Hi HN!

I built ChronoGuard, an open-source zero-trust proxy that provides network-enforced authorization for browser automation.

## The Problem

If you're running Playwright, Puppeteer, or Selenium agents at scale (CI/CD, K8s, VM fleets), you face two challenges:

  1. **Access control**: How do you ensure agents only access approved domains?
  2. **Auditability**: How do you prove WHEN and WHERE your automation accessed external resources?

Traditional approaches (SDK restrictions, code reviews, monitoring) are bypassable or lack temporal proof. Auditors and compliance teams want cryptographically verifiable, tamper-proof logs.

## The Solution

ChronoGuard is a mandatory forward proxy that sits between your agents and the internet. Every request flows through:

  Agent → Envoy (mTLS) → OPA (policy check) → Target Domain
                  ↓
           Immutable Audit Log (hash-chained, time-series)

*Key features:* - mTLS authentication for agent identity verification - Domain allowlists/blocklists with time-window restrictions - Cryptographic hash chains for audit log integrity - OPA integration for policy-as-code - Multi-tenant isolation - 96%+ test coverage

## Try It Now

Zero setup needed - just click: [](https://codespaces.new/j-raghavan/ChronoGuard?quickstart=1)

Or run locally: ```bash git clone https://github.com/j-raghavan/chronoguard cd chronoguard ./scripts/generate_secrets.sh docker compose up -d ```

  Dashboard: http://localhost:3000
  API docs: http://localhost:8000/docs

Architecture

Built with Domain-Driven Design + Clean Architecture: - 6 services: Envoy proxy, OPA policy engine, FastAPI backend, React dashboard, PostgreSQL+TimescaleDB, Redis - Tech stack: Python 3.11+, FastAPI, Envoy, Open Policy Agent, TimescaleDB - Deployment: Docker Compose (MVP), Kubernetes ready (roadmap)

Use Cases

  - E-commerce competitive intelligence
  - Fintech market research
  - Healthcare data operations (HIPAA compliance)
  - QA/testing providers with audit requirements
  - Any org running browser agents with compliance obligations

What's Next

  This is v0.1.0 MVP. I'm looking for feedback on:
  - Real-world use cases I haven't considered
  - Integration pain points with existing automation stacks
  - Feature priorities (WebSocket streaming, gRPC, advanced rate limiting)

Contributing

  The project follows strict quality standards (95%+ test coverage requirement,
  DRY principles, mypy + ruff). Looking for contributors interested in:
  - Security testing and threat modeling
  - Kubernetes/Helm deployment
  - Performance optimization
  - Client SDKs (Python, JS, Go)

  GitHub: https://github.com/j-raghavan/ChronoGuard
  License: Apache 2.0

Happy to answer questions about the architecture, design decisions, or roadmap!

Best Regards!