Anthropic has fundamentally restructured how its Managed Agents operate, moving from a single-container architecture to a distributed design with three decoupled components.

The original design bundled the model loop (harness), sandbox execution environment, and session history into one container. This created three operational problems: debugging was opaque because failures in the harness, network packets, or the container itself looked identical; network reach was limited because the harness assumed resources lived in the same container, forcing customers to either peer networks or run their own harness; and security risks emerged because credentials and untrusted generated code shared the same environment—a prompt injection did not need to escape the container but only convince Claude to read environment variables.

The new architecture virtualizes the agent into three independent interfaces, inspired by how operating systems virtualized hardware. The session is a durable, append-only log of all events. The harness (brain) is the orchestration loop that calls Claude and routes tool calls. The sandbox (hands) is the execution environment where code runs and files are edited. Each component can fail or be replaced without disrupting the others.

This decoupling delivers three major benefits. First, time-to-first-token fell dramatically because inference can now start immediately by pulling pending events from the session log; container provisioning is deferred until a tool call actually requires it. Sessions that never execute code skip the container boot entirely, which explains why p95 latency dropped over 90%—the tail was dominated by unnecessary container setup. Second, both the harness and sandbox become stateless and replaceable; if the harness crashes, a new instance boots with wake(sessionId), reconstructs state from the session log via getEvents(), and resumes. If a sandbox fails, a fresh container spins up on demand. Third, credentials are now structurally unreachable from generated code: Git tokens are used once during cloning and never held again; OAuth tokens for custom tools live in an external vault and are swapped for session tokens through a dedicated proxy, so prompt injection can no longer steal long-lived credentials.

On July 22, 2026, Anthropic is changing how memory listing behaves on Managed Agents: the order_by and order parameters will be ignored in favor of a stable, server-defined order. This reflects the broader design philosophy that durable, queryable interfaces outlast specific implementations. The session log itself is treated as a context object outside the model's window, allowing the harness to fetch slices of the event stream, rewind, or reread around specific decisions—all before sending to Claude. This sidesteps the problem of irreversible decisions about which tokens to discard when tasks overflow context.

The underlying principle is to encode assumptions into interfaces rather than implementations. Model capabilities improve over time, making workarounds obsolete; Anthropic notes that context-reset logic added for Sonnet 4.5 became dead weight by Opus 4.5. By separating brain, hands, and memory, and keeping credentials out of the execution sandbox, agent systems become resilient to model evolution and immune to entire classes of attacks.