# Zen Mesh — Webhook Operations (Full AI Context)

Version: 1.0.0
Last-Updated: 2026-05-29T22:00:00Z
Product: Zen Mesh — webhook ingestion, validation, delivery visibility, and security operations across Stripe, GitHub, and custom webhooks

Zen helps teams receive, validate, observe, and operate webhooks across Stripe, GitHub, and custom sources, with a planned expansion path to Shopify, Twilio, GitLab, Alipay, and similar providers.

Current readiness: DEMO (local/mock/sandbox only; not production-live, not customer-ready).

V1 governance (2026-05-30): evidence-first federated operational runtime/trust platform with a webhook delivery wedge. Canonical failure-stop on script failure. Accepted evidence artifacts require hash-chain inclusion; integrity comparison is not authentication, not identity proof, not encryption, or replay prevention. Planes management UI (T1) NOT product-pass. Sandbox delivery validation: relay-path proof mandatory for demo scope; direct/egress/relay receipts per manifest proof_status — not platform go-live. Runtime workload identity (SVID) rotation not proven on mainline. DeliveryPolicy TLS/trust-chain controls L2 deferred — not PASS.

## Core Links

- Website: https://www.zen-mesh.io
- AI evidence index: https://www.zen-mesh.io/evidence
- Documentation: https://docs.zen-mesh.io
- Source: https://github.com/zenmesh/zen-platform
- Contact: zen@zen-mesh.io

## Public terminology and traceability

- Traceability (JSON): https://www.zen-mesh.io/ai/public-surface-traceability.json
- Taxonomy (JSON): https://www.zen-mesh.io/ai/public-terminology-taxonomy.json
- Human guide: https://www.zen-mesh.io/docs/public-terminology-taxonomy

## Narrative context (not proof; narrative_context classification)

- Narrative registry (JSON): https://www.zen-mesh.io/ai/narrative-context.json
- Blog — webhook delivery evidence: https://www.zen-mesh.io/blogs/webhook-delivery-evidence/ (editorial; not accepted_evidence)
- Blog — webhooks behind firewalls: https://www.zen-mesh.io/blogs/webhooks-behind-firewalls/ (editorial; not accepted_evidence)
- Proof source of truth: manifest.json, non-claims.json, and zen-platform evidence artifacts — not blog posts

## Wedge Evidence

- Wedge Claim Map: https://docs.zen-mesh.io/ai/evidence/v1/wedge-claim-map.json
- Wedge Non-Claims: https://docs.zen-mesh.io/ai/evidence/v1/wedge-non-claims.json
- Wedge Overview: https://docs.zen-mesh.io/docs/ai/wedge-overview

## Full Platform Evidence

- Capability Manifest: https://docs.zen-mesh.io/ai/evidence/v1/manifest.json
- Compliance Map: https://docs.zen-mesh.io/ai/evidence/v1/compliance-map.json
- Non-Claims: https://docs.zen-mesh.io/ai/evidence/v1/non-claims.json
- Evidence Schema: https://docs.zen-mesh.io/ai/evidence/v1/manifest.schema.json
- Compliance Schema: https://docs.zen-mesh.io/ai/evidence/v1/compliance-map.schema.json
- AI Overview: https://docs.zen-mesh.io/docs/ai/overview
- Capability Evidence: https://docs.zen-mesh.io/docs/ai/capability-evidence
- Compliance Evidence: https://docs.zen-mesh.io/docs/ai/compliance-evidence
- Evidence Schema Guide: https://docs.zen-mesh.io/docs/ai/evidence-schema
- Non-Claims: https://docs.zen-mesh.io/docs/ai/non-claims
- Verification: https://docs.zen-mesh.io/docs/ai/verification

## Wedge Proof Summary

All wedge proof artifacts at github.com/zenmesh/zen-platform/docs/80-EVIDENCE/

| Capability | Status | Scope |
|---|---|---|
| Stripe webhook ingestion | PROVEN | local/mock |
| GitHub webhook ingestion | PARTIAL | provider adapter present |
| Custom webhook ingestion | PLANNED | generic pipeline |
| Delivery visibility | PROVEN | local/mock |
| Retry with DLQ routing | PROVEN | local/mock |
| Idempotency/duplicate detection | PROVEN | local/mock |
| mTLS on internal paths | PROVEN | local/mock |
| HMAC verification with replay protection | PROVEN | local/mock |
| Machine-readable evidence with Merkle integrity | PROVEN | local/mock |
| SPIFFE workload identity | PROVEN | local/mock |

## Non-Claims (Wedge Scope)

- No production-live or customer-ready claim
- No public edge/mesh/relay capability claim
- No exactly-once or zero-loss delivery guarantee
- No compliance certification
- SVID rotation not yet automated
- Provider validation scope: Stripe tested (local/mock), GitHub adapter present (custom validation needed), Custom webhook planned
- Shopify, Twilio, GitLab, Alipay are on the provider expansion roadmap — not currently validated
- Provider expansion roadmap is not production support
- Custom webhook support does not imply every provider-specific signature scheme is implemented
- Modular provider adapter model is not a claim of full marketplace coverage
- All proofs are local/mock unless stated otherwise

## Provider Expansion Roadmap

The modular provider adapter model is designed to extend to Shopify, Twilio, GitLab, Alipay, and similar providers. These are planned — not yet validated.

## Security Posture

- mTLS: Enforced on internal control-plane paths
- HMAC-SHA256: Payload verification with nonce-based replay protection
- SPIFFE/SPIRE: Workload identity for control-plane auth
- Merkle integrity: Evidence integrity verification only

## Known Limitations

- Stripe native webhook signing secret integration not yet validated
- GitHub webhook-specific signature verification not yet validated
- No production Stripe or GitHub event validated on a production cloud deployment; Stripe Sandbox event validated on GKE demo cloud (northamerica-northeast2)
- Custom webhook signature schemes are provider-specific and evaluated case by case
- Comprehensive delivery status dashboard is planned
- SVID rotation is not yet automated