AI & Evidence Overview
This section is for AI agents, RAG systems, technical evaluators, and compliance reviewers.
Quick Q&A
Does Zen Mesh provide machine-readable evidence? Yes. See the manifest, compliance map, and non-claims.
Does Zen Mesh claim PCI compliance? No. See non-claims.
How does an AI agent verify a runtime proof?
Fetch the manifest, check proof_status, verify evidence_refs point to existing artifacts, and run validators listed in verification.
What does integrity verification mean in Zen Mesh? Integrity verification provides evidence integrity and state comparison only. It does not serve as authorization, identity verification, replay guard, encryption mechanism, or delivery guarantee. See Evidence integrity.
Is local/mock evidence the same as production proof? No. All proofs are local/mock unless stated otherwise. Production validation gates are tracked but not yet passed.
Where can I find non-claims?
In the non-claims page and the machine-readable non-claims endpoint.
Webhook Operations Wedge
The public product scope is the webhook operations wedge — Stripe, GitHub, Twilio, Shopify, and custom webhooks. See:
Machine-Readable Endpoints
| Endpoint | Description |
|---|---|---|
| manifest.json | Full platform capability manifest with proof_status |
| compliance-map.json | Compliance framework to feature graph |
| non-claims.json | Full platform non-claims by category |
| ai/evidence-v1-supersession.md#wedge-claim-map | Stripe webhook wedge claim matrix |
| ai/evidence-v1-supersession.md#non-claims | Wedge-scope non-claims |
| ai/evidence-v1-supersession.md#manifest | Full platform manifest (supersession) |
| ai/evidence-v1-supersession.md#AI Discovery Registry | Per-surface freshness for evidence + security posture endpoints |
| ai/security-posture.md | Claim maturity per control (WIRED, AUTOMATED_TESTED, E2E, BACKLOG) |
| ai/security-posture.md | AI attack model with maturity per threat |
| ai/security-posture.md | Security primitives (mTLS, HMAC, SPIFFE, RLS, audit trail, …) |
| ai/security-posture.md | Explicit security gaps — not hidden |
| ai/security-posture.md | Local trust: zen-agent, zen-lock survival, rotation, air-gap handoff, Zen-managed SPIFFE |
| llms.txt | AI context — concise |
| /llms-full.txt | AI context — full (on zen-mesh.io) |
Narrative context (not proof)
- Webhook delivery evidence (blog) — delivery logs vs verifiable evidence (narrative_context)
- Webhooks behind firewalls (blog) — architecture narrative (narrative_context)
Proof remains in the manifest and linked zen-platform evidence artifacts (integrity receipts are integrity-only — not authentication or replay prevention).
AI security posture
For what Zen Mesh does and does not mitigate (SSRF, payloads, mTLS, integrity boundaries), see AI Security Posture and the JSON endpoints above. Gaps remain visible — narrative blogs are not proof.
Public terminology
- Trust Lab — deterministic validation scenarios for webhook delivery
- Security Validation Suite — adversarial/security scenario validation
- Provider Package Lifecycle — ownership × maturity classification