diff --git a/docs/AUDIT_TRAIL_PRD.md b/docs/AUDIT_TRAIL_PRD.md index 2d3a20f..2b05421 100644 --- a/docs/AUDIT_TRAIL_PRD.md +++ b/docs/AUDIT_TRAIL_PRD.md @@ -1,5 +1,21 @@ # PRD: Production-Ready Audit Trail +> **⚠ OVER-SCOPED — 9-phase plan needs to shrink for local-only deployment.** +> +> 2026-05-03 evening: J reframed the system as local-only per PRD line 70. The 9-phase plan in §8 was sized for SaaS-tier infrastructure with cloud HSM, separate identity daemon, dual-control JWT, etc. For a single-box local deployment, audit trail can be a few hundred LOC of local writers + a signed local file, not a 17-20 day phase plan. +> +> **What stays valid:** +> - The legal use case (worked example: John Martinez at Warehouse B requests audit) — this is the real problem +> - The §10.5 jurisdictional surface (IL BIPA, IN, federal) — counsel reads this +> - The §3 surface map: where decisions get made today (file:line evidence — see `AUDIT_PHASE_1_DISCOVERY.md`) +> - Phase 1.6 BIPA pre-launch gates — those still apply when real photos arrive +> +> **What's over-scoped:** +> - The 9-phase implementation plan (§8) — should compress to 3-4 phases for local-only +> - The identity service design (`IDENTITY_SERVICE_DESIGN.md`) — see that doc's deprecation header +> +> Do NOT execute the §8 phase plan as-written. When J greenlights, draft a v2 plan sized for local single-box. + **Status:** Draft — 2026-05-03 · **Owner:** J · **Drafted by:** working session 2026-05-03 > **Why this document exists.** Staffing client won't sign until we can prove the AI system can defend a discrimination claim. We've been claiming "production-ready" off smoke + parity tests; those prove the surface compiles, NOT that an audit response can be produced for a specific person. This PRD writes the audit-trail capability down before we start building it, so the phases are accountable and the scope doesn't drift mid-implementation. 
diff --git a/docs/IDENTITY_SERVICE_DESIGN.md b/docs/IDENTITY_SERVICE_DESIGN.md index 2231fab..2003a64 100644 --- a/docs/IDENTITY_SERVICE_DESIGN.md +++ b/docs/IDENTITY_SERVICE_DESIGN.md @@ -1,5 +1,15 @@ # Identity Service — Phase 2 Design (v2 — post-scrum revisions) +> **⚠ OVER-SCOPED FOR LOCAL-ONLY DEPLOYMENT — needs simpler rewrite before implementation.** +> +> 2026-05-03 evening: J reframed the system as local-only per PRD line 70 ("Everything runs locally — no cloud APIs"). This document was drafted assuming SaaS-tier infrastructure (HashiCorp Vault, AWS KMS, S3 Object Lock, dual-control JWT split-secret ceremony, mTLS CA, separate Postgres database). For J's local-only single-box deployment serving IL+IN staffing, the audit trail can be MUCH smaller: local SQLite or Postgres, local key file, local HMAC chain to an append-only JSONL. +> +> The discovery findings in `AUDIT_PHASE_1_DISCOVERY.md` and `AUDIT_PHASE_1_5_BIPA_AND_OUTCOMES.md` remain valid (PII flow paths, BIPA exposure, etc.). The PROBLEM is real. This DOC's solution shape is wrong for the deployment. +> +> Do NOT implement this document as-written. When J greenlights audit-trail work, draft a v3 that's local-only sized (~3-5 days, not 17-20). +> +> See `STATE_OF_PLAY.md` "PRD line 70 is load-bearing" entry for the binding direction. + **Status:** Draft v2 — 2026-05-03 · **Owner:** J · **Drafted by:** working session 2026-05-03 **Companion to:** [`AUDIT_TRAIL_PRD.md`](AUDIT_TRAIL_PRD.md), [`AUDIT_PHASE_1_DISCOVERY.md`](AUDIT_PHASE_1_DISCOVERY.md), [`AUDIT_PHASE_1_5_BIPA_AND_OUTCOMES.md`](AUDIT_PHASE_1_5_BIPA_AND_OUTCOMES.md)
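Review bot: In the docs/AUDIT_TRAIL_PRD.md hunk, the first banner paragraph cites "PRD line 70" by line number without quoting it, and this same hunk adds 16 lines to the top of the file (@@ -1,5 +1,21 @@), so if the reference is to this document it no longer points at the same line. Quote the sentence, as the IDENTITY_SERVICE_DESIGN.md banner does ("Everything runs locally — no cloud APIs"), and cite a section heading instead of a line number. The two banners also describe the reduced design differently ("a signed local file" here, "local HMAC chain to an append-only JSONL" there). Use one description in both so the v2 plan and the v3 design start from the same target.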
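Review bot: In the docs/IDENTITY_SERVICE_DESIGN.md hunk, the banner's replacement shape ("local key file, local HMAC chain to an append-only JSONL") puts the HMAC key on the same single box as the log it protects, and the banner does not say who can read that key. HMAC is symmetric, so any account that can read the key file can rewrite the JSONL and recompute the chain. For a trail whose stated purpose in the PRD is defending a discrimination claim, that is the main property lost when Vault, KMS and S3 Object Lock are dropped. Suggest recording it in the banner as an open question for v3 (key file ownership and permissions, and whether the chain head is periodically copied somewhere the application account cannot write) rather than presenting the local shape as settled. The estimate "~3-5 days, not 17-20" should also be marked as provisional until that question is answered.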