TG-AUDIT-LOG
TrustGate Audit Log Engine
0. Identity
Depends on module:
1. Purpose
The TrustGate Audit Log Engine records immutable audit events across the TrustGate runtime.
It captures the operational evidence needed to reconstruct who did what, which engine executed, which policy applied, which data artifact was affected, which decision was issued, which reviewer action occurred, and which downstream assurance systems received the resulting event.
The engine is the operational memory of TrustGate.
It ensures that every material TrustGate action becomes part of an auditable, replay-aware, DAL-anchorable evidence trail that supports OARM, AAE, VIZZ, AII, FAGF governance, regulator inspection, and third-party assurance.
The Audit Log Engine does not decide trust, compute scores, validate data, or anchor ledgers directly. It records the evidence required to prove that those actions happened correctly.
2. Position within TrustGate Runtime
All TrustGate Engines
│
▼
──────────────────────────────────────────
Audit Log Engine
──────────────────────────────────────────
│
├── Runtime Audit Event
├── Reviewer Action Record
├── Policy Action Record
├── Evidence Chain Record
├── Security Event Record
├── DAL Anchor Candidate
└── AII / DSAIL Telemetry
The Audit Log Engine receives events from the entire TrustGate runtime, including:
- Signal Parser;
- Structure Validation Engine;
- Signal Normalizer;
- Context Enrichment Engine;
- Rule Evaluation Engine;
- Policy Resolution Engine;
- Trust Scoring Engine;
- Decision Engine;
- Quarantine Manager;
- Replay Engine;
- Attestation Engine;
- DAL Anchor Engine;
- Federation Exchange Engine;
- AI Feedback Engine.
3. Canonical Identity
| Property | Value |
|---|---|
| MEID | MEID_TRUST_MONITOR_AUDIT |
| CMI | vera.TG-AUDIT.ENGINE.LOGGER.1_0_0 |
| KIND | ENGINE |
| Owner Module | Verification & Assurance |
| Runtime Tier | Tier-0 Assurance Runtime |
| Engine Category | MONITOR |
| Engine Domain | trust |
| ZAR Registration | Required |
| Replay Support | Native |
| DAL Anchoring | Policy-based / Critical Events Required |
| Federation Aware | Yes |
The MEID identifies the stable logical audit logging engine.
The CMI identifies this specific versioned executable artifact.
4. Runtime Responsibilities
| Responsibility | Description |
|---|---|
| Runtime Audit Logging | Record all material TrustGate runtime actions. |
| Evidence Chain Construction | Connect audit events into a coherent evidence chain. |
| Reviewer Action Logging | Record manual review, override, release, rejection, and escalation actions. |
| Policy Action Logging | Record which policy bundles and thresholds influenced runtime outcomes. |
| Security Event Logging | Record authentication, authorization, signature, and identity events. |
| Replay Context Logging | Record replay creation, replay result, and replay drift evidence. |
| DAL Candidate Creation | Emit anchor candidates for audit records requiring tamper-evident integrity. |
| Federation Audit Logging | Record cross-ECO imports, exports, verifications, and conflicts. |
| AII Telemetry | Provide audit coverage and evidence completeness metrics. |
| Governance Reporting | Support FAGF audits, OARM replay, and VIZZ audit dashboards. |
The engine must preserve audit event immutability.
5. Audit Event Classes
TrustGate audit events are grouped into canonical classes.
| Audit Class | Description |
|---|---|
RUNTIME_EVENT | Engine execution, state transition, or pipeline action. |
VALIDATION_EVENT | Validation result, validation failure, or rule outcome. |
SCORING_EVENT | Trust score calculation and confidence output. |
DECISION_EVENT | Accept, route, review, quarantine, reject, or abort decision. |
REVIEWER_ACTION | Human review, approval, rejection, override, or escalation. |
POLICY_ACTION | Policy resolution, threshold application, or policy override. |
REPLAY_EVENT | Replay manifest creation, result, or drift. |
DAL_EVENT | Anchor submission, verification, failure, or proof retrieval. |
FEDERATION_EVENT | Cross-ECO import, export, verification, or conflict. |
SECURITY_EVENT | Authentication, authorization, DID, signature, or access-control event. |
AI_EVENT | AI recommendation, feedback, calibration, or suppression event. |
GOVERNANCE_EVENT | FAGF-controlled action, approval, or compliance checkpoint. |
6. Audit Severity Levels
| Severity | Meaning |
|---|---|
info | Routine operational audit event. |
notice | Important but expected system action. |
warning | Non-blocking issue requiring visibility. |
error | Failed operation requiring follow-up. |
critical | High-impact assurance, security, replay, or governance issue. |
blocking | Event prevents safe continuation of processing. |
Severity should align with the platform-wide Validation Rule Registry and FAGF policy profiles.
7. Runtime Processing Pipeline
Receive Runtime Event
│
▼
Classify Audit Event
│
▼
Validate Audit Schema
│
▼
Attach Identity and Engine Context
│
▼
Attach Policy and Lineage Context
│
▼
Assign Severity and Retention Class
│
▼
Create Immutable Audit Record
│
▼
Emit Evidence Chain Link
│
▼
Queue DAL Anchor Candidate if Required
│
▼
Publish Telemetry
The Audit Log Engine must be non-destructive and append-only.
8. Processing Algorithm
function audit(event):
audit_class = classify_event(event)
validate_schema(event, audit_class)
context = resolve_context(
event.signal_id,
event.eco_number,
event.engine_cmi,
event.policy_bundle
)
severity = resolve_severity(event, audit_class, context.policy)
retention = resolve_retention(event, severity, context.policy)
audit_record = create_audit_record(
event,
audit_class,
context,
severity,
retention
)
evidence_link = link_to_evidence_chain(audit_record)
if requires_dal_anchor(audit_record):
queue_dal_anchor_candidate(audit_record)
publish_audit_telemetry(audit_record)
return audit_record
Audit record generation must be deterministic for identical event input and policy context.
9. Evidence Chain Model
The Audit Log Engine links audit events into evidence chains.
An evidence chain represents the ordered assurance history of a signal, assessment, replay, attestation, or federation package.
Signal Received
│
▼
Parsed
│
▼
Validated
│
▼
Normalized
│
▼
Enriched
│
▼
Scored
│
▼
Decisioned
│
▼
Replay Manifest Created
│
▼
Attested
│
▼
DAL Anchored
│
▼
Federated
Each audit event includes:
- previous audit event hash;
- current audit event hash;
- signal identifier;
- engine CMI;
- MEID;
- policy context;
- timestamp;
- actor or service identity.
This creates an internal hash-linked operational audit trail.
10. Audit Hashing Model
Audit event hashes are computed over canonical audit records.
Evidence chain links may be calculated as:
Where:
$H_{audit}$is the current audit record hash;$H_{previous}$is the previous chain hash;$H_{chain}$is the resulting evidence chain hash.
Critical audit events should be anchored in DAL.
11. CSI Contracts
11.1. Input CSIs
| CSI | Required | Purpose |
|---|---|---|
comp.TG.INPUT.RUNTIME-EVENT.v1_0 | Yes | Generic TrustGate runtime event. |
comp.TG.INPUT.TRUST-DECISION.v1_0 | Conditional | Decision event to audit. |
comp.TG.INPUT.REVIEWER-ACTION.v1_0 | Conditional | Human action to audit. |
comp.TG.INPUT.REPLAY-RESULT.v1_0 | Conditional | Replay event to audit. |
comp.DAL.INPUT.VERIFICATION-EVENT.v1_0 | Conditional | DAL verification event. |
comp.AFLE.INPUT.FEDERATION-EVENT.v1_0 | Conditional | Federation event. |
comp.FAGF.INPUT.POLICY-CONTEXT.v1_0 | Yes | Active audit and retention policy. |
11.2. Output CSIs
| CSI | Purpose |
|---|---|
comp.TG.OUTPUT.AUDIT-RECORD.v1_0 | Canonical TrustGate audit record. |
comp.TG.OUTPUT.EVIDENCE-CHAIN-LINK.v1_0 | Evidence chain link. |
comp.TG.EVENT.AUDIT-RECORDED.v1_0 | Audit record creation event. |
comp.DAL.INPUT.ANCHOR-CANDIDATE.v1_0 | DAL anchor candidate for critical audit records. |
comp.AII.INPUT.AUDIT-TELEMETRY.v1_0 | AII audit coverage telemetry. |
comp.DSAIL.INPUT.AUDIT-FEEDBACK.v1_0 | AI learning feedback for audit anomalies. |
12. Canonical Audit Input
{
"runtime_event_id": "TGEVT-2026-00001472",
"event_type": "trustgate.decision.issued",
"audit_class": "DECISION_EVENT",
"signal_id": "SIG-2026-00001472",
"eco_number": "ECO-A123",
"engine_cmi": "vera.TG-DECISION.ENGINE.ROUTER.1_0_0",
"meid": "MEID_TRUST_ROUTE_DECISION",
"policy_bundle": "FAGF-2026.2",
"payload_ref": "s3://zayaz-artifacts/trustgate/TGD-2026-00001472.json",
"created_at": "2026-06-25T14:05:10Z"
}
13. Canonical Audit Record
{
"audit_id": "TGAUD-2026-00001472",
"event_type": "trustgate.decision.issued",
"audit_class": "DECISION_EVENT",
"severity": "notice",
"signal_id": "SIG-2026-00001472",
"eco_number": "ECO-A123",
"actor": {
"type": "service",
"id": "trustgate-decision-engine"
},
"engine": {
"meid": "MEID_TRUST_ROUTE_DECISION",
"cmi": "vera.TG-DECISION.ENGINE.ROUTER.1_0_0"
},
"policy": {
"policy_bundle": "FAGF-2026.2",
"retention_class": "assurance-critical"
},
"hashes": {
"payload_hash": "sha256:2f93ad...",
"audit_hash": "sha256:aa71d0...",
"previous_chain_hash": "sha256:04cc91...",
"evidence_chain_hash": "sha256:11dc88..."
},
"dal_anchor_required": true,
"created_at": "2026-06-25T14:05:10Z"
}
14. Reviewer Action Record
{
"audit_id": "TGAUD-2026-00001501",
"event_type": "trustgate.reviewer.action",
"audit_class": "REVIEWER_ACTION",
"signal_id": "SIG-2026-00001472",
"quarantine_id": "TGQ-2026-00001472",
"actor": {
"type": "user",
"id": "assurance.reviewer@eco-a123.com",
"role": "assurance_reviewer"
},
"action": "release_from_quarantine",
"reason": "identity_revalidated_and_signature_verified",
"approval_required": true,
"approval_status": "approved",
"created_at": "2026-06-26T09:14:03Z"
}
Reviewer actions must be immutable and must preserve reviewer identity, role, approval basis, and policy context.
15. Security Audit Event
{
"audit_id": "TGAUD-2026-00001520",
"event_type": "trustgate.security.signature_failed",
"audit_class": "SECURITY_EVENT",
"severity": "critical",
"eco_number": "ECO-B456",
"signal_id": "SIG-2026-00001892",
"security_context": {
"failure_type": "signature_verification_failed",
"verification_method": "did:zayaz:ECO-B456#trustgate-key",
"source_ip_class": "federation-node",
"action": "rejected"
},
"dal_anchor_required": true,
"created_at": "2026-06-25T14:08:41Z"
}
Critical security events must be eligible for DAL anchoring and governance review.
16. Audit Recorded Event
{
"event_type": "trustgate.audit.recorded",
"audit_id": "TGAUD-2026-00001472",
"audit_class": "DECISION_EVENT",
"signal_id": "SIG-2026-00001472",
"eco_number": "ECO-A123",
"evidence_chain_hash": "sha256:11dc88...",
"engine_cmi": "vera.TG-AUDIT.ENGINE.LOGGER.1_0_0",
"timestamp": "2026-06-25T14:05:10Z"
}
17. DAL Integration
The Audit Log Engine produces DAL anchor candidates for audit records that are:
- critical;
- blocking;
- security-relevant;
- reviewer-action relevant;
- federation-relevant;
- replay-drift relevant;
- policy-override relevant;
- auditor-requested;
- regulator-requested.
Example anchor candidate:
{
"artifact_type": "TrustAuditRecord",
"artifact_id": "TGAUD-2026-00001472",
"artifact_hash": "sha256:aa71d0...",
"engine_cmi": "vera.TG-AUDIT.ENGINE.LOGGER.1_0_0",
"meid": "MEID_TRUST_MONITOR_AUDIT",
"audit_class": "DECISION_EVENT",
"created_at": "2026-06-25T14:05:10Z"
}
Final anchoring is performed by the TrustGate DAL Anchor Engine.
18. Replay Behaviour
Audit record creation must be replay deterministic.
Replay inputs include:
- source runtime event;
- actor identity;
- policy context;
- retention profile;
- previous evidence chain hash;
- canonical serialization version;
- engine CMI.
Replay verification succeeds when:
For evidence chains, replay also verifies:
19. Federation Behaviour
Audit records are generally internal, but federation-relevant audit summaries may be shared when policy permits.
Federation-safe audit exports may include:
- event type;
- timestamp;
- ECO Number;
- trust decision reference;
- DAL reference;
- replay reference;
- verification status;
- redacted reason code.
Federation exports must not include:
- internal reviewer notes;
- internal IP addresses;
- tenant-private policy details;
- personal data unless explicitly permitted;
- raw payloads unless authorized.
20. AI / DSAIL Integration
Audit events provide high-value AI governance signals.
DSAIL may consume:
- repeated validation failures;
- unusual reviewer override patterns;
- replay drift clusters;
- policy override frequency;
- federation conflict frequency;
- DAL verification anomalies;
- quarantine aging issues.
AI may recommend:
- increased sampling;
- reviewer workload balancing;
- trust model recalibration;
- policy review;
- anomaly investigation.
AI may not modify audit records, suppress audit records, or rewrite evidence chains.
21. AII Integration
Audit telemetry contributes to AII integrity, transparency, and assurance resilience dimensions.
{
"eco_number": "ECO-A123",
"period": "2026-Q2",
"audit_events_total": 883440,
"critical_audit_events": 42,
"reviewer_actions": 118,
"policy_overrides": 7,
"audit_dal_anchor_rate": 0.998,
"evidence_chain_completeness": 0.999,
"avg_audit_latency_ms": 12
}
22. Retention and Classification
Audit records must be assigned retention classes.
| Retention Class | Description |
|---|---|
operational | Routine runtime audit events. |
assurance-critical | Events required for assurance and replay. |
security-critical | Security, identity, signature, and access-control events. |
federation-critical | Cross-ECO exchange and verification events. |
regulatory | Events required for reporting and regulator inspection. |
model-governance | AI-related governance and feedback events. |
Retention periods are defined by FAGF and tenant policy.
23. Failure Handling
| Failure | Severity | Action |
|---|---|---|
| Missing runtime event | Critical | Abort |
| Invalid audit schema | Critical | Abort |
| Missing engine CMI | Critical | Abort |
| Missing ECO Number | Warning | Continue only if system event |
| Missing policy context | Critical | Use safest retention policy or abort |
| Hash generation failure | Critical | Abort |
| Evidence chain conflict | Critical | Escalate |
| DAL unavailable | Warning | Queue anchor candidate |
| Storage unavailable | Critical | Block critical pipeline if audit required |
| DSAIL unavailable | Info | Continue |
| AII unavailable | Warning | Queue telemetry |
For critical audit classes, TrustGate must fail closed if audit recording is unavailable.
24. Observability Metrics
| Metric | Description |
|---|---|
tg_audit_recorded_total | Total audit records created. |
tg_audit_failed_total | Failed audit record attempts. |
tg_audit_latency_ms | Audit creation latency. |
tg_audit_by_class_total | Audit record count by class. |
tg_audit_critical_total | Critical audit records. |
tg_audit_dal_candidate_total | Audit records queued for DAL anchoring. |
tg_audit_chain_conflict_total | Evidence chain conflicts. |
tg_audit_reviewer_action_total | Reviewer actions recorded. |
tg_audit_policy_override_total | Policy override events recorded. |
25. Performance Targets
| Metric | Target |
|---|---|
| Audit record creation latency | < 20 ms |
| Evidence chain link latency | < 10 ms |
| Hash generation latency | < 5 ms |
| Throughput | 50,000 audit events/sec per worker pool |
| Critical audit durability | 100% |
| Availability | 99.99% |
| Replay determinism | 100% |
26. Security Requirements
The engine must:
- enforce append-only audit writes;
- prevent audit record mutation;
- preserve actor identity;
- preserve service identity;
- record MEID and CMI in every audit record;
- hash every audit record;
- protect audit storage with encryption;
- support tenant isolation;
- enforce retention and deletion policies;
- prevent unauthorized audit reads;
- redact audit exports;
- anchor critical audit records in DAL.
27. Compliance Alignment
| Framework | Audit Log Engine Contribution |
|---|---|
| CSRD | Supports auditability of sustainability data controls and disclosures. |
| ESRS | Supports transparency, traceability, and data quality evidence. |
| ISSB / IFRS S1-S2 | Supports investor-grade control evidence. |
| ISO 14064-1 | Supports GHG verification and chain-of-custody evidence. |
| ISO 27001 | Supports logging, monitoring, access control, and evidence retention. |
| EU AI Act | Supports AI decision traceability and human oversight records. |
28. Developer Implementation Notes
Developers should implement the Audit Log Engine as an append-only event recording service.
Recommended design:
- event classifier;
- schema validator;
- context resolver;
- severity resolver;
- retention resolver;
- canonical serializer;
- audit hash generator;
- evidence chain linker;
- immutable audit store;
- DAL anchor candidate publisher;
- AII telemetry publisher;
- DSAIL anomaly feedback publisher;
- VIZZ audit dashboard feed.
Audit writes for critical events should be synchronous where policy requires. Routine operational events may be asynchronous.
29. Summary
The TrustGate Audit Log Engine provides the immutable evidence trail required for TrustGate assurance, replay, governance, security, and federation operations.
It ensures every material runtime action is traceable, replay-aware, hash-linked, policy-contextualized, and eligible for DAL anchoring.
No TrustGate assurance decision should be considered audit-ready unless its material runtime events have been recorded by this engine or an equivalent FAGF-authorized audit mechanism.