From 248dc22931051d8fc613a81f096e296667a83d03 Mon Sep 17 00:00:00 2001
From: Drew Newberry <anewberry@nvidia.com>
Date: Wed, 6 May 2026 23:34:04 -0700
Subject: [PATCH 1/6] docs: consolidate documentation structure

Signed-off-by: Drew Newberry <anewberry@nvidia.com>
---
 docs/about/architecture.mdx                   |  70 --------
 docs/about/get-openshell.mdx                  |  77 +++++++++
 docs/about/overview.mdx                       |  98 ++++++++++-
 docs/about/supported-agents.mdx               |   2 +-
 docs/get-started/quickstart.mdx               |  11 +-
 .../tutorials/inference-ollama.mdx            |   6 +-
 .../tutorials/local-inference-lmstudio.mdx    |   4 +-
 docs/index.mdx                                |  49 ++++--
 docs/index.yml                                |   3 +-
 docs/inference/about.mdx                      |  68 --------
 docs/reference/support-matrix.mdx             |   3 +-
 docs/sandboxes/about.mdx                      |  64 --------
 docs/sandboxes/community-sandboxes.mdx        |  99 -----------
 .../inference-routing.mdx}                    | 102 ++++++++----
 docs/sandboxes/manage-gateways.mdx            | 154 +++++-------------
 docs/sandboxes/manage-providers.mdx           |   8 +-
 docs/sandboxes/manage-sandboxes.mdx           |  75 ++++++---
 docs/sandboxes/policies.mdx                   |   6 +-
 docs/security/best-practices.mdx              |   4 +-
 19 files changed, 392 insertions(+), 511 deletions(-)
 delete mode 100644 docs/about/architecture.mdx
 create mode 100644 docs/about/get-openshell.mdx
 delete mode 100644 docs/inference/about.mdx
 delete mode 100644 docs/sandboxes/about.mdx
 delete mode 100644 docs/sandboxes/community-sandboxes.mdx
 rename docs/{inference/configure.mdx => sandboxes/inference-routing.mdx} (56%)

diff --git a/docs/about/architecture.mdx b/docs/about/architecture.mdx
deleted file mode 100644
index e1d2ff746..000000000
--- a/docs/about/architecture.mdx
+++ /dev/null
@@ -1,70 +0,0 @@
----
-# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-title: "How OpenShell Works"
-sidebar-title: "How It Works"
-description: "OpenShell architecture overview covering the gateway, sandbox, and policy engine."
-keywords: "Generative AI, Cybersecurity, AI Agents, Sandboxing, Security, Architecture"
-position: 2
----
-
-OpenShell runs sandboxes through a gateway that uses one of four compute platforms: Kubernetes, Docker, Podman, or the experimental MicroVM runtime. Each sandbox is an isolated environment managed through the gateway. Three components work together to keep agents secure.
-
-![OpenShell architecture diagram](/assets/images/architecture.svg)
-
-## Components
-
-The following table describes each component and its role in the system:
-
-| Component         | Role                                                                                                                                                                                                         |
-| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| **Gateway**       | Control-plane API that coordinates sandbox lifecycle and state, and acts as the auth boundary between clients and sandboxes.                                                                                 |
-| **Sandbox**       | Isolated runtime that includes container supervision and policy-enforced egress routing.                                                                                                                     |
-| **Policy Engine** | Policy definition and enforcement layer for filesystem, network, process, and inference constraints. Defense in depth enforces policies from the application layer down to infrastructure and kernel layers. |
-
-## How a Request Flows
-
-Every outbound connection from agent code passes through the same decision path:
-
-1. The agent process opens an outbound connection (API call, package install, git clone, and so on).
-2. The proxy inside the sandbox intercepts the connection and identifies which binary opened it.
-3. If the target is `https://inference.local`, the proxy handles it as managed inference before policy evaluation. OpenShell strips sandbox-supplied credentials, injects the configured backend credentials, and forwards the request to the managed model endpoint.
-4. For every other destination, the proxy queries the policy engine with the destination, port, and calling binary.
-5. The policy engine returns one of the following decisions. Explicit deny takes precedence over allow, and allow takes precedence over implicit deny.
-
-   | Decision          | When it applies                                                                                                                                                                                                      | Outcome                                         |
-   | ----------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------- |
-   | **Explicit Deny** | A deny rule, or a hardening rule such as server-side request forgery (SSRF) protection, a blocked control-plane port, or a Layer 7 (L7) deny, rejects the request even when an allow rule would otherwise permit it. | The connection is blocked and logged.           |
-   | **Allow**         | The destination and binary match a policy block, and no deny rule applies.                                                                                                                                           | Traffic flows directly to the external service. |
-   | **Implicit Deny** | No policy block matched.                                                                                                                                                                                             | The connection is blocked and logged.           |
-
-For REST endpoints, the proxy auto-detects Transport Layer Security (TLS) by peeking the first bytes of each tunnel. When TLS is detected, the proxy terminates it transparently using a per-sandbox ephemeral certificate authority (CA) so each HTTP request can be checked against per-method, per-path rules before forwarding. To trust a corporate or internal CA for upstream traffic, add the PEM-encoded certificate to the sandbox container's trust store at image build time.
-
-## Gateway Lifecycle
-
-OpenShell preserves gateway state in the configured gateway database. Kubernetes deployments commonly use the Helm chart's persistent volume, while standalone gateway deployments can use local storage or Postgres. Sandbox state depends on the selected compute driver and the storage configured for sandbox workloads.
-
-## Observability
-
-The sandbox emits operational decisions as Open Cybersecurity Schema Framework (OCSF) v1.7.0 structured logs. The events cover network connections, HTTP requests, SSH sessions, process lifecycle, detection findings, and configuration changes. For event classes and the JSON Lines (JSONL) export format, refer to [OCSF JSON Export](/observability/ocsf-json-export).
-
-## Deployment Modes
-
-OpenShell supports four deployment modes: Kubernetes, Docker, Podman, and MicroVM. Each mode runs or exposes a gateway, then registers that endpoint with the CLI. The gateway's compute driver determines where sandboxes run.
-
-| Mode           | Description                                                                      |
-| -------------- | -------------------------------------------------------------------------------- |
-| **Docker**     | The gateway uses Docker to create local sandbox containers.                      |
-| **Podman**     | The gateway uses a Podman-compatible container runtime, commonly rootless.       |
-| **Kubernetes** | The Helm chart deploys the gateway and configures the Kubernetes compute driver. |
-| **MicroVM**    | The gateway uses the experimental VM compute driver.                             |
-
-You can register multiple gateways and switch between them with `openshell gateway select`. For the full deployment and management workflow, refer to the [Gateways](/sandboxes/manage-gateways) section.
-
-## Next Steps
-
-Continue with one of the following:
-
-- To deploy or register a gateway, refer to [Gateways](/sandboxes/manage-gateways).
-- To create your first sandbox, refer to the [Quickstart](/get-started/quickstart).
-- To learn how OpenShell enforces isolation across all protection layers, refer to [Sandboxes](/sandboxes/about).
diff --git a/docs/about/get-openshell.mdx b/docs/about/get-openshell.mdx
new file mode 100644
index 000000000..a4d7d0fa5
--- /dev/null
+++ b/docs/about/get-openshell.mdx
@@ -0,0 +1,77 @@
+---
+# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+title: "Get OpenShell"
+sidebar-title: "Get OpenShell"
+description: "Install OpenShell, choose a sandbox runtime, and connect to a gateway."
+keywords: "Generative AI, Cybersecurity, AI Agents, Sandboxing, Installation, Setup, Gateway, Docker, Podman, MicroVM, Kubernetes"
+position: 2
+---
+
+## Installation
+
+Install OpenShell with a single command:
+
+```shell
+curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh
+```
+
+The script detects your operating system and installs the OpenShell CLI and gateway with your native package manager. It then starts the local gateway server so you can begin creating sandboxes.
+
+You can also download release artifacts directly from the [OpenShell GitHub Releases](https://github.com/NVIDIA/OpenShell/releases) page.
+
+Use `openshell status` to confirm the CLI can reach the gateway.
+
+## Supported Sandbox Runtimes
+
+OpenShell supports several local sandbox runtimes. The installer chooses a default runtime for your platform, and the gateway reads the runtime choice from its startup configuration. Sandbox commands use the same CLI workflow after the gateway is running.
+
+| Runtime | How It Is Configured | System Requirements |
+|---|---|---|
+| Podman | The gateway is configured to create rootless Podman containers through the Podman API socket. | Linux with Podman 5.x, cgroups v2, rootless networking, and an active Podman user socket. |
+| Docker | The gateway is configured to create containers through Docker Desktop or Docker Engine. | Docker Desktop or Docker Engine 28.04 or later on the gateway host. |
+| MicroVM | The gateway is configured to create VM-backed sandboxes. | Host virtualization support. MicroVM uses Hypervisor.framework on macOS, KVM on Linux, and QEMU for GPU-backed sandboxes on Linux. |
+
+For detailed runtime behavior, refer to [Gateways](/sandboxes/manage-gateways) and [Sandboxes](/sandboxes/manage-sandboxes).
+
+## macOS
+
+On macOS, the install script uses Homebrew. The Homebrew package installs the `openshell` CLI, the gateway binary, and a Homebrew-managed gateway service.
+
+The installer starts the service for you. Use Homebrew service commands when you need to inspect, restart, or stop the gateway service:
+
+```shell
+brew services list
+brew services restart openshell
+```
+
+## Linux
+
+On Fedora and RHEL, the install script uses RPM packages. The RPM installs the `openshell` CLI, the `openshell-gateway` daemon, and a systemd user service.
+
+On Debian and Ubuntu, the install script uses a Debian package. The Debian package installs the `openshell` CLI, the `openshell-gateway` daemon, VM sandbox support, and a systemd user service.
+
+The installer starts the service for you. Use systemd user commands when you need to inspect, restart, or stop the gateway service:
+
+```shell
+systemctl --user status openshell-gateway
+systemctl --user restart openshell-gateway
+journalctl --user -u openshell-gateway -f
+```
+
+To keep the user service running after logout, enable linger:
+
+```shell
+sudo loginctl enable-linger $USER
+```
+
+## Kubernetes
+
+Kubernetes deployments use the OpenShell Helm chart. For chart installation and configuration, refer to the [Helm chart README](https://github.com/NVIDIA/OpenShell/blob/main/deploy/helm/openshell/README.md).
+
+## Next Steps
+
+- To create your first sandbox, refer to the [Quickstart](/get-started/quickstart).
+- To register, select, and inspect gateways, refer to [Gateways](/sandboxes/manage-gateways).
+- To supply API keys or tokens, refer to [Manage Providers](/sandboxes/manage-providers).
+- To control what the agent can access, refer to [Policies](/sandboxes/policies).
diff --git a/docs/about/overview.mdx b/docs/about/overview.mdx
index 6255c6225..8c59e70c7 100644
--- a/docs/about/overview.mdx
+++ b/docs/about/overview.mdx
@@ -36,7 +36,7 @@ OpenShell applies defense in depth across the following policy domains.
 | Process | Blocks privilege escalation and dangerous syscalls. | Locked at sandbox creation. |
 | Inference | Reroutes model API calls to controlled backends. | Hot-reloadable at runtime. |
 
-For details, refer to [Sandbox Policies](/sandboxes/about#sandbox-policies) and [Customize Sandbox Policies](/sandboxes/policies).
+For details, refer to [Sandbox Isolation and Policies](/sandboxes/manage-sandboxes#sandbox-isolation-and-policies) and [Customize Sandbox Policies](/sandboxes/policies).
 
 ## Common Use Cases
 
@@ -51,10 +51,102 @@ OpenShell supports a range of agent deployment patterns.
 
 ---
 
+## Architecture
+
+The target architecture is built around three stable runtime components: the **CLI**, the **Gateway**, and
+the **Supervisor**.
+
+The CLI, SDK, and TUI provide user-facing access. The gateway is the
+authenticated control plane: it owns API access, durable state, policy and
+settings delivery, provider and inference configuration, and relay
+coordination. The supervisor runs inside every sandbox workload and is the local
+security boundary. It launches the agent as a restricted child process and
+enforces policy where process identity, filesystem access, network egress, and
+runtime credentials are visible.
+
+Infrastructure-specific work sits behind integration boundaries. Compute,
+credentials, control-plane identity, and sandbox identity each have a driver or
+adapter boundary so OpenShell can integrate with native runtimes, secret stores,
+identity providers, and workload identity systems without moving those concerns
+into the core gateway or sandbox model.
+
+```mermaid
+flowchart TB
+    subgraph UI["User interfaces"]
+        CLI["CLI"]
+        SDK["SDK"]
+        TUI["TUI"]
+    end
+
+    subgraph CP["Control plane"]
+        GW["Gateway core"]
+        DB[("Shared persistence")]
+        DRIVERS["Compute, credentials, and identity drivers"]
+    end
+
+    subgraph INFRA["Integrated infrastructure"]
+        RUNTIME["Docker, Podman, Kubernetes, or VM"]
+        SECRETSTORE["Secret stores"]
+        IDP["Identity providers"]
+        WORKLOADID["Workload identity"]
+    end
+
+    subgraph DP["Sandbox data plane"]
+        SUP["Supervisor"]
+        AGENT["Restricted agent process"]
+        PROXY["Policy proxy"]
+        POLICY["OPA policy engine"]
+        ROUTER["Inference router"]
+    end
+
+    CLI -->|"gRPC / HTTP"| GW
+    SDK -->|"gRPC / HTTP"| GW
+    TUI -->|"gRPC / HTTP"| GW
+    GW --> DB
+    GW --> DRIVERS
+    DRIVERS --> RUNTIME
+    DRIVERS --> SECRETSTORE
+    DRIVERS --> IDP
+    DRIVERS --> WORKLOADID
+    RUNTIME -->|"provisions workload"| SUP
+    SUP -->|"control, config, logs, relay"| GW
+    SUP -->|"spawn and restrict"| AGENT
+    AGENT -->|"ordinary egress"| PROXY
+    PROXY -->|"evaluate"| POLICY
+    PROXY -->|"allowed traffic"| EXT["External services"]
+    PROXY -->|"inference.local"| ROUTER
+    ROUTER -->|"managed inference"| MODEL["Inference backends"]
+```
+
+### Core Components
+
+| Component | Boundary |
+|---|---|
+| [Sandboxes](/sandboxes/manage-sandboxes) | Data-plane workloads that run the supervisor, launch restricted agent processes, apply local isolation, push logs, and maintain the gateway session. |
+| [Gateways](/sandboxes/manage-gateways) | Authenticated control plane that owns API access, durable state, sandbox lifecycle, settings delivery, authorization, and relay coordination. |
+| [Providers](/sandboxes/manage-providers) | Credential and provider records that map logical agent needs to platform or user-managed secrets without exposing raw credentials to the agent process. |
+| [Policies](/sandboxes/policies) | Declarative controls for filesystem access, process identity, network egress, L7 rules, credential injection, and runtime policy updates. |
+| [Inference Routing](/sandboxes/inference-routing) | Managed `https://inference.local` path that routes model traffic to configured backends while keeping provider credentials outside the sandbox. |
+
+### Gateways and Sandboxes
+
+The gateway and sandbox split control-plane authority from runtime enforcement. The gateway owns durable platform state: sandboxes, policy revisions, runtime settings, provider records, inference configuration, session records, and authorization decisions. A sandbox owns the local execution boundary: process identity, filesystem access, network egress, credential injection, local logs, and the agent child process.
+
+The relationship is supervisor initiated. Each sandbox supervisor connects outbound to a known gateway endpoint, authenticates as a sandbox workload, and keeps a live session open for control traffic and relays. This avoids requiring every compute driver to solve gateway-to-sandbox reachability through pod IPs, bridge networks, port mappings, NAT traversal, or custom tunnels.
+
+The gateway delivers desired state. The supervisor applies it locally, keeps last-known-good config when refresh fails, and leaves static isolation controls in place until the sandbox is recreated. Live operations such as config refresh, policy updates, credential delivery, log push, connect, exec, file sync, and relay setup use the same authenticated gateway-supervisor relationship.
+
+### Ecosystem Integration
+
+OpenShell integrates with infrastructure ecosystems instead of replacing them. Runtimes, schedulers, secret stores, identity providers, workload identity systems, image pipelines, storage, and GPU or device exposure remain owned by the platforms that provide them.
+
+The gateway owns OpenShell control-plane semantics: sandbox state, lifecycle ordering, policy and settings resolution, credential mapping, authorization, inference configuration, and relay coordination. Drivers translate those semantics into platform-native operations.
+
+The supervisor owns OpenShell sandbox semantics. Filesystem policy, process privilege reduction, network proxying, inference interception, credential injection, security logging, and gateway relay behavior stay consistent across Docker, Podman, Kubernetes, VM-backed sandboxes, and future integrations.
+
 ## Next Steps
 
 Explore these topics to go deeper:
 
-- To understand the components that make up the OpenShell runtime, refer to the [Architecture Overview](/about/architecture).
 - To install the CLI and create your first sandbox, refer to the [Quickstart](/get-started/quickstart).
-- To learn how OpenShell enforces isolation across all protection layers, refer to [Sandboxes](/sandboxes/about).
+- To learn how OpenShell enforces isolation across all protection layers, refer to [Sandboxes](/sandboxes/manage-sandboxes#sandbox-isolation-and-policies).
diff --git a/docs/about/supported-agents.mdx b/docs/about/supported-agents.mdx
index e65778ab9..e2b715d7b 100644
--- a/docs/about/supported-agents.mdx
+++ b/docs/about/supported-agents.mdx
@@ -17,6 +17,6 @@ The following table summarizes the agents that run in OpenShell sandboxes. All a
 | [OpenClaw](https://openclaw.ai/) | [`openclaw`](https://github.com/NVIDIA/OpenShell-Community/tree/main/sandboxes/openclaw) | Bundled | Agent orchestration layer. Launch with `openshell sandbox create --from openclaw`. |
 | [Ollama](https://ollama.com/) | [`ollama`](https://github.com/NVIDIA/OpenShell-Community/tree/main/sandboxes/ollama) | Bundled | Run cloud and local models. Includes Claude Code, Codex, and OpenCode. Launch with `openshell sandbox create --from ollama`. |
 
-More community agent sandboxes are available in the [Community Sandboxes](/sandboxes/community-sandboxes) catalog.
+For base image details and `--from` usage, refer to [Sandboxes](/sandboxes/manage-sandboxes#base-sandbox-container).
 
 For a complete support matrix, refer to the [Support Matrix](/reference/support-matrix) page.
diff --git a/docs/get-started/quickstart.mdx b/docs/get-started/quickstart.mdx
index 903133876..827f3ccbf 100644
--- a/docs/get-started/quickstart.mdx
+++ b/docs/get-started/quickstart.mdx
@@ -18,6 +18,7 @@ Before you begin, make sure you have:
 - The OpenShell CLI installed on your workstation.
 
 For a complete list of requirements, refer to [Support Matrix](/reference/support-matrix).
+If you have not chosen a runtime yet, refer to [Get OpenShell](/about/get-openshell).
 
 ## Install the OpenShell CLI
 
@@ -27,6 +28,8 @@ Run the install script:
 curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh
 ```
 
+The install script uses Homebrew, RPM, or a Debian package based on your machine. It starts the local gateway server after installation.
+
 If you prefer [uv](https://docs.astral.sh/uv/):
 
 ```shell
@@ -95,14 +98,12 @@ Run the following command to create a sandbox with OpenClaw:
 openshell sandbox create --from openclaw
 ```
 
-The `--from` flag pulls a pre-built sandbox definition from the [OpenShell Community](https://github.com/NVIDIA/OpenShell-Community) catalog.
-Each definition bundles a container image, a tailored policy, and optional skills into a single package.
+The `--from` flag pulls a pre-built sandbox container with its bundled policy and optional skills.
 </Tab>
 
-<Tab title="Community Sandbox">
+<Tab title="Base Sandbox">
 
-Use the `--from` flag to pull other OpenShell sandbox images from the [OpenShell Community](https://github.com/NVIDIA/OpenShell-Community) catalog.
-For example, to pull the `base` image, run:
+Use the `--from` flag to create a sandbox from the base container:
 
 ```shell
 openshell sandbox create --from base
diff --git a/docs/get-started/tutorials/inference-ollama.mdx b/docs/get-started/tutorials/inference-ollama.mdx
index 4fcc018a7..4a16eee01 100644
--- a/docs/get-started/tutorials/inference-ollama.mdx
+++ b/docs/get-started/tutorials/inference-ollama.mdx
@@ -206,6 +206,6 @@ openshell provider get ollama
 
 ## Next Steps
 
-- To learn more about managed inference, refer to [Index](/inference/about).
-- To configure a different self-hosted backend, refer to [Configure](/inference/configure).
-- To explore more community sandboxes, refer to [Community Sandboxes](/sandboxes/community-sandboxes).
+- To learn more about managed inference, refer to [Inference Routing](/sandboxes/inference-routing).
+- To configure a different self-hosted backend, refer to [Inference Routing](/sandboxes/inference-routing#configure-inference-routing).
+- To learn how sandbox containers are selected, refer to [Sandboxes](/sandboxes/manage-sandboxes#custom-containers).
diff --git a/docs/get-started/tutorials/local-inference-lmstudio.mdx b/docs/get-started/tutorials/local-inference-lmstudio.mdx
index 976770d1f..2d1246459 100644
--- a/docs/get-started/tutorials/local-inference-lmstudio.mdx
+++ b/docs/get-started/tutorials/local-inference-lmstudio.mdx
@@ -210,5 +210,5 @@ openshell provider get lmstudio-anthropic
 ## Next Steps
 
 - To learn more about using the LM Studio CLI, refer to [LM Studio docs](https://lmstudio.ai/docs/cli)
-- To learn more about managed inference, refer to [Index](/inference/about).
-- To configure a different self-hosted backend, refer to [Configure](/inference/configure).
+- To learn more about managed inference, refer to [Inference Routing](/sandboxes/inference-routing).
+- To configure a different self-hosted backend, refer to [Inference Routing](/sandboxes/inference-routing#configure-inference-routing).
diff --git a/docs/index.mdx b/docs/index.mdx
index 73b8d1d0b..45dc61ef5 100644
--- a/docs/index.mdx
+++ b/docs/index.mdx
@@ -36,7 +36,7 @@ uncontrolled network activity.
 
 ## Get Started
 
-Install the CLI and create your first sandbox in two commands.
+Install OpenShell and create your first sandbox in two commands.
 
 {/*Terminal demo styles live in fern/main.css — inline <style> with { } breaks MDX/acorn*/}
 <llms-ignore>
@@ -50,16 +50,33 @@ Install the CLI and create your first sandbox in two commands.
   <div className="nc-term-body">
     <div>
       <span className="nc-ps">$ </span>
-      <span>{"uv tool install -U openshell"}</span>
+      <span>
+        {
+          "curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh"
+        }
+      </span>
     </div>
     <div>
       <span className="nc-ps">$ </span>
       <span>{"openshell sandbox create "}</span>
       <span className="nc-swap">
-        <span>{"-- "}<span className="nc-hl">claude</span><span className="nc-cursor" /></span>
-        <span>{"--from "}<span className="nc-hl">openclaw</span><span className="nc-cursor" /></span>
-        <span>{"-- "}<span className="nc-hl">opencode</span><span className="nc-cursor" /></span>
-        <span>{"-- "}<span className="nc-hl">codex<span className="nc-cursor" /></span></span>
+        <span>
+          {"-- "}
+          <span className="nc-hl">claude</span>
+          <span className="nc-cursor" />
+        </span>
+        <span>
+          {"-- "}
+          <span className="nc-hl">opencode</span>
+          <span className="nc-cursor" />
+        </span>
+        <span>
+          {"-- "}
+          <span className="nc-hl">
+            codex
+            <span className="nc-cursor" />
+          </span>
+        </span>
       </span>
     </div>
   </div>
@@ -70,8 +87,8 @@ Install the CLI and create your first sandbox in two commands.
 <llms-only>
 
 ```shell
-uv tool install -U openshell
-openshell sandbox create --from openclaw
+curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh
+openshell sandbox create -- claude
 ```
 
 </llms-only>
@@ -94,7 +111,7 @@ Learn about OpenShell and its capabilities.
 
 <Card title="Quickstart" href="/get-started/quickstart">
 
-Install the CLI and create your first sandbox in two commands.
+Install OpenShell and create your first sandbox in two commands.
 
 <Badge intent="tip" minimal outlined>Tutorial</Badge>
 </Card>
@@ -113,7 +130,7 @@ Deploy gateways, create sandboxes, configure policies, providers, and community
 <Badge intent="tip" minimal outlined>Concept</Badge>
 </Card>
 
-<Card title="Inference Routing" href="/inference/about">
+<Card title="Inference Routing" href="/sandboxes/inference-routing">
 
 Keep inference traffic private by routing API calls to local or self-hosted backends.
 
@@ -147,5 +164,15 @@ Every configurable security control, its default, and the risk of changing it.
 ---
 
 <Warning title="Notice and Disclaimer">
-This software automatically retrieves, accesses or interacts with external materials. Those retrieved materials are not distributed with this software and are governed solely by separate terms, conditions and licenses. You are solely responsible for finding, reviewing and complying with all applicable terms, conditions, and licenses, and for verifying the security, integrity and suitability of any retrieved materials for your specific use case. This software is provided "AS IS", without warranty of any kind. The author makes no representations or warranties regarding any retrieved materials, and assumes no liability for any losses, damages, liabilities or legal consequences from your use or inability to use this software or any retrieved materials. Use this software and the retrieved materials at your own risk.
+  This software automatically retrieves, accesses or interacts with external
+  materials. Those retrieved materials are not distributed with this software
+  and are governed solely by separate terms, conditions and licenses. You are
+  solely responsible for finding, reviewing and complying with all applicable
+  terms, conditions, and licenses, and for verifying the security, integrity and
+  suitability of any retrieved materials for your specific use case. This
+  software is provided "AS IS", without warranty of any kind. The author makes
+  no representations or warranties regarding any retrieved materials, and
+  assumes no liability for any losses, damages, liabilities or legal
+  consequences from your use or inability to use this software or any retrieved
+  materials. Use this software and the retrieved materials at your own risk.
 </Warning>
diff --git a/docs/index.yml b/docs/index.yml
index 6453a7839..5a1039552 100644
--- a/docs/index.yml
+++ b/docs/index.yml
@@ -16,8 +16,7 @@ navigation:
   - folder: get-started/tutorials
     skip-slug: true
 - folder: sandboxes
-- folder: inference
-  title: "Inference Routing"
+  title: "How It Works"
 - folder: observability
   title: "Observability"
 - folder: reference
diff --git a/docs/inference/about.mdx b/docs/inference/about.mdx
deleted file mode 100644
index 97f951e9b..000000000
--- a/docs/inference/about.mdx
+++ /dev/null
@@ -1,68 +0,0 @@
----
-# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-title: "About Inference Routing"
-sidebar-title: "About Inference Routing"
-description: "Understand how OpenShell routes inference traffic through external endpoints and the local privacy router."
-keywords: "Generative AI, Cybersecurity, Inference Routing, Privacy, AI Agents, LLM"
-position: 1
----
-
-NVIDIA OpenShell handles inference traffic through two endpoints: `inference.local` and external endpoints.
-The following table summarizes how OpenShell handles inference traffic.
-
-| Path | How It Works |
-|---|---|
-| External endpoints | Traffic to hosts like `api.openai.com` or `api.anthropic.com` is treated like any other outbound request, allowed or denied by `network_policies`. Refer to [Policies](/sandboxes/policies). |
-| `inference.local` | A special endpoint exposed inside every sandbox for routing inference traffic locally, preserving privacy and security. The [privacy router](/about/architecture) strips the original credentials, forwards only approved inference headers, injects the configured backend credentials, and forwards to the managed model endpoint. |
-
-## How `inference.local` Works
-
-When code inside a sandbox calls `https://inference.local`, the privacy router routes the request to the configured backend for that gateway. The configured model is applied to generation requests, provider credentials are supplied by OpenShell rather than by code inside the sandbox, and only approved inference headers are forwarded upstream.
-
-If code calls an external inference host directly, that traffic is evaluated only by `network_policies`.
-
-| Property | Detail |
-|---|---|
-| Credentials | No sandbox API keys needed. Credentials come from the configured provider record. The router strips caller-supplied `Authorization` before forwarding the request. |
-| Header forwarding | `inference.local` forwards only a per-provider header allowlist. OpenAI routes allow `openai-organization` and `x-model-id`. Anthropic routes allow `anthropic-version` and `anthropic-beta`. NVIDIA routes allow `x-model-id`. All other caller headers are stripped. |
-| Configuration | One provider and one model define sandbox inference for the active gateway. Every sandbox on that gateway sees the same `inference.local` backend. |
-| Provider support | NVIDIA, any OpenAI-compatible provider, and Anthropic all work through the same endpoint. |
-| Streaming reliability | The router tolerates idle gaps of up to 120 seconds between streamed chunks so long reasoning responses are not cut off mid-stream. |
-| Hot-refresh | OpenShell picks up provider credential changes and inference updates without recreating sandboxes. Changes propagate within about 5 seconds by default. |
-
-## Supported API Patterns
-
-Supported request patterns depend on the provider configured for `inference.local`.
-
-<Tabs>
-<Tab title="OpenAI-compatible">
-
-| Pattern | Method | Path |
-|---|---|---|
-| Chat Completions | `POST` | `/v1/chat/completions` |
-| Completions | `POST` | `/v1/completions` |
-| Responses | `POST` | `/v1/responses` |
-| Model Discovery | `GET` | `/v1/models` |
-| Model Discovery | `GET` | `/v1/models/*` |
-
-</Tab>
-
-<Tab title="Anthropic-compatible">
-
-| Pattern | Method | Path |
-|---|---|---|
-| Messages | `POST` | `/v1/messages` |
-
-</Tab>
-
-</Tabs>
-
-Requests to `inference.local` that do not match the configured provider's supported patterns are denied.
-
-## Next Steps
-
-Continue with one of the following:
-
-- To set up the backend behind `inference.local`, refer to [Configure](/inference/configure).
-- To control external endpoints, refer to [Policies](/sandboxes/policies).
diff --git a/docs/reference/support-matrix.mdx b/docs/reference/support-matrix.mdx
index 9a2169178..fc5d45b29 100644
--- a/docs/reference/support-matrix.mdx
+++ b/docs/reference/support-matrix.mdx
@@ -40,7 +40,7 @@ The gateway can manage sandboxes on several compute platforms.
 | Docker | Supported for local development and single-machine gateways. | Requires Docker Desktop or Docker Engine on the gateway host. |
 | Podman | Supported for rootless local and workstation workflows. | Requires a Podman-compatible socket and rootless networking setup. |
 | Kubernetes | Supported through the Helm chart in `deploy/helm/openshell`. | Requires a Kubernetes cluster supplied by the operator. |
-| MicroVM | Experimental. | Uses the VM compute driver and libkrun-based runtime work. |
+| MicroVM | Supported for VM-backed sandboxes. | Uses the VM compute driver and libkrun-based runtime. |
 
 ## Software Prerequisites
 
@@ -53,6 +53,7 @@ Install the software for the compute platform you use:
 | Kubernetes | 1.29 | Required for Helm deployments and Kubernetes sandbox scheduling. |
 | Helm | 3.x | Required to install `deploy/helm/openshell`. |
 | kubectl | Compatible with your cluster | Required for Kubernetes operational inspection and secret creation. |
+| Host virtualization | Host dependent | Required for MicroVM-backed gateways. MicroVM uses Hypervisor.framework on macOS and KVM on Linux. |
 
 ## Sandbox Runtime Versions
 
diff --git a/docs/sandboxes/about.mdx b/docs/sandboxes/about.mdx
deleted file mode 100644
index e52346e16..000000000
--- a/docs/sandboxes/about.mdx
+++ /dev/null
@@ -1,64 +0,0 @@
----
-# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-title: "About Gateways and Sandboxes"
-sidebar-title: "About Gateways and Sandboxes"
-description: "Understand gateways, gateway types, sandbox lifecycle, supported agents, built-in default policy, and network access rules in OpenShell."
-keywords: "Generative AI, Cybersecurity, Gateway, Sandboxing, AI Agents, Security, Policy, Isolation"
-position: 1
----
-
-Every OpenShell deployment starts with a *gateway* and one or more *sandboxes*. The gateway is the control plane that manages sandbox lifecycle, providers, and policies. A sandbox is the data plane, a safe, private execution environment where an AI agent runs. Each sandbox runs with multiple layers of protection that prevent unauthorized data access, credential exposure, and network exfiltration. Protection layers include filesystem restrictions (Landlock), system call filtering (seccomp), network namespace isolation, and a privacy-enforcing HTTP CONNECT proxy.
-
-## Gateway Compute Platforms
-
-A gateway provisions sandboxes, brokers CLI requests, enforces policies, and manages provider credentials. OpenShell supports multiple compute platforms, so the gateway can run sandboxes wherever your workload requires.
-
-| Platform | Where Sandboxes Run | Best For |
-|---|---|---|
-| Docker | Containers on the gateway host | Solo development, quick iteration, and single-machine gateways. |
-| Podman | Rootless containers on the gateway host | Workstations that avoid a rootful Docker daemon. |
-| Kubernetes | Pods in an operator-managed cluster | Shared clusters and cloud environments. |
-| MicroVM | VM-backed sandboxes | Experimental stronger-isolation workflows. |
-
-All compute platforms expose the same gateway API surface. Sandboxes, policies, and providers work the same after the CLI registers the gateway endpoint. The difference is how the gateway creates sandbox workloads and how operators expose the gateway to users.
-
-<Tip>
-For local development, start a Docker-backed gateway from a source checkout with `mise run gateway:docker`, then register it with `openshell gateway add http://127.0.0.1:18080 --local --name local`.
-
-</Tip>
-
-## Sandbox Lifecycle
-
-Every sandbox moves through a defined set of phases:
-
-| Phase | Description |
-|---|---|
-| Provisioning | The runtime is setting up the sandbox environment, injecting credentials, and applying your policy. |
-| Ready | The sandbox is running. The agent process is active and all isolation layers are enforced. You can connect, sync files, and view logs. |
-| Error | Something went wrong during provisioning or execution. Check logs with `openshell logs` for details. |
-| Deleting | The sandbox is being torn down. The system releases resources and purges credentials. |
-
-## Sandbox Policies
-
-OpenShell ships a built-in policy that covers common agent workflows out of the box.
-When you create a sandbox without `--policy`, the default policy is applied. It controls three areas.
-
-| Layer | What It Controls | How It Works |
-|---|---|---|
-| Filesystem | What the agent can access on disk | Paths are split into read-only and read-write sets. [Landlock LSM](https://docs.kernel.org/security/landlock.html) enforces these restrictions at the kernel level. |
-| Network | What the agent can reach on the network | Each policy block pairs allowed destinations (host and port) with allowed binaries (executable paths). The proxy matches every outbound connection to the binary that opened it. Both must match or the connection is denied. |
-| Process | What privileges the agent has | The agent runs as an unprivileged user with seccomp filters that block dangerous system calls. No `sudo`, no `setuid`, no path to elevated privileges. |
-
-For the full breakdown of each default policy block and agent compatibility details, refer to [Default Policy](/reference/default-policy).
-
-For the full policy structure with annotated YAML examples, refer to [Policies](/sandboxes/policies).
-
-## Next Steps
-
-Continue with one of the following:
-
-- To create your first sandbox, refer to [Manage Sandboxes](/sandboxes/manage-sandboxes).
-- To supply API keys or tokens, refer to [Manage Providers](/sandboxes/manage-providers).
-- To control what the agent can access, refer to [Policies](/sandboxes/policies).
-- To use a pre-built environment, refer to the [Community Sandboxes](/sandboxes/community-sandboxes) catalog.
diff --git a/docs/sandboxes/community-sandboxes.mdx b/docs/sandboxes/community-sandboxes.mdx
deleted file mode 100644
index 32668d3e5..000000000
--- a/docs/sandboxes/community-sandboxes.mdx
+++ /dev/null
@@ -1,99 +0,0 @@
----
-# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-title: "Community Sandboxes"
-description: "Use pre-built sandboxes from the OpenShell Community catalog or contribute your own."
-keywords: "Generative AI, Cybersecurity, Community, Sandbox, Container Image, Open Source"
-position: 6
----
-
-Use pre-built sandboxes from the OpenShell Community catalog, or contribute your
-own.
-
-## What Are Community Sandboxes
-
-Community sandboxes are ready-to-use environments published in the
-[OpenShell Community](https://github.com/NVIDIA/OpenShell-Community) repository.
-Each sandbox bundles a Dockerfile, policy, optional skills, and startup scripts
-into a single package that you can launch with one command.
-
-## Current Catalog
-
-The following community sandboxes are available in the catalog.
-
-| Sandbox | Description |
-|---|---|
-| `base` | Foundational image with system tools and dev environment |
-| `ollama` | Ollama with cloud and local model support, Claude Code, OpenCode, and Codex pre-installed. Use `ollama launch` inside the sandbox to start coding agents with zero config. |
-| `openclaw` | Open agent manipulation and control |
-| `sdg` | Synthetic data generation workflows |
-
-## Use a Community Sandbox
-
-Launch a community sandbox by name with the `--from` flag:
-
-```shell
-openshell sandbox create --from openclaw
-```
-
-When you pass `--from` with a community sandbox name, the CLI:
-
-1. Resolves the name against the
-   [OpenShell Community](https://github.com/NVIDIA/OpenShell-Community) repository.
-2. Pulls the Dockerfile, policy, skills, and any startup scripts.
-3. Builds the container image locally.
-4. Creates the sandbox with the bundled configuration applied.
-
-You end up with a running sandbox whose image, policy, and tooling are all
-preconfigured by the community package.
-
-### Other Sources
-
-The `--from` flag also accepts:
-
-- Local directory paths: Point to a directory on disk that contains a
-  Dockerfile and optional policy/skills:
-
-  ```shell
-  openshell sandbox create --from ./my-sandbox-dir
-  ```
-
-- Container image references: Use an existing container image directly:
-
-  ```shell
-  openshell sandbox create --from my-registry.example.com/my-image:latest
-  ```
-
-## Contribute a Community Sandbox
-
-Each community sandbox is a directory under `sandboxes/` in the
-[OpenShell Community](https://github.com/NVIDIA/OpenShell-Community) repository.
-At minimum, a sandbox directory must contain the following files:
-
-- `Dockerfile` that defines the container image.
-- `README.md` that describes the sandbox and how to use it.
-
-You can also include the following optional files:
-
-- `policy.yaml` that defines the default policy applied when the sandbox launches.
-- `skills/` that contains agent skill definitions bundled with the sandbox.
-- Startup scripts that are any scripts the Dockerfile or entrypoint invokes.
-
-To contribute, fork the repository, add your sandbox directory, and open a pull
-request. Refer to the repository's
-[CONTRIBUTING.md](https://github.com/NVIDIA/OpenShell-Community/blob/main/CONTRIBUTING.md)
-for submission guidelines.
-
-<Note>
-The community catalog is designed to grow. If you have built a sandbox that
-supports a particular workflow (data processing, simulation, code review,
-or anything else), consider contributing it back so others can use it.
-
-</Note>
-
-## Next Steps
-
-Explore related topics:
-
-- **Need to supply API keys or tokens?** Set up [Manage Providers](/sandboxes/manage-providers) for credential management.
-- **Want to customize the sandbox policy?** Write custom rules in [Policies](/sandboxes/policies).
diff --git a/docs/inference/configure.mdx b/docs/sandboxes/inference-routing.mdx
similarity index 56%
rename from docs/inference/configure.mdx
rename to docs/sandboxes/inference-routing.mdx
index 6e4332905..1e5b5e800 100644
--- a/docs/inference/configure.mdx
+++ b/docs/sandboxes/inference-routing.mdx
@@ -1,16 +1,66 @@
 ---
 # SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
-title: "Configure Inference Routing"
-sidebar-title: "Configure Inference Routing"
-description: "Set up the managed local inference endpoint with provider credentials and model configuration."
+title: "Inference Routing"
+sidebar-title: "Inference Routing"
+description: "Understand and configure OpenShell inference routing through inference.local and external endpoints."
 keywords: "Generative AI, Cybersecurity, Inference Routing, Configuration, Privacy, LLM, Provider"
-position: 2
+position: 5
 ---
 
-This page covers the managed local inference endpoint (`https://inference.local`). External inference endpoints go through sandbox `network_policies`. Refer to [Policies](/sandboxes/policies) for details.
+OpenShell handles inference traffic through two paths: external endpoints and `inference.local`.
 
-The configuration consists of three values:
+| Path | How it works |
+|---|---|
+| External endpoints | Traffic to hosts like `api.openai.com` or `api.anthropic.com` is treated like any other outbound request, allowed or denied by `network_policies`. Refer to [Policies](/sandboxes/policies). |
+| `inference.local` | A sandbox-local HTTPS endpoint that routes model requests through the gateway. The privacy router strips sandbox-supplied credentials, forwards only approved inference headers, injects the configured backend credentials, and forwards to the managed model endpoint. |
+
+## How `inference.local` Works
+
+When code inside a sandbox calls `https://inference.local`, the privacy router routes the request to the configured backend for that gateway. The configured model is applied to generation requests, provider credentials come from OpenShell rather than from code inside the sandbox, and only approved inference headers are forwarded upstream.
+
+If code calls an external inference host directly, OpenShell evaluates that traffic only through `network_policies`.
+
+| Property | Detail |
+|---|---|
+| Credentials | No sandbox API keys needed. Credentials come from the configured provider record. The router strips caller-supplied `Authorization` before forwarding the request. |
+| Header forwarding | `inference.local` forwards only a per-provider header allowlist. OpenAI routes allow `openai-organization` and `x-model-id`. Anthropic routes allow `anthropic-version` and `anthropic-beta`. NVIDIA routes allow `x-model-id`. All other caller headers are stripped. |
+| Configuration | One provider and one model define sandbox inference for the active gateway. Every sandbox on that gateway sees the same `inference.local` backend. |
+| Provider support | NVIDIA, any OpenAI-compatible provider, and Anthropic all work through the same endpoint. |
+| Streaming reliability | The router tolerates idle gaps of up to 120 seconds between streamed chunks so long reasoning responses are not cut off mid-stream. |
+| Hot refresh | OpenShell picks up provider credential changes and inference updates without recreating sandboxes. Changes propagate within about 5 seconds by default. |
+
+## Supported API Patterns
+
+Supported request patterns depend on the provider configured for `inference.local`.
+
+<Tabs>
+<Tab title="OpenAI-compatible">
+
+| Pattern | Method | Path |
+|---|---|---|
+| Chat Completions | `POST` | `/v1/chat/completions` |
+| Completions | `POST` | `/v1/completions` |
+| Responses | `POST` | `/v1/responses` |
+| Model Discovery | `GET` | `/v1/models` |
+| Model Discovery | `GET` | `/v1/models/*` |
+
+</Tab>
+
+<Tab title="Anthropic-compatible">
+
+| Pattern | Method | Path |
+|---|---|---|
+| Messages | `POST` | `/v1/messages` |
+
+</Tab>
+</Tabs>
+
+Requests to `inference.local` that do not match the configured provider's supported patterns are denied.
+
+## Configure Inference Routing
+
+The managed local inference endpoint uses three values:
 
 | Value | Description |
 |---|---|
@@ -18,7 +68,7 @@ The configuration consists of three values:
 | Model ID | The model to use for generation requests. |
 | Timeout | Per-request timeout in seconds for upstream inference calls. Defaults to 60 seconds. |
 
-For a list of tested providers and their base URLs, refer to [Supported Inference Providers](/sandboxes/manage-providers#supported-inference-providers).
+For tested providers and base URLs, refer to [Supported Inference Providers](/sandboxes/manage-providers#supported-inference-providers).
 
 ## Create a Provider
 
@@ -64,11 +114,11 @@ openshell provider create \
 Use `--config OPENAI_BASE_URL` to point to any OpenAI-compatible server running where the gateway runs. For host-backed local inference, use `host.openshell.internal` or the host's LAN IP. Avoid `127.0.0.1` and `localhost`. Set `OPENAI_API_KEY` to a dummy value if the server does not require authentication.
 
 <Tip>
-For a self-contained setup, the Ollama community sandbox bundles Ollama inside the sandbox itself — no host-level provider needed. See [Inference Ollama](/get-started/tutorials/inference-ollama) for details.
+For a self-contained setup, the Ollama sandbox bundles Ollama inside the sandbox itself, so no host-level provider is needed. See [Inference Ollama](/get-started/tutorials/inference-ollama) for details.
 
 </Tip>
 
-Ollama also supports cloud-hosted models using the `:cloud` tag suffix (e.g., `qwen3.5:cloud`).
+Ollama also supports cloud-hosted models using the `:cloud` tag suffix, for example `qwen3.5:cloud`.
 
 </Tab>
 
@@ -81,7 +131,6 @@ openshell provider create --name anthropic-prod --type anthropic --from-existing
 This reads `ANTHROPIC_API_KEY` from your environment.
 
 </Tab>
-
 </Tabs>
 
 ## Set Inference Routing
@@ -103,9 +152,9 @@ openshell inference set \
     --timeout 300
 ```
 
-The value is in seconds. When `--timeout` is omitted (or set to `0`), the default of 60 seconds applies. Increase `--timeout` when you expect extended thinking phases so the full response completes before the request deadline.
+The value is in seconds. When `--timeout` is omitted or set to `0`, the default of 60 seconds applies. Increase `--timeout` when you expect extended thinking phases so the full response completes before the request deadline.
 
-## Verify the Active Config
+## Inspect and Update the Config
 
 Confirm that the provider and model are set correctly:
 
@@ -119,23 +168,11 @@ Gateway inference:
   Version: 1
 ```
 
-## Update Part of the Config
-
 Use `update` when you want to change only one field:
 
 ```shell
 openshell inference update --model nvidia/nemotron-3-nano-30b-a3b
-```
-
-Or switch providers without repeating the current model:
-
-```shell
 openshell inference update --provider openai-prod
-```
-
-Or change only the timeout:
-
-```shell
 openshell inference update --timeout 120
 ```
 
@@ -154,21 +191,19 @@ response = client.chat.completions.create(
 )
 ```
 
-The client-supplied `model` and `api_key` values are not sent upstream. The privacy router injects the real credentials from the configured provider and rewrites the model before forwarding. Caller-supplied `Authorization` and other non-allowlisted headers are stripped; only a per-provider header allowlist reaches the upstream endpoint. For the exact allowlist, refer to [About Inference Routing](/inference/about).
-
-Some SDKs require a non-empty API key even though `inference.local` does not use the sandbox-provided value. In those cases, pass any placeholder such as `test` or `unused`.
+The client-supplied `model` and `api_key` values are not sent upstream. The privacy router injects the real credentials from the configured provider and rewrites the model before forwarding. Some SDKs require a non-empty API key even though `inference.local` does not use the sandbox-provided value. In those cases, pass any placeholder such as `test` or `unused`.
 
 Use this endpoint when inference should stay local to the host for privacy and security reasons. External providers that should be reached directly belong in `network_policies` instead.
 
 When the upstream runs on the same machine as the gateway, bind it to `0.0.0.0` and point the provider at `host.openshell.internal` or the host's LAN IP. `127.0.0.1` and `localhost` usually fail because the request originates from the gateway or sandbox runtime, not from your shell.
 
-If the gateway runs on a remote host or behind a cloud deployment, `host.openshell.internal` points to that remote machine, not to your laptop. A locally running Ollama or vLLM process is not reachable from a remote gateway unless you add your own tunnel or shared network path. Ollama also supports cloud-hosted models that do not require local hardware.
+If the gateway runs on a remote host or behind a cloud deployment, `host.openshell.internal` points to that remote machine, not to your laptop. A locally running Ollama or vLLM process is not reachable from a remote gateway unless you add your own tunnel or shared network path.
 
-### Verify the Endpoint from a Sandbox
+## Verify from a Sandbox
 
 `openshell inference set` and `openshell inference update` verify the resolved upstream endpoint by default before saving the configuration. If the endpoint is not live yet, retry with `--no-verify` to persist the route without the probe.
 
-`openshell inference get` confirms the current saved configuration. To confirm end-to-end connectivity from a sandbox, run:
+To confirm end-to-end connectivity from a sandbox, run:
 
 ```shell
 curl https://inference.local/v1/responses \
@@ -187,10 +222,7 @@ A successful response confirms the privacy router can reach the configured backe
 
 ## Next Steps
 
-Explore related topics:
-
-- To understand the inference routing flow and supported API patterns, refer to [Index](/inference/about).
 - To follow a complete Ollama-based local setup, refer to [Inference Ollama](/get-started/tutorials/inference-ollama).
-- To follow a complete LM Studio-based local setup, refer to [Local Inference Lmstudio](/get-started/tutorials/local-inference-lmstudio).
+- To follow a complete LM Studio-based local setup, refer to [Local Inference LM Studio](/get-started/tutorials/local-inference-lmstudio).
 - To control external endpoints, refer to [Policies](/sandboxes/policies).
-- To manage provider records, refer to [Manage Providers](/sandboxes/manage-providers).
+- To manage provider records, refer to [Providers](/sandboxes/manage-providers).
diff --git a/docs/sandboxes/manage-gateways.mdx b/docs/sandboxes/manage-gateways.mdx
index f12f6951c..c2ab9b9ae 100644
--- a/docs/sandboxes/manage-gateways.mdx
+++ b/docs/sandboxes/manage-gateways.mdx
@@ -1,11 +1,11 @@
 ---
 # SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
-title: "Deploy and Manage Gateways"
+title: "Manage Gateways"
 sidebar-title: "Gateways"
-description: "Deploy or register OpenShell gateways, choose a compute platform, and manage multiple gateway environments."
-keywords: "Generative AI, Cybersecurity, Gateway, Deployment, Docker, Podman, Kubernetes, Helm, MicroVM, CLI"
-position: 3
+description: "Register OpenShell gateways, switch between environments, inspect gateway status, and troubleshoot gateway access."
+keywords: "Generative AI, Cybersecurity, Gateway, Docker, Podman, Kubernetes, MicroVM, CLI"
+position: 2
 ---
 
 The gateway is the control plane for OpenShell. All control-plane traffic between the CLI and running sandboxes flows through the gateway.
@@ -18,117 +18,25 @@ The gateway is responsible for:
 - Managing inference configuration and serving inference bundles so sandboxes can route requests to the correct backend.
 - Providing the SSH tunnel endpoint so you can connect to sandboxes without exposing them directly.
 
-OpenShell separates gateway access from the compute platform that runs sandboxes. The CLI talks to a gateway endpoint. The gateway then uses a configured compute driver to create sandboxes on Kubernetes, Docker, Podman, or the experimental MicroVM runtime.
+OpenShell separates gateway access from the compute platform that runs sandboxes. Use [Get OpenShell](/about/get-openshell) to install OpenShell, choose a runtime, and start a gateway. This page covers working with gateway entries after a gateway exists.
 
-## Choose a Compute Platform
+## Gateway Compute Platforms
 
-Use the compute platform that matches where you want sandboxes to run.
+A gateway provisions sandboxes on the compute platform configured for that gateway.
 
-| Platform | Deployment shape | Typical use |
+| Platform | Where sandboxes run | Best for |
 |---|---|---|
-| Docker | Gateway process or container talks to a Docker daemon. | Local development, single-machine evaluation, and quick driver testing. |
-| Podman | Gateway uses rootless Podman-compatible container execution. | Workstations that avoid a rootful Docker daemon. |
-| Kubernetes | Gateway runs from the Helm chart and manages sandbox pods. | Shared clusters, cloud environments, and team infrastructure. |
-| MicroVM | Gateway uses the VM compute driver. | Experimental stronger-isolation workflows. |
+| Docker | Containers on the gateway host. | Solo development, quick iteration, and single-machine gateways. |
+| Podman | Rootless containers on the gateway host. | Workstations that avoid a rootful Docker daemon. |
+| Kubernetes | Pods in an operator-managed cluster. | Shared clusters and cloud environments. |
+| MicroVM | VM-backed sandboxes. | Workflows that need VM-backed isolation. |
 
-All platforms expose the same CLI workflow after the gateway endpoint is registered.
+All compute platforms expose the same gateway API surface. Sandboxes, policies, and providers work the same after the CLI registers the gateway endpoint. The difference is how the gateway creates sandbox workloads and how operators expose the gateway to users.
 
-## Run a Local Docker-Backed Gateway
+<Tip>
+For runtime setup, including Docker, Podman, MicroVM, and Kubernetes paths, refer to [Get OpenShell](/about/get-openshell).
 
-From a source checkout, use the Docker-backed development gateway for local evaluation:
-
-```shell
-git clone https://github.com/NVIDIA/OpenShell.git
-cd OpenShell
-mise trust
-mise run gateway:docker
-```
-
-In another terminal, register the gateway:
-
-```shell
-openshell gateway add http://127.0.0.1:18080 --local --name local
-openshell status
-```
-
-Use this path when you are testing the CLI, policy behavior, sandbox images, or Docker driver changes on one machine.
-
-## Deploy with Helm
-
-Use Helm when the gateway should run on a Kubernetes cluster you manage. Run these commands from a checkout of the OpenShell repository so Helm can read `deploy/helm/openshell`.
-
-Create the namespace and the SSH handshake secret required by sandbox relay:
-
-```shell
-kubectl create namespace openshell --dry-run=client -o yaml | kubectl apply -f -
-kubectl -n openshell create secret generic openshell-ssh-handshake \
-  --from-literal=secret="$(openssl rand -hex 32)" \
-  --dry-run=client -o yaml | kubectl apply -f -
-```
-
-For TLS-enabled deployments, create the mTLS secrets described in [Gateway Authentication](/reference/gateway-auth) before installing. Then install the chart:
-
-```shell
-helm upgrade --install openshell ./deploy/helm/openshell \
-  --namespace openshell
-```
-
-Wait for the gateway:
-
-```shell
-kubectl -n openshell rollout status statefulset/openshell
-```
-
-For local evaluation on a trusted workstation, you can disable TLS and use `kubectl port-forward`:
-
-```shell
-helm upgrade --install openshell ./deploy/helm/openshell \
-  --namespace openshell \
-  --set service.type=ClusterIP \
-  --set server.disableTls=true \
-  --set server.grpcEndpoint=http://openshell.openshell.svc.cluster.local:8080
-```
-
-Start a local port-forward:
-
-```shell
-kubectl -n openshell port-forward svc/openshell 8080:8080
-```
-
-In another terminal, register the gateway:
-
-```shell
-openshell gateway add http://127.0.0.1:8080 --local --name local
-openshell status
-```
-
-<Warning>
-Plaintext mode should be limited to local port-forwarding or a trusted private path. For shared environments, keep TLS enabled and terminate public traffic at your ingress, load balancer, or access proxy.
-</Warning>
-
-## Configure Chart Values
-
-The most commonly changed values are:
-
-| Value | Purpose |
-|---|---|
-| `image.repository` / `image.tag` | Gateway image. Defaults to `ghcr.io/nvidia/openshell/gateway:latest`. |
-| `service.type` | Kubernetes service type for the gateway. Use `ClusterIP`, `NodePort`, or your platform default. |
-| `server.dbUrl` | Gateway database URL. Defaults to SQLite on the chart-managed persistent volume. |
-| `server.sandboxNamespace` | Namespace where sandbox resources are created. |
-| `server.sandboxImage` | Default sandbox image used when a sandbox does not specify one. |
-| `server.grpcEndpoint` | Endpoint that sandbox supervisors use to call back to the gateway. |
-| `server.sshGatewayHost` / `server.sshGatewayPort` | Public host and port returned to CLI clients for SSH proxy connections. |
-| `server.disableTls` | Run the gateway over plaintext HTTP. Use only behind a trusted transport. |
-| `server.tls.*` | Secret names for server and client mTLS materials. |
-
-Use a values file for repeatable deployments:
-
-```shell
-helm upgrade --install openshell ./deploy/helm/openshell \
-  --namespace openshell \
-  --values values.yaml
-```
+</Tip>
 
 ## Register an Existing Gateway
 
@@ -176,7 +84,15 @@ Override the active gateway for a single command with `-g`:
 openshell status -g staging
 ```
 
-Show gateway details:
+## Inspect Gateway Status
+
+Use `openshell status` for a quick health check:
+
+```shell
+openshell status
+```
+
+Use `openshell gateway info` when you need the registered endpoint, gateway metadata, or runtime details:
 
 ```shell
 openshell gateway info
@@ -192,23 +108,27 @@ openshell status
 openshell gateway info
 ```
 
-For Docker-backed local gateways, inspect the process or container started by your local workflow:
+For Docker-backed local gateways, inspect Docker and the gateway process or container started by your local workflow:
 
 ```shell
-mise run gateway:docker
-openshell status
+openshell doctor check
+openshell gateway info
 ```
 
-For Kubernetes gateways, inspect the Helm release and gateway workload:
+For Kubernetes gateways, inspect the gateway workload and cluster events:
 
 ```shell
 kubectl -n openshell get pods
 kubectl -n openshell logs statefulset/openshell
-helm -n openshell get values openshell
-helm -n openshell status openshell
+kubectl -n openshell get events --sort-by=.lastTimestamp
 ```
 
-For Podman or MicroVM gateways, inspect the driver-specific gateway logs and confirm the gateway endpoint is reachable with `openshell status`.
+For Podman or MicroVM gateways managed by systemd, inspect the user service and logs:
+
+```shell
+systemctl --user status openshell-gateway
+journalctl --user -u openshell-gateway --no-pager -n 50
+```
 
 For sandbox startup failures, inspect the selected compute platform:
 
@@ -221,5 +141,5 @@ For sandbox startup failures, inspect the selected compute platform:
 
 ## Next Steps
 
+- To install OpenShell and choose a runtime, refer to [Get OpenShell](/about/get-openshell).
 - To create a sandbox using the gateway, refer to [Manage Sandboxes](/sandboxes/manage-sandboxes).
-- To install the CLI and get started quickly, refer to the [Quickstart](/get-started/quickstart).
diff --git a/docs/sandboxes/manage-providers.mdx b/docs/sandboxes/manage-providers.mdx
index b85ac6bae..c790d0881 100644
--- a/docs/sandboxes/manage-providers.mdx
+++ b/docs/sandboxes/manage-providers.mdx
@@ -5,7 +5,7 @@ title: "Providers"
 sidebar-title: "Providers"
 description: "Create and manage credential providers that inject API keys and tokens into OpenShell sandboxes."
 keywords: "Generative AI, Cybersecurity, Providers, Credentials, API Keys, Sandbox, Security"
-position: 4
+position: 3
 ---
 
 AI agents typically need credentials to access external services: an API key for the AI model provider, a token for GitHub or GitLab, and so on. OpenShell manages these credentials as first-class entities called *providers*.
@@ -178,7 +178,7 @@ The following provider types are supported.
 | `github` | `GITHUB_TOKEN`, `GH_TOKEN` | GitHub API, `gh` CLI — refer to [GitHub Sandbox](/get-started/tutorials/github-sandbox) |
 | `gitlab` | `GITLAB_TOKEN`, `GLAB_TOKEN`, `CI_JOB_TOKEN` | GitLab API, `glab` CLI |
 | `nvidia` | `NVIDIA_API_KEY` | NVIDIA API Catalog |
-| `openai` | `OPENAI_API_KEY` | Any OpenAI-compatible endpoint. Set `--config OPENAI_BASE_URL` to point to the provider. Refer to [Configure](/inference/configure). |
+| `openai` | `OPENAI_API_KEY` | Any OpenAI-compatible endpoint. Set `--config OPENAI_BASE_URL` to point to the provider. Refer to [Inference Routing](/sandboxes/inference-routing). |
 | `opencode` | `OPENCODE_API_KEY`, `OPENROUTER_API_KEY`, `OPENAI_API_KEY` | opencode tool |
 
 <Tip>
@@ -202,12 +202,12 @@ The following providers have been tested with `inference.local`. Any provider th
 | Ollama (local) | `ollama` | `openai` | `http://host.openshell.internal:11434/v1` | `OPENAI_API_KEY` |
 | LM Studio (local) | `lmstudio` | `openai` | `http://host.openshell.internal:1234/v1` | `OPENAI_API_KEY` |
 
-Refer to your provider's documentation for the correct base URL, available models, and API key setup. To configure inference routing, refer to [Configure](/inference/configure).
+Refer to your provider's documentation for the correct base URL, available models, and API key setup. To configure inference routing, refer to [Inference Routing](/sandboxes/inference-routing).
 
 ## Next Steps
 
 Explore related topics:
 
 - To control what the agent can access, refer to [Policies](/sandboxes/policies).
-- To use a pre-built environment, refer to the [Community Sandboxes](/sandboxes/community-sandboxes) catalog.
+- To use the base sandbox container, refer to [Sandboxes](/sandboxes/manage-sandboxes#base-sandbox-container).
 - To view the complete field reference for the policy YAML, refer to the [Policy Schema Reference](/reference/policy-schema).
diff --git a/docs/sandboxes/manage-sandboxes.mdx b/docs/sandboxes/manage-sandboxes.mdx
index e4d9b4cd0..a1383caee 100644
--- a/docs/sandboxes/manage-sandboxes.mdx
+++ b/docs/sandboxes/manage-sandboxes.mdx
@@ -3,16 +3,15 @@
 # SPDX-License-Identifier: Apache-2.0
 title: "Manage Sandboxes"
 sidebar-title: "Sandboxes"
-description: "Set up gateways, create sandboxes, and manage the full sandbox lifecycle."
+description: "Create sandboxes, understand sandbox isolation, and manage the full sandbox lifecycle."
 keywords: "Generative AI, Cybersecurity, Gateway, Sandboxing, AI Agents, Sandbox Management, CLI"
-position: 2
+position: 1
 ---
 
-This page covers creating sandboxes and managing them. For background on what sandboxes are and how isolation works, refer to [About Sandboxes](/sandboxes/about).
+A sandbox is the OpenShell data plane: a safe, private execution environment where an AI agent runs. Each sandbox combines runtime isolation with OpenShell policy controls that prevent unauthorized data access, credential exposure, and network exfiltration.
 
 <Info>
-You need an active gateway before creating a sandbox. Docker-backed gateways require Docker to be running. Podman, Kubernetes, and MicroVM-backed gateways require their respective runtime or cluster to be reachable from the gateway.
-
+You need an active gateway before creating a sandbox.
 </Info>
 
 ## Create a Sandbox
@@ -30,10 +29,6 @@ openshell gateway add http://127.0.0.1:18080 --local --name local
 openshell gateway select local
 ```
 
-### Remote Gateways
-
-If you plan to run sandboxes on a remote host, Kubernetes cluster, or cloud-hosted gateway, set up the gateway first. Refer to [Manage Gateways](/sandboxes/manage-gateways) for deployment options and multi-gateway management.
-
 ### GPU Resources
 
 To request GPU resources, add `--gpu`:
@@ -48,35 +43,34 @@ updated Docker daemon capability.
 
 ### Custom Containers
 
-Use `--from` to create a sandbox from a pre-built community package, a local directory, or a container image:
+Use `--from` to create a sandbox from the base image, another pre-built sandbox name, a local directory, or a container image:
 
 ```shell
+openshell sandbox create --from base
 openshell sandbox create --from openclaw
+openshell sandbox create --from ollama
 openshell sandbox create --from ./my-sandbox-dir
 openshell sandbox create --from my-registry.example.com/my-image:latest
 ```
 
-The CLI resolves community names against the [OpenShell Community](https://github.com/NVIDIA/OpenShell-Community) catalog, pulls the bundled Dockerfile and policy, builds the image locally, and creates the sandbox. For the full catalog and how to contribute your own, refer to [Community Sandboxes](/sandboxes/community-sandboxes).
+Bare names such as `base`, `openclaw`, and `ollama` resolve to images under `ghcr.io/nvidia/openshell-community/sandboxes`. Set `OPENSHELL_COMMUNITY_REGISTRY` when you need to use an internal mirror.
 
 Local directories and Dockerfiles require a local gateway because the CLI builds
 through the local Docker daemon. Use a registry image reference for remote
 gateways.
 
-### Label a Sandbox
+## Base Sandbox Container
 
-Attach labels when you create a sandbox to track ownership, environment, or workflow grouping:
+The `base` sandbox container is the default runtime image for standard OpenShell sandboxes unless the gateway overrides its default sandbox image. It is published as `ghcr.io/nvidia/openshell-community/sandboxes/base:latest` and maintained in the [OpenShell Community](https://github.com/NVIDIA/OpenShell-Community/tree/main/sandboxes/base) repository.
 
-```shell
-openshell sandbox create --label env=dev --label team=platform -- claude
-```
-
-List only the sandboxes that match a label selector:
+The base container includes common development tooling, supported agent CLIs, and the default sandbox policy. Use it when you want a general-purpose agent environment without a workflow-specific image:
 
 ```shell
-openshell sandbox list --selector env=dev
-openshell sandbox list --selector env=dev,team=platform
+openshell sandbox create --from base
 ```
 
+For default policy coverage by agent, refer to [Default Policy](/reference/default-policy). For the supported agent list, refer to [Supported Agents](/about/supported-agents).
+
 ## Connect to a Sandbox
 
 Open an SSH session into a running sandbox:
@@ -128,6 +122,21 @@ OpenShell allocates a TTY automatically when both stdin and stdout are terminals
 | `--tty` | Force TTY allocation. |
 | `--no-tty` | Disable TTY allocation even when attached to a terminal. |
 
+## Label a Sandbox
+
+Attach labels when you create a sandbox to track ownership, environment, or workflow grouping:
+
+```shell
+openshell sandbox create --label env=dev --label team=platform -- claude
+```
+
+List only the sandboxes that match a label selector:
+
+```shell
+openshell sandbox list --selector env=dev
+openshell sandbox list --selector env=dev,team=platform
+```
+
 ## Monitor and Debug
 
 List all sandboxes:
@@ -240,9 +249,33 @@ Deleting a sandbox stops all processes, releases resources, and purges injected
 openshell sandbox delete my-sandbox
 ```
 
+## Sandbox Lifecycle
+
+Every sandbox moves through a defined set of phases:
+
+| Phase | Description |
+|---|---|
+| Provisioning | The runtime is setting up the sandbox environment, injecting credentials, and applying your policy. |
+| Ready | The sandbox is running. The agent process is active and all isolation layers are enforced. You can connect, sync files, and view logs. |
+| Error | Something went wrong during provisioning or execution. Check logs with `openshell logs` for details. |
+| Deleting | The sandbox is being torn down. The system releases resources and purges credentials. |
+
+## Sandbox Isolation and Policies
+
+OpenShell ships a built-in policy that covers common agent workflows out of the box. When you create a sandbox without `--policy`, OpenShell applies the default policy.
+
+| Layer | What it controls | How it works |
+|---|---|---|
+| Filesystem | What the agent can access on disk. | Paths are split into read-only and read-write sets. [Landlock LSM](https://docs.kernel.org/security/landlock.html) enforces these restrictions at the kernel level. |
+| Network | What the agent can reach on the network. | Policy blocks pair allowed destinations with allowed binaries. The proxy matches every outbound connection to the binary that opened it. Both must match or the connection is denied. |
+| Process | What privileges the agent has. | The agent runs as an unprivileged user with seccomp filters that block dangerous system calls. Root execution, `sudo`, and `setuid` escalation paths are blocked. |
+| Inference | How model API traffic is routed. | Requests to `https://inference.local` route through the gateway so provider credentials stay outside the sandbox. |
+
+For the full breakdown of the built-in policy, refer to [Default Policy](/reference/default-policy). For custom policy structure and update workflows, refer to [Policies](/sandboxes/policies).
+
 ## Next Steps
 
 - To follow a complete end-to-end example, refer to the [GitHub Sandbox](/get-started/tutorials/github-sandbox) tutorial.
 - To supply API keys or tokens, refer to [Manage Providers](/sandboxes/manage-providers).
 - To control what the agent can access, refer to [Policies](/sandboxes/policies).
-- To use a pre-built environment, refer to the [Community Sandboxes](/sandboxes/community-sandboxes) catalog.
+- To use the default runtime image, refer to [Base Sandbox Container](#base-sandbox-container).
diff --git a/docs/sandboxes/policies.mdx b/docs/sandboxes/policies.mdx
index 14876331c..732323df7 100644
--- a/docs/sandboxes/policies.mdx
+++ b/docs/sandboxes/policies.mdx
@@ -5,7 +5,7 @@ title: "Customize Sandbox Policies"
 sidebar-title: "Policies"
 description: "Apply, iterate, and debug sandbox network policies with hot-reload on running OpenShell sandboxes."
 keywords: "Generative AI, Cybersecurity, Policy, Network Policy, Sandbox, Security, Hot Reload"
-position: 5
+position: 4
 ---
 
 Use this page to apply and iterate policy changes on running sandboxes. For a full field-by-field YAML definition, use the [Policy Schema Reference](/reference/policy-schema).
@@ -56,7 +56,7 @@ Raw streams are connection-scoped and outside L7 live-reload guarantees. This in
 | `filesystem_policy` | Static | Controls which directories the agent can access on disk. Paths are split into `read_only` and `read_write` lists. Any path not listed in either list is inaccessible. Set `include_workdir: true` to automatically add the agent's working directory to `read_write`. [Landlock LSM](https://docs.kernel.org/security/landlock.html) enforces these restrictions at the kernel level. |
 | `landlock` | Static | Configures Landlock LSM enforcement behavior. Set `compatibility` to `best_effort` (skip individual inaccessible paths while applying remaining rules) or `hard_requirement` (fail if any path is inaccessible or the required kernel ABI is unavailable). See the [Policy Schema Reference](/reference/policy-schema#landlock) for the full behavior table. |
 | `process` | Static | Sets the OS-level identity for the agent process. `run_as_user` and `run_as_group` default to `sandbox`. Root (`root` or `0`) is rejected. The agent also runs with seccomp filters that block dangerous system calls. |
-| `network_policies` | Dynamic | Controls network access for ordinary outbound traffic from the sandbox. Each block has a name, a list of endpoints (host, port, protocol, and optional rules), and a list of binaries allowed to use those endpoints. <br />Every outbound connection except `https://inference.local` goes through the proxy, which queries the [policy engine](/about/architecture) with the destination and calling binary. A connection is allowed only when both match an entry in the same policy block. <br />For endpoints with `protocol: rest`, the proxy auto-detects TLS and terminates it so each HTTP request is checked against that endpoint's `rules` (method and path). <br />Endpoints without `protocol` allow the TCP stream through without inspecting payloads. <br />If no endpoint matches, the connection is denied. Configure managed inference separately through [Configure](/inference/configure). |
+| `network_policies` | Dynamic | Controls network access for ordinary outbound traffic from the sandbox. Each block has a name, a list of endpoints (host, port, protocol, and optional rules), and a list of binaries allowed to use those endpoints. <br />Every outbound connection except `https://inference.local` goes through the proxy, which queries the [policy engine](/about/overview#core-components) with the destination and calling binary. A connection is allowed only when both match an entry in the same policy block. <br />For endpoints with `protocol: rest`, the proxy auto-detects TLS and terminates it so each HTTP request can be checked against that endpoint's `rules` (method and path). <br />Endpoints without `protocol` allow the TCP stream through without inspecting payloads. <br />If no endpoint matches, the connection is denied. Configure managed inference separately through [Inference Routing](/sandboxes/inference-routing). |
 
 ## Baseline Filesystem Paths
 
@@ -589,6 +589,6 @@ GraphQL field names are application-specific, so treat these as starting shapes
 
 Explore related topics:
 
-- To learn about network access rules and sandbox isolation layers, refer to [Index](/sandboxes/about).
+- To learn about sandbox isolation layers, refer to [Sandboxes](/sandboxes/manage-sandboxes#sandbox-isolation-and-policies).
 - To view the full field-by-field YAML definition, refer to the [Policy Schema Reference](/reference/policy-schema).
 - To review the default policy breakdown, refer to [Default Policy](/reference/default-policy).
diff --git a/docs/security/best-practices.mdx b/docs/security/best-practices.mdx
index e2dccb5ea..b122f355b 100644
--- a/docs/security/best-practices.mdx
+++ b/docs/security/best-practices.mdx
@@ -13,7 +13,7 @@ OpenShell enforces sandbox security across four layers: network, filesystem, pro
 This page documents every configurable control, its default, what it protects, and the risk of relaxing it.
 
 For the full policy YAML schema, refer to the [Policy Schema](/reference/policy-schema).
-For the architecture of each enforcement layer, refer to [Architecture](/about/architecture).
+For the architecture of each enforcement layer, refer to [Overview](/about/overview#architecture).
 
 <Note>
 If you use [NemoClaw](https://github.com/NVIDIA/NemoClaw) to run OpenClaw assistants, its [Security Best Practices](https://docs.nvidia.com/nemoclaw/latest/security/best-practices.html) guide covers additional entrypoint-level controls, policy presets, provider trust tiers, and posture profiles specific to the NemoClaw blueprint.
@@ -282,5 +282,5 @@ The following patterns weaken security without providing meaningful benefit.
 - [Policy Schema](/reference/policy-schema) for the full field-by-field YAML reference.
 - [Default Policy](/reference/default-policy) for the built-in default policy breakdown.
 - [Gateway Auth](/reference/gateway-auth) for gateway authentication details.
-- [Architecture](/about/architecture) for the system architecture.
+- [Overview](/about/overview#architecture) for the system architecture.
 - NemoClaw [Security Best Practices](https://docs.nvidia.com/nemoclaw/latest/security/best-practices.html) for entrypoint-level controls (capability drops, PATH hardening, build toolchain removal), policy presets, provider trust tiers, and posture profiles.

From de91be9a21425d21baeaf8cf096881f92e2fed97 Mon Sep 17 00:00:00 2001
From: Drew Newberry <anewberry@nvidia.com>
Date: Wed, 6 May 2026 23:47:02 -0700
Subject: [PATCH 2/6] docs: move architecture to how it works

Signed-off-by: Drew Newberry <anewberry@nvidia.com>
---
 docs/about/how-it-works.mdx                   | 102 ++++++++++++++++++
 .../{get-openshell.mdx => installation.mdx}   |   8 +-
 docs/about/overview.mdx                       |  96 +----------------
 docs/about/release-notes.mdx                  |   2 +-
 docs/about/supported-agents.mdx               |   2 +-
 docs/get-started/quickstart.mdx               |   2 +-
 docs/index.mdx                                |   2 +-
 docs/sandboxes/manage-gateways.mdx            |   6 +-
 docs/security/best-practices.mdx              |   4 +-
 9 files changed, 116 insertions(+), 108 deletions(-)
 create mode 100644 docs/about/how-it-works.mdx
 rename docs/about/{get-openshell.mdx => installation.mdx} (97%)

diff --git a/docs/about/how-it-works.mdx b/docs/about/how-it-works.mdx
new file mode 100644
index 000000000..81fab000b
--- /dev/null
+++ b/docs/about/how-it-works.mdx
@@ -0,0 +1,102 @@
+---
+# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+title: "How OpenShell Works"
+sidebar-title: "How It Works"
+description: "Understand the OpenShell architecture, runtime boundaries, gateways, sandboxes, and ecosystem integration points."
+keywords: "Generative AI, Cybersecurity, AI Agents, Architecture, Gateway, Sandbox, Inference Routing"
+position: 2
+---
+
+OpenShell runs autonomous AI agents in sandboxed environments with explicit
+policy, credential, identity, and network boundaries. The target architecture is
+built around three stable runtime components: the **CLI**, the **Gateway**, and
+the **Supervisor**.
+
+The CLI, SDK, and TUI provide user-facing access. The gateway is the
+authenticated control plane: it owns API access, durable state, policy and
+settings delivery, provider and inference configuration, and relay
+coordination. The supervisor runs inside every sandbox workload and is the local
+security boundary. It launches the agent as a restricted child process and
+enforces policy where process identity, filesystem access, network egress, and
+runtime credentials are visible.
+
+Infrastructure-specific work sits behind integration boundaries. Compute,
+credentials, control-plane identity, and sandbox identity each have a driver or
+adapter boundary so OpenShell can integrate with native runtimes, secret stores,
+identity providers, and workload identity systems without moving those concerns
+into the core gateway or sandbox model.
+
+```mermaid
+flowchart TB
+    subgraph UI["User interfaces"]
+        CLI["CLI"]
+        SDK["SDK"]
+        TUI["TUI"]
+    end
+
+    subgraph CP["Control plane"]
+        GW["Gateway core"]
+        DB[("Shared persistence")]
+        DRIVERS["Compute, credentials, and identity drivers"]
+    end
+
+    subgraph INFRA["Integrated infrastructure"]
+        RUNTIME["Docker, Podman, Kubernetes, or VM"]
+        SECRETSTORE["Secret stores"]
+        IDP["Identity providers"]
+        WORKLOADID["Workload identity"]
+    end
+
+    subgraph DP["Sandbox data plane"]
+        SUP["Supervisor"]
+        AGENT["Restricted agent process"]
+        PROXY["Policy proxy"]
+        POLICY["OPA policy engine"]
+        ROUTER["Inference router"]
+    end
+
+    CLI -->|"gRPC / HTTP"| GW
+    SDK -->|"gRPC / HTTP"| GW
+    TUI -->|"gRPC / HTTP"| GW
+    GW --> DB
+    GW --> DRIVERS
+    DRIVERS --> RUNTIME
+    DRIVERS --> SECRETSTORE
+    DRIVERS --> IDP
+    DRIVERS --> WORKLOADID
+    RUNTIME -->|"provisions workload"| SUP
+    SUP -->|"control, config, logs, relay"| GW
+    SUP -->|"spawn and restrict"| AGENT
+    AGENT -->|"ordinary egress"| PROXY
+    PROXY -->|"evaluate"| POLICY
+    PROXY -->|"allowed traffic"| EXT["External services"]
+    PROXY -->|"inference.local"| ROUTER
+    ROUTER -->|"managed inference"| MODEL["Inference backends"]
+```
+
+## Core Components
+
+| Component | Boundary |
+|---|---|
+| [Sandboxes](/sandboxes/manage-sandboxes) | Data-plane workloads that run the supervisor, launch restricted agent processes, apply local isolation, push logs, and maintain the gateway session. |
+| [Gateways](/sandboxes/manage-gateways) | Authenticated control plane that owns API access, durable state, sandbox lifecycle, settings delivery, authorization, and relay coordination. |
+| [Providers](/sandboxes/manage-providers) | Credential and provider records that map logical agent needs to platform or user-managed secrets without exposing raw credentials to the agent process. |
+| [Policies](/sandboxes/policies) | Declarative controls for filesystem access, process identity, network egress, L7 rules, credential injection, and runtime policy updates. |
+| [Inference Routing](/sandboxes/inference-routing) | Managed `https://inference.local` path that routes model traffic to configured backends while keeping provider credentials outside the sandbox. |
+
+## Gateways and Sandboxes
+
+The gateway and sandbox split control-plane authority from runtime enforcement. The gateway owns durable platform state: sandboxes, policy revisions, runtime settings, provider records, inference configuration, session records, and authorization decisions. A sandbox owns the local execution boundary: process identity, filesystem access, network egress, credential injection, local logs, and the agent child process.
+
+The relationship is supervisor initiated. Each sandbox supervisor connects outbound to a known gateway endpoint, authenticates as a sandbox workload, and keeps a live session open for control traffic and relays. This avoids requiring every compute driver to solve gateway-to-sandbox reachability through pod IPs, bridge networks, port mappings, NAT traversal, or custom tunnels.
+
+The gateway delivers desired state. The supervisor applies it locally, keeps last-known-good config when refresh fails, and leaves static isolation controls in place until the sandbox is recreated. Live operations such as config refresh, policy updates, credential delivery, log push, connect, exec, file sync, and relay setup use the same authenticated gateway-supervisor relationship.
+
+## Ecosystem Integration
+
+OpenShell integrates with infrastructure ecosystems instead of replacing them. Runtimes, schedulers, secret stores, identity providers, workload identity systems, image pipelines, storage, and GPU or device exposure remain owned by the platforms that provide them.
+
+The gateway owns OpenShell control-plane semantics: sandbox state, lifecycle ordering, policy and settings resolution, credential mapping, authorization, inference configuration, and relay coordination. Drivers translate those semantics into platform-native operations.
+
+The supervisor owns OpenShell sandbox semantics. Filesystem policy, process privilege reduction, network proxying, inference interception, credential injection, security logging, and gateway relay behavior stay consistent across Docker, Podman, Kubernetes, VM-backed sandboxes, and future integrations.
diff --git a/docs/about/get-openshell.mdx b/docs/about/installation.mdx
similarity index 97%
rename from docs/about/get-openshell.mdx
rename to docs/about/installation.mdx
index a4d7d0fa5..5e2798ef4 100644
--- a/docs/about/get-openshell.mdx
+++ b/docs/about/installation.mdx
@@ -1,14 +1,14 @@
 ---
 # SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
-title: "Get OpenShell"
-sidebar-title: "Get OpenShell"
+title: "Installation"
+sidebar-title: "Installation"
 description: "Install OpenShell, choose a sandbox runtime, and connect to a gateway."
 keywords: "Generative AI, Cybersecurity, AI Agents, Sandboxing, Installation, Setup, Gateway, Docker, Podman, MicroVM, Kubernetes"
-position: 2
+position: 3
 ---
 
-## Installation
+## Install OpenShell
 
 Install OpenShell with a single command:
 
diff --git a/docs/about/overview.mdx b/docs/about/overview.mdx
index 8c59e70c7..3d44a782d 100644
--- a/docs/about/overview.mdx
+++ b/docs/about/overview.mdx
@@ -49,104 +49,10 @@ OpenShell supports a range of agent deployment patterns.
 | Compliance and audit        | Treat policy YAML as version-controlled security controls that can be reviewed and audited.              |
 | Reusable environments       | Use community sandbox images or bring your own containerized runtime.                                    |
 
----
-
-## Architecture
-
-The target architecture is built around three stable runtime components: the **CLI**, the **Gateway**, and
-the **Supervisor**.
-
-The CLI, SDK, and TUI provide user-facing access. The gateway is the
-authenticated control plane: it owns API access, durable state, policy and
-settings delivery, provider and inference configuration, and relay
-coordination. The supervisor runs inside every sandbox workload and is the local
-security boundary. It launches the agent as a restricted child process and
-enforces policy where process identity, filesystem access, network egress, and
-runtime credentials are visible.
-
-Infrastructure-specific work sits behind integration boundaries. Compute,
-credentials, control-plane identity, and sandbox identity each have a driver or
-adapter boundary so OpenShell can integrate with native runtimes, secret stores,
-identity providers, and workload identity systems without moving those concerns
-into the core gateway or sandbox model.
-
-```mermaid
-flowchart TB
-    subgraph UI["User interfaces"]
-        CLI["CLI"]
-        SDK["SDK"]
-        TUI["TUI"]
-    end
-
-    subgraph CP["Control plane"]
-        GW["Gateway core"]
-        DB[("Shared persistence")]
-        DRIVERS["Compute, credentials, and identity drivers"]
-    end
-
-    subgraph INFRA["Integrated infrastructure"]
-        RUNTIME["Docker, Podman, Kubernetes, or VM"]
-        SECRETSTORE["Secret stores"]
-        IDP["Identity providers"]
-        WORKLOADID["Workload identity"]
-    end
-
-    subgraph DP["Sandbox data plane"]
-        SUP["Supervisor"]
-        AGENT["Restricted agent process"]
-        PROXY["Policy proxy"]
-        POLICY["OPA policy engine"]
-        ROUTER["Inference router"]
-    end
-
-    CLI -->|"gRPC / HTTP"| GW
-    SDK -->|"gRPC / HTTP"| GW
-    TUI -->|"gRPC / HTTP"| GW
-    GW --> DB
-    GW --> DRIVERS
-    DRIVERS --> RUNTIME
-    DRIVERS --> SECRETSTORE
-    DRIVERS --> IDP
-    DRIVERS --> WORKLOADID
-    RUNTIME -->|"provisions workload"| SUP
-    SUP -->|"control, config, logs, relay"| GW
-    SUP -->|"spawn and restrict"| AGENT
-    AGENT -->|"ordinary egress"| PROXY
-    PROXY -->|"evaluate"| POLICY
-    PROXY -->|"allowed traffic"| EXT["External services"]
-    PROXY -->|"inference.local"| ROUTER
-    ROUTER -->|"managed inference"| MODEL["Inference backends"]
-```
-
-### Core Components
-
-| Component | Boundary |
-|---|---|
-| [Sandboxes](/sandboxes/manage-sandboxes) | Data-plane workloads that run the supervisor, launch restricted agent processes, apply local isolation, push logs, and maintain the gateway session. |
-| [Gateways](/sandboxes/manage-gateways) | Authenticated control plane that owns API access, durable state, sandbox lifecycle, settings delivery, authorization, and relay coordination. |
-| [Providers](/sandboxes/manage-providers) | Credential and provider records that map logical agent needs to platform or user-managed secrets without exposing raw credentials to the agent process. |
-| [Policies](/sandboxes/policies) | Declarative controls for filesystem access, process identity, network egress, L7 rules, credential injection, and runtime policy updates. |
-| [Inference Routing](/sandboxes/inference-routing) | Managed `https://inference.local` path that routes model traffic to configured backends while keeping provider credentials outside the sandbox. |
-
-### Gateways and Sandboxes
-
-The gateway and sandbox split control-plane authority from runtime enforcement. The gateway owns durable platform state: sandboxes, policy revisions, runtime settings, provider records, inference configuration, session records, and authorization decisions. A sandbox owns the local execution boundary: process identity, filesystem access, network egress, credential injection, local logs, and the agent child process.
-
-The relationship is supervisor initiated. Each sandbox supervisor connects outbound to a known gateway endpoint, authenticates as a sandbox workload, and keeps a live session open for control traffic and relays. This avoids requiring every compute driver to solve gateway-to-sandbox reachability through pod IPs, bridge networks, port mappings, NAT traversal, or custom tunnels.
-
-The gateway delivers desired state. The supervisor applies it locally, keeps last-known-good config when refresh fails, and leaves static isolation controls in place until the sandbox is recreated. Live operations such as config refresh, policy updates, credential delivery, log push, connect, exec, file sync, and relay setup use the same authenticated gateway-supervisor relationship.
-
-### Ecosystem Integration
-
-OpenShell integrates with infrastructure ecosystems instead of replacing them. Runtimes, schedulers, secret stores, identity providers, workload identity systems, image pipelines, storage, and GPU or device exposure remain owned by the platforms that provide them.
-
-The gateway owns OpenShell control-plane semantics: sandbox state, lifecycle ordering, policy and settings resolution, credential mapping, authorization, inference configuration, and relay coordination. Drivers translate those semantics into platform-native operations.
-
-The supervisor owns OpenShell sandbox semantics. Filesystem policy, process privilege reduction, network proxying, inference interception, credential injection, security logging, and gateway relay behavior stay consistent across Docker, Podman, Kubernetes, VM-backed sandboxes, and future integrations.
-
 ## Next Steps
 
 Explore these topics to go deeper:
 
+- To understand the runtime architecture, refer to [How OpenShell Works](/about/how-it-works).
 - To install the CLI and create your first sandbox, refer to the [Quickstart](/get-started/quickstart).
 - To learn how OpenShell enforces isolation across all protection layers, refer to [Sandboxes](/sandboxes/manage-sandboxes#sandbox-isolation-and-policies).
diff --git a/docs/about/release-notes.mdx b/docs/about/release-notes.mdx
index 0d9a4407e..2efa2b82c 100644
--- a/docs/about/release-notes.mdx
+++ b/docs/about/release-notes.mdx
@@ -5,7 +5,7 @@ title: "NVIDIA OpenShell Release Notes"
 sidebar-title: "Release Notes"
 description: "Track the latest changes and improvements to NVIDIA OpenShell."
 keywords: "Generative AI, Cybersecurity, Release Notes, Changelog, AI Agents"
-position: 4
+position: 5
 ---
 
 NVIDIA OpenShell follows a frequent release cadence. Use the following GitHub resources directly.
diff --git a/docs/about/supported-agents.mdx b/docs/about/supported-agents.mdx
index e2b715d7b..ec03cf755 100644
--- a/docs/about/supported-agents.mdx
+++ b/docs/about/supported-agents.mdx
@@ -4,7 +4,7 @@
 title: "Supported Agents"
 description: "AI agent frameworks and runtimes compatible with OpenShell sandboxes."
 keywords: "Generative AI, Cybersecurity, AI Agents, Sandboxing, Claude, Codex, Cursor"
-position: 3
+position: 4
 ---
 The following table summarizes the agents that run in OpenShell sandboxes. All agent sandbox images are maintained in the [OpenShell Community](https://github.com/NVIDIA/OpenShell-Community) repository. Agents in the base image are auto-configured when passed as the trailing command to `openshell sandbox create`.
 
diff --git a/docs/get-started/quickstart.mdx b/docs/get-started/quickstart.mdx
index 827f3ccbf..d18d13c0e 100644
--- a/docs/get-started/quickstart.mdx
+++ b/docs/get-started/quickstart.mdx
@@ -18,7 +18,7 @@ Before you begin, make sure you have:
 - The OpenShell CLI installed on your workstation.
 
 For a complete list of requirements, refer to [Support Matrix](/reference/support-matrix).
-If you have not chosen a runtime yet, refer to [Get OpenShell](/about/get-openshell).
+If you have not chosen a runtime yet, refer to [Installation](/about/installation).
 
 ## Install the OpenShell CLI
 
diff --git a/docs/index.mdx b/docs/index.mdx
index 45dc61ef5..354e41f77 100644
--- a/docs/index.mdx
+++ b/docs/index.mdx
@@ -146,7 +146,7 @@ Understand sandbox logs, access them via CLI and TUI, and export OCSF JSON recor
 
 <Card title="Reference" href="/reference/default-policy">
 
-Policy schema, environment variables, and system architecture.
+Policy schema, environment variables, and default policy details.
 
 <Badge intent="tip" minimal outlined>Reference</Badge>
 </Card>
diff --git a/docs/sandboxes/manage-gateways.mdx b/docs/sandboxes/manage-gateways.mdx
index c2ab9b9ae..152a23aaa 100644
--- a/docs/sandboxes/manage-gateways.mdx
+++ b/docs/sandboxes/manage-gateways.mdx
@@ -18,7 +18,7 @@ The gateway is responsible for:
 - Managing inference configuration and serving inference bundles so sandboxes can route requests to the correct backend.
 - Providing the SSH tunnel endpoint so you can connect to sandboxes without exposing them directly.
 
-OpenShell separates gateway access from the compute platform that runs sandboxes. Use [Get OpenShell](/about/get-openshell) to install OpenShell, choose a runtime, and start a gateway. This page covers working with gateway entries after a gateway exists.
+OpenShell separates gateway access from the compute platform that runs sandboxes. Use [Installation](/about/installation) to install OpenShell, choose a runtime, and start a gateway. This page covers working with gateway entries after a gateway exists.
 
 ## Gateway Compute Platforms
 
@@ -34,7 +34,7 @@ A gateway provisions sandboxes on the compute platform configured for that gatew
 All compute platforms expose the same gateway API surface. Sandboxes, policies, and providers work the same after the CLI registers the gateway endpoint. The difference is how the gateway creates sandbox workloads and how operators expose the gateway to users.
 
 <Tip>
-For runtime setup, including Docker, Podman, MicroVM, and Kubernetes paths, refer to [Get OpenShell](/about/get-openshell).
+For runtime setup, including Docker, Podman, MicroVM, and Kubernetes paths, refer to [Installation](/about/installation).
 
 </Tip>
 
@@ -141,5 +141,5 @@ For sandbox startup failures, inspect the selected compute platform:
 
 ## Next Steps
 
-- To install OpenShell and choose a runtime, refer to [Get OpenShell](/about/get-openshell).
+- To install OpenShell and choose a runtime, refer to [Installation](/about/installation).
 - To create a sandbox using the gateway, refer to [Manage Sandboxes](/sandboxes/manage-sandboxes).
diff --git a/docs/security/best-practices.mdx b/docs/security/best-practices.mdx
index b122f355b..92570c87f 100644
--- a/docs/security/best-practices.mdx
+++ b/docs/security/best-practices.mdx
@@ -13,7 +13,7 @@ OpenShell enforces sandbox security across four layers: network, filesystem, pro
 This page documents every configurable control, its default, what it protects, and the risk of relaxing it.
 
 For the full policy YAML schema, refer to the [Policy Schema](/reference/policy-schema).
-For the architecture of each enforcement layer, refer to [Overview](/about/overview#architecture).
+For the architecture of each enforcement layer, refer to [How OpenShell Works](/about/how-it-works).
 
 <Note>
 If you use [NemoClaw](https://github.com/NVIDIA/NemoClaw) to run OpenClaw assistants, its [Security Best Practices](https://docs.nvidia.com/nemoclaw/latest/security/best-practices.html) guide covers additional entrypoint-level controls, policy presets, provider trust tiers, and posture profiles specific to the NemoClaw blueprint.
@@ -282,5 +282,5 @@ The following patterns weaken security without providing meaningful benefit.
 - [Policy Schema](/reference/policy-schema) for the full field-by-field YAML reference.
 - [Default Policy](/reference/default-policy) for the built-in default policy breakdown.
 - [Gateway Auth](/reference/gateway-auth) for gateway authentication details.
-- [Overview](/about/overview#architecture) for the system architecture.
+- [How OpenShell Works](/about/how-it-works) for the system architecture.
 - NemoClaw [Security Best Practices](https://docs.nvidia.com/nemoclaw/latest/security/best-practices.html) for entrypoint-level controls (capability drops, PATH hardening, build toolchain removal), policy presets, provider trust tiers, and posture profiles.

From 1a5f0373e434faacbbb1d56a83f05f92fc6ba93c Mon Sep 17 00:00:00 2001
From: Drew Newberry <anewberry@nvidia.com>
Date: Thu, 7 May 2026 00:02:53 -0700
Subject: [PATCH 3/6] docs: describe deployment and supervisor layers

Signed-off-by: Drew Newberry <anewberry@nvidia.com>
---
 docs/about/how-it-works.mdx | 51 +++++++++++++++++++++++++++++--------
 1 file changed, 40 insertions(+), 11 deletions(-)

diff --git a/docs/about/how-it-works.mdx b/docs/about/how-it-works.mdx
index 81fab000b..5223072a2 100644
--- a/docs/about/how-it-works.mdx
+++ b/docs/about/how-it-works.mdx
@@ -8,17 +8,10 @@ keywords: "Generative AI, Cybersecurity, AI Agents, Architecture, Gateway, Sandb
 position: 2
 ---
 
-OpenShell runs autonomous AI agents in sandboxed environments with explicit
-policy, credential, identity, and network boundaries. The target architecture is
-built around three stable runtime components: the **CLI**, the **Gateway**, and
-the **Supervisor**.
+OpenShell is built around three stable runtime components: the **CLI**, the **Gateway**, and the **Supervisor**.
 
 The CLI, SDK, and TUI provide user-facing access. The gateway is the
-authenticated control plane: it owns API access, durable state, policy and
-settings delivery, provider and inference configuration, and relay
-coordination. The supervisor runs inside every sandbox workload and is the local
-security boundary. It launches the agent as a restricted child process and
-enforces policy where process identity, filesystem access, network egress, and
+control plane: it owns API access, state, policy and settings delivery, provider and inference configuration, and relay coordination. The supervisor runs inside every sandbox workload and is the local security boundary. It launches the agent as a restricted child process and enforces policy where process identity, filesystem access, network egress, and
 runtime credentials are visible.
 
 Infrastructure-specific work sits behind integration boundaries. Compute,
@@ -36,8 +29,8 @@ flowchart TB
     end
 
     subgraph CP["Control plane"]
-        GW["Gateway core"]
-        DB[("Shared persistence")]
+        GW["Gateway"]
+        DB[("Entity persistence")]
         DRIVERS["Compute, credentials, and identity drivers"]
     end
 
@@ -75,6 +68,22 @@ flowchart TB
     ROUTER -->|"managed inference"| MODEL["Inference backends"]
 ```
 
+## Deployment Models
+
+OpenShell can run on a single local machine or in a remote Kubernetes cluster.
+The CLI workflow stays the same: users point the CLI, SDK, or TUI at a gateway,
+and the gateway provisions sandboxes through its configured compute driver.
+
+| Deployment | How it works | Best for |
+|---|---|---|
+| Local machine | The gateway runs on the user's workstation or a nearby development host and creates sandboxes with Docker, Podman, or a VM runtime. The supervisor inside each sandbox connects back to that local gateway. | Individual development, local agent experiments, and private workstation workflows. |
+| Remote Kubernetes cluster | The gateway runs as a cluster service and creates sandbox pods in the configured namespace. Supervisors connect outbound to the gateway endpoint, so clients do not need direct pod access. | Shared teams, centrally managed policy, remote compute, GPUs, and production-like environments. |
+
+This deployment split keeps the runtime model consistent. Local deployments use
+the host's container or VM runtime as the integrated infrastructure. Kubernetes
+deployments use the cluster scheduler, networking, secrets, identity, and GPU
+device plugins without changing the gateway and sandbox contract.
+
 ## Core Components
 
 | Component | Boundary |
@@ -93,6 +102,26 @@ The relationship is supervisor initiated. Each sandbox supervisor connects outbo
 
 The gateway delivers desired state. The supervisor applies it locally, keeps last-known-good config when refresh fails, and leaves static isolation controls in place until the sandbox is recreated. Live operations such as config refresh, policy updates, credential delivery, log push, connect, exec, file sync, and relay setup use the same authenticated gateway-supervisor relationship.
 
+## Supervisor Protection Layers
+
+The supervisor is the sandbox-local enforcement component. It starts before the
+agent process, prepares the sandbox runtime, fetches gateway configuration, and
+then launches the agent under the active policy.
+
+| Protection layer | Supervisor responsibility |
+|---|---|
+| Process | Drops privileges, applies process identity rules, disables privilege escalation paths, and starts the agent as a restricted child process. |
+| Filesystem | Applies filesystem policy before the agent starts so undeclared paths are inaccessible and declared paths are read-only or read-write as configured. |
+| Network | Routes ordinary egress through the policy proxy so destination, port, binary identity, and L7 request rules can be evaluated before traffic leaves the sandbox. |
+| Credentials | Receives credential material from the gateway and injects it only through configured policy paths or request-time proxy rules. |
+| Inference | Intercepts `https://inference.local` and forwards model traffic through the configured inference route instead of exposing provider credentials to the agent. |
+| Observability | Emits local security and lifecycle logs, pushes sandbox logs to the gateway, and keeps relay endpoints available for connect, exec, and file transfer operations. |
+
+Static controls such as filesystem and process isolation are established at
+sandbox start and require sandbox recreation to change. Dynamic controls such as
+network policy, credential delivery, and inference routing can refresh over the
+live gateway-supervisor session.
+
 ## Ecosystem Integration
 
 OpenShell integrates with infrastructure ecosystems instead of replacing them. Runtimes, schedulers, secret stores, identity providers, workload identity systems, image pipelines, storage, and GPU or device exposure remain owned by the platforms that provide them.

From 8c72557fe135f5301b163e5fe7291ea5fd386f75 Mon Sep 17 00:00:00 2001
From: Drew Newberry <anewberry@nvidia.com>
Date: Thu, 7 May 2026 00:24:46 -0700
Subject: [PATCH 4/6] docs: update gateway auth reference

Signed-off-by: Drew Newberry <anewberry@nvidia.com>
---
 docs/reference/gateway-auth.mdx | 108 ++++++++++++++++++++++++++------
 1 file changed, 88 insertions(+), 20 deletions(-)

diff --git a/docs/reference/gateway-auth.mdx b/docs/reference/gateway-auth.mdx
index db96a332b..c5e4a6d30 100644
--- a/docs/reference/gateway-auth.mdx
+++ b/docs/reference/gateway-auth.mdx
@@ -2,8 +2,8 @@
 # SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
 title: "Gateway Authentication"
-description: "Gateway resolution, authentication modes, connection flow, and credential file layout."
-keywords: "Generative AI, Cybersecurity, Gateway, Authentication, mTLS, Edge Authentication, Reference"
+description: "Gateway resolution, authentication modes, connection flow, OIDC support, and credential file layout."
+keywords: "Generative AI, Cybersecurity, Gateway, Authentication, mTLS, OIDC, OpenID Connect, Edge Authentication, Reference"
 position: 1
 ---
 
@@ -22,19 +22,29 @@ The CLI loads gateway metadata from disk to determine the endpoint URL and authe
 
 ## Authentication Modes
 
-The CLI uses one of three connection modes depending on the gateway's authentication configuration.
+The CLI uses one of four connection modes depending on the gateway's authentication configuration.
 
 ### mTLS
 
-The default mode for self-managed gateways. Every CLI request presents a client certificate to prove identity. Kubernetes Helm deployments provide the server certificate, client CA, and client certificate bundle through Kubernetes secrets. Standalone Docker, Podman, and MicroVM-backed gateways provide equivalent certificate files through their runtime configuration.
+The default mode for self-managed gateways. Every CLI request presents a client certificate to prove identity, and the gateway verifies that certificate against a configured client CA.
 
-The CLI loads three PEM files from `~/.config/openshell/gateways/<name>/mtls/`:
+Set these environment variables before starting the gateway:
+
+| Environment variable | Purpose |
+|---|---|
+| `OPENSHELL_TLS_CERT` | Path to the gateway server certificate. |
+| `OPENSHELL_TLS_KEY` | Path to the gateway server private key. |
+| `OPENSHELL_TLS_CLIENT_CA` | Path to the CA certificate that verifies CLI client certificates. |
+
+For local access, the server certificate must be valid for the endpoint the CLI uses. Include `localhost` and `127.0.0.1` in the certificate SANs when users connect to a local gateway through loopback.
+
+The CLI loads its mTLS bundle from `~/.config/openshell/gateways/<name>/mtls/`:
 
 | File | Purpose |
 |---|---|
-| `ca.crt` | CA certificate. Verifies the gateway's server certificate. |
-| `tls.crt` | Client certificate. Proves the CLI's identity to the gateway. |
-| `tls.key` | Client private key. |
+| `ca.crt` | CA certificate that verifies the gateway server certificate. |
+| `tls.crt` | Client certificate. It must chain to `OPENSHELL_TLS_CLIENT_CA`. |
+| `tls.key` | Client private key for `tls.crt`. |
 
 The connection flow:
 
@@ -44,23 +54,78 @@ The connection flow:
 4. The gateway verifies the client certificate against its CA.
 5. An HTTP/2 channel is established. All CLI commands use this channel.
 
-For Helm deployments, create these Kubernetes secrets before installing the chart:
+### OIDC
+
+Gateways can validate OpenID Connect access tokens on gRPC requests. Configure OIDC when you want users, operators, or automation to authenticate with an identity provider such as Keycloak, Entra ID, or Okta instead of relying only on client certificates.
+
+OIDC is application-layer authentication. TLS still controls the transport. If TLS client certificates remain required, the CLI must also have an mTLS bundle for the gateway. To accept OIDC bearer tokens without client certificates, keep TLS enabled and disable the mTLS client certificate requirement with `--disable-gateway-auth`, then configure OIDC on the same gateway.
+
+Configure the gateway with an issuer and audience:
 
 ```shell
-kubectl -n openshell create secret tls openshell-server-tls \
-  --cert server.crt \
-  --key server.key
+openshell-gateway \
+  --oidc-issuer https://idp.example.com/realms/openshell \
+  --oidc-audience openshell-cli \
+  --oidc-roles-claim realm_access.roles \
+  --oidc-admin-role openshell-admin \
+  --oidc-user-role openshell-user
+```
 
-kubectl -n openshell create secret generic openshell-server-client-ca \
-  --from-file=ca.crt=ca.crt
+The same settings are available through environment variables:
+
+| Environment variable | Purpose | Default |
+|---|---|---|
+| `OPENSHELL_OIDC_ISSUER` | OIDC issuer URL. The gateway discovers `/.well-known/openid-configuration` from this URL. | None |
+| `OPENSHELL_OIDC_AUDIENCE` | Expected JWT `aud` claim. | `openshell-cli` |
+| `OPENSHELL_OIDC_JWKS_TTL` | JWKS cache TTL in seconds. The gateway also refreshes on an unknown key ID. | `3600` |
+| `OPENSHELL_OIDC_ROLES_CLAIM` | Dot-separated claim path containing roles. | `realm_access.roles` |
+| `OPENSHELL_OIDC_ADMIN_ROLE` | Role required for admin operations. | `openshell-admin` |
+| `OPENSHELL_OIDC_USER_ROLE` | Role required for standard user operations. | `openshell-user` |
+| `OPENSHELL_OIDC_SCOPES_CLAIM` | Dot-separated claim path containing scopes. Empty disables scope enforcement. | Empty |
+
+For Helm deployments, set the same values under `server.oidc`:
+
+```yaml
+server:
+  oidc:
+    issuer: https://idp.example.com/realms/openshell
+    audience: openshell-cli
+    rolesClaim: realm_access.roles
+    adminRole: openshell-admin
+    userRole: openshell-user
+    scopesClaim: ""
+```
 
-kubectl -n openshell create secret generic openshell-client-tls \
-  --from-file=ca.crt=ca.crt \
-  --from-file=tls.crt=client.crt \
-  --from-file=tls.key=client.key
+Register an OIDC gateway with the CLI:
+
+```shell
+openshell gateway add https://gateway.example.com \
+  --name production \
+  --oidc-issuer https://idp.example.com/realms/openshell \
+  --oidc-client-id openshell-cli \
+  --oidc-audience openshell-cli
 ```
 
-The same `ca.crt`, `client.crt`, and `client.key` files must be placed in the CLI mTLS directory as `ca.crt`, `tls.crt`, and `tls.key`.
+When you register or log in to an OIDC gateway, the CLI uses the Authorization Code flow with PKCE. It opens a browser, receives the authorization code on a localhost callback, exchanges the code for tokens, and stores the token bundle under the gateway credential directory. If `OPENSHELL_OIDC_CLIENT_SECRET` is set, the CLI uses the client credentials flow instead. Use that mode for CI and other non-interactive automation.
+
+The connection flow:
+
+1. The CLI loads the stored OIDC token bundle.
+2. If the access token is expired and a refresh token is available, the CLI refreshes it.
+3. The CLI connects to the gateway and attaches `authorization: Bearer <token>` metadata to each gRPC request.
+4. The gateway validates the JWT signature, issuer, audience, expiration, and key ID against the issuer's JWKS.
+5. The gateway extracts roles and optional scopes from the configured claim paths.
+6. The gateway authorizes the gRPC method. Admin methods require the admin role, other authenticated methods require the user role. Admin role holders also satisfy user-role checks.
+
+If `OPENSHELL_OIDC_SCOPES_CLAIM` is set, the gateway also enforces scopes. It accepts space-delimited scope strings such as `scope: "openid sandbox:read"` and JSON arrays such as `scp: ["sandbox:read"]`. Standard OIDC scopes such as `openid`, `profile`, `email`, and `offline_access` are ignored for authorization. `openshell:all` grants access to all scoped methods.
+
+Supervisor-to-gateway RPCs do not use user OIDC tokens. When OIDC is enabled, sandbox supervisors authenticate their internal RPCs with the shared sandbox secret so log upload, policy status, credential environment lookup, inference bundle lookup, and sandbox config sync continue to work.
+
+Re-authenticate an OIDC gateway with:
+
+```shell
+openshell gateway login production
+```
 
 ### Edge JWT (cloud gateways)
 
@@ -82,7 +147,7 @@ For gateways behind a reverse proxy that handles authentication (e.g. Cloudflare
 4. The gateway bridges the WebSocket into the same service that handles direct mTLS connections.
 5. CLI commands send requests through the local proxy as plaintext HTTP/2 over the tunnel.
 
-This is transparent to the user. All CLI commands work the same regardless of whether the gateway uses mTLS or edge authentication.
+This is transparent to the user. All CLI commands work the same regardless of whether the gateway uses mTLS, OIDC, or edge authentication.
 
 **Re-authentication**: If the token expires, run `openshell gateway login` to open the browser flow again and update the stored token.
 
@@ -113,5 +178,8 @@ openshell/
         tls.crt                     # Client certificate
         tls.key                     # Client private key
       edge_token                    # Edge auth JWT (cloud gateways)
+      oidc_token.json               # OIDC access token, refresh token, and expiry metadata
       last_sandbox                  # Last-used sandbox for this gateway
 ```
+
+For OIDC gateways, `metadata.json` also stores the issuer, CLI client ID, optional audience, and requested scopes. Treat `oidc_token.json` as a credential. OpenShell writes it with owner-only file permissions.

From 3b4d5adc3434c37d23a8713efc4f8d5b6ab1b63a Mon Sep 17 00:00:00 2001
From: Drew Newberry <anewberry@nvidia.com>
Date: Thu, 7 May 2026 00:56:51 -0700
Subject: [PATCH 5/6] docs: add sandbox compute driver reference

---
 docs/about/installation.mdx                | 10 +--
 docs/about/overview.mdx                    |  4 +-
 docs/get-started/quickstart.mdx            |  4 +-
 docs/reference/sandbox-compute-drivers.mdx | 97 ++++++++++++++++++++++
 docs/reference/support-matrix.mdx          | 12 +--
 docs/sandboxes/manage-gateways.mdx         | 20 ++---
 docs/sandboxes/manage-sandboxes.mdx        | 13 +--
 docs/sandboxes/policies.mdx                |  2 +-
 8 files changed, 126 insertions(+), 36 deletions(-)
 create mode 100644 docs/reference/sandbox-compute-drivers.mdx

diff --git a/docs/about/installation.mdx b/docs/about/installation.mdx
index 5e2798ef4..e2ad59bd9 100644
--- a/docs/about/installation.mdx
+++ b/docs/about/installation.mdx
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 title: "Installation"
 sidebar-title: "Installation"
-description: "Install OpenShell, choose a sandbox runtime, and connect to a gateway."
+description: "Install OpenShell, choose a compute driver, and connect to a gateway."
 keywords: "Generative AI, Cybersecurity, AI Agents, Sandboxing, Installation, Setup, Gateway, Docker, Podman, MicroVM, Kubernetes"
 position: 3
 ---
@@ -22,17 +22,17 @@ You can also download release artifacts directly from the [OpenShell GitHub Rele
 
 Use `openshell status` to confirm the CLI can reach the gateway.
 
-## Supported Sandbox Runtimes
+## Supported Compute Drivers
 
-OpenShell supports several local sandbox runtimes. The installer chooses a default runtime for your platform, and the gateway reads the runtime choice from its startup configuration. Sandbox commands use the same CLI workflow after the gateway is running.
+OpenShell supports several local compute drivers. The installer chooses a default driver for your platform, and the gateway reads the driver choice from its startup configuration. Sandbox commands use the same CLI workflow after the gateway is running.
 
-| Runtime | How It Is Configured | System Requirements |
+| Compute Driver | How It Is Configured | System Requirements |
 |---|---|---|
 | Podman | The gateway is configured to create rootless Podman containers through the Podman API socket. | Linux with Podman 5.x, cgroups v2, rootless networking, and an active Podman user socket. |
 | Docker | The gateway is configured to create containers through Docker Desktop or Docker Engine. | Docker Desktop or Docker Engine 28.04 or later on the gateway host. |
 | MicroVM | The gateway is configured to create VM-backed sandboxes. | Host virtualization support. MicroVM uses Hypervisor.framework on macOS, KVM on Linux, and QEMU for GPU-backed sandboxes on Linux. |
 
-For detailed runtime behavior, refer to [Gateways](/sandboxes/manage-gateways) and [Sandboxes](/sandboxes/manage-sandboxes).
+For detailed driver behavior, refer to [Sandbox Compute Drivers](/reference/sandbox-compute-drivers). For gateway and sandbox operations, refer to [Gateways](/sandboxes/manage-gateways) and [Sandboxes](/sandboxes/manage-sandboxes).
 
 ## macOS
 
diff --git a/docs/about/overview.mdx b/docs/about/overview.mdx
index 3d44a782d..3d23c8794 100644
--- a/docs/about/overview.mdx
+++ b/docs/about/overview.mdx
@@ -36,7 +36,7 @@ OpenShell applies defense in depth across the following policy domains.
 | Process | Blocks privilege escalation and dangerous syscalls. | Locked at sandbox creation. |
 | Inference | Reroutes model API calls to controlled backends. | Hot-reloadable at runtime. |
 
-For details, refer to [Sandbox Isolation and Policies](/sandboxes/manage-sandboxes#sandbox-isolation-and-policies) and [Customize Sandbox Policies](/sandboxes/policies).
+For details, refer to [Customize Sandbox Policies](/sandboxes/policies) and [Default Policy](/reference/default-policy).
 
 ## Common Use Cases
 
@@ -55,4 +55,4 @@ Explore these topics to go deeper:
 
 - To understand the runtime architecture, refer to [How OpenShell Works](/about/how-it-works).
 - To install the CLI and create your first sandbox, refer to the [Quickstart](/get-started/quickstart).
-- To learn how OpenShell enforces isolation across all protection layers, refer to [Sandboxes](/sandboxes/manage-sandboxes#sandbox-isolation-and-policies).
+- To learn how OpenShell enforces policy controls across protection layers, refer to [Customize Sandbox Policies](/sandboxes/policies).
diff --git a/docs/get-started/quickstart.mdx b/docs/get-started/quickstart.mdx
index d18d13c0e..fcfbc945b 100644
--- a/docs/get-started/quickstart.mdx
+++ b/docs/get-started/quickstart.mdx
@@ -14,11 +14,11 @@ This page gets you from a reachable OpenShell gateway to a running, policy-enfor
 Before you begin, make sure you have:
 
 - A reachable OpenShell gateway.
-- At least one compute platform configured for the gateway: Kubernetes, Docker, Podman, or MicroVM.
+- At least one compute driver configured for the gateway: Kubernetes, Docker, Podman, or MicroVM.
 - The OpenShell CLI installed on your workstation.
 
 For a complete list of requirements, refer to [Support Matrix](/reference/support-matrix).
-If you have not chosen a runtime yet, refer to [Installation](/about/installation).
+If you have not chosen a compute driver yet, refer to [Installation](/about/installation).
 
 ## Install the OpenShell CLI
 
diff --git a/docs/reference/sandbox-compute-drivers.mdx b/docs/reference/sandbox-compute-drivers.mdx
new file mode 100644
index 000000000..9f07c1e40
--- /dev/null
+++ b/docs/reference/sandbox-compute-drivers.mdx
@@ -0,0 +1,97 @@
+---
+# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+title: "Sandbox Compute Drivers"
+sidebar-title: "Compute Drivers"
+description: "Reference for Docker, Podman, MicroVM, and Kubernetes sandbox compute drivers."
+keywords: "Generative AI, Cybersecurity, AI Agents, Sandboxing, Docker, Podman, MicroVM, Kubernetes, Reference"
+position: 4
+---
+
+The gateway's configured compute driver determines how OpenShell creates each sandbox. The CLI workflow stays the same across drivers: you create, connect to, inspect, and delete sandboxes through the gateway API.
+
+Every compute driver runs the OpenShell supervisor inside the sandbox workload. The supervisor launches the agent process, applies policy, routes egress through the proxy, injects configured credentials, and maintains the gateway session.
+
+## Configure a Compute Driver
+
+Configure the compute driver on the gateway. Current releases accept one driver per gateway:
+
+```shell
+openshell-gateway --drivers docker
+```
+
+You can also set the driver with `OPENSHELL_DRIVERS`. Supported values are `docker`, `podman`, `kubernetes`, and `vm`.
+
+When `--drivers` and `OPENSHELL_DRIVERS` are unset, the gateway auto-detects Kubernetes, then Podman, then Docker. The VM driver is never auto-detected; configure it explicitly with `--drivers vm`.
+
+Common gateway options:
+
+| Option | Environment variable | Description |
+|---|---|---|
+| `--drivers <driver>` | `OPENSHELL_DRIVERS` | Select the compute driver. Supported values are `docker`, `podman`, `kubernetes`, and `vm`. |
+| `--sandbox-image <image>` | `OPENSHELL_SANDBOX_IMAGE` | Set the default sandbox image used when a sandbox create request does not specify one. |
+| `--grpc-endpoint <url>` | `OPENSHELL_GRPC_ENDPOINT` | Set the gateway callback endpoint that sandbox workloads use to connect back to OpenShell. |
+
+## Docker Driver
+
+[Docker](https://www.docker.com/get-started/)-backed sandboxes run as containers on the gateway host. Use Docker for local development, single-machine gateways, and hosts that already use Docker Desktop or Docker Engine.
+
+The gateway talks to the Docker daemon to create sandbox containers. Docker is also required for local image builds from directories or Dockerfiles.
+
+| Option | Environment variable | Description |
+|---|---|---|
+| `--drivers docker` | `OPENSHELL_DRIVERS=docker` | Select the Docker compute driver. |
+| `--docker-network-name <name>` | `OPENSHELL_DOCKER_NETWORK_NAME` | Override the bridge network used by Docker sandbox containers. |
+| `--docker-supervisor-bin <path>` | `OPENSHELL_DOCKER_SUPERVISOR_BIN` | Use a local Linux `openshell-sandbox` binary instead of resolving or extracting one automatically. |
+| `--docker-supervisor-image <image>` | `OPENSHELL_DOCKER_SUPERVISOR_IMAGE` | Override the image used to extract the Linux `openshell-sandbox` binary. |
+| `--docker-tls-ca`, `--docker-tls-cert`, `--docker-tls-key` | `OPENSHELL_DOCKER_TLS_CA`, `OPENSHELL_DOCKER_TLS_CERT`, `OPENSHELL_DOCKER_TLS_KEY` | Mount sandbox client TLS materials into Docker containers for mTLS callback to the gateway. |
+
+For GPU-backed Docker sandboxes, configure Docker CDI before starting the gateway so OpenShell can detect the daemon capability.
+
+## Podman Driver
+
+[Podman](https://podman.io/)-backed sandboxes run as rootless containers on the gateway host. Use Podman for Linux workstation workflows that avoid a rootful Docker daemon.
+
+The gateway talks to the Podman API socket. The Podman driver requires Podman 5.x, cgroups v2, rootless networking, and an active Podman user socket.
+
+| Option | Environment variable | Description |
+|---|---|---|
+| `--drivers podman` | `OPENSHELL_DRIVERS=podman` | Select the Podman compute driver. |
+| None | `OPENSHELL_PODMAN_SOCKET` | Override the Podman API socket path. |
+| None | `OPENSHELL_NETWORK_NAME` | Override the Podman bridge network. |
+| None | `OPENSHELL_SUPERVISOR_IMAGE` | Override the image containing the `openshell-sandbox` supervisor binary. |
+| None | `OPENSHELL_STOP_TIMEOUT` | Set the container stop timeout in seconds. |
+| None | `OPENSHELL_PODMAN_TLS_CA`, `OPENSHELL_PODMAN_TLS_CERT`, `OPENSHELL_PODMAN_TLS_KEY` | Mount sandbox client TLS materials into Podman containers for mTLS callback to the gateway. |
+
+## MicroVM Driver
+
+MicroVM-backed sandboxes run inside VM-backed isolation instead of a container boundary. Use MicroVM when workloads need a VM boundary instead of a local container boundary.
+
+The gateway uses the VM compute driver to create VM-backed sandboxes. MicroVM requires host virtualization support. It uses [libkrun](https://github.com/containers/libkrun) with Apple's [Hypervisor framework](https://developer.apple.com/documentation/hypervisor) on macOS, KVM on Linux, and [QEMU](https://www.qemu.org/) for GPU-backed sandboxes on Linux.
+
+| Option | Environment variable | Description |
+|---|---|---|
+| `--drivers vm` | `OPENSHELL_DRIVERS=vm` | Select the VM compute driver. VM is never auto-detected. |
+| `--driver-dir <path>` | `OPENSHELL_DRIVER_DIR` | Search a custom directory for `openshell-driver-vm`. |
+| `--vm-driver-state-dir <path>` | `OPENSHELL_VM_DRIVER_STATE_DIR` | Store VM rootfs, console logs, runtime state, and image-rootfs cache under this directory. |
+| `--vm-driver-vcpus <count>` | `OPENSHELL_VM_DRIVER_VCPUS` | Set the default vCPU count for VM sandboxes. |
+| `--vm-driver-mem-mib <mib>` | `OPENSHELL_VM_DRIVER_MEM_MIB` | Set the default memory allocation for VM sandboxes in MiB. |
+| `--vm-krun-log-level <level>` | `OPENSHELL_VM_KRUN_LOG_LEVEL` | Set the libkrun log level for VM helper processes. |
+| `--vm-tls-ca`, `--vm-tls-cert`, `--vm-tls-key` | `OPENSHELL_VM_TLS_CA`, `OPENSHELL_VM_TLS_CERT`, `OPENSHELL_VM_TLS_KEY` | Copy sandbox client TLS materials into VM guests for mTLS callback to the gateway. |
+
+## Kubernetes Driver
+
+Kubernetes-backed sandboxes run as pods in the configured sandbox namespace. Use Kubernetes for shared clusters, remote compute, GPU scheduling, and operator-managed environments.
+
+Helm deployments set Kubernetes driver values through the chart.
+
+| Gateway option | Environment variable | Helm value | Description |
+|---|---|---|---|
+| `--drivers kubernetes` | `OPENSHELL_DRIVERS=kubernetes` | Not applicable | Select the Kubernetes compute driver. |
+| `--sandbox-namespace <namespace>` | `OPENSHELL_SANDBOX_NAMESPACE` | `server.sandboxNamespace` | Set the namespace for sandbox resources. |
+| `--sandbox-image <image>` | `OPENSHELL_SANDBOX_IMAGE` | `server.sandboxImage` | Set the default sandbox image. |
+| `--sandbox-image-pull-policy <policy>` | `OPENSHELL_SANDBOX_IMAGE_PULL_POLICY` | `server.sandboxImagePullPolicy` | Set the Kubernetes image pull policy for sandbox pods. |
+| `--grpc-endpoint <url>` | `OPENSHELL_GRPC_ENDPOINT` | `server.grpcEndpoint` | Set the gateway callback endpoint reachable from sandbox pods. |
+| `--client-tls-secret-name <name>` | `OPENSHELL_CLIENT_TLS_SECRET_NAME` | `server.tls.clientTlsSecretName` | Mount sandbox client TLS materials from a Kubernetes secret. |
+
+The Kubernetes driver creates namespaced `agents.x-k8s.io/v1alpha1` `Sandbox` resources from the Kubernetes SIG Apps [agent-sandbox](https://github.com/kubernetes-sigs/agent-sandbox) project. The Agent Sandbox controller turns those resources into sandbox pods and related storage.
diff --git a/docs/reference/support-matrix.mdx b/docs/reference/support-matrix.mdx
index fc5d45b29..73be93328 100644
--- a/docs/reference/support-matrix.mdx
+++ b/docs/reference/support-matrix.mdx
@@ -3,10 +3,10 @@
 # SPDX-License-Identifier: Apache-2.0
 title: "Support Matrix"
 description: ""
-position: 4
+position: 5
 ---
 
-This page lists the host platform, compute platform, software, runtime, and kernel requirements for running OpenShell.
+This page lists the host platform, compute driver, software, runtime, and kernel requirements for running OpenShell.
 
 ## Supported Platforms
 
@@ -31,11 +31,11 @@ OpenShell publishes standalone `openshell-gateway` release assets for manual dow
 
 These artifacts are attached to GitHub releases. Kubernetes deployments should use the Helm chart and the published gateway image.
 
-## Compute Platforms
+## Compute Drivers
 
-The gateway can manage sandboxes on several compute platforms.
+The gateway can manage sandboxes through several compute drivers.
 
-| Compute platform | Status | Notes |
+| Compute Driver | Status | Notes |
 |---|---|---|
 | Docker | Supported for local development and single-machine gateways. | Requires Docker Desktop or Docker Engine on the gateway host. |
 | Podman | Supported for rootless local and workstation workflows. | Requires a Podman-compatible socket and rootless networking setup. |
@@ -44,7 +44,7 @@ The gateway can manage sandboxes on several compute platforms.
 
 ## Software Prerequisites
 
-Install the software for the compute platform you use:
+Install the software for the compute driver you use:
 
 | Component | Minimum Version | Notes |
 |---|---|---|
diff --git a/docs/sandboxes/manage-gateways.mdx b/docs/sandboxes/manage-gateways.mdx
index 098d0e3c0..f1d23ac65 100644
--- a/docs/sandboxes/manage-gateways.mdx
+++ b/docs/sandboxes/manage-gateways.mdx
@@ -18,23 +18,23 @@ The gateway is responsible for:
 - Managing inference configuration and serving inference bundles so sandboxes can route requests to the correct backend.
 - Providing the SSH tunnel endpoint so you can connect to sandboxes without exposing them directly.
 
-OpenShell separates gateway access from the compute platform that runs sandboxes. Use [Installation](/about/installation) to install OpenShell, choose a runtime, and start a gateway. This page covers working with gateway entries after a gateway exists.
+OpenShell separates gateway access from the compute driver that runs sandboxes. Use [Installation](/about/installation) to install OpenShell, choose a compute driver, and start a gateway. This page covers working with gateway entries after a gateway exists.
 
-## Gateway Compute Platforms
+## Gateway Compute Drivers
 
-A gateway provisions sandboxes on the compute platform configured for that gateway.
+A gateway provisions sandboxes through the compute driver configured for that gateway.
 
-| Platform | Where sandboxes run | Best for |
+| Compute Driver | Where sandboxes run | Best for |
 |---|---|---|
 | Docker | Containers on the gateway host. | Solo development, quick iteration, and single-machine gateways. |
 | Podman | Rootless containers on the gateway host. | Workstations that avoid a rootful Docker daemon. |
 | Kubernetes | Pods in an operator-managed cluster. | Shared clusters and cloud environments. |
 | MicroVM | VM-backed sandboxes. | Workflows that need VM-backed isolation. |
 
-All compute platforms expose the same gateway API surface. Sandboxes, policies, and providers work the same after the CLI registers the gateway endpoint. The difference is how the gateway creates sandbox workloads and how operators expose the gateway to users.
+All compute drivers expose the same gateway API surface. Sandboxes, policies, and providers work the same after the CLI registers the gateway endpoint. The difference is how the gateway creates sandbox workloads and how operators expose the gateway to users.
 
 <Tip>
-For runtime setup, including Docker, Podman, MicroVM, and Kubernetes paths, refer to [Installation](/about/installation).
+For driver setup, including Docker, Podman, MicroVM, and Kubernetes paths, refer to [Installation](/about/installation).
 
 </Tip>
 
@@ -94,7 +94,7 @@ Use `openshell status` for a quick health check:
 openshell status
 ```
 
-Use `openshell gateway info` when you need the registered endpoint, gateway metadata, or runtime details:
+Use `openshell gateway info` when you need the registered endpoint, gateway metadata, or compute driver details:
 
 ```shell
 openshell gateway info
@@ -132,9 +132,9 @@ systemctl --user status openshell-gateway
 journalctl --user -u openshell-gateway --no-pager -n 50
 ```
 
-For sandbox startup failures, inspect the selected compute platform:
+For sandbox startup failures, inspect the selected compute driver:
 
-| Platform | What to check |
+| Compute Driver | What to check |
 |---|---|
 | Docker | Docker daemon health, image availability, gateway logs, and sandbox container state. |
 | Podman | Podman socket availability, rootless networking, image availability, and sandbox container state. |
@@ -143,5 +143,5 @@ For sandbox startup failures, inspect the selected compute platform:
 
 ## Next Steps
 
-- To install OpenShell and choose a runtime, refer to [Installation](/about/installation).
+- To install OpenShell and choose a compute driver, refer to [Installation](/about/installation).
 - To create a sandbox using the gateway, refer to [Manage Sandboxes](/sandboxes/manage-sandboxes).
diff --git a/docs/sandboxes/manage-sandboxes.mdx b/docs/sandboxes/manage-sandboxes.mdx
index a1383caee..b43a6846a 100644
--- a/docs/sandboxes/manage-sandboxes.mdx
+++ b/docs/sandboxes/manage-sandboxes.mdx
@@ -260,18 +260,11 @@ Every sandbox moves through a defined set of phases:
 | Error | Something went wrong during provisioning or execution. Check logs with `openshell logs` for details. |
 | Deleting | The sandbox is being torn down. The system releases resources and purges credentials. |
 
-## Sandbox Isolation and Policies
+## Sandbox Compute Drivers
 
-OpenShell ships a built-in policy that covers common agent workflows out of the box. When you create a sandbox without `--policy`, OpenShell applies the default policy.
+The gateway's configured compute driver determines how OpenShell creates each sandbox. The CLI workflow stays the same across drivers: you create, connect to, inspect, and delete sandboxes through the gateway API.
 
-| Layer | What it controls | How it works |
-|---|---|---|
-| Filesystem | What the agent can access on disk. | Paths are split into read-only and read-write sets. [Landlock LSM](https://docs.kernel.org/security/landlock.html) enforces these restrictions at the kernel level. |
-| Network | What the agent can reach on the network. | Policy blocks pair allowed destinations with allowed binaries. The proxy matches every outbound connection to the binary that opened it. Both must match or the connection is denied. |
-| Process | What privileges the agent has. | The agent runs as an unprivileged user with seccomp filters that block dangerous system calls. Root execution, `sudo`, and `setuid` escalation paths are blocked. |
-| Inference | How model API traffic is routed. | Requests to `https://inference.local` route through the gateway so provider credentials stay outside the sandbox. |
-
-For the full breakdown of the built-in policy, refer to [Default Policy](/reference/default-policy). For custom policy structure and update workflows, refer to [Policies](/sandboxes/policies).
+For Docker, Podman, MicroVM, and Kubernetes behavior, refer to [Sandbox Compute Drivers](/reference/sandbox-compute-drivers).
 
 ## Next Steps
 
diff --git a/docs/sandboxes/policies.mdx b/docs/sandboxes/policies.mdx
index 732323df7..2bee1adde 100644
--- a/docs/sandboxes/policies.mdx
+++ b/docs/sandboxes/policies.mdx
@@ -589,6 +589,6 @@ GraphQL field names are application-specific, so treat these as starting shapes
 
 Explore related topics:
 
-- To learn about sandbox isolation layers, refer to [Sandboxes](/sandboxes/manage-sandboxes#sandbox-isolation-and-policies).
+- To learn about the built-in sandbox policy, refer to [Default Policy](/reference/default-policy).
 - To view the full field-by-field YAML definition, refer to the [Policy Schema Reference](/reference/policy-schema).
 - To review the default policy breakdown, refer to [Default Policy](/reference/default-policy).

From 4b490ba6d22e22af70624b894852d3f766bb615f Mon Sep 17 00:00:00 2001
From: Drew Newberry <anewberry@nvidia.com>
Date: Thu, 7 May 2026 08:01:03 -0700
Subject: [PATCH 6/6] docs: link support matrix to helm chart

---
 docs/reference/support-matrix.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/reference/support-matrix.mdx b/docs/reference/support-matrix.mdx
index 73be93328..9bcda85e5 100644
--- a/docs/reference/support-matrix.mdx
+++ b/docs/reference/support-matrix.mdx
@@ -39,7 +39,7 @@ The gateway can manage sandboxes through several compute drivers.
 |---|---|---|
 | Docker | Supported for local development and single-machine gateways. | Requires Docker Desktop or Docker Engine on the gateway host. |
 | Podman | Supported for rootless local and workstation workflows. | Requires a Podman-compatible socket and rootless networking setup. |
-| Kubernetes | Supported through the Helm chart in `deploy/helm/openshell`. | Requires a Kubernetes cluster supplied by the operator. |
+| Kubernetes | Supported through the [OpenShell Helm chart](https://github.com/NVIDIA/OpenShell/blob/main/deploy/helm/openshell/README.md). | Requires a Kubernetes cluster supplied by the operator. |
 | MicroVM | Supported for VM-backed sandboxes. | Uses the VM compute driver and libkrun-based runtime. |
 
 ## Software Prerequisites