From a0c17f459b1db1f4ecf1d8c53458a46719c87e1e Mon Sep 17 00:00:00 2001 From: Mykhailo Chalyi Date: Sat, 16 May 2026 23:50:05 +0000 Subject: [PATCH 1/2] chore(release): prepare v0.6.0 --- CHANGELOG.md | 71 +++++++++++++++++++++++++++++ Cargo.lock | 14 +++--- Cargo.toml | 2 +- crates/bashkit-cli/Cargo.toml | 2 +- crates/bashkit-js/package-lock.json | 4 +- crates/bashkit-js/package.json | 2 +- 6 files changed, 83 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8b926782..d45a96ce 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,77 @@ ## [Unreleased] +## [0.6.0] - 2026-05-16 + +### Highlights + +- **Coreutils module-vendor mode** — Extends the codegen pipeline beyond `uu_app()` argument surfaces to vendor whole upstream uutils modules with a manifest and drift-detection CI. `tee`, `mktemp`, `realpath`, `stat`, and `od` are now ported through codegen, and `printf` now runs on a vendored copy of uucore's format implementation ([#1593](https://github.com/everruns/bashkit/pull/1593), [#1594](https://github.com/everruns/bashkit/pull/1594)). +- **`env` builtin via uutils virtual-env shim** — Ports the uutils env-default surface through a virtual-env shim (TM-INF-024), bringing the full upstream flag set without granting filesystem or process access ([#1592](https://github.com/everruns/bashkit/pull/1592)). +- **MCP server mode removed from CLI** — The `bashkit mcp` server mode has been removed. The recommended path for MCP integrations is now to embed bashkit via the library bindings. +- **Security hardening across the sandbox** — Fail-closed fixes across realfs (no-follow resolver for stat/read_link/remove; reject leaf-symlink writes), snapshot/restore (atomic, fail-closed `vfs_restore`), sqlite (reject `VACUUM`/`VACUUM INTO`; row caps; engine cache invalidation), network (SSRF precheck fails closed; IPv4-mapped IPv6 normalization), jq (replace `halt` to stop sandbox escape via `process::exit`; fancy-regex execution + file-binding caps), and ssh (shell-escape sftp `ls`; try `none`-auth before password/key) ([#1581](https://github.com/everruns/bashkit/pull/1581), [#1582](https://github.com/everruns/bashkit/pull/1582), [#1583](https://github.com/everruns/bashkit/pull/1583), [#1584](https://github.com/everruns/bashkit/pull/1584), [#1585](https://github.com/everruns/bashkit/pull/1585), [#1586](https://github.com/everruns/bashkit/pull/1586), [#1587](https://github.com/everruns/bashkit/pull/1587), [#1588](https://github.com/everruns/bashkit/pull/1588), [#1589](https://github.com/everruns/bashkit/pull/1589), [#1590](https://github.com/everruns/bashkit/pull/1590), [#1591](https://github.com/everruns/bashkit/pull/1591), [#1599](https://github.com/everruns/bashkit/pull/1599), [#1601](https://github.com/everruns/bashkit/pull/1601), [#1613](https://github.com/everruns/bashkit/pull/1613), [#1615](https://github.com/everruns/bashkit/pull/1615)). +- **Threat-model coverage** — Final 6 OPEN entries in the threat model are now marked mitigated ([#1568](https://github.com/everruns/bashkit/pull/1568)). + +### Breaking Changes + +- **CLI MCP server mode removed**: The `bashkit mcp` subcommand and the MCP server transport bundled in the CLI have been removed. + - Before: `bashkit mcp --transport stdio` + - After: embed bashkit via the library bindings (`bashkit` crate, `@everruns/bashkit` on npm, `bashkit` on PyPI) and expose tools through your own MCP server. + +### What's Changed + +* fix(coreutils-port): constrain uu_app builder macro arguments ([#1629](https://github.com/everruns/bashkit/pull/1629)) by @chaliy +* fix(coreutils-port): accept localized-Command let-binding in uu_app ([#1628](https://github.com/everruns/bashkit/pull/1628)) by @chaliy +* chore(deps): bump the rust-dependencies group with 3 updates ([#1626](https://github.com/everruns/bashkit/pull/1626)) by @dependabot +* fix(fuzz): strip real-shell error lines from stderr before banned-shape check ([#1623](https://github.com/everruns/bashkit/pull/1623)) by @chaliy +* fix(fuzz): drop arithmetic_fuzz inputs that contain banned debug shapes ([#1622](https://github.com/everruns/bashkit/pull/1622)) by @chaliy +* fix(fuzz): drop glob_fuzz inputs that contain banned debug shapes ([#1621](https://github.com/everruns/bashkit/pull/1621)) by @chaliy +* fix(coreutils-port): allow safe clap macros in uu_app validator ([#1620](https://github.com/everruns/bashkit/pull/1620)) by @chaliy +* fix(bashkit-eval): make rustls provider init idempotent ([#1619](https://github.com/everruns/bashkit/pull/1619)) by @chaliy +* fix(printf): cap float exponent magnitude in format validation ([#1618](https://github.com/everruns/bashkit/pull/1618)) by @chaliy +* fix(coreutils-port): harden uu_app builder validation ([#1617](https://github.com/everruns/bashkit/pull/1617)) by @chaliy +* fix(sqlite): enforce row cap while stepping ([#1615](https://github.com/everruns/bashkit/pull/1615)) by @chaliy +* fix(ci): isolate coreutils drift external execution ([#1614](https://github.com/everruns/bashkit/pull/1614)) by @chaliy +* fix(jq): cap file binding memory ([#1613](https://github.com/everruns/bashkit/pull/1613)) by @chaliy +* fix(ci): sandbox coreutils drift generation ([#1611](https://github.com/everruns/bashkit/pull/1611)) by @chaliy +* fix(export): continue after invalid identifier to avoid stale env sync ([#1610](https://github.com/everruns/bashkit/pull/1610)) by @chaliy +* fix(js): correct sqlite maxMemory unit handling ([#1609](https://github.com/everruns/bashkit/pull/1609)) by @chaliy +* chore(specs): mark TM-DOS-057 partial on WASM ([#1607](https://github.com/everruns/bashkit/pull/1607)) by @chaliy +* fix(bashkit-eval): install rustls provider for library providers ([#1606](https://github.com/everruns/bashkit/pull/1606)) by @chaliy +* fix(python): preserve credential placeholder env on snapshot restore ([#1605](https://github.com/everruns/bashkit/pull/1605)) by @chaliy +* fix(export): sync successful exports when readonly args fail ([#1604](https://github.com/everruns/bashkit/pull/1604)) by @chaliy +* fix(tool_def): reject bare array flags without values ([#1603](https://github.com/everruns/bashkit/pull/1603)) by @chaliy +* fix(jq): enforce fancy-regex execution limits ([#1601](https://github.com/everruns/bashkit/pull/1601)) by @chaliy +* fix(bindings): derive sqlite limits from host time and memory caps ([#1600](https://github.com/everruns/bashkit/pull/1600)) by @chaliy +* fix(sqlite): invalidate cached engine when VFS file changes ([#1599](https://github.com/everruns/bashkit/pull/1599)) by @chaliy +* fix(tool_def): bound aggregate JSON flag coercion ([#1598](https://github.com/everruns/bashkit/pull/1598)) by @chaliy +* fix(scripted-tool): isolate and bound extension invocation traces ([#1597](https://github.com/everruns/bashkit/pull/1597)) by @chaliy +* fix(scripts): follow redirects and bump just to 1.50.0 in init-cloud-env ([#1595](https://github.com/everruns/bashkit/pull/1595)) by @chaliy +* refactor(builtins): port tee/mktemp/realpath/stat/od to codegen args ([#1594](https://github.com/everruns/bashkit/pull/1594)) by @chaliy +* feat(coreutils-port): add module-vendor mode with manifest and drift CI ([#1593](https://github.com/everruns/bashkit/pull/1593)) by @chaliy +* feat(builtins): port uutils env-default surface via virtual-env shim (TM-INF-024) ([#1592](https://github.com/everruns/bashkit/pull/1592)) by @chaliy +* fix(network): fail closed in SSRF precheck and document handler responsibility ([#1591](https://github.com/everruns/bashkit/pull/1591)) by @chaliy +* fix(network): normalize IPv4-mapped IPv6 in is_private_ip to block SSRF ([#1590](https://github.com/everruns/bashkit/pull/1590)) by @chaliy +* fix(jq): replace halt native to stop sandbox-escape via process::exit ([#1589](https://github.com/everruns/bashkit/pull/1589)) by @chaliy +* fix(sqlite): reject VACUUM to block VFS escape via VACUUM INTO ([#1588](https://github.com/everruns/bashkit/pull/1588)) by @chaliy +* fix(interop): mark filesystem import unsafe and own the foreign vtable ([#1587](https://github.com/everruns/bashkit/pull/1587)) by @chaliy +* fix(snapshot): make vfs_restore fail closed and apply atomically ([#1586](https://github.com/everruns/bashkit/pull/1586)) by @chaliy +* fix(realfs): reject leaf-symlink writes to block dangling-symlink escape ([#1585](https://github.com/everruns/bashkit/pull/1585)) by @chaliy +* fix(realfs): use no-follow resolver for stat/read_link/remove ([#1584](https://github.com/everruns/bashkit/pull/1584)) by @chaliy +* fix(ln): surface remove failure under -f instead of falling through to symlink ([#1583](https://github.com/everruns/bashkit/pull/1583)) by @chaliy +* fix(ssh): try none-auth before password/key to avoid leaking defaults ([#1582](https://github.com/everruns/bashkit/pull/1582)) by @chaliy +* fix(ssh): shell-escape sftp ls path to prevent remote command injection ([#1581](https://github.com/everruns/bashkit/pull/1581)) by @chaliy +* docs(threat-model): mark final 6 OPEN entries mitigated ([#1568](https://github.com/everruns/bashkit/pull/1568)) by @chaliy +* fix(coreutils-port): accept let-bound Command chain in uu_app validator by @chaliy +* fix(fuzz): strip uutils clap error chrome before banned-shape check by @chaliy +* chore(ci): bump artifact actions by @dependabot +* feat(printf): vendor uucore format by @chaliy +* fix(truncate): enforce VFS limits before resize by @chaliy +* fix(shuf): cap range and repeat output allocation by @chaliy +* fix(cli): remove MCP server mode by @chaliy +* chore(maintenance): add deepsec scanning workspace by @chaliy + +**Full Changelog**: https://github.com/everruns/bashkit/compare/v0.5.0...v0.6.0 + ## [0.5.0] - 2026-05-06 ### Highlights diff --git a/Cargo.lock b/Cargo.lock index 641e8a24..8acca483 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -345,7 +345,7 @@ checksum = "2af50177e190e07a26ab74f8b1efbfe2ef87da2116221318cb1c2e82baf7de06" [[package]] name = "bashkit" -version = "0.5.0" +version = "0.6.0" dependencies = [ "anyhow", "async-trait", @@ -398,7 +398,7 @@ dependencies = [ [[package]] name = "bashkit-bench" -version = "0.5.0" +version = "0.6.0" dependencies = [ "anyhow", "bashkit", @@ -412,7 +412,7 @@ dependencies = [ [[package]] name = "bashkit-cli" -version = "0.5.0" +version = "0.6.0" dependencies = [ "anyhow", "bashkit", @@ -428,7 +428,7 @@ dependencies = [ [[package]] name = "bashkit-coreutils-port" -version = "0.5.0" +version = "0.6.0" dependencies = [ "anyhow", "prettyplease", @@ -442,7 +442,7 @@ dependencies = [ [[package]] name = "bashkit-eval" -version = "0.5.0" +version = "0.6.0" dependencies = [ "anyhow", "async-trait", @@ -459,7 +459,7 @@ dependencies = [ [[package]] name = "bashkit-js" -version = "0.5.0" +version = "0.6.0" dependencies = [ "bashkit", "napi", @@ -472,7 +472,7 @@ dependencies = [ [[package]] name = "bashkit-python" -version = "0.5.0" +version = "0.6.0" dependencies = [ "bashkit", "num-bigint", diff --git a/Cargo.toml b/Cargo.toml index 24a4c87e..9f851a6a 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -7,7 +7,7 @@ resolver = "2" members = ["crates/*"] [workspace.package] -version = "0.5.0" +version = "0.6.0" edition = "2024" license = "MIT" authors = ["Everruns"] diff --git a/crates/bashkit-cli/Cargo.toml b/crates/bashkit-cli/Cargo.toml index 3ae9090f..e54fcc5c 100644 --- a/crates/bashkit-cli/Cargo.toml +++ b/crates/bashkit-cli/Cargo.toml @@ -31,7 +31,7 @@ scripted_tool = ["bashkit/scripted_tool"] interactive = ["dep:rustyline", "dep:terminal_size", "dep:signal-hook"] [dependencies] -bashkit = { path = "../bashkit", version = "0.5.0", features = ["http_client", "git", "jq"] } +bashkit = { path = "../bashkit", version = "0.6.0", features = ["http_client", "git", "jq"] } tokio = { workspace = true, features = ["macros", "net", "rt", "rt-multi-thread", "time"] } clap.workspace = true anyhow.workspace = true diff --git a/crates/bashkit-js/package-lock.json b/crates/bashkit-js/package-lock.json index 531de6b7..d471ad84 100644 --- a/crates/bashkit-js/package-lock.json +++ b/crates/bashkit-js/package-lock.json @@ -1,12 +1,12 @@ { "name": "@everruns/bashkit", - "version": "0.5.0", + "version": "0.6.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@everruns/bashkit", - "version": "0.5.0", + "version": "0.6.0", "license": "MIT", "devDependencies": { "@langchain/core": "^1.1.39", diff --git a/crates/bashkit-js/package.json b/crates/bashkit-js/package.json index 1967967f..a5517f3e 100644 --- a/crates/bashkit-js/package.json +++ b/crates/bashkit-js/package.json @@ -1,6 +1,6 @@ { "name": "@everruns/bashkit", - "version": "0.5.0", + "version": "0.6.0", "description": "Sandboxed bash interpreter for JavaScript/TypeScript", "main": "wrapper.js", "browser": "bashkit.wasi-browser.js", From 4de84037ccfccc25d981f1d44ea545079a5b914b Mon Sep 17 00:00:00 2001 From: Mykhailo Chalyi Date: Sun, 17 May 2026 00:28:32 +0000 Subject: [PATCH 2/2] chore(release): trim v0.6.0 highlights --- CHANGELOG.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d45a96ce..f8f0f3d2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,11 +6,9 @@ ### Highlights -- **Coreutils module-vendor mode** — Extends the codegen pipeline beyond `uu_app()` argument surfaces to vendor whole upstream uutils modules with a manifest and drift-detection CI. `tee`, `mktemp`, `realpath`, `stat`, and `od` are now ported through codegen, and `printf` now runs on a vendored copy of uucore's format implementation ([#1593](https://github.com/everruns/bashkit/pull/1593), [#1594](https://github.com/everruns/bashkit/pull/1594)). -- **`env` builtin via uutils virtual-env shim** — Ports the uutils env-default surface through a virtual-env shim (TM-INF-024), bringing the full upstream flag set without granting filesystem or process access ([#1592](https://github.com/everruns/bashkit/pull/1592)). +- **Continue coreutils adoption experiment** — Extends the codegen pipeline beyond `uu_app()` argument surfaces to vendor whole upstream uutils modules with a manifest and drift-detection CI. `tee`, `mktemp`, `realpath`, `stat`, and `od` now flow through codegen; `printf` runs on a vendored copy of uucore's format implementation; and `env` is ported through a virtual-env shim (TM-INF-024) ([#1592](https://github.com/everruns/bashkit/pull/1592), [#1593](https://github.com/everruns/bashkit/pull/1593), [#1594](https://github.com/everruns/bashkit/pull/1594)). - **MCP server mode removed from CLI** — The `bashkit mcp` server mode has been removed. The recommended path for MCP integrations is now to embed bashkit via the library bindings. -- **Security hardening across the sandbox** — Fail-closed fixes across realfs (no-follow resolver for stat/read_link/remove; reject leaf-symlink writes), snapshot/restore (atomic, fail-closed `vfs_restore`), sqlite (reject `VACUUM`/`VACUUM INTO`; row caps; engine cache invalidation), network (SSRF precheck fails closed; IPv4-mapped IPv6 normalization), jq (replace `halt` to stop sandbox escape via `process::exit`; fancy-regex execution + file-binding caps), and ssh (shell-escape sftp `ls`; try `none`-auth before password/key) ([#1581](https://github.com/everruns/bashkit/pull/1581), [#1582](https://github.com/everruns/bashkit/pull/1582), [#1583](https://github.com/everruns/bashkit/pull/1583), [#1584](https://github.com/everruns/bashkit/pull/1584), [#1585](https://github.com/everruns/bashkit/pull/1585), [#1586](https://github.com/everruns/bashkit/pull/1586), [#1587](https://github.com/everruns/bashkit/pull/1587), [#1588](https://github.com/everruns/bashkit/pull/1588), [#1589](https://github.com/everruns/bashkit/pull/1589), [#1590](https://github.com/everruns/bashkit/pull/1590), [#1591](https://github.com/everruns/bashkit/pull/1591), [#1599](https://github.com/everruns/bashkit/pull/1599), [#1601](https://github.com/everruns/bashkit/pull/1601), [#1613](https://github.com/everruns/bashkit/pull/1613), [#1615](https://github.com/everruns/bashkit/pull/1615)). -- **Threat-model coverage** — Final 6 OPEN entries in the threat model are now marked mitigated ([#1568](https://github.com/everruns/bashkit/pull/1568)). +- **Security hardening across the sandbox** — Fail-closed fixes across realfs (no-follow resolver for stat/read_link/remove; reject leaf-symlink writes), snapshot/restore (atomic, fail-closed `vfs_restore`), sqlite (reject `VACUUM`/`VACUUM INTO`; row caps; engine cache invalidation), network (SSRF precheck fails closed; IPv4-mapped IPv6 normalization), jq (replace `halt` to stop sandbox escape via `process::exit`; fancy-regex execution + file-binding caps), and ssh (shell-escape sftp `ls`; try `none`-auth before password/key). The final 6 OPEN entries in the threat model are now marked mitigated ([#1568](https://github.com/everruns/bashkit/pull/1568), [#1581](https://github.com/everruns/bashkit/pull/1581), [#1582](https://github.com/everruns/bashkit/pull/1582), [#1583](https://github.com/everruns/bashkit/pull/1583), [#1584](https://github.com/everruns/bashkit/pull/1584), [#1585](https://github.com/everruns/bashkit/pull/1585), [#1586](https://github.com/everruns/bashkit/pull/1586), [#1587](https://github.com/everruns/bashkit/pull/1587), [#1588](https://github.com/everruns/bashkit/pull/1588), [#1589](https://github.com/everruns/bashkit/pull/1589), [#1590](https://github.com/everruns/bashkit/pull/1590), [#1591](https://github.com/everruns/bashkit/pull/1591), [#1599](https://github.com/everruns/bashkit/pull/1599), [#1601](https://github.com/everruns/bashkit/pull/1601), [#1613](https://github.com/everruns/bashkit/pull/1613), [#1615](https://github.com/everruns/bashkit/pull/1615)). ### Breaking Changes