
Anthropic Sandbox Runtime

Anthropic Sandbox Runtime (srt) is Anthropic's open-source, OS-level sandbox for AI agents — Seatbelt on macOS, bubblewrap on Linux, plus a network proxy — that powers Claude Code's /sandbox sandboxed Bash tool. 4,388 stars, Apache-2.0, and the first-party entrant that pressures the entire local agent sandbox category.

Key takeaways

  • The first-party entrant: srt is the open-sourced isolation layer behind Claude Code's /sandbox sandboxed Bash tool, which Anthropic says cut permission prompts by 84% in internal testing
  • No containers required — it wraps processes in OS security primitives (Seatbelt/sandbox-exec on macOS, bubblewrap on Linux) plus an HTTP/SOCKS5 proxy that enforces a domain allowlist on all child processes
  • 4,388 GitHub stars and 320 forks in under eight months under an Apache-2.0 license — but it is explicitly a "Beta Research Preview" in an anthropic-experimental org, with 118 open issues and community PRs that developers report go unanswered
  • It already shapes the category: Fence's creator says his tool was "inspired by sandbox-runtime," and other developers fork srt to add the policy features it lacks

FAQ

What is Anthropic Sandbox Runtime?

Anthropic Sandbox Runtime (srt) is an open-source tool that enforces filesystem and network restrictions on arbitrary processes at the operating-system level — without a container — using Seatbelt on macOS, bubblewrap on Linux, and a proxy-based domain allowlist; it is the same isolation layer behind Claude Code's sandboxed Bash tool.

How much does Anthropic Sandbox Runtime cost?

It is free and open source under the Apache-2.0 license, installed via npm as @anthropic-ai/sandbox-runtime.

How does Anthropic Sandbox Runtime isolate processes?

A dual isolation model — filesystem reads default-allowed with deny rules, writes denied by default, and all network access denied unless a domain is allowlisted through its HTTP/SOCKS5 proxy — enforced by the OS on the wrapped process and every child process it spawns.

How is Anthropic Sandbox Runtime different from yolobox?

yolobox runs agents inside Docker containers with full sudo and protects you by not mounting your home directory, while srt needs no container at all — it applies kernel-level Seatbelt or bubblewrap policies plus proxy-based network filtering directly to the process on your machine.

Executive Summary

Anthropic Sandbox Runtime (srt) is Anthropic's answer to the local agent sandbox problem, released from the inside: "a lightweight sandboxing tool for enforcing filesystem and network restrictions on arbitrary processes at the OS level, without requiring a container."[1] On macOS it wraps processes with sandbox-exec and dynamically generated Seatbelt profiles; on Linux it uses bubblewrap with network namespace isolation; on both, an HTTP/SOCKS5 proxy running outside the sandbox enforces a domain allowlist on every child process.[1] It is the open-sourced core of Claude Code's /sandbox sandboxed Bash tool, which Anthropic's engineering team reports cut permission prompts by 84% in internal testing.[2][3]

That provenance is what makes srt the entrant that pressures the whole category. The third-party local sandbox wave — yolobox, Fence, nono, landrun — exists because agents shipped without OS-level containment; srt is the agent vendor shipping it first-party, open source, under Apache-2.0, and accumulating 4,388 stars and 320 forks in under eight months (created October 20, 2025).[1] The counterweight is its own labeling: it lives in the anthropic-experimental org, calls itself a "Beta Research Preview," carries 118 open issues, and developers report bug-fix PRs sitting without maintainer response.[1][4]

| Attribute | Value |
| --- | --- |
| Creator | Anthropic (anthropic-experimental GitHub org)[1] |
| Released | October 20, 2025, alongside the Claude Code sandboxing engineering post[1][2] |
| GitHub Stars | 4,388 (320 forks, 118 open issues) as of June 11, 2026[1] |
| License | Apache-2.0[1] |
| Language | TypeScript, distributed via npm as @anthropic-ai/sandbox-runtime[1] |
| Status | "Beta Research Preview"; latest release v0.0.54 (June 4, 2026), repo pushed June 11, 2026[1] |

Product Overview

srt does one thing: take an arbitrary command — an agent, an MCP server, a build script — and run it inside an OS-enforced boundary. Install with npm install -g @anthropic-ai/sandbox-runtime, configure policy in ~/.srt-settings.json, and wrap the process.[1] The permission model is asymmetric by design: filesystem reads follow a deny-then-allow pattern (allowed by default, with deny rules), filesystem writes follow an allow-only pattern (denied by default), and network access is allow-only — every domain must be explicitly permitted through the proxy.[1]
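The three rule sets behave differently, and that asymmetry is easy to misread. The Python below is an added example, not code from the sandbox-runtime project: it models the documented semantics (reads allowed unless denied, writes denied unless allowed, network allow-only) as three decision functions. The settings keys it uses (filesystem.denyRead, filesystem.allowWrite, filesystem.denyWrite, network.allowedDomains), the prefix-style path matching and the glob-style domain matching are assumptions chosen for illustration, not srt's actual schema or matcher. The last line also shows the default that the Cautions section returns to: with no denyRead rule, a private key under ~/.ssh is readable.

```python
"""Decision model for srt's asymmetric permission model.

Added example, not code from the sandbox-runtime project. The settings keys
(filesystem.denyRead / allowWrite / denyWrite, network.allowedDomains), the
prefix-style path matching and glob-style domain matching are assumptions
chosen to illustrate the documented semantics, not srt's real schema.
"""
import fnmatch
import os

# Constructed settings, shaped like a ~/.srt-settings.json might be (assumed key names).
SETTINGS = {
    "filesystem": {
        "denyRead": ["~/.ssh", "~/.aws/credentials"],
        "allowWrite": ["~/projects/demo", "/tmp"],
        "denyWrite": ["~/projects/demo/.git/hooks"],
    },
    "network": {"allowedDomains": ["github.com", "*.npmjs.org"]},
}

# Constructed "fresh install" settings: no read denials, no write or network allowances.
EMPTY_SETTINGS = {"filesystem": {}, "network": {}}


def _expand(path):
    return os.path.normpath(os.path.expanduser(path))


def _under(path, rule):
    """True when path equals rule or lies beneath it (assumed prefix semantics)."""
    path, rule = _expand(path), _expand(rule)
    return path == rule or path.startswith(rule.rstrip("/") + "/")


def decide_read(path, settings=SETTINGS):
    """Reads are allowed by default; only a matching denyRead rule blocks them."""
    return not any(_under(path, r) for r in settings["filesystem"].get("denyRead", []))


def decide_write(path, settings=SETTINGS):
    """Writes are denied by default; allowWrite opens a subtree, denyWrite re-closes part of it."""
    fs = settings["filesystem"]
    if any(_under(path, r) for r in fs.get("denyWrite", [])):
        return False
    return any(_under(path, r) for r in fs.get("allowWrite", []))


def decide_network(host, settings=SETTINGS):
    """Network is allow-only: the hostname must match an allowed domain.

    Mirrors the proxy's position: the decision uses the hostname the client
    supplied; nothing about the TLS session is inspected.
    """
    host = host.lower().rstrip(".")
    patterns = settings["network"].get("allowedDomains", [])
    return any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns)


def evaluate(requests, settings=SETTINGS):
    """Run (kind, target) requests through the model; returns {(kind, target): allowed}."""
    deciders = {"read": decide_read, "write": decide_write, "net": decide_network}
    return {(kind, target): deciders[kind](target, settings) for kind, target in requests}


if __name__ == "__main__":
    demo = [
        ("read", "~/projects/demo/src/main.py"),
        ("read", "~/.ssh/id_ed25519"),
        ("write", "~/projects/demo/src/main.py"),
        ("write", "~/projects/demo/.git/hooks/pre-commit"),
        ("write", "/etc/passwd"),
        ("net", "registry.npmjs.org"),
        ("net", "api.github.com"),
    ]
    for (kind, target), ok in evaluate(demo).items():
        print(f"{kind:5} {target:40} {'allow' if ok else 'deny'}")
    # With no denyRead rule at all the same key is readable: the default the profile warns about.
    print("fresh-install read of ~/.ssh/id_ed25519:", decide_read("~/.ssh/id_ed25519", EMPTY_SETTINGS))
```

Note that api.github.com is denied even though github.com is allowed: an exact entry covers only that host, and subdomains need their own wildcard entry, which is why allowlists written in a hurry tend to grow broader than intended.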

Most users encounter srt indirectly, through Claude Code. Running /sandbox in a session opens a panel for enabling the sandboxed Bash tool; in auto-allow mode, sandboxed commands run without permission prompts because the OS boundary — not a per-command approval — is the control.[3] The first time a command needs a new network domain, Claude Code prompts; commands that cannot run sandboxed fall back to the regular permission flow.[3]

Key Capabilities

| Capability | Description |
| --- | --- |
| Container-free isolation | OS primitives directly on the process: Seatbelt/sandbox-exec (macOS), bubblewrap (Linux)[1] |
| Proxy-based network filtering | HTTP and SOCKS5 proxies enforce domain allowlists/denylists outside the sandbox[1] |
| Child-process coverage | Restrictions apply to all scripts, programs, and subprocesses a command spawns[3] |
| Dual isolation model | Filesystem and network restrictions both required for effective sandboxing[1] |
| Seccomp filter (Linux) | Optional Unix-domain-socket blocking, installed via the npm package[3] |
| Self-protection | Claude Code's sandbox denies writes to its own settings.json at every scope[3] |

Product Surfaces

| Surface | Description | Availability |
| --- | --- | --- |
| srt CLI / npm package | Sandbox arbitrary commands, agents, and MCP servers | Beta Research Preview[1] |
| Claude Code /sandbox | Built-in sandboxed Bash tool with auto-allow and regular modes | GA in Claude Code on macOS, Linux, WSL2[3] |
| Managed settings | Org-wide enforcement: failIfUnavailable, allowUnsandboxedCommands: false, managed domain lockdown | GA in Claude Code[3] |

Technical Architecture

The architecture is deliberately not a container. On macOS, srt generates Seatbelt profiles dynamically and applies them via the built-in sandbox-exec — nothing to install.[1][3] On Linux and WSL2 it requires two packages, bubblewrap (unprivileged filesystem isolation) and socat (relaying traffic to the sandbox proxy); native Windows is not supported.[3] Network filtering happens in a proxy outside the boundary, which makes its allow decision from the client-supplied hostname and does not terminate or inspect TLS — a documented design trade-off with real consequences (see Cautions).[3]

Anthropic's engineering post frames the dual requirement bluntly: "Without network isolation, a compromised agent could exfiltrate sensitive files like SSH keys; without filesystem isolation, a compromised agent could easily escape the sandbox."[2]

Key Technical Details

| Aspect | Detail |
| --- | --- |
| Deployment | Local CLI via npm (@anthropic-ai/sandbox-runtime); embedded in Claude Code[1][3] |
| Isolation | Seatbelt (macOS), bubblewrap + network namespaces (Linux/WSL2); no container, no root[1] |
| Network | External HTTP/SOCKS5 proxy with domain allowlist; custom-proxy hook for TLS-inspecting setups[1][3] |
| Defaults | Reads allowed (deny rules available), writes denied, network denied[1] |
| Open Source | Apache-2.0, TypeScript, v0.0.54 (June 4, 2026)[1] |

Strengths

  • First-party legitimacy — this is the agent vendor sandboxing its own agent, with the design rationale published and the runtime open-sourced "to encourage industry-wide adoption of agent security practices."[2]
  • Measured prompt reduction — the 84% drop in permission prompts (internal testing) is the clearest articulation yet that sandboxing is an autonomy feature, not just a safety feature: the boundary replaces approval fatigue.[2][3]
  • No container tax — OS primitives mean no Docker daemon, no image builds, no shared-kernel container semantics; on macOS there is nothing to install at all.[1][3]
  • Child-process and subprocess coverage — the OS enforces the boundary on everything a command spawns, so npm, terraform, and arbitrary scripts inherit the same restrictions regardless of what the model chose to run.[3]
  • Real category traction — 4,388 stars and 320 forks in under eight months, plus enterprise-grade enforcement hooks (managed settings, strict sandbox mode) already shipped in Claude Code.[1][3]

Cautions

  • "Experimental" is load-bearing — the repo lives in anthropic-experimental, self-describes as a Beta Research Preview whose APIs may evolve, and has 118 open issues against a v0.0.x version line.[1]
  • Network filtering is bypassable by design — the proxy does not inspect TLS, so the docs warn that domain fronting can reach hosts outside the allowlist, and a public issue demonstrates data exfiltration via DNS resolution (e.g., an iodine DNS tunnel).[3][5]
  • Defaults leave credentials readable — default read access covers the entire computer, including ~/.aws/credentials and ~/.ssh/, unless you add explicit denyRead rules; reads are denylist-only, not allowlist.[3][6]
  • Day-one escape reports and an escape hatch — a developer reported opening a bypass issue "on day 1 of the release," and Claude Code's default behavior lets the model retry failed commands outside the sandbox (gated by a prompt) unless strict mode is set.[7][3]
  • Maintenance responsiveness is a known complaint — community members report bug-fix PRs going weeks without response, and a long-standing Linux bug littering repo roots with empty files.[4][8]
  • Weaker modes dilute guarantees — enableWeakerNestedSandbox (for Docker environments without privileged namespaces) "considerably weakens security," and Apple Events support weakens code-execution isolation on macOS.[3][1]
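Several of these cautions are configuration hygiene rather than architectural limits, so a team adopting srt can check for them before trusting a sandbox. The Python linter below is an added example, not the sandbox-runtime project's own tooling. It assumes the settings keys filesystem.denyRead, network.allowedDomains and a top-level enableWeakerNestedSandbox, and prefix-style deny matching; the credential locations beyond ~/.ssh and ~/.aws/credentials are a constructed list, and the check for a bare "*" wildcard is the example's own reasoning about what would collapse an allow-only network model into allow-all.

```python
"""Lint an srt-style settings file for the weak defaults described in the Cautions list.

Added example, not the sandbox-runtime project's code. The key names
(filesystem.denyRead, network.allowedDomains, enableWeakerNestedSandbox) and
prefix-style rule matching are assumptions for illustration.
"""
import json
import os

# Credential locations: the two the profile names plus common neighbours (constructed list).
CREDENTIAL_PATHS = [
    "~/.ssh",
    "~/.aws/credentials",
    "~/.config/gcloud",
    "~/.netrc",
    "~/.npmrc",
]


def _expand(path):
    return os.path.normpath(os.path.expanduser(path))


def _covered(path, rules):
    """True when some rule equals path or is an ancestor of it (assumed prefix semantics)."""
    path = _expand(path)
    for rule in rules:
        rule = _expand(rule)
        if path == rule or path.startswith(rule.rstrip("/") + "/"):
            return True
    return False


def audit_settings(settings):
    """Return a list of (severity, message) findings; an empty list means nothing was flagged."""
    findings = []
    deny_read = settings.get("filesystem", {}).get("denyRead", [])
    # Reads are allowed by default, so every credential path needs an explicit denyRead rule.
    for cred in CREDENTIAL_PATHS:
        if not _covered(cred, deny_read):
            findings.append(("high", f"{cred} is readable: reads are allowed by default and no denyRead rule covers it"))
    # The weaker nested mode is documented as considerably weakening security.
    if settings.get("enableWeakerNestedSandbox"):
        findings.append(("high", "enableWeakerNestedSandbox is set; documented as considerably weakening security"))
    allowed = settings.get("network", {}).get("allowedDomains", [])
    if any(p.strip() == "*" for p in allowed):
        findings.append(("high", "allowedDomains contains '*', which turns the allow-only network model into allow-all"))
    elif not allowed:
        findings.append(("info", "allowedDomains is empty: all outbound network access is denied (the secure default)"))
    return findings


def audit_file(path):
    """Load a JSON settings file from disk and audit it."""
    with open(path) as fh:
        return audit_settings(json.load(fh))


# Constructed samples: a minimal config that only grants writes and one domain, and a hardened one.
SAMPLE_WEAK = {
    "filesystem": {"allowWrite": ["."]},
    "network": {"allowedDomains": ["github.com"]},
}
SAMPLE_HARDENED = {
    "filesystem": {"denyRead": CREDENTIAL_PATHS, "allowWrite": ["."]},
    "network": {"allowedDomains": ["github.com", "*.npmjs.org"]},
}

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name)
        for sev, msg in audit_settings(cfg) or [("ok", "no findings")]:
            print(f"  [{sev}] {msg}")
```

Run it against a real file with audit_file(os.path.expanduser("~/.srt-settings.json")); a denyRead entry for a parent directory (for example the whole home directory) counts as covering everything beneath it, which is the deny-by-prefix behaviour the example assumes.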

What Developers Say

Community discussion is spread across many HN threads rather than one big launch thread — the original Show-style submission drew only a handful of points, but srt resurfaces constantly in sandboxing discussions as the reference implementation.[9]

"I think this will result in more people using Claude Code in a Sandbox, which should improve safety all around." — an HN commenter on the launch thread[9]

"FYI the sandbox feature is not fully baked and does not seem to be high priority." — caspar on Hacker News[8]

"Not the cleanest tool, but the paradigm is a big upgrade to previous AI coding." — pveierland on Hacker News, on the empty-file pollution bug[10]

"Yes, Fence was inspired by sandbox-runtime. Both use the same underlying OS primitives (sandbox-exec on macOS, bubblewrap on Linux) and proxy-based network filtering." — jy-tan, creator of Fence[11]

"Anthropic's tool only supports read blacklist, not a whitelist, so I forked it yesterday to support that." — carderne on Hacker News[6]

The pattern across threads: developers treat srt as the right paradigm and the canonical reference, while criticizing its execution maturity — unfixed bugs, unanswered PRs, and policy gaps that third-party tools and forks fill.[4][11]


Pricing & Licensing

| Tier | Price | Includes |
| --- | --- | --- |
| Open source | Free | Full runtime via npm (@anthropic-ai/sandbox-runtime), Apache-2.0[1] |
| Via Claude Code | Included in Claude Code | /sandbox sandboxed Bash, managed-settings enforcement (Claude Code itself requires a paid Claude plan or API usage)[3] |

Licensing model: Apache-2.0 open source; no commercial tier, no hosted offering.[1]

Hidden costs: the price is operational — it is a research preview with no support guarantees, evolving APIs, and a threat model that requires you to write denyRead rules for credentials and, for stronger network guarantees, supply your own TLS-inspecting proxy.[1][3]


Competitive Positioning

Direct Competitors

| Competitor | Differentiation |
| --- | --- |
| Fence | Explicitly inspired by srt and built on the same primitives (sandbox-exec, bubblewrap, proxy filtering), adding controls srt lacks — command deny rules and SSH command filtering[11] |
| nono | Independent capability-based sandbox using Landlock on Linux and Seatbelt on macOS; third-party and policy-first where srt is first-party and Claude Code-first |
| yolobox | Container-based rather than OS-primitive: agents get full sudo inside Docker/Podman while the home directory is simply not mounted; srt needs no container runtime at all |
| landrun | Linux-only kernel-level Landlock wrapper, lighter than bubblewrap but with no macOS story and no network proxy layer |
| Codex built-in sandbox | OpenAI's first-party equivalent — bubblewrap/Seatbelt scoped to Codex, just as srt's polish flows primarily to Claude Code |

When to Choose Anthropic Sandbox Runtime Over Alternatives

  • Choose srt when: you use Claude Code (you already have it — turn on /sandbox), or you want the first-party reference implementation of OS-level agent sandboxing as a library for your own agents and MCP servers.
  • Choose Fence when: you want srt's architecture plus command-level deny rules and SSH filtering from a tool whose only job is standalone sandboxing.
  • Choose nono when: you want capability-style, deny-by-default policies (including default-blocked credentials) independent of any agent vendor.
  • Choose yolobox when: you prefer the simplicity of a disposable container with full sudo over per-path OS policy tuning.

Ideal Customer Profile

Best fit:

  • Claude Code users who want autonomous Bash execution without approval fatigue — the 84% prompt-reduction case[2]
  • Platform teams embedding an OS-level boundary around agents or MCP servers without adopting a container stack
  • Organizations standardizing on Claude Code that need centrally enforced sandboxing via managed settings[3]

Poor fit:

  • Security teams needing a hard isolation boundary today — the docs themselves say sandboxing "is not a complete isolation boundary," and the network layer is bypassable via domain fronting and DNS tunneling[3][5]
  • Native Windows environments (WSL2 only)[3]
  • Teams that need read allowlists, command-level rules, or responsive upstream maintenance — today that means Fence, nono, or a fork[6][11]

Viability Assessment

| Factor | Assessment |
| --- | --- |
| Financial Health | Not a revenue product — sustained by Anthropic as Claude Code security infrastructure, the strongest possible sponsor for the category[2] |
| Market Position | The de facto reference implementation; competitors define themselves against it[11] |
| Innovation Pace | Steady but unglamorous — v0.0.54 by June 2026, repo pushed the day of this profile; still pre-1.0[1] |
| Community/Ecosystem | 4,388 stars and 320 forks, but 118 open issues and recurring complaints about unanswered PRs[1][4] |
| Long-term Outlook | Strong as a paradigm, uncertain as a standalone project — its polish flows to Claude Code first, and "experimental" status means no API stability promise[1][3] |

The asymmetry to understand: srt-the-feature (Claude Code's /sandbox) gets first-class docs, managed-settings enforcement, and an engineering-blog spotlight, while srt-the-repo gets experimental branding and a maintenance cadence the community finds wanting.[3][8] Anthropic's incentive is to make Claude Code safe, not to win the standalone sandbox-tool market — which is exactly why the standalone tools keep existing.


Bottom Line

Anthropic Sandbox Runtime is the most consequential project in local agent sandboxing — not because it is the best standalone tool (it arguably is not), but because it made OS-level sandboxing the default expectation by shipping it inside the most popular coding agent and publishing the architecture under Apache-2.0. If you use Claude Code, enabling /sandbox is close to free safety with a measured 84% reduction in prompts. If you are choosing a standalone sandbox, srt is the reference point everything else improves on — and tools like Fence and nono exist precisely to close its policy and maintenance gaps.

Recommended for: Claude Code users (enable it), and teams that want the first-party, container-free reference architecture for sandboxing agents and MCP servers.

Not recommended for: anyone needing a hard security boundary against a determined adversary (TLS-blind proxy, DNS exfiltration, readable credentials by default), native Windows users, or teams that need responsive upstream maintenance on the standalone tool.

Outlook: Watch for three signals — a move out of anthropic-experimental with API stability promises, TLS-aware network isolation (which the docs call "an active area of development"), and whether community PRs start landing. Any of these would convert srt from category-pressuring reference into category-winning product.[3][1]


Research by Ry Walker Research