firebox

Personal microVM sandbox-as-a-service. Spin up isolated Firecracker microVMs from Python or any MCP-aware agent, drive a real Chromium inside, throw them away when done.

```mermaid
flowchart LR
    A["Your client / agent / MCP"] -- HTTP + bearer --> D["firebox-daemon"]
    D --> V1["microVM"]
    D --> V2["microVM"]
    D --> V3["microVM"]
    V1 -.fbr0 NAT.-> Net((Internet))
    V2 -.fbr0 NAT.-> Net
    V3 -.fbr0 NAT.-> Net

    classDef sandbox fill:#ff7043,stroke:#bf360c,color:#fff
    class V1,V2,V3 sandbox
```

What you get

  • ~170 ms cold start on bare-metal KVM
  • Real isolation — each sandbox is a Firecracker microVM with its own kernel, RAM, rootfs, and network namespace
  • One Python SDK that talks HTTP — no SSH, no Playwright on the caller
  • Multi-tenant from day one — per-token quotas, scoped sandbox visibility, admin / user roles
  • MCP server so Claude Desktop, Cursor, or any MCP-aware agent gets 60+ native tools the moment you point it at the daemon
  • Manus-grade browser surface: view() returns markdown + indexed elements + annotated screenshot in one call, walks cross-origin iframes, waits for network-idle. click_idx / input_idx / select_option_idx for index-based action. Diff-since-last-view cuts session tokens 5–10×. Network capture lets agents read XHR responses directly instead of scraping the DOM.
  • Stealth-by-default browser — passes bot.sannysoft.com fingerprint checks, real-Chrome TLS via curl_cffi, audio + image-grid captcha solvers
  • OS-level input via xdotool (sb.os.click/type/key/screenshot) for native dialogs and computer-use models
  • Live noVNC stream URL: sb.stream.start() returns a URL the user opens in a browser tab to watch the agent work
  • Multi-session shells with stdin write — sb.shells.start("dev", "npm run dev"), then view, write, wait, kill
  • Public URL for sandbox services: sb.ports.expose(8000) installs DNAT and returns a public URL the agent can hand the user
  • Aggregated search without API keys — SearxNG fan-out across ~200 engines, sb.search.web/news/papers/code/images/videos/wiki/maps

Two-minute version

On a KVM-capable Linux box:

```bash
curl -fsSL https://raw.githubusercontent.com/LovroK23/firebox/main/scripts/firebox-host-bootstrap.sh \
  | sudo bash
# → prints token + endpoint
```

From any laptop / server:

```bash
pip install git+ssh://git@github.com/LovroK23/firebox.git
export FIREBOX_URL=https://firebox.example.com
export FIREBOX_TOKEN=<the-secret-printed-above>
firebox doctor
```

And you're cooking:

```python
from firebox.sandbox import Sandbox

with Sandbox.create(template="browser-use", ttl_seconds=600) as sb:
    sb.browser.start()
    sb.browser.navigate("https://example.com", wait_for_load="networkidle")

    # The Manus / browser-use agent loop:
    obs = sb.browser.view()              # markdown + indexed elements + screenshot
    button_idx = next(e["idx"] for e in obs["elements"] if "More" in e["text"])
    sb.browser.click_idx(button_idx)     # act by index, no CSS selectors
```
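
The bootstrap step above pipes a script fetched from the main branch straight into a root shell, so what runs can differ from what you reviewed. As an added example (not code from the firebox project), the wrapper below downloads the script to a file, checks it against a SHA-256 digest you recorded when you reviewed it, and only then runs it; `verify_script`, `fetch_and_run` and the digest placeholder are assumptions, and `sha256sum` is assumed to be present on the Linux host.

```bash
# Added example (not from the firebox project): fetch the bootstrap script,
# check it against a digest you recorded when you reviewed it, then run it.
BOOTSTRAP_URL="https://raw.githubusercontent.com/LovroK23/firebox/main/scripts/firebox-host-bootstrap.sh"

# verify_script FILE EXPECTED_SHA256
# Succeeds only if FILE is non-empty and its SHA-256 equals the pinned digest.
verify_script() {
  local file expected actual
  file="$1"; expected="$2"
  [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 1; }
  # Reject a malformed pin so an unset variable can never "match".
  case "$expected" in
    ""|*[!0-9a-fA-F]*) echo "pin is not a hex digest" >&2; return 1 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "pin is not 64 hex chars" >&2; return 1; }
  expected="$(printf '%s' "$expected" | tr 'A-F' 'a-f')"
  actual="$(sha256sum "$file" | cut -d' ' -f1)"
  [ "$actual" = "$expected" ] || {
    echo "digest mismatch: got $actual" >&2
    return 1
  }
}

# fetch_and_run URL EXPECTED_SHA256
# Downloads to a temp file (never a pipe), verifies, and only then runs as root.
fetch_and_run() {
  local url expected tmp rc
  url="$1"; expected="$2"
  tmp="$(mktemp)" || return 1
  # --proto '=https' allows HTTPS only; -f fails on HTTP error responses.
  if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url" ||
     ! verify_script "$tmp" "$expected"; then
    echo "refusing to run unverified bootstrap script" >&2
    rm -f "$tmp"
    return 1
  fi
  rc=0
  sudo bash "$tmp" || rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Usage (the digest is a placeholder; the page does not publish one):
#   fetch_and_run "$BOOTSTRAP_URL" "<sha256-recorded-at-review>"
```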

Where to next?


  • Spin up your first sandbox end-to-end in five minutes.
  • Every capability with a 5-line example: run, stream, files, browser, http, search, audio, captcha.
  • Worked patterns: web research, code interpreter, scraping, lead-gen, multi-turn sessions, MCP plug-in.
  • Daemon, in-VM agent, network bridge, registry. The whole flow.
  • Deploy the daemon on your own KVM box.
  • Multi-tenant access, scoped sandboxes, resource caps.
  • Every CLI subcommand, the full SDK surface, all 60+ MCP tools.