Workflow Schema Reference
Complete reference for the VaultWorkflow YAML schema, covering step definitions, field types, validation rules, and approval routing configuration.
The workflow schema is a YAML document stored in Azure Blob Storage. It defines the steps, fields, validation rules, and approval routing for a workflow instance. The schema is referenced by blob path when creating a workflow session.
Schema Storage
Workflow schemas are stored in the workflow-schemas container (default) of your Azure Blob Storage account. The schema blob path is provided in the POST /api/workflow request body.
Top-Level Structure
id: vendor-onboarding
title: Vendor Onboarding
description: Collect vendor information for approval and contract generation
workflowType: governance # 'governance' | 'standard'
organizationName: Contoso Ltd # Used in notification emails
requireOtp: false # Require OTP before participant accesses steps
steps:
- ...
validation:
rules:
- ...
approval:
routing:
mode: first-match
routes:
- ...
fallback:
approver:
email: approvals@contoso.comworkflowType
| Value | Behaviour |
|---|---|
governance | Triggers autoValidateOnCreate, which causes validation rules to run at session creation. Used for 3-way match and compliance workflows. |
standard | Validation runs when the participant submits all steps (default). |
Steps
Each step collects a set of fields from the participant. Steps are presented sequentially; the participant must submit each step before advancing.
steps:
- id: vendor-details
title: Vendor Details
description: Enter the vendor's basic information
fields:
- key: vendor_name
label: Vendor Name
type: text
required: true
maxLength: 200
- key: vendor_email
label: Vendor Email
type: email
required: true
- key: invoice_total
label: Invoice Total (USD)
type: number
required: true
min: 0
- key: payment_terms
label: Payment Terms
type: select
required: true
options:
- label: Net 30
value: net30
- label: Net 60
value: net60
- label: Immediate
value: immediate
- key: supporting_document
label: Upload Supporting Document
type: attachment
required: false
accept: ".pdf,.docx"
maxSizeMb: 10Field Types
| Type | Description |
|---|---|
text | Single-line text input. Supports maxLength. |
textarea | Multi-line text input. Supports maxLength. |
number | Numeric input. Supports min, max. |
email | Email address with format validation. |
date | ISO 8601 date picker. |
select | Single-selection dropdown. Requires options array. |
multiselect | Multi-selection. Requires options array. |
checkbox | Boolean yes/no field. |
attachment | File upload. Stored in Blob Storage. Supports accept (MIME/extension list) and maxSizeMb. |
Validation Rules
Validation rules evaluate collected field data using boolean expressions. They run when the participant advances past the final step (or at session creation for governance type workflows).
validation:
rules:
- id: po_amount_match
description: PO amount must cover invoice total
condition: "invoice_total <= po_amount"
severity: error
message: "Invoice total exceeds the approved PO amount."
fieldKey: invoice_total
- id: gr_quantity_check
description: Goods receipt quantity check
condition: "gr_quantity >= invoice_quantity"
severity: warning
message: "Goods receipt quantity is less than invoiced quantity. Approver review recommended."
fieldKey: gr_quantity
- id: tolerance_check
description: Invoice vs PO within 5% tolerance
type: numericTolerance
condition: "invoice_total <= po_amount * 1.05"
severity: error
message: "Invoice exceeds PO amount by more than 5% tolerance."
left: { path: "invoice_total", label: "Invoice Total" }
right: { path: "po_amount", label: "PO Amount" }
tolerance:
percent: 5
expandableDetails: true
fieldKey: invoice_totalValidation Rule Properties
| Property | Type | Required | Description |
|---|---|---|---|
id | string | Yes | Stable identifier for this rule. Used in audit trails. |
description | string | No | Human-readable description (internal reference). |
condition | string | Yes | Boolean expression. Must return true to pass. Evaluated against the merged field data. |
severity | error | warning | Yes | error blocks advancement. warning is surfaced to the approver but does not block. |
message | string | Yes | Message shown to participant/approver when the rule fails. |
fieldKey | string | No | Associates the failure with a specific field for portal highlighting. |
type | string | No | Set to numericTolerance to enable comparison detail rendering. |
expandableDetails | boolean | No | When true, the portal renders an expandable variance panel. Requires left, right, and tolerance. |
Approval Routing
The approval.routing block determines which approver(s) receive the submission once validation passes.
approval:
routing:
mode: sequential # 'first-match' | 'sequential' | 'parallel'
routes:
- id: finance-lead
condition: "invoice_total > 50000"
priority: 1
description: High-value - Finance Lead approval required
approver:
email: finance-lead@contoso.com
role: Finance Lead
escalateAfterDays: 3
- id: dept-manager
priority: 2
description: Standard - Department Manager
approver:
email: dept-manager@contoso.com
role: Department Manager
escalateAfterDays: 5
fallback:
approver:
email: approvals@contoso.com
role: Default ApproverRouting Modes
| Mode | Behaviour |
|---|---|
first-match | The highest-priority route whose condition evaluates to true becomes the sole approver. Routes without a condition always match. Default when mode is absent. |
sequential | All matching routes become a chained approval sequence. Each approver must approve before the next is notified. |
parallel | All matching routes are assigned simultaneously. All must approve before the workflow advances. |
Route Properties
| Property | Type | Required | Description |
|---|---|---|---|
id | string | Yes | Stable route identifier. Used in audit trail. |
condition | string | No | Boolean expression evaluated against merged field data. Absent = always matches. |
priority | number | No | Ascending order (1 = highest). Routes without priority default to 99. |
description | string | No | Human-readable description for audit/notifications. |
approver.email | string | Yes | Approver email address. Stored as HMAC hash; not retained in plaintext. |
approver.role | string | No | Role label used in notification emails. |
approver.adGroup | string | No | Azure AD group (informational; not enforced at the routing layer). |
approver.escalateAfterDays | number | No | Days after which the workflow is auto-escalated if the approver has not responded. 0 or absent = no escalation. |
Governance Validation Page
Governance workflows (workflowType: governance) automatically inject a Governance Validation page into the sealed PDF. This page is not present for standard data-collection workflows.
The page is generated at seal time and contains four elements.
Workflow Outcome
A banner at the top of the page states the final outcome of the workflow.
| Outcome | Meaning |
|---|---|
| Approved | All error-severity rules passed. The approver approved without exception. |
| Approved with Exception | One or more error-severity rules failed. The approver reviewed the failures, provided a justification, and approved with override. |
| Rejected | The approver rejected the submission. |
Governance Validation Summary
A summary banner below the outcome shows the overall validation status and rule counts in the format: X failed · Y warning · Z passed (N total).
The status label reflects the most severe outcome.
| Status | Condition |
|---|---|
PASSED | All error-severity rules passed. Warnings may be present. |
EXCEPTION | One or more error-severity rules failed; the approver approved with justification. |
FAILED | One or more error-severity rules failed and the submission was rejected. |
Validation Rule Breakdown
A table listing every validation rule defined in the schema, with its result.
| Column | Description |
|---|---|
| Rule | The message text from the validation rule definition. |
| Result | Pass, Fail, or Warning. Failed rows are highlighted in red; warning rows in amber. |
All rules are listed regardless of outcome, providing a complete audit record of what was evaluated.
Exception Review
When the outcome is Approved with Exception, an Exception Review section is appended below the rule breakdown. This section captures the approver's justification text, the approver role, and the timestamp of the override decision. The justification is sealed into the PDF and included in the immutable audit record.
Error rules do not always block sealing
When an approver chooses to approve with exception, validation failures are overridden. The Governance Validation page records those failures permanently in the sealed PDF. The exception and justification are also captured in the WORKFLOW_SEALED audit event.
Electronic Evidence Appendix
A sealed workflow PDF can include an Electronic Evidence Appendix page, injected at seal time by the VaultWorkflow system. It is available for both standard (data-collection) and governance workflows.
Opt-in via appendElectronicEvidence
The Evidence Appendix is not generated by default. Set appendElectronicEvidence: true to enable it. This can be set in any of the following (checked in this priority order):
templateSettings.workflow.appendElectronicEvidencein thePOST /api/workflowrequest body at session creation.- A license-level feature flag.
templateSettings.workflow.appendElectronicEvidenceembedded directly in the workflow YAML schema.
{
"templateSettings": {
"workflow": {
"enabled": true,
"appendElectronicEvidence": true
}
}
}Once enabled, it cannot be selectively removed after the fact - the flag applies to the whole sealed document, and modifying a sealed PDF breaks its hash chain regardless.
What the Appendix Contains
The appendix is structured in four sections.
Evidence Details
A table of immutable identifiers and timestamps recorded at seal time.
| Field | Description |
|---|---|
| Workflow ID | Unique identifier for the workflow session. |
| Correlation ID | Caller-supplied or system-assigned correlation reference for this document. |
| Completed At | UTC timestamp of workflow completion. |
| Verification Method | Method used to verify participant identity (for example, Email Verification). |
| Approver Hash | HMAC-SHA256 hash of the approver email address. The email is not retained in plaintext. |
| Tenant ID | The VaultPDF tenant GUID that owns this workflow. |
| Evidence Generated | UTC timestamp of appendix generation. |
Participant Data
Primary participant identity information is captured within the sealed workflow content. The appendix references that content rather than duplicating it, to prevent the appendix page from exposing PII in plaintext.
Captured Attestations
Any checkbox fields collected during the workflow are reproduced in this section, showing the label and confirmed state. This provides a tamper-evident record of what the participant agreed to.
Audit and Integrity Statement
Three subsections generated by the system.
- Governance Statement. Confirms that all submitted responses were captured and sealed at the time of approval, and that the workflow was processed in accordance with the configured governance settings for the tenant.
- Immutability and Integrity. States that the document hash recorded in the audit store covers the full document, including the appendix. Any modification to the document invalidates the hash and breaks the chain of custody.
- Evidence Storage. Confirms that a
WORKFLOW_SEALEDaudit event has been persisted to the tenant-controlled immutable audit archive in Azure Blob Storage. The archive uses a time-based immutability policy. Once written, audit blocks cannot be modified, overwritten, or deleted during the retention window.
Audit Event
When a workflow is sealed, VaultWorkflow emits a WORKFLOW_SEALED event to the tenant audit archive. The event payload includes the Workflow ID, Correlation ID, Tenant ID, seal timestamp, and a reference to the sealed PDF blob. Events are append-only and subject to the tenant's configured retention policy.
Hash chain integrity
The document hash is computed over the complete sealed PDF, including the Evidence Appendix page. Any post-seal modification to the document, including adding or removing pages, produces a different hash and will fail integrity verification. Do not modify sealed PDFs.
Condition Expressions
Conditions in validation rules and routing routes are simple boolean expressions evaluated against the merged workflow data (all fields collected across all steps). Supported operators:
| Operator | Example |
|---|---|
| Comparison | invoice_total > 50000 |
| Equality | payment_terms == 'net30' |
| Inequality | vendor_country != 'US' |
| Logical AND | invoice_total > 1000 && vendor_verified == true |
| Logical OR | risk_level == 'high' || invoice_total > 100000 |
| Parentheses | (a > b) && (c == 'x') |
Field Key Naming
Field keys used in conditions must exactly match the key values defined in your step fields. Conditions referencing undefined keys evaluate to false.
API Reference
See the full HTTP endpoint reference for creating workflow sessions, submitting steps, and managing approvals.
VaultWorkflow
VaultWorkflow is a governed multi-step document workflow engine. It orchestrates structured data collection, validation, approval routing, and final PDF sealing, all within your Azure tenant.
VaultWorkflow API Reference
HTTP endpoint reference for creating workflow sessions, submitting steps, managing approvals, and querying workflow status.