arch: remove local web control plane (#110)

Author: benvinegar

.c8rc.json

@@ -2,7 +2,6 @@
   "all": false,
   "include": [
     "slack-bridge/security.mjs",
-    "control-plane/server.mjs",
     "bin/scan-extensions.mjs"
   ],
   "exclude": [

AGENTS.md

@@ -20,7 +20,6 @@ bin/                        security & operations scripts
   prune-session-logs.sh     retention cleanup for old pi session logs
   config.sh                 env var validation helper
   broker-register.mjs       Slack broker workspace registration CLI
-  control-plane.sh          starts the admin web dashboard
   doctor.sh                 system health checks
   uninstall.sh              clean removal of baudbot
   test.sh                   runs all test suites
@@ -52,9 +51,6 @@ pi/
     dev-agent/              coding agent
     sentry-agent/           monitoring/triage agent
   settings.json             pi agent settings
-control-plane/
-  server.mjs                admin-owned web dashboard + API (port 28800)
-  server.test.mjs           control plane tests
 slack-bridge/
   bridge.mjs                Slack ↔ agent bridge (legacy Socket Mode)
   broker-bridge.mjs         Slack ↔ agent bridge (broker pull mode — preferred)

CONFIGURATION.md

@@ -135,17 +135,6 @@ These are **command-time overrides** for `baudbot update` / `baudbot rollback` (
 | `BAUDBOT_UPDATE_REPO` | Update source repo URL/path override | auto-detected / remembered |
 | `BAUDBOT_UPDATE_BRANCH` | Update source branch override | remembered / `main` |
 
-### Control Plane
-
-The control plane runs as the admin user, not `baudbot_agent`. These env vars are for the admin's environment.
-
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `BAUDBOT_CP_PORT` | Control plane listen port | `28800` |
-| `BAUDBOT_CP_TOKEN` | Bearer token for API auth | *(empty — no auth, localhost only)* |
-
-Port 28800 is intentionally outside the agent's firewall allowlist — the agent cannot reach the control plane.
-
 ### Setup Overrides
 
 Set during `setup.sh` / `baudbot install` via env vars:

SECURITY.md

@@ -86,18 +86,6 @@ the admin can re-deploy from the untampered source at any time.
 
 **baudbot_agent → admin access**: None. Admin home is `700`, baudbot_agent is not in the admin user's group.
 
-## Control Plane Isolation
-
-The control plane (`control-plane/server.mjs`) is an admin-owned web server on port 28800.
-
-- Runs as the **admin user**, not `baudbot_agent`
-- Port 28800 is **not** in the agent's firewall allowlist — the agent cannot reach it
-- Provides read-only visibility into agent state (processes, config, sessions)
-- Optional bearer token auth (`BAUDBOT_CP_TOKEN`)
-- Config endpoint shows which env vars are set, **never** their values
-
-The agent cannot use the control plane to reconfigure or inspect itself.
-
 ## Data Flows
 
 ```

bin/ci/setup-arch.sh

@@ -69,7 +69,6 @@ export PATH="/home/baudbot_agent/opt/node-v22.14.0-linux-x64/bin:$PATH"
 cd /home/baudbot_admin/baudbot
 npm install --ignore-scripts 2>&1 | tail -1
 cd slack-bridge && npm install 2>&1 | tail -1
-cd ../control-plane && npm install 2>&1 | tail -1
 cd ..
 
 echo "=== Running tests ==="

bin/ci/setup-ubuntu.sh

@@ -107,7 +107,6 @@ export PATH="/home/baudbot_agent/opt/node-v22.14.0-linux-x64/bin:$PATH"
 cd /home/baudbot_admin/baudbot
 npm install --ignore-scripts 2>&1 | tail -1
 cd slack-bridge && npm install 2>&1 | tail -1
-cd ../control-plane && npm install 2>&1 | tail -1
 cd ..
 
 echo "=== Running tests ==="

bin/control-plane.sh

@@ -84,10 +84,6 @@ iptables -w -A "$CHAIN" -o lo -p tcp --dport 53 -j ACCEPT
 # Allow localhost responses (established connections back to us)
 iptables -w -A "$CHAIN" -o lo -m state --state ESTABLISHED,RELATED -j ACCEPT
 
-# ── NOTE: control plane (28800) is intentionally NOT allowed ──────────
-# The admin-owned control plane runs on port 28800. The agent must not
-# be able to reach it — the default-deny below handles this.
-
 # Block everything else on localhost
 iptables -w -A "$CHAIN" -o lo -j LOG --log-prefix "BAUDBOT_LOCAL_BLOCKED: " --log-level 4
 iptables -w -A "$CHAIN" -o lo -j DROP

bin/setup-firewall.sh

@@ -52,7 +52,6 @@ JS_TEST_FILES=(
   slack-bridge/security.test.mjs
   bin/scan-extensions.test.mjs
   bin/broker-register.test.mjs
-  control-plane/server.test.mjs
 )
 
 JS_TEST_NAMES=(
@@ -62,7 +61,6 @@ JS_TEST_NAMES=(
   "bridge security"
   "extension scanner"
   "broker register"
-  "control-plane"
 )
 
 run_js_tests() {