From fc4462521dce8673ce5a3af7e2dae88be1be198c Mon Sep 17 00:00:00 2001 From: Drew Newberry Date: Fri, 22 May 2026 09:13:13 -0700 Subject: [PATCH 1/3] docs: remove OpenClaw sandbox references Signed-off-by: Drew Newberry --- README.md | 4 +- crates/openshell-cli/src/main.rs | 2 +- crates/openshell-cli/src/run.rs | 20 +++++----- crates/openshell-cli/src/ssh.rs | 4 +- docs/about/overview.mdx | 2 +- docs/about/supported-agents.mdx | 4 +- docs/get-started/quickstart.mdx | 11 ------ docs/sandboxes/manage-sandboxes.mdx | 3 +- docs/security/best-practices.mdx | 2 +- examples/openclaw.md | 37 ------------------- .../README.md | 2 +- tasks/scripts/release.py | 2 +- 12 files changed, 22 insertions(+), 71 deletions(-) delete mode 100644 examples/openclaw.md diff --git a/README.md b/README.md index 574347642..80329004f 100644 --- a/README.md +++ b/README.md @@ -153,7 +153,7 @@ Docker-backed GPU sandboxes auto-select CDI when available and otherwise fall ba | [OpenCode](https://opencode.ai/) | [`base`](https://github.com/NVIDIA/OpenShell-Community/tree/main/sandboxes/base) | Works out of the box. Provider uses `OPENAI_API_KEY` or `OPENROUTER_API_KEY`. | | [Codex](https://developers.openai.com/codex) | [`base`](https://github.com/NVIDIA/OpenShell-Community/tree/main/sandboxes/base) | Works out of the box. Provider uses `OPENAI_API_KEY`. | | [GitHub Copilot CLI](https://docs.github.com/en/copilot/github-copilot-in-the-cli) | [`base`](https://github.com/NVIDIA/OpenShell-Community/tree/main/sandboxes/base) | Works out of the box. Provider uses `GITHUB_TOKEN` or `COPILOT_GITHUB_TOKEN`. | -| [OpenClaw](https://openclaw.ai/) | [Community](https://github.com/NVIDIA/OpenShell-Community) | Launch with `openshell sandbox create --from openclaw`. | +| [OpenClaw](https://openclaw.ai/) | [NemoClaw](https://github.com/NVIDIA/NemoClaw) | Run OpenClaw more securely inside NVIDIA OpenShell with managed inference using NemoClaw. | | [Ollama](https://ollama.com/) | [Community](https://github.com/NVIDIA/OpenShell-Community) | Launch with `openshell sandbox create --from ollama`. | ## Key Commands @@ -191,7 +191,7 @@ The TUI gives you a live, keyboard-driven view of your gateway and sandboxes. Na Use `--from` to create sandboxes from the [OpenShell Community](https://github.com/NVIDIA/OpenShell-Community) catalog, a local directory, or a container image: ```bash -openshell sandbox create --from openclaw # community catalog +openshell sandbox create --from ollama # community catalog openshell sandbox create --from ./my-sandbox-dir # local Dockerfile openshell sandbox create --from registry.io/img:v1 # container image ``` diff --git a/crates/openshell-cli/src/main.rs b/crates/openshell-cli/src/main.rs index ab66ac56d..7cb3391fe 100644 --- a/crates/openshell-cli/src/main.rs +++ b/crates/openshell-cli/src/main.rs @@ -1153,7 +1153,7 @@ enum SandboxCommands { #[arg(long, add = ArgValueCompleter::new(completers::complete_sandbox_names))] name: Option, - /// Sandbox source: a community sandbox name (e.g., `openclaw`), a path + /// Sandbox source: a community sandbox name (e.g., `ollama`), a path /// to a Dockerfile or directory containing one, or a full container /// image reference (e.g., `myregistry.com/img:tag`). /// diff --git a/crates/openshell-cli/src/run.rs b/crates/openshell-cli/src/run.rs index 3669ede1d..db3c1b7f8 100644 --- a/crates/openshell-cli/src/run.rs +++ b/crates/openshell-cli/src/run.rs @@ -2013,7 +2013,7 @@ pub async fn sandbox_create( // If --forward was requested, start the background port forward // *before* running the command so that long-running processes - // (e.g. `openclaw gateway`) are reachable immediately. + // (e.g. a web gateway) are reachable immediately. if let Some(ref spec) = forward { sandbox_forward( &effective_server, @@ -7356,7 +7356,7 @@ mod tests { for image in [ "ghcr.io/nvidia/openshell-community/sandboxes/base:latest", "registry.example.com/gpu/team/base:latest", - "registry.example.com/team/openclaw:latest", + "registry.example.com/team/notebook:latest", "cuda-toolkit:latest", "registry.example.com/team/graphics:latest", ] { @@ -7468,10 +7468,10 @@ mod tests { fn service_url_for_gateway_uses_external_gateway_port() { assert_eq!( service_url_for_gateway( - "https://quiet-flamingo--openclaw.navigator.openshell.localhost:8080/", + "https://quiet-flamingo--notebook.navigator.openshell.localhost:8080/", "https://127.0.0.1:31886" ), - "https://quiet-flamingo--openclaw.navigator.openshell.localhost:31886/" + "https://quiet-flamingo--notebook.navigator.openshell.localhost:31886/" ); } @@ -7479,10 +7479,10 @@ mod tests { fn service_url_for_gateway_omits_default_external_port() { assert_eq!( service_url_for_gateway( - "https://quiet-flamingo--openclaw.navigator.openshell.localhost:8080/", + "https://quiet-flamingo--notebook.navigator.openshell.localhost:8080/", "https://gateway.example.com" ), - "https://quiet-flamingo--openclaw.navigator.openshell.localhost/" + "https://quiet-flamingo--notebook.navigator.openshell.localhost/" ); } @@ -7490,10 +7490,10 @@ mod tests { fn service_url_for_gateway_preserves_service_scheme() { assert_eq!( service_url_for_gateway( - "http://quiet-flamingo--openclaw.navigator.openshell.localhost:8080/", + "http://quiet-flamingo--notebook.navigator.openshell.localhost:8080/", "https://127.0.0.1:31886" ), - "http://quiet-flamingo--openclaw.navigator.openshell.localhost:31886/" + "http://quiet-flamingo--notebook.navigator.openshell.localhost:31886/" ); } @@ -7501,10 +7501,10 @@ mod tests { fn service_url_for_gateway_uses_gateway_default_port() { assert_eq!( service_url_for_gateway( - "http://quiet-flamingo--openclaw.navigator.openshell.localhost:8080/", + "http://quiet-flamingo--notebook.navigator.openshell.localhost:8080/", "https://gateway.example.com" ), - "http://quiet-flamingo--openclaw.navigator.openshell.localhost:443/" + "http://quiet-flamingo--notebook.navigator.openshell.localhost:443/" ); } diff --git a/crates/openshell-cli/src/ssh.rs b/crates/openshell-cli/src/ssh.rs index 5db4c74d6..204128d34 100644 --- a/crates/openshell-cli/src/ssh.rs +++ b/crates/openshell-cli/src/ssh.rs @@ -1574,8 +1574,8 @@ mod tests { "/sandbox/file.txt" ); assert_eq!( - validate_sandbox_source_path("/sandbox/.openclaw/workspace/hello.txt").unwrap(), - "/sandbox/.openclaw/workspace/hello.txt" + validate_sandbox_source_path("/sandbox/.agent/workspace/hello.txt").unwrap(), + "/sandbox/.agent/workspace/hello.txt" ); assert_eq!( validate_sandbox_source_path("/sandbox").unwrap(), diff --git a/docs/about/overview.mdx b/docs/about/overview.mdx index 3d23c8794..6ef41b34a 100644 --- a/docs/about/overview.mdx +++ b/docs/about/overview.mdx @@ -44,7 +44,7 @@ OpenShell supports a range of agent deployment patterns. | Use Case | Description | |-----------------------------|----------------------------------------------------------------------------------------------------------| -| Secure coding agents | Run Claude Code, OpenCode, or OpenClaw with constrained file and network access. | +| Secure coding agents | Run Claude Code, OpenCode, Codex, or GitHub Copilot CLI with constrained file and network access. | | Private enterprise development | Route inference to self-hosted or private backends while keeping sensitive context under your control. | | Compliance and audit | Treat policy YAML as version-controlled security controls that can be reviewed and audited. | | Reusable environments | Use community sandbox images or bring your own containerized runtime. | diff --git a/docs/about/supported-agents.mdx b/docs/about/supported-agents.mdx index c97e1e677..5f1c1e742 100644 --- a/docs/about/supported-agents.mdx +++ b/docs/about/supported-agents.mdx @@ -6,7 +6,7 @@ description: "AI agent frameworks and runtimes compatible with OpenShell sandbox keywords: "Generative AI, Cybersecurity, AI Agents, Sandboxing, Claude, Codex, Cursor" position: 5 --- -The following table summarizes the agents that run in OpenShell sandboxes. All agent sandbox images are maintained in the [OpenShell Community](https://github.com/NVIDIA/OpenShell-Community) repository. Agents in the base image are auto-configured when passed as the trailing command to `openshell sandbox create`. +The following table summarizes the agents that run in OpenShell sandboxes. Most agent sandbox images are maintained in the [OpenShell Community](https://github.com/NVIDIA/OpenShell-Community) repository. Agents in the base image are auto-configured when passed as the trailing command to `openshell sandbox create`. | Agent | Source | Default Policy | Notes | |---|---|---|---| @@ -14,7 +14,7 @@ The following table summarizes the agents that run in OpenShell sandboxes. All a | [OpenCode](https://opencode.ai/) | [`base`](https://github.com/NVIDIA/OpenShell-Community/tree/main/sandboxes/base) | Partial coverage | Pre-installed. Add `opencode.ai` endpoint and OpenCode binary paths to the policy for full functionality. | | [Codex](https://developers.openai.com/codex) | [`base`](https://github.com/NVIDIA/OpenShell-Community/tree/main/sandboxes/base) | No coverage | Pre-installed. Requires a custom policy with OpenAI endpoints and Codex binary paths. Requires `OPENAI_API_KEY`. | | [GitHub Copilot CLI](https://docs.github.com/en/copilot/github-copilot-in-the-cli) | [`base`](https://github.com/NVIDIA/OpenShell-Community/tree/main/sandboxes/base) | Full coverage | Pre-installed. Works out of the box. Requires `GITHUB_TOKEN` or `COPILOT_GITHUB_TOKEN`. | -| [OpenClaw](https://openclaw.ai/) | [`openclaw`](https://github.com/NVIDIA/OpenShell-Community/tree/main/sandboxes/openclaw) | Bundled | Agent orchestration layer. Launch with `openshell sandbox create --from openclaw`. | +| [NemoClaw](https://github.com/NVIDIA/NemoClaw) | [NemoClaw](https://github.com/NVIDIA/NemoClaw) | Blueprint-managed | OpenShell-backed agent stack. Follow the NemoClaw repository for setup. | | [Ollama](https://ollama.com/) | [`ollama`](https://github.com/NVIDIA/OpenShell-Community/tree/main/sandboxes/ollama) | Bundled | Run cloud and local models. Includes Claude Code, Codex, and OpenCode. Launch with `openshell sandbox create --from ollama`. | For base image details and `--from` usage, refer to [Sandboxes](/sandboxes/manage-sandboxes#base-sandbox-container). diff --git a/docs/get-started/quickstart.mdx b/docs/get-started/quickstart.mdx index 9c40eb024..0955c7673 100644 --- a/docs/get-started/quickstart.mdx +++ b/docs/get-started/quickstart.mdx @@ -90,17 +90,6 @@ If `OPENAI_API_KEY` is set in your environment, the CLI picks it up automaticall If not, you can configure it from inside the sandbox after it launches. - - -Run the following command to create a sandbox with OpenClaw: - -```shell -openshell sandbox create --from openclaw -``` - -The `--from` flag pulls a pre-built sandbox container with its bundled policy and optional skills. - - Use the `--from` flag to create a sandbox from the base container: diff --git a/docs/sandboxes/manage-sandboxes.mdx b/docs/sandboxes/manage-sandboxes.mdx index a62f57bf5..11e08773c 100644 --- a/docs/sandboxes/manage-sandboxes.mdx +++ b/docs/sandboxes/manage-sandboxes.mdx @@ -61,13 +61,12 @@ Use `--from` to create a sandbox from the base image, another pre-built sandbox ```shell openshell sandbox create --from base -openshell sandbox create --from openclaw openshell sandbox create --from ollama openshell sandbox create --from ./my-sandbox-dir openshell sandbox create --from my-registry.example.com/my-image:latest ``` -Bare names such as `base`, `openclaw`, and `ollama` resolve to images under `ghcr.io/nvidia/openshell-community/sandboxes`. Set `OPENSHELL_COMMUNITY_REGISTRY` when you need to use an internal mirror. +Bare names such as `base` and `ollama` resolve to images under `ghcr.io/nvidia/openshell-community/sandboxes`. Set `OPENSHELL_COMMUNITY_REGISTRY` when you need to use an internal mirror. Local directories and Dockerfiles require a local gateway because the CLI builds through the local Docker daemon. Use a registry image reference for remote diff --git a/docs/security/best-practices.mdx b/docs/security/best-practices.mdx index 838b5d115..6473d63d2 100644 --- a/docs/security/best-practices.mdx +++ b/docs/security/best-practices.mdx @@ -16,7 +16,7 @@ For the full policy YAML schema, refer to the [Policy Schema](/reference/policy- For the architecture of each enforcement layer, refer to [How OpenShell Works](/about/how-it-works). -If you use [NemoClaw](https://github.com/NVIDIA/NemoClaw) to run OpenClaw assistants, its [Security Best Practices](https://docs.nvidia.com/nemoclaw/latest/security/best-practices.html) guide covers additional entrypoint-level controls, policy presets, provider trust tiers, and posture profiles specific to the NemoClaw blueprint. +If you use [NemoClaw](https://github.com/NVIDIA/NemoClaw), its [Security Best Practices](https://docs.nvidia.com/nemoclaw/latest/security/best-practices.html) guide covers additional entrypoint-level controls, policy presets, provider trust tiers, and posture profiles specific to the NemoClaw blueprint. diff --git a/examples/openclaw.md b/examples/openclaw.md deleted file mode 100644 index f098e139e..000000000 --- a/examples/openclaw.md +++ /dev/null @@ -1,37 +0,0 @@ -# OpenClaw Sandbox - -## Quick start - -```sh -openshell sandbox create --forward 18789 --from openclaw -- openclaw-start -``` - -`openclaw-start` is a helper script pre-installed in the sandbox that runs the -onboarding wizard, starts the gateway as a background daemon, and prints the -access URL. - -The CLI returns automatically once the script finishes; the port -forward continues running in the background. - -Once the command completes, the gateway is accessible locally: - -- **Control UI:** http://127.0.0.1:18789/ -- **Health check:** `openclaw health` - -Note: you will need use the auth token present in the bootstrapping process to connect to the endpoint. - -## Step-by-step alternative - -### Create the sandbox - -```sh -openshell sandbox create --forward 18789 --from openclaw -``` - -Inside the sandbox, run the onboarding wizard and start the gateway: - -```sh -openclaw onboard -nohup openclaw gateway run > /tmp/gateway.log 2>&1 & -exit -``` diff --git a/rfc/0002-agent-driven-policy-management/README.md b/rfc/0002-agent-driven-policy-management/README.md index 9a1e3c4aa..992bf1bfe 100644 --- a/rfc/0002-agent-driven-policy-management/README.md +++ b/rfc/0002-agent-driven-policy-management/README.md @@ -606,7 +606,7 @@ Deliverables: - Structured deny messages that point agents to the local policy workflow. - Feedback path so agents can read operator rejection guidance and iterate on a proposal. -This is the point where the feature becomes broadly useful to OpenClaw, Claude Code, Cursor, and other agents. +This is the point where the feature becomes broadly useful to NemoClaw, Claude Code, Cursor, and other agents. ### Phase 3: Validation and simulation diff --git a/tasks/scripts/release.py b/tasks/scripts/release.py index 79cb7ab73..9e72e3bcf 100644 --- a/tasks/scripts/release.py +++ b/tasks/scripts/release.py @@ -394,7 +394,7 @@ def generate_homebrew_formula( def build_parser() -> argparse.ArgumentParser: - parser = argparse.ArgumentParser(description="OpenClaw release tooling.") + parser = argparse.ArgumentParser(description="OpenShell release tooling.") sub = parser.add_subparsers(dest="command", required=True) get_version_parser = sub.add_parser("get-version", help="Print computed version.") From 7c65f1dfebbc4ffb533850fd4efd20dbadf9d7d7 Mon Sep 17 00:00:00 2001 From: Drew Newberry Date: Fri, 22 May 2026 09:33:26 -0700 Subject: [PATCH 2/3] docs: refine OpenClaw NemoClaw references Signed-off-by: Drew Newberry --- docs/about/supported-agents.mdx | 2 +- rfc/0002-agent-driven-policy-management/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/about/supported-agents.mdx b/docs/about/supported-agents.mdx index 5f1c1e742..153eee8d3 100644 --- a/docs/about/supported-agents.mdx +++ b/docs/about/supported-agents.mdx @@ -14,7 +14,7 @@ The following table summarizes the agents that run in OpenShell sandboxes. Most | [OpenCode](https://opencode.ai/) | [`base`](https://github.com/NVIDIA/OpenShell-Community/tree/main/sandboxes/base) | Partial coverage | Pre-installed. Add `opencode.ai` endpoint and OpenCode binary paths to the policy for full functionality. | | [Codex](https://developers.openai.com/codex) | [`base`](https://github.com/NVIDIA/OpenShell-Community/tree/main/sandboxes/base) | No coverage | Pre-installed. Requires a custom policy with OpenAI endpoints and Codex binary paths. Requires `OPENAI_API_KEY`. | | [GitHub Copilot CLI](https://docs.github.com/en/copilot/github-copilot-in-the-cli) | [`base`](https://github.com/NVIDIA/OpenShell-Community/tree/main/sandboxes/base) | Full coverage | Pre-installed. Works out of the box. Requires `GITHUB_TOKEN` or `COPILOT_GITHUB_TOKEN`. | -| [NemoClaw](https://github.com/NVIDIA/NemoClaw) | [NemoClaw](https://github.com/NVIDIA/NemoClaw) | Blueprint-managed | OpenShell-backed agent stack. Follow the NemoClaw repository for setup. | +| [OpenClaw](https://openclaw.ai/) | [NemoClaw](https://github.com/NVIDIA/NemoClaw) | Blueprint-managed | Run OpenClaw more securely inside NVIDIA OpenShell with managed inference using NemoClaw. | | [Ollama](https://ollama.com/) | [`ollama`](https://github.com/NVIDIA/OpenShell-Community/tree/main/sandboxes/ollama) | Bundled | Run cloud and local models. Includes Claude Code, Codex, and OpenCode. Launch with `openshell sandbox create --from ollama`. | For base image details and `--from` usage, refer to [Sandboxes](/sandboxes/manage-sandboxes#base-sandbox-container). diff --git a/rfc/0002-agent-driven-policy-management/README.md b/rfc/0002-agent-driven-policy-management/README.md index 992bf1bfe..9a1e3c4aa 100644 --- a/rfc/0002-agent-driven-policy-management/README.md +++ b/rfc/0002-agent-driven-policy-management/README.md @@ -606,7 +606,7 @@ Deliverables: - Structured deny messages that point agents to the local policy workflow. - Feedback path so agents can read operator rejection guidance and iterate on a proposal. -This is the point where the feature becomes broadly useful to NemoClaw, Claude Code, Cursor, and other agents. +This is the point where the feature becomes broadly useful to OpenClaw, Claude Code, Cursor, and other agents. ### Phase 3: Validation and simulation From 0811d7040ed12a712a1c3540bf949a227ab0e567 Mon Sep 17 00:00:00 2001 From: Drew Newberry Date: Fri, 22 May 2026 10:26:13 -0700 Subject: [PATCH 3/3] wip --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 80329004f..c14caa413 100644 --- a/README.md +++ b/README.md @@ -191,7 +191,7 @@ The TUI gives you a live, keyboard-driven view of your gateway and sandboxes. Na Use `--from` to create sandboxes from the [OpenShell Community](https://github.com/NVIDIA/OpenShell-Community) catalog, a local directory, or a container image: ```bash -openshell sandbox create --from ollama # community catalog +openshell sandbox create --from gemini # community catalog openshell sandbox create --from ./my-sandbox-dir # local Dockerfile openshell sandbox create --from registry.io/img:v1 # container image ```