Skip to content
monsys.ai

Report Builder

The Report Builder produces custom evidence packs using the same infrastructure as the monthly Audit Pack: JSONL.gz + PDF + .sig, Ed25519-signed with the same hash chain. Difference: you pick the template, scope and date range.

In the dashboard

  1. Sidebar → Reports (under MANAGE)
  2. Step 1: pick one of 5 templates (cards):
    • Executive summary (1-2p) — CISO/board view with Trust Score chart
    • Technical audit (12-20p) — for NIS2/CRA auditor
    • Per application (4-6p) — deep dive one app: SLA + CVEs + EATs
    • Per group (6-10p) — all hosts in one group with aggregates
    • MSP handover (4-8p) — what your MSP team did inside a tenant
  3. Step 2: fill scope + dates:
    • Title (optional, free text)
    • Date range (default last 30 days, max 365)
    • Scope fields appear based on template:
      • tags (comma-separated)
      • group_id (UUID from /groups)
      • app_id (UUID from /apps)
      • msp_actor (email domain, for msp_handover)
      • agent_ids (comma-separated, for specific hosts)
  4. Click Generate report → async job starts
  5. Wait 10-60 s (depending on window). Shows up under My reports with status “ready”
  6. Download: PDF / JSONL.gz / .sig buttons per row

What’s in each template

TemplateContent
executiveTrust Score 30d trend chart, 3 KPI tiles (score / open critical / kernel CVEs), top 5 recent critical incidents, 1-2p total
technical_auditCover + Trust Score chart + Hosts-in-scope table + EATs + alerts + CVEs + kernel currency + verify appendix (8 sections)
per_applicationCover + app metadata + SLA uptime section + restart EATs for this app + dependencies + recent state changes
per_groupCover + all hosts in group + per-host alert/EAT summary + aggregate Trust Score breakdown
msp_handoverCover + all actions executed by MSP team (filtered on actor email domain) — “what we did this month”

All templates include a verify appendix with manifest_hash + Ed25519 signature + verify-CLI command. Offline-verifiable by external auditor with monsys-verify-eat-linux-x64 verify-pack.

Who can do what

RoleCan generateTemplates available
Vieweronly executivedownloads of own reports
Editorexecutive, technical_audit, per_application, per_groupall scopes
Adminall 5 templates incl. msp_handoverall scopes

Charts in PDF

No external libraries, no headless browser. We draw directly with gofpdf primitives:

  • Line chart: Trust Score 30d trend with y-axis ticks (0/50/100) and date labels on x-axis
  • Bar chart: alert volume per day (coming in v1.1)

Pixel-grid styling: 1px lines, monospace ticks, no grid lines except mid. Matches existing branding.

Cryptographic pipeline

Identical to the monthly Audit Pack:

  1. Worker streams evidence rows into <base>.jsonl.gz with hash chain over every line via sha256
  2. Manifest JSON with hash_chain_root + counts + range + scope
  3. manifest_hash = sha256(manifest_json)
  4. Ed25519 sign with MONSYS_HUB_SIGNING_KEY_HEX<base>.sig
  5. PDF rendered from the same data + verify appendix explaining the chain

Filename pattern: <template_kind>-<8-char-id>.jsonl.gz/.pdf/.sig. On-demand reports and the monthly 2026-04.* set coexist in /var/lib/monsys/audit-packs/<tenant_id>/.

Storage retention

Reports are not auto-deleted. The monthly Audit Pack keeps minimum 12 months (per NIS2 Art21 §2(c) interpretation). On-demand reports stay until manually removed. For disk management:

-- Find unused on-demand reports older than 90 days
SELECT id, template_kind, title, created_at
  FROM audit_packs
 WHERE tenant_id = $1::UUID
   AND template_kind <> 'monthly_full'
   AND created_at < NOW() - INTERVAL '90 days'
 ORDER BY created_at;

Or via API (advanced — for automation)

Terminal window
# 1. List available templates
curl https://app.monsys.ai/api/v1/reports/templates \
  -H "Authorization: Bearer $TOKEN"


# 2. Generate a per-app report (async)
curl -X POST https://app.monsys.ai/api/v1/reports/generate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "template_kind": "per_application",
    "title":         "Q1 2026 review — checkout-api",
    "range_start":   "2026-01-01",
    "range_end":     "2026-03-31",
    "scope_filter":  {"app_id": "<uuid>"}
  }'


# 3. Poll status
curl https://app.monsys.ai/api/v1/reports/<id> \
  -H "Authorization: Bearer $TOKEN"


# 4. Download when status=ready
curl -L https://app.monsys.ai/api/v1/reports/<id>/download?format=pdf \
  -H "Authorization: Bearer $TOKEN" -o report.pdf

Monthly Audit Pack vs Report Builder

AspectMonthly Audit PackReport Builder
TriggerAuto, 1st of month 02:00 UTCOperator clicks “Generate”
ScopeWhole tenantTenant / group / app / tag / agents / actor
PeriodPrevious calendar monthCustom (max 365 days)
Templates1 (full audit)5
ChartsNoYes (Trust Score trend)
AudienceAnnual/quarterly NIS2 auditor reportAd-hoc CISO briefing / per-app review / MSP client handover

Not a replacement — complement. The monthly pack stays the “compliance baseline”; the Report Builder is for the moments you DON’T want a calendar-month report but a specific question answered with audit-grade evidence.

What does NOT belong on this page

  • Monthly Audit Pack (auto-generated) → see Monthly Audit Pack
  • Transparency log (signed log of every EAT) → see Transparency log
  • Auditor workbench (read-only login for external auditor) → see Auditor