Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/NVIDIA/OpenShell/llms.txt

Use this file to discover all available pages before exploring further.

openshell policy

Alias: pol Manage sandbox policies. Network and inference policy sections are hot-reloadable on running sandboxes without a restart.
Pass --global to any subcommand to operate on the gateway-wide global policy instead of a per-sandbox policy.

openshell policy set

Apply or replace a policy on a running sandbox (or gateway-global). 
openshell policy set [NAME] --policy FILE [OPTIONS]
NAME
string
Sandbox name. Defaults to the last-used sandbox. Ignored when --global is set.
--policy
string
required
Path to a policy YAML file.
--global
boolean
Apply as a gateway-global policy that overrides sandbox-level policies for all sandboxes. Prompts for confirmation unless --yes is also set.
--yes
boolean
Skip the confirmation prompt when setting a global policy.
--wait
boolean
Wait for the sandbox to confirm it has loaded the new policy. Not supported for global policies (global policies are effective immediately).
--timeout
integer
default:"60"
Timeout in seconds for --wait.

Examples

# Apply a policy to a specific sandbox
openshell policy set my-sandbox --policy policy.yaml

# Apply and wait for the sandbox to load it
openshell policy set my-sandbox --policy policy.yaml --wait

# Apply a gateway-global policy with confirmation prompt
openshell policy set --global --policy strict.yaml

# Apply global policy non-interactively (e.g., in CI)
openshell policy set --global --policy strict.yaml --yes
--wait polls the sandbox until it reports the expected policy revision. Use this in scripts that apply a policy and then immediately run a command that depends on it.

openshell policy get

Show the active policy for a sandbox or the gateway-global policy. 
openshell policy get [NAME] [OPTIONS]
NAME
string
Sandbox name. Defaults to the last-used sandbox. Ignored when --global is set.
--rev
integer
default:"0"
Specific policy revision to retrieve. Defaults to the latest revision.
--full
boolean
Print the full policy document as YAML instead of a summary.
--global
boolean
Show the gateway-global policy revision.

Examples

# Show the active policy summary for a sandbox
openshell policy get my-sandbox

# Print the full YAML
openshell policy get my-sandbox --full

# Show a specific revision
openshell policy get my-sandbox --rev 3

# Show the gateway-global policy
openshell policy get --global

openshell policy list

List policy revision history for a sandbox or the gateway-global policy. 
openshell policy list [NAME] [OPTIONS]
NAME
string
Sandbox name. Defaults to the last-used sandbox. Ignored when --global is set.
--limit
integer
default:"20"
Maximum number of revisions to return.
--global
boolean
List gateway-global policy revisions.

Examples

openshell policy list my-sandbox
openshell policy list --global
openshell policy list my-sandbox --limit 5

openshell policy delete

Delete the gateway-global policy lock, restoring per-sandbox policy control. Only operates on global policy; per-sandbox policy delete is not supported. 
openshell policy delete --global [OPTIONS]
--global
boolean
required
Required. Delete the global policy setting.
--yes
boolean
Skip the confirmation prompt.

Example

openshell policy delete --global
openshell policy delete --global --yes

Policy behavior

SectionReloadableApplied at
network_policiesYes — hot-reload on running sandboxCreation and policy set
inferenceYes — hot-reload on running sandboxCreation and policy set
filesystemNo — locked at creationSandbox creation only
processNo — locked at creationSandbox creation only
Global policy overrides per-sandbox policy. Deleting the global policy with policy delete --global restores each sandbox’s own policy. See Policy Schema for the full YAML format.

Build docs developers (and LLMs) love

Get started for freeTalk to us