Subagent Isolation
also known as Worktree Subagent, Parallel Subagent, Isolated Worker
Run subagents in isolated workspaces so their writes do not collide and parallelism is safe.
This pattern helps complete certain larger patterns —
- specialisesOrchestrator-Workers★★— An orchestrator dynamically breaks a task into subtasks at runtime and delegates each to a worker LLM, then synthesises results.
- used-byClone Fan-Out Research·— Spawn 100 or more identical, full-capability agent instances in parallel — each a complete general agent rather than a role-specialised worker — and aggregate their independent outputs into a single answer.
Context
A coding agent — or any agent that edits files, runs commands, or mutates a workspace — delegates to several sub-agents that should work in parallel. Each sub-agent has its own bounded task: one refactors a module, another updates tests, a third writes documentation. They all want to touch the same repository at the same time.
Problem
If the sub-agents share one working directory, their edits race each other: one sub-agent's commit clobbers another's uncommitted changes, two sub-agents edit the same file with incompatible diffs, and a failure in one leaves the workspace in a state that breaks the others. Serialising them removes the parallelism that was the point of spawning sub-agents in the first place. Without isolated workspaces, the team has to choose between racing writes and giving up on parallel execution.
Forces
- Isolation has setup cost (new worktree, branch, container).
- Reconciling work back to the main workspace is its own problem.
- Excessive isolation prevents subagents from seeing each other's progress when that would help.
Example
A research agent is asked to write a market report. Instead of doing every sub-task in its main loop, it spawns three sub-agents in parallel: one to research competitors, one to pull pricing data, one to summarise news. Each sub-agent has its own tool set and step budget. The main agent only sees the three structured results that come back, not the dozens of intermediate web searches each sub-agent ran.
Diagram
Solution
Therefore:
Each subagent runs in its own workspace (git worktree, container, branch, sandbox). The supervisor reconciles results back to the main workspace on completion (merge, cherry-pick, replay). Only one workspace can land changes at a time.
What this pattern forbids. Subagents may only write to their own isolated workspace; cross-workspace writes are forbidden.
The smaller patterns that complete this one —
- generalisesLLM Map-Reduce Isolation★— Process each untrusted document in its own sealed sub-agent and merge only structured outputs, so an injection in one document cannot steer the processing of others.
And the patterns that stand alongside it, or against it —
- composes-withSandbox Isolation★★— Run agent-emitted code or actions in a contained environment with restricted filesystem, network, and process privileges.
- composes-withLLMCompiler·— Take ReWOO's plan-as-DAG and run independent steps in parallel through a task-fetching dispatcher.
- complementsAgent-as-Tool Embedding★— Wrap a sub-agent (with its own loop, prompt, and tool palette) behind a single function-shaped tool signature, so the parent agent calls it like any other tool and never sees the sub-agent's internal turns.
- complementsUnbounded Subagent Spawn✕— Anti-pattern: a supervisor or orchestrator spawns sub-agents that can themselves spawn sub-agents without a global cap.
- alternative-toCascading Agent Failures✕— Anti-pattern: build a multi-agent system where one agent's failure or hallucination propagates as input to peers, until the whole system has drifted.
- alternative-toMemory Extraction Attack✕— Anti-pattern: let any session prompt the agent to read out, summarise, or paraphrase long-term memory entries belonging to other users, prior sessions, or system state, with no read-time isolation by principal.
Neighbourhood
Click any neighbour to follow the language. Scroll to zoom, drag to pan.
Used in recipes
Used in frameworks
- Sparrot
A subagent runtime spawns bounded child agents for delegable work (deeper passes, isolated investigations) and returns their result to the main loop without merging their context…
- LangGraph
Subgraphs scope state per inner graph; isolation is achieved by giving the subgraph a different state schema (no shared keys) or by transforming state between parent and child.
- Claude Code
Each subagent runs in its own context window with custom prompt, tool access, and permissions.
- Azure AI Foundry Agent Service
Hosted agents run in per-session VM-isolated sandboxes; sessions are isolated from each other. Code Interpreter sessions are isolated by a Hyper-V boundary in Azure Container Apps…
- Cline
Coordinator + specialist agents, each with own tools and context; Plan/Act modes preserve context history when switching.
- AutoGen
Implicit via Actor model in Core — each agent runs inside an agent runtime that manages lifecycles and enforces security boundaries. No first-class context-isolation API specifica…
- OpenHands
Sub-Agent Delegation is a documented SDK primitive — parallel work with independent contexts; consolidated results returned to main agent.
- Claude Agent SDK
Each subagent runs in its own fresh conversation; intermediate tool calls/results stay inside and only the final message returns to the parent. Subagents cannot spawn subagents.
- OpenAI Agents SDK
Handoffs transfer control rather than spawn an isolated subagent; the delegated agent receives the conversation history (optionally reshaped via input_filter). Nested handoffs are…
- Agent Development Kit (ADK)
sub_agents trees give an LlmAgent named children it can delegate to with automatic return-to-parent behaviour after each task; ADK does not document a hard context-isolation bound…
Show 9 more
- Devin
Managed Devins: each subagent runs in its own isolated VM with its own terminal, browser, dev environment; the main session coordinates.
- Manus
Wide Research sub-agents are full-capability general-purpose Manus instances, each with its own dedicated context window. Sandboxes also isolate tasks from each other at the VM le…
- GitHub Copilot Coding Agent
Each task spins up its own ephemeral dev container, isolated from other tasks and from the user's machine.
- Goose
Subagents handle tasks in parallel with isolated file scopes per agent.
- Cursor
Background/Cloud Agents run in their own VMs; parallel without local machine. Still 'limited' — VM isolation not the same as named per-task subagent primitive.
- Pochi
Parallel Agents pattern: each task runs in its own git worktree, isolated state.
- smolagents
Managed agents are supported but Approach-1 sandboxing (per-snippet executor_type=e2b/blaxel/modal/docker) doesn't cover multi-agents; full multi-agent isolation requires running…
- Roo Code
Mode-as-subagent gives prompt+tool isolation: each mode (Code, Architect, Debug, Ask) has its own prompt and toolset; no full process-level isolation.
- Trae
Trae IDE markets @Agent + MCP as multi-agent collaboration, with a dedicated @Agent blog ('Rules + Tools to Define Your Future Agents'). Specific isolation guarantees per sub-agen…
References
Provenance
- Source: patterns/subagent-isolation.md on GitHub · commit
4fa1213· view history - Added to catalog:
- Last updated:
- Contribute: open an issue or PR at github.com/agentpatternscatalog/patterns.