The first complete AI agent harness
native to the browser.

The browser is the runtime. Temporal awareness, the DOM, process isolation, hardened cryptography, real session state, voice input, local inference. The browser is the hypervisor. Real Linux VMs running in WebAssembly, each in its own tab — parallel, labeled, visible — for shell access and server-side code.

peerd is your AI peer.

No app to install. No server. No janky browser MCP.

install peerd view on github →
01 — what it is, what it isn't

Native AI apps drive your browser from outside.
peerd lives inside it.

peerd is a browser extension that turns your browser into an AI agent harness. It reads pages, clicks links, fills forms, and runs shell commands in real Linux VMs running in WebAssembly. Bring your own model — no service, no subscription, no middleman.

01.

Not a cloud AI browser.

Comet, Atlas, Brave Leo, Dia ask you to switch your default browser to theirs. peerd is an extension — it plugs into the browser you already use, with the tabs and sessions you already have.

02.

Not a terminal harness.

Claude Code, OpenCode, Hermes, Aider live in your terminal. They can't reach the page you're looking at, fill the form on your screen, or use the session you logged into. peerd lives in the browser; everything the browser sees, the agent sees.

03.

Not a browser-driving agent.

Playwright MCP, browser-use, BrowserBase orchestrate a fresh browser through external automation — slow, fragile, none of your real session state. peerd is the browser; agent and page share a process and a memory.

04.

Not a cloud operator.

ChatGPT Operator and Anthropic's Computer Use run in datacenters with their own browsers and their own credentials. peerd runs locally with yours. Your conversation, sessions, and API key never leave your machine.

02 — why the browser

The browser
is the runtime, and the hypervisor.

Cloud AI browsers ask you to switch your default. Native agent apps install an app and drive a browser from outside through Playwright-style automation — never inheriting the logins, cookies, or tabs you already have. Both reimplement what the browser already does — session state, the DOM, hardware access — only worse.

A browser-native harness doesn't just run in the browser. It uses the browser — as a runtime, as a hypervisor, as a security model. That's the bet.

// peerd inherits:

The Chrome sandbox.

Cloud agents invent their own isolation model. peerd inherits Chrome's — process isolation, same-origin policy, the renderer sandbox. Fifteen years of hardening against actually-hostile websites, applied to your agent. We didn't build it. We use it.

A Linux VM, via WebAssembly.

Not a remote shell. Not a fake terminal. A real sandboxed Linux VM, compiled to WebAssembly, running entirely in your browser. Each VM is a tab — own name, own context, watchable, killable, attachable from any chat session. Spin up several in parallel; the agent addresses them by label. Network follows the web model: HTTPS to any host on your allowlist works (git, pip, npm, curl, every cloud API), raw sockets don't exist. The agent cannot port-scan or SSH out by browser design.

Your sessions.

The agent inherits everything you're logged into. No OAuth dance, no credential storage, no session pools. Scoped by a denylist that protects your bank, healthcare, and password manager from day one.

The DOM.

The DOM is to peerd what LSP is to a coding agent. The accessibility tree, mutation observers, ARIA roles, computed styles — semantic structure, not scraped HTML. The agent reads the page the way the browser reads it, because it is in the browser.

Hardened cryptography.

Terminal agents ship crypto libraries, manage OS keychains, or hand-roll secret storage. peerd inherits. AES-GCM via WebCrypto encrypts the vault. WebAuthn passkeys unlock it with a touch. Subresource integrity verifies every model and plugin download. Origin isolation keeps the extension's storage off-limits to pages. peerd doesn't write a line of crypto — the browser does.

Voice input.

Click the mic icon next to any text input and start talking. Transcription runs locally via Moonshine over WebGPU — audio never leaves your device. Terminal agents can't ship voice without a server upload or a separate native helper. peerd just listens.

And more, on the roadmap.

Hardware APIs — Bluetooth, USB, Serial, HID, NFC. Talk to a 3D printer, read a Yubikey, control a smart lamp. Local inference — WebGPU runs models in the same JS context, no network call at all. Peer-to-peer messaging — WebRTC between agents in different browsers, federated swarms with no relay. The name isn't an accident.

soon — on the roadmap
vm_run — sandboxed linux, in your browser via webassembly 
agent@peerd:~/work$ curl -s https://api.example.com/orders.csv | head -n 1
order_id,sku,qty,unit_price,total

agent@peerd:~/work$ python3 - <<'EOF'
import pandas as pd
df = pd.read_csv('https://api.example.com/orders.csv')
print(df.groupby('sku')['total'].sum().nlargest(3))
EOF
sku
WIDGET-A    18420.00
GIZMO-B     12380.50
WIDGET-C     9120.75
Name: total, dtype: float64

agent@peerd:~/work$
~/.peerd/skills/pr-review.peerd-skill.md roadmap · skills 
---
name: pr-review
applies-to: github.com
expose-tools: [read_page, vm_run, click, type]
allow-origins: [https://api.github.com]
---

# Review a pull request

When the user asks for a PR review:

1. Read the PR description and changed files from the page.
2. Clone the repo into the VM and run the test suite.
3. Post structured feedback as a single review comment.
03 — security

peerd inherits the browser's security model.
We added five layers for the agent.

Webpages can carry hidden instructions designed to hijack the agent — read this token, summarize that inbox, exfiltrate a cookie. We don't try to solve this in one place. Each layer below assumes the ones above it might fail.

Egress allowlist.

The extension can only make network calls to the model API you configured. Even if the agent is fully prompt-injected, your conversation can't leave your machine.

Sensitive-site denylist.

Hundreds of banks, healthcare portals, password managers, and identity providers pre-blocked from agent access. Fully editable.

Per-session trust modes.

Open, Scoped, Paranoid. Pick how much rope the agent gets before it asks for confirmation. Surfaced persistently in the UI so you always know what you authorized.

Confirmation gates.

Form submits, downloads, cross-origin requests — none happen without your sign-off. Bypassable only by you, never by the model.

Prompt-injection quarantine.

Web content is wrapped as untrusted data, not instruction. The model treats injected text as content to read, not commands to follow.

Some of the above are policies. The most important ones are structural: peerd's VM cannot open raw sockets, cannot port-scan, cannot SSH out, cannot pivot to your local network, cannot maintain a custom command-and-control channel — because browsers don't expose raw sockets to any code. Cloud and terminal agents have to enforce this with policy if they enforce it at all. peerd inherits it from the platform.

background/security/egress.js ↳ enforced at every fetch 
// Hard egress allowlist. Even if the agent is fully prompt-injected
// and tries to POST your conversation to an attacker-controlled URL,
// the network layer refuses. Fail closed.
const PROVIDER_ALLOWLIST = Object.freeze([
  'https://api.anthropic.com',
  'http://localhost:11434',   // local Ollama
]);

export const safeFetch = async (resource, init) => {
  const origin = resolveOrigin(resource);
  if (!PROVIDER_ALLOWLIST.includes(origin)) {
    await auditLog({ type: 'egress_denied', origin });
    throw new EgressDeniedError(origin);
  }
  return fetch(resource, init);
};
// no telemetry, ever.
// works without us.
04 — what comes next

The d is for distribution.

Today. peerd is a single agent in your browser. Tomorrow, a federated peer-to-peer network.

WebRTC ships in every modern browser. Two browsers can negotiate a direct connection and exchange arbitrary data — no relay, no server, no platform in the middle. The infrastructure for peer-to-peer is already deployed and battle-tested across five billion devices. The use case for it is here.

AI agents are that use case. As their numbers grow and their capabilities deepen, they'll need ways to find, talk to, and transact with each other. They'll spawn swarms and exit faster than any platform can mediate. An agent economy needs new social networks, new payment rails, new everything — built for peers, not for platforms.

The stack is already there: WebRTC for direct connections, browser-derived cryptographic identity for trust and secure comms, WebTorrent for peer discovery and routing. None of it new. None of it speculative. Together, they enable federated swarms and decentralized web apps that run peer-to-peer, not server-spoke.

The browser is the runtime and hypervisor.
And peerd is the real web 3.0.
We're going to prove it.
05 — questions

The first ones everyone asks.

Where does my data go?

To the model provider you configured. That's it. peerd has no backend. Your conversations, vault contents, and API key never leave your machine except as outbound calls to the model you picked.

Do I need a paid API key?

For V1, yes — peerd uses the Anthropic API and you bring the key. OpenAI support ships in V1.1, Ollama (free, local) in V1.1 as well. Local inference via WebGPU with no API key at all is on the roadmap for V2.

Can the agent see my bank, my email, my password manager?

Not by default. A sensitive-site denylist ships pre-loaded with hundreds of banks, healthcare portals, password managers, and identity providers. Editable from settings. You can also drop the agent into Paranoid mode — nothing happens without explicit per-action confirmation.

How is the Linux VM not a security hole?

The VM runs in WebAssembly inside the browser sandbox. Its network is HTTPS-only, gated by peerd's egress allowlist — same gate the agent itself uses. The VM cannot open raw sockets, port-scan, SSH out, or pivot to your local network, because browsers don't expose raw sockets to any code. Structural, not policy.

How is this different from Claude Code / OpenCode / Hermes?

Those live in your terminal. They can't see the page you're looking at, fill the form on your screen, or use the session you logged into. peerd lives in the browser; everything the browser sees, the agent sees. See section 01 for the full comparison matrix.

Is peerd really open source?

Yes, Apache 2.0. The extension code lives at github.com/peerd/peerd. CLA required for contributions; trademark held by peerd Labs to prevent fork-confusion. The VM engine (CheerpX) is a commercial dependency in V1; we're migrating to v86 (BSD-2-Clause) in V2.1.5 for a fully open stack.

More in the docs FAQ.

06 — install peerd

Add peerd to your browser.

Free, Apache 2.0, no account. Bring your own model key.

Install from the Chrome Web Store.

Add peerd to Chrome →

Works on any Chromium browser — Chrome, Edge, Brave, Arc, Vivaldi.

Firefox support ships in v1.x.

Watch the release →

The extension is built on WebExtensions. Firefox builds will follow Chrome closely.

Build from source.

git clone https://github.com/peerd/peerd.git && cd peerd && npm install && npm run build

Then load the unpacked extension from ./dist in Chrome's extension developer mode. Full docs: docs/.