OpenAI Agents JS 0.11.1 Fixes Sandbox Manifest Edges After Tightening Local Artifact Boundaries

OpenAI Agents JS 0.11.1 is the kind of patch release that looks boring until you remember what a sandbox manifest actually is. It is not a preferences file. It is a capability document: which files can enter an agent workspace, which environment values resolve at runtime, which provider lifecycle rules apply, and where the boundary between host and sandbox is supposed to be.

The immediate release fixes two issues: preserving sandbox environment resolvers across manifest merges and aligning Blaxel sandbox behavior with shared sandbox error and lifecycle contracts. The reason those fixes matter is the prior release, 0.11.0, which tightened local sandbox materialization so LocalFile.src and LocalDir.src stay inside the SDK process base directory unless explicitly covered by Manifest.extraPathGrants. OpenAI closed the boundary first, then patched the edge cases. That is how platform hardening usually looks when it is real.

Explicit grants beat magical file copies

The most important phrase in the 0.11.0 notes is “explicit grant.” If a shared skill bundle lives at /opt/company/agent-skills, it now needs an extraPathGrants entry, ideally read-only, before the SDK can materialize it into the sandbox. That is the right default. Agent systems are increasingly built from local artifacts: skill directories, prompt packs, test fixtures, repo templates, generated plans, tool manifests, and provider config. Copying those into an agent workspace without an explicit grant is not convenience. It is ambient authority with a nice developer experience.

That distinction matters because local agent sandboxes are not purely local anymore. A coding agent may be running inside a developer laptop, a remote VM, a CI worker, or a managed provider workspace. It may read a repo, execute commands, call MCP tools, and package artifacts for later review. If the manifest can silently pull host paths into that workspace, the manifest becomes part of the supply chain. A malicious or sloppy skill bundle does not need RCE if it can convince the framework to include sensitive local files in the “normal” sandbox materialization path.

OpenAI’s move is not radical; it is basic least privilege applied to agent artifacts. The useful part is that it makes the grant visible. Teams can review why a directory outside the app base is available, whether it needs write access, and which environments should allow it. That is much easier to audit than a framework that helpfully copies whatever path a manifest mentions because the demo worked better that way.

Manifest merges are security-sensitive code

PR #1275 fixes a subtler problem: mergeManifestDelta rebuilt merged manifest environment values through a serialized environment path. Static strings survived, but resolver-backed values were dropped and became static placeholders after later manifest merges. That sounds like a serialization bug. In an agent sandbox, it is an authority bug.

Resolver-backed environment values usually exist because something should be resolved late. That could be an ephemeral credential, a per-workspace endpoint, a policy-derived token, or a value that should never be committed into a static manifest representation. If a merge turns that resolver into a placeholder, the obvious failure mode is that the sandbox breaks. The nastier failure mode is that developers work around it by making dynamic values static, broadening permissions, or moving secret resolution outside the framework’s intended lifecycle. Security boundaries often rot through compatibility pressure, not through one dramatic exploit.

Fixing this at the merge layer is the correct place. Once a bad manifest has been materialized, downstream code can only guess whether the authority model was intentional. The release notes also say validation covered targeted Vitest tests, core build checks, full pnpm build, recursive build checks, changeset validation, lint, and full tests under sanitized Git config and temp directory settings. That is worth mentioning because sandbox changes need boring validation. A patch that touches manifests and workspace materialization without end-to-end tests is how you get a “security fix” that breaks into unsafe local workarounds.
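As an added illustration (not the SDK's own mergeManifestDelta), the snippet below shows why round-tripping a merged env map through a serialized form drops resolver-backed values, a merge that keeps them, and a post-merge guard of the kind a team could run in tests; all function names and the sample manifests are constructed for this example.

```javascript
// Constructed example, not the SDK's code. A manifest env map holds static strings
// and resolver functions that must be evaluated late. JSON has no representation
// for functions, so a serialized round-trip silently drops them; merging by
// reference keeps them. The resolver below returns a constructed value, not a secret.

// Buggy merge: serializes the merged env, so resolver-backed entries vanish.
function mergeEnvSerialized(base, delta) {
  const merged = { ...base.env, ...delta.env };
  return { ...base, ...delta, env: JSON.parse(JSON.stringify(merged)) };
}

// Fixed merge: copy entries by reference so resolvers survive any number of merges.
function mergeEnvPreserving(base, delta) {
  return { ...base, ...delta, env: { ...base.env, ...delta.env } };
}

// Guard to run after a merge: every key that was resolver-backed before must still
// be resolver-backed after, unless the delta deliberately overrode that key.
// Returns the list of keys whose resolver was lost; an empty list means all kept.
function checkResolversPreserved(before, after, delta) {
  return Object.keys(before.env).filter(
    (k) => typeof before.env[k] === 'function'
      && !(k in (delta.env || {}))
      && typeof after.env[k] !== 'function',
  );
}

// Resolve values only when the sandbox actually starts, never at merge time.
function resolveEnv(manifest) {
  const out = {};
  for (const [k, v] of Object.entries(manifest.env)) {
    out[k] = typeof v === 'function' ? v() : v;
  }
  return out;
}

// Constructed sample manifests: one resolver-backed value, then two later deltas.
const base = {
  env: { LOG_LEVEL: 'info', API_TOKEN: () => 'constructed-token-value' },
};
const delta1 = { env: { LOG_LEVEL: 'debug' } };
const delta2 = { env: { WORKSPACE_URL: 'https://example.invalid/ws' } };
```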

Provider parity is part of the sandbox

PR #1276 aligns Blaxel sandbox behavior with shared contracts. It wraps file-read failures in typed workspace read errors, throws SandboxInvalidManifestPathError for out-of-root workspace paths, converts command timeouts from milliseconds to seconds at the provider boundary, and preserves pauseOnExit identity so delete() can pause and resume() can reattach.

This is another “small” fix with a large production implication. Sandbox abstractions only work if providers obey the same contract. If one provider treats out-of-root paths differently, returns untyped filesystem errors, or interprets timeout units differently, the application no longer has a sandbox policy. It has provider-specific trivia. Teams then add conditional patches around the boundary, and each patch becomes one more place where the boundary can be bypassed or misunderstood.

The timeout conversion detail is especially easy to dismiss until it is not. Milliseconds versus seconds is exactly the kind of mismatch that produces flaky behavior: commands killed too early, commands allowed to run far longer than intended, cleanup paths that only fail under load. In an agent system, timeouts are a control surface. They limit cost, runaway execution, and stuck tool calls. Unit mismatches are not just bugs; they weaken operational guardrails.

For builders using OpenAI Agents JS, the practical work is unromantic. Review every manifest that materializes local source into a sandbox. If it references shared skills, corporate prompt libraries, generated templates, or fixture directories outside the SDK base directory, add explicit extraPathGrants and make them read-only unless write access is genuinely required. Test manifest merges that involve dynamic environment values. Verify provider behavior for out-of-root paths, workspace reads, pauses, resumes, and timeouts before assuming the same policy applies everywhere.

The larger takeaway is that agent frameworks are finally treating filesystem-backed workspaces as security boundaries instead of developer convenience layers. Good. The industry has already learned the hard way that package manifests, CI config, and infrastructure-as-code files are executable enough to deserve review. Agent sandbox manifests belong in the same category. OpenAI Agents JS 0.11.1 is not a flashy release, but it moves the ecosystem away from magical file copies and toward explicit grants. That is the boring kind of progress production agents need.

Sources: OpenAI Agents JS v0.11.1 release, v0.11.0 release, PR #1275, PR #1276