Submission + - Show HN: Zerobox - Sandbox any command with file and network restrictions (github.com)
afshin writes: Zerobox is an open-source process sandbox that wraps any command with deny-by-default file and network restrictions. Built on the same sandboxing engine that powers OpenAI Codex. no Docker, no VMs, no daemon. A single binary that starts in ~10ms.
Control what the process can read, write, and connect to with granular allow/deny flags. Filter network by domain through a built-in HTTP/SOCKS proxy. Pass API keys as secrets that are never visible inside the sandbox — the proxy injects real values into HTTP headers only for approved hosts. Environment variables are clean by default (only PATH, HOME, etc.).
TypeScript SDK included: Sandbox.create({ secrets: { OPENAI_API_KEY: { value: "sk-...", hosts: ["api.openai.com"] } } }).
Read more: https://github.com/afshinm/zer...
Control what the process can read, write, and connect to with granular allow/deny flags. Filter network by domain through a built-in HTTP/SOCKS proxy. Pass API keys as secrets that are never visible inside the sandbox — the proxy injects real values into HTTP headers only for approved hosts. Environment variables are clean by default (only PATH, HOME, etc.).
TypeScript SDK included: Sandbox.create({ secrets: { OPENAI_API_KEY: { value: "sk-...", hosts: ["api.openai.com"] } } }).
Read more: https://github.com/afshinm/zer...
