Skip to main content
A NEUS profile can run multiple agents under one controller account. Each agent gets its own identity and scoped delegation — same wallet, different authority. This is how teams, orgs, and multi-agent systems share trust without sharing keys.

The model

One controller account delegates scoped authority to multiple agents. All agents share the same operational wallet, but each has a separate delegation receipt with its own allowedActions, deniedActions, and scope. 
Controller account
  ├── sales-agent       → read, create, run, jobs, send (drafts)
  ├── creative-agent     → read, create, run, jobs
  ├── marketing-agent    → read, create, run, jobs, send (drafts)
  └── ops-agent         → read, create, run, jobs, manage_runtime
Separation is delegation scope, not key material. Every agent signs with the same wallet, but the delegation receipt controls what each one is allowed to do at any gate.

Why one wallet, many delegations

  • No key sprawl. One wallet to manage, secure, and rotate.
  • Per-agent scope. Each agent has a narrow delegation; a compromised creative agent cannot send messages or modify secrets.
  • Audit trail. Every action is tied to a delegation receipt, so you always know which agent did what.
  • Instant revocation. Revoke a single delegation to disable one agent without touching the others.

Action matrix

ActionSalesCreativeMarketingOps
read_contextyesyesyesyes
read_proofsyesyesyesyes
create_proofyesyesyesyes
run_commandyesyesyesyes
execute_jobsyesyesyesyes
send_messageyesyes
manage_runtimeyes
modify_secretsdenieddenieddenieddenied
manage_delegationsdenieddenieddenieddenied
manage_proofsdenieddenieddenieddenied
access_secretdenieddenieddenieddenied
Denied actions always win over allowed actions. Agents that can send_message are still gated by humanApprovalRequiredForNewClaims — they draft for human review, they do not auto-send.

Set it up

1

Create each agent

Call neus_agent_create for each team agent. Pass agentId, scope, delegationAllowedActions, delegationDeniedActions, skills, and instructions. The controller wallet signs the delegation.
2

Confirm each agent

Call neus_agent_link for each agent until linked: true.
3

Mount per project

In each project repo where the agent should operate:
neus mount <agentId> --apply cursor
Binds identity, delegation, and scoped policy to the workspace.
4

Assign jobs

Add recurring jobs to the agent in the job schedule. Each job carries its own agentId so the runtime dispatches to the correct agent.

Skills

Each agent carries role-specific skills in its delegation receipt. Skills are metadata — they advertise what the agent can do, but the delegation allowedActions/deniedActions decide what it is actually permitted to do. Skill catalogs are available to all agents at runtime without bloating the delegation payload.

Next

Agent delegation

Full field reference for allowedActions and deniedActions.

Runtime Mount

Bind an agent to any repo or runtime.

Agent cards

Public discovery via /agent/[id] and A2A.

Verification flow

Step-by-step setup order.
Last modified on June 30, 2026