The transcript admits itself.
In a German civil dispute, an electronic record gets the same evidentiary weight as a notarized paper original when it carries a qualified electronic timestamp from an EU-registered Trust Service Provider. Adjudon's transcript architecture is built to carry that timestamp, anchored to D-Trust GmbH (BNetzA-listed, eIDAS Art. 24).
Status today (2026-05-11): the D-Trust commercial contract is in procurement. Until it goes live, the eIDAS RFC 3161 timestamp client (services/eidasTimestampService.js) produces a deterministic mock token that preserves chain integrity and verifier-replayability but does NOT carry the eIDAS Art. 41(2) statutory presumption. We document this honestly so procurement does not arrive expecting a live qualified timestamp that does not exist yet. The chain of cryptographic guarantees below — SHA-256 hash chain, Sigstore Cosign + Rekor v2 transparency log, content-hash + PolicyVersion immutability — runs today; the eIDAS presumption layer activates the moment the D-Trust API key lands.
Four pillars of court-admissibility.
§371a Abs. 3 ZPO
German Code of Civil Procedure. An electronic document bearing a qualified electronic signature is treated as self-authenticating — opposing counsel must affirmatively disprove the signature, and that bar is high.
eIDAS Art. 41(2)
EU Regulation 910/2014. A qualified electronic timestamp creates a presumption of accuracy of the date and time indicated, and of the integrity of the data linked to it. The presumption is binding on every EU member state.
D-Trust GmbH (QTSP)
Bundesdruckerei subsidiary. Listed in the BNetzA Vertrauensliste under eIDAS Art. 24 as a Qualified Trust Service Provider for qualified electronic timestamps. Adjudon's transcript pipeline is wired to call D-Trust on every policy evaluation — the client lives at services/eidasTimestampService.js and activates when EIDAS_TSA_PROD is set with the D-Trust endpoint. Commercial contract in procurement; see the status note in the hero for what runs today vs. on contract.
Sigstore Cosign + Rekor v2
Open-source transparency log (CNCF). The bundle signer (services/policyBundleSigner.js) is wired to dual-anchor each transcript bundle to Rekor — a third-party tamper-evident log run by the Sigstore community. Once D-Trust is live, the Rekor anchor provides independent timestamp evidence in case the QTSP ever fails. Status today (2026-05-11): the signer returns a structured stub until the GitHub Actions OIDC keyless-signing pipeline ships (Phase 3.1, gated on founder action — see FOUNDER_ACTION_CHECKLIST gate 3.1).
Six fields per immutable record.
Each policy fire produces one immutable PolicyTranscript record containing:
- policyVersionHash — SHA-256 of the canonicalised policy text (RFC 8785 JCS) that was in force at evaluation time. Pinned to the immutable PolicyVersion chain.
- firedConditions[] — every condition that evaluated TRUE, with the (PII-scrubbed) trace value and the rule value, plus the operator that compared them.
- cedarRequestHash — SHA-256 of the canonicalised Cedar request payload, providing a verifier-replayable digest independent of the trace store.
- schemaVersion + algoSuite — pins the exact compiler version + hash algorithm used. A regulator replaying the decision in 2030 sees the 2026 semantics, not whatever version is in force at replay time.
- qtspToken — D-Trust QTSP-issued qualified electronic timestamp over the canonicalised transcript.
- cosignBundle — Sigstore Cosign keyless signature + Rekor v2 inclusion proof.
The auditor's laptop is enough.
The portable bundle ships with adjudon-replay, a Node CLI that takes the bundle plus the trace input and re-evaluates the policy version offline against the Cedar substrate (via the cedar-wasm npm package). A passing replay is independent evidence — it doesn't require Adjudon's servers to still be online, doesn't require Adjudon as a corporation to still exist.
The standalone binary build pipeline (build-replay-binary.sh) produces self-contained linux/macos/windows binaries with cedar-wasm embedded — pre-built signed binaries publish in Phase 3.1 alongside Sigstore Cosign keyless OIDC. Until then the Node CLI is the verifier of record; a court-appointed expert needs Node installed but no Adjudon network access.
See Portable bundle for the bundle schema and verifier walkthrough.