Produce a regulator-ready audit export with R+3
By the end of this tutorial you'll have generated a complete R+3 audit bundle for an agent — every signed action, every memory write, every settlement — packaged in a format an auditor at MeitY, the EU AI Office, or a Fortune 500 compliance team can verify without needing access to your infrastructure.
What R+3 is
R+2 (which you've been using) defines the receipt for a single agent action. R+3 builds on top of it to define a complete tamper-evident audit trail format — what a regulator receives when they ask "show me everything this agent did between [date] and [date]".
An R+3 bundle contains:
- Every R+2 receipt for the agent in the time window, in chain order
- A manifest signed by the agent's key, listing all included receipts
- The agent's public key (so the regulator can verify everything without our cooperation)
- Optional: a Merkle tree of the bundle's receipts for batch-verification
- Compliance metadata mapped to the relevant regulation (RTI, DPDP §8, EU AI Act Art. 12, etc.)
Step 01 Generate the export
One API call produces a full audit bundle:
curl -X POST https://api.dcslabs.ai/v1/audit/export \
  -H "Authorization: Bearer $DCS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_id": "0348",
    "from": "2026-05-01T00:00:00Z",
    "to": "2026-05-31T23:59:59Z",
    "profile": "r2-gov-v1",
    "include_merkle": true,
    "include_pdf": true
  }'
The profile parameter tells the API which sectoral profile to apply:
| Profile | Use for |
|---|---|
| r2-base-v1 | Generic export, no sector-specific fields |
| r2-gov-v1 | Government / public sector — RTI + DPDP §8 |
| r2-finance-v1 | Finance / banking — PSD2, RBI, MAS, SOX |
| r2-health-v1 | Healthcare — HIPAA, GDPR Art. 9, DPDP §9 |
Step 02 What you get back
The response is a JSON manifest plus download links:
{
  "export_id": "exp_a83f12cd",
  "agent_id": "0348",
  "time_window": { "from": "2026-05-01T00:00:00Z", "to": "2026-05-31T23:59:59Z" },
  "receipt_count": 247,
  "profile": "r2-gov-v1",
  "merkle_root": "sha256:f4a8b2...",
  "chain_head_at_export": "sha256:bafy2bz...",
  "manifest_signature": "ed25519:zX7Yp...",
  "downloads": {
    "json_bundle": "https://api.dcslabs.ai/v1/audit/exports/exp_a83f12cd/bundle.json",
    "ndjson": "https://api.dcslabs.ai/v1/audit/exports/exp_a83f12cd/bundle.ndjson",
    "pdf_summary": "https://api.dcslabs.ai/v1/audit/exports/exp_a83f12cd/summary.pdf",
    "zip_archive": "https://api.dcslabs.ai/v1/audit/exports/exp_a83f12cd/full.zip"
  },
  "generated_at": "2026-05-21T15:42:08Z"
}
Step 03 Download the full ZIP
curl -O https://api.dcslabs.ai/v1/audit/exports/exp_a83f12cd/full.zip
unzip full.zip -d audit-export/
You'll have:
audit-export/
├── manifest.json                  # signed manifest of everything in the bundle
├── bundle.json                    # all R+2 receipts in chain order
├── bundle.ndjson                  # same, newline-delimited (for streaming)
├── summary.pdf                    # human-readable summary for the auditor's eyes
├── verification-instructions.md   # how to verify the bundle (auditor's runbook)
└── pubkey.txt                     # the agent's public key
Step 04 Verify the bundle yourself first
Before handing the bundle to an auditor, verify it yourself:
cd audit-export
npx @trdnetwork/r2-verify bundle --bundle bundle.json --pubkey-file pubkey.txt
Expected output:
Verifying R+3 audit bundle...
Manifest signature: ✓ valid
Receipt count: 247 / 247 expected
Chain integrity: ✓ unbroken
Merkle root: sha256:f4a8b2... ✓ matches
Time window: ✓ within bounds
Sectoral profile: r2-gov-v1 ✓ compliant
Bundle verified. Safe to hand to auditor.
Step 05 Hand to the auditor
Email the ZIP to the regulator. The bundle is self-contained — they don't need any access to your systems. They run:
npx @trdnetwork/r2-verify bundle --bundle bundle.json --pubkey-file pubkey.txt
If it returns "Bundle verified", they have cryptographic proof that:
- Every receipt was actually signed by the agent claiming to have done the action
- The bundle hasn't been tampered with since you generated it
- The chain of receipts is unbroken (no actions hidden, no actions inserted)
- The time window is what you claimed
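To make the chain-order and Merkle-tree items in the bundle description, and the "no actions hidden, no actions inserted" guarantee above, concrete: the following is an added sketch, not the r2-verify implementation or the R+2 wire format. The manifest field names `receipt_count`, `merkle_root` and `chain_head_at_export` come from the Step 02 response; the receipt fields (`seq`, `action`, `prev_hash`), the canonical-JSON hashing, the bare-hex digests and the Merkle construction are assumptions, and all data is constructed.

```python
import hashlib
import json

def digest(obj):
    """SHA-256 of canonical JSON (sorted keys, compact). Assumed canonicalisation."""
    raw = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def merkle_root(leaf_hashes):
    """Root over hex leaf hashes; 00/01 prefixes separate leaves from inner nodes."""
    level = [hashlib.sha256(b"\x00" + bytes.fromhex(h)).digest() for h in leaf_hashes]
    while len(level) > 1:
        pairs = [level[i:i + 2] for i in range(0, len(level), 2)]
        # An unpaired last node is promoted unchanged rather than duplicated.
        level = [hashlib.sha256(b"\x01" + p[0] + p[1]).digest() if len(p) == 2 else p[0]
                 for p in pairs]
    return level[0].hex()

def check_bundle(receipts, manifest):
    """Return a list of problems; an empty list means receipts match the manifest."""
    problems = []
    if len(receipts) != manifest["receipt_count"]:
        problems.append("receipt_count mismatch")
    # Each receipt must commit to the hash of the one before it.
    for prev, cur in zip(receipts, receipts[1:]):
        if cur["prev_hash"] != digest(prev):
            problems.append(f"chain broken before seq {cur['seq']}")
    hashes = [digest(r) for r in receipts]
    # The last receipt must be the chain head the manifest recorded.
    if not hashes or hashes[-1] != manifest["chain_head_at_export"]:
        problems.append("chain head mismatch")
    if hashes and merkle_root(hashes) != manifest["merkle_root"]:
        problems.append("merkle root mismatch")
    return problems

def build_sample(n=5):
    """Constructed sample data: n chained receipts plus a matching manifest."""
    receipts, prev = [], "0" * 64
    for seq in range(n):
        receipts.append({"seq": seq, "action": f"constructed-action-{seq}", "prev_hash": prev})
        prev = digest(receipts[-1])
    hashes = [digest(r) for r in receipts]
    manifest = {"receipt_count": n, "chain_head_at_export": hashes[-1],
                "merkle_root": merkle_root(hashes)}
    return receipts, manifest

if __name__ == "__main__":
    receipts, manifest = build_sample()
    print("intact:", check_bundle(receipts, manifest))
    print("receipt 2 removed:", check_bundle(receipts[:2] + receipts[3:], manifest))
```

These checks only bind the receipts to the manifest; they mean something only once the manifest's Ed25519 signature has been verified. A public key that arrives inside the same ZIP authenticates nothing on its own, so the auditor should compare it against a fingerprint obtained through a separate channel.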
Step 06 Sectoral profile compliance mapping
When you use profile: "r2-gov-v1", the export automatically includes a compliance mapping:
{
  "profile_compliance": {
    "r2-gov-v1": {
      "rti_act_section": "§4(1)(b)(xvi)",
      "dpdp_act_clauses": ["§8(4)", "§8(5)", "§8(8)"],
      "data_principal_rights": "verifiable via §7",
      "breach_notification_window": "72 hours per §8(6)",
      "children_data": "none processed (§8(8) confirmed)"
    }
  }
}
This makes it trivially clear to an Indian auditor (MeitY, DPB, court-appointed) exactly which clauses of which statute the export satisfies.
Step 07 Long-term durability
If you need to keep the export verifiable for years (regulators often require 7-10 year retention), pin to IPFS via Filecoin:
curl -X POST https://api.dcslabs.ai/v1/audit/exports/exp_a83f12cd/pin \
  -H "Authorization: Bearer $DCS_API_KEY" \
  -d '{ "duration_years": 10 }'
Response:
{
  "ok": true,
  "ipfs_cid": "bafybeih...",
  "filecoin_deals": [
    { "miner": "f01234", "duration_years": 10, "deal_id": "9876" },
    { "miner": "f05678", "duration_years": 10, "deal_id": "9877" }
  ],
  "permanent_url": "ipfs://bafybeih...",
  "gateway_url": "https://ipfs.io/ipfs/bafybeih..."
}
The bundle now lives across multiple Filecoin storage providers for 10 years. Anyone can fetch it via the IPFS gateway URL and verify it independently — even decades after DCS Labs as a company stops existing.
Step 08 What to send with the export
When emailing the audit bundle to a regulator, include a brief cover note:
Subject: Audit export for Agent #0348 — May 2026 window
To: [auditor@regulator]
From: [email protected]

Attached: audit-export.zip (containing 247 signed R+2 receipts plus manifest, summary PDF, and verification instructions).

To verify the bundle:
1. Unzip the archive
2. Install the verifier: npm install -g @trdnetwork/r2-verify
3. Run: r2-verify bundle --bundle bundle.json --pubkey-file pubkey.txt

If the verifier returns "Bundle verified", you have cryptographic proof of the agent's complete action history during the window.

Compliance mapping for this export:
- RTI Act §4(1)(b)(xvi) — public-disclosure ready
- DPDP Act §8(4)(5)(6)(8) — full compliance confirmed
- DCS Labs DPDP §8 statement: https://dcsai.ai/dpdp

Permanent IPFS URL (for archival): ipfs://bafybeih...
Permanent storage: 10-year Filecoin deals (deal IDs in manifest)

Happy to walk through any specific receipt or answer technical questions. The R+2 specification is at https://dcslabs.ai/standard.

Best,
Deepak
Compliance mappings reference
| Regulation | What R+3 export satisfies |
|---|---|
| RTI Act §4(1)(b)(xvi) | Proactive disclosure of AI decision-making |
| DPDP Act §8 | Accuracy + safeguards + breach + children's data |
| EU AI Act Art. 12 | High-risk AI system logging |
| EU AI Act Art. 26 | Deployer's record-keeping obligations |
| GDPR Art. 30 | Records of processing activities |
| NIST AI RMF GOVERN-1.4 | Documentation of model decisions |
| HIPAA §164.312(b) | Audit controls (when r2-health-v1 profile used) |
| SOX §302/§404 | Internal controls (when r2-finance-v1 profile used) |
Pricing
R+3 audit exports are billed by bundle size and IPFS pinning duration:
- Free tier: 1 export/month, up to 1,000 receipts per export, 1-year IPFS pin
- Builder ($29/mo): 10 exports/month, up to 10K receipts per export, 5-year IPFS pin
- Sovereign (custom): Unlimited exports + indefinite IPFS pin + Filecoin durability guarantees
What's next
You've completed the full 6-tutorial sequence, going from zero to producing regulator-ready audit exports of cryptographically signed agent histories. Here's what to build with this foundation:
- Ship a real agent to production. Use the same patterns at scale.
- Build a sectoral profile. If your industry needs a custom R+2 profile, propose it via GitHub.
- Hand the standard to your compliance team. Share dcslabs.ai/standard with your legal/compliance department; they'll know how to use it.
- Help us improve. Email [email protected] with what worked, what broke, what's missing.