External Evidence & Proof
Not all compliance controls can be verified purely by reading source code. For instance, BSI TR-03161 requires proof that cryptographic keys are stored in a certified Hardware Security Module (HSM). Since an HSM is a physical device, the codebase alone cannot prove compliance.
To bridge this gap, azuma nori allows you to attach external documents—PDF certificates, pentest reports, architectural diagrams, or manual screenshot proof—directly into the analysis pipeline.
Types of Evidence
1. Global Evidence
Global evidence applies to your entire project. This includes overarching documentation like your high-level Security Concept, threat models, or network architecture diagrams. When you attach Global Evidence in the Standalone Client, the Indexing Phase ingests these documents and incorporates them into the local Wiki, making the knowledge available to all evaluating sub-agents.
2. Per-Control Evidence
Per-Control evidence is pinned specifically to a single compliance requirement. For example, you can attach your HSM vendor certification directly to control O.Cryp_2.
When the sub-agent evaluates that specific control, nori guarantees that the attached document is explicitly injected into the LLM's context window for that exact evaluation cycle, ensuring the agent uses it to grant a Pass status.
Document Evidence Indexing
Rather than feeding raw, token-heavy evidence files directly into control evaluations, nori uses a structured Document Indexing phase to compile files into concise, AI-readable summaries.
The Extraction Routes: Text vs. Visual
Nori supports indexing for a wide variety of formats (PDF, images, Word/Excel/PowerPoint, and text) using two distinct routes based on the configured model connection type:
- Visual Indexing (CLI Models): When indexing using a local agent CLI (like the Claude CLI), nori utilizes the model's native visual processing capabilities to extract layout, text, scanned pages, and architecture diagrams directly.
- Text-Only Extraction (Direct API): When running via Direct Cloud API, nori extracts the raw text layer using local parsers. Files with no extractable text (like scanned PDFs without an OCR layer or raw images) will generate a placeholder.
Folder Ref-Expansion
In the Evidence tab, you can point nori to entire directories of documentation. The engine automatically expands these directory references into individual files, which can then be individually indexed and custom-mapped.
Wiki (Files) & Control Linkage
Once indexed, the files appear in the Wiki (Files) tab of the dashboard. Here, you can:
- Browse the AI-generated structured summaries and Synopses.
- See which controls each file is linked to.
- Override linkages manually (e.g. marking a file as "General/Applies to All Controls" or pinning it to a specific BSI requirement).
Evaluation & Token Optimization
During a compliance run, nori feeds only the curated summaries into the LLM context instead of the raw document content:
- General Documents: Contribute a single-line synopsis to the general context.
- Control-Specific Documents: Contribute their full structured summary to the specific control evaluation.
This hybrid approach ensures the sub-agents have access to precise, auditor-satisfying evidence references without inflating API costs or overloading the prompt context.