just-bash-mcp 2.9.3 → 2.9.5

package/README.md

@@ -7,16 +7,14 @@ An MCP (Model Context Protocol) server that provides a sandboxed bash environmen
 
 Execute bash commands in a secure, isolated environment with an in-memory virtual filesystem.
 
-Built on top of [`just-bash`](https://github.com/vercel-labs/just-bash) v2.10.2.
+Built on top of [`just-bash`](https://github.com/vercel-labs/just-bash) v2.12.5.
 
-## What's New in v2.9.2
+## What's New in v2.9.5
 
-- **Expanded Vercel Sandbox API coverage** - `bash_sandbox_run` now supports optional `includeOutput` and `includeLogs`
-- **Sandbox domain support** - New `bash_sandbox_domain` tool returns the current sandbox domain/identifier
-- **Synced with upstream `just-bash` v2.10.2** - Full upstream commands, APIs, and type exports
+- **Synced with upstream `just-bash` v2.12.5** - Full upstream commands, APIs, and type exports
+- **Persistent sandbox tools** - `bash_sandbox_*` tools remain available for higher-level isolated workflows
 - **Defense-in-depth mode** - Opt-in monkey-patching of dangerous JS globals (`JUST_BASH_DEFENSE_IN_DEPTH=true`)
-- **Python support** - Python3 via Pyodide (`JUST_BASH_ENABLE_PYTHON=true`)
-- **Vercel Sandbox API tools** - Compatible `bash_sandbox_*` tools for isolated execution
+- **Python support** - Python3 via the upstream emscripten CPython runtime (`JUST_BASH_ENABLE_PYTHON=true`)
 - **MountableFS + ReadWriteFS** - Real directory mounts with overlay/read-write options
 - **Configurable execution limits** - Fine-grained control over loops, strings, arrays, heredocs, and substitutions
 
@@ -30,6 +28,22 @@ Built on top of [`just-bash`](https://github.com/vercel-labs/just-bash) v2.10.2.
 - **MountableFS Support**: Mount multiple filesystems at different paths
 - **ReadWriteFS Support**: Direct read-write access to real directories
 
+## Synced Upstream Features
+
+The current wrapper release tracks `just-bash` `v2.12.5`, which brings in the post-`v2.10.2` upstream feature set, including:
+
+- Defense-in-depth hardening across the runtime and filesystem layers
+- Defense-in-depth enabled by default upstream, plus additional hardening passes
+- Filesystem hardening for overlays, external filesystems, symlinks, and broken symlink handling
+- Virtualized PID and shell security invariant improvements
+- Updated `Sandbox.runCommand()` signature compatibility
+- Python runtime migration from Pyodide to emscripten CPython
+- Follow-up Python runtime hardening and cleanup
+- UTF-8 handling and write-path fixes
+- CommonJS compatibility improvements upstream
+- `ls -F` / `--classify` support
+- Additional cleanup and internal hardening work shipped through `v2.12.5`
+
 ## Installation
 
 ### From npm (recommended)
@@ -123,7 +137,7 @@ Add to your MCP settings:
 | `JUST_BASH_MAX_CALL_DEPTH` | Maximum function recursion depth | `100` |
 | `JUST_BASH_MAX_COMMAND_COUNT` | Maximum total commands per execution | `10000` |
 | `JUST_BASH_MAX_LOOP_ITERATIONS` | Maximum iterations per loop | `10000` |
-| `JUST_BASH_ENABLE_PYTHON` | Enable Python3 via Pyodide (`true`/`false`) | `false` |
+| `JUST_BASH_ENABLE_PYTHON` | Enable Python3 via emscripten CPython (`true`/`false`) | `false` |
 | `JUST_BASH_DEFENSE_IN_DEPTH` | Enable defense-in-depth mode (`true`/`false`) | `false` |
 | `JUST_BASH_DEFENSE_IN_DEPTH_AUDIT` | Audit mode: log violations but don't block | `false` |
 | `JUST_BASH_DEFENSE_IN_DEPTH_LOG` | Log violations to console | `false` |
@@ -174,16 +188,16 @@ Get information about the bash environment configuration, including defense-in-d
 
 Get current working directory or environment variables.
 
-### Vercel Sandbox API
+### `bash_sandbox_*`
 
-Compatible with the Vercel Sandbox API:
+Persistent isolated-environment helpers:
 
-- `bash_sandbox_run` - Run a command in the sandbox (optionally include structured output/logs)
-- `bash_sandbox_domain` - Get the sandbox domain/identifier
+- `bash_sandbox_run` - Run a command with optional structured output/logs
+- `bash_sandbox_domain` - Get the current sandbox domain/identifier
 - `bash_sandbox_write_files` - Write multiple files at once
 - `bash_sandbox_read_file` - Read a file (supports base64 encoding)
 - `bash_sandbox_mkdir` - Create a directory
-- `bash_sandbox_stop` - Stop and clean up the sandbox
+- `bash_sandbox_stop` - Stop and clean up the sandbox state
 - `bash_sandbox_reset` - Reset the sandbox state
 
 ## Supported Commands
@@ -274,7 +288,7 @@ Compatible with the Vercel Sandbox API:
 
 ## Upstream API Coverage
 
-This wrapper integrates the full public API surface of `just-bash` v2.10.2:
+This wrapper integrates the full public API surface of `just-bash` v2.12.5:
 
 | Category | Exports Used |
 |----------|-------------|

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "just-bash-mcp",
-	"version": "2.9.3",
+	"version": "2.9.5",
 	"description": "MCP server providing a sandboxed bash environment using just-bash",
 	"type": "module",
 	"main": "./src/index.ts",
@@ -42,8 +42,7 @@
 		"cline",
 		"roo-code",
 		"windsurf",
-		"just-bash",
-		"vercel"
+		"just-bash"
 	],
 	"author": "dalist1",
 	"license": "Apache-2.0",
@@ -61,7 +60,7 @@
 	"packageManager": "bun@1.3.8",
 	"dependencies": {
 		"@modelcontextprotocol/sdk": "^1.27.0",
-		"just-bash": "^2.10.2",
+		"just-bash": "^2.12.5",
 		"zod": "^4.3.6"
 	},
 	"devDependencies": {

package/src/config/index.ts

@@ -372,7 +372,8 @@ export const ENVIRONMENT_VARIABLES = {
 		"Max file read size in bytes for OverlayFs/ReadWriteFs (default: 10MB)",
 	JUST_BASH_ENABLE_LOGGING: "Enable debug logging (default: false)",
 	JUST_BASH_ENABLE_TRACING: "Enable performance tracing (default: false)",
-	JUST_BASH_ENABLE_PYTHON: "Enable python3/python commands via Pyodide (default: false)",
+	JUST_BASH_ENABLE_PYTHON:
+		"Enable python3/python commands via the upstream emscripten CPython runtime (default: false)",
 	JUST_BASH_DEFENSE_IN_DEPTH:
 		"Enable defense-in-depth mode that patches dangerous JS globals (default: false)",
 	JUST_BASH_DEFENSE_IN_DEPTH_AUDIT:
@@ -390,7 +391,7 @@ export const COMMAND_CATEGORIES = {
 	textProcessing:
 		"awk, base64, column, comm, cut, diff, expand, fold, grep (egrep, fgrep), head, join, md5sum, nl, od, paste, printf, rev, rg (ripgrep), sed, sha1sum, sha256sum, sort, strings, tac, tail, tr, unexpand, uniq, wc, xargs",
 	dataProcessing:
-		"jq (JSON), python3/python (Python via Pyodide), sqlite3 (SQLite), xan (CSV), yq (YAML/XML/TOML/CSV)",
+		"jq (JSON), python3/python (Python via emscripten CPython), sqlite3 (SQLite), xan (CSV), yq (YAML/XML/TOML/CSV)",
 	compression: "gzip (gunzip, zcat), tar",
 	navigation:
 		"basename, cd, dirname, du, echo, env, export, find, hostname, printenv, pwd, tee, whoami",
@@ -411,8 +412,9 @@ export const FEATURES = {
 	trace: "Performance profiling via TraceCallback (upstream type)",
 	commandFilter: "Restrict available commands via JUST_BASH_ALLOWED_COMMANDS env var",
 	sandboxApi:
-		"Vercel Sandbox compatible API via bash_sandbox_* tools (run, write, read, mkdir, stop, reset)",
-	python: "Python support via Pyodide (opt-in via JUST_BASH_ENABLE_PYTHON=true)",
+		"Additional persistent sandbox tools via bash_sandbox_* (run, write, read, mkdir, stop, reset)",
+	python:
+		"Python support via the upstream emscripten CPython runtime (opt-in via JUST_BASH_ENABLE_PYTHON=true)",
 	defenseInDepth:
 		"Defense-in-depth with SecurityViolationLogger, audit mode, and console logging (opt-in via JUST_BASH_DEFENSE_IN_DEPTH=true)",
 	overlayReadOnly:

package/src/index.ts

@@ -4,7 +4,7 @@
  * just-bash-mcp - MCP Server for sandboxed bash execution
  *
  * A Model Context Protocol (MCP) server that provides AI agents with a
- * secure, sandboxed bash environment powered by just-bash from Vercel Labs.
+ * secure, sandboxed bash environment powered by just-bash.
  *
  * @see https://github.com/vercel-labs/just-bash
  * @see https://modelcontextprotocol.io

package/src/tools/bash-instance.ts

@@ -3,7 +3,7 @@
  * Handles creation and lifecycle of Bash instances
  *
  * Uses all upstream just-bash APIs:
- * - Bash, Sandbox, SandboxCommand for execution
+ * - Bash and Sandbox for execution
  * - DefenseInDepthBox with SecurityViolationLogger for security monitoring
  * - defineCommand for custom command registration
  * - All filesystem variants (InMemoryFs, MountableFs, OverlayFs, ReadWriteFs)

package/src/tools/index.ts

@@ -37,7 +37,7 @@ export function registerAllTools(server: McpServer): void {
 	// File operation tools
 	registerFileTools(server);
 
-	// Vercel Sandbox compatible tools
+	// Additional persistent sandbox tools
 	registerSandboxTools(server);
 
 	// Information and state tools

package/src/tools/sandbox-tools.ts

@@ -1,6 +1,6 @@
 /**
  * Sandbox API tools
- * Vercel Sandbox compatible tools for execution in an isolated environment
+ * Tools for execution in a persistent isolated environment
  *
  * Uses upstream Sandbox/SandboxCommand APIs:
  * - Sandbox.create(), runCommand(), writeFiles(), readFile(), mkDir(), stop()
@@ -27,9 +27,6 @@ import {
 } from "../utils/index.ts";
 import { getPersistentSandbox, resetPersistentSandbox } from "./bash-instance.ts";
 
-/**
- * Classify errors from just-bash into user-friendly messages.
- */
 function classifyError(error: unknown, prefix: string) {
 	if (error instanceof NetworkAccessDeniedError) {
 		return createErrorResponse(error, `${prefix} [Network Access Denied]`);
@@ -46,18 +43,12 @@ function classifyError(error: unknown, prefix: string) {
 	return createErrorResponse(error, prefix);
 }
 
-/**
- * Register Vercel Sandbox compatible tools with the MCP server
- */
 export function registerSandboxTools(server: McpServer): void {
-	// ========================================================================
-	// bash_sandbox_run - Run command in sandbox
-	// ========================================================================
 	server.registerTool(
 		"bash_sandbox_run",
 		{
 			description:
-				"Run a command in a Vercel Sandbox compatible environment. The sandbox persists across calls.",
+				"Run a command in a persistent isolated environment with optional structured output and logs.",
 			inputSchema: {
 				command: z.string().describe("The command to execute"),
 				cwd: z.string().optional().describe("Working directory for the command"),
@@ -122,13 +113,10 @@ export function registerSandboxTools(server: McpServer): void {
 		},
 	);
 
-	// ========================================================================
-	// bash_sandbox_domain - Get sandbox domain
-	// ========================================================================
 	server.registerTool(
 		"bash_sandbox_domain",
 		{
-			description: "Get the current sandbox domain/identifier.",
+			description: "Get the current sandbox domain or identifier.",
 			inputSchema: {},
 		},
 		async () => {
@@ -141,13 +129,10 @@ export function registerSandboxTools(server: McpServer): void {
 		},
 	);
 
-	// ========================================================================
-	// bash_sandbox_write_files - Write multiple files
-	// ========================================================================
 	server.registerTool(
 		"bash_sandbox_write_files",
 		{
-			description: "Write multiple files to the sandbox environment at once.",
+			description: "Write multiple files to the persistent isolated environment at once.",
 			inputSchema: {
 				files: z.record(z.string(), z.string()).describe("Files to write (path -> content)"),
 			},
@@ -166,13 +151,10 @@ export function registerSandboxTools(server: McpServer): void {
 		},
 	);
 
-	// ========================================================================
-	// bash_sandbox_read_file - Read file from sandbox
-	// ========================================================================
 	server.registerTool(
 		"bash_sandbox_read_file",
 		{
-			description: "Read a file from the sandbox environment.",
+			description: "Read a file from the persistent isolated environment.",
 			inputSchema: {
 				path: z.string().describe("The file path to read"),
 				encoding: z.enum(["utf-8", "base64"]).optional().describe("File encoding (default: utf-8)"),
@@ -197,13 +179,10 @@ export function registerSandboxTools(server: McpServer): void {
 		},
 	);
 
-	// ========================================================================
-	// bash_sandbox_mkdir - Create directory in sandbox
-	// ========================================================================
 	server.registerTool(
 		"bash_sandbox_mkdir",
 		{
-			description: "Create a directory in the sandbox environment.",
+			description: "Create a directory in the persistent isolated environment.",
 			inputSchema: {
 				path: z.string().describe("The directory path to create"),
 				recursive: z
@@ -224,14 +203,11 @@ export function registerSandboxTools(server: McpServer): void {
 		},
 	);
 
-	// ========================================================================
-	// bash_sandbox_stop - Stop and clean up sandbox
-	// ========================================================================
 	server.registerTool(
 		"bash_sandbox_stop",
 		{
 			description:
-				"Stop and clean up the sandbox environment, releasing all resources. Use bash_sandbox_reset to just clear state.",
+				"Stop and clean up the persistent isolated environment, releasing all resources. Use bash_sandbox_reset to just clear state.",
 			inputSchema: {},
 		},
 		async () => {
@@ -244,13 +220,10 @@ export function registerSandboxTools(server: McpServer): void {
 		},
 	);
 
-	// ========================================================================
-	// bash_sandbox_reset - Reset sandbox
-	// ========================================================================
 	server.registerTool(
 		"bash_sandbox_reset",
 		{
-			description: "Reset the sandbox environment, clearing all files and state.",
+			description: "Reset the persistent isolated environment, clearing all files and state.",
 			inputSchema: {},
 		},
 		async () => {