Getting Started

Deploy Agent Sandboxes on Azure with NVIDIA NCP

Build, push, and deploy OpenShell agent sandboxes to Azure Kubernetes Service with NVIDIA inference in under 30 minutes.

Prerequisites

Before you begin, make sure you have the following installed and configured on your local machine:

  • Azure CLI, version 2.50 or later (check with az --version)
  • Docker Desktop or Docker Engine — for building container images
  • kubectl — Kubernetes command-line tool
  • NVIDIA API key from build.nvidia.com
  • Codicera account (join the waitlist)

Step 1: Build the Container Image

OpenShell and NemoClaw are open source. You build the container image from the Infrastacks fork to maintain full trust and transparency over what runs in your infrastructure.

bash
git clone https://github.com/Infrastacks/NemoClaw.git
cd NemoClaw
docker build -f deploy/Dockerfile -t nemoclaw:v1.0.0 .

The image includes the OpenShell sandbox runtime, NemoClaw orchestrator, and the Codicera agent sidecar. The agent connects back to the Codicera management plane via WebSocket for telemetry, commands, and health reporting.

The container exposes two ports: 18789 for the OpenShell API and 18790 for the agent metrics endpoint and WebSocket connection.

Step 2: Push to Azure Container Registry

Create an Azure resource group and container registry, then push the container image so your AKS cluster can pull it.

bash
# Create resource group
az group create --name codicera-rg --location eastus

# Create container registry
az acr create --resource-group codicera-rg --name <yourRegistryName> --sku Basic

# Sign in to registry
az acr login --name <yourRegistryName>

# Tag and push
docker tag nemoclaw:v1.0.0 <yourRegistryName>.azurecr.io/nemoclaw:v1.0.0
docker push <yourRegistryName>.azurecr.io/nemoclaw:v1.0.0

# Verify
az acr repository list --name <yourRegistryName> --output table

Replace <yourRegistryName> with a globally unique name. ACR names must be alphanumeric, 5-50 characters.

Step 3: Create an AKS Cluster

Provision an AKS cluster with ACR integration so your nodes can pull images without additional credential configuration.

bash
# Create cluster with ACR integration
az aks create \
  --resource-group codicera-rg \
  --name nemoclaw-cluster \
  --node-count 3 \
  --generate-ssh-keys \
  --attach-acr <yourRegistryName>

# Get kubectl credentials
az aks get-credentials --resource-group codicera-rg --name nemoclaw-cluster

You do not need to create any ServiceAccounts, RBAC rules, or namespaces manually. The Codicera cluster agent handles all of this automatically in the next step.

Step 4: Configure Codicera

With your AKS cluster running, register it as a compute target in Codicera and deploy the cluster agent. The agent runs inside your cluster and relays API requests from Codicera securely — no need to expose your K8s API server to the internet.

Register the Compute Target

  1. Open the Codicera console and navigate to Compute > Targets.
  2. Click Register Target and fill in:
    • Name: aks-eastus
    • Type: Kubernetes
    • Container Image: <yourRegistryName>.azurecr.io/nemoclaw:v1.0.0
  3. Click Register. The console will display a one-time cluster token and an installation command. Copy both before closing the dialog.

The cluster token is shown only once. If you lose it, you will need to delete and re-register the compute target.

Deploy the Cluster Agent

The cluster agent is a lightweight Go binary (~6 MB) that runs in your cluster and establishes an outbound WebSocket connection to Codicera. It creates all required RBAC, ServiceAccounts, and namespaces automatically.

Run the command shown in the console to download and apply the agent manifest:

bash
# Download the agent manifest (uses your auth token)
curl -s "https://api.codicera.com/api/v1/compute/targets/<targetId>/manifest" \
  -H "Authorization: Bearer <your-token>" > codicera-agent.yaml

# Deploy the cluster agent
kubectl apply -f codicera-agent.yaml

The manifest creates a codicera-system namespace with the agent deployment, ServiceAccount, ClusterRole, and a Secret containing your cluster token. Verify the agent is running:

bash
kubectl get pods -n codicera-system

# Expected output:
# NAME                                      READY   STATUS    RESTARTS   AGE
# codicera-cluster-agent-xxxxx-xxxxx        1/1     Running   0          30s

Back in the console, click Health Check on your target. Once the agent connects, the status will show Active with your cluster's node count and Kubernetes version.
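
The manifest is fetched from a remote API and creates cluster-wide RBAC plus a Secret, so it is worth reading before the kubectl apply step. The script below is an added example, not Codicera's code: it lists the objects a manifest defines and flags wildcard rules in any Role or ClusterRole. The sample manifest and the names example-agent and example-token are constructed placeholders.

```shell
# Added example, not Codicera's code: list what a manifest would create and
# flag wildcard RBAC rules before it is applied.
# audit_manifest FILE -> "OBJECT Kind/name" per document, plus
# "WILDCARD Kind/name: <rule>" for each Role/ClusterRole line containing "*".
audit_manifest() {
  awk '
    function emit() { if (kind != "") print "OBJECT " kind "/" name }
    /^---/             { emit(); kind = name = ""; meta = 0; next }
    /^kind:/           { kind = $2 }
    /^metadata:/       { meta = 1; next }
    /^[^ #]/           { meta = 0 }
    meta && /^  name:/ { name = $2 }
    kind ~ /^(Cluster)?Role$/ && /[*]/ {
      rule = $0; sub(/^[ -]+/, "", rule)
      print "WILDCARD " kind "/" name ": " rule
    }
    END { emit() }
  ' "$1"
}

# manifest_ok FILE -> exit status 0 only when no wildcard rule was found.
manifest_ok() { ! audit_manifest "$1" | grep -q '^WILDCARD '; }

# CONSTRUCTED sample with placeholder names; the real manifest will differ.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
apiVersion: v1
kind: Namespace
metadata:
  name: codicera-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-agent
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["*"]
---
apiVersion: v1
kind: Secret
metadata:
  name: example-token
  namespace: codicera-system
EOF
audit_manifest "$SAMPLE"
manifest_ok "$SAMPLE" || echo "wildcard RBAC found: review before kubectl apply"
```

On the real file, run audit_manifest codicera-agent.yaml, then kubectl diff -f codicera-agent.yaml or kubectl apply --dry-run=server -f codicera-agent.yaml to see what the API server would change.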

Configure NVIDIA NCP Inference

NVIDIA NCP (NVIDIA Cloud Partner) provides access to NVIDIA's inference models including Nemotron and Llama variants. Codicera injects your API key into every agent sandbox so OpenShell can route inference through NCP.

  1. Navigate to Settings > Providers.
  2. Click Add Provider and fill in:
    • Provider Type: NVIDIA
    • Name: NVIDIA NCP
    • Endpoint: https://integrate.api.nvidia.com/v1
    • Model: nvidia/llama-3.3-nemotron-super-49b-v1
    • Credential Env: NVIDIA_API_KEY
    • Credential: your NCP API key from build.nvidia.com

Get your NVIDIA API key at build.nvidia.com. The key is injected as the NVIDIA_API_KEY environment variable into every agent sandbox deployed through Codicera.

Step 5: Deploy Agent Sandboxes

  1. Navigate to Compute > Deploy.
  2. Fill in the deployment form:
    • Compute Target: select aks-eastus
    • Blueprint: select your blueprint (or the default ncp-llama-sandbox)
    • Team: select your team
    • Instance Count: 5
    • Name Prefix: nemoclaw
  3. Click Deploy.

Codicera will:

  • Create 5 sandbox records in the database
  • Provision 5 Kubernetes Deployments in the codicera-sandboxes namespace, each containing an OpenShell sandbox and a Codicera agent sidecar
  • Inject the NVIDIA_API_KEY automatically into each container
  • Connect each agent sidecar to Codicera via WebSocket for real-time telemetry

bash
# Verify pods are running
kubectl get pods -n codicera-sandboxes

# Expected output:
# NAME                                            READY   STATUS    RESTARTS   AGE
# nemoclaw-codicera-sb_xxx-xxxxx-xxxxx            2/2     Running   0          30s
# nemoclaw-codicera-sb_yyy-yyyyy-yyyyy            2/2     Running   0          30s
# ...
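
This page does not say whether the injected NVIDIA_API_KEY appears in the pod spec as a literal value or as a reference to a Kubernetes Secret. The check below is an added example, not Codicera's code, that tells the two apart in `kubectl get deployments -o yaml` output. The YAML fragment and the container, Secret and key names in it are constructed placeholders.

```shell
# Added example, not Codicera's code: report how a variable reaches each
# container in `kubectl get deployments -o yaml` output.

# env_source FILE VAR -> one line per matching env entry:
#   literal       value sits in the pod spec in clear text
#   secretKeyRef  pod spec only names a Secret and key
#   other         any other source (configMapKeyRef, fieldRef, ...)
env_source() {
  awk -v var="$2" '
    pending && $1 == "-"                    { print "other"; pending = 0 }
    $1 == "-" && $2 == "name:" && $3 == var { pending = 1; next }
    pending && $1 == "value:"               { print "literal"; pending = 0 }
    pending && $1 == "secretKeyRef:"        { print "secretKeyRef"; pending = 0 }
    END { if (pending) print "other" }
  ' "$1"
}

# CONSTRUCTED fragment: container, Secret and key names are placeholders.
PODSPEC=$(mktemp)
cat > "$PODSPEC" <<'EOF'
containers:
- name: sandbox
  env:
  - name: NVIDIA_API_KEY
    value: nvapi-CONSTRUCTED-EXAMPLE
- name: sidecar
  env:
  - name: NVIDIA_API_KEY
    valueFrom:
      secretKeyRef:
        name: example-provider-secret
        key: api-key
  - name: LOG_LEVEL
    value: info
EOF

env_source "$PODSPEC" NVIDIA_API_KEY
```

Against a live cluster, save `kubectl get deployments -n codicera-sandboxes -o yaml` to a file and pass it in. A literal result means anyone allowed to read Deployments in that namespace can read the key, while secretKeyRef limits it to identities that can read the Secret.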

Monitor in the Fleet Dashboard

Once deployed, navigate to the Fleet Dashboard to see your instances. The dashboard shows:

  • Total sandbox count and status breakdown
  • Real-time metrics pushed via WebSocket
  • Per-sandbox logs and events
  • Cost tracking from inference usage

What's Next

Now that your agent sandboxes are deployed and visible in the Codicera console, configure behavior intelligence for complete agent visibility:

  • Configure Behavior Monitoring — Enable the behavior event pipeline to track every file access, model call, and policy decision. Navigate to Console > Behavior to see the dashboard.
  • Set Up Compliance Evidence — Map your SOC 2 or HIPAA controls to behavior graph queries. Generate exportable evidence from Console > Compliance.
  • Configure Anomaly Detection — Set thresholds for policy spikes and unusual behavior patterns. Alerts flow through your existing notification channels.
  • Explore Graph Queries — Use the behavior graph API to investigate agent activity, correlate costs to outcomes, and build custom compliance reports.