bopodev-api 0.1.27 → 0.1.29

package/src/routes/issues.ts

@@ -1,27 +1,30 @@
 import { Router } from "express";
 import { mkdir, readFile, rm, stat, writeFile } from "node:fs/promises";
 import { basename, extname, join, resolve } from "node:path";
-import { and, desc, eq, inArray } from "drizzle-orm";
 import multer from "multer";
-import { z } from "zod";
 import { IssueDetailSchema, IssueSchema } from "bopodev-contracts";
 import {
   addIssueAttachment,
   addIssueComment,
   agents,
+  and,
   appendActivity,
   appendAuditEvent,
   createIssue,
   deleteIssueAttachment,
   deleteIssueComment,
   deleteIssue,
+  desc,
+  eq,
   getIssue,
   heartbeatRuns,
   getIssueAttachment,
+  inArray,
   issues,
   listIssueAttachments,
   listIssueActivity,
   listIssueComments,
+  listIssueGoalIdsBatch,
   listIssues,
   projects,
   projectWorkspaces,
@@ -39,70 +42,16 @@ import {
 } from "../lib/comment-recipients";
 import { isInsidePath, normalizeCompanyWorkspacePath, resolveProjectWorkspacePath } from "../lib/instance-paths";
 import { requireCompanyScope } from "../middleware/company-scope";
-import { requirePermission } from "../middleware/request-actor";
+import { enforcePermission } from "../middleware/request-actor";
 import { triggerIssueCommentDispatchWorker } from "../services/comment-recipient-dispatch-service";
 import { publishAttentionSnapshot } from "../realtime/attention";
-
-const createIssueSchema = z.object({
-  projectId: z.string().min(1),
-  parentIssueId: z.string().optional(),
-  title: z.string().min(1),
-  body: z.string().optional(),
-  metadata: z
-    .object({
-      delegatedHiringIntent: z
-        .object({
-          intentType: z.literal("agent_hiring_request"),
-          requestedRole: z.string().nullable().optional(),
-          requestedRoleKey: z.string().nullable().optional(),
-          requestedTitle: z.string().nullable().optional(),
-          requestedName: z.string().nullable().optional(),
-          requestedManagerAgentId: z.string().nullable().optional(),
-          requestedProviderType: z.string().nullable().optional(),
-          requestedRuntimeModel: z.string().nullable().optional()
-        })
-        .optional()
-    })
-    .optional(),
-  status: z.enum(["todo", "in_progress", "blocked", "in_review", "done", "canceled"]).default("todo"),
-  priority: z.enum(["none", "low", "medium", "high", "urgent"]).default("none"),
-  assigneeAgentId: z.string().nullable().optional(),
-  labels: z.array(z.string()).default([]),
-  tags: z.array(z.string()).default([])
-});
-
-const createIssueCommentSchema = z.object({
-  body: z.string().min(1),
-  recipients: z
-    .array(
-      z.object({
-        recipientType: z.enum(["agent", "board", "member"]),
-        recipientId: z.string().nullable().optional()
-      })
-    )
-    .default([]),
-  authorType: z.enum(["human", "agent", "system"]).optional(),
-  authorId: z.string().optional()
-});
-
-const createIssueCommentLegacySchema = z.object({
-  issueId: z.string().min(1),
-  body: z.string().min(1),
-  recipients: z
-    .array(
-      z.object({
-        recipientType: z.enum(["agent", "board", "member"]),
-        recipientId: z.string().nullable().optional()
-      })
-    )
-    .default([]),
-  authorType: z.enum(["human", "agent", "system"]).optional(),
-  authorId: z.string().optional()
-});
-
-const updateIssueCommentSchema = z.object({
-  body: z.string().min(1)
-});
+import {
+  createIssueCommentLegacySchema,
+  createIssueCommentSchema,
+  createIssueSchema,
+  updateIssueCommentSchema,
+  updateIssueSchema
+} from "../validation/issue-routes";
 
 const MAX_ATTACHMENTS_PER_REQUEST = parsePositiveIntEnv("BOPO_ISSUE_ATTACHMENTS_MAX_FILES", 10);
 const MAX_ATTACHMENT_SIZE_BYTES = parsePositiveIntEnv("BOPO_ISSUE_ATTACHMENTS_MAX_BYTES", 20 * 1024 * 1024);
@@ -145,30 +94,32 @@ function parseStringArray(value: unknown) {
   }
 }
 
-function toIssueResponse(issue: Record<string, unknown>) {
+function normalizeOptionalExternalLink(value: string | null | undefined) {
+  if (value === undefined) {
+    return undefined;
+  }
+  const trimmed = value?.trim() ?? "";
+  return trimmed.length > 0 ? trimmed : null;
+}
+
+function toIssueResponse(issue: Record<string, unknown>, goalIds: string[] = []) {
   const labels = parseStringArray(issue.labelsJson);
   const tags = parseStringArray(issue.tagsJson);
-  const { labelsJson: _labelsJson, tagsJson: _tagsJson, ...rest } = issue;
+  const { labelsJson: _labelsJson, tagsJson: _tagsJson, goalId: _legacyGoalId, ...rest } = issue as Record<string, unknown> & {
+    goalId?: unknown;
+  };
+  const externalRaw = rest.externalLink;
+  const externalLink =
+    typeof externalRaw === "string" && externalRaw.trim().length > 0 ? externalRaw.trim() : null;
   return {
     ...rest,
+    externalLink,
     labels,
-    tags
+    tags,
+    goalIds
   };
 }
 
-const updateIssueSchema = z
-  .object({
-    projectId: z.string().min(1).optional(),
-    title: z.string().min(1).optional(),
-    body: z.string().nullable().optional(),
-    status: z.enum(["todo", "in_progress", "blocked", "in_review", "done", "canceled"]).optional(),
-    priority: z.enum(["none", "low", "medium", "high", "urgent"]).optional(),
-    assigneeAgentId: z.string().nullable().optional(),
-    labels: z.array(z.string()).optional(),
-    tags: z.array(z.string()).optional()
-  })
-  .refine((payload) => Object.keys(payload).length > 0, "At least one field must be provided.");
-
 export function createIssuesRouter(ctx: AppContext) {
   const router = Router();
   const upload = multer({
@@ -183,10 +134,17 @@ export function createIssuesRouter(ctx: AppContext) {
   router.get("/", async (req, res) => {
     const projectId = req.query.projectId?.toString();
     const rows = await listIssues(ctx.db, req.companyId!, projectId);
+    const goalMap = await listIssueGoalIdsBatch(
+      ctx.db,
+      req.companyId!,
+      rows.map((row) => row.id)
+    );
     return sendOkValidated(
       res,
       IssueSchema.array(),
-      rows.map((row) => toIssueResponse(row as unknown as Record<string, unknown>)),
+      rows.map((row) =>
+        toIssueResponse(row as unknown as Record<string, unknown>, goalMap.get(row.id) ?? [])
+      ),
       "issues.list"
     );
   });
@@ -197,7 +155,8 @@ export function createIssuesRouter(ctx: AppContext) {
     if (!issueRow) {
       return sendError(res, "Issue not found.", 404);
     }
-    const base = toIssueResponse(issueRow as unknown as Record<string, unknown>);
+    const goalMap = await listIssueGoalIdsBatch(ctx.db, req.companyId!, [issueId]);
+    const base = toIssueResponse(issueRow as unknown as Record<string, unknown>, goalMap.get(issueId) ?? []);
     const attachmentRows = await listIssueAttachments(ctx.db, req.companyId!, issueId);
     const attachments = attachmentRows.map((row) =>
       toIssueAttachmentResponse(row as unknown as Record<string, unknown>, issueId)
@@ -206,10 +165,7 @@ export function createIssuesRouter(ctx: AppContext) {
   });
 
   router.post("/", async (req, res) => {
-    requirePermission("issues:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "issues:write")) return;
     const parsed = createIssueSchema.safeParse(req.body);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);
@@ -229,8 +185,10 @@ export function createIssuesRouter(ctx: AppContext) {
       companyId: req.companyId!,
       projectId: parsed.data.projectId,
       parentIssueId: parsed.data.parentIssueId,
+      goalIds: parsed.data.goalIds,
       title: parsed.data.title,
       body: applyIssueMetadataToBody(parsed.data.body, parsed.data.metadata),
+      externalLink: normalizeOptionalExternalLink(parsed.data.externalLink ?? null),
       status: parsed.data.status,
       priority: parsed.data.priority,
       assigneeAgentId: parsed.data.assigneeAgentId,
@@ -252,14 +210,14 @@ export function createIssuesRouter(ctx: AppContext) {
       entityId: issue.id,
       payload: issue
     });
-    return sendOk(res, toIssueResponse(issue as unknown as Record<string, unknown>));
+    return sendOk(
+      res,
+      toIssueResponse(issue as unknown as Record<string, unknown>, parsed.data.goalIds)
+    );
   });
 
   router.post("/:issueId/attachments", async (req, res) => {
-    requirePermission("issues:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "issues:write")) return;
 
     upload.array("files", MAX_ATTACHMENTS_PER_REQUEST)(req, res, async (uploadError) => {
       if (uploadError) {
@@ -406,10 +364,7 @@ export function createIssuesRouter(ctx: AppContext) {
   });
 
   router.delete("/:issueId/attachments/:attachmentId", async (req, res) => {
-    requirePermission("issues:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "issues:write")) return;
     const issueContext = await getIssueContextForAttachment(ctx, req.companyId!, req.params.issueId);
     if (!issueContext) {
       return sendError(res, "Issue not found.", 404);
@@ -465,10 +420,7 @@ export function createIssuesRouter(ctx: AppContext) {
   });
 
   router.post("/:issueId/comments", async (req, res) => {
-    requirePermission("issues:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "issues:write")) return;
     const parsed = createIssueCommentSchema.safeParse(req.body);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);
@@ -484,10 +436,7 @@ export function createIssuesRouter(ctx: AppContext) {
 
   // Backward-compatible endpoint used by older clients.
   router.post("/comment", async (req, res) => {
-    requirePermission("issues:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "issues:write")) return;
     const parsed = createIssueCommentLegacySchema.safeParse(req.body);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);
@@ -502,10 +451,7 @@ export function createIssuesRouter(ctx: AppContext) {
   });
 
   router.put("/:issueId/comments/:commentId", async (req, res) => {
-    requirePermission("issues:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "issues:write")) return;
     const parsed = updateIssueCommentSchema.safeParse(req.body);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);
@@ -547,10 +493,7 @@ export function createIssuesRouter(ctx: AppContext) {
   });
 
   router.delete("/:issueId/comments/:commentId", async (req, res) => {
-    requirePermission("issues:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "issues:write")) return;
     const deleted = await deleteIssueComment(ctx.db, req.companyId!, req.params.issueId, req.params.commentId);
     if (!deleted) {
       return sendError(res, "Comment not found.", 404);
@@ -577,10 +520,7 @@ export function createIssuesRouter(ctx: AppContext) {
   });
 
   router.put("/:issueId", async (req, res) => {
-    requirePermission("issues:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "issues:write")) return;
     const parsed = updateIssueSchema.safeParse(req.body);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);
@@ -614,7 +554,11 @@ export function createIssuesRouter(ctx: AppContext) {
       }
     }
 
-    const issue = await updateIssue(ctx.db, { companyId: req.companyId!, id: req.params.issueId, ...parsed.data });
+    const updateBody = { ...parsed.data };
+    if (updateBody.externalLink !== undefined) {
+      updateBody.externalLink = normalizeOptionalExternalLink(updateBody.externalLink) ?? null;
+    }
+    const issue = await updateIssue(ctx.db, { companyId: req.companyId!, id: req.params.issueId, ...updateBody });
     if (!issue) {
       return sendError(res, "Issue not found.", 404);
     }
@@ -634,14 +578,15 @@ export function createIssuesRouter(ctx: AppContext) {
       entityId: issue.id,
       payload: issue
     });
-    return sendOk(res, toIssueResponse(issue as unknown as Record<string, unknown>));
+    const goalMap = await listIssueGoalIdsBatch(ctx.db, req.companyId!, [issue.id]);
+    return sendOk(
+      res,
+      toIssueResponse(issue as unknown as Record<string, unknown>, goalMap.get(issue.id) ?? [])
+    );
   });
 
   router.delete("/:issueId", async (req, res) => {
-    requirePermission("issues:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "issues:write")) return;
     const deleted = await deleteIssue(ctx.db, req.companyId!, req.params.issueId);
     if (!deleted) {
       return sendError(res, "Issue not found.", 404);

package/src/routes/observability.ts

@@ -292,7 +292,12 @@ export function createObservabilityRouter(ctx: AppContext) {
       .filter((goal) => goal.status === "active" && goal.level === "project" && goal.projectId && projectIds.includes(goal.projectId))
       .map((goal) => goal.title);
     const activeAgentGoals = goals
-      .filter((goal) => goal.status === "active" && goal.level === "agent")
+      .filter(
+        (goal) =>
+          goal.status === "active" &&
+          goal.level === "agent" &&
+          (!goal.ownerAgentId || goal.ownerAgentId === agentId)
+      )
       .map((goal) => goal.title);
     const compiledPreview = [
       `Agent: ${agent.name} (${agent.role})`,

package/src/routes/plugins.ts

@@ -14,7 +14,7 @@ import {
 import type { AppContext } from "../context";
 import { sendError, sendOk } from "../http";
 import { requireCompanyScope } from "../middleware/company-scope";
-import { requireBoardRole, requirePermission } from "../middleware/request-actor";
+import { enforcePermission, requireBoardRole } from "../middleware/request-actor";
 import { deletePluginManifestFromFilesystem, writePluginManifestToFilesystem } from "../services/plugin-manifest-loader";
 import { registerPluginManifest } from "../services/plugin-runtime";
 
@@ -74,10 +74,7 @@ export function createPluginsRouter(ctx: AppContext) {
   });
 
   router.put("/:pluginId", async (req, res) => {
-    requirePermission("plugins:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "plugins:write")) return;
     const parsed = pluginConfigSchema.safeParse(req.body);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);
@@ -123,10 +120,7 @@ export function createPluginsRouter(ctx: AppContext) {
   });
 
   router.post("/install-from-json", async (req, res) => {
-    requirePermission("plugins:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "plugins:write")) return;
     const parsed = pluginManifestCreateSchema.safeParse(req.body);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);
@@ -164,10 +158,7 @@ export function createPluginsRouter(ctx: AppContext) {
   });
 
   router.post("/:pluginId/install", async (req, res) => {
-    requirePermission("plugins:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "plugins:write")) return;
     const pluginId = readPluginIdParam(req.params.pluginId);
     if (!pluginId) {
       return sendError(res, "Missing plugin id.", 422);
@@ -193,10 +184,7 @@ export function createPluginsRouter(ctx: AppContext) {
   });
 
   router.delete("/:pluginId/install", async (req, res) => {
-    requirePermission("plugins:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "plugins:write")) return;
     const pluginId = readPluginIdParam(req.params.pluginId);
     if (!pluginId) {
       return sendError(res, "Missing plugin id.", 422);

package/src/routes/projects.ts

@@ -19,7 +19,7 @@ import type { AppContext } from "../context";
 import { sendError, sendOk, sendOkValidated } from "../http";
 import { normalizeCompanyWorkspacePath, resolveProjectWorkspacePath } from "../lib/instance-paths";
 import { requireCompanyScope } from "../middleware/company-scope";
-import { requirePermission } from "../middleware/request-actor";
+import { enforcePermission } from "../middleware/request-actor";
 
 const projectStatusSchema = z.enum(["planned", "active", "paused", "blocked", "completed", "archived"]);
 const executionWorkspacePolicySchema = z
@@ -129,10 +129,7 @@ export function createProjectsRouter(ctx: AppContext) {
   });
 
   router.post("/", async (req, res) => {
-    requirePermission("projects:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "projects:write")) return;
     const parsed = createProjectSchema.safeParse(req.body);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);
@@ -203,10 +200,7 @@ export function createProjectsRouter(ctx: AppContext) {
   });
 
   router.put("/:projectId", async (req, res) => {
-    requirePermission("projects:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "projects:write")) return;
     const parsed = updateProjectSchema.safeParse(req.body);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);
@@ -257,10 +251,7 @@ export function createProjectsRouter(ctx: AppContext) {
   });
 
   router.post("/:projectId/workspaces", async (req, res) => {
-    requirePermission("projects:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "projects:write")) return;
     const parsed = createProjectWorkspaceSchema.safeParse(req.body);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);
@@ -306,10 +297,7 @@ export function createProjectsRouter(ctx: AppContext) {
   });
 
   router.put("/:projectId/workspaces/:workspaceId", async (req, res) => {
-    requirePermission("projects:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "projects:write")) return;
     const parsed = updateProjectWorkspaceSchema.safeParse(req.body);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);
@@ -356,10 +344,7 @@ export function createProjectsRouter(ctx: AppContext) {
   });
 
   router.delete("/:projectId/workspaces/:workspaceId", async (req, res) => {
-    requirePermission("projects:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "projects:write")) return;
     const deleted = await deleteProjectWorkspace(ctx.db, {
       companyId: req.companyId!,
       projectId: req.params.projectId,
@@ -380,10 +365,7 @@ export function createProjectsRouter(ctx: AppContext) {
   });
 
   router.delete("/:projectId", async (req, res) => {
-    requirePermission("projects:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "projects:write")) return;
     const deleted = await deleteProject(ctx.db, req.companyId!, req.params.projectId);
     if (!deleted) {
       return sendError(res, "Project not found.", 404);

package/src/routes/templates.ts

@@ -24,7 +24,7 @@ import {
 import type { AppContext } from "../context";
 import { sendError, sendOk } from "../http";
 import { requireCompanyScope } from "../middleware/company-scope";
-import { requirePermission } from "../middleware/request-actor";
+import { enforcePermission } from "../middleware/request-actor";
 import { applyTemplateManifest } from "../services/template-apply-service";
 import { buildTemplatePreview } from "../services/template-preview-service";
 
@@ -39,10 +39,7 @@ export function createTemplatesRouter(ctx: AppContext) {
   });
 
   router.post("/", async (req, res) => {
-    requirePermission("templates:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "templates:write")) return;
     const parsed = TemplateCreateRequestSchema.safeParse(req.body);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);
@@ -83,10 +80,7 @@ export function createTemplatesRouter(ctx: AppContext) {
   });
 
   router.put("/:templateId", async (req, res) => {
-    requirePermission("templates:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "templates:write")) return;
     const parsed = TemplateUpdateRequestSchema.safeParse(req.body);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);
@@ -138,10 +132,7 @@ export function createTemplatesRouter(ctx: AppContext) {
   });
 
   router.delete("/:templateId", async (req, res) => {
-    requirePermission("templates:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "templates:write")) return;
     const deleted = await deleteTemplate(ctx.db, req.companyId!, req.params.templateId);
     if (!deleted) {
       return sendError(res, "Template not found.", 404);
@@ -188,10 +179,7 @@ export function createTemplatesRouter(ctx: AppContext) {
   });
 
   router.post("/:templateId/apply", async (req, res) => {
-    requirePermission("templates:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "templates:write")) return;
     const parsed = TemplateApplyRequestSchema.safeParse(req.body);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);
@@ -261,10 +249,7 @@ export function createTemplatesRouter(ctx: AppContext) {
   });
 
   router.post("/import", async (req, res) => {
-    requirePermission("templates:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "templates:write")) return;
     const parsed = TemplateImportRequestSchema.safeParse(req.body);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);

package/src/scripts/onboard-seed.ts

@@ -316,18 +316,16 @@ async function ensureCeoStartupTask(
     `   - \`${ceoOperatingFolder}/HEARTBEAT.md\``,
     `   - \`${ceoOperatingFolder}/SOUL.md\``,
     `   - \`${ceoOperatingFolder}/TOOLS.md\``,
-    "3. Save your operating-file reference on your own agent record via `PUT /agents/:agentId`.",
-    `   - Supported simple body: \`{ "bootstrapPrompt": "Primary operating reference: ${ceoOperatingFolder}/AGENTS.md ..." }\``,
-    "   - If using `runtimeConfig`, only `runtimeConfig.bootstrapPrompt` is supported there.",
-    "   - Prefer heredoc/stdin payloads (for example `curl --data-binary @- <<'JSON' ... JSON`) to avoid temp-file cleanup failures under runtime policy.",
-    `   - If you must use payload files, store them in \`${ceoTmpFolder}/\` (or OS temp via \`mktemp\`) and avoid chaining cleanup commands into critical task flow.`,
+    "3. Each heartbeat already includes your operating directory via `$BOPODEV_AGENT_OPERATING_DIR` and directs you to AGENTS.md and related files there when they exist.",
+    "   You do not need to save file paths into `bootstrapPrompt` for operating docs—reserve `bootstrapPrompt` only for optional extra standing instructions.",
+    `   - Prefer heredoc/stdin payloads (for example \`curl --data-binary @- <<'JSON' ... JSON\`) when calling APIs; if you must use payload files, store them in \`${ceoTmpFolder}/\` (or OS temp via \`mktemp\`).`,
     "4. To inspect your own agent record, use `GET /agents` and filter by your agent id. Do not call `GET /agents/:agentId`.",
     "   - `GET /agents` uses envelope shape `{ \"ok\": true, \"data\": [...] }`; treat any other shape as failure.",
-    "   - Deterministic filter: `jq -er --arg id \"$BOPODEV_AGENT_ID\" '.data | if type==\"array\" then . else error(\"invalid_agents_payload\") end | map(select((.id? // \"\") == $id))[0] | {id,name,role,bootstrapPrompt}'`",
+    "   - Deterministic filter: `jq -er --arg id \"$BOPODEV_AGENT_ID\" '.data | if type==\"array\" then . else error(\"invalid_agents_payload\") end | map(select((.id? // \"\") == $id))[0] | {id,name,role}'`",
     "5. Heartbeat-assigned issues are already claimed for the current run. Do not call a checkout endpoint; update status with `PUT /issues/:issueId` only.",
     "6. After your operating files are active, submit a hire request for a Founding Engineer via `POST /agents` using supported fields:",
     "   - `name`, `role`, `providerType`, `heartbeatCron`, `monthlyBudgetUsd`",
-    "   - optional `managerAgentId`, `bootstrapPrompt`, `runtimeConfig`, `canHireAgents`",
+    "   - optional `managerAgentId`, `bootstrapPrompt` (extra standing instructions only), `runtimeConfig`, `canHireAgents`",
     "   - `requestApproval: true` and `sourceIssueId`",
     "7. Do not use unsupported hire fields such as `adapterType`, `adapterConfig`, or `reportsTo`.",
     "",