I’m a sucker for a write up on coding agent architecture, I think because I enjoy learning about how the sandboxing works. Here’s one from Browser Use (who’s technical writing is often great). It’s a simple, effective design - probably exactly as you would do it if you started from a blank sheet of paper. I always wondered about the cold starts so learning a little about Unikraft was interesting. The juice on the design is this part in the middle:

The VM sits in a private VPC with no permissions other than talking to the control plane. Think of the control plane as a proxy service. The sandbox has no direct access to the outside world. Every request has to hop through the control plane. Need to call an LLM? Goes through the control plane. Need to upload a file to S3? Goes through the control plane. It’s the only way the agent can talk to anything outside its VM. It’s a stateless FastAPI service. Every request from the sandbox carries a Bearer: {session_token} header. The control plane looks up the session by token, validates that it’s still active, and executes the operation with real credentials.

The whole article is interesting throughout (e.g. the compilation to bytecode of the agent framework, how env vars are handled), and the pattern is spelt out in far more detail than we are usually granted. Textbook.