Summary
openshell sandbox get <name> returns the immutable baseline policy from sandbox creation time. Network policies added post-creation via openshell policy set are stored in the sandbox_policies runtime table but are not reflected in sandbox get output.
This forces downstream tools (NemoClaw) to call both sandbox get and policy get --full and stitch the output together to show users the actual enforced policy.
Request
Add an option to openshell sandbox get that includes the live runtime policy revisions in the output. For example:
openshell sandbox get <name> --include-runtime-policy
Or always include the latest runtime policy in the output alongside the baseline.
Context
- NemoClaw PR #1871 works around this by parsing sandbox get output, finding the Policy: section, and replacing it with policy get --full output.
- This works but is fragile — it depends on the exact output format of sandbox get.
- A first-class flag would eliminate the workaround and prevent breakage if the output format changes.
Related
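The stitching workaround described under Context, sketched as an added example (not NemoClaw's or OpenShell's code): it swaps the Policy: section of sandbox get output for the runtime policy text and raises if the section cannot be located exactly once, so a format change never silently presents the stale baseline as the enforced policy. The sample outputs, the indented-section layout, and the names stitch_policy and PolicySectionError are assumptions; only the Policy: header comes from the issue.

```python
# Constructed sample of `openshell sandbox get` output. The real layout is not
# shown in the issue; everything except the "Policy:" header is assumed.
SANDBOX_GET = """\
Name: demo
Status: Running
Policy:
  network:
    allow: []
Created: 2024-01-01
"""

# Constructed sample of `openshell policy get --full` output (assumed layout).
RUNTIME_POLICY = """\
network:
  allow:
    - api.example.com:443
"""


class PolicySectionError(ValueError):
    """Raised when the baseline Policy: section cannot be replaced safely."""


def stitch_policy(sandbox_get: str, runtime_policy: str, indent: str = "  ") -> str:
    """Return sandbox_get with its Policy: section replaced by runtime_policy."""
    if not runtime_policy.strip():
        raise PolicySectionError("runtime policy is empty; refusing to stitch")
    lines = sandbox_get.splitlines()
    headers = [i for i, line in enumerate(lines) if line.rstrip() == "Policy:"]
    # Fail closed: zero or several matches means the format changed.
    if len(headers) != 1:
        raise PolicySectionError(f"expected one 'Policy:' header, found {len(headers)}")
    start = headers[0]
    end = start + 1
    # The section body is assumed to be the indented (or blank) lines that follow.
    while end < len(lines) and (not lines[end].strip() or lines[end][0] in " \t"):
        end += 1
    # Leave trailing blank lines to whatever section comes next.
    while end > start + 1 and not lines[end - 1].strip():
        end -= 1
    body = [indent + line if line.strip() else "" for line in runtime_policy.splitlines()]
    return "\n".join(lines[: start + 1] + body + lines[end:]) + "\n"


if __name__ == "__main__":
    print(stitch_policy(SANDBOX_GET, RUNTIME_POLICY), end="")
```
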