diff --git a/decisions/0007-evidence-chain-postpone.md b/decisions/0007-evidence-chain-postpone.md new file mode 100644 index 0000000..01bbd8b --- /dev/null +++ b/decisions/0007-evidence-chain-postpone.md @@ -0,0 +1,42 @@ +# ADR-0007 · Evidence chain is separate workstream, not blocking demo + +**Status**: accepted +**Date**: 2026-05 + +## Context + +A "legal-grade evidence chain" — clips with cryptographic manifests, NTS-anchored timestamps, transparency-log replication, eIDAS-compliant TSA signatures — is a strong differentiator and a future moat. But it's also: + +- Multi-month engineering effort. +- Requires legal review per jurisdiction. +- Has nuanced UX implications (key custody, signature verification flow). + +The pressure to "have evidence chain in the demo" risks pulling resources from getting the **basic forensic experience** working end-to-end. + +## Decision + +Treat evidence chain as a **separate workstream** (Epic 7 — Hardening). For the demo path (Epics 0-6), implement only: + +- SHA256 of clips at write time. +- Manifest JSON with `cam_id`, `sha256`, `ts_local`, `ts_nts`, `model_sha`. +- Simple signature with a Cell-local key. + +That gives a story to tell ("we hash and sign every clip") without the full eIDAS / RFC 3161 TSA ceremony. + +The full evidence chain — transparency log, BYOK customer encryption, third-party verifiable manifests, FIDO2-attested operator actions — is **post-MVP**. + +## Consequences + +**Good**: +- MVP demo viable end of sprint 4 instead of end of sprint 8. +- Evidence chain workstream can move at its own (legal-paced) tempo. +- Customers can adopt MVP first and upgrade to evidence chain later. + +**Bad / trade-offs**: +- Sales conversations with legal-grade buyers (police, banks, insurance) need to clearly say "evidence chain coming in v2" — risk of losing those leads if they need it now. +- Some early demos may overpromise; need disciplined messaging. + +## Alternatives considered + +- **Full evidence chain in MVP**: rejected, blocks first revenue by 4-6 months. +- **No evidence chain ever, position as operational tool only**: rejected, removes a key strategic differentiator.