The first complete agent harness
native to the browser.
The browser is the runtime. Temporal awareness, the DOM, process isolation, hardened cryptography, real session state, voice input, and a real Linux VM running in WebAssembly for shell access and server-side code — every primitive the agent needs is already here. Your AI peer, with access to everything you have access to.
No app to install. No janky browser MCP.
// open source. BYOK. client-side. yours to keep.
An agent that uses your tabs
the way you would.
Peerd is a browser extension that turns your browser into an agent harness. It can read pages, click links, fill forms, and even run shell commands in a Linux VM that runs entirely in your browser, compiled to WebAssembly. It stitches all of that into a single task — the way you'd do it yourself, just faster and without losing focus.
Bring your own model. We don't run a service. We don't see your data. We don't sit between you and the provider. There's nothing to subscribe to.
The browser
is the runtime.
Cloud AI browsers ask you to switch your default. Native agent apps install an app and drive a browser from outside through Playwright-style automation — never inheriting the logins, cookies, or tabs you already have. Both reimplement what the browser already does — session state, the DOM, hardware access — only worse.
A browser-native harness inherits all of it, for free. That's the bet.
// peerd inherits:
The Chrome sandbox.
Cloud agents invent their own isolation model. Peerd inherits Chrome's — process isolation, same-origin policy, the renderer sandbox. Fifteen years of hardening against actually-hostile websites, applied to your agent. We didn't build it. We use it.
A Linux VM, via WebAssembly.
Not a remote shell. Not a fake terminal. A real sandboxed Linux VM, compiled to WebAssembly, running entirely in your browser. The agent can write a script, run it, parse the output, and act on it — without ever touching a server.
Your sessions.
The agent inherits everything you're logged into. No OAuth dance, no credential storage, no session pools. Scoped by a denylist that protects your bank, healthcare, and password manager from day one.
The DOM.
The DOM is to peerd what LSP is to a coding agent. The accessibility tree, mutation observers, ARIA roles, computed styles — semantic structure, not scraped HTML. The agent reads the page the way the browser reads it, because it is in the browser.
Temporal grounding.
Tab focus, idle state, system sleep, navigation — the browser is continuously observing real time. Peerd surfaces a spartan temporal block to the model on every turn. The agent has a sense of time because something with a sense of time is hosting it.
Hardened cryptography.
Terminal agents ship crypto libraries, manage OS keychains, or hand-roll secret storage. Peerd inherits. AES-GCM via WebCrypto encrypts the vault. WebAuthn passkeys unlock it with a touch. Subresource integrity verifies every model and plugin download. Origin isolation keeps the extension's storage off-limits to pages. Peerd doesn't write a line of crypto — the browser does.
Voice input.
Click the mic icon next to any text input and start talking. Transcription runs locally via Moonshine over WebGPU — audio never leaves your device. Terminal agents can't ship voice without a server upload or a separate native helper. Peerd just listens.
Hardware APIs.
Bluetooth, USB, Serial, HID, NFC — every Web hardware API is a primitive the agent can use. Talk to a 3D printer, read a Yubikey, control a smart lamp. From inside the browser.
soon — on the roadmapLocal inference.
WebGPU runs models in the browser. Not "localhost Ollama" — inside the same JS context, with no network call at all. The privacy fallback no other harness can match.
soon — on the roadmapPeer-to-peer messaging.
WebRTC means two agents on different browsers can negotiate and trade directly, no servers, no relay. Federated swarms of true peer AIs using the most robust P2P comms protocol in the world. The name isn't an accident.
soon — on the roadmapagent@peerd:~/work$ curl -s https://api.example.com/orders.csv | head -n 1 order_id,sku,qty,unit_price,total agent@peerd:~/work$ python3 - <<'EOF' import pandas as pd df = pd.read_csv('https://api.example.com/orders.csv') print(df.groupby('sku')['total'].sum().nlargest(3)) EOF sku WIDGET-A 18420.00 GIZMO-B 12380.50 WIDGET-C 9120.75 Name: total, dtype: float64 agent@peerd:~/work$ ▊
--- name: pr-review applies-to: github.com expose-tools: [read_page, vm_run, click, type] allow-origins: [https://api.github.com] --- # Review a pull request When the user asks for a PR review: 1. Read the PR description and changed files from the page. 2. Clone the repo into the VM and run the test suite. 3. Post structured feedback as a single review comment.
Native agent apps drive your browser from outside.
Peerd lives inside it.
Inside the browser. Not outside it.
Cloud AI browsers ask you to switch your default. Native agent apps drive a browser from outside, never inheriting your actual session. Peerd is a browser extension — part of the browser, with your tabs, sessions, and logins from day one.
A real Linux box.
Yes — really. Sandboxed Linux, compiled to WebAssembly, running in your browser. The agent can write a script, run it, parse the output, and act on it. No remote machines. No container service. Just vm_run and the answer.
Built like a tool, priced like one.
Bring your own API key. No subscription. No usage caps we control. Pay your provider directly. Use whatever model fits the task — frontier for hard problems, cheap for routine ones.
Peerd inherits the browser's security model.
We added five layers for the agent.
Webpages can carry hidden instructions designed to hijack the agent — read this token, summarize that inbox, exfiltrate a cookie. We don't try to solve this in one place. Each layer below assumes the ones above it might fail.
Egress allowlist.
The extension can only make network calls to the model API you configured. Even if the agent is fully prompt-injected, your conversation can't leave your machine.
Sensitive-site denylist.
Hundreds of banks, healthcare portals, password managers, and identity providers pre-blocked from agent access. Fully editable.
Per-session trust modes.
Open, Scoped, Paranoid. Pick how much rope the agent gets before it asks for confirmation. Surfaced persistently in the UI so you always know what you authorized.
Confirmation gates.
Form submits, downloads, cross-origin requests — none happen without your sign-off. Bypassable only by you, never by the model.
Prompt-injection quarantine.
Web content is wrapped as untrusted data, not instruction. The model treats injected text as content to read, not commands to follow.
// Hard egress allowlist. Even if the agent is fully prompt-injected // and tries to POST your conversation to an attacker-controlled URL, // the network layer refuses. Fail closed. const PROVIDER_ALLOWLIST = Object.freeze([ 'https://api.anthropic.com', 'http://localhost:11434', // local Ollama ]); export const safeFetch = async (resource, init) => { const origin = resolveOrigin(resource); if (!PROVIDER_ALLOWLIST.includes(origin)) { await auditLog({ type: 'egress_denied', origin }); throw new EgressDeniedError(origin); } return fetch(resource, init); };
V1 is the on-ramp.
First builds ship soon.
We'll email when Peerd is in the Chrome Web Store. No spam, no drips, no marketing automation. One email when it's ready.