diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index edc91a4..5f2834e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -25,6 +25,11 @@ jobs:
       - name: Typecheck
         run: npm run typecheck
 
+      - name: ShellCheck
+        run: |
+          find bin/ setup.sh start.sh -type f \( -name '*.sh' -o -name 'hornet-safe-bash' -o -name 'hornet-docker' \) \
+            | xargs shellcheck -s bash -S warning
+
   test:
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
new file mode 100644
index 0000000..5e15ea7
--- /dev/null
+++ b/.github/workflows/integration.yml
@@ -0,0 +1,83 @@
+name: Integration
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+concurrency:
+  group: integration-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
+jobs:
+  integration:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - distro: ubuntu
+            image: ubuntu-24-04-x64
+            setup_script: bin/ci/setup-ubuntu.sh
+          # To add Arch (or other distros), add entries here:
+          # - distro: arch
+          #   image: arch-linux-x64  # or a custom snapshot ID
+          #   setup_script: bin/ci/setup-arch.sh
+
+    name: ${{ matrix.distro }}
+    timeout-minutes: 10
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Generate ephemeral SSH key
+        run: |
+          mkdir -p ~/.ssh
+          ssh-keygen -t ed25519 -f ~/.ssh/ci_key -N "" -q
+
+      - name: Create droplet
+        id: droplet
+        env:
+          DO_API_TOKEN: ${{ secrets.DO_API_TOKEN }}
+        run: |
+          output=$(bash bin/ci/droplet.sh create \
+            "ci-${{ matrix.distro }}-${{ github.run_id }}" \
+            "${{ matrix.image }}" \
+            ~/.ssh/ci_key.pub)
+          echo "$output" >> "$GITHUB_OUTPUT"
+          echo "$output"
+
+      - name: Wait for SSH
+        env:
+          DO_API_TOKEN: ${{ secrets.DO_API_TOKEN }}
+        run: |
+          bash bin/ci/droplet.sh wait-ssh \
+            "${{ steps.droplet.outputs.DROPLET_IP }}" \
+            ~/.ssh/ci_key
+
+      - name: Upload source
+        run: |
+          tar czf /tmp/hornet-src.tar.gz \
+            --exclude=node_modules --exclude=.git .
+          scp -o StrictHostKeyChecking=no -o BatchMode=yes \
+            -i ~/.ssh/ci_key \
+            /tmp/hornet-src.tar.gz \
+            "root@${{ steps.droplet.outputs.DROPLET_IP }}:/tmp/hornet-src.tar.gz"
+
+      - name: Setup and test
+        run: |
+          bash bin/ci/droplet.sh run \
+            "${{ steps.droplet.outputs.DROPLET_IP }}" \
+            ~/.ssh/ci_key \
+            "${{ matrix.setup_script }}"
+
+      - name: Cleanup
+        if: always()
+        env:
+          DO_API_TOKEN: ${{ secrets.DO_API_TOKEN }}
+        run: |
+          bash bin/ci/droplet.sh destroy \
+            "${{ steps.droplet.outputs.DROPLET_ID }}" \
+            "${{ steps.droplet.outputs.SSH_KEY_ID }}"
diff --git a/.pi/todos/20e26efc.md b/.pi/todos/20e26efc.md
new file mode 100644
index 0000000..189db36
--- /dev/null
+++ b/.pi/todos/20e26efc.md
@@ -0,0 +1,38 @@
+{
+  "id": "20e26efc",
+  "title": "CI job: run setup + tests on fresh Ubuntu droplet per PR",
+  "tags": [
+    "infra",
+    "ci",
+    "ubuntu"
+  ],
+  "status": "done",
+  "created_at": "2026-02-17T02:30:52.375Z"
+}
+
+## Result
+Implemented and verified end-to-end. Workflow will activate once PR merges to main (GH Actions limitation: new workflow files in PRs don't trigger until they exist on the base branch).
+
+### What was built
+- **`bin/ci/droplet.sh`** — reusable DO droplet lifecycle: `create`, `destroy`, `wait-ssh`, `run`
+- **`bin/ci/setup-ubuntu.sh`** — Ubuntu-specific: prereqs, setup.sh, test suite
+- **`.github/workflows/integration.yml`** — matrix-based workflow (Ubuntu now, extensible)
+
+### Design
+- **Ephemeral everything**: fresh droplet + SSH key generated per run, destroyed on cleanup
+- **Single secret**: `DO_API_TOKEN` (set in GitHub repo)
+- **Matrix**: `include` array with `distro`, `image`, `setup_script` — add Arch/other by adding entries
+- **Concurrency group**: one run at a time per PR
+- **Always cleanup**: `if: always()` destroys droplet + SSH key even on failure
+
+### Local test results (3 full cycles)
+- Create droplet: ~15s
+- SSH ready: ~10s
+- Prereqs + setup + deploy: ~90s
+- Tests (5 suites): ~10s
+- Destroy: instant
+- **Total: ~2 minutes per run**
+- All 5 test suites pass on fresh Ubuntu 24.04
+
+### PR
+https://github.com/modem-dev/hornet/pull/10
diff --git a/.pi/todos/cb931656.md b/.pi/todos/cb931656.md
new file mode 100644
index 0000000..368293f
--- /dev/null
+++ b/.pi/todos/cb931656.md
@@ -0,0 +1,32 @@
+{
+  "id": "cb931656",
+  "title": "Verify hornet setup on Ubuntu droplet (manual)",
+  "tags": [
+    "infra",
+    "ubuntu",
+    "ci"
+  ],
+  "status": "done",
+  "created_at": "2026-02-17T02:30:39.055Z"
+}
+
+## Result
+Verified on DigitalOcean Ubuntu 24.04 droplet (4GB RAM, 2 vCPU).
+
+### Bugs found and fixed
+1. **`setup.sh` — shared repo permissions**: ran `git config` as `hornet_agent` on admin's repo → agent can't access admin home. Fix: run as `$ADMIN_USER` instead.
+2. **`setup.sh` — harden-permissions path**: called source copy (`$REPO_DIR/bin/harden-permissions.sh`) which agent can't access. Fix: use deployed copy (`$HORNET_HOME/runtime/bin/`).
+3. **`setup.sh` — CWD inheritance**: `sudo -u hornet_agent` inherits root's CWD, causing `find`/`git` failures. Fix: `cd /tmp` at top of script.
+4. **`harden-permissions.sh` — sessions dir**: `find` on non-existent sessions dir fails under `set -e`. Fix: wrap in `if [ -d ... ]` guard.
+5. **`hornet-safe-bash` — `grep -P`**: Perl regex not reliably available on Ubuntu. Fix: all patterns converted to `grep -E`.
+
+### Verification results
+- ✅ `setup.sh` completes cleanly (user, Node, pi, firewall, hidepid, deploy, harden)
+- ✅ All 5 test suites pass (tool-guard, bridge security, extension scanner, safe-bash, log redaction)
+- ✅ Varlock validates env schema
+- ✅ `start.sh` boots pi agent (fails at API auth with dummy keys — expected)
+- ✅ Firewall active with all rules
+- ✅ Process isolation working
+
+### PR
+https://github.com/modem-dev/hornet/pull/10
diff --git a/AGENTS.md b/AGENTS.md
index 37be779..6d3a06b 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -14,6 +14,9 @@ bin/                        security & operations scripts
   harden-permissions.sh     filesystem hardening (runs on boot)
   scan-extensions.mjs       extension static analysis
   redact-logs.sh            secret scrubber for session logs
+  ci/                       CI integration scripts
+    droplet.sh              ephemeral DigitalOcean droplet lifecycle (create/destroy/ssh)
+    setup-ubuntu.sh         Ubuntu droplet: prereqs + setup + tests
 hooks/
   pre-commit                blocks agent from modifying security files in git
 pi/
@@ -110,6 +113,7 @@ Add new test files to `bin/test.sh` — don't scatter test invocations across CI
 - Skills are deployed from `pi/skills/` → agent's `~/.pi/agent/skills/`.
 - Agent commits operational learnings to its own skills dir (not back to source).
 - **When changing behavior, update all docs.** Check and update: `README.md`, `CONFIGURATION.md`, skill files (`pi/skills/*/SKILL.md`), and `AGENTS.md`. Inline code examples in docs must match the actual implementation.
+- **No distro-specific commands.** Scripts must work on both Arch and Ubuntu (and any standard Linux). Use `grep -E` (not `grep -P`), POSIX-compatible tools, and avoid package manager calls (`pacman`, `apt`, etc.). If a package is needed, document it as a prerequisite rather than auto-installing it.
 
 ## Security Notes
 
diff --git a/bin/ci/droplet.sh b/bin/ci/droplet.sh
new file mode 100755
index 0000000..0b0305d
--- /dev/null
+++ b/bin/ci/droplet.sh
@@ -0,0 +1,175 @@
+#!/bin/bash
+# Manage ephemeral DigitalOcean droplets for CI.
+#
+# Usage:
+#   bin/ci/droplet.sh create <name> <image> <ssh_pub_key_file>
+#   bin/ci/droplet.sh destroy <droplet_id> [ssh_key_id]
+#   bin/ci/droplet.sh wait-ssh <ip> <ssh_private_key_file>
+#   bin/ci/droplet.sh run <ip> <ssh_private_key_file> <script>
+#
+# Requires: DO_API_TOKEN env var
+#
+# create:    Registers SSH key with DO, creates droplet, polls until active.
+#            Outputs: DROPLET_ID=xxx DROPLET_IP=xxx SSH_KEY_ID=xxx
+# destroy:   Deletes droplet and (optionally) SSH key from DO.
+# wait-ssh:  Polls until SSH is reachable (up to 120s).
+# run:       Executes a script on the droplet via SSH.
+
+set -euo pipefail
+
+DO_API="https://api.digitalocean.com/v2"
+REGION="${DO_REGION:-tor1}"
+SIZE="${DO_SIZE:-s-2vcpu-4gb}"
+
+die() { echo "❌ $1" >&2; exit 1; }
+
+require_token() {
+  if [ -z "${DO_API_TOKEN:-}" ]; then
+    die "DO_API_TOKEN not set"
+  fi
+}
+
+do_api() {
+  local method="$1" endpoint="$2"
+  shift 2
+  curl -s -X "$method" \
+    -H "Authorization: Bearer $DO_API_TOKEN" \
+    -H "Content-Type: application/json" \
+    "$DO_API/$endpoint" "$@"
+}
+
+# ── create <name> <image> <ssh_pub_key_file> ─────────────────────────────────
+cmd_create() {
+  require_token
+  local name="${1:?Usage: droplet.sh create <name> <image> <ssh_pub_key_file>}"
+  local image="${2:?}"
+  local pub_key_file="${3:?}"
+
+  [ -f "$pub_key_file" ] || die "SSH public key not found: $pub_key_file"
+
+  local pub_key
+  pub_key=$(cat "$pub_key_file")
+
+  # Register ephemeral SSH key
+  local key_name
+  key_name="ci-${name}-$(date +%s)"
+  local key_result
+  key_result=$(do_api POST "account/keys" -d "{\"name\":\"$key_name\",\"public_key\":\"$pub_key\"}")
+
+  local ssh_key_id
+  ssh_key_id=$(echo "$key_result" | python3 -c "import json,sys; print(json.load(sys.stdin)['ssh_key']['id'])" 2>/dev/null) \
+    || die "Failed to register SSH key: $key_result"
+
+  echo "  SSH key registered: $ssh_key_id ($key_name)" >&2
+
+  # Create droplet
+  local create_result
+  create_result=$(do_api POST "droplets" -d "{
+    \"name\": \"$name\",
+    \"region\": \"$REGION\",
+    \"size\": \"$SIZE\",
+    \"image\": \"$image\",
+    \"ssh_keys\": [$ssh_key_id],
+    \"backups\": false,
+    \"monitoring\": false
+  }")
+
+  local droplet_id
+  droplet_id=$(echo "$create_result" | python3 -c "import json,sys; print(json.load(sys.stdin)['droplet']['id'])" 2>/dev/null) \
+    || die "Failed to create droplet: $create_result"
+
+  echo "  Droplet created: $droplet_id (polling for IP...)" >&2
+
+  # Poll until active with public IP
+  local ip="none"
+  for i in $(seq 1 60); do
+    local data
+    data=$(do_api GET "droplets/$droplet_id")
+    local status
+    status=$(echo "$data" | python3 -c "import json,sys; print(json.load(sys.stdin)['droplet']['status'])")
+    ip=$(echo "$data" | python3 -c "
+import json,sys
+d=json.load(sys.stdin)['droplet']
+v4=[n for n in d['networks']['v4'] if n['type']=='public']
+print(v4[0]['ip_address'] if v4 else 'none')
+" 2>/dev/null || echo "none")
+
+    if [ "$status" = "active" ] && [ "$ip" != "none" ]; then
+      echo "  Droplet active: $ip" >&2
+      break
+    fi
+    sleep 3
+  done
+
+  if [ "$ip" = "none" ]; then
+    die "Droplet $droplet_id never became active"
+  fi
+
+  # Output for GitHub Actions $GITHUB_OUTPUT or eval
+  echo "DROPLET_ID=$droplet_id"
+  echo "DROPLET_IP=$ip"
+  echo "SSH_KEY_ID=$ssh_key_id"
+}
+
+# ── destroy <droplet_id> [ssh_key_id] ────────────────────────────────────────
+cmd_destroy() {
+  require_token
+  local droplet_id="${1:-}"
+  local ssh_key_id="${2:-}"
+
+  if [ -n "$droplet_id" ]; then
+    local http_code
+    http_code=$(do_api DELETE "droplets/$droplet_id" -o /dev/null -w "%{http_code}")
+    if [ "$http_code" = "204" ]; then
+      echo "  Droplet $droplet_id destroyed" >&2
+    else
+      echo "  ⚠️  Droplet destroy returned $http_code (may already be gone)" >&2
+    fi
+  fi
+
+  if [ -n "$ssh_key_id" ]; then
+    local http_code
+    http_code=$(do_api DELETE "account/keys/$ssh_key_id" -o /dev/null -w "%{http_code}")
+    if [ "$http_code" = "204" ]; then
+      echo "  SSH key $ssh_key_id deleted" >&2
+    else
+      echo "  ⚠️  SSH key delete returned $http_code (may already be gone)" >&2
+    fi
+  fi
+}
+
+# ── wait-ssh <ip> <ssh_private_key_file> ──────────────────────────────────────
+cmd_wait_ssh() {
+  local ip="${1:?Usage: droplet.sh wait-ssh <ip> <ssh_private_key_file>}"
+  local key_file="${2:?}"
+
+  echo "  Waiting for SSH on $ip..." >&2
+  for i in $(seq 1 40); do
+    if ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3 -o BatchMode=yes \
+         -i "$key_file" "root@$ip" true 2>/dev/null; then
+      echo "  SSH ready ($((i * 3))s)" >&2
+      return 0
+    fi
+    sleep 3
+  done
+  die "SSH not reachable on $ip after 120s"
+}
+
+# ── run <ip> <ssh_private_key_file> <script> ──────────────────────────────────
+cmd_run() {
+  local ip="${1:?Usage: droplet.sh run <ip> <ssh_private_key_file> <script>}"
+  local key_file="${2:?}"
+  local script="${3:?}"
+
+  ssh -o StrictHostKeyChecking=no -o BatchMode=yes \
+    -i "$key_file" "root@$ip" bash -s < "$script"
+}
+
+# ── Dispatch ──────────────────────────────────────────────────────────────────
+case "${1:-}" in
+  create)    shift; cmd_create "$@" ;;
+  destroy)   shift; cmd_destroy "$@" ;;
+  wait-ssh)  shift; cmd_wait_ssh "$@" ;;
+  run)       shift; cmd_run "$@" ;;
+  *)         die "Usage: droplet.sh {create|destroy|wait-ssh|run} ..." ;;
+esac
diff --git a/bin/ci/setup-ubuntu.sh b/bin/ci/setup-ubuntu.sh
new file mode 100755
index 0000000..a02f44c
--- /dev/null
+++ b/bin/ci/setup-ubuntu.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+# CI setup script for Ubuntu droplets.
+# Runs as root on a fresh droplet. Installs prereqs, uploads source,
+# runs setup.sh, and executes the test suite.
+#
+# Expects: /tmp/hornet-src.tar.gz already uploaded via scp.
+
+set -euo pipefail
+
+echo "=== [Ubuntu] Waiting for unattended-upgrades ==="
+# Fresh DO droplets run unattended-upgrades on first boot which holds apt locks.
+# Wait for all apt/dpkg processes to finish (up to 120s).
+for _ in $(seq 1 60); do
+  if ! pgrep -x 'apt|apt-get|dpkg|unattended-upgrade' >/dev/null 2>&1; then
+    break
+  fi
+  sleep 2
+done
+
+echo "=== [Ubuntu] Installing prerequisites ==="
+apt-get update -qq
+apt-get install -y -qq git curl tmux iptables docker.io 2>&1 | tail -3
+
+echo "=== Preparing source ==="
+useradd -m -s /bin/bash hornet_admin
+mkdir -p /home/hornet_admin/hornet
+cd /home/hornet_admin/hornet
+tar xzf /tmp/hornet-src.tar.gz
+chown -R hornet_admin:hornet_admin /home/hornet_admin/
+sudo -u hornet_admin bash -c 'cd ~/hornet && git init -q && git config user.email "ci@test" && git config user.name "CI" && git add -A && git commit -q -m "init"'
+
+echo "=== Running setup.sh ==="
+cd /
+bash /home/hornet_admin/hornet/setup.sh hornet_admin
+
+echo "=== Installing test dependencies ==="
+export PATH="/home/hornet_agent/opt/node-v22.14.0-linux-x64/bin:$PATH"
+cd /home/hornet_admin/hornet
+npm install --ignore-scripts 2>&1 | tail -1
+cd slack-bridge && npm install 2>&1 | tail -1
+cd ..
+
+echo "=== Running tests ==="
+bash bin/test.sh
+
+echo ""
+echo "✅ All checks passed on Ubuntu"
diff --git a/bin/harden-permissions.sh b/bin/harden-permissions.sh
index 26ddf4c..6a492db 100755
--- a/bin/harden-permissions.sh
+++ b/bin/harden-permissions.sh
@@ -51,9 +51,11 @@ if [ -d "$HOME/.pi/agent/sessions" ]; then
 fi
 
 # Session logs (full conversation history)
-find "$HOME/.pi/agent/sessions" -name '*.jsonl' -not -perm 600 -exec chmod 600 {} + 2>/dev/null && \
-  count=$(find "$HOME/.pi/agent/sessions" -name '*.jsonl' 2>/dev/null | wc -l) && \
+if [ -d "$HOME/.pi/agent/sessions" ]; then
+  find "$HOME/.pi/agent/sessions" -name '*.jsonl' -not -perm 600 -exec chmod 600 {} + 2>/dev/null || true
+  count=$(find "$HOME/.pi/agent/sessions" -name '*.jsonl' 2>/dev/null | wc -l)
   [ "$count" -gt 0 ] && echo "  ✓ $count session log(s) → 600"
+fi
 
 # Pi settings
 fix_file "$HOME/.pi/agent/settings.json" "600"
diff --git a/bin/hornet-safe-bash b/bin/hornet-safe-bash
index 5ede7f6..e255e1a 100755
--- a/bin/hornet-safe-bash
+++ b/bin/hornet-safe-bash
@@ -5,6 +5,9 @@
 #
 # This is defense-in-depth — the agent's instructions also prohibit these,
 # but a successful injection might override soft instructions.
+#
+# NOTE: Avoid grep -P (Perl regex) — not available on all distros.
+# Use grep -E (extended regex) or awk instead.
 
 # Patterns that should NEVER be executed by the agent
 COMMAND="$*"
@@ -16,64 +19,67 @@ block() {
 }
 
 # Fork bomb
-if echo "$COMMAND" | grep -qP ':\(\)\s*\{.*\|.*&.*\}'; then
+if echo "$COMMAND" | grep -qE ':\(\)[[:space:]]*\{.*\|.*&.*\}'; then
   block "fork bomb"
 fi
 
 # rm -rf / or rm -rf /* (root filesystem deletion)
-if echo "$COMMAND" | grep -qP 'rm\s+(-[a-zA-Z]*f[a-zA-Z]*\s+)?(-[a-zA-Z]*r[a-zA-Z]*\s+)?(\/\s*$|\/\*|\/\s+)'; then
+if echo "$COMMAND" | grep -qE 'rm[[:space:]]+(-[a-zA-Z]*f[a-zA-Z]*[[:space:]]+)?(-[a-zA-Z]*r[a-zA-Z]*[[:space:]]+)?(/[[:space:]]*$|/\*|/[[:space:]]+)'; then
   block "recursive delete of root filesystem"
 fi
-if echo "$COMMAND" | grep -qP 'rm\s+(-[a-zA-Z]*r[a-zA-Z]*\s+)?(-[a-zA-Z]*f[a-zA-Z]*\s+)?(\/\s*$|\/\*|\/\s+)'; then
+if echo "$COMMAND" | grep -qE 'rm[[:space:]]+(-[a-zA-Z]*r[a-zA-Z]*[[:space:]]+)?(-[a-zA-Z]*f[a-zA-Z]*[[:space:]]+)?(/[[:space:]]*$|/\*|/[[:space:]]+)'; then
   block "recursive delete of root filesystem"
 fi
 
 # dd writing to block devices
-if echo "$COMMAND" | grep -qP 'dd\s+.*of=/dev/(sd|vd|nvme|xvd)'; then
+if echo "$COMMAND" | grep -qE 'dd[[:space:]]+.*of=/dev/(sd|vd|nvme|xvd)'; then
   block "dd write to block device"
 fi
 
 # mkfs on block devices
-if echo "$COMMAND" | grep -qP 'mkfs\b.*\/dev\/'; then
+if echo "$COMMAND" | grep -qE 'mkfs[^a-zA-Z].*/dev/'; then
   block "mkfs on block device"
 fi
 
 # chmod 777 on sensitive paths
-if echo "$COMMAND" | grep -qP 'chmod\s+(-[a-zA-Z]*\s+)?777\s+(\/|\/etc|\/home|\/root|\/var)'; then
+if echo "$COMMAND" | grep -qE 'chmod[[:space:]]+(-[a-zA-Z]*[[:space:]]+)?777[[:space:]]+(/|/etc|/home|/root|/var)'; then
   block "chmod 777 on sensitive path"
 fi
 
 # Curl/wget piped to shell
-if echo "$COMMAND" | grep -qP '(curl|wget)\s+.*\|\s*(ba)?sh'; then
+if echo "$COMMAND" | grep -qE '(curl|wget)[[:space:]]+.*\|[[:space:]]*(ba)?sh'; then
   block "piping download to shell"
 fi
 
 # Reverse shell patterns
-if echo "$COMMAND" | grep -qP 'bash\s+-i\s+>(&|\|)\s*/dev/tcp/'; then
+if echo "$COMMAND" | grep -qE 'bash[[:space:]]+-i[[:space:]]+>[&|][[:space:]]*/dev/tcp/'; then
   block "reverse shell (bash /dev/tcp)"
 fi
-if echo "$COMMAND" | grep -qP 'nc\s+(-[a-zA-Z]*\s+)*[0-9]+.*-e\s*(\/bin\/)?(ba)?sh'; then
+if echo "$COMMAND" | grep -qE 'nc[[:space:]]+(-[a-zA-Z]*[[:space:]]+)*[0-9]+.*-e[[:space:]]*(\/bin\/)?(ba)?sh'; then
   block "reverse shell (netcat)"
 fi
-if echo "$COMMAND" | grep -qP 'python[23]?\s+-c.*socket.*connect.*subprocess'; then
+if echo "$COMMAND" | grep -qE 'python[23]?[[:space:]]+-c.*socket.*connect.*subprocess'; then
   block "reverse shell (python)"
 fi
 
 # crontab modification (persistence)
-if echo "$COMMAND" | grep -qP '(crontab\s+-[erl]|echo.*>\s*/etc/cron)'; then
+if echo "$COMMAND" | grep -qE '(crontab[[:space:]]+-[erl]|echo.*>[[:space:]]*/etc/cron)'; then
   block "crontab modification"
 fi
 
 # Modifying /etc/passwd or /etc/shadow
-if echo "$COMMAND" | grep -qP '>\s*/etc/(passwd|shadow|sudoers)'; then
+if echo "$COMMAND" | grep -qE '>[[:space:]]*/etc/(passwd|shadow|sudoers)'; then
   block "write to system auth files"
 fi
 
 # SSH key injection to other users
-if echo "$COMMAND" | grep -qP '>\s*/home/(?!hornet_agent).*/\.ssh/authorized_keys'; then
-  block "SSH key injection to another user"
+# Can't use negative lookahead without grep -P, so match broadly then exclude our user
+if echo "$COMMAND" | grep -qE '>[[:space:]]*/home/.*/.ssh/authorized_keys'; then
+  if ! echo "$COMMAND" | grep -qE '>[[:space:]]*/home/hornet_agent/.ssh/authorized_keys'; then
+    block "SSH key injection to another user"
+  fi
 fi
-if echo "$COMMAND" | grep -qP '>\s*/root/\.ssh/authorized_keys'; then
+if echo "$COMMAND" | grep -qE '>[[:space:]]*/root/.ssh/authorized_keys'; then
   block "SSH key injection to root"
 fi
 
diff --git a/bin/redact-logs.test.sh b/bin/redact-logs.test.sh
index 96b029c..92e4fd2 100755
--- a/bin/redact-logs.test.sh
+++ b/bin/redact-logs.test.sh
@@ -25,7 +25,8 @@ check() {
   local expected_pattern="$3"
   local not_expected="${4:-}"
 
-  local logfile="$SESSION_DIR/test-$(date +%s%N).jsonl"
+  local logfile
+  logfile="$SESSION_DIR/test-$(date +%s%N).jsonl"
   echo "$input" > "$logfile"
 
   HOME="$TMPDIR" bash "$SCRIPT" >/dev/null 2>&1
@@ -65,7 +66,8 @@ check_unchanged() {
   local desc="$1"
   local input="$2"
 
-  local logfile="$SESSION_DIR/test-unchanged-$(date +%s%N).jsonl"
+  local logfile
+  logfile="$SESSION_DIR/test-unchanged-$(date +%s%N).jsonl"
   echo "$input" > "$logfile"
 
   HOME="$TMPDIR" bash "$SCRIPT" >/dev/null 2>&1
diff --git a/bin/security-audit.sh b/bin/security-audit.sh
index 3c26c80..702e451 100755
--- a/bin/security-audit.sh
+++ b/bin/security-audit.sh
@@ -194,6 +194,7 @@ if [ -r "$HORNET_SRC/setup.sh" ] 2>/dev/null; then
 fi
 
 # Check extensions/skills are real dirs, not symlinks into source
+# shellcheck disable=SC2088  # tildes in log messages are intentional
 if [ -L "$HORNET_HOME/.pi/agent/extensions" ]; then
   finding "CRITICAL" "~/.pi/agent/extensions is a symlink (should be a real dir)" \
     "Run: rm ~/.pi/agent/extensions && mkdir ~/.pi/agent/extensions && deploy.sh"
@@ -201,6 +202,7 @@ else
   ok "~/.pi/agent/extensions/ is a real directory"
 fi
 
+# shellcheck disable=SC2088
 if [ -L "$HORNET_HOME/.pi/agent/skills" ]; then
   finding "CRITICAL" "~/.pi/agent/skills is a symlink (should be a real dir)" \
     "Run: rm ~/.pi/agent/skills && mkdir ~/.pi/agent/skills && deploy.sh"
@@ -209,6 +211,7 @@ else
 fi
 
 # Check runtime bridge exists
+# shellcheck disable=SC2088
 if [ -d "$HORNET_HOME/runtime/slack-bridge" ]; then
   ok "Runtime bridge directory exists"
 else
diff --git a/bin/test.sh b/bin/test.sh
index 181604a..0896668 100755
--- a/bin/test.sh
+++ b/bin/test.sh
@@ -9,7 +9,7 @@
 # Add new test files here — don't scatter test invocations across CI/docs.
 
 set -uo pipefail
-cd "$(dirname "$0")/.."
+cd "$(dirname "$0")/.." || exit 1
 
 FILTER="${1:-all}"
 FAILED=0
diff --git a/setup.sh b/setup.sh
index 6e0dd51..f9396f5 100755
--- a/setup.sh
+++ b/setup.sh
@@ -3,7 +3,7 @@
 # Run as root or with sudo from the admin user account
 #
 # Prerequisites:
-#   - Arch Linux (or similar)
+#   - Linux (tested on Arch and Ubuntu)
 #   - Docker installed
 #
 # This script:
@@ -35,6 +35,10 @@ HORNET_HOME="/home/hornet_agent"
 REPO_DIR="$(cd "$(dirname "$0")" && pwd)"
 NODE_VERSION="22.14.0"
 
+# Work from a neutral directory — sudo -u hornet_agent inherits CWD, and
+# git/find fail if CWD is a directory the agent can't access (e.g. /root).
+cd /tmp
+
 echo "=== Creating hornet_agent user ==="
 if id hornet_agent &>/dev/null; then
   echo "User already exists, skipping"
@@ -103,7 +107,16 @@ echo "=== Configuring shared repo permissions ==="
 # Set core.sharedRepository=group on all repos so git creates objects
 # with group-write perms. Without this, umask 077 in start.sh causes
 # new .git/objects to be owner-only, breaking group access (admin user).
-for repo in "$REPO_DIR" "$HORNET_HOME/workspace/modem" "$HORNET_HOME/workspace/website"; do
+
+# Source repo — set as admin user (agent can't access admin home, and root
+# needs safe.directory due to different ownership)
+if [ -d "$REPO_DIR/.git" ]; then
+  sudo -u "$ADMIN_USER" git -C "$REPO_DIR" config core.sharedRepository group
+  echo "  ✓ $REPO_DIR"
+fi
+
+# Agent workspace repos — set as agent
+for repo in "$HORNET_HOME/workspace/modem" "$HORNET_HOME/workspace/website"; do
   if [ -d "$repo/.git" ]; then
     sudo -u hornet_agent git -C "$repo" config core.sharedRepository group
     echo "  ✓ $repo"
@@ -168,10 +181,10 @@ echo "=== Installing extension dependencies ==="
 # npm install runs in source (admin-owned) then deploy copies to runtime
 NODE_BIN="$HORNET_HOME/opt/node-v$NODE_VERSION-linux-x64/bin"
 export PATH="$NODE_BIN:$PATH"
-for dir in $(find "$REPO_DIR/pi/extensions" -name package.json -not -path '*/node_modules/*' -exec dirname {} \;); do
+while IFS= read -r dir; do
   echo "  Installing deps in $dir"
   (cd "$dir" && npm install)
-done
+done < <(find "$REPO_DIR/pi/extensions" -name package.json -not -path '*/node_modules/*' -exec dirname {} \;)
 
 echo "=== Installing Slack bridge dependencies ==="
 (cd "$REPO_DIR/slack-bridge" && npm install)
@@ -232,7 +245,7 @@ fi
 echo "Process isolation: hornet_agent can only see its own processes"
 
 echo "=== Hardening permissions ==="
-sudo -u hornet_agent bash -c "'$REPO_DIR/bin/harden-permissions.sh'"
+sudo -u hornet_agent bash -c "cd ~ && '$HORNET_HOME/runtime/bin/harden-permissions.sh'"
 
 echo ""
 echo "=== Setup complete ==="
diff --git a/start.sh b/start.sh
index aad07c9..c1f8e63 100755
--- a/start.sh
+++ b/start.sh
@@ -22,6 +22,7 @@ varlock load --path ~/.config/ || {
   exit 1
 }
 set -a
+# shellcheck disable=SC1090  # path is dynamic (agent home)
 source ~/.config/.env
 set +a