TG-ATTC-3
TrustGate - Signal Attestation Catalog - Appendicies
APPENDIX A — Canonical Artifact Summary
A.1. Purpose
This appendix provides a consolidated reference of the canonical artifacts defined by the TrustGate architecture.
It serves as a high-level reference for developers, architects, auditors, and implementers by summarizing the purpose, lifecycle, persistence, and governance responsibilities of each artifact.
Unless otherwise specified, the canonical definition of each artifact is provided by its respective TrustGate specification.
A.2. Architectural Layers
TrustGate artifacts belong to one of three constitutional layers.
| Layer | Purpose |
|---|---|
| Registry Objects | Canonical definitions governed through registries |
| Runtime Artifacts | Immutable operational artifacts produced during execution |
| Published Assurance Artifacts | Canonical artifacts exchanged, verified, and governed across ZAYAZ Domains |
Each layer has distinct governance responsibilities.
A.3. Registry Objects
Registry Objects define governed metadata and constitutional definitions.
They are maintained through controlled publication workflows and are never created automatically during runtime.
| Artifact | Identifier | Registry | Purpose |
|---|---|---|---|
| Validation Rule | VRID | zar.validation_rule_registry | Defines canonical validation logic |
| Trust Intelligence | TIID | zar.trust_intelligence_registry | Defines AI-generated Trust Intelligence Objects |
| Trust Object | TOID | zar.trust_object_registry | Defines canonical Trust Objects |
| Trust Vector | TVID | zar.trust_vector_registry | Defines canonical Trust Vectors |
| Trust Operational Flag | (system managed) | zar.trust_operational_flag | Defines operational trust conditions |
| Trust Lifecycle State | (system managed) | zar.trust_lifecycle_state | Defines governed lifecycle states |
| Trust Status | (system managed) | zar.trust_status | Defines canonical trust status values |
Registry Objects provide the constitutional vocabulary of TrustGate.
A.4. Runtime Artifacts
Runtime Artifacts are generated automatically during platform execution.
They preserve operational history while remaining immutable after creation.
| Artifact | Primary Identifier | Purpose |
|---|---|---|
| USO Instance | USO ID | Runtime signal instance |
| TG-VRES | USO lineage | Validation result |
| TG-VEVID | VEVID | Validation evidence |
| TG-AEVENT | Telemetry Event ID | Attestation runtime event |
| TG-INTEL | TIID | AI-generated Trust Intelligence |
| TrustGate Telemetry Event | Event ID | Operational monitoring and telemetry |
Runtime Artifacts document platform execution.
They do not define constitutional governance.
A.5. Published Assurance Artifacts
Published Assurance Artifacts represent governed, exchangeable trust objects.
They are immutable once published.
| Artifact | Identifier | Registry | Purpose |
|---|---|---|---|
| TG-ATTEST | TAID | zar.trust_attestation_registry | Canonical Trust Attestation |
| Trust Object | TOID | zar.trust_object_registry | Published trust assessment |
| Trust Vector | TVID | zar.trust_vector_registry | Published trust dimension |
| Federation Package (TG-FPACK) | (future) | Federation Registry | Exchange package between ZAYAZ Domains |
Published Assurance Artifacts form the constitutional trust layer of TrustGate.
A.6. Canonical Artifact Relationships
The following diagram illustrates the relationship between the principal TrustGate artifacts.
Signal
↓
USO Instance
↓
Validation Rule (VRID)
↓
TG-VRES
↓
TG-VEVID
↓
Trust Object (TOID)
↓
Trust Vector (TVID)
↓
TG-ATTEST (TAID)
↓
TG-INTEL (TIID)
↓
Federation Exchange
↓
Receiving ZAYAZ Domain
Each artifact contributes additional assurance while preserving complete computational lineage.
A.7. Artifact Responsibilities
Each canonical artifact has a single constitutional responsibility.
| Artifact | Constitutional Responsibility |
|---|---|
| VRID | Defines validation logic |
| TG-VRES | Records validation outcome |
| TG-VEVID | Preserves validation evidence |
| TO | Represents trust assessment |
| TV | Represents trust dimensions |
| TG-ATTEST | Certifies trust |
| TG-INTEL | Interprets trust |
| TG-AEVENT | Records attestation runtime execution |
No artifact duplicates the responsibility of another.
A.8. Lifecycle Categories
Canonical artifacts participate in different lifecycle models.
| Category | Lifecycle |
|---|---|
| Registry Objects | Governed publication lifecycle |
| Runtime Artifacts | Immutable runtime lifecycle |
| Published Artifacts | CALM lifecycle |
Lifecycle semantics are defined by the Canonical Artifact Lifecycle Model (CALM).
A.9. Persistence Summary
The following registries constitute the canonical persistence layer for TrustGate.
| Registry | Primary Purpose |
|---|---|
zar.validation_rule_registry | Validation definitions |
zar.trust_object_registry | Trust Objects |
zar.trust_vector_registry | Trust Vectors |
zar.trust_intelligence_registry | Trust Intelligence |
zar.trust_attestation_registry | Trust Attestations |
zar.trustgate_telemetry_event | Runtime telemetry |
zar.uso_instance | Runtime signal lineage |
Additional implementation tables may exist but shall not replace the canonical registries defined by this specification.
A.10. Architectural Principles
The canonical artifact model is governed by the following principles.
- Every canonical artifact has exactly one constitutional responsibility.
- Every published artifact shall possess a canonical identifier.
- Runtime artifacts shall remain immutable.
- Registry Objects shall define—but never duplicate—runtime behavior.
- Published artifacts shall preserve complete lineage.
- Trust Intelligence shall interpret—not replace—published assurance.
- Federation shall preserve artifact identity.
- Replay shall preserve artifact integrity.
These principles are normative.
A.11. Summary
The TrustGate architecture is built upon a coherent family of canonical artifacts that separate governance, execution, assurance, intelligence, and federation into clearly defined constitutional responsibilities.
By distinguishing Registry Objects, Runtime Artifacts, and Published Assurance Artifacts, the platform achieves deterministic execution, complete traceability, replayable assurance, explainable intelligence, and interoperable federation while maintaining a clean and scalable architectural model.
APPENDIX B — Canonical Identifier Reference
B.1. Purpose
This appendix provides a consolidated reference for the canonical identifiers used by the TrustGate architecture.
All identifiers defined herein are governed by the Canonical Identifier Architecture (CIA), which establishes the principles for identity generation, uniqueness, immutability, lifecycle, and traceability across the ZAYAZ platform.
This appendix summarizes the identifiers used by TrustGate and their relationships to canonical artifacts.
B.2. Architectural Principles
Every canonical identifier shall:
- identify exactly one governed object;
- remain globally unique;
- remain immutable after publication;
- support deterministic replay;
- preserve lineage;
- support federation;
- be governed by CIA.
Identifiers shall never be regenerated for existing artifacts.
B.3. Platform Identifier Family
The following identifiers are platform-wide identifiers defined by the Canonical Identifier Architecture.
| Identifier | Name | Governs | Canonical Registry |
|---|---|---|---|
| CSI | Canonical Signal Identifier | Signal semantics | SSSR |
| CMID | Canonical Managed Identifier | Managed component | ZAR |
| USO ID | Universal Signal Ontology Instance Identifier | Runtime signal instance | zar.uso_instance |
These identifiers form the foundation upon which TrustGate operates.
B.4. TrustGate Identifier Family
TrustGate introduces additional identifiers for governed assurance artifacts.
| Identifier | Canonical Artifact | Registry |
|---|---|---|
| VRID | Validation Rule | zar.validation_rule_registry |
| VEVID | Validation Evidence | Validation Evidence Registry |
| TOID | Trust Object | zar.trust_object_registry |
| TVID | Trust Vector | zar.trust_vector_registry |
| TAID | Trust Attestation | zar.trust_attestation_registry |
| TIID | Trust Intelligence | zar.trust_intelligence_registry |
Each identifier governs one constitutional artifact family.
B.5. Identifier Responsibilities
Every identifier has exactly one constitutional responsibility.
| Identifier | Responsibility |
|---|---|
| CSI | Defines what a signal means |
| CMID | Identifies who produced or processed it |
| USO ID | Identifies the runtime occurrence of the signal |
| VRID | Identifies the validation rule applied |
| VEVID | Identifies the validation evidence collected |
| TOID | Identifies the Trust Object produced |
| TVID | Identifies the Trust Vector produced |
| TAID | Identifies the published Trust Attestation |
| TIID | Identifies the Trust Intelligence Object |
No identifier duplicates another.
B.6. Identifier Relationships
The identifiers participate in a deterministic lineage.
CSI
\
\
USO ID
/
CMID
↓
VRID
↓
VEVID
↓
TOID
↓
TVID
↓
TAID
↓
TIID
Every identifier contributes additional governance without replacing upstream identity.
B.7. Identifier Persistence
Identifiers are persisted within their respective canonical registries.
| Identifier | Registry |
|---|---|
| CSI | Signal Semantic Source Registry (SSSR) |
| CMID | ZAYAZ Artifact Registry (ZAR) |
| USO ID | zar.uso_instance |
| VRID | zar.validation_rule_registry |
| VEVID | Validation Evidence Registry |
| TOID | zar.trust_object_registry |
| TVID | zar.trust_vector_registry |
| TAID | zar.trust_attestation_registry |
| TIID | zar.trust_intelligence_registry |
Registries remain the canonical source of truth for their governed artifacts.
B.8. Identifier Lifecycle
Identifiers remain constant throughout the lifecycle of their associated artifacts.
Lifecycle state transitions shall never change an identifier.
For example:
Draft
↓
Approved
↓
Published
↓
Operational
↓
Revoked
↓
Archived
The artifact lifecycle changes.
The identifier does not.
B.9. Identifier Federation
During federation:
- identifiers shall be preserved;
- identifiers shall not be regenerated;
- identifiers shall remain globally unique;
- receiving ZAYAZ Domains shall reference original identifiers.
Federation therefore exchanges governed artifacts—not new identities.
B.10. Identifier Replay
Replay execution shall preserve every canonical identifier.
Replay shall therefore reproduce:
- CSI;
- CMID;
- USO ID;
- VRID;
- VEVID;
- TOID;
- TVID;
- TAID;
- TIID.
Identifier preservation is a constitutional requirement for deterministic replay.
B.11. Identifier Governance
Identifier generation shall comply with the Canonical Identifier Architecture (CIA).
CIA defines:
- generation algorithms;
- uniqueness requirements;
- version semantics;
- publication rules;
- federation behavior;
- governance responsibilities.
This specification references CIA but does not redefine identifier generation.
B.12. Identifier Invariants
The following invariant families govern canonical identifiers.
| Invariant Family | Scope |
|---|---|
| CIA-* | Platform-wide identifier governance |
| TGATT-* | Trust Attestation identifiers |
| TGVAL-* | Validation identifiers |
| TGTRUST-* | Trust identifiers |
| TGINTEL-* | Trust Intelligence identifiers |
| CIR-* | Constitutional identifier rules |
Normative invariant definitions are maintained by the Canonical Invariant Registry (CIR).
B.13. Summary
The Canonical Identifier Reference establishes the governed identity model for TrustGate.
By extending the platform-wide identifiers defined by the Canonical Identifier Architecture with the TrustGate-specific identifiers VRID, VEVID, TOID, TVID, TAID, and TIID, the architecture provides complete, immutable, replayable, and federatable identity across the assurance lifecycle.
Each identifier governs exactly one constitutional artifact, ensuring that identity, semantics, execution, trust, attestation, and intelligence remain distinct while preserving complete lineage throughout the ZAYAZ ecosystem.
APPENDIX C — Attestation Type Catalog
C.1 Purpose
This appendix defines the canonical catalog of TrustGate Attestation Types.
Attestation Types classify the constitutional purpose of a Trust Attestation (TG-ATTEST) while remaining independent of implementation details.
Each published Trust Attestation shall declare exactly one canonical Attestation Type.
The catalog is normative.
C.2 Architectural Principles
Attestation Types shall:
- classify the purpose of an attestation;
- remain implementation independent;
- support deterministic replay;
- support federation;
- preserve explainability;
- remain immutable once published.
The Attestation Type describes what is being attested, not how the attestation was produced.
C.3 Canonical Attestation Type Catalog
| Code | Name | Purpose |
|---|---|---|
| ATT-VAL | Validation Attestation | Certifies validation outcomes. |
| ATT-EVD | Evidence Attestation | Certifies evidence integrity and completeness. |
| ATT-REP | Replay Attestation | Certifies deterministic replay results. |
| ATT-TRUST | Trust Attestation | Certifies Trust Objects and Trust Vectors. |
| ATT-POL | Policy Attestation | Certifies policy compliance. |
| ATT-GOV | Governance Attestation | Certifies governance decisions and approvals. |
| ATT-FED | Federation Attestation | Certifies cross-domain trust exchange. |
| ATT-DAL | Ledger Attestation | Certifies Distributed Assurance Ledger anchoring. |
| ATT-AI | AI Governance Attestation | Certifies AI governance, models, or explainability evidence. |
These Attestation Types constitute the constitutional vocabulary of TrustGate assurance.
C.4 ATT-VAL — Validation Attestation
Validation Attestations certify that one or more validation activities were successfully completed.
Typical references include:
- VRID;
- TG-VRES;
- TG-VEVID;
- USO lineage.
Typical use cases include:
- CSRD validation;
- ESG rule validation;
- regulatory compliance;
- quality assurance.
C.5 ATT-EVD — Evidence Attestation
Evidence Attestations certify the authenticity, completeness, and integrity of supporting evidence.
Typical references include:
- TG-VEVID;
- evidence repositories;
- source documents;
- external evidence providers.
Evidence Attestations strengthen trust without re-performing validation.
C.6 ATT-REP — Replay Attestation
Replay Attestations certify that historical computational replay has produced deterministic results.
Typical references include:
- replay execution;
- replay profile;
- replay checksum;
- replay lineage.
Replay Attestations demonstrate reproducibility.
C.7 ATT-TRUST — Trust Attestation
Trust Attestations certify published trust assessments.
Typical references include:
- TOID;
- TVID;
- Trust Status;
- Trust Lifecycle.
Trust Attestations represent the primary assurance artifacts produced by the Trust Model.
C.8 ATT-POL — Policy Attestation
Policy Attestations certify compliance with one or more governance or regulatory policies.
Typical references include:
- governance policies;
- validation policies;
- regulatory frameworks;
- constitutional rules.
Policy Attestations document compliance.