The browser runtime whereAI agents actually work.
Site adapters replace fragile DOM guessing. Checkpoints let agents recover from failures. State persists across sessions.
Site adapters replace fragile DOM guessing. Checkpoints let agents recover from failures. State persists across sessions.
First, the login wall — headless browsers launch blank, hit MFA and CAPTCHAs, and break before the task starts. But the bigger problem? Mid-task failure with no recovery. Your agent completes 7 of 10 steps, hits an error, and restarts from scratch.
| Standard approach | Pagerunner | |
|---|---|---|
| The login wall | ||
| Sessions | Launches blank, no cookies | Opens your real Chrome profile via CDP |
| Auth state | No cookies, passwords, or history | Inherits all saved credentials |
| Bot detection | MFA / CAPTCHA blocks it | Genuine human browser fingerprint |
| Result | Task fails before it starts | Executes immediately, already authenticated |
| Mid-task failure | ||
| Step 7 fails | Restart from step 1 | Resume from checkpoint at step 5 |
| Browser state | Lost — no saved state | Tabs, cookies, localStorage preserved |
| Site changes | CSS selectors break on redesign | Adapters bridge to internal logic |
| Result | Fragile, unreliable, can't recover | Stable across redesigns, recoverable |
Not a mock. These are actual Pagerunner MCP calls with real Chrome, real auth, real results.
Browser automation that relies only on clicking UI elements breaks every time a site ships a redesign. Site Intelligence lets agents bridge directly to the site's internal logic — bypassing clunky UI entirely or tracking which selectors are stable over time.
register_adapter and generate_adapter to bridge the agent directly to internal site logiccall_site_api for rapid, API-style execution inside the authenticated sessionWhen your agent fails mid-task, it doesn't start over. Checkpoints save complete browser state — tabs, cookies, localStorage, scroll position — so agents resume from where they left off. Not from step one.
save_session_checkpointrestore_session_checkpoint picks up exactly where it stoppedYou log into GitHub, Jira, your staging environment once. Pagerunner saves the authenticated state — cookies, localStorage, session tokens — encrypted with AES-256-GCM, key stored in your macOS Keychain. Every agent call that follows starts already logged in.
A local ONNX NER model runs on your machine before get_content() returns anything to the agent. Emails, names, phone numbers, SSNs, credit cards, and IBANs are replaced with reversible tokens. The LLM works with tokens. Your data never leaves.
john@co.com → [EMAIL:a3f9], reversible via vaultjohn@co.com → [EMAIL][EMAIL:a3f9] to fill(), real value written to DOMOne daemon process, multiple AI clients, persistent memory outside the LLM context window. Agents remember what they learned across sessions — login patterns, site behavior, task history — without re-discovering it every run.
Start once. Run all day. Sessions survive restarts, context survives across Claude windows.
A background service initializes, sharing one browser state across multiple Claude Code windows and MCP clients simultaneously.
Pagerunner continuously saves the complete browser state — tabs, cookies, localStorage — so nothing is lost between agent interactions.
If the daemon restarts, the system automatically reattaches to the active session via TCP without losing context or requiring manual reconnection.
Manage sessions, control checkpoints, and monitor the daemon entirely from a native Swift companion app — no terminal window required.
Pagerunner is how they solve it — without writing scrapers, managing auth, or babysitting headless Chrome.
Edit CSS, navigate, screenshot, compare to design spec — without touching the browser yourself. Agent closes the loop.
Track competitor pricing, feature pages, and changelog on a schedule. Morning briefing, automatically compiled.
Screenshot feature branches at 375px, 768px, 1440px. Pixel-diff against baseline. Flag regressions before merge.
Track your rankings and competitors'. Surface ranking drops before they hurt traffic. No third-party SaaS required.
Legal, HR, finance workflows where PII can't reach an external LLM. Local ONNX NER + token vault makes it possible.
Queue depths, error counts, certificate expiry — read from dashboards that have no API. Screenshot for audit trail.
Website, LinkedIn, Crunchbase, press in 2 minutes before every call. Agent reads, synthesizes, CRM field updated.
Revenue, support queue, competitor mentions, PR status — all pulled, summarized, waiting in Slack at 8am.
Three layers of protection around your Chrome profile and credentials. Browser automation without guardrails is dangerous — Pagerunner ships with controls most tools never considered.
Blocks navigation to private IPs (RFC1918), loopback, file://, javascript:, and embedded-credential URLs. An agent can't be tricked into leaking internal resources.
Strips hidden elements (display:none, visibility:hidden), HTML tags, and zero-width Unicode characters from page content before it reaches the agent.
All session snapshots and KV store data encrypted at rest. Encryption key stored in macOS Keychain. On Linux, set PAGERUNNER_DB_KEY env var.
Every tool call logged to ~/.pagerunner/audit.log with timestamp, tool name, session, and result. File permissions 0600. Cannot be modified retroactively.
Restrict any session to an explicit list of domains. An agent running a Jira automation can't navigate to Stripe or your internal admin console, even if instructed to.
Before restoring a saved snapshot, Pagerunner verifies the origin matches. A snapshot saved for github.com cannot be injected into a different origin.
Responsible Automation: The anonymize: true flag ensures workflows processing third-party data never leak PII to external LLM providers. GDPR/CCPA compliance without re-engineering your agent.
Blast Radius Containment: Domain allowlisting and SSRF protections prevent autonomous agents from pivoting into internal corporate networks or unauthorized applications — even if the agent is given malicious instructions.
Most browser tools were built for testing. Pagerunner was built for agents.
| Capability | Pagerunner | Computer Use | Playwright MCP | agent-browser | Browserbase |
|---|---|---|---|---|---|
| Action latency | 1–2s | 30–60s | 1–3s | 1–2s | 2–5s |
| Tokens per action | 50–200 | ~2,000 | 50–200 | 50–200 | 50–200 |
| Persistent auth | ✓ Encrypted snapshots | ✗ Re-login every run | ~ Session only | ✓ Auth vault | ~ Managed sessions |
| Checkpoint / recovery | ✓ Resume from checkpoint | ✗ | ✗ | ✗ | ✗ |
| Site adapters | ✓ Stable across redesigns | ✗ | ✗ | ✗ | ✗ |
| PII anonymization | ✓ Local ONNX NER | ✗ | ✗ | ✗ | ✗ |
| Daemon + KV store | ✓ Shared across clients | ✗ | ✗ | ✓ Basic | ✗ |
| CLI parity | ✓ All 44 tools | — | ✗ | ✓ | ✗ |
| Bot detection bypass | ✓ Stealth mode | ✗ Blocked frequently | ~ Headless tells | ~ Basic | ~ Cloud IP |
| SSRF protection | ✓ RFC1918 blocked | ✗ | ✗ | ✗ | ~ Network isolation |
| Audit log | ✓ Append-only | ✗ | ✗ | ✗ | ~ Cloud logs |
| Data locality | ✓ Never leaves machine | ✗ To Anthropic cloud | ✓ Local | ✓ Local | ✗ Cloud execution |
| Cost | Free · Open source | Usage-based | Free | Free | $20–$99/mo |
agent-browser has recently added auth vault and basic daemon support. It still doesn't strip PII or protect against SSRF. · Browserbase is the right choice for 100+ parallel sessions. For developer-scale work, local + free wins.
Pick your client. Copy. Paste. Done.
Free forever. Open source. No cloud, no subscription, no surveillance.
Your sessions stay on your machine.