TraceLodger
Local-first forensic review platform for reconstructing AI-artifact activity timelines with evidence integrity preserved during degraded auth or network states.
Published Apr 11, 2026
- forensics
- python
- rust
- stripe
- tauri
- workos
Short Summary
TraceLodger is desktop-first forensic review software for reconstructing AI-artifact timelines without sending evidence into cloud processing paths.
Problem
AI activity leaves traces across browser sessions, desktop clients, exports, and mobile artifacts. Traditional DFIR tooling can recover pieces of that activity, but not always in one coherent, provenance-aware workflow.
I wanted a system that could ingest mixed artifacts, normalize evidence, and rebuild defensible timelines while staying local-first and safe under degraded auth, billing, or network conditions.
What I Built
- Tauri + Rust desktop shell for local review workflow
- React interface for search, filtering, and evidence navigation
- Python sidecar for parser iteration and normalization pipelines
- Next.js control plane for identity, billing, and entitlements
- Read-only fallback behavior when remote state degrades
Built With
- Rust + Tauri
- React
- Python sidecar
- Next.js control plane
- WorkOS
- Stripe
- Neon Postgres
Architecture
TraceLodger splits responsibilities across local and remote layers.
The desktop app (Tauri/Rust + React) handles local evidence and examiner workflow.
A Python sidecar runs parsing and ingestion transforms for structured analysis pipelines.
The web control plane (Next.js) manages identity, billing, and entitlements through WorkOS and Stripe-backed gating.
Critical behavior: when auth or network state degrades, the system falls back to read-only mode so evidence cannot be modified.
Security and Reliability Decisions
- Evidence handling stays local-first. Website and account systems never become an evidence-ingestion path.
- Auth or network degradation drops desktop into review-only behavior instead of unsafe partial-write state.
- Parsed artifacts keep provenance metadata so findings can be traced back to concrete source coordinates.
- System surfaces Absent, Unsupported, or Insufficient Evidence instead of inventing unsupported conclusions.
Results
TraceLodger proves forensic workflow design, local-first architecture, entitlement-aware desktop/web boundaries, and security-focused failure handling.
The project sharpened my approach to graceful degradation, parser isolation, and defensible evidence review.
Next improvements: richer timeline visualization, stronger parser plugin model, and expanded artifact type coverage.
What I Learned
- Failure behavior matters as much as feature behavior in forensic software.
- Provenance and state labels need to be first-class UX, not hidden metadata.
- Desktop/local workflows and cloud account systems need explicit boundaries.
Links
- Case study: /projects/tracelodger
- Architecture diagram: /images/projects/tracelodger/architecture.svg
Technical Notes
Building TraceLedger: Shining a Light on Shadow AI in Digital Forensics
Digital forensics is changing fast.
Vibecoding, agentic workflows, and embedded AI have created a growing blind spot for investigators: Shadow AI.
Traditional DFIR tools still excel at standard communications and endpoint review, but they were not built for cross-device AI engagement reconstruction with tight provenance replay.
TraceLedger (formerly the internal CSAA Pipeline) closes that gap as an offline, read-only, provenance-first desktop platform.
As we approach the first major external release gate, this post covers the architecture journey, major shifts, and current readiness.
Part 1: Foundation - Building an Honest Engine
From day one, the rule was strict: do no harm to evidence and never guess.
The platform had to run fully offline so sensitive case data never depends on third-party inference APIs or remote processing.
Step 1: Permissive Evidence Access Refactor
Early ingestion leaned on dissect.target, but commercial requirements called for a repository-owned evidence access layer.
I refactored ingestion to support logical extractions and mounted filesystems across macOS, Windows, and iOS while avoiding restrictive copyleft coupling.
Step 2: Normalization + Provenance
Every parsed artifact (chat logs, browser events, agent actions, exports) is normalized into canonical schemas while preserving exact provenance metadata.
If TraceLedger shows a finding, an examiner can trace it to concrete source coordinates (file path and locator) in raw evidence.
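As an added illustration of the normalization step (example code, not TraceLedger's own parser), the following Go program turns a constructed chat-client JSONL export into a canonical record set where every event keeps its source coordinates and carries an evidence-state label. The raw field names, the canonical schema, and the mapping of "no timestamp" to Insufficient Evidence are assumptions made for the example; the point is that malformed or undated lines are labelled rather than dropped or guessed.

```go
package main
import (
	"encoding/json"
	"strings"
	"time"
)
// Provenance holds the exact source coordinates (file path + locator) a finding points back to.
type Provenance struct {
	Path string `json:"path"`
	Line int    `json:"line"` // 1-based line number within the JSONL file
}
// Event is an assumed canonical schema; State uses the page's evidence-state vocabulary.
type Event struct {
	Role  string     `json:"role"`
	Text  string     `json:"text"`
	TS    *time.Time `json:"ts,omitempty"`
	State string     `json:"state"` // "Supported", "Insufficient Evidence" or "Unsupported"
	Prov  Provenance `json:"provenance"`
}
// SampleJSONL is constructed input: two dated messages, one undated draft, one junk line.
const SampleJSONL = `{"role":"user","content":"summarize the Q3 export","create_time":1712800000}
{"role":"assistant","content":"Here is the summary.","create_time":1712800042}
{"role":"assistant","content":"draft without timestamp"}
not json at all
`
// NormalizeJSONL converts every line into an Event and drops nothing: an unparseable
// line is kept as Unsupported, a message with no timestamp is kept as Insufficient
// Evidence (it cannot be placed on the timeline), and every Event carries provenance.
func NormalizeJSONL(path, data string) []Event {
	var out []Event
	for i, line := range strings.Split(strings.TrimSuffix(data, "\n"), "\n") {
		ev := Event{Prov: Provenance{Path: path, Line: i + 1}}
		var m struct { // raw field names are assumptions, not a real client's schema
			Role string  `json:"role"`
			Text string  `json:"content"`
			TS   float64 `json:"create_time"` // unix seconds
		}
		if err := json.Unmarshal([]byte(line), &m); err != nil || m.Role == "" {
			ev.State = "Unsupported"
		} else {
			ev.Role, ev.Text, ev.State = m.Role, m.Text, "Insufficient Evidence"
			if m.TS > 0 {
				t := time.Unix(int64(m.TS), 0).UTC()
				ev.TS, ev.State = &t, "Supported"
			}
		}
		out = append(out, ev)
	}
	return out
}
```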
Part 2: Expanding the Shadow AI Footprint
AI usage is spread across native apps, browsers, exports, and mobile traces.
Extraction phases were organized to support full Shadow AI reconstruction, not isolated app snapshots.
Desktop Natives
Initial extraction focused on macOS ChatGPT and Claude desktop internals (JSONL + SQLite).
Support then expanded to fixture-backed Windows packaged instances for ChatGPT and Claude parity.
Browser Evidence (Phase 7)
Chromium-family artifacts (Chrome, Edge) were added across macOS and Windows.
Coverage includes draft prompts, visit traces, and downloaded or exported artifacts tied to AI sessions.
Mobile Forensics (Phase 5)
iOS pattern-of-life extraction integrated Biome SEGB sources and knowledgeC.db with geospatial markers.
This enables timeline correlation for AI usage away from desktop endpoints.
Agent Activity (Phase 8)
The scope moved beyond chat logs into agentic reconstruction.
TraceLedger tracks tool-mediated activity such as browser usage, file touches, and generated output artifacts within an AI engagement.
Gemini Support
Google Gemini support was added through Google Takeout exports, Workspace compliance exports, and browser-side traces.
Gemini’s artifact surface differs from local desktop clients, so parser strategy and evidence mapping were tuned accordingly.
Cross-Device Reconstruction (Phase 9)
Identity and event linking across Mac and iPhone evidence was introduced to produce unified engagement narratives.
These outputs ship as corroboration packs that present one coherent cross-device story instead of disconnected records.
Part 3: The Great UI Migration
The original Streamlit interface enabled rapid prototyping, but it was not the right long-term enterprise product surface.
Deprecating Streamlit in Favor of Tauri + React + Rust
The legacy Streamlit UI is now formally deprecated.
The production surface is now a native desktop app with a Tauri shell, React frontend, and Rust host supervisor, with the Python engine bundled as a standalone sidecar (including Nuitka-oriented hardening and refactor work).
Search-First Forensic Artifact Explorer
The new UI is not a visual reskin; it is a forensic workbench.
It uses case-level SQLite FTS5 indexing, faceted filtering, and histogram-backed evidence navigation tuned for DFIR, legal, HR, and security review workflows.
Part 4: Trust, Validation, and Commercialization
Forensics tooling is only useful if its outputs are defensible under scrutiny.
Enterprise buyers and legal teams need evidentiary confidence, not probabilistic UI comfort.
Phase 10 + 11: Productization and Evidentiary Moat
An enterprise enrichment layer was added for M365/Purview metadata overlays and compliance export context on top of endpoint evidence.
Validation hardening (Phase 11) introduced labeled golden datasets, adversarial scenarios (including screenshot OCR and paraphrasing pressure), and calibrated confidence scoring.
The system explicitly surfaces degraded states as Absent, Unsupported, or Insufficient Evidence rather than inferring beyond defensible limits.
Licensing Control Plane
Commercial rollout includes an account-backed licensing control plane built on Vercel, Neon, WorkOS, and Stripe.
Seat enforcement uses cryptographic entitlements (Ed25519 signatures), and offline manual activation remains first-class for air-gapped labs.
If license state degrades, the desktop transitions gracefully into review-only behavior to protect evidence workflows.
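The local entitlement check and the review-only fallback described above, as an added example that is not TraceLedger's own code: a Go program (chosen because Ed25519 is in Go's standard library) that verifies a signed entitlement, checks expiry and seat count, and degrades to review-only with a reason on every failure path. The payload fields, the seat model, and the Sign helper standing in for the control plane are assumptions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)
// Mode is the desktop operating mode chosen from local entitlement checks.
type Mode int
const (
	ModeReviewOnly Mode = iota // evidence stays readable; no writes, no new cases
	ModeFull
)
// Entitlement is the signed payload issued by the control plane (field names are assumptions).
type Entitlement struct {
	Seats    int   `json:"seats"`
	NotAfter int64 `json:"not_after"` // unix seconds
}
// DecideMode verifies signature, expiry and seat count locally. Every failure path degrades
// to review-only and says why, so a stale or tampered entitlement never yields partial writes.
func DecideMode(pub ed25519.PublicKey, payload, sig []byte, now time.Time, activeSeats int) (Mode, string) {
	// ed25519.Verify panics on a wrong-sized key, so check the length first.
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, payload, sig) {
		return ModeReviewOnly, "signature invalid"
	}
	var e Entitlement
	if err := json.Unmarshal(payload, &e); err != nil {
		return ModeReviewOnly, "payload unparseable"
	}
	if now.Unix() > e.NotAfter {
		return ModeReviewOnly, "entitlement expired"
	}
	if activeSeats > e.Seats {
		return ModeReviewOnly, "seat limit exceeded"
	}
	return ModeFull, "ok"
}
// Sign is the control-plane side, included only so the example runs offline.
func Sign(priv ed25519.PrivateKey, e Entitlement) (payload, sig []byte) {
	payload, _ = json.Marshal(e)
	return payload, ed25519.Sign(priv, payload)
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload, sig := Sign(priv, Entitlement{Seats: 5, NotAfter: time.Now().Add(time.Hour).Unix()})
	fmt.Println(DecideMode(pub, payload, sig, time.Now(), 3)) // 1 ok
	sig[0] ^= 0xff // a tampered signature degrades to review-only
	fmt.Println(DecideMode(pub, payload, sig, time.Now(), 3)) // 0 signature invalid
}
```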
Part 5: Web Surface and Access Boundaries
As release moved closer, we treated the public website as part of the trust model, not a separate marketing layer. The TraceLedger website is live at velsics.com.
Deployment
The deployment model is explicit: the public web control surface at velsics.com handles account and licensing flows, and a local desktop evidence surface handles case analysis.
The website never becomes an evidence ingestion path, which keeps evidentiary posture intact.
Demo Case
We built a synchronized scroll narrative around synthetic case TL-DEMO-IR-001.
It includes a bounded UTC timeline, source artifact references, pipeline-step framing, explicit evidence-state labels, and visible unresolved gaps.
Reduced-motion users get an equivalent stacked-card narrative generated from the same source data model.
Docs
Documentation is managed as typed, code-reviewed content modules instead of loosely controlled CMS pages.
Workflows, docs sections, and demo-case narrative blocks are versioned and reviewable, which reduces product-claim drift.
Request Access
The request-access flow routes prospects toward controlled enterprise evaluation instead of open evidence upload patterns.
CTA paths prioritize the demo case and access request sequence while preserving forensic safety language.
Auth
The auth stack extends beyond brochure pages:
- WorkOS browser-auth route stack
- session guards for /account/* and /admin/*
- role-gated admin access
- Neon-backed licensing persistence
- deterministic Stripe webhook replay and out-of-order handling
This allowed real account-facing operations without weakening reliability.
Privacy and Terms
Privacy and Terms content was written to match actual system behavior: local-first evidence handling, clear boundaries for website-collected data, and explicit limits on what should never be submitted via public forms.
Part 6: Homepage and Motion System
The homepage was designed to sell the product without blurring evidence boundaries.
Homepage Structure
The structure now emphasizes:
- clear positioning statement
- workflow previews
- enterprise enrichment as additive context, not replacement evidence
- deployment clarity
- calls to action for demo case and access request
Reusable Motion System
Animation primitives were centralized instead of implemented page by page:
- shared motion tokens (duration, delay, easing, offsets)
- wrappers for intro, reveal, and stagger patterns
- consistent sequencing across marketing pages
Result: polished motion with lower regression risk and full reduced-motion behavior.
Where We Are Today (Late April 2026)
- Legacy UI deprecation is complete (Stage 3); TraceLedger Desktop is the sole commercial interface.
- Parsing contracts are locked across macOS, Windows, iOS, and major browser vectors.
- Gemini, ChatGPT, and Claude are supported across native, export, and compliance acquisition paths.
- Licensing control plane tasks 1-13 are complete; desktop entitlement verification executes locally.
- The search-first React interface handles large normalized record sets with smooth pagination.
- The synthetic demo case, “Asterion Circuit Works,” is locked for enterprise walkthroughs.
Launch Gate and QA Strategy
Local release gate commands:
pnpm lint
pnpm test
pnpm build
Launch-gate status as of April 25, 2026:
pnpm lint: pass
pnpm test: pass (52 passed, 4 skipped)
pnpm build: pass
Playwright coverage included:
- route rendering and overflow checks
- motion behavior and deep-section reveal checks
- demo-case progression through Scene 12
- reduced-motion equivalence checks
- auth, licensing session, and webhook determinism scenarios
Technical Decisions That Paid Off
- Treat content claims as code. Typed content modules improved reviewability for sensitive product language.
- Make evidence states first-class UX language. Badges and copy consistently separated direct support, inference, and unresolved gaps.
- Centralize motion. Shared wrappers avoided fragile per-page animation regressions.
- Pair marketing with auth and licensing readiness. Public polish and account infrastructure matured together.
- Use an explicit launch gate. lint/test/build plus live checks made release confidence measurable.
Challenges and Tradeoffs
- We needed strong visual quality without reading like a generic AI startup.
- We had to preserve forensic tone while still improving conversion.
- We balanced rich scroll storytelling with accessibility and reduced-motion parity.
- We tuned QA concurrency for more deterministic local gate behavior.
What’s Next
Immediate focus is the external Beta/GA cut for early enterprise adopters.
Post-launch roadmap focus includes Safari/Brave coverage, deeper Windows registry enrichment, and broader agent-framework artifact support while preserving strict zero-hallucination evidentiary standards.
Near-term execution items:
- complete and record recurring manual interactive auth checks across preview and production
- deepen docs coverage without weakening public claim boundaries
- iterate on conversion UX while preserving the “do not send evidence via website” posture
Building TraceLedger has required balancing modern AI behavior reconstruction with uncompromising forensic rigor.
The goal is not only to recover chats, but to reconstruct the shadow workflows that increasingly define modern AI-assisted activity.
The core lesson has been simple: for investigation software, marketing quality is trust quality.
When the website is precise about evidence boundaries, provenance, and unresolved gaps, the product promise is stronger before the first demo.