Evidence pack format — Copilot module

Copilot Audit packs use the same verifier and signing chain as AI observability packs. The only differences are the bundle contents and the module: "copilot" key in the manifest.

Bundle layout

pack-N.tar.gz
├── manifest.json — signed
├── manifest.sig — Ed25519 over manifest.json
├── seats.jsonl — one line per seat snapshot
└── events.jsonl — one line per audit-log entry

Unlike AI observability packs, there is no blobs/ directory: Copilot data has no content blobs.

manifest.json keys

{
  "schema_version": 2,
  "module": "copilot", // ← NEW in v2
  "pack_id": "12",
  "tenant_id": "77198636-…",
  "period_start": "2026-04-01T00:00:00Z",
  "period_end": "2026-04-30T23:59:59Z",
  "org_logins": ["acme-corp", "acme-eu"],
  "seat_count": 127,
  "event_count": 89,
  "seats_sha256": "abc…",
  "events_sha256": "def…",
  "signing_public_hex": "d2f60e21…",
  "created_at": "2026-05-01T03:14:22Z"
}

How to verify

Same verifier as AI observability packs:

python3 tools/evidence-pack-verify.py pack-12.tar.gz \
--expected-pubkey d2f60e21e0d496252b92bb308310e1a1dd1d5010f8fcaabbe169bdae1e2b7173

The verifier detects module: "copilot" in the manifest and adjusts: instead of checking traces.jsonl + spans.jsonl it checks seats.jsonl + events.jsonl.

Exit code:

  • 0 — signature valid + all hashes match
  • 1 — mismatch
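
As an added illustration (not the project's tools/evidence-pack-verify.py), the example below runs the hash and count part of the check on a constructed in-memory pack and shows what a removed or edited audit-log entry looks like. It leaves out the Ed25519 check of manifest.sig, which has to pass against the pinned public key first for the manifest's hashes to mean anything. Assumptions: digests are hex SHA-256 over the raw file bytes, counts are non-empty lines, and check_pack, build_pack and the user_hash field are hypothetical names.

```python
import hashlib, io, json, tarfile

# Data files the page lists for module "copilot" -> (hash key, count key).
COPILOT_FILES = {"seats.jsonl": ("seats_sha256", "seat_count"),
                 "events.jsonl": ("events_sha256", "event_count")}

def check_pack(pack_bytes):
    """Return a list of problems; empty means hashes and counts match."""
    # Read members into memory instead of extracting an untrusted archive to disk.
    with tarfile.open(fileobj=io.BytesIO(pack_bytes), mode="r:gz") as tar:
        files = {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}
    if "manifest.json" not in files:
        return ["manifest.json: missing"]
    manifest = json.loads(files["manifest.json"])
    if manifest.get("module") != "copilot":
        return [f"unexpected module {manifest.get('module')!r}"]
    problems = []
    for name, (hash_key, count_key) in COPILOT_FILES.items():
        data = files.get(name)
        if data is None:
            problems.append(f"{name}: missing")
            continue
        # Assumptions: hex SHA-256 over the raw bytes; count = non-empty lines.
        if hashlib.sha256(data).hexdigest() != manifest.get(hash_key):
            problems.append(f"{name}: sha256 != {hash_key}")
        n = sum(1 for line in data.splitlines() if line.strip())
        if n != manifest.get(count_key):
            problems.append(f"{name}: {n} lines != {count_key}")
    return problems

def build_pack(seats, events, shipped_events=None):
    """Constructed sample pack: manifest covers `events`, archive ships `shipped_events`."""
    manifest = {"schema_version": 2, "module": "copilot",
                "seats_sha256": hashlib.sha256(seats).hexdigest(), "seat_count": seats.count(b"\n"),
                "events_sha256": hashlib.sha256(events).hexdigest(), "event_count": events.count(b"\n")}
    body = {"manifest.json": json.dumps(manifest).encode(), "seats.jsonl": seats,
            "events.jsonl": events if shipped_events is None else shipped_events}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in body.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample rows; "user_hash" is a hypothetical seat field name.
SEATS = b'{"user_hash": "a1"}\n{"user_hash": "b2"}\n'
EVENTS = (b'{"event_type": "copilot.seat_assigned", "actor_hash": "c3", "occurred_at": "2026-04-02T09:00:00Z"}\n'
          b'{"event_type": "copilot.seat_cancelled", "actor_hash": "c3", "occurred_at": "2026-04-20T16:30:00Z"}\n')
```

Calling check_pack(build_pack(SEATS, EVENTS)) returns an empty list; passing shipped_events with a line dropped or a field edited returns the mismatches.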

What your auditor does with it

A Belgian auditor can use the pack to prove:

  • Which users had Copilot in period X — from seats.jsonl, hashed but countable
  • When a seat was assigned/cancelled — from events.jsonl, with event_type: "copilot.seat_assigned" / "copilot.seat_cancelled"
  • Who changed the Copilot policy — from event_type: "copilot.policy_updated" with actor_hash
  • Date + time of every significant action — from occurred_at

What the auditor can’t do: look up a specific username in the pack. That mapping comes from your HR system via prefix match.