Verify an export bundle.

Someone handed you a Loupe bundle. This page is for you — the recipient. The bundle is self-contained. You don't need to install Loupe, you don't need the original case file, and you don't need to contact the sender. Standard Unix tools (shasum, xmllint, unzip) are the entire toolkit.

1. Unpack what you received

You received either a directory or a .zip. If it's a zip, unpack it. A standard zip has no password; if the zip is password-protected, the sender will have shared the password out-of-band:

# Standard zip (most common)
unzip rca-PRB-20260427-A1B2-2026-04-27-orders-outage.zip

# Password-protected zip
unzip -P <password> rca-PRB-20260427-A1B2-2026-04-27-orders-outage.zip

cd into the resulting directory. From here, every command is run inside it.

2. Verify every file is intact

Hashes.txt is a standard shasum-format file — one SHA-256 per line. Verify with the Apple-bundled shasum:

shasum -a 256 -c Hashes.txt

Every file in the bundle should report : OK. A single : FAILED means that file was modified or corrupted after export. Stop and contact the sender — do not proceed.

On Linux, sha256sum -c Hashes.txt works the same way (shasum is BSD; sha256sum is GNU coreutils).

3. Inspect the manifest

Manifest.json is the machine-readable summary. Pretty-print it:

python3 -m json.tool Manifest.json | less

Read the top-level fields:

  • formatVersion — bundle schema version (current: 1)
  • toolVersion — Loupe version that produced this
  • caseID + problemID — sender's internal references
  • templateID — the RCA template (Google SRE / Atlassian / PagerDuty / ITIL PIR / DMAIC)
  • redactionApplied + redactionTargets — exactly what classes of data were redacted from the writeup
  • files — every file in the bundle with its SHA-256, size, and role

If redactionApplied: false, the writeup contains every email / IP / token verbatim. Ask yourself if that's appropriate for your audit context before forwarding.

4. Validate the IODEF (optional)

IODEF.xml conforms to RFC 7970 v2. If you have an IR or ITSM pipeline that accepts IODEF, feed it the file directly. To sanity-check that it parses:

xmllint --noout --format IODEF.xml
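xmllint --xpath '//*[local-name()="IncidentID"]/text()' IODEF.xml

The first command parses the file and exits 0 if it is well-formed XML; it does not validate the document against the IODEF schema. The second extracts the Incident ID, matching on the element's local name so the query works whether or not the document declares the IODEF namespace. The ID is useful for cross-referencing in your ticketing system.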

5. Read the writeup

Three formats; same content. Pick whichever your audience prefers:

open RCA.pdf      # macOS, opens in Preview
open RCA.html     # any modern browser
cat RCA.md        # quick text peek

Citations in the PDF render as footnote markers. The HTML version makes them clickable into Supporting Evidence/timeline.csv. The Markdown is byte-identical to what the editor produced — useful if you want to re-publish in your own system.

6. Cross-reference the supporting evidence

Supporting Evidence/ ships three CSVs:

  • timeline.csv — every event ≥ notice severity
  • action-items.csv — rule fires + recommended commands
  • affected-assets.csv — classified hosts / IPs / services

If Raw Logs/ is present (sender opted in), the original log files are there with their ingest-time SHA-256 prefix in the filename. You can re-derive any citation from the writeup against those files yourself — the exact byte ranges are preserved.

Trust established.

Hashes match, manifest reads clean, writeup parses. The bundle is the same one the sender produced, has not been modified in transit, and discloses exactly what processing was applied. This is the chain-of-custody guarantee Loupe is built around.