OpenAI Agents SDK update with sandboxing and open-source harness

Strategic Overview

  • 01. OpenAI released a major update to its Agents SDK on April 15, 2026, introducing native sandbox execution and an enhanced model-native harness aimed at enterprise agent development.
  • 02. The SDK separates the control harness from the compute layer so credentials stay out of the environments where model-generated code actually runs.
  • 03. Sandboxes give agents an isolated, Unix-like workspace with a filesystem, shell, installed packages, mounted data, exposed ports, snapshots, and controlled external access, described via a portable Manifest abstraction.
  • 04. The new harness and sandbox capabilities launch first in Python, with TypeScript support planned for a later release, and are offered to all customers via the API at standard pricing.

The Split That Matters: Harness Above, Sandbox Below

The single most consequential shift in this release is architectural, not featural. Previous Agents SDK deployments tended to collapse the orchestration logic and the execution environment into the same process — the code that decided what an agent should do next also ran whatever the model wrote. OpenAI has now pulled those apart. The harness, which holds plans, tool definitions, memory, and credentials, stays in the developer's trusted environment. The sandbox, which runs model-generated shell commands and code, lives on a separate compute backend — Cloudflare, Vercel, Modal, E2B, Blaxel, Daytona, Runloop, Docker, or a local Unix option.

What falls out of that split is a security posture that was awkward to achieve before: 'No API keys, no secrets in that sandbox. You want it to be totally isolated — probably isolated from the network in a lot of cases,' as an OpenAI representative told The New Stack. If the sandbox gets compromised by a prompt injection or a misbehaving tool call, it doesn't have the credentials to do anything interesting. The harness is where auth lives; the sandbox is where risk is contained. The Manifest abstraction — a portable description of a fresh sandbox's starting contents — is the mechanism that lets the same agent code target any of the eight integrated providers without rewriting infrastructure glue.
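
The credential boundary described above, as an added example (not code from OpenAI or the Agents SDK): a local subprocess stands in for the remote sandbox backend, and the secret name, its value and the environment allow-list are constructed for illustration. It demonstrates only the "no secrets in the sandbox" property, not network or filesystem isolation.

```python
import os
import subprocess
import tempfile

# Constructed secret standing in for a real API key held by the harness.
HARNESS_SECRETS = {"EXAMPLE_API_KEY": "sk-constructed-not-a-real-key"}
# Only these variables are ever passed to the sandbox child (assumed allow-list).
SANDBOX_ENV_ALLOWLIST = ("PATH", "LANG")


def sandbox_env(parent_env):
    """Build the child's environment from an allow-list, never by copy-and-delete."""
    return {k: parent_env[k] for k in SANDBOX_ENV_ALLOWLIST if k in parent_env}


def run_in_sandbox(command, parent_env, timeout=5):
    """Run a model-generated shell command in a throwaway directory with a scrubbed env."""
    with tempfile.TemporaryDirectory() as workdir:
        proc = subprocess.run(
            ["/bin/sh", "-c", command],
            cwd=workdir,
            env=sandbox_env(parent_env),
            capture_output=True,
            text=True,
            timeout=timeout,
        )
    return proc.returncode, proc.stdout + proc.stderr


def leaked_secrets(output, secrets):
    """Return the names of harness secrets whose values appear in sandbox output."""
    return sorted(name for name, value in secrets.items() if value in output)


def harness_step(command):
    """Harness side: holds the secrets, delegates execution, checks output before use."""
    parent_env = dict(os.environ, **HARNESS_SECRETS)  # what the harness process sees
    code, output = run_in_sandbox(command, parent_env)
    return {"exit": code, "leaks": leaked_secrets(output, HARNESS_SECRETS), "output": output}


if __name__ == "__main__":
    # Constructed stand-in for an injected command that dumps the environment.
    result = harness_step("env; echo key=$EXAMPLE_API_KEY")
    print(result["exit"], result["leaks"])
```

Building the child environment from an allow-list fails closed: a secret added to the harness later is excluded by default, whereas a deny-list would pass it through until someone remembered to update it.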

Why The Timing: Agents That Run For Days, Not Steps

The release reads like a routine SDK update until you stack it against how model capability has shifted. OpenAI frames the change in blunt terms: earlier-generation agents 'could take five, six, seven steps maybe in a workflow, but not really go beyond that,' while current models 'can kind of work for hours at a time or days or weeks.' That is a two- to three-order-of-magnitude jump in runtime horizon, and it breaks the assumptions of an in-process harness. A five-step agent can live inside a single function call. A five-day agent cannot — it needs durable state that survives process restarts, human approvals, and weekend outages.

That is what the new RunState, session_state, and snapshot primitives are for. RunState snapshots serialize to JSON, so a long-horizon workflow can pause for a compliance review, resume on a different worker, or replay after a crash. Before this, the standard workaround was to bolt on an external durable-execution system — the AI Engineer talk 'OpenAI + Temporalio: Building Durable, Production Ready Agents' illustrates the pattern, with Temporal framing itself as the orchestration brain agents were missing. Bringing snapshotting in-house changes the calculus: durability is no longer an integration, it is a primitive. Independent orchestration vendors now have to argue why an external system is still worth the wire-up.

Three Theories Of Where Agent Value Lives

The most interesting reaction on X is not cheerleading but a live strategic disagreement about what an agent platform even is. One widely-circulated framing contrasts three bets: Anthropic's (the model and the harness are one integrated product, as with Claude Code); OpenAI's (the model is a commodity, the harness is open, and the sandbox is bring-your-own); and Cursor's (any model, any harness, value accrues to the IDE layer). The OpenAI release is the clearest statement yet of the middle bet — it open-sources the orchestration scaffolding and invites every sandbox vendor onto an equal footing.

One widely-shared developer-side framing on X pushed the point further: 'the real product is no longer the model. It's the control plane around the model.' If that read is right, the winners of this release are infrastructure players who can plug into the Manifest interface and the losers are single-purpose 'agent framework' startups whose moat was orchestration glue. The partners OpenAI lists — Cloudflare, Vercel, Modal, E2B, and peers — benefit today from distribution while accepting that the control plane itself is now owned by OpenAI, not them.

What The Skeptics Are Saying

The update is not receiving uniform applause. On r/AI_Agents, one developer pushed back that 'there's a whole class of agent work that fundamentally can't be sandboxed: anything that needs to interact with native desktop apps through accessibility APIs' — a reminder that Unix-like isolation is a poor fit for Windows automation, operator-style screen control, or anything else whose value is specifically that it touches the real machine. A Vercel-adjacent comment flagged the other structural objection: Claude's and OpenAI's SDKs 'lock you to one provider,' which is why multi-provider wrappers like the Vercel AI SDK keep pulling interest even as OpenAI expands its own stack. And a running thread of smaller-scale developers argued that 'for small projects, a simple loop around API calls still works fine' — the full harness/sandbox machinery is overhead nobody asked for below a certain complexity threshold.

There are narrower but concrete gaps too. TypeScript developers do not get the new harness and sandbox APIs on day one; Python ships first, TypeScript is 'planned for a later release.' For teams whose agent code already lives in Node, that is a non-trivial wait. And the sandbox-provider comparison work being done on Reddit — ranking systems like SmolVM, Microsandbox, OpenSandbox, and E2B on snapshotting, fork/clone, and pause/resume — suggests the eight-provider roster is less commoditized than the uniform Manifest interface implies. Snapshot semantics in particular vary, and 'portable' will only be as real as the lowest-common-denominator feature set.

By The Numbers
Day-one integrations and compatibility in OpenAI's April 15, 2026 Agents SDK update

The quantitative shape of the release tells the consolidation story clearly. Eight integrated sandbox providers ship on day one — Blaxel, Cloudflare, Daytona, Docker, E2B, Modal, Runloop, and Vercel — plus a Unix-local option for development. Four enterprise cloud storage backends are mountable directly into sandboxes: AWS S3, Google Cloud Storage, Azure Blob Storage, and Cloudflare R2, which covers essentially the full set of object stores a Fortune-500 buyer is likely to already run. The SDK is also advertised as compatible with 100+ non-OpenAI LLMs via Chat Completions-compatible endpoints, which positions the harness as deliberately model-agnostic even as it is published by a model vendor.

The most striking number, though, is the one that isn't a unit count: the agent-workflow horizon has moved from roughly five to seven steps under previous-generation models to hours, days, or weeks of continuous autonomous work under current frontier models. Every other design decision in this release — snapshots, configurable memory, isolated compute, mountable cloud storage — follows from that single shift. If you only read one data point out of this launch, read that one.

Historical Context

  • 2024-10: Released Swarm, an experimental multi-agent framework that became the precursor to the Agents SDK.
  • 2025-03-11: Launched the Responses API and the first production Agents SDK, replacing Swarm with built-in tracing, handoffs, and tool use.
  • 2026-04-15: Published the 'next evolution' update adding sandboxed execution, configurable memory, snapshotting, and multi-provider support.

Power Map

Key Players

OpenAI

Vendor releasing the updated Agents SDK and positioning it as the orchestration layer for enterprise agents on top of the Responses API. Its decision to keep the harness open-source and provider-agnostic sets the default shape of the ecosystem.

Cloudflare, Vercel, Modal, E2B

First-wave integrated sandbox providers whose runtimes are wired in via dedicated clients; they gain distribution from the SDK while ceding the orchestration layer to OpenAI. Cloudflare also supplies R2 as a mountable data backend.

Blaxel, Daytona, Runloop, Docker

Additional integrated sandbox providers supported out of the box alongside a Unix-local option for development, broadening portability of the Manifest abstraction across infrastructure choices.

Enterprise developers

Primary audience demanding isolated, network-restricted environments with no secrets in the sandbox; their compliance posture is the reason the harness/compute split exists in this shape.

Third-party agent framework vendors

Indirect losers whose differentiation narrows as OpenAI ships first-party orchestration scaffolding, persistent state, and provider-agnostic sandboxing in a single supported stack.

THE SIGNAL.

Analysts

"Frames sandboxing as an enterprise-deployment requirement: 'No API keys, no secrets in that sandbox. You want it to be totally isolated — probably isolated from the network in a lot of cases.'"

OpenAI product/engineering representative
OpenAI, interviewed by The New Stack

"Argues the model step-count has expanded dramatically: earlier agents 'could take five, six, seven steps' in a workflow, but current frontier models 'can kind of work for hours at a time or days or weeks,' which is what motivates the new harness and durable state."

OpenAI product/engineering representative
OpenAI, interviewed by The New Stack

"Identifies unsupervised agent behavior as the central risk the sandbox mitigates: 'running agents in a totally unsupervised fashion can be risky due to their occasionally unpredictable nature.'"

TechCrunch
Technology publication

"Characterizes the update as 'orchestration scaffolding for complex, multi-step tasks. Developers bring their own infrastructure; the harness provides persistent state' — framing the release as consolidation of previously fragmented open-source agent plumbing."

OpenLink Software
Industry commentator

"Reads the SDK as a strategic play to collapse the multi-framework, multi-vector-DB agent tooling stack into a single standardized platform controlled by OpenAI."

VentureBeat analysis
Technology publication

The Crowd

"Build long-running agents with more control over agent execution. New capabilities in the Agents SDK: • Run agents in controlled sandboxes • Inspect and customize the open-source harness • Control when memories are created and where they're stored"

@OpenAIDevs

"Bring your own environment. The Agents SDK now supports sandbox execution with providers including @Cloudflare @Vercel @modal @e2b, and more. Keep files, credentials, and execution state in your environment while passing approved context to the model."

@OpenAIDevs

"OpenAI just turned the Agents SDK into a long-running agent runtime with sandbox execution and direct control over memory and state. Before this, developers often had to stitch together 3 separate pieces themselves: the model loop, the machine where code runs, and the memory or state that lets a task continue later. That sounds small, but it is usually where agents fail, because a model may know what to do yet still lose files, lose progress, leak secrets, crash mid-task, or restart from scratch. The new SDK gives one standard setup for that missing layer: a harness that manages the agent loop, plus a sandbox where the risky work happens, plus control over when memory is created and where it is stored. Runs can now survive pauses and failures through snapshotting and rehydration. Developers can inspect the open-source harness, choose when memories are written and where they live, and use Cloudflare, Vercel, Modal, E2B, or their own environment."

@rohanpaul_ai

"I compared sandbox options for AI agents. Here's my ranking."

@u/aniketmaurya13

Broadcast
OpenAI + @Temporalio : Building Durable, Production Ready Agents - Cornelia Davis, Temporal

OpenAI's BRAND NEW Agents SDK (Crash Course)

Temporal + OpenAI Agents SDK Demo: Build Production-Ready Agents, Fast