Documentation Index Fetch the complete documentation index at: https://docs.fibonacci.today/llms.txt
Use this file to discover all available pages before exploring further.
Security is critical for production workflows. This guide covers authentication, secrets management, encryption, access controls, and security best practices.
Authentication API Key Management Store API keys securely using Fibonacci’s keychain integration:
from fibonacci import SecureConfig from fibonacci.security import KeychainStorage # Store API key in system keychain keychain = KeychainStorage() keychain.set( "fibonacci_api_key" , "your-api-key" ) # Use in workflow config = SecureConfig( api_key = keychain.get( "fibonacci_api_key" ) )
Supported Keychain Backends Platform Backend macOS Keychain Services Windows Windows Credential Manager Linux Secret Service (GNOME Keyring, KWallet)
Environment-Based Authentication For CI/CD and containerized environments:
from fibonacci import SecureConfig import os config = SecureConfig( api_key = os.environ.get( "FIBONACCI_API_KEY" ), # Validate key is present require_api_key = True )
Secrets Management Defining Secrets Never hardcode secrets in workflow files:
# ❌ Bad - secrets in plain text nodes : - id : api_call type : tool tool : http.request inputs : headers : Authorization : "Bearer sk-1234567890" # ✅ Good - reference secrets nodes : - id : api_call type : tool tool : http.request inputs : headers : Authorization : "Bearer {{secrets.API_KEY}}"
Setting Secrets via CLI # Set a secret (prompts for value) fibonacci secret set API_KEY # Set secret for specific environment fibonacci secret set API_KEY --env production # List secrets (names only, never values) fibonacci secret list
Secrets in Python from fibonacci import Workflow from fibonacci.security import SecretsManager # Configure secrets manager secrets = SecretsManager( backend = "vault" , # or "aws_secrets", "gcp_secrets", "azure_keyvault" config = { "vault_addr" : "https://vault.example.com" , "auth_method" : "kubernetes" } ) workflow = Workflow( name = "secure-workflow" , secrets_manager = secrets ) # Access secrets in code api_key = secrets.get( "API_KEY" )
Secret Rotation from fibonacci.security import SecretsManager, RotationPolicy secrets = SecretsManager( backend = "vault" , rotation_policy = RotationPolicy( enabled = True , interval_days = 30 , notify_before_days = 7 ) ) # Check rotation status status = secrets.rotation_status( "API_KEY" ) print ( f "Days until rotation: { status.days_remaining } " )
Encryption Data Encryption at Rest Encrypt sensitive data stored in memory:
from fibonacci import Workflow, MemoryConfig from fibonacci.security import EncryptionConfig workflow = Workflow( name = "encrypted-workflow" , memory_config = MemoryConfig( backend = "redis" , encryption = EncryptionConfig( enabled = True , algorithm = "AES-256-GCM" , key_source = "keychain" # or "env", "vault" ) ) ) # All memory operations are now encrypted workflow.memory.set( "sensitive_data" , { "ssn" : "123-45-6789" })
Encryption in Transit All Fibonacci Cloud communications use TLS 1.3:
from fibonacci import FibonacciClient client = FibonacciClient( api_key = "..." , # TLS is always enabled, these are additional options tls_config = { "verify_certificates" : True , "min_version" : "1.3" , "client_cert" : "/path/to/cert.pem" , # mTLS "client_key" : "/path/to/key.pem" } )
Field-Level Encryption Encrypt specific fields in workflow data:
from fibonacci import LLMNode from fibonacci.security import encrypt_field, decrypt_field # Encrypt sensitive input before processing encrypted_data = encrypt_field( data = user_pii, fields = [ "ssn" , "credit_card" ], key_id = "pii-encryption-key" ) # Decrypt when needed decrypted = decrypt_field( data = encrypted_data, fields = [ "ssn" ], key_id = "pii-encryption-key" )
Access Control Role-Based Access Control (RBAC) Define roles and permissions for workflows:
from fibonacci import Workflow from fibonacci.security import AccessControl, Role # Define roles admin_role = Role( name = "admin" , permissions = [ "read" , "write" , "execute" , "delete" , "admin" ] ) developer_role = Role( name = "developer" , permissions = [ "read" , "write" , "execute" ] ) viewer_role = Role( name = "viewer" , permissions = [ "read" ] ) workflow = Workflow( name = "access-controlled" , access_control = AccessControl( enabled = True , default_role = "viewer" , roles = [admin_role, developer_role, viewer_role] ) )
Resource-Level Permissions # fibonacci.yaml access_control : enabled : true resources : workflows : "production/*" : execute : - role : admin - role : production-deployer write : - role : admin "development/*" : execute : - role : developer - role : admin write : - role : developer - role : admin secrets : "*" : read : - role : admin write : - role : admin
API Key Scopes Create scoped API keys with limited permissions:
# Create read-only key fibonacci auth create-key --name "monitoring" --scope read # Create execution-only key fibonacci auth create-key --name "ci-cd" --scope execute # Create key with specific workflow access fibonacci auth create-key --name "production" \ --scope execute \ --workflows "production/*"
Audit Logging Enable Audit Logs from fibonacci import Workflow from fibonacci.security import AuditLogger audit = AuditLogger( enabled = True , destination = "cloudwatch" , # or "file", "splunk", "datadog" config = { "log_group" : "/fibonacci/audit" , "log_stream" : "workflows" } ) workflow = Workflow( name = "audited-workflow" , audit_logger = audit )
Audit Log Contents Audit logs capture:
{ "timestamp" : "2025-01-23T10:30:00Z" , "event_type" : "workflow.execute" , "workflow_id" : "customer-support" , "user_id" : "user-123" , "ip_address" : "192.168.1.100" , "action" : "execute" , "status" : "success" , "duration_ms" : 1523 , "metadata" : { "input_hash" : "abc123" , "nodes_executed" : [ "classifier" , "responder" ], "api_key_id" : "key-456" } }
Query Audit Logs # View recent audit events fibonacci audit logs --since "1 hour ago" # Filter by workflow fibonacci audit logs --workflow production-pipeline # Filter by user fibonacci audit logs --user user-123 # Export for analysis fibonacci audit export --format json --output audit.json
Schema Validation from fibonacci import Workflow workflow = Workflow( name = "validated-workflow" , input_schema = { "type" : "object" , "required" : [ "user_input" ], "properties" : { "user_input" : { "type" : "string" , "maxLength" : 10000 , "pattern" : "^[a-zA-Z0-9 \\ s.,!?-]*$" }, "email" : { "type" : "string" , "format" : "email" } }, "additionalProperties" : False } )
Prompt Injection Prevention from fibonacci import LLMNode from fibonacci.security import sanitize_input # Sanitize user input before including in prompts sanitized = sanitize_input( user_input, rules = [ "escape_xml" , "remove_system_prompts" , "limit_length" ] ) node = LLMNode( id = "analyzer" , model = "claude-sonnet-4-5-20250929" , prompt = f """Analyze this text: <user_input> { sanitized } </user_input> Provide sentiment analysis.""" , # Additional safeguards prompt_injection_detection = True )
Output Filtering from fibonacci import Workflow from fibonacci.security import OutputFilter workflow = Workflow( name = "filtered-workflow" , output_filter = OutputFilter( rules = [ { "type" : "pii" , "action" : "redact" }, # Redact PII { "type" : "secrets" , "action" : "block" }, # Block secret patterns { "type" : "code" , "action" : "sandbox" } # Sandbox code output ] ) )
Network Security IP Allowlisting # fibonacci.yaml security : network : ip_allowlist : - 10.0.0.0/8 - 192.168.1.0/24 - 203.0.113.50 ip_blocklist : - 0.0.0.0/0 # Block all except allowlist
VPC Configuration from fibonacci import FibonacciClient client = FibonacciClient( api_key = "..." , vpc_config = { "vpc_id" : "vpc-12345" , "subnet_ids" : [ "subnet-a" , "subnet-b" ], "security_group_ids" : [ "sg-12345" ] } )
Security Checklist Compliance GDPR Compliance from fibonacci import Workflow from fibonacci.compliance import GDPRConfig workflow = Workflow( name = "gdpr-compliant" , compliance = GDPRConfig( data_retention_days = 90 , enable_right_to_erasure = True , enable_data_portability = True , consent_tracking = True ) )
SOC 2 Compliance Fibonacci Cloud is SOC 2 Type II certified. Enable additional controls:
# fibonacci.yaml compliance : soc2 : enabled : true controls : - access_logging - encryption_at_rest - encryption_in_transit - vulnerability_scanning - incident_response
Next Steps
Best Practices Production workflow patterns
Error Handling Handle failures gracefully
