TG-ATTESTATION-ENGINE
TrustGate Attestation Engine
0. Identity
Depends on module:
1. Purpose
The TrustGate Attestation Engine generates verifiable assurance statements from finalized TrustGate runtime outcomes.
It converts TrustGate scores, decisions, replay manifests, policy context, lineage references, and identity metadata into structured trust attestations that can be used internally, anchored in DAL, exchanged through AFLE, referenced by Carbon Passports, and inspected by auditors or federation participants.
The Attestation Engine is not the source of the trust score. It packages already computed and decisioned assurance evidence into a verifiable attestation artifact.
The primary purpose is to answer:
What did TrustGate conclude, based on which evidence, under which software, policy, schema, and identity context?
2. Position within TrustGate Runtime
Trust Scoring
│
▼
Decision Engine
│
▼
Replay Engine
│
▼
──────────────────────────────────────────
Attestation Engine
──────────────────────────────────────────
│
├── Trust Attestation
├── Assurance Bundle
├── Carbon Passport Reference
├── AFLE Federation Package
└── DAL Anchor Candidate
The Attestation Engine executes after a valid TrustGate decision and replay manifest exist, unless policy allows provisional attestations.
3. Canonical Identity
| Property | Value |
|---|---|
| MEID | MEID_TRUST_ATTEST_GENERATOR |
| CMI | vera.TG-ATTEST.ENGINE.GENERATOR.1_0_0 |
| KIND | ENGINE |
| Owner Module | Verification & Assurance |
| Runtime Tier | Tier-0 Assurance Runtime |
| Engine Category | ATTEST |
| Engine Domain | trust |
| ZAR Registration | Required |
| Replay Support | Native |
| DAL Anchoring | Required |
| Federation Aware | Yes |
The MEID identifies the stable logical attestation engine.
The CMI identifies this specific versioned executable artifact.
4. Runtime Responsibilities
| Responsibility | Description |
|---|---|
| Trust Attestation Creation | Produce canonical TrustGate trust attestations. |
| Assurance Bundle Assembly | Package score, confidence, decision, replay, lineage, and policy references. |
| Identity Binding | Bind attestations to ECO Number and DID. |
| Evidence Binding | Bind attestations to USO, DAL, replay, CMI, CSI, and policy references. |
| Federation Packaging | Prepare AFLE-compatible attestation exchange objects. |
| Carbon Passport Referencing | Generate trust references for Carbon Passport and DPP workflows. |
| Signature Preparation | Prepare payloads for signing through the configured cryptographic service. |
| DAL Anchor Candidate Creation | Produce DAL anchor candidates for attestation artifacts. |
| Redaction Profile Application | Apply federation and disclosure redaction profiles. |
| Audit Event Emission | Emit immutable attestation events for OARM and AII. |
The engine must not alter the underlying score, decision, or replay evidence.
5. Attestation Types
TrustGate supports multiple attestation types.
| Attestation Type | Purpose |
|---|---|
TRUST_SCORE_ATTESTATION | Attests to TrustGate score and confidence. |
TRUST_DECISION_ATTESTATION | Attests to the final TrustGate decision. |
REPLAY_READY_ATTESTATION | Attests that replay prerequisites exist. |
CARBON_PASSPORT_TRUST_REFERENCE | Supplies assurance metadata to Carbon Passport assembly. |
FEDERATION_TRUST_ATTESTATION | AFLE-compatible cross-ECO trust package. |
AUDITOR_ASSURANCE_BUNDLE | Evidence package for auditor inspection. |
PROVISIONAL_ATTESTATION | Limited attestation before replay or DAL finalization. |
Policy controls which attestation types are permitted in each context.
6. Attestation Preconditions
A standard final attestation requires:
| Precondition | Required |
|---|---|
| Valid ECO Number | Yes |
| Valid DID or identity binding | Yes |
| Trust score exists | Yes |
| Confidence score exists | Yes |
| Trust decision exists | Yes |
| Replay manifest exists | Yes |
| Policy bundle recorded | Yes |
| Engine CMI map recorded | Yes |
| USO lineage exists | Yes |
| DAL anchor candidate exists | Yes |
| Redaction profile resolved | Conditional |
| Federation profile resolved | Conditional |
If a mandatory precondition is missing, the engine must either abort or emit a policy-controlled provisional attestation.
7. Runtime Processing Pipeline
Receive Attestation Request
│
▼
Resolve Trust Outcome
│
▼
Resolve Identity
│
▼
Resolve Lineage and Replay
│
▼
Resolve Policy and Redaction Profile
│
▼
Assemble Evidence References
│
▼
Generate Attestation Payload
│
▼
Prepare Signature Envelope
│
▼
Emit Attestation Event
│
▼
Queue DAL Anchor Candidate
The pipeline is deterministic and replayable.
8. Processing Algorithm
function attest(request):
trust_outcome = resolve_trust_outcome(request.signal_id)
identity = resolve_identity(trust_outcome.eco_number)
lineage = resolve_lineage(trust_outcome.uso_id)
replay = resolve_replay_manifest(trust_outcome.signal_id)
policy = resolve_attestation_policy(request.policy_context)
redaction_profile = resolve_redaction_profile(policy, request.target)
evidence_refs = assemble_evidence_refs(
trust_outcome,
identity,
lineage,
replay,
policy
)
payload = create_attestation_payload(
request.attestation_type,
evidence_refs,
redaction_profile
)
signature_envelope = prepare_signature(payload)
emit_attestation_event(payload)
queue_dal_anchor_candidate(payload)
return payload
The engine must ensure that attestation content is derived only from immutable source artifacts.
9. Attestation Data Model
The canonical attestation object contains:
| Field | Description |
|---|---|
attestation_id | Unique TrustGate attestation identifier. |
attestation_type | Type of attestation produced. |
eco_number | ECO Number bound to the attestation. |
did | DID or equivalent identity reference. |
signal_id | Signal being attested. |
trust_score | Trust score at time of attestation. |
confidence | Confidence score. |
decision | Final TrustGate decision. |
uso_id | Lineage reference. |
replay_id | Replay manifest reference. |
policy_bundle | Active governance policy. |
engine_cmi | Attestation engine version. |
evidence_refs | Evidence references included in attestation. |
signature | Signature envelope or signing reference. |
created_at | Creation timestamp. |
10. CSI Contracts
10.1. Input CSIs
| CSI | Required | Purpose |
|---|---|---|
comp.TG.INPUT.TRUST-SCORE.v1_0 | Yes | Trust score and confidence. |
comp.TG.INPUT.TRUST-DECISION.v1_0 | Yes | Final TrustGate decision. |
comp.TG.INPUT.REPLAY-MANIFEST.v1_0 | Yes | Replay manifest and replayability status. |
comp.USO.INPUT.LINEAGE-GRAPH.v1_0 | Yes | Operational lineage graph. |
comp.FAGF.INPUT.POLICY-CONTEXT.v1_0 | Yes | Active attestation policy. |
comp.EGFS.INPUT.IDENTITY-CONTEXT.v1_0 | Conditional | Federation identity and DID context. |
comp.DAL.INPUT.ANCHOR-CANDIDATE.v1_0 | Conditional | DAL anchor candidate reference. |
10.2. Output CSIs
| CSI | Purpose |
|---|---|
comp.TG.OUTPUT.TRUST-ATTESTATION.v1_0 | Canonical TrustGate attestation. |
comp.TG.OUTPUT.ASSURANCE-BUNDLE.v1_0 | Auditor-facing assurance evidence package. |
comp.AFLE.INPUT.FEDERATION-ATTESTATION.v1_0 | AFLE-compatible attestation package. |
comp.TG.OUTPUT.CARBON-PASSPORT-TRUST-REF.v1_0 | Carbon Passport trust reference. |
comp.TG.EVENT.ATTESTATION-CREATED.v1_0 | Attestation runtime event. |
comp.DAL.INPUT.ANCHOR-CANDIDATE.v1_0 | DAL anchor candidate. |
comp.AII.INPUT.ATTESTATION-TELEMETRY.v1_0 | AII attestation telemetry. |
11. Canonical Input Payload
{
"attestation_request_id": "TGAR-2026-00001472",
"attestation_type": "TRUST_DECISION_ATTESTATION",
"signal_id": "SIG-2026-00001472",
"eco_number": "ECO-A123",
"score_id": "TGS-2026-00001472",
"decision_id": "TGD-2026-00001472",
"replay_id": "TGR-2026-00001472",
"uso_id": "USO-98122",
"policy_context": {
"policy_bundle": "FAGF-2026.2",
"attestation_profile": "federation_trust_attestation_v1"
},
"target": {
"type": "AFLE",
"audience": "buyer",
"redaction_profile": "standard_federation"
},
"created_at": "2026-06-25T12:40:02Z"
}
12. Canonical Output Payload
{
"attestation_id": "TGATT-2026-00001472",
"attestation_type": "TRUST_DECISION_ATTESTATION",
"eco_number": "ECO-A123",
"did": "did:zayaz:ECO-A123",
"signal_id": "SIG-2026-00001472",
"trust_score": 0.914,
"confidence": 0.936,
"decision": "ACCEPT",
"lineage": {
"uso_id": "USO-98122",
"origin_chain_verified": true
},
"replay": {
"replay_id": "TGR-2026-00001472",
"replayable": true
},
"policy": {
"policy_bundle": "FAGF-2026.2",
"attestation_profile": "federation_trust_attestation_v1"
},
"evidence_refs": [
"TGS-2026-00001472",
"TGD-2026-00001472",
"TGR-2026-00001472",
"USO-98122"
],
"engine_cmi": "vera.TG-ATTEST.ENGINE.GENERATOR.1_0_0",
"meid": "MEID_TRUST_ATTEST_GENERATOR",
"signature": {
"type": "Ed25519Signature2020",
"verification_method": "did:zayaz:ECO-A123#trustgate-key",
"status": "prepared"
},
"created_at": "2026-06-25T12:40:02Z"
}
13. AFLE Federation Attestation Package
When prepared for AFLE, the attestation is wrapped in a federation-safe package.
{
"@context": [
"https://schema.zayaz.io/trustgate/attestation/v1"
],
"id": "urn:trustgate-attestation:TGATT-2026-00001472",
"issuer": "ECO-A123",
"issued_at": "2026-06-25T12:40:02Z",
"subject": {
"eco_number": "ECO-A123",
"did": "did:zayaz:ECO-A123"
},
"trust": {
"score": 0.914,
"confidence": 0.936,
"decision": "ACCEPT"
},
"lineage": {
"uso_id": "USO-98122",
"replay_id": "TGR-2026-00001472",
"dal_ref": "DAL-PENDING"
},
"proof": {
"type": "Ed25519Signature2020",
"proofPurpose": "assertionMethod",
"verificationMethod": "did:zayaz:ECO-A123#trustgate-key",
"jws": "PENDING_SIGNATURE"
}
}
The final jws value is produced by the configured signing service.
14. Carbon Passport Trust Reference
The Attestation Engine may emit trust references for Carbon Passport workflows.
{
"passport_trust_ref_id": "CPTR-2026-00001472",
"passport_id": "CP-2026-000087",
"attestation_id": "TGATT-2026-00001472",
"trust_score": 0.914,
"confidence": 0.936,
"decision": "ACCEPT",
"replay_id": "TGR-2026-00001472",
"dal_ref": "DAL-PENDING",
"created_at": "2026-06-25T12:40:02Z"
}
Carbon Passport trust references must preserve linkage to the underlying TrustGate attestation.
15. Attestation Event
{
"event_type": "trustgate.attestation.created",
"attestation_id": "TGATT-2026-00001472",
"attestation_type": "TRUST_DECISION_ATTESTATION",
"signal_id": "SIG-2026-00001472",
"eco_number": "ECO-A123",
"trust_score": 0.914,
"confidence": 0.936,
"decision": "ACCEPT",
"engine_cmi": "vera.TG-ATTEST.ENGINE.GENERATOR.1_0_0",
"timestamp": "2026-06-25T12:40:02Z"
}
16. DAL Integration
The Attestation Engine produces DAL anchor candidates for all final attestations.
{
"artifact_type": "TrustAttestation",
"artifact_id": "TGATT-2026-00001472",
"artifact_hash": "sha256:77fd22...",
"engine_cmi": "vera.TG-ATTEST.ENGINE.GENERATOR.1_0_0",
"meid": "MEID_TRUST_ATTEST_GENERATOR",
"attestation_type": "TRUST_DECISION_ATTESTATION",
"created_at": "2026-06-25T12:40:02Z"
}
Final anchoring is performed by the TrustGate DAL Anchor Engine.
17. Replay Behaviour
The engine must be replay deterministic.
Replay inputs include:
- score result;
- decision result;
- replay manifest;
- lineage graph reference;
- policy context;
- attestation profile;
- redaction profile;
- engine CMI.
Replay verification succeeds when:
Signature material may be excluded from deterministic replay if signing keys rotate. In that case, replay must verify the unsigned canonical payload hash.
18. Federation Behaviour
The Attestation Engine is the primary TrustGate producer of AFLE-compatible trust evidence.
Federation exports must:
- verify ECO Number;
- verify DID;
- include trust score and confidence;
- include decision;
- include replay reference;
- include DAL reference or anchor candidate;
- include policy bundle;
- apply redaction profile;
- preserve original evidence hashes.
Federation profiles determine whether detailed rule failures, reviewer notes, and source-system references may be shared.
19. AI Integration
The engine emits attestation outcomes to DSAIL.
AI may use attestation telemetry to:
- detect trust patterns;
- recommend sampling frequency;
- identify suppliers requiring attention;
- tune federation trust weighting;
- improve anomaly detection.
AI may not:
- create attestations autonomously;
- modify attestation evidence;
- suppress attestation failures;
- alter cryptographic proofs;
- remove required lineage references.
All AI influence must be recorded separately from factual attestation content.
20. AII Integration
Attestation telemetry contributes to AII.
{
"eco_number": "ECO-A123",
"period": "2026-Q2",
"attestations_created": 18440,
"federated_attestations": 3912,
"carbon_passport_trust_refs": 640,
"attestation_replayable_rate": 0.998,
"attestation_dal_ready_rate": 1.0,
"avg_attestation_confidence": 0.936
}
21. Failure Handling
| Failure | Severity | Action |
|---|---|---|
| Missing trust score | Critical | Abort |
| Missing decision | Critical | Abort |
| Missing ECO Number | Critical | Abort |
| Missing replay manifest | Critical | Abort unless provisional allowed |
| Missing policy context | Critical | Abort |
| Missing lineage reference | Critical | Abort |
| Missing redaction profile | Warning | Use safest default |
| Signing service unavailable | Warning | Emit prepared unsigned payload if policy permits |
| DAL unavailable | Warning | Queue anchor candidate |
| Federation unavailable | Warning | Create local attestation only |
The engine must fail closed for external or federation attestations.
22. Observability Metrics
| Metric | Description |
|---|---|
tg_attestation_created_total | Total attestations created. |
tg_attestation_federated_total | Attestations prepared for AFLE. |
tg_attestation_carbon_passport_total | Carbon Passport trust references produced. |
tg_attestation_failed_total | Failed attestation attempts. |
tg_attestation_latency_ms | Attestation creation latency. |
tg_attestation_missing_replay_total | Missing replay manifest failures. |
tg_attestation_signature_pending_total | Attestations waiting for signature. |
tg_attestation_dal_candidate_total | DAL candidates produced. |
23. Performance Targets
| Metric | Target |
|---|---|
| Attestation creation latency | < 75 ms |
| Federation package creation latency | < 150 ms |
| Carbon Passport trust reference latency | < 100 ms |
| Throughput | 5,000 attestations/sec per worker pool |
| Replay determinism | 100% for canonical payloads |
| Availability | 99.99% |
24. Security Requirements
The engine must:
- verify identity before attestation;
- ensure attestation source artifacts are immutable;
- use signed policy profiles;
- prepare signature envelopes using approved methods;
- support key rotation;
- prevent unsigned external export unless policy permits;
- redact sensitive data before federation;
- preserve all evidence hashes;
- record MEID and CMI in all outputs;
- emit immutable audit logs.
25. Compliance Alignment
| Framework | Attestation Engine Contribution |
|---|---|
| CSRD | Provides auditable assurance evidence for sustainability data. |
| ESRS | Supports traceability, data quality, and assurance transparency. |
| ISSB / IFRS S1-S2 | Supports investor-grade trust evidence. |
| ISO 14064-1 | Supports GHG verification evidence and chain-of-custody. |
| ISO 27001 | Supports cryptographic integrity and controlled evidence handling. |
| EU AI Act | Separates factual evidence from AI advisory metadata. |
| W3C VC / DID | Supports verifiable credentials and decentralized identity proofs. |
26. Developer Implementation Notes
Developers should implement the Attestation Engine as a deterministic artifact generator.
Recommended design:
- attestation profile resolver;
- evidence reference assembler;
- redaction profile applicator;
- canonical payload serializer;
- signature envelope preparer;
- DAL anchor candidate publisher;
- AFLE package exporter;
- Carbon Passport trust reference publisher;
- AII telemetry publisher.
Attestation payloads must be immutable after creation. Any correction requires a new attestation or revocation event.
27. Summary
The TrustGate Attestation Engine packages TrustGate scores, decisions, replay references, identity, lineage, and policy context into verifiable assurance artifacts.
It is the bridge between internal TrustGate runtime decisions and externally usable assurance evidence, including AFLE federation attestations, Carbon Passport trust references, auditor evidence packages, and DAL-anchored trust records.
No TrustGate trust claim should be exchanged outside the local runtime without a valid attestation produced by this engine or an equivalent FAGF-authorized process.