Every MCP server you run locally executes with your full filesystem and network permissions. That means the GitHub MCP server, the Slack one, that third-party tool you installed from npm last week — all of them can read your SSH keys, .env files, and credential stores by default.

Anthropic just open-sourced the fix: sandbox-runtime, the sandboxing layer they built for Claude Code. One-line wrap, no Docker, OS-level enforcement.

What actually changed

srt (the Sandbox Runtime CLI) enforces filesystem and network restrictions on any process using native OS primitives:

macOS: Uses sandbox-exec with dynamically generated Seatbelt profiles
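The macOS mechanism named above, as an added illustration rather than srt's own code: a small shell helper that generates a Seatbelt (SBPL) profile for a tool process and runs the process under sandbox-exec. It assumes the tool needs its project checkout writable, temp space, and outbound HTTPS, and that ~/.ssh, ~/.aws, ~/.gnupg and any .env file must stay unreadable; the profile shape is my own, not the one srt emits.

```shell
#!/bin/sh
# Hypothetical helper, not part of srt: build a Seatbelt profile dynamically
# from the caller's environment, then enforce it with sandbox-exec.
# Rule order matters: Seatbelt applies the last matching rule, so the broad
# allow comes first and the credential denies come last.

# Usage: seatbelt_profile PROJECT_DIR > profile.sb
seatbelt_profile() {
  project_dir="$1"
  home="${HOME:-/nonexistent}"
  cat <<EOF
(version 1)
(allow default)
; Writes: confined to the checkout and temp space.
(deny file-write*)
(allow file-write* (subpath "$project_dir"))
(allow file-write* (subpath "/private/tmp"))
(allow file-write* (subpath "/tmp"))
; Network: outbound HTTPS only; no listeners, no plaintext ports.
(deny network*)
(allow network-outbound (remote ip "*:443"))
; Credential material: unreadable and unwritable, whatever the tool intends.
(deny file-read* file-write* (subpath "$home/.ssh"))
(deny file-read* file-write* (subpath "$home/.aws"))
(deny file-read* file-write* (subpath "$home/.gnupg"))
(deny file-read* file-write* (regex #"/\\.env(\\.[^/]+)?\$"))
EOF
}

# Usage: sandboxed PROJECT_DIR COMMAND [ARGS...]
# Wraps one process; child processes inherit the same restrictions.
sandboxed() {
  project_dir="$1"; shift
  profile=$(mktemp) || return 1
  seatbelt_profile "$project_dir" > "$profile"
  sandbox-exec -f "$profile" "$@"
  status=$?
  rm -f "$profile"
  return $status
}

# Example (macOS only): run an npm-installed MCP server under the profile.
# sandboxed "$PWD" npx some-mcp-server
```

With the profile in place, a read of ~/.ssh/id_ed25519 by the wrapped tool fails with "Operation not permitted" at the kernel boundary, which is the observable check that the sandbox is actually applied.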