Skip to main content

Concepts Glossary

Three-Plane Model

The Zen Mesh architecture separates control (SaaS), data (edge), and customer planes. See Three Plane Model.

mTLS (Mutual TLS)

Both client and server verify each other's certificates. Required on internal Zen Mesh paths. See TRUST-PROOF-004/006.

HMAC-SHA256

Message authentication code for payload integrity. Prevents tampering and verifies source. Proven in TRUST-PROOF-003.

SPIFFE/SPIRE

SPIFFE provides workload identity via URI SAN in mTLS certs. SPIRE-based SVID rotation is planned (TD-011).

ZenLock

Ciphertext-only secret management via Kubernetes CRDs. Proven in TRUST-PROOF-005/009.

Enrollment

Process of registering a K8s cluster via age-encrypted bundle + zen-agent. Proven in TRUST-PROOF-001/002.

Delivery Modes

  • Direct: Standard delivery — destination reachable from data plane
  • Standard delivery: Default delivery mode — the destination is reachable from the selected Zen Mesh data plane (maps to transport.mode=direct)
  • Outbound-only private delivery: Delivery mode for destinations behind NAT/firewall — an enrolled edge adapter maintains an outbound relay connection (maps to transport.mode=relay)

Proven in PROOF-001/008/009/010.

Evidence Pack

Consolidated machine-readable JSON with proof status and evidence refs. One per domain (runtime, trust). See Non-Claims.

Victory Lock

A commit-pinned proof artifact that records scenario, evidence refs, validation commands, and non-claims boundaries.

Proof Ledger

Index of all proofs with status, scenario, and evidence file paths.

Replay Verifier

Validator script that checks all proof artifacts, ledgers, claims guard, and blocker state.