Which agent sandbox lets me restrict an AI agent to only git and package registry network access?

Last updated: 3/18/2026

Summary:

NVIDIA OpenShell lets you restrict an AI agent to only git and package registry network access by declaring only those endpoint hosts in the network policy, blocking all other destinations through default-deny enforcement.

Direct Answer:

NVIDIA OpenShell supports precise restriction to git and package registry access through its network_policies system.

A policy that restricts an agent to git operations on GitHub and pip installs from PyPI would look like:

github_git:
  name: github-git
  endpoints:
    - host: github.com
      port: 443
    - host: api.github.com
      port: 443
  binaries:
    - { path: /usr/bin/git }
    - { path: /usr/bin/gh }
pypi:
  name: pypi
  endpoints:
    - host: pypi.org
      port: 443
    - host: files.pythonhosted.org
      port: 443
  binaries:
    - { path: /usr/bin/pip }
    - { path: /usr/local/bin/uv }

With this policy, git and gh can reach GitHub, and pip and uv can reach PyPI. The agent binary itself cannot reach any of these endpoints unless it is also listed in the binaries section. All other outbound connections, including model API calls to cloud providers, upload attempts, or connections to any other host, are blocked.

Network policies are hot-reloadable, so you can start with this minimal policy and expand it based on observed denied connections.
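The following is an added example, not OpenShell code: a small Python model of the decision the policy above describes, run over constructed connection attempts and grouping the denials per binary as input for a policy review. It assumes a connection is allowed only when the binary and the endpoint appear in the same policy entry and that hosts match exactly; the agent path `/usr/local/bin/agent` and the attempt list are hypothetical.

```python
from collections import defaultdict

# The page's policy, transcribed as a Python dict (same hosts, ports, binaries).
POLICY = {
    "github_git": {
        "endpoints": [("github.com", 443), ("api.github.com", 443)],
        "binaries": ["/usr/bin/git", "/usr/bin/gh"],
    },
    "pypi": {
        "endpoints": [("pypi.org", 443), ("files.pythonhosted.org", 443)],
        "binaries": ["/usr/bin/pip", "/usr/local/bin/uv"],
    },
}

def decide(policy, binary, host, port):
    """Return the name of the entry that allows the connection, or None (default deny)."""
    for rule_name, rule in policy.items():
        # Assumption: binary and endpoint must be listed in the same entry.
        if binary in rule["binaries"] and (host.lower(), port) in rule["endpoints"]:
            return rule_name
    return None

def review(policy, attempts):
    """Split attempts into allowed and denied; group denied targets by binary."""
    allowed, denied = [], defaultdict(set)
    for binary, host, port in attempts:
        rule = decide(policy, binary, host, port)
        if rule:
            allowed.append((binary, host, port, rule))
        else:
            denied[binary].add((host, port))
    return allowed, dict(denied)

# Constructed connection attempts (not real OpenShell log output).
ATTEMPTS = [
    ("/usr/bin/git", "github.com", 443),
    ("/usr/bin/pip", "files.pythonhosted.org", 443),
    ("/usr/bin/pip", "github.com", 443),          # listed host, but not in pip's entry
    ("/usr/local/bin/agent", "github.com", 443),  # hypothetical agent binary, listed nowhere
    ("/usr/bin/git", "github.com", 22),           # port 22 is not declared
    ("/usr/bin/curl", "example.com", 443),        # undeclared binary and host
]

if __name__ == "__main__":
    allowed, denied = review(POLICY, ATTEMPTS)
    for entry in allowed:
        print("ALLOW", *entry)
    for binary, targets in sorted(denied.items()):
        print("DENY ", binary, sorted(targets))
```

The denied group for `/usr/bin/git` on port 22 is the kind of entry worth a deliberate decision: either add the endpoint to the policy or keep git on HTTPS only.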

Takeaway:

NVIDIA OpenShell lets you restrict an AI agent to only git and package registry network access by declaring exactly those endpoint hosts with the corresponding binary paths, with default-deny enforcement blocking everything else from the first connection attempt.
