Sandbox Runtime (srt) patterns for running Claude with filesystem/network restrictions. Use when setting up sandboxed autonomous Claude sessions, DX testing, or CI/CD integration with constrained dangerous mode.
Runs Claude in sandboxed environments with filesystem and network restrictions for safe autonomous execution.
/plugin marketplace add rbergman/dark-matter-marketplace
/plugin install rbergman-dm-work-plugins-workflow@rbergman/dark-matter-marketplace
This skill inherits all available tools. When active, it can use any tool Claude has access to.
srt is a lightweight OS-level sandbox for restricting filesystem and network access without containers.
Use cases:
--dangerously-skip-permissions safely

```bash
npm install -g @anthropic-ai/sandbox-runtime
```
| Platform | Mechanism |
|---|---|
| macOS | sandbox-exec with dynamic profiles |
| Linux | bubblewrap with network namespaces |
Access model:
srt uses JSON config files (default: ~/.srt-settings.json or -s <path>).
```json
{
  "network": {
    "allowedDomains": ["api.anthropic.com", "github.com"],
    "deniedDomains": []
  },
  "filesystem": {
    "denyRead": ["~/.ssh", "~/.gnupg", "~/.aws/credentials"],
    "allowWrite": [".", "/tmp"],
    "denyWrite": []
  }
}
```
Rust development:

```json
"allowedDomains": [
  "api.anthropic.com",
  "crates.io", "*.crates.io", "static.crates.io", "index.crates.io",
  "github.com", "*.github.com",
  "static.rust-lang.org",
  "*.cloudfront.net"
]
```

Go development:

```json
"allowedDomains": [
  "api.anthropic.com",
  "proxy.golang.org", "sum.golang.org", "storage.googleapis.com",
  "github.com", "*.github.com",
  "gopkg.in"
]
```

Node/TypeScript development:

```json
"allowedDomains": [
  "api.anthropic.com",
  "registry.npmjs.org", "*.npmjs.org",
  "github.com", "*.github.com"
]
```

With MCP services (Context7, Brightdata):

```json
"allowedDomains": [
  "api.anthropic.com",
  "context7.com", "*.context7.com",
  "brightdata.com", "*.brightdata.com"
]
```
For sandboxed Claude runs, disable state writes:
```bash
claude --dangerously-skip-permissions \
  --no-session-persistence \
  --strict-mcp-config --mcp-config '{"mcpServers":{}}'
```

| Flag | Purpose |
|---|---|
| --dangerously-skip-permissions | No permission prompts (srt handles safety) |
| --no-session-persistence | Don't write to ~/.claude.json |
| --strict-mcp-config --mcp-config '{...}' | No MCP servers (avoids log writes to ~/Library/Caches/) |
Why disable MCP? Claude writes MCP logs to ~/Library/Caches/claude-cli-nodejs/. Sandboxing this requires broad write access, so it is simpler to disable MCP for autonomous runs.
.srt.json

For a Rust project:

```json
{
  "network": {
    "allowedDomains": [
      "api.anthropic.com",
      "crates.io", "*.crates.io", "static.crates.io", "index.crates.io",
      "github.com", "*.github.com",
      "static.rust-lang.org", "*.cloudfront.net"
    ]
  },
  "filesystem": {
    "denyRead": ["~/.ssh", "~/.gnupg", "~/.aws/credentials"],
    "allowWrite": [
      ".",
      "~/.cargo/registry",
      "~/.cargo/git",
      "/tmp"
    ]
  }
}
```
For stress-testing skills in /tmp:
```json
{
  "network": {
    "allowedDomains": [
      "api.anthropic.com",
      "crates.io", "*.crates.io", "github.com", "*.github.com",
      "registry.npmjs.org", "proxy.golang.org"
    ]
  },
  "filesystem": {
    "denyRead": ["~/.ssh", "~/.gnupg"],
    "allowWrite": [
      "/tmp",
      "~/.cargo/registry", "~/.cargo/git",
      "~/.npm", "~/.cache/go-build"
    ]
  }
}
```
```bash
srt -s .srt.json -c 'claude --dangerously-skip-permissions \
  --no-session-persistence \
  --strict-mcp-config --mcp-config "{\"mcpServers\":{}}" \
  -p "Build and test the project, report any issues"'
```

```bash
srt -s /tmp/dx-test.srt.json -c 'claude --dangerously-skip-permissions \
  --no-session-persistence \
  --strict-mcp-config --mcp-config "{\"mcpServers\":{}}" \
  -p "Create a Rust CLI in /tmp/test-project following rust-pro patterns.
Report any toolchain friction or missing patterns."'
```
Add these recipes to a project's justfile for convenient access:
```just
# Interactive Claude session
ai:
    claude

# Autonomous Claude (sandboxed, no prompts)
ai-auto:
    srt -s .srt.json -c 'claude --dangerously-skip-permissions --no-session-persistence --strict-mcp-config --mcp-config "{\"mcpServers\":{}}"'
```
Note: This is an optional pattern. Only add if the project needs autonomous Claude runs.
| Limitation | Impact |
|---|---|
| Domain fronting | Broad allowlists (github.com) have exfiltration surface |
| Linux monitoring | No violation alerts (macOS has real-time notifications) |
| Proxy bypass | Apps ignoring env vars can bypass network filtering |
| MCP disabled | No Context7, Brightdata, etc. in sandboxed runs |
For MCP in the sandbox, you'd need to allow writes to ~/Library/Caches/claude-cli-nodejs/ and add the MCP endpoints to the network allowlist.
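The allowlist and write-scope caveats above can be checked before a run. This is an added example, not part of srt or the original skill: `lintSrtConfig`, the `SHARED_HOSTS` list and the finding names are hypothetical, and paths are treated as POSIX because srt targets macOS and Linux.

```javascript
// Added example: lint an srt settings object before an autonomous run.
// SHARED_HOSTS and the rule names are assumptions, not srt behaviour.
const SHARED_HOSTS = ["github.com", "cloudfront.net", "googleapis.com"];
// Credential paths that the page's own configs list under denyRead.
const SECRET_PATHS = ["~/.ssh", "~/.gnupg", "~/.aws/credentials"];

// Resolve "~", relative segments and ".." to an absolute POSIX path.
function resolvePath(p, home, cwd) {
  if (p === "~" || p.startsWith("~/")) p = home + p.slice(1);
  if (!p.startsWith("/")) p = cwd + "/" + p;
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "..") out.pop();
    else if (seg && seg !== ".") out.push(seg);
  }
  return "/" + out.join("/");
}

// True when `child` equals `parent` or lies beneath it.
const within = (child, parent) =>
  parent === "/" || child === parent || child.startsWith(parent + "/");

function lintSrtConfig(cfg, home = process.env.HOME, cwd = process.cwd()) {
  const abs = (p) => resolvePath(p, home, cwd);
  const domains = cfg.network?.allowedDomains ?? [];
  const denyRead = (cfg.filesystem?.denyRead ?? []).map(abs);
  const allowWrite = (cfg.filesystem?.allowWrite ?? []).map(abs);
  const findings = [];

  for (const d of domains) {
    const base = d.replace(/^\*\./, "");
    // Hosts serving third-party content double as an exfiltration channel.
    if (SHARED_HOSTS.some((h) => base === h || base.endsWith("." + h)))
      findings.push(`shared-host:${d}`);
    else if (d.startsWith("*.")) findings.push(`wildcard:${d}`);
  }
  for (const s of SECRET_PATHS) {
    if (!denyRead.some((r) => within(abs(s), r)))
      findings.push(`secret-readable:${s}`);
    if (allowWrite.some((w) => within(abs(s), w)))
      findings.push(`secret-writable:${s}`);
  }
  // A writable root that contains $HOME makes every dotfile writable.
  for (const w of allowWrite)
    if (within(abs("~"), w)) findings.push(`home-writable:${w}`);
  return findings;
}
```

A `shared-host` finding does not mean the entry must go; it marks the domains where the "Domain fronting" limitation applies so the allowlist can be kept as narrow as the toolchain permits.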
Check what path is being blocked:
~/.claude.json → Add --no-session-persistence
~/Library/Caches/claude-cli-nodejs/ → Disable MCP or allow writes
allowWrite

```bash
srt -d -s .srt.json -c 'your-command'
```

Shows sandbox profile and violations.

```bash
srt -s .srt.json -c 'touch /path/to/test && echo "write ok"'
```
```bash
# Install
npm install -g @anthropic-ai/sandbox-runtime

# Run sandboxed command
srt -s config.json -c 'command'

# Run sandboxed Claude (stateless)
srt -s .srt.json -c 'claude --dangerously-skip-permissions \
  --no-session-persistence \
  --strict-mcp-config --mcp-config "{\"mcpServers\":{}}" \
  -p "prompt"'

# Debug mode
srt -d -s config.json -c 'command'
```