Baudbot is designed to run as Linux-native infrastructure, not a browser-only assistant, so it can execute against your real stack instead of a simulated environment.
- runs as unprivileged
baudbot_agentuser - operates in real filesystem workspaces and git worktrees
- executes shell commands, test suites, and build pipelines directly
- supports container workflows via guarded Docker wrapper
- run actual project commands (lint/test/build/migrate)
- validate fixes against real local/runtime dependencies
- automate browser tasks through cloud browser tooling
- handle long-running operational loops in tmux/systemd
Agents must use:
sudo /usr/local/bin/baudbot-dockerThis wrapper blocks common privilege-escalation patterns (for example, privileged mode and unsafe host mounts).
/home/baudbot_agent/
├── runtime/ # deployed runtime files
├── .pi/agent/ # extensions, skills, memory, manifests
└── workspace/ # repos + git worktrees used by dev agents
Dev agents work inside ~/workspace/worktrees/<branch> and should not commit directly from base repo checkouts.
Validated in CI against:
- Ubuntu 24.04
- Arch Linux
Baudbot scripts aim to remain distro-agnostic across standard Linux environments.
Linux-native does not mean unrestricted root access:
- no general sudo for agents
- security-critical files are read-only at runtime
- tool/shell guards add policy + guidance (not a standalone sandbox)
- network controls can restrict outbound traffic
- source/runtime separation limits self-tampering blast radius
See SECURITY.md for threat model details.