A curated collection of infrastructure resources for building production AI agents: runtimes, workspaces, sandboxes, tool protocols, context systems, security, observability, and evaluation.
Last reviewed: 2026-07
This list focuses on the systems layer below agent products and above foundation models.
It is not a general "awesome AI agents" list. It is focused on the infrastructure needed to run agents safely and reliably in production.
Organized around one question, asked of every component: what state is this, and where does it belong?
Contents
Scope
Included:
- Agent runtimes and control planes
- Durable execution
- Workspace and runtime state
- Sandbox and execution environments
- Tool protocols such as MCP
- Context files and repo-level guidance
- Security, permissions, and policy
- Observability, tracing, and evaluation
- Coding-agent workflows
- Relevant systems books and videos
Not included:
- Prompt collections
- General AI app directories
- Chatbot UI tools
- Generic RAG tools unless they are directly relevant to agent infrastructure
- End-user agent products without clear infrastructure lessons
Core Concepts
| Concept |
Meaning |
| Agent runtime |
The execution layer that runs agent loops, manages state, retries, tools, and human interaction. |
| Harness |
The model-facing loop and scaffolding that turns model outputs into actions. |
| Workspace |
The durable working state an agent reads and writes during a task. Not just a folder. |
| Sandbox |
The isolated compute environment where actions execute. |
| Session / run |
The ordered record of an agent execution attempt. |
| Tool protocol |
The interface by which agents discover and call external tools or resources. |
| Policy |
Runtime constraints over tools, data, paths, permissions, and publish actions. |
| Publish lifecycle |
The process of promoting candidate agent output into source-of-truth systems. |
| Observability |
Traces, logs, metrics, costs, evals, and replay data for agent behavior. |
| Storage concern |
The persistence needs around agent metadata, conversations, run events, workspaces, artifacts, memory, and traces. |
Foundational Articles
| Resource |
Layer |
Why it matters |
| Anthropic: Building Effective Agents |
Runtime |
Practical guide arguing for simple composable agent patterns instead of over-engineered abstractions. |
| Lilian Weng: Harness Engineering for Self-Improvement |
Harness / runtime |
Frames harnesses as the deployment layer around models: workflow, tools, context, persistent state, permissions, and evals. |
| Anthropic: Effective Context Engineering for AI Agents |
Context / Runtime |
Good framing for context as runtime design rather than prompt stuffing. |
| Anthropic: Writing Effective Tools for AI Agents |
Tooling |
Useful for designing tool APIs agents can actually use. |
| Martin Fowler: Context Engineering for Coding Agents |
Coding agents / Context |
Strong developer-facing explanation of workspace files and repo context for coding agents. |
| Temporal: What Is Durable Execution? |
Durable execution |
Core concept for long-running, crash-resilient workflows. |
| DBOS: Durable Execution for Crashproof AI Agents |
Durable execution |
Applies durable execution ideas directly to AI agents. |
| GitHub Blog: A practical guide on how to use the GitHub MCP server |
Tool protocol / GitHub workflow |
Practical reference for MCP + GitHub integration. |
| Anthropic: Building with Claude Managed Agents |
Runtime |
Defines the brain/hand/session split, vault-brokered credentials, and session-derived memory in a first-party production agent runtime note. |
| OpenAI: Sandbox Agents |
Runtime / sandbox |
Draws the harness/control-plane vs. compute/sandbox-plane line, with credentials treated as runtime configuration rather than prompt content. |
| OpenAI: The next evolution of the Agents SDK |
Runtime / SDK |
Official launch context for Sandbox Agents and the Agents SDK direction. |
| Vercel: Agentic Infrastructure |
Runtime |
Reports that over 30% of Vercel deployments are agent-triggered and maps sandboxes, workflows, gateway, and observability into shipped infrastructure. |
| HumanLayer: 12-Factor Agents |
Runtime |
The stateless-reducer framing: agent execution as a function over an append-only event log. |
| Manus: Context Engineering for AI Agents |
Context / workspace |
Production note arguing for filesystem-backed context and stable append-only traces. |
| Microsoft Agent Framework at Build 2026 |
Runtime / hosted agents |
First-party description of Agent Harness, hosted agents, per-session VM isolation, filesystem persistence, and OpenTelemetry. |
| OpenRath: Session-Centered Runtime State for Agent Systems |
Runtime state |
Makes the case for session as a first-class runtime value rather than incidental chat history. |
Runtime and Control Plane
Projects
| Project |
Type |
Why it matters |
| LangGraph |
Runtime framework |
Stateful graph runtime for long-running agents, persistence, human-in-the-loop, and durable execution. |
| OpenAI Agents SDK Python |
SDK |
Lightweight SDK for building agentic apps. Useful baseline for minimal abstractions. |
| OpenAI Agents SDK TypeScript |
SDK |
TypeScript version, useful for JS/TS infrastructure builders. |
| Omnigent |
Meta-harness / control plane |
Common orchestration layer over coding agents and custom agents, with policies, sandboxing, shared sessions, and multi-device collaboration. |
| LiteLLM Agent Platform |
Agent platform |
Self-hostable control plane for calling and managing coding agents with per-session isolation and shared proxy infrastructure. |
| LiteLLM Agent Runtime |
Runtime |
Coding-agent daemon designed to run inside per-session VMs, with customization layered through repo, team, and session config. |
| Microsoft Foundry Agent Service |
Hosted runtime |
Framework-agnostic hosted agent service with session isolation, durable state, tracing, evaluation, and production deployment hooks. |
| OpenHands |
Agent platform |
Full open-source software-agent platform with sandboxed execution and developer workflows. |
| OpenHands Software Agent SDK |
SDK |
Composable SDK for building software-development agents. |
| SWE-agent |
Coding-agent scaffold |
Simple and influential coding-agent scaffold for GitHub issue solving. |
| mini-SWE-agent |
Minimal agent |
Small baseline for understanding the minimal loop needed to solve coding tasks. |
| Goose |
Local agent runtime |
General-purpose open-source agent with CLI, desktop, API, and MCP extension ecosystem. |
| Semantic Kernel |
Enterprise SDK |
Enterprise-oriented orchestration and agent framework from Microsoft. |
| CrewAI |
Multi-agent framework |
Popular multi-agent orchestration framework. |
| AutoGen |
Multi-agent framework |
Influential multi-agent framework. Useful historically and architecturally. |
| Letta |
Stateful agents / memory |
Platform for stateful agents with advanced memory. Useful for understanding memory-first agent design. |
| Letta Code |
Coding agent / memory |
Memory-first coding agent. Useful contrast with workspace-first designs. |
Papers
Tool Protocols and Context Interfaces
MCP
Context and Repo Guidance
Workspace and Runtime State
| Resource |
Type |
Why it matters |
| Resilient Write paper |
Paper |
Durable write surface for coding agents. Very relevant to workspace design. |
| Resilient Write blog |
Blog |
More engineering-oriented explanation of durable write paths. |
| BranchFS |
Filesystem project |
FUSE-based copy-on-write branching workspace. Useful for fork/snapshot semantics. |
| TClone |
Paper |
Low-latency forking of live GUI workspaces for computer-use agents. |
| Git worktree docs |
Git docs |
Basic primitive for isolated local candidate workspaces. |
| Git apply docs |
Git docs |
Basis for patch-based publish. |
| Git format-patch docs |
Git docs |
Basis for exporting deltas and patch bundles. |
| GitHub Pull Requests docs |
Workflow docs |
Publish target for coding-agent output. |
| GitHub Actions docs |
CI docs |
Common validation stage for agent-produced changes. |
Sandbox and Execution
The useful first question is not "which provider?", but "what boundary protects the host?". Agent sandboxes also need a state model, because long-running agents often need files, snapshots, or branches to survive beyond one process.
| Isolation model |
Boundary |
Typical fit |
| Process policy sandbox |
Host process plus OS policy |
Local tools or helper processes with filesystem and network limits. |
| Shared-kernel container |
Namespaces, cgroups, capabilities, seccomp |
Dense Linux workloads where compatibility matters more than kernel separation. |
| Userspace-kernel container |
Container API with syscall mediation |
Stronger isolation than ordinary containers while preserving OCI-style workflows. |
| Language or WebAssembly runtime |
Engine-level isolate or capability grants |
Controlled plugins, edge functions, and short-lived extension code. |
| MicroVM |
Separate guest kernel per workload |
Untrusted Linux code, generated code, package installs, and agent execution. |
| VM-backed container runtime |
Container UX backed by lightweight VMs |
Kubernetes or OCI workflows that need a stronger tenant boundary. |
| Full VM or enclave |
Hypervisor VM or confidential-computing TEE |
Broad OS compatibility or highly sensitive secret-handling paths. |
| State model |
What persists or branches |
Why it matters for agents |
| Ephemeral runtime |
Nothing durable by default |
Good for one-shot code execution and tests. |
| Durable volume |
Files survive sandbox stop/start |
Useful for package caches, generated artifacts, and long tasks. |
| Filesystem snapshot |
Filesystem state can be cloned or restored |
Enables branch-mutate-evaluate workflows without rebuilding environments. |
| Memory/process snapshot |
Running state can resume from a checkpoint |
Useful for fast warm starts and long-lived interactive sessions. |
| Branchable backing services |
Databases or object state can fork cheaply |
Keeps agent experiments isolated beyond the filesystem. |
Managed Agent Sandboxes
| Resource |
Type |
Why it matters |
| E2B docs |
Cloud sandbox docs |
Cloud sandbox for AI agents. Useful for remote execution, code interpreter, and agent runtime patterns. |
| E2B GitHub |
Repo |
Open-source infrastructure for AI code execution sandboxes. |
| E2B coding agents docs |
Use-case docs |
Shows how secure sandboxes are exposed to coding agents with terminal, filesystem, and Git access. |
| Daytona docs |
Sandbox docs |
Secure sandbox runtime for AI-generated code. |
| Daytona sandboxes docs |
Sandbox docs |
Lifecycle and sandbox concepts. |
| Daytona GitHub |
Repo |
Secure and elastic runtime for AI-generated code execution and agent workflows. |
| Modal |
Serverless compute |
Useful reference for fast, dynamic cloud execution, even if not agent-specific. |
| Modal docs |
Docs |
Good reference for serverless execution, container images, sandboxes, secrets, and jobs. |
| Modal Sandbox docs |
Sandbox docs |
Useful example of exposing programmatic sandboxed command execution. |
| Modal: Code execution sandboxes for browser-use agents |
Scale note |
Public production-scale numbers for agent sandbox concurrency and session volume. |
| Northflank: E2B vs Modal |
Comparison article |
Helpful market and architecture comparison for AI code execution sandboxes. |
| Blaxel Sandboxes |
Sandbox docs |
Distinguishes snapshot-backed standby from durable-volume persistence, a useful split for agent workspace design. |
Browser, GUI, and Computer-Use Sandboxes
| Resource |
Type |
Why it matters |
| Browserbase docs |
Browser sandbox docs |
Cloud browser infrastructure for browser agents and automation. |
| Browserbase |
Browser infrastructure |
Useful reference for running browser sessions remotely for agents. |
| Stagehand docs |
Browser-agent framework docs |
Browser automation framework built around AI-assisted browser actions. |
| Stagehand GitHub |
Repo |
Open-source browser automation framework for AI agents. |
| browser-use GitHub |
Browser agent project |
Popular open-source project for browser-using agents. |
| browser-use docs |
Docs |
Practical browser-agent execution and automation patterns. |
| Microsoft Playwright MCP |
MCP server |
Browser automation through MCP using Playwright. |
| Playwright docs |
Browser automation docs |
Useful lower-level browser automation primitive. |
| Scrapybara docs |
Browser / computer sandbox docs |
Reference for hosted computer-use and browser sandboxes. |
| Scrapybara GitHub |
Repo |
Agent-facing computer-use sandbox project. |
| BrowserArena |
Paper / eval |
Live open-web agent evaluation platform; useful for understanding web-agent failure modes. |
| FP-Agent |
Paper |
Fingerprinting AI browsing agents; relevant for browser-agent detection and control. |
MicroVM and VM Isolation
Container Isolation and Runtime Hardening
| Resource |
Type |
Why it matters |
| Docker Engine docs |
Runtime docs |
Container execution basics. |
| Docker security docs |
Security docs |
Container security baseline: namespaces, capabilities, seccomp, rootless mode, daemon risks. |
| Docker seccomp docs |
Security docs |
Default seccomp profile and syscall restrictions. |
| Docker rootless mode |
Security docs |
Useful for reducing daemon and root risk in local sandboxes. |
| Docker AppArmor docs |
Security docs |
AppArmor profile support for Docker containers. |
| containerd |
Runtime |
Core container runtime used by many systems. |
| containerd GitHub |
Repo |
Implementation reference for container lifecycle. |
| runc |
OCI runtime |
Low-level OCI container runtime used by Docker and containerd. |
| OCI Runtime Spec |
Spec |
Standard interface for container runtimes. |
| Podman |
Container runtime |
Daemonless container engine, useful for rootless and local execution models. |
| Podman docs |
Docs |
Rootless container and pod execution patterns. |
Linux Kernel and Process Confinement
| Resource |
Type |
Why it matters |
| Linux namespaces man page |
Kernel docs |
Foundation for container isolation. |
| Linux cgroups v2 docs |
Kernel docs |
CPU, memory, IO, and process resource control. |
| seccomp kernel docs |
Kernel docs |
Syscall filtering primitive. |
| AppArmor docs |
LSM docs |
Mandatory access-control profiles for process confinement. |
| SELinux project |
LSM project |
Mandatory access-control system; important conceptually for strong policy enforcement. |
| gVisor docs |
Container sandbox docs |
Userspace kernel that provides an additional isolation boundary for containers. |
| gVisor GitHub |
Repo |
Implementation of a sandboxed container runtime. |
| gVisor architecture guide |
Architecture docs |
Explains how gVisor interposes between application and host kernel. |
| nsjail |
Process sandbox |
Linux namespaces, cgroups, seccomp-bpf, and resource limits in one tool. |
| bubblewrap |
Unprivileged sandbox |
Commonly used by Flatpak; useful for lightweight local process isolation. |
| Firejail |
Linux sandbox |
SUID sandbox using namespaces and seccomp. |
| Landlock LSM docs |
Kernel docs |
Unprivileged access-control mechanism for sandboxing. |
| Sandlock paper |
Paper |
Confines AI agent code using unprivileged Linux primitives. Highly relevant to local-agent execution. |
| Sandlock GitHub |
Repo |
Companion implementation for the Sandlock paper. |
Kubernetes and Cluster Execution
Sandbox Security Papers and Measurement
| Resource |
Type |
Why it matters |
| AI Code Sandboxes: Comparative Security Study |
Paper |
Compares engine-level properties such as attack surface, leakage, stackability, CVE history, patch cadence, and fuzzing. |
| AI Sandboxes: Threat Model, Taxonomy, and Measurement Framework |
Paper |
Gives a broad sandbox taxonomy and measurement framework for fidelity, controllability, observability, containment, reproducibility, and governance artifacts. |
| Fault-Tolerant Sandboxing for AI Coding Agents |
Paper |
Transactional sandboxing approach with policy interception and filesystem rollback. |
| ceLLMate: Sandboxing Browser AI Agents |
Paper |
Browser-level sandboxing framework for reducing prompt-injection blast radius. |
| AgentBay |
Paper |
Hybrid interaction sandbox for agent and human takeover across Linux, Windows, Android, browser, and code-interpreter environments. |
Security, Policy, and Governance
Observability and Evaluation
Observability Checklist
A production agent run should record:
- Run ID
- Workspace ID
- Model and harness
- Tool calls
- File changes
- Command execution
- Cost and latency
- Policy decisions
- Publish attempts
- External references such as PR URLs
- Error and retry history
- Final outcome
Coding-Agent Workflows
Data Layer and Storage
Agent infrastructure usually combines several storage concerns: control-plane records, conversation and run history, workspace state, artifacts, memory, and observability data. This section focuses on reusable storage ideas rather than generic application frameworks.
Note: no purpose-built session-store engine exists yet. The session log's contract - idempotent append, read-your-own-tail at low latency, per-session ordered replay, and fork - fits neither OLTP nor plain append logs. Pointers welcome.
Control-Plane Metadata
Agent definitions, identity, permissions, config, source references, and low-volume control-plane state usually fit normal OLTP systems well.
| Resource |
Why it matters |
| PostgreSQL |
Strong default metadata store for identity, config, policy, workspace specs, and source references. |
| PostgreSQL JSONB docs |
Useful when specs and policy need typed relational fields plus flexible structured payloads. |
| PostgreSQL advisory locks |
Practical primitive for workspace locks, publish locks, and idempotent control-plane operations. |
Conversation and Run History
Agent runs are easiest to debug and replay when prompts, model calls, tool calls, decisions, file changes, and checkpoints are recorded as ordered history. Some frameworks implement replay and branching at the framework layer; storage choices need to preserve the semantics those features depend on.
Workspace and Artifact State
Coding agents and computer-use agents often need durable files, snapshots, forked workspaces, generated artifacts, and discardable candidate output. This is where storage design meets sandbox lifecycle.
| Resource |
Why it matters |
| Replit snapshot engine |
Shows a compute-and-storage fabric where filesystem state is durable and addressable independently of any one container. |
| Cloudflare Sandboxes GA |
Sandboxes are addressed by name, sleep at zero compute cost, and wake with state intact; only compute is disposable. |
| MinIO docs |
S3-compatible object storage reference for artifacts, logs, and workspace-adjacent binary state. |
Memory
Long-running agents may need memory beyond a single run. The important infrastructure questions are provenance, branching, compaction, retention, and whether memory is editable or only append-derived.
| Resource |
Why it matters |
| AWS Bedrock AgentCore Memory |
Treats memory branching as a named capability for message edits, what-if exploration, and divergent context paths. |
Observability and Analytics Storage
Trace-shaped analytical reads are a well-understood storage problem, but they have different needs than conversation replay or workspace state.
| Resource |
Why it matters |
| ClickHouse |
Common storage engine for high-volume analytical telemetry and trace-style reads. |
| ClickHouse async inserts |
Shows why analytics-shaped engines can fail the session-store contract: async insert defers visibility and deduplication happens later, the opposite of read-your-writes. |
Books
| Book |
Why it matters |
| Designing Data-Intensive Applications |
State, consistency, durability, lineage, logs, storage, and systems tradeoffs. |
| Google SRE Books |
Reliability, operations, incident response, SLOs, and production discipline. |
| Site Reliability Engineering table of contents |
Free online SRE book. |
| Operating Systems: Three Easy Pieces |
Processes, virtualization, concurrency, persistence, and filesystems. |
| Distributed Systems, Maarten van Steen |
Naming, replication, consistency, coordination, and fault tolerance. |
Videos and Talks
MCP and Tool Protocol
Runtime and Durable Execution
Sandbox Videos
Observability Videos
Coding Agents
Related Awesome Lists
Contributing
Contributions are welcome. Please read CONTRIBUTING.md before opening a pull request.
A resource belongs here if it helps answer at least one of these questions:
- How should an agent runtime manage state?
- How should tools be exposed safely?
- How should workspace changes be isolated and published?
- How should sandboxes execute untrusted or semi-trusted actions?
- How should agent runs be traced, evaluated, and replayed?
- How should secrets, permissions, and policy be enforced?
- How should coding agents integrate with repos, issues, PRs, and CI?
A resource does not belong here if it is only:
- A generic prompt engineering article
- An end-user chatbot product
- A generic AI app directory
- A model leaderboard with no infrastructure implications
- A shallow tutorial with no reusable systems insight