Skip to main content

Webhook Operations Wedge — Evidence Overview

Zen helps teams receive, validate, observe, and operate webhooks across Stripe, GitHub, Twilio, Shopify, and custom sources.

Current Readiness: DEMO

All evidence is local/demo/sandbox only. Not customer-ready or production-live.

What Is Proven

CapabilityStatusProof Scope
Stripe webhook ingestionPROVENlocal/mock
GitHub webhook ingestionPROVENlocal/mock
Twilio webhook ingestionPROVENlocal/mock
Shopify webhook ingestionPROVENlocal/mock
Custom webhook ingestionPROVENlocal/mock
Delivery attempt recording and outcomesPROVENlocal/mock
Retry with DLQ exhaustion routingPROVENlocal/mock
Duplicate detection via idempotency keysPROVENlocal/mock
mTLS on internal pathsPROVENlocal/mock
HMAC payload verification with replay protectionPROVENlocal/mock
Machine-readable evidence with integrityPROVENlocal/mock
SPIFFE/SPIRE identity for workload authPROVENlocal/mock

What Is Partial / Planned

CapabilityStatusLimitation
Compliance control mappingPARTIALInternal readiness only; no certification
UI route quality and delivery dashboardPARTIALRoute UI exists; dashboard planned

What Is Not Claimed

  • Not production-live or customer-ready
  • No public edge/mesh/relay capability claim
  • No exactly-once or zero-loss delivery guarantee
  • No compliance certification
  • SVID rotation not yet automated
  • Custom webhook support does not imply every provider-specific signature scheme is implemented

Machine-Readable Endpoints

EndpointDescription
ai/evidence-v1-supersession.md#wedge-claim-mapStructured claim matrix (webhook wedge)
ai/evidence-v1-supersession.md#non-claimsExplicit non-claims for wedge scope
ai/evidence-v1-supersession.md#manifestFull platform manifest

Security Posture

  • mTLS: Enforced on internal paths
  • HMAC-SHA256: Payload verification with nonce-based replay protection
  • SPIFFE/SPIRE: Workload identity for service auth (SVID rotation not yet automated)
  • Machine-readable evidence: Delivery outcomes recorded with integrity verification

Test Methodology

All proofs are tested in a local mock harness with deterministic scenarios. See the verification guide for how to validate evidence.

Known Limitations

  • No real webhook event validated on a cloud deployment
  • Custom webhook signature schemes are provider-specific
  • Comprehensive delivery status dashboard is planned
  • Full SPIRE Workload API SVID rotation is post-V1 (file-based X.509 SVID lifecycle is implemented via cert-manager)