— the turn executor · a new layer in the agent stack

The turn
is the primitive.

Execution memory for AI agents. Markdown in, markdown out. Each turn runs in its own microVM and writes back to a context store the next turn reads. Turn three knows what turns one and two did.

every turn isolated
dedicated microVM
sub-second start
warm pool
end-to-end encrypted
gateway sees ciphertext
state across turns
context store
— 01 features  /  the three things

Three properties, together.

A turn executor sits below agent frameworks, above the runtime. Three properties make it a category, not a feature: a context store that compounds, per-sandbox isolation end-to-end, a substrate you can run yourself.

— 01 / context

Context that compounds

Every turn writes artifacts back to the context store. Turn three reads what turns one and two produced. Sessions accumulate.

# clone-as-context
turn 1sb_a7f3 ← claude /research turn 2sb_b4d1 = sb_a7f3.clone() inheritedworkspace · env · stdout
— 02 / isolation

Per-sandbox, end-to-end

Each turn runs in its own microVM. Per-session encryption between caller and sandbox; the gateway routes ciphertext only. Every session is a crypto domain.

# what the gateway never sees
execend-to-end encrypted diskinside the microVM peerscannot reach in
— 03 / substrate

Yours to run

No proprietary control plane. No SaaS in the hot path. Run it on someone else's metal, or stand it up on your own.

# self-hosted by design
runtimeFirecracker microVMs controlK8s + warm pool depsno managed services
— 02 the turn  /  branchable · replayable · merged

Fork from any turn.

A session is a tree, not a line. Branch from any frame: run alternatives in parallel, replay from a known-good turn, merge the winner back into main.

main fix/auth explore/oauth head · turn-10 14 turns branched from turn-6 branched from turn-9
— 03 compare  /  what it isn't

Not a sandbox.
Not a CI.

A cloud sandbox solves "rent a VM by the second." A CI runner solves "execute this YAML on every commit." Neither carries memory across runs. Neither treats agents as a first-class audience.

upstream cloud sandbox CI runner agent framework
unit of work turn · markdown in / out session · long-lived VM job · pipeline DAG graph node · tool call
context across runs typed context store in-VM only caches checkpoint store
self-hosted yours to deploy SaaS yes library
isolation microVM · per-session E2E microVM container in-process
audience agents first · humans second humans · SDK humans · git push callers · imports
— 04 thesis  /  why this exists

The agent is the user.

Most code this decade will be written by agents. Most pull requests, opened by agents. Most builds, triggered by agents talking to agents.

Every layer of the stack today was built for humans. SDKs with auto-generated clients. YAML pipelines with editor extensions. Web dashboards with charts. None of it fits the audience taking over.

A turn executor is what the layer looks like when you start from "the agent is the customer."

"CI already solved sequential sandboxed execution. The turn executor adds memory."

The unit of work changes. From session to turn. From workflow to conversation between processes. The audience changes. From engineer reading a status badge to agent reading a markdown receipt.

When the unit and audience change, the substrate changes. Markdown, not YAML. End-to-end per-sandbox, not shared tenancy. Context that compounds, not logs that disappear. Receipts another agent can read.

Markdown in,
markdown out.
That's the whole API.