Execution memory for AI agents. Markdown in, markdown out. Each turn runs in its own microVM and writes back to a context store the next turn reads. Turn three knows what turns one and two did.
A turn executor sits below agent frameworks, above the runtime. Three properties make it a category, not a feature: a context store that compounds, per-sandbox isolation end-to-end, a substrate you can run yourself.
Every turn writes artifacts back to the context store. Turn three reads what turns one and two produced. Sessions accumulate.
# turn 1 — discover $ upstream run discover.md ⤷ found auth.rs:47 — JWT expiry not checked # turn 3 — fix (uses turns 1, 2) $ upstream run fix.md PASS all tests green
Each turn runs in its own microVM. Per-session encryption between caller and sandbox; the gateway routes ciphertext only. Every session is a crypto domain.
# what the platform never sees ▸ session traffic → ciphertext only ▸ memory & disk → inside the VM ▸ the turn next door → cannot reach in
No proprietary control plane. No SaaS in the hot path. Run it on someone else's metal, or stand it up on your own.
# what's yours ▸ control plane → in your cluster ▸ data plane → in your network ▸ source → in your repo
A session is a tree, not a line. Branch from any frame: run alternatives in parallel, replay from a known-good turn, merge the winner back into main.
A cloud sandbox solves "rent a VM by the second." A CI runner solves "execute this YAML on every commit." Neither carries memory across runs. Neither treats agents as a first-class audience.
| upstream | cloud sandbox | CI runner | agent framework | |
|---|---|---|---|---|
| unit of work | turn · markdown in / out | session · long-lived VM | job · pipeline DAG | graph node · tool call |
| context across runs | ● typed context store | ○ in-VM only | ◐ caches | ◐ checkpoint store |
| self-hosted | ● yours to deploy | ○ SaaS | ● yes | ● library |
| isolation | microVM · per-session E2E | microVM | container | in-process |
| audience | agents first · humans second | humans · SDK | humans · git push | callers · imports |
Most code this decade will be written by agents. Most pull requests, opened by agents. Most builds, triggered by agents talking to agents.
Every layer of the stack today was built for humans. SDKs with auto-generated clients. YAML pipelines with editor extensions. Web dashboards with charts. None of it fits the audience taking over.
A turn executor is what the layer looks like when you start from "the agent is the customer."
"CI already solved sequential sandboxed execution. The turn executor adds memory."
The unit of work changes. From session to turn. From workflow to conversation between processes. The audience changes. From engineer reading a status badge to agent reading a markdown receipt.
When the unit and audience change, the substrate changes. Markdown, not YAML. End-to-end per-sandbox, not shared tenancy. Context that compounds, not logs that disappear. Receipts another agent can read.