Core Concepts

Understand the key concepts behind the Sekuire platform and our security framework.

The Trust Triangle

Sekuire provides three pillars of trust for AI agents - Identity, Visibility, and Control. Together they form the Trust Triangle that enables enterprise governance.

  • Identity (Sekuire ID) - Cryptographic proof of who the agent is
  • Visibility (Beacon) - Real-time knowledge of where agents are and what they're doing
  • Control (Kill Switch) - Ability to stop any agent instantly



Agent Identity

Every Sekuire agent has a unique, verifiable identity:

Ed25519 Keypair

When you run sekuire init, an Ed25519 keypair is generated:

.sekuire/ (text)

    .sekuire/
    ├── public.key   # Share freely - used for verification
    └── secret.key   # NEVER SHARE - used for signing

Sekuire ID

The Sekuire ID is a BLAKE3 hash of the agent's manifest (name, version, public key, capabilities). It's deterministic - the same agent always produces the same ID.

Terminal (bash)

    $ sekuire hash
    Sekuire ID: a1b2c3d4e5f6g7h8...

The Sekuire ID lets anyone verify they're running the authentic agent, not a modified copy.



Beacon & Visibility

The Beacon system provides real-time visibility into your agent fleet:

  • Auto-discovery - Agents register automatically when they start
  • Heartbeat - Periodic signals prove the agent is alive and healthy
  • Platform detection - Automatically detects Docker, Kubernetes, serverless, or bare metal

Terminal (bash)

    # Run with beacon enabled (default)
    sekuire run --cmd "npm start"

    # Custom heartbeat interval
    sekuire run --heartbeat-interval 30



Kill Switch

The kill switch provides emergency control over agents:

  • Lease-based - Agents must continuously renew their lease to keep running
  • Instant revocation - Stop any agent from the dashboard or API
  • Graceful shutdown - Agents complete in-flight work before stopping
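
The three properties above can be modelled in-process: a lease that is never extended by a failed renewal (so an agent cut off from the control plane stops on its own), revocation that drops the lease at the next renewal, and draining of in-flight work before the stop. This is an added example, not Sekuire's SDK or protocol; `ControlPlane`, `LeasedAgent`, the 10-second lease, the 5-second heartbeat and the agent name are all hypothetical.

```javascript
// Added illustration, not Sekuire code: every class, method and value is hypothetical.
class ControlPlane {
  revoked = new Set();   // agent IDs whose lease must not be renewed
  reachable = true;      // set to false to simulate an outage
  // Returns the new lease expiry in ms, or null once the agent is revoked.
  renew(agentId, now, ttlMs) {
    if (!this.reachable) throw new Error("control plane unreachable");
    return this.revoked.has(agentId) ? null : now + ttlMs;
  }
}

class LeasedAgent {
  expiresAt = 0;
  inFlight = 0;
  constructor(agentId, plane, ttlMs) { Object.assign(this, { agentId, plane, ttlMs }); }
  // One heartbeat tick; the clock is passed in so the run is deterministic.
  heartbeat(now) {
    try {
      this.expiresAt = this.plane.renew(this.agentId, now, this.ttlMs) ?? 0; // null = revoked
    } catch (err) { /* fail closed: a failed renewal never extends the lease */ }
    return this.state(now);
  }
  // Without a valid lease the agent drains in-flight work, then stops.
  state(now) {
    if (now < this.expiresAt) return "running";
    return this.inFlight > 0 ? "draining" : "stopped";
  }
  // New work is admitted only while the lease is valid at this instant.
  accept(now) {
    if (now >= this.expiresAt) return false;
    this.inFlight += 1;
    return true;
  }
  finish() { this.inFlight -= 1; }
}
// Constructed scenario: 10 s lease, 5 s heartbeat, an outage, then a revocation.
function simulate() {
  const plane = new ControlPlane();
  const agent = new LeasedAgent("agent-demo", plane, 10000);
  const trace = [agent.heartbeat(0)];                        // lease granted until t=10000
  plane.reachable = false;
  trace.push(agent.heartbeat(5000), agent.heartbeat(10000)); // old lease runs out
  plane.reachable = true;
  trace.push(agent.heartbeat(15000), agent.accept(16000));   // renewed, one task admitted
  plane.revoked.add("agent-demo");
  trace.push(agent.heartbeat(20000), agent.accept(20001));   // revoked with work in flight
  agent.finish();
  trace.push(agent.state(20001));
  return trace;
}
```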



Config-First Architecture

Sekuire uses a config-first approach. Your agent is fully defined in sekuire.yml:

sekuire.yml (yaml)

    project:
      name: "my-agent"
      version: "1.0.0"

    agents:
      assistant:
        name: "AI Assistant"
        system_prompt: "./prompts/assistant.md"
        llm:
          provider: "openai"
          model: "gpt-4-turbo"
        tools:
          - calculator
          - web_search

This config is used by:

  • CLI — For initialization, pushing, and running
  • SDK — For loading agents with getAgent()
  • Registry — For storing agent metadata

Trust Registry

The Sekuire Registry stores agent identities and metadata:

  • Push — Upload your agent (creates a draft)
  • Verify — Prove an agent's authenticity
  • Pull — Deploy verified agents

Terminal (bash)

    # Push to registry
    sekuire push

    # Verify a remote agent
    sekuire verify --agent-id a1b2c3d4...

Workspaces

A workspace is an organizational boundary:

  • Group related agents together
  • Define workspace-wide policies
  • Control who can deploy what

Agents are installed into a workspace:

bash

    sekuire install agent --workspace ws_abc123 --agent $(sekuire hash)

Policies

Policies define rules for what agents can do:

  • Allowed models — Which LLMs are permitted
  • Allowed tools — Which capabilities are allowed
  • Compliance — SOC2, HIPAA, GDPR requirements

When you push with --workspace, the agent is validated against the workspace policy.


Agent Lifecycle

text

    ┌──────────┐    ┌──────────┐    ┌──────────┐    ┌──────────┐
    │  CREATE  │───▶│   PUSH   │───▶│ INSTALL  │───▶│   RUN    │
    │          │    │          │    │          │    │          │
    │ init     │    │ registry │    │ workspace│    │ runtime  │
    │ keygen   │    │ verify   │    │ policy   │    │ heartbeat│
    └──────────┘    └──────────┘    └──────────┘    └──────────┘

  1. Create - sekuire init scaffolds project and generates keys
  2. Push - sekuire push uploads to registry
  3. Install - sekuire install agent adds to workspace
  4. Run - sekuire run starts with heartbeat

Next Steps