OpenShell Development Build

This build is automatically published on every commit to main that passes CI.

NOTE: This is a development build, not a tagged release, and may be unstable.

Quick install

curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=dev sh

OpenShell v0.0.54

OpenShell v0.0.54

Quick install

curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=v0.0.54 sh

What's Changed

• feat(telemetry): add anonymous opt-out OpenShell usage telemetry by @kirit93 in #1433
• ci(release): gate helm/oci artifact publishing on release by @krishicks in #1662
• ci(kubernetes): stabilize HA e2e setup by @TaylorMutch in #1659
• fix(gateway): place supervisor_image under podman driver TOML table by @jhjaggars in #1661
• refactor: deduplicate shared utilities across driver crates by @ericcurtin in #1660
• fix(config): reject unknown fields in nested gateway config tables by @pimlock in #1666
• feat(kubernetes): support sandbox image pull secrets by @TaylorMutch in #1671
• refactor(driver): trim compute capability response by @elezar in #1402

New Contributors

• @jhjaggars made their first contribution in #1661

Full Changelog: v0.0.53...v0.0.54

OpenShell v0.0.53

OpenShell v0.0.53

Quick install

curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=v0.0.53 sh

What's Changed

• refactor(proto): move phase and current_policy_version into status by @derekwaynecarr in #1565
• feat(python-sdk): support OIDC Bearer auth on SandboxClient by @mrunalp in #1621
• fix(helm): vendor chart dependencies before release packaging by @TaylorMutch in #1627
• fix(driver-podman): bind gateway to 0.0.0.0 in rootless mode by @jewzaam in #1623
• docs(providers): note that ANTHROPIC_API_KEY requires an API account, not a subscription by @mesutoezdil in #1542
• fix(podman): avoid host-gateway on macOS machines by @TaylorMutch in #1637
• generalize crate for multi-device PCIe passthrough by @cheese-head in #1573
• fix(sandbox): trust exact declared private endpoints by @mjamiv in #1560
• feat(policy): add agentic approval loop by @zredlined in #1528
• fix(e2e): clean up temp files in sandbox-runner on exit by @mesutoezdil in #1647
• ci(kubernetes): add HA e2e workflow by @TaylorMutch in #1598
• ci(release): use bundled Z3 for macOS gateway build by @pimlock in #1658
• fix(gateway): align package TLS bootstrap path by @TaylorMutch in #1601
• feat(tui): add PageUp/PageDown scrolling to all panes by @major in #1656

New Contributors

• @jewzaam made their first contribution in #1623
• @cheese-head made their first contribution in #1573
• @major made their first contribution in #1656

Full Changelog: v0.0.52...v0.0.53

OpenShell v0.0.52

OpenShell v0.0.52

Quick install

curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=v0.0.52 sh

What's Changed

• docs: refresh landing terminal demo and apply NVIDIA fern theme by @aschilling-nv in #1615
• build(macos): remove unused import of tracing::warn by @Cali0707 in #1619
• chore: align .python-version with mise.toml by @Cali0707 in #1618
• feat(helm): add optional PostgreSQL backing store by @sauagarwa in #1579
• docs(config): update gateway config reference by @TaylorMutch in #1624
• feat(flake): add Nix development shell by @SDAChess in #1592

New Contributors

• @aschilling-nv made their first contribution in #1615
• @Cali0707 made their first contribution in #1619
• @SDAChess made their first contribution in #1592

Full Changelog: v0.0.51...v0.0.52

OpenShell v0.0.51

OpenShell v0.0.51

Quick install

curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=v0.0.51 sh

What's Changed

• docs(kubernetes): note that Sandbox volumeClaimTemplates is immutable by @mesutoezdil in #1543
• fix(sandbox): use succinct endpoint denial reason by @krishicks in #1584
• feat(docker): add provisioning progress events by @drew in #1567
• docs(kubernetes): add RBAC section to setup page by @mesutoezdil in #1540
• Make sandbox child nproc limit configurable by @mjamiv in #1497
• fix(gateway): make readiness health checks dependency-aware by @alangou in #1328
• fix(vm): scope rootfs cache by openshell version by @drew in #1587
• fix(cli): preserve symlinks during sandbox upload by @johntmyers in #1595
• fix(core): preserve SSH gateway default ports by @TaylorMutch in #1602
• feat(server): declare gRPC auth (mode + scope + role) at the handler, enforce at the router by @mrunalp in #1596
• ci(snap): add snap release pipeline by @drew in #1600

Full Changelog: v0.0.50...v0.0.51

OpenShell v0.0.50

OpenShell v0.0.50

Quick install

curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=v0.0.50 sh

What's Changed

• refactor: deduplicate shared code across ocsf builders and driver crates by @ericcurtin in #1526
• fix(python): raise SandboxError instead of FileNotFoundError or KeyError by @mesutoezdil in #1547
• fix(scripts): replace mapfile with bash 3.2-compatible read loop in helm-k3s-local by @mesutoezdil in #1539
• docs: add macOS compiler troubleshooting by @amfred in #1569
• fix(gateway): configure local dev auth by @krishicks in #1575
• docs: add Pi as supported sandbox by @vegarsti in #1572
• fix(sandbox): add mechanistic smoke test for L4 deny and document the L4/L7 split by @mesutoezdil in #1412
• docs(readme): whitespace by @krishicks in #1578
• fix(cli): replace outdated name reference by @krishicks in #1582
• fix(sandbox): probe Landlock before build, skip on unsupported kernels by @dims in #1585
• fix(sandbox): decouple GPU baseline from network policy by @elezar in #1524

New Contributors

• @amfred made their first contribution in #1569
• @vegarsti made their first contribution in #1572
• @dims made their first contribution in #1585

Full Changelog: v0.0.49...v0.0.50

OpenShell v0.0.49

OpenShell v0.0.49

Quick install

curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=v0.0.49 sh

What's Changed

• ci: pin azure/setup-helm and helm/kind-action to commit SHAs by @mesutoezdil in #1544

Full Changelog: v0.0.48...v0.0.49

OpenShell v0.0.48

OpenShell v0.0.48

Quick install

curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=v0.0.48 sh

What's Changed

• feat(providers): derive discovery from profiles by @johntmyers in #1503
• docs: update NemoClaw/OpenClaw references by @drew in #1529
• ci: seed shared Rust caches from main by @pimlock in #1530
• fix(release): build host Linux binaries with glibc floor by @pimlock in #1490
• fix(homebrew): repair local driver bootstrap state by @TaylorMutch in #1527
• ci: install cargo-zigbuild from release binaries by @pimlock in #1533
• fix(cli): propagate --gateway-insecure to OIDC auth flows by @zanetworker in #1535
• ci(release): smoke test rpm artifacts on fedora by @pimlock in #1558
• chore(deps): bump docker/login-action from 4.1.0 to 4.2.0 by @dependabot[bot] in #1554
• chore(helm): add missing SPDX header to gateway-config template by @mesutoezdil in #1545
• ci(release): skip python rpm in gateway smoke test by @pimlock in #1559

Full Changelog: v0.0.47...v0.0.48

OpenShell v0.0.47

OpenShell v0.0.47

Quick install

curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=v0.0.47 sh

What's Changed

• fix(sandbox): skip fork-exec socket ambiguity test on SELinux by @derekwaynecarr in #1449
• fix(sandbox): allow first-label L7 host wildcards by @mjamiv in #1304
• feat(cli): add JSON/YAML output format to gateway list by @benoitf in #1500
• refactor: deduplicate repeated patterns across crates by @ericcurtin in #1499
• fix(ci): resolve mirror gate statuses for fork PRs by @pimlock in #1504
• fix(server): respect OPENSHELL_PODMAN_SOCKET env var in embedded driver by @russellb in #1483
• refactor(sandbox,driver-vm): Start moving to rustix (esp over libc unsafe) by @cgwalters in #1505
• fix(packaging): add upgrade migration docs and podman socket retry by @maxamillion in #1507
• ci: deduplicate e2e workflows by @TaylorMutch in #1512
• feat(auth): per-sandbox authentication to gateway by @TaylorMutch in #1404
• docs(sandboxes): add policy advisor guide by @johntmyers in #1480
• fix(docker): use host-gateway callbacks on macOS by @TaylorMutch in #1516
• ci(e2e): load single-arch images into kind by @TaylorMutch in #1518
• docs(rfc): add sandbox resource requirements proposal by @elezar in #1360
• ci(canary): keep helm jwt secret generation enabled by @TaylorMutch in #1521
• fix(cli): add json output for policy get by @mjamiv in #1410

Full Changelog: v0.0.46...v0.0.47

OpenShell v0.0.46

OpenShell v0.0.46

Quick install

curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=v0.0.46 sh

What's Changed

• docs(providers): add Providers v2 guide by @johntmyers in #1442
• refactor: deduplicate shared driver and provider constants by @ericcurtin in #1474
• docs(agents): add release canary testing skill by @TaylorMutch in #1440
• chore(deps): bump azure/setup-helm from 4 to 5 by @dependabot[bot] in #1468
• fix(server): add ConnectSupervisor and RelayStream to SANDBOX_METHODS by @zanetworker in #1475
• fix(ci): eliminate image-tag race between concurrent workflows by @mesutoezdil in #1413
• test(server): cover service endpoint plaintext security by @drew in #1352
• fix(cli): add auth and TLS support to completion client by @sjenning in #1489
• fix(scripts): use portable lowercase in normalize_bool for Bash 3.2 by @benoitf in #1493
• refactor(server): extract shared relay-await and sandbox-scan helpers by @ericcurtin in #1495

New Contributors

• @zanetworker made their first contribution in #1475

Full Changelog: v0.0.45...v0.0.46