TG-FEDERATION-EXCHANGE
TrustGate Federation Exchange Engine
0. Identity
Depends on module:
1. Purpose
The TrustGate Federation Exchange Engine prepares and validates TrustGate assurance artifacts for secure exchange across ECO entities.
It is responsible for the export, import, validation, redaction, synchronization, and conflict handling of TrustGate trust evidence through the ZAYAZ federation stack.
The engine enables TrustGate outcomes to move beyond a single organization while preserving:
- ECO Number identity binding;
- DID-based verification;
- DAL-backed integrity;
- replayability;
- policy-governed disclosure;
- AFLE-compatible attestation structures;
- EGFS routing and synchronization;
- redaction and privacy controls;
- Carbon Passport interoperability.
The engine is the TrustGate runtime bridge between local assurance decisions and cross-ECO trust exchange.
2. Position within TrustGate Runtime
Trust Scoring
│
▼
Decision Engine
│
▼
Replay Engine
│
▼
Attestation Engine
│
▼
DAL Anchor Engine
│
▼
──────────────────────────────────────────
Federation Exchange Engine
──────────────────────────────────────────
│
├── AFLE Export Package
├── EGFS Federation Message
├── Cross-ECO Import Validation
├── Redacted Assurance Bundle
├── Carbon Passport Trust Link
└── Federation Verification Event
The engine executes after a trust attestation exists and DAL references are available, unless policy permits provisional federation exchange.
3. Canonical Identity
| Property | Value |
|---|---|
| MEID | MEID_TRUST_EXPORT_FEDERATION |
| CMI | vera.TG-FED.ENGINE.EXPORTER.1_0_0 |
| KIND | ENGINE |
| Owner Module | Verification & Assurance |
| Runtime Tier | Tier-0 Assurance Runtime |
| Engine Category | EXPORT |
| Engine Domain | trust |
| ZAR Registration | Required |
| Replay Support | Native |
| DAL Anchoring | Required |
| Federation Aware | Native |
The MEID identifies the stable logical federation exchange engine.
The CMI identifies this specific versioned executable artifact.
4. Runtime Responsibilities
| Responsibility | Description |
|---|---|
| Federation Export | Prepare TrustGate attestations and assurance evidence for AFLE/EGFS exchange. |
| Federation Import | Validate inbound assurance packages from external ECO entities. |
| ECO Identity Binding | Verify ECO Number, DID, controller, and federation node metadata. |
| Redaction Enforcement | Apply FAGF and federation-profile redaction rules before export. |
| DAL Proof Binding | Attach ledger references and Merkle inclusion proofs where available. |
| Replay Reference Binding | Attach replay manifests and replay verification status. |
| Carbon Passport Exchange | Prepare trust references for Carbon Passport and DPP workflows. |
| Signature Verification | Verify inbound package signatures and prepare outbound signature envelopes. |
| Conflict Detection | Detect inconsistent trust, lineage, identity, or ledger evidence. |
| Telemetry Publication | Emit federation metrics to AII, DSAIL, VIZZ, AFLE, and EGFS. |
The engine must never export raw source data unless explicitly allowed by FAGF policy and the active federation profile.
5. Federation Exchange Types
| Exchange Type | Purpose |
|---|---|
TRUST_ATTESTATION_EXPORT | Export TrustGate attestation to another ECO entity. |
TRUST_ATTESTATION_IMPORT | Validate inbound trust attestation. |
CARBON_PASSPORT_TRUST_LINK | Attach TrustGate evidence to Carbon Passport exchange. |
ASSURANCE_BUNDLE_EXPORT | Export auditor-facing evidence package. |
FEDERATION_LEDGER_PROOF | Exchange DAL proof references. |
REPLAY_REFERENCE_EXPORT | Exchange replay manifest and reproducibility metadata. |
FEDERATION_CONFLICT_NOTICE | Notify counterparties of trust or evidence conflict. |
REGULATOR_VERIFICATION_PACKAGE | Produce regulator-facing read-only verification package. |
6. Federation Preconditions
Outbound federation exchange requires:
| Precondition | Required |
|---|---|
| Valid ECO Number | Yes |
| Valid DID | Yes |
| Valid federation profile | Yes |
| Trust attestation exists | Yes |
| Trust decision exists | Yes |
| Replay manifest exists | Yes |
| DAL reference exists | Yes, unless provisional allowed |
| Redaction profile resolved | Yes |
| Target ECO or federation audience known | Yes |
| Policy allows export | Yes |
Inbound federation exchange requires:
| Precondition | Required |
|---|---|
| Source ECO Number present | Yes |
| Source DID resolvable | Yes |
| Signature valid | Yes |
| DAL reference valid | Conditional |
| Attestation schema valid | Yes |
| Federation policy compatible | Yes |
| Redaction status known | Yes |
| Replay reference present | Conditional |
7. Runtime Processing Pipeline — Export
Receive Export Request
│
▼
Resolve Federation Profile
│
▼
Resolve Target Audience
│
▼
Validate Source Identity
│
▼
Collect Trust Attestation
│
▼
Collect DAL and Replay References
│
▼
Apply Redaction Profile
│
▼
Create Federation Package
│
▼
Prepare Signature Envelope
│
▼
Submit to AFLE / EGFS
│
▼
Emit Export Event
Outbound exchange must be policy-driven and fully auditable.
8. Runtime Processing Pipeline — Import
Receive Federation Package
│
▼
Validate Envelope
│
▼
Verify Source ECO Number
│
▼
Resolve Source DID
│
▼
Verify Signature
│
▼
Validate Schema
│
▼
Verify DAL Reference
│
▼
Check Replay Reference
│
▼
Evaluate Policy Compatibility
│
▼
Accept / Review / Reject
│
▼
Emit Import Verification Event
Inbound federation packages must be treated as untrusted until verified.
9. Processing Algorithm — Export
function export_federation_package(request):
profile = resolve_federation_profile(request.target)
assert policy_allows_export(profile, request)
identity = resolve_local_identity(request.eco_number)
attestation = load_trust_attestation(request.attestation_id)
ledger_ref = load_dal_reference(attestation)
replay_ref = load_replay_manifest(attestation)
redacted_payload = apply_redaction_profile(
attestation,
profile.redaction_profile
)
package = create_federation_package(
redacted_payload,
identity,
ledger_ref,
replay_ref,
profile
)
signature_envelope = prepare_signature(package)
submit_to_afle_or_egfs(signature_envelope)
emit_export_event(package)
return package
10. Processing Algorithm — Import
function import_federation_package(package):
validate_package_schema(package)
source_identity = resolve_eco_identity(package.issuer)
verify_did(package.proof.verificationMethod)
verify_signature(package.proof)
verify_dal_reference(package.lineage.dal_ref)
verify_replay_reference(package.lineage.replay_id)
policy_result = evaluate_federation_policy(package)
if policy_result.blocking:
reject_package(package, policy_result)
if policy_result.review_required:
create_review_task(package, policy_result)
emit_import_verified_event(package)
return verification_result
11. Federation Package Model
A canonical TrustGate federation package contains:
| Field | Description |
|---|---|
federation_package_id | Unique exchange package identifier. |
exchange_type | Type of federation exchange. |
issuer | Source ECO Number. |
subject | Subject ECO Number, product, passport, or signal. |
audience | Target ECO, buyer, verifier, regulator, or federation region. |
trust | Trust score, confidence, and decision. |
lineage | USO, DAL, replay, and origin references. |
policy | FAGF and federation policy references. |
redaction | Redaction profile and disclosure class. |
proof | Signature or verifiable credential proof envelope. |
created_at | Creation timestamp. |
12. CSI Contracts
12.1. Input CSIs
| CSI | Required | Purpose |
|---|---|---|
comp.TG.INPUT.TRUST-ATTESTATION.v1_0 | Yes | TrustGate attestation to exchange. |
comp.DAL.OUTPUT.LEDGER-REF.v1_0 | Yes | DAL reference for evidence integrity. |
comp.TG.INPUT.REPLAY-MANIFEST.v1_0 | Conditional | Replay reference for reproducibility. |
comp.EGFS.INPUT.IDENTITY-CONTEXT.v1_0 | Yes | ECO Number and DID context. |
comp.FAGF.INPUT.FEDERATION-POLICY.v1_0 | Yes | Federation and redaction policy. |
comp.AFLE.INPUT.FEDERATION-PROFILE.v1_0 | Yes | AFLE exchange profile. |
comp.TG.INPUT.CARBON-PASSPORT-TRUST-REF.v1_0 | Conditional | Carbon Passport trust linkage. |
12.2. Output CSIs
| CSI | Purpose |
|---|---|
comp.AFLE.OUTPUT.FEDERATION-PACKAGE.v1_0 | AFLE-compatible TrustGate exchange package. |
comp.EGFS.OUTPUT.FEDERATION-MESSAGE.v1_0 | EGFS transport message. |
comp.TG.EVENT.FEDERATION-EXPORTED.v1_0 | Export event. |
comp.TG.EVENT.FEDERATION-IMPORTED.v1_0 | Import event. |
comp.TG.EVENT.FEDERATION-VERIFIED.v1_0 | Verification event. |
comp.TG.EVENT.FEDERATION-REJECTED.v1_0 | Rejection event. |
comp.DSAIL.INPUT.FEDERATION-FEEDBACK.v1_0 | AI feedback event. |
comp.AII.INPUT.FEDERATION-TELEMETRY.v1_0 | AII telemetry. |
13. Canonical Export Request
{
"export_request_id": "TGFXR-2026-00001472",
"exchange_type": "TRUST_ATTESTATION_EXPORT",
"issuer": "ECO-A123",
"target": {
"eco_number": "ECO-B456",
"role": "buyer",
"region": "EU"
},
"attestation_id": "TGATT-2026-00001472",
"replay_id": "TGR-2026-00001472",
"dal_ref": "DAL-2026-001245",
"policy_context": {
"policy_bundle": "FAGF-2026.2",
"federation_profile": "buyer_standard_assurance_v1",
"redaction_profile": "standard_federation"
},
"created_at": "2026-06-25T13:42:00Z"
}
14. Canonical Federation Package
{
"@context": [
"https://schema.zayaz.io/trustgate/federation/v1"
],
"federation_package_id": "TGFX-2026-00001472",
"exchange_type": "TRUST_ATTESTATION_EXPORT",
"issuer": "ECO-A123",
"issued_at": "2026-06-25T13:42:00Z",
"audience": {
"eco_number": "ECO-B456",
"role": "buyer"
},
"subject": {
"signal_id": "SIG-2026-00001472",
"eco_number": "ECO-A123"
},
"trust": {
"score": 0.914,
"confidence": 0.936,
"decision": "ACCEPT"
},
"lineage": {
"uso_id": "USO-98122",
"replay_id": "TGR-2026-00001472",
"dal_ref": "DAL-2026-001245",
"root_hash": "sha256:7cc4b1..."
},
"policy": {
"policy_bundle": "FAGF-2026.2",
"federation_profile": "buyer_standard_assurance_v1",
"redaction_profile": "standard_federation"
},
"proof": {
"type": "Ed25519Signature2020",
"proofPurpose": "assertionMethod",
"verificationMethod": "did:zayaz:ECO-A123#trustgate-key",
"jws": "PENDING_SIGNATURE"
}
}
15. EGFS Federation Message
{
"federation_id": "FED-2026-00001472",
"source_eco": "ECO-A123",
"target_eco": "ECO-B456",
"payload_type": "trust_attestation",
"payload_hash": "sha256:f91c35b6f21c...",
"dal_ref": "DAL-2026-001245",
"timestamp": "2026-06-25T13:42:00Z",
"signature": "PENDING_SIGNATURE",
"verified": false
}
The EGFS message carries the transport metadata, while the federation package contains the assurance payload.
16. Federation Import Verification Result
{
"verification_id": "TGFV-2026-00001472",
"federation_package_id": "TGFX-2026-00001472",
"source_eco": "ECO-A123",
"target_eco": "ECO-B456",
"signature_valid": true,
"did_valid": true,
"dal_ref_valid": true,
"replay_ref_present": true,
"schema_valid": true,
"policy_compatible": true,
"decision": "ACCEPT",
"verified_at": "2026-06-25T13:42:09Z"
}
17. Export Event
{
"event_type": "trustgate.federation.exported",
"federation_package_id": "TGFX-2026-00001472",
"exchange_type": "TRUST_ATTESTATION_EXPORT",
"source_eco": "ECO-A123",
"target_eco": "ECO-B456",
"engine_cmi": "vera.TG-FED.ENGINE.EXPORTER.1_0_0",
"timestamp": "2026-06-25T13:42:00Z"
}
18. Import Event
{
"event_type": "trustgate.federation.imported",
"federation_package_id": "TGFX-2026-00001472",
"source_eco": "ECO-A123",
"target_eco": "ECO-B456",
"verification_status": "verified",
"engine_cmi": "vera.TG-FED.ENGINE.EXPORTER.1_0_0",
"timestamp": "2026-06-25T13:42:09Z"
}
19. Conflict Event
{
"event_type": "trustgate.federation.conflict",
"conflict_id": "TGFC-2026-00001472",
"federation_package_id": "TGFX-2026-00001472",
"source_eco": "ECO-A123",
"conflict_type": "DAL_REFERENCE_MISMATCH",
"severity": "critical",
"requires_review": true,
"timestamp": "2026-06-25T13:43:01Z"
}
Federation conflicts must trigger review or quarantine depending on active policy.
20. DAL Integration
Federation exchange packages produce DAL anchor candidates.
{
"artifact_type": "FederationTrustPackage",
"artifact_id": "TGFX-2026-00001472",
"artifact_hash": "sha256:f91c35b6f21c...",
"engine_cmi": "vera.TG-FED.ENGINE.EXPORTER.1_0_0",
"meid": "MEID_TRUST_EXPORT_FEDERATION",
"exchange_type": "TRUST_ATTESTATION_EXPORT",
"created_at": "2026-06-25T13:42:00Z"
}
Outbound federation packages should not be sent externally until a DAL reference exists, unless provisional exchange is explicitly permitted.
21. Replay Behaviour
Federation package generation must be replayable.
Replay inputs include:
- trust attestation;
- DAL reference;
- replay manifest;
- federation profile;
- redaction profile;
- target audience;
- policy context;
- engine CMI.
Replay verification succeeds when:
Signature values may be excluded from deterministic replay if signing keys or timestamps rotate. The unsigned canonical payload hash remains the replay target.
22. Redaction and Disclosure
Redaction is mandatory for federation exchange.
The engine supports:
| Redaction Profile | Use Case |
|---|---|
internal_full | Internal tenant exchange only. |
standard_federation | Buyer/supplier exchange. |
auditor_detailed | Auditor evidence package. |
regulator_readonly | Regulator verification package. |
public_minimal | Public proof without sensitive details. |
Redaction must be deterministic and replayable.
23. AI / DSAIL Integration
Federation outcomes are high-value AI feedback events.
DSAIL may consume:
- federation verification failures;
- federation conflicts;
- repeated source ECO issues;
- delayed synchronization;
- redaction mismatch rates;
- rejected inbound attestations;
- Carbon Passport trust discrepancies.
AI may recommend:
- increased sampling;
- federation trust decay;
- supplier review;
- policy adjustment;
- routing changes.
AI may not override federation verification results.
24. AII Integration
Federation exchange metrics contribute to AII.
{
"eco_number": "ECO-A123",
"period": "2026-Q2",
"federated_attestations_exported": 3912,
"federated_attestations_imported": 1440,
"federation_verification_rate": 0.997,
"federation_conflict_rate": 0.003,
"avg_export_latency_seconds": 2.4,
"avg_import_verification_latency_seconds": 1.1
}
25. Failure Handling
| Failure | Severity | Action |
|---|---|---|
| Missing attestation | Critical | Abort |
| Missing federation profile | Critical | Abort |
| Missing redaction profile | Critical | Abort |
| Missing target ECO | Critical | Abort |
| Invalid source DID | Critical | Abort |
| Signature verification failed | Critical | Reject import |
| DAL reference invalid | Critical | Reject or review |
| Replay reference missing | Warning | Policy-dependent |
| EGFS unavailable | Warning | Queue export |
| AFLE unavailable | Warning | Queue export |
| Redaction failure | Critical | Abort |
| Policy incompatibility | Critical | Reject or review |
The engine must fail closed for external exports and inbound verification failures.
26. Observability Metrics
| Metric | Description |
|---|---|
tg_federation_export_total | Federation packages exported. |
tg_federation_import_total | Federation packages imported. |
tg_federation_verified_total | Successfully verified imports. |
tg_federation_rejected_total | Rejected federation packages. |
tg_federation_conflict_total | Federation conflicts. |
tg_federation_redaction_total | Redaction operations. |
tg_federation_export_latency_seconds | Export latency. |
tg_federation_import_latency_seconds | Import verification latency. |
tg_federation_queue_depth | Pending federation operations. |
27. Performance Targets
| Metric | Target |
|---|---|
| Export package creation latency | < 150 ms |
| Import verification latency | < 250 ms |
| Redaction latency | < 100 ms |
| Signature preparation latency | < 100 ms |
| Throughput | 5,000 federation packages/min per worker pool |
| Replay determinism | 100% for canonical payloads |
| Availability | 99.95% |
28. Security Requirements
The engine must:
- verify all inbound identities;
- verify inbound signatures;
- enforce redaction before export;
- prevent raw payload leakage;
- validate target ECO permissions;
- enforce federation profiles;
- bind packages to DAL references;
- record MEID and CMI in all outputs;
- reject unverifiable inbound packages;
- log all import/export operations;
- support key rotation and DID verification method updates.
29. Compliance Alignment
| Framework | Federation Exchange Contribution |
|---|---|
| CSRD | Enables verifiable cross-organization assurance evidence. |
| ESRS | Supports supply-chain data quality and traceability. |
| ISSB / IFRS S1-S2 | Supports investor-grade external sustainability data assurance. |
| ISO 14064-1 | Supports GHG evidence exchange and verification. |
| ISO 27001 | Supports secure exchange, identity, and access controls. |
| EU AI Act | Prevents AI from overriding federation verification. |
| W3C DID / VC | Supports decentralized identity and verifiable credentials. |
| Gaia-X | Supports federated trust and data sovereignty patterns. |
30. Developer Implementation Notes
Developers should implement the Federation Exchange Engine as a policy-driven exchange gateway.
Recommended design:
- federation profile resolver;
- target audience resolver;
- redaction engine;
- federation package builder;
- DID resolver;
- signature verifier;
- DAL proof verifier;
- AFLE adapter;
- EGFS transport adapter;
- import verification workflow;
- conflict detector;
- queue and retry manager;
- AII telemetry publisher;
- DSAIL feedback publisher.
The engine must keep transport concerns separate from assurance payload concerns.
31. Summary
The TrustGate Federation Exchange Engine makes TrustGate assurance artifacts portable across the ZAYAZ federation.
It ensures that trust attestations, Carbon Passport references, DAL proofs, replay references, and assurance bundles can be exchanged between ECO entities while preserving identity, integrity, replayability, governance, and privacy.
No TrustGate assurance artifact should be exchanged across ECO boundaries unless it has been processed by this engine or an equivalent FAGF-authorized federation workflow.