← Back to Papers
March 2026 · Jordaaan Hill · 8 min read

The Agent Infrastructure Stack

How Four Open-Source Projects Define the Future of Managed AI Services
The AI agent ecosystem has silently converged on a layered infrastructure stack. Four projects from four companies — a payments giant, a tech conglomerate, its AI research division, and a crypto exchange — independently arrived at the same architecture. This paper maps the stack and identifies the infrastructure gap that determines which agents make it to production.
Stripe Minions OpenSandbox Qwen-Agent x402 MCP Infrastructure

1. The Stack Is Forming

The AI agent ecosystem has silently converged on a layered infrastructure stack. Four projects from four different companies — a payments giant, two divisions of a Chinese tech conglomerate, and a crypto exchange — independently arrived at the same architecture. None of them coordinated. None of them needed to. The problems they solved are structural, and structural problems produce convergent solutions.

Stripe built one-shot coding agents that merge 1,000+ pull requests per week with zero human-written code. Alibaba built a general-purpose sandbox for agent-executed code. Alibaba's Qwen team built an agent framework with native MCP support. Coinbase built an HTTP 402 protocol that lets agents pay other agents.

Each project solves one layer. Together, they define the stack.

+---------------------------------------------+
|          AGENT COMMERCE                      |
|   Autonomous payments between agents         |
+---------------------------------------------+
|       AGENT ORCHESTRATION                    |
|   Multi-agent coordination and execution     |
+---------------------------------------------+
|        AGENT FRAMEWORK                       |
|   Capabilities, tools, reasoning loops       |
+---------------------------------------------+
|       RUNTIME ISOLATION                      |
|   Sandboxed execution environments           |
+---------------------------------------------+
|        SECURITY LAYER                        |
|   Behavioral analysis and threat detection   |
+---------------------------------------------+
|     MANAGED INFRASTRUCTURE                   |
|   Deploy, monitor, secure, maintain          |
+---------------------------------------------+

Every layer above the bottom two exists as open-source software, available today. The security and managed infrastructure layers below — the ones that deploy, monitor, secure, and maintain the whole stack on real hardware — are what separates a GitHub repository from a production service.

2. Layer 1: Runtime Isolation

The foundational problem in agent infrastructure is containment. Agents execute arbitrary code. They call external APIs. They read and write files. They interact with databases. Without isolation, every agent is a potential security breach running at machine velocity.

Alibaba's OpenSandbox project addresses this directly, providing a general-purpose sandbox with multiple runtime backends ranging from standard containers to hardware-level microVMs. Each backend trades off between isolation strength, startup latency, and resource overhead.

The security model is defense-in-depth: ephemeral containers with defined lifecycles, secure runtimes that intercept system calls, network egress controls, resource quotas, and filesystem namespacing. No persistent state leaks between agent executions.

Key Principle

The isolation layer must be framework-agnostic. The framework layer changes faster than the security requirements underneath it. Multi-language SDK support means that regardless of which agent framework sits above, the isolation layer speaks the same API.

Why This Matters

You cannot offer production agent infrastructure without isolation guarantees. When a customer's marketing agent has access to their CRM, email, and financial data, the execution environment must prevent data exfiltration, lateral movement, and resource exhaustion. The isolation patterns are well-established. What remains is deploying and maintaining them on real customer infrastructure — with behavioral monitoring layered on top for the threats that containers alone cannot catch.

3. Layer 2: Agent Frameworks

Above isolation sits the agent framework — the layer that gives agents their capabilities. Qwen-Agent is representative of this layer, alongside LangChain, CrewAI, AutoGen, and thousands of others. Every framework converges toward the same three abstraction levels.

Atomic: Models and tools. An LLM with access to external capabilities — the minimum viable agent.

Agent: Composed from atomic components with reasoning loops, memory, and planning. Multi-step execution with tool selection.

Application: Purpose-built agents with domain-specific tools and workflows. A customer support assistant, a code review agent, a financial analysis bot.

40K+Agent Platforms Available
1M+Token Context Windows
400+MCP-Connected Tools

The most consequential capability at this layer is native MCP integration. The Model Context Protocol standardizes how agents connect to external tools, creating interoperability across the entire framework landscape.

The Framework Paradox

Here is the critical insight for infrastructure providers: framework choice matters less than the infrastructure underneath. There are 40,000+ agent platforms available today. The framework is replaceable. The isolation, monitoring, observability, security, and compliance layers beneath it are not.

A framework-agnostic infrastructure approach means the observability layer does not care which framework generated the logs. The security layer does not care which framework executed the suspicious behavior. Customers choose their framework. Infrastructure providers build what goes underneath all of them.

4. Layer 3: Agent Orchestration

Stripe's Minions project provides the most compelling production validation of agent orchestration at scale. Over 1,000 pull requests merged per week, with zero human-written code. This is not a research project. This is a production system serving 10,000+ engineers.

Patterns That Transfer

Three orchestration patterns from Stripe's architecture are universally applicable:

  • One-shot execution: Agents complete tasks in a single pass with staged feedback. No iterative conversation. This constraint forces better first-pass quality.
  • Deterministic interleaving: Agent loops alternate between LLM reasoning and deterministic code execution. The LLM decides what to do; deterministic processes ensure it was done correctly.
  • Bounded iteration: Hard limits on retry cycles prevent the endless iteration loop that degrades agent quality over time.
Insight

Stripe does not let agents iterate endlessly. Hard limits on CI rounds force better first-pass quality. Constraints produce better outcomes than unlimited resources. This principle applies equally to enterprise agent deployments — the same bounded execution model that works for 10,000 engineers works for 10-person teams.

Minions connects to over 400 tools via MCP Toolshed. The pattern is directly transferable: instead of 400 internal Stripe tools, a managed deployment might expose hundreds of business integrations, CRM APIs, and department-specific tools. The orchestration architecture is identical; only the tool catalog changes.

5. Layer 4: Agent Commerce

The top layer is the most forward-looking: agent-to-agent commerce. Coinbase's x402 protocol repurposes HTTP status code 402 — Payment Required — as the standard mechanism for agents to pay other agents for services.

The protocol is network and token agnostic, supporting both crypto and fiat settlement. It turns every API endpoint into a paywall that agents can navigate autonomously. Combined with agent discovery protocols, this creates a machine-to-machine services economy.

Insight

Agents that can discover AND pay each other create service ecosystems that humans never need to broker. This transforms the economics of managed services: agents will purchase services from other agents, creating transaction flows that require monitoring, auditing, and fraud detection at the infrastructure layer.

Agent commerce is nascent, but the protocol is simple and the SDKs are production-quality. Early infrastructure support for agent payments creates competitive advantage as this ecosystem matures. Every financial transaction an agent initiates must be monitored for anomalous patterns — and that monitoring is an infrastructure concern, not a framework feature.

6. The Missing Layer

Every layer described above exists as open-source software. You can clone the repositories today. None of them address the operational questions that determine production viability:

  • Who deploys this stack on customer hardware and keeps it running?
  • Who monitors it around the clock when an agent starts behaving anomalously?
  • Who handles compliance documentation and audit preparation?
  • Who manages the observability layer when usage patterns shift?
  • Who provisions hardware, configures networking, and handles secure remote access?
  • Who rotates API keys before they expire and applies security patches?
6–12hHardware to Production
400+MCP Tools Connectable
24/7Behavioral Monitoring

The managed infrastructure layer is what transforms open-source repositories into a production service. The software is free. The expertise to operate it is not.

This model has clear precedent. Red Hat built a multi-billion dollar business managing Linux. Databricks built on Apache Spark. Confluent built on Apache Kafka. The pattern repeats: open-source software creates the market, managed services capture the value.

The open-source nature of every layer is a feature, not a constraint. Full code auditability for compliance teams. No vendor lock-in for customers. Transparency that accelerates enterprise sales cycles.

7. Conclusion: The Infrastructure Layer Wins

Software commoditizes. Infrastructure persists.

Whether Qwen-Agent, LangChain, or something not yet built becomes the dominant framework, it will need the same infrastructure underneath: isolation, monitoring, security, compliance, hardware management, and observability.

The four projects analyzed in this paper independently validate that the stack is forming. Each layer is stabilizing around clear technical patterns. The runtime isolation problem is solved. The framework layer is mature. The orchestration patterns are production-proven at scale. The commerce protocol is defined.

What remains is the managed infrastructure layer. The layer that deploys this stack on real hardware in real offices for real teams. The layer that monitors it, secures it, maintains it, and makes it someone else's problem.

The framework is a line item in the configuration. The infrastructure is the business.

Ready to discuss how this stack applies to your infrastructure?

Schedule a Consultation

References

  1. Stripe Engineering. "Minions: Stripe's One-Shot End-to-End Coding Agents." stripe.dev/blog/minions, 2026.
  2. Alibaba Group. "OpenSandbox: General-Purpose Sandbox for AI Agents." github.com/alibaba/OpenSandbox, 2025.
  3. QwenLM. "Qwen-Agent: Agent Framework with MCP Support." github.com/QwenLM/Qwen-Agent, 2025.
  4. Coinbase. "x402: HTTP 402 Payment Protocol for Agent Commerce." github.com/coinbase/x402, 2025.
  5. Hill, Jordaaan and McNamara, Colin. "The Infrastructure Playbook." Organized AI Papers, March 2026.
  6. Hill, Jordaaan and McNamara, Colin. "Edge Compute Economics." Organized AI Papers, March 2026.

Continue Reading

Enter your email to unlock the full paper — runtime isolation, orchestration patterns, agent commerce, and the managed infrastructure thesis.

We'll send you updates on new papers. No spam. Unsubscribe anytime.