Security
Overview
Security is built into every layer of AgentFlow, not bolted on as an afterthought.
RBAC
Three built-in roles with granular permissions:
| Role | Permissions |
|---|---|
| Admin | Full access -- manage users, config, pipelines, security |
| Operator | Read/write metrics and pipelines, execute, train classifier |
| Viewer | Read-only access to metrics, pipelines, security logs |
API Key Management
- Keys are SHA-256 hashed at rest
- Key rotation without downtime via rotate_key()
- Deactivated users immediately lose access
Request Signing
HMAC-SHA256 request signing prevents tampering.
Output Filtering
Automatic scanning for prompt injection attempts, PII leakage, and internal system information exposure.
Canary Tokens
Embed trackable tokens in sensitive data to detect unauthorised access or exfiltration.
Rate Detection
Automatic detection of anomalous request patterns with configurable thresholds.
Audit Logging
Structured audit trail for all security-relevant events via structlog.