Skip to main content
Jira progress: loading…

TG-DAL-ANCHOR

TrustGate DAL Anchor Engine

0. Identity

Loading identity…

Depends on module:

Decision-grade verification and assurance domain that orchestrates verifier workflows, evidence handling, trust scoring, audit trails, and assurance packaging across CSRD/ESRS and other frameworks. Enables third-party sign-off, dispute handling, and assurance-ready disclosure outputs with replayable provenance.
Domain:
assurance-verification
Category:
trust-assurance
Classification:
module
Lifecycle status:
active
Semver:
1.0.0
Introduced in:
v0.3
Governance
AI risk level:
high
Trust threshold:
0.97
Human review required:
true
Verifier involved:
true
Audit required:
true
Ownership
Primary owner:
Platform
Architecture board:
true
White-label allowed:
true
Entrypoints
Docs:
/verification-assurance
UI:
/app/assurance
API:
/api/assurance
Dependencies
Modules
  • sis
  • input-hub
  • reports-insights-hub
  • zara
  • zaam
Unresolved tokens
  • ALTD
  • DAL
  • EvidenceVault
  • StripeConnect
  • TruliooKYB
  • TrustGate
  • VTE
  • VerifierWorkflowEngine
Engines (declared)
  • VerifierWorkflowEngine
  • DaVE
  • VTE
  • DICE
  • EvidenceVault
  • ALTD
  • DAL
  • TrustGate
  • StripeConnect
  • TruliooKYB
  • AISIM
Micro-engines (from registry)
None
Micro-engines (declared)
None
Signals
USO
  • ASSURANCE.VERIFICATION
  • ASSURANCE.EVIDENCE
  • ASSURANCE.SIGNOFF
  • AUDIT.LINEAGE
  • GOVERNANCE.TRUST
  • IDENTITY.VERIFIER
  • PAYMENT.ESCROW
CSI
  • CSI_VERIFICATION_ASSURANCE
SSSR tags
  • assurance
  • verification
  • verifiers
  • evidence
  • signoff
  • trust-score
  • audit
  • tamper-detection
  • blockchain
  • rfp
  • disputes
  • escrow
  • stripe-connect
Workflows & Outputs
Workflows
  • VerifierOnboardingAndQualification
  • AssuranceRFPAndProposalFlow
  • EvidenceRequestAndCollection
  • EvidenceValidationAndScoring
  • TrustScoreComputationAndPropagation
  • VerifierReviewAndCommenting
  • IssueFlaggingAndDisputeResolution
  • VerifierSignOffAndStamping
  • AssurancePackagingForReports
  • PaymentEscrowAndPayoutOrchestration
Outputs
  • verifier_profiles
  • assurance_requests
  • evidence_packages
  • validation_findings
  • trust_score_updates
  • signoff_stamps
  • assurance_ready_disclosure_packages
  • payment_events
Audit
Ledger:
ALTD
Replay supported:
true
PII policy:
controlled_pii_outside_omr
Tags

1. Purpose

The TrustGate DAL Anchor Engine is responsible for converting finalized TrustGate runtime artifacts into cryptographically verifiable Digital Assurance Ledger (DAL) anchor records.

It receives anchor candidates from TrustGate engines, canonicalizes and hashes the referenced artifacts, groups records into Merkle batches where appropriate, submits anchor payloads to DAL, receives ledger references, and emits verification events back into the TrustGate runtime.

The engine provides the cryptographic bridge between TrustGate operations and the immutable assurance layer of ZAYAZ.

The core purpose is to ensure that every material TrustGate outcome can later be independently verified by auditors, regulators, federation participants, buyers, suppliers, and internal assurance teams.


2. Position within TrustGate Runtime

Trust Scoring


Decision Engine


Replay Engine


Attestation Engine


──────────────────────────────────────────
DAL Anchor Engine
──────────────────────────────────────────

├── Canonical Hash
├── Merkle Batch
├── DAL Submission
├── Ledger Reference
└── Inclusion Proof

The DAL Anchor Engine executes after one or more TrustGate artifacts have reached an anchorable state.

Anchorable artifacts include:

  • trust score events;
  • decision events;
  • quarantine lifecycle events;
  • replay manifests;
  • replay results;
  • trust attestations;
  • federation packages;
  • AI feedback events where policy requires anchoring;
  • assurance evidence bundles.

3. Canonical Identity

PropertyValue
MEIDMEID_TRUST_ANCHOR_LEDGER
CMIvera.TG-DAL.ENGINE.ANCHOR.1_0_0
KINDENGINE
Owner ModuleVerification & Assurance
Runtime TierTier-0 Assurance Runtime
Engine CategoryANCHOR
Engine Domaintrust
ZAR RegistrationRequired
Replay SupportNative
DAL AnchoringNative
Federation AwareYes

The MEID identifies the stable logical ledger anchoring engine.

The CMI identifies this specific versioned implementation.


4. Runtime Responsibilities

ResponsibilityDescription
Anchor Candidate IntakeReceive anchorable TrustGate artifacts from upstream engines.
Canonical SerializationConvert artifacts into stable deterministic serialization.
Hash GenerationCompute cryptographic hashes over canonical payloads.
Merkle Batch AssemblyGroup anchor candidates into Merkle batches when policy permits.
DAL SubmissionSubmit root hashes, batch metadata, and artifact metadata to DAL.
Verification TrackingReceive and store DAL verification state and ledger references.
Proof BindingBind ledger references to TrustGate artifacts, USO lineage, replay manifests, and attestations.
Retry HandlingSafely retry failed submissions without duplicate anchoring.
Federation ReadinessPrepare DAL references for AFLE and EGFS exchange.
AII TelemetryEmit DAL integrity metrics for Assurance Intelligence Index computation.

The engine must not alter upstream artifacts. It only anchors canonicalized representations and returns ledger references.


5. Anchorable Artifact Types

Artifact TypeSource EngineDAL Required
TrustScoreEventTrust Scoring EngineYes
TrustDecisionEventDecision EngineYes
TrustQuarantineEventQuarantine ManagerYes
TrustReplayManifestReplay EngineYes
TrustReplayResultReplay Engine / OARM / AAEYes
TrustAttestationAttestation EngineYes
FederationTrustPackageAttestation / Federation EngineYes
CarbonPassportTrustReferenceAttestation EngineYes
AITrustFeedbackEventAI Feedback EnginePolicy-based
AuditReviewActionQuarantine / OARMPolicy-based

The canonical list should be maintained in ZAR and mirrored in the DAL artifact type registry.


6. Anchoring Model

The engine supports two anchoring modes.

ModeDescription
DIRECT_ANCHORSubmits a single artifact hash directly to DAL.
MERKLE_BATCH_ANCHORGroups multiple artifact hashes into a Merkle tree and submits the root hash.

Direct anchoring is used for high-criticality events.

Merkle batch anchoring is used for high-volume operational events.

The default mode is policy-controlled by artifact type.


7. Hashing Model

The canonical artifact hash is calculated as:

Hartifact=SHA256(CanonicalSerialize(Artifact))H_{artifact} = SHA256(CanonicalSerialize(Artifact))

For Merkle batches:

Root=MerkleRoot(H1,H2,...,Hn)Root = MerkleRoot(H_1, H_2, ..., H_n)

The engine must preserve:

  • canonical payload hash;
  • canonical serialization version;
  • hash algorithm;
  • artifact type;
  • engine CMI;
  • MEID;
  • source ECO Number;
  • USO reference;
  • replay reference where applicable;
  • policy context.

8. Runtime Processing Pipeline

Receive Anchor Candidate


Validate Candidate


Resolve Artifact Type Policy


Canonicalize Payload


Generate Artifact Hash


Add to Direct Anchor or Merkle Batch


Submit to DAL


Receive Ledger Reference


Bind Ledger Reference to Artifact


Emit Verification Event

The pipeline must be idempotent.

If the same artifact hash is submitted twice, the engine must detect the existing ledger reference and avoid duplicate semantic anchoring.


9. Processing Algorithm

function anchor(candidate):

validate_candidate(candidate)

policy = resolve_anchor_policy(candidate.artifact_type)

canonical_payload = canonical_serialize(candidate.artifact)

artifact_hash = sha256(canonical_payload)

existing_ref = lookup_existing_anchor(artifact_hash)

if existing_ref exists:
emit_anchor_reused_event(existing_ref)
return existing_ref

if policy.mode == DIRECT_ANCHOR:
submission = create_direct_anchor(candidate, artifact_hash)
ledger_ref = submit_to_dal(submission)

if policy.mode == MERKLE_BATCH_ANCHOR:
batch = add_to_merkle_batch(candidate, artifact_hash)
ledger_ref = submit_batch_when_ready(batch)

bind_ledger_ref(candidate.artifact_id, ledger_ref)

emit_anchor_verified_event(ledger_ref)

return ledger_ref

The engine must be safe for retries, concurrency, and partial DAL outage scenarios.


10. CSI Contracts

10.1. Input CSIs

CSIRequiredPurpose
comp.DAL.INPUT.ANCHOR-CANDIDATE.v1_0YesAnchor candidate from TrustGate runtime engines.
comp.TG.INPUT.TRUST-SCORE.v1_0ConditionalTrust score event to anchor.
comp.TG.INPUT.TRUST-DECISION.v1_0ConditionalDecision event to anchor.
comp.TG.INPUT.REPLAY-MANIFEST.v1_0ConditionalReplay manifest to anchor.
comp.TG.INPUT.TRUST-ATTESTATION.v1_0ConditionalAttestation payload to anchor.
comp.USO.INPUT.LINEAGE-REF.v1_0YesUSO lineage reference.
comp.FAGF.INPUT.POLICY-CONTEXT.v1_0YesAnchor policy and retention profile.

10.2. Output CSIs

CSIPurpose
comp.DAL.OUTPUT.LEDGER-REF.v1_0DAL ledger reference returned after anchoring.
comp.DAL.OUTPUT.MERKLE-PROOF.v1_0Merkle inclusion proof where applicable.
comp.TG.EVENT.DAL-ANCHOR-SUBMITTED.v1_0Anchor submission event.
comp.TG.EVENT.DAL-ANCHOR-VERIFIED.v1_0Anchor verification event.
comp.TG.EVENT.DAL-ANCHOR-FAILED.v1_0Anchor failure event.
comp.AII.INPUT.DAL-TELEMETRY.v1_0AII DAL integrity telemetry.

11. Canonical Anchor Candidate

{
"anchor_candidate_id": "TGAC-2026-00001472",
"artifact_type": "TrustDecisionEvent",
"artifact_id": "TGD-2026-00001472",
"eco_number": "ECO-A123",
"uso_id": "USO-98122",
"source_engine_cmi": "vera.TG-DECISION.ENGINE.ROUTER.1_0_0",
"source_meid": "MEID_TRUST_ROUTE_DECISION",
"artifact_payload_ref": "s3://zayaz-artifacts/trustgate/TGD-2026-00001472.json",
"policy_context": {
"policy_bundle": "FAGF-2026.2",
"anchor_profile": "critical_assurance_event_v1"
},
"created_at": "2026-06-25T12:50:11Z"
}

12. Canonical Ledger Reference

{
"ledger_ref": {
"ledger_id": "DAL-2026-001245",
"artifact_id": "TGD-2026-00001472",
"artifact_type": "TrustDecisionEvent",
"artifact_hash": "sha256:2f93ad...",
"anchor_mode": "MERKLE_BATCH_ANCHOR",
"root_hash": "sha256:7cc4b1...",
"batch_id": "DALB-2026-06-25-1200",
"verified": true,
"anchored_at": "2026-06-25T13:00:00Z"
}
}

13. Merkle Batch Record

{
"batch_id": "DALB-2026-06-25-1200",
"batch_window": {
"from": "2026-06-25T12:00:00Z",
"to": "2026-06-25T13:00:00Z"
},
"record_count": 158342,
"anchored_objects": [
"TrustScoreEvent",
"TrustDecisionEvent",
"TrustReplayManifest",
"TrustAttestation"
],
"root_hash": "sha256:7cc4b1...",
"hash_algorithm": "SHA-256",
"submitted_by": "vera.TG-DAL.ENGINE.ANCHOR.1_0_0"
}

The record_count and anchored_objects fields are required for operational transparency and audit-grade batch verification.


14. Merkle Inclusion Proof

{
"proof": {
"artifact_id": "TGD-2026-00001472",
"leaf_hash": "sha256:2f93ad...",
"merkle_path": [
{
"position": "left",
"hash": "sha256:d7c9..."
},
{
"position": "right",
"hash": "sha256:f9ab..."
}
],
"root_hash": "sha256:7cc4b1...",
"verified": true
}
}

Auditors may recompute the hash path to confirm inclusion in the anchored batch.


15. Anchor Submitted Event

{
"event_type": "trustgate.dal.anchor_submitted",
"anchor_candidate_id": "TGAC-2026-00001472",
"artifact_id": "TGD-2026-00001472",
"artifact_type": "TrustDecisionEvent",
"artifact_hash": "sha256:2f93ad...",
"anchor_mode": "MERKLE_BATCH_ANCHOR",
"engine_cmi": "vera.TG-DAL.ENGINE.ANCHOR.1_0_0",
"timestamp": "2026-06-25T13:00:00Z"
}

16. Anchor Verified Event

{
"event_type": "trustgate.dal.anchor_verified",
"artifact_id": "TGD-2026-00001472",
"ledger_id": "DAL-2026-001245",
"root_hash": "sha256:7cc4b1...",
"verified": true,
"proof_available": true,
"timestamp": "2026-06-25T13:00:09Z"
}

17. DAL Integration

The engine integrates directly with DAL services for:

  • anchor submission;
  • Merkle batch creation;
  • ledger reference lookup;
  • proof retrieval;
  • anchor verification;
  • failed anchor retry;
  • external root synchronization.

The engine must treat DAL as the authoritative ledger system. TrustGate only prepares and submits anchor candidates.


18. Replay Behaviour

The anchor process must be replayable.

Replay inputs include:

  • anchor candidate;
  • canonical serialization version;
  • artifact payload reference;
  • artifact hash;
  • batch policy;
  • Merkle construction algorithm;
  • DAL submission response;
  • engine CMI.

Replay verification succeeds when:

Hash(AnchorCandidateoriginal)=Hash(AnchorCandidatereplay)Hash(AnchorCandidate_{original}) = Hash(AnchorCandidate_{replay})

For Merkle batches, replay also verifies:

Rootoriginal=RootrecomputedRoot_{original} = Root_{recomputed}

19. Federation Behaviour

DAL references produced by this engine are used by AFLE and EGFS to validate TrustGate evidence across organizational boundaries.

Federation-safe ledger references must include:

FieldRequired
ECO NumberYes
Artifact TypeYes
Artifact HashYes
Ledger IDYes
Root HashYes
Merkle ProofConditional
Anchor TimestampYes
Signature MetadataConditional

Raw payloads must not be exported unless allowed by FAGF policy and federation profile.


20. AII Integration

DAL anchoring telemetry contributes to AII integrity dimensions.

{
"eco_number": "ECO-A123",
"period": "2026-Q2",
"anchor_candidates": 18440,
"anchors_submitted": 18440,
"anchors_verified": 18439,
"anchor_failure_rate": 0.00005,
"avg_anchor_latency_seconds": 62.4,
"merkle_batches": 12,
"dal_verification_rate": 0.99995
}

21. AI / DSAIL Integration

DAL anchoring outcomes may be consumed by DSAIL.

Useful learning signals include:

  • anchor failure rate;
  • delayed anchoring;
  • repeated anchor retries;
  • artifact type anomaly;
  • ledger verification drift;
  • federation proof failures.

AI may recommend:

  • increased replay sampling;
  • policy review;
  • federation trust adjustment;
  • batch size optimization;
  • anomaly investigation.

AI may not suppress failed anchor events or modify ledger references.


22. Failure Handling

FailureSeverityAction
Missing anchor candidateCriticalAbort
Missing artifact payloadCriticalAbort
Canonical serialization failureCriticalAbort
Hash generation failureCriticalAbort
DAL unavailableWarningQueue retry
Duplicate artifact hashInfoReuse existing ledger reference
Merkle batch timeoutWarningSubmit partial batch if policy permits
DAL verification failureCriticalEscalate
Ledger proof unavailableWarningMark proof pending
Federation export requested before verificationCriticalBlock export

The engine must fail closed for federation and external assurance use cases.


23. Observability Metrics

MetricDescription
tg_dal_anchor_candidate_totalAnchor candidates received.
tg_dal_anchor_submitted_totalAnchors submitted to DAL.
tg_dal_anchor_verified_totalAnchors verified by DAL.
tg_dal_anchor_failed_totalAnchor failures.
tg_dal_anchor_latency_secondsAnchor submission-to-verification latency.
tg_dal_merkle_batch_totalMerkle batches created.
tg_dal_merkle_batch_record_countRecords per Merkle batch.
tg_dal_duplicate_hash_totalDuplicate hashes reused.
tg_dal_retry_totalRetry attempts.

24. Performance Targets

MetricTarget
Anchor candidate validation latency< 20 ms
Hash generation latency< 10 ms per artifact
Batch assembly latency< 100 ms
Direct anchor submission latency< 2 sec
Merkle batch windowPolicy-defined, default 60 min
Throughput100,000 anchor candidates/min per worker pool
Verification availability99.99%
Hash determinism100%

25. Security Requirements

The engine must:

  • use approved hash algorithms;
  • preserve canonical serialization rules;
  • prevent payload mutation after hashing;
  • enforce identity and service authentication;
  • prevent unauthorized anchor submission;
  • redact sensitive payload details from logs;
  • store only hashes and references unless policy permits payload storage;
  • record MEID and CMI in every anchor event;
  • verify DAL responses;
  • protect against replay attacks and duplicate semantic anchors.

26. Compliance Alignment

FrameworkDAL Anchor Engine Contribution
CSRDSupports tamper-evident audit trails for sustainability data.
ESRSSupports evidence traceability and assurance transparency.
ISSB / IFRS S1-S2Supports investor-grade data integrity controls.
ISO 14064-1Supports GHG verification and chain-of-custody evidence.
ISO 27001Supports integrity, logging, and cryptographic controls.
W3C DID / VCSupports verifiable trust evidence exchanged across federation.

27. Developer Implementation Notes

Developers should implement the DAL Anchor Engine as an idempotent, event-driven anchoring service.

Recommended design:

  • anchor candidate queue;
  • canonical serialization library;
  • hash generator;
  • Merkle batch builder;
  • duplicate hash detector;
  • DAL submission adapter;
  • ledger reference binder;
  • verification listener;
  • retry scheduler;
  • proof retrieval service;
  • AII telemetry publisher.

The engine should never mutate source artifacts. All operations must reference immutable payloads and hashes.


28. Summary

The TrustGate DAL Anchor Engine provides the cryptographic integrity layer for TrustGate outcomes.

It ensures that TrustGate scores, decisions, replay artifacts, quarantine events, and attestations become tamper-evident, independently verifiable, and federation-ready through DAL.

No TrustGate artifact should be used for external assurance, federation exchange, Carbon Passport reference, or regulatory disclosure unless it has a DAL ledger reference or an explicit policy exception.




GitHub RepoRequest for Change (RFC)