agent-driven browsing
Let your agent loose on the hostile web. Your machine never touches it.
crucible runs headless browsers inside disposable microVMs with SSRF-safe egress. The whole public internet goes in. Nothing reaches your host, your LAN, or your cloud metadata. By construction, not by policy.
- KVM-isolated
- ~125 ms warm fork
- 27 MCP tools
- 0 host exposure
two walls, not one
Everyone can box a browser. Almost nobody walls the network too.
A prompt-injected agent, a drive-by exploit, a page that phones home to your cloud metadata: crucible stops all three at two independent layers.
The VM is the wall
The browser, the exploit, the agent: all run inside a Firecracker microVM with its own kernel, under jailer. A KVM-enforced boundary, not a shared-kernel namespace. Done exploring? crucible rm and the whole machine is gone.
So is the network
Open the entire public internet with one flag, and the sandbox still can't reach 169.254.169.254, link-local, or any RFC1918 address. The metadata-exfil attack every browser-agent tutorial waves away is structurally impossible here.
the containment chamber
Danger flows in. It doesn't flow back.
The hostile web
Arbitrary sites, exploits, injected prompts, malware.
microVM
Headless browser + your agent, own kernel.
SSRF filter · own netnsYour host
Untouched. No path in. LAN & metadata unreachable.
three ways in
Playwright, Patchright, any headless browser.
It's a stock Linux microVM, so Chromium and Firefox run headless out of the box. Drive it however your stack already works.
host-side
Drive it over CDP
Your agent code stays on your machine. The browser (and the danger) stays in the box.
# browser in the VM, published on a port
$ crucible run mcr.microsoft.com/playwright \
-p 9222:9222 --memory 2048 --net-full-egress
// connect from the host
const b = await chromium.connectOverCDP(
'ws://localhost:9222')fork-native
A warm session pool
Snapshot one warmed-up browser, fork independent sessions in ~125ms each, with its own netns and identity.
$ SNAP=$(crucible snapshot create $SBX) # 50 isolated sessions, near-instant $ crucible fork $SNAP --count 50 # each: fresh RNG + machine-id, # cannot see or corrupt the others
agent-native
Straight from MCP
Point Claude or any MCP client at the daemon. Create, exec, capture traffic, destroy. No glue code.
# 27 tools, scoped & policy-gated create_sandbox -> exec -> capture (pcap) -> delete # see what the page tried to reach $ crucible sandbox capture $SBX
the wedge
Hosted browser infra, without the host.
The same disposable-browser primitive the SaaS platforms sell, running on your own metal, with your data never leaving it.
[+] Self-hosted
Your hardware, your network, your data. No third party sees the sessions your agents run.
[+] Free & open
Apache-2.0, one static Go binary. Fork it, audit it, ship it. No seats, no metering.
[+] Fork-native
Warm a browser once, fork hundreds. No shared-kernel container branches running state like this.
[+] Safe by default
Default-deny egress, SSRF range-filtering, KVM isolation, so the secure path is the easy path.
one command on a Linux + KVM box
Give your agents a computer they can't use to hurt you.
Install the daemon, boot a browser image, hand it to your agent. The blast radius is a microVM you throw away.
$ curl -fsSL https://github.com/gnana997/crucible/releases/latest/download/install.sh | sudo bash -s -- --with-deps --enable