SYSTEM Cited by 1 source

Agent Lee

Agent Lee is Cloudflare's first-party in-dashboard AI assistant — launched 2026-04-15 in open beta — that understands a user's Cloudflare account and can both troubleshoot and apply changes across the entire platform (DNS, Workers, SSL/TLS, R2, Registrar, Cache, Cloudflare Tunnel, API Shield, and more) from a single natural-language prompt, rendering real-data visualisations (charts, tables, architecture maps) inline on an adaptive grid.

Scale at launch

Reported in the launch post after an active beta (Source: sources/2026-04-15-cloudflare-introducing-agent-lee):

• ~18,000 daily users
• ~250,000 tool calls / day
• Products covered: DNS, Workers, SSL/TLS, R2, Registrar, Cache, Cloudflare Tunnel, API Shield, and more.
• Free-plan availability — entry point is Ask AI in the Cloudflare dashboard.

Architecture

Agent Lee is built on primitives Cloudflare ships to customers:

• Agents SDK — runtime.
• Workers AI / Workers — compute and model hosting.
• Durable Objects — the permission + credentialed-proxy layer (see below).
• MCP — tool-description surface for Cloudflare's API.

The MCP surface Agent Lee consumes is two tools, not 3,000: "a search tool for querying API endpoints and an execute tool for writing code that performs API requests." All ~3,000 Cloudflare HTTP API operations are reachable through the execute tool via Code Mode (canonical patterns/tool-surface-minimization).

Code Mode, not direct tool calls

"Rather than presenting MCP tool definitions directly to the model, Agent Lee uses Code Mode to convert the tools into a TypeScript API and asks the model to write code that calls it instead."

Two explicit quantitative rationales in the launch post:

1. LLMs have seen a vast amount of real-world TypeScript but few tool-call examples → higher accuracy on multi-step invocations.
2. Multi-step tasks chain into a single generated script whose intermediate results stay inside the sandbox — no per-step round-trips between planner and tool.

See patterns/code-generation-over-tool-calls and systems/code-mode.

The Durable Object is the enforcement layer

The generated code is dispatched to an upstream Cloudflare MCP server for sandboxed execution. But it travels through a Durable Object that acts as a credentialed proxy. The DO:

• Classifies the generated code as read or write by inspecting the method and body before any call leaves.
• Proxies reads directly.
• Blocks writes until explicit approval via an elicitation gate — "Agent Lee cannot skip this step. The permission model is the enforcement layer, and the confirmation prompt you see is not a UX courtesy. It's the gate."
• Holds API keys — keys are never present in the generated code, so the sandbox cannot exfiltrate them. They're injected server-side when the upstream call is made.

Load-bearing structural framing: "The security boundary isn't just a sandbox that gets thrown away; it's a permission architecture that structurally prevents writes from happening without your approval."

See patterns/credentialed-proxy-sandbox.

Dynamic UI, not just text

"The platform dynamically generates UI components alongside textual responses." Blocks in today's library:

• Dynamic tables.
• Interactive charts (e.g. error-rate-over-24h rendered from real traffic, inline — not a link out to Analytics).
• Architecture maps.
• More in development.

Users interact via an adaptive grid: click-and-drag to carve out a tile, describe what should go in it in natural language, and Agent Lee populates it. "Transforms your chat history into a living dashboard."

See patterns/dynamic-ui-generation.

Quality + safety posture

Continuous measurement ("keeping users in control"):

• Evals on conversation success + information accuracy.
• User feedback (thumbs up / down).
• Tool-call execution-success rate + hallucination scorers.
• Per-product conversation-performance breakdown.

Roadmap (stated in the launch post)

• Surface-agnostic — CLI next, phone later. "The surface you use shouldn't matter."
• Proactive — watches Workers / traffic / error thresholds and reaches out when something warrants attention.
• Accumulated context — already knows account config; will know past conversations, current page, last week's debugging.

Caveats

• In beta. Post explicitly warns of "unexpected limitations or edge cases." Today's scale figures are a snapshot.
• Latency / approval-abandonment / per-tool success rates not disclosed.
• Underlying Code Mode sandbox substrate (isolate reuse, timeout model) lives in a separate Cloudflare Code Mode post (blog.cloudflare.com/code-mode/), not in the Agent Lee announcement itself.

Seen in

• sources/2026-04-15-cloudflare-introducing-agent-lee — the launch + architecture post, 18K DAU / 250K tool calls/day.

Related

• systems/code-mode
• systems/model-context-protocol
• systems/cloudflare-durable-objects
• systems/cloudflare-workers
• patterns/code-generation-over-tool-calls
• patterns/credentialed-proxy-sandbox
• patterns/dynamic-ui-generation
• companies/cloudflare