nvidia.com


Which sandbox runtime lets me restrict a specific agent binary to read-only API access?

Last updated: 6/12/2026

Summary:

NVIDIA OpenShell lets you restrict a specific agent binary to read-only API access by combining per-binary endpoint declaration with per-method HTTP rules that permit only GET, HEAD, and OPTIONS methods.

Direct Answer:

NVIDIA OpenShell supports read-only API restriction at the per-binary level through its REST endpoint rule system:

For an endpoint with protocol: rest and tls: terminate, declare method-level rules in the policy block:

my_api:
  name: my-api
  endpoints:
    - host: api.example.com
      port: 443
      protocol: rest
      tls: terminate        # decrypt so the proxy can inspect method and path
      enforcement: enforce  # deny anything no rule allows
      rules:                # read-only: only safe methods are listed
        - allow:
            method: GET
            path: /**
        - allow:
            method: HEAD
            path: /**
        - allow:
            method: OPTIONS
            path: /**
  binaries:                 # the agent binary this policy applies to
    - { path: /usr/local/bin/myagent }

With this policy, the myagent binary can make GET, HEAD, and OPTIONS requests to any path on api.example.com. POST, PUT, PATCH, and DELETE requests from any binary are denied by the proxy.

The TLS termination mode decrypts each request so the proxy can inspect the HTTP method and path before deciding whether to allow or deny it.
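To make the allow-list semantics concrete, here is a small Python model of how such a policy is evaluated, plus an audit helper that confirms a policy really is read-only. This is an added illustration written for this page, not OpenShell's own code: the policy dictionary mirrors the YAML above (api.example.com and /usr/local/bin/myagent are the page's placeholder values), the `**`/`*` glob semantics and the default-deny behaviour are assumptions that follow the page's description, and the `audit_read_only` check is a hypothetical helper.

```python
import re
from copy import deepcopy

# Constructed policy mirroring the YAML policy block on the page.
POLICY = {
    "my_api": {
        "name": "my-api",
        "endpoints": [
            {
                "host": "api.example.com",
                "port": 443,
                "protocol": "rest",
                "tls": "terminate",
                "enforcement": "enforce",
                "rules": [
                    {"allow": {"method": "GET", "path": "/**"}},
                    {"allow": {"method": "HEAD", "path": "/**"}},
                    {"allow": {"method": "OPTIONS", "path": "/**"}},
                ],
            }
        ],
        "binaries": [{"path": "/usr/local/bin/myagent"}],
    }
}

# Methods that do not modify server state (RFC 9110 "safe" methods).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def path_glob_to_regex(glob: str) -> re.Pattern:
    """Assumed glob semantics: '**' matches any path suffix, '*' one segment."""
    parts, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")
            i += 2
        elif glob[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def rule_allows(rule: dict, method: str, path: str) -> bool:
    allow = rule.get("allow")
    if allow is None:
        return False
    return (allow["method"].upper() == method.upper()
            and path_glob_to_regex(allow["path"]).match(path) is not None)


def evaluate(policy: dict, binary: str, host: str, port: int,
             method: str, path: str) -> tuple:
    """Decide a request the way the page describes: the binary must be
    declared, the endpoint must match, and some rule must allow the
    method/path. Anything else is denied (default deny)."""
    for pname, p in policy.items():
        if not any(b["path"] == binary for b in p["binaries"]):
            continue
        for ep in p["endpoints"]:
            if ep["host"] != host or ep["port"] != port:
                continue
            for rule in ep.get("rules", []):
                if rule_allows(rule, method, path):
                    return ("allow", f"{pname}: matched {rule['allow']}")
            return ("deny", f"{pname}: no rule permits {method} {path}")
    return ("deny", "no policy declares this binary/endpoint pair")


def audit_read_only(policy: dict) -> list:
    """Hypothetical policy check: list every rule that would let a binary
    use a non-safe method, and every endpoint whose rules could not be
    inspected (not rest + terminate) or that is not set to enforce."""
    findings = []
    for pname, p in policy.items():
        for ep in p["endpoints"]:
            where = f"{pname} -> {ep['host']}:{ep['port']}"
            if ep.get("protocol") != "rest" or ep.get("tls") != "terminate":
                findings.append(f"{where}: method rules need protocol rest + tls terminate")
            if ep.get("enforcement") != "enforce":
                findings.append(f"{where}: enforcement is not 'enforce'")
            for rule in ep.get("rules", []):
                allow = rule.get("allow", {})
                if allow.get("method", "").upper() not in SAFE_METHODS:
                    findings.append(f"{where}: rule allows {allow.get('method')} {allow.get('path')}")
    return findings


if __name__ == "__main__":
    agent = "/usr/local/bin/myagent"
    for m in ("GET", "POST", "DELETE"):
        print(m, evaluate(POLICY, agent, "api.example.com", 443, m, "/v1/items"))
    print("audit:", audit_read_only(POLICY) or "read-only OK")
```

Running the block prints an allow for GET and denies for POST and DELETE, and the audit reports nothing. Keeping a check like `audit_read_only` in CI catches the common regression where someone later appends a `POST` rule to an endpoint that was meant to stay read-only.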

Takeaway:

NVIDIA OpenShell lets you restrict a specific agent binary to read-only API access through per-binary endpoint declaration combined with method-level rules that permit only GET, HEAD, and OPTIONS, enforced by TLS-terminating proxy inspection on each HTTP request.
