bopodev-api 0.1.28 → 0.1.29

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bopodev-api",
-  "version": "0.1.28",
+  "version": "0.1.29",
   "license": "MIT",
   "type": "module",
   "files": [
@@ -17,9 +17,9 @@
     "nanoid": "^5.1.5",
     "ws": "^8.19.0",
     "zod": "^4.1.5",
-    "bopodev-agent-sdk": "0.1.28",
-    "bopodev-db": "0.1.28",
-    "bopodev-contracts": "0.1.28"
+    "bopodev-contracts": "0.1.29",
+    "bopodev-agent-sdk": "0.1.29",
+    "bopodev-db": "0.1.29"
   },
   "devDependencies": {
     "@types/cors": "^2.8.19",

package/src/app.ts

@@ -1,8 +1,6 @@
-import cors from "cors";
 import express from "express";
 import type { NextFunction, Request, Response } from "express";
-import { RepositoryValidationError, sql } from "bopodev-db";
-import { nanoid } from "nanoid";
+import { pingDatabase, RepositoryValidationError } from "bopodev-db";
 import type { AppContext } from "./context";
 import { createAgentsRouter } from "./routes/agents";
 import { createAuthRouter } from "./routes/auth";
@@ -17,6 +15,9 @@ import { createProjectsRouter } from "./routes/projects";
 import { createPluginsRouter } from "./routes/plugins";
 import { createTemplatesRouter } from "./routes/templates";
 import { sendError } from "./http";
+import { createCorsMiddleware } from "./middleware/cors-config";
+import { attachCrudRequestLogging } from "./middleware/request-logging";
+import { attachRequestId } from "./middleware/request-id";
 import { attachRequestActor } from "./middleware/request-actor";
 import { resolveAllowedOrigins, resolveDeploymentMode } from "./security/deployment-mode";
 
@@ -24,75 +25,20 @@ export function createApp(ctx: AppContext) {
   const app = express();
   const deploymentMode = ctx.deploymentMode ?? resolveDeploymentMode();
   const allowedOrigins = ctx.allowedOrigins ?? resolveAllowedOrigins(deploymentMode);
-  app.use(
-    cors({
-      origin(origin, callback) {
-        if (!origin) {
-          callback(null, true);
-          return;
-        }
-        if (
-          deploymentMode === "local" &&
-          (origin.startsWith("http://localhost:") || origin.startsWith("http://127.0.0.1:"))
-        ) {
-          callback(null, true);
-          return;
-        }
-        if (allowedOrigins.includes(origin)) {
-          callback(null, true);
-          return;
-        }
-        callback(new Error(`CORS origin denied: ${origin}`));
-      },
-      credentials: true,
-      methods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
-      allowedHeaders: [
-        "content-type",
-        "x-company-id",
-        "authorization",
-        "x-client-trace-id",
-        "x-bopo-actor-token",
-        "x-request-id",
-        "x-bopodev-run-id"
-      ]
-    })
-  );
+  app.use(createCorsMiddleware(deploymentMode, allowedOrigins));
   app.use(express.json());
   app.use(attachRequestActor);
-
-  app.use((req, res, next) => {
-    const requestId = req.header("x-request-id")?.trim() || nanoid(14);
-    req.requestId = requestId;
-    res.setHeader("x-request-id", requestId);
-    next();
-  });
+  app.use(attachRequestId);
   const logApiRequests = process.env.BOPO_LOG_API_REQUESTS !== "0";
   if (logApiRequests) {
-    app.use((req, res, next) => {
-      if (req.path === "/health") {
-        next();
-        return;
-      }
-      const method = req.method.toUpperCase();
-      if (!isCrudMethod(method)) {
-        next();
-        return;
-      }
-      const startedAt = Date.now();
-      res.on("finish", () => {
-        const elapsedMs = Date.now() - startedAt;
-        const timestamp = new Date().toTimeString().slice(0, 8);
-        process.stderr.write(`[${timestamp}] INFO: ${method} ${req.originalUrl} ${res.statusCode} ${elapsedMs}ms\n`);
-      });
-      next();
-    });
+    app.use(attachCrudRequestLogging);
   }
 
   app.get("/health", async (_req, res) => {
     let dbReady = false;
     let dbError: string | undefined;
     try {
-      await ctx.db.execute(sql`SELECT 1`);
+      await pingDatabase(ctx.db);
       dbReady = true;
     } catch (error) {
       dbError = String(error);
@@ -126,18 +72,20 @@ export function createApp(ctx: AppContext) {
   app.use("/plugins", createPluginsRouter(ctx));
   app.use("/templates", createTemplatesRouter(ctx));
 
-  app.use((error: unknown, _req: Request, res: Response, _next: NextFunction) => {
+  app.use((error: unknown, req: Request, res: Response, _next: NextFunction) => {
     if (error instanceof RepositoryValidationError) {
       return sendError(res, error.message, 422);
     }
-    // eslint-disable-next-line no-console
-    console.error(error);
+    const requestId = req.requestId;
+    if (requestId) {
+      // eslint-disable-next-line no-console
+      console.error(`[request ${requestId}]`, error);
+    } else {
+      // eslint-disable-next-line no-console
+      console.error(error);
+    }
     return sendError(res, "Internal server error", 500);
   });
 
   return app;
 }
-
-function isCrudMethod(method: string) {
-  return method === "GET" || method === "POST" || method === "PUT" || method === "PATCH" || method === "DELETE";
-}

package/src/lib/run-artifact-paths.ts

@@ -70,6 +70,14 @@ function normalizeWorkspaceRelativeArtifactPath(value: string) {
   }
   const workspaceScopedMatch = normalized.match(/(?:^|\/)workspace\/([^/]+)\/(.+)$/);
   if (!workspaceScopedMatch) {
+    const projectAgentsMatch = normalized.match(/(?:^|\/)projects\/agents\/([^/]+)\/operating\/(.+)$/);
+    if (projectAgentsMatch) {
+      const [, agentId, suffix] = projectAgentsMatch;
+      if (!agentId || !suffix) {
+        return "";
+      }
+      return `agents/${agentId}/operating/${suffix}`;
+    }
     return normalized;
   }
   const scopedRelativePath = workspaceScopedMatch[2];

package/src/middleware/cors-config.ts

@@ -0,0 +1,36 @@
+import cors from "cors";
+import type { DeploymentMode } from "../security/deployment-mode";
+
+export function createCorsMiddleware(deploymentMode: DeploymentMode, allowedOrigins: string[]) {
+  return cors({
+    origin(origin, callback) {
+      if (!origin) {
+        callback(null, true);
+        return;
+      }
+      if (
+        deploymentMode === "local" &&
+        (origin.startsWith("http://localhost:") || origin.startsWith("http://127.0.0.1:"))
+      ) {
+        callback(null, true);
+        return;
+      }
+      if (allowedOrigins.includes(origin)) {
+        callback(null, true);
+        return;
+      }
+      callback(new Error(`CORS origin denied: ${origin}`));
+    },
+    credentials: true,
+    methods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+    allowedHeaders: [
+      "content-type",
+      "x-company-id",
+      "authorization",
+      "x-client-trace-id",
+      "x-bopo-actor-token",
+      "x-request-id",
+      "x-bopodev-run-id"
+    ]
+  });
+}

package/src/middleware/request-actor.ts

@@ -3,23 +3,9 @@ import { RequestActorHeadersSchema } from "bopodev-contracts";
 import { sendError } from "../http";
 import { verifyActorToken } from "../security/actor-token";
 import { isAuthenticatedMode, resolveDeploymentMode } from "../security/deployment-mode";
+import type { RequestActor } from "../types/request-actor";
 
-export type RequestActor = {
-  type: "board" | "member" | "agent";
-  id: string;
-  companyIds: string[] | null;
-  permissions: string[];
-};
-
-declare global {
-  namespace Express {
-    interface Request {
-      actor?: RequestActor;
-      companyId?: string;
-      requestId?: string;
-    }
-  }
-}
+export type { RequestActor };
 
 export function attachRequestActor(req: Request, res: Response, next: NextFunction) {
   const deploymentMode = resolveDeploymentMode();
@@ -136,6 +122,14 @@ export function requirePermission(permission: string) {
   };
 }
 
+export function enforcePermission(req: Request, res: Response, permission: string): boolean {
+  let allowed = false;
+  requirePermission(permission)(req, res, () => {
+    allowed = true;
+  });
+  return allowed;
+}
+
 export function requireBoardRole(req: Request, res: Response, next: NextFunction) {
   if (req.actor?.type !== "board") {
     return sendError(res, "Board role required.", 403);

package/src/middleware/request-id.ts

@@ -0,0 +1,9 @@
+import type { NextFunction, Request, Response } from "express";
+import { nanoid } from "nanoid";
+
+export function attachRequestId(req: Request, res: Response, next: NextFunction) {
+  const requestId = req.header("x-request-id")?.trim() || nanoid(14);
+  req.requestId = requestId;
+  res.setHeader("x-request-id", requestId);
+  next();
+}

package/src/middleware/request-logging.ts

@@ -0,0 +1,24 @@
+import type { NextFunction, Request, Response } from "express";
+
+function isCrudMethod(method: string) {
+  return method === "GET" || method === "POST" || method === "PUT" || method === "PATCH" || method === "DELETE";
+}
+
+export function attachCrudRequestLogging(req: Request, res: Response, next: NextFunction) {
+  if (req.path === "/health") {
+    next();
+    return;
+  }
+  const method = req.method.toUpperCase();
+  if (!isCrudMethod(method)) {
+    next();
+    return;
+  }
+  const startedAt = Date.now();
+  res.on("finish", () => {
+    const elapsedMs = Date.now() - startedAt;
+    const timestamp = new Date().toTimeString().slice(0, 8);
+    process.stderr.write(`[${timestamp}] INFO: ${method} ${req.originalUrl} ${res.statusCode} ${elapsedMs}ms\n`);
+  });
+  next();
+}

package/src/routes/agents.ts

@@ -37,7 +37,7 @@ import { resolveHiringDelegate } from "../lib/hiring-delegate";
 import { resolveOpencodeRuntimeModel } from "../lib/opencode-model";
 import { assertRuntimeCwdForCompany, hasText, resolveDefaultRuntimeCwdForCompany } from "../lib/workspace-policy";
 import { requireCompanyScope } from "../middleware/company-scope";
-import { requireBoardRole, requirePermission } from "../middleware/request-actor";
+import { enforcePermission, requireBoardRole, requirePermission } from "../middleware/request-actor";
 import { createGovernanceRealtimeEvent, serializeStoredApproval } from "../realtime/governance";
 import { publishAttentionSnapshot } from "../realtime/attention";
 import {
@@ -629,10 +629,7 @@ export function createAgentsRouter(ctx: AppContext) {
   });
 
   router.post("/:agentId/pause", async (req, res) => {
-    requirePermission("agents:lifecycle")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "agents:lifecycle")) return;
     const agent = await updateAgent(ctx.db, {
       companyId: req.companyId!,
       id: req.params.agentId,
@@ -656,10 +653,7 @@ export function createAgentsRouter(ctx: AppContext) {
   });
 
   router.post("/:agentId/resume", async (req, res) => {
-    requirePermission("agents:lifecycle")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "agents:lifecycle")) return;
     const agent = await updateAgent(ctx.db, {
       companyId: req.companyId!,
       id: req.params.agentId,

package/src/routes/companies.ts

@@ -10,6 +10,7 @@ import { normalizeRuntimeConfig, resolveRuntimeModelForProvider, runtimeConfigTo
 import { buildDefaultCeoBootstrapPrompt } from "../lib/ceo-bootstrap-prompt";
 import { resolveOpencodeRuntimeModel } from "../lib/opencode-model";
 import { resolveDefaultRuntimeCwdForCompany } from "../lib/workspace-policy";
+import { buildCompanyPortabilityExport } from "../services/company-export-service";
 import { canAccessCompany, requireBoardRole, requirePermission } from "../middleware/request-actor";
 import { ensureCompanyBuiltinPluginDefaults } from "../services/plugin-runtime";
 import { ensureCompanyBuiltinTemplateDefaults } from "../services/template-catalog";
@@ -21,7 +22,7 @@ const createCompanySchema = z.object({
   name: z.string().min(1),
   mission: z.string().optional(),
   providerType: z
-    .enum(["codex", "claude_code", "cursor", "gemini_cli", "opencode", "openai_api", "anthropic_api", "shell"])
+    .enum(["codex", "claude_code", "cursor", "gemini_cli", "opencode", "openai_api", "anthropic_api", "http", "shell"])
     .optional(),
   runtimeModel: z.string().optional()
 });
@@ -53,6 +54,21 @@ export function createCompaniesRouter(ctx: AppContext) {
     );
   });
 
+  router.get("/:companyId/export", async (req, res) => {
+    const companyId = readCompanyIdParam(req);
+    if (!companyId) {
+      return sendError(res, "Missing company id.", 422);
+    }
+    if (!canAccessCompany(req, companyId)) {
+      return sendError(res, "Actor does not have access to this company.", 403);
+    }
+    const payload = await buildCompanyPortabilityExport(ctx.db, companyId);
+    if (!payload) {
+      return sendError(res, "Company not found.", 404);
+    }
+    return sendOk(res, payload);
+  });
+
   router.post("/", requireBoardRole, async (req, res) => {
     const parsed = createCompanySchema.safeParse(req.body);
     if (!parsed.success) {
@@ -171,6 +187,7 @@ function parseAgentProvider(value: unknown) {
     value === "opencode" ||
     value === "openai_api" ||
     value === "anthropic_api" ||
+    value === "http" ||
     value === "shell"
   ) {
     return value;

package/src/routes/goals.ts

@@ -5,7 +5,7 @@ import { appendAuditEvent, createApprovalRequest, createGoal, deleteGoal, getApp
 import type { AppContext } from "../context";
 import { sendError, sendOk, sendOkValidated } from "../http";
 import { requireCompanyScope } from "../middleware/company-scope";
-import { requirePermission } from "../middleware/request-actor";
+import { enforcePermission } from "../middleware/request-actor";
 import { createGovernanceRealtimeEvent, serializeStoredApproval } from "../realtime/governance";
 import { publishAttentionSnapshot } from "../realtime/attention";
 import { isApprovalRequired } from "../services/governance-service";
@@ -13,6 +13,7 @@ import { isApprovalRequired } from "../services/governance-service";
 const createGoalSchema = z.object({
   projectId: z.string().optional(),
   parentGoalId: z.string().optional(),
+  ownerAgentId: z.string().optional(),
   level: z.enum(["company", "project", "agent"]),
   title: z.string().min(1),
   description: z.string().optional(),
@@ -23,6 +24,7 @@ const updateGoalSchema = z
   .object({
     projectId: z.string().nullable().optional(),
     parentGoalId: z.string().nullable().optional(),
+    ownerAgentId: z.string().nullable().optional(),
     level: z.enum(["company", "project", "agent"]).optional(),
     title: z.string().min(1).optional(),
     description: z.string().nullable().optional(),
@@ -44,10 +46,7 @@ export function createGoalsRouter(ctx: AppContext) {
   });
 
   router.post("/", async (req, res) => {
-    requirePermission("goals:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "goals:write")) return;
     const parsed = createGoalSchema.safeParse(req.body);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);
@@ -76,6 +75,7 @@ export function createGoalsRouter(ctx: AppContext) {
       companyId: req.companyId!,
       projectId: parsed.data.projectId,
       parentGoalId: parsed.data.parentGoalId,
+      ownerAgentId: parsed.data.ownerAgentId,
       level: parsed.data.level,
       title: parsed.data.title,
       description: parsed.data.description
@@ -92,10 +92,7 @@ export function createGoalsRouter(ctx: AppContext) {
   });
 
   router.put("/:goalId", async (req, res) => {
-    requirePermission("goals:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "goals:write")) return;
     const parsed = updateGoalSchema.safeParse(req.body);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);
@@ -118,10 +115,7 @@ export function createGoalsRouter(ctx: AppContext) {
   });
 
   router.delete("/:goalId", async (req, res) => {
-    requirePermission("goals:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "goals:write")) return;
     const deleted = await deleteGoal(ctx.db, req.companyId!, req.params.goalId);
     if (!deleted) {
       return sendError(res, "Goal not found.", 404);

package/src/routes/governance.ts

@@ -14,7 +14,7 @@ import {
 import type { AppContext } from "../context";
 import { sendError, sendOk } from "../http";
 import { requireCompanyScope } from "../middleware/company-scope";
-import { requirePermission } from "../middleware/request-actor";
+import { enforcePermission } from "../middleware/request-actor";
 import { createGovernanceRealtimeEvent, serializeStoredApproval } from "../realtime/governance";
 import { publishAttentionSnapshot } from "../realtime/attention";
 import {
@@ -146,10 +146,7 @@ export function createGovernanceRouter(ctx: AppContext) {
   });
 
   router.post("/resolve", async (req, res) => {
-    requirePermission("governance:resolve")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "governance:resolve")) return;
     const parsed = resolveSchema.safeParse(req.body);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);

package/src/routes/heartbeats.ts

@@ -4,7 +4,7 @@ import { agents, and, eq, heartbeatRuns, listHeartbeatQueueJobs } from "bopodev-
 import type { AppContext } from "../context";
 import { sendError, sendOk } from "../http";
 import { requireCompanyScope } from "../middleware/company-scope";
-import { requirePermission } from "../middleware/request-actor";
+import { enforcePermission } from "../middleware/request-actor";
 import {
   findPendingProjectBudgetOverrideBlocksForAgent,
   runHeartbeatSweep,
@@ -30,10 +30,7 @@ export function createHeartbeatRouter(ctx: AppContext) {
   router.use(requireCompanyScope);
 
   router.post("/run-agent", async (req, res) => {
-    requirePermission("heartbeats:run")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "heartbeats:run")) return;
     const parsed = runAgentSchema.safeParse(req.body);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);
@@ -84,10 +81,7 @@ export function createHeartbeatRouter(ctx: AppContext) {
   });
 
   router.post("/:runId/stop", async (req, res) => {
-    requirePermission("heartbeats:run")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "heartbeats:run")) return;
     const parsed = runIdParamsSchema.safeParse(req.params);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);
@@ -173,10 +167,7 @@ export function createHeartbeatRouter(ctx: AppContext) {
   }
 
   router.post("/:runId/resume", async (req, res) => {
-    requirePermission("heartbeats:run")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "heartbeats:run")) return;
     const parsed = runIdParamsSchema.safeParse(req.params);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);
@@ -200,10 +191,7 @@ export function createHeartbeatRouter(ctx: AppContext) {
   });
 
   router.post("/:runId/redo", async (req, res) => {
-    requirePermission("heartbeats:run")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "heartbeats:run")) return;
     const parsed = runIdParamsSchema.safeParse(req.params);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);
@@ -227,10 +215,7 @@ export function createHeartbeatRouter(ctx: AppContext) {
   });
 
   router.post("/sweep", async (req, res) => {
-    requirePermission("heartbeats:sweep")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "heartbeats:sweep")) return;
     const runIds = await runHeartbeatSweep(ctx.db, req.companyId!, {
       requestId: req.requestId,
       realtimeHub: ctx.realtimeHub
@@ -239,10 +224,7 @@ export function createHeartbeatRouter(ctx: AppContext) {
   });
 
   router.get("/queue", async (req, res) => {
-    requirePermission("heartbeats:run")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "heartbeats:run")) return;
     const parsed = queueQuerySchema.safeParse(req.query);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);