trollbridge

single binary

Let your agents
run amok.

trollbridge is an HTTP proxy. The amok is local — your agent has free run of your machine. Online, every outbound request goes through an allow list of HTTP servers you control; anything off the list is held for one keystroke.

curl -fsSL https://trollbridge.dev/install.sh | bash

Linux & macOS · amd64 & arm64 · installs to ~/.local/bin · no sudo. View the script.

View on GitHub →

Local: no safeguards. Online: only the servers you allow.

Localhost stays open.

Local MCP servers, your dev database, the model running on your machine — your agent talks to them with no holds, no prompts, no policy fiddling. localhost and 127.0.0.1 are in the default allow list and stay there until you remove them.

Outbound only where you say.

Every HTTP and HTTPS request that leaves your machine is checked against an allow list you write. api.openai.com allowed, *.suspicious.tld denied — decided at the wire, before the request goes out.

Hold the rest for one keystroke.

Anything the allow list doesn't cover pauses at the proxy. Approve in the operator UI with one keystroke; sticky-approve to make it policy without editing a file. Held requests wait — walk away and they're still there in the morning.

All of this assumes the “machine” is a sandbox you control — a VM, a container, an Incus instance. trollbridge gates the wire; the sandbox bounds the file system and processes.

How it works.

Policy.

Inline allow/deny lists handle the obvious cases at the wire. api.openai.com allowed, *.suspicious.tld denied — decided before the request reaches the network.

LLM.

When "is this domain ok?" needs judgment, an LLM advisor reads the request and recommends allow or deny. You stay in the loop with less friction.

Manual.

Anything policy doesn't cover gets held. Approve or deny with a keystroke in the operator UI. Sticky decisions become new policy without you editing a file.

Quickstart.

  1. Install

    curl -fsSL https://trollbridge.dev/install.sh | bash

    User-mode install to ~/.local/bin. No sudo, no system files.

  2. Run & point your agent

    trollbridge quickstart
eval "$(trollbridge env)"

    Starts the proxy on 127.0.0.1:8080 and exports HTTP_PROXY / HTTPS_PROXY for the current shell. Works with any HTTP client.

  3. Approve, deny, observe

    Each held request appears in the operator UI. Approve once or make it sticky. Tail the audit log for a record of every decision.

Ready in 30 seconds.

curl -fsSL https://trollbridge.dev/install.sh | bash

Installs to ~/.local/bin/trollbridge. Verifies SHA256 against the GitHub release. Run install.sh --uninstall to remove.