Kill Switch

Lease-based liveness with emergency revocation. Agents must continuously prove they're authorized to run, and that authorization can be revoked instantly from anywhere.

Lease-Based Model

Unlike traditional "always-on" agents, Sekuire agents operate on a lease model:

text
┌─────────────────────────────────────────────────────────┐
│                     Lease Timeline                      │
│                                                         │
│  ├── Heartbeat ──├── Heartbeat ──├── MISSED ──├── STOP  │
│  │   (renewed)   │   (renewed)   │  (expired) │         │
│  ▼               ▼               ▼            ▼         │
│  Running         Running         Grace Period Killed    │
└─────────────────────────────────────────────────────────┘

  • Each heartbeat renews the agent's lease
  • If the lease expires (missed heartbeats), the agent is considered dead
  • A grace period allows for transient network issues
  • After the grace period, the agent is terminated

Emergency Revocation

The kill switch can be triggered in multiple ways:

Dashboard

Navigate to the agent in the Sekuire dashboard and click "Revoke". The agent receives the revocation signal on its next heartbeat.

API

POST /api/v1/installations/:id/revoke

bash
curl -X POST https://api.sekuire.com/api/v1/installations/inst_xyz/revoke \
  -H "X-API-Key: sk_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "reason": "Security incident detected",
    "shutdown_timeout_ms": 5000
  }'

CLI

bash
sekuire install revoke --installation inst_xyz --reason "Compromised"

Revocation Scope

| Scope | Effect | Use Case |
|---|---|---|
| Single Agent | Revokes one installation | Compromised agent instance |
| Agent ID | Revokes all installations of an agent | Agent code found to be malicious |
| Workspace | Revokes all agents in workspace | Broad security incident |

Graceful Shutdown

When a kill signal is received, the SDK performs graceful shutdown:

  1. Stop accepting new tasks
  2. Complete in-flight tasks (within timeout)
  3. Flush pending telemetry and logs
  4. Send final shutdown heartbeat
  5. Exit process

The shutdown_timeout_ms parameter controls how long the agent has to complete in-flight work. The default is 5000 ms.

⚠️ If the agent does not shut down within the timeout, the runtime environment should force-kill the process (e.g., SIGKILL).

Configuration

sekuire.yml

yaml
runtime:
  heartbeat_interval: 30 # seconds
  lease_duration: 120 # seconds (backend-controlled)
  shutdown_timeout: 5000 # milliseconds
  grace_period: 60 # seconds before marking dead
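
These timing values bound how long an agent can keep running after a revocation or after losing contact with the backend. The Python model below is an added example, not Sekuire SDK or backend code: it follows the lease timeline above and goes one step further by computing the worst-case time-to-stop. `LeaseClock` and its method names are hypothetical, and it assumes the grace period starts when the lease expires and that network latency is negligible.

```python
from dataclasses import dataclass
from enum import Enum


class LeaseState(Enum):
    RUNNING = "running"
    GRACE = "grace_period"
    KILLED = "killed"


@dataclass
class LeaseClock:
    """Hypothetical model of one agent's lease, using the sekuire.yml values."""
    heartbeat_interval: float = 30   # seconds
    lease_duration: float = 120      # seconds
    grace_period: float = 60         # seconds
    shutdown_timeout_ms: int = 5000  # milliseconds
    last_renewal: float = 0.0        # time of the last accepted heartbeat
    revoked: bool = False

    def heartbeat(self, now: float) -> str:
        """Process a heartbeat and return the instruction sent to the agent."""
        if self.revoked or self.state(now) is LeaseState.KILLED:
            return "shutdown"        # a revoked or dead lease is never renewed
        self.last_renewal = now      # a heartbeat during grace still renews
        return "renewed"

    def state(self, now: float) -> LeaseState:
        age = now - self.last_renewal
        if age <= self.lease_duration:
            return LeaseState.RUNNING
        if age <= self.lease_duration + self.grace_period:
            return LeaseState.GRACE  # assumption: grace starts at lease expiry
        return LeaseState.KILLED

    def worst_case_stop_seconds(self) -> dict:
        """Upper bounds on how long an agent can keep running."""
        return {
            # Revocation arrives on the next heartbeat, then shutdown runs.
            "revoked_reachable": self.heartbeat_interval
            + self.shutdown_timeout_ms / 1000,
            # Agent cannot reach the backend: lease plus grace must run out.
            "unreachable": self.lease_duration + self.grace_period,
        }
```

With the values shown in sekuire.yml, a reachable agent stops within 35 seconds of revocation, while an agent cut off from the backend can run for up to 180 seconds before it is killed.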

Next Steps