February 26, 2026
Shell yeah or shell nah?
just-bash: Bash for Agents
Safe toy shell for AI or broken Bash knockoff? Devs are roasting and raving
TLDR: just-bash offers a sandboxed, in-memory Bash-like environment for AI agents with optional, filtered internet access. The community split fast: critics flagged compatibility gaps and asked for real OS jails or different languages, while others plugged add-ons and tinkered—debating safety, practicality, and what “shell for AI” should actually be.
Meet just-bash, a “pretend” command line built in TypeScript for AI agents. It runs in memory, forgets most settings between commands, blocks the internet by default, and only lets through links you approve. You can plug in different file systems, add custom commands, and it’s all very “beta—try carefully.” And yet the real story isn’t the features—it’s the food fight in the comments.
Skeptics pounced first. One user pointed to the project’s known limitations and groaned, “That’s a lot of incompatibilities,” warning that large AI models lean on Bash precisely because it’s barely changed in decades. Security-minded folks chimed in with a classics-only take: why not just use an operating-system “jail,” essentially a locked room for programs? Meanwhile, a third camp said forget Bash altogether—use a restricted flavor of Python or TypeScript instead, name-dropping experiments like Pydantic Monty.
Then the plot twist: toolmakers arrived with add-ons. One plugged a driver that attaches a full Archil filesystem synced to Amazon S3, promising fast greps and edits straight from your cloud data. Tinkerers also showed off their own “not-quite-POSIX” toy shells, like a minimalist experiment hosted on Neocities.
The vibe? Part “this is a toy, please bring real Bash,” part “finally, a padded playroom for bots.” The fight is over what AI really needs: rock-solid compatibility, heavy-duty OS sandboxes—or lightweight, hackable training wheels. Drama: unlocked.
Key Points
- •Just-bash is a TypeScript-based simulated Bash environment with an in-memory virtual filesystem for AI agents.
- •The security model restricts access to the provided filesystem, disables binaries/WASM, and blocks network by default.
- •Optional network access is available via curl, controlled by URL prefix and HTTP method allow-lists.
- •Each exec() call is isolated (env, functions, cwd don’t persist), while the filesystem state persists across executions.
- •Multiple filesystem backends are supported: InMemoryFs (default), OverlayFs, ReadWriteFs, and MountableFs, with support for custom commands via defineCommand.