Building cloud agent infrastructure: what's different, and what we learned
A hands-on report from CREAO detailing the architectural challenges of moving AI agents from a single-user desktop to a multi-tenant cloud sandbox. It presents two hard-won lessons. First, decouple slowly-changing user environments from fast-changing platform code by freezing user sandboxes into snapshots and hot-swapping the runner library in ~300ms via an atomic sequence involving chattr, V8 compile cache purging, and post-run re-snapshotting. Second, enforce strict credential isolation by ensuring no long-lived secrets ever enter the sandbox; a host-side API bridge verifies sandbox calls using a dual check of IP allowlisting and short-lived, per-run JWTs, so a compromised agent yields only an expiring, network-pinned token. Concrete commands, validation steps, and design rationale included. Recommended for backend and infrastructure engineers productizing agents in shared environments.