Cloudflare primitives, mapped
This platform arrived at the same shape as Cloudflare's Claude Managed Agents (CMA) control plane independently: a scoped execution boundary, credentials injected rather than handed over, and typed tools as the only surface an agent touches. Here's the mapping, plus the one piece CMA has that this platform doesn't yet: an open-model brain running the loop itself.
The mapping
| CMA primitive | This platform's equivalent |
|---|---|
| A sandbox per session (MicroVM or Isolate) | A subagent's scope — one typed task in, one typed result out, no scope creep |
| Egress proxy / credential injection | Vault — macOS Keychain + Postgres audit layer; a coworker never holds a raw credential, it's injected at the point of use |
gates.toml policy |
Same shape as CMA's egress policy: a declarative match / require / surface rule, not code, deciding what needs approval before it runs |
defineTool in custom-tools.ts |
The e2m envelope + a role's mcp/server.toml — one typed contract every tool call binds to |
| Durable Object holding session state outside the sandbox | The manager tier + DurableTask queue — state that outlives any single coworker's execution window |
| Webhook-driven session lifecycle (start → drain → dispatch → run → persist) | Mailbox read → claim → execute atomically → write outcome transition |
Both systems land on the same reason for the shape: an agent's "hands" (what it can execute) need to be more constrained than its "judgment" (what it decides to try), so the fix in both cases is a boundary that isn't the agent's own discretion — a proxy that injects credentials, a gate that requires a human, a policy file instead of an if-statement.
Where this platform is ahead
CMA's identity is per-agent, configured once. This platform's identity is per-role and per-surface — macos__desktop_cowork__engineering_coworker is a different identity from cloud__docker_mcp__engineering_coworker for the same role, because a Mac-local binary and a cloud sandbox can reach different things. And approval gates here have a physical surface (the buddy device) that a Cloudflare dashboard toggle doesn't have an equivalent for.
Where CMA is ahead — and the open-models path to closing it
CMA runs its own agent loop as a hosted Anthropic session — poll for agent.custom_tool_use events, dispatch, repeat — which this platform doesn't have a Cloudflare-native equivalent of yet. The knowledge-engineering repo already has half of it scaffolded: infra/cloudflare/ is "Cloudflare Sandbox + Durable Objects for per-task ephemeral execution" per its own README, not yet wired to a model loop.
Closing that gap doesn't require ANTHROPIC_API_KEY — this chassis is OAuth-only by hard invariant, and CMA's key is only needed for the hosted loop, not for the sandbox, the egress boundary, or the tool catalog underneath it. A Workers AI open model (@cf/zai-org/glm-5.2, already driving subagentworkers.com and subagentdb.com) can run the same tool-calling loop in front of that scaffolded sandbox instead: read a DurableTask, call a tool, read the result, decide the next call — entirely inside Cloudflare, with the same gates.toml and Vault boundary already described above.
Related
- How it works
- Approval gates
- subagentcowork.com: Claude Managed Agents — the CMA side of this mapping
- subagentcowork.com: Open models
50a4671d9c26e8f8 · verify