Evidence pack format — OpenAI Audit module
OpenAI Audit packs use the same verifier and signing chain as the
other modules. The manifest carries module: "openai_admin" and
schema_version: 2; the bundle contains four jsonl files instead of two.
Bundle layout
    pack-N.tar.gz
    ├── manifest.json    — signed
    ├── manifest.sig     — Ed25519 over manifest.json
    ├── users.jsonl
    ├── projects.jsonl
    ├── api_keys.jsonl
    └── events.jsonl

manifest.json keys
    {
      "schema_version": 2,
      "module": "openai_admin",
      "pack_id": "12",
      "tenant_id": "77198636-…",
      "period_start": "2026-04-01T00:00:00Z",
      "period_end": "2026-04-30T23:59:59Z",
      "org_ids": ["org-abc123", "org-def456"],
      "user_count": 25,
      "project_count": 3,
      "api_key_count": 12,
      "event_count": 89,
      "users_sha256": "…",
      "projects_sha256": "…",
      "api_keys_sha256": "…",
      "events_sha256": "…",
      "signing_public_hex": "d2f60e21…"
    }

Verify
    python3 tools/evidence-pack-verify.py pack-12.tar.gz \
      --expected-pubkey d2f60e21e0d496252b92bb308310e1a1dd1d5010f8fcaabbe169bdae1e2b7173

The verifier detects module: "openai_admin" and validates the 4 jsonl
files + manifest signature.
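The following is an added example, not the project's tools/evidence-pack-verify.py and not code from the original page. It cross-checks the four jsonl files against the digest and count keys in manifest.json. It assumes each *_sha256 value is the hex SHA-256 of the raw file bytes and each *_count is the number of non-blank lines. It does not check manifest.sig, so its result only means something once the Ed25519 signature has been verified. The names check_pack and build_sample are hypothetical.

```python
import hashlib, io, json, tarfile
# jsonl file -> (digest key, count key) in manifest.json, as listed on this page.
# Assumptions: digest = hex SHA-256 of raw bytes, count = non-blank lines.
FILES = {
    "users.jsonl": ("users_sha256", "user_count"),
    "projects.jsonl": ("projects_sha256", "project_count"),
    "api_keys.jsonl": ("api_keys_sha256", "api_key_count"),
    "events.jsonl": ("events_sha256", "event_count"),
}

def check_pack(blob: bytes) -> list[str]:
    """Return a list of mismatches; an empty list means digests and counts agree."""
    members = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar:
            if m.isfile():  # read in memory; never extract untrusted paths to disk
                members[m.name.rsplit("/", 1)[-1]] = tar.extractfile(m).read()
    if "manifest.json" not in members:
        return ["manifest.json missing"]
    manifest = json.loads(members["manifest.json"])
    problems = []
    if manifest.get("module") != "openai_admin" or manifest.get("schema_version") != 2:
        problems.append("unexpected module or schema_version")
    for name, (sha_key, count_key) in FILES.items():
        data = members.get(name)
        if data is None:
            problems.append(f"{name} missing")
            continue
        if hashlib.sha256(data).hexdigest() != manifest.get(sha_key):
            problems.append(f"{name} digest mismatch")
        if sum(1 for ln in data.splitlines() if ln.strip()) != manifest.get(count_key):
            problems.append(f"{name} count mismatch")
    return problems

def build_sample(tamper: bool = False) -> bytes:
    """Constructed sample pack (not real data) for exercising check_pack."""
    files = {n: b'{"id": "x1"}\n{"id": "x2"}\n' for n in FILES}
    manifest = {"schema_version": 2, "module": "openai_admin"}
    for name, (sha_key, count_key) in FILES.items():
        manifest.update({sha_key: hashlib.sha256(files[name]).hexdigest(), count_key: 2})
    if tamper:  # drop a record after the manifest was written
        files["api_keys.jsonl"] = b'{"id": "x1"}\n'
    files["manifest.json"] = json.dumps(manifest).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```
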
What the pack proves
- API key inventory at date X — from api_keys.jsonl
- Which keys are orphaned — entries with last_used_at < period_start - 90d
- Who was admin in the period — from users.jsonl with role="owner"
- When was a key/user/project added or removed — from events.jsonl
What the pack does NOT show
- Full email addresses — only prefixes and hashes
- API key values — only redacted versions
- What keys actually did (prompts/completions) — that data is at OpenAI, not us