Skip to main content

Key Concepts

See How Zen Works for the complete mental model — the control-surface model, authoring chain, runtime chain, plane model, and security baseline. See use cases for real-world examples.

Architecture

ConceptDescription
Control PlaneSaaS layer — manages configuration, policy, and evidence. Never in the delivery path.
Data PlaneDelivery runtime — ingesters, egresses, bridges that route events.
Edge PlaneCustomer environment running zen-agent. Connects outbound only. Available as Kubernetes Edge Plane or Edge Lite.
Edge LiteLightweight non-Kubernetes runtime path for evaluation and low-traffic use cases.

Delivery Paths

PathDescriptionEvidence
Standard deliveryDestination reachable from data planePROOF-001, 003, 004
Outbound-only private deliveryEgress relay to NAT/firewalled targetPROOF-008, 009

Trust Mechanisms

MechanismDescriptionEvidence
mTLSMutual TLS on all internal pathsTRUST-PROOF-004, 006
HMACPayload integrity via SHA-256 signatureTRUST-PROOF-003
SPIFFEWorkload identity via URI SAN in certsTRUST-PROOF-004
ZenLockCiphertext-only secret managementTRUST-PROOF-005, 009
EnrollmentK8s cluster registration via age-encrypted bundleTRUST-PROOF-001, 002

Evidence Model

ConceptDescription
Evidence PackConsolidated JSON with proof status, refs../ai/evidence-v1-supersession.md#non-claims
Victory LockCommit-pinned proof artifact with validation commands
Proof LedgerIndex of all proofs with scenarios and statuses
Replay VerifierValidator checking all artifacts and claims guard
State MachineTransition model for delivery, connectivity, topology, buffer
Non-ClaimsExplicitly unclaimed capabilities (not false, just not proven)

Status Classifications

StatusMeaning
victory_lockedProof committed, verified, witnessed
local_mock_provenDemonstrated in deterministic mock harness
implementation_presentCode exists but no execution proof artifact
plannedDesign documented, implementation not started
blockedCannot proceed due to known blocker
not_claimedExplicitly not claimed
supports / maps_toCompliance relationship (not certification)