DDR-03 — mcf.yaml / UCCA Engine Validation Metadata Update

Status: Design Decision Record — queues as engine brief Trigger: After B-COMP-03 is written and DDR-02 Trust Center is deployed Surface: ucca-engine — mcf.yaml + UCCA Inc engine layer Date: 19 March 2026

---

What This Is

Machine-readable validation policy metadata to be added to the UCCA engine configuration. Makes the validation logic declared at the RTOpacks surface layer portable — when UCCA Inc licences the engine to other operators, they inherit the validation policy declaration and can extend or override it for their sector.

This is infrastructure-layer work. Not a surface brief. Goes to Alex in the ucca-engine repo, not the ucca-surfaces repo.

---

mcf.yaml Addition

Add the following block to mcf.yaml in ucca-engine:

validation_logic:
  # National Register currency validation
  tga_currency_check: enabled
  aqf_level_validation: enabled
  nomenclature_standard: AQF_2026_V1
  archived_data_visibility: restricted_by_default

  # Sync metadata
  last_sync: "2026-03-05"
  sync_source: "training.gov.au"
  sync_method: "official_export"
  sync_licence: "CC BY 4.0"
  sync_licence_url: "https://creativecommons.org/licenses/by/4.0/"

  # Guardrails
  naming_integrity: enforced
  level_invention_guard: enabled
  legacy_term_catchment: enabled

  # Audit mapping
  asqa_standard_mapping:
    - standard: "Standard 1.1"
      features:
        - currency_filter
        - naming_integrity
        - level_validation
        - archived_records_warning
        - legacy_term_catchment

---

/.well-known/validation-policy.json Endpoint

Add a static JSON endpoint at rtopacks.com.au/.well-known/validation-policy.json.

This is the machine-readable version of the Trust Center page. No auth required. Public.

{
  "schema_version": "1.0",
  "platform": "RTOpacks",
  "operator": "United Central Colleges of Australia Pty Ltd",
  "abn": "59 168 872 535",
  "engine_provider": "UCCA Inc",
  "engine_standard": "UCCO v1.1 Rev2",

  "data_source": {
    "name": "National Register on Vocational Education and Training",
    "url": "https://training.gov.au",
    "licence": "CC BY 4.0",
    "licence_url": "https://creativecommons.org/licenses/by/4.0/",
    "last_sync": "2026-03-05",
    "sync_method": "official_export",
    "realtime": false
  },

  "validation_logic": {
    "tga_currency_check": "enabled",
    "aqf_level_validation": "enabled",
    "nomenclature_standard": "AQF_2026_V1",
    "archived_data_visibility": "restricted_by_default",
    "naming_integrity": "enforced",
    "level_invention_guard": "enabled",
    "legacy_term_catchment": "enabled"
  },

  "asqa_mapping": {
    "Standard 1.1": [
      "currency_filter",
      "naming_integrity",
      "level_validation",
      "archived_records_warning",
      "legacy_term_catchment"
    ]
  },

  "agentic_processing": {
    "disclosure": "indicated_in_workspace",
    "output_rights": "vest_with_user",
    "standard": "UCCO v1.1 Rev2"
  },

  "terms_url": "https://rtopacks.com.au/terms",
  "trust_url": "https://rtopacks.com.au/trust",
  "contact": "admin@rtopacks.com.au"
}

---

Why This Matters at the UCCA Inc Layer

When UCCA Inc licences the engine to other regulated sectors — biomedical, defence, aviation, financial services — each operator gets the engine with this validation policy as a baseline declaration.

They can: - Extend — add their own sector-specific validation rules (e.g., TGA therapeutic device classification check for biomedical) - Override — change restricted_by_default to visible_by_default if their sector requires full archive visibility - Inherit — run with the defaults and declare compliance against the UCCO Standard

The engine_standard: UCCO v1.1 Rev2 field is the trust anchor. Any downstream operator who publishes this JSON with that field is declaring they're running against a known, published, auditable standard. That's the UCCO network effect in machine-readable form.

---

Cloudflare Worker — Static JSON Endpoint

Add to rtopacks.com.au Workers config:

// /.well-known/validation-policy.json
export default {
  async fetch(request) {
    const url = new URL(request.url);
    if (url.pathname === '/.well-known/validation-policy.json') {
      return new Response(JSON.stringify(VALIDATION_POLICY, null, 2), {
        headers: {
          'Content-Type': 'application/json',
          'Access-Control-Allow-Origin': '*',
          'Cache-Control': 'public, max-age=86400'
        }
      });
    }
  }
}

Where VALIDATION_POLICY is the JSON object above.

---

Build Sequence Dependencies

This brief cannot drop until:

1. B-COMP-03 (Qualification Ladder) is written and the validation logic is confirmed implemented in the Composer
2. DDR-02 Trust Center (B-LEGAL-02) is deployed — the trust_url field must be live before the JSON is published
3. The last_sync date is updated — currently hardcoded to 2026-03-05. When the next National Register sync runs, this field updates.

---

Future: Automated Sync Heartbeat

When the National Register sync becomes automated (scheduled Cloudflare Worker or cron), the last_sync field in both mcf.yaml and validation-policy.json should update automatically on each successful sync.

The backup heartbeat system already live at KV namespace BACKUP_HEARTBEAT (059b78f23e2c4ab2bd9e78b7cdc6ce7d) is the model for this pattern.

---

DDR-03 · RTOpacks · 19 March 2026 Queues as engine brief · UCCA Inc