Security & trust

konareef is built around explicit, declared trust boundaries. A reefpod states what it can access, what it can spend, and what evidence it produces — and every run leaves a verifiable custody proof. This page is for builders shipping pods and for evaluators deciding whether a pod is safe to run against company data.

The trust model at a glance

BoundaryDeclared byEnforced by
Secrets[dependencies].secrets (names only)reef-core vault at spawn
Tools[directive].tools_allowed / tools_deniedruntime
Spend[budget] (satoshis)runtime + PayGate rails
Done / limits[output] predicatesruntime
Evidencecustody proofkonareef verify

Secrets

Pods never contain secret values. They declare the secret names they require; reef-core injects the values from its vault at spawn time. This keeps credentials out of source control, out of the published bundle, and out of proof logs.

[dependencies]
secrets = ["OPENAI_API_KEY", "GITHUB_TOKEN"]   # names only — never values

Tools

Constrain what the directive is allowed to invoke. Prefer an explicit allowlist over denying individual tools.

[directive]
template      = "./prompts/system.md"
tools_allowed = ["web_search"]
tools_denied  = ["shell"]

Budgets

Budgets are hard caps in satoshis. They stop runaway cost and runtime, and they make a pod easy to approve inside a team.

[budget]
max_sats          = 500
per_call_cap_sats = 100
daily_cap_sats    = 2000

Proof

Every run on reef-core produces a signed custody proof: evidence of what the pod did, what it cost, and that it stayed within its declared boundaries. Proofs are re-verifiable offline:

konareef verify ./bundle            # re-verify a konareef-bundle
konareef verify ./bundle --strict   # stricter signature/attestation checks

For privacy-sensitive pods, konareef supports disclosure policies that control how much of a run is revealed in the proof (selective disclosure, --disclosure-policy), backed by a zero-knowledge bundle. Choose the policy that reveals only what a verifier needs.

Good vs. bad

Over-broad — vague, hard to approve, over-permissioned:

[dependencies]
secrets = ["OPENAI_API_KEY", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "GITHUB_TOKEN"]

[directive]
task = "Do whatever it takes."
# no tool limits, no budget

Least-privilege — narrow, bounded, reviewable:

[dependencies]
secrets = ["GITHUB_TOKEN"]

[directive]
template      = "./prompts/system.md"
tools_allowed = ["web_search"]

[budget]
max_sats       = 250
daily_cap_sats = 1000

Safe publishing checklist

For company evaluators

Because boundaries are declared in pod.toml and every run is provable, you can review a pod before it touches your data and audit it afterward from its custody proof — without trusting the publisher’s claims.