bopodev-api 0.1.12 → 0.1.13

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bopodev-api",
-  "version": "0.1.12",
+  "version": "0.1.13",
   "license": "MIT",
   "type": "module",
   "files": [
@@ -13,16 +13,18 @@
     "dotenv": "^17.0.1",
     "drizzle-orm": "^0.44.5",
     "express": "^5.1.0",
+    "multer": "^2.1.1",
     "nanoid": "^5.1.5",
     "ws": "^8.19.0",
     "zod": "^4.1.5",
-    "bopodev-contracts": "0.1.12",
-    "bopodev-db": "0.1.12",
-    "bopodev-agent-sdk": "0.1.12"
+    "bopodev-contracts": "0.1.13",
+    "bopodev-agent-sdk": "0.1.13",
+    "bopodev-db": "0.1.13"
   },
   "devDependencies": {
     "@types/cors": "^2.8.19",
     "@types/express": "^5.0.3",
+    "@types/multer": "^2.1.0",
     "@types/ws": "^8.18.1",
     "tsx": "^4.20.5"
   },

package/src/app.ts

@@ -13,6 +13,7 @@ import { createHeartbeatRouter } from "./routes/heartbeats";
 import { createIssuesRouter } from "./routes/issues";
 import { createObservabilityRouter } from "./routes/observability";
 import { createProjectsRouter } from "./routes/projects";
+import { createPluginsRouter } from "./routes/plugins";
 import { sendError } from "./http";
 import { attachRequestActor } from "./middleware/request-actor";
 
@@ -62,6 +63,7 @@ export function createApp(ctx: AppContext) {
   app.use("/governance", createGovernanceRouter(ctx));
   app.use("/heartbeats", createHeartbeatRouter(ctx));
   app.use("/observability", createObservabilityRouter(ctx));
+  app.use("/plugins", createPluginsRouter(ctx));
 
   app.use((error: unknown, _req: Request, res: Response, _next: NextFunction) => {
     if (error instanceof RepositoryValidationError) {

package/src/lib/instance-paths.ts

@@ -62,6 +62,18 @@ export function resolveAgentFallbackWorkspacePath(companyId: string, agentId: st
   return join(resolveBopoInstanceRoot(), "workspaces", companyId, "agents", agentId);
 }
 
+export function resolveAgentMemoryRootPath(companyId: string, agentId: string) {
+  return join(resolveAgentFallbackWorkspacePath(companyId, agentId), "memory");
+}
+
+export function resolveAgentDurableMemoryPath(companyId: string, agentId: string) {
+  return join(resolveAgentMemoryRootPath(companyId, agentId), "life");
+}
+
+export function resolveAgentDailyMemoryPath(companyId: string, agentId: string) {
+  return join(resolveAgentMemoryRootPath(companyId, agentId), "memory");
+}
+
 export function resolveStorageRoot() {
   return join(resolveBopoInstanceRoot(), "data", "storage");
 }

package/src/lib/opencode-model.ts

@@ -0,0 +1,35 @@
+import { getAdapterModels } from "bopodev-agent-sdk";
+import type { NormalizedRuntimeConfig } from "./agent-config";
+
+export async function resolveOpencodeRuntimeModel(
+  providerType: string,
+  runtimeConfig: NormalizedRuntimeConfig
+): Promise<string | undefined> {
+  if (providerType !== "opencode") {
+    return runtimeConfig.runtimeModel;
+  }
+  if (runtimeConfig.runtimeModel?.trim()) {
+    return runtimeConfig.runtimeModel.trim();
+  }
+
+  const configured =
+    process.env.BOPO_OPENCODE_MODEL?.trim() ||
+    process.env.OPENCODE_MODEL?.trim() ||
+    undefined;
+  try {
+    const discovered = await getAdapterModels("opencode", {
+      command: runtimeConfig.runtimeCommand,
+      cwd: runtimeConfig.runtimeCwd,
+      env: runtimeConfig.runtimeEnv
+    });
+    if (configured && discovered.some((entry) => entry.id === configured)) {
+      return configured;
+    }
+    if (discovered.length > 0) {
+      return discovered[0]!.id;
+    }
+  } catch {
+    // Fall back to configured env default when discovery is unavailable.
+  }
+  return configured;
+}

package/src/lib/workspace-policy.ts

@@ -5,6 +5,7 @@ import {
   isInsidePath,
   normalizeAbsolutePath,
   resolveAgentFallbackWorkspacePath,
+  resolveAgentMemoryRootPath,
   resolveCompanyProjectsWorkspacePath
 } from "./instance-paths";
 
@@ -73,3 +74,7 @@ export function ensureRuntimeWorkspaceCompatible(projectWorkspacePath: string, r
 export function resolveAgentFallbackWorkspace(companyId: string, agentId: string) {
   return resolveAgentFallbackWorkspacePath(companyId, agentId);
 }
+
+export function resolveAgentMemoryRoot(companyId: string, agentId: string) {
+  return resolveAgentMemoryRootPath(companyId, agentId);
+}

package/src/realtime/heartbeat-runs.ts

@@ -0,0 +1,78 @@
+import type {
+  HeartbeatRunRealtimeEvent,
+  RealtimeEventEnvelope,
+  RealtimeMessage
+} from "bopodev-contracts";
+import { listHeartbeatRunMessagesForRuns, listHeartbeatRuns, type BopoDb } from "bopodev-db";
+
+export function createHeartbeatRunsRealtimeEvent(
+  companyId: string,
+  event: HeartbeatRunRealtimeEvent
+): Extract<RealtimeMessage, { kind: "event" }> {
+  return createRealtimeEvent(companyId, {
+    channel: "heartbeat-runs",
+    event
+  });
+}
+
+export async function loadHeartbeatRunsRealtimeSnapshot(
+  db: BopoDb,
+  companyId: string
+): Promise<Extract<RealtimeMessage, { kind: "event" }>> {
+  const runs = await listHeartbeatRuns(db, companyId, 8);
+  const transcriptsByRunId = await listHeartbeatRunMessagesForRuns(db, {
+    companyId,
+    runIds: runs.map((run) => run.id),
+    perRunLimit: 60
+  });
+  const transcripts = runs.map((run) => {
+    const result = transcriptsByRunId.get(run.id) ?? { items: [], nextCursor: null };
+    return {
+      runId: run.id,
+      messages: result.items.map((message) => ({
+        id: message.id,
+        runId: message.runId,
+        sequence: message.sequence,
+        kind: message.kind as
+          | "system"
+          | "assistant"
+          | "thinking"
+          | "tool_call"
+          | "tool_result"
+          | "result"
+          | "stderr",
+        label: message.label,
+        text: message.text,
+        payload: message.payloadJson,
+        signalLevel: (message.signalLevel as "high" | "medium" | "low" | "noise" | null) ?? undefined,
+        groupKey: message.groupKey,
+        source: (message.source as "stdout" | "stderr" | "trace_fallback" | null) ?? undefined,
+        createdAt: message.createdAt.toISOString()
+      })),
+      nextCursor: result.nextCursor
+    };
+  });
+
+  return createHeartbeatRunsRealtimeEvent(companyId, {
+    type: "runs.snapshot",
+    runs: runs.map((run) => ({
+      runId: run.id,
+      status: run.status as "started" | "completed" | "failed" | "skipped",
+      message: run.message ?? null,
+      startedAt: run.startedAt.toISOString(),
+      finishedAt: run.finishedAt?.toISOString() ?? null
+    })),
+    transcripts
+  });
+}
+
+function createRealtimeEvent(
+  companyId: string,
+  envelope: Extract<RealtimeEventEnvelope, { channel: "heartbeat-runs" }>
+): Extract<RealtimeMessage, { kind: "event" }> {
+  return {
+    kind: "event",
+    companyId,
+    ...envelope
+  };
+}

package/src/realtime/hub.ts

@@ -25,7 +25,7 @@ export function attachRealtimeHub(
 
   wss.on("connection", async (socket, request) => {
     const subscription = getSubscription(request.url);
-    if (!subscription) {
+    if (!subscription || !canSubscribeToCompany(request.headers, subscription.companyId)) {
       socket.close(1008, "Invalid realtime subscription");
       return;
     }
@@ -131,6 +131,42 @@ function getSubscription(requestUrl: string | undefined) {
   };
 }
 
+function canSubscribeToCompany(
+  headers: Record<string, string | string[] | undefined>,
+  companyId: string
+) {
+  const actorType = readHeader(headers, "x-actor-type")?.toLowerCase();
+  const actorCompanies = parseCommaList(readHeader(headers, "x-actor-companies"));
+  const hasActorHeaders = Boolean(actorType || actorCompanies.length > 0);
+  const allowLocalBoardFallback = process.env.NODE_ENV !== "production" && process.env.BOPO_ALLOW_LOCAL_BOARD_FALLBACK !== "0";
+
+  if (!hasActorHeaders) {
+    return allowLocalBoardFallback;
+  }
+  if (actorType === "board") {
+    return true;
+  }
+  return actorCompanies.includes(companyId);
+}
+
+function readHeader(headers: Record<string, string | string[] | undefined>, name: string) {
+  const value = headers[name];
+  if (Array.isArray(value)) {
+    return value[0];
+  }
+  return value;
+}
+
+function parseCommaList(value: string | undefined) {
+  if (!value) {
+    return [] as string[];
+  }
+  return value
+    .split(",")
+    .map((entry) => entry.trim())
+    .filter((entry) => entry.length > 0);
+}
+
 function buildSubscriptionKey(companyId: string, channel: RealtimeChannel) {
   return `${companyId}:${channel}`;
 }

package/src/realtime/office-space.ts

@@ -427,7 +427,16 @@ function sortOccupants(occupants: OfficeOccupant[]) {
 }
 
 function normalizeProviderType(value: string): OfficeOccupant["providerType"] {
-  return value === "claude_code" || value === "codex" || value === "http" || value === "shell" ? value : null;
+  return value === "claude_code" ||
+    value === "codex" ||
+    value === "cursor" ||
+    value === "opencode" ||
+    value === "openai_api" ||
+    value === "anthropic_api" ||
+    value === "http" ||
+    value === "shell"
+    ? value
+    : null;
 }
 
 function formatActionLabel(action: string) {

package/src/routes/agents.ts

@@ -14,6 +14,7 @@ import {
   deleteAgent,
   getApprovalRequest,
   listAgents,
+  listApprovalRequests,
   updateAgent
 } from "bopodev-db";
 import type { AppContext } from "../context";
@@ -25,6 +26,7 @@ import {
   runtimeConfigToDb,
   runtimeConfigToStateBlobPatch
 } from "../lib/agent-config";
+import { resolveOpencodeRuntimeModel } from "../lib/opencode-model";
 import { hasText, resolveDefaultRuntimeCwdForCompany } from "../lib/workspace-policy";
 import { requireCompanyScope } from "../middleware/company-scope";
 import { requireBoardRole, requirePermission } from "../middleware/request-actor";
@@ -63,7 +65,16 @@ const updateAgentSchema = AgentUpdateRequestSchema.extend({
 });
 
 const runtimePreflightSchema = z.object({
-  providerType: z.enum(["claude_code", "codex", "cursor", "opencode", "http", "shell"]),
+  providerType: z.enum([
+    "claude_code",
+    "codex",
+    "cursor",
+    "opencode",
+    "openai_api",
+    "anthropic_api",
+    "http",
+    "shell"
+  ]),
   runtimeConfig: z.record(z.string(), z.unknown()).optional(),
   ...legacyRuntimeConfigSchema.shape
 });
@@ -143,7 +154,15 @@ export function createAgentsRouter(ctx: AppContext) {
       runtimeConfig: req.body?.runtimeConfig,
       defaultRuntimeCwd
     });
-    const typedProviderType = providerType as "claude_code" | "codex" | "cursor" | "opencode" | "http" | "shell";
+    const typedProviderType = providerType as
+      | "claude_code"
+      | "codex"
+      | "cursor"
+      | "opencode"
+      | "openai_api"
+      | "anthropic_api"
+      | "http"
+      | "shell";
     const models = await getAdapterModels(typedProviderType, {
       command: runtimeConfig.runtimeCommand,
       args: runtimeConfig.runtimeArgs,
@@ -245,6 +264,7 @@ export function createAgentsRouter(ctx: AppContext) {
       },
       defaultRuntimeCwd
     });
+    runtimeConfig.runtimeModel = await resolveOpencodeRuntimeModel(parsed.data.providerType, runtimeConfig);
     if (requiresRuntimeCwd(parsed.data.providerType) && !hasText(runtimeConfig.runtimeCwd)) {
       return sendError(res, "Runtime working directory is required for this runtime provider.", 422);
     }
@@ -253,6 +273,19 @@ export function createAgentsRouter(ctx: AppContext) {
     }
 
     if (parsed.data.requestApproval && isApprovalRequired("hire_agent")) {
+      const duplicate = await findDuplicateHireRequest(ctx.db, req.companyId!, {
+        role: parsed.data.role,
+        managerAgentId: parsed.data.managerAgentId ?? null
+      });
+      if (duplicate) {
+        return sendOk(res, {
+          queuedForApproval: false,
+          duplicate: true,
+          existingAgentId: duplicate.existingAgentId ?? null,
+          pendingApprovalId: duplicate.pendingApprovalId ?? null,
+          message: duplicateMessage(duplicate)
+        });
+      }
       const approvalId = await createApprovalRequest(ctx.db, {
         companyId: req.companyId!,
         action: "hire_agent",
@@ -363,6 +396,7 @@ export function createAgentsRouter(ctx: AppContext) {
           })
         : {})
     };
+    nextRuntime.runtimeModel = await resolveOpencodeRuntimeModel(effectiveProviderType, nextRuntime);
     if (!nextRuntime.runtimeCwd && defaultRuntimeCwd) {
       nextRuntime.runtimeCwd = defaultRuntimeCwd;
     }
@@ -522,3 +556,56 @@ function listUnsupportedAgentUpdateKeys(payload: unknown) {
   }
   return unsupported;
 }
+
+async function findDuplicateHireRequest(
+  db: AppContext["db"],
+  companyId: string,
+  input: { role: string; managerAgentId: string | null }
+) {
+  const role = input.role.trim();
+  const managerAgentId = input.managerAgentId ?? null;
+  const agents = await listAgents(db, companyId);
+  const existingAgent = agents.find(
+    (agent) =>
+      agent.role === role &&
+      (agent.managerAgentId ?? null) === managerAgentId &&
+      agent.status !== "terminated"
+  );
+  const approvals = await listApprovalRequests(db, companyId);
+  const pendingApproval = approvals.find((approval) => {
+    if (approval.status !== "pending" || approval.action !== "hire_agent") {
+      return false;
+    }
+    const payload = parseApprovalPayload(approval.payloadJson);
+    return payload.role === role && (payload.managerAgentId ?? null) === managerAgentId;
+  });
+  if (!existingAgent && !pendingApproval) {
+    return null;
+  }
+  return {
+    existingAgentId: existingAgent?.id ?? null,
+    pendingApprovalId: pendingApproval?.id ?? null
+  };
+}
+
+function parseApprovalPayload(payloadJson: string): { role?: string; managerAgentId?: string | null } {
+  try {
+    const parsed = JSON.parse(payloadJson) as Record<string, unknown>;
+    return {
+      role: typeof parsed.role === "string" ? parsed.role : undefined,
+      managerAgentId: typeof parsed.managerAgentId === "string" ? parsed.managerAgentId : null
+    };
+  } catch {
+    return {};
+  }
+}
+
+function duplicateMessage(input: { existingAgentId: string | null; pendingApprovalId: string | null }) {
+  if (input.existingAgentId && input.pendingApprovalId) {
+    return `Duplicate hire request blocked: existing agent ${input.existingAgentId} and pending approval ${input.pendingApprovalId}.`;
+  }
+  if (input.existingAgentId) {
+    return `Duplicate hire request blocked: existing agent ${input.existingAgentId}.`;
+  }
+  return `Duplicate hire request blocked: pending approval ${input.pendingApprovalId}.`;
+}

package/src/routes/companies.ts

@@ -3,6 +3,7 @@ import { z } from "zod";
 import { createCompany, deleteCompany, listCompanies, updateCompany } from "bopodev-db";
 import type { AppContext } from "../context";
 import { sendError, sendOk } from "../http";
+import { ensureCompanyBuiltinPluginDefaults } from "../services/plugin-runtime";
 
 const createCompanySchema = z.object({
   name: z.string().min(1),
@@ -30,6 +31,7 @@ export function createCompaniesRouter(ctx: AppContext) {
       return sendError(res, parsed.error.message, 422);
     }
     const company = await createCompany(ctx.db, parsed.data);
+    await ensureCompanyBuiltinPluginDefaults(ctx.db, company.id);
     return sendOk(res, company);
   });
 

package/src/routes/governance.ts

@@ -163,11 +163,18 @@ export function createGovernanceRouter(ctx: AppContext) {
     });
 
     if (resolution.execution.applied && resolution.execution.entityType && resolution.execution.entityId) {
+      const eventType =
+        resolution.action === "grant_plugin_capabilities"
+          ? "plugin.capabilities_granted_from_approval"
+          : resolution.execution.entityType === "agent"
+          ? "agent.hired_from_approval"
+          : resolution.execution.entityType === "goal"
+            ? "goal.activated_from_approval"
+            : "memory.promoted_from_approval";
       await appendAuditEvent(ctx.db, {
         companyId: req.companyId!,
         actorType: "human",
-        eventType:
-          resolution.execution.entityType === "agent" ? "agent.hired_from_approval" : "goal.activated_from_approval",
+        eventType,
         entityType: resolution.execution.entityType,
         entityId: resolution.execution.entityId,
         payload: resolution.execution.entity ?? { id: resolution.execution.entityId }

package/src/routes/heartbeats.ts

@@ -79,7 +79,8 @@ export function createHeartbeatRouter(ctx: AppContext) {
     const stopResult = await stopHeartbeatRun(ctx.db, req.companyId!, parsed.data.runId, {
       requestId: req.requestId,
       trigger: "manual",
-      actorId: req.actor?.id ?? undefined
+      actorId: req.actor?.id ?? undefined,
+      realtimeHub: ctx.realtimeHub
     });
     if (!stopResult.ok) {
       if (stopResult.reason === "not_found") {