Push (Draft Mode)
Push an agent to the registry in draft mode for review before publishing.
Usage
sekuire push [OPTIONS]
Options
| Option | Description |
|---|---|
-r, --registry <URL> | Registry URL (default: https://api.sekuire.ai) |
--workspace <ID> | Workspace ID for policy validation |
--policy <FILE> | Path to local policy file (default: policy.json) |
--force | Override policy violations |
push vs publish
| Feature | push | publish |
|---|---|---|
| Mode | Draft (not listed) | Published (visible) |
| GitHub | Not required | Connects repository |
| Interactive | No | Yes |
| Use case | CI/CD pipelines | Initial setup |
Use push for automated workflows; use publish for interactive setup with repository connection.
Workflow
- Calculates Sekuire ID from manifest (
sekuire.yml) - Signs manifest with Ed25519 private key
- Validates against workspace policy (if
--workspaceprovided) - Uploads to registry as draft
Terminal
$ sekuire push
Identity: 7f8a9b3c2d1e...
Signature: a1b2c3d4...
Pushing agent as DRAFT...
Agent pushed as DRAFT!
This agent is in draft mode and not publicly listed.
Go to the dashboard to verify and publish: https://sekuire.ai/dashboard
Deployment Environment Variables:
SEKUIRE_AGENT_ID=7f8a9b3c2d1e...
SEKUIRE_PRIVATE_KEY=<copy from .sekuire/secret.key>
Optional:
SEKUIRE_API_URL=https://api.sekuire.ai (default)
SEKUIRE_AGENT_NAME=my-agent
Policy Validation
If --workspace is provided, the push validates the manifest against the workspace's active policy.
Terminal
$ sekuire push --workspace ws_abc123
Identity: 7f8a9b3c2d1e...
Signature: a1b2c3d4...
Pushing agent as DRAFT...
Validating active policy for workspace ws_abc123...
Policy pol_xyz789 (v2) verified (hash/signature)
Agent pushed as DRAFT!
Policy Violations
If violations are detected, push fails unless --force is used:
Terminal
$ sekuire push --workspace ws_abc123
Identity: 7f8a9b3c2d1e...
Signature: a1b2c3d4...
Pushing agent as DRAFT...
Validating active policy for workspace ws_abc123...
Policy violations detected:
- network_access: api.external.com not in allowed_domains
- tool: delete_file not in allowed_tools
Error: Policy violations. Re-run with --force to override.
# Force push despite violations
$ sekuire push --workspace ws_abc123 --force
--force supplied; proceeding despite violations.
Agent pushed as DRAFT!
Local Policy File
By default, push looks for policy.json in the current directory. If not found and --workspace is specified, it fetches the active policy from the backend:
Terminal
$ sekuire push --workspace ws_abc123 --policy ./my-policy.json
# Uses local policy file
Validating active policy for workspace ws_abc123...
Policy pol_xyz789 (v2) verified (hash/signature)
After Push
After pushing:
- Agent is in draft mode - not publicly visible
- Go to the dashboard to review and publish
- Set deployment environment variables in your infrastructure:
Environment Variables
SEKUIRE_AGENT_ID=7f8a9b3c2d1e...
SEKUIRE_PRIVATE_KEY=<contents of .sekuire/secret.key>
SEKUIRE_API_URL=https://api.sekuire.ai # optional
CI/CD Example
.github/workflows/deploy.yml
name: Deploy Agent
on:
push:
branches: [main]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Sekuire CLI
run: curl -fsSL https://install.sekuire.ai | sh
- name: Push to Registry
env:
SEKUIRE_API_KEY: ${{ secrets.SEKUIRE_API_KEY }}
run: sekuire push --workspace ${{ vars.WORKSPACE_ID }}
- name: Build and Deploy
run: |
docker build -t my-agent:${{ github.sha }} .
# ... deploy to your infrastructure