security: align audits with release bridge location

Author: benvinegar

bin/doctor.sh

@@ -279,13 +279,14 @@ else
   fi
 fi
 
-if [ -d "$BAUDBOT_HOME/runtime/slack-bridge" ] && [ -f "$BAUDBOT_HOME/runtime/slack-bridge/bridge.mjs" ]; then
-  pass "slack bridge deployed"
+BRIDGE_DIR="$BAUDBOT_CURRENT_LINK/slack-bridge"
+if [ -d "$BRIDGE_DIR" ] && [ -f "$BRIDGE_DIR/bridge.mjs" ]; then
+  pass "slack bridge deployed ($BRIDGE_DIR)"
 else
-  if [ "$IS_ROOT" -ne 1 ] && [ -d "$BAUDBOT_HOME/runtime" ]; then
+  if [ "$IS_ROOT" -ne 1 ] && { [ -d "$BAUDBOT_CURRENT_LINK" ] || [ -e "$BAUDBOT_CURRENT_LINK" ]; }; then
     warn "cannot verify slack bridge files as non-root (run: sudo baudbot doctor)"
   else
-    fail "slack bridge not deployed (run: baudbot deploy)"
+    fail "slack bridge not deployed (expected: $BRIDGE_DIR; run: sudo baudbot update)"
   fi
 fi
 

bin/security-audit.sh

@@ -219,13 +219,13 @@ else
   ok "~/.pi/agent/skills/ is a real directory"
 fi
 
-# Check runtime bridge exists
+BRIDGE_DIR="$BAUDBOT_CURRENT_LINK/slack-bridge"
 # shellcheck disable=SC2088
-if [ -d "$BAUDBOT_HOME/runtime/slack-bridge" ]; then
-  ok "Runtime bridge directory exists"
+if [ -d "$BRIDGE_DIR" ]; then
+  ok "Release bridge directory exists ($BRIDGE_DIR)"
 else
-  finding "WARN" "~/runtime/slack-bridge/ not found" \
-    "Run: deploy.sh"
+  finding "WARN" "release bridge directory not found" \
+    "Expected: $BRIDGE_DIR (run: sudo baudbot update)"
 fi
 
 # Check version stamp exists
@@ -251,10 +251,14 @@ if [ -f "$MANIFEST_FILE" ]; then
   for critical_file in \
     ".pi/agent/extensions/tool-guard.ts" \
     ".pi/agent/extensions/tool-guard.test.mjs" \
-    "runtime/slack-bridge/security.mjs" \
-    "runtime/slack-bridge/security.test.mjs"; do
+    "release/slack-bridge/security.mjs" \
+    "release/slack-bridge/security.test.mjs"; do
 
-    full_path="$BAUDBOT_HOME/$critical_file"
+    if [[ "$critical_file" == release/* ]]; then
+      full_path="$BAUDBOT_CURRENT_LINK/${critical_file#release/}"
+    else
+      full_path="$BAUDBOT_HOME/$critical_file"
+    fi
     if [ ! -f "$full_path" ]; then
       finding "WARN" "Missing critical file: $critical_file" "Run deploy.sh"
       missing=$((missing + 1))
@@ -649,17 +653,17 @@ if [ "$DEEP" -eq 1 ]; then
 fi
 
 # Check that bridge security.mjs exists and is tested
-if [ -f "$BAUDBOT_HOME/runtime/slack-bridge/security.mjs" ]; then
-  ok "Bridge security module exists (runtime)"
-  if [ -f "$BAUDBOT_HOME/runtime/slack-bridge/security.test.mjs" ]; then
-    ok "Bridge security tests exist (runtime)"
+if [ -f "$BRIDGE_DIR/security.mjs" ]; then
+  ok "Bridge security module exists (release)"
+  if [ -f "$BRIDGE_DIR/security.test.mjs" ]; then
+    ok "Bridge security tests exist (release)"
   else
-    finding "WARN" "No tests for bridge security module in runtime" \
-      "Run deploy.sh to copy from source"
+    finding "WARN" "No tests for bridge security module in release" \
+      "Run: sudo baudbot update"
   fi
 else
   finding "WARN" "Bridge security module not found" \
-    "Expected in ~/runtime/slack-bridge/security.mjs — run deploy.sh"
+    "Expected in $BRIDGE_DIR/security.mjs — run: sudo baudbot update"
 fi
 echo ""
 

bin/security-audit.test.sh

@@ -19,7 +19,7 @@ trap cleanup EXIT
 setup_base() {
   local home="$1"
   rm -rf "$home"
-  mkdir -p "$home/.config" "$home/.ssh" "$home/.pi" "$home/baudbot/slack-bridge" "$home/baudbot/.git"
+  mkdir -p "$home/.config" "$home/.ssh" "$home/.pi" "$home/opt/baudbot/current/slack-bridge" "$home/baudbot/.git"
 
   # Secrets file
   echo "SLACK_BOT_TOKEN=xoxb-test" > "$home/.config/.env"
@@ -38,8 +38,8 @@ setup_base() {
   echo -e "[user]\n\tname = test\n\temail = test@test.com" > "$home/.gitconfig"
 
   # Bridge security module
-  echo "// security" > "$home/baudbot/slack-bridge/security.mjs"
-  echo "// tests" > "$home/baudbot/slack-bridge/security.test.mjs"
+  echo "// security" > "$home/opt/baudbot/current/slack-bridge/security.mjs"
+  echo "// tests" > "$home/opt/baudbot/current/slack-bridge/security.test.mjs"
 
   # Audit log (fallback location)
   mkdir -p "$home/logs"
@@ -50,7 +50,7 @@ setup_base() {
 run_audit() {
   local home="$1"
   shift
-  BAUDBOT_HOME="$home" bash "$SCRIPT" "$@" 2>&1 || true
+  BAUDBOT_HOME="$home" BAUDBOT_RELEASE_ROOT="$home/opt/baudbot" bash "$SCRIPT" "$@" 2>&1 || true
 }
 
 expect_contains() {
@@ -183,7 +183,7 @@ echo ""
 echo "Test: missing bridge security module"
 HOME8="$TMPDIR/no-bridge-sec"
 setup_base "$HOME8"
-rm -f "$HOME8/baudbot/slack-bridge/security.mjs"
+rm -f "$HOME8/opt/baudbot/current/slack-bridge/security.mjs"
 
 output=$(run_audit "$HOME8")
 expect_contains "reports missing security module" "$output" "Bridge security module not found"
@@ -195,7 +195,7 @@ echo ""
 echo "Test: missing bridge tests"
 HOME9="$TMPDIR/no-bridge-tests"
 setup_base "$HOME9"
-rm -f "$HOME9/baudbot/slack-bridge/security.test.mjs"
+rm -f "$HOME9/opt/baudbot/current/slack-bridge/security.test.mjs"
 
 output=$(run_audit "$HOME9")
 expect_contains "reports missing tests" "$output" "No tests for bridge security"
@@ -224,7 +224,7 @@ HOME11="$TMPDIR/exitcode"
 setup_base "$HOME11"
 echo "SLACK_ALLOWED_USERS=U12345" >> "$HOME11/.config/.env"
 set +e
-BAUDBOT_HOME="$HOME11" bash "$SCRIPT" >/dev/null 2>&1
+BAUDBOT_HOME="$HOME11" BAUDBOT_RELEASE_ROOT="$HOME11/opt/baudbot" bash "$SCRIPT" >/dev/null 2>&1
 code=$?
 set -e
 if [ "$code" -le 2 ]; then
@@ -239,7 +239,7 @@ HOME11b="$TMPDIR/exitcode-crit"
 setup_base "$HOME11b"
 chmod 644 "$HOME11b/.config/.env"
 set +e
-BAUDBOT_HOME="$HOME11b" bash "$SCRIPT" >/dev/null 2>&1
+BAUDBOT_HOME="$HOME11b" BAUDBOT_RELEASE_ROOT="$HOME11b/opt/baudbot" bash "$SCRIPT" >/dev/null 2>&1
 code=$?
 set -e
 if [ "$code" -eq 2 ]; then

test/security-audit.test.mjs

@@ -13,7 +13,7 @@ function setupFixture(homeDir) {
   fs.mkdirSync(path.join(homeDir, ".config"), { recursive: true });
   fs.mkdirSync(path.join(homeDir, ".ssh"), { recursive: true });
   fs.mkdirSync(path.join(homeDir, ".pi/agent"), { recursive: true });
-  fs.mkdirSync(path.join(homeDir, "runtime/slack-bridge"), { recursive: true });
+  fs.mkdirSync(path.join(homeDir, "opt/baudbot/current/slack-bridge"), { recursive: true });
   fs.mkdirSync(path.join(homeDir, "baudbot/.git/hooks"), { recursive: true });
   fs.mkdirSync(path.join(homeDir, "logs"), { recursive: true });
 
@@ -29,8 +29,8 @@ function setupFixture(homeDir) {
     path.join(homeDir, ".pi/agent/baudbot-version.json"),
     JSON.stringify({ short: "testsha", deployed_at: "2026-01-01T00:00:00Z" }),
   );
-  fs.writeFileSync(path.join(homeDir, "runtime/slack-bridge/security.mjs"), "// security\n");
-  fs.writeFileSync(path.join(homeDir, "runtime/slack-bridge/security.test.mjs"), "// tests\n");
+  fs.writeFileSync(path.join(homeDir, "opt/baudbot/current/slack-bridge/security.mjs"), "// security\n");
+  fs.writeFileSync(path.join(homeDir, "opt/baudbot/current/slack-bridge/security.test.mjs"), "// tests\n");
   fs.writeFileSync(path.join(homeDir, "logs/commands.log"), "");
 }
 
@@ -43,6 +43,7 @@ function runAudit(homeDir, args = []) {
       BAUDBOT_HOME: homeDir,
       BAUDBOT_SRC: path.join(homeDir, "baudbot"),
       BAUDBOT_AGENT_USER: "baudbot_agent",
+      BAUDBOT_RELEASE_ROOT: path.join(homeDir, "opt/baudbot"),
     },
   });