Thanks to visit codestin.com
Credit goes to github.com

Skip to content

feat: add @cloudflare/shell#1103

Merged
threepointone merged 1 commit into
mainfrom
shell
Mar 13, 2026
Merged

feat: add @cloudflare/shell#1103
threepointone merged 1 commit into
mainfrom
shell

Conversation

@threepointone
Copy link
Copy Markdown
Contributor

@threepointone threepointone commented Mar 13, 2026
edited by devin-ai-integration Bot
Loading

Summary

Introduces — a runtime-agnostic bash interpreter with an in-memory filesystem, 80+ built-in commands, and pluggable backends for SQL, code execution, and HTML-to-Markdown conversion. Forked from just-bash (Apache-2.0, Vercel Labs) and substantially extended.

Also migrates @cloudflare/think from just-bash to @cloudflare/shell.

What's in the package

Core interpreter

  • Full bash subset: pipes, redirects, variables, arithmetic, arrays, globbing, brace expansion, functions, heredocs, process substitution, set -euo pipefail
  • 80+ built-in commands across I/O, filesystem, text processing, data, archives, network, and control flow
  • In-memory POSIX-like filesystem with symlinks, permissions, /proc, /dev/null, /dev/urandom, lazy file loading
  • defineCommand() API for registering custom TypeScript commands
  • Configurable execution limits (18 knobs) to prevent resource exhaustion in multi-tenant environments
  • RE2-based regex engine via re2js to avoid ReDoS from user-supplied patterns
  • Network access disabled by default; opt-in via URL allow-list with optional SSRF protection (denyPrivateRanges)

Pluggable interface architecture

The core has zero WASM/native dependencies. Three small interfaces externalize heavyweight capabilities:

Interface Enables
SqlExecutor sqlite3 command
CodeExecutor js-exec, node, python3, python commands
MarkdownConverter html-to-markdown command

Entry points and adapters

  • @cloudflare/shell — core shell, filesystem, interfaces, types
  • @cloudflare/shell/workersDOSqlExecutor (Durable Object SqlStorage), D1SqlExecutor (Cloudflare D1), DynamicIsolateExecutor (Worker Loader API for isolated V8 code execution), WorkersAIMarkdownConverter
  • @cloudflare/shell/nodeBetterSqlite3Executor, ChildProcessExecutor, TurndownConverter
  • @cloudflare/shell/embeddedEmbeddedExecutor with QuickJS (~500KB WASM) and Pyodide (~10MB WASM)

Testing

  • Syntax tests: pipes, redirects, variables, arithmetic, arrays, loops, functions, heredocs, set -e/-u/-o pipefail, command substitution, process substitution, brace/glob expansion
  • Execution protection tests: all 18 execution limits
  • Command tests: grep, sed, jq, awk, find, tar, curl, sqlite3, etc.
  • Spec-compliance tests: BusyBox grep/sed test suites, GNU grep BRE/ERE/spencer test suites, jq upstream test suite, bash spec cases
  • Workers integration tests: Durable Object SQL, code execution via Worker Loader
  • Node.js integration tests: better-sqlite3, child_process, turndown
  • E2E Playwright tests against a real deployed Worker

Differences from just-bash

  • Pluggable adapters instead of bundled WASM — zero core dependencies on platform APIs
  • RE2 regex engine instead of native RegExp
  • 13 additional execution limits (just-bash has 5)
  • SSRF protection via denyPrivateRanges
  • xan and yq not ported (niche/overlapping with jq)

@cloudflare/think migration

  • Replaces just-bash peer/dev dep with @cloudflare/shell
  • Updates vitest optimizer config accordingly
Open with Devin

@threepointone
@cloudflare/shell
1915d77 
Initial release of `@cloudflare/shell` — a runtime-agnostic bash interpreter forked from [just-bash](https://github.com/vercel-labs/just-bash) (Apache-2.0, Vercel Labs).

- 80+ built-in commands: I/O, filesystem, text processing, data, archives, network (`curl`), and control flow
- In-memory POSIX-like filesystem with symlinks, permissions, `/proc`, `/dev/null`, `/dev/urandom`
- Full bash subset: pipes, redirects, variables, arithmetic, arrays, globbing, brace expansion, functions, heredocs, `set -euo pipefail`
- Pluggable interfaces for SQL (`SqlExecutor`), code execution (`CodeExecutor`), and HTML-to-Markdown conversion (`MarkdownConverter`)
- Configurable execution limits to prevent resource exhaustion in multi-tenant environments
- RE2-based regex engine via [re2js](https://github.com/le0pard/re2js) for ReDoS-safe `grep`, `sed`, and `awk`
- Network access disabled by default with URL allow-list and optional SSRF protection (`denyPrivateRanges`)
- Workers adapters (`@cloudflare/shell/workers`): `DOSqlExecutor` (Durable Object SqlStorage), `D1SqlExecutor` (Cloudflare D1), `DynamicIsolateExecutor` (Worker Loader), `WorkersAIMarkdownConverter`
- Node.js adapters (`@cloudflare/shell/node`): `BetterSqlite3Executor`, `ChildProcessExecutor`, `TurndownConverter`
- Embedded adapters (`@cloudflare/shell/embedded`): `EmbeddedExecutor` with QuickJS and Pyodide WASM
@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented Mar 13, 2026

🦋 Changeset detected

Latest commit: 1915d77

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@cloudflare/shell Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

devin-ai-integration[bot]
devin-ai-integration Bot reviewed Mar 13, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@devin-ai-integration devin-ai-integration Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

Open in Devin Review

@pkg-pr-new
Copy link
Copy Markdown

pkg-pr-new Bot commented Mar 13, 2026

Open in StackBlitz

agents

npm i https://pkg.pr.new/cloudflare/agents@1103

@cloudflare/ai-chat

npm i https://pkg.pr.new/cloudflare/agents/@cloudflare/ai-chat@1103

@cloudflare/codemode

npm i https://pkg.pr.new/cloudflare/agents/@cloudflare/codemode@1103

hono-agents

npm i https://pkg.pr.new/cloudflare/agents/hono-agents@1103

@cloudflare/shell

npm i https://pkg.pr.new/cloudflare/agents/@cloudflare/shell@1103

@cloudflare/voice

npm i https://pkg.pr.new/cloudflare/agents/@cloudflare/voice@1103

@cloudflare/worker-bundler

npm i https://pkg.pr.new/cloudflare/agents/@cloudflare/worker-bundler@1103

commit: 9b2d27d

@threepointone threepointone merged commit fd1f435 into main Mar 13, 2026
1 check passed
@threepointone threepointone deleted the shell branch March 13, 2026 14:17
@github-actions github-actions Bot mentioned this pull request Mar 13, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@devin-ai-integration devin-ai-integration[bot] devin-ai-integration[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@threepointone