{"id":493267,"date":"2026-03-24T21:10:09","date_gmt":"2026-03-24T21:10:09","guid":{"rendered":"https:\/\/www.newsbeep.com\/uk\/493267\/"},"modified":"2026-03-24T21:10:09","modified_gmt":"2026-03-24T21:10:09","slug":"sandboxing-ai-agents-100x-faster","status":"publish","type":"post","link":"https:\/\/www.newsbeep.com\/uk\/493267\/","title":{"rendered":"Sandboxing AI agents, 100x faster"},"content":{"rendered":"

Last September we introduced Code Mode<\/a>, the idea that agents should perform tasks not by making tool calls, but instead by writing code that calls APIs. We’ve shown that simply converting an MCP server into a TypeScript API can cut token usage by 81%<\/a>. We demonstrated that Code Mode can also operate behind an MCP server instead of in front of it, creating the new Cloudflare MCP server that exposes the entire Cloudflare API with just two tools and under 1,000 tokens<\/a>.<\/p>\n

But if an agent (or an MCP server) is going to execute code generated on-the-fly by AI to perform tasks, that code needs to run somewhere, and that somewhere needs to be secure. You can’t just eval() AI-generated code directly in your app: a malicious user could trivially prompt the AI to inject vulnerabilities.<\/p>\n

You need a sandbox: a place to execute code that is isolated from your application and from the rest of the world, except for the specific capabilities the code is meant to access.<\/p>\n

Sandboxing is a hot topic in the AI industry. For this task, most people are reaching for containers. Using a Linux-based container, you can start up any sort of code execution environment you want. Cloudflare even offers our container runtime<\/a> and our Sandbox SDK<\/a> for this purpose.<\/p>\n

But containers are expensive and slow to start, taking hundreds of milliseconds to boot and hundreds of megabytes of memory to run. You probably need to keep them warm to avoid delays, and you may be tempted to reuse existing containers for multiple tasks, compromising the security.<\/p>\n

If we want to support consumer-scale agents, where every end user has an agent (or many!) and every agent writes code, containers are not enough. We need something lighter.<\/p>\n

And we have it.<\/p>\n

Dynamic Worker Loader: a lean sandbox
\n <\/p>\n

<\/a><\/p>\n

Tucked into our Code Mode post in September was the announcement of a new, experimental feature: the Dynamic Worker Loader API. This API allows a Cloudflare Worker to instantiate a new Worker, in its own sandbox, with code specified at runtime, all on the fly.<\/p>\n

Dynamic Worker Loader is now in open beta, available to all paid Workers users.<\/p>\n

Read the docs for full details<\/a>, but here’s what it looks like:<\/p>\n

\/\/ Have your LLM generate code like this.
\nlet agentCode: string = `
\n export default {
\n async myAgent(param, env, ctx) {
\n \/\/ …
\n }
\n }
\n`;<\/p>\n

\/\/ Get RPC stubs representing APIs the agent should be able
\n\/\/ to access. (This can be any Workers RPC API you define.)
\nlet chatRoomRpcStub = …;<\/p>\n

\/\/ Load a worker to run the code, using the worker loader
\n\/\/ binding.
\nlet worker = env.LOADER.load({
\n \/\/ Specify the code.
\n compatibilityDate: “2026-03-01”,
\n mainModule: “agent.js”,
\n modules: { “agent.js”: agentCode },<\/p>\n

\/\/ Give agent access to the chat room API.
\n env: { CHAT_ROOM: chatRoomRpcStub },<\/p>\n

\/\/ Block internet access. (You can also intercept it.)
\n globalOutbound: null,
\n});<\/p>\n

\/\/ Call RPC methods exported by the agent code.
\nawait worker.getEntrypoint().myAgent(param);<\/p>\n

That’s it.<\/p>\n

Dynamic Workers use the same underlying sandboxing mechanism that the entire Cloudflare Workers platform has been built on since its launch, eight years ago: isolates. An isolate is an instance of the V8 JavaScript execution engine, the same engine used by Google Chrome. They are how Workers work<\/a>.<\/p>\n

An isolate takes a few milliseconds to start and uses a few megabytes of memory. That’s around 100x faster and 10x-100x more memory efficient than a typical container.<\/p>\n

That means that if you want to start a new isolate for every user request, on-demand, to run one snippet of code, then throw it away, you can.<\/p>\n

Many container-based sandbox providers impose limits on global concurrent sandboxes and rate of sandbox creation. Dynamic Worker Loader has no such limits. It doesn’t need to, because it is simply an API to the same technology that has powered our platform all along, which has always allowed Workers to seamlessly scale to millions of requests per second.<\/p>\n

Want to handle a million requests per second, where every single request loads a separate Dynamic Worker sandbox, all running concurrently? No problem!<\/p>\n

One-off Dynamic Workers usually run on the same machine \u2014 the same thread, even \u2014 as the Worker that created them. No need to communicate around the world to find a warm sandbox. Isolates are so lightweight that we can just run them wherever the request landed. Dynamic Workers are supported in every one of Cloudflare’s hundreds of locations around the world.<\/p>\n

The only catch, vs. containers, is that your agent needs to write JavaScript.<\/p>\n

Technically, Workers (including dynamic ones) can use Python and WebAssembly, but for small snippets of code \u2014 like that written on-demand by an agent \u2014 JavaScript will load and run much faster.<\/p>\n

We humans tend to have strong preferences on programming languages, and while many love JavaScript, others might prefer Python, Rust, or countless others.<\/p>\n

But we aren’t talking about humans here. We’re talking about AI. AI will write any language you want it to. LLMs are experts in every major language. Their training data in JavaScript is immense.<\/p>\n

JavaScript, by its nature on the web, is designed to be sandboxed. It is the correct language for the job.<\/p>\n

Tools defined in TypeScript
\n <\/p>\n

<\/a><\/p>\n

If we want our agent to be able to do anything useful, it needs to talk to external APIs. How do we tell it about the APIs it has access to?<\/p>\n

MCP defines schemas for flat tool calls, but not programming APIs. OpenAPI offers a way to express REST APIs, but it is verbose, both in the schema itself and the code you’d have to write to call it.<\/p>\n

For APIs exposed to JavaScript, there is a single, obvious answer: TypeScript.<\/p>\n

Agents know TypeScript. TypeScript is designed to be concise. With very few tokens, you can give your agent a precise understanding of your API.<\/p>\n

\/\/ Interface to interact with a chat room.
\ninterface ChatRoom {
\n \/\/ Get the last `limit` messages of the chat log.
\n getHistory(limit: number): Promise;<\/p>\n

\/\/ Subscribe to new messages. Dispose the returned object
\n \/\/ to unsubscribe.
\n subscribe(callback: (msg: Message) => void): Promise;<\/p>\n

\/\/ Post a message to chat.
\n post(text: string): Promise;
\n}<\/p>\n

type Message = {
\n author: string;
\n time: Date;
\n text: string;
\n}<\/p>\n

Compare this with the equivalent OpenAPI spec (which is so long you have to scroll to see it all):<\/p>\n

openapi: 3.1.0
\ninfo:
\n title: ChatRoom API
\n description: >
\n Interface to interact with a chat room.
\n version: 1.0.0<\/p>\n

paths:
\n \/messages:
\n get:
\n operationId: getHistory
\n summary: Get recent chat history
\n description: Returns the last `limit` messages from the chat log, newest first.
\n parameters:
\n – name: limit
\n in: query
\n required: true
\n schema:
\n type: integer
\n minimum: 1
\n responses:
\n “200”:
\n description: A list of messages.
\n content:
\n application\/json:
\n schema:
\n type: array
\n items:
\n $ref: “#\/components\/schemas\/Message”<\/p>\n

post:
\n operationId: postMessage
\n summary: Post a message to the chat room
\n requestBody:
\n required: true
\n content:
\n application\/json:
\n schema:
\n type: object
\n required:
\n – text
\n properties:
\n text:
\n type: string
\n responses:
\n “204”:
\n description: Message posted successfully.<\/p>\n

\/messages\/stream:
\n get:
\n operationId: subscribeMessages
\n summary: Subscribe to new messages via SSE
\n description: >
\n Opens a Server-Sent Events stream. Each event carries a JSON-encoded
\n Message object. The client unsubscribes by closing the connection.
\n responses:
\n “200”:
\n description: An SSE stream of new messages.
\n content:
\n text\/event-stream:
\n schema:
\n description: >
\n Each SSE `data` field contains a JSON-encoded Message object.
\n $ref: “#\/components\/schemas\/Message”<\/p>\n

components:
\n schemas:
\n Message:
\n type: object
\n required:
\n – author
\n – time
\n – text
\n properties:
\n author:
\n type: string
\n time:
\n type: string
\n format: date-time
\n text:
\n type: string<\/p>\n

We think the TypeScript API is better. It’s fewer tokens and much easier to understand (for both agents and humans). <\/p>\n

Dynamic Worker Loader makes it easy to implement a TypeScript API like this in your own Worker and then pass it in to the Dynamic Worker either as a method parameter or in the env object. The Workers Runtime will automatically set up a Cap’n Web RPC<\/a> bridge between the sandbox and your harness code, so that the agent can invoke your API across the security boundary without ever realizing that it isn’t using a local library.<\/p>\n

That means your agent can write code like this:<\/p>\n

\/\/ Thinking: The user asked me to summarize recent chat messages from Alice.
\n\/\/ I will filter the recent message history in code so that I only have to
\n\/\/ read the relevant messages.
\nlet history = await env.CHAT_ROOM.getHistory(1000);
\nreturn history.filter(msg => msg.author == “alice”);<\/p>\n

HTTP filtering and credential injection
\n <\/p>\n

<\/a><\/p>\n

If you prefer to give your agents HTTP APIs, that’s fully supported. Using the globalOutbound option to the worker loader API, you can register a callback to be invoked on every HTTP request, in which you can inspect the request, rewrite it, inject auth keys, respond to it directly, block it, or anything else you might like.<\/p>\n

For example, you can use this to implement credential injection (token injection): When the agent makes an HTTP request to a service that requires authorization, you add credentials to the request on the way out. This way, the agent itself never knows the secret credentials, and therefore cannot leak them.<\/p>\n

Using a plain HTTP interface may be desirable when an agent is talking to a well-known API that is in its training set, or when you want your agent to use a library that is built on a REST API (the library can run inside the agent’s sandbox).<\/p>\n

With that said, in the absence of a compatibility requirement, TypeScript RPC interfaces are better than HTTP:<\/p>\n

As shown above, a TypeScript interface requires far fewer tokens to describe than an HTTP interface.<\/p>\n

The agent can write code to call TypeScript interfaces using far fewer tokens than equivalent HTTP.<\/p>\n

With TypeScript interfaces, since you are defining your own wrapper interface anyway, it is easier to narrow the interface to expose exactly the capabilities that you want to provide to your agent, both for simplicity and security. With HTTP, you are more likely implementing filtering of requests made against some existing API. This is hard, because your proxy must fully interpret the meaning of every API call in order to properly decide whether to allow it, and HTTP requests are complicated, with many headers and other parameters that could all be meaningful. It ends up being easier to just write a TypeScript wrapper that only implements the functions you want to allow.<\/p>\n

Hardening an isolate-based sandbox is tricky, as it is a more complicated attack surface than hardware virtual machines. Although all sandboxing mechanisms have bugs, security bugs in V8 are more common than security bugs in typical hypervisors. When using isolates to sandbox possibly-malicious code, it’s important to have additional layers of defense-in-depth. Google Chrome, for example, implemented strict process isolation for this reason, but it is not the only possible solution.<\/p>\n

We have nearly a decade of experience securing our isolate-based platform. Our systems automatically deploy V8 security patches to production within hours \u2014 faster than Chrome itself. Our security architecture<\/a> features a custom second-layer sandbox with dynamic cordoning of tenants based on risk assessments. We’ve extended the V8 sandbox itself<\/a> to leverage hardware features like MPK. We’ve teamed up with (and hired) leading researchers to develop novel defenses against Spectre<\/a>. We also have systems that scan code for malicious patterns and automatically block them or apply additional layers of sandboxing. And much more.<\/p>\n

When you use Dynamic Workers on Cloudflare, you get all of this automatically.<\/p>\n

We’ve built a number of libraries that you might find useful when working with Dynamic Workers: <\/p>\n

@cloudflare\/codemode<\/a> simplifies running model-generated code against AI tools using Dynamic Workers. At its core is DynamicWorkerExecutor(), which constructs a purpose-built sandbox with code normalisation to handle common formatting errors, and direct access to a globalOutbound fetcher for controlling fetch() behaviour inside the sandbox \u2014 set it to null for full isolation, or pass a Fetcher binding to route, intercept or enrich outbound requests from the sandbox.<\/p>\n

const executor = new DynamicWorkerExecutor({
\n loader: env.LOADER,
\n globalOutbound: null, \/\/ fully isolated
\n});<\/p>\n

const codemode = createCodeTool({
\n tools: myTools,
\n executor,
\n});<\/p>\n

return generateText({
\n model,
\n messages,
\n tools: { codemode },
\n});<\/p>\n

The Code Mode SDK also provides two server-side utility functions. codeMcpServer({ server, executor }) wraps an existing MCP Server, replacing its tool surface with a single code() tool. openApiMcpServer({ spec, executor, request }) goes further: given an OpenAPI spec and an executor, it builds a complete MCP Server with search() and execute() tools as used by the Cloudflare MCP Server, and better suited to larger APIs.<\/p>\n

In both cases, the code generated by the model runs inside Dynamic Workers, with calls to external services made over RPC bindings passed to the executor.<\/p>\n

Learn more about the library and how to use it.<\/a> <\/p>\n

Dynamic Workers expect pre-bundled modules. @cloudflare\/worker-bundler<\/a> handles that for you: give it source files and a package.json, and it resolves npm dependencies from the registry, bundles everything with esbuild, and returns the module map the Worker Loader expects.<\/p>\n

import { createWorker } from “@cloudflare\/worker-bundler”;<\/p>\n

const worker = env.LOADER.get(“my-worker”, async () => {
\n const { mainModule, modules } = await createWorker({
\n files: {
\n “src\/index.ts”: `
\n import { Hono } from ‘hono’;
\n import { cors } from ‘hono\/cors’;<\/p>\n

const app = new Hono();
\n app.use(‘*’, cors());
\n app.get(‘\/’, (c) => c.text(‘Hello from Hono!’));
\n app.get(‘\/json’, (c) => c.json({ message: ‘It works!’ }));<\/p>\n

export default app;
\n `,
\n “package.json”: JSON.stringify({
\n dependencies: { hono: “^4.0.0” }
\n })
\n }
\n });<\/p>\n

return { mainModule, modules, compatibilityDate: “2026-01-01” };
\n});<\/p>\n

await worker.getEntrypoint().fetch(request);<\/p>\n

It also supports full-stack apps via createApp \u2014 bundle a server Worker, client-side JavaScript, and static assets together, with built-in asset serving that handles content types, ETags, and SPA routing.<\/p>\n

Learn more about the library and how to use it.<\/a><\/p>\n

@cloudflare\/shell<\/a> gives your agent a virtual filesystem inside a Dynamic Worker. Agent code calls typed methods on a state object \u2014 read, write, search, replace, diff, glob, JSON query\/update, archive \u2014 with structured inputs and outputs instead of string parsing.<\/p>\n

Storage is backed by a durable Workspace (SQLite + R2), so files persist across executions. Coarse operations like searchFiles, replaceInFiles, and planEdits minimize RPC round-trips \u2014 the agent issues one call instead of looping over individual files. Batch writes are transactional by default: if any write fails, earlier writes roll back automatically.<\/p>\n

import { Workspace } from “@cloudflare\/shell”;
\nimport { stateTools } from “@cloudflare\/shell\/workers”;
\nimport { DynamicWorkerExecutor, resolveProvider } from “@cloudflare\/codemode”;<\/p>\n

const workspace = new Workspace({
\n sql: this.ctx.storage.sql, \/\/ Works with any DO’s SqlStorage, D1, or custom SQL backend
\n r2: this.env.MY_BUCKET, \/\/ large files spill to R2 automatically
\n name: () => this.name \/\/ lazy \u2014 resolved when needed, not at construction
\n});<\/p>\n

\/\/ Code runs in an isolated Worker sandbox with no network access
\nconst executor = new DynamicWorkerExecutor({ loader: env.LOADER });<\/p>\n

\/\/ The LLM writes this code; `state.*` calls dispatch back to the host via RPC
\nconst result = await executor.execute(
\n `async () => {
\n \/\/ Search across all TypeScript files for a pattern
\n const hits = await state.searchFiles(“src\/**\/*.ts”, “answer”);
\n \/\/ Plan multiple edits as a single transaction
\n const plan = await state.planEdits([
\n { kind: “replace”, path: “\/src\/app.ts”,
\n search: “42”, replacement: “43” },
\n { kind: “writeJson”, path: “\/src\/config.json”,
\n value: { version: 2 } }
\n ]);
\n \/\/ Apply atomically \u2014 rolls back on failure
\n return await state.applyEditPlan(plan);
\n }`,
\n [resolveProvider(stateTools(workspace))]
\n);<\/p>\n

The package also ships prebuilt TypeScript type declarations and a system prompt template, so you can drop the full state API into your LLM context in a handful of tokens.<\/p>\n

Learn more about the library and how to use it.<\/a><\/p>\n

Developers want their agents to write and execute code against tool APIs, rather than making sequential tool calls one at a time. With Dynamic Workers, the LLM generates a single TypeScript function that chains multiple API calls together, runs it in a Dynamic Worker, and returns the final result back to the agent. As a result, only the output, and not every intermediate step, ends up in the context window. This cuts both latency and token usage, and produces better results, especially when the tool surface is large.<\/p>\n

Our own Cloudflare MCP server<\/a> is built exactly this way: it exposes the entire Cloudflare API through just two tools \u2014 search and execute \u2014 in under 1,000 tokens, because the agent writes code against a typed API instead of navigating hundreds of individual tool definitions.<\/p>\n

Building custom automations\u00a0
\n <\/p>\n

<\/a><\/p>\n

Developers are using Dynamic Workers to let agents build custom automations on the fly. Zite<\/a>, for example, is building an app platform where users interact through a chat interface \u2014 the LLM writes TypeScript behind the scenes to build CRUD apps, connect to services like Stripe, Airtable, and Google Calendar, and run backend logic, all without the user ever seeing a line of code. Every automation runs in its own Dynamic Worker, with access to only the specific services and libraries that the endpoint needs.<\/p>\n

\u201cTo enable server-side code for Zite\u2019s LLM-generated apps, we needed an execution layer that was instant, isolated, and secure. Cloudflare\u2019s Dynamic Workers hit the mark on all three, and out-performed all of the other platforms we benchmarked for speed and library support. The NodeJS compatible runtime supported all of Zite\u2019s workflows, allowing hundreds of third party integrations, without sacrificing on startup time. Zite now services millions of execution requests daily thanks to Dynamic Workers.\u201d <\/p>\n

\u2014 Antony Toron, CTO and Co-Founder, Zite\u00a0<\/p>\n

Running AI-generated applications
\n <\/p>\n

<\/a><\/p>\n

Developers are building platforms that generate full applications from AI \u2014 either for their customers or for internal teams building prototypes. With Dynamic Workers, each app can be spun up on demand, then put back into cold storage until it’s invoked again. Fast startup times make it easy to preview changes during active development. Platforms can also block or intercept any network requests the generated code makes, keeping AI-generated apps safe to run.<\/p>\n

Dynamically-loaded Workers are priced at $0.002 per unique Worker loaded per day (as of this post\u2019s publication), in addition to the usual CPU time and invocation pricing of regular Workers.<\/p>\n

For AI-generated “code mode” use cases, where every Worker is a unique one-off, this means the price is $0.002 per Worker loaded (plus CPU and invocations). This cost is typically negligible compared to the inference costs to generate the code.<\/p>\n

During the beta period, the $0.002 charge is waived. As pricing is subject to change, please always check our Dynamic Workers pricing<\/a> for the most current information.\u00a0<\/p>\n

If you\u2019re on the Workers Paid plan, you can start using Dynamic Workers<\/a> today.\u00a0<\/p>\n

\"Deploy<\/a><\/p>\n

Use this \u201chello world\u201d starter<\/a> to get a Worker deployed that can load and execute Dynamic Workers.\u00a0<\/p>\n

Dynamic Workers Playground
\n <\/p>\n

<\/a><\/p>\n

\"Deploy<\/a><\/p>\n

You can also deploy the Dynamic Workers Playground<\/a>, where you\u2019ll be able to write or import code, bundle it at runtime with @cloudflare\/worker-bundler, execute it through a Dynamic Worker, see real-time responses and execution logs. <\/p>\n

Dynamic Workers are fast, scalable, and lightweight. Find us on Discord<\/a> if you have any questions. We\u2019d love to see what you build!<\/p>\n","protected":false},"excerpt":{"rendered":"Last September we introduced Code Mode, the idea that agents should perform tasks not by making tool calls,…\n","protected":false},"author":2,"featured_media":493268,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[554,733,4308,86,56,54,55],"class_list":{"0":"post-493267","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-artificial-intelligence","8":"tag-ai","9":"tag-artificial-intelligence","10":"tag-artificialintelligence","11":"tag-technology","12":"tag-uk","13":"tag-united-kingdom","14":"tag-unitedkingdom"},"_links":{"self":[{"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/posts\/493267","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/comments?post=493267"}],"version-history":[{"count":0,"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/posts\/493267\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/media\/493268"}],"wp:attachment":[{"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/media?parent=493267"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/categories?post=493267"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/tags?post=493267"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}