bopodev-api 0.1.28 → 0.1.30

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bopodev-api",
-  "version": "0.1.28",
+  "version": "0.1.30",
   "license": "MIT",
   "type": "module",
   "files": [
@@ -17,9 +17,9 @@
     "nanoid": "^5.1.5",
     "ws": "^8.19.0",
     "zod": "^4.1.5",
-    "bopodev-agent-sdk": "0.1.28",
-    "bopodev-db": "0.1.28",
-    "bopodev-contracts": "0.1.28"
+    "bopodev-contracts": "0.1.30",
+    "bopodev-db": "0.1.30",
+    "bopodev-agent-sdk": "0.1.30"
   },
   "devDependencies": {
     "@types/cors": "^2.8.19",

package/src/app.ts

@@ -1,8 +1,6 @@
-import cors from "cors";
 import express from "express";
 import type { NextFunction, Request, Response } from "express";
-import { RepositoryValidationError, sql } from "bopodev-db";
-import { nanoid } from "nanoid";
+import { pingDatabase, RepositoryValidationError } from "bopodev-db";
 import type { AppContext } from "./context";
 import { createAgentsRouter } from "./routes/agents";
 import { createAuthRouter } from "./routes/auth";
@@ -17,6 +15,9 @@ import { createProjectsRouter } from "./routes/projects";
 import { createPluginsRouter } from "./routes/plugins";
 import { createTemplatesRouter } from "./routes/templates";
 import { sendError } from "./http";
+import { createCorsMiddleware } from "./middleware/cors-config";
+import { attachCrudRequestLogging } from "./middleware/request-logging";
+import { attachRequestId } from "./middleware/request-id";
 import { attachRequestActor } from "./middleware/request-actor";
 import { resolveAllowedOrigins, resolveDeploymentMode } from "./security/deployment-mode";
 
@@ -24,75 +25,20 @@ export function createApp(ctx: AppContext) {
   const app = express();
   const deploymentMode = ctx.deploymentMode ?? resolveDeploymentMode();
   const allowedOrigins = ctx.allowedOrigins ?? resolveAllowedOrigins(deploymentMode);
-  app.use(
-    cors({
-      origin(origin, callback) {
-        if (!origin) {
-          callback(null, true);
-          return;
-        }
-        if (
-          deploymentMode === "local" &&
-          (origin.startsWith("http://localhost:") || origin.startsWith("http://127.0.0.1:"))
-        ) {
-          callback(null, true);
-          return;
-        }
-        if (allowedOrigins.includes(origin)) {
-          callback(null, true);
-          return;
-        }
-        callback(new Error(`CORS origin denied: ${origin}`));
-      },
-      credentials: true,
-      methods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
-      allowedHeaders: [
-        "content-type",
-        "x-company-id",
-        "authorization",
-        "x-client-trace-id",
-        "x-bopo-actor-token",
-        "x-request-id",
-        "x-bopodev-run-id"
-      ]
-    })
-  );
+  app.use(createCorsMiddleware(deploymentMode, allowedOrigins));
   app.use(express.json());
   app.use(attachRequestActor);
-
-  app.use((req, res, next) => {
-    const requestId = req.header("x-request-id")?.trim() || nanoid(14);
-    req.requestId = requestId;
-    res.setHeader("x-request-id", requestId);
-    next();
-  });
+  app.use(attachRequestId);
   const logApiRequests = process.env.BOPO_LOG_API_REQUESTS !== "0";
   if (logApiRequests) {
-    app.use((req, res, next) => {
-      if (req.path === "/health") {
-        next();
-        return;
-      }
-      const method = req.method.toUpperCase();
-      if (!isCrudMethod(method)) {
-        next();
-        return;
-      }
-      const startedAt = Date.now();
-      res.on("finish", () => {
-        const elapsedMs = Date.now() - startedAt;
-        const timestamp = new Date().toTimeString().slice(0, 8);
-        process.stderr.write(`[${timestamp}] INFO: ${method} ${req.originalUrl} ${res.statusCode} ${elapsedMs}ms\n`);
-      });
-      next();
-    });
+    app.use(attachCrudRequestLogging);
   }
 
   app.get("/health", async (_req, res) => {
     let dbReady = false;
     let dbError: string | undefined;
     try {
-      await ctx.db.execute(sql`SELECT 1`);
+      await pingDatabase(ctx.db);
       dbReady = true;
     } catch (error) {
       dbError = String(error);
@@ -126,18 +72,20 @@ export function createApp(ctx: AppContext) {
   app.use("/plugins", createPluginsRouter(ctx));
   app.use("/templates", createTemplatesRouter(ctx));
 
-  app.use((error: unknown, _req: Request, res: Response, _next: NextFunction) => {
+  app.use((error: unknown, req: Request, res: Response, _next: NextFunction) => {
     if (error instanceof RepositoryValidationError) {
       return sendError(res, error.message, 422);
     }
-    // eslint-disable-next-line no-console
-    console.error(error);
+    const requestId = req.requestId;
+    if (requestId) {
+      // eslint-disable-next-line no-console
+      console.error(`[request ${requestId}]`, error);
+    } else {
+      // eslint-disable-next-line no-console
+      console.error(error);
+    }
     return sendError(res, "Internal server error", 500);
   });
 
   return app;
 }
-
-function isCrudMethod(method: string) {
-  return method === "GET" || method === "POST" || method === "PUT" || method === "PATCH" || method === "DELETE";
-}

package/src/lib/ceo-bootstrap-prompt.ts

@@ -5,6 +5,7 @@ export function buildDefaultCeoBootstrapPrompt() {
     "- Clarify missing constraints before hiring when requirements are ambiguous.",
     "- Choose reporting lines, provider, model, and permissions that fit company goals and budget.",
     "- Use governance-safe hiring via `POST /agents` with `requestApproval: true` unless explicitly told otherwise.",
+    "- Always set `capabilities` on every new hire: one or two sentences describing what they do, for the org chart and team roster (delegation). If the issue metadata or body specifies requested capabilities, use or refine that text; if missing, write an appropriate line from the role and request details.",
     "- Avoid duplicate hires by checking existing agents and pending approvals first.",
     "- Use the control-plane coordination skill as the source of truth for endpoint paths, required headers, and approval workflow steps.",
     "- Record hiring rationale and key decisions in issue comments for auditability."

package/src/lib/run-artifact-paths.ts

@@ -70,6 +70,14 @@ function normalizeWorkspaceRelativeArtifactPath(value: string) {
   }
   const workspaceScopedMatch = normalized.match(/(?:^|\/)workspace\/([^/]+)\/(.+)$/);
   if (!workspaceScopedMatch) {
+    const projectAgentsMatch = normalized.match(/(?:^|\/)projects\/agents\/([^/]+)\/operating\/(.+)$/);
+    if (projectAgentsMatch) {
+      const [, agentId, suffix] = projectAgentsMatch;
+      if (!agentId || !suffix) {
+        return "";
+      }
+      return `agents/${agentId}/operating/${suffix}`;
+    }
     return normalized;
   }
   const scopedRelativePath = workspaceScopedMatch[2];

package/src/middleware/cors-config.ts

@@ -0,0 +1,36 @@
+import cors from "cors";
+import type { DeploymentMode } from "../security/deployment-mode";
+
+export function createCorsMiddleware(deploymentMode: DeploymentMode, allowedOrigins: string[]) {
+  return cors({
+    origin(origin, callback) {
+      if (!origin) {
+        callback(null, true);
+        return;
+      }
+      if (
+        deploymentMode === "local" &&
+        (origin.startsWith("http://localhost:") || origin.startsWith("http://127.0.0.1:"))
+      ) {
+        callback(null, true);
+        return;
+      }
+      if (allowedOrigins.includes(origin)) {
+        callback(null, true);
+        return;
+      }
+      callback(new Error(`CORS origin denied: ${origin}`));
+    },
+    credentials: true,
+    methods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+    allowedHeaders: [
+      "content-type",
+      "x-company-id",
+      "authorization",
+      "x-client-trace-id",
+      "x-bopo-actor-token",
+      "x-request-id",
+      "x-bopodev-run-id"
+    ]
+  });
+}

package/src/middleware/request-actor.ts

@@ -3,23 +3,9 @@ import { RequestActorHeadersSchema } from "bopodev-contracts";
 import { sendError } from "../http";
 import { verifyActorToken } from "../security/actor-token";
 import { isAuthenticatedMode, resolveDeploymentMode } from "../security/deployment-mode";
+import type { RequestActor } from "../types/request-actor";
 
-export type RequestActor = {
-  type: "board" | "member" | "agent";
-  id: string;
-  companyIds: string[] | null;
-  permissions: string[];
-};
-
-declare global {
-  namespace Express {
-    interface Request {
-      actor?: RequestActor;
-      companyId?: string;
-      requestId?: string;
-    }
-  }
-}
+export type { RequestActor };
 
 export function attachRequestActor(req: Request, res: Response, next: NextFunction) {
   const deploymentMode = resolveDeploymentMode();
@@ -136,6 +122,14 @@ export function requirePermission(permission: string) {
   };
 }
 
+export function enforcePermission(req: Request, res: Response, permission: string): boolean {
+  let allowed = false;
+  requirePermission(permission)(req, res, () => {
+    allowed = true;
+  });
+  return allowed;
+}
+
 export function requireBoardRole(req: Request, res: Response, next: NextFunction) {
   if (req.actor?.type !== "board") {
     return sendError(res, "Board role required.", 403);

package/src/middleware/request-id.ts

@@ -0,0 +1,9 @@
+import type { NextFunction, Request, Response } from "express";
+import { nanoid } from "nanoid";
+
+export function attachRequestId(req: Request, res: Response, next: NextFunction) {
+  const requestId = req.header("x-request-id")?.trim() || nanoid(14);
+  req.requestId = requestId;
+  res.setHeader("x-request-id", requestId);
+  next();
+}

package/src/middleware/request-logging.ts

@@ -0,0 +1,24 @@
+import type { NextFunction, Request, Response } from "express";
+
+function isCrudMethod(method: string) {
+  return method === "GET" || method === "POST" || method === "PUT" || method === "PATCH" || method === "DELETE";
+}
+
+export function attachCrudRequestLogging(req: Request, res: Response, next: NextFunction) {
+  if (req.path === "/health") {
+    next();
+    return;
+  }
+  const method = req.method.toUpperCase();
+  if (!isCrudMethod(method)) {
+    next();
+    return;
+  }
+  const startedAt = Date.now();
+  res.on("finish", () => {
+    const elapsedMs = Date.now() - startedAt;
+    const timestamp = new Date().toTimeString().slice(0, 8);
+    process.stderr.write(`[${timestamp}] INFO: ${method} ${req.originalUrl} ${res.statusCode} ${elapsedMs}ms\n`);
+  });
+  next();
+}

package/src/realtime/office-space.ts

@@ -437,6 +437,7 @@ function normalizeProviderType(value: string): OfficeOccupant["providerType"] {
     value === "gemini_cli" ||
     value === "openai_api" ||
     value === "anthropic_api" ||
+    value === "openclaw_gateway" ||
     value === "http" ||
     value === "shell"
     ? value

package/src/routes/agents.ts

@@ -1,4 +1,4 @@
-import { Router } from "express";
+import { Router, type Response } from "express";
 import { mkdir } from "node:fs/promises";
 import { z } from "zod";
 import {
@@ -37,7 +37,7 @@ import { resolveHiringDelegate } from "../lib/hiring-delegate";
 import { resolveOpencodeRuntimeModel } from "../lib/opencode-model";
 import { assertRuntimeCwdForCompany, hasText, resolveDefaultRuntimeCwdForCompany } from "../lib/workspace-policy";
 import { requireCompanyScope } from "../middleware/company-scope";
-import { requireBoardRole, requirePermission } from "../middleware/request-actor";
+import { enforcePermission, requireBoardRole, requirePermission } from "../middleware/request-actor";
 import { createGovernanceRealtimeEvent, serializeStoredApproval } from "../realtime/governance";
 import { publishAttentionSnapshot } from "../realtime/attention";
 import {
@@ -82,17 +82,25 @@ const runtimePreflightSchema = z.object({
     "gemini_cli",
     "openai_api",
     "anthropic_api",
+    "openclaw_gateway",
     "http",
     "shell"
   ]),
   runtimeConfig: z.record(z.string(), z.unknown()).optional(),
   ...legacyRuntimeConfigSchema.shape
 });
+
+/** Body for POST /agents/adapter-models/:providerType (runtime for CLI discovery). */
+const adapterModelsBodySchema = z.object({
+  runtimeConfig: z.record(z.string(), z.unknown()).optional(),
+  ...legacyRuntimeConfigSchema.shape
+});
 const UPDATE_AGENT_ALLOWED_KEYS = new Set([
   "managerAgentId",
   "role",
   "roleKey",
   "title",
+  "capabilities",
   "name",
   "providerType",
   "status",
@@ -135,7 +143,7 @@ function toAgentResponse(agent: Record<string, unknown>) {
 }
 
 function providerRequiresNamedModel(providerType: string) {
-  return providerType !== "http" && providerType !== "shell";
+  return providerType !== "http" && providerType !== "shell" && providerType !== "openclaw_gateway";
 }
 
 const agentResponseSchema = AgentSchema.extend({
@@ -149,6 +157,66 @@ function ensureNamedRuntimeModel(providerType: string, runtimeModel: string | un
   return hasText(runtimeModel);
 }
 
+type AdapterModelsProviderType = NonNullable<z.infer<typeof runtimePreflightSchema>["providerType"]>;
+
+async function handleAdapterModelsRequest(
+  ctx: AppContext,
+  res: Response,
+  companyId: string,
+  providerType: string,
+  parsedBody: z.infer<typeof adapterModelsBodySchema> | null
+) {
+  if (!runtimePreflightSchema.shape.providerType.safeParse(providerType).success) {
+    return sendError(res, `Unsupported provider type: ${providerType}`, 422);
+  }
+  const defaultRuntimeCwd = await resolveDefaultRuntimeCwdForCompany(ctx.db, companyId);
+  let runtimeConfig: ReturnType<typeof normalizeRuntimeConfig>;
+  try {
+    if (parsedBody) {
+      runtimeConfig = normalizeRuntimeConfig({
+        runtimeConfig: parsedBody.runtimeConfig,
+        legacy: {
+          runtimeCommand: parsedBody.runtimeCommand,
+          runtimeArgs: parsedBody.runtimeArgs,
+          runtimeCwd: parsedBody.runtimeCwd,
+          runtimeTimeoutMs: parsedBody.runtimeTimeoutMs,
+          runtimeModel: parsedBody.runtimeModel,
+          runtimeThinkingEffort: parsedBody.runtimeThinkingEffort,
+          bootstrapPrompt: parsedBody.bootstrapPrompt,
+          runtimeTimeoutSec: parsedBody.runtimeTimeoutSec,
+          interruptGraceSec: parsedBody.interruptGraceSec,
+          runtimeEnv: parsedBody.runtimeEnv,
+          runPolicy: parsedBody.runPolicy
+        },
+        defaultRuntimeCwd
+      });
+    } else {
+      runtimeConfig = normalizeRuntimeConfig({ defaultRuntimeCwd });
+    }
+    runtimeConfig = enforceRuntimeCwdPolicy(companyId, runtimeConfig);
+  } catch (error) {
+    return sendError(res, String(error), 422);
+  }
+
+  if (parsedBody && runtimeConfig.runtimeCwd) {
+    await mkdir(runtimeConfig.runtimeCwd, { recursive: true });
+  }
+
+  const typedProviderType = providerType as AdapterModelsProviderType;
+  const models = await getAdapterModels(typedProviderType, {
+    command: runtimeConfig.runtimeCommand,
+    args: runtimeConfig.runtimeArgs,
+    cwd: runtimeConfig.runtimeCwd,
+    env: runtimeConfig.runtimeEnv,
+    model: runtimeConfig.runtimeModel,
+    thinkingEffort: runtimeConfig.runtimeThinkingEffort,
+    timeoutMs: runtimeConfig.runtimeTimeoutSec > 0 ? runtimeConfig.runtimeTimeoutSec * 1000 : undefined,
+    interruptGraceSec: runtimeConfig.interruptGraceSec,
+    runPolicy: runtimeConfig.runPolicy
+  });
+  return sendOk(res, { providerType: typedProviderType, models });
+}
+
 export function createAgentsRouter(ctx: AppContext) {
   const router = Router();
   router.use(requireCompanyScope);
@@ -229,42 +297,16 @@ export function createAgentsRouter(ctx: AppContext) {
 
   router.get("/adapter-models/:providerType", async (req, res) => {
     const providerType = req.params.providerType;
-    if (!runtimePreflightSchema.shape.providerType.safeParse(providerType).success) {
-      return sendError(res, `Unsupported provider type: ${providerType}`, 422);
-    }
-    const defaultRuntimeCwd = await resolveDefaultRuntimeCwdForCompany(ctx.db, req.companyId!);
-    let runtimeConfig: ReturnType<typeof normalizeRuntimeConfig>;
-    try {
-      runtimeConfig = normalizeRuntimeConfig({
-        runtimeConfig: req.body?.runtimeConfig,
-        defaultRuntimeCwd
-      });
-      runtimeConfig = enforceRuntimeCwdPolicy(req.companyId!, runtimeConfig);
-    } catch (error) {
-      return sendError(res, String(error), 422);
+    return handleAdapterModelsRequest(ctx, res, req.companyId!, providerType, null);
+  });
+
+  router.post("/adapter-models/:providerType", async (req, res) => {
+    const providerType = req.params.providerType;
+    const parsed = adapterModelsBodySchema.safeParse(req.body ?? {});
+    if (!parsed.success) {
+      return sendError(res, parsed.error.message, 422);
     }
-    const typedProviderType = providerType as
-      | "claude_code"
-      | "codex"
-      | "cursor"
-      | "opencode"
-      | "gemini_cli"
-      | "openai_api"
-      | "anthropic_api"
-      | "http"
-      | "shell";
-    const models = await getAdapterModels(typedProviderType, {
-      command: runtimeConfig.runtimeCommand,
-      args: runtimeConfig.runtimeArgs,
-      cwd: runtimeConfig.runtimeCwd,
-      env: runtimeConfig.runtimeEnv,
-      model: runtimeConfig.runtimeModel,
-      thinkingEffort: runtimeConfig.runtimeThinkingEffort,
-      timeoutMs: runtimeConfig.runtimeTimeoutSec > 0 ? runtimeConfig.runtimeTimeoutSec * 1000 : undefined,
-      interruptGraceSec: runtimeConfig.interruptGraceSec,
-      runPolicy: runtimeConfig.runPolicy
-    });
-    return sendOk(res, { providerType: typedProviderType, models });
+    return handleAdapterModelsRequest(ctx, res, req.companyId!, providerType, parsed.data);
   });
 
   router.post("/runtime-preflight", async (req, res) => {
@@ -425,6 +467,7 @@ export function createAgentsRouter(ctx: AppContext) {
       role: resolveAgentRoleText(parsed.data.role, parsed.data.roleKey, parsed.data.title),
       roleKey: normalizeRoleKey(parsed.data.roleKey),
       title: normalizeTitle(parsed.data.title),
+      capabilities: normalizeCapabilities(parsed.data.capabilities),
       name: parsed.data.name,
       providerType: parsed.data.providerType,
       heartbeatCron: parsed.data.heartbeatCron,
@@ -573,6 +616,8 @@ export function createAgentsRouter(ctx: AppContext) {
             : undefined,
         roleKey: parsed.data.roleKey !== undefined ? normalizeRoleKey(parsed.data.roleKey) : undefined,
         title: parsed.data.title !== undefined ? normalizeTitle(parsed.data.title) : undefined,
+        capabilities:
+          parsed.data.capabilities !== undefined ? normalizeCapabilities(parsed.data.capabilities) : undefined,
         name: parsed.data.name,
         providerType: parsed.data.providerType,
         status: parsed.data.status,
@@ -629,10 +674,7 @@ export function createAgentsRouter(ctx: AppContext) {
   });
 
   router.post("/:agentId/pause", async (req, res) => {
-    requirePermission("agents:lifecycle")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "agents:lifecycle")) return;
     const agent = await updateAgent(ctx.db, {
       companyId: req.companyId!,
       id: req.params.agentId,
@@ -656,10 +698,7 @@ export function createAgentsRouter(ctx: AppContext) {
   });
 
   router.post("/:agentId/resume", async (req, res) => {
-    requirePermission("agents:lifecycle")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "agents:lifecycle")) return;
     const agent = await updateAgent(ctx.db, {
       companyId: req.companyId!,
       id: req.params.agentId,
@@ -829,6 +868,11 @@ function normalizeTitle(input: string | null | undefined) {
   return normalized ? normalized : null;
 }
 
+function normalizeCapabilities(input: string | null | undefined) {
+  const normalized = input?.trim();
+  return normalized ? normalized : null;
+}
+
 function resolveAgentRoleText(
   legacyRole: string | undefined,
   roleKeyInput: string | null | undefined,

package/src/routes/companies.ts

@@ -10,6 +10,7 @@ import { normalizeRuntimeConfig, resolveRuntimeModelForProvider, runtimeConfigTo
 import { buildDefaultCeoBootstrapPrompt } from "../lib/ceo-bootstrap-prompt";
 import { resolveOpencodeRuntimeModel } from "../lib/opencode-model";
 import { resolveDefaultRuntimeCwdForCompany } from "../lib/workspace-policy";
+import { buildCompanyPortabilityExport } from "../services/company-export-service";
 import { canAccessCompany, requireBoardRole, requirePermission } from "../middleware/request-actor";
 import { ensureCompanyBuiltinPluginDefaults } from "../services/plugin-runtime";
 import { ensureCompanyBuiltinTemplateDefaults } from "../services/template-catalog";
@@ -21,7 +22,7 @@ const createCompanySchema = z.object({
   name: z.string().min(1),
   mission: z.string().optional(),
   providerType: z
-    .enum(["codex", "claude_code", "cursor", "gemini_cli", "opencode", "openai_api", "anthropic_api", "shell"])
+    .enum(["codex", "claude_code", "cursor", "gemini_cli", "opencode", "openai_api", "anthropic_api", "http", "shell"])
     .optional(),
   runtimeModel: z.string().optional()
 });
@@ -53,6 +54,21 @@ export function createCompaniesRouter(ctx: AppContext) {
     );
   });
 
+  router.get("/:companyId/export", async (req, res) => {
+    const companyId = readCompanyIdParam(req);
+    if (!companyId) {
+      return sendError(res, "Missing company id.", 422);
+    }
+    if (!canAccessCompany(req, companyId)) {
+      return sendError(res, "Actor does not have access to this company.", 403);
+    }
+    const payload = await buildCompanyPortabilityExport(ctx.db, companyId);
+    if (!payload) {
+      return sendError(res, "Company not found.", 404);
+    }
+    return sendOk(res, payload);
+  });
+
   router.post("/", requireBoardRole, async (req, res) => {
     const parsed = createCompanySchema.safeParse(req.body);
     if (!parsed.success) {
@@ -98,6 +114,8 @@ export function createCompaniesRouter(ctx: AppContext) {
       role: "CEO",
       roleKey: "ceo",
       title: "CEO",
+      capabilities:
+        "Company leadership: priorities, hiring, governance, and aligning agents to mission and budget.",
       name: "CEO",
       providerType,
       heartbeatCron: "*/5 * * * *",
@@ -171,6 +189,7 @@ function parseAgentProvider(value: unknown) {
     value === "opencode" ||
     value === "openai_api" ||
     value === "anthropic_api" ||
+    value === "http" ||
     value === "shell"
   ) {
     return value;

package/src/routes/goals.ts

@@ -5,7 +5,7 @@ import { appendAuditEvent, createApprovalRequest, createGoal, deleteGoal, getApp
 import type { AppContext } from "../context";
 import { sendError, sendOk, sendOkValidated } from "../http";
 import { requireCompanyScope } from "../middleware/company-scope";
-import { requirePermission } from "../middleware/request-actor";
+import { enforcePermission } from "../middleware/request-actor";
 import { createGovernanceRealtimeEvent, serializeStoredApproval } from "../realtime/governance";
 import { publishAttentionSnapshot } from "../realtime/attention";
 import { isApprovalRequired } from "../services/governance-service";
@@ -13,6 +13,7 @@ import { isApprovalRequired } from "../services/governance-service";
 const createGoalSchema = z.object({
   projectId: z.string().optional(),
   parentGoalId: z.string().optional(),
+  ownerAgentId: z.string().optional(),
   level: z.enum(["company", "project", "agent"]),
   title: z.string().min(1),
   description: z.string().optional(),
@@ -23,6 +24,7 @@ const updateGoalSchema = z
   .object({
     projectId: z.string().nullable().optional(),
     parentGoalId: z.string().nullable().optional(),
+    ownerAgentId: z.string().nullable().optional(),
     level: z.enum(["company", "project", "agent"]).optional(),
     title: z.string().min(1).optional(),
     description: z.string().nullable().optional(),
@@ -44,10 +46,7 @@ export function createGoalsRouter(ctx: AppContext) {
   });
 
   router.post("/", async (req, res) => {
-    requirePermission("goals:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "goals:write")) return;
     const parsed = createGoalSchema.safeParse(req.body);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);
@@ -76,6 +75,7 @@ export function createGoalsRouter(ctx: AppContext) {
       companyId: req.companyId!,
       projectId: parsed.data.projectId,
       parentGoalId: parsed.data.parentGoalId,
+      ownerAgentId: parsed.data.ownerAgentId,
       level: parsed.data.level,
       title: parsed.data.title,
       description: parsed.data.description
@@ -92,10 +92,7 @@ export function createGoalsRouter(ctx: AppContext) {
   });
 
   router.put("/:goalId", async (req, res) => {
-    requirePermission("goals:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "goals:write")) return;
     const parsed = updateGoalSchema.safeParse(req.body);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);
@@ -118,10 +115,7 @@ export function createGoalsRouter(ctx: AppContext) {
   });
 
   router.delete("/:goalId", async (req, res) => {
-    requirePermission("goals:write")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "goals:write")) return;
     const deleted = await deleteGoal(ctx.db, req.companyId!, req.params.goalId);
     if (!deleted) {
       return sendError(res, "Goal not found.", 404);

package/src/routes/governance.ts

@@ -14,7 +14,7 @@ import {
 import type { AppContext } from "../context";
 import { sendError, sendOk } from "../http";
 import { requireCompanyScope } from "../middleware/company-scope";
-import { requirePermission } from "../middleware/request-actor";
+import { enforcePermission } from "../middleware/request-actor";
 import { createGovernanceRealtimeEvent, serializeStoredApproval } from "../realtime/governance";
 import { publishAttentionSnapshot } from "../realtime/attention";
 import {
@@ -146,10 +146,7 @@ export function createGovernanceRouter(ctx: AppContext) {
   });
 
   router.post("/resolve", async (req, res) => {
-    requirePermission("governance:resolve")(req, res, () => {});
-    if (res.headersSent) {
-      return;
-    }
+    if (!enforcePermission(req, res, "governance:resolve")) return;
     const parsed = resolveSchema.safeParse(req.body);
     if (!parsed.success) {
       return sendError(res, parsed.error.message, 422);