@cgh567/agent 2.4.2 → 2.4.4

package/daemon/routes/hbo.js

@@ -32,7 +32,7 @@ function getCorsHeaders(req) {
   const allowedOrigin = origin && HBO_ALLOWED_ORIGINS.has(origin) ? origin : 'http://localhost:9093';
   return {
     'Access-Control-Allow-Origin': allowedOrigin,
-    'Access-Control-Allow-Methods': 'GET, POST, PATCH, OPTIONS',
+    'Access-Control-Allow-Methods': 'GET, POST, PATCH, DELETE, OPTIONS',
     'Access-Control-Allow-Headers': 'Content-Type, Accept, Authorization',
     'Vary': 'Origin',
   };
@@ -431,28 +431,37 @@ async function handleTransitionBusinessTask(req, res, ctx, taskId) {
     const taskService = loadHBOService('lib/business-task-service.js');
     if (taskService && typeof taskService.transition === 'function') {
       try {
-        const task = await Promise.race([
-          taskService.transition(taskId, status, cid),
-          new Promise((_, reject) =>
-            setTimeout(() => reject(new Error('task-service timeout — falling back to direct')), 5000)
-          ),
-        ]);
-        jsonOk(res, { task });
-        return;
-      } catch (_svcErr) {
-        // service failed for any reason — fall through to direct Memgraph path below
-      }
-    }
-
-    // Fallback: update directly via ctx.mgQuery
-    const now = new Date().toISOString().replace(/\.\d{3}Z$/, 'Z');
-    await mgQuery(
-      `MATCH (bt:BusinessTask {id: $id, companyId: $cid})
-       SET bt.status = $status, bt.updatedAt = datetime($now)`,
-      { id: taskId, cid, status, now }
-    );
-    _bc({ type: 'task.updated', taskId, companyId: cid, status });
-    jsonOk(res, { updated: true, taskId, status });
+        const task = await Promise.race([
+          taskService.transition(taskId, status, cid),
+          new Promise((_, reject) =>
+            setTimeout(() => reject(new Error('task-service timeout — falling back to direct')), 5000)
+          ),
+        ]);
+        if (task !== null && task !== undefined) {
+          jsonOk(res, { task });
+          return;
+        }
+        // Service did not find a task for this company; fall through to the
+        // direct path so we can return a clear 404 instead of a silent success.
+      } catch (_svcErr) {
+        // service failed for any reason — fall through to direct Memgraph path below
+      }
+    }
+
+    // Fallback: update directly via ctx.mgQuery
+    const now = new Date().toISOString().replace(/\.\d{3}Z$/, 'Z');
+    const result = await mgQuery(
+      `MATCH (bt:BusinessTask {id: $id, companyId: $cid})
+       SET bt.status = $status, bt.updatedAt = datetime($now)
+       RETURN bt.id AS id`,
+      { id: taskId, cid, status, now }
+    );
+    if (parseRows(result).length === 0) {
+      jsonErr(res, 404, `BusinessTask ${taskId} not found for company ${cid}`);
+      return;
+    }
+    _bc({ type: 'task.updated', taskId, companyId: cid, status });
+    jsonOk(res, { updated: true, taskId, status });
   } catch (e) {
     jsonErr(res, 500, `Transition BusinessTask failed: ${safeErrMsg(e)}`);
   }
@@ -462,34 +471,206 @@ async function handleTransitionBusinessTask(req, res, ctx, taskId) {
 
 async function handleGetBusinessGoals(req, res, ctx) {
   const { mgQuery, cid } = ctx;
-  if (!mgQuery) { jsonErr(res, 503, 'Memgraph not connected'); return; }
+  // SQL-P1: SQLite fallback when Memgraph is unavailable — not all users have Memgraph.
+  // Try Memgraph first; on failure (no connection or query error), fall through to SQLite.
+  if (mgQuery) {
+    try {
+      // Get all BusinessGoal nodes
+      // BUG-12 fix: BusinessGoal relationships are stored as (child)-[:CHILD_OF]->(parent).
+      const result = await mgQuery(
+        `MATCH (bg:BusinessGoal {companyId: $cid})
+         OPTIONAL MATCH (child:BusinessGoal)-[:CHILD_OF]->(bg)
+         WITH bg, [x IN collect(child.id) WHERE x IS NOT NULL] AS childIds
+         RETURN bg.id AS id, bg.title AS title, bg.level AS level,
+                bg.ownerAgentId AS ownerAgentId, bg.status AS status,
+                bg.progress AS progress, childIds
+         ORDER BY bg.level ASC`,
+        { cid }
+      );
+      const rows = parseRows(result);
+      const keys = ['id', 'title', 'level', 'ownerAgentId', 'status', 'progress', 'childIds'];
+      const goals = rows.map(r => {
+        const goal = rowToObj(r, keys);
+        if (goal.level !== null && goal.level !== undefined) goal.level = String(goal.level);
+        return goal;
+      });
+      const rootGoals = goals.filter(g => !g.level || String(g.level) === 'company');
+      return jsonOk(res, { goals, rootGoals, count: goals.length });
+    } catch (e) {
+      // Memgraph query failed — fall through to SQLite fallback below
+      process.stderr.write(`[hbo] handleGetBusinessGoals Memgraph failed, falling back to SQLite: ${e.message}\n`);
+    }
+  }
+  // SQLite fallback (Memgraph unavailable or query failed)
   try {
-    // Get all BusinessGoal nodes
-    // BUG-12 fix: BusinessGoal relationships are stored as (child)-[:CHILD_OF]->(parent).
-    // The old query used (bg)-[:PARENT_OF]->(child) which matched zero edges.
-    // Migration note: run `MATCH (bg:BusinessGoal)-[:PARENT_OF]->(c:BusinessGoal)
-    //   MERGE (c)-[:CHILD_OF]->(bg) DELETE relationship` if old edges exist.
-    const result = await mgQuery(
-      `MATCH (bg:BusinessGoal {companyId: $cid})
-       OPTIONAL MATCH (child:BusinessGoal)-[:CHILD_OF]->(bg)
-       WITH bg, [x IN collect(child.id) WHERE x IS NOT NULL] AS childIds
-       RETURN bg.id AS id, bg.title AS title, bg.level AS level,
-              bg.ownerAgentId AS ownerAgentId, bg.status AS status,
-              bg.progress AS progress, childIds
-       ORDER BY bg.level ASC`,
-      { cid }
-    );
-    const rows = parseRows(result);
-    const keys = ['id', 'title', 'level', 'ownerAgentId', 'status', 'progress', 'childIds'];
-    const goals = rows.map(r => rowToObj(r, keys));
-    // Build hierarchy tree
-    const rootGoals = goals.filter(g => !g.level || g.level === 0 || g.level === 'company');
-    jsonOk(res, { goals, rootGoals, count: goals.length });
-  } catch (e) {
-    jsonErr(res, 500, `BusinessGoal query failed: ${safeErrMsg(e)}`);
+    const storeGoals = hboStore.getGoalsByCompany ? hboStore.getGoalsByCompany(cid) : [];
+    const goals = (storeGoals || []).map(g => ({
+      id: g.id ?? g.id,
+      title: g.title ?? null,
+      level: g.level ? String(g.level) : null,
+      ownerAgentId: g.ownerAgentId ?? null,
+      status: g.status ?? null,
+      progress: g.progress ?? null,
+      childIds: g.childIds ?? [],
+    }));
+    const rootGoals = goals.filter(g => !g.level || g.level === 'company');
+    return jsonOk(res, { goals, rootGoals, count: goals.length, _source: 'sqlite' });
+  } catch (storeErr) {
+    return jsonErr(res, 503, `Goals unavailable: Memgraph not connected and SQLite fallback failed: ${storeErr.message}`);
+  }
+}
+
+async function handleGetBusinessGoal(req, res, ctx, goalId) {
+  const { mgQuery, cid } = ctx;
+  if (!goalId) { jsonErr(res, 400, 'Missing goal ID'); return; }
+  // SQL-P2: SQLite fallback when Memgraph unavailable.
+  if (mgQuery) {
+    try {
+      const result = await mgQuery(
+        `MATCH (g:BusinessGoal {id: $id, companyId: $cid})
+         RETURN g.id AS id, g.title AS title, g.description AS description,
+                g.level AS level, g.status AS status, g.parentId AS parentId,
+                g.ownerAgentId AS ownerAgentId, g.progress AS progress`,
+        { id: goalId, cid }
+      );
+      const rows = parseRows(result);
+      if (rows.length === 0) { jsonErr(res, 404, `BusinessGoal ${goalId} not found`); return; }
+      const keys = ['id', 'title', 'description', 'level', 'status', 'parentId', 'ownerAgentId', 'progress'];
+      return jsonOk(res, { goal: rowToObj(rows[0], keys) });
+    } catch (e) {
+      process.stderr.write(`[hbo] handleGetBusinessGoal Memgraph failed, falling back to SQLite: ${e.message}\n`);
+    }
+  }
+  // SQLite fallback
+  try {
+    const g = hboStore.getGoal ? hboStore.getGoal(goalId, cid) : null;
+    if (!g) { jsonErr(res, 404, `BusinessGoal ${goalId} not found`); return; }
+    return jsonOk(res, { goal: g, _source: 'sqlite' });
+  } catch (storeErr) {
+    return jsonErr(res, 503, `Goal unavailable: ${storeErr.message}`);
   }
 }
 
+async function handleCreateBusinessGoal(req, res, ctx) {
+  const { mgQuery, cid } = ctx;
+  if (!mgQuery) { jsonErr(res, 503, 'Memgraph not connected'); return; }
+  // H-4 fix: reject if cid is missing or is the fallback sentinel — prevents silent writes to 'default-company'
+  if (!cid || cid === 'default-company') { jsonErr(res, 400, 'companyId is required'); return; }
+  try {
+    const body = await readBody(req);
+    if (!assertValidBody(body, res)) return;
+    const title = typeof body.title === 'string' ? body.title.trim() : '';
+    if (!title) { jsonErr(res, 400, 'title is required'); return; }
+
+    const goalId = body.id ? String(body.id) : `bg:${randomUUID()}`;
+    const description = body.description !== undefined ? String(body.description) : null;
+    const level = body.level !== undefined ? String(body.level) : 'company';
+    const parentId = body.parentId || body.parentGoalId ? String(body.parentId || body.parentGoalId) : null;
+
+    await mgQuery(
+      `CREATE (g:BusinessGoal {
+         id: $id, companyId: $cid, title: $title, description: $desc,
+         level: $level, status: 'active', parentId: $parentId,
+         parentGoalId: $parentId, createdAt: datetime(), updatedAt: datetime()
+       })`,
+      { id: goalId, cid, title, desc: description, level, parentId }
+    );
+    try {
+      hboStore.createGoal?.({ id: goalId, companyId: cid, title, description, level, status: 'active', parentId, createdAt: Date.now() });
+    } catch (storeErr) {
+      process.stderr.write(`[hbo] goal mirror failed: ${storeErr.message}\n`);
+    }
+    try { ctx._bc?.({ type: 'goal.created', companyId: cid, goalId }); } catch (_) {}
+    // Fire-and-forget: trigger tickGoalDecompose so the Harada cascade begins immediately
+    // (normally runs every 5th tick = up to 150s; injected hook shortens this to ~0ms).
+    if (_triggerGoalDecompose) {
+      setImmediate(() => {
+        try { _triggerGoalDecompose(cid); } catch (_tgdErr) {}
+      });
+    }
+    jsonOk(res, { goal: { id: goalId, companyId: cid, title, description, level, status: 'active', parentId } }, 201);
+  } catch (e) {
+    jsonErr(res, 500, `Create BusinessGoal failed: ${safeErrMsg(e)}`);
+  }
+}
+
+async function handleUpdateBusinessGoal(req, res, ctx, goalId) {
+  const { mgQuery, cid } = ctx;
+  if (!mgQuery) { jsonErr(res, 503, 'Memgraph not connected'); return; }
+  if (!goalId) { jsonErr(res, 400, 'Missing goal ID'); return; }
+  try {
+    const body = await readBody(req);
+    if (!assertValidBody(body, res)) return;
+    const title = body.title !== undefined ? String(body.title).trim() : null;
+    const description = body.description !== undefined ? String(body.description) : null;
+    const level = body.level !== undefined ? String(body.level) : null;
+    const status = body.status !== undefined ? String(body.status) : null;
+    const parentId = body.parentId !== undefined ? (body.parentId ? String(body.parentId) : null) : undefined;
+
+    if (title === '' || (title === null && description === null && level === null && status === null && parentId === undefined)) {
+      jsonErr(res, 400, 'At least one of title, description, level, status, parentId must be provided');
+      return;
+    }
+
+    const result = await mgQuery(
+      `MATCH (g:BusinessGoal {id: $id, companyId: $cid})
+       SET g.title = COALESCE($title, g.title),
+           g.description = CASE WHEN $hasDescription THEN $description ELSE g.description END,
+           g.level = COALESCE($level, g.level),
+           g.status = COALESCE($status, g.status),
+           g.parentId = CASE WHEN $hasParentId THEN $parentId ELSE g.parentId END,
+           g.parentGoalId = CASE WHEN $hasParentId THEN $parentId ELSE g.parentGoalId END,
+           g.updatedAt = datetime()
+       RETURN g.id AS id, g.title AS title, g.description AS description,
+              g.level AS level, g.status AS status, g.parentId AS parentId`,
+      {
+        id: goalId, cid, title, description, level, status,
+        parentId: parentId === undefined ? null : parentId,
+        hasDescription: body.description !== undefined,
+        hasParentId: parentId !== undefined,
+      }
+    );
+    const rows = parseRows(result);
+    if (rows.length === 0) { jsonErr(res, 404, `BusinessGoal ${goalId} not found`); return; }
+    const goal = rowToObj(rows[0], ['id', 'title', 'description', 'level', 'status', 'parentId']);
+    // H-3 fix: only pass fields that were explicitly provided in the PATCH body to updateGoal.
+    // rowToObj fills missing Memgraph fields with null — passing null for e.g. title would
+    // overwrite the existing SQLite title with null on a status-only update.
+    const storeUpdate = { id: goalId };
+    if (title !== null) storeUpdate.title = goal.title;
+    if (description !== null) storeUpdate.description = goal.description;
+    if (level !== null) storeUpdate.level = goal.level;
+    if (status !== null) storeUpdate.status = goal.status;
+    if (parentId !== undefined) storeUpdate.parentId = goal.parentId;
+    try { hboStore.updateGoal?.(goalId, cid, storeUpdate); } catch (storeErr) { process.stderr.write(`[hbo] goal mirror failed: ${storeErr.message}\n`); }
+    try { ctx._bc?.({ type: 'goal.updated', companyId: cid, goalId }); } catch (_) {}
+    jsonOk(res, { goal });
+  } catch (e) {
+    jsonErr(res, 500, `Update BusinessGoal failed: ${safeErrMsg(e)}`);
+  }
+}
+
+async function handleDeleteBusinessGoal(req, res, ctx, goalId) {
+  const { mgQuery, cid } = ctx;
+  if (!mgQuery) { jsonErr(res, 503, 'Memgraph not connected'); return; }
+  if (!goalId) { jsonErr(res, 400, 'Missing goal ID'); return; }
+  try {
+    const result = await mgQuery(
+      `MATCH (g:BusinessGoal {id: $id, companyId: $cid})
+       WITH g, g.id AS deletedId
+       DETACH DELETE g
+       RETURN deletedId AS id`,
+      { id: goalId, cid }
+    );
+    if (parseRows(result).length === 0) { jsonErr(res, 404, `BusinessGoal ${goalId} not found`); return; }
+    try { hboStore.deleteGoal?.(goalId, cid); } catch (storeErr) { process.stderr.write(`[hbo] goal mirror failed: ${storeErr.message}\n`); }
+    try { ctx._bc?.({ type: 'goal.deleted', companyId: cid, goalId }); } catch (_) {}
+    jsonOk(res, { deleted: true, goalId });
+  } catch (e) {
+    jsonErr(res, 500, `Delete BusinessGoal failed: ${safeErrMsg(e)}`);
+  }
+}
+
 // ── Warm signals handler ──────────────────────────────────────────────────────
 
 async function handleGetWarmSignals(req, res, ctx) {
@@ -2181,9 +2362,11 @@ async function handleGetHboApprovals(req, res, ctx) {
     const type   = url.searchParams.get('type')   || null;
 
     // GP3-B2: expanded to include strategy_proposal and harada_strategy_review types
-    let cypher = `MATCH (a:Approval {companyId: $cid}) WHERE a.type IN ['question','send_approval','strategy_proposal','harada_strategy_review','approval','domain_purchase','sender_identity_config','dns_records_review','email_domain_setup','harada_l2_review','harada_l3_review','harada_question']`;
+    let cypher = `MATCH (a:Approval {companyId: $cid}) WHERE a.type IN ['question','send_approval','strategy_proposal','harada_strategy_review','approval','domain_purchase','sender_identity_config','dns_records_review','email_domain_setup','harada_l2_review','harada_l3_review','harada_question','plan_change_review']`;
     const params = { cid: ctx.cid };
-    if (status) { cypher += ' AND a.status = $status'; params.status = status; }
+    // F-03: 'pending' filter also includes 'revision_requested' so operators see revision_requested items in the Pending tab
+    if (status === 'pending') { cypher += " AND a.status IN ['pending', 'revision_requested']"; }
+    else if (status) { cypher += ' AND a.status = $status'; params.status = status; }
     if (type)   { cypher += ' AND a.type = $type';     params.type = type; }
     cypher += ' RETURN a ORDER BY a.createdAt DESC LIMIT toInteger(50)';
 
@@ -2210,6 +2393,8 @@ async function handleGetHboApprovals(req, res, ctx) {
         department: p?.department ?? null,
         templateKey: p?.templateKey ?? null,
         inferredAnswer: p?.inferredAnswer ?? null,
+        decisionNote: p?.decisionNote ?? null,
+        followUpTaskId: p?.followUpTaskId ?? null,
       };
     });
     jsonOk(res, { approvals, count: approvals.length });
@@ -2218,6 +2403,28 @@ async function handleGetHboApprovals(req, res, ctx) {
   }
 }
 
+// P9A: GET /api/hbo/blocked-work — tasks stopped due to a blocker
+async function handleGetBlockedWork(req, res, ctx) {
+  try {
+    if (!ctx.mgQuery) { jsonErr(res, 503, 'Memgraph not connected'); return; }
+    const url = new URL(req.url, 'http://localhost');
+    const cid = ctx.cid || url.searchParams.get('companyId') || url.searchParams.get('cid') || '';
+    const r = await ctx.mgQuery(
+      `MATCH (t:Task) WHERE t.blockedReason IS NOT NULL AND t.status = 'blocked' AND t.companyId = $cid
+       RETURN t.id AS id, t.title AS title, t.blockedReason AS blockedReason, t.blockedAt AS blockedAt
+       ORDER BY t.blockedAt DESC`,
+      { cid }
+    ).catch(() => null);
+    const blockedWork = (r?.rows ?? []).map(row => {
+      if (Array.isArray(row)) return { id: row[0], title: row[1], blockedReason: row[2], blockedAt: row[3] };
+      return { id: row['id'], title: row['title'], blockedReason: row['blockedReason'], blockedAt: row['blockedAt'] };
+    });
+    jsonOk(res, { blockedWork, count: blockedWork.length });
+  } catch (e) {
+    jsonErr(res, 500, `Get blocked-work failed: ${safeErrMsg(e)}`);
+  }
+}
+
 async function handleHboLaunch(req, res, ctx) {
   const { mgQuery } = ctx;
   if (!mgQuery) { jsonErr(res, 503, 'Memgraph not connected'); return; }
@@ -2726,9 +2933,90 @@ async function handleGetCommandCenter(req, res, ctx) {
   }
 }
 
+// ── G-01: Budget Policy CRUD Handlers ────────────────────────────────────────
+
+async function handleCreateBudgetPolicy(req, res, ctx) {
+  try {
+    if (!ctx.mgQuery) { jsonErr(res, 503, 'Memgraph not connected'); return; }
+    const body = await readBody(req);
+    if (!assertValidBody(body, res)) return;
+    const { agentId, limitUSD, period, companyId: bodyCompanyId, id: clientId } = body || {};
+    if (!agentId || limitUSD === undefined || !period) {
+      jsonErr(res, 400, 'agentId, limitUSD, and period are required'); return;
+    }
+    // Use client-supplied id (from SQLite saved record) so delete path matches; fall back to generated key.
+    const cid = bodyCompanyId || ctx.cid;
+    const id = clientId || `bp:${cid}:${agentId}:${Date.now()}`;
+    await ctx.mgQuery(
+      `MERGE (bp:BudgetPolicy {id: $id})
+       ON CREATE SET bp.companyId = $cid, bp.agentId = $agentId,
+                     bp.limitUSD = $limitUSD, bp.period = $period,
+                     bp.limitCents = toInteger($limitUSD * 100),
+                     bp.spentCents = 0, bp.createdAt = datetime()
+       ON MATCH  SET bp.limitUSD = $limitUSD, bp.period = $period,
+                     bp.limitCents = toInteger($limitUSD * 100)`,
+      { id, cid, agentId: String(agentId), limitUSD: Number(limitUSD), period: String(period) }
+    );
+    jsonOk(res, { policy: { id, agentId, limitUSD: Number(limitUSD), period } });
+  } catch (e) { jsonErr(res, 500, `Create budget policy failed: ${safeErrMsg(e)}`); }
+}
+
+async function handleUpdateBudgetPolicy(req, res, ctx, policyId) {
+  try {
+    if (!ctx.mgQuery) { jsonErr(res, 503, 'Memgraph not connected'); return; }
+    if (!policyId) { jsonErr(res, 400, 'Missing policy ID'); return; }
+    const body = await readBody(req);
+    if (!assertValidBody(body, res)) return;
+    const setClauses = [];
+    const params = { id: policyId, cid: ctx.cid };
+    if (body.limitUSD !== undefined) { setClauses.push('bp.limitUSD = $limitUSD, bp.limitCents = toInteger($limitUSD * 100)'); params.limitUSD = Number(body.limitUSD); }
+    if (body.period !== undefined)   { setClauses.push('bp.period = $period'); params.period = String(body.period); }
+    if (body.agentId !== undefined)  { setClauses.push('bp.agentId = $agentId'); params.agentId = String(body.agentId); }
+    if (setClauses.length === 0) { jsonErr(res, 400, 'No fields to update'); return; }
+    const r = await ctx.mgQuery(
+      `MATCH (bp:BudgetPolicy {id: $id, companyId: $cid}) SET ${setClauses.join(', ')}, bp.updatedAt = datetime() RETURN bp.id`,
+      params
+    );
+    if (!(r?.rows?.length)) { jsonErr(res, 404, `Budget policy not found: ${policyId}`); return; }
+    jsonOk(res, { updated: true, policyId });
+  } catch (e) { jsonErr(res, 500, `Update budget policy failed: ${safeErrMsg(e)}`); }
+}
+
+async function handleDeleteBudgetPolicy(req, res, ctx, policyId) {
+  try {
+    if (!ctx.mgQuery) { jsonErr(res, 503, 'Memgraph not connected'); return; }
+    if (!policyId) { jsonErr(res, 400, 'Missing policy ID'); return; }
+    await ctx.mgQuery(
+      `MATCH (bp:BudgetPolicy {id: $id, companyId: $cid}) DETACH DELETE bp`,
+      { id: policyId, cid: ctx.cid }
+    );
+    jsonOk(res, { deleted: true, policyId });
+  } catch (e) { jsonErr(res, 500, `Delete budget policy failed: ${safeErrMsg(e)}`); }
+}
+
+async function handleGetBudgetIncidents(req, res, ctx) {
+  try {
+    if (!ctx.mgQuery) { jsonErr(res, 503, 'Memgraph not connected'); return; }
+    const r = await ctx.mgQuery(
+      `MATCH (bi:BudgetIncident {companyId: $cid}) RETURN bi ORDER BY bi.createdAt DESC LIMIT 50`,
+      { cid: ctx.cid }
+    ).catch(() => null);
+    const incidents = (r?.rows ?? []).map(row => {
+      const node = Array.isArray(row) ? row[0] : (row['bi'] || row);
+      const p = node?.properties || node;
+      return { id: p?.id, agentId: p?.agentId, limitUSD: p?.limitUSD, spentUSD: p?.spentUSD,
+               period: p?.period, resolvedAt: p?.resolvedAt ?? null, createdAt: p?.createdAt ?? null };
+    });
+    jsonOk(res, { incidents, count: incidents.length });
+  } catch (e) { jsonErr(res, 500, `Get budget incidents failed: ${safeErrMsg(e)}`); }
+}
+
 module.exports = function createHBORouter(handlers) {
-  const { broadcast, mgQuery: _mgQueryInit } = handlers || {};
+  const { broadcast, mgQuery: _mgQueryInit, triggerGoalDecompose } = handlers || {};
   const _bc = typeof broadcast === 'function' ? broadcast : () => {};
+  // Optional hook: after a BusinessGoal is created, caller can fire-and-forget tickGoalDecompose
+  // so the Harada cascade starts on the next event-loop tick rather than waiting up to 150s.
+  const _triggerGoalDecompose = typeof triggerGoalDecompose === 'function' ? triggerGoalDecompose : null;
   return async function hboRoute(req, res, ctx, pathname, method) {
     // R3-C10: Set module-level request reference so jsonOk/jsonErr can include CORS headers
     // at all 155 call sites without requiring changes to each handler.
@@ -2744,6 +3032,14 @@ module.exports = function createHBORouter(handlers) {
       return false;
     }
 
+    // H-2 fix: Handle OPTIONS preflight for all HBO routes (including DELETE /api/hbo/goals/:id).
+    // Must be BEFORE auth check — browsers never send credentials on preflight requests.
+    if (method === 'OPTIONS') {
+      res.writeHead(204, getCorsHeaders(req));
+      res.end();
+      return true;
+    }
+
     // Auth check for all HBO routes
     const authHeader = (req.headers || {})['authorization'];
     const expected = ctx.apiToken;
@@ -2815,12 +3111,110 @@ module.exports = function createHBORouter(handlers) {
       return true;
     }
 
+    // P8A-03: GET /api/hbo/tasks/:id — full task detail including originKind, approvalId, etc.
+    // Must be matched BEFORE the PATCH /:id pattern below.
+    const taskGetMatch = pathname.match(/^\/api\/hbo\/tasks\/([^/]+)$/);
+    if (method === 'GET' && taskGetMatch) {
+      const taskId = decodeURIComponent(taskGetMatch[1]);
+      const { mgQuery, cid } = ctx;
+      // E2 fix: prefer ?companyId query param so multi-company operator's active company
+      // is used. Fall back to ctx.cid (session default) for single-company deployments.
+      // Note: raw Node.js http.IncomingMessage has no .query property — must use URL.searchParams.
+      const queryCid = new URL(req.url, 'http://localhost').searchParams.get('companyId') || cid;
+      if (!mgQuery) {
+        // SQL parity: fall back to SQLite when Memgraph unavailable
+        try {
+          const hboStore = require('../../lib/hbo-core-store');
+          const t = hboStore.getTask ? hboStore.getTask(taskId, queryCid) : null;
+          if (!t) { jsonErr(res, 404, 'Task not found'); return true; }
+          jsonOk(res, { task: t, _source: 'sqlite' });
+        } catch (storeErr) {
+          jsonErr(res, 503, `Task unavailable: Memgraph not connected`);
+        }
+        return true;
+      }
+      try {
+        // Return full node — includes all properties: originKind, approvalId, pillarId,
+        // executionStateJson, executionPolicyJson, workspacePath, etc.
+        const result = await mgQuery('MATCH (t:Task {id: $id, companyId: $cid}) RETURN t', { id: taskId, cid: queryCid });
+        if (result.rows && result.rows.length > 0) {
+          const t = result.rows[0][0].properties || result.rows[0][0];
+          jsonOk(res, { task: t });
+        } else {
+          jsonErr(res, 404, 'Task not found');
+        }
+      } catch (e) {
+        jsonErr(res, 500, `Task query failed: ${safeErrMsg(e)}`);
+      }
+      return true;
+    }
+
     // POST /api/hbo/tasks
     if (method === 'POST' && pathname === '/api/hbo/tasks') {
       await handleCreateBusinessTask(req, res, ctx);
       return true;
     }
 
+    // POST /api/hbo/tasks/:id/interpretation/refresh — P_EXPLAIN-04
+    const taskInterpRefreshMatch = pathname.match(/^\/api\/hbo\/tasks\/([^/]+)\/interpretation\/refresh$/);
+    if (method === 'POST' && taskInterpRefreshMatch) {
+      const taskId = decodeURIComponent(taskInterpRefreshMatch[1]);
+      const { mgQuery } = ctx;
+      if (!mgQuery) { jsonResponse(res, 503, { error: 'Memgraph not connected' }); return true; }
+      const cid = ctx.cid;
+      try {
+        const { createInterpretationExplanation } = require('../lib/interpretation-engine.js');
+        const { rawWrite: _interpRw } = require('../lib/safe-memgraph.js');
+        await createInterpretationExplanation(taskId, cid, _interpRw);
+        jsonResponse(res, 200, { ok: true, taskId });
+      } catch (err) {
+        jsonResponse(res, 500, { error: `Interpretation refresh failed: ${err.message}` });
+      }
+      return true;
+    }
+
+    // E-02: GET /api/hbo/tasks/:taskId/enrichment — hill chart position + recent PDSA cycles
+    // Returns hillChart: { id, position, phase, updatedAt } | null
+    //         pdsaCycles: [...] (up to 5 most recent, ordered by createdAt DESC)
+    const taskEnrichmentMatch = pathname.match(/^\/api\/hbo\/tasks\/([^/]+)\/enrichment$/);
+    if (method === 'GET' && taskEnrichmentMatch) {
+      const taskId = decodeURIComponent(taskEnrichmentMatch[1]);
+      const { mgQuery, cid } = ctx;
+      const queryCid = new URL(req.url, 'http://localhost').searchParams.get('companyId') || cid;
+      if (!mgQuery) {
+        jsonResponse(res, 503, { error: 'Memgraph not connected' });
+        return true;
+      }
+      try {
+        const [hillResult, pdsaResult] = await Promise.all([
+          mgQuery(
+            `MATCH (t:Task {id: $taskId, companyId: $cid})
+             OPTIONAL MATCH (t)-[:HAS_HILL_CHART]->(h:HillChart)
+             RETURN h`,
+            { taskId, cid: queryCid }
+          ),
+          mgQuery(
+            `MATCH (t:Task {id: $taskId, companyId: $cid})
+             OPTIONAL MATCH (t)-[:HAS_PDSA]->(p:PDSACycle)
+             RETURN p ORDER BY p.createdAt DESC LIMIT 5`,
+            { taskId, cid: queryCid }
+          ),
+        ]);
+        const hRow = hillResult.rows && hillResult.rows[0] ? hillResult.rows[0][0] : null;
+        const hillChart = hRow
+          ? (hRow.properties ?? hRow)
+          : null;
+        const pdsaCycles = (pdsaResult.rows || [])
+          .map((r) => r[0])
+          .filter(Boolean)
+          .map((p) => p.properties ?? p);
+        jsonOk(res, { hillChart, pdsaCycles });
+      } catch (e) {
+        jsonErr(res, 500, `Enrichment query failed: ${safeErrMsg(e)}`);
+      }
+      return true;
+    }
+
     // PATCH /api/hbo/tasks/:id
     const taskPatchMatch = pathname.match(/^\/api\/hbo\/tasks\/(.+)$/);
     if (method === 'PATCH' && taskPatchMatch) {
@@ -2834,6 +3228,30 @@ module.exports = function createHBORouter(handlers) {
       return true;
     }
 
+    // GET /api/hbo/goals/:id — must be checked before POST/PATCH/DELETE goalMatch
+    const goalIdOnlyMatch = pathname.match(/^\/api\/hbo\/goals\/([^/]+)$/);
+    if (method === 'GET' && goalIdOnlyMatch) {
+      await handleGetBusinessGoal(req, res, ctx, decodeURIComponent(goalIdOnlyMatch[1]));
+      return true;
+    }
+
+    // POST /api/hbo/goals
+    if (method === 'POST' && pathname === '/api/hbo/goals') {
+      await handleCreateBusinessGoal(req, res, ctx);
+      return true;
+    }
+
+    // PATCH/DELETE /api/hbo/goals/:id
+    const goalMatch = pathname.match(/^\/api\/hbo\/goals\/(.+)$/);
+    if (method === 'PATCH' && goalMatch) {
+      await handleUpdateBusinessGoal(req, res, ctx, decodeURIComponent(goalMatch[1]));
+      return true;
+    }
+    if (method === 'DELETE' && goalMatch) {
+      await handleDeleteBusinessGoal(req, res, ctx, decodeURIComponent(goalMatch[1]));
+      return true;
+    }
+
     // GET /api/hbo/triage-summary
     if (method === 'GET' && pathname === '/api/hbo/triage-summary') {
       await handleGetTriageSummary(req, res, ctx);
@@ -2896,6 +3314,127 @@ module.exports = function createHBORouter(handlers) {
       return true;
     }
 
+    // ── T3-01: POST /api/hbo/pillar/:id/l2content — L2 research agent submits strategy ──────
+    const pillarL2ContentMatch = pathname.match(/^\/api\/hbo\/pillar\/([^/]+)\/l2content$/);
+    if (method === 'POST' && pillarL2ContentMatch) {
+      const pillarId = decodeURIComponent(pillarL2ContentMatch[1]);
+      const cid = ctx.cid;
+      const mgQuery = ctx.mgQuery;
+      if (!mgQuery) { jsonErr(res, 503, 'Memgraph not connected'); return true; }
+      try {
+        const body = await readBody(req);
+        if (!assertValidBody(body, res)) return true;
+        const { l2Strategy, l2Content } = body || {};
+        if (!l2Strategy && !l2Content) { jsonErr(res, 400, 'l2Strategy or l2Content required'); return true; }
+        const r = await mgQuery(
+          `MATCH (gp:GoalPillar {id: $pillarId, companyId: $cid})
+           SET gp.l2Strategy = COALESCE($l2Strategy, gp.l2Strategy),
+               gp.l2Content = COALESCE($l2Content, gp.l2Content),
+               gp.l2ReviewStatus = 'pending_review',
+               gp.updatedAt = datetime()
+           RETURN gp.id AS id`,
+          { pillarId, cid, l2Strategy: l2Strategy ? String(l2Strategy) : null, l2Content: l2Content ? String(l2Content) : null }
+        );
+        if (!parseRows(r).length) { jsonErr(res, 404, `GoalPillar ${pillarId} not found`); return true; }
+        jsonOk(res, { ok: true, pillarId, l2ReviewStatus: 'pending_review' });
+      } catch (e) { jsonErr(res, 500, `l2content submit failed: ${safeErrMsg(e)}`); }
+      return true;
+    }
+
+    // ── T3-02: POST /api/hbo/pillar/:id/l2review — CEO agent reviews L2 content ────────────
+    const pillarL2ReviewMatch = pathname.match(/^\/api\/hbo\/pillar\/([^/]+)\/l2review$/);
+    if (method === 'POST' && pillarL2ReviewMatch) {
+      const pillarId = decodeURIComponent(pillarL2ReviewMatch[1]);
+      const cid = ctx.cid;
+      const mgQuery = ctx.mgQuery;
+      if (!mgQuery) { jsonErr(res, 503, 'Memgraph not connected'); return true; }
+      try {
+        const body = await readBody(req);
+        if (!assertValidBody(body, res)) return true;
+        const { verdict, reviewCritique, goalId, agentId } = body || {};
+        if (!verdict || !['pass', 'fail'].includes(verdict)) { jsonErr(res, 400, 'verdict must be "pass" or "fail"'); return true; }
+        if (verdict === 'pass') {
+          await mgQuery(
+            `MATCH (gp:GoalPillar {id: $pillarId, companyId: $cid})
+             SET gp.l2ReviewStatus = 'approved', gp.l2ReviewedAt = datetime()
+             RETURN gp.id`,
+            { pillarId, cid }
+          );
+          jsonOk(res, { ok: true, pillarId, verdict: 'pass' });
+        } else {
+          // FAIL: increment cycle count, re-dispatch L2 research with critique
+          const cycleResult = await mgQuery(
+            `MATCH (gp:GoalPillar {id: $pillarId, companyId: $cid})
+             SET gp.l2ReviewStatus = 'revision_needed',
+                 gp.l2ReviewCycles = COALESCE(toInteger(gp.l2ReviewCycles), 0) + 1
+             RETURN gp.l2ReviewCycles AS cycles, gp.goalId AS goalId`,
+            { pillarId, cid }
+          );
+          const cycleRow = parseRows(cycleResult)[0];
+          const resolvedGoalId = goalId || (cycleRow && (cycleRow['cycles'] !== undefined ? null : cycleRow['goalId'])) || null;
+          const cycles = cycleRow ? Number(cycleRow['cycles'] ?? 1) : 1;
+          if (cycles < 3 && resolvedGoalId && agentId) {
+            try {
+              const { CascadeResearchDispatcher } = require('../lib/harada/cascade-research-dispatcher');
+              const crd = new CascadeResearchDispatcher(mgQuery, cid);
+              await crd.dispatchL2Research(pillarId, resolvedGoalId, cid, agentId, reviewCritique || '');
+            } catch (dispErr) {
+              process.stderr.write(`[hbo] l2review: re-dispatch failed: ${safeErrMsg(dispErr)}\n`);
+            }
+          }
+          jsonOk(res, { ok: true, pillarId, verdict: 'fail', cycles });
+        }
+      } catch (e) { jsonErr(res, 500, `l2review failed: ${safeErrMsg(e)}`); }
+      return true;
+    }
+
+    // ── T3-03: POST /api/hbo/action-cell/:id/l3content — L3 research agent submits ──────────
+    const cellL3ContentMatch = pathname.match(/^\/api\/hbo\/action-cell\/([^/]+)\/l3content$/);
+    if (method === 'POST' && cellL3ContentMatch) {
+      const cellId = decodeURIComponent(cellL3ContentMatch[1]);
+      const cid = ctx.cid;
+      const mgQuery = ctx.mgQuery;
+      if (!mgQuery) { jsonErr(res, 503, 'Memgraph not connected'); return true; }
+      try {
+        const body = await readBody(req);
+        if (!assertValidBody(body, res)) return true;
+        const { l3Plan, l3Content } = body || {};
+        if (!l3Plan && !l3Content) { jsonErr(res, 400, 'l3Plan or l3Content required'); return true; }
+        const r = await mgQuery(
+          `MATCH (ac:ActionCell {id: $cellId, companyId: $cid})
+           SET ac.l3Plan = COALESCE($l3Plan, ac.l3Plan),
+               ac.l3Content = COALESCE($l3Content, ac.l3Content),
+               ac.l3ReviewStatus = 'pending_review',
+               ac.updatedAt = datetime()
+           RETURN ac.id AS id`,
+          { cellId, cid, l3Plan: l3Plan ? String(l3Plan) : null, l3Content: l3Content ? String(l3Content) : null }
+        );
+        if (!parseRows(r).length) { jsonErr(res, 404, `ActionCell ${cellId} not found`); return true; }
+        jsonOk(res, { ok: true, cellId, l3ReviewStatus: 'pending_review' });
+      } catch (e) { jsonErr(res, 500, `l3content submit failed: ${safeErrMsg(e)}`); }
+      return true;
+    }
+
+    // ── T3-03b: POST /api/hbo/action-cell/:id/l3review — dept head reviews L3 content ───────
+    const cellL3ReviewMatch = pathname.match(/^\/api\/hbo\/action-cell\/([^/]+)\/l3review$/);
+    if (method === 'POST' && cellL3ReviewMatch) {
+      const cellId = decodeURIComponent(cellL3ReviewMatch[1]);
+      const cid = ctx.cid;
+      const mgQuery = ctx.mgQuery;
+      if (!mgQuery) { jsonErr(res, 503, 'Memgraph not connected'); return true; }
+      try {
+        const body = await readBody(req);
+        if (!assertValidBody(body, res)) return true;
+        const { verdict, reviewCritique } = body || {};
+        if (!verdict || !['pass', 'fail'].includes(verdict)) { jsonErr(res, 400, 'verdict must be "pass" or "fail"'); return true; }
+        const { CascadeJudge } = require('../lib/harada/cascade-judge');
+        const judge = new CascadeJudge(mgQuery, cid);
+        const result = await judge.judgeL3(cellId);
+        jsonOk(res, { ok: true, cellId, verdict: result.verdict, critique: result.critique });
+      } catch (e) { jsonErr(res, 500, `l3review failed: ${safeErrMsg(e)}`); }
+      return true;
+    }
+
     // GET /api/hbo/metrics — ProcessMetrics and ControlChartSignals
     if (method === 'GET' && pathname === '/api/hbo/metrics') {
       await handleGetMetrics(req, res, ctx);
@@ -3053,11 +3592,17 @@ module.exports = function createHBORouter(handlers) {
       return true;
     }
 
-    // GET /api/hbo/command-center — aggregated snapshot for dashboard
-    if (method === 'GET' && pathname === '/api/hbo/command-center') {
-      await handleGetCommandCenter(req, res, ctx);
-      return true;
-    }
+     // GET /api/hbo/blocked-work — P9A: tasks stopped due to a blocker
+     if (method === 'GET' && pathname === '/api/hbo/blocked-work') {
+       await handleGetBlockedWork(req, res, ctx);
+       return true;
+     }
+
+     // GET /api/hbo/command-center — aggregated snapshot for dashboard
+     if (method === 'GET' && pathname === '/api/hbo/command-center') {
+       await handleGetCommandCenter(req, res, ctx);
+       return true;
+     }
 
     // GET /api/hbo/decisions/timeline — unified historical decisions timeline
     if (method === 'GET' && pathname === '/api/hbo/decisions/timeline') {
@@ -3065,6 +3610,21 @@ module.exports = function createHBORouter(handlers) {
       return true;
     }
 
-    return false;
-  };
-};
+    // G-01: Budget Policy CRUD
+    if (method === 'POST' && pathname === '/api/budget-policies') {
+      await handleCreateBudgetPolicy(req, res, ctx);
+      return true;
+    }
+    const budgetPolicyMatch = pathname.match(/^\/api\/budget-policies\/([^/]+)$/);
+    if (budgetPolicyMatch) {
+      if (method === 'PATCH') { await handleUpdateBudgetPolicy(req, res, ctx, budgetPolicyMatch[1]); return true; }
+      if (method === 'DELETE') { await handleDeleteBudgetPolicy(req, res, ctx, budgetPolicyMatch[1]); return true; }
+    }
+    if (method === 'GET' && pathname === '/api/budget-incidents') {
+      await handleGetBudgetIncidents(req, res, ctx);
+      return true;
+    }
+
+     return false;
+   };
+};