ewhauser/gbash

FileSystem(...))` — arbitrary filesystem implementation ### Network Access Network is off by default. To enable it, call `gbash.WithNetworkAccess()` before building the runtime. With network enabled, `curl` is registered by default. Other commands that need network (e.g., `git`) must be explicitly registered in the registry before execution. ## Security Model gbash's security model is built around preventing unintended host access: - **Virtual filesystem**: All filesystem operations are sandboxed to an in-memory or host-backed filesystem implementation. No host binary execution. - **Registry-backed command execution**: Only explicitly registered commands can be executed. Unknown commands are rejected before parsing. - **Network access**: Network is off by default. When enabled, only allowlisted commands can use it. - **Execution budgets**: Limits on command count, loop iterations, glob expansion, and output size prevent resource exhaustion. - **Determinism**: The same script always produces the same output, given the same filesystem and registry. ## Supported Commands gbash supports 90+ built-in commands with GNU coreutils compatibility coverage. A compatibility report is available at [ewhauser.github.io/gbash/docs/performance/compatibility/](https://ewhauser.github.io/gbash/docs/performance/compatibility/). ### Contrib Commands