OpenAI Agents SDK 0.17 Makes Sandbox Boundaries and Realtime Defaults Part of the Agent Contract

OpenAI’s Agents SDK 0.17.0 is a small release with the kind of implications that only show up after a system has users: defaults moved, sandbox boundaries tightened, and a previously implicit filesystem contract became explicit. That is the right direction. Agent frameworks are no longer cute wrappers around chat completions; they are runtimes that assemble files, tools, model sessions, and third-party instructions into something close enough to executable infrastructure that pretending otherwise is negligence.

The release, published on May 8, changes the default model for RealtimeAgent to gpt-realtime-2 and hardens local source materialization for sandbox manifests around a concrete base_dir. The changelog is short, but the signal is not. OpenAI is saying two things at once: realtime agents now have a new default behavioral and cost profile, and sandbox manifests should not be allowed to wander around the host filesystem unless the application grants that access deliberately.

The default model change is not just a convenience bump

Changing RealtimeAgent to default to gpt-realtime-2 will be received by many developers as a routine upgrade. It is not. Defaults are production decisions when they sit inside agent constructors. If an application creates realtime agents without pinning a model, its behavior just changed: latency, response shape, tool-calling patterns, reasoning effort, audio handling, and cost can all move under the application without a corresponding code change.

OpenAI’s model page lists gpt-realtime-2 pricing at $4.00 per million text input tokens, $24.00 per million text output tokens, $32.00 per million audio input tokens, and $64.00 per million audio output tokens. That is not trivia. Realtime systems often hide cost in long sessions, partial turns, retries, audio streams, and parallel tool calls. A developer who thinks “the SDK default got better” may be right technically and wrong operationally if their budget assumptions were built around the previous default path.

PR #3190, merged at 06:24 UTC on May 8, changed 15 files with 103 additions and 46 deletions. Its scope was exactly where production surprises live: update websocket realtime defaults, expose session settings for reasoning and parallel tool calls, and refresh docs and examples so new integrations start on gpt-realtime-2. That is useful, but it should push teams toward explicit configuration. If the user experience depends on voice latency or deterministic tool behavior, pin the model. If the business model depends on predictable audio-token economics, pin the model. “Whatever the SDK currently means” is not a deployment strategy.

The sandbox fix is the larger story

The more important change is PR #3177, merged one minute after the realtime work. It changed 7 files with 504 additions and 55 deletions and fixes issue #3169 by preventing LocalFile and LocalDir from reading host files outside the manifest base_dir by default. The release now requires LocalFile.src and LocalDir.src to remain inside the materialization base directory unless covered by explicit Manifest.extra_path_grants.

That may sound like file-copy plumbing. It is actually the right mental model for agent security. Modern agent systems increasingly build their workspaces from manifests: copy this source tree, mount that directory, include these docs, execute this tool, write artifacts over there. Those manifests may be generated by internal software, imported from templates, produced by a model, installed as a skill, or pulled from a repository. Once a manifest can influence which host files enter the sandbox, it becomes part of the runtime trust boundary.

OpenAI’s migration path is explicit: trusted host roots should be granted with SandboxPathGrant, preferably read_only=True when the sandbox only needs read access. The warning in the release is the sentence worth taping to the monitor: “Treat extra_path_grants as trusted application configuration. Do not populate grants from model output or other untrusted manifest input unless your application has already approved those host paths.” That is not boilerplate. That is the entire threat model.

If the model can decide which host path receives a grant, the boundary has already failed. If a downloaded skill can request access to ~/.ssh, /var/run, application secrets, or a neighboring project directory and the application grants it automatically, the sandbox becomes a stage prop. Default-deny outside base_dir is the right framework posture because it forces developers to convert hidden host reads into reviewable configuration.

What builders should change this week

First, audit every RealtimeAgent instantiation. If it does not pin a model, decide whether taking gpt-realtime-2 by default is intentional. For prototypes, the new default is fine. For production, it should be a conscious migration with latency tests, audio-cost review, and tool-call regression checks.

Second, inspect sandbox manifests for local file and directory sources that point outside the working root. Some of them will be legitimate: shared fixtures, documentation directories, internal templates, or generated assets. Those now need explicit grants. That is migration friction, but it is healthy friction. Host filesystem access was always security-sensitive; the SDK merely made the contract visible.

Third, separate model-authored content from application-authored policy. A model can propose that it needs a file. It should not grant itself the path. A user, service policy, allowlist, or application layer should approve the boundary crossing. This is the same lesson the industry keeps relearning across tool calls, MCP servers, browser automation, and package installation: untrusted instructions may request capabilities, but trusted code must decide whether they get them.
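The following is an added example, not code from the SDK, the release, or OpenAI: a minimal Python model of the default-deny rule described for PR #3177 and of the third step above, in which grants come only from application configuration and never from the manifest or the model. The names LocalFile, LocalDir, Manifest, extra_path_grants, SandboxPathGrant, read_only and base_dir are taken from the release notes quoted above; PathPolicyError, resolve_host_path, check_source, check_manifest, demo and the constructed temporary directory layout are assumptions of this example and not the SDK's API.

```python
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


class PathPolicyError(Exception):
    """Assumed exception: a manifest source would read outside the allowed roots."""


@dataclass(frozen=True)
class SandboxPathGrant:
    host_path: str          # trusted host root; comes from application config only
    read_only: bool = True  # prefer read_only=True when the sandbox only reads


@dataclass(frozen=True)
class LocalFile:
    src: str   # host path to copy into the sandbox
    dest: str  # destination inside the sandbox


@dataclass(frozen=True)
class LocalDir:
    src: str
    dest: str


@dataclass
class Manifest:
    base_dir: str
    sources: list = field(default_factory=list)            # LocalFile / LocalDir
    extra_path_grants: list = field(default_factory=list)  # SandboxPathGrant


def _is_within(path: Path, root: Path) -> bool:
    """True if path equals root or lies beneath it (both already resolved)."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def resolve_host_path(base_dir: str, src: str) -> Path:
    """Resolve a manifest src the way a materializer would: relative paths are
    anchored at base_dir, and symlinks and '..' are collapsed so that
    'src/../../secrets' cannot pose as an in-tree path. An absolute src
    replaces base_dir, which is exactly why the containment check is needed."""
    return (Path(base_dir).resolve() / src).resolve()


def check_source(manifest: Manifest, src: str, needs_write: bool = False) -> Path:
    """Return the resolved host path if the policy allows it, else raise.

    Default-deny: anything outside base_dir is rejected unless an
    application-supplied grant covers it (and allows writes when needed).
    """
    base = Path(manifest.base_dir).resolve()
    target = resolve_host_path(manifest.base_dir, src)
    if _is_within(target, base):
        return target
    for grant in manifest.extra_path_grants:
        root = Path(grant.host_path).resolve()
        if _is_within(target, root):
            if needs_write and grant.read_only:
                raise PathPolicyError(f"{src}: grant for {root} is read-only")
            return target
    raise PathPolicyError(f"{src} resolves to {target}, outside base_dir and all grants")


def check_manifest(manifest: Manifest) -> list[Path]:
    """Validate every LocalFile/LocalDir source before anything is copied."""
    return [check_source(manifest, s.src) for s in manifest.sources]


def demo() -> dict[str, str]:
    """Exercise the policy on a constructed host layout in a temp directory."""
    outcomes: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as host:
        work, shared, secret = (Path(host) / n for n in ("work", "shared", "secrets"))
        for d in (work / "src", shared, secret):
            d.mkdir(parents=True)
        (work / "src" / "app.py").write_text("print('hi')\n")      # constructed
        (shared / "cases.json").write_text("[]\n")                  # constructed
        (secret / "token").write_text("constructed-secret\n")       # constructed
        (work / "link").symlink_to(secret)  # in-tree symlink pointing outside
        manifest = Manifest(
            base_dir=str(work),
            sources=[LocalFile("src/app.py", "/app/app.py"), LocalDir("src", "/app")],
            # trusted grant from application config, not from the manifest author
            extra_path_grants=[SandboxPathGrant(str(shared), read_only=True)],
        )
        cases = {
            "in_tree": ("src/app.py", False),
            "dotdot_escape": ("src/../../secrets/token", False),
            "absolute_escape": (str(secret / "token"), False),
            "symlink_escape": ("link/token", False),
            "granted_read": (str(shared / "cases.json"), False),
            "granted_write": (str(shared / "cases.json"), True),
        }
        for name, (src, write) in cases.items():
            try:
                check_source(manifest, src, needs_write=write)
                outcomes[name] = "allowed"
            except PathPolicyError:
                outcomes[name] = "denied"
        outcomes["manifest"] = "allowed" if len(check_manifest(manifest)) == 2 else "denied"
    return outcomes
```

The check resolves both the candidate path and every root before comparing them, so a relative path with `..`, an absolute path, and a symlink planted inside the tree all land in the same code path and are judged by where they actually point. Grants are objects the application constructs; nothing in `Manifest.sources` can add one, which is the separation the third step asks for.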

The broader pattern is what matters. Agent SDKs are becoming operating environments, not helper libraries. Their defaults decide model behavior. Their manifests decide filesystem access. Their examples become production architecture by copy-paste. OpenAI’s 0.17 release is good because it tightens one of those boundaries while making another default more capable. Teams should accept the hardening and distrust the convenience until they have measured it.

Sources: OpenAI Agents SDK v0.17.0 release, PR #3177, PR #3190, OpenAI gpt-realtime-2 model documentation