# Sample auditor pack
This folder contains a generated sample of what you might hand to a DPO, customer security reviewer, or internal audit — produced from the no-API-key docker-compose demo.
It is supporting controls and evidence for review, not a completed legal filing or certification. See LIMITATIONS.md and ROADMAP.md.
## Contents
| File | Purpose |
|---|---|
| manifest.json | Generation metadata, verify commands, record count |
| evidence.signed.json | Full HMAC-signed evidence records (offline verification) |
| compliance-report.html | Framework-mapped control summary (HTML) |
| compliance-report.json | Same report as JSON |
| ropa.html | GDPR Art. 30 Record of Processing Activities (HTML, print-to-PDF-ready) |
| ropa.json | Same RoPA as JSON (machine-checkable) |
| annex-iv.html | EU AI Act Annex IV technical-documentation pack (HTML, print-to-PDF-ready) |
| annex-iv.json | Same Annex IV pack as JSON (machine-checkable) |
The RoPA and Annex IV pack merge declared facts (controller, purposes, retention, system description — see How to clear DECLARATION MISSING blocks in RoPA exports for the Example GmbH fields used in this sample) with runtime facts from the signed evidence (recipients, observed identifiers, third-country transfers, policy denials, oversight events). Generate your own with `talon compliance ropa` / `talon compliance annex-iv` — see the export runbook. The Annex IV pack also lists the items Talon cannot produce (model development process, performance metrics, declaration of conformity) with their owners.
## Verify offline

From a machine with the `talon` CLI and the same signing key context as the demo (or verify signature structure only):

```sh
talon audit verify --file examples/auditor-pack/evidence.signed.json
```
For a live regeneration path, see Evidence integrity 5-minute proof.
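To make the two verification modes mentioned above concrete, here is an added, self-contained Python example that is not Talon's own verifier and does not reflect the real `evidence.signed.json` schema: it assumes a simple layout of `{"records": [{"record": {...}, "hmac": "<hex>"}]}` with per-record HMAC-SHA256 over canonical JSON, a constructed test key, and constructed sample records. It shows why a key-less "structure only" check is weaker than a keyed check, and how tampering with a single record is caught.

```python
"""Illustrative offline verification of HMAC-signed evidence records.

Added example, not Talon's own verifier. The on-disk layout used here
(a list of {"record": {...}, "hmac": "<hex>"} entries under "records") is
an assumption made for this demo; consult manifest.json and the real
evidence.signed.json for the actual schema and signing details.
"""
import hashlib
import hmac
import json

# Constructed test key for this example only; a real pack is verified with
# the demo's signing-key context, never a value embedded in source.
TEST_SIGNING_KEY = b"talon-demo-test-key-do-not-use-in-production"


def canonical_bytes(record: dict) -> bytes:
    """Serialize a record deterministically so signer and verifier agree."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_record(record: dict, key: bytes) -> str:
    """Return the hex HMAC-SHA256 tag over the canonical record bytes."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def build_signed_evidence(records: list, key: bytes) -> dict:
    """Produce the signed-evidence structure assumed by this example."""
    return {
        "signing": {"alg": "HMAC-SHA256", "encoding": "hex"},
        "records": [{"record": r, "hmac": sign_record(r, key)} for r in records],
    }


def verify_structure(signed: dict) -> list:
    """Key-less check: every entry carries a record object and a well-formed
    64-hex-char tag. This is the 'signature structure only' mode; it says
    nothing about authenticity because anyone can produce a well-formed tag."""
    problems = []
    for i, entry in enumerate(signed.get("records", [])):
        tag = entry.get("hmac", "")
        if not isinstance(entry.get("record"), dict):
            problems.append(f"entry {i}: missing record object")
        if len(tag) != 64 or any(c not in "0123456789abcdef" for c in tag):
            problems.append(f"entry {i}: malformed HMAC tag")
    return problems


def verify_signed_evidence(signed: dict, key: bytes) -> list:
    """Keyed check: return indices of records whose tag does not match under
    `key`. compare_digest avoids leaking how many tag bytes matched."""
    bad = []
    for i, entry in enumerate(signed["records"]):
        expected = sign_record(entry["record"], key)
        if not hmac.compare_digest(expected, entry.get("hmac", "")):
            bad.append(i)
    return bad


# Constructed sample records, loosely modelled on the kinds of runtime facts
# the page lists (recipients, policy denials, oversight events).
SAMPLE_RECORDS = [
    {"id": 1, "event": "request", "recipient": "llm-provider-a", "decision": "allow"},
    {"id": 2, "event": "request", "recipient": "llm-provider-a", "decision": "deny",
     "policy": "no-pii-egress"},
    {"id": 3, "event": "oversight", "actor": "reviewer@example.test", "action": "approve"},
]


def demo() -> dict:
    """Sign the samples, then verify clean, tampered and wrong-key variants."""
    signed = build_signed_evidence(SAMPLE_RECORDS, TEST_SIGNING_KEY)
    tampered = json.loads(json.dumps(signed))          # deep copy
    tampered["records"][1]["record"]["decision"] = "allow"  # flip a policy denial
    return {
        "structure_ok": verify_structure(signed) == [],
        "clean_bad": verify_signed_evidence(signed, TEST_SIGNING_KEY),
        "tampered_bad": verify_signed_evidence(tampered, TEST_SIGNING_KEY),
        "wrong_key_bad": verify_signed_evidence(signed, b"wrong-key"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point for a reviewer: a pack that passes `verify_structure` but cannot be checked with the key proves only that the file is well-formed; treat it as unverified evidence until the keyed check passes in the demo's signing-key context.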
## Regenerate

Requires Docker. From the repo root:

```sh
make auditor-pack
# or: scripts/generate-auditor-pack.sh
```
When Docker is available, the script starts `examples/docker-compose`, runs `demo-recorder.sh` to seed ~10 requests, then exports from the running container.
When Docker is not available, `make auditor-pack` falls back to `auditorpackgen` (synthetic demo records with a fixed test signing key — see `manifest.json`).
Commit updated artifacts when the evidence schema or compliance mapping changes.