NVIDIA/OpenShell

NVIDIA's answer to 'what if my AI agent goes rogue?'

A Rust-based runtime that sandboxes autonomous agents with declarative YAML policies and hot-reloadable network controls.

6.9k stars · Rust · Agents · LLMOps · Eval

Velocity (7d): +67 ★/day, trend steady

What it does

OpenShell wraps AI agents (Claude, Codex, Copilot, and others) in containerized sandboxes with locked-down filesystem, process, and network policies. You declare rules in YAML; the engine enforces them at the kernel and application layers, intercepting every outbound connection to allow, deny, or reroute it for inference.

The interesting bit

The network policy engine operates at L7 (HTTP method and path) and can be hot-reloaded without restarting the sandbox. The “Privacy Router” strips caller credentials and injects backend ones, so your API keys never touch the sandbox filesystem; they arrive as runtime environment variables.

Key highlights

  • One-command sandbox creation: openshell sandbox create -- claude
  • Four policy layers: filesystem, network, process, and inference routing
  • Credentials managed as “providers,” auto-discovered from your shell env for supported agents
  • Supports Docker, Podman, MicroVM, and Kubernetes backends
  • Experimental GPU passthrough via CDI or Docker’s NVIDIA GPU path
  • Alpha status: explicitly “single-player mode,” not yet multi-tenant

Caveats

  • Kubernetes and GPU support are both marked experimental with “rough edges and breaking changes”
  • Default base image lacks GPU drivers; you must BYOC for GPU workloads
  • No topics tagged, and the project is early enough that enterprise features remain aspirational

Verdict

Worth a look if you’re already running agentic coding tools and losing sleep over exfiltration or credential leaks. Skip it if you need production multi-tenancy today; NVIDIA is clear this is proof-of-life, not infrastructure.
