TG_SCHEDULER_ORCHESTRATOR
TrustGate Scheduler / Orchestrator Engine
0. Identity
Depends on module:
1. Purpose
The TrustGate Scheduler / Orchestrator Engine is the runtime coordination engine for TrustGate.
It schedules, triggers, prioritizes, retries, supervises, and records TrustGate background jobs and asynchronous workflows.
It ensures operational tasks happen at the correct time, in the correct order, with the correct configuration snapshot, deterministic retry behavior, auditability, and observability.
The engine handles scheduled and asynchronous activities such as replay jobs, replay sampling, DAL anchor batching, DAL retries, federation synchronization, quarantine SLA checks, evidence request reminders, AI feedback publication, AII telemetry publication, audit integrity checks, runtime health checks, policy refresh, configuration cache invalidation, stale configuration detection, feature flag rollouts, safe-mode enforcement, dead-letter inspection, backfills, and periodic assurance reports.
The Scheduler / Orchestrator Engine is the operational nervous system of TrustGate.
It does not compute trust scores, validate signals, or make assurance decisions. It controls when and how background workflows execute.
2. Architectural Role
TrustGate has synchronous processing engines and asynchronous operational workflows.
Synchronous engines handle the direct signal processing path. The Scheduler / Orchestrator Engine handles controlled runtime coordination outside or adjacent to the signal path.
Runtime Configuration Engine
│
▼
Scheduler / Orchestrator Engine
│
├── Replay Jobs
├── DAL Batch Jobs
├── Federation Sync Jobs
├── Quarantine SLA Jobs
├── AI Feedback Jobs
├── AII Telemetry Jobs
├── Audit Integrity Jobs
├── Configuration Refresh Jobs
├── Observability Jobs
└── Maintenance Jobs
The engine coordinates the background assurance economy of TrustGate.
3. Canonical Identity
| Property | Value |
|---|---|
| MEID | MEID_TRUST_ROUTE_SCHEDULER |
| CMI | vera.TG-SCHED.ENGINE.ORCHESTRATOR.1_0_0 |
| KIND | ENGINE |
| Owner Module | Verification & Assurance |
| Runtime Tier | Tier-0 Runtime Operations |
| Engine Category | JOB |
| Engine Domain | trust |
| ZAR Registration | Required |
| Replay Support | Native for workflow state |
| DAL Anchoring | Policy-based |
| Federation Aware | Yes |
| Critical Path | Indirect, through async runtime workflows |
4. Design Principles
| Principle | Requirement |
|---|---|
| Deterministic Scheduling | Same schedule definition and configuration snapshot must resolve to the same planned job set. |
| Idempotent Execution | Re-running the same job must not produce duplicate semantic side effects. |
| Configuration Binding | Every job must bind to a configuration snapshot from the Runtime Configuration Engine. |
| Auditability | Material jobs and workflow state transitions must be audit logged. |
| Observability | Every job must emit metrics, traces, status, and failure reasons. |
| Policy Governance | Jobs must respect FAGF, OARM, DAL, AFLE, EGFS, tenant, and security policies. |
| Fail-Safe Behavior | Failed jobs must retry, quarantine, dead-letter, or escalate according to policy. |
5. Runtime Responsibilities
| Responsibility | Description |
|---|---|
| Job Scheduling | Schedule one-off, periodic, event-driven, and policy-triggered jobs. |
| Workflow Orchestration | Coordinate multi-step workflows involving several TrustGate engines. |
| Retry Management | Apply deterministic retry, backoff, timeout, and dead-letter behavior. |
| Priority Management | Prioritize assurance-critical jobs over routine maintenance. |
| Replay Scheduling | Schedule replay jobs based on triggers, sampling, auditor requests, and policy. |
| DAL Batch Orchestration | Coordinate Merkle batch windows, anchor submission, and retry. |
| Federation Synchronization | Schedule EGFS / AFLE sync, export, import, and verification jobs. |
| Quarantine SLA Management | Track quarantine aging, review deadlines, reminders, and escalation. |
| Configuration Refresh | Schedule policy refresh, cache invalidation, and drift detection jobs. |
| AI Feedback Delivery | Coordinate DSAIL feedback publication and retry. |
| AII Telemetry Delivery | Schedule and publish aggregate runtime telemetry to AII. |
| Audit and Integrity Jobs | Schedule audit chain verification and evidence-chain checks. |
| Maintenance Jobs | Backfills, cleanup, compaction, retention, and stale state checks. |
| Workflow State Management | Persist workflow state transitions for replay and audit. |
| Alerting and Escalation | Emit alerts when jobs breach SLA or enter dead-letter state. |
6. Scheduling Modes
| Mode | Description |
|---|---|
cron | Time-based recurring jobs. |
interval | Jobs repeated every configured duration. |
event_triggered | Jobs triggered by runtime events. |
policy_triggered | Jobs triggered by policy conditions. |
manual | Authorized operator or reviewer request. |
backfill | Historical reprocessing over a defined window. |
batch_window | Windowed aggregation jobs such as DAL Merkle batches. |
adaptive | Schedule adjusted by runtime telemetry or policy. |
safe_mode | Emergency schedule activated by incident policy. |
Adaptive scheduling may use DSAIL recommendations, but the final schedule must remain policy-controlled.
7. Job Classes
| Job Class | Purpose |
|---|---|
REPLAY_JOB | Prepare or execute replay workflows. |
DAL_ANCHOR_JOB | Submit, verify, or retry DAL anchors. |
FEDERATION_SYNC_JOB | Exchange or verify federation artifacts. |
QUARANTINE_SLA_JOB | Check quarantine age, reminders, and escalation. |
AI_FEEDBACK_JOB | Publish AI feedback to DSAIL. |
AII_TELEMETRY_JOB | Publish AII telemetry. |
AUDIT_INTEGRITY_JOB | Verify audit chain, evidence chain, and log integrity. |
CONFIG_REFRESH_JOB | Refresh or invalidate configuration. |
POLICY_REFRESH_JOB | Load and verify policy bundles. |
OBSERVABILITY_JOB | Aggregate metrics, SLOs, dashboard feeds, and alerts. |
MAINTENANCE_JOB | Cleanup, compaction, retention, and backfill. |
SAFE_MODE_JOB | Incident-driven runtime protective jobs. |
8. Workflow Types
| Workflow | Description |
|---|---|
| Replay Verification Workflow | Prepare replay, execute replay, compare hash, record result, audit, emit telemetry. |
| DAL Batch Workflow | Collect candidates, build Merkle tree, submit root, verify ledger ref, publish proof. |
| Federation Export Workflow | Resolve config, package attestation, redact, sign, export, verify delivery. |
| Federation Import Workflow | Receive package, verify identity, verify signature, verify DAL, accept/reject. |
| Quarantine Review Workflow | Open quarantine, request evidence, remind reviewer, escalate, release/reject. |
| AI Feedback Workflow | Collect outcomes, apply policy, redact, publish to DSAIL, retry if needed. |
| AII Publication Workflow | Aggregate metrics, validate payload, publish, record status. |
| Configuration Rollout Workflow | Validate config, canary, observe, expand, rollback if needed. |
| Audit Integrity Workflow | Verify chain, detect conflicts, anchor critical proof, report status. |
9. Runtime Architecture
Triggers
│
├── Cron
├── Event Bus
├── Queue
├── Manual Request
├── Policy Condition
└── Observability Alert
│
▼
Scheduler / Orchestrator Engine
│
├── Job Resolver
├── Configuration Binder
├── Dependency Resolver
├── Priority Queue
├── Workflow State Machine
├── Retry Manager
├── Dead-Letter Manager
├── Worker Dispatcher
├── SLA Monitor
└── Audit / Telemetry Publisher
The engine may run on top of AWS Step Functions, EventBridge, SQS, Kubernetes Jobs, Airflow, or an internal ZAYAZ workflow runtime.
10. Runtime Processing Pipeline
Receive Trigger
│
▼
Resolve Job Definition
│
▼
Resolve Runtime Configuration
│
▼
Validate Job Preconditions
│
▼
Acquire Lock / Idempotency Key
│
▼
Create Job Run
│
▼
Dispatch Worker / Workflow
│
▼
Track State
│
▼
Handle Success / Retry / Failure
│
▼
Emit Audit and Observability Events
│
▼
Update AII / DSAIL / VIZZ as Required
Every job run must have a unique job run ID and an idempotency key.
11. Processing Algorithm
function schedule_or_execute(trigger):
job_definition = resolve_job_definition(trigger)
config = resolve_runtime_config(
job_definition,
trigger.scope
)
validate_job_preconditions(job_definition, config, trigger)
idempotency_key = compute_idempotency_key(trigger, job_definition, config)
if job_already_completed(idempotency_key):
return existing_result(idempotency_key)
lock = acquire_execution_lock(idempotency_key)
if not lock.acquired:
return duplicate_or_in_progress(idempotency_key)
job_run = create_job_run(
trigger,
job_definition,
config,
idempotency_key
)
try:
result = dispatch(job_run)
mark_completed(job_run, result)
emit_completed_events(job_run, result)
return result
except RetryableError as error:
schedule_retry(job_run, error)
emit_retry_event(job_run, error)
except NonRetryableError as error:
mark_failed(job_run, error)
route_to_dead_letter_if_required(job_run, error)
emit_failure_event(job_run, error)
finally:
release_lock(lock)
The engine must fail safely and avoid duplicate semantic execution.
12. Job Definition Model
A job definition describes what can be scheduled or executed.
| Field | Description |
|---|---|
job_definition_id | Stable job definition ID. |
job_code | Human-readable job code. |
job_class | Canonical job class. |
canonical_name | Human-readable name. |
description | Job purpose. |
trigger_type | Cron, event, manual, policy, batch window. |
schedule_expression | Cron or interval definition where applicable. |
target_engine_meid | Target engine or workflow owner. |
target_engine_cmi | Optional target CMI. |
workflow_steps | Ordered workflow steps. |
priority | Job priority. |
retry_policy | Retry strategy. |
timeout_policy | Timeout constraints. |
sla_policy | SLA constraints. |
config_profile | Required scheduler profile. |
idempotency_policy | Idempotency method. |
dal_anchor_required | Whether job events require anchoring. |
audit_required | Whether job must be audit logged. |
status | Draft, active, suspended, retired. |
13. Job Run Model
A job run is a concrete execution instance.
| Field | Description |
|---|---|
job_run_id | Unique execution ID. |
job_definition_id | Job definition reference. |
trigger_id | Trigger source reference. |
workflow_run_id | Optional workflow run reference. |
idempotency_key | Duplicate protection key. |
config_snapshot_id | Bound runtime configuration snapshot. |
config_digest | Hash of configuration snapshot. |
status | Pending, running, completed, failed, retrying, dead-lettered. |
attempt | Execution attempt number. |
priority | Effective priority. |
started_at | Start timestamp. |
ended_at | End timestamp. |
next_retry_at | Next retry timestamp. |
error_code | Failure code if any. |
result_ref | Result artifact reference. |
14. Workflow State Model
Workflow state transitions are explicit.
CREATED
│
▼
SCHEDULED
│
▼
DISPATCHED
│
▼
RUNNING
│
├── COMPLETED
├── RETRY_WAIT
├── FAILED
├── DEAD_LETTERED
├── CANCELLED
└── ESCALATED
State transitions must be persisted, observable, and audit-ready.
15. Canonical Job Definition Example
{
"job_definition_id": "TGJOBDEF-REPLAY-SAMPLING-001",
"job_code": "TG-REPLAY-SAMPLING-DAILY",
"job_class": "REPLAY_JOB",
"canonical_name": "Daily TrustGate Replay Sampling",
"trigger_type": "cron",
"schedule_expression": "0 2 * * *",
"target_engine_meid": "MEID_TRUST_REPLAY_COORDINATOR",
"workflow_steps": [
"select_replay_population",
"create_replay_manifests",
"dispatch_replay_execution",
"record_replay_results",
"publish_replay_telemetry"
],
"priority": "high",
"retry_policy": "standard_exponential_backoff_v1",
"sla_policy": "replay_sampling_daily_v1",
"audit_required": true,
"dal_anchor_required": false,
"status": "active"
}
16. Canonical Job Run Example
{
"job_run_id": "TGJOBRUN-2026-00001472",
"job_definition_id": "TGJOBDEF-REPLAY-SAMPLING-001",
"job_class": "REPLAY_JOB",
"trigger_id": "TGTRIG-2026-00001472",
"idempotency_key": "sha256:8b1c91...",
"config_snapshot_id": "TGCFGSNAP-2026-00001472",
"config_digest": "sha256:4d6f8a...",
"status": "RUNNING",
"attempt": 1,
"priority": "high",
"started_at": "2026-06-26T02:00:00Z"
}
17. Trigger Model
A trigger starts a job or workflow.
| Trigger Type | Example |
|---|---|
cron | Daily replay sampling. |
event | New quarantine record created. |
queue | DAL anchor candidate queued. |
manual | Auditor requests replay. |
policy | Replay required because confidence below threshold. |
alert | Observability detects replay drift spike. |
configuration | New policy bundle activated. |
safe_mode | Incident policy activates emergency workflow. |
Triggers must include source identity and policy context.
18. Trigger Payload Example
{
"trigger_id": "TGTRIG-2026-00001472",
"trigger_type": "event",
"event_type": "trustgate.quarantine.created",
"source_engine_meid": "MEID_TRUST_QUARANTINE_MANAGER",
"source_engine_cmi": "vera.TG-QUARANTINE.ENGINE.MANAGER.1_0_0",
"signal_id": "SIG-2026-00001472",
"eco_number": "ECO-A123",
"policy_context": {
"policy_bundle": "FAGF-2026.2",
"scheduler_profile": "production_scheduler_v1"
},
"created_at": "2026-06-25T18:00:00Z"
}
19. Priority Model
Job priority determines execution order.
| Priority | Use Case |
|---|---|
critical | Security incident, safe mode, replay drift, audit conflict. |
high | Replay, DAL verification, federation conflict, quarantine SLA. |
normal | Routine federation sync, AII telemetry, standard AI feedback. |
low | Maintenance, compaction, archive, non-critical backfill. |
background | Long-running analytics or reporting jobs. |
Priority must not bypass safety, tenant isolation, or configuration rules.
20. Retry Model
Retry behavior is policy-controlled.
| Retry Strategy | Description |
|---|---|
none | No retry. |
fixed_delay | Retry after fixed delay. |
exponential_backoff | Delay increases after each failure. |
exponential_backoff_jitter | Backoff with random jitter to prevent thundering herd. |
dead_letter_after_n | Dead-letter after maximum attempts. |
manual_review_after_n | Escalate after repeated failures. |
safe_mode_on_failure | Activate safe mode after critical repeated failure. |
Retries must preserve idempotency keys.
21. Retry Policy Example
{
"retry_policy_id": "standard_exponential_backoff_v1",
"strategy": "exponential_backoff_jitter",
"max_attempts": 5,
"initial_delay_seconds": 30,
"max_delay_seconds": 1800,
"jitter": true,
"dead_letter_after_max_attempts": true,
"escalate_on_final_failure": true
}
22. Timeout and SLA Model
The Scheduler / Orchestrator Engine enforces timeouts and SLAs.
| Policy | Description |
|---|---|
| Execution Timeout | Maximum time a job may run. |
| Queue Timeout | Maximum time a job may remain pending. |
| SLA Deadline | Business or assurance deadline. |
| Retry Window | Maximum window for retry attempts. |
| Escalation Deadline | Time after which human escalation is required. |
| Evidence Deadline | Deadline for quarantine evidence submission. |
SLA breaches must emit observability and audit events.
23. SLA Breach Event
{
"event_type": "trustgate.scheduler.sla_breach",
"sla_breach_id": "TGSLA-2026-00001472",
"job_run_id": "TGJOBRUN-2026-00001472",
"job_class": "QUARANTINE_SLA_JOB",
"eco_number": "ECO-A123",
"sla_policy": "quarantine_review_48h_v1",
"deadline": "2026-06-27T12:22:44Z",
"breached_at": "2026-06-27T12:30:00Z",
"severity": "warning",
"requires_escalation": true
}
24. Idempotency Model
Idempotency prevents duplicate semantic side effects.
The idempotency key should be calculated as:
For event-driven jobs, the source event ID should be included.
For batch jobs, the batch window should be included.
For manual jobs, the authorized request ID should be included.
25. Locking Model
The engine uses distributed locking for critical workflows.
| Lock Type | Purpose |
|---|---|
| Job Lock | Prevent duplicate job execution. |
| Workflow Lock | Prevent concurrent workflow mutation. |
| Signal Lock | Prevent conflicting operations on a signal. |
| Quarantine Lock | Prevent conflicting release/reject transitions. |
| DAL Batch Lock | Prevent duplicate Merkle root submission. |
| Federation Lock | Prevent duplicate export/import processing. |
| Config Rollout Lock | Prevent concurrent production rollout conflict. |
Locks must have expiry and recovery behavior.
26. Dead-Letter Model
Jobs that cannot safely complete are moved to a dead-letter state.
Dead-letter causes include:
- maximum retries exceeded;
- invalid configuration;
- missing dependency;
- non-retryable validation failure;
- repeated DAL submission failure;
- signature verification failure;
- impossible federation target;
- audit write failure;
- unsafe state transition;
- operator cancellation.
Dead-letter events require observability and may require audit logging.
27. Dead-Letter Event
{
"event_type": "trustgate.scheduler.dead_lettered",
"dead_letter_id": "TGDLQ-2026-00001472",
"job_run_id": "TGJOBRUN-2026-00001472",
"job_class": "DAL_ANCHOR_JOB",
"reason": "maximum_retries_exceeded",
"last_error_code": "DAL_SUBMISSION_TIMEOUT",
"attempts": 5,
"requires_manual_review": true,
"created_at": "2026-06-25T19:00:00Z"
}
28. Replay Scheduling
Replay scheduling is one of the most important scheduler responsibilities.
Replay jobs may be triggered by:
| Trigger | Example |
|---|---|
| Policy Requirement | Critical event requires replay. |
| Sampling | Daily random assurance sample. |
| Auditor Request | External auditor requests replay. |
| Drift Detection | Observability detects replay drift spike. |
| Quarantine | Quarantine requires replay before release. |
| Federation | Inbound package requires replay reference verification. |
| AI Calibration | DSAIL detects model drift. |
| Safe Mode | Incident policy forces full replay sampling. |
Replay jobs must bind to configuration snapshots.
29. Replay Job Example
{
"job_run_id": "TGJOBRUN-REPLAY-2026-00001472",
"job_class": "REPLAY_JOB",
"replay_scope": {
"type": "signal",
"signal_id": "SIG-2026-00001472",
"replay_type": "FULL_PIPELINE_REPLAY"
},
"target_engine_meid": "MEID_TRUST_REPLAY_COORDINATOR",
"config_snapshot_id": "TGCFGSNAP-2026-00001472",
"priority": "high",
"status": "SCHEDULED"
}
30. DAL Batch Orchestration
The engine coordinates DAL batch windows.
DAL batch orchestration includes:
- collecting anchor candidates;
- selecting direct vs Merkle mode;
- opening batch window;
- closing batch window;
- dispatching batch build;
- dispatching DAL submission;
- verifying ledger reference;
- retrying failed submissions;
- publishing inclusion proof availability.
DAL batch windows must be deterministic.
31. DAL Batch Job Example
{
"job_run_id": "TGJOBRUN-DALBATCH-2026-00001472",
"job_class": "DAL_ANCHOR_JOB",
"batch_id": "DALB-2026-06-25-1800",
"batch_window": {
"from": "2026-06-25T18:00:00Z",
"to": "2026-06-25T19:00:00Z"
},
"anchor_mode": "MERKLE_BATCH_ANCHOR",
"candidate_count": 158342,
"status": "RUNNING"
}
32. Federation Synchronization
Federation jobs coordinate AFLE and EGFS workflows.
Federation scheduled tasks include endpoint health checks, DID verification cache refresh, outbound package delivery, inbound package verification, federation conflict retry, Carbon Passport trust reference sync, cross-ECO replay reference sync, federation profile refresh, and federation safe-mode enforcement.
Federation jobs must respect redaction profiles and target permissions.
33. Federation Sync Job Example
{
"job_run_id": "TGJOBRUN-FEDSYNC-2026-00001472",
"job_class": "FEDERATION_SYNC_JOB",
"source_eco": "ECO-A123",
"target_eco": "ECO-B456",
"federation_profile": "buyer_standard_assurance_v1",
"sync_type": "trust_attestation_export",
"redaction_profile": "standard_federation",
"status": "SCHEDULED"
}
34. Quarantine SLA Orchestration
The engine schedules quarantine lifecycle jobs.
Quarantine orchestration includes:
- evidence request reminders;
- reviewer assignment reminders;
- SLA breach checks;
- automatic escalation;
- replay scheduling before release;
- expired quarantine detection;
- unresolved critical quarantine reporting.
Quarantine jobs must not release or reject records directly unless policy explicitly allows automation. Final release/reject remains controlled by the Quarantine Manager and reviewer workflow.
35. Quarantine SLA Job Example
{
"job_run_id": "TGJOBRUN-QSLA-2026-00001472",
"job_class": "QUARANTINE_SLA_JOB",
"quarantine_id": "TGQ-2026-00001472",
"eco_number": "ECO-A123",
"sla_policy": "quarantine_review_48h_v1",
"action": "check_and_escalate_if_overdue",
"status": "SCHEDULED",
"scheduled_for": "2026-06-27T12:22:44Z"
}
36. AI Feedback Orchestration
AI feedback jobs publish governed feedback to DSAIL.
AI feedback orchestration includes batching feedback events, applying redaction, verifying training eligibility, publishing to DSAIL, retrying failed publication, suppressing disallowed feedback, reporting feedback lag, and triggering model governance workflows where needed.
AI feedback jobs must not alter historical TrustGate facts.
37. AII Telemetry Orchestration
AII jobs aggregate and publish assurance telemetry.
AII publication includes validation telemetry, trust score telemetry, replay telemetry, DAL telemetry, federation telemetry, quarantine telemetry, audit telemetry, configuration telemetry, observability telemetry, and scheduler telemetry.
AII jobs must preserve period boundaries and avoid duplicate publication.
38. Configuration Refresh Orchestration
The Scheduler / Orchestrator Engine coordinates configuration refresh.
Configuration jobs include policy bundle refresh, runtime configuration cache invalidation, feature flag rollout, canary expansion, drift detection, rollback execution, safe mode activation, and expired override cleanup.
Configuration jobs must use the Runtime Configuration Engine as the authority.
39. Safe Mode Orchestration
Safe mode is an emergency runtime state.
Safe mode orchestration may trigger:
- federation export suspension;
- replay sampling increase;
- decision threshold tightening;
- DAL anchoring expansion;
- audit logging expansion;
- experimental engine rollback;
- quarantine SLA tightening;
- manual review requirement increase;
- notification to platform operators.
Safe mode jobs are critical priority and audit-required.
40. Safe Mode Job Example
{
"job_run_id": "TGJOBRUN-SAFE-2026-00001472",
"job_class": "SAFE_MODE_JOB",
"reason": "replay_drift_spike",
"actions": [
"increase_replay_sampling",
"disable_federation_export",
"require_manual_review_for_medium_confidence"
],
"priority": "critical",
"audit_required": true,
"status": "RUNNING"
}
41. CSI Contracts
41.1. Input CSIs
| CSI | Required | Purpose |
|---|---|---|
comp.TG.INPUT.SCHEDULER-TRIGGER.v1_0 | Yes | Trigger for job creation. |
comp.TG.INPUT.JOB-DEFINITION.v1_0 | Conditional | Job definition. |
comp.TG.INPUT.WORKFLOW-DEFINITION.v1_0 | Conditional | Workflow definition. |
comp.TG.OUTPUT.RESOLVED-CONFIG.v1_0 | Yes | Runtime configuration from Configuration Engine. |
comp.TG.INPUT.RUNTIME-EVENT.v1_0 | Conditional | Runtime event trigger. |
comp.TG.INPUT.QUEUE-METRIC.v1_0 | Conditional | Queue depth or backlog input. |
comp.TG.INPUT.OBSERVABILITY-ALERT.v1_0 | Conditional | Alert-triggered job. |
comp.FAGF.INPUT.SCHEDULER-POLICY.v1_0 | Yes | Scheduler policy and constraints. |
41.2. Output CSIs
| CSI | Purpose |
|---|---|
comp.TG.OUTPUT.SCHEDULED-JOB.v1_0 | Scheduled job record. |
comp.TG.OUTPUT.JOB-RUN.v1_0 | Job execution record. |
comp.TG.OUTPUT.WORKFLOW-RUN.v1_0 | Workflow execution record. |
comp.TG.EVENT.JOB-STARTED.v1_0 | Job started event. |
comp.TG.EVENT.JOB-COMPLETED.v1_0 | Job completed event. |
comp.TG.EVENT.JOB-FAILED.v1_0 | Job failure event. |
comp.TG.EVENT.JOB-RETRIED.v1_0 | Job retry event. |
comp.TG.EVENT.JOB-DEAD-LETTERED.v1_0 | Dead-letter event. |
comp.DAL.INPUT.ANCHOR-CANDIDATE.v1_0 | DAL anchor candidate. |
comp.AII.INPUT.SCHEDULER-TELEMETRY.v1_0 | AII scheduler telemetry. |
comp.DSAIL.INPUT.SCHEDULER-FEEDBACK.v1_0 | DSAIL feedback. |
42. API Specification
42.1. Schedule Job
POST /api/trustgate/MEID_TRUST_ROUTE_SCHEDULER/schedule
Request:
{
"job_definition_id": "TGJOBDEF-REPLAY-SAMPLING-001",
"scope": {
"environment": "production",
"region": "eu-north-1",
"tenant_id": "TEN-2026-0001",
"eco_number": "ECO-A123"
},
"trigger": {
"trigger_type": "manual",
"requested_by": "auditor@example.com",
"reason": "External assurance replay sample."
}
}
Response:
{
"status": "scheduled",
"job_run_id": "TGJOBRUN-2026-00001472",
"config_snapshot_id": "TGCFGSNAP-2026-00001472",
"scheduled_for": "2026-06-25T18:30:00Z"
}
43. API: Cancel Job
POST /api/trustgate/MEID_TRUST_ROUTE_SCHEDULER/cancel
Request:
{
"job_run_id": "TGJOBRUN-2026-00001472",
"reason": "Superseded by safe-mode replay job.",
"requested_by": "platform.operator@viroway.com"
}
Response:
{
"status": "cancelled",
"job_run_id": "TGJOBRUN-2026-00001472",
"audit_required": true
}
44. API: Workflow Status
GET /api/trustgate/MEID_TRUST_ROUTE_SCHEDULER/workflows/{workflow_run_id}
Response:
{
"workflow_run_id": "TGWF-2026-00001472",
"status": "RUNNING",
"current_step": "dispatch_replay_execution",
"completed_steps": [
"select_replay_population",
"create_replay_manifests"
],
"remaining_steps": [
"record_replay_results",
"publish_replay_telemetry"
]
}
45. Job Started Event
{
"event_type": "trustgate.scheduler.job_started",
"job_run_id": "TGJOBRUN-2026-00001472",
"job_class": "REPLAY_JOB",
"job_definition_id": "TGJOBDEF-REPLAY-SAMPLING-001",
"engine_cmi": "vera.TG-SCHED.ENGINE.ORCHESTRATOR.1_0_0",
"config_snapshot_id": "TGCFGSNAP-2026-00001472",
"started_at": "2026-06-26T02:00:00Z"
}
46. Job Completed Event
{
"event_type": "trustgate.scheduler.job_completed",
"job_run_id": "TGJOBRUN-2026-00001472",
"job_class": "REPLAY_JOB",
"result": {
"replay_manifests_created": 1240,
"replay_jobs_dispatched": 1240
},
"duration_ms": 8412,
"completed_at": "2026-06-26T02:00:08Z"
}
47. Job Failed Event
{
"event_type": "trustgate.scheduler.job_failed",
"job_run_id": "TGJOBRUN-2026-00001472",
"job_class": "FEDERATION_SYNC_JOB",
"error_code": "FEDERATION_TARGET_UNAVAILABLE",
"retryable": true,
"attempt": 2,
"next_retry_at": "2026-06-25T18:45:00Z",
"failed_at": "2026-06-25T18:30:00Z"
}
48. DAL Integration
Scheduler events may require DAL anchoring.
DAL anchoring is required for:
- safe mode activation;
- critical job failure;
- audit integrity workflow failure;
- replay drift workflow escalation;
- federation conflict escalation;
- material configuration rollout workflow;
- regulator-requested workflow evidence;
- workflow state transition used as assurance evidence.
Example anchor candidate:
{
"artifact_type": "TrustSchedulerWorkflowEvent",
"artifact_id": "TGWF-2026-00001472",
"artifact_hash": "sha256:aa42bd...",
"engine_cmi": "vera.TG-SCHED.ENGINE.ORCHESTRATOR.1_0_0",
"meid": "MEID_TRUST_ROUTE_SCHEDULER",
"event_type": "safe_mode_activation",
"created_at": "2026-06-25T18:30:00Z"
}
Final anchoring is performed by the TrustGate DAL Anchor Engine.
49. Audit Log Integration
The engine sends audit events for:
- material workflow start;
- material workflow completion;
- critical workflow failure;
- dead-letter event;
- safe mode job;
- configuration rollout job;
- manual job scheduling;
- job cancellation;
- retry exhaustion;
- scheduler policy changes;
- privilege-sensitive workflow execution.
Routine non-critical jobs may be logged as operational telemetry only.
50. Observability Integration
The Scheduler / Orchestrator Engine emits metrics to the Runtime Observability Engine.
Key metrics:
| Metric | Description |
|---|---|
tg_scheduler_job_created_total | Jobs created. |
tg_scheduler_job_started_total | Jobs started. |
tg_scheduler_job_completed_total | Jobs completed. |
tg_scheduler_job_failed_total | Jobs failed. |
tg_scheduler_job_retry_total | Retry attempts. |
tg_scheduler_job_deadletter_total | Dead-lettered jobs. |
tg_scheduler_queue_depth | Scheduler queue depth. |
tg_scheduler_workflow_latency_ms | Workflow latency. |
tg_scheduler_sla_breach_total | SLA breaches. |
tg_scheduler_safe_mode_job_total | Safe mode jobs. |
51. AII Integration
Scheduler telemetry contributes to AII operational resilience.
Example:
{
"eco_number": "ECO-A123",
"period": "2026-Q2",
"jobs_scheduled": 18440,
"jobs_completed": 18412,
"job_success_rate": 0.9985,
"retry_rate": 0.014,
"dead_letter_rate": 0.0002,
"sla_breach_rate": 0.0008,
"avg_workflow_latency_ms": 842,
"replay_backlog": 12,
"dal_batch_success_rate": 0.9996
}
52. DSAIL Integration
DSAIL may consume scheduler telemetry to recommend operational improvements.
DSAIL may recommend:
- replay sampling adjustment;
- job priority changes;
- queue scaling;
- retry policy tuning;
- federation synchronization frequency changes;
- DAL batch size optimization;
- quarantine SLA focus;
- capacity planning;
- anomaly investigation.
DSAIL may not:
- execute jobs autonomously;
- cancel jobs;
- approve material workflow changes;
- bypass scheduler policy;
- alter retry behavior without governance approval;
- override safe mode policy.
53. Replay Behaviour
Scheduler workflows must be replayable where they affect assurance.
Replay inputs include:
- trigger event;
- job definition;
- workflow definition;
- runtime configuration snapshot;
- scheduler policy;
- queue state where material;
- workflow state transitions;
- engine CMI;
- retry policy;
- time window.
Replay verification succeeds when:
For workflow replay:
Live scheduling conditions must not be used in audit replay unless marked as simulation.
54. Federation Behaviour
Scheduler controls several federation workflows.
Federation scheduling must:
- respect federation profile;
- avoid duplicate export;
- verify target ECO permission;
- apply redaction before export;
- wait for DAL reference where required;
- verify DID cache freshness;
- retry failed delivery safely;
- dead-letter unverifiable packages;
- emit federation telemetry.
Cross-ECO job metadata must be redacted before sharing.
55. Security Requirements
The engine must:
- authenticate all scheduling requests;
- authorize manual job creation and cancellation;
- enforce tenant isolation;
- validate job definitions against ZAR;
- bind every job to runtime configuration;
- prevent unauthorized safe mode activation;
- protect worker dispatch credentials;
- prevent duplicate semantic execution;
- redact sensitive job metadata;
- audit privileged workflow actions;
- verify target engine compatibility;
- support signed job definitions where required;
- prevent cross-tenant queue leakage.
56. Worker Dispatch Security
Workers must receive only the configuration and payload required to execute the job.
Worker dispatch payloads must include:
- job run ID;
- idempotency key;
- configuration snapshot ID;
- configuration digest;
- target engine MEID;
- target engine CMI;
- scoped input references;
- authorization context;
- trace context;
- timeout and retry constraints.
Workers should not receive broad tenant configuration unless required.
57. Retention Model
| Data Type | Default Retention |
|---|---|
| Job definitions | Versioned indefinitely while referenced. |
| Job runs | Reporting period + assurance retention. |
| Workflow state | Reporting period + replay retention. |
| Critical workflow events | Audit retention period. |
| Dead-letter records | Until resolved + retention policy. |
| Queue metrics | 90 days hot, aggregated long-term. |
| Safe mode records | Governance retention period. |
| Replay scheduling records | Replay retention period. |
Retention is governed by FAGF and tenant policy.
58. Failure Handling
| Failure | Severity | Action |
|---|---|---|
| Missing job definition | Critical | Reject trigger. |
| Invalid configuration snapshot | Critical | Do not execute. |
| Lock acquisition failure | Info/Warning | Mark duplicate or retry. |
| Worker unavailable | Warning | Retry or reroute. |
| Queue unavailable | Critical | Escalate and buffer if possible. |
| Max retries exceeded | Critical if assurance job | Dead-letter and escalate. |
| DAL unavailable | Warning | Queue DAL-dependent jobs. |
| Federation unavailable | Warning | Queue federation jobs. |
| Audit unavailable | Critical for material jobs | Fail closed if required. |
| Observability unavailable | Warning | Continue but local log. |
| Safe mode activation failure | Critical | Escalate immediately. |
| Configuration drift | Critical | Pause affected jobs or safe mode. |
59. Performance Targets
| Metric | Target |
|---|---|
| Job scheduling latency | < 50 ms |
| Cached config binding latency | < 10 ms |
| Worker dispatch latency | < 100 ms |
| Workflow state transition latency | < 25 ms |
| Retry scheduling latency | < 50 ms |
| Queue throughput | 100,000 jobs/min per scheduler cluster |
| Critical job dispatch latency | < 5 seconds |
| Emergency safe mode dispatch | < 5 seconds |
| Availability | 99.99% |
| Idempotency correctness | 100% |
60. Deployment Model
Recommended deployment:
Event Sources
│
├── EventBridge
├── SQS
├── Cron
├── Manual API
├── Observability Alerts
└── Policy Triggers
│
▼
Scheduler / Orchestrator Engine
│
├── Job Definition Store
├── Workflow State Store
├── Priority Queue
├── Retry Queue
├── Dead-Letter Queue
├── Worker Dispatch Layer
├── Audit Publisher
├── Observability Publisher
└── DAL Candidate Publisher
The implementation may use AWS EventBridge, SQS, Step Functions, Lambda, ECS, Kubernetes Jobs, Airflow, or a ZAYAZ-native workflow runtime.
61. Storage Architecture
| Store | Purpose |
|---|---|
| Job Definition Store | Versioned job definitions. |
| Workflow State Store | State transitions and workflow history. |
| Queue Store | Pending and delayed jobs. |
| Retry Store | Retry state and next retry timestamp. |
| Dead-Letter Store | Failed unrecoverable jobs. |
| Lock Store | Distributed execution locks. |
| Snapshot Store | Bound configuration snapshots. |
| Audit Event Store | Material scheduler audit events. |
| Metrics Store | Scheduler observability metrics. |
62. Testing Requirements
The engine requires:
| Test Type | Requirement |
|---|---|
| Schedule Tests | Verify cron, interval, event, manual, and policy triggers. |
| Idempotency Tests | Verify duplicate triggers do not duplicate side effects. |
| Retry Tests | Verify backoff, jitter, and dead-letter behavior. |
| Lock Tests | Verify distributed lock safety. |
| Workflow Tests | Verify state transitions and recovery. |
| Config Binding Tests | Verify all jobs bind correct configuration snapshots. |
| Replay Tests | Verify deterministic workflow replay. |
| SLA Tests | Verify SLA breach detection and escalation. |
| Failure Tests | Verify worker, queue, DAL, federation, and audit outage behavior. |
| Security Tests | Verify scheduling authorization and tenant isolation. |
| Load Tests | Verify high-volume job orchestration. |
| Safe Mode Tests | Verify emergency workflows activate correctly. |
63. Compliance Alignment
| Framework | Scheduler / Orchestrator Contribution |
|---|---|
| CSRD | Ensures periodic assurance workflows, replay, and evidence tasks execute reliably. |
| ESRS | Supports data quality controls, audit evidence, and governance workflow execution. |
| ISSB / IFRS S1-S2 | Supports repeatable controls for decision-useful sustainability information. |
| ISO 14064-1 | Supports scheduled GHG verification, replay, and evidence management workflows. |
| ISO 27001 | Supports operational control, logging, incident response, and access governance. |
| EU AI Act | Ensures AI feedback and model-related workflows remain governed and traceable. |
| SOC2 | Supports processing integrity, availability, and operational control evidence. |
64. Developer Implementation Notes
Developers should implement the Scheduler / Orchestrator Engine as a policy-bound workflow control service.
Recommended components:
- trigger ingestor;
- job definition resolver;
- runtime configuration binder;
- idempotency key generator;
- distributed lock manager;
- priority queue manager;
- worker dispatcher;
- workflow state machine;
- retry manager;
- dead-letter manager;
- SLA monitor;
- safe mode controller;
- audit publisher;
- observability publisher;
- DAL anchor candidate publisher;
- AII telemetry publisher;
- DSAIL feedback publisher;
- federation job adapter;
- replay job adapter;
- DAL batch job adapter.
The engine must treat job definitions as versioned runtime artifacts.
65. Implementation Anti-Patterns
Avoid:
| Anti-Pattern | Risk |
|---|---|
| Unversioned cron jobs | Cannot replay or audit scheduling behavior. |
| Jobs without configuration snapshots | Non-deterministic execution. |
| Fire-and-forget background jobs | Loss of assurance evidence. |
| No idempotency keys | Duplicate DAL anchors, federation exports, or replay jobs. |
| Shared global queues without tenant isolation | Cross-tenant leakage. |
| Manual retries outside scheduler | Broken audit trail. |
| Workflow state only in logs | Not replayable or queryable. |
| AI-controlled scheduling without policy | Governance violation. |
| Disabling audit for material jobs | Assurance failure. |
| No dead-letter process | Silent operational risk accumulation. |
66. Summary
The TrustGate Scheduler / Orchestrator Engine coordinates TrustGate’s asynchronous and scheduled runtime operations.
It ensures replay, DAL batching, federation synchronization, quarantine SLA checks, AI feedback, AII telemetry, configuration refresh, audit integrity, observability, and maintenance workflows execute reliably, deterministically, and with full governance traceability.
It is the operational runtime layer that turns TrustGate from a set of engines into a resilient, production-grade assurance system.
No Tier-0 TrustGate deployment should be considered complete without this engine or an equivalent FAGF-authorized orchestration mechanism.