Neural Inverse is Open Source →
DocsAudit Bundle

Audit Bundle

At cutover, the IDE exports a tamper-evident audit bundle that records every translation decision, approval, divergence, and sign-off. The bundle is your compliance evidence for regulated migrations.

Structure

IAuditBundle {
  sessionId: string                // session identifier
  exportedAt: number               // Unix timestamp (ms)
  migrationPattern: string         // e.g. "cobol-to-typescript"
  sourceProjects: string[]         // source project labels
  targetProjects: string[]         // target project labels
  complianceFrameworks: string[]   // detected frameworks (e.g. ["iso-26262", "iec-61508"])
  units: IAuditUnitRecord[]        // one record per approved unit
  bundleHash: string               // FNV-1a hash of all unit records
  chainIntegrity: boolean          // true = hash verified on export
}

Unit Record

IAuditUnitRecord {
  unitId: string
  sourceFile: string               // relative path in source project
  targetFile: string               // relative path in target project
  sourceLang: string
  targetLang: string
  outcome: 'approved' | 'skipped' | 'rejected'
  confidence: 'high' | 'medium' | 'low'
  fingerprintSimilarity: number    // 0.0–1.0
  translationVersion: number       // how many times this unit was re-translated
  decisions: IAuditDecision[]      // all human decisions raised + resolved
  divergences: IAuditDivergence[]  // all divergences detected + reviewed
  approvedBy?: string              // user ID who approved
  approvedAt?: number              // approval timestamp
  signOffs: IAuditSignOff[]        // compliance officer sign-offs
  techDebtItems: string[]          // tech debt categories detected at discovery
  blockers: string[]               // blocker types detected at planning
}

Decision Record

IAuditDecision {
  decisionId: string
  type: 'type-mapping' | 'naming' | 'rule-interpretation' | 'architecture'
  description: string
  resolution: string               // what was decided
  resolvedBy: string
  resolvedAt: number
}

Divergence Record

IAuditDivergence {
  divergenceId: string
  type: string                     // see Validation divergence types
  description: string
  reviewedBy: string
  reviewedAt: number
  accepted: boolean                // true = accepted as expected difference
}

Sign-off Record

IAuditSignOff {
  role: string                     // e.g. "compliance-officer", "security-architect"
  signedBy: string
  signedAt: number
  comment?: string
}

Tamper Evidence

The bundle hash is a FNV-1a hash computed over the serialised unit records array (JSON, sorted by unitId). It is computed and embedded at export time.

To verify integrity after the fact:

import { verifyAuditBundleIntegrity } from 'neural-inverse-sdk'

const bundle = JSON.parse(fs.readFileSync('migration-audit.json', 'utf8'))
const isIntact = verifyAuditBundleIntegrity(bundle)
// true = bundle has not been modified since export

verifyAuditBundleIntegrity re-computes the FNV-1a hash over the unit records and compares against the stored bundleHash. Any post-export modification — even whitespace changes in the unit records — will cause the check to fail.

Exporting the Bundle

The audit bundle is exported automatically at cutover. It is also available for manual export at any time after cutover:

Neural Inverse: Export Audit Bundle

The bundle is written to the target project root as migration-audit-<sessionId>.json.

Using the Bundle for Compliance

The bundle provides evidence for:

  • ISO 26262: Traceability from source ASIL-rated units to approved translated equivalents with formal verification sign-offs
  • IEC 61508: SIL-rated unit translation history with independent verification records
  • MISRA-C: Decision records showing rationale for deviations
  • IEC 62443: Audit trail for OT/ICS modernisation with zone isolation sign-offs
  • 3GPP / GSMA: Security architect sign-offs on key material externalisation

The chainIntegrity: true field is your tamper-evidence assertion. Include the bundle as an attachment in your safety case or compliance dossier.


Was this page helpful?

Last edited