MCPcopy Index your code
hub / github.com/ProxyShard/ShardBrowser

github.com/ProxyShard/ShardBrowser @v0.1.10

Chat with this repo
repository ↗ · DeepWiki ↗ · release v0.1.10 ↗ · + Follow
768 symbols 1,845 edges 54 files 214 documented · 28%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

ShardX Launcher

License

PyPI version npm version crates.io version docs.rs

GitHub stars Last commit PyPI downloads npm downloads crates.io downloads

A project by the ProxyShard team — the proxy service with full SOCKS5 UDP relay (RFC 1928 §7) and active p0f TCP-fingerprint spoofing on the exit (so the OS the proxy claims to be on actually matches the SYN/ACK shape sites see). ShardX is the in-house anti-detect browser stack we built to get the most out of those proxies: the launcher manages profiles, binds proxies, and ships the patched Chromium 149 browser that does the actual spoofing at the engine level.

Drive ShardX whichever way fits the job — all four read from the same on-disk state, so a profile is reachable from every entry-point with no sync step:

  • Desktop UI — workspace for day-to-day work (profiles, proxies, cookies, fingerprint editor).
  • Local HTTP API — Bearer-JWT auth on 127.0.0.1:40325; create / start / stop profiles and grab a CDP endpoint from any language.
  • MCP server — drops into Claude Desktop / Cursor for natural-language profile orchestration (HTTP API + browser-over-CDP).
  • Standalone SDKs — Python, Node + Rust libraries that ship the engine themselves and need no GUI at all; ideal for scrapers / CI / servers.

Setup for each lives in Usage below.

ShardX Launcher


What it is

A free, open-source anti-detect browser for web scraping and multi-accounting.

Run hundreds of isolated browser identities side by side, each one a fully-formed device with its own GPU, screen, fonts, audio stack, timezone, locale, WebGL/WebGPU caps, TLS ClientHello, UA-CH, WebRTC policy, geolocation and cookies — every signal coherent with the others, and every signal spoofed inside Chromium's C++ engine (Blink / V8 / network stack), not via JS injection that detectors trip on instantly.

You get 170 ready-made device profiles out of the box (mac M1–M5, Windows desktops/laptops with RTX/GTX/Intel/AMD GPUs, Linux workstations), bind a SOCKS5 / HTTP proxy to each one, and the launcher handles the rest — auto-resolved timezone + locale + geolocation from the proxy's exit country, isolated user-data-dir, persistent cookies, Widevine pre-warm, QUIC over the proxy's UDP relay, no real-IP leaks via WebRTC.

Free for any use — pair with ProxyShard proxies for the QUIC + WebRTC stack to actually work end-to-end, or bring your own.

What this gives you out of the box:

Test Result
browserleaks.com/quic QUIC True, JA4 matches real Chrome, MTU 1232 over SOCKS5 UDP relay
fingerprint.com Bot / VPN / DevTools / browser-tampering all Not detected
browserscan.net Authenticity 100%
pixelscan.net Fingerprint consistent, no proxy / automation detected
fp.haru.gay isBot: false, every sub-signal false
antcpt.com/score_detector reCAPTCHA v3 score 0.9
networktest.twilio.com TURN UDP / TCP / TLS + Voice — all Pass (no real-IP leak)

Fingerprint surfaces patched

All overrides live inside the browser engine — there is no JavaScript shim layer that detectors can spot, so spoofed values are consistent across iframes, web workers, devtools and headless inspection.

  • Device identity — user agent, platform, vendor, CPU cores, RAM, touch points, full Sec-CH-UA stack (brand, version, architecture, bitness, mobile, model) with stable GREASE.
  • Graphics — WebGL renderer / vendor / extensions / limits, WebGPU adapter + limits, deterministic per-profile noise for Canvas, DOMRect and ClientRects, color gamut and HDR claims.
  • Audio — sample rate, channel count, optional per-profile noise on raw audio samples.
  • Screen & window — full resolution + available area + DPR + color depth, max-size cap so the OS won't resize past the claimed dimensions.
  • Locale — timezone, ICU locale, primary language and the Accept-Language header auto-derived from the bound proxy's country.
  • Geolocation — coordinates either set manually or derived from the proxy's exit IP; host GPS / Wi-Fi is never used.
  • Network capability — connection type, downlink, RTT, save-data, storage quota, JS heap limit, battery state, media-device counts.
  • TLS ClientHello — Chrome-149 cipher + signature-algorithm selection, extension shuffling, so JA4 / Akamai / Peetprint fingerprints match real Chrome.
  • HTTP-3 over the proxy's UDP relay — QUIC works end-to-end through SOCKS5; origin hostnames are resolved proxy-side.
  • WebRTC policyblock / tcp_only / auto. In auto traffic rides the proxy's UDP relay; otherwise WebRTC candidates report the proxy exit IP, never the host. STUN / TURN targets on private networks are dropped.
  • Speech voices — full per-OS speechSynthesis.getVoices() enumeration (200+ macOS voices, SAPI + Google for Windows, Google-only for Linux).
  • Fonts — system font enumeration pinned to a per-profile set so font-list probes return the claimed device's fonts, not the host's.
  • WebGPU on Linux — disabled to match what real Linux Chrome actually exposes (most distros ship WebGPU off).
  • Google validation headers — the headers real Google Chrome adds to requests against Google properties (notably x-client-data — its absence is the loudest reCAPTCHA bot signal) are reproduced correctly.
  • WebAuthn — platform-authenticator availability matches the claimed device.
  • Hardening — Widevine pre-warmed per profile, headless markers stripped, devtools-protocol side-channels closed, sync hard-disabled, no keychain prompts, no Google account telemetry, no Privacy Sandbox enrollment data leaked.

Launcher features

  • Profile workspace — per-profile user-data-dir, persistent Chrome sessions ("Continue where you left off" without the crash-restore bubble), bulk import, folder / tag organisation, pin to top, clone.
  • Fingerprint library — 170 starter profiles shipped via CDN (31 mac-arm64 / 120 windows-x64 / 19 linux-x64). Profile editor randomises CPU / RAM / platform-version when you change the GPU.
  • Proxy manager — SOCKS5 / HTTP / HTTPS, bulk paste-import, per-proxy live test (TCP + UDP_ASSOCIATE probe + geo lookup), bind a proxy to a profile by id or inline-on-launch. Auto-resolves timezone / locale / geolocation from the proxy's exit country.
  • Auto-runtime — first launch pulls the patched ShardX Chromium build, Widevine CDM and the fingerprint library from CDN, places Widevine inside the framework, persists an etag so subsequent launches are zero-network.
  • Local automation API — axum HTTP server on 127.0.0.1, JWT-Bearer auth. Full reference at docs.proxyshard.com/eng/shardx-launcher-api, raw schema in openapi.yaml. Create / start / stop profiles and get a CDP WebSocket URL programmatically.
  • MCP server bundled — drop into Claude Desktop / IDE for natural-language profile orchestration.
  • Cookie I/O — import / export the profile's Chromium Cookies SQLite with v10 (mac / linux) and AES-GCM + DPAPI (win) decryption.
  • Cross-platform — macOS arm64, Windows x64, Linux x64; native traffic lights on mac, custom titlebar elsewhere.

Screenshots

Network — QUIC + WebRTC over SOCKS5

QUIC handshake completes end-to-end through the SOCKS5 UDP relay; every WebRTC probe (UDP / TCP / TLS) passes against Twilio's test suite without leaking the host IP.

browserleaks.com/quic — QUIC True, JA4 matches Chrome 149 networktest.twilio.com — every probe Pass
QUIC Twilio

Bot / automation detection

fingerprint.com — Bot / VPN / DevTools / tampering Not detected fp.haru.gay — isBot: false, every signal false
FP Haru

Fingerprint consistency

ProxyShard's own browser-checker — no issues across 9 categories pixelscan.net — Fingerprint consistent
ProxyShard Pixelscan

Authenticity score

browserscan.net — Authenticity 100 %, locale honoured antcpt.com — reCAPTCHA v3 score 0.9
Browserscan reCAPTCHA

Comparison with other anti-detect browsers

All three are patched Chromium forks — the differentiation is in which surfaces each one bothers to patch, how cleanly, and what's wrapped around the engine.

Feature ShardX (this project) CloakBrowser Multilogin / AdsPower / Dolphin
WebGPU spoofing (navigator.gpu adapter + every limit) ✅ full ❌ untouched — host GPU leaks ✅ full
Client Hints (Sec-CH-UA-* full stack with GREASE) ✅ full ❌ partial / inconsistent ✅ full on Multilogin / AdsPower, ❌ Dolphin
Font enumeration pinned per profile

Extension points exported contracts — how you extend this code

ShardXOptions (Interface)
(no doc)
sdks/node/src/index.ts
ShardXLaunchOptions (Interface)
(no doc)
sdks/node/src/index.ts
ProxyCheckResult (Interface)
(no doc)
sdks/node/src/index.ts
ParsedProxy (Interface)
(no doc)
sdks/node/src/proxy.ts
LaunchOptions (Interface)
(no doc)
sdks/node/src/browser.ts

Core symbols most depended-on inside this repo

text
called by 86
mcp/index.js
s
called by 74
sdks/node/src/geo.ts
as_str
called by 68
sdks/rust/src/proxy.rs
pageFor
called by 59
mcp/index.js
filter
called by 46
sdks/rust/src/profile.rs
err
called by 36
src-tauri/src/api.rs
s
called by 25
sdks/python/shardx/geo.py
reload
called by 24
src/App.tsx

Shape

Function 528
Method 154
Class 73
Interface 9
Enum 4

Languages

Rust54%
TypeScript34%
Python12%

Modules by API surface

src/App.tsx144 symbols
src-tauri/src/lib.rs85 symbols
src-tauri/src/api.rs47 symbols
src-tauri/src/proxy.rs33 symbols
src-tauri/src/runtime.rs30 symbols
sdks/node/src/runtime.ts30 symbols
sdks/rust/src/runtime.rs29 symbols
sdks/python/shardx/runtime.py26 symbols
src-tauri/src/cookies.rs25 symbols
src-tauri/src/profile.rs22 symbols
sdks/node/src/index.ts18 symbols
sdks/rust/src/lib.rs17 symbols

For agents

$ claude mcp add ShardBrowser \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page