Behavry Integration — NVIDIA OpenShell

Behavry proxies all MCP tool calls within OpenShell sandbox sessions. Long-running persistent sessions benefit from cross-session trust reset detection (Sprint V / AOC-4).

Endpoint

POST /api/v1/openshell/mcp

Full enforcement pipeline: identity verification, DLP scanning, OPA policy, blast radius checks, and audit logging.

Prerequisites

Behavry stack running (make dev or docker compose up)
A Behavry agent with appropriate permissions
A running OpenShell instance

Configuration

export BEHAVRY_OPENSHELL_URL=http://localhost:9200  # default

Authentication

Two required headers:

Header	Purpose
`Authorization: Bearer <behavry-jwt>`	Behavry agent identity
`X-Inner-Agent-Platform`	Identifies the agent running inside the sandbox (`claude-code`, `codex-cli`, `open-interpreter`, `custom`)

curl -X POST http://localhost:8000/api/v1/openshell/mcp \
  -H "Authorization: Bearer $BEHAVRY_JWT" \
  -H "X-Inner-Agent-Platform: claude-code" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc": "2.0", "method": "tools/call", "params": {"name": "exec", "arguments": {"command": "ls"}}, "id": 1}'

Cross-Session Trust Reset Detection

OpenShell's persistent sessions are monitored for:

Behavior reversal: Previously blocked actions attempted in new sessions
Requester session cycling: Rapid session creation with varying dispositions
Disposition flipping: Denied actions approved after session boundaries

These fire BEHAVIOR_REVERSAL and REQUESTER_SESSION_CYCLING alerts with HITL escalation.

Verify

Make a tool call through the OpenShell MCP endpoint
Check http://localhost:5173 → Live Activity
Events show mcp_server: openshell-proxy with inner agent platform metadata

Endpoint​

Prerequisites​

Configuration​

Authentication​

Cross-Session Trust Reset Detection​

Verify​