# ADR-0007 · Evidence chain is separate workstream, not blocking demo **Status**: accepted **Date**: 2026-05 ## Context A "legal-grade evidence chain" — clips with cryptographic manifests, NTS-anchored timestamps, transparency-log replication, eIDAS-compliant TSA signatures — is a strong differentiator and a future moat. But it's also: - Multi-month engineering effort. - Requires legal review per jurisdiction. - Has nuanced UX implications (key custody, signature verification flow). The pressure to "have evidence chain in the demo" risks pulling resources from getting the **basic forensic experience** working end-to-end. ## Decision Treat evidence chain as a **separate workstream** (Epic 7 — Hardening). For the demo path (Epics 0-6), implement only: - SHA256 of clips at write time. - Manifest JSON with `cam_id`, `sha256`, `ts_local`, `ts_nts`, `model_sha`. - Simple signature with a Cell-local key. That gives a story to tell ("we hash and sign every clip") without the full eIDAS / RFC 3161 TSA ceremony. The full evidence chain — transparency log, BYOK customer encryption, third-party verifiable manifests, FIDO2-attested operator actions — is **post-MVP**. ## Consequences **Good**: - MVP demo viable end of sprint 4 instead of end of sprint 8. - Evidence chain workstream can move at its own (legal-paced) tempo. - Customers can adopt MVP first and upgrade to evidence chain later. **Bad / trade-offs**: - Sales conversations with legal-grade buyers (police, banks, insurance) need to clearly say "evidence chain coming in v2" — risk of losing those leads if they need it now. - Some early demos may overpromise; need disciplined messaging. ## Alternatives considered - **Full evidence chain in MVP**: rejected, blocks first revenue by 4-6 months. - **No evidence chain ever, position as operational tool only**: rejected, removes a key strategic differentiator.