Policy Commands

Manage workspace policies for agent compliance validation.

Commands


pull

Fetch the active workspace policy and save it locally.

bash
sekuire policy pull [OPTIONS]

Options

Option             Description
--workspace <ID>   Workspace ID (required)
--backend <URL>    Backend URL (default: http://localhost:5556)
--out <PATH>       Output file (default: policy.json)

Example

Terminal (bash)
$ sekuire policy pull --workspace ws_abc123
✅ Saved active policy policy_xyz (v1) for workspace ws_abc123 to policy.json
Signature: verified

Output File

policy.json (json)
{
  "policy_id": "policy_xyz",
  "workspace_id": "ws_abc123",
  "version": "1",
  "status": "active",
  "hash": "a1b2c3d4...",
  "content": {
    "agent": {
      "models": {
        "allowed_models": ["gpt-4", "claude-3-opus"],
        "allowed_providers": ["openai", "anthropic"]
      }
    }
  },
  "signature": "...",
  "signing_key_id": "key_..."
}

validate

Verify the integrity of a downloaded policy file (hash + signature).

bash
sekuire policy validate [OPTIONS]

Options

Option          Description
--file <PATH>   Policy file path (default: policy.json)

Example

Terminal (bash)
$ sekuire policy validate --file policy.json
✅ Policy policy_xyz (v1) integrity verified (hash/signature)

What's Verified

  1. Hash — Recalculates BLAKE3 hash and compares to stored value
  2. Signature — Verifies Ed25519 signature using the policy's public key

show

Display a summary of a downloaded policy.

bash
sekuire policy show [OPTIONS]

Options

Option          Description
--file <PATH>   Policy file path (default: policy.json)

Example

Terminal (bash)
$ sekuire policy show
Policy ID: policy_xyz
Workspace ID: ws_abc123
Version: 1
Status: active
Hash: a1b2c3d4...
Signature: e5f6g7h8...
Signing Key: key_123

Policy Validation During Push

When pushing with --workspace, your agent manifest is validated against the workspace's active policy:

bash
sekuire push --workspace ws_abc123

Validation checks include:

  • Allowed models — Is your agent's model permitted?
  • Allowed providers — Is the LLM provider permitted?
  • Capabilities — Are your declared tools within policy limits?
ℹ️ If validation fails, the push is blocked unless you use --force.