modem-dev
diff --git a/‎.c8rc.json‎
Lines changed: 1 addition & 1 deletion b/‎.c8rc.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.gitignore‎
Lines changed: 3 additions & 0 deletions b/‎.gitignore‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎AGENTS.md‎
Lines changed: 4 additions & 3 deletions b/‎AGENTS.md‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎bin/ci/setup-arch.sh‎
Lines changed: 1 addition & 1 deletion b/‎bin/ci/setup-arch.sh‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎bin/ci/setup-ubuntu.sh‎
Lines changed: 1 addition & 1 deletion b/‎bin/ci/setup-ubuntu.sh‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎bin/ci/smoke-agent-runtime.sh‎
Lines changed: 3 additions & 2 deletions b/‎bin/ci/smoke-agent-runtime.sh‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎bin/deploy.sh‎
Lines changed: 5 additions & 5 deletions b/‎bin/deploy.sh‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎bin/doctor.sh‎
Lines changed: 5 additions & 2 deletions b/‎bin/doctor.sh‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎bin/lib/baudbot-runtime.sh‎
Lines changed: 7 additions & 2 deletions b/‎bin/lib/baudbot-runtime.sh‎
Lines changed: 7 additions & 2 deletions
diff --git a/‎bin/security-audit.sh‎
Lines changed: 22 additions & 5 deletions b/‎bin/security-audit.sh‎
Lines changed: 22 additions & 5 deletions
@@ -1,7 +1,7 @@
 {
   "all": false,
   "include": [
-    "slack-bridge/security.mjs",
+    "gateway-bridge/security.mjs",
     "bin/scan-extensions.mjs"
   ],
   "exclude": [
 
@@ -3,6 +3,9 @@
 *.pem
 node_modules/
 # Gateway bridge
+gateway-bridge/node_modules/
+gateway-bridge/.env
+# Legacy compat path (symlink)
 slack-bridge/node_modules/
 slack-bridge/.env
 .pi/
 
@@ -5,7 +5,7 @@ Baudbot is hardened infrastructure for running always-on AI agents.
 Use this file for **repo-wide** guidance. For directory-specific rules, use the nearest nested `AGENTS.md`:
 - [`bin/AGENTS.md`](bin/AGENTS.md)
 - [`pi/extensions/AGENTS.md`](pi/extensions/AGENTS.md)
-- [`slack-bridge/AGENTS.md`](slack-bridge/AGENTS.md)
+- [`gateway-bridge/AGENTS.md`](gateway-bridge/AGENTS.md)
 
 ## How Baudbot works
 
@@ -16,7 +16,7 @@ Baudbot is a persistent, team-facing coding agent system. It connects to Slack,
 ```text
 Slack
    ↓
-Gateway bridge (slack-bridge dir; broker pull-mode or legacy Socket Mode)
+Gateway bridge (gateway-bridge dir; broker pull-mode or legacy Socket Mode)
    ↓
 control-agent (always-on, manages todo/routing/Slack threads)
    ├── dev-agent(s) — ephemeral coding workers in isolated worktrees
@@ -47,7 +47,8 @@ There are two startup phases with distinct ownership:
   - `dev-agent/` — coding worker persona
   - `sentry-agent/` — incident triage persona
 - `pi/settings.json` — pi agent settings
-- `slack-bridge/` — Gateway bridge runtime + security module
+- `gateway-bridge/` — Gateway bridge runtime + security module
+- `slack-bridge` → symlink to `gateway-bridge/` (legacy compatibility shim)
 - `docs/` — architecture/operations/security documentation
 - `test/` — vitest wrappers for shell scripts, integration, and legacy Node tests
 - `hooks/` — git hooks (security-critical `pre-commit` protecting admin-managed files)
 
@@ -96,7 +96,7 @@ echo "=== Installing test dependencies ==="
 export PATH="/home/baudbot_agent/opt/node/bin:$PATH"
 cd /home/baudbot_admin/baudbot
 npm install --ignore-scripts 2>&1 | tail -1
-cd slack-bridge && npm install 2>&1 | tail -1
+cd gateway-bridge && npm install 2>&1 | tail -1
 cd ..
 
 echo "=== Running tests ==="
 
@@ -115,7 +115,7 @@ echo "=== Installing test dependencies ==="
 export PATH="/home/baudbot_agent/opt/node/bin:$PATH"
 cd /home/baudbot_admin/baudbot
 npm install --ignore-scripts 2>&1 | tail -1
-cd slack-bridge && npm install 2>&1 | tail -1
+cd gateway-bridge && npm install 2>&1 | tail -1
 cd ..
 
 echo "=== Running tests ==="
 
@@ -15,7 +15,8 @@ readonly AGENT_USER="baudbot_agent"
 readonly AGENT_HOME="/home/${AGENT_USER}"
 readonly CONTROL_DIR="${AGENT_HOME}/.pi/session-control"
 readonly CONTROL_ALIAS="${CONTROL_DIR}/control-agent.alias"
-readonly BRIDGE_STATUS_FILE="${AGENT_HOME}/.pi/agent/slack-bridge-supervisor.json"
+readonly BRIDGE_STATUS_FILE="${AGENT_HOME}/.pi/agent/gateway-bridge-supervisor.json"
+readonly BRIDGE_STATUS_FILE_LEGACY="${AGENT_HOME}/.pi/agent/slack-bridge-supervisor.json"
 readonly START_TIMEOUT_SECONDS=60
 readonly STABILIZE_SECONDS=20
 
@@ -143,7 +144,7 @@ main() {
   # start.sh. In CI the agent doesn't run long enough for startup-pi.sh
   # to execute, so the status file may not exist. Log but don't fail.
   log "checking bridge supervisor status file"
-  if [[ -f "$BRIDGE_STATUS_FILE" ]]; then
+  if [[ -f "$BRIDGE_STATUS_FILE" ]] || [[ -f "$BRIDGE_STATUS_FILE_LEGACY" ]]; then
     log "bridge supervisor status file exists"
   else
     log "bridge supervisor status file not found (expected — bridge starts inside agent)"
 
@@ -325,12 +325,12 @@ deploy_runtime_asset_entry() {
 
 bb_manifest_for_each RUNTIME_ASSET_MANIFEST deploy_runtime_asset_entry
 
-# Clean up legacy bridge runtime path; bridge now runs from /opt release only.
+# Clean up legacy bridge runtime paths; bridge now runs from /opt release only.
 if [ "$DRY_RUN" -eq 0 ]; then
-  as_agent bash -c "rm -rf '$BAUDBOT_HOME/runtime/slack-bridge'"
-  log "✓ removed legacy runtime/slack-bridge"
+  as_agent bash -c "rm -rf '$BAUDBOT_HOME/runtime/gateway-bridge' '$BAUDBOT_HOME/runtime/slack-bridge'"
+  log "✓ removed legacy runtime/gateway-bridge and runtime/slack-bridge"
 else
-  log "would remove: runtime/slack-bridge (legacy path)"
+  log "would remove: runtime/gateway-bridge and runtime/slack-bridge (legacy paths)"
 fi
 
 # ── Memory Seeds ─────────────────────────────────────────────────────────────
@@ -441,7 +441,7 @@ VEOF
       echo '  \"source_sha\": \"$GIT_SHA\",'
       echo '  \"files\": {'
       first=1
-      for dir in '$BAUDBOT_HOME/.pi/agent/extensions' '$BAUDBOT_HOME/.pi/agent/skills' '/opt/baudbot/current/slack-bridge' '$BAUDBOT_HOME/runtime/bin'; do
+      for dir in '$BAUDBOT_HOME/.pi/agent/extensions' '$BAUDBOT_HOME/.pi/agent/skills' '/opt/baudbot/current/gateway-bridge' '$BAUDBOT_HOME/runtime/bin'; do
         if [ -d \"\$dir\" ]; then
           while IFS= read -r f; do
             hash=\$(sha256sum \"\$f\" | cut -d' ' -f1)
 
@@ -307,14 +307,17 @@ else
   fi
 fi
 
-BRIDGE_DIR="$BAUDBOT_CURRENT_LINK/slack-bridge"
+BRIDGE_DIR="$BAUDBOT_CURRENT_LINK/gateway-bridge"
+BRIDGE_DIR_LEGACY="$BAUDBOT_CURRENT_LINK/slack-bridge"
 if [ -d "$BRIDGE_DIR" ] && [ -f "$BRIDGE_DIR/bridge.mjs" ]; then
   pass "gateway bridge deployed ($BRIDGE_DIR)"
+elif [ -d "$BRIDGE_DIR_LEGACY" ] && [ -f "$BRIDGE_DIR_LEGACY/bridge.mjs" ]; then
+  pass "gateway bridge deployed via legacy path ($BRIDGE_DIR_LEGACY)"
 else
   if [ "$IS_ROOT" -ne 1 ] && { [ -d "$BAUDBOT_CURRENT_LINK" ] || [ -e "$BAUDBOT_CURRENT_LINK" ]; }; then
     warn "cannot verify gateway bridge files as non-root (run: sudo baudbot doctor)"
   else
-    fail "gateway bridge not deployed (expected: $BRIDGE_DIR; run: sudo baudbot update)"
+    fail "gateway bridge not deployed (expected: $BRIDGE_DIR or $BRIDGE_DIR_LEGACY; run: sudo baudbot update)"
   fi
 fi
 
 
@@ -195,15 +195,20 @@ PY
 
 print_bridge_supervisor_status() {
   local agent_user="${BAUDBOT_AGENT_USER:-baudbot_agent}"
-  local status_file="/home/$agent_user/.pi/agent/slack-bridge-supervisor.json"
+  local status_file="/home/$agent_user/.pi/agent/gateway-bridge-supervisor.json"
+  local legacy_status_file="/home/$agent_user/.pi/agent/slack-bridge-supervisor.json"
   local summary=""
   local mode=""
   local state=""
   local failures=""
   local threshold=""
 
   if [ ! -r "$status_file" ]; then
-    return 0
+    if [ -r "$legacy_status_file" ]; then
+      status_file="$legacy_status_file"
+    else
+      return 0
+    fi
   fi
 
   summary="$(python3 - "$status_file" <<'PY'
 
@@ -220,13 +220,17 @@ else
   ok "~/.pi/agent/skills/ is a real directory"
 fi
 
-BRIDGE_DIR="$BAUDBOT_CURRENT_LINK/slack-bridge"
+BRIDGE_DIR="$BAUDBOT_CURRENT_LINK/gateway-bridge"
+BRIDGE_DIR_LEGACY="$BAUDBOT_CURRENT_LINK/slack-bridge"
 # shellcheck disable=SC2088
 if [ -d "$BRIDGE_DIR" ]; then
   ok "Release bridge directory exists ($BRIDGE_DIR)"
+elif [ -d "$BRIDGE_DIR_LEGACY" ]; then
+  ok "Release bridge directory exists via legacy path ($BRIDGE_DIR_LEGACY)"
+  BRIDGE_DIR="$BRIDGE_DIR_LEGACY"
 else
   finding "WARN" "release bridge directory not found" \
-    "Expected: $BRIDGE_DIR (run: sudo baudbot update)"
+    "Expected: $BRIDGE_DIR or $BRIDGE_DIR_LEGACY (run: sudo baudbot update)"
 fi
 
 # Check version stamp exists
@@ -252,21 +256,34 @@ if [ -f "$MANIFEST_FILE" ]; then
   for critical_file in \
     ".pi/agent/extensions/tool-guard.ts" \
     ".pi/agent/extensions/tool-guard.test.mjs" \
-    "release/slack-bridge/security.mjs" \
-    "release/slack-bridge/security.test.mjs"; do
+    "release/gateway-bridge/security.mjs" \
+    "release/gateway-bridge/security.test.mjs"; do
 
     if [[ "$critical_file" == release/* ]]; then
       full_path="$BAUDBOT_CURRENT_LINK/${critical_file#release/}"
     else
       full_path="$BAUDBOT_HOME/$critical_file"
     fi
+
+    expected_hash=$(grep "\"$critical_file\"" "$MANIFEST_FILE" 2>/dev/null | sed 's/.*: *"\([^"]*\)".*/\1/' || echo "")
+
+    # Legacy compatibility: manifests from older releases used release/slack-bridge/* keys.
+    if [[ "$critical_file" == "release/gateway-bridge/security.mjs" ]] && [ -z "$expected_hash" ]; then
+      critical_file="release/slack-bridge/security.mjs"
+      full_path="$BAUDBOT_CURRENT_LINK/slack-bridge/security.mjs"
+      expected_hash=$(grep "\"$critical_file\"" "$MANIFEST_FILE" 2>/dev/null | sed 's/.*: *"\([^"]*\)".*/\1/' || echo "")
+    elif [[ "$critical_file" == "release/gateway-bridge/security.test.mjs" ]] && [ -z "$expected_hash" ]; then
+      critical_file="release/slack-bridge/security.test.mjs"
+      full_path="$BAUDBOT_CURRENT_LINK/slack-bridge/security.test.mjs"
+      expected_hash=$(grep "\"$critical_file\"" "$MANIFEST_FILE" 2>/dev/null | sed 's/.*: *"\([^"]*\)".*/\1/' || echo "")
+    fi
+
     if [ ! -f "$full_path" ]; then
       finding "WARN" "Missing critical file: $critical_file" "Run deploy.sh"
       missing=$((missing + 1))
       continue
     fi
 
-    expected_hash=$(grep "\"$critical_file\"" "$MANIFEST_FILE" 2>/dev/null | sed 's/.*: *"\([^"]*\)".*/\1/' || echo "")
     if [ -z "$expected_hash" ]; then
       finding "WARN" "$critical_file not in manifest" "Run deploy.sh to regenerate"
       continue
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"all": false,`
`3`	`3`	`"include": [`
`4`		`- "slack-bridge/security.mjs",`
	`4`	`+ "gateway-bridge/security.mjs",`
`5`	`5`	`"bin/scan-extensions.mjs"`
`6`	`6`	`],`
`7`	`7`	`"exclude": [`