Skip to main content

Agent → SaaS mTLS

Status: Required — fail-closed (source-validated, not production-live attested) Related: Security Capability Validation, MCP Authentication & mTLS


Overview

The Zen Mesh agent communicates with the SaaS backend through mTLS (Mutual TLS). This is enforced fail-closed at the middleware layer.

Caveat: The evidence below is source-validated against the current codebase. Production-live attestation is not claimed here — refer to the evidence index for deployment-specific validation status.

Architecture

The agent uses SAAS_SYNC_URL which points to the mTLS service (port 9443) for post-bootstrap sync operations:

RouteMethodAuthScope
/agent/v1/clusters/{cid}/desired-stateGETmTLS + HMACDesired-state polling
/agent/v1/heartbeatPOSTmTLS + HMACAgent heartbeat
/agent/v1/heartbeatsPOSTmTLS + HMACAgent heartbeat
/agent/v1/clusters/{cluster_id}/adapters/syncPOSTmTLS + HMACAdapter registration
/agent/v1/allowlistGETmTLS + HMACEgress/adapter allowlist
/agent/v1/agents/bootstrapPOSTmTLS (no HMAC)Agent bootstrap
/agent/v1/agents/rekeyPOSTmTLS (no HMAC)Agent rekey

Bootstrap and rekey routes are on the mTLS listener without HMAC — the agent has not yet enrolled and cannot present an HMAC identity at that stage.

Security Matrix

ControlStatusScopeEvidence ReferencePublic Caveat
mTLS listenerImplementedPort 9443, internal CP↔EP/DP routesmtls_listener.go: agent route registration on mTLS listenerSource-validated at commit time; no production-live attestation here
mTLS identity middlewareImplementedAgent routes (tenant/cluster identity from cert)mtls_identity.go: RequireMTLSIdentity middlewareExtracts identity from client cert; fails 401 if missing
mTLS enforcement (fail-closed)ImplementedAll internal CP↔EP/DP routesmain.go: mTLS enforcement initializationFatal error if mTLS enforcement cannot initialize; applies to API v1 routes
HMAC middlewareImplementedAgent routes under /agent/v1HMACVerifier initialization in main.goFail-closed in production; non-nil check
Bootstrap SPIFFE gateConfig-driven (optional)Agent bootstrap handleragent_bootstrap_handler.go: BOOTSTRAP_REQUIRE_SPIFFEOptional; when enabled, requires valid SPIFFE ID in client cert
SPIRE Workload APIPlannedFull workload identity modelCAP-004 evidence entryPlanned for post-V1 hardening; does not affect current mTLS requirement

CAP-004 Clarification

The capability evidence entry CAP-004 "SPIFFE/SPIRE workload identity" has status planned. This refers to the fuller workload identity model with SPIRE Workload API integration — the comprehensive, dynamic workload identity with automatic SVID rotation via SPIRE agents.

It does NOT mean mTLS is planned. mTLS is required today. The "planned" item is the deeper SPIRE Workload API integration for a more comprehensive identity model.

Enforcement

  • Production: mTLS enforcement is fail-closed. If mTLS middleware initialization fails, the system logs a fatal error and refuses to start.
  • Bootstrap: Agent bootstrap can optionally require SPIFFE identity via BOOTSTRAP_REQUIRE_SPIFFE.
  • HMAC: HMAC middleware is also fail-closed in production.
  • Route isolation: Agent routes are ONLY reachable via the mTLS listener (port 9443), not on the public listener.

Non-Claims

  • mTLS claimed as product standard on every data-plane path (see llms.txt). Per-path evidence maturity tracked in wedge-claim-map.json. See also claim-maturity.json (primitive PRIM-MTLS-AGENT-SAAS) and security-capability-validation.json for per-scope validation scope.
  • No claim that SPIRE Workload API is fully deployed
  • No production-live proof for all paths (evidence is source-validated, not live-attested)
  • No claim that bootstrap SPIFFE gate is enabled in all deployments