What the Evidence Vault provides
The Evidence Vault is the canonical store for proof of what governed agents did — every tool invocation, scope decision, and I/O hash.
Evidence receipts
Each governed action produces an evidence receipt:
| Field | Purpose |
|---|---|
| scope_requested | What the agent asked to do |
| scope_allowed | What policy permitted |
| scope_enforced | What actually happened |
| io_hash | Cryptographic hash for integrity verification |
Ingest via POST /api/v1/evidence. Query via GET /api/v1/evidence.
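An auditor-side consistency check over the four receipt fields, as an added example that is not Evidence Vault code. It assumes scopes are lists of strings, each receipt carries a hypothetical `id`, and `io_hash` is a hex SHA-256 of the raw I/O bytes; the page specifies none of these, and the receipts and I/O store below are constructed.

```python
import hashlib

def audit_receipt(receipt, io_bytes=None):
    """Return findings for one receipt; an empty list means it is consistent."""
    requested = set(receipt["scope_requested"])
    allowed = set(receipt["scope_allowed"])
    enforced = set(receipt["scope_enforced"])
    findings = []
    # Enforcement gap: something happened that policy did not permit.
    if enforced - allowed:
        findings.append(("enforced_exceeds_allowed", sorted(enforced - allowed)))
    # Policy granted more than the agent asked for.
    if allowed - requested:
        findings.append(("allowed_exceeds_requested", sorted(allowed - requested)))
    # Informational: policy narrowed what the agent requested.
    if requested - allowed:
        findings.append(("request_narrowed", sorted(requested - allowed)))
    # Integrity: recompute the hash when the auditor holds the retained I/O.
    # SHA-256 over raw bytes is an assumption, not documented behaviour.
    if io_bytes is not None:
        if hashlib.sha256(io_bytes).hexdigest() != receipt["io_hash"].lower():
            findings.append(("io_hash_mismatch", []))
    return findings

def audit(receipts, io_store):
    """Map each receipt id to its findings; io_store maps id -> retained bytes."""
    return {r["id"]: audit_receipt(r, io_store.get(r["id"])) for r in receipts}

def _sha(data):
    return hashlib.sha256(data).hexdigest()

# Constructed sample data: r1 is clean, r2 shows an enforcement gap,
# r3 has I/O that no longer matches its recorded hash.
IO_STORE = {"r1": b"read config.yaml", "r2": b"POST /deploy", "r3": b"tampered output"}
RECEIPTS = [
    {"id": "r1", "scope_requested": ["fs:read"], "scope_allowed": ["fs:read"],
     "scope_enforced": ["fs:read"], "io_hash": _sha(b"read config.yaml")},
    {"id": "r2", "scope_requested": ["fs:read", "net:post"], "scope_allowed": ["fs:read"],
     "scope_enforced": ["fs:read", "net:post"], "io_hash": _sha(b"POST /deploy")},
    {"id": "r3", "scope_requested": ["fs:write"], "scope_allowed": ["fs:write"],
     "scope_enforced": ["fs:write"], "io_hash": _sha(b"original output")},
]

if __name__ == "__main__":
    for rid, found in audit(RECEIPTS, IO_STORE).items():
        print(rid, found or "ok")
```
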
Observe integration
The Observe dashboard at /dashboard/observe shows per-workspace:
- Evidence receipt count and governed task count
- Export-ready or Awaiting evidence status badge
- Compliance export source badges and linked export path
Compliance export
Export workspace data for compliance with GET /api/v1/export?format=json (or csv).
The export includes:
- Evidence receipts with scope and I/O hashes
- Kernel events (task lifecycle)
- Telemetry metrics
- Access review data
Export is workspace-scoped and requires workspace membership.
Retention
Evidence retention follows workspace tier:
| Tier | Retention |
|---|---|
| Free | 7 days |
| Team | 90 days |
| Enterprise | 365 days |
The retention cron enforces cleanup per tier configuration.