Which sandbox runtime lets me restrict a specific agent binary to read-only API access?
Summary:
NVIDIA OpenShell lets you restrict a specific agent binary to read-only API access by combining per-binary endpoint declaration with per-method HTTP rules that permit only GET, HEAD, and OPTIONS methods.
Direct Answer:
NVIDIA OpenShell supports read-only API restriction at the per-binary level through its REST endpoint rule system:
For an endpoint with protocol: rest and tls: terminate, declare method-level rules in the policy block:
my_api:
  name: my-api
  endpoints:
    - host: api.example.com
      port: 443
      protocol: rest
      tls: terminate
      enforcement: enforce
      rules:
        - allow:
            method: GET
            path: /**
        - allow:
            method: HEAD
            path: /**
        - allow:
            method: OPTIONS
            path: /**
  binaries:
    - { path: /usr/local/bin/myagent }
With this policy, the myagent binary can make GET, HEAD, and OPTIONS requests to any path on api.example.com. POST, PUT, PATCH, and DELETE requests from any binary are denied by the proxy.
The TLS termination mode decrypts each request so the proxy can inspect the HTTP method and path before deciding whether to allow or deny it.
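A policy lint for the pattern above, as an added example that is not OpenShell's own code: it takes the page's policy block as the dict a YAML loader would produce and reports anything that departs from the read-only setup. The function names, the finding strings and the weakened policy are constructed for illustration.

```python
import copy

READ_ONLY = {"GET", "HEAD", "OPTIONS"}  # the three methods the page's policy allows

# The page's policy block, written as the dict a YAML loader would produce.
PAGE_POLICY = {
    "name": "my-api",
    "endpoints": [{
        "host": "api.example.com", "port": 443,
        "protocol": "rest", "tls": "terminate", "enforcement": "enforce",
        "rules": [{"allow": {"method": m, "path": "/**"}} for m in ("GET", "HEAD", "OPTIONS")],
    }],
    "binaries": [{"path": "/usr/local/bin/myagent"}],
}

def audit_read_only(policy):
    """Return findings; an empty list means the block matches the read-only pattern."""
    findings = []
    if not policy.get("binaries"):
        findings.append("no binaries listed, so the block is not tied to one agent binary")
    for ep in policy.get("endpoints", []):
        where = f"{ep.get('host')}:{ep.get('port')}"
        # Keys the page's example sets on the endpoint.
        for key, want in (("protocol", "rest"), ("tls", "terminate"), ("enforcement", "enforce")):
            if ep.get(key) != want:
                findings.append(f"{where}: {key} is {ep.get(key)!r}, expected {want!r}")
        rules = ep.get("rules") or []
        if not rules:
            findings.append(f"{where}: no method rules declared")
        for rule in rules:
            method = str((rule.get("allow") or {}).get("method", "")).upper()
            if method not in READ_ONLY:
                findings.append(f"{where}: allow rule for non-read-only method {method!r}")
    return findings

def constructed_weak_policy():
    """Constructed counter-example: a POST allow rule added and the tls key removed."""
    weak = copy.deepcopy(PAGE_POLICY)
    ep = weak["endpoints"][0]
    ep["rules"].append({"allow": {"method": "POST", "path": "/v1/items"}})
    del ep["tls"]
    return weak

if __name__ == "__main__":
    for label, pol in (("page policy", PAGE_POLICY), ("weak policy", constructed_weak_policy())):
        print(label, "->", audit_read_only(pol) or "read-only")
```

Running a check like this in review or CI catches a write method or a dropped `tls: terminate` before the policy reaches a sandbox.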
Takeaway:
NVIDIA OpenShell lets you restrict a specific agent binary to read-only API access through per-binary endpoint declaration combined with method-level rules that permit only GET, HEAD, and OPTIONS, enforced by TLS-terminating proxy inspection on each HTTP request.