Policy Validator

Validate policies and agents against workspace rules.

Overview

The policy validator ensures:

Policy integrity - Valid signature, no tampering
Agent compliance - Agent meets policy requirements
Push blocking - Non-compliant agents can't deploy

CLI Commands

Pull Policy

Download the active policy for a workspace:

sekuire policy pull --workspace ws_abc123 --backend http://localhost:9300 --out policy.json

Validate Policy Integrity

Verify the signature and hash of a policy file:

$ sekuire policy validate --file policy.json

Validating policy...

  Hash verified
  Signature valid (signed by key_admin123)
  Policy is active
  No expired rules

Policy is VALID

Show Policy Summary

Display a human-readable summary:

$ sekuire policy show --file policy.json

Policy Summary
  ID: policy_abc123
  Workspace: ws_xyz789
  Version: 1
  Status: active

Agent Rules
  Providers: openai, anthropic
  Allowed Models: gpt-4, gpt-4-turbo, claude-3-opus
  Denied Tools: shell_exec, file_delete

Compliance
  Frameworks: soc2, hipaa
  Audit Logging: required
  Data Residency: us

Agent Validation

When you push with --workspace, your agent is validated against the policy:

$ sekuire push --workspace ws_abc123

Validating agent against workspace policy...

  Provider 'openai' is allowed
  Model 'gpt-4-turbo' is allowed
  Tool 'calculator' is allowed
  Tool 'web_search' is allowed
  Tool 'shell_exec' is DENIED

Agent does not comply with workspace policy

Blocked tools: shell_exec

Fix the issues above and try again.
Use --force to bypass (not recommended).

Validation Checks

Check	Description	Severity
Provider	LLM provider in allowed list	Error
Model	Model name in allowed list (or not in denied)	Error
Tools	All tools in allowed list	Error
Denied Tools	No tools in denied list	Error
Compliance	Agent meets compliance framework	Warning

Full Agent Verification

Use sekuire verify-agent for comprehensive security checks:

$ sekuire verify-agent --compliance hipaa

Running full verification...

1. Identity Verification
   Keypair valid
   Sekuire ID matches manifest
   Registered in registry

2. Policy Compliance
   Provider allowed
   Model allowed
   All tools allowed

3. HIPAA Compliance
   Audit logging enabled
   Encryption: not configured
   PHI detection: enabled

Overall: PASSED with warnings
   - Configure encryption for full HIPAA compliance

Bypassing Validation

warning

Bypassing policy validation should only be used in development or emergency situations.

# Force push even if policy validation fails (not recommended)
sekuire push --workspace ws_abc123 --force

Bypassed pushes are logged and may trigger alerts in enterprise workspaces.

Next Steps

Syntax Guide - Policy JSON structure
CLI Policy - Full command reference
Compliance - HIPAA, SOC2, GDPR

Overview​

CLI Commands​

Pull Policy​

Validate Policy Integrity​

Show Policy Summary​

Agent Validation​

Validation Checks​

Full Agent Verification​

Bypassing Validation​

Next Steps​