Sandbox Permission Boundaries

Treat file inspection, command execution, and code editing as three independent permissions. Scope reads to a whitelisted path set, confine writes to the working directory, and let only allow-listed executables through for commands. Block the network by default and open specific domains only as needed. Any call that steps outside the boundary raises an exception immediately, and zero permission violations becomes a hard deploy-gate condition.

Subagent Isolation

The orchestrator handles planning and approval only; actual execution is delegated to isolated subagents. Each subagent receives a least-privilege token and its own context so that one agent's failure cannot propagate across the session. A failed subagent is reclaimed and restarted by its parent while the higher-level state is preserved.

Model-Native Harness

On 2026-04-15, OpenAI added a model-native harness to the Agents SDK that performs file inspection, command execution, and code editing inside a sandbox, and released AgentKit including Agent Builder. Code mode and subagents are being expanded to Python and TypeScript. Because the harness standardizes tool calls, the operations side can focus on permission policy and log schema.

A Full Guide: From Planning to Operations

In planning, pin your target metrics to numbers. For example, set a baseline of at least 90% task completion, p95 tool-call latency under 2 seconds, zero permission violations, and a human-intervention rate of 15% or less. Without metrics you cannot judge failure, so write each subagent's success condition and stop condition directly into the requirements.

Classify failures into four patterns. First, tool errors are retried up to three times with exponential backoff before being declared failed. Second, boundary violations are halted immediately with no retry and routed to a human-confirmation queue. Third, repetition loops trigger safe truncation — returning only a summary — once the same command is detected five times. Fourth, context overflow saves intermediate output and hands off to a fresh subagent.

Code the recovery branches explicitly. Split into four paths — retryable error, human confirmation required, safe truncation, and hard stop — and manage each branch's entry condition and timeout as constants. Exceeding 10 minutes of total runtime or 50 tool calls forces a stop and returns partial results.

The operations checklist enforces standard logging. For every tool call, emit a one-line JSON record with session ID, subagent ID, tool name, input hash, result code, and latency. Make PII masking a mandatory pre-ingestion step, substituting emails, phone numbers, and tokens via regex. A missed mask is grounds to block deployment.

Quality control is verified with a regression set. Keep 30 representative tasks as fixed scenarios and compare completion rate and violation count each release; roll back if completion drops by 5 points or more, or if even a single violation appears.

Run the continuous-improvement loop once a week. Aggregate failure logs by type, derive the top three root causes, and adjust exactly one item each in the permission list, retry policy, and prompt. Apply changes only after the regression set passes, keeping improvement and regression tracked separately.

Executive Summary

The core is to split the three capabilities into permissions, isolate subagents, then pin target metrics and stop conditions to numbers. Handle failures through four branches — retry, human confirmation, safe truncation, and stop — keep standard logging and PII masking as gates to hold violations at zero, and run the improvement loop weekly.

References

Introducing AgentKit (OpenAI)