We just released a driver that allows users of just-bash to attach a full Archil file system, synced to S3. This would let you run just-bash in an enrivonment where you don't have a full VM and get high-performance access to data that's in your S3 bucket already to do like greps or edits.
At this point why not make the agents use a restricted subset of python, typescript or lua or something.
Bash has been unchanged for decades but its not a very nice language.
I know pydantic has been experimenting with https://github.com/pydantic/monty (restricted python) and I think Cloudflare and co were experimenting with giving typescript to agents.
kkukshtel 1 days ago [-]
This is a really interesting idea. I wonder if something like Luau would be a good solution here - it's a typed version of Lua meant for sandboxing (built for Roblox scripting) that has a lot of guardrails on it.
Being unchanged for decades means that the training data should provide great results even for the smaller models.
fragmede 1 days ago [-]
It means there's also plenty of bad examples in the training data to learn the wrong lessons from though.
JohnMakin 1 days ago [-]
They use bash in ways a human never would, and it seems very intuitive for them.
Spivak 1 days ago [-]
If you present most LLM's with a run_python tool it won't realize that it can access a standard Linux userspace with it even if it's explicitly detailed. But spiritually the same tool called run_shell it will use correctly.
Gotta work with what's in the training data I suppose.
0x457 1 days ago [-]
There are a lot of shellscripts holding this world together out there.
fragmede 21 hours ago [-]
don't forget Perl!
wild_egg 1 days ago [-]
Agents really do not care at all how "nice" a language is. You only need to be picky with language if a human is going to be working with the code. I get the impression that is not the use case here though
bigbadfeline 1 days ago [-]
> Agents really do not care at all how "nice" a language is.
People do care.
> You only need to be picky with language if a human is going to be working with the code.
Sooner or later humans will have to work with the code - if only for their own self-preservation.
> I get the impression that is not the use case here though
If that's not the use case, there's no legitimate use case at all.
wild_egg 22 hours ago [-]
I might have misinterpreted what the submitted link is offering then. I thought this was some "secure" sandboxing thing where agents can write ephemeral scripts as tool calls to take arbitrary actions. No human will be looking at that. It's not checked into a repo and is not maintained.
One-off throwaway scripts can be written in literally anything. It does not matter.
fragmede 23 hours ago [-]
> Sooner or later humans will have to work with the code
We want that to be true, but it's starting to look like it might not be.
bandrami 18 hours ago [-]
Humans will eventually have to work with the code, generally at 3am with alarms going off and three tiers of bosses yelling at them on the phone
resonious 1 days ago [-]
I'll add that agents (CC/Codex) very often screw up escaping/quoting with their bash scripts and waste tokens figuring out what happened. It's worse when it's a script they save and re use because it's often a code injection vulnerability.
fragmede 1 days ago [-]
I want them to be better at it, but given how hard it is for me as a human to get it right (which is to say, I get it wrong a lot, especially handling new lines in filenames, or filenames that start with --) I find it hard to fault them too much.
Bolwin 1 days ago [-]
I've had LLMs write some pretty complex powershell on the fly. Still a shell language but a lot nicer.
Ideally something like nushell but they don't know that well
inetknght 1 days ago [-]
Bash is ubiquitous and is not going away any time soon. Nothing is stopping you from doing the same thing with your favorite language.
andrewingram 1 days ago [-]
just-bash comes with Python installed, so in a way that's what this has done. I've used this for some prototypes with AI tools (via bash-tool), can't really productionise it in our current setup, but it worked very well and was undeniably pretty cool.
Leynos 1 days ago [-]
Codex has a JS REPL built in now. And pydantic have a minimal version of Python called Monty.
sheept 1 days ago [-]
I feel like Deno would be perfect for this because it already has a permissions model enforced by the runtime
tosh 1 days ago [-]
At least for me codex seems to write way more python than bash for general purpose stuff
jauntywundrkind 1 days ago [-]
Agreed! Very notable codex behavior to prefer python for scripting purposes.
I keep telling myself to make a good zx skills or agents.md. I really like zx ergonomics & it's output when it shells out is friendly.
Top comments are lua. I respect it, and those look like neat tools. But please, not what I want to look at. It would be interesting to see how Lua fairs for scripting purposes though; I haven't done enough io to know what that would look like. Does it assume some uv wrapper too?
> std::slop is a persistent, SQLite-driven C++ CLI agent. It remembers your work through per-session ledgers, providing long-term recall, structured state management. std::slop features built-in Git integration. It's goal is to be an agent for which the context and its use fully transparent and configurable.
westurner 1 days ago [-]
TIL about Monty. A number of people have tried to sandbox [python,] using python and user space; but ultimately they've all concluded that you can't sandbox python with python.
Virtual Machines are a better workload isolation boundary than Containers are a better workload isolation boundary than bubblewrap and a WASM runtime.
> Should a (formally verified) policy engine run within the same WASM runtime, or should it be enforced by the WASM runtime, or by the VM or Container that the WASM runtime runs within?
> How do these userspace policies compare to MAC and DAC implementations like SELinux AVC, AppArmor, Systemd SyscallFilter, and seccomp with containers for example?
I'm hacking on a similar thing that lets you build CLIs directly into xterm / ghostty web so that they also work in the terminal. Eg they are cross platform web and CLI.
I did a slightly less ambitious prototype a few weeks ago where I created added lazy loading of GCS files into the just-bash file-systems, as well as lots of other on-demand files. Was a lot of fun.
jeffchuber 1 days ago [-]
yeah (optional) caching is interesting to think about - incl write_through and write_back
JustFinishedBSG 1 days ago [-]
What problem were you trying to solve ? ( not that you need to solve one. I’m just curious )
throwaway13337 1 days ago [-]
The unix commandline tools being the most efficient way to use an LLM has been a surprise.
I wonder the reason.
Maybe 'do one thing well'? The piping? The fact that the tools have been around so long so there are so many examples in the training data? Simplicity? All of it?
The success of this project depends on the answer.
Even so, I suspect that something like this will be a far too leaky abstraction.
But Vercel must try because they see the writing on the wall.
No one needs expensive cloud platforms anymore.
justaboutanyone 1 days ago [-]
Shell programming is high density inter-language glue. You simply have more options of implementations to call out to and so less to write.
I can trivially combine a tool written in rust with one written in js/java/C/whatever without writing bindings
cyanydeez 1 days ago [-]
If you want a better guess: It's because of the man pages for all the tools are likely duplicated across so many media for the LLM training that there's just an efficient pipeline. They go back to the 70s or whatever.
So, mostly re-enforcement along multiple vectors.
fragmede 24 hours ago [-]
I'm not convinced. I don't want to rack servers and diagnose bad RAM like it's still the 90's, so I'm paying someone else for the privilege, especially to get POPs closer to customers than I want to drive or fly to setup, especially in foreign countries where I don't speak the language or know the culture. Fun for vacation but a recipe to waste time and money setting up a local corporate entity and a whole team when I can just pay GCP or AWS and have a server on the other side of the planet from me faster than I can book a plane flight and hotel reservation there.
There's also the maintenance of the server to be considered. Vercel or other PaaS/Lambda/GCP functions/etc serverless means there's just less crap for me to manage, because they're dealing with it, and yeah, they charge money for that service. Being able to tell Claude code, I setup ssh keys and sudo no password for you, go fix my shit; like, that works, but then the hard drive is full so I have to up size the VPS, and if you're stupid/brave, you can give Claude Code MCP access to Chrome so it can click the buttons in Hetzner to upsize for you, but that's time and tokens spent not working on the product so at the end of the day I think Vercel is gonna be fine. AI generating code means there are many many more people trying out making some sort of Internet company, but they'll only discover cheaper options only after paying for Vercel becomes painful.
jpitz 1 days ago [-]
Just curious: why wouldn't you attack this with a jail?
wild_egg 1 days ago [-]
Jails are alien magic and typescript is safe and familiar
otterley 1 days ago [-]
What, exactly, is "safe" about TypeScript other than type safety?
TypeScript is just a language anyway. It's the runtime that needs to be contained. In that sense it's no different from any other interpreter or runtime, whether it be Go, Python, Java, or any shell.
In my view this really is best managed by the OS kernel, as the ultimate responsibility for process isolation belongs to it. Relying on userspace solutions to enforce restrictions only gets you so far.
wild_egg 1 days ago [-]
Ah I forgot to add an /s
I agree on all counts and that this project is silly on the face of it.
My comment was more that there is a massive cohort of devs who have never done sysadmin and know nothing of prior art in the space. Typescript "feels" safe and familiar and the right way to accomplish their goals, regardless of if it actually is.
lombasihir 1 days ago [-]
agree, or just busybox or alpine linux that will have more flexibility?
but i think its still useful if we are bound to js/ts ecosystem sandboxed enviroment like in vercel.
CuriouslyC 1 days ago [-]
Trying to secure the sandbox the harness is running in seems like the hard way to do things. It's not a bad idea, but I think it'd be easier to focus on isolating the sandbox and securing resources the harness sandbox accesses, since true security requires that anyhow.
rbbydotdev 1 days ago [-]
It’s cool to see this project and others pop up. Virtualizing os primitives like bash and even file systems
You can interface around the nodejs files system interface and have access to some nice tools, like git isomorphic for instance. Then obviously everything couples nicely with agents.
This ends up reading files into node.js and then running a command like grep but implemented in JS. I love the concept but isn’t this incredibly slow compared to native cli tools? Building everything in JS on top of just readFile and writeFile interfaces seems pretty limited in what you can do for performance.
simonw 1 days ago [-]
Performance of the tools doesn't really matter when you have a full LLM inference loop in between each tool call.
tcdent 1 days ago [-]
I still find it revolting they're writing this stuff in typescript.
cramforce 1 days ago [-]
In practice it is actually extremely fast because there is no process fork. You're talking nanoseconds for common commands
[Disclaimer: I made the thing]
_pdp_ 1 days ago [-]
Interesting concept but I think the issue is to make the tools compatible with the official tools otherwise you will get odd behaviour. I think it is useful for very specific scenarios where you want to control the environment with a subset of tools only while benefiting from some form of scripts.
Not sure why I would ever want to use this over bash in a sandboxed VM.
Lerc 1 days ago [-]
I have been playing around with something like this.
I'm not going for compatibility, but something that is a bit hackable. Deliberately not having /lib /share and /etc to avoid confusion that it might be posix
LLMs like to use the shell because it's stable and virtually unchanged for decades.
It doesn't need to worry much about versions or whether something is supported or not, it can just assume it is.
Re-implementing bash is a herculean effort. I wish good luck.
cramforce 1 days ago [-]
I would not over-read into that doc. In practice, the only missing stuff are extreme edge cases of the type that is actually not consistent between other implementations of bash.
In practice it works great. I haven't seen a failed command in a while
[Disclaimer: I made the thing]
gaigalas 20 hours ago [-]
I gave it a shot. Failed with a simple `> /dev/null` redirection. LLMs do that a lot.
Good luck with the project! I'm sure it will get there.
simonw 1 days ago [-]
Incompatibilities don't matter much provided your error messages are actionable - an LLM can hit a problem, read the error message and try again. They'll also remember that solution for the rest of that session.
gaigalas 1 days ago [-]
I don't think the current incompatibilities can be worked around.
Also, huge waste of tokens. And the waste is not even worth it, the sandbox seems insufficient.
Again, good luck to the developers. I just don't think it's ready.
esafak 1 days ago [-]
No, they use it because there's a lot of training material.
Why do you think there is a lot of training data? Could it be because it's stable and virtually unchanged for decades? Hmmm.
esafak 1 days ago [-]
Because bash is everywhere. Stability is a separate concern. And we know this because LLMs routinely generate deprecated code for libraries that change a lot.
gaigalas 1 days ago [-]
This project runs on all shells, totally portable:
It's a great litmus test, that many have passed. Let me know when just-bash is able to run it.
esafak 1 days ago [-]
I have no connection to coral or just-bash. Why don't you do it yourself and let us know, since you are familiar with it?
gaigalas 1 days ago [-]
I've been working with the shell long enough that I know just by looking at it.
Anyway, it was rethorical. I was making a point about portability. Scripts we write today run even on ancient versions, and it has been an effort kept by lots of different interpreters (not only bash).
I'm trying to give sane advice here. Re-implementing bash is a herculean task, and some "small incompatibilities" sometimes reveal themselves as deep architectural dead-ends.
esafak 1 days ago [-]
The project does not list portability as a concern. It's for agent use; they are not trying to re-use existing bash code.
gaigalas 1 days ago [-]
Before, you said:
> they use it because there's a lot of training material.
Now, you say:
> they are not trying to re-use existing bash code.
Can't you see how this is a contradiction?
---
I'm sorry, I can't continue like this. I want to have meaningful conversations.
esafak 1 days ago [-]
Is English your second language? "They" refers to very different things here.
gaigalas 17 hours ago [-]
The issue here is not language, is basic understanding of how LLMs are trained, how agents act on that training and what is the role of the shell from a systems perspective.
I can't have a meaningful conversation with someone that doesn't fully grasp those, no matter in which language.
gaigalas 1 days ago [-]
[flagged]
MidasTools 1 days ago [-]
[flagged]
tmp10423288442 1 days ago [-]
Perl?
SignalStackDev 1 days ago [-]
[dead]
raphaelmolly8 1 days ago [-]
[dead]
sentra 1 days ago [-]
[dead]
dostick 1 days ago [-]
Why couldn’t they name it `agent-bash` then? What’s with all the “just-this”, “super-that” naming?
Like developer lost the last remaining brain cells developing it, and when it’s came to name it, used the first meaningless word that came up.
After all you’re limiting discovery with name like that.
1 days ago [-]
Rendered at 23:08:40 GMT+0000 (Coordinated Universal Time) with Vercel.
Check it out here: https://www.npmjs.com/package/@archildata/just-bash
Bash has been unchanged for decades but its not a very nice language.
I know pydantic has been experimenting with https://github.com/pydantic/monty (restricted python) and I think Cloudflare and co were experimenting with giving typescript to agents.
https://luau.org/
Gotta work with what's in the training data I suppose.
People do care.
> You only need to be picky with language if a human is going to be working with the code.
Sooner or later humans will have to work with the code - if only for their own self-preservation.
> I get the impression that is not the use case here though
If that's not the use case, there's no legitimate use case at all.
One-off throwaway scripts can be written in literally anything. It does not matter.
We want that to be true, but it's starting to look like it might not be.
Ideally something like nushell but they don't know that well
I keep telling myself to make a good zx skills or agents.md. I really like zx ergonomics & it's output when it shells out is friendly.
Top comments are lua. I respect it, and those look like neat tools. But please, not what I want to look at. It would be interesting to see how Lua fairs for scripting purposes though; I haven't done enough io to know what that would look like. Does it assume some uv wrapper too?
> std::slop is a persistent, SQLite-driven C++ CLI agent. It remembers your work through per-session ledgers, providing long-term recall, structured state management. std::slop features built-in Git integration. It's goal is to be an agent for which the context and its use fully transparent and configurable.
Virtual Machines are a better workload isolation boundary than Containers are a better workload isolation boundary than bubblewrap and a WASM runtime.
eWASM has costed opcodes; https://news.ycombinator.com/item?id=46825763
From "Show HN: CSL-Core – Formally Verified Neuro-Symbolic Safety Engine for AI" (2026) https://news.ycombinator.com/item?id=46963924 :
> Should a (formally verified) policy engine run within the same WASM runtime, or should it be enforced by the WASM runtime, or by the VM or Container that the WASM runtime runs within?
> "Show HN: Amla Sandbox – WASM bash shell sandbox for AI agents" (2026) https://news.ycombinator.com/item?id=46825026 re: eWASM and costed opcodes for agent efficiency
> How do these userspace policies compare to MAC and DAC implementations like SELinux AVC, AppArmor, Systemd SyscallFilter, and seccomp with containers for example?
> [ containers/bubblewrap#sandboxing , cloudflare/workerd, wasmtime-mte, ]
"Microsandbox: Virtual Machines that feel and perform like containers" https://news.ycombinator.com/item?id=44137501
microsandbox/microsandbox: https://github.com/microsandbox/microsandbox :
> opensource self-hosted sandboxes for ai agents
Demo: https://wizard-nine-blush.vercel.app/
Project: https://ink-web.dev
I love the approach of just bash as well. Super cool!
Edit: warning - don't use it mobile.
https://github.com/jeffchuber/just-bash-openfs
it puts a bash interface in front of s3, filesystem (real and in-memory), postgres, and chroma.
still very much alpha - but curious what people think about it.
see an example app here: https://github.com/jeffchuber/openfs-incident-app
I wonder the reason.
Maybe 'do one thing well'? The piping? The fact that the tools have been around so long so there are so many examples in the training data? Simplicity? All of it?
The success of this project depends on the answer.
Even so, I suspect that something like this will be a far too leaky abstraction.
But Vercel must try because they see the writing on the wall.
No one needs expensive cloud platforms anymore.
I can trivially combine a tool written in rust with one written in js/java/C/whatever without writing bindings
So, mostly re-enforcement along multiple vectors.
There's also the maintenance of the server to be considered. Vercel or other PaaS/Lambda/GCP functions/etc serverless means there's just less crap for me to manage, because they're dealing with it, and yeah, they charge money for that service. Being able to tell Claude code, I setup ssh keys and sudo no password for you, go fix my shit; like, that works, but then the hard drive is full so I have to up size the VPS, and if you're stupid/brave, you can give Claude Code MCP access to Chrome so it can click the buttons in Hetzner to upsize for you, but that's time and tokens spent not working on the product so at the end of the day I think Vercel is gonna be fine. AI generating code means there are many many more people trying out making some sort of Internet company, but they'll only discover cheaper options only after paying for Vercel becomes painful.
TypeScript is just a language anyway. It's the runtime that needs to be contained. In that sense it's no different from any other interpreter or runtime, whether it be Go, Python, Java, or any shell.
In my view this really is best managed by the OS kernel, as the ultimate responsibility for process isolation belongs to it. Relying on userspace solutions to enforce restrictions only gets you so far.
I agree on all counts and that this project is silly on the face of it.
My comment was more that there is a massive cohort of devs who have never done sysadmin and know nothing of prior art in the space. Typescript "feels" safe and familiar and the right way to accomplish their goals, regardless of if it actually is.
but i think its still useful if we are bound to js/ts ecosystem sandboxed enviroment like in vercel.
You can interface around the nodejs files system interface and have access to some nice tools, like git isomorphic for instance. Then obviously everything couples nicely with agents.
Something I did in my markdown editor project: https://github.com/rbbydotdev/opal
Have half a mind to release a browser kit which unifies the file tree explorer and virtual file apis and libs in the browser
I've been using it to make my own sandbox that is much more configurable than the default claude code sandbox: https://github.com/gartnera/lite-sandbox
[Disclaimer: I made the thing]
I'm not going for compatibility, but something that is a bit hackable. Deliberately not having /lib /share and /etc to avoid confusion that it might be posix
On neocoties for proof of static hosting
https://lerc.neocities.org
That's a lot of incompatibilities.
LLMs like to use the shell because it's stable and virtually unchanged for decades.
It doesn't need to worry much about versions or whether something is supported or not, it can just assume it is.
Re-implementing bash is a herculean effort. I wish good luck.
In practice it works great. I haven't seen a failed command in a while
[Disclaimer: I made the thing]
Good luck with the project! I'm sure it will get there.
Also, huge waste of tokens. And the waste is not even worth it, the sandbox seems insufficient.
Again, good luck to the developers. I just don't think it's ready.
pro-tip: vercel's https://agent-browser.dev/ is a great CLI for agent-based browser automation.
https://github.com/alganet/coral
busybox, bash, zsh, dash, you name it. If smells bourne, it runs. Here's the list: https://github.com/alganet/coral/blob/main/test/matrix#L50 (more than 20 years of compatibility, runs even on bash 3)
It's a great litmus test, that many have passed. Let me know when just-bash is able to run it.
Anyway, it was rethorical. I was making a point about portability. Scripts we write today run even on ancient versions, and it has been an effort kept by lots of different interpreters (not only bash).
I'm trying to give sane advice here. Re-implementing bash is a herculean task, and some "small incompatibilities" sometimes reveal themselves as deep architectural dead-ends.
> they use it because there's a lot of training material.
Now, you say:
> they are not trying to re-use existing bash code.
Can't you see how this is a contradiction?
---
I'm sorry, I can't continue like this. I want to have meaningful conversations.
I can't have a meaningful conversation with someone that doesn't fully grasp those, no matter in which language.