Security Validation Suite

The Security Validation Suite (also referred to as the Negative Security Test Suite) validates that Zen Mesh security controls correctly reject, detect, or handle adversarial inputs and boundary conditions.

Structure

Every scenario follows a consistent schema:

| Field | Description |
|---|---|
| Scenario / Attack | What is being tested |
| Result | Accepted, Rejected, or Detected |
| Why Rejected / Detected | The control or mechanism that produced the result |
| Evidence Artifact | Where the result is recorded |
| Operator Visibility | How an operator can observe the result |

Scenarios

Authentication and Integrity

| Scenario | Expected Result | Control |
|---|---|---|
| Invalid HMAC signature | Rejected | Signature verification rejects payload |
| Missing signature header | Rejected | Required header validation |
| Expired timestamp / stale nonce | Rejected | Replay protection (timestamp window + nonce tracking) |
| Replayed payload with valid signature | Detected / Rejected | Nonce deduplication |
| Payload tampering after signature | Rejected | HMAC covers full payload |
| Unknown provider endpoint | Rejected | Provider routing validation |
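
The following is an added example, not Zen Mesh code: a minimal verifier that returns the Result and Control values for the Authentication and Integrity scenarios above. The signing format (HMAC-SHA256 over `timestamp.nonce.body`), the 300-second window, the secret, and every function and class name are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Assumed values: the page does not state the real signing scheme,
# window size, or secret handling. All of these are constructed.
SECRET = b"constructed-test-secret"
WINDOW_SECONDS = 300
KNOWN_PROVIDERS = {"stripe", "github", "shopify", "twilio", "custom"}


def sign(secret, timestamp, nonce, body):
    """HMAC-SHA256 over timestamp, nonce and the full body bytes."""
    msg = f"{timestamp}.{nonce}.".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Verifier:
    def __init__(self, secret, window=WINDOW_SECONDS):
        self.secret = secret
        self.window = window
        self.seen = {}  # nonce -> signed timestamp

    def check(self, provider, timestamp, nonce, signature, body, now=None):
        """Return (result, control) in the shape of the scenario table."""
        now = time.time() if now is None else now
        if provider not in KNOWN_PROVIDERS:
            return ("Rejected", "Provider routing validation")
        if not signature:
            return ("Rejected", "Required header validation")
        expected = sign(self.secret, timestamp, nonce, body)
        # Constant-time comparison: do not leak how many bytes matched.
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return ("Rejected", "Signature verification rejects payload")
        if abs(now - timestamp) > self.window:
            return ("Rejected", "Replay protection (timestamp window)")
        # The nonce store is touched only after the signature verified, so
        # unauthenticated senders cannot fill it. Entries are pruned once
        # their timestamp would fail the window check anyway.
        self.seen = {n: t for n, t in self.seen.items()
                     if now - t <= self.window}
        if nonce in self.seen:
            return ("Rejected", "Nonce deduplication")
        self.seen[nonce] = timestamp
        return ("Accepted", "All checks passed")
```

Because the timestamp and nonce are inside the signed message, changing either one fails signature verification before the replay checks run.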

Authorization and Identity

| Scenario | Expected Result | Control |
|---|---|---|
| Request from IP outside allowlist | Rejected | IP allowlisting (deny-by-default) |
| Request without valid bearer token | Rejected | Bearer token validation |
| Request with expired API key | Rejected | API key validation |
| Cross-tenant delivery target | Rejected | Tenant isolation / RLS |
| Unauthorized delivery endpoint | Rejected | Target authentication |

2FA/MFA Authentication

| Scenario | Expected Result | V1 Status | Notes |
|---|---|---|---|
| Local login with 2FA enabled | TWO_FACTOR_REQUIRED (403) | V1_BLOCKER pending R22 | Route returns 403 until 2FA completed |
| TOTP enrollment | Seed provisioned | V1_BLOCKER pending R22 | Sandbox-safe seed path required for testing |
| Invalid OTP verification | Rejected (401) | V1_BLOCKER pending R22 | Deterministic OTP validation |
| Valid OTP verification | Authenticated (200) | V1_BLOCKER pending R22 | Session/token issued after 2FA |
| /me after 2FA | Route accessible | V1_BLOCKER pending R22 | Proves auth session carries 2FA context |
| Authenticated routes after 2FA | Full route matrix accessible | V1_BLOCKER pending R22 | All V1 routes pass auth gate |
| 2FA audit event emission | Event recorded | V1_BLOCKER pending R22 | Enrollment/success/failure events |
| OIDC IdP MFA (when configured) | Delegated to IdP | V1_PARTIAL | Must be documented; no app-level MFA for OIDC V1 |

These scenarios are V1_BLOCKER until Hermes R22 proves end-to-end enrollment, verification, and route acceptance after 2FA. Do not claim 2FA is complete until all scenarios pass with runtime evidence.

Schema and Input Validation

| Scenario | Expected Result | Control |
|---|---|---|
| Malformed JSON payload | Rejected | Schema validation |
| Missing required event fields | Rejected | Required field validation |
| Unknown event type | Rejected | Event type validation |
| Oversized payload (>1 MB Pro, >256 KB Free) | Rejected | Payload size limits |
| Invalid content-type header | Rejected | Content-type validation |

Delivery and Reliability

| Scenario | Expected Result | Control |
|---|---|---|
| Delivery endpoint unreachable | Detected | Retry with DLQ exhaustion |
| Delivery endpoint returns 5xx | Detected | Retry with exponential backoff |
| Duplicate delivery request | Detected | Idempotency key matching |
| Delivery timeout | Detected | Delivery timeout enforcement |

Infrastructure and Connectivity

| Scenario | Expected Result | Control |
|---|---|---|
| Edge Lite agent network disconnect | Detected | Agent heartbeat / reconnect |
| mTLS certificate expiry | Rejected | Certificate validation |
| TLS version downgrade attempt | Rejected | TLS minimum version enforcement |
| DNS rebinding on delivery target | Rejected | DNS resolution validation |

Scope and Limitations

  • Scenarios validate individual controls, not full system compromise chains.
  • Some scenarios require specific configuration (e.g., IP allowlisting requires an allowlist to be configured).
  • Results depend on the runtime environment (sandbox validation environment vs. production).
  • The suite covers Stripe, GitHub, Shopify, Twilio, and Custom webhook providers. Not every scenario is implemented for every provider.
  • See Trust Lab for operational/correctness validation scenarios.

Status

The Security Validation Suite is under active development. Scenario coverage varies by provider. See the capability manifest for current proof_status per security control.