
Security Validation V1 Cutline

Generated: 2026-06-26

Purpose

This page defines which security validation scenarios are required for V1, V1 Pro+, V1.1, and post-V1. It prevents overclaiming and ensures the validation roadmap is transparent.

V1 Required (All Plans)

These are negative security basics that every V1 deployment must pass:

| Scenario | Control | Status |
|---|---|---|
| Replay attack rejection | Nonce deduplication + timestamp window | 🔶 PARTIAL — Implemented for Stripe; Shopify/Twilio dedup-only |
| Expired timestamp rejection | Timestamp skew validation | 🔶 PARTIAL — Implemented for Stripe; Shopify/Twilio pending |
| Invalid signature rejection | Cryptographic signature verification | ✅ Stripe; ❌ Shopify HMAC PENDING; ❌ Twilio signature PENDING |
| Missing signature header rejection | Required header validation | ✅ DONE |
| Payload tampering rejection | HMAC covers full payload | ✅ Stripe; ❌ Shopify/Twilio |
| Malformed request rejection | Schema validation | ✅ DONE |
| Unknown event type rejection | Event type validation | ✅ DONE |
| Missing required event fields | Required field validation | ✅ DONE |
| Oversized payload rejection (>1 MB Pro, >256 KB Free) | Payload size limits | ✅ DONE |
| Invalid content-type rejection | Content-type validation | ✅ DONE |
| Unknown provider endpoint rejection | Provider routing validation | ✅ DONE |
| Duplicate delivery detection | Idempotency key matching | ✅ DONE |
| Delivery timeout enforcement | Delivery timeout | ✅ DONE |
| Local auth 2FA/MFA enrollment and verification | TOTP enrollment + OTP validation + route matrix after 2FA | ❌ V1_BLOCKER — PENDING Hermes R22 |
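The first five rows above (replay, expired timestamp, invalid signature, missing header, payload tampering) together with the size limit are exactly what a deterministic validator for the V1 claims has to exercise. The following is an added example, not the project's own code or any provider's real signing scheme: the header names (X-Webhook-Timestamp, X-Webhook-Nonce, X-Webhook-Signature), the signed-string layout `<timestamp>.<nonce>.<body>`, the 5-minute skew window and the sample payload are all assumptions made for this illustration. It runs each negative scenario against constructed input and reports which check rejected it.

```python
"""Deterministic negative-security checks for an inbound webhook.

Added example, not the project's own code. The header names
(X-Webhook-Timestamp, X-Webhook-Nonce, X-Webhook-Signature), the
signed-string layout "<timestamp>.<nonce>.<body>" and the 5-minute
skew window are assumptions made for this illustration.
"""
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300           # assumed timestamp window
MAX_BODY_BYTES = 256 * 1024      # Free-plan limit from the cutline table


class NonceCache:
    """In-memory nonce store with expiry. A multi-instance deployment
    needs a shared store: the dedup must be global, not per process."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._seen = {}           # nonce -> time first accepted

    def seen_before(self, nonce, now):
        # Drop entries older than the TTL; a timestamp that old is already
        # rejected by the skew check, so it cannot be replayed anyway.
        self._seen = {n: t for n, t in self._seen.items() if now - t < self.ttl}
        if nonce in self._seen:
            return True
        self._seen[nonce] = now
        return False


def sign(secret, timestamp, nonce, body):
    """HMAC-SHA256 over timestamp, nonce and the *full* raw body, so any
    byte changed in the payload invalidates the signature."""
    msg = f"{timestamp}.{nonce}.".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def validate(headers, body, secret, cache, now=None, max_body=MAX_BODY_BYTES):
    """Return "ok" or the name of the first failing check.

    Check order matters: size first (cheap, before any parsing), then
    header presence, then timestamp, then signature, and only then the
    nonce. Recording a nonce before the signature is verified would let
    an unauthenticated sender poison the cache and block the real delivery.
    """
    now = time.time() if now is None else now
    if len(body) > max_body:
        return "oversized"
    ts = headers.get("x-webhook-timestamp")
    nonce = headers.get("x-webhook-nonce")
    sig = headers.get("x-webhook-signature")
    if ts is None or nonce is None or sig is None:
        return "missing_header"
    try:
        ts_int = int(ts)
    except ValueError:
        return "malformed_timestamp"
    if abs(now - ts_int) > MAX_SKEW_SECONDS:
        return "expired"
    # compare_digest is constant-time, so the comparison does not leak
    # how many leading bytes of the presented signature were correct.
    if not hmac.compare_digest(sign(secret, ts, nonce, body), sig):
        return "bad_signature"
    if cache.seen_before(nonce, now):
        return "replay"
    return "ok"


def run_scenarios():
    """Exercise each negative scenario against constructed sample input
    and return a scenario -> verdict map."""
    secret = b"example-shared-secret"          # constructed
    cache = NonceCache(ttl_seconds=2 * MAX_SKEW_SECONDS)
    now = 1_700_000_000
    body = b'{"event":"order.created","id":"ord_123"}'   # constructed

    def hdrs(ts=now, nonce="n-1", sig=None, signed_body=body):
        h = {"x-webhook-timestamp": str(ts), "x-webhook-nonce": nonce}
        h["x-webhook-signature"] = sign(secret, str(ts), nonce, signed_body) if sig is None else sig
        return h

    results = {}
    results["valid"] = validate(hdrs(), body, secret, cache, now)
    results["replay"] = validate(hdrs(), body, secret, cache, now)            # same nonce again
    results["expired"] = validate(hdrs(ts=now - MAX_SKEW_SECONDS - 1, nonce="n-2"), body, secret, cache, now)
    results["bad_signature"] = validate(hdrs(nonce="n-3", sig="00" * 32), body, secret, cache, now)
    tampered = b'{"event":"order.created","id":"ord_999"}'
    results["tampered"] = validate(hdrs(nonce="n-4"), tampered, secret, cache, now)  # signed over original body
    missing = hdrs(nonce="n-5")
    del missing["x-webhook-signature"]
    results["missing_header"] = validate(missing, body, secret, cache, now)
    results["oversized"] = validate(hdrs(nonce="n-6"), b"x" * (MAX_BODY_BYTES + 1), secret, cache, now)
    return results


if __name__ == "__main__":
    for scenario, verdict in run_scenarios().items():
        print(f"{scenario:15s} -> {verdict}")
```

Every verdict is a fixed string produced by a fixed check, which is what makes the validator deterministic in the sense of Key Rule 4: a CI job can assert on the exact rejection reason rather than on an AI judge's reading of a log. The PARTIAL rows in the table correspond to providers for which only the nonce step exists; the tampering and expiry verdicts above only hold once the signature and skew steps are wired in for them too.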

V1 Pro+ Required

| Scenario | Control | Plan | Status |
|---|---|---|---|
| IP allowlist enforcement | Source IP deny-by-default | Pro+ | ✅ DONE |
| IP block enforcement | Explicit IP deny list | Pro+ | ✅ DONE |

V1 Docs-Only / Non-Claim

These scenarios are documented in the Security Validation Suite but are NOT claimed as V1-complete. They describe design intent, not current capability.

| Scenario | Rationale |
|---|---|
| mTLS certificate expiry rejection | mTLS is tested at infrastructure level; per-webhook mTLS validation is post-V1.1 |
| TLS version downgrade rejection | Platform-level enforcement exists; per-webhook TLS policy is post-V1.1 |
| Cross-tenant delivery target rejection | Tenant isolation design exists; per-webhook RLS validation is post-V1.1 |
| DNS rebinding on delivery target | Documented risk; no current mitigation |

V1.1 Required

| Scenario | Control | Rationale |
|---|---|---|
| Header filtering/blocking/transform | HTTP header management | Business+ plan feature, V1.1 scope |
| GitHub user-controlled BaseURL SSRF hardening | SSRF prevention | Not exposed in V1 SaaS; V1.1 when self-hosted GitHub is supported |
| GitLab self-hosted BaseURL SSRF hardening | SSRF prevention | V1.1 when self-hosted GitLab is supported |
| Bitbucket self-hosted BaseURL SSRF hardening | SSRF prevention | V1.1 when self-hosted Bitbucket is supported |
| Trust Lab as full synthetic/continuous monitoring | Automated scenario execution | V1.1 framework; deterministic validators for V1 claims must exist before V1 |
| Provider-specific validation suites (Shopify, Twilio) | Negative security | Requires HMAC/signature implementation (V1 blocker for those providers) |

Post-V1

| Scenario | Rationale |
|---|---|
| Full Trust Lab automation (scheduled scenario runs) | V1.1+ product capability |
| Customer-runnable Trust Scenarios | Self-service validation, post-V1.1 |
| Synthetic monitoring integration | Post-V1.1 platform integration |
| AI-orchestrated Trust Scenarios | Post-V1.1 AI integration |

Implementation Status Legend

| Status | Meaning |
|---|---|
| ✅ DONE | Implemented and evidenced |
| 🔶 PARTIAL | Implemented for some providers or configurations |
| ❌ PENDING | Not yet implemented |
| ➖ DESIGN | Design exists but not implemented |

Key Rules

  1. Do not claim V1 security is complete until all V1 Required scenarios are PASS for all V1-shipping providers.
  2. Do not claim SSRF protection — SaaS SSRF is a documented gap (GAP-SSRF-SAAS-DISPATCH). SSRF hardening is V1.1.
  3. Do not claim Shopify/Twilio security validation until HMAC/signature enforcement is implemented and live E2E validated.
  4. Deterministic validators for V1 claims must exist before V1. AI-judged results are not sufficient for security claims.
  5. V1.1 items are not V1 blockers. Do not block V1 on V1.1 scope.
  6. 2FA/MFA is a V1 prerequisite. Local/password auth requires app-level 2FA enrollment and verification for V1. Google/OIDC users may rely on IdP MFA for V1 when configured and documented. Do not claim 2FA is DONE until Hermes R22 proves end-to-end enrollment, OTP validation, and route acceptance after 2FA.