Evidence Bundles
An evidence bundle is a portable .peac.tar.gz archive containing receipts, policy snapshots, public keys, and verification reports. Bundles are the unit of evidence exchange -- self-contained packages that can be verified offline by any party.
Bundle structure
Every evidence bundle follows a fixed directory layout.
evidence-bundle.peac.tar.gz
  manifest.json                    # Bundle metadata and content index
  receipts/                        # Signed JWS receipts
    rec_01HZQX....jws
    rec_01HZQY....jws
  policies/                        # Policy snapshots at time of interaction
    api.example.com.peac.txt
  keys/                            # Public keys for offline verification
    api.example.com.jwks.json
  reports/                         # Verification reports
    verification-report.json
The bundle captures the complete verification context: the receipt itself, the policy that was in effect, and the keys needed to verify the signature -- all frozen at a point in time.
Manifest
The manifest.json serves as the table of contents for the bundle, listing every included artifact and its integrity hash.
{
  "version": "peac-bundle/0.1",
  "created_at": "2026-02-19T12:00:00Z",
  "receipts": [
    "receipts/rec_01HZQX....jws",
    "receipts/rec_01HZQY....jws"
  ],
  "policies": [
    "policies/api.example.com.peac.txt"
  ],
  "keys": [
    "keys/api.example.com.jwks.json"
  ],
  "reports": [
    "reports/verification-report.json"
  ],
  "peac_txt_hash": "sha256:abc123..."
}
The peac_txt_hash field records the SHA-256 hash of the included policy snapshot, enabling tamper detection even when the original policy has since changed.
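A recipient can check the manifest against the archive contents before trusting anything inside it. The following is an added example, not part of the PEAC documentation or the @peac/protocol API: checkBundle, sampleBundle and SECTIONS are hypothetical names, the archive is represented as an in-memory map of member path to bytes, and the hash is assumed to be hex-encoded over the raw policy bytes. It checks structure and the policy hash only; it does not verify the JWS signatures.

```javascript
const crypto = require('node:crypto');
const sha256Hex = (buf) => crypto.createHash('sha256').update(buf).digest('hex');
// Directory that each manifest list must point into, per the bundle layout.
const SECTIONS = { receipts: 'receipts/', policies: 'policies/', keys: 'keys/', reports: 'reports/' };
// files: Map of archive member path -> Buffer, filled by your tar reader of choice.
function checkBundle(files) {
  const raw = files.get('manifest.json');
  if (!raw) return ['manifest.json missing'];
  let manifest;
  try { manifest = JSON.parse(raw.toString('utf8')); } catch { manifest = null; }
  if (manifest === null || typeof manifest !== 'object') return ['manifest.json is not a JSON object'];
  const problems = [];
  const listed = new Set(['manifest.json']);
  for (const [section, prefix] of Object.entries(SECTIONS)) {
    const paths = Array.isArray(manifest[section]) ? manifest[section] : [];
    for (const p of paths) {
      listed.add(p);
      const inside = typeof p === 'string' && p.startsWith(prefix) && !p.split('/').includes('..');
      if (!inside) problems.push(`${section}: entry escapes ${prefix}: ${p}`);
      else if (!files.has(p)) problems.push(`${section}: listed but absent: ${p}`);
    }
  }
  // Members the manifest does not account for are treated as a finding too.
  for (const p of files.keys()) if (!listed.has(p)) problems.push(`unlisted member: ${p}`);
  // Assumption: peac_txt_hash is "sha256:" + hex digest of the single policy snapshot's raw bytes.
  const policy = files.get(Array.isArray(manifest.policies) ? manifest.policies[0] : undefined);
  if (policy && 'sha256:' + sha256Hex(policy) !== manifest.peac_txt_hash) problems.push('peac_txt_hash mismatch');
  return problems;
}

// Constructed sample bundle (placeholder contents, not real PEAC data).
function sampleBundle() {
  const policy = Buffer.from('# constructed policy snapshot\n');
  const manifest = {
    version: 'peac-bundle/0.1',
    receipts: ['receipts/rec_sample.jws'],
    policies: ['policies/api.example.com.peac.txt'],
    keys: ['keys/api.example.com.jwks.json'],
    reports: ['reports/verification-report.json'],
    peac_txt_hash: 'sha256:' + sha256Hex(policy),
  };
  return new Map([
    ['manifest.json', Buffer.from(JSON.stringify(manifest))],
    [manifest.receipts[0], Buffer.from('constructed.jws.placeholder')],
    [manifest.policies[0], policy],
    [manifest.keys[0], Buffer.from('{"keys":[]}')],
    [manifest.reports[0], Buffer.from('{}')],
  ]);
}
```

An empty result means the manifest and archive agree; signature verification of each receipt against the bundled JWKS is a separate step.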
Creating a bundle
Use @peac/protocol to create evidence bundles programmatically.
import { createEvidenceBundle } from '@peac/protocol';
const bundle = await createEvidenceBundle({
  receipts: [receipt1, receipt2],
  policyUrl: 'https://api.example.com/.well-known/peac.txt',
  issuerUrl: 'https://api.example.com',
  output: './evidence-2026-02-19.peac.tar.gz',
});
console.log(`Bundle created: ${bundle.path}`);
console.log(`Receipts included: ${bundle.receiptCount}`);
The function fetches the current policy and JWKS from the issuer, runs verification on all receipts, and packages everything into a single archive.
MCP server bundling
AI agents using the PEAC MCP server can create evidence bundles via the peac_create_bundle tool.
The peac_create_bundle tool is a privileged operation that requires explicit capability configuration in the MCP server policy file. It is disabled by default. See the MCP server configuration for setup instructions.
{
  "tool": "peac_create_bundle",
  "arguments": {
    "receipts": ["<jws1>", "<jws2>"],
    "issuer_url": "https://api.example.com",
    "output_path": "./evidence.peac.tar.gz"
  }
}
CLI bundling
Create evidence bundles from the command line.
npx peac bundle create \
  --receipts receipt1.jws receipt2.jws \
  --issuer https://api.example.com \
  --output evidence.peac.tar.gz
The CLI fetches the issuer's policy and keys, verifies all receipts, and produces the archive.
Verification report
Every bundle includes a structured verification report documenting the outcome of each receipt verification at bundle creation time.
{
  "verified_at": "2026-02-19T12:00:00Z",
  "receipts": [
    {
      "jti": "rec_01HZQX...",
      "verified": true,
      "checks": [
        { "id": 1, "name": "signature_valid", "passed": true },
        { "id": 2, "name": "algorithm_allowed", "passed": true },
        { "id": 3, "name": "type_header_present", "passed": true }
      ],
      "policy_binding": "unavailable"
    }
  ],
  "summary": {
    "total": 2,
    "verified": 2,
    "failed": 0
  }
}
Use cases
- Billing disputes -- Bundle receipts proving what was consumed, at what price, and under what terms. Both parties can independently verify the evidence offline.
- Compliance audits -- Export evidence of terms acceptance, consent acknowledgment, and policy compliance for regulatory review.
- Safety reviews -- Portable artifacts for cross-organization incident investigation. Each bundle is self-contained and verifiable without access to the original issuer.
- Regulatory submissions -- Self-contained evidence packages for regulators that include all context needed for independent verification.
- Dispute resolution -- Provide timestamped, signed proof of exactly what happened during an interaction, with the policy snapshot that was in effect at the time.