Secure AI Workers for Enterprise
Every agent gets its own Cloudflare Sandbox. Hardware-level isolation. Per-agent cryptographic identity. Strict network egress controls. No shared state between agents.
Security Architecture
Hardware-Isolated Sandboxes
Cloudflare Sandbox provides stronger isolation than containers. Each agent gets its own execution environment with no shared kernel state. This is not Docker on a shared host.
Per-Agent DID Identity
Each agent receives a unique Ed25519 Decentralized Identifier at provisioning. All signing operations use this identity. Agents cannot impersonate other agents.
Egress Mediation
Work Policy Contracts define exactly which external endpoints each agent can reach. All model calls route through clawproxy. Unauthorized network access is blocked and logged.
Scoped R2 Storage
Agent state persists in R2 with tenant/agent-scoped prefixes. Agents can only access their own storage subtree. Cross-agent data access is impossible at the infrastructure level.
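The two enforcement points described above, the egress allowlist with approval gates and the agent-scoped storage prefix, are shown together in the following added example. It is illustration code, not the product's Work Policy Contract engine: the contract field names, the `clawproxy.example` and `erp.acme.example` origins, the tenant and agent names and the audit-log shape are all constructed assumptions.

```javascript
// Added example, not product code: enforcing one agent's Work Policy Contract.
// Field names, origins and identifiers are constructed for illustration.
const policy = {
  tenantId: "acme",
  agentId: "invoice-bot",
  egress: {
    // Only these origins may be reached; model traffic goes to the proxy origin.
    allowedOrigins: ["https://clawproxy.example", "https://erp.acme.example"],
    // Origins that additionally require a human approval gate before each call.
    approvalRequired: ["https://erp.acme.example"],
  },
};

// Audit evidence: every allow/deny decision is recorded, not just denials.
const auditLog = [];
function logEvent(event) {
  auditLog.push({ ts: "<constructed-timestamp>", ...event });
}

// Decide whether an outbound request may leave the sandbox. The check compares
// the parsed origin (scheme + host + port), so a look-alike host such as
// "erp.acme.example.evil.test" or a userinfo trick in the URL does not match.
function checkEgress(policy, url, approved = false) {
  let origin;
  try {
    origin = new URL(url).origin;
  } catch {
    logEvent({ type: "egress_denied", reason: "malformed_url", url });
    return { allowed: false, reason: "malformed_url" };
  }
  if (!policy.egress.allowedOrigins.includes(origin)) {
    logEvent({ type: "egress_denied", reason: "not_in_allowlist", origin });
    return { allowed: false, reason: "not_in_allowlist" };
  }
  if (policy.egress.approvalRequired.includes(origin) && !approved) {
    logEvent({ type: "egress_denied", reason: "approval_required", origin });
    return { allowed: false, reason: "approval_required" };
  }
  logEvent({ type: "egress_allowed", origin });
  return { allowed: true, reason: "ok" };
}

// Map an agent-supplied relative key onto the agent's own R2 subtree.
// Empty and "." segments are dropped; any ".." segment is rejected outright
// rather than resolved, so the result always starts with tenant/agent/.
function scopedKey(policy, relativeKey) {
  const prefix = `${policy.tenantId}/${policy.agentId}/`;
  const segments = relativeKey.split("/").filter((s) => s !== "" && s !== ".");
  if (segments.length === 0 || segments.some((s) => s === ".." || s.includes("\\"))) {
    logEvent({ type: "storage_denied", reason: "invalid_key", relativeKey });
    return null;
  }
  const key = prefix + segments.join("/");
  logEvent({ type: "storage_scoped", key });
  return key;
}
```

Note that `scopedKey` never lets the caller choose the prefix: a key like `/acme/hr-bot/state.json` is not an escape, it simply becomes `acme/invoice-bot/acme/hr-bot/state.json` inside the caller's own subtree, which is what "agents can only access their own storage subtree" means in practice.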
Sleep/Wake Lifecycle
Agents sleep after configurable idle time (default 30 min) and wake on demand. State persists through R2 sync. Pay only for active compute. No data loss during transitions.
DLP Redaction Pipeline
Built-in data loss prevention strips sensitive data (PII, PHI, financial data) before it leaves the sandbox. Redaction actions are logged in the proof bundle.
Frequently Asked Questions
Each agent runs in its own Cloudflare Sandbox with separate process and filesystem boundaries. Agent state is synchronized to tenant/agent-scoped R2 prefixes, so one agent cannot read another agent's persisted data.
Yes. Work Policy Contracts enforce explicit egress allowlists and approval gates. Unauthorized destinations are denied at execution time and reflected in audit evidence.
Runtime state is synced to scoped storage before sleep and restored on wake. Restart events and lifecycle transitions are logged so operations teams can verify continuity.