fix: resolve npm from embedded node runtime in update-release (#174)

benvinegar · web-flow · commit 400754b5272a · 2026-02-24T23:20:33.000-05:00
diff --git a/bin/AGENTS.md b/bin/AGENTS.md
@@ -18,6 +18,17 @@ Scope: shell CLI and operational scripts under `bin/`.
 - Reuse shared helpers (`shell-common.sh`, `paths-common.sh`, `release-common.sh`, etc.) instead of duplicating constants or logging/error patterns.
 - Prefer portable shell patterns; distro-specific branches are acceptable when reliability improves.
 - Any security-relevant shell change must include/adjust tests.
+- **Never call `node`, `npm`, or other runtime binaries by bare name** in scripts that run as root or outside the agent user's shell. These binaries live in the agent's embedded runtime (`/home/baudbot_agent/opt/node/bin/`) and are not on root's PATH. Use `runtime-node.sh` helpers (e.g. `bb_resolve_runtime_node_bin`, `bb_resolve_runtime_node_bin_dir`) to resolve the full path, then invoke via a variable. Fall back to bare name only as a last resort.
+
+  ```bash
+  # ✅ Good: resolve then invoke
+  source "$SCRIPT_DIR/lib/runtime-node.sh"
+  node_bin_dir="$(bb_resolve_runtime_node_bin_dir "$agent_home")"
+  "$node_bin_dir/npm" ci --omit=dev
+
+  # ❌ Bad: bare name breaks when not on PATH
+  npm ci --omit=dev
+  ```
 
 ## Critical files
 
diff --git a/bin/update-release.sh b/bin/update-release.sh
@@ -46,6 +46,8 @@ RELEASE_DIR=""
 log() { bb_log "$1"; }
 die() { bb_die "$1"; }
 
+# shellcheck source=bin/lib/runtime-node.sh
+source "$SCRIPT_DIR/lib/runtime-node.sh"
 # shellcheck source=bin/lib/release-common.sh
 source "$SCRIPT_DIR/lib/release-common.sh"
 # shellcheck source=bin/lib/release-runtime-common.sh
@@ -219,10 +221,19 @@ install_release_bridge_dependencies() {
   log "installing production Slack bridge dependencies in release"
   rm -rf "$bridge_dir/node_modules"
 
+  # Resolve npm from the agent's embedded node runtime, falling back to PATH.
+  local npm_bin="npm"
+  local agent_home="/home/${BAUDBOT_AGENT_USER:-baudbot_agent}"
+  local node_bin_dir=""
+  node_bin_dir="$(bb_resolve_runtime_node_bin_dir "$agent_home" 2>/dev/null || true)"
+  if [ -n "$node_bin_dir" ] && [ -x "$node_bin_dir/npm" ]; then
+    npm_bin="$node_bin_dir/npm"
+  fi
+
   if [ -f "$bridge_dir/package-lock.json" ]; then
-    (cd "$bridge_dir" && npm ci --omit=dev)
+    (cd "$bridge_dir" && "$npm_bin" ci --omit=dev)
   else
-    (cd "$bridge_dir" && npm install --omit=dev)
+    (cd "$bridge_dir" && "$npm_bin" install --omit=dev)
   fi
 }
 
