Policy System

Enterprise governance for AI agents through cryptographically-signed workspace policies.

What Are Policies?

A policy is a JSON document that defines what AI agents can and cannot do within a workspace. Policies are:

Cryptographically signed — Tamper-proof via Ed25519 signatures
Version controlled — Track changes over time
Machine-readable — Automated validation before deployment

Policy Documentation

Command	Description
Syntax Guide	Policy JSON structure
Validator	Validate policies and agents

Policy Lifecycle

text

┌──────────────┐    ┌──────────────┐    ┌──────────────┐
│    CREATE    │───▶│    SIGN      │───▶│   ACTIVATE   │
│              │    │              │    │              │
│  Define rules│    │ Admin signs  │    │ Apply to     │
│  in JSON     │    │ with Ed25519 │    │ workspace    │
└──────────────┘    └──────────────┘    └──────────────┘
        │                                      │
        └──────── VALIDATE AGENTS ◀────────────┘

Policy Structure

policy.jsonjson

{
  "policy_id": "policy_abc123",
  "workspace_id": "ws_xyz789",
  "version": "1",
  "status": "active",
  "content": {
    "agent": {
      "models": { ... },
      "capabilities": { ... }
    },
    "compliance": { ... }
  },
  "hash": "blake3_hash_of_content",
  "signature": "ed25519_signature",
  "signing_key_id": "key_..."
}

Key Features

Model Control

Restrict which LLM providers and models agents can use:

json

"models": {
  "allowed_providers": ["openai", "anthropic"],
  "allowed_models": ["gpt-4", "claude-3-opus-20240229"],
  "denied_models": ["gpt-3.5-turbo"]
}

Capability Control

Define which tools and capabilities agents can register:

json

"capabilities": {
  "allowed_tools": ["calculator", "web_search"],
  "denied_tools": ["file_write", "shell_exec"],
  "require_tool_approval": true
}

Compliance Frameworks

Enforce regulatory requirements:

json

"compliance": {
  "frameworks": ["soc2", "hipaa"],
  "require_audit_logging": true,
  "data_residency": "us"
}

CLI Commands

Command	Description
`sekuire policy pull`	Download workspace policy
`sekuire policy validate`	Verify policy integrity
`sekuire policy show`	Display policy summary

See CLI Policy for full documentation.

💡Policies are validated when you push with --workspace. Non-compliant agents are blocked.