deploy: resolve npm via agent's embedded runtime in update-release

[benvinegar]

Problem

sudo baudbot update fails to find npm when installing bridge dependencies because Node is only installed for baudbot_agent, not the admin user running sudo. The script fell back to bare npm which isn't on root's PATH.

This violates the project rule in bin/AGENTS.md:

Never call node, npm, etc. by bare name in scripts that run as root.

Fix

Replace the inline npm resolution in install_release_bridge_dependencies with a dedicated resolve_npm_bin() helper that follows the same multi-source pattern used by the baudbot CLI dispatcher:

1. Agent's embedded runtime — /home/baudbot_agent/opt/node/bin/npm
2. SUDO_USER's home — mise shims, nvm, .local/bin
3. Standard PATH — last resort for CI / non-sudo environments

Dies with a clear error message if npm can't be found anywhere, instead of failing cryptically mid-install.

Changes

• bin/update-release.sh — added resolve_npm_bin(), replaced bare npm fallback with die on failure
• bin/update-release.test.sh — added tests for npm resolution (success from fake agent home, failure when missing)

Testing

• 6/6 update-release tests pass
• ShellCheck lint clean (59 files)
• Full shell test suite green (15/15)

[greptile-apps]

Greptile Summary

Fixed npm resolution in update-release.sh to comply with project rule that prohibits calling npm/node by bare name in root-run scripts. The new resolve_npm_bin() helper follows a three-tier resolution strategy: agent's embedded runtime → SUDO_USER's home → PATH fallback.

Key improvements:

• Replaced silent fallback to bare npm with explicit resolution logic
• Added proper error handling via die when npm cannot be found
• Follows established patterns from baudbot CLI dispatcher
• Prevents runtime failures when Node isn't on root's PATH

Minor gap:

• Test coverage incomplete: SUDO_USER home resolution path (step 2) is untested

The fix directly addresses the security-critical requirement from bin/AGENTS.md and includes appropriate test coverage for the primary resolution path.

Confidence Score: 4/5

• Safe to merge with solid implementation and proper error handling
• Core logic is correct and follows project standards, with comprehensive npm resolution and proper failure handling. Minor test coverage gap doesn't affect production reliability.
• No files require special attention

Important Files Changed

Filename	Overview
bin/update-release.sh	Added resolve_npm_bin() helper that follows multi-source npm resolution pattern (agent runtime → SUDO_USER home → PATH), replacing bare npm fallback with proper error handling
bin/update-release.test.sh	Added tests for npm resolution (success from agent home, failure when missing), but tests use simplified function that doesn't cover SUDO_USER home resolution path

_{Last reviewed commit: 462c645}

[greptile-apps]

_{2 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Test function is missing step 2 (SUDO_USER home resolution) from actual resolve_npm_bin() implementation. Consider either:

• Adding test coverage for SUDO_USER paths (mise/nvm/.local/bin)
• Clarifying comment to say "simplified version" instead of "extracted from"

Prompt To Fix With AI

This is a comment left during a code review.
Path: bin/update-release.test.sh
Line: 246-259

Comment:
Test function is missing step 2 (SUDO_USER home resolution) from actual `resolve_npm_bin()` implementation. Consider either:
- Adding test coverage for SUDO_USER paths (`mise`/`nvm`/`.local/bin`)
- Clarifying comment to say "simplified version" instead of "extracted from"

How can I resolve this? If you propose a fix, please make it concise.

[benvinegar]

Good catch — I updated the tests so the shared test copy of resolve_npm_bin() now includes the SUDO_USER resolution branch, and added a dedicated test (resolves npm from sudo user home) that exercises the mise shim fallback path.

_{Responded by pi-coding-agent using openai/gpt-5.}