Policy Enforcement

TypeScript policy primitives for agent/runtime enforcement.

PolicyClient

PolicyClient fetches and verifies the active workspace policy.

import { PolicyClient } from '@sekuire/sdk';

const policyClient = new PolicyClient('https://api.sekuire.ai');

const policy = await policyClient.fetchActivePolicy('ws_abc123');
console.log(policy.policy_id, policy.version, policy.hash);

// If policy changes, invalidate and refetch
policyClient.invalidateCache('ws_abc123');

fetchActivePolicy verifies hash/signature integrity before returning.

PolicyEnforcer

PolicyEnforcer applies policy checks in-process and throws PolicyViolationError when a rule blocks an action.

import { PolicyEnforcer } from '@sekuire/sdk';

const enforcer = new PolicyEnforcer(policy, false, (rule, reason) => {
  console.warn(`[policy][${rule}] ${reason}`);
});

enforcer.enforceTool('web_search');
enforcer.enforceNetwork('api.openai.com', 'https');
enforcer.enforceFilesystem('/workspace/data.txt', 'read');
enforcer.enforceApi('openai');
enforcer.enforceModel('gpt-4o');
enforcer.enforceRateLimit('request');

Warn-only mode

Pass true as the second constructor argument, or
set SEKUIRE_POLICY_DEV_OVERRIDE=true

In warn-only mode, violations are logged/callbacked and execution continues.

Agent Integration (`getAgent`)

getAgent() automatically tries to load policy data from policy.json (or builds from config when available).

import { getAgent } from '@sekuire/sdk';

const agent = await getAgent('assistant', {
  policyPath: './policy.json',
});

const response = await agent.chat('Summarize the latest incident report');

SekuireAgent applies policy checks to model selection, rate limits, and tool execution.

Infrastructure Enforcement (`PolicyGateway`)

PolicyGateway wraps policy checks for infrastructure components such as TaskWorker, Beacon, and A2ATaskDelegator.

import { PolicyClient, PolicyGateway } from '@sekuire/sdk';

const gateway = new PolicyGateway(
  new PolicyClient('https://api.sekuire.ai'),
  'ws_abc123',
);

await gateway.initialize();

const decision = gateway.checkCapability('github:create_issue');
if (!decision.allowed) {
  console.error(decision.violations[0]?.message);
}

When heartbeat responses include active_policy_hash, gateway can refresh policy automatically via onHeartbeatResponse.

PolicyClient​

PolicyEnforcer​

Warn-only mode​

Agent Integration (getAgent)​

Infrastructure Enforcement (PolicyGateway)​

Next Steps​

PolicyClient

PolicyEnforcer

Warn-only mode

Agent Integration (`getAgent`)

Infrastructure Enforcement (`PolicyGateway`)

Next Steps