Policy Commands
Manage workspace policies for agent compliance validation.
Commands
- sekuire policy pull - Download active policy
- sekuire policy validate - Verify policy integrity
- sekuire policy show - Display policy summary
pull
Fetch the active workspace policy and save it locally.
sekuire policy pull [OPTIONS]
Options
| Option | Description |
|---|---|
| --workspace <ID> | Workspace ID (required) |
| --backend <URL> | Backend URL (default: https://api.sekuire.ai) |
| --out <PATH> | Output file (default: policy.json) |
Example
Terminal
$ sekuire policy pull --workspace ws_abc123
Saved active policy policy_xyz (v1) for workspace ws_abc123 to policy.json
Signature: verified
Output File
policy.json
{
  "policy_id": "policy_xyz",
  "workspace_id": "ws_abc123",
  "version": "1",
  "status": "active",
  "hash": "a1b2c3d4...",
  "content": {
    "agent": {
      "models": {
        "allowed_models": ["gpt-4", "claude-3-opus"],
        "allowed_providers": ["openai", "anthropic"]
      }
    }
  },
  "signature": "...",
  "signing_key_id": "key_..."
}
validate
Verify the integrity of a downloaded policy file (hash + signature).
sekuire policy validate [OPTIONS]
Options
| Option | Description |
|---|---|
| --file <PATH> | Policy file path (default: policy.json) |
Example
Terminal
$ sekuire policy validate --file policy.json
Policy policy_xyz (v1) integrity verified (hash/signature)
What's Verified
- Hash - Recalculates BLAKE3 hash and compares to stored value
- Signature - Verifies Ed25519 signature using the policy's public key
show
Display a summary of a downloaded policy.
sekuire policy show [OPTIONS]
Options
| Option | Description |
|---|---|
| --file <PATH> | Policy file path (default: policy.json) |
Example
Terminal
$ sekuire policy show
Policy ID: policy_xyz
Workspace ID: ws_abc123
Version: 1
Status: active
Hash: a1b2c3d4...
Signature: e5f6g7h8...
Signing Key: key_123
Policy Validation During Push
When pushing with --workspace, your agent manifest is validated against the workspace's active policy:
sekuire push --workspace ws_abc123
Validation checks include:
- Allowed models - Is your agent's model permitted?
- Allowed providers - Is the LLM provider permitted?
- Capabilities - Are your declared tools within policy limits?
Note: If validation fails, the push is blocked unless you use --force.