| ▲ | just-bash: Bash for Agents(github.com) |
| 69 points by tosh 5 hours ago | 40 comments |
| |
|
| ▲ | CuriouslyC 11 minutes ago | parent | next [-] |
| Trying to secure the sandbox the harness is running in seems like the hard way to do things. It's not a bad idea, but I think it'd be easier to focus on isolating the sandbox and securing resources the harness sandbox accesses, since true security requires that anyhow. |
|
| ▲ | MidasTools 30 minutes ago | parent | prev | next [-] |
| On the "why bash not python/lua" question -- the answer isn't that bash is a better language. It's that bash is the only language you can assume is there. When we run autonomous agents across different environments (Vercel functions, local dev, CI containers, remote VMs), Python availability is a negotiation. Bash is given. The agent doesn't need to worry about whether venv is activated, which Python version is installed, or whether a package needs to be pip-installed first. There's also a subtler benefit: bash commands have predictable, well-documented side effects. When an agent runs `git commit -m "..."` it knows exactly what happened. When it runs a Python script that does the same thing via subprocess, there's now an abstraction layer to reason about. The performance concern is real for I/O-heavy tasks. But for orchestration -- "list files, check git status, curl an API, write a line to a log" -- bash overhead is negligible and the interoperability wins dominate. The place where this breaks down is anything requiring complex data transformation or error handling with multiple failure modes. That's where we drop into Python. The architecture that works for us: bash for the orchestration layer (run this, check that, pipe here), Python for anything with real logic. |
|
| ▲ | IceWreck 3 hours ago | parent | prev | next [-] |
| At this point why not make the agents use a restricted subset of python, typescript or lua or something. Bash has been unchanged for decades but its not a very nice language. I know pydantic has been experimenting with https://github.com/pydantic/monty (restricted python) and I think Cloudflare and co were experimenting with giving typescript to agents. |
| |
| ▲ | kkukshtel 2 hours ago | parent | next [-] | | This is a really interesting idea. I wonder if something like Luau would be a good solution here - it's a typed version of Lua meant for sandboxing (built for Roblox scripting) that has a lot of guardrails on it. https://luau.org/ | |
| ▲ | JohnMakin 2 hours ago | parent | prev | next [-] | | They use bash in ways a human never would, and it seems very intuitive for them. | |
| ▲ | simonw 3 hours ago | parent | prev | next [-] | | Being unchanged for decades means that the training data should provide great results even for the smaller models. | |
| ▲ | Bolwin an hour ago | parent | prev | next [-] | | I've had LLMs write some pretty complex powershell on the fly. Still a shell language but a lot nicer. Ideally something like nushell but they don't know that well | |
| ▲ | wild_egg 3 hours ago | parent | prev | next [-] | | Agents really do not care at all how "nice" a language is. You only need to be picky with language if a human is going to be working with the code. I get the impression that is not the use case here though | |
| ▲ | inetknght 2 hours ago | parent | prev | next [-] | | Bash is ubiquitous and is not going away any time soon. Nothing is stopping you from doing the same thing with your favorite language. | |
| ▲ | andrewingram an hour ago | parent | prev | next [-] | | just-bash comes with Python installed, so in a way that's what this has done. I've used this for some prototypes with AI tools (via bash-tool), can't really productionise it in our current setup, but it worked very well and was undeniably pretty cool. | |
| ▲ | tosh 2 hours ago | parent | prev | next [-] | | At least for me codex seems to write way more python than bash for general purpose stuff | |
| ▲ | sheept 2 hours ago | parent | prev [-] | | I feel like Deno would be perfect for this because it already has a permissions model enforced by the runtime |
|
|
| ▲ | throwaway13337 28 minutes ago | parent | prev | next [-] |
| The unix commandline tools being the most efficient way to use an LLM has been a surprise. I wonder the reason. Maybe 'do one thing well'? The piping? The fact that the tools have been around so long so there are so many examples in the training data? Simplicity? All of it? The success of this project depends on the answer. Even so, I suspect that something like this will be a far too leaky abstraction. But Vercel must try because they see the writing on the wall. No one needs expensive cloud platforms anymore. |
|
| ▲ | huntaub 3 hours ago | parent | prev | next [-] |
| We just released a driver that allows users of just-bash to attach a full Archil file system, synced to S3. This would let you run just-bash in an enrivonment where you don't have a full VM and get high-performance access to data that's in your S3 bucket already to do like greps or edits. Check it out here: https://www.npmjs.com/package/@archildata/just-bash |
|
| ▲ | sentra 2 hours ago | parent | prev | next [-] |
| The language choice is somewhat orthogonal to the real problem - you still need a governance layer regardless of whether agents execute bash, Python, or TypeScript. We built Execwall [1] to sit between the agent and the OS, enforcing argument-level policies. So you can allow git clone but deny git push, or allow chmod 644 but block chmod 777. Works with any shell or execution method.
The key insight is that "restricted subsets" of languages still need policy enforcement at runtime - an agent can construct dangerous commands dynamically even in a sandboxed language.
[1] https://github.com/sundarsub/execwall
|
|
| ▲ | jpitz 3 hours ago | parent | prev | next [-] |
| Just curious: why wouldn't you attack this with a jail? |
| |
| ▲ | wild_egg 3 hours ago | parent [-] | | Jails are alien magic and typescript is safe and familiar | | |
| ▲ | otterley 2 hours ago | parent [-] | | What, exactly, is "safe" about TypeScript other than type safety? TypeScript is just a language anyway. It's the runtime that needs to be contained. In that sense it's no different from any other interpreter or runtime, whether it be Go, Python, Java, or any shell. In my view this really is best managed by the OS kernel, as the ultimate responsibility for process isolation belongs to it. Relying on userspace solutions to enforce restrictions only gets you so far. | | |
| ▲ | wild_egg 2 hours ago | parent [-] | | Ah I forgot to add an /s I agree on all counts and that this project is silly on the face of it. My comment was more that there is a massive cohort of devs who have never done sysadmin and know nothing of prior art in the space. Typescript "feels" safe and familiar and the right way to accomplish their goals, regardless of if it actually is. |
|
|
|
|
| ▲ | _pdp_ 3 hours ago | parent | prev | next [-] |
| Interesting concept but I think the issue is to make the tools compatible with the official tools otherwise you will get odd behaviour. I think it is useful for very specific scenarios where you want to control the environment with a subset of tools only while benefiting from some form of scripts. |
|
| ▲ | jeffchuber 2 hours ago | parent | prev | next [-] |
| last weekend I vibe-coded a project called `openfs` that plugs into just-bash https://github.com/jeffchuber/just-bash-openfs it puts a bash interface in front of s3, filesystem (real and in-memory), postgres, and chroma. still very much alpha - but curious what people think about it. see an example app here: https://github.com/jeffchuber/openfs-incident-app |
| |
| ▲ | andrewingram an hour ago | parent [-] | | I did a slightly less ambitious prototype a few weeks ago where I created added lazy loading of GCS files into the just-bash file-systems, as well as lots of other on-demand files. Was a lot of fun. | | |
| ▲ | jeffchuber an hour ago | parent [-] | | yeah (optional) caching is interesting to think about - incl write_through and write_back |
|
|
|
| ▲ | RobertLong 3 hours ago | parent | prev | next [-] |
| This ends up reading files into node.js and then running a command like grep but implemented in JS. I love the concept but isn’t this incredibly slow compared to native cli tools? Building everything in JS on top of just readFile and writeFile interfaces seems pretty limited in what you can do for performance. |
| |
| ▲ | simonw 3 hours ago | parent [-] | | Performance of the tools doesn't really matter when you have a full LLM inference loop in between each tool call. | | |
| ▲ | tcdent 2 hours ago | parent [-] | | I still find it revolting they're writing this stuff in typescript. |
|
|
|
| ▲ | Lerc 3 hours ago | parent | prev | next [-] |
| I have been playing around with something like this. I'm not going for compatibility, but something that is a bit hackable. Deliberately not having /lib /share and /etc to avoid confusion that it might be posix On neocoties for proof of static hosting https://lerc.neocities.org |
|
| ▲ | gaigalas 4 hours ago | parent | prev | next [-] |
| https://github.com/vercel-labs/just-bash/blob/main/src/spec-... That's a lot of incompatibilities. LLMs like to use the shell because it's stable and virtually unchanged for decades. It doesn't need to worry much about versions or whether something is supported or not, it can just assume it is. Re-implementing bash is a herculean effort. I wish good luck. |
| |
| ▲ | simonw 3 hours ago | parent | next [-] | | Incompatibilities don't matter much provided your error messages are actionable - an LLM can hit a problem, read the error message and try again. They'll also remember that solution for the rest of that session. | | |
| ▲ | gaigalas an hour ago | parent [-] | | I don't think the current incompatibilities can be worked around. Also, huge waste of tokens. And the waste is not even worth it, the sandbox seems insufficient. Again, good luck to the developers. I just don't think it's ready. |
| |
| ▲ | esafak 4 hours ago | parent | prev [-] | | No, they use it because there's a lot of training material. pro-tip: vercel's https://agent-browser.dev/ is a great CLI for agent-based browser automation. | | |
| ▲ | athorax 3 hours ago | parent | next [-] | | Why do you think there is a lot of training data? Could it be because it's stable and virtually unchanged for decades? Hmmm. | | |
| ▲ | esafak 3 hours ago | parent [-] | | Because bash is everywhere. Stability is a separate concern. And we know this because LLMs routinely generate deprecated code for libraries that change a lot. | | |
| ▲ | gaigalas 3 hours ago | parent [-] | | This project runs on all shells, totally portable: https://github.com/alganet/coral busybox, bash, zsh, dash, you name it. If smells bourne, it runs. Here's the list: https://github.com/alganet/coral/blob/main/test/matrix#L50 (more than 20 years of compatibility, runs even on bash 3) It's a great litmus test, that many have passed. Let me know when just-bash is able to run it. | | |
| ▲ | esafak 3 hours ago | parent [-] | | I have no connection to coral or just-bash. Why don't you do it yourself and let us know, since you are familiar with it? | | |
| ▲ | gaigalas 2 hours ago | parent [-] | | I've been working with the shell long enough that I know just by looking at it. Anyway, it was rethorical. I was making a point about portability. Scripts we write today run even on ancient versions, and it has been an effort kept by lots of different interpreters (not only bash). I'm trying to give sane advice here. Re-implementing bash is a herculean task, and some "small incompatibilities" sometimes reveal themselves as deep architectural dead-ends. | | |
| ▲ | esafak an hour ago | parent [-] | | The project does not list portability as a concern. It's for agent use; they are not trying to re-use existing bash code. | | |
| ▲ | gaigalas 14 minutes ago | parent [-] | | Before, you said: > they use it because there's a lot of training material. Now, you say: > they are not trying to re-use existing bash code. Can't you see how this is a contradiction? --- I'm sorry, I can't continue like this. I want to have meaningful conversations. |
|
|
|
|
|
| |
| ▲ | gaigalas 3 hours ago | parent | prev [-] | | > No, they use it because there's a lot of training material. Trained on an interpreter that is stable is virtually unchanged for decades. That's precisely my point. It was never trained on an incompatible, partial implementation. > agent-based browser automation Clearly out of scope. You a bot? |
|
|
|
| ▲ | dostick 2 hours ago | parent | prev [-] |
| Why couldn’t they name it `agent-bash` then? What’s with all the “just-this”, “super-that” naming?
Like developer lost the last remaining brain cells developing it, and when it’s came to name it, used the first meaningless word that came up.
After all you’re limiting discovery with name like that. |
