Claude Sandboxes vs the RDCO substrate — security, pricing, and strategic fit
The question
What's the security model and pricing of Anthropic's Claude Sandboxes, and does it replace, complement, or compete with RDCO's current Cloudflare-Sandbox-SDK + Mac-Mini-tmux substrate? Context: "Claude Sandboxes" were announced ~2026-05-19; RDCO runs an always-on COO agent on a persistent Mac Mini (tmux + LaunchAgent, daily 4am restart) plus the Cloudflare Sandbox SDK for ephemeral compute — this is a substrate-roadmap strategic-fit call.
What we already know (from the vault)
- Two features shipped together in the 2026-05-19 announcement: self-hosted sandboxes (public beta) + MCP tunnels (research preview). Claude's reasoning/orchestration stays on Anthropic infra; tool execution moves to user-owned compute (Cloudflare / Vercel / Modal / Daytona named as managed options). MCP tunnels = single encrypted outbound connection to private DBs/APIs, no inbound firewall holes. ([[2026-05-19-alphasignal-anthropic-claude-sandboxes-mcp-tunnels-trellis]])
- The 2026-05-19 note already flagged two RDCO-relevant hooks: sub-agent isolation (heavy fan-out could execute in user-owned compute) and MCP tunnels for RDCO's MCP-heavy substrate (qmd, Notion, Gmail, Stripe, Cloudflare, dozens more) — recommendation at the time was "watch list, worth requesting tunnel access to dogfood." ([[2026-05-19-alphasignal-anthropic-claude-sandboxes-mcp-tunnels-trellis]])
- The 2026-05-21 re-coverage added detail: hot-swap tools/MCP servers/vault IDs mid-session, and >100k-token MCP outputs auto-offload to sandbox files instead of bloating context. It also mapped MCP tunnels onto the specialist-fleet "cattle-shape" brainstorm (one outbound tunnel per specialist). ([[2026-05-21-alphasignal-hallmark-anthropic-sandboxes-moe]])
- The multi-agent fan-out research already asked the exact open question this brief closes: "Is there a Cloudflare Workers / Sandbox SDK pattern that maps to the per-task scratch dir + isolation primitive, so RDCO could borrow infrastructure instead of building it?" ([[2026-05-20-multi-agent-fanout-architectural-patterns]])
- The always-on COO agent's real risk profile: multiple Claude Code cron jobs (/check-board, /process-newsletter, /graph-reingest) run daily in YOLO-equivalent conditions on the Mac Mini — "one hallucination away from a destructive command against ~/rdco-vault/." Blast-radius containment is the live need, not aspirational. ([[2026-04-19-indydevdan-claude-code-deletes-production]])
What the web says
- There are two distinct "sandbox" products, and the strategic answer differs for each. (1) Claude Code sandboxing — an OS-level sandbox for the Bash tool, built into Claude Code, running locally on the same host (macOS Seatbelt; Linux/WSL2 bubblewrap-style). It isolates filesystem + routes network through an allowlist proxy, and cuts permission prompts ~84% in Anthropic's internal use. This is free and local. (2) Claude Managed Agents self-hosted sandboxes — the enterprise API product where Anthropic keeps the agent loop and you host tool execution. (anthropic.com/engineering/claude-code-sandboxing, platform.claude.com self-hosted-sandboxes)
- Managed Agents security model = shared responsibility with a clean data-flow boundary. Tool inputs/outputs flow to Anthropic's control plane (so the model sees results); the filesystem, spawned processes, and network egress stay on your host. Anthropic secures the control plane (session/work-queue integrity, multi-tenant isolation, agent-context minimization). You own sandbox-image hardening (drop Linux caps, non-root, read-only rootfs), egress controls (VPC/firewall), and retention/redaction of session content. ZDR and HIPAA BAA eligibility are available. (platform.claude.com self-hosted-sandboxes)
- Execution model is a work queue, not a persistent host. A
self_hostedenvironment is a queue: Anthropic enqueues a session; your environment worker claims it, downloads skills, runs tool calls, posts results, and (in per-session mode) exits. Two worker shapes: an always-on poller (long-running, outbound-HTTPS only) or a webhook-triggered handler that wakes onsession.status_run_started. Filesystem is/workspace(working dir) +/mnt/session/outputs(bind-mount a host dir to retrieve deliverables after the session ends). (platform.claude.com self-hosted-sandboxes) - Persistent-state semantics are session-scoped, and two limits matter for RDCO. (a) Anthropic does NOT mount files/repos into self-hosted sandboxes — you pass refs (S3 path, commit SHA) via session
metadataand stage them yourself. (b) "Memory is not currently supported with self-hosted sandboxes." Long-running sessions persist progress/output through disconnects, and some providers add their own persistence (Daytona sandboxes "can be paused and restored with full state preserved"), but that's provider-specific, not an Anthropic primitive. (platform.claude.com self-hosted-sandboxes, claude.com/blog managed-agents-updates) - Cloudflare is a first-class supported execution provider (microVMs with zero-trust secrets), alongside AWS Lambda MicroVMs, Blaxel, Daytona, E2B, GKE Agent Sandbox, Modal, Namespace, Superserve, and Vercel — each with a dedicated integration guide, including one at developers.cloudflare.com/sandbox/claude-managed-agents/. (platform.claude.com self-hosted-sandboxes)
- Pricing: Managed Agents bills on two axes — tokens at standard model rates PLUS $0.08 per session-hour of active runtime, metered to the millisecond and only while status is
running(idle/awaiting-confirmation/terminated time doesn't accrue). Web search inside a session is the standard $10 / 1,000 searches. Self-hosted sandboxes are public beta; MCP tunnels are research preview (access-gated). Note: you also pay your own compute provider (Cloudflare/etc.) for the sandbox itself. (platform.claude.com pricing, reported via WaveSpeed and Verdent)
Convergences and contradictions
- Convergence: the vault's open fan-out question ("does a Cloudflare Sandbox SDK pattern map to per-task isolation?") is now answered officially — Anthropic ships the orchestration glue and treats Cloudflare as a sanctioned execution provider. RDCO's existing Cloudflare investment slots underneath Managed Agents rather than being displaced by it.
- Contradiction / caution: the "Claude Sandboxes" label conflates two products. The vault notes (and the AlphaSignal framing) treat it as one enterprise feature; the actual pricing/persistence tradeoffs are only coherent once you separate the free local Claude Code sandbox from the paid Managed Agents self-hosted sandbox.
- Pricing discrepancy to flag: Anthropic's pricing doc (echoed by WaveSpeed/Verdent) says $0.08/session-hour; one third-party writeup (Tygart Media) headlines $0.25/session-hour. Trust the $0.08 platform figure; treat the $0.25 as unverified.
Synthesis for RDCO
Verdict: complement, not replace — with a partial convergence on the ephemeral Cloudflare use, and only a distant future compete against the Mac-Mini brain. The two "sandbox" products answer two different RDCO workloads, so the fit splits cleanly.
For the always-on Mac-Mini COO agent, Managed Agents is architecturally the opposite of what we run, so it does not replace it. Today the Mac Mini is the brain: one persistent Claude Code session owns its own loop, filesystem, tmux persistence, and 4am LaunchAgent restart, with "memory" living as the vault + working-context.md + MEMORY.md on local disk ([[project_channels_agent_setup]]). Managed Agents inverts that — it hands the agent loop to Anthropic's control plane and reduces your host to a per-session tool-executor that spawns, runs, and exits. Worse for our case, Memory is explicitly unsupported on self-hosted sandboxes, and there is no persistent-session primitive equivalent to a long-lived tmux session; long-running sessions persist within a run, not across the 24/7 cadence of cron loops. Adopting it for the COO agent would be a re-platforming that cedes harness ownership — cutting directly against the L5 harness-sovereignty thesis — for no current benefit. So: keep the Mac Mini as-is for the coordinator loop.
What does complement the Mac Mini today, essentially for free, is the other sandbox: Claude Code's built-in OS-level Bash sandboxing (Seatbelt on macOS). That is the direct, low-cost mitigation for the live blast-radius risk the vault already named — YOLO-equivalent cron jobs one hallucination from rm -rf ~/rdco-vault/ ([[2026-04-19-indydevdan-claude-code-deletes-production]]). This is a concrete near-term roadmap item: enable filesystem + network-proxy sandboxing on the Mac Mini's cron-driven Claude Code invocations, scoped to the vault/repo paths and the domains our MCP servers need. It complements the existing hooks/audit layer rather than replacing it.
For the ephemeral Cloudflare-Sandbox-SDK use, this is convergence, not competition. Cloudflare is now a first-class Managed Agents execution provider. If/when RDCO moves sub-agent fan-out (deep-research, video-critic, implementation sub-agents that run generated code) off the host and into isolated compute, the choice is no longer "build the orchestration glue ourselves on raw Cloudflare Sandbox SDK" vs "use Anthropic" — Anthropic supplies the work-queue + session lifecycle, and our Cloudflare substrate becomes the sanctioned execution layer beneath it. The trade is cost and control: we'd add ~$0.08/session-hour + tokens on top of Cloudflare compute, in exchange for not maintaining the claim/keepalive/skill-download plumbing. For low-volume, high-stakes code execution that shouldn't touch the host, that's plausibly worth it; for the current single-founder scale it's premature. Recommended posture: keep raw Cloudflare Sandbox SDK for what we control today; pilot Managed-Agents-on-Cloudflare only when fan-out volume or a customer-data-can't-touch-host requirement appears. Separately, request MCP tunnel access now (still research preview) — it's the cheapest high-value piece: private-MCP reachability without firewall holes, directly useful for any internal-only MCP server, and independent of whether we ever adopt self-hosted sandboxes.
Open follow-ups
- Can Claude Code's Seatbelt sandbox be enabled per-cron-invocation on the Mac Mini without breaking the MCP servers, git pushes, and wrangler deploys those loops depend on? (Scope test: which domains/paths must be allowlisted.)
- What's the real per-session cost envelope if RDCO ran deep-research fan-out through Managed-Agents-on-Cloudflare vs raw Cloudflare Sandbox SDK — at current volume and at 20-50x fan-out?
- Does MCP-tunnel access get us anything today given our MCP servers are mostly local/OAuth SaaS, or does it only pay off once we host internal-only MCP servers behind a private network?
- Since Memory is unsupported on self-hosted sandboxes, is there any Managed Agents configuration (Anthropic-managed cloud sandbox) that could host a persistent agent loop, or is the persistent-coordinator pattern fundamentally outside the Managed Agents product shape?
- Does adopting Anthropic's orchestration control plane conflict with the sovereignty/harness-ownership posture, and where's the line between "borrow their execution glue" and "cede the loop"?
Related
- [[2026-05-19-alphasignal-anthropic-claude-sandboxes-mcp-tunnels-trellis]] — original filing of the self-hosted sandboxes + MCP tunnels announcement
- [[2026-05-21-alphasignal-hallmark-anthropic-sandboxes-moe]] — re-coverage with mid-session hot-swap + context-offload detail, and the cattle-shape mapping
- [[2026-06-18-technically-code-sandboxes]] — conceptual foundation: sandboxes as blast-radius containment for untrusted/agent-generated code
- [[2026-04-19-indydevdan-claude-code-deletes-production]] — the live Mac-Mini blast-radius risk that local Claude Code sandboxing mitigates
- [[2026-05-20-multi-agent-fanout-architectural-patterns]] — the open fan-out/isolation question this brief closes
- [[project_channels_agent_setup]] — the Mac Mini always-on tmux + LaunchAgent substrate this is measured against
Sources
- Vault:
~/rdco-vault/06-reference/2026-05-19-alphasignal-anthropic-claude-sandboxes-mcp-tunnels-trellis.md - Vault:
~/rdco-vault/06-reference/2026-05-21-alphasignal-hallmark-anthropic-sandboxes-moe.md - Vault:
~/rdco-vault/06-reference/2026-06-18-technically-code-sandboxes.md - Vault:
~/rdco-vault/06-reference/2026-04-19-indydevdan-claude-code-deletes-production.md - Vault:
~/rdco-vault/06-reference/research/2026-05-20-multi-agent-fanout-architectural-patterns.md - Vault:
~/.claude/projects/-Users-ray/memory/project_channels_agent_setup.md - Web: Anthropic — Making Claude Code more secure and autonomous with sandboxing — https://www.anthropic.com/engineering/claude-code-sandboxing
- Web: Claude Platform Docs — Self-hosted sandboxes — https://platform.claude.com/docs/en/managed-agents/self-hosted-sandboxes
- Web: Claude Platform Docs — Self-hosted sandboxes security model — https://platform.claude.com/docs/en/managed-agents/self-hosted-sandboxes-security
- Web: Claude by Anthropic — Managed Agents updates (self-hosted sandboxes + MCP tunnels) — https://claude.com/blog/claude-managed-agents-updates
- Web: Claude Platform Docs — Pricing — https://platform.claude.com/docs/en/about-claude/pricing
- Web: WaveSpeed — Claude Managed Agents Pricing and Beta Limits — https://wavespeed.ai/blog/posts/claude-managed-agents-pricing-2026/
- Web: Verdent — Claude Managed Agents Pricing: Costs and Limits (2026) — https://www.verdent.ai/guides/claude-managed-agents-pricing