What does Knox pin at upload?

Five things, in one structured event: (1) the SHA-256 of the canonical scene file (whatever format the capture app emits — .ply, .splat, glTF including the draft Khronos KHR_gaussian_splatting extension), (2) the hash of the metadata bundle (timestamp, GPS, device fingerprint, capture-app version), (3) the operator attestation as a signed declaration that this scene is the unmodified output of capture session S at facility F at timestamp T, (4) a sequence-link to the operator's previous capture (or the genesis link if first capture), and (5) the Knox event chain commitment which rolls into the hourly Merkle root and is submitted to OpenTimestamps for Bitcoin-block attestation. The OpenTimestamps calendar commitment is immediate at upload; the Bitcoin-block confirmation typically lands within hours via OTS calendar upgrade. Mutation is detectable from the chain — if any byte changes after anchor, the recomputed hash will not match the chain record.

How does this differ from notarized photos, C2PA, or raw OpenTimestamps?

Notarized photos provide manual single-instance authentication and are expensive per record; the resulting evidence is not standardized and not re-verifiable independent of the notary's records. C2PA Content Credentials sign the creator and edit history of media at capture-time but do not provide independent timestamping of arbitrary file bytes against a public chain. OpenTimestamps provides a Bitcoin-anchored timestamp on any file but requires the operator to self-instrument and provides no operator-attestation layer, no industry-vertical event taxonomy, and no admissibility framework. Knox sits one level up from OpenTimestamps: it anchors a structured event (file fingerprint plus operator attestation plus metadata bundle plus chain link) and serves it through an event taxonomy and a public verify endpoint that any party can hit without contacting Bonis.

Which Knox event type covers spatial evidence?

One canonical event type extends the Knox taxonomy into this theater: spatial_evidence_anchored. The event payload includes the canonical scene-file hash, the metadata-bundle hash, the operator-attestation digest, the capture-session identifier, and the previous-capture chain-link digest. The same primitive serves every vertical that needs a spatial record — cannabis facility, clinical trial site, construction work-as-performed, insurance pre-loss baseline, real-estate condition-of-date, federal facility security baseline, cyber-physical data-center walkthrough, and forensic chain-of-custody.

What regulatory and admissibility frames apply?

The spatial-evidence chain is architecturally aligned with FRE 902(13) (self-authenticating electronic records generated by a system producing accurate results) and FRE 902(14) (self-authenticating data copied from electronic device, storage, or file by digital identification). FRE 901 (authentication of evidence) is supported by the operator-attestation layer combined with the chain commitment. The Daubert standard for expert testimony on spatial reconstruction is supported by a self-authenticating chain of evidence. Domain-specific frames apply per vertical: FDA 21 CFR Part 11 for clinical trial site documentation, 21 CFR §312 for IND-stage clinical investigation site records, state-CRA seed-to-sale tracking regimes for cannabis facility records, EU GDPR Article 32 integrity-and-confidentiality requirements where personal-data-adjacent processing is involved, and state insurance-commissioner regimes for claims-handling timeliness and accuracy. Admissibility itself is a court determination; Knox provides the architectural foundation, not the verdict.

Is Bonis defensive or offensive in this theater?

Defensive only. The operator captures their own facility on their own device with their own capture app. The operator uploads the capture file to a Bonis-instrumented surface or to their own surface via the Knox API. Bonis hashes the bytes at upload, anchors the canonical commitment, and returns a receipt. Bonis does not capture facilities, does not operate cameras or drones or phones, does not mutate captured scene files, and does not store raw capture data unredacted — only the hash, the metadata commitment, and the operator attestation. Even a provably hostile operator capture gets reported, never seized. The takedown belongs to lawful authority; Bonis provides the audit primitive.

AAM · Theater · Spatial Evidence

When the spatial record is the evidence, who has the receipt?

Q: What is a spatial capture and why does it need an audit-permanence layer?

A spatial capture is a 3D record of a physical facility — a Gaussian-splat scene, a photogrammetry mesh, a LiDAR point cloud, or a glTF KHR_gaussian_splatting file produced by a commodity phone-based capture app. Today the capture is a marketing or sales asset; it sits as an opaque file on a vendor device or in a shared Drive. There is no cryptographic record of what was captured, when, by whom, where, or whether the bytes have been mutated since. AAM extends the capture from a decorative asset to a per-execution evidentiary artifact: the canonical scene file is hashed, the operator declaration is signed, the capture metadata is committed, and the bundle is anchored to the Bitcoin blockchain at upload moment.

A spatial capture of a facility is a candidate evidentiary artifact. Today it sits as an opaque file on a vendor’s phone or a marketing-team drive. There is no cryptographic record of what was captured, when, by whom, where, or whether the bytes have been mutated since. The Knox layer pins all five at upload moment.

Vendor-neutralBitcoin-anchoredFRE 902(13)/(14) architectureOperator-attestedDefensive only

TL;DR

A spatial capture becomes a self-authenticating record the moment Knox anchors it.

The gap. Spatial captures today are decorative — sales assets and marketing walk-throughs. There is no cryptographic record of what was captured, when, by whom, where, or whether the bytes have been mutated since.
What Knox pins. Five things at upload: SHA-256 of the canonical scene file, hash of the metadata bundle (timestamp + GPS + device fingerprint + capture-app version), operator attestation digest, sequence-link to the operator’s previous capture, and the chain commitment that submits to OpenTimestamps for Bitcoin-block attestation. The chain commitment is what removes the bytes from operator-side rewrite — once anchored, the recomputed hash either matches or it does not.
Vendor-neutral. Above any spatial-capture pipeline. The capture-app vendor handles capture; Knox handles audit-permanence. Same primitive across every vertical.
Verification. Any third party — regulator, FDA inspector, plaintiff counsel, defense counsel, insurance adjuster, IG office, civil-rights bar, or counterparty — verifies via the public endpoint at /api/knox/verify without contacting Bonis. Architecturally aligned with FRE 902(13)/(14) self-authentication.
Posture. Defensive-only. Bonis hashes what the operator uploaded; never accesses cameras, drones, or phones; never mutates the scene file; never stores raw capture data unredacted.

The seam

From decorative capture to evidentiary commitment.

Industry default for spatial capture today is decorative. Real-estate listings, construction marketing, retail walk- throughs — used as a sales asset, not an evidentiary one. The AAM extension flips it from decorative to per-execution audit-permanence.

What AAM commits

Capture file fingerprint. SHA-256 of the canonical scene file, whatever the capture app emits — .ply, .splat, glTF KHR_gaussian_splatting.
Capture metadata commitment. Hash of the metadata bundle: timestamp, GPS, device fingerprint, capture-app version. Pinned by the chain commitment at upload — independent of any later device-clock manipulation.
Operator attestation. Signed declaration: “I, operator X, captured facility Y at timestamp T, this scene is the unmodified output of capture session S.”
Chain link. Sequence-link to the operator’s previous capture (or genesis if first). Re-captures are provably linked across time.
Bitcoin anchor. Hourly Merkle root → Bitcoin block via OpenTimestamps. Verifiable years later by any party, no Bonis call required.

Cross-vertical reach

One audit primitive. Every vertical that needs a spatial record on a date.

The same Knox event type (spatial_evidence_anchored) serves every vertical. The same chain primitive. The same self-authentication architecture. Categories below; named operators are not surfaced on this page per Stealth Posture.

Cannabis

Operator captures grow op or dispensary interior on production date; export-prep dossier; state-CRA inspection record; federal-rescheduling-era audit dossier.

Clinical trial

Site-on-date documentation for FDA inspection (21 CFR §312 / ICH GCP); trial-site monitoring record; investigator-binder spatial-evidence component.

Construction

Work-as-performed proof for lien claims; pre-loss / post-loss spatial record for insurance adjustment; building inspector record.

Insurance

Pre-loss baseline capture; post-loss damage assessment; subrogation evidence.

Real estate

Condition-on-date proof for purchase-and-sale agreement; landlord-tenant move-in / move-out record.

Federal facility

Periodic security-control documentation; visit-log spatial baseline; chain-of-custody for evidence storage spaces.

Cyber-physical

Data-center walkthrough proof; physical-access-control record; PCI-DSS-adjacent facility documentation.

Forensic chain-of-custody

Crime-scene spatial baseline as a public-chain-anchored record produced by lawful authority; Bonis is the audit primitive only.

Verifiable today

Five proof rows. Each one is independently checkable.

Every claim below resolves to a live endpoint, a canonical taxonomy entry, or a published reference primitive. No screenshots, no PDFs, no closed-source attestations.

Knox event type

spatial_evidence_anchored

Canonical entry in the Knox event taxonomy. Verifiable in the live taxonomy at /aam/taxonomy.

Reference engine (Foundation)

Spatial Evidence Anchor — Phase 0

Shipped 2026-04-28 as a vertical-agnostic upload + Knox-anchor + verify primitive. Pluggable chain target (in-process or remote). Tamper-detection proven end-to-end via single-byte XOR.

Anchor primitive

SHA-256 → sequence-numbered Knox chain → Merkle root → Bitcoin via OpenTimestamps

Same primitive that anchors every other Knox event class. Public verify endpoint at /api/knox/verify.

Admissibility shape

FRE 902(13)/(14) self-authenticating

Architecturally aligned. The court determines admissibility on the record; Knox provides the foundation.

Operator attestation

Signed declaration pinned at upload

Operator declares: 'I, operator X, captured facility Y at timestamp T, this scene is the unmodified output of capture session S.' Signed digest committed alongside the scene-file hash.

Doctrine

Bonis is the audit primitive. Never the operator.

The operator captures. Their facility, their device, their capture app — Polycam, Luma, Scaniverse, KIRI, or any other. Bonis does not select the capture vendor.
The operator uploads. To a Bonis-instrumented surface or to their own surface via the Knox API.
Bonis hashes and anchors. The canonical bytes get a SHA-256 commitment, the operator attestation gets a signed digest, the metadata bundle gets a hash. The chain commits.
Bonis never operates the device. Never captures facilities, never operates cameras / drones / phones, never mutates the scene file, never stores raw capture data unredacted.
Lawful authority decides what to do with the evidence. Courts, regulators, FDA inspectors, state-CRA auditors, IG offices, plaintiff counsel, defense counsel, insurance carriers. Bonis provides the audit primitive; the verdict is the court’s.

Closer

A cryptographic flight-data recorder for the physical facility.

Differentiated from C2PA by structured event taxonomy plus self-authentication architecture. Differentiated from notarization by per-capture cost plus automated chain. Differentiated from spatial-capture vendors by audit-permanence layer. Differentiated from raw OpenTimestamps by operator attestation plus verify endpoint plus admissibility framework.

Per-capture receipt for every facility walkthrough. Spatial integrity attestation independent of the capture vendor. Self-authenticating record at commodity capture cost.