Shipyard

Evidence Pack

Self-serve compliance deliverables: NDJSON activity logs, bundled artifacts, and signed evidence you can hand auditors.

Start with the packaged bundle, run it on any repo, and export the artifacts + receipts that auditors expect.

What you get

Everything ships with the pack so your team can reproduce, verify, and export audit-ready proof on demand.

NDJSON activity log

Gate-by-gate events with actor, timestamp, status, and hashes so you can prove every change.

  • Smoke · lint · typecheck · unit · build · bundle gates
  • Outcome + warnings + durations
  • Signed gate hashes

Evidence bundle

SPEC.md, VERIFY_REPORT.md, SHA256SUMS.txt, and curated docs land in one sealed artifact.

  • Gate definitions + verification outcomes
  • Artifact ledger + hash manifest
  • Docs: quickstart, troubleshooting, retention notes

Signed artifacts

Portable bundle (run.ps1 / run.sh / run.cmd) plus signatures and certs prove delivery integrity.

  • Automated bundle -> artifact SCC pipe
  • Signed manifests and checksum checks
  • Activation scripts + status endpoints

Sample format — NDJSON Activity Log

This is a faithful excerpt of the activity log the pack exports on every run.

{"ts":"2026-01-23T14:32:00.123Z","gate":"file-hash","path":"src/main.rs","hash":"sha256:abc123..","status":"pass"}
{"ts":"2026-01-23T14:32:01.456Z","gate":"file-hash","path":"docs/README.md","hash":"sha256:def456..","status":"pass"}
{"ts":"2026-01-23T14:32:02.789Z","gate":"commit-signed","commit":"a1b2c3d","signer":"alice@example.com","status":"pass"}
{"ts":"2026-01-23T14:32:03.012Z","gate":"commit-signed","commit":"e4f5g6h","signer":"bob@example.com","status":"pass"}
{"ts":"2026-01-23T14:32:04.345Z","summary":"4/4 gates passed","batch_id":"batch-xyz-001","timestamp":"2026-01-23T14:32:04.345Z"}

Filterable, exportable NDJSON lines keep the entire verification history traceable.
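A consumer-side consistency check for a log in the format excerpted above, as an added example (not Shipyard's own tooling): it parses each line, flags timestamps that go backwards, and reconciles the summary record against the gate events. It assumes records use the field names shown in the excerpt and that the summary counts gate events rather than distinct gates; the function name is hypothetical.

```python
import json
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the excerpt above, one JSON object per line.
SAMPLE = """\
{"ts":"2026-01-23T14:32:00.123Z","gate":"file-hash","path":"src/main.rs","hash":"sha256:abc123..","status":"pass"}
{"ts":"2026-01-23T14:32:01.456Z","gate":"file-hash","path":"docs/README.md","hash":"sha256:def456..","status":"pass"}
{"ts":"2026-01-23T14:32:02.789Z","gate":"commit-signed","commit":"a1b2c3d","signer":"alice@example.com","status":"pass"}
{"ts":"2026-01-23T14:32:03.012Z","gate":"commit-signed","commit":"e4f5g6h","signer":"bob@example.com","status":"pass"}
{"ts":"2026-01-23T14:32:04.345Z","summary":"4/4 gates passed","batch_id":"batch-xyz-001","timestamp":"2026-01-23T14:32:04.345Z"}
"""

def audit_activity_log(text):
    """Return (tallies keyed by (gate, status), findings) for an NDJSON activity log."""
    tallies, findings, last_ts, summary = Counter(), [], None, None
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError as exc:
            findings.append(f"line {n}: not valid JSON ({exc.msg})")
            continue
        try:
            ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        except (KeyError, ValueError, AttributeError, TypeError):
            findings.append(f"line {n}: missing or unparseable ts")
            continue
        if last_ts and ts < last_ts:
            findings.append(f"line {n}: timestamp goes backwards")
        last_ts = ts
        if "summary" in rec:
            summary = (n, str(rec["summary"]))
        elif "gate" in rec and "status" in rec:
            tallies[(rec["gate"], rec["status"])] += 1
        else:
            findings.append(f"line {n}: neither a gate event nor a summary")
    # Assumption: "N/M gates passed" counts gate events, not distinct gates.
    passed = sum(c for (_, s), c in tallies.items() if s == "pass")
    total = sum(tallies.values())
    if summary is None:
        findings.append("no summary record")
    else:
        m = re.fullmatch(r"(\d+)/(\d+) gates passed", summary[1])
        if not m or (int(m[1]), int(m[2])) != (passed, total):
            findings.append(f"line {summary[0]}: summary {summary[1]!r} != {passed}/{total} observed")
    return dict(tallies), findings
```

This checks internal consistency only; it does not verify the signatures or the hashes listed in SHA256SUMS.txt.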

Sample format — Bundle Structure

evidence-pack-20260123/
├── SPEC.md               ← Gate definitions & test results
├── VERIFY_REPORT.md      ← Signature verification summary
├── SHA256SUMS.txt        ← File integrity hashes
├── activity.ndjson       ← Full event log (this format above)
├── gates/
│   ├── file-hash.json    ← Per-gate results
│   └── commit-signed.json
├── artifacts/
│   ├── root.sig          ← Signed manifest
│   ├── bundle.tar.gz.sig ← Signed archive
│   └── cert.pem          ← Verification certificate
└── README.txt            ← Quick start guide

What is inside
  • Audit-ready exports + specs
  • Signed artifacts + checksums
  • Docs + troubleshooting notes

How to use

Install the pack, run your gates, and export the bundle on your own timeline — no calls needed.

1. Download & configure

Grab the portable bundle, install the binaries, and point to your repo.

2. Execute gates

Run Shipyard to trigger smoke, lint, typecheck, unit, build, and artifact gates locally.

3. Export & deliver

Export the NDJSON log + artifact bundle, then share the signed archive with your compliance team.

Who it's for

Shipyard Evidence Pack supports teams that need determinism, audit trails, and reproducible artifacts.

Consulting / agency delivery

Clear proof for clients with reproducible gate logs and invoices.

Security / compliance

Evidence export plus retention keeps SOC 2, ISO 27001, and HIPAA reviewers satisfied.

Ship/Infra teams

Portable bundles + scripts ensure you can re-run, verify, and prove what shipped.

Pricing

Founding access to the Evidence Pack is $299 / month for up to 5 seats. Cancel anytime; no onboarding calls, no added SLA.

Compliance frameworks

SOC 2 · ISO 27001 · NIST 800-53 · HIPAA · PCI DSS · FedRAMP · 21 CFR Part 11 · GxP

Shipyard generates audit-ready evidence for these frameworks. Not a certification.

FAQ

  • Run the pack locally; there are no extra services or onboarding.
  • Support happens via GitHub Issues & Discussions; no SLA.
  • Need deeper integration? We can share automation hooks when you join the waitlist.