Repo: NVIDIA/OpenShell, published Feb 24, 2026


NVIDIA/OpenShell

Description: OpenShell is the safe, private runtime for autonomous AI agents.

Language: Rust

License: Apache-2.0

Stars: 7015

Forks: 841

Open issues: 257

Created: 2026-02-24T22:52:22Z

Pushed: 2026-06-11T00:23:54Z

Default branch: main

Fork: no

Archived: no

README:

NVIDIA OpenShell

OpenShell is the safe, private runtime for autonomous AI agents. It provides sandboxed execution environments that protect your data, credentials, and infrastructure — governed by declarative YAML policies that prevent unauthorized file access, data exfiltration, and uncontrolled network activity.

OpenShell is built agent-first. The project ships with agent skills for everything from gateway troubleshooting to policy generation, and we expect contributors to use them.

> Alpha software — single-player mode. OpenShell is proof-of-life: one developer, one environment, one gateway. We are building toward multi-tenant enterprise deployments, but the starting point is getting your own environment up and running. Expect rough edges. Bring your agent.

Quickstart

Prerequisites

  • A supported host — macOS, Windows with WSL 2, or Linux.
  • A local runtime — Docker, Podman, or host virtualization enabled for MicroVM-backed sandboxes.

Install

Binary (recommended):

curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh

This pipes the installer straight into your shell. If you want to review it first, fetch install.sh to a file, read it, and then run it.

From PyPI (requires [uv](https://docs.astral.sh/uv/)):

uv tool install -U openshell

Both methods install the latest stable release by default. To install a specific version, set OPENSHELL_VERSION (binary) or pin the version with uv tool install openshell==<version>. A `dev` release is also available that tracks the latest commit on main.

Helm chart:

> Experimental — the Kubernetes deployment path is under active development. Expect rough edges and breaking changes.

Deploy the OpenShell gateway into a Kubernetes cluster from the OCI chart published to GHCR:

helm install openshell oci://ghcr.io/nvidia/openshell/helm-chart

See [deploy/helm/openshell/README.md](deploy/helm/openshell/README.md) for available versions, dev tag conventions, and configuration.

For deploying OpenShell on OpenShift, see [deploy/helm/openshell/README.md#install-on-openshift](deploy/helm/openshell/README.md#install-on-openshift).

Create a sandbox

openshell sandbox create -- claude # or opencode, codex, copilot

The sandbox container includes the following tools by default:

| Category | Tools |
| ---------- | -------------------------------------------------------- |
| Agent | claude, opencode, codex, copilot |
| Language | python (3.14), node (22) |
| Developer | gh, git, vim, nano |
| Networking | ping, dig, nslookup, nc, traceroute, netstat |

For more details see https://github.com/NVIDIA/OpenShell-Community/tree/main/sandboxes/base.

See network policy in action

Every sandbox starts with minimal outbound access. You open additional access with a short YAML policy that the proxy enforces at the HTTP method and path level, without restarting anything.

# 1. Create a sandbox (starts with minimal outbound access)
openshell sandbox create

# 2. Inside the sandbox — blocked
sandbox$ curl -sS https://api.github.com/zen
curl: (56) Received HTTP code 403 from proxy after CONNECT

# 3. Back on the host — apply a read-only GitHub API policy
sandbox$ exit
openshell policy set demo --policy examples/sandbox-policy-quickstart/policy.yaml --wait

# 4. Reconnect — GET allowed, POST blocked by L7
openshell sandbox connect demo
sandbox$ curl -sS https://api.github.com/zen
Anything added dilutes everything else.

sandbox$ curl -sS -X POST https://api.github.com/repos/octocat/hello-world/issues -d '{"title":"oops"}'
{"error":"policy_denied","detail":"POST /repos/octocat/hello-world/issues not permitted by policy"}

See the [full walkthrough](examples/sandbox-policy-quickstart/) or run the automated demo:

bash examples/sandbox-policy-quickstart/demo.sh

How It Works

OpenShell isolates each sandbox in its own container with policy-enforced egress routing. A lightweight gateway coordinates sandbox lifecycle, and every outbound connection is intercepted by the policy engine, which does one of three things:

  • Allows — the destination and binary match a policy block.
  • Routes for inference — strips caller credentials, injects backend credentials, and forwards to the managed model.
  • Denies — blocks the request and logs it.
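The three outcomes above, together with the two places in the quickstart transcript where a request is blocked (at CONNECT, when the host matches no rule at all, and at L7, when the host is allowed but the method is not), as an added Rust illustration. This is not OpenShell's code: the rule shape, hostnames, paths and credentials are constructed for the example, and the method/path check assumes the proxy terminates TLS, since that is the only way an HTTPS request's method and path are visible to it.

```rust
// Added illustration of the three egress outcomes described in the README.
// Not OpenShell's code: rule shape, host names and credentials are constructed.

#[derive(Debug, Clone, PartialEq)]
pub enum Stage { Connect, Request } // CONNECT seen only vs. TLS terminated, L7 visible

#[derive(Debug, Clone, PartialEq)]
pub enum Decision {
    Allow,                                       // matched a rule; forward as-is
    RouteForInference { backend_auth: String },  // swap caller cred for backend cred
    Deny { stage: Stage, detail: String },       // blocked; `detail` is logged
}

/// A host plus the (method, path prefix) pairs the sandbox may use against it.
pub struct Rule { pub host: String, pub allow: Vec<(String, String)> }
/// A managed model host and the real credential that only the proxy holds.
pub struct Backend { pub host: String, pub credential: String }
pub struct Policy { pub rules: Vec<Rule>, pub inference: Vec<Backend> }
pub struct Request<'a> { pub method: &'a str, pub host: &'a str, pub path: &'a str, pub headers: Vec<(&'a str, &'a str)> }

impl Policy {
    /// Stage 1: at `CONNECT host:443` only the host is known. A host named in no
    /// rule is refused here, which is the "403 from proxy after CONNECT" above.
    pub fn check_connect(&self, host: &str) -> Decision {
        let known = self.rules.iter().any(|r| r.host == host)
            || self.inference.iter().any(|b| b.host == host);
        if known { return Decision::Allow; }
        Decision::Deny { stage: Stage::Connect, detail: format!("CONNECT {} not permitted by policy", host) }
    }

    /// Stage 2: method and path are visible once the proxy has terminated TLS.
    /// Managed model hosts are rerouted; anything else needs a matching
    /// (method, path prefix) pair or is denied at L7.
    pub fn check_request(&self, req: &Request) -> Decision {
        if let Some(b) = self.inference.iter().find(|b| b.host == req.host) {
            return Decision::RouteForInference { backend_auth: format!("Bearer {}", b.credential) };
        }
        let allowed = self.rules.iter().filter(|r| r.host == req.host)
            .flat_map(|r| r.allow.iter())
            .any(|(m, p)| m.as_str() == req.method && req.path.starts_with(p.as_str()));
        if allowed { return Decision::Allow; }
        Decision::Deny { stage: Stage::Request, detail: format!("{} {} not permitted by policy", req.method, req.path) }
    }
}

/// Apply RouteForInference to outbound headers: drop whatever Authorization the
/// agent sent (a placeholder, never the real key) and inject the backend's.
pub fn rewrite_headers(headers: &[(&str, &str)], backend_auth: &str) -> Vec<(String, String)> {
    let mut out: Vec<(String, String)> = headers.iter()
        .filter(|(k, _)| !k.eq_ignore_ascii_case("authorization"))
        .map(|(k, v)| (k.to_string(), v.to_string()))
        .collect();
    out.push(("Authorization".to_string(), backend_auth.to_string()));
    out
}

/// Deny body shaped like the quickstart output (a real one would JSON-escape).
pub fn deny_json(detail: &str) -> String {
    format!("{{\"error\":\"policy_denied\",\"detail\":\"{}\"}}", detail)
}

/// Constructed policy: read-only GitHub API plus one (made-up) managed model host.
pub fn quickstart_policy() -> Policy {
    Policy {
        rules: vec![Rule { host: "api.github.com".into(), allow: vec![("GET".into(), "/".into())] }],
        inference: vec![Backend { host: "model.internal.example".into(), credential: "real-backend-key".into() }],
    }
}

fn main() {
    let policy = quickstart_policy();
    println!("{:?}", policy.check_connect("example.com")); // Deny at the Connect stage
    let post = Request { method: "POST", host: "api.github.com",
                         path: "/repos/octocat/hello-world/issues", headers: vec![] };
    if let Decision::Deny { detail, .. } = policy.check_request(&post) {
        println!("{}", deny_json(&detail)); // policy_denied, same wording as the transcript
    }
}
```

The split into two stages is the point: a plain HTTP proxy can only decide on the host at CONNECT time, so host-level allowlisting happens there, and method/path rules can only be enforced after the proxy has terminated TLS. The credential swap in `rewrite_headers` is what lets the agent hold a placeholder token while the real backend key never enters the sandbox.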

| Component | Role |
| ------------------ | -------------------------------------------------------------------------------------------- |
| Gateway | Control-plane API that coordinates sandbox lifecycle and acts as the auth boundary. |
| Sandbox | Isolated runtime with container supervision and policy-enforced egress routing. |
| Policy Engine | Enforces filesystem, network, and process constraints from application layer down to kernel. |
| Privacy Router | Privacy-aware LLM routing that keeps sensitive context on sandbox compute. |

OpenShell runs a gateway control plane that manages sandbox lifecycle through a configured compute driver. Supported compute platforms include Docker, Podman, MicroVM, and Kubernetes.

Protection Layers

OpenShell applies defense in depth across four policy domains:

| Layer | What it protects | When it applies |
| ---------- | --------------------------------------------------- | --------------------------- |
| Filesystem | Prevents reads/writes outside allowed paths. | Locked at sandbox creation. |
| Network | Blocks unauthorized outbound connections. | Hot-reloadable at runtime. |
| Process | Blocks privilege escalation and dangerous syscalls. | Locked at sandbox creation. |
| Inference | Reroutes model API calls to controlled backends. | Hot-reloadable at runtime. |

Policies are declarative YAML files. Static sections (filesystem, process) are locked at creation; dynamic sections (network, inference) can be hot-reloaded on a running sandbox with openshell policy set.

Providers

Agents need credentials — API keys, tokens, service accounts. OpenShell manages these as providers: named credential bundles that are injected into sandboxes at creation. The CLI auto-discovers credentials for recognized agents (Claude, Codex, OpenCode, Copilot) from your shell…


Notability

notability 6.0/10

High stars for new NVIDIA repo, but low HN traction