This release includes 2 breaking changes for platform teams planning a safe upgrade.
✓ No known CVEs patched in this version
Topics
Summary
AI summaryRealtimeAgent now defaults to model gpt-realtime-2 and sandbox materialization restricts source paths to the base directory unless explicitly granted.
Full changelog
Key Changes
RealtimeAgent's default is now gpt-realtime-2
Since this version, the default model for RealtimeAgents is gpt-realtime-2: https://developers.openai.com/api/docs/models/gpt-realtime-2
Sandbox local source materialization change
In this version, sandbox local source materialization keeps LocalFile.src and LocalDir.src within the materialization base_dir unless the source path is covered by Manifest.extra_path_grants. The base_dir is the SDK process current working directory when the manifest is applied; relative local sources are resolved from that directory, while absolute local sources must already be inside it or under an explicit grant. This closes a local artifact boundary issue, but it can affect applications that intentionally copy trusted host files or directories from outside that base directory into a sandbox workspace.Expand commentComment on line R24Resolved
To migrate, grant trusted host roots at the manifest level with SandboxPathGrant, preferably as read-only when the sandbox only needs to read those files:
from pathlib import Path
from agents.sandbox import Manifest, SandboxPathGrant
from agents.sandbox.entries import Dir, LocalDir
# This is an absolute host path outside the SDK process base_dir.
TRUSTED_DOCS_ROOT = Path("/opt/my-app/docs")
manifest = Manifest(
extra_path_grants=(
# This host root is outside the SDK process base_dir, so the manifest must grant it.
SandboxPathGrant(path=str(TRUSTED_DOCS_ROOT), read_only=True),
),
entries={
# No grant is needed for local sources that stay under the SDK process base_dir.
"fixtures": LocalDir(src=Path("fixtures"), description="Local test fixtures."),
# This entry reads from the granted host root and copies it into the sandbox workspace.
"docs": LocalDir(src=TRUSTED_DOCS_ROOT, description="Trusted local documents."),
# Dir creates a sandbox workspace directory; it does not read from the host filesystem.
"output": Dir(description="Generated artifacts."),
},
)
Treat extra_path_grants as trusted application configuration. Do not populate grants from model output or other untrusted manifest input unless your application has already approved those host paths.
What's Changed
- feat: default realtime sessions to gpt-realtime-2 by @seratch in https://github.com/openai/openai-agents-python/pull/3190
- fix: #3169 constrain local sandbox artifact sources to base dir by @seratch in https://github.com/openai/openai-agents-python/pull/3177
- fix: Responses context-management extra_args collision by @alfozan in https://github.com/openai/openai-agents-python/pull/3185
Documentation & Other Changes
- Release 0.17.0 by @github-actions[bot] in https://github.com/openai/openai-agents-python/pull/3191
Full Changelog: https://github.com/openai/openai-agents-python/compare/v0.16.1...v0.17.0
Breaking Changes
- Default model for RealtimeAgent changed from previous default to gpt-realtime-2.
- Sandbox local source materialization now confines `LocalFile.src` and `LocalDir.src` within the manifest's `base_dir` unless granted via `Manifest.extra_path_grants`.
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About openai-agents-python
A lightweight, powerful framework for multi-agent workflows
Related context
Related tools
Beta — feedback welcome: [email protected]