A zero-dependency, pure-memory POSIX Shell sandbox powered by MoonBit.
MoonBash is a complete rewrite of vercel-labs/just-bash using MoonBit, compiled to pure JavaScript with no WASM dependencies. It provides a secure, embeddable Bash interpreter for AI Agents, Serverless Edge functions, browser-based terminals, and any environment that needs sandboxed shell execution.
| Feature | just-bash (TS) | MoonBash (MoonBit) |
|---|---|---|
| Language | TypeScript | MoonBit -> Pure JS |
| Type Safety | Structural (TS) | Algebraic Data Types + Pattern Matching |
| ReDoS Protection | JS RegExp (vulnerable) | VM-based regex engine (immune) |
| Commands | ~30 | 87 (incl. awk, sed, jq, tar, diff, gzip) |
| Bundle Size | ~200KB+ | 245 KB gzip / 997 KB minified |
| Cold Start | Fast | Faster (sync init, no WASM instantiate) |
| WASM Required | No | No |
| API Surface Compatible | N/A | 100% drop-in replacement |
Status note (as of 2026-02-20): command coverage is complete (87/87) and comparison tests are at 522/523 (1 awk regression from b38190a). Security test suite fully passing (188/188 attacks, all sandbox/limits/prototype-pollution suites). gzip/gunzip/zcat now use real DEFLATE compression via gmlewis/gzip. Spec compatibility hardening remains in progress. See docs/ROADMAP.md.
A complete POSIX shell with awk, sed, jq, tar, diff, gzip and 87 commands, delivered as a single zero-dependency JS file:
| Stage | Size | Reduction |
|---|---|---|
| MoonBit compile (release) | 4.2 MB | raw output |
| + esbuild minify | 997 KB | -76% (FQN mangling) |
| + gzip | 245 KB | -94% total |
Why so small? MoonBit emits verbose fully-qualified names ($moonbitlang$core$array$Array$push) that compress extremely well. Minification crushes them to single letters; gzip exploits the remaining pattern repetition. Wasm binaries are dense machine code that cannot be minified and barely compress (~20-30% via gzip).
Fits comfortably within Cloudflare Workers free tier (1 MB), Vercel Edge Functions, and any CDN.
- Zero Dependencies - Compiles to a single pure JS file, no WASM, no native binaries
- Memory Safe - MoonBit's type system prevents null pointer crashes and buffer overflows
- ReDoS Immune - Built-in VM-based regex engine eliminates catastrophic backtracking
- API Compatible - Drop-in replacement for
just-bashwith identical TypeScript API - Multi-Target - Same MoonBit source compiles to JS (npm), WASM (Python/Rust), and native
- AI Agent Frameworks - LangChain, AutoGen, OpenDevin, Claude Code
- Serverless Edge - Vercel Edge, Cloudflare Workers, Deno Deploy
- Browser - Online coding education, interactive documentation
- Embedded - Game engines, cross-platform build tools, CI/CD pipelines
import { Bash } from "moon-bash";
const bash = new Bash({
env: { USER: "agent" },
});
const result = await bash.exec('echo "Hello from MoonBash!" | tr a-z A-Z');
console.log(result.stdout); // "HELLO FROM MOONBASH!\n"
console.log(result.exitCode); // 0┌─────────────────────────────────────────────────────┐
│ TypeScript API Layer │
│ (100% compatible with just-bash API) │
├─────────────────────────────────────────────────────┤
│ MoonBit Core Engine │
│ ┌──────────┐ ┌──────────┐ ┌───────────────────┐ │
│ │ Lexer │→ │ Parser │→ │ AST Evaluator │ │
│ │(lexmatch)│ │(ADT+PM) │ │(pattern matching) │ │
│ └──────────┘ └──────────┘ └───────────────────┘ │
│ ┌──────────────────┐ ┌──────────────────────────┐ │
│ │ 87 Built-in │ │ Virtual Filesystem │ │
│ │ Commands │ │ (InMemoryFs + AgentFS) │ │
│ └──────────────────┘ └──────────────────────────┘ │
├─────────────────────────────────────────────────────┤
│ moon build --target js │
│ Pure JavaScript Output (no WASM) │
└─────────────────────────────────────────────────────┘
| Document | Description |
|---|---|
| Architecture | System architecture and module design |
| API Specification | Public API surface and type definitions |
| Commands | All 87 built-in command specifications |
| Ecosystem Mapping | Command-to-library implementation strategy and FFI boundary |
| Filesystem | Virtual filesystem design and implementation |
| Security | Sandbox security model and threat mitigation |
| FFI & Interop | MoonBit-JavaScript interop design |
| Roadmap | Development phases and milestones |
Apache-2.0