1.9 KiB
ADR-0007 · Evidence chain is separate workstream, not blocking demo
Status: accepted Date: 2026-05
Context
A "legal-grade evidence chain" — clips with cryptographic manifests, NTS-anchored timestamps, transparency-log replication, eIDAS-compliant TSA signatures — is a strong differentiator and a future moat. But it's also:
- Multi-month engineering effort.
- Requires legal review per jurisdiction.
- Has nuanced UX implications (key custody, signature verification flow).
The pressure to "have evidence chain in the demo" risks pulling resources from getting the basic forensic experience working end-to-end.
Decision
Treat evidence chain as a separate workstream (Epic 7 — Hardening). For the demo path (Epics 0-6), implement only:
- SHA256 of clips at write time.
- Manifest JSON with
cam_id,sha256,ts_local,ts_nts,model_sha. - Simple signature with a Cell-local key.
That gives a story to tell ("we hash and sign every clip") without the full eIDAS / RFC 3161 TSA ceremony.
The full evidence chain — transparency log, BYOK customer encryption, third-party verifiable manifests, FIDO2-attested operator actions — is post-MVP.
Consequences
Good:
- MVP demo viable end of sprint 4 instead of end of sprint 8.
- Evidence chain workstream can move at its own (legal-paced) tempo.
- Customers can adopt MVP first and upgrade to evidence chain later.
Bad / trade-offs:
- Sales conversations with legal-grade buyers (police, banks, insurance) need to clearly say "evidence chain coming in v2" — risk of losing those leads if they need it now.
- Some early demos may overpromise; need disciplined messaging.
Alternatives considered
- Full evidence chain in MVP: rejected, blocks first revenue by 4-6 months.
- No evidence chain ever, position as operational tool only: rejected, removes a key strategic differentiator.