
Workspace Policies

Define and enforce organization-wide rules for AI agent behavior.


What Are Policies?

Policies are JSON documents that specify what agents can and cannot do in your workspace. When agents are pushed with --workspace, they're validated against the active policy.


Policy Structure

policy.json
{
  "policy_id": "policy_abc123",
  "workspace_id": "ws_xyz789",
  "version": "1",
  "status": "active",
  "content": {
    "agent": {
      "models": {
        "allowed_models": ["gpt-4", "gpt-4-turbo", "claude-3-opus"],
        "allowed_providers": ["openai", "anthropic"]
      },
      "capabilities": {
        "allowed_tools": ["calculator", "web_search"],
        "denied_tools": ["file_write", "shell_exec"]
      }
    },
    "compliance": {
      "frameworks": ["soc2"],
      "require_audit_logging": true
    }
  },
  "hash": "a1b2c3d4...",
  "signature": "e5f6g7h8...",
  "signing_key_id": "key_..."
}

Model Restrictions

Control which LLM providers and models agents can use:

"models": {
  "allowed_providers": ["openai", "anthropic"],
  "allowed_models": [
    "gpt-4",
    "gpt-4-turbo",
    "claude-3-opus-20240229",
    "claude-3-sonnet-20240229"
  ],
  "denied_models": ["gpt-3.5-turbo"]
}
Note: If allowed_models is empty, all models from the allowed providers are permitted.


Capability Control

Restrict which tools and capabilities agents can register:

"capabilities": {
  "allowed_tools": [
    "calculator",
    "web_search",
    "http_request"
  ],
  "denied_tools": [
    "file_write",
    "file_delete",
    "shell_exec"
  ],
  "require_tool_approval": true
}

CLI Commands

Pull Active Policy

sekuire policy pull --workspace ws_abc123

Validate Policy Integrity

sekuire policy validate --file policy.json

Show Policy Summary

sekuire policy show --file policy.json

Push with Policy Validation

sekuire push --workspace ws_abc123

Policy Validation

When you push with --workspace, Sekuire validates:

Check         Description
Provider      Is the agent's LLM provider in allowed_providers?
Model         Is the model in allowed_models (or, if that list is empty, from an allowed provider) and not in denied_models?
Tools         Is every tool the agent registers in allowed_tools?
Capabilities  Does the agent register no tool from denied_tools?

If any check fails, the push is blocked. Passing --force overrides the block, so it bypasses the workspace policy entirely and should be reserved for deliberate exceptions.
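The checks in the table above, implemented as a standalone validator. This is an added example, not Sekuire's own code: the policy content mirrors the structure shown on this page, while the agent manifest fields (provider, model, tools) and the rules for empty allow lists (an empty allowed_providers or allowed_tools is treated like an empty allowed_models, i.e. no restriction beyond the deny list) are assumptions made for the example. Deny lists always win over allow lists.

```python
import copy
import json

# Constructed sample policy, shaped like the policy.json shown above (not a real Sekuire policy).
POLICY = json.loads("""
{
  "policy_id": "policy_abc123",
  "workspace_id": "ws_xyz789",
  "version": "1",
  "status": "active",
  "content": {
    "agent": {
      "models": {
        "allowed_providers": ["openai", "anthropic"],
        "allowed_models": ["gpt-4", "gpt-4-turbo", "claude-3-opus-20240229"],
        "denied_models": ["gpt-3.5-turbo"]
      },
      "capabilities": {
        "allowed_tools": ["calculator", "web_search", "http_request"],
        "denied_tools": ["file_write", "file_delete", "shell_exec"]
      }
    }
  }
}
""")

# Constructed agent manifests; the field names are an assumption for this example.
COMPLIANT_AGENT = {"provider": "openai", "model": "gpt-4", "tools": ["calculator", "web_search"]}
BAD_AGENT = {"provider": "openai", "model": "gpt-3.5-turbo", "tools": ["calculator", "shell_exec", "file_read"]}


def check_policy(policy_content, agent):
    """Return a list of violation messages; an empty list means the agent passes."""
    models = policy_content.get("agent", {}).get("models", {})
    caps = policy_content.get("agent", {}).get("capabilities", {})
    violations = []

    # Provider check (assumption: an empty allowed_providers imposes no restriction).
    provider = agent["provider"]
    allowed_providers = models.get("allowed_providers", [])
    if allowed_providers and provider not in allowed_providers:
        violations.append(f"provider: {provider!r} not in allowed_providers")

    # Model check: deny list first, then the allow list. Per the note above, an
    # empty allowed_models permits any model from an allowed provider.
    model = agent["model"]
    if model in models.get("denied_models", []):
        violations.append(f"model: {model!r} is in denied_models")
    else:
        allowed_models = models.get("allowed_models", [])
        if allowed_models and model not in allowed_models:
            violations.append(f"model: {model!r} not in allowed_models")

    # Tool checks: any denied tool is a violation; otherwise tools must be in the
    # allow list when one is given (assumption: empty allowed_tools = no allow-list restriction).
    allowed_tools = set(caps.get("allowed_tools", []))
    denied_tools = set(caps.get("denied_tools", []))
    for tool in agent.get("tools", []):
        if tool in denied_tools:
            violations.append(f"tool: {tool!r} is in denied_tools")
        elif allowed_tools and tool not in allowed_tools:
            violations.append(f"tool: {tool!r} not in allowed_tools")

    return violations


def push_allowed(policy, agent, force=False):
    """Mirror the push rule: blocked on any violation unless --force is given."""
    if policy.get("status") != "active":
        return False  # only an active policy can admit a push (assumption)
    violations = check_policy(policy["content"], agent)
    return force or not violations


if __name__ == "__main__":
    for name, agent in (("compliant", COMPLIANT_AGENT), ("bad", BAD_AGENT)):
        print(name, check_policy(POLICY["content"], agent), "push:", push_allowed(POLICY, agent))
```

Note that denied_models is checked before allowed_models: a model that somehow appears in both lists is still rejected, and --force is the only way past a violation.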


Next Steps