bashrs 6.51.0

Rust-to-Shell transpiler for deterministic bootstrap scripts
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289

<div align="center">

<p align="center">
  <img src=".github/bashrs-hero.svg" alt="bashrs" width="800">
</p>

<h1 align="center">Rash - Bidirectional Shell Safety Tool</h1>

<p align="center">
  <a href="https://crates.io/crates/bashrs"><img src="https://img.shields.io/crates/v/bashrs.svg" alt="Crates.io"></a>
  <a href="https://docs.rs/bashrs"><img src="https://docs.rs/bashrs/badge.svg" alt="Documentation"></a>
  <a href="https://paiml.github.io/bashrs/"><img src="https://img.shields.io/badge/book-The%20Rash%20Book-blue" alt="Book"></a>
  <a href="LICENSE"><img src="https://img.shields.io/crates/l/bashrs.svg" alt="License"></a>
  <a href="https://github.com/paiml/bashrs/actions"><img src="https://github.com/paiml/bashrs/workflows/CI/badge.svg" alt="CI"></a>
</p>

<p align="center">
  <b>Bidirectional shell safety tool that purifies legacy bash scripts and lets you write shell scripts in REAL Rust with automatic safety guarantees.</b>
</p>

</div>

## Table of Contents

- [What's New](#-whats-new-in-v6490)
- [Why Rash?](#why-rash)
- [Quick Start](#quick-start)
- [Features](#features)
- [Core Commands](#core-commands)
- [Advanced Testing](#advanced-testing)
- [Documentation](#-documentation)
- [Quality Metrics](#quality-metrics)
- [Shell Compatibility](#shell-compatibility)
- [Performance](#performance)
- [MCP Server](#mcp-server)
- [Contributing](#contributing)
- [License](#license)

## 🚀 What's New in v6.50.0

**Latest Release** - 2026-01-06

- **Logic Extraction for EXTREME TDD**: Pure logic functions extracted from linter rules
  - `sc2086_logic.rs`: Double-quote detection (37 unit tests)
  - `sc2154_logic.rs`: Variable reference validation (44 unit tests)
  - `devcontainer_logic.rs`: JSON validation helpers (42 unit tests)
  - `sec010_logic.rs`: Path traversal detection (26 unit tests)
- **New Linter Rules**: docker007-012, signal001, systemd001, launchd001
- **Fast Coverage**: `make coverage` runs in under 5 minutes with nextest
- **Quality Metrics**: 9,824 tests, 94.16% line coverage, 96.52% function coverage

See [CHANGELOG.md](CHANGELOG.md) for complete release notes.

## Why Rash?

Shell scripts are everywhere—CI/CD pipelines, deployment automation, system configuration—but they're notoriously difficult to write safely. Rash solves this by providing:

1. **Bidirectional Safety**: Write in Rust and transpile to shell, or purify existing bash scripts
2. **Automatic Transformation**: Don't just detect problems—fix them automatically
3. **Deterministic Guarantees**: Same input always produces identical, reproducible output
4. **Zero Runtime Dependencies**: Generated scripts run on any POSIX-compliant system

## Features

- 🛡️ **Automatic Safety**: Protection against shell injection, word splitting, glob expansion
- 🔍 **Beyond Linting**: Full AST semantic understanding - **transforms** code, doesn't just warn
- 📦 **Zero Runtime Dependencies**: Generated scripts work on any POSIX shell
- 🎯 **Deterministic Output**: Same input always produces identical scripts
-**ShellCheck Compliant**: All output passes strict linting

### How Rash Exceeds ShellCheck

| What ShellCheck Does | What Rash Does |
|---------------------|----------------|
| ⚠️ **Warns**: "$RANDOM is non-deterministic" |**Rewrites** to version-based deterministic IDs |
| ⚠️ **Warns**: "mkdir may fail if exists" |**Transforms** to `mkdir -p` (idempotent) |
| ⚠️ **Warns**: "Unquoted variable expansion" |**Quotes** all variables automatically |
| Static pattern matching | **Full AST semantic understanding** |
| Detects issues (read-only) | **Fixes issues (read-write transformation)** |

**Key Difference**: ShellCheck tells you what's wrong. Rash **understands your code's intent** and rewrites it to be safe, deterministic, and idempotent — automatically.

## Quick Start

### Installation

```bash
# From crates.io (recommended)
cargo install bashrs

# Or from source
git clone https://github.com/paiml/bashrs
cd bashrs
cargo install --path rash
```

### Write Rust, Get Safe Shell

```rust
// install.rs
#[rash::main]
fn main() {
    let version = env_var_or("VERSION", "1.0.0");
    let prefix = env_var_or("PREFIX", "/usr/local");

    echo("Installing MyApp {version} to {prefix}");

    mkdir_p("{prefix}/bin");
    mkdir_p("{prefix}/share/myapp");

    if exec("cp myapp {prefix}/bin/") {
        echo("✓ Binary installed");
    } else {
        eprint("✗ Failed to install binary");
        exit(1);
    }
}
```

**Transpile to safe POSIX shell**:

```bash
$ bashrs build install.rs -o install.sh
```

### Or Purify Existing Bash

**Before** (messy bash):
```bash
#!/bin/bash
SESSION_ID=$RANDOM                      # Non-deterministic
mkdir /app/releases/$RELEASE            # Non-idempotent
rm /app/current                         # Fails if doesn't exist
```

**After** (purified by Rash):
```bash
#!/bin/sh
session_id="session-${version}"         # ✅ Deterministic
mkdir -p "/app/releases/${release}"     # ✅ Idempotent
rm -f "/app/current"                    # ✅ Safe removal
```

## Core Commands

```bash
# Transpile Rust to shell
bashrs build input.rs -o output.sh

# Purify legacy bash scripts
bashrs purify messy.sh -o clean.sh

# Interactive REPL with debugging
bashrs repl

# Lint shell scripts (including Dockerfiles)
bashrs lint script.sh

# Test bash scripts
bashrs test script.sh

# Quality scoring
bashrs score script.sh

# Comprehensive audit
bashrs audit script.sh
```

## Advanced Testing

Rash includes Probar integration for comprehensive quality assurance:

```bash
# State machine testing with playbooks
bashrs playbook install.playbook.yaml --run

# Mutation testing (goal: >90% kill rate)
bashrs mutate script.sh --count 10

# Deterministic simulation replay
bashrs simulate script.sh --seed 42 --verify
```

**Mutation Operators**: Rash applies 10 mutation operators including string mutations, command substitutions, conditional inversions, and redirect modifications to verify test quality.

## 📚 Documentation

**The Rash Book** is the canonical source for all documentation:

### [**→ Read The Rash Book**](https://paiml.github.io/bashrs/)

**Quick links**:
- [Getting Started](https://paiml.github.io/bashrs/getting-started/installation.html)
- [Quick Start Tutorial](https://paiml.github.io/bashrs/getting-started/quick-start.html)
- [Linting Rules](https://paiml.github.io/bashrs/linting/security.html)
- [Configuration Management](https://paiml.github.io/bashrs/config/overview.html)
- [API Reference](https://docs.rs/bashrs)

**Why the book?**
- ✅ All examples automatically tested
- ✅ Always up-to-date with latest release
- ✅ Comprehensive coverage of all features
- ✅ Real-world examples and tutorials

## Quality Metrics

| Metric | Value | Status |
|--------|-------|--------|
| **PMAT Score** | 133/134 (99.3%) | ✅ Grade A+ |
| **Tests** | 9,824 passing | ✅ 100% pass rate |
| **Line Coverage** | 94.16% | ✅ Near target (95%) |
| **Function Coverage** | 96.52% | ✅ Exceeds target |
| **T-code Falsification** | 142/142 | ✅ 130-point checklist |
| **D-code Falsification** | 31/31 | ✅ Dockerfile validation |
| **ShellCheck** | 100% compliant | ✅ All output passes |
| **Shell Compatibility** | 6 shells | ✅ sh, dash, bash, ash, zsh, mksh |

### Falsification Testing (Popper Methodology)

Rash uses Popperian falsification—tests attempt to **disprove** functionality rather than prove it works:

```bash
# Run 130-point transpiler falsification checklist
cargo test -p bashrs --test transpiler_tcode_tests

# Run 30-point Dockerfile falsification checklist
cargo test -p bashrs --test dockerfile_dcode_tests
```

A passing test means the falsification attempt **failed**—the feature works correctly.

## Shell Compatibility

Generated scripts are tested on:

| Shell | Version | Status |
|-------|---------|--------|
| POSIX sh | - | ✅ Full support |
| dash | 0.5.11+ | ✅ Full support |
| bash | 3.2+ | ✅ Full support |
| ash (BusyBox) | 1.30+ | ✅ Full support |
| zsh | 5.0+ | ✅ Full support |
| mksh | R59+ | ✅ Full support |

## Performance

Rash is designed for fast transpilation:

- **Rust-to-Shell**: 21.1µs transpile time
- **Makefile Parsing**: 0.034-1.43ms (70-320x faster than targets)
- **Memory Usage**: <10MB for most scripts

## MCP Server

Rash provides a Model Context Protocol (MCP) server for AI-assisted shell script generation:

```bash
# Install MCP server
cargo install rash-mcp

# Run server
rash-mcp
```

Available in the official MCP registry as `io.github.paiml/rash`.

## Contributing

We welcome contributions! See our [Contributing Guide](CONTRIBUTING.md) for details.

```bash
# Clone and test
git clone https://github.com/paiml/bashrs.git
cd bashrs
make test

# Run all quality checks
make validate
```

## License

MIT License. See [LICENSE](LICENSE) for details.

---

<div align="center">
<b>For comprehensive documentation, visit <a href="https://paiml.github.io/bashrs/">The Rash Book</a></b>
</div>