Durable Objects and Dynamic Workers Reopen Eval for AI Agents

Sunil Pai said Cloudflare’s AI agents work began “seriously a little over a year ago,” and the central infrastructure choice was Durable Objects. He called the name bad and the abstraction initially confusing: “It’s a database?” he said people ask. “No, but it has a database.” The reason it mattered for agents was not the database alone, but the shape of the compute model.

Pai framed the familiar serverless model as a function that takes a request and returns a response. That model breaks as soon as a developer expects local state to survive. A hit counter written as a local variable works on a laptop, then fails after deployment because the function spins up, handles work, and disappears. A developer then has to introduce a database and surrounding coordination just to preserve state.

Durable Objects invert that pattern for a given ID. Pai described them as a class that “spun up once” for an identifier, with future requests and WebSocket connections landing in the same place. Cloudflare calls that “stateful serverless,” a phrase Pai admitted is confusing because servers are already stateful. But the point, in his telling, is that the object behaves like serverless infrastructure while preserving a durable, addressable point of coordination.

The performance claim was concrete. Pai said that on Cloudflare’s network, London can see “like 15 millisecond latency.” He contrasted that with 60 frames per second, where a frame is a little over 16 milliseconds. He cited tldraw as an application built on the same technology: open the same shared canvas on multiple phones, draw, and the screens stay in sync.

For agents, Pai argued, the same properties become the right execution model. Durable Objects are addressable. They can run long-running work even when no request is actively arriving. They can operate in the background, hibernate, go to sleep, persist data, and connect outward to other services. That combination, he said, was “the original bet.”

The Agents SDK is built on that bet. Pai showed the Cloudflare agents page, headed “The Platform For Building Agents,” and an npm install snippet for the agents package. He described the programming model as extending an agent class, defining startup behavior, scheduling work, adding callable functions, and using client-side hooks or plain JavaScript clients. The SDK is not positioned as a single higher-level agent framework that excludes others; later, Pai said it is “more the execution environment than the library you use,” and can sit under LangChain, Vercel’s AI SDK, or other libraries.

Scheduling is one of Pai’s favorite parts. His example was deliberately mundane and agentic: every Friday at 9 p.m., inspect Git history, a wiki, and Notion, compile a manager update, and “mess up the spelling so it looks like I wrote it.” The recurring work runs as part of the same agent-shaped execution model rather than as a separate orchestration problem.

Matt Carey tied the Durable Objects model to MCP’s production deployment problem. Around April of the previous year, he said, MCP became “mega popular.” In its original form, he explained, MCP required a stateful connection between client and server. That was one of the annoying parts of deploying MCP servers to production in the cloud.

Durable Objects were useful because maintaining stateful connections is “kind of the whole point,” Carey said. He said Cloudflare jumped on MCP early and had some of the first MCP servers, naming PayPal and Sentry. Pai then broadened the claim, saying “all the big ones” ran that way and adding Linear and Intercom, while Carey noted there were some they could not name. Pai and Carey presented MCP adoption as a case where agent-adjacent systems immediately needed durable state and long-lived connections.

Pai’s example was resumable streaming. A user asks an LLM for a long story and refreshes the page in the middle of the stream. In a conventional serverless design, Pai said, the developer now has to think about a database, replication, sticky sessions, and related distributed-systems work. In the Agents SDK model, the client reconnects to the Durable Object. If a stream is already in progress, the object can provide the beginning of the stream and continue sending bytes.

The same mechanism, Pai said, gives developers multi-tab sync, multi-browser sync, and phone-plus-laptop sync. He connected this back to Cloudflare’s original Durable Objects use case: real-time collaborative synchronization.

Pai asked why two people cannot share a link to a ChatGPT conversation and work in the same conversation together. His answer was not that this is impossible, but that without the right primitives, teams patch synchronization into userland and become “this crazy distributed systems engineer.” With Durable Objects and the Agents SDK, he said, developers can “make it Cloudflare’s problem.”

The more aggressive claim was about Dynamic Workers. Matt Carey described Workers as Cloudflare’s serverless function platform — “like a Lambda,” but designed later. Dynamic Workers change the deployment model: from one Worker, a developer can take a string of code sent by a customer, written by a user, or generated by an LLM, and run it in its own isolated Worker.

Carey said this “breaks a lot of people’s brains.” He described a recent MCP developer summit anecdote: a startup founder near him was convinced no enterprise would allow generated code it had never seen to run, and then someone from Lockheed Martin told Carey they liked the generated-code approach. Carey used the contrast to describe the mixed reactions he encounters.

The security model, as Pai described it, starts from denial rather than containment around a large machine. He contrasted it with sandboxes that begin as a VM or container and add security around the outside. Dynamic Workers, in his explanation, begin with JavaScript code that has no access to fetch, no APIs, no environment variables, and no ambient privileges. From outside, the host grants explicit capabilities: perhaps a few APIs, perhaps outgoing fetch only to github.com, or even to a narrower path. Pai said Cloudflare’s recommendation is to block outgoing fetches and grant only the capabilities the sandbox needs.

The generated code is not trusted because it came from a model, a user, or a customer. It is made usable because the runtime starts with nothing and receives only the powers the host explicitly gives it.

Pai said developers have been told for decades not to use eval, and noted that Cloudflare Workers themselves do not provide it because it is dangerous. His argument was that a whole branch of the technical tree has been avoided for 20 or 30 years because running generated code safely was not practical. Dynamic Workers are Cloudflare’s attempt to reopen that design space with a fast, secure, cheap primitive.

The speakers did not present this as a VM replacement. Carey was explicit that it is “not a VM” and not a full file system. It is an isolate that can be spun up on demand, and he said Cloudflare can spin up billions of them. The intended use case is code-shaped work that previously would have been forced into a safer but less expressive representation.

Carey’s example was DSLs and generated JSON. If a product lets users configure behavior through a form, the backend may serialize that as JSON and then compile or interpret it into behavior. In Carey’s framing, Dynamic Workers let developers ask a simpler question: if the desired behavior is code, why not run code under explicit capabilities instead?

The visual support for this part of the argument was Cloudflare’s own blog page. Carey opened the Cloudflare Blog and scrolled to an article titled “Sandboxing AI agents, 100x faster.” Pai then pointed listeners to the blog as the place where Cloudflare had written up the technical details, while distinguishing the engineering explanation from the marketing call to action at the bottom.

Carey’s clearest application example was generative UI. He pointed to the pattern of generating JSON and rendering it, then asked why the system should generate JSON at all. Why not generate HTML? Why not generate React and render that?

His answer was that many platforms lack a primitive for rendering untrusted code. If such a primitive exists, agents, users, or customers can generate code that runs and produces UI directly. Carey compared the user-facing experience to Claude Artifacts: generated HTML rendered in the browser. The browser case feels less alarming to many people because the code runs client-side. Carey’s concern was the point where generated UI is rendered “on their servers,” which he called the moment it starts getting “a little bit dodgy” without the right sandbox.

Dynamic Workers are the primitive Carey thinks changes that tradeoff. Instead of constraining generative UI through JSON because the execution environment cannot safely run code, a developer could let the model produce HTML, React, or another UI representation as code and run it in an isolated Worker with bounded capabilities.

That same move underpins what Pai and Carey called Code Mode. Carey said his own follow-up talk would cover using Code Mode in an MCP server to give access to all 2,600 Cloudflare API endpoints in “only a thousand tokens.” He did not explain the mechanism in detail in this session. The preview was narrower: generated code, run inside a Dynamic Worker, can be a compact way to act across a large capability surface without exposing the whole surface as a large prompt payload.

Pai framed the broader idea as “eval plus plus.” Developers have treated eval as forbidden because arbitrary code execution is dangerous. Code Mode is Cloudflare’s attempt to make generated code an explicit agent interface while moving the control point into the sandbox: the code can run, but only with the capabilities the host grants.

An audience member asked whether it would be fair to say one could rebuild a Claude Code-like cloud interface with these primitives. Sunil Pai’s first answer was joking — “should we start leaking secrets?” — but then he said yes.

He described an agent loop running in the Agents SDK as the backend of a Claude Code-like system. Because the backend is persistent and addressable, clients could connect from a terminal, chat interface, phone, iOS app, or web app. State would sync across clients. Work would be resumable. The system would remain stateful.

Matt Carey then made the status explicit: “We’re building it.” He said Cloudflare hoped to ship it “imminently,” and characterized the approach as Cloudflare’s version of a broader industry pattern. Everyone is building a harness, he said, and each team leans into the benefits of its infrastructure or philosophy. Cloudflare’s version combines spin-up/spin-down stateful agents, generated code that can run instantly, and resumability by default.

He also rejected the idea that Workers must be the only execution environment. If an agent needs to delegate to a large container, Carey said it should be able to do that. He mentioned Cloudflare’s sandbox SDK, browser execution, Daytona, browser-use, and Lightpanda as examples of components that could be connected. In his framing, Workers and the Agents SDK become the “nexus” that coordinates other execution targets.

An audience member then asked about skills: a Claude-like system that can create its own extensions, receive a voice message, and set up cron-like behavior. Pai said the ingredients are a heartbeat, a virtual file system, and service connections. Add extensions, and the system needs generated code running in a safe sandbox. Pai said he had implemented extensions that morning and that they worked well on Cloudflare’s system.

For storage, Pai named Durable Object SQLite and R2. Initially he said developers currently have to wire these up, but soon would not. When pressed, he clarified that the relevant piece already exists: @cloudflare/shell. He said its APIs should not break and that it is usable today, providing a full file system layered on Durable Object SQLite and R2 for larger files.

When asked about languages beyond JavaScript and React, Matt Carey’s immediate answer was Python. He said Dynamic Workers and Workers support Python, though Cloudflare needed to polish rough edges. In the repeated exchange that followed, the speakers clarified the language hierarchy: Python is first-class, JavaScript is first-class, and everything else goes through Wasm unless native execution is important enough to use a container.

Sunil Pai and Carey said they had recently been playing with Zig. Pai said someone on the team was the first person to bring Zig into production in Cloudflare Workers for work they could not discuss. The advantage he named was bundle size: Zig’s Wasm bundles are “tiny” compared with Go and Rust.

The more provocative point was that language preference may matter less when the code author is an LLM. Carey and Pai both made that argument. If the model is writing the code, Carey asked, why should the developer care whether it is JavaScript? Pai put it more bluntly: “your LLM is writing code at this point.”

Pai also described Worker Bundler, a tool that runs a bundler inside a Worker. It pulls dependencies from npm, strips types, JSX, and TypeScript, and produces the code that runs inside the Worker. He said one consequence is that it uses Cloudflare’s cache for dependencies rather than depending directly on npm availability at runtime.

Dynamic Workers also show up as a plugin boundary. Pai used Cloudflare’s newly launched CMS, M-dash, as the example. He said it runs fully on Workers and Durable Objects, but otherwise deploys on any platform and is not Cloudflare-specific. Its plugin system is built on Dynamic Workers. The comparison point was WordPress: Pai said WordPress has had plugin-related security incidents, while a locked-down Dynamic Worker environment can offer extensibility without giving plugin code ambient access. He also said Cloudflare is working on support for the Dynamic Worker piece on other platforms.

Pai and Carey pointed to follow-up talks that would go deeper on the two unresolved parts of the session: Pai on Code Mode, and Carey on using Code Mode to compress access to Cloudflare’s API surface through MCP. Pai also directed developers to agents.cloudflare.com, developers.cloudflare.com/agents, and github.com/cloudflare/agents.