AI agent code execution

Run the code your agent writes. Safely.

Agents generate code you have never seen. crucible runs it in a hardware-isolated Firecracker microVM that boots in about a second, captures the output, and vanishes on exit. Your host, your keys, and your network stay untouched.

  • KVM isolation
  • ~1 s cold boot
  • 27 MCP tools
  • default-deny network
agent@host · crucible run

why a VM, not a container

Isolation you can explain in one sentence

Each run is a real virtual machine with its own kernel, not a namespace sharing yours.

01

Own kernel, not a namespace

A container escape is a shared-kernel bug. Here there is no shared kernel to escape: each guest runs under Firecracker and jailer with its own kernel.

Firecracker + jailer
02

Locked down by default

No network unless you allow it. Even with full egress, cloud metadata and RFC1918 stay blocked. Resource caps and a timeout kill runaways.

default-deny · SSRF-safe
03

Disposable by design

One command creates it, one removes it, a daemon restart drops it. No cleanup script, no residue on your box.

crucible rm

three ways to run it

Fits however your stack already works

one-shot

Run and capture

Boot an image, run a command, get the output, tear down.

$ OUT=$(crucible run python:3.12 -- \
    python -c 'print(6*7)')
$ echo "$OUT"
42

long-lived

Keep a session

Create once, exec many times, push files in with cp.

$ SBX=$(crucible run node:22)
$ crucible cp ./workspace $SBX:/app
$ crucible exec $SBX -- npm test

agent-native

Straight from MCP

Give any MCP agent create, exec, and file tools it cannot widen.

# 27 tools, scoped & policy-gated
create_sandbox -> exec ->
read_file -> delete
# the operator sets the ceiling

one command on a Linux + KVM box

Give your agent a computer you can throw away.

Install the daemon, hand your agent a sandbox tool, and let it run whatever it writes. The blast radius is a microVM.

$ curl -fsSL https://github.com/gnana997/crucible/releases/latest/download/install.sh | sudo bash -s -- --with-deps --enable