Evidence — Deep Reference (Gated)
Gated content notice. This page is part of the gated reference surface. Distribution restricted by NDA. Do not mirror to public channels.
Edition gate
Requires NextPDF Enterprise.
License feature flag
The Evidence surface is gated by the `enterprise.compliance.evidence` capability (Enterprise edition tier). If the entitlement check is denied, the feature is unavailable.
Behavior contract
`EvidencePortal::generateEvidence(string $documentHash, list<EvidenceRecord> $records, ?string $tsaTimestamp = null): EvidencePackage` assembles records into a sealed package, computes pass/fail counts, persists through `EvidenceStoreInterface`, and returns the package. Externally observable rules:
- Immutability. `EvidencePackage` is constructed once and never mutated; it is suitable for WORM storage. `allPassed` is true only when `failedCount === 0`. `passRate` returns `0.0` when `totalFindings === 0` (an empty package is not a pass).
- Determinism. `EvidenceExporter::toJson` produces a stable, reproducible JSON form; `exportHash` returns a 64-character SHA-256 over that JSON. The same package always yields the same digest, independent of time or host.
- Timestamp is evidence of time, not a verdict. A package may carry an optional RFC 3161 token; it binds the package datum to a time value. It is not a legal attestation and does not assert that the content is compliant.
- Regression tracking. `ContinuousMonitor::check(EvidencePackage $current, string $documentHash): MonitorResult` diffs current against stored prior evidence by failed policy name, categorizing issues as `newIssues`, `resolvedIssues`, `unchangedIssues`, with a `hasChanges` flag. `MonitorSchedule`/`MonitorFrequency` drive `isDue`-style polling.
Public API surface
```shell
composer require nextpdf/enterprise:^3
```

```php
namespace NextPDF\Enterprise\Evidence;

final class EvidencePortal
{
    public function __construct(EvidenceStoreInterface $store, EvidenceExporter $exporter);
    public function generateEvidence(string $documentHash, array $records, ?string $tsaTimestamp = null): EvidencePackage;
}

final readonly class EvidencePackage
{
    public function allPassed(): bool;
    public function passRate(): float;
}

final readonly class EvidenceExporter
{
    public function toJson(EvidencePackage $package): string;     // deterministic
    public function exportHash(EvidencePackage $package): string; // 64-char SHA-256
}

final class ContinuousMonitor
{
    public function __construct(EvidenceStoreInterface $store);
    public function check(EvidencePackage $currentEvidence, string $documentHash): MonitorResult;
}
```

Conformance
| Behavior | Reference |
|---|---|
| Time-stamp token binds a datum to a time value | IETF RFC 3161 §2 |
| Document Security Store / long-term validation context | ISO 32000-2:2020 §12.8 |
A timestamp token is evidence of time only. Evidence capture supports audit workflows; it is not a legal attestation or an audit certification.
Edge cases & FIPS-mode behavior
- A package with no records has `passRate === 0.0`; do not interpret an empty package as a pass.
- Durability and access control follow your `EvidenceStoreInterface`; the in-memory store is not durable.
- This module computes SHA-256 and embeds a caller-supplied RFC 3161 token. It performs no signing and no key custody; FIPS-mode behavior is governed by the Security and Signature modules.
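The behavior contract and the edge cases above, modeled in an added example that is not NextPDF code: a hypothetical `SealedPackage` stands in for `EvidencePackage`, the record shape (`policy`, `passed`) and the canonicalization rule (records sorted by policy name, fixed key order) are assumptions, and the digest, `passRate` and the regression diff follow the documented rules.

```php
<?php
declare(strict_types=1);
// Hypothetical model of the documented contract (added example, not NextPDF code); assumed record shape: ['policy' => string, 'passed' => bool].
final readonly class SealedPackage
{
    /** @param list<array{policy: string, passed: bool}> $records */
    public function __construct(public string $documentHash, public array $records,
                                public ?string $tsaTimestamp = null) {} // token is opaque here; nothing is signed
    public function failedCount(): int { return count(array_filter($this->records, fn(array $r): bool => !$r['passed'])); }
    public function allPassed(): bool { return $this->failedCount() === 0; }
    public function passRate(): float   // an empty package scores 0.0; it is not a pass
    {
        $n = count($this->records);
        return $n === 0 ? 0.0 : ($n - $this->failedCount()) / $n;
    }
    /** @return list<string> failed policy names, sorted so comparison ignores record order */
    public function failedPolicies(): array
    {
        $names = array_column(array_filter($this->records, fn(array $r): bool => !$r['passed']), 'policy');
        sort($names, SORT_STRING);
        return $names;
    }
}
// Canonical form (assumed): records ordered by policy name, fixed key order, nothing host- or time-dependent.
function exportJson(SealedPackage $p): string
{
    $records = $p->records;
    usort($records, fn(array $a, array $b): int => strcmp($a['policy'], $b['policy']));
    $data = ['documentHash' => $p->documentHash, 'records' => $records, 'tsaTimestamp' => $p->tsaTimestamp];
    return json_encode($data, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);
}
function exportHash(SealedPackage $p): string { return hash('sha256', exportJson($p)); } // 64 hex chars
// Regression tracking: categorize the current package's failed policies against the prior one.
function checkRegression(SealedPackage $prior, SealedPackage $current): array
{
    [$old, $new] = [$prior->failedPolicies(), $current->failedPolicies()];
    $r = ['newIssues'       => array_values(array_diff($new, $old)),
          'resolvedIssues'  => array_values(array_diff($old, $new)),
          'unchangedIssues' => array_values(array_intersect($new, $old))];
    $r['hasChanges'] = $r['newIssues'] !== [] || $r['resolvedIssues'] !== [];
    return $r;
}
// Constructed sample: the same findings in a different record order must yield the same digest.
$docHash = hash('sha256', 'constructed sample document');
$prior   = new SealedPackage($docHash, [['policy' => 'fonts-embedded', 'passed' => false], ['policy' => 'tagged-pdf', 'passed' => true]]);
$current = new SealedPackage($docHash, [['policy' => 'tagged-pdf', 'passed' => true], ['policy' => 'fonts-embedded', 'passed' => false]]);
$ok = exportHash($prior) === exportHash($current) && !checkRegression($prior, $current)['hasChanges']
    && (new SealedPackage($docHash, []))->passRate() === 0.0 && !$prior->allPassed();
if (!$ok) { throw new RuntimeException('documented contract violated'); }
```

Requires PHP 8.2 or later (readonly classes); the script throws if the export depends on record order, an empty package scores above 0.0, or an unchanged failure set reports changes.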
NDA scan status
This gated page references the public package contract and externally observable behavior only. It contains no internal namespace paths beyond the public supported class names already listed, no internal trait names, no internal store internals, no runbook filenames, and no internal ticket prefixes. Attested in the co-located NDA checklist.
Core fallback
Core and Pro produce findings and reports; sealing those findings into an immutable, deterministic, optionally timestamped package with regression tracking has no Core-tier equivalent. The Enterprise surface depends on findings produced elsewhere; it does not itself perform conformance checks.
Pro fallback
Pro fallback — none; this capability has no Pro-tier equivalent. The sealed evidence package, the deterministic exporter, and the continuous monitor ship in the nextpdf/enterprise package only; the surface consumes findings from the Validation or Compliance surfaces.
Enterprise boundary note
The portal, package, exporter, and monitor are described at the behavior level. The reference in-memory store is documented; durable persistence is supplied by the host, and the store's internals are out of scope and are not reproduced here. This module embeds a caller-supplied TSA token; it does not vouch for the TSA.
Deployment boundary
Packaging and serialization are in-process. The operator supplies a durable store implementation, is responsible for WORM enforcement and access control, and supplies a TSA token from a trusted TSA. Evidence records and document hashes may reference regulated content; residency follows the operator’s store, and retention and minimization controls are the operator’s responsibility.
Legal-compliance boundary
This module is flagged `export_control_class: legal-review-required`; legal sign-off is required before any `publish: true`. Evidence capture supports audit workflows; it is not a legal attestation or an audit certification, and validity and conformance remain properties of the final file plus a validator. This reference is not a legal opinion; consult your own compliance and legal advisers.