Compute and read
Pure work and scoped read-only calls can be replayed or cached when freshness, authorization, and subject boundaries allow it.
// security posture
Punk sits between applications, models, tools, web context, and consequential actions. Its design keeps execution attributable, tenant-scoped, policy-governed, and reviewable.
This page describes product design and review questions. It is not a certification statement, compliance attestation, or guarantee that every control is enabled in every deployment.
// identity boundaries
| Boundary | What it scopes | Example |
|---|---|---|
| Tenant | Runs, traces, settings, keys, policies, caches, and reusable workflows | Tenant-scoped storage and authorization |
| Application | Traffic for one logical product or workflow | X-Punk-App |
| Agent | The bot or workflow actor responsible for execution | X-Punk-Agent |
| Subject | The user, account, workspace, or queue safety dimension | X-Punk-Subject in eligible cache keys |
| Credential | Access to model providers and connected systems | Scoped provider configuration or supported tenant BYOK |
| Artifact | A reusable workflow's origin and evidence | Lifecycle, replay/shadow records, policy, rollback |
// action governance
Punk classifies side effects from pure computation through high-impact writes. An undeclared tool defaults to level 3: a user-visible write.
Pure work and scoped read-only calls can be replayed or cached when freshness, authorization, and subject boundaries allow it.
Reversible, idempotent, or user-visible writes need explicit treatment. Replay and shadow suppress or dry-run effects.
High-impact actions are expected to remain live and approval-gated by default, subject to tenant policy.
// traces and learning
The trace ledger is append-only so derived patterns, routes, and evidence can be rebuilt. That makes retention and access decisions important.
Do not infer an implementation-specific control from the architecture. Hosted configuration, customer deployment model, legal terms, and enabled controls must be reviewed together.
// untrusted inputs
Tool responses should be typed and sanitized before reuse. Embedded instructions do not independently authorize actions.
Pages, retrieved text, and documents are untrusted context. Policy checks operate independently of model-generated intent.
Low-trust context should not trigger high-impact side effects without a policy-approved path and any required human decision.
// review packet
Which tenant, app, agent, and subject owns the run, trace, cache entry, workflow, credential, and policy?
Which tools ran, what were their side-effect levels, and were any writes suppressed, blocked, approved, or executed?
Which route served, which alternatives were rejected, what policy version applied, and why did fallback occur?
If optimized, what replay, shadow, mismatch, canary, freshness, and rollback evidence supports the route?
Which credentials, retention rules, redaction controls, and access records apply in this deployment?
Bring your workload, data classes, tools, retention needs, and approval rules. We will map them to the boundaries Punk can enforce and identify what still needs validation.