VaultWorkflow

Workflow Schema Reference

Complete reference for the VaultWorkflow YAML schema, covering step definitions, field types, validation rules, and approval routing configuration.

The workflow schema is a YAML document stored in Azure Blob Storage. It defines the steps, fields, validation rules, and approval routing for a workflow instance. The schema is referenced by blob path when creating a workflow session.

Schema Storage

Workflow schemas are stored in the workflow-schemas container (default) of your Azure Blob Storage account. The schema blob path is provided in the POST /api/workflow request body.


Top-Level Structure

id: vendor-onboarding
title: Vendor Onboarding
description: Collect vendor information for approval and contract generation
workflowType: governance        # 'governance' | 'standard'
organizationName: Contoso Ltd   # Used in notification emails
requireOtp: false               # Require OTP before participant accesses steps

steps:
  - ...

validation:
  rules:
    - ...

approval:
  routing:
    mode: first-match
    routes:
      - ...
    fallback:
      approver:
        email: approvals@contoso.com

workflowType

ValueBehaviour
governanceTriggers autoValidateOnCreate, which causes validation rules to run at session creation. Used for 3-way match and compliance workflows.
standardValidation runs when the participant submits all steps (default).

Steps

Each step collects a set of fields from the participant. Steps are presented sequentially; the participant must submit each step before advancing.

steps:
  - id: vendor-details
    title: Vendor Details
    description: Enter the vendor's basic information
    fields:
      - key: vendor_name
        label: Vendor Name
        type: text
        required: true
        maxLength: 200

      - key: vendor_email
        label: Vendor Email
        type: email
        required: true

      - key: invoice_total
        label: Invoice Total (USD)
        type: number
        required: true
        min: 0

      - key: payment_terms
        label: Payment Terms
        type: select
        required: true
        options:
          - label: Net 30
            value: net30
          - label: Net 60
            value: net60
          - label: Immediate
            value: immediate

      - key: supporting_document
        label: Upload Supporting Document
        type: attachment
        required: false
        accept: ".pdf,.docx"
        maxSizeMb: 10

Field Types

TypeDescription
textSingle-line text input. Supports maxLength.
textareaMulti-line text input. Supports maxLength.
numberNumeric input. Supports min, max.
emailEmail address with format validation.
dateISO 8601 date picker.
selectSingle-selection dropdown. Requires options array.
multiselectMulti-selection. Requires options array.
checkboxBoolean yes/no field.
attachmentFile upload. Stored in Blob Storage. Supports accept (MIME/extension list) and maxSizeMb.

Validation Rules

Validation rules evaluate collected field data using boolean expressions. They run when the participant advances past the final step (or at session creation for governance type workflows).

validation:
  rules:
    - id: po_amount_match
      description: PO amount must cover invoice total
      condition: "invoice_total <= po_amount"
      severity: error
      message: "Invoice total exceeds the approved PO amount."
      fieldKey: invoice_total

    - id: gr_quantity_check
      description: Goods receipt quantity check
      condition: "gr_quantity >= invoice_quantity"
      severity: warning
      message: "Goods receipt quantity is less than invoiced quantity. Approver review recommended."
      fieldKey: gr_quantity

    - id: tolerance_check
      description: Invoice vs PO within 5% tolerance
      type: numericTolerance
      condition: "invoice_total <= po_amount * 1.05"
      severity: error
      message: "Invoice exceeds PO amount by more than 5% tolerance."
      left:  { path: "invoice_total", label: "Invoice Total" }
      right: { path: "po_amount",     label: "PO Amount" }
      tolerance:
        percent: 5
      expandableDetails: true
      fieldKey: invoice_total

Validation Rule Properties

PropertyTypeRequiredDescription
idstringYesStable identifier for this rule. Used in audit trails.
descriptionstringNoHuman-readable description (internal reference).
conditionstringYesBoolean expression. Must return true to pass. Evaluated against the merged field data.
severityerror | warningYeserror blocks advancement. warning is surfaced to the approver but does not block.
messagestringYesMessage shown to participant/approver when the rule fails.
fieldKeystringNoAssociates the failure with a specific field for portal highlighting.
typestringNoSet to numericTolerance to enable comparison detail rendering.
expandableDetailsbooleanNoWhen true, the portal renders an expandable variance panel. Requires left, right, and tolerance.

Approval Routing

The approval.routing block determines which approver(s) receive the submission once validation passes.

approval:
  routing:
    mode: sequential          # 'first-match' | 'sequential' | 'parallel'
    routes:
      - id: finance-lead
        condition: "invoice_total > 50000"
        priority: 1
        description: High-value - Finance Lead approval required
        approver:
          email: finance-lead@contoso.com
          role: Finance Lead
          escalateAfterDays: 3

      - id: dept-manager
        priority: 2
        description: Standard - Department Manager
        approver:
          email: dept-manager@contoso.com
          role: Department Manager
          escalateAfterDays: 5

    fallback:
      approver:
        email: approvals@contoso.com
        role: Default Approver

Routing Modes

ModeBehaviour
first-matchThe highest-priority route whose condition evaluates to true becomes the sole approver. Routes without a condition always match. Default when mode is absent.
sequentialAll matching routes become a chained approval sequence. Each approver must approve before the next is notified.
parallelAll matching routes are assigned simultaneously. All must approve before the workflow advances.

Route Properties

PropertyTypeRequiredDescription
idstringYesStable route identifier. Used in audit trail.
conditionstringNoBoolean expression evaluated against merged field data. Absent = always matches.
prioritynumberNoAscending order (1 = highest). Routes without priority default to 99.
descriptionstringNoHuman-readable description for audit/notifications.
approver.emailstringYesApprover email address. Stored as HMAC hash; not retained in plaintext.
approver.rolestringNoRole label used in notification emails.
approver.adGroupstringNoAzure AD group (informational; not enforced at the routing layer).
approver.escalateAfterDaysnumberNoDays after which the workflow is auto-escalated if the approver has not responded. 0 or absent = no escalation.

Governance Validation Page

Governance workflows (workflowType: governance) automatically inject a Governance Validation page into the sealed PDF. This page is not present for standard data-collection workflows.

The page is generated at seal time and contains four elements.

Workflow Outcome

A banner at the top of the page states the final outcome of the workflow.

OutcomeMeaning
ApprovedAll error-severity rules passed. The approver approved without exception.
Approved with ExceptionOne or more error-severity rules failed. The approver reviewed the failures, provided a justification, and approved with override.
RejectedThe approver rejected the submission.

Governance Validation Summary

A summary banner below the outcome shows the overall validation status and rule counts in the format: X failed · Y warning · Z passed (N total).

The status label reflects the most severe outcome.

StatusCondition
PASSEDAll error-severity rules passed. Warnings may be present.
EXCEPTIONOne or more error-severity rules failed; the approver approved with justification.
FAILEDOne or more error-severity rules failed and the submission was rejected.

Validation Rule Breakdown

A table listing every validation rule defined in the schema, with its result.

ColumnDescription
RuleThe message text from the validation rule definition.
ResultPass, Fail, or Warning. Failed rows are highlighted in red; warning rows in amber.

All rules are listed regardless of outcome, providing a complete audit record of what was evaluated.

Exception Review

When the outcome is Approved with Exception, an Exception Review section is appended below the rule breakdown. This section captures the approver's justification text, the approver role, and the timestamp of the override decision. The justification is sealed into the PDF and included in the immutable audit record.

Error rules do not always block sealing

When an approver chooses to approve with exception, validation failures are overridden. The Governance Validation page records those failures permanently in the sealed PDF. The exception and justification are also captured in the WORKFLOW_SEALED audit event.


Electronic Evidence Appendix

A sealed workflow PDF can include an Electronic Evidence Appendix page, injected at seal time by the VaultWorkflow system. It is available for both standard (data-collection) and governance workflows.

Opt-in via appendElectronicEvidence

The Evidence Appendix is not generated by default. Set appendElectronicEvidence: true to enable it. This can be set in any of the following (checked in this priority order):

  1. templateSettings.workflow.appendElectronicEvidence in the POST /api/workflow request body at session creation.
  2. A license-level feature flag.
  3. templateSettings.workflow.appendElectronicEvidence embedded directly in the workflow YAML schema.
{
  "templateSettings": {
    "workflow": {
      "enabled": true,
      "appendElectronicEvidence": true
    }
  }
}

Once enabled, it cannot be selectively removed after the fact - the flag applies to the whole sealed document, and modifying a sealed PDF breaks its hash chain regardless.

What the Appendix Contains

The appendix is structured in four sections.

Evidence Details

A table of immutable identifiers and timestamps recorded at seal time.

FieldDescription
Workflow IDUnique identifier for the workflow session.
Correlation IDCaller-supplied or system-assigned correlation reference for this document.
Completed AtUTC timestamp of workflow completion.
Verification MethodMethod used to verify participant identity (for example, Email Verification).
Approver HashHMAC-SHA256 hash of the approver email address. The email is not retained in plaintext.
Tenant IDThe VaultPDF tenant GUID that owns this workflow.
Evidence GeneratedUTC timestamp of appendix generation.

Participant Data

Primary participant identity information is captured within the sealed workflow content. The appendix references that content rather than duplicating it, to prevent the appendix page from exposing PII in plaintext.

Captured Attestations

Any checkbox fields collected during the workflow are reproduced in this section, showing the label and confirmed state. This provides a tamper-evident record of what the participant agreed to.

Audit and Integrity Statement

Three subsections generated by the system.

  • Governance Statement. Confirms that all submitted responses were captured and sealed at the time of approval, and that the workflow was processed in accordance with the configured governance settings for the tenant.
  • Immutability and Integrity. States that the document hash recorded in the audit store covers the full document, including the appendix. Any modification to the document invalidates the hash and breaks the chain of custody.
  • Evidence Storage. Confirms that a WORKFLOW_SEALED audit event has been persisted to the tenant-controlled immutable audit archive in Azure Blob Storage. The archive uses a time-based immutability policy. Once written, audit blocks cannot be modified, overwritten, or deleted during the retention window.

Audit Event

When a workflow is sealed, VaultWorkflow emits a WORKFLOW_SEALED event to the tenant audit archive. The event payload includes the Workflow ID, Correlation ID, Tenant ID, seal timestamp, and a reference to the sealed PDF blob. Events are append-only and subject to the tenant's configured retention policy.

Hash chain integrity

The document hash is computed over the complete sealed PDF, including the Evidence Appendix page. Any post-seal modification to the document, including adding or removing pages, produces a different hash and will fail integrity verification. Do not modify sealed PDFs.


Condition Expressions

Conditions in validation rules and routing routes are simple boolean expressions evaluated against the merged workflow data (all fields collected across all steps). Supported operators:

OperatorExample
Comparisoninvoice_total > 50000
Equalitypayment_terms == 'net30'
Inequalityvendor_country != 'US'
Logical ANDinvoice_total > 1000 && vendor_verified == true
Logical ORrisk_level == 'high' || invoice_total > 100000
Parentheses(a > b) && (c == 'x')

Field Key Naming

Field keys used in conditions must exactly match the key values defined in your step fields. Conditions referencing undefined keys evaluate to false.


API Reference

See the full HTTP endpoint reference for creating workflow sessions, submitting steps, and managing approvals.

On this page