At this point why not make the agents use a restricted subset of python, typescript or lua or something.
Bash has been unchanged for decades but its not a very nice language.
I know pydantic has been experimenting with https://github.com/pydantic/monty (restricted python) and I think Cloudflare and co were experimenting with giving typescript to agents.
> std::slop is a persistent, SQLite-driven C++ CLI agent. It remembers your work through per-session ledgers, providing long-term recall, structured state management. std::slop features built-in Git integration. It's goal is to be an agent for which the context and its use fully transparent and configurable.
TIL about Monty. A number of people have tried to sandbox [python,] using python and user space; but ultimately they've all concluded that you can't sandbox python with python.
Virtual Machines are a better workload isolation boundary than Containers are a better workload isolation boundary than bubblewrap and a WASM runtime.
> Should a (formally verified) policy engine run within the same WASM runtime, or should it be enforced by the WASM runtime, or by the VM or Container that the WASM runtime runs within?
> How do these userspace policies compare to MAC and DAC implementations like SELinux AVC, AppArmor, Systemd SyscallFilter, and seccomp with containers for example?
I'll add that agents (CC/Codex) very often screw up escaping/quoting with their bash scripts and waste tokens figuring out what happened. It's worse when it's a script they save and re use because it's often a code injection vulnerability.
We just released a driver that allows users of just-bash to attach a full Archil file system, synced to S3. This would let you run just-bash in an enrivonment where you don't have a full VM and get high-performance access to data that's in your S3 bucket already to do like greps or edits.
I have been playing around with something like this.
I'm not going for compatibility, but something that is a bit hackable. Deliberately not having /lib /share and /etc to avoid confusion that it might be posix
This ends up reading files into node.js and then running a command like grep but implemented in JS. I love the concept but isn’t this incredibly slow compared to native cli tools? Building everything in JS on top of just readFile and writeFile interfaces seems pretty limited in what you can do for performance.
Interesting concept but I think the issue is to make the tools compatible with the official tools otherwise you will get odd behaviour. I think it is useful for very specific scenarios where you want to control the environment with a subset of tools only while benefiting from some form of scripts.
Why couldn’t they name it `agent-bash` then? What’s with all the “just-this”, “super-that” naming?
Like developer lost the last remaining brain cells developing it, and when it’s came to name it, used the first meaningless word that came up.
After all you’re limiting discovery with name like that.
The unix commandline tools being the most efficient way to use an LLM has been a surprise.
I wonder the reason.
Maybe 'do one thing well'? The piping? The fact that the tools have been around so long so there are so many examples in the training data? Simplicity? All of it?
The success of this project depends on the answer.
Even so, I suspect that something like this will be a far too leaky abstraction.
But Vercel must try because they see the writing on the wall.
If you want a better guess: It's because of the man pages for all the tools are likely duplicated across so many media for the LLM training that there's just an efficient pipeline. They go back to the 70s or whatever.
I'm not convinced. I don't want to rack servers and diagnose bad RAM like it's still the 90's, so I'm paying someone else for the privilege, especially to get POPs closer to customers than I want to drive or fly to setup, especially in foreign countries where I don't speak the language or know the culture. Fun for vacation but a recipe to waste time and money setting up a local corporate entity and a whole team when I can just pay GCP or AWS and have a server on the other side of the planet from me faster than I can book a plane flight and hotel reservation there.
There's also the maintenance of the server to be considered. Vercel or other PaaS/Lambda/GCP functions/etc serverless means there's just less crap for me to manage, because they're dealing with it, and yeah, they charge money for that service. Being able to tell Claude code, I setup ssh keys and sudo no password for you, go fix my shit; like, that works, but then the hard drive is full so I have to up size the VPS, and if you're stupid/brave, you can give Claude Code MCP access to Chrome so it can click the buttons in Hetzner to upsize for you, but that's time and tokens spent not working on the product so at the end of the day I think Vercel is gonna be fine. AI generating code means there are many many more people trying out making some sort of Internet company, but they'll only discover cheaper options only after paying for Vercel becomes painful.
> The unix commandline tools being the most efficient way to use an LLM has been a surprise.
> I wonder the reason.
Because they are really, really well designed for humans.
Everyone is trying to reinvent the wheel and create "agent interfaces", but there is fundamentally no difference between what makes a text based interface easy for a human to use and what makes it easy for an agent to use.
Trying to secure the sandbox the harness is running in seems like the hard way to do things. It's not a bad idea, but I think it'd be easier to focus on isolating the sandbox and securing resources the harness sandbox accesses, since true security requires that anyhow.
It’s cool to see this project and others pop up. Virtualizing os primitives like bash and even file systems
You can interface around the nodejs files system interface and have access to some nice tools, like git isomorphic for instance. Then obviously everything couples nicely with agents.
I'm hacking on a similar thing that lets you build CLIs directly into xterm / ghostty web so that they also work in the terminal. Eg they are cross platform web and CLI.
34 comments
[ 3.5 ms ] story [ 54.7 ms ] threadThat's a lot of incompatibilities.
LLMs like to use the shell because it's stable and virtually unchanged for decades.
It doesn't need to worry much about versions or whether something is supported or not, it can just assume it is.
Re-implementing bash is a herculean effort. I wish good luck.
but i think its still useful if we are bound to js/ts ecosystem sandboxed enviroment like in vercel.
Bash has been unchanged for decades but its not a very nice language.
I know pydantic has been experimenting with https://github.com/pydantic/monty (restricted python) and I think Cloudflare and co were experimenting with giving typescript to agents.
> std::slop is a persistent, SQLite-driven C++ CLI agent. It remembers your work through per-session ledgers, providing long-term recall, structured state management. std::slop features built-in Git integration. It's goal is to be an agent for which the context and its use fully transparent and configurable.
Virtual Machines are a better workload isolation boundary than Containers are a better workload isolation boundary than bubblewrap and a WASM runtime.
eWASM has costed opcodes; https://news.ycombinator.com/item?id=46825763
From "Show HN: CSL-Core – Formally Verified Neuro-Symbolic Safety Engine for AI" (2026) https://news.ycombinator.com/item?id=46963924 :
> Should a (formally verified) policy engine run within the same WASM runtime, or should it be enforced by the WASM runtime, or by the VM or Container that the WASM runtime runs within?
> "Show HN: Amla Sandbox – WASM bash shell sandbox for AI agents" (2026) https://news.ycombinator.com/item?id=46825026 re: eWASM and costed opcodes for agent efficiency
> How do these userspace policies compare to MAC and DAC implementations like SELinux AVC, AppArmor, Systemd SyscallFilter, and seccomp with containers for example?
> [ containers/bubblewrap#sandboxing , cloudflare/workerd, wasmtime-mte, ]
"Microsandbox: Virtual Machines that feel and perform like containers" https://news.ycombinator.com/item?id=44137501
microsandbox/microsandbox: https://github.com/microsandbox/microsandbox :
> opensource self-hosted sandboxes for ai agents
Check it out here: https://www.npmjs.com/package/@archildata/just-bash
I'm not going for compatibility, but something that is a bit hackable. Deliberately not having /lib /share and /etc to avoid confusion that it might be posix
On neocoties for proof of static hosting
https://lerc.neocities.org
https://github.com/jeffchuber/just-bash-openfs
it puts a bash interface in front of s3, filesystem (real and in-memory), postgres, and chroma.
still very much alpha - but curious what people think about it.
see an example app here: https://github.com/jeffchuber/openfs-incident-app
I wonder the reason.
Maybe 'do one thing well'? The piping? The fact that the tools have been around so long so there are so many examples in the training data? Simplicity? All of it?
The success of this project depends on the answer.
Even so, I suspect that something like this will be a far too leaky abstraction.
But Vercel must try because they see the writing on the wall.
No one needs expensive cloud platforms anymore.
I can trivially combine a tool written in rust with one written in js/java/C/whatever without writing bindings
So, mostly re-enforcement along multiple vectors.
There's also the maintenance of the server to be considered. Vercel or other PaaS/Lambda/GCP functions/etc serverless means there's just less crap for me to manage, because they're dealing with it, and yeah, they charge money for that service. Being able to tell Claude code, I setup ssh keys and sudo no password for you, go fix my shit; like, that works, but then the hard drive is full so I have to up size the VPS, and if you're stupid/brave, you can give Claude Code MCP access to Chrome so it can click the buttons in Hetzner to upsize for you, but that's time and tokens spent not working on the product so at the end of the day I think Vercel is gonna be fine. AI generating code means there are many many more people trying out making some sort of Internet company, but they'll only discover cheaper options only after paying for Vercel becomes painful.
Because they are really, really well designed for humans.
Everyone is trying to reinvent the wheel and create "agent interfaces", but there is fundamentally no difference between what makes a text based interface easy for a human to use and what makes it easy for an agent to use.
You can interface around the nodejs files system interface and have access to some nice tools, like git isomorphic for instance. Then obviously everything couples nicely with agents.
Something I did in my markdown editor project: https://github.com/rbbydotdev/opal
Have half a mind to release a browser kit which unifies the file tree explorer and virtual file apis and libs in the browser
I've been using it to make my own sandbox that is much more configurable than the default claude code sandbox: https://github.com/gartnera/lite-sandbox
Demo: https://wizard-nine-blush.vercel.app/
Project: https://ink-web.dev
I love the approach of just bash as well. Super cool!
Edit: warning - don't use it mobile.