Technical

Export bundle anatomy.

Every Loupe export produces the same directory shape. The bundle is self-contained — recipients can read it, validate it, and re-derive findings from it without Loupe installed and without the original case file.

Directory shape

rca-PRB-20260427-A1B2-2026-04-27-orders-outage/
├── README.md                       Bundle index + verification commands
├── RCA.md                          Narrative — Markdown
├── RCA.html                        Same narrative — single-file HTML
├── RCA.pdf                         Same narrative — US Letter PDF
├── IODEF.xml                       RFC 7970 v2 incident description
├── Supporting Evidence/
│   ├── timeline.csv                Events ≥ notice severity + citations
│   ├── action-items.csv            Rule fires + recommended commands
│   └── affected-assets.csv         Classified hosts / IPs / services
├── Raw Logs/                       (Optional — opt-in at export time)
│   └── {sha-prefix}-{name}
├── Hashes.txt                      SHA-256 of every bundle file
└── Manifest.json                   Machine-readable bundle metadata

If the operator chose to also produce an encrypted zip, a sibling .zip appears next to the directory.

What every file contains

README.md
Index + verification recipe
Description
Plain-language entry point. Tells the recipient what the bundle is, names every file with one-line description, and includes the verification commands they should run.
Format
CommonMark Markdown
RCA.md
Narrative report
Description
The writeup the operator produced. Markdown is the canonical form; HTML and PDF are rendered from it. Citation footnotes resolve to events in Supporting Evidence/timeline.csv.
Format
CommonMark Markdown
RCA.html
Narrative report (web)
Description
Single-file HTML rendering with inline CSS and dark/light-aware print styles. No external assets. Open in any browser; print to PDF if you want a re-rendered version.
Format
HTML5
RCA.pdf
Narrative report (print)
Description
US Letter portrait, 0.5″ margins, rendered via WebKit from the same HTML. The PDF embeds page-numbered citation footnotes for read-only audiences.
Format
PDF/A-compatible
IODEF.xml
Machine-readable findings
Description
RFC 7970 v2 Incident Object Description Exchange Format (xmlns="urn:ietf:params:xml:ns:iodef-2.0"). Encodes the Incident, Affected Assets, BusinessImpact, EventData, and Action Items from the case. Any IODEF-aware IR / ITSM pipeline can ingest it.
Format
IODEF v2 (RFC 7970)
Supporting Evidence/
Citations + correlation
Description
Three CSVs the writeup references: timeline.csv (every event ≥ notice severity, with citation refs), action-items.csv (rule fires + recommended commands), affected-assets.csv (classified hosts/IPs/services).
Format
CSV (RFC 4180)
Raw Logs/
Optional
Original sources
Description
Copies of the original log files attached to the case, named with their ingest-time SHA-256 prefix. Off by default — the operator opts in during export. When present, every byte cited in the writeup can be re-derived against these files independently.
Format
As ingested
Hashes.txt
Recipient verification
Description
Standard `shasum -a 256` format: one SHA-256 + filename per line, covering every other file in the bundle. Verify with `shasum -a 256 -c Hashes.txt` (BSD) or `sha256sum -c Hashes.txt` (GNU).
Format
shasum (SHA-256, BSD/GNU compatible)
Manifest.json
Structured metadata
Description
Machine-readable bundle index: format version, generation timestamp, tool version, case + problem ID, template ID, redaction posture, and a sorted list of every file with SHA-256, size, and role.
Format
JSON (UTF-8)

Manifest.json schema

Top-level fields. Recipients can read this with jq or python3 -m json.tool.

formatVersion: 1Bundle schema version. Loupe v1 always emits 1.
createdAt: "2026-04-27T14:11:08Z"ISO-8601 UTC timestamp of the export.
toolName: "Loupe"Producing application.
toolVersion: "1.0.0"Producing application version.
caseID: "E5A1...0F2C"Loupe-internal case UUID.
caseName: "orders-api outage"Operator-given case name.
problemID: "PRB-20260427-A1B2"ITIL Problem ID, auto-generated.
templateID: "google-sre" | "atlassian" | "pagerduty" | "itil-pir" | "dmaic"RCA template the writeup uses.
redactionApplied: true | falseWhether any redaction targets were applied to the writeup.
redactionTargets: ["email","ipv4","bearer-token"]Exact list of targets applied. Recipients can see at a glance what was scrubbed.
files: [{path, sha256, size, role}, …]Sorted list of every file in the bundle with chain-of-custody data. Roles: writeup, supporting, raw, manifest.

Naming + path safety

Bundle directories are named:

rca-{problemID}-{YYYY-MM-DD}-{slug}

The slug is sanitized to lowercase alphanumeric + hyphens and truncated to a safe filesystem length. Path-traversal attempts (case names containing ../../../etc/passwd or absolute paths) are flattened. Bundle directories are guaranteed to land inside the parent folder the operator chose.

All docs Audit log format