SYSTEM Cited by 1 source
Claude Managed Agents¶
Claude Managed Agents is Anthropic's managed agent platform: the agent loop (model inference, prompt caching, automatic compaction, tool-use orchestration, agent-first performance optimisations) runs on Anthropic-provided infrastructure, and the execution sandbox (file reads, command exec, code execution, web browsing) runs wherever the operator chooses — originally Anthropic-only, now extensible to any self-managed environment that implements the brain↔hands contract.
Anthropic frames the design as "decoupling the brain from the hands" — the brain (the agent loop) is the model plus the harness; the hands (where code actually runs) can be any compute platform that signs up to the contract. Self-managed environments give the operator control over security, compliance, and performance (network proximity, custom tools, private-service connectivity) that the all-Anthropic deployment doesn't. Source: sources/2026-05-19-cloudflare-announcing-claude-managed-agents-on-cloudflare.
What the agent loop owns (the "brain")¶
- Model inference — Claude (e.g. systems/claude-sonnet-4) generating tool-use messages and final text.
- Prompt caching — built-in, harness-managed; cuts token cost on long-running sessions.
- Compaction — when the conversation exceeds a window, the harness automatically compacts older turns rather than failing.
- Various agent-first performance optimisations — the post doesn't enumerate; the framing is "the harness supports built-in prompt caching, compaction, and various agent-first performance optimizations."
What the execution sandbox owns (the "hands")¶
- File system — read / write / list within the sandbox.
- Command execution —
bash-style command running in the sandbox. - Web browsing — typically delegated to a browser tool like Browser Run.
- Code execution — JS / Python / shell, depending on the sandbox configuration.
- Custom tools — operator-defined functions (e.g. via
defineTool) that the agent can call.
Self-managed environment contract¶
When a Claude Agent starts a session, it sends a message to the operator's control plane. The control plane:
- Provisions a sandbox for the session.
- Persists state across session sleeps (the agent can pause and resume without losing workspace state).
- Routes tool calls from Claude into the sandbox and tool results back.
- (Optionally) exposes operator-side observability — logs, shells, audit trails.
This is the contract the Cloudflare integration implements: the Workers-based control plane takes the session-start message, picks one of two sandbox tiers (microVM or V8 isolate), and runs the session until Claude completes or sleeps.
Cloudflare integration as canonical example¶
The 2026-05-19 Cloudflare launch post is the first publicly-named external implementation of the Claude Managed Agents brain↔hands contract. Cloudflare's hands deployment combines:
- Workers control plane.
- Containers microVM tier for "agents acting as developers, building full applications and running Linux-based tools."
- Dynamic Workers + Codemode V8-isolate tier for "a faster, cheaper, and more scalable alternative" — "bursts of tens of thousands of concurrent agents or more."
- An outbound Worker proxy for every byte of egress (zero-trust credential injection, allowlists, custom middleware). See patterns/outbound-worker-proxy-for-agent-egress.
- Cloudflare Mesh / Workers VPC for private- service connectivity without VPN or bastion host.
- A pre-bundled tool surface —
browser_search,browser_execute,screenshot,browse,fetch_to_markdown, Cloudflare-specificweb_fetch,send_email,email_read,email_list,call_service,image_generate. - A default deployment template meant to be forked and customised rather than treated as a black box.
Properties¶
| Property | Default-Anthropic | Self-managed |
|---|---|---|
| Brain location | Anthropic | Anthropic |
| Hands location | Anthropic | Operator choice |
| Operator code in path | None | Control plane + outbound proxy + custom tools |
| Network egress visibility | Anthropic-controlled | Operator-controlled (full audit + middleware) |
| Private-service access | Public Internet only | Native (e.g. Mesh / VPC tunnels) |
| Custom tooling | Limited | Unbounded (operator deploys their own) |
Seen in¶
- sources/2026-05-19-cloudflare-announcing-claude-managed-agents-on-cloudflare — canonical wiki entry. First publicly-named external implementation; the launch post is the source of the brain↔hands framing and the Cloudflare-specific microVM-or-isolate tier choice.
Related¶
- Architectural concept: concepts/agent-brain-hands-decoupling
- Sandbox tier trade-off: concepts/isolate-vs-microvm-for-agent-sandbox
- Egress security: concepts/outbound-proxy-credential-injection
- Cloudflare hands substrate: systems/cloudflare-containers / systems/dynamic-workers / systems/cloudflare-workers / systems/code-mode / systems/cloudflare-sandbox-sdk
- Private connectivity: systems/cloudflare-mesh / systems/cloudflare-workers-vpc
- Companies: companies/cloudflare