Forensa — Evidence Layer for AI Agents

Every enterprise AI vendor is building enforcement — guardrails, policy engines, control planes. None is building evidence. After enforcement fires, who can prove what the agent actually did, on whose authority, against which policy version? EU AI Act Article 12 makes this question non-negotiable from August 2026, and DORA, NIST AI RMF, and ISO 42001 already demand it. Forensa is the black-box flight recorder for enterprise AI agents. Every agent decision — input, reasoning, policy verdict, output — is captured as a cryptographic Receipt: SHA-256 canonical hash, Ed25519 signed by the tenant key and the agent identity, chained to the previous receipt, and anchored daily to an RFC 3161 timestamp authority (FreeTSA) with full PKIX certificate-chain verification. The chain is offline-verifiable in any language. Compliance officers query Forensa six months after an incident. The console surfaces the receipts in scope, Gemini 2.5 Pro generates a regulator-readable narrative (with four-layer prompt-injection defence), and the system exports a JSON-LD + PDF evidence pack with a single root hash binding the entire pack. Auditors can verify offline. Regulators get a legally admissible artifact. M&A acquirers get 90-day diligence in hours, not months. Built in 6 days for TechEx Hackathon 0018. Real cryptography end-to-end — no mocks. FastAPI + Python 3.14 + Postgres + Next.js 16 console. Strict Pydantic v2, 100% test coverage gate, pytest + vitest. Sponsor stack: Veea Lobster Trap (policy enforcement → evidence sink), Gemini 2.5 Pro (live narrative), Google AI Studio (export templates), OpenTelemetry GenAI (wire format), AWS data pipeline. 20 of 24 user stories IMPLEMENTED+TESTED. 13 business requirements traced to code, tests, and 9 regulatory frameworks. Demo-ready.