Default Policy Reference#
The default policy is the policy applied when you create an OpenShell sandbox without --policy. It is baked into the community base image (ghcr.io/nvidia/openshell-community/sandboxes/base) and defined in the community repo’s dev-sandbox-policy.yaml.
Agent Compatibility#
The following table shows the coverage of the default policy for common agents.
Agent |
Coverage |
Action Required |
|---|---|---|
Claude Code |
Full |
None. Works out of the box. |
OpenCode |
Partial |
Add |
Codex |
None |
Provide a complete custom policy with OpenAI endpoints and Codex binary paths. |
Important
If you run a non-Claude agent without a custom policy, the agent’s API calls are denied by the proxy. You must provide a policy that declares the agent’s endpoints and binaries.
Default Policy Blocks#
The default policy blocks are defined in the community base image. See the openshell-community repository for the full dev-sandbox-policy.yaml source.