Skip to main content
Jira progress: loading…

TG_SCHEDULER_ORCHESTRATOR

TrustGate Scheduler / Orchestrator Engine

0. Identity

Loading identity…

Depends on module:

Decision-grade verification and assurance domain that orchestrates verifier workflows, evidence handling, trust scoring, audit trails, and assurance packaging across CSRD/ESRS and other frameworks. Enables third-party sign-off, dispute handling, and assurance-ready disclosure outputs with replayable provenance.
Domain:
assurance-verification
Category:
trust-assurance
Classification:
module
Lifecycle status:
active
Semver:
1.0.0
Introduced in:
v0.3
Governance
AI risk level:
high
Trust threshold:
0.97
Human review required:
true
Verifier involved:
true
Audit required:
true
Ownership
Primary owner:
Platform
Architecture board:
true
White-label allowed:
true
Entrypoints
Docs:
/verification-assurance
UI:
/app/assurance
API:
/api/assurance
Dependencies
Modules
  • sis
  • input-hub
  • reports-insights-hub
  • zara
  • zaam
Unresolved tokens
  • ALTD
  • DAL
  • EvidenceVault
  • StripeConnect
  • TruliooKYB
  • TrustGate
  • VTE
  • VerifierWorkflowEngine
Engines (declared)
  • VerifierWorkflowEngine
  • DaVE
  • VTE
  • DICE
  • EvidenceVault
  • ALTD
  • DAL
  • TrustGate
  • StripeConnect
  • TruliooKYB
  • AISIM
Micro-engines (from registry)
None
Micro-engines (declared)
None
Signals
USO
  • ASSURANCE.VERIFICATION
  • ASSURANCE.EVIDENCE
  • ASSURANCE.SIGNOFF
  • AUDIT.LINEAGE
  • GOVERNANCE.TRUST
  • IDENTITY.VERIFIER
  • PAYMENT.ESCROW
CSI
  • CSI_VERIFICATION_ASSURANCE
SSSR tags
  • assurance
  • verification
  • verifiers
  • evidence
  • signoff
  • trust-score
  • audit
  • tamper-detection
  • blockchain
  • rfp
  • disputes
  • escrow
  • stripe-connect
Workflows & Outputs
Workflows
  • VerifierOnboardingAndQualification
  • AssuranceRFPAndProposalFlow
  • EvidenceRequestAndCollection
  • EvidenceValidationAndScoring
  • TrustScoreComputationAndPropagation
  • VerifierReviewAndCommenting
  • IssueFlaggingAndDisputeResolution
  • VerifierSignOffAndStamping
  • AssurancePackagingForReports
  • PaymentEscrowAndPayoutOrchestration
Outputs
  • verifier_profiles
  • assurance_requests
  • evidence_packages
  • validation_findings
  • trust_score_updates
  • signoff_stamps
  • assurance_ready_disclosure_packages
  • payment_events
Audit
Ledger:
ALTD
Replay supported:
true
PII policy:
controlled_pii_outside_omr
Tags

1. Purpose

The TrustGate Scheduler / Orchestrator Engine is the runtime coordination engine for TrustGate.

It schedules, triggers, prioritizes, retries, supervises, and records TrustGate background jobs and asynchronous workflows.

It ensures operational tasks happen at the correct time, in the correct order, with the correct configuration snapshot, deterministic retry behavior, auditability, and observability.

The engine handles scheduled and asynchronous activities such as replay jobs, replay sampling, DAL anchor batching, DAL retries, federation synchronization, quarantine SLA checks, evidence request reminders, AI feedback publication, AII telemetry publication, audit integrity checks, runtime health checks, policy refresh, configuration cache invalidation, stale configuration detection, feature flag rollouts, safe-mode enforcement, dead-letter inspection, backfills, and periodic assurance reports.

The Scheduler / Orchestrator Engine is the operational nervous system of TrustGate.

It does not compute trust scores, validate signals, or make assurance decisions. It controls when and how background workflows execute.


2. Architectural Role

TrustGate has synchronous processing engines and asynchronous operational workflows.

Synchronous engines handle the direct signal processing path. The Scheduler / Orchestrator Engine handles controlled runtime coordination outside or adjacent to the signal path.

Runtime Configuration Engine


Scheduler / Orchestrator Engine

├── Replay Jobs
├── DAL Batch Jobs
├── Federation Sync Jobs
├── Quarantine SLA Jobs
├── AI Feedback Jobs
├── AII Telemetry Jobs
├── Audit Integrity Jobs
├── Configuration Refresh Jobs
├── Observability Jobs
└── Maintenance Jobs

The engine coordinates the background assurance economy of TrustGate.


3. Canonical Identity

PropertyValue
MEIDMEID_TRUST_ROUTE_SCHEDULER
CMIvera.TG-SCHED.ENGINE.ORCHESTRATOR.1_0_0
KINDENGINE
Owner ModuleVerification & Assurance
Runtime TierTier-0 Runtime Operations
Engine CategoryJOB
Engine Domaintrust
ZAR RegistrationRequired
Replay SupportNative for workflow state
DAL AnchoringPolicy-based
Federation AwareYes
Critical PathIndirect, through async runtime workflows

4. Design Principles

PrincipleRequirement
Deterministic SchedulingSame schedule definition and configuration snapshot must resolve to the same planned job set.
Idempotent ExecutionRe-running the same job must not produce duplicate semantic side effects.
Configuration BindingEvery job must bind to a configuration snapshot from the Runtime Configuration Engine.
AuditabilityMaterial jobs and workflow state transitions must be audit logged.
ObservabilityEvery job must emit metrics, traces, status, and failure reasons.
Policy GovernanceJobs must respect FAGF, OARM, DAL, AFLE, EGFS, tenant, and security policies.
Fail-Safe BehaviorFailed jobs must retry, quarantine, dead-letter, or escalate according to policy.

5. Runtime Responsibilities

ResponsibilityDescription
Job SchedulingSchedule one-off, periodic, event-driven, and policy-triggered jobs.
Workflow OrchestrationCoordinate multi-step workflows involving several TrustGate engines.
Retry ManagementApply deterministic retry, backoff, timeout, and dead-letter behavior.
Priority ManagementPrioritize assurance-critical jobs over routine maintenance.
Replay SchedulingSchedule replay jobs based on triggers, sampling, auditor requests, and policy.
DAL Batch OrchestrationCoordinate Merkle batch windows, anchor submission, and retry.
Federation SynchronizationSchedule EGFS / AFLE sync, export, import, and verification jobs.
Quarantine SLA ManagementTrack quarantine aging, review deadlines, reminders, and escalation.
Configuration RefreshSchedule policy refresh, cache invalidation, and drift detection jobs.
AI Feedback DeliveryCoordinate DSAIL feedback publication and retry.
AII Telemetry DeliverySchedule and publish aggregate runtime telemetry to AII.
Audit and Integrity JobsSchedule audit chain verification and evidence-chain checks.
Maintenance JobsBackfills, cleanup, compaction, retention, and stale state checks.
Workflow State ManagementPersist workflow state transitions for replay and audit.
Alerting and EscalationEmit alerts when jobs breach SLA or enter dead-letter state.

6. Scheduling Modes

ModeDescription
cronTime-based recurring jobs.
intervalJobs repeated every configured duration.
event_triggeredJobs triggered by runtime events.
policy_triggeredJobs triggered by policy conditions.
manualAuthorized operator or reviewer request.
backfillHistorical reprocessing over a defined window.
batch_windowWindowed aggregation jobs such as DAL Merkle batches.
adaptiveSchedule adjusted by runtime telemetry or policy.
safe_modeEmergency schedule activated by incident policy.

Adaptive scheduling may use DSAIL recommendations, but the final schedule must remain policy-controlled.


7. Job Classes

Job ClassPurpose
REPLAY_JOBPrepare or execute replay workflows.
DAL_ANCHOR_JOBSubmit, verify, or retry DAL anchors.
FEDERATION_SYNC_JOBExchange or verify federation artifacts.
QUARANTINE_SLA_JOBCheck quarantine age, reminders, and escalation.
AI_FEEDBACK_JOBPublish AI feedback to DSAIL.
AII_TELEMETRY_JOBPublish AII telemetry.
AUDIT_INTEGRITY_JOBVerify audit chain, evidence chain, and log integrity.
CONFIG_REFRESH_JOBRefresh or invalidate configuration.
POLICY_REFRESH_JOBLoad and verify policy bundles.
OBSERVABILITY_JOBAggregate metrics, SLOs, dashboard feeds, and alerts.
MAINTENANCE_JOBCleanup, compaction, retention, and backfill.
SAFE_MODE_JOBIncident-driven runtime protective jobs.

8. Workflow Types

WorkflowDescription
Replay Verification WorkflowPrepare replay, execute replay, compare hash, record result, audit, emit telemetry.
DAL Batch WorkflowCollect candidates, build Merkle tree, submit root, verify ledger ref, publish proof.
Federation Export WorkflowResolve config, package attestation, redact, sign, export, verify delivery.
Federation Import WorkflowReceive package, verify identity, verify signature, verify DAL, accept/reject.
Quarantine Review WorkflowOpen quarantine, request evidence, remind reviewer, escalate, release/reject.
AI Feedback WorkflowCollect outcomes, apply policy, redact, publish to DSAIL, retry if needed.
AII Publication WorkflowAggregate metrics, validate payload, publish, record status.
Configuration Rollout WorkflowValidate config, canary, observe, expand, rollback if needed.
Audit Integrity WorkflowVerify chain, detect conflicts, anchor critical proof, report status.

9. Runtime Architecture

Triggers

├── Cron
├── Event Bus
├── Queue
├── Manual Request
├── Policy Condition
└── Observability Alert


Scheduler / Orchestrator Engine

├── Job Resolver
├── Configuration Binder
├── Dependency Resolver
├── Priority Queue
├── Workflow State Machine
├── Retry Manager
├── Dead-Letter Manager
├── Worker Dispatcher
├── SLA Monitor
└── Audit / Telemetry Publisher

The engine may run on top of AWS Step Functions, EventBridge, SQS, Kubernetes Jobs, Airflow, or an internal ZAYAZ workflow runtime.


10. Runtime Processing Pipeline

Receive Trigger


Resolve Job Definition


Resolve Runtime Configuration


Validate Job Preconditions


Acquire Lock / Idempotency Key


Create Job Run


Dispatch Worker / Workflow


Track State


Handle Success / Retry / Failure


Emit Audit and Observability Events


Update AII / DSAIL / VIZZ as Required

Every job run must have a unique job run ID and an idempotency key.


11. Processing Algorithm

function schedule_or_execute(trigger):

job_definition = resolve_job_definition(trigger)

config = resolve_runtime_config(
job_definition,
trigger.scope
)

validate_job_preconditions(job_definition, config, trigger)

idempotency_key = compute_idempotency_key(trigger, job_definition, config)

if job_already_completed(idempotency_key):
return existing_result(idempotency_key)

lock = acquire_execution_lock(idempotency_key)

if not lock.acquired:
return duplicate_or_in_progress(idempotency_key)

job_run = create_job_run(
trigger,
job_definition,
config,
idempotency_key
)

try:
result = dispatch(job_run)
mark_completed(job_run, result)
emit_completed_events(job_run, result)
return result

except RetryableError as error:
schedule_retry(job_run, error)
emit_retry_event(job_run, error)

except NonRetryableError as error:
mark_failed(job_run, error)
route_to_dead_letter_if_required(job_run, error)
emit_failure_event(job_run, error)

finally:
release_lock(lock)

The engine must fail safely and avoid duplicate semantic execution.


12. Job Definition Model

A job definition describes what can be scheduled or executed.

FieldDescription
job_definition_idStable job definition ID.
job_codeHuman-readable job code.
job_classCanonical job class.
canonical_nameHuman-readable name.
descriptionJob purpose.
trigger_typeCron, event, manual, policy, batch window.
schedule_expressionCron or interval definition where applicable.
target_engine_meidTarget engine or workflow owner.
target_engine_cmiOptional target CMI.
workflow_stepsOrdered workflow steps.
priorityJob priority.
retry_policyRetry strategy.
timeout_policyTimeout constraints.
sla_policySLA constraints.
config_profileRequired scheduler profile.
idempotency_policyIdempotency method.
dal_anchor_requiredWhether job events require anchoring.
audit_requiredWhether job must be audit logged.
statusDraft, active, suspended, retired.

13. Job Run Model

A job run is a concrete execution instance.

FieldDescription
job_run_idUnique execution ID.
job_definition_idJob definition reference.
trigger_idTrigger source reference.
workflow_run_idOptional workflow run reference.
idempotency_keyDuplicate protection key.
config_snapshot_idBound runtime configuration snapshot.
config_digestHash of configuration snapshot.
statusPending, running, completed, failed, retrying, dead-lettered.
attemptExecution attempt number.
priorityEffective priority.
started_atStart timestamp.
ended_atEnd timestamp.
next_retry_atNext retry timestamp.
error_codeFailure code if any.
result_refResult artifact reference.

14. Workflow State Model

Workflow state transitions are explicit.

CREATED


SCHEDULED


DISPATCHED


RUNNING

├── COMPLETED
├── RETRY_WAIT
├── FAILED
├── DEAD_LETTERED
├── CANCELLED
└── ESCALATED

State transitions must be persisted, observable, and audit-ready.


15. Canonical Job Definition Example

{
"job_definition_id": "TGJOBDEF-REPLAY-SAMPLING-001",
"job_code": "TG-REPLAY-SAMPLING-DAILY",
"job_class": "REPLAY_JOB",
"canonical_name": "Daily TrustGate Replay Sampling",
"trigger_type": "cron",
"schedule_expression": "0 2 * * *",
"target_engine_meid": "MEID_TRUST_REPLAY_COORDINATOR",
"workflow_steps": [
"select_replay_population",
"create_replay_manifests",
"dispatch_replay_execution",
"record_replay_results",
"publish_replay_telemetry"
],
"priority": "high",
"retry_policy": "standard_exponential_backoff_v1",
"sla_policy": "replay_sampling_daily_v1",
"audit_required": true,
"dal_anchor_required": false,
"status": "active"
}

16. Canonical Job Run Example

{
"job_run_id": "TGJOBRUN-2026-00001472",
"job_definition_id": "TGJOBDEF-REPLAY-SAMPLING-001",
"job_class": "REPLAY_JOB",
"trigger_id": "TGTRIG-2026-00001472",
"idempotency_key": "sha256:8b1c91...",
"config_snapshot_id": "TGCFGSNAP-2026-00001472",
"config_digest": "sha256:4d6f8a...",
"status": "RUNNING",
"attempt": 1,
"priority": "high",
"started_at": "2026-06-26T02:00:00Z"
}

17. Trigger Model

A trigger starts a job or workflow.

Trigger TypeExample
cronDaily replay sampling.
eventNew quarantine record created.
queueDAL anchor candidate queued.
manualAuditor requests replay.
policyReplay required because confidence below threshold.
alertObservability detects replay drift spike.
configurationNew policy bundle activated.
safe_modeIncident policy activates emergency workflow.

Triggers must include source identity and policy context.


18. Trigger Payload Example

{
"trigger_id": "TGTRIG-2026-00001472",
"trigger_type": "event",
"event_type": "trustgate.quarantine.created",
"source_engine_meid": "MEID_TRUST_QUARANTINE_MANAGER",
"source_engine_cmi": "vera.TG-QUARANTINE.ENGINE.MANAGER.1_0_0",
"signal_id": "SIG-2026-00001472",
"eco_number": "ECO-A123",
"policy_context": {
"policy_bundle": "FAGF-2026.2",
"scheduler_profile": "production_scheduler_v1"
},
"created_at": "2026-06-25T18:00:00Z"
}

19. Priority Model

Job priority determines execution order.

PriorityUse Case
criticalSecurity incident, safe mode, replay drift, audit conflict.
highReplay, DAL verification, federation conflict, quarantine SLA.
normalRoutine federation sync, AII telemetry, standard AI feedback.
lowMaintenance, compaction, archive, non-critical backfill.
backgroundLong-running analytics or reporting jobs.

Priority must not bypass safety, tenant isolation, or configuration rules.


20. Retry Model

Retry behavior is policy-controlled.

Retry StrategyDescription
noneNo retry.
fixed_delayRetry after fixed delay.
exponential_backoffDelay increases after each failure.
exponential_backoff_jitterBackoff with random jitter to prevent thundering herd.
dead_letter_after_nDead-letter after maximum attempts.
manual_review_after_nEscalate after repeated failures.
safe_mode_on_failureActivate safe mode after critical repeated failure.

Retries must preserve idempotency keys.


21. Retry Policy Example

{
"retry_policy_id": "standard_exponential_backoff_v1",
"strategy": "exponential_backoff_jitter",
"max_attempts": 5,
"initial_delay_seconds": 30,
"max_delay_seconds": 1800,
"jitter": true,
"dead_letter_after_max_attempts": true,
"escalate_on_final_failure": true
}

22. Timeout and SLA Model

The Scheduler / Orchestrator Engine enforces timeouts and SLAs.

PolicyDescription
Execution TimeoutMaximum time a job may run.
Queue TimeoutMaximum time a job may remain pending.
SLA DeadlineBusiness or assurance deadline.
Retry WindowMaximum window for retry attempts.
Escalation DeadlineTime after which human escalation is required.
Evidence DeadlineDeadline for quarantine evidence submission.

SLA breaches must emit observability and audit events.


23. SLA Breach Event

{
"event_type": "trustgate.scheduler.sla_breach",
"sla_breach_id": "TGSLA-2026-00001472",
"job_run_id": "TGJOBRUN-2026-00001472",
"job_class": "QUARANTINE_SLA_JOB",
"eco_number": "ECO-A123",
"sla_policy": "quarantine_review_48h_v1",
"deadline": "2026-06-27T12:22:44Z",
"breached_at": "2026-06-27T12:30:00Z",
"severity": "warning",
"requires_escalation": true
}

24. Idempotency Model

Idempotency prevents duplicate semantic side effects.

The idempotency key should be calculated as:

IdempotencyKey=SHA256(JobDefinitionIdTriggerIdScopeConfigDigestExecutionWindow)IdempotencyKey = SHA256(JobDefinitionId || TriggerId || Scope || ConfigDigest || ExecutionWindow)

For event-driven jobs, the source event ID should be included.

For batch jobs, the batch window should be included.

For manual jobs, the authorized request ID should be included.


25. Locking Model

The engine uses distributed locking for critical workflows.

Lock TypePurpose
Job LockPrevent duplicate job execution.
Workflow LockPrevent concurrent workflow mutation.
Signal LockPrevent conflicting operations on a signal.
Quarantine LockPrevent conflicting release/reject transitions.
DAL Batch LockPrevent duplicate Merkle root submission.
Federation LockPrevent duplicate export/import processing.
Config Rollout LockPrevent concurrent production rollout conflict.

Locks must have expiry and recovery behavior.


26. Dead-Letter Model

Jobs that cannot safely complete are moved to a dead-letter state.

Dead-letter causes include:

  • maximum retries exceeded;
  • invalid configuration;
  • missing dependency;
  • non-retryable validation failure;
  • repeated DAL submission failure;
  • signature verification failure;
  • impossible federation target;
  • audit write failure;
  • unsafe state transition;
  • operator cancellation.

Dead-letter events require observability and may require audit logging.


27. Dead-Letter Event

{
"event_type": "trustgate.scheduler.dead_lettered",
"dead_letter_id": "TGDLQ-2026-00001472",
"job_run_id": "TGJOBRUN-2026-00001472",
"job_class": "DAL_ANCHOR_JOB",
"reason": "maximum_retries_exceeded",
"last_error_code": "DAL_SUBMISSION_TIMEOUT",
"attempts": 5,
"requires_manual_review": true,
"created_at": "2026-06-25T19:00:00Z"
}

28. Replay Scheduling

Replay scheduling is one of the most important scheduler responsibilities.

Replay jobs may be triggered by:

TriggerExample
Policy RequirementCritical event requires replay.
SamplingDaily random assurance sample.
Auditor RequestExternal auditor requests replay.
Drift DetectionObservability detects replay drift spike.
QuarantineQuarantine requires replay before release.
FederationInbound package requires replay reference verification.
AI CalibrationDSAIL detects model drift.
Safe ModeIncident policy forces full replay sampling.

Replay jobs must bind to configuration snapshots.


29. Replay Job Example

{
"job_run_id": "TGJOBRUN-REPLAY-2026-00001472",
"job_class": "REPLAY_JOB",
"replay_scope": {
"type": "signal",
"signal_id": "SIG-2026-00001472",
"replay_type": "FULL_PIPELINE_REPLAY"
},
"target_engine_meid": "MEID_TRUST_REPLAY_COORDINATOR",
"config_snapshot_id": "TGCFGSNAP-2026-00001472",
"priority": "high",
"status": "SCHEDULED"
}

30. DAL Batch Orchestration

The engine coordinates DAL batch windows.

DAL batch orchestration includes:

  • collecting anchor candidates;
  • selecting direct vs Merkle mode;
  • opening batch window;
  • closing batch window;
  • dispatching batch build;
  • dispatching DAL submission;
  • verifying ledger reference;
  • retrying failed submissions;
  • publishing inclusion proof availability.

DAL batch windows must be deterministic.


31. DAL Batch Job Example

{
"job_run_id": "TGJOBRUN-DALBATCH-2026-00001472",
"job_class": "DAL_ANCHOR_JOB",
"batch_id": "DALB-2026-06-25-1800",
"batch_window": {
"from": "2026-06-25T18:00:00Z",
"to": "2026-06-25T19:00:00Z"
},
"anchor_mode": "MERKLE_BATCH_ANCHOR",
"candidate_count": 158342,
"status": "RUNNING"
}

32. Federation Synchronization

Federation jobs coordinate AFLE and EGFS workflows.

Federation scheduled tasks include endpoint health checks, DID verification cache refresh, outbound package delivery, inbound package verification, federation conflict retry, Carbon Passport trust reference sync, cross-ECO replay reference sync, federation profile refresh, and federation safe-mode enforcement.

Federation jobs must respect redaction profiles and target permissions.


33. Federation Sync Job Example

{
"job_run_id": "TGJOBRUN-FEDSYNC-2026-00001472",
"job_class": "FEDERATION_SYNC_JOB",
"source_eco": "ECO-A123",
"target_eco": "ECO-B456",
"federation_profile": "buyer_standard_assurance_v1",
"sync_type": "trust_attestation_export",
"redaction_profile": "standard_federation",
"status": "SCHEDULED"
}

34. Quarantine SLA Orchestration

The engine schedules quarantine lifecycle jobs.

Quarantine orchestration includes:

  • evidence request reminders;
  • reviewer assignment reminders;
  • SLA breach checks;
  • automatic escalation;
  • replay scheduling before release;
  • expired quarantine detection;
  • unresolved critical quarantine reporting.

Quarantine jobs must not release or reject records directly unless policy explicitly allows automation. Final release/reject remains controlled by the Quarantine Manager and reviewer workflow.


35. Quarantine SLA Job Example

{
"job_run_id": "TGJOBRUN-QSLA-2026-00001472",
"job_class": "QUARANTINE_SLA_JOB",
"quarantine_id": "TGQ-2026-00001472",
"eco_number": "ECO-A123",
"sla_policy": "quarantine_review_48h_v1",
"action": "check_and_escalate_if_overdue",
"status": "SCHEDULED",
"scheduled_for": "2026-06-27T12:22:44Z"
}

36. AI Feedback Orchestration

AI feedback jobs publish governed feedback to DSAIL.

AI feedback orchestration includes batching feedback events, applying redaction, verifying training eligibility, publishing to DSAIL, retrying failed publication, suppressing disallowed feedback, reporting feedback lag, and triggering model governance workflows where needed.

AI feedback jobs must not alter historical TrustGate facts.


37. AII Telemetry Orchestration

AII jobs aggregate and publish assurance telemetry.

AII publication includes validation telemetry, trust score telemetry, replay telemetry, DAL telemetry, federation telemetry, quarantine telemetry, audit telemetry, configuration telemetry, observability telemetry, and scheduler telemetry.

AII jobs must preserve period boundaries and avoid duplicate publication.


38. Configuration Refresh Orchestration

The Scheduler / Orchestrator Engine coordinates configuration refresh.

Configuration jobs include policy bundle refresh, runtime configuration cache invalidation, feature flag rollout, canary expansion, drift detection, rollback execution, safe mode activation, and expired override cleanup.

Configuration jobs must use the Runtime Configuration Engine as the authority.


39. Safe Mode Orchestration

Safe mode is an emergency runtime state.

Safe mode orchestration may trigger:

  • federation export suspension;
  • replay sampling increase;
  • decision threshold tightening;
  • DAL anchoring expansion;
  • audit logging expansion;
  • experimental engine rollback;
  • quarantine SLA tightening;
  • manual review requirement increase;
  • notification to platform operators.

Safe mode jobs are critical priority and audit-required.


40. Safe Mode Job Example

{
"job_run_id": "TGJOBRUN-SAFE-2026-00001472",
"job_class": "SAFE_MODE_JOB",
"reason": "replay_drift_spike",
"actions": [
"increase_replay_sampling",
"disable_federation_export",
"require_manual_review_for_medium_confidence"
],
"priority": "critical",
"audit_required": true,
"status": "RUNNING"
}

41. CSI Contracts

41.1. Input CSIs

CSIRequiredPurpose
comp.TG.INPUT.SCHEDULER-TRIGGER.v1_0YesTrigger for job creation.
comp.TG.INPUT.JOB-DEFINITION.v1_0ConditionalJob definition.
comp.TG.INPUT.WORKFLOW-DEFINITION.v1_0ConditionalWorkflow definition.
comp.TG.OUTPUT.RESOLVED-CONFIG.v1_0YesRuntime configuration from Configuration Engine.
comp.TG.INPUT.RUNTIME-EVENT.v1_0ConditionalRuntime event trigger.
comp.TG.INPUT.QUEUE-METRIC.v1_0ConditionalQueue depth or backlog input.
comp.TG.INPUT.OBSERVABILITY-ALERT.v1_0ConditionalAlert-triggered job.
comp.FAGF.INPUT.SCHEDULER-POLICY.v1_0YesScheduler policy and constraints.

41.2. Output CSIs

CSIPurpose
comp.TG.OUTPUT.SCHEDULED-JOB.v1_0Scheduled job record.
comp.TG.OUTPUT.JOB-RUN.v1_0Job execution record.
comp.TG.OUTPUT.WORKFLOW-RUN.v1_0Workflow execution record.
comp.TG.EVENT.JOB-STARTED.v1_0Job started event.
comp.TG.EVENT.JOB-COMPLETED.v1_0Job completed event.
comp.TG.EVENT.JOB-FAILED.v1_0Job failure event.
comp.TG.EVENT.JOB-RETRIED.v1_0Job retry event.
comp.TG.EVENT.JOB-DEAD-LETTERED.v1_0Dead-letter event.
comp.DAL.INPUT.ANCHOR-CANDIDATE.v1_0DAL anchor candidate.
comp.AII.INPUT.SCHEDULER-TELEMETRY.v1_0AII scheduler telemetry.
comp.DSAIL.INPUT.SCHEDULER-FEEDBACK.v1_0DSAIL feedback.

42. API Specification

42.1. Schedule Job

POST /api/trustgate/MEID_TRUST_ROUTE_SCHEDULER/schedule

Request:

{
"job_definition_id": "TGJOBDEF-REPLAY-SAMPLING-001",
"scope": {
"environment": "production",
"region": "eu-north-1",
"tenant_id": "TEN-2026-0001",
"eco_number": "ECO-A123"
},
"trigger": {
"trigger_type": "manual",
"requested_by": "auditor@example.com",
"reason": "External assurance replay sample."
}
}

Response:

{
"status": "scheduled",
"job_run_id": "TGJOBRUN-2026-00001472",
"config_snapshot_id": "TGCFGSNAP-2026-00001472",
"scheduled_for": "2026-06-25T18:30:00Z"
}

43. API: Cancel Job

POST /api/trustgate/MEID_TRUST_ROUTE_SCHEDULER/cancel

Request:

{
"job_run_id": "TGJOBRUN-2026-00001472",
"reason": "Superseded by safe-mode replay job.",
"requested_by": "platform.operator@viroway.com"
}

Response:

{
"status": "cancelled",
"job_run_id": "TGJOBRUN-2026-00001472",
"audit_required": true
}

44. API: Workflow Status

GET /api/trustgate/MEID_TRUST_ROUTE_SCHEDULER/workflows/{workflow_run_id}

Response:

{
"workflow_run_id": "TGWF-2026-00001472",
"status": "RUNNING",
"current_step": "dispatch_replay_execution",
"completed_steps": [
"select_replay_population",
"create_replay_manifests"
],
"remaining_steps": [
"record_replay_results",
"publish_replay_telemetry"
]
}

45. Job Started Event

{
"event_type": "trustgate.scheduler.job_started",
"job_run_id": "TGJOBRUN-2026-00001472",
"job_class": "REPLAY_JOB",
"job_definition_id": "TGJOBDEF-REPLAY-SAMPLING-001",
"engine_cmi": "vera.TG-SCHED.ENGINE.ORCHESTRATOR.1_0_0",
"config_snapshot_id": "TGCFGSNAP-2026-00001472",
"started_at": "2026-06-26T02:00:00Z"
}

46. Job Completed Event

{
"event_type": "trustgate.scheduler.job_completed",
"job_run_id": "TGJOBRUN-2026-00001472",
"job_class": "REPLAY_JOB",
"result": {
"replay_manifests_created": 1240,
"replay_jobs_dispatched": 1240
},
"duration_ms": 8412,
"completed_at": "2026-06-26T02:00:08Z"
}

47. Job Failed Event

{
"event_type": "trustgate.scheduler.job_failed",
"job_run_id": "TGJOBRUN-2026-00001472",
"job_class": "FEDERATION_SYNC_JOB",
"error_code": "FEDERATION_TARGET_UNAVAILABLE",
"retryable": true,
"attempt": 2,
"next_retry_at": "2026-06-25T18:45:00Z",
"failed_at": "2026-06-25T18:30:00Z"
}

48. DAL Integration

Scheduler events may require DAL anchoring.

DAL anchoring is required for:

  • safe mode activation;
  • critical job failure;
  • audit integrity workflow failure;
  • replay drift workflow escalation;
  • federation conflict escalation;
  • material configuration rollout workflow;
  • regulator-requested workflow evidence;
  • workflow state transition used as assurance evidence.

Example anchor candidate:

{
"artifact_type": "TrustSchedulerWorkflowEvent",
"artifact_id": "TGWF-2026-00001472",
"artifact_hash": "sha256:aa42bd...",
"engine_cmi": "vera.TG-SCHED.ENGINE.ORCHESTRATOR.1_0_0",
"meid": "MEID_TRUST_ROUTE_SCHEDULER",
"event_type": "safe_mode_activation",
"created_at": "2026-06-25T18:30:00Z"
}

Final anchoring is performed by the TrustGate DAL Anchor Engine.


49. Audit Log Integration

The engine sends audit events for:

  • material workflow start;
  • material workflow completion;
  • critical workflow failure;
  • dead-letter event;
  • safe mode job;
  • configuration rollout job;
  • manual job scheduling;
  • job cancellation;
  • retry exhaustion;
  • scheduler policy changes;
  • privilege-sensitive workflow execution.

Routine non-critical jobs may be logged as operational telemetry only.


50. Observability Integration

The Scheduler / Orchestrator Engine emits metrics to the Runtime Observability Engine.

Key metrics:

MetricDescription
tg_scheduler_job_created_totalJobs created.
tg_scheduler_job_started_totalJobs started.
tg_scheduler_job_completed_totalJobs completed.
tg_scheduler_job_failed_totalJobs failed.
tg_scheduler_job_retry_totalRetry attempts.
tg_scheduler_job_deadletter_totalDead-lettered jobs.
tg_scheduler_queue_depthScheduler queue depth.
tg_scheduler_workflow_latency_msWorkflow latency.
tg_scheduler_sla_breach_totalSLA breaches.
tg_scheduler_safe_mode_job_totalSafe mode jobs.

51. AII Integration

Scheduler telemetry contributes to AII operational resilience.

Example:

{
"eco_number": "ECO-A123",
"period": "2026-Q2",
"jobs_scheduled": 18440,
"jobs_completed": 18412,
"job_success_rate": 0.9985,
"retry_rate": 0.014,
"dead_letter_rate": 0.0002,
"sla_breach_rate": 0.0008,
"avg_workflow_latency_ms": 842,
"replay_backlog": 12,
"dal_batch_success_rate": 0.9996
}

52. DSAIL Integration

DSAIL may consume scheduler telemetry to recommend operational improvements.

DSAIL may recommend:

  • replay sampling adjustment;
  • job priority changes;
  • queue scaling;
  • retry policy tuning;
  • federation synchronization frequency changes;
  • DAL batch size optimization;
  • quarantine SLA focus;
  • capacity planning;
  • anomaly investigation.

DSAIL may not:

  • execute jobs autonomously;
  • cancel jobs;
  • approve material workflow changes;
  • bypass scheduler policy;
  • alter retry behavior without governance approval;
  • override safe mode policy.

53. Replay Behaviour

Scheduler workflows must be replayable where they affect assurance.

Replay inputs include:

  • trigger event;
  • job definition;
  • workflow definition;
  • runtime configuration snapshot;
  • scheduler policy;
  • queue state where material;
  • workflow state transitions;
  • engine CMI;
  • retry policy;
  • time window.

Replay verification succeeds when:

Hash(JobRunoriginal)=Hash(JobRunreplay)Hash(JobRun_{original}) = Hash(JobRun_{replay})

For workflow replay:

Hash(WorkflowStateSequenceoriginal)=Hash(WorkflowStateSequencereplay)Hash(WorkflowStateSequence_{original}) = Hash(WorkflowStateSequence_{replay})

Live scheduling conditions must not be used in audit replay unless marked as simulation.


54. Federation Behaviour

Scheduler controls several federation workflows.

Federation scheduling must:

  • respect federation profile;
  • avoid duplicate export;
  • verify target ECO permission;
  • apply redaction before export;
  • wait for DAL reference where required;
  • verify DID cache freshness;
  • retry failed delivery safely;
  • dead-letter unverifiable packages;
  • emit federation telemetry.

Cross-ECO job metadata must be redacted before sharing.


55. Security Requirements

The engine must:

  • authenticate all scheduling requests;
  • authorize manual job creation and cancellation;
  • enforce tenant isolation;
  • validate job definitions against ZAR;
  • bind every job to runtime configuration;
  • prevent unauthorized safe mode activation;
  • protect worker dispatch credentials;
  • prevent duplicate semantic execution;
  • redact sensitive job metadata;
  • audit privileged workflow actions;
  • verify target engine compatibility;
  • support signed job definitions where required;
  • prevent cross-tenant queue leakage.

56. Worker Dispatch Security

Workers must receive only the configuration and payload required to execute the job.

Worker dispatch payloads must include:

  • job run ID;
  • idempotency key;
  • configuration snapshot ID;
  • configuration digest;
  • target engine MEID;
  • target engine CMI;
  • scoped input references;
  • authorization context;
  • trace context;
  • timeout and retry constraints.

Workers should not receive broad tenant configuration unless required.


57. Retention Model

Data TypeDefault Retention
Job definitionsVersioned indefinitely while referenced.
Job runsReporting period + assurance retention.
Workflow stateReporting period + replay retention.
Critical workflow eventsAudit retention period.
Dead-letter recordsUntil resolved + retention policy.
Queue metrics90 days hot, aggregated long-term.
Safe mode recordsGovernance retention period.
Replay scheduling recordsReplay retention period.

Retention is governed by FAGF and tenant policy.


58. Failure Handling

FailureSeverityAction
Missing job definitionCriticalReject trigger.
Invalid configuration snapshotCriticalDo not execute.
Lock acquisition failureInfo/WarningMark duplicate or retry.
Worker unavailableWarningRetry or reroute.
Queue unavailableCriticalEscalate and buffer if possible.
Max retries exceededCritical if assurance jobDead-letter and escalate.
DAL unavailableWarningQueue DAL-dependent jobs.
Federation unavailableWarningQueue federation jobs.
Audit unavailableCritical for material jobsFail closed if required.
Observability unavailableWarningContinue but local log.
Safe mode activation failureCriticalEscalate immediately.
Configuration driftCriticalPause affected jobs or safe mode.

59. Performance Targets

MetricTarget
Job scheduling latency< 50 ms
Cached config binding latency< 10 ms
Worker dispatch latency< 100 ms
Workflow state transition latency< 25 ms
Retry scheduling latency< 50 ms
Queue throughput100,000 jobs/min per scheduler cluster
Critical job dispatch latency< 5 seconds
Emergency safe mode dispatch< 5 seconds
Availability99.99%
Idempotency correctness100%

60. Deployment Model

Recommended deployment:

Event Sources

├── EventBridge
├── SQS
├── Cron
├── Manual API
├── Observability Alerts
└── Policy Triggers


Scheduler / Orchestrator Engine

├── Job Definition Store
├── Workflow State Store
├── Priority Queue
├── Retry Queue
├── Dead-Letter Queue
├── Worker Dispatch Layer
├── Audit Publisher
├── Observability Publisher
└── DAL Candidate Publisher

The implementation may use AWS EventBridge, SQS, Step Functions, Lambda, ECS, Kubernetes Jobs, Airflow, or a ZAYAZ-native workflow runtime.


61. Storage Architecture

StorePurpose
Job Definition StoreVersioned job definitions.
Workflow State StoreState transitions and workflow history.
Queue StorePending and delayed jobs.
Retry StoreRetry state and next retry timestamp.
Dead-Letter StoreFailed unrecoverable jobs.
Lock StoreDistributed execution locks.
Snapshot StoreBound configuration snapshots.
Audit Event StoreMaterial scheduler audit events.
Metrics StoreScheduler observability metrics.

62. Testing Requirements

The engine requires:

Test TypeRequirement
Schedule TestsVerify cron, interval, event, manual, and policy triggers.
Idempotency TestsVerify duplicate triggers do not duplicate side effects.
Retry TestsVerify backoff, jitter, and dead-letter behavior.
Lock TestsVerify distributed lock safety.
Workflow TestsVerify state transitions and recovery.
Config Binding TestsVerify all jobs bind correct configuration snapshots.
Replay TestsVerify deterministic workflow replay.
SLA TestsVerify SLA breach detection and escalation.
Failure TestsVerify worker, queue, DAL, federation, and audit outage behavior.
Security TestsVerify scheduling authorization and tenant isolation.
Load TestsVerify high-volume job orchestration.
Safe Mode TestsVerify emergency workflows activate correctly.

63. Compliance Alignment

FrameworkScheduler / Orchestrator Contribution
CSRDEnsures periodic assurance workflows, replay, and evidence tasks execute reliably.
ESRSSupports data quality controls, audit evidence, and governance workflow execution.
ISSB / IFRS S1-S2Supports repeatable controls for decision-useful sustainability information.
ISO 14064-1Supports scheduled GHG verification, replay, and evidence management workflows.
ISO 27001Supports operational control, logging, incident response, and access governance.
EU AI ActEnsures AI feedback and model-related workflows remain governed and traceable.
SOC2Supports processing integrity, availability, and operational control evidence.

64. Developer Implementation Notes

Developers should implement the Scheduler / Orchestrator Engine as a policy-bound workflow control service.

Recommended components:

  • trigger ingestor;
  • job definition resolver;
  • runtime configuration binder;
  • idempotency key generator;
  • distributed lock manager;
  • priority queue manager;
  • worker dispatcher;
  • workflow state machine;
  • retry manager;
  • dead-letter manager;
  • SLA monitor;
  • safe mode controller;
  • audit publisher;
  • observability publisher;
  • DAL anchor candidate publisher;
  • AII telemetry publisher;
  • DSAIL feedback publisher;
  • federation job adapter;
  • replay job adapter;
  • DAL batch job adapter.

The engine must treat job definitions as versioned runtime artifacts.


65. Implementation Anti-Patterns

Avoid:

Anti-PatternRisk
Unversioned cron jobsCannot replay or audit scheduling behavior.
Jobs without configuration snapshotsNon-deterministic execution.
Fire-and-forget background jobsLoss of assurance evidence.
No idempotency keysDuplicate DAL anchors, federation exports, or replay jobs.
Shared global queues without tenant isolationCross-tenant leakage.
Manual retries outside schedulerBroken audit trail.
Workflow state only in logsNot replayable or queryable.
AI-controlled scheduling without policyGovernance violation.
Disabling audit for material jobsAssurance failure.
No dead-letter processSilent operational risk accumulation.

66. Summary

The TrustGate Scheduler / Orchestrator Engine coordinates TrustGate’s asynchronous and scheduled runtime operations.

It ensures replay, DAL batching, federation synchronization, quarantine SLA checks, AI feedback, AII telemetry, configuration refresh, audit integrity, observability, and maintenance workflows execute reliably, deterministically, and with full governance traceability.

It is the operational runtime layer that turns TrustGate from a set of engines into a resilient, production-grade assurance system.

No Tier-0 TrustGate deployment should be considered complete without this engine or an equivalent FAGF-authorized orchestration mechanism.




GitHub RepoRequest for Change (RFC)