<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: hardsnow</title><link>https://news.ycombinator.com/user?id=hardsnow</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Thu, 09 Jul 2026 00:14:53 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=hardsnow" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by hardsnow in "GitLost: We Tricked GitHub's AI Agent into Leaking Private Repos"]]></title><description><![CDATA[
<p>GitHub doesn’t exactly make it easy to configure agent access securely. In fact, their regular access tokens and app credentials don’t provide granular enough controls to give direct access to private repos securely. Even if tokens are tightly scoped, access to public repos is always allowed and exfiltration via public repo issues for example remains a vector. Securing this requires patching via MITM proxy that implements stricter controls than GitHub provides.<p>Now, presumably GitHub Agentic workflows are the proper 1st party solution for this exact issue, but seems like they still have some work to do, either on the security model, or at least in making it easier to use securely.<p>More on this here: <a href="https://haulos.com/blog/do-not-give-your-agent-github-access/" rel="nofollow">https://haulos.com/blog/do-not-give-your-agent-github-access...</a></p>
]]></description><pubDate>Wed, 08 Jul 2026 17:11:05 +0000</pubDate><link>https://news.ycombinator.com/item?id=48834492</link><dc:creator>hardsnow</dc:creator><comments>https://news.ycombinator.com/item?id=48834492</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48834492</guid></item><item><title><![CDATA[New comment by hardsnow in "All your agents are going async"]]></title><description><![CDATA[
<p>I’ve been using email as an async channel with agents. Email does proper long-form async and native threaded communication extremely well and IMO is the best match UX-wise.<p>The system I’ve developed for this is open source and detailed at <a href="https://airut.org" rel="nofollow">https://airut.org</a></p>
]]></description><pubDate>Wed, 22 Apr 2026 17:34:54 +0000</pubDate><link>https://news.ycombinator.com/item?id=47866693</link><dc:creator>hardsnow</dc:creator><comments>https://news.ycombinator.com/item?id=47866693</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47866693</guid></item><item><title><![CDATA[New comment by hardsnow in "Cloudflare Email Service"]]></title><description><![CDATA[
<p>I seriously think this great! I’ve been saying that email is the right interface for agents for a while now. It is available anywhere, natively threaded, and works for asynchronous long-form communication. Comes with great clients as well.<p>I’ve been developing last three months by emailing Claude, with email threads mapping to an isolated workspace and claude -p. Works super well, especially when trying to get some coding done between everything else.<p>With right CLAUDE.md and a bit of workflow tooling this extends itself to building other kinds of agents as well. For example, I do my bookkeeping by emailing Claude my statements and receipts, which it then imports into a plain-text accounting system. And we’ve proven this in corporate environment as well, creating agent that can troubleshoot more complex issues by correlating diagnostic logs against product source code.<p>Once the basic “email agent” infrastructure is there, creating new agents becomes super simple.</p>
]]></description><pubDate>Thu, 16 Apr 2026 15:14:06 +0000</pubDate><link>https://news.ycombinator.com/item?id=47794403</link><dc:creator>hardsnow</dc:creator><comments>https://news.ycombinator.com/item?id=47794403</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47794403</guid></item><item><title><![CDATA[New comment by hardsnow in "Open Source Isn't Dead. Cal.com Just Learned the Wrong Lesson"]]></title><description><![CDATA[
<p>This is a sandbox escape pentest so the only tooling needed is Claude Code and a simple prompt that asks it to follow a workflow: <a href="https://github.com/airutorg/airut/blob/main/workflows/sandbox-pentest.md" rel="nofollow">https://github.com/airutorg/airut/blob/main/workflows/sandbo...</a></p>
]]></description><pubDate>Wed, 15 Apr 2026 18:10:50 +0000</pubDate><link>https://news.ycombinator.com/item?id=47782963</link><dc:creator>hardsnow</dc:creator><comments>https://news.ycombinator.com/item?id=47782963</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47782963</guid></item><item><title><![CDATA[New comment by hardsnow in "Open Source Isn't Dead. Cal.com Just Learned the Wrong Lesson"]]></title><description><![CDATA[
<p>I’ve recently set up nightly automated pentest for my open-source project. I’m considering starting to publish these reports as proof of security posture.<p>If the cost of security audit becomes marginal, it would seem reasonable to expect projects to publish results of such audits frequently.<p>There’s probably a quite hefty backlog of medium- and low-severity issues in existing projects for maintainers to suffer through first though.</p>
]]></description><pubDate>Wed, 15 Apr 2026 16:48:36 +0000</pubDate><link>https://news.ycombinator.com/item?id=47781723</link><dc:creator>hardsnow</dc:creator><comments>https://news.ycombinator.com/item?id=47781723</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47781723</guid></item><item><title><![CDATA[New comment by hardsnow in "Launch HN: Twill.ai (YC S25) – Delegate to cloud agents, get back PRs"]]></title><description><![CDATA[
<p>I’ve been developing an open-source version of something similar[1] and used it quite extensively (well over 1k PRs)[2]. I’m definitely believer of the “prompt to PR model”. Very liberating to not have to think about managing the agent sessions. Seems that you have built a lot of useful tooling (e.g., session videos) around this core idea.<p>Couple of learnings to share that I hope could be of use:<p>1) Execution sandboxing is just the start. For any enterprise usage you want fairly tight network egress control as well to limit chances of accidental leaks or malicious exfiltration if theres any risk of untrusted material getting into model context. Speaking as a decision maker at a tech company we do actually review stuff like this when evaluating tools.<p>2) Once you have proper network sandboxing, you could secure credentials much better: give agent only dummy surrogates and swap them to real creds on the way out.<p>3) Sandboxed agents with automatic provisioning of workspace from git can be used for more than just development tasks. In fact, it might be easier to find initial traction with a more constrained and thus predictable tasks. E.g., “ask my codebase” or “debug CI failures”.<p>[1] <a href="https://airut.org" rel="nofollow">https://airut.org</a>
[2] <a href="https://haulos.com/blog/building-agents-over-email/" rel="nofollow">https://haulos.com/blog/building-agents-over-email/</a></p>
]]></description><pubDate>Fri, 10 Apr 2026 18:35:18 +0000</pubDate><link>https://news.ycombinator.com/item?id=47721952</link><dc:creator>hardsnow</dc:creator><comments>https://news.ycombinator.com/item?id=47721952</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47721952</guid></item><item><title><![CDATA[New comment by hardsnow in "Open source security at Astral"]]></title><description><![CDATA[
<p>I would agree with this. I recently tried to figure out how to properly secure agent-authored code in GitHub Actions. I believe I succeeded in doing this[1] but the secure configuration ended up being so delicate that I don’t have high hopes of this being a scalable path.<p>Now, as other commenter pointed out, maybe this is just inherent complexity in this space. But more secure defaults could go a long way making this more secure in practice.<p>[1] <a href="https://github.com/airutorg/sandbox-action" rel="nofollow">https://github.com/airutorg/sandbox-action</a></p>
]]></description><pubDate>Thu, 09 Apr 2026 15:15:46 +0000</pubDate><link>https://news.ycombinator.com/item?id=47704855</link><dc:creator>hardsnow</dc:creator><comments>https://news.ycombinator.com/item?id=47704855</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47704855</guid></item><item><title><![CDATA[Open-source system that runs Claude Code tasks from email and Slack]]></title><description><![CDATA[
<p>Article URL: <a href="https://airut.org">https://airut.org</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=47547186">https://news.ycombinator.com/item?id=47547186</a></p>
<p>Points: 2</p>
<p># Comments: 0</p>
]]></description><pubDate>Fri, 27 Mar 2026 19:32:03 +0000</pubDate><link>https://airut.org</link><dc:creator>hardsnow</dc:creator><comments>https://news.ycombinator.com/item?id=47547186</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47547186</guid></item><item><title><![CDATA[New comment by hardsnow in "Nvidia NemoClaw"]]></title><description><![CDATA[
<p>OpenShell is the gem here indeed. A lot of good ideas like network sandbox that does TLS decryption and use of policy engine to set the rules. However:<p>> Credentials never leak into the sandbox filesystem; they are injected as environment variables at runtime.<p>If anyone from the team is reading - you should copy surrogate credentials approach from here to secure the credentials further: <a href="https://github.com/airutorg/airut/blob/main/doc/network-sandbox.md#masked-secrets-token-replacement" rel="nofollow">https://github.com/airutorg/airut/blob/main/doc/network-sand...</a></p>
]]></description><pubDate>Wed, 18 Mar 2026 19:46:09 +0000</pubDate><link>https://news.ycombinator.com/item?id=47430524</link><dc:creator>hardsnow</dc:creator><comments>https://news.ycombinator.com/item?id=47430524</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47430524</guid></item><item><title><![CDATA[New comment by hardsnow in "Show HN: OneCLI – Vault for AI Agents in Rust"]]></title><description><![CDATA[
<p>I’ve been running this with workloads accessing Anthropic, GitHub, Gemini, and AWS & CF R2 APIs for a while now, and have not ran into issues. I’m sure there’s an API out there that won’t work out of the box but I’m positive that support could be added.<p>Another thing I did was to allow configuring which hosts each credential is scoped to. Replacement /resigning doesn’t happen unless host matches. That way it is not possible to leak keys by making requests to malicious hosts.</p>
]]></description><pubDate>Thu, 12 Mar 2026 18:05:10 +0000</pubDate><link>https://news.ycombinator.com/item?id=47354854</link><dc:creator>hardsnow</dc:creator><comments>https://news.ycombinator.com/item?id=47354854</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47354854</guid></item><item><title><![CDATA[New comment by hardsnow in "Show HN: OneCLI – Vault for AI Agents in Rust"]]></title><description><![CDATA[
<p>This is the right approach. I built a similar system to <a href="https://github.com/airutorg/airut" rel="nofollow">https://github.com/airutorg/airut</a> - couple of learnings to share:<p>1) Not all systems respect HTTP_PROXY. Node in particular is very uncooperative in this regard.<p>2) AWS access keys can’t be handled by simple credential swap; the requests need to be resigned with the real keys. Replicating the SigV4 and SigV4A exactly was bit of a pain.<p>3) To be secure, this system needs to run outside of the execution sandbox so that the agent can’t just read the keys from the proxy process.<p>For Airut I settled on a transparent (mitm)proxy, running in a separate container, and injecting proxy cert to the cert store in the container where the agent runs. This solved 1 and 3.</p>
]]></description><pubDate>Thu, 12 Mar 2026 17:15:33 +0000</pubDate><link>https://news.ycombinator.com/item?id=47354122</link><dc:creator>hardsnow</dc:creator><comments>https://news.ycombinator.com/item?id=47354122</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47354122</guid></item><item><title><![CDATA[Securing Agentic AI Is a Probabilistic Problem]]></title><description><![CDATA[
<p>Article URL: <a href="https://haulos.com/blog/agentic-ai-security/">https://haulos.com/blog/agentic-ai-security/</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=47350795">https://news.ycombinator.com/item?id=47350795</a></p>
<p>Points: 2</p>
<p># Comments: 0</p>
]]></description><pubDate>Thu, 12 Mar 2026 14:13:38 +0000</pubDate><link>https://haulos.com/blog/agentic-ai-security/</link><dc:creator>hardsnow</dc:creator><comments>https://news.ycombinator.com/item?id=47350795</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47350795</guid></item><item><title><![CDATA[From one-shot to agentic diagnostic analysis]]></title><description><![CDATA[
<p>Article URL: <a href="https://haulos.com/blog/agentic-diagnostics-analysis/">https://haulos.com/blog/agentic-diagnostics-analysis/</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=47326502">https://news.ycombinator.com/item?id=47326502</a></p>
<p>Points: 1</p>
<p># Comments: 0</p>
]]></description><pubDate>Tue, 10 Mar 2026 17:46:03 +0000</pubDate><link>https://haulos.com/blog/agentic-diagnostics-analysis/</link><dc:creator>hardsnow</dc:creator><comments>https://news.ycombinator.com/item?id=47326502</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47326502</guid></item><item><title><![CDATA[New comment by hardsnow in "Show HN: enveil – hide your .env secrets from prAIng eyes"]]></title><description><![CDATA[
<p>Yep - requires the client to trust the SSL cert of the proxy. Cooperative clients that support eg HTTP_PROXY may be easier to support, but for Airut I went for full transparent mitmproxy. All DNS A requests resolve to the proxy IP and proxy cert is injected to the container where Claude Code runs as trusted CA. As a bonus this closes DNS as potential exfiltration channel.</p>
]]></description><pubDate>Tue, 24 Feb 2026 07:27:51 +0000</pubDate><link>https://news.ycombinator.com/item?id=47133974</link><dc:creator>hardsnow</dc:creator><comments>https://news.ycombinator.com/item?id=47133974</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47133974</guid></item><item><title><![CDATA[New comment by hardsnow in "Show HN: enveil – hide your .env secrets from prAIng eyes"]]></title><description><![CDATA[
<p>Alternative, and more robust approach is to give the agent surrogate credentials and replace them on the way out in a proxy. If proxy runs in an environment to which agent has no access to, the real secrets are not available to it directly; it can only make requests to scoped hosts with those.<p>I’ve built this in Airut and so far seems to handle all the common cases (GitHub, Anthropic / Google API keys, and even AWS, which requires slightly more work due to the request signing approach). Described in more detail here: <a href="https://github.com/airutorg/airut/blob/main/doc/network-sandbox.md#masked-secrets-token-replacement" rel="nofollow">https://github.com/airutorg/airut/blob/main/doc/network-sand...</a></p>
]]></description><pubDate>Tue, 24 Feb 2026 06:31:58 +0000</pubDate><link>https://news.ycombinator.com/item?id=47133573</link><dc:creator>hardsnow</dc:creator><comments>https://news.ycombinator.com/item?id=47133573</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47133573</guid></item><item><title><![CDATA[Show HN: Airut – Sandboxed Claude Code over Email and Slack]]></title><description><![CDATA[
<p>I built Airut as an experiment - could email be a good fit for talking to a coding agent? Turns out that the answer is yes, at least for me personally - I immediately moved almost all of my development to happen exclusively over email.<p>Email is perfect fit for async long-form conversation, naturally threaded, and with excellent UX across platforms. Each email thread becomes a Claude Code session within automatically created sandboxed workspace. Working on multiple things in parallel requires no additional thought - they just exist as independent email threads in your inbox. Friction to start a new task is what I would consider zero - just send an email (without having to worry about a human judging your poor grammar even!)<p>I recently added slack support as well, inspired by Spotify’s “Honk”. Slack having native threading maps to Airut’s model reasonably well. Although I wish Slack had better UX for switching between threads.<p>Airut works best when the project is set up for agentic development and the agent has necessary access to push code for review. I’ve tried to make this possible securely; Airut for example has “masked secrets” feature where the container running Claude Code doesn’t hold the real authentication tokens, only look-alike surrogates which are swapped to real ones on the way out by a proxy.<p>Project is open-source (MIT) and should be straightforward to set up on a Linux machine or VM. I’d love to hear feedback about the conceptual model and the sandboxing implementation.</p>
<hr>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=47101752">https://news.ycombinator.com/item?id=47101752</a></p>
<p>Points: 1</p>
<p># Comments: 0</p>
]]></description><pubDate>Sat, 21 Feb 2026 15:39:03 +0000</pubDate><link>https://github.com/airutorg/airut</link><dc:creator>hardsnow</dc:creator><comments>https://news.ycombinator.com/item?id=47101752</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47101752</guid></item><item><title><![CDATA[New comment by hardsnow in "NanoClaw solves one of OpenClaw's biggest security issues"]]></title><description><![CDATA[
<p>Container isolation is a good foundation, but one layer worth adding is network sandboxing. A filesystem-sandboxed agent can still exfiltrate data over the network if it gets prompt-injected — domain allowlists and egress filtering can reduce the risk significantly.<p>Another useful primitive is surrogate credentials: the agent never handles real API keys or tokens. A proxy swaps in real values only for scoped hosts on the way out. This keeps the access the agent has locked inside the container; surrogate credentials are not valid outside.<p>My Claude Code over email project demonstrates both of these: <a href="https://github.com/airutorg/airut" rel="nofollow">https://github.com/airutorg/airut</a></p>
]]></description><pubDate>Wed, 11 Feb 2026 18:11:12 +0000</pubDate><link>https://news.ycombinator.com/item?id=46978552</link><dc:creator>hardsnow</dc:creator><comments>https://news.ycombinator.com/item?id=46978552</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46978552</guid></item><item><title><![CDATA[Show HN: Airut – Sandboxed Claude Code sessions over email]]></title><description><![CDATA[
<p>I built Airut to solve the friction I hit while switching to an agent-first workflow.<p>With the latest models and a solid CLAUDE.md, I could reliably go from prompt to PR using Claude Code with --dangerously-skip-permissions. But that left me with two problems:<p>1. <i>Safety</i>: Running permissive mode on my host machine felt reckless. I needed real sandboxing — not just a container, but network isolation too.<p>2. <i>Session management</i>: I needed a way to run multiple long-running Claude Code sessions without juggling terminals.<p>I realized the ideal interaction model matches email: asynchronous, threaded, long-form. So I built a service that runs headless Claude Code inside rootless Podman containers, mapping email threads to agent sessions.<p>The security model goes beyond container isolation. All network traffic routes through an mitmproxy instance that enforces a per-repo allowlist — the agent can only reach pre-approved hosts. Credentials use a masked secrets system where containers get surrogate tokens; real values are swapped in by the proxy only for scoped hosts. Even if the agent is compromised via prompt injection, exfiltration paths are significantly constrained.<p>Today I develop two large projects (plus Airut itself) almost exclusively over email. I send a task, the agent works in its sandbox, and I get a PR to review. And I often do this from my phone while on the go.<p>Compared to OpenClaw, Airut is more opinionated — email-only, Claude-only, git-native — with a deeper sandbox (network allowlist, masked secrets, DNS exfiltration protection). Compared to enterprise agents, there's no issue tracker or web UI to fight with.<p>It's open source (MIT) and self-hosted. I'd love feedback on the security model and whether this async email workflow resonates.</p>
<hr>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=46947714">https://news.ycombinator.com/item?id=46947714</a></p>
<p>Points: 2</p>
<p># Comments: 0</p>
]]></description><pubDate>Mon, 09 Feb 2026 17:04:14 +0000</pubDate><link>https://github.com/airutorg/airut</link><dc:creator>hardsnow</dc:creator><comments>https://news.ycombinator.com/item?id=46947714</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46947714</guid></item><item><title><![CDATA[New comment by hardsnow in "Meta Quest Pro – Bad AR Passthrough"]]></title><description><![CDATA[
<p>As someone with first-hand experience in implementing pass-through AR, I found the review well-made (e.g., they measured photon-to-photon latency) and extremely interesting. Here's a few observations I made:<p>1. 30 Hz frame rate and 50ms photon-to-photon latency sound so bad that I'm surprised they launched this at all. I would be very interested in trying this out to see how (un)comfortable the experience is. What I would have expected is pass-through feed rate synchronized to display frame rate (i.e., 90 Hz) and photon-to-photon latency no more than perhaps 2 frames (22ms). At 90 Hz and 11ms you can actually play ping-pong while wearing a pass-through headset.<p>2. I can relate with the exposure, saturation, and noise issues. The existing well-tuned video ISP pipes aren't suitable for low latency, and building a new one that achieves low latency and gives a good picture in indoor lighting from an essentially smartphone sensor with exposure time < 11ms and doesn't add multi-frame latency is HARD.<p>3. Above points to one possible explanation for the 30Hz capture; maybe they used a cheap sensor that can't produce usable picture in < 11ms exposure time (in dimly lit indoor environment) and thus had to go with 30Hz capture. Would be interesting to repeat the experiment in well-lit (outdoor) environment to see if the capture pipe kicks into a higher framerate.<p>4. I wonder if they do any warping to correct for the camera positions and how well that works. For AR-focused headset the ideal pass-through camera positions would approximate eye positions to minimize need for distortion. Even shifting capture positions a few centimeters forward from the eyes (which you'd need to do if you don't replace eyes with cameras or play tricks with optics) creates a subtle but noticeable effect unless corrected.</p>
]]></description><pubDate>Wed, 04 Jan 2023 14:26:48 +0000</pubDate><link>https://news.ycombinator.com/item?id=34245824</link><dc:creator>hardsnow</dc:creator><comments>https://news.ycombinator.com/item?id=34245824</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=34245824</guid></item></channel></rss>