Agent scopes and safety
Limit what an agent can do with scopes and audit.
Every `nxk_live` key carries scopes. An agent can only call tools or endpoints its scopes allow, and every action is recorded in the audit log.
Safe practice
- Grant the minimum scopes the agent needs
- Use a separate key per agent for easy revocation
- Watch the audit log for unexpected actions
- Rotate keys if leaked