IdeaWell

Project ideas from Hacker News discussions.

The browser is the sandbox

Original Article

Hacker News Discussion

📝 Discussion Summary (Click to expand)

1. The browser can be a trusted sandbox for AI agents
Many commenters praise the maturity of browser sandboxing and its suitability for running untrusted code.

“What I find most compelling about this framing is the maturity argument. Browser sandboxing has been battle‑tested by billions of users clicking on sketchy links for decades.” – augusteo
“The browser sandbox is incredible for isolated code execution, but I've found it tricky for 'local agent' workflows where you actually want the LLM to use the host CLI or filesystem, just safely.” – jacobgadek

2. The File System Access API (and directory input) is a game‑changer
The ability to give a web app read‑write access to a whole folder is a recurring point of excitement and debate.

“The folder input thing caught me off guard too when I first saw it.” – augusteo
“The Fily System Access API is the best thing that happened to the web in years.” – mg

3. Browser sandbox vs. containers/VMs – trade‑offs and limitations
Several voices weigh the pros and cons of using the browser instead of Docker, Firecracker, or a dedicated VM.

“For a lot of AI coding tasks that's actually fine. For others it's a dealbreaker.” – augusteo
“If you want to run a full OS or something like WebContainers in the user's browser is the way, I think you need to build a slightly custom runtime for this type of local agentic environment.” – blixt

4. Historical context: plugins, Flash, and the evolution of web sandboxing
The discussion often references the legacy of NPAPI, Flash, and how modern browsers have moved away from plugin‑based sandboxing.

“There are external sandbox escapes such as Adobe Flash, ActiveX, Java Applet and Silverlight… but those external escapes are often another sandbox of its own.” – stevefan1999
“The browser sandbox is incredible for isolated code execution, but I've found it tricky for 'local agent' workflows…” – jacobgadek (echoing the same caution that older plugin sandboxes were fragile).

These four themes capture the core of the conversation: the promise of browser‑based isolation for AI tools, the power of the new file‑system APIs, the practical limits compared to traditional containers, and the lessons learned from the browser’s plugin past.

🚀 Project Ideas

Co‑Do Lite

Summary

  • A browser‑based sandbox that lets users run local code, AI agents, and CLI tools with persistent read‑write access to a chosen directory, regardless of browser.
  • Core value: eliminates the need for separate desktop apps or complex permission juggling, while keeping all execution inside the browser sandbox.

Details

Key Value
Target Audience Non‑developer users building AI‑powered workflows, small teams needing local code execution.
Core Feature WebAssembly runtime + polyfilled File System Access API that persists permissions across Chrome, Edge, Safari, Firefox; UI for selecting a directory and launching agents.
Tech Stack WebAssembly (WASI), Rust/AssemblyScript, IndexedDB for permission cache, Service Workers for offline support.
Difficulty Medium
Monetization Revenue‑ready: $9/month per user for premium features (advanced agent templates, analytics).

Notes

  • HN commenters lament “no persistent permissions” and “Safari/Firefox lack support” (e.g., modeless, mg).
  • The tool would let users “select a directory and let AI get to work inside of it” without manual downloads, directly addressing mg’s praise of the File System Access API.
  • Discussion potential: how to balance security with usability, and whether browsers should expose more APIs.

DirPicker.js

Summary

  • A lightweight JavaScript library that normalizes directory selection across all major browsers, providing a single API for webkitdirectory, <input type="file" webkitdirectory>, drag‑and‑drop, and the File System Access API.
  • Core value: removes the “developer education problem” and “cross‑browser inconsistencies” highlighted by cxr and modeless.

Details

Key Value
Target Audience Web developers building file‑centric web apps (e.g., code editors, media managers).
Core Feature Unified selectDirectory() promise that returns a virtual file tree; handles permission persistence, fallbacks, and error reporting.
Tech Stack Vanilla JS, polyfills, optional TypeScript typings, small bundle (~10 KB).
Difficulty Low
Monetization Hobby (open source, optional donation).

Notes

  • Addresses cxr’s frustration that “the last holdout on allowing the filepicker to accept a full directory” was Safari.
  • Enables projects like Co‑Do to work out of the box on all browsers.
  • Could spark discussion on browser API standardization.

AgentGuard

Summary

  • A lightweight local sandbox that runs AI agents in a minimal container (Firecracker or Bubblewrap), exposing only whitelisted CLI tools and a secure, FUSE‑backed file system.
  • Core value: gives developers a “confused‑deputy‑free” way to let LLMs use local tools without risking system compromise, addressing jacobgadek’s concerns.

Details

Key Value
Target Audience Developers building AI‑powered local assistants, CI pipelines, or automation tools.
Core Feature CLI wrapper that launches an agent in a sandbox, enforces egress filtering, loop detection, and tool whitelisting; integrates with local FS via FUSE.
Tech Stack Go (for CLI), Firecracker/Bubblewrap, FUSE, Docker‑like image format for agent bundles.
Difficulty High
Monetization Revenue‑ready: $49/month per installation for enterprise support and advanced policy engine.

Notes

  • Directly responds to jacobgadek’s “process supervisor” idea but with a ready‑made, open‑source package.
  • Provides a practical alternative to running full VMs or relying on browser sandbox for local tool access.
  • Discussion potential around policy language, integration with existing CI/CD tools.

ClickTrace

Summary

  • A browser extension that captures click events, timestamps, target elements, and DOM mutations across tabs without injecting heavy scripts, using the browser’s debugging protocol.
  • Core value: solves the need to record user interactions for analytics or debugging while respecting privacy and avoiding script injection, as requested by sdoering.

Details

Key Value
Target Audience Product managers, UX researchers, web developers needing interaction logs.
Core Feature Background script that listens to the DevTools Protocol, logs events to a local IndexedDB, and exports CSV/JSON.
Tech Stack Chrome/Firefox extension APIs, DevTools Protocol, TypeScript.
Difficulty Medium
Monetization Hobby (open source, optional paid analytics dashboard).

Notes

  • Addresses sdoering’s desire for “click metadata without injecting my own JS.”
  • Provides a lightweight alternative to Hotjar/FullStory for privacy‑conscious teams.
  • Could spark debate on the limits of cross‑origin event capture and privacy implications.

Read Later