frontpage.

Show HN: ChronoGuard–Zero-trust proxy for browser automation with temporal ctrls

https://github.com/j-raghavan/ChronoGuard

2•j-raghavan•2mo ago

Hi HN!

I built ChronoGuard, an open-source zero-trust proxy that provides network-enforced authorization for browser automation.

## The Problem

If you're running Playwright, Puppeteer, or Selenium agents at scale (CI/CD, K8s, VM fleets), you face two challenges:

  1. **Access control**: How do you ensure agents only access approved domains?
  2. **Auditability**: How do you prove WHEN and WHERE your automation accessed external resources?

Traditional approaches (SDK restrictions, code reviews, monitoring) are bypassable or lack temporal proof. Auditors and compliance teams want cryptographically verifiable, tamper-proof logs.

## The Solution

ChronoGuard is a mandatory forward proxy that sits between your agents and the internet. Every request flows through:

  Agent → Envoy (mTLS) → OPA (policy check) → Target Domain
                  ↓
           Immutable Audit Log (hash-chained, time-series)

*Key features:* - mTLS authentication for agent identity verification - Domain allowlists/blocklists with time-window restrictions - Cryptographic hash chains for audit log integrity - OPA integration for policy-as-code - Multi-tenant isolation - 96%+ test coverage

## Try It Now

Zero setup needed - just click: [![Open in Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/j-raghavan/ChronoGuard?quickstart=1)

Or run locally: ```bash git clone https://github.com/j-raghavan/chronoguard cd chronoguard ./scripts/generate_secrets.sh docker compose up -d ```

  Dashboard: http://localhost:3000
  API docs: http://localhost:8000/docs

Architecture

Built with Domain-Driven Design + Clean Architecture: - 6 services: Envoy proxy, OPA policy engine, FastAPI backend, React dashboard, PostgreSQL+TimescaleDB, Redis - Tech stack: Python 3.11+, FastAPI, Envoy, Open Policy Agent, TimescaleDB - Deployment: Docker Compose (MVP), Kubernetes ready (roadmap)

Use Cases

  - E-commerce competitive intelligence
  - Fintech market research
  - Healthcare data operations (HIPAA compliance)
  - QA/testing providers with audit requirements
  - Any org running browser agents with compliance obligations

What's Next

  This is v0.1.0 MVP. I'm looking for feedback on:
  - Real-world use cases I haven't considered
  - Integration pain points with existing automation stacks
  - Feature priorities (WebSocket streaming, gRPC, advanced rate limiting)

Contributing

  The project follows strict quality standards (95%+ test coverage requirement,
  DRY principles, mypy + ruff). Looking for contributors interested in:
  - Security testing and threat modeling
  - Kubernetes/Helm deployment
  - Performance optimization
  - Client SDKs (Python, JS, Go)

  GitHub: https://github.com/j-raghavan/ChronoGuard
  License: Apache 2.0

Happy to answer questions about the architecture, design decisions, or roadmap!

Best Regards!

Show HN: Look Ma, No Linux: Shell, App Installer, Vi, Cc on ESP32-S3 / BreezyBox

Show HN: MCP App to play backgammon with your LLM

Show HN: I spent 4 years building a UI design tool with only the features I use

Show HN: If you lose your memory, how to regain access to your computer?

Show HN: I'm 75, building an OSS Virtual Protest Protocol for digital activism

Show HN: I built Divvy to split restaurant bills from a photo

Show HN: R3forth, a ColorForth-inspired language with a tiny VM

Show HN: Smooth CLI – Token-efficient browser for AI agents

Show HN: ARM64 Android Dev Kit

Show HN: BioTradingArena – Benchmark for LLMs to predict biotech stock movements

Show HN: Slack CLI for Agents

Show HN: I Hacked My Family's Meal Planning with an App

Show HN: Artifact Keeper – Open-Source Artifactory/Nexus Alternative in Rust

Show HN: I built a free UCP checker – see if AI agents can find your store

Show HN: Gigacode – Use OpenCode's UI with Claude Code/Codex/Amp

Show HN: Compile-Time Vibe Coding

Show HN: Slop News – HN front page now, but it's all slop

Show HN: Daily-updated database of malicious browser extensions

Show HN: Horizons – OSS agent execution engine

Show HN: Micropolis/SimCity Clone in Emacs Lisp

Show HN: Falcon's Eye (isometric NetHack) running in the browser via WebAssembly

Show HN: Fitspire – a simple 5-minute workout app for busy people (iOS)

Show HN: I built a RAG engine to search Singaporean laws

Show HN: Local task classifier and dispatcher on RTX 3080

Show HN: Sem – Semantic diffs and patches for Git

Show HN: A password system with no database, no sync, and nothing to breach

Show HN: FastLog: 1.4 GB/s text file analyzer with AVX2 SIMD

Show HN: GitClaw – An AI assistant that runs in GitHub Actions

Show HN: Gohpts tproxy with arp spoofing and sniffing got a new update

Show HN: I built a directory of $1M+ in free credits for startups