diff --git a/README.md b/README.md
index 9097327f4..cba1f3a03 100644
--- a/README.md
+++ b/README.md
@@ -22,6 +22,80 @@ It also includes open source models such as [NVIDIA Nemotron](https://build.nvid
---
+## Architecture
+
+**OpenShell** is a general-purpose agent runtime. It provides sandbox containers, a credential-storing gateway, inference proxying, and policy enforcement — but no opinions about what runs inside.
+
+**NemoClaw** is an opinionated reference stack built on OpenShell. It adds:
+
+| Layer | What it provides |
+|-------|------------------|
+| **Onboarding** | Guided setup that validates credentials, selects providers, and creates a working sandbox in one command. |
+| **Blueprint** | A hardened Dockerfile with security policies, capability drops, and least-privilege network rules. |
+| **State management** | Safe migration of agent state across machines with credential stripping and integrity verification. |
+| **Messaging bridges** | Host-side processes that connect Telegram, Discord, and Slack to the sandboxed agent. |
+
+OpenShell handles *how* to sandbox an agent securely. NemoClaw handles *what* goes in the sandbox and makes the setup accessible.
+
+```mermaid
+graph LR
+ classDef nemoclaw fill:#76b900,stroke:#5a8f00,color:#fff,stroke-width:2px,font-weight:bold
+ classDef openshell fill:#1a1a1a,stroke:#1a1a1a,color:#fff,stroke-width:2px,font-weight:bold
+ classDef sandbox fill:#444,stroke:#76b900,color:#fff,stroke-width:2px,font-weight:bold
+ classDef agent fill:#f5f5f5,stroke:#e0e0e0,color:#1a1a1a,stroke-width:1px
+ classDef external fill:#f5f5f5,stroke:#e0e0e0,color:#1a1a1a,stroke-width:1px
+ classDef user fill:#fff,stroke:#76b900,color:#1a1a1a,stroke-width:2px,font-weight:bold
+
+ USER(["👤 User"]):::user
+
+ subgraph EXTERNAL["External Services"]
+ INFERENCE["Inference Provider
NVIDIA Endpoints · OpenAI
Anthropic · Ollama · vLLM"]:::external
+ MSGAPI["Messaging Platforms
Telegram · Discord · Slack"]:::external
+ INTERNET["Internet
PyPI · npm · GitHub · APIs"]:::external
+ end
+
+ subgraph HOST["Host Machine"]
+
+ subgraph NEMOCLAW["NemoClaw"]
+ direction TB
+ NCLI["CLI + Onboarding
Guided setup · provider selection
credential validation · deploy"]:::nemoclaw
+ BRIDGE["Messaging Bridges
Connect chat platforms
to sandboxed agent"]:::nemoclaw
+ BP["Blueprint
Hardened Dockerfile
Network policies · Presets
Security configuration"]:::nemoclaw
+ MIGRATE["State Management
Migration snapshots
Credential stripping
Integrity verification"]:::nemoclaw
+ end
+
+ subgraph OPENSHELL["OpenShell"]
+ direction TB
+ GW["Gateway
Credential store
Inference proxy
Policy engine
Device auth"]:::openshell
+ OSCLI["openshell CLI
provider · sandbox
gateway · policy"]:::openshell
+
+ subgraph SANDBOX["Sandbox Container 🔒"]
+ direction TB
+ AGENT["Agent
OpenClaw or any
compatible agent"]:::agent
+ PLUG["NemoClaw Plugin
Extends agent with
managed configuration"]:::sandbox
+ end
+ end
+ end
+
+ USER -->|"nemoclaw onboard
nemoclaw connect"| NCLI
+ USER -->|"Chat messages"| MSGAPI
+
+ NCLI -->|"Orchestrates"| OSCLI
+ BP -->|"Defines sandbox
shape + policies"| SANDBOX
+ MIGRATE -->|"Safe state
transfer"| SANDBOX
+
+ AGENT -->|"Inference requests
no credentials"| GW
+ GW -->|"Proxied with
credential injected"| INFERENCE
+
+ MSGAPI -->|"Bot messages"| BRIDGE
+ BRIDGE -->|"Relayed as data
via SSH"| AGENT
+
+ AGENT -.->|"Policy-gated"| INTERNET
+ GW -.->|"Enforced by
gateway"| INTERNET
+```
+
+---
+
## Quick Start
Follow these steps to get started with NemoClaw and your first sandboxed OpenClaw agent.