frontpage.
newsnewestaskshowjobs

Open Source @Github

fp.

Show HN: DOM-docx – HTML to native, editable Word docs (MIT)

https://github.com/floodtide/dom-docx
66•fishbone•3h ago•22 comments

Show HN: Clawk – Give coding agents a disposable Linux VM, not your laptop

https://github.com/clawkwork/clawk
72•celrenheit•1h ago•74 comments

Show HN: Harpist – convert any website into a refined and documented API

https://harpist.site
2•sarreph•32m ago•0 comments

Show HN: Hackney – Compare Uber, Lyft, Waymo, and Robotaxi Prices

https://hackney.app/
2•griffinli•35m ago•0 comments

Show HN: A Sims-style house builder in the browser (Three.js, no back end)

https://github.com/ch-bas/threejs-sims-house-builder
4•ch-bas•2h ago•1 comments

Show HN: Loot Raiders – an ARC Raiders-inspired inventory game in Svelte

https://loot-raiders.vercel.app
9•refrigerator-12•7h ago•1 comments

Show HN: Mindwalk – Replay coding-agent sessions on a 3D map of your codebase

https://github.com/cosmtrek/mindwalk
157•cosmtrek•1d ago•63 comments

Show HN: Codebase Posters – turn any Git repo into generative poster art

https://github.com/unable12/codebase-posters
27•unable0•16h ago•5 comments

Show HN: Getting GLM 5.2 running on my slow computer

https://github.com/JustVugg/colibri
920•vforno•4d ago•234 comments

Show HN: Zen Mode – a global focus mode for macOS

https://github.com/cabeen/zen-mode
27•cafebeen•18h ago•10 comments

Show HN: 18 Words

https://18words.com/
1150•pompomsheep•4d ago•360 comments

Show HN: Shirei, cross-platform GUI framework in native Go

https://github.com/hasenj/go-shirei/
86•hsn915•22h ago•55 comments

Show HN: Kurvengefahr – browser CAD/CAM for pen plotters

https://kurvengefahr.org/
20•tibordp•1d ago•6 comments

Show HN: Pentaton LP – a music streamer with an LP sleeve sized display

https://pentaton.app/blog/2026-07-12-introducing-pentaton-lp/
5•interfeco•7h ago•0 comments

Show HN: Learn by rebuilding Redis, Git, a database from scratch

https://shipthatcode.com
193•acley•2d ago•65 comments

Show HN: Skillscript – A declarative, sandboxed language for tool orchestration

https://github.com/sshwarts/skillscript
16•sshwarts•1d ago•24 comments

Show HN: Level – a new demo for 8bit Atari XL/XE

https://ilmenit.github.io/level-by-agenda/
4•ilmenit•9h ago•0 comments

Show HN: Ant – A JavaScript runtime and ecosystem

https://antjs.org
323•theMackabu•1d ago•147 comments

Show HN: Orbit – AR satellite tracker, watch 15k+ objects

https://nagylukas.github.io/orbit.html
85•lukas9•1d ago•19 comments

Show HN: Sqlsure – deterministic semantic checks for AI-generated SQL

https://github.com/sqlsure/sqlsure
42•tejusarora•1d ago•7 comments

Show HN: Capn-hook for coding agents – don't grep the same mystery twice

https://github.com/cyrusNuevoDia/capn-hook
8•knrz•18h ago•1 comments

Show HN: Agent-run – Run a coding agent in a sandboxed environment

https://github.com/sin-ack/agent-run
7•trashburger•18h ago•2 comments

Show HN: Earth Game – An offline CLI for turning life goals into quests

https://github.com/skorotkiewicz/earth-game
55•modinfo•1d ago•12 comments

Show HN: Reverse-engineering web apps into agent tools

94•pancomplex•3d ago•39 comments

Show HN: Hologram, photo management and culling built with Tauri

https://github.com/ThatXliner/Hologram
3•thatxliner•16h ago•0 comments

Show HN: Cpulse – See why your Docker Compose stack is stuck

https://github.com/hyturing/compose-pulse
3•hyturing•16h ago•0 comments

Show HN: Self-hosted voice AI agent for Asterisk/FreePBX

https://github.com/hkjarral/AVA-AI-Voice-Agent-for-Asterisk
5•hkjarral•12h ago•1 comments

Show HN: PitchTrail – Perfect Pitch for Kids

https://pitchtrail.app/
6•theckel•17h ago•3 comments

Show HN: Reame – a CPU inference server that gets faster as it runs

https://github.com/swellweb/reame
56•targetbridge•1d ago•18 comments

Show HN: Free Community Radio Player (PWA)

https://radiodock.app/
4•bitmancer•18h ago•0 comments
Open in hackernews

Show HN: Clawk – Give coding agents a disposable Linux VM, not your laptop

https://github.com/clawkwork/clawk
72•celrenheit•1h ago

Comments

prairieroadent•58m ago
why not just a docker container
matheusmoreira•28m ago
Because that means you are sharing kernel with the sandboxed agent. Virtualization presents an infinitely smaller attack surface.
hwc•20m ago
If there is any attack surface within a properly-configured container, that's a kernel bug, right?
matheusmoreira•15m ago
Probably. If I remember correctly, containers on Linux are implemented using the kernel's namespaces. The same ones which became famous for the vulnerabilities they surfaced in previously unexercised code.
croes•4m ago
Then use SmolVM
ebeirne•51m ago
love what youve done here. i will be using this in the future.
celrenheit•15m ago
Thank you, that means a lot !
matheusmoreira•51m ago
> clawk forward add my-project 3000

> clawk network allow my-project api.example.com

Can you describe the implementation details? How did you implement the firewall without root?

I vibecoded virtdev, a virtual machine orchestration project just like this one:

https://github.com/matheusmoreira/virtdev

It was designed to not require root, and the nftables firewall ended up becoming the only exception. I'm very curious about how you implemented this. Did you find a better way?

celrenheit•32m ago
Thanks! There's no packet firewall at all, no iptables/nftables. On macOS the VM's NIC is a Virtualization.framework file-handle device. The daemon runs gvproxy, which terminates the guest's connections and re-dials them as host sockets, so I filter with an allow-list right before the dial. One caveat, since you asked about root specifically: that's the macOS path, and it only works thanks to the fd NIC. Firecracker on Linux only speaks a TAP, which needs root, so there I do shell out to sudo, but just for the device. The filtering is still the same userspace allow-list.
westurner•17m ago
(Years ago I had puppet and cobbler provisioning VMs over PXE and then iPXE. FWIU foreman is more actively maintained than cobbler, which is built on Django web framework.)

Vagrant manages VMs and virtual networks, in Ruby.

ansible-molecule creates, converges, and destroys VM(s) and containers, in order to test ansible playbooks and ansible roles in clean build roots.

podman machine manages VMs:

- podman-container-tools/podman-machine-os: machine image files: https://github.com/podman-container-tools/podman-machine-os/...

`podman kube play` over `podman machine` might solve for agents that need multiple VMs/containers

- Podman Desktop can work with the same local k8s setups as Docker Desktop. Though there's certainly more state to manage with k8s for agent session farm, k8s probably has better logging and quotas than a VM management script on each node.

OpenShift on OpenStack is one way to do containers over VMs over bare metal.

Microshift also does container-selinux.

There is not an apparmor policy set for containers?

bwrap and liboverlayfs and libseccomp are almost but not quite containers.

There are stronger container isolation layers that are more like a full or lightweight VM, that might be better for agent sessions: gVisor, firecracker vm, Todo

Cloudflare workerd is the open source part of cloudflare workers, which run lightweight WASM and JS VMs with multi-tenant isolation.

It takes far less resources to run a cloudflare worker than to run a container on cloudflare. So, if it's possible for an agent to operate within a WASM runtime ~container, that's probably more optimal for agent sessions.

Cloudflare/artifact-fs does lazy shallow git clones with a FUSE filesystem.

- "Show HN: VM-curator – a TUI alternative to libvirt and virt-manager" https://news.ycombinator.com/item?id=46750437

https://news.ycombinator.com/item?id=46825026 ; amla sandbox, agentvm, ARM64 MTE

https://news.ycombinator.com/item?id=46825119 ; container2wasm , vscode-container-wasm-gcc-example ; build WASM containers with Dockerfiles

docker and podman support multiple WASM runtimes for running WASM containers, e.g. for agent sessiobs

bitwize•49m ago
Errbody gangsta until the agent figures out it's in a container and finds an exploit that lets it break out of container jail...
matheusmoreira•47m ago
I developed a VM project just like this one. Asked Fable to stress test it and try to break out of containment, and to my surprise it didn't manage to. Fable didn't get downgraded to Opus either, for some reason.

Would have thrown Mythos at it if I had access to it.

arcanemachiner•33m ago
Isn't Fable just Mythos + guardrails? Sounds like you did throw Mythos at it.
matheusmoreira•23m ago
I initially thought that was the case: literally the same weights but with an incredibly obnoxious "safety classifier" tacked on. Now I'm uncertain because people on HN have told me it's a different model altogether with further fine tuning for safety or something.
nullc•14m ago
You should conduct the same test with knowingly faulty containment, otherwise the theory that the model is hobbled should probably outrank that it couldn't escape.
matheusmoreira•4m ago
That's a good idea. I don't have Fable at the moment, when it comes back I'll ochestrate those tests.

Opus did manage to iron out a lot of fail open bugs during development though, and Fable's like a hundred times more relentless than Opus. I'm not saying it's a definitive result or that my VM firewall thingy is unhackable... I'm just saying it put a smile on my face.

bad_haircut72•49m ago
Sprites from Fly io does this beautifully, claude comes preinstalled, its great
daitangio•47m ago
I am developing a super light similar thing here

https://github.com/daitangio/take-ai-control

It is docker + vscode friendly. I tested it with major systems (copilot, codex, Claude Code and pi.dev) Comments Wellcome!

felooboolooomba•46m ago
I use mkosi: https://github.com/systemd/mkosi

Which is just a front for systemd-nspawn. It's annoying you have to edit the config.nspawn to mount a directory if you start it with the "shell" command, instead of booting. But apart from that, it's brilliant.

NortySpock•37m ago
Have you seen https://news.ycombinator.com/item?id=48892015 and yoloai? https://github.com/kstenerud/yoloai

Seems like both projects are following very similar approaches.

guywithahat•31m ago
Funny that they're both written independently and in Go. Sometimes there's just a best way to do things I guess
rvz•34m ago
This is like the 30th AI sandbox project on Show HN. Why this one over the rest?
SoftTalker•17m ago
Also the readme (and thus likely the whole thing) is clearly LLM-generated.
vqtska•33m ago
I still don't understand the point of all these VMs and containers for agents. Just create a separate user on your machine without sudo privileges, switch to it in your terminal and run all the agents you want without it being able to reach your files. What am I missing?
altcognito•31m ago
In a corporate environment they may not have that option
SoftTalker•18m ago
But they can run arbitrary VMs?
bheadmaster•31m ago
VMs and containers are fairly isolated and reproducible. A separate user on your machine still depends on the programs installed locally.
Greenpants•18m ago
And those installed programs could have vulnerabilities that just a non-root user account could still take advantage of. Perhaps not likely for an LLM to do, but more so if you let them loose on the internet and they end up coming across prompt injection that instructs exactly that :)
bpavuk•30m ago
you can also simply use Landlock and bwrap on Linux. Pi even has a plugin for that https://pi.dev/packages/pi-landstrip
kstenerud•32m ago
yoloAI does something similar:

- Sandbox on Linux using Docker, Podman, containerd, gVisor, Kata, Firecracker

- Sandbox on Mac using Docker, Podman, Apple containers, Seatbelt, Tart (Tart lets you run simulators).

- Network restriction

- Secrets control (file mounts or credentials broker)

- NO ambient data (ENV is replaced with a minimal and local-to-sandbox one, no host-side filesystem access beyond what you explicitly allow)

- Workdir protection: Your work dir is never modified until you apply the changes, either standalone or as a git commit. You can also diff before applying. Git runs SANDBOX side in case the repo has filters.

- Uses copy-on-write if your filesystem supports it (most modern ones do)

- Has built-in support for claude, codex, gemini, aider, and opencode, but you can also launch it in "shell" mode and run whatever you want.

- Supports VS code tunnels, so you can remotely access in VS code if you don't want to use the terminal.

- Full lifecycle support: Launch, attach, stop, restart, wait, one-shot, clone, destroy

- MCP passthrough

- Layered API if you want to sandbox other things

- FOSS

https://github.com/kstenerud/yoloai

anoop_kumar•32m ago
why not just use something like smol VMs? So many VM's and I am confused on which one to use for what. I think we now need a VM orchestrator!
htrp•30m ago
how does this compare with the aws lambda microvms?
petesergeant•27m ago
Yet another one, only I wrote this one, so I prefer it: https://github.com/pjlsergeant/byre

You might prefer byre's simplicity, transparency, and ease of reasoning about: one local container, explicit access grants, readable generated Docker, and a workflow that stays close to normal development rather than introducing a larger sandbox platform. It's also very very easy to eject from if you want to stop using it.

aftbit•27m ago
Does Codex run its own sandbox? I see that sometimes it runs commands without asking, which then fail for some reason, and it asks to run them again "outside of the sandbox"
skybrian•24m ago
If the agent is running on your machine, it will suspend when you put your laptop asleep. I prefer using a remote Linux VM to let the coding agent keep working.

I’m quite happy with exe.dev for this. My laptop is asleep upstairs but I have an agent coding away in a browser tab on the tablet I’m using. I could also check on it from my phone.

But it might also be nice if a setup similar to exe.dev were available for self-hosting. I have a Mac Mini that I don’t really use much.

mswphd•21m ago
https://paseo.sh/ supports self-hosting, though I've only used it a mild amount tbh.
matheusmoreira•19m ago
> it will suspend when you put your laptop asleep

It is possible to simply not do that. Laptops work just fine as servers. They even have a builtin monitor and UPS.

dietdrb•22m ago
We are building the cloud version of this: hosted, isolated VMs. MacOS and Linux supported. Cloud means you can run many VMs in parallel.

https://bitrise.io/platform/remote-dev-environments

mrbn100ful•13m ago
It's called https://github.com/features/codespaces or https://codeanywhere.com/ or https://claude.ai/code/
dietdrb•3m ago
None of the products you mentioned support macOS environments needed by iOS/tvOS/etc developers. (CodeAnywhere went out of business)

Bitrise has been doing macOS VMs for CI for 10 years, so we extended the existing product to this use-case.

0xbadcafebee•19m ago
How many of these are there now, a hundred? We get it, you can run an agent in a VM/container/sandbox. What about configuration management & rollbacks? What about the policy engine? What about dynamic credential management? What about the lethal trifecta? A sandbox is the easiest part and doesn't address the others.
mrbn100ful•16m ago
YAY, let's build the same thing over and over :/

Did you know that before reinventing the wheel, you can ask LLM your requirements, and they can find the most suited already existing tool ?

croes•3m ago
Isn’t the point of LLM to recreate the wheel?

Tl libraries, no frameworks. Let AI recreate it from scratch … every time

c0rruptbytes•16m ago
everyone loving these linux sandboxes, even Apple wrote one https://github.com/apple/containerization/tree/main/examples...
lucamartinetti•13m ago
I also wrote one where you can choose to use a container or a vm, with a MITM proxy on top https://github.com/agentcage/agentcage
rock_artist•11m ago
> Requires macOS 14+ on Apple silicon. (Linux is supported via firecracker and currently experimental...)

So should be noted it's mostly macOS out of the box with some Linux support if I understand right.

ttul•8m ago
And, make coding harnesses run 20x faster at many multi-processing and file operations by running the coding harness itself inside of Linux instead of MacOS…
mlnj•7m ago
Is file IO a bottleneck now?
mlnj•8m ago
Is there anyone who is NOT building another AI sandbox solution?
statt•7m ago
When firing up agent VMs for my personal projects, I tried to completely separate SSH keys as well. Surprisingly annoying to have multiple keys for, say GitHub, and restrict the agent to use a deploy key.

I saw this project enables ssh-agent forwarding, so my question; is this a non-issue to begin with? Or just not your focus currently.

thiodrio•4m ago
Is it similar to devcontainers?
einhard•4m ago
I am certainly no expert in this space so it is quite possible I'm missing something critical, but what seems to work for me is a Podman image I built on my computer with some basic things I need (using OpenCode, but I imagine any other agent could be used instead):

  FROM docker.io/archlinux:base
  RUN pacman -Syu --noconfirm && \
      pacman -S --noconfirm \
      base-devel \
      git \
      curl \
      uv \
      opencode && \
      pacman -Scc --noconfirm
  RUN mkdir -p /etc/opencode 
  WORKDIR /workspace
From there I just run the Podman image from the command line (using a Fish function) that mounts the specific project I'm working on to /workspace. I guess there might be some vulnerabilities with shared kernels and such, but it seems like an easy way to have some isolation.
TheRealPomax•3m ago
> On your own machine that leaves two bad options. You approve every command (and babysit a prompt every few seconds), or you run --dangerously-skip-permissions and hope nothing important is one rm -rf or one leaked token away.

Literally everyone has the option to use a VM - it's built into Windows, UTM on MacOS, Docker on Linux. Yes, "a tool that automatically builds a VM" is useful, but we've had a third option (four, if you count "actually I disagree with the idea that it's only useful if it's fully agentic") from day one.

0xbadcafebee•18m ago
Actually that doesn't just work on all systems and it breaks on others. The alternate user is actually guaranteed to work on all systems and it's built in
bpavuk•5m ago
Seatbelt on macOS and Landlock over WSL2 on Windows 11. Landlock is also built-in, and WSL2 is a first-party downloadable component
killerstorm•15m ago
Codex uses bwrap sandbox which is purely cosmetic - out-of-box it sees your ssh keys and can send it to remote server. It prevents agent from deleting outside files by mistake, but does nothing against malicious activity
bpavuk•9m ago
that Pi extension, by contrast, gives you a popup whenever an agent tries to access something outside the current working directory and send a network request. that depends on configuration. also if agent tries to ssh into something that will also send a request for access, so child processes are covered
petesergeant•26m ago
am I doing that once per project, or?
3form•26m ago
Well, for one, Debian and Debian-based distros make your home directory readable by everyone by default.

Security is riddled by traps. If you can afford best possible level of isolation, why not do it?

matheusmoreira•25m ago
You're missing the fact you'd be sharing a kernel with the sandboxed agent. Virtualization presents an infinitely smaller attack surface.
vqtska•18m ago
What kind of things are you even doing that the agent would try to perform a kernel exploit on you? I thought sandboxing is just to protect from the agent accidentally clearing your home directory.

Side note, just 6 days ago a Linux VM escape exploit was disclosed.

matheusmoreira•10m ago
I'm not worried about the agent at all. The VM is there to prevent it from clobbering files on my real system.

I'm worried about supply chain attacks on npm, pip, cargo and everything else. Don't want to get compromised if I install some stupid package.

My virtdev project has essentially split my computer into two systems: my "real" trusted system with software coming directly from my Linux distribition's repositories, and the VMs for everything else.

> just 6 days ago a Linux VM escape exploit was disclosed

Well, shit. Details?

zzril•11m ago
If your threat model is that of a malicious agent that will use a 0-day LPE to get root and exfiltrate all of your SSH keys, virtualization makes sense. But then, I wouldn't run such an agent at all, if not specifically in the context of malware analysis.

If you're just concerned about "agent messing up and taking the rules in some markdown files more laxly than I would have", then running it as a seperate user is totally enough...

matheusmoreira•8m ago
Threat model is supply chain attacks on unmaintained package repositories like npm, pip and cargo. Everything on my host comes from my Linux distribution's repositories. Everything else gets virtualized with extreme prejudice. I'll even virtualize my Steam games one of these days.
khuey•7m ago
IMO the threat model is more letting the agent loose on issues/PRs in a public Github repo and it getting tricked into running a malicious payload.
killerstorm•18m ago
Privilege escalation (e.g. setuid), world-readable files might contain sensitive data, world-writeable files, unrestricted network access (including access to all locally running services)... If you have fully patched system without zero-days and it's configured in a perfect way, then, sure...

Container is quite like a "separate user" except you can explicitly define what it can access.

(Even if all your daemons have good auth, it's now quite common for _apps_ to open listening sockets without much auth...)

wilkystyle•16m ago
Also, many of these sandboxing solutions provide features like network allowlists and credential masking/injection
vqtska•15m ago
Sure, if you assume the agent will be hostile on you. I thought it's just so the agent doesn't accidentally rm -rf / on you
pigeons•12m ago
They do try privilege escalation unprompted.
killerstorm•11m ago
The agent might install hostile software, e.g. a npm package. Unfortunately, very common problem nowadays.
de6u99er•12m ago
On my Mac, every sudo requires either my fingerprint or password, and times out immediately.
augusto-moura•12m ago
Mainly networking and namespaces, same reasons why we run services on docker instead of old multi-user setups
throw1234567891•7m ago
And why would I do that when I can create a vm from a snapshot and be done in 30 seconds?
TheRealPomax•1m ago
If you think those two contexts are equally secure, your machine is incredibly insecure and I hope you run daily incremental full system backups.

You have far too much data in unsecured locations, and you have far too little understanding of what an agent would do, to go "I trust whatever this user account will be doing on my machine".