Show HN: Afterburner – Capability-Sandboxed JavaScript/TS Runtime in Rust
Show HN (score: 6)
Description
Scripts run locked down by default: no network, no filesystem, no environment variables. You explicitly grant whatever access a script actually needs, and every call gets hard caps on CPU, memory, and time.
The goal isn't to replace your existing stack. It's to fit cleanly into it:
- Embed a JS/TS engine in your Rust app with a single crate. Run user scripts, plugins, business rules, or edge logic, each call fully sandboxed.
- Wrap the tools you already use. Commands like `burn node app.js`, `burn npm test`, `burn bun`, `burn deno run`, and `burn npx tsx` run your existing toolchain under the sandbox.
- Take an unmodified Express, Fastify, or Hono app and run it with zero ambient I/O and a memory ceiling. No code changes needed.
- Use the built-in registry at registry.afterburner.sh. Publish with `burn publish`, install with `burn install` or `burn add`; dependencies are pinned by content digest. Every package ships with a capability manifest, so installed code is sandboxed by default. It also interops with npm, so you can still pull in npm libraries as needed.

Since nothing gets ambient authority, it's also just a clean, practical way to run untrusted code without having to cross your fingers and hope.
Repo: https://github.com/afterburner-sh/afterburner
Site: https://afterburner.sh
Registry: https://registry.afterburner.sh
The full walkthrough (how it works, what it can do, and benchmarks hitting up to ~16.8M rows/sec) is all in one post. It's the best place to start: https://vertexclique.com/blog/burn-after-reading/
One licensing note: it's source-available under BSL-1.1, which automatically converts to Apache-2.0 four years after each release. Free to use for your own projects, so go build something.