
Open source control plane for NVIDIA OpenShell


ShoreGuard

Python 3.12+ · License: Apache 2.0

Open-source control plane for NVIDIA OpenShell. Manage AI agent sandboxes, gateways, and security policies from a web UI, REST API, or Terraform.


What is ShoreGuard?

NVIDIA OpenShell provides secure, sandboxed environments for autonomous AI agents — but it ships with only a CLI and terminal UI. ShoreGuard adds the missing management layer: a web-based control plane to register gateways, create sandboxes, edit policies, and approve access requests — across multiple gateways from a single dashboard.

Think of it like Rancher for Kubernetes, but for OpenShell gateways.

Why ShoreGuard?

OpenShell gives you secure sandboxes — ShoreGuard gives you control over them:

  • Visibility — see every gateway, sandbox, and policy in one dashboard instead of juggling CLI sessions
  • Guardrails — visual policy editor with revision history, so security changes are auditable, not ad-hoc
  • Approval flow — agents request network access, humans approve or deny in real-time
  • Multi-gateway — manage dev, staging, and production gateways from a single pane
  • Automation — REST API and Terraform provider for CI/CD pipelines and GitOps workflows

| Channel | Use case |
|---|---|
| Web UI | Ops teams, dashboards, approval flows |
| REST API | CI/CD pipelines, custom integrations |
| Terraform Provider | Infrastructure as Code, GitOps |

Where ShoreGuard fits

graph TB
    subgraph Orchestration
        PC[Paperclip]
    end
    subgraph Agents
        OC[OpenClaw]
        CC[Claude Code]
        CX[Codex]
    end
    subgraph Secure Runtime
        OS[NVIDIA OpenShell]
    end
    subgraph Management Plane
        SG["ShoreGuard<br/>Web UI · REST API · Terraform"]
    end
    subgraph Infrastructure
        DO[DigitalOcean / AWS / on-premise]
    end

    PC --> OC
    PC --> CC
    PC --> CX
    OC --> OS
    CC --> OS
    CX --> OS
    SG -- "gRPC / mTLS" --> OS
    OS --> DO
    SG --> DO

    style SG fill:#1a7f37,color:#fff,stroke:#1a7f37

Quick start

pip (local development)

pip install shoreguard
shoreguard --local --no-auth

Open http://localhost:8888. The --local flag enables Docker-based gateway management; the --no-auth flag skips login for development.

Docker Compose (production)

git clone https://github.com/FloHofstetter/shoreguard.git
cd shoreguard
cp .env.example .env
# Edit .env — set POSTGRES_PASSWORD and SHOREGUARD_SECRET_KEY
docker compose up -d

Open http://localhost:8888 and complete the setup wizard. See the deployment guide for TLS, reverse proxy, and production hardening.
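
A preflight check for the `.env` step above, as an added example that is not part of the ShoreGuard project: it confirms that POSTGRES_PASSWORD and SHOREGUARD_SECRET_KEY are set, are not left at a placeholder, are independent of each other, and that the file is not readable by other users. The 32-character minimum, the placeholder list, and the function names are assumptions of this example, not documented ShoreGuard requirements.

```python
import os
import stat
import sys
from pathlib import Path

# The two keys the quick start says to set before `docker compose up -d`.
REQUIRED_KEYS = ("POSTGRES_PASSWORD", "SHOREGUARD_SECRET_KEY")
MIN_LENGTH = 32  # assumed policy for this example, not a ShoreGuard rule
PLACEHOLDERS = ("changeme", "change-me", "change_me", "example", "placeholder")

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip("'\"")  # drop surrounding quotes
    return values

def check_values(values):
    """Return findings for the required secrets; an empty list means OK."""
    findings = []
    for key in REQUIRED_KEYS:
        value = values.get(key, "")
        if not value:
            findings.append(f"{key}: missing or empty")
        elif any(p in value.lower() for p in PLACEHOLDERS):
            findings.append(f"{key}: looks like a placeholder")
        elif len(value) < MIN_LENGTH:
            findings.append(f"{key}: shorter than {MIN_LENGTH} characters")
    present = [values[k] for k in REQUIRED_KEYS if values.get(k)]
    if len(present) == 2 and present[0] == present[1]:
        findings.append("both keys share one value; use independent secrets")
    return findings

def check_env(path=".env"):
    """Check the required secrets, then the file mode (POSIX only)."""
    findings = check_values(parse_env(Path(path).read_text(encoding="utf-8")))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & 0o077:
        findings.append(f"{path}: mode {mode:03o} allows group/other access")
    return findings

if __name__ == "__main__":
    problems = check_env(sys.argv[1] if len(sys.argv) > 1 else ".env")
    sys.exit("\n".join(problems) if problems else 0)
```

Run it against `.env` before `docker compose up -d`; a non-zero exit status means at least one finding was printed.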

Features

  • Gateway management — register and monitor multiple remote OpenShell gateways with health probing, descriptions, and label-based filtering
  • Sandbox wizard — step-by-step creation with agent types, images, and presets
  • Visual policy editor — network rules, filesystem paths, process settings — no YAML
  • Approval flow — review agent-requested endpoint access in real-time
  • RBAC — Admin, Operator, Viewer roles with gateway-scoped overrides
  • Docker deployment — Dockerfile + docker-compose with PostgreSQL and health probes
  • Audit log — persistent, filterable, exportable audit trail
  • Terraform provider — declarative infrastructure-as-code
  • Webhooks & Notifications — Slack, Discord, Email, and generic webhook channels with HMAC-SHA256 signing
  • Prometheus metrics: /metrics endpoint for Grafana, Datadog, and standard monitoring stacks

Documentation

Full documentation is available at flohofstetter.github.io/shoreguard.

Roadmap

Completed:

  • Multi-gateway management with health monitoring
  • RBAC — Admin, Operator, Viewer roles with gateway-scoped overrides
  • Sandbox wizard with community images and presets
  • Visual policy editor with revision history and diff viewer
  • Approval flow with real-time notifications
  • Terraform provider (separate repo)
  • Alpine.js reactive frontend with dark/light theme
  • Persistent audit log with export
  • Docker image + docker-compose with PostgreSQL
  • Health probes (/healthz, /readyz)
  • Stateless gateway routing (URL-based, no server-side selection)
  • Inference timeout configuration (OpenShell v0.0.22)
  • L7 query parameter matchers for network policies
  • Webhooks with HMAC-SHA256 signing
  • Notification channels (Slack, Discord, Email)
  • Prometheus /metrics endpoint
  • Justfile for common development tasks
  • Gateway descriptions and labels with API filtering

Planned:

  • DigitalOcean Marketplace integration
  • Paperclip adapter for agent orchestration
  • Multi-region gateway federation

Development

git clone https://github.com/FloHofstetter/shoreguard.git
cd shoreguard
uv sync --group dev
uv run shoreguard --local --no-auth

This starts ShoreGuard with SQLite, hot-reload, no login, and local gateway management. Create a gateway from the UI or use the openshell CLI.

Run checks with just:

just check    # lint + format + typecheck + tests
just dev      # start dev server
just test     # run unit tests

Or manually:

uv run ruff check . && uv run ruff format --check . && uv run pyright && uv run pytest -m 'not integration'

See the contributing guide for details.

License

Apache 2.0

Download files


Source Distribution

shoreguard-0.16.2.tar.gz (175.7 kB view details)

Uploaded Source

Built Distribution


shoreguard-0.16.2-py3-none-any.whl (251.6 kB view details)

Uploaded Python 3

File details

Details for the file shoreguard-0.16.2.tar.gz.

File metadata

  • Download URL: shoreguard-0.16.2.tar.gz
  • Upload date:
  • Size: 175.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for shoreguard-0.16.2.tar.gz
Algorithm Hash digest
SHA256 8b7bb245e4e295df412113ab5143d39e04a0727430f53fc1b48f6a75abcf8d73
MD5 3da88ec10659ffd09dbeda2f21e5937e
BLAKE2b-256 7bf475d524bf74bc22b039a59b5e5062f095f6cee8c48f3cea23345a482f1435


Provenance

The following attestation bundles were made for shoreguard-0.16.2.tar.gz:

Publisher: release.yml on FloHofstetter/shoreguard

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file shoreguard-0.16.2-py3-none-any.whl.

File metadata

  • Download URL: shoreguard-0.16.2-py3-none-any.whl
  • Upload date:
  • Size: 251.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for shoreguard-0.16.2-py3-none-any.whl
Algorithm Hash digest
SHA256 e913911d8c111f17f0c7fc6a57fa3e2260aaa953c72f87cd63024921e0e0ce5b
MD5 a545e5edd3dc6e2a146c638d3703ae93
BLAKE2b-256 d884c796a88aa8eb1eee410cda08934da031f2a719b5bf190af7ca8888736397


Provenance

The following attestation bundles were made for shoreguard-0.16.2-py3-none-any.whl:

Publisher: release.yml on FloHofstetter/shoreguard

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
