Spaceship: A JIT-compiled systems language that compiles .sh to LLVM
I’ve always felt that the gap between "one-off shell scripts" and "robust systems code" is too wide. Bash is ubiquitous but dangerous; Go is safe but can feel heavy for quick automation.
I’m building Spaceship to bridge that gap. It’s a Go-inspired systems language with a C++/Boost-based compiler that JIT-compiles everything—including legacy shell scripts—directly into native machine code via LLVM.
The highlights:
* @jit Directive: You can take an existing .sh file and run @jit("script.sh"). Instead of spawning a subshell, Spaceship parses the shell logic, translates it to POSIX-compliant AST nodes, and JIT-compiles it into the current execution path.
* Zero-Trust JIT Sandbox: Security is enforced at the LLVM IR lowering phase. If your script doesn't explicitly allow a capability (like network.tcp or process.fork) in the security manifest, the JIT simply refuses to generate the machine code for those instructions. No runtime interceptor overhead.
* Arbitrary Bit-Widths: Since it’s LLVM-native, you aren't stuck with i32 or i64. If you're interfacing with specific hardware or protocols, you can use i1, i23, i25, etc.
* The !i32 Contract: All system calls return a success value or an i32 POSIX error code, handled via a check/except flow that mirrors C++ exception speed but keeps the simplicity of Go’s error handling.
* Unified Backend: We use Boost (Asio, Process, Filesystem) as the high-performance standard library that the JIT links against, ensuring POSIX compatibility across Linux and macOS.
The parser is implemented in C++ and handles deferred execution pipelines—nothing runs until you call .run(), which allows the JIT to optimize the entire chain of operations.
I'd love to hear your thoughts on the "Security through Omission" model and the feasibility of replacing dash/bash with a JIT-ted environment for high-performance automation.
> The parser is implemented in C++ and handles deferred execution pipelines—nothing runs until you call .run(), which allows the JIT to optimize the entire chain of operations.
I think "The parser would hypothetically be implemented in C++" would be more correct as this looks more like an empty skeleton with hypothetical benchmarks.
> "Security through Omission" model
I guess a systems-level programming language that omits the implementation like Orbit is indeed more secure, but also not very useful.
Cool, I am also working on a systems language targeting binaries. FreedomLang (freelang.dev) takes a radically different approach by using direct PE/Mach-O emission with zero runtime dependencies, built specifically for security agents and DevSecOps automation.
The key philosophical differences:
FSABI (Filesystem ABI) Concurrency: Instead of JIT-compiling shell pipelines, we use the filesystem as the concurrency boundary. Jobs fork with typed params written to /jobs/job<id>/inbox/*.<type>, execute in isolated processes, and write results to ./outbox. Debuggable with ls -R, reproducible, and naturally auditable. No shared memory, no race conditions.
Windows "Self-Exec" Model: Since Windows has no fork(), we re-spawn the binary with --flx-worker flags—the child reads its entire state from the FSABI inbox. Zero runtime shims, no process table magic.
Raw Assembly -> Kernel Only: Our binaries are tiny (7.5KB hello world, ~22KB for realistic file I/O + control flow + assertions) and link only against kernel32.dll (Windows) or raw syscalls (Linux). No libc, no CRT startup, direct CreateProcessA/WriteFile calls. The attack surface is just the kernel interface.
Fail-Fast by Design: fall for bugs (immediate termination), explicit variants for world state (missing files, timeouts). No exceptions, no silent recoveries that hide security issues in production agents.
We're in RFC/private beta right now, targeting security teams that need to justify every line of code running in their scanning agents and CI/CD gates. The ability to audit the entire compiler/runtime in an afternoon is the feature.
Questions on yours:
Your shell-to-LLVM JIT is fascinating -- how are you handling the semantic gap between Bash's lenient error model (pipelines succeed if any command succeeds) and POSIX's strict contracts? Do you expose multiple error handling modes, or force everything through the check/except flow?
Also curious: when you JIT-compile legacy .sh scripts, do you preserve the original behavior of things like unquoted variable expansion and word splitting, or do you enforce stricter semantics? What do you think of shc?
I’ve always felt that the gap between "one-off shell scripts" and "robust systems code" is too wide. Bash is ubiquitous but dangerous; Go is safe but can feel heavy for quick automation.
I’m building Spaceship to bridge that gap. It’s a Go-inspired systems language with a C++/Boost-based compiler that JIT-compiles everything—including legacy shell scripts—directly into native machine code via LLVM.
The highlights:
* @jit Directive: You can take an existing .sh file and run @jit("script.sh"). Instead of spawning a subshell, Spaceship parses the shell logic, translates it to POSIX-compliant AST nodes, and JIT-compiles it into the current execution path. * Zero-Trust JIT Sandbox: Security is enforced at the LLVM IR lowering phase. If your script doesn't explicitly allow a capability (like network.tcp or process.fork) in the security manifest, the JIT simply refuses to generate the machine code for those instructions. No runtime interceptor overhead. * Arbitrary Bit-Widths: Since it’s LLVM-native, you aren't stuck with i32 or i64. If you're interfacing with specific hardware or protocols, you can use i1, i23, i25, etc. * The !i32 Contract: All system calls return a success value or an i32 POSIX error code, handled via a check/except flow that mirrors C++ exception speed but keeps the simplicity of Go’s error handling. * Unified Backend: We use Boost (Asio, Process, Filesystem) as the high-performance standard library that the JIT links against, ensuring POSIX compatibility across Linux and macOS.
The parser is implemented in C++ and handles deferred execution pipelines—nothing runs until you call .run(), which allows the JIT to optimize the entire chain of operations.
I'd love to hear your thoughts on the "Security through Omission" model and the feasibility of replacing dash/bash with a JIT-ted environment for high-performance automation.