Skip to content

feat: add OpenShell sandbox provider extension#3469

Open
zanetworker wants to merge 4 commits into
openai:mainfrom
zanetworker:feat/openshell-sandbox-extension
Open

feat: add OpenShell sandbox provider extension#3469
zanetworker wants to merge 4 commits into
openai:mainfrom
zanetworker:feat/openshell-sandbox-extension

Conversation

@zanetworker
Copy link
Copy Markdown

@zanetworker zanetworker commented May 20, 2026
edited
Loading

Summary

Add NVIDIA OpenShell as a sandbox provider extension. OpenShell is an open-source, self-hosted sandbox runtime for AI agents with declarative YAML network policies, credential isolation, and GPU support.

The extension wraps the openshell Python SDK (sync gRPC client) via run_in_executor, following the Modal provider pattern. It implements BaseSandboxClient / BaseSandboxSession with:

  • Gateway discovery via SandboxClient.from_active_cluster() or explicit endpoint
  • Command execution via gRPC ExecSandbox RPC
  • File I/O via exec + base64 (OpenShell has no native file API)
  • Tar-based workspace persistence
  • Local path normalization (OpenShell rejects newline characters in command arguments, so the remote runtime helper cannot be used; OpenShell enforces its own filesystem policy inside the sandbox)

Files:

  • src/agents/extensions/sandbox/openshell/__init__.py — re-exports
  • src/agents/extensions/sandbox/openshell/sandbox.py — 4 classes: OpenShellSandboxClient, OpenShellSandboxSession, OpenShellSandboxClientOptions, OpenShellSandboxSessionState
  • src/agents/extensions/sandbox/__init__.py — lazy import block
  • pyproject.toml — optional openshell dependency + mypy override
  • tests/extensions/sandbox/test_openshell.py — 27 tests
  • examples/sandbox/extensions/openshell_runner.py — session-level and agent-level integration example

Test plan

  • uv run pytest tests/extensions/sandbox/test_openshell.py -v — 27/27 pass
  • make format — clean
  • make lint — clean
  • make typecheck — zero openshell-related errors
  • make tests — 4406 pass, zero openshell regressions
  • Live integration tested against a local OpenShell gateway (Docker driver): sandbox creation, exec, file read/write, workspace persistence, shutdown all verified

Issue number

Closes #3468

Checks

  • I've added new tests (if relevant)
  • I've added/updated the relevant documentation
  • I've run make lint and make format
  • I've made sure tests pass

@zanetworker
feat: add OpenShell sandbox provider extension
a97447e 
Add NVIDIA OpenShell as a sandbox provider, wrapping the `openshell`
Python SDK (sync gRPC client) via run_in_executor. Implements the
standard BaseSandboxClient/BaseSandboxSession contracts with gateway
discovery, tar-based workspace persistence, and file I/O via exec.

Closes openai#3468
@zanetworker zanetworker force-pushed the feat/openshell-sandbox-extension branch from 6664a4e to a97447e Compare May 20, 2026 11:48
@zanetworker
Copy link
Copy Markdown
Author

zanetworker commented May 20, 2026

@seratch would appreciate your review on this when you get a chance

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

feature:sandboxes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feat: add OpenShell sandbox provider extension

2 participants

@zanetworker @seratch