Trust Scenario Registry

Generated: 2026-06-26

Purpose

This registry catalogs all Trust Scenarios for Zen Mesh webhook delivery validation. It is a planning and tracking document, not an implementation. Scenarios are grouped by maturity tier (V1, V1.1, Post-V1).

Registry

V1 Scenarios

| ID | Title | Validator Path | Evidence Path | Safe in Prod | Customer Runnable | AI Runnable | Owner | Status | Next Action |
|---|---|---|---|---|---|---|---|---|---|
| AUTH-2FA-01 | Local login returns TWO_FACTOR_REQUIRED when 2FA enabled | N/A — runtime endpoint | ~/zenmesh/docs/docs/80-EVIDENCE/docsai/r5-2fa-v1-security-contract/ | ❌ No | ❌ No | ❌ No | Hermes | ❌ V1_BLOCKER | Implement 2FA enrollment path; prove TWO_FACTOR_REQUIRED 403 |
| AUTH-2FA-02 | TOTP enrollment or sandbox-safe seed available | N/A — runtime endpoint | ~/zenmesh/docs/docs/80-EVIDENCE/docsai/r5-2fa-v1-security-contract/ | ❌ No | ❌ No | ❌ No | Hermes | ❌ V1_BLOCKER | Implement TOTP enrollment; seed must be sandbox-safe for testing |
| AUTH-2FA-03 | Invalid OTP rejected | N/A — runtime endpoint | ~/zenmesh/docs/docs/80-EVIDENCE/docsai/r5-2fa-v1-security-contract/ | ✅ Yes | ❌ No | ❌ No | Hermes | ❌ V1_BLOCKER | Implement OTP verification with rejection of invalid codes |
| AUTH-2FA-04 | Valid OTP completes authentication | N/A — runtime endpoint | ~/zenmesh/docs/docs/80-EVIDENCE/docsai/r5-2fa-v1-security-contract/ | ✅ Yes | ❌ No | ❌ No | Hermes | ❌ V1_BLOCKER | Implement OTP verification with acceptance of valid codes |
| AUTH-2FA-05 | /me endpoint succeeds after 2FA | N/A — runtime endpoint | ~/zenmesh/docs/docs/80-EVIDENCE/docsai/r5-2fa-v1-security-contract/ | ✅ Yes | ❌ No | ❌ No | Hermes | ❌ V1_BLOCKER | Verify authenticated /me call succeeds after 2FA completion |
| AUTH-2FA-06 | Authenticated route matrix succeeds after 2FA | N/A — runtime endpoint | ~/zenmesh/docs/docs/80-EVIDENCE/docsai/r5-2fa-v1-security-contract/ | ✅ Yes | ❌ No | ❌ No | Hermes | ❌ V1_BLOCKER | Verify route access after 2FA for all V1 routes |
| AUTH-2FA-07 | 2FA enrollment/success/failure emits audit/security event | N/A — event path | ~/zenmesh/docs/docs/80-EVIDENCE/docsai/r5-2fa-v1-security-contract/ | ❌ No | ❌ No | ❌ No | Hermes | ❌ V1_BLOCKER | Wire audit event emission for 2FA lifecycle events |
| AUTH-2FA-08 | Recovery/reset path exists or is operator-controlled | N/A — runtime endpoint | ~/zenmesh/docs/docs/80-EVIDENCE/docsai/r5-2fa-v1-security-contract/ | ❌ No | ❌ No | ❌ No | Hermes | ❌ V1_BLOCKER | Document recovery path; operator-controlled reset for V1 |
| TS-001 | Replay attack rejection (Stripe) | testdata/stripe/stale_signature.* + go test | zen-platform docs/80-EVIDENCE/ | ✅ Yes | ❌ No | ✅ Yes | Hermes | ✅ DONE | Maintain |
| TS-002 | Replay attack rejection (Shopify) | N/A — dedup only | N/A | ❌ No | ❌ No | ❌ No | Hermes | ❌ PENDING | Blocked on SH-01 (HMAC enforcement) |
| TS-003 | Replay attack rejection (Twilio) | N/A — dedup only | N/A | ❌ No | ❌ No | ❌ No | Hermes | ❌ PENDING | Blocked on TW-01 (signature enforcement) |
| TS-004 | Invalid signature rejection (Stripe) | testdata/stripe/invalid_signature.* + go test | zen-platform docs/80-EVIDENCE/ | ✅ Yes | ❌ No | ✅ Yes | Hermes | ✅ DONE | Maintain |
| TS-005 | Invalid signature rejection (Shopify) | N/A — HMAC not implemented | N/A | ❌ No | ❌ No | ❌ No | Hermes | ❌ PENDING | Blocked on SH-01 |
| TS-006 | Invalid signature rejection (Twilio) | N/A — signature not implemented | N/A | ❌ No | ❌ No | ❌ No | Hermes | ❌ PENDING | Blocked on TW-01 |
| TS-007 | Expired timestamp rejection (Stripe) | testdata/stripe/stale_signature.* + go test | zen-platform docs/80-EVIDENCE/ | ✅ Yes | ❌ No | ✅ Yes | Hermes | ✅ DONE | Maintain |
| TS-008 | Missing signature header rejection | testdata/stripe/missing_id.* + go test | zen-platform docs/80-EVIDENCE/ | ✅ Yes | ❌ No | ✅ Yes | Hermes | ✅ DONE | Maintain |
| TS-009 | Payload tampering rejection (Stripe) | Covered by HMAC validation | zen-platform docs/80-EVIDENCE/ | ✅ Yes | ❌ No | ✅ Yes | Hermes | ✅ DONE | Maintain |
| TS-010 | Payload tampering rejection (Shopify) | Blocked on SH-01 | N/A | ❌ No | ❌ No | ❌ No | Hermes | ❌ PENDING | Blocked on SH-01 |
| TS-011 | Payload tampering rejection (Twilio) | Blocked on TW-01 | N/A | ❌ No | ❌ No | ❌ No | Hermes | ❌ PENDING | Blocked on TW-01 |
| TS-012 | Malformed request rejection (Stripe) | testdata/stripe/malformed_payload.* + go test | zen-platform docs/80-EVIDENCE/ | ✅ Yes | ❌ No | ✅ Yes | Hermes | ✅ DONE | Maintain |
| TS-013 | Duplicate delivery behavior (Stripe) | testdata/stripe/payment_intent_succeeded_duplicate.* + go test | zen-platform docs/80-EVIDENCE/ | ✅ Yes | ❌ No | ✅ Yes | Hermes | ✅ DONE | Maintain |
| TS-014 | Duplicate delivery behavior (Shopify) | Dedup via idempotency key | zen-platform docs/80-EVIDENCE/ | ✅ Yes | ❌ No | ✅ Yes | Hermes | ✅ DONE | Maintain |
| TS-015 | Duplicate delivery behavior (Twilio) | Dedup via MessageSid/CallSid | zen-platform docs/80-EVIDENCE/ | ✅ Yes | ❌ No | ✅ Yes | Hermes | ✅ DONE | Maintain |
| TS-016 | Oversized payload rejection | Payload size enforcement | zen-platform docs/80-EVIDENCE/ | ✅ Yes | ❌ No | ❌ No | Hermes | ✅ DONE | Maintain |
| TS-017 | Unknown event type rejection | Event type validation | zen-platform docs/80-EVIDENCE/ | ✅ Yes | ❌ No | ✅ Yes | Hermes | ✅ DONE | Maintain |
| TS-018 | IP allowlist enforcement | IP allowlist validator | docs/providerflow/ | ✅ Yes | ✅ Yes | ❌ No | Hermes | ✅ DONE | Maintain |
| TS-019 | Missing required event fields | Schema validation | zen-platform docs/80-EVIDENCE/ | ✅ Yes | ❌ No | ✅ Yes | Hermes | ✅ DONE | Maintain |
| TS-020 | Invalid content-type rejection | Content-type validation | zen-platform docs/80-EVIDENCE/ | ✅ Yes | ❌ No | ❌ No | Hermes | ✅ DONE | Maintain |
| TS-021 | Delivery timeout enforcement | Timeout handling | zen-platform docs/80-EVIDENCE/ | ✅ Yes | ❌ No | ❌ No | Hermes | ✅ DONE | Maintain |
| TS-022 | Unknown provider endpoint rejection | Provider routing | zen-platform docs/80-EVIDENCE/ | ✅ Yes | ❌ No | ❌ No | Hermes | ✅ DONE | Maintain |

V1.1 Scenarios

| ID | Title | Validator Path | Evidence Path | Safe in Prod | Customer Runnable | AI Runnable | Owner | Status | Next Action |
|---|---|---|---|---|---|---|---|---|---|
| TS-101 | Trust Lab automated suite | N/A — framework not built | N/A | ❌ No | ❌ No | ❌ No | Hermes + DocsAI | ❌ PENDING | V1.1 framework |
| TS-102 | Header filtering validation | Header management module | N/A | ❌ No | ❌ No | ❌ No | Hermes | ❌ PENDING | V1.1 Business+ |
| TS-103 | Header blocking validation | Header management module | N/A | ❌ No | ❌ No | ❌ No | Hermes | ❌ PENDING | V1.1 Business+ |
| TS-104 | Header transform validation | Header management module | N/A | ❌ No | ❌ No | ❌ No | Hermes | ❌ PENDING | V1.1 Business+ |
| TS-105 | GitHub BaseURL SSRF hardening | SSRF prevention module | N/A | ❌ No | ❌ No | ❌ No | Hermes | ❌ PENDING | V1.1 (V1_PARTIAL risk) |
| TS-106 | GitLab BaseURL SSRF hardening | SSRF prevention module | N/A | ❌ No | ❌ No | ❌ No | Hermes | ❌ PENDING | V1.1 (V1_SAFE_WITH_DOC) |
| TS-107 | Bitbucket BaseURL SSRF hardening | SSRF prevention module | N/A | ❌ No | ❌ No | ❌ No | Hermes | ❌ PENDING | V1.1 (V1_SAFE_WITH_DOC) |
| TS-108 | mTLS certificate expiry rejection | Certificate validation | N/A | ❌ No | ❌ No | ❌ No | Hermes | 🔶 PARTIAL | Platform-level exists; per-webhook pending |
| TS-109 | Cross-tenant isolation / RLS | Tenant isolation | N/A | ❌ No | ❌ No | ❌ No | Hermes | 🔶 PARTIAL | Design exists; per-webhook RLS pending |

Post-V1 Scenarios

| ID | Title | Status | Owner |
|---|---|---|---|
| TS-201 | Customer-runnable Trust Scenarios | ❌ PENDING | DocsAI |
| TS-202 | AI-orchestrated Trust Scenarios | ❌ PENDING | DocsAI + Hermes |
| TS-203 | Synthetic monitoring integration | ❌ PENDING | Hermes |
| TS-204 | Historical trust evidence comparison | ❌ PENDING | Hermes |
| TS-205 | DNS rebinding on delivery target | ❌ PENDING | Hermes |

Summary

| Tier | Total | DONE | PENDING | PARTIAL | V1_BLOCKER |
|---|---|---|---|---|---|
| V1 | 30 | 15 | 6 | 1 | 8 |
| V1.1 | 9 | 0 | 8 | 1 | 0 |
| Post-V1 | 5 | 0 | 5 | 0 | 0 |
| Total | 44 | 15 | 19 | 2 | 8 |

Key Gaps

The 6 pending V1 scenarios are all blocked on Shopify and Twilio HMAC/signature enforcement (SH-01 and TW-01 respectively). The 8 AUTH-2FA-* scenarios are all V1_BLOCKER, pending Hermes R22 runtime evidence. All core Stripe scenarios are DONE.

Usage

  • Hermes: Update this registry when scenarios are implemented or status changes.
  • DocsAI: Sync registry changes to public surfaces when scenarios become customer-facing.
  • Reviewers: Before claiming a security capability, verify it appears in this registry with DONE status.