deploy: run Slack bridge directly from release

[benvinegar]

Summary

• make release snapshots self-contained by installing production Slack bridge dependencies during publish_release() in bin/update-release.sh
• run the bridge from /opt/baudbot/current/slack-bridge in start.sh
• stop deploying a runtime bridge copy in bin/deploy.sh
• stop creating ~/runtime/slack-bridge in setup.sh (runtime dir still created)
• update control-agent startup cleanup bridge restart path to /opt/baudbot/current/slack-bridge

Validation

• bin/test.sh
• fresh release dependency check:
  • ran bin/update-release.sh against a temp release root
  • verified slack-bridge/node_modules/@slack/bolt exists in the release
  • verified slack-bridge/node_modules/libsodium-wrappers-sumo exists in the release
• verified start.sh references /opt/baudbot/current/slack-bridge
• verified bin/deploy.sh no longer contains a slack-bridge deploy section

[greptile-apps]

Greptile Summary

This PR refactors the Slack bridge deployment to run directly from immutable release snapshots at /opt/baudbot/current/slack-bridge instead of copying to ~/runtime/slack-bridge. Production dependencies are now installed during release creation via install_release_bridge_dependencies() in update-release.sh.

Key changes:

• Removed slack-bridge deployment section from bin/deploy.sh (no longer copies to runtime)
• Added dependency installation in bin/update-release.sh during publish_release()
• Updated start.sh and startup-cleanup.sh to reference /opt/baudbot/current/slack-bridge
• Removed ~/runtime/slack-bridge directory creation in setup.sh
• Updated manifest generation to include release bridge files

Critical issue found:

• bin/security-audit.sh and bin/doctor.sh still reference the old ~/runtime/slack-bridge path for security checks, which will cause audit failures since the bridge no longer exists at that location

Confidence Score: 2/5

• This PR has a critical path inconsistency that will break security audits
• The refactoring is architecturally sound and well-validated, but bin/security-audit.sh and bin/doctor.sh were not updated to reflect the new bridge location at /opt/baudbot/current/slack-bridge. This will cause security checks to fail or report false warnings about missing critical security files (security.mjs, security.test.mjs)
• Pay close attention to bin/deploy.sh manifest generation and verify that bin/security-audit.sh and bin/doctor.sh are updated to reference the new bridge path

Important Files Changed

Filename	Overview
bin/deploy.sh	Removed slack-bridge deployment section and updated manifest generation to reference /opt/baudbot/current/slack-bridge, but this creates inconsistency with security-audit.sh and doctor.sh
bin/update-release.sh	Added install_release_bridge_dependencies() to install production bridge dependencies during release creation, making releases self-contained
pi/skills/control-agent/startup-cleanup.sh	Updated bridge restart logic to use /opt/baudbot/current/slack-bridge path instead of ~/runtime/slack-bridge
setup.sh	Removed ~/runtime/slack-bridge directory creation since bridge now runs from release location
start.sh	Updated slack-bridge startup to run from /opt/baudbot/current/slack-bridge with RELEASE_BRIDGE variable for clarity

_{Last reviewed commit: af60c5f}

[greptile-apps]

_{5 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

the manifest generation now includes /opt/baudbot/current/slack-bridge, but bin/security-audit.sh and bin/doctor.sh still check for files at ~/runtime/slack-bridge. this path mismatch will cause security audits to fail when looking for security.mjs and security.test.mjs

Prompt To Fix With AI

This is a comment left during a code review.
Path: bin/deploy.sh
Line: 379

Comment:
the manifest generation now includes `/opt/baudbot/current/slack-bridge`, but `bin/security-audit.sh` and `bin/doctor.sh` still check for files at `~/runtime/slack-bridge`. this path mismatch will cause security audits to fail when looking for `security.mjs` and `security.test.mjs`

How can I resolve this? If you propose a fix, please make it concise.

[benvinegar]

Addressed — thanks for the review.

Fix applied (commit e5b49e4)

• Updated bin/security-audit.sh to use the release bridge path:
  • "$BAUDBOT_CURRENT_LINK/slack-bridge"
• Updated manifest integrity checks to validate:
  • release/slack-bridge/security.mjs
  • release/slack-bridge/security.test.mjs
    (resolved via BAUDBOT_CURRENT_LINK)
• Updated bin/doctor.sh runtime check to validate:
  • "$BAUDBOT_CURRENT_LINK/slack-bridge"
• Updated test fixtures to match release-root layout and pass BAUDBOT_RELEASE_ROOT:
  • test/security-audit.test.mjs
  • bin/security-audit.test.sh

Validation

• npm run test:shell ✅
• bin/test.sh ✅