Policy Validator

Validate policies and agents against workspace rules.

Overview

The policy validator ensures:

  • Policy integrity — Valid signature, no tampering
  • Agent compliance — Agent meets policy requirements
  • Push blocking — Non-compliant agents can't deploy

CLI Commands

Pull Policy

Download the active policy for a workspace:

    sekuire policy pull --workspace ws_abc123 --backend http://localhost:5556 --out policy.json

Validate Policy Integrity

Verify the signature and hash of a policy file:

    $ sekuire policy validate --file policy.json
    🔐 Validating policy...
    ✅ Hash verified
    ✅ Signature valid (signed by key_admin123)
    ✅ Policy is active
    ✅ No expired rules
    Policy is VALID

Show Policy Summary

Display a human-readable summary:

    $ sekuire policy show --file policy.json
    📋 Policy Summary
    ID: policy_abc123
    Workspace: ws_xyz789
    Version: 1
    Status: active
    🤖 Agent Rules
    Providers: openai, anthropic
    Allowed Models: gpt-4, gpt-4-turbo, claude-3-opus
    Denied Tools: shell_exec, file_delete
    🔒 Compliance
    Frameworks: soc2, hipaa
    Audit Logging: required
    Data Residency: us

Agent Validation

When you push with --workspace, your agent is validated against the policy:

    $ sekuire push --workspace ws_abc123
    🔐 Validating agent against workspace policy...
    ✅ Provider 'openai' is allowed
    ✅ Model 'gpt-4-turbo' is allowed
    ✅ Tool 'calculator' is allowed
    ✅ Tool 'web_search' is allowed
    ❌ Tool 'shell_exec' is DENIED
    ❌ Agent does not comply with workspace policy
    Blocked tools: shell_exec
    Fix the issues above and try again.
    Use --force to bypass (not recommended).

Validation Checks

Check          Description                                       Severity
Provider       LLM provider in allowed list                      Error
Model          Model name in allowed list (or not in denied)     Error
Tools          All tools in allowed list                         Error
Denied Tools   No tools in denied list                           Error
Compliance     Agent meets compliance framework                  Warning
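
The checks in the table above can be reproduced locally before a push. The sketch below is an added example, not Sekuire's implementation: the JSON field names, the agent's `compliance` field, and the rule that a denied tool wins over an allowed one are assumptions.

```python
# Added illustration: the JSON field names are assumptions, not Sekuire's schema.
from typing import NamedTuple

class Finding(NamedTuple):
    check: str     # row name from the Validation Checks table
    severity: str  # "error" blocks the push, "warning" does not
    detail: str

def check_agent(policy: dict, agent: dict) -> list:
    rules = policy.get("agent_rules", {})
    out = []
    if agent["provider"] not in rules.get("providers", []):
        out.append(Finding("Provider", "error", agent["provider"]))
    # Model: use the allow list when the policy has one, else "not in denied".
    allowed_models = rules.get("allowed_models")
    if allowed_models is not None:
        model_ok = agent["model"] in allowed_models
    else:
        model_ok = agent["model"] not in rules.get("denied_models", [])
    if not model_ok:
        out.append(Finding("Model", "error", agent["model"]))
    allowed_tools = rules.get("allowed_tools")
    denied_tools = set(rules.get("denied_tools", []))
    for tool in agent.get("tools", []):
        # Assumption: deny is evaluated first, so a tool on both lists is blocked.
        if tool in denied_tools:
            out.append(Finding("Denied Tools", "error", tool))
        elif allowed_tools is not None and tool not in allowed_tools:
            out.append(Finding("Tools", "error", tool))
    required = policy.get("compliance", {}).get("frameworks", [])
    for fw in required:
        if fw not in agent.get("compliance", []):
            out.append(Finding("Compliance", "warning", fw))
    return out

def push_allowed(findings: list) -> bool:
    return not any(f.severity == "error" for f in findings)

# Constructed sample mirroring the `policy show` and `push` output on this page.
POLICY = {
    "agent_rules": {"providers": ["openai", "anthropic"],
                    "allowed_models": ["gpt-4", "gpt-4-turbo", "claude-3-opus"],
                    "denied_tools": ["shell_exec", "file_delete"]},
    "compliance": {"frameworks": ["soc2", "hipaa"]},
}
AGENT = {"provider": "openai", "model": "gpt-4-turbo", "compliance": ["soc2"],
         "tools": ["calculator", "web_search", "shell_exec"]}

if __name__ == "__main__":
    print(*check_agent(POLICY, AGENT), sep="\n")
```

Only findings with severity `error` block the push here; the missing `hipaa` framework is reported as a warning, matching the Severity column.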

Full Agent Verification

Use sekuire verify-agent for comprehensive security checks:

    $ sekuire verify-agent --compliance hipaa
    🔒 Running full verification...
    1. Identity Verification
    ✅ Keypair valid
    ✅ Sekuire ID matches manifest
    ✅ Registered in registry
    2. Policy Compliance
    ✅ Provider allowed
    ✅ Model allowed
    ✅ All tools allowed
    3. HIPAA Compliance
    ✅ Audit logging enabled
    ⚠️ Encryption: not configured
    ✅ PHI detection: enabled
    Overall: PASSED with warnings
    - Configure encryption for full HIPAA compliance

Bypassing Validation

⚠️ Bypassing policy validation should only be used in development or emergency situations.

    # Force push even if policy validation fails (not recommended)
    sekuire push --workspace ws_abc123 --force

Bypassed pushes are logged and may trigger alerts in enterprise workspaces.
