From 45b3f32a4fcd321338401f967ac508cd742c4a55 Mon Sep 17 00:00:00 2001
From: Ben Vinegar <ben@benv.ca>
Date: Sat, 21 Feb 2026 18:09:21 -0500
Subject: [PATCH 1/3] ops: harden varlock startup and broker status detection

---
 bin/baudbot   | 20 ++++++++++++--------
 bin/doctor.sh |  3 +++
 start.sh      | 34 ++++++++++++++++++++++++++++++++++
 3 files changed, 49 insertions(+), 8 deletions(-)

diff --git a/bin/baudbot b/bin/baudbot
index c87061a..81c11f4 100755
--- a/bin/baudbot
+++ b/bin/baudbot
@@ -369,6 +369,7 @@ print_broker_connection_status() {
   local health_summary=""
   local connection_state=""
   local components_line=""
+  local bridge_running=0
 
   if ! broker_mode_configured "$agent_user"; then
     echo -e "${BOLD}broker connection:${RESET} not configured"
@@ -376,20 +377,23 @@ print_broker_connection_status() {
   fi
 
   if [ "$(id -u)" -eq 0 ]; then
-    sudo -u "$agent_user" tmux has-session -t slack-bridge 2>/dev/null || {
-      echo -e "${BOLD}broker connection:${RESET} disconnected (bridge tmux session not running)"
-      return 0
-    }
+    if pgrep -u "$agent_user" -f "node broker-bridge.mjs" >/dev/null 2>&1; then
+      bridge_running=1
+    fi
   elif [ "$(id -un)" = "$agent_user" ]; then
-    tmux has-session -t slack-bridge 2>/dev/null || {
-      echo -e "${BOLD}broker connection:${RESET} disconnected (bridge tmux session not running)"
-      return 0
-    }
+    if pgrep -u "$agent_user" -f "node broker-bridge.mjs" >/dev/null 2>&1; then
+      bridge_running=1
+    fi
   else
     echo -e "${BOLD}broker connection:${RESET} configured (run with sudo for runtime status)"
     return 0
   fi
 
+  if [ "$bridge_running" -ne 1 ]; then
+    echo -e "${BOLD}broker connection:${RESET} disconnected (broker bridge process not running)"
+    return 0
+  fi
+
   if [ ! -r "$health_file" ]; then
     echo -e "${BOLD}broker connection:${RESET} starting"
     echo -e "${BOLD}broker health:${RESET} unavailable (waiting for bridge health file)"
diff --git a/bin/doctor.sh b/bin/doctor.sh
index 6356e7b..5c41197 100755
--- a/bin/doctor.sh
+++ b/bin/doctor.sh
@@ -67,6 +67,9 @@ fi
 
 if command -v varlock &>/dev/null || [ -x "$BAUDBOT_HOME/.varlock/bin/varlock" ]; then
   pass "varlock is installed"
+  if [ -f "$BAUDBOT_HOME/.varlock/config.json" ] && grep -q '"anonymousId"' "$BAUDBOT_HOME/.varlock/config.json"; then
+    warn "~/.varlock/config.json includes anonymousId (remove to avoid varlock run crash)"
+  fi
 else
   fail "varlock not found"
 fi
diff --git a/start.sh b/start.sh
index 97ed3f7..f909d5c 100755
--- a/start.sh
+++ b/start.sh
@@ -16,6 +16,40 @@ cd ~
 # Set PATH
 export PATH="$HOME/.varlock/bin:$HOME/opt/node-v22.14.0-linux-x64/bin:$PATH"
 
+sanitize_varlock_config() {
+  local cfg="$HOME/.varlock/config.json"
+  local tmp=""
+
+  [ -f "$cfg" ] || return 0
+  grep -q '"anonymousId"' "$cfg" || return 0
+
+  tmp="$(mktemp "$HOME/.varlock/config.XXXXXX")"
+  if python3 - "$cfg" "$tmp" <<'PY'
+import json
+import sys
+
+src, dst = sys.argv[1], sys.argv[2]
+with open(src, "r", encoding="utf-8") as f:
+    data = json.load(f)
+
+if isinstance(data, dict) and "anonymousId" in data:
+    data.pop("anonymousId", None)
+
+with open(dst, "w", encoding="utf-8") as f:
+    json.dump(data, f, indent=2)
+    f.write("\n")
+PY
+  then
+    mv "$tmp" "$cfg"
+    chmod 600 "$cfg" 2>/dev/null || true
+    echo "Removed unsupported anonymousId from ~/.varlock/config.json"
+  else
+    rm -f "$tmp"
+  fi
+}
+
+sanitize_varlock_config
+
 # Validate and load secrets via varlock
 varlock load --path ~/.config/ || {
   echo "❌ Environment validation failed — check ~/.config/.env against .env.schema"

From 564a9d2f49d48791f1357369c4eafb3c3af42bc5 Mon Sep 17 00:00:00 2001
From: Ben Vinegar <ben@benv.ca>
Date: Sat, 21 Feb 2026 18:10:39 -0500
Subject: [PATCH 2/3] doctor: fix shellcheck tilde warning

---
 bin/doctor.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bin/doctor.sh b/bin/doctor.sh
index 5c41197..db20b32 100755
--- a/bin/doctor.sh
+++ b/bin/doctor.sh
@@ -68,7 +68,7 @@ fi
 if command -v varlock &>/dev/null || [ -x "$BAUDBOT_HOME/.varlock/bin/varlock" ]; then
   pass "varlock is installed"
   if [ -f "$BAUDBOT_HOME/.varlock/config.json" ] && grep -q '"anonymousId"' "$BAUDBOT_HOME/.varlock/config.json"; then
-    warn "~/.varlock/config.json includes anonymousId (remove to avoid varlock run crash)"
+    warn "$BAUDBOT_HOME/.varlock/config.json includes anonymousId (remove to avoid varlock run crash)"
   fi
 else
   fail "varlock not found"

From b3ea846034eff4b7ff8f070ef823243a3a92c653 Mon Sep 17 00:00:00 2001
From: Ben Vinegar <ben@benv.ca>
Date: Sat, 21 Feb 2026 18:13:37 -0500
Subject: [PATCH 3/3] ops: use varlock telemetry opt-out env in startup

---
 bin/doctor.sh |  2 +-
 start.sh      | 36 +++---------------------------------
 2 files changed, 4 insertions(+), 34 deletions(-)

diff --git a/bin/doctor.sh b/bin/doctor.sh
index db20b32..6b15840 100755
--- a/bin/doctor.sh
+++ b/bin/doctor.sh
@@ -68,7 +68,7 @@ fi
 if command -v varlock &>/dev/null || [ -x "$BAUDBOT_HOME/.varlock/bin/varlock" ]; then
   pass "varlock is installed"
   if [ -f "$BAUDBOT_HOME/.varlock/config.json" ] && grep -q '"anonymousId"' "$BAUDBOT_HOME/.varlock/config.json"; then
-    warn "$BAUDBOT_HOME/.varlock/config.json includes anonymousId (remove to avoid varlock run crash)"
+    warn "$BAUDBOT_HOME/.varlock/config.json includes anonymousId (export VARLOCK_TELEMETRY_DISABLED=1 or remove this field)"
   fi
 else
   fail "varlock not found"
diff --git a/start.sh b/start.sh
index f909d5c..c47289c 100755
--- a/start.sh
+++ b/start.sh
@@ -16,39 +16,9 @@ cd ~
 # Set PATH
 export PATH="$HOME/.varlock/bin:$HOME/opt/node-v22.14.0-linux-x64/bin:$PATH"
 
-sanitize_varlock_config() {
-  local cfg="$HOME/.varlock/config.json"
-  local tmp=""
-
-  [ -f "$cfg" ] || return 0
-  grep -q '"anonymousId"' "$cfg" || return 0
-
-  tmp="$(mktemp "$HOME/.varlock/config.XXXXXX")"
-  if python3 - "$cfg" "$tmp" <<'PY'
-import json
-import sys
-
-src, dst = sys.argv[1], sys.argv[2]
-with open(src, "r", encoding="utf-8") as f:
-    data = json.load(f)
-
-if isinstance(data, dict) and "anonymousId" in data:
-    data.pop("anonymousId", None)
-
-with open(dst, "w", encoding="utf-8") as f:
-    json.dump(data, f, indent=2)
-    f.write("\n")
-PY
-  then
-    mv "$tmp" "$cfg"
-    chmod 600 "$cfg" 2>/dev/null || true
-    echo "Removed unsupported anonymousId from ~/.varlock/config.json"
-  else
-    rm -f "$tmp"
-  fi
-}
-
-sanitize_varlock_config
+# Work around varlock telemetry config crash by opting out at runtime.
+# This avoids loading anonymousId from user config and keeps startup deterministic.
+export VARLOCK_TELEMETRY_DISABLED=1
 
 # Validate and load secrets via varlock
 varlock load --path ~/.config/ || {