{
  "schema_version": "1.1.0",
  "document": "attack-model",
  "last_updated": "2026-05-30",
  "claim_maturity_index": "https://docs.zen-mesh.io/ai/security/v1/claim-maturity.json",
  "readiness_scope": "DEMO and local/mock/sandbox unless an entry cites public_evidence_ref. Not production-live, not customer-ready, not global demo-ready.",
  "narrative_vs_proof": "Blogs and narrative-context are narrative_context only — not proof.",
  "threat_model_split": {
    "saas_origin_dispatch": "Outbound URL fetch from control plane to customer-configured targets — SSRF and redirect abuse apply here.",
    "private_edge_delivery": "Ingester → egress → private target — distinct trust boundary; does not substitute for SaaS dispatch SSRF controls."
  },
  "maturity_legend": ["WIRED", "AUTOMATED_TESTED", "E2E_VALIDATED", "NOT_E2E_VALIDATED", "BACKLOG", "NOT_CLAIMED"],
  "entries": [
    {
      "id": "ATK-SSRF-SAAS-DISPATCH",
      "threat": "Server-side request forgery via SaaS-origin delivery worker fetching attacker-influenced URLs",
      "affected_surface": "saas_origin_dispatch",
      "claim_maturity": "BACKLOG",
      "related_primitive_ref": "PRIM-SSRF-SAAS-DISPATCH",
      "helps_prevent": [],
      "helps_detect": [],
      "does_not_prevent": ["SSRF to internal networks", "SSRF via redirect chains"],
      "validation_level": "Webhook-security gates only — not SSRF contract",
      "current_limitation": "Not SSRF-protected",
      "public_evidence_ref": null,
      "roadmap_ref": "WH-AS-001",
      "public_safe_summary": "SaaS dispatch SSRF controls are backlog — do not use SSRF-safe wording."
    },
    {
      "id": "ATK-EDGE-THREAT-MODEL-CONFUSION",
      "threat": "Conflating private edge delivery with SaaS URL-fetch SSRF controls",
      "affected_surface": "documentation",
      "claim_maturity": "WIRED",
      "related_primitive_ref": "PRIM-OUTBOUND-ONLY-EDGE",
      "helps_prevent": ["Mis-scoped claims that treat edge hardening as SSRF mitigation"],
      "helps_detect": [],
      "does_not_prevent": ["Actual SSRF on SaaS dispatch"],
      "validation_level": "Documented split in this attack-model file",
      "current_limitation": "Deeper architecture cross-links still maturing",
      "public_evidence_ref": "https://docs.zen-mesh.io/ai/security/v1/attack-model.json",
      "roadmap_ref": "WH-AS-002",
      "public_safe_summary": "Edge delivery and SaaS dispatch use different threat models."
    },
    {
      "id": "ATK-MITM-TRANSIT",
      "threat": "Man-in-the-middle on TLS paths",
      "affected_surface": "control_plane_and_data_plane",
      "claim_maturity": "NOT_E2E_VALIDATED",
      "related_primitive_ref": "PRIM-MTLS-AGENT-SAAS",
      "helps_prevent": ["Passive eavesdropping where mTLS enforced"],
      "helps_detect": [],
      "does_not_prevent": ["MITM without TLS", "All paths covered"],
      "validation_level": "Mock-validated mTLS on documented agent routes",
      "current_limitation": "Not e2e-validated on every path",
      "public_evidence_ref": "https://docs.zen-mesh.io/ai/security/v1/security-capability-validation.json",
      "roadmap_ref": null,
      "public_safe_summary": "mTLS is wired and mock-tested on agent routes — not production-live everywhere."
    },
    {
      "id": "ATK-FORGED-INGEST",
      "threat": "Forged webhook ingestion without valid signatures",
      "affected_surface": "ingestion",
      "claim_maturity": "AUTOMATED_TESTED",
      "related_primitive_ref": "PRIM-PROVIDER-SIGNATURE",
      "helps_prevent": ["Casual forged payloads on configured provider paths in mock scope"],
      "helps_detect": [],
      "does_not_prevent": ["Unconfigured sources", "Stolen secrets", "Replay outside dedup"],
      "validation_level": "Wedge Stripe path PROVEN local_mock; HMAC on agent routes",
      "current_limitation": "Per-source and environment dependent",
      "public_evidence_ref": "https://docs.zen-mesh.io/ai/evidence/v1/wedge-claim-map.json",
      "roadmap_ref": null,
      "public_safe_summary": "Signatures are tested on configured wedge paths — not all sources or production-live."
    },
    {
      "id": "ATK-WORKLOAD-IMPERSONATION",
      "threat": "Workload impersonation",
      "affected_surface": "control_plane_enrollment",
      "claim_maturity": "NOT_E2E_VALIDATED",
      "related_primitive_ref": "PRIM-SPIFFE-SPIRE",
      "helps_prevent": ["Impersonation on SPIFFE-verified connections"],
      "helps_detect": [],
      "does_not_prevent": ["Workloads without SPIRE", "SVID rotation proof"],
      "validation_level": "SPIFFE wired where deployed",
      "current_limitation": "Partial SPIFFE coverage",
      "public_evidence_ref": "https://docs.zen-mesh.io/ai/security/v1/security-capability-validation.json",
      "roadmap_ref": null,
      "public_safe_summary": "SPIFFE used where implemented — not everywhere or rotation-proven."
    },
    {
      "id": "ATK-TENANT-CROSS-ACCESS",
      "threat": "Cross-tenant data access",
      "affected_surface": "saas_control_plane",
      "claim_maturity": "WIRED",
      "related_primitive_ref": "PRIM-RLS-TENANT",
      "helps_prevent": ["Some cross-tenant SQL on RLS tables"],
      "helps_detect": [],
      "does_not_prevent": ["App-layer bugs", "Cache leaks"],
      "validation_level": "RLS in schema — no public fuzz e2e",
      "current_limitation": "Not isolation certification",
      "public_evidence_ref": "https://docs.zen-mesh.io/ai/evidence/v1/manifest.json",
      "roadmap_ref": null,
      "public_safe_summary": "RLS is defense-in-depth — not enterprise isolation proof."
    },
    {
      "id": "ATK-REPLAY-DUPLICATE-DELIVERY",
      "threat": "Replay or duplicate delivery",
      "affected_surface": "delivery",
      "claim_maturity": "AUTOMATED_TESTED",
      "related_primitive_ref": "PRIM-IDEMPOTENCY-DEDUP",
      "helps_prevent": [],
      "helps_detect": ["Duplicate attempts within idempotency window in mock scenarios"],
      "does_not_prevent": ["Exactly-once", "Replay outside window", "Replay-proof delivery"],
      "validation_level": "Manifest victory_locked duplicate-idempotency scenario",
      "current_limitation": "At-least-once with dedup — not replay prevention",
      "public_evidence_ref": "https://docs.zen-mesh.io/ai/evidence/v1/manifest.json",
      "roadmap_ref": null,
      "public_safe_summary": "Idempotency helps detect/limit duplicates in tested scenarios — not replay-proof."
    },
    {
      "id": "ATK-LARGE-PAYLOAD-DOS",
      "threat": "Large payload DoS",
      "affected_surface": "ingestion",
      "claim_maturity": "BACKLOG",
      "related_primitive_ref": "PRIM-PAYLOAD-POINTER",
      "helps_prevent": [],
      "helps_detect": [],
      "does_not_prevent": ["Memory or storage exhaustion from huge bodies"],
      "validation_level": "Pointer model not implemented",
      "current_limitation": "Ad hoc limits only",
      "public_evidence_ref": null,
      "roadmap_ref": "WH-AS-003",
      "public_safe_summary": "Large payload pointer model is backlog."
    },
    {
      "id": "ATK-JSON-PARSER-BOMB",
      "threat": "JSON parser bomb / malformed payload DoS",
      "affected_surface": "ingestion",
      "claim_maturity": "BACKLOG",
      "related_primitive_ref": "PRIM-INGEST-VALIDATION",
      "helps_prevent": [],
      "helps_detect": [],
      "does_not_prevent": ["Deep JSON", "Content-type abuse"],
      "validation_level": "Post-V1 backlog",
      "current_limitation": "No global evidenced parser limits",
      "public_evidence_ref": null,
      "roadmap_ref": "WH-AS-004",
      "public_safe_summary": "Parser limits are backlog — not immunity."
    },
    {
      "id": "ATK-RESPONSE-BODY-FLOOD",
      "threat": "Target response body flood in logs/storage",
      "affected_surface": "delivery_observability",
      "claim_maturity": "BACKLOG",
      "related_primitive_ref": "PRIM-RESPONSE-TRUNCATION",
      "helps_prevent": [],
      "helps_detect": [],
      "does_not_prevent": ["Secret leakage in stored responses"],
      "validation_level": "Not contract-proven",
      "current_limitation": "Full bodies may be stored on some paths",
      "public_evidence_ref": null,
      "roadmap_ref": "WH-AS-006",
      "public_safe_summary": "Response truncation is backlog."
    },
    {
      "id": "ATK-SENSITIVE-HEADER-LEAK",
      "threat": "Sensitive headers in persisted logs",
      "affected_surface": "delivery_observability",
      "claim_maturity": "BACKLOG",
      "related_primitive_ref": "PRIM-HEADER-SANITIZATION",
      "helps_prevent": [],
      "helps_detect": [],
      "does_not_prevent": ["Credential leakage in logs"],
      "validation_level": "Post-V1 backlog",
      "current_limitation": "Do not claim headers never logged",
      "public_evidence_ref": null,
      "roadmap_ref": "WH-AS-007",
      "public_safe_summary": "Header sanitization is backlog."
    },
    {
      "id": "ATK-REDIRECT-CHAIN-SSRF",
      "threat": "Redirect-chain SSRF on dispatch",
      "affected_surface": "saas_origin_dispatch",
      "claim_maturity": "BACKLOG",
      "related_primitive_ref": "PRIM-REDIRECT-REVALIDATION",
      "helps_prevent": [],
      "helps_detect": [],
      "does_not_prevent": ["Redirect to internal URLs"],
      "validation_level": "Not implemented",
      "current_limitation": "No hop limit proof",
      "public_evidence_ref": null,
      "roadmap_ref": "WH-AS-008",
      "public_safe_summary": "Redirect controls are backlog."
    },
    {
      "id": "ATK-RATE-ABUSE-INGEST",
      "threat": "Ingestion rate abuse",
      "affected_surface": "ingestion",
      "claim_maturity": "NOT_E2E_VALIDATED",
      "related_primitive_ref": "PRIM-SOURCE-RATE-LIMIT",
      "helps_prevent": [],
      "helps_detect": ["Some tenant-level throttling where configured"],
      "does_not_prevent": ["Per-source floods", "DDoS-scale abuse"],
      "validation_level": "Tenant limits wired in places; per-source backlog",
      "current_limitation": "Not DDoS-proof",
      "public_evidence_ref": null,
      "roadmap_ref": "WH-AS-005",
      "public_safe_summary": "Per-source rate limits are backlog; tenant limits are not DDoS proof."
    }
  ]
}