CONCEPT Cited by 2 sources
Agent brain–hands decoupling¶
Definition¶
A two-tier architectural shape for managed agent platforms in which the agent loop (model inference, prompt caching, compaction, tool-use orchestration, harness internals) — the "brain" — is hosted by the model platform, while the execution sandbox (file reads, command exec, code execution, web browsing, custom tools) — the "hands" — runs on operator- chosen infrastructure.
The two layers communicate over a stable brain↔hands contract: the brain emits tool-use messages; the hands run them and return tool-result messages. The hands run on a control plane provided by the operator's chosen substrate; that control plane is responsible for sandbox lifecycle, state persistence across session sleeps, egress policy, observability, and any custom tools.
Canonical disclosure¶
The framing was crystallised in Anthropic's Claude Managed Agents launch and the companion Cloudflare post (2026-05-19), quoted directly:
"Anthropic describes this as 'decoupling the brain from the hands.' The core agent loop runs in Anthropic (the 'brain'), but the infrastructure for running and executing code (the 'hands') can be run anywhere, including Cloudflare."
(Source: sources/2026-05-19-cloudflare-announcing-claude-managed-agents-on-cloudflare.)
Why it's a distinct shape¶
Most first-generation agent products either (a) ran the entire stack on the model vendor's infrastructure (Anthropic-only, OpenAI- Assistants-only) or (b) ran the entire stack on the operator's infrastructure (open-source agent harnesses + open-source model). Neither option lets the operator independently choose best model platform and best execution substrate for its workload — the choice was bundled.
Brain–hands decoupling unbundles the choice by making the contract between agent loop and execution sandbox explicit:
| Layer | Owned by | Picked for |
|---|---|---|
| Brain | Model platform | Best model + best harness primitives (caching, compaction) |
| Hands | Operator | Best security regime, compliance boundary, network locality, custom tooling |
What the operator gains¶
- Independent compute choice — pick microVM vs V8-isolate (concepts/isolate-vs-microvm-for-agent-sandbox), durable vs ephemeral sandbox (concepts/durable-vs-ephemeral-sandbox), region, provider, on-prem vs cloud, etc.
- Network locality — co-locate the sandbox with internal services it has to call, instead of round-tripping over the Internet.
- Custom tools — add operator-defined capabilities (e.g. via
defineTool) without the model platform's involvement. - Egress control — every byte the sandbox emits goes through operator-controlled networking; canonical instance is patterns/outbound-worker-proxy-for-agent-egress.
- Compliance / sovereignty — keep PII / regulated data inside the operator's compliance boundary while still using a vendor-hosted brain.
- Observability — operator-side logs, shells, audit trails on every tool call. Canonical instance: the launch post's "sandbox logs can be queried or shipped to external providers like Datadog or Splunk" and "SSH into running machines."
What it costs¶
- Network round-trip per tool call. Each tool call now crosses brain↔hands; that's a non-trivial latency floor.
- Contract stability. The brain↔hands wire format has to stay compatible; breaking changes in the contract become cross-vendor-coordination problems.
- Operator implementation surface. A control plane has to be built and operated by the operator; the Cloudflare integration mitigates this with a forkable default template.
Composition with adjacent concepts¶
- Composes with concepts/isolate-vs-microvm-for-agent-sandbox — once the hands are operator-chosen, the operator picks the isolation primitive. The 2026-05-19 disclosure pairs the brain– hands split with a per-agent microVM-or-isolate tier choice.
- Composes with concepts/outbound-proxy-credential-injection — once the hands are operator-controlled, every byte of egress can be intercepted by the operator's proxy.
- Composes with concepts/durable-vs-ephemeral-sandbox — once the hands are operator-controlled, the operator can choose durability semantics (Cloudflare's launch post explicitly states "State is automatically persisted across session sleeps").
- Sibling to patterns/four-component-agent-production-stack — that pattern names the four components an agent system needs in production; brain–hands decoupling is the architectural concept that lets two of those components live on different infrastructures.
Seen in¶
- sources/2026-05-19-cloudflare-announcing-claude-managed-agents-on-cloudflare — canonical wiki origin. Anthropic's own framing of the "brain / hands" split, instantiated by Cloudflare as the first publicly-announced external execution substrate.
- sources/2026-06-08-flyio-building-agents-that-dont-break-themselves — practical demonstration with Fly Sprites: SpriteDoc and Hermes Agent both run the agent loop on a stable server and dispatch all shell commands to separate Sprite sandboxes. Illustrates that "being sandboxed does not mean its commands should run in that same sandbox" — even an agent in a Sprite pushes execution to a different Sprite.
Related¶
- Originating system: systems/claude-managed-agents
- Hands substrate (Cloudflare): systems/cloudflare-containers / systems/dynamic-workers / systems/cloudflare-workers
- Sandbox tier trade-off: concepts/isolate-vs-microvm-for-agent-sandbox
- Egress control: concepts/outbound-proxy-credential-injection
- Canonical egress pattern: patterns/outbound-worker-proxy-for-agent-egress