Most attempts to sandbox an AI agent reach for a container, then pay for it in startup time, image management, and a boundary the agent can still reason around. srt takes the opposite route: it leans on isolation primitives the operating system already ships, giving you process-level confinement you can wrap around any command without a runtime to deploy.
The core idea is a dual model where filesystem and network are both locked down by default, and you explicitly poke holes only where a process genuinely needs access. That secure-by-default stance is what makes it practical for the messy reality of MCP servers, which often want broad disk and network reach you'd rather not grant blindly.
What Sets It Apart
- Native enforcement, no container. macOS uses
sandbox-execwith generated Seatbelt profiles, Linux uses bubblewrap with network namespaces, and Windows (alpha) uses the Windows Filtering Platform plus ACL stamping — isolation rides on the OS rather than a runtime you ship. - Network as a first-class control. HTTP and SOCKS5 proxy servers let you allow traffic per host/domain instead of all-or-nothing, with seccomp BPF on Linux policing Unix-socket IPC.
- Asymmetric read vs. write defaults. Reads are deny-then-allow (open by default), writes are allow-only (closed by default) — the opposite precedence lets you carve readable windows inside blocked regions and protected regions inside writable ones.
- Real-time violation alerts. You see what a process tried to touch, turning "did the agent misbehave?" into an observable signal rather than a guess.
Who It's For
Great fit if you run MCP servers or autonomous agents and want a lightweight, per-process leash without standing up container infrastructure. Look elsewhere if you need full VM-grade isolation, work primarily on Windows today (support is still alpha), or want a turnkey GUI — this is a developer-facing primitive you compose into your own tooling.