arch: baudbot CLI dispatcher, systemd unit, and doctor command#22

Merged: benvinegar merged 4 commits into main from benvinegar/cli-dispatcher on Feb 17, 2026

@benvinegar
Member

What

Phase 1 of the CLI restructure (TODO-41e29e4e). Adds a single baudbot entry point that routes to internal scripts. No path changes yet — everything still works the old way internally.

New files

bin/baudbot — CLI dispatcher

Bash script installed as /usr/local/bin/baudbot. Routes subcommands:

baudbot start [--direct]   Start agent (systemd or foreground)
baudbot stop               Stop agent
baudbot restart            Restart agent
baudbot status             Show status (systemd or process check)
baudbot logs               Tail logs (journalctl or tmux hint)
baudbot setup              One-time system setup
baudbot config             Interactive secrets setup (stub for now)
baudbot deploy             Deploy source to agent runtime
baudbot audit              Security posture audit
baudbot test               Run test suite
baudbot update             Pull latest + redeploy
baudbot uninstall          Remove everything
baudbot doctor             Health check
baudbot --version          Show version
baudbot --help             Show help

Resolves BAUDBOT_ROOT from script location or BAUDBOT_ROOT env var. Works whether symlinked from /usr/local/bin/ or run directly from the repo.

bin/baudbot.service — systemd unit

ExecStartPre=harden-permissions.sh
ExecStartPre=redact-logs.sh
ExecStart=start.sh
Restart=on-failure

Includes security hardening: NoNewPrivileges, ProtectSystem=strict, ProtectHome=tmpfs, PrivateTmp, ReadOnlyPaths=/opt/baudbot.

bin/doctor.sh — health check

Checks: user exists, Node/pi/varlock installed, .env perms and contents, runtime deployed, firewall active, /proc hidepid, safe-bash installed, tool-guard read-only, systemd unit status.

Modified files

  • setup.sh: installs CLI symlink and systemd unit, updated final output to show baudbot commands
  • uninstall.sh: removes CLI symlink and systemd unit (before removing user)
  • install.sh: launches via systemd when available, updated final output
  • CI scripts: verify baudbot --version and baudbot --help work after install
  • package.json: added version: "0.1.0"

- bin/baudbot: bash dispatcher routing subcommands to internal scripts
  (start, stop, restart, status, logs, setup, config, deploy, audit, test,
  update, uninstall, doctor)
- bin/baudbot.service: systemd unit with ExecStartPre hooks for
  harden-permissions and redact-logs, security hardening directives
- bin/doctor.sh: health check covering user, deps, secrets, runtime,
  security, and agent status
- setup.sh: installs CLI symlink (/usr/local/bin/baudbot) and systemd unit
- uninstall.sh: removes CLI symlink and systemd unit
- install.sh: launch via systemd when available, updated final output
  to reference baudbot commands
- CI: verify baudbot CLI installed and working
- package.json: add version field (0.1.0)
Comment thread bin/baudbot
Comment thread install.sh
Comment on lines +417 to +422
systemctl start baudbot 2>/dev/null || true
sleep 2
if systemctl is-active baudbot &>/dev/null 2>&1; then
info "Agent is running ✓"
else
warn "Agent didn't start — check: baudbot logs"
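
Review bot: On the `systemctl start baudbot 2>/dev/null || true` line, both the error text and the exit status are discarded, so when the unit fails to start the only remaining signal is the `is-active` check two seconds later, and the warning cannot say why. Suggest dropping `2>/dev/null || true`, branching on the start command's own status, and including its error output in the `warn` path. Two smaller points in the same lines: `&>/dev/null 2>&1` redirects stderr twice (`systemctl is-active --quiet baudbot` does the same job), and the fixed `sleep 2` is a guess at startup time, so a unit that is still activating, or one that exits just after the check, is misreported.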

Bug: The setup.sh script lacks set -e, so it doesn't propagate failures from deploy.sh. This causes install.sh to attempt to start a service with missing files, masking the error.
Severity: HIGH

Suggested Fix

Add set -euo pipefail to the beginning of setup.sh to ensure that any errors from scripts it calls, such as deploy.sh, are properly propagated, causing the installation process to fail immediately and clearly.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: install.sh#L417-L422

Potential issue: The `setup.sh` script, which is called by `install.sh`, does not have
`set -e` or `set -euo pipefail` enabled. Consequently, if the `deploy.sh` script fails
during its execution, the error is not propagated. `setup.sh` continues to run and exits
successfully. `install.sh` then proceeds to start the `baudbot` service, which will fail
because the necessary files, like `start.sh`, were not deployed. This service start
failure is then silently ignored by a `|| true` clause, masking the root cause of the
installation failure.
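
The failure mode this review comment describes, reproduced with constructed stand-in scripts. This is an added example, not baudbot's code: the `deploy.sh` and `setup.sh` here are generated fixtures, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: constructed fixtures, not the project's real scripts.

# Build a throwaway directory holding a deploy.sh that always fails and a
# setup.sh that calls it. $1 becomes the first line of setup.sh:
# ":" (no strict mode) or "set -euo pipefail".
make_fixture() {
  local dir
  dir=$(mktemp -d)
  printf '#!/usr/bin/env bash\necho "deploy: copy failed" >&2\nexit 1\n' \
    > "$dir/deploy.sh"
  printf '#!/usr/bin/env bash\n%s\nbash "%s/deploy.sh"\necho "setup: done"\n' \
    "$1" "$dir" > "$dir/setup.sh"
  echo "$dir"
}

# Exit status of setup.sh as the calling installer would observe it.
setup_exit_status() {
  local dir status=0
  dir=$(make_fixture "$1")
  bash "$dir/setup.sh" >/dev/null 2>&1 || status=$?
  rm -rf "$dir"
  echo "$status"
}

# Installer-side guard: start the service only if setup really succeeded.
install_step() {
  local dir
  dir=$(make_fixture "$1")
  if bash "$dir/setup.sh" >/dev/null 2>&1; then
    echo "would start service"
  else
    echo "setup failed; not starting service"
  fi
  rm -rf "$dir"
}

echo "no strict mode:    exit $(setup_exit_status ':')"
echo "set -euo pipefail: exit $(setup_exit_status 'set -euo pipefail')"
install_step ':'
install_step 'set -euo pipefail'
```

Without strict mode the failed deploy is invisible to the caller, so the guard in `install_step` only helps once `setup.sh` itself propagates the error.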

@benvinegar benvinegar merged commit 8a914c8 into main Feb 17, 2026
8 checks passed
@benvinegar benvinegar deleted the benvinegar/cli-dispatcher branch February 17, 2026 13:23