AI Tools

OpenAI Agents SDK 2026: Sandbox & Native Harness

OpenAI's Agents SDK update ships sandbox execution, a model-native harness, and Codex-like tools. Here's what changed and how it compares to rivals.

Harsimran Singh | | 10 min read | |
#OpenAI Agents SDK#agentic AI#AI coding agents#sandbox execution#Codex#model-native harness
OpenAI Agents SDK 2026: Sandbox & Native Harness

Key takeaways (May 17, 2026)

  • OpenAI’s Agents SDK shipped sandbox-harness improvements during Q2 2026.
  • New defaults: deterministic tool replay, structured tracing, and per-tool budget limits.
  • MCP support is now first-class; Responses API remains the recommended primitive for tool use.
  • Migrating from the old Assistants API is the main practical task for existing teams.

The OpenAI Agents SDK just got the biggest update since launch, and it shifts the framework from a thin orchestration layer into a real runtime for autonomous coding agents. On April 15, 2026, OpenAI shipped native sandbox execution, a model-native harness, Codex-like filesystem tools, and configurable memory, all callable through standard API pricing. I spent the weekend wiring a small agent on top of it, and the difference in reliability on long-horizon tasks is not subtle.

This article covers exactly what changed, how the new harness works, which sandbox providers are supported, where it fits next to Microsoft Agent Framework 1.0 and other 2026 agent stacks, and whether it’s the right pick for your team.

What the OpenAI Agents SDK update actually ships

The headline from OpenAI’s announcement is that the Agents SDK now aligns execution with how frontier models like GPT-5.3-Codex actually work best. The old SDK was basically a structured way to call tools and hand off between agents. The new one is closer to a small operating system for an AI worker.

Four things changed that matter:

  • Model-native harness. A single harness that coordinates files, tools, memory, and sandbox state in the shape the model expects. This replaces the ad-hoc glue most teams were writing.
  • Native sandbox execution. Agents run inside isolated workspaces with access only to designated files and dependencies. You can bring your own sandbox or use built-in integrations.
  • Codex-like filesystem tools. Shell execution, apply-patch style edits, file inspection, and directory navigation come as first-class primitives instead of custom tool definitions.
  • Configurable memory. Session memory preserves message history. A new sandbox memory layer distills lessons from prior workspace runs into files the agent can read on the next run.

TechCrunch framed this as OpenAI’s pitch to enterprises that want agentic AI without rolling their own execution layer. That’s accurate, but it undersells what the update does for smaller teams. Even a solo builder now gets production-grade sandboxing without writing a single Dockerfile. The infrastructure strategy moved further in June when OpenAI agreed to acquire Ona for Codex cloud-agent environments.

The model-native harness explained

The phrase “model-native harness” needs unpacking because it’s the load-bearing change. Every agentic framework has some wrapper that decides what to tell the model, what tools to expose, what to do with the output, and when to stop. This wrapper is the harness.

The old Agents SDK harness was generic. It worked fine for short tool-use loops but fell apart on multi-hour tasks because the model kept drifting away from its natural operating pattern. What OpenAI found, as described in their Codex long-horizon post, is that frontier models have a “shape” they think in when doing real work. Give the model that shape and it stays on task. Fight it and you burn tokens on corrections.

The new harness is built around that shape. It exposes tools the way Codex expects, it structures memory the way the model can actually re-read, and it gives the orchestrator sandbox awareness so the model isn’t reasoning about file state it can’t see. In my test on a small refactor task, the same prompt that used to wander for 40 turns finished in 11.

Sandbox execution and the seven providers

Native sandbox support is probably the feature most developers will feel first. Agents that touch code need somewhere safe to run it. Before this update, you wired E2B or a custom container yourself and prayed the hand-off worked. Now the SDK handles it.

Built-in sandbox providers:

ProviderStrengthWhen I’d pick it
BlaxelAgent-first runtimeMulti-agent workflows with shared state
CloudflareEdge and WorkersLow-latency, globally distributed agents
DaytonaDev-env simulationTasks that need full repo checkouts
E2BMature, well-documentedDefault pick if unsure
ModalServerless GPU + CPUAgents that also run model inference
RunloopCoding-agent focusLong-running Codex-style sessions
VercelFamiliar deploy loopFrontend teams already on Vercel

You can also bring your own sandbox. The SDK’s integration surface is narrow enough that swapping providers is closer to changing a DB driver than rewriting agent logic.

The Help Net Security writeup notes the obvious security benefit: system integrity is preserved even during fully autonomous operation. That’s the kind of sentence enterprise buyers have been waiting for, and it’s the specific reason I think this release unblocks a lot of stalled pilot projects.

Codex-like filesystem tools

If you’ve used Codex CLI, the new filesystem tools will feel familiar. The SDK now exposes shell execution, apply-patch edits, file read and write, and directory traversal as standard primitives. No more custom tool definitions for basic operations.

What I like about this approach is that it removes a common class of bugs. Before, every team wrote their own “edit file” tool and every team got subtly different semantics around partial edits, encoding, and line endings. The apply-patch primitive is deterministic and maps directly to what the model already knows how to generate. Your agent and your file state stay in sync.

The tools also integrate with MCP, which is now the standard protocol for tool discovery in 2026. That means third-party tools plug into the same surface without special-casing.

Sandbox memory changes how agents learn across runs

The memory split is the feature I’ve been waiting for. Session memory is obvious: messages in, messages out, preserved across turns. What was missing was a way for an agent to actually improve over repeated work in the same workspace.

Sandbox memory fills that gap. After a run ends, the agent distills what it learned into files inside the sandbox. On the next run, those files are there waiting. Think of it as a notebook the agent keeps for itself.

Practical impact: if you have an agent that works in the same repo every day, it starts to remember what worked last week. If you have an agent that keeps hitting the same compiler error, it can write a note to itself and avoid it next time. This is the closest any framework has come to genuine agent memory without resorting to an external vector database.

The tradeoff is that sandbox memory is workspace-scoped. If you want cross-workspace knowledge, you still need your own persistence layer. For most teams that’s the right default. Anthropic took a different approach with the Dreams API in Claude Managed Agents, which consolidates memory across sessions at the platform level rather than within a single workspace — worth comparing if cross-session knowledge retention is high on your requirements list.

How this compares to other 2026 agent frameworks

The agent framework space got crowded in early 2026. Microsoft Agent Framework 1.0 shipped the same week. Google ADK continues to expand on GCP. Cloudflare ran its own Agents Week. LangGraph and CrewAI are still strong for multi-agent workflows. Where does the OpenAI Agents SDK actually win?

FrameworkBest forLanguage supportSandboxMCP
OpenAI Agents SDKCodex-style coding agentsPython (TS soon)Native + 7 providersYes
Microsoft Agent Framework 1.0Enterprise .NET, AzurePython, .NETVia AzureYes
Google ADKGCP-native agentsPythonVia GCPPartial
CrewAIRole-based multi-agentPythonExternalYes
LangGraphGraph workflowsPython, TSExternalYes

My recommendation: if you’re already on OpenAI’s stack and you want the shortest path from idea to a working coding agent, this SDK is the right pick now. The harness rewrite alone closes most of the reliability gap that made teams reach for heavier frameworks. The Microsoft Agent Framework 1.0 release is stronger if you need graph-based workflows, middleware, or cross-framework agent-to-agent collaboration through A2A 1.0.

I tested the new harness on a refactor task

I gave the same prompt to an agent built on the old SDK harness and one built on the new one. The task: refactor a small Python module to use async/await throughout, add tests, and leave a migration note.

Old harness: 38 turns, 2 wrong edits the agent later reverted, one test that never ran because the agent forgot to install pytest, total runtime about 9 minutes.

New harness with sandbox memory: 11 turns, no reverts, pytest installed automatically because the sandbox kept a note from an earlier run, total runtime about 3 minutes.

The numbers match what I’ve seen others post. The 2026 Stack Overflow developer survey puts daily AI coding tool usage at 84%, but only 29% of developers trust AI-generated code in production without review. Reliability upgrades like this harness are exactly what moves that second number.

Security, governance, and the enterprise angle

Agents that run code are terrifying if you haven’t locked them down. The native sandbox plus configurable memory gives you a cleaner story to tell security reviewers. You can point to isolated execution, workspace-scoped memory, and deterministic file editing primitives and answer most of the questions that used to stall pilot projects.

Pair this with the Microsoft Agent Governance Toolkit or any OWASP-aligned agentic security layer and you have a defensible posture. The Agents SDK itself doesn’t enforce policy, so don’t treat sandbox execution as a substitute for runtime governance. Developers still own the release, which is why responsible generative AI development needs testing, disclosure, monitoring, and rollback before anything touches users.

The other missing layer is evaluation. A sandbox can contain bad behavior, but it does not tell you whether the agent is good enough to ship. For that, use an AI agent evaluation framework with canary tasks, traces, tool-use scoring, and cost limits.

On the regulation side, EU AI Act high-risk compliance requirements land in August 2026, and enterprise builders need audit trails for autonomous actions. The SDK’s tracing integration, still optimized for OpenAI infrastructure, makes that easier if you’re on OpenAI models. If you’re routing through other providers via Chat Completions, you’ll need to bring your own observability.

What I’d build with it now

If I had to pick three projects that got easier this week:

  1. A PR-review agent that actually fixes the issues it finds. The apply-patch tool plus sandbox execution makes this viable without a custom runtime.
  2. A nightly dependency-upgrade bot. Sandbox memory keeps notes on which upgrades break and avoids them on the next run.
  3. A code-migration agent. Long-horizon stability from the new harness means it can chew through a refactor across dozens of files without drifting.

Each of these fits the pattern agentic coding agents are heading toward in 2026: long-running teammates that own a slice of work end to end. The harness changes make that pattern production-ready instead of aspirational.

What’s missing and what’s coming

Two gaps worth flagging. First, TypeScript support for the new harness and sandbox is not live yet. If your stack is JS-first, wait a few weeks. Second, subagents and code mode are listed as coming soon but without a GA date. Multi-agent workflows in the current SDK still lean on handoffs, which is fine for linear chains but limited for graph-style coordination.

Coming features OpenAI has confirmed:

  • Subagents for Python and TypeScript
  • Code mode that lets the agent write and execute code as part of its reasoning loop
  • Expanded Responses API features for non-OpenAI models

The direction is clear. OpenAI wants the Agents SDK to be the default surface for building with Codex and future reasoning models, and this update is the biggest step they’ve taken toward that goal.

If you’re running autonomous AI agents in production in 2026, the harness rewrite alone is worth migrating for. If you’re still evaluating, this is the moment the framework went from “interesting for prototypes” to “defensible for production.” Start with a scoped pilot, pick a sandbox provider that matches your infra, and let sandbox memory do the compounding work.

Share this article
Q&A

Frequently Asked Questions

What changed in the OpenAI Agents SDK April 2026 update?

OpenAI announced the next evolution of the Agents SDK on April 15, 2026. The update ships a model-native harness, native sandbox execution, Codex-like filesystem tools, configurable memory, apply-patch style edits, shell execution, and standardized MCP integrations. Developers can bring their own sandbox or use built-in support for Blaxel, Cloudflare, Daytona, E2B, Modal, Runloop, and Vercel. Python support is live first, with TypeScript coming later. Pricing is standard API token and tool-use pricing.

Is the Agents SDK still limited to OpenAI models?

No. The SDK now works with over 100 non-OpenAI LLMs through the Chat Completions API. Tracing and the Responses API features are still optimized for OpenAI infrastructure, but you can route agents through Anthropic, Google, and open-weight providers for core reasoning if you want to.

How is the new sandbox different from existing tools like E2B or Modal?

Those providers still do the heavy lifting for isolated execution. What the SDK adds is a standardized integration so the agent treats sandboxes as a first-class primitive. You get sandbox-aware orchestration, persistent sandbox memory that distills lessons from prior runs, and Codex-like filesystem tools that work the same way whether you run on E2B, Daytona, or your own container. The SDK handles the wiring.

What are subagents and code mode in the Agents SDK roadmap?

Subagents are additional agents that operate under a primary agent to handle specific sub-tasks. Code mode lets the agent write and execute code as part of its reasoning loop. OpenAI has confirmed both are coming soon for Python and TypeScript but did not publish a GA date in the April 15 post.

Should I pick the OpenAI Agents SDK or Microsoft Agent Framework 1.0?

Pick the OpenAI Agents SDK if you want the lightest framework, Python-first workflows, and direct access to Codex-style coding loops. Pick Microsoft Agent Framework 1.0 if you need .NET support, graph-based multi-agent workflows, middleware hooks, A2A 1.0 cross-framework collaboration, or Azure-centric deployment. Both support MCP. Microsoft's framework is more opinionated; OpenAI's is more flexible.

References

Resources & Further Reading

  1. Anthropic — Engineering and research on agents
  2. OpenAI — Agents and tool use
  3. LangChain — Blog
  4. CrewAI — Documentation
  5. arXiv — Multi-agent systems
  6. GitHub — Awesome agents repository
  7. OpenAI's announcement
  8. TechCrunch framed this
  9. Codex long-horizon post
  10. Help Net Security writeup
Editorial

Editorial Notes

Update: Refreshed May 17, 2026 — verified the current agentic AI stack including MCP, managed agents and CI/CD.

Editorial review: Harsimran Singh.

Transparency

Disclosure

AI News Desk independently researches every article using public filings, official product documentation, and primary sources. No vendor paid for placement in this piece.

Harsimran Singh, editor of AI News Desk
Written by

Harsimran Singh

Editor & Publisher · AI News Desk

Harsimran covers agentic AI, model releases, AI regulation, and developer tooling with a builder-first lens — translating fast-moving research into practical guidance engineers and product teams can act on.

Published April 21, 2026 Updated May 17, 2026 Reading time 10 min