rbtk evidence verify-chain`. An auditor can prove that no historical pack was rewritten after the fact. See [Hash chain](/evidence/hash-chain).

## Release-scoped vs ad-hoc

A pack is scoped either to a **Release** (the canonical form — pins commits across every linked repo and snapshots requirements) or to a **branch + commit set** for ad-hoc inspections. The Release form is what regulators expect; the ad-hoc form is for debugging, customer escalations, or sandbox runs. See [Release scoping](/evidence/release-scoping).

## What this is not

<Warning>
  **Roboticks is audit-readiness tooling, not a certified toolchain.** We assemble the evidence your notified body, certification body, or QA process ingests. We do not replace tool qualification (DO-178C, ISO 26262-8 TCL) and we do not issue conformity assessments. Verify the regulatory interpretations on this page against the standard text and your accredited assessor.
</Warning>

## Next steps

<CardGroup cols={2}>
  <Card title="Generate a pack" icon="file-export" href="/evidence/generation">
    Dashboard button, API call, or `rbtk test evidence-pack`.
  </Card>

  <Card title="Read the manifest schema" icon="file-code" href="/evidence/manifest">
    Every field in `evidence_pack.manifest.json` explained.
  </Card>

  <Card title="Hand off to an auditor" icon="user-shield" href="/evidence/customer-handoff">
    Cover-letter template, read-only project access, the disclaimer.
  </Card>

  <Card title="Standards coverage" icon="scale-balanced" href="/standards/overview">
    Which standards the pack is structured to satisfy.
  </Card>
</CardGroup>
