@baitong-dev/bash-mcp 0.0.2

package/bash.txt

@@ -0,0 +1,118 @@
+Executes a given bash command in a persistent shell session with optional timeout, ensuring proper handling and security measures.
+
+All commands run in ${directory} by default. Use the `cwd` parameter if you need to run a command in a different directory. AVOID using `cd <directory> && <command>` patterns - use `cwd` instead.
+
+IMPORTANT: This tool is for terminal operations like git, npm, docker, etc. DO NOT use it for file operations (reading, writing, editing, searching, finding files) - use the specialized tools for this instead.
+
+Before executing the command, please follow these steps:
+
+1. Directory Verification:
+   - If the command will create new directories or files, first use `ls` to verify the parent directory exists and is the correct location
+   - For example, before running "mkdir foo/bar", first use `ls foo` to check that "foo" exists and is the intended parent directory
+
+2. Command Execution:
+   - Always quote file paths that contain spaces with double quotes (e.g., rm "path with spaces/file.txt")
+   - Examples of proper quoting:
+     - mkdir "/Users/name/My Documents" (correct)
+     - mkdir /Users/name/My Documents (incorrect - will fail)
+     - python "/path/with spaces/script.py" (correct)
+     - python /path/with spaces/script.py (incorrect - will fail)
+   - After ensuring proper quoting, execute the command.
+   - Capture the output of the command.
+
+Usage notes:
+  - The command argument is required.
+  - You can specify an optional timeout in milliseconds. If not specified, commands will time out after 120000ms (2 minutes).
+  - It is very helpful if you write a clear, concise description of what this command does in 5-10 words.
+  - If the output exceeds ${maxLines} lines or ${maxBytes} bytes, it will be truncated and the full output will be written to a file. You can use Read with offset/limit to read specific sections or Grep to search the full content. Because of this, you do NOT need to use `head`, `tail`, or other truncation commands to limit output - just run the command directly.
+
+  - Avoid using Bash with the `find`, `grep`, `cat`, `head`, `tail`, `sed`, `awk`, or `echo` commands, unless explicitly instructed or when these commands are truly necessary for the task. Instead, always prefer using the dedicated tools for these commands:
+    - File search: Use Glob (NOT find or ls)
+    - Content search: Use Grep (NOT grep or rg)
+    - Read files: Use Read (NOT cat/head/tail)
+    - Edit files: Use Edit (NOT sed/awk)
+    - Write files: Use Write (NOT echo >/cat <<EOF)
+    - Communication: Output text directly (NOT echo/printf)
+
+  - When issuing multiple commands:
+    - If the commands are independent and can run in parallel, make multiple Bash tool calls in a single message. For example, if you need to run "git status" and "git diff", send a single message with two Bash tool calls in parallel.
+    - If the commands depend on each other and must run sequentially, use a single Bash call with '&&' to chain them together (e.g., `git add . && git commit -m "message" && git push`). For instance, if one operation must complete before another starts (like mkdir before cp, Write before Bash for git operations, or git add before git commit), run these operations sequentially instead.
+    - Use ';' only when you need to run commands sequentially but don't care if earlier commands fail
+    - DO NOT use newlines to separate commands (newlines are ok in quoted strings)
+
+  - AVOID using `cd <directory> && <command>`. Use the `cwd` parameter to change directories instead.
+    <good-example>
+    Use cwd="/foo/bar" with command: pytest tests
+    </good-example>
+    <bad-example>
+    cd /foo/bar && pytest tests
+    </bad-example>
+
+
+# Committing changes with git
+
+Only create commits when requested by the user. If unclear, ask first. When the user asks you to create a new git commit, follow these steps carefully:
+
+Git Safety Protocol:
+- NEVER update the git config
+- NEVER run destructive/irreversible git commands (like push --force, hard reset, etc) unless the user explicitly requests them
+- NEVER skip hooks (--no-verify, --no-gpg-sign, etc) unless the user explicitly requests it
+- NEVER run force push to main/master, warn the user if they request it
+- Avoid git commit --amend. ONLY use --amend when ALL conditions are met:
+  (1) User explicitly requested amend, OR commit SUCCEEDED but pre-commit hook auto-modified files that need including
+  (2) HEAD commit was created by you in this conversation (verify: git log -1 --format='%an %ae')
+  (3) Commit has NOT been pushed to remote (verify: git status shows "Your branch is ahead")
+- CRITICAL: If commit FAILED or was REJECTED by hook, NEVER amend - fix the issue and create a NEW commit
+- CRITICAL: If you already pushed to remote, NEVER amend unless user explicitly requests it (requires force push)
+- NEVER commit changes unless the user explicitly asks you to. It is VERY IMPORTANT to only commit when explicitly asked, otherwise the user will feel that you are being too proactive.
+
+1. You can call multiple tools in a single response. When multiple independent pieces of information are requested and all commands are likely to succeed, run multiple tool calls in parallel for optimal performance. run the following bash commands in parallel, each using the Bash tool:
+  - Run a git status command to see all untracked files.
+  - Run a git diff command to see both staged and unstaged changes that will be committed.
+  - Run a git log command to see recent commit messages, so that you can follow this repository's commit message style.
+2. Analyze all staged changes (both previously staged and newly added) and draft a commit message:
+  - Summarize the nature of the changes (eg. new feature, enhancement to an existing feature, bug fix, refactoring, test, docs, etc.). Ensure the message accurately reflects the changes and their purpose (i.e. "add" means a wholly new feature, "update" means an enhancement to an existing feature, "fix" means a bug fix, etc.).
+  - Do not commit files that likely contain secrets (.env, credentials.json, etc.). Warn the user if they specifically request to commit those files
+  - Draft a concise (1-2 sentences) commit message that focuses on the "why" rather than the "what"
+  - Ensure it accurately reflects the changes and their purpose
+3. You can call multiple tools in a single response. When multiple independent pieces of information are requested and all commands are likely to succeed, run multiple tool calls in parallel for optimal performance. run the following commands:
+   - Add relevant untracked files to the staging area.
+   - Create the commit with a message
+   - Run git status after the commit completes to verify success.
+   Note: git status depends on the commit completing, so run it sequentially after the commit.
+4. If the commit fails due to pre-commit hook, fix the issue and create a NEW commit (see amend rules above)
+
+Important notes:
+- NEVER run additional commands to read or explore code, besides git bash commands
+- NEVER use the TodoWrite or Task tools
+- DO NOT push to the remote repository unless the user explicitly asks you to do so
+- IMPORTANT: Never use git commands with the -i flag (like git rebase -i or git add -i) since they require interactive input which is not supported.
+- If there are no changes to commit (i.e., no untracked files and no modifications), do not create an empty commit
+
+# Creating pull requests
+Use the gh command via the Bash tool for ALL GitHub-related tasks including working with issues, pull requests, checks, and releases. If given a GitHub URL use the gh command to get the information needed.
+
+IMPORTANT: When the user asks you to create a pull request, follow these steps carefully:
+
+1. You can call multiple tools in a single response. When multiple independent pieces of information are requested and all commands are likely to succeed, run multiple tool calls in parallel for optimal performance. run the following bash commands in parallel using the Bash tool, in order to understand the current state of the branch since it diverged from the main branch:
+   - Run a git status command to see all untracked files
+   - Run a git diff command to see both staged and unstaged changes that will be committed
+   - Check if the current branch tracks a remote branch and is up to date with the remote, so you know if you need to push to the remote
+   - Run a git log command and `git diff [base-branch]...HEAD` to understand the full commit history for the current branch (from the time it diverged from the base branch)
+2. Analyze all changes that will be included in the pull request, making sure to look at all relevant commits (NOT just the latest commit, but ALL commits that will be included in the pull request!!!), and draft a pull request summary
+3. You can call multiple tools in a single response. When multiple independent pieces of information are requested and all commands are likely to succeed, run multiple tool calls in parallel for optimal performance. run the following commands in parallel:
+   - Create new branch if needed
+   - Push to remote with -u flag if needed
+   - Create PR using gh pr create with the format below. Use a HEREDOC to pass the body to ensure correct formatting.
+<example>
+gh pr create --title "the pr title" --body "$(cat <<'EOF'
+## Summary
+<1-3 bullet points>
+</example>
+
+Important:
+- DO NOT use the TodoWrite or Task tools
+- Return the PR URL when you're done, so the user can see it
+
+# Other common operations
+- View comments on a GitHub PR: gh api repos/foo/bar/pulls/123/comments

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env bun
+export {};

package/dist/index.js

@@ -0,0 +1,349 @@
+#!/usr/bin/env bun
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+/**
+ * Bash MCP Server v1.0
+ */
+const stdio_js_1 = require("@modelcontextprotocol/sdk/server/stdio.js");
+const mcp_js_1 = require("@modelcontextprotocol/sdk/server/mcp.js");
+const path_1 = __importDefault(require("path"));
+const zod_1 = __importDefault(require("zod"));
+const web_tree_sitter_1 = require("web-tree-sitter");
+// @ts-ignore wasm
+const web_tree_sitter_wasm_1 = __importDefault(require("web-tree-sitter/web-tree-sitter.wasm"));
+// @ts-ignore wasm
+const tree_sitter_bash_wasm_1 = __importDefault(require("tree-sitter-bash/tree-sitter-bash.wasm"));
+const child_process_1 = require("child_process");
+const bash_txt_1 = __importDefault(require("../bash.txt"));
+const mcp_helpers_1 = require("@baitong-dev/mcp-helpers");
+const MCP_NAME = 'Bash MCP';
+const MCP_VERSION = '0.0.1';
+const parser = (0, mcp_helpers_1.lazy)(async () => {
+    const treePath = (0, mcp_helpers_1.resolveWasm)(web_tree_sitter_wasm_1.default);
+    await web_tree_sitter_1.Parser.init({
+        locateFile() {
+            return treePath;
+        }
+    });
+    const bashPath = (0, mcp_helpers_1.resolveWasm)(tree_sitter_bash_wasm_1.default);
+    const bashLanguage = await web_tree_sitter_1.Language.load(bashPath);
+    const p = new web_tree_sitter_1.Parser();
+    p.setLanguage(bashLanguage);
+    return p;
+});
+/**
+ * Get the path to the bash executable
+ * @returns The path to the bash executable
+ */
+const getBashPath = (0, mcp_helpers_1.lazy)(() => {
+    const shell = process.env.SHELL;
+    if (shell)
+        return shell;
+    // Fallback: check common Git Bash paths directly
+    if (process.platform === 'win32') {
+        const bash = (0, mcp_helpers_1.findGitBash)((0, mcp_helpers_1.getBundledBinaryPath)('bash'));
+        if (bash)
+            return bash;
+        throw new Error('Git Bash not found');
+        // return process.env.COMSPEC || "cmd.exe"
+    }
+    if (process.platform === 'darwin')
+        return '/bin/zsh';
+    const bash = Bun.which('bash');
+    if (bash)
+        return bash;
+    return '/bin/sh';
+});
+const server = new mcp_js_1.McpServer({
+    name: MCP_NAME,
+    version: MCP_VERSION
+}, {
+    capabilities: {
+        logging: {}
+    }
+});
+// =============================================================================
+// Constants
+// =============================================================================
+// Default working directory
+const DEFAULT_CWD = path_1.default.join(mcp_helpers_1.MCP_HOME_DIR, 'workspace');
+// Grace period before SIGKILL (ms)
+const SIGKILL_TIMEOUT_MS = 5000;
+// Reserved characters for truncation ellipsis
+const TRUNCATION_ELLIPSIS_RESERVE = 50;
+// Exit code for timeout (shell convention)
+const EXIT_CODE_TIMEOUT = 124;
+// Sudo rejection message
+const SUDO_REJECTION_MESSAGE = '[REJECTED] sudo commands cannot be executed. Please STOP and ask human user to run it for you!\n';
+// Default max_output
+const DEFAULT_MAX_OUTPUT = 30000;
+const DEFAULT_TIMEOUT_MS = 2 * 60 * 1000;
+// Environment variables that cannot be overridden (hardened mode only)
+const PROTECTED_ENV_VARS = new Set([
+    'LD_PRELOAD',
+    'LD_LIBRARY_PATH',
+    'DYLD_INSERT_LIBRARIES',
+    'DYLD_LIBRARY_PATH'
+]);
+/**
+ * Check if a command contains sudo
+ * Matches: sudo at start, after semicolon, after &&, after ||, after |, after $(, after backtick
+ */
+function containsSudo(command) {
+    // Match sudo as a standalone command (not part of another word like "pseudocode")
+    return /(?:^|[;&|`$()]\s*)sudo(?:\s|$)/m.test(command);
+}
+/**
+ * Filter out protected environment variables that could be used for injection.
+ * Only active in hardened mode. Passes everything through when hardened mode is off.
+ */
+function filterEnvVars(env) {
+    if (!env)
+        return { filtered: undefined, rejected: [] };
+    const rejected = [];
+    const filtered = {};
+    for (const [key, value] of Object.entries(env)) {
+        if (PROTECTED_ENV_VARS.has(key.toUpperCase())) {
+            rejected.push(key);
+        }
+        else {
+            filtered[key] = value;
+        }
+    }
+    return { filtered: Object.keys(filtered).length > 0 ? filtered : undefined, rejected };
+}
+/**
+ * Middle-truncate output to preserve beginning and end
+ */
+function middleTruncate(text, maxLength) {
+    if (text.length <= maxLength)
+        return text;
+    const halfLength = Math.floor((maxLength - TRUNCATION_ELLIPSIS_RESERVE) / 2);
+    const start = text.slice(0, halfLength);
+    const end = text.slice(-halfLength);
+    const truncatedBytes = text.length - maxLength;
+    return `${start}\n\n... [truncated ${truncatedBytes} characters] ...\n\n${end}`;
+}
+// =============================================================================
+// Tool Definitions
+// =============================================================================
+const bashInputSchema = zod_1.default.object({
+    command: zod_1.default.string().min(1).describe('The command to execute'),
+    cwd: zod_1.default
+        .string()
+        .optional()
+        .describe(`The working directory to run the command in. Must be in ${DEFAULT_CWD}. Defaults to ${DEFAULT_CWD}. Use this instead of 'cd' commands.`), // 需要在DEFAULT_CWD下
+    timeout: zod_1.default
+        .number()
+        .min(1)
+        .max(600000)
+        .optional()
+        .describe(`Timeout in milliseconds (optional, default ${DEFAULT_TIMEOUT_MS}, max 600000)`),
+    description: zod_1.default
+        .string()
+        .optional()
+        .describe('Clear, concise description of what this command does in 5-10 words. Examples:\nInput: ls\nOutput: Lists files in current directory\n\nInput: git status\nOutput: Shows working tree status\n\nInput: npm install\nOutput: Installs package dependencies\n\nInput: mkdir foo\nOutput: Creates directory "foo"'),
+    env: zod_1.default
+        .record(zod_1.default.string(), zod_1.default.string())
+        .optional()
+        .describe('Additional environment variables to set'),
+    maxOutput: zod_1.default
+        .number()
+        .min(1)
+        .max(1000000)
+        .optional()
+        .describe(`Maximum output length before middle-truncation (default ${DEFAULT_MAX_OUTPUT})`)
+});
+async function killTree(proc, opts) {
+    const pid = proc.pid;
+    if (!pid || opts?.exited?.())
+        return;
+    if (process.platform === 'win32') {
+        await new Promise(resolve => {
+            const killer = (0, child_process_1.spawn)('taskkill', ['/pid', String(pid), '/f', '/t'], { stdio: 'ignore' });
+            killer.once('exit', () => resolve());
+            killer.once('error', () => resolve());
+        });
+        return;
+    }
+    try {
+        process.kill(-pid, 'SIGTERM');
+        await Bun.sleep(SIGKILL_TIMEOUT_MS);
+        if (!opts?.exited?.()) {
+            process.kill(-pid, 'SIGKILL');
+        }
+    }
+    catch (_e) {
+        proc.kill('SIGTERM');
+        await Bun.sleep(SIGKILL_TIMEOUT_MS);
+        if (!opts?.exited?.()) {
+            proc.kill('SIGKILL');
+        }
+    }
+}
+/**
+ * Execute a bash command and return result
+ */
+async function executeBash(options) {
+    const command = options.command.trim();
+    const cwd = options.cwd || DEFAULT_CWD;
+    const timeout = options.timeout || DEFAULT_TIMEOUT_MS;
+    const maxOutput = options.maxOutput || DEFAULT_MAX_OUTPUT;
+    const { filtered: safeEnv, rejected: rejectedVars } = filterEnvVars(options.env);
+    if (containsSudo(command)) {
+        throw Error(`${SUDO_REJECTION_MESSAGE}$ ${command}`);
+    }
+    if (!(0, mcp_helpers_1.isSubdirectory)(DEFAULT_CWD, cwd, {
+        includeSelf: true
+    })) {
+        throw Error(`"${cwd}" must be in ${DEFAULT_CWD}`);
+    }
+    if (!(await (0, mcp_helpers_1.isDir)(cwd))) {
+        throw Error(`"${cwd}" must be a directory`);
+    }
+    const tree = await parser().then(p => p.parse(command));
+    if (!tree) {
+        throw new Error('Failed to parse command');
+    }
+    const directories = new Set();
+    // if (!Instance.containsPath(cwd)) directories.add(cwd)
+    const patterns = new Set();
+    // const always = new Set<string>()
+    let output = '';
+    for (const node of tree.rootNode.descendantsOfType('command')) {
+        if (!node)
+            continue;
+        // Get full command text including redirects if present
+        let commandText = node.parent?.type === 'redirected_statement' ? node.parent.text : node.text;
+        const commands = [];
+        for (let i = 0; i < node.childCount; i++) {
+            const child = node.child(i);
+            if (!child)
+                continue;
+            if (child.type !== 'command_name' &&
+                child.type !== 'word' &&
+                child.type !== 'string' &&
+                child.type !== 'raw_string' &&
+                child.type !== 'concatenation') {
+                continue;
+            }
+            commands.push(child.text);
+        }
+        // not an exhaustive list, but covers most common cases
+        if (['cd', 'rm', 'cp', 'mv', 'mkdir', 'touch', 'chmod', 'chown', 'cat'].includes(commands[0])) {
+            for (const arg of commands.slice(1)) {
+                if (arg.startsWith('-') || (commands[0] === 'chmod' && arg.startsWith('+'))) {
+                    continue;
+                }
+                const resolved = await Bun.$ `realpath ${arg}`
+                    .cwd(cwd)
+                    .quiet()
+                    .nothrow()
+                    .text()
+                    .then(x => x.trim());
+                if (resolved) {
+                    // Git Bash on Windows returns Unix-style paths like /c/Users/...
+                    const normalized = process.platform === 'win32' && resolved.match(/^\/[a-z]\//)
+                        ? (0, mcp_helpers_1.gitBashToWindowsPath)(resolved)
+                        : resolved;
+                    if (!(0, mcp_helpers_1.isSubdirectory)(DEFAULT_CWD, normalized, { includeSelf: true })) {
+                        const dir = (await (0, mcp_helpers_1.isDir)(normalized)) ? normalized : path_1.default.dirname(normalized);
+                        directories.add(dir);
+                    }
+                }
+            }
+        }
+        else {
+        }
+        // cd covered by above check
+        if (commands.length && commands[0] !== 'cd') {
+            patterns.add(commandText);
+            // always.add(BashArity.prefix(command).join(' ') + ' *')
+        }
+    }
+    const mergedEnv = {
+        ...process.env,
+        ...safeEnv,
+        ...(0, mcp_helpers_1.getBinaryEnvs)()
+    };
+    const proc = (0, child_process_1.spawn)(command, {
+        shell: getBashPath(),
+        cwd,
+        env: {
+            ...mergedEnv
+        },
+        stdio: ['ignore', 'pipe', 'pipe'],
+        detached: process.platform !== 'win32'
+    });
+    const append = (chunk) => {
+        output += chunk.toString();
+    };
+    proc.stdout?.on('data', append);
+    proc.stderr?.on('data', append);
+    let timedOut = false;
+    let exited = false;
+    const kill = () => killTree(proc, { exited: () => exited });
+    const timeoutTimer = setTimeout(() => {
+        timedOut = true;
+        void kill();
+    }, timeout + 100);
+    await new Promise((resolve, reject) => {
+        const cleanup = () => {
+            clearTimeout(timeoutTimer);
+        };
+        proc.once('exit', () => {
+            exited = true;
+            cleanup();
+            resolve();
+        });
+        proc.once('error', error => {
+            exited = true;
+            cleanup();
+            reject(error);
+        });
+    });
+    const resultMetadata = [];
+    if (timedOut) {
+        resultMetadata.push(`bash tool terminated command after exceeding timeout ${timeout} ms`);
+    }
+    if (rejectedVars.length > 0) {
+        resultMetadata.push(`bash tool blocked env vars: ${rejectedVars.join(', ')}`);
+    }
+    if (resultMetadata.length > 0) {
+        output += '\n\n<bash_metadata>\n' + resultMetadata.join('\n') + '\n</bash_metadata>';
+    }
+    return {
+        output: middleTruncate(output, maxOutput),
+        exitCode: proc.exitCode,
+        description: options.description
+    };
+}
+server.registerTool('bash', {
+    description: bash_txt_1.default.replaceAll('${directory}', DEFAULT_CWD)
+        .replaceAll('${maxLines}', String(2000))
+        .replaceAll('${maxBytes}', String(50 * 1024)),
+    inputSchema: bashInputSchema
+}, async (args) => {
+    try {
+        const result = await executeBash({ ...args });
+        return {
+            content: [{ type: 'text', text: JSON.stringify(result) }],
+            structuredContent: result
+        };
+    }
+    catch (error) {
+        return {
+            isError: true,
+            content: [{ type: 'text', text: error instanceof Error ? error.message : String(error) }]
+        };
+    }
+});
+// =============================================================================
+// Start Server
+// =============================================================================
+const transport = new stdio_js_1.StdioServerTransport();
+server.connect(transport);
+console.error(`${MCP_NAME} Server v${MCP_VERSION} running`);

package/package.json

@@ -0,0 +1,32 @@
+{
+  "name": "@baitong-dev/bash-mcp",
+  "version": "0.0.2",
+  "main": "./dist/index.js",
+  "bin": {
+    "@baitong-dev/bash-mcp": "./dist/index.js"
+  },
+  "files": [
+    "dist",
+    "bash.txt",
+    "README.md"
+  ],
+  "keywords": [
+    "mcp",
+    "bash"
+  ],
+  "description": "bash-mcp",
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.25.1",
+    "tree-sitter-bash": "^0.25.1",
+    "web-tree-sitter": "^0.26.5",
+    "zod": "^4.3.4",
+    "@baitong-dev/mcp-helpers": "0.0.1"
+  },
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://registry.npmjs.org"
+  },
+  "scripts": {
+    "tsc": "tsc ./src/index.ts  --declaration --module commonjs  --target es2021 --esModuleInterop --outDir ./dist"
+  }
+}