Skip to main content

Capability Evidence

All capabilities are classified with a proof status. See../ai/evidence-v1-supersession.md#manifest` for the full machine-readable manifest.

Runtime Convergence

CapabilityProof IDStatusEvidence Path
Retry-to-successPROOF-001victory-locked, local/mockruntime_convergence_evidence_pack_v1.json
CP outage/reconnectPROOF-002victory-locked, local/mockruntime/control_plane_outage_reconciliation_execution.json
DLQ exhaustionPROOF-003victory-locked, local/mockruntime/retry_exhaustion_dlq_execution.json
Duplicate/idempotencyPROOF-004victory-locked, local/mockruntime/duplicate_idempotency_execution.json
Reconnect conflictPROOF-005victory-locked, local/mockruntime/reconnect_conflict_reconciliation_execution.json
Topology driftPROOF-006victory-locked, local/mockruntime/topology_drift_convergence_execution.json
Evidence buffer flushPROOF-007victory-locked, local/mockruntime/evidence_buffer_flush_execution.json
Relay path convergencePROOF-008victory-locked, local/mockruntime/relay_path_convergence_execution.json
Failover recoveryPROOF-009victory-locked, local/mockruntime/relay_failover_recovery_execution.json
Private-edge pathPROOF-010victory-locked, local/mockruntime/private_edge_path_convergence_execution.json

Verification: make runtime-proof-replay-verify / make runtime-convergence-state-machine-check

Trust Lifecycle

CapabilityProof IDStatusEvidence Path
Enrollment happy pathTRUST-PROOF-001local/mock provensecurity/trust_enrollment_execution.json
Enrollment rejectionTRUST-PROOF-002local/mock provensecurity/trust_enrollment_rejection_execution.json
HMAC valid/invalid/stale/rotatedTRUST-PROOF-003local/mock provensecurity/hmac_trust_execution.json
mTLS/cert baselineTRUST-PROOF-004implementation_presentsecurity/mtls_cert_trust_execution.json
ZenLock secret authorityTRUST-PROOF-005local/mock provensecurity/zenlock_secret_authority_execution.json
mTLS cert rejection (5 scenarios)TRUST-PROOF-006local/mock provensecurity/mtls_cert_rejection_execution.json
Canary cert rotationTRUST-PROOF-007local/mock proven (ingester)security/canary_cert_rotation_execution.json
Trust bundle rotationTRUST-PROOF-008blocked (no implementation)security/trust_bundle_rotation_execution.json
ZenLock secret rotationTRUST-PROOF-009local/mock provensecurity/zenlock_secret_rotation_execution.json
Revocation/expiryTRUST-PROOF-010local/mock provensecurity/trust_revocation_expiry_execution.json

Verification: make trust-proof-replay-verify / make trust-lifecycle-state-machine-check

Edge Lite

CapabilityProof IDStatusEvidence PathIntegrity Root
Docker runtime wedgeH484PASScheckpoints/CHECKPOINT_H484_...edge_lite_h484_merkle.json
Real enrollment/TLS wedgeH487PASScheckpoints/CHECKPOINT_H487_...edge_lite_h487_merkle.json
Single multi-role imageH489PASScheckpoints/CHECKPOINT_H489_...edge_lite_h489_merkle.json
Ingester local intake/spoolH490PASScheckpoints/CHECKPOINT_H490_...edge_lite_h490_merkle.json
Local flow delivery loopH491PASScheckpoints/CHECKPOINT_H491_...edge_lite_h491_merkle.json
Size budgetH492PASScheckpoints/CHECKPOINT_H492_...edge_lite_h492_merkle.json
Local release bundle/UXH493PASScheckpoints/CHECKPOINT_H493_...edge_lite_h493_merkle.json
Release security policy/gatesH494PASScheckpoints/CHECKPOINT_H494_...edge_lite_h494_merkle.json
SBOM/scan gate policyH495PASScheckpoints/CHECKPOINT_H495_...edge_lite_h495_merkle.json
Signing/provenance policyH496PASScheckpoints/CHECKPOINT_H496_...edge_lite_h496_merkle.json
Real SBOM/scan/toolchainH497PASScheckpoints/CHECKPOINT_H497_...edge_lite_h497_merkle.json
Dual Helm+Docker UX contractH498PASScheckpoints/CHECKPOINT_H498_...edge_lite_h498_merkle.json
curlsh installer dry-runH499PASScheckpoints/CHECKPOINT_H499_...

Non-claims: launch_ready=false, customer_ready=false, prod_live=false, real_enrollment_implementation=false, real_saas_delivery=false, signing_executed=false, provenance_generated=false, release_gates_complete=false.

Gateway API (Local Proof)

| Capability | Proof ID | Status | Evidence Path | Integrity Root | |---|---|---|---|---|---| | MetalLB Programmed=True | H481 | PASS | checkpoints/CHECKPOINT_H481_... | gateway_api_h500_merkle.json | | Traffic proof (5/5) | H482 | PASS | checkpoints/CHECKPOINT_H482_... | gateway_api_h500_merkle.json | | Local evidence closeout | H483 | PASS | checkpoints/CHECKPOINT_H483_... | gateway_api_h500_merkle.json |

Non-claims: gateway_cloud_proof=false, production_gateway_proof=false, multicluster_gateway=false, customer_ready=false, prod_live=false, zero_trust_complete=false.

Public Trust & Evidence Pack

A buyer-readable summary of all Edge Lite and Gateway API evidence../ai/evidence-v1-supersession.md#non-claims, and launch blockers is available in the zen-platform repository:

Evidence Support

ArtifactDescriptionPath
Runtime evidence pack10 proofs consolidatedruntime/runtime_convergence_evidence_pack_v1.json
Runtime replay verifierValidates all 10 proofsscripts/validation/runtime_proof_replay_verify.py
Runtime state machines4 machines (delivery, CP, topology, buffer)runtime/runtime_convergence_state_machine.json
Trust evidence packTrust proofs consolidatedsecurity/trust_lifecycle_evidence_pack_v1.json
Trust replay verifierValidates all trust proofsscripts/validation/trust_proof_replay_verify.py
Trust state machines4 machines (enrollment, cert, HMAC, secret)security/trust_lifecycle_state_machine.json
Zero-trust proof matrix12 scoped claim rowssecurity/zero_trust_proof_matrix.json
Trust lifecycle evidence map17 capabilitiessecurity/trust_lifecycle_evidence_map.json
Claims guard0 critical overclaimsscripts/validation/runtime_claims_guard.py

All paths are relative to zen-platform/docs/80-EVIDENCE/.