Skip to content

Compliance Export

KCP Harness can generate compliance evidence bundles from its audit log, mapped to SOC 2 Type II and ISO 27001:2022 controls.

Quick Start

bash
# Export both SOC 2 and ISO 27001 evidence
kcp-harness export \
  --format both \
  --org "Your Company" \
  --from 2026-07-01 \
  --to 2026-07-07 \
  --out evidence/

Output Structure

evidence/
  manifest.json           — generator, date range, statistics
  raw/
    sessions.json         — all sessions with event counts
    statistics.json       — aggregate metrics
  soc2/
    CC6.1-logical-access.json
    CC6.3-authorized-access.json
    CC6.6-system-boundaries.json
    CC7.2-monitoring.json
    CC8.1-change-management.json
    summary.md            — auditor-ready report
  iso27001/
    A.8.3-access-restriction.json
    A.8.4-source-code-access.json
    A.8.15-logging.json
    A.8.16-monitoring.json
    A.5.23-cloud-services.json
    summary.md            — auditor-ready report

SOC 2 Type II Controls

ControlNameMaps From
CC6.1Logical Access ControlsGoverned tool calls with authorization decisions
CC6.3Authorized AccessPlan-first mode pre-authorization
CC6.6System BoundariesAll tool calls with governed/pass-through classification
CC7.2Monitoring ActivitiesAll audit events
CC8.1Change ManagementTemporal drifts and plan invalidations

ISO 27001:2022 Annex A Controls

ControlNameMaps From
A.8.3Information Access RestrictionGoverned tool calls
A.8.4Access to Source CodeRead/Glob/Grep in governed domains
A.8.15LoggingSession lifecycle events
A.8.16Monitoring ActivitiesDrifts, budget exceeded, blocked access
A.5.23Cloud Services SecurityManifest signature verification

CLI Options

FlagDescriptionDefault
--formatsoc2, iso27001, or bothboth
--orgOrganization name for report headers
--fromStart date filter (ISO 8601)
--toEnd date filter (ISO 8601)
--outOutput directoryevidence
--auditPath to audit JSONL logfrom config or .kcp-harness/audit.jsonl
--configPath to harness configharness.yaml

How Mapping Works

The mapping is deterministic: audit events map to specific control IDs based on their type and outcome fields. No manual tagging, no AI classification — just predicate filters over structured data.

Audit Event (type + outcome + classification)

  ├─ type === "tool_call" && governed === true  →  CC6.1, A.8.3
  ├─ mode === "plan-first"                      →  CC6.3
  ├─ type === "tool_call"                       →  CC6.6
  ├─ always                                     →  CC7.2
  ├─ type === "temporal_drift"                  →  CC8.1, A.8.16
  ├─ toolCall.name in [Read, Glob, Grep]        →  A.8.4
  ├─ type in [session_start, session_end]       →  A.8.15
  └─ signature !== undefined                    →  A.5.23

Programmatic API

typescript
import { exportEvidence } from "kcp-harness";

const result = await exportEvidence({
  auditPath: ".kcp-harness/audit.jsonl",
  outputDir: "evidence",
  format: "both",
  organization: "Acme Corp",
  dateRange: { from: "2026-07-01", to: "2026-07-07" },
});

console.log(`Exported ${result.files.length} files`);
console.log(`${result.summary.events} events, ${result.summary.sessions} sessions`);

Released under the Apache 2.0 License.