From 418c3b1331e6381a9a5e6c00c707bbf3b385863e Mon Sep 17 00:00:00 2001
From: m3tm3re <p@m3ta.dev>
Date: Mon, 23 Mar 2026 19:56:15 +0100
Subject: [PATCH] feat: add openshell package

---
 pkgs/default.nix            |  1 +
 pkgs/openshell/default.nix  | 35 +++++++++++++++++++++++++
 pkgs/openshell/sources.json | 17 ++++++++++++
 pkgs/openshell/update.sh    | 52 +++++++++++++++++++++++++++++++++++++
 4 files changed, 105 insertions(+)
 create mode 100644 pkgs/openshell/default.nix
 create mode 100644 pkgs/openshell/sources.json
 create mode 100755 pkgs/openshell/update.sh

diff --git a/pkgs/default.nix b/pkgs/default.nix
index b631e4c..1b3357c 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -18,6 +18,7 @@
   stt-ptt = pkgs.callPackage ./stt-ptt {};
   tuxedo-backlight = pkgs.callPackage ./tuxedo-backlight {};
   kestractl = pkgs.callPackage ./kestractl {};
+  openshell = pkgs.callPackage ./openshell {};
   zellij-ps = pkgs.callPackage ./zellij-ps {};
 
   # Imported from flake inputs
diff --git a/pkgs/openshell/default.nix b/pkgs/openshell/default.nix
new file mode 100644
index 0000000..d5a3479
--- /dev/null
+++ b/pkgs/openshell/default.nix
@@ -0,0 +1,35 @@
+{
+  lib,
+  stdenv,
+  fetchurl,
+}: let
+  sources = lib.importJSON ./sources.json;
+  source = sources.sources.${stdenv.hostPlatform.system};
+in
+  stdenv.mkDerivation {
+    pname = "openshell";
+    version = lib.removePrefix "v" sources.version;
+
+    src = fetchurl {
+      inherit (source) url hash;
+    };
+
+    unpackPhase = ''
+      tar -xzf $src
+    '';
+
+    installPhase = ''
+      install -Dm755 openshell $out/bin/openshell
+    '';
+
+    passthru.updateScript = ./update.sh;
+
+    meta = with lib; {
+      description = "Safe, private runtime for autonomous AI agents";
+      homepage = "https://github.com/NVIDIA/OpenShell";
+      license = licenses.asl20;
+      platforms = attrNames sources.sources;
+      mainProgram = "openshell";
+      maintainers = [];
+    };
+  }
diff --git a/pkgs/openshell/sources.json b/pkgs/openshell/sources.json
new file mode 100644
index 0000000..5174cc5
--- /dev/null
+++ b/pkgs/openshell/sources.json
@@ -0,0 +1,17 @@
+{
+  "version": "v0.0.14",
+  "sources": {
+    "x86_64-linux": {
+      "url": "https://github.com/NVIDIA/OpenShell/releases/download/v0.0.14/openshell-x86_64-unknown-linux-musl.tar.gz",
+      "hash": "sha256-80rPByRSGArchy2yB+7Bbyqne24nI8dFZnfCgdfR2dY="
+    },
+    "aarch64-linux": {
+      "url": "https://github.com/NVIDIA/OpenShell/releases/download/v0.0.14/openshell-aarch64-unknown-linux-musl.tar.gz",
+      "hash": "sha256-bHC9MRK6ZSTBZxiwujdHQjgBHXTGlLLxiqYAPaExKKU="
+    },
+    "aarch64-darwin": {
+      "url": "https://github.com/NVIDIA/OpenShell/releases/download/v0.0.14/openshell-aarch64-apple-darwin.tar.gz",
+      "hash": "sha256-8FaZt0qcYPEFt6+SJPJo8SYlYZbQZt6RtCO/pb4Gbso="
+    }
+  }
+}
diff --git a/pkgs/openshell/update.sh b/pkgs/openshell/update.sh
new file mode 100755
index 0000000..85331b0
--- /dev/null
+++ b/pkgs/openshell/update.sh
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Update openshell sources.json with the latest release from GitHub.
+# Usage: ./update.sh
+# Called automatically by: nix-update --update-script openshell
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+SOURCES_FILE="$SCRIPT_DIR/sources.json"
+
+# Map Nix system -> GitHub release asset name
+declare -A SYSTEMS=(
+  ["x86_64-linux"]="openshell-x86_64-unknown-linux-musl.tar.gz"
+  ["aarch64-linux"]="openshell-aarch64-unknown-linux-musl.tar.gz"
+  ["aarch64-darwin"]="openshell-aarch64-apple-darwin.tar.gz"
+)
+
+echo "Fetching latest openshell release..."
+LATEST=$(curl -fsSL "https://api.github.com/repos/NVIDIA/OpenShell/releases/latest")
+VERSION=$(echo "$LATEST" | jq -r '.tag_name')
+echo "Latest version: $VERSION"
+
+CURRENT_VERSION=$(jq -r '.version' "$SOURCES_FILE")
+if [[ "$VERSION" == "$CURRENT_VERSION" ]]; then
+  echo "Already at latest version $VERSION, nothing to do."
+  exit 0
+fi
+
+NEW_SOURCES="{}"
+
+for NIX_SYSTEM in "${!SYSTEMS[@]}"; do
+  ASSET_NAME="${SYSTEMS[$NIX_SYSTEM]}"
+  URL="https://github.com/NVIDIA/OpenShell/releases/download/${VERSION}/${ASSET_NAME}"
+
+  echo "Fetching hash for $NIX_SYSTEM ($URL)..."
+  HASH=$(nix-prefetch-url --type sha256 "$URL" 2>/dev/null)
+  SRI=$(nix hash to-sri --type sha256 "$HASH")
+
+  NEW_SOURCES=$(echo "$NEW_SOURCES" | jq \
+    --arg sys "$NIX_SYSTEM" \
+    --arg url "$URL" \
+    --arg hash "$SRI" \
+    '. + {($sys): {url: $url, hash: $hash}}')
+done
+
+jq -n \
+  --arg version "$VERSION" \
+  --argjson sources "$NEW_SOURCES" \
+  '{"version": $version, "sources": $sources}' \
+  > "$SOURCES_FILE"
+
+echo "Updated $SOURCES_FILE to $VERSION"