frontpage.

Show HN: ChronoGuard–Zero-trust proxy for browser automation with temporal ctrls

https://github.com/j-raghavan/ChronoGuard

2•j-raghavan•2mo ago

Hi HN!

I built ChronoGuard, an open-source zero-trust proxy that provides network-enforced authorization for browser automation.

## The Problem

If you're running Playwright, Puppeteer, or Selenium agents at scale (CI/CD, K8s, VM fleets), you face two challenges:

  1. **Access control**: How do you ensure agents only access approved domains?
  2. **Auditability**: How do you prove WHEN and WHERE your automation accessed external resources?

Traditional approaches (SDK restrictions, code reviews, monitoring) are bypassable or lack temporal proof. Auditors and compliance teams want cryptographically verifiable, tamper-proof logs.

## The Solution

ChronoGuard is a mandatory forward proxy that sits between your agents and the internet. Every request flows through:

  Agent → Envoy (mTLS) → OPA (policy check) → Target Domain
                  ↓
           Immutable Audit Log (hash-chained, time-series)

*Key features:* - mTLS authentication for agent identity verification - Domain allowlists/blocklists with time-window restrictions - Cryptographic hash chains for audit log integrity - OPA integration for policy-as-code - Multi-tenant isolation - 96%+ test coverage

## Try It Now

Zero setup needed - just click: [![Open in Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/j-raghavan/ChronoGuard?quickstart=1)

Or run locally: ```bash git clone https://github.com/j-raghavan/chronoguard cd chronoguard ./scripts/generate_secrets.sh docker compose up -d ```

  Dashboard: http://localhost:3000
  API docs: http://localhost:8000/docs

Architecture

Built with Domain-Driven Design + Clean Architecture: - 6 services: Envoy proxy, OPA policy engine, FastAPI backend, React dashboard, PostgreSQL+TimescaleDB, Redis - Tech stack: Python 3.11+, FastAPI, Envoy, Open Policy Agent, TimescaleDB - Deployment: Docker Compose (MVP), Kubernetes ready (roadmap)

Use Cases

  - E-commerce competitive intelligence
  - Fintech market research
  - Healthcare data operations (HIPAA compliance)
  - QA/testing providers with audit requirements
  - Any org running browser agents with compliance obligations

What's Next

  This is v0.1.0 MVP. I'm looking for feedback on:
  - Real-world use cases I haven't considered
  - Integration pain points with existing automation stacks
  - Feature priorities (WebSocket streaming, gRPC, advanced rate limiting)

Contributing

  The project follows strict quality standards (95%+ test coverage requirement,
  DRY principles, mypy + ruff). Looking for contributors interested in:
  - Security testing and threat modeling
  - Kubernetes/Helm deployment
  - Performance optimization
  - Client SDKs (Python, JS, Go)

  GitHub: https://github.com/j-raghavan/ChronoGuard
  License: Apache 2.0

Happy to answer questions about the architecture, design decisions, or roadmap!

Best Regards!

Show HN: Browser based state machine simulator and visualizer

Show HN: A luma dependent chroma compression algorithm (image compression)

Show HN: I saw this cool navigation reveal, so I made a simple HTML+CSS version

Show HN: Kappal – CLI to Run Docker Compose YML on Kubernetes for Local Dev

Show HN: Look Ma, No Linux: Shell, App Installer, Vi, Cc on ESP32-S3 / BreezyBox

Show HN: If you lose your memory, how to regain access to your computer?

Show HN: I spent 4 years building a UI design tool with only the features I use

Show HN: PalettePoint – AI color palette generator from text or images

Show HN: Smooth CLI – Token-efficient browser for AI agents

Show HN: R3forth, a ColorForth-inspired language with a tiny VM

Show HN: I built a <400ms latency voice agent that runs on a 4gb vram GTX 1650"

Show HN: Artifact Keeper – Open-Source Artifactory/Nexus Alternative in Rust

Show HN: BioTradingArena – Benchmark for LLMs to predict biotech stock movements

Show HN: Slack CLI for Agents

Show HN: Stacky – certain block game clone

Show HN: A toy compiler I built in high school (runs in browser)

Show HN: ARM64 Android Dev Kit

Show HN: Gigacode – Use OpenCode's UI with Claude Code/Codex/Amp

Show HN: Nginx-defender – realtime abuse blocking for Nginx

Show HN: Micropolis/SimCity Clone in Emacs Lisp

Show HN: MCP App to play backgammon with your LLM

Show HN: I'm 75, building an OSS Virtual Protest Protocol for digital activism

Show HN: I built Divvy to split restaurant bills from a photo

Show HN: Horizons – OSS agent execution engine

Show HN: Daily-updated database of malicious browser extensions

Show HN: Falcon's Eye (isometric NetHack) running in the browser via WebAssembly

Show HN: Slop News – HN front page now, but it's all slop

Show HN: I Hacked My Family's Meal Planning with an App

Show HN: Local task classifier and dispatcher on RTX 3080

Show HN: I built a free UCP checker – see if AI agents can find your store