# Hexr

## Docs

- [Inside an Agent Pod: Four Containers Working Together](https://docs.hexr.dev/architecture/agent-pod.md): Every Hexr agent runs as a pod with four containers: your code, an mTLS proxy, an A2A sidecar, and a process identity mapper — all generated by hexr build.
- [Zero-Secret Cloud Access: How Credential Exchange Works](https://docs.hexr.dev/architecture/credential-exchange.md): Call hexr_tool() to get a cloud client with no credentials in your code. Hexr exchanges your SPIFFE identity for short-lived tokens via a three-tier cache.
- [How Hexr's Five-Layer Platform Protects Your Agents](https://docs.hexr.dev/architecture/five-layers.md): Hexr stacks five platform layers — identity, observability, runtime services, developer SDK, and management — each building on the one below.
- [Built-in Observability: Traces, Metrics, and Dashboards](https://docs.hexr.dev/architecture/observability.md): Hexr auto-instruments agents with OpenTelemetry — distributed traces, LLM cost attribution, and 42 pre-built Grafana panels, zero extra configuration.
- [How Hexr Works: Platform Architecture Overview](https://docs.hexr.dev/architecture/overview.md): Hexr wraps any Python agent in cryptographic identity, mTLS, cloud credentials, and observability — all automatically with no extra configuration.
- [Per-Process Identity: One SPIFFE ID Per Agent Role](https://docs.hexr.dev/architecture/per-process-identity.md): Hexr assigns a unique cryptographic SPIFFE identity to each agent process — not just each pod. Here's what that gives you and how it works.
- [hexr audit — Vulnerability Scan, SBOM, and Drift Detection](https://docs.hexr.dev/cli/audit.md): hexr audit scans Python dependencies and container images for CVEs, generates a CycloneDX SBOM, and detects drift between manifests and live cluster state.
- [hexr build — AST Analysis and Manifest Generation](https://docs.hexr.dev/cli/build.md): hexr build uses AST analysis to generate a Dockerfile, Kubernetes manifests, and SPIFFE contexts from your agent. Flags: --tenant, --target, --multi-cloud.
- [hexr cache — Credential Cache Management](https://docs.hexr.dev/cli/cache.md): hexr cache manages the three-tier credential cache used by hexr_tool(). Subcommands: status, clear, metrics. Inspect hit rates, TTLs, and latency.
- [hexr deploy — Apply Manifests and Provision Agent Identity](https://docs.hexr.dev/cli/deploy.md): hexr deploy applies Kubernetes manifests, waits for pod readiness, and confirms SPIFFE identity. Key flags: --cloud, build_dir path override.
- [hexr CLI Installation — Setup and Prerequisites](https://docs.hexr.dev/cli/installation.md): Install the hexr CLI via the hexr-sdk package using pip or uv. Requires Python 3.10+, Docker for local builds, and kubectl for deploying to Kubernetes.
- [hexr login — Authenticate with Hexr Cloud](https://docs.hexr.dev/cli/login.md): hexr login stores your Hexr Cloud API key to enable cloud builds, deploys, and dashboard access. Key flags: --key, --url, --status.
- [Hexr CLI Overview — Commands, Flags, and Workflows](https://docs.hexr.dev/cli/overview.md): The hexr CLI deploys AI agents to Kubernetes in three commands: hexr build, hexr push, and hexr deploy. Global flags: --verbose, --debug, --version.
- [hexr push — Container Build, Scan, and Registry Push](https://docs.hexr.dev/cli/push.md): hexr push builds a multi-platform container image, runs vulnerability scanning, and pushes to your registry. Key flags: --cloud, --scan-level, --platform.
- [hexr status — View Deployed Agent Health and Identity](https://docs.hexr.dev/cli/status.md): hexr status lists all deployed agents in your tenant namespace, showing container health, uptime, and SPIFFE identity. Supports --namespace filtering.
- [Managing Hexr Cloud API Keys Securely](https://docs.hexr.dev/cloud/api-keys.md): Generate, scope, and revoke Hexr Cloud API keys to authenticate the CLI and make programmatic requests. Each key is scoped to a role and permission level.
- [Hexr Cloud Credits and HCU Billing Explained](https://docs.hexr.dev/cloud/credits.md): Hexr Compute Units (HCU) are the metering currency for Hexr Cloud. Learn what each platform operation costs and how to track your usage.
- [Navigating the Hexr Cloud Dashboard](https://docs.hexr.dev/cloud/dashboard.md): The Hexr Cloud dashboard gives you a single interface to manage deployed agents, monitor traces and metrics, control API keys, and administer your team.
- [Get Started with Hexr Cloud in Under 5 Minutes](https://docs.hexr.dev/cloud/quickstart.md): Sign up for Hexr Cloud, install the SDK, and deploy your first AI agent to the fully managed platform — no infrastructure setup required.
- [Hexr Deployment Models: Cloud, Self-Hosted, and Air-Gapped](https://docs.hexr.dev/deployment-models.md): Hexr supports four deployment models — from fully managed SaaS to completely air-gapped. Same agent code, same runtime, different infrastructure ownership.
- [Set Up Agent-to-Agent Communication with Hexr](https://docs.hexr.dev/guides/agent-to-agent.md): Enable agents to discover and delegate tasks using the A2A protocol with SPIFFE identity and mTLS on every message. Includes fan-out and pipeline examples.
- [Build a Browser-Enabled AI Agent with Hexr](https://docs.hexr.dev/guides/browser-agent.md): Give your Hexr agent a headless browser for web research, screenshot analysis, and form submission. Sessions are isolated and destroyed after each call.
- [Run Untrusted Code Safely in a Hexr Sandbox](https://docs.hexr.dev/guides/code-execution.md): Execute LLM-generated Python, JavaScript, or Bash in isolated Firecracker microVMs. No network access, no persistent state, no host escape risk.
- [Add LLM Observability to Your AI Agent with Hexr](https://docs.hexr.dev/guides/llm-observability.md): Track every LLM call — tokens, costs, latency, and model — with zero-config OpenTelemetry tracing via hexr_llm. View results in Grafana.
- [Deploy a Multi-Cloud AI Agent with Hexr](https://docs.hexr.dev/guides/multi-cloud-tools.md): Access AWS, GCP, and Azure from a single agent using SPIFFE identity — no credentials in your code, no manual key rotation, no cross-cloud config.
- [Deploy Multi-Framework AI Agents with Hexr](https://docs.hexr.dev/guides/multi-framework.md): Run CrewAI, LangChain, AutoGen, and other frameworks on Hexr. Each agent role gets its own SPIFFE identity, cloud credentials, and cost attribution.
- [Deploy Your First AI Agent with Hexr in 5 Minutes](https://docs.hexr.dev/guides/quickstart.md): Install the Hexr SDK, write a Python agent, and deploy it to Kubernetes with SPIFFE identity, vault-backed secrets, and automatic LLM tracing.
- [Manage Secrets Securely in Your Hexr AI Agent](https://docs.hexr.dev/guides/secure-secrets.md): Store and retrieve API keys with AES-256 encryption and per-agent SPIFFE identity scoping. No secrets in environment variables, logs, or shared config.
- [Hexr: Deploy Secure AI Agents with One Decorator](https://docs.hexr.dev/introduction.md): Hexr gives every AI agent a cryptographic identity, zero-secret cloud access, and full observability — automatically, from a single Python decorator.
- [A2A: Authenticated Agent-to-Agent Communication over mTLS](https://docs.hexr.dev/sdk/a2a.md): Send messages between Hexr agents over mutual TLS using JSON-RPC 2.0. Discover agents by name, stream responses with SSE, and manage full task lifecycle.
- [Browser: Headless Chromium in a Hardware-Isolated microVM](https://docs.hexr.dev/sdk/browser.md): Navigate, click, screenshot, and extract text from websites using headless Chromium in an isolated microVM — safe for LLM-generated and untrusted inputs.
- [Gateway: MCP Tool Discovery and Authenticated API Invocation](https://docs.hexr.dev/sdk/gateway.md): Call MCP tools without managing API keys. Register any OpenAPI spec as callable tools — the Gateway fetches credentials from Vault per your agent identity.
- [Guard: LLM Prompt Injection and Output Scanning](https://docs.hexr.dev/sdk/guard.md): Detect prompt injection and secret leakage before LLM calls. Scan outputs for harmful content and data leaks. Integrates automatically with hexr_llm.
- [@hexr_agent: Cryptographic Identity Decorator for AI Agents](https://docs.hexr.dev/sdk/hexr-agent.md): Decorate any Python function or class to give it a SPIFFE identity, OpenTelemetry tracing, multi-cloud credential scoping, and optional A2A communication.
- [hexr_llm: LLM Observability and Cost Attribution Proxy](https://docs.hexr.dev/sdk/hexr-llm.md): Wrap any LLM client with one line for per-agent token counting, cost attribution, and latency histograms — no changes to your existing provider API calls.
- [hexr_tool: Authenticated Cloud SDK Client Factory](https://docs.hexr.dev/sdk/hexr-tool.md): Get an authenticated AWS, GCP, or Azure client in one line. SPIFFE identity exchanges for short-lived credentials via a 3-tier cache — no keys in code.
- [Installing the Hexr Python SDK from Private PyPI](https://docs.hexr.dev/sdk/installation.md): Install hexr-sdk from the private PyPI registry using pip or uv, configure persistent registry access, and verify your installation is working correctly.
- [Hexr Python SDK: Identity-First Runtime for AI Agents](https://docs.hexr.dev/sdk/overview.md): The Hexr SDK gives agents SPIFFE identity, cloud tool access, LLM observability, and inter-agent communication — with one decorator and minimal setup.
- [Sandbox: Hardware-Isolated Code Execution for AI Agents](https://docs.hexr.dev/sdk/sandbox.md): Execute Python or shell code in a hardware-isolated Firecracker microVM. No network access, no persistent state, no access to your agent credentials.
- [Vault: SPIFFE-Native Secret Management for AI Agents](https://docs.hexr.dev/sdk/vault.md): Store and retrieve secrets using your agent's SPIFFE identity — no separate tokens or keys. Secrets are AES-256-GCM encrypted and OPA-enforced per tenant.
- [Compliance Frameworks: SOC 2, NIST, GDPR, HIPAA, and FedRAMP](https://docs.hexr.dev/security/compliance-frameworks.md): See how Hexr's architecture maps to SOC 2 Type II, NIST AI RMF, GDPR, HIPAA, and FedRAMP requirements — with specific controls for each framework.
- [OPA Policies: Fine-Grained Authorization for Agent Processes](https://docs.hexr.dev/security/opa-policies.md): Control agent access to cloud services using OPA Rego policies. Write rules in Rego, deploy as a ConfigMap, and Hexr enforces them on every request.
- [Security at Every Layer: Hexr's Defense-in-Depth Model](https://docs.hexr.dev/security/overview.md): Hexr protects agents with six security layers: SPIFFE identity, mTLS, OPA policies, short-lived credentials, GenAI threat scanning, and hardware isolation.
- [SPIFFE Identity: Cryptographic Proof for Every Agent Process](https://docs.hexr.dev/security/spiffe-identity.md): Hexr issues a unique SPIFFE identity to every agent process. Learn how SPIFFE IDs, X.509 SVIDs, and automatic certificate rotation keep your agents secure.
- [Threat Model: AI Agent Attacks and Hexr Mitigations](https://docs.hexr.dev/security/threat-model.md): AI agents face unique threats. See the attack chains Hexr prevents — prompt injection, credential theft, code execution escapes, and cross-tenant access.
- [Deploy Hexr in an Air-Gapped Environment](https://docs.hexr.dev/self-hosted/air-gapped.md): Run the full Hexr platform with zero internet access — download an image bundle on a connected machine, transfer it, and install with a private registry.
- [Deploy Hexr on Your Own Kubernetes Cluster](https://docs.hexr.dev/self-hosted/quickstart.md): Install the full Hexr runtime on your own Kubernetes cluster using Helm — including SPIRE, Vault, the Credential Injector, and the observability stack.
- [Provision Hexr Infrastructure with Terraform](https://docs.hexr.dev/self-hosted/terraform.md): Use Hexr's Terraform modules to provision a Kubernetes cluster, PostgreSQL database, container registry, and IAM roles on AWS, GCP, or Azure.