Enterprise Security Review
This page packages Punk's current trust and security posture for enterprise review. It is a practical review guide, not a certification report, legal commitment, or customer-specific security addendum.
Use it with:
- Governance for policy, approvals, audit, redaction, DLP, tripwires, and trust lanes.
- Configuration for environment variables, provider modes, auth modes, tenant settings, database choice, and readiness receipts.
- Operations for production readiness, workers, health checks, backups, retention, and rollout operations.
- Architecture for request flow, package boundaries, persistence, and trace integrity.
- API for evidence packets, audit endpoints, run detail, receipts, keys, credentials, and settings.
- Connectors for managed connector auth, data classes, side-effect levels, cache, replay, shadow, idempotency, and redaction metadata.
Review Scope
Punk sits between customer agents, model providers, tools, web context, side effects, and operator review. The security objective is to keep raw tenant traffic isolated, attributable, governed, reviewable, and removable under the configured retention policy while allowing proven optimized routes to serve only after replay, shadow, policy, and rollback checks.
Current public docs describe hosted Punk and Punk-operated infrastructure. They do not describe a customer self-hosting program.
Data Boundaries
| Boundary | Current posture | Review evidence |
|---|---|---|
| Tenant / organization | Organizations are the tenant boundary. Runs, traces, workflows, conversations, keys, settings, approvals, credentials, usage, and invites are tenant-scoped. Dashboard sessions resolve an active organization. | Accounts & Orgs, Architecture, API |
| App | Tenant API keys can be pinned to an app id; otherwise X-Punk-App attributes traffic. | API, Configuration |
| Agent | X-Punk-Agent attributes behavior to an agent identity for trust, policy, cost, and audit. | Governance |
| Subject | X-Punk-Subject is a pseudonymous user/account/task dimension and part of cache-safety boundaries. | API, Agent Observability & Tool Caching |
| Credential | Provider and connector secrets are stored as tenant credentials, masked in list APIs, and resolved internally by the runtime when needed. | Configuration, API |
| Artifact / route | Optimized routes are tied to tenant evidence, replay/shadow results, route explanations, and rollback controls. | Enterprise Pilot, Learning, API |
Reviewer note: tenant isolation is enforced by the application and storage interfaces. If a customer requires database-level row security, dedicated infrastructure, regional pinning, or customer-managed encryption keys, collect separate deployment evidence before making that commitment.
Data Processed
Punk can process these data classes depending on which features are enabled:
- Model request messages and provider responses.
- Route explanations, token counts, costs, latency, and provider/model metadata.
- Trace events for request, model, tool, workflow, web, policy, DLP, tripwire, approval, learning, replay, and shadow behavior.
- SDK tool arguments and results when traced by the application.
- Managed connector tool inputs/results when installed.
- Web snapshots and web session actions when web features are used.
- Workflow definitions, workflow run events, conversations, agents, and schedules.
- Human user records, org memberships, invites, sessions, and audit events.
- Tenant settings, API key metadata, credential metadata, and encrypted credential secrets.
Do not put secrets in prompts, workflow inputs, trace-visible metadata, or customer-facing route explanations. Use tenant credentials and cred:<id> references for tool and connector secrets.
Retention And Redaction
| Control | Current behavior | Operator decision |
|---|---|---|
| Trace ledger | Trace events are append-only during their lifetime and have a per-run integrity hash chain. | Export evidence before destructive retention or org deletion. |
| Default retention | Retention sweep defaults to PUNK_RETENTION_DAYS, default 90, unless a tenant retention_days setting or job payload overrides it. | Confirm tenant retention before production traffic. |
| Retention effect | Retention deletes old runs, trace events, and audit records for the tenant. | Confirm backups and customer evidence needs before shortening windows. |
| Trace redaction | Tenant setting redaction=true masks string leaves in stored trace payloads before append and marks payloads _redacted. | Enable before tracing sensitive tool or workflow payloads. |
| Streaming DLP | Tenant setting streaming_dlp=true masks supported sensitive patterns in bytes returned to the client. | Use for workloads where secrets or regulated identifiers may be returned by a model. |
| Tripwires | Operators can plant sensitive decoys, audit detections, and optionally block matching runs. | Use for known tokens, record ids, or URLs that should not appear in traffic. |
Redaction is deterministic masking, not a substitute for data minimization. Review examples after enabling it, because masking changes trace fidelity and output readability.
Credentials And Provider Keys
Credential posture:
- Tenant API keys are bearer
pk_tokens. The full token is shown once and stored only as a hash. - Human passwords are argon2id-hashed. Dashboard sessions use HttpOnly cookies, and session tokens are stored only as hashes.
- Invite and verification tokens are one-time tokens stored as hashes.
- Stored credentials use AES-256-GCM at rest with
PUNK_ENCRYPTION_KEY. Authenticated deployments should set a valid 32-byte base64 key before storing provider keys, workflow credentials, MCP credentials, or managed connector credentials. - Credential list APIs return masked records. Runtime executors resolve plaintext internally when connecting to providers, MCP servers, or managed connectors.
Provider-key posture:
- Customer apps should hold a Punk tenant API key, not raw OpenAI, Anthropic, OpenRouter, DeepSeek, Kimi/Moonshot, or Gemini keys.
- Tenants can use hosted provider configuration or BYOK credentials. A tenant BYOK key takes precedence for that tenant and provider family.
- Live run traces record whether a tenant key or platform key served the request.
- Provider failover is visible in route explanations and trace events. Mock fallback is intended for local development, demos, and explicitly accepted deployments, not silent production fallback.
- Live model providers receive the request content needed to answer the request. Provider retention, training, DPA, and subprocessor terms must be reviewed per provider and contract.
Governance And Side Effects
Punk classifies tools by side-effect level:
| Level | Meaning | Enterprise default posture |
|---|---|---|
| 0 | Pure computation | Cache/replay eligible when useful. |
| 1 | Read-only external access | Good first pilot scope; cache only with tenant/app/subject safety dimensions. |
| 2 | Reversible or idempotent write | Require idempotency, audit, and owner review. |
| 3 | User-visible write | Start observe-only; require policy and approval before optimize mode. |
| 4 | High-impact write | Require explicit policy, human approval, replay/shadow suppression, and rollback planning. |
Undeclared SDK tools default to level 3. Managed connectors declare side-effect level, cache posture, replay behavior, shadow suppression, idempotency, approval defaults, auth requirements, and redaction metadata in their manifests.
Observe mode is the recommended first enterprise rollout mode. Live provider responses still serve users, while Punk records policy decisions, candidate routes, ghost savings, and evidence gaps without serving optimized paths or enforcing denials.
Audit And Evidence Export
Security reviewers should expect one run to have an exportable story:
- Who acted: tenant, app, agent, subject, API key or human actor where applicable.
- What happened: request, route, provider/model, cost, latency, tool calls, side effects, policy decisions, and errors.
- Why this route served: route explanation, rejected alternatives, cache/artifact details, failover, savings, and evidence warnings.
- What proof exists: trace integrity result, replay bundle when available, shadow/evaluation evidence, Chorus receipt when present, side effects, feedback, and related audit rows.
- What can be undone: rollback, quarantine, policy deny, key revoke, credential delete, settings change, or return to observe mode.
Useful endpoints:
| Endpoint | Use |
|---|---|
GET /api/v1/runs/:id | Run detail, trace events, and side effects. |
GET /api/v1/runs/:id/integrity | Verify the per-run trace integrity hash chain. |
GET /api/v1/runs/:id/evidence-packet | Support/security packet with run, route explanation, integrity, replay material when available, side effects, audit rows, trace events, and Chorus material when present. |
GET /api/v1/audit | Governance and operator audit events. |
GET /api/v1/readiness | Deployment readiness checks and machine-readable readiness receipt. |
Deployment Architecture
Minimum Punk-operated production shape:
customer app or agent
-> Punk hosted gateway / dashboard / API
-> router, governance, cache, artifact runtime, web runtime
-> live model provider or optimized route
-> trace ledger, audit events, jobs, learning, replay, shadow
Operational expectations:
- Use protected mode with
PUNK_API_KEY, dashboard login, and scoped tenant API keys. - Use Postgres for durable deployed environments and a standalone worker or serverless cron tick for durable jobs.
- Set
PUNK_ENCRYPTION_KEYbefore credential storage. - Terminate HTTPS at the edge; bind the app to
127.0.0.1behind a reverse proxy where applicable. - Keep
PUNK_ALLOW_PRIVATE_WEB_FETCH=falseandPUNK_ALLOW_PRIVATE_WEBHOOKS=falseunless private network access is intentionally required. - Use
/health,/api/v1/readiness,/api/v1/jobs,/api/v1/audit,/api/v1/runs, and/api/v1/cache/statsfor operational checks. - Back up the production database and confirm backup retention covers audit and replay needs.
Incident And Rollback Procedure
Use this operational sequence for a suspected policy, data, credential, routing, or optimization incident.
- Contain serving risk: switch the affected app key to observe mode, revoke the key, disable
semantic_cacheserving, disable model substitution serving, or apply a deny/approval-required policy. - Stop unsafe optimized routes: rollback or quarantine the artifact, disable canary, and confirm future matching traffic routes live or blocked according to policy.
- Contain credentials: delete or rotate affected provider, workflow, MCP, or managed connector credentials; verify
PUNK_ENCRYPTION_KEYposture; revoke external provider/vendor keys if needed. - Suppress side effects: keep L3/L4 actions approval-required, verify replay/shadow suppression, and pause risky workflows or scheduled agents.
- Preserve evidence: export the run evidence packet, run integrity result, relevant audit rows, readiness receipt, job status, and connector/workflow configuration.
- Restore deliberately: replay or shadow before re-promoting, re-enable canary for limited traffic, and document owner approval before optimize mode resumes.
Evidence to collect for a post-incident review:
- Affected tenant, app, agent, subject, run ids, artifact ids, credential ids, provider key source, and policy version.
- Route explanations and integrity results for affected runs.
- Audit events for key, credential, policy, approval, artifact, org, user, and setting changes.
- Job health and worker/cron evidence if background work was involved.
- Provider/vendor response or support evidence if the incident crossed an external provider boundary.
Reviewer Checklist
Security reviewer:
- Confirm the tenant, app, agent, and subject identifiers used by the pilot.
- Confirm which data classes enter prompts, traces, tool calls, connectors, web snapshots, and provider calls.
- Confirm provider key source for live traffic and review provider contractual terms.
- Confirm tenant
retention_days,redaction,streaming_dlp,semantic_cache, andcross_tenant_learningsettings. - Confirm no cross-tenant aggregate learning is enabled unless the customer explicitly opted in.
- Confirm L3/L4 tools require approval or are denied for the pilot.
- Export one evidence packet for a live run and verify the route explanation is understandable.
- Verify audit rows exist for login/key/credential/policy/approval/artifact actions used in the pilot.
- Review private web fetch and private webhook posture.
- Record not-yet evidence needed before production expansion.
Platform operator:
- Set
PUNK_API_KEY, dashboard admin credentials, and login mode for public deployments. - Issue scoped, non-admin tenant API keys and pin them to app ids where possible.
- Set a valid
PUNK_ENCRYPTION_KEYbefore storing credentials. - Use Postgres for deployed environments; run a standalone worker or serverless cron tick.
- Configure live providers or tenant BYOK before production-like traffic.
- Keep mock provider and mock failover out of production unless the risk is documented.
- Set rate limits, private-network controls, retention, redaction, and backup posture.
- Confirm
/api/v1/readinesshas no unexpectedattentionrows. - Review
/api/v1/jobs,/api/v1/audit, and failed runs during pilot rollout. - Exercise artifact rollback/quarantine before expanding optimize-mode traffic.
Evidence packet for an enterprise review:
- Readiness receipt.
- Example run evidence packet.
- Audit export for the review window.
- Policy files or policy summary.
- Tenant settings export or screenshots for retention/redaction/DLP/learning controls.
- Provider-key source evidence for example runs.
- Connector manifest excerpts for enabled tools.
- Backup/restore evidence from the deployment operator.
- Incident and rollback drill notes.
Compliance Mapping
This mapping is for review planning. It is not a compliance attestation.
| Review area | Current product evidence | Not yet / evidence needed |
|---|---|---|
| SOC 2-style security controls | Auth modes, hashed API/session tokens, role-gated admin actions, audit events, readiness receipt, credential encryption, policy approvals, backups/operations checklist. | Independent audit report, control owner matrix, vulnerability management evidence, change-management evidence, vendor/subprocessor evidence. |
| Privacy and data lifecycle | Tenant scoping, retention sweep, org deletion cascade for tenant data, evidence export, redaction, DLP, opt-in aggregate learning. | Customer-specific DPA, subprocessor list, data residency terms, complete DSAR workflow, retention exceptions, legal basis review. |
| HIPAA/regulated health data | Governance, redaction, DLP, and audit controls may help a risk assessment. | BAA, PHI handling policy, healthcare-specific controls, provider BAAs, and customer approval before PHI is sent. |
| Data residency | Deployment can be operated with a chosen database/provider region when infrastructure supports it. | Region-specific contract, backups/logs residency evidence, provider region configuration, and operational monitoring. |
| Encryption | Credential secrets are AES-256-GCM encrypted with PUNK_ENCRYPTION_KEY; HTTPS should be used at the edge; database provider encryption depends on deployment. | Full database/disk encryption evidence, key rotation procedure, customer-managed key support, and provider attestations. |
| Access management | Human users, org roles, admin gates, API keys, app pinning, revocation, invite lifecycle, session invalidation on member removal. | SSO/SAML/SCIM evidence if required by the customer. |
| Auditability | Run detail, trace integrity, route explanations, audit endpoint, evidence packet, readiness receipt, learning evidence, replay/shadow records. | Long-term archive policy, SIEM export, immutable external log store, and customer-specific audit retention. |
| Incident response | Operational rollback/quarantine/key-revoke/policy-deny procedure and evidence export surfaces. | Formal incident response policy, notification SLA, tabletop records, and customer-specific escalation contacts. |
Not Yet And Evidence Needed
Do not claim these without separate evidence:
- A completed SOC 2, ISO 27001, HIPAA, or other formal compliance attestation.
- A customer-specific DPA, BAA, subprocessor list, data residency commitment, or provider retention commitment.
- Customer-managed encryption keys or database-level row security.
- SSO/SAML/SCIM support unless it has been implemented and documented elsewhere.
- SIEM-native export, immutable external audit archive, or legal hold workflow.
- A production incident notification SLA.
- That live provider traffic has no provider-side retention or training exposure. Review each configured provider contract.
When a reviewer asks for one of these, treat it as an evidence request, not a product claim.