doctor: clarify non-root inconclusive checks (#57)

benvinegar · web-flow · commit fc892c5e9777 · 2026-02-18T15:44:28.000-05:00
diff --git a/bin/doctor.sh b/bin/doctor.sh
@@ -19,13 +19,22 @@ BAUDBOT_HOME="/home/baudbot_agent"
 PASS=0
 FAIL=0
 WARN=0
+IS_ROOT=0
+if [ "$(id -u)" -eq 0 ]; then
+  IS_ROOT=1
+fi
 
 pass() { echo "  ✓ $1"; PASS=$((PASS + 1)); }
 fail() { echo "  ✗ $1"; FAIL=$((FAIL + 1)); }
 warn() { echo "  ⚠ $1"; WARN=$((WARN + 1)); }
 
 echo "Baudbot Doctor"
 echo ""
+if [ "$IS_ROOT" -ne 1 ]; then
+  echo "ℹ Running without root: some checks may be inconclusive."
+  echo "  For full accuracy, run: sudo baudbot doctor"
+  echo ""
+fi
 
 # ── User ─────────────────────────────────────────────────────────────────────
 
@@ -135,7 +144,11 @@ if [ -f "$ENV_FILE" ]; then
     fi
   done
 else
-  fail ".env not found at $ENV_FILE"
+  if [ "$IS_ROOT" -ne 1 ] && [ -d "$BAUDBOT_HOME/.config" ]; then
+    warn "cannot verify agent .env as non-root (run: sudo baudbot doctor)"
+  else
+    fail ".env not found at $ENV_FILE"
+  fi
 fi
 
 # ── Runtime ──────────────────────────────────────────────────────────────────
@@ -146,26 +159,42 @@ echo "Runtime:"
 if [ -f "$BAUDBOT_HOME/runtime/start.sh" ]; then
   pass "start.sh deployed"
 else
-  fail "start.sh not found (run: baudbot deploy)"
+  if [ "$IS_ROOT" -ne 1 ] && [ -d "$BAUDBOT_HOME/runtime" ]; then
+    warn "cannot verify start.sh as non-root (run: sudo baudbot doctor)"
+  else
+    fail "start.sh not found (run: baudbot deploy)"
+  fi
 fi
 
 if [ -d "$BAUDBOT_HOME/.pi/agent/extensions" ]; then
   EXT_COUNT=$(find "$BAUDBOT_HOME/.pi/agent/extensions" -maxdepth 1 -name '*.ts' -o -name '*.mjs' 2>/dev/null | wc -l)
   pass "extensions deployed ($EXT_COUNT files)"
 else
-  fail "extensions not deployed (run: baudbot deploy)"
+  if [ "$IS_ROOT" -ne 1 ] && [ -d "$BAUDBOT_HOME" ]; then
+    warn "cannot verify extensions as non-root (run: sudo baudbot doctor)"
+  else
+    fail "extensions not deployed (run: baudbot deploy)"
+  fi
 fi
 
 if [ -d "$BAUDBOT_HOME/.pi/agent/skills" ]; then
   pass "skills deployed"
 else
-  fail "skills not deployed (run: baudbot deploy)"
+  if [ "$IS_ROOT" -ne 1 ] && [ -d "$BAUDBOT_HOME" ]; then
+    warn "cannot verify skills as non-root (run: sudo baudbot doctor)"
+  else
+    fail "skills not deployed (run: baudbot deploy)"
+  fi
 fi
 
 if [ -d "$BAUDBOT_HOME/runtime/slack-bridge" ] && [ -f "$BAUDBOT_HOME/runtime/slack-bridge/bridge.mjs" ]; then
   pass "slack bridge deployed"
 else
-  fail "slack bridge not deployed (run: baudbot deploy)"
+  if [ "$IS_ROOT" -ne 1 ] && [ -d "$BAUDBOT_HOME/runtime" ]; then
+    warn "cannot verify slack bridge files as non-root (run: sudo baudbot doctor)"
+  else
+    fail "slack bridge not deployed (run: baudbot deploy)"
+  fi
 fi
 
 # ── Security ─────────────────────────────────────────────────────────────────
@@ -178,7 +207,11 @@ if command -v iptables &>/dev/null && iptables -w -L BAUDBOT_OUTPUT -n &>/dev/nu
   RULE_COUNT=$(iptables -w -L BAUDBOT_OUTPUT -n 2>/dev/null | tail -n +3 | wc -l)
   pass "firewall active ($RULE_COUNT rules)"
 else
-  warn "firewall not active (run: baudbot setup)"
+  if command -v iptables &>/dev/null && [ "$IS_ROOT" -ne 1 ]; then
+    warn "cannot verify firewall as non-root (run: sudo baudbot doctor)"
+  else
+    warn "firewall not active (run: baudbot setup)"
+  fi
 fi
 
 # /proc hidepid
@@ -214,7 +247,11 @@ if [ -f "$TOOL_GUARD" ]; then
     fi
   fi
 else
-  fail "tool-guard.ts not found"
+  if [ "$IS_ROOT" -ne 1 ] && [ -d "$BAUDBOT_HOME" ]; then
+    warn "cannot verify tool-guard.ts as non-root (run: sudo baudbot doctor)"
+  else
+    fail "tool-guard.ts not found"
+  fi
 fi
 
 # ── Agent Status ─────────────────────────────────────────────────────────────
@@ -223,13 +260,20 @@ echo ""
 echo "Agent:"
 
 if command -v systemctl &>/dev/null && [ -d /run/systemd/system ]; then
-  if systemctl is-enabled baudbot &>/dev/null 2>&1; then
+  enabled_state=$(systemctl is-enabled baudbot 2>&1 || true)
+  if [ "$enabled_state" = "enabled" ]; then
     pass "systemd unit enabled"
-    if systemctl is-active baudbot &>/dev/null 2>&1; then
+
+    active_state=$(systemctl is-active baudbot 2>&1 || true)
+    if [ "$active_state" = "active" ]; then
       pass "agent is running (systemd)"
+    elif [ "$IS_ROOT" -ne 1 ] && echo "$active_state" | grep -qiE 'access denied|not authorized|interactive authentication|required'; then
+      warn "cannot verify agent runtime as non-root (run: sudo baudbot doctor)"
     else
       warn "agent is not running"
     fi
+  elif [ "$IS_ROOT" -ne 1 ] && echo "$enabled_state" | grep -qiE 'access denied|not authorized|interactive authentication|required'; then
+    warn "cannot verify systemd unit state as non-root (run: sudo baudbot doctor)"
   else
     warn "systemd unit not installed (run: baudbot setup)"
   fi
diff --git a/bin/update-release.sh b/bin/update-release.sh
@@ -256,6 +256,9 @@ publish_release() {
   if [ -d "$RELEASE_DIR" ]; then
     log "release already exists: $RELEASE_DIR"
     verify_git_free_release "$RELEASE_DIR" || die "existing release contains .git: $RELEASE_DIR"
+    # Ensure the top-level release directory is traversable by non-root users
+    # so /usr/local/bin/baudbot remains discoverable on PATH.
+    chmod a+rx "$RELEASE_DIR" 2>/dev/null || true
     return 0
   fi
 
@@ -277,6 +280,10 @@ publish_release() {
   # Keep directories writable for release pruning/cleanup workflows.
   find "$STAGING_DIR" -type f -exec chmod a-w {} +
 
+  # Ensure release root is traversable by non-root users so the global
+  # /usr/local/bin/baudbot symlink can be resolved from PATH.
+  chmod a+rx "$STAGING_DIR"
+
   mv "$STAGING_DIR" "$RELEASE_DIR"
   STAGING_DIR=""
 }
diff --git a/bin/update-release.test.sh b/bin/update-release.test.sh
@@ -107,6 +107,8 @@ test_publish_git_free_release() {
 
     [ "$current_target" = "$release_root/releases/$sha" ]
     [ -f "$current_target/baudbot-release.json" ]
+    # Release root must be traversable so /usr/local/bin/baudbot is discoverable.
+    [ "$(stat -c '%a' "$current_target")" = "755" ]
     assert_no_git_dirs "$release_root/releases"
   )
 }

Original file line number	Diff line number	Diff line change
`@@ -107,6 +107,8 @@ test_publish_git_free_release() {`
`107`	`107`
`108`	`108`	`[ "$current_target" = "$release_root/releases/$sha" ]`
`109`	`109`	`[ -f "$current_target/baudbot-release.json" ]`
	`110`	`+ # Release root must be traversable so /usr/local/bin/baudbot is discoverable.`
	`111`	`+ [ "$(stat -c '%a' "$current_target")" = "755" ]`
`110`	`112`	`assert_no_git_dirs "$release_root/releases"`
`111`	`113`	`)`
`112`	`114`	`}`