From 013c5a2816d71e5f7e37842d1e0b85921507c380 Mon Sep 17 00:00:00 2001
From: Miyoung Choi <miyoungc@nvidia.com>
Date: Tue, 12 May 2026 15:12:23 -0700
Subject: [PATCH 1/3] docs: style fixes

---
 docs/get-started/quickstart.mdx               |  2 +-
 .../tutorials/first-network-policy.mdx        |  4 ++--
 docs/get-started/tutorials/github-sandbox.mdx | 12 +++++-----
 docs/get-started/tutorials/index.mdx          |  2 +-
 .../tutorials/inference-ollama.mdx            | 18 +++++++--------
 .../tutorials/local-inference-lmstudio.mdx    |  8 +++----
 docs/index.mdx                                |  4 ++--
 docs/kubernetes/access-control.mdx            |  6 ++---
 docs/kubernetes/ingress.mdx                   |  2 +-
 docs/kubernetes/managing-certificates.mdx     |  4 ++--
 docs/kubernetes/openshift.mdx                 |  6 ++---
 docs/kubernetes/setup.mdx                     | 22 +++++++++----------
 docs/observability/accessing-logs.mdx         |  2 +-
 docs/observability/logging.mdx                |  4 ++--
 docs/observability/ocsf-json-export.mdx       | 14 +++++++-----
 docs/observability/overview.mdx               |  8 +++----
 docs/reference/default-policy.mdx             |  2 +-
 docs/reference/gateway-auth.mdx               |  2 +-
 docs/reference/policy-schema.mdx              |  6 ++---
 docs/reference/sandbox-compute-drivers.mdx    |  2 +-
 docs/sandboxes/inference-routing.mdx          |  2 +-
 docs/sandboxes/manage-gateways.mdx            |  2 +-
 docs/sandboxes/manage-providers.mdx           |  2 +-
 docs/sandboxes/policies.mdx                   |  4 ++--
 docs/security/best-practices.mdx              | 12 +++++-----
 fern/fern.config.json                         |  2 +-
 26 files changed, 79 insertions(+), 75 deletions(-)

diff --git a/docs/get-started/quickstart.mdx b/docs/get-started/quickstart.mdx
index fcfbc945b..9c40eb024 100644
--- a/docs/get-started/quickstart.mdx
+++ b/docs/get-started/quickstart.mdx
@@ -36,7 +36,7 @@ If you prefer [uv](https://docs.astral.sh/uv/):
 uv tool install -U openshell
 ```
 
-After installing the CLI, run `openshell --help` in your terminal to see the full CLI reference.
+After installing the CLI, run `openshell --help` in your terminal to view the full CLI reference.
 
 <Tip>
 You can also clone the [NVIDIA OpenShell GitHub repository](https://github.com/NVIDIA/OpenShell) and use the `/openshell-cli` skill to load the CLI reference into your agent.
diff --git a/docs/get-started/tutorials/first-network-policy.mdx b/docs/get-started/tutorials/first-network-policy.mdx
index effe7c445..3e4593308 100644
--- a/docs/get-started/tutorials/first-network-policy.mdx
+++ b/docs/get-started/tutorials/first-network-policy.mdx
@@ -4,7 +4,7 @@
 title: "Write Your First Sandbox Network Policy"
 sidebar-title: "First Network Policy"
 slug: "get-started/tutorials/first-network-policy"
-description: "See how OpenShell network policies work by creating a sandbox, observing default-deny in action, and applying a fine-grained L7 read-only rule."
+description: "Learn how OpenShell network policies work by creating a sandbox, observing default-deny in action, and applying a fine-grained L7 read-only rule."
 keywords: "Generative AI, Cybersecurity, Tutorial, Policy, Network Policy, Sandbox, Security"
 ---
 
@@ -117,7 +117,7 @@ network_policies:
       - { path: /usr/bin/curl }
 ```
 
-The `filesystem_policy`, `landlock`, and `process` sections preserve the default sandbox settings. This is required because `policy set` replaces the entire policy. The `network_policies` section is the key part: `curl` may make GET, HEAD, and OPTIONS requests to `api.github.com` over HTTPS. Everything else is denied. The proxy auto-detects TLS on HTTPS endpoints and terminates it to inspect each HTTP request and enforce the `read-only` access preset at the method level.
+The `filesystem_policy`, `landlock`, and `process` sections preserve the default sandbox settings. This is required because `policy set` replaces the entire policy. The `network_policies` section is the key part: `curl` can make GET, HEAD, and OPTIONS requests to `api.github.com` over HTTPS. Everything else is denied. The proxy auto-detects TLS on HTTPS endpoints and terminates it to inspect each HTTP request and enforce the `read-only` access preset at the method level.
 
 Apply it:
 
diff --git a/docs/get-started/tutorials/github-sandbox.mdx b/docs/get-started/tutorials/github-sandbox.mdx
index 1f225fb60..63c895147 100644
--- a/docs/get-started/tutorials/github-sandbox.mdx
+++ b/docs/get-started/tutorials/github-sandbox.mdx
@@ -11,7 +11,7 @@ keywords: "Generative AI, Cybersecurity, Tutorial, GitHub, Sandbox, Policy, Clau
 This tutorial walks through an iterative sandbox policy workflow. You launch a sandbox, ask Claude Code to push code to GitHub, and observe the default network policy denying the request.
 You then diagnose the denial from your machine and from inside the sandbox, apply a policy update, and verify that the policy update to the sandbox takes effect.
 
-After completing this tutorial, you will have:
+After completing this tutorial, you have:
 
 - A running sandbox with Claude Code that can push to a GitHub repository.
 - A custom network policy that grants GitHub access for a specific repository.
@@ -33,8 +33,10 @@ This tutorial requires the following:
 
 This tutorial uses two terminals to demonstrate the iterative policy workflow:
 
-- **Terminal 1**: The sandbox terminal. You create the sandbox in this terminal by running `openshell sandbox create` and interact with Claude Code inside it.
-- **Terminal 2**: A terminal outside the sandbox on your machine. You use this terminal for viewing the sandbox logs with `openshell term` and applying an updated policy with `openshell policy set`.
+| Terminal | Purpose |
+|---|---|
+| Terminal 1 | Use the sandbox terminal to create the sandbox with `openshell sandbox create` and interact with Claude Code. |
+| Terminal 2 | Use a terminal outside the sandbox on your machine to view sandbox logs with `openshell term` and apply an updated policy with `openshell policy set`. |
 
 Each section below indicates which terminal to use.
 
@@ -131,7 +133,7 @@ The sandbox runs a proxy that enforces policies on outbound traffic.
 The `github_rest_api` policy allows GET requests (used to read the file)
 but blocks PUT/write requests to GitHub. This is a sandbox-level restriction,
 not a token issue. No matter what token you provide, pushes through the API
-will be blocked until the policy is updated.
+are blocked until you update the policy.
 </Accordion>
 
 Both perspectives confirm the same thing: the proxy is doing its job. The default policy is designed to be restrictive. To allow GitHub pushes, you need to update the network policy.
@@ -162,7 +164,7 @@ Refer to the following policy example to compare with the generated policy befor
 
 The following YAML shows a complete policy that extends the [default policy](/reference/default-policy) with GitHub access for a single repository. Replace `<org>` with your GitHub organization or username and `<repo>` with your repository name.
 
-The `filesystem_policy`, `landlock`, and `process` sections are static. They are read once at sandbox creation and cannot be changed by a hot-reload. They are included here for completeness so the file is self-contained, but only the `network_policies` section takes effect when you apply this to a running sandbox.
+The `filesystem_policy`, `landlock`, and `process` sections are static. OpenShell reads them at sandbox creation, and a hot reload cannot change them. They are included here for completeness so the file is self-contained, but only the `network_policies` section takes effect when you apply this to a running sandbox.
 
 ```yaml
 version: 1
diff --git a/docs/get-started/tutorials/index.mdx b/docs/get-started/tutorials/index.mdx
index f5a79b543..c03e924f7 100644
--- a/docs/get-started/tutorials/index.mdx
+++ b/docs/get-started/tutorials/index.mdx
@@ -29,6 +29,6 @@ Route inference through Ollama using cloud-hosted or local models, and verify it
 
 <Card title="Local Inference with LM Studio" href="/get-started/tutorials/local-inference-lmstudio">
 
-Route inference to a local LM Studio server via the OpenAI or Anthropic compatible APIs.
+Route inference to a local LM Studio server using the OpenAI-compatible or Anthropic-compatible APIs.
 </Card>
 </Cards>
diff --git a/docs/get-started/tutorials/inference-ollama.mdx b/docs/get-started/tutorials/inference-ollama.mdx
index 4a16eee01..4f46b847e 100644
--- a/docs/get-started/tutorials/inference-ollama.mdx
+++ b/docs/get-started/tutorials/inference-ollama.mdx
@@ -8,12 +8,12 @@ description: "Run local and cloud models inside an OpenShell sandbox using the O
 keywords: "Generative AI, Cybersecurity, Tutorial, Inference Routing, Ollama, Local Inference, Sandbox"
 ---
 
-This tutorial covers two ways to use Ollama with OpenShell:
+This tutorial covers two ways of running Ollama with OpenShell:
 
-1. **Ollama sandbox (recommended)** — a self-contained sandbox with Ollama, Claude Code, and Codex pre-installed. One command to start.
-2. **Host-level Ollama** — run Ollama on the gateway host and route sandbox inference to it. Useful when you want a single Ollama instance shared across multiple sandboxes.
+1. Ollama sandbox. This is the recommended way to run Ollama. A self-contained sandbox with Ollama, Claude Code, and Codex pre-installed. One command starts it.
+2. Host-level Ollama. This is an alternative way to run Ollama. Run Ollama on the gateway host and route sandbox inference to it. Use this option when you want a single Ollama instance shared across multiple sandboxes.
 
-After completing this tutorial, you will know how to:
+After completing this tutorial, you know how to:
 
 - Launch the Ollama community sandbox for a batteries-included experience.
 - Use `ollama launch` to start coding agents inside a sandbox.
@@ -190,11 +190,11 @@ The response should be JSON from the model.
 
 Common issues and fixes:
 
-- **Ollama not reachable from sandbox** — Ollama must be bound to `0.0.0.0`, not `127.0.0.1`. This applies to host-level Ollama only; the community sandbox handles this automatically.
-- **`OPENAI_BASE_URL` wrong** — Use `http://host.openshell.internal:11434/v1`, not `localhost` or `127.0.0.1`.
-- **Model not found** — Run `ollama ps` to confirm the model is loaded. Run `ollama pull <model>` if needed.
-- **HTTPS vs HTTP** — Code inside sandboxes must call `https://inference.local`, not `http://`.
-- **AMD GPU driver issues** — Ollama v0.18+ requires ROCm 7 drivers for AMD GPUs. Update your drivers if you see GPU detection failures.
+- **Ollama not reachable from sandbox:** Ollama must be bound to `0.0.0.0`, not `127.0.0.1`. This applies to host-level Ollama only; the community sandbox handles this automatically.
+- **`OPENAI_BASE_URL` wrong:** Use `http://host.openshell.internal:11434/v1`, not `localhost` or `127.0.0.1`.
+- **Model not found:** Run `ollama ps` to confirm the model is loaded. Run `ollama pull <model>` if needed.
+- **HTTPS instead of HTTP:** Code inside sandboxes must call `https://inference.local`, not `http://`.
+- **AMD GPU driver issues:** Ollama v0.18+ requires ROCm 7 drivers for AMD GPUs. Update your drivers if you see GPU detection failures.
 
 Useful commands:
 
diff --git a/docs/get-started/tutorials/local-inference-lmstudio.mdx b/docs/get-started/tutorials/local-inference-lmstudio.mdx
index 2d1246459..7ce604009 100644
--- a/docs/get-started/tutorials/local-inference-lmstudio.mdx
+++ b/docs/get-started/tutorials/local-inference-lmstudio.mdx
@@ -15,7 +15,7 @@ The LM Studio server provides easy setup with both OpenAI and Anthropic compatib
 
 </Note>
 
-This tutorial will cover:
+This tutorial covers:
 
 - Expose a local inference server to OpenShell sandboxes.
 - Verify end-to-end inference from inside a sandbox.
@@ -54,11 +54,11 @@ lms daemon up
 
 Start the LM Studio local server from the Developer tab, and verify the OpenAI-compatible endpoint is enabled.
 
-LM Studio will listen to `127.0.0.1:1234` by default. For use with OpenShell, you'll need to configure LM Studio to listen on all interfaces (`0.0.0.0`).
+LM Studio listens to `127.0.0.1:1234` by default. For use with OpenShell, configure LM Studio to listen on all interfaces (`0.0.0.0`).
 
-If you're using the GUI, go to the Developer Tab, select Server Settings, then enable Serve on Local Network.
+If you use the GUI, go to the Developer Tab, select Server Settings, then enable Serve on Local Network.
 
-If you're using llmster in headless mode, run `lms server start --bind 0.0.0.0`.
+If you use llmster in headless mode, run `lms server start --bind 0.0.0.0`.
 
 ## Test with a small model
 
diff --git a/docs/index.mdx b/docs/index.mdx
index 4d358a827..91aba803d 100644
--- a/docs/index.mdx
+++ b/docs/index.mdx
@@ -38,7 +38,7 @@ uncontrolled network activity.
 
 Install OpenShell and create your first sandbox in two commands.
 
-{/*Terminal demo styles live in fern/main.css — inline <style> with { } breaks MDX/acorn*/}
+{/*Terminal demo styles live in fern/main.css. Inline <style> with { } breaks MDX/acorn*/}
 <llms-ignore>
 
 <div className="nc-term">
@@ -139,7 +139,7 @@ Keep inference traffic private by routing API calls to local or self-hosted back
 
 <Card title="Observability" href="/observability">
 
-Understand sandbox logs, access them via CLI and TUI, and export OCSF JSON records.
+Understand sandbox logs, access them with the CLI and TUI, and export OCSF JSON records.
 
 <Badge intent="tip" minimal outlined>How-To</Badge>
 </Card>
diff --git a/docs/kubernetes/access-control.mdx b/docs/kubernetes/access-control.mdx
index c07f77eaa..d66dc528d 100644
--- a/docs/kubernetes/access-control.mdx
+++ b/docs/kubernetes/access-control.mdx
@@ -64,7 +64,7 @@ helm upgrade openshell \
   --set server.oidc.userRole=openshell-user
 ```
 
-`adminRole` and `userRole` must both be set or both be empty — setting only one is not supported.
+Both `adminRole` and `userRole` must be set, or both must be empty. Setting only one is not supported.
 
 ### Provider-specific rolesClaim paths
 
@@ -76,7 +76,7 @@ helm upgrade openshell \
 
 ## Reverse-Proxy Auth Termination
 
-When an access proxy — such as Cloudflare Access, ngrok, or a corporate SSO gateway — handles authentication in front of the OpenShell gateway, you can disable the gateway's own client certificate verification:
+When an access proxy, such as Cloudflare Access, ngrok, or a corporate SSO gateway, handles authentication in front of the OpenShell gateway, you can disable the gateway's own client certificate verification:
 
 ```shell
 helm upgrade openshell \
@@ -99,7 +99,7 @@ To also disable TLS entirely (when the proxy terminates TLS before the request r
 Only disable TLS and gateway auth when the gateway is not reachable from outside the cluster and the proxy path is fully trusted. Never expose a plaintext, auth-disabled gateway to a public network.
 </Warning>
 
-Register the gateway with the CLI using the proxy's public URL — the browser-based login flow runs automatically on first use:
+Register the gateway with the CLI using the proxy's public URL. The browser-based login flow runs automatically on first use:
 
 ```shell
 openshell gateway add https://gateway.example.com --name production
diff --git a/docs/kubernetes/ingress.mdx b/docs/kubernetes/ingress.mdx
index fa0a1cf14..e4b23101f 100644
--- a/docs/kubernetes/ingress.mdx
+++ b/docs/kubernetes/ingress.mdx
@@ -55,7 +55,7 @@ After the Gateway is provisioned, Envoy Gateway creates a LoadBalancer service i
 kubectl -n openshell get svc -l gateway.envoyproxy.io/owning-gateway-name=openshell
 ```
 
-Once the `EXTERNAL-IP` is assigned, register the gateway with the CLI:
+After the `EXTERNAL-IP` is assigned, register the gateway with the CLI:
 
 ```shell
 openshell gateway add http://<external-ip> --name production
diff --git a/docs/kubernetes/managing-certificates.mdx b/docs/kubernetes/managing-certificates.mdx
index dcea304d4..65caa395e 100644
--- a/docs/kubernetes/managing-certificates.mdx
+++ b/docs/kubernetes/managing-certificates.mdx
@@ -12,13 +12,13 @@ The OpenShell gateway requires mTLS certificates for sandbox supervisors and cli
 
 | Mode | When to use |
 |---|---|
-| Built-in `pkiInitJob` (default) | Simplest path. A pre-install Kubernetes Job generates a self-signed CA and certificates once at install time. No additional dependencies. |
+| Built-in `pkiInitJob` (default) | The default path. A pre-install Kubernetes Job generates a self-signed CA and certificates during installation. No additional dependencies. |
 | cert-manager | Production deployments that need automatic certificate rotation managed by a running controller. |
 
 The rest of this page covers switching to cert-manager. The built-in mode requires no configuration.
 
 <Note>
-cert-manager and `pkiInitJob` are mutually exclusive. The chart will fail if both are enabled at the same time.
+cert-manager and `pkiInitJob` are mutually exclusive. The chart fails if both are enabled at the same time.
 </Note>
 
 ## Install cert-manager
diff --git a/docs/kubernetes/openshift.mdx b/docs/kubernetes/openshift.mdx
index 151bf27a6..7328a2608 100644
--- a/docs/kubernetes/openshift.mdx
+++ b/docs/kubernetes/openshift.mdx
@@ -83,6 +83,6 @@ openshell status
 
 ## Next Steps
 
-- For TLS-enabled deployments, see [Managing Certificates](/kubernetes/managing-certificates) once SCC-compatible PKI is supported.
-- To expose the gateway externally, see [Ingress](/kubernetes/ingress).
-- To configure OIDC authentication, see [Access Control](/kubernetes/access-control).
+- For TLS-enabled deployments, refer to [Managing Certificates](/kubernetes/managing-certificates) after SCC-compatible PKI is supported.
+- To expose the gateway externally, refer to [Ingress](/kubernetes/ingress).
+- To configure OIDC authentication, refer to [Access Control](/kubernetes/access-control).
diff --git a/docs/kubernetes/setup.mdx b/docs/kubernetes/setup.mdx
index 84fccc036..fa1eedccd 100644
--- a/docs/kubernetes/setup.mdx
+++ b/docs/kubernetes/setup.mdx
@@ -9,7 +9,7 @@ position: 1
 ---
 
 <Warning>
-The OpenShell Helm chart is experimental and under active development. Templates, values, and defaults may change between releases. Do not use it in production.
+The OpenShell Helm chart is experimental and under active development. Templates, values, and defaults can change between releases. Do not use it in production.
 </Warning>
 
 Use the Kubernetes deployment when the gateway should run on a shared cluster, in a cloud environment, or as part of team infrastructure. The Helm chart deploys the gateway as a StatefulSet and handles PKI bootstrap, RBAC, and sandbox namespace setup automatically.
@@ -20,11 +20,11 @@ Make sure the following are in place before you install.
 
 | Prerequisite | Required | Notes |
 |---|---|---|
-| Kubernetes 1.29+ with RBAC enabled | Yes | — |
-| Helm 3.x | Yes | — |
-| Agent Sandbox controller and CRDs | Yes | Install before the OpenShell chart — see [Install Agent Sandbox](#install-agent-sandbox) below |
-| cert-manager | No | See [Managing Certificates](/kubernetes/managing-certificates) — only needed if you prefer cert-manager over the built-in PKI job |
-| Kubernetes Gateway API | No | See [Ingress](/kubernetes/ingress) — only needed for external access without port-forwarding |
+| Kubernetes 1.29+ with RBAC enabled | Yes | No additional notes. |
+| Helm 3.x | Yes | No additional notes. |
+| Agent Sandbox controller and CRDs | Yes | Install before the OpenShell chart. Refer to [Install Agent Sandbox](#install-agent-sandbox). |
+| cert-manager | No | Refer to [Managing Certificates](/kubernetes/managing-certificates). Use cert-manager only if you prefer it over the built-in PKI job. |
+| Kubernetes Gateway API | No | Refer to [Ingress](/kubernetes/ingress). Use it only for external access without port-forwarding. |
 
 ## Install Agent Sandbox
 
@@ -94,7 +94,7 @@ kubectl -n openshell port-forward svc/openshell 8080:8080
 ```
 
 <Warning>
-The port-forward is for local evaluation only. For shared environments, expose the gateway through your ingress controller or access proxy. See [Ingress](/kubernetes/ingress) for an external access option.
+The port-forward is for local evaluation only. For shared environments, expose the gateway through your ingress controller or access proxy. Refer to [Ingress](/kubernetes/ingress) for an external access option.
 </Warning>
 
 ## Install the client mTLS certificate
@@ -150,7 +150,7 @@ helm upgrade --install openshell \
 
 ## Next Steps
 
-- To enable automatic certificate rotation with cert-manager, see [Managing Certificates](/kubernetes/managing-certificates).
-- To expose the gateway externally without port-forwarding, see [Ingress](/kubernetes/ingress).
-- To configure OIDC or reverse-proxy authentication, see [Access Control](/kubernetes/access-control).
-- To create your first sandbox, see [Manage Sandboxes](/sandboxes/manage-sandboxes).
+- To enable automatic certificate rotation with cert-manager, refer to [Managing Certificates](/kubernetes/managing-certificates).
+- To expose the gateway externally without port-forwarding, refer to [Ingress](/kubernetes/ingress).
+- To configure OIDC or reverse-proxy authentication, refer to [Access Control](/kubernetes/access-control).
+- To create your first sandbox, refer to [Manage Sandboxes](/sandboxes/manage-sandboxes).
diff --git a/docs/observability/accessing-logs.mdx b/docs/observability/accessing-logs.mdx
index 1995ab9d7..e96dfeab2 100644
--- a/docs/observability/accessing-logs.mdx
+++ b/docs/observability/accessing-logs.mdx
@@ -54,7 +54,7 @@ You can also run a one-off command without an interactive shell:
 openshell sandbox connect my-sandbox -- cat /var/log/openshell.2026-04-01.log
 ```
 
-The log files inside the sandbox contain the complete record, including events that may have been dropped from the gRPC push channel under load. The push channel is bounded and drops events rather than blocking.
+The log files inside the sandbox contain the complete record, including events that the gRPC push channel can drop under load. The push channel is bounded and drops events rather than blocking.
 
 ## Filtering by Event Type
 
diff --git a/docs/observability/logging.mdx b/docs/observability/logging.mdx
index d45c15d81..81c47248c 100644
--- a/docs/observability/logging.mdx
+++ b/docs/observability/logging.mdx
@@ -20,7 +20,7 @@ Internal operational events use Rust's `tracing` framework with a conventional f
 2026-04-01T03:28:39.175Z INFO openshell_sandbox: Creating OPA engine from proto policy data
 ```
 
-These events cover startup plumbing, gRPC communication, and internal state transitions that are useful for debugging but don't represent security-relevant decisions.
+These events cover startup plumbing, gRPC communication, and internal state transitions that are useful for debugging but do not represent security-relevant decisions.
 
 ### OCSF structured events
 
@@ -40,7 +40,7 @@ In the log file, OCSF events appear in a shorthand format with an `OCSF` level l
 
 The `OCSF` label at column 25 distinguishes structured events from standard `INFO` tracing at the same position. Both formats appear in the same file.
 
-When viewed through the CLI or TUI, which receive logs via gRPC, the same distinction applies:
+When viewed through the CLI or TUI, which receive logs through gRPC, the same distinction applies:
 
 ```text
 [1775014132.118] [sandbox] [OCSF ] [ocsf] NET:OPEN [INFO] ALLOWED /usr/bin/curl(58) -> api.github.com:443 [policy:github_api engine:opa]
diff --git a/docs/observability/ocsf-json-export.mdx b/docs/observability/ocsf-json-export.mdx
index 27034a479..5c326d665 100644
--- a/docs/observability/ocsf-json-export.mdx
+++ b/docs/observability/ocsf-json-export.mdx
@@ -145,10 +145,12 @@ The `class_uid` field identifies the event type:
 
 The JSONL file can be shipped to any tool that accepts OCSF-formatted data:
 
-- **Splunk**: Use the [Splunk OCSF Add-on](https://splunkbase.splunk.com/app/6943) to ingest OCSF JSONL files.
-- **Amazon Security Lake**: OCSF is the native schema for Security Lake.
-- **Elastic**: Use Filebeat to ship JSONL files with the OCSF field mappings.
-- **Custom pipelines**: Parse the JSONL file with `jq`, Python, or any JSON-capable tool.
+| Tool | Integration Path |
+|---|---|
+| Splunk | Use the [Splunk OCSF Add-on](https://splunkbase.splunk.com/app/6943) to ingest OCSF JSONL files. |
+| Amazon Security Lake | OCSF is the native schema for Security Lake. |
+| Elastic | Use Filebeat to ship JSONL files with the OCSF field mappings. |
+| Custom pipelines | Parse the JSONL file with `jq`, Python, or any JSON-capable tool. |
 
 Example with `jq` to extract all denied connections:
 
@@ -161,9 +163,9 @@ cat /var/log/openshell-ocsf.2026-04-01.log | \
 
 The shorthand format in `openshell.YYYY-MM-DD.log` and the JSON format in `openshell-ocsf.YYYY-MM-DD.log` are derived from the same OCSF events. The shorthand is a human-readable projection; the JSON is the complete record. Both are generated at the same time from the same event data.
 
-The shorthand log is always active. The JSON export is opt-in via `ocsf_json_enabled`.
+The shorthand log is always active. The JSON export is opt-in through `ocsf_json_enabled`.
 
 ## Next Steps
 
 - Learn how to [read the shorthand format](/observability/logging) for real-time monitoring.
-- See the [OCSF specification](https://schema.ocsf.io/) for the full schema reference.
+- Refer to the [OCSF specification](https://schema.ocsf.io/) for the full schema reference.
diff --git a/docs/observability/overview.mdx b/docs/observability/overview.mdx
index 69fde7a06..269874260 100644
--- a/docs/observability/overview.mdx
+++ b/docs/observability/overview.mdx
@@ -10,8 +10,8 @@ position: 1
 
 OpenShell provides structured logging for every sandbox. Every network connection, process lifecycle event, filesystem policy decision, and configuration change is recorded so you can understand exactly what happened inside a sandbox.
 
-This section covers:
+Navigate to the following pages to learn more about the OpenShell observability features:
 
-- **[Sandbox Logging](/observability/logging)**: How the two log formats work, where logs are stored, and how to read them.
-- **[Accessing Logs](/observability/accessing-logs)**: How to view logs through the CLI, TUI, and directly on the sandbox filesystem.
-- **[OCSF JSON Export](/observability/ocsf-json-export)**: How to enable full OCSF JSON output for integration with SIEMs, log aggregators, and compliance tools.
+- [Sandbox Logging](/observability/logging) explains how the two log formats work, where logs are stored, and how to read them.
+- [Accessing Logs](/observability/accessing-logs) shows how to view logs through the CLI, TUI, and directly on the sandbox filesystem.
+- [OCSF JSON Export](/observability/ocsf-json-export) explains how to enable full OCSF JSON output for integration with SIEMs, log aggregators, and compliance tools.
diff --git a/docs/reference/default-policy.mdx b/docs/reference/default-policy.mdx
index 9f3a1d5cd..73dedf89c 100644
--- a/docs/reference/default-policy.mdx
+++ b/docs/reference/default-policy.mdx
@@ -26,4 +26,4 @@ If you run a non-Claude agent without a custom policy, the agent's API calls are
 
 ## Default Policy Blocks
 
-The default policy blocks are defined in the community base image. See the [openshell-community repository](https://github.com/nvidia/openshell-community) for the full `dev-sandbox-policy.yaml` source.
+The default policy blocks are defined in the community base image. Refer to the [openshell-community repository](https://github.com/nvidia/openshell-community) for the full `dev-sandbox-policy.yaml` source.
diff --git a/docs/reference/gateway-auth.mdx b/docs/reference/gateway-auth.mdx
index e95ce854b..5a74127d6 100644
--- a/docs/reference/gateway-auth.mdx
+++ b/docs/reference/gateway-auth.mdx
@@ -140,7 +140,7 @@ For gateways behind a reverse proxy that handles authentication (e.g. Cloudflare
 1. The CLI stores gateway metadata with the edge authentication mode.
 2. Opens your browser to the gateway's authentication endpoint.
 3. The reverse proxy handles login (SSO, identity provider, etc.).
-4. After authentication, the browser relays the authorization token back to the CLI via a localhost callback.
+4. After authentication, the browser relays the authorization token back to the CLI through a localhost callback.
 5. The CLI stores the token and sets the gateway as active.
 
 **Connection flow** (subsequent commands):
diff --git a/docs/reference/policy-schema.mdx b/docs/reference/policy-schema.mdx
index 295f850df..747b2b236 100644
--- a/docs/reference/policy-schema.mdx
+++ b/docs/reference/policy-schema.mdx
@@ -87,7 +87,7 @@ Configures [Landlock LSM](https://docs.kernel.org/security/landlock.html) enforc
 
 | Field | Type | Required | Values | Description |
 |---|---|---|---|---|
-| `compatibility` | string | No | `best_effort`, `hard_requirement` | How OpenShell handles Landlock failures. See behavior table below. |
+| `compatibility` | string | No | `best_effort`, `hard_requirement` | How OpenShell handles Landlock failures. Refer to the behavior table below. |
 
 **Compatibility modes:**
 
@@ -96,7 +96,7 @@ Configures [Landlock LSM](https://docs.kernel.org/security/landlock.html) enforc
 | `best_effort` | Warns and continues without Landlock. | Skips the path, applies remaining rules. | Warns and continues without Landlock (refuses to apply an empty ruleset). |
 | `hard_requirement` | Aborts sandbox startup. | Aborts sandbox startup. | Aborts sandbox startup. |
 
-`best_effort` (the default) is appropriate for most deployments. It handles missing paths gracefully -- for example, `/app` may not exist in every container image but is included in the baseline path set for containers that do have it. Individual missing paths are skipped while the remaining filesystem rules are still enforced.
+`best_effort` (the default) is appropriate for most deployments. It handles missing paths gracefully. For example, `/app` might not exist in every container image but is included in the baseline path set for containers that do have it. Individual missing paths are skipped while the remaining filesystem rules are still enforced.
 
 `hard_requirement` is for environments where any gap in filesystem isolation is unacceptable. If a listed path cannot be opened for any reason (missing, permission denied, symlink loop), sandbox startup fails immediately rather than running with reduced protection.
 
@@ -120,7 +120,7 @@ Sets the OS-level identity for the agent process inside the sandbox.
 | `run_as_user` | string | No | The user name or UID the agent process runs as. Default: `sandbox`. |
 | `run_as_group` | string | No | The group name or GID the agent process runs as. Default: `sandbox`. |
 
-**Validation constraint:** Neither `run_as_user` nor `run_as_group` may be set to `root` or `0`. Policies that request root process identity are rejected at creation or update time.
+**Validation constraint:** Neither `run_as_user` nor `run_as_group` can be set to `root` or `0`. Policies that request root process identity are rejected at creation or update time.
 
 Example:
 
diff --git a/docs/reference/sandbox-compute-drivers.mdx b/docs/reference/sandbox-compute-drivers.mdx
index da1951c4b..9c6a16d94 100644
--- a/docs/reference/sandbox-compute-drivers.mdx
+++ b/docs/reference/sandbox-compute-drivers.mdx
@@ -103,6 +103,6 @@ For maintainer-level implementation details, refer to the [Kubernetes driver REA
 | `--sandbox-image-pull-policy <policy>` | `OPENSHELL_SANDBOX_IMAGE_PULL_POLICY` | `server.sandboxImagePullPolicy` | Set the Kubernetes image pull policy for sandbox pods. |
 | `--grpc-endpoint <url>` | `OPENSHELL_GRPC_ENDPOINT` | `server.grpcEndpoint` | Set the gateway callback endpoint reachable from sandbox pods. |
 | `--client-tls-secret-name <name>` | `OPENSHELL_CLIENT_TLS_SECRET_NAME` | `server.tls.clientTlsSecretName` | Mount sandbox client TLS materials from a Kubernetes secret. |
-| Not applicable | Not applicable | `supervisor.sideloadMethod` | How the supervisor binary is delivered into sandbox pods. Leave empty to auto-detect from cluster version. Set to `image-volume` to mount the supervisor OCI image directly as a volume (requires Kubernetes 1.33+ with the ImageVolume feature gate; GA in 1.36), or `init-container` to copy via an init container on older clusters. |
+| Not applicable | Not applicable | `supervisor.sideloadMethod` | How the supervisor binary is delivered into sandbox pods. Leave empty to auto-detect from cluster version. Set to `image-volume` to mount the supervisor OCI image directly as a volume (requires Kubernetes 1.33+ with the ImageVolume feature gate; GA in 1.36), or `init-container` to copy it through an init container on older clusters. |
 
 The Kubernetes driver creates namespaced `agents.x-k8s.io/v1alpha1` `Sandbox` resources from the Kubernetes SIG Apps [agent-sandbox](https://github.com/kubernetes-sigs/agent-sandbox) project. The Agent Sandbox controller turns those resources into sandbox pods and related storage.
diff --git a/docs/sandboxes/inference-routing.mdx b/docs/sandboxes/inference-routing.mdx
index f24b552b3..3cc6fcb06 100644
--- a/docs/sandboxes/inference-routing.mdx
+++ b/docs/sandboxes/inference-routing.mdx
@@ -114,7 +114,7 @@ openshell provider create \
 Use `--config OPENAI_BASE_URL` to point to any OpenAI-compatible server running where the gateway runs. For host-backed local inference, use `host.openshell.internal` or the host's LAN IP. Avoid `127.0.0.1` and `localhost`. Set `OPENAI_API_KEY` to a dummy value if the server does not require authentication.
 
 <Tip>
-For a self-contained setup, the Ollama sandbox bundles Ollama inside the sandbox itself, so no host-level provider is needed. See [Inference Ollama](/get-started/tutorials/inference-ollama) for details.
+For a self-contained setup, the Ollama sandbox bundles Ollama inside the sandbox itself, so no host-level provider is needed. Refer to [Inference Ollama](/get-started/tutorials/inference-ollama) for details.
 
 </Tip>
 
diff --git a/docs/sandboxes/manage-gateways.mdx b/docs/sandboxes/manage-gateways.mdx
index 65aacfcdc..156cf8036 100644
--- a/docs/sandboxes/manage-gateways.mdx
+++ b/docs/sandboxes/manage-gateways.mdx
@@ -66,7 +66,7 @@ For direct mTLS endpoints, place the CLI client certificate bundle in the gatewa
 
 One gateway is always the active gateway. All CLI commands target it by default. `gateway add` sets the new gateway as active.
 
-The active gateway is the persisted default. The `-g` flag and the `OPENSHELL_GATEWAY` environment variable override it when commands resolve a gateway. If `OPENSHELL_GATEWAY` is set to a different gateway, `openshell gateway select <name>` still saves the new default and warns that the current shell will keep using the environment value until you unset or update it.
+The active gateway is the persisted default. The `-g` flag and the `OPENSHELL_GATEWAY` environment variable override it when commands resolve a gateway. If `OPENSHELL_GATEWAY` is set to a different gateway, `openshell gateway select <name>` still saves the new default and warns that the current shell continues to use the environment value until you unset or update it.
 
 List all registered gateways:
 
diff --git a/docs/sandboxes/manage-providers.mdx b/docs/sandboxes/manage-providers.mdx
index 46a3513c8..6f50e1725 100644
--- a/docs/sandboxes/manage-providers.mdx
+++ b/docs/sandboxes/manage-providers.mdx
@@ -177,7 +177,7 @@ The following provider types are supported.
 | `codex` | `OPENAI_API_KEY` | OpenAI Codex |
 | `copilot` | `COPILOT_GITHUB_TOKEN`, `GH_TOKEN`, `GITHUB_TOKEN` | GitHub Copilot CLI |
 | `generic` | User-defined | Any service with custom credentials |
-| `github` | `GITHUB_TOKEN`, `GH_TOKEN` | GitHub API, `gh` CLI — refer to [GitHub Sandbox](/get-started/tutorials/github-sandbox) |
+| `github` | `GITHUB_TOKEN`, `GH_TOKEN` | GitHub API and `gh` CLI. Refer to [GitHub Sandbox](/get-started/tutorials/github-sandbox). |
 | `gitlab` | `GITLAB_TOKEN`, `GLAB_TOKEN`, `CI_JOB_TOKEN` | GitLab API, `glab` CLI |
 | `nvidia` | `NVIDIA_API_KEY` | NVIDIA API Catalog |
 | `openai` | `OPENAI_API_KEY` | Any OpenAI-compatible endpoint. Set `--config OPENAI_BASE_URL` to point to the provider. Refer to [Inference Routing](/sandboxes/inference-routing). |
diff --git a/docs/sandboxes/policies.mdx b/docs/sandboxes/policies.mdx
index fb0b04cfe..3d4a27c67 100644
--- a/docs/sandboxes/policies.mdx
+++ b/docs/sandboxes/policies.mdx
@@ -54,7 +54,7 @@ Raw streams are connection-scoped and outside L7 live-reload guarantees. This in
 | Section | Type | Description |
 |---|---|---|
 | `filesystem_policy` | Static | Controls which directories the agent can access on disk. Paths are split into `read_only` and `read_write` lists. Any path not listed in either list is inaccessible. Set `include_workdir: true` to automatically add the agent's working directory to `read_write`. [Landlock LSM](https://docs.kernel.org/security/landlock.html) enforces these restrictions at the kernel level. |
-| `landlock` | Static | Configures Landlock LSM enforcement behavior. Set `compatibility` to `best_effort` (skip individual inaccessible paths while applying remaining rules) or `hard_requirement` (fail if any path is inaccessible or the required kernel ABI is unavailable). See the [Policy Schema Reference](/reference/policy-schema#landlock) for the full behavior table. |
+| `landlock` | Static | Configures Landlock LSM enforcement behavior. Set `compatibility` to `best_effort` (skip individual inaccessible paths while applying remaining rules) or `hard_requirement` (fail if any path is inaccessible or the required kernel ABI is unavailable). Refer to the [Policy Schema Reference](/reference/policy-schema#landlock) for the full behavior table. |
 | `process` | Static | Sets the OS-level identity for the agent process. `run_as_user` and `run_as_group` default to `sandbox`. Root (`root` or `0`) is rejected. The agent also runs with seccomp filters that block dangerous system calls. |
 | `network_policies` | Dynamic | Controls network access for ordinary outbound traffic from the sandbox. Each block has a name, a list of endpoints (host, port, protocol, and optional rules), and a list of binaries allowed to use those endpoints. <br />Every outbound connection except `https://inference.local` goes through the proxy, which queries the [policy engine](/about/how-it-works#core-components) with the destination and calling binary. A connection is allowed only when both match an entry in the same policy block. <br />For endpoints with `protocol: rest`, the proxy auto-detects TLS and terminates it so each HTTP request can be checked against that endpoint's `rules` (method and path). For endpoints with `protocol: websocket`, the proxy validates the RFC 6455 upgrade and evaluates `GET` rules for the handshake plus either `WEBSOCKET_TEXT` rules for raw client text messages or GraphQL operation rules for GraphQL-over-WebSocket messages. Set `websocket_credential_rewrite: true` only when a WebSocket or REST compatibility endpoint must keep placeholder credentials in sandbox-owned text frames and resolve them at the OpenShell relay boundary. <br />Endpoints without `protocol` allow the TCP stream through without inspecting payloads. <br />If no endpoint matches, the connection is denied. Configure managed inference separately through [Inference Routing](/sandboxes/inference-routing). |
 
@@ -192,7 +192,7 @@ The incremental update surface is split into endpoint-level operations and metho
 
 ### Add Endpoint Compared to Allow and Deny
 
-`--add-endpoint` works at the endpoint and rule level. It creates a new `network_policies` entry when needed, or merges into an existing rule that already covers the same host and port. Use it when you are defining where traffic may go and which binaries may send it.
+`--add-endpoint` works at the endpoint and rule level. It creates a new `network_policies` entry when needed, or merges into an existing rule that already covers the same host and port. Use it when you define where traffic can go and which binaries can send it.
 
 `--add-allow` and `--add-deny` work at the method/path rule level. They do not create binaries, and they do not create a new endpoint. They modify an existing endpoint that already has `protocol: rest` or `protocol: websocket`.
 
diff --git a/docs/security/best-practices.mdx b/docs/security/best-practices.mdx
index f51781144..73cc368de 100644
--- a/docs/security/best-practices.mdx
+++ b/docs/security/best-practices.mdx
@@ -1,7 +1,7 @@
 ---
 # SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
-title: "OpenShell Security Best Practices — Controls, Risks, and Configuration Guidance"
+title: "OpenShell Security Best Practices for Controls, Risks, and Configuration Guidance"
 sidebar-title: "Security Best Practices"
 slug: "security/best-practices"
 description: "A guide to every configurable security control in OpenShell: defaults, what you can change, and the risks of each choice."
@@ -66,13 +66,13 @@ Even if a process ignores proxy environment variables, it can only reach the pro
 ### User Namespace Isolation
 
 Kubernetes user namespaces (`hostUsers: false`) map container UID 0 to an unprivileged host UID.
-Capabilities like `CAP_SYS_ADMIN` become namespaced — they grant power over container-local resources only, not the host.
+Capabilities like `CAP_SYS_ADMIN` become namespaced. They grant power over container-local resources only, not the host.
 This provides defense-in-depth: even if a container escape vulnerability exists, the attacker lands as an unprivileged host user.
 
 | Aspect | Detail |
 |---|---|
 | Default | Disabled. Set `server.enableUserNamespaces: true` in the Helm values or `OPENSHELL_ENABLE_USER_NAMESPACES=true` as an environment variable to enable cluster-wide. |
-| What you can change | Enable cluster-wide via Helm or environment variable. Override per-sandbox via the `user_namespaces` field on `SandboxTemplate` in the API. |
+| What you can change | Enable cluster-wide through Helm or environment variable. Override per-sandbox through the `user_namespaces` field on `SandboxTemplate` in the API. |
 | Prerequisites | Kubernetes 1.33+ with user namespace support available (beta through 1.35, GA in 1.36+), a container runtime that supports user namespaces (containerd 2.0+, CRI-O 1.25+), and Linux 5.12+ for ID-mapped mounts. |
 | Risk if enabled with GPU | NVIDIA device plugin compatibility with user namespaces is unverified. OpenShell logs a warning when both GPU and user namespaces are active on the same sandbox. |
 | Recommendation | Enable on non-GPU clusters running Kubernetes with user namespace support available (1.33+ beta, 1.36+ GA) for stronger host isolation. Test GPU workloads separately before enabling on GPU clusters. |
@@ -110,7 +110,7 @@ When L7 inspection is active, the `enforcement` field controls whether the proxy
 | Default | `audit`. The proxy logs violations but forwards traffic. |
 | What you can change | Set `enforcement: enforce` to block requests that do not match any `rules` entry. Denied requests receive a `403 Forbidden` response with a JSON body describing the violation. |
 | Risk if relaxed | `audit` mode provides visibility but does not prevent unauthorized actions. An agent can still perform write or delete operations on an API even if the rules would deny them. |
-| Recommendation | Start with `audit` to understand traffic patterns and verify that rules are correct. Switch to `enforce` once you have validated that the rules match the intended access pattern. |
+| Recommendation | Start with `audit` to understand traffic patterns and verify that rules are correct. Switch to `enforce` after you validate that the rules match the intended access pattern. |
 
 ### TLS Handling
 
@@ -268,7 +268,7 @@ For Helm deployments, provide a CA and certificate bundle through the Kubernetes
 
 ### SSH Tunnel Authentication
 
-SSH connections to sandboxes travel through the gateway over the sandbox's existing mTLS session. On top of the gateway's transport authentication (mTLS by default), each SSH connect call also carries a short-lived session token scoped to a specific sandbox. The sandbox never exposes an SSH port on the network — its SSH daemon listens on a local Unix socket that only the sandbox's own supervisor process can reach.
+SSH connections to sandboxes travel through the gateway over the sandbox's existing mTLS session. On top of the gateway's transport authentication (mTLS by default), each SSH connect call also carries a short-lived session token scoped to a specific sandbox. The sandbox never exposes an SSH port on the network. Its SSH daemon listens on a local Unix socket that only the sandbox's own supervisor process can reach.
 
 | Aspect | Detail |
 |---|---|
@@ -288,7 +288,7 @@ The following patterns weaken security without providing meaningful benefit.
 | Adding endpoints permanently when operator approval would suffice | Adding endpoints to the policy YAML makes them permanently reachable across all instances. | Use operator approval. Approved endpoints persist within the sandbox instance but reset on re-creation. |
 | Using broad binary globs | A glob like `/**` allows any binary to reach the endpoint, defeating binary-scoped enforcement. | Scope globs to specific directories (for example, `/sandbox/.vscode-server/**`). |
 | Skipping TLS termination on HTTPS APIs | Setting `tls: skip` disables credential injection and L7 inspection. | Use the default auto-detect behavior unless the upstream requires client-certificate mTLS. |
-| Setting `enforcement: enforce` before auditing | Jumping to `enforce` without first running in `audit` mode risks breaking the agent's workflow. | Start with `audit`, review the logs, and switch to `enforce` once you have validated the rules. |
+| Setting `enforcement: enforce` before auditing | Jumping to `enforce` without first running in `audit` mode risks breaking the agent's workflow. | Start with `audit`, review the logs, and switch to `enforce` after you validate the rules. |
 
 ## Related Topics
 
diff --git a/fern/fern.config.json b/fern/fern.config.json
index d0bf7eb00..83a8e22b9 100644
--- a/fern/fern.config.json
+++ b/fern/fern.config.json
@@ -1,4 +1,4 @@
 {
   "organization": "nvidia",
-  "version": "4.75.0"
+  "version": "5.23.3"
 }

From 5a1d31cd3f2ef3dab40cab64d7563ee7ce57e962 Mon Sep 17 00:00:00 2001
From: Miyoung Choi <miyoungc@nvidia.com>
Date: Tue, 12 May 2026 15:26:37 -0700
Subject: [PATCH 2/3] docs: drop observability section overview page and rename
 a section title

---
 docs/index.mdx                  |  2 +-
 docs/index.yml                  |  2 +-
 docs/observability/overview.mdx | 17 -----------------
 3 files changed, 2 insertions(+), 19 deletions(-)
 delete mode 100644 docs/observability/overview.mdx

diff --git a/docs/index.mdx b/docs/index.mdx
index 91aba803d..40c4f1cef 100644
--- a/docs/index.mdx
+++ b/docs/index.mdx
@@ -137,7 +137,7 @@ Keep inference traffic private by routing API calls to local or self-hosted back
 <Badge intent="tip" minimal outlined>Concept</Badge>
 </Card>
 
-<Card title="Observability" href="/observability">
+<Card title="Observability" href="/observability/logging">
 
 Understand sandbox logs, access them with the CLI and TUI, and export OCSF JSON records.
 
diff --git a/docs/index.yml b/docs/index.yml
index bbeb4decf..1e2005f45 100644
--- a/docs/index.yml
+++ b/docs/index.yml
@@ -16,7 +16,7 @@ navigation:
   - folder: get-started/tutorials
     skip-slug: true
 - folder: sandboxes
-  title: "How It Works"
+  title: "Manage OpenShell"
 - folder: observability
   title: "Observability"
 - folder: kubernetes
diff --git a/docs/observability/overview.mdx b/docs/observability/overview.mdx
deleted file mode 100644
index 269874260..000000000
--- a/docs/observability/overview.mdx
+++ /dev/null
@@ -1,17 +0,0 @@
----
-# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-title: "Observability"
-sidebar-title: "Overview"
-description: "Understand how OpenShell logs sandbox activity, how to access logs, and how to export structured OCSF records."
-keywords: "Generative AI, Cybersecurity, Logging, OCSF, Observability, Monitoring"
-position: 1
----
-
-OpenShell provides structured logging for every sandbox. Every network connection, process lifecycle event, filesystem policy decision, and configuration change is recorded so you can understand exactly what happened inside a sandbox.
-
-Navigate to the following pages to learn more about the OpenShell observability features:
-
-- [Sandbox Logging](/observability/logging) explains how the two log formats work, where logs are stored, and how to read them.
-- [Accessing Logs](/observability/accessing-logs) shows how to view logs through the CLI, TUI, and directly on the sandbox filesystem.
-- [OCSF JSON Export](/observability/ocsf-json-export) explains how to enable full OCSF JSON output for integration with SIEMs, log aggregators, and compliance tools.

From 331e456d9375b99f890494074773a8a90ed739df Mon Sep 17 00:00:00 2001
From: Miyoung Choi <miyoungc@nvidia.com>
Date: Tue, 12 May 2026 16:00:09 -0700
Subject: [PATCH 3/3] docs: title updates

---
 docs/get-started/tutorials/github-sandbox.mdx | 6 ++----
 docs/index.mdx                                | 2 +-
 docs/kubernetes/setup.mdx                     | 2 +-
 3 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/docs/get-started/tutorials/github-sandbox.mdx b/docs/get-started/tutorials/github-sandbox.mdx
index 63c895147..7c76d4e41 100644
--- a/docs/get-started/tutorials/github-sandbox.mdx
+++ b/docs/get-started/tutorials/github-sandbox.mdx
@@ -33,10 +33,8 @@ This tutorial requires the following:
 
 This tutorial uses two terminals to demonstrate the iterative policy workflow:
 
-| Terminal | Purpose |
-|---|---|
-| Terminal 1 | Use the sandbox terminal to create the sandbox with `openshell sandbox create` and interact with Claude Code. |
-| Terminal 2 | Use a terminal outside the sandbox on your machine to view sandbox logs with `openshell term` and apply an updated policy with `openshell policy set`. |
+- **Terminal 1**: The sandbox terminal. You create the sandbox in this terminal by running `openshell sandbox create` and interact with Claude Code inside it.
+- **Terminal 2**: A terminal outside the sandbox on your machine. You use this terminal for viewing the sandbox logs with `openshell term` and applying an updated policy with `openshell policy set`.
 
 Each section below indicates which terminal to use.
 
diff --git a/docs/index.mdx b/docs/index.mdx
index 40c4f1cef..91aba803d 100644
--- a/docs/index.mdx
+++ b/docs/index.mdx
@@ -137,7 +137,7 @@ Keep inference traffic private by routing API calls to local or self-hosted back
 <Badge intent="tip" minimal outlined>Concept</Badge>
 </Card>
 
-<Card title="Observability" href="/observability/logging">
+<Card title="Observability" href="/observability">
 
 Understand sandbox logs, access them with the CLI and TUI, and export OCSF JSON records.
 
diff --git a/docs/kubernetes/setup.mdx b/docs/kubernetes/setup.mdx
index fa1eedccd..6ac1caaaf 100644
--- a/docs/kubernetes/setup.mdx
+++ b/docs/kubernetes/setup.mdx
@@ -1,7 +1,7 @@
 ---
 # SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
-title: "Get Started on Kubernetes"
+title: "Set Up OpenShell on Kubernetes"
 sidebar-title: "Setup"
 description: "Deploy the OpenShell gateway to a Kubernetes cluster using the official Helm chart from GHCR."
 keywords: "Generative AI, Cybersecurity, Kubernetes, Helm, Gateway, Deployment, OCI, GHCR, Installation"