Show HN: ChronoGuard–Zero-trust proxy for browser automation with temporal ctrls

Hi HN!

I built ChronoGuard, an open-source zero-trust proxy that provides network-enforced authorization for browser automation.

## The Problem

If you’re running Playwright, Puppeteer, or Selenium agents at scale (CI/CD, K8s, VM fleets), you face two challenges:

  1. **Access control**: How do you ensure agents only access approved domains?
  2. **Auditability**: How do you prove WHEN and WHERE your automation accessed external resources?

Traditional approaches (SDK restrictions, code reviews, monitoring) are bypassable or lack temporal proof. Auditors and compliance teams want cryptographically verifiable, tamper-proof logs.

## The Solution

ChronoGuard is a mandatory forward proxy that sits between your agents and the internet. Every request flows through:

  Agent → Envoy (mTLS) → OPA (policy check) → Target Domain
                  ↓
           Immutable Audit Log (hash-chained, time-series)

*Key features:*

  - mTLS authentication for agent identity verification
  - Domain allowlists/blocklists with time-window restrictions
  - Cryptographic hash chains for audit log integrity
  - OPA integration for policy-as-code
  - Multi-tenant isolation
  - 96%+ test coverage

## Try It Now

Zero setup needed – just click:
[![Open in Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/j-raghavan/ChronoGuard?quickstart=1)

Or run locally:
```bash
git clone https://github.com/j-raghavan/chronoguard
cd chronoguard
./scripts/generate_secrets.sh
docker compose up -d
```

  Dashboard: http://localhost:3000
  API docs: http://localhost:8000/docs

## Architecture

Built with Domain-Driven Design + Clean Architecture:

  - 6 services: Envoy proxy, OPA policy engine, FastAPI backend, React dashboard, PostgreSQL+TimescaleDB, Redis
  - Tech stack: Python 3.11+, FastAPI, Envoy, Open Policy Agent, TimescaleDB
  - Deployment: Docker Compose (MVP), Kubernetes ready (roadmap)

## Use Cases

  - E-commerce competitive intelligence
  - Fintech market research
  - Healthcare data operations (HIPAA compliance)
  - QA/testing providers with audit requirements
  - Any org running browser agents with compliance obligations

## What’s Next

  This is v0.1.0 MVP. I'm looking for feedback on:
  - Real-world use cases I haven't considered
  - Integration pain points with existing automation stacks
  - Feature priorities (WebSocket streaming, gRPC, advanced rate limiting)

## Contributing

  The project follows strict quality standards (95%+ test coverage requirement,
  DRY principles, mypy + ruff). Looking for contributors interested in:
  - Security testing and threat modeling
  - Kubernetes/Helm deployment
  - Performance optimization
  - Client SDKs (Python, JS, Go)

  GitHub: https://github.com/j-raghavan/ChronoGuard
  License: Apache 2.0

Happy to answer questions about the architecture, design decisions, or roadmap!

Best Regards!


Comments URL: https://news.ycombinator.com/item?id=45943156

Points: 1

# Comments: 0

Source: github.com
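
The two mechanisms the post names, time-window domain allowlisting and a hash-chained audit log, can be sketched together. This is an added example, not ChronoGuard's own code: the record fields, the `POLICY` format, the UTC windows, the SHA-256 chaining and the all-zero genesis value are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, time, timezone

GENESIS = "0" * 64  # assumed chain anchor for the first entry
# Constructed policy: domain -> permitted UTC window (start, end)
POLICY = {"example.com": (time(9, 0), time(17, 0))}

def decide(domain: str, when: datetime) -> str:
    """Default-deny: allow only listed domains inside their time window."""
    window = POLICY.get(domain)
    if window is None:
        return "deny"
    start, end = window
    return "allow" if start <= when.astimezone(timezone.utc).time() < end else "deny"

def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash the canonical JSON of the record together with its predecessor."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(log: list, agent: str, domain: str, when: datetime) -> dict:
    record = {"agent": agent, "domain": domain, "ts": when.isoformat(),
              "decision": decide(domain, when)}
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev": prev, "hash": entry_hash(prev, record)}
    log.append(entry)
    return entry

def first_bad_index(log: list) -> int:
    """Return the index of the first entry that breaks the chain, or -1."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return -1

def demo() -> tuple:
    log = []
    day = datetime(2025, 1, 6, tzinfo=timezone.utc)  # constructed sample date
    append(log, "agent-1", "example.com", day.replace(hour=10))
    append(log, "agent-1", "example.com", day.replace(hour=23))
    append(log, "agent-1", "unlisted.test", day.replace(hour=10))
    decisions = [e["record"]["decision"] for e in log]
    intact = first_bad_index(log)
    log[1]["record"]["decision"] = "allow"  # simulated after-the-fact edit
    return decisions, intact, first_bad_index(log)
```

A chain like this only shows that entries are consistent with each other; a party able to rewrite the whole log can recompute every hash, so the latest head hash needs to be anchored somewhere the log writer cannot modify.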
