Security & trust
konareef is built around explicit, declared trust boundaries. A reefpod states what it can access, what it can spend, and what evidence it produces — and every run leaves a verifiable custody proof. This page is for builders shipping pods and for evaluators deciding whether a pod is safe to run against company data.
The trust model at a glance
| Boundary | Declared by | Enforced by |
|---|---|---|
| Secrets | [dependencies].secrets (names only) | reef-core vault at spawn |
| Tools | [directive].tools_allowed / tools_denied | runtime |
| Spend | [budget] (satoshis) | runtime + PayGate rails |
| Done / limits | [output] predicates | runtime |
| Evidence | custody proof | konareef verify |
Secrets
Pods never contain secret values. They declare the secret names they require; reef-core injects the values from its vault at spawn time. This keeps credentials out of source control, out of the published bundle, and out of proof logs.
[dependencies]
secrets = ["OPENAI_API_KEY", "GITHUB_TOKEN"] # names only — never values
Tools
Constrain what the directive is allowed to invoke. Prefer an explicit allowlist over denying individual tools.
[directive]
template = "./prompts/system.md"
tools_allowed = ["web_search"]
tools_denied = ["shell"]
Budgets
Budgets are hard caps in satoshis. They stop runaway cost and runtime, and they make a pod easy to approve inside a team.
[budget]
max_sats = 500
per_call_cap_sats = 100
daily_cap_sats = 2000
Proof
Every run on reef-core produces a signed custody proof: evidence of what the pod did, what it cost, and that it stayed within its declared boundaries. Proofs are re-verifiable offline:
konareef verify ./bundle # re-verify a konareef-bundle
konareef verify ./bundle --strict # stricter signature/attestation checks
For privacy-sensitive pods, konareef supports disclosure policies that
control how much of a run is revealed in the proof (selective disclosure,
--disclosure-policy), backed by a zero-knowledge bundle.
Choose the policy that reveals only what a verifier needs.
Good vs. bad
Over-broad — vague, hard to approve, over-permissioned:
[dependencies]
secrets = ["OPENAI_API_KEY", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "GITHUB_TOKEN"]
[directive]
task = "Do whatever it takes."
# no tool limits, no budget
Least-privilege — narrow, bounded, reviewable:
[dependencies]
secrets = ["GITHUB_TOKEN"]
[directive]
template = "./prompts/system.md"
tools_allowed = ["web_search"]
[budget]
max_sats = 250
daily_cap_sats = 1000
Safe publishing checklist
- Does this pod need every secret it declares? Remove any it does not.
- Are secrets declared by name only, never embedded?
- Is the tool surface restricted with
tools_allowed? - Is a
[budget]declared with a sensiblemax_sats? - Does
[output]declare clear success/failure conditions? - For sensitive workflows, is an appropriate disclosure policy chosen so proofs don’t leak inputs?
- Does
konareef pod validatepass cleanly?
Because boundaries are declared in pod.toml and every run
is provable, you can review a pod before it touches your data and audit
it afterward from its custody proof — without trusting the publisher’s
claims.