ArchitectureUpdated 2026-04-02

Trust Signal Bus

Cross-layer signal propagation: GovernanceLayer, BusSignalType, BusSeverity, SignalPriority, and how signals flow between layers in under 100ms.

Trust Signal Bus

The Trust Signal Bus is the nervous system of the Vorion governance stack. It carries trust-relevant events between governance layers in real time, ensuring every layer has a consistent view of agent trust posture.

The signal schema is open-source (Apache-2.0). The Bus Router that routes and correlates signals is an AgentAnchor Pro/Enterprise feature.

Architecture

graph LR
    subgraph "Governance Layers"
        ID[IDENTITY<br/>CAR Registry]
        GOV[GOVERNANCE<br/>CogniGate, Policy]
        CON[CONTAINMENT<br/>Phantom Runtime]
        ORC[ORCHESTRATION<br/>A3I, Council]
        OBS[OBSERVATION<br/>Dashboards, Audit]
    end

    BUS((Trust Signal Bus))

    ID <-->|signals| BUS
    GOV <-->|signals| BUS
    CON <-->|signals| BUS
    ORC <-->|signals| BUS
    OBS <-->|signals| BUS

    style BUS fill:#f9a825,stroke:#f57f17,color:#000

Every governance layer can emit and consume signals through the Bus. Signals carry trust-relevant events -- threat detections, trust score changes, circuit breaker trips, canary probe results -- and route them to the layers that need to act.

Core Enums

Four enums define the signal taxonomy. All are defined in @vorionsys/contracts/canonical/trust-bus.ts.

GovernanceLayer

Which layer emitted or should receive a signal.

enum GovernanceLayer {
  IDENTITY      = 'identity',      // CAR Registry, Paramesphere
  GOVERNANCE    = 'governance',    // CogniGate, Policy Engine
  CONTAINMENT   = 'containment',   // Phantom Runtime
  ORCHESTRATION = 'orchestration', // A3I Orchestrator, Council
  OBSERVATION   = 'observation',   // Observer, dashboards
}

BusSignalType

What happened. These are cross-layer governance events, distinct from intra-layer operational signals.

enum BusSignalType {
  THREAT_DETECTED          = 'threat_detected',
  ANOMALY                  = 'anomaly',
  DRIFT                    = 'drift',
  PROBE_DETECTED           = 'probe_detected',
  ROTATION_TRIGGERED       = 'rotation_triggered',
  POLICY_TIGHTENED         = 'policy_tightened',
  TRUST_UPDATED            = 'trust_updated',
  CANARY_PASSED            = 'canary_passed',
  CANARY_FAILED            = 'canary_failed',
  DORMANCY_DEDUCTION       = 'dormancy_deduction',
  RISK_ACCUMULATOR_WARNING = 'risk_accumulator_warning',
  RISK_ACCUMULATOR_DEGRADED = 'risk_accumulator_degraded',
  CIRCUIT_BREAKER_TRIPPED  = 'circuit_breaker_tripped',
}

BusSeverity

How urgent the signal is. Distinct from the 6 action risk levels.

enum BusSeverity {
  LOW       = 'low',       // Normal operational event
  MEDIUM    = 'medium',    // Enhanced monitoring
  HIGH      = 'high',      // Immediate attention
  CRITICAL  = 'critical',  // Enforcement action required
  EMERGENCY = 'emergency', // Immediate halt
}

SignalPriority

Delivery priority. Affects routing order and latency targets.

enum SignalPriority {
  CRITICAL = 'critical',  // <20ms target
  HIGH     = 'high',      // <50ms target
  NORMAL   = 'normal',    // <50ms target
  LOW      = 'low',       // Best-effort
}

Signal Structure

Every Trust Bus signal follows the TrustBusSignal schema:

interface TrustBusSignal {
  // Identity
  signalId: string;       // UUID v4
  correlationId: string;  // Groups related signals

  // Routing
  sourceLayer: GovernanceLayer;
  targetLayers: GovernanceLayer[];  // Empty = broadcast
  priority: SignalPriority;

  // Payload
  agentId: string;
  tenantId: string;
  busSignalType: BusSignalType;
  severity: BusSeverity;
  riskLevel?: 'READ' | 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL' | 'LIFE_CRITICAL';
  payload: {
    event: string;             // Human-readable description
    recommendedDelta?: number; // Trust score change
    currentTier?: string;      // T0-T7
    currentScore?: number;     // 0-1000
    decision?: string;         // allow/deny/escalate/degrade
    details?: Record<string, unknown>;
  };

  // Integrity
  timestamp: string;       // ISO 8601 UTC
  previousHash: string;    // sha256:<hex> chain linkage
  signalHash: string;      // sha256:<hex> self-hash
  metadata?: Record<string, unknown>;
  expiresAt?: string;      // Stale signals dropped
}

Key design choices:

Hash chain: Every signal references the previous signal's hash for tamper detection
Correlation ID: Related signals (e.g., a canary failure and the resulting trust drop) share a correlation ID for tracing
Expiration: Signals can expire. Stale signals are dropped by the router.
Broadcast: Empty targetLayers means all layers receive the signal

Emitting a Signal

Layers emit signals using the EmitTrustBusSignal schema. Hash fields are computed by the emitter, not provided by the caller.

import { GovernanceLayer, BusSignalType, BusSeverity, SignalPriority } from '@vorionsys/contracts';

const signal = {
  sourceLayer: GovernanceLayer.GOVERNANCE,
  targetLayers: [],  // Broadcast to all
  priority: SignalPriority.HIGH,
  agentId: 'data-sync-bot',
  tenantId: 'acme-corp',
  busSignalType: BusSignalType.CANARY_FAILED,
  severity: BusSeverity.HIGH,
  riskLevel: 'MEDIUM',
  payload: {
    event: 'Canary probe failed: ETHICAL category, CRITICAL risk',
    recommendedDelta: -8.57,
    currentTier: 'T3',
    currentScore: 580,
    details: {
      canaryCategory: 'ETHICAL',
      probeId: 'eth-042',
      failureType: 'alignment_violation',
    },
  },
};

Subscribing to Signals

Consumers subscribe to specific signal types, layers, and severity levels:

const subscription = {
  sourceLayers: [GovernanceLayer.GOVERNANCE, GovernanceLayer.CONTAINMENT],
  signalTypes: [BusSignalType.THREAT_DETECTED, BusSignalType.CIRCUIT_BREAKER_TRIPPED],
  minSeverity: BusSeverity.HIGH,
  minPriority: SignalPriority.HIGH,
  deliveryUrl: 'https://my-service.example.com/webhooks/trust-bus',
  signingSecret: 'whsec_...',  // HMAC verification, min 32 chars
};

Subscriptions filter at the router level. Consumers only receive signals that match their criteria.

Signal Flow: Circuit Breaker Trip

Here is a concrete example of signal propagation when a circuit breaker trips:

sequenceDiagram
    participant GOV as GOVERNANCE
    participant BUS as Trust Bus
    participant ORC as ORCHESTRATION
    participant CON as CONTAINMENT
    participant OBS as OBSERVATION
    participant ID as IDENTITY

    GOV->>BUS: CIRCUIT_BREAKER_TRIPPED<br/>priority: CRITICAL<br/>severity: CRITICAL
    Note over BUS: Route at under 20ms
    par Parallel delivery
        BUS->>ORC: Halt agent coordination
        BUS->>CON: Lock sandbox
        BUS->>OBS: Alert dashboard
        BUS->>ID: Flag CAR record
    end
    ORC->>BUS: POLICY_TIGHTENED<br/>Agent removed from council
    CON->>BUS: POLICY_TIGHTENED<br/>Sandbox frozen

The circuit breaker signal travels at CRITICAL priority (<20ms target) and broadcasts to all layers. Each layer takes independent action:

ORCHESTRATION removes the agent from active councils
CONTAINMENT freezes the agent's sandbox
OBSERVATION fires alerts to the operator dashboard
IDENTITY flags the CAR record

Latency Targets

| Priority | Target | Use Case | |----------|--------|----------| | CRITICAL | <20ms | Circuit breaker trips, security events | | HIGH | <50ms | Trust score changes, compliance violations | | NORMAL | <50ms | Routine success signals, decay events | | LOW | Best-effort | Analytics, informational |

The Bus Router optimizes delivery order by priority. CRITICAL signals preempt lower-priority signals in the queue. Expired signals are dropped without delivery.

Signal Types by Layer

| Signal Type | Typical Source | Typical Target | |-------------|---------------|----------------| | THREAT_DETECTED | CONTAINMENT | GOVERNANCE, ORCHESTRATION | | ANOMALY | CONTAINMENT, OBSERVATION | GOVERNANCE | | DRIFT | OBSERVATION | GOVERNANCE | | PROBE_DETECTED | CONTAINMENT | All (broadcast) | | ROTATION_TRIGGERED | CONTAINMENT | GOVERNANCE, ORCHESTRATION | | POLICY_TIGHTENED | GOVERNANCE | ORCHESTRATION, CONTAINMENT | | TRUST_UPDATED | GOVERNANCE | All (broadcast) | | CANARY_PASSED | GOVERNANCE | OBSERVATION | | CANARY_FAILED | GOVERNANCE | All (broadcast) | | DORMANCY_DEDUCTION | GOVERNANCE | OBSERVATION | | RISK_ACCUMULATOR_WARNING | GOVERNANCE | ORCHESTRATION, OBSERVATION | | RISK_ACCUMULATOR_DEGRADED | GOVERNANCE | All (broadcast) | | CIRCUIT_BREAKER_TRIPPED | GOVERNANCE | All (broadcast) |

Signals that affect operational state (circuit breaker, risk accumulator degraded, canary failure) broadcast to all layers. Informational signals target specific consumers.

Integrity

Every signal is hash-chained per agent:

Signal N: signalHash = sha256(contents_N)
Signal N+1: previousHash = sha256(contents_N), signalHash = sha256(contents_N+1)

This means the signal history for each agent forms a tamper-evident chain. Modifying any past signal breaks the chain at that point. The proof plane can independently verify signal chain integrity.

Next Steps

Live Agent Anchor -- How signals update the real-time trust posture
Six-Layer Stack -- What each governance layer does
Proof Chain -- The immutable audit trail
Intent to Proof Flow -- Complete action walkthrough

All Documentation