# Forensics and evidence locker

The evidence locker is a WORM friendly store for audit and forensic artifacts such as bundles, logs, and attestations.

## Storage model

- Object storage with immutable retention and versioning.
- PostgreSQL index with metadata and retention fields.

## Ingest rules

- Append only, content addressed paths.
- Require tenant, hash, size, and provenance.
- Reject partial uploads or missing signatures.

## Retention and legal hold

- Default retention per tenant.
- Legal hold blocks deletion until cleared by approval.
- Daily retention job emits audit logs.

## Access and verification

- RBAC scopes for read, write, and legal hold.
- Verify hashes and DSSE signatures on demand.
- Background sampling emits failure events.

## Minimum bundle layout

- manifest.json with hashes and provenance
- data/ payloads
- signatures/ for DSSE or sigstore bundles

## Related references

- provenance/attestation-workflow.md
- security/timeline.md
- security/evidence-locker-publishing.md
- docs/forensics/evidence-locker.md
- docs/evidence-locker/evidence-pack-schema.md
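
The ingest rules and minimum bundle layout described on this page can be enforced with a pre-ingest check like the one below. This is an added example, not the project's own code: the manifest field names (`tenant`, `provenance`, `files`, `path`, `size`, `sha256`), the object key scheme, and the sample bundle are assumptions, and the signature check only confirms that a DSSE envelope with a signature is present, not that it verifies against a key.

```python
import hashlib

REQUIRED = ("tenant", "provenance", "files")  # assumed manifest field names

def content_path(tenant, digest):
    """Hypothetical content-addressed key: identical bytes map to one path."""
    return f"{tenant}/sha256/{digest[:2]}/{digest}"

def has_signature(envelopes):
    """True if any DSSE envelope carries a non-empty signature entry.
    Presence only; cryptographic verification needs the signer's key."""
    return any(s.get("sig") for env in envelopes for s in env.get("signatures", []))

def check_bundle(manifest, payloads, envelopes):
    """Return (object_keys, errors); any error rejects the whole bundle."""
    errors = [f"manifest missing {k}" for k in REQUIRED if not manifest.get(k)]
    if not has_signature(envelopes):
        errors.append("no DSSE signature present")
    keys, listed = [], set()
    for entry in manifest.get("files") or []:
        name = entry.get("path")
        listed.add(name)
        body = payloads.get(name)
        if body is None:
            errors.append(f"{name}: payload missing")
            continue
        if len(body) != entry.get("size"):
            errors.append(f"{name}: size mismatch (partial upload?)")
        digest = hashlib.sha256(body).hexdigest()
        if digest != entry.get("sha256"):
            errors.append(f"{name}: hash mismatch")
        keys.append(content_path(manifest.get("tenant"), digest))
    # Payloads the manifest does not account for are rejected as well.
    errors += [f"{n}: not listed in manifest" for n in sorted(set(payloads) - listed)]
    return ([] if errors else keys), errors

# Constructed sample bundle (not real evidence data).
DATA = b'{"event":"login","user":"alice"}\n'
MANIFEST = {"tenant": "tenant-a", "provenance": {"builder": "example-ci"},
            "files": [{"path": "data/audit.log", "size": len(DATA),
                       "sha256": hashlib.sha256(DATA).hexdigest()}]}
ENVELOPE = {"payloadType": "application/vnd.in-toto+json", "payload": "e30=",
            "signatures": [{"keyid": "example-key", "sig": "Y29uc3RydWN0ZWQ="}]}

if __name__ == "__main__":
    print(check_bundle(MANIFEST, {"data/audit.log": DATA}, [ENVELOPE]))
    print(check_bundle(MANIFEST, {"data/audit.log": DATA[:10]}, []))
```
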