subagentcowork

.com 87 pages

Open models: the same primitives, a different brain

Real Claude Managed Agents needs ANTHROPIC_API_KEY and a Workers Paid plan. If your stack can't or won't hold that key, the sandbox / egress / typed-tools shape still stands — only the loop that decides which tool to call next has to move.

Where the dependency actually is

Of the four required secrets a self-managed CMA environment needs — ENVIRONMENT_ID, ANTHROPIC_ENVIRONMENT_KEY, ANTHROPIC_API_KEY, WEBHOOK_SECRET — only ANTHROPIC_API_KEY is a paid-usage credential. The other three authenticate the webhook relationship (Anthropic tells your Worker when a session starts), not model calls. The agent loop itself — reading a message, deciding on a tool call, reading the result, deciding the next one — is what the API key pays for, because that loop runs as a hosted Anthropic session.

Two ecosystems referenced from this site already avoid that dependency on principle: subagentworkers.com and subagentdb.com generate everything through Workers AI's open models (@cf/zai-org/glm-5.2) rather than the Anthropic API, and the knowledge-engineering chassis behind subagentcoworkers.com enforces OAuth-only billing as a hard invariant — ANTHROPIC_API_KEY is rejected at every layer, by design.

What changes if you swap the brain

Keep everything Cloudflare-side: the MicroVM/Isolate sandbox choice, the egress policy engine, the defineTool catalog, D1/KV/R2 storage, the webhook-shaped session lifecycle. Replace the piece that decides which tool to call next:

Stays the same Changes
Sandbox backends (MicroVM / Isolate) The agent loop moves from a hosted Anthropic session to a loop you run yourself in the Worker, calling Workers AI
Egress proxy + credential injection Nothing — this boundary doesn't care what's on the other side of it
defineTool custom tools Nothing — a tool-calling open model reads the same JSON Schema shape
D1 / KV / R2 storage Nothing
Webhook ingress Replaced by whatever triggers a session in your system — a DurableTask queue write, a cron tick, a mailbox message

Concretely: instead of Anthropic polling agent.custom_tool_use events against a hosted session, your Worker runs its own request/response loop against a Workers AI model that supports function calling (glm-5.2 does), feeding it the same tool catalog custom-tools.ts already declares, and dispatching tool calls into the same Sandbox or Isolate Durable Object this repo already has. The sandbox doesn't know or care whether the thing calling its tools is Anthropic's hosted loop or your own.

The concrete next step here

The knowledge-engineering repo already has a scaffold for exactly this: infra/cloudflare/ is described in its own README as "Cloudflare Sandbox + Durable Objects for per-task ephemeral execution (scaffolded)" — the sandbox half of this pattern, not yet wired to an open-model loop. Closing that gap — an open-model tool-calling loop in front of an already-scaffolded sandbox — is the adaptation this page is describing, applied to that specific repo.

Related

original sha256:16 9351eccb5468535b · verify