wdmUI/decisions/0007-evidence-chain-postpone.md

ADR-0007 · Evidence chain is separate workstream, not blocking demo

Status: accepted
Date: 2026-05

Context

A "legal-grade evidence chain" — clips with cryptographic manifests, NTS-anchored timestamps, transparency-log replication, eIDAS-compliant TSA signatures — is a strong differentiator and a future moat. But it's also:

  • Multi-month engineering effort.
  • Requires legal review per jurisdiction.
  • Has nuanced UX implications (key custody, signature verification flow).

The pressure to "have evidence chain in the demo" risks pulling resources from getting the basic forensic experience working end-to-end.

Decision

Treat evidence chain as a separate workstream (Epic 7 — Hardening). For the demo path (Epics 0-6), implement only:

  • SHA256 of clips at write time.
  • Manifest JSON with cam_id, sha256, ts_local, ts_nts, model_sha.
  • Simple signature with a Cell-local key.

That gives a story to tell ("we hash and sign every clip") without the full eIDAS / RFC 3161 TSA ceremony.

The full evidence chain — transparency log, BYOK customer encryption, third-party verifiable manifests, FIDO2-attested operator actions — is post-MVP.
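
An added example (not code from the wdmUI project) of the demo-path scheme above: hash the clip at write time, build the manifest with the listed fields, sign it with a local key, and verify both later. Assumptions: HMAC-SHA256 stands in for the "simple signature", the timestamps and model_sha are treated as opaque strings, and all function names and sample values are hypothetical.

```python
import hashlib, hmac, json, pathlib, tempfile
# Field names are the ones the ADR lists; the value formats are assumptions.
MANIFEST_FIELDS = ("cam_id", "sha256", "ts_local", "ts_nts", "model_sha")

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):  # stream in chunks
            h.update(block)
    return h.hexdigest()

def _tag(manifest, key):
    # Canonical encoding (sorted keys, no whitespace) of the known fields only.
    body = json.dumps({k: manifest[k] for k in MANIFEST_FIELDS},
                      sort_keys=True, separators=(",", ":")).encode()
    # Assumption: HMAC-SHA256 with the local key plays the signature role.
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def seal_clip(path, cam_id, ts_local, ts_nts, model_sha, key):
    """Hash the clip at write time and return the signed manifest dict."""
    manifest = {"cam_id": cam_id, "sha256": sha256_file(path),
                "ts_local": ts_local, "ts_nts": ts_nts, "model_sha": model_sha}
    manifest["sig"] = _tag(manifest, key)
    return manifest

def verify_clip(path, manifest, key):
    """Return 'ok', 'bad_signature' or 'clip_modified'."""
    try:
        sig_ok = hmac.compare_digest(_tag(manifest, key), manifest["sig"])
    except (KeyError, TypeError):
        return "bad_signature"  # missing field or malformed signature
    if not sig_ok:
        return "bad_signature"  # manifest edited, or wrong key
    # Trust manifest["sha256"] only after the manifest itself has verified.
    if not hmac.compare_digest(sha256_file(path), manifest["sha256"]):
        return "clip_modified"
    return "ok"

def demo():
    key = b"constructed-demo-key"  # constructed sample, not a real secret
    with tempfile.TemporaryDirectory() as d:
        clip = pathlib.Path(d, "clip.bin")
        clip.write_bytes(b"constructed clip bytes")
        m = seal_clip(clip, "cam-01", "2026-05-01T12:00:00+02:00",
                      "2026-05-01T10:00:00Z", "0" * 64, key)
        out = [verify_clip(clip, m, key),  # untouched clip and manifest
               verify_clip(clip, dict(m, ts_nts="2026-05-01T09:00:00Z"), key)]
        clip.write_bytes(clip.read_bytes() + b"!")  # tamper after sealing
        return out + [verify_clip(clip, m, key)]
```

Because HMAC is symmetric, anyone able to verify a manifest can also forge one, so this check is only meaningful inside the Cell that holds the key.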

Consequences

Good:

  • MVP demo viable end of sprint 4 instead of end of sprint 8.
  • Evidence chain workstream can move at its own (legal-paced) tempo.
  • Customers can adopt MVP first and upgrade to evidence chain later.

Bad / trade-offs:

  • Sales conversations with legal-grade buyers (police, banks, insurance) need to clearly say "evidence chain coming in v2" — risk of losing those leads if they need it now.
  • Some early demos may overpromise; need disciplined messaging.

Alternatives considered

  • Full evidence chain in MVP: rejected, blocks first revenue by 4-6 months.
  • No evidence chain ever, position as operational tool only: rejected, removes a key strategic differentiator.