Evidence & Proof Packages

Evidence System

ADCG's evidence system is the foundation of its compliance story. Every gate evaluation produces immutable evidence. Every run produces a proof package. Nothing is ephemeral.

Gate-Level Evidence

Each gate produces a JSON evidence artifact:

{
  "evidenceId": "evt_a1b2c3d4",
  "runId": "run_x7y8z9",
  "gateId": 4,
  "gateName": "Security Scan",
  "verdict": "pass",
  "timestamp": "2026-02-15T14:32:01.847Z",
  "executor": "gate-runner-v2.1.0",
  "policyVersion": "pol_v3.2.1",
  "ruleResults": [
    {
      "ruleId": "vuln-critical",
      "operator": "lte",
      "expected": 0,
      "actual": 0,
      "pass": true
    },
    {
      "ruleId": "secret-detection",
      "operator": "eq",
      "expected": 0,
      "actual": 0,
      "pass": true
    }
  ],
  "evidenceHash": "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
  "previousHash": "sha256:7d865e959b2466918c9863afca942d0fb89d7c9ac0c99bafc3749504ded97730"
}

Hash Chain

Evidence artifacts are linked sequentially. Each artifact's evidenceHash is computed over:

1. The artifact's content (verdict, rule results, timestamps)
2. The previousHash (the hash of the preceding evidence artifact)

This creates a tamper-evident chain. Modifying any historical artifact breaks the chain from that point forward. Verification is a simple linear scan.

DB-Level Immutability

The evidence tables have PostgreSQL triggers that:

• Block UPDATE — No row in the evidence table can be modified after insertion
• Block DELETE — No row can be removed

These triggers are enforced at the database level, not the application level. Even direct SQL access cannot modify evidence without disabling triggers (which requires superuser access and is logged).

Run Manifests

Each complete pipeline run produces a manifest:

{
  "runId": "run_x7y8z9",
  "tenantId": "tnt_abc123",
  "startedAt": "2026-02-15T14:30:00.000Z",
  "completedAt": "2026-02-15T14:35:12.000Z",
  "status": "passed",
  "gateResults": [
    { "gateId": 0, "verdict": "pass", "evidenceId": "evt_..." },
    { "gateId": 1, "verdict": "pass", "evidenceId": "evt_..." }
  ],
  "inputHash": "sha256:...",
  "outputHash": "sha256:...",
  "policyVersion": "pol_v3.2.1",
  "proofPackageId": "pkg_def456"
}

Proof Packages

The proof package is the compliance deliverable. It bundles:

Component	Description
Gate evidence	All 13 evidence artifacts for the run
Run manifest	Timing, status, policy version, input/output hashes
File hashes	SHA-256 of every input and output file
Policy snapshot	The exact policy version used (frozen at gate 2)
Aggregate verdict	Overall pass/partial/fail determination

Proof packages can be exported via the API for delivery to auditors, compliance officers, or regulatory bodies.