
Egress and identity: two products, one pattern

Claude Managed Agents on Cloudflare and Claude Tag arrive at the same design independently: the sandbox never holds a credential, and a boundary proxy attaches one only when a request matches a rule.

Side by side

| | Claude Managed Agents (Cloudflare) | Claude Tag (Slack) |
|---|---|---|
| Where the agent runs | A MicroVM or Isolate sandbox, per session | An ephemeral sandbox, per Slack thread |
| Where credentials live | KV (SECRETS, EGRESS_POLICIES) | A separate credential store |
| The boundary | An egress proxy compiled from each session's policy | Agent Proxy |
| Default | Deny — unlisted hosts are unreachable | Deny — unlisted hosts are unreachable |
| Three outcomes | policy match + credential injected / allowlist-only, no credential / blocked | rule match + credential injected / allowlist-only, no credential / blocked |
| What the model sees | Never the credential — only the response | Never the credential — only the response |
| Identity while acting | The agent/session's configured identity | The channel's service accounts (Claude app, Claude GitHub App, or a per-tool service account) |

The mechanism is close enough to be the same idea in two products: a request leaves the sandbox, hits a policy checkpoint, and only there does a credential (if any) get attached — the sandbox and the model are never handed the secret itself.

Why this shape keeps showing up

Whenever an agent's "hands" are more powerful than you want its "judgment" to be trusted with directly, the fix is the same: put the credential somewhere the agent can't read it, and put a policy (not the agent's own discretion) between a request and a live secret. Both systems also scope identity to the surface, not the person: a CMA agent's identity is configured per-agent up front; a Claude Tag session acts as the channel's service accounts, not as whoever typed @Claude, so the same request does the same thing regardless of who asked.

What you configure, either way

  • Allow rules — which hosts a credentialed request may reach, and which credential attaches
  • Allowlist-only rules — hosts reachable without a credential (useful for public APIs)
  • Everything else — blocked outright, not just unauthenticated

Cloudflare's version adds header-injection and arbitrary custom Worker proxy code as escape hatches beyond the declarative allow/deny shape; Claude Tag's admin surface (Connections, Allowed websites) is the same shape without needing you to write a proxy.
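
The three outcomes and the default deny described above, as an added example (not Cloudflare's or Anthropic's code): a boundary decision function that attaches a credential only on a rule match. The policy schema, the in-memory `SECRETS` stand-in, the header names and the choice to drop credential headers set inside the sandbox are all assumptions made for illustration.

```javascript
// Added example; the policy schema and every name here are hypothetical.
// Constructed stand-in for the credential store; the sandbox never reads it.
const SECRETS = new Map([["github-token", "constructed-example-token"]]);

const POLICY = {
  allow: [{ host: "api.github.com", secret: "github-token",
            header: "authorization", prefix: "Bearer " }],
  allowlistOnly: ["pypi.org"],
};

// Credential-bearing headers set inside the sandbox are dropped (assumption).
const STRIPPED = new Set(["authorization", "proxy-authorization", "cookie"]);

function normalizeHost(rawUrl) {
  const url = new URL(rawUrl);                 // throws on malformed input
  if (url.protocol !== "https:") return null;  // this sketch permits HTTPS only
  return url.hostname.replace(/\.$/, "");      // parser output, trailing dot removed
}

function decideEgress(rawUrl, sandboxHeaders, policy = POLICY, secrets = SECRETS) {
  let host = null;
  try { host = normalizeHost(rawUrl); } catch { /* malformed URL: stays blocked */ }
  if (host === null) return { outcome: "blocked", headers: null };

  const headers = {};
  for (const [name, value] of Object.entries(sandboxHeaders)) {
    if (!STRIPPED.has(name.toLowerCase())) headers[name.toLowerCase()] = value;
  }

  const rule = policy.allow.find((r) => r.host === host); // exact host match only
  if (rule) {
    const secret = secrets.get(rule.secret);
    if (secret === undefined) return { outcome: "blocked", headers: null }; // fail closed
    headers[rule.header] = rule.prefix + secret; // attached at the boundary only
    return { outcome: "credential-injected", headers };
  }
  if (policy.allowlistOnly.includes(host)) return { outcome: "allowlist-only", headers };
  return { outcome: "blocked", headers: null }; // default deny
}
```

The function returns the headers the proxy would send upstream, so the secret exists only in the proxy's outbound request and never in anything handed back to the sandbox.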
