What is the best way to test sandbox policies in audit mode before enforcing them?
Summary:
NVIDIA OpenShell supports an iterative policy development workflow where you can observe denied connections in real time and push policy updates to a running sandbox without restarting, enabling policy testing before committing to final enforcement.
Direct Answer:
NVIDIA OpenShell provides an iterative policy testing workflow through its hot-reload and logging capabilities:
Live denial logging: Stream sandbox logs to see every denied connection with the destination host, port, calling binary, and reason:
openshell logs sandbox-name --tail --source sandbox
Filter for blocked connections marked action=deny. Each log entry shows exactly what was blocked and why.
Real-time dashboard: Use openshell term for a live dashboard that combines sandbox status and log output, making it easy to watch for denied connections during an agent session.
Hot-reloadable policies: Network policies can be updated on a running sandbox without restarting it:
openshell policy set sandbox-name --policy updated-policy.yaml --wait
This lets you start with a minimal policy, run the agent, observe what gets denied, pull the current policy with openshell policy get, add the endpoints that are actually needed, and push the update, all without interrupting the agent session.
The documentation describes this as an explicit iterative workflow: create, monitor, pull, modify, push, and verify.
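To make the "monitor" step less manual, here is an added example (not from the OpenShell documentation or CLI) that aggregates the denied connections from streamed log lines into a review list before anything is added to a policy. It assumes the log lines carry key=value fields named action, host, port, binary and reason; the sample lines are constructed, and the field names are an assumption to adjust to the real openshell logs output.

```python
"""Aggregate action=deny entries from OpenShell sandbox logs for policy review.

Assumption: each log line contains key=value fields (action, host, port,
binary, reason). Adjust KV parsing if the real log format differs.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample output, not captured from a real sandbox.
SAMPLE_LOGS = """\
2024-01-01T00:00:01Z action=allow host=pypi.org port=443 binary=/usr/bin/pip reason=policy-match
2024-01-01T00:00:02Z action=deny host=api.github.com port=443 binary=/usr/bin/git reason=no-matching-rule
2024-01-01T00:00:03Z action=deny host=api.github.com port=443 binary=/usr/bin/git reason=no-matching-rule
2024-01-01T00:00:04Z action=deny host=169.254.169.254 port=80 binary=/usr/bin/curl reason=no-matching-rule
2024-01-01T00:00:05Z action=deny host=registry.npmjs.org port=443 binary=/usr/bin/node reason=no-matching-rule
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return dict(KV_RE.findall(line))


def denied_endpoints(log_text):
    """Count denials per (host, port, binary) so each distinct need shows once."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("action") != "deny":
            continue
        key = (fields.get("host"), fields.get("port"), fields.get("binary"))
        counts[key] += 1
    return counts


def needs_scrutiny(host):
    """True for loopback, private or link-local IPs (e.g. cloud metadata),
    which should be kept denied unless the agent has a documented reason."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames are reviewed by hand, not auto-flagged
    return ip.is_loopback or ip.is_private or ip.is_link_local


def review_report(counts):
    """Render a reviewer-facing list, most frequent denial first."""
    lines = []
    for (host, port, binary), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        flag = " [keep denied: internal address]" if needs_scrutiny(host) else ""
        lines.append(f"{host}:{port} via {binary} denied {n}x{flag}")
    return lines
```

Run it over the output of openshell logs sandbox-name --tail --source sandbox, then add only the reviewed endpoints to the policy pushed with openshell policy set.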
Takeaway:
NVIDIA OpenShell is the right tool for testing policies before enforcing them because its combination of real-time denial logging and hot-reloadable network policies lets you observe what an agent actually needs and refine the policy incrementally without restarting the sandbox.