frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

The Evolution of the Interface

https://www.asktog.com/columns/038MacUITrends.html
1•dhruv3006•18s ago•0 comments

Azure: Virtual network routing appliance overview

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-routing-appliance-overview
1•mariuz•31s ago•0 comments

Seedance2 – multi-shot AI video generation

https://www.genstory.app/story-template/seedance2-ai-story-generator
1•RyanMu•4m ago•1 comments

Πfs – The Data-Free Filesystem

https://github.com/philipl/pifs
1•ravenical•7m ago•0 comments

Go-busybox: A sandboxable port of busybox for AI agents

https://github.com/rcarmo/go-busybox
1•rcarmo•8m ago•0 comments

Quantization-Aware Distillation for NVFP4 Inference Accuracy Recovery [pdf]

https://research.nvidia.com/labs/nemotron/files/NVFP4-QAD-Report.pdf
1•gmays•8m ago•0 comments

xAI Merger Poses Bigger Threat to OpenAI, Anthropic

https://www.bloomberg.com/news/newsletters/2026-02-03/musk-s-xai-merger-poses-bigger-threat-to-op...
1•andsoitis•9m ago•0 comments

Atlas Airborne (Boston Dynamics and RAI Institute) [video]

https://www.youtube.com/watch?v=UNorxwlZlFk
1•lysace•10m ago•0 comments

Zen Tools

http://postmake.io/zen-list
1•Malfunction92•12m ago•0 comments

Is the Detachment in the Room? – Agents, Cruelty, and Empathy

https://hailey.at/posts/3mear2n7v3k2r
1•carnevalem•12m ago•0 comments

The purpose of Continuous Integration is to fail

https://blog.nix-ci.com/post/2026-02-05_the-purpose-of-ci-is-to-fail
1•zdw•14m ago•0 comments

Apfelstrudel: Live coding music environment with AI agent chat

https://github.com/rcarmo/apfelstrudel
1•rcarmo•15m ago•0 comments

What Is Stoicism?

https://stoacentral.com/guides/what-is-stoicism
3•0xmattf•16m ago•0 comments

What happens when a neighborhood is built around a farm

https://grist.org/cities/what-happens-when-a-neighborhood-is-built-around-a-farm/
1•Brajeshwar•16m ago•0 comments

Every major galaxy is speeding away from the Milky Way, except one

https://www.livescience.com/space/cosmology/every-major-galaxy-is-speeding-away-from-the-milky-wa...
2•Brajeshwar•16m ago•0 comments

Extreme Inequality Presages the Revolt Against It

https://www.noemamag.com/extreme-inequality-presages-the-revolt-against-it/
2•Brajeshwar•16m ago•0 comments

There's no such thing as "tech" (Ten years later)

1•dtjb•17m ago•0 comments

What Really Killed Flash Player: A Six-Year Campaign of Deliberate Platform Work

https://medium.com/@aglaforge/what-really-killed-flash-player-a-six-year-campaign-of-deliberate-p...
1•jbegley•18m ago•0 comments

Ask HN: Anyone orchestrating multiple AI coding agents in parallel?

1•buildingwdavid•19m ago•0 comments

Show HN: Knowledge-Bank

https://github.com/gabrywu-public/knowledge-bank
1•gabrywu•25m ago•0 comments

Show HN: The Codeverse Hub Linux

https://github.com/TheCodeVerseHub/CodeVerseLinuxDistro
3•sinisterMage•26m ago•2 comments

Take a trip to Japan's Dododo Land, the most irritating place on Earth

https://soranews24.com/2026/02/07/take-a-trip-to-japans-dododo-land-the-most-irritating-place-on-...
2•zdw•26m ago•0 comments

British drivers over 70 to face eye tests every three years

https://www.bbc.com/news/articles/c205nxy0p31o
37•bookofjoe•26m ago•12 comments

BookTalk: A Reading Companion That Captures Your Voice

https://github.com/bramses/BookTalk
1•_bramses•27m ago•0 comments

Is AI "good" yet? – tracking HN's sentiment on AI coding

https://www.is-ai-good-yet.com/#home
3•ilyaizen•28m ago•1 comments

Show HN: Amdb – Tree-sitter based memory for AI agents (Rust)

https://github.com/BETAER-08/amdb
1•try_betaer•29m ago•0 comments

OpenClaw Partners with VirusTotal for Skill Security

https://openclaw.ai/blog/virustotal-partnership
2•anhxuan•29m ago•0 comments

Show HN: Seedance 2.0 Release

https://seedancy2.com/
2•funnycoding•29m ago•0 comments

Leisure Suit Larry's Al Lowe on model trains, funny deaths and Disney

https://spillhistorie.no/2026/02/06/interview-with-sierra-veteran-al-lowe/
1•thelok•29m ago•0 comments

Towards Self-Driving Codebases

https://cursor.com/blog/self-driving-codebases
1•edwinarbus•30m ago•0 comments
Open in hackernews

Show HN: Fence – Sandbox CLI commands with network/filesystem restrictions

https://github.com/Use-Tusk/fence
78•jy-tan•2w ago
Hi HN!

Fence wraps any command in a sandbox that blocks network by default and restricts filesystem writes. Useful for running semi-trusted code (package installs, build scripts, unfamiliar repos) with controlled side effects, or even just blocking tools that phone home.

> fence curl https://example.com # -> blocked

> fence -t code -- npm install # -> template with registries allowed

> fence -m -- npm install # -> monitor mode: see what gets blocked

One use-case is to use it with AI coding agents to reduce the risk of running agents with fewer interactive permission prompts:

> fence -t code -- claude --dangerously-skip-permissions

You can import existing Claude Code permissions with `fence import --claude`.

Fence uses OS-native sandboxing (macOS sandbox-exec, Linux bubblewrap) + local HTTP/SOCKS proxies for domain filtering.

Why I built this: I work on Tusk Drift, a system to record and replay real traffic as API tests (https://github.com/Use-Tusk/tusk-drift-cli). I needed a way to sandbox the service under test during replays to block localhost outbound connections (Postgres, Redis) and force the app to use mocks instead of real services. I quickly realized that this could be a general purpose tool that would also be useful as a permission manager across CLI agents.

Limitations: Not strong containment against malware. Proxy-based filtering requires programs to respect `HTTP_PROXY`.

Curious if others have run into similar needs, and happy to answer any questions!

Comments

Marceltan•2w ago
Nice, this was helpful for us internally. Good call on allowing importing of existing .claude/settings.json, makes my life easier on personal projects.
uwemaurer•2w ago
I like it. Is it also possible to block all filesystem access and only allow certain directories / files?

Currently it seems to allow read access by default and only allows to block some paths with with "denyRead"

jy-tan•2w ago
Yes, currently writes are deny-by-default, but reads are allow-by-default.

The challenge is that most programs need read access to system paths (/lib, /usr, /etc, /proc) just to run. A pure "deny all reads" mode would require users to figure out every dependency, which might be painful.

That said, a middle-ground would be reasonable, perhaps something like "defaultDenyRead: true" that blocks home/cwd/etc but still allows essential system paths, then lets you opt-in with "allowRead".

Curious what is your use case that makes deny-by-default reads more helpful? Either way, will file this as an issue.

_pktm_•2w ago
Thank you for sharing. Why do you say that it’s not strong protection against malware? Seems like it might be pretty handy there, at least with respect to untrusted code.
jy-tan•2w ago
Fair point, it does raise the bar! The distinction I'm drawing is between "semi-trusted" and "actively malicious".

Fence handles well supply-chain scripts that phone home, tools that write broadly across your filesystem, accidental secret leakage, the "opportunistic" stuff that makes up most real-world supply chain incidents.

I hedge on malware because: (1) Domain filtering relies on programs respecting HTTP_PROXY, and malware could ignore it (though direct connections are blocked at the OS level, so they'd fail rather than succeed), (2) OS sandboxes (sandbox-exec, bubblewrap) aren't VM-level isolation and I believe determined attackers could exploit kernel bugs, (3) there are no resource limits or content inspection.

The threat model is really "reduce blast radius from code you're running anyway". For a stronger containment boundary you'd want a proper VM.

More thoughts in the security model doc (https://github.com/Use-Tusk/fence/blob/main/docs/security-mo...) if you're curious!

kxbnb•2w ago
Nice work on Fence! The network/filesystem restriction approach is exactly what's needed for running untrusted commands safely.

We're working on similar containment problems but at the API/MCP layer at keypost.ai - enforcing what outbound calls an agent can make rather than what local filesystem/network it can access. The two layers complement each other well.

The "restrictions as code" pattern is powerful. Are you thinking about extending to other resource types (API calls, token budgets, etc.)?

jy-tan•2w ago
Thanks! And yeah, these are complementary layers. Fence is at the OS/network boundary, while API-level policies (endpoints, parameters, token budgets) need something that actually understands the protocols.

I think Fence should stay a thin wrapper around OS primitives (sandbox-exec, bubblewrap, Landlock), so not much beyond what it does today. The one extension that probably makes sense is basic resource limits (CPU, memory, fork bombs, etc). But API semantics and MCP tool restrictions belong in a different layer.

gregpr07•1w ago
Wow this is really cool
will_wright•1w ago
pretty close to anthropic’s version, yes? or am I mistaken

https://github.com/anthropic-experimental/sandbox-runtime

mellosouls•1w ago
That's acknowledged in the readme though I don't know if there is a comparison

https://github.com/Use-Tusk/fence?tab=readme-ov-file#attribu...

jy-tan•1w ago
Hey! Yes, Fence was inspired by sandbox-runtime. Both use the same underlying OS primitives (sandbox-exec on macOS, bubblewrap on Linux) and proxy-based network filtering.

Fence adds additional controls on top of what is available on sandbox-runtime:

- Command deny rules

- SSH command filtering

- Port exposure for inbound connections (useful for running dev servers inside the sandbox). This is a key reason why I decided to create Fence - because https://github.com/Use-Tusk/tusk-drift-cli spins up users’ services locally for trace replays and Fence helps to block unintended localhost outbound connections.

- Built-in templates for common developer workflows

- Better ergonomics for violation monitoring (`fence -m` gives you real-time violation logging on both macOS and Linux via eBPF, vs sandbox-runtime where Linux requires manual strace)

In summary, Fence layers extra permission-management features for wrapping popular CLI agents. If you just need filesystem + network isolation and you're in the Node ecosystem, sandbox-runtime is great. If you want command blocking, SSH filtering, inbound port exposure, or a standalone Go binary, Fence adds that.

foresto•1w ago
Can fence wrap applications that do their namespace-based sandboxing?

This could allow finer control than the application's own sandbox offers. For example, Flatpak apps run in bubblewrap containers with all-or-nothing network permissions. Being able to restrict access by domain name would be useful.

jy-tan•1w ago
Unfortunately nested bubblewrap sandboxes don't work.

When you run `fence flatpak run <app>`, Fence creates a bwrap sandbox with its own user namespace, Flatpak then tries to create another user namespace inside, so you'd get something like `bwrap: setting up uid map: Permission denied`.

The outer sandbox doesn't grant the capability for nested namespace creation (otherwise it would defeat much of the security), so Fence can't wrap Flatpak (or similar namespace-based sandbox tools) in a useful way. Ideally you'd need something at the network level outside any sandbox.

That said, open to suggestions if anyone knows of a feasible solution.

foresto•1w ago
Steam creates its pressure-vessel containers using namespaces, and there is a Steam flatpak, which I think was made possible by some work a few years ago specifically for the purpose of nesting. I don't know if that work applied to flatpak, bubblewrap, or both. It might be worth investigating.

https://gitlab.steamos.cloud/steamrt/steam-runtime-tools/-/t...

https://github.com/flathub/com.valvesoftware.Steam

luckman212•1w ago
Is there anything like this for macOS?
jy-tan•1w ago
Fence works on macOS and Linux (the install script works for both platforms). I'll make that clearer in the README.
netcoyote•1w ago
- https://github.com/webcoyote/sandvault: sandboxes AI agents in a MacOS limited user account, and also uses sandbox-exec to limit access, though fence has more strict limitations

- https://github.com/webcoyote/clodpod: sandboxes AI agents in a MacOS virtual machine

Note: I’m the author of both of these Apache open-source projects

vivzkestrel•1w ago
- can i run user submitted untrusted code in this? and can it do a pip install if user wants or an npm install?
jy-tan•1w ago
Yes, Fence is designed for exactly this, the built-in `code` template already allowlists npm and PyPI registries:

``` fence -t code pip install requests fence -t code npm install express ```

This restricts writes to workspace + cache dirs, blocks reading credentials, limits network to allowlisted domains, and blocks dangerous commands (`rm -rf`, `npm publish`, etc).

vivzkestrel•1w ago
thank you for the response,

- how would you go about deploying this on an aws ecosystem? ec2 server? lambda? fargate?

- basically i want to run untrusted user code for many programming languages inside a sandbox and i am looking for solutions to do so

- need to be able to install libraries from pip, npm, cargo , just about any programming language's package manager

jy-tan•1w ago
You can just install Fence in your deployed service (see the installation instructions in the README), then wrap the user command/script with `fence -t code <command>`. It will probably work fine in an EC2 instance but I'm not very sure about Fargate/ECS/Lambda.

The `code` template already allowlists npm, PyPI, crates.io, and Go modules, easy to extend for others by adding to allowedDomains in your config.

whinvik•1w ago
Thanks. I was sure someone was going to make this sooner rather than later and this one seems relatively easy to configure.

I got tired of setting individual allow lists for each CLI, hopefully now I can run them all in Yolo mode while fence does the centralized sandboxing.

jy-tan•1w ago
Awesome, give it a spin and let me know if you have any feedback!