OpenAI plans to acquire Ona, the cloud-development company formerly known as Gitpod, to give Codex a more durable and controlled place to work. The agreement, announced on June 11, 2026, has not closed and remains subject to customary closing conditions, including required regulatory approvals. Financial terms were not disclosed.
The deal is less about making Codex “smarter” in isolation than about changing where an agent can safely do work. A coding agent that only lives in a short chat session can explain a bug or draft a patch. An agent expected to investigate a repository, reproduce a failure, run tests, update dependencies, open a pull request, and leave review evidence needs a real workspace around it.
Ona is that workspace layer. OpenAI says the company provides secure, persistent environments where agents can access the tools, systems, and context they need over time. Ona says its platform has helped about 2 million developers work in reproducible cloud environments. If the acquisition closes, Ona’s team will join OpenAI’s Codex organization.
What Ona Adds To Codex
Ona’s core product is a standardized cloud development environment. Instead of depending on whatever is installed on a developer’s laptop, a task can begin inside a preconfigured workspace with repository access, dependencies, build tools, databases, secrets, network rules, logs, and policy settings already defined.
That matters because serious agent work is stateful. Debugging a failing CI job may require reading logs, checking test fixtures, installing project dependencies, reproducing the failure, changing code, rerunning tests, and explaining what changed. A disposable shell or a stateless chat transcript is a poor fit for that kind of work.
Ona’s public materials point to the enterprise controls OpenAI will need around Codex: scoped credentials, audit trails, egress restrictions, command controls, disposable workspaces, customer-cloud deployment, and background agent sessions. OpenAI has not said which Ona features will become Codex features, but those are the right categories of control for letting an AI agent operate near real software systems.
Why Persistence Is The Product
OpenAI framed the deal around Codex moving beyond a single device or active session. That is the important product shift. Long-running agents need to survive interruptions, keep context, preserve command history, and produce enough evidence for a human reviewer to trust the result.
The user experience also changes when the workspace is persistent. A developer can assign an investigation, leave the agent running, return to a branch, inspect test output, review a diff, and approve or reject the result. The agent’s work becomes closer to a software-development workflow than a message exchange.
Ona’s own joining announcement gives a clue about demand. Co-founder and chief executive Johannes Landgraf said weekly Ona agent sessions have grown 13 times in production since the beginning of 2026 across customers that include major financial, pharmaceutical, and sovereign-wealth institutions. Ona did not name those customers in that post, but the sectors are telling: they are exactly the kinds of organizations that will not let agents run without governance.
The Security Controls Matter More Than The Demo
For enterprise buyers, the hard questions are operational. Which repositories can Codex reach? Which commands can it execute? Which package registries can it contact? What secrets are available inside the workspace? Can outbound network access be blocked or logged? Which actions require human approval? What evidence is retained for audit?
Those questions are not paperwork. A coding agent may need to install dependencies, run build scripts, inspect environment variables, read test databases, call internal services, or review production-adjacent logs. Too much access turns the agent into a broad execution surface. Too little access turns it back into a suggestion engine.
Ona’s security story is useful because it is infrastructure-level rather than prompt-level. Its Veto work, for example, describes kernel-level enforcement for agent environments, with command and binary controls designed for software agents that can reason around ordinary deny lists. Whether that specific product becomes part of Codex is unknown, but the idea is central: agent safety will depend on enforced runtime boundaries, not only model behavior.
How It Fits OpenAI’s Enterprise Codex Push
The Ona deal follows other OpenAI moves aimed at bringing Codex into enterprise infrastructure. In May, OpenAI and Dell Technologies announced work to bring Codex to hybrid and on-premises environments. On June 10, OpenAI said Oracle Cloud Infrastructure customers would be able to use eligible Oracle Universal Credits for OpenAI models and Codex.
Those moves solve different adoption barriers. Oracle addresses procurement and cloud commitments. Dell addresses hybrid and on-premises deployment needs. Ona addresses the workspace where agents actually execute tasks. Together, they show OpenAI trying to make Codex fit governed software environments rather than treating it as a consumer assistant with enterprise branding.
The competitive context matters too. Agentic coding is shifting from autocomplete and chat toward background work: bug fixes from issue trackers, CI-failure triage, dependency updates, code migrations, release-note drafts, and review assistance. Those tasks are valuable because they are repetitive and reviewable, but they become risky if the workspace cannot constrain what the agent sees and does.
What Is Still Unanswered
The announcement leaves the most important implementation details open. OpenAI has not announced an Ona-powered Codex product, pricing, release date, migration path for current Ona customers, supported cloud providers, data-residency options, identity integrations, audit-log format, approval workflow, or final administrative controls.
There is also a supervision problem. Persistence makes agents more useful, but it can make them harder to follow if the interface is noisy or opaque. Teams will need clear status, command logs, file diffs, credential-use records, test results, and approval checkpoints. A long-running agent that quietly changes too much is worse than a short-lived assistant that can do too little.
OpenAI’s planned Ona acquisition is therefore an infrastructure bet. Codex’s next phase will not be judged only by model benchmarks. It will be judged by whether teams can give agents enough access to finish real software work while still knowing where the work ran, what it touched, which controls applied, and what a human approved before anything shipped.
