just-bash-mcp 2.8.0 → 2.9.0

package/README.md

@@ -7,15 +7,20 @@ An MCP (Model Context Protocol) server that provides a sandboxed bash environmen
 
 Execute bash commands in a secure, isolated environment with an in-memory virtual filesystem.
 
-Built on top of [`just-bash`](https://github.com/vercel-labs/just-bash) v2.5.2.
+Built on top of [`just-bash`](https://github.com/vercel-labs/just-bash) v2.9.6.
 
-## What's New in v2.1.0
+## What's New in v2.8.0
 
+- **Synced with upstream `just-bash` v2.9.6** - Latest security hardening, defense-in-depth, fuzzing, jq fixes, and large file support
+- **Defense-in-depth mode** - Opt-in monkey-patching of dangerous JS globals (`JUST_BASH_DEFENSE_IN_DEPTH=true`)
+- **Python support** - Python3 via Pyodide (`JUST_BASH_ENABLE_PYTHON=true`)
+- **Vercel Sandbox API** - Compatible `bash_sandbox_*` tools for isolated execution
+- **oxlint/oxfmt toolchain** - Replaced tsc/biome with faster oxlint and oxfmt
+- **Configurable limits** - Fine-grained control over glob ops, string length, array size, heredoc size, and more
 - **`rg` (ripgrep)** - Fast regex search with `--files`, `-d`, `--stats`, `-t markdown`
 - **`tar`** - Archive support with compression
 - **MountableFS** - Mount multiple filesystems at different paths
 - **ReadWriteFS** - Direct read-write access to real directories
-- **Multi-level glob patterns** - Improved `**/*.ts` style matching
 
 ## Features
 
@@ -120,6 +125,16 @@ Add to your MCP settings:
 | `JUST_BASH_MAX_CALL_DEPTH` | Maximum function recursion depth | `100` |
 | `JUST_BASH_MAX_COMMAND_COUNT` | Maximum total commands per execution | `10000` |
 | `JUST_BASH_MAX_LOOP_ITERATIONS` | Maximum iterations per loop | `10000` |
+| `JUST_BASH_ENABLE_PYTHON` | Enable Python3 via Pyodide (`true`/`false`) | `false` |
+| `JUST_BASH_DEFENSE_IN_DEPTH` | Enable defense-in-depth mode (`true`/`false`) | `false` |
+| `JUST_BASH_DEFENSE_IN_DEPTH_AUDIT` | Audit mode: log violations but don't block | `false` |
+| `JUST_BASH_DEFENSE_IN_DEPTH_LOG` | Log violations to console | `false` |
+| `JUST_BASH_OVERLAY_READ_ONLY` | OverlayFS read-only mode | `false` |
+| `JUST_BASH_MAX_RESPONSE_SIZE` | Max network response body size (bytes) | `10485760` |
+| `JUST_BASH_MAX_FILE_READ_SIZE` | Max file read size for OverlayFs/ReadWriteFs | `10485760` |
+| `JUST_BASH_ALLOWED_COMMANDS` | Comma-separated command allow-list | all |
+| `JUST_BASH_ENABLE_LOGGING` | Enable execution logging | `false` |
+| `JUST_BASH_ENABLE_TRACING` | Enable performance tracing | `false` |
 
 ## Tools
 
@@ -149,9 +164,28 @@ Reset the persistent bash environment, clearing all files and state.
 
 File operations in the persistent environment.
 
+### `bash_direct_read` / `bash_direct_write`
+
+Direct filesystem read/write operations (bypass shell execution).
+
 ### `bash_info`
 
-Get information about the bash environment configuration.
+Get information about the bash environment configuration, including defense-in-depth violation stats.
+
+### `bash_get_cwd` / `bash_get_env`
+
+Get current working directory or environment variables.
+
+### Vercel Sandbox API
+
+Compatible with the Vercel Sandbox API:
+
+- `bash_sandbox_run` - Run a command in the sandbox
+- `bash_sandbox_write_files` - Write multiple files at once
+- `bash_sandbox_read_file` - Read a file (supports base64 encoding)
+- `bash_sandbox_mkdir` - Create a directory
+- `bash_sandbox_stop` - Stop and clean up the sandbox
+- `bash_sandbox_reset` - Reset the sandbox state
 
 ## Supported Commands
 
@@ -235,6 +269,26 @@ Get information about the bash environment configuration.
 - Execution limits protect against infinite loops and recursion
 - No binary/WASM execution
 - Network disabled by default; when enabled, URL and method allow-lists enforced
+- **Defense-in-depth mode** (opt-in): Monkey-patches dangerous JS globals (`Function`, `eval`, `setTimeout`, `process`, etc.) during script execution to block escape vectors
+- **SecurityViolationLogger**: Tracks all defense-in-depth violations with full stats accessible via `bash_info`
+- **Rich network error classification**: `NetworkAccessDeniedError`, `TooManyRedirectsError`, `RedirectNotAllowedError` for precise error messages
+
+## Upstream API Coverage
+
+This wrapper integrates the full public API surface of `just-bash` v2.9.6:
+
+| Category | Exports Used |
+|----------|-------------|
+| Core | `Bash`, `BashOptions`, `ExecOptions`, `BashExecResult` |
+| Commands | `CommandName`, `AllCommandName`, `getCommandNames`, `getNetworkCommandNames`, `getPythonCommandNames` |
+| Custom Commands | `defineCommand`, `CustomCommand`, `LazyCommand` |
+| Filesystem | `InMemoryFs`, `OverlayFs`, `ReadWriteFs`, `MountableFs`, `IFileSystem` |
+| Network | `NetworkConfig`, `NetworkAccessDeniedError`, `TooManyRedirectsError`, `RedirectNotAllowedError` |
+| Sandbox | `Sandbox`, `SandboxCommand`, `SandboxOptions`, `OutputMessage` |
+| Security | `DefenseInDepthBox`, `SecurityViolationLogger`, `SecurityViolationError`, `createConsoleViolationCallback` |
+| Trace | `TraceCallback`, `TraceEvent` |
+
+All types are re-exported from `src/types.ts` for downstream consumers.
 
 ## License
 

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "just-bash-mcp",
-	"version": "2.8.0",
+	"version": "2.9.0",
 	"description": "MCP server providing a sandboxed bash environment using just-bash",
 	"type": "module",
 	"main": "./src/index.ts",
@@ -65,9 +65,9 @@
 		"zod": "^4.3.6"
 	},
 	"devDependencies": {
-		"@types/node": "^25.2.1",
+		"@types/node": "^25.2.2",
 		"oxfmt": "^0.28.0",
 		"oxlint": "^1.43.0",
-		"oxlint-tsgolint": "^0.11.4"
+		"oxlint-tsgolint": "^0.11.5"
 	}
 }

package/src/config/index.ts

@@ -7,29 +7,26 @@ import {
 	type BashLogger,
 	type BashOptions,
 	type CommandName,
-	InMemoryFs,
-	MountableFs,
+	type DefenseInDepthConfig,
 	type MountConfig,
 	type NetworkConfig,
+	type TraceCallback,
+	type TraceEvent,
 	OverlayFs,
 	ReadWriteFs,
+	SecurityViolationLogger,
+	createConsoleViolationCallback,
 } from "just-bash";
 
+// Re-export upstream types used by other modules
+export type { DefenseInDepthConfig, TraceCallback, TraceEvent };
+
 // ============================================================================
 // Types
 // ============================================================================
 
 export type HttpMethod = "GET" | "HEAD" | "POST" | "PUT" | "DELETE" | "PATCH" | "OPTIONS";
 
-export interface TraceEvent {
-	category: string;
-	name: string;
-	durationMs: number;
-	details?: Record<string, unknown>;
-}
-
-export type TraceCallback = (event: TraceEvent) => void;
-
 // ============================================================================
 // Environment Variable Parsing
 // ============================================================================
@@ -89,6 +86,8 @@ export interface Config {
 	readonly ENABLE_TRACING: boolean;
 	readonly ENABLE_PYTHON: boolean;
 	readonly ENABLE_DEFENSE_IN_DEPTH: boolean;
+	readonly DEFENSE_IN_DEPTH_AUDIT: boolean;
+	readonly DEFENSE_IN_DEPTH_LOG: boolean;
 	readonly OVERLAY_READ_ONLY: boolean;
 	readonly ALLOWED_COMMANDS: CommandName[] | undefined;
 }
@@ -157,6 +156,8 @@ export const config: Config = {
 	// Feature flags
 	ENABLE_PYTHON: parseEnvBoolean("JUST_BASH_ENABLE_PYTHON", false),
 	ENABLE_DEFENSE_IN_DEPTH: parseEnvBoolean("JUST_BASH_DEFENSE_IN_DEPTH", false),
+	DEFENSE_IN_DEPTH_AUDIT: parseEnvBoolean("JUST_BASH_DEFENSE_IN_DEPTH_AUDIT", false),
+	DEFENSE_IN_DEPTH_LOG: parseEnvBoolean("JUST_BASH_DEFENSE_IN_DEPTH_LOG", false),
 	OVERLAY_READ_ONLY: parseEnvBoolean("JUST_BASH_OVERLAY_READ_ONLY", false),
 
 	// Command filtering
@@ -199,6 +200,39 @@ export const traceCallback: TraceCallback | undefined = config.ENABLE_TRACING
 		}
 	: undefined;
 
+// ============================================================================
+// Defense-in-Depth Configuration
+// ============================================================================
+
+/**
+ * Shared SecurityViolationLogger instance for tracking violations across
+ * all Bash instances. Exposed so info-tools can report violation stats.
+ */
+export const violationLogger = new SecurityViolationLogger();
+
+/**
+ * Build the defense-in-depth configuration from environment variables.
+ * Returns `false` when disabled, or a full DefenseInDepthConfig object.
+ */
+export function buildDefenseInDepthConfig(): DefenseInDepthConfig | false {
+	if (!config.ENABLE_DEFENSE_IN_DEPTH) {
+		return false;
+	}
+
+	const consoleCallback = config.DEFENSE_IN_DEPTH_LOG
+		? createConsoleViolationCallback()
+		: undefined;
+
+	return {
+		enabled: true,
+		auditMode: config.DEFENSE_IN_DEPTH_AUDIT,
+		onViolation: (violation) => {
+			violationLogger.record(violation);
+			consoleCallback?.(violation);
+		},
+	};
+}
+
 // ============================================================================
 // Configuration Builders
 // ============================================================================
@@ -315,6 +349,10 @@ export const ENVIRONMENT_VARIABLES = {
 	JUST_BASH_ENABLE_PYTHON: "Enable python3/python commands via Pyodide (default: false)",
 	JUST_BASH_DEFENSE_IN_DEPTH:
 		"Enable defense-in-depth mode that patches dangerous JS globals (default: false)",
+	JUST_BASH_DEFENSE_IN_DEPTH_AUDIT:
+		"Audit mode: log violations but don't block them (default: false, requires DEFENSE_IN_DEPTH=true)",
+	JUST_BASH_DEFENSE_IN_DEPTH_LOG:
+		"Log violations to console via createConsoleViolationCallback (default: false)",
 } as const;
 
 // ============================================================================
@@ -340,19 +378,25 @@ export const COMMAND_CATEGORIES = {
 // ============================================================================
 
 export const FEATURES = {
-	customCommands: "Define custom TypeScript commands using defineCommand()",
+	customCommands:
+		"Define custom TypeScript commands using defineCommand() from just-bash, supports lazy-loading via LazyCommand",
 	rawScript: "Preserve leading whitespace in scripts (useful for here-docs)",
 	logger: "Optional execution logging via BashLogger interface",
-	trace: "Performance profiling via TraceCallback",
+	trace: "Performance profiling via TraceCallback (upstream type)",
 	commandFilter: "Restrict available commands via JUST_BASH_ALLOWED_COMMANDS env var",
-	sandboxApi: "Vercel Sandbox compatible API via bash_sandbox_* tools",
+	sandboxApi:
+		"Vercel Sandbox compatible API via bash_sandbox_* tools (run, write, read, mkdir, stop, reset)",
 	python: "Python support via Pyodide (opt-in via JUST_BASH_ENABLE_PYTHON=true)",
 	defenseInDepth:
-		"Defense-in-depth mode that monkey-patches dangerous JS globals during execution (opt-in via JUST_BASH_DEFENSE_IN_DEPTH=true)",
+		"Defense-in-depth with SecurityViolationLogger, audit mode, and console logging (opt-in via JUST_BASH_DEFENSE_IN_DEPTH=true)",
 	overlayReadOnly:
 		"Read-only overlay filesystem mode (opt-in via JUST_BASH_OVERLAY_READ_ONLY=true)",
 	networkResponseSize:
 		"Configurable max network response body size via JUST_BASH_MAX_RESPONSE_SIZE",
 	fileReadSizeLimit:
 		"Configurable max file read size for OverlayFs/ReadWriteFs via JUST_BASH_MAX_FILE_READ_SIZE",
+	networkErrorHandling:
+		"Rich network error classification: NetworkAccessDeniedError, TooManyRedirectsError, RedirectNotAllowedError",
+	securityViolationTracking:
+		"SecurityViolationLogger tracks all defense-in-depth violations with stats via bash_info",
 } as const;