alt.hn

6/30/2026 at 1:40:11 PM

Ask HN: Secure wrapper for coding agents?

by rjzzleep

6/30/2026 at 7:41:21 PM

If you're on a Mac, look up https://bromure.io/en/agentic-coding

(Look up the browser too: https://bromure.io/en/secure-web)

Everything you see is made by Claude (and Renaud Deraison :-)) and is working quite well, judging from the demos.

See here for more details (in French, but English subs are available (and more)): https://www.sstic.org/2026/presentation/cloture_2026/

by pixdamix

6/30/2026 at 9:46:05 PM

The “fusion” mode looks really cool. Also loved the logo grid under “for the paranoid” — looks like a customer list, except it’s a wall of shame (“they did not run bromure”). Thanks for sharing!

by j-conn

6/30/2026 at 2:38:36 PM

I believe you're looking for Era. It uses libkrun for local microVM isolation and was built specifically to solve the "LLM hallucinated a destructive bash command" problem without the overhead of a massive VM.

Another one that handles this gracefully is Yolobox, which uses rootless Podman. Both are actively maintained and cut through the noise of the thousands of generic wrapper repos out there right now.

by sanju3026

6/30/2026 at 3:30:04 PM

Era links to https://github.com/smol-machines/smolvm now

by femboyvtuber

7/1/2026 at 6:41:53 PM

Yep, I needed to go deeper down the stack in order to get to the lightweight optimizations I needed.

by binsquare

7/2/2026 at 9:10:29 AM

Celesto has a unified interface for sandboxes based on QEMU, Firecracker and libkrun.

https://docs.celesto.ai/smolvm

by theaniketmaurya

7/1/2026 at 1:28:13 PM

This may be too naive, but I created a user on my Linux box who doesn't have very many permissions. Then I sudo to that user, use firejail to start pi in a dev project directory, and let it have at it.

My projects are usually very limited with respect to external dependencies and that is part of prompts or markdown files describing various project goals, plans, and current state.

My operating theory is that this probably won't get my systems borked. I wasn't patient enough to dig deeper.

by clusterhacks
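The low-privilege-user plus firejail setup described in the comment above, written out as an added example (not the commenter's own script). It assumes, beyond what the comment states, that the unprivileged account is called "agent", that the agent binary is "pi", and that firejail is installed; the flags used are firejail's documented ones, and the `FIREJAIL` override exists only so the composed policy can be printed and reviewed before anything runs.

```shell
#!/bin/sh
# Added example (not the poster's own script): start a coding agent inside
# firejail, confined to one project directory, with no network access.
# Assumptions not stated in the thread: the unprivileged account is named
# "agent", the agent binary is "pi", and firejail is installed on the host.
set -eu

# FIREJAIL can be overridden (e.g. FIREJAIL=echo) to print the command
# line instead of executing it, which is handy for reviewing the policy.
FIREJAIL="${FIREJAIL:-firejail}"

# Launch "$@" inside the sandbox, rooted in PROJECT_DIR.
# Everything outside the project is still protected by the ordinary Unix
# permissions of the low-privilege account; the jail adds the layers below.
sandboxed_agent() {
    project_dir="$1"
    shift
    case "$project_dir" in
        /*) ;;
        *) echo "project dir must be absolute: $project_dir" >&2; return 1 ;;
    esac
    [ -d "$project_dir" ] || { echo "no such directory: $project_dir" >&2; return 1; }

    # --noprofile       ignore firejail's bundled per-application profiles;
    #                   the flags below are the complete policy
    # --noroot          no root user inside the sandbox's user namespace
    # --nonewprivs      setuid/setgid binaries cannot raise privileges
    # --caps.drop=all   drop every Linux capability
    # --seccomp         firejail's default syscall deny list
    # --net=none        fresh, empty network namespace: no traffic in or out
    # --private=DIR     mount DIR as $HOME, hiding the real home directory
    # --private-tmp     empty /tmp, so nothing leaks between sessions
    # --private-dev     minimal /dev (no raw disks, cameras, etc.)
    $FIREJAIL \
        --noprofile \
        --noroot \
        --nonewprivs \
        --caps.drop=all \
        --seccomp \
        --net=none \
        "--private=$project_dir" \
        --private-tmp \
        --private-dev \
        -- "$@"
}

# When executed directly (rather than sourced), pass the project directory
# and the agent command through. Typical flow, matching the comment:
#   sudo -iu agent
#   ./agent-jail.sh /home/agent/projects/demo pi
if [ "$#" -ge 2 ]; then
    sandboxed_agent "$@"
fi
```

Dropping `--net=none` and adding firejail's `--netfilter` would be the route to a more selective network policy, but for the "don't bork my system" goal the comment describes, no network plus a single writable directory is the simplest policy to reason about.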

6/30/2026 at 6:53:46 PM

If you are running macOS, I would recommend Agent Safehouse. It is well maintained and built on the existing sandbox-exec, so you are not locked in and can always build your own rules independent of the CLI tool.

https://github.com/eugene1g/agent-safehouse/ https://agent-safehouse.dev/

Originally posted on HN https://news.ycombinator.com/item?id=47301085

by ca_tech

6/30/2026 at 7:03:35 PM

Seconding this. I've been running Safehouse for months and love that it can wrap any process (it's just a wrapper around the native macOS sandbox API, after all). The only thing I miss is the ability to limit network access, which isn't supported by the API.

by atombender

7/2/2026 at 11:08:35 AM

Safehouse author here - glad you found it helpful. It didn't even occur to me to add an --offline mode, because my mental model is anchored in agents, which often require network access. Until we add this, the easiest option is to create a custom policy and then reference it with Safehouse (I usually set up shell aliases/functions for this):

  ;; in ~/.config/agent-safehouse/no-network.sb
  (deny network*)

  # shell: run <command> with the extra profile appended to Safehouse's own rules
  safehouse --append-profile="$HOME/.config/agent-safehouse/no-network.sb" -- <command>

by e1g
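The same idea without the Safehouse CLI, as an added example that is neither the thread's nor the Safehouse project's code: a standalone sandbox-exec profile (the mechanism the comment above says Safehouse builds on) that denies all network access and limits writes to one project directory, plus a wrapper that runs a command under it. The profile parameter name `PROJECT`, the temporary-file handling and the `SANDBOX_EXEC` override for dry runs are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the Safehouse project: a macOS
# sandbox-exec profile (SBPL) that cuts off the network and restricts writes
# to one project directory, with a wrapper to run a command under it.
# Assumptions: sandbox-exec is available (macOS), and the parameter name
# PROJECT is chosen here; it is not a Safehouse convention.
set -eu

# Print the profile text. SBPL evaluates rules in order with the last
# matching rule winning, so broad denies come first and narrow allows after.
# "subpath" matches a directory and everything beneath it.
render_profile() {
    cat <<'EOF'
(version 1)
;; Permissive for everything not mentioned below (file reads, exec, Mach
;; lookups), so toolchains keep working; then carve out network and writes.
(allow default)

;; No network at all: outbound, inbound, unix sockets.
(deny network*)

;; Writes are denied everywhere except the project directory, the usual
;; temp locations and the terminal; "rm -rf" outside the project hits the deny.
(deny file-write*)
(allow file-write*
    (subpath (param "PROJECT"))
    (subpath "/private/tmp")
    (subpath "/private/var/folders")
    (literal "/dev/null")
    (regex #"^/dev/tty"))
EOF
}

# Run "$@" under the profile with PROJECT bound to PROJECT_DIR.
# SANDBOX_EXEC can be overridden (e.g. SANDBOX_EXEC=echo) to print the
# resulting command line instead of executing it.
run_sandboxed() {
    project_dir="$1"
    shift
    case "$project_dir" in
        /*) ;;
        *) echo "project dir must be absolute: $project_dir" >&2; return 1 ;;
    esac
    profile="$(mktemp "${TMPDIR:-/tmp}/agent-sandbox.XXXXXX")"
    render_profile > "$profile"
    # -D binds the profile parameter; -f selects the profile file.
    ${SANDBOX_EXEC:-sandbox-exec} -D "PROJECT=$project_dir" -f "$profile" "$@"
}

# Direct invocation: ./agent-sandbox.sh /absolute/path/to/project <command> [args]
if [ "$#" -ge 2 ]; then
    run_sandboxed "$@"
fi
```

As the later reply in this thread notes, this mechanism only distinguishes broad classes of network traffic; a per-host allowlist cannot be expressed in the profile, which is why the example simply denies `network*`.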

7/2/2026 at 1:07:19 PM

Hello! I was definitely not looking to block all network access. I would want to maintain a whitelist of hosts and IPs. I don't know if that's possible?

by atombender

7/2/2026 at 5:02:03 PM

Unfortunately, no, macOS sandboxing does not allow that type of blocking. Only broad categories like "local" vs "remote", but no selective targeting based on domain names or IPs.

by e1g

6/30/2026 at 6:40:45 PM

Docker has introduced sandboxes for this purpose.

by aborsy

7/1/2026 at 3:40:10 AM

For coding agents, I care less about sandbox branding and more about boring audit logs. What did it read, what did it write, and what was blocked?

by felixlu2026

6/30/2026 at 3:42:28 PM

Have you thought about Docker?

by rohityin

7/2/2026 at 2:43:25 AM

[flagged]

by sosojustdo

7/1/2026 at 5:09:28 AM

[dead]

by denn-gubsky

7/1/2026 at 8:49:27 PM

[flagged]

by henryagi

7/1/2026 at 1:48:52 PM

[dead]

by 512colors