TG-VALIDATION-RULE
TrustGate Validation Rule Engine
0. Identity
Depends on module:
1. Purpose
The TrustGate Validation Rule Engine executes registry-defined validation rules against TrustGate signals before business rule evaluation, policy scoring, trust scoring, decisioning, replay, attestation, and federation exchange.
This engine is the runtime executor for the platform-wide validation rule registry stored under the zar schema, including:
zar.validation_rule_registry;zar.validation_rule_domain;zar.validation_rule_category;zar.validation_rule_function.
It separates data validity from trust evaluation.
The Structure Validation Engine answers:
Can this payload be read and interpreted structurally?
The Validation Rule Engine answers:
Is this structurally valid payload allowed to proceed under registered validation rules?
The Rule Evaluation Engine answers:
How should a valid signal influence trust, score, routing, risk, and assurance?
This separation prevents rule sprawl, keeps the TrustGate runtime modular, and allows new validation rules to be added through the registry without changing engine code.
2. Position within TrustGate Runtime
Signal Parser
│
▼
Structure Validation
│
▼
Signal Normalizer
│
▼
Context Enrichment
│
▼
──────────────────────────────────────────
Validation Rule Engine
──────────────────────────────────────────
│
▼
Policy Resolution
│
▼
Rule Evaluation
│
▼
Trust Scoring
│
▼
Decision Engine
The Validation Rule Engine runs after the signal has enough context to evaluate rules that depend on identity, schema, units, registry references, DAL state, federation state, and policy context.
3. Canonical Identity
| Property | Value |
|---|---|
| MEID | MEID_SIGNAL_VALIDATE_RULES |
| CMI | vera.TG-VALRULE.ENGINE.VALIDATION.1_0_0 |
| KIND | ENGINE |
| Owner Module | Verification & Assurance |
| Runtime Tier | Tier-0 Assurance Runtime |
| Engine Category | VALIDATE |
| Engine Domain | signal |
| ZAR Registration | Required |
| Replay Support | Native |
| DAL Anchoring | Policy-based |
| Federation Aware | Yes |
The MEID identifies the stable logical validation rule engine.
The CMI identifies this specific versioned executable artifact.
4. Runtime Responsibilities
| Responsibility | Description |
|---|---|
| Rule Discovery | Load active validation rules from zar.validation_rule_registry. |
| Rule Scope Resolution | Select rules based on MEID, CMI, CSI, domain, category, function, tenant, policy, and signal type. |
| Rule Expression Execution | Execute validation expressions using approved expression runtimes such as CEL. |
| Registry Validation | Validate ECO Numbers, DIDs, CSI versions, CMI references, metric types, units, signatures, hashes, and policy references. |
| Severity Handling | Apply severity mappings from info to blocking. |
| Action Mapping | Convert rule outcomes into pass, warn, review, quarantine, reject, or abort candidates. |
| Evidence Production | Produce rule-level evidence and failure details. |
| Replay Support | Preserve rule version, input hash, policy context, and execution result for deterministic replay. |
| DAL Candidate Creation | Emit DAL anchor candidates for critical, blocking, federation-relevant, or auditor-requested validation outcomes. |
| AII and DSAIL Telemetry | Publish validation quality signals to AII and DSAIL. |
The engine must not calculate a TrustGate score. It only produces validation rule outcomes.
5. Relationship to Other TrustGate Engines
| Engine | Role |
|---|---|
| Signal Parser | Parses input payloads into canonical signal objects. |
| Structure Validation Engine | Validates syntax, required structure, datatypes, and base schema conformance. |
| Signal Normalizer | Canonicalizes units, timestamps, identifiers, and value representations. |
| Context Enrichment Engine | Adds identity, lineage, governance, replay, federation, AI, and risk context. |
| Validation Rule Engine | Executes registry-defined validity and admissibility rules. |
| Rule Evaluation Engine | Applies business, assurance, scoring, and policy logic to valid signals. |
| Trust Scoring Engine | Computes the numerical trust score. |
| Decision Engine | Converts score and rule results into operational outcomes. |
The Validation Rule Engine is therefore a registry-driven control layer between context enrichment and trust evaluation.
6. Validation Rule Registry Model
Rules are stored in zar.validation_rule_registry.
Core fields include:
| Field | Purpose |
|---|---|
rule_id | Stable internal rule identifier. |
rule_code | Human-readable rule code such as TG-VAL-0008. |
canonical_name | Rule name. |
description | Rule description. |
owning_module | Module owner, usually vera for TrustGate. |
owning_component | Component owner, such as TrustGate. |
rule_domain | Controlled domain such as SIGNAL, IDENTITY, CRYPTO. |
rule_category | Controlled category such as FORMAT, REFERENCE, SIGNATURE. |
rule_function | Specific function such as ECO_NUMBER, DID, CSI_VERSION. |
severity | Rule severity. |
action | Required action on failure. |
rule_expression | Executable validation expression. |
rule_expression_language | Expression runtime such as CEL. |
input_csi | Input CSI the rule applies to. |
applies_to_meid | Optional MEID scope. |
applies_to_cmi | Optional CMI scope. |
replay_required | Whether replay evidence is required. |
dal_anchor_required | Whether failed or critical results require DAL anchoring. |
federation_relevant | Whether the rule affects federation exchange. |
tenant_overridable | Whether tenant policy may override behavior. |
status | Lifecycle status. |
7. Validation Domains, Categories, and Functions
The engine uses controlled vocabularies.
7.1. Rule Domains
Examples:
| Domain | Purpose |
|---|---|
SIGNAL | Payload, schema, datatype, format, and signal validity. |
IDENTITY | ECO Number, DID, controller, and federation identity. |
ENGINE | MEID, CMI, executable artifact, and runtime compatibility. |
METRIC | Metric type, semantic ID, and framework mapping. |
UNIT | Unit validity and dimensional compatibility. |
CRYPTO | Signatures, hashes, certificates, and proof verification. |
POLICY | Policy version, profile, and governance compatibility. |
REPLAY | Replay prerequisites and reproducibility. |
FEDERATION | Cross-ECO exchange and AFLE/EGFS metadata. |
AI | AI model references, explainability, calibration, and drift. |
7.2. Rule Categories
Examples:
| Category | Purpose |
|---|---|
SCHEMA | Registered schema validation. |
STRUCTURE | Object structure validation. |
FORMAT | Syntax and identifier format. |
DATATYPE | Field datatype validation. |
REQUIRED_FIELD | Required field validation. |
REFERENCE | Registry reference validation. |
VERSION | Version compatibility validation. |
SIGNATURE | Signature validation. |
HASH | Hash validation. |
POLICY | Governance policy validation. |
REPLAY | Replay validation. |
FEDERATION | Federation validation. |
7.3. Rule Functions
Examples:
| Function | Purpose |
|---|---|
JSON | JSON validation. |
REQUIRED_FIELDS | Required field presence. |
DATATYPE | Datatype validation. |
ECO_NUMBER | ECO Number validation. |
DID | DID validation. |
CSI_VERSION | CSI version validation. |
CMI_REFERENCE | CMI reference validation. |
MEID_REFERENCE | MEID reference validation. |
METRIC_TYPE | Metric type validation. |
UNIT_COMPATIBILITY | Unit compatibility validation. |
SIGNATURE | Digital signature validation. |
MERKLE_PROOF | Merkle proof validation. |
AI_MODEL | AI model reference validation. |
8. Initial TrustGate Validation Rules
The initial TrustGate validation rule set includes:
| Rule Code | Canonical Name | Domain | Category | Function |
|---|---|---|---|---|
TG-VAL-0001 | Invalid JSON Structure | SIGNAL | FORMAT | JSON |
TG-VAL-0002 | Missing Required Field | SIGNAL | REQUIRED_FIELD | REQUIRED_FIELDS |
TG-VAL-0003 | Invalid ECO Number | IDENTITY | FORMAT | ECO_NUMBER |
TG-VAL-0004 | Invalid CSI Version | SIGNAL | VERSION | CSI_VERSION |
TG-VAL-0005 | Invalid CMI Reference | ENGINE | REFERENCE | CMI_REFERENCE |
TG-VAL-0006 | Unknown Metric Type | METRIC | REFERENCE | METRIC_TYPE |
TG-VAL-0007 | Invalid Unit | UNIT | COMPATIBILITY | UNIT_COMPATIBILITY |
TG-VAL-0008 | Invalid ECO Number | IDENTITY | FORMAT | ECO_NUMBER |
TG-VAL-0009 | Invalid DID | IDENTITY | FORMAT | DID |
TG-VAL-0010 | Signature Verification Failed | CRYPTO | SIGNATURE | SIGNATURE |
TG-VAL-0011 | Invalid Datatype | SIGNAL | DATATYPE | DATATYPE |
TG-VAL-0003 and TG-VAL-0008 should be reconciled during registry cleanup if they are duplicate ECO Number rules. Until then, the engine must treat both as valid registered rules but may mark one as deprecated when the registry is updated.
9. Runtime Processing Pipeline
Receive Enriched Signal
│
▼
Resolve Active Validation Profile
│
▼
Load Applicable Rules from ZAR
│
▼
Validate Rule Registry Integrity
│
▼
Prepare Rule Execution Context
│
▼
Execute Rules
│
▼
Aggregate Results
│
▼
Map Severity and Actions
│
▼
Emit Validation Rule Result
│
▼
Queue DAL Anchor Candidate if Required
│
▼
Publish AII / DSAIL Telemetry
Rules should be executed in deterministic order:
- blocking identity and cryptographic rules;
- schema and version rules;
- registry reference rules;
- metric and unit rules;
- policy and federation rules;
- replay and AI governance rules;
- informational quality rules.
10. Processing Algorithm
function execute_validation_rules(enriched_signal, policy_context):
profile = resolve_validation_profile(policy_context)
rules = load_active_rules(
input_csi = enriched_signal.schema.csi,
applies_to_meid = "MEID_SIGNAL_VALIDATE_RULES",
profile = profile
)
sorted_rules = sort_rules_by_priority(rules)
execution_context = build_rule_context(
enriched_signal,
policy_context,
registry_snapshots
)
results = []
for rule in sorted_rules:
if not rule_is_applicable(rule, execution_context):
results.append(skipped(rule))
continue
result = execute_rule_expression(rule, execution_context)
mapped_result = map_result_to_action(rule, result)
results.append(mapped_result)
if mapped_result.action == "abort":
break
aggregate = aggregate_rule_results(results)
emit_validation_rule_event(aggregate)
if aggregate.requires_dal_anchor:
queue_dal_anchor_candidate(aggregate)
publish_telemetry(aggregate)
return aggregate
The engine must never silently ignore active applicable rules.
11. Rule Applicability
A rule is applicable when all required scope conditions match.
Applicability dimensions include:
| Dimension | Example |
|---|---|
| Input CSI | comp.TG.OUTPUT.ENRICHED-SIGNAL.v1_0 |
| MEID | MEID_SIGNAL_VALIDATE_RULES |
| CMI | vera.TG-VALRULE.ENGINE.VALIDATION.1_0_0 |
| Domain | SIGNAL, IDENTITY, CRYPTO |
| Signal Type | invoice, sensor, upload, federation package |
| Metric Type | energy.total_consumption |
| Tenant Policy | tenant-specific validation profile |
| Federation Status | local-only or federation-relevant |
| Replay Requirement | replayable or non-replayable |
| Regulatory Scope | CSRD, ESRS, ISSB, ISO 14064-1 |
Rules that are not applicable should be recorded as skipped only when policy requires full rule traceability.
12. Rule Execution Context
The engine builds a context object for rule evaluation.
{
"signal": {
"signal_id": "SIG-2026-00001472",
"eco_number": "ECO-A123",
"metric_type": "energy.total_consumption",
"unit": "kWh",
"value": 12843.2
},
"identity": {
"did": "did:zayaz:ECO-A123",
"identity_status": "active"
},
"schema": {
"csi": "comp.TG.OUTPUT.ENRICHED-SIGNAL.v1_0",
"schema_version": "1_0"
},
"component": {
"meid": "MEID_SIGNAL_ENRICH_CONTEXT",
"cmi": "vera.TG-ENRICH.ENGINE.CONTEXT.1_0_0"
},
"governance": {
"policy_bundle": "FAGF-2026.2",
"validation_profile": "standard_signal_validation_v1"
},
"federation": {
"federation_relevant": true,
"region": "EU"
}
}
The context must be canonicalized for replay.
13. Severity and Action Mapping
Each validation rule has a severity and action.
13.1. Severity
| Severity | Meaning |
|---|---|
info | Informational validation observation. |
warning | Non-blocking issue requiring visibility. |
error | Validation failure requiring review or quarantine. |
critical | High-impact failure requiring rejection, quarantine, or abort. |
blocking | Processing must stop immediately. |
13.2. Action
| Action | Meaning |
|---|---|
pass | Rule passed. |
warn | Continue with warning. |
review | Continue only with review requirement. |
quarantine | Create quarantine candidate. |
reject | Reject the signal. |
abort | Abort due to unsafe runtime or governance state. |
The action is policy-controlled but must not downgrade non-overridable critical rules.
14. Aggregation Model
The engine aggregates individual rule results into a validation summary.
Rule Results
│
▼
Severity Aggregation
│
▼
Action Aggregation
│
▼
Validation Summary
The most severe result determines the default aggregate severity.
Action precedence:
abort
>
reject
>
quarantine
>
review
>
warn
>
pass
If any rule returns abort, the aggregate result must be abort.
15. Validation Result Formula
A simple validation pass ratio may be calculated as:
A weighted validation quality score may be calculated as:
Where:
$SeverityWeight_i$is the configured weight for the rule severity;$Failure_i$is1if the rule failed and0otherwise.
This score is not the final TrustGate score. It is a validation quality input consumed by the Trust Scoring Engine.
16. CSI Contracts
16.1. Input CSIs
| CSI | Required | Purpose |
|---|---|---|
comp.TG.OUTPUT.ENRICHED-SIGNAL.v1_0 | Yes | Enriched signal to validate. |
comp.TG.INPUT.STRUCTURE-VALIDATION-RESULT.v1_0 | Yes | Structural validation result. |
comp.ZAR.INPUT.VALIDATION-RULESET.v1_0 | Yes | Active registry-derived validation rules. |
comp.FAGF.INPUT.POLICY-CONTEXT.v1_0 | Yes | Validation policy and override controls. |
comp.SSSR.INPUT.SCHEMA-SNAPSHOT.v1_0 | Conditional | Schema snapshot for CSI checks. |
comp.EGFS.INPUT.IDENTITY-CONTEXT.v1_0 | Conditional | Identity and DID context. |
comp.DAL.INPUT.VERIFICATION-EVENT.v1_0 | Conditional | DAL proof and verification context. |
16.2. Output CSIs
| CSI | Purpose |
|---|---|
comp.TG.OUTPUT.VALIDATION-RULE-RESULT.v1_0 | Full validation rule result. |
comp.TG.OUTPUT.VALIDATION-FAILURE.v1_0 | Individual validation failure record. |
comp.TG.OUTPUT.QUARANTINE-CANDIDATE.v1_0 | Candidate for quarantine when required. |
comp.TG.EVENT.VALIDATION-RULES-EXECUTED.v1_0 | Runtime execution event. |
comp.TG.EVENT.VALIDATION-RULE-FAILED.v1_0 | Rule failure event. |
comp.DAL.INPUT.ANCHOR-CANDIDATE.v1_0 | DAL anchor candidate for critical outcomes. |
comp.AII.INPUT.VALIDATION-TELEMETRY.v1_0 | AII validation telemetry. |
comp.DSAIL.INPUT.VALIDATION-FEEDBACK.v1_0 | AI feedback signal. |
17. Canonical Input Payload
{
"validation_request_id": "TGVRR-2026-00001472",
"signal_id": "SIG-2026-00001472",
"enriched_signal_id": "TGENR-2026-00001472",
"eco_number": "ECO-A123",
"input_csi": "comp.TG.OUTPUT.ENRICHED-SIGNAL.v1_0",
"validation_profile": "standard_signal_validation_v1",
"policy_context": {
"policy_bundle": "FAGF-2026.2",
"tenant_overrides_allowed": false
},
"created_at": "2026-06-25T14:30:00Z"
}
18. Canonical Output Payload
{
"validation_result_id": "TGVR-2026-00001472",
"signal_id": "SIG-2026-00001472",
"eco_number": "ECO-A123",
"engine_cmi": "vera.TG-VALRULE.ENGINE.VALIDATION.1_0_0",
"meid": "MEID_SIGNAL_VALIDATE_RULES",
"status": "passed",
"aggregate_severity": "info",
"aggregate_action": "pass",
"rules_executed": 11,
"rules_passed": 11,
"rules_failed": 0,
"rules_warned": 0,
"validation_pass_ratio": 1.0,
"validation_quality": 1.0,
"policy_context": {
"policy_bundle": "FAGF-2026.2",
"validation_profile": "standard_signal_validation_v1"
},
"created_at": "2026-06-25T14:30:01Z"
}
19. Validation Failure Payload
{
"validation_failure_id": "TGVF-2026-00001472",
"signal_id": "SIG-2026-00001892",
"eco_number": "ECO-B456",
"rule_code": "TG-VAL-0010",
"rule_id": "VRR-TG-0010",
"canonical_name": "Signature Verification Failed",
"rule_domain": "CRYPTO",
"rule_category": "SIGNATURE",
"rule_function": "SIGNATURE",
"severity": "critical",
"action": "reject",
"field": "proof.jws",
"message": "Digital signature could not be verified against the referenced DID verification method.",
"federation_relevant": true,
"dal_anchor_required": true,
"created_at": "2026-06-25T14:30:01Z"
}
20. Validation Rules Executed Event
{
"event_type": "trustgate.validation.rules_executed",
"validation_result_id": "TGVR-2026-00001472",
"signal_id": "SIG-2026-00001472",
"eco_number": "ECO-A123",
"rules_executed": 11,
"rules_failed": 0,
"aggregate_action": "pass",
"engine_cmi": "vera.TG-VALRULE.ENGINE.VALIDATION.1_0_0",
"timestamp": "2026-06-25T14:30:01Z"
}
21. Quarantine Candidate
When a rule action requires quarantine, the engine emits a quarantine candidate.
{
"quarantine_candidate_id": "TGQC-2026-00001892",
"signal_id": "SIG-2026-00001892",
"eco_number": "ECO-B456",
"source": "validation_rule_engine",
"reason_codes": [
"SIGNATURE_FAILURE"
],
"rule_codes": [
"TG-VAL-0010"
],
"severity": "critical",
"required_action": "human_assurance_review",
"created_at": "2026-06-25T14:30:01Z"
}
22. DAL Integration
The engine produces DAL anchor candidates for:
- blocking rule failures;
- critical validation failures;
- federation-relevant failures;
- signature failures;
- invalid DID failures;
- invalid ECO identity failures;
- auditor-requested validation outcomes;
- validation registry changes when executed in assurance mode.
Example:
{
"artifact_type": "TrustValidationRuleResult",
"artifact_id": "TGVR-2026-00001892",
"artifact_hash": "sha256:bc88d1...",
"engine_cmi": "vera.TG-VALRULE.ENGINE.VALIDATION.1_0_0",
"meid": "MEID_SIGNAL_VALIDATE_RULES",
"aggregate_action": "reject",
"created_at": "2026-06-25T14:30:01Z"
}
Final anchoring is performed by the TrustGate DAL Anchor Engine.
23. Replay Behaviour
The engine must be replay deterministic.
Replay inputs include:
- enriched signal;
- validation profile;
- rule registry snapshot;
- rule domain/category/function snapshots;
- policy bundle;
- schema snapshot;
- identity snapshot;
- DAL verification snapshot if used;
- expression runtime version;
- engine CMI.
Replay verification succeeds when:
The engine must not use live registry values during replay. It must use the snapshot that was active at original execution time.
24. Federation Behaviour
Federation-relevant rules affect AFLE and EGFS exchange.
Rules marked federation_relevant = true may block:
- outbound attestation exchange;
- inbound federation package acceptance;
- Carbon Passport trust reference exchange;
- cross-ECO replay reference acceptance;
- external auditor evidence package publication.
Federation-safe validation outputs may include rule codes and severity, but sensitive internal diagnostic detail must be redacted according to the federation profile.
25. AI / DSAIL Integration
Validation outcomes provide important learning signals.
DSAIL may consume:
- repeated rule failures;
- rule failure clusters;
- validation drift;
- false positive/false negative reviewer outcomes;
- federation validation failures;
- metric-specific failure patterns;
- source system quality patterns.
AI may recommend:
- rule tuning;
- sampling changes;
- supplier review;
- schema migration support;
- policy review.
AI may not:
- suppress validation rules;
- downgrade non-overridable severity;
- modify validation facts;
- alter registry rule definitions without governance approval.
26. AII Integration
Validation telemetry contributes to AII integrity and transparency dimensions.
{
"eco_number": "ECO-A123",
"period": "2026-Q2",
"validation_rules_executed": 184400,
"validation_failure_rate": 0.0062,
"critical_failure_rate": 0.0004,
"signature_failure_rate": 0.0001,
"identity_failure_rate": 0.0002,
"validation_quality_avg": 0.991
}
27. Failure Handling
| Failure | Severity | Action |
|---|---|---|
| Missing enriched signal | Critical | Abort |
| Missing validation profile | Critical | Abort |
| Rule registry unavailable | Critical | Abort |
| Rule expression invalid | Critical | Abort or skip if rule inactive |
| Expression runtime unavailable | Critical | Abort |
| Invalid rule vocabulary | Critical | Abort |
| Missing identity snapshot | Warning/Critical | Policy-dependent |
| DAL unavailable | Warning | Queue anchor candidate |
| DSAIL unavailable | Info | Continue |
| AII unavailable | Warning | Queue telemetry |
| Tenant override invalid | Critical | Ignore override and log |
The engine must fail closed for mandatory validation.
28. Observability Metrics
| Metric | Description |
|---|---|
tg_valrule_executed_total | Validation rules executed. |
tg_valrule_passed_total | Rules passed. |
tg_valrule_failed_total | Rules failed. |
tg_valrule_warning_total | Rules producing warnings. |
tg_valrule_quarantine_total | Rules producing quarantine candidates. |
tg_valrule_reject_total | Rules producing rejection actions. |
tg_valrule_abort_total | Rules producing abort actions. |
tg_valrule_latency_ms | Rule execution latency. |
tg_valrule_registry_load_ms | Registry lookup latency. |
tg_valrule_by_code_total | Rule execution count by code. |
29. Performance Targets
| Metric | Target |
|---|---|
| Rule registry load latency | < 30 ms cached |
| Average rule execution latency | < 2 ms per rule |
| Full rule profile latency | < 50 ms |
| P95 full profile latency | < 120 ms |
| Throughput | 20,000 validation profiles/sec per worker pool |
| Replay determinism | 100% with registry snapshots |
| Availability | 99.99% |
30. Security Requirements
The engine must:
- execute only approved rule expression languages;
- sandbox expression execution;
- prevent arbitrary code execution;
- validate rule definitions before activation;
- enforce registry status values;
- prevent unauthorized tenant overrides;
- preserve rule version and registry snapshot;
- record MEID and CMI in every output;
- prevent sensitive data leakage in failure messages;
- produce audit events for critical failures;
- enforce immutable replay snapshots.
31. Compliance Alignment
| Framework | Validation Rule Engine Contribution |
|---|---|
| CSRD | Supports controlled validation of sustainability data before disclosure. |
| ESRS | Supports data quality, completeness, traceability, and auditability. |
| ISSB / IFRS S1-S2 | Supports investor-grade data control and validation evidence. |
| ISO 14064-1 | Supports GHG data validation and assurance workflows. |
| ISO 27001 | Supports registry governance, access control, logging, and integrity. |
| EU AI Act | Prevents AI from overriding governed validation rules. |
| W3C DID / VC | Supports identity and proof validation for assurance artifacts. |
32. Developer Implementation Notes
Developers should implement the Validation Rule Engine as a registry-driven, deterministic, sandboxed rule executor.
Recommended design:
- rule profile resolver;
- registry snapshot loader;
- rule applicability filter;
- deterministic rule sorter;
- CEL expression runtime adapter;
- rule result mapper;
- severity/action aggregator;
- validation failure publisher;
- quarantine candidate publisher;
- DAL anchor candidate publisher;
- AII telemetry publisher;
- DSAIL feedback publisher;
- replay snapshot binder.
Rule definitions must be validated before activation in ZAR. Invalid active rules are platform governance defects and should trigger FAGF review.
33. Summary
The TrustGate Validation Rule Engine is the governed runtime executor for platform validation rules.
It executes ZAR-registered validation logic against enriched TrustGate signals and produces deterministic, replayable, audit-ready validation outcomes.
This engine is the clean boundary between structural validity and trust evaluation. It ensures that only rule-compliant, registry-verified, identity-aware, and policy-compatible signals can proceed to TrustGate business rule evaluation and scoring.