bopodev-api 0.1.18 → 0.1.21

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bopodev-api",
-  "version": "0.1.18",
+  "version": "0.1.21",
   "license": "MIT",
   "type": "module",
   "files": [
@@ -17,9 +17,9 @@
     "nanoid": "^5.1.5",
     "ws": "^8.19.0",
     "zod": "^4.1.5",
-    "bopodev-agent-sdk": "0.1.18",
-    "bopodev-db": "0.1.18",
-    "bopodev-contracts": "0.1.18"
+    "bopodev-agent-sdk": "0.1.21",
+    "bopodev-db": "0.1.21",
+    "bopodev-contracts": "0.1.21"
   },
   "devDependencies": {
     "@types/cors": "^2.8.19",

package/src/lib/ceo-bootstrap-prompt.ts

@@ -0,0 +1,12 @@
+export function buildDefaultCeoBootstrapPrompt() {
+  return [
+    "You are the CEO agent responsible for organization design and hiring quality.",
+    "When a delegated request asks you to create an agent:",
+    "- Clarify missing constraints before hiring when requirements are ambiguous.",
+    "- Choose reporting lines, provider, model, and permissions that fit company goals and budget.",
+    "- Use governance-safe hiring via `POST /agents` with `requestApproval: true` unless explicitly told otherwise.",
+    "- Avoid duplicate hires by checking existing agents and pending approvals first.",
+    "- Use the control-plane coordination skill as the source of truth for endpoint paths, required headers, and approval workflow steps.",
+    "- Record hiring rationale and key decisions in issue comments for auditability."
+  ].join("\n");
+}

package/src/lib/hiring-delegate.ts

@@ -0,0 +1,60 @@
+type AgentLike = {
+  id: string;
+  name: string;
+  role: string;
+  status: string;
+  canHireAgents?: boolean | null;
+};
+
+export type HiringDelegateResolution =
+  | {
+      delegate: {
+        agentId: string;
+        name: string;
+        role: string;
+      };
+      reason: "ceo_with_hiring_capability" | "first_hiring_capable_agent";
+    }
+  | {
+      delegate: null;
+      reason: "no_hiring_capable_agent";
+    };
+
+export function resolveHiringDelegate(agents: AgentLike[]): HiringDelegateResolution {
+  const eligible = agents
+    .filter((agent) => agent.status !== "terminated")
+    .filter((agent) => Boolean(agent.canHireAgents));
+  if (eligible.length === 0) {
+    return {
+      delegate: null,
+      reason: "no_hiring_capable_agent"
+    };
+  }
+  const normalized = eligible.map((agent) => ({
+    ...agent,
+    normalizedRole: agent.role.trim().toLowerCase(),
+    normalizedName: agent.name.trim().toLowerCase()
+  }));
+  const ceo =
+    normalized.find((agent) => agent.normalizedRole === "ceo") ??
+    normalized.find((agent) => agent.normalizedName === "ceo");
+  if (ceo) {
+    return {
+      delegate: {
+        agentId: ceo.id,
+        name: ceo.name,
+        role: ceo.role
+      },
+      reason: "ceo_with_hiring_capability"
+    };
+  }
+  const fallback = [...normalized].sort((a, b) => a.name.localeCompare(b.name) || a.id.localeCompare(b.id))[0]!;
+  return {
+    delegate: {
+      agentId: fallback.id,
+      name: fallback.name,
+      role: fallback.role
+    },
+    reason: "first_hiring_capable_agent"
+  };
+}

package/src/routes/agents.ts

@@ -27,6 +27,7 @@ import {
   runtimeConfigToDb,
   runtimeConfigToStateBlobPatch
 } from "../lib/agent-config";
+import { resolveHiringDelegate } from "../lib/hiring-delegate";
 import { resolveOpencodeRuntimeModel } from "../lib/opencode-model";
 import { assertRuntimeCwdForCompany, hasText, resolveDefaultRuntimeCwdForCompany } from "../lib/workspace-policy";
 import { requireCompanyScope } from "../middleware/company-scope";
@@ -147,6 +148,53 @@ export function createAgentsRouter(ctx: AppContext) {
     );
   });
 
+  router.get("/hiring-delegate", async (req, res) => {
+    const rows = await listAgents(ctx.db, req.companyId!);
+    const resolution = resolveHiringDelegate(
+      rows.map((row) => ({
+        id: row.id,
+        name: row.name,
+        role: row.role,
+        status: row.status,
+        canHireAgents: row.canHireAgents
+      }))
+    );
+    return sendOk(res, {
+      delegate: resolution.delegate,
+      reason: resolution.reason
+    });
+  });
+
+  router.get("/leadership-diagnostics", async (req, res) => {
+    const rows = await listAgents(ctx.db, req.companyId!);
+    return sendOk(
+      res,
+      rows.map((row) => {
+        const normalizedRole = row.role.trim().toLowerCase();
+        const isLeadership = normalizedRole === "ceo" || Boolean(row.canHireAgents);
+        const issues: string[] = [];
+        const hasBootstrapPrompt = hasText(row.bootstrapPrompt);
+        if (isLeadership && !hasBootstrapPrompt) {
+          issues.push("missing_bootstrap_prompt");
+        }
+        if (isLeadership && !providerSupportsSkillInjection(row.providerType)) {
+          issues.push("provider_without_runtime_skill_injection");
+        }
+        return {
+          agentId: row.id,
+          name: row.name,
+          role: row.role,
+          providerType: row.providerType,
+          canHireAgents: Boolean(row.canHireAgents),
+          isLeadership,
+          hasBootstrapPrompt,
+          supportsSkillInjection: providerSupportsSkillInjection(row.providerType),
+          issues
+        };
+      })
+    );
+  });
+
   router.get("/runtime-default-cwd", async (req, res) => {
     let runtimeCwd: string;
     try {
@@ -314,7 +362,9 @@ export function createAgentsRouter(ctx: AppContext) {
       await mkdir(runtimeConfig.runtimeCwd!, { recursive: true });
     }
 
-    if (parsed.data.requestApproval && isApprovalRequired("hire_agent")) {
+    const sourceIssueIds = normalizeSourceIssueIds(parsed.data.sourceIssueId, parsed.data.sourceIssueIds);
+    const shouldRequestApproval = (parsed.data.requestApproval || req.actor?.type === "agent") && isApprovalRequired("hire_agent");
+    if (shouldRequestApproval) {
       const duplicate = await findDuplicateHireRequest(ctx.db, req.companyId!, {
         role: parsed.data.role,
         managerAgentId: parsed.data.managerAgentId ?? null
@@ -330,10 +380,12 @@ export function createAgentsRouter(ctx: AppContext) {
       }
       const approvalId = await createApprovalRequest(ctx.db, {
         companyId: req.companyId!,
+        requestedByAgentId: req.actor?.type === "agent" ? req.actor.id : null,
         action: "hire_agent",
         payload: {
           ...parsed.data,
-          runtimeConfig
+          runtimeConfig,
+          sourceIssueIds
         }
       });
       const approval = await getApprovalRequest(ctx.db, req.companyId!, approvalId);
@@ -361,14 +413,18 @@ export function createAgentsRouter(ctx: AppContext) {
       ...runtimeConfigToDb(runtimeConfig),
       initialState: runtimeConfigToStateBlobPatch(runtimeConfig)
     });
-
+    const auditActor = resolveAuditActor(req.actor);
     await appendAuditEvent(ctx.db, {
       companyId: req.companyId!,
-      actorType: "human",
+      actorType: auditActor.actorType,
+      actorId: auditActor.actorId,
       eventType: "agent.hired",
       entityType: "agent",
       entityId: agent.id,
-      payload: agent
+      payload: {
+        ...agent,
+        sourceIssueIds
+      }
     });
     await publishOfficeOccupantForAgent(ctx.db, ctx.realtimeHub, req.companyId!, agent.id);
     return sendOk(res, toAgentResponse(agent as unknown as Record<string, unknown>));
@@ -398,6 +454,34 @@ export function createAgentsRouter(ctx: AppContext) {
     if (!existingAgent) {
       return sendError(res, "Agent not found.", 404);
     }
+    if (req.actor?.type === "agent") {
+      if (req.actor.id !== req.params.agentId) {
+        return sendError(res, "Agents can only update their own record.", 403);
+      }
+      const forbiddenFieldUpdates: string[] = [];
+      if (parsed.data.canHireAgents !== undefined) {
+        forbiddenFieldUpdates.push("canHireAgents");
+      }
+      if (parsed.data.status !== undefined) {
+        forbiddenFieldUpdates.push("status");
+      }
+      if (parsed.data.monthlyBudgetUsd !== undefined) {
+        forbiddenFieldUpdates.push("monthlyBudgetUsd");
+      }
+      if (parsed.data.providerType !== undefined) {
+        forbiddenFieldUpdates.push("providerType");
+      }
+      if (parsed.data.managerAgentId !== undefined) {
+        forbiddenFieldUpdates.push("managerAgentId");
+      }
+      if (forbiddenFieldUpdates.length > 0) {
+        return sendError(
+          res,
+          `Agents cannot update restricted fields: ${forbiddenFieldUpdates.join(", ")}.`,
+          403
+        );
+      }
+    }
     const defaultRuntimeCwd = await resolveDefaultRuntimeCwdForCompany(ctx.db, req.companyId!);
     const existingRuntime = parseRuntimeConfigFromAgentRow(existingAgent as unknown as Record<string, unknown>);
     const effectiveProviderType = parsed.data.providerType ?? existingAgent.providerType;
@@ -474,9 +558,11 @@ export function createAgentsRouter(ctx: AppContext) {
         return sendError(res, "Agent not found.", 404);
       }
 
+      const auditActor = resolveAuditActor(req.actor);
       await appendAuditEvent(ctx.db, {
         companyId: req.companyId!,
-        actorType: "human",
+        actorType: auditActor.actorType,
+        actorId: auditActor.actorId,
         eventType: "agent.updated",
         entityType: "agent",
         entityId: agent.id,
@@ -499,9 +585,11 @@ export function createAgentsRouter(ctx: AppContext) {
       return sendError(res, "Agent not found.", 404);
     }
 
+    const auditActor = resolveAuditActor(req.actor);
     await appendAuditEvent(ctx.db, {
       companyId: req.companyId!,
-      actorType: "human",
+      actorType: auditActor.actorType,
+      actorId: auditActor.actorId,
       eventType: "agent.deleted",
       entityType: "agent",
       entityId: req.params.agentId,
@@ -524,9 +612,11 @@ export function createAgentsRouter(ctx: AppContext) {
     if (!agent) {
       return sendError(res, "Agent not found.", 404);
     }
+    const auditActor = resolveAuditActor(req.actor);
     await appendAuditEvent(ctx.db, {
       companyId: req.companyId!,
-      actorType: "human",
+      actorType: auditActor.actorType,
+      actorId: auditActor.actorId,
       eventType: "agent.paused",
       entityType: "agent",
       entityId: agent.id,
@@ -549,9 +639,11 @@ export function createAgentsRouter(ctx: AppContext) {
     if (!agent) {
       return sendError(res, "Agent not found.", 404);
     }
+    const auditActor = resolveAuditActor(req.actor);
     await appendAuditEvent(ctx.db, {
       companyId: req.companyId!,
-      actorType: "human",
+      actorType: auditActor.actorType,
+      actorId: auditActor.actorId,
       eventType: "agent.resumed",
       entityType: "agent",
       entityId: agent.id,
@@ -574,9 +666,11 @@ export function createAgentsRouter(ctx: AppContext) {
     if (!agent) {
       return sendError(res, "Agent not found.", 404);
     }
+    const auditActor = resolveAuditActor(req.actor);
     await appendAuditEvent(ctx.db, {
       companyId: req.companyId!,
-      actorType: "human",
+      actorType: auditActor.actorType,
+      actorId: auditActor.actorId,
       eventType: "agent.terminated",
       entityType: "agent",
       entityId: agent.id,
@@ -670,3 +764,28 @@ function duplicateMessage(input: { existingAgentId: string | null; pendingApprov
   }
   return `Duplicate hire request blocked: pending approval ${input.pendingApprovalId}.`;
 }
+
+function normalizeSourceIssueIds(sourceIssueId: string | undefined, sourceIssueIds: string[] | undefined) {
+  const merged = new Set<string>();
+  for (const value of [sourceIssueId, ...(sourceIssueIds ?? [])]) {
+    const normalized = value?.trim();
+    if (normalized) {
+      merged.add(normalized);
+    }
+  }
+  return Array.from(merged);
+}
+
+function providerSupportsSkillInjection(providerType: string) {
+  return providerType === "codex" || providerType === "cursor" || providerType === "opencode" || providerType === "claude_code";
+}
+
+function resolveAuditActor(actor: { type: "board" | "member" | "agent"; id: string } | undefined) {
+  if (!actor) {
+    return { actorType: "human" as const, actorId: null as string | null };
+  }
+  if (actor.type === "agent") {
+    return { actorType: "agent" as const, actorId: actor.id };
+  }
+  return { actorType: "human" as const, actorId: actor.id };
+}

package/src/routes/companies.ts

@@ -1,15 +1,29 @@
+import { mkdir } from "node:fs/promises";
+import type { NextFunction, Request, Response } from "express";
 import { Router } from "express";
 import { z } from "zod";
-import { createCompany, deleteCompany, listCompanies, updateCompany } from "bopodev-db";
+import { createAgent, createCompany, deleteCompany, listCompanies, updateCompany } from "bopodev-db";
 import type { AppContext } from "../context";
 import { sendError, sendOk } from "../http";
+import { normalizeRuntimeConfig, resolveRuntimeModelForProvider, runtimeConfigToDb, runtimeConfigToStateBlobPatch } from "../lib/agent-config";
+import { buildDefaultCeoBootstrapPrompt } from "../lib/ceo-bootstrap-prompt";
+import { resolveOpencodeRuntimeModel } from "../lib/opencode-model";
+import { resolveDefaultRuntimeCwdForCompany } from "../lib/workspace-policy";
+import { canAccessCompany, requireBoardRole, requirePermission } from "../middleware/request-actor";
 import { ensureCompanyModelPricingDefaults } from "../services/model-pricing";
 import { ensureCompanyBuiltinPluginDefaults } from "../services/plugin-runtime";
 import { ensureCompanyBuiltinTemplateDefaults } from "../services/template-catalog";
 
+const DEFAULT_AGENT_PROVIDER_ENV = "BOPO_DEFAULT_AGENT_PROVIDER";
+const DEFAULT_AGENT_MODEL_ENV = "BOPO_DEFAULT_AGENT_MODEL";
+
 const createCompanySchema = z.object({
   name: z.string().min(1),
-  mission: z.string().optional()
+  mission: z.string().optional(),
+  providerType: z
+    .enum(["codex", "claude_code", "cursor", "gemini_cli", "opencode", "openai_api", "anthropic_api", "shell"])
+    .optional(),
+  runtimeModel: z.string().optional()
 });
 
 const updateCompanySchema = z
@@ -22,38 +36,98 @@ const updateCompanySchema = z
 export function createCompaniesRouter(ctx: AppContext) {
   const router = Router();
 
-  router.get("/", async (_req, res) => {
+  router.get("/", async (req, res) => {
     const companies = await listCompanies(ctx.db);
-    return sendOk(res, companies);
+    if (req.actor?.type === "board") {
+      return sendOk(res, companies);
+    }
+    const visibleCompanyIds = new Set(req.actor?.companyIds ?? []);
+    return sendOk(
+      res,
+      companies.filter((company) => visibleCompanyIds.has(company.id))
+    );
   });
 
-  router.post("/", async (req, res) => {
+  router.post("/", requireBoardRole, async (req, res) => {
     const parsed = createCompanySchema.safeParse(req.body);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);
     }
     const company = await createCompany(ctx.db, parsed.data);
+    const providerType =
+      parseAgentProvider(parsed.data.providerType) ??
+      parseAgentProvider(process.env[DEFAULT_AGENT_PROVIDER_ENV]) ??
+      "shell";
+    const defaultRuntimeCwd = await resolveDefaultRuntimeCwdForCompany(ctx.db, company.id);
+    await mkdir(defaultRuntimeCwd, { recursive: true });
+    const requestedModel = parsed.data.runtimeModel?.trim() || process.env[DEFAULT_AGENT_MODEL_ENV]?.trim() || undefined;
+    const resolvedRuntimeModel = resolveRuntimeModelForProvider(
+      providerType,
+      await resolveOpencodeRuntimeModel(
+        providerType,
+        normalizeRuntimeConfig({
+          defaultRuntimeCwd,
+          runtimeConfig: {
+            runtimeModel: requestedModel,
+            runtimeEnv: resolveSeedRuntimeEnv(providerType)
+          }
+        })
+      )
+    );
+    const defaultRuntimeConfig = normalizeRuntimeConfig({
+      defaultRuntimeCwd,
+      runtimeConfig: {
+        runtimeModel: resolvedRuntimeModel,
+        bootstrapPrompt: buildDefaultCeoBootstrapPrompt(),
+        runtimeEnv: resolveSeedRuntimeEnv(providerType),
+        ...(providerType === "shell"
+          ? {
+              runtimeCommand: "echo",
+              runtimeArgs: ["ceo bootstrap heartbeat"]
+            }
+          : {})
+      }
+    });
+    await createAgent(ctx.db, {
+      companyId: company.id,
+      role: "CEO",
+      name: "CEO",
+      providerType,
+      heartbeatCron: "*/5 * * * *",
+      monthlyBudgetUsd: "100.0000",
+      canHireAgents: true,
+      ...runtimeConfigToDb(defaultRuntimeConfig),
+      initialState: runtimeConfigToStateBlobPatch(defaultRuntimeConfig)
+    });
     await ensureCompanyBuiltinPluginDefaults(ctx.db, company.id);
     await ensureCompanyBuiltinTemplateDefaults(ctx.db, company.id);
     await ensureCompanyModelPricingDefaults(ctx.db, company.id);
     return sendOk(res, company);
   });
 
-  router.put("/:companyId", async (req, res) => {
+  router.put("/:companyId", requireCompanyWriteAccess, async (req, res) => {
     const parsed = updateCompanySchema.safeParse(req.body);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);
     }
 
-    const company = await updateCompany(ctx.db, { id: req.params.companyId, ...parsed.data });
+    const companyId = readCompanyIdParam(req);
+    if (!companyId) {
+      return sendError(res, "Missing company id.", 422);
+    }
+    const company = await updateCompany(ctx.db, { id: companyId, ...parsed.data });
     if (!company) {
       return sendError(res, "Company not found.", 404);
     }
     return sendOk(res, company);
   });
 
-  router.delete("/:companyId", async (req, res) => {
-    const deleted = await deleteCompany(ctx.db, req.params.companyId);
+  router.delete("/:companyId", requireCompanyWriteAccess, async (req, res) => {
+    const companyId = readCompanyIdParam(req);
+    if (!companyId) {
+      return sendError(res, "Missing company id.", 422);
+    }
+    const deleted = await deleteCompany(ctx.db, companyId);
     if (!deleted) {
       return sendError(res, "Company not found.", 404);
     }
@@ -62,3 +136,50 @@ export function createCompaniesRouter(ctx: AppContext) {
 
   return router;
 }
+
+function requireCompanyWriteAccess(req: Request, res: Response, next: NextFunction) {
+  const targetCompanyId = readCompanyIdParam(req);
+  if (!targetCompanyId) {
+    return sendError(res, "Missing company id.", 422);
+  }
+  if (!canAccessCompany(req, targetCompanyId)) {
+    return sendError(res, "Actor does not have access to this company.", 403);
+  }
+  if (req.actor?.type === "board") {
+    next();
+    return;
+  }
+  return requirePermission("companies:write")(req, res, next);
+}
+
+function readCompanyIdParam(req: Request) {
+  return typeof req.params.companyId === "string" ? req.params.companyId : null;
+}
+
+function parseAgentProvider(value: unknown) {
+  if (
+    value === "codex" ||
+    value === "claude_code" ||
+    value === "cursor" ||
+    value === "gemini_cli" ||
+    value === "opencode" ||
+    value === "openai_api" ||
+    value === "anthropic_api" ||
+    value === "shell"
+  ) {
+    return value;
+  }
+  return null;
+}
+
+function resolveSeedRuntimeEnv(providerType: string): Record<string, string> {
+  if (providerType === "codex" || providerType === "openai_api") {
+    const key = (process.env.BOPO_OPENAI_API_KEY ?? process.env.OPENAI_API_KEY)?.trim();
+    return key ? { OPENAI_API_KEY: key } : {};
+  }
+  if (providerType === "claude_code" || providerType === "anthropic_api") {
+    const key = (process.env.BOPO_ANTHROPIC_API_KEY ?? process.env.ANTHROPIC_API_KEY)?.trim();
+    return key ? { ANTHROPIC_API_KEY: key } : {};
+  }
+  return {};
+}

package/src/routes/governance.ts

@@ -159,9 +159,11 @@ export function createGovernanceRouter(ctx: AppContext) {
       throw error;
     }
 
+    const auditActor = resolveAuditActor(req.actor);
     await appendAuditEvent(ctx.db, {
       companyId: req.companyId!,
-      actorType: "human",
+      actorType: auditActor.actorType,
+      actorId: auditActor.actorId,
       eventType: "governance.approval_resolved",
       entityType: "approval_request",
       entityId: parsed.data.approvalId,
@@ -181,7 +183,8 @@ export function createGovernanceRouter(ctx: AppContext) {
             : "memory.promoted_from_approval";
       await appendAuditEvent(ctx.db, {
         companyId: req.companyId!,
-        actorType: "human",
+        actorType: auditActor.actorType,
+        actorId: auditActor.actorId,
         eventType,
         entityType: resolution.execution.entityType,
         entityId: resolution.execution.entityId,
@@ -213,6 +216,16 @@ export function createGovernanceRouter(ctx: AppContext) {
   return router;
 }
 
+function resolveAuditActor(actor: { type: "board" | "member" | "agent"; id: string } | undefined) {
+  if (!actor) {
+    return { actorType: "human" as const, actorId: null as string | null };
+  }
+  if (actor.type === "agent") {
+    return { actorType: "agent" as const, actorId: actor.id };
+  }
+  return { actorType: "human" as const, actorId: actor.id };
+}
+
 function parsePayload(payloadJson: string) {
   try {
     const parsed = JSON.parse(payloadJson) as unknown;

package/src/routes/issues.ts

@@ -37,6 +37,20 @@ const createIssueSchema = z.object({
   parentIssueId: z.string().optional(),
   title: z.string().min(1),
   body: z.string().optional(),
+  metadata: z
+    .object({
+      delegatedHiringIntent: z
+        .object({
+          intentType: z.literal("agent_hiring_request"),
+          requestedRole: z.string().nullable().optional(),
+          requestedName: z.string().nullable().optional(),
+          requestedManagerAgentId: z.string().nullable().optional(),
+          requestedProviderType: z.string().nullable().optional(),
+          requestedRuntimeModel: z.string().nullable().optional()
+        })
+        .optional()
+    })
+    .optional(),
   status: z.enum(["todo", "in_progress", "blocked", "in_review", "done", "canceled"]).default("todo"),
   priority: z.enum(["none", "low", "medium", "high", "urgent"]).default("none"),
   assigneeAgentId: z.string().nullable().optional(),
@@ -165,7 +179,18 @@ export function createIssuesRouter(ctx: AppContext) {
         return sendError(res, assignmentValidation, 422);
       }
     }
-    const issue = await createIssue(ctx.db, { companyId: req.companyId!, ...parsed.data });
+    const issue = await createIssue(ctx.db, {
+      companyId: req.companyId!,
+      projectId: parsed.data.projectId,
+      parentIssueId: parsed.data.parentIssueId,
+      title: parsed.data.title,
+      body: applyIssueMetadataToBody(parsed.data.body, parsed.data.metadata),
+      status: parsed.data.status,
+      priority: parsed.data.priority,
+      assigneeAgentId: parsed.data.assigneeAgentId,
+      labels: parsed.data.labels,
+      tags: parsed.data.tags
+    });
     await appendActivity(ctx.db, {
       companyId: req.companyId!,
       issueId: issue.id,
@@ -618,6 +643,34 @@ export function createIssuesRouter(ctx: AppContext) {
   return router;
 }
 
+function applyIssueMetadataToBody(
+  body: string | undefined,
+  metadata:
+    | {
+        delegatedHiringIntent?: {
+          intentType: "agent_hiring_request";
+          requestedRole?: string | null;
+          requestedName?: string | null;
+          requestedManagerAgentId?: string | null;
+          requestedProviderType?: string | null;
+          requestedRuntimeModel?: string | null;
+        };
+      }
+    | undefined
+) {
+  if (!metadata || Object.keys(metadata).length === 0) {
+    return body;
+  }
+  const metadataBlock = [
+    "",
+    "---",
+    "<!-- bopodev:issue-metadata:v1",
+    JSON.stringify(metadata),
+    "-->"
+  ].join("\n");
+  return `${body ?? ""}${metadataBlock}`.trim();
+}
+
 function parsePayload(payloadJson: string) {
   try {
     const parsed = JSON.parse(payloadJson) as unknown;

package/src/routes/observability.ts

@@ -14,6 +14,7 @@ import {
 import type { AppContext } from "../context";
 import { sendError, sendOk } from "../http";
 import { requireCompanyScope } from "../middleware/company-scope";
+import { requirePermission } from "../middleware/request-actor";
 import { listAgentMemoryFiles, readAgentMemoryFile } from "../services/memory-file-service";
 
 export function createObservabilityRouter(ctx: AppContext) {
@@ -70,6 +71,10 @@ export function createObservabilityRouter(ctx: AppContext) {
   });
 
   router.put("/models/pricing", async (req, res) => {
+    requirePermission("observability:write")(req, res, () => {});
+    if (res.headersSent) {
+      return;
+    }
     const parsed = modelPricingUpdateSchema.safeParse(req.body);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);

package/src/routes/plugins.ts

@@ -14,6 +14,7 @@ import {
 import type { AppContext } from "../context";
 import { sendError, sendOk } from "../http";
 import { requireCompanyScope } from "../middleware/company-scope";
+import { requireBoardRole, requirePermission } from "../middleware/request-actor";
 import { deletePluginManifestFromFilesystem, writePluginManifestToFilesystem } from "../services/plugin-manifest-loader";
 import { registerPluginManifest } from "../services/plugin-runtime";
 
@@ -73,11 +74,18 @@ export function createPluginsRouter(ctx: AppContext) {
   });
 
   router.put("/:pluginId", async (req, res) => {
+    requirePermission("plugins:write")(req, res, () => {});
+    if (res.headersSent) {
+      return;
+    }
     const parsed = pluginConfigSchema.safeParse(req.body);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);
     }
-    const pluginId = req.params.pluginId;
+    const pluginId = readPluginIdParam(req.params.pluginId);
+    if (!pluginId) {
+      return sendError(res, "Missing plugin id.", 422);
+    }
     const [catalog, companies] = await Promise.all([listPlugins(ctx.db), listCompanies(ctx.db)]);
     const pluginExists = catalog.some((plugin) => plugin.id === pluginId);
     if (!pluginExists) {
@@ -115,6 +123,10 @@ export function createPluginsRouter(ctx: AppContext) {
   });
 
   router.post("/install-from-json", async (req, res) => {
+    requirePermission("plugins:write")(req, res, () => {});
+    if (res.headersSent) {
+      return;
+    }
     const parsed = pluginManifestCreateSchema.safeParse(req.body);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);
@@ -152,7 +164,14 @@ export function createPluginsRouter(ctx: AppContext) {
   });
 
   router.post("/:pluginId/install", async (req, res) => {
-    const pluginId = req.params.pluginId;
+    requirePermission("plugins:write")(req, res, () => {});
+    if (res.headersSent) {
+      return;
+    }
+    const pluginId = readPluginIdParam(req.params.pluginId);
+    if (!pluginId) {
+      return sendError(res, "Missing plugin id.", 422);
+    }
     const [catalog, companies] = await Promise.all([listPlugins(ctx.db), listCompanies(ctx.db)]);
     const plugin = catalog.find((item) => item.id === pluginId);
     if (!plugin) {
@@ -174,7 +193,14 @@ export function createPluginsRouter(ctx: AppContext) {
   });
 
   router.delete("/:pluginId/install", async (req, res) => {
-    const pluginId = req.params.pluginId;
+    requirePermission("plugins:write")(req, res, () => {});
+    if (res.headersSent) {
+      return;
+    }
+    const pluginId = readPluginIdParam(req.params.pluginId);
+    if (!pluginId) {
+      return sendError(res, "Missing plugin id.", 422);
+    }
     const [catalog, companies] = await Promise.all([listPlugins(ctx.db), listCompanies(ctx.db)]);
     const plugin = catalog.find((item) => item.id === pluginId);
     if (!plugin) {
@@ -191,8 +217,11 @@ export function createPluginsRouter(ctx: AppContext) {
     return sendOk(res, { ok: true, pluginId, installed: false });
   });
 
-  router.delete("/:pluginId", async (req, res) => {
-    const pluginId = req.params.pluginId;
+  router.delete("/:pluginId", requireBoardRole, async (req, res) => {
+    const pluginId = readPluginIdParam(req.params.pluginId);
+    if (!pluginId) {
+      return sendError(res, "Missing plugin id.", 422);
+    }
     const [catalog, companies] = await Promise.all([listPlugins(ctx.db), listCompanies(ctx.db)]);
     const plugin = catalog.find((item) => item.id === pluginId);
     if (!plugin) {
@@ -232,6 +261,10 @@ export function createPluginsRouter(ctx: AppContext) {
   return router;
 }
 
+function readPluginIdParam(value: string | string[] | undefined) {
+  return typeof value === "string" ? value : null;
+}
+
 function safeParseStringArray(value: string | null | undefined) {
   if (!value) {
     return [] as string[];

package/src/scripts/onboard-seed.ts

@@ -29,6 +29,7 @@ import {
   resolveAgentFallbackWorkspacePath,
   resolveProjectWorkspacePath
 } from "../lib/instance-paths";
+import { buildDefaultCeoBootstrapPrompt } from "../lib/ceo-bootstrap-prompt";
 import { resolveDefaultRuntimeCwdForCompany } from "../lib/workspace-policy";
 import { ensureCompanyModelPricingDefaults } from "../services/model-pricing";
 import { applyTemplateManifest } from "../services/template-apply-service";
@@ -122,6 +123,10 @@ export async function ensureOnboardingSeed(input: {
       });
       let ceoId = existingCeo?.id ?? null;
       if (!existingCeo) {
+        const ceoCreateRuntimeConfig = {
+          ...defaultRuntimeConfig,
+          bootstrapPrompt: buildDefaultCeoBootstrapPrompt()
+        };
         const ceo = await createAgent(db, {
           companyId,
           role: "CEO",
@@ -130,13 +135,13 @@ export async function ensureOnboardingSeed(input: {
           heartbeatCron: "*/5 * * * *",
           monthlyBudgetUsd: "100.0000",
           canHireAgents: true,
-          ...runtimeConfigToDb(defaultRuntimeConfig),
-          initialState: runtimeConfigToStateBlobPatch(defaultRuntimeConfig)
+          ...runtimeConfigToDb(ceoCreateRuntimeConfig),
+          initialState: runtimeConfigToStateBlobPatch(ceoCreateRuntimeConfig)
         });
         ceoId = ceo.id;
         ceoCreated = true;
         ceoProviderType = agentProvider;
-        ceoRuntimeModel = ceo.runtimeModel ?? defaultRuntimeConfig.runtimeModel ?? null;
+        ceoRuntimeModel = ceo.runtimeModel ?? ceoCreateRuntimeConfig.runtimeModel ?? null;
       } else if (isBootstrapCeoRuntime(existingCeo.providerType, existingCeo.stateBlob)) {
         const nextState = {
           ...stripRuntimeFromState(existingCeo.stateBlob),

package/src/services/governance-service.ts

@@ -50,6 +50,21 @@ const approvalGatedActions = new Set([
 ]);
 
 const hireAgentPayloadSchema = AgentCreateRequestSchema.extend({
+  sourceIssueId: z.string().min(1).optional(),
+  sourceIssueIds: z.array(z.string().min(1)).default([]),
+  delegationIntent: z
+    .object({
+      intentType: z.literal("agent_hiring_request"),
+      requestedRole: z.string().nullable().optional(),
+      requestedName: z.string().nullable().optional(),
+      requestedManagerAgentId: z.string().nullable().optional(),
+      requestedProviderType: z
+        .enum(["claude_code", "codex", "cursor", "opencode", "gemini_cli", "openai_api", "anthropic_api", "http", "shell"])
+        .nullable()
+        .optional(),
+      requestedRuntimeModel: z.string().nullable().optional()
+    })
+    .optional(),
   runtimeCommand: z.string().optional(),
   runtimeArgs: z.array(z.string()).optional(),
   runtimeCwd: z.string().optional(),
@@ -194,6 +209,13 @@ async function applyApprovalAction(db: BopoDb, companyId: string, action: string
     if (!parsed.success) {
       throw new GovernanceError("Approval payload for agent hiring is invalid.");
     }
+    const sourceIssueIds = Array.from(
+      new Set(
+        [parsed.data.sourceIssueId, ...(parsed.data.sourceIssueIds ?? [])]
+          .map((entry) => entry?.trim())
+          .filter((entry): entry is string => Boolean(entry))
+      )
+    );
     const defaultRuntimeCwd = await resolveDefaultRuntimeCwdForCompany(db, companyId);
     const runtimeConfig = normalizeRuntimeConfig({
       runtimeConfig: parsed.data.runtimeConfig,
@@ -265,7 +287,11 @@ async function applyApprovalAction(db: BopoDb, companyId: string, action: string
       applied: true,
       entityType: "agent" as const,
       entityId: agent.id,
-      entity: agent as Record<string, unknown>
+      entity: {
+        ...(agent as Record<string, unknown>),
+        sourceIssueIds,
+        delegationIntent: parsed.data.delegationIntent ?? null
+      }
     };
   }
 

package/src/services/heartbeat-service.ts

@@ -385,6 +385,7 @@ export async function runHeartbeatForAgent(
   let transcriptLiveHighSignalCount = 0;
   let transcriptPersistFailureReported = false;
   let pluginFailureSummary: string[] = [];
+  const seenResultMessages = new Set<string>();
 
   const enqueueTranscriptEvent = (event: {
     kind: string;
@@ -401,6 +402,10 @@ export async function runHeartbeatForAgent(
     const signalLevel = normalizeTranscriptSignalLevel(event.signalLevel, event.kind);
     const groupKey = event.groupKey ?? defaultTranscriptGroupKey(event.kind, event.label);
     const source = event.source ?? "stdout";
+    const normalizedResultText = event.kind === "result" ? normalizeTranscriptResultText(event.text) : "";
+    if (event.kind === "result" && normalizedResultText.length > 0) {
+      seenResultMessages.add(normalizedResultText);
+    }
     transcriptLiveCount += 1;
     if (isUsefulTranscriptSignal(signalLevel)) {
       transcriptLiveUsefulCount += 1;
@@ -480,6 +485,10 @@ export async function runHeartbeatForAgent(
     if (!trimmed) {
       return;
     }
+    const normalized = normalizeTranscriptResultText(trimmed);
+    if (normalized.length > 0 && seenResultMessages.has(normalized)) {
+      return;
+    }
     enqueueTranscriptEvent({
       kind: "result",
       label,
@@ -993,6 +1002,20 @@ export async function runHeartbeatForAgent(
         (transcriptLiveHighSignalCount < 2 && fallbackHighSignalCount > transcriptLiveHighSignalCount));
     if (shouldAppendFallback) {
       const createdAt = new Date();
+      const dedupedFallbackMessages = fallbackMessages.filter((message) => {
+        if (message.kind !== "result") {
+          return true;
+        }
+        const normalized = normalizeTranscriptResultText(message.text);
+        if (!normalized) {
+          return true;
+        }
+        if (seenResultMessages.has(normalized)) {
+          return false;
+        }
+        seenResultMessages.add(normalized);
+        return true;
+      });
       const rows: Array<{
         id: string;
         sequence: number;
@@ -1004,7 +1027,7 @@ export async function runHeartbeatForAgent(
         groupKey: string | null;
         source: "trace_fallback";
         createdAt: Date;
-      }> = fallbackMessages.map((message) => ({
+      }> = dedupedFallbackMessages.map((message) => ({
         id: nanoid(14),
         sequence: transcriptSequence++,
         kind: message.kind,
@@ -1711,6 +1734,11 @@ function normalizeTranscriptKind(
   return "system";
 }
 
+function normalizeTranscriptResultText(value: string | undefined) {
+  const normalized = (value ?? "").replace(/\s+/g, " ").trim().toLowerCase();
+  return normalized;
+}
+
 function defaultTranscriptGroupKey(kind: string, label?: string) {
   if (kind === "tool_call" || kind === "tool_result") {
     return `tool:${(label ?? "unknown").trim().toLowerCase()}`;
@@ -2219,7 +2247,7 @@ function buildHeartbeatRuntimeEnv(input: {
   canHireAgents: boolean;
 }) {
   const apiBaseUrl = resolveControlPlaneApiBaseUrl();
-  const actorPermissions = ["issues:write", "agents:write"].join(",");
+  const actorPermissions = ["issues:write", ...(input.canHireAgents ? ["agents:write"] : [])].join(",");
   const actorHeaders = JSON.stringify({
     "x-company-id": input.companyId,
     "x-actor-type": "agent",