Run coding agents inside policy-controlled sandboxes.
Clovrin configures NVIDIA OpenShell baselines for teams that want Codex, Claude Code, OpenClaw, Ollama, and similar agents to run with explicit file, process, and network boundaries.
OpenShell documentation currently marks parts of the project as alpha. Treat this as an evaluation and controlled-deployment lane unless your environment has validated it.
Why OpenShell fits Clovrin
OpenShell is designed to run autonomous agents in sandboxed environments with declarative policies. That maps directly to Clovrin's approval-first thesis: useful agents, explicit boundaries, less mystery around what the system can touch.
The Clovrin offer is not "install a shiny runtime." It is a sandbox baseline with policy review, supported-agent fit, observability, and a practical runbook.
Baseline controls
- Filesystem read/write boundaries
- Network policy allowlists
- Process user and group isolation
- Agent compatibility checks
- Audit logs and denied-request review
- Runbook for policy iteration
Supported agents
Review Claude Code, Codex, OpenClaw, Ollama, OpenCode, and GitHub Copilot CLI fit before deployment.
Network policy
Define approved endpoints and binaries so agents do not get unrestricted outbound access.
Operational handoff
Document policy choices, denied requests, logs, and when to recreate a sandbox instead of hot-reloading.
Source notes
NVIDIA describes OpenShell as a sandbox runtime with declarative policies, filesystem and network controls, and supported agent images. Its docs also note alpha status on some pages, so Clovrin positions this carefully.
Sandbox agents before they become operational risk.
Evaluate OpenShell, define policies, and document the agent runtime before giving AI tools broad access.