From Agents Week Announcements to Production: Cloudflare Control Plane Patterns

Cloudflare’s Agents Week launches introduced a coherent stack: Sandboxes, Artifacts, Workflows control-plane scaling, and policy-aware egress primitives. The common mistake now is treating these as isolated features. In production, they should be assembled as one control plane for agent lifecycle.

The architecture shift: agent sessions as first-class workloads

Traditional web architecture assumes many users hit one app. Agent workloads invert that. You often have one user running multiple long-lived sessions with state, tools, and background jobs. That requires:

isolated execution units per session
versioned workspace state
durable orchestration for retries and deadlines
policy-bound network egress

This is why “serverless + stateless handlers only” breaks under agent workloads.

Reference blueprint

A practical enterprise shape:

Workers: entry policy, authN/authZ, tenancy checks
Durable Objects: per-session control records and lock coordination
Sandboxes: tool execution and stateful task runtime
Artifacts: versioned workspace and handoff between human and agent
Workflows: long-running orchestration and compensation logic
R2/KV + analytics pipeline: evidence and telemetry

This model keeps runtime flexibility while preserving governance boundaries.

Session lifecycle contract

Define explicit phases for each session:

created (policy attached, identity verified)
active (tool operations allowed under scope)
checkpointed (artifact snapshot + summary)
suspended (resource limits tightened)
closed (retention and redaction policy enforced)

When these phases are implicit, incident response takes hours instead of minutes.

Egress governance is non-negotiable

Most high-severity agent incidents come from outbound actions, not inbound prompts. Build policy around destination and intent:

allowlist by service class and environment
token injection only at egress boundary
per-session credential leasing with strict TTL
deterministic denial reason codes

Never hand long-lived credentials to untrusted runtime code in plaintext.

Artifact strategy: code, memory, evidence

Treat artifacts in three classes:

working state (mutable)
decision evidence (append-only)
release candidate outputs (promotable, signed)

This separation prevents accidental editing of compliance evidence while keeping developer velocity high.

Reliability controls for long-running agents

Long-running sessions need distributed-system hygiene:

idempotency keys for tool operations
retry classes split by timeout/capacity/policy failures
heartbeat and liveness windows per workflow step
dead-letter queue for policy-blocked actions
deterministic resume points from checkpoints

Without explicit resume semantics, restarts become partial corruption risks.

SRE metrics that matter

For this stack, dashboard vanity metrics are not enough. Track:

session success rate by workload class
mean recovery time after tool failure
policy-block rate and false-positive ratio
egress denial top causes
artifact restore latency
cost per completed workflow

These map directly to reliability, safety, and business efficiency.

Deployment plan for an existing platform team

Month 1

classify top five agent workflows
introduce session state records in Durable Objects
move credentials to boundary-injection model

Month 2

standardize checkpoints into Artifacts
migrate async branches into Workflows
publish SLOs for session completion and recovery

Month 3

run red-team tests for egress bypass
enforce retention policy and automated evidence export
add executive weekly report for cost + risk + delivery throughput

Closing

Agents Week was not a list of product updates. It was a blueprint for how cloud infrastructure must evolve for autonomous workloads. Teams that unify compute, state, orchestration, and egress governance into one control plane will scale agent usage without losing control.