npm - just-bash - Versions diffs - 2.12.8 → 2.13.1 - Mend

just-bash 2.12.8 → 2.13.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (163) hide show

package/README.md CHANGED Viewed

@@ -1,96 +1,30 @@
 # just-bash
-A simulated bash environment with an in-memory virtual filesystem, written in TypeScript.
+A virtual bash environment with an in-memory filesystem, written in TypeScript and designed for AI agents.
-Designed for AI agents that need a secure, sandboxed bash environment.
+Broad support for standard unix commands and bash syntax with optional curl, Python, JS/TS, and sqlite support.
-Supports optional network access via `curl` with secure-by-default URL filtering.
+**Note**: This is beta software. Use at your own risk and please provide feedback. See [security model](#security-model).
-**Note**: This is beta software. Use at your own risk and please provide feedback.
-## Table of Contents
-- [Security model](#security-model)
-- [Installation](#installation)
-- [Usage](#usage)
-  - [Basic API](#basic-api)
-  - [Configuration](#configuration)
-  - [Custom Commands](#custom-commands)
-  - [Filesystem Options](#filesystem-options)
-  - [AI SDK Tool](#ai-sdk-tool)
-  - [Vercel Sandbox Compatible API](#vercel-sandbox-compatible-api)
-  - [CLI Binary](#cli-binary)
-  - [Interactive Shell](#interactive-shell)
-- [Supported Commands](#supported-commands)
-- [Shell Features](#shell-features)
-- [Default Layout](#default-layout)
-- [Network Access](#network-access)
-- [Execution Protection](#execution-protection)
-- [AST Transform Plugins](#ast-transform-plugins)
-- [Development](#development)
-## Security model
-- The shell only has access to the provided file system.
-- Execution is protected against infinite loops or recursion. However, Bash is not fully robust against DOS from input. If you need to be robust against this, use process isolation at the OS level.
-- Binaries or even WASM are inherently unsupported (Use [Vercel Sandbox](https://vercel.com/docs/vercel-sandbox) or a similar product if a full VM is needed).
-- There is no network access by default.
-- Network access can be enabled, but requests are checked against URL prefix allow-lists and HTTP-method allow-lists. See [network access](#network-access) for details
-## Installation
+## Quick Start
 ```bash
 npm install just-bash
 ```
-## Usage
-### Basic API
 ```typescript
 import { Bash } from "just-bash";
-const env = new Bash();
-await env.exec('echo "Hello" > greeting.txt');
-const result = await env.exec("cat greeting.txt");
+const bash = new Bash();
+await bash.exec('echo "Hello" > greeting.txt');
+const result = await bash.exec("cat greeting.txt");
 console.log(result.stdout); // "Hello\n"
 console.log(result.exitCode); // 0
-console.log(result.env); // Final environment after execution
-```
-Each `exec()` is isolated—env vars, functions, and cwd don't persist across calls (filesystem does).
-### Configuration
-```typescript
-const env = new Bash({
-  files: { "/data/file.txt": "content" }, // Initial files
-  env: { MY_VAR: "value" }, // Initial environment
-  cwd: "/app", // Starting directory (default: /home/user)
-  executionLimits: { maxCallDepth: 50 }, // See "Execution Protection"
-});
-// Per-exec overrides
-await env.exec("echo $TEMP", { env: { TEMP: "value" }, cwd: "/tmp" });
 ```
-#### Lazy Files
+Each `exec()` call gets its own isolated shell state — environment variables, functions, and working directory reset between calls. The **filesystem is shared** across calls, so files written in one `exec()` are visible in the next.
-File values can be functions (sync or async). The function is called on first read and the result is cached — if the file is written to before being read, the function is never called:
-```typescript
-const env = new Bash({
-  files: {
-    "/data/config.json": () => JSON.stringify({ key: "value" }),
-    "/data/remote.txt": async () => (await fetch("https://example.com")).text(),
-    "/data/static.txt": "always loaded",
-  },
-});
-```
-This is useful for large or expensive-to-compute content that may not be needed.
-### Custom Commands
+## Custom Commands
 Extend just-bash with your own TypeScript commands using `defineCommand`:
@@ -112,17 +46,125 @@ await bash.exec("hello Alice"); // "Hello, Alice!\n"
 await bash.exec("echo 'test' | upper"); // "TEST\n"
 ```
-Custom commands receive the full `CommandContext` with access to `fs`, `cwd`, `env`, `stdin`, and `exec` for running subcommands.
+Custom commands receive a `CommandContext` with `fs`, `cwd`, `env`, `stdin`, and `exec` (for subcommands), and work with pipes, redirections, and all shell features.
-### Filesystem Options
+<details>
+<summary><h2>Supported Commands</h2></summary>
+### File Operations
+`cat`, `cp`, `file`, `ln`, `ls`, `mkdir`, `mv`, `readlink`, `rm`, `rmdir`, `split`, `stat`, `touch`, `tree`
+### Text Processing
-Four filesystem implementations are available:
+`awk`, `base64`, `column`, `comm`, `cut`, `diff`, `expand`, `fold`, `grep` (+ `egrep`, `fgrep`), `head`, `join`, `md5sum`, `nl`, `od`, `paste`, `printf`, `rev`, `rg`, `sed`, `sha1sum`, `sha256sum`, `sort`, `strings`, `tac`, `tail`, `tr`, `unexpand`, `uniq`, `wc`, `xargs`
+### Data Processing
+`jq` (JSON), `sqlite3` (SQLite), `xan` (CSV), `yq` (YAML/XML/TOML/CSV)
+### Optional Runtimes
+`js-exec` (JavaScript/TypeScript via QuickJS; requires `javascript: true`), `python3`/`python` (Python via CPython; requires `python: true`)
+### Compression & Archives
+`gzip` (+ `gunzip`, `zcat`), `tar`
+### Navigation & Environment
+`basename`, `cd`, `dirname`, `du`, `echo`, `env`, `export`, `find`, `hostname`, `printenv`, `pwd`, `tee`
+### Shell Utilities
+`alias`, `bash`, `chmod`, `clear`, `date`, `expr`, `false`, `help`, `history`, `seq`, `sh`, `sleep`, `time`, `timeout`, `true`, `unalias`, `which`, `whoami`
+### Network
+`curl`, `html-to-markdown` (require [network configuration](#network-access))
+All commands support `--help` for usage information.
+### Shell Features
+- **Pipes**: `cmd1 | cmd2`
+- **Redirections**: `>`, `>>`, `2>`, `2>&1`, `<`
+- **Command chaining**: `&&`, `||`, `;`
+- **Variables**: `$VAR`, `${VAR}`, `${VAR:-default}`
+- **Positional parameters**: `$1`, `$2`, `$@`, `$#`
+- **Glob patterns**: `*`, `?`, `[...]`
+- **If statements**: `if COND; then CMD; elif COND; then CMD; else CMD; fi`
+- **Functions**: `function name { ... }` or `name() { ... }`
+- **Local variables**: `local VAR=value`
+- **Loops**: `for`, `while`, `until`
+- **Symbolic links**: `ln -s target link`
+- **Hard links**: `ln target link`
+</details>
+## Configuration
+```typescript
+const env = new Bash({
+  files: { "/data/file.txt": "content" }, // Initial files
+  env: { MY_VAR: "value" }, // Initial environment
+  cwd: "/app", // Starting directory (default: /home/user)
+  executionLimits: { maxCallDepth: 50 }, // See "Execution Protection"
+  python: true, // Enable python3/python commands
+  javascript: true, // Enable js-exec command
+  // Or with bootstrap: javascript: { bootstrap: "globalThis.X = 1;" }
+});
+// Per-exec overrides
+await env.exec("echo $TEMP", { env: { TEMP: "value" }, cwd: "/tmp" });
+// Pass stdin to the script
+await env.exec("cat", { stdin: "hello from stdin\n" });
+// Start with a clean environment
+await env.exec("env", { replaceEnv: true, env: { ONLY: "this" } });
+// Pass arguments without shell escaping (like spawnSync)
+await env.exec("grep", { args: ["-r", "TODO", "src/"] });
+// Cancel long-running scripts
+const controller = new AbortController();
+setTimeout(() => controller.abort(), 5000);
+await env.exec("while true; do sleep 1; done", { signal: controller.signal });
+// Preserve leading whitespace (e.g., for heredocs)
+await env.exec("cat <<EOF\n  indented\nEOF", { rawScript: true });
+```
+`exec()` options:
+| Option | Type | Description |
+|---|---|---|
+| `env` | `Record<string, string>` | Environment variables for this execution only |
+| `cwd` | `string` | Working directory for this execution only |
+| `stdin` | `string` | Standard input passed to the script |
+| `args` | `string[]` | Additional argv passed directly to the first command (bypasses shell parsing; does not change `$1`, `$2`, ...) |
+| `replaceEnv` | `boolean` | Start with empty env instead of merging (default: `false`) |
+| `signal` | `AbortSignal` | Cooperative cancellation; stops at next statement boundary |
+| `rawScript` | `boolean` | Skip leading-whitespace normalization (default: `false`) |
+## Filesystem Options
+Four filesystem implementations:
 **InMemoryFs** (default) - Pure in-memory filesystem, no disk access:
 ```typescript
 import { Bash } from "just-bash";
-const env = new Bash(); // Uses InMemoryFs by default
+const env = new Bash({
+  files: {
+    "/data/config.json": '{"key": "value"}',
+    // Lazy: called on first read, cached. Never called if written before read.
+    "/data/large.csv": () => "col1,col2\na,b\n",
+    "/data/remote.txt": async () => (await fetch("https://example.com")).text(),
+  },
+});
 ```
 **OverlayFs** - Copy-on-write over a real directory. Reads come from disk, writes stay in memory:
@@ -138,7 +180,7 @@ await env.exec("cat package.json"); // reads from disk
 await env.exec('echo "modified" > package.json'); // stays in memory
 ```
-**ReadWriteFs** - Direct read-write access to a real directory. Use this if you want the agent to be agle to write to your disk:
+**ReadWriteFs** - Direct read-write access to a real directory. Use this if you want the agent to be able to write to your disk:
 ```typescript
 import { Bash } from "just-bash";
@@ -188,9 +230,191 @@ const fs = new MountableFs({
 });
 ```
+## Optional Capabilities
+### Network Access
+Network access is disabled by default. Enable it with the `network` option:
+```typescript
+// Allow specific URLs with GET/HEAD only (safest)
+const env = new Bash({
+  network: {
+    allowedUrlPrefixes: [
+      "https://api.github.com/repos/myorg/",
+      "https://api.example.com",
+    ],
+  },
+});
+// Allow specific URLs with additional methods
+const env = new Bash({
+  network: {
+    allowedUrlPrefixes: ["https://api.example.com"],
+    allowedMethods: ["GET", "HEAD", "POST"], // Default: ["GET", "HEAD"]
+  },
+});
+// Inject credentials via header transforms (secrets never enter the sandbox)
+const env = new Bash({
+  network: {
+    allowedUrlPrefixes: [
+      "https://public-api.com", // plain string — no transforms
+      {
+        url: "https://ai-gateway.vercel.sh",
+        transform: [{ headers: { Authorization: "Bearer secret" } }],
+      },
+    ],
+  },
+});
+// Allow all URLs and methods (use with caution)
+const env = new Bash({
+  network: { dangerouslyAllowFullInternetAccess: true },
+});
+```
+**Note:** The `curl` command only exists when network is configured. Without network configuration, `curl` returns "command not found".
+#### Allow-List Security
+The allow-list enforces:
+- **Origin matching**: URLs must match the exact origin (scheme + host + port)
+- **Path prefix**: Only paths starting with the specified prefix are allowed
+- **HTTP method restrictions**: Only GET and HEAD by default (configure `allowedMethods` for more)
+- **Redirect protection**: Redirects to non-allowed URLs are blocked
+- **Header transforms**: Firewall headers are injected at the fetch boundary and override any user-supplied headers with the same name, preventing credential substitution from inside the sandbox. Headers are re-evaluated on each redirect so credentials are never leaked to non-transform hosts
+#### Using curl
+```bash
+# Fetch and process data
+curl -s https://api.example.com/data | grep pattern
+# Download and convert HTML to Markdown
+curl -s https://example.com | html-to-markdown
+# POST JSON data
+curl -X POST -H "Content-Type: application/json" \
+  -d '{"key":"value"}' https://api.example.com/endpoint
+```
+### JavaScript Support
+JavaScript and TypeScript execution via QuickJS is opt-in due to additional security surface. Enable with `javascript: true`:
+```typescript
+const env = new Bash({
+  javascript: true,
+});
+// Execute JavaScript code
+await env.exec('js-exec -c "console.log(1 + 2)"');
+// Run script files (.js, .mjs, .ts, .mts)
+await env.exec('js-exec script.js');
+// ES module mode with imports
+await env.exec('js-exec -m -c "import fs from \'fs\'; console.log(fs.readFileSync(\'/data/file.txt\', \'utf8\'))"');
+```
+#### Bootstrap Code
+Run setup code before every `js-exec` invocation with the `bootstrap` option:
+```typescript
+const env = new Bash({
+  javascript: {
+    bootstrap: `
+      globalThis.API_BASE = "https://api.example.com";
+      globalThis.formatDate = (d) => new Date(d).toISOString();
+    `,
+  },
+});
+await env.exec('js-exec -c "console.log(API_BASE)"');
+// Output: https://api.example.com
+```
+#### Node.js Compatibility
+`js-exec` supports `require()` and `import` with these Node.js modules:
+- **fs**: `readFileSync`, `writeFileSync`, `readdirSync`, `statSync`, `existsSync`, `mkdirSync`, `rmSync`, `fs.promises.*`
+- **path**: `join`, `resolve`, `dirname`, `basename`, `extname`, `relative`, `normalize`
+- **child_process**: `execSync`, `spawnSync`
+- **process**: `argv`, `cwd()`, `exit()`, `env`, `platform`, `version`
+- **Other modules**: `os`, `url`, `assert`, `util`, `events`, `buffer`, `stream`, `string_decoder`, `querystring`
+- **Globals**: `console`, `fetch`, `Buffer`, `URL`, `URLSearchParams`
+`fs.readFileSync()` returns a `Buffer` by default (matching Node.js). Pass an encoding like `'utf8'` to get a string.
+**Note:** The `js-exec` command only exists when `javascript` is configured. It is not available in browser environments. Execution runs in a QuickJS WASM sandbox with a 64 MB memory limit and configurable timeout (default: 10s, 60s with network).
+### Python Support
+Python (CPython compiled to WASM) is opt-in due to additional security surface. Enable with `python: true`:
+```typescript
+const env = new Bash({
+  python: true,
+});
+// Execute Python code
+await env.exec('python3 -c "print(1 + 2)"');
+// Run Python scripts
+await env.exec('python3 script.py');
+```
+**Note:** The `python3` and `python` commands only exist when `python: true` is configured. Python is not available in browser environments.
+### SQLite Support
+`sqlite3` uses sql.js (SQLite compiled to WASM), sandboxed from the real filesystem:
+```typescript
+const env = new Bash();
+// Query in-memory database
+await env.exec('sqlite3 :memory: "SELECT 1 + 1"');
+// Query file-based database
+await env.exec('sqlite3 data.db "SELECT * FROM users"');
+```
+**Note:** SQLite is not available in browser environments. Queries run in a worker thread with a configurable timeout (default: 5 seconds) to prevent runaway queries from blocking execution.
+## AST Transform Plugins
+Parse bash scripts into an AST, transform them, and serialize back to bash. Good for instrumenting scripts (e.g., capturing per-command stdout/stderr) or extracting metadata before execution.
+```typescript
+import { Bash, BashTransformPipeline, TeePlugin, CommandCollectorPlugin } from "just-bash";
+// Standalone pipeline — output can be run by any shell
+const pipeline = new BashTransformPipeline()
+  .use(new TeePlugin({ outputDir: "/tmp/logs" }))
+  .use(new CommandCollectorPlugin());
+const result = pipeline.transform("echo hello | grep hello");
+result.script;             // transformed bash string
+result.metadata.commands;  // ["echo", "grep", "tee"]
+// Integrated API — exec() auto-applies transforms and returns metadata
+const bash = new Bash();
+bash.registerTransformPlugin(new CommandCollectorPlugin());
+const execResult = await bash.exec("echo hello | grep hello");
+execResult.metadata?.commands; // ["echo", "grep"]
+```
+See [src/transform/README.md](src/transform/README.md) for the full API, built-in plugins, and how to write custom plugins.
+## Integrations
 ### AI SDK Tool
-For AI agents, use [`bash-tool`](https://github.com/vercel-labs/bash-tool) which is optimized for just-bash and provides a ready-to-use [AI SDK](https://ai-sdk.dev/) tool:
+[`bash-tool`](https://github.com/vercel-labs/bash-tool) wraps just-bash as an [AI SDK](https://ai-sdk.dev/) tool:
 ```bash
 npm install bash-tool
@@ -211,11 +435,11 @@ const result = await generateText({
 });
 ```
-See the [bash-tool documentation](https://github.com/vercel-labs/bash-tool) for more details and examples.
+See [bash-tool](https://github.com/vercel-labs/bash-tool) for more.
 ### Vercel Sandbox Compatible API
-Bash provides a `Sandbox` class that's API-compatible with [`@vercel/sandbox`](https://vercel.com/docs/vercel-sandbox), making it easy to swap implementations. You can start with Bash and switch to a real sandbox when you need the power of a full VM (e.g. to run node, python, or custom binaries).
+`Sandbox` is a drop-in replacement for [`@vercel/sandbox`](https://vercel.com/docs/vercel-sandbox) — same API, but runs entirely in-process with the virtual filesystem. Start with just-bash for development and testing, swap in a real sandbox when you need a full VM.
 ```typescript
 import { Sandbox } from "just-bash";
@@ -244,9 +468,11 @@ await sandbox.mkDir("/app/logs", { recursive: true });
 await sandbox.stop();
 ```
+## CLI
 ### CLI Binary
-After installing globally (`npm install -g just-bash`), use the `just-bash` command as a secure alternative to `bash` for AI agents:
+Install globally (`npm install -g just-bash`) for a sandboxed CLI:
 ```bash
 # Execute inline script
@@ -266,7 +492,9 @@ just-bash -c 'echo hello' --json
 # Output: {"stdout":"hello\n","stderr":"","exitCode":0}
 ```
-The CLI uses OverlayFS - reads come from the real filesystem, but all writes stay in memory and are discarded after execution. The project root is mounted at `/home/user/project`.
+The CLI uses OverlayFS — reads come from the real filesystem, but all writes stay in memory and are discarded after execution.
+**Important**: The project root is mounted at `/home/user/project`. Use this path (or relative paths from the default cwd) to access your files inside the sandbox.
 Options:
@@ -282,158 +510,12 @@ Options:
 pnpm shell
 ```
-The interactive shell has full internet access enabled by default, allowing you to use `curl` to fetch data from any URL. Use `--no-network` to disable this:
+The interactive shell has full internet access by default. Disable with `--no-network`:
 ```bash
 pnpm shell --no-network
 ```
-## Supported Commands
-### File Operations
-`cat`, `cp`, `file`, `ln`, `ls`, `mkdir`, `mv`, `readlink`, `rm`, `rmdir`, `split`, `stat`, `touch`, `tree`
-### Text Processing
-`awk`, `base64`, `column`, `comm`, `cut`, `diff`, `expand`, `fold`, `grep` (+ `egrep`, `fgrep`), `head`, `join`, `md5sum`, `nl`, `od`, `paste`, `printf`, `rev`, `rg`, `sed`, `sha1sum`, `sha256sum`, `sort`, `strings`, `tac`, `tail`, `tr`, `unexpand`, `uniq`, `wc`, `xargs`
-### Data Processing
-`jq` (JSON), `python3`/`python` (Python via Pyodide; required opt-in), `sqlite3` (SQLite), `xan` (CSV), `yq` (YAML/XML/TOML/CSV)
-### Compression & Archives
-`gzip` (+ `gunzip`, `zcat`), `tar`
-### Navigation & Environment
-`basename`, `cd`, `dirname`, `du`, `echo`, `env`, `export`, `find`, `hostname`, `printenv`, `pwd`, `tee`
-### Shell Utilities
-`alias`, `bash`, `chmod`, `clear`, `date`, `expr`, `false`, `help`, `history`, `seq`, `sh`, `sleep`, `time`, `timeout`, `true`, `unalias`, `which`, `whoami`
-### Network Commands
-`curl`, `html-to-markdown`
-All commands support `--help` for usage information.
-## Shell Features
-- **Pipes**: `cmd1 | cmd2`
-- **Redirections**: `>`, `>>`, `2>`, `2>&1`, `<`
-- **Command chaining**: `&&`, `||`, `;`
-- **Variables**: `$VAR`, `${VAR}`, `${VAR:-default}`
-- **Positional parameters**: `$1`, `$2`, `$@`, `$#`
-- **Glob patterns**: `*`, `?`, `[...]`
-- **If statements**: `if COND; then CMD; elif COND; then CMD; else CMD; fi`
-- **Functions**: `function name { ... }` or `name() { ... }`
-- **Local variables**: `local VAR=value`
-- **Loops**: `for`, `while`, `until`
-- **Symbolic links**: `ln -s target link`
-- **Hard links**: `ln target link`
-## Default Layout
-When created without options, Bash provides a Unix-like directory structure:
-- `/home/user` - Default working directory (and `$HOME`)
-- `/bin` - Contains stubs for all built-in commands
-- `/usr/bin` - Additional binary directory
-- `/tmp` - Temporary files directory
-Commands can be invoked by path (e.g., `/bin/ls`) or by name.
-## Network Access
-Network access (and the `curl` command) is disabled by default for security. To enable it, configure the `network` option:
-```typescript
-// Allow specific URLs with GET/HEAD only (safest)
-const env = new Bash({
-  network: {
-    allowedUrlPrefixes: [
-      "https://api.github.com/repos/myorg/",
-      "https://api.example.com",
-    ],
-  },
-});
-// Allow specific URLs with additional methods
-const env = new Bash({
-  network: {
-    allowedUrlPrefixes: ["https://api.example.com"],
-    allowedMethods: ["GET", "HEAD", "POST"], // Default: ["GET", "HEAD"]
-  },
-});
-// Allow all URLs and methods (use with caution)
-const env = new Bash({
-  network: { dangerouslyAllowFullInternetAccess: true },
-});
-```
-**Note:** The `curl` command only exists when network is configured. Without network configuration, `curl` returns "command not found".
-## Python Support
-Python support via Pyodide is opt-in due to additional security surface. Enable it explicitly, but be aware of the risk:
-```typescript
-const env = new Bash({
-  python: true,
-});
-// Execute Python code
-await env.exec('python3 -c "print(1 + 2)"');
-// Run Python scripts
-await env.exec('python3 script.py');
-```
-**Note:** The `python3` and `python` commands only exist when `python: true` is configured. Python is not available in browser environments.
-## SQLite Support
-The `sqlite3` command uses sql.js (WASM-based SQLite) which is fully sandboxed and cannot access the real filesystem:
-```typescript
-const env = new Bash();
-// Query in-memory database
-await env.exec('sqlite3 :memory: "SELECT 1 + 1"');
-// Query file-based database
-await env.exec('sqlite3 data.db "SELECT * FROM users"');
-```
-**Note:** SQLite is not available in browser environments. Queries run in a worker thread with a configurable timeout (default: 5 seconds) to prevent runaway queries from blocking execution.
-### Allow-List Security
-The allow-list enforces:
-- **Origin matching**: URLs must match the exact origin (scheme + host + port)
-- **Path prefix**: Only paths starting with the specified prefix are allowed
-- **HTTP method restrictions**: Only GET and HEAD by default (configure `allowedMethods` for more)
-- **Redirect protection**: Redirects to non-allowed URLs are blocked
-### Using curl
-```bash
-# Fetch and process data
-curl -s https://api.example.com/data | grep pattern
-# Download and convert HTML to Markdown
-curl -s https://example.com | html-to-markdown
-# POST JSON data
-curl -X POST -H "Content-Type: application/json" \
-  -d '{"key":"value"}' https://api.example.com/endpoint
-```
 ## Execution Protection
 Bash protects against infinite loops and deep recursion with configurable limits:
@@ -450,45 +532,35 @@ const env = new Bash({
 });
 ```
-All limits have sensible defaults. Error messages include hints on which limit to increase. Feel free to increase if your scripts intentionally go beyond them.
+All limits have defaults. Error messages tell you which limit was hit. Increase as needed for your workload.
-## AST Transform Plugins
+## Security Model
-Parse bash scripts into an AST, run transform plugins, and serialize back to executable bash. Useful for instrumenting scripts (e.g., capturing per-command stdout/stderr) or analyzing them (e.g., extracting command names) before execution.
+- The shell only has access to the provided filesystem.
+- All execution happens without VM isolation. This does introduce additional risk. The code base was designed to be robust against prototype-pollution attacks and other break outs to the host JS engine and filesystem.
+- There is no network access by default. When enabled, requests are checked against URL prefix allow-lists and HTTP-method allow-lists.
+- Python and JavaScript execution are off by default as they represent additional security surface.
+- Execution is protected against infinite loops and deep recursion with configurable limits.
+- Use [Vercel Sandbox](https://vercel.com/docs/vercel-sandbox) if you need a full VM with arbitrary binary execution.
-```typescript
-import { Bash, BashTransformPipeline, TeePlugin, CommandCollectorPlugin } from "just-bash";
+## Browser Support
-// Standalone pipeline — output can be run by any shell
-const pipeline = new BashTransformPipeline()
-  .use(new TeePlugin({ outputDir: "/tmp/logs" }))
-  .use(new CommandCollectorPlugin());
-const result = pipeline.transform("echo hello | grep hello");
-result.script;             // transformed bash string
-result.metadata.commands;  // ["echo", "grep", "tee"]
+The core shell (parsing, execution, filesystem, and all built-in commands) works in browser environments. The following features require Node.js and are unavailable in browsers: `python3`/`python`, `sqlite3`, `js-exec`, and `OverlayFs`/`ReadWriteFs` (which access the real filesystem).
-// Integrated API — exec() auto-applies transforms and returns metadata
-const bash = new Bash();
-bash.registerTransformPlugin(new CommandCollectorPlugin());
-const execResult = await bash.exec("echo hello | grep hello");
-execResult.metadata?.commands; // ["echo", "grep"]
-```
+## Default Layout
-See [src/transform/README.md](src/transform/README.md) for the full API, built-in plugins, and how to write custom plugins.
+When created without options, Bash provides a Unix-like directory structure:
-## Development
+- `/home/user` - Default working directory (and `$HOME`)
+- `/bin` - Contains stubs for all built-in commands
+- `/usr/bin` - Additional binary directory
+- `/tmp` - Temporary files directory
-```bash
-pnpm test        # Run tests in watch mode
-pnpm test:run    # Run tests once
-pnpm typecheck   # Type check without emitting
-pnpm build       # Build TypeScript
-pnpm shell       # Run interactive shell
-```
+Commands can be invoked by path (e.g., `/bin/ls`) or by name.
 ## AI Agent Instructions
-For AI agents, we recommend using [`bash-tool`](https://github.com/vercel-labs/bash-tool) which is optimized for just-bash and provides additional guidance in its `AGENTS.md`:
+For AI agents, [`bash-tool`](https://github.com/vercel-labs/bash-tool) provides additional guidance in its `AGENTS.md`:
 ```bash
 cat node_modules/bash-tool/dist/AGENTS.md