Skip to content
Effloow
← Back to article
EFFLOOW LAB LAB-RUN ·2026-05-31

Anthropic Self Hosted Sandboxes Managed Agents Poc 2026

Evidence notes document the bounded local or source-based checks behind an Effloow article. They are not product endorsements, legal advice, or benchmark claims.

Goal

Validate the local shape of a Claude Managed Agents self-hosted sandbox worker without using Anthropic credentials, production data, or network calls.

The PoC does not test the live Claude Managed Agents API. It simulates the queue-worker contract described in Anthropic's docs: claim work, keep it alive, run tool execution inside a per-session workspace, and post results back.

Environment

  • Machine: local macOS workstation
  • Date: 2026-05-31
  • Working directory: /tmp/effloow-anthropic-self-hosted-sandbox-poc
  • Runtime: Python 3.12.8
  • Dependencies: Python standard library only
  • Secrets used: none
  • Network calls: none during PoC execution

Commands

mkdir -p /tmp/effloow-anthropic-self-hosted-sandbox-poc
cd /tmp/effloow-anthropic-self-hosted-sandbox-poc
python3 --version
python3 worker_poc.py

Script Behavior

worker_poc.py defines:

  • FakeEnvironmentQueue: local queue with claim, keepalive, and post_result methods.
  • execute_in_session_sandbox: creates a per-session workspace plus /mnt/session/outputs-style directory tree under a temporary root.
  • Three work items:
    • write report.txt in sess_local_001
    • read the same file in sess_local_001
    • run a safe python3 -c subprocess in sess_local_002

The temporary sandbox root is deleted after execution.

Output

Python 3.12.8
{
  "sandbox_root_created": "/var/folders/c9/dq96xgqs6mgbxl8k80c4blb00000gn/T/effloow-self-hosted-sandbox-gfpen_v3",
  "claimed_count": 3,
  "keepalive_count": 3,
  "results": [
    {
      "work_id": "work_001",
      "session_id": "sess_local_001",
      "result": {
        "ok": true,
        "summary": "wrote sess_local_001/workspace/report.txt"
      }
    },
    {
      "work_id": "work_002",
      "session_id": "sess_local_001",
      "result": {
        "ok": true,
        "content": "hello from a claimed self-hosted work item\n"
      }
    },
    {
      "work_id": "work_003",
      "session_id": "sess_local_002",
      "result": {
        "ok": true,
        "returncode": 0,
        "stdout": "sandbox argv ok",
        "stderr": ""
      }
    }
  ],
  "events": [
    {
      "event": "claimed",
      "work_id": "work_001",
      "session_id": "sess_local_001"
    },
    {
      "event": "posted",
      "work_id": "work_001",
      "ok": true
    },
    {
      "event": "claimed",
      "work_id": "work_002",
      "session_id": "sess_local_001"
    },
    {
      "event": "posted",
      "work_id": "work_002",
      "ok": true
    },
    {
      "event": "claimed",
      "work_id": "work_003",
      "session_id": "sess_local_002"
    },
    {
      "event": "posted",
      "work_id": "work_003",
      "ok": true
    }
  ]
}

What Worked

  • The simulated worker successfully claimed three work items.
  • Each claimed item recorded one keepalive.
  • Session-local filesystem state persisted across tool calls for the same session: sess_local_001 wrote and then read report.txt.
  • A second session got a separate workspace.
  • The subprocess tool executed with a clean zero exit code.
  • Results were posted back as structured payloads with work_id, session_id, and result content.

What Failed

  • No failures occurred in the local simulation.

Limitations

  • This is not a live Anthropic Managed Agents integration.
  • It does not create a real self-hosted environment, environment key, agent, or session.
  • It does not use the ant CLI, Anthropic SDK worker helpers, or Environments Work endpoints.
  • It does not test Cloudflare, Daytona, Modal, or Vercel integrations.
  • It does not validate isolation strength, Linux capability hardening, egress control, queue latency, billing, uptime, or production security.
  • It does not test MCP tunnels, Anthropic vault credentials, web tools, model behavior, memory, or Claude Platform on AWS.

Source Notes

  • Anthropic official announcement: self-hosted sandboxes public beta and MCP tunnels research preview were announced on May 19, 2026.
  • Anthropic self-hosted sandbox docs describe the environment worker as a process that claims work from a queue, spawns an execution context, runs tool calls locally, and posts results back.
  • Anthropic security docs define the shared-responsibility boundary: Anthropic secures the control plane, while the customer owns sandbox image hardening, egress controls, environment key handling, workload isolation, tool blast radius, and log retention.

Read the article

This note supports the public article and records what was actually checked.

Open article →