Ona's Gitpod roots: OpenAI’s secure runtime for Codex
OpenAI bought Ona (formerly Gitpod) to give Codex enterprise-grade, sandboxed workspaces for persistent agents
OpenAI announced it will acquire Ona, the company that began life as Gitpod, folding the German-built cloud workspace platform into Codex to give enterprise customers a sandboxed runtime for long-running agents and workflows.
The deal was made public on June 12, 2026, and OpenAI said Ona’s technology “provides secure, persistent environments where agents can access the tools, systems, and context they need to make progress over time.”
Ona traces its lineage to Gitpod, a five‑year-old project that moved development off local machines into preconfigured browser workspaces. The company rebranded to Ona in September 2025 and repositioned its product around autonomous software agents and secure cloud environments.
At its core Ona offers API‑first, sandboxed environments that are preloaded with repositories, dependencies, and the connectivity agents need to act — source control, registries, secret stores, and developer tools. Those environments can run in Ona’s cloud or inside a customer virtual private cloud, a key distinction for regulated enterprises.
For OpenAI, the attraction is practical: Codex needs a trusted place to execute agent work that can last hours or days instead of minutes. Integrating Ona supplies a customer‑controlled execution layer so Codex agents can continue jobs after the initiating user logs off.
Ona’s product pitch emphasizes isolation and enterprise controls — OS‑level sandboxing, RBAC, SSO/OIDC, command deny lists, and detailed audit trails — which let IT teams apply their existing governance and credential management to agent runs. OpenAI framed the move as expanding Codex beyond single‑device sessions into production‑grade automation.
Technically this gives Codex a runtime where agents have scoped, auditable access to systems under the customer’s control. Ona environments are declared with devcontainer-like manifests and can mount storage and secrets so agents can run tests, build artifacts, or patch code without exposing enterprise credentials to the model service itself.
Beyond developer convenience, the integration is a strategic enterprise play. Analysts and press coverage note that the acquisition helps OpenAI compete with rivals offering self‑hosted or customer‑controlled agent sandboxes, and that it bolsters Codex’s pitch to CIOs and CISOs who demand visibility and control.
Real operational use cases are straightforward: long refactors, automated CVE triage across private repos, multi‑step migrations, and continuous validation tasks that must persist between business hours. Those scenarios require durable execution environments that keep logs, enforce limits, and let operators revoke or suspend agents.
Security observers caution that sandboxes reduce but do not eliminate risk. Recent safety research highlights how persistent agents expand the attack surface through capabilities, identity, and knowledge channels — meaning sandboxing, credential hygiene, and runtime policy controls must be paired with testing and monitoring.
Commercial considerations are in play too. Industry reporting indicates Ona remained a relatively small vendor with a handful of large customers and rising enterprise ARR before the deal, and research firms have offered rough revenue estimates that help explain why OpenAI chose to buy rather than build this particular plumbing. The agreement still needs regulatory approval before it closes.
For developers and engineering managers the practical result should be an out‑of‑the‑box, sandboxed runtime for Codex agents that ships with preconfigured policies, secrets integration, and audit trails. That reduces friction for teams that want agents to run background tasks inside their own cloud, while raising familiar tradeoffs about vendor lock‑in versus building a bespoke stack.