PUNK

// security posture

Sensitive infrastructure needs visible boundaries.

Punk sits between applications, models, tools, web context, and consequential actions. Its design keeps execution attributable, tenant-scoped, policy-governed, and reviewable.

Important scope

This page describes product design and review questions. It is not a certification statement, compliance attestation, or guarantee that every control is enabled in every deployment.

// identity boundaries

Every route needs context about who owns the work.

BoundaryWhat it scopesExample
TenantRuns, traces, settings, keys, policies, caches, and reusable workflowsTenant-scoped storage and authorization
ApplicationTraffic for one logical product or workflowX-Punk-App
AgentThe bot or workflow actor responsible for executionX-Punk-Agent
SubjectThe user, account, workspace, or queue safety dimensionX-Punk-Subject in eligible cache keys
CredentialAccess to model providers and connected systemsScoped provider configuration or supported tenant BYOK
ArtifactA reusable workflow's origin and evidenceLifecycle, replay/shadow records, policy, rollback

// action governance

Unknown tools are treated conservatively.

Punk classifies side effects from pure computation through high-impact writes. An undeclared tool defaults to level 3: a user-visible write.

Levels 0–1

Compute and read

Pure work and scoped read-only calls can be replayed or cached when freshness, authorization, and subject boundaries allow it.

Levels 2–3

Controlled writes

Reversible, idempotent, or user-visible writes need explicit treatment. Replay and shadow suppress or dry-run effects.

Level 4

High impact

High-impact actions are expected to remain live and approval-gated by default, subject to tenant policy.

// traces and learning

Optimization does not require a shared raw-data pool.

The trace ledger is append-only so derived patterns, routes, and evidence can be rebuilt. That makes retention and access decisions important.

Default learning posture

  • Tenant-local optimization
  • No cross-tenant raw-data use by default
  • Explicit opt-in for aggregate learning
  • Scoped identities in routing and cache decisions
  • Secrets excluded from explanations and public collateral

Validate for your deployment

  • Storage encryption and operational access
  • Retention, export, and deletion behavior
  • Redaction, masking, and PII handling
  • Credential storage and rotation
  • Administrative audit and tamper evidence

Do not infer an implementation-specific control from the architecture. Hosted configuration, customer deployment model, legal terms, and enabled controls must be reviewed together.

// untrusted inputs

Content is data, not runtime instruction.

Tool outputs

Tool responses should be typed and sanitized before reuse. Embedded instructions do not independently authorize actions.

Web + documents

Pages, retrieved text, and documents are untrusted context. Policy checks operate independently of model-generated intent.

Memory influence

Low-trust context should not trigger high-impact side effects without a policy-approved path and any required human decision.

// review packet

Ask these questions for every important route.

  1. Ownership

    Which tenant, app, agent, and subject owns the run, trace, cache entry, workflow, credential, and policy?

  2. Actions

    Which tools ran, what were their side-effect levels, and were any writes suppressed, blocked, approved, or executed?

  3. Decision

    Which route served, which alternatives were rejected, what policy version applied, and why did fallback occur?

  4. Evidence

    If optimized, what replay, shadow, mismatch, canary, freshness, and rollback evidence supports the route?

  5. Data lifecycle

    Which credentials, retention rules, redaction controls, and access records apply in this deployment?

Review the real deployment, not a badge wall.

Bring your workload, data classes, tools, retention needs, and approval rules. We will map them to the boundaries Punk can enforce and identify what still needs validation.