AIAny
AI Infra2025
Icon for item

Anthropic Sandbox Runtime (srt)

Enforces filesystem and network limits on arbitrary processes at the OS level, no container required. Uses macOS Seatbelt, Linux bubblewrap, and the Windows Filtering Platform; built to sandbox MCP servers and AI agents under a secure-by-default model.

Introduction

Most attempts to sandbox an AI agent reach for a container, then pay for it in startup time, image management, and a boundary the agent can still reason around. srt takes the opposite route: it leans on isolation primitives the operating system already ships, giving you process-level confinement you can wrap around any command without a runtime to deploy.

The core idea is a dual model where filesystem and network are both locked down by default, and you explicitly poke holes only where a process genuinely needs access. That secure-by-default stance is what makes it practical for the messy reality of MCP servers, which often want broad disk and network reach you'd rather not grant blindly.

What Sets It Apart
  • Native enforcement, no container. macOS uses sandbox-exec with generated Seatbelt profiles, Linux uses bubblewrap with network namespaces, and Windows (alpha) uses the Windows Filtering Platform plus ACL stamping — isolation rides on the OS rather than a runtime you ship.
  • Network as a first-class control. HTTP and SOCKS5 proxy servers let you allow traffic per host/domain instead of all-or-nothing, with seccomp BPF on Linux policing Unix-socket IPC.
  • Asymmetric read vs. write defaults. Reads are deny-then-allow (open by default), writes are allow-only (closed by default) — the opposite precedence lets you carve readable windows inside blocked regions and protected regions inside writable ones.
  • Real-time violation alerts. You see what a process tried to touch, turning "did the agent misbehave?" into an observable signal rather than a guess.
Who It's For

Great fit if you run MCP servers or autonomous agents and want a lightweight, per-process leash without standing up container infrastructure. Look elsewhere if you need full VM-grade isolation, work primarily on Windows today (support is still alpha), or want a turnkey GUI — this is a developer-facing primitive you compose into your own tooling.

Information

  • Websitegithub.com
  • OrganizationsAnthropic
  • AuthorsAnthropic (anthropic-experimental)
  • Published date2025/10/20

Categories

More Items

Enables RL post-training with million-token prompts under a fixed GPU budget by evaluating shared prompt state without autograd, retaining only minimal model state, and replaying short response branches; instantiated as GRPO and demonstrated on Qwen3.6-27B and GLM-5.2 up to multi-million token execution.

GitHub
AI Infra2026

Defines OpenTelemetry semantic conventions for generative AI telemetry — spans, metrics, and events for GenAI clients, the Model Context Protocol (MCP), and provider-specific integrations. Includes YAML models, human-readable docs, and reference implementations to standardize observability across GenAI deployments.

GitHub
AI Infra2024

Provides a lightweight build platform for HIP and ROCm that supports building ROCm, PyTorch, and JAX from source, multi-architecture nightly releases, and integrated CI/CD and developer tooling for Linux and Windows.