agent-driven browsing

Let your agent loose on the hostile web. Your machine never touches it.

crucible runs headless browsers inside disposable microVMs with SSRF-safe egress. The whole public internet goes in. Nothing reaches your host, your LAN, or your cloud metadata. By construction, not by policy.

  • KVM-isolated
  • ~125 ms warm fork
  • 27 MCP tools
  • 0 host exposure
agent@sandbox · --net-full-egress

two walls, not one

Everyone can box a browser. Almost nobody walls the network too.

A prompt-injected agent, a drive-by exploit, a page that phones home to your cloud metadata: crucible stops all three at two independent layers.

01 · machine

The VM is the wall

The browser, the exploit, the agent: all run inside a Firecracker microVM with its own kernel, under jailer. A KVM-enforced boundary, not a shared-kernel namespace. Done exploring? crucible rm and the whole machine is gone.

Isolation: Firecracker + jailer · own kernel · disposable
02 · network

So is the network

Open the entire public internet with one flag, and the sandbox still can't reach 169.254.169.254, link-local, or any RFC1918 address. The metadata-exfil attack every browser-agent tutorial waves away is structurally impossible here.

Egress: --net-full-egress · metadata / link-local / RFC1918 blocked

the containment chamber

Danger flows in. It doesn't flow back.

untrusted

The hostile web

Arbitrary sites, exploits, injected prompts, malware.

contained

microVM

Headless browser + your agent, own kernel.

SSRF filter · own netns
protected

Your host

Untouched. No path in. LAN & metadata unreachable.

three ways in

Playwright, Patchright, any headless browser.

It's a stock Linux microVM, so Chromium and Firefox run headless out of the box. Drive it however your stack already works.

host-side

Drive it over CDP

Your agent code stays on your machine. The browser (and the danger) stays in the box.

# browser in the VM, published on a port
$ crucible run mcr.microsoft.com/playwright \
    -p 9222:9222 --memory 2048 --net-full-egress

// connect from the host
const b = await chromium.connectOverCDP(
  'ws://localhost:9222')

fork-native

A warm session pool

Snapshot one warmed-up browser, fork independent sessions in ~125ms each, with its own netns and identity.

$ SNAP=$(crucible snapshot create $SBX)

# 50 isolated sessions, near-instant
$ crucible fork $SNAP --count 50

# each: fresh RNG + machine-id,
# cannot see or corrupt the others

agent-native

Straight from MCP

Point Claude or any MCP client at the daemon. Create, exec, capture traffic, destroy. No glue code.

# 27 tools, scoped & policy-gated
create_sandbox -> exec ->
capture (pcap) -> delete

# see what the page tried to reach
$ crucible sandbox capture $SBX

the wedge

Hosted browser infra, without the host.

The same disposable-browser primitive the SaaS platforms sell, running on your own metal, with your data never leaving it.

[+] Self-hosted

Your hardware, your network, your data. No third party sees the sessions your agents run.

[+] Free & open

Apache-2.0, one static Go binary. Fork it, audit it, ship it. No seats, no metering.

[+] Fork-native

Warm a browser once, fork hundreds. No shared-kernel container branches running state like this.

[+] Safe by default

Default-deny egress, SSRF range-filtering, KVM isolation, so the secure path is the easy path.

one command on a Linux + KVM box

Give your agents a computer they can't use to hurt you.

Install the daemon, boot a browser image, hand it to your agent. The blast radius is a microVM you throw away.

$ curl -fsSL https://github.com/gnana997/crucible/releases/latest/download/install.sh | sudo bash -s -- --with-deps --enable