
Export a Canvas

Three formats — PDF, JSON, Markdown — each with the same Evidence chain, cloud-console links, and redaction control.

Shipped vs roadmap

PDF export is the shipped format today. JSON and Markdown exports are designed (the schemas below are the target shape) but not yet shipped — they'll land alongside the typed Evidence work. If you need a JSON or Markdown export today, ping your Tessell contact.


The three formats

| Format | Best for | What's in it |
| --- | --- | --- |
| PDF | Auditor packs, board readouts, anything that needs to be printable and accept-on-sight | Cover page, claims with footnoted citations, appendix with the full Evidence records, cloud-console deep links as labelled URLs |
| JSON | SIEM ingest (Splunk, Datadog), GRC tools (Drata, Vanta), or your own pipeline | Top-level findings with evidence_refs[], separate evidence[] array (de-duped), console_links[] preserved verbatim |
| Markdown | Notion, Confluence, GitHub Issues, Jira descriptions, Slack messages | Claims as bullets, Evidence in expandable <details> blocks, inline [View in Console](https://...) links |

Every Evidence record in a Canvas carries one or more cloud-console deep links — direct URLs into AWS Console or Azure Portal for the resource the claim is about. These survive into the export:

  • In a PDF, console links render as labelled clickable URLs at the bottom of each cited claim (e.g. View bucket in S3 Console ↗)
  • In JSON, they're preserved as console_links[] on each Evidence record
  • In Markdown, they render as inline links under each cited claim

An auditor reading the PDF doesn't have to take the report on faith — they click the link and verify the claim in the cloud's own UI.


Redaction

Three classes, chosen at export time:

| Class | What's masked |
| --- | --- |
| standard (default) | Nothing — full Evidence with native IDs and console links |
| sensitive | Account IDs, IPs, IAM principal names, billing amounts. Console links rewritten to the generic service home (e.g. https://console.aws.amazon.com/s3/) — an external reader can't pivot from the link to the specific resource |
| pii | Everything in sensitive + masks email-looking strings, phone-number-looking strings, and tag values flagged as containing PII |

The underlying Evidence record is always stored at standard class — redaction is a view applied at export, not a destructive transform.

TIP

Use sensitive when sharing with an external auditor or vendor. Use pii if your tags or resource names contain personal data. Otherwise stay on standard.
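A pre-share check for the redaction classes above, as an added example that is not Tessell's code: it scans a parsed JSON export for values that contradict the declared `redaction_class`. It assumes the target JSON shape documented on this page; the function names and regexes are hypothetical, and because the page does not say what a masked value looks like, the check looks for unmasked patterns instead.

```python
import re
from urllib.parse import urlparse

ACCOUNT_ID = re.compile(r"(?<!\d)\d{12}(?!\d)")  # AWS account IDs are 12 digits
IPV4 = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def walk_strings(node, path="$"):
    """Yield (json_path, string) for every string value in a parsed export."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def is_generic_console_link(href):
    """True when the link stops at a service home such as https://console.aws.amazon.com/s3/."""
    url = urlparse(href)
    segments = [s for s in url.path.split("/") if s]
    return len(segments) <= 1 and not url.query and not url.fragment

def redaction_leaks(export):
    """Return sorted (json_path, kind) pairs that contradict the declared redaction_class."""
    cls = export.get("redaction_class", "standard")
    if cls == "standard":
        return []  # nothing is masked at this class, so nothing can leak
    leaks = set()
    for path, text in walk_strings(export):
        if path.endswith(".href"):
            if not is_generic_console_link(text):
                leaks.add((path, "resource_console_link"))
            continue
        if ACCOUNT_ID.search(text):
            leaks.add((path, "account_id"))
        if IPV4.search(text):
            leaks.add((path, "ip_address"))
        if cls == "pii" and EMAIL.search(text):
            leaks.add((path, "email"))
    return sorted(leaks)

# Constructed sample: declared "sensitive" but still carrying standard-class values.
SAMPLE = {"redaction_class": "sensitive", "evidence": [{
    "source": {"account_id": "123456789012"},
    "console_links": [{"label": "View bucket in S3 Console", "href":
        "https://us-east-1.console.aws.amazon.com/s3/buckets/prod-customer-uploads?region=us-east-1"}],
}]}
```

IAM principal names, billing amounts, phone numbers and PII-flagged tag values are not covered here; they need patterns specific to your estate.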


Bulk export (audit pack)

For a framework-scoped audit pack:

  • The audit pack is a ZIP containing:
    • manifest.json — metadata (tenant, EstateView pin, generated_at, scope, redaction class, list of all included files)
    • findings/{id}.json — one file per Finding included in the pack
    • evidence/{id}.json — one file per Evidence record, de-duped
    • report-summary.pdf — printable cover document

The pack is generated from the Compliance view for a chosen framework. The PDF cover document references the JSON files for the detailed Evidence chain.

Design intent

The audit pack format above is the target design. The exact in-app trigger (button location, framework picker) may differ in your build. Confirm with your Tessell contact or use Edit on GitHub (admin mode) to flag the difference.


A JSON export, in shape

```json
{
  "canvas_id": "cv_abc123",
  "schema_version": 1,
  "question": "Which production S3 buckets are public?",
  "generated_at": "2026-05-13T14:23:11Z",
  "estate_view_id": "ev_42",
  "estate_view_captured_at": "2026-05-13T14:01:42Z",
  "scope": {
    "providers": ["aws"],
    "profiles": ["prod-aws"],
    "regions": ["us-east-1", "us-west-2", "eu-west-1"]
  },
  "redaction_class": "standard",

  "conclusion": "3 production S3 buckets allow public read. 1 also allows public write.",

  "findings": [
    {
      "id": "fnd_x1y2",
      "severity": "high",
      "title": "prod-customer-uploads — public read and write",
      "resource_arn": "arn:aws:s3:::prod-customer-uploads",
      "evidence_refs": ["ev_a1b2", "ev_a3b4"],
      "recommended_action": {
        "type": "enable_block_public_access",
        "preview": "..."
      }
    }
  ],

  "evidence": [
    {
      "id": "ev_a1b2",
      "type": "config_snapshot",
      "captured_at": "2026-05-13T14:01:42Z",
      "estate_view_id": "ev_42",
      "source": {
        "system": "aws.s3",
        "region": "us-east-1",
        "account_id": "123456789012",
        "native_id": "arn:aws:s3:::prod-customer-uploads",
        "api_call": "get-bucket-policy-status"
      },
      "console_links": [
        {
          "label": "View bucket in S3 Console",
          "href": "https://us-east-1.console.aws.amazon.com/s3/buckets/prod-customer-uploads?region=us-east-1"
        }
      ],
      "summary": "Public read AND write enabled on prod-customer-uploads",
      "payload": {
        "BlockPublicAcls": false,
        "BlockPublicPolicy": false,
        "IgnorePublicAcls": false,
        "RestrictPublicBuckets": false
      }
    }
  ]
}
```

For the full schema reference, see Evidence & Reports (developer reference).
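An ingest-side check of the Evidence chain in this JSON shape, as an added example that is not Tessell's code: it confirms that every `evidence_refs` entry resolves, that `evidence[]` is de-duped, and that each record carries a console link. The function name and problem codes are hypothetical, and treating a differing `estate_view_id` as a problem is an assumption about how the EstateView pin is meant to work. The constructed sample is trimmed like the one above, so the second referenced record is reported as missing.

```python
# Constructed sample, trimmed from the target export shape shown above.
SAMPLE_EXPORT = {
    "canvas_id": "cv_abc123",
    "estate_view_id": "ev_42",
    "findings": [{"id": "fnd_x1y2", "evidence_refs": ["ev_a1b2", "ev_a3b4"]}],
    "evidence": [{
        "id": "ev_a1b2",
        "estate_view_id": "ev_42",
        "console_links": [{"label": "View bucket in S3 Console", "href":
            "https://us-east-1.console.aws.amazon.com/s3/buckets/prod-customer-uploads?region=us-east-1"}],
    }],
}

def check_evidence_chain(export):
    """Return a list of (code, detail) problems; an empty list means the chain is intact."""
    problems = []
    seen = {}
    for ev in export.get("evidence", []):
        ev_id = ev.get("id")
        if ev_id in seen:
            problems.append(("duplicate_evidence", ev_id))
        seen[ev_id] = ev
        # Assumption: Evidence comes from the same pinned EstateView as the Canvas.
        if ev.get("estate_view_id") != export.get("estate_view_id"):
            problems.append(("estate_view_mismatch", ev_id))
        # The page states every Evidence record carries one or more console links.
        if not ev.get("console_links"):
            problems.append(("no_console_link", ev_id))
    referenced = set()
    for finding in export.get("findings", []):
        refs = finding.get("evidence_refs", [])
        if not refs:
            problems.append(("uncited_finding", finding.get("id")))
        for ref in refs:
            referenced.add(ref)
            if ref not in seen:
                problems.append(("dangling_ref", f"{finding.get('id')} -> {ref}"))
    for ev_id in seen:
        if ev_id not in referenced:
            problems.append(("orphan_evidence", ev_id))
    return problems

if __name__ == "__main__":
    for code, detail in check_evidence_chain(SAMPLE_EXPORT):
        print(code, detail)
```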



Escher — Agentic CloudOps by Tessell