
Claude Managed Agents on Cloudflare

The brain runs on Anthropic. The hands — sandboxes, egress, browser, email, custom tools — run on infrastructure you own. Cloudflare ships the control plane as an open-source deployment template: cloudflare/claude-managed-agents.

The split

Claude Managed Agents (CMA) decouples the agent loop from where its actions execute. Anthropic's platform runs the loop — the model, the conversation, the decision of which tool to call next. A self-managed environment you deploy runs everything the agent's actions touch: a sandbox, a network egress path, and any custom tools you've wired up.

Cloudflare's reference implementation is a single Worker that receives a webhook when a session starts or ends, spins up a sandbox for that session, and shuts it down when the session does.

What the control plane gives you

  • Two sandbox backends per session — a full MicroVM (Cloudflare Containers, real Linux, bash) or a lightweight Isolate (Dynamic Workers, cold-starts in milliseconds). See Sandboxes.
  • Egress control — every outbound request from the sandbox passes through a policy engine that can inject credentials, restrict destinations, or run custom proxy logic. See Egress and identity.
  • Custom tools in one file — extend what an agent can do by adding a function to src/tools/custom-tools.ts; it runs with direct access to your Worker bindings (D1, R2, KV, Vectorize). See Custom tools.
  • Built-ins — Browser Run (headless browser, screenshots, session recordings), Agent Email (a real address per session), Workers AI image generation, Workers VPC for private services.
  • A dashboard — manage agents, inspect sessions and logs, SSH into a running MicroVM.
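
The egress-control item above, as an added sketch that is not code from cloudflare/claude-managed-agents: a deny-by-default decision function that matches the parsed hostname exactly, discards credential headers the sandbox supplied, and injects the real secret only at the boundary. The rule shape, function name, hosts and secret name are all hypothetical.

```typescript
// Hypothetical policy model for illustration; not the template's actual API.
type EgressRule = { host: string; methods: string[]; pathPrefix: string; secretName?: string };
type EgressDecision =
  | { allow: false; reason: string }
  | { allow: true; headers: Record<string, string> };

// Constructed sample policy: hosts and secret name are placeholders.
const SAMPLE_RULES: EgressRule[] = [
  { host: "api.example.com", methods: ["GET"], pathPrefix: "/v1/", secretName: "EXAMPLE_API_TOKEN" },
  { host: "packages.example.org", methods: ["GET"], pathPrefix: "/simple/" },
];

// Headers that carry credentials; whatever the sandbox sends in these is discarded.
const CREDENTIAL_HEADERS = ["authorization", "cookie", "proxy-authorization"];

function decideEgress(
  method: string,
  rawUrl: string,
  sandboxHeaders: Record<string, string>,
  rules: EgressRule[],
  secrets: Record<string, string>, // held by the control plane, never by the sandbox
): EgressDecision {
  const deny = (reason: string): EgressDecision => ({ allow: false, reason });
  let target: URL;
  try { target = new URL(rawUrl); } catch { return deny("unparseable URL"); }
  if (target.protocol !== "https:") return deny("non-HTTPS scheme");
  if (target.username || target.password) return deny("userinfo in URL");
  if (target.port !== "") return deny("non-default port");

  // Exact match on the parsed hostname. A suffix or substring test would
  // accept look-alikes such as api.example.com.attacker.test.
  const host = target.hostname;
  const rule = rules.find((r) => r.host === host);
  if (!rule) return deny("host not allowlisted");
  if (!rule.methods.includes(method.toUpperCase())) return deny("method not allowed");
  // pathname is already normalized, so "/v1/../admin" arrives here as "/admin".
  if (!target.pathname.startsWith(rule.pathPrefix)) return deny("path not allowed");

  const headers: Record<string, string> = {};
  for (const [key, value] of Object.entries(sandboxHeaders)) {
    if (!CREDENTIAL_HEADERS.includes(key.toLowerCase())) headers[key.toLowerCase()] = value;
  }
  if (rule.secretName) {
    const secret = secrets[rule.secretName];
    if (!secret) return deny("secret not configured");
    headers["authorization"] = `Bearer ${secret}`; // injected only after every check passes
  }
  return { allow: true, headers };
}
```

Because the secret is added after the allowlist checks and the sandbox's own `Authorization` value is dropped, code running in the sandbox never sees the token and cannot steer it to another host.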

Where this site's own docs connect

This isn't a hypothetical pattern for us — it rhymes with two things already documented here:

  • Claude Tag runs the same decoupled shape for Slack: the model runs in an Anthropic-hosted sandbox per thread, credentials are injected by an Agent Proxy at the network boundary, and the sandbox is released and rebuilt across idle periods. See the side-by-side in Egress and identity.
  • subagentcoworkers.com documents a platform built on the same idea from the other direction — typed tasks, scoped credentials, a durable state layer outside the execution boundary — using open models instead of a paid Anthropic API key. See Open models.

The catch

Real CMA needs ANTHROPIC_API_KEY as one of four required secrets, plus a Workers Paid plan (Containers and Worker Loader bindings aren't on the free tier). If your stack is OAuth-only or zero-external-paid-API by policy, that's worth knowing before you fork the repo — see Open models for the adaptation.
