AI agent code execution
Run the code your agent writes. Safely.
Agents generate code you have never seen. crucible runs it in a hardware-isolated Firecracker microVM that boots in about a second, captures the output, and vanishes on exit. Your host, your keys, and your network stay untouched.
- KVM isolation
- ~1 s cold boot
- 27 MCP tools
- default-deny network
why a VM, not a container
Isolation you can explain in one sentence
Each run is a real virtual machine with its own kernel, not a namespace sharing yours.
Own kernel, not a namespace
A container escape is a shared-kernel bug. Here there is no shared kernel to escape: each guest runs under Firecracker and jailer with its own kernel.
Locked down by default
No network unless you allow it. Even with full egress, cloud metadata and RFC1918 stay blocked. Resource caps and a timeout kill runaways.
Disposable by design
One command creates it, one removes it, a daemon restart drops it. No cleanup script, no residue on your box.
three ways to run it
Fits however your stack already works
one-shot
Run and capture
Boot an image, run a command, get the output, tear down.
$ OUT=$(crucible run python:3.12 -- \
python -c 'print(6*7)')
$ echo "$OUT"
42long-lived
Keep a session
Create once, exec many times, push files in with cp.
$ SBX=$(crucible run node:22) $ crucible cp ./workspace $SBX:/app $ crucible exec $SBX -- npm test
agent-native
Straight from MCP
Give any MCP agent create, exec, and file tools it cannot widen.
# 27 tools, scoped & policy-gated create_sandbox -> exec -> read_file -> delete # the operator sets the ceiling
one command on a Linux + KVM box
Give your agent a computer you can throw away.
Install the daemon, hand your agent a sandbox tool, and let it run whatever it writes. The blast radius is a microVM.
$ curl -fsSL https://github.com/gnana997/crucible/releases/latest/download/install.sh | sudo bash -s -- --with-deps --enable