Describe the feature
Add NVIDIA OpenShell as a sandbox provider extension, alongside E2B, Modal, Daytona, Cloudflare, Blaxel, Runloop, and Vercel.
OpenShell is an open-source sandbox runtime for AI agents. It provides isolated execution environments governed by declarative YAML policies that control file access, network activity, and credential exposure at the per-binary and per-URL-path level.
What makes it different from existing providers:
- Self-hosted. Runs on your own infrastructure (Docker, Podman, MicroVM, or Kubernetes), not a third-party cloud. No data leaves your environment.
- Policy-driven network control. Declarative YAML policies enforce per-binary, per-domain, per-HTTP-method access rules. An agent can curl to api.github.com/repos/*/contents/* but not to api.github.com/repos/*/settings. No other provider offers this granularity.
- Credential isolation. Secrets are injected via providers and scoped to the sandbox. Even if an agent is tricked into exfiltration, credentials are ephemeral and useless outside the proxy.
- GPU support. Sandboxes can request GPU resources for inference workloads.
Why this matters for the Agents SDK
The current hosted providers (E2B, Modal, Vercel, etc.) require sending agent workloads to external infrastructure. For enterprises with data residency requirements, regulated environments, or air-gapped clusters, a self-hosted sandbox option is needed. OpenShell fills this gap while adding policy-based security controls that go beyond container isolation.
Proposed approach
Wrap the openshell Python SDK (sync gRPC client) via run_in_executor, following the same pattern as the Modal provider. Implement the standard BaseSandboxClient / BaseSandboxSession contracts with:
- Gateway discovery via SandboxClient.from_active_cluster() or explicit endpoint
- Command execution via SandboxClient.exec() (gRPC streaming)
- File I/O via exec + base64 (OpenShell has no native file API)
- Tar-based workspace persistence
- Best-effort cleanup on shutdown
References
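The file I/O approach from the proposal (exec plus base64, with the blocking call pushed through run_in_executor), as an added example that is not part of the original issue or the OpenShell SDK. `local_exec` is a hypothetical local stand-in for a blocking exec call, since the real SandboxClient.exec() signature is not shown here, and `ExecFileIO` is an illustrative name.

```python
import asyncio
import base64
import os
import shlex
import subprocess
import tempfile
from functools import partial

def local_exec(argv, stdin=b""):
    """Hypothetical stand-in for a blocking sandbox exec call (runs locally)."""
    p = subprocess.run(argv, input=stdin, capture_output=True)
    return p.returncode, p.stdout, p.stderr

class ExecFileIO:
    """File read/write built only on an exec primitive (illustrative name)."""

    def __init__(self, exec_fn=local_exec):
        self._exec = exec_fn

    async def _run(self, script, stdin=b""):
        # The client is synchronous, so run it in the default thread pool.
        loop = asyncio.get_running_loop()
        call = partial(self._exec, ["sh", "-c", script], stdin)
        rc, out, err = await loop.run_in_executor(None, call)
        if rc != 0:
            raise OSError(f"exec failed ({rc}): {err.decode(errors='replace')}")
        return out

    async def write(self, path, data):
        # Payload travels on stdin, not argv: no argument-length limit and no
        # file contents in the process list. The path is quoted because it is
        # interpolated into a shell command line.
        script = f"base64 -d > {shlex.quote(path)}"
        await self._run(script, base64.b64encode(data))

    async def read(self, path):
        out = await self._run(f"base64 < {shlex.quote(path)}")
        return base64.b64decode(out)  # line wrapping in the output is ignored

def roundtrip_demo():
    """Write and read back binary data under a constructed awkward filename."""
    name = "note $(touch pwned) ; 'x'.bin"  # constructed sample input
    data = bytes(range(256)) * 8
    with tempfile.TemporaryDirectory() as d:
        io, path = ExecFileIO(), os.path.join(d, name)
        async def go():
            await io.write(path, data)
            return await io.read(path)
        return asyncio.run(go()) == data, sorted(os.listdir(d))
```

Because the path is only ever used as a redirection target, a name beginning with `-` is not parsed as an option by `base64`.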