How Zen Works

Status: PUBLIC_CONTRACT_DRAFT — This page explains the Zen Mesh mental model. Individual components carry their own status. Not a production-live availability claim.

Zen Mesh is a declarative event delivery platform. Every operation — creating an endpoint, configuring a target, inspecting a delivery — follows the same operational model, regardless of which surface you use.

Control surfaces

| Surface | Audience | Maturity |
| --- | --- | --- |
| UI (dashboard) | Human operators, evaluation | WIRED_SANDBOX |
| CLI | Automation, CI/CD | WIRED_SANDBOX |
| API (REST) | Programmatic access, integrations | WIRED_SANDBOX |
| MCP | Automation interface for operators | WIRED_SANDBOX |

All supported surfaces use the same validation and authorization model for configuration changes.

Authoring chain

Template → Blueprint → Flow → Traffic → Evidence

| Step | What it is | Status |
| --- | --- | --- |
| Template | Reusable source configuration (Stripe, GitHub, Custom) | WIRED_SANDBOX |
| Blueprint | Validated template instantiation with defaults | WIRED_SANDBOX |
| Flow | Declarative link from endpoint to target | WIRED_SANDBOX |
| Traffic | Live event delivery, attempts, DLQ, retry, replay | WIRED_SANDBOX |
| Evidence | Delivery visibility and audit records where available | WIRED_SANDBOX |

Runtime chain

When events flow through the system, each delivery follows this path:

Endpoint → Flow → Target → Attempt → DLQ / Retry / Replay → Trace → Evidence

| Object | Role | Status |
| --- | --- | --- |
| Endpoint | Where events arrive (ingester URL) | WIRED_SANDBOX |
| Flow | Delivery contract — links endpoint to target | WIRED_SANDBOX |
| Target | Where events are delivered (your service URL) | WIRED_SANDBOX |
| Attempt | One delivery execution with status | WIRED_SANDBOX |
| DLQ | Failed events preserved for recovery | WIRED_SANDBOX |
| Retry | Automatic or manual retry of failed attempts | WIRED_SANDBOX |
| Replay | Re-deliver events from DLQ or history | WIRED_SANDBOX |
| Trace | Delivery spine record linking attempts to evidence scope | WIRED_SANDBOX |
| Evidence | Delivery receipts and operational metadata | WIRED_SANDBOX |

See Delivery for detailed capability pages.

Plane model

| Plane | What it does | Connection model |
| --- | --- | --- |
| Control Plane | SaaS surface (UI, API, MCP). Configuration, policy, evidence scope. Never sees payloads. | Customer → CP |
| Data Plane | Delivery runtime — ingesters, egresses, bridges. Processes event payloads. | Customer → DP |
| Edge Plane | Customer environment. Runs zen-agent (required), optional ingester/egress. | Outbound only |
| Edge Lite | Lightweight non-Kubernetes runtime. Evaluation and low-traffic use cases. | Outbound only |

See Planes and Choose a Runtime Path.

Security baseline

mTLS, SPIFFE/SPIRE, HMAC on every data-plane path — non-negotiable.

| Control | Where it applies | Evidence reference |
| --- | --- | --- |
| mTLS | Internal control-plane and data-plane paths | wedge-claim-map.json |
| SPIFFE/SPIRE | Workload identity on Zen-managed internal paths | wedge-claim-map.json |
| HMAC | Agent → control-plane payload verification | claim-maturity.json |

External provider ingress uses provider-specific signature verification. See Security Controls.
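
What "provider-specific signature verification" means for the two providers named in the Template row, as an added example that is not Zen Mesh code and does not describe Zen Mesh internals. It follows the publicly documented GitHub (`X-Hub-Signature-256`) and Stripe (`Stripe-Signature`) webhook schemes; the function names, secret and body are constructed for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample values; not real secrets or real provider traffic.
SECRET = b"constructed-webhook-secret"
BODY = b'{"id":"evt_constructed","type":"ping"}'


def mac_hex(secret, msg):
    """Hex HMAC-SHA256, the primitive both providers use."""
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_github(secret, body, header):
    """GitHub: header is 'sha256=' + hex HMAC-SHA256 over the raw request body."""
    scheme, _, sent = header.partition("=")
    if scheme != "sha256" or not sent:
        return False  # unknown or missing scheme: fail closed
    # Constant-time comparison on bytes avoids timing leaks.
    return hmac.compare_digest(mac_hex(secret, body).encode(), sent.encode())


def verify_stripe(secret, body, header, now=None, tolerance=300):
    """Stripe: header is 't=<unix>,v1=<hex>[,v1=...]'; the MAC covers '<t>.<body>'."""
    ts, sigs = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            ts = value
        elif key == "v1":
            sigs.append(value)
    if ts is None or not (ts.isascii() and ts.isdigit()) or not sigs:
        return False
    # Reject stale timestamps so a captured request cannot be replayed later.
    now = time.time() if now is None else now
    if abs(now - int(ts)) > tolerance:
        return False
    expected = mac_hex(secret, ts.encode() + b"." + body).encode()
    # Several v1 values may be present during secret rotation; any match passes.
    return any(hmac.compare_digest(expected, s.encode()) for s in sigs)
```

Both checks must run on the raw bytes received, before any JSON parsing or re-serialization, or a valid signature will fail to match.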