Managed Agents Architecture
Anthropic's Managed Agents service is built on the insight that harnesses encode assumptions that go stale as models improve. The architecture decouples the three logical layers of an agent system so each can be upgraded, scaled, or replaced independently.
The Brain / Hands / Session model
┌─────────────────────────────────────────────┐
│                   Session                   │
│           (append-only event log)           │
│        persists outside Brain+Hands         │
└──────────────┬──────────────────────────────┘
               │ wake(sessionId) / getSession(id)
       ┌───────┴──────┐        ┌──────────────────┐
       │    Brain     │        │      Hands       │
       │  Claude +    │─────── │  Sandboxes +     │
       │  harness     │execute │  tools           │
       │  (outside    │(name,  │  (isolated, no   │
       │  container)  │input)→ │  credentials)    │
       └──────────────┘ string └──────────────────┘
| Layer | Responsibility | Failure mode |
|---|---|---|
| Brain | Reasoning, tool-calling, retry logic | Crash → new harness resumes from Session |
| Hands | Code execution, I/O, tool actions | Error propagates to Brain as string → Brain retries |
| Session | Durability, auditability, replay | External store; survives Brain and Hands restarts |
Why decouple?
- Models improve faster than infrastructure. Harnesses tied to containers couple model assumptions to deployment details.
- Independent failure domains. Brain, Hands, and Session each fail and recover without taking the others down.
- On-demand provisioning. Hands (containers) are spun up per-task rather than reserved per-session → 60–90%+ latency reduction.
- Many brains, many hands. Multiple Claude instances can share many execution environments with no shared-state coupling.
Key API surface
| Call | Direction | Purpose |
|---|---|---|
| execute(name, input) → string | Brain → Hands | Run a tool/command in the sandbox |
| wake(sessionId) | Brain → Session | Resume a harness after crash/restart |
| getSession(id) | Brain → Session | Replay events from last checkpoint |
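Added example (not Anthropic's code or the service's real API): an in-memory Python model of the three calls above, showing a harness crash, a tool error returned as a string, and a fresh harness resuming from the append-only log. `SessionStore`, `Hands`, `Brain`, the event fields, the fixed `plan` standing in for the model's tool calls, and the `crash_after` switch are all assumptions; `get_session` corresponds to the page's `getSession`.

```python
# Added illustration; every class, field and event name here is an assumption.
class SessionStore:
    """External append-only event log; outlives any Brain or Hands instance."""
    def __init__(self):
        self._logs = {}

    def append(self, session_id, event):
        self._logs.setdefault(session_id, []).append(dict(event))

    def get_session(self, session_id):            # page: getSession(id)
        # Return copies so a caller cannot rewrite recorded history.
        return [dict(e) for e in self._logs.get(session_id, [])]


class Hands:
    """Sandbox stand-in: holds no credentials, reports failures as strings."""
    def __init__(self, fail_once=()):
        self.calls, self._fail_once = [], set(fail_once)

    def execute(self, name, tool_input):          # page: execute(name, input) -> string
        self.calls.append(name)
        if name in self._fail_once:
            self._fail_once.discard(name)
            return f"error: {name} failed"
        return f"ok: {name}({tool_input})"


class Brain:
    """Harness outside the container; keeps no state the log does not have."""
    def __init__(self, store, hands, crash_after=None):
        self.store, self.hands, self.crash_after = store, hands, crash_after

    def wake(self, session_id, plan, max_retries=2):   # page: wake(sessionId)
        log = self.store.get_session(session_id)
        done = {e["step"] for e in log if e["type"] == "result"}
        for step, (name, tool_input) in enumerate(plan):
            if step in done:
                continue                          # recorded before the crash
            if self.crash_after is not None and len(done) >= self.crash_after:
                raise RuntimeError("harness crashed")  # simulated Brain failure
            for _ in range(max_retries + 1):
                out = self.hands.execute(name, tool_input)
                if not out.startswith("error:"):
                    break
                self.store.append(session_id, {"type": "tool_error", "step": step, "output": out})
            else:
                raise RuntimeError(f"step {step} kept failing")
            self.store.append(session_id, {"type": "result", "step": step, "output": out})
            done.add(step)
```

A crash between `execute` and the `append` that records its result makes the resumed harness run that step again, so tools in this model need to tolerate a repeat.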
Security model
- Credentials never enter the sandbox (Hands layer).
- Git tokens pre-wired at initialization.
- OAuth tokens stored in external vaults, accessed by Hands via proxies.
- Compromise of Hands layer cannot exfiltrate credentials.
Contrast with prior approach
| | Old | New |
|---|---|---|
| Harness location | Inside container | Outside container |
| Container lifecycle | Pre-allocated per session | On-demand per task |
| Container failure handling | Nursed back to health | Error → Claude retries |
| Session state | In-process / ephemeral | External append-only log |
| Credential scope | Available in sandbox | Never in sandbox |