Show HN: I built a smart proxy so your coding agent can run loose A developer built trollbridge, a smart proxy that enforces HTTP-level policies on coding agents, with an optional LLM advisor for held requests. The tool logs all decisions and falls back to human approval when the advisor is uncertain, aiming to give developers safe but unrestricted agent access. Isn't this just mitmproxy with extra steps? mitmproxy is an interception toolkit; trollbridge is a policy-enforced gateway. You could build trollbridge on top of mitmproxy in a weekend — the parts that take longer are the rule engine, the optional LLM advisor, the JSONL audit log with per-request correlation, and the approval TUI. Operationally, you set HTTPS PROXY once and forget it; there's no Python deployment story. Why an LLM in the proxy path — isn't that slow or expensive? The advisor only ever sees what policy holds . Your inline allow/deny lists settle the bulk of traffic at the wire, before any model is consulted. When a request is held — that's default-ask mode, or a rule that returns ask llm — a configured advisor classifies it against your lists and, if it's confident, resolves it; low-confidence or unreachable verdicts fall to the operator queue instead of auto-allowing. It's off unless you configure one, so most setups never call a model at all. What happens when the LLM advisor is wrong? Every LLM verdict is written to the audit log alongside the request metadata, the model that decided, and the confidence floor it cleared — grep and jq are the review interface. Below the floor, or when the advisor is unreachable, the decision falls back to the operator approval queue instead of auto-allowing, so close calls land in front of a human. How is this different from gVisor, firejail, or Bubblewrap network policy? Those gate egress at the kernel boundary — binary allow/deny by destination IP or port. trollbridge gates at HTTP semantics: host and port for HTTPS by default, plus path/method/query/body when TLS interception is on. It also stays out of the file system and the process table entirely. The layers are complementary; run both. Can I run it without sending data to a third-party LLM? Yes — two ways. First, the LLM advisor is off by default: with no advisor block configured and no rule returning ask llm , trollbridge never calls out to a model, decisions stay on the deterministic policy and operator-queue path, and the binary makes zero outbound calls. Second, if you do want the advisor, run your own model — point the advisor endpoint at a local, OpenAI-compatible server Ollama, vLLM, llama.cpp, and friends so the judgment runs on hardware you control and request data never leaves your network.