bridge: migrate protected slack-bridge path to /opt release

benvinegar · benvinegar · commit a8e3ad9e7427 · 2026-02-23T23:00:27.000-05:00
diff --git a/bin/deploy.sh b/bin/deploy.sh
@@ -293,6 +293,14 @@ deploy_runtime_asset_entry() {
 
 bb_manifest_for_each RUNTIME_ASSET_MANIFEST deploy_runtime_asset_entry
 
+# Clean up legacy bridge runtime path; bridge now runs from /opt release only.
+if [ "$DRY_RUN" -eq 0 ]; then
+  as_agent bash -c "rm -rf '$BAUDBOT_HOME/runtime/slack-bridge'"
+  log "✓ removed legacy runtime/slack-bridge"
+else
+  log "would remove: runtime/slack-bridge (legacy path)"
+fi
+
 # ── Memory Seeds ─────────────────────────────────────────────────────────────
 
 MEMORY_SEED_DIR="$STAGE_DIR/skills/control-agent/memory"
diff --git a/pi/extensions/tool-guard.test.mjs b/pi/extensions/tool-guard.test.mjs
@@ -46,7 +46,7 @@ const BASH_DENY_RULES = [
   { id: "chmod-baudbot-source", pattern: new RegExp(`chmod\\b.*${escapeRegex(BAUDBOT_SOURCE_DIR)}`), label: "chmod on baudbot source repo", severity: "block" },
   { id: "chown-baudbot-source", pattern: new RegExp(`chown\\b.*${escapeRegex(BAUDBOT_SOURCE_DIR)}`), label: "chown on baudbot source repo", severity: "block" },
   { id: "tee-baudbot-source", pattern: new RegExp(`tee\\s+.*${escapeRegex(BAUDBOT_SOURCE_DIR)}/`), label: "tee write to baudbot source repo", severity: "block" },
-  { id: "chmod-runtime-security", pattern: /chmod\b.*\/(\.pi\/agent\/extensions\/tool-guard|runtime\/slack-bridge\/security)\./, label: "chmod on protected runtime security file", severity: "block" },
+  { id: "chmod-runtime-security", pattern: /chmod\b.*\/(\.pi\/agent\/extensions\/tool-guard|runtime\/slack-bridge\/security|opt\/baudbot\/current\/slack-bridge\/security)\./, label: "chmod on protected runtime security file", severity: "block" },
   // Credential exfiltration
   { id: "env-exfil-curl", pattern: /\benv\b.*\|\s*(curl|wget|nc)\b/, label: "Piping environment to network tool", severity: "block" },
   { id: "cat-env-curl", pattern: /cat\s+.*\.env.*\|\s*(curl|wget|nc)\b/, label: "Exfiltrating .env via network", severity: "block" },
@@ -77,8 +77,8 @@ function isAllowedWritePath(filePath) {
 const PROTECTED_RUNTIME_FILES = [
   `${AGENT_HOME}/.pi/agent/extensions/tool-guard.ts`,
   `${AGENT_HOME}/.pi/agent/extensions/tool-guard.test.mjs`,
-  `${AGENT_HOME}/runtime/slack-bridge/security.mjs`,
-  `${AGENT_HOME}/runtime/slack-bridge/security.test.mjs`,
+  `/opt/baudbot/current/slack-bridge/security.mjs`,
+  `/opt/baudbot/current/slack-bridge/security.test.mjs`,
 ];
 
 function isProtectedPath(filePath) {
@@ -307,7 +307,7 @@ describe("tool-guard: source repo protection (bash)", () => {
     assert.equal(checkBashCommand(`chmod a+w ${AGENT_HOME}/.pi/agent/extensions/tool-guard.ts`).blocked, true);
   });
   it("blocks chmod on runtime security.mjs", () => {
-    assert.equal(checkBashCommand(`chmod 777 ${AGENT_HOME}/runtime/slack-bridge/security.mjs`).blocked, true);
+    assert.equal(checkBashCommand("chmod 777 /opt/baudbot/current/slack-bridge/security.mjs").blocked, true);
   });
 });
 
@@ -358,8 +358,8 @@ describe("tool-guard: workspace confinement (allow-list)", () => {
   it(`allows write to ${AGENT_HOME}/.pi/agent/skills/new-skill/SKILL.md`, () => {
     assert.equal(checkWritePath(`${AGENT_HOME}/.pi/agent/skills/new-skill/SKILL.md`), false);
   });
-  it(`allows write to ${AGENT_HOME}/runtime/slack-bridge/bridge.mjs`, () => {
-    assert.equal(checkWritePath(`${AGENT_HOME}/runtime/slack-bridge/bridge.mjs`), false);
+  it("blocks write to /opt/baudbot/current/slack-bridge/bridge.mjs", () => {
+    assert.equal(checkWritePath("/opt/baudbot/current/slack-bridge/bridge.mjs"), true);
   });
 
   // BLOCKED: outside agent home
@@ -430,13 +430,13 @@ describe("tool-guard: protected runtime security files", () => {
     assert.equal(checkWritePath(`${AGENT_HOME}/.pi/agent/extensions/tool-guard.test.mjs`), true);
   });
   it("blocks write to runtime security.mjs", () => {
-    assert.equal(checkWritePath(`${AGENT_HOME}/runtime/slack-bridge/security.mjs`), true);
+    assert.equal(checkWritePath("/opt/baudbot/current/slack-bridge/security.mjs"), true);
   });
   it("blocks write to runtime security.test.mjs", () => {
-    assert.equal(checkWritePath(`${AGENT_HOME}/runtime/slack-bridge/security.test.mjs`), true);
+    assert.equal(checkWritePath("/opt/baudbot/current/slack-bridge/security.test.mjs"), true);
   });
-  it("allows write to runtime bridge.mjs (agent-modifiable)", () => {
-    assert.equal(checkWritePath(`${AGENT_HOME}/runtime/slack-bridge/bridge.mjs`), false);
+  it("blocks write to runtime bridge.mjs (immutable release path)", () => {
+    assert.equal(checkWritePath("/opt/baudbot/current/slack-bridge/bridge.mjs"), true);
   });
   it("allows write to runtime non-security extensions", () => {
     assert.equal(checkWritePath(`${AGENT_HOME}/.pi/agent/extensions/auto-name.ts`), false);
diff --git a/pi/extensions/tool-guard.ts b/pi/extensions/tool-guard.ts
@@ -253,7 +253,7 @@ const BASH_DENY_RULES: DenyRule[] = [
   ] : []),
   {
     id: "chmod-runtime-security",
-    pattern: /chmod\b.*\/(\.pi\/agent\/extensions\/tool-guard|runtime\/slack-bridge\/security)\./,
+    pattern: /chmod\b.*\/(\.pi\/agent\/extensions\/tool-guard|runtime\/slack-bridge\/security|opt\/baudbot\/current\/slack-bridge\/security)\./,
     label: "chmod on protected runtime security file",
     severity: "block" as const,
     tier: "high" as const,
@@ -311,8 +311,8 @@ function isAllowedWritePath(filePath: string): boolean {
 const PROTECTED_RUNTIME_FILES = [
   `${AGENT_HOME}/.pi/agent/extensions/tool-guard.ts`,
   `${AGENT_HOME}/.pi/agent/extensions/tool-guard.test.mjs`,
-  `${AGENT_HOME}/runtime/slack-bridge/security.mjs`,
-  `${AGENT_HOME}/runtime/slack-bridge/security.test.mjs`,
+  `/opt/baudbot/current/slack-bridge/security.mjs`,
+  `/opt/baudbot/current/slack-bridge/security.test.mjs`,
 ];
 
 function isProtectedPath(filePath: string): boolean {
diff --git a/pi/skills/control-agent/startup-cleanup.sh b/pi/skills/control-agent/startup-cleanup.sh
@@ -16,12 +16,23 @@ set -euo pipefail
 # processes and causes `varlock run` to treat subcommands as Node module paths).
 unset PKG_EXECPATH 2>/dev/null || true
 
+RUNTIME_NODE_HELPER="$HOME/runtime/bin/lib/runtime-node.sh"
+if [ -r "$RUNTIME_NODE_HELPER" ]; then
+  # shellcheck source=bin/lib/runtime-node.sh
+  source "$RUNTIME_NODE_HELPER"
+fi
+
 BRIDGE_POLICY_HELPER="$HOME/runtime/bin/lib/bridge-restart-policy.sh"
 if [ -r "$BRIDGE_POLICY_HELPER" ]; then
   # shellcheck source=bin/lib/bridge-restart-policy.sh
   source "$BRIDGE_POLICY_HELPER"
 fi
 
+NODE_BIN_DIR="${NODE_BIN_DIR:-$HOME/opt/node/bin}"
+if command -v bb_resolve_runtime_node_bin_dir >/dev/null 2>&1; then
+  NODE_BIN_DIR="$(bb_resolve_runtime_node_bin_dir "$HOME")"
+fi
+
 SOCKET_DIR="$HOME/.pi/session-control"
 
 if [ $# -eq 0 ]; then
@@ -145,26 +156,21 @@ echo "Starting slack-bridge ($BRIDGE_SCRIPT) with PI_SESSION_ID=$MY_UUID..."
 mkdir -p "$BRIDGE_LOG_DIR"
 (
   unset PKG_EXECPATH
-  # Clear ALL varlock-managed env vars inherited from the parent session.
-  # varlock run does not override vars already set in the environment, so
-  # stale values (e.g. expired broker tokens) would leak through. By unsetting
-  # every key varlock manages, we guarantee varlock run injects fresh values
-  # from ~/.config/.env on every bridge restart.
-  if command -v varlock >/dev/null 2>&1; then
-    while IFS='=' read -r key _; do
-      [ -n "$key" ] && unset "$key"
-    done < <(varlock load --path "$HOME/.config/" --format env --compact 2>/dev/null)
-  fi
-  export PATH="$HOME/.varlock/bin:$HOME/opt/node/bin:$PATH"
+  export PATH="$NODE_BIN_DIR:$PATH"
   export PI_SESSION_ID="$MY_UUID"
   cd /opt/baudbot/current/slack-bridge
 
   if command -v bb_bridge_supervise >/dev/null 2>&1; then
     bb_bridge_supervise "$BRIDGE_LOG_FILE" "$BRIDGE_STATUS_FILE" "$BRIDGE_SCRIPT" \
-      varlock run --path ~/.config/ -- node "$BRIDGE_SCRIPT"
+      bash -lc 'for v in $(env | grep ^SLACK_BROKER_ | cut -d= -f1 || true); do unset "$v"; done; set -a; source "$HOME/.config/.env"; set +a; node "$1"' -- "$BRIDGE_SCRIPT"
   else
     while true; do
-      if varlock run --path ~/.config/ -- node "$BRIDGE_SCRIPT" >>"$BRIDGE_LOG_FILE" 2>&1; then
+      for v in $(env | grep ^SLACK_BROKER_ | cut -d= -f1 || true); do unset "$v"; done
+      set -a
+      # shellcheck disable=SC1090  # path is dynamic (agent home)
+      source "$HOME/.config/.env"
+      set +a
+      if node "$BRIDGE_SCRIPT" >>"$BRIDGE_LOG_FILE" 2>&1; then
         exit_code=0
       else
         exit_code=$?
