# Default Policy Reference

The default policy is the policy applied when you create an OpenShell sandbox without --policy. It is defined in the deploy/docker/sandbox/dev-sandbox-policy.yaml file.

## Agent Compatibility

The following table shows how far the default policy covers common agents and what you must add for each.

| Agent | Coverage | Action Required |
|---|---|---|
| Claude Code | Full | None. Works out of the box. |
| OpenCode | Partial | Add the opencode.ai endpoint and the OpenCode binary paths. |
| Codex | None | Provide a complete custom policy with the OpenAI endpoints and the Codex binary paths. |

Important

If you run a non-Claude agent without a custom policy, the proxy denies the agent's API calls: the default policy allows only the endpoint/binary pairs listed below, and a binary it does not name cannot reach any endpoint. You must provide a policy that declares both the agent's endpoints and the binaries that are allowed to reach them.

## Default Policy Blocks

The following tables show the policy blocks pre-configured in the file.

### Filesystem, Landlock, and Process

| Section | Setting | Value |
|---|---|---|
| Filesystem | Read-only | /usr, /lib, /proc, /dev/urandom, /app, /etc, /var/log |
| Filesystem | Read-write | /sandbox, /tmp, /dev/null |
| Filesystem | Workdir included | Yes |
| Landlock | Compatibility | best_effort (uses the highest Landlock ABI the host kernel supports) |
| Process | User / Group | sandbox / sandbox |

### Network Policy Blocks

Each block pairs a set of endpoints (host and port) with a set of binaries (executable paths inside the sandbox; globs such as /sandbox/.uv/python/** are accepted). The proxy identifies the calling binary by resolving the socket to a PID through /proc/net/tcp and reading /proc/{pid}/exe. A connection is allowed only when both the destination and the calling binary match an entry in the same block; a binary listed in one block gains no access to another block's endpoints. All other outbound traffic is denied.

In the tables below, the TLS column records whether the proxy terminates TLS for that endpoint, which lets it enforce the Access and Rules columns on each request, or passes the encrypted stream through at layer 4, in which case only the host and port are checked.

#### Anthropic API and Telemetry

Allows Claude Code to reach its API, feature-flagging (Statsig), error reporting (Sentry), release notes, and the Claude platform dashboard.

| Endpoint | Port | TLS | Access |
|---|---|---|---|
| api.anthropic.com | 443 | terminate | full |
| statsig.anthropic.com | 443 | L4 passthrough | |
| sentry.io | 443 | L4 passthrough | |
| raw.githubusercontent.com | 443 | L4 passthrough | |
| platform.claude.com | 443 | L4 passthrough | |

Only the following binaries can use these endpoints: /usr/local/bin/claude, /usr/bin/node.

#### Git Clone and Fetch

Allows git clone, git fetch, and git pull over HTTPS via Git Smart HTTP. Push (git-receive-pack) is disabled by default because no rule matches it.

| Endpoint | Port | TLS | Rules |
|---|---|---|---|
| github.com | 443 | terminate | GET /**/info/refs*, POST /**/git-upload-pack |

Only the following binaries can use these endpoints: /usr/bin/git.
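The following is an added example, not OpenShell's own code, showing the matching logic the two passages above describe: resolving an accepted connection to the calling binary via /proc/net/tcp and /proc/{pid}/exe, requiring the destination and the binary to match inside the same block, and applying the git Smart HTTP method/path rules on an endpoint where TLS is terminated. The /proc/net/tcp excerpt, the inode-to-PID and PID-to-exe tables, and the hostnames the proxy is assumed to know for each connection are constructed so the script runs offline; the reading of "read-only" as GET/HEAD only is an assumption, and the policy is a transcribed subset of the page's blocks, not OpenShell's YAML.

```python
"""Added example (not OpenShell's own code): /proc/net/tcp -> inode -> exe lookup,
same-block endpoint/binary matching, and git Smart HTTP path rules.
All /proc data and the PID/exe tables are constructed."""
import re
import socket
import struct
from dataclasses import dataclass

# Constructed /proc/net/tcp excerpt. Addresses are hex, IPv4 little-endian,
# remote hosts use documentation ranges. Column 9 (0-based) is the socket inode.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A00000A:C350 076433C6:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
   1: 0A00000A:C351 097100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
"""
# Constructed stand-ins for scanning /proc/*/fd/* for "socket:[<inode>]" and for
# readlink("/proc/<pid>/exe"); a real resolver walks /proc instead.
INODE_TO_PID = {23456: 4242, 34567: 5151}
PID_TO_EXE = {4242: "/usr/local/bin/claude", 5151: "/usr/bin/curl"}


def decode_addr(field):
    """'076433C6:01BB' -> ('198.51.100.7', 443)."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text):
    entries = []
    for line in text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        entries.append({"local": decode_addr(cols[1]), "remote": decode_addr(cols[2]),
                        "state": cols[3], "inode": int(cols[9])})
    return entries


def resolve_calling_exe(entries, local_addr):
    """Map the sandbox-side (ip, port) of an accepted connection to its owning binary."""
    for e in entries:
        if e["local"] == local_addr and e["state"] == "01":  # 01 == ESTABLISHED
            pid = INODE_TO_PID.get(e["inode"])
            return PID_TO_EXE.get(pid) if pid else None
    return None  # unresolvable socket: the proxy must fail closed


def glob_to_regex(pattern):
    """'**' spans path separators, '*' does not (e.g. /sandbox/.uv/python/**)."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int = 443
    tls: str = "L4 passthrough"  # or "terminate": proxy decrypts and sees each request
    access: str = "full"         # terminate only: "full", "read-only" or "rules"
    rules: tuple = ()            # (method, path glob) pairs when access == "rules"


@dataclass(frozen=True)
class Block:
    name: str
    endpoints: tuple
    binaries: tuple  # executable path globs inside the sandbox


# A subset of the page's default blocks, transcribed into the model above.
POLICY = (
    Block("anthropic", (Endpoint("api.anthropic.com", tls="terminate"),
                        Endpoint("statsig.anthropic.com"), Endpoint("sentry.io")),
          ("/usr/local/bin/claude", "/usr/bin/node")),
    Block("git-clone-fetch", (Endpoint("github.com", tls="terminate", access="rules",
                                       rules=(("GET", "/**/info/refs*"),
                                              ("POST", "/**/git-upload-pack"))),),
          ("/usr/bin/git",)),
    Block("nvidia", (Endpoint("integrate.api.nvidia.com"),),
          ("/usr/bin/curl", "/bin/bash", "/usr/local/bin/opencode")),
    Block("github-api", (Endpoint("api.github.com", tls="terminate", access="read-only"),),
          ("/usr/local/bin/claude", "/usr/bin/gh")),
    Block("python", (Endpoint("pypi.org"), Endpoint("files.pythonhosted.org")),
          ("/usr/local/bin/uv", "/sandbox/.venv/bin/pip", "/sandbox/.uv/python/**")),
)


def evaluate(policy, exe, host, port, method=None, path=None):
    """Allow only when the destination and the calling binary match in one block."""
    if exe is None:
        return "deny", "calling binary could not be resolved"
    for block in policy:
        if not any(glob_to_regex(b).match(exe) for b in block.binaries):
            continue
        for ep in block.endpoints:
            if (ep.host, ep.port) != (host, port):
                continue
            if ep.tls != "terminate" or ep.access == "full":
                return "allow", block.name  # passthrough: host and port are all that is checked
            if ep.access == "read-only":  # assumption: read-only means GET/HEAD only
                if method in ("GET", "HEAD"):
                    return "allow", block.name
            elif any(method == m and glob_to_regex(p).match(path or "") for m, p in ep.rules):
                return "allow", block.name
    return "deny", "no block pairs this binary with this destination"


if __name__ == "__main__":
    conns = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for port in (50000, 50001):  # claude, then curl, both aiming at api.anthropic.com
        exe = resolve_calling_exe(conns, ("10.0.0.10", port))
        print(exe, evaluate(POLICY, exe, "api.anthropic.com", 443))
    print(evaluate(POLICY, "/usr/bin/git", "github.com", 443, "POST", "/o/r.git/git-receive-pack"))
```

The second loop iteration is the case that matters: /usr/bin/curl is a permitted binary in the NVIDIA block, but because it is not paired with api.anthropic.com in any block the call is denied, and git-receive-pack is denied simply because neither rule in the git block matches it. Path rules can only be applied where the proxy terminates TLS; for L4 passthrough endpoints the proxy forwards the encrypted stream and checks host and port alone.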

#### NVIDIA API Catalog

Allows outbound calls to the NVIDIA hosted inference API. Used by agents that route LLM requests through integrate.api.nvidia.com.

| Endpoint | Port | TLS | Access |
|---|---|---|---|
| integrate.api.nvidia.com | 443 | L4 passthrough | |

Only the following binaries can use these endpoints: /usr/bin/curl, /bin/bash, /usr/local/bin/opencode.

#### GitHub API (Read-Only)

Grants read-only access to the GitHub REST API. Enables issue reads, PR listing, and repository metadata lookups without allowing mutations.

| Endpoint | Port | TLS | Access |
|---|---|---|---|
| api.github.com | 443 | terminate | read-only |

Only the following binaries can use these endpoints: /usr/local/bin/claude, /usr/bin/gh.

#### Python Package Installation

Allows pip install and uv pip install to reach PyPI, python-build-standalone releases on GitHub, and downloads.python.org.

| Endpoint | Port | TLS | Access |
|---|---|---|---|
| pypi.org | 443 | L4 passthrough | |
| files.pythonhosted.org | 443 | L4 passthrough | |
| github.com | 443 | L4 passthrough | |
| objects.githubusercontent.com | 443 | L4 passthrough | |
| api.github.com | 443 | L4 passthrough | |
| downloads.python.org | 443 | L4 passthrough | |

Only the following binaries can use these endpoints: /sandbox/.venv/bin/python, /sandbox/.venv/bin/python3, /sandbox/.venv/bin/pip, /app/.venv/bin/python, /app/.venv/bin/python3, /app/.venv/bin/pip, /usr/local/bin/uv, /sandbox/.uv/python/**.

#### VS Code Remote and Marketplace

Allows VS Code Server, Remote Containers, and extension marketplace traffic so remote development sessions can download updates and extensions.

| Endpoint | Port | TLS | Access |
|---|---|---|---|
| update.code.visualstudio.com | 443 | L4 passthrough | |
| az764295.vo.msecnd.net | 443 | L4 passthrough | |
| vscode.download.prss.microsoft.com | 443 | L4 passthrough | |
| marketplace.visualstudio.com | 443 | L4 passthrough | |
| gallerycdn.vsassets.io | 443 | L4 passthrough | |

Only the following binaries can use these endpoints: /usr/bin/curl, /usr/bin/wget, /sandbox/.vscode-server/**, /sandbox/.vscode-remote-containers/**.

#### Cursor

Allows the Cursor remote server, and the curl or wget download that installs it, to reach Cursor's download and API hosts.

| Endpoint | Port | TLS | Access |
|---|---|---|---|
| cursor.blob.core.windows.net | 443 | L4 passthrough | |
| api2.cursor.sh | 443 | L4 passthrough | |
| repo.cursor.sh | 443 | L4 passthrough | |
| download.cursor.sh | 443 | L4 passthrough | |
| cursor.download.prss.microsoft.com | 443 | L4 passthrough | |

Only the following binaries can use these endpoints: /usr/bin/curl, /usr/bin/wget, /sandbox/.cursor-server/**.

#### OpenCode

Allows the OpenCode binary (installed under /usr/lib/node_modules/opencode-ai) and node to reach registry.npmjs.org, opencode.ai, and the NVIDIA hosted inference API.

| Endpoint | Port | TLS | Access |
|---|---|---|---|
| registry.npmjs.org | 443 | L4 passthrough | |
| opencode.ai | 443 | L4 passthrough | |
| integrate.api.nvidia.com | 443 | L4 passthrough | |

Only the following binaries can use these endpoints: /usr/lib/node_modules/opencode-ai/bin/.opencode, /usr/bin/node, /usr/local/bin/opencode.