Scope: shell CLI and operational scripts under bin/.
- CLI entrypoint (`baudbot`) and runtime helpers
- deploy/update/rollback flows
- security audit and firewall scripts
- install/uninstall operational scripts
- CI infrastructure (`bin/ci/`)
- JS tooling: `broker-register.mjs`, `scan-extensions.mjs` (and their tests)
- systemd unit files: `baudbot.service`, `baudbot-firewall.service`
- Keep CLIs thin; move reusable logic into `bin/lib/*.sh`.
- Reuse shared helpers (`shell-common.sh`, `paths-common.sh`, `release-common.sh`, etc.) instead of duplicating constants or logging/error patterns.
- Prefer portable shell patterns; distro-specific branches are acceptable when they improve reliability.
- Any security-relevant shell change must include or adjust tests.
- Never call `node`, `npm`, etc. by bare name in scripts that run as root. The embedded runtime is not on root's PATH. Use the `runtime-node.sh` helpers (`bb_resolve_runtime_node_bin`, `bb_resolve_runtime_node_bin_dir`) to resolve the full path first.
Treat as security-critical:
- `baudbot-safe-bash` — runtime command-blocking wrapper
- `harden-permissions.sh` — filesystem permission lockdown
- `setup-firewall.sh` — network egress lockdown
- `security-audit.sh` — security posture audit
- `scan-extensions.mjs` — static analysis scanner for extensions
- `redact-logs.sh` — secret redaction from session logs
- Shared helpers in `bin/lib/` have co-located test files (e.g. `deploy-common.test.sh`, `json-common.test.sh`). Update tests when changing helpers.
- For JS files in `bin/`, also run `npm run lint:js` and `npm run test:js`.
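The two shell rules above that matter most for root-run scripts, resolving the embedded Node runtime by absolute path instead of a bare `node`, and keeping a co-located test beside the helper, as one added example. This is illustration code, not baudbot's own `runtime-node.sh` or any of its test files. It assumes that `bb_resolve_runtime_node_bin` prints the absolute path of the embedded node binary; because the page does not show that helper's contract, a stand-in with the same name (and a hypothetical `BAUDBOT_RUNTIME_NODE` override used only by the self-test) is defined when the real helper has not been sourced.

```shell
#!/bin/sh
# Added example, not baudbot's own code. It shows:
#  1. resolving the embedded Node runtime by absolute path (bare `node` is
#     not on root's PATH) and refusing to execute it if the path looks
#     tamperable by an unprivileged user;
#  2. the shape of a co-located bin/lib/*.test.sh check for that helper.
# Assumption: bin/lib/runtime-node.sh provides bb_resolve_runtime_node_bin,
# printing the absolute node path. Its real contract is not shown on the
# page, so a stand-in is defined only when the real helper is not present.
set -u

if ! command -v bb_resolve_runtime_node_bin >/dev/null 2>&1; then
  # Stand-in resolver (assumption): a hypothetical override variable for
  # tests, else a conventional install location. Both names are invented.
  bb_resolve_runtime_node_bin() {
    printf '%s\n' "${BAUDBOT_RUNTIME_NODE:-/opt/baudbot/runtime/bin/node}"
  }
fi

# Reject an interpreter path unless it is absolute, a regular executable
# file, and not writable by group or others: a root-run script must never
# execute a binary that an unprivileged user could replace.
bb_validate_node_bin() {
  local bin mode perm
  bin=$1
  case $bin in
    /*) ;;
    *) echo "node path must be absolute: $bin" >&2; return 1 ;;
  esac
  if [ ! -f "$bin" ] || [ ! -x "$bin" ]; then
    echo "node binary missing or not executable: $bin" >&2
    return 1
  fi
  # Octal mode: GNU stat first, BSD/macOS stat as the fallback.
  mode=$(stat -c '%a' "$bin" 2>/dev/null || stat -f '%Lp' "$bin") || return 1
  perm=${mode#"${mode%???}"}          # last three digits: user/group/other
  case $perm in
    ?[2367]? | ??[2367])              # write bit set for group or other
      echo "refusing group/world-writable node binary: $bin (mode $mode)" >&2
      return 1 ;;
  esac
  return 0
}

# Run the embedded node with the given arguments, never via a bare `node`.
bb_run_runtime_node() {
  local bin
  bin=$(bb_resolve_runtime_node_bin) || return 1
  bb_validate_node_bin "$bin" || return 1
  "$bin" "$@"
}

# What a co-located test (e.g. runtime-node.test.sh) would assert, using a
# constructed fake node in a temp dir so it runs without the real runtime.
bb_runtime_node_selftest() {
  local tmp out rc
  tmp=$(mktemp -d) || return 1
  printf '#!/bin/sh\necho "fake-node $*"\n' > "$tmp/node"
  chmod 755 "$tmp/node"
  rc=0
  out=$(BAUDBOT_RUNTIME_NODE="$tmp/node" bb_run_runtime_node --version)
  [ "$out" = "fake-node --version" ] || rc=1
  bb_validate_node_bin node 2>/dev/null && rc=1            # relative name
  bb_validate_node_bin "$tmp/missing" 2>/dev/null && rc=1  # absent file
  chmod 777 "$tmp/node"
  bb_validate_node_bin "$tmp/node" 2>/dev/null && rc=1     # world-writable
  rm -rf "$tmp"
  return $rc
}

bb_runtime_node_selftest && echo "runtime-node checks passed"
```

The permission check is the part worth copying: a script that runs as root and resolves its interpreter from a config-driven path is only as trustworthy as the permissions on that path, so the helper fails closed before `exec` rather than trusting whatever the resolver returned.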
Run before finishing shell work:
```
npm run lint:shell
npm run test:shell
```
For security-sensitive updates, also run:
```
bin/security-audit.sh --deep
```