bun-workspaces 1.10.0 → 1.11.0

package/README.md

@@ -1,5 +1,5 @@
 <a href="https://bunworkspaces.com">
-<img src="./workspaces/web/documentation-website/src/pages/public/images/png/bwunster-bg-banner-wide_3000x900.png" alt="bun-workspaces" width="100%" />
+<img src="./workspaces/web/documentation-website/src/pages/public/images/png/bwunster-bg-rect-title-wide_3000x900.png" alt="bun-workspaces" width="100%" />
 </a>
 
 <br/>
@@ -8,6 +8,8 @@ Full Documentation: [https://bunworkspaces.com](https://bunworkspaces.com)
 
 Changelog: [GitHub Releases](https://github.com/bun-workspaces/bun-workspaces/releases)
 
+Example Projects: [Repository](https://github.com/bun-workspaces/bun-workspaces-examples)
+
 # bun-workspaces
 
 A [monorepo](http://sonarsource.com/resources/library/monorepo/) tool that enhances native [Bun workspaces](https://bun.sh/docs/install/workspaces).

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bun-workspaces",
-  "version": "1.10.0",
+  "version": "1.11.0",
   "description": "A monorepo management tool for Bun, with a CLI and API to enhance Bun's native workspaces.",
   "license": "MIT",
   "exports": {

package/src/2392.mjs

@@ -1,5 +1,6 @@
 import { OUTPUT_STYLE_VALUES, SCRIPT_SHELL_OPTIONS } from "./4427.mjs";
 import { LOG_LEVELS } from "./8126.mjs";
+import { getUserEnvVarName } from "./5166.mjs";
 
 const JSON_FLAGS = ["-j", "--json"];
 const PRETTY_FLAGS = ["-p", "--pretty"];
@@ -142,7 +143,7 @@ const CLI_COMMANDS_CONFIG = {
     isGlobal: true,
     aliases: [],
     description:
-      "Start the bun-workspaces MCP (Model Context Protocol) server over stdio",
+      "Start the bun-workspaces MCP (Model Context Protocol) server over stdio. Defaults to skipping executable config files (bw.root.{ts,js}, bw.workspace.{ts,js}) for agent security. Pass the global --no-disable-executable-configs flag to allow them.",
     options: {},
   },
   listAffected: {
@@ -431,6 +432,14 @@ const CLI_GLOBAL_OPTIONS_CONFIG = {
     values: null,
     param: "",
   },
+  disableExecutableConfigs: {
+    mainOption: "--disable-executable-configs",
+    shortOption: "",
+    description: `Skip evaluating executable config files (bw.root.{ts,js}, bw.workspace.{ts,js}). Only jsonc/json/package.json configs are read, for untrusted contexts. Can also be set via env var ${getUserEnvVarName("disableExecutableConfigsDefault")}=true.`,
+    defaultValue: "",
+    values: null,
+    param: "",
+  },
 };
 const getCliGlobalOptionConfig = (optionName) =>
   CLI_GLOBAL_OPTIONS_CONFIG[optionName];

package/src/5166.mjs

@@ -3,6 +3,7 @@ const USER_ENV_VARS = {
   scriptShellDefault: "BW_SHELL_DEFAULT",
   includeRootWorkspaceDefault: "BW_INCLUDE_ROOT_WORKSPACE_DEFAULT",
   affectedBaseRefDefault: "BW_AFFECTED_BASE_REF_DEFAULT",
+  disableExecutableConfigsDefault: "BW_DISABLE_EXECUTABLE_CONFIGS_DEFAULT",
 };
 const getUserEnvVarName = (key) => USER_ENV_VARS[key];
 

package/src/affected/gitAffectedFiles.mjs

@@ -3,7 +3,29 @@ import path from "path";
 import { defineErrors } from "../internal/core/index.mjs";
 import { createSubprocess } from "../runScript/subprocesses.mjs";
 
-const GIT_AFFECTED_ERRORS = defineErrors("NoGitRepository", "GitCommandFailed");
+const GIT_AFFECTED_ERRORS = defineErrors(
+  "NoGitRepository",
+  "GitCommandFailed",
+  "InvalidGitRef",
+);
+/**
+ * Reject ref values that look like CLI options to avoid argument injection
+ * (e.g. a ref of `--upload-pack=...` being interpreted as a git option when
+ * passed as a positional argument). Git itself forbids refs starting with
+ * `-` via `git check-ref-format`, so this rejects only inputs that could
+ * never be a real ref.
+ */ const assertValidGitRef = (ref, label) => {
+  if (typeof ref !== "string" || ref.length === 0) {
+    throw new GIT_AFFECTED_ERRORS.InvalidGitRef(
+      `${label} must be a non-empty string`,
+    );
+  }
+  if (ref.startsWith("-")) {
+    throw new GIT_AFFECTED_ERRORS.InvalidGitRef(
+      `${label} cannot start with "-" (got ${JSON.stringify(ref)})`,
+    );
+  }
+};
 const GIT_AFFECTED_FILE_REASONS = ["diff", "staged", "unstaged", "untracked"];
 const runGit = async (args, cwd) => {
   const proc = createSubprocess(["git", ...args], {
@@ -61,6 +83,7 @@ const resolveGitRoot = async (rootDirectory) => {
   ref,
   projectRelativePath,
 }) => {
+  assertValidGitRef(ref, "ref");
   const gitRoot = fs.realpathSync.native(
     path.resolve(await resolveGitRoot(rootDirectory)),
   );
@@ -106,6 +129,8 @@ const getGitAffectedFiles = async (options) => {
     ignoreUnstaged,
     ignoreUncommitted,
   } = options;
+  assertValidGitRef(baseRef, "baseRef");
+  assertValidGitRef(headRef, "headRef");
   const gitRoot = fs.realpathSync.native(
     path.resolve(await resolveGitRoot(rootDirectory)),
   );

package/src/ai/mcp/bwMcpServer.mjs

@@ -1,7 +1,10 @@
 import package_0 from "../../../package.json";
 import { createMcpServer } from "./core/index.mjs";
 import { registerBwResources } from "./resources.mjs";
-import { setServerWorkingDirectory } from "./serverState.mjs";
+import {
+  setServerEnableExecutableConfigs,
+  setServerWorkingDirectory,
+} from "./serverState.mjs";
 import { registerBwTools } from "./tools.mjs";
 
 const SERVER_INSTRUCTIONS = `
@@ -32,6 +35,7 @@ $ bw run lint "alias:my-alias-*" "path:packages/**/*" "not:path:my-path/*" # use
 (end bun-workspaces MCP instructions)
 `.trim();
 const startBwMcpServer = async (options) => {
+  setServerEnableExecutableConfigs(options.enableExecutableConfigs ?? false);
   setServerWorkingDirectory(options.initialWorkingDirectory);
   const server = createMcpServer({
     name: "bun-workspaces",

package/src/ai/mcp/serverState.mjs

@@ -2,19 +2,28 @@ import { createFileSystemProject } from "../../project/implementations/fileSyste
 
 const SERVER_STATE = {
   workingDirectory: null,
+  enableExecutableConfigs: false,
 };
 const setServerWorkingDirectory = (directory) => {
   SERVER_STATE.workingDirectory = directory;
 };
+const setServerEnableExecutableConfigs = (enabled) => {
+  SERVER_STATE.enableExecutableConfigs = enabled;
+};
 const getServerProject = () => {
   if (!SERVER_STATE.workingDirectory) return null;
   try {
     return createFileSystemProject({
       rootDirectory: SERVER_STATE.workingDirectory,
+      disableExecutableConfigs: !SERVER_STATE.enableExecutableConfigs,
     });
   } catch {
     return null;
   }
 };
 
-export { getServerProject, setServerWorkingDirectory };
+export {
+  getServerProject,
+  setServerEnableExecutableConfigs,
+  setServerWorkingDirectory,
+};

package/src/ai/mcp/tools.mjs

@@ -202,7 +202,7 @@ const registerBwTools = (server) => {
     {
       name: "set_working_directory",
       description:
-        "Set the working directory used by this MCP server. All subsequent project queries will reflect the new directory.",
+        "Set the working directory used by this MCP server. All subsequent project queries will reflect the new directory. By default the server skips executable config files (bw.root.{ts,js}, bw.workspace.{ts,js}) in the target directory so that pointing the server at an unfamiliar project does not evaluate its code. Only bw.root.{jsonc,json}, bw.workspace.{jsonc,json}, and the package.json bw key are read. Start the server with --no-disable-executable-configs to allow executable configs.",
       inputSchema: {
         type: "object",
         properties: {

package/src/cli/commands/commandHandlerUtils.mjs

@@ -1,4 +1,5 @@
 import { Option } from "../../internal/bundledDeps/commander.mjs";
+import { sanitizeOutput } from "../../internal/core/index.mjs";
 import { BunWorkspacesError } from "../../internal/core/error/index.mjs";
 import { createLogger, logger } from "../../internal/logger/index.mjs";
 import { getCliCommandConfig } from "../../2392.mjs";
@@ -15,18 +16,18 @@ import { getCliCommandConfig } from "../../2392.mjs";
     .filter(Boolean)
     .map((value) => value.replace(/\\\s/g, " "));
 const createWorkspaceInfoLines = (workspace) => [
-  `Workspace: ${workspace.name}${workspace.isRoot ? " (root)" : ""}`,
-  ` - Aliases: ${workspace.aliases.join(", ")}`,
-  ` - Path: ${workspace.path}`,
-  ` - Glob Match: ${workspace.matchPattern}`,
-  ` - Scripts: ${workspace.scripts.join(", ")}`,
-  ` - Tags: ${workspace.tags.join(", ")}`,
-  ` - Dependencies: ${workspace.dependencies.join(", ")}`,
-  ` - Dependents: ${workspace.dependents.join(", ")}`,
+  `Workspace: ${sanitizeOutput(workspace.name)}${workspace.isRoot ? " (root)" : ""}`,
+  ` - Aliases: ${workspace.aliases.map(sanitizeOutput).join(", ")}`,
+  ` - Path: ${sanitizeOutput(workspace.path)}`,
+  ` - Glob Match: ${sanitizeOutput(workspace.matchPattern)}`,
+  ` - Scripts: ${workspace.scripts.map(sanitizeOutput).join(", ")}`,
+  ` - Tags: ${workspace.tags.map(sanitizeOutput).join(", ")}`,
+  ` - Dependencies: ${workspace.dependencies.map(sanitizeOutput).join(", ")}`,
+  ` - Dependents: ${workspace.dependents.map(sanitizeOutput).join(", ")}`,
 ];
 const createScriptInfoLines = (script, workspaces) => [
-  `Script: ${script}`,
-  ...workspaces.map((workspace) => ` - ${workspace.name}`),
+  `Script: ${sanitizeOutput(script)}`,
+  ...workspaces.map((workspace) => ` - ${sanitizeOutput(workspace.name)}`),
 ];
 const createJsonLines = (data, options) =>
   JSON.stringify(data, null, options.pretty ? 2 : undefined).split("\n");

package/src/cli/commands/commands.mjs

@@ -21,10 +21,10 @@ const defineProjectCommands = (context) => {
   scriptInfo(context);
   listTags(context);
   tagInfo(context);
-  mcpServer(context);
   runScript(context);
   listAffected(context);
   runAffected(context);
+  mcpServer(context);
 };
 
 export { defineGlobalCommands, defineProjectCommands };

package/src/cli/commands/handleSimpleCommands.mjs

@@ -1,4 +1,5 @@
 import { getDoctorInfo } from "../../doctor/index.mjs";
+import { sanitizeOutput } from "../../internal/core/index.mjs";
 import { logger } from "../../internal/logger/index.mjs";
 import {
   commandOutputLogger,
@@ -65,7 +66,7 @@ const listWorkspaces = handleProjectCommand(
     } else {
       workspaces.forEach((workspace) => {
         if (options.nameOnly) {
-          lines.push(workspace.name);
+          lines.push(sanitizeOutput(workspace.name));
         } else {
           lines.push(...createWorkspaceInfoLines(workspace));
         }
@@ -108,7 +109,7 @@ const listScripts = handleProjectCommand(
         .sort(({ name: nameA }, { name: nameB }) => nameA.localeCompare(nameB))
         .forEach(({ name, workspaces }) => {
           if (options.nameOnly) {
-            lines.push(name);
+            lines.push(sanitizeOutput(name));
           } else {
             lines.push(...createScriptInfoLines(name, workspaces));
           }
@@ -161,7 +162,7 @@ const scriptInfo = handleProjectCommand(
             options,
           )
         : options.workspacesOnly
-          ? scriptMetadata.workspaces.map(({ name }) => name)
+          ? scriptMetadata.workspaces.map(({ name }) => sanitizeOutput(name))
           : createScriptInfoLines(script, scriptMetadata.workspaces)
       ).join("\n"),
     );
@@ -189,10 +190,10 @@ const listTags = handleProjectCommand("listTags", ({ project }, options) => {
     }
     tags.forEach(({ tag, workspaces }) => {
       if (options.nameOnly) {
-        lines.push(tag);
+        lines.push(sanitizeOutput(tag));
       } else {
         lines.push(
-          `Tag: ${tag}\n${workspaces.map((name) => ` - ${name}`).join("\n")}`,
+          `Tag: ${sanitizeOutput(tag)}\n${workspaces.map((name) => ` - ${sanitizeOutput(name)}`).join("\n")}`,
         );
       }
     });
@@ -217,7 +218,7 @@ const handleSimpleCommands_tagInfo = handleProjectCommand(
     commandOutputLogger.info(
       options.json
         ? createJsonLines(tagInfo, options).join("\n")
-        : `Tag: ${tagInfo.name}\n${tagInfo.workspaces.map((name) => ` - ${name}`).join("\n")}`,
+        : `Tag: ${sanitizeOutput(tagInfo.name)}\n${tagInfo.workspaces.map((name) => ` - ${sanitizeOutput(name)}`).join("\n")}`,
     );
   },
 );

package/src/cli/commands/listAffected.mjs

@@ -1,4 +1,5 @@
 import path from "path";
+import { sanitizeOutput } from "../../internal/core/index.mjs";
 import { logger } from "../../internal/logger/index.mjs";
 import {
   commandOutputLogger,
@@ -19,34 +20,35 @@ const formatGitHeader = (metadata) => {
 };
 const formatDependencyChain = (dependency) => {
   const segments = dependency.chain.map((entry, index) => {
-    if (index === 0 || !entry.edgeSource) return entry.workspaceName;
-    return `\x1b[90m--[${entry.edgeSource}]->\x1b[0m ${entry.workspaceName}`;
+    const safeName = sanitizeOutput(entry.workspaceName);
+    if (index === 0 || !entry.edgeSource) return safeName;
+    return `\x1b[90m--[${entry.edgeSource}]->\x1b[0m ${safeName}`;
   });
   return segments.join(" ");
 };
 const formatSourceMarker = (change) =>
   change.source === "devDependencies" ? " (dev)" : "";
 const formatExternalDepEntryShort = (change) =>
-  `${change.name}${formatSourceMarker(change)}`;
+  `${sanitizeOutput(change.name)}${formatSourceMarker(change)}`;
 const formatExternalDepEntryDetailed = (change) => {
   const versions =
     change.baseVersion === null && change.headVersion === null
       ? "lockfile changed; precise diff unavailable"
-      : `${change.baseVersion ?? "(absent)"} -> ${change.headVersion ?? "(absent)"}`;
-  return `${change.name}${formatSourceMarker(change)} \x1b[90m[${versions}]\x1b[0m`;
+      : `${sanitizeOutput(change.baseVersion ?? "(absent)")} -> ${sanitizeOutput(change.headVersion ?? "(absent)")}`;
+  return `${sanitizeOutput(change.name)}${formatSourceMarker(change)} \x1b[90m[${versions}]\x1b[0m`;
 };
 const createWorkspaceSummaryLines = (result) => {
   const { workspace, affectedReasons } = result;
   const lines = [
-    `\x1b[1mWorkspace: ${workspace.name}\x1b[0m`,
-    `Path: ${workspace.path}`,
+    `\x1b[1mWorkspace: ${sanitizeOutput(workspace.name)}\x1b[0m`,
+    `Path: ${sanitizeOutput(workspace.path)}`,
   ];
   lines.push(
     `\x1b[96mChanged input files:\x1b[0m ${affectedReasons.changedFiles.length}`,
   );
   if (affectedReasons.dependencies.length) {
     lines.push(
-      `\x1b[96mAffected dependencies:\x1b[0m ${affectedReasons.dependencies.map(({ dependencyName }) => dependencyName).join(", ")}`,
+      `\x1b[96mAffected dependencies:\x1b[0m ${affectedReasons.dependencies.map(({ dependencyName }) => sanitizeOutput(dependencyName)).join(", ")}`,
     );
   } else {
     lines.push(`\x1b[96mAffected dependencies:\x1b[0m (none)`);
@@ -63,8 +65,8 @@ const createWorkspaceSummaryLines = (result) => {
 const createWorkspaceDetailedLines = (result) => {
   const { workspace, affectedReasons } = result;
   const lines = [
-    `\x1b[1mWorkspace: ${workspace.name}\x1b[0m`,
-    `Path: ${workspace.path}`,
+    `\x1b[1mWorkspace: ${sanitizeOutput(workspace.name)}\x1b[0m`,
+    `Path: ${sanitizeOutput(workspace.path)}`,
   ];
   if (affectedReasons.changedFiles.length) {
     lines.push("\x1b[96mChanged input files:\x1b[0m");
@@ -73,7 +75,7 @@ const createWorkspaceDetailedLines = (result) => {
         ?.filter((reason) => reason !== "diff")
         .join(", ");
       lines.push(
-        ` - ${path.relative(workspace.path, file.projectFilePath)} \x1b[90m(input: ${JSON.stringify(file.inputMatch)})${reasons ? ` [${reasons}]` : ""}\x1b[0m`,
+        ` - ${sanitizeOutput(path.relative(workspace.path, file.projectFilePath))} \x1b[90m(input: ${JSON.stringify(file.inputMatch)})${reasons ? ` [${reasons}]` : ""}\x1b[0m`,
       );
     }
   } else {
@@ -82,7 +84,7 @@ const createWorkspaceDetailedLines = (result) => {
   if (affectedReasons.dependencies.length) {
     lines.push("\x1b[96mAffected dependencies:\x1b[0m");
     for (const dependency of affectedReasons.dependencies) {
-      lines.push(` - ${dependency.dependencyName}`);
+      lines.push(` - ${sanitizeOutput(dependency.dependencyName)}`);
       lines.push(`   chain: ${formatDependencyChain(dependency)}`);
     }
   } else {
@@ -153,7 +155,9 @@ const listAffected = handleProjectCommand(
     if (!options.explain) {
       if (affectedResults.length) {
         commandOutputLogger.info(
-          affectedResults.map(({ workspace }) => workspace.name).join("\n"),
+          affectedResults
+            .map(({ workspace }) => sanitizeOutput(workspace.name))
+            .join("\n"),
         );
       } else {
         logger.info("No affected workspaces");

package/src/cli/commands/mcp.mjs

@@ -1,13 +1,23 @@
 import { startBwMcpServer } from "../../ai/mcp/index.mjs";
+import { getUserBoolEnvVar } from "../../config/userEnvVars/index.mjs";
 import { logger } from "../../internal/logger/index.mjs";
 import { handleGlobalCommand } from "./commandHandlerUtils.mjs";
 
 const mcpServer = handleGlobalCommand(
   "mcpServer",
-  async ({ workingDirectory }) => {
+  async ({ workingDirectory, disableExecutableConfigs }) => {
     logger.printLevel = "silent";
+    // mcp-server is the only command that defaults to *disabled* when
+    // neither the global flag nor the env var is set, because the server
+    // can be redirected to arbitrary directories at runtime via the
+    // set_working_directory tool. Precedence: CLI flag > env var > true.
+    const effectiveDisable =
+      disableExecutableConfigs ??
+      getUserBoolEnvVar("disableExecutableConfigsDefault") ??
+      true;
     await startBwMcpServer({
       initialWorkingDirectory: workingDirectory,
+      enableExecutableConfigs: !effectiveDisable,
     });
   },
 );

package/src/cli/commands/runScript/output/renderGroupedOutput.mjs

@@ -1,4 +1,4 @@
-import { runOnExit } from "../../../../internal/core/index.mjs";
+import { runOnExit, sanitizeOutput } from "../../../../internal/core/index.mjs";
 import {
   TypedEventTarget,
   createTypedEventFactory,
@@ -158,7 +158,8 @@ const renderGroupedOutput = async (
         statusText += ` (signal: ${state.signal})`;
       }
       const workspaceLine =
-        textOps[BORDER_COLOR]("Workspace: ") + textOps.bold(workspace.name);
+        textOps[BORDER_COLOR]("Workspace: ") +
+        textOps.bold(sanitizeOutput(workspace.name));
       const statusLine =
         textOps[BORDER_COLOR]("   Status: ") +
         textOps[STATUS_COLORS[state.status]](statusText);

package/src/cli/commands/runScript/output/renderPlainOutput.mjs

@@ -1,3 +1,4 @@
+import { sanitizeOutput } from "../../../../internal/core/index.mjs";
 import { sanitizeChunk } from "./sanitizeChunk.mjs";
 
 async function* generatePlainOutputLines(
@@ -6,7 +7,9 @@ async function* generatePlainOutputLines(
 ) {
   const workspaceLineBuffers = {};
   const formatLine = (line, workspaceName) => {
-    const prefixedLine = prefix ? `[${workspaceName}] ${line}` : line;
+    const prefixedLine = prefix
+      ? `[${sanitizeOutput(workspaceName)}] ${line}`
+      : line;
     return `\x1b[0m${prefixedLine}`;
   };
   for await (const { metadata, chunk } of output.text()) {

package/src/cli/commands/runScript/scriptRunFlow.mjs

@@ -1,6 +1,9 @@
 import fs from "fs";
 import path from "path";
-import { expandHomePath } from "../../../internal/core/index.mjs";
+import {
+  expandHomePath,
+  sanitizeOutput,
+} from "../../../internal/core/index.mjs";
 import { logger } from "../../../internal/logger/index.mjs";
 import {
   getDefaultOutputStyle,
@@ -130,13 +133,15 @@ const handleScriptRunFlow = async ({
   exitResults.scriptResults.forEach(
     ({ success, metadata: { workspace }, exitCode }) => {
       const isSkipped = exitCode === -1;
+      const safeWorkspaceName = sanitizeOutput(workspace.name);
+      const safeScriptName = sanitizeOutput(scriptName ?? "");
       if (isSkipped) {
         logger.info(
-          `➖ ${workspace.name}: ${scriptName} (skipped due to dependency failure)`,
+          `➖ ${safeWorkspaceName}: ${safeScriptName} (skipped due to dependency failure)`,
         );
       } else {
         logger.info(
-          `${success ? "✅" : "❌"} ${workspace.name}: ${scriptName}${exitCode ? ` (exited with code ${exitCode})` : ""}`,
+          `${success ? "✅" : "❌"} ${safeWorkspaceName}: ${safeScriptName}${exitCode ? ` (exited with code ${exitCode})` : ""}`,
         );
       }
     },

package/src/cli/createCli.mjs

@@ -82,8 +82,12 @@ const createCli = ({ defaultCwd = process.cwd(), defaultMiddleware } = {}) => {
         process.exit(1);
         return;
       }
-      const { project, projectError, workingDirectory } =
-        initializeWithGlobalOptions(program, args, middleware);
+      const {
+        project,
+        projectError,
+        workingDirectory,
+        disableExecutableConfigs,
+      } = initializeWithGlobalOptions(program, args, middleware);
       middleware.findProject({
         ...defaultContext,
         project,
@@ -103,6 +107,7 @@ const createCli = ({ defaultCwd = process.cwd(), defaultMiddleware } = {}) => {
         terminalWidth,
         terminalHeight,
         workingDirectory,
+        disableExecutableConfigs,
       });
       defineGlobalCommands({
         program,
@@ -112,6 +117,7 @@ const createCli = ({ defaultCwd = process.cwd(), defaultMiddleware } = {}) => {
         terminalWidth,
         terminalHeight,
         workingDirectory,
+        disableExecutableConfigs,
       });
       logger.debug(`Commands initialized. Parsing args...`);
       middleware.preParse({

package/src/cli/globalOptions/globalOptions.mjs

@@ -18,10 +18,8 @@ const ERRORS = defineErrors(
 const addGlobalOption = (program, optionName, defaultOverride) => {
   const { mainOption, shortOption, description, param, values, defaultValue } =
     getCliGlobalOptionConfig(optionName);
-  let option = new Option(
-    `${shortOption} ${mainOption}${param ? ` <${param}>` : ""}`,
-    description,
-  );
+  const flagsString = `${shortOption ? `${shortOption} ` : ""}${mainOption}${param ? ` <${param}>` : ""}`;
+  let option = new Option(flagsString, description);
   const effectiveDefaultValue = defaultOverride ?? defaultValue;
   if (effectiveDefaultValue) {
     option = option.default(effectiveDefaultValue);
@@ -106,6 +104,7 @@ const defineGlobalOptions = (program, args, middleware) => {
   }
   addGlobalOption(program, "logLevel");
   addGlobalOption(program, "includeRoot");
+  addGlobalOption(program, "disableExecutableConfigs");
   return {
     cwd,
   };
@@ -119,6 +118,7 @@ const applyGlobalOptions = (options) => {
     project = createFileSystemProject({
       rootDirectory: options.cwd,
       includeRootWorkspace: options.includeRoot,
+      disableExecutableConfigs: options.disableExecutableConfigs,
     });
     logger.debug(
       `Project: ${JSON.stringify(project.name)} (${project.workspaces.length} workspace${project.workspaces.length === 1 ? "" : "s"})`,
@@ -134,6 +134,7 @@ const applyGlobalOptions = (options) => {
     project,
     projectError: error,
     workingDirectory: options.cwd,
+    disableExecutableConfigs: options.disableExecutableConfigs,
   };
 };
 const initializeWithGlobalOptions = (program, args, middleware) => {

package/src/cli/index.d.ts

@@ -553,7 +553,7 @@ export declare const CLI_COMMANDS_CONFIG: {
     readonly command: "mcp-server";
     readonly isGlobal: true;
     readonly aliases: [];
-    readonly description: "Start the bun-workspaces MCP (Model Context Protocol) server over stdio";
+    readonly description: "Start the bun-workspaces MCP (Model Context Protocol) server over stdio. Defaults to skipping executable config files (bw.root.{ts,js}, bw.workspace.{ts,js}) for agent security. Pass the global --no-disable-executable-configs flag to allow them.";
     readonly options: {};
   };
   readonly listAffected: {
@@ -916,7 +916,7 @@ export declare const getCliCommandConfig: (commandName: CliCommandName) =>
       readonly command: "mcp-server";
       readonly isGlobal: true;
       readonly aliases: [];
-      readonly description: "Start the bun-workspaces MCP (Model Context Protocol) server over stdio";
+      readonly description: "Start the bun-workspaces MCP (Model Context Protocol) server over stdio. Defaults to skipping executable config files (bw.root.{ts,js}, bw.workspace.{ts,js}) for agent security. Pass the global --no-disable-executable-configs flag to allow them.";
       readonly options: {};
     }
   | {
@@ -1150,6 +1150,7 @@ export interface CliGlobalOptions {
   cwd: string;
   includeRoot: boolean;
   workspaceRoot: boolean;
+  disableExecutableConfigs: boolean;
 }
 export interface CliGlobalOptionConfig {
   mainOption: string;
@@ -1194,6 +1195,19 @@ export declare const getCliGlobalOptionConfig: (
       readonly defaultValue: "";
       readonly values: null;
       readonly param: "";
+    }
+  | {
+      readonly mainOption: "--disable-executable-configs";
+      readonly shortOption: "";
+      readonly description:
+        | "Skip evaluating executable config files (bw.root.{ts,js}, bw.workspace.{ts,js}). Only jsonc/json/package.json configs are read, for untrusted contexts. Can also be set via env var BW_PARALLEL_MAX_DEFAULT=true."
+        | "Skip evaluating executable config files (bw.root.{ts,js}, bw.workspace.{ts,js}). Only jsonc/json/package.json configs are read, for untrusted contexts. Can also be set via env var BW_SHELL_DEFAULT=true."
+        | "Skip evaluating executable config files (bw.root.{ts,js}, bw.workspace.{ts,js}). Only jsonc/json/package.json configs are read, for untrusted contexts. Can also be set via env var BW_INCLUDE_ROOT_WORKSPACE_DEFAULT=true."
+        | "Skip evaluating executable config files (bw.root.{ts,js}, bw.workspace.{ts,js}). Only jsonc/json/package.json configs are read, for untrusted contexts. Can also be set via env var BW_AFFECTED_BASE_REF_DEFAULT=true."
+        | "Skip evaluating executable config files (bw.root.{ts,js}, bw.workspace.{ts,js}). Only jsonc/json/package.json configs are read, for untrusted contexts. Can also be set via env var BW_DISABLE_EXECUTABLE_CONFIGS_DEFAULT=true.";
+      readonly defaultValue: "";
+      readonly values: null;
+      readonly param: "";
     };
 export declare const getCliGlobalOptionNames: () => CliGlobalOptionName[];
 /**
@@ -1375,6 +1389,17 @@ export type CreateFileSystemProjectOptions = {
   name?: string;
   /** Whether to include the root workspace as a normal workspace. This overrides any config or env var settings. */
   includeRootWorkspace?: boolean;
+  /**
+   * When true, skip discovery of `.ts`/`.js` config files (`bw.root.{ts,js}`,
+   * `bw.workspace.{ts,js}`) so no executable code is loaded from the project,
+   * for untrusted contexts.
+   *
+   * `.jsonc`/`.json` configs and the `package.json` `bw` key still resolve.
+   *
+   * When omitted, the `BW_DISABLE_EXECUTABLE_CONFIGS_DEFAULT` user env var is
+   * consulted (`"true"` or `"false"`). If neither is set, defaults to false.
+   */
+  disableExecutableConfigs?: boolean;
 };
 export type InlineScriptOptions = {
   /** A name to act as a label for the inline script */
@@ -1525,6 +1550,13 @@ export type GlobalCommandContext = {
   terminalWidth: number;
   terminalHeight: number;
   workingDirectory: string;
+  /**
+   * Value of the global `--disable-executable-configs` flag.
+   * `undefined` means the flag was not passed; commands are free to
+   * apply their own default (notably the mcp-server command defaults
+   * to disabled for security).
+   */
+  disableExecutableConfigs: boolean | undefined;
 };
 export type ProjectCommandContext = GlobalCommandContext & {
   project: FileSystemProject;
@@ -1697,6 +1729,7 @@ export declare const initializeWithGlobalOptions: (
   }>;
   projectError: Error | null;
   workingDirectory: string;
+  disableExecutableConfigs: boolean;
 };
 
 export {};

package/src/config/rootConfig/loadRootConfig.mjs

@@ -5,13 +5,14 @@ import {
   ROOT_CONFIG_PACKAGE_JSON_KEY,
 } from "../../8529.mjs";
 
-const loadRootConfig = (rootDirectory) => {
+const loadRootConfig = (rootDirectory, loadOptions = {}) => {
   const config = loadConfig(
     "root",
     rootDirectory,
     ROOT_CONFIG_FILE_NAME,
     ROOT_CONFIG_PACKAGE_JSON_KEY,
     (content) => resolveRootConfig(content),
+    loadOptions,
   );
   return config ?? createDefaultRootConfig();
 };

package/src/config/userEnvVars/userEnvVars.mjs

@@ -1,5 +1,16 @@
 import { USER_ENV_VARS } from "../../5166.mjs";
 
 const getUserEnvVar = (key) => process.env[USER_ENV_VARS[key]];
+/**
+ * Parse a user env var into a strict boolean tri-state. Returns `true` for
+ * "true", `false` for "false", and `undefined` for any other value (including
+ * unset) — so callers can distinguish "user explicitly set false" from
+ * "user did not set anything."
+ */ const getUserBoolEnvVar = (key) => {
+  const value = getUserEnvVar(key);
+  if (value === "true") return true;
+  if (value === "false") return false;
+  return undefined;
+};
 
-export { getUserEnvVar };
+export { getUserBoolEnvVar, getUserEnvVar };

package/src/config/util/loadConfig.mjs

@@ -111,9 +111,23 @@ const LOCATION_FINDERS = {
     return null;
   },
 };
-const getConfigLocation = (name, directory, fileName, packageJsonKey) => {
+const isExecutableLocationType = (locationType) =>
+  locationType === "tsFile" || locationType === "jsFile";
+const getConfigLocation = (
+  name,
+  directory,
+  fileName,
+  packageJsonKey,
+  loadOptions = {},
+) => {
   const locations = [];
   for (const locationType of CONFIG_LOCATION_TYPES) {
+    if (
+      loadOptions.disableExecutableConfigs &&
+      isExecutableLocationType(locationType)
+    ) {
+      continue;
+    }
     const location = LOCATION_FINDERS[locationType](
       directory,
       fileName,
@@ -136,8 +150,15 @@ const loadConfig = (
   fileName,
   packageJsonKey,
   processContent,
+  loadOptions = {},
 ) => {
-  const location = getConfigLocation(name, directory, fileName, packageJsonKey);
+  const location = getConfigLocation(
+    name,
+    directory,
+    fileName,
+    packageJsonKey,
+    loadOptions,
+  );
   if (!location) {
     return null;
   }

package/src/config/workspaceConfig/loadWorkspaceConfig.mjs

@@ -5,13 +5,14 @@ import {
 } from "./workspaceConfig.mjs";
 import { WORKSPACE_CONFIG_FILE_NAME } from "../../8529.mjs";
 
-const loadWorkspaceConfig = (workspacePath) => {
+const loadWorkspaceConfig = (workspacePath, loadOptions = {}) => {
   const config = loadConfig(
     "workspace",
     workspacePath,
     WORKSPACE_CONFIG_FILE_NAME,
     /* inlined export .WORKSPACE_CONFIG_PACKAGE_JSON_KEY */ "bw",
     (content) => resolveWorkspaceConfig(content),
+    loadOptions,
   );
   return config ?? createDefaultWorkspaceConfig();
 };

package/src/index.d.ts

@@ -600,6 +600,17 @@ export type CreateFileSystemProjectOptions = {
   name?: string;
   /** Whether to include the root workspace as a normal workspace. This overrides any config or env var settings. */
   includeRootWorkspace?: boolean;
+  /**
+   * When true, skip discovery of `.ts`/`.js` config files (`bw.root.{ts,js}`,
+   * `bw.workspace.{ts,js}`) so no executable code is loaded from the project,
+   * for untrusted contexts.
+   *
+   * `.jsonc`/`.json` configs and the `package.json` `bw` key still resolve.
+   *
+   * When omitted, the `BW_DISABLE_EXECUTABLE_CONFIGS_DEFAULT` user env var is
+   * consulted (`"true"` or `"false"`). If neither is set, defaults to false.
+   */
+  disableExecutableConfigs?: boolean;
 };
 export type InlineScriptOptions = {
   /** A name to act as a label for the inline script */

package/src/internal/core/language/string/index.mjs

@@ -1,3 +1,4 @@
 export * from "./id.mjs";
+export * from "./sanitizeOutput.mjs";
 
 export {};

package/src/internal/core/language/string/sanitizeOutput.mjs

@@ -0,0 +1,15 @@
+/**
+ * Strip ANSI escape sequences and other terminal-disruptive control
+ * characters from a string before rendering it. Use this for values
+ * sourced from package.json, config files, or other untrusted inputs to
+ * prevent terminal-escape injection in bw's CLI output (e.g., a workspace
+ * name containing `\x1b[2J` clearing the user's screen during `bw info`).
+ *
+ * Preserves `\n` and `\t`. Strips ANSI sequences plus C0/C1 controls
+ * other than newline and tab.
+ */ // eslint-disable-next-line no-control-regex
+const DISRUPTIVE_CONTROLS_REGEX = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F-\x9F]/g;
+const sanitizeOutput = (value) =>
+  Bun.stripANSI(value).replace(DISRUPTIVE_CONTROLS_REGEX, "");
+
+export { sanitizeOutput };

package/src/internal/core/runtime/tempFile.mjs

@@ -7,7 +7,21 @@ import { BUN_WORKSPACES_VERSION } from "../../version.mjs";
 import { createShortId } from "../language/string/id.mjs";
 import { runOnExit } from "./onExit.mjs";
 
-const getTempBasePackageDir = () => path.join(os.tmpdir(), "bun-workspaces");
+/**
+ * Per-user suffix on the temp base dir prevents a different local user from
+ * pre-creating or symlink-squatting `/tmp/bun-workspaces` to steer our writes.
+ * On platforms without a numeric uid (Windows), `os.tmpdir()` is already
+ * per-user so the suffix becomes inert.
+ */ const getUserSuffix = () => {
+  try {
+    const { uid } = os.userInfo();
+    return uid >= 0 ? `-${uid}` : "";
+  } catch {
+    return "";
+  }
+};
+const getTempBasePackageDir = () =>
+  path.join(os.tmpdir(), `bun-workspaces${getUserSuffix()}`);
 const getTempParentDir = () =>
   path.join(getTempBasePackageDir(), BUN_WORKSPACES_VERSION);
 class TempDir {
@@ -18,10 +32,14 @@ class TempDir {
   }
   initialize(clean = false) {
     if (fs.existsSync(this.dir)) return;
+    // Pass mode at creation time so the dir is never briefly readable by
+    // other local users between mkdir and a subsequent chmod (closes the
+    // TOCTOU window where another process could enter the dir before the
+    // mode is tightened).
     fs.mkdirSync(this.dir, {
       recursive: true,
+      mode: 448,
     });
-    fs.chmodSync(this.dir, 448);
     if (clean) {
       for (const dir of fs.readdirSync(path.resolve(getTempBasePackageDir()))) {
         if (dir !== BUN_WORKSPACES_VERSION) {

package/src/project/implementations/fileSystemProject/fileSystemProject.mjs

@@ -1,7 +1,10 @@
 import fs from "fs";
 import path from "path";
 import { loadRootConfig } from "../../../config/index.mjs";
-import { getUserEnvVar } from "../../../config/userEnvVars/index.mjs";
+import {
+  getUserBoolEnvVar,
+  getUserEnvVar,
+} from "../../../config/userEnvVars/index.mjs";
 import { parse, quote } from "../../../internal/bundledDeps/shellQuote.mjs";
 import {
   DEFAULT_TEMP_DIR,
@@ -70,17 +73,22 @@ const serializeArgs = (args, metadata, shell) => {
     return args
       .map((arg) =>
         quoteArg(
-          interpolateWorkspaceScriptMetadata(arg, metadata, shell),
+          interpolateWorkspaceScriptMetadata({
+            text: arg,
+            metadata,
+            shell,
+          }),
           shell,
         ),
       )
       .join(" ");
   }
-  const interpolated = interpolateWorkspaceScriptMetadata(
-    args,
+  const interpolated = interpolateWorkspaceScriptMetadata({
+    text: args,
     metadata,
     shell,
-  );
+    quoteValues: true,
+  });
   // Escape backslashes in interpolated values before POSIX parse on Windows,
   // so that path separators survive parse's escape processing (\\→\)
   const parseInput =
@@ -128,6 +136,11 @@ class _FileSystemProject extends ProjectBase {
           typeofName: "boolean",
           optional: true,
         },
+        "disableExecutableConfigs option": {
+          value: options.disableExecutableConfigs,
+          typeofName: "boolean",
+          optional: true,
+        },
       },
       {
         throw: true,
@@ -141,7 +154,16 @@ class _FileSystemProject extends ProjectBase {
       process.cwd(),
       expandHomePath(options.rootDirectory ?? ""),
     );
-    const rootConfig = loadRootConfig(this.rootDirectory);
+    // Root config can't supply a default for this — the config file itself
+    // is what we're deciding whether to evaluate. Precedence is therefore
+    // option > BW_DISABLE_EXECUTABLE_CONFIGS_DEFAULT env var > false.
+    const loadConfigOptions = {
+      disableExecutableConfigs:
+        options.disableExecutableConfigs ??
+        getUserBoolEnvVar("disableExecutableConfigsDefault") ??
+        false,
+    };
+    const rootConfig = loadRootConfig(this.rootDirectory, loadConfigOptions);
     const { workspaces, workspaceMap, rootWorkspace } = findWorkspaces({
       rootDirectory: this.rootDirectory,
       includeRootWorkspace:
@@ -149,6 +171,7 @@ class _FileSystemProject extends ProjectBase {
         rootConfig.defaults.includeRootWorkspace ??
         getUserEnvVar("includeRootWorkspaceDefault") === "true",
       workspacePatternConfigs: rootConfig.workspacePatternConfigs,
+      loadConfigOptions,
     });
     this.rootWorkspace = rootWorkspace;
     this.workspaces = workspaces;
@@ -262,11 +285,12 @@ class _FileSystemProject extends ProjectBase {
     };
     const args = serializeArgs(options.args, workspaceScriptMetadata, shell);
     const script = options.inline
-      ? interpolateWorkspaceScriptMetadata(
-          options.script,
-          workspaceScriptMetadata,
+      ? interpolateWorkspaceScriptMetadata({
+          text: options.script,
+          metadata: workspaceScriptMetadata,
           shell,
-        ) + (args ? " " + args : "")
+          quoteValues: true,
+        }) + (args ? " " + args : "")
       : options.script;
     if (!options.inline && checkIsRecursiveScript(workspace.name, script)) {
       throw new PROJECT_ERRORS.RecursiveWorkspaceScript(
@@ -473,11 +497,12 @@ class _FileSystemProject extends ProjectBase {
           shell,
         );
         const script = options.inline
-          ? interpolateWorkspaceScriptMetadata(
-              options.script,
-              workspaceScriptMetadata,
+          ? interpolateWorkspaceScriptMetadata({
+              text: options.script,
+              metadata: workspaceScriptMetadata,
               shell,
-            ) + (args ? " " + args : "")
+              quoteValues: true,
+            }) + (args ? " " + args : "")
           : options.script;
         const scriptCommand = options.inline
           ? {

package/src/runScript/scriptExecution.mjs

@@ -19,7 +19,7 @@ const createShellScript = (command) => {
   return DEFAULT_TEMP_DIR.createFile({
     name: fileName,
     content: command,
-    mode: 493,
+    mode: 448,
   });
 };
 const createScriptExecutor = (command, shell) => {

package/src/runScript/workspaceScriptMetadata.mjs

@@ -1,6 +1,16 @@
+import { quote } from "../internal/bundledDeps/shellQuote.mjs";
 import { BunWorkspacesError, IS_WINDOWS } from "../internal/core/index.mjs";
 import { getWorkspaceScriptMetadataConfig } from "../3725.mjs";
 
+/**
+ * Wrap a value so that, when it is concatenated into a shell command for
+ * `shell`, the receiving shell parses it as a single literal token. Used
+ * when substituted metadata values land in a shell-interpretable context
+ * (inline command bodies, string-form `--args` before POSIX parse).
+ */ const quoteShellValue = (value, shell) =>
+  IS_WINDOWS && shell === "system"
+    ? `"${value.replace(/"/g, '""')}"`
+    : quote([value]);
 const createScriptRuntimeEnvVars = (metadata) => {
   const keys = [
     "projectPath",
@@ -16,7 +26,12 @@ const createScriptRuntimeEnvVars = (metadata) => {
     return acc;
   }, {});
 };
-const interpolateWorkspaceScriptMetadata = (text, metadata, shell) => {
+const interpolateWorkspaceScriptMetadata = ({
+  text,
+  metadata,
+  shell,
+  quoteValues = false,
+}) => {
   const keys = [
     "projectPath",
     "projectName",
@@ -33,6 +48,13 @@ const interpolateWorkspaceScriptMetadata = (text, metadata, shell) => {
       (k) => getWorkspaceScriptMetadataConfig(k).inlineName === match,
     );
     const value = metadata[key];
+    if (quoteValues) {
+      // Preserve "empty substitution is invisible" — quoting an empty value
+      // would inject a literal `''` shell token (an empty positional arg),
+      // which changes argv length for commands like `echo <scriptName>`
+      // when no inline scriptName is set.
+      return value === "" ? "" : quoteShellValue(value, shell);
+    }
     if (IS_WINDOWS && shell === "bun") {
       return value.replace(/\\/g, "\\\\");
     }
@@ -57,4 +79,5 @@ export {
   createScriptRuntimeEnvVars,
   getWorkspaceScriptMetadata,
   interpolateWorkspaceScriptMetadata,
+  quoteShellValue,
 };

package/src/workspaces/findWorkspaces.mjs

@@ -67,6 +67,7 @@ const findWorkspaces = ({
   workspaceGlobs: _workspaceGlobs,
   includeRootWorkspace = false,
   workspacePatternConfigs,
+  loadConfigOptions,
 }) => {
   rootDirectory = path.resolve(rootDirectory);
   logger.debug(`Finding workspaces in ${rootDirectory}`);
@@ -109,6 +110,7 @@ const findWorkspaces = ({
       );
       const workspaceConfig = loadWorkspaceConfig(
         path.dirname(packageJsonPath),
+        loadConfigOptions,
       );
       if (workspaceConfig) {
         for (const alias of workspaceConfig.aliases) {