QODIQA Reference Architecture
for Deterministic Runtime Consent Enforcement

Deterministic Runtime Consent Enforcement for Artificial Intelligence Systems

April 2026

QODIQA-ARCH-2026-001  ·  Version 1.0

Canonical, vendor-neutral architectural topology for deterministic runtime consent enforcement.

Scroll
Contents
Abstract

This document defines the canonical, vendor-neutral architectural topology for deterministic runtime consent enforcement as specified in the QODIQA corpus. It translates the normative requirements of the Core Standard, the 68-Point Enforcement Framework, the Security and Cryptographic Profile, and the Implementation Playbook into a structurally coherent reference model of components, data flows, trust boundaries, failure modes, and scaling properties.

This document does not prescribe implementation technology, vendor choice, or product design. It establishes the logical architecture (the arrangement, isolation, and interaction of components) within which any conformant implementation must operate. The governing constraint is structural: the architecture is the enforcement boundary, and the enforcement boundary must be deterministic, fail-closed, and cryptographically anchored or it is not a conformant QODIQA architecture.

AI systems do not enforce consent. This architecture introduces a deterministic enforcement boundary before inference execution. Every request is evaluated, cryptographically bound, and audit-committed prior to execution. In the absence of a valid enforcement decision, execution does not occur.

Section 1

#Purpose and Scope

The QODIQA corpus defines what must be enforced and how conformance is measured. This Reference Architecture defines the logical structure within which enforcement occurs. It is the structural complement to the normative corpus: where the Core Standard defines required behavior, this document defines the architectural form within which that behavior is realized.

A reference architecture is a vendor-neutral, technology-neutral canonical model. It defines the minimum structural elements, their responsibilities, their relationships, and the invariants that must hold across all of them, regardless of how any individual element is implemented. Implementations may vary in technology, topology, and scale; they may not vary in the structural properties this architecture specifies. AI systems operating without deterministic consent enforcement lack a verifiable enforcement boundary and cannot produce auditable guarantees of consent compliance.

1.1 Relationship to the Core Standard

The Core Standard is normative over enforcement semantics (what decisions are made and when). This Reference Architecture is normative over the structural properties that make those decisions possible (how components are arranged, isolated, and connected). The Core Standard governs the decision function; this architecture governs the decision infrastructure.

1.2 Relationship to the Implementation Playbook

The Implementation Playbook defines how to build a conformant deployment from this architecture. This document defines what must be built. The Playbook is operationally specific; this document is logically abstract. A deployment that satisfies the Playbook necessarily satisfies this architecture; a deployment that satisfies this architecture but not the Playbook may be architecturally valid but operationally non-conformant.

1.3 Relationship to the Security Profile

The Security and Cryptographic Profile defines the cryptographic properties of the key hierarchy, artifact generation, and audit chain integrity. This architecture defines where those cryptographic properties are applied: at which component boundaries, in which directions, and with which isolation requirements. The Security Profile governs the cryptographic specification; this architecture governs the cryptographic topology.

1.4 Non-Product Positioning Statement

This Reference Architecture Is — and Is Not
  • A logical component model defining canonical responsibilities and boundaries
  • A structural reference against which implementations are assessed for architectural conformance
  • A technology-neutral specification applicable to any conforming implementation
  • A normative reference for component interaction, trust assumptions, and failure behavior
  • Not a product design, API specification, or deployment blueprint
  • Not a prescriptive technology stack or vendor reference
  • Not a commercial architecture, SaaS design, or infrastructure product
  • Not a replacement for enterprise IAM, data governance, or model management infrastructure

This document is a logical architecture model published as part of the QODIQA technical standards corpus.

Section 2

#Architectural Principles

Eight architectural principles govern the QODIQA reference architecture. Each is stated as a structural invariant: a property the architecture must satisfy at all times, not a design aspiration. An architecture that violates any of these principles is not a conformant QODIQA architecture, regardless of the correctness of individual components.

AP-01 — Deterministic Decision Boundary

The enforcement decision function is a pure function of its inputs: frozen context, token state at evaluation time, and frozen policy version. For identical inputs, the function must return an identical output on every invocation, across every Policy Engine instance, after every restart, and across all time. No implementation detail (execution order, cache population, thread scheduling, or network timing) may cause the decision function to return different results for identical inputs.

Structural requirement: evaluation isolation; no shared mutable state in decision path.

AP-02 — Fail-Closed Execution

The default state of the enforcement system is denial. Any condition that prevents the system from producing a verified, audit-committed enforcement decision (component unavailability, network partition, ledger write failure, signing key unavailability, timeout expiry) must result in denial of the request and must not result in inference execution. There is no degraded mode in which enforcement is relaxed. The absence of a successful enforcement decision is itself an enforcement outcome: deny.

Structural requirement: circuit breakers at all external component interfaces; AL write before inference release.

AP-03 — Release Separation of Consent State and Policy Logic

Consent state (the current validity of a specific consent grant) and policy logic (the rules that determine what a consent grant authorizes) must be managed by structurally separate components with independent storage, independent lifecycle, and independent deployment. A change to consent state must not require a policy redeployment. A change to policy logic must not alter existing consent state. The two domains must be logically decoupled and can only be combined at evaluation time within the Policy Engine.

Structural requirement: Consent Registry and Policy Engine are separate components; no shared persistent storage.

AP-04 — Cryptographic Anchoring

Every enforcement decision artifact must be cryptographically bound to the specific enforcement context that produced it. The artifact must be infeasible to generate without access to the current signing key and must be verifiable against the context without re-executing the enforcement decision. The cryptographic binding must make it structurally impossible for the inference system to execute on an artifact that was not produced by an authorized enforcement decision for the specific request context.

Structural requirement: HMAC-SHA256 artifact generation; three-tier key hierarchy; artifact verification at inference boundary.

Security implication: prevents artifact replay across contexts; an artifact issued for one enforcement context cannot authorize execution under any other.

AP-05 — Immutable Audit Trace

Every enforcement decision must produce a durable, tamper-evident audit record before the corresponding inference execution may proceed. The audit record is committed before the artifact is released; the artifact is released before inference execution begins. This sequence is mandatory and non-negotiable. An audit record that cannot be verified for integrity is equivalent to no audit record.

Structural requirement: write-before-execute invariant; append-only ledger; hash chain integrity.

Security implication: the write-before-execute invariant ensures no inference execution occurs without a prior durable audit record.

AP-06 — Replay Verifiability

Any enforcement decision recorded in the audit ledger must be independently reproducible from the archived frozen context and the corresponding frozen policy snapshot, without re-executing the original request. Replay verifiability enables post-hoc audit, determinism certification, and dispute resolution. The architecture must preserve all information required for deterministic replay for the duration of the declared retention period.

Structural requirement: frozen context archived in AL; policy snapshot archived and retrievable; determinism test protocol operable against historical records.

AP-07 — Zero Implicit Trust Between Components

No component in the enforcement architecture implicitly trusts any other component. All inter-component communication must be authenticated. All data received from another component must be verified before use. A component that has been compromised must not be able to cause another component to produce an incorrect enforcement outcome by sending it crafted data. Trust is established through cryptographic authentication at every interface, not through network position or service identity alone.

Structural requirement: mTLS on all enforcement-path interfaces; signed payloads; verification before use.

AP-08 — Consent State Supersession

A revocation event, once committed to the Consent Registry, supersedes all prior consent grants for the affected consent_id. No cached state, in-flight decision, or previously issued artifact may authorize inference execution for a revoked consent after the revocation has propagated within the declared TTL. The architecture must ensure that revocation is structurally irreversible within the enforcement path: no component may restore a revoked grant without an explicit re-grant operation.

Structural requirement: linearizable revocation reads; bounded TTL propagation; conservative mode on propagation delay.

Section 3

#Canonical Component Model

The QODIQA reference architecture defines nine logically separate components. Each component has a distinct responsibility domain, a defined trust boundary, specified inputs and outputs, explicit security assumptions, and a defined failure behavior. No two components may share persistent state. Components may communicate only through defined interfaces; side channels are non-conformant.

EXTERNAL ZONE CS Calling System mTLS · authenticated request ENFORCEMENT PERIMETER DETERMINISTIC DECISION BOUNDARY EG — Enforcement Gateway sole entry point · orchestrates full enforcement flow 1. CR query 2. evaluate 3. sign CR Consent Registry PE Policy Engine AE Artifact Engine RS Revocation Service 4. audit write (blocking) ACK AL Audit Ledger write-before-execute invariant KEY TRUST ANCHOR TA Trust Anchor / KMS

Figure 3.1 — QODIQA canonical enforcement architecture. The Enforcement Gateway is the sole entry point and deterministic decision boundary; all downstream components operate within the trusted enforcement perimeter. The Audit Ledger write is blocking: no artifact is released until acknowledged.

CS — Calling System
PropertyDetail
ResponsibilitiesInitiates inference requests; presents consent_id; provides frozen context hash; receives enforcement decision artifact; presents artifact to inference system boundary. Does not evaluate policy. Does not access Consent Registry directly.
Trust BoundaryExternal to the enforcement perimeter. Treated as untrusted by all internal components. Must authenticate to Enforcement Gateway via mTLS or equivalent. Cannot be assumed to have received an uncorrupted enforcement artifact.
InputsInference request payload; consent_id; context parameters used to construct frozen context hash.
OutputsAuthenticated enforcement request to EG; artifact to inference system boundary (if PERMIT returned).
Security AssumptionsCS is not trusted with enforcement logic. A compromised CS may attempt to replay artifacts, fabricate consent_ids, or bypass the EG. The architecture must be secure against all three attack vectors at the EG layer.
Failure BehaviorCS failure has no effect on enforcement infrastructure. A CS that becomes unavailable cannot affect the enforcement state of any consent_id. Crashed or compromised CS instances must not be able to preserve or replay prior PERMIT decisions.
EG — Enforcement Gateway
PropertyDetail
ResponsibilitiesSingle structural entry point for all inference requests. Extracts and validates consent_id and context_hash. Orchestrates the enforcement flow: CR query → PE evaluation → AE artifact generation → AL write → artifact release. Enforces rate limits. Operates circuit breakers on all downstream components.
Trust BoundaryInternal enforcement perimeter. Trusted by PE, AE, CR, and AL to present authenticated, well-formed enforcement requests. Does not trust CS. Does not expose any internal component interface to CS. Is the sole structural chokepoint between the external domain and the enforcement infrastructure.
InputsAuthenticated inference request from CS; CR revocation state (query response); PE decision (PERMIT or DENY); AE artifact (if PERMIT); AL write confirmation.
OutputsCR query; PE evaluation request; AE signing request; AL write request; enforcement decision (PERMIT and artifact, or DENY) to CS.
Security AssumptionsEG is the only component that communicates with CS. All other components can assume they receive only EG-originated requests. EG operates in a trust-verified context. A compromised EG is a complete breach of the enforcement perimeter; redundant EG instances do not reduce single-instance trust requirements.
Failure BehaviorEG failure: all requests denied at the transport layer. No fallback path. EG restart must re-verify all component connectivity before resuming enforcement. EG must not resume after restart without a fresh CR read for any in-flight consent_id.
PE — Policy Engine
PropertyDetail
ResponsibilitiesEvaluates the enforcement decision: given a frozen context and current token state, applies the frozen policy snapshot to produce a deterministic PERMIT or DENY. Holds a verified, immutable copy of the active policy snapshot. Does not query external state during evaluation. Does not write to any persistent store.
Trust BoundaryInternal enforcement perimeter; trusted only by EG. Does not trust data from any source other than the EG enforcement request (which carries the frozen context hash) and its own local policy snapshot (which is verified at load time). Stateless at evaluation time; all evaluation state is confined to the single request scope.
InputsEnforcement request from EG: (consent_id, context_hash, token_state, policy_version); verified local policy snapshot.
OutputsDeterministic enforcement decision: PERMIT or DENY, with decision reason code and policy_version binding, returned to EG.
Security AssumptionsPE must not be reachable by any component other than EG. PE must not make network calls during evaluation. PE policy snapshot must be verified against the AL POLICY_FROZEN record at load time. A compromised PE that produces incorrect decisions is a structural breach; multiple PE instances do not eliminate this risk: each instance must independently verify its snapshot.
Failure BehaviorPE unavailability: EG circuit breaker opens; all subsequent requests denied with PE_UNAVAILABLE until PE recovers and snapshot re-verifies. PE must not enter a partially initialized state from which it accepts evaluation requests without a verified policy snapshot.
CR — Consent Registry
PropertyDetail
ResponsibilitiesAuthoritative store of consent grant state. Responds to EG queries with the current state of a specified consent_id: ACTIVE, REVOKED, EXPIRED, or NOT_FOUND. Accepts revocation writes from the Revocation Service. Provides linearizable reads for revocation state. Maintains replication consistency across all deployment domains within the declared TTL.
Trust BoundaryInternal enforcement perimeter. Accepts queries only from authenticated EG instances. Accepts revocation writes only from the authenticated Revocation Service. Rejects all other write attempts. Read responses are considered trusted by EG within the declared cache TTL.
InputsConsent_id query from EG; revocation event from RS.
OutputsConsent state response to EG; replication events to peer CR instances (in replicated deployments).
Security AssumptionsCR holds the authoritative revocation state. A CR that serves stale or incorrect state is a safety failure. CR must use linearizable reads for revocation checks: eventually consistent reads are non-conformant for revocation state. A CR compromised to serve fabricated ACTIVE states is a complete consent enforcement breach.
Failure BehaviorCR unavailability: EG opens circuit breaker; all requests denied. Cached state may be served for the duration of the cache TTL, after which CR unavailability causes denial. No request may be PERMIT-ted based on cache state after TTL expiry without a fresh CR read.
RS — Revocation Service
PropertyDetail
ResponsibilitiesReceives revocation events from authorized principals; propagates revocation state to the Consent Registry within the declared TTL; emits revocation notifications to all EG instances. Holds the sole credential authorized to write revocation flags to the CR. Provides durable delivery guarantee for revocation events.
Trust BoundaryPartially external (receives revocation requests from authorized principals, which may be external to the enforcement perimeter) and partially internal (writes to CR). The RS must authenticate all revocation event sources. The RS signing credential for CR writes must be isolated and not derivable from any other system credential.
InputsAuthenticated revocation event from authorized principal; acknowledgment from CR on write commit.
OutputsSigned revocation write to CR; revocation notification broadcast to EG instances (for cache invalidation); AL REVOCATION_COMMITTED record.
Security AssumptionsRS is the only authorized writer of revocation state. Any component that can write REVOKED flags to CR without RS mediation is a structural violation. RS must guarantee delivery of revocation events: loss of a revocation event is a consent enforcement failure.
Failure BehaviorRS unavailability: revocation events queue for delivery on RS recovery. EG instances enter conservative mode for affected consent_ids if RS delivery is delayed beyond TTL/2. A revocation event that cannot be delivered within TTL causes conservative denial for all in-flight requests for the affected consent_id.
AE — Artifact Engine
PropertyDetail
ResponsibilitiesGenerates the cryptographic enforcement artifact that binds a PERMIT decision to a specific enforcement context. Computes HMAC-SHA256 over (consent_id, context_hash, policy_version, decision, nonce) using the current active signing key. Provides artifact verification capability for the inference system. Key operations may be delegated to a hardware security module.
Trust BoundaryInternal enforcement perimeter; trusted only by EG. Receives signing requests only from authenticated EG instances carrying valid PERMIT decisions. Does not independently evaluate policy. Does not access CR or PE. The signing key must be accessible only to AE; no other component holds the signing key or a derivation thereof.
InputsSigning request from EG: (consent_id, context_hash, policy_version, decision=PERMIT, nonce); active signing key (from key store).
OutputsHMAC-SHA256 enforcement artifact returned to EG; artifact verification result when queried by inference system.
Security AssumptionsAE is the cryptographic boundary of the enforcement decision. A compromised AE that produces artifacts for fabricated decisions represents a complete bypass of enforcement logic. AE must be isolated from all external network access. AE signing operations must be deterministic and reproducible under the same key and nonce. Security implication: AE isolation from external networks is mandatory; any external access path to AE represents a complete bypass vector.
Failure BehaviorAE unavailability: EG cannot release PERMIT decisions; all PERMIT-eligible requests denied. No artifact generated means no inference execution. AE must not emit partial artifacts. A signing operation that fails must produce no artifact output visible to EG.
AL — Audit Ledger
PropertyDetail
ResponsibilitiesProvides append-only, hash-chained, tamper-evident storage for all enforcement events. Records every enforcement decision (PERMIT and DENY), every policy lifecycle event, every key rotation event, every revocation event, and every system integrity event. Is the authoritative accountability record for all enforcement activity. Writes must be acknowledged before artifacts are released.
Trust BoundaryInternal enforcement perimeter. Accepts write operations only from authenticated EG and RS instances. Accepts read operations from authenticated assessors and audit processes. Rejects DELETE, UPDATE, and TRUNCATE operations at the storage interface. All write operations must extend the hash chain.
InputsEnforcement decision records from EG; revocation event records from RS; key rotation records from key management; policy lifecycle records from deployment process.
OutputsHash-chained records readable by audit processes; signed exports for external archival; chain integrity verification results.
Security AssumptionsAL integrity is a precondition for certification. A tampered AL makes it impossible to verify enforcement accountability. AL must be designed so that any modification, deletion, or reordering of records is detectable through chain verification without access to the original write clients.
Failure BehaviorAL unavailability: EG cannot commit audit records; PERMIT decisions not released; all requests denied. An AL write that fails must not be retried silently: EG must treat an unacknowledged write as a write failure and deny. Partial writes must be detectable and must not corrupt the existing chain.
ML — Monitoring and Telemetry Layer
PropertyDetail
ResponsibilitiesCollects enforcement-path metrics, component health signals, revocation propagation measurements, and integrity heartbeat results. Dispatches alerts for Class I and Class 0 conditions. Provides the observability surface for operational monitoring and certification evidence. Is not in the enforcement decision path.
Trust BoundaryPartially internal (receives metrics from all enforcement components) and partially external (exports metrics to monitoring infrastructure). ML compromise does not affect enforcement decisions. ML must not be used as a data plane for enforcement decisions. ML availability is not a condition for enforcement operation.
InputsMetrics from EG, PE, CR, RS, AE, AL; component health probes; integrity heartbeat results.
OutputsAlert dispatches (Class I and Class 0); metric time-series for dashboards and certification evidence; integrity heartbeat records.
Security AssumptionsML is a read-only observer of the enforcement plane. It must not issue commands to any enforcement component. Metric data must not contain sensitive enforcement payloads. ML compromise may suppress alerts but must not affect enforcement outcomes.
Failure BehaviorML failure has no effect on enforcement decisions. Enforcement continues in the absence of ML telemetry. Alert suppression due to ML failure is a monitoring gap, not an enforcement failure. Components must not block enforcement operations waiting for ML write acknowledgment.
TA — Trust Anchor and Key Management Layer
PropertyDetail
ResponsibilitiesManages the three-tier key hierarchy: root key (offline), intermediate key, AE signing key. Performs key provisioning to AE; manages key rotation lifecycle; maintains the key rotation audit trail in AL. Root key never leaves the offline trust anchor. Intermediate key rotation events trigger dual-key window management in AE.
Trust BoundaryThe highest trust boundary in the enforcement architecture. The root key trust anchor is isolated from all operational systems. Key provisioning to AE occurs over an authenticated channel with explicit key delivery confirmation. No other component in the architecture holds key material at the root or intermediate level.
InputsKey rotation schedule; human authorization for root key operations; AE key provisioning requests.
OutputsProvisioned AE signing key (to AE); key rotation records (to AL); key rotation notifications (to EG for artifact verification window management).
Security AssumptionsCompromise of the root key trust anchor represents a complete collapse of the enforcement architecture's cryptographic guarantees. Root key operations require out-of-band human authorization. Intermediate key compromise requires immediate rotation and notification of all artifact-verifying systems.
Failure BehaviorTA unavailability does not immediately affect enforcement (AE holds a valid current key). Key rotation cannot proceed during TA unavailability; if the current AE signing key expires during TA unavailability, AE enters conservative mode and enforcement becomes deny-only until key provisioning resumes.
Section 4

#Logical Data Flow Model

The enforcement data flow is strictly sequential. No step may be executed concurrently with a step that depends on its output. No step may be skipped. No step may be reordered. The sequence is the enforcement invariant: any implementation that satisfies this sequence, regardless of the technology used to realize each component, satisfies the structural data flow requirement.

4.1 Pre-Execution Gating Flow

EXTERNAL DOMAIN Calling System (CS) authenticated request EG — Enforcement Gateway sole entry point · validates identity · extracts context 1. CR query — consent_id CR — Consent Registry linearizable read · returns ACTIVE | REVOKED 2. evaluation request PE — Policy Engine pure function · frozen snapshot · PERMIT | DENY 3. signing request (PERMIT only) AE — Artifact Engine HMAC-SHA256 · signed enforcement artifact 4. audit write — BLOCKING AL — Audit Ledger append-only · hash chain extended · ACK required 5. artifact released (PERMIT + ACK) INFERENCE EXECUTION

Figure 4.1 — Pre-execution gating flow. Steps are strictly sequential; no step may be skipped or reordered. The AL write at step 4 is blocking — the artifact is not released until the write is acknowledged.

4.2 Decision Artifact Binding

The enforcement artifact is the cryptographic binding between the enforcement decision and the inference execution it authorizes. The artifact is computed over a fixed set of fields that unambiguously identify the enforcement decision: the consent_id that was evaluated, the context_hash that was evaluated against, the policy version that governed the evaluation, the decision outcome, and a single-use nonce that prevents artifact replay. Any execution that does not present a valid artifact for its exact context is structurally unauthorized.

Artifact Binding Invariant: An enforcement artifact is valid if and only if HMAC-SHA256(K, consent_id || context_hash || policy_version || decision || nonce) verifies correctly and the nonce has not been previously consumed. The artifact is not valid for any other consent_id, context, policy version, or decision outcome.

4.3 Write-Before-Execute Invariant

The write-before-execute invariant is the strongest sequencing constraint in the architecture. It states: no inference execution may begin until the EG has received an acknowledged write from the AL for the enforcement decision authorizing that execution. This invariant has no exceptions. A network failure between the AL write and the artifact release means the artifact is not released. A timeout between the AL write and the acknowledgment means the artifact is not released. An AL that acknowledges without actually writing is a structural integrity failure.

StepDescription
W-01 — PE Decision CompletePE returns PERMIT or DENY to EG. Decision is in EG memory only; no external record exists yet. No artifact is generated. No inference execution is possible.

4.4 Revocation Propagation Flow

Authorized Principal revocation request { consent_id, reason, authorized_by } RS — Revocation Service authenticates principal · commits revocation to CR REVOCATION_COMMITTED AL Audit Ledger propagation within TTL CR — Consent Registry consent_id updated to REVOKED · replication within TTL cache invalidation notification EG — Enforcement Gateways cache invalidated · subsequent CR reads return REVOKED all requests for consent_id → DENY Invariant: no PERMIT after T_revocation + TTL Conservative mode activates if invalidation not received by TTL/2

Figure 4.4 — Revocation propagation flow. The RS commits revocation to CR and records the event in AL concurrently. Cache invalidation notifications are dispatched to all EG instances; conservative denial activates if propagation lags beyond TTL/2.

Section 5

#Trust Boundary Definition

Trust boundaries are structural properties of the architecture, not configuration choices. A boundary defines where trust transitions: where one domain ends and another begins, and what authentication or verification must occur at the crossing. Every component interface is a boundary crossing; no crossing is implicit.

5.1 External Boundary

The external boundary separates the Calling System (and all external agents) from the enforcement perimeter. The sole authorized crossing point is the Enforcement Gateway. No other enforcement component (PE, CR, RS, AE, AL) has a network interface accessible from outside the enforcement perimeter. Any architecture in which PE, CR, or AL is reachable from the external domain is non-conformant regardless of access control configuration.

EXTERNAL ZONE — UNTRUSTED Calling System · Agents · Applications No enforcement logic. No direct registry access. Treated as untrusted by all internal components. CS Calling System mTLS · rate limit · sole authorized crossing ENFORCEMENT PERIMETER — TRUSTED INTERNAL mTLS · signed payloads on all links EG — Enforcement Gateway sole chokepoint · orchestrates full flow PE Policy Engine CR Consent Registry AE Artifact Engine AL Audit Ledger RS Revocation Service isolated credential channel · AE key provisioning only KEY TRUST ANCHOR — HIGHEST ISOLATION Root key: offline / air-gapped · Intermediate key: HSM-backed · Key provisioning: out-of-band authorization required

Figure 5.1 — Trust boundary zones. The Enforcement Gateway is the sole authorized crossing point between the external and internal zones. All inter-component communication within the perimeter uses mTLS with signed payloads.

5.2 Internal Trust Segments

Within the enforcement perimeter, trust is not uniform. Inter-component trust is directional and purpose-bounded. EG trusts CR to return accurate consent state but does not trust CR to make enforcement decisions. PE trusts the EG to provide an authentic enforcement request but does not trust the EG to interpret policy. AL trusts EG to write accurately but does not trust EG to determine what constitutes a complete enforcement record. These directional trust properties must be enforced by design, not by convention.

Table 5.1 — Internal Component Trust Matrix
Source Component Target Component Trust Granted Trust Withheld
EGCRConsent state response accuracy within TTLEnforcement decision authority; policy interpretation
EGPEDecision output for the provided input tupleContext construction; consent state verification
EGAEArtifact generation for EG-provided PERMIT decisionIndependent policy evaluation; consent verification
EGALWrite durability and hash-chain integrityDecision correctness determination; audit record interpretation
PEEGAuthenticity of the enforcement request; context_hash accuracyPolicy evaluation; decision outcome; audit record
AETAKey provisioning correctness; key hierarchy integrityEnforcement decision; consent state; policy evaluation
CRRSAuthorization to write revocation flagsEnforcement decisions; policy evaluation; audit records
MLAllMetric data accuracy (read-only, non-authoritative)No enforcement authority; no write authority on any component

5.3 Cross-Region Boundary

In multi-region deployments, each region constitutes a distinct enforcement domain. Enforcement decisions are made locally within each region; cross-region communication is limited to consent state synchronization and revocation propagation. A region must be able to enforce correctly, including fail-closed, while cross-region communication is unavailable. Loss of cross-region connectivity triggers conservative mode for affected consent_ids until synchronization is confirmed.

5.4 Registry Synchronization Boundary

The Registry Synchronization Boundary is the interface between CR instances in a replicated deployment. Writes committed at one CR instance must propagate to all CR instances within the declared TTL. The synchronization protocol must preserve linearizability for revocation writes: once a revocation is committed at any CR instance, that instance must not serve a non-revoked state for the affected consent_id, and all other instances must converge to the revoked state within TTL.

5.5 Key Material Isolation Boundary

Key material boundaries define where cryptographic credentials are permitted to exist. The root key must exist only within the offline Trust Anchor. The intermediate key must exist only within HSM-backed storage, never in software or on a general-purpose filesystem. The AE signing key must exist only within the AE signing context, provisioned by the TA over an authenticated channel. No other component may possess, derive, or observe any key material at any tier of the hierarchy. Violation of this boundary nullifies the cryptographic guarantees of the entire enforcement architecture.

Section 6

#Deployment Topology Variants

The canonical component model supports five reference topology variants. Each variant satisfies the architectural principles and component model defined in this document. The variants differ in how components are distributed, replicated, and isolated across failure domains, not in what the components do or what invariants they must satisfy. All variants enforce identical invariants; topology determines resilience, latency, and failure containment, not enforcement semantics.

DT-01 — Centralized Control Plane

Topology Properties

  • All components deployed within a single datacenter or availability zone
  • Single EG cluster; single PE cluster; single CR instance; single AL partition
  • RS operates as an internal service within the enforcement perimeter
  • TA root key stored offline in same physical facility
  • ML collocated with enforcement components
  • Simplest deployment topology; lowest operational complexity

Characteristics

  • Revocation propagation: single-instance CR → near-zero propagation delay for local EG instances
  • Failure containment: datacenter boundary; total failure on datacenter loss
  • Latency: lowest enforcement latency; all components on low-latency network fabric
  • AL durability: single-region; requires external replication for durability guarantees
  • Suitable for: single-domain deployments, development and pre-production environments, low-criticality enforcement workloads
PropertyValue
Max Certification LevelCL-01 (Declared or Verified)
Failure DomainSingle datacenter
Revocation TTLDeclared; 300s minimum
DT-02 — Federated Multi-Domain Architecture

Topology Properties

  • Multiple enforcement domains, each with independent EG, PE, and local CR replica
  • Shared Consent Registry with per-domain replicas synchronized via RS
  • Single authoritative AL with domain-specific write partitions
  • RS operates as a shared propagation broker across domains
  • Cross-domain revocation propagation bound by inter-domain TTL
  • Each domain independently fail-closed; domain failure does not affect other domains

Characteristics

  • Revocation propagation: within-domain immediate; cross-domain within inter-domain TTL
  • Failure containment: per-domain; domain isolation is a design requirement, not an option
  • Data flow: CS in Domain A communicates only with EG in Domain A; no cross-domain enforcement path
  • Conservative mode: domain enters conservative mode if cross-domain sync exceeds TTL/2
  • Suitable for: multi-tenant enforcement infrastructure, federated AI governance, regulatory boundary enforcement
PropertyValue
Max Certification LevelCL-02 (Verified)
Failure DomainPer enforcement domain
Revocation TTLDeclared per domain; 60s intra-domain
DT-03 — On-Premises Enterprise Deployment

Topology Properties

  • All enforcement components deployed within the enterprise network boundary
  • No enforcement component reachable from external networks
  • EG is the sole interface between enterprise AI workloads and enforcement infrastructure
  • TA root key in on-premises HSM or offline secure element
  • AL stored in enterprise-controlled immutable storage
  • ML integrated with enterprise monitoring infrastructure; no external telemetry

Characteristics

  • Revocation propagation: within enterprise network; bounded by internal network latency
  • Failure containment: enterprise network boundary; air-gap protects against external interference
  • Key material: fully on-premises; no cloud key management services required
  • AL durability: enterprise storage; backup and replication per enterprise policy
  • Suitable for: regulated industries, government, financial services, high-confidentiality AI workloads
PropertyValue
Max Certification LevelCL-03 (Certified) if SLA evidence available
Failure DomainEnterprise network
Revocation TTLOperator-declared; 60s recommended
DT-04 — Edge Enforcement Model

Topology Properties

  • EG and PE deployed at network edge, co-located with inference workloads
  • CR replica at edge; synchronizes with central CR within declared TTL
  • AL writes forwarded to central AL over authenticated channel; local buffering only
  • AE at edge with signing key provisioned from central TA; rotation via secure channel
  • RS at central location; propagation to edge CR via RS propagation channel
  • Enforcement decision made at edge without requiring WAN round-trip for CR query

Characteristics

  • Revocation propagation: central RS → edge CR within TTL; edge must enter conservative mode if sync lapses
  • Failure containment: edge enforcement isolated from central failure; central failure does not affect edge decisions for cached consent state within TTL
  • AL durability: central AL; edge buffers locally until write is confirmed; enforcement blocked if buffer exceeds threshold without central acknowledgment
  • Latency: lowest enforcement latency; WAN latency not in enforcement critical path
  • Suitable for: latency-sensitive AI workloads, geographically distributed inference, air-gap tolerant deployments
PropertyValue
Max Certification LevelCL-02; CL-03 requires central AL durability evidence
Failure DomainEdge site (enforcement); central (audit durability)
Revocation TTLDeclared; must account for WAN sync latency
DT-05 — Multi-Region Active-Active

Topology Properties

  • Full enforcement stack (EG, PE, CR replica, AE, AL partition) deployed in each region
  • All regions simultaneously active; no primary/secondary distinction
  • Revocation propagates to all regions within inter-region TTL via RS
  • Cross-region consensus required for revocation commitment; divergence triggers conservative mode
  • AL partitioned by region; cross-region chain verification for export integrity
  • TA root key offline; intermediate keys per-region or shared via secure channel

Characteristics

  • Revocation propagation: within-region immediate; cross-region bounded by TTL (maximum 15s for CL-04)
  • Failure containment: regional; full regional failure handled by other regions; no enforcement continuity in failed region
  • Consensus: cross-region revocation commits require quorum; unilateral revocation in one region is not propagated without quorum confirmation
  • Clock skew: cross-region timestamp comparisons subject to skew tolerance; requests within skew window for TTL boundary are denied conservatively
  • Suitable for: global-scale AI governance, high-availability enforcement infrastructure, regulated multi-jurisdictional deployments
PropertyValue
Max Certification LevelCL-04 (High-Assurance; accredited ACB required)
Failure DomainPer region; cross-region consensus boundary
Revocation TTL15s cross-region (CL-04); 60s (CL-03)
Section 7

#Deterministic Decision Boundary Model

The deterministic decision boundary is the structural isolation that makes QODIQA enforcement verifiable. It is not a quality property of the evaluation logic; it is an architectural constraint on what the evaluation function is permitted to access. The decision function must be a pure function: it produces output from inputs, and nothing else. Any access to state not present in the input tuple corrupts the determinism guarantee.

7.1 Evaluation Isolation

The Policy Engine evaluation function is isolated from all external state at the moment of evaluation. The evaluation is presented with exactly three inputs: the frozen context (including token state as read from CR before the evaluation begins), the frozen policy snapshot (loaded and verified at PE startup), and a representation of the declared policy version. No other information may enter the evaluation function. In particular, the evaluation function must not: make network calls of any kind; read from any mutable shared store; access a real-time clock; generate or consume randomness; or depend on the thread-local state of the evaluation process beyond the input tuple.

Evaluation Isolation Invariant: Let f be the PE evaluation function, C be the frozen context, and P be the frozen policy snapshot. The invariant is: f(C, P) is a pure total function. For all C1, C2 such that C1 = C2, and all snapshots P1, P2 such that P1 = P2: f(C1, P1) = f(C2, P2). No implementation artifact (execution order, cache state, memory layout, or timing) may cause this equality to fail.

7.2 Frozen Context Binding

The frozen context is the canonical, version-tagged serialization of all enforcement-relevant attributes of a request at the moment of EG evaluation. Once the EG has computed the frozen context and its hash, neither the context nor the hash may be modified before delivery to PE. The context_hash delivered to PE by EG is the caller's commitment to a specific context; the PE evaluates that commitment, not the raw request.

STRUCTURE: Frozen Context — Canonical Structure 
// Frozen context: all fields that govern the enforcement decision
// Must be canonically serialized before hashing
// Version prefix ensures hash namespace isolation across schema revisions

frozen_context = {
  "version":        "qodiqa-ctx-v1",
  "consent_id":     "<opaque string>",
  "policy_version": "<declared frozen policy version>",
  "caller_id":      "<authenticated caller identifier>",
  "token_state":    "ACTIVE" | "REVOKED" | "EXPIRED" | "NOT_FOUND",
  "token_scope":    ["scope_a", "scope_b"],  // canonical-sorted
  "issued_at":      1700000000,              // integer seconds
  "expires_at":     1700003600,              // integer seconds; no float
  "nonce":          "<unique per request; not included in context_hash>"
}

// Canonicalization invariants (from Playbook §8.1)
CS-INV-01: Keys sorted lexicographically by UTF-8 byte sequence
CS-INV-02: No whitespace in serialized output
CS-INV-03: UTF-8 encoding, no BOM, no surrogates
CS-INV-04: context_hash = "sha256:qodiqa-ctx-v1:" + hex(SHA256(serialize(context)))
CS-INV-05: Semantic equivalence implies hash equality
CS-INV-06: No floating-point values permitted

7.3 Artifact Generation Atomicity

Artifact generation is an atomic operation from the perspective of the EG. The AE either produces a complete, valid artifact or it produces nothing. There is no partial artifact state observable to EG. If the AE signing operation fails for any reason (key unavailable, hardware fault, signing algorithm rejection of malformed input) the AE returns an error, EG receives no artifact, and the enforcement flow terminates with a DENY decision. EG must not retry signing with a different nonce in response to a signing failure; a new enforcement evaluation must be initiated from the beginning by CS.

7.4 Decision Independence from External Network

At the moment of PE evaluation, the enforcement decision must not depend on any external network call. The token state has already been read from CR by EG and included in the enforcement request. The policy snapshot is already loaded in PE local memory. No additional network access is required or permitted. An implementation that makes external calls during PE evaluation is structurally non-conformant regardless of whether those calls succeed.

  • The enforcement decision must not depend on any call to an external service during evaluation
  • The enforcement decision must not depend on the current wall clock time; token expiry is checked against the clock before context freezing, not during evaluation
  • The enforcement decision must not depend on randomness or entropy from any source
  • The enforcement decision must not depend on mutable shared state accessible from multiple PE evaluation threads simultaneously
  • The enforcement decision must produce the same result regardless of how many parallel evaluations are in progress in the PE at the same moment
Section 8

#Scaling and Performance Model

The reference architecture is designed for horizontal scalability of stateless components and vertical or replicated scalability of stateful components. Scalability must not relax enforcement invariants. An architecture that achieves higher throughput by skipping enforcement steps, relaxing audit write guarantees, or introducing eventual consistency into the revocation check path is not a conformant scale-out architecture; it is a non-conformant architecture with increased throughput.

8.1 Horizontal Scaling of Enforcement Gateway

EG instances are structurally stateless at the enforcement decision level. Each EG instance independently maintains its local revocation cache (bounded by the declared TTL), its circuit breaker state (per downstream component), and its rate limit counters (per consent_id, per instance). Because rate limit counters are per-instance, distributed rate limiting is not a structural requirement; per-instance rate limits are a conformant implementation. Multiple EG instances behind a load balancer constitute a horizontally scalable enforcement perimeter with linear throughput scaling.

MODEL: EG Horizontal Scaling — Invariants 
// EG is stateless at the enforcement decision level
// Each instance independently correct; no coordination required

throughput(EG, n_instances) = n x throughput(EG, 1)   // linear

// Cache invalidation cost: bounded
// On revocation notification: O(1) per EG instance
// Total cost per revocation: O(n_EG_instances)
// Must complete within TTL; provision EG pool size accordingly

// Saturation behavior:
// EG throughput ceiling = min(EG capacity, CR read capacity, AL write capacity)
// Saturation triggers fail-closed, NOT graceful degradation
// Provision all components at ≤ 70% of single-instance ceiling

// Enforcement latency model (no-cache, upper bound):
L_enforcement ≤ L_CR + L_PE + L_AE + L_AL + L_EG_overhead
             ≤ 30  + 10  + 5   + 20  + 3   = 68ms

8.2 Stateless Enforcement Node Properties

EG and PE are structurally stateless enforcement nodes. Statelessness means: no enforcement decision depends on the history of prior decisions on the same instance; adding or removing an instance does not change the enforcement outcome for any specific request; and an instance restart does not require state recovery (beyond snapshot re-verification for PE and fresh CR connectivity for EG). These properties are architectural requirements, not implementation preferences.

8.3 Registry Caching with TTL

EG instances may cache CR query results for the duration of the declared TTL. Caching is a latency optimization, not a semantic change. The cache TTL is identical to the revocation propagation TTL: a consent_id may be served from cache until the cache entry expires, after which a fresh CR query is required. Cache invalidation on revocation notification must complete within the TTL. An EG instance that cannot invalidate a cache entry for a revoked consent_id within TTL must enter conservative mode and deny all requests for that consent_id until CR confirms revocation.

8.4 Ledger Write Throughput Model

The AL is the throughput ceiling of the enforcement system. Every PERMIT and every DENY requires an AL write. The AL write throughput must exceed the enforcement decision rate; otherwise, the enforcement path saturates at the AL and the circuit breaker opens, causing system-wide denial. The AL must be provisioned for the expected peak decision rate with a minimum 40% headroom. AL partitioning by consent_id or by EG instance is a valid scaling strategy; the hash chain must remain verifiable across partition boundaries via the partition-level chain structure defined in the Implementation Playbook.

8.5 Artifact Hashing Cost Envelope

The HMAC-SHA256 computation for artifact generation is O(n) in the byte length of the serialized context. For typical enforcement contexts of 200–500 bytes, this operation completes in microseconds on general-purpose hardware. The cost is bounded and deterministic; it does not depend on the complexity of the policy evaluation or the number of concurrent evaluations. AE throughput scales linearly with the number of AE instances, subject to the signing key being accessible to each instance independently.

Table 8.1 — Scaling Properties by Component
Component Scaling Axis State Model Throughput Scaling Saturation Behavior
EGHorizontal (instances)Stateless per decisionLinearCircuit breaker → deny-all
PEHorizontal (instances)Stateless; snapshot pinnedLinearEG circuit breaker → deny
CRRead: horizontal (replicas); Write: verticalStateful; linearizable writesRead: near-linear; Write: boundedEG circuit breaker → deny-all
RSVertical; message broker replicasStateful; durable deliveryEvent-driven; not in hot enforcement pathQueue overflow → revocation delayed; conservative mode
AEHorizontal (instances)Stateless; key-boundLinear per keyEG circuit breaker → deny PERMIT
ALHorizontal (partitions)Stateful; append-onlyPartition-linearEG circuit breaker → deny-all
Section 9

#Failure and Degradation Model

The QODIQA reference architecture does not have a graceful degradation mode. Degradation is not a permitted operational state. The architecture has two modes: full enforcement (all components operational, all invariants satisfied) and fail-closed (some components unavailable, all requests denied). Any intermediate state (partial enforcement, selective bypass, or probabilistic enforcement) is structurally non-conformant. Every failure condition described below resolves to one of these two modes.

Degradation Invariant: There is no failure condition in the QODIQA reference architecture that results in enforcement being weakened, bypassed, or probabilistically applied. All ambiguity resolves to denial. The only permitted operational states are: full enforcement (PERMIT or DENY decisions for all requests) and fail-closed enforcement (DENY decisions for all requests due to component unavailability). There is no third state.

9.1 Registry Unavailability

StepDescription
F-01a — CR Query TimeoutEG issues CR query; response not received within timeout ceiling. EG increments CR failure counter. If counter exceeds circuit breaker threshold within window W: circuit OPEN. All subsequent requests: DENY with CR_UNAVAILABLE. No inference execution. AL receives DENY records.

9.2 Policy Engine Failure

PE failure is architecturally equivalent to CR failure from the EG perspective: no PE decision can be obtained → no PERMIT can be issued → all requests DENY. PE failure is surfaced by EG as PE_UNAVAILABLE and recorded in AL. PE recovery requires: (a) process restart; (b) snapshot re-load; (c) snapshot hash verification against AL POLICY_FROZEN record; (d) EG circuit breaker probe success. PE may not resume evaluation before all four steps complete. A PE that bypasses snapshot verification during recovery is non-conformant regardless of whether it happens to load the correct snapshot.

9.3 Audit Ledger Failure

AL failure has the most severe impact in the architecture: a PERMIT-eligible request that receives a PERMIT decision from PE and a valid artifact from AE cannot be released because the AL write cannot be committed. The request is denied. The artifact is discarded. The request must be retried by CS from the beginning after AL recovery. Under no circumstances may EG release an artifact without an AL write acknowledgment. An AL that acknowledges writes without durably committing them (acknowledging before fsync, for example) is a silent data integrity failure and is structurally non-conformant at all certification levels.

9.4 Clock Drift Detection

Clock drift affects TTL calculations, token expiry checks, and cross-region timestamp comparisons. The reference architecture defines a maximum clock skew tolerance of 30 seconds between any two enforcement components. If clock skew between an EG instance and its time reference exceeds the tolerance: the EG instance must enter conservative mode, deny all requests where token expiry falls within the skew window, and alert ML with a CLOCK_SKEW_EXCEEDED condition. EG instances must not make enforcement decisions based on timestamps they cannot verify for consistency.

9.5 Key Revocation Event

A key revocation event (distinct from a consent token revocation event) is the retirement of an AE signing key. Key revocation triggers the dual-key window protocol: both the outgoing and incoming keys are valid for artifact verification during the window duration. After the window closes, the outgoing key is retired from all verification contexts. An artifact presented to the inference system after the window closes that was signed by the retired key is no longer valid, regardless of when the original enforcement decision was made. Deployments must ensure that no artifact with a validity period extending beyond the window duration is issued.

9.6 Partial System Partition

A partial system partition is a network condition in which some enforcement components can reach each other but others cannot. Partial partitions are among the most operationally complex failure conditions because they can produce inconsistent behavior across EG instances. The reference architecture handles all partition scenarios through the same mechanism: if a required component is unreachable from EG, the circuit breaker opens for that component at that EG instance, and all requests handled by that EG instance are denied until connectivity is restored. EG instances that can reach all components continue to enforce normally. The partition does not affect enforcement correctness at any individual EG instance; it affects enforcement availability for requests routed to affected EG instances.

Section 10

#Interoperability and Extensibility Model

The reference architecture is designed for structural stability. Interoperability means that different conformant implementations of the same component can be substituted without affecting enforcement semantics. Extensibility means that new control profiles or audit record types can be added to the architecture without violating existing invariants. Neither interoperability nor extensibility permits relaxation of enforcement invariants or introduction of probabilistic enforcement. This architecture is deployment-agnostic and may be positioned in front of any AI inference system without modification to model internals.

10.1 Version Binding

Every enforcement interaction is bound to an explicit version: the context schema version (embedded in the context_hash prefix), the policy version (referenced in every enforcement request), and the artifact schema version (embedded in the artifact structure). Version binding ensures that a receiver can unambiguously determine the schema under which a context, decision, or artifact was produced. Mixed-version deployments (where different EG instances run different corpus versions) are non-conformant; all instances within a single deployment must run the same corpus version. Version binding is compatible with real-time inference APIs, batch processing systems, streaming inference pipelines, and edge deployments; the binding mechanism is transport-independent.

10.2 Backward Compatibility Handling

Backward compatibility is defined at the interface level. A new version of the corpus that changes the frozen context schema is a breaking change; all components that produce or consume frozen contexts must be updated together. A new version that adds new AL record types is non-breaking; existing components that do not produce the new record types continue to be conformant unless the new record type is declared normatively required. No corpus version may relax enforcement semantics as a backward compatibility measure. The enforcement boundary defined by this architecture applies equivalently to synchronous real-time inference APIs, asynchronous batch processing systems, and streaming inference pipelines; backward compatibility obligations hold across all deployment paradigms.

10.3 Profile Layering

The reference architecture supports two compliance profiles: Core Profile and Full Framework Profile. The Core Profile requires only the controls specified in the Core Standard and the component model defined in this document. The Full Framework Profile additionally requires all 68 controls from the 68-Point Enforcement Framework. Both profiles satisfy all invariants in this architecture; the Full Framework Profile adds additional control surface area above the structural minimum. A deployment may declare conformance at the Core Profile or Full Framework Profile; the claimed profile must be disclosed in the conformance claim.

Table 10.1 — Profile Layering — Component Requirements
Component Core Profile Full Framework Profile Difference
EGRequired; single instance minimumRequired; 2 or more instances, independent failure domainsRedundancy and failure domain isolation
PERequired; single instance; snapshot verifiedRequired; 2 or more instances; cross-instance snapshot hash agreement verifiedPolicy drift detection across instances
CRRequired; linearizable revocation readsRequired; replicated; cross-domain sync within TTL 60sReplication and TTL tightening
RSRequired; durable delivery to CRRequired; durable; cross-domain; conservative mode on lagCross-domain propagation and conservative mode
AERequired; HMAC-SHA256; key from hierarchyRequired; HSM-backed; attestation on restartHardware-backed key operations
ALRequired; append-only; weekly chain verifyRequired; per-write chain verify; daily external exportVerification frequency and durability cadence
MLRequired; core metrics; Class I alertsRequired; full drift matrix; Class 0 alerts; heartbeatObservability completeness
TARequired; root key offline; hierarchy documentedRequired; intermediate key HSM-backed; rotation log in ALIntermediate key protection and rotation evidence

10.4 Future Control Extension

New control profiles may be defined as annexes to the QODIQA corpus in future revisions. Any new control profile must be additive to the existing architecture: it may require additional component behavior, additional audit record types, or additional test procedures, but it may not modify the enforcement semantics of existing components, relax existing invariants, or introduce probabilistic enforcement. A new control profile that contradicts any invariant in this reference architecture is architecturally incompatible with the QODIQA corpus and cannot be adopted without a corpus version revision.

Section 11

#Reference Invariants Summary

The following invariants constitute the structural commitments of the QODIQA reference architecture. Each invariant is stated as an unconditional property that any conformant implementation must satisfy. These invariants align with and extend the global system invariants defined in the Implementation Playbook and are the canonical reference for architectural conformance assessment.

INV-A — Deterministic Replay Invariant

Statement: For all frozen contexts C and frozen policy snapshots P: evaluate(C, P) = replay(C, P). The enforcement function is a pure total function. Identical inputs produce identical outputs on every invocation, on every PE instance, after every restart, and across every time interval, subject only to the constraint that the frozen context and frozen policy snapshot are identical.

This invariant is violated if: the PE makes any external network call during evaluation; the PE reads from any mutable shared state during evaluation; the PE uses real-time clock values in the evaluation; or any implementation artifact causes different PE instances to produce different decisions for the same input.

Corpus reference: Playbook INV-07; Certification Framework §6; AP-01.

INV-B — Fail-Closed Invariant

Statement: For all enforcement requests R: if any component required to complete the enforcement flow (CR, PE, AE, AL) is unavailable or returns an error, then outcome(R) = DENY. There exists no operational state of the enforcement architecture in which a request receives a PERMIT outcome without all required components having successfully participated in the enforcement flow for that specific request.

This invariant is violated if: a PERMIT is issued when CR is unavailable; a PERMIT is issued without an AL write acknowledgment; a PERMIT is issued when AE cannot generate an artifact; or any enforcement component failure results in an outcome other than DENY.

Corpus reference: Playbook INV-02; Certification Framework §5.3; AP-02.

INV-C — Artifact Immutability Invariant

Statement: For all enforcement artifacts A produced by the AE: A is cryptographically bound to exactly one enforcement context (consent_id, context_hash, policy_version, decision, nonce). A cannot authorize inference execution for any context other than the one for which it was produced. A is valid for exactly one use (nonce consumed on first verification). A is invalid after the current AE signing key is retired.

This invariant is violated if: an artifact verifies successfully for a different context_hash than the one used to produce it; a nonce can be reused to authorize a second inference execution with the same artifact; or a retired key continues to be accepted for artifact verification.

Corpus reference: Playbook INV-04; Certification Framework §6.4; AP-04.

INV-D — Revocation Supersession Invariant

Statement: For all consent_ids C and all revocation events V committed at time T_rev: for all enforcement requests for C arriving after T_rev + TTL at any EG instance, outcome = DENY. No cached state, in-flight artifact, or previously issued decision permits inference execution for C after T_rev + TTL at any EG instance in the deployment.

This invariant is violated if: any EG instance issues a PERMIT for C after T_rev + TTL; any artifact issued before T_rev remains valid for verification after T_rev + TTL; or conservative mode is not activated when propagation lag exceeds TTL/2.

Corpus reference: Playbook INV-03; Certification Framework §8; AP-08.

INV-E — Policy Version Binding Invariant

Statement: For all enforcement decisions D: D is produced by evaluating the frozen context against the declared frozen policy snapshot at the declared policy version. No enforcement decision is produced by evaluating against a policy snapshot that has not been frozen (hash committed to AL), by evaluating against a policy version that does not match the declared policy_version field in the enforcement request, or by evaluating against a modified version of a previously frozen snapshot.

This invariant is violated if: PE evaluates against a policy snapshot that has not been verified against a POLICY_FROZEN AL record at load time; PE accepts evaluation requests for a policy version that does not correspond to the loaded snapshot; or any mechanism allows modification of the loaded policy snapshot after it has been verified.

Corpus reference: Playbook INV-06; Certification Framework §6.3; AP-03.

INV-F — Audit Completeness Invariant

Statement: For all enforcement requests R that produce a decision: there exists a record r in AL such that r.consent_id = R.consent_id, r.context_hash = R.context_hash, r.decision = outcome(R), and r.committed_at < inference_execution_time(R). There is no inference execution without a prior durable AL record. The absence of an AL record for a request that reached PE is an audit completeness failure, more severe than a chain integrity failure.

This invariant is violated if: inference execution begins before the corresponding AL record is acknowledged; an AL record is lost due to storage failure without detection; or any enforcement decision is produced without a corresponding AL record within the declared retention period.

Corpus reference: Playbook INV-01, INV-05; Certification Framework §7; AP-05.

Section 12

#Non-Coverage Disclosure

This Reference Architecture defines the canonical component model, data flows, trust boundaries, and invariants for QODIQA consent enforcement. It does not define everything relevant to a production AI infrastructure deployment. The following domains are explicitly outside the scope of this document and must not be inferred from its contents.

12.1 Product APIs and Protocol Specifications

This document does not define product APIs, wire protocols, message formats beyond what is needed to specify the enforcement flow, or inter-component communication standards. API specification is outside the scope of a reference architecture. Conformant implementations may use any API design, message encoding, or transport protocol that satisfies the structural requirements of this document.

12.2 Specific Technology Stacks

This document does not mandate, recommend, or imply the suitability of any specific technology stack, programming language, database system, message broker, or infrastructure platform for any component. References to architectural properties (linearizability, append-only, distributed consensus) describe requirements, not implementations. Any technology that satisfies the structural requirement is equally valid.

12.3 Enterprise IAM and Identity Systems

This document does not replace, extend, or integrate with enterprise identity and access management systems. The Calling System authenticates to the Enforcement Gateway; the mechanism by which the calling system's identity is established is outside the scope of this architecture. QODIQA enforces consent at the inference boundary, not authentication at organizational or user-identity boundaries. Enterprise IAM and QODIQA serve complementary but structurally distinct functions.

12.4 AI Model Internals

This document does not govern the internal architecture, training process, serving infrastructure, or behavioral properties of AI inference systems. QODIQA enforcement operates at the boundary between the request and the inference system; it does not inspect, modify, or constrain what happens within the inference system. The inference system is treated as a black box that accepts or rejects execution requests based on artifact validity.

12.5 Data Storage Encryption

This document does not define encryption standards for data at rest in any enforcement component. Storage encryption for the Consent Registry, Audit Ledger, or any other component is a deployment-specific security control that must be satisfied according to the applicable regulatory and organizational requirements. This architecture specifies the tamper-evidence properties of the Audit Ledger through hash-chaining; storage encryption is orthogonal to hash-chain integrity and is not specified here.

12.6 Consent Grant Origination

This document does not govern the process by which consent grants are created, the user experience through which data principals express consent, or the legal basis on which consent is established. QODIQA enforcement begins at the point of inference-time enforcement; the processes upstream of consent grant creation (consent collection, consent validity determination, consent storage in authoritative systems of record) are outside the scope of this architecture. The Consent Registry as defined here stores the enforcement-relevant state of consent grants; it is not a system of record for consent governance.

Non-Coverage Summary — What This Architecture Does Not Define
  • Product APIs, wire protocols, or specific inter-component message formats
  • Specific technology stack, database, or infrastructure platform choices
  • Enterprise IAM, user authentication, or organizational identity management
  • AI model internals, training infrastructure, or inference system architecture
  • Data storage encryption standards for any enforcement component
  • Consent grant origination, data principal UX, or legal basis for consent
  • Network infrastructure, physical security, or datacenter design
  • Billing, access control to enforcement configuration, or operational tooling

This architecture defines the logical component model only. All implementation choices not constrained by the invariants in this document are at the discretion of the implementing organization.

Section 13

#Institutional Closing Statement

QODIQA is a runtime control plane. It does not govern what AI systems may do in the abstract; it governs what inference executions may occur in specific operational contexts, against specific consent states, evaluated by specific frozen policy versions, at specific instants in time. The architecture defined in this document is the structural form through which that governance is exercised. It is not a description of intent; it is a specification of a runtime boundary.

The enforcement architecture is the consent boundary. Not a policy document about the consent boundary. Not a monitoring system that observes the consent boundary. The architecture itself is the boundary. When the EG denies a request, when the AL records the denial, when the circuit breaker opens under component failure, these are the consent boundary operating correctly. The boundary does not exist outside the architecture that implements it.

Determinism is structural in this architecture, not aspirational. The architectural constraint that the PE evaluation function be pure (no network calls, no shared mutable state, no real-time clock, no randomness) is not a performance optimization. It is the mechanism by which enforcement decisions become auditable, replayable, and certifiable. An enforcement system that makes probabilistic or state-dependent decisions cannot be audited; it cannot be replayed; it cannot be certified. Determinism is the precondition for accountability.

Infrastructure precedes policy interpretation. A consent policy is not enforceable by declaration. It is enforceable only when there exists an infrastructure (a runtime control plane) that gates inference execution against the policy, records every decision with cryptographic evidence, and fails closed when any component required for verified enforcement is unavailable. This reference architecture is the specification of that infrastructure. Where it is implemented correctly, consent enforcement is structural. Where it is not, consent governance remains advisory.

13.1 Corpus Alignment Statement

This Reference Architecture (QODIQA-ARCH-2026-001 v1.0) is normatively complementary to and must be read in conjunction with the following corpus documents: QODIQA — Consent as Infrastructure for Artificial Intelligence Technical Whitepaper — Version 1.0; QODIQA — 68-Point Enforcement Framework for Deterministic Runtime Consent Enforcement — Version 1.0; QODIQA — Core Standard for Deterministic Runtime Consent Enforcement — Version 1.0; QODIQA — Implementation Playbook for Deterministic Runtime Consent Enforcement — Version 1.0; QODIQA — Certification Framework for Deterministic Runtime Consent Enforcement — Version 1.0. This document is authoritative for the canonical component model, trust boundary definitions, and architectural invariants. For normative enforcement semantics, defer to the Core Standard. For operational deployment guidance, defer to the Implementation Playbook. For certification procedures, defer to the Certification Framework.

Document Status

#Document Status and Classification

This document is the Reference Architecture of the QODIQA specification corpus. It defines the canonical, vendor-neutral architectural topology for deterministic runtime consent enforcement. It is issued as a Reference Architecture Specification and is not a product specification, an implementation guide, or a commercial deployment blueprint. It is a logical architectural model against which conformant implementations may be assessed for structural conformance.

The governing constraint is structural: the architecture is the enforcement boundary, and the enforcement boundary must be deterministic, fail-closed, and cryptographically anchored or it is not a conformant QODIQA architecture.

The material contained herein is intended for:

  • Principal architects designing QODIQA-conformant enforcement infrastructure
  • Distributed systems engineers implementing canonical enforcement components
  • Security architects defining trust boundaries and isolation properties for AI inference infrastructure
  • Standards body members and regulatory reviewers evaluating the architectural basis of QODIQA enforcement
  • Independent assessors and certification bodies conducting architectural conformance evaluation
  • Technical governance leads responsible for AI consent enforcement infrastructure decisions

All architectural principles described in this document are production-oriented, deterministically anchored, and designed for integration within large-scale AI ecosystems.

This document should be read together with the following related specifications:

  • QODIQA — Consent as Infrastructure for Artificial Intelligence Technical Whitepaper — Version 1.0
  • QODIQA — Core Standard for Deterministic Runtime Consent Enforcement — Version 1.0
  • QODIQA — 68-Point Enforcement Framework for Deterministic Runtime Consent Enforcement — Version 1.0
  • QODIQA — Implementation Playbook for Deterministic Runtime Consent Enforcement — Version 1.0
  • QODIQA — Certification Framework for Deterministic Runtime Consent Enforcement — Version 1.0
  • QODIQA — Security and Cryptographic Profile for Runtime Consent Enforcement — Version 1.0
  • QODIQA — Threat Model and Abuse Case Specification — Version 1.0
  • QODIQA — Governance Charter for the QODIQA Standard Corpus — Version 1.0

Version 1.0 represents the initial formal release of this document as part of the QODIQA standard corpus.

For strategic inquiries, architectural discussions, or partnership exploration:

Bogdan Duțescu

bddutescu@gmail.com

0040.724.218.572

Document Identifier QODIQA-ARCH-2026-001
Title Reference Architecture for Deterministic Runtime Consent Enforcement
Subtitle Canonical Topology and Component Interaction Model for QODIQA Enforcement Infrastructure
Publication Date April 2026
Version 1.0
Document Type Reference Architecture Specification
Document Status Normative — Reference Architecture Specification
Governing Authority QODIQA Governance Charter
Integrity Notice Document integrity may be verified using the official SHA-256 checksum distributed with the QODIQA specification corpus.