PUNKthe adaptive runtime

//DOCS Enterprise Security Review

Security-review guide to boundaries, retention, credentials, audit, rollback, and operational controls.

Enterprise Security Review

This page packages Punk's current trust and security posture for enterprise review. It is a practical review guide, not a certification report, legal commitment, or customer-specific security addendum.

Use it with:

  • Governance for policy, approvals, audit, redaction, DLP, tripwires, and trust lanes.
  • Configuration for environment variables, provider modes, auth modes, tenant settings, database choice, and readiness receipts.
  • Operations for production readiness, workers, health checks, backups, retention, and rollout operations.
  • Architecture for request flow, package boundaries, persistence, and trace integrity.
  • API for evidence packets, audit endpoints, run detail, receipts, keys, credentials, and settings.
  • Connectors for managed connector auth, data classes, side-effect levels, cache, replay, shadow, idempotency, and redaction metadata.

Review Scope

Punk sits between customer agents, model providers, tools, web context, side effects, and operator review. The security objective is to keep raw tenant traffic isolated, attributable, governed, reviewable, and removable under the configured retention policy while allowing proven optimized routes to serve only after replay, shadow, policy, and rollback checks.

Current public docs describe hosted Punk and Punk-operated infrastructure. They do not describe a customer self-hosting program.

Data Boundaries

BoundaryCurrent postureReview evidence
Tenant / organizationOrganizations are the tenant boundary. Runs, traces, workflows, conversations, keys, settings, approvals, credentials, usage, and invites are tenant-scoped. Dashboard sessions resolve an active organization.Accounts & Orgs, Architecture, API
AppTenant API keys can be pinned to an app id; otherwise X-Punk-App attributes traffic.API, Configuration
AgentX-Punk-Agent attributes behavior to an agent identity for trust, policy, cost, and audit.Governance
SubjectX-Punk-Subject is a pseudonymous user/account/task dimension and part of cache-safety boundaries.API, Agent Observability & Tool Caching
CredentialProvider and connector secrets are stored as tenant credentials, masked in list APIs, and resolved internally by the runtime when needed.Configuration, API
Artifact / routeOptimized routes are tied to tenant evidence, replay/shadow results, route explanations, and rollback controls.Enterprise Pilot, Learning, API

Reviewer note: tenant isolation is enforced by the application and storage interfaces. If a customer requires database-level row security, dedicated infrastructure, regional pinning, or customer-managed encryption keys, collect separate deployment evidence before making that commitment.

Data Processed

Punk can process these data classes depending on which features are enabled:

  • Model request messages and provider responses.
  • Route explanations, token counts, costs, latency, and provider/model metadata.
  • Trace events for request, model, tool, workflow, web, policy, DLP, tripwire, approval, learning, replay, and shadow behavior.
  • SDK tool arguments and results when traced by the application.
  • Managed connector tool inputs/results when installed.
  • Web snapshots and web session actions when web features are used.
  • Workflow definitions, workflow run events, conversations, agents, and schedules.
  • Human user records, org memberships, invites, sessions, and audit events.
  • Tenant settings, API key metadata, credential metadata, and encrypted credential secrets.

Do not put secrets in prompts, workflow inputs, trace-visible metadata, or customer-facing route explanations. Use tenant credentials and cred:<id> references for tool and connector secrets.

Retention And Redaction

ControlCurrent behaviorOperator decision
Trace ledgerTrace events are append-only during their lifetime and have a per-run integrity hash chain.Export evidence before destructive retention or org deletion.
Default retentionRetention sweep defaults to PUNK_RETENTION_DAYS, default 90, unless a tenant retention_days setting or job payload overrides it.Confirm tenant retention before production traffic.
Retention effectRetention deletes old runs, trace events, and audit records for the tenant.Confirm backups and customer evidence needs before shortening windows.
Trace redactionTenant setting redaction=true masks string leaves in stored trace payloads before append and marks payloads _redacted.Enable before tracing sensitive tool or workflow payloads.
Streaming DLPTenant setting streaming_dlp=true masks supported sensitive patterns in bytes returned to the client.Use for workloads where secrets or regulated identifiers may be returned by a model.
TripwiresOperators can plant sensitive decoys, audit detections, and optionally block matching runs.Use for known tokens, record ids, or URLs that should not appear in traffic.

Redaction is deterministic masking, not a substitute for data minimization. Review examples after enabling it, because masking changes trace fidelity and output readability.

Credentials And Provider Keys

Credential posture:

  • Tenant API keys are bearer pk_ tokens. The full token is shown once and stored only as a hash.
  • Human passwords are argon2id-hashed. Dashboard sessions use HttpOnly cookies, and session tokens are stored only as hashes.
  • Invite and verification tokens are one-time tokens stored as hashes.
  • Stored credentials use AES-256-GCM at rest with PUNK_ENCRYPTION_KEY. Authenticated deployments should set a valid 32-byte base64 key before storing provider keys, workflow credentials, MCP credentials, or managed connector credentials.
  • Credential list APIs return masked records. Runtime executors resolve plaintext internally when connecting to providers, MCP servers, or managed connectors.

Provider-key posture:

  • Customer apps should hold a Punk tenant API key, not raw OpenAI, Anthropic, OpenRouter, DeepSeek, Kimi/Moonshot, or Gemini keys.
  • Tenants can use hosted provider configuration or BYOK credentials. A tenant BYOK key takes precedence for that tenant and provider family.
  • Live run traces record whether a tenant key or platform key served the request.
  • Provider failover is visible in route explanations and trace events. Mock fallback is intended for local development, demos, and explicitly accepted deployments, not silent production fallback.
  • Live model providers receive the request content needed to answer the request. Provider retention, training, DPA, and subprocessor terms must be reviewed per provider and contract.

Governance And Side Effects

Punk classifies tools by side-effect level:

LevelMeaningEnterprise default posture
0Pure computationCache/replay eligible when useful.
1Read-only external accessGood first pilot scope; cache only with tenant/app/subject safety dimensions.
2Reversible or idempotent writeRequire idempotency, audit, and owner review.
3User-visible writeStart observe-only; require policy and approval before optimize mode.
4High-impact writeRequire explicit policy, human approval, replay/shadow suppression, and rollback planning.

Undeclared SDK tools default to level 3. Managed connectors declare side-effect level, cache posture, replay behavior, shadow suppression, idempotency, approval defaults, auth requirements, and redaction metadata in their manifests.

Observe mode is the recommended first enterprise rollout mode. Live provider responses still serve users, while Punk records policy decisions, candidate routes, ghost savings, and evidence gaps without serving optimized paths or enforcing denials.

Audit And Evidence Export

Security reviewers should expect one run to have an exportable story:

  1. Who acted: tenant, app, agent, subject, API key or human actor where applicable.
  2. What happened: request, route, provider/model, cost, latency, tool calls, side effects, policy decisions, and errors.
  3. Why this route served: route explanation, rejected alternatives, cache/artifact details, failover, savings, and evidence warnings.
  4. What proof exists: trace integrity result, replay bundle when available, shadow/evaluation evidence, Chorus receipt when present, side effects, feedback, and related audit rows.
  5. What can be undone: rollback, quarantine, policy deny, key revoke, credential delete, settings change, or return to observe mode.

Useful endpoints:

EndpointUse
GET /api/v1/runs/:idRun detail, trace events, and side effects.
GET /api/v1/runs/:id/integrityVerify the per-run trace integrity hash chain.
GET /api/v1/runs/:id/evidence-packetSupport/security packet with run, route explanation, integrity, replay material when available, side effects, audit rows, trace events, and Chorus material when present.
GET /api/v1/auditGovernance and operator audit events.
GET /api/v1/readinessDeployment readiness checks and machine-readable readiness receipt.

Deployment Architecture

Minimum Punk-operated production shape:

customer app or agent
  -> Punk hosted gateway / dashboard / API
  -> router, governance, cache, artifact runtime, web runtime
  -> live model provider or optimized route
  -> trace ledger, audit events, jobs, learning, replay, shadow

Operational expectations:

  • Use protected mode with PUNK_API_KEY, dashboard login, and scoped tenant API keys.
  • Use Postgres for durable deployed environments and a standalone worker or serverless cron tick for durable jobs.
  • Set PUNK_ENCRYPTION_KEY before credential storage.
  • Terminate HTTPS at the edge; bind the app to 127.0.0.1 behind a reverse proxy where applicable.
  • Keep PUNK_ALLOW_PRIVATE_WEB_FETCH=false and PUNK_ALLOW_PRIVATE_WEBHOOKS=false unless private network access is intentionally required.
  • Use /health, /api/v1/readiness, /api/v1/jobs, /api/v1/audit, /api/v1/runs, and /api/v1/cache/stats for operational checks.
  • Back up the production database and confirm backup retention covers audit and replay needs.

Incident And Rollback Procedure

Use this operational sequence for a suspected policy, data, credential, routing, or optimization incident.

  1. Contain serving risk: switch the affected app key to observe mode, revoke the key, disable semantic_cache serving, disable model substitution serving, or apply a deny/approval-required policy.
  2. Stop unsafe optimized routes: rollback or quarantine the artifact, disable canary, and confirm future matching traffic routes live or blocked according to policy.
  3. Contain credentials: delete or rotate affected provider, workflow, MCP, or managed connector credentials; verify PUNK_ENCRYPTION_KEY posture; revoke external provider/vendor keys if needed.
  4. Suppress side effects: keep L3/L4 actions approval-required, verify replay/shadow suppression, and pause risky workflows or scheduled agents.
  5. Preserve evidence: export the run evidence packet, run integrity result, relevant audit rows, readiness receipt, job status, and connector/workflow configuration.
  6. Restore deliberately: replay or shadow before re-promoting, re-enable canary for limited traffic, and document owner approval before optimize mode resumes.

Evidence to collect for a post-incident review:

  • Affected tenant, app, agent, subject, run ids, artifact ids, credential ids, provider key source, and policy version.
  • Route explanations and integrity results for affected runs.
  • Audit events for key, credential, policy, approval, artifact, org, user, and setting changes.
  • Job health and worker/cron evidence if background work was involved.
  • Provider/vendor response or support evidence if the incident crossed an external provider boundary.

Reviewer Checklist

Security reviewer:

  • Confirm the tenant, app, agent, and subject identifiers used by the pilot.
  • Confirm which data classes enter prompts, traces, tool calls, connectors, web snapshots, and provider calls.
  • Confirm provider key source for live traffic and review provider contractual terms.
  • Confirm tenant retention_days, redaction, streaming_dlp, semantic_cache, and cross_tenant_learning settings.
  • Confirm no cross-tenant aggregate learning is enabled unless the customer explicitly opted in.
  • Confirm L3/L4 tools require approval or are denied for the pilot.
  • Export one evidence packet for a live run and verify the route explanation is understandable.
  • Verify audit rows exist for login/key/credential/policy/approval/artifact actions used in the pilot.
  • Review private web fetch and private webhook posture.
  • Record not-yet evidence needed before production expansion.

Platform operator:

  • Set PUNK_API_KEY, dashboard admin credentials, and login mode for public deployments.
  • Issue scoped, non-admin tenant API keys and pin them to app ids where possible.
  • Set a valid PUNK_ENCRYPTION_KEY before storing credentials.
  • Use Postgres for deployed environments; run a standalone worker or serverless cron tick.
  • Configure live providers or tenant BYOK before production-like traffic.
  • Keep mock provider and mock failover out of production unless the risk is documented.
  • Set rate limits, private-network controls, retention, redaction, and backup posture.
  • Confirm /api/v1/readiness has no unexpected attention rows.
  • Review /api/v1/jobs, /api/v1/audit, and failed runs during pilot rollout.
  • Exercise artifact rollback/quarantine before expanding optimize-mode traffic.

Evidence packet for an enterprise review:

  • Readiness receipt.
  • Example run evidence packet.
  • Audit export for the review window.
  • Policy files or policy summary.
  • Tenant settings export or screenshots for retention/redaction/DLP/learning controls.
  • Provider-key source evidence for example runs.
  • Connector manifest excerpts for enabled tools.
  • Backup/restore evidence from the deployment operator.
  • Incident and rollback drill notes.

Compliance Mapping

This mapping is for review planning. It is not a compliance attestation.

Review areaCurrent product evidenceNot yet / evidence needed
SOC 2-style security controlsAuth modes, hashed API/session tokens, role-gated admin actions, audit events, readiness receipt, credential encryption, policy approvals, backups/operations checklist.Independent audit report, control owner matrix, vulnerability management evidence, change-management evidence, vendor/subprocessor evidence.
Privacy and data lifecycleTenant scoping, retention sweep, org deletion cascade for tenant data, evidence export, redaction, DLP, opt-in aggregate learning.Customer-specific DPA, subprocessor list, data residency terms, complete DSAR workflow, retention exceptions, legal basis review.
HIPAA/regulated health dataGovernance, redaction, DLP, and audit controls may help a risk assessment.BAA, PHI handling policy, healthcare-specific controls, provider BAAs, and customer approval before PHI is sent.
Data residencyDeployment can be operated with a chosen database/provider region when infrastructure supports it.Region-specific contract, backups/logs residency evidence, provider region configuration, and operational monitoring.
EncryptionCredential secrets are AES-256-GCM encrypted with PUNK_ENCRYPTION_KEY; HTTPS should be used at the edge; database provider encryption depends on deployment.Full database/disk encryption evidence, key rotation procedure, customer-managed key support, and provider attestations.
Access managementHuman users, org roles, admin gates, API keys, app pinning, revocation, invite lifecycle, session invalidation on member removal.SSO/SAML/SCIM evidence if required by the customer.
AuditabilityRun detail, trace integrity, route explanations, audit endpoint, evidence packet, readiness receipt, learning evidence, replay/shadow records.Long-term archive policy, SIEM export, immutable external log store, and customer-specific audit retention.
Incident responseOperational rollback/quarantine/key-revoke/policy-deny procedure and evidence export surfaces.Formal incident response policy, notification SLA, tabletop records, and customer-specific escalation contacts.

Not Yet And Evidence Needed

Do not claim these without separate evidence:

  • A completed SOC 2, ISO 27001, HIPAA, or other formal compliance attestation.
  • A customer-specific DPA, BAA, subprocessor list, data residency commitment, or provider retention commitment.
  • Customer-managed encryption keys or database-level row security.
  • SSO/SAML/SCIM support unless it has been implemented and documented elsewhere.
  • SIEM-native export, immutable external audit archive, or legal hold workflow.
  • A production incident notification SLA.
  • That live provider traffic has no provider-side retention or training exposure. Review each configured provider contract.

When a reviewer asks for one of these, treat it as an evidence request, not a product claim.