Cloudflare pushed Sandboxes and Containers to GA this week, a pair of products aimed at giving AI agent workloads persistent, isolated Linux environments. The framing continues from Cloudflare's MCP enterprise architecture piece last week: if local agent execution is a security liability, the answer is properly governed remote execution with credential boundaries that agents cannot cross. Sandboxes and Containers are the execution side of that answer.
Five primitives are worth naming. Secure credential injection via outbound Workers acting as egress proxies — credentials are injected at the network layer on outbound requests, so the agent running inside the sandbox never sees the token. PTY terminal sessions proxied over WebSocket, replacing the earlier request-response shell simulation with real pseudo-terminals. Persistent code interpreters that hold state across execution calls (variables and imports survive between steps, like a Jupyter kernel). Filesystem watching via Linux inotify, so agents react to file changes in real time. And snapshot-based session recovery for near-instant restoration plus forking: you can branch a running sandbox into parallel explorations from a snapshot, which is the primitive that makes "agent tries N things in parallel" cheap.
The performance and pricing numbers tell the deployment story. Fresh boot plus git clone plus npm install is about 30 seconds; snapshot restore is about 2 seconds. Active-CPU pricing at $0.00002 per vCPU-second means you pay only for cycles actually used, which matters when an agent sits idle waiting for model output. Concurrency ceilings on the standard plan are 15,000 lite, 6,000 basic, 1,000+ larger. Figma is named as a production customer. The snapshot feature is still rolling out in the coming weeks, so the "GA" label has a qualifier. SDK is at 0.8.9, which suggests the TypeScript API will keep evolving.
Two notes for builders. One, the "agent never sees the token" primitive is the load-bearing piece of this release. If you are building agent tooling, the shift from "agent holds credentials and promises to use them responsibly" to "agent makes requests, egress proxy injects credentials, agent cannot exfiltrate what it never had" is the only credential-safety posture that survives the kind of prompt injection the week's security stories keep demonstrating. Two, snapshot forking for parallel agent exploration is the cost-and-latency primitive that makes the "spawn N subagents" pattern actually practical. The subagent convergence across Claude Code, Gemini CLI, and now Cloudflare Sandboxes is not a coincidence; the same problem is forcing the same solution across three different layers of the stack.