Claude Managed Agents is a pre-built, configurable agent harness that runs in managed infrastructure: instead of building your own agent loop, tool execution, and runtime, you get an environment where Claude can read files, run commands, and execute code securely, with a fresh container provisioned per session as the agent's workspace. That is exactly the shape a coding agent needs. This article walks through the pattern: repository access, test-run tooling, human review gates, and sandbox constraints.
managed-agents-2026-04-01 beta header, which the SDK sets automatically. On other platforms, see the fallback section below.Give the agent your repository
Sessions can attach a github_repository resource, which is cloned into the container before the agent starts. The clone is authorized with a fine-grained personal access token — Contents: Read to clone, Read and write if the agent should push branches. Importantly, that token never enters the container: git operations route through an Anthropic-side proxy that injects the credential after the request leaves the sandbox, so even a prompt-injected agent cannot read or exfiltrate it. Repositories are cached, so repeat sessions on the same repo start faster.
One documented boundary to plan around: the github_repository resource gives filesystem and git access only. If the agent should open pull requests, you additionally attach the GitHub MCP server.
Tools for editing and running tests
Enable the pre-built toolset agent_toolset_20260401 on the agent. It provides bash, read, write, edit, glob, and grep (plus web tools you can leave off for a coding agent) — everything needed to explore a codebase, apply changes, and run a test suite from the shell. The agent is a persistent, versioned resource: create it once, store the ID, and reference it from every session. Creating a new agent per run is the documented number-one anti-pattern.
from anthropic import AnthropicAWS # Claude Platform on AWS
client = AnthropicAWS() # AWS_REGION + ANTHROPIC_AWS_WORKSPACE_ID env vars
agent = client.beta.agents.create(
name="repo-fixer",
model="claude-opus-4-8",
system="Fix the failing tests. Run the suite before and after changes.",
tools=[{"type": "agent_toolset_20260401"}],
)
# Store agent.id; every run calls sessions.create() referencing it.
Review gates: two documented mechanisms
Tool confirmations. Server-executed tools accept a permission policy: always_allow (the default) or always_ask, which pauses the session in an idle state until your application sends a user.tool_confirmation event with allow or deny. Setting always_ask on bash or write turns every risky action into an approval step your reviewers see.
Outcomes. Sending a user.define_outcome event with a description and rubric turns the session into rubric-graded work: the harness runs an iterate → grade → revise loop, with a separate grader model scoring each iteration in an independent context window, until the rubric is satisfied or a maximum iteration count is hit (default 3, max 20). "All tests pass and the diff touches only files under src/" is a natural coding-agent rubric.
As a recommended practice beyond what the platform automates, keep a human merge gate: let the agent push a branch, and require your normal code review before anything lands on main.
Sandbox constraints
Cloud environments support two network policies: unrestricted, or limited — deny-by-default egress with explicit allowed_hosts and an allow_package_managers opt-in so builds can still fetch dependencies. A coding agent rarely needs open internet; start limited. Never place API keys in the system prompt or user messages as a workaround — they persist in the session's event history. Use vault credentials, which are injected by Anthropic-side proxies at egress and never enter the sandbox. Note that Managed Agents is stateful by design and not currently eligible for Zero Data Retention or HIPAA BAA coverage; confirm data-handling requirements with your compliance team.
If you are on Bedrock, Vertex AI, or Foundry
You can still build a coding agent — you just own the loop. The client-side bash and text editor tools are generally available on Bedrock and Vertex AI (beta on Foundry): Claude proposes commands and edits, and your application executes them. The official security guidance applies with force here: commands are untrusted model output, so run them in an isolated environment, use an allowlist of executables rather than a blocklist, set timeouts and resource limits, and log every command. Confine all file paths to a fixed project root.
Where to go next
Read Managed Agents sessions for the event-stream mechanics, scheduled and background agents to run this nightly, and versioned prompts for managing the agent's system prompt over time.