OpenAI Agents SDK Turns Absolute Sandbox Paths Into a Coding-Agent Trust Boundary

The OpenAI Agents SDK just patched the kind of bug nobody puts on a conference slide and everybody depends on in production: a sandbox path invariant.

PR #3422 changes WorkspacePathPolicy so it rejects relative sandbox workspace roots. The stated problem is simple: the helper methods are documented and used as absolute sandbox path helpers, but a configuration like root="workspace" could make normalize_path("file.py") return workspace/file.py instead of an absolute sandbox path. That sounds small until you remember what sandbox agents are supposed to do: inspect files, run commands, apply patches, and carry workspace state across longer tasks.

In other words, the path helper is not plumbing. It is part of the trust boundary.

The PR was created on May 15 and merged on May 16. The code now raises ValueError("sandbox workspace root must be absolute") when both Path(root) and coerce_posix_path(root) are non-absolute. It also adds a regression test, test_workspace_path_policy_rejects_relative_root(), to lock the behavior. The validation list is reassuringly ordinary: pytest for sandbox path tests, Ruff for the sandbox code, and Pyright for type checking. This is what serious agent framework work increasingly looks like: not one more benchmark chart, but path normalization with tests.

Relative roots are how invariants start leaking

A relative sandbox root is not automatically an exploit. That is the wrong way to read this fix. The issue is that relative roots weaken an invariant other layers may already rely on: sandbox paths are rooted under one absolute workspace. Once that guarantee becomes fuzzy, downstream code starts making assumptions that may be true in one provider, false in another, and dangerously misleading in approval surfaces.

Consider what happens in a real coding-agent loop. The model proposes a file operation. A tool normalizes the path. A sandbox backend maps it into a container or workspace. A UI displays it to a human. A trace records it. A later patch application or command execution uses the path again. If the path is relative at the wrong layer, it may be joined against a different current working directory, compared incorrectly against an allowlist, rendered ambiguously in an approval prompt, or interpreted differently by host and container code.

That is why rejection is the right fix. Do not try to infer what the user meant by a relative sandbox root. Do not normalize your way into confidence. Fail early, loudly, and with a test. In security-sensitive framework code, ambiguity is not flexibility. It is debt with a fuse.

The adjacent same-hour PR #3424, which normalized leading question marks in exposed port queries so providers passing query="?token=..." would not produce ??token=..., fits the same pattern. Agent sandboxes are full of boring edges: filesystem paths, exposed ports, URL query strings, workspace mounts, process environments, and host/container translation. Those edges become product features the moment users delegate real work to an agent.

Sandbox agents make old systems problems newly visible

The OpenAI Agents SDK describes itself as a framework for multi-agent workflows with agents, sandbox agents, agents-as-tools, handoffs, MCP and hosted tools, guardrails, human-in-the-loop, sessions, tracing, and realtime agents. That breadth matters because the sandbox is no longer a narrow utility. It is where model intent meets operating-system reality.

A sandbox agent that can edit a repository is not just answering questions. It is acting through a permissions layer. Every ambiguity in that layer changes what the user has actually delegated. Absolute path invariants help humans reason about those delegations. They also help policy code, audit logs, and provider backends agree on what happened.

This is the piece many coding-agent comparisons still miss. Claude Code vs Codex vs Cursor vs Gemini CLI vs DeepAgents is not only a model-quality or editor-UX contest. It is a runtime-mechanics contest. Which files can the agent touch? Are approvals tied to absolute paths or pretty labels? Can the sandbox backend drift from the UI’s workspace model? Are path traversal, symlink behavior, host/container mapping, and command working directories covered by tests? What happens when an MCP tool returns a path? What happens when the agent writes a patch in one directory and runs tests in another?

The winning tools will not be the ones that merely produce good diffs. They will be the ones whose authority is understandable before the diff exists.

What practitioners should take from this

If you use the OpenAI Agents SDK sandbox APIs, audit your workspace root configuration. Treat relative roots as invalid in your own wrappers too, even if a framework version allows them somewhere else. Display absolute paths in approval prompts when file operations matter. If you collapse paths for readability, keep the absolute target available in traces and logs so an operator can reconstruct what actually happened.

If you are building your own sandbox layer, add regression tests for the unglamorous cases: relative roots, .. segments, symlinks, host-to-container path mapping, case sensitivity, workspace prefixes that share names, and command execution from unexpected working directories. Test what the UI says against what the backend does. The approval surface is only trustworthy if it is bound to the same normalized object the executor uses.

Also resist the temptation to treat sandbox correctness as a provider problem. Frameworks can harden defaults, but application code still composes tools, mounts workspaces, stores sessions, passes paths through MCP servers, and displays approvals. Every one of those is a chance to break the invariant again. The model does not need to be malicious for that to matter. Long-horizon automation finds edge cases through volume.

The broader industry signal is clear: agent frameworks are entering the phase where boring security mechanics become differentiators. Deserialization hardening, SSRF guards, prompt-manifest trust boundaries, streamed tool-call visibility, and sandbox path invariants are all part of the same story. Agents are finally being treated less like chat demos and more like software processes that need operating constraints.

That is good news. It is also overdue. If an agent can run commands and edit files, absolute path handling is not an implementation detail. It is the line between “the user approved this action” and “the user approved some text that resembled this action.” OpenAI’s fix is small, but it points in the right direction: make the sandbox contract strict enough that higher layers can safely build on it.

Sandbox correctness is now a coding-agent feature. The teams that understand that will ship tools engineers can trust. The teams that do not will keep rediscovering that a pretty chat transcript is not a security boundary.

Sources: OpenAI Agents SDK PR #3422, OpenAI Agents SDK repository, OpenAI sandbox agents documentation, exposed-port query normalization PR #3424