hexr build is the first command in every Hexr deployment. You point it at your Python agent file and it performs deep AST analysis — roughly 2,900 lines of it — to understand your agent’s framework, sub-agent roles, cloud resource requirements, and A2A topology. From that analysis it generates everything needed for a production Kubernetes deployment: a multi-stage Dockerfile, namespace and RBAC manifests, per-process SPIFFE context files, an A2A agent card, and a build metadata manifest. You never write these files by hand.

Usage

hexr build <agent_file> --tenant <tenant> [options]

Arguments

agent_file
path
required
Path to your Python agent file.
hexr build my_agent.py --tenant acme-corp
hexr build agents/content_crew.py --tenant acme-corp

Options

--tenant, -t
string
required
Tenant identifier. Maps to the Kubernetes namespace tenant-{tenant}.
--name, -n
string
Override the agent name. Defaults to the value in @hexr_agent(name=...) or the filename.
--target
string
default:"development"
Target environment: development, staging, or production. Affects OPA policies, resource limits, and security scanning levels.
--registry
string
Container registry base URL.
hexr build agent.py -t acme --registry us-central1-docker.pkg.dev/my-project/images
--pypi-url
string
default:"https://pypi.hexr.cloud/simple/"
Private PyPI URL for SDK installation in agent pods.
--python-version
string
default:"3.11"
Python version to use in the container image.
--base-image
string
default:"python:3.11-slim"
Base Docker image for the generated Dockerfile.
--multi-cloud
string
Comma-separated list of cloud providers to configure for credential exchange.
hexr build agent.py -t acme --multi-cloud aws,gcp,azure
--subprocess-support
flag
Enable subprocess role management for multi-process agents.
--security-scan
flag
Run a dependency security audit during the build step.
--output-dir, -o
path
default:".hexr"
Output directory for all generated artifacts.
--dockerfile-only
flag
Generate only the Dockerfile and requirements — skip Kubernetes manifests.
--dry-run
flag
Print what would be generated without writing any files.
--trust-domain
string
default:"demo.hexr.dev"
SPIFFE trust domain used when generating agent identity paths.

What gets generated

After a successful build, your .hexr/ directory contains:
.hexr/
├── Dockerfile                    # Multi-stage build with SDK injection
├── requirements.txt              # Auto-detected from imports
├── agent-pod.yaml                # Pod spec with 4 containers
├── namespace.yaml                # tenant-{name} namespace
├── rbac.yaml                     # ServiceAccount + RoleBindings
├── agent-card.yaml               # ConfigMap for A2A discovery
├── process-contexts/             # Per-process SPIFFE context
│   ├── researcher.json
│   ├── writer.json
│   └── editor.json
└── hexr-manifest.json            # Build metadata

AST analysis

The build command inspects your agent file at the syntax-tree level — without executing it — to extract:
  1. Framework detection — CrewAI, LangChain, AutoGen, Strands, Swarm, or pure Python
  2. Agent discovery — all @hexr_agent decorators and framework-specific declarations
  3. Sub-agent mapping — distinct roles (researcher, writer, editor) for per-process identity
  4. Resource inference — hexr_tool() calls that determine required cloud permissions
  5. A2A detection — A2AClient usage and a2a=True parameters
  6. Coordination graph — NetworkX analysis of agent-to-agent relationships
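
The sketch below is an added example, not Hexr's own analyzer: it shows how steps 2, 4 and 5 can be done with Python's standard ast module without running the agent file. The sample source is constructed, and the hexr_tool("<resource>") argument shape is an assumption based on the names used on this page.

```python
import ast

# Constructed sample input. The hexr_tool("<resource>") argument shape is an assumption.
SAMPLE = '''
from hexr import hexr_agent, hexr_tool

@hexr_agent(name="research-agent", a2a=True)
def run(query):
    return hexr_tool("aws_s3").get(query)

@hexr_agent(name="writer")
def write(text, bucket):
    import os
    os.system("echo never runs during analysis")
    return hexr_tool(bucket)
'''

def _call_name(call):
    """Bare name of a call target (foo or mod.foo), else None."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    return func.attr if isinstance(func, ast.Attribute) else None

def analyze(source):
    """Extract agents, A2A flags and inferred resources without executing source."""
    tree = ast.parse(source)  # parse only: no import, no exec
    agents, resources = [], set()
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            for dec in node.decorator_list:
                if isinstance(dec, ast.Call) and _call_name(dec) == "hexr_agent":
                    kw = {k.arg: k.value for k in dec.keywords if k.arg}
                    name, a2a = kw.get("name"), kw.get("a2a")
                    agents.append({
                        # None here means the CLI would fall back to the filename
                        "name": name.value if isinstance(name, ast.Constant) else None,
                        "a2a": isinstance(a2a, ast.Constant) and a2a.value is True,
                    })
        elif isinstance(node, ast.Call) and _call_name(node) == "hexr_tool":
            arg = node.args[0] if node.args else None
            if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                resources.add(arg.value)
            else:
                # Non-literal argument: cannot be resolved statically, flag for review
                resources.add("<dynamic>")
    return {"agents": agents, "resources": sorted(resources)}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Because inferred resources determine cloud permissions, a call whose argument is not a string literal is reported as `<dynamic>` here rather than guessed, so it can be reviewed before any permission is granted.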

Examples

$ hexr build research_agent.py --tenant acme-corp

Analyzing research_agent.py...
  Framework: pure_python
  Agents: 1 (research-agent)
  Resources: aws_s3
  A2A: disabled

Generated .hexr/ (5 files)
Run hexr push from the same directory after hexr build completes. hexr push reads the .hexr/ directory produced here.