Skip to main content
The hexr CLI is the primary interface for building, publishing, and deploying AI agents on the Hexr platform. You use it from your local machine or CI pipeline to go from a Python agent file to a running, identity-provisioned Kubernetes pod — with SPIFFE certificates, mTLS networking, and A2A endpoints configured automatically. No Dockerfile authoring, no manual manifest writing, no kubectl gymnastics required.

Installation

uv pip install "hexr-sdk[cli]" --extra-index-url https://pypi.hexr.cloud/simple/
The CLI ships inside the hexr-sdk Python package — no separate install step.

Commands

CommandDescription
hexr buildAST analysis → Dockerfile + K8s manifests + SPIFFE contexts
hexr pushBuild container image + vulnerability scan + push to registry
hexr deployApply manifests to Kubernetes cluster
hexr auditVulnerability scan + SBOM generation + drift detection
hexr loginAuthenticate with Hexr Cloud
hexr statusShow deployed agents and their health
hexr cacheCredential cache management

Global flags

FlagDescription
--verbose, -vVerbose output
--debugDebug-level logging
--versionShow version

The three-command workflow

Every Hexr deployment follows the same three steps. Here is what each one does and what you see in your terminal:
1

hexr build — analyze and generate

hexr build performs AST analysis on your agent file, detects its framework, agents, cloud resource usage, and A2A configuration, then writes a complete set of deployment artifacts to .hexr/.
$ hexr build my_agent.py --tenant acme-corp

Analyzing my_agent.py...
  Framework: crewai (detected from imports)
  Agents: 3 (researcher, writer, editor)
  Resources: aws_s3, gcp_bigquery
  A2A: enabled

Generated .hexr/:
  ├── Dockerfile
  ├── requirements.txt
  ├── agent-pod.yaml
  ├── namespace.yaml
  ├── rbac.yaml
  ├── agent-card.yaml (ConfigMap)
  ├── process-contexts/
   ├── researcher.json
   ├── writer.json
   └── editor.json
  └── hexr-manifest.json
2

hexr push — build and publish the image

hexr push picks a build strategy (Docker Build Cloud, local buildx, or Google Cloud Build), builds a multi-platform container image, runs a vulnerability scan, and pushes the result to your registry.
$ hexr push

Detected build strategies:
  1. Docker Build Cloud (cloud-sugiv-hexr) [RECOMMENDED]
  2. Local buildx
  3. Basic Docker

Select strategy [1]: 1

Building for: linux/amd64, linux/arm64
Pushing to: us-central1-docker.pkg.dev/hexr-cloud-prod/hexr-images/acme-research-analyst:latest

 Image pushed successfully
 Vulnerability scan: 0 critical, 0 high
3

hexr deploy — apply to Kubernetes

hexr deploy applies the generated manifests to your chosen cluster in the correct order, waits for pod readiness across all containers, and confirms the agent’s SPIFFE ID and A2A endpoint.
$ hexr deploy

Detected clusters:
  1. hexr-cloud (GKE, us-central1-a)
  2. do-nyc1-hexr-demo (DigitalOcean)

Select cluster [1]: 1

Applying manifests to tenant-acme-corp...
 Namespace created
 RBAC applied
 Agent pod created
  
Waiting for pod readiness...
 acme-research-analyst: 4/4 containers running
  
Agent deployed! SPIFFE ID: spiffe://hexr.cloud/agent/acme-corp/research-analyst/main