
Anthropic Sandbox Runtime (srt)

Anthropic Sandbox Runtime (srt) is a lightweight OS-level sandboxing tool that enforces filesystem and network restrictions on arbitrary processes without requiring full containers. It uses native primitives (sandbox-exec on macOS, bubblewrap on Linux) and proxy-based network filtering to limit what processes — including AI agents or MCP servers — can read, write, or connect to.

Introduction


Anthropic Sandbox Runtime (srt) is an open-source, lightweight sandboxing toolkit created to enforce filesystem and network restrictions at the OS level for arbitrary processes, without needing a full container runtime. It was developed as a beta research preview for use with Claude Code to improve the safety of agentic workflows and is provided to the community to help build safer AI agents by default.

Key technical features:

  • OS-native enforcement: on macOS, srt generates Seatbelt profiles and applies them with sandbox-exec; on Linux it uses bubblewrap with carefully chosen bind mounts and namespace controls.
  • Network filtering via proxies: all outbound network traffic is mediated by host-side HTTP/SOCKS proxies that enforce domain allowlists/denylists (allow-only default). On Linux the sandbox removes the network namespace and uses Unix domain sockets to route traffic through host proxies; on macOS the Seatbelt profile restricts connections to specific localhost ports.
  • Fine-grained filesystem controls: read restrictions follow a deny-only pattern (reads allowed by default except explicitly denied paths), while write restrictions follow an allow-only pattern (writes denied by default except allowed paths). The runtime supports path patterns (glob-like on macOS) and performs additional scanning on Linux to locate sensitive files within allowed write trees.
  • Unix socket and seccomp support (Linux): precompiled seccomp BPF filters and helper binaries are included to block creation of AF_UNIX sockets at the syscall level, preventing certain IPC-based escape paths on supported architectures (x64, arm64).
  • Violation monitoring: on macOS, srt taps into the system sandbox violation log for real-time alerts; on Linux, users can manually run strace-based tracing to observe operations denied with EPERM.
  • Secure-by-default and safety-oriented UX: ships with mandatory deny paths for common sensitive files (e.g., shell config, git hooks) and is designed to make it easy to run MCP servers, agent components, or arbitrary commands with minimal privileges.

Usage scenarios and integration:

  • Sandboxing MCP servers and other local model-related services so they cannot exfiltrate secrets or reach arbitrary network endpoints.
  • Running untrusted or third-party tools invoked by agents (e.g., shell commands, language tooling) with strict filesystem and network policies.
  • Development and research tools for agent safety—e.g., enabling safe autonomous behaviors inside Claude Code or other agent platforms.

Developer ergonomics:

  • Available as both a CLI (srt) and a library export (TypeScript) so it can wrap commands or be embedded into tooling.
  • Configuration is stored (by default) at ~/.srt-settings.json; supports per-command ignore lists and platform-specific options.
  • Includes helper scripts and prebuilt seccomp assets to reduce runtime dependencies; Linux users need bubblewrap, socat, and optionally ripgrep for best results.

Limitations and security notes:

  • Network policy is domain-based and enforced at the proxy layer; programs that ignore proxy environment variables may be unable to connect or may bypass filtering in some edge cases.
  • Linux enforcement has some platform-specific caveats (e.g., mandatory-deny paths only affect existing files due to bind-mount semantics). The enableWeakerNestedSandbox mode reduces security to enable nested use in Docker.
  • Care is required when allowing unix sockets (e.g., /var/run/docker.sock) or broad write access, since these can enable privilege escalation or host access.

Anthropic released the project as an early research preview to help the ecosystem prototype safer agent runtimes; APIs and configuration formats may evolve as feedback is collected.

Information

  • Website: github.com
  • Authors: Anthropic, anthropic-experimental (GitHub)
  • Published date: 2025/10/20
