OpenShell/snapcraft.yaml at main · NVIDIA/OpenShell · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
# SPDX-License-Identifier: Apache-2.0

name: openshell
title: OpenShell
adopt-info: openshell
summary: Safe, sandboxed runtimes for autonomous AI agents
description: |
  OpenShell provides safe, sandboxed runtimes for autonomous AI agents.
  It offers a CLI for managing gateways, sandboxes, and providers with
  policy-enforced egress routing, credential proxying, and privacy-aware
  LLM inference routing.

  The OpenShell snap ships a CLI (`openshell`), a terminal UI
  (`openshell.term`), and a managed gateway daemon (`openshell.gateway`).

  **Setup instructions**

    1. Install the Docker snap:

         sudo snap install docker

       Support for system-installed Docker is coming in snapd 2.76.

    2. Connect the required interfaces and start the gateway:

         sudo snap connect openshell:docker docker:docker-daemon
         sudo snap connect openshell:log-observe
         sudo snap connect openshell:system-observe
         sudo snap connect openshell:ssh-keys
         sudo snap start openshell.gateway

    3. Verify the gateway and register it locally:

         snap services openshell.gateway
         openshell status
         openshell gateway add http://127.0.0.1:17670 --local --name openshell-gateway

    After a snap refresh, restart the gateway to pick up the new revision:

         sudo snap restart openshell.gateway

    Restarting the gateway will interrupt active sandbox sessions. The gateway
    is not restarted automatically to avoid disconnecting running sandboxes.

base: core24
grade: stable
confinement: strict
license: Apache-2.0
website: https://docs.nvidia.com/openshell/latest/index.html
source-code: https://github.com/NVIDIA/OpenShell
issues: https://github.com/NVIDIA/OpenShell/issues
contact: https://github.com/NVIDIA/OpenShell/security/policy
platforms:
  amd64:
    build-on: [amd64]
    build-for: [amd64]
  arm64:
    build-on: [arm64]
    build-for: [arm64]

apps:
  openshell:
    command: bin/openshell
    plugs:
      - home
      - network
      - ssh-keys
      - system-observe
  term:
    command: bin/openshell term
    desktop: meta/gui/term.desktop
    plugs:
      - home
      - network
      - ssh-keys
      - system-observe
  gateway:
    command: bin/openshell-gateway-wrapper
    daemon: simple
    # refresh-mode: endure prevents snapd from restarting the gateway daemon
    # during snap refreshes, which would kill active sandbox sessions.
    # Operators must manually restart the service after a refresh if needed.
    refresh-mode: endure
    # The wrapper sets OPENSHELL_DISABLE_TLS=true and OPENSHELL_DB_URL to
    # use $SNAP_COMMON/gateway.db. If $SNAP_COMMON/gateway.toml exists it is
    # passed to the gateway as --config, allowing operators to override
    # settings without rebuilding the snap.
    environment:
      XDG_DATA_HOME: "$SNAP_COMMON"
      XDG_RUNTIME_DIR: "$SNAP_COMMON"
    plugs:
      - docker
      # Docker snap is required because the snap uses the docker:docker-daemon
      # interface slot. It does not work with system-installed Docker.
      - log-observe
      - network
      - network-bind
      - ssh-keys
      - system-observe

parts:
  openshell:
    plugin: nil
    source: ./snap/prebuilt
    override-pull: |
      craftctl default
      craftctl set version="$(cat "$CRAFT_PART_SRC/version")"
    override-build: |
      set -euo pipefail

      MISSING=()
      for bin in openshell openshell-gateway openshell-sandbox openshell-gateway-wrapper; do
        if [ ! -f "$CRAFT_PART_SRC/$bin" ]; then
          MISSING+=("$bin")
        fi
      done

      if [ ${#MISSING[@]} -gt 0 ]; then
        printf '%s\n' \
          "ERROR: snap/prebuilt/ is incomplete:" \
          "${MISSING[@]/#/'  - '}" \
          "" \
          "The snap build directory must be populated by CI before snapcraft pack." \
          >&2
        exit 1
      fi

      install -D -m 0755 "$CRAFT_PART_SRC/openshell" \
        "$CRAFT_PART_INSTALL/bin/openshell"
      install -D -m 0755 "$CRAFT_PART_SRC/openshell-gateway" \
        "$CRAFT_PART_INSTALL/bin/openshell-gateway"
      install -D -m 0755 "$CRAFT_PART_SRC/openshell-sandbox" \
        "$CRAFT_PART_INSTALL/bin/openshell-sandbox"
      install -D -m 0755 "$CRAFT_PART_SRC/openshell-gateway-wrapper" \
        "$CRAFT_PART_INSTALL/bin/openshell-gateway-wrapper"
      install -D -m 0644 "$CRAFT_PART_SRC/meta/gui/term.desktop" \
        "$CRAFT_PART_INSTALL/meta/gui/term.desktop"
      install -D -m 0644 "$CRAFT_PART_SRC/meta/gui/icon.png" \
        "$CRAFT_PART_INSTALL/meta/gui/icon.png"
      install -D -m 0644 "$CRAFT_PART_SRC/LICENSE" \
        "$CRAFT_PART_INSTALL/usr/share/doc/openshell/LICENSE"
      install -D -m 0644 "$CRAFT_PART_SRC/README.md" \
        "$CRAFT_PART_INSTALL/usr/share/doc/openshell/README.md"