{
  "schema_version": "1.1.0",
  "document": "attack-model",
  "last_updated": "2026-07-04",
  "claim_maturity_index": "https://docs.zen-mesh.io/ai/security/v1/claim-maturity.json",
  "readiness_scope": "Sandbox/local validation unless an entry cites public_evidence_ref. Production-live cloud deployment is tracked separately.",
  "narrative_vs_proof": "Blogs and narrative-context are narrative_context only \u2014 not proof.",
  "threat_model_split": {
    "saas_origin_dispatch": "Outbound URL fetch from control plane to customer-configured targets \u2014 SSRF and redirect abuse apply here.",
    "private_edge_delivery": "Ingester \u2192 egress \u2192 private target \u2014 distinct trust boundary; does not substitute for SaaS dispatch SSRF controls."
  },
  "maturity_legend": [
    "WIRED",
    "AUTOMATED_TESTED",
    "E2E_VALIDATED",
    "NOT_E2E_VALIDATED",
    "BACKLOG",
    "NOT_CLAIMED"
  ],
  "entries": [
    {
      "id": "ATK-SSRF-SAAS-DISPATCH",
      "threat": "Server-side request forgery via SaaS-origin delivery worker fetching attacker-influenced URLs",
      "affected_surface": "saas_origin_dispatch",
      "claim_maturity": "BACKLOG",
      "related_primitive_ref": "PRIM-SSRF-SAAS-DISPATCH",
      "helps_prevent": [
        "Scoped SSRF on FLOW-03 proxy-mode ServiceRef path (local/mock validated)",
        "Scoped SSRF on FLOW-02 egress target validation path",
        "Redirect-chain restrictions on webhook dispatch path"
      ],
      "helps_detect": [],
      "does_not_prevent": [
        "SSRF to internal networks",
        "SSRF via redirect chains",
        "SaaS-wide control-plane dispatch SSRF",
        "Provider dispatcher SSRF (Splunk/Grafana/PagerDuty/Teams/Git)"
      ],
      "validation_level": "Central SSRF validation library (ValidateTargetURL + SSRFDialContext) tested with 409-line negative suite. FLOW-03 proxy-mode ServiceRef path validated local/mock (H569/H574). BFF internal client hardened. SaaS-wide API dispatch and most shared client libraries not yet validated.",
      "current_limitation": "Scoped SSRF controls exist on FLOW-02/03 dispatch paths. SaaS-wide (control-plane dispatch, provider dispatchers) is not yet validated.",
      "public_evidence_ref": null,
      "roadmap_ref": "WH-AS-001",
      "public_safe_summary": "Scoped SSRF controls exist for FLOW-02/03 dispatch paths. SaaS-wide dispatch SSRF is backlog \u2014 do not use SSRF-safe wording."
    },
    {
      "id": "ATK-EDGE-THREAT-MODEL-CONFUSION",
      "threat": "Conflating private edge delivery with SaaS URL-fetch SSRF controls",
      "affected_surface": "documentation",
      "claim_maturity": "WIRED",
      "related_primitive_ref": "PRIM-OUTBOUND-ONLY-EDGE",
      "helps_prevent": [
        "Mis-scoped claims that treat edge hardening as SSRF mitigation"
      ],
      "helps_detect": [],
      "does_not_prevent": [
        "Actual SSRF on SaaS dispatch"
      ],
      "validation_level": "Documented split in this attack-model file",
      "current_limitation": "Deeper architecture cross-links still maturing",
      "public_evidence_ref": "https://docs.zen-mesh.io/ai/security/v1/attack-model.json",
      "roadmap_ref": "WH-AS-002",
      "public_safe_summary": "Edge delivery and SaaS dispatch use different threat models."
    },
    {
      "id": "ATK-MITM-TRANSIT",
      "threat": "Man-in-the-middle on TLS paths",
      "affected_surface": "control_plane_and_data_plane",
      "claim_maturity": "NOT_E2E_VALIDATED",
      "related_primitive_ref": "PRIM-MTLS-AGENT-SAAS",
      "helps_prevent": [
        "Passive eavesdropping where mTLS enforced"
      ],
      "helps_detect": [],
      "does_not_prevent": [
        "MITM without TLS",
        "All paths covered"
      ],
      "validation_level": "Mock-validated mTLS on documented agent routes",
      "current_limitation": "Not e2e-validated on every path",
      "public_evidence_ref": "https://docs.zen-mesh.io/ai/security/v1/security-capability-validation.json",
      "roadmap_ref": null,
      "public_safe_summary": "mTLS is wired and mock-tested on agent routes \u2014 not production-live everywhere."
    },
    {
      "id": "ATK-FORGED-INGEST",
      "threat": "Forged webhook ingestion without valid signatures",
      "affected_surface": "ingestion",
      "claim_maturity": "AUTOMATED_TESTED",
      "related_primitive_ref": "PRIM-PROVIDER-SIGNATURE",
      "helps_prevent": [
        "Casual forged payloads on configured provider paths in mock scope"
      ],
      "helps_detect": [],
      "does_not_prevent": [
        "Unconfigured sources",
        "Stolen secrets",
        "Replay outside dedup"
      ],
      "validation_level": "Wedge Stripe path PROVEN local_mock; HMAC on agent routes",
      "current_limitation": "Per-source and environment dependent",
      "public_evidence_ref": "https://docs.zen-mesh.io/ai/evidence/v1/wedge-claim-map.json",
      "roadmap_ref": null,
      "public_safe_summary": "Signatures are tested on configured wedge paths \u2014 not all sources or production-live."
    },
    {
      "id": "ATK-WORKLOAD-IMPERSONATION",
      "threat": "Workload impersonation",
      "affected_surface": "control_plane_enrollment",
      "claim_maturity": "NOT_E2E_VALIDATED",
      "related_primitive_ref": "PRIM-SPIFFE-SPIRE-NATIVE-INTERNAL",
      "helps_prevent": [
        "Impersonation on SPIFFE-verified connections"
      ],
      "helps_detect": [],
      "does_not_prevent": [
        "Workloads without SPIRE",
        "SVID rotation proof"
      ],
      "validation_level": "SPIFFE wired where deployed",
      "current_limitation": "Partial SPIFFE coverage",
      "public_evidence_ref": "https://docs.zen-mesh.io/ai/security/v1/security-capability-validation.json",
      "roadmap_ref": null,
      "public_safe_summary": "SPIFFE used where implemented \u2014 not everywhere or rotation-proven."
    },
    {
      "id": "ATK-TENANT-CROSS-ACCESS",
      "threat": "Cross-tenant data access",
      "affected_surface": "saas_control_plane",
      "claim_maturity": "WIRED",
      "related_primitive_ref": "PRIM-RLS-TENANT",
      "helps_prevent": [
        "Some cross-tenant SQL on RLS tables"
      ],
      "helps_detect": [],
      "does_not_prevent": [
        "App-layer bugs",
        "Cache leaks"
      ],
      "validation_level": "RLS in schema \u2014 no public fuzz e2e",
      "current_limitation": "Not isolation certification",
      "public_evidence_ref": "https://docs.zen-mesh.io/ai/evidence/v1/manifest.json",
      "roadmap_ref": null,
      "public_safe_summary": "RLS is defense-in-depth \u2014 not enterprise isolation proof."
    },
    {
      "id": "ATK-REPLAY-DUPLICATE-DELIVERY",
      "threat": "Replay or duplicate delivery",
      "affected_surface": "delivery",
      "claim_maturity": "AUTOMATED_TESTED",
      "related_primitive_ref": "PRIM-IDEMPOTENCY-DEDUP",
      "helps_prevent": [],
      "helps_detect": [
        "Duplicate attempts within idempotency window in mock scenarios"
      ],
      "does_not_prevent": [
        "Exactly-once",
        "Replay outside window",
        "Replay-proof delivery"
      ],
      "validation_level": "Manifest victory_locked duplicate-idempotency scenario",
      "current_limitation": "At-least-once with dedup \u2014 not replay prevention",
      "public_evidence_ref": "https://docs.zen-mesh.io/ai/evidence/v1/manifest.json",
      "roadmap_ref": null,
      "public_safe_summary": "Idempotency helps detect/limit duplicates in tested scenarios \u2014 not replay-proof."
    },
    {
      "id": "ATK-LARGE-PAYLOAD-DOS",
      "threat": "Large payload DoS",
      "affected_surface": "ingestion",
      "claim_maturity": "BACKLOG",
      "related_primitive_ref": "PRIM-PAYLOAD-POINTER",
      "helps_prevent": [],
      "helps_detect": [],
      "does_not_prevent": [
        "Memory or storage exhaustion from huge bodies"
      ],
      "validation_level": "Pointer model not implemented",
      "current_limitation": "Ad hoc limits only",
      "public_evidence_ref": null,
      "roadmap_ref": "WH-AS-003",
      "public_safe_summary": "Large payload pointer model is backlog."
    },
    {
      "id": "ATK-JSON-PARSER-BOMB",
      "threat": "JSON parser bomb / malformed payload DoS",
      "affected_surface": "ingestion",
      "claim_maturity": "BACKLOG",
      "related_primitive_ref": "PRIM-INGEST-VALIDATION",
      "helps_prevent": [],
      "helps_detect": [],
      "does_not_prevent": [
        "Deep JSON",
        "Content-type abuse"
      ],
      "validation_level": "Post-V1 backlog",
      "current_limitation": "No global evidenced parser limits",
      "public_evidence_ref": null,
      "roadmap_ref": "WH-AS-004",
      "public_safe_summary": "Parser limits are backlog \u2014 not immunity."
    },
    {
      "id": "ATK-RESPONSE-BODY-FLOOD",
      "threat": "Target response body flood in logs/storage",
      "affected_surface": "delivery_observability",
      "claim_maturity": "BACKLOG",
      "related_primitive_ref": "PRIM-RESPONSE-TRUNCATION",
      "helps_prevent": [],
      "helps_detect": [],
      "does_not_prevent": [
        "Secret leakage in stored responses"
      ],
      "validation_level": "Not contract-proven",
      "current_limitation": "Full bodies may be stored on some paths",
      "public_evidence_ref": null,
      "roadmap_ref": "WH-AS-006",
      "public_safe_summary": "Response truncation is backlog."
    },
    {
      "id": "ATK-SENSITIVE-HEADER-LEAK",
      "threat": "Sensitive headers in persisted logs",
      "affected_surface": "delivery_observability",
      "claim_maturity": "BACKLOG",
      "related_primitive_ref": "PRIM-HEADER-SANITIZATION",
      "helps_prevent": [],
      "helps_detect": [],
      "does_not_prevent": [
        "Credential leakage in logs"
      ],
      "validation_level": "Post-V1 backlog",
      "current_limitation": "Do not claim headers never logged",
      "public_evidence_ref": null,
      "roadmap_ref": "WH-AS-007",
      "public_safe_summary": "Header sanitization is backlog."
    },
    {
      "id": "ATK-REDIRECT-CHAIN-SSRF",
      "threat": "Redirect-chain SSRF on dispatch",
      "affected_surface": "saas_origin_dispatch",
      "claim_maturity": "BACKLOG",
      "related_primitive_ref": "PRIM-REDIRECT-REVALIDATION",
      "helps_prevent": [],
      "helps_detect": [],
      "does_not_prevent": [
        "Redirect to internal URLs"
      ],
      "validation_level": "Not implemented",
      "current_limitation": "No hop limit proof",
      "public_evidence_ref": null,
      "roadmap_ref": "WH-AS-008",
      "public_safe_summary": "Redirect controls are backlog."
    },
    {
      "id": "ATK-RATE-ABUSE-INGEST",
      "threat": "Ingestion rate abuse",
      "affected_surface": "ingestion",
      "claim_maturity": "NOT_E2E_VALIDATED",
      "related_primitive_ref": "PRIM-SOURCE-RATE-LIMIT",
      "helps_prevent": [],
      "helps_detect": [
        "Some tenant-level throttling where configured"
      ],
      "does_not_prevent": [
        "Per-source floods",
        "DDoS-scale abuse"
      ],
      "validation_level": "Tenant limits wired in places; per-source backlog",
      "current_limitation": "Not DDoS-proof",
      "public_evidence_ref": null,
      "roadmap_ref": "WH-AS-005",
      "public_safe_summary": "Per-source rate limits are backlog; tenant limits are not DDoS proof."
    }
  ]
}