Skip to content

Add article: NVIDIA OpenShell — The Sandbox Your AI Agents Should Be Running In#64

Merged
htekdev merged 2 commits intomainfrom
copilot/write-article-nvidia-openshell
Mar 23, 2026
Merged

Add article: NVIDIA OpenShell — The Sandbox Your AI Agents Should Be Running In#64
htekdev merged 2 commits intomainfrom
copilot/write-article-nvidia-openshell

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Mar 23, 2026
edited
Loading

New article covering NVIDIA OpenShell (GTC 2026), the kernel-level policy-driven sandbox runtime for autonomous AI agents, and Hector's upstream contribution adding GitHub Copilot CLI as a first-class agent provider.

Article content

  • What OpenShell enforces — four protection domains at OS level: Landlock LSM filesystem isolation, OPA-evaluated network proxy (deny-by-default), seccomp BPF syscall filtering, and private inference routing that strips caller credentials before LLM API calls
  • Policy-as-code — declarative YAML policies that hot-reload on running sandboxes; version-controlled, diff-reviewable governance
  • Hector's contribution (feat(providers): add GitHub Copilot CLI agent provider NVIDIA/OpenShell#476) — Copilot CLI agent provider: credential discovery from COPILOT_GITHUB_TOKEN/GH_TOKEN/GITHUB_TOKEN, dual-form command detection (copilot binary + gh copilot extension), scoped network policy for *.githubcopilot.com inference endpoints
  • Layer 0 framing — positions OpenShell beneath the existing hooks/gates enforcement stack, with a comparison table and internal links to related agentic DevOps articles
  • draft: true

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/htekdev/gh-hookflow/releases/latest
    • Triggering command: /usr/bin/gh gh extension install htekdev/gh-hookflow (http block)
  • telemetry.astro.build
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node node /home/REDACTED/work/htek-dev-site/htek-dev-site/node_modules/.bin/astro build (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details on the original issue you should resolve

<issue_title>Write article: NVIDIA OpenShell — The Sandbox Your AI Agents Should Be Running In</issue_title>
<issue_description>Write an article for htek.dev based on content idea htekdev/content-management#69. Research the topic thoroughly. Highlight Hector's personal contribution (PR htekdev/htek-dev-site#476 — Copilot CLI agent provider). Follow existing article format. Set draft: true.</issue_description>

Comments on the Issue (you are @copilot in this section)

⌨️ Start Copilot coding agent tasks without leaving your editor — available in VS Code, Visual Studio, JetBrains IDEs and Eclipse.

Copilot AI changed the title [WIP] Add article on NVIDIA OpenShell for AI agents Add article: NVIDIA OpenShell — The Sandbox Your AI Agents Should Be Running In Mar 23, 2026
Copilot AI requested a review from htekdev March 23, 2026 05:33
@htekdev htekdev marked this pull request as ready for review March 23, 2026 12:35
@htekdev htekdev merged commit cab3827 into main Mar 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@htekdev htekdev Awaiting requested review from htekdev

Assignees

@htekdev htekdev

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Write article: NVIDIA OpenShell — The Sandbox Your AI Agents Should Be Running In

2 participants

@htekdev