Sandboxes: MicroVM vs. Isolate
Every session gets its own sandbox. Which kind is a per-agent setting, not a global one.
The two backends
| | MicroVM | Isolate |
|---|---|---|
| Runs on | Cloudflare Containers | a Workers Isolate (Dynamic Workers, Agents SDK) |
| Cold start | ~2 seconds | sub-second |
| Filesystem | full Linux, /workspace | SQLite-backed Workspace (@cloudflare/shell) |
| Shell | yes — bash, arbitrary processes | no |
| Persistence | R2 snapshot of /workspace on idle | Durable Object SQLite, automatic |
| Code execution | shell-driven | execute / run_file via Worker Loader (codemode) |
| Best for | installs, builds, fixing a test suite — anything needing a real shell | structured edits, code review, tool-heavy tasks, fast iteration |
Why both exist
A MicroVM is a real Linux box: npm install works, a failing binary can be rebuilt, a CLI can be installed. It costs more (a container has to boot) and takes a couple of seconds to start.
An Isolate is a Workers runtime with a virtual filesystem layered on top. There's no shell — everything the agent does is a typed tool call (read, write, edit, grep, find, delete, or execute for arbitrary JS) — but it starts in milliseconds and its state persists automatically through Durable Object SQLite storage, no snapshot step required.
Most deployments pick one as the default and reach for the other for specific agents that need it.
What happens at dispatch
Both backends share the same egress policy, the same dashboard, and the same webhook ingress — the difference is entirely in what happens once a session starts:
MicroVM: the control plane resolves the session's egress policy and registers it as the container's outbound handler, boots the container with secrets injected as env vars, restores the latest R2 snapshot into /workspace if one exists, and starts the agent loop (ant beta:worker run --workdir /workspace ...). After a few minutes of idle, it snapshots /workspace back to R2 and lets the container sleep.
Isolate: the Durable Object resolves and attaches the egress policy via an outbound gateway, builds its tool list from whatever bindings are wired up, and runs an Anthropic SDK tool dispatcher detached — the model runs on Anthropic's infrastructure, tool calls stream into the Durable Object and execute locally. It sleeps after 60 seconds idle; the next webhook wakes it with its SQLite state intact.
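The Isolate behaviour described above (a tool list built from whatever bindings are wired up, typed tool calls only, no shell), as an added example that is not the product's own code. The names makeWorkspace, buildTools, dispatch and the bindings.workspace / bindings.loader shape are hypothetical, and an in-memory map stands in for the SQLite-backed Workspace.

```javascript
// Constructed sketch: every name here is hypothetical and only models the
// Isolate behaviour described above; it is not the platform's API.

// In-memory stand-in for the SQLite-backed Workspace.
function makeWorkspace(files = {}) {
  const store = new Map(Object.entries(files));
  const must = (path) => {
    if (!store.has(path)) throw new Error(`no such file: ${path}`);
    return store.get(path);
  };
  return {
    read: ({ path }) => must(path),
    write: ({ path, content }) => { store.set(path, content); return "ok"; },
    edit: ({ path, old, next }) => {
      const cur = must(path);
      if (!cur.includes(old)) throw new Error(`edit target not found in ${path}`);
      store.set(path, cur.replace(old, () => next)); // function form: no "$&" expansion
      return "ok";
    },
    delete: ({ path }) => store.delete(path),
    find: ({ prefix }) => [...store.keys()].filter((p) => p.startsWith(prefix)).sort(),
    grep: ({ pattern }) => [...store].filter(([, c]) => c.includes(pattern)).map(([p]) => p).sort(),
  };
}

// The tool list is derived from the bindings that are actually wired up:
// no workspace binding means no file tools, no loader binding means no execute.
function buildTools(bindings) {
  const tools = {};
  if (bindings.workspace) Object.assign(tools, bindings.workspace);
  if (bindings.loader) tools.execute = ({ code }) => bindings.loader.run(code);
  return tools;
}

// Dispatch one typed tool call. Anything outside the tool list (a "bash" call,
// or an inherited name such as "constructor") is refused, never executed.
function dispatch(tools, call) {
  if (!Object.prototype.hasOwnProperty.call(tools, call.name)) {
    return { ok: false, error: `unknown tool: ${call.name}` };
  }
  try {
    return { ok: true, result: tools[call.name](call.input) };
  } catch (err) {
    return { ok: false, error: String(err.message) };
  }
}
```

The own-property check is what keeps the attack surface equal to the wired-up bindings: a tool call is only as powerful as the binding behind it.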