bopodev-api 0.1.29 → 0.1.31

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bopodev-api",
-  "version": "0.1.29",
+  "version": "0.1.31",
   "license": "MIT",
   "type": "module",
   "files": [
@@ -17,9 +17,9 @@
     "nanoid": "^5.1.5",
     "ws": "^8.19.0",
     "zod": "^4.1.5",
-    "bopodev-contracts": "0.1.29",
-    "bopodev-agent-sdk": "0.1.29",
-    "bopodev-db": "0.1.29"
+    "bopodev-db": "0.1.31",
+    "bopodev-agent-sdk": "0.1.31",
+    "bopodev-contracts": "0.1.31"
   },
   "devDependencies": {
     "@types/cors": "^2.8.19",

package/src/app.ts

@@ -10,6 +10,7 @@ import { createGoalsRouter } from "./routes/goals";
 import { createGovernanceRouter } from "./routes/governance";
 import { createHeartbeatRouter } from "./routes/heartbeats";
 import { createIssuesRouter } from "./routes/issues";
+import { createLoopsRouter } from "./routes/loops";
 import { createObservabilityRouter } from "./routes/observability";
 import { createProjectsRouter } from "./routes/projects";
 import { createPluginsRouter } from "./routes/plugins";
@@ -64,6 +65,7 @@ export function createApp(ctx: AppContext) {
   app.use("/companies", createCompaniesRouter(ctx));
   app.use("/projects", createProjectsRouter(ctx));
   app.use("/issues", createIssuesRouter(ctx));
+  app.use("/loops", createLoopsRouter(ctx));
   app.use("/goals", createGoalsRouter(ctx));
   app.use("/agents", createAgentsRouter(ctx));
   app.use("/governance", createGovernanceRouter(ctx));

package/src/lib/ceo-bootstrap-prompt.ts

@@ -5,6 +5,7 @@ export function buildDefaultCeoBootstrapPrompt() {
     "- Clarify missing constraints before hiring when requirements are ambiguous.",
     "- Choose reporting lines, provider, model, and permissions that fit company goals and budget.",
     "- Use governance-safe hiring via `POST /agents` with `requestApproval: true` unless explicitly told otherwise.",
+    "- Always set `capabilities` on every new hire: one or two sentences describing what they do, for the org chart and team roster (delegation). If the issue metadata or body specifies requested capabilities, use or refine that text; if missing, write an appropriate line from the role and request details.",
     "- Avoid duplicate hires by checking existing agents and pending approvals first.",
     "- Use the control-plane coordination skill as the source of truth for endpoint paths, required headers, and approval workflow steps.",
     "- Record hiring rationale and key decisions in issue comments for auditability."

package/src/lib/instance-paths.ts

@@ -78,6 +78,11 @@ export function resolveAgentMemoryRootPath(companyId: string, agentId: string) {
   return join(resolveAgentFallbackWorkspacePath(companyId, agentId), "memory");
 }
 
+/** Agent operating docs (AGENTS.md, HEARTBEAT.md, etc.) — matches `BOPODEV_AGENT_OPERATING_DIR` at runtime. */
+export function resolveAgentOperatingPath(companyId: string, agentId: string) {
+  return join(resolveAgentFallbackWorkspacePath(companyId, agentId), "operating");
+}
+
 export function resolveCompanyMemoryRootPath(companyId: string) {
   const safeCompanyId = assertPathSegment(companyId, "companyId");
   return join(resolveBopoInstanceRoot(), "workspaces", safeCompanyId, "memory");

package/src/middleware/cors-config.ts

@@ -22,7 +22,7 @@ export function createCorsMiddleware(deploymentMode: DeploymentMode, allowedOrig
       callback(new Error(`CORS origin denied: ${origin}`));
     },
     credentials: true,
-    methods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+    methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
     allowedHeaders: [
       "content-type",
       "x-company-id",

package/src/realtime/office-space.ts

@@ -437,6 +437,7 @@ function normalizeProviderType(value: string): OfficeOccupant["providerType"] {
     value === "gemini_cli" ||
     value === "openai_api" ||
     value === "anthropic_api" ||
+    value === "openclaw_gateway" ||
     value === "http" ||
     value === "shell"
     ? value

package/src/routes/agents.ts

@@ -1,4 +1,4 @@
-import { Router } from "express";
+import { Router, type Response } from "express";
 import { mkdir } from "node:fs/promises";
 import { z } from "zod";
 import {
@@ -82,17 +82,25 @@ const runtimePreflightSchema = z.object({
     "gemini_cli",
     "openai_api",
     "anthropic_api",
+    "openclaw_gateway",
     "http",
     "shell"
   ]),
   runtimeConfig: z.record(z.string(), z.unknown()).optional(),
   ...legacyRuntimeConfigSchema.shape
 });
+
+/** Body for POST /agents/adapter-models/:providerType (runtime for CLI discovery). */
+const adapterModelsBodySchema = z.object({
+  runtimeConfig: z.record(z.string(), z.unknown()).optional(),
+  ...legacyRuntimeConfigSchema.shape
+});
 const UPDATE_AGENT_ALLOWED_KEYS = new Set([
   "managerAgentId",
   "role",
   "roleKey",
   "title",
+  "capabilities",
   "name",
   "providerType",
   "status",
@@ -135,7 +143,7 @@ function toAgentResponse(agent: Record<string, unknown>) {
 }
 
 function providerRequiresNamedModel(providerType: string) {
-  return providerType !== "http" && providerType !== "shell";
+  return providerType !== "http" && providerType !== "shell" && providerType !== "openclaw_gateway";
 }
 
 const agentResponseSchema = AgentSchema.extend({
@@ -149,6 +157,66 @@ function ensureNamedRuntimeModel(providerType: string, runtimeModel: string | un
   return hasText(runtimeModel);
 }
 
+type AdapterModelsProviderType = NonNullable<z.infer<typeof runtimePreflightSchema>["providerType"]>;
+
+async function handleAdapterModelsRequest(
+  ctx: AppContext,
+  res: Response,
+  companyId: string,
+  providerType: string,
+  parsedBody: z.infer<typeof adapterModelsBodySchema> | null
+) {
+  if (!runtimePreflightSchema.shape.providerType.safeParse(providerType).success) {
+    return sendError(res, `Unsupported provider type: ${providerType}`, 422);
+  }
+  const defaultRuntimeCwd = await resolveDefaultRuntimeCwdForCompany(ctx.db, companyId);
+  let runtimeConfig: ReturnType<typeof normalizeRuntimeConfig>;
+  try {
+    if (parsedBody) {
+      runtimeConfig = normalizeRuntimeConfig({
+        runtimeConfig: parsedBody.runtimeConfig,
+        legacy: {
+          runtimeCommand: parsedBody.runtimeCommand,
+          runtimeArgs: parsedBody.runtimeArgs,
+          runtimeCwd: parsedBody.runtimeCwd,
+          runtimeTimeoutMs: parsedBody.runtimeTimeoutMs,
+          runtimeModel: parsedBody.runtimeModel,
+          runtimeThinkingEffort: parsedBody.runtimeThinkingEffort,
+          bootstrapPrompt: parsedBody.bootstrapPrompt,
+          runtimeTimeoutSec: parsedBody.runtimeTimeoutSec,
+          interruptGraceSec: parsedBody.interruptGraceSec,
+          runtimeEnv: parsedBody.runtimeEnv,
+          runPolicy: parsedBody.runPolicy
+        },
+        defaultRuntimeCwd
+      });
+    } else {
+      runtimeConfig = normalizeRuntimeConfig({ defaultRuntimeCwd });
+    }
+    runtimeConfig = enforceRuntimeCwdPolicy(companyId, runtimeConfig);
+  } catch (error) {
+    return sendError(res, String(error), 422);
+  }
+
+  if (parsedBody && runtimeConfig.runtimeCwd) {
+    await mkdir(runtimeConfig.runtimeCwd, { recursive: true });
+  }
+
+  const typedProviderType = providerType as AdapterModelsProviderType;
+  const models = await getAdapterModels(typedProviderType, {
+    command: runtimeConfig.runtimeCommand,
+    args: runtimeConfig.runtimeArgs,
+    cwd: runtimeConfig.runtimeCwd,
+    env: runtimeConfig.runtimeEnv,
+    model: runtimeConfig.runtimeModel,
+    thinkingEffort: runtimeConfig.runtimeThinkingEffort,
+    timeoutMs: runtimeConfig.runtimeTimeoutSec > 0 ? runtimeConfig.runtimeTimeoutSec * 1000 : undefined,
+    interruptGraceSec: runtimeConfig.interruptGraceSec,
+    runPolicy: runtimeConfig.runPolicy
+  });
+  return sendOk(res, { providerType: typedProviderType, models });
+}
+
 export function createAgentsRouter(ctx: AppContext) {
   const router = Router();
   router.use(requireCompanyScope);
@@ -229,42 +297,16 @@ export function createAgentsRouter(ctx: AppContext) {
 
   router.get("/adapter-models/:providerType", async (req, res) => {
     const providerType = req.params.providerType;
-    if (!runtimePreflightSchema.shape.providerType.safeParse(providerType).success) {
-      return sendError(res, `Unsupported provider type: ${providerType}`, 422);
-    }
-    const defaultRuntimeCwd = await resolveDefaultRuntimeCwdForCompany(ctx.db, req.companyId!);
-    let runtimeConfig: ReturnType<typeof normalizeRuntimeConfig>;
-    try {
-      runtimeConfig = normalizeRuntimeConfig({
-        runtimeConfig: req.body?.runtimeConfig,
-        defaultRuntimeCwd
-      });
-      runtimeConfig = enforceRuntimeCwdPolicy(req.companyId!, runtimeConfig);
-    } catch (error) {
-      return sendError(res, String(error), 422);
+    return handleAdapterModelsRequest(ctx, res, req.companyId!, providerType, null);
+  });
+
+  router.post("/adapter-models/:providerType", async (req, res) => {
+    const providerType = req.params.providerType;
+    const parsed = adapterModelsBodySchema.safeParse(req.body ?? {});
+    if (!parsed.success) {
+      return sendError(res, parsed.error.message, 422);
     }
-    const typedProviderType = providerType as
-      | "claude_code"
-      | "codex"
-      | "cursor"
-      | "opencode"
-      | "gemini_cli"
-      | "openai_api"
-      | "anthropic_api"
-      | "http"
-      | "shell";
-    const models = await getAdapterModels(typedProviderType, {
-      command: runtimeConfig.runtimeCommand,
-      args: runtimeConfig.runtimeArgs,
-      cwd: runtimeConfig.runtimeCwd,
-      env: runtimeConfig.runtimeEnv,
-      model: runtimeConfig.runtimeModel,
-      thinkingEffort: runtimeConfig.runtimeThinkingEffort,
-      timeoutMs: runtimeConfig.runtimeTimeoutSec > 0 ? runtimeConfig.runtimeTimeoutSec * 1000 : undefined,
-      interruptGraceSec: runtimeConfig.interruptGraceSec,
-      runPolicy: runtimeConfig.runPolicy
-    });
-    return sendOk(res, { providerType: typedProviderType, models });
+    return handleAdapterModelsRequest(ctx, res, req.companyId!, providerType, parsed.data);
   });
 
   router.post("/runtime-preflight", async (req, res) => {
@@ -425,6 +467,7 @@ export function createAgentsRouter(ctx: AppContext) {
       role: resolveAgentRoleText(parsed.data.role, parsed.data.roleKey, parsed.data.title),
       roleKey: normalizeRoleKey(parsed.data.roleKey),
       title: normalizeTitle(parsed.data.title),
+      capabilities: normalizeCapabilities(parsed.data.capabilities),
       name: parsed.data.name,
       providerType: parsed.data.providerType,
       heartbeatCron: parsed.data.heartbeatCron,
@@ -573,6 +616,8 @@ export function createAgentsRouter(ctx: AppContext) {
             : undefined,
         roleKey: parsed.data.roleKey !== undefined ? normalizeRoleKey(parsed.data.roleKey) : undefined,
         title: parsed.data.title !== undefined ? normalizeTitle(parsed.data.title) : undefined,
+        capabilities:
+          parsed.data.capabilities !== undefined ? normalizeCapabilities(parsed.data.capabilities) : undefined,
         name: parsed.data.name,
         providerType: parsed.data.providerType,
         status: parsed.data.status,
@@ -823,6 +868,11 @@ function normalizeTitle(input: string | null | undefined) {
   return normalized ? normalized : null;
 }
 
+function normalizeCapabilities(input: string | null | undefined) {
+  const normalized = input?.trim();
+  return normalized ? normalized : null;
+}
+
 function resolveAgentRoleText(
   legacyRole: string | undefined,
   roleKeyInput: string | null | undefined,

package/src/routes/companies.ts

@@ -114,6 +114,8 @@ export function createCompaniesRouter(ctx: AppContext) {
       role: "CEO",
       roleKey: "ceo",
       title: "CEO",
+      capabilities:
+        "Company leadership: priorities, hiring, governance, and aligning agents to mission and budget.",
       name: "CEO",
       providerType,
       heartbeatCron: "*/5 * * * *",

package/src/routes/issues.ts

@@ -612,10 +612,13 @@ function applyIssueMetadataToBody(
         delegatedHiringIntent?: {
           intentType: "agent_hiring_request";
           requestedRole?: string | null;
+          requestedRoleKey?: string | null;
+          requestedTitle?: string | null;
           requestedName?: string | null;
           requestedManagerAgentId?: string | null;
           requestedProviderType?: string | null;
           requestedRuntimeModel?: string | null;
+          requestedCapabilities?: string | null;
         };
       }
     | undefined

package/src/routes/loops.ts

@@ -0,0 +1,360 @@
+import { Router } from "express";
+import { appendAuditEvent, listAuditEvents } from "bopodev-db";
+import {
+  WorkLoopCreateRequestSchema,
+  WorkLoopTriggerCreateRequestSchema,
+  WorkLoopUpdateRequestSchema,
+  WorkLoopTriggerUpdateRequestSchema
+} from "bopodev-contracts";
+import type { AppContext } from "../context";
+import { sendError, sendOk } from "../http";
+import { requireCompanyScope } from "../middleware/company-scope";
+import { enforcePermission } from "../middleware/request-actor";
+import {
+  workLoopRuns,
+  workLoops,
+  workLoopTriggers
+} from "bopodev-db";
+import {
+  addWorkLoopTrigger,
+  addWorkLoopTriggerFromPreset,
+  dispatchLoopRun,
+  getWorkLoop,
+  listWorkLoopRuns,
+  listWorkLoops,
+  listWorkLoopTriggers,
+  createWorkLoop,
+  updateWorkLoop,
+  updateWorkLoopTrigger,
+  deleteWorkLoopTrigger
+} from "../services/work-loop-service";
+
+function serializeLoop(row: typeof workLoops.$inferSelect) {
+  let goalIds: string[] = [];
+  try {
+    goalIds = JSON.parse(row.goalIdsJson || "[]") as string[];
+  } catch {
+    goalIds = [];
+  }
+  return {
+    id: row.id,
+    companyId: row.companyId,
+    projectId: row.projectId,
+    parentIssueId: row.parentIssueId,
+    goalIds,
+    title: row.title,
+    description: row.description,
+    assigneeAgentId: row.assigneeAgentId,
+    priority: row.priority,
+    status: row.status,
+    concurrencyPolicy: row.concurrencyPolicy,
+    catchUpPolicy: row.catchUpPolicy,
+    lastTriggeredAt: row.lastTriggeredAt ? row.lastTriggeredAt.toISOString() : null,
+    createdAt: row.createdAt.toISOString(),
+    updatedAt: row.updatedAt.toISOString()
+  };
+}
+
+function serializeTrigger(row: typeof workLoopTriggers.$inferSelect) {
+  return {
+    id: row.id,
+    companyId: row.companyId,
+    workLoopId: row.workLoopId,
+    kind: row.kind,
+    label: row.label,
+    enabled: row.enabled,
+    cronExpression: row.cronExpression,
+    timezone: row.timezone,
+    nextRunAt: row.nextRunAt ? row.nextRunAt.toISOString() : null,
+    lastFiredAt: row.lastFiredAt ? row.lastFiredAt.toISOString() : null,
+    lastResult: row.lastResult,
+    createdAt: row.createdAt.toISOString(),
+    updatedAt: row.updatedAt.toISOString()
+  };
+}
+
+function serializeRun(row: typeof workLoopRuns.$inferSelect) {
+  return {
+    id: row.id,
+    companyId: row.companyId,
+    workLoopId: row.workLoopId,
+    triggerId: row.triggerId,
+    source: row.source,
+    status: row.status,
+    triggeredAt: row.triggeredAt.toISOString(),
+    idempotencyKey: row.idempotencyKey,
+    linkedIssueId: row.linkedIssueId,
+    coalescedIntoRunId: row.coalescedIntoRunId,
+    failureReason: row.failureReason,
+    completedAt: row.completedAt ? row.completedAt.toISOString() : null,
+    createdAt: row.createdAt.toISOString(),
+    updatedAt: row.updatedAt.toISOString()
+  };
+}
+
+export function createLoopsRouter(ctx: AppContext) {
+  const router = Router();
+  router.use(requireCompanyScope);
+
+  router.get("/", async (req, res) => {
+    if (!enforcePermission(req, res, "loops:read")) {
+      return;
+    }
+    const rows = await listWorkLoops(ctx.db, req.companyId!);
+    return sendOk(res, { data: rows.map(serializeLoop) });
+  });
+
+  router.post("/", async (req, res) => {
+    if (!enforcePermission(req, res, "loops:write")) {
+      return;
+    }
+    const parsed = WorkLoopCreateRequestSchema.safeParse(req.body);
+    if (!parsed.success) {
+      return sendError(res, parsed.error.message, 422);
+    }
+    try {
+      const row = await createWorkLoop(ctx.db, {
+        companyId: req.companyId!,
+        projectId: parsed.data.projectId,
+        parentIssueId: parsed.data.parentIssueId,
+        goalIds: parsed.data.goalIds,
+        title: parsed.data.title,
+        description: parsed.data.description,
+        assigneeAgentId: parsed.data.assigneeAgentId,
+        priority: parsed.data.priority,
+        status: parsed.data.status,
+        concurrencyPolicy: parsed.data.concurrencyPolicy,
+        catchUpPolicy: parsed.data.catchUpPolicy
+      });
+      if (!row) {
+        return sendError(res, "Failed to create work loop.", 500);
+      }
+      await appendAuditEvent(ctx.db, {
+        companyId: req.companyId!,
+        actorType: "human",
+        actorId: req.actor?.id ?? null,
+        eventType: "work_loop.created",
+        entityType: "work_loop",
+        entityId: row.id,
+        correlationId: req.requestId ?? null,
+        payload: { loopId: row.id, title: row.title }
+      });
+      return sendOk(res, { data: serializeLoop(row) });
+    } catch (e) {
+      return sendError(res, e instanceof Error ? e.message : "Failed to create work loop.", 422);
+    }
+  });
+
+  router.get("/:loopId", async (req, res) => {
+    if (!enforcePermission(req, res, "loops:read")) {
+      return;
+    }
+    const loopId = req.params.loopId;
+    const row = await getWorkLoop(ctx.db, req.companyId!, loopId);
+    if (!row) {
+      return sendError(res, "Work loop not found.", 404);
+    }
+    const [triggers, recentRuns] = await Promise.all([
+      listWorkLoopTriggers(ctx.db, req.companyId!, loopId),
+      listWorkLoopRuns(ctx.db, req.companyId!, loopId, 30)
+    ]);
+    return sendOk(res, {
+      data: {
+        ...serializeLoop(row),
+        triggers: triggers.map(serializeTrigger),
+        recentRuns: recentRuns.map(serializeRun)
+      }
+    });
+  });
+
+  router.patch("/:loopId", async (req, res) => {
+    if (!enforcePermission(req, res, "loops:write")) {
+      return;
+    }
+    const parsed = WorkLoopUpdateRequestSchema.safeParse(req.body);
+    if (!parsed.success) {
+      return sendError(res, parsed.error.message, 422);
+    }
+    const row = await updateWorkLoop(ctx.db, req.companyId!, req.params.loopId, parsed.data);
+    if (!row) {
+      return sendError(res, "Work loop not found.", 404);
+    }
+    await appendAuditEvent(ctx.db, {
+      companyId: req.companyId!,
+      actorType: "human",
+      actorId: req.actor?.id ?? null,
+      eventType: "work_loop.updated",
+      entityType: "work_loop",
+      entityId: row.id,
+      correlationId: req.requestId ?? null,
+      payload: { patch: parsed.data }
+    });
+    return sendOk(res, { data: serializeLoop(row) });
+  });
+
+  router.post("/:loopId/run", async (req, res) => {
+    if (!enforcePermission(req, res, "loops:run")) {
+      return;
+    }
+    const loopId = req.params.loopId;
+    const loop = await getWorkLoop(ctx.db, req.companyId!, loopId);
+    if (!loop) {
+      return sendError(res, "Work loop not found.", 404);
+    }
+    const run = await dispatchLoopRun(ctx.db, {
+      companyId: req.companyId!,
+      loopId,
+      triggerId: null,
+      source: "manual",
+      idempotencyKey: req.requestId ? `manual:${loopId}:${req.requestId}` : `manual:${loopId}:${Date.now()}`,
+      realtimeHub: ctx.realtimeHub,
+      requestId: req.requestId
+    });
+    if (!run) {
+      return sendError(res, "Work loop is not active or could not be dispatched.", 409);
+    }
+    await appendAuditEvent(ctx.db, {
+      companyId: req.companyId!,
+      actorType: "human",
+      actorId: req.actor?.id ?? null,
+      eventType: "work_loop.manual_run",
+      entityType: "work_loop",
+      entityId: loopId,
+      correlationId: req.requestId ?? null,
+      payload: { runId: run.id, status: run.status }
+    });
+    return sendOk(res, { data: serializeRun(run) });
+  });
+
+  router.get("/:loopId/runs", async (req, res) => {
+    if (!enforcePermission(req, res, "loops:read")) {
+      return;
+    }
+    const loop = await getWorkLoop(ctx.db, req.companyId!, req.params.loopId);
+    if (!loop) {
+      return sendError(res, "Work loop not found.", 404);
+    }
+    const limit = Math.min(500, Math.max(1, Number(req.query.limit) || 100));
+    const runs = await listWorkLoopRuns(ctx.db, req.companyId!, req.params.loopId, limit);
+    return sendOk(res, { data: runs.map(serializeRun) });
+  });
+
+  router.get("/:loopId/activity", async (req, res) => {
+    if (!enforcePermission(req, res, "loops:read")) {
+      return;
+    }
+    const loopId = req.params.loopId;
+    const loop = await getWorkLoop(ctx.db, req.companyId!, loopId);
+    if (!loop) {
+      return sendError(res, "Work loop not found.", 404);
+    }
+    const events = await listAuditEvents(ctx.db, req.companyId!, 200);
+    const filtered = events.filter((e) => e.entityType === "work_loop" && e.entityId === loopId);
+    return sendOk(res, {
+      data: filtered.map((e) => ({
+        id: e.id,
+        eventType: e.eventType,
+        actorType: e.actorType,
+        actorId: e.actorId,
+        payload: JSON.parse(e.payloadJson || "{}") as Record<string, unknown>,
+        createdAt: e.createdAt.toISOString()
+      }))
+    });
+  });
+
+  router.post("/:loopId/triggers", async (req, res) => {
+    if (!enforcePermission(req, res, "loops:write")) {
+      return;
+    }
+    const loopId = req.params.loopId;
+    const loop = await getWorkLoop(ctx.db, req.companyId!, loopId);
+    if (!loop) {
+      return sendError(res, "Work loop not found.", 404);
+    }
+    const parsed = WorkLoopTriggerCreateRequestSchema.safeParse(req.body);
+    if (!parsed.success) {
+      return sendError(res, parsed.error.message, 422);
+    }
+    try {
+      const body = parsed.data;
+      const trigger =
+        body.mode === "cron"
+          ? await addWorkLoopTrigger(ctx.db, {
+              companyId: req.companyId!,
+              workLoopId: loopId,
+              cronExpression: body.cronExpression,
+              timezone: body.timezone,
+              label: body.label ?? null,
+              enabled: body.enabled
+            })
+          : await addWorkLoopTriggerFromPreset(ctx.db, {
+              companyId: req.companyId!,
+              workLoopId: loopId,
+              preset: body.preset,
+              hour24: body.hour24,
+              minute: body.minute,
+              dayOfWeek: body.preset === "weekly" ? (body.dayOfWeek ?? 1) : undefined,
+              timezone: body.timezone,
+              label: body.label ?? null,
+              enabled: body.enabled
+            });
+      if (!trigger) {
+        return sendError(res, "Failed to create trigger.", 500);
+      }
+      return sendOk(res, { data: serializeTrigger(trigger) });
+    } catch (e) {
+      return sendError(res, e instanceof Error ? e.message : "Failed to create trigger.", 422);
+    }
+  });
+
+  router.patch("/:loopId/triggers/:triggerId", async (req, res) => {
+    if (!enforcePermission(req, res, "loops:write")) {
+      return;
+    }
+    const parsed = WorkLoopTriggerUpdateRequestSchema.safeParse(req.body);
+    if (!parsed.success) {
+      return sendError(res, parsed.error.message, 422);
+    }
+    const loop = await getWorkLoop(ctx.db, req.companyId!, req.params.loopId);
+    if (!loop) {
+      return sendError(res, "Work loop not found.", 404);
+    }
+    try {
+      const row = await updateWorkLoopTrigger(ctx.db, req.companyId!, req.params.triggerId, parsed.data);
+      if (!row || row.workLoopId !== req.params.loopId) {
+        return sendError(res, "Trigger not found.", 404);
+      }
+      return sendOk(res, { data: serializeTrigger(row) });
+    } catch (e) {
+      return sendError(res, e instanceof Error ? e.message : "Failed to update trigger.", 422);
+    }
+  });
+
+  router.delete("/:loopId/triggers/:triggerId", async (req, res) => {
+    if (!enforcePermission(req, res, "loops:write")) {
+      return;
+    }
+    const { loopId, triggerId } = req.params;
+    const loop = await getWorkLoop(ctx.db, req.companyId!, loopId);
+    if (!loop) {
+      return sendError(res, "Work loop not found.", 404);
+    }
+    const deleted = await deleteWorkLoopTrigger(ctx.db, req.companyId!, loopId, triggerId);
+    if (!deleted) {
+      return sendError(res, "Trigger not found.", 404);
+    }
+    await appendAuditEvent(ctx.db, {
+      companyId: req.companyId!,
+      actorType: "human",
+      actorId: req.actor?.id ?? null,
+      eventType: "work_loop.trigger_deleted",
+      entityType: "work_loop",
+      entityId: loopId,
+      correlationId: req.requestId ?? null,
+      payload: { triggerId }
+    });
+    return sendOk(res, { deleted: true });
+  });
+
+  return router;
+}