06-reference/research

claude sandboxes security pricing vs rdco substrate

2026-07-02·research-brief·source: deep-research
claude-sandboxesmanaged-agentssubstrate-roadmapcloudflare-sandbox-sdkmcp-tunnels

Claude Sandboxes vs the RDCO substrate — security, pricing, and strategic fit

The question

What's the security model and pricing of Anthropic's Claude Sandboxes, and does it replace, complement, or compete with RDCO's current Cloudflare-Sandbox-SDK + Mac-Mini-tmux substrate? Context: "Claude Sandboxes" were announced ~2026-05-19; RDCO runs an always-on COO agent on a persistent Mac Mini (tmux + LaunchAgent, daily 4am restart) plus the Cloudflare Sandbox SDK for ephemeral compute — this is a substrate-roadmap strategic-fit call.

What we already know (from the vault)

What the web says

Convergences and contradictions

Synthesis for RDCO

Verdict: complement, not replace — with a partial convergence on the ephemeral Cloudflare use, and only a distant future compete against the Mac-Mini brain. The two "sandbox" products answer two different RDCO workloads, so the fit splits cleanly.

For the always-on Mac-Mini COO agent, Managed Agents is architecturally the opposite of what we run, so it does not replace it. Today the Mac Mini is the brain: one persistent Claude Code session owns its own loop, filesystem, tmux persistence, and 4am LaunchAgent restart, with "memory" living as the vault + working-context.md + MEMORY.md on local disk ([[project_channels_agent_setup]]). Managed Agents inverts that — it hands the agent loop to Anthropic's control plane and reduces your host to a per-session tool-executor that spawns, runs, and exits. Worse for our case, Memory is explicitly unsupported on self-hosted sandboxes, and there is no persistent-session primitive equivalent to a long-lived tmux session; long-running sessions persist within a run, not across the 24/7 cadence of cron loops. Adopting it for the COO agent would be a re-platforming that cedes harness ownership — cutting directly against the L5 harness-sovereignty thesis — for no current benefit. So: keep the Mac Mini as-is for the coordinator loop.

What does complement the Mac Mini today, essentially for free, is the other sandbox: Claude Code's built-in OS-level Bash sandboxing (Seatbelt on macOS). That is the direct, low-cost mitigation for the live blast-radius risk the vault already named — YOLO-equivalent cron jobs one hallucination from rm -rf ~/rdco-vault/ ([[2026-04-19-indydevdan-claude-code-deletes-production]]). This is a concrete near-term roadmap item: enable filesystem + network-proxy sandboxing on the Mac Mini's cron-driven Claude Code invocations, scoped to the vault/repo paths and the domains our MCP servers need. It complements the existing hooks/audit layer rather than replacing it.

For the ephemeral Cloudflare-Sandbox-SDK use, this is convergence, not competition. Cloudflare is now a first-class Managed Agents execution provider. If/when RDCO moves sub-agent fan-out (deep-research, video-critic, implementation sub-agents that run generated code) off the host and into isolated compute, the choice is no longer "build the orchestration glue ourselves on raw Cloudflare Sandbox SDK" vs "use Anthropic" — Anthropic supplies the work-queue + session lifecycle, and our Cloudflare substrate becomes the sanctioned execution layer beneath it. The trade is cost and control: we'd add ~$0.08/session-hour + tokens on top of Cloudflare compute, in exchange for not maintaining the claim/keepalive/skill-download plumbing. For low-volume, high-stakes code execution that shouldn't touch the host, that's plausibly worth it; for the current single-founder scale it's premature. Recommended posture: keep raw Cloudflare Sandbox SDK for what we control today; pilot Managed-Agents-on-Cloudflare only when fan-out volume or a customer-data-can't-touch-host requirement appears. Separately, request MCP tunnel access now (still research preview) — it's the cheapest high-value piece: private-MCP reachability without firewall holes, directly useful for any internal-only MCP server, and independent of whether we ever adopt self-hosted sandboxes.

Open follow-ups

Related

Sources