Enterprise Security
RBAC, audit logging, secret masking, and sandboxed command execution as standalone primitives you can wire into your trust boundaries.
from neuroagent import RBAC, AuditLog, SecretStore, Sandbox
# Role-based access control (supports "*" and "ns:*" wildcards)
rbac = RBAC()
rbac.define_role("analyst", {"db:read", "api:get"})
rbac.assign("amit", "analyst")
rbac.require("amit", "db:read") # raises SecurityError if not permitted
# Append-only audit log (optional JSONL file sink)
audit = AuditLog(sink_path="audit.jsonl")
audit.record("amit", "db:query", resource="customers", rows=42)
# Secret resolution + masking (encryption via the [security] extra)
secrets = SecretStore({"API_KEY": "sk-supersecret-1234"})
print(secrets.masked("API_KEY")) # ***************1234
# Command policy guard for shell/code/SQL tools
sandbox = Sandbox(allow=["ls", "cat"])
sandbox.check("rm -rf /") # raises SecurityError
Database and API agents are read-only by default; pair them
with
RBAC and AuditLog when exposing write access to an agent.
NeuroAgent AI